From 20ea36488601fe3948b13a5d6abd79092528337f Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Thu, 6 Jul 2017 17:48:35 -0400
Subject: [PATCH] Move certificate authentication from location to server
---
 .../nginx/rootfs/etc/nginx/template/nginx.tmpl | 16 ++++++++--------
 core/pkg/ingress/controller/util_test.go | 2 --
 core/pkg/ingress/types.go | 9 ++++-----
 3 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index bb289fc59..ba76bf493 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -308,17 +308,17 @@ http {
 {{ if $cfg.EnableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }}
+ {{ if not (empty $server.CertificateAuth.AuthSSLCert.CAFileName) }}
+ # PEM sha: {{ $server.CertificateAuth.AuthSSLCert.PemSHA }}
+ ssl_client_certificate {{ $server.CertificateAuth.AuthSSLCert.CAFileName }};
+ ssl_verify_client on;
+ ssl_verify_depth {{ $server.CertificateAuth.ValidationDepth }};
+ {{ end }}
+
 {{ range $location := $server.Locations }}
 {{ $path := buildLocation $location }}
 {{ $authPath := buildAuthLocation $location }}
- {{ if not (empty $location.CertificateAuth.AuthSSLCert.CAFileName) }}
- # PEM sha: {{ $location.CertificateAuth.AuthSSLCert.PemSHA }}
- ssl_client_certificate {{ $location.CertificateAuth.AuthSSLCert.CAFileName }};
- ssl_verify_client on;
- ssl_verify_depth {{ $location.CertificateAuth.ValidationDepth }};
- {{ end }}
-
 {{ if not (empty $location.Redirect.AppRoot)}}
 if ($uri = /) {
 return 302 {{ $location.Redirect.AppRoot }};
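Review bot: The new server-level block keys off `$server.CertificateAuth`, but no hunk in this patch assigns `Server.CertificateAuth` (types.go only declares the field), so until the controller fills it the guard is always false and the directives are never rendered; the move itself is correct, since `ssl_client_certificate`, `ssl_verify_client` and `ssl_verify_depth` are server-context directives in nginx and were not valid inside a location. Because verification now applies to every location of the host, the controller side will need a defined rule for several ingresses of the same host carrying different client-certificate annotations, otherwise the result depends on iteration order. Note also that an annotated server whose CA file name resolves to empty silently renders with no `ssl_verify_client on`, i.e. fails open; an `{{ else }}` branch emitting `# client certificate verification not configured: CA file missing for this server` would at least make that visible in the generated config. The enclosing `server` block starts and ends outside the hunk.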
@@ -407,7 +407,7 @@ http {
 proxy_set_header Host $best_http_host;
 # Pass the extracted client certificate to the backend
- {{ if not (empty $location.CertificateAuth.AuthSSLCert.CAFileName) }}
+ {{ if not (empty $server.CertificateAuth.AuthSSLCert.CAFileName) }}
 proxy_set_header ssl-client-cert $ssl_client_cert;
 {{ end }}
diff --git a/core/pkg/ingress/controller/util_test.go b/core/pkg/ingress/controller/util_test.go
index 2aa6d5a20..2ea006a8d 100644
--- a/core/pkg/ingress/controller/util_test.go
+++ b/core/pkg/ingress/controller/util_test.go
@@ -23,7 +23,6 @@ import (
 "k8s.io/ingress/core/pkg/ingress"
 "k8s.io/ingress/core/pkg/ingress/annotations/auth"
 "k8s.io/ingress/core/pkg/ingress/annotations/authreq"
- "k8s.io/ingress/core/pkg/ingress/annotations/authtls"
 "k8s.io/ingress/core/pkg/ingress/annotations/ipwhitelist"
 "k8s.io/ingress/core/pkg/ingress/annotations/proxy"
 "k8s.io/ingress/core/pkg/ingress/annotations/ratelimit"
@@ -102,7 +101,6 @@ func TestMergeLocationAnnotations(t *testing.T) {
 "Redirect": rewrite.Redirect{},
 "Whitelist": ipwhitelist.SourceRange{},
 "Proxy": proxy.Configuration{},
- "CertificateAuth": authtls.AuthSSLConfig{},
 "UsePortInRedirects": true,
 }
diff --git a/core/pkg/ingress/types.go b/core/pkg/ingress/types.go
index 163286003..77ffe0aa4 100644
--- a/core/pkg/ingress/types.go
+++ b/core/pkg/ingress/types.go
@@ -213,6 +213,10 @@ type Server struct {
 SSLPemChecksum string `json:"sslPemChecksum"`
 // Locations list of URIs configured in the server.
 Locations []*Location `json:"locations,omitempty"`
+ // CertificateAuth indicates the access to this location requires
+ // external authentication
+ // +optional
+ CertificateAuth authtls.AuthSSLConfig `json:"certificateAuth,omitempty"`
 }
 // Location describes an URI inside a server.
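Review bot: Keeping `proxy_set_header ssl-client-cert $ssl_client_cert;` inside the `$server.CertificateAuth` guard means that on servers without client-certificate auth nginx never sets the header, so an `ssl-client-cert` header arriving from the client is forwarded to the backend unchanged, and a backend that trusts the header cannot tell the two cases apart. Emitting `proxy_set_header ssl-client-cert $ssl_client_cert;` unconditionally, with the surrounding `{{ if }}`/`{{ end }}` removed, forwards the verified certificate under mTLS and strips any inbound value otherwise, because nginx does not pass a proxied header whose value is empty. If the minimum supported nginx is 1.13.5 or later, `$ssl_client_escaped_cert` avoids the multi-line PEM value that `$ssl_client_cert` puts into the header. The enclosing location block starts and ends outside the hunk.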
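Review bot: The doc comment added above `CertificateAuth` on `Server` still reads "indicates the access to this location requires external authentication", which is the text carried over from `Location` and no longer describes the field: it now governs a whole server and configures client-certificate (TLS) verification rather than an external auth service. Suggested: `// CertificateAuth configures TLS client-certificate verification for every location of this server (CA bundle and validation depth).` Nothing in this patch assigns the new field, so the controller change that derives it from the ingress annotation presumably lands separately and should be cross-referenced here. The `Server` struct starts outside the hunk.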
@@ -224,7 +228,6 @@ type Server struct {
 // In some cases when more than one annotations is defined a particular order in the execution
 // is required.
 // The chain in the execution order of annotations should be:
-// - CertificateAuth
 // - Whitelist
 // - RateLimit
 // - BasicDigestAuth
@@ -278,10 +281,6 @@ type Location struct {
 // to be used in connections against endpoints
 // +optional
 Proxy proxy.Configuration `json:"proxy,omitempty"`
- // CertificateAuth indicates the access to this location requires
- // external authentication
- // +optional
- CertificateAuth authtls.AuthSSLConfig `json:"certificateAuth,omitempty"`
 // UsePortInRedirects indicates if redirects must specify the port
 // +optional
 UsePortInRedirects bool `json:"use-port-in-redirects"`