From b112acdbb95a4164fe9c4aa35dfb874f2a4435ce Mon Sep 17 00:00:00 2001
From: Julio Camarero
Date: Fri, 6 Dec 2024 10:54:44 +0100
Subject: [PATCH] Add new annotations
---
 internal/ingress/annotations/proxyssl/main.go | 34 +++++++++++++++----
 1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go
index c40bc85e0..4c5685fa2 100644
--- a/internal/ingress/annotations/proxyssl/main.go
+++ b/internal/ingress/annotations/proxyssl/main.go
@@ -45,13 +45,15 @@ var (
 )
 
 const (
- proxySSLSecretAnnotation = "proxy-ssl-secret"
- proxySSLCiphersAnnotation = "proxy-ssl-ciphers"
- proxySSLProtocolsAnnotation = "proxy-ssl-protocols"
- proxySSLNameAnnotation = "proxy-ssl-name"
- proxySSLVerifyAnnotation = "proxy-ssl-verify"
- proxySSLVerifyDepthAnnotation = "proxy-ssl-verify-depth"
- proxySSLServerNameAnnotation = "proxy-ssl-server-name"
+ proxySSLSecretAnnotation = "proxy-ssl-secret"
+ proxySSLClientSecretAnnotation = "proxy-ssl-client-secret" // #nosec
+ proxySSLCAConfigMapAnnotation = "proxy-ssl-ca-configmap"
+ proxySSLCiphersAnnotation = "proxy-ssl-ciphers"
+ proxySSLProtocolsAnnotation = "proxy-ssl-protocols"
+ proxySSLNameAnnotation = "proxy-ssl-name"
+ proxySSLVerifyAnnotation = "proxy-ssl-verify"
+ proxySSLVerifyDepthAnnotation = "proxy-ssl-verify-depth"
+ proxySSLServerNameAnnotation = "proxy-ssl-server-name"
 )
 
 var proxySSLAnnotation = parser.Annotation{
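Review bot: The bare `// #nosec` on the new proxySSLClientSecretAnnotation line disables every gosec rule for that statement, not only the hard-coded-credentials check (G101) that the word "secret" in the value presumably trips; narrow it and record the reason, `proxySSLClientSecretAnnotation = "proxy-ssl-client-secret" // #nosec G101 -- annotation key, not a credential`, so that any later finding on that line is not silently suppressed. The sibling proxySSLSecretAnnotation line carries no suppression at all, so either both lines need one or neither does; worth making them consistent in the same change.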
@@ -66,6 +68,24 @@ var proxySSLAnnotation = parser.Annotation{
 This annotation expects the Secret name in the form "namespace/secretName"
 Just secrets on the same namespace of the ingress can be used.`,
 },
+ proxySSLClientSecretAnnotation: {
+ Validator: parser.ValidateRegex(parser.BasicCharsRegex, true),
+ Scope: parser.AnnotationScopeIngress,
+ Risk: parser.AnnotationRiskMedium,
+ Documentation: `This annotation specifies a Secret with the certificate tls.crt, key tls.key in PEM format used for authentication to a proxied HTTPS server.
+ If the annotation proxy-ssl-secret is also present, the tls.crt and tls.key from this secret will take precedence.
+ This annotation expects the Secret name in the form "namespace/secretName"
+ Just secrets on the same namespace of the ingress can be used.`,
+ },
+ proxySSLCAConfigMapAnnotation: {
+ Validator: parser.ValidateRegex(parser.BasicCharsRegex, true),
+ Scope: parser.AnnotationScopeIngress,
+ Risk: parser.AnnotationRiskMedium,
+ Documentation: `This annotation specifies a ConfigMap with the trusted CA certificates ca.crt in PEM format used to verify the certificate of the proxied HTTPS server.
+ If the annotation proxy-ssl-secret is also present, ca tls.crt and ca.clr (revocation list) from this configMap will take precedence.
+ This annotation expects the ConfigMap name in the form "namespace/configMapName"
+ Just configMaps on the same namespace of the ingress can be used.`,
+ },
 proxySSLCiphersAnnotation: {
 Validator: parser.ValidateRegex(proxySSLCiphersRegex, true),
 Scope: parser.AnnotationScopeIngress,
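Review bot: The Documentation string for proxySSLCAConfigMapAnnotation contradicts itself: its first sentence names the trusted bundle key `ca.crt`, while the second line says `ca tls.crt and ca.clr (revocation list)`, which reads as a typo for the CA certificate and the conventional CRL key; the second line should read `If the annotation proxy-ssl-secret is also present, ca.crt and ca.crl (revocation list) from this ConfigMap will take precedence.` (confirm the exact keys against the code that reads the ConfigMap). The "just ConfigMaps/Secrets on the same namespace" guarantee stated in both new entries is not provided by parser.BasicCharsRegex, which only constrains the characters of the "namespace/name" string, so the same-namespace check must live in the parsing code, which is outside this hunk and worth verifying for the two new references. The proxySSLAnnotation literal continues past the end of the hunk.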