DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactor to add SSLCert as a field in server type

Browse source
This commit is contained in:
Henry Tran 2018-06-11 13:42:40 -04:00
parent 3b0d225186
commit 2751cbf06d
5 changed files with 27 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
internal/ingress/controller/controller.go
View file

@ -868,9 +868,11 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
// initialize the default server // initialize the default server
servers[defServerName] = &ingress.Server{ servers[defServerName] = &ingress.Server{
Hostname: defServerName, Hostname: defServerName,
SSLCertificate: defaultPemFileName, SSLCert: ingress.SSLCert{
SSLPemChecksum: defaultPemSHA, PemFileName: defaultPemFileName,
PemSHA: defaultPemSHA,
},
Locations: []*ingress.Location{ Locations: []*ingress.Location{
{ {
Path: rootLocation, Path: rootLocation,
@ -1000,7 +1002,7 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
} }
// only add a certificate if the server does not have one previously configured // only add a certificate if the server does not have one previously configured
if servers[host].SSLCertificate != "" { if servers[host].SSLCert.PemFileName != "" {
continue continue
} }
@ -1013,8 +1015,8 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
if tlsSecretName == "" { if tlsSecretName == "" {
glog.V(3).Infof("host %v is listed on tls section but secretName is empty. Using default cert", host) glog.V(3).Infof("host %v is listed on tls section but secretName is empty. Using default cert", host)
servers[host].SSLCertificate = defaultPemFileName servers[host].SSLCert.PemFileName = defaultPemFileName
servers[host].SSLPemChecksum = defaultPemSHA servers[host].SSLCert.PemSHA = defaultPemSHA
continue continue
} }
@ -1038,10 +1040,7 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
} }
} }
servers[host].SSLCertificate = cert.PemFileName servers[host].SSLCert = *cert
servers[host].SSLFullChainCertificate = cert.FullChainPemFileName
servers[host].SSLPemChecksum = cert.PemSHA
servers[host].SSLExpireTime = cert.ExpireTime
if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour)) { if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour)) {
glog.Warningf("ssl certificate for host %v is about to expire in 10 days", host) glog.Warningf("ssl certificate for host %v is about to expire in 10 days", host)

2
internal/ingress/controller/metrics.go
View file

@ -114,7 +114,7 @@ func ConfigSuccessTime() {
func setSSLExpireTime(servers []*ingress.Server) { func setSSLExpireTime(servers []*ingress.Server) {
for _, s := range servers { for _, s := range servers {
if s.Hostname != defServerName { if s.Hostname != defServerName {
sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLExpireTime.Unix())) sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLCert.ExpireTime.Unix()))
} }
} }
} }

16
internal/ingress/types.go
View file

@ -17,8 +17,6 @@ limitations under the License.
package ingress package ingress
import ( import (
"time"
apiv1 "k8s.io/api/core/v1" apiv1 "k8s.io/api/core/v1"
extensions "k8s.io/api/extensions/v1beta1" extensions "k8s.io/api/extensions/v1beta1"
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
@ -140,18 +138,8 @@ type Server struct {
// SSLPassthrough indicates if the TLS termination is realized in // SSLPassthrough indicates if the TLS termination is realized in
// the server or in the remote endpoint // the server or in the remote endpoint
SSLPassthrough bool `json:"sslPassthrough"` SSLPassthrough bool `json:"sslPassthrough"`
// SSLCertificate path to the SSL certificate on disk // SSLCert describes the certificate that will be used on the server
SSLCertificate string `json:"sslCertificate"` SSLCert SSLCert `json:"sslCert"`
// SSLFullChainCertificate path to the SSL certificate on disk
// This certificate contains the full chain (ca + intermediates + cert)
SSLFullChainCertificate string `json:"sslFullChainCertificate"`
// SSLExpireTime has the expire date of this certificate
SSLExpireTime time.Time `json:"sslExpireTime"`
// SSLPemChecksum returns the checksum of the certificate file on disk.
// There is no restriction in the hash generator. This checksum can be
// used to determine if the secret changed without the use of file
// system notifications
SSLPemChecksum string `json:"sslPemChecksum"`
// Locations list of URIs configured in the server. // Locations list of URIs configured in the server.
Locations []*Location `json:"locations,omitempty"` Locations []*Location `json:"locations,omitempty"`
// Alias return the alias of the server name // Alias return the alias of the server name

13
internal/ingress/types_equals.go
View file

@ -262,18 +262,12 @@ func (s1 *Server) Equal(s2 *Server) bool {
if s1.SSLPassthrough != s2.SSLPassthrough { if s1.SSLPassthrough != s2.SSLPassthrough {
return false return false
} }
if s1.SSLCertificate != s2.SSLCertificate { if !(&s1.SSLCert).Equal(&s2.SSLCert) {
return false
}
if s1.SSLPemChecksum != s2.SSLPemChecksum {
return false return false
} }
if !(&s1.CertificateAuth).Equal(&s2.CertificateAuth) { if !(&s1.CertificateAuth).Equal(&s2.CertificateAuth) {
return false return false
} }
if s1.SSLFullChainCertificate != s2.SSLFullChainCertificate {
return false
}
if s1.RedirectFromToWWW != s2.RedirectFromToWWW { if s1.RedirectFromToWWW != s2.RedirectFromToWWW {
return false return false
} }
@ -481,7 +475,7 @@ func (l4b1 *L4Backend) Equal(l4b2 *L4Backend) bool {
return true return true
} }
// Equal tests for equality between two L4Backend types // Equal tests for equality between two SSLCert types
func (s1 *SSLCert) Equal(s2 *SSLCert) bool { func (s1 *SSLCert) Equal(s2 *SSLCert) bool {
if s1 == s2 { if s1 == s2 {
return true return true
@ -498,6 +492,9 @@ func (s1 *SSLCert) Equal(s2 *SSLCert) bool {
if !s1.ExpireTime.Equal(s2.ExpireTime) { if !s1.ExpireTime.Equal(s2.ExpireTime) {
return false return false
} }
if s1.FullChainPemFileName != s2.FullChainPemFileName {
return false
}
for _, cn1 := range s1.CN { for _, cn1 := range s1.CN {
found := false found := false

20
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -717,7 +717,7 @@ stream {
{{/* Listen on {{ $all.ListenPorts.SSLProxy }} because port {{ $all.ListenPorts.HTTPS }} is used in the TLS sni server */}} {{/* Listen on {{ $all.ListenPorts.SSLProxy }} because port {{ $all.ListenPorts.HTTPS }} is used in the TLS sni server */}}
{{/* This listener must always have proxy_protocol enabled, because the SNI listener forwards on source IP info in it. */}} {{/* This listener must always have proxy_protocol enabled, because the SNI listener forwards on source IP info in it. */}}
{{ if not (empty $server.SSLCertificate) }} {{ if not (empty $server.SSLCert.PemFileName) }}
{{ range $address := $all.Cfg.BindAddressIpv4 }} {{ range $address := $all.Cfg.BindAddressIpv4 }}
listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol {{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol {{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
{{ else }} {{ else }}
@ -725,17 +725,17 @@ stream {
{{ end }} {{ end }}
{{ if $all.IsIPV6Enabled }} {{ if $all.IsIPV6Enabled }}
{{ range $address := $all.Cfg.BindAddressIpv6 }} {{ range $address := $all.Cfg.BindAddressIpv6 }}
{{ if not (empty $server.SSLCertificate) }}listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; {{ if not (empty $server.SSLCert.PemFileName) }}listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
{{ else }} {{ else }}
{{ if not (empty $server.SSLCertificate) }}listen [::]:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; {{ if not (empty $server.SSLCert.PemFileName) }}listen [::]:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
{{ end }} {{ end }}
{{ end }} {{ end }}
{{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}} {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
# PEM sha: {{ $server.SSLPemChecksum }} # PEM sha: {{ $server.SSLCert.PemSHA }}
ssl_certificate {{ $server.SSLCertificate }}; ssl_certificate {{ $server.SSLCert.PemFileName }};
ssl_certificate_key {{ $server.SSLCertificate }}; ssl_certificate_key {{ $server.SSLCert.PemFileName }};
{{ if not (empty $server.SSLFullChainCertificate)}} {{ if not (empty $server.SSLCert.FullChainPemFileName)}}
ssl_trusted_certificate {{ $server.SSLFullChainCertificate }}; ssl_trusted_certificate {{ $server.SSLCert.FullChainPemFileName }};
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{{ end }} {{ end }}
@ -891,7 +891,7 @@ stream {
} }
{{ end }} {{ end }}
{{ if (and (not (empty $server.SSLCertificate)) $all.Cfg.HSTS) }} {{ if (and (not (empty $server.SSLCert.PemFileName)) $all.Cfg.HSTS) }}
if ($scheme = https) { if ($scheme = https) {
more_set_headers "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $all.Cfg.HSTSPreload }}; preload{{ end }}"; more_set_headers "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $all.Cfg.HSTSPreload }}; preload{{ end }}";
} }
@ -919,7 +919,7 @@ stream {
set $service_name "{{ $ing.Service }}"; set $service_name "{{ $ing.Service }}";
{{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}} {{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
{{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }} {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCert.PemFileName)) $location.Rewrite.SSLRedirect)) }}
{{ if not (isLocationInLocationList $location $all.Cfg.NoTLSRedirectLocations) }} {{ if not (isLocationInLocationList $location $all.Cfg.NoTLSRedirectLocations) }}
# enforce ssl on server side # enforce ssl on server side
if ($redirect_to_https) { if ($redirect_to_https) {