From 5270b82d8e96caf034a70b4d6110e23ed74b5dc4 Mon Sep 17 00:00:00 2001
From: Sascha Schwarze
Date: Fri, 5 May 2023 17:48:58 +0200
Subject: [PATCH] Check all host names of a certificate in isWildcardSecret (#1108)
---
 pkg/reconciler/ingress/ingress_test.go | 4 ++--
 pkg/reconciler/ingress/resources/gateway_test.go | 2 +-
 pkg/reconciler/ingress/resources/secret.go | 13 ++++++++++++-
 pkg/reconciler/ingress/resources/secret_test.go | 9 ++++++---
 pkg/reconciler/ingress/resources/util.go | 12 +++++++-----
 5 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/pkg/reconciler/ingress/ingress_test.go b/pkg/reconciler/ingress/ingress_test.go
index 0809562723..6298a688f5 100644
--- a/pkg/reconciler/ingress/ingress_test.go
+++ b/pkg/reconciler/ingress/ingress_test.go
@@ -101,8 +101,8 @@ var (
 )
 var (
- nonWildcardCert, _ = resources.GenerateCertificate("host-1.example.com", "secret0", "istio-system")
- wildcardCert, _ = resources.GenerateCertificate("*.example.com", "secret0", "istio-system")
+ nonWildcardCert, _ = resources.GenerateCertificate([]string{"host-1.example.com"}, "secret0", "istio-system")
+ wildcardCert, _ = resources.GenerateCertificate([]string{"*.example.com"}, "secret0", "istio-system")
 selector = map[string]string{
 "istio": "ingress",
 }
diff --git a/pkg/reconciler/ingress/resources/gateway_test.go b/pkg/reconciler/ingress/resources/gateway_test.go
index 0a49160a4a..5ef3917574 100644
--- a/pkg/reconciler/ingress/resources/gateway_test.go
+++ b/pkg/reconciler/ingress/resources/gateway_test.go
@@ -56,7 +56,7 @@ var secret = corev1.Secret{
 var secretGVK = schema.GroupVersionKind{Version: "v1", Kind: "Secret"}
-var wildcardSecret, _ = GenerateCertificate("*.example.com", "secret0", system.Namespace())
+var wildcardSecret, _ = GenerateCertificate([]string{"*.example.com"}, "secret0", system.Namespace())
 var wildcardSecrets = map[string]*corev1.Secret{
 fmt.Sprintf("%s/secret0", system.Namespace()): wildcardSecret,
diff --git a/pkg/reconciler/ingress/resources/secret.go b/pkg/reconciler/ingress/resources/secret.go
index 4820b0366f..e60be44cc5 100644
--- a/pkg/reconciler/ingress/resources/secret.go
+++ b/pkg/reconciler/ingress/resources/secret.go
@@ -203,7 +203,18 @@ func isWildcardSecret(secret *corev1.Secret) (bool, error) {
 if err != nil {
 return false, err
 }
- return isWildcardHost(hosts[0])
+
+ for _, host := range hosts {
+ isWildcard, err := isWildcardHost(host)
+ if err != nil {
+ return false, err
+ }
+ if isWildcard {
+ return true, nil
+ }
+ }
+
+ return false, nil
 }
 func isWildcardHost(domain string) (bool, error) {
diff --git a/pkg/reconciler/ingress/resources/secret_test.go b/pkg/reconciler/ingress/resources/secret_test.go
index ae5fe45625..3a7815dd66 100644
--- a/pkg/reconciler/ingress/resources/secret_test.go
+++ b/pkg/reconciler/ingress/resources/secret_test.go
@@ -59,8 +59,9 @@ var (
 },
 }
- wildcardCert, _ = GenerateCertificate("*.example.com", "wildcard", "")
- nonWildcardCert, _ = GenerateCertificate("test.example.com", "nonWildcard", "")
+ wildcardCert, _ = GenerateCertificate([]string{"*.example.com"}, "wildcard", "")
+ wildcardCert2, _ = GenerateCertificate([]string{"example.com", "*.example.com"}, "wildcard", "")
+ nonWildcardCert, _ = GenerateCertificate([]string{"test.example.com"}, "nonWildcard", "")
 )
 func TestGetSecrets(t *testing.T) {
@@ -301,13 +302,15 @@ func TestCategorizeSecrets(t *testing.T) {
 name: "work correctly",
 secrets: map[string]*corev1.Secret{
 "wildcard": wildcardCert,
+ "wildcard2": wildcardCert2,
 "nonwildcard": nonWildcardCert,
 },
 wantNonWildcard: map[string]*corev1.Secret{
 "nonwildcard": nonWildcardCert,
 },
 wantWildcard: map[string]*corev1.Secret{
- "wildcard": wildcardCert,
+ "wildcard": wildcardCert,
+ "wildcard2": wildcardCert2,
 },
 }, {
 name: "invalid secret",
diff --git a/pkg/reconciler/ingress/resources/util.go b/pkg/reconciler/ingress/resources/util.go
index 3049fa113e..a34baa3e6e 100644
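Review bot: The loop makes a secret count as wildcard when any host name of its certificate is a wildcard, so a certificate carrying both `example.com` and `*.example.com` is placed entirely in the wildcard category, and nothing in the function says so; a reader could just as well expect an all-hosts rule. Add above the `for` line: `// A secret is a wildcard secret if any host name of its certificate is a wildcard; the first isWildcardHost error aborts the scan.` The rewrite also turns an empty hosts slice from an index panic on `hosts[0]` into `false, nil`, which looks intended but belongs in the same comment because where hosts comes from is not in the hunk. isWildcardSecret's signature and the derivation of hosts and err precede the hunk.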
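Review bot: wildcardCert2 in the first secret_test.go hunk is created with the same secret name "wildcard" as wildcardCert, so the two fixtures are told apart only by their host lists, and a TestCategorizeSecrets failure that prints the secrets would not show which one was misclassified. Unless another test keys on that name, give it the name its map key already uses in the second hunk: `wildcardCert2, _ = GenerateCertificate([]string{"example.com", "*.example.com"}, "wildcard2", "")`. Listing `example.com` before `*.example.com` is what exercises the regression this commit fixes, so that order should stay.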
--- a/pkg/reconciler/ingress/resources/util.go
+++ b/pkg/reconciler/ingress/resources/util.go
@@ -51,7 +51,7 @@ const (
 RouteNamespaceLabelKey = ServingGroupName + "/routeNamespace"
 )
-func GenerateCertificate(host string, secretName string, namespace string) (*corev1.Secret, error) {
+func GenerateCertificate(hosts []string, secretName string, namespace string) (*corev1.Secret, error) {
 priv, err := rsa.GenerateKey(rand.Reader, 2048)
 if err != nil {
 return nil, fmt.Errorf("failed to generate private key: %w", err)
@@ -79,10 +79,12 @@ func GenerateCertificate(host string, secretName string, namespace string) (*cor
 BasicConstraintsValid: true,
 }
- if ip := net.ParseIP(host); ip != nil {
- template.IPAddresses = append(template.IPAddresses, ip)
- } else {
- template.DNSNames = append(template.DNSNames, host)
+ for _, host := range hosts {
+ if ip := net.ParseIP(host); ip != nil {
+ template.IPAddresses = append(template.IPAddresses, ip)
+ } else {
+ template.DNSNames = append(template.DNSNames, host)
+ }
 }
 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
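Review bot: GenerateCertificate is exported and carries no doc comment, and the switch from one host to a []string makes the contract worth spelling out on the signature line: `// GenerateCertificate creates a fresh 2048-bit RSA key and a self-signed certificate whose SANs cover hosts (IP literals become IP SANs, everything else a DNS SAN), returned as a Secret named secretName in namespace.` The self-signed part is visible in the second hunk, where the template is passed as its own parent to x509.CreateCertificate; how the key and certificate are placed into the Secret lies after both hunks, so that clause should be checked against the rest of the function.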
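Review bot: With the new loop an empty or nil hosts yields a certificate with no DNS or IP SANs, and the function goes on to sign and return it, whereas the single-host version always had one name; since the fixtures in secret_test.go feed these secrets to the wildcard categorization, a nameless certificate is most likely a caller mistake. Unless some caller relies on it, reject it before the loop: `if len(hosts) == 0 { return nil, fmt.Errorf("no hosts given for certificate %s/%s", namespace, secretName) }` (fmt is already used in the first hunk). The enclosing function starts in the previous hunk and ends after this one.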