Move certificate authentication from location to server

2017-08-22 17:16:59 -03:00 · 2017-08-22 17:16:59 -03:00 · 806144421e
commit 806144421e
parent f0144a1df4
9 changed files with 57 additions and 24 deletions
--- a/core/pkg/ingress/controller/annotations.go
+++ b/core/pkg/ingress/controller/annotations.go
@ -23,6 +23,7 @@ import (
 	"k8s.io/ingress/core/pkg/ingress/annotations/auth"
 	"k8s.io/ingress/core/pkg/ingress/annotations/authreq"
 	"k8s.io/ingress/core/pkg/ingress/annotations/authtls"
+	"k8s.io/ingress/core/pkg/ingress/annotations/clientbodybuffersize"
 	"k8s.io/ingress/core/pkg/ingress/annotations/cors"
 	"k8s.io/ingress/core/pkg/ingress/annotations/healthcheck"
 	"k8s.io/ingress/core/pkg/ingress/annotations/ipwhitelist"
@ -39,7 +40,6 @@ import (
 	"k8s.io/ingress/core/pkg/ingress/annotations/sslpassthrough"
 	"k8s.io/ingress/core/pkg/ingress/errors"
 	"k8s.io/ingress/core/pkg/ingress/resolver"
-	"k8s.io/ingress/core/pkg/ingress/annotations/clientbodybuffersize"
 )

 type extractorConfig interface {
@ -115,6 +115,7 @@ const (
 	serviceUpstream      = "ServiceUpstream"
 	serverAlias          = "Alias"
 	clientBodyBufferSize = "ClientBodyBufferSize"
+	certificateAuth      = "CertificateAuth"
 )

 func (e *annotationExtractor) ServiceUpstream(ing *extensions.Ingress) bool {
@ -155,3 +156,16 @@ func (e *annotationExtractor) SessionAffinity(ing *extensions.Ingress) *sessiona
 	val, _ := e.annotations[sessionAffinity].Parse(ing)
 	return val.(*sessionaffinity.AffinityConfig)
 }
+
+func (e *annotationExtractor) CertificateAuth(ing *extensions.Ingress) *authtls.AuthSSLConfig {
+	val, err := e.annotations[certificateAuth].Parse(ing)
+	if errors.IsMissingAnnotations(err) {
+		return nil
+	}
+
+	if err != nil {
+		glog.Errorf("error parsing certificate auth: %v", err)
+	}
+	secure := val.(*authtls.AuthSSLConfig)
+	return secure
+}
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
@ -652,6 +652,15 @@ func (ic *GenericController) getBackendServers() ([]*ingress.Backend, []*ingress
 				continue
 			}

+			if server.CertificateAuth.CAFileName == "" {
+				ca := ic.annotations.CertificateAuth(ing)
+				if ca != nil {
+					server.CertificateAuth = *ca
+				}
+			} else {
+				glog.V(3).Infof("server %v already contains a muthual autentication configuration - ingress rule %v/%v", server.Hostname, ing.Namespace, ing.Name)
+			}
+
 			for _, path := range rule.HTTP.Paths {
 				upsName := fmt.Sprintf("%v-%v-%v",
 					ing.GetNamespace(),