Move certificate authentication from location to server

core/pkg/ingress/annotations/authtls/main.go

@@ -36,8 +36,8 @@ const (
 // AuthSSLConfig contains the AuthSSLCert used for muthual autentication
 // and the configured ValidationDepth
 type AuthSSLConfig struct {
-	AuthSSLCert     resolver.AuthSSLCert `json:"authSSLCert"`
-	ValidationDepth int                  `json:"validationDepth"`
+	resolver.AuthSSLCert
+	ValidationDepth int `json:"validationDepth"`
 }
 
 // Equal tests for equality between two AuthSSLConfig types

core/pkg/ingress/annotations/ratelimit/main.go

@@ -91,9 +91,15 @@ func (rt1 *RateLimit) Equal(rt2 *RateLimit) bool {
 	if rt1.LimitRateAfter != rt2.LimitRateAfter {
 		return false
 	}
+	if rt1.ID != rt2.ID {
+		return false
+	}
 	if rt1.Name != rt2.Name {
 		return false
 	}
+	if len(rt1.Whitelist) != len(rt2.Whitelist) {
+		return false
+	}
 
 	for _, r1l := range rt1.Whitelist {
 		found := false

core/pkg/ingress/controller/annotations.go

@@ -23,6 +23,7 @@ import (
 	"k8s.io/ingress/core/pkg/ingress/annotations/auth"
 	"k8s.io/ingress/core/pkg/ingress/annotations/authreq"
 	"k8s.io/ingress/core/pkg/ingress/annotations/authtls"
+	"k8s.io/ingress/core/pkg/ingress/annotations/clientbodybuffersize"
 	"k8s.io/ingress/core/pkg/ingress/annotations/cors"
 	"k8s.io/ingress/core/pkg/ingress/annotations/healthcheck"
 	"k8s.io/ingress/core/pkg/ingress/annotations/ipwhitelist"
@@ -39,7 +40,6 @@ import (
 	"k8s.io/ingress/core/pkg/ingress/annotations/sslpassthrough"
 	"k8s.io/ingress/core/pkg/ingress/errors"
 	"k8s.io/ingress/core/pkg/ingress/resolver"
-	"k8s.io/ingress/core/pkg/ingress/annotations/clientbodybuffersize"
 )
 
 type extractorConfig interface {
@@ -115,6 +115,7 @@ const (
 	serviceUpstream      = "ServiceUpstream"
 	serverAlias          = "Alias"
 	clientBodyBufferSize = "ClientBodyBufferSize"
+	certificateAuth      = "CertificateAuth"
 )
 
 func (e *annotationExtractor) ServiceUpstream(ing *extensions.Ingress) bool {
@@ -155,3 +156,16 @@ func (e *annotationExtractor) SessionAffinity(ing *extensions.Ingress) *sessiona
 	val, _ := e.annotations[sessionAffinity].Parse(ing)
 	return val.(*sessionaffinity.AffinityConfig)
 }
+
+func (e *annotationExtractor) CertificateAuth(ing *extensions.Ingress) *authtls.AuthSSLConfig {
+	val, err := e.annotations[certificateAuth].Parse(ing)
+	if errors.IsMissingAnnotations(err) {
+		return nil
+	}
+
+	if err != nil {
+		glog.Errorf("error parsing certificate auth: %v", err)
+	}
+	secure := val.(*authtls.AuthSSLConfig)
+	return secure
+}

core/pkg/ingress/controller/controller.go

@@ -652,6 +652,15 @@ func (ic *GenericController) getBackendServers() ([]*ingress.Backend, []*ingress
 				continue
 			}
 
+			if server.CertificateAuth.CAFileName == "" {
+				ca := ic.annotations.CertificateAuth(ing)
+				if ca != nil {
+					server.CertificateAuth = *ca
+				}
+			} else {
+				glog.V(3).Infof("server %v already contains a muthual autentication configuration - ingress rule %v/%v", server.Hostname, ing.Namespace, ing.Name)
+			}
+
 			for _, path := range rule.HTTP.Paths {
 				upsName := fmt.Sprintf("%v-%v-%v",
 					ing.GetNamespace(),

core/pkg/ingress/types.go

@@ -158,7 +158,7 @@ type Backend struct {
 	Secure bool `json:"secure"`
 	// SecureCACert has the filename and SHA1 of the certificate authorities used to validate
 	// a secured connection to the backend
-	SecureCACert resolver.AuthSSLCert `json:"secureCert"`
+	SecureCACert resolver.AuthSSLCert `json:"secureCACert"`
 	// SSLPassthrough indicates that Ingress controller will delegate TLS termination to the endpoints.
 	SSLPassthrough bool `json:"sslPassthrough"`
 	// Endpoints contains the list of endpoints currently running
@@ -225,6 +225,9 @@ type Server struct {
 	Alias string `json:"alias,omitempty"`
 	// RedirectFromToWWW returns if a redirect to/from prefix www is required
 	RedirectFromToWWW bool `json:"redirectFromToWWW,omitempty"`
+	// CertificateAuth indicates the this server requires mutual authentication
+	// +optional
+	CertificateAuth authtls.AuthSSLConfig `json:"certificateAuth"`
 }
 
 // Location describes an URI inside a server.
@@ -236,7 +239,6 @@ type Server struct {
 // In some cases when more than one annotations is defined a particular order in the execution
 // is required.
 // The chain in the execution order of annotations should be:
-// - CertificateAuth
 // - Whitelist
 // - RateLimit
 // - BasicDigestAuth
@@ -293,10 +295,6 @@ type Location struct {
 	// to be used in connections against endpoints
 	// +optional
 	Proxy proxy.Configuration `json:"proxy,omitempty"`
-	// CertificateAuth indicates the access to this location requires
-	// external authentication
-	// +optional
-	CertificateAuth authtls.AuthSSLConfig `json:"certificateAuth,omitempty"`
 	// UsePortInRedirects indicates if redirects must specify the port
 	// +optional
 	UsePortInRedirects bool `json:"use-port-in-redirects"`

core/pkg/ingress/types_equals.go

@@ -279,6 +279,9 @@ func (s1 *Server) Equal(s2 *Server) bool {
 	if s1.Hostname != s2.Hostname {
 		return false
 	}
+	if s1.Alias != s2.Alias {
+		return false
+	}
 	if s1.SSLPassthrough != s2.SSLPassthrough {
 		return false
 	}
@@ -288,6 +291,12 @@ func (s1 *Server) Equal(s2 *Server) bool {
 	if s1.SSLPemChecksum != s2.SSLPemChecksum {
 		return false
 	}
+	if !(&s1.CertificateAuth).Equal(&s2.CertificateAuth) {
+		return false
+	}
+	if s1.RedirectFromToWWW != s2.RedirectFromToWWW {
+		return false
+	}
 
 	if len(s1.Locations) != len(s2.Locations) {
 		return false
@@ -370,9 +379,6 @@ func (l1 *Location) Equal(l2 *Location) bool {
 	if !(&l1.Proxy).Equal(&l2.Proxy) {
 		return false
 	}
-	if !(&l1.CertificateAuth).Equal(&l2.CertificateAuth) {
-		return false
-	}
 	if l1.UsePortInRedirects != l2.UsePortInRedirects {
 		return false
 	}