Feat/transport server sni (#6605)

* commit poc

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* remove build errors

* fix go tests

* fix example readme linting

* fix tests

* remove unnessary changes

* update snaps

* tls passthrough example lint

* fix tests

* fix test

* add new snapshot test, fix makeServerName function

* add test for makeServerName function

* add go tests

* change c.listeners to c.listenerHosts

* fix non tls passthrough hosts being added to tls passthrough template

* more go tests

* add python tests

* add listenerhost tests

* add docs

* fix validateTSHost logic

* remove unused function

* Apply suggestions from code review

Co-authored-by: Alan Dooley <[email protected]>
Signed-off-by: Jim Ryan <[email protected]>

* test undo enumeration

* change numbers to headings

* make changes from code review

* bash to shell

---------

Signed-off-by: Jim Ryan <[email protected]>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Alan Dooley <[email protected]>

Author: 3 people

examples/custom-resources/tls-passthrough/README.md

@@ -46,8 +46,9 @@ You can see how the Secure App is implemented in the `secure-app.yaml` file.
 
 1. Save the HTTPS port of the Ingress Controller where TLS Passthrough is enabled into a shell variable:
 
-    ```console
-    $ IC_HTTPS_PORT=<port number>
+```console
+IC_HTTPS_PORT=<port number>
+```
 
 1. Save the HTTPS port of the Ingress Controller into a shell variable:
 

examples/custom-resources/transport-server-sni/README.md

@@ -0,0 +1,110 @@
+# TransportServer SNI
+
+In this example we create two different TransportServers that listen on the same interface, which are distinguished by their Host field.
+The applications (a TCP echo server, and MongoDB) will be accessed via `ncat` and `mongosh`.
+The `ncat` binary is available via `nmap`. On mac/linux this can be installed via homebrew/linuxbrew with `brew install nmap`
+`mongosh` installation instructions are [available here](https://www.mongodb.com/docs/mongodb-shell/install/).
+
+## Create a GlobalConfiguration resource with the following listener
+
+```yaml
+listeners:
+    - name: tcp-listener
+      port: 7000 
+      protocol: TCP
+```
+
+## Add a custom port to the NGINX Ingress Controller pod with the Helm chart
+
+```yaml
+controller.customPorts:
+    - name: port
+      containerPort: 7000
+      protocol: TCP
+```
+
+## Add a custom port to the NGINX Ingress Controller service
+
+```yaml
+controller.service.customPorts:
+    - name: tcp-port 
+      port: 7000 
+      protocol: TCP
+      targetPort: 7000 
+```
+
+## Use `kubectl` to create the cafe-secret, and mongo-secret. These secrets are used for TLS in the TransportServers
+
+`kubectl apply -f cafe-secret.yaml`
+`kubectl apply -f mongo-secret.yaml`
+
+## Create the mongo and tcp echo example applications
+
+`kubectl apply -f mongo.yaml`
+`kubectl apply -f tcp-echo-server.yaml`
+
+## Wait until these are ready
+
+`kubectl get deploy -w`
+
+## Create the TransportServers for each application
+
+`kubectl apply -f cafe-transport-server.yaml`
+`kubectl apply -f mongo-transport-server.yaml`
+
+## Ensure they are in valid state
+
+`kubectl get ts`
+
+```shell
+NAME       STATE   REASON           AGE
+cafe-ts    Valid   AddedOrUpdated   2m
+mongo-ts   Valid   AddedOrUpdated   2m
+```
+
+## Set up /etc/hosts or DNS
+
+This example uses a local NGINX Ingress Controller instance, so the /etc/hosts file
+is being used to set cafe.example.com and mongo.example.com to localhost.
+In a production instance, the server names would be set at the DNS layer.
+`cat /etc/hosts`
+
+```shell
+...
+127.0.0.1 cafe.example.com
+127.0.0.1 mongo.example.com
+```
+
+## Expose port 7000 of the LoadBalancer service
+
+`kubectl port-forward svc/my-release-nginx-ingress-controller 7000:7000`
+
+## Use `ncat` to ping cafe.example.com on port 7000 with SSL
+
+`ncat --ssl cafe.example.com 7000`
+When you write a message you should receive the following response:
+
+```shell
+hi
+hi
+```
+
+Close the connection (CTRL+ c), then view the NGINX Ingress Controller logs.
+
+The request and response should both be 2 bytes.
+
+```shell
+127.0.0.1 [24/Sep/2024:15:48:58 +0000] TCP 200 3 3 2.702 "-
+```
+
+## Use mongosh to connect to the mongodb container through the TransportServer on port 7000
+
+`mongosh --host mongo.example.com --port 7000 --tls --tlsAllowInvalidCertificates`
+
+```shell
+test> show dbs
+admin   40.00 KiB
+config  60.00 KiB
+local   40.00 KiB
+test>
+```

examples/custom-resources/transport-server-sni/cafe-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUY1ekNDQTgrZ0F3SUJBZ0lVR2dXT0JNTkR2TXNWOGY3OWc0MlpSZy9KaWc0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZSXhDekFKQmdOVkJBWVRBbGhZTVJJd0VBWURWUVFJREFsVGRHRjBaVTVoYldVeEVUQVBCZ05WQkFjTQpDRU5wZEhsT1lXMWxNUlF3RWdZRFZRUUtEQXREYjIxd1lXNTVUbUZ0WlRFYk1Ca0dBMVVFQ3d3U1EyOXRjR0Z1CmVWTmxZM1JwYjI1T1lXMWxNUmt3RndZRFZRUUREQkJqWVdabExtVjRZVzF3YkdVdVkyOXRNQjRYRFRJME1Ea3kKTXpFd01EUXdNVm9YRFRNME1Ea3lNVEV3TURRd01Wb3dnWUl4Q3pBSkJnTlZCQVlUQWxoWU1SSXdFQVlEVlFRSQpEQWxUZEdGMFpVNWhiV1V4RVRBUEJnTlZCQWNNQ0VOcGRIbE9ZVzFsTVJRd0VnWURWUVFLREF0RGIyMXdZVzU1ClRtRnRaVEViTUJrR0ExVUVDd3dTUTI5dGNHRnVlVk5sWTNScGIyNU9ZVzFsTVJrd0Z3WURWUVFEREJCallXWmwKTG1WNFlXMXdiR1V1WTI5dE1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBbjkvZwpkMml5NEZyaGNtS3ZXQTVHZXFiS1c5WU1xeml6Vm4yRExkd215enkvS2FUdTdtUlkvUWRsTkxHaVhIM1NEa0FkCkhtZFJEK0Zob1ZHaWxoTjEzcTI0azdyRSt6dk1iMlRqdnBnMmVLYVd1dDBHaGQ3V3l3TnpIUU9WcWJCM2o2U2QKSE1sNlJKK25ERHo2Yi9adkRiNm9nQjBucUowZjBWN0tBMHFFalYxVld2dXI4YVZpVlVxK0tBOVMveEdJMHZSSwo2NE9BS2xIUUF4a2xGWWhheHVjcWRsS0owQlRXekE0Z0gzUTZlQi9CRjNOMTJDQjgrMVEzZG54bU5TVnpLbXp1CmJYdm1jK1RPUjg0V3ovemlaMTl1K3RuRHg2aklNajZZQXd2M0tzSVlYbmV1ZEgycUZKRG5FMmZwYjNnZzRxbm0KQnduY0ZlU1poY09nZWdnR1RmKzRTc3YwRUNuamNNdXhteTEwMTNwY0h1a2prTUNmVGJsUGZTU0NNS24rVnlGZQpUNzlSeUkxM3hmL0JXOSt0aTFad1IwYVpkWk5jV1R2Um53R1M1bWhnelJXclhRUmdJQlVVVjk2N3cxRVVONDJVCkE3ZjBVSzZlYks5bExBMnNZWmJJSWUrbllRY1d1OVRuNXo5YnVwK2w3aU5hUDYxWXdwWGdrUTFyNHlSamhMeUEKajVha1Z5VnROYzZmSWltaXlWV0Y1QzBaZnNIYzF3cUpLb2lXQzBtT1dyNEVRSVorRkY2WC9FRytSMmhodjZkQQpGcndpd3BHUE9kWkROQzNqNFBqVzVreWlYMlh2Vm1RWTUvbkxNdFpUaFF6VHpadG8zT3M4d1RsRjFyQlZkd05iCi9zNTh2dnlTQitsYk5Sd215TEErQVYvOGQ2L2VNcGZjS0ZyYU85OENBd0VBQWFOVE1GRXdIUVlEVlIwT0JCWUUKRktEejZlREZLaC93ZDVLTHpPMXpCMDR2UGVRSU1COEdBMVVkSXdRWU1CYUFGS0R6NmVERktoL3dkNUtMek8xegpCMDR2UGVRSU1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFKQnd5WVlyCllXa3RvRGJPYlpHRUFXT0lEcjFTb3NWRDVIRXdkazV6ZTJuT05oQXFHVWszOHpUT3V1VVZRNk5lT1c1UWtML3oKVTFUa3dwUlNFNjFpbVZHOUdjYWY5ampkSjd5VGhsOGpmZXUyWTF4RHo1OUpmbWJ1WUo2SGE4ZmR4STAxQXZ3RgoxaERYY1ZEcTZoalhhb0pKMVZta1NiTEJPc1JXaGVzWGl1K3FiN3NSOUhlZmJmaTUxandQb2NFblE4YzNiWXF5CmpIRkwxS1JJekIyR2VYVGk2WngwN2lqcDZIeGJSQUFEWnBuRGN0blM1UVQvTGFoYklIZVNNTExMK21vdnUrSUgKTVgwQmtaYmJjRk94L3d2ZlN1SXdveEVXR1RjVGJIYnJGanVUUDRkalpPdFhybElSK1RJTmRiaFhaMm1XZVdHbgpRa0tkcyt4a3puNzNZbG9xZCtPZGZ2d1dJYXVFYktuaXdQUk01NHZqK0dnbndiWmZNWXpnY292cE5BYzZjMmlmCkNNdHlHWDBUREptSjRVWC9FaFFSYTArSURMbFZTMWc2Y3IxWmVQM1N1MWpkSnhBSFVwUjZwSVYrWGdsTENDdGYKQXdDUW9BUWtUeXkyb0Y1Z0hWOGVuc28zVE15cmI5R1NBWDF0UEdJL080L3VCRDBqRzQ4anZsZEI3dzZKbjdmSwoyS21DWnIwYlRDdU9vWnVuZHA3OHA2R1ozb3lVOXBxcTFTUmU0MTdjSlVuNzR3S05TTkd0U0xTNm9OZ3FQQ2h6Cm9ZTy9zK0NHL295c0JUcTBma2VBYXdMZ2oxVG9ybGNsaEt6M05uWUtLZmhDVFBLTDVVUFZLNjVXQ3V2djlSVWgKVUZvM2F2TnhhSmpWUEY4V0FVUnRZem82bXBadFRITm53ZkJTCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRQ2YzK0IzYUxMZ1d1RnkKWXE5WURrWjZwc3BiMWd5ck9MTldmWU10M0NiTFBMOHBwTzd1WkZqOUIyVTBzYUpjZmRJT1FCMGVaMUVQNFdHaApVYUtXRTNYZXJiaVR1c1Q3Tzh4dlpPTyttRFo0cHBhNjNRYUYzdGJMQTNNZEE1V3BzSGVQcEowY3lYcEVuNmNNClBQcHY5bThOdnFpQUhTZW9uUi9SWHNvRFNvU05YVlZhKzZ2eHBXSlZTcjRvRDFML0VZalM5RXJyZzRBcVVkQUQKR1NVVmlGckc1eXAyVW9uUUZOYk1EaUFmZERwNEg4RVhjM1hZSUh6N1ZEZDJmR1kxSlhNcWJPNXRlK1p6NU01SAp6aGJQL09KblgyNzYyY1BIcU1neVBwZ0RDL2Nxd2hoZWQ2NTBmYW9Va09jVForbHZlQ0RpcWVZSENkd1Y1Sm1GCnc2QjZDQVpOLzdoS3kvUVFLZU53eTdHYkxYVFhlbHdlNlNPUXdKOU51VTk5SklJd3FmNVhJVjVQdjFISWpYZkYKLzhGYjM2MkxWbkJIUnBsMWsxeFpPOUdmQVpMbWFHRE5GYXRkQkdBZ0ZSUlgzcnZEVVJRM2paUUR0L1JRcnA1cwpyMlVzRGF4aGxzZ2g3NmRoQnhhNzFPZm5QMXU2bjZYdUkxby9yVmpDbGVDUkRXdmpKR09FdklDUGxxUlhKVzAxCnpwOGlLYUxKVllYa0xSbCt3ZHpYQ29rcWlKWUxTWTVhdmdSQWhuNFVYcGY4UWI1SGFHRy9wMEFXdkNMQ2tZODUKMWtNMExlUGcrTmJtVEtKZlplOVdaQmpuK2NzeTFsT0ZETlBObTJqYzZ6ekJPVVhXc0ZWM0Exdit6bnkrL0pJSAo2VnMxSENiSXNENEJYL3gzcjk0eWw5d29XdG83M3dJREFRQUJBb0lDQUNkQmRZQmNlTytWNFIyUkZiVHRiR2paClkzN0JSRU1XblJKenB5NHZqR2NDOTMxbVBqVFM5dmJLUmhOMk9vT3pjVXlHZVovcGhvSDd1VmsvRGtrRFprSFQKTGlzNEJQNGJaTXRGWHBhQ0VYMzJpYlJBYVVXZHZlZ0RaTlNPK01TOXk5MjljY2FMd2pYdmJia1hqL2JGNytiVQpGZE8vVk9tV0N5WUJ2R0NxZjNtbW5UckY2U1pna1pDWDFiRkljZnluZFkwMjV0NkZYNGNFcDZyYkZidi95eXBqCndJMWxIdW0wOURrT2p0eXFVV0VGaXdnVEZiQ0g2YWhjdVhHaWdnWXl0K0NHOXRSelE5YlpLNzE5NFNRWTJBN0IKNUNJOExsSnNJeHdUT29naysvL0h3T3dSUHdqamdrdWllTnJPL1FhZDNKVkxXbXdJQTc1c2J6WGxIeFpYdWhReApFZTlTTVNaRE5JMGMvcGdDVXloL2h5Y3ZYWVJKb1dIMnZYTDYzL1EyRWJVVVZVcXpzcEpjV0xMbkhSSFdBQjZQCmtPb0FMeEs2M3lpQTU5KzREQ0ZZMGM0dXd4WHM5YnZlVWk5UUdxaUtoZkFaNmE3Ymh4ajNvRWIvRDZ0dWZKb1QKMnIxUXFKTlJ4N0RzMmJUc3J6SEgyYmVKR0R4bFJ4djdaNmdSTzdHd2lrU25veDlMcnY3YzMwUHp0WjZENXhwQwpoVHdmM0VpRWlrZ2pOM1FGd2RaUXVqV3RxWXQ1UWVGYUxpL2Q3VXZteFdZNWcrWTYyQnFkNnBpWFFJSlFVbDZUCmZmU0U2OEYvZWF6QnhPQm9INUMvWWcrd1kyVEpTb1BzK3NFUUtnYlNJTmRQNHU4N3FiQ056YWZ4WjFySTN1dmgKR3NZTWpSbm50c3RKamJXVEJkakJBb0lCQVFEZXpsY3dVNFJYbnhKVENSTjFQZUx1UHI2aXFnc09uY1lRRXNuTgpZemdwOXF6eC9SSTJodGZCYnN6TkM2RUZ3eDBDZy8wRnpRbVhqWEQ3VmhQS0UrOHBXMmQzNTg4YTBwU0xSbFBOCkprUnFxR2ovbzhIaEtmTGdCYy9BSGU3dkJEZG1UTXh1d0o1SmFmMWZ3OGtxNEJyRXROTi83SVF3MkNYcFNIK2MKSEhSZnBTM1JidDArbW9xK2RTRW1pU2h3UGgxL2FJbng4ZnBKbTFmaU1QdXhvYStzOXNUVmQ3Ky9GSjdIaWNZSApSQThQRHdQT2RMQ2loQlZFT3liSkduTlpaSFhYQTA4MThhNnpjdjU2aUM2VGZzSkhWZUg4a2Nma1IzblI4eTUvCkx2MnI1QzVaZWJlbW9ZaVhBTC9sVnZ0QUNGMXE3UW1zdlRkQ2R3R1lvaXBMbksvNUFvSUJBUUMzc1YvcFFOVlEKSjNsZExFem9OVUdBZWFwL0NNU2tuY0lUUXNnMUI3SDJHclIyR201VGNuVGE0SE5Rbmt3a2h3YUxyTUlmVDFXZAorMFVvR3M5ZXdyYkZERWtKR0MxQVd2RmFIREk3Q3NOYUFUM2FWYTE5R1ZRWFg2NnkrWEF2QXFTOXpOU25id0J0CnM5UDFFVURwMko1SGtyNlVLUHZjSnY3Q0MyR3J5emZaTy85MFpTTlFQUXdKMXFqZ2NNOUJpMlBYSkE0OENldnMKK3RvaGFqUWFIMStVY0VqNkQ0SHhoQ1RtcTBxM2YvdFNudk9iaTNOYklEWjNEWmR4ejVPelJSVmpLNWlSOGZDNQpzSVVKckxCSXRZeWpUeHAzTzROUmRFaHhzamdBZTZrSTV2dm95RVAvRFZwTFlQU0s3cFpoVjJ4YUpXUkZUUVZzCjhrKzZDbGduWGZDWEFvSUJBUUM5QjY4dFR3NHZFTVNKTW1BUnprbWovQlBkQ2d1TGdRd3pRdDEzcGNCV3lmUDgKOHNycS9BZzlFbllyV0x4cW1Sa1pzMFdPRUdFYzlXRnZ1NTNhaW9NVVFYcE5YcHgxazBkM3lsajY2b2FOUHdpbQpLeGNvbzJCdDlFQklMSjAwcUEwZ2UvUE4yeG53Q3o1dWF6dFhadjhPK0tPZ0d0Z2tZSjM1aUFyTU5jLzkvYlFiCnhjVnJnYzVJdkRNOThJd2dmbktrVDlzSkxGVSs4YzdrRnM3VDYrdVNBV01LQVNqclF1RmJSV1ovYjV5ZkdBd1EKc3l2UkZlSzlHcnBUVUYrZzdmeVVTVGlBK2VWUVZqWFZXNGk0bG9qWjRPRjBXWEtRR0p3Z0pnUEMzK2xVVnFtRQpQQ0kxKzBKWmFzZGtHaUhjTjd5YUpUVmFHc2F4V3lvOWh3Zi9VcFp4QW9JQkFDQ0hDem5ObmpoTVZTUlhsT0xGCmsyekJucHhTSENnZU8yQ1h3Y1lLTDh3cG5HMFJieG5kdWEyTWN6OENXTzlhN2FETUhhL1hwNHlMRXdydi9HcUcKUmtFTVZONkVabmJ2NDY4V01ScmRaQXhMRGYzY2tCVUg2Q2tmYTFzTDZuNllsRDE3eU9oQk1xMDZXNzBZcWdyKwpyY0IwenNTRG9WMnhsZ2tjWk5ZNzdRN05uZ1dwWnlCdFB2VjdDbnA3MzJkMjNGNGJaMTNnVCtPdDQvUm96d01WCkxTS200M1ZNUzdGTnVnOFNvKzlzZlQ5N0lCNGFDbnBIY1AyUjdaQmN0b1hYSk50anUrZVVGUkY4bllKQ0R4RkEKL0w5cVlZQmRqSHBmQWZrSUd2eVM2VExIWERJelREOGN5VEZ4NEx1OVZlbTB4bDRNSXY1V2pqQmxsQktZaEZXcwpQODhDZ2dFQkFKUjR5UUIrREtoRE1ZOGlHOXpYWUJpWmZ5MFI2c21oeEJycTREZWd4cElkajBydHUyMFNuWDdsCnN3YlZsN2NmdWRxUi9tVEhnZ1lYeGJSS3UxUXhmN3NHTW4zWVpRY1AxZDVJelFMOWZFQitidGJsdWY5VTB4NDIKUzM0U0l6Z25pd0hPQnN3M2ZLYm1Gbnc1dmtNd2RoemlBT1R0elRwcmU3ckdhaEpwZlk0eFRWWjZpK3pjQ1pCWgo0ZHhSTjlQWnBiQm4vNmJDTFY3S0I3ZmY0Uk04b3c3K1l4aHFFTFhxcnVQS2paMnRRSWs2M2hzZklMd0tiRWIrCkhEM2VLZEhNc2hhbXFXZzI0NnlORW5nQUZCQzhoVU5kQ0pmeUthUlhkSlV5eDhqcWlKM3ErdnpnNFBieUhqeW0KZEQzM2pVT2UwdHdoSWJxKytUaXZCa1ptSDBsSStnVT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: cafe-secret
+type: kubernetes.io/tls

examples/custom-resources/transport-server-sni/cafe-transport-server.yaml

@@ -0,0 +1,17 @@
+apiVersion: k8s.nginx.org/v1
+kind: TransportServer
+metadata:
+  name: cafe-ts
+spec:
+  host: cafe.example.com
+  listener:
+    name: tcp-listener
+    protocol: TCP
+  tls:
+    secret: cafe-secret
+  upstreams:
+    - name: tcp-echo
+      service: tcp-echo-service
+      port: 7000
+  action:
+    pass: tcp-echo

examples/custom-resources/transport-server-sni/mongo-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUY2VENDQTlHZ0F3SUJBZ0lVTGRHUktVc3FrZktiV1JheWwvaTdrSkVvWnRjd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZTXhDekFKQmdOVkJBWVRBbGhZTVJJd0VBWURWUVFJREFsVGRHRjBaVTVoYldVeEVUQVBCZ05WQkFjTQpDRU5wZEhsT1lXMWxNUlF3RWdZRFZRUUtEQXREYjIxd1lXNTVUbUZ0WlRFYk1Ca0dBMVVFQ3d3U1EyOXRjR0Z1CmVWTmxZM1JwYjI1T1lXMWxNUm93R0FZRFZRUUREQkZ0YjI1bmJ5NWxlR0Z0Y0d4bExtTnZiVEFlRncweU5EQTUKTWpNeE1EQTFNVGxhRncwek5EQTVNakV4TURBMU1UbGFNSUdETVFzd0NRWURWUVFHRXdKWVdERVNNQkFHQTFVRQpDQXdKVTNSaGRHVk9ZVzFsTVJFd0R3WURWUVFIREFoRGFYUjVUbUZ0WlRFVU1CSUdBMVVFQ2d3TFEyOXRjR0Z1CmVVNWhiV1V4R3pBWkJnTlZCQXNNRWtOdmJYQmhibmxUWldOMGFXOXVUbUZ0WlRFYU1CZ0dBMVVFQXd3UmJXOXUKWjI4dVpYaGhiWEJzWlM1amIyMHdnZ0lpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFEUAppQngwMDU3MjB2S2JVMGJsZUNjcTg2N0RJREkzbnZ1VjdiMVhCaEJHOFJ5S1MveDREc2pPYjMwaVZtVm1MR29xCm5WVnk5bnN5VDBEMmhydnE2eUp4VEtBMmtTNFVOd3JJZDBhc3FqSmxITWFpbkNmbmtGLzB4RmwxZERvYUEydncKelZZYnpQd3NBRlQrZGk2cG1hcnFQVFlNditiL0NhQnFib3dBQWFtUjhLemdGRTZDSFNZc1EwSzFEV2xhbmRBOAoxRXlFT0p0dndjQXFjVHVXTXl6eGMzUUx6dmM4Z0hGcG1NdlNEUUtvL2xpbytUYlFaOW1ldXJKTTY0dUVtRThzCmloVDNxREo2OUE0VkpDQWs0cGVmZ0p6cjNnN1ExOTBvVmpwOGtXZ0NIMkl3OHdXUGVjYUVySXFHcmo2YkNzcHUKSHVQaGlaQnB4aDlmOUhmWCt1NHBpNytGU2VPaC8xU0xEdE9qVzAwV256TnFJSGJvSmhLd2MyRXU3Z2xkc2VNdgp5a0VQbWtKNDkyNXN1Rmsxc3U5RWdDeDBhM1JwWCtxNERsSjFHaEl6QUJja0hOVXplUXJWVGdYTHkwdk1wZGdCClVXU3hkMWdGdGM2ZGp6WEoxZUxwcEVPaEtQdmQrVWN2eEpPb2NLekx3a1BGNmNueVl2NElFUnFZWE9UUktlNFcKamFKR05xWisvNGRJQXh4M0UxamtyZUR0UUNzMVByaFBLaGpVdVlKaVI5UFFsdEFUa2w4MXQ1NzEyeDExYUQ0SgpNMWRsOXdoSUlNcjFoQzF6Wms5SkZXdkluRytCTEdBY3d4cjduY2pLTEpzcjBpS3R2aFEzbndWdG9GWnlzWERCClBBdU5QclFMM0JaT3JKanpvV3FJdU5lNVRqY3FiTG9WREx2NzMwMytXUUlEQVFBQm8xTXdVVEFkQmdOVkhRNEUKRmdRVVpjTjdpUitRNGkrb3U2YS9aR01JUXQrRWJRY3dId1lEVlIwakJCZ3dGb0FVWmNON2lSK1E0aStvdTZhLwpaR01JUXQrRWJRY3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FnRUFKYVRXCnFENnEyRm51RmtJcmJIbkxPdFdFTDUxTC9QMncyUWZqMTcrSWlJeDRNd3hzS082ZEtHbUdlazY2Sy9sSjdBaEIKWngyRkFiOFdERmpPeVFtL3Axc1lQME82L1RyUzYrYjRlbndaR3p3YXVoVWdXR0M3djByRlp0VnNMNm5pdGJkMAp6VExGZ1V6QkJHR3cwZ3E2ekF4ZG5BNXo1VkFyYjhzcGZFNzZ1Q1FWbEdYVXhua0Fka2FYVXlOYXU1YXo0VW1WClMzRjIvaG53RG5XYUpZUmxqMTJ2SFYxWmxiamwxMzE3Uk0rRHZMSkRwV29JTkdzRzd0SG9pTGQ1dXJJeWYxZ0oKZXdJN1FXYTQ5UE1MWCszYnNSbjQ4dnJZUGxqWGcvdkhqYlZvUWlzMmFCak1sSDNCczdMVGVvVWZqVERsU2c3cApHd3ZzaW41dWJPZFAvTGRrWllaTFhiMWkvT1E3cjFpZTJ3OTQyd1RZT3NKRk5QVlB4N3JPV1BNeHd0Q0tUeE41Ck5URXFPM0F5dXZpUW9tRVhhL1RyL2xybnFSWS8rcXNpL2J2d01QWWlIS0RiTmJMM1NQaSt4bmU0Y3NxQ0d5L3QKMGVsaHVYVHpDTXUvcXdvM2ZNVXc4VFBBMXcvOEZTMWh4ZWkzY0JhL3VxQzFPS2s3aDRTLzJocXljaFd5ekhIRApMNUdob2RGZ0NkVTZaSUZJSnJzQS9uQ09maGZWUXJJMFRRZWlMSHR6OXd0T2tWTXhPeWRpcGpVMEgySjErRElwCi8vQzUrM2FpNWlxTkZnUTNZNEp5SGFlYmh3NW5lcjh1U3JmN3NnMit1a1dVU0QxamhnRVQxVWEzTTNUeG00bmYKNXhXOFV1aTFDYjVMdEM2clgvV1A4SG4veTJid2Iyc0swMGJYb1Y4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRRFBpQngwMDU3MjB2S2IKVTBibGVDY3E4NjdESURJM252dVY3YjFYQmhCRzhSeUtTL3g0RHNqT2IzMGlWbVZtTEdvcW5WVnk5bnN5VDBEMgpocnZxNnlKeFRLQTJrUzRVTndySWQwYXNxakpsSE1haW5DZm5rRi8weEZsMWREb2FBMnZ3elZZYnpQd3NBRlQrCmRpNnBtYXJxUFRZTXYrYi9DYUJxYm93QUFhbVI4S3pnRkU2Q0hTWXNRMEsxRFdsYW5kQTgxRXlFT0p0dndjQXEKY1R1V015enhjM1FMenZjOGdIRnBtTXZTRFFLby9saW8rVGJRWjltZXVySk02NHVFbUU4c2loVDNxREo2OUE0VgpKQ0FrNHBlZmdKenIzZzdRMTkwb1ZqcDhrV2dDSDJJdzh3V1BlY2FFcklxR3JqNmJDc3B1SHVQaGlaQnB4aDlmCjlIZlgrdTRwaTcrRlNlT2gvMVNMRHRPalcwMFduek5xSUhib0poS3djMkV1N2dsZHNlTXZ5a0VQbWtKNDkyNXMKdUZrMXN1OUVnQ3gwYTNScFgrcTREbEoxR2hJekFCY2tITlV6ZVFyVlRnWEx5MHZNcGRnQlVXU3hkMWdGdGM2ZApqelhKMWVMcHBFT2hLUHZkK1VjdnhKT29jS3pMd2tQRjZjbnlZdjRJRVJxWVhPVFJLZTRXamFKR05xWisvNGRJCkF4eDNFMWprcmVEdFFDczFQcmhQS2hqVXVZSmlSOVBRbHRBVGtsODF0NTcxMngxMWFENEpNMWRsOXdoSUlNcjEKaEMxelprOUpGV3ZJbkcrQkxHQWN3eHI3bmNqS0xKc3IwaUt0dmhRM253VnRvRlp5c1hEQlBBdU5QclFMM0JaTwpySmp6b1dxSXVOZTVUamNxYkxvVkRMdjczMDMrV1FJREFRQUJBb0lDQUU3ZDJYNldPMmR1WkE4ZUZ5ZTJRU0JFCkNlcVNUak13QWtrSVYzZCtVT284ejgxSXNqSEg0SXorOW0xNXFzQW82ZEczQjlXUUVPSmVGd0I0MUdvaW9HeXgKSTRPSktaczZEYW1BRm9ZZ2lkVStHY2lMRW1rZ1J5OEQvVUV6QWErSUZGbW5GdTJxdVR4WmhmTkw0MURGbXB1NAoxbFVEQ3B4cVFxR2YwQ2xpZUZnRFFCZEo4RW5uSE80ZVEzZjltRWQ5Q0xsTkxxVGl4RU0wdkx3RVd4SXA4WTd5CmdxdklJOUhFdUJUYW9iNTUva1JOb0ZEYW9IZVR0N0pvSGNFNGxFVTRBb0taR1AzQzJDZzhuaXR2bHAyZDFPUWoKSXI5S0hKUkdMSUFiUU0rOURHc2VGUmtvQ2Jsc0hFS29OVjZZVWlkbWN1WmxhOUYyajBCN0w4b3Q0K3RhcTIzRApYendTSWFrWXBlaFVrYlRrbDJDak9FTHkxaCsrOFYzcFZqak5LdW9pRHhKWTdSSzFMQk9obExlSG5YUzlGY2hGCmVGRVZlb0c2ZlY0QWtFdGJocDJjRExacGF0UWg5ZUNzbmhUT2d2a002WjZ2ZWlTcGpvTUtleGM3bnRVZEJyWFAKQ3lSemVkSEFaaEh5MnBvREFvYU80aW5yOEI2U2VwWlJiaTBPK1ZXQXJkNDJ3UWhXdWZRUFQ1VExVSEoyR3VjeQpkME5wZk9VRXJYT3RVdU11NFNRU2lQbHJ6Ykx3NThrOFdKUVU2TXRGTnpXQ29yTG9TNWVmNU9LclBFYXh3SmhNCnh5Q1FPaWhLQk1SWE1IUXNib2JQZjhOQlJqYVNtK1ZzL0ZpOXdiYnVLZTVpYUhQenB2YVlzMmpqYzcyYWIzMVcKL2V4cUtSQmtEUVQvcmRPSHdJWHZBb0lCQVFEKzdIKzJyM3EwVVMvY0VHalZlSlovdzJXQzJJRCsxNGY3eHdvKwo5V05iWUdyY3NoZTRVSC9JSVpEL3RHQ2MrZ01mSlhTckk5OVhXejZ5Y0p5YXhTdTFsQmxsWEduTk5JM1AwYXpPCmdRc2FjenpjR1JLdk5WTWIyZmJDVEdHR3JVMXZjQVNET1ltZDZha3laemxBaWN4aHI3bStuMWZrLzY1bWFBeEgKTFBleXQwYWMydEdVL293MWJwV1hvRi9OL05QMTRsZ2ZMU2pXQmpWVEQ0bnByenNBU1RsK1hCLzRuK01wUG9CZwo4K2poYW5mUHFDY2MyQW5VMXAvTGZKSDZ6MWJkcHpDNVVQaFF6K2t3a2gwa3Q1cDRQOW5kV3FIWkw1cDlzS1J6Cld3S3pVQld4VjB3VDBOQzRnRlBtYzJaRGpTR0hlSXJLeWx1YVdIS2w4eVcwNGRldkFvSUJBUURRYUdVSlBtT08KQlZzUFROanhTdStzVGg4czNUZFhLUVIwQU02Y0l4UmVrVHpaODg2L3ptUFhlQThsNmROV2c1L0hCTE4rbUllNApnZnV2YWxnMEh5TWI3TC8vbEtYcHpFQTRncVdxU29MaXd4c1JHcUU1NFNud1g3QXV6K0NsT1lTUlNSQXpmeC9BCnE2QS9rOHR6SzN5NVF4Rk5Sc0NFak1GdWY5ak1yWCs0aXU0c3JvZEdUMXkvRE9hZ2twRmphVWZpL2NiaTM4V2sKdVhvK0ZoYmV1Yys0N1VzWjRXWDJSOGg1Uy9sUVhBYkxKU0lwMjlSZy9EK2pZdUllZTZXbk9pdzZWVkRweHhlYgp6RDh3SGVJTHhuRHdZbXprTzVrSG5ZVU5ubUtmWFovU1NpdWpkN0ZvQ1pMZld0R1gzQlFSdVNtRHlQSnBmSTlKCmVtNTl3bkkxVEFSM0FvSUJBUUNBa1l5VCtZcThPSm9YdGhyNVZ2a29kTWJVcUJiZThKci9xOUlLRUw3TWppTTMKTFliekNYNTQxQjBLS2RIME9jK3JQTHZMdUtyaXB2MUhCNjZrREQ5UU0rSmZFYTIydGdPenhYOFBJMXdUT2YxKwowQkp4VlVhV0xHYmNkYU5XUmo5Z3JiRkk4WkxybHJZajJwV3diQTh0VVhBdnFMT3VwaGt5UXRXMmJBSjlHeHc4CjdjdDRCcTEySVZESENUWm9jRlFDbGVaMXl0UG1wWGp0YkUvVkVQQ0Q0MnBneFZ2R2kvVUlqeUkyUTYyM1NuZ2sKdmgwRDJoMlRQNitWOUR5M3J5eVRXOGdpSHFrdU1MM2VKa01XaXBjWWdMT0RoVHROaTBteWpJMVVOSmwzRURQdwpuaU9iZHR4ZHdUTVBiaklzYlpoMGQ2SWdSdERPVmo5MFhONHVqUnkzQW9JQkFFNTRRREt1endWV2R1Ylg1SWRWCjA5Qm95Y3cycnZPZWVoTERpd2UzSGFCTnh6KzVVUXRmUnJDR2dBMmljUFNPTXNiWXVremNXWjNiTTB6bEdiam0KVUczZlFwdVUrTE9ET0ZzT3RobmNYRlBOYW8rU0cwcVR3UnJFcksyemo3NG1YZ2ZtSHJlRkVndVZrNHpjdFNuMApJYzRQdHFBR0Y4N1F3TFErWnY4S0JLRVRqb0k4WktyUWp2ZFFnRFhOZWZpWVYzemNXTnBycnh0S3l3QTlpUGJyCnQ0N0ZxaFZnak9laU41V1VTWmM4VDBLR0JNc0YvbjFWL1JBajEwZnEvb0Jzb3VLRDVTZGcwejdTTktpRlYrdGYKR0g4cVVCM1BZdHMvTUMza2lQWEFac0RqTkhNa1NpUUdGc3NLZ3doTzBTK3JMRHAybXUraytyNkwzclp6VkZWRQovaGtDZ2dFQUxpdGI5U29mLy9HenBpcmpTMW16SXNRWUxBWW9ETkZGNE5wYzV1Q0pDWEJJTmVFQnl4YlVzZFRVCkRyTnZ2NG1oNTF5SU1WVHVuM3MzKzFUU25lVjZwdjlIS3JicTlEdU85YXBUOFZnV1E5ZGU5YkVaU0lLVG5iVE0KcUVoLzNIelpKcmNRWjMxWEdTZm5NN0NsVjdPQWM4bVNiT3M4NDlGLzg4UEg0Y3VrYVRWNmZPUnFOaW54RXhuZQpqbnk3ajUxT01aWTQ4TVIvaGJhOVk3QWM3TE1Ec0pQdFZ5cStBemU4ODRreU5ZV2dtZHJHanBaVnhLeDQzMjFJCmhXM1NUam9SZEZBMFVCdENyT2ZUalF0cThPQzZqL1QrYWdwa0g2VjFQVkw3Y29PbjREU2RIb1RqdnJFZ0QrYTgKVzY1ODFvdHdha2tMK0FGalU0MkVHaTkxWnJLSUx3PT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: mongo-secret
+type: kubernetes.io/tls

examples/custom-resources/transport-server-sni/mongo-transport-server.yaml

@@ -0,0 +1,17 @@
+apiVersion: k8s.nginx.org/v1
+kind: TransportServer
+metadata:
+  name: mongo-ts
+spec:
+  host: mongo.example.com
+  tls:
+    secret: mongo-secret
+  listener:
+    name: tcp-listener
+    protocol: TCP
+  upstreams:
+    - name: mongo
+      service: mongodb
+      port: 27017
+  action:
+    pass: mongo

examples/custom-resources/transport-server-sni/mongo.yaml

@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongodb
+spec:
+  selector:
+    app: mongodb
+  ports:
+    - protocol: TCP
+      port: 27017
+      targetPort: 27017
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mongodb
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mongodb
+  template:
+    metadata:
+      labels:
+        app: mongodb
+    spec:
+      containers:
+      - name: mongodb
+        image: mongo:latest
+        ports:
+        - containerPort: 27017
+        volumeMounts:
+        - name: storage
+          mountPath: /data/db
+      volumes:
+      - name: storage
+        emptyDir: {}

examples/custom-resources/transport-server-sni/tcp-echo-server.yaml

@@ -0,0 +1,36 @@
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+   name: tcp-echo-server
+ spec:
+   replicas: 1
+   selector:
+     matchLabels:
+       app: tcp-echo-server
+   template:
+     metadata:
+       labels:
+         app: tcp-echo-server
+     spec:
+       containers:
+       - name: tcp-echo-server
+         image: alpine
+         command: ["/bin/sh"]
+         args:
+         - -c
+         - nc -lk -p 7000 -e /bin/cat
+         ports:
+         - containerPort: 7000
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tcp-echo-service
+spec:
+  selector:
+    app: tcp-echo-server
+  ports:
+  - protocol: TCP
+    port: 7000
+    targetPort: 7000
+  type: ClusterIP