apache · shukitchan · Jan 4, 2026 · Oct 9, 2025 · Oct 9, 2025 · Nov 13, 2025
@@ -63,6 +63,23 @@ jobs:
         run: |
           eval $(minikube -p minikube docker-env)
           docker build -t caching-app k8s/images/caching-app/
+
+      - name: Create CA to sign certificates
+        run: |
+          mkdir -p tests/certs
+          openssl genrsa -out tests/certs/rootCA.key 4096
+          openssl req -x509 -new -key tests/certs/rootCA.key -sha256 -days 1 -out tests/certs/rootCA.crt -subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=TestRootCA" -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" -addext "subjectKeyIdentifier=hash"
+
+      - name: Create Certs for node-app-4
+        run: |
+          openssl genrsa -out k8s/images/node-app-4/origin.key 4096
+          openssl req -x509 -new -key k8s/images/node-app-4/origin.key -sha256 -days 1 -out k8s/images/node-app-4/origin.crt -subj "/C=US/ST=State/L=City/O=MyOrg/OU=MyUnit/CN=test.example.com"
+
+      - name: Create Certs for node-app-3
+        run: |
+          openssl genrsa -out k8s/images/node-app-3/backend.key 2048
+          openssl req -new -key k8s/images/node-app-3/backend.key -out k8s/images/node-app-3/backend.csr -subj "/C=US/ST=State/L=City/O=TestOrg/CN=test.example.com.backend.svc.cluster.local"
+          openssl x509 -req -in k8s/images/node-app-3/backend.csr -CA tests/certs/rootCA.crt -CAkey tests/certs/rootCA.key -CAcreateserial -out k8s/images/node-app-3/backend.crt -days 1 -sha256
 
       - name: Build App 3
         run: |

@@ -19,22 +19,37 @@
 set +x
 
 if [ -z "${POD_TLS_PATH}" ]; then
-	echo "POD_TLS_PATH not defined"
-	exit 1
+    echo "POD_TLS_PATH not defined"
+    exit 1
 fi
 
-tlspath="$POD_TLS_PATH/"      
-tlskey="$POD_TLS_PATH/tls.key"
-tlscrt="$POD_TLS_PATH/tls.crt"
+
+# Clear existing file
+> /opt/ats/etc/trafficserver/ssl_multicert.config
+
+found_any=false
+
+IFS=':' read -r -a paths <<< "$POD_TLS_PATH"
+
+for tlspath in "${paths[@]}"; do      
+    tlskey="${tlspath}/tls.key"
+    tlscrt="${tlspath}/tls.crt"
 
-if [ ! -f "${tlscrt}" ]; then
-	echo "${tlscrt} not found"
-	exit 1
-fi
+    if [ ! -f "${tlscrt}" ]; then
+        echo "${tlscrt} not found"
+        exit 1
+    fi
 
-if [ ! -f "${tlskey}" ]; then
-	echo "${tlskey} not found"
-	exit 1
-fi
+    if [ ! -f "${tlskey}" ]; then
+        echo "${tlskey} not found"
+        exit 1
+    fi
 
-echo "dest_ip=* ssl_cert_name=${tlscrt} ssl_key_name=${tlskey}" > /opt/ats/etc/trafficserver/ssl_multicert.config
+    echo "dest_ip=* ssl_cert_name=${tlscrt} ssl_key_name=${tlskey}" >> /opt/ats/etc/trafficserver/ssl_multicert.config
+    found_any=true
+done
+
+if [ "$found_any" = false ]; then
+    echo "No valid TLS cert/key pairs found in $tlspath"
+    exit 1
+fi
@@ -20,7 +20,8 @@ spec:
     spec:
       containers:
         - name: node-https
-          image: node-https-app:latest
+          image: node-app-3:latest
+          imagePullPolicy: Never
           ports:
             - containerPort: 8443
               name: https

@@ -21,6 +21,7 @@ spec:
       containers:
         - name: node-app-4-container
           image: node-app-4:latest
+          imagePullPolicy: Never
           ports:
             - containerPort: 8443
               name: https

@@ -49,7 +49,7 @@ metadata:
   namespace: trafficserver-test-2
 spec:
   ports:
-  - port: 8080
+  - port: 8443
     name: "appsvc2http"
     protocol: TCP
     targetPort: 8080

@@ -14,12 +14,6 @@
 #  See the License for the specific language governing permissions and
 #  limitations under the License.
 
-apiVersion: v1
-kind: Namespace
-metadata:
-    name: trafficserver-test
-
----
 
 apiVersion: v1
 kind: ConfigMap
@@ -36,3 +30,8 @@ data:
 
   proxy.config.http.cache.http: "1"
   proxy.config.http.cache.required_headers: "0"
+  proxy.config.diags.debug.enabled: "1"
+
+  proxy.config.ssl.CA.cert.path: "/etc/ats/ssl/ca/"
+  proxy.config.ssl.CA.cert.filename: "tls.crt"
+
@@ -27,6 +27,7 @@ metadata:
   name: app-ingress
   namespace: trafficserver-test-2
 spec:
+  ingressClassName: ats
   rules:
   - host: test.media.com
     http:
@@ -56,4 +57,10 @@ spec:
             name: appsvc1
             port:
               number: 8080
-
+      - path: /app2
+        pathType: Exact
+        backend:
+          service:
+            name: appsvc2
+            port:
+              number: 8080
@@ -35,7 +35,6 @@ spec:
     matchLabels:
       app: trafficserver-test
 
-  # DO NOT EXCEED ONE COPY
   replicas: 1
   # DO NOT EXCEED ONE COPY
   template:
@@ -47,13 +46,19 @@ spec:
       containers:
         - name: trafficserver-test
           image: ats-ingress:latest # Needs to be updated
+          imagePullPolicy: IfNotPresent
           volumeMounts:
             - mountPath: "/etc/ats/ssl"
               name: ats-ssl
-              readOnly: true
+            - mountPath: "/etc/ats/ssl/ca"
+              name: ca-ssl
+            - mountPath: "/etc/ats/ssl/server"
+              name: server-ssl
+            - mountPath: "/etc/ats/ssl/server2"
+              name: server2-ssl
             - name: varlog
               mountPath: /opt/ats/var/log/trafficserver
-          imagePullPolicy: IfNotPresent
+
           env:
             - name: POD_NAME
               valueFrom:
@@ -63,12 +68,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
-#            - name: INGRESS_CLASS
-#              value: "ats"
             - name: SNIPPET
               value: "1"
             - name: POD_TLS_PATH
-              value: "/etc/ats/ssl"
+              value: "/etc/ats/ssl:/etc/ats/ssl/server:/etc/ats/ssl/server2"
           ports:
           - containerPort: 8080
             name: http
@@ -83,16 +86,19 @@ spec:
             mountPath: "/var/log"
           - name: config-volume
             mountPath: "/fluentd/etc"
-#        - name: trafficserver-exporter
-#          image: ats-ingress-exporter:latest
-#          imagePullPolicy: IfNotPresent
-#          args: ["--endpoint=http://127.0.0.1:8080/_stats"]
-#          ports:
-#          - containerPort: 9122
       volumes:
         - name: ats-ssl
           secret:
             secretName: tls-secret
+        - name: server-ssl
+          secret:
+            secretName: server-secret
+        - name: server2-ssl
+          secret:
+            secretName: server2-secret
+        - name: ca-ssl
+          secret:
+            secretName: ca-secret
         - name: varlog
           emptyDir: {}
         - name: config-volume