Add secure-verify-ca-secret annotation

core/pkg/ingress/annotations/secureupstream/main.go

@@ -17,25 +17,61 @@ limitations under the License.
 package secureupstream
 
 import (
+	"fmt"
+	"github.com/pkg/errors"
 	extensions "k8s.io/client-go/pkg/apis/extensions/v1beta1"
 
 	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	"k8s.io/ingress/core/pkg/ingress/resolver"
 )
 
 const (
-	secureUpstream = "ingress.kubernetes.io/secure-backends"
+	secureUpstream       = "ingress.kubernetes.io/secure-backends"
+	secureVerifyCASecret = "ingress.kubernetes.io/secure-verify-ca-secret"
 )
 
+// Secure describes SSL backend configuration
+type Secure struct {
+	Secure bool
+	CACert resolver.AuthSSLCert
+}
+
 type su struct {
+	certResolver resolver.AuthCertificate
 }
 
 // NewParser creates a new secure upstream annotation parser
-func NewParser() parser.IngressAnnotation {
-	return su{}
+func NewParser(resolver resolver.AuthCertificate) parser.IngressAnnotation {
+	return su{
+		certResolver: resolver,
+	}
 }
 
 // Parse parses the annotations contained in the ingress
 // rule used to indicate if the upstream servers should use SSL
 func (a su) Parse(ing *extensions.Ingress) (interface{}, error) {
-	return parser.GetBoolAnnotation(secureUpstream, ing)
+	s, _ := parser.GetBoolAnnotation(secureUpstream, ing)
+	ca, _ := parser.GetStringAnnotation(secureVerifyCASecret, ing)
+	secure := &Secure{
+		Secure: s,
+		CACert: resolver.AuthSSLCert{},
+	}
+	if !s && ca != "" {
+		return secure,
+			errors.Errorf("trying to use CA from secret %v/%v on a non secure backend", ing.Namespace, ca)
+	}
+	if ca == "" {
+		return secure, nil
+	}
+	caCert, err := a.certResolver.GetAuthCertificate(fmt.Sprintf("%v/%v", ing.Namespace, ca))
+	if err != nil {
+		return secure, errors.Wrap(err, "error obtaining certificate")
+	}
+	if caCert == nil {
+		return secure, nil
+	}
+	return &Secure{
+		Secure: s,
+		CACert: *caCert,
+	}, nil
 }

core/pkg/ingress/annotations/secureupstream/main_test.go

@@ -23,7 +23,9 @@ import (
 	api "k8s.io/client-go/pkg/api/v1"
 	extensions "k8s.io/client-go/pkg/apis/extensions/v1beta1"
 
+	"fmt"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/ingress/core/pkg/ingress/resolver"
 )
 
 func buildIngress() *extensions.Ingress {
@@ -61,22 +63,58 @@ func buildIngress() *extensions.Ingress {
 	}
 }
 
+type mockCfg struct {
+	certs map[string]resolver.AuthSSLCert
+}
+
+func (cfg mockCfg) GetAuthCertificate(secret string) (*resolver.AuthSSLCert, error) {
+	if cert, ok := cfg.certs[secret]; ok {
+		return &cert, nil
+	}
+	return nil, fmt.Errorf("secret not found: %v", secret)
+}
+
 func TestAnnotations(t *testing.T) {
 	ing := buildIngress()
 	data := map[string]string{}
 	data[secureUpstream] = "true"
+	data[secureVerifyCASecret] = "secure-verify-ca"
 	ing.SetAnnotations(data)
 
-	_, err := NewParser().Parse(ing)
+	_, err := NewParser(mockCfg{
+		certs: map[string]resolver.AuthSSLCert{
+			"default/secure-verify-ca": resolver.AuthSSLCert{},
+		},
+	}).Parse(ing)
 	if err != nil {
-		t.Error("Expected error with ingress without annotations")
+		t.Errorf("Unexpected error on ingress: %v", err)
 	}
 }
 
-func TestWithoutAnnotations(t *testing.T) {
+func TestSecretNotFound(t *testing.T) {
 	ing := buildIngress()
-	_, err := NewParser().Parse(ing)
+	data := map[string]string{}
+	data[secureUpstream] = "true"
+	data[secureVerifyCASecret] = "secure-verify-ca"
+	ing.SetAnnotations(data)
+	_, err := NewParser(mockCfg{}).Parse(ing)
 	if err == nil {
-		t.Error("Expected error with ingress without annotations")
+		t.Error("Expected secret not found error on ingress")
+	}
+}
+
+func TestSecretOnNonSecure(t *testing.T) {
+	ing := buildIngress()
+	data := map[string]string{}
+	data[secureUpstream] = "false"
+	data[secureVerifyCASecret] = "secure-verify-ca"
+	ing.SetAnnotations(data)
+	_, err := NewParser(mockCfg{
+		certs: map[string]resolver.AuthSSLCert{
+			"default/secure-verify-ca": resolver.AuthSSLCert{},
+		},
+	}).Parse(ing)
+	if err == nil {
+		t.Error("Expected CA secret on non secure backend error on ingress")
 	}
 }