From c4f42c2491e1bf23ac5e8ca413cabb45030a72d3 Mon Sep 17 00:00:00 2001
From: Asish Kumar <87874775+officialasishkumar@users.noreply.github.com>
Date: Wed, 13 May 2026 12:16:47 +0530
Subject: [PATCH] fix: skip empty ingress tls secret names (#1649)

Signed-off-by: Asish Kumar
---
 pkg/analyzer/ingress.go | 3 +++
 pkg/analyzer/ingress_test.go | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/pkg/analyzer/ingress.go b/pkg/analyzer/ingress.go
index 4d05fa23..6b4657dd 100644
--- a/pkg/analyzer/ingress.go
+++ b/pkg/analyzer/ingress.go
@@ -129,6 +129,9 @@ func (IngressAnalyzer) Analyze(a common.Analyzer) ([]common.Result, error) {
 }

 for _, tls := range ing.Spec.TLS {
+ if tls.SecretName == "" {
+ continue
+ }
 _, err := a.Client.GetClient().CoreV1().Secrets(ing.Namespace).Get(a.Context, tls.SecretName, metav1.GetOptions{})
 if err != nil {
 doc := apiDoc.GetApiDocV2("spec.tls.secretName")
diff --git a/pkg/analyzer/ingress_test.go b/pkg/analyzer/ingress_test.go
index 2df02235..69a233bd 100644
--- a/pkg/analyzer/ingress_test.go
+++ b/pkg/analyzer/ingress_test.go
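Review bot: The new `if tls.SecretName == "" { continue }` guard at the top of the `for _, tls := range ing.Spec.TLS` loop in pkg/analyzer/ingress.go has no comment saying why an entry without a secret is acceptable, and it drops the entry without leaving any trace in the results. A TLS entry that lists hosts but no secret presumably relies on the ingress controller's default certificate (the fixture name in the accompanying test points the same way). That fallback is controller-specific, so someone auditing TLS coverage may still want to know which hosts depend on it. I would at least add `// Empty secretName: no Secret to look up; the controller is expected to serve its default certificate for these hosts.` above the check. The loop body continues past the end of the hunk, so how lookup failures are reported is not visible here.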
@@ -247,6 +247,39 @@ func TestIngressAnalyzerLabelSelector(t *testing.T) {
 require.Equal(t, "default/ingress-with-label", results[0].Name)
 }

+func TestIngressAnalyzerSkipsEmptyTLSSecretName(t *testing.T) {
+ ingressClassName := "gce"
+ clientSet := fake.NewSimpleClientset(
+ &networkingv1.Ingress{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "default-certificate-ingress",
+ Namespace: "default",
+ },
+ Spec: networkingv1.IngressSpec{
+ IngressClassName: &ingressClassName,
+ TLS: []networkingv1.IngressTLS{
+ {
+ Hosts: []string{"example.com"},
+ },
+ },
+ },
+ },
+ )
+
+ config := common.Analyzer{
+ Client: &kubernetes.Client{
+ Client: clientSet,
+ },
+ Context: context.Background(),
+ Namespace: "default",
+ }
+
+ analyzer := IngressAnalyzer{}
+ results, err := analyzer.Analyze(config)
+ require.NoError(t, err)
+ require.Empty(t, results)
+}
+
 func TestIsGKEBuiltInIngressClass(t *testing.T) {
 tests := []struct {
 name string
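Review bot: `TestIngressAnalyzerSkipsEmptyTLSSecretName` only covers an Ingress whose single TLS entry has no secret, so it would still pass if the guard skipped the rest of the TLS list or the whole Ingress (a `break` or `return` where `continue` is meant). A second case that adds an entry such as `{Hosts: []string{"missing.example.com"}, SecretName: "missing-tls"}` (constructed sample names) next to the empty one and asserts that the missing secret is still reported, for example with `require.Len(t, results, 1)`, would pin the per-entry behaviour. A one-line comment on `ingressClassName := "gce"` would also help. Presumably the class is chosen so that the ingress-class check stays quiet, but nothing in the hunk says so.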