From 417a92652f01e067379e9942ae67e79285bb4b6c Mon Sep 17 00:00:00 2001
From: Giancarlo Rubio
Date: Thu, 13 Apr 2017 15:53:30 +0200
Subject: [PATCH] Move certificateauth from location to server

---
 .../nginx/rootfs/etc/nginx/template/nginx.tmpl | 16 ++++++++--------
 core/pkg/ingress/controller/util_test.go | 2 --
 core/pkg/ingress/types.go | 9 ++++-----
 3 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index e0961db2d..95d6d49a5 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -238,17 +238,17 @@ http {
 {{ if $cfg.EnableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }}
+ {{ if not (empty $server.CertificateAuth.AuthSSLCert.CAFileName) }}
+ # PEM sha: {{ $server.CertificateAuth.AuthSSLCert.PemSHA }}
+ ssl_client_certificate {{ $server.CertificateAuth.AuthSSLCert.CAFileName }};
+ ssl_verify_client on;
+ ssl_verify_depth {{ $server.CertificateAuth.ValidationDepth }};
+ {{ end }}
+
 {{ range $location := $server.Locations }}
 {{ $path := buildLocation $location }}
 {{ $authPath := buildAuthLocation $location }}
- {{ if not (empty $location.CertificateAuth.AuthSSLCert.CAFileName) }}
- # PEM sha: {{ $location.CertificateAuth.AuthSSLCert.PemSHA }}
- ssl_client_certificate {{ $location.CertificateAuth.AuthSSLCert.CAFileName }};
- ssl_verify_client on;
- ssl_verify_depth {{ $location.CertificateAuth.ValidationDepth }};
- {{ end }}
-
 {{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }}
 # enforce ssl on server side
 if ($pass_access_scheme = http) {
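Review bot: Nothing in this patch assigns Server.CertificateAuth, so the new `{{ if not (empty $server.CertificateAuth.AuthSSLCert.CAFileName) }}` guard is always false and neither `ssl_client_certificate` nor `ssl_verify_client on` is rendered any more; the field is introduced by this same commit in types.go and the diffstat lists no controller change that copies the location annotation into the server, so unless a follow-up commit wires that up, hosts that previously required a client certificate stop requiring one without any error. The condition changed at @@ -331 has the same dependency, so the ssl-client-cert header block disappears with it. If several ingresses can contribute locations to one server, the code that fills the field should also define what happens when their authtls annotations disagree (first wins, or reject) so one location's setting cannot silently relax another's. The enclosing server block starts and ends outside the hunk.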
@@ -331,7 +331,7 @@ http {
 proxy_set_header Host $best_http_host;
 # Pass the extracted client certificate to the backend
- {{ if not (empty $location.CertificateAuth.AuthSSLCert.CAFileName) }}
+ {{ if not (empty $server.CertificateAuth.AuthSSLCert.CAFileName) }}
 proxy_set_header ssl-client-cert $ssl_client_cert;
 {{ end }}
diff --git a/core/pkg/ingress/controller/util_test.go b/core/pkg/ingress/controller/util_test.go
index 2aa6d5a20..2ea006a8d 100644
--- a/core/pkg/ingress/controller/util_test.go
+++ b/core/pkg/ingress/controller/util_test.go
@@ -23,7 +23,6 @@ import (
 "k8s.io/ingress/core/pkg/ingress"
 "k8s.io/ingress/core/pkg/ingress/annotations/auth"
 "k8s.io/ingress/core/pkg/ingress/annotations/authreq"
- "k8s.io/ingress/core/pkg/ingress/annotations/authtls"
 "k8s.io/ingress/core/pkg/ingress/annotations/ipwhitelist"
 "k8s.io/ingress/core/pkg/ingress/annotations/proxy"
 "k8s.io/ingress/core/pkg/ingress/annotations/ratelimit"
@@ -102,7 +101,6 @@ func TestMergeLocationAnnotations(t *testing.T) {
 "Redirect": rewrite.Redirect{},
 "Whitelist": ipwhitelist.SourceRange{},
 "Proxy": proxy.Configuration{},
- "CertificateAuth": authtls.AuthSSLConfig{},
 "UsePortInRedirects": true,
 }
diff --git a/core/pkg/ingress/types.go b/core/pkg/ingress/types.go
index 8b9626549..7579337a2 100644
--- a/core/pkg/ingress/types.go
+++ b/core/pkg/ingress/types.go
@@ -212,6 +212,10 @@ type Server struct {
 SSLPemChecksum string `json:"sslPemChecksum"`
 // Locations list of URIs configured in the server.
 Locations []*Location `json:"locations,omitempty"`
+ // CertificateAuth indicates the access to this location requires
+ // external authentication
+ // +optional
+ CertificateAuth authtls.AuthSSLConfig `json:"certificateAuth,omitempty"`
 }
 // Location describes an URI inside a server.
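Review bot: When the new `{{ if not (empty $server.CertificateAuth.AuthSSLCert.CAFileName) }}` condition is false the `proxy_set_header ssl-client-cert` line is not rendered at all, so the header is neither set nor cleared and a value supplied by the client reaches the backend unchanged on servers that do no certificate verification. An `{{ else }}` branch with `proxy_set_header ssl-client-cert "";` would make the header trustworthy in both cases, since a backend cannot tell from the header alone whether nginx produced it. The enclosing location block starts and ends outside the hunk.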
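Review bot: The doc comment added for Server.CertificateAuth still reads "access to this location requires external authentication", copied from the Location field, and is inaccurate on both counts now: the field is server-wide, and what the template emits from it is client-certificate verification (ssl_client_certificate / ssl_verify_client), not a request to an external auth service. Suggest `// CertificateAuth, when its CA file is set, makes nginx require a client certificate signed by that CA for the whole server (mutual TLS).` above the `// +optional` marker. Moving the field also moves the `certificateAuth` JSON key from each location to the server, which changes the serialized model for anything that consumes it and deserves a sentence in the commit message. The Server struct starts before the hunk.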
@@ -223,7 +227,6 @@ type Server struct {
 // In some cases when more than one annotations is defined a particular order in the execution
 // is required.
 // The chain in the execution order of annotations should be:
-// - CertificateAuth
 // - Whitelist
 // - RateLimit
 // - BasicDigestAuth
@@ -274,10 +277,6 @@ type Location struct {
 // to be used in connections against endpoints
 // +optional
 Proxy proxy.Configuration `json:"proxy,omitempty"`
- // CertificateAuth indicates the access to this location requires
- // external authentication
- // +optional
- CertificateAuth authtls.AuthSSLConfig `json:"certificateAuth,omitempty"`
 // UsePortInRedirects indicates if redirects must specify the port
 // +optional
 UsePortInRedirects bool `json:"use-port-in-redirects"`