From 725f45b996e839f05d1a0f6e608a15fde3297d67 Mon Sep 17 00:00:00 2001
From: Ricardo Pchevuzinske Katz
Date: Tue, 24 Jan 2017 16:03:56 -0200
Subject: [PATCH] Corrects the behaviour of default-ssl-certificate
---
 .../nginx/rootfs/etc/nginx/template/nginx.tmpl | 2 +-
 core/pkg/ingress/controller/controller.go | 17 +++++++++++++++--
 core/pkg/ingress/controller/launch.go | 4 ++++
 3 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index 5f10d030b..4f05e9faf 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -203,7 +203,7 @@ http {
 server_name {{ $server.Hostname }};
 listen [::]:80{{ if $cfg.UseProxyProtocol }} proxy_protocol{{ end }}{{ if eq $index 0 }} ipv6only=off{{end}}{{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}};
 {{/* Listen on 442 because port 443 is used in the stream section */}}
- {{ if not (empty $server.SSLCertificate) }}listen 442 {{ if $cfg.UseProxyProtocol }}proxy_protocol{{ end }} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
+ {{ if not (empty $server.SSLCertificate) }}listen 442 {{ if $cfg.UseProxyProtocol }}proxy_protocol{{ end }} {{ if eq $server.Hostname "_"}} default_server reuseport backlog={{ $backlogSize }}{{end}} ssl {{ if $cfg.UseHTTP2 }}http2{{ end }};
 {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
 # PEM sha: {{ $server.SSLPemChecksum }}
 ssl_certificate {{ $server.SSLCertificate }};
diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go
index 29b2c30d3..c937d3a09 100644
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
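Review bot: The `default_server reuseport backlog=...` clause added to the 442 listener carries no explanation and duplicates the clause on the port-80 listen line two lines above, so the two can drift apart on later edits. A template comment above the listen line would make the intent explicit, e.g. `{{/* The catch-all server must also be default_server on the TLS port so a ClientHello whose SNI matches no vhost is answered with the default certificate rather than by whichever server nginx happens to pick first */}}`. Consider computing the default-server listen options once into a template variable and reusing it on both listen lines. Note the whole TLS listener remains guarded by `{{ if not (empty $server.SSLCertificate) }}`, so the catch-all server only gets it when controller.go actually populates the default server's certificate.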
@@ -807,9 +807,21 @@ func (ic *GenericController) createServers(data []interface{}, upstreams map[str
 dun := ic.getDefaultUpstream().Name
+ // This adds the Default Certificate to Default Backend and also for vhosts missing the secret
+ var defaultPemFileName, defaultPemSHA string
+ defaultCertificate, err := ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
+ if err != nil {
+ glog.Fatalf("Unable to get default SSL Certificate %v", ic.cfg.DefaultSSLCertificate)
+ } else {
+ defaultPemFileName = defaultCertificate.PemFileName
+ defaultPemSHA = defaultCertificate.PemSHA
+ }
+
 // default server
 servers[defServerName] = &ingress.Server{
- Hostname: defServerName,
+ Hostname: defServerName,
+ SSLCertificate: defaultPemFileName,
+ SSLPemChecksum: defaultPemSHA,
 Locations: []*ingress.Location{
 {
 Path: rootLocation,
@@ -879,7 +891,8 @@ func (ic *GenericController) createServers(data []interface{}, upstreams map[str
 servers[host].SSLPemChecksum = cert.PemSHA
 }
 } else {
- glog.Warningf("secret %v does not exists", key)
+ servers[host].SSLCertificate = defaultPemFileName
+ servers[host].SSLPemChecksum = defaultPemSHA
 }
 }
diff --git a/core/pkg/ingress/controller/launch.go b/core/pkg/ingress/controller/launch.go
index a1f325d4f..fd85fbc7f 100644
--- a/core/pkg/ingress/controller/launch.go
+++ b/core/pkg/ingress/controller/launch.go
@@ -99,6 +99,10 @@ func NewIngressController(backend ingress.Controller) *GenericController {
 glog.Fatalf("Please specify --default-backend-service")
 }
+ if *defSSLCertificate == "" {
+ glog.Fatalf("Please specify --default-ssl-certificate")
+ }
+
 kubeClient, err := createApiserverClient(*apiserverHost, *kubeConfigFile)
 if err != nil {
 handleFatalInitError(err)
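Review bot: The `glog.Fatalf` on a failed `ic.getPemCertificate` sits inside `createServers`, which from the hunk appears to run on every configuration sync rather than once at startup, so a transient secret lookup failure or a default secret deleted after boot terminates the whole controller and takes every vhost down with it; the sync path should degrade instead of exiting, for example by logging and leaving the default server's certificate fields empty (the template then simply omits the TLS listener for it) or by keeping the last good configuration. The message also discards the underlying error; log it: `glog.Errorf("unable to get default SSL certificate %v: %v", ic.cfg.DefaultSSLCertificate, err)`. Because Fatalf never returns, the `else` is redundant as written, and once the branch is non-fatal the two assignments can follow the `if` directly. `createServers` begins and ends outside this hunk.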
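Review bot: The `else` branch now substitutes the default certificate for a vhost whose TLS secret is missing but removes the only log line that reported the missing secret, so a misconfigured Ingress silently serves a certificate issued for another name and the operator learns of it only from client-side TLS errors. Keep the warning next to the fallback: `glog.Warningf("secret %v does not exist, serving default certificate for host %v", key, host)`. An event on the Ingress object would be a more visible signal if the controller already emits those, but the log line should not simply disappear. The enclosing `createServers` continues outside the hunk.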
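Review bot: The new check makes `--default-ssl-certificate` a required flag, which, if it was optional before this commit, breaks every deployment that starts the controller without it; the flag's help text and the release notes should state the new requirement. Startup is also the right place to validate more than emptiness: if the value is expected as a `namespace/name` secret reference, rejecting a malformed value here gives a clear error at boot instead of relying on the per-sync `Fatalf` added in controller.go. `NewIngressController` continues outside the hunk.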