GCE/GKE "pre-shared" TLS cert (#291)

* add allow-named-tls annotation * works for setting tls * fix logs (mostly) * add ssl cert annotation * return an error when cert not found * use annotation if specified, otherwise use spec * add TODO on naming * use the annotation key from k8s * add unit test for HTTPS LB w/ cert annotation * refactor logic and check for error * move annotation to controller package * remove todo for function naming
2017-03-07 16:42:41 -05:00 · 2017-03-07 16:42:41 -05:00 · e1d1445370
commit e1d1445370
parent 648f899751
4 changed files with 97 additions and 8 deletions
--- a/controllers/gce/controller/controller.go
+++ b/controllers/gce/controller/controller.go
@ -427,14 +427,23 @@ func (lbc *LoadBalancerController) ListRuntimeInfo() (lbs []*loadbalancers.L7Run
 			glog.Warningf("Cannot get key for Ingress %v/%v: %v", ing.Namespace, ing.Name, err)
 			continue
 		}
-		tls, err := lbc.tlsLoader.load(&ing)
-		if err != nil {
-			glog.Warningf("Cannot get certs for Ingress %v/%v: %v", ing.Namespace, ing.Name, err)
-		}
+
+		var tls *loadbalancers.TLSCerts
+
 		annotations := ingAnnotations(ing.ObjectMeta.Annotations)
+		// Load the TLS cert from the API Spec if it is not specified in the annotation.
+		// TODO: enforce this with validation.
+		if annotations.useNamedTLS() == "" {
+			tls, err = lbc.tlsLoader.load(&ing)
+			if err != nil {
+				glog.Warningf("Cannot get certs for Ingress %v/%v: %v", ing.Namespace, ing.Name, err)
+			}
+		}
+
 		lbs = append(lbs, &loadbalancers.L7RuntimeInfo{
 			Name:         k,
 			TLS:          tls,
+			TLSName:      annotations.useNamedTLS(),
 			AllowHTTP:    annotations.allowHTTP(),
 			StaticIPName: annotations.staticIPName(),
 		})
--- a/controllers/gce/controller/utils.go
+++ b/controllers/gce/controller/utils.go
@ -52,6 +52,13 @@ const (
 	// responsibility to create/delete it.
 	staticIPNameKey = "kubernetes.io/ingress.global-static-ip-name"

+	// preSharedCertKey represents the specific pre-shared SSL
+	// certicate for the Ingress controller to use. The controller *does not*
+	// manage this certificate, it is the users responsibility to create/delete it.
+	// In GCP, the Ingress controller assigns the SSL certificate with this name
+	// to the target proxies of the Ingress.
+	preSharedCertKey = "ingress.gcp.kubernetes.io/pre-shared-cert"
+
 	// ingressClassKey picks a specific "class" for the Ingress. The controller
 	// only processes Ingresses with this annotation either unset, or set
 	// to either gceIngessClass or the empty string.
@ -79,6 +86,16 @@ func (ing ingAnnotations) allowHTTP() bool {
 	return v
 }

+// useNamedTLS returns the name of the GCE SSL certificate. Empty by default.
+func (ing ingAnnotations) useNamedTLS() string {
+	val, ok := ing[preSharedCertKey]
+	if !ok {
+		return ""
+	}
+
+	return val
+}
+
 func (ing ingAnnotations) staticIPName() string {
 	val, ok := ing[staticIPNameKey]
 	if !ok {