From 7e70470f187d1a5bd70b43b8ec4f7c3d02f51149 Mon Sep 17 00:00:00 2001
From: Julio Camarero
Date: Fri, 6 Dec 2024 16:04:43 +0100
Subject: [PATCH] Add new fields to proxyssl.Config
---
internal/ingress/annotations/proxyssl/main.go | 22 ++++--
internal/ingress/resolver/main.go | 67 +++++++++++++++++++
2 files changed, 82 insertions(+), 7 deletions(-)
diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go
index 14f3d5205..f1725ad9a 100644
--- a/internal/ingress/annotations/proxyssl/main.go
+++ b/internal/ingress/annotations/proxyssl/main.go
@@ -128,16 +128,18 @@ var proxySSLAnnotation = parser.Annotation{
 },
 }
 
-// Config contains the AuthSSLCert used for mutual authentication
+// Config contains the Proxy SSL certificates and CAs used for mutual authentication
 // and the configured VerifyDepth
 type Config struct {
 resolver.AuthSSLCert
- Ciphers string `json:"ciphers"`
- Protocols string `json:"protocols"`
- ProxySSLName string `json:"proxySSLName"`
- Verify string `json:"verify"`
- VerifyDepth int `json:"verifyDepth"`
- ProxySSLServerName string `json:"proxySSLServerName"`
+ ProxySSLClientCert resolver.SSLClientCert `json:"proxySSLClientCert"`
+ ProxySSLCA resolver.SSLCA `json:"proxySSLCA"`
+ Ciphers string `json:"ciphers"`
+ Protocols string `json:"protocols"`
+ ProxySSLName string `json:"proxySSLName"`
+ Verify string `json:"verify"`
+ VerifyDepth int `json:"verifyDepth"`
+ ProxySSLServerName string `json:"proxySSLServerName"`
 }
 
 // Equal tests for equality between two Config types
@@ -151,6 +153,12 @@ func (pssl1 *Config) Equal(pssl2 *Config) bool {
 if !(&pssl1.AuthSSLCert).Equal(&pssl2.AuthSSLCert) {
 return false
 }
+ if !(&pssl1.ProxySSLClientCert).Equal(&pssl2.ProxySSLClientCert) {
+ return false
+ }
+ if !(&pssl1.ProxySSLCA).Equal(&pssl2.ProxySSLCA) {
+ return false
+ }
 if pssl1.Ciphers != pssl2.Ciphers {
 return false
 }
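Review bot: The rewritten doc comment on Config in the first hunk does not say how the new ProxySSLClientCert and ProxySSLCA fields relate to the embedded resolver.AuthSSLCert, so a reader cannot tell whether both are populated or the new fields supersede the embedded one; the code that fills Config is not in this diff. A short comment on the two new fields, stating what each holds and whether AuthSSLCert is still filled alongside them, would make that explicit, with the wording confirmed against the callers that populate Config. The Equal additions in the second hunk match the new fields; that function continues outside the hunk.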
diff --git a/internal/ingress/resolver/main.go b/internal/ingress/resolver/main.go
index 259f44e49..37973f66b 100644
--- a/internal/ingress/resolver/main.go
+++ b/internal/ingress/resolver/main.go
@@ -91,3 +91,70 @@ func (asslc1 *AuthSSLCert) Equal(assl2 *AuthSSLCert) bool {
 
 return true
 }
+
+// SSLClientCert contains the clients certificate information
+type SSLClientCert struct {
+ // Secret contains the name of the secret this was fetched from
+ Secret string `json:"secret"`
+ // PemFileName contains the path to the secrets 'tls.crt' and 'tls.key'
+ PemFileName string `json:"pemFilename"`
+}
+
+// Equal tests for equality between two SSLClientCert types
+func (sslcc1 *SSLClientCert) Equal(sslcc2 *SSLClientCert) bool {
+ if sslcc1 == sslcc2 {
+ return true
+ }
+ if sslcc1 == nil || sslcc2 == nil {
+ return false
+ }
+
+ if sslcc1.Secret != sslcc2.Secret {
+ return false
+ }
+
+ return true
+}
+
+// SSLCA contains the CAs used to validate client certificates
+type SSLCA struct {
+ // ConfigMap contains the name of the configMap this was fetched from
+ ConfigMap string `json:"configmap"`
+ // CAFileName contains the path to the secrets 'ca.crt'
+ CAFileName string `json:"caFilename"`
+ // CASHA contains the SHA1 hash of the 'ca.crt'
+ CASHA string `json:"caSha"`
+ // CRLFileName contains the path to the secrets 'ca.crl'
+ CRLFileName string `json:"crlFileName"`
+ // CRLSHA contains the SHA1 hash of the 'ca.crl' file
+ CRLSHA string `json:"crlSha"`
+}
+
+// Equal tests for equality between two SSLCA types
+func (sslc1 *SSLCA) Equal(sslc2 *SSLCA) bool {
+ if sslc1 == sslc2 {
+ return true
+ }
+ if sslc1 == nil || sslc2 == nil {
+ return false
+ }
+
+ if sslc1.ConfigMap != sslc2.ConfigMap {
+ return false
+ }
+ if sslc1.CAFileName != sslc2.CAFileName {
+ return false
+ }
+ if sslc1.CASHA != sslc2.CASHA {
+ return false
+ }
+
+ if sslc1.CRLFileName != sslc2.CRLFileName {
+ return false
+ }
+ if sslc1.CRLSHA != sslc2.CRLSHA {
+ return false
+ }
+
+ return true
+}
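Review bot: SSLClientCert.Equal compares only Secret, while the SSLCA.Equal added just below compares every field including the file paths and the content hashes, so two SSLClientCert values naming the same secret but pointing at different PemFileName paths compare equal. If Equal is what decides whether a changed proxy-SSL configuration is re-applied (not visible in this diff), a re-synced secret written to a new path, or a rotated certificate kept under the same secret name, would go unnoticed. Add `if sslcc1.PemFileName != sslcc2.PemFileName { return false }` next to the Secret check, and consider whether SSLClientCert needs a content fingerprint like SSLCA's CASHA so that Equal reflects the certificate bytes and not only their location. Minor doc wording in the same hunk: `clients certificate` → `client's certificate` and `secrets 'tls.crt'` → `secret's 'tls.crt'`. The first lines of the hunk belong to AuthSSLCert.Equal, whose body starts outside it.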