Removing secure-verify-ca-secret support and writing an error log if that annotation is used in an Ingress definition
This commit is contained in:
Laszlo Janosi
parent
a6815c36aa
commit
31227d61c2
10 changed files with 24 additions and 80 deletions
|
|
@ -121,11 +121,6 @@ $ kubectl ingress-nginx backends -n ingress-nginx
|
|||
}
|
||||
},
|
||||
"port": 0,
|
||||
"secureCACert": {
|
||||
"secret": "",
|
||||
"caFilename": "",
|
||||
"caSha": ""
|
||||
},
|
||||
"sslPassthrough": false,
|
||||
"endpoints": [
|
||||
{
|
||||
|
|
|
|||
|
|
@ -78,7 +78,6 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
|
|||
|[nginx.ingress.kubernetes.io/enable-rewrite-log](#enable-rewrite-log)|"true" or "false"|
|
||||
|[nginx.ingress.kubernetes.io/rewrite-target](#rewrite)|URI|
|
||||
|[nginx.ingress.kubernetes.io/satisfy](#satisfy)|string|
|
||||
|[nginx.ingress.kubernetes.io/secure-verify-ca-secret](#secure-backends)|string|
|
||||
|[nginx.ingress.kubernetes.io/server-alias](#server-alias)|string|
|
||||
|[nginx.ingress.kubernetes.io/server-snippet](#server-snippet)|string|
|
||||
|[nginx.ingress.kubernetes.io/service-upstream](#service-upstream)|"true" or "false"|
|
||||
|
|
|
|||
|
|
@ -110,41 +110,6 @@ func buildIngress() *networking.Ingress {
|
|||
}
|
||||
}
|
||||
|
||||
func TestSecureVerifyCACert(t *testing.T) {
|
||||
ec := NewAnnotationExtractor(mockCfg{
|
||||
MockSecrets: map[string]*apiv1.Secret{
|
||||
"default/secure-verify-ca": {
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "secure-verify-ca",
|
||||
},
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
anns := []struct {
|
||||
it int
|
||||
annotations map[string]string
|
||||
exists bool
|
||||
}{
|
||||
{1, map[string]string{backendProtocol: "HTTPS", annotationSecureVerifyCACert: "not"}, false},
|
||||
{2, map[string]string{backendProtocol: "HTTP", annotationSecureVerifyCACert: "secure-verify-ca"}, false},
|
||||
{3, map[string]string{backendProtocol: "HTTPS", annotationSecureVerifyCACert: "secure-verify-ca"}, true},
|
||||
{4, map[string]string{backendProtocol: "HTTPS", annotationSecureVerifyCACert + "_not": "secure-verify-ca"}, false},
|
||||
{5, map[string]string{backendProtocol: "HTTPS"}, false},
|
||||
{6, map[string]string{}, false},
|
||||
{7, nil, false},
|
||||
}
|
||||
|
||||
for _, ann := range anns {
|
||||
ing := buildIngress()
|
||||
ing.SetAnnotations(ann.annotations)
|
||||
su := ec.Extract(ing).SecureUpstream
|
||||
if (su.CACert.CAFileName != "") != ann.exists {
|
||||
t.Errorf("Expected exists was %v on iteration %v", ann.exists, ann.it)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestSSLPassthrough(t *testing.T) {
|
||||
ec := NewAnnotationExtractor(mockCfg{})
|
||||
ing := buildIngress()
|
||||
|
|
|
|||
|
|
@ -17,10 +17,8 @@ limitations under the License.
|
|||
package secureupstream
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
networking "k8s.io/api/networking/v1beta1"
|
||||
"k8s.io/klog"
|
||||
|
||||
"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
|
||||
"k8s.io/ingress-nginx/internal/ingress/resolver"
|
||||
|
|
@ -43,27 +41,10 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation {
|
|||
// Parse parses the annotations contained in the ingress
|
||||
// rule used to indicate if the upstream servers should use SSL
|
||||
func (a su) Parse(ing *networking.Ingress) (interface{}, error) {
|
||||
bp, _ := parser.GetStringAnnotation("backend-protocol", ing)
|
||||
ca, _ := parser.GetStringAnnotation("secure-verify-ca-secret", ing)
|
||||
secure := &Config{
|
||||
CACert: resolver.AuthSSLCert{},
|
||||
}
|
||||
|
||||
if (bp != "HTTPS" && bp != "GRPCS") && ca != "" {
|
||||
return secure,
|
||||
errors.Errorf("trying to use CA from secret %v/%v on a non secure backend", ing.Namespace, ca)
|
||||
if ca != "" {
|
||||
klog.Errorf("NOTE! secure-verify-ca-secret is not suppored anymore. Please use proxy-ssl-secret instead")
|
||||
}
|
||||
if ca == "" {
|
||||
return secure, nil
|
||||
}
|
||||
caCert, err := a.r.GetAuthCertificate(fmt.Sprintf("%v/%v", ing.Namespace, ca))
|
||||
if err != nil {
|
||||
return secure, errors.Wrap(err, "error obtaining certificate")
|
||||
}
|
||||
if caCert == nil {
|
||||
return secure, nil
|
||||
}
|
||||
return &Config{
|
||||
CACert: *caCert,
|
||||
}, nil
|
||||
return nil, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -104,7 +104,7 @@ func TestAnnotations(t *testing.T) {
|
|||
"default/secure-verify-ca": {},
|
||||
},
|
||||
}).Parse(ing)
|
||||
if err != nil {
|
||||
if err == nil {
|
||||
t.Errorf("Unexpected error on ingress: %v", err)
|
||||
}
|
||||
}
|
||||
|
|
@ -116,7 +116,7 @@ func TestSecretNotFound(t *testing.T) {
|
|||
data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca"
|
||||
ing.SetAnnotations(data)
|
||||
_, err := NewParser(mockCfg{}).Parse(ing)
|
||||
if err == nil {
|
||||
if err != nil {
|
||||
t.Error("Expected secret not found error on ingress")
|
||||
}
|
||||
}
|
||||
|
|
@ -132,7 +132,24 @@ func TestSecretOnNonSecure(t *testing.T) {
|
|||
"default/secure-verify-ca": {},
|
||||
},
|
||||
}).Parse(ing)
|
||||
if err == nil {
|
||||
if err != nil {
|
||||
t.Error("Expected CA secret on non secure backend error on ingress")
|
||||
}
|
||||
}
|
||||
|
||||
func TestUnsupportedAnnotation(t *testing.T) {
|
||||
ing := buildIngress()
|
||||
data := map[string]string{}
|
||||
data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS"
|
||||
data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca"
|
||||
ing.SetAnnotations(data)
|
||||
|
||||
_, err := NewParser(mockCfg{
|
||||
certs: map[string]resolver.AuthSSLCert{
|
||||
"default/secure-verify-ca": {},
|
||||
},
|
||||
}).Parse(ing)
|
||||
if err != nil {
|
||||
t.Errorf("Unexpected error on ingress: %v", err)
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -706,8 +706,6 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
|
|||
klog.V(3).Infof("Creating upstream %q", defBackend)
|
||||
upstreams[defBackend] = newUpstream(defBackend)
|
||||
|
||||
upstreams[defBackend].SecureCACert = anns.SecureUpstream.CACert
|
||||
|
||||
upstreams[defBackend].UpstreamHashBy.UpstreamHashBy = anns.UpstreamHashBy.UpstreamHashBy
|
||||
upstreams[defBackend].UpstreamHashBy.UpstreamHashBySubset = anns.UpstreamHashBy.UpstreamHashBySubset
|
||||
upstreams[defBackend].UpstreamHashBy.UpstreamHashBySubsetSize = anns.UpstreamHashBy.UpstreamHashBySubsetSize
|
||||
|
|
@ -771,8 +769,6 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
|
|||
upstreams[name] = newUpstream(name)
|
||||
upstreams[name].Port = path.Backend.ServicePort
|
||||
|
||||
upstreams[name].SecureCACert = anns.SecureUpstream.CACert
|
||||
|
||||
upstreams[name].UpstreamHashBy.UpstreamHashBy = anns.UpstreamHashBy.UpstreamHashBy
|
||||
upstreams[name].UpstreamHashBy.UpstreamHashBySubset = anns.UpstreamHashBy.UpstreamHashBySubset
|
||||
upstreams[name].UpstreamHashBy.UpstreamHashBySubsetSize = anns.UpstreamHashBy.UpstreamHashBySubsetSize
|
||||
|
|
|
|||
|
|
@ -39,7 +39,6 @@ import (
|
|||
"k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit"
|
||||
"k8s.io/ingress-nginx/internal/ingress/annotations/redirect"
|
||||
"k8s.io/ingress-nginx/internal/ingress/annotations/rewrite"
|
||||
"k8s.io/ingress-nginx/internal/ingress/resolver"
|
||||
)
|
||||
|
||||
var (
|
||||
|
|
@ -86,9 +85,6 @@ type Backend struct {
|
|||
Name string `json:"name"`
|
||||
Service *apiv1.Service `json:"service,omitempty"`
|
||||
Port intstr.IntOrString `json:"port"`
|
||||
// SecureCACert has the filename and SHA1 of the certificate authorities used to validate
|
||||
// a secured connection to the backend
|
||||
SecureCACert resolver.AuthSSLCert `json:"secureCACert"`
|
||||
// SSLPassthrough indicates that Ingress controller will delegate TLS termination to the endpoints.
|
||||
SSLPassthrough bool `json:"sslPassthrough"`
|
||||
// Endpoints contains the list of endpoints currently running
|
||||
|
|
|
|||
|
|
@ -113,9 +113,6 @@ func (b1 *Backend) Equal(b2 *Backend) bool {
|
|||
if b1.Port != b2.Port {
|
||||
return false
|
||||
}
|
||||
if !(&b1.SecureCACert).Equal(&b2.SecureCACert) {
|
||||
return false
|
||||
}
|
||||
if b1.SSLPassthrough != b2.SSLPassthrough {
|
||||
return false
|
||||
}
|
||||
|
|
|
|||
|
|
@ -33,7 +33,6 @@ func (in *Backend) DeepCopyInto(out *Backend) {
|
|||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
out.Port = in.Port
|
||||
out.SecureCACert = in.SecureCACert
|
||||
if in.Endpoints != nil {
|
||||
in, out := &in.Endpoints, &out.Endpoints
|
||||
*out = make([]Endpoint, len(*in))
|
||||
|
|
|
|||
|
|
@ -33,7 +33,6 @@ local function reset_backends()
|
|||
backends = {
|
||||
{
|
||||
name = "access-router-production-web-80", port = "80", secure = false,
|
||||
secureCACert = { secret = "", caFilename = "", caSha = "" },
|
||||
sslPassthrough = false,
|
||||
endpoints = {
|
||||
{ address = "10.184.7.40", port = "8080", maxFails = 0, failTimeout = 0 },
|
||||
|
|
|
|||
Loading…
Reference in a new issue