Merge pull request #4689 from janosi/upstream_ssl

Server-only authentication of backends and per-location SSL config
2019-11-18 19:49:43 -08:00 · 2019-11-18 19:49:43 -08:00 · 4ffc076e0c
commit 4ffc076e0c
parent 9481d399e2 23ccfe81f5
5 changed files with 23 additions and 2 deletions
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@ -1166,6 +1166,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress)
 	loc.EnableGlobalAuth = anns.EnableGlobalAuth
 	loc.HTTP2PushPreload = anns.HTTP2PushPreload
 	loc.Proxy = anns.Proxy
 	loc.ProxySSL = anns.ProxySSL
 	loc.RateLimit = anns.RateLimit
 	loc.Redirect = anns.Redirect
 	loc.Rewrite = anns.Rewrite
--- a/internal/ingress/controller/store/backend_ssl.go
+++ b/internal/ingress/controller/store/backend_ssl.go
@ -115,6 +115,7 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 				return nil, fmt.Errorf("error while storing certificate and key: %v", err)
 			}
 			sslCert.PemFileName = path
 			sslCert.CACertificate = caCert
 			sslCert.CAFileName = path
 			sslCert.CASHA = file.SHA1(path)
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@ -843,6 +843,7 @@ func (s *k8sStore) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error
 		CASHA:       cert.CASHA,
 		CRLFileName: cert.CRLFileName,
 		CRLSHA:      cert.CRLSHA,
 		PemFileName: cert.PemFileName,
 	}, nil
 }
--- a/internal/ingress/resolver/main.go
+++ b/internal/ingress/resolver/main.go
@ -56,6 +56,8 @@ type AuthSSLCert struct {
 	CRLFileName string `json:"crlFileName"`
 	// CRLSHA contains the SHA1 hash of the 'ca.crl' file
 	CRLSHA string `json:"crlSha"`
 	// PemFileName contains the path to the secrets 'tls.crt' and 'tls.key'
 	PemFileName string `json:"pemFilename"`
 }
 // Equal tests for equality between two AuthSSLCert types
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -818,8 +818,6 @@ stream {
        {{ if not (empty $server.ProxySSL.CAFileName) }}
        # PEM sha: {{ $server.ProxySSL.CASHA }}
        proxy_ssl_certificate                   {{ $server.ProxySSL.CAFileName }};
        proxy_ssl_certificate_key               {{ $server.ProxySSL.CAFileName }};
        proxy_ssl_trusted_certificate           {{ $server.ProxySSL.CAFileName }};
        proxy_ssl_ciphers                       {{ $server.ProxySSL.Ciphers }};
        proxy_ssl_protocols                     {{ $server.ProxySSL.Protocols }};
@ -827,6 +825,11 @@ stream {
        proxy_ssl_verify_depth                  {{ $server.ProxySSL.VerifyDepth }};
        {{ end }}
        {{ if not (empty $server.ProxySSL.PemFileName) }}
        proxy_ssl_certificate                   {{ $server.ProxySSL.PemFileName }};
        proxy_ssl_certificate_key               {{ $server.ProxySSL.PemFileName }};
        {{ end }}
        {{ if not (empty $server.SSLCiphers) }}
        ssl_ciphers                             {{ $server.SSLCiphers }};
        {{ end }}
@ -1287,6 +1290,19 @@ stream {
            # Location denied. Reason: {{ $location.Denied | quote }}
            return 503;
            {{ end }}
            {{ if not (empty $location.ProxySSL.CAFileName) }}
            # PEM sha: {{ $location.ProxySSL.CASHA }}
            proxy_ssl_trusted_certificate           {{ $location.ProxySSL.CAFileName }};
            proxy_ssl_ciphers                       {{ $location.ProxySSL.Ciphers }};
            proxy_ssl_protocols                     {{ $location.ProxySSL.Protocols }};
            proxy_ssl_verify                        {{ $location.ProxySSL.Verify }};
            proxy_ssl_verify_depth                  {{ $location.ProxySSL.VerifyDepth }};
            {{ end }}
            {{ if not (empty $location.ProxySSL.PemFileName) }}
            proxy_ssl_certificate                   {{ $location.ProxySSL.PemFileName }};
            proxy_ssl_certificate_key               {{ $location.ProxySSL.PemFileName }};
            {{ end }}
        }
        {{ end }}
        {{ end }}