DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #2678 from hnrytrn/refactor-cert

Browse source 
Refactor server type to include SSLCert
This commit is contained in:
k8s-ci-robot 2018-06-22 12:34:04 -07:00 committed by GitHub
commit 700a2275d1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 27 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
internal/ingress/controller/controller.go
View file

@ -858,9 +858,11 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
// initialize default server and root location // initialize default server and root location
servers[defServerName] = &ingress.Server{ servers[defServerName] = &ingress.Server{
Hostname: defServerName, Hostname: defServerName,
SSLCertificate: defaultPemFileName, SSLCert: ingress.SSLCert{
SSLPemChecksum: defaultPemSHA, PemFileName: defaultPemFileName,
PemSHA: defaultPemSHA,
},
Locations: []*ingress.Location{ Locations: []*ingress.Location{
{ {
Path: rootLocation, Path: rootLocation,
@ -989,7 +991,7 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
} }
// only add a certificate if the server does not have one previously configured // only add a certificate if the server does not have one previously configured
if servers[host].SSLCertificate != "" { if servers[host].SSLCert.PemFileName != "" {
continue continue
} }
@ -1002,8 +1004,8 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
if tlsSecretName == "" { if tlsSecretName == "" {
glog.V(3).Infof("Host %q is listed in the TLS section but secretName is empty. Using default certificate.", host) glog.V(3).Infof("Host %q is listed in the TLS section but secretName is empty. Using default certificate.", host)
servers[host].SSLCertificate = defaultPemFileName servers[host].SSLCert.PemFileName = defaultPemFileName
servers[host].SSLPemChecksum = defaultPemSHA servers[host].SSLCert.PemSHA = defaultPemSHA
continue continue
} }
@ -1027,10 +1029,7 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
} }
} }
servers[host].SSLCertificate = cert.PemFileName servers[host].SSLCert = *cert
servers[host].SSLFullChainCertificate = cert.FullChainPemFileName
servers[host].SSLPemChecksum = cert.PemSHA
servers[host].SSLExpireTime = cert.ExpireTime
if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour)) { if cert.ExpireTime.Before(time.Now().Add(240 * time.Hour)) {
glog.Warningf("SSL certificate for server %q is about to expire (%v)", cert.ExpireTime) glog.Warningf("SSL certificate for server %q is about to expire (%v)", cert.ExpireTime)

2
internal/ingress/controller/metrics.go
View file

@ -114,7 +114,7 @@ func ConfigSuccessTime() {
func setSSLExpireTime(servers []*ingress.Server) { func setSSLExpireTime(servers []*ingress.Server) {
for _, s := range servers { for _, s := range servers {
if s.Hostname != defServerName { if s.Hostname != defServerName {
sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLExpireTime.Unix())) sslExpireTime.WithLabelValues(s.Hostname).Set(float64(s.SSLCert.ExpireTime.Unix()))
} }
} }
} }

16
internal/ingress/types.go
View file

@ -17,8 +17,6 @@ limitations under the License.
package ingress package ingress
import ( import (
"time"
apiv1 "k8s.io/api/core/v1" apiv1 "k8s.io/api/core/v1"
extensions "k8s.io/api/extensions/v1beta1" extensions "k8s.io/api/extensions/v1beta1"
"k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/intstr"
@ -143,18 +141,8 @@ type Server struct {
// SSLPassthrough indicates if the TLS termination is realized in // SSLPassthrough indicates if the TLS termination is realized in
// the server or in the remote endpoint // the server or in the remote endpoint
SSLPassthrough bool `json:"sslPassthrough"` SSLPassthrough bool `json:"sslPassthrough"`
// SSLCertificate path to the SSL certificate on disk // SSLCert describes the certificate that will be used on the server
SSLCertificate string `json:"sslCertificate"` SSLCert SSLCert `json:"sslCert"`
// SSLFullChainCertificate path to the SSL certificate on disk
// This certificate contains the full chain (ca + intermediates + cert)
SSLFullChainCertificate string `json:"sslFullChainCertificate"`
// SSLExpireTime has the expire date of this certificate
SSLExpireTime time.Time `json:"sslExpireTime"`
// SSLPemChecksum returns the checksum of the certificate file on disk.
// There is no restriction in the hash generator. This checksum can be
// used to determine if the secret changed without the use of file
// system notifications
SSLPemChecksum string `json:"sslPemChecksum"`
// Locations list of URIs configured in the server. // Locations list of URIs configured in the server.
Locations []*Location `json:"locations,omitempty"` Locations []*Location `json:"locations,omitempty"`
// Alias return the alias of the server name // Alias return the alias of the server name

16
internal/ingress/types_equals.go
View file

@ -263,16 +263,7 @@ func (s1 *Server) Equal(s2 *Server) bool {
if s1.SSLPassthrough != s2.SSLPassthrough { if s1.SSLPassthrough != s2.SSLPassthrough {
return false return false
} }
if s1.SSLCertificate != s2.SSLCertificate { if !(&s1.SSLCert).Equal(&s2.SSLCert) {
return false
}
if s1.SSLFullChainCertificate != s2.SSLFullChainCertificate {
return false
}
if !s1.SSLExpireTime.Equal(s2.SSLExpireTime) {
return false
}
if s1.SSLPemChecksum != s2.SSLPemChecksum {
return false return false
} }
if s1.Alias != s2.Alias { if s1.Alias != s2.Alias {
@ -494,7 +485,7 @@ func (l4b1 *L4Backend) Equal(l4b2 *L4Backend) bool {
return true return true
} }
// Equal tests for equality between two L4Backend types // Equal tests for equality between two SSLCert types
func (s1 *SSLCert) Equal(s2 *SSLCert) bool { func (s1 *SSLCert) Equal(s2 *SSLCert) bool {
if s1 == s2 { if s1 == s2 {
return true return true
@ -511,6 +502,9 @@ func (s1 *SSLCert) Equal(s2 *SSLCert) bool {
if !s1.ExpireTime.Equal(s2.ExpireTime) { if !s1.ExpireTime.Equal(s2.ExpireTime) {
return false return false
} }
if s1.FullChainPemFileName != s2.FullChainPemFileName {
return false
}
for _, cn1 := range s1.CN { for _, cn1 := range s1.CN {
found := false found := false

20
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -725,7 +725,7 @@ stream {
{{/* Listen on {{ $all.ListenPorts.SSLProxy }} because port {{ $all.ListenPorts.HTTPS }} is used in the TLS sni server */}} {{/* Listen on {{ $all.ListenPorts.SSLProxy }} because port {{ $all.ListenPorts.HTTPS }} is used in the TLS sni server */}}
{{/* This listener must always have proxy_protocol enabled, because the SNI listener forwards on source IP info in it. */}} {{/* This listener must always have proxy_protocol enabled, because the SNI listener forwards on source IP info in it. */}}
{{ if not (empty $server.SSLCertificate) }} {{ if not (empty $server.SSLCert.PemFileName) }}
{{ range $address := $all.Cfg.BindAddressIpv4 }} {{ range $address := $all.Cfg.BindAddressIpv4 }}
listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol {{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol {{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
{{ else }} {{ else }}
@ -733,17 +733,17 @@ stream {
{{ end }} {{ end }}
{{ if $all.IsIPV6Enabled }} {{ if $all.IsIPV6Enabled }}
{{ range $address := $all.Cfg.BindAddressIpv6 }} {{ range $address := $all.Cfg.BindAddressIpv6 }}
{{ if not (empty $server.SSLCertificate) }}listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; {{ if not (empty $server.SSLCert.PemFileName) }}listen {{ $address }}:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
{{ else }} {{ else }}
{{ if not (empty $server.SSLCertificate) }}listen [::]:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }}; {{ if not (empty $server.SSLCert.PemFileName) }}listen [::]:{{ if $all.IsSSLPassthroughEnabled }}{{ $all.ListenPorts.SSLProxy }} proxy_protocol{{ else }}{{ $all.ListenPorts.HTTPS }}{{ if $all.Cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ end }}{{ end }} {{ if eq $server.Hostname "_"}} default_server {{ if $all.Cfg.ReusePort }}reuseport{{ end }} backlog={{ $all.BacklogSize }}{{end}} ssl {{ if $all.Cfg.UseHTTP2 }}http2{{ end }};
{{ end }} {{ end }}
{{ end }} {{ end }}
{{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}} {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
# PEM sha: {{ $server.SSLPemChecksum }} # PEM sha: {{ $server.SSLCert.PemSHA }}
ssl_certificate {{ $server.SSLCertificate }}; ssl_certificate {{ $server.SSLCert.PemFileName }};
ssl_certificate_key {{ $server.SSLCertificate }}; ssl_certificate_key {{ $server.SSLCert.PemFileName }};
{{ if not (empty $server.SSLFullChainCertificate)}} {{ if not (empty $server.SSLCert.FullChainPemFileName)}}
ssl_trusted_certificate {{ $server.SSLFullChainCertificate }}; ssl_trusted_certificate {{ $server.SSLCert.FullChainPemFileName }};
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{{ end }} {{ end }}
@ -912,7 +912,7 @@ stream {
} }
{{ end }} {{ end }}
{{ if (and (not (empty $server.SSLCertificate)) $all.Cfg.HSTS) }} {{ if (and (not (empty $server.SSLCert.PemFileName)) $all.Cfg.HSTS) }}
if ($scheme = https) { if ($scheme = https) {
more_set_headers "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $all.Cfg.HSTSPreload }}; preload{{ end }}"; more_set_headers "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $all.Cfg.HSTSPreload }}; preload{{ end }}";
} }
@ -932,7 +932,7 @@ stream {
set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location $all.DynamicConfigurationEnabled }}"; set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location $all.DynamicConfigurationEnabled }}";
{{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}} {{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
{{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }} {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCert.PemFileName)) $location.Rewrite.SSLRedirect)) }}
{{ if not (isLocationInLocationList $location $all.Cfg.NoTLSRedirectLocations) }} {{ if not (isLocationInLocationList $location $all.Cfg.NoTLSRedirectLocations) }}
# enforce ssl on server side # enforce ssl on server side
if ($redirect_to_https) { if ($redirect_to_https) {