Merge pull request #179 from rikatz/defaultssl

Allows the usage of Default SSL Cert
2017-01-26 16:26:17 -03:00 · 2017-01-26 16:26:17 -03:00 · 53f1336e58
commit 53f1336e58
parent 92ddc6c670 cc1413261f
2 changed files with 31 additions and 3 deletions
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@ -203,7 +203,11 @@ http {
        server_name {{ $server.Hostname }};
        listen [::]:80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $index 0 }} ipv6only=off{{end}}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}};
        {{/* Listen on 442 because port 443 is used in the stream section */}}
-        {{ if not (empty $server.SSLCertificate) }}listen 442 {{ if $cfg.UseProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
+	{{ if not (empty $server.SSLCertificate) }}listen 442 {{ if $cfg.UseProxyProtocol }}proxy_protocol{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
+          {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
+          # PEM sha: {{ $server.SSLPemChecksum }}
+          ssl_certificate                         {{ $server.SSLCertificate }};
+
        {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
        # PEM sha: {{ $server.SSLPemChecksum }}
        ssl_certificate                         {{ $server.SSLCertificate }};
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
@ -47,6 +47,7 @@ import (
 	"k8s.io/ingress/core/pkg/ingress/resolver"
 	"k8s.io/ingress/core/pkg/ingress/status"
 	"k8s.io/ingress/core/pkg/k8s"
+	ssl "k8s.io/ingress/core/pkg/net/ssl"
 	local_strings "k8s.io/ingress/core/pkg/strings"
 	"k8s.io/ingress/core/pkg/task"
 )
@ -827,9 +828,30 @@ func (ic *GenericController) createServers(data []interface{}, upstreams map[str

 	dun := ic.getDefaultUpstream().Name

+	// This adds the Default Certificate to Default Backend and also for vhosts missing the secret
+	var defaultPemFileName, defaultPemSHA string
+	defaultCertificate, err := ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
+	// If no default Certificate was supplied, tries to generate a new dumb one
+	if err != nil {
+		var cert *ingress.SSLCert
+		defCert, defKey := ssl.GetFakeSSLCert()
+		cert, err = ssl.AddOrUpdateCertAndKey("system-snake-oil-certificate", defCert, defKey, []byte{})
+		if err != nil {
+			glog.Fatalf("Error generating self signed certificate: %v", err)
+		} else {
+			defaultPemFileName = cert.PemFileName
+			defaultPemSHA = cert.PemSHA
+		}
+	} else {
+		defaultPemFileName = defaultCertificate.PemFileName
+		defaultPemSHA = defaultCertificate.PemSHA
+	}
+
 	// default server
 	servers[defServerName] = &ingress.Server{
-		Hostname: defServerName,
+		Hostname:       defServerName,
+		SSLCertificate: defaultPemFileName,
+		SSLPemChecksum: defaultPemSHA,
 		Locations: []*ingress.Location{
 			{
 				Path:         rootLocation,
@ -899,7 +921,9 @@ func (ic *GenericController) createServers(data []interface{}, upstreams map[str
 						servers[host].SSLPemChecksum = cert.PemSHA
 					}
 				} else {
-					glog.Warningf("secret %v does not exists", key)
+
+					servers[host].SSLCertificate = defaultPemFileName
+					servers[host].SSLPemChecksum = defaultPemSHA
 				}
 			}