Merge pull request #365 from pwillie/forcesslredirect
add ForceSSLRedirect ingress annotation
commit
9f39abc019
5 changed files with 72 additions and 34 deletions
|
@ -292,6 +292,7 @@ func NewDefault() Configuration {
|
||||||
ProxyCookieDomain: "off",
|
ProxyCookieDomain: "off",
|
||||||
ProxyCookiePath: "off",
|
ProxyCookiePath: "off",
|
||||||
SSLRedirect: true,
|
SSLRedirect: true,
|
||||||
|
ForceSSLRedirect: false,
|
||||||
CustomHTTPErrors: []int{},
|
CustomHTTPErrors: []int{},
|
||||||
WhitelistSourceRange: []string{},
|
WhitelistSourceRange: []string{},
|
||||||
SkipAccessLogURLs: []string{},
|
SkipAccessLogURLs: []string{},
|
||||||
|
|
|
@ -268,9 +268,9 @@ http {
|
||||||
auth_request {{ $authPath }};
|
auth_request {{ $authPath }};
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
{{ if (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect) }}
|
{{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }}
|
||||||
# enforce ssl on server side
|
# enforce ssl on server side
|
||||||
if ($scheme = http) {
|
if ($pass_access_scheme = http) {
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
{{ end }}
|
{{ end }}
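Review bot: The `if ($pass_access_scheme = http)` test makes HTTPS enforcement depend on a variable defined outside this hunk, and the change applies to the existing `ssl-redirect` path as well as the new forced one. If `$pass_access_scheme` is populated from the `X-Forwarded-Proto` request header, the redirect is only reliable when every request reaches the controller through the TLS-terminating proxy that sets that header; a directly reachable HTTP listener would accept whatever value the client supplies. I would state that assumption next to the block, e.g. `# $pass_access_scheme may reflect X-Forwarded-Proto; only meaningful behind a proxy that overwrites that header`, and repeat it in the annotation's documentation. The enclosing `http {` block starts and ends outside the hunk.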
|
||||||
|
|
|
@ -24,9 +24,10 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
rewriteTo = "ingress.kubernetes.io/rewrite-target"
|
rewriteTo = "ingress.kubernetes.io/rewrite-target"
|
||||||
addBaseURL = "ingress.kubernetes.io/add-base-url"
|
addBaseURL = "ingress.kubernetes.io/add-base-url"
|
||||||
sslRedirect = "ingress.kubernetes.io/ssl-redirect"
|
sslRedirect = "ingress.kubernetes.io/ssl-redirect"
|
||||||
|
forceSSLRedirect = "ingress.kubernetes.io/force-ssl-redirect"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Redirect describes the per location redirect config
|
// Redirect describes the per location redirect config
|
||||||
|
@ -38,6 +39,8 @@ type Redirect struct {
|
||||||
AddBaseURL bool `json:"addBaseUrl"`
|
AddBaseURL bool `json:"addBaseUrl"`
|
||||||
// SSLRedirect indicates if the location section is accessible SSL only
|
// SSLRedirect indicates if the location section is accessible SSL only
|
||||||
SSLRedirect bool `json:"sslRedirect"`
|
SSLRedirect bool `json:"sslRedirect"`
|
||||||
|
// ForceSSLRedirect indicates if the location section is accessible SSL only
|
||||||
|
ForceSSLRedirect bool `json:"forceSSLRedirect"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type rewrite struct {
|
type rewrite struct {
|
||||||
|
@ -57,10 +60,15 @@ func (a rewrite) Parse(ing *extensions.Ingress) (interface{}, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
sslRe = a.backendResolver.GetDefaultBackend().SSLRedirect
|
sslRe = a.backendResolver.GetDefaultBackend().SSLRedirect
|
||||||
}
|
}
|
||||||
|
fSslRe, err := parser.GetBoolAnnotation(forceSSLRedirect, ing)
|
||||||
|
if err != nil {
|
||||||
|
fSslRe = a.backendResolver.GetDefaultBackend().ForceSSLRedirect
|
||||||
|
}
|
||||||
abu, _ := parser.GetBoolAnnotation(addBaseURL, ing)
|
abu, _ := parser.GetBoolAnnotation(addBaseURL, ing)
|
||||||
return &Redirect{
|
return &Redirect{
|
||||||
Target: rt,
|
Target: rt,
|
||||||
AddBaseURL: abu,
|
AddBaseURL: abu,
|
||||||
SSLRedirect: sslRe,
|
SSLRedirect: sslRe,
|
||||||
|
ForceSSLRedirect: fSslRe,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
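Review bot: In `Parse`, any error from `parser.GetBoolAnnotation(forceSSLRedirect, ing)` falls back to the default backend value, so a mistyped annotation value would silently leave the location without the forced redirect, assuming the helper also returns an error for an unparsable value (its body is not visible here). For a setting whose purpose is to enforce HTTPS, I would distinguish a missing annotation from an invalid one and log or return the latter instead of falling back. Separately, the comment on the new struct field is a copy of the `SSLRedirect` one; `// ForceSSLRedirect indicates if the location redirects to HTTPS even when the server has no TLS certificate` would tell the two apart. `Parse` begins outside the hunk.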
|
||||||
|
|
|
@ -117,10 +117,6 @@ func TestSSLRedirect(t *testing.T) {
|
||||||
t.Errorf("Expected true but returned false")
|
t.Errorf("Expected true but returned false")
|
||||||
}
|
}
|
||||||
|
|
||||||
if !redirect.SSLRedirect {
|
|
||||||
t.Errorf("Expected true but returned false")
|
|
||||||
}
|
|
||||||
|
|
||||||
data[sslRedirect] = "false"
|
data[sslRedirect] = "false"
|
||||||
ing.SetAnnotations(data)
|
ing.SetAnnotations(data)
|
||||||
|
|
||||||
|
@ -133,3 +129,32 @@ func TestSSLRedirect(t *testing.T) {
|
||||||
t.Errorf("Expected false but returned true")
|
t.Errorf("Expected false but returned true")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestForceSSLRedirect(t *testing.T) {
|
||||||
|
ing := buildIngress()
|
||||||
|
|
||||||
|
data := map[string]string{}
|
||||||
|
data[rewriteTo] = defRoute
|
||||||
|
ing.SetAnnotations(data)
|
||||||
|
|
||||||
|
i, _ := NewParser(mockBackend{true}).Parse(ing)
|
||||||
|
redirect, ok := i.(*Redirect)
|
||||||
|
if !ok {
|
||||||
|
t.Errorf("expected a Redirect type")
|
||||||
|
}
|
||||||
|
if redirect.ForceSSLRedirect {
|
||||||
|
t.Errorf("Expected false but returned true")
|
||||||
|
}
|
||||||
|
|
||||||
|
data[forceSSLRedirect] = "true"
|
||||||
|
ing.SetAnnotations(data)
|
||||||
|
|
||||||
|
i, _ = NewParser(mockBackend{false}).Parse(ing)
|
||||||
|
redirect, ok = i.(*Redirect)
|
||||||
|
if !ok {
|
||||||
|
t.Errorf("expected a Redirect type")
|
||||||
|
}
|
||||||
|
if !redirect.ForceSSLRedirect {
|
||||||
|
t.Errorf("Expected true but returned false")
|
||||||
|
}
|
||||||
|
}
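Review bot: Both `if !ok { t.Errorf("expected a Redirect type") }` checks in `TestForceSSLRedirect` let the test continue, so the following `redirect.ForceSSLRedirect` dereferences a nil pointer and panics instead of reporting a clean failure; `t.Fatalf("expected a Redirect type")` would stop there. The error returned by `Parse` is also discarded with `i, _ :=`. The test covers only an absent annotation and `"true"`; a case with `data[forceSSLRedirect] = "false"` and one with an unparsable value would pin the fallback behaviour.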
|
||||||
|
|
|
@ -59,6 +59,10 @@ type Backend struct {
|
||||||
// Enables or disables the redirect (301) to the HTTPS port
|
// Enables or disables the redirect (301) to the HTTPS port
|
||||||
SSLRedirect bool `json:"ssl-redirect"`
|
SSLRedirect bool `json:"ssl-redirect"`
|
||||||
|
|
||||||
|
// Enables or disables the redirect (301) to the HTTPS port even without TLS cert
|
||||||
|
// This is useful if doing SSL offloading outside of cluster eg AWS ELB
|
||||||
|
ForceSSLRedirect bool `json:"force-ssl-redirect"`
|
||||||
|
|
||||||
// Enables or disables the specification of port in redirects
|
// Enables or disables the specification of port in redirects
|
||||||
// Default: false
|
// Default: false
|
||||||
UsePortInRedirects bool `json:"use-port-in-redirects"`
|
UsePortInRedirects bool `json:"use-port-in-redirects"`
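Review bot: The comment on `ForceSSLRedirect` does not state the default, while the neighbouring `UsePortInRedirects` does, and it does not start with the field name. I would write `// ForceSSLRedirect enables the redirect (301) to HTTPS even when no TLS certificate is configured, for setups that terminate TLS outside the cluster (e.g. AWS ELB).` followed by `// Default: false`, which matches the value set in `NewDefault`. The `Backend` struct continues outside the hunk.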
|
||||||
|
|