backport: part 1 (#351)

Co-authored-by: AlinsRan <[email protected]>

Author: ronething

internal/adc/translator/apisixtls.go

@@ -27,6 +27,7 @@ import (
 	"github.com/apache/apisix-ingress-controller/internal/controller/label"
 	"github.com/apache/apisix-ingress-controller/internal/id"
 	"github.com/apache/apisix-ingress-controller/internal/provider"
+	sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"
 	internaltypes "github.com/apache/apisix-ingress-controller/internal/types"
 )
 
@@ -44,7 +45,7 @@ func (t *Translator) TranslateApisixTls(tctx *provider.TranslateContext, tls *ap
 	}
 
 	// Extract cert and key from secret
-	cert, key, err := extractKeyPair(secret, true)
+	cert, key, err := sslutils.ExtractKeyPair(secret, true)
 	if err != nil {
 		return nil, err
 	}
@@ -81,7 +82,7 @@ func (t *Translator) TranslateApisixTls(tctx *provider.TranslateContext, tls *ap
 			return nil, fmt.Errorf("client CA secret %s not found", caSecretKey.String())
 		}
 
-		ca, _, err := extractKeyPair(caSecret, false)
+		ca, _, err := sslutils.ExtractKeyPair(caSecret, false)
 		if err != nil {
 			return nil, err
 		}

internal/adc/translator/apisixupstream.go

@@ -29,6 +29,7 @@ import (
 	"github.com/apache/apisix-ingress-controller/api/adc"
 	apiv2 "github.com/apache/apisix-ingress-controller/api/v2"
 	"github.com/apache/apisix-ingress-controller/internal/provider"
+	sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"
 	"github.com/apache/apisix-ingress-controller/internal/utils"
 )
 
@@ -187,7 +188,7 @@ func translateApisixUpstreamClientTLS(tctx *provider.TranslateContext, config *a
 		return errors.Errorf("sercret %s not found", secretNN)
 	}
 
-	cert, key, err := extractKeyPair(secret, true)
+	cert, key, err := sslutils.ExtractKeyPair(secret, true)
 	if err != nil {
 		return err
 	}

internal/adc/translator/gateway.go

@@ -18,13 +18,10 @@
 package translator
 
 import (
-	"crypto/x509"
 	"encoding/json"
-	"encoding/pem"
 	"fmt"
 
 	"github.com/pkg/errors"
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 
@@ -33,6 +30,7 @@ import (
 	"github.com/apache/apisix-ingress-controller/internal/controller/label"
 	"github.com/apache/apisix-ingress-controller/internal/id"
 	"github.com/apache/apisix-ingress-controller/internal/provider"
+	sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"
 	internaltypes "github.com/apache/apisix-ingress-controller/internal/types"
 	"github.com/apache/apisix-ingress-controller/internal/utils"
 )
@@ -97,7 +95,7 @@ func (t *Translator) translateSecret(tctx *provider.TranslateContext, listener g
 					t.Log.Error(errors.New("secret data is nil"), "failed to get secret data", "secret", secretNN)
 					return nil, fmt.Errorf("no secret data found for %s/%s", ns, name)
 				}
-				cert, key, err := extractKeyPair(secret, true)
+				cert, key, err := sslutils.ExtractKeyPair(secret, true)
 				if err != nil {
 					t.Log.Error(err, "extract key pair", "secret", secretNN)
 					return nil, err
@@ -110,7 +108,7 @@ func (t *Translator) translateSecret(tctx *provider.TranslateContext, listener g
 				if listener.Hostname != nil && *listener.Hostname != "" {
 					sslObj.Snis = append(sslObj.Snis, string(*listener.Hostname))
 				} else {
-					hosts, err := extractHost(cert)
+					hosts, err := sslutils.ExtractHostsFromCertificate(cert)
 					if err != nil {
 						return nil, err
 					}
@@ -137,68 +135,6 @@ func (t *Translator) translateSecret(tctx *provider.TranslateContext, listener g
 	return sslObjs, nil
 }
 
-func extractHost(cert []byte) ([]string, error) {
-	block, _ := pem.Decode(cert)
-	if block == nil {
-		return nil, errors.New("parse certificate: not in PEM format")
-	}
-	der, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return nil, errors.Wrap(err, "parse certificate")
-	}
-	hosts := make([]string, 0, len(der.DNSNames))
-	for _, dnsName := range der.DNSNames {
-		if dnsName != "*" {
-			hosts = append(hosts, dnsName)
-		}
-	}
-	return hosts, nil
-}
-
-func extractKeyPair(s *corev1.Secret, hasPrivateKey bool) ([]byte, []byte, error) {
-	if _, ok := s.Data["cert"]; ok {
-		return extractApisixSecretKeyPair(s, hasPrivateKey)
-	} else if _, ok := s.Data[corev1.TLSCertKey]; ok {
-		return extractKubeSecretKeyPair(s, hasPrivateKey)
-	} else if ca, ok := s.Data[corev1.ServiceAccountRootCAKey]; ok && !hasPrivateKey {
-		return ca, nil, nil
-	} else {
-		return nil, nil, errors.New("unknown secret format")
-	}
-}
-
-func extractApisixSecretKeyPair(s *corev1.Secret, hasPrivateKey bool) (cert []byte, key []byte, err error) {
-	var ok bool
-	cert, ok = s.Data["cert"]
-	if !ok {
-		return nil, nil, errors.New("missing cert field")
-	}
-
-	if hasPrivateKey {
-		key, ok = s.Data["key"]
-		if !ok {
-			return nil, nil, errors.New("missing key field")
-		}
-	}
-	return
-}
-
-func extractKubeSecretKeyPair(s *corev1.Secret, hasPrivateKey bool) (cert []byte, key []byte, err error) {
-	var ok bool
-	cert, ok = s.Data[corev1.TLSCertKey]
-	if !ok {
-		return nil, nil, errors.New("missing cert field")
-	}
-
-	if hasPrivateKey {
-		key, ok = s.Data[corev1.TLSPrivateKeyKey]
-		if !ok {
-			return nil, nil, errors.New("missing key field")
-		}
-	}
-	return
-}
-
 // fillPluginsFromGatewayProxy fill plugins from GatewayProxy to given plugins
 func (t *Translator) fillPluginsFromGatewayProxy(plugins adctypes.GlobalRule, gatewayProxy *v1alpha1.GatewayProxy) {
 	if gatewayProxy == nil {

internal/adc/translator/ingress.go

@@ -25,25 +25,27 @@ import (
 	discoveryv1 "k8s.io/api/discovery/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/utils/ptr"
 
 	adctypes "github.com/apache/apisix-ingress-controller/api/adc"
 	"github.com/apache/apisix-ingress-controller/internal/controller/label"
 	"github.com/apache/apisix-ingress-controller/internal/id"
 	"github.com/apache/apisix-ingress-controller/internal/provider"
+	sslutils "github.com/apache/apisix-ingress-controller/internal/ssl"
 	internaltypes "github.com/apache/apisix-ingress-controller/internal/types"
 )
 
 func (t *Translator) translateIngressTLS(namespace, name string, tlsIndex int, ingressTLS *networkingv1.IngressTLS, secret *corev1.Secret, labels map[string]string) (*adctypes.SSL, error) {
 	// extract the key pair from the secret
-	cert, key, err := extractKeyPair(secret, true)
+	cert, key, err := sslutils.ExtractKeyPair(secret, true)
 	if err != nil {
 		return nil, err
 	}
 
 	hosts := ingressTLS.Hosts
 	if len(hosts) == 0 {
-		certHosts, err := extractHost(cert)
+		certHosts, err := sslutils.ExtractHostsFromCertificate(cert)
 		if err != nil {
 			return nil, err
 		}
@@ -172,12 +174,11 @@ func (t *Translator) resolveIngressUpstream(
 	t.AttachBackendTrafficPolicyToUpstream(backendRef, tctx.BackendTrafficPolicies, upstream)
 	// determine service port/port name
 	var protocol string
-	var servicePort int32 = 0
-	var servicePortName string
+	var port intstr.IntOrString
 	if backendService.Port.Number != 0 {
-		servicePort = backendService.Port.Number
+		port = intstr.FromInt32(backendService.Port.Number)
 	} else if backendService.Port.Name != "" {
-		servicePortName = backendService.Port.Name
+		port = intstr.FromString(backendService.Port.Name)
 	}
 
 	getService := tctx.Services[types.NamespacedName{
@@ -187,43 +188,28 @@ func (t *Translator) resolveIngressUpstream(
 	if getService == nil {
 		return protocol
 	}
-
+	getServicePort, _ := findMatchingServicePort(getService, port)
+	if getServicePort != nil && getServicePort.AppProtocol != nil {
+		protocol = *getServicePort.AppProtocol
+		if upstream.Scheme == "" {
+			upstream.Scheme = appProtocolToUpstreamScheme(*getServicePort.AppProtocol)
+		}
+	}
 	if getService.Spec.Type == corev1.ServiceTypeExternalName {
-		defaultServicePort := 80
-		if servicePort > 0 {
-			defaultServicePort = int(servicePort)
+		servicePort := 80
+		if getServicePort != nil {
+			servicePort = int(getServicePort.Port)
 		}
 		upstream.Nodes = adctypes.UpstreamNodes{
 			{
 				Host:   getService.Spec.ExternalName,
-				Port:   defaultServicePort,
+				Port:   servicePort,
 				Weight: 1,
 			},
 		}
 		return protocol
 	}
 
-	// find matching service port object
-	var getServicePort *corev1.ServicePort
-	for _, port := range getService.Spec.Ports {
-		p := port
-		if servicePort > 0 && p.Port == servicePort {
-			getServicePort = &p
-			break
-		}
-		if servicePortName != "" && p.Name == servicePortName {
-			getServicePort = &p
-			break
-		}
-	}
-
-	if getServicePort != nil && getServicePort.AppProtocol != nil {
-		protocol = *getServicePort.AppProtocol
-		if upstream.Scheme == "" {
-			upstream.Scheme = appProtocolToUpstreamScheme(*getServicePort.AppProtocol)
-		}
-	}
-
 	endpointSlices := tctx.EndpointSlices[types.NamespacedName{
 		Namespace: obj.Namespace,
 		Name:      backendService.Name,

internal/controller/indexer/indexer.go

@@ -50,6 +50,7 @@ const (
 	IngressClassParametersRef = "ingressClassParametersRef"
 	ConsumerGatewayRef        = "consumerGatewayRef"
 	PolicyTargetRefs          = "targetRefs"
+	TLSHostIndexRef           = "tlsHostRefs"
 	GatewayClassIndexRef      = "gatewayClassRef"
 	ApisixUpstreamRef         = "apisixUpstreamRef"
 	PluginConfigIndexRef      = "pluginConfigRefs"
@@ -140,6 +141,16 @@ func setupGatewayIndexer(mgr ctrl.Manager) error {
 	); err != nil {
 		return err
 	}
+
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&gatewayv1.Gateway{},
+		TLSHostIndexRef,
+		GatewayTLSHostIndexFunc,
+	); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -460,6 +471,15 @@ func setupIngressIndexer(mgr ctrl.Manager) error {
 		return err
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&networkingv1.Ingress{},
+		TLSHostIndexRef,
+		IngressTLSHostIndexFunc,
+	); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -925,6 +945,15 @@ func setupApisixTlsIndexer(mgr ctrl.Manager) error {
 		return err
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&apiv2.ApisixTls{},
+		TLSHostIndexRef,
+		ApisixTlsHostIndexFunc,
+	); err != nil {
+		return err
+	}
+
 	return nil
 }