Update dependencies

2017-10-06 17:33:32 -03:00 · 2017-10-06 17:33:32 -03:00 · d6d374b28d
commit d6d374b28d
parent bf5616c65b
13962 changed files with 48226 additions and 3618880 deletions
--- a/pkg/ingress/annotations/secureupstream/main.go
+++ b/pkg/ingress/annotations/secureupstream/main.go
@ -0,0 +1,78 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secureupstream
+
+import (
+	"fmt"
+
+	"github.com/pkg/errors"
+	extensions "k8s.io/api/extensions/v1beta1"
+
+	"k8s.io/ingress-nginx/pkg/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/pkg/ingress/resolver"
+)
+
+const (
+	secureUpstream       = "ingress.kubernetes.io/secure-backends"
+	secureVerifyCASecret = "ingress.kubernetes.io/secure-verify-ca-secret"
+)
+
+// Secure describes SSL backend configuration
+type Secure struct {
+	Secure bool                 `json:"secure"`
+	CACert resolver.AuthSSLCert `json:"caCert"`
+}
+
+type su struct {
+	certResolver resolver.AuthCertificate
+}
+
+// NewParser creates a new secure upstream annotation parser
+func NewParser(resolver resolver.AuthCertificate) parser.IngressAnnotation {
+	return su{
+		certResolver: resolver,
+	}
+}
+
+// Parse parses the annotations contained in the ingress
+// rule used to indicate if the upstream servers should use SSL
+func (a su) Parse(ing *extensions.Ingress) (interface{}, error) {
+	s, _ := parser.GetBoolAnnotation(secureUpstream, ing)
+	ca, _ := parser.GetStringAnnotation(secureVerifyCASecret, ing)
+	secure := &Secure{
+		Secure: s,
+		CACert: resolver.AuthSSLCert{},
+	}
+	if !s && ca != "" {
+		return secure,
+			errors.Errorf("trying to use CA from secret %v/%v on a non secure backend", ing.Namespace, ca)
+	}
+	if ca == "" {
+		return secure, nil
+	}
+	caCert, err := a.certResolver.GetAuthCertificate(fmt.Sprintf("%v/%v", ing.Namespace, ca))
+	if err != nil {
+		return secure, errors.Wrap(err, "error obtaining certificate")
+	}
+	if caCert == nil {
+		return secure, nil
+	}
+	return &Secure{
+		Secure: s,
+		CACert: *caCert,
+	}, nil
+}
--- a/pkg/ingress/annotations/secureupstream/main_test.go
+++ b/pkg/ingress/annotations/secureupstream/main_test.go
@ -0,0 +1,121 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secureupstream
+
+import (
+	"testing"
+
+	api "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/ingress-nginx/pkg/ingress/resolver"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: meta_v1.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+type mockCfg struct {
+	certs map[string]resolver.AuthSSLCert
+}
+
+func (cfg mockCfg) GetAuthCertificate(secret string) (*resolver.AuthSSLCert, error) {
+	if cert, ok := cfg.certs[secret]; ok {
+		return &cert, nil
+	}
+	return nil, fmt.Errorf("secret not found: %v", secret)
+}
+
+func TestAnnotations(t *testing.T) {
+	ing := buildIngress()
+	data := map[string]string{}
+	data[secureUpstream] = "true"
+	data[secureVerifyCASecret] = "secure-verify-ca"
+	ing.SetAnnotations(data)
+
+	_, err := NewParser(mockCfg{
+		certs: map[string]resolver.AuthSSLCert{
+			"default/secure-verify-ca": {},
+		},
+	}).Parse(ing)
+	if err != nil {
+		t.Errorf("Unexpected error on ingress: %v", err)
+	}
+}
+
+func TestSecretNotFound(t *testing.T) {
+	ing := buildIngress()
+	data := map[string]string{}
+	data[secureUpstream] = "true"
+	data[secureVerifyCASecret] = "secure-verify-ca"
+	ing.SetAnnotations(data)
+	_, err := NewParser(mockCfg{}).Parse(ing)
+	if err == nil {
+		t.Error("Expected secret not found error on ingress")
+	}
+}
+
+func TestSecretOnNonSecure(t *testing.T) {
+	ing := buildIngress()
+	data := map[string]string{}
+	data[secureUpstream] = "false"
+	data[secureVerifyCASecret] = "secure-verify-ca"
+	ing.SetAnnotations(data)
+	_, err := NewParser(mockCfg{
+		certs: map[string]resolver.AuthSSLCert{
+			"default/secure-verify-ca": {},
+		},
+	}).Parse(ing)
+	if err == nil {
+		t.Error("Expected CA secret on non secure backend error on ingress")
+	}
+}