DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #3808 from ElvinEfendi/dynamic-cert

Browse source 
make dynamic SSL mode default
This commit is contained in:
Kubernetes Prow Robot 2019-03-18 05:17:15 -07:00 committed by GitHub
commit 080bed8e88
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 24 additions and 62 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
cmd/nginx/flags.go
View file

@ -141,7 +141,7 @@ extension for this to succeed.`)
`Customized address to set as the load-balancer status of Ingress objects this controller satisfies. `Customized address to set as the load-balancer status of Ingress objects this controller satisfies.
Requires the update-status parameter.`) Requires the update-status parameter.`)
dynamicCertificatesEnabled = flags.Bool("enable-dynamic-certificates", false, dynamicCertificatesEnabled = flags.Bool("enable-dynamic-certificates", true,
`Dynamically update SSL certificates instead of reloading NGINX. `Dynamically update SSL certificates instead of reloading NGINX.
Feature backed by OpenResty Lua libraries. Requires that OCSP stapling is not enabled`) Feature backed by OpenResty Lua libraries. Requires that OCSP stapling is not enabled`)

2
docs/user-guide/cli-arguments.md
View file

@ -15,7 +15,7 @@ They are set in the container spec of the `nginx-ingress-controller` Deployment
| `--default-ssl-certificate string` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". | | `--default-ssl-certificate string` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". |
| `--disable-catch-all` | Disable support for catch-all Ingresses. | | `--disable-catch-all` | Disable support for catch-all Ingresses. |
| `--election-id string` | Election id to use for Ingress status updates. (default "ingress-controller-leader") | | `--election-id string` | Election id to use for Ingress status updates. (default "ingress-controller-leader") |
| `--enable-dynamic-certificates` | Dynamically serves certificates instead of reloading NGINX when certificates are created, updated, or deleted. Currently does not support OCSP stapling, so --enable-ssl-chain-completion must be turned off. Assuming the certificate is generated with a 2048 bit RSA key/cert pair, this feature can store roughly 5000 certificates. This is an experiemental feature that currently is not ready for production use. Feature backed by OpenResty Lua libraries. (disabled by default) | | `--enable-dynamic-certificates` | Dynamically serves certificates instead of reloading NGINX when certificates are created, updated, or deleted. Currently does not support OCSP stapling, so --enable-ssl-chain-completion must be turned off (default behaviour). Assuming the certificate is generated with a 2048 bit RSA key/cert pair, this feature can store roughly 5000 certificates. (enabled by default) |
| `--enable-ssl-chain-completion` | Autocomplete SSL certificate chains with missing intermediate CA certificates. A valid certificate chain is required to enable OCSP stapling. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. (default true) | | `--enable-ssl-chain-completion` | Autocomplete SSL certificate chains with missing intermediate CA certificates. A valid certificate chain is required to enable OCSP stapling. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. (default true) |
| `--enable-ssl-passthrough` | Enable SSL Passthrough. | | `--enable-ssl-passthrough` | Enable SSL Passthrough. |
| `--health-check-path string` | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") | | `--health-check-path string` | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") |

61
test/e2e/annotations/authtls.go
View file

@ -55,22 +55,7 @@ var _ = framework.IngressNginxDescribe("Annotations - AuthTLS", func() {
f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, "http-svc", 80, &annotations)) f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, "http-svc", 80, &annotations))
// Since we can use the same certificate-chain for tls as well as mutual-auth, we will check all values assertSslClientCertificateConfig(f, host, "on", "1")
sslCertDirective := fmt.Sprintf("ssl_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
sslKeyDirective := fmt.Sprintf("ssl_certificate_key /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
sslVerify := "ssl_verify_client on;"
sslVerifyDepth := "ssl_verify_depth 1;"
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, sslCertDirective) &&
strings.Contains(server, sslKeyDirective) &&
strings.Contains(server, sslClientCertDirective) &&
strings.Contains(server, sslVerify) &&
strings.Contains(server, sslVerifyDepth)
})
// Send Request without Client Certs // Send Request without Client Certs
req := gorequest.New() req := gorequest.New()
@ -112,18 +97,7 @@ var _ = framework.IngressNginxDescribe("Annotations - AuthTLS", func() {
f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, "http-svc", 80, &annotations)) f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, "http-svc", 80, &annotations))
// Since we can use the same certificate-chain for tls as well as mutual-auth, we will check all values assertSslClientCertificateConfig(f, host, "off", "2")
sslCertDirective := fmt.Sprintf("ssl_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
sslKeyDirective := fmt.Sprintf("ssl_certificate_key /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
sslVerify := "ssl_verify_client off;"
sslVerifyDepth := "ssl_verify_depth 2;"
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, sslCertDirective) && strings.Contains(server, sslKeyDirective) && strings.Contains(server, sslClientCertDirective) && strings.Contains(server, sslVerify) && strings.Contains(server, sslVerifyDepth)
})
// Send Request without Client Certs // Send Request without Client Certs
req := gorequest.New() req := gorequest.New()
@ -158,24 +132,14 @@ var _ = framework.IngressNginxDescribe("Annotations - AuthTLS", func() {
f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, "http-svc", 80, &annotations)) f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, "http-svc", 80, &annotations))
// Since we can use the same certificate-chain for tls as well as mutual-auth, we will check all values assertSslClientCertificateConfig(f, host, "on", "1")
sslCertDirective := fmt.Sprintf("ssl_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
sslKeyDirective := fmt.Sprintf("ssl_certificate_key /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
sslVerify := "ssl_verify_client on;"
sslVerifyDepth := "ssl_verify_depth 1;"
sslErrorPage := fmt.Sprintf("error_page 495 496 = %s;", f.GetURL(framework.HTTP)+errorPath) sslErrorPage := fmt.Sprintf("error_page 495 496 = %s;", f.GetURL(framework.HTTP)+errorPath)
sslUpstreamClientCert := "proxy_set_header ssl-client-cert $ssl_client_escaped_cert;" sslUpstreamClientCert := "proxy_set_header ssl-client-cert $ssl_client_escaped_cert;"
f.WaitForNginxServer(host, f.WaitForNginxServer(host,
func(server string) bool { func(server string) bool {
return strings.Contains(server, sslCertDirective) && return strings.Contains(server, sslErrorPage) &&
strings.Contains(server, sslKeyDirective) &&
strings.Contains(server, sslClientCertDirective) &&
strings.Contains(server, sslVerify) &&
strings.Contains(server, sslVerifyDepth) &&
strings.Contains(server, sslErrorPage) &&
strings.Contains(server, sslUpstreamClientCert) strings.Contains(server, sslUpstreamClientCert)
}) })
@ -202,3 +166,20 @@ var _ = framework.IngressNginxDescribe("Annotations - AuthTLS", func() {
Expect(resp.StatusCode).Should(Equal(http.StatusOK)) Expect(resp.StatusCode).Should(Equal(http.StatusOK))
}) })
}) })
func assertSslClientCertificateConfig(f *framework.Framework, host string, verifyClient string, verifyDepth string) {
sslCertDirective := "ssl_certificate /etc/ingress-controller/ssl/default-fake-certificate.pem;"
sslKeyDirective := "ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem;"
sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", f.Namespace, host)
sslVerify := fmt.Sprintf("ssl_verify_client %s;", verifyClient)
sslVerifyDepth := fmt.Sprintf("ssl_verify_depth %s;", verifyDepth)
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, sslCertDirective) &&
strings.Contains(server, sslKeyDirective) &&
strings.Contains(server, sslClientCertDirective) &&
strings.Contains(server, sslVerify) &&
strings.Contains(server, sslVerifyDepth)
})
}

1
test/e2e/annotations/fromtowwwredirect.go
View file

@ -90,7 +90,6 @@ var _ = framework.IngressNginxDescribe("Annotations - from-to-www-redirect", fun
f.WaitForNginxServer(fmt.Sprintf("www.%v", host), f.WaitForNginxServer(fmt.Sprintf("www.%v", host),
func(server string) bool { func(server string) bool {
return Expect(server).Should(ContainSubstring(`server_name www.fromtowwwredirect.bar.com;`)) && return Expect(server).Should(ContainSubstring(`server_name www.fromtowwwredirect.bar.com;`)) &&
Expect(server).Should(ContainSubstring(fmt.Sprintf("/etc/ingress-controller/ssl/%v-fromtowwwredirect.bar.com.pem", f.Namespace))) &&
Expect(server).Should(ContainSubstring(`return 308 $scheme://fromtowwwredirect.bar.com$request_uri;`)) Expect(server).Should(ContainSubstring(`return 308 $scheme://fromtowwwredirect.bar.com$request_uri;`))
}) })

18
test/e2e/lua/dynamic_certificates.go
View file

@ -24,7 +24,6 @@ import (
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"
. "github.com/onsi/gomega" . "github.com/onsi/gomega"
appsv1beta1 "k8s.io/api/apps/v1beta1"
extensions "k8s.io/api/extensions/v1beta1" extensions "k8s.io/api/extensions/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@ -36,23 +35,6 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() {
host := "foo.com" host := "foo.com"
BeforeEach(func() { BeforeEach(func() {
err := framework.UpdateDeployment(f.KubeClientSet, f.Namespace, "nginx-ingress-controller", 1,
func(deployment *appsv1beta1.Deployment) error {
args := deployment.Spec.Template.Spec.Containers[0].Args
args = append(args, "--enable-dynamic-certificates")
args = append(args, "--enable-ssl-chain-completion=false")
deployment.Spec.Template.Spec.Containers[0].Args = args
_, err := f.KubeClientSet.AppsV1beta1().Deployments(f.Namespace).Update(deployment)
return err
})
Expect(err).NotTo(HaveOccurred())
f.WaitForNginxConfiguration(
func(cfg string) bool {
return strings.Contains(cfg, "ok, res = pcall(require, \"certificate\")")
})
f.NewEchoDeploymentWithReplicas(1) f.NewEchoDeploymentWithReplicas(1)
}) })