Merge pull request #716 from jcmoraisjr/jm-secure-ca

Add secure-verify-ca-secret annotation
2017-05-17 07:41:13 -04:00 · 2017-05-17 07:41:13 -04:00 · 3dc7717a68
commit 3dc7717a68
parent b4032f0648 8b5a6e7661
6 changed files with 144 additions and 17 deletions
--- a/core/pkg/ingress/controller/annotations.go
+++ b/core/pkg/ingress/controller/annotations.go
@ -68,7 +68,7 @@ func newAnnotationExtractor(cfg extractorConfig) annotationExtractor {
 			"Proxy":                proxy.NewParser(cfg),
 			"RateLimit":            ratelimit.NewParser(),
 			"Redirect":             rewrite.NewParser(cfg),
-			"SecureUpstream":       secureupstream.NewParser(),
+			"SecureUpstream":       secureupstream.NewParser(cfg),
 			"SessionAffinity":      sessionaffinity.NewParser(),
 			"SSLPassthrough":       sslpassthrough.NewParser(),
 			"ConfigurationSnippet": snippet.NewParser(),
@ -111,9 +111,13 @@ const (
 	sessionAffinity = "SessionAffinity"
 )

-func (e *annotationExtractor) SecureUpstream(ing *extensions.Ingress) bool {
-	val, _ := e.annotations[secureUpstream].Parse(ing)
-	return val.(bool)
+func (e *annotationExtractor) SecureUpstream(ing *extensions.Ingress) *secureupstream.Secure {
+	val, err := e.annotations[secureUpstream].Parse(ing)
+	if err != nil {
+		glog.Errorf("error parsing secure upstream: %v", err)
+	}
+	secure := val.(*secureupstream.Secure)
+	return secure
 }

 func (e *annotationExtractor) HealthCheck(ing *extensions.Ingress) *healthcheck.Upstream {
--- a/core/pkg/ingress/controller/annotations_test.go
+++ b/core/pkg/ingress/controller/annotations_test.go
@ -30,6 +30,7 @@ import (

 const (
 	annotationSecureUpstream     = "ingress.kubernetes.io/secure-backends"
+	annotationSecureVerifyCACert = "ingress.kubernetes.io/secure-verify-ca-secret"
 	annotationUpsMaxFails        = "ingress.kubernetes.io/upstream-max-fails"
 	annotationUpsFailTimeout     = "ingress.kubernetes.io/upstream-fail-timeout"
 	annotationPassthrough        = "ingress.kubernetes.io/ssl-passthrough"
@ -51,7 +52,14 @@ func (m mockCfg) GetSecret(name string) (*api.Secret, error) {
 	return m.MockSecrets[name], nil
 }

-func (m mockCfg) GetAuthCertificate(string) (*resolver.AuthSSLCert, error) {
+func (m mockCfg) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error) {
+	if secret, _ := m.GetSecret(name); secret != nil {
+		return &resolver.AuthSSLCert{
+			Secret:     name,
+			CAFileName: "/opt/ca.pem",
+			PemSHA:     "123",
+		}, nil
+	}
 	return nil, nil
 }

@ -122,12 +130,47 @@ func TestSecureUpstream(t *testing.T) {
 	for _, foo := range fooAnns {
 		ing.SetAnnotations(foo.annotations)
 		r := ec.SecureUpstream(ing)
-		if r != foo.er {
+		if r.Secure != foo.er {
 			t.Errorf("Returned %v but expected %v", r, foo.er)
 		}
 	}
 }

+func TestSecureVerifyCACert(t *testing.T) {
+	ec := newAnnotationExtractor(mockCfg{
+		MockSecrets: map[string]*api.Secret{
+			"default/secure-verify-ca": {
+				ObjectMeta: meta_v1.ObjectMeta{
+					Name: "secure-verify-ca",
+				},
+			},
+		},
+	})
+
+	anns := []struct {
+		it          int
+		annotations map[string]string
+		exists      bool
+	}{
+		{1, map[string]string{annotationSecureUpstream: "true", annotationSecureVerifyCACert: "not"}, false},
+		{2, map[string]string{annotationSecureUpstream: "false", annotationSecureVerifyCACert: "secure-verify-ca"}, false},
+		{3, map[string]string{annotationSecureUpstream: "true", annotationSecureVerifyCACert: "secure-verify-ca"}, true},
+		{4, map[string]string{annotationSecureUpstream: "true", annotationSecureVerifyCACert + "_not": "secure-verify-ca"}, false},
+		{5, map[string]string{annotationSecureUpstream: "true"}, false},
+		{6, map[string]string{}, false},
+		{7, nil, false},
+	}
+
+	for _, ann := range anns {
+		ing := buildIngress()
+		ing.SetAnnotations(ann.annotations)
+		res := ec.SecureUpstream(ing)
+		if (res.CACert.CAFileName != "") != ann.exists {
+			t.Errorf("Expected exists was %v on iteration %v", ann.exists, ann.it)
+		}
+	}
+}
+
 func TestHealthCheck(t *testing.T) {
 	ec := newAnnotationExtractor(mockCfg{})
 	ing := buildIngress()
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
@ -784,7 +784,10 @@ func (ic *GenericController) createUpstreams(data []interface{}) map[string]*ing
 				glog.V(3).Infof("creating upstream %v", name)
 				upstreams[name] = newUpstream(name)
 				if !upstreams[name].Secure {
-					upstreams[name].Secure = secUpstream
+					upstreams[name].Secure = secUpstream.Secure
+				}
+				if upstreams[name].SecureCACert.Secret == "" {
+					upstreams[name].SecureCACert = secUpstream.CACert
 				}
 				if upstreams[name].SessionAffinity.AffinityType == "" {
 					upstreams[name].SessionAffinity.AffinityType = affinity.AffinityType