Merge pull request #365 from pwillie/forcesslredirect

add ForceSSLRedirect ingress annotation
2017-03-03 09:05:02 -03:00 · 2017-03-03 09:05:02 -03:00 · 9f39abc019
commit 9f39abc019
parent ecb21a63a2 1a72b3f775
5 changed files with 72 additions and 34 deletions
--- a/controllers/nginx/pkg/config/config.go
+++ b/controllers/nginx/pkg/config/config.go
@ -292,6 +292,7 @@ func NewDefault() Configuration {
 			ProxyCookieDomain:    "off",
 			ProxyCookiePath:      "off",
 			SSLRedirect:          true,
+			ForceSSLRedirect:     false,
 			CustomHTTPErrors:     []int{},
 			WhitelistSourceRange: []string{},
 			SkipAccessLogURLs:    []string{},
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@ -268,9 +268,9 @@ http {
            auth_request {{ $authPath }};
            {{ end }}

-            {{ if (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect) }}
+            {{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }}
            # enforce ssl on server side
-            if ($scheme = http) {
+            if ($pass_access_scheme = http) {
                return 301 https://$host$request_uri;
            }
            {{ end }}
--- a/core/pkg/ingress/annotations/rewrite/main.go
+++ b/core/pkg/ingress/annotations/rewrite/main.go
@ -24,9 +24,10 @@ import (
 )

 const (
-	rewriteTo   = "ingress.kubernetes.io/rewrite-target"
-	addBaseURL  = "ingress.kubernetes.io/add-base-url"
-	sslRedirect = "ingress.kubernetes.io/ssl-redirect"
+	rewriteTo        = "ingress.kubernetes.io/rewrite-target"
+	addBaseURL       = "ingress.kubernetes.io/add-base-url"
+	sslRedirect      = "ingress.kubernetes.io/ssl-redirect"
+	forceSSLRedirect = "ingress.kubernetes.io/force-ssl-redirect"
 )

 // Redirect describes the per location redirect config
@ -38,6 +39,8 @@ type Redirect struct {
 	AddBaseURL bool `json:"addBaseUrl"`
 	// SSLRedirect indicates if the location section is accessible SSL only
 	SSLRedirect bool `json:"sslRedirect"`
+	// ForceSSLRedirect indicates if the location section is accessible SSL only
+	ForceSSLRedirect bool `json:"forceSSLRedirect"`
 }

 type rewrite struct {
@ -57,10 +60,15 @@ func (a rewrite) Parse(ing *extensions.Ingress) (interface{}, error) {
 	if err != nil {
 		sslRe = a.backendResolver.GetDefaultBackend().SSLRedirect
 	}
+	fSslRe, err := parser.GetBoolAnnotation(forceSSLRedirect, ing)
+	if err != nil {
+		fSslRe = a.backendResolver.GetDefaultBackend().ForceSSLRedirect
+	}
 	abu, _ := parser.GetBoolAnnotation(addBaseURL, ing)
 	return &Redirect{
-		Target:      rt,
-		AddBaseURL:  abu,
-		SSLRedirect: sslRe,
+		Target:           rt,
+		AddBaseURL:       abu,
+		SSLRedirect:      sslRe,
+		ForceSSLRedirect: fSslRe,
 	}, nil
 }
--- a/core/pkg/ingress/annotations/rewrite/main_test.go
+++ b/core/pkg/ingress/annotations/rewrite/main_test.go
@ -117,10 +117,6 @@ func TestSSLRedirect(t *testing.T) {
 		t.Errorf("Expected true but returned false")
 	}

-	if !redirect.SSLRedirect {
-		t.Errorf("Expected true but returned false")
-	}
-
 	data[sslRedirect] = "false"
 	ing.SetAnnotations(data)

@ -133,3 +129,32 @@ func TestSSLRedirect(t *testing.T) {
 		t.Errorf("Expected false but returned true")
 	}
 }
+
+func TestForceSSLRedirect(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[rewriteTo] = defRoute
+	ing.SetAnnotations(data)
+
+	i, _ := NewParser(mockBackend{true}).Parse(ing)
+	redirect, ok := i.(*Redirect)
+	if !ok {
+		t.Errorf("expected a Redirect type")
+	}
+	if redirect.ForceSSLRedirect {
+		t.Errorf("Expected false but returned true")
+	}
+
+	data[forceSSLRedirect] = "true"
+	ing.SetAnnotations(data)
+
+	i, _ = NewParser(mockBackend{false}).Parse(ing)
+	redirect, ok = i.(*Redirect)
+	if !ok {
+		t.Errorf("expected a Redirect type")
+	}
+	if !redirect.ForceSSLRedirect {
+		t.Errorf("Expected true but returned false")
+	}
+}
--- a/core/pkg/ingress/defaults/main.go
+++ b/core/pkg/ingress/defaults/main.go
@ -59,6 +59,10 @@ type Backend struct {
 	// Enables or disables the redirect (301) to the HTTPS port
 	SSLRedirect bool `json:"ssl-redirect"`

+	// Enables or disables the redirect (301) to the HTTPS port even without TLS cert
+	// This is useful if doing SSL offloading outside of cluster eg AWS ELB
+	ForceSSLRedirect bool `json:"force-ssl-redirect"`
+
 	// Enables or disables the specification of port in redirects
 	// Default: false
 	UsePortInRedirects bool `json:"use-port-in-redirects"`