diff --git a/internal/controller/impersonatorconfig/impersonator_config.go b/internal/controller/impersonatorconfig/impersonator_config.go
index b4eba710..4e8468d1 100644
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -13,6 +13,7 @@ import (
 "fmt"
 "net"
 "net/http"
+ "strings"
 "sync"
 "time"
@@ -491,12 +492,12 @@ func (c *impersonatorConfigController) findDesiredTLSCertificateName(config *imp
 }
 func (c *impersonatorConfigController) findTLSCertificateNameFromEndpointConfig(config *impersonator.Config) (net.IP, string, bool, error) {
- // TODO Endpoint could have a port number in it, which we should parse out and ignore for this purpose
- parsedAsIP := net.ParseIP(config.Endpoint)
+ endpointWithoutPort := strings.Split(config.Endpoint, ":")[0]
+ parsedAsIP := net.ParseIP(endpointWithoutPort)
 if parsedAsIP != nil {
 return parsedAsIP, "", true, nil
 }
- return nil, config.Endpoint, true, nil
+ return nil, endpointWithoutPort, true, nil
 }
 func (c *impersonatorConfigController) findTLSCertificateNameFromLoadBalancer() (net.IP, string, bool, error) {
diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go
index bc7e4975..7570e2f5 100644
--- a/internal/controller/impersonatorconfig/impersonator_config_test.go
+++ b/internal/controller/impersonatorconfig/impersonator_config_test.go
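Review bot: `strings.Split(config.Endpoint, ":")[0]` in findTLSCertificateNameFromEndpointConfig truncates any IPv6 endpoint: a bare `::1` becomes `""` and `[::1]:3000` becomes `[`, so net.ParseIP returns nil and the garbage string is returned as the hostname that, judging by the function's name and the new tests, the serving certificate is issued for. net.SplitHostPort understands both `host:port` and bracketed `[v6]:port` forms and returns the unwrapped host; since it errors on an endpoint with no port (`missing port in address`), keep the raw value as the fallback in that case. The remaining lines of the function (ParseIP and the two returns) can stay as the commit has them. With this change the `strings` import added in the first hunk is no longer needed here.
```go
func (c *impersonatorConfigController) findTLSCertificateNameFromEndpointConfig(config *impersonator.Config) (net.IP, string, bool, error) {
	// Strip an optional port; SplitHostPort also unwraps a bracketed IPv6 literal.
	// An endpoint without a port makes SplitHostPort fail, so fall back to the raw value.
	endpointWithoutPort := config.Endpoint
	if host, _, err := net.SplitHostPort(config.Endpoint); err == nil {
		endpointWithoutPort = host
	}
	// … unchanged: ParseIP check and the two return statements …
```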
@@ -1210,6 +1210,44 @@ func TestImpersonatorConfigControllerSync(t *testing.T) {
 })
 })
+ when("endpoint is IP address with a port", func() {
+ const fakeIpWithPort = "127.0.0.1:3000"
+ it.Before(func() {
+ configMapYAML := fmt.Sprintf("{mode: enabled, endpoint: %s}", fakeIpWithPort)
+ addImpersonatorConfigMapToTracker(configMapResourceName, configMapYAML, kubeInformerClient)
+ addNodeWithRoleToTracker("worker", kubeAPIClient)
+ })
+
+ it("starts the impersonator, generates a valid cert for the hostname", func() {
+ startInformersAndController()
+ r.NoError(runControllerSync())
+ r.Len(kubeAPIClient.Actions(), 2)
+ requireNodesListed(kubeAPIClient.Actions()[0])
+ ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[1])
+ // Check that the server is running and that TLS certs that are being served are are for fakeIpWithPort.
+ requireTLSServerIsRunning(ca, fakeIpWithPort, map[string]string{fakeIpWithPort: testServerAddr()})
+ })
+ })
+
+ when("endpoint is hostname with a port", func() {
+ const fakeHostnameWithPort = "fake.example.com:3000"
+ it.Before(func() {
+ configMapYAML := fmt.Sprintf("{mode: enabled, endpoint: %s}", fakeHostnameWithPort)
+ addImpersonatorConfigMapToTracker(configMapResourceName, configMapYAML, kubeInformerClient)
+ addNodeWithRoleToTracker("worker", kubeAPIClient)
+ })
+
+ it("starts the impersonator, generates a valid cert for the hostname", func() {
+ startInformersAndController()
+ r.NoError(runControllerSync())
+ r.Len(kubeAPIClient.Actions(), 2)
+ requireNodesListed(kubeAPIClient.Actions()[0])
+ ca := requireTLSSecretWasCreated(kubeAPIClient.Actions()[1])
+ // Check that the server is running and that TLS certs that are being served are are for fakeHostnameWithPort.
+ requireTLSServerIsRunning(ca, fakeHostnameWithPort, map[string]string{fakeHostnameWithPort: testServerAddr()})
+ })
+ })
+
 when("switching from ip address endpoint to hostname endpoint and back to ip address", func() {
 const fakeHostname = "fake.example.com"
 const fakeIP = "127.0.0.42"
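Review bot: Neither new case exercises an IPv6 endpoint, which is exactly the input where splitting on the first colon in the controller change diverges from a real host/port parse; a `when("endpoint is IPv6 address with a port", ...)` case using a bracketed literal such as `[::1]:3000` alongside these two would pin that behavior. The `it` description in the IP-with-port case reads "generates a valid cert for the hostname" although the endpoint is an IP, and both added comments contain the doubled "are are". The enclosing TestImpersonatorConfigControllerSync starts and ends outside the hunk.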