diff --git a/core/pkg/ingress/annotations/authtls/main.go b/core/pkg/ingress/annotations/authtls/main.go
index 79d4b22d5..415b079c8 100644
--- a/core/pkg/ingress/annotations/authtls/main.go
+++ b/core/pkg/ingress/annotations/authtls/main.go
@@ -21,6 +21,7 @@ import (
 
 "k8s.io/ingress/core/pkg/ingress/annotations/parser"
 ing_errors "k8s.io/ingress/core/pkg/ingress/errors"
+ "k8s.io/ingress/core/pkg/ingress/resolver"
 "k8s.io/ingress/core/pkg/k8s"
 )
 
@@ -29,28 +30,12 @@ const (
 authTLSSecret = "ingress.kubernetes.io/auth-tls-secret"
 )
 
-// AuthCertificate has a method that searchs for a secret
-// that contains a SSL certificate.
-// The secret must contain 3 keys named:
-type AuthCertificate interface {
- GetAuthCertificate(string) (*SSLCert, error)
-}
-
-// SSLCert returns external authentication configuration for an Ingress rule
-type SSLCert struct {
- Secret string `json:"secret"`
- CertFileName string `json:"certFilename"`
- KeyFileName string `json:"keyFilename"`
- CAFileName string `json:"caFilename"`
- PemSHA string `json:"pemSha"`
-}
-
 type authTLS struct {
- certResolver AuthCertificate
+ certResolver resolver.AuthCertificate
 }
 
 // NewParser creates a new TLS authentication annotation parser
-func NewParser(resolver AuthCertificate) parser.IngressAnnotation {
+func NewParser(resolver resolver.AuthCertificate) parser.IngressAnnotation {
 return authTLS{resolver}
 }
 
diff --git a/core/pkg/ingress/controller/annotations_test.go b/core/pkg/ingress/controller/annotations_test.go
index 431e3c1a8..687830288 100644
--- a/core/pkg/ingress/controller/annotations_test.go
+++ b/core/pkg/ingress/controller/annotations_test.go
@@ -23,8 +23,8 @@ import (
 "k8s.io/kubernetes/pkg/apis/extensions"
 "k8s.io/kubernetes/pkg/util/intstr"
 
- "k8s.io/ingress/core/pkg/ingress/annotations/authtls"
 "k8s.io/ingress/core/pkg/ingress/defaults"
+ "k8s.io/ingress/core/pkg/ingress/resolver"
 )
 
 type mockCfg struct {
@@ -38,7 +38,7 @@ func (m mockCfg) GetSecret(string) (*api.Secret, error) {
 return nil, nil
 }
 
-func (m mockCfg) GetAuthCertificate(string) (*authtls.SSLCert, error) {
+func (m mockCfg) GetAuthCertificate(string) (*resolver.AuthSSLCert, error) {
 return nil, nil
 }
 
diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go
index 1851bb9b5..76f1bdbe4 100644
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
@@ -39,11 +39,11 @@ import (
 
 cache_store "k8s.io/ingress/core/pkg/cache"
 "k8s.io/ingress/core/pkg/ingress"
- "k8s.io/ingress/core/pkg/ingress/annotations/authtls"
 "k8s.io/ingress/core/pkg/ingress/annotations/healthcheck"
 "k8s.io/ingress/core/pkg/ingress/annotations/proxy"
 "k8s.io/ingress/core/pkg/ingress/annotations/service"
 "k8s.io/ingress/core/pkg/ingress/defaults"
+ "k8s.io/ingress/core/pkg/ingress/resolver"
 "k8s.io/ingress/core/pkg/ingress/status"
 "k8s.io/ingress/core/pkg/k8s"
 local_strings "k8s.io/ingress/core/pkg/strings"
@@ -668,13 +668,13 @@ func (ic *GenericController) getBackendServers() ([]*ingress.Backend, []*ingress
 }
 
 // GetAuthCertificate ...
-func (ic GenericController) GetAuthCertificate(secretName string) (*authtls.SSLCert, error) {
+func (ic GenericController) GetAuthCertificate(secretName string) (*resolver.AuthSSLCert, error) {
 bc, exists := ic.sslCertTracker.Get(secretName)
 if !exists {
- return &authtls.SSLCert{}, fmt.Errorf("secret %v does not exists", secretName)
+ return &resolver.AuthSSLCert{}, fmt.Errorf("secret %v does not exists", secretName)
 }
 cert := bc.(*ingress.SSLCert)
- return &authtls.SSLCert{
+ return &resolver.AuthSSLCert{
 Secret: secretName,
 CertFileName: cert.PemFileName,
 CAFileName: cert.CAFileName,
diff --git a/core/pkg/ingress/controller/util.go b/core/pkg/ingress/controller/util.go
index 57b31dba3..439526cba 100644
--- a/core/pkg/ingress/controller/util.go
+++ b/core/pkg/ingress/controller/util.go
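Review bot: The `!exists` branch on the new `return &resolver.AuthSSLCert{}, fmt.Errorf(...)` line still hands back a non-nil, all-empty certificate together with the error, so a caller that checks the pointer before the error would treat a missing secret as a resolved cert with blank CA and cert paths; return `nil, fmt.Errorf("secret %v does not exist", secretName)` instead (which also fixes the "does not exists" wording). Two lines later, `cert := bc.(*ingress.SSLCert)` remains an unchecked assertion and panics the whole controller if the tracker ever stores another type; `cert, ok := bc.(*ingress.SSLCert)` with an error return on `!ok` keeps one bad cache entry from taking the process down. The doc comment `// GetAuthCertificate ...` says nothing; suggest `// GetAuthCertificate returns the certificate tracked in sslCertTracker under secretName, or an error if no entry exists.` GetAuthCertificate's body continues past the end of the hunk.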
@@ -28,6 +28,9 @@ import (
 "k8s.io/ingress/core/pkg/ingress/annotations/parser"
 )
 
+// DeniedKeyName name of the key that contains the reason to deny a location
+const DeniedKeyName = "Denied"
+
 // newDefaultServer return an BackendServer to be use as default server that returns 503.
 func newDefaultServer() ingress.Endpoint {
 return ingress.Endpoint{Address: "127.0.0.1", Port: "8181"}
@@ -97,13 +100,11 @@ func IsValidClass(ing *extensions.Ingress, class string) bool {
 return cc == class
 }
 
-const denied = "Denied"
-
 func mergeLocationAnnotations(loc *ingress.Location, anns map[string]interface{}) {
- if _, ok := anns[denied]; ok {
- loc.Denied = anns[denied].(error)
+ if _, ok := anns[DeniedKeyName]; ok {
+ loc.Denied = anns[DeniedKeyName].(error)
 }
- delete(anns, denied)
+ delete(anns, DeniedKeyName)
 err := mergo.Map(loc, anns)
 if err != nil {
 glog.Errorf("unexpected error merging extracted annotations in location type: %v", err)
diff --git a/core/pkg/ingress/resolver/main.go b/core/pkg/ingress/resolver/main.go
index c345ad289..1e122e236 100644
--- a/core/pkg/ingress/resolver/main.go
+++ b/core/pkg/ingress/resolver/main.go
@@ -19,7 +19,6 @@ package resolver
 import (
 "k8s.io/kubernetes/pkg/api"
 
- "k8s.io/ingress/core/pkg/ingress/annotations/authtls"
 "k8s.io/ingress/core/pkg/ingress/defaults"
 )
 
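Review bot: The comment on the newly exported `DeniedKeyName` is not a sentence and does not say what the stored value is, which matters now that other packages can write the key; suggest `// DeniedKeyName is the annotation-map key under which the error that denies a Location is stored; the value must be an error.` The value type is taken from the `.(error)` assertion in mergeLocationAnnotations later in this file, so confirm that is the only producer before stating it.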
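Review bot: `loc.Denied = anns[DeniedKeyName].(error)` keeps an unchecked type assertion behind a second map lookup, so a value stored under the key that is not an `error` panics the controller in the middle of a sync. Look the value up once and check it: `if v, ok := anns[DeniedKeyName]; ok { if e, ok := v.(error); ok { loc.Denied = e } else { glog.Errorf("annotation %q has unexpected type %T", DeniedKeyName, v) } }`. Logging rather than dropping the value matters here because a nil `loc.Denied` presumably leaves the location permitted, so a malformed deny reason should not fail open silently. mergeLocationAnnotations continues past the end of the hunk.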
@@ -35,9 +34,26 @@ type Secret interface {
 GetSecret(string) (*api.Secret, error)
 }
 
-// AuthCertificate has a method that searchs for a secret
-// that contains a SSL certificate.
+// AuthCertificate resolves a given secret name into an SSL certificate.
 // The secret must contain 3 keys named:
+// ca.crt: contains the certificate chain used for authentication
+// tls.crt: (ignored) contains the tls certificate chain, or any other valid base64 data
+// tls.key: (ignored) contains the tls secret key, or any other valid base64 data
 type AuthCertificate interface {
- GetAuthCertificate(string) (*authtls.SSLCert, error)
+ GetAuthCertificate(string) (*AuthSSLCert, error)
+}
+
+// AuthSSLCert contains the necessary information to do certificate based
+// authentication of an ingress location
+type AuthSSLCert struct {
+ // Secret contains the name of the secret this was fetched from
+ Secret string `json:"secret"`
+ // CertFileName contains the filename the secret's 'tls.crt' was saved to
+ CertFileName string `json:"certFilename"`
+ // KeyFileName contains the path the secret's 'tls.key'
+ KeyFileName string `json:"keyFilename"`
+ // CAFileName contains the path to the secrets 'ca.crt'
+ CAFileName string `json:"caFilename"`
+ // PemSHA contains the SHA1 hash of the 'tls.crt' value
+ PemSHA string `json:"pemSha"`
 }
diff --git a/core/pkg/ingress/types.go b/core/pkg/ingress/types.go
index e26b1e9c5..dc8080987 100644
--- a/core/pkg/ingress/types.go
+++ b/core/pkg/ingress/types.go
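Review bot: Two of the new field comments are incomplete or inconsistent: `// KeyFileName contains the path the secret's 'tls.key'` is missing its verb and `// CAFileName contains the path to the secrets 'ca.crt'` should read `secret's`; suggest `// KeyFileName contains the path the secret's 'tls.key' was saved to` and `// CAFileName contains the path the secret's 'ca.crt' was saved to`, matching the CertFileName line. The interface comment now declares tls.crt and tls.key "(ignored)" while the struct documents PemSHA as a hash of 'tls.crt' only; if PemSHA is used anywhere to detect that a secret changed, a rotation of only ca.crt — the key that actually drives client authentication — would presumably not alter it, which is worth confirming and stating in the comment. Naming the parameter, `GetAuthCertificate(secretName string) (*AuthSSLCert, error)`, would also make the contract readable from the interface alone.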
@@ -22,12 +22,12 @@ import (
 
 "k8s.io/ingress/core/pkg/ingress/annotations/auth"
 "k8s.io/ingress/core/pkg/ingress/annotations/authreq"
- "k8s.io/ingress/core/pkg/ingress/annotations/authtls"
 "k8s.io/ingress/core/pkg/ingress/annotations/ipwhitelist"
 "k8s.io/ingress/core/pkg/ingress/annotations/proxy"
 "k8s.io/ingress/core/pkg/ingress/annotations/ratelimit"
 "k8s.io/ingress/core/pkg/ingress/annotations/rewrite"
 "k8s.io/ingress/core/pkg/ingress/defaults"
+ "k8s.io/ingress/core/pkg/ingress/resolver"
 )
 
 var (
@@ -232,7 +232,7 @@ type Location struct {
 // CertificateAuth indicates the access to this location requires
 // external authentication
 // +optional
- CertificateAuth authtls.SSLCert `json:"certificateAuth,omitempty"`
+ CertificateAuth resolver.AuthSSLCert `json:"certificateAuth,omitempty"`
 }
 
 // SSLPassthroughBackend describes a SSL upstream server configured