From a5765a72a0623881a889b6813472ae41bc810611 Mon Sep 17 00:00:00 2001
From: Tony Li
Date: Thu, 26 Jan 2017 20:33:02 -0500
Subject: [PATCH] works for setting tls

---
 controllers/gce/controller/controller.go | 1 +
 controllers/gce/controller/utils.go | 9 ++++++
 .../gce/loadbalancers/loadbalancers.go | 32 +++++++++++++++++--
 3 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/controllers/gce/controller/controller.go b/controllers/gce/controller/controller.go
index c4d15e2fd..38309a34e 100644
--- a/controllers/gce/controller/controller.go
+++ b/controllers/gce/controller/controller.go
@@ -431,6 +431,7 @@ func (lbc *LoadBalancerController) ListRuntimeInfo() (lbs []*loadbalancers.L7Run
 lbs = append(lbs, &loadbalancers.L7RuntimeInfo{
 Name: k,
 TLS: tls,
+ TLSName: annotations.useNamedTLS(),
 AllowHTTP: annotations.allowHTTP(),
 StaticIPName: annotations.staticIPName(),
 })
diff --git a/controllers/gce/controller/utils.go b/controllers/gce/controller/utils.go
index 35fb3875c..0696edb30 100644
--- a/controllers/gce/controller/utils.go
+++ b/controllers/gce/controller/utils.go
@@ -86,6 +86,15 @@ func (ing ingAnnotations) allowHTTP() bool {
 return v
 }
 
+func (ing ingAnnotations) useNamedTLS() string {
+ val, ok := ing[useNamedTLS]
+ if !ok {
+ return ""
+ }
+
+ return val
+}
+
 func (ing ingAnnotations) staticIPName() string {
 val, ok := ing[staticIPNameKey]
 if !ok {
diff --git a/controllers/gce/loadbalancers/loadbalancers.go b/controllers/gce/loadbalancers/loadbalancers.go
index 948718f7f..bc92b2fb1 100644
--- a/controllers/gce/loadbalancers/loadbalancers.go
+++ b/controllers/gce/loadbalancers/loadbalancers.go
@@ -246,6 +246,8 @@ type L7RuntimeInfo struct {
 IP string
 // TLS are the tls certs to use in termination.
 TLS *TLSCerts
+ // TLSName is the name of/for the tls cert to use.
+ TLSName string
 // AllowHTTP will not setup :80, if TLS is nil and AllowHTTP is set,
 // no loadbalancer is created.
 AllowHTTP bool
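Review bot: In the utils.go hunk, `useNamedTLS` is both the accessor's name and the map key it reads (`ing[useNamedTLS]`), while the sibling accessor right below uses `staticIPNameKey`; the key constant is not defined anywhere in this patch, so it either already exists elsewhere or the file will not compile. Naming the key `useNamedTLSKey` to match the sibling avoids the name collision and reads consistently. The accessor also has no doc comment; `// useNamedTLS returns the name of the pre-existing GCE SSL certificate requested via annotation, or "" when the annotation is absent.` would do. Since the value is later handed to the cloud API verbatim as a resource name, a basic sanity check on it at this layer (non-empty after trimming, matches the cloud's resource-name rules) would stop a malformed annotation from reaching that call.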
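Review bot: In the loadbalancers.go struct hunk, the existing comment on `AllowHTTP` (`if TLS is nil and AllowHTTP is set, no loadbalancer is created`) becomes stale, because the `edgeHop` hunk later in this patch also treats a non-empty `TLSName` as enabling HTTPS; it should read `if TLS is nil, TLSName is empty and AllowHTTP is set, no loadbalancer is created`. The new `TLSName` comment does not say how the two fields interact; based on the `checkSSLCert` and `Cleanup` hunks in this patch the named cert takes precedence and is not created or deleted by the controller, so I would write `// TLSName is the name of a pre-existing GCE SSL certificate to attach. When set it takes precedence over TLS, and the controller neither creates nor deletes that certificate.`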
@@ -354,6 +356,29 @@ func (l *L7) checkSSLCert() (err error) {
 // so we don't need to bother with disambiguation. Naming the cert after
 // the loadbalancer is a simplification.
 
+ namedCert := l.runtimeInfo.TLSName
+
+ // Use the named GCE cert if specified by the annotation.
+ if namedCert != "" {
+ glog.Infof("-- %s: Using namedCert %s for certName", l.runtimeInfo.Name, namedCert)
+ certName := namedCert
+
+ // Use the targetHTTPSProxy's cert name if one already exists.
+ if l.sslCert != nil {
+ certName = l.sslCert.Name
+ }
+ cert, _ := l.cloud.GetSslCertificate(certName)
+
+ if cert == nil {
+ glog.Warningf("-- %s: Uh oh, no cert found by %f", l.runtimeInfo.Name, certName)
+ }
+
+ glog.Infof("-- %s: Got cert name: %s, cert: %+v, name: %s, selflink: %s", l.runtimeInfo.Name, certName, cert, cert.Name, cert.SelfLink)
+ //cert.SelfLink = cert.Name
+ l.sslCert = cert
+ return nil
+ }
+
 ingCert := l.runtimeInfo.TLS.Cert
 ingKey := l.runtimeInfo.TLS.Key
 
@@ -578,12 +603,12 @@ func (l *L7) edgeHop() error {
 }
 }
 // Defer promoting an emphemral to a static IP till it's really needed.
- if l.runtimeInfo.AllowHTTP && l.runtimeInfo.TLS != nil {
+ if l.runtimeInfo.AllowHTTP && (l.runtimeInfo.TLS != nil || l.runtimeInfo.TLSName != "") {
 if err := l.checkStaticIP(); err != nil {
 return err
 }
 }
- if l.runtimeInfo.TLS != nil {
+ if l.runtimeInfo.TLS != nil || l.runtimeInfo.TLSName != "" {
 glog.V(3).Infof("validating https for %v", l.Name)
 if err := l.edgeHopHttps(); err != nil {
 return err
@@ -843,7 +868,8 @@ func (l *L7) Cleanup() error {
 }
 l.tps = nil
 }
- if l.sslCert != nil {
+ // Delete the SSL cert if it is not a pre-created GCE cert.
+ if l.sslCert != nil && l.sslCert.Name != l.runtimeInfo.TLSName {
 glog.Infof("Deleting sslcert %v", l.sslCert.Name)
 if err := l.cloud.DeleteSslCertificate(l.sslCert.Name); err != nil {
 if !utils.IsHTTPErrorCode(err, http.StatusNotFound) {
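Review bot: The named-cert branch in checkSSLCert dereferences `cert.Name` and `cert.SelfLink` in the second Infof call right after it has logged that `cert == nil`, so an annotation naming a certificate that does not exist in the project will panic the controller; the `%f` verb for the string `certName` in that warning is also wrong. The error from `l.cloud.GetSslCertificate(certName)` is discarded, which hides not-found and permission errors from the cloud API and lets the function set `l.sslCert` to nil and still return nil. Both should be returned as errors (assuming `fmt` is imported in this file), and the commented-out `//cert.SelfLink = cert.Name` should be removed. Note also that when `l.sslCert` is already set the annotation value is overridden by the attached cert's name, so it looks like a changed annotation is never reconciled; if that is intended it deserves a comment. checkSSLCert continues beyond this hunk.
```go
	// Use the named GCE cert if specified by the annotation.
	if namedCert != "" {
		certName := namedCert
		// Use the targetHTTPSProxy's cert name if one already exists.
		if l.sslCert != nil {
			certName = l.sslCert.Name
		}
		cert, err := l.cloud.GetSslCertificate(certName)
		if err != nil {
			return fmt.Errorf("looking up named ssl cert %q for %v: %v", certName, l.runtimeInfo.Name, err)
		}
		if cert == nil {
			return fmt.Errorf("named ssl cert %q for %v not found", certName, l.runtimeInfo.Name)
		}
		glog.V(3).Infof("using named ssl cert %v (%v) for %v", cert.Name, cert.SelfLink, l.runtimeInfo.Name)
		l.sslCert = cert
		return nil
	}
	// … unchanged: ingress-secret cert handling …
```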
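Review bot: The edgeHop hunk repeats the expression `l.runtimeInfo.TLS != nil || l.runtimeInfo.TLSName != ""` twice within a few lines, and the same "is HTTPS wanted" decision is implied by the struct comments in the L7RuntimeInfo hunk; it should live in one place. A small method on the struct, `func (r *L7RuntimeInfo) wantsHTTPS() bool { return r.TLS != nil || r.TLSName != "" }`, used in both conditions here would keep the two checks from drifting apart. edgeHop starts and ends outside this hunk.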
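Review bot: The new Cleanup guard `l.sslCert.Name != l.runtimeInfo.TLSName` decides whether to delete a certificate by comparing names against the current annotation rather than by whether this controller created it; if the annotation is removed or changed to another name before the load balancer is cleaned up, the cert attached earlier via the annotation no longer matches and appears to be deleted even though it was pre-created by the user. I cannot see the controller's own cert-naming scheme from here, but comparing against that scheme (or recording at attach time that the cert is externally owned) would make the decision independent of later annotation edits. The comment could then say why the cert is kept: `// Only delete certs this controller created; pre-created GCE certs are owned by the user.` Cleanup continues outside this hunk.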