From e65aa403c79abe19cf77736aaf4b8befb314f12d Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Tue, 28 Oct 2025 14:57:10 +0000 Subject: [PATCH 01/45] Add tls gen script POC --- go.mod | 1 + go.sum | 2 + hack/tls-cert-gen/a-test-secret.yaml | 8 + hack/tls-cert-gen/makefile | 0 hack/tls-cert-gen/test.yaml | 8 + hack/tls-cert-gen/test2.yaml | 8 + hack/tls-cert-gen/tls-cert-gen.go | 187 ++++++++++++++++++ .../tls-secret-cafe.example.com.yaml | 8 + 8 files changed, 222 insertions(+) create mode 100644 hack/tls-cert-gen/a-test-secret.yaml create mode 100644 hack/tls-cert-gen/makefile create mode 100644 hack/tls-cert-gen/test.yaml create mode 100644 hack/tls-cert-gen/test2.yaml create mode 100644 hack/tls-cert-gen/tls-cert-gen.go create mode 100644 hack/tls-cert-gen/tls-secret-cafe.example.com.yaml diff --git a/go.mod b/go.mod index 8c9462eefe..e38b9ed662 100644 --- a/go.mod +++ b/go.mod @@ -26,6 +26,7 @@ require ( k8s.io/apimachinery v0.34.1 k8s.io/client-go v0.34.1 k8s.io/code-generator v0.34.1 + k8s.io/kubernetes v1.34.1 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 sigs.k8s.io/controller-tools v0.19.0 sigs.k8s.io/yaml v1.6.0 diff --git a/go.sum b/go.sum index d16ea2e3cc..a17b8d492d 100644 --- a/go.sum +++ b/go.sum 
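Review bot: The new `k8s.io/kubernetes v1.34.1` requirement in go.mod does not appear to be used by this patch: the added tls-cert-gen.go imports only `k8s.io/api/core/v1`, `k8s.io/apimachinery/pkg/apis/meta/v1` and `sigs.k8s.io/yaml`, none of which live in that module. Adding the full kubernetes module to the root module widens the dependency graph that has to be tracked and patched, all for a script under hack/. Unless something outside this patch needs it, drop the line; `go mod tidy` would presumably remove it together with the two go.sum entries.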
@@ -560,6 +560,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= +k8s.io/kubernetes v1.34.1 h1:F3p8dtpv+i8zQoebZeK5zBqM1g9x1aIdnA5vthvcuUk= +k8s.io/kubernetes v1.34.1/go.mod h1:iu+FhII+Oc/1gGWLJcer6wpyih441aNFHl7Pvm8yPto= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 h1:qPrZsv1cwQiFeieFlRqT627fVZ+tyfou/+S5S0H5ua0= diff --git a/hack/tls-cert-gen/a-test-secret.yaml b/hack/tls-cert-gen/a-test-secret.yaml new file mode 100644 index 0000000000..184f8149ac --- /dev/null +++ b/hack/tls-cert-gen/a-test-secret.yaml 
@@ -0,0 +1,8 @@ +apiVersion: v1 +data: + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJvVENDQVVhZ0F3SUJBZ0lSQU9sNVoxYlBSeHR3MnB3dmMxMllITUl3Q2dZSUtvWkl6ajBFQXdJd0VqRVEKTUE0R0ExVUVDaE1IUVdOdFpTQkRiekFlRncweU5URXdNamd4TkRNME1qVmFGdzB5TlRFeE1ERXhORE0wTWpWYQpNQkl4RURBT0JnTlZCQW9UQjBGamJXVWdRMjh3V1RBVEJnY3Foa2pPUFFJQkJnZ3Foa2pPUFFNQkJ3TkNBQVR4CjYxMXQ2bjc0a2ZuZ01RbFZLVGxWdkNRbmd2Q1QxYkNNZ05MaW43UnpvSHpmTkFINHJZMXllMnVKdkszK3JneVQKcEF6eXVCSnVLSDRSN1owZ0YwT0NvMzB3ZXpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RXdZRFZSMGxCQXd3Q2dZSQpLd1lCQlFVSEF3RXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVWUFpaOWhRbEdOdVpqRGNiCmJlQWRkRTBEZ0lJd0pBWURWUjBSQkIwd0c0SUxaWGhoYlhCc1pTNWpiMjJDREdWNFlXMXdiR1V1ZEdWemREQUsKQmdncWhrak9QUVFEQWdOSkFEQkdBaUVBcUFuK3YxeDJ1ZUF3TDlMSGRiWTBpb3pYQWVSUTQyWWthU0ZNZ01EQgpPRzRDSVFDNEd5TmgwWkE0L2ptbE1KaDZnNFgxSnl6eWQ0dHQ1ZHRLVmJlYkI0QXpkdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZ2ZreGRRMGNUQnBiYWJYZjcKekZBTml0ckNLQysxY1FxSmVXTUR3dyt4Ni9PaFJBTkNBQVR4NjExdDZuNzRrZm5nTVFsVktUbFZ2Q1FuZ3ZDVAoxYkNNZ05MaW43UnpvSHpmTkFINHJZMXllMnVKdkszK3JneVRwQXp5dUJKdUtINFI3WjBnRjBPQwotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg== +kind: Secret +metadata: + name: v1-secret-thing +type: kubernetes.io/tls diff --git a/hack/tls-cert-gen/makefile b/hack/tls-cert-gen/makefile new file mode 100644 index 0000000000..e69de29bb2 diff --git a/hack/tls-cert-gen/test.yaml b/hack/tls-cert-gen/test.yaml new file mode 100644 index 0000000000..55582eb064 --- /dev/null +++ b/hack/tls-cert-gen/test.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + tls.crt: d2VsbCBoZWxsbyB0aGVyZQ== + tls.key: Z2VuZXJhbCBrZW5vYmk= +kind: Secret +metadata: + name: v1-secret-thing +type: kubernetes.io/tls diff --git a/hack/tls-cert-gen/test2.yaml b/hack/tls-cert-gen/test2.yaml new file mode 100644 index 0000000000..28146fdd88 --- /dev/null +++ b/hack/tls-cert-gen/test2.yaml 
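Review bot: `tls.key` in a-test-secret.yaml is a real base64-encoded PEM private key written by the generator, committed alongside the script that can regenerate it on demand. Even for a short-lived test certificate the key stays in repository history, trips secret scanners, and is readable by anyone who might reuse it. The generated outputs under hack/tls-cert-gen are better listed in `.gitignore` and produced when the tests run. test.yaml and test2.yaml hold only placeholder strings, but they look like scratch output from the same experiments and probably do not belong in the commit either.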
@@ -0,0 +1,8 @@ +Data: + tls.crt: d2VsbCBoZWxsbyB0aGVyZQ== + tls.key: Z2VuZXJhbCBrZW5vYmk= +Immutable: null +Type: kubernetes.io/tls +apiVersion: v1 +kind: Secret +name: core-secret-thing diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go new file mode 100644 index 0000000000..c00034ee04 --- /dev/null +++ b/hack/tls-cert-gen/tls-cert-gen.go 
@@ -0,0 +1,187 @@ +package main + +import ( + "bytes" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "fmt" + "log/slog" + "math/big" + "net" + "os" + "strings" + "time" + + log "github.com/nginx/kubernetes-ingress/internal/logger" + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/yaml" +) + +var tlsKeys = []yamlSecret{ + { + secretName: "a-test-secret", + fileName: "a-test-secret.yaml", + hosts: []string{"example.com", "example.test"}, + }, +} + +func main() { + logger := slog.New(slog.NewTextHandler(os.Stdout, nil)) + var err error + + for _, tlsKey := range tlsKeys { + err = printYaml(tlsKey) + if err != nil { + log.Fatalf(logger, "Failed to print tls key: %v: %v", tlsKey, err) + } + } +} + +func publicKey(priv any) any { + switch k := priv.(type) { + case *rsa.PrivateKey: + return &k.PublicKey + case *ecdsa.PrivateKey: + return &k.PublicKey + case ed25519.PrivateKey: + return k.Public().(ed25519.PublicKey) + default: + return nil + } +} + +// printTLS is roughly the same function as crypto/tls/generate_cert.go in the +// go standard library. Notable differences: +// - this one returns the cert/key as bytes rather than writing them as files +// - this one does not take input as flags or anything other +// - only exception is a comma-separated list of domains the generated cert +// should be valid for +// - it defaults to ecdsa.P256 key type, and therefore does not have the code +// for the other key types +// - keys are always valid from "now" until 4 days in the future. 
Given the +// short usage window of the keys, this is enough +// - all keys are certificate authorities (isCA is set to true for all) +func printTLS(host string) (*JITTLSKey, error) { + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + return nil, fmt.Errorf("failed to generate private key: %w", err) + } + + validFrom := time.Now() + validUntil := validFrom.Add(4 * 24 * time.Hour) + + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) + if err != nil { + return nil, fmt.Errorf("failed to generate serial number: %w", err) + } + + template := x509.Certificate{ + SerialNumber: serialNumber, + Subject: pkix.Name{ + Organization: []string{"Acme Co"}, + }, + NotBefore: validFrom, + NotAfter: validUntil, + + KeyUsage: x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + BasicConstraintsValid: true, + + IsCA: true, + } + + hosts := strings.Split(host, ",") + for _, h := range hosts { + if ip := net.ParseIP(h); ip != nil { + template.IPAddresses = append(template.IPAddresses, ip) + } else { + template.DNSNames = append(template.DNSNames, h) + } + } + + derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv) + if err != nil { + return nil, fmt.Errorf("failed to create certificate: %w", err) + } + + certOut := &bytes.Buffer{} + + if err = pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil { + return nil, fmt.Errorf("failed to write data to cert bytes buffer: %w", err) + } + + keyOut := &bytes.Buffer{} + + privBytes, err := x509.MarshalPKCS8PrivateKey(priv) + if err != nil { + return nil, fmt.Errorf("failed to marshal private key: %w", err) + } + if err = pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil { + return nil, fmt.Errorf("failed to write data to keybytes buffer: %w", err) + } + + return &JITTLSKey{ + cert: 
certOut.Bytes(), + key: keyOut.Bytes(), + }, nil +} + +// JITTLSKey is a Just In Time TLS key representation. The only two parts that +// we need here are the bytes for the cert and the key. These two will be +// written as the data.tls.cert and data.tls.key properties of the kubernetes +// core.Secret type. +// +// This does not hold the hosts information, because that's being assembled +// elsewhere, but the data does actually contain the passed in hosts. +type JITTLSKey struct { + cert []byte + key []byte +} + +type yamlSecret struct { + secretName string + fileName string + hosts []string +} + +func printYaml(secret yamlSecret) error { + tlsKeys, err := printTLS(strings.Join(secret.hosts, ",")) + if err != nil { + return fmt.Errorf("failed generating TLS keys for hosts: %v: %w", secret.hosts, err) + } + + s := v1.Secret{ + TypeMeta: metav1.TypeMeta{ + Kind: "Secret", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "v1-secret-thing", + }, + Data: map[string][]byte{ + v1.TLSCertKey: tlsKeys.cert, + v1.TLSPrivateKeyKey: tlsKeys.key, + }, + Type: v1.SecretTypeTLS, + } + + sb, err := yaml.Marshal(s) + if err != nil { + return fmt.Errorf("failed to marshal kubernetes secret: %w", err) + } + + err = os.WriteFile(secret.fileName, sb, 0o600) + if err != nil { + return fmt.Errorf("failed to write kubernetes secret to file %s: %w", secret.fileName, err) + } + + return nil +} diff --git a/hack/tls-cert-gen/tls-secret-cafe.example.com.yaml b/hack/tls-cert-gen/tls-secret-cafe.example.com.yaml new file mode 100644 index 0000000000..c421f9daed --- /dev/null +++ b/hack/tls-cert-gen/tls-secret-cafe.example.com.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: tls-secret +type: kubernetes.io/tls +data: + tls.crt: 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 + tls.key: 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 From a946d07acf2be568627266150482321bb5494cf0 Mon Sep 17 00:00:00 2001 
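Review bot: The template in printTLS sets `IsCA: true` with `KeyUsage: x509.KeyUsageDigitalSignature` only, so every generated serving certificate is marked as a CA in its basic constraints yet lacks `x509.KeyUsageCertSign`. That combination is inconsistent, and a CA flag is more authority than a test leaf needs. For a server certificate `IsCA: false` with the existing ServerAuth usage is enough, and the doc-comment bullet should then read `// - certificates are self-signed leaf certs (IsCA is false)`. Separately, printYaml writes `Name: "v1-secret-thing"` and never reads `secret.secretName`, so the `a-test-secret` entry produces a Secret under a different name; `Name: secret.secretName,` is presumably what was intended.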
From: Gabor Javorszky Date: Tue, 4 Nov 2025 11:30:56 +0000 Subject: [PATCH 02/45] More refinement to the tls gen script --- hack/tls-cert-gen/tls-cert-gen.go | 49 ++++++++++++++++++------------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index c00034ee04..b482a7a7a0 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -24,11 +24,11 @@ import ( "sigs.k8s.io/yaml" ) -var tlsKeys = []yamlSecret{ +var yamlSecrets = []yamlSecret{ { - secretName: "a-test-secret", + secretName: "tls-secret", fileName: "a-test-secret.yaml", - hosts: []string{"example.com", "example.test"}, + hosts: []string{"*.example.com"}, }, } @@ -36,10 +36,10 @@ func main() { logger := slog.New(slog.NewTextHandler(os.Stdout, nil)) var err error - for _, tlsKey := range tlsKeys { - err = printYaml(tlsKey) + for _, secret := range yamlSecrets { + err = printYaml(secret) if err != nil { - log.Fatalf(logger, "Failed to print tls key: %v: %v", tlsKey, err) + log.Fatalf(logger, "Failed to print tls key: %v: %v", secret, err) } } } 
@@ -85,26 +85,35 @@ func printTLS(host string) (*JITTLSKey, error) { template := x509.Certificate{ SerialNumber: serialNumber, + Issuer: pkix.Name{ + Country: []string{"GB"}, + Organization: []string{"Internet Widgits Pty Ltd"}, + }, Subject: pkix.Name{ - Organization: []string{"Acme Co"}, + Country: []string{"US"}, + Organization: []string{"Acme Co"}, + OrganizationalUnit: []string{"Finance"}, + Locality: []string{"San Francisco"}, + Province: []string{"California"}, + StreetAddress: nil, + PostalCode: nil, + SerialNumber: "", + CommonName: host, + Names: nil, + ExtraNames: nil, }, - NotBefore: validFrom, - NotAfter: validUntil, - + NotBefore: validFrom, + NotAfter: validUntil, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, - - IsCA: true, + IsCA: true, } - hosts := strings.Split(host, ",") - for _, h := range hosts { - if ip := net.ParseIP(h); ip != nil { - template.IPAddresses = append(template.IPAddresses, ip) - } else { - template.DNSNames = append(template.DNSNames, h) - } + if ip := net.ParseIP(host); ip != nil { + template.IPAddresses = append(template.IPAddresses, ip) + } else { + template.DNSNames = append(template.DNSNames, host) } derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv) @@ -164,7 +173,7 @@ func printYaml(secret yamlSecret) error { APIVersion: "v1", }, ObjectMeta: metav1.ObjectMeta{ - Name: "v1-secret-thing", + Name: secret.secretName, }, Data: map[string][]byte{ v1.TLSCertKey: tlsKeys.cert, From 43a098088afe29ca58aa20d6b7d0b2987b475781 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Mon, 10 Nov 2025 11:18:01 +0000 Subject: [PATCH 03/45] Replace NBSP with actual spaces in test makefile --- tests/Makefile | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/tests/Makefile b/tests/Makefile index e7a8bc67ec..5efa830301 100644 --- a/tests/Makefile +++ b/tests/Makefile 
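Review bot: The `Issuer: pkix.Name{...}` block added to the template in printTLS has no effect, because `x509.CreateCertificate` takes the issuer from the parent's Subject and the call below passes `&template` as its own parent, so the certificate comes out with Issuer equal to Subject rather than the GB / Internet Widgits name. Either drop the field or mark it with a comment such as `// ignored: CreateCertificate copies the issuer from parent.Subject (self-signed)`. The same hunk removes the `strings.Split(host, ",")` loop while printYaml, outside this hunk, appears to still pass `strings.Join(secret.hosts, ",")`, so a second entry in `hosts` would end up as one comma-containing DNS name and CommonName. The Issuer block is carried over into the later `@@ -84,36 +124,26 @@` hunk of patch 04 as well. printTLS starts and ends outside this hunk.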
@@ -12,16 +12,18 @@ MINIKUBE_KUBE_CONFIG_FOLDER = $(KUBE_CONFIG_FOLDER)/minikube DOCKERFILEPATH := ${ROOT_DIR}/tests/Dockerfile PYTHON ?= python3 IP_FAMILY = dual -IC_TYPE ?= nginx-ingress ## The Ingress Controller type to use, "nginx-ingress" or "nginx-plus-ingress". Defaults to "nginx-ingress" +IC_TYPE ?= nginx-ingress ## The Ingress Controller type to use, "nginx-ingress" or "nginx-plus-ingress". Defaults to "nginx-ingress" SHOW_IC_LOGS ?= no ## Should the tests show the Ingress Controller logs on failure, "yes" or "no". Defaults to "no" -TEST_TAG ?= latest ## The Tag to use for the test image. e.g. commitsha +TEST_TAG ?= latest ## The Tag to use for the test image. e.g. commitsha REGISTRY ?= docker.io ## The registry where the image is located. For example, docker.io PREFIX ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress TAG ?= edge ## The tag of the image. For example, edge -K8S_CLUSTER_NAME ?= local ## The name used when creating/using a Kind Kubernetes cluster +K8S_CLUSTER_NAME ?= local ## The name used when creating/using a Kind Kubernetes cluster # renovate: datasource=docker depName=kindest/node K8S_CLUSTER_VERSION ?= v1.34.0 -K8S_TIMEOUT ?= 75s ## The timeout used when creating a Kind Kubernetes cluster +K8S_TIMEOUT ?= 75s ## The timeout used when creating a Kind Kubernetes cluster +AD_SECRET ?= +K8S_TIMEOUT ?= 75s ## The timeout used when creating a Kind Kubernetes cluster PLUS_JWT ?= PYTEST_ARGS ?= ifeq (${REGISTRY},) @@ -119,7 +121,7 @@ run-tests-in-kind: ## Run tests in Kind .PHONY: create-kind-cluster -create-kind-cluster: $(KIND_KUBE_CONFIG_FOLDER) ## Create a Kind K8S cluster +create-kind-cluster: $(KIND_KUBE_CONFIG_FOLDER) ## Create a Kind K8S cluster @kind create cluster \ --name $(K8S_CLUSTER_NAME) \ --image=kindest/node:$(K8S_CLUSTER_VERSION) \ 
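Review bot: The variable block now defines `K8S_TIMEOUT ?= 75s` twice, with a new undocumented `AD_SECRET ?=` between the two copies; the second `?=` is a no-op, and neither addition matches a commit described as replacing NBSP with spaces. Drop the duplicate line, and if `AD_SECRET` is meant to land here give it the same `## ...` help comment the neighbouring variables carry, or move it to the commit that first uses it. Since the name suggests a credential, it is worth confirming that its value only ever comes from the environment or the command line and is never given a default in this file.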
@@ -135,7 +137,7 @@ delete-kind-cluster: ## Delete a Kind K8S cluster .PHONY: image-load -image-load: ## Load the image into the Kind K8S cluster +image-load: ## Load the image into the Kind K8S cluster @kind load docker-image $(BUILD_IMAGE) --name $(K8S_CLUSTER_NAME) @@ -162,7 +164,7 @@ run-tests-in-minikube: ## Run tests in Minikube .PHONY: create-mini-cluster -create-mini-cluster: $(MINIKUBE_KUBE_CONFIG_FOLDER) ## Create a Minikube K8S cluster +create-mini-cluster: $(MINIKUBE_KUBE_CONFIG_FOLDER) ## Create a Minikube K8S cluster @minikube start --kubernetes-version=$(K8S_CLUSTER_VERSION) \ && KUBECONFIG=$(MINIKUBE_KUBE_CONFIG_FOLDER)/config minikube update-context \ && KUBECONFIG=$(MINIKUBE_KUBE_CONFIG_FOLDER)/config kubectl config set-cluster minikube --server=https://minikube:8443 @@ -175,7 +177,7 @@ delete-mini-cluster: ## Delete a Minikube K8S cluster .PHONY: mini-image-load -mini-image-load: ## Load the image into the Minikube K8S cluster +mini-image-load: ## Load the image into the Minikube K8S cluster @minikube image load $(BUILD_IMAGE) From 910c04888c2c5e5cfd9a075a592266707fca20a2 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 12 Nov 2025 11:24:34 +0000 Subject: [PATCH 04/45] Update the tls cert generation script --- go.mod | 1 - go.sum | 2 - hack/tls-cert-gen/a-test-secret.yaml | 8 -- hack/tls-cert-gen/makefile | 17 +++ hack/tls-cert-gen/test.yaml | 8 -- hack/tls-cert-gen/test2.yaml | 8 -- hack/tls-cert-gen/tls-cert-gen.go | 129 +++++++++++------- .../tls-secret-cafe.example.com.yaml | 8 -- 8 files changed, 98 insertions(+), 83 deletions(-) delete mode 100644 hack/tls-cert-gen/a-test-secret.yaml delete mode 100644 hack/tls-cert-gen/test.yaml delete mode 100644 hack/tls-cert-gen/test2.yaml delete mode 100644 hack/tls-cert-gen/tls-secret-cafe.example.com.yaml diff --git a/go.mod b/go.mod index e38b9ed662..8c9462eefe 100644 --- a/go.mod +++ b/go.mod 
@@ -26,7 +26,6 @@ require ( k8s.io/apimachinery v0.34.1 k8s.io/client-go v0.34.1 k8s.io/code-generator v0.34.1 - k8s.io/kubernetes v1.34.1 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 sigs.k8s.io/controller-tools v0.19.0 sigs.k8s.io/yaml v1.6.0 diff --git a/go.sum b/go.sum index a17b8d492d..d16ea2e3cc 100644 --- a/go.sum +++ b/go.sum @@ -560,8 +560,6 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= -k8s.io/kubernetes v1.34.1 h1:F3p8dtpv+i8zQoebZeK5zBqM1g9x1aIdnA5vthvcuUk= -k8s.io/kubernetes v1.34.1/go.mod h1:iu+FhII+Oc/1gGWLJcer6wpyih441aNFHl7Pvm8yPto= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 h1:qPrZsv1cwQiFeieFlRqT627fVZ+tyfou/+S5S0H5ua0= diff --git a/hack/tls-cert-gen/a-test-secret.yaml b/hack/tls-cert-gen/a-test-secret.yaml deleted file mode 100644 index 184f8149ac..0000000000 --- a/hack/tls-cert-gen/a-test-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -data: - tls.crt: 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 - tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JR0hBZ0VBTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEJHMHdhd0lCQVFRZ2ZreGRRMGNUQnBiYWJYZjcKekZBTml0ckNLQysxY1FxSmVXTUR3dyt4Ni9PaFJBTkNBQVR4NjExdDZuNzRrZm5nTVFsVktUbFZ2Q1FuZ3ZDVAoxYkNNZ05MaW43UnpvSHpmTkFINHJZMXllMnVKdkszK3JneVRwQXp5dUJKdUtINFI3WjBnRjBPQwotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg== -kind: Secret -metadata: - name: v1-secret-thing -type: kubernetes.io/tls 
diff --git a/hack/tls-cert-gen/makefile b/hack/tls-cert-gen/makefile index e69de29bb2..f4a20fcaed 100644 --- a/hack/tls-cert-gen/makefile +++ b/hack/tls-cert-gen/makefile @@ -0,0 +1,17 @@ +.PHONY: run +run: + go run tls-cert-gen.go + +.PHONY: extract +extract: + @if [ -z "$@" ]; then \ + echo "Usage: make extract "; \ + exit 1; \ + fi + + @echo "dollar at is" + @echo $@ + @echo "this was dollar" + + @# Extract the TLS certificate from the Kubernetes secret + cat $@ | yq eval '.data["tls.crt"]' - | base64 -d | openssl x509 -text -noout diff --git a/hack/tls-cert-gen/test.yaml b/hack/tls-cert-gen/test.yaml deleted file mode 100644 index 55582eb064..0000000000 --- a/hack/tls-cert-gen/test.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -data: - tls.crt: d2VsbCBoZWxsbyB0aGVyZQ== - tls.key: Z2VuZXJhbCBrZW5vYmk= -kind: Secret -metadata: - name: v1-secret-thing -type: kubernetes.io/tls diff --git a/hack/tls-cert-gen/test2.yaml b/hack/tls-cert-gen/test2.yaml deleted file mode 100644 index 28146fdd88..0000000000 --- a/hack/tls-cert-gen/test2.yaml +++ /dev/null @@ -1,8 +0,0 @@ -Data: - tls.crt: d2VsbCBoZWxsbyB0aGVyZQ== - tls.key: Z2VuZXJhbCBrZW5vYmk= -Immutable: null -Type: kubernetes.io/tls -apiVersion: v1 -kind: Secret -name: core-secret-thing diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index b482a7a7a0..291932b444 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -13,7 +13,6 @@ import ( "fmt" "log/slog" "math/big" - "net" "os" "strings" "time" 
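Review bot: In the `extract` recipe `$@` is make's automatic variable for the target name, so it always expands to `extract`: the `[ -z "$@" ]` guard can never fire, and the last line runs `cat extract` instead of reading a secret file. Take the path from a variable instead, for example `@if [ -z "$(FILE)" ]; then echo "Usage: make extract FILE=path/to/secret.yaml"; exit 1; fi` followed by `yq eval '.data["tls.crt"]' "$(FILE)" | base64 -d | openssl x509 -text -noout`. The three `echo` lines around `$@` look like leftover debugging and can be removed.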
@@ -24,14 +23,55 @@ import ( "sigs.k8s.io/yaml" ) +const ( + secretShouldBeValid = true + secretShouldBeInvalid = false +) + var yamlSecrets = []yamlSecret{ { secretName: "tls-secret", - fileName: "a-test-secret.yaml", - hosts: []string{"*.example.com"}, + fileName: "tls-secret.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, + }, }, } +// JITTLSKey is a Just In Time TLS key representation. The only two parts that +// we need here are the bytes for the cert and the key. These two will be +// written as the data.tls.cert and data.tls.key properties of the kubernetes +// core.Secret type. +// +// This does not hold the hosts information, because that's being assembled +// elsewhere, but the data does actually contain the passed in hosts. +type JITTLSKey struct { + cert []byte + key []byte +} + +type templateData struct { + country []string + organization []string + organizationalUnit []string + locality []string + province []string + commonName string + dnsNames []string +} + +type yamlSecret struct { + secretName string + fileName string + templateData templateData +} + func main() { logger := slog.New(slog.NewTextHandler(os.Stdout, nil)) var err error 
@@ -68,14 +108,14 @@ func publicKey(priv any) any { // - keys are always valid from "now" until 4 days in the future. Given the // short usage window of the keys, this is enough // - all keys are certificate authorities (isCA is set to true for all) -func printTLS(host string) (*JITTLSKey, error) { +func printTLS(templateData templateData) (*JITTLSKey, error) { priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { return nil, fmt.Errorf("failed to generate private key: %w", err) } validFrom := time.Now() - validUntil := validFrom.Add(4 * 24 * time.Hour) + validUntil := validFrom.Add(31 * 24 * time.Hour) serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) 
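Review bot: The doc comment above printTLS is now stale: it still says keys are valid "until 4 days in the future" and that "all keys are certificate authorities (isCA is set to true for all)", while this patch changes the lifetime to `validFrom.Add(31 * 24 * time.Hour)` here and sets `IsCA: false` in the next hunk. Update the bullets to something like `// - certificates are valid from "now" for 31 days` and `// - certificates are self-signed leaf certs (IsCA is false)`. The comment begins above this hunk; the earlier bullet about a comma-separated list of domains, added in patch 01, presumably needs rewording to describe the `templateData` argument as well.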
@@ -84,36 +124,26 @@ func printTLS(host string) (*JITTLSKey, error) { } template := x509.Certificate{ - SerialNumber: serialNumber, Issuer: pkix.Name{ - Country: []string{"GB"}, - Organization: []string{"Internet Widgits Pty Ltd"}, + Country: templateData.country, + Organization: templateData.organization, }, Subject: pkix.Name{ - Country: []string{"US"}, - Organization: []string{"Acme Co"}, - OrganizationalUnit: []string{"Finance"}, - Locality: []string{"San Francisco"}, - Province: []string{"California"}, - StreetAddress: nil, - PostalCode: nil, - SerialNumber: "", - CommonName: host, - Names: nil, - ExtraNames: nil, + Country: templateData.country, + Organization: templateData.organization, + OrganizationalUnit: templateData.organizationalUnit, + Locality: templateData.locality, + Province: templateData.province, + CommonName: templateData.commonName, }, + DNSNames: templateData.dnsNames, + SerialNumber: serialNumber, NotBefore: validFrom, NotAfter: validUntil, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, - IsCA: true, - } - - if ip := net.ParseIP(host); ip != nil { - template.IPAddresses = append(template.IPAddresses, ip) - } else { - template.DNSNames = append(template.DNSNames, host) + IsCA: false, } derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv) 
@@ -143,30 +173,26 @@ func printTLS(host string) (*JITTLSKey, error) { }, nil } -// JITTLSKey is a Just In Time TLS key representation. The only two parts that -// we need here are the bytes for the cert and the key. These two will be -// written as the data.tls.cert and data.tls.key properties of the kubernetes -// core.Secret type. -// -// This does not hold the hosts information, because that's being assembled -// elsewhere, but the data does actually contain the passed in hosts. -type JITTLSKey struct { - cert []byte - key []byte -} +func printYaml(secret yamlSecret) error { + tlsKeys, err := printTLS(secret.templateData) + if err != nil { + return fmt.Errorf("failed generating TLS keys for hosts: (%s: %v): %w", secret.templateData.commonName, secret.templateData.dnsNames, err) + } -type yamlSecret struct { - secretName string - fileName string - hosts []string -} + err = createYamlSecret(secret, secretShouldBeValid, tlsKeys) + if err != nil { + return fmt.Errorf("writing valid file for %s: %w", secret.fileName, err) + } -func printYaml(secret yamlSecret) error { - tlsKeys, err := printTLS(strings.Join(secret.hosts, ",")) + err = createYamlSecret(secret, secretShouldBeInvalid, tlsKeys) if err != nil { - return fmt.Errorf("failed generating TLS keys for hosts: %v: %w", secret.hosts, err) + return fmt.Errorf("writing invalid file for %s: %w", secret.fileName, err) } + return nil +} + +func createYamlSecret(secret yamlSecret, isValid bool, tlsKeys *JITTLSKey) error { s := v1.Secret{ TypeMeta: metav1.TypeMeta{ Kind: "Secret", 
@@ -182,14 +208,21 @@ func printYaml(secret yamlSecret) error { Type: v1.SecretTypeTLS, } + fileName := secret.fileName + + if !isValid { + fileName = strings.ReplaceAll(secret.fileName, ".yaml", "-invalid.yaml") + s.Data[v1.TLSCertKey] = []byte(``) + } + sb, err := yaml.Marshal(s) if err != nil { - return fmt.Errorf("failed to marshal kubernetes secret: %w", err) + return fmt.Errorf("marshaling kubernetes secret into yaml %v: %w", s, err) } - err = os.WriteFile(secret.fileName, sb, 0o600) + err = os.WriteFile(fileName, sb, 0o600) if err != nil { - return fmt.Errorf("failed to write kubernetes secret to file %s: %w", secret.fileName, err) + return fmt.Errorf("write kubernetes secret to file %s: %w", secret.fileName, err) } return nil diff --git a/hack/tls-cert-gen/tls-secret-cafe.example.com.yaml b/hack/tls-cert-gen/tls-secret-cafe.example.com.yaml deleted file mode 100644 index c421f9daed..0000000000 --- a/hack/tls-cert-gen/tls-secret-cafe.example.com.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: tls-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 From 6a7d8d9fba038ebfddf206da1598eaf1742669d9 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 12 Nov 2025 11:28:58 +0000 Subject: [PATCH 05/45] Add cert link finder script --- hack/cert-links/certinfo.txt | 364 +++++++++++++++++++++++++ hack/cert-links/files-and-symlinks.txt | 109 ++++++++ hack/cert-links/go.mod | 5 + hack/cert-links/go.sum | 2 + hack/cert-links/main.go | 191 +++++++++++++ 5 files changed, 671 insertions(+) create mode 100644 hack/cert-links/certinfo.txt create mode 100644 hack/cert-links/files-and-symlinks.txt create mode 100644 hack/cert-links/go.mod create mode 100644 hack/cert-links/go.sum create mode 100644 hack/cert-links/main.go 
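Review bot: The marshal error in createYamlSecret formats the whole Secret with `%v`, and `s.Data` holds the freshly generated private key, so a failure would put key bytes into the error that main logs; name the secret instead, `return fmt.Errorf("marshaling kubernetes secret %q into yaml: %w", secret.secretName, err)`. The invalid variant's path is built with `strings.ReplaceAll(secret.fileName, ".yaml", "-invalid.yaml")`, which returns the name unchanged when it contains no `.yaml` (the invalid secret would then overwrite the valid file just written) and rewrites every occurrence rather than only the extension; `strings.TrimSuffix(secret.fileName, ".yaml") + "-invalid.yaml"` is safer. The write error should report `fileName` rather than `secret.fileName`, otherwise a failure on the invalid file names the wrong path. The `-invalid` file also still carries the real `tls.key`, so it needs the same handling as the valid output. createYamlSecret starts in the previous hunk.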
diff --git a/hack/cert-links/certinfo.txt b/hack/cert-links/certinfo.txt new file mode 100644 index 0000000000..9b8d9b2769 --- /dev/null +++ b/hack/cert-links/certinfo.txt 
@@ -0,0 +1,364 @@ +/examples/common-secrets/greeter-secret-virtual-server.example.com.yaml + secret name: greeter-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=virtual-server.example.com + Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=virtual-server.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:virtual-server.example.com + X509v3 Basic Constraints: + CA:FALSE + +/examples/common-secrets/tls-secret-wildcard.example.com.yaml + secret name: tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=*.example.com + Subject: CN=*.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + +/examples/common-secrets/tls-secret-webapp.example.com.yaml + secret name: tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=webapp.example.com + Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=webapp.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:webapp.example.com + X509v3 Basic Constraints: + CA:FALSE + +/tests/data/common-secrets/default-server-secret-NGINXIngressController.yaml + secret name: default-server-secret + namespace: nginx-ingress + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=NGINXIngressController + Subject: CN=NGINXIngressController + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + +/tests/data/common-secrets/wildcard-tls-secret-example.com.yaml + secret name: wildcard-tls-secret + namespace: not specified + 
Signature Algorithm: sha256WithRSAEncryption + Issuer: C=ES, ST=CanaryIslands, O=nginx, OU=example.com, CN=example.com + Subject: C=ES, ST=CanaryIslands, O=nginx, OU=example.com, CN=example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + +/examples/common-secrets/cafe-secret-cafe-ns.example.com.yaml + secret name: cafe-secret + namespace: cafe + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + +/tests/data/common-secrets/app-tls-secret-app.example.com.yaml + secret name: app-tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=app.example.com + Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=app.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:app.example.com + X509v3 Basic Constraints: + CA:FALSE + +/tests/data/common-secrets/cafe-secret-cafe.example.com.yaml + secret name: cafe-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + +/tests/data/common-secrets/tls-secret-cafe.example.com-gb.yaml + secret name: tls-secret + namespace: not specified + 
Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com + Subject: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + +/tests/data/common-secrets/transport-server-tls-secret-cafe.example.com-gb.yaml + secret name: transport-server-tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com + Subject: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + +/tests/data/common-secrets/wildcard-tls-secret-example.com-gb.yaml + secret name: wildcard-tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Cambridgeshire, O=nginx, CN=example.com + Subject: C=GB, ST=Cambridgeshire, O=nginx, CN=example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + +/examples/common-secrets/app-tls-secret-app.example.com.yaml + secret name: app-tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=app.example.com + Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=app.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:app.example.com + X509v3 Basic Constraints: + CA:FALSE + +/tests/data/common-secrets/appprotect-secret-appprotect.example.com.yaml + secret name: appprotect-secret + namespace: not 
specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=appprotect.example.com + Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=appprotect.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:appprotect.example.com + X509v3 Basic Constraints: + CA:FALSE + +/tests/data/common-secrets/tls-secret-virtual-server.example.com.yaml + secret name: tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=virtual-server.example.com + Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=virtual-server.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:virtual-server.example.com + X509v3 Basic Constraints: + CA:FALSE + +/tests/data/common-secrets/test-secret-cafe.example.com.yaml + secret name: test-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + +/tests/data/common-secrets/tls-secret-cafe.example.com.yaml + secret name: tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + 
+/examples/common-secrets/mongo-secret-mongo.example.com.yaml + secret name: mongo-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=mongo.example.com + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=mongo.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:mongo.example.com + X509v3 Basic Constraints: + CA:FALSE + +/examples/common-secrets/service-insight-secret-cafe.example.com.yaml + secret name: service-insight-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + +/examples/common-secrets/webapp-secret-cafe.example.com.yaml + secret name: webapp-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + +/tests/data/common-secrets/default-server-secret-cafe.example.com-gb.yaml + secret name: default-server-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com + Subject: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + 
X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + +/tests/data/common-secrets/transport-server-tls-secret-kic.example.com.yaml + secret name: transport-server-tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=kic.example.com + Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=kic.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:kic.example.com + X509v3 Basic Constraints: + CA:FALSE + +/examples/common-secrets/cafe-secret-cafe.example.com.yaml + secret name: cafe-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:cafe.example.com + X509v3 Basic Constraints: + CA:TRUE + +/examples/common-secrets/default-server-secret-NGINXIngressController.yaml + secret name: default-server-secret + namespace: nginx-ingress + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=NGINXIngressController + Subject: CN=NGINXIngressController + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + +/tests/data/egress-mtls/secret/tls-secret.yaml + secret name: egress-tls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=San Fransisco, O=NGINX, OU=KIC, CN=example.com + Subject: C=US, ST=CA, L=San Fransisco, O=NGINX, OU=KIC, CN=client + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + +/tests/data/mgmt-configmap-keys/ssl-cert.yaml + secret name: 
ssl-cert + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + +/examples/custom-resources/egress-mtls/egress-mtls-secret.yaml + secret name: egress-mtls-secret + namespace: not specified + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=San Fransisco, O=NGINX, OU=KIC, CN=example.com + Subject: C=US, ST=CA, L=San Fransisco, O=NGINX, OU=KIC, CN=client + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) diff --git a/hack/cert-links/files-and-symlinks.txt b/hack/cert-links/files-and-symlinks.txt new file mode 100644 index 0000000000..fc3c5c2c52 --- /dev/null +++ b/hack/cert-links/files-and-symlinks.txt 
@@ -0,0 +1,109 @@ +Actual file: /examples/common-secrets/cafe-secret-cafe.example.com.yaml + - : /examples/custom-resources/api-key/cafe-secret.yaml + - : /examples/custom-resources/external-dns/cafe-secret.yaml + - : /examples/custom-resources/transport-server-sni/cafe-secret.yaml + - : /examples/ingress-resources/basic-auth/cafe-secret.yaml + - : /examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml + - : /examples/custom-resources/custom-listeners/cafe-secret.yaml + - : /examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml + - : /examples/ingress-resources/security-monitoring/cafe-secret.yaml + - : /examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml + - : /examples/ingress-resources/app-protect-waf/cafe-secret.yaml + - : /examples/custom-resources/basic-auth/cafe-secret.yaml + - : /examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml + - : /examples/ingress-resources/mergeable-ingress-types/cafe-secret.yaml + - : /examples/custom-resources/basic-configuration/cafe-secret.yaml + - : /examples/custom-resources/backup-directive/virtual-server/cafe-secret.yaml + - : /examples/custom-resources/cache-policy/cafe-secret.yaml + - : /examples/ingress-resources/complete-example/cafe-secret.yaml + - : /examples/ingress-resources/rate-limit/cafe-secret.yaml + +Actual file: /examples/common-secrets/app-tls-secret-app.example.com.yaml + - : /examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml + - : /examples/custom-resources/backup-directive/transport-server/app-tls-secret.yaml + - : /examples/custom-resources/tls-passthrough/app-tls-secret.yaml + +Actual file: /tests/data/common-secrets/test-secret-cafe.example.com.yaml + - : /tests/data/service-insight/secret.yaml + - : /tests/data/upgrade-test-resources/secret.yaml + +Actual file: /tests/data/common-secrets/tls-secret-cafe.example.com-gb.yaml + - : /tests/data/tls/new-tls-secret.yaml + - : 
/tests/data/virtual-server-tls/new-tls-secret.yaml + +Actual file: /tests/data/common-secrets/transport-server-tls-secret-cafe.example.com-gb.yaml + - : /tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml + +Actual file: /tests/data/common-secrets/cafe-secret-cafe.example.com.yaml + - : /tests/data/transport-server-with-host/cafe-secret.yaml + +Actual file: /tests/data/common-secrets/wildcard-tls-secret-example.com.yaml + - : /tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml + +Actual file: /examples/common-secrets/tls-secret-webapp.example.com.yaml + - : /examples/custom-resources/oidc-fclo/tls-secret.yaml + - : /examples/custom-resources/ingress-mtls/tls-secret.yaml + - : /examples/custom-resources/oidc/tls-secret.yaml + +Actual file: /tests/data/common-secrets/tls-secret-virtual-server.example.com.yaml + - : /tests/data/ap-waf-grpc/tls-secret.yaml + - : /tests/data/ingress-mtls/secret/tls-secret.yaml + - : /tests/data/virtual-server-grpc/tls-secret.yaml + - : /tests/data/virtual-server-route-grpc/tls-secret.yaml + +Actual file: /tests/data/common-secrets/app-tls-secret-app.example.com.yaml + - : /tests/data/common/app/secure/secret/app-tls-secret.yaml + +Actual file: /tests/data/common-secrets/tls-secret-cafe.example.com.yaml + - : /tests/data/virtual-server-tls/tls-secret.yaml + - : /tests/data/smoke/smoke-secret.yaml + - : /tests/data/tls/tls-secret.yaml + - : /tests/data/prometheus/secret.yaml + - : /tests/data/watch-secret-namespace/tls-secret.yaml + - : /tests/data/dos/tls-secret.yaml + - : /tests/data/virtual-server-certmanager/tls-secret.yaml + +Actual file: /tests/data/common-secrets/default-server-secret-NGINXIngressController.yaml + - : /tests/data/common/default-server-secret.yaml + +Actual file: /tests/data/common-secrets/wildcard-tls-secret-example.com-gb.yaml + - : /tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml + +Actual file: /examples/common-secrets/mongo-secret-mongo.example.com.yaml + - : 
/examples/custom-resources/transport-server-sni/mongo-secret.yaml + +Actual file: /tests/data/common-secrets/appprotect-secret-appprotect.example.com.yaml + - : /tests/data/appprotect/appprotect-secret.yaml + +Actual file: /examples/common-secrets/service-insight-secret-cafe.example.com.yaml + - : /examples/custom-resources/service-insight/service-insight-secret.yaml + +Actual file: /tests/data/common-secrets/default-server-secret-cafe.example.com-gb.yaml + - : /tests/data/default-server/new-tls-secret.yaml + +Actual file: /examples/common-secrets/tls-secret-wildcard.example.com.yaml + - : /examples/custom-resources/jwks/tls-secret.yaml + +Actual file: /examples/common-secrets/greeter-secret-virtual-server.example.com.yaml + - : /examples/custom-resources/grpc-upstreams/greeter-secret.yaml + +Actual file: /examples/common-secrets/default-server-secret-NGINXIngressController.yaml + - : /examples/shared-examples/default-server-secret/default-server-secret.yaml + +Actual file: /examples/common-secrets/cafe-secret-cafe-ns.example.com.yaml + - : /examples/custom-resources/cross-namespace-configuration/cafe-secret.yaml + +Actual file: /examples/common-secrets/webapp-secret-cafe.example.com.yaml + - : /examples/ingress-resources/app-protect-dos/webapp-secret.yaml + +Actual file: /tests/data/common-secrets/transport-server-tls-secret-kic.example.com.yaml + - : /tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml + + + +Printing only Actual Files with no symbolic links pointing to them + +/examples/custom-resources/egress-mtls/egress-mtls-secret.yaml +/tests/data/default-server/invalid-tls-secret.yaml +/tests/data/mgmt-configmap-keys/ssl-cert.yaml +/tests/data/egress-mtls/secret/tls-secret.yaml diff --git a/hack/cert-links/go.mod b/hack/cert-links/go.mod new file mode 100644 index 0000000000..db78c30644 --- /dev/null +++ b/hack/cert-links/go.mod 
@@ -0,0 +1,5 @@
+module github.com/javorszky/cert-links
+
+go 1.25.1
+
+require github.com/goccy/go-yaml v1.18.0 // indirect
diff --git a/hack/cert-links/go.sum b/hack/cert-links/go.sum
new file mode 100644
index 0000000000..eb0d822307
--- /dev/null
+++ b/hack/cert-links/go.sum
@@ -0,0 +1,2 @@
+github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
+github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
diff --git a/hack/cert-links/main.go b/hack/cert-links/main.go
new file mode 100644
index 0000000000..b1906b5d2a
--- /dev/null
+++ b/hack/cert-links/main.go
@@ -0,0 +1,191 @@ +package main + +import ( + "bytes" + "fmt" + "io" + "io/fs" + "log" + "os" + "os/exec" + "path/filepath" + "strings" + + "github.com/goccy/go-yaml" +) + +type yamlTLS struct { + ResourceKind string `yaml:"kind"` + ResourceType string `yaml:"type"` +} + +func main() { + p, err := filepath.Abs("../..") + if err != nil { + panic(err) + } + + examples := filepath.Join(p, "examples") + + tests := filepath.Join(p, "tests") + + yamlActuals := make(map[string]os.FileInfo) + yamlSymlinks := make(map[string]os.FileInfo) + + err = filepath.WalkDir(p, func(path string, d fs.DirEntry, err error) error { + if !strings.HasPrefix(path, examples) && !strings.HasPrefix(path, tests) { + return nil + } + + if err != nil { + return fmt.Errorf("error while walking path %s: %w", path, err) + } + + ext := filepath.Ext(d.Name()) + if ext != ".yaml" && ext != ".yml" { + return nil + } + + if d.Type().IsRegular() || d.Type() == fs.ModeSymlink { + f, err := os.Open(path) + if err != nil { + return fmt.Errorf("error while opening file %s: %w", path, err) + } + + fi, err := f.Stat() + if err != nil { + return fmt.Errorf("error while stating file %s: %w", path, err) + } + + yk := yamlTLS{} + + contents, err := io.ReadAll(f) + if err != nil { + return fmt.Errorf("error while reading file %s: %w", path, err) + } + + err = yaml.Unmarshal(contents, &yk) + if err != nil { + return fmt.Errorf("error while parsing file into tls yaml %s: %w", path, err) + } + + if yk.ResourceType != "kubernetes.io/tls" { + return nil + } + + if yk.ResourceKind != "Secret" { + return nil + } + + if d.Type().IsRegular() { + yamlActuals[path] = fi + return nil + } + + yamlSymlinks[path] = fi + + return nil + } + + return nil + }) + if err != nil { + log.Fatalf("error walking path %s: %v", p, err) + } + + actualsAndSymlinks := make(map[string][]string) + + for path := range yamlSymlinks { + starget, err := filepath.EvalSymlinks(path) + if err != nil { + log.Fatalf("error while evaluating symlink %s: %v", 
path, err) + } + + actualsAndSymlinks[starget] = append(actualsAndSymlinks[starget], path) + } + + certInfo := make([]string, 0) + + for target, symlinks := range actualsAndSymlinks { + fmt.Printf("Actual file: %s\n", strings.TrimPrefix(target, p)) + for _, path := range symlinks { + fmt.Printf(" - : %s\n", strings.TrimPrefix(path, p)) + } + + info, err := getCertificateInfo(target) + if err != nil { + log.Fatalf("error while getting certificate info for %s: %v", target, err) + } + + certInfo = append(certInfo, strings.TrimPrefix(target, p)) + certInfo = append(certInfo, info...) + } + + onlyActualFiles := make(map[string]os.FileInfo) + for path, info := range yamlActuals { + if _, ok := actualsAndSymlinks[path]; !ok { + onlyActualFiles[path] = info + } + } + + fmt.Print("\n\nPrinting only Actual Files with no symbolic links pointing to them\n\n") + for path := range onlyActualFiles { + if path == "/Users/g.javorszky/Projects/NIC/kubernetes-ingress/tests/data/default-server/invalid-tls-secret.yaml" { + continue + } + + fmt.Printf("%s\n", strings.TrimPrefix(path, p)) + + info, err := getCertificateInfo(path) + if err != nil { + log.Fatalf("error while getting certificate info for %s: %v", path, err) + } + + certInfo = append(certInfo, strings.TrimPrefix(path, p)) + certInfo = append(certInfo, info...) 
+ } + + err = os.WriteFile("certinfo.txt", []byte(strings.Join(certInfo, "\n")), fs.ModePerm) + if err != nil { + log.Fatalf("error while writing cert.txt: %v", err) + } +} + +func getCertificateInfo(path string) ([]string, error) { + output := bytes.NewBuffer(nil) + cmd := exec.Command("extract", path) + cmd.Stdout = output + err := cmd.Run() + if err != nil { + return nil, fmt.Errorf("error running extract command %s: %w", path, err) + } + + parsedOutput := make([]string, 0) + for _, line := range strings.Split(output.String(), "\n") { + // skip the line with the modulus + if strings.Contains(line, "Modulus:") { + continue + } + + // skip the lines with the hexdump modulus + if strings.HasPrefix(line, " ") { + continue + } + + // skip the public key exponent + if strings.Contains(line, "Exponent:") { + continue + } + + // skip the double printing of the x509v3 extensions + if !strings.HasPrefix(line, " ") { + continue + } + + parsedOutput = append(parsedOutput, line) + } + + parsedOutput = append(parsedOutput, "") + + return parsedOutput, nil +} From 758cde3cc6d74dff9f70aaec12c8461eeff3780c Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 12 Nov 2025 12:27:16 +0000 Subject: [PATCH 06/45] Write the files and symlinks --- hack/tls-cert-gen/tls-cert-gen.go | 95 +++++++++++++++++++++---------- 1 file changed, 64 insertions(+), 31 deletions(-) diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index 291932b444..13dcf131eb 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -14,7 +14,7 @@ import ( "log/slog" "math/big" "os" - "strings" + "path/filepath" "time" log "github.com/nginx/kubernetes-ingress/internal/logger" 
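Review bot: The skip in the "only Actual Files" loop compares `path` with a literal under `/Users/g.javorszky/...`, so on any other checkout `invalid-tls-secret.yaml` is not skipped and is handed to `getCertificateInfo`, where a failure (likely for a deliberately invalid secret) ends the run through `log.Fatalf`. Build the path from `p` instead: `if path == filepath.Join(p, "tests", "data", "default-server", "invalid-tls-secret.yaml") {`. In the walk callback the handle returned by `os.Open(path)` is never closed, so add `defer f.Close()` right after its error check. `os.WriteFile("certinfo.txt", ..., fs.ModePerm)` requests mode 0777 for a plain text report where `0o644` is enough, and its error message names `cert.txt`. `exec.Command("extract", path)` runs whatever `extract` resolves to on PATH, so a comment stating which tool that is and where it comes from would make the script reproducible.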
@@ -26,23 +26,48 @@ import ( const ( secretShouldBeValid = true secretShouldBeInvalid = false + realSecretDirectory = "examples/common-secrets/" ) -var yamlSecrets = []yamlSecret{ - { - secretName: "tls-secret", - fileName: "tls-secret.yaml", - templateData: templateData{ - country: []string{"IE"}, - organization: []string{"F5 NGINX"}, - organizationalUnit: []string{"NGINX Ingress Controller"}, - locality: []string{"Cork"}, - province: []string{"Cork"}, - commonName: "example.com", - dnsNames: []string{"*.example.com"}, +var ( + projectRoot = "" // this will be redefined in main() + yamlSecrets = []yamlSecret{ + { + secretName: "tls-secret", + fileName: "tls-secret.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, + }, + valid: secretShouldBeValid, + symlinks: []string{ + "examples/custom-resources/oidc-fclo/tls-secret-symlinked.yaml", + }, }, - }, -} + { + secretName: "tls-secret", + fileName: "tls-secret-invalid.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, + }, + valid: secretShouldBeInvalid, + symlinks: []string{ + "/tests/data/default-server/invalid-tls-secret.yaml", + }, + }, + } +) // JITTLSKey is a Just In Time TLS key representation. The only two parts that // we need here are the bytes for the cert and the key. These two will be @@ -69,6 +94,8 @@ type templateData struct { type yamlSecret struct { secretName string fileName string + symlinks []string + valid bool templateData templateData } 
@@ -76,8 +103,13 @@ func main() { logger := slog.New(slog.NewTextHandler(os.Stdout, nil)) var err error + projectRoot, err = filepath.Abs("../..") + if err != nil { + log.Fatalf(logger, "filepath.Abs: %v", err) + } + for _, secret := range yamlSecrets { - err = printYaml(secret) + err = printYaml(secret, projectRoot) if err != nil { log.Fatalf(logger, "Failed to print tls key: %v: %v", secret, err) } @@ -173,26 +205,35 @@ func printTLS(templateData templateData) (*JITTLSKey, error) { }, nil } -func printYaml(secret yamlSecret) error { +func printYaml(secret yamlSecret, projectRoot string) error { tlsKeys, err := printTLS(secret.templateData) if err != nil { return fmt.Errorf("failed generating TLS keys for hosts: (%s: %v): %w", secret.templateData.commonName, secret.templateData.dnsNames, err) } - err = createYamlSecret(secret, secretShouldBeValid, tlsKeys) + fileContents, err := createYamlSecret(secret, secret.valid, tlsKeys) if err != nil { return fmt.Errorf("writing valid file for %s: %w", secret.fileName, err) } - err = createYamlSecret(secret, secretShouldBeInvalid, tlsKeys) + // write actual file + realFilePath := filepath.Join(projectRoot, realSecretDirectory, secret.fileName) + err = os.WriteFile(realFilePath, fileContents, 0o600) if err != nil { - return fmt.Errorf("writing invalid file for %s: %w", secret.fileName, err) + return fmt.Errorf("write kubernetes secret to file %s: %w", secret.fileName, err) + } + + for _, symlinkTarget := range secret.symlinks { + err = os.Symlink(realFilePath, filepath.Join(projectRoot, symlinkTarget)) + if err != nil { + return fmt.Errorf("symlink %s to %s: %w", symlinkTarget, realFilePath, err) + } } return nil } -func createYamlSecret(secret yamlSecret, isValid bool, tlsKeys *JITTLSKey) error { +func createYamlSecret(secret yamlSecret, isValid bool, tlsKeys *JITTLSKey) ([]byte, error) { s := v1.Secret{ TypeMeta: metav1.TypeMeta{ Kind: "Secret", 
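Review bot: In the new symlink loop of `printYaml`, `os.Symlink(realFilePath, ...)` uses a target derived from `filepath.Abs("../..")`, so each link stores the absolute path of the checkout it was generated in and will dangle on any other machine if these links are meant to be committed. Computing the target relative to the link's own directory with `filepath.Rel` keeps the links portable. `filepath.Abs("../..")` in `main` also makes the output depend on the directory the tool is started from, which deserves a comment next to it. The error text `writing valid file for %s` is now returned for secrets marked invalid as well.

```go
for _, symlinkTarget := range secret.symlinks {
	linkPath := filepath.Join(projectRoot, symlinkTarget)

	// Store a target relative to the link's directory so the link
	// does not embed the absolute path of this checkout.
	relTarget, err := filepath.Rel(filepath.Dir(linkPath), realFilePath)
	if err != nil {
		return fmt.Errorf("relative path from %s to %s: %w", linkPath, realFilePath, err)
	}

	err = os.Symlink(relTarget, linkPath)
	// … unchanged: error return for the failed symlink …
}
```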
@@ -208,22 +249,14 @@ func createYamlSecret(secret yamlSecret, isValid bool, tlsKeys *JITTLSKey) error Type: v1.SecretTypeTLS, } - fileName := secret.fileName - if !isValid { - fileName = strings.ReplaceAll(secret.fileName, ".yaml", "-invalid.yaml") s.Data[v1.TLSCertKey] = []byte(``) } sb, err := yaml.Marshal(s) if err != nil { - return fmt.Errorf("marshaling kubernetes secret into yaml %v: %w", s, err) + return nil, fmt.Errorf("marshaling kubernetes secret into yaml %v: %w", s, err) } - err = os.WriteFile(fileName, sb, 0o600) - if err != nil { - return fmt.Errorf("write kubernetes secret to file %s: %w", secret.fileName, err) - } - - return nil + return sb, nil } From f1eaf33ac3720a57614c887cbeb152a66398f23b Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 12 Nov 2025 16:25:34 +0000 Subject: [PATCH 07/45] Add inline comments --- hack/tls-cert-gen/tls-cert-gen.go | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index 13dcf131eb..a01d9ed1de 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go 
@@ -206,23 +206,37 @@ func printTLS(templateData templateData) (*JITTLSKey, error) { } func printYaml(secret yamlSecret, projectRoot string) error { + // This part creates the tls keys (certificate and key) based on the + // issuer, subject, and dnsnames data. tlsKeys, err := printTLS(secret.templateData) if err != nil { return fmt.Errorf("failed generating TLS keys for hosts: (%s: %v): %w", secret.templateData.commonName, secret.templateData.dnsNames, err) } + // This part takes the created certificate and key, still in bytes, and + // embeds them into a kubernetes tls secret yaml format. At this point the + // fileContents is still a byteslice waiting to be written to a file. + // + // If the incoming secret is not valid, then the created yaml file will have + // an empty tls.key value. fileContents, err := createYamlSecret(secret, secret.valid, tlsKeys) if err != nil { return fmt.Errorf("writing valid file for %s: %w", secret.fileName, err) } - // write actual file + // This part takes care of writing the yaml file onto disk, and creating the + // symbolic links for them. The functions used, os.WriteFile, and os.SymLink + // will truncate the files first if they exist. The SymLink function will + // also work in case the existing file is a regular file: it will truncate + // that, and turn that into a SymLink. There is no need to manually remove + // leftover files. realFilePath := filepath.Join(projectRoot, realSecretDirectory, secret.fileName) err = os.WriteFile(realFilePath, fileContents, 0o600) if err != nil { return fmt.Errorf("write kubernetes secret to file %s: %w", secret.fileName, err) } + // Create symlinks for _, symlinkTarget := range secret.symlinks { err = os.Symlink(realFilePath, filepath.Join(projectRoot, symlinkTarget)) if err != nil { From a638544f120a2e89dec3be229a119101690f4cc6 Mon Sep 17 00:00:00 2001 
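Review bot: The comment added above the write step says `os.SymLink` truncates an existing file and that leftovers need no cleanup, but `os.Symlink` returns an error when the link path already exists, so a second run of the generator stops at the first symlink. Either remove the old entry before linking, e.g. `if err := os.Remove(filepath.Join(projectRoot, symlinkTarget)); err != nil && !errors.Is(err, fs.ErrNotExist) { return err }`, or change the comment to say the links must not exist yet. The comment above the `createYamlSecret` call also promises an empty `tls.key` for invalid secrets, while the code shown in the earlier hunks blanks `s.Data[v1.TLSCertKey]`, which is the certificate entry; the comment should say `tls.crt`, or the code should use the key constant, whichever is intended. The body of `printYaml` continues outside this hunk.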
From: Gabor Javorszky Date: Wed, 12 Nov 2025 16:38:19 +0000 Subject: [PATCH 08/45] More inline comments and code organisation --- hack/tls-cert-gen/certs.go | 38 ++++++++ hack/tls-cert-gen/tls-cert-gen.go | 143 +++++++++++++----------------- 2 files changed, 100 insertions(+), 81 deletions(-) create mode 100644 hack/tls-cert-gen/certs.go diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go new file mode 100644 index 0000000000..20c2c0380b --- /dev/null +++ b/hack/tls-cert-gen/certs.go @@ -0,0 +1,38 @@ +package main + +var yamlSecrets = []yamlSecret{ + { + secretName: "tls-secret", + fileName: "tls-secret.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, + }, + valid: secretShouldBeValid, + symlinks: []string{ + "examples/custom-resources/oidc-fclo/tls-secret-symlinked.yaml", + }, + }, + { + secretName: "tls-secret", + fileName: "tls-secret-invalid.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, + }, + valid: secretShouldBeInvalid, + symlinks: []string{ + "/tests/data/default-server/invalid-tls-secret.yaml", + }, + }, +} diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index a01d9ed1de..e531acec37 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go 
@@ -29,45 +29,7 @@ const ( realSecretDirectory = "examples/common-secrets/" ) -var ( - projectRoot = "" // this will be redefined in main() - yamlSecrets = []yamlSecret{ - { - secretName: "tls-secret", - fileName: "tls-secret.yaml", - templateData: templateData{ - country: []string{"IE"}, - organization: []string{"F5 NGINX"}, - organizationalUnit: []string{"NGINX Ingress Controller"}, - locality: []string{"Cork"}, - province: []string{"Cork"}, - commonName: "example.com", - dnsNames: []string{"*.example.com"}, - }, - valid: secretShouldBeValid, - symlinks: []string{ - "examples/custom-resources/oidc-fclo/tls-secret-symlinked.yaml", - }, - }, - { - secretName: "tls-secret", - fileName: "tls-secret-invalid.yaml", - templateData: templateData{ - country: []string{"IE"}, - organization: []string{"F5 NGINX"}, - organizationalUnit: []string{"NGINX Ingress Controller"}, - locality: []string{"Cork"}, - province: []string{"Cork"}, - commonName: "example.com", - dnsNames: []string{"*.example.com"}, - }, - valid: secretShouldBeInvalid, - symlinks: []string{ - "/tests/data/default-server/invalid-tls-secret.yaml", - }, - }, - } -) +var projectRoot = "" // this will be redefined in main() // JITTLSKey is a Just In Time TLS key representation. The only two parts that // we need here are the bytes for the cert and the key. These two will be @@ -81,6 +43,13 @@ type JITTLSKey struct { key []byte } +// templateData is a subset of the x509.Certificate info: it pulls in some of +// the Issuer, Subject, and DNSNames properties from that struct. Motivation for +// this is to provide a complete but limited struct we need to fill out for +// every tls certificate we want to use for testing or examples. +// +// Making decisions on what data to leave out of the x509.Certificate struct is +// therefore no longer a concern. type templateData struct { country []string organization []string 
@@ -91,6 +60,14 @@ type templateData struct { dnsNames []string } +// yamlSecret encapsulates all the data that we need to create the tls secrets +// that kubernetes needs as tls files. +// +// secretName - this is what virtualservers and other objects reference +// fileName - every secret needs to have an actual file on the disk. This is going to be the name of the file that's placed in the examples/common-secrets directory +// symlinks - a slice of paths that will symlink to the actual file. These paths are relative to the project root. For example: []string{"examples/custom-resources/oidc/tls-secret.yaml"} +// valid - whether the generated kubernetes secret file should be valid. An invalid secret will not have the data["tls.key"] property set in the yaml file. +// templateData - has information about issuer, subject, common name (main domain), and dnsNames (subject alternate names). type yamlSecret struct { secretName string fileName string 
@@ -129,6 +106,50 @@ func publicKey(priv any) any { } } +// printYaml wraps creating the TLS certificate and key, and writes the actual +// file, and any symbolic links to the disk. +func printYaml(secret yamlSecret, projectRoot string) error { + // This part creates the tls keys (certificate and key) based on the + // issuer, subject, and dnsnames data. + tlsKeys, err := printTLS(secret.templateData) + if err != nil { + return fmt.Errorf("failed generating TLS keys for hosts: (%s: %v): %w", secret.templateData.commonName, secret.templateData.dnsNames, err) + } + + // This part takes the created certificate and key, still in bytes, and + // embeds them into a kubernetes tls secret yaml format. At this point the + // fileContents is still a byteslice waiting to be written to a file. + // + // If the incoming secret is not valid, then the created yaml file will have + // an empty tls.key value. + fileContents, err := createYamlSecret(secret, secret.valid, tlsKeys) + if err != nil { + return fmt.Errorf("writing valid file for %s: %w", secret.fileName, err) + } + + // This part takes care of writing the yaml file onto disk, and creating the + // symbolic links for them. The functions used, os.WriteFile, and os.SymLink + // will truncate the files first if they exist. The SymLink function will + // also work in case the existing file is a regular file: it will truncate + // that, and turn that into a SymLink. There is no need to manually remove + // leftover files. 
+ realFilePath := filepath.Join(projectRoot, realSecretDirectory, secret.fileName) + err = os.WriteFile(realFilePath, fileContents, 0o600) + if err != nil { + return fmt.Errorf("write kubernetes secret to file %s: %w", secret.fileName, err) + } + + // Create symlinks + for _, symlinkTarget := range secret.symlinks { + err = os.Symlink(realFilePath, filepath.Join(projectRoot, symlinkTarget)) + if err != nil { + return fmt.Errorf("symlink %s to %s: %w", symlinkTarget, realFilePath, err) + } + } + + return nil +} + // printTLS is roughly the same function as crypto/tls/generate_cert.go in the // go standard library. Notable differences: // - this one returns the cert/key as bytes rather than writing them as files 
@@ -205,48 +226,8 @@ func printTLS(templateData templateData) (*JITTLSKey, error) { }, nil } -func printYaml(secret yamlSecret, projectRoot string) error { - // This part creates the tls keys (certificate and key) based on the - // issuer, subject, and dnsnames data. - tlsKeys, err := printTLS(secret.templateData) - if err != nil { - return fmt.Errorf("failed generating TLS keys for hosts: (%s: %v): %w", secret.templateData.commonName, secret.templateData.dnsNames, err) - } - - // This part takes the created certificate and key, still in bytes, and - // embeds them into a kubernetes tls secret yaml format. At this point the - // fileContents is still a byteslice waiting to be written to a file. - // - // If the incoming secret is not valid, then the created yaml file will have - // an empty tls.key value. - fileContents, err := createYamlSecret(secret, secret.valid, tlsKeys) - if err != nil { - return fmt.Errorf("writing valid file for %s: %w", secret.fileName, err) - } - - // This part takes care of writing the yaml file onto disk, and creating the - // symbolic links for them. The functions used, os.WriteFile, and os.SymLink - // will truncate the files first if they exist. The SymLink function will - // also work in case the existing file is a regular file: it will truncate - // that, and turn that into a SymLink. There is no need to manually remove - // leftover files. 
- realFilePath := filepath.Join(projectRoot, realSecretDirectory, secret.fileName) - err = os.WriteFile(realFilePath, fileContents, 0o600) - if err != nil { - return fmt.Errorf("write kubernetes secret to file %s: %w", secret.fileName, err) - } - - // Create symlinks - for _, symlinkTarget := range secret.symlinks { - err = os.Symlink(realFilePath, filepath.Join(projectRoot, symlinkTarget)) - if err != nil { - return fmt.Errorf("symlink %s to %s: %w", symlinkTarget, realFilePath, err) - } - } - - return nil -} - +// createYamlSecret takes in the generated TLS key in printTLS, and marshals it +// into a yaml file contents and returns that as a byteslice. func createYamlSecret(secret yamlSecret, isValid bool, tlsKeys *JITTLSKey) ([]byte, error) { s := v1.Secret{ TypeMeta: metav1.TypeMeta{ From d3f47a0ace73421756a6c4a0fa68768913d5e334 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 12 Nov 2025 16:52:18 +0000 Subject: [PATCH 09/45] Fix symbolic link logic --- hack/tls-cert-gen/makefile | 2 +- hack/tls-cert-gen/tls-cert-gen.go | 20 ++++++++++++++------ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/hack/tls-cert-gen/makefile b/hack/tls-cert-gen/makefile index f4a20fcaed..50677322f7 100644 --- a/hack/tls-cert-gen/makefile +++ b/hack/tls-cert-gen/makefile @@ -1,6 +1,6 @@ .PHONY: run run: - go run tls-cert-gen.go + go run ./... .PHONY: extract extract: diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index e531acec37..54235826ab 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go 
@@ -128,19 +128,27 @@ func printYaml(secret yamlSecret, projectRoot string) error { } // This part takes care of writing the yaml file onto disk, and creating the - // symbolic links for them. The functions used, os.WriteFile, and os.SymLink - // will truncate the files first if they exist. The SymLink function will - // also work in case the existing file is a regular file: it will truncate - // that, and turn that into a SymLink. There is no need to manually remove - // leftover files. + // symbolic links for them. os.WriteFile will truncate the files first if + // they exist. The SymLink function needs the symlink target to not exist, + // so we need to walk and remove those beforehand. realFilePath := filepath.Join(projectRoot, realSecretDirectory, secret.fileName) err = os.WriteFile(realFilePath, fileContents, 0o600) if err != nil { return fmt.Errorf("write kubernetes secret to file %s: %w", secret.fileName, err) } - // Create symlinks + // Remove and create symlinks for _, symlinkTarget := range secret.symlinks { + absSymlinkTarget := filepath.Join(projectRoot, symlinkTarget) + + if _, err = os.Stat(absSymlinkTarget); err == nil { + // symlink exists, delete it + err = os.Remove(absSymlinkTarget) + if err != nil { + return fmt.Errorf("symlink target remove %s: %w", absSymlinkTarget, err) + } + } + err = os.Symlink(realFilePath, filepath.Join(projectRoot, symlinkTarget)) if err != nil { return fmt.Errorf("symlink %s to %s: %w", symlinkTarget, realFilePath, err) From 969131352725b5e434cea2ff7e271eba5f6d3946 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Thu, 13 Nov 2025 18:27:04 +0000 Subject: [PATCH 10/45] Refine tls cert gen script --- hack/tls-cert-gen/certs.go | 63 +++++++++++++++++++++++++++++-- hack/tls-cert-gen/tls-cert-gen.go | 25 ++++++++++-- 2 files changed, 80 insertions(+), 8 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 20c2c0380b..2ab871f761 100644 --- a/hack/tls-cert-gen/certs.go 
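Review bot: The existence check added before `os.Remove` uses `os.Stat`, which follows the link. A leftover symlink whose real file is gone therefore reports not-exist, the removal is skipped, and the `os.Symlink` call below fails because the path is still occupied. Checking the link itself avoids this: `if _, err = os.Lstat(absSymlinkTarget); err == nil {`. Any other error from the check (a permission error, for instance) is also treated as "nothing to remove", so returning it unless `errors.Is(err, fs.ErrNotExist)` would surface the real cause. The same `os.Stat` line is carried unchanged into the `@@ -140,6 +142,17 @@` hunk of the next patch; printYaml starts outside this hunk.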
+++ b/hack/tls-cert-gen/certs.go @@ -10,10 +10,10 @@ var yamlSecrets = []yamlSecret{ organizationalUnit: []string{"NGINX Ingress Controller"}, locality: []string{"Cork"}, province: []string{"Cork"}, - commonName: "example.com", - dnsNames: []string{"*.example.com"}, + commonName: "example.com,*.example.com", + dnsNames: []string{"foo.bar.example.com"}, }, - valid: secretShouldBeValid, + valid: secretShouldHaveValidTLSCrt, symlinks: []string{ "examples/custom-resources/oidc-fclo/tls-secret-symlinked.yaml", }, 
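Review bot: The new `commonName: "example.com,*.example.com"` packs two host names into a single Common Name while `dnsNames` shrinks to `foo.bar.example.com`. Go's crypto/x509 and current browsers match host names against the subject alternative names only. If printTLS copies `dnsNames` into the certificate's DNSNames (its body is not visible here), the generated `tls-secret` would validate for `foo.bar.example.com` and nothing else. If the secret is meant to serve `example.com` and `*.example.com`, keep one name in `commonName` and list every host in the SAN field, e.g. `dnsNames: []string{"example.com", "*.example.com"},`. If the mismatch is deliberate test data, a comment on the entry should say so.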
@@ -30,9 +30,64 @@ var yamlSecrets = []yamlSecret{ commonName: "example.com", dnsNames: []string{"*.example.com"}, }, - valid: secretShouldBeInvalid, + valid: secretShouldHaveInvalidTLSCrt, symlinks: []string{ "/tests/data/default-server/invalid-tls-secret.yaml", }, }, + + // ==== the below ones are needed for specific pytests === + { + secretName: "tls-secret", + fileName: "tls-secret-gb.yaml", + templateData: templateData{ + country: []string{"GB"}, + organization: []string{"nginx"}, + locality: []string{"Cork"}, + province: []string{"Cambridgeshire"}, + commonName: "cafe.example.com", + dnsNames: []string{"example.com", "*.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/tls/new-tls-secret.yaml", + "/tests/data/virtual-server-tls/new-tls-secret.yaml", + }, + }, + + { + secretName: "tls-secret", + fileName: "tls-secret-us.yaml", + templateData: templateData{ + country: []string{"US"}, + organization: []string{"Internet Widgits Pty Ltd"}, + locality: []string{"San Francisco"}, + province: []string{"CA"}, + commonName: "cafe.example.com", + dnsNames: []string{"example.com", "*.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/tls/tls-secret.yaml", + "/tests/data/virtual-server-tls/tls-secret.yaml", + }, + }, + { + secretName: "tls-secret", + fileName: "tls-secret-invalid-type.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/tls/invalid-tls-secret.yaml", + }, + secretType: "some type", + }, } diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index 54235826ab..ba78815c7f 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go 
+++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -24,9 +24,9 @@ import ( ) const ( - secretShouldBeValid = true - secretShouldBeInvalid = false - realSecretDirectory = "examples/common-secrets/" + secretShouldHaveValidTLSCrt = true + secretShouldHaveInvalidTLSCrt = false + realSecretDirectory = "examples/common-secrets/" ) var projectRoot = "" // this will be redefined in main() @@ -68,12 +68,14 @@ type templateData struct { // symlinks - a slice of paths that will symlink to the actual file. These paths are relative to the project root. For example: []string{"examples/custom-resources/oidc/tls-secret.yaml"} // valid - whether the generated kubernetes secret file should be valid. An invalid secret will not have the data["tls.key"] property set in the yaml file. // templateData - has information about issuer, subject, common name (main domain), and dnsNames (subject alternate names). +// secretType - if left empty, it will be the default v1.SecretTypeTLS value. The type is "k8s.io/api/core/v1".SecretType, which is an alias for strings. type yamlSecret struct { secretName string fileName string symlinks []string valid bool templateData templateData + secretType string } func main() { 
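Review bot: The yamlSecret doc comment in the `@@ -68,12 +68,14 @@` hunk disagrees with the code in two places. The `valid` line (context here) still says an invalid secret lacks `data["tls.key"]`, but this commit renames the constants to `secretShouldHaveInvalidTLSCrt`, and the createYamlSecret hunk further down shows `s.Data[v1.TLSCertKey]` being blanked, so the comment should name `tls.crt`. The added `secretType` line calls `v1.SecretType` an alias for strings; it is a defined string type, which is why createYamlSecret needs the explicit `v1.SecretType(...)` conversion. Suggested wording for the new line: `// secretType - optional; when empty the secret keeps the default v1.SecretTypeTLS, otherwise it is converted to v1.SecretType in createYamlSecret.`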
@@ -140,6 +142,17 @@ func printYaml(secret yamlSecret, projectRoot string) error { // Remove and create symlinks for _, symlinkTarget := range secret.symlinks { absSymlinkTarget := filepath.Join(projectRoot, symlinkTarget) + // relativeSymlinkTarget := filepath.Join(".", symlinkTarget) + + // Figure out the relative path between the directories. Involving files + // will produce an inaccurate relative path here. + relativeDirectory, err := filepath.Rel(filepath.Dir(absSymlinkTarget), filepath.Dir(realFilePath)) + if err != nil { + return fmt.Errorf("relative target path relative to %s: %w", absSymlinkTarget, err) + } + + // Attach the real file to the end of the relative directory path. + relativeTarget := filepath.Join(relativeDirectory, filepath.Base(realFilePath)) if _, err = os.Stat(absSymlinkTarget); err == nil { // symlink exists, delete it @@ -149,7 +162,7 @@ func printYaml(secret yamlSecret, projectRoot string) error { } } - err = os.Symlink(realFilePath, filepath.Join(projectRoot, symlinkTarget)) + err = os.Symlink(relativeTarget, absSymlinkTarget) if err != nil { return fmt.Errorf("symlink %s to %s: %w", symlinkTarget, realFilePath, err) } @@ -256,6 +269,10 @@ func createYamlSecret(secret yamlSecret, isValid bool, tlsKeys *JITTLSKey) ([]by s.Data[v1.TLSCertKey] = []byte(``) } + if secret.secretType != "" { + s.Type = v1.SecretType(secret.secretType) + } + sb, err := yaml.Marshal(s) if err != nil { return nil, fmt.Errorf("marshaling kubernetes secret into yaml %v: %w", s, err) From 1d18d69cbbd0380eca78c03f9d8eb5dbeb191ac0 Mon Sep 17 00:00:00 2001 
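Review bot: The relative link target in the `@@ -140,6 +142,17 @@` hunk can be computed in one step, and the commented-out `relativeSymlinkTarget` line should be dropped before merge. Only the base argument of `filepath.Rel` has to be a directory, so `relativeTarget, err := filepath.Rel(filepath.Dir(absSymlinkTarget), realFilePath)` already yields the path from the link's directory to the real file, without the `filepath.Dir` / `filepath.Base` round trip. The `:=` on that line also declares a new `err` that shadows the function-level one for the rest of the loop body; this is harmless today because every branch returns explicitly, but it is easy to trip over later. printYaml starts and ends outside this hunk.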
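Review bot: In the `@@ -256,6 +269,10 @@` hunk, the marshal error on the context line right after the added `secretType` block formats the whole Secret with `%v`. By that point `s.Data` presumably holds the generated private key (the assignment is outside the hunk), so a marshal failure would print key bytes to terminal or CI output. Naming the secret is enough: `return nil, fmt.Errorf("marshaling kubernetes secret %s into yaml: %w", secret.secretName, err)`. The added override accepts any string as the type, which looks intentional for the `"some type"` test entry; a short comment saying that arbitrary types are allowed for negative tests would make that explicit. createYamlSecret starts and ends outside this hunk.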
From: Gabor Javorszky Date: Thu, 13 Nov 2025 18:54:51 +0000 Subject: [PATCH 11/45] Remove secrets from repository --- .../app-tls-secret-app.example.com.yaml | 8 --- .../cafe-secret-cafe-ns.example.com.yaml | 9 --- .../cafe-secret-cafe.example.com.yaml | 8 --- ...-server-secret-NGINXIngressController.yaml | 9 --- ...ter-secret-virtual-server.example.com.yaml | 8 --- .../mongo-secret-mongo.example.com.yaml | 8 --- ...rvice-insight-secret-cafe.example.com.yaml | 8 --- .../tls-secret-webapp.example.com.yaml | 8 --- .../tls-secret-wildcard.example.com.yaml | 8 --- .../webapp-secret-cafe.example.com.yaml | 8 --- .../custom-resources/api-key/cafe-secret.yaml | 1 - .../transport-server/app-tls-secret.yaml | 1 - .../virtual-server/cafe-secret.yaml | 1 - .../basic-auth/cafe-secret.yaml | 1 - .../basic-configuration/cafe-secret.yaml | 1 - .../cache-policy/cafe-secret.yaml | 1 - .../cafe-secret.yaml | 1 - .../virtualserver/cafe-secret.yaml | 1 - .../custom-listeners/cafe-secret.yaml | 1 - .../egress-mtls/egress-mtls-secret.yaml | 8 --- .../external-dns/cafe-secret.yaml | 1 - .../transport-server/app-tls-secret.yaml | 1 - .../grpc-upstreams/greeter-secret.yaml | 1 - .../ingress-mtls/tls-secret.yaml | 1 - .../custom-resources/jwks/tls-secret.yaml | 1 - .../oidc-fclo/tls-secret.yaml | 1 - .../custom-resources/oidc/tls-secret.yaml | 1 - .../cafe-secret.yaml | 1 - .../service-insight-secret.yaml | 1 - .../tls-passthrough/app-tls-secret.yaml | 1 - .../transport-server-sni/cafe-secret.yaml | 1 - .../transport-server-sni/mongo-secret.yaml | 1 - .../app-protect-dos/webapp-secret.yaml | 1 - .../app-protect-waf/cafe-secret.yaml | 1 - .../basic-auth/cafe-secret.yaml | 1 - .../complete-example/cafe-secret.yaml | 1 - .../mergeable-ingress-types/cafe-secret.yaml | 1 - .../mergeable-ingress/cafe-secret.yaml | 1 - .../standard-ingress/cafe-secret.yaml | 1 - .../rate-limit/cafe-secret.yaml | 1 - .../security-monitoring/cafe-secret.yaml | 1 - .../default-server-secret.yaml | 1 - 
hack/tls-cert-gen/certs.go | 56 ++++++++++++++++++- tests/.gitignore | 27 +++++++++ tests/data/ap-waf-grpc/tls-secret.yaml | 1 - tests/data/appprotect/appprotect-secret.yaml | 1 - .../app/secure/secret/app-tls-secret.yaml | 1 - tests/data/common/default-server-secret.yaml | 1 - .../default-server/invalid-tls-secret.yaml | 8 --- tests/data/default-server/new-tls-secret.yaml | 1 - tests/data/dos/tls-secret.yaml | 1 - tests/data/egress-mtls/secret/tls-secret.yaml | 8 --- .../data/ingress-mtls/secret/tls-secret.yaml | 1 - tests/data/mgmt-configmap-keys/ssl-cert.yaml | 8 --- tests/data/prometheus/secret.yaml | 1 - tests/data/service-insight/secret.yaml | 1 - tests/data/smoke/smoke-secret.yaml | 1 - tests/data/tls/invalid-tls-secret.yaml | 1 - tests/data/tls/new-tls-secret.yaml | 1 - tests/data/tls/tls-secret.yaml | 1 - .../tcp-tls-secret.yaml | 1 - tests/data/upgrade-test-resources/secret.yaml | 1 - .../tls-secret.yaml | 1 - .../data/virtual-server-grpc/tls-secret.yaml | 1 - .../virtual-server-route-grpc/tls-secret.yaml | 1 - .../virtual-server-tls/new-tls-secret.yaml | 1 - tests/data/virtual-server-tls/tls-secret.yaml | 1 - .../watch-secret-namespace/tls-secret.yaml | 1 - .../gb-wildcard-tls-secret.yaml | 1 - .../wildcard-tls-secret.yaml | 1 - 70 files changed, 82 insertions(+), 169 deletions(-) delete mode 100644 examples/common-secrets/app-tls-secret-app.example.com.yaml delete mode 100644 examples/common-secrets/cafe-secret-cafe-ns.example.com.yaml delete mode 100644 examples/common-secrets/cafe-secret-cafe.example.com.yaml delete mode 100644 examples/common-secrets/default-server-secret-NGINXIngressController.yaml delete mode 100644 examples/common-secrets/greeter-secret-virtual-server.example.com.yaml delete mode 100644 examples/common-secrets/mongo-secret-mongo.example.com.yaml delete mode 100644 examples/common-secrets/service-insight-secret-cafe.example.com.yaml delete mode 100644 examples/common-secrets/tls-secret-webapp.example.com.yaml delete mode 100644 
examples/common-secrets/tls-secret-wildcard.example.com.yaml delete mode 100644 examples/common-secrets/webapp-secret-cafe.example.com.yaml delete mode 120000 examples/custom-resources/api-key/cafe-secret.yaml delete mode 120000 examples/custom-resources/backup-directive/transport-server/app-tls-secret.yaml delete mode 120000 examples/custom-resources/backup-directive/virtual-server/cafe-secret.yaml delete mode 120000 examples/custom-resources/basic-auth/cafe-secret.yaml delete mode 120000 examples/custom-resources/basic-configuration/cafe-secret.yaml delete mode 120000 examples/custom-resources/cache-policy/cafe-secret.yaml delete mode 120000 examples/custom-resources/cross-namespace-configuration/cafe-secret.yaml delete mode 120000 examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml delete mode 120000 examples/custom-resources/custom-listeners/cafe-secret.yaml delete mode 100644 examples/custom-resources/egress-mtls/egress-mtls-secret.yaml delete mode 120000 examples/custom-resources/external-dns/cafe-secret.yaml delete mode 120000 examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml delete mode 120000 examples/custom-resources/grpc-upstreams/greeter-secret.yaml delete mode 120000 examples/custom-resources/ingress-mtls/tls-secret.yaml delete mode 120000 examples/custom-resources/jwks/tls-secret.yaml delete mode 120000 examples/custom-resources/oidc-fclo/tls-secret.yaml delete mode 120000 examples/custom-resources/oidc/tls-secret.yaml delete mode 120000 examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml delete mode 120000 examples/custom-resources/service-insight/service-insight-secret.yaml delete mode 120000 examples/custom-resources/tls-passthrough/app-tls-secret.yaml delete mode 120000 examples/custom-resources/transport-server-sni/cafe-secret.yaml delete mode 120000 examples/custom-resources/transport-server-sni/mongo-secret.yaml delete mode 120000 
examples/ingress-resources/app-protect-dos/webapp-secret.yaml delete mode 120000 examples/ingress-resources/app-protect-waf/cafe-secret.yaml delete mode 120000 examples/ingress-resources/basic-auth/cafe-secret.yaml delete mode 120000 examples/ingress-resources/complete-example/cafe-secret.yaml delete mode 120000 examples/ingress-resources/mergeable-ingress-types/cafe-secret.yaml delete mode 120000 examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml delete mode 120000 examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml delete mode 120000 examples/ingress-resources/rate-limit/cafe-secret.yaml delete mode 120000 examples/ingress-resources/security-monitoring/cafe-secret.yaml delete mode 120000 examples/shared-examples/default-server-secret/default-server-secret.yaml delete mode 120000 tests/data/ap-waf-grpc/tls-secret.yaml delete mode 120000 tests/data/appprotect/appprotect-secret.yaml delete mode 120000 tests/data/common/app/secure/secret/app-tls-secret.yaml delete mode 120000 tests/data/common/default-server-secret.yaml delete mode 100644 tests/data/default-server/invalid-tls-secret.yaml delete mode 120000 tests/data/default-server/new-tls-secret.yaml delete mode 120000 tests/data/dos/tls-secret.yaml delete mode 100644 tests/data/egress-mtls/secret/tls-secret.yaml delete mode 120000 tests/data/ingress-mtls/secret/tls-secret.yaml delete mode 100644 tests/data/mgmt-configmap-keys/ssl-cert.yaml delete mode 120000 tests/data/prometheus/secret.yaml delete mode 120000 tests/data/service-insight/secret.yaml delete mode 120000 tests/data/smoke/smoke-secret.yaml delete mode 120000 tests/data/tls/invalid-tls-secret.yaml delete mode 120000 tests/data/tls/new-tls-secret.yaml delete mode 120000 tests/data/tls/tls-secret.yaml delete mode 120000 tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml delete mode 120000 tests/data/upgrade-test-resources/secret.yaml delete mode 120000 
tests/data/virtual-server-certmanager/tls-secret.yaml delete mode 120000 tests/data/virtual-server-grpc/tls-secret.yaml delete mode 120000 tests/data/virtual-server-route-grpc/tls-secret.yaml delete mode 120000 tests/data/virtual-server-tls/new-tls-secret.yaml delete mode 120000 tests/data/virtual-server-tls/tls-secret.yaml delete mode 120000 tests/data/watch-secret-namespace/tls-secret.yaml delete mode 120000 tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml delete mode 120000 tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml diff --git a/examples/common-secrets/app-tls-secret-app.example.com.yaml b/examples/common-secrets/app-tls-secret-app.example.com.yaml deleted file mode 100644 index b500a7e641..0000000000 --- a/examples/common-secrets/app-tls-secret-app.example.com.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: app-tls-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 diff --git a/examples/common-secrets/cafe-secret-cafe-ns.example.com.yaml b/examples/common-secrets/cafe-secret-cafe-ns.example.com.yaml deleted file mode 100644 index 75e9220abc..0000000000 --- a/examples/common-secrets/cafe-secret-cafe-ns.example.com.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cafe-secret - namespace: cafe -type: kubernetes.io/tls -data: - tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdKRENDQkF5Z0F3SUJBZ0lVWUsyTGNWTlJrZVB5ZXUrdis0ckNMWTVJVmJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1dERUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlZCQWdNQWtOQk1TRXdId1lEVlFRS0RCaEpiblJsY201bApkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXhHVEFYQmdOVkJBTU1FR05oWm1VdVpYaGhiWEJzWlM1amIyMHdIaGNOCk1qUXhNREk0TVRVMU9UUXhXaGNOTXpReE1ESTJNVFUxT1RReFdqQllNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0cKQTFVRUNBd0NRMEV4SVRBZkJnTlZCQW9NR0VsdWRHVnlibVYwSUZkcFpHZHBkSE1nVUhSNUlFeDBaREVaTUJjRwpBMVVFQXd3UVkyRm1aUzVsZUdGdGNHeGxMbU52YlRDQ0FpSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnSVBBRENDCkFnb0NnZ0lCQU9pM3dZaGRCTGI0RldzY20yeHV3S2JNaElPRUM3YXF1aVpDQ2V2bHc5MUZUWVNvdHBGbUU2NkIKc1V6WWlRYVVtRGJLdWxRS3lramNXcC9LNExBbGI3Y2Z0ckdmUkN1b0xDT21oSkhvaXV5RDBMWXlsQXBXWjc5eApnOWEydlVUR3Joa2NVVGF3RVFoMlExT2dnTmk0Szd4S1U2cVJFRktnbmFTMXdTdmdiNXV6WXRaVys3SFdVbTlkCmliUEV4Qkc5TFJGaGVOdGZ5Vk9mSzVLRm11ZzdFVEN1Nzd5V001WWlxTmRKMEI0UnZQbS9XTlNrUzVXZ0c4RnMKaHMxRnlqTWFBWGYrU2t1ZVQxRlpUWEpjZzJjVjZOeEp3L3IrclNjZFozbWRDa29yaVBtSWRrM3FVR3pUaU1Mcgo2aUo2bEl1VTBOWFg4bXlwUXV3YUZtb3hBZWZZbzVqd0s2S3N5Q0tETTBLSWhsSVFVcHBnZHhST3packdXbjJQCm5EVkJuZmllWlRvWlU1dlMxNHNMZzhmQllmc3Z3LzNTZk1oNFoveVp1cnY3UDY3Yi9WSlowTlMvOW1SYmsySmcKblpjd0ViZ3ptUFJwUWdXUCtML1BieHBYaktBdEVXVG5lZW55KzZHaG9tVG0ycWh3NCt6Tm1rL0s3Nm4vMmhaZAphcFRaS0xrQk5rRVo3R0hxZGJBSUZ1RkVaVWo5b0wrYXI1d2hzTmNnU2JrU3RiNTkwMko2OE1oLzlvU2llajcxClNoWEJneklkcFpMWVppRkJEeWYxV3dGaDVBWDJkbVUwU3JGN3hTU1o4bkFseWFkU1lWOStuSlNtUXdiSzhNRUwKT041OVRXVXhWaGx3NG5MZlU3K0RCUVhkV2ZIZHNMK0RqajRUOGxtL3p1L0FzMk9lZWsxeEFnTUJBQUdqZ2VVdwpnZUl3SFFZRFZSME9CQllFRkxqcTBnQTQvUHU5VXZ3dnRXY1lJYTdsdER2Z01Cc0dBMVVkRVFRVU1CS0NFR05oClptVXVaWGhoYlhCc1pTNWpiMjB3Z1pVR0ExVWRJd1NCalRDQmlvQVV1T3JTQURqOCs3MVMvQysxWnhnaHJ1VzAKTytDaFhLUmFNRmd4Q3pBSkJnTlZCQVlUQWxWVE1Rc3dDUVlEVlFRSURBSkRRVEVoTUI4R0ExVUVDZ3dZU1c1MApaWEp1WlhRZ1YybGtaMmwwY3lCUWRIa2dUSFJrTVJrd0Z3WURWUVFEREJCallXWmxMbVY0WVcxd2JHVXVZMjl0CmdoUm
dyWXR4VTFHUjQvSjY3Ni83aXNJdGpraFZ0akFNQmdOVkhSTUVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUIKQ3dVQUE0SUNBUUNnZnZ1MWo4K2FzVHQ3d2lCRmlDTnU1SUR3M25rQjYvOWg1Z3d2STR4YTNOdEhETTliYm5QUgpncnZTWjJXZ3FJNFR5dktKVVB5NHNaRGR3dUhiYjJSVC9MT1lQQTFXaVZhMjRiRTZtcXE1Y3VTNlZNb3h4bnB1CnBmdVllaml3eWpDTytUYXdhbFltTzVvNDFvRUxjR2ZNY21VK0YvK0tZZnozZFMvalNkYVc3cEM5YWpJQnFBTnMKS0daZ1JGKzl1ZlVibUlIcjZHeDJ5MU5oTnBjb1U4T2QrdkxKWXZxOGd1NDRqTG4xNE1Ra3hWZndyUU10T1E5RgpnOGpsTXphaVlMSnMwY3luRTJGSjhrYmI0K01QRkRyZjcranJGNGdlOXZCTDg5TlJkZXFZYWFGNTVMM0RQZzRZClRVVWQ3L1I4dlVUeEs0eHpqZlpNeHdnRGExRmtTMXB2VlNSNmkrVmVuYXdsUmZ2Q3FMUndvN1V3VjJLWUJjbGkKUFlCRzB2Z01mOEhQc0xvU1BibDNIY0xQTFhSdVI4RHZjdTdvUnEyYzRaOFVDNVBJS2FoWlZEekdsS0N6WHZlYwpQZ2xqSStFRzdyTWlnc1Fjcm5MdmxOZmRGdzZIcjkzVmR5OGYrZm4xdkVsN1A0NnBFWThlYnplOVhxNXNWT3I0CmhTcE5JMllGaWhjNXBlNzVmMXh2QjVHcjJJTm1PditZb0Jsc2VKNkUrR2tuOU1QY3Jjc3lwcVBoeXJORHF6THgKdE5DN0dLb2hEWlJRY1F6L3YvdGppV1lYRzFRY2RQU1JNakJiL2dkb1RBenNuNDRBWGpqT1A2YzkwWTEzUjdwaQpuRTJyUlFKWThCUHk4RitTT1pkUUV3d0NBbjZ6M2Job3BLc2ovM1JRU1lUNDhGZElRVndrbmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - tls.key: 
LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRRG90OEdJWFFTMitCVnIKSEp0c2JzQ216SVNEaEF1MnFyb21RZ25yNWNQZFJVMkVxTGFSWmhPdWdiRk0ySWtHbEpnMnlycFVDc3BJM0ZxZgp5dUN3SlcrM0g3YXhuMFFycUN3anBvU1I2SXJzZzlDMk1wUUtWbWUvY1lQV3RyMUV4cTRaSEZFMnNCRUlka05UCm9JRFl1Q3U4U2xPcWtSQlNvSjJrdGNFcjRHK2JzMkxXVnZ1eDFsSnZYWW16eE1RUnZTMFJZWGpiWDhsVG55dVMKaFpyb094RXdydSs4bGpPV0lxalhTZEFlRWJ6NXYxalVwRXVWb0J2QmJJYk5SY296R2dGMy9rcExuazlSV1UxeQpYSU5uRmVqY1NjUDYvcTBuSFdkNW5RcEtLNGo1aUhaTjZsQnMwNGpDNitvaWVwU0xsTkRWMS9Kc3FVTHNHaFpxCk1RSG4yS09ZOEN1aXJNZ2lnek5DaUlaU0VGS2FZSGNVVHMyYXhscDlqNXcxUVozNG5tVTZHVk9iMHRlTEM0UEgKd1dIN0w4UDkwbnpJZUdmOG1icTcreit1Mi8xU1dkRFV2L1prVzVOaVlKMlhNQkc0TTVqMGFVSUZqL2kvejI4YQpWNHlnTFJGazUzbnA4dnVob2FKazV0cW9jT1BzelpwUHl1K3AvOW9XWFdxVTJTaTVBVFpCR2V4aDZuV3dDQmJoClJHVkkvYUMvbXErY0liRFhJRW01RXJXK2ZkTmlldkRJZi9hRW9ubys5VW9Wd1lNeUhhV1MyR1loUVE4bjlWc0IKWWVRRjluWmxORXF4ZThVa21mSndKY21uVW1GZmZweVVwa01HeXZEQkN6amVmVTFsTVZZWmNPSnkzMU8vZ3dVRgozVm54M2JDL2c0NCtFL0padjg3dndMTmpubnBOY1FJREFRQUJBb0lDQUJaQmFJazllQk4xY3pyc24vS0ZQdmhVCnE4R1dFYmEwNmh0NWlsQmNoMWcwWmY3dlVaSmpKRE8ycEhtWVpiWlM1S0dzenBmMTlqVjBtVmdadzFZbEptTnAKYllQY0d0MWY5bVNzYXBZM21uMlc5NUZORWZwUkhCZmpaN3ZUZXhOR091VWMzNmx1dWhwSWtSVEF6MEdxajBneApCWUpVNEM0K3ZRVEErd25TcTJuRkJJbENCVTBURll3ZjhtaldRdmY5VXYrTUJrNVlnVHoxaG1tN1RENjBVMmNICis5Wlp1UEk5TzA5bmVEYy85QVlnWmdMaitYU0VQTk5KS1RVZFhRSjVGTFhnaEVOcUR1VFZPUUpjVlphNHNpM0wKQWlxUlM0Ym5tWHM0YVFFQjI5WWRWazhLUHduQlN4MTFDVTJsMG1uczMvSHJkbndzemNFZGw1SXRRS1RuQTNJUQpvZkRMVk1OSkg2UHE1Um1zREZYaFh1bnhLdkhXUHpvU0pkZ3REZHNZUnNaaFRnaW5vZ1AwQVdrdmMwT0MwaHh3CjNldWJLcDh3d3F0RndHNk1nWFg0WUFLQUd0K3RzVVdkRENmWUVPYUVWcXBXT3F3UUhsb3J0cmwvN1hmRjNra2UKY0VzalJyRXRMSytCOEhvdjFNSmtibVFlblE0cHdkcXdrdHV3SU41QUdqN2lCQ2V1U2R5S2gyc0hxRUIvbkZEbApTbFh1VzVNTjUranMrZ0lyOU5GRUdDdUEyQ3BGWWpKQk9sNk1nV0t3S0FwWWgwYnEvNTVOV0pwV1JTRllTZ29UCnFiV285S3JYZkR4azJVb05pVFVBcEdVeXBaWTFXT2hyOUs3WU1HOXpHbHQ0WnNrV1dhdXFEMnBQSjhhVXdabjEKeWY1TnMyb25LMkNmZmhvUkRPVC9Bb0lCQVFEOWU5MlE0RWVKamlNQ0JI
REhycDgzMUM0eXRJclJHbENJS3pNQgpoMjl6SFIvRWJUanplUmFzU1RLQzQ1SjhhTnQ4MStvM2xpcVFhclJvOFdHelEvNnpqdWVpSW9SRDNpWm5pZUJ3CmU3R1piK0doVmdlVkNKbGtFQ0FTc0dlZ1pkSzA0dWRzZmU5d3JWaDY1TjZnWW92Z2dyOVZPU1NNZ25NSys2Z1IKb0cxNHRSMDArN0kzdndoL0YyQVZLOXdkY3ZoN2puK2FXbGp3R1lFWHRDWUNJWENVbjhHTHpWVU53MlRHckFuRQpOL2d5anUyeTk1R2FrR3JpZTRkdmpoUTl5dTNPbU9haWp1enlXMGxxdnVrakVWTmZ2L3lYbzFNOWJ4OTdQNkFLCkxEU3VGVjJEY1pGSEpvT1NLYVV0eHpibzFIVmdGWmZiK3hpUmNRb0N3c0NjMC9VUEFvSUJBUURyQng4UGQwSjIKVkU3eUhVdC9LMDQ2OXNoejFzVUtEeFkrQ1B0dTZvODFkU0QzUHBMV3c1VzR1aWdSeFJnTUpqK3UyMGFSeEM4UgpMbDhXSmJCR0I4QllyQXhiMWlGMm5XTnFzdFVicVp1ZUlxeUIvbWJNZFk5OSt2L01Iek1WTnZwTjBTdkJsTWFaClhVSTdFWW1zbXJHYjRSMXdOa3VwWVdHL1RpMHNVUk9qSFpSZldsM0kxR1dpbkNVdE5oeEZ2OEtGcWJDd05DVTAKOHNYMjdLTEIza3RRZWhmc3JlTjd4NEw2MGU0T0FKMGhjZFUzL2I5b2VERGttVWFSYVE0bk9TVWEveDdTQW5RdQpnQmxQTTdjUWUrbjYwZEU0QjVrZzJpeG0reEhaL09tMGluK1JTR0ljRTc3eG0vMlhhTlZjcEUxRWlhaGdJT3hTCkpYVU4zWjdsTHBWL0FvSUJBUUNXTkxjWHFYOWFxS3BnQUtlZisvOEhReWxaREprUnpha1k5NWhTK0tGM01qUG4KM3QwWGtaSjQ1eXNTV3E0c0lLcW5jUDZ1ajhLTEwxL1dxK3E4SXJla1NUTkRaWGJCREx2dk1NbVpmZ0xBcklhawpadWs1VEE0eE9FajVLaVZONitpUEhjSUxEUms4eU11Y2oxREk4M3gxdnFTSWFNTWFyQlpsMUxoRU1hK05EcTNPCi9yTWR5NHJLWE55bnp3U3hRcmF4NkwvK2hEa2RsYzlrYjNEeVpFUmxIY0hBQ1IyMGVTdVhlc3lTeEtQRHVlUnEKMzc4ZE95VExMbTRVRWJvMjM3QkpjMXQveW5mb0tXWDQ1a1lhYktMZUkxTVh2RVdRS3ZBWnhac2RUQkt2Y2FPbgpSejNTVHFVNmtJajc5b2U0TW1XWFdWUlNtNWwwWGVxVHRqb1M5SnJMQW9JQkFRQ2JiY2szeENuNjhVU0lUNkZYCkIzK2o5UUtad1FYcjRoQldsRUFibVJsK1EraTZPZktIL3k2cnpNaWsvOUFvY0w4YTF6NnpOYWZlMStqZ1Q2cGsKbGNtNW1vWk4wYTJ0c09aSGNOOElmVUZCOGpKZGdhM2dOenJmR0xoRCtMb2lwSW9pSGx1dW1NSkNPRytOZXNxdQprRnMyK0Vnc3BtdWhKNXFxRm53L1c1cjkrNWpjK25rZFVJR3FhVk1ZdERrOFUxWEVhWFZGQWljOC9mUzNtTVVHCkt3bHB2bVRHRERWdDdZS01kM3JVWGNtTWphaHhiK2srb0lYTkdDU1lFMzdkcDZnSFU0TEJaZ2dKbklPZ1lsWUYKbTcwZ045UUNGdHhJNHFBTXRxdVdtdkMvaWZ4VlN5WSs1VHdZc28yaHJSMjFONTgxM1VleDB2UVdXMWt2QTBxSwp6Q1RuQW9JQkFHVTkrRFY0cnZqV21zSmFnckw4TEV4RWY1ZHVDeVhtY0huak5wZmkrcjdjamQ3dlNYY29aZjQrCm1IaDJ6NVN0NUpsVEpWMCtOcVFWL2ZnUS9EcWlZeVNESFcza1JXaFBNT1ROeHZo
V1lmMU4wd1diMmllS3lmTlMKVGRXS2JsUFcwZjh3WGYwL09JOFRaSjZFWXVBVXBpbGpSenB1emlkMVJOT3ZJb3BiUnBxd2pMVUtzb0IvMG5LZAp3YmNOcWdWN0lSNDVDZDlCTm8vTThFc2ppZkRnQVpmQzNZbjRWOGl4eXdSQmFjQ1dWcXhvK3UvT2wzN052QkJJCmhnQ1RqNVBDQ3NBcHZwK0dhRERJdFg0cVpoWURERys0ZFNDRHNpSnB1U1orWjZrQnFSNnVncUliMGJVQXFIbGkKd2hZUllYNklldnF2QUEzNTNxbmJzQW5ZQ09oZk5hVT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= diff --git a/examples/common-secrets/cafe-secret-cafe.example.com.yaml b/examples/common-secrets/cafe-secret-cafe.example.com.yaml deleted file mode 100644 index 210f89ef66..0000000000 --- a/examples/common-secrets/cafe-secret-cafe.example.com.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cafe-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRRG90OEdJWFFTMitCVnIKSEp0c2JzQ216SVNEaEF1MnFyb21RZ25yNWNQZFJVMkVxTGFSWmhPdWdiRk0ySWtHbEpnMnlycFVDc3BJM0ZxZgp5dUN3SlcrM0g3YXhuMFFycUN3anBvU1I2SXJzZzlDMk1wUUtWbWUvY1lQV3RyMUV4cTRaSEZFMnNCRUlka05UCm9JRFl1Q3U4U2xPcWtSQlNvSjJrdGNFcjRHK2JzMkxXVnZ1eDFsSnZYWW16eE1RUnZTMFJZWGpiWDhsVG55dVMKaFpyb094RXdydSs4bGpPV0lxalhTZEFlRWJ6NXYxalVwRXVWb0J2QmJJYk5SY296R2dGMy9rcExuazlSV1UxeQpYSU5uRmVqY1NjUDYvcTBuSFdkNW5RcEtLNGo1aUhaTjZsQnMwNGpDNitvaWVwU0xsTkRWMS9Kc3FVTHNHaFpxCk1RSG4yS09ZOEN1aXJNZ2lnek5DaUlaU0VGS2FZSGNVVHMyYXhscDlqNXcxUVozNG5tVTZHVk9iMHRlTEM0UEgKd1dIN0w4UDkwbnpJZUdmOG1icTcreit1Mi8xU1dkRFV2L1prVzVOaVlKMlhNQkc0TTVqMGFVSUZqL2kvejI4YQpWNHlnTFJGazUzbnA4dnVob2FKazV0cW9jT1BzelpwUHl1K3AvOW9XWFdxVTJTaTVBVFpCR2V4aDZuV3dDQmJoClJHVkkvYUMvbXErY0liRFhJRW01RXJXK2ZkTmlldkRJZi9hRW9ubys5VW9Wd1lNeUhhV1MyR1loUVE4bjlWc0IKWWVRRjluWmxORXF4ZThVa21mSndKY21uVW1GZmZweVVwa01HeXZEQkN6amVmVTFsTVZZWmNPSnkzMU8vZ3dVRgozVm54M2JDL2c0NCtFL0padjg3dndMTmpubnBOY1FJREFRQUJBb0lDQUJaQmFJazllQk4xY3pyc24vS0ZQdmhVCnE4R1dFYmEwNmh0NWlsQmNoMWcwWmY3dlVaSmpKRE8ycEhtWVpiWlM1S0dzenBmMTlqVjBtVmdadzFZbEptTnAKYllQY0d0MWY5bVNzYXBZM21uMlc5NUZORWZwUkhCZmpaN3ZUZXhOR091VWMzNmx1dWhwSWtSVEF6MEdxajBneApCWUpVNEM0K3ZRVEErd25TcTJuRkJJbENCVTBURll3ZjhtaldRdmY5VXYrTUJrNVlnVHoxaG1tN1RENjBVMmNICis5Wlp1UEk5TzA5bmVEYy85QVlnWmdMaitYU0VQTk5KS1RVZFhRSjVGTFhnaEVOcUR1VFZPUUpjVlphNHNpM0wKQWlxUlM0Ym5tWHM0YVFFQjI5WWRWazhLUHduQlN4MTFDVTJsMG1uczMvSHJkbndzemNFZGw1SXRRS1RuQTNJUQpvZkRMVk1OSkg2UHE1Um1zREZYaFh1bnhLdkhXUHpvU0pkZ3REZHNZUnNaaFRnaW5vZ1AwQVdrdmMwT0MwaHh3CjNldWJLcDh3d3F0RndHNk1nWFg0WUFLQUd0K3RzVVdkRENmWUVPYUVWcXBXT3F3UUhsb3J0cmwvN1hmRjNra2UKY0VzalJyRXRMSytCOEhvdjFNSmtibVFlblE0cHdkcXdrdHV3SU41QUdqN2lCQ2V1U2R5S2gyc0hxRUIvbkZEbApTbFh1VzVNTjUranMrZ0lyOU5GRUdDdUEyQ3BGWWpKQk9
sNk1nV0t3S0FwWWgwYnEvNTVOV0pwV1JTRllTZ29UCnFiV285S3JYZkR4azJVb05pVFVBcEdVeXBaWTFXT2hyOUs3WU1HOXpHbHQ0WnNrV1dhdXFEMnBQSjhhVXdabjEKeWY1TnMyb25LMkNmZmhvUkRPVC9Bb0lCQVFEOWU5MlE0RWVKamlNQ0JIREhycDgzMUM0eXRJclJHbENJS3pNQgpoMjl6SFIvRWJUanplUmFzU1RLQzQ1SjhhTnQ4MStvM2xpcVFhclJvOFdHelEvNnpqdWVpSW9SRDNpWm5pZUJ3CmU3R1piK0doVmdlVkNKbGtFQ0FTc0dlZ1pkSzA0dWRzZmU5d3JWaDY1TjZnWW92Z2dyOVZPU1NNZ25NSys2Z1IKb0cxNHRSMDArN0kzdndoL0YyQVZLOXdkY3ZoN2puK2FXbGp3R1lFWHRDWUNJWENVbjhHTHpWVU53MlRHckFuRQpOL2d5anUyeTk1R2FrR3JpZTRkdmpoUTl5dTNPbU9haWp1enlXMGxxdnVrakVWTmZ2L3lYbzFNOWJ4OTdQNkFLCkxEU3VGVjJEY1pGSEpvT1NLYVV0eHpibzFIVmdGWmZiK3hpUmNRb0N3c0NjMC9VUEFvSUJBUURyQng4UGQwSjIKVkU3eUhVdC9LMDQ2OXNoejFzVUtEeFkrQ1B0dTZvODFkU0QzUHBMV3c1VzR1aWdSeFJnTUpqK3UyMGFSeEM4UgpMbDhXSmJCR0I4QllyQXhiMWlGMm5XTnFzdFVicVp1ZUlxeUIvbWJNZFk5OSt2L01Iek1WTnZwTjBTdkJsTWFaClhVSTdFWW1zbXJHYjRSMXdOa3VwWVdHL1RpMHNVUk9qSFpSZldsM0kxR1dpbkNVdE5oeEZ2OEtGcWJDd05DVTAKOHNYMjdLTEIza3RRZWhmc3JlTjd4NEw2MGU0T0FKMGhjZFUzL2I5b2VERGttVWFSYVE0bk9TVWEveDdTQW5RdQpnQmxQTTdjUWUrbjYwZEU0QjVrZzJpeG0reEhaL09tMGluK1JTR0ljRTc3eG0vMlhhTlZjcEUxRWlhaGdJT3hTCkpYVU4zWjdsTHBWL0FvSUJBUUNXTkxjWHFYOWFxS3BnQUtlZisvOEhReWxaREprUnpha1k5NWhTK0tGM01qUG4KM3QwWGtaSjQ1eXNTV3E0c0lLcW5jUDZ1ajhLTEwxL1dxK3E4SXJla1NUTkRaWGJCREx2dk1NbVpmZ0xBcklhawpadWs1VEE0eE9FajVLaVZONitpUEhjSUxEUms4eU11Y2oxREk4M3gxdnFTSWFNTWFyQlpsMUxoRU1hK05EcTNPCi9yTWR5NHJLWE55bnp3U3hRcmF4NkwvK2hEa2RsYzlrYjNEeVpFUmxIY0hBQ1IyMGVTdVhlc3lTeEtQRHVlUnEKMzc4ZE95VExMbTRVRWJvMjM3QkpjMXQveW5mb0tXWDQ1a1lhYktMZUkxTVh2RVdRS3ZBWnhac2RUQkt2Y2FPbgpSejNTVHFVNmtJajc5b2U0TW1XWFdWUlNtNWwwWGVxVHRqb1M5SnJMQW9JQkFRQ2JiY2szeENuNjhVU0lUNkZYCkIzK2o5UUtad1FYcjRoQldsRUFibVJsK1EraTZPZktIL3k2cnpNaWsvOUFvY0w4YTF6NnpOYWZlMStqZ1Q2cGsKbGNtNW1vWk4wYTJ0c09aSGNOOElmVUZCOGpKZGdhM2dOenJmR0xoRCtMb2lwSW9pSGx1dW1NSkNPRytOZXNxdQprRnMyK0Vnc3BtdWhKNXFxRm53L1c1cjkrNWpjK25rZFVJR3FhVk1ZdERrOFUxWEVhWFZGQWljOC9mUzNtTVVHCkt3bHB2bVRHRERWdDdZS01kM3JVWGNtTWphaHhiK2srb0lYTkdDU1lFMzdkcDZnSFU0TEJaZ2dKbklPZ1lsWUYKbTcwZ045UUNGdHhJNHFBTXRxdVdtdkMvaWZ4VlN5WSs1VHdZc28
yaHJSMjFONTgxM1VleDB2UVdXMWt2QTBxSwp6Q1RuQW9JQkFHVTkrRFY0cnZqV21zSmFnckw4TEV4RWY1ZHVDeVhtY0huak5wZmkrcjdjamQ3dlNYY29aZjQrCm1IaDJ6NVN0NUpsVEpWMCtOcVFWL2ZnUS9EcWlZeVNESFcza1JXaFBNT1ROeHZoV1lmMU4wd1diMmllS3lmTlMKVGRXS2JsUFcwZjh3WGYwL09JOFRaSjZFWXVBVXBpbGpSenB1emlkMVJOT3ZJb3BiUnBxd2pMVUtzb0IvMG5LZAp3YmNOcWdWN0lSNDVDZDlCTm8vTThFc2ppZkRnQVpmQzNZbjRWOGl4eXdSQmFjQ1dWcXhvK3UvT2wzN052QkJJCmhnQ1RqNVBDQ3NBcHZwK0dhRERJdFg0cVpoWURERys0ZFNDRHNpSnB1U1orWjZrQnFSNnVncUliMGJVQXFIbGkKd2hZUllYNklldnF2QUEzNTNxbmJzQW5ZQ09oZk5hVT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= diff --git a/examples/common-secrets/default-server-secret-NGINXIngressController.yaml b/examples/common-secrets/default-server-secret-NGINXIngressController.yaml deleted file mode 100644 index d618c2fca2..0000000000 --- a/examples/common-secrets/default-server-secret-NGINXIngressController.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: default-server-secret - namespace: nginx-ingress -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 diff --git a/examples/common-secrets/greeter-secret-virtual-server.example.com.yaml b/examples/common-secrets/greeter-secret-virtual-server.example.com.yaml deleted file mode 100644 index 39cdea876f..0000000000 --- a/examples/common-secrets/greeter-secret-virtual-server.example.com.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: greeter-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 diff --git a/examples/common-secrets/mongo-secret-mongo.example.com.yaml b/examples/common-secrets/mongo-secret-mongo.example.com.yaml deleted file mode 100644 index d374b1f738..0000000000 --- a/examples/common-secrets/mongo-secret-mongo.example.com.yaml +++ /dev/null 
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: mongo-secret
-type: kubernetes.io/tls
-data:
- tls.crt: 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
- tls.key: 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
diff --git a/examples/common-secrets/service-insight-secret-cafe.example.com.yaml b/examples/common-secrets/service-insight-secret-cafe.example.com.yaml
deleted file mode 100644
index abd2ad71f6..0000000000
--- a/examples/common-secrets/service-insight-secret-cafe.example.com.yaml
+++ /dev/null
@@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: service-insight-secret -type: kubernetes.io/tls -data: - tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdKRENDQkF5Z0F3SUJBZ0lVWUsyTGNWTlJrZVB5ZXUrdis0ckNMWTVJVmJZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1dERUxNQWtHQTFVRUJoTUNWVk14Q3pBSkJnTlZCQWdNQWtOQk1TRXdId1lEVlFRS0RCaEpiblJsY201bApkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXhHVEFYQmdOVkJBTU1FR05oWm1VdVpYaGhiWEJzWlM1amIyMHdIaGNOCk1qUXhNREk0TVRVMU9UUXhXaGNOTXpReE1ESTJNVFUxT1RReFdqQllNUXN3Q1FZRFZRUUdFd0pWVXpFTE1Ba0cKQTFVRUNBd0NRMEV4SVRBZkJnTlZCQW9NR0VsdWRHVnlibVYwSUZkcFpHZHBkSE1nVUhSNUlFeDBaREVaTUJjRwpBMVVFQXd3UVkyRm1aUzVsZUdGdGNHeGxMbU52YlRDQ0FpSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnSVBBRENDCkFnb0NnZ0lCQU9pM3dZaGRCTGI0RldzY20yeHV3S2JNaElPRUM3YXF1aVpDQ2V2bHc5MUZUWVNvdHBGbUU2NkIKc1V6WWlRYVVtRGJLdWxRS3lramNXcC9LNExBbGI3Y2Z0ckdmUkN1b0xDT21oSkhvaXV5RDBMWXlsQXBXWjc5eApnOWEydlVUR3Joa2NVVGF3RVFoMlExT2dnTmk0Szd4S1U2cVJFRktnbmFTMXdTdmdiNXV6WXRaVys3SFdVbTlkCmliUEV4Qkc5TFJGaGVOdGZ5Vk9mSzVLRm11ZzdFVEN1Nzd5V001WWlxTmRKMEI0UnZQbS9XTlNrUzVXZ0c4RnMKaHMxRnlqTWFBWGYrU2t1ZVQxRlpUWEpjZzJjVjZOeEp3L3IrclNjZFozbWRDa29yaVBtSWRrM3FVR3pUaU1Mcgo2aUo2bEl1VTBOWFg4bXlwUXV3YUZtb3hBZWZZbzVqd0s2S3N5Q0tETTBLSWhsSVFVcHBnZHhST3packdXbjJQCm5EVkJuZmllWlRvWlU1dlMxNHNMZzhmQllmc3Z3LzNTZk1oNFoveVp1cnY3UDY3Yi9WSlowTlMvOW1SYmsySmcKblpjd0ViZ3ptUFJwUWdXUCtML1BieHBYaktBdEVXVG5lZW55KzZHaG9tVG0ycWh3NCt6Tm1rL0s3Nm4vMmhaZAphcFRaS0xrQk5rRVo3R0hxZGJBSUZ1RkVaVWo5b0wrYXI1d2hzTmNnU2JrU3RiNTkwMko2OE1oLzlvU2llajcxClNoWEJneklkcFpMWVppRkJEeWYxV3dGaDVBWDJkbVUwU3JGN3hTU1o4bkFseWFkU1lWOStuSlNtUXdiSzhNRUwKT041OVRXVXhWaGx3NG5MZlU3K0RCUVhkV2ZIZHNMK0RqajRUOGxtL3p1L0FzMk9lZWsxeEFnTUJBQUdqZ2VVdwpnZUl3SFFZRFZSME9CQllFRkxqcTBnQTQvUHU5VXZ3dnRXY1lJYTdsdER2Z01Cc0dBMVVkRVFRVU1CS0NFR05oClptVXVaWGhoYlhCc1pTNWpiMjB3Z1pVR0ExVWRJd1NCalRDQmlvQVV1T3JTQURqOCs3MVMvQysxWnhnaHJ1VzAKTytDaFhLUmFNRmd4Q3pBSkJnTlZCQVlUQWxWVE1Rc3dDUVlEVlFRSURBSkRRVEVoTUI4R0ExVUVDZ3dZU1c1MApaWEp1WlhRZ1YybGtaMmwwY3lCUWRIa2dUSFJrTVJrd0Z3WURWUVFEREJCallXWmxMbVY0WVcxd2JHVXVZMjl0CmdoUmdyWXR4V
TFHUjQvSjY3Ni83aXNJdGpraFZ0akFNQmdOVkhSTUVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUIKQ3dVQUE0SUNBUUNnZnZ1MWo4K2FzVHQ3d2lCRmlDTnU1SUR3M25rQjYvOWg1Z3d2STR4YTNOdEhETTliYm5QUgpncnZTWjJXZ3FJNFR5dktKVVB5NHNaRGR3dUhiYjJSVC9MT1lQQTFXaVZhMjRiRTZtcXE1Y3VTNlZNb3h4bnB1CnBmdVllaml3eWpDTytUYXdhbFltTzVvNDFvRUxjR2ZNY21VK0YvK0tZZnozZFMvalNkYVc3cEM5YWpJQnFBTnMKS0daZ1JGKzl1ZlVibUlIcjZHeDJ5MU5oTnBjb1U4T2QrdkxKWXZxOGd1NDRqTG4xNE1Ra3hWZndyUU10T1E5RgpnOGpsTXphaVlMSnMwY3luRTJGSjhrYmI0K01QRkRyZjcranJGNGdlOXZCTDg5TlJkZXFZYWFGNTVMM0RQZzRZClRVVWQ3L1I4dlVUeEs0eHpqZlpNeHdnRGExRmtTMXB2VlNSNmkrVmVuYXdsUmZ2Q3FMUndvN1V3VjJLWUJjbGkKUFlCRzB2Z01mOEhQc0xvU1BibDNIY0xQTFhSdVI4RHZjdTdvUnEyYzRaOFVDNVBJS2FoWlZEekdsS0N6WHZlYwpQZ2xqSStFRzdyTWlnc1Fjcm5MdmxOZmRGdzZIcjkzVmR5OGYrZm4xdkVsN1A0NnBFWThlYnplOVhxNXNWT3I0CmhTcE5JMllGaWhjNXBlNzVmMXh2QjVHcjJJTm1PditZb0Jsc2VKNkUrR2tuOU1QY3Jjc3lwcVBoeXJORHF6THgKdE5DN0dLb2hEWlJRY1F6L3YvdGppV1lYRzFRY2RQU1JNakJiL2dkb1RBenNuNDRBWGpqT1A2YzkwWTEzUjdwaQpuRTJyUlFKWThCUHk4RitTT1pkUUV3d0NBbjZ6M2Job3BLc2ovM1JRU1lUNDhGZElRVndrbmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== - tls.key: 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 diff --git a/examples/common-secrets/tls-secret-webapp.example.com.yaml b/examples/common-secrets/tls-secret-webapp.example.com.yaml deleted file mode 100644 index f190264e23..0000000000 --- a/examples/common-secrets/tls-secret-webapp.example.com.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: tls-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRREpTRUNhSmsxeEExZ3kKVWFZclBFTmx0aGxRKzlpOUsrbktsbHp6U05lUGJYVjE5RG52WWZLcjFJWmE3cXduZU9uVSswdzBMQnpoc25nVwplT3IvcnhVRjlFWlVLY0xpWGxFWStiRXJqYXZzeGV6WnRhamRXZ0FPQzRWdktKYVZvV1VKN2RRbHp5R3VLZEc0CmVwMFN6MGl0bjcyd0V1M0krY2JUWHJiYkRmaHE2eWRidUZsWElJeHBsbTh1aFFOcEI4UnhvSjVpb0dLclRkdTMKRmxvWHdNbkxOS3cvaXJZQVZQS1NMV2lnUlBQVWlBZi9IcGtPU1FxdGVPZ2RBcVdDMEdlSTZzUnpxYzRqZjBFMApzVHI4YjMxc0hyRlhYV1FSYUJ3WmsyQVN5b3NpN1JEajNveEwzQjc4NmZkZGZTK3JCZWFuSFpHUGlhN2wybi8vCk5FZXhKeGp6WFpaVjF1ZzdrWC9FejZMcDdpNEg3MmVtdTJOZ2k5bU12eUc4UHc5UlJpUWp0M21NWjhBRkJhdE0KUStFR0FTYUdwMHY2UUhuS08zL0NabWtJZmpWZEhUVzNJRmdQZGIyeUFlSG1abnRBREplZmlxNmNYZnVIMG51bwplMUdTZnY4UFFBVnpWYUYvdVhLVXRFMUdhZWdVbzJ5SFc2bVF4V0ZKOVpUb0JiaFF2aC9JOTZLM1d5M2ZLSC9PCkx6OU9RRlFQSGxFNmFVZnMxWk9zQXlmSnN5ME40OFhQdDQ3MzlNQjN4VytRWHU4NjNSZEluNGE3MlRmVEQ2c1IKN0trK2JVT3ZxOFlpTTZ0L3VYR1VkUTN6UEFSZkdJc2U4Ky95dllyZytMNlFaYitURk53VC9uOGlJR2ZUZ3F1Ygpwd1U2SkszbGx3dmVnM1dObXZFQ2gvYnRJSnY5blFJREFRQUJBb0lDQUFqbWl3VEdBTktvaFRQa2JHYXBDWW5yCjNYNjVSRUpKT05OZWhzbXpST1R3d0NyeEc4YThIQkVCR3RmV2lnSk0xSG80aW93Y0QwTGpzMis2OVJsTlVxNnEKdUpsc0oxUC9PN0xSQjhhWFF5ejdLNWdNOG1TbllDMCswUzJ6SzhWK0Y0dXkycGk1YWhIYmc0eVd6MjlQZnpVKwpSUk1PSXptcDRlTGk0MDhZZFEyMVRFNC8vcU5kcXhmWU1SNXJmMVVicE5JcGVoZCtaQjZUR000bHpPSVVBbGhjCkFlbmxabHJwWnJpVURYWlkxamRsdElUUmc0OGdKN3E0Qi91UWJHVTJkZjJWOUEzeFNrNURpRXllTWErTDlvM2IKWlpncFp3MWwveWdhWGpzMmZhU1R1eFY0ZDllNjZodmc5TEZMb2RuOEx0RGcrOWpQQzg3YU5LTENXeEU0VzJBRAplMnhBUWR2TWVSU3REVnMyV29XSGxZUWllQ0Q3REZoYmZHc29vaktULzhocUp2VEhvRzJmckVYYk1CT2RoQnI4Cm5MdkVXWEpNUXNMQ0hVcVBET1pRQk5BalVVRzl4SVZqb2dkVmdsUmtTekNBM1U4aUU4bG05NEh3Z0VXQjEreGMKYmxMVGhNQXlmbTVuY2lBVlhTc2VadUZTR3RreG15ZElrVmU1ay9VV1VxUXczNTFUcmVMMU10RTl5eXdsV0w4cgpJdWJ5dWFFWmxSWFNwaHk2N0FiYTlqazY2K3hNcUNwb3pv
QXgrSDFnV25PaFdTc3FkQ2VUeE9QL084b1ZPa2IvCnR5czloMkZIZ3JCeVpHV254WHFjQnc1WXljYWlSNS9NZ1JwQVpMUk1xbDI3dTFETnArU2hWVmQ2aXA2enhVNXcKTmg2YVFVdGZBR1JYUGY0U2EvUEJBb0lCQVFEeUVKMk5XWk14d202S29xY25iN3ZWcnJHWXBaL2huRUpySFJCagpLcDVWVFdNZXN4OHlTcWtsYnV3TUhQbE83bFo0Q2ZtWllmU3lJTU5GWHlWM1R5bVVocFMxUTE0VjRsQ1o5bGZQCjhhTTJrZnI3ZCs3RlF4WEszTkYvbEJrZlVPNUFqR3crWDhsWFFFVW1hTmlxWFRqVFUvcmZiTktYLzRyQ05YQ3kKdnltejdNU1cwMS9WWnhaWnVpTkdOLzRJVXN4TFFNQy9qQXIzdGdrMzNEN0xSTkx0QWRETXgwY1NTNmY1SE1xQgpUck51dER6bWppdk1vZlZMa01RSGplVmh6WE9YRFFXK0VHVmNhckpuV0FXSWpKMTZBa1BTTXQxY3ZMbitJMVlNCnVTcmsrTVhtdkhSeUVjM1Bwdno3K1hFOHZZeGFoZ3o4VjlIeG04dUtOT2RlcHZzRkFvSUJBUURVM3B3NWVHUlQKUzNVcytIYStkcFAvVGtXR0FpeUNNYTZ4bGpHQ0JmdTJnVFN0VXljeDBYalhhVXJqVW1DbTcrSmloSk15TkdYbgpud29CYU9Dek5DdXQzT0VKbkVqZXIzYVgyYUNtU295RzZNWk1uOHlSa29HdjZQWnVOTHBoSk5YaFlMWmRidmRLCkhRZlY3YWhGdENoWnVZWGNnbW9LWHFvemZvam8vMGIrTlo4djQzY0lhR0pxK0svNjFnYmFkenZFa2lWc00xUSsKZldhL28rOHFSUUR0ZTdnbGdxNHU2alNYeFZoMmtOemQ0aE5XVVFmZUFPMS9LS0t2OG11QmNxNWpybTBqT0ovWgpsYU9YbmtBRUczL0RmU21XcjRmYmtoT0lrb0VQekRoZE8vVy9WTDErN1EyS2ovR0owcHYvRlJRRjRaM244VDZNCjZNdWJKUVV3NSt1NUFvSUJBQWFhcFhIQnk5NURxN2hrajZMbnpYd2E5QVZ5SDFhTWFOTjdTNE1wR29EQlI3OEMKckFzM05qNHJOSTF3RE8wMlcyMlMrQmhUTDlYY1J2ZVJqUGdnVk1ZVWxlSU1JSGtBWDZxVHFmbW1ZZ21QR2dYYQpVODFWOHpaQnFBV1BDTkJ0Nk5JaUFxSUJBd0U2WTZpVW03U3FMbTYxajlhZ3BXNDRMcFQxMkVsSUpkOGV5bzVDCjNnNTRiWWV0S0dFMkRkdzBSaGFYZ2FxNEsyUnV0dm1yTEp0bkdVb1dEcGhIcDR5OE82ejBPQ0ltLzRZNXJKK3QKcVV3Lzd1MU0yY3hLOXNNZ1U5TC9LL1R2aFpScjVNb2xBS0dsRkhiTHNRWC9GVUwrY3lTWDJqVW1xQ0R2R0pjZQo5UjVYbGdIZ1VHNmZjNU53cUcrZjBLTGgwbnlBLzZDWnFPWlFML0VDZ2dFQkFNWGRDYyt0cFd0N0p6YWUyUmtlCjlXQUpiRHd0Qnh3WmZDMGIwM2J0Z3RSWWN4TnN5SERaS1g3cEl5LzdvVlZxZ3I1YVJzd1N3bW95ZlVWa0xBREcKekpiMlNjTDZIdzNHZ1BDUzNHM1Z1NXVuQUxPMmtacjZXRXVmdW5najBONTlNOFVqZFQrUjVwQmdQYWxQRit0NgprMHNiVkY3c1pnNnZnWHNOOGNySmhqN0NydTMvZStRM3lzdHR6MzNUdFZrYUhWY1JGWEhtb0RiWnIwa1E0ejBpCkdNT21EVHZvcFdsOFQxaUhtanZUV1VseFc5SU96Y1pBaklGMnp3bkd4c0R6VFQvZ29SZHRDY0JoQkVmcFU4MjkKbGR1ckdwNHpHSkF5enE5U3BsNTkwQ0p4bW5LM0hOQy9IYWdmTmor
S29XL1FNdVZvbXJNK25ZcXkxSmFvS1pRVQo3eGtDZ2dFQkFNbTRZamZKL0RlRFlrQVhiYTQ4QnZuSVo4WlFWSm1GWE9zWFU5Q01uOUg0YW4vT1Y0Q0RLLy85ClZOWGVvUW55N3hlUlJBcFR0cGFWOWVwVDVCc2VOdFMyaG1IOFFtc3Fvd3dGSjMvTmIvZHc0dHZiVFJUSzVlWmMKZ3NaYlZhcVBKVlR0ZVUzUlAwYzUyMDhFRnRrWXY2QytDdllJUE43dlJiZUVzNmFBelQ4UXdTWFB3VCtTMDFUNQoxRGNTc2dFMmpZb3V0OXhHUzFiWTZFemMvK3FnSDdTN2RscXZVQ1lzRkUvbGx0SjQzT0hnNGxMekRIaWpJZkRJCjJsNGdCWDdaZTEzbWZzV05VeEdCU2hySXFKOTV3QkE0UGFTRElSZkNaR0k1T1lBR2EyYnhuWFpBeG13eDNFamYKaTA3V1ozTHdidkpGclZzcHVxb2lhYXQ0WHJLQ2NoWT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= diff --git a/examples/common-secrets/tls-secret-wildcard.example.com.yaml b/examples/common-secrets/tls-secret-wildcard.example.com.yaml deleted file mode 100644 index 6cb10b54ad..0000000000 --- a/examples/common-secrets/tls-secret-wildcard.example.com.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: tls-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 diff --git a/examples/common-secrets/webapp-secret-cafe.example.com.yaml b/examples/common-secrets/webapp-secret-cafe.example.com.yaml deleted file mode 100644 index b505f9b4c1..0000000000 --- a/examples/common-secrets/webapp-secret-cafe.example.com.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: webapp-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 diff --git a/examples/custom-resources/api-key/cafe-secret.yaml b/examples/custom-resources/api-key/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/custom-resources/api-key/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file 
diff --git a/examples/custom-resources/backup-directive/transport-server/app-tls-secret.yaml b/examples/custom-resources/backup-directive/transport-server/app-tls-secret.yaml
deleted file mode 120000
index 72ef9c58a2..0000000000
--- a/examples/custom-resources/backup-directive/transport-server/app-tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../../common-secrets/app-tls-secret-app.example.com.yaml
\ No newline at end of file
diff --git a/examples/custom-resources/backup-directive/virtual-server/cafe-secret.yaml b/examples/custom-resources/backup-directive/virtual-server/cafe-secret.yaml
deleted file mode 120000
index e9128201ad..0000000000
--- a/examples/custom-resources/backup-directive/virtual-server/cafe-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../../common-secrets/cafe-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/examples/custom-resources/basic-auth/cafe-secret.yaml b/examples/custom-resources/basic-auth/cafe-secret.yaml
deleted file mode 120000
index efa8919b4b..0000000000
--- a/examples/custom-resources/basic-auth/cafe-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../common-secrets/cafe-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/examples/custom-resources/basic-configuration/cafe-secret.yaml b/examples/custom-resources/basic-configuration/cafe-secret.yaml
deleted file mode 120000
index efa8919b4b..0000000000
--- a/examples/custom-resources/basic-configuration/cafe-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../common-secrets/cafe-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/examples/custom-resources/cache-policy/cafe-secret.yaml b/examples/custom-resources/cache-policy/cafe-secret.yaml
deleted file mode 120000
index efa8919b4b..0000000000
--- a/examples/custom-resources/cache-policy/cafe-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../common-secrets/cafe-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/examples/custom-resources/cross-namespace-configuration/cafe-secret.yaml b/examples/custom-resources/cross-namespace-configuration/cafe-secret.yaml
deleted file mode 120000
index 6d8cd13e70..0000000000
--- a/examples/custom-resources/cross-namespace-configuration/cafe-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../common-secrets/cafe-secret-cafe-ns.example.com.yaml
\ No newline at end of file
diff --git a/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml b/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml
deleted file mode 120000
index e9128201ad..0000000000
--- a/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../../common-secrets/cafe-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/examples/custom-resources/custom-listeners/cafe-secret.yaml b/examples/custom-resources/custom-listeners/cafe-secret.yaml
deleted file mode 120000
index efa8919b4b..0000000000
--- a/examples/custom-resources/custom-listeners/cafe-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../common-secrets/cafe-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/examples/custom-resources/egress-mtls/egress-mtls-secret.yaml b/examples/custom-resources/egress-mtls/egress-mtls-secret.yaml
deleted file mode 100644
index b83a8af04e..0000000000
--- a/examples/custom-resources/egress-mtls/egress-mtls-secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: egress-mtls-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdWQ0SEdtbHRJK0hsbFgzc3ZYeDJ4Wmt0L3hKSE5FRjVWSkxoWlNCdkRqTTUwd29SCkVZTUpGNi9YQk11ZzNJYXV3SHV2TUNkQnE0QnIvYzgwTmk4Sy9LeXNFakdCSDBLOUFuQ0xGVmt2NEtkNUI3MDUKaENyV2FzQi8xR21HeGsxTEJUNG9RaE1STGpzNlJIVGRvUW9GSmEyT25FenRHM0J0eFp6QXB6aDNUTjRKSlFEWQorRjhDUUNNVk81czV3a1YyTmwzU0U4V0padHJBSzJYcWhrYTZYaWVkZ3MvR3REbSs4NFVQTlBvTUFlZ0xOZjRGCnNia2huL01ZWlAwbWxXVHp6ZFVuVXNlOUVEUUg2aEVwcGdpSUV4Zm8wQlFTOEpmSURSYW8rdnhva2JTS0dkOUMKUTRzWjNqNUVPT3luNGZmODdDNVJ2MVZoNjBLZU1LRW5ENHpUM1FJREFRQUJBb0lCQUM1enNmekUyblQ4VVArUwprQ2N2UXhQUlc3Q0M1ZTdHYWtkYnloOFhBd3BlZlJZa1R1MjhmUHBCaFJCNnY4STltdEVhV0VkRm1HRC9ZSDMzCldnb3NxYWRLbEZxYnFyU2dYbEtNeEFYYTIxOWZHNTEyaWpoZzZHT1hwcHIwb0sxUXhlNFNnY2M1c3JLR05PTEUKL2xyd0FTZFFmL0xLT3Z2L2xqK3NGRzMyYThKMjBtWVY0dFpsZmJsaUlxNHd0YzVnc0JWUVJ2T3RielQzQzRscwowM1JwbnJPbitxV3NwVkVleU52WjRjM2NKUGJpVTJ4WmkvcE1MZWhnUUhZcDZ0bEpVMFZQRDJaWDJoaDkrRlNDCndOaGNhQVBMTkZrNy9Vc3grdTVhMUM3b3Y0WEw1MExWVE15RjVkdVpCY2ZsUmd3ZWJVc0JqNlRWUDl4Tkp3aTUKb3VmOXJDRUNnWUVBNFJCVE5Oam5LWC9qQVJVZW1tTEpZVFpYNm12bXUzMTJSU1ZuK1ZUV1VzMHVhZVhaS2pmMwpWa3Q0Z3VkdzB1UWh1aFhJbkxVclJhdmVhZHBNc0o0VkZxRHJSRW5LVWlmZWU5QzQraWJOSnk3NHBYcVJpaVpaCjVCT2RKWjNlNVZCbDlTcDJNNExxMUNFNGF5cyt5djAyak9jSjJPallJSW9MU2IxL21WZnVpTmtDZ1lFQTAycHYKTTQyTEljWjFJQW9jMStlTXZIVVpuQ0ltei8vMVBGTTJoaGdlSUs1VXhZM0FRRVg5dzJDWUFKT202Q05WbHhiNAp6dkVrVnVOMnZ0cE5LaWlUQkRGczZtLzBkSE8wTERQdDdjV2ozNDAzbUtwcjBPY2pEVjllYnhpVWJ0R0lKVE84CkpyYzB2OUNUMnFJaFBpTElZdXBpOXg3SFZHUi9pTCswMnJNZm9LVUNnWUVBdktDaERBYktYd2EzSy80V1l4QnUKZFZKRmhzeWVXZjlCODV2eE00LzkvUEhJZDZyVFFzWWJQekVMdExMaTVXMmNNc2oxRlJubVJZTlJhbWd5cEVncApwb2lDQmY3T1dlTGVYZWxHVHluY0FYNGxtUk5NRFh3dEZMRzNvSUpiQU5oTVM1a2w3ZkJJZmpmRmdGU0RVVCs5Cnk0UUx4Y2NJOU9TZHAxVHlMNFA2QUtrQ2dZRUEwQmZVU3I4SWNuOC83QUJvTVkrRmRENGlyZzdqZXhwcVRTMXUKM29CQXIxUkl0b2IyODR5dzRhMWpFRFpG
TS9zTGxRTVVkY1RmU3ZMcmY2R3FFRlFObVRQNUM2eVV4a2JZMGlWdgpEUG5iZWdBcStBYk94cm1yUTg5YVNTbTllSEtmZWxhNDNMYTVvZy93YUdQcktwamIrcGpRUG9NNkdmUXRuL0ZxClYxVzJUTTBDZ1lBNXg3aVRLa0lZQlgwR0JhWERZOUlxMVBWeTkxK3pFeDhIWUdDczRNR2ttME42Y3lncm84UmwKMzA3R09ocnhwam1wMTNEb1JtM21XZWhQMmV1WEdhLy9VS2gxaTUvVkQ0R1ltL2psc1plZUx6MURiR2crQVZqegpWVFdueFJCemYwRmdGZkZkTmNIeFlwNTJ3VTZuK2x3MTVTdkNTWmJKQzYzUTBsZ3N1NlhZN3c9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo= diff --git a/examples/custom-resources/external-dns/cafe-secret.yaml b/examples/custom-resources/external-dns/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/custom-resources/external-dns/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml b/examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml deleted file mode 120000 index 72ef9c58a2..0000000000 --- a/examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../common-secrets/app-tls-secret-app.example.com.yaml \ No newline at end of file diff --git a/examples/custom-resources/grpc-upstreams/greeter-secret.yaml b/examples/custom-resources/grpc-upstreams/greeter-secret.yaml deleted file mode 120000 index 78c861e95b..0000000000 --- a/examples/custom-resources/grpc-upstreams/greeter-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/greeter-secret-virtual-server.example.com.yaml \ No newline at end of file diff --git a/examples/custom-resources/ingress-mtls/tls-secret.yaml b/examples/custom-resources/ingress-mtls/tls-secret.yaml deleted file mode 120000 index 3c1bc0a2dc..0000000000 --- a/examples/custom-resources/ingress-mtls/tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/tls-secret-webapp.example.com.yaml \ No newline at end of file 
diff --git a/examples/custom-resources/jwks/tls-secret.yaml b/examples/custom-resources/jwks/tls-secret.yaml deleted file mode 120000 index 04db4d8b4f..0000000000 --- a/examples/custom-resources/jwks/tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/tls-secret-wildcard.example.com.yaml \ No newline at end of file diff --git a/examples/custom-resources/oidc-fclo/tls-secret.yaml b/examples/custom-resources/oidc-fclo/tls-secret.yaml deleted file mode 120000 index 3c1bc0a2dc..0000000000 --- a/examples/custom-resources/oidc-fclo/tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/tls-secret-webapp.example.com.yaml \ No newline at end of file diff --git a/examples/custom-resources/oidc/tls-secret.yaml b/examples/custom-resources/oidc/tls-secret.yaml deleted file mode 120000 index 3c1bc0a2dc..0000000000 --- a/examples/custom-resources/oidc/tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/tls-secret-webapp.example.com.yaml \ No newline at end of file diff --git a/examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml b/examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/custom-resources/service-insight/service-insight-secret.yaml b/examples/custom-resources/service-insight/service-insight-secret.yaml deleted file mode 120000 index f21ee0f271..0000000000 --- a/examples/custom-resources/service-insight/service-insight-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/service-insight-secret-cafe.example.com.yaml \ No newline at end of file 
diff --git a/examples/custom-resources/tls-passthrough/app-tls-secret.yaml b/examples/custom-resources/tls-passthrough/app-tls-secret.yaml deleted file mode 120000 index 0d8709ac71..0000000000 --- a/examples/custom-resources/tls-passthrough/app-tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/app-tls-secret-app.example.com.yaml \ No newline at end of file diff --git a/examples/custom-resources/transport-server-sni/cafe-secret.yaml b/examples/custom-resources/transport-server-sni/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/custom-resources/transport-server-sni/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/custom-resources/transport-server-sni/mongo-secret.yaml b/examples/custom-resources/transport-server-sni/mongo-secret.yaml deleted file mode 120000 index fcbd2906b2..0000000000 --- a/examples/custom-resources/transport-server-sni/mongo-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../examples/common-secrets/mongo-secret-mongo.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/app-protect-dos/webapp-secret.yaml b/examples/ingress-resources/app-protect-dos/webapp-secret.yaml deleted file mode 120000 index 9dc1214bcf..0000000000 --- a/examples/ingress-resources/app-protect-dos/webapp-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/webapp-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/app-protect-waf/cafe-secret.yaml b/examples/ingress-resources/app-protect-waf/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/ingress-resources/app-protect-waf/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file 
diff --git a/examples/ingress-resources/basic-auth/cafe-secret.yaml b/examples/ingress-resources/basic-auth/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/ingress-resources/basic-auth/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/complete-example/cafe-secret.yaml b/examples/ingress-resources/complete-example/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/ingress-resources/complete-example/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/mergeable-ingress-types/cafe-secret.yaml b/examples/ingress-resources/mergeable-ingress-types/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/ingress-resources/mergeable-ingress-types/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml b/examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml deleted file mode 120000 index e9128201ad..0000000000 --- a/examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml b/examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml deleted file mode 120000 index e9128201ad..0000000000 --- a/examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file 
diff --git a/examples/ingress-resources/rate-limit/cafe-secret.yaml b/examples/ingress-resources/rate-limit/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/ingress-resources/rate-limit/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/ingress-resources/security-monitoring/cafe-secret.yaml b/examples/ingress-resources/security-monitoring/cafe-secret.yaml deleted file mode 120000 index efa8919b4b..0000000000 --- a/examples/ingress-resources/security-monitoring/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/examples/shared-examples/default-server-secret/default-server-secret.yaml b/examples/shared-examples/default-server-secret/default-server-secret.yaml deleted file mode 120000 index 33f71322bf..0000000000 --- a/examples/shared-examples/default-server-secret/default-server-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/default-server-secret-NGINXIngressController.yaml \ No newline at end of file diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 2ab871f761..ed5d191772 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
@@ -15,7 +15,61 @@ var yamlSecrets = []yamlSecret{ }, valid: secretShouldHaveValidTLSCrt, symlinks: []string{ - "examples/custom-resources/oidc-fclo/tls-secret-symlinked.yaml", + "/examples/custom-resources/api-key/cafe-secret.yaml", + "/examples/custom-resources/backup-directive/transport-server/app-tls-secret.yaml", + "/examples/custom-resources/backup-directive/virtual-server/cafe-secret.yaml", + "/examples/custom-resources/basic-auth/cafe-secret.yaml", + "/examples/custom-resources/basic-configuration/cafe-secret.yaml", + "/examples/custom-resources/cache-policy/cafe-secret.yaml", + "/examples/custom-resources/cross-namespace-configuration/cafe-secret.yaml", + "/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml", + "/examples/custom-resources/custom-listeners/cafe-secret.yaml", + "/examples/custom-resources/egress-mtls/egress-mtls-secret.yaml", + "/examples/custom-resources/external-dns/cafe-secret.yaml", + "/examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml", + "/examples/custom-resources/grpc-upstreams/greeter-secret.yaml", + "/examples/custom-resources/ingress-mtls/tls-secret.yaml", + "/examples/custom-resources/jwks/tls-secret.yaml", + "/examples/custom-resources/oidc-fclo/tls-secret.yaml", + "/examples/custom-resources/oidc/tls-secret.yaml", + "/examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml", + "/examples/custom-resources/service-insight/service-insight-secret.yaml", + "/examples/custom-resources/tls-passthrough/app-tls-secret.yaml", + "/examples/custom-resources/transport-server-sni/cafe-secret.yaml", + "/examples/custom-resources/transport-server-sni/mongo-secret.yaml", + "/examples/ingress-resources/app-protect-dos/webapp-secret.yaml", + "/examples/ingress-resources/app-protect-waf/cafe-secret.yaml", + "/examples/ingress-resources/basic-auth/cafe-secret.yaml", + "/examples/ingress-resources/complete-example/cafe-secret.yaml", + 
"/examples/ingress-resources/mergeable-ingress-types/cafe-secret.yaml", + "/examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml", + "/examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml", + "/examples/ingress-resources/rate-limit/cafe-secret.yaml", + "/examples/ingress-resources/security-monitoring/cafe-secret.yaml", + "/examples/shared-examples/default-server-secret/default-server-secret.yaml", + "/tests/data/ap-waf-grpc/tls-secret.yaml", + "/tests/data/appprotect/appprotect-secret.yaml", + "/tests/data/common/app/secure/secret/app-tls-secret.yaml", + "/tests/data/common/default-server-secret.yaml", + "/tests/data/default-server/invalid-tls-secret.yaml", + "/tests/data/default-server/new-tls-secret.yaml", + "/tests/data/dos/tls-secret.yaml", + "/tests/data/egress-mtls/secret/tls-secret.yaml", + "/tests/data/ingress-mtls/secret/tls-secret.yaml", + "/tests/data/mgmt-configmap-keys/ssl-cert.yaml", + "/tests/data/prometheus/secret.yaml", + "/tests/data/service-insight/secret.yaml", + "/tests/data/smoke/smoke-secret.yaml", + "/tests/data/tls/tls-secret.yaml", + "/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml", + "/tests/data/upgrade-test-resources/secret.yaml", + "/tests/data/virtual-server-certmanager/tls-secret.yaml", + "/tests/data/virtual-server-grpc/tls-secret.yaml", + "/tests/data/virtual-server-route-grpc/tls-secret.yaml", + "/tests/data/virtual-server-tls/tls-secret.yaml", + "/tests/data/watch-secret-namespace/tls-secret.yaml", + "/tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml", + "/tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml", }, }, { diff --git a/tests/.gitignore b/tests/.gitignore index e3a489170b..6d68a79025 100644 --- a/tests/.gitignore +++ b/tests/.gitignore 
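Review bot: `"/tests/data/default-server/invalid-tls-secret.yaml"` is added to the `symlinks` of an entry marked `valid: secretShouldHaveValidTLSCrt`, while the file of that name deleted in this same commit had an empty `tls.crt:`, so the negative fixture would now carry a usable certificate and the test built on it would stop exercising the rejection path. That path belongs under an entry with `valid: secretShouldHaveInvalidTLSCrt`. The list also folds paths that previously held differently named secrets (`egress-tls-secret` and `ssl-cert` in the deleted manifests, plus the wildcard and app secrets the removed symlinks pointed to) into this one entry, which presumably gives them all a single secret name and subject; manifests that reference the old names would need separate entries. The entry's `secretName` and `templateData` start outside the hunk, so this should be confirmed against the full literal.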
@@ -21,3 +21,30 @@ __pycache__/ # json artifacts json_files/* + +# kubernetes secrets +# these are auto-generated: cd ../hack/tls-cert-gen && make run +# see ../hack/certs.go +data/ap-waf-grpc/tls-secret.yaml +data/appprotect/appprotect-secret.yaml +data/common/app/secure/secret/app-tls-secret.yaml +data/common/default-server-secret.yaml +data/default-server/invalid-tls-secret.yaml +data/default-server/new-tls-secret.yaml +data/dos/tls-secret.yaml +data/egress-mtls/secret/tls-secret.yaml +data/ingress-mtls/secret/tls-secret.yaml +data/mgmt-configmap-keys/ssl-cert.yaml +data/prometheus/secret.yaml +data/service-insight/secret.yaml +data/smoke/smoke-secret.yaml +data/tls/tls-secret.yaml +data/transport-server-tcp-load-balance/tcp-tls-secret.yaml +data/upgrade-test-resources/secret.yaml +data/virtual-server-certmanager/tls-secret.yaml +data/virtual-server-grpc/tls-secret.yaml +data/virtual-server-route-grpc/tls-secret.yaml +data/virtual-server-tls/tls-secret.yaml +data/watch-secret-namespace/tls-secret.yaml +data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml +data/wildcard-tls-secret/wildcard-tls-secret.yaml diff --git a/tests/data/ap-waf-grpc/tls-secret.yaml b/tests/data/ap-waf-grpc/tls-secret.yaml deleted file mode 120000 index af2ffa79cc..0000000000 --- a/tests/data/ap-waf-grpc/tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/tls-secret-virtual-server.example.com.yaml \ No newline at end of file diff --git a/tests/data/appprotect/appprotect-secret.yaml b/tests/data/appprotect/appprotect-secret.yaml deleted file mode 120000 index 159acb1e46..0000000000 --- a/tests/data/appprotect/appprotect-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/appprotect-secret-appprotect.example.com.yaml \ No newline at end of file diff --git a/tests/data/common/app/secure/secret/app-tls-secret.yaml b/tests/data/common/app/secure/secret/app-tls-secret.yaml deleted file mode 120000 index a085cd1334..0000000000 
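Review bot: The pointer comment `# see ../hack/certs.go` names a path that does not match the generator file in this commit, `hack/tls-cert-gen/certs.go`; it should read `# see ../hack/tls-cert-gen/certs.go`. The entries below it are a hand copy of the `symlinks` slices in that file, and a generated path missing from the list leaves a manifest that presumably holds a freshly generated private key eligible for `git add`. The later `examples/.gitignore` and `tests/.gitignore` hunks in this series extend the same manual list. A step in the generator or in CI that runs `git check-ignore` over every path it writes would catch drift between the two lists.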
--- a/tests/data/common/app/secure/secret/app-tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../../common-secrets/app-tls-secret-app.example.com.yaml \ No newline at end of file diff --git a/tests/data/common/default-server-secret.yaml b/tests/data/common/default-server-secret.yaml deleted file mode 120000 index e7080f1ea0..0000000000 --- a/tests/data/common/default-server-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/default-server-secret-NGINXIngressController.yaml \ No newline at end of file diff --git a/tests/data/default-server/invalid-tls-secret.yaml b/tests/data/default-server/invalid-tls-secret.yaml deleted file mode 100644 index 0ffd948ece..0000000000 --- a/tests/data/default-server/invalid-tls-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: default-server-secret -type: kubernetes.io/tls -data: - tls.crt: - tls.key: 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 diff --git a/tests/data/default-server/new-tls-secret.yaml b/tests/data/default-server/new-tls-secret.yaml deleted file mode 120000 index 797c9ac2ae..0000000000 --- a/tests/data/default-server/new-tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/default-server-secret-cafe.example.com-gb.yaml \ No newline at end of file diff --git a/tests/data/dos/tls-secret.yaml b/tests/data/dos/tls-secret.yaml deleted file mode 120000 index 6d56549938..0000000000 --- a/tests/data/dos/tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/tls-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/tests/data/egress-mtls/secret/tls-secret.yaml b/tests/data/egress-mtls/secret/tls-secret.yaml deleted file mode 100644 index 988e849398..0000000000 --- a/tests/data/egress-mtls/secret/tls-secret.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: egress-tls-secret -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 diff --git a/tests/data/ingress-mtls/secret/tls-secret.yaml b/tests/data/ingress-mtls/secret/tls-secret.yaml deleted file mode 120000 index a44b5d1ec6..0000000000 --- a/tests/data/ingress-mtls/secret/tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/tls-secret-virtual-server.example.com.yaml \ No newline at end of file diff --git a/tests/data/mgmt-configmap-keys/ssl-cert.yaml b/tests/data/mgmt-configmap-keys/ssl-cert.yaml deleted file mode 100644 index 511f818611..0000000000 --- a/tests/data/mgmt-configmap-keys/ssl-cert.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: ssl-cert -type: kubernetes.io/tls -data: - tls.crt: 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 - tls.key: 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 diff --git a/tests/data/prometheus/secret.yaml b/tests/data/prometheus/secret.yaml deleted file mode 120000 index 6d56549938..0000000000 --- a/tests/data/prometheus/secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/tls-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/tests/data/service-insight/secret.yaml b/tests/data/service-insight/secret.yaml deleted file mode 120000 index 52ca58f4b7..0000000000 --- a/tests/data/service-insight/secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/test-secret-cafe.example.com.yaml \ No newline at end of file diff --git a/tests/data/smoke/smoke-secret.yaml b/tests/data/smoke/smoke-secret.yaml deleted file mode 120000 index 6d56549938..0000000000 --- a/tests/data/smoke/smoke-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/tls-secret-cafe.example.com.yaml \ No newline at end of file 
diff --git a/tests/data/tls/invalid-tls-secret.yaml b/tests/data/tls/invalid-tls-secret.yaml
deleted file mode 120000
index 900348c94a..0000000000
--- a/tests/data/tls/invalid-tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/tls-secret-invalid-cafe.example.com.yaml
\ No newline at end of file
diff --git a/tests/data/tls/new-tls-secret.yaml b/tests/data/tls/new-tls-secret.yaml
deleted file mode 120000
index 2d15b501d2..0000000000
--- a/tests/data/tls/new-tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/tls-secret-cafe.example.com-gb.yaml
\ No newline at end of file
diff --git a/tests/data/tls/tls-secret.yaml b/tests/data/tls/tls-secret.yaml
deleted file mode 120000
index 6d56549938..0000000000
--- a/tests/data/tls/tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/tls-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml b/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml
deleted file mode 120000
index 7502fc312d..0000000000
--- a/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/transport-server-tls-secret-kic.example.com.yaml
\ No newline at end of file
diff --git a/tests/data/upgrade-test-resources/secret.yaml b/tests/data/upgrade-test-resources/secret.yaml
deleted file mode 120000
index 52ca58f4b7..0000000000
--- a/tests/data/upgrade-test-resources/secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/test-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/tests/data/virtual-server-certmanager/tls-secret.yaml b/tests/data/virtual-server-certmanager/tls-secret.yaml
deleted file mode 120000
index 6d56549938..0000000000
--- a/tests/data/virtual-server-certmanager/tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/tls-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/tests/data/virtual-server-grpc/tls-secret.yaml b/tests/data/virtual-server-grpc/tls-secret.yaml
deleted file mode 120000
index af2ffa79cc..0000000000
--- a/tests/data/virtual-server-grpc/tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/tls-secret-virtual-server.example.com.yaml
\ No newline at end of file
diff --git a/tests/data/virtual-server-route-grpc/tls-secret.yaml b/tests/data/virtual-server-route-grpc/tls-secret.yaml
deleted file mode 120000
index af2ffa79cc..0000000000
--- a/tests/data/virtual-server-route-grpc/tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/tls-secret-virtual-server.example.com.yaml
\ No newline at end of file
diff --git a/tests/data/virtual-server-tls/new-tls-secret.yaml b/tests/data/virtual-server-tls/new-tls-secret.yaml
deleted file mode 120000
index 2d15b501d2..0000000000
--- a/tests/data/virtual-server-tls/new-tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/tls-secret-cafe.example.com-gb.yaml
\ No newline at end of file
diff --git a/tests/data/virtual-server-tls/tls-secret.yaml b/tests/data/virtual-server-tls/tls-secret.yaml
deleted file mode 120000
index 6d56549938..0000000000
--- a/tests/data/virtual-server-tls/tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/tls-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/tests/data/watch-secret-namespace/tls-secret.yaml b/tests/data/watch-secret-namespace/tls-secret.yaml
deleted file mode 120000
index 6d56549938..0000000000
--- a/tests/data/watch-secret-namespace/tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../common-secrets/tls-secret-cafe.example.com.yaml
\ No newline at end of file
diff --git a/tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml b/tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml
deleted file mode 120000
index 86190da6a1..0000000000
--- a/tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml
+++ /dev/null
@@ -1 +0,0 @@ -../common-secrets/wildcard-tls-secret-example.com-gb.yaml \ No newline at end of file diff --git a/tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml b/tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml deleted file mode 120000 index 708028c7d4..0000000000 --- a/tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/wildcard-tls-secret-example.com.yaml \ No newline at end of file From e4ec2157b5943fb96882f4510bd7af7f18420f21 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 11:55:10 +0000 Subject: [PATCH 12/45] Add makefile target to gen certs --- Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index 7d6164d8fd..c03fa826c6 100644 --- a/Makefile +++ b/Makefile @@ -264,3 +264,7 @@ update-crd-docs: ## Update CRD markdown documentation from YAML definitions @echo "Generating CRD documentation..." @go run hack/generate-crd-docs.go -crd-dir config/crd/bases -output-dir docs/crd @echo "CRD documentation updated successfully!" + +.PHONY: certs +certs: + make -C hack/tls-cert-gen run From 42d1f36cb1db31c3a2d0ad420e9fd2a78d8f417c Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 11:56:40 +0000 Subject: [PATCH 13/45] Create default secret --- hack/tls-cert-gen/certs.go | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index ed5d191772..5b7655e208 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
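Review bot: The `certs` recipe calls a literal `make`, so the sub-make does not inherit the parent's flags or jobserver and may resolve to a different make binary than the one running this file; the recipe line should be `$(MAKE) -C hack/tls-cert-gen run`. The target also has no `## ` description, unlike `update-crd-docs` just above it, which presumably feeds the help listing; something like `certs: ## Generate TLS secrets for examples and tests` would match. Because the output presumably includes private key material, the description is a reasonable place to say the files are throwaway test fixtures.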
@@ -46,11 +46,9 @@ var yamlSecrets = []yamlSecret{ "/examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml", "/examples/ingress-resources/rate-limit/cafe-secret.yaml", "/examples/ingress-resources/security-monitoring/cafe-secret.yaml", - "/examples/shared-examples/default-server-secret/default-server-secret.yaml", "/tests/data/ap-waf-grpc/tls-secret.yaml", "/tests/data/appprotect/appprotect-secret.yaml", "/tests/data/common/app/secure/secret/app-tls-secret.yaml", - "/tests/data/common/default-server-secret.yaml", "/tests/data/default-server/invalid-tls-secret.yaml", "/tests/data/default-server/new-tls-secret.yaml", "/tests/data/dos/tls-secret.yaml", @@ -72,6 +70,26 @@ var yamlSecrets = []yamlSecret{ "/tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml", }, }, + + { + secretName: "default-server-secret", + fileName: "tls-secret-default.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "NGINXIngressController", + dnsNames: []string{"*.example.com"}, + }, + valid: secretShouldHaveInvalidTLSCrt, + symlinks: []string{ + "/examples/shared-examples/default-server-secret/default-server-secret.yaml", + "/tests/data/common/default-server-secret.yaml", + }, + }, + { secretName: "tls-secret", fileName: "tls-secret-invalid.yaml", From 6c0c05fc00d1bf4a5dbbceed6119157168582ee0 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 12:11:36 +0000 Subject: [PATCH 14/45] Default TLS should be valid --- hack/tls-cert-gen/certs.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 5b7655e208..991c7c2201 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
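Review bot: The new `default-server-secret` entry sets no namespace, while the `certinfo.txt` record removed later in this series lists `namespace: nginx-ingress` for both `default-server-secret-NGINXIngressController.yaml` files that these two paths used to link to. If the generated manifest omits `metadata.namespace`, applying it would create the secret in whatever namespace is current rather than where the controller's default-server reference expects it. The `yamlSecret` definition is outside this hunk, so whether it has a namespace field needs confirming; if not, adding one and setting it to `nginx-ingress` here would preserve the old behaviour. The entry also adds `dnsNames: []string{"*.example.com"}` where the old certificate had only a CN, which is worth a short comment saying whether the wildcard SAN is intended for the catch-all server.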
@@ -83,7 +83,7 @@ var yamlSecrets = []yamlSecret{ commonName: "NGINXIngressController", dnsNames: []string{"*.example.com"}, }, - valid: secretShouldHaveInvalidTLSCrt, + valid: secretShouldHaveValidTLSCrt, symlinks: []string{ "/examples/shared-examples/default-server-secret/default-server-secret.yaml", "/tests/data/common/default-server-secret.yaml", From 06eb4057371c08cdc17b96e75aeca1f9f3b29291 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 12:23:04 +0000 Subject: [PATCH 15/45] Add make certs to the smoke test setup step --- .github/workflows/setup-smoke.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 7f4deec436..cbe32d65ac 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -54,6 +54,10 @@ jobs: - name: Checkout Repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + - name: Generate TLS certificates + run: | + make certs + - name: Set image variables id: image_details run: | From ce43097e57c2b4e763633f51741fcf374ec2e677 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 13:37:08 +0000 Subject: [PATCH 16/45] Generate the actual TLS files into a new dir --- .gitignore | 4 ++++ common-secrets/.gitkeep | 0 hack/tls-cert-gen/tls-cert-gen.go | 2 +- 3 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 common-secrets/.gitkeep diff --git a/.gitignore b/.gitignore index 1bfe11490b..aceb784a30 100644 --- a/.gitignore +++ b/.gitignore @@ -64,3 +64,7 @@ package.json # kind kube-config kube-local venv/ + +# generated certificates +common-secrets/* +!common-secrets/.gitkeep diff --git a/common-secrets/.gitkeep b/common-secrets/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index ba78815c7f..77711c0523 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go 
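Review bot: The `Generate TLS certificates` step runs `make certs` directly after checkout, and no Go toolchain setup is visible ahead of it in this hunk. If the `run` target under `hack/tls-cert-gen` uses `go run` (that makefile is outside this diff), the step depends on whichever Go version the runner image ships rather than the one declared in `go.mod`. Unless an earlier step outside the hunk already does it, put an `actions/setup-go` step with `go-version-file: go.mod`, pinned by commit SHA like the checkout action, before this one. The job's remaining steps continue outside the hunk.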
+++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -26,7 +26,7 @@ import ( const ( secretShouldHaveValidTLSCrt = true secretShouldHaveInvalidTLSCrt = false - realSecretDirectory = "examples/common-secrets/" + realSecretDirectory = "common-secrets/" ) var projectRoot = "" // this will be redefined in main() From 3b901d38fcf0eb591d02e6e0a9c8915d52aa2c90 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 13:38:37 +0000 Subject: [PATCH 17/45] Add examples gitignore file --- examples/.gitignore | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 examples/.gitignore diff --git a/examples/.gitignore b/examples/.gitignore new file mode 100644 index 0000000000..e69de29bb2 From 5400b66f78149cf65521cc77aa3988cdbcdf6551 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 13:42:21 +0000 Subject: [PATCH 18/45] Add generated symlink files to gitignores --- examples/.gitignore | 32 ++++++++++++++++++++++++++++++++ tests/.gitignore | 3 +++ 2 files changed, 35 insertions(+) diff --git a/examples/.gitignore b/examples/.gitignore index e69de29bb2..70b7d8771f 100644 --- a/examples/.gitignore +++ b/examples/.gitignore 
@@ -0,0 +1,32 @@
+custom-resources/api-key/cafe-secret.yaml
+custom-resources/backup-directive/transport-server/app-tls-secret.yaml
+custom-resources/backup-directive/virtual-server/cafe-secret.yaml
+custom-resources/basic-auth/cafe-secret.yaml
+custom-resources/basic-configuration/cafe-secret.yaml
+custom-resources/cache-policy/cafe-secret.yaml
+custom-resources/cross-namespace-configuration/cafe-secret.yaml
+custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml
+custom-resources/custom-listeners/cafe-secret.yaml
+custom-resources/egress-mtls/egress-mtls-secret.yaml
+custom-resources/external-dns/cafe-secret.yaml
+custom-resources/externalname-services/transport-server/app-tls-secret.yaml
+custom-resources/grpc-upstreams/greeter-secret.yaml
+custom-resources/ingress-mtls/tls-secret.yaml
+custom-resources/jwks/tls-secret.yaml
+custom-resources/oidc-fclo/tls-secret.yaml
+custom-resources/oidc/tls-secret.yaml
+custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml
+custom-resources/service-insight/service-insight-secret.yaml
+custom-resources/tls-passthrough/app-tls-secret.yaml
+custom-resources/transport-server-sni/cafe-secret.yaml
+custom-resources/transport-server-sni/mongo-secret.yaml
+ingress-resources/app-protect-dos/webapp-secret.yaml
+ingress-resources/app-protect-waf/cafe-secret.yaml
+ingress-resources/basic-auth/cafe-secret.yaml
+ingress-resources/complete-example/cafe-secret.yaml
+ingress-resources/mergeable-ingress-types/cafe-secret.yaml
+ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml
+ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml
+ingress-resources/rate-limit/cafe-secret.yaml
+ingress-resources/security-monitoring/cafe-secret.yaml
+shared-examples/default-server-secret/default-server-secret.yaml
diff --git a/tests/.gitignore b/tests/.gitignore
index 6d68a79025..687b247062 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -38,12 +38,15 @@ data/mgmt-configmap-keys/ssl-cert.yaml data/prometheus/secret.yaml data/service-insight/secret.yaml data/smoke/smoke-secret.yaml +data/tls/invalid-tls-secret.yaml +data/tls/new-tls-secret.yaml data/tls/tls-secret.yaml data/transport-server-tcp-load-balance/tcp-tls-secret.yaml data/upgrade-test-resources/secret.yaml data/virtual-server-certmanager/tls-secret.yaml data/virtual-server-grpc/tls-secret.yaml data/virtual-server-route-grpc/tls-secret.yaml +data/virtual-server-tls/new-tls-secret.yaml data/virtual-server-tls/tls-secret.yaml data/watch-secret-namespace/tls-secret.yaml data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml From 532f4932157186ff89a100b6b0a5b72a9c103e0c Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 13:52:31 +0000 Subject: [PATCH 19/45] Removing helper cert-links --- hack/cert-links/certinfo.txt | 364 ------------------------- hack/cert-links/files-and-symlinks.txt | 109 -------- hack/cert-links/go.mod | 5 - hack/cert-links/go.sum | 2 - hack/cert-links/main.go | 191 ------------- 5 files changed, 671 deletions(-) delete mode 100644 hack/cert-links/certinfo.txt delete mode 100644 hack/cert-links/files-and-symlinks.txt delete mode 100644 hack/cert-links/go.mod delete mode 100644 hack/cert-links/go.sum delete mode 100644 hack/cert-links/main.go diff --git a/hack/cert-links/certinfo.txt b/hack/cert-links/certinfo.txt deleted file mode 100644 index 9b8d9b2769..0000000000 --- a/hack/cert-links/certinfo.txt +++ /dev/null 
@@ -1,364 +0,0 @@ -/examples/common-secrets/greeter-secret-virtual-server.example.com.yaml - secret name: greeter-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=virtual-server.example.com - Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=virtual-server.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:virtual-server.example.com - X509v3 Basic Constraints: - CA:FALSE - -/examples/common-secrets/tls-secret-wildcard.example.com.yaml - secret name: tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=*.example.com - Subject: CN=*.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - -/examples/common-secrets/tls-secret-webapp.example.com.yaml - secret name: tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=webapp.example.com - Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=webapp.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:webapp.example.com - X509v3 Basic Constraints: - CA:FALSE - -/tests/data/common-secrets/default-server-secret-NGINXIngressController.yaml - secret name: default-server-secret - namespace: nginx-ingress - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=NGINXIngressController - Subject: CN=NGINXIngressController - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - -/tests/data/common-secrets/wildcard-tls-secret-example.com.yaml - secret name: wildcard-tls-secret - namespace: not specified - 
Signature Algorithm: sha256WithRSAEncryption - Issuer: C=ES, ST=CanaryIslands, O=nginx, OU=example.com, CN=example.com - Subject: C=ES, ST=CanaryIslands, O=nginx, OU=example.com, CN=example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - -/examples/common-secrets/cafe-secret-cafe-ns.example.com.yaml - secret name: cafe-secret - namespace: cafe - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - -/tests/data/common-secrets/app-tls-secret-app.example.com.yaml - secret name: app-tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=app.example.com - Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=app.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:app.example.com - X509v3 Basic Constraints: - CA:FALSE - -/tests/data/common-secrets/cafe-secret-cafe.example.com.yaml - secret name: cafe-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - -/tests/data/common-secrets/tls-secret-cafe.example.com-gb.yaml - secret name: tls-secret - namespace: not specified - 
Signature Algorithm: sha256WithRSAEncryption - Issuer: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com - Subject: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - -/tests/data/common-secrets/transport-server-tls-secret-cafe.example.com-gb.yaml - secret name: transport-server-tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com - Subject: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - -/tests/data/common-secrets/wildcard-tls-secret-example.com-gb.yaml - secret name: wildcard-tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=GB, ST=Cambridgeshire, O=nginx, CN=example.com - Subject: C=GB, ST=Cambridgeshire, O=nginx, CN=example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - -/examples/common-secrets/app-tls-secret-app.example.com.yaml - secret name: app-tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=app.example.com - Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=app.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:app.example.com - X509v3 Basic Constraints: - CA:FALSE - -/tests/data/common-secrets/appprotect-secret-appprotect.example.com.yaml - secret name: appprotect-secret - namespace: not 
specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=appprotect.example.com - Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=appprotect.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:appprotect.example.com - X509v3 Basic Constraints: - CA:FALSE - -/tests/data/common-secrets/tls-secret-virtual-server.example.com.yaml - secret name: tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=virtual-server.example.com - Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=virtual-server.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:virtual-server.example.com - X509v3 Basic Constraints: - CA:FALSE - -/tests/data/common-secrets/test-secret-cafe.example.com.yaml - secret name: test-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - -/tests/data/common-secrets/tls-secret-cafe.example.com.yaml - secret name: tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - 
-/examples/common-secrets/mongo-secret-mongo.example.com.yaml - secret name: mongo-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=mongo.example.com - Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=mongo.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:mongo.example.com - X509v3 Basic Constraints: - CA:FALSE - -/examples/common-secrets/service-insight-secret-cafe.example.com.yaml - secret name: service-insight-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - -/examples/common-secrets/webapp-secret-cafe.example.com.yaml - secret name: webapp-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - -/tests/data/common-secrets/default-server-secret-cafe.example.com-gb.yaml - secret name: default-server-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com - Subject: C=GB, ST=Cambridgeshire, O=nginx, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - 
X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - -/tests/data/common-secrets/transport-server-tls-secret-kic.example.com.yaml - secret name: transport-server-tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=kic.example.com - Subject: C=IE, ST=Cork, O=NGINX, OU=NGINX, CN=kic.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:kic.example.com - X509v3 Basic Constraints: - CA:FALSE - -/examples/common-secrets/cafe-secret-cafe.example.com.yaml - secret name: cafe-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (4096 bit) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:cafe.example.com - X509v3 Basic Constraints: - CA:TRUE - -/examples/common-secrets/default-server-secret-NGINXIngressController.yaml - secret name: default-server-secret - namespace: nginx-ingress - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=NGINXIngressController - Subject: CN=NGINXIngressController - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - X509v3 extensions: - X509v3 Basic Constraints: - CA:FALSE - -/tests/data/egress-mtls/secret/tls-secret.yaml - secret name: egress-tls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, L=San Fransisco, O=NGINX, OU=KIC, CN=example.com - Subject: C=US, ST=CA, L=San Fransisco, O=NGINX, OU=KIC, CN=client - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - -/tests/data/mgmt-configmap-keys/ssl-cert.yaml - secret name: 
ssl-cert - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject: C=US, ST=CA, O=Internet Widgits Pty Ltd, CN=cafe.example.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - -/examples/custom-resources/egress-mtls/egress-mtls-secret.yaml - secret name: egress-mtls-secret - namespace: not specified - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CA, L=San Fransisco, O=NGINX, OU=KIC, CN=example.com - Subject: C=US, ST=CA, L=San Fransisco, O=NGINX, OU=KIC, CN=client - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) diff --git a/hack/cert-links/files-and-symlinks.txt b/hack/cert-links/files-and-symlinks.txt deleted file mode 100644 index fc3c5c2c52..0000000000 --- a/hack/cert-links/files-and-symlinks.txt +++ /dev/null 
@@ -1,109 +0,0 @@ -Actual file: /examples/common-secrets/cafe-secret-cafe.example.com.yaml - - : /examples/custom-resources/api-key/cafe-secret.yaml - - : /examples/custom-resources/external-dns/cafe-secret.yaml - - : /examples/custom-resources/transport-server-sni/cafe-secret.yaml - - : /examples/ingress-resources/basic-auth/cafe-secret.yaml - - : /examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml - - : /examples/custom-resources/custom-listeners/cafe-secret.yaml - - : /examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml - - : /examples/ingress-resources/security-monitoring/cafe-secret.yaml - - : /examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml - - : /examples/ingress-resources/app-protect-waf/cafe-secret.yaml - - : /examples/custom-resources/basic-auth/cafe-secret.yaml - - : /examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml - - : /examples/ingress-resources/mergeable-ingress-types/cafe-secret.yaml - - : /examples/custom-resources/basic-configuration/cafe-secret.yaml - - : /examples/custom-resources/backup-directive/virtual-server/cafe-secret.yaml - - : /examples/custom-resources/cache-policy/cafe-secret.yaml - - : /examples/ingress-resources/complete-example/cafe-secret.yaml - - : /examples/ingress-resources/rate-limit/cafe-secret.yaml - -Actual file: /examples/common-secrets/app-tls-secret-app.example.com.yaml - - : /examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml - - : /examples/custom-resources/backup-directive/transport-server/app-tls-secret.yaml - - : /examples/custom-resources/tls-passthrough/app-tls-secret.yaml - -Actual file: /tests/data/common-secrets/test-secret-cafe.example.com.yaml - - : /tests/data/service-insight/secret.yaml - - : /tests/data/upgrade-test-resources/secret.yaml - -Actual file: /tests/data/common-secrets/tls-secret-cafe.example.com-gb.yaml - - : /tests/data/tls/new-tls-secret.yaml - - : 
/tests/data/virtual-server-tls/new-tls-secret.yaml - -Actual file: /tests/data/common-secrets/transport-server-tls-secret-cafe.example.com-gb.yaml - - : /tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml - -Actual file: /tests/data/common-secrets/cafe-secret-cafe.example.com.yaml - - : /tests/data/transport-server-with-host/cafe-secret.yaml - -Actual file: /tests/data/common-secrets/wildcard-tls-secret-example.com.yaml - - : /tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml - -Actual file: /examples/common-secrets/tls-secret-webapp.example.com.yaml - - : /examples/custom-resources/oidc-fclo/tls-secret.yaml - - : /examples/custom-resources/ingress-mtls/tls-secret.yaml - - : /examples/custom-resources/oidc/tls-secret.yaml - -Actual file: /tests/data/common-secrets/tls-secret-virtual-server.example.com.yaml - - : /tests/data/ap-waf-grpc/tls-secret.yaml - - : /tests/data/ingress-mtls/secret/tls-secret.yaml - - : /tests/data/virtual-server-grpc/tls-secret.yaml - - : /tests/data/virtual-server-route-grpc/tls-secret.yaml - -Actual file: /tests/data/common-secrets/app-tls-secret-app.example.com.yaml - - : /tests/data/common/app/secure/secret/app-tls-secret.yaml - -Actual file: /tests/data/common-secrets/tls-secret-cafe.example.com.yaml - - : /tests/data/virtual-server-tls/tls-secret.yaml - - : /tests/data/smoke/smoke-secret.yaml - - : /tests/data/tls/tls-secret.yaml - - : /tests/data/prometheus/secret.yaml - - : /tests/data/watch-secret-namespace/tls-secret.yaml - - : /tests/data/dos/tls-secret.yaml - - : /tests/data/virtual-server-certmanager/tls-secret.yaml - -Actual file: /tests/data/common-secrets/default-server-secret-NGINXIngressController.yaml - - : /tests/data/common/default-server-secret.yaml - -Actual file: /tests/data/common-secrets/wildcard-tls-secret-example.com-gb.yaml - - : /tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml - -Actual file: /examples/common-secrets/mongo-secret-mongo.example.com.yaml - - : 
/examples/custom-resources/transport-server-sni/mongo-secret.yaml - -Actual file: /tests/data/common-secrets/appprotect-secret-appprotect.example.com.yaml - - : /tests/data/appprotect/appprotect-secret.yaml - -Actual file: /examples/common-secrets/service-insight-secret-cafe.example.com.yaml - - : /examples/custom-resources/service-insight/service-insight-secret.yaml - -Actual file: /tests/data/common-secrets/default-server-secret-cafe.example.com-gb.yaml - - : /tests/data/default-server/new-tls-secret.yaml - -Actual file: /examples/common-secrets/tls-secret-wildcard.example.com.yaml - - : /examples/custom-resources/jwks/tls-secret.yaml - -Actual file: /examples/common-secrets/greeter-secret-virtual-server.example.com.yaml - - : /examples/custom-resources/grpc-upstreams/greeter-secret.yaml - -Actual file: /examples/common-secrets/default-server-secret-NGINXIngressController.yaml - - : /examples/shared-examples/default-server-secret/default-server-secret.yaml - -Actual file: /examples/common-secrets/cafe-secret-cafe-ns.example.com.yaml - - : /examples/custom-resources/cross-namespace-configuration/cafe-secret.yaml - -Actual file: /examples/common-secrets/webapp-secret-cafe.example.com.yaml - - : /examples/ingress-resources/app-protect-dos/webapp-secret.yaml - -Actual file: /tests/data/common-secrets/transport-server-tls-secret-kic.example.com.yaml - - : /tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml - - - -Printing only Actual Files with no symbolic links pointing to them - -/examples/custom-resources/egress-mtls/egress-mtls-secret.yaml -/tests/data/default-server/invalid-tls-secret.yaml -/tests/data/mgmt-configmap-keys/ssl-cert.yaml -/tests/data/egress-mtls/secret/tls-secret.yaml diff --git a/hack/cert-links/go.mod b/hack/cert-links/go.mod deleted file mode 100644 index db78c30644..0000000000 --- a/hack/cert-links/go.mod +++ /dev/null 
@@ -1,5 +0,0 @@ -module github.com/javorszky/cert-links - -go 1.25.1 - -require github.com/goccy/go-yaml v1.18.0 // indirect diff --git a/hack/cert-links/go.sum b/hack/cert-links/go.sum deleted file mode 100644 index eb0d822307..0000000000 --- a/hack/cert-links/go.sum +++ /dev/null @@ -1,2 +0,0 @@ -github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= -github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= diff --git a/hack/cert-links/main.go b/hack/cert-links/main.go deleted file mode 100644 index b1906b5d2a..0000000000 --- a/hack/cert-links/main.go +++ /dev/null 
@@ -1,191 +0,0 @@ -package main - -import ( - "bytes" - "fmt" - "io" - "io/fs" - "log" - "os" - "os/exec" - "path/filepath" - "strings" - - "github.com/goccy/go-yaml" -) - -type yamlTLS struct { - ResourceKind string `yaml:"kind"` - ResourceType string `yaml:"type"` -} - -func main() { - p, err := filepath.Abs("../..") - if err != nil { - panic(err) - } - - examples := filepath.Join(p, "examples") - - tests := filepath.Join(p, "tests") - - yamlActuals := make(map[string]os.FileInfo) - yamlSymlinks := make(map[string]os.FileInfo) - - err = filepath.WalkDir(p, func(path string, d fs.DirEntry, err error) error { - if !strings.HasPrefix(path, examples) && !strings.HasPrefix(path, tests) { - return nil - } - - if err != nil { - return fmt.Errorf("error while walking path %s: %w", path, err) - } - - ext := filepath.Ext(d.Name()) - if ext != ".yaml" && ext != ".yml" { - return nil - } - - if d.Type().IsRegular() || d.Type() == fs.ModeSymlink { - f, err := os.Open(path) - if err != nil { - return fmt.Errorf("error while opening file %s: %w", path, err) - } - - fi, err := f.Stat() - if err != nil { - return fmt.Errorf("error while stating file %s: %w", path, err) - } - - yk := yamlTLS{} - - contents, err := io.ReadAll(f) - if err != nil { - return fmt.Errorf("error while reading file %s: %w", path, err) - } - - err = yaml.Unmarshal(contents, &yk) - if err != nil { - return fmt.Errorf("error while parsing file into tls yaml %s: %w", path, err) - } - - if yk.ResourceType != "kubernetes.io/tls" { - return nil - } - - if yk.ResourceKind != "Secret" { - return nil - } - - if d.Type().IsRegular() { - yamlActuals[path] = fi - return nil - } - - yamlSymlinks[path] = fi - - return nil - } - - return nil - }) - if err != nil { - log.Fatalf("error walking path %s: %v", p, err) - } - - actualsAndSymlinks := make(map[string][]string) - - for path := range yamlSymlinks { - starget, err := filepath.EvalSymlinks(path) - if err != nil { - log.Fatalf("error while evaluating symlink %s: %v", 
path, err) - } - - actualsAndSymlinks[starget] = append(actualsAndSymlinks[starget], path) - } - - certInfo := make([]string, 0) - - for target, symlinks := range actualsAndSymlinks { - fmt.Printf("Actual file: %s\n", strings.TrimPrefix(target, p)) - for _, path := range symlinks { - fmt.Printf(" - : %s\n", strings.TrimPrefix(path, p)) - } - - info, err := getCertificateInfo(target) - if err != nil { - log.Fatalf("error while getting certificate info for %s: %v", target, err) - } - - certInfo = append(certInfo, strings.TrimPrefix(target, p)) - certInfo = append(certInfo, info...) - } - - onlyActualFiles := make(map[string]os.FileInfo) - for path, info := range yamlActuals { - if _, ok := actualsAndSymlinks[path]; !ok { - onlyActualFiles[path] = info - } - } - - fmt.Print("\n\nPrinting only Actual Files with no symbolic links pointing to them\n\n") - for path := range onlyActualFiles { - if path == "/Users/g.javorszky/Projects/NIC/kubernetes-ingress/tests/data/default-server/invalid-tls-secret.yaml" { - continue - } - - fmt.Printf("%s\n", strings.TrimPrefix(path, p)) - - info, err := getCertificateInfo(path) - if err != nil { - log.Fatalf("error while getting certificate info for %s: %v", path, err) - } - - certInfo = append(certInfo, strings.TrimPrefix(path, p)) - certInfo = append(certInfo, info...) 
- } - - err = os.WriteFile("certinfo.txt", []byte(strings.Join(certInfo, "\n")), fs.ModePerm) - if err != nil { - log.Fatalf("error while writing cert.txt: %v", err) - } -} - -func getCertificateInfo(path string) ([]string, error) { - output := bytes.NewBuffer(nil) - cmd := exec.Command("extract", path) - cmd.Stdout = output - err := cmd.Run() - if err != nil { - return nil, fmt.Errorf("error running extract command %s: %w", path, err) - } - - parsedOutput := make([]string, 0) - for _, line := range strings.Split(output.String(), "\n") { - // skip the line with the modulus - if strings.Contains(line, "Modulus:") { - continue - } - - // skip the lines with the hexdump modulus - if strings.HasPrefix(line, " ") { - continue - } - - // skip the public key exponent - if strings.Contains(line, "Exponent:") { - continue - } - - // skip the double printing of the x509v3 extensions - if !strings.HasPrefix(line, " ") { - continue - } - - parsedOutput = append(parsedOutput, line) - } - - parsedOutput = append(parsedOutput, "") - - return parsedOutput, nil -} From f94956bfc32b710b58d84902071bff6373a545c1 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 14:30:31 +0000 Subject: [PATCH 20/45] Move secret into generated list --- .../foreign-namespace-upstreams/cafe-secret.yaml | 1 - hack/tls-cert-gen/certs.go | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 120000 examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml diff --git a/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml b/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml deleted file mode 120000 index 6d8cd13e70..0000000000 --- a/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../common-secrets/cafe-secret-cafe-ns.example.com.yaml \ No newline at end of file diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 991c7c2201..ed4a98ef1e 100644 
--- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go @@ -27,6 +27,7 @@ var yamlSecrets = []yamlSecret{ "/examples/custom-resources/egress-mtls/egress-mtls-secret.yaml", "/examples/custom-resources/external-dns/cafe-secret.yaml", "/examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml", + "/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml", "/examples/custom-resources/grpc-upstreams/greeter-secret.yaml", "/examples/custom-resources/ingress-mtls/tls-secret.yaml", "/examples/custom-resources/jwks/tls-secret.yaml", From 98cb6007d1d7d8164817a9c82196f3e5a8b3a1b8 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 15:06:44 +0000 Subject: [PATCH 21/45] Restore directories that was removed because empty --- .../foreign-namespace-upstreams/cafe-secret.yaml | 1 + examples/shared-examples/default-server-secret/.gitkeep | 0 tests/data/common/app/secure/secret/.gitkeep | 0 tests/data/default-server/.gitkeep | 0 4 files changed, 1 insertion(+) create mode 120000 examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml create mode 100644 examples/shared-examples/default-server-secret/.gitkeep create mode 100644 tests/data/common/app/secure/secret/.gitkeep create mode 100644 tests/data/default-server/.gitkeep diff --git a/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml b/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml new file mode 120000 index 0000000000..dba2da77eb --- /dev/null +++ b/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml @@ -0,0 +1 @@ +../../../common-secrets/tls-secret.yaml \ No newline at end of file diff --git a/examples/shared-examples/default-server-secret/.gitkeep b/examples/shared-examples/default-server-secret/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/tests/data/common/app/secure/secret/.gitkeep b/tests/data/common/app/secure/secret/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 diff --git a/tests/data/default-server/.gitkeep b/tests/data/default-server/.gitkeep new file mode 100644 index 0000000000..e69de29bb2 From 6068ccb00ad765aaf658d4105340f87868208bbe Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 15:10:15 +0000 Subject: [PATCH 22/45] Remove and ignore generated secret --- examples/.gitignore | 1 + .../foreign-namespace-upstreams/cafe-secret.yaml | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 120000 examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml diff --git a/examples/.gitignore b/examples/.gitignore index 70b7d8771f..98a4a7c621 100644 --- a/examples/.gitignore +++ b/examples/.gitignore @@ -10,6 +10,7 @@ custom-resources/custom-listeners/cafe-secret.yaml custom-resources/egress-mtls/egress-mtls-secret.yaml custom-resources/external-dns/cafe-secret.yaml custom-resources/externalname-services/transport-server/app-tls-secret.yaml +custom-resources/foreign-namespace-upstreams/cafe-secret.yaml custom-resources/grpc-upstreams/greeter-secret.yaml custom-resources/ingress-mtls/tls-secret.yaml custom-resources/jwks/tls-secret.yaml diff --git a/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml b/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml deleted file mode 120000 index dba2da77eb..0000000000 --- a/examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../common-secrets/tls-secret.yaml \ No newline at end of file From a4a99edf38f5aa3cd41354e3936f560adfd3b06a Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 15:16:03 +0000 Subject: [PATCH 23/45] Clean up makefiles --- Makefile | 2 +- hack/tls-cert-gen/makefile | 16 +--------------- tests/Makefile | 12 ++++++++---- 3 files changed, 10 insertions(+), 20 deletions(-) 
diff --git a/Makefile b/Makefile index c03fa826c6..af0e8a0e06 100644 --- a/Makefile +++ b/Makefile @@ -266,5 +266,5 @@ update-crd-docs: ## Update CRD markdown documentation from YAML definitions @echo "CRD documentation updated successfully!" .PHONY: certs -certs: +certs: ## Create just in time TLS certificates needed for tests and examples make -C hack/tls-cert-gen run diff --git a/hack/tls-cert-gen/makefile b/hack/tls-cert-gen/makefile index 50677322f7..e9f4197d1d 100644 --- a/hack/tls-cert-gen/makefile +++ b/hack/tls-cert-gen/makefile @@ -1,17 +1,3 @@ .PHONY: run -run: +run: ## Create just in time TLS certificates needed for tests and examples go run ./... - -.PHONY: extract -extract: - @if [ -z "$@" ]; then \ - echo "Usage: make extract "; \ - exit 1; \ - fi - - @echo "dollar at is" - @echo $@ - @echo "this was dollar" - - @# Extract the TLS certificate from the Kubernetes secret - cat $@ | yq eval '.data["tls.crt"]' - | base64 -d | openssl x509 -text -noout diff --git a/tests/Makefile b/tests/Makefile index 5efa830301..0249718693 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -68,7 +68,7 @@ clean-venv: .PHONY: run-local-tests -run-local-tests: ## Run tests +run-local-tests: certs ## Run tests source $(ROOT_DIR)/tests/venv/bin/activate \ && pytest \ --image=$(BUILD_IMAGE) \ @@ -84,7 +84,7 @@ run-local-tests: ## Run tests .PHONY: run-tests -run-tests: ## Run tests +run-tests: certs ## Run tests docker run --rm -v $(KUBE_CONFIG_FOLDER):/root/.kube \ $(TEST_PREFIX):$(TEST_TAG) \ --context=$(CONTEXT) \ @@ -100,7 +100,7 @@ run-tests: ## Run tests .PHONY: run-tests-in-kind -run-tests-in-kind: ## Run tests in Kind +run-tests-in-kind: certs ## Run tests in Kind docker run --network=kind --rm \ -v $(KIND_KUBE_CONFIG_FOLDER):/root/.kube \ -v $(ROOT_DIR)/tests:/workspace/tests \ 
@@ -142,7 +142,7 @@ image-load: ## Load the image into the Kind K8S cluster .PHONY: run-tests-in-minikube -run-tests-in-minikube: ## Run tests in Minikube +run-tests-in-minikube: certs ## Run tests in Minikube docker run --network=minikube --rm \ -v $(MINIKUBE_KUBE_CONFIG_FOLDER):/root/.kube \ -v $(ROOT_DIR)/tests:/workspace/tests \ @@ -192,3 +192,7 @@ upgrade-resources: ## Create and delete resources for upgrade tests e.g. `make upgrade-resources PYTEST_ARGS="create OR delete"` pip install -r ../tests/requirements.txt --no-deps pytest -v -s -m $(PYTEST_ARGS) + +.PHONY: certs +certs: ## Create just in time TLS certificates needed for tests and examples + make -C $(ROOT_DIR) certs From 1e983be7d772c53e795822f7b3894ac30b6f67aa Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 15:43:03 +0000 Subject: [PATCH 24/45] Remove unneeded commented out code --- hack/tls-cert-gen/tls-cert-gen.go | 1 - 1 file changed, 1 deletion(-) diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index 77711c0523..4efd2a57aa 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -142,7 +142,6 @@ func printYaml(secret yamlSecret, projectRoot string) error { // Remove and create symlinks for _, symlinkTarget := range secret.symlinks { absSymlinkTarget := filepath.Join(projectRoot, symlinkTarget) - // relativeSymlinkTarget := filepath.Join(".", symlinkTarget) // Figure out the relative path between the directories. Involving files // will produce an inaccurate relative path here. From 916ab7f84a9c903902932d203e4312771bf3d5e1 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 16:04:26 +0000 Subject: [PATCH 25/45] Use os.Lstat instead of os.Stat on symlinks --- hack/tls-cert-gen/tls-cert-gen.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index 4efd2a57aa..6c2393ecf0 100644 
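Review bot: The new `certs` recipe at the end of tests/Makefile calls `make` directly, so the sub-make does not inherit the parent's flags (`-n`, `-j`, `-k`) or its jobserver. Write the recipe line as `$(MAKE) -C $(ROOT_DIR) certs`. The same applies to the existing `make -C hack/tls-cert-gen run` line in the root Makefile, which this commit only annotates. Since `certs` is now a prerequisite of every `run-tests*` target, a dry run of those targets would otherwise still regenerate the certificates.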
--- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -153,7 +153,7 @@ func printYaml(secret yamlSecret, projectRoot string) error { // Attach the real file to the end of the relative directory path. relativeTarget := filepath.Join(relativeDirectory, filepath.Base(realFilePath)) - if _, err = os.Stat(absSymlinkTarget); err == nil { + if _, err = os.Lstat(absSymlinkTarget); err == nil { // symlink exists, delete it err = os.Remove(absSymlinkTarget) if err != nil { From 82dc2666dfc958ed41218b1d5683ca7b22bb5e7e Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Fri, 14 Nov 2025 16:16:26 +0000 Subject: [PATCH 26/45] Use docker in case go is not available --- Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index af0e8a0e06..716567810c 100644 --- a/Makefile +++ b/Makefile @@ -267,4 +267,8 @@ update-crd-docs: ## Update CRD markdown documentation from YAML definitions .PHONY: certs certs: ## Create just in time TLS certificates needed for tests and examples +ifeq (, $(shell command -v go)) + docker run --rm -v .:/workspace/kubernetes-ingress -w /workspace/kubernetes-ingress golang:1.25.4-trixie make certs +else make -C hack/tls-cert-gen run +endif From f3dbb1ddd0c0b31a0a9aad8bc26b062244071d85 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Mon, 17 Nov 2025 08:52:36 +0000 Subject: [PATCH 27/45] Add logging to tls cert gen script --- hack/tls-cert-gen/tls-cert-gen.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index 6c2393ecf0..db425e04fd 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go 
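Review bot: The branch taken when `os.Lstat(absSymlinkTarget)` succeeds removes whatever is at that path without checking that it is a symlink, so a regular file at one of the listed paths is silently deleted and replaced. A guard such as `if fi, lerr := os.Lstat(absSymlinkTarget); lerr == nil && fi.Mode()&os.ModeSymlink == 0 { return fmt.Errorf("refusing to replace non-symlink %s", absSymlinkTarget) }` before the removal keeps the generator from overwriting hand-maintained files. If replacing regular files is intended, the `// symlink exists, delete it` comment should say so. Lstat errors other than "does not exist" are also dropped here and will presumably surface only as a less specific failure further down. The body of printYaml continues outside this hunk.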
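Review bot: The fallback `docker run` line references `golang:1.25.4-trixie` by mutable tag while giving that container write access to the whole checkout, which is where the certificates are generated. Pinning by digest (`golang:1.25.4-trixie@sha256:<digest>`) keeps the fallback reproducible. The bind mount `-v .:/workspace/kubernetes-ingress` relies on the Docker CLI accepting a relative host path, which older releases reject as far as I know; `-v "$(CURDIR)":/workspace/kubernetes-ingress` avoids that. No `--user` is passed, so files written through the mount will presumably be owned by root on Linux hosts.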
@@ -139,6 +139,8 @@ func printYaml(secret yamlSecret, projectRoot string) error { return fmt.Errorf("write kubernetes secret to file %s: %w", secret.fileName, err) } + fmt.Printf("Wrote real file: %s\n", realFilePath) + // Remove and create symlinks for _, symlinkTarget := range secret.symlinks { absSymlinkTarget := filepath.Join(projectRoot, symlinkTarget) @@ -165,6 +167,10 @@ func printYaml(secret yamlSecret, projectRoot string) error { if err != nil { return fmt.Errorf("symlink %s to %s: %w", symlinkTarget, realFilePath, err) } + + fmt.Printf(""+ + " - symlink target: %s\n"+ + " - absolute file: %s\n\n", relativeTarget, absSymlinkTarget) } return nil From 6afe0650131775dc15b2eb228a50d57e9ce4490a Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Mon, 17 Nov 2025 09:50:54 +0000 Subject: [PATCH 28/45] Rejig gitignore to account for moved folder --- .gitignore | 4 ---- examples/.gitignore | 1 + 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index aceb784a30..1bfe11490b 100644 --- a/.gitignore +++ b/.gitignore @@ -64,7 +64,3 @@ package.json # kind kube-config kube-local venv/ - -# generated certificates -common-secrets/* -!common-secrets/.gitkeep diff --git a/examples/.gitignore b/examples/.gitignore index 98a4a7c621..366a7f42bb 100644 --- a/examples/.gitignore +++ b/examples/.gitignore @@ -1,3 +1,4 @@ +common-secrets/*.yaml custom-resources/api-key/cafe-secret.yaml custom-resources/backup-directive/transport-server/app-tls-secret.yaml custom-resources/backup-directive/virtual-server/cafe-secret.yaml From 444bfb16f7d43b76bd847ccf52df99be5de8e47b Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Mon, 17 Nov 2025 15:01:21 +0000 Subject: [PATCH 29/45] Use the actual tls certs from the correct directory --- .github/actions/smoke-tests/action.yaml | 2 +- .gitignore | 4 ++++ hack/tls-cert-gen/tls-cert-gen.go | 2 +- tests/Makefile | 4 ++-- 4 files changed, 8 insertions(+), 4 deletions(-) 
diff --git a/.github/actions/smoke-tests/action.yaml b/.github/actions/smoke-tests/action.yaml index cba6ac4dd5..44eb28cc42 100644 --- a/.github/actions/smoke-tests/action.yaml +++ b/.github/actions/smoke-tests/action.yaml @@ -82,7 +82,7 @@ runs: -v "/var/run/docker.sock:/var/run/docker.sock" \ -v ~/.docker:/root/.docker \ -v ${{ github.workspace }}/tests:/workspace/tests \ - -v ${{ github.workspace }}/examples/common-secrets:/workspace/examples/common-secrets \ + -v ${{ github.workspace }}/common-secrets:/workspace/common-secrets \ -v ${{ github.workspace }}/deployments:/workspace/deployments \ -v ${{ github.workspace }}/charts:/workspace/charts \ -v ${{ github.workspace }}/config:/workspace/config \ diff --git a/.gitignore b/.gitignore index 1bfe11490b..930be756e5 100644 --- a/.gitignore +++ b/.gitignore @@ -64,3 +64,7 @@ package.json # kind kube-config kube-local venv/ + +# generated tls certificates +common-secrets/* +!common-secrets/.gitkeep diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index db425e04fd..750d6afb45 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go 
@@ -64,7 +64,7 @@ type templateData struct { // that kubernetes needs as tls files. // // secretName - this is what virtualservers and other objects reference -// fileName - every secret needs to have an actual file on the disk. This is going to be the name of the file that's placed in the examples/common-secrets directory +// fileName - every secret needs to have an actual file on the disk. This is going to be the name of the file that's placed in the ./common-secrets directory // symlinks - a slice of paths that will symlink to the actual file. These paths are relative to the project root. For example: []string{"examples/custom-resources/oidc/tls-secret.yaml"} // valid - whether the generated kubernetes secret file should be valid. An invalid secret will not have the data["tls.key"] property set in the yaml file. // templateData - has information about issuer, subject, common name (main domain), and dnsNames (subject alternate names). diff --git a/tests/Makefile b/tests/Makefile index 0249718693..353b4c6d97 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -104,7 +104,7 @@ run-tests-in-kind: certs ## Run tests in Kind docker run --network=kind --rm \ -v $(KIND_KUBE_CONFIG_FOLDER):/root/.kube \ -v $(ROOT_DIR)/tests:/workspace/tests \ - -v $(ROOT_DIR)/examples/common-secrets:/workspace/examples/common-secrets \ + -v $(ROOT_DIR)/common-secrets:/workspace/common-secrets \ -v $(ROOT_DIR)/deployments:/workspace/deployments \ -v $(ROOT_DIR)/config:/workspace/config \ -v $(ROOT_DIR)/pyproject.toml:/workspace/pyproject.toml \ 
@@ -147,7 +147,7 @@ run-tests-in-minikube: certs ## Run tests in Minikube -v $(MINIKUBE_KUBE_CONFIG_FOLDER):/root/.kube \ -v $(ROOT_DIR)/tests:/workspace/tests \ -v $$HOME/.minikube:$$HOME/.minikube \ - -v $(ROOT_DIR)/examples/common-secrets:/workspace/examples/common-secrets \ + -v $(ROOT_DIR)/common-secrets:/workspace/common-secrets \ -v $(ROOT_DIR)/deployments:/workspace/deployments \ -v $(ROOT_DIR)/config:/workspace/config \ -v $(ROOT_DIR)/pyproject.toml:/workspace/pyproject.toml \ From e7ece672cd3aa4ed0510fc1da67b81f92962dbe6 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Tue, 18 Nov 2025 10:03:09 +0000 Subject: [PATCH 30/45] Fix certs for test default server pytest --- hack/tls-cert-gen/certs.go | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index ed4a98ef1e..eb06522c4f 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go @@ -10,8 +10,8 @@ var yamlSecrets = []yamlSecret{ organizationalUnit: []string{"NGINX Ingress Controller"}, locality: []string{"Cork"}, province: []string{"Cork"}, - commonName: "example.com,*.example.com", - dnsNames: []string{"foo.bar.example.com"}, + commonName: "example.com", + dnsNames: []string{"foo.bar.example.com", "*.example.com"}, }, valid: secretShouldHaveValidTLSCrt, symlinks: []string{ @@ -50,8 +50,6 @@ var yamlSecrets = []yamlSecret{ "/tests/data/ap-waf-grpc/tls-secret.yaml", "/tests/data/appprotect/appprotect-secret.yaml", "/tests/data/common/app/secure/secret/app-tls-secret.yaml", - "/tests/data/default-server/invalid-tls-secret.yaml", - "/tests/data/default-server/new-tls-secret.yaml", "/tests/data/dos/tls-secret.yaml", "/tests/data/egress-mtls/secret/tls-secret.yaml", "/tests/data/ingress-mtls/secret/tls-secret.yaml", 
@@ -92,7 +90,7 @@ var yamlSecrets = []yamlSecret{ }, { - secretName: "tls-secret", + secretName: "default-server-secret", fileName: "tls-secret-invalid.yaml", templateData: templateData{ country: []string{"IE"}, @@ -128,6 +126,23 @@ var yamlSecrets = []yamlSecret{ }, }, + { + secretName: "default-server-secret", + fileName: "tls-secret-default-gb.yaml", + templateData: templateData{ + country: []string{"GB"}, + organization: []string{"nginx"}, + locality: []string{"Cork"}, + province: []string{"Cambridgeshire"}, + commonName: "cafe.example.com", + dnsNames: []string{"example.com", "*.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/default-server/new-tls-secret.yaml", + }, + }, + { secretName: "tls-secret", fileName: "tls-secret-us.yaml", From c784a8189d0f4a86647613c7639b249fd8566e47 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Tue, 18 Nov 2025 10:22:51 +0000 Subject: [PATCH 31/45] Add explanations to certs and move a struct --- hack/tls-cert-gen/certs.go | 98 ++++++++++++++++++++++--------- hack/tls-cert-gen/tls-cert-gen.go | 18 ------ 2 files changed, 69 insertions(+), 47 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index eb06522c4f..4d9d6f41ae 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
@@ -1,5 +1,25 @@ package main +// yamlSecret encapsulates all the data that we need to create the tls secrets +// that kubernetes needs as tls files. +// +// secretName - this is what virtualservers and other objects reference +// fileName - every secret needs to have an actual file on the disk. This is going to be the name of the file that's placed in the ./common-secrets directory +// symlinks - a slice of paths that will symlink to the actual file. These paths are relative to the project root. For example: []string{"examples/custom-resources/oidc/tls-secret.yaml"} +// valid - whether the generated kubernetes secret file should be valid. An invalid secret will not have the data["tls.key"] property set in the yaml file. +// templateData - has information about issuer, subject, common name (main domain), and dnsNames (subject alternate names). +// secretType - if left empty, it will be the default v1.SecretTypeTLS value. The type is "k8s.io/api/core/v1".SecretType, which is an alias for strings. +// usedIn - not used in the generation, it's only so we can keep track on which py tests used the specific certs +type yamlSecret struct { + secretName string + fileName string + symlinks []string + valid bool + templateData templateData + secretType string + usedIn []string +} + var yamlSecrets = []yamlSecret{ { secretName: "tls-secret", 
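Review bot: The doc comment on `yamlSecret` says `secretType` has type `"k8s.io/api/core/v1".SecretType`, but the field is declared `secretType string`, and `SecretType` is a defined string type rather than an alias. I would reword that entry to `// secretType - optional Secret type as a plain string; when empty the generator uses v1.SecretTypeTLS.`. The `valid` entry describes the security-relevant behaviour (an invalid secret is written without `data["tls.key"]`), so it is worth moving each description onto its field as a trailing or preceding `//` comment, where it stays next to the declaration it documents. `usedIn` is documented as informational only; a short note that nothing reads it would stop a later cleanup from deleting it as dead data.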
@@ -70,47 +90,54 @@ var yamlSecrets = []yamlSecret{ }, }, + // ==== the below ones are needed for specific pytests === { - secretName: "default-server-secret", - fileName: "tls-secret-default.yaml", + secretName: "tls-secret", + fileName: "tls-secret-gb.yaml", templateData: templateData{ - country: []string{"IE"}, - organization: []string{"F5 NGINX"}, - organizationalUnit: []string{"NGINX Ingress Controller"}, - locality: []string{"Cork"}, - province: []string{"Cork"}, - commonName: "NGINXIngressController", - dnsNames: []string{"*.example.com"}, + country: []string{"GB"}, + organization: []string{"nginx"}, + locality: []string{"Cork"}, + province: []string{"Cambridgeshire"}, + commonName: "cafe.example.com", + dnsNames: []string{"example.com", "*.example.com"}, }, valid: secretShouldHaveValidTLSCrt, symlinks: []string{ - "/examples/shared-examples/default-server-secret/default-server-secret.yaml", - "/tests/data/common/default-server-secret.yaml", + "/tests/data/tls/new-tls-secret.yaml", + "/tests/data/virtual-server-tls/new-tls-secret.yaml", + }, + usedIn: []string{ + "tests/suite/test_tls.py - needed for subject info and common name", + "tests/suite/test_virtual_server_tls.py - needed for subject info and common name", }, }, { secretName: "default-server-secret", - fileName: "tls-secret-invalid.yaml", + fileName: "tls-secret-default.yaml", templateData: templateData{ country: []string{"IE"}, organization: []string{"F5 NGINX"}, organizationalUnit: []string{"NGINX Ingress Controller"}, locality: []string{"Cork"}, province: []string{"Cork"}, - commonName: "example.com", + commonName: "NGINXIngressController", dnsNames: []string{"*.example.com"}, }, - valid: secretShouldHaveInvalidTLSCrt, + valid: secretShouldHaveValidTLSCrt, symlinks: []string{ - "/tests/data/default-server/invalid-tls-secret.yaml", + "/examples/shared-examples/default-server-secret/default-server-secret.yaml", + "/tests/data/common/default-server-secret.yaml", + }, + usedIn: []string{ + 
"tests/suite/test_default_server.py - needed for secret name and common name", }, }, - // ==== the below ones are needed for specific pytests === { - secretName: "tls-secret", - fileName: "tls-secret-gb.yaml", + secretName: "default-server-secret", + fileName: "tls-secret-default-gb.yaml", templateData: templateData{ country: []string{"GB"}, organization: []string{"nginx"}, @@ -121,25 +148,31 @@ var yamlSecrets = []yamlSecret{ }, valid: secretShouldHaveValidTLSCrt, symlinks: []string{ - "/tests/data/tls/new-tls-secret.yaml", - "/tests/data/virtual-server-tls/new-tls-secret.yaml", + "/tests/data/default-server/new-tls-secret.yaml", + }, + usedIn: []string{ + "tests/suite/test_default_server.py - needed for secret name and common name", }, }, { secretName: "default-server-secret", - fileName: "tls-secret-default-gb.yaml", + fileName: "tls-secret-invalid.yaml", templateData: templateData{ - country: []string{"GB"}, - organization: []string{"nginx"}, - locality: []string{"Cork"}, - province: []string{"Cambridgeshire"}, - commonName: "cafe.example.com", - dnsNames: []string{"example.com", "*.example.com"}, + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, }, - valid: secretShouldHaveValidTLSCrt, + valid: secretShouldHaveInvalidTLSCrt, symlinks: []string{ - "/tests/data/default-server/new-tls-secret.yaml", + "/tests/data/default-server/invalid-tls-secret.yaml", + }, + usedIn: []string{ + "tests/suite/test_default_server.py - needed for the secret name", }, }, 
@@ -159,6 +192,10 @@ var yamlSecrets = []yamlSecret{ "/tests/data/tls/tls-secret.yaml", "/tests/data/virtual-server-tls/tls-secret.yaml", }, + usedIn: []string{ + "tests/suite/test_tls.py - needed for subject info and common name", + "tests/suite/test_virtual_server_tls.py - needed for subject info and common name", + }, }, { secretName: "tls-secret", @@ -177,5 +214,8 @@ var yamlSecrets = []yamlSecret{ "/tests/data/tls/invalid-tls-secret.yaml", }, secretType: "some type", + usedIn: []string{ + "tests/suite/test_tls.py - needed for the secretType", + }, }, } diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index 750d6afb45..b1afc2ba0e 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go 
@@ -60,24 +60,6 @@ type templateData struct { dnsNames []string } -// yamlSecret encapsulates all the data that we need to create the tls secrets -// that kubernetes needs as tls files. -// -// secretName - this is what virtualservers and other objects reference -// fileName - every secret needs to have an actual file on the disk. This is going to be the name of the file that's placed in the ./common-secrets directory -// symlinks - a slice of paths that will symlink to the actual file. These paths are relative to the project root. For example: []string{"examples/custom-resources/oidc/tls-secret.yaml"} -// valid - whether the generated kubernetes secret file should be valid. An invalid secret will not have the data["tls.key"] property set in the yaml file. -// templateData - has information about issuer, subject, common name (main domain), and dnsNames (subject alternate names). -// secretType - if left empty, it will be the default v1.SecretTypeTLS value. The type is "k8s.io/api/core/v1".SecretType, which is an alias for strings. -type yamlSecret struct { - secretName string - fileName string - symlinks []string - valid bool - templateData templateData - secretType string -} - func main() { logger := slog.New(slog.NewTextHandler(os.Stdout, nil)) var err error From c37cb1b2706f1c444e0a49c32eec591e05e73678 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Tue, 18 Nov 2025 10:24:24 +0000 Subject: [PATCH 32/45] Remove duplicate symlinks --- hack/tls-cert-gen/certs.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 4d9d6f41ae..cc6bce4e60 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
@@ -77,13 +77,11 @@ var yamlSecrets = []yamlSecret{ "/tests/data/prometheus/secret.yaml", "/tests/data/service-insight/secret.yaml", "/tests/data/smoke/smoke-secret.yaml", - "/tests/data/tls/tls-secret.yaml", "/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml", "/tests/data/upgrade-test-resources/secret.yaml", "/tests/data/virtual-server-certmanager/tls-secret.yaml", "/tests/data/virtual-server-grpc/tls-secret.yaml", "/tests/data/virtual-server-route-grpc/tls-secret.yaml", - "/tests/data/virtual-server-tls/tls-secret.yaml", "/tests/data/watch-secret-namespace/tls-secret.yaml", "/tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml", "/tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml", From b907278889c500297076cb4d281e34aa70b3820f Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Tue, 18 Nov 2025 10:51:32 +0000 Subject: [PATCH 33/45] Create wildcard es tls cert --- hack/tls-cert-gen/certs.go | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index cc6bce4e60..ca3a02e24d 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go @@ -84,7 +84,6 @@ var yamlSecrets = []yamlSecret{ "/tests/data/virtual-server-route-grpc/tls-secret.yaml", "/tests/data/watch-secret-namespace/tls-secret.yaml", "/tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml", - "/tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml", }, }, 
@@ -216,4 +215,25 @@ var yamlSecrets = []yamlSecret{ "tests/suite/test_tls.py - needed for the secretType", }, }, + + { + secretName: "wildcard-tls-secret", + fileName: "wildcard-tls-secret.yaml", + templateData: templateData{ + country: []string{"ES"}, + organization: []string{"nginx"}, + organizationalUnit: []string{"example.com"}, + locality: []string{"Cork"}, + province: []string{"CanaryIslands"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml", + }, + usedIn: []string{ + "tests/suite/test_wildcard_tls_secret.py - subject info", + }, + }, } From 64a5a5738c12524d4b9504f4216220164936f908 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Tue, 18 Nov 2025 15:13:33 +0000 Subject: [PATCH 34/45] Egress mtls test fix - WIP --- hack/tls-cert-gen/certs.go | 22 +++++++++++++++++++++- hack/tls-cert-gen/tls-cert-gen.go | 8 +++++++- 2 files changed, 28 insertions(+), 2 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index ca3a02e24d..095a9f9c4e 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go @@ -1,5 +1,9 @@ package main +import ( + v1 "k8s.io/api/core/v1" +) + // yamlSecret encapsulates all the data that we need to create the tls secrets // that kubernetes needs as tls files. // @@ -16,7 +20,7 @@ type yamlSecret struct { symlinks []string valid bool templateData templateData - secretType string + secretType v1.SecretType usedIn []string } 
@@ -236,4 +240,20 @@ var yamlSecrets = []yamlSecret{ "tests/suite/test_wildcard_tls_secret.py - subject info", }, }, + + { + secretName: "egress-tls-secret", + fileName: "egress-tls-secret.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "example.com", + dnsNames: []string{"foo.bar.example.com", "*.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{}, + }, } diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index b1afc2ba0e..fca5cce04a 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -17,6 +17,8 @@ import ( "path/filepath" "time" + "github.com/nginx/kubernetes-ingress/internal/configs" + "github.com/nginx/kubernetes-ingress/internal/k8s/secrets" log "github.com/nginx/kubernetes-ingress/internal/logger" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -252,12 +254,16 @@ func createYamlSecret(secret yamlSecret, isValid bool, tlsKeys *JITTLSKey) ([]by Type: v1.SecretTypeTLS, } + if secret.secretType == secrets.SecretTypeCA { + s.Data[configs.CACrlKey] = s.Data[v1.TLSCertKey] + } + if !isValid { s.Data[v1.TLSCertKey] = []byte(``) } if secret.secretType != "" { - s.Type = v1.SecretType(secret.secretType) + s.Type = secret.secretType } sb, err := yaml.Marshal(s) From 07c73668949fb07b9c1268f9fb86905c5b6d097f Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Tue, 18 Nov 2025 15:18:29 +0000 Subject: [PATCH 35/45] Add cert for ap-waf-grpc test --- hack/tls-cert-gen/certs.go | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 095a9f9c4e..9650dfbcc6 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
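Review bot: In the createYamlSecret hunk, the new `secrets.SecretTypeCA` branch copies the certificate bytes into `configs.CACrlKey`, which by its name is the revocation-list entry, so a CA fixture built this way holds a certificate where a CRL is expected and any test relying on it does not exercise revocation checking. The copy also runs before the `!isValid` branch blanks `v1.TLSCertKey`, so an "invalid" CA secret would still carry the certificate under the CRL key. Move the branch below the `isValid` check and either fill the entry with a real CRL (for example from `x509.CreateRevocationList`) or leave it out. Until then, mark the gap with `// TODO(WIP): CACrlKey must hold a PEM-encoded CRL, not the certificate`. No entry in the `yamlSecrets` hunks shown here sets that secret type, so the branch looks unexercised as it stands. createYamlSecret begins and ends outside the hunk.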
@@ -71,7 +71,6 @@ var yamlSecrets = []yamlSecret{ "/examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml", "/examples/ingress-resources/rate-limit/cafe-secret.yaml", "/examples/ingress-resources/security-monitoring/cafe-secret.yaml", - "/tests/data/ap-waf-grpc/tls-secret.yaml", "/tests/data/appprotect/appprotect-secret.yaml", "/tests/data/common/app/secure/secret/app-tls-secret.yaml", "/tests/data/dos/tls-secret.yaml", @@ -256,4 +255,25 @@ var yamlSecrets = []yamlSecret{ valid: secretShouldHaveValidTLSCrt, symlinks: []string{}, }, + + { + secretName: "tls-secret", + fileName: "tls-secret.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "virtual-server.example.com", + dnsNames: []string{"virtual-server.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/ap-waf-grpc/tls-secret.yaml", + }, + usedIn: []string{ + "suite/test_app_protect_waf_policies_grpc.py::TestAppProtectVSGrpc - needed for the common name", + }, + }, } From ad4dc44acd03856ecb989cdc803acdb848bc51a5 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 19 Nov 2025 12:51:06 +0000 Subject: [PATCH 36/45] Update secrets for wildcard tls tests --- hack/tls-cert-gen/certs.go | 42 ++++++++++++++++++- tests/.gitignore | 1 + .../invalid-wildcard-tls-secret.yaml | 1 - 3 files changed, 42 insertions(+), 2 deletions(-) delete mode 120000 tests/data/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 9650dfbcc6..385ead540a 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
@@ -86,7 +86,6 @@ var yamlSecrets = []yamlSecret{ "/tests/data/virtual-server-grpc/tls-secret.yaml", "/tests/data/virtual-server-route-grpc/tls-secret.yaml", "/tests/data/watch-secret-namespace/tls-secret.yaml", - "/tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml", }, }, @@ -219,6 +218,28 @@ var yamlSecrets = []yamlSecret{ }, }, + { + secretName: "wildcard-tls-secret", + fileName: "tls-secret-invalid-type.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml", + }, + secretType: "broken", + usedIn: []string{ + "tests/suite/test_wildcard_tls_secret.py - needed for the secret name and secret type", + }, + }, + { secretName: "wildcard-tls-secret", fileName: "wildcard-tls-secret.yaml", @@ -240,6 +261,25 @@ var yamlSecrets = []yamlSecret{ }, }, + { + secretName: "wildcard-tls-secret", + fileName: "wildcard-tls-secret-gb.yaml", + templateData: templateData{ + country: []string{"GB"}, + organization: []string{"nginx"}, + province: []string{"Cambridgeshire"}, + commonName: "example.com", + dnsNames: []string{"*.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml", + }, + usedIn: []string{ + "tests/suite/test_wildcard_tls_secret.py - subject info", + }, + }, + { secretName: "egress-tls-secret", fileName: "egress-tls-secret.yaml", diff --git a/tests/.gitignore b/tests/.gitignore index 687b247062..7d2d2388fa 100644 --- a/tests/.gitignore +++ b/tests/.gitignore 
@@ -51,3 +51,4 @@ data/virtual-server-tls/tls-secret.yaml data/watch-secret-namespace/tls-secret.yaml data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml data/wildcard-tls-secret/wildcard-tls-secret.yaml +data/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml diff --git a/tests/data/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml b/tests/data/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml deleted file mode 120000 index 9d7e197710..0000000000 --- a/tests/data/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../common-secrets/wildcard-tls-secret-invalid-example.com.yaml \ No newline at end of file From 782466214e3556b64ee3b1cae27cbd78133e9228 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 19 Nov 2025 15:46:24 +0000 Subject: [PATCH 37/45] Make sure we don't overwrite an existing secret --- hack/tls-cert-gen/certs.go | 6 +++--- hack/tls-cert-gen/tls-cert-gen.go | 8 ++++++++ 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 385ead540a..b11ea2c787 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go @@ -198,7 +198,7 @@ var yamlSecrets = []yamlSecret{ }, { secretName: "tls-secret", - fileName: "tls-secret-invalid-type.yaml", + fileName: "tls-secret-invalid-type-some.yaml", templateData: templateData{ country: []string{"IE"}, organization: []string{"F5 NGINX"}, @@ -220,7 +220,7 @@ var yamlSecrets = []yamlSecret{ { secretName: "wildcard-tls-secret", - fileName: "tls-secret-invalid-type.yaml", + fileName: "tls-secret-invalid-type-broken.yaml", templateData: templateData{ country: []string{"IE"}, organization: []string{"F5 NGINX"}, @@ -298,7 +298,7 @@ var yamlSecrets = []yamlSecret{ { secretName: "tls-secret", - fileName: "tls-secret.yaml", + fileName: "vs-tls-secret.yaml", templateData: templateData{ country: []string{"IE"}, organization: []string{"F5 NGINX"}, 
diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index fca5cce04a..1a9901dcf8 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -71,7 +71,15 @@ func main() { log.Fatalf(logger, "filepath.Abs: %v", err) } + filenames := make(map[string]struct{}) + for _, secret := range yamlSecrets { + if _, ok := filenames[secret.fileName]; ok { + log.Fatalf(logger, "secret contains duplicated files: %v", secret.fileName) + } + + filenames[secret.fileName] = struct{}{} + err = printYaml(secret, projectRoot) if err != nil { log.Fatalf(logger, "Failed to print tls key: %v: %v", secret, err) From ecde71153c1d85eb014393d7018c6bff45fa9039 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 19 Nov 2025 16:06:47 +0000 Subject: [PATCH 38/45] Also check for duplicate symlinks --- hack/tls-cert-gen/tls-cert-gen.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index 1a9901dcf8..03d320ca94 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -80,6 +80,14 @@ func main() { filenames[secret.fileName] = struct{}{} + for _, symlink := range secret.symlinks { + if _, ok := filenames[symlink]; ok { + log.Fatalf(logger, "secret contains duplicated symlink for file %s: %s", secret.fileName, symlink) + } + + filenames[symlink] = struct{}{} + } + err = printYaml(secret, projectRoot) if err != nil { log.Fatalf(logger, "Failed to print tls key: %v: %v", secret, err) From a5e901025feec78fcada4387ce645bb7704dfdc1 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 19 Nov 2025 16:41:48 +0000 Subject: [PATCH 39/45] Create cert for transport server backup service --- hack/tls-cert-gen/certs.go | 22 +++++++++++++++++++++- hack/tls-cert-gen/tls-cert-gen.go | 2 +- 2 files changed, 22 insertions(+), 2 deletions(-) 
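Review bot: The duplicate check on `secret.fileName` sits in the same loop that calls `printYaml`, so a duplicate late in `yamlSecrets` aborts the run only after the earlier secrets have already been written. That presumably leaves the tree with a mix of regenerated and stale key material. Validating the whole table first and writing afterwards keeps the run all-or-nothing. main begins and ends outside the hunk.

```go
	filenames := make(map[string]struct{})

	// Validate the whole table before anything is written to disk.
	for _, secret := range yamlSecrets {
		if _, ok := filenames[secret.fileName]; ok {
			log.Fatalf(logger, "secret contains duplicated files: %v", secret.fileName)
		}

		filenames[secret.fileName] = struct{}{}
	}

	for _, secret := range yamlSecrets {
		// … unchanged: printYaml call and its error handling …
```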
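Review bot: The symlink check in the second hunk compares raw strings, so two spellings of one path (constructed examples: `/tests/data/x.yaml` and `tests/data/x.yaml`) count as distinct. The later entry would then presumably still repoint the link that the earlier one created. Both spellings are plausible, because the table entries use a leading slash while the example in the `yamlSecret` doc comment does not. Normalise before the lookup, e.g. `key := filepath.Clean("/" + symlink)`, and use `key` for both the map test and the insert. File names and symlink paths also share the single `filenames` map, and a separate map for symlinks would keep the two namespaces and their error messages apart.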
diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index b11ea2c787..5f95b07076 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go @@ -72,7 +72,6 @@ var yamlSecrets = []yamlSecret{ "/examples/ingress-resources/rate-limit/cafe-secret.yaml", "/examples/ingress-resources/security-monitoring/cafe-secret.yaml", "/tests/data/appprotect/appprotect-secret.yaml", - "/tests/data/common/app/secure/secret/app-tls-secret.yaml", "/tests/data/dos/tls-secret.yaml", "/tests/data/egress-mtls/secret/tls-secret.yaml", "/tests/data/ingress-mtls/secret/tls-secret.yaml", @@ -316,4 +315,25 @@ var yamlSecrets = []yamlSecret{ "suite/test_app_protect_waf_policies_grpc.py::TestAppProtectVSGrpc - needed for the common name", }, }, + + { + secretName: "app-tls-secret", + fileName: "app-tls-secret.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "app.example.com", + dnsNames: []string{"app.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/common/app/secure/secret/app-tls-secret.yaml", + }, + usedIn: []string{ + "suite/test_transport_server_backup_service.py - needed for the common name and secret name", + }, + }, } diff --git a/hack/tls-cert-gen/tls-cert-gen.go b/hack/tls-cert-gen/tls-cert-gen.go index 03d320ca94..006cfbc2fd 100644 --- a/hack/tls-cert-gen/tls-cert-gen.go +++ b/hack/tls-cert-gen/tls-cert-gen.go @@ -90,7 +90,7 @@ func main() { err = printYaml(secret, projectRoot) if err != nil { - log.Fatalf(logger, "Failed to print tls key: %v: %v", secret, err) + log.Fatalf(logger, "Failed to print tls key: %s %v", secret.fileName, err) } } } From eb805e1b16ef99f1388c657e4d46302e4c8af56c Mon Sep 17 00:00:00 2001 
From: Gabor Javorszky Date: Wed, 19 Nov 2025 17:29:44 +0000 Subject: [PATCH 40/45] Use a different cert for test_prometheus_metrics --- hack/tls-cert-gen/certs.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 5f95b07076..d47e6a1da1 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go @@ -76,7 +76,6 @@ var yamlSecrets = []yamlSecret{ "/tests/data/egress-mtls/secret/tls-secret.yaml", "/tests/data/ingress-mtls/secret/tls-secret.yaml", "/tests/data/mgmt-configmap-keys/ssl-cert.yaml", - "/tests/data/prometheus/secret.yaml", "/tests/data/service-insight/secret.yaml", "/tests/data/smoke/smoke-secret.yaml", "/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml", @@ -189,10 +188,12 @@ var yamlSecrets = []yamlSecret{ symlinks: []string{ "/tests/data/tls/tls-secret.yaml", "/tests/data/virtual-server-tls/tls-secret.yaml", + "/tests/data/prometheus/secret.yaml", }, usedIn: []string{ "tests/suite/test_tls.py - needed for subject info and common name", "tests/suite/test_virtual_server_tls.py - needed for subject info and common name", + "tests/suite/test_prometheus_metrics.py - needed for common name and subject info", }, }, { From 2e2b64e2429d76d1527703635db95eaeb18813d1 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 19 Nov 2025 17:50:27 +0000 Subject: [PATCH 41/45] Use a different cert for service insight --- hack/tls-cert-gen/certs.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index d47e6a1da1..3fc87c4782 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
@@ -76,7 +76,6 @@ var yamlSecrets = []yamlSecret{ "/tests/data/egress-mtls/secret/tls-secret.yaml", "/tests/data/ingress-mtls/secret/tls-secret.yaml", "/tests/data/mgmt-configmap-keys/ssl-cert.yaml", - "/tests/data/service-insight/secret.yaml", "/tests/data/smoke/smoke-secret.yaml", "/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml", "/tests/data/upgrade-test-resources/secret.yaml", @@ -189,11 +188,13 @@ var yamlSecrets = []yamlSecret{ "/tests/data/tls/tls-secret.yaml", "/tests/data/virtual-server-tls/tls-secret.yaml", "/tests/data/prometheus/secret.yaml", + "/tests/data/service-insight/secret.yaml", }, usedIn: []string{ "tests/suite/test_tls.py - needed for subject info and common name", "tests/suite/test_virtual_server_tls.py - needed for subject info and common name", "tests/suite/test_prometheus_metrics.py - needed for common name and subject info", + "tests/suite/test_transport_server_service_insight.py - needed for subject info and common name", }, }, { From d92f8b3d4cfd531fc138c0ec14674d46ac5b03bb Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 19 Nov 2025 17:55:20 +0000 Subject: [PATCH 42/45] Fix certs for test transport srv tcp loadbalanced --- hack/tls-cert-gen/certs.go | 24 ++++++++++++++++++- .../new-tls-secret.yaml | 2 +- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 3fc87c4782..7e1b369902 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go @@ -77,7 +77,6 @@ var yamlSecrets = []yamlSecret{ "/tests/data/ingress-mtls/secret/tls-secret.yaml", "/tests/data/mgmt-configmap-keys/ssl-cert.yaml", "/tests/data/smoke/smoke-secret.yaml", - "/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml", "/tests/data/upgrade-test-resources/secret.yaml", "/tests/data/virtual-server-certmanager/tls-secret.yaml", "/tests/data/virtual-server-grpc/tls-secret.yaml", 
@@ -189,12 +188,14 @@ var yamlSecrets = []yamlSecret{ "/tests/data/virtual-server-tls/tls-secret.yaml", "/tests/data/prometheus/secret.yaml", "/tests/data/service-insight/secret.yaml", + "/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml", }, usedIn: []string{ "tests/suite/test_tls.py - needed for subject info and common name", "tests/suite/test_virtual_server_tls.py - needed for subject info and common name", "tests/suite/test_prometheus_metrics.py - needed for common name and subject info", "tests/suite/test_transport_server_service_insight.py - needed for subject info and common name", + "tests/suite/test_transport_server_tcp_load_balance.py - needed for subject info and common name", }, }, { @@ -338,4 +339,25 @@ var yamlSecrets = []yamlSecret{ "suite/test_transport_server_backup_service.py - needed for the common name and secret name", }, }, + + { + secretName: "tls-secret", + fileName: "kic-tls-secret.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "kic.example.com", + dnsNames: []string{"kic.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml", + }, + usedIn: []string{ + "tests/suite/test_transport_server_tcp_load_balance.py - needed for subject info and common name", + }, + }, } diff --git a/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml b/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml index 5d193ca83a..aede444c75 120000 --- a/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml +++ b/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml 
@@ -1 +1 @@ -../common-secrets/transport-server-tls-secret-cafe.example.com-gb.yaml \ No newline at end of file +../../../common-secrets/tls-secret-us.yaml \ No newline at end of file From b41327a446b1e84f42811c390e350b977e09d2a8 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 19 Nov 2025 18:19:07 +0000 Subject: [PATCH 43/45] Remove secret from being tracked --- tests/.gitignore | 1 + tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) delete mode 120000 tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml diff --git a/tests/.gitignore b/tests/.gitignore index 7d2d2388fa..915895092a 100644 --- a/tests/.gitignore +++ b/tests/.gitignore @@ -52,3 +52,4 @@ data/watch-secret-namespace/tls-secret.yaml data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml data/wildcard-tls-secret/wildcard-tls-secret.yaml data/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml +data/transport-server-tcp-load-balance/new-tls-secret.yaml diff --git a/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml b/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml deleted file mode 120000 index aede444c75..0000000000 --- a/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../common-secrets/tls-secret-us.yaml \ No newline at end of file From 2b5b89f89ecc1aa26dc9acfa604ab66eeceb9de7 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 19 Nov 2025 19:07:47 +0000 Subject: [PATCH 44/45] Create secret for test virt srv insight --- hack/tls-cert-gen/certs.go | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 7e1b369902..73b9354e70 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
@@ -180,14 +180,13 @@ var yamlSecrets = []yamlSecret{ locality: []string{"San Francisco"}, province: []string{"CA"}, commonName: "cafe.example.com", - dnsNames: []string{"example.com", "*.example.com"}, + dnsNames: []string{"cafe.example.com"}, }, valid: secretShouldHaveValidTLSCrt, symlinks: []string{ "/tests/data/tls/tls-secret.yaml", "/tests/data/virtual-server-tls/tls-secret.yaml", "/tests/data/prometheus/secret.yaml", - "/tests/data/service-insight/secret.yaml", "/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml", }, usedIn: []string{ @@ -360,4 +359,24 @@ var yamlSecrets = []yamlSecret{ "tests/suite/test_transport_server_tcp_load_balance.py - needed for subject info and common name", }, }, + + { + secretName: "test-secret", + fileName: "tls-secret-test.yaml", + templateData: templateData{ + country: []string{"US"}, + organization: []string{"Internet Widgits Pty Ltd"}, + locality: []string{"San Francisco"}, + province: []string{"CA"}, + commonName: "cafe.example.com", + dnsNames: []string{"cafe.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/service-insight/secret.yaml", + }, + usedIn: []string{ + "tests/suite/test_virtual_server_service_insight.py - secret name common name", + }, + }, } From e2d508dd76b36f2c115b530faccda21670a8b203 Mon Sep 17 00:00:00 2001 From: Gabor Javorszky Date: Wed, 19 Nov 2025 19:17:01 +0000 Subject: [PATCH 45/45] Fix certs used by tls load balanced --- hack/tls-cert-gen/certs.go | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/hack/tls-cert-gen/certs.go b/hack/tls-cert-gen/certs.go index 73b9354e70..d4a850e70b 100644 --- a/hack/tls-cert-gen/certs.go +++ b/hack/tls-cert-gen/certs.go 
@@ -187,14 +187,12 @@ var yamlSecrets = []yamlSecret{ "/tests/data/tls/tls-secret.yaml", "/tests/data/virtual-server-tls/tls-secret.yaml", "/tests/data/prometheus/secret.yaml", - "/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml", }, usedIn: []string{ "tests/suite/test_tls.py - needed for subject info and common name", "tests/suite/test_virtual_server_tls.py - needed for subject info and common name", "tests/suite/test_prometheus_metrics.py - needed for common name and subject info", "tests/suite/test_transport_server_service_insight.py - needed for subject info and common name", - "tests/suite/test_transport_server_tcp_load_balance.py - needed for subject info and common name", }, }, { @@ -340,7 +338,28 @@ var yamlSecrets = []yamlSecret{ }, { - secretName: "tls-secret", + secretName: "transport-server-tls-secret", + fileName: "tls-secret-tcp-lb-cafe.yaml", + templateData: templateData{ + country: []string{"IE"}, + organization: []string{"F5 NGINX"}, + organizationalUnit: []string{"NGINX Ingress Controller"}, + locality: []string{"Cork"}, + province: []string{"Cork"}, + commonName: "cafe.example.com", + dnsNames: []string{"cafe.example.com"}, + }, + valid: secretShouldHaveValidTLSCrt, + symlinks: []string{ + "/tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml", + }, + usedIn: []string{ + "tests/suite/test_transport_server_tcp_load_balance.py - needed for subject info and common name", + }, + }, + + { + secretName: "transport-server-tls-secret", fileName: "kic-tls-secret.yaml", templateData: templateData{ country: []string{"IE"}, @@ -356,7 +375,7 @@ var yamlSecrets = []yamlSecret{ "/tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml", }, usedIn: []string{ - "tests/suite/test_transport_server_tcp_load_balance.py - needed for subject info and common name", + "tests/suite/test_transport_server_tcp_load_balance.py - needed for secret name, subject info and common name", }, },