Merge pull request #4689 from janosi/upstream_ssl

Server-only authentication of backends and per-location SSL config

internal/ingress/controller/controller.go

@@ -1166,6 +1166,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress)
 	loc.EnableGlobalAuth = anns.EnableGlobalAuth
 	loc.HTTP2PushPreload = anns.HTTP2PushPreload
 	loc.Proxy = anns.Proxy
+	loc.ProxySSL = anns.ProxySSL
 	loc.RateLimit = anns.RateLimit
 	loc.Redirect = anns.Redirect
 	loc.Rewrite = anns.Rewrite

internal/ingress/controller/store/backend_ssl.go

@@ -115,6 +115,7 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error
 				return nil, fmt.Errorf("error while storing certificate and key: %v", err)
 			}
 
+			sslCert.PemFileName = path
 			sslCert.CACertificate = caCert
 			sslCert.CAFileName = path
 			sslCert.CASHA = file.SHA1(path)

internal/ingress/controller/store/store.go

@@ -843,6 +843,7 @@ func (s *k8sStore) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error
 		CASHA:       cert.CASHA,
 		CRLFileName: cert.CRLFileName,
 		CRLSHA:      cert.CRLSHA,
+		PemFileName: cert.PemFileName,
 	}, nil
 }
 

internal/ingress/resolver/main.go

@@ -56,6 +56,8 @@ type AuthSSLCert struct {
 	CRLFileName string `json:"crlFileName"`
 	// CRLSHA contains the SHA1 hash of the 'ca.crl' file
 	CRLSHA string `json:"crlSha"`
+	// PemFileName contains the path to the secrets 'tls.crt' and 'tls.key'
+	PemFileName string `json:"pemFilename"`
 }
 
 // Equal tests for equality between two AuthSSLCert types