Add proxy_ssl_* directives

Add support for backends which require client certificate (eg. NiFi) authentication. The `proxy-ssl-secret` k8s annotation references a secret which is used to authenticate to the backend server. All other directives fine tune the backend communication. The following annotations are supported: * proxy-ssl-secret * proxy-ssl-ciphers * proxy-ssl-protocol * proxy-ssl-verify * proxy-ssl-verify-depth
2019-07-17 02:23:32 +02:00 · 2019-07-17 02:23:32 +02:00 · def13fc06c
commit def13fc06c
parent 589c9a20f9
8 changed files with 476 additions and 0 deletions
--- a/internal/ingress/annotations/annotations.go
+++ b/internal/ingress/annotations/annotations.go
@ -20,6 +20,7 @@ import (
 	"github.com/imdario/mergo"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/canary"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/sslcipher"
 	"k8s.io/klog"

@ -87,6 +88,7 @@ type Ingress struct {
 	EnableGlobalAuth   bool
 	HTTP2PushPreload   bool
 	Proxy              proxy.Config
+	ProxySSL           proxyssl.Config
 	RateLimit          ratelimit.Config
 	Redirect           redirect.Config
 	Rewrite            rewrite.Config
@ -132,6 +134,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor {
 			"EnableGlobalAuth":     authreqglobal.NewParser(cfg),
 			"HTTP2PushPreload":     http2pushpreload.NewParser(cfg),
 			"Proxy":                proxy.NewParser(cfg),
+			"ProxySSL":             proxyssl.NewParser(cfg),
 			"RateLimit":            ratelimit.NewParser(cfg),
 			"Redirect":             redirect.NewParser(cfg),
 			"Rewrite":              rewrite.NewParser(cfg),