fix: fix generating SNIs in dbless (#7853) (#7857)

* fix: fix generating SNIs in dbless (#7853)

* fix: fix generating SNIs in dbless

* tests: fix golden tests files

* tests: fix golden tests files

* chore: add changelog

* chore: update kong-ee test dependency to 3.10.0.9

Author: pmalek

.github/test_dependencies.yaml

@@ -46,14 +46,14 @@ integration:
   # renovate: datasource=docker depName=kong versioning=docker
   kong-oss: '3.9.0'
   # renovate: datasource=docker depName=kong/kong-gateway versioning=docker
-  kong-ee: '3.9.1.1'
+  kong-ee: '3.10.0.9'
 
 kongintegration:
   # renovate: datasource=docker depName=kong versioning=docker
   kong-oss: '3.9.0'
   # renovate: datasource=docker depName=kong/kong-gateway versioning=docker
-  kong-ee: '3.9.1.1'
+  kong-ee: '3.10.0.9'
 
 envtests:
   # renovate: datasource=docker depName=kong/kong-gateway versioning=docker
-  kong-ee: '3.9.1.1'
+  kong-ee: '3.10.0.9'

CHANGELOG.md

@@ -111,6 +111,15 @@ Adding a new version? You'll need three changes:
  - [0.0.5](#005)
  - [0.0.4 and prior](#004-and-prior)
 
+## Unreleased
+
+> Release date: TBA
+
+### Fixed
+
+- Fixed an issue with SNI generation in dbless mode.
+  [#7853](https://github.com/Kong/kubernetes-ingress-controller/pull/7853)
+
 ## [3.4.11]
 
 > Release date: 2025-02-17

internal/dataplane/deckgen/deckgen.go

@@ -32,7 +32,7 @@ func GenerateSHA(targetContent *file.Content, customEntities map[string][]custom
 }
 
 // GetFCertificateFromKongCert converts a kong.Certificate to a file.FCertificate.
-func GetFCertificateFromKongCert(kongCert kong.Certificate) file.FCertificate {
+func GetFCertificateFromKongCert(inmemory bool, kongCert kong.Certificate) file.FCertificate {
 	var res file.FCertificate
 	if kongCert.ID != nil {
 		res.ID = kong.String(*kongCert.ID)
@@ -43,17 +43,17 @@ func GetFCertificateFromKongCert(kongCert kong.Certificate) file.FCertificate {
 	if kongCert.Cert != nil {
 		res.Cert = kong.String(*kongCert.Cert)
 	}
-	res.SNIs = getCertsSNIs(kongCert)
+	res.SNIs = getCertsSNIs(inmemory, kongCert)
 	return res
 }
 
-func getCertsSNIs(kongCert kong.Certificate) []kong.SNI {
+func getCertsSNIs(inmemory bool, kongCert kong.Certificate) []kong.SNI {
 	snis := make([]kong.SNI, 0, len(kongCert.SNIs))
 	for _, sni := range kongCert.SNIs {
 		kongSNI := kong.SNI{
 			Name: sni,
 		}
-		if kongCert.ID != nil {
+		if !inmemory && kongCert.ID != nil {
 			kongSNI.Certificate = &kong.Certificate{
 				ID: kongCert.ID,
 			}

internal/dataplane/deckgen/deckgen_test.go

@@ -10,6 +10,102 @@ import (
 	"github.com/kong/kubernetes-ingress-controller/v3/internal/dataplane/deckgen"
 )
 
+func TestGetFCertificateFromKongCert(t *testing.T) {
+	testCases := []struct {
+		name     string
+		inmemory bool
+		cert     kong.Certificate
+		want     file.FCertificate
+	}{
+		{
+			name:     "empty certificate",
+			inmemory: false,
+			cert:     kong.Certificate{},
+			want: file.FCertificate{
+				SNIs: []kong.SNI{},
+			},
+		},
+		{
+			name:     "all fields set, inmemory=true, SNIs have no certificate ref",
+			inmemory: true,
+			cert: kong.Certificate{
+				ID:   kong.String("cert-id"),
+				Key:  kong.String("cert-key"),
+				Cert: kong.String("cert-pem"),
+				SNIs: []*string{kong.String("example.com"), kong.String("other.com")},
+			},
+			want: file.FCertificate{
+				ID:   kong.String("cert-id"),
+				Key:  kong.String("cert-key"),
+				Cert: kong.String("cert-pem"),
+				SNIs: []kong.SNI{
+					{Name: kong.String("example.com")},
+					{Name: kong.String("other.com")},
+				},
+			},
+		},
+		{
+			name:     "all fields set, inmemory=false, SNIs have certificate ref",
+			inmemory: false,
+			cert: kong.Certificate{
+				ID:   kong.String("cert-id"),
+				Key:  kong.String("cert-key"),
+				Cert: kong.String("cert-pem"),
+				SNIs: []*string{kong.String("example.com")},
+			},
+			want: file.FCertificate{
+				ID:   kong.String("cert-id"),
+				Key:  kong.String("cert-key"),
+				Cert: kong.String("cert-pem"),
+				SNIs: []kong.SNI{
+					{
+						Name:        kong.String("example.com"),
+						Certificate: &kong.Certificate{ID: kong.String("cert-id")},
+					},
+				},
+			},
+		},
+		{
+			name:     "nil ID, inmemory=false, SNIs have no certificate ref",
+			inmemory: false,
+			cert: kong.Certificate{
+				Key:  kong.String("cert-key"),
+				Cert: kong.String("cert-pem"),
+				SNIs: []*string{kong.String("example.com")},
+			},
+			want: file.FCertificate{
+				Key:  kong.String("cert-key"),
+				Cert: kong.String("cert-pem"),
+				SNIs: []kong.SNI{
+					{Name: kong.String("example.com")},
+				},
+			},
+		},
+		{
+			name:     "no SNIs",
+			inmemory: false,
+			cert: kong.Certificate{
+				ID:   kong.String("cert-id"),
+				Key:  kong.String("cert-key"),
+				Cert: kong.String("cert-pem"),
+			},
+			want: file.FCertificate{
+				ID:   kong.String("cert-id"),
+				Key:  kong.String("cert-key"),
+				Cert: kong.String("cert-pem"),
+				SNIs: []kong.SNI{},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := deckgen.GetFCertificateFromKongCert(tc.inmemory, tc.cert)
+			require.Equal(t, tc.want, got)
+		})
+	}
+}
+
 func TestIsContentEmpty(t *testing.T) {
 	testCases := []struct {
 		name    string

internal/dataplane/deckgen/generate.go

@@ -32,6 +32,11 @@ type GenerateDeckContentParams struct {
 	// the configuration is empty. It is used to workaround behavior in Kong where sending an empty configuration
 	// does not make its `GET /status/ready` endpoint return 200s.
 	AppendStubEntityWhenConfigEmpty bool
+
+	// InMemory indicates whether the generated deck content is intended to be used in-memory.
+	// This is used to determine whether to include certain fields in the generated content
+	// that are not relevant for in-memory use but are required for db based / konnect configurations.
+	InMemory bool
 }
 
 // ToDeckContent generates a decK configuration from `k8sState` and auxiliary parameters.
@@ -125,7 +130,7 @@ func ToDeckContent(
 	})
 
 	for _, c := range k8sState.Certificates {
-		cert := GetFCertificateFromKongCert(c.Certificate)
+		cert := GetFCertificateFromKongCert(params.InMemory, c.Certificate)
 		content.Certificates = append(content.Certificates, cert)
 	}
 	sort.SliceStable(content.Certificates, func(i, j int) bool {

internal/dataplane/kong_client.go

@@ -794,6 +794,7 @@ func (c *KongClient) sendToClient(
 		ExpressionRoutes:                config.ExpressionRoutes,
 		PluginSchemas:                   client.PluginSchemaStore(),
 		AppendStubEntityWhenConfigEmpty: config.InMemory,
+		InMemory:                        config.InMemory,
 	}
 	targetContent := deckgen.ToDeckContent(ctx, logger, s, deckGenParams)
 	customEntities := make(sendconfig.CustomEntitiesByType)

internal/dataplane/kong_client_golden_test.go

@@ -130,7 +130,9 @@ func pruneTestCaseDirectory(t *testing.T, path string) {
 
 	for _, fileInDirectory := range filesInDirectory {
 		// First, let's skip the files we want to keep.
-		if fileInDirectory.Name() == inFileName || strings.HasSuffix(fileInDirectory.Name(), settingsFileSuffix) {
+		if fileInDirectory.Name() == inFileName ||
+			strings.HasSuffix(fileInDirectory.Name(), settingsFileSuffix) ||
+			strings.HasSuffix(fileInDirectory.Name(), ".txt") {
 			continue
 		}
 
@@ -262,7 +264,9 @@ func runKongClientGoldenTest(t *testing.T, tc kongClientGoldenTestCase) {
 	translatorConfig := translator.Config{
 		ClusterDomain: consts.DefaultClusterDomain,
 	}
-	p, err := translator.NewTranslator(logger, s, "", tc.featureFlags, fakeSchemaServiceProvier{}, translatorConfig)
+	p, err := translator.NewTranslator(logger, s, "", tc.featureFlags, fakeSchemaServiceProvier{},
+		translatorConfig,
+	)
 	require.NoError(t, err, "failed creating translator")
 
 	// Start a mock Admin API server and create an Admin API client for inspecting the configuration.

…ith-tls-and-consumer/default_golden.yaml …-tls-and-consumer-ee/default_golden.yamlinternal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/default_golden.yaml renamed to internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer-ee/default_golden.yaml internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/default_golden.yaml renamed to internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer-ee/default_golden.yaml

@@ -31,12 +31,8 @@ certificates:
     5GTyl7XJmyY/
     -----END PRIVATE KEY-----
   snis:
-  - certificate:
-      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
-    name: 1.example.com
-  - certificate:
-      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
-    name: 2.example.com
+  - name: 1.example.com
+  - name: 2.example.com
 consumers:
 - basicauth_credentials:
   - password: consumer-1-password

…onsumer/expression-routes-on_golden.yaml …umer-ee/expression-routes-on_golden.yamlinternal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/expression-routes-on_golden.yaml renamed to internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer-ee/expression-routes-on_golden.yaml internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer/expression-routes-on_golden.yaml renamed to internal/dataplane/testdata/golden/ingress-v1-rule-with-tls-and-consumer-ee/expression-routes-on_golden.yaml

@@ -31,12 +31,8 @@ certificates:
     5GTyl7XJmyY/
     -----END PRIVATE KEY-----
   snis:
-  - certificate:
-      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
-    name: 1.example.com
-  - certificate:
-      id: c6ac927c-4f5a-4e88-8b5d-c7b01d0f43af
-    name: 2.example.com
+  - name: 1.example.com
+  - name: 2.example.com
 consumers:
 - basicauth_credentials:
   - password: consumer-1-password