Supervisor listens for HTTPS on port 443 with configurable TLS certs

- TLS certificates can be configured on the OIDCProviderConfig using
  the `secretName` field.
- When listening for incoming TLS connections, choose the TLS cert
  based on the SNI hostname of the incoming request.
- Because SNI hostname information on incoming requests does not include
  the port number of the request, we add a validation that
  OIDCProviderConfigs where the issuer hostnames (not including port
  number) are the same must use the same `secretName`.
- Note that this approach does not yet support requests made to an
  IP address instead of a hostname. Also note that `localhost` is
  considered a hostname by SNI.
- Add port 443 as a container port to the pod spec.
- A new controller watches for TLS secrets and caches them in memory.
  That same in-memory cache is used while servicing incoming connections
  on the TLS port.
- Make it easy to configure both port 443 and/or port 80 for various
  Service types using our ytt templates for the supervisor.
- When deploying to kind, add another nodeport and forward it to the
  host on another port to expose our new HTTPS supervisor port to the
  host.
Ryan Richard
2020-10-26 17:03:26 -07:00
parent 25a91019c2
commit 8b7c30cfbd
17 changed files with 672 additions and 44 deletions
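The commit message describes two mechanisms worth seeing in code: certificate selection by the SNI hostname of the incoming TLS connection (backed by an in-memory cache of TLS Secrets), and the validation that OIDCProviderConfigs with the same issuer hostname (port ignored) must name the same `secretName`. The following Go program is an added example written for this page, not Pinniped's code: `providerConfig`, `certCache` and the function names are hypothetical, the certificates stored in the cache are empty placeholders, and lowercase folding of hostnames is an assumption the commit message does not state. It also shows the two cases the message calls out as unsupported or special: a client that connected to an IP address (no usable SNI) and `localhost`, which SNI treats as an ordinary hostname.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
	"sync"
)

// providerConfig is a hypothetical stand-in for the OIDCProviderConfig fields
// that matter here (not the project's type).
type providerConfig struct {
	Name, Issuer, SecretName string
}

// issuerHostname strips the port (SNI carries none) and folds to lowercase
// (an assumption of this example; DNS names are case-insensitive).
func issuerHostname(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("issuer %q has no hostname", issuer)
	}
	return strings.ToLower(u.Hostname()), nil
}

// validateSecretNames enforces the rule from the commit message: configs whose
// issuer hostnames match (ignoring port) must use the same secretName.
func validateSecretNames(configs []providerConfig) (map[string]string, error) {
	byHost := map[string]string{}
	for _, c := range configs {
		host, err := issuerHostname(c.Issuer)
		if err != nil {
			return nil, fmt.Errorf("config %q: %w", c.Name, err)
		}
		if prev, seen := byHost[host]; seen && prev != c.SecretName {
			return nil, fmt.Errorf("config %q: hostname %q already uses secretName %q, cannot also use %q", c.Name, host, prev, c.SecretName)
		}
		byHost[host] = c.SecretName
	}
	return byHost, nil
}

var errNoCert = errors.New("no TLS certificate for the requested server name")

// certCache is the in-memory store a controller would fill from TLS Secrets,
// keyed by SNI hostname; every handshake reads it, so reads take an RLock.
type certCache struct {
	mu    sync.RWMutex
	certs map[string]*tls.Certificate
}

func newCertCache() *certCache { return &certCache{certs: map[string]*tls.Certificate{}} }

func (c *certCache) put(hostname string, cert *tls.Certificate) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.certs[strings.ToLower(hostname)] = cert
}

// getCertificate is the tls.Config.GetCertificate callback. hello.ServerName is
// the client's SNI value; it is empty for connections made to a bare IP, so
// those get no certificate (the limitation the commit message notes).
func (c *certCache) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	name := strings.ToLower(hello.ServerName)
	if name == "" || net.ParseIP(name) != nil {
		return nil, errNoCert
	}
	c.mu.RLock()
	defer c.mu.RUnlock()
	if cert, ok := c.certs[name]; ok {
		return cert, nil
	}
	return nil, errNoCert
}

func main() {
	// Constructed sample: "a" and "b" share a hostname and secret (different
	// ports, allowed); "c" is the kind/localhost case.
	byHost, err := validateSecretNames([]providerConfig{
		{Name: "a", Issuer: "https://idp.example.com/a", SecretName: "idp-tls"},
		{Name: "b", Issuer: "https://idp.example.com:8443/b", SecretName: "idp-tls"},
		{Name: "c", Issuer: "https://localhost:12344/c", SecretName: "localhost-tls"},
	})
	if err != nil {
		panic(err)
	}
	cache := newCertCache()
	for host := range byHost {
		cache.put(host, &tls.Certificate{}) // placeholder; real code parses tls.crt/tls.key via tls.X509KeyPair
	}
	for _, sni := range []string{"idp.example.com", "LOCALHOST", "", "127.0.0.1", "other.example.com"} {
		_, err := cache.getCertificate(&tls.ClientHelloInfo{ServerName: sni})
		fmt.Printf("SNI %q -> %v\n", sni, err)
	}
}
```

To use the cache with a listener, set `GetCertificate: cache.getCertificate` on the server's `tls.Config`; the controller that watches Secrets calls `put` on add/update (and would remove entries on delete). The validation runs at admission or reconcile time, before any Secret is cached, so two issuers on the same host but different ports can never disagree about which certificate the SNI lookup returns.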


@@ -6,7 +6,14 @@ nodes:
- protocol: TCP
# This same port number is hardcoded in the integration test setup
# when creating a Service on a kind cluster. It is used to talk to
# the supervisor app.
# the supervisor app via HTTPS.
containerPort: 31243
hostPort: 12344
listenAddress: 127.0.0.1
- protocol: TCP
# This same port number is hardcoded in the integration test setup
# when creating a Service on a kind cluster. It is used to talk to
# the supervisor app via HTTP.
containerPort: 31234
hostPort: 12345
listenAddress: 127.0.0.1
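Review bot: the new HTTPS mapping (node port 31243 to 127.0.0.1:12344) is only usable by hostname, not by IP: the commit message says the certificate is chosen by SNI and that requests to an IP address are not yet supported, so the integration test setup that hardcodes this port must connect to `localhost:12344` (which SNI treats as a hostname) rather than `127.0.0.1:12344`, and the OIDCProviderConfig it creates needs an issuer whose hostname is `localhost`. Separately, the two entries carry near-identical comments and the HTTPS hostPort (12344) is numerically below the HTTP one (12345), which is easy to transpose when editing; a single comment above both entries stating `31243 -> 12344 (HTTPS), 31234 -> 12345 (HTTP)` would make the pairing harder to get wrong.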


@@ -86,7 +86,7 @@ docker_build_with_restart('image/supervisor', '.',
# Render the supervisor installation manifest using ytt.
#
# 31234 is the same port number hardcoded in the port forwarding of our kind configuration.
# 31234 and 31243 are the same port numbers hardcoded in the port forwarding of our kind configuration.
# Don't think that you can just change this!
k8s_yaml(local([
'ytt',
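Review bot: the updated comment names the two node port numbers but not the file that pins them; since the prepare script in this same commit refers to `hack/lib/kind-config/single-node.yaml` by path, name that file here as well so a reader of the Tiltfile knows which file must change in lockstep with these values.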
@@ -96,8 +96,10 @@ k8s_yaml(local([
'--data-value', 'image_repo=image/supervisor',
'--data-value', 'image_tag=tilt-dev',
'--data-value-yaml', 'replicas=1',
'--data-value-yaml', 'service_nodeport_port=80',
'--data-value-yaml', 'service_nodeport_nodeport=31234',
'--data-value-yaml', 'service_http_nodeport_port=80',
'--data-value-yaml', 'service_http_nodeport_nodeport=31234',
'--data-value-yaml', 'service_https_nodeport_port=443',
'--data-value-yaml', 'service_https_nodeport_nodeport=31243',
'--data-value-yaml', 'custom_labels={mySupervisorCustomLabelName: mySupervisorCustomLabelValue}',
]))
# Tell tilt to watch all of those files for changes.
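Review bot: renaming `service_nodeport_port` and `service_nodeport_nodeport` to `service_http_nodeport_port` and `service_http_nodeport_nodeport` is a breaking change to the supervisor's ytt data-value interface, and the hunks visible here do not show the matching update to the supervisor's values file or install docs; any existing values file or deploy script still passing the old names will stop rendering. Call the rename out in the changelog or install docs, and state there whether `service_http_nodeport_port` may now be omitted for an HTTPS-only deployment, since this Tiltfile still exposes the plaintext port 80 alongside the new 443.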


@@ -119,7 +119,7 @@ if ! tilt_mode; then
log_note "Checking for running kind clusters..."
if ! kind get clusters | grep -q -e '^pinniped$'; then
log_note "Creating a kind cluster..."
# single-node.yaml exposes node port 31234 as 127.0.0.1:12345 and port 31235 as 127.0.0.1:12346
# single-node.yaml exposes node port 31234 as 127.0.0.1:12345, 31243 as 127.0.0.1:12344, and 31235 as 127.0.0.1:12346
kind create cluster --config "$pinniped_path/hack/lib/kind-config/single-node.yaml" --name pinniped
else
if ! kubectl cluster-info | grep master | grep -q 127.0.0.1; then
@@ -224,8 +224,11 @@ if ! tilt_mode; then
--data-value "image_repo=$registry_repo" \
--data-value "image_tag=$tag" \
--data-value-yaml "custom_labels=$supervisor_custom_labels" \
--data-value-yaml 'service_nodeport_port=80' \
--data-value-yaml 'service_nodeport_nodeport=31234' >"$manifest"
--data-value-yaml 'service_http_nodeport_port=80' \
--data-value-yaml 'service_http_nodeport_nodeport=31234' \
--data-value-yaml 'service_https_nodeport_port=443' \
--data-value-yaml 'service_https_nodeport_nodeport=31243' \
>"$manifest"
kapp deploy --yes --app "$supervisor_app_name" --diff-changes --file "$manifest"
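Review bot: the redirect `>"$manifest"` now sits on its own line after a trailing backslash on the last `--data-value-yaml` argument; that works today, but a future edit that appends another `--data-value-yaml` line and forgets the backslash would run `ytt` without the redirect, truncate `$manifest` to an empty file, and then `kapp deploy` it. Keep the redirect on the same line as the last argument (as it was before this change), or fail fast by checking that `$manifest` is non-empty before the `kapp deploy` call.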