Move SSL passthrough code inside the controller package

Manuel de Brito Fontes 2018-01-16 16:23:05 -03:00
parent 9283bdbe23
commit 847fdb3168
No known key found for this signature in database
GPG key ID: 786136016A8BA02A
2 changed files with 89 additions and 35 deletions


@ -19,6 +19,7 @@ package main
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"math/rand"
"net" "net"
"net/http" "net/http"
"net/http/pprof" "net/http/pprof"
@ -47,6 +48,8 @@ import (
) )
func main() { func main() {
rand.Seed(time.Now().UnixNano())
fmt.Println(version.String()) fmt.Println(version.String())
showVersion, conf, err := parseFlags() showVersion, conf, err := parseFlags()
@ -118,7 +121,7 @@ func main() {
// create the default SSL certificate (dummy) // create the default SSL certificate (dummy)
defCert, defKey := ssl.GetFakeSSLCert() defCert, defKey := ssl.GetFakeSSLCert()
c, err := ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{}, fs) c, err := ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{})
if err != nil { if err != nil {
glog.Fatalf("Error generating self signed certificate: %v", err) glog.Fatalf("Error generating self signed certificate: %v", err)
} }
@ -189,7 +192,7 @@ func setupSSLProxy(sslPort, proxyPort int, n *controller.NGINXController) {
var conn net.Conn var conn net.Conn
var err error var err error
if n.IsProxyProtocolEnabled() { if n.IsProxyProtocolEnabled {
// we need to wrap the listener in order to decode // we need to wrap the listener in order to decode
// proxy protocol before handling the connection // proxy protocol before handling the connection
conn, err = proxyList.Accept() conn, err = proxyList.Accept()
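Review bot: The changed condition `if n.IsProxyProtocolEnabled {` keeps a second copy of the SSL passthrough accept loop in main.go, while the controller's new `setupSSLProxy` reads `n.store.GetBackendConfiguration().UseProxyProtocol` for the same decision, so the two paths can disagree at runtime; since the commit title says this code moves into the controller, the main.go `setupSSLProxy` should be removed in the same commit rather than patched. If main still calls it while `EnableSSLPassthrough` also triggers `n.setupSSLProxy()`, both would try to bind the HTTPS port and the second `net.Listen` would fail — whether that call survives is outside the visible hunks. The added `rand.Seed(time.Now().UnixNano())` is only appropriate for non-security randomness (jitter, ordering); any consumer that needs unpredictable values must use `crypto/rand`, which I cannot confirm from this hunk. `setupSSLProxy` begins and ends outside the hunk.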


@ -32,6 +32,7 @@ import (
"github.com/golang/glog" "github.com/golang/glog"
proxyproto "github.com/armon/go-proxyproto"
apiv1 "k8s.io/api/core/v1" apiv1 "k8s.io/api/core/v1"
extensions "k8s.io/api/extensions/v1beta1" extensions "k8s.io/api/extensions/v1beta1"
"k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/kubernetes/scheme"
@ -227,6 +228,8 @@ type NGINXController struct {
isShuttingDown bool isShuttingDown bool
Proxy *TCPProxy
store store.Storer store store.Storer
fileSystem filesystem.Filesystem fileSystem filesystem.Filesystem
@ -252,6 +255,10 @@ func (n *NGINXController) Start() {
Pgid: 0, Pgid: 0,
} }
if n.cfg.EnableSSLPassthrough {
n.setupSSLProxy()
}
glog.Info("starting NGINX process...") glog.Info("starting NGINX process...")
n.start(cmd) n.start(cmd)
@ -399,40 +406,38 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
cfg := n.store.GetBackendConfiguration() cfg := n.store.GetBackendConfiguration()
cfg.Resolver = n.resolver cfg.Resolver = n.resolver
/* servers := []*TCPServer{}
servers := []*TCPServer{} for _, pb := range ingressCfg.PassthroughBackends {
for _, pb := range ingressCfg.PassthroughBackends { svc := pb.Service
svc := pb.Service if svc == nil {
if svc == nil { glog.Warningf("missing service for PassthroughBackends %v", pb.Backend)
glog.Warningf("missing service for PassthroughBackends %v", pb.Backend) continue
continue
}
port, err := strconv.Atoi(pb.Port.String())
if err != nil {
for _, sp := range svc.Spec.Ports {
if sp.Name == pb.Port.String() {
port = int(sp.Port)
break
}
}
} else {
for _, sp := range svc.Spec.Ports {
if sp.Port == int32(port) {
port = int(sp.Port)
break
}
}
}
//TODO: Allow PassthroughBackends to specify they support proxy-protocol
servers = append(servers, &TCPServer{
Hostname: pb.Hostname,
IP: svc.Spec.ClusterIP,
Port: port,
ProxyProtocol: false,
})
} }
*/ port, err := strconv.Atoi(pb.Port.String())
if err != nil {
for _, sp := range svc.Spec.Ports {
if sp.Name == pb.Port.String() {
port = int(sp.Port)
break
}
}
} else {
for _, sp := range svc.Spec.Ports {
if sp.Port == int32(port) {
port = int(sp.Port)
break
}
}
}
//TODO: Allow PassthroughBackends to specify they support proxy-protocol
servers = append(servers, &TCPServer{
Hostname: pb.Hostname,
IP: svc.Spec.ClusterIP,
Port: port,
ProxyProtocol: false,
})
}
// we need to check if the status module configuration changed // we need to check if the status module configuration changed
if cfg.EnableVtsStatus { if cfg.EnableVtsStatus {
@ -640,3 +645,49 @@ func nextPowerOf2(v int) int {
return v return v
} }
func (n *NGINXController) setupSSLProxy() {
sslPort := n.cfg.ListenPorts.HTTPS
proxyPort := n.cfg.ListenPorts.SSLProxy
glog.Info("starting TLS proxy for SSL passthrough")
n.Proxy = &TCPProxy{
Default: &TCPServer{
Hostname: "localhost",
IP: "127.0.0.1",
Port: proxyPort,
ProxyProtocol: true,
},
}
listener, err := net.Listen("tcp", fmt.Sprintf(":%v", sslPort))
if err != nil {
glog.Fatalf("%v", err)
}
proxyList := &proxyproto.Listener{Listener: listener}
// start goroutine that accepts tcp connections in port 443
go func() {
for {
var conn net.Conn
var err error
if n.store.GetBackendConfiguration().UseProxyProtocol {
// we need to wrap the listener in order to decode
// proxy protocol before handling the connection
conn, err = proxyList.Accept()
} else {
conn, err = listener.Accept()
}
if err != nil {
glog.Warningf("unexpected error accepting tcp connection: %v", err)
continue
}
glog.V(3).Infof("remote address %s to local %s", conn.RemoteAddr(), conn.LocalAddr())
go n.Proxy.Handle(conn)
}
}()
}
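Review bot: The accept loop in the new `setupSSLProxy` retries immediately on every `Accept` error (`glog.Warningf(...); continue`), so a closed listener or file-descriptor exhaustion turns the goroutine into a hot loop that floods the log and never exits; temporary errors should back off and non-temporary ones (including the listener being closed on shutdown) should end the loop. The `proxyproto.Listener{Listener: listener}` wrapper also accepts a PROXY header from any peer when `UseProxyProtocol` is on, which lets a client that reaches the port directly present an arbitrary source address — if the vendored go-proxyproto exposes a source-check hook, restricting it to the load balancer's addresses is the usual mitigation, and the listen failure message `glog.Fatalf("%v", err)` should say what was being bound, e.g. `glog.Fatalf("listening on :%d for SSL passthrough: %v", sslPort, err)`. The `servers` slice built in the `OnUpdate` hunk is not visibly handed to `n.Proxy` within the hunk; if that happens later in the function it is fine, otherwise the passthrough proxy never learns its backends. The rewrite below assumes `time` is imported in this file (only `net` and `fmt` are visible here).
```go
	// start goroutine that accepts tcp connections in port 443
	go func() {
		var delay time.Duration // grows on consecutive temporary errors, reset on success
		for {
			var conn net.Conn
			var err error
			// … unchanged: choose proxyList.Accept() or listener.Accept() …
			if err != nil {
				if ne, ok := err.(net.Error); ok && ne.Temporary() {
					// back off so a transient failure (e.g. fd exhaustion) does not spin the loop
					if delay == 0 {
						delay = 5 * time.Millisecond
					} else {
						delay *= 2
					}
					if delay > time.Second {
						delay = time.Second
					}
					glog.Warningf("unexpected error accepting tcp connection: %v; retrying in %v", err, delay)
					time.Sleep(delay)
					continue
				}
				// permanent error (e.g. listener closed): stop instead of looping forever
				glog.Warningf("stopping SSL passthrough accept loop: %v", err)
				return
			}
			delay = 0
			// … unchanged: address log and go n.Proxy.Handle(conn) …
		}
	}()
```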