diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go
index 144cc7c2b4..19799d362f 100644
--- a/cmd/nginx-ingress/flags.go
+++ b/cmd/nginx-ingress/flags.go
@@ -164,7 +164,9 @@ var (
 `The namespace/name of the GlobalConfiguration resource for global configuration of the Ingress Controller. Requires -enable-custom-resources. Format: /`)
 enableTLSPassthrough = flag.Bool("enable-tls-passthrough", false,
- "Enable TLS Passthrough on port 443. Requires -enable-custom-resources")
+ "Enable TLS Passthrough on default port 443. Requires -enable-custom-resources")
+
+ tlsPassthroughPort = flag.Int("tls-passthrough-port", 443, "Set custom port for TLS Passthrough. [1024 - 65535]")
 spireAgentAddress = flag.String("spire-agent-address", "",
 `Specifies the address of the running Spire agent. Requires -nginx-plus and is for use with NGINX Service Mesh only. If the flag is set,
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
index dc4db316c5..8e86d5f942 100644
--- a/cmd/nginx-ingress/main.go
+++ b/cmd/nginx-ingress/main.go
@@ -97,6 +97,7 @@ func main() {
 NginxStatusPort: *nginxStatusPort,
 StubStatusOverUnixSocketForOSS: *enablePrometheusMetrics,
 TLSPassthrough: *enableTLSPassthrough,
+ TLSPassthroughPort: *tlsPassthroughPort,
 EnableSnippets: *enableSnippets,
 NginxServiceMesh: *spireAgentAddress != "",
 MainAppProtectLoadModule: *appProtect,
@@ -166,6 +167,7 @@ func main() {
 IsPrometheusEnabled: *enablePrometheusMetrics,
 IsLatencyMetricsEnabled: *enableLatencyMetrics,
 IsTLSPassthroughEnabled: *enableTLSPassthrough,
+ TLSPassthroughPort: *tlsPassthroughPort,
 SnippetsEnabled: *enableSnippets,
 CertManagerEnabled: *enableCertManager,
 ExternalDNSEnabled: *enableExternalDNS,
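Review bot: The new `-tls-passthrough-port` flag promises a `[1024 - 65535]` range in its help text, but nothing in this change enforces it, so 0, a negative value, or a privileged port the controller cannot bind is only discovered later as an nginx `listen` failure rather than at startup. flags.go already range-checks the other listen-port flags after parsing (outside this hunk); run the same check on the new flag when passthrough is enabled, e.g. `if *enableTLSPassthrough { if err := validatePort(*tlsPassthroughPort); err != nil { glog.Fatalf("Invalid value for tls-passthrough-port: %v", err) } }`, assuming `validatePort` is still the helper those flags use. It is also worth rejecting a value equal to `-nginx-status-port` or the other controller listeners, since the collision is otherwise only reported by nginx. The `var (` block continues outside the hunk.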
@@ -459,6 +461,10 @@ func createGlobalConfigurationValidator() *cr_validation.GlobalConfigurationVali
 forbiddenListenerPorts[*serviceInsightListenPort] = true
 }
+
+ if *enableTLSPassthrough {
+ forbiddenListenerPorts[*tlsPassthroughPort] = true
+ }
+
 return cr_validation.NewGlobalConfigurationValidator(forbiddenListenerPorts)
 }
diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md
index fada8f7041..e963b435ed 100644
--- a/deployments/helm-chart/README.md
+++ b/deployments/helm-chart/README.md
@@ -251,7 +251,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.enableCustomResources` | Enable the custom resources. | true |
 |`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false |
 |`controller.enableOIDC` | Enable OIDC policies. | false |
-|`controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false |
+|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false |
+|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 |
 |`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false |
 |`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false |
 |`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false |
diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml
index b94ff9ad1c..101529c391 100644
--- a/deployments/helm-chart/templates/controller-daemonset.yaml
+++ b/deployments/helm-chart/templates/controller-daemonset.yaml
@@ -228,6 +228,9 @@ spec:
 - -disable-ipv6={{ .Values.controller.disableIPV6 }}
 {{- if .Values.controller.enableCustomResources }}
 - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
+{{ if .Values.controller.enableTLSPassthrough }}
+ - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }}
+{{ end }}
 - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
 - -enable-cert-manager={{ .Values.controller.enableCertManager }}
 - -enable-oidc={{ .Values.controller.enableOIDC }}
diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml
index 0c1b9ad5dd..07c4586385 100644
--- a/deployments/helm-chart/templates/controller-deployment.yaml
+++ b/deployments/helm-chart/templates/controller-deployment.yaml
@@ -233,6 +233,9 @@ spec:
 - -disable-ipv6={{ .Values.controller.disableIPV6 }}
 {{- if .Values.controller.enableCustomResources }}
 - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
+{{ if .Values.controller.enableTLSPassthrough }}
+ - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }}
+{{ end }}
 - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
 - -enable-cert-manager={{ .Values.controller.enableCertManager }}
 - -enable-oidc={{ .Values.controller.enableOIDC }}
diff --git a/deployments/helm-chart/values.schema.json b/deployments/helm-chart/values.schema.json
index bfb49f9610..e10d6dded6 100644
--- a/deployments/helm-chart/values.schema.json
+++ b/deployments/helm-chart/values.schema.json
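Review bot: `{{ if .Values.controller.enableTLSPassthrough }}` and `{{ end }}` use no whitespace trimming, unlike the `{{- if` on the line above them, so every render leaves two empty lines inside the args list; write them as `{{- if .Values.controller.enableTLSPassthrough }}` and `{{- end }}` to match the surrounding template (the same applies to the identical hunk in controller-deployment.yaml). Separately, the chart only adds the CLI argument here: unless the container and Service port definitions elsewhere in the chart are also driven by `tlsPassthroughPort` (not visible in this diff), nginx will listen on the custom port but nothing will expose it, which should either be wired up or called out in the value's description.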
@@ -619,6 +619,14 @@ false ] }, + "tlsPassthroughPort": { + "type": "integer", + "default": 443, + "title": "The tlsPassthroughPort", + "examples": [ + 443 + ] + }, "enableCertManager": { "type": "boolean", "default": false, @@ -1332,6 +1340,7 @@ "enableOIDC": false, "includeYear": false, "enableTLSPassthrough": false, + "tlsPassthroughPort": 443, "enableCertManager": false, "enableExternalDNS": false, "globalConfiguration": { diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index ffefecd87c..6a1245b143 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -239,6 +239,9 @@ controller: ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. enableTLSPassthrough: false + ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough. + tlsPassthroughPort: 443 + ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources. enableCertManager: false diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md index b7e5968407..56172fb3a3 100644 --- a/docs/content/configuration/global-configuration/command-line-arguments.md +++ b/docs/content/configuration/global-configuration/command-line-arguments.md @@ -94,6 +94,15 @@ See [-report-ingress-status](#cmdoption-report-ingress-status) flag. Enable TLS Passthrough on port 443. +Requires [-enable-custom-resources](#cmdoption-enable-custom-resources). +  + + +### -tls-passthrough-port `` + +Set the port for TLS Passthrough. +Format: `[1024 - 65535]` (default `443`) + Requires [-enable-custom-resources](#cmdoption-enable-custom-resources).   diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index c0fcea6bd1..151445b215 100644 
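Review bot: The `tlsPassthroughPort` schema entry only constrains `"type": "integer"`, while the CLI flag it feeds documents `[1024 - 65535]`; adding `"minimum": 1024,` and `"maximum": 65535,` makes `helm lint`/install reject negative, zero or privileged ports before they reach the controller, which is the only validation the value gets in this change. The `"title": "The tlsPassthroughPort"` carries no information; a description such as `Port on which TLS Passthrough listens; requires enableTLSPassthrough` would help users more.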
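Review bot: The README rows added by this commit (deployments/helm-chart/README.md and docs/content/installation/installation-with-helm.md) spell the key `controller.tlsPassThroughPort`, but the value defined here and read by the templates is `controller.tlsPassthroughPort`; a user following the docs sets a key the chart ignores and silently keeps 443. The `enableTLSPassthrough` comment directly above still says `## Enable TLS Passthrough on port 443.`; `## Enable TLS Passthrough on default port 443.` would match the wording the README change adopts.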
--- a/docs/content/installation/installation-with-helm.md
+++ b/docs/content/installation/installation-with-helm.md
@@ -228,7 +228,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.enableCustomResources` | Enable the custom resources. | true |
 |`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false |
 |`controller.enableOIDC` | Enable OIDC policies. | false |
-|`controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false |
+|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false |
+|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 |
 |`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false |
 |`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false |
 |`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false |
diff --git a/examples/custom-resources/tls-passthrough/README.md b/examples/custom-resources/tls-passthrough/README.md
index fe60ea8f5a..0e2c844d44 100644
--- a/examples/custom-resources/tls-passthrough/README.md
+++ b/examples/custom-resources/tls-passthrough/README.md
@@ -34,12 +34,21 @@ You can see how the Secure App is implemented in the `secure-app.yaml` file. and [`-enable-tls-passthrough`](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-tls-passthrough) command-line arguments of the Ingress Controller to enable the TLS Passthrough feature. + - If you would like to use any other port than 443 for TLS Passthrough, set + the [`-tls-passthrough-port`](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-tls-passthrough-port) + command-line argument of the Ingress Controller, and configure the load balancer to forward traffic to that port. + 1. Save the public IP address of the Ingress Controller into a shell variable: ```console IC_IP=XXX.YYY.ZZZ.III ``` +1. Save the HTTPS port of the Ingress Controller where TLS Passthrough is enabled into a shell variable: + + ```console + $ IC_HTTPS_PORT= + 1. Save the HTTPS port of the Ingress Controller into a shell variable: ```console diff --git a/internal/configs/config_params.go b/internal/configs/config_params.go index c2dfa6a2bb..ba4be02d86 100644 --- a/internal/configs/config_params.go +++ b/internal/configs/config_params.go @@ -121,6 +121,7 @@ type StaticConfigParams struct { NginxStatusPort int StubStatusOverUnixSocketForOSS bool TLSPassthrough bool + TLSPassthroughPort int EnableSnippets bool NginxServiceMesh bool EnableInternalRoutes bool diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go index 8e7c893b2f..675fc7e443 100644 --- a/internal/configs/configmaps.go +++ b/internal/configs/configmaps.go 
@@ -550,6 +550,7 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 SSLProtocols: config.MainServerSSLProtocols,
 SSLRejectHandshake: staticCfgParams.SSLRejectHandshake,
 TLSPassthrough: staticCfgParams.TLSPassthrough,
+ TLSPassthroughPort: staticCfgParams.TLSPassthroughPort,
 StreamLogFormat: config.MainStreamLogFormat,
 StreamLogFormatEscaping: config.MainStreamLogFormatEscaping,
 StreamSnippets: config.MainStreamSnippets,
diff --git a/internal/configs/version1/config.go b/internal/configs/version1/config.go
index 912c767099..4afb16796b 100644
--- a/internal/configs/version1/config.go
+++ b/internal/configs/version1/config.go
@@ -205,6 +205,7 @@ type MainConfig struct {
 StreamSnippets []string
 StubStatusOverUnixSocketForOSS bool
 TLSPassthrough bool
+ TLSPassthroughPort int
 VariablesHashBucketSize uint64
 VariablesHashMaxSize uint64
 WorkerConnections string
diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl
index 46634b447c..792bf75311 100644
--- a/internal/configs/version1/nginx-plus.tmpl
+++ b/internal/configs/version1/nginx-plus.tmpl
@@ -313,8 +313,8 @@ stream {
 }
 server {
- listen 443{{if .ProxyProtocol}} proxy_protocol{{end}};
- {{if not .DisableIPV6}}listen [::]:443{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+ listen {{.TLSPassthroughPort}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+ {{if not .DisableIPV6}}listen [::]:{{.TLSPassthroughPort}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
 {{if .ProxyProtocol}}
 {{range $setRealIPFrom := .SetRealIPFrom}}
diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl
index eb415edb05..e9ebdc50df 100644
--- a/internal/configs/version1/nginx.tmpl
+++ b/internal/configs/version1/nginx.tmpl
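Review bot: `listen {{.TLSPassthroughPort}}` prints the MainConfig field with no fallback, so any MainConfig built without the new field set (Go's zero value is 0) now renders `listen 0;` where the template previously hard-coded 443; `GenerateNginxMainConfig` is updated in this commit, but other places that construct MainConfig are not visible here. If 443 is meant to stay the template-level default, `listen {{if .TLSPassthroughPort}}{{.TLSPassthroughPort}}{{else}}443{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};` (and the same for the `[::]` line) preserves the old behaviour; otherwise the flag validation must guarantee a non-zero port, since nginx will refuse to start on `listen 0`. The identical change in nginx.tmpl has the same issue. The stream `server` block this sits in starts and ends outside the hunk.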
@@ -251,8 +251,8 @@ stream {
 }
 server {
- listen 443{{if .ProxyProtocol}} proxy_protocol{{end}};
- {{if not .DisableIPV6}}listen [::]:443{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+ listen {{.TLSPassthroughPort}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+ {{if not .DisableIPV6}}listen [::]:{{.TLSPassthroughPort}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
 {{if .ProxyProtocol}}
diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go
index 02f29606eb..67b942903c 100644
--- a/internal/configs/version1/template_test.go
+++ b/internal/configs/version1/template_test.go
@@ -264,6 +264,162 @@ func TestExecuteTemplate_ForMergeableIngressForNGINXPlusWithPathRegexAnnotationO
 }
 }
+func TestExecuteTemplate_ForMainForNGINXWithCustomTLSPassthroughPort(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgCustomTLSPassthroughPort)
+ t.Log(buf.String())
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 8443;",
+ "listen [::]:8443;",
+ "proxy_pass $dest_internal_passthrough",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXPlusWithCustomTLSPassthroughPort(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXPlusMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgCustomTLSPassthroughPort)
+ t.Log(buf.String())
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 8443;",
+ "listen [::]:8443;",
+ "proxy_pass $dest_internal_passthrough",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXWithoutCustomTLSPassthroughPort(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfg)
+ t.Log(buf.String())
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 443;",
+ "listen [::]:443;",
+ "proxy_pass $dest_internal_passthrough",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomTLSPassthroughPort(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXPlusMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfg)
+ t.Log(buf.String())
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ wantDirectives := []string{
+ "listen 443;",
+ "listen [::]:443;",
+ "proxy_pass $dest_internal_passthrough",
+ }
+
+ mainConf := buf.String()
+ for _, want := range wantDirectives {
+ if !strings.Contains(mainConf, want) {
+ t.Errorf("want %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXTLSPassthroughDisabled(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgWithoutTLSPassthrough)
+ t.Log(buf.String())
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ unwantDirectives := []string{
+ "listen 8443;",
+ "listen [::]:8443;",
+ "proxy_pass $dest_internal_passthrough",
+ }
+
+ mainConf := buf.String()
+ for _, want := range unwantDirectives {
+ if strings.Contains(mainConf, want) {
+ t.Errorf("unwant %q in generated config", want)
+ }
+ }
+}
+
+func TestExecuteTemplate_ForMainForNGINXPlusTLSPassthroughPortDisabled(t *testing.T) {
+ t.Parallel()
+
+ tmpl := newNGINXPlusMainTmpl(t)
+ buf := &bytes.Buffer{}
+
+ err := tmpl.Execute(buf, mainCfgWithoutTLSPassthrough)
+ t.Log(buf.String())
+ if err != nil {
+ t.Fatalf("Failed to write template %v", err)
+ }
+
+ unwantDirectives := []string{
+ "listen 443;",
+ "listen [::]:443;",
+ "proxy_pass $dest_internal_passthrough",
+ }
+
+ mainConf := buf.String()
+ for _, want := range unwantDirectives {
+ if strings.Contains(mainConf, want) {
+ t.Errorf("unwant %q in generated config", want)
+ }
+ }
+}
+
 func newNGINXPlusIngressTmpl(t *testing.T) *template.Template {
 t.Helper()
 tmpl, err := template.New("nginx-plus.ingress.tmpl").Funcs(helperFunctions).ParseFiles("nginx-plus.ingress.tmpl")
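Review bot: `TestExecuteTemplate_ForMainForNGINXPlusTLSPassthroughPortDisabled` asserts that `listen 443;` and `listen [::]:443;` are absent, but it renders `mainCfgWithoutTLSPassthrough`, whose `TLSPassthroughPort` is 8443, so the check would still pass if the passthrough server were wrongly rendered; it should look for `"listen 8443;"` and `"listen [::]:8443;"` like its NGINX OSS counterpart does. The six functions are otherwise identical except for the template constructor, the config and the expected or unexpected directives, so a single table-driven test keeps the matrix explicit and the assertions in sync, and it also lets `t.Log(buf.String())` move behind a failure instead of dumping the whole config on every run. Sketch of the consolidated test (the four cases not shown follow the same shape):
```go
func TestExecuteTemplate_ForMainTLSPassthroughPort(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name    string
		newTmpl func(*testing.T) *template.Template
		cfg     MainConfig
		want    []string // directives that must be present
		unwant  []string // directives that must be absent
	}{
		{"nginx custom port", newNGINXMainTmpl, mainCfgCustomTLSPassthroughPort, []string{"listen 8443;", "listen [::]:8443;", "proxy_pass $dest_internal_passthrough"}, nil},
		{"nginx plus passthrough disabled", newNGINXPlusMainTmpl, mainCfgWithoutTLSPassthrough, nil, []string{"listen 8443;", "listen [::]:8443;", "proxy_pass $dest_internal_passthrough"}},
		// … remaining four cases: nginx plus custom port, nginx/nginx plus default port, nginx passthrough disabled …
	}
	for _, tc := range tests {
		tc := tc
		t.Run(tc.name, func(t *testing.T) {
			t.Parallel()
			buf := &bytes.Buffer{}
			if err := tc.newTmpl(t).Execute(buf, tc.cfg); err != nil {
				t.Fatalf("Failed to write template %v", err)
			}
			mainConf := buf.String()
			for _, w := range tc.want {
				if !strings.Contains(mainConf, w) {
					t.Errorf("want %q in generated config:\n%s", w, mainConf)
				}
			}
			for _, u := range tc.unwant {
				if strings.Contains(mainConf, u) {
					t.Errorf("unwant %q in generated config:\n%s", u, mainConf)
				}
			}
		})
	}
}
```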
@@ -597,6 +753,57 @@ var (
 VariablesHashBucketSize: 256,
 VariablesHashMaxSize: 1024,
 TLSPassthrough: true,
+ TLSPassthroughPort: 443,
+ }
+
+ mainCfgCustomTLSPassthroughPort = MainConfig{
+ ServerNamesHashMaxSize: "512",
+ ServerTokens: "off",
+ WorkerProcesses: "auto",
+ WorkerCPUAffinity: "auto",
+ WorkerShutdownTimeout: "1m",
+ WorkerConnections: "1024",
+ WorkerRlimitNofile: "65536",
+ LogFormat: []string{"$remote_addr", "$remote_user"},
+ LogFormatEscaping: "default",
+ StreamSnippets: []string{"# comment"},
+ StreamLogFormat: []string{"$remote_addr", "$remote_user"},
+ StreamLogFormatEscaping: "none",
+ ResolverAddresses: []string{"example.com", "127.0.0.1"},
+ ResolverIPV6: false,
+ ResolverValid: "10s",
+ ResolverTimeout: "15s",
+ KeepaliveTimeout: "65s",
+ KeepaliveRequests: 100,
+ VariablesHashBucketSize: 256,
+ VariablesHashMaxSize: 1024,
+ TLSPassthrough: true,
+ TLSPassthroughPort: 8443,
+ }
+
+ mainCfgWithoutTLSPassthrough = MainConfig{
+ ServerNamesHashMaxSize: "512",
+ ServerTokens: "off",
+ WorkerProcesses: "auto",
+ WorkerCPUAffinity: "auto",
+ WorkerShutdownTimeout: "1m",
+ WorkerConnections: "1024",
+ WorkerRlimitNofile: "65536",
+ LogFormat: []string{"$remote_addr", "$remote_user"},
+ LogFormatEscaping: "default",
+ StreamSnippets: []string{"# comment"},
+ StreamLogFormat: []string{"$remote_addr", "$remote_user"},
+ StreamLogFormatEscaping: "none",
+ ResolverAddresses: []string{"example.com", "127.0.0.1"},
+ ResolverIPV6: false,
+ ResolverValid: "10s",
+ ResolverTimeout: "15s",
+ KeepaliveTimeout: "65s",
+ KeepaliveRequests: 100,
+ VariablesHashBucketSize: 256,
+ VariablesHashMaxSize: 1024,
+ TLSPassthrough: false,
+ TLSPassthroughPort: 8443,
 }
 // Vars for Mergable Ingress Master - Minion tests
diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go
index b8e73b72f0..72d9348c32 100644
--- a/internal/k8s/controller.go
+++ b/internal/k8s/controller.go
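Review bot: `mainCfgCustomTLSPassthroughPort` and `mainCfgWithoutTLSPassthrough` repeat every field of the fixture closed at the top of the hunk (presumably `mainCfg`) and differ from it only in `TLSPassthrough` and `TLSPassthroughPort`, so any future fixture change has to be made three times. Deriving them from the base value at init time, e.g. `mainCfgCustomTLSPassthroughPort = func() MainConfig { c := mainCfg; c.TLSPassthroughPort = 8443; return c }()`, keeps the cases in step; the struct copy shares the slice fields, which is fine for read-only test data. The `var (` block starts outside the hunk.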
@@ -199,6 +199,7 @@ type NewLoadBalancerControllerInput struct {
 IsPrometheusEnabled bool
 IsLatencyMetricsEnabled bool
 IsTLSPassthroughEnabled bool
+ TLSPassthroughPort int
 SnippetsEnabled bool
 CertManagerEnabled bool
 ExternalDNSEnabled bool
diff --git a/tests/data/common/service/loadbalancer-with-additional-ports.yaml b/tests/data/common/service/loadbalancer-with-additional-ports.yaml
index 57b311a835..489b6b13dc 100644
--- a/tests/data/common/service/loadbalancer-with-additional-ports.yaml
+++ b/tests/data/common/service/loadbalancer-with-additional-ports.yaml
@@ -19,6 +19,10 @@ spec:
 targetPort: 8080
 protocol: TCP
 name: api
+ - port: 8443
+ targetPort: 8443
+ protocol: TCP
+ name: custom-tls-port
 - port: 9113
 targetPort: 9113
 protocol: TCP
diff --git a/tests/data/common/service/nodeport-with-additional-ports.yaml b/tests/data/common/service/nodeport-with-additional-ports.yaml
index 9d845b2ed4..f2b717a801 100644
--- a/tests/data/common/service/nodeport-with-additional-ports.yaml
+++ b/tests/data/common/service/nodeport-with-additional-ports.yaml
@@ -34,5 +34,9 @@ spec:
 targetPort: 9114
 protocol: TCP
 name: service-insight
+ - port: 8443
+ targetPort: 8443
+ protocol: TCP
+ name: custom-ssl-port
 selector:
 app: nginx-ingress
diff --git a/tests/suite/fixtures/fixtures.py b/tests/suite/fixtures/fixtures.py
index fd43cfa4a6..fcafa32804 100644
--- a/tests/suite/fixtures/fixtures.py
+++ b/tests/suite/fixtures/fixtures.py
@@ -86,6 +86,7 @@ def __init__(
 tcp_server_port=3333,
 udp_server_port=3334,
 service_insight_port=9114,
+ custom_ssl_port=8443,
 ):
 self.public_ip = public_ip
 self.port = port
@@ -95,6 +96,7 @@ def __init__(
 self.tcp_server_port = tcp_server_port
 self.udp_server_port = udp_server_port
 self.service_insight_port = service_insight_port
+ self.custom_ssl_port = custom_ssl_port
 class IngressControllerPrerequisites:
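Review bot: The new 8443 entry is inserted before the 9113 port in loadbalancer-with-additional-ports.yaml but appended after `service-insight` in nodeport-with-additional-ports.yaml, and it is named `custom-tls-port` in one file and `custom-ssl-port` in the other. `get_service_node_ports` in this same commit resolves ports by position (index 7 for the custom port), so the two fixtures should share the same order and name; the LoadBalancer variant appears to be consumed via `create_service_from_yaml` rather than by index in the visible code, but keeping the layouts identical avoids a silently wrong node port if that ever changes. Placing the entry last in both files under one name matches the index-based reader.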
@@ -182,9 +184,18 @@ def ingress_controller_endpoint(cli_arguments, kube_apis, ingress_controller_pre tcp_server_port, udp_server_port, service_insight_port, + custom_ssl_port, ) = get_service_node_ports(kube_apis.v1, service_name, namespace) return PublicEndpoint( - public_ip, port, port_ssl, api_port, metrics_port, tcp_server_port, udp_server_port, service_insight_port + public_ip, + port, + port_ssl, + api_port, + metrics_port, + tcp_server_port, + udp_server_port, + service_insight_port, + custom_ssl_port, ) else: create_service_from_yaml( diff --git a/tests/suite/fixtures/ic_fixtures.py b/tests/suite/fixtures/ic_fixtures.py index 0409b0a710..4b39e18e6c 100644 --- a/tests/suite/fixtures/ic_fixtures.py +++ b/tests/suite/fixtures/ic_fixtures.py @@ -74,9 +74,8 @@ def crd_ingress_controller( :param ingress_controller_prerequisites :param ingress_controller_endpoint: :param request: pytest fixture to parametrize this method - {type: complete|rbac-without-vs, extra_args: } - 'type' type of test pre-configuration - 'extra_args' list of IC cli arguments + {type: complete|rbac-without-vs, + 'extra_args': list of IC cli arguments } :return: """ namespace = ingress_controller_prerequisites.namespace @@ -94,6 +93,8 @@ def crd_ingress_controller( namespace, request.param.get("extra_args", None), ) + if request.param["type"] == "tls-passthrough-custom-port": + ingress_controller_endpoint.port_ssl = ingress_controller_endpoint.custom_ssl_port ensure_connection_to_public_endpoint( ingress_controller_endpoint.public_ip, ingress_controller_endpoint.port, diff --git a/tests/suite/test_ts_tls_passthrough.py b/tests/suite/test_ts_tls_passthrough.py index 0e991817ad..14dd36fc67 100644 --- a/tests/suite/test_ts_tls_passthrough.py +++ b/tests/suite/test_ts_tls_passthrough.py 
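Review bot: `ingress_controller_endpoint.port_ssl = ingress_controller_endpoint.custom_ssl_port` in ic_fixtures.py rewrites the shared endpoint object in place and nothing restores it; if `ingress_controller_endpoint` outlives this fixture (session-scoped fixtures are common in this suite, though its scope is not visible here), every later test that resolves the TLS port through `port_ssl` keeps hitting 8443 once the custom-port case has run. Record the original value before the assignment, `original_port_ssl = ingress_controller_endpoint.port_ssl`, and restore it in the fixture's finalizer with `request.addfinalizer(lambda: setattr(ingress_controller_endpoint, "port_ssl", original_port_ssl))`, or better, pass the port to the tests explicitly rather than mutating the endpoint. The docstring edit in the first hunk of that file lists the accepted `type` values but omits the new `tls-passthrough-custom-port`, and no longer explains `'type'` at all. The `crd_ingress_controller` body starts and ends outside the hunk.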
@@ -24,14 +24,18 @@ class TransportServerTlsSetup:
 Attributes:
 public_endpoint (object):
+ tls_passthrough_port (int):
 ts_resource (dict):
 name (str):
 namespace (str):
 ts_host (str):
 """
- def __init__(self, public_endpoint: PublicEndpoint, ts_resource, name, namespace, ts_host):
+ def __init__(
+ self, public_endpoint: PublicEndpoint, tls_passthrough_port: int, ts_resource, name, namespace, ts_host
+ ):
 self.public_endpoint = public_endpoint
+ self.tls_passthrough_port = tls_passthrough_port
 self.ts_resource = ts_resource
 self.name = name
 self.namespace = namespace
@@ -72,6 +76,7 @@ def fin():
 return TransportServerTlsSetup(
 ingress_controller_endpoint,
+ request.param["tls_passthrough_port"],
 ts_resource,
 ts_resource["metadata"]["name"],
 test_namespace,
@@ -91,10 +96,23 @@ def fin():
 "-enable-tls-passthrough=true",
 ],
 },
- {"example": "transport-server-tls-passthrough"},
- )
+ {"example": "transport-server-tls-passthrough", "tls_passthrough_port": 443},
+ ),
+ (
+ {
+ "type": "tls-passthrough-custom-port",
+ # set publicEndpoint.port_ssl to 8443 when checking connection to public endpoint and in all tests
+ "extra_args": [
+ "-enable-leader-election=false",
+ "-enable-tls-passthrough=true",
+ "-tls-passthrough-port=8443",
+ ],
+ },
+ {"example": "transport-server-tls-passthrough", "tls_passthrough_port": 8443},
+ ),
 ],
 indirect=True,
+ ids=["tls_passthrough_with_default_port", "tls_passthrough_with_custom_port"],
 )
 class TestTransportServerTlsPassthrough:
 def restore_ts(self, kube_apis, transport_server_tls_passthrough_setup) -> None:
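Review bot: `tls_passthrough_port` is inserted as the second positional parameter of `TransportServerTlsSetup.__init__`, which breaks any caller that builds the object positionally; the one caller in this file is updated in the next hunk, but others are not visible here. Appending it after `ts_host` with a default, `tls_passthrough_port: int = 443`, keeps existing call sites working and mirrors the flag's default. In the parametrize hunk the port is spelled twice per case (`"-tls-passthrough-port=8443"` in `extra_args` and `"tls_passthrough_port": 8443`); deriving the argument string from the one value, or a comment stating they must agree, would stop the two drifting apart.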
@@ -154,8 +172,8 @@ def test_tls_passthrough_proxy_protocol_config(
 )
 wait_before_test(1)
 config = get_nginx_template_conf(kube_apis.v1, ingress_controller_prerequisites.namespace)
- assert "listen 443 proxy_protocol;" in config
- assert "listen [::]:443 proxy_protocol;" in config
+ assert f"listen {transport_server_tls_passthrough_setup.tls_passthrough_port} proxy_protocol;" in config
+ assert f"listen [::]:{transport_server_tls_passthrough_setup.tls_passthrough_port} proxy_protocol;" in config
 std_cm_src = f"{DEPLOYMENTS}/common/nginx-config.yaml"
 replace_configmap_from_yaml(
 kube_apis.v1,
diff --git a/tests/suite/utils/resources_utils.py b/tests/suite/utils/resources_utils.py
index d750f6a475..0327e521ea 100644
--- a/tests/suite/utils/resources_utils.py
+++ b/tests/suite/utils/resources_utils.py
@@ -437,9 +437,15 @@ def get_service_node_ports(v1: CoreV1Api, name, namespace) -> (int, int, int, in
 resp = v1.read_namespaced_service(name, namespace)
 if len(resp.spec.ports) == 7:
 print("An unexpected amount of ports in a service. Check the configuration")
+
+ print(f"Service with an HTTP port: {resp.spec.ports[0].node_port}")
+ print(f"Service with an HTTPS port: {resp.spec.ports[1].node_port}")
 print(f"Service with an API port: {resp.spec.ports[2].node_port}")
 print(f"Service with an Exporter port: {resp.spec.ports[3].node_port}")
+ print(f"Service with an TPC server port: {resp.spec.ports[4].node_port}")
+ print(f"Service with an UDP server port: {resp.spec.ports[5].node_port}")
 print(f"Service with an Service Insight port: {resp.spec.ports[6].node_port}")
+ print(f"Service with an custom ssl port: {resp.spec.ports[7].node_port}")
 return (
 resp.spec.ports[0].node_port,
 resp.spec.ports[1].node_port,
@@ -448,6 +454,7 @@ def get_service_node_ports(v1: CoreV1Api, name, namespace) -> (int, int, int, in
 resp.spec.ports[4].node_port,
 resp.spec.ports[5].node_port,
 resp.spec.ports[6].node_port,
+ resp.spec.ports[7].node_port,
 )
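Review bot: The guard `if len(resp.spec.ports) == 7:` in `get_service_node_ports` is stale after this change: the new print and the return tuple in the second hunk both index `resp.spec.ports[7]`, which needs eight entries, so a service with the previously expected seven ports now gets the warning followed by an `IndexError`, while any other wrong count passes the guard silently. Make the check match the new layout and fail loudly instead of printing, e.g. `if len(resp.spec.ports) != 8: raise ValueError(f"expected 8 ports in service {name}, got {len(resp.spec.ports)}")`. The return annotation on the `def` line (cut off in the hunk header) presumably still lists seven ints and should gain an eighth, and `TPC server port` and `an custom ssl port` in the new prints are typos. The function's `def` line is outside the hunk.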