Fix SSL Passthrough template issue and custom ports in redirect to HTTPS (#1870)

Manuel Alejandro de Brito Fontes 2018-01-02 14:48:42 -03:00 committed by GitHub
parent 2f202e5656
commit da829748ec
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 11 deletions


@ -476,6 +476,7 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
loc.Whitelist = anns.Whitelist loc.Whitelist = anns.Whitelist
loc.Denied = anns.Denied loc.Denied = anns.Denied
loc.XForwardedPrefix = anns.XForwardedPrefix loc.XForwardedPrefix = anns.XForwardedPrefix
loc.UsePortInRedirects = anns.UsePortInRedirects
if loc.Redirect.FromToWWW { if loc.Redirect.FromToWWW {
server.RedirectFromToWWW = true server.RedirectFromToWWW = true
@ -507,6 +508,7 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
Whitelist: anns.Whitelist, Whitelist: anns.Whitelist,
Denied: anns.Denied, Denied: anns.Denied,
XForwardedPrefix: anns.XForwardedPrefix, XForwardedPrefix: anns.XForwardedPrefix,
UsePortInRedirects: anns.UsePortInRedirects,
} }
if loc.Redirect.FromToWWW { if loc.Redirect.FromToWWW {
@ -1219,9 +1221,12 @@ func (n *NGINXController) SetForceReload(shouldReload bool) {
} }
func (n *NGINXController) extractAnnotations(ing *extensions.Ingress) { func (n *NGINXController) extractAnnotations(ing *extensions.Ingress) {
glog.V(3).Infof("updating annotations information for ingress %v/%v", ing.Namespace, ing.Name)
anns := n.annotations.Extract(ing) anns := n.annotations.Extract(ing)
glog.V(3).Infof("updating annotations information for ingress %v/%v", anns.Namespace, anns.Name) err := n.listers.IngressAnnotation.Update(anns)
n.listers.IngressAnnotation.Update(anns) if err != nil {
glog.Errorf("unexpected error updating annotations information for ingress %v/%v: %v", anns.Namespace, anns.Name, err)
}
} }
// getByIngress returns the parsed annotations from an Ingress // getByIngress returns the parsed annotations from an Ingress
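Review bot: In extractAnnotations the error from `n.listers.IngressAnnotation.Update(anns)` is now logged, but the function still returns nothing, so after a failed update the store keeps whatever it held before for this ingress. getBackendServers copies `anns.Whitelist` and `anns.Denied` into each location; if those values are read back from that store (the lookup is outside the hunks, so this is inferred), a stale or missing entry could leave an access restriction out of the rendered configuration. I would key the error log on the input object like the new Infof line does, `glog.Errorf("unexpected error updating annotations information for ingress %v/%v: %v", ing.Namespace, ing.Name, err)`, so it does not depend on what Extract returned. I would also add a comment above the check stating which annotations are served for the ingress when the update fails.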


@ -234,8 +234,6 @@ type NGINXController struct {
// returns true if proxy protocol es enabled // returns true if proxy protocol es enabled
IsProxyProtocolEnabled bool IsProxyProtocolEnabled bool
isSSLPassthroughEnabled bool
isShuttingDown bool isShuttingDown bool
Proxy *TCPProxy Proxy *TCPProxy
@ -490,7 +488,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
}) })
} }
if n.isSSLPassthroughEnabled { if n.cfg.EnableSSLPassthrough {
n.Proxy.ServerList = servers n.Proxy.ServerList = servers
} }
@ -636,7 +634,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
Cfg: cfg, Cfg: cfg,
IsIPV6Enabled: n.isIPV6Enabled && !cfg.DisableIpv6, IsIPV6Enabled: n.isIPV6Enabled && !cfg.DisableIpv6,
RedirectServers: redirectServers, RedirectServers: redirectServers,
IsSSLPassthroughEnabled: n.isSSLPassthroughEnabled, IsSSLPassthroughEnabled: n.cfg.EnableSSLPassthrough,
ListenPorts: n.cfg.ListenPorts, ListenPorts: n.cfg.ListenPorts,
PublishService: n.GetPublishService(), PublishService: n.GetPublishService(),
} }
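Review bot: In OnUpdate, `n.Proxy.ServerList = servers` dereferences `n.Proxy` with only `n.cfg.EnableSSLPassthrough` as its guard. With the cached `isSSLPassthroughEnabled` field removed, the flag and the proxy are no longer set together by anything visible here. Where `Proxy` is constructed lies outside these hunks, so whether it is always non-nil by the first OnUpdate call cannot be confirmed from the page. Either guard it, `if n.cfg.EnableSSLPassthrough && n.Proxy != nil {`, or add a comment on the `Proxy *TCPProxy` field saying it is created before the first sync whenever `EnableSSLPassthrough` is set. OnUpdate's body continues outside both hunks.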


@ -214,7 +214,7 @@ http {
} }
{{ else }} {{ else }}
map $pass_server_port $pass_port { map $pass_server_port $pass_port {
443 443; {{ $all.ListenPorts.HTTPS }} 443;
default $pass_server_port; default $pass_server_port;
} }
{{ end }} {{ end }}
@ -678,6 +678,8 @@ stream {
{{ end }} {{ end }}
location {{ $path }} { location {{ $path }} {
port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
{{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }} {{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }}
set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location }}"; set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location }}";
@ -688,11 +690,12 @@ stream {
set $ingress_name "{{ $ing.Rule }}"; set $ingress_name "{{ $ing.Rule }}";
set $service_name "{{ $ing.Service }}"; set $service_name "{{ $ing.Service }}";
{{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
{{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }} {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
# enforce ssl on server side # enforce ssl on server side
if ($redirect_to_https) { if ($redirect_to_https) {
{{ if ne $all.ListenPorts.HTTPS 443 }} {{ if $location.UsePortInRedirects }}
{{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }} {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host{{ $redirect_port }}$request_uri; return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host{{ $redirect_port }}$request_uri;
{{ else }} {{ else }}
return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host$request_uri; return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host$request_uri;
@ -716,8 +719,6 @@ stream {
} }
{{ end }} {{ end }}
port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
{{ if not (empty $authPath) }} {{ if not (empty $authPath) }}
# this location requires authentication # this location requires authentication
auth_request {{ $authPath }}; auth_request {{ $authPath }};
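Review bot: In the `if ($redirect_to_https)` block the port suffix now appears to depend on `$location.UsePortInRedirects` rather than on `ne $all.ListenPorts.HTTPS 443`, and this changes two cases that the template does not document. A controller listening on a non-443 HTTPS port, with the annotation unset, redirects to `https://$best_http_host$request_uri` with no port. With the annotation set, the redirect carries `ListenPorts.HTTPS`, which is the listen port inside the controller and not necessarily the port clients reach from outside. The `map $pass_server_port $pass_port` hunk goes the other way and reports that same listen port to backends as 443, so the forwarded port and the redirect port can disagree. I would extend the new template comment to say so, for example `{{/* the port is appended only when UsePortInRedirects is set; ListenPorts.HTTPS must then be the externally reachable HTTPS port */}}`.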