Merge pull request #5166 from janosi/proxy-ssl-name

proxy_ssl_name support
Kubernetes Prow Robot 2020-02-25 07:08:48 -08:00 committed by GitHub
commit f9e410458c
4 changed files with 24 additions and 4 deletions


@ -73,6 +73,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
|[nginx.ingress.kubernetes.io/proxy-http-version](#proxy-http-version)|"1.0" or "1.1"|
|[nginx.ingress.kubernetes.io/proxy-ssl-secret](#backend-certificate-authentication)|string|
|[nginx.ingress.kubernetes.io/proxy-ssl-ciphers](#backend-certificate-authentication)|string|
|[nginx.ingress.kubernetes.io/proxy-ssl-name](#backend-certificate-authentication)|string|
|[nginx.ingress.kubernetes.io/proxy-ssl-protocols](#backend-certificate-authentication)|string|
|[nginx.ingress.kubernetes.io/proxy-ssl-verify](#backend-certificate-authentication)|string|
|[nginx.ingress.kubernetes.io/proxy-ssl-verify-depth](#backend-certificate-authentication)|number|
@ -274,6 +275,8 @@ It is possible to authenticate to a proxied HTTPS backend with certificate using
Sets the verification depth in the proxied HTTPS server certificates chain. (default: 1)
* `nginx.ingress.kubernetes.io/proxy-ssl-ciphers`:
Specifies the enabled [ciphers](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_ciphers) for requests to a proxied HTTPS server. The ciphers are specified in the format understood by the OpenSSL library.
* `nginx.ingress.kubernetes.io/proxy-ssl-name`:
Allows to set [proxy_ssl_name](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_name). This allows overriding the server name used to verify the certificate of the proxied HTTPS server. This value is also passed through SNI when a connection is established to the proxied HTTPS server.
* `nginx.ingress.kubernetes.io/proxy-ssl-protocols`:
Enables the specified [protocols](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_protocols) for requests to a proxied HTTPS server.


@ -47,6 +47,7 @@ type Config struct {
resolver.AuthSSLCert
Ciphers string `json:"ciphers"`
Protocols string `json:"protocols"`
ProxySSLName string `json:"proxySSLName"`
Verify string `json:"verify"`
VerifyDepth int `json:"verifyDepth"`
}
@ -143,6 +144,11 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) {
config.Protocols = sortProtocols(config.Protocols)
}
config.ProxySSLName, err = parser.GetStringAnnotation("proxy-ssl-name", ing)
if err != nil {
config.ProxySSLName = ""
}
config.Verify, err = parser.GetStringAnnotation("proxy-ssl-verify", ing)
if err != nil || !proxySSLOnOffRegex.MatchString(config.Verify) {
config.Verify = defaultProxySSLVerify
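Review bot: The `proxy-ssl-name` value is accepted without any validation in Parse and, per the template changes in this same commit, is written verbatim into nginx.conf as `proxy_ssl_name <value>;`, so an Ingress author who can set annotations can embed `;` or newlines and inject arbitrary nginx directives into the generated configuration. The neighbouring `proxy-ssl-verify` annotation is gated by `proxySSLOnOffRegex` on the next line down, and this field should get the same treatment: a package-level `var proxySSLNameRegex = regexp.MustCompile(`^[A-Za-z0-9$._-]+$`)` (which still admits hostnames and variable references such as the `$host` the tests use), and `if err != nil || !proxySSLNameRegex.MatchString(config.ProxySSLName) {` in place of the bare `if err != nil {`, falling back to the empty string as it does today. It would also be worth a comment above the assignment noting that a variable such as `$host` is expanded from the client request, so when verification is on the upstream certificate is checked against a client-supplied name — confirm that is the intended trade-off.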


@ -128,6 +128,10 @@ func TestAnnotations(t *testing.T) {
if u.VerifyDepth != 3 {
t.Errorf("expected %v but got %v", 3, u.VerifyDepth)
}
if u.ProxySSLName != "$host" {
t.Errorf("expected %v but got %v", "$host", u.ProxySSLName)
}
}
func TestInvalidAnnotations(t *testing.T) {
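Review bot: The new assertion only covers the pass-through case where the annotation is present and echoed back unchanged; there is no check that an absent or rejected `proxy-ssl-name` leaves `ProxySSLName` as `""`, which is the fallback Parse relies on so the template omits the directive. Adding `if u.ProxySSLName != "" { t.Errorf("expected empty proxy-ssl-name but got %v", u.ProxySSLName) }` to TestInvalidAnnotations would pin that default. TestInvalidAnnotations' body lies outside the hunk.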


@ -813,6 +813,9 @@ stream {
proxy_ssl_protocols {{ $server.ProxySSL.Protocols }};
proxy_ssl_verify {{ $server.ProxySSL.Verify }};
proxy_ssl_verify_depth {{ $server.ProxySSL.VerifyDepth }};
{{ if not (empty $server.ProxySSL.ProxySSLName) }}
proxy_ssl_name {{ $server.ProxySSL.ProxySSLName }};
{{ end }}
{{ end }}
{{ if not (empty $server.ProxySSL.PemFileName) }}
@ -1234,6 +1237,10 @@ stream {
proxy_ssl_verify_depth {{ $location.ProxySSL.VerifyDepth }};
{{ end }}
{{ if not (empty $location.ProxySSL.ProxySSLName) }}
proxy_ssl_name {{ $location.ProxySSL.ProxySSLName }};
{{ end }}
{{ if not (empty $location.ProxySSL.PemFileName) }}
proxy_ssl_certificate {{ $location.ProxySSL.PemFileName }};
proxy_ssl_certificate_key {{ $location.ProxySSL.PemFileName }};
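Review bot: Emitting `proxy_ssl_name` alone only changes the name the upstream certificate is verified against; nginx sends it as SNI only when `proxy_ssl_server_name on;` is also set, and neither hunk in this template emits that directive, so the documentation's statement that the value "is also passed through SNI" holds only if `proxy_ssl_server_name` is enabled elsewhere in the template — I cannot see that from this diff. If it is not, add `proxy_ssl_server_name on;` inside the same `{{ if not (empty $location.ProxySSL.ProxySSLName) }}` block (and its server-level twin) so the directive actually does what the docs promise. Both hunks also render the value unquoted, which is only safe if the annotation parser restricts it to hostname/variable characters.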