diff --git a/adapter/internal/operator/controllers/dp/api_controller.go b/adapter/internal/operator/controllers/dp/api_controller.go
index 83a5653c06..571820b9d5 100644
--- a/adapter/internal/operator/controllers/dp/api_controller.go
+++ b/adapter/internal/operator/controllers/dp/api_controller.go
@@ -769,11 +769,14 @@ func (apiReconciler *APIReconciler) getAPIPolicyChildrenRefs(ctx context.Context
 func (apiReconciler *APIReconciler) resolveAuthentications(ctx context.Context, authentications map[string]dpv1alpha1.Authentication) (*dpv1alpha1.MutualSSL, error) {
- resolvedMutualSSL := dpv1alpha1.MutualSSL{}
+ var resolvedMutualSSL *dpv1alpha1.MutualSSL
 for _, authentication := range authentications {
- resolvedMutualSSL = utils.GetResolvedMutualSSL(ctx, apiReconciler.client, authentication)
+ if resolvedMutualSSL == nil {
+ resolvedMutualSSL = &dpv1alpha1.MutualSSL{}
+ }
+ utils.GetResolvedMutualSSL(ctx, apiReconciler.client, authentication, resolvedMutualSSL)
 }
- return &resolvedMutualSSL, nil
+ return resolvedMutualSSL, nil
 }
 func (apiReconciler *APIReconciler) getResolvedBackendsMapping(ctx context.Context,
diff --git a/adapter/internal/operator/synchronizer/synchronizer.go b/adapter/internal/operator/synchronizer/synchronizer.go
index 1d137fba7f..43fa028c05 100644
--- a/adapter/internal/operator/synchronizer/synchronizer.go
+++ b/adapter/internal/operator/synchronizer/synchronizer.go
@@ -162,8 +162,7 @@ func GenerateAdapterInternalAPI(apiState APIState, httpRoute *HTTPRouteState, en
 adapterInternalAPI.SetDisableMtls(apiState.MutualSSL.Disabled)
 adapterInternalAPI.SetMutualSSL(apiState.MutualSSL.Required)
 adapterInternalAPI.SetClientCerts(apiState.APIDefinition.Name, apiState.MutualSSL.ClientCertificates)
- }
- if adapterInternalAPI.IsSystemAPI || apiState.MutualSSL == nil {
+ } else {
 adapterInternalAPI.SetDisableMtls(true)
 }
diff --git a/adapter/internal/operator/utils/utils.go b/adapter/internal/operator/utils/utils.go
index 5b32746827..bbc0ddc6cc 100644
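Review bot: The effective `Disabled` and `Required` values now depend on Go's randomized map iteration order whenever `authentications` holds more than one entry, because every call in the loop writes into the same `resolvedMutualSSL`, and per the utils.go change in this commit the two flags are overwritten on each call while `ClientCertificates` is appended. Two reconciles of the same resources can therefore disagree on whether mTLS is enforced. I would make the precedence explicit, for example by visiting the keys in sorted order, and document it above the loop: `// Disabled/Required come from the last Authentication visited; certificates are merged from all of them.` The returned error is also always nil, so callers cannot detect a failed certificate lookup.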
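Review bot: The new `} else {` no longer forces `SetDisableMtls(true)` for `adapterInternalAPI.IsSystemAPI`; whether system APIs still skip mTLS now depends entirely on the opening `if` condition, which sits above this hunk. If that condition tests only `apiState.MutualSSL != nil`, a system API with an attached Authentication would start having client-certificate settings applied, which is a behaviour change worth confirming. If the old behaviour is intended, keep it explicit after the block with `if adapterInternalAPI.IsSystemAPI { adapterInternalAPI.SetDisableMtls(true) }`; otherwise a comment on the `else` such as `// no resolved MutualSSL: mTLS is disabled for this API` would record the intent. GenerateAdapterInternalAPI starts and ends outside the hunk.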
--- a/adapter/internal/operator/utils/utils.go
+++ b/adapter/internal/operator/utils/utils.go
@@ -458,8 +458,7 @@ func getResolvedBackendSecurity(ctx context.Context, client k8client.Client,
 }
 // GetResolvedMutualSSL resolves mTLS related security configurations.
-func GetResolvedMutualSSL(ctx context.Context, client k8client.Client, authentication dpv1alpha1.Authentication) dpv1alpha1.MutualSSL {
- resolvedMutualSSL := dpv1alpha1.MutualSSL{}
+func GetResolvedMutualSSL(ctx context.Context, client k8client.Client, authentication dpv1alpha1.Authentication, resolvedMutualSSL *dpv1alpha1.MutualSSL) {
 var err error
 var certificate string
 var mutualSSL *dpv1alpha1.MutualSSLConfig
@@ -471,15 +470,13 @@ func GetResolvedMutualSSL(ctx context.Context, client k8client.Client, authentic
 if mutualSSL != nil {
 resolvedCertificates := ResolveAllmTLSCertificates(ctx, mutualSSL, certificate, err, client, authentication.Namespace)
 resolvedMutualSSL.Disabled = mutualSSL.Disabled
- resolvedMutualSSL.Required = authentication.Spec.Default.AuthTypes.MutualSSL.Required
+ resolvedMutualSSL.Required = mutualSSL.Required
 resolvedMutualSSL.ClientCertificates = append(resolvedMutualSSL.ClientCertificates, resolvedCertificates...)
 }
 if err != nil {
 loggers.LoggerAPKOperator.ErrorC(logging.PrintError(logging.Error2622, logging.TRIVIAL, "Error in resolving mutual SSL %v in authentication", certificate))
 }
-
- return resolvedMutualSSL
 }
 // ResolveAllmTLSCertificates resolves all mTLS certificates
diff --git a/runtime/config-deployer-service/ballerina/resources/apk-conf-schema.yaml b/runtime/config-deployer-service/ballerina/resources/apk-conf-schema.yaml
index 552cebd5f6..a9ea0ed483 100644
--- a/runtime/config-deployer-service/ballerina/resources/apk-conf-schema.yaml
+++ b/runtime/config-deployer-service/ballerina/resources/apk-conf-schema.yaml
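Review bot: `GetResolvedMutualSSL` is exported and now writes through `resolvedMutualSSL` without checking it for nil, so a caller that passes nil panics at the first field assignment (visible in the next hunk). Add a guard at the top, `if resolvedMutualSSL == nil { return }`, and extend the doc comment to say the argument is an accumulator: `// The result is merged into resolvedMutualSSL, which must be non-nil: ClientCertificates are appended, Disabled and Required are overwritten.` The function body continues outside this hunk.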
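Review bot: Certificate-resolution failures cannot reach the caller here, because `err` is passed by value into `ResolveAllmTLSCertificates`, so the `if err != nil` check can only fire if `err` is assigned in the lines between the two hunks (not shown), and with the return value removed the function has no way to report anything. `Disabled` and `Required` are written before that check, so a failed lookup can leave the flags applied with an incomplete `ClientCertificates` list. I would return the error, `func GetResolvedMutualSSL(...) error`, and have `resolveAuthentications` propagate it instead of returning `nil`. The log call also formats `certificate` but leaves out the error value itself.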
@@ -155,7 +155,7 @@ components:
 - optional
 certificates:
 type: array
- description: The names and keys of the secrets containing the mTLS certificates of that API
+ description: The names and keys of the config maps containing the mTLS certificates of that API
 items:
 type: object
 properties:
diff --git a/test/cucumber-tests/CRs/artifacts.yaml b/test/cucumber-tests/CRs/artifacts.yaml
index 3f102e158c..5289f9c024 100644
--- a/test/cucumber-tests/CRs/artifacts.yaml
+++ b/test/cucumber-tests/CRs/artifacts.yaml
@@ -730,4 +730,58 @@ metadata:
 namespace: apk-integration-test
 spec:
 applicationRef: 583e4146-7ef5-11ee-b962-0242ac120004
- subscriptionRef: 583e4146-7ef6-11ee-b962-0242ac120003
\ No newline at end of file
+ subscriptionRef: 583e4146-7ef6-11ee-b962-0242ac120003
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mtls-test-configmap
+ namespace: apk-integration-test
+data:
+ tls.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDGTCCAgECFANIkLQBkd76qiTXzSXjBS2scPJsMA0GCSqGSIb3DQEBCwUAME0x
+ CzAJBgNVBAYTAkxLMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQKDAR3c28y
+ MQwwCgYDVQQLDANhcGsxDDAKBgNVBAMMA2FwazAeFw0yMzEyMDYxMDEyNDhaFw0y
+ NTA0MTkxMDEyNDhaMEUxCzAJBgNVBAYTAkxLMRMwEQYDVQQIDApTb21lLVN0YXRl
+ MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQCdG90W/Tlk4u9awHPteD5zpVcThUKwMLvAKw9i
+ vVQBC0AG6GzPbakol5gKVm+kBUDFzzzF6eayEXKWbyaZDty66A2+7HLLcKBop5M/
+ a57Q9XtU3lRYvotgutLWuHcI7mLCScZDrjA3rnb/KjjbhZ602ZS1pp5jtyUz6DwL
+ m7w4wQ/RProqCdBj8QqoAvnDDLSPeDfsx14J5VeNJVGJV2wax65jWRjRkj6wE7z2
+ qzWAlP5vDeED6bogYYVDpC8DtgayQ+vKAQLi1uj+I9Yqb/nPUrdUh9IlxudlqiFQ
+ QxyvsXMJEzbWWmlbD0kXYkHmHzetJNPK9ayOS/fJcAcfAb01AgMBAAEwDQYJKoZI
+ hvcNAQELBQADggEBAFmUc7+cI8d0Dl4wTdq+gfyWdqjQb7AYVO9DvJi3XGxdc5Kp
+ 1nCSsKzKUz9gvxXHeaYKrBNYf4SSU+Pkdf/BWePqi7UX/SIxNXby2da8zWg+W6Uh
+ xZfKlLYGMp3mCjueZpZTJ7SKOOGFA8IIgEzjJD9Ln1gl3ywMaCwlNrG9RpiD1McT
+ COKvyWNKnSRVr/RvCklLVrAMTJr50kce2czcdFl/xF4Hm66vp7cP/bYJKWAL8hBG
+ zUa9aQBKncOoAO+zQ/SGy7uJxTDUF8SverDsmjOc6AU6IhBGVUyX/JQbYyJfZinB
+ YlviYxVzIm6IaNJHx4sihw4U1/jMFWRXT470zcQ=
+ -----END CERTIFICATE-----
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mtls-test-configmap2
+ namespace: apk-integration-test
+data:
+ tls.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDGTCCAgECFANIkLQBkd76qiTXzSXjBS2scPJsMA0GCSqGSIb3DQEBCwUAME0x
+ CzAJBgNVBAYTAkxLMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQKDAR3c28y
+ MQwwCgYDVQQLDANhcGsxDDAKBgNVBAMMA2FwazAeFw0yMzEyMDYxMDEyNDhaFw0y
+ NTA0MTkxMDEyNDhaMEUxCzAJBgNVBAYTAkxLMRMwEQYDVQQIDApTb21lLVN0YXRl
+ MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQCdG90W/Tlk4u9awHPteD5zpVcThUKwMLvAKw9i
+ vVQBC0AG6GzPbakol5gKVm+kBUDFzzzF6eayEXKWbyaZDty66A2+7HLLcKBop5M/
+ a57Q9XtU3lRYvotgutLWuHcI7mLCScZDrjA3rnb/KjjbhZ602ZS1pp5jtyUz6DwL
+ m7w4wQ/RProqCdBj8QqoAvnDDLSPeDfsx14J5VeNJVGJV2wax65jWRjRkj6wE7z2
+ qzWAlP5vDeED6bogYYVDpC8DtgayQ+vKAQLi1uj+I9Yqb/nPUrdUh9IlxudlqiFQ
+ QxyvsXMJEzbWWmlbD0kXYkHmHzetJNPK9ayOS/fJcAcfAb01AgMBAAEwDQYJKoZI
+ hvcNAQELBQADggEBAFmUc7+cI8d0Dl4wTdq+gfyWdqjQb7AYVO9DvJi3XGxdc5Kp
+ 1nCSsKzKUz9gvxXHeaYKrBNYf4SSU+Pkdf/BWePqi7UX/SIxNXby2da8zWg+W6Uh
+ xZfKlLYGMp3mCjueZpZTJ7SKOOGFA8IIgEzjJD9Ln1gl3ywMaCwlNrG9RpiD1McT
+ COKvyWNKnSRVr/RvCklLVrAMTJr50kce2czcdFl/xF4Hm66vp7cP/bYJKWAL8hBG
+ zUa9aQBKncOoAO+zQ/SGy7uJxTDUF8SverDsmjOc6AU6IhBGVUyX/JQbYyJfZinB
+ YlviYxVzIm6IaNJHx4sihw4U1/jMFWRXT470zcQ=
+ -----END CERTIFICATE-----
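Review bot: `mtls-test-configmap` and `mtls-test-configmap2` carry byte-identical `tls.crt` content, so a scenario that attaches both cannot tell whether certificates from every referenced ConfigMap were merged or only one was loaded, which is the behaviour the utils.go change in this commit is meant to provide. Give `mtls-test-configmap2` a different certificate so a test can present each one in turn and require both to be accepted. The encoded validity window also appears to end in April 2025, so any test that checks certificate expiry will start failing after that date. A comment above each `tls.crt` such as `# test-only client certificate, expires <date>` would make the rotation need visible.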