Adds correct support for TLS Muthual autentication and depth verification

modified: controllers/nginx/configuration.md modified: controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl modified: core/pkg/ingress/annotations/authtls/main.go modified: core/pkg/ingress/controller/backend_ssl.go modified: core/pkg/ingress/controller/controller.go modified: core/pkg/ingress/controller/util_test.go modified: core/pkg/ingress/resolver/main.go modified: core/pkg/ingress/types.go modified: core/pkg/net/ssl/ssl.go modified: examples/PREREQUISITES.md new file: examples/auth/client-certs/nginx/README.md new file: examples/auth/client-certs/nginx/nginx-tls-auth.yaml
2017-02-06 16:16:36 -02:00 · 2017-02-06 16:16:36 -02:00 · a342c0bce3
commit a342c0bce3
parent f5e005f84f
12 changed files with 349 additions and 52 deletions
--- a/core/pkg/ingress/annotations/authtls/main.go
+++ b/core/pkg/ingress/annotations/authtls/main.go
@ -28,11 +28,16 @@ import (

 const (
 	// name of the secret
-	authTLSSecret = "ingress.kubernetes.io/auth-tls-secret"
+	annotationAuthTLSSecret = "ingress.kubernetes.io/auth-tls-secret"
+	annotationAuthTLSDepth  = "ingress.kubernetes.io/auth-tls-verify-depth"
+	defaultAuthTLSDepth     = 1
 )

-type authTLS struct {
-	certResolver resolver.AuthCertificate
+// AuthSSLConfig contains the AuthSSLCert used for muthual autentication
+// and the configured ValidationDepth
+type AuthSSLConfig struct {
+	AuthSSLCert     resolver.AuthSSLCert
+	ValidationDepth int `json:"validationDepth"`
 }

 // NewParser creates a new TLS authentication annotation parser
@ -40,29 +45,42 @@ func NewParser(resolver resolver.AuthCertificate) parser.IngressAnnotation {
 	return authTLS{resolver}
 }

-// ParseAnnotations parses the annotations contained in the ingress
-// rule used to use an external URL as source for authentication
+type authTLS struct {
+	certResolver resolver.AuthCertificate
+}
+
+// Parse parses the annotations contained in the ingress
+// rule used to use a Certificate as authentication method
 func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
-	str, err := parser.GetStringAnnotation(authTLSSecret, ing)
+
+	tlsauthsecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing)
 	if err != nil {
-		return nil, err
+		return &AuthSSLConfig{}, err
 	}

-	if str == "" {
-		return nil, ing_errors.NewLocationDenied("an empty string is not a valid secret name")
+	if tlsauthsecret == "" {
+		return &AuthSSLConfig{}, ing_errors.NewLocationDenied("an empty string is not a valid secret name")
 	}

-	_, _, err = k8s.ParseNameNS(str)
+	_, _, err = k8s.ParseNameNS(tlsauthsecret)
 	if err != nil {
-		return nil, ing_errors.NewLocationDenied("an empty string is not a valid secret name")
+		return &AuthSSLConfig{}, ing_errors.NewLocationDenied("an empty string is not a valid secret name")
 	}

-	authCert, err := a.certResolver.GetAuthCertificate(str)
+	tlsdepth, err := parser.GetIntAnnotation(annotationAuthTLSDepth, ing)
+	if err != nil || tlsdepth == 0 {
+		tlsdepth = defaultAuthTLSDepth
+	}
+
+	authCert, err := a.certResolver.GetAuthCertificate(tlsauthsecret)
 	if err != nil {
-		return nil, ing_errors.LocationDenied{
+		return &AuthSSLConfig{}, ing_errors.LocationDenied{
 			Reason: errors.Wrap(err, "error obtaining certificate"),
 		}
 	}

-	return authCert, nil
+	return &AuthSSLConfig{
+		AuthSSLCert:     *authCert,
+		ValidationDepth: tlsdepth,
+	}, nil
 }