Enabling per-location proxy-ssl parameters, so that locations of the same server that come from their own distinct Ingress definitions can have different SSL configs

Laszlo Janosi 2019-10-17 09:23:42 +02:00
parent a6815c36aa
commit 37fe9c9876
5 changed files with 29 additions and 18 deletions


@ -491,17 +491,6 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
server.Hostname, ingKey) server.Hostname, ingKey)
} }
if server.ProxySSL.CAFileName == "" {
server.ProxySSL = anns.ProxySSL
if server.ProxySSL.Secret != "" && server.ProxySSL.CAFileName == "" {
klog.V(3).Infof("Secret %q has no 'ca.crt' key, client cert authentication disabled for Ingress %q",
server.ProxySSL.Secret, ingKey)
}
} else {
klog.V(3).Infof("Server %q is already configured for client cert authentication (Ingress %q)",
server.Hostname, ingKey)
}
if rule.HTTP == nil { if rule.HTTP == nil {
klog.V(3).Infof("Ingress %q does not contain any HTTP rule, using default backend", ingKey) klog.V(3).Infof("Ingress %q does not contain any HTTP rule, using default backend", ingKey)
continue continue
@ -1170,6 +1159,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress)
loc.EnableGlobalAuth = anns.EnableGlobalAuth loc.EnableGlobalAuth = anns.EnableGlobalAuth
loc.HTTP2PushPreload = anns.HTTP2PushPreload loc.HTTP2PushPreload = anns.HTTP2PushPreload
loc.Proxy = anns.Proxy loc.Proxy = anns.Proxy
loc.ProxySSL = anns.ProxySSL
loc.RateLimit = anns.RateLimit loc.RateLimit = anns.RateLimit
loc.Redirect = anns.Redirect loc.Redirect = anns.Redirect
loc.Rewrite = anns.Rewrite loc.Rewrite = anns.Rewrite
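Review bot: The V(3) diagnostic for a proxy-ssl secret that has no `ca.crt` (removed in the first hunk) is dropped, and the new `loc.ProxySSL = anns.ProxySSL` in locationApplyAnnotations adds no equivalent, so an operator gets no signal that upstream verification is off for that location. Mirror it after the assignment: `if loc.ProxySSL.Secret != "" && loc.ProxySSL.CAFileName == "" {` / `klog.V(3).Infof("Secret %q has no 'ca.crt' key, upstream certificate verification disabled for location %q", loc.ProxySSL.Secret, loc.Path)` / `}` (use whatever field identifies the location here if it is not Path). With the server-level assignment removed in getBackendServers, it is also not visible from this hunk what still populates `server.ProxySSL`, which the template continues to render; if nothing does, that server block is dead code, worth confirming. Both getBackendServers and locationApplyAnnotations extend beyond the hunks shown.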


@ -104,17 +104,19 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err) return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err)
} }
path, err := ssl.StoreSSLCertOnDisk(nsSecName, sslCert)
if err != nil {
return nil, fmt.Errorf("error while storing certificate and key: %v", err)
}
sslCert.PemFileName = path
if len(ca) > 0 { if len(ca) > 0 {
caCert, err := ssl.CheckCACert(ca) caCert, err := ssl.CheckCACert(ca)
if err != nil { if err != nil {
return nil, fmt.Errorf("parsing CA certificate: %v", err) return nil, fmt.Errorf("parsing CA certificate: %v", err)
} }
path, err := ssl.StoreSSLCertOnDisk(nsSecName, sslCert)
if err != nil {
return nil, fmt.Errorf("error while storing certificate and key: %v", err)
}
sslCert.CACertificate = caCert sslCert.CACertificate = caCert
sslCert.CAFileName = path sslCert.CAFileName = path
sslCert.CASHA = file.SHA1(path) sslCert.CASHA = file.SHA1(path)
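Review bot: Moving `ssl.StoreSSLCertOnDisk` out of the `if len(ca) > 0` block means every secret that carries `tls.crt`/`tls.key` now has its private key written to disk, not only the ones that also carry `ca.crt` and are used for client-cert authentication; most TLS secrets are never referenced as a proxy-ssl secret, so this widens the on-disk exposure of keys. Whether that is acceptable depends on the file mode and directory StoreSSLCertOnDisk uses, which are not visible here, so confirm them or write the file only when a caller actually needs PemFileName. Note also that inside the CA block the same `path` is reused as `CAFileName`, so the file handed to `proxy_ssl_trusted_certificate` is the bundle that also holds the key; a comment such as `// path holds tls.crt+tls.key; it doubles as the CA bundle path when ca.crt is present` would make that explicit. getPemCertificate starts and ends outside this hunk.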


@ -843,6 +843,7 @@ func (s *k8sStore) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error
CASHA: cert.CASHA, CASHA: cert.CASHA,
CRLFileName: cert.CRLFileName, CRLFileName: cert.CRLFileName,
CRLSHA: cert.CRLSHA, CRLSHA: cert.CRLSHA,
PemFileName: cert.PemFileName,
}, nil }, nil
} }


@ -56,6 +56,8 @@ type AuthSSLCert struct {
CRLFileName string `json:"crlFileName"` CRLFileName string `json:"crlFileName"`
// CRLSHA contains the SHA1 hash of the 'ca.crl' file // CRLSHA contains the SHA1 hash of the 'ca.crl' file
CRLSHA string `json:"crlSha"` CRLSHA string `json:"crlSha"`
// PemFileName contains the path to the secrets 'tls.crt' and 'tls.key'
PemFileName string `json:"pemFilename"`
} }
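Review bot: The new field's JSON tag `pemFilename` breaks the casing of the neighbouring tags (`crlFileName`, `caFileName`); use `PemFileName string \`json:"pemFileName"\``. `Equal` (declared right below, body outside the hunk) should also compare `PemFileName`, otherwise a changed certificate path will not be detected as a difference; verify that it was updated. The comment should read `// PemFileName contains the path to the secret's 'tls.crt' and 'tls.key'`.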
// Equal tests for equality between two AuthSSLCert types // Equal tests for equality between two AuthSSLCert types


@ -817,8 +817,6 @@ stream {
{{ if not (empty $server.ProxySSL.CAFileName) }} {{ if not (empty $server.ProxySSL.CAFileName) }}
# PEM sha: {{ $server.ProxySSL.CASHA }} # PEM sha: {{ $server.ProxySSL.CASHA }}
proxy_ssl_certificate {{ $server.ProxySSL.CAFileName }};
proxy_ssl_certificate_key {{ $server.ProxySSL.CAFileName }};
proxy_ssl_trusted_certificate {{ $server.ProxySSL.CAFileName }}; proxy_ssl_trusted_certificate {{ $server.ProxySSL.CAFileName }};
proxy_ssl_ciphers {{ $server.ProxySSL.Ciphers }}; proxy_ssl_ciphers {{ $server.ProxySSL.Ciphers }};
proxy_ssl_protocols {{ $server.ProxySSL.Protocols }}; proxy_ssl_protocols {{ $server.ProxySSL.Protocols }};
@ -826,6 +824,11 @@ stream {
proxy_ssl_verify_depth {{ $server.ProxySSL.VerifyDepth }}; proxy_ssl_verify_depth {{ $server.ProxySSL.VerifyDepth }};
{{ end }} {{ end }}
{{ if not (empty $server.ProxySSL.PemFileName) }}
proxy_ssl_certificate {{ $server.ProxySSL.CAFileName }};
proxy_ssl_certificate_key {{ $server.ProxySSL.CAFileName }};
{{ end }}
{{ if not (empty $server.SSLCiphers) }} {{ if not (empty $server.SSLCiphers) }}
ssl_ciphers {{ $server.SSLCiphers }}; ssl_ciphers {{ $server.SSLCiphers }};
{{ end }} {{ end }}
@ -1286,6 +1289,19 @@ stream {
# Location denied. Reason: {{ $location.Denied | quote }} # Location denied. Reason: {{ $location.Denied | quote }}
return 503; return 503;
{{ end }} {{ end }}
{{ if not (empty $location.ProxySSL.CAFileName) }}
# PEM sha: {{ $location.ProxySSL.CASHA }}
proxy_ssl_trusted_certificate {{ $location.ProxySSL.CAFileName }};
proxy_ssl_ciphers {{ $location.ProxySSL.Ciphers }};
proxy_ssl_protocols {{ $location.ProxySSL.Protocols }};
proxy_ssl_verify {{ $location.ProxySSL.Verify }};
proxy_ssl_verify_depth {{ $location.ProxySSL.VerifyDepth }};
{{ end }}
{{ if not (empty $location.ProxySSL.PemFileName) }}
proxy_ssl_certificate {{ $location.ProxySSL.CAFileName }};
proxy_ssl_certificate_key {{ $location.ProxySSL.CAFileName }};
{{ end }}
} }
{{ end }} {{ end }}
{{ end }} {{ end }}
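Review bot: In the location hunk, `proxy_ssl_certificate` and `proxy_ssl_certificate_key` are emitted when `PemFileName` is non-empty but render `$location.ProxySSL.CAFileName`; for a secret that has `tls.crt`/`tls.key` and no `ca.crt`, CAFileName is empty and nginx receives `proxy_ssl_certificate ;`, which is invalid and at best fails the config test. Render the field the guard checks: `proxy_ssl_certificate {{ $location.ProxySSL.PemFileName }};` and `proxy_ssl_certificate_key {{ $location.ProxySSL.PemFileName }};`, and apply the same fix to the server block's two lines in the earlier hunk. Also worth a template comment: when only a client certificate is configured, the CAFileName block is skipped, so no `proxy_ssl_verify` is emitted and the upstream's certificate is not verified, which is presumably what the removed klog message used to warn about. The server block and the location block each begin before their hunks.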