From 555c5eb04d0285bba3fdc1d37938e7036f624287 Mon Sep 17 00:00:00 2001
From: Tamal Saha
Date: Mon, 23 Oct 2023 17:32:47 -0700
Subject: [PATCH] Allow proxy-ssl-* annotations without proxy-ssl-secret
Signed-off-by: Tamal Saha
---
 internal/ingress/annotations/proxyssl/main.go | 35 ++++++++++---------
 1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go
index 0e854cd21..ad0cf4057 100644
--- a/internal/ingress/annotations/proxyssl/main.go
+++ b/internal/ingress/annotations/proxyssl/main.go
@@ -17,6 +17,7 @@ limitations under the License.
 package proxyssl
 import (
+ "errors"
 "fmt"
 "regexp"
 "sort"
@@ -190,28 +191,28 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) {
 config := &Config{}
 proxysslsecret, err := parser.GetStringAnnotation(proxySSLSecretAnnotation, ing, p.annotationConfig.Annotations)
- if err != nil {
+ if err != nil && !errors.Is(err, ing_errors.ErrMissingAnnotations) {
 return &Config{}, err
- }
+ } else if err == nil {
+ ns, _, err := k8s.ParseNameNS(proxysslsecret)
+ if err != nil {
+ return &Config{}, ing_errors.NewLocationDenied(err.Error())
+ }
- ns, _, err := k8s.ParseNameNS(proxysslsecret)
- if err != nil {
- return &Config{}, ing_errors.NewLocationDenied(err.Error())
- }
+ secCfg := p.r.GetSecurityConfiguration()
+ // We don't accept different namespaces for secrets.
+ if !secCfg.AllowCrossNamespaceResources && ns != ing.Namespace {
+ return &Config{}, ing_errors.NewLocationDenied("cross namespace secrets are not supported")
+ }
- secCfg := p.r.GetSecurityConfiguration()
- // We don't accept different namespaces for secrets.
- if !secCfg.AllowCrossNamespaceResources && ns != ing.Namespace {
- return &Config{}, ing_errors.NewLocationDenied("cross namespace secrets are not supported")
+ proxyCert, err := p.r.GetAuthCertificate(proxysslsecret)
+ if err != nil {
+ e := fmt.Errorf("error obtaining certificate: %w", err)
+ return &Config{}, ing_errors.LocationDeniedError{Reason: e}
+ }
+ config.AuthSSLCert = *proxyCert
 }
- proxyCert, err := p.r.GetAuthCertificate(proxysslsecret)
- if err != nil {
- e := fmt.Errorf("error obtaining certificate: %w", err)
- return &Config{}, ing_errors.LocationDeniedError{Reason: e}
- }
- config.AuthSSLCert = *proxyCert
-
 config.Ciphers, err = parser.GetStringAnnotation(proxySSLCiphersAnnotation, ing, p.annotationConfig.Annotations)
 if err != nil {
 if ing_errors.IsValidationError(err) {
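Review bot: When `proxy-ssl-secret` is absent, Parse now continues with `config.AuthSSLCert` at its zero value, so the remaining proxy-ssl-* settings (presumably including `proxy-ssl-verify`, read below this hunk) are applied with no client certificate or trusted CA loaded. Whether that leads to failed upstream handshakes or to verification being silently skipped depends on code outside the hunk; a test for the no-secret path and a comment such as `// No proxy-ssl-secret: AuthSSLCert stays empty, so no client cert or trusted CA is configured.` above the branch would pin the intended, fail-closed behaviour. On style, the `else` after the returning branch can be dropped (close with `}` and start a plain `if err == nil {`). The inner `ns, _, err :=` also shadows the outer `err`, which still holds the missing-annotation error after the block until `config.Ciphers, err = ...` overwrites it. The package appears to already provide `ing_errors.IsMissingAnnotations(err)` next to `IsValidationError`, which would avoid the new `errors` import; Parse itself continues past the end of the hunk.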