Implement a validation webhook

In case some ingress have a syntax error in the snippet configuration,
the freshly generated configuration will not be reloaded to prevent tearing down existing rules.
Although, once inserted, this configuration is preventing from any other valid configuration to be inserted as it remains in the ingresses of the cluster.
To solve this problem, implement an optional validation webhook that simulates the addition of the ingress to be added together with the rest of ingresses.
In case the generated configuration is not validated by nginx, deny the insertion of the ingress.

In case certificates are mounted using kubernetes secrets, when those
changes, keys are automatically updated in the container volume, and the
controller reloads it using the filewatcher.

Related changes:

- Update vendors
- Extract useful functions to check configuration with an additional ingress
- Update documentation for validating webhook
- Add validating webhook examples
- Add a metric for each syntax check success and errors
- Add more certificate generation examples

internal/net/ssl/ssl.go

@@ -31,15 +31,15 @@ import (
 	"net"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/zakjan/cert-chain-resolver/certUtil"
-	"k8s.io/klog"
-
 	"k8s.io/apimachinery/pkg/util/sets"
-
 	"k8s.io/ingress-nginx/internal/file"
 	"k8s.io/ingress-nginx/internal/ingress"
+	"k8s.io/ingress-nginx/internal/watch"
+	"k8s.io/klog"
 )
 
 var (
@@ -360,6 +360,23 @@ func AddOrUpdateDHParam(name string, dh []byte, fs file.Filesystem) (string, err
 // GetFakeSSLCert creates a Self Signed Certificate
 // Based in the code https://golang.org/src/crypto/tls/generate_cert.go
 func GetFakeSSLCert(fs file.Filesystem) *ingress.SSLCert {
+	cert, key := getFakeHostSSLCert("ingress.local")
+
+	sslCert, err := CreateSSLCert(cert, key)
+	if err != nil {
+		klog.Fatalf("unexpected error creating fake SSL Cert: %v", err)
+	}
+
+	err = StoreSSLCertOnDisk(fs, fakeCertificateName, sslCert)
+	if err != nil {
+		klog.Fatalf("unexpected error storing fake SSL Cert: %v", err)
+	}
+
+	return sslCert
+}
+
+func getFakeHostSSLCert(host string) ([]byte, []byte) {
+
 	var priv interface{}
 	var err error
 
@@ -392,7 +409,7 @@ func GetFakeSSLCert(fs file.Filesystem) *ingress.SSLCert {
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
-		DNSNames:              []string{"ingress.local"},
+		DNSNames:              []string{host},
 	}
 	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.(*rsa.PrivateKey).PublicKey, priv)
 	if err != nil {
@@ -403,17 +420,7 @@ func GetFakeSSLCert(fs file.Filesystem) *ingress.SSLCert {
 
 	key := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))})
 
-	sslCert, err := CreateSSLCert(cert, key)
-	if err != nil {
-		klog.Fatalf("unexpected error creating fake SSL Cert: %v", err)
-	}
-
-	err = StoreSSLCertOnDisk(fs, fakeCertificateName, sslCert)
-	if err != nil {
-		klog.Fatalf("unexpected error storing fake SSL Cert: %v", err)
-	}
-
-	return sslCert
+	return cert, key
 }
 
 // FullChainCert checks if a certificate file contains issues in the intermediate CA chain
@@ -470,3 +477,64 @@ func IsValidHostname(hostname string, commonNames []string) bool {
 
 	return false
 }
+
+// TLSListener implements a dynamic certificate loader
+type TLSListener struct {
+	certificatePath string
+	keyPath         string
+	fs              file.Filesystem
+	certificate     *tls.Certificate
+	err             error
+	lock            sync.Mutex
+}
+
+// NewTLSListener watches changes to th certificate and key paths
+// and reloads it whenever it changes
+func NewTLSListener(certificate, key string) *TLSListener {
+	fs, err := file.NewLocalFS()
+	if err != nil {
+		panic(fmt.Sprintf("failed to instanciate certificate: %v", err))
+	}
+	l := TLSListener{
+		certificatePath: certificate,
+		keyPath:         key,
+		fs:              fs,
+		lock:            sync.Mutex{},
+	}
+	l.load()
+	watch.NewFileWatcher(certificate, l.load)
+	watch.NewFileWatcher(key, l.load)
+	return &l
+}
+
+// GetCertificate implements the tls.Config.GetCertificate interface
+func (tl *TLSListener) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+	tl.lock.Lock()
+	defer tl.lock.Unlock()
+	return tl.certificate, tl.err
+}
+
+// TLSConfig instanciates a TLS configuration, always providing an up to date certificate
+func (tl *TLSListener) TLSConfig() *tls.Config {
+	return &tls.Config{
+		GetCertificate: tl.GetCertificate,
+	}
+}
+
+func (tl *TLSListener) load() {
+	klog.Infof("loading tls certificate from certificate path %s and key path %s", tl.certificatePath, tl.keyPath)
+	certBytes, err := tl.fs.ReadFile(tl.certificatePath)
+	if err != nil {
+		tl.certificate = nil
+		tl.err = err
+	}
+	keyBytes, err := tl.fs.ReadFile(tl.keyPath)
+	if err != nil {
+		tl.certificate = nil
+		tl.err = err
+	}
+	cert, err := tls.X509KeyPair(certBytes, keyBytes)
+	tl.lock.Lock()
+	defer tl.lock.Unlock()
+	tl.certificate, tl.err = &cert, err
+}

internal/net/ssl/ssl_test.go

@@ -22,6 +22,7 @@ import (
 	"crypto/rand"
 	cryptorand "crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -29,10 +30,15 @@ import (
 	"fmt"
 	"math"
 	"math/big"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"sync"
 	"testing"
 	"time"
 
 	certutil "k8s.io/client-go/util/cert"
+	"k8s.io/kubernetes/pkg/util/filesystem"
 
 	"k8s.io/ingress-nginx/internal/file"
 )
@@ -366,3 +372,87 @@ func encodeCertPEM(cert *x509.Certificate) []byte {
 	}
 	return pem.EncodeToMemory(&block)
 }
+
+func fakeCertificate(t *testing.T, fs filesystem.Filesystem) []byte {
+	cert, key := getFakeHostSSLCert("localhost")
+	fd, err := fs.Create("/key.crt")
+	if err != nil {
+		t.Errorf("failed to write test key: %v", err)
+	}
+	fd.Write(cert)
+	fd, err = fs.Create("/key.key")
+	if err != nil {
+		t.Errorf("failed to write test key: %v", err)
+	}
+	fd.Write(key)
+	return cert
+}
+
+func dialTestServer(port string, rootCertificates ...[]byte) error {
+	roots := x509.NewCertPool()
+	for _, cert := range rootCertificates {
+		ok := roots.AppendCertsFromPEM(cert)
+		if !ok {
+			return fmt.Errorf("failed to add root certificate")
+		}
+	}
+	resp, err := tls.Dial("tcp", "localhost:"+port, &tls.Config{
+		RootCAs: roots,
+	})
+	if err != nil {
+		return err
+	}
+	if resp.Handshake() != nil {
+		return fmt.Errorf("TLS handshake should succeed: %v", err)
+	}
+	return nil
+}
+
+func TestTLSKeyReloader(t *testing.T) {
+	fs := filesystem.NewFakeFs()
+	cert := fakeCertificate(t, fs)
+
+	watcher := TLSListener{
+		certificatePath: "/key.crt",
+		keyPath:         "/key.key",
+		fs:              fs,
+		lock:            sync.Mutex{},
+	}
+	watcher.load()
+
+	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
+	s.Config.TLSConfig = watcher.TLSConfig()
+	s.Listener = tls.NewListener(s.Listener, s.Config.TLSConfig)
+	go s.Start()
+	defer s.Close()
+	port := strings.Split(s.Listener.Addr().String(), ":")[1]
+
+	t.Run("without the trusted certificate", func(t *testing.T) {
+		if dialTestServer(port) == nil {
+			t.Errorf("TLS dial should fail")
+		}
+	})
+
+	t.Run("with the certificate trustes as root certificate", func(t *testing.T) {
+		if err := dialTestServer(port, cert); err != nil {
+			t.Errorf("TLS dial should succeed, got error: %v", err)
+		}
+	})
+
+	t.Run("with a new certificate", func(t *testing.T) {
+		newCert := fakeCertificate(t, fs)
+		t.Run("when the certificate is not reloaded", func(t *testing.T) {
+			if dialTestServer(port, newCert) == nil {
+				t.Errorf("TLS dial should fail")
+			}
+		})
+		// simulate watch.NewFileWatcher to call the load function
+		watcher.load()
+		t.Run("when the certificate is reloaded", func(t *testing.T) {
+			if err := dialTestServer(port, newCert); err != nil {
+				t.Errorf("TLS dial should succeed, got error: %v", err)
+			}
+		})
+	})
+
+}