Move SSL passthrough code inside the controller package

cmd/nginx/main.go

@@ -19,7 +19,6 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"net"
 	"net/http"
 	"net/http/pprof"
 	"os"
@@ -28,7 +27,6 @@ import (
 	"syscall"
 	"time"
 
-	proxyproto "github.com/armon/go-proxyproto"
 	"github.com/golang/glog"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 
@@ -130,10 +128,6 @@ func main() {
 
 	ngx := controller.NewNGINXController(conf, fs)
 
-	if conf.EnableSSLPassthrough {
-		setupSSLProxy(conf.ListenPorts.HTTPS, conf.ListenPorts.SSLProxy, ngx)
-	}
-
 	go handleSigterm(ngx, func(code int) {
 		os.Exit(code)
 	})
@@ -165,49 +159,6 @@ func handleSigterm(ngx *controller.NGINXController, exit exiter) {
 	exit(exitCode)
 }
 
-func setupSSLProxy(sslPort, proxyPort int, n *controller.NGINXController) {
-	glog.Info("starting TLS proxy for SSL passthrough")
-	n.Proxy = &controller.TCPProxy{
-		Default: &controller.TCPServer{
-			Hostname:      "localhost",
-			IP:            "127.0.0.1",
-			Port:          proxyPort,
-			ProxyProtocol: true,
-		},
-	}
-
-	listener, err := net.Listen("tcp", fmt.Sprintf(":%v", sslPort))
-	if err != nil {
-		glog.Fatalf("%v", err)
-	}
-
-	proxyList := &proxyproto.Listener{Listener: listener}
-
-	// start goroutine that accepts tcp connections in port 443
-	go func() {
-		for {
-			var conn net.Conn
-			var err error
-
-			if n.IsProxyProtocolEnabled() {
-				// we need to wrap the listener in order to decode
-				// proxy protocol before handling the connection
-				conn, err = proxyList.Accept()
-			} else {
-				conn, err = listener.Accept()
-			}
-
-			if err != nil {
-				glog.Warningf("unexpected error accepting tcp connection: %v", err)
-				continue
-			}
-
-			glog.V(3).Infof("remote address %s to local %s", conn.RemoteAddr(), conn.LocalAddr())
-			go n.Proxy.Handle(conn)
-		}
-	}()
-}
-
 // createApiserverClient creates new Kubernetes Apiserver client. When kubeconfig or apiserverHost param is empty
 // the function assumes that it is running inside a Kubernetes cluster and attempts to
 // discover the Apiserver. Otherwise, it connects to the Apiserver specified.

internal/ingress/controller/nginx.go

@@ -32,6 +32,7 @@ import (
 
 	"github.com/golang/glog"
 
+	proxyproto "github.com/armon/go-proxyproto"
 	apiv1 "k8s.io/api/core/v1"
 	extensions "k8s.io/api/extensions/v1beta1"
 	"k8s.io/client-go/kubernetes/scheme"
@@ -227,6 +228,8 @@ type NGINXController struct {
 
 	isShuttingDown bool
 
+	Proxy *TCPProxy
+
 	store store.Storer
 
 	fileSystem filesystem.Filesystem
@@ -252,6 +255,10 @@ func (n *NGINXController) Start() {
 		Pgid:    0,
 	}
 
+	if n.cfg.EnableSSLPassthrough {
+		n.setupSSLProxy()
+	}
+
 	glog.Info("starting NGINX process...")
 	n.start(cmd)
 
@@ -399,40 +406,38 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 	cfg := n.store.GetBackendConfiguration()
 	cfg.Resolver = n.resolver
 
-	/*
+	servers := []*TCPServer{}
-		servers := []*TCPServer{}
+	for _, pb := range ingressCfg.PassthroughBackends {
-		for _, pb := range ingressCfg.PassthroughBackends {
+		svc := pb.Service
-			svc := pb.Service
+		if svc == nil {
-			if svc == nil {
+			glog.Warningf("missing service for PassthroughBackends %v", pb.Backend)
-				glog.Warningf("missing service for PassthroughBackends %v", pb.Backend)
+			continue
-				continue
-			}
-			port, err := strconv.Atoi(pb.Port.String())
-			if err != nil {
-				for _, sp := range svc.Spec.Ports {
-					if sp.Name == pb.Port.String() {
-						port = int(sp.Port)
-						break
-					}
-				}
-			} else {
-				for _, sp := range svc.Spec.Ports {
-					if sp.Port == int32(port) {
-						port = int(sp.Port)
-						break
-					}
-				}
-			}
-
-			//TODO: Allow PassthroughBackends to specify they support proxy-protocol
-			servers = append(servers, &TCPServer{
-				Hostname:      pb.Hostname,
-				IP:            svc.Spec.ClusterIP,
-				Port:          port,
-				ProxyProtocol: false,
-			})
 		}
-	*/
+		port, err := strconv.Atoi(pb.Port.String())
+		if err != nil {
+			for _, sp := range svc.Spec.Ports {
+				if sp.Name == pb.Port.String() {
+					port = int(sp.Port)
+					break
+				}
+			}
+		} else {
+			for _, sp := range svc.Spec.Ports {
+				if sp.Port == int32(port) {
+					port = int(sp.Port)
+					break
+				}
+			}
+		}
+
+		//TODO: Allow PassthroughBackends to specify they support proxy-protocol
+		servers = append(servers, &TCPServer{
+			Hostname:      pb.Hostname,
+			IP:            svc.Spec.ClusterIP,
+			Port:          port,
+			ProxyProtocol: false,
+		})
+	}
 
 	// we need to check if the status module configuration changed
 	if cfg.EnableVtsStatus {
@@ -640,3 +645,49 @@ func nextPowerOf2(v int) int {
 
 	return v
 }
+
+func (n *NGINXController) setupSSLProxy() {
+	sslPort := n.cfg.ListenPorts.HTTPS
+	proxyPort := n.cfg.ListenPorts.SSLProxy
+
+	glog.Info("starting TLS proxy for SSL passthrough")
+	n.Proxy = &TCPProxy{
+		Default: &TCPServer{
+			Hostname:      "localhost",
+			IP:            "127.0.0.1",
+			Port:          proxyPort,
+			ProxyProtocol: true,
+		},
+	}
+
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%v", sslPort))
+	if err != nil {
+		glog.Fatalf("%v", err)
+	}
+
+	proxyList := &proxyproto.Listener{Listener: listener}
+
+	// start goroutine that accepts tcp connections in port 443
+	go func() {
+		for {
+			var conn net.Conn
+			var err error
+
+			if n.store.GetBackendConfiguration().UseProxyProtocol {
+				// we need to wrap the listener in order to decode
+				// proxy protocol before handling the connection
+				conn, err = proxyList.Accept()
+			} else {
+				conn, err = listener.Accept()
+			}
+
+			if err != nil {
+				glog.Warningf("unexpected error accepting tcp connection: %v", err)
+				continue
+			}
+
+			glog.V(3).Infof("remote address %s to local %s", conn.RemoteAddr(), conn.LocalAddr())
+			go n.Proxy.Handle(conn)
+		}
+	}()
+}