Merge branch 'master' into server-alias
This commit is contained in:
Fernando Diaz
GitHub
commit
47e4dd59a8
157 changed files with 26072 additions and 489 deletions
|
|
@ -63,7 +63,7 @@ func newAnnotationExtractor(cfg extractorConfig) annotationExtractor {
|
|||
"Whitelist": ipwhitelist.NewParser(cfg),
|
||||
"UsePortInRedirects": portinredirect.NewParser(cfg),
|
||||
"Proxy": proxy.NewParser(cfg),
|
||||
"RateLimit": ratelimit.NewParser(),
|
||||
"RateLimit": ratelimit.NewParser(cfg),
|
||||
"Redirect": rewrite.NewParser(cfg),
|
||||
"SecureUpstream": secureupstream.NewParser(cfg),
|
||||
"ServiceUpstream": serviceupstream.NewParser(),
|
||||
|
|
|
|||
|
|
@ -34,14 +34,13 @@ import (
|
|||
"k8s.io/apimachinery/pkg/fields"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
"k8s.io/apimachinery/pkg/util/runtime"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/kubernetes/scheme"
|
||||
unversionedcore "k8s.io/client-go/kubernetes/typed/core/v1"
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/tools/record"
|
||||
"k8s.io/client-go/util/flowcontrol"
|
||||
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/ingress/core/pkg/file"
|
||||
"k8s.io/ingress/core/pkg/ingress"
|
||||
"k8s.io/ingress/core/pkg/ingress/annotations/class"
|
||||
|
|
@ -151,7 +150,7 @@ func newIngressController(config *Configuration) *GenericController {
|
|||
eventBroadcaster := record.NewBroadcaster()
|
||||
eventBroadcaster.StartLogging(glog.Infof)
|
||||
eventBroadcaster.StartRecordingToSink(&unversionedcore.EventSinkImpl{
|
||||
Interface: config.Client.Core().Events(config.Namespace),
|
||||
Interface: config.Client.CoreV1().Events(config.Namespace),
|
||||
})
|
||||
|
||||
ic := GenericController{
|
||||
|
|
@ -274,27 +273,27 @@ func newIngressController(config *Configuration) *GenericController {
|
|||
}
|
||||
|
||||
ic.ingLister.Store, ic.ingController = cache.NewInformer(
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.Extensions().RESTClient(), "ingresses", ic.cfg.Namespace, fields.Everything()),
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.ExtensionsV1beta1().RESTClient(), "ingresses", ic.cfg.Namespace, fields.Everything()),
|
||||
&extensions.Ingress{}, ic.cfg.ResyncPeriod, ingEventHandler)
|
||||
|
||||
ic.endpLister.Store, ic.endpController = cache.NewInformer(
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "endpoints", ic.cfg.Namespace, fields.Everything()),
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.CoreV1().RESTClient(), "endpoints", ic.cfg.Namespace, fields.Everything()),
|
||||
&api.Endpoints{}, ic.cfg.ResyncPeriod, eventHandler)
|
||||
|
||||
ic.secrLister.Store, ic.secrController = cache.NewInformer(
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "secrets", watchNs, fields.Everything()),
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.CoreV1().RESTClient(), "secrets", watchNs, fields.Everything()),
|
||||
&api.Secret{}, ic.cfg.ResyncPeriod, secrEventHandler)
|
||||
|
||||
ic.mapLister.Store, ic.mapController = cache.NewInformer(
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "configmaps", watchNs, fields.Everything()),
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.CoreV1().RESTClient(), "configmaps", watchNs, fields.Everything()),
|
||||
&api.ConfigMap{}, ic.cfg.ResyncPeriod, mapEventHandler)
|
||||
|
||||
ic.svcLister.Store, ic.svcController = cache.NewInformer(
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "services", ic.cfg.Namespace, fields.Everything()),
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.CoreV1().RESTClient(), "services", ic.cfg.Namespace, fields.Everything()),
|
||||
&api.Service{}, ic.cfg.ResyncPeriod, cache.ResourceEventHandlerFuncs{})
|
||||
|
||||
ic.nodeLister.Store, ic.nodeController = cache.NewInformer(
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.Core().RESTClient(), "nodes", api.NamespaceAll, fields.Everything()),
|
||||
cache.NewListWatchFromClient(ic.cfg.Client.CoreV1().RESTClient(), "nodes", api.NamespaceAll, fields.Everything()),
|
||||
&api.Node{}, ic.cfg.ResyncPeriod, cache.ResourceEventHandlerFuncs{})
|
||||
|
||||
if config.UpdateStatus {
|
||||
|
|
@ -340,6 +339,11 @@ func (ic GenericController) GetDefaultBackend() defaults.Backend {
|
|||
return ic.cfg.Backend.BackendDefaults()
|
||||
}
|
||||
|
||||
// GetRecorder returns the event recorder
|
||||
func (ic GenericController) GetRecoder() record.EventRecorder {
|
||||
return ic.recorder
|
||||
}
|
||||
|
||||
// GetSecret searches for a secret in the local secrets Store
|
||||
func (ic GenericController) GetSecret(name string) (*api.Secret, error) {
|
||||
s, exists, err := ic.secrLister.Store.GetByKey(name)
|
||||
|
|
@ -582,6 +586,7 @@ func (ic *GenericController) getDefaultUpstream() *ingress.Backend {
|
|||
endps = []ingress.Endpoint{newDefaultServer()}
|
||||
}
|
||||
|
||||
upstream.Service = svc
|
||||
upstream.Endpoints = append(upstream.Endpoints, endps...)
|
||||
return upstream
|
||||
}
|
||||
|
|
@ -845,6 +850,8 @@ func (ic *GenericController) createUpstreams(data []interface{}) map[string]*ing
|
|||
|
||||
glog.V(3).Infof("creating upstream %v", name)
|
||||
upstreams[name] = newUpstream(name)
|
||||
upstreams[name].Port = path.Backend.ServicePort
|
||||
|
||||
if !upstreams[name].Secure {
|
||||
upstreams[name].Secure = secUpstream.Secure
|
||||
}
|
||||
|
|
@ -881,12 +888,12 @@ func (ic *GenericController) createUpstreams(data []interface{}) map[string]*ing
|
|||
continue
|
||||
}
|
||||
|
||||
if exists {
|
||||
upstreams[name].Service = s.(*api.Service)
|
||||
} else {
|
||||
if !exists {
|
||||
glog.Warningf("service %v does not exists", svcKey)
|
||||
continue
|
||||
}
|
||||
upstreams[name].Port = path.Backend.ServicePort
|
||||
|
||||
upstreams[name].Service = s.(*api.Service)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1011,6 +1018,7 @@ func (ic *GenericController) createServers(data []interface{},
|
|||
}
|
||||
|
||||
// initialize the default server
|
||||
du := ic.getDefaultUpstream()
|
||||
servers[defServerName] = &ingress.Server{
|
||||
Hostname: defServerName,
|
||||
SSLCertificate: defaultPemFileName,
|
||||
|
|
@ -1019,8 +1027,9 @@ func (ic *GenericController) createServers(data []interface{},
|
|||
{
|
||||
Path: rootLocation,
|
||||
IsDefBackend: true,
|
||||
Backend: ic.getDefaultUpstream().Name,
|
||||
Backend: du.Name,
|
||||
Proxy: ngxProxy,
|
||||
Service: du.Service,
|
||||
},
|
||||
}}
|
||||
|
||||
|
|
@ -1033,12 +1042,13 @@ func (ic *GenericController) createServers(data []interface{},
|
|||
|
||||
// check if ssl passthrough is configured
|
||||
sslpt := ic.annotations.SSLPassthrough(ing)
|
||||
dun := ic.getDefaultUpstream().Name
|
||||
du := ic.getDefaultUpstream()
|
||||
un := du.Name
|
||||
if ing.Spec.Backend != nil {
|
||||
// replace default backend
|
||||
defUpstream := fmt.Sprintf("%v-%v-%v", ing.GetNamespace(), ing.Spec.Backend.ServiceName, ing.Spec.Backend.ServicePort.String())
|
||||
if backendUpstream, ok := upstreams[defUpstream]; ok {
|
||||
dun = backendUpstream.Name
|
||||
un = backendUpstream.Name
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1058,8 +1068,9 @@ func (ic *GenericController) createServers(data []interface{},
|
|||
{
|
||||
Path: rootLocation,
|
||||
IsDefBackend: true,
|
||||
Backend: dun,
|
||||
Backend: un,
|
||||
Proxy: ngxProxy,
|
||||
Service: &api.Service{},
|
||||
},
|
||||
}, SSLPassthrough: sslpt}
|
||||
}
|
||||
|
|
@ -1120,8 +1131,9 @@ func (ic *GenericController) createServers(data []interface{},
|
|||
}
|
||||
|
||||
cert := bc.(*ingress.SSLCert)
|
||||
if !isHostValid(host, cert) {
|
||||
glog.Warningf("ssl certificate %v does not contain a common name for host %v", key, host)
|
||||
err = cert.Certificate.VerifyHostname(host)
|
||||
if err != nil {
|
||||
glog.Warningf("ssl certificate %v does not contain a Common Name or Subject Alternative Name for host %v", key, host)
|
||||
continue
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -17,9 +17,6 @@ limitations under the License.
|
|||
package controller
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"unicode/utf8"
|
||||
|
||||
"github.com/golang/glog"
|
||||
"github.com/imdario/mergo"
|
||||
|
||||
|
|
@ -47,80 +44,6 @@ func newUpstream(name string) *ingress.Backend {
|
|||
}
|
||||
}
|
||||
|
||||
func isHostValid(host string, cert *ingress.SSLCert) bool {
|
||||
if cert == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
lowered := toLowerCaseASCII(host)
|
||||
for _, cn := range cert.CN {
|
||||
if matchHostnames(toLowerCaseASCII(cn), lowered) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func matchHostnames(pattern, host string) bool {
|
||||
host = strings.TrimSuffix(host, ".")
|
||||
pattern = strings.TrimSuffix(pattern, ".")
|
||||
|
||||
if len(pattern) == 0 || len(host) == 0 {
|
||||
return false
|
||||
}
|
||||
|
||||
patternParts := strings.Split(pattern, ".")
|
||||
hostParts := strings.Split(host, ".")
|
||||
|
||||
if len(patternParts) != len(hostParts) {
|
||||
return false
|
||||
}
|
||||
|
||||
for i, patternPart := range patternParts {
|
||||
if i == 0 && patternPart == "*" {
|
||||
continue
|
||||
}
|
||||
if patternPart != hostParts[i] {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
|
||||
// an explicitly ASCII function to avoid any sharp corners resulting from
|
||||
// performing Unicode operations on DNS labels.
|
||||
func toLowerCaseASCII(in string) string {
|
||||
// If the string is already lower-case then there's nothing to do.
|
||||
isAlreadyLowerCase := true
|
||||
for _, c := range in {
|
||||
if c == utf8.RuneError {
|
||||
// If we get a UTF-8 error then there might be
|
||||
// upper-case ASCII bytes in the invalid sequence.
|
||||
isAlreadyLowerCase = false
|
||||
break
|
||||
}
|
||||
if 'A' <= c && c <= 'Z' {
|
||||
isAlreadyLowerCase = false
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if isAlreadyLowerCase {
|
||||
return in
|
||||
}
|
||||
|
||||
out := []byte(in)
|
||||
for i, c := range out {
|
||||
if 'A' <= c && c <= 'Z' {
|
||||
out[i] += 'a' - 'A'
|
||||
}
|
||||
}
|
||||
return string(out)
|
||||
}
|
||||
|
||||
func mergeLocationAnnotations(loc *ingress.Location, anns map[string]interface{}) {
|
||||
if _, ok := anns[DeniedKeyName]; ok {
|
||||
loc.Denied = anns[DeniedKeyName].(error)
|
||||
|
|
|
|||
|
|
@ -36,57 +36,6 @@ func (fe *fakeError) Error() string {
|
|||
return "fakeError"
|
||||
}
|
||||
|
||||
func TestIsHostValid(t *testing.T) {
|
||||
fkCert := &ingress.SSLCert{
|
||||
CAFileName: "foo",
|
||||
PemFileName: "foo.cr",
|
||||
PemSHA: "perha",
|
||||
CN: []string{
|
||||
"*.cluster.local", "default.local",
|
||||
},
|
||||
}
|
||||
|
||||
fooTests := []struct {
|
||||
cr *ingress.SSLCert
|
||||
host string
|
||||
er bool
|
||||
}{
|
||||
{nil, "foo1.cluster.local", false},
|
||||
{fkCert, "foo1.cluster.local", true},
|
||||
{fkCert, "default.local", true},
|
||||
{fkCert, "foo2.cluster.local.t", false},
|
||||
{fkCert, "", false},
|
||||
}
|
||||
|
||||
for _, foo := range fooTests {
|
||||
r := isHostValid(foo.host, foo.cr)
|
||||
if r != foo.er {
|
||||
t.Errorf("Returned %v but expected %v for foo=%v", r, foo.er, foo)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestMatchHostnames(t *testing.T) {
|
||||
fooTests := []struct {
|
||||
pattern string
|
||||
host string
|
||||
er bool
|
||||
}{
|
||||
{"*.cluster.local.", "foo1.cluster.local.", true},
|
||||
{"foo1.cluster.local.", "foo2.cluster.local.", false},
|
||||
{"cluster.local.", "foo1.cluster.local.", false},
|
||||
{".", "foo1.cluster.local.", false},
|
||||
{"cluster.local.", ".", false},
|
||||
}
|
||||
|
||||
for _, foo := range fooTests {
|
||||
r := matchHostnames(foo.pattern, foo.host)
|
||||
if r != foo.er {
|
||||
t.Errorf("Returned %v but expected %v for foo=%v", r, foo.er, foo)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestMergeLocationAnnotations(t *testing.T) {
|
||||
// initial parameters
|
||||
loc := ingress.Location{}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue