enable dynamic SSL mode by default

test/e2e/annotations/authtls.go

@@ -55,22 +55,7 @@ var _ = framework.IngressNginxDescribe("Annotations - AuthTLS", func() {
 
 		f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, "http-svc", 80, &annotations))
 
-		// Since we can use the same certificate-chain for tls as well as mutual-auth, we will check all values
-		sslCertDirective := fmt.Sprintf("ssl_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
-		sslKeyDirective := fmt.Sprintf("ssl_certificate_key /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
-		sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
-
-		sslVerify := "ssl_verify_client on;"
-		sslVerifyDepth := "ssl_verify_depth 1;"
-
-		f.WaitForNginxServer(host,
-			func(server string) bool {
-				return strings.Contains(server, sslCertDirective) &&
-					strings.Contains(server, sslKeyDirective) &&
-					strings.Contains(server, sslClientCertDirective) &&
-					strings.Contains(server, sslVerify) &&
-					strings.Contains(server, sslVerifyDepth)
-			})
+		assertSslClientCertificateConfig(f, host, "on", "1")
 
 		// Send Request without Client Certs
 		req := gorequest.New()
@@ -112,18 +97,7 @@ var _ = framework.IngressNginxDescribe("Annotations - AuthTLS", func() {
 
 		f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, "http-svc", 80, &annotations))
 
-		// Since we can use the same certificate-chain for tls as well as mutual-auth, we will check all values
-		sslCertDirective := fmt.Sprintf("ssl_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
-		sslKeyDirective := fmt.Sprintf("ssl_certificate_key /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
-		sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
-
-		sslVerify := "ssl_verify_client off;"
-		sslVerifyDepth := "ssl_verify_depth 2;"
-
-		f.WaitForNginxServer(host,
-			func(server string) bool {
-				return strings.Contains(server, sslCertDirective) && strings.Contains(server, sslKeyDirective) && strings.Contains(server, sslClientCertDirective) && strings.Contains(server, sslVerify) && strings.Contains(server, sslVerifyDepth)
-			})
+		assertSslClientCertificateConfig(f, host, "off", "2")
 
 		// Send Request without Client Certs
 		req := gorequest.New()
@@ -158,24 +132,14 @@ var _ = framework.IngressNginxDescribe("Annotations - AuthTLS", func() {
 
 		f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, "http-svc", 80, &annotations))
 
-		// Since we can use the same certificate-chain for tls as well as mutual-auth, we will check all values
-		sslCertDirective := fmt.Sprintf("ssl_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
-		sslKeyDirective := fmt.Sprintf("ssl_certificate_key /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
-		sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", nameSpace, host)
+		assertSslClientCertificateConfig(f, host, "on", "1")
 
-		sslVerify := "ssl_verify_client on;"
-		sslVerifyDepth := "ssl_verify_depth 1;"
 		sslErrorPage := fmt.Sprintf("error_page 495 496 = %s;", f.GetURL(framework.HTTP)+errorPath)
 		sslUpstreamClientCert := "proxy_set_header ssl-client-cert $ssl_client_escaped_cert;"
 
 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, sslCertDirective) &&
-					strings.Contains(server, sslKeyDirective) &&
-					strings.Contains(server, sslClientCertDirective) &&
-					strings.Contains(server, sslVerify) &&
-					strings.Contains(server, sslVerifyDepth) &&
-					strings.Contains(server, sslErrorPage) &&
+				return strings.Contains(server, sslErrorPage) &&
 					strings.Contains(server, sslUpstreamClientCert)
 			})
 
@@ -202,3 +166,20 @@ var _ = framework.IngressNginxDescribe("Annotations - AuthTLS", func() {
 		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
 	})
 })
+
+func assertSslClientCertificateConfig(f *framework.Framework, host string, verifyClient string, verifyDepth string) {
+	sslCertDirective := "ssl_certificate /etc/ingress-controller/ssl/default-fake-certificate.pem;"
+	sslKeyDirective := "ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem;"
+	sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", f.Namespace, host)
+	sslVerify := fmt.Sprintf("ssl_verify_client %s;", verifyClient)
+	sslVerifyDepth := fmt.Sprintf("ssl_verify_depth %s;", verifyDepth)
+
+	f.WaitForNginxServer(host,
+		func(server string) bool {
+			return strings.Contains(server, sslCertDirective) &&
+				strings.Contains(server, sslKeyDirective) &&
+				strings.Contains(server, sslClientCertDirective) &&
+				strings.Contains(server, sslVerify) &&
+				strings.Contains(server, sslVerifyDepth)
+		})
+}

test/e2e/annotations/fromtowwwredirect.go

@@ -90,7 +90,6 @@ var _ = framework.IngressNginxDescribe("Annotations - from-to-www-redirect", fun
 		f.WaitForNginxServer(fmt.Sprintf("www.%v", host),
 			func(server string) bool {
 				return Expect(server).Should(ContainSubstring(`server_name www.fromtowwwredirect.bar.com;`)) &&
-					Expect(server).Should(ContainSubstring(fmt.Sprintf("/etc/ingress-controller/ssl/%v-fromtowwwredirect.bar.com.pem", f.Namespace))) &&
 					Expect(server).Should(ContainSubstring(`return 308 $scheme://fromtowwwredirect.bar.com$request_uri;`))
 			})
 

test/e2e/lua/dynamic_certificates.go

@@ -24,7 +24,6 @@ import (
 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
 
-	appsv1beta1 "k8s.io/api/apps/v1beta1"
 	extensions "k8s.io/api/extensions/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -36,23 +35,6 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() {
 	host := "foo.com"
 
 	BeforeEach(func() {
-		err := framework.UpdateDeployment(f.KubeClientSet, f.Namespace, "nginx-ingress-controller", 1,
-			func(deployment *appsv1beta1.Deployment) error {
-				args := deployment.Spec.Template.Spec.Containers[0].Args
-				args = append(args, "--enable-dynamic-certificates")
-				args = append(args, "--enable-ssl-chain-completion=false")
-				deployment.Spec.Template.Spec.Containers[0].Args = args
-				_, err := f.KubeClientSet.AppsV1beta1().Deployments(f.Namespace).Update(deployment)
-
-				return err
-			})
-		Expect(err).NotTo(HaveOccurred())
-
-		f.WaitForNginxConfiguration(
-			func(cfg string) bool {
-				return strings.Contains(cfg, "ok, res = pcall(require, \"certificate\")")
-			})
-
 		f.NewEchoDeploymentWithReplicas(1)
 	})