DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add proxy-ssl-server-name to enable passing SNI

Browse source
This commit is contained in:
Zhongcheng Lao 2020-05-30 23:35:20 +08:00
parent baa2b2cd33
commit c0629e92c2
No known key found for this signature in database
GPG key ID: 3B0C92A7E58EF413
5 changed files with 52 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

24
test/e2e/annotations/proxyssl.go
View file

@ -45,7 +45,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
assertProxySSL(f, host, "DEFAULT", "TLSv1 TLSv1.1 TLSv1.2", "off", 1)
assertProxySSL(f, host, "DEFAULT", "TLSv1 TLSv1.1 TLSv1.2", "off", 1, "on")
f.HTTPTestClient().
GET("/").
@ -61,12 +61,13 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
Status(http.StatusOK)
})
ginkgo.It("should set valid proxy-ssl-secret, proxy-ssl-verify to on, and proxy-ssl-verify-depth to 2", func() {
ginkgo.It("should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on", func() {
host := "proxyssl.foo.com"
annotations := make(map[string]string)
annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + host
annotations["nginx.ingress.kubernetes.io/proxy-ssl-verify"] = "on"
annotations["nginx.ingress.kubernetes.io/proxy-ssl-verify-depth"] = "2"
annotations["nginx.ingress.kubernetes.io/proxy-ssl-server-name"] = "on"
tlsConfig, err := framework.CreateIngressMASecret(f.KubeClientSet, host, host, f.Namespace)
assert.Nil(ginkgo.GinkgoT(), err)
@ -74,7 +75,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
assertProxySSL(f, host, "DEFAULT", "TLSv1 TLSv1.1 TLSv1.2", "on", 2)
assertProxySSL(f, host, "DEFAULT", "TLSv1 TLSv1.1 TLSv1.2", "on", 2, "on")
f.HTTPTestClient().
GET("/").
@ -102,7 +103,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
assertProxySSL(f, host, "HIGH:!AES", "TLSv1 TLSv1.1 TLSv1.2", "off", 1)
assertProxySSL(f, host, "HIGH:!AES", "TLSv1 TLSv1.1 TLSv1.2", "off", 1, "off")
f.HTTPTestClient().
GET("/").
@ -130,7 +131,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
assertProxySSL(f, host, "DEFAULT", "TLSv1.2 TLSv1.3", "off", 1)
assertProxySSL(f, host, "DEFAULT", "TLSv1.2 TLSv1.3", "off", 1, "off")
f.HTTPTestClient().
GET("/").
@ -156,6 +157,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + secretName
annotations["nginx.ingress.kubernetes.io/backend-protocol"] = "HTTPS"
annotations["nginx.ingress.kubernetes.io/proxy-ssl-verify"] = "on"
annotations["nginx.ingress.kubernetes.io/proxy-ssl-server-name"] = "on"
tlsConfig, err := framework.CreateIngressMASecret(f.KubeClientSet, host, secretName, f.Namespace)
assert.Nil(ginkgo.GinkgoT(), err)
@ -167,7 +169,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
wlValue := "true"
f.UpdateNginxConfigMapData(wlKey, wlValue)
assertProxySSLName(f, host, secretName, "DEFAULT", "TLSv1 TLSv1.1 TLSv1.2", "on", 1)
assertProxySSLName(f, host, secretName, "DEFAULT", "TLSv1 TLSv1.1 TLSv1.2", "on", 1, "on")
f.WaitForNginxCustomConfiguration("## start server proxyssl.com", "location ", func(server string) bool {
return (!strings.Contains(server, "proxy_ssl_trusted_certificate") &&
@ -196,7 +198,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() {
})
func assertProxySSL(f *framework.Framework, host, ciphers, protocols, verify string, depth int) {
func assertProxySSL(f *framework.Framework, host, ciphers, protocols, verify string, depth int, proxySSLServerName string) {
certFile := fmt.Sprintf("/etc/ingress-controller/ssl/%s-%s.pem", f.Namespace, host)
f.WaitForNginxServer(host,
func(server string) bool {
@ -206,11 +208,12 @@ func assertProxySSL(f *framework.Framework, host, ciphers, protocols, verify str
strings.Contains(server, fmt.Sprintf("proxy_ssl_ciphers %s;", ciphers)) &&
strings.Contains(server, fmt.Sprintf("proxy_ssl_protocols %s;", protocols)) &&
strings.Contains(server, fmt.Sprintf("proxy_ssl_verify %s;", verify)) &&
strings.Contains(server, fmt.Sprintf("proxy_ssl_verify_depth %d;", depth))
strings.Contains(server, fmt.Sprintf("proxy_ssl_verify_depth %d;", depth)) &&
strings.Contains(server, fmt.Sprintf("proxy_ssl_server_name %s;", proxySSLServerName))
})
}
func assertProxySSLName(f *framework.Framework, host, sslName, ciphers, protocols, verify string, depth int) {
func assertProxySSLName(f *framework.Framework, host, sslName, ciphers, protocols, verify string, depth int, proxySSLServerName string) {
certFile := fmt.Sprintf("/etc/ingress-controller/ssl/%s-%s.pem", f.Namespace, sslName)
f.WaitForNginxServer(host,
func(server string) bool {
@ -220,6 +223,7 @@ func assertProxySSLName(f *framework.Framework, host, sslName, ciphers, protocol
strings.Contains(server, fmt.Sprintf("proxy_ssl_ciphers %s;", ciphers)) &&
strings.Contains(server, fmt.Sprintf("proxy_ssl_protocols %s;", protocols)) &&
strings.Contains(server, fmt.Sprintf("proxy_ssl_verify %s;", verify)) &&
strings.Contains(server, fmt.Sprintf("proxy_ssl_verify_depth %d;", depth))
strings.Contains(server, fmt.Sprintf("proxy_ssl_verify_depth %d;", depth)) &&
strings.Contains(server, fmt.Sprintf("proxy_ssl_server_name %s;", proxySSLServerName))
})
}