From 0980f320443e902cee32e19eac623f8797e08817 Mon Sep 17 00:00:00 2001
From: mohamed abdelrhman
Date: Thu, 2 May 2024 18:08:17 +0300
Subject: [PATCH 1/2] fix:tls configuration for letsencrypt and secret
---
 api/handler/endpoint/handler_test.go | 5 +++++
 api/handler/setting/handler.go | 14 ++++++++++----
 api/handler/setting/handler_test.go | 14 +++++++++-----
 api/handler/user/handler_test.go | 5 +++++
 core/setting/service.go | 4 ++++
 k8s/tlscertificate/service.go | 10 +++++++---
 6 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/api/handler/endpoint/handler_test.go b/api/handler/endpoint/handler_test.go
index dd90c58..9994980 100644
--- a/api/handler/endpoint/handler_test.go
+++ b/api/handler/endpoint/handler_test.go
@@ -83,6 +83,7 @@ var (
 settingConfigureDomainFunc func(dto *setting.ConfigureDomainRequestDto) restErrors.IRestErr
 settingIsDomainConfiguredFunc func() bool
 settingConfigureRegistrationFunc func(dto *setting.ConfigureRegistrationRequestDto) restErrors.IRestErr
+ settingGetDomainFunc func() (string, restErrors.IRestErr)
 settingIsRegistrationEnabledFunc func() bool
 settingConfigureActivationKeyFunc func(key string) restErrors.IRestErr
 settingGetActivationKeyFunc func() (string, restErrors.IRestErr)
@@ -90,6 +91,10 @@ var (
 type settingServiceMock struct{}
+func (s settingServiceMock) GetDomain() (string, restErrors.IRestErr) {
+ return settingGetDomainFunc()
+}
+
 func (s settingServiceMock) ConfigureActivationKey(key string) restErrors.IRestErr {
 return settingConfigureActivationKeyFunc(key)
 }
diff --git a/api/handler/setting/handler.go b/api/handler/setting/handler.go
index ebd114c..d021107 100644
--- a/api/handler/setting/handler.go
+++ b/api/handler/setting/handler.go
@@ -106,7 +106,7 @@ func ConfigureDomain(c *fiber.Ctx) error {
 }
 //configure lets encrypt
- restErr = tlsCertificateService.ConfigureLetsEncrypt(setting.KotalLetsEncryptResolverName, userDetails.Email)
+ restErr = tlsCertificateService.ConfigureLetsEncrypt(dto.Domain, setting.KotalLetsEncryptResolverName, userDetails.Email)
 if restErr != nil {
 logger.Error("CONFIGURE_TLS", restErr)
 sqlclient.Rollback(txHandle)
@@ -148,8 +148,14 @@ func ConfigureTLS(c *fiber.Ctx) error {
 if restErr != nil {
 return c.Status(restErr.StatusCode()).JSON(restErr)
 }
+ //get domain
+ mainDomain, restErr := settingService.GetDomain()
+ if restErr != nil {
+ return c.Status(restErr.StatusCode()).JSON(restErr)
+ }
+
 //Sets LetsEncrypt static Configuration
- restErr = tlsCertificateService.ConfigureLetsEncrypt(setting.KotalLetsEncryptResolverName, userDetails.Email)
+ restErr = tlsCertificateService.ConfigureLetsEncrypt(mainDomain, setting.KotalLetsEncryptResolverName, userDetails.Email)
 if restErr != nil {
 logger.Error("CONFIGURE_TLS", restErr)
 return c.Status(restErr.StatusCode()).JSON(restErr)
@@ -178,12 +184,12 @@ func ConfigureTLS(c *fiber.Ctx) error {
 return c.Status(badReq.StatusCode()).JSON(badReq)
 }
- _ = secretService.Delete(setting.CustomTLSSecretName, config.Environment.KotalNamespace)
+ _ = secretService.Delete(setting.CustomTLSSecretName, config.Environment.TraefikNamespace)
 restErr := secretService.Create(&secret.CreateSecretDto{
 ObjectMeta: metav1.ObjectMeta{
 Name: setting.CustomTLSSecretName,
- Namespace: config.Environment.KotalNamespace,
+ Namespace: config.Environment.TraefikNamespace,
 },
 Type: corev1.SecretTypeTLS,
 Data: map[string][]byte{
diff --git a/api/handler/setting/handler_test.go b/api/handler/setting/handler_test.go
index db22f3c..bf0ffc6 100644
--- a/api/handler/setting/handler_test.go
+++ b/api/handler/setting/handler_test.go
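Review bot: In the second hunk `mainDomain` is passed straight to `ConfigureLetsEncrypt` without checking that it is non-empty, and downstream it becomes the Main name of the TLSStore's default generated certificate and the base of the `app.` SAN, so an unset or empty setting turns into a certificate request for "" and "app." instead of a clear client error. Whether `settingService.GetDomain()` reports an unconfigured domain as an error or as an empty string is not visible here, so guard the string as well: `if mainDomain == "" { /* build a bad-request IRestErr the way badReq is built later in this handler */ return c.Status(badReq.StatusCode()).JSON(badReq) }`. The same question applies to `dto.Domain` in the first hunk if the request DTO is not validated before that point. Both enclosing handlers start and end outside the hunks.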
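Review bot: Switching both `secretService.Delete` and `Create` in the third hunk to `config.Environment.TraefikNamespace` means a custom TLS secret that an earlier version stored under `config.Environment.KotalNamespace` is no longer touched by the `Delete`, so upgraded installations keep a stale copy of the private key in the old namespace. If such installations exist, add a one-time removal of `setting.CustomTLSSecretName` from `KotalNamespace` (or document it as an operator step); the `_ =` on `Delete` means nothing would surface the leftover either way. `ConfigureTLS` continues outside the hunk.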
@@ -33,6 +33,7 @@ var (
 settingConfigureDomainFunc func(dto *setting.ConfigureDomainRequestDto) restErrors.IRestErr
 settingIsDomainConfiguredFunc func() bool
 settingConfigureRegistrationFunc func(dto *setting.ConfigureRegistrationRequestDto) restErrors.IRestErr
+ settingGetDomainFunc func() (string, restErrors.IRestErr)
 settingIsRegistrationEnabledFunc func() bool
 settingConfigureActivationKeyFunc func(key string) restErrors.IRestErr
 settingGetActivationKey func() (string, restErrors.IRestErr)
@@ -40,6 +41,9 @@ var (
 type settingServiceMocks struct{}
+func (s settingServiceMocks) GetDomain() (string, restErrors.IRestErr) {
+ return settingGetDomainFunc()
+}
 func (s settingServiceMocks) ConfigureActivationKey(key string) restErrors.IRestErr {
 return settingConfigureActivationKeyFunc(key)
 }
@@ -138,15 +142,15 @@ type tlsCertificateServiceMock struct{}
 var (
 tlsGetTraefikDeploymentFunc func() (*appsv1.Deployment, restErrors.IRestErr)
- tlsConfigureLetsEncryptFunc func(resolverNme string, acmeEmail string) restErrors.IRestErr
+ tlsConfigureLetsEncryptFunc func(domain string, resolverNme string, acmeEmail string) restErrors.IRestErr
 tlsConfigureCustomCertificateFunc func(secretName string) restErrors.IRestErr
 )
 func (tls tlsCertificateServiceMock) GetTraefikDeployment() (*appsv1.Deployment, restErrors.IRestErr) {
 return tlsGetTraefikDeploymentFunc()
 }
-func (tls tlsCertificateServiceMock) ConfigureLetsEncrypt(resolverNme string, acmeEmail string) restErrors.IRestErr {
- return tlsConfigureLetsEncryptFunc(resolverNme, acmeEmail)
+func (tls tlsCertificateServiceMock) ConfigureLetsEncrypt(domain string, resolverNme string, acmeEmail string) restErrors.IRestErr {
+ return tlsConfigureLetsEncryptFunc(domain, resolverNme, acmeEmail)
 }
 func (tls tlsCertificateServiceMock) ConfigureCustomCertificate(secretName string) restErrors.IRestErr {
 return tlsConfigureCustomCertificateFunc(secretName)
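Review bot: The `GetDomain` mock added in the second hunk delegates to the package-level `settingGetDomainFunc`, which stays nil unless a test assigns it, and no hunk in this patch assigns it; since `ConfigureTLS` now calls `settingService.GetDomain()` before `ConfigureLetsEncrypt`, any existing ConfigureTLS test that reaches that call will panic on the nil func instead of failing with a message, unless a test outside these hunks sets it. Each ConfigureTLS case that is meant to reach the LetsEncrypt step should set `settingGetDomainFunc = func() (string, restErrors.IRestErr) { return "example.com", nil }` (constructed value), and one case should return an error to cover the new early-return branch. Unlike the endpoint test mock in the same patch, the new method is also not separated from `ConfigureActivationKey` by a blank line.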
@@ -297,7 +301,7 @@ func TestConfigureDomain(t *testing.T) {
 GetByIdFunc = func(Id string) (*user.User, restErrors.IRestErr) {
 return &user.User{Email: "email.com"}, nil
 }
- tlsConfigureLetsEncryptFunc = func(resolverNme string, acmeEmail string) restErrors.IRestErr {
+ tlsConfigureLetsEncryptFunc = func(domain string, resolverNme string, acmeEmail string) restErrors.IRestErr {
 return nil
 }
 networkIdentifiers = func() (ip string, hostName string, restErr restErrors.IRestErr) {
@@ -343,7 +347,7 @@ func TestConfigureDomain(t *testing.T) {
 GetByIdFunc = func(Id string) (*user.User, restErrors.IRestErr) {
 return &user.User{Email: "email.com"}, nil
 }
- tlsConfigureLetsEncryptFunc = func(resolverNme string, acmeEmail string) restErrors.IRestErr {
+ tlsConfigureLetsEncryptFunc = func(domain string, resolverNme string, acmeEmail string) restErrors.IRestErr {
 return nil
 }
 networkIdentifiers = func() (ip string, hostName string, restErr restErrors.IRestErr) {
diff --git a/api/handler/user/handler_test.go b/api/handler/user/handler_test.go
index 62bb2b2..2e167c3 100644
--- a/api/handler/user/handler_test.go
+++ b/api/handler/user/handler_test.go
@@ -253,6 +253,7 @@ var (
 settingConfigureDomainFunc func(dto *setting.ConfigureDomainRequestDto) restErrors.IRestErr
 settingIsDomainConfiguredFunc func() bool
 settingConfigureRegistrationFunc func(dto *setting.ConfigureRegistrationRequestDto) restErrors.IRestErr
+ settingGetDomainFunc func() (string, restErrors.IRestErr)
 settingIsRegistrationEnabledFunc func() bool
 settingConfigureActivationKeyFunc func(key string) restErrors.IRestErr
 settingGetActivationKey func() (string, restErrors.IRestErr)
@@ -260,6 +261,10 @@ var (
 type settingServiceMocks struct{}
+func (s settingServiceMocks) GetDomain() (string, restErrors.IRestErr) {
+ return settingGetDomainFunc()
+}
+
 func (s settingServiceMocks) ConfigureActivationKey(key string) restErrors.IRestErr {
 return settingConfigureActivationKeyFunc(key)
 }
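Review bot: The updated `tlsConfigureLetsEncryptFunc` stubs in both TestConfigureDomain hunks accept the new `domain` argument and ignore it, so the tests keep passing if the handler forwards the wrong value or an empty string to the certificate service, which is precisely the behaviour this commit introduces. Have the stub check the argument, at minimum `if domain == "" { t.Errorf("ConfigureLetsEncrypt called with empty domain") }` before `return nil`, and preferably compare it with the domain the test places in the request body. The enclosing test function starts and ends outside the hunks.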
diff --git a/core/setting/service.go b/core/setting/service.go
index 94d9e4d..bef02ca 100644
--- a/core/setting/service.go
+++ b/core/setting/service.go
@@ -14,6 +14,7 @@ type IService interface {
 WithoutTransaction() IService
 Settings() ([]*Setting, restErrors.IRestErr)
 ConfigureDomain(dto *ConfigureDomainRequestDto) restErrors.IRestErr
+ GetDomain() (string, restErrors.IRestErr)
 IsDomainConfigured() bool
 ConfigureRegistration(dto *ConfigureRegistrationRequestDto) restErrors.IRestErr
 IsRegistrationEnabled() bool
@@ -53,6 +54,9 @@ func (s service) ConfigureDomain(dto *ConfigureDomainRequestDto) restErrors.IRes
 //record exits update it
 return settingRepo.Update(DomainKey, dto.Domain)
 }
+func (s service) GetDomain() (string, restErrors.IRestErr) {
+ return settingRepo.Get(DomainKey)
+}
 func (s service) IsDomainConfigured() bool {
 value, _ := settingRepo.Get(DomainKey)
diff --git a/k8s/tlscertificate/service.go b/k8s/tlscertificate/service.go
index c04c8f1..5c251b3 100644
--- a/k8s/tlscertificate/service.go
+++ b/k8s/tlscertificate/service.go
@@ -10,6 +10,7 @@ import (
 "github.com/kotalco/core-api/pkg/logger"
 traefikv1alpha1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
 "github.com/traefik/traefik/v2/pkg/tls"
+ types2 "github.com/traefik/traefik/v2/pkg/types"
 appsv1 "k8s.io/api/apps/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
@@ -20,7 +21,7 @@ var k8sClient = k8s.NewClientService()
 type TLSCertificate interface {
 GetTraefikDeployment() (*appsv1.Deployment, restErrors.IRestErr)
- ConfigureLetsEncrypt(resolverNme string, acmeEmail string) restErrors.IRestErr
+ ConfigureLetsEncrypt(domain string, resolverNme string, acmeEmail string) restErrors.IRestErr
 ConfigureCustomCertificate(secretName string) restErrors.IRestErr
 }
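Review bot: `GetDomain` joins the exported `IService` interface and the `service` implementation in the first two hunks without a doc comment, and the body returns `settingRepo.Get(DomainKey)` unchanged, so callers cannot tell from the API whether an unconfigured domain comes back as an error or as an empty string (the neighbouring `IsDomainConfigured` discards the error, which suggests an error is at least possible). State the contract on the interface method, e.g. `// GetDomain returns the main domain stored under DomainKey; the error is non-nil when the value cannot be read.`, and separate the new method from `ConfigureDomain` and `IsDomainConfigured` with blank lines like the surrounding functions. Callers that need a usable hostname should still check the returned string for emptiness.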
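Review bot: The new `domain` parameter on `TLSCertificate.ConfigureLetsEncrypt` in the last hunk is undocumented, and the interface carries no comment at all, so a reader has to open the k8s implementation to learn that the value becomes the Main name of the TLSStore default generated certificate and the base of the SANs derived from it. Document it where the interface is declared, e.g. `// ConfigureLetsEncrypt points the default TLSStore at the resolver and requests a certificate for domain plus the subdomains derived from it; domain must be a configured, non-empty hostname.`, and since the signature is being touched anyway, `resolverNme` reads like a typo for resolverName.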
@@ -39,7 +40,7 @@ func (t *tlsCertificate) GetTraefikDeployment() (*appsv1.Deployment, restErrors.
 return record, nil
 }
-func (t *tlsCertificate) ConfigureLetsEncrypt(resolverNme string, acmeEmail string) restErrors.IRestErr {
+func (t *tlsCertificate) ConfigureLetsEncrypt(domain string, resolverNme string, acmeEmail string) restErrors.IRestErr {
 //delete default tls-store if exists
 tlsStore := &traefikv1alpha1.TLSStore{
 ObjectMeta: metav1.ObjectMeta{
@@ -56,7 +57,10 @@ func (t *tlsCertificate) ConfigureLetsEncrypt(resolverNme string, acmeEmail stri
 Namespace: config.Environment.TraefikNamespace,
 },
 Spec: traefikv1alpha1.TLSStoreSpec{
- DefaultGeneratedCert: &tls.GeneratedCert{Resolver: setting.KotalLetsEncryptResolverName},
+ DefaultGeneratedCert: &tls.GeneratedCert{Resolver: setting.KotalLetsEncryptResolverName, Domain: &types2.Domain{
+ Main: domain,
+ SANs: []string{fmt.Sprintf("app.%s", domain)},
+ }},
 },
 }
 _ = k8sClient.Create(context.Background(), tlsStore)
From 8ba76cb828d5b478439e0f20445ab0b884a674ea Mon Sep 17 00:00:00 2001
From: mohamed abdelrhman
Date: Thu, 2 May 2024 21:04:02 +0300
Subject: [PATCH 2/2] feat:add endpoints SAN to tls certificate
---
 k8s/tlscertificate/service.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s/tlscertificate/service.go b/k8s/tlscertificate/service.go
index 5c251b3..61ae6f8 100644
--- a/k8s/tlscertificate/service.go
+++ b/k8s/tlscertificate/service.go
@@ -59,7 +59,7 @@ func (t *tlsCertificate) ConfigureLetsEncrypt(domain string, resolverNme string,
 Spec: traefikv1alpha1.TLSStoreSpec{
 DefaultGeneratedCert: &tls.GeneratedCert{Resolver: setting.KotalLetsEncryptResolverName, Domain: &types2.Domain{
 Main: domain,
- SANs: []string{fmt.Sprintf("app.%s", domain)},
+ SANs: []string{fmt.Sprintf("app.%s", domain), fmt.Sprintf("endpoints.%s", domain)},
 }},
 },
 }
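Review bot: The new signature of `ConfigureLetsEncrypt` on `*tlsCertificate` in the first hunk has no doc comment, and the added `domain` parameter changes what the method provisions, so add one above it, e.g. `// ConfigureLetsEncrypt recreates the default TLSStore so that Traefik's default generated certificate is issued for domain and the SANs derived from it.` The parameter name `resolverNme` is carried over from the old signature and looks like a typo for resolverName. The method body continues outside the hunk.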
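Review bot: The rewritten `DefaultGeneratedCert` line in the second hunk keeps `Resolver: setting.KotalLetsEncryptResolverName` even though the method now receives `resolverNme` (see the signature in the hunk above), so the parameter is ignored at the one place it is expected to matter; if it is meant to select the resolver, write `Resolver: resolverNme`, otherwise the parameter is dead. The store is then created with `_ = k8sClient.Create(context.Background(), tlsStore)`, so a rejected object (for instance an empty Main, since nothing in this method validates `domain`) is never reported to the caller; now that the object carries a Domain block that can fail validation, the create error should at least be logged via `logger.Error`. `fmt.Sprintf("app.%s", domain)` can simply be `"app." + domain`. The method continues outside the hunk.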
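Review bot: The second patch extends the SAN list by editing the string literal again, so every new subdomain means another `fmt.Sprintf` inside the certificate configuration and the full set of names a reviewer has to audit is scattered across commits; a package-level list of subdomains plus a short loop keeps the names in one place and makes the SAN set easy to review. The TLSStore literal and the enclosing method start and end outside the hunk, so `sans` is computed just before the literal.
```go
// letsEncryptSubdomains lists the hostnames, relative to the main domain, that the
// default generated certificate must cover in addition to the main domain itself.
var letsEncryptSubdomains = []string{"app", "endpoints"}

// … unchanged: default TLSStore deletion …
sans := make([]string, 0, len(letsEncryptSubdomains))
for _, sub := range letsEncryptSubdomains {
	sans = append(sans, sub+"."+domain)
}
// … unchanged: tlsStore literal up to Spec …
DefaultGeneratedCert: &tls.GeneratedCert{Resolver: setting.KotalLetsEncryptResolverName, Domain: &types2.Domain{
	Main: domain,
	SANs: sans,
}},
```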