Add annotation to enable passing the certificate to the upstream server

2017-11-17 21:28:45 -03:00 · 2017-11-17 21:28:45 -03:00 · 2223ea9600
commit 2223ea9600
parent de37e8ea89
3 changed files with 30 additions and 7 deletions
--- a/docs/user-guide/annotations.md
+++ b/docs/user-guide/annotations.md
@ -14,6 +14,7 @@ The following annotations are supported:
 |[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number|
 |[ingress.kubernetes.io/auth-tls-verify-client](#certificate-authentication)|string|
 |[ingress.kubernetes.io/auth-tls-error-page](#certificate-authentication)|string|
+|[ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream](#certificate-authentication)|string|
 |[ingress.kubernetes.io/auth-url](#external-authentication)|string|
 |[ingress.kubernetes.io/base-url-scheme](#rewrite)|string|
 |[ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
@ -149,6 +150,13 @@ ingress.kubernetes.io/auth-tls-error-page

 The URL/Page that user should be redirected in case of a Certificate Authentication Error

+```
+ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream
+```
+
+Indicates if the received certificates should be passed or not to the upstream server.
+By default this is disabled.
+
 Please check the [tls-auth](../examples/auth/client-certs/README.md) example.

 **Important:**
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
@ -41,9 +41,10 @@ var (
 // and the configured ValidationDepth
 type Config struct {
 	resolver.AuthSSLCert
-	VerifyClient    string `json:"verify_client"`
-	ValidationDepth int    `json:"validationDepth"`
-	ErrorPage       string `json:"errorPage"`
+	VerifyClient       string `json:"verify_client"`
+	ValidationDepth    int    `json:"validationDepth"`
+	ErrorPage          string `json:"errorPage"`
+	PassCertToUpstream bool   `json:"passCertToUpstream"`
 }

 // Equal tests for equality between two Config types
@ -66,6 +67,10 @@ func (assl1 *Config) Equal(assl2 *Config) bool {
 	if assl1.ErrorPage != assl2.ErrorPage {
 		return false
 	}
+	if assl1.PassCertToUpstream != assl2.PassCertToUpstream {
+		return false
+	}
+
 	return true
 }

@ -118,10 +123,16 @@ func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
 		errorpage = ""
 	}

+	passCert, err := parser.GetBoolAnnotation("auth-tls-pass-certificate-to-upstream", ing, a.r)
+	if err != nil {
+		passCert = false
+	}
+
 	return &Config{
-		AuthSSLCert:     *authCert,
-		VerifyClient:    tlsVerifyClient,
-		ValidationDepth: tlsdepth,
-		ErrorPage:       errorpage,
+		AuthSSLCert:        *authCert,
+		VerifyClient:       tlsVerifyClient,
+		ValidationDepth:    tlsdepth,
+		ErrorPage:          errorpage,
+		PassCertToUpstream: passCert,
 	}, nil
 }
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -756,7 +756,11 @@ stream {

            # Pass the extracted client certificate to the backend
            {{ if not (empty $server.CertificateAuth.CAFileName) }}
+            {{ if $server.CertificateAuth.PassCertToUpstream }}
            proxy_set_header ssl-client-cert        $ssl_client_raw_cert;
+            {{ else }}
+            proxy_set_header ssl-client-cert        "";
+            {{ end }}
            proxy_set_header ssl-client-verify      $ssl_client_verify;
            proxy_set_header ssl-client-dn          $ssl_client_s_dn;
            {{ else }}