Merge pull request #4816 from kdomanski/fix-ssl-redirect

apply default certificate again in cases of invalid or incomplete cert config
2019-12-10 17:40:05 -08:00 · 2019-12-10 17:40:05 -08:00 · d5e197c3e2
commit d5e197c3e2
parent 67dce30ba6 16b5ad3c09
3 changed files with 74 additions and 6 deletions
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@ -1115,6 +1115,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 			tlsSecretName := extractTLSSecretName(host, ing, n.store.GetLocalSSLCert)
 			if tlsSecretName == "" {
 				klog.V(3).Infof("Host %q is listed in the TLS section but secretName is empty. Using default certificate.", host)
+				servers[host].SSLCert = n.getDefaultSSLCertificate()
 				continue
 			}

@ -1122,6 +1123,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 			cert, err := n.store.GetLocalSSLCert(secrKey)
 			if err != nil {
 				klog.Warningf("Error getting SSL certificate %q: %v. Using default certificate", secrKey, err)
+				servers[host].SSLCert = n.getDefaultSSLCertificate()
 				continue
 			}

@ -1136,6 +1138,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 					klog.Warningf("SSL certificate %q does not contain a Common Name or Subject Alternative Name for server %q: %v",
 						secrKey, host, err)
 					klog.Warningf("Using default certificate")
+					servers[host].SSLCert = n.getDefaultSSLCertificate()
 					continue
 				}
 			}
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@ -1155,12 +1155,6 @@ func buildHTTPSListener(t interface{}, s interface{}) string {
 		return ""
 	}

-	/*
-		if server.SSLCert == nil && server.Hostname != "_" {
-			return ""
-		}
-	*/
-
 	co := commonListenOptions(tc, hostname)

 	addrV4 := []string{""}
--- a/test/e2e/ssl/http_redirect.go
+++ b/test/e2e/ssl/http_redirect.go
@ -0,0 +1,71 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ssl
+
+import (
+	"net/http"
+	"strings"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/parnurzeal/gorequest"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("sslredirect", func() {
+	f := framework.NewDefaultFramework("sslredirect")
+
+	BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	AfterEach(func() {
+	})
+
+	It("should redirect from HTTP to HTTPS when secret is missing", func() {
+		host := "redirect.com"
+
+		_ = f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, "server_name redirect.com") &&
+					strings.Contains(server, "listen 443") &&
+					strings.Contains(server, "listen 80")
+			})
+
+		log, err := f.NginxLogs()
+		Expect(err).ToNot(HaveOccurred())
+		Expect(log).ToNot(BeEmpty())
+
+		resp, _, errs := gorequest.New().
+			Get(f.GetURL(framework.HTTP)).
+			Set("Host", host).
+			RedirectPolicy(func(_ gorequest.Request, _ []gorequest.Request) error {
+				return http.ErrUseLastResponse
+			}).
+			End()
+
+		Expect(errs).Should(BeEmpty())
+		Expect(resp.StatusCode).Should(Equal(http.StatusPermanentRedirect))
+
+		location, err := (*http.Response)(resp).Location()
+		Expect(err).Should(BeNil())
+		Expect(location.String()).Should(Equal("https://redirect.com/"))
+	})
+})