ignore when only * is passed

Revolyssup · Revolyssup · commit 581a7355033a · 2024-09-25T15:40:33.000+05:30
diff --git a/internal/controlplane/controlplane.go b/internal/controlplane/controlplane.go
@@ -69,14 +69,21 @@ func (d *dashboardClient) Update(ctx context.Context, tctx *translator.Translate
 		}
 	}
 	for _, ssl := range result.SSL {
+		// to avoid duplication
+		ssl.Snis = arrayUniqueElements(ssl.Snis, []string{})
+		if len(ssl.Snis) == 1 && ssl.Snis[0] == "*" {
+			// skip creating ssl without throwing error
+			return nil
+		}
+		ssl.Snis = removeWildcard(ssl.Snis)
 		oldssl, err := d.c.Cluster(name).SSL().Get(ctx, ssl.Cert)
 		if err != nil || oldssl == nil {
 			if _, err := d.c.Cluster(name).SSL().Create(ctx, ssl); err != nil {
 				return fmt.Errorf("failed to create ssl for sni %+v: %w", ssl.Snis, err)
 			}
 		} else {
 			// array union is done to avoid host duplication
-			ssl.Snis = arrayUnion(ssl.Snis, oldssl.Snis)
+			ssl.Snis = arrayUniqueElements(ssl.Snis, oldssl.Snis)
 			if _, err := d.c.Cluster(name).SSL().Update(ctx, ssl); err != nil {
 				return fmt.Errorf("failed to update ssl for sni %+v: %w", ssl.Snis, err)
 			}
@@ -85,7 +92,17 @@ func (d *dashboardClient) Update(ctx context.Context, tctx *translator.Translate
 	return nil
 }
 
-func arrayUnion(arr1 []string, arr2 []string) []string {
+func removeWildcard(snis []string) []string {
+	newSni := make([]string, 0)
+	for _, sni := range snis {
+		if sni != "*" {
+			newSni = append(newSni, sni)
+		}
+	}
+	return newSni
+}
+
+func arrayUniqueElements(arr1 []string, arr2 []string) []string {
 	// return a union of elements from both array
 	presentEle := make(map[string]bool)
 	newArr := make([]string, 0)
diff --git a/internal/controlplane/translator/gateway.go b/internal/controlplane/translator/gateway.go
@@ -1,6 +1,7 @@
 package translator
 
 import (
+	"crypto/x509"
 	"fmt"
 
 	v1 "github.com/api7/api7-ingress-controller/api/dashboard/v1"
@@ -43,11 +44,8 @@ func (t *Translator) translateSecret(tctx *TranslateContext, listener gatewayv1.
 			if ref.Namespace != nil {
 				ns = string(*ref.Namespace)
 			}
-			sslObj := &v1.Ssl{}
-			sslObj.Snis = []string{}
-			// Dashboard doesn't allow wildcard hostname
-			if listener.Hostname != nil && *listener.Hostname != "" && *listener.Hostname != "*" {
-				sslObj.Snis = append(sslObj.Snis, string(*listener.Hostname))
+			sslObj := &v1.Ssl{
+				Snis: []string{},
 			}
 			name := listener.TLS.CertificateRefs[0].Name
 			secret := tctx.Secrets[types.NamespacedName{Namespace: ns, Name: string(ref.Name)}]
@@ -61,6 +59,15 @@ func (t *Translator) translateSecret(tctx *TranslateContext, listener gatewayv1.
 			}
 			sslObj.Cert = string(cert)
 			sslObj.Key = string(key)
+			// Dashboard doesn't allow wildcard hostname
+			if listener.Hostname != nil && *listener.Hostname != "" {
+				sslObj.Snis = append(sslObj.Snis, string(*listener.Hostname))
+			}
+			hosts, err := extractHost(cert)
+			if err != nil {
+				return nil, err
+			}
+			sslObj.Snis = append(sslObj.Snis, hosts...)
 			// Note: Dashboard doesn't allow duplicate certificate across ssl objects
 			sslObj.ID = id.GenID(sslObj.Cert)
 			sslObj.Labels = label.GenLabel(obj)
@@ -76,6 +83,14 @@ func (t *Translator) translateSecret(tctx *TranslateContext, listener gatewayv1.
 	return sslObjs, nil
 }
 
+func extractHost(cert []byte) ([]string, error) {
+	parsedCert, err := x509.ParseCertificate(cert)
+	if err != nil {
+		return nil, err
+	}
+	return parsedCert.DNSNames, nil
+}
+
 func extractKeyPair(s *corev1.Secret, hasPrivateKey bool) ([]byte, []byte, error) {
 	if _, ok := s.Data["cert"]; ok {
 		return extractApisixSecretKeyPair(s, hasPrivateKey)
diff --git a/test/conformance/conformance_test.go b/test/conformance/conformance_test.go
@@ -18,6 +18,12 @@ import (
 	"sigs.k8s.io/yaml"
 )
 
+var skippedTestsForSSL = []string{
+	// Reason: https://github.com/kubernetes-sigs/gateway-api/blob/5c5fc388829d24e8071071b01e8313ada8f15d9f/conformance/utils/suite/suite.go#L358.  SAN includes '*'
+	tests.HTTPRouteHTTPSListener.ShortName,
+	tests.HTTPRouteRedirectPortAndScheme.ShortName,
+}
+
 var skippedTestsForTraditionalRoutes = []string{
 	// TODO: Support ReferenceGrant resource
 	tests.HTTPRouteInvalidReferenceGrant.ShortName,
@@ -68,7 +74,8 @@ func TestGatewayAPIConformance(t *testing.T) {
 	opts.CleanupBaseResources = true
 	opts.GatewayClassName = gatewayClassName
 	opts.SupportedFeatures = sets.New(gatewaySupportedFeatures...)
-	opts.SkipTests = skippedTestsForTraditionalRoutes
+	opts.SkipTests = skippedTestsForSSL
+	opts.SkipTests = append(opts.SkipTests, skippedTestsForTraditionalRoutes...)
 	opts.Implementation = conformancev1.Implementation{
 		Organization: "API7",
 		Project:      "api7-ingress-controller",
