Split implementations from generic code

2016-11-10 19:56:29 -03:00 · 2016-11-10 19:56:29 -03:00 · ed9a416b01
commit ed9a416b01
parent d1e8a629ca
107 changed files with 5777 additions and 3546 deletions
--- a/core/pkg/ingress/annotations/auth/main.go
+++ b/core/pkg/ingress/annotations/auth/main.go
@ -0,0 +1,122 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"regexp"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+const (
+	authType   = "ingress.kubernetes.io/auth-type"
+	authSecret = "ingress.kubernetes.io/auth-secret"
+	authRealm  = "ingress.kubernetes.io/auth-realm"
+
+	// DefAuthDirectory default directory used to store files
+	// to authenticate request
+	DefAuthDirectory = "/etc/ingress-controller/auth"
+)
+
+func init() {
+	// TODO: check permissions required
+	os.MkdirAll(DefAuthDirectory, 0655)
+}
+
+var (
+	authTypeRegex = regexp.MustCompile(`basic|digest`)
+
+	// ErrInvalidAuthType is return in case of unsupported authentication type
+	ErrInvalidAuthType = errors.New("invalid authentication type")
+
+	// ErrMissingSecretName is returned when the name of the secret is missing
+	ErrMissingSecretName = errors.New("secret name is missing")
+
+	// ErrMissingAuthInSecret is returned when there is no auth key in secret data
+	ErrMissingAuthInSecret = errors.New("the secret does not contains the auth key")
+)
+
+// BasicDigest returns authentication configuration for an Ingress rule
+type BasicDigest struct {
+	Type    string
+	Realm   string
+	File    string
+	Secured bool
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to add authentication in the paths defined in the rule
+// and generated an htpasswd compatible file to be used as source
+// during the authentication process
+func ParseAnnotations(ing *extensions.Ingress, authDir string, fn func(string) (*api.Secret, error)) (*BasicDigest, error) {
+	if ing.GetAnnotations() == nil {
+		return &BasicDigest{}, parser.ErrMissingAnnotations
+	}
+
+	at, err := parser.GetStringAnnotation(authType, ing)
+	if err != nil {
+		return &BasicDigest{}, err
+	}
+
+	if !authTypeRegex.MatchString(at) {
+		return &BasicDigest{}, ErrInvalidAuthType
+	}
+
+	s, err := parser.GetStringAnnotation(authSecret, ing)
+	if err != nil {
+		return &BasicDigest{}, err
+	}
+
+	secret, err := fn(fmt.Sprintf("%v/%v", ing.Namespace, s))
+	if err != nil {
+		return &BasicDigest{}, err
+	}
+
+	realm, _ := parser.GetStringAnnotation(authRealm, ing)
+
+	passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName())
+	err = dumpSecret(passFile, secret)
+	if err != nil {
+		return &BasicDigest{}, err
+	}
+
+	return &BasicDigest{
+		Type:    at,
+		Realm:   realm,
+		File:    passFile,
+		Secured: true,
+	}, nil
+}
+
+// dumpSecret dumps the content of a secret into a file
+// in the expected format for the specified authorization
+func dumpSecret(filename string, secret *api.Secret) error {
+	val, ok := secret.Data["auth"]
+	if !ok {
+		return ErrMissingAuthInSecret
+	}
+
+	// TODO: check permissions required
+	return ioutil.WriteFile(filename, val, 0777)
+}
--- a/core/pkg/ingress/annotations/auth/main_test.go
+++ b/core/pkg/ingress/annotations/auth/main_test.go
@ -0,0 +1,143 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"testing"
+	"time"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func mockSecret(name string) (*api.Secret, error) {
+	return &api.Secret{
+		ObjectMeta: api.ObjectMeta{
+			Namespace: api.NamespaceDefault,
+			Name:      "demo-secret",
+		},
+		Data: map[string][]byte{"auth": []byte("foo:$apr1$OFG3Xybp$ckL0FHDAkoXYIlH9.cysT0")},
+	}, nil
+}
+func TestIngressWithoutAuth(t *testing.T) {
+	ing := buildIngress()
+	_, err := ParseAnnotations(ing, "", mockSecret)
+	if err == nil {
+		t.Error("Expected error with ingress without annotations")
+	}
+}
+
+func TestIngressAuth(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[authType] = "basic"
+	data[authSecret] = "demo-secret"
+	data[authRealm] = "-realm-"
+	ing.SetAnnotations(data)
+
+	_, dir, _ := dummySecretContent(t)
+	defer os.RemoveAll(dir)
+
+	auth, err := ParseAnnotations(ing, dir, mockSecret)
+	if err != nil {
+		t.Errorf("Uxpected error with ingress: %v", err)
+	}
+
+	if auth.Type != "basic" {
+		t.Errorf("Expected basic as auth type but returned %s", auth.Type)
+	}
+	if auth.Realm != "-realm-" {
+		t.Errorf("Expected -realm- as realm but returned %s", auth.Realm)
+	}
+	if !auth.Secured {
+		t.Errorf("Expected true as secured but returned %v", auth.Secured)
+	}
+}
+
+func dummySecretContent(t *testing.T) (string, string, *api.Secret) {
+	dir, err := ioutil.TempDir("", fmt.Sprintf("%v", time.Now().Unix()))
+	if err != nil {
+		t.Error(err)
+	}
+
+	tmpfile, err := ioutil.TempFile("", "example-")
+	if err != nil {
+		t.Error(err)
+	}
+	defer tmpfile.Close()
+	s, _ := mockSecret("demo")
+	return tmpfile.Name(), dir, s
+}
+
+func TestDumpSecret(t *testing.T) {
+	tmpfile, dir, s := dummySecretContent(t)
+	defer os.RemoveAll(dir)
+
+	sd := s.Data
+	s.Data = nil
+
+	err := dumpSecret(tmpfile, s)
+	if err == nil {
+		t.Errorf("Expected error with secret without auth")
+	}
+
+	s.Data = sd
+	err = dumpSecret(tmpfile, s)
+	if err != nil {
+		t.Errorf("Unexpected error creating htpasswd file %v: %v", tmpfile, err)
+	}
+}
--- a/core/pkg/ingress/annotations/authreq/main.go
+++ b/core/pkg/ingress/annotations/authreq/main.go
@ -0,0 +1,101 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authreq
+
+import (
+	"fmt"
+	"net/url"
+	"strings"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+const (
+	// external URL that provides the authentication
+	authURL    = "ingress.kubernetes.io/auth-url"
+	authMethod = "ingress.kubernetes.io/auth-method"
+	authBody   = "ingress.kubernetes.io/auth-send-body"
+)
+
+// External returns external authentication configuration for an Ingress rule
+type External struct {
+	URL      string
+	Method   string
+	SendBody bool
+}
+
+var (
+	methods = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "CONNECT", "OPTIONS", "TRACE"}
+)
+
+func validMethod(method string) bool {
+	if len(method) == 0 {
+		return false
+	}
+
+	for _, m := range methods {
+		if method == m {
+			return true
+		}
+	}
+	return false
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to use an external URL as source for authentication
+func ParseAnnotations(ing *extensions.Ingress) (External, error) {
+	if ing.GetAnnotations() == nil {
+		return External{}, parser.ErrMissingAnnotations
+	}
+
+	str, err := parser.GetStringAnnotation(authURL, ing)
+	if err != nil {
+		return External{}, err
+	}
+	if str == "" {
+		return External{}, fmt.Errorf("an empty string is not a valid URL")
+	}
+
+	ur, err := url.Parse(str)
+	if err != nil {
+		return External{}, err
+	}
+	if ur.Scheme == "" {
+		return External{}, fmt.Errorf("url scheme is empty")
+	}
+	if ur.Host == "" {
+		return External{}, fmt.Errorf("url host is empty")
+	}
+
+	if strings.Contains(ur.Host, "..") {
+		return External{}, fmt.Errorf("invalid url host")
+	}
+
+	m, _ := parser.GetStringAnnotation(authMethod, ing)
+	if len(m) != 0 && !validMethod(m) {
+		return External{}, fmt.Errorf("invalid HTTP method")
+	}
+
+	sb, _ := parser.GetBoolAnnotation(authBody, ing)
+
+	return External{
+		URL:      str,
+		Method:   m,
+		SendBody: sb,
+	}, nil
+}
--- a/core/pkg/ingress/annotations/authreq/main_test.go
+++ b/core/pkg/ingress/annotations/authreq/main_test.go
@ -0,0 +1,109 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authreq
+
+import (
+	"fmt"
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestAnnotations(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	ing.SetAnnotations(data)
+
+	tests := []struct {
+		title    string
+		url      string
+		method   string
+		sendBody bool
+		expErr   bool
+	}{
+		{"empty", "", "", false, true},
+		{"no scheme", "bar", "", false, true},
+		{"invalid host", "http://", "", false, true},
+		{"invalid host (multiple dots)", "http://foo..bar.com", "", false, true},
+		{"valid URL", "http://bar.foo.com/external-auth", "", false, false},
+		{"valid URL - send body", "http://foo.com/external-auth", "POST", true, false},
+		{"valid URL - send body", "http://foo.com/external-auth", "GET", true, false},
+	}
+
+	for _, test := range tests {
+		data[authURL] = test.url
+		data[authBody] = fmt.Sprintf("%v", test.sendBody)
+		data[authMethod] = fmt.Sprintf("%v", test.method)
+
+		u, err := ParseAnnotations(ing)
+
+		if test.expErr {
+			if err == nil {
+				t.Errorf("%v: expected error but retuned nil", test.title)
+			}
+			continue
+		}
+
+		if u.URL != test.url {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL)
+		}
+		if u.Method != test.method {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
+		}
+		if u.SendBody != test.sendBody {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.sendBody, u.SendBody)
+		}
+	}
+}
--- a/core/pkg/ingress/annotations/authtls/main.go
+++ b/core/pkg/ingress/annotations/authtls/main.go
@ -0,0 +1,65 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authtls
+
+import (
+	"fmt"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	"k8s.io/ingress/core/pkg/k8s"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+const (
+	// name of the secret
+	authTLSSecret = "ingress.kubernetes.io/auth-tls-secret"
+)
+
+// SSLCert returns external authentication configuration for an Ingress rule
+type SSLCert struct {
+	Secret       string
+	CertFileName string
+	KeyFileName  string
+	CAFileName   string
+	PemSHA       string
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to use an external URL as source for authentication
+func ParseAnnotations(ing *extensions.Ingress,
+	fn func(secret string) (*SSLCert, error)) (*SSLCert, error) {
+	if ing.GetAnnotations() == nil {
+		return &SSLCert{}, parser.ErrMissingAnnotations
+	}
+
+	str, err := parser.GetStringAnnotation(authTLSSecret, ing)
+	if err != nil {
+		return &SSLCert{}, err
+	}
+
+	if str == "" {
+		return &SSLCert{}, fmt.Errorf("an empty string is not a valid secret name")
+	}
+
+	_, _, err = k8s.ParseNameNS(str)
+	if err != nil {
+		return &SSLCert{}, err
+	}
+
+	return fn(str)
+}
--- a/core/pkg/ingress/annotations/authtls/main_test.go
+++ b/core/pkg/ingress/annotations/authtls/main_test.go
@ -0,0 +1,107 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authtls
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestAnnotations(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	ing.SetAnnotations(data)
+	/*
+		tests := []struct {
+			title    string
+			url      string
+			method   string
+			sendBody bool
+			expErr   bool
+		}{
+			{"empty", "", "", false, true},
+			{"no scheme", "bar", "", false, true},
+			{"invalid host", "http://", "", false, true},
+			{"invalid host (multiple dots)", "http://foo..bar.com", "", false, true},
+			{"valid URL", "http://bar.foo.com/external-auth", "", false, false},
+			{"valid URL - send body", "http://foo.com/external-auth", "POST", true, false},
+			{"valid URL - send body", "http://foo.com/external-auth", "GET", true, false},
+		}
+
+		for _, test := range tests {
+			data[authTLSSecret] = ""
+			test.title
+
+				u, err := ParseAnnotations(ing)
+
+				if test.expErr {
+					if err == nil {
+						t.Errorf("%v: expected error but retuned nil", test.title)
+					}
+					continue
+				}
+
+				if u.URL != test.url {
+					t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL)
+				}
+				if u.Method != test.method {
+					t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
+				}
+				if u.SendBody != test.sendBody {
+					t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.sendBody, u.SendBody)
+				}
+		}*/
+}
--- a/core/pkg/ingress/annotations/cors/main.go
+++ b/core/pkg/ingress/annotations/cors/main.go
@ -0,0 +1,33 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cors
+
+import (
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+const (
+	cors = "ingress.kubernetes.io/enable-cors"
+)
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to indicate if the location/s should allows CORS
+func ParseAnnotations(ing *extensions.Ingress) (bool, error) {
+	return parser.GetBoolAnnotation(cors, ing)
+}
--- a/core/pkg/ingress/annotations/healthcheck/main.go
+++ b/core/pkg/ingress/annotations/healthcheck/main.go
@ -0,0 +1,56 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package healthcheck
+
+import (
+	"k8s.io/kubernetes/pkg/apis/extensions"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+)
+
+const (
+	upsMaxFails    = "ingress.kubernetes.io/upstream-max-fails"
+	upsFailTimeout = "ingress.kubernetes.io/upstream-fail-timeout"
+)
+
+// Upstream returns the URL and method to use check the status of
+// the upstream server/s
+type Upstream struct {
+	MaxFails    int
+	FailTimeout int
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to configure upstream check parameters
+func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) *Upstream {
+	if ing.GetAnnotations() == nil {
+		return &Upstream{cfg.UpstreamMaxFails, cfg.UpstreamFailTimeout}
+	}
+
+	mf, err := parser.GetIntAnnotation(upsMaxFails, ing)
+	if err != nil {
+		mf = cfg.UpstreamMaxFails
+	}
+
+	ft, err := parser.GetIntAnnotation(upsFailTimeout, ing)
+	if err != nil {
+		ft = cfg.UpstreamFailTimeout
+	}
+
+	return &Upstream{mf, ft}
+}
--- a/core/pkg/ingress/annotations/healthcheck/main_test.go
+++ b/core/pkg/ingress/annotations/healthcheck/main_test.go
@ -0,0 +1,82 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package healthcheck
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestIngressHealthCheck(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[upsMaxFails] = "2"
+	ing.SetAnnotations(data)
+
+	cfg := defaults.Backend{UpstreamFailTimeout: 1}
+
+	nginxHz := ParseAnnotations(cfg, ing)
+
+	if nginxHz.MaxFails != 2 {
+		t.Errorf("Expected 2 as max-fails but returned %v", nginxHz.MaxFails)
+	}
+
+	if nginxHz.FailTimeout != 1 {
+		t.Errorf("Expected 0 as fail-timeout but returned %v", nginxHz.FailTimeout)
+	}
+}
--- a/core/pkg/ingress/annotations/ipwhitelist/main.go
+++ b/core/pkg/ingress/annotations/ipwhitelist/main.go
@ -0,0 +1,72 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ipwhitelist
+
+import (
+	"errors"
+	"strings"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/net/sets"
+)
+
+const (
+	whitelist = "ingress.kubernetes.io/whitelist-source-range"
+)
+
+var (
+	// ErrInvalidCIDR returned error when the whitelist annotation does not
+	// contains a valid IP or network address
+	ErrInvalidCIDR = errors.New("the annotation does not contains a valid IP address or network")
+)
+
+// SourceRange returns the CIDR
+type SourceRange struct {
+	CIDR []string
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to limit access to certain client addresses or networks.
+// Multiple ranges can specified using commas as separator
+// e.g. `18.0.0.0/8,56.0.0.0/8`
+func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*SourceRange, error) {
+	cidrs := []string{}
+
+	if ing.GetAnnotations() == nil {
+		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, parser.ErrMissingAnnotations
+	}
+
+	val, err := parser.GetStringAnnotation(whitelist, ing)
+	if err != nil {
+		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, err
+	}
+
+	values := strings.Split(val, ",")
+	ipnets, err := sets.ParseIPNets(values...)
+	if err != nil {
+		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, ErrInvalidCIDR
+	}
+
+	for k := range ipnets {
+		cidrs = append(cidrs, k)
+	}
+
+	return &SourceRange{cidrs}, nil
+}
--- a/core/pkg/ingress/annotations/ipwhitelist/main_test.go
+++ b/core/pkg/ingress/annotations/ipwhitelist/main_test.go
@ -0,0 +1,109 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ipwhitelist
+
+import (
+	"reflect"
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestParseAnnotations(t *testing.T) {
+	ing := buildIngress()
+
+	testNet := "10.0.0.0/24"
+	enet := []string{testNet}
+
+	data := map[string]string{}
+	data[whitelist] = testNet
+	ing.SetAnnotations(data)
+
+	expected := &SourceRange{
+		CIDR: enet,
+	}
+
+	sr, err := ParseAnnotations(defaults.Backend{}, ing)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+
+	if !reflect.DeepEqual(sr, expected) {
+		t.Errorf("Expected %v but returned %s", sr, expected)
+	}
+
+	data[whitelist] = "www"
+	ing.SetAnnotations(data)
+	_, err = ParseAnnotations(defaults.Backend{}, ing)
+	if err == nil {
+		t.Errorf("Expected error parsing an invalid cidr")
+	}
+
+	delete(data, "whitelist")
+	ing.SetAnnotations(data)
+	//sr, _ = ParseAnnotations(defaults.Backend{}, ing)
+	// TODO: fix test
+	/*
+		if !reflect.DeepEqual(sr.CIDR, []string{}) {
+			t.Errorf("Expected empty CIDR but %v returned", sr.CIDR)
+		}
+
+		sr, _ = ParseAnnotations(defaults.Upstream{}, &extensions.Ingress{})
+		if !reflect.DeepEqual(sr.CIDR, []string{}) {
+			t.Errorf("Expected empty CIDR but %v returned", sr.CIDR)
+		}
+	*/
+}
--- a/core/pkg/ingress/annotations/parser/main.go
+++ b/core/pkg/ingress/annotations/parser/main.go
@ -0,0 +1,102 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package parser
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+var (
+	// ErrMissingAnnotations is returned when the ingress rule
+	// does not contains annotations related with rate limit
+	ErrMissingAnnotations = errors.New("Ingress rule without annotations")
+
+	// ErrInvalidName ...
+	ErrInvalidName = errors.New("invalid annotation name")
+)
+
+type ingAnnotations map[string]string
+
+func (a ingAnnotations) parseBool(name string) (bool, error) {
+	val, ok := a[name]
+	if ok {
+		if b, err := strconv.ParseBool(val); err == nil {
+			return b, nil
+		}
+	}
+	return false, ErrMissingAnnotations
+}
+
+func (a ingAnnotations) parseString(name string) (string, error) {
+	val, ok := a[name]
+	if ok {
+		return val, nil
+	}
+	return "", ErrMissingAnnotations
+}
+
+func (a ingAnnotations) parseInt(name string) (int, error) {
+	val, ok := a[name]
+	if ok {
+		i, err := strconv.Atoi(val)
+		if err != nil {
+			return 0, fmt.Errorf("invalid annotations value: %v", err)
+		}
+		return i, nil
+	}
+	return 0, ErrMissingAnnotations
+}
+
+// GetBoolAnnotation ...
+func GetBoolAnnotation(name string, ing *extensions.Ingress) (bool, error) {
+	if ing == nil || ing.GetAnnotations() == nil {
+		return false, ErrMissingAnnotations
+	}
+	if name == "" {
+		return false, ErrInvalidName
+	}
+
+	return ingAnnotations(ing.GetAnnotations()).parseBool(name)
+}
+
+// GetStringAnnotation ...
+func GetStringAnnotation(name string, ing *extensions.Ingress) (string, error) {
+	if ing == nil || ing.GetAnnotations() == nil {
+		return "", ErrMissingAnnotations
+	}
+	if name == "" {
+		return "", ErrInvalidName
+	}
+
+	return ingAnnotations(ing.GetAnnotations()).parseString(name)
+}
+
+// GetIntAnnotation ...
+func GetIntAnnotation(name string, ing *extensions.Ingress) (int, error) {
+	if ing == nil || ing.GetAnnotations() == nil {
+		return 0, ErrMissingAnnotations
+	}
+	if name == "" {
+		return 0, ErrInvalidName
+	}
+
+	return ingAnnotations(ing.GetAnnotations()).parseInt(name)
+}
--- a/core/pkg/ingress/annotations/parser/main_test.go
+++ b/core/pkg/ingress/annotations/parser/main_test.go
@ -0,0 +1,154 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package parser
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+func buildIngress() *extensions.Ingress {
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{},
+	}
+}
+
+func TestGetBoolAnnotation(t *testing.T) {
+	ing := buildIngress()
+
+	_, err := GetBoolAnnotation("", nil)
+	if err == nil {
+		t.Errorf("expected error but retuned nil")
+	}
+
+	tests := []struct {
+		name   string
+		field  string
+		value  string
+		exp    bool
+		expErr bool
+	}{
+		{"empty - false", "", "false", false, true},
+		{"empty - true", "", "true", false, true},
+		{"valid - false", "bool", "false", false, false},
+		{"valid - true", "bool", "true", true, false},
+	}
+
+	data := map[string]string{}
+	ing.SetAnnotations(data)
+
+	for _, test := range tests {
+		data[test.field] = test.value
+
+		u, err := GetBoolAnnotation(test.field, ing)
+		if test.expErr {
+			if err == nil {
+				t.Errorf("%v: expected error but retuned nil", test.name)
+			}
+			continue
+		}
+		if u != test.exp {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.name, test.exp, u)
+		}
+	}
+}
+
+func TestGetStringAnnotation(t *testing.T) {
+	ing := buildIngress()
+
+	_, err := GetStringAnnotation("", nil)
+	if err == nil {
+		t.Errorf("expected error but retuned nil")
+	}
+
+	tests := []struct {
+		name   string
+		field  string
+		value  string
+		exp    string
+		expErr bool
+	}{
+		{"empty - A", "", "A", "", true},
+		{"empty - B", "", "B", "", true},
+		{"valid - A", "string", "A", "A", false},
+		{"valid - B", "string", "B", "B", false},
+	}
+
+	data := map[string]string{}
+	ing.SetAnnotations(data)
+
+	for _, test := range tests {
+		data[test.field] = test.value
+
+		s, err := GetStringAnnotation(test.field, ing)
+		if test.expErr {
+			if err == nil {
+				t.Errorf("%v: expected error but retuned nil", test.name)
+			}
+			continue
+		}
+		if s != test.exp {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.name, test.exp, s)
+		}
+	}
+}
+
+func TestGetIntAnnotation(t *testing.T) {
+	ing := buildIngress()
+
+	_, err := GetIntAnnotation("", nil)
+	if err == nil {
+		t.Errorf("expected error but retuned nil")
+	}
+
+	tests := []struct {
+		name   string
+		field  string
+		value  string
+		exp    int
+		expErr bool
+	}{
+		{"empty - A", "", "1", 0, true},
+		{"empty - B", "", "2", 0, true},
+		{"valid - A", "string", "1", 1, false},
+		{"valid - B", "string", "2", 2, false},
+	}
+
+	data := map[string]string{}
+	ing.SetAnnotations(data)
+
+	for _, test := range tests {
+		data[test.field] = test.value
+
+		s, err := GetIntAnnotation(test.field, ing)
+		if test.expErr {
+			if err == nil {
+				t.Errorf("%v: expected error but retuned nil", test.name)
+			}
+			continue
+		}
+		if s != test.exp {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.name, test.exp, s)
+		}
+	}
+}
--- a/core/pkg/ingress/annotations/proxy/main.go
+++ b/core/pkg/ingress/annotations/proxy/main.go
@ -0,0 +1,74 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package proxy
+
+import (
+	"k8s.io/kubernetes/pkg/apis/extensions"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+)
+
+const (
+	connect    = "ingress.kubernetes.io/proxy-connect-timeout"
+	send       = "ingress.kubernetes.io/proxy-send-timeout"
+	read       = "ingress.kubernetes.io/proxy-read-timeout"
+	bufferSize = "ingress.kubernetes.io/proxy-buffer-size"
+)
+
+// Configuration returns the proxy timeout to use in the upstream server/s
+type Configuration struct {
+	ConnectTimeout int
+	SendTimeout    int
+	ReadTimeout    int
+	BufferSize     string
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to configure upstream check parameters
+func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) *Configuration {
+	if ing == nil || ing.GetAnnotations() == nil {
+		return &Configuration{
+			cfg.ProxyConnectTimeout,
+			cfg.ProxySendTimeout,
+			cfg.ProxyReadTimeout,
+			cfg.ProxyBufferSize,
+		}
+	}
+
+	ct, err := parser.GetIntAnnotation(connect, ing)
+	if err != nil {
+		ct = cfg.ProxyConnectTimeout
+	}
+
+	st, err := parser.GetIntAnnotation(send, ing)
+	if err != nil {
+		st = cfg.ProxySendTimeout
+	}
+
+	rt, err := parser.GetIntAnnotation(read, ing)
+	if err != nil {
+		rt = cfg.ProxyReadTimeout
+	}
+
+	bs, err := parser.GetStringAnnotation(bufferSize, ing)
+	if err != nil || bs == "" {
+		bs = cfg.ProxyBufferSize
+	}
+
+	return &Configuration{ct, st, rt, bs}
+}
--- a/core/pkg/ingress/annotations/proxy/main_test.go
+++ b/core/pkg/ingress/annotations/proxy/main_test.go
@ -0,0 +1,90 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package proxy
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestIngressHealthCheck(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[connect] = "1"
+	data[send] = "2"
+	data[read] = "3"
+	data[bufferSize] = "1k"
+	ing.SetAnnotations(data)
+
+	cfg := defaults.Backend{UpstreamFailTimeout: 1}
+
+	p := ParseAnnotations(cfg, ing)
+
+	if p.ConnectTimeout != 1 {
+		t.Errorf("Expected 1 as connect-timeout but returned %v", p.ConnectTimeout)
+	}
+	if p.SendTimeout != 2 {
+		t.Errorf("Expected 2 as send-timeout but returned %v", p.SendTimeout)
+	}
+	if p.ReadTimeout != 3 {
+		t.Errorf("Expected 3 as read-timeout but returned %v", p.ReadTimeout)
+	}
+	if p.BufferSize != "1k" {
+		t.Errorf("Expected 1k as buffer-size but returned %v", p.BufferSize)
+	}
+}
--- a/core/pkg/ingress/annotations/ratelimit/main.go
+++ b/core/pkg/ingress/annotations/ratelimit/main.go
@ -0,0 +1,99 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ratelimit
+
+import (
+	"errors"
+	"fmt"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+const (
+	limitIP  = "ingress.kubernetes.io/limit-connections"
+	limitRPS = "ingress.kubernetes.io/limit-rps"
+
+	// allow 5 times the specified limit as burst
+	defBurst = 5
+
+	// 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states
+	// default is 5MB
+	defSharedSize = 5
+)
+
+var (
+	// ErrInvalidRateLimit is returned when the annotation caontains invalid values
+	ErrInvalidRateLimit = errors.New("invalid rate limit value. Must be > 0")
+)
+
+// RateLimit returns rate limit configuration for an Ingress rule
+// Is possible to limit the number of connections per IP address or
+// connections per second.
+// Note: Is possible to specify both limits
+type RateLimit struct {
+	// Connections indicates a limit with the number of connections per IP address
+	Connections Zone
+	// RPS indicates a limit with the number of connections per second
+	RPS Zone
+}
+
+// Zone returns information about the NGINX rate limit (limit_req_zone)
+// http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone
+type Zone struct {
+	Name  string
+	Limit int
+	Burst int
+	// SharedSize amount of shared memory for the zone
+	SharedSize int
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to rewrite the defined paths
+func ParseAnnotations(ing *extensions.Ingress) (*RateLimit, error) {
+	if ing.GetAnnotations() == nil {
+		return &RateLimit{}, parser.ErrMissingAnnotations
+	}
+
+	rps, _ := parser.GetIntAnnotation(limitRPS, ing)
+	conn, _ := parser.GetIntAnnotation(limitIP, ing)
+
+	if rps == 0 && conn == 0 {
+		return &RateLimit{
+			Connections: Zone{},
+			RPS:         Zone{},
+		}, ErrInvalidRateLimit
+	}
+
+	zoneName := fmt.Sprintf("%v_%v", ing.GetNamespace(), ing.GetName())
+
+	return &RateLimit{
+		Connections: Zone{
+			Name:       fmt.Sprintf("%v_conn", zoneName),
+			Limit:      conn,
+			Burst:      conn * defBurst,
+			SharedSize: defSharedSize,
+		},
+		RPS: Zone{
+			Name:       fmt.Sprintf("%v_rps", zoneName),
+			Limit:      rps,
+			Burst:      conn * defBurst,
+			SharedSize: defSharedSize,
+		},
+	}, nil
+}
--- a/core/pkg/ingress/annotations/ratelimit/main_test.go
+++ b/core/pkg/ingress/annotations/ratelimit/main_test.go
@ -0,0 +1,100 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ratelimit
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestWithoutAnnotations(t *testing.T) {
+	ing := buildIngress()
+	_, err := ParseAnnotations(ing)
+	if err == nil {
+		t.Error("Expected error with ingress without annotations")
+	}
+}
+
+func TestBadRateLimiting(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[limitIP] = "0"
+	data[limitRPS] = "0"
+	ing.SetAnnotations(data)
+
+	_, err := ParseAnnotations(ing)
+	if err == nil {
+		t.Errorf("Expected error with invalid limits (0)")
+	}
+
+	data = map[string]string{}
+	data[limitIP] = "5"
+	data[limitRPS] = "100"
+	ing.SetAnnotations(data)
+
+	rateLimit, err := ParseAnnotations(ing)
+	if err != nil {
+		t.Errorf("Uxpected error: %v", err)
+	}
+
+	if rateLimit.Connections.Limit != 5 {
+		t.Errorf("Expected 5 in limit by ip but %v was returend", rateLimit.Connections)
+	}
+
+	if rateLimit.RPS.Limit != 100 {
+		t.Errorf("Expected 100 in limit by rps but %v was returend", rateLimit.RPS)
+	}
+}
--- a/core/pkg/ingress/annotations/rewrite/main.go
+++ b/core/pkg/ingress/annotations/rewrite/main.go
@ -0,0 +1,64 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rewrite
+
+import (
+	"errors"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+const (
+	rewriteTo   = "ingress.kubernetes.io/rewrite-target"
+	addBaseURL  = "ingress.kubernetes.io/add-base-url"
+	sslRedirect = "ingress.kubernetes.io/ssl-redirect"
+)
+
+// Redirect describes the per location redirect config
+type Redirect struct {
+	// Target URI where the traffic must be redirected
+	Target string
+	// AddBaseURL indicates if is required to add a base tag in the head
+	// of the responses from the upstream servers
+	AddBaseURL bool
+	// SSLRedirect indicates if the location section is accessible SSL only
+	SSLRedirect bool
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to rewrite the defined paths
+func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*Redirect, error) {
+	if ing.GetAnnotations() == nil {
+		return &Redirect{}, errors.New("no annotations present")
+	}
+
+	sslRe, err := parser.GetBoolAnnotation(sslRedirect, ing)
+	if err != nil {
+		sslRe = cfg.SSLRedirect
+	}
+
+	rt, _ := parser.GetStringAnnotation(rewriteTo, ing)
+	abu, _ := parser.GetBoolAnnotation(addBaseURL, ing)
+	return &Redirect{
+		Target:      rt,
+		AddBaseURL:  abu,
+		SSLRedirect: sslRe,
+	}, nil
+}
--- a/core/pkg/ingress/annotations/rewrite/main_test.go
+++ b/core/pkg/ingress/annotations/rewrite/main_test.go
@ -0,0 +1,116 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rewrite
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+)
+
+const (
+	defRoute = "/demo"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestWithoutAnnotations(t *testing.T) {
+	ing := buildIngress()
+	_, err := ParseAnnotations(defaults.Backend{}, ing)
+	if err == nil {
+		t.Error("Expected error with ingress without annotations")
+	}
+}
+
+func TestRedirect(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[rewriteTo] = defRoute
+	ing.SetAnnotations(data)
+
+	redirect, err := ParseAnnotations(defaults.Backend{}, ing)
+	if err != nil {
+		t.Errorf("Uxpected error with ingress: %v", err)
+	}
+
+	if redirect.Target != defRoute {
+		t.Errorf("Expected %v as redirect but returned %s", defRoute, redirect.Target)
+	}
+}
+
+func TestSSLRedirect(t *testing.T) {
+	ing := buildIngress()
+
+	cfg := defaults.Backend{SSLRedirect: true}
+
+	data := map[string]string{}
+
+	ing.SetAnnotations(data)
+
+	redirect, _ := ParseAnnotations(cfg, ing)
+
+	if !redirect.SSLRedirect {
+		t.Errorf("Expected true but returned false")
+	}
+
+	data[sslRedirect] = "false"
+	ing.SetAnnotations(data)
+
+	redirect, _ = ParseAnnotations(cfg, ing)
+
+	if redirect.SSLRedirect {
+		t.Errorf("Expected false but returned true")
+	}
+}
--- a/core/pkg/ingress/annotations/secureupstream/main.go
+++ b/core/pkg/ingress/annotations/secureupstream/main.go
@ -0,0 +1,33 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secureupstream
+
+import (
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+const (
+	secureUpstream = "ingress.kubernetes.io/secure-backends"
+)
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to indicate if the upstream servers should use SSL
+func ParseAnnotations(ing *extensions.Ingress) (bool, error) {
+	return parser.GetBoolAnnotation(secureUpstream, ing)
+}
--- a/core/pkg/ingress/annotations/secureupstream/main_test.go
+++ b/core/pkg/ingress/annotations/secureupstream/main_test.go
@ -0,0 +1,80 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package secureupstream
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestAnnotations(t *testing.T) {
+	ing := buildIngress()
+	data := map[string]string{}
+	data[secureUpstream] = "true"
+	ing.SetAnnotations(data)
+
+	_, err := ParseAnnotations(ing)
+	if err != nil {
+		t.Error("Expected error with ingress without annotations")
+	}
+}
+
+func TestWithoutAnnotations(t *testing.T) {
+	ing := buildIngress()
+	_, err := ParseAnnotations(ing)
+	if err == nil {
+		t.Error("Expected error with ingress without annotations")
+	}
+}
--- a/core/pkg/ingress/annotations/service/service.go
+++ b/core/pkg/ingress/annotations/service/service.go
@ -0,0 +1,73 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package service
+
+import (
+	"encoding/json"
+	"fmt"
+	"strconv"
+
+	"k8s.io/kubernetes/pkg/api"
+
+	"github.com/golang/glog"
+)
+
+const (
+	// NamedPortAnnotation annotation used to map named port in services
+	NamedPortAnnotation = "ingress.kubernetes.io/named-ports"
+)
+
+type namedPortMapping map[string]string
+
+// getPort returns the port defined in a named port
+func (npm namedPortMapping) getPort(name string) (string, bool) {
+	val, ok := npm.getPortMappings()[name]
+	return val, ok
+}
+
+// getPortMappings returns a map containing the mapping of named ports names and number
+func (npm namedPortMapping) getPortMappings() map[string]string {
+	data := npm[NamedPortAnnotation]
+	var mapping map[string]string
+	if data == "" {
+		return mapping
+	}
+	if err := json.Unmarshal([]byte(data), &mapping); err != nil {
+		glog.Errorf("unexpected error reading annotations: %v", err)
+	}
+
+	return mapping
+}
+
+// GetPortMapping returns the number of the named port or an error if is not valid
+func GetPortMapping(name string, s *api.Service) (int32, error) {
+	if s == nil {
+		return -1, fmt.Errorf("impossible to extract por mapping from %v (missing service)", name)
+	}
+	namedPorts := s.ObjectMeta.Annotations
+	val, ok := namedPortMapping(namedPorts).getPort(name)
+	if ok {
+		port, err := strconv.Atoi(val)
+		if err != nil {
+			return -1, fmt.Errorf("service %v contains an invalid port mapping for %v (%v), %v", s.Name, name, val, err)
+		}
+
+		return int32(port), nil
+	}
+
+	return -1, fmt.Errorf("there is no port with name %v", name)
+}
--- a/core/pkg/ingress/annotations/sslpassthrough/main.go
+++ b/core/pkg/ingress/annotations/sslpassthrough/main.go
@ -0,0 +1,45 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sslpassthrough
+
+import (
+	"fmt"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+const (
+	passthrough = "ingress.kubernetes.io/ssl-passthrough"
+)
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to indicate if is required to configure
+func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (bool, error) {
+
+	if ing.GetAnnotations() == nil {
+		return false, parser.ErrMissingAnnotations
+	}
+
+	if len(ing.Spec.TLS) == 0 {
+		return false, fmt.Errorf("ingres rule %v/%v does not contains a TLS section", ing.Name, ing.Namespace)
+	}
+
+	return parser.GetBoolAnnotation(passthrough, ing)
+}
--- a/core/pkg/ingress/annotations/sslpassthrough/main_test.go
+++ b/core/pkg/ingress/annotations/sslpassthrough/main_test.go
@ -0,0 +1,74 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sslpassthrough
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+)
+
+func buildIngress() *extensions.Ingress {
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+		},
+	}
+}
+
+func TestParseAnnotations(t *testing.T) {
+	ing := buildIngress()
+
+	_, err := ParseAnnotations(defaults.Backend{}, ing)
+	if err == nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	data := map[string]string{}
+	data[passthrough] = "true"
+	ing.SetAnnotations(data)
+	// test ingress using the annotation without a TLS section
+	val, err := ParseAnnotations(defaults.Backend{}, ing)
+	if err == nil {
+		t.Errorf("expected error parsing an invalid cidr")
+	}
+
+	// test with a valid host
+	ing.Spec.TLS = []extensions.IngressTLS{
+		{
+			Hosts: []string{"foo.bar.com"},
+		},
+	}
+	val, err = ParseAnnotations(defaults.Backend{}, ing)
+	if err != nil {
+		t.Errorf("expected error parsing an invalid cidr")
+	}
+	if !val {
+		t.Errorf("expected true but false returned")
+	}
+}
--- a/core/pkg/ingress/controller/backend_ssl.go
+++ b/core/pkg/ingress/controller/backend_ssl.go
@ -0,0 +1,161 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/client/cache"
+
+	"github.com/golang/glog"
+	"k8s.io/ingress/core/pkg/ingress"
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	ssl "k8s.io/ingress/core/pkg/net/ssl"
+)
+
+// syncSecret keeps in sync Secrets used by Ingress rules with files to allow
+// being used in controllers.
+func (ic *GenericController) syncSecret(k interface{}) error {
+	if ic.secretQueue.IsShuttingDown() {
+		return nil
+	}
+	if !ic.controllersInSync() {
+		time.Sleep(podStoreSyncedPollPeriod)
+		return fmt.Errorf("deferring sync till endpoints controller has synced")
+	}
+
+	// check if the default certificate is configured
+	key := fmt.Sprintf("default/%v", defServerName)
+	_, exists := ic.sslCertTracker.Get(key)
+	var cert *ingress.SSLCert
+	var err error
+	if !exists {
+		if ic.cfg.DefaultSSLCertificate != "" {
+			cert, err = ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
+			if err != nil {
+				return err
+			}
+		} else {
+			defCert, defKey := ssl.GetFakeSSLCert()
+			cert, err = ssl.AddOrUpdateCertAndKey("system-snake-oil-certificate", defCert, defKey, []byte{})
+			if err != nil {
+				return nil
+			}
+		}
+		cert.Name = defServerName
+		cert.Namespace = api.NamespaceDefault
+		ic.sslCertTracker.Add(key, cert)
+	}
+
+	key = k.(string)
+
+	// get secret
+	secObj, exists, err := ic.secrLister.Store.GetByKey(key)
+	if err != nil {
+		return fmt.Errorf("error getting secret %v: %v", key, err)
+	}
+	if !exists {
+		return fmt.Errorf("secret %v was not found", key)
+	}
+	sec := secObj.(*api.Secret)
+	if !ic.secrReferenced(sec.Name, sec.Namespace) {
+		glog.V(2).Infof("secret %v/%v is not used in Ingress rules. skipping ", sec.Namespace, sec.Name)
+		return nil
+	}
+
+	cert, err = ic.getPemCertificate(key)
+	if err != nil {
+		return err
+	}
+
+	// create certificates and add or update the item in the store
+	_, exists = ic.sslCertTracker.Get(key)
+	if exists {
+		ic.sslCertTracker.Update(key, cert)
+		return nil
+	}
+	ic.sslCertTracker.Add(key, cert)
+	return nil
+}
+
+func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLCert, error) {
+	secretInterface, exists, err := ic.secrLister.Store.GetByKey(secretName)
+	if err != nil {
+		return nil, fmt.Errorf("Error retriveing secret %v: %v", secretName, err)
+	}
+	if !exists {
+		return nil, fmt.Errorf("secret named %v does not exists", secretName)
+	}
+
+	secret := secretInterface.(*api.Secret)
+	cert, ok := secret.Data[api.TLSCertKey]
+	if !ok {
+		return nil, fmt.Errorf("secret named %v has no private key", secretName)
+	}
+	key, ok := secret.Data[api.TLSPrivateKeyKey]
+	if !ok {
+		return nil, fmt.Errorf("secret named %v has no cert", secretName)
+	}
+
+	ca := secret.Data["ca.crt"]
+
+	nsSecName := strings.Replace(secretName, "/", "-", -1)
+	s, err := ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca)
+	if err != nil {
+		return nil, err
+	}
+
+	s.Name = secret.Name
+	s.Namespace = secret.Namespace
+	return s, nil
+}
+
+// check if secret is referenced in this controller's config
+func (ic *GenericController) secrReferenced(name, namespace string) bool {
+	for _, ingIf := range ic.ingLister.Store.List() {
+		ing := ingIf.(*extensions.Ingress)
+		str, err := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing)
+		if err == nil && str == fmt.Sprintf("%v/%v", namespace, name) {
+			return true
+		}
+
+		if ing.Namespace != namespace {
+			continue
+		}
+		for _, tls := range ing.Spec.TLS {
+			if tls.SecretName == name {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// sslCertTracker ...
+type sslCertTracker struct {
+	cache.ThreadSafeStore
+}
+
+func newSSLCertTracker() *sslCertTracker {
+	return &sslCertTracker{
+		cache.NewThreadSafeStore(cache.Indexers{}, cache.Indices{}),
+	}
+}
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
--- a/core/pkg/ingress/controller/launch.go
+++ b/core/pkg/ingress/controller/launch.go
@ -0,0 +1,182 @@
+package controller
+
+import (
+	"flag"
+	"fmt"
+	"net/http"
+	"net/http/pprof"
+	"os"
+	"syscall"
+	"time"
+
+	"github.com/golang/glog"
+	"github.com/spf13/pflag"
+
+	"k8s.io/ingress/core/pkg/ingress"
+	"k8s.io/ingress/core/pkg/k8s"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"k8s.io/kubernetes/pkg/api"
+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+	"k8s.io/kubernetes/pkg/client/restclient"
+	"k8s.io/kubernetes/pkg/healthz"
+	kubectl_util "k8s.io/kubernetes/pkg/kubectl/cmd/util"
+)
+
+// NewIngressController returns a configured Ingress controller ready to start
+func NewIngressController(backend ingress.Controller) Interface {
+	var (
+		flags = pflag.NewFlagSet("", pflag.ExitOnError)
+
+		defaultSvc = flags.String("default-backend-service", "",
+			`Service used to serve a 404 page for the default backend. Takes the form
+    	namespace/name. The controller uses the first node port of this Service for
+    	the default backend.`)
+
+		ingressClass = flags.String("ingress-class", "nginx",
+			`Name of the ingress class to route through this controller.`)
+
+		configMap = flags.String("configmap", "",
+			`Name of the ConfigMap that contains the custom configuration to use`)
+
+		publishSvc = flags.String("publish-service", "",
+			`Service fronting the ingress controllers. Takes the form
+ 		namespace/name. The controller will set the endpoint records on the
+ 		ingress objects to reflect those on the service.`)
+
+		tcpConfigMapName = flags.String("tcp-services-configmap", "",
+			`Name of the ConfigMap that contains the definition of the TCP services to expose.
+		The key in the map indicates the external port to be used. The value is the name of the
+		service with the format namespace/serviceName and the port of the service could be a 
+		number of the name of the port.
+		The ports 80 and 443 are not allowed as external ports. This ports are reserved for nginx`)
+
+		udpConfigMapName = flags.String("udp-services-configmap", "",
+			`Name of the ConfigMap that contains the definition of the UDP services to expose.
+		The key in the map indicates the external port to be used. The value is the name of the
+		service with the format namespace/serviceName and the port of the service could be a 
+		number of the name of the port.`)
+
+		resyncPeriod = flags.Duration("sync-period", 60*time.Second,
+			`Relist and confirm cloud resources this often.`)
+
+		watchNamespace = flags.String("watch-namespace", api.NamespaceAll,
+			`Namespace to watch for Ingress. Default is to watch all namespaces`)
+
+		healthzPort = flags.Int("healthz-port", 10254, "port for healthz endpoint.")
+
+		profiling = flags.Bool("profiling", true, `Enable profiling via web interface host:port/debug/pprof/`)
+
+		defSSLCertificate = flags.String("default-ssl-certificate", "", `Name of the secret 
+		that contains a SSL certificate to be used as default for a HTTPS catch-all server`)
+
+		defHealthzURL = flags.String("health-check-path", "/healthz", `Defines 
+		the URL to be used as health check inside in the default server in NGINX.`)
+	)
+
+	flags.AddGoFlagSet(flag.CommandLine)
+	flags.Parse(os.Args)
+	clientConfig := kubectl_util.DefaultClientConfig(flags)
+
+	flag.Set("logtostderr", "true")
+
+	glog.Info(backend.Info())
+
+	if *ingressClass != "" {
+		glog.Infof("Watching for ingress class: %s", *ingressClass)
+	}
+
+	if *defaultSvc == "" {
+		glog.Fatalf("Please specify --default-backend-service")
+	}
+
+	kubeconfig, err := restclient.InClusterConfig()
+	if err != nil {
+		kubeconfig, err = clientConfig.ClientConfig()
+		if err != nil {
+			glog.Fatalf("error configuring the client: %v", err)
+		}
+	}
+
+	kubeClient, err := clientset.NewForConfig(kubeconfig)
+	if err != nil {
+		glog.Fatalf("failed to create client: %v", err)
+	}
+
+	_, err = k8s.IsValidService(kubeClient, *defaultSvc)
+	if err != nil {
+		glog.Fatalf("no service with name %v found: %v", *defaultSvc, err)
+	}
+	glog.Infof("validated %v as the default backend", *defaultSvc)
+
+	if *publishSvc != "" {
+		svc, err := k8s.IsValidService(kubeClient, *publishSvc)
+		if err != nil {
+			glog.Fatalf("no service with name %v found: %v", *publishSvc, err)
+		}
+
+		if len(svc.Status.LoadBalancer.Ingress) == 0 {
+			// We could poll here, but we instead just exit and rely on k8s to restart us
+			glog.Fatalf("service %s does not (yet) have ingress points", *publishSvc)
+		}
+
+		glog.Infof("service %v validated as source of Ingress status", *publishSvc)
+	}
+
+	if *configMap != "" {
+		_, _, err = k8s.ParseNameNS(*configMap)
+		if err != nil {
+			glog.Fatalf("configmap error: %v", err)
+		}
+	}
+
+	os.MkdirAll(ingress.DefaultSSLDirectory, 0655)
+
+	config := &Configuration{
+		Client:                kubeClient,
+		ResyncPeriod:          *resyncPeriod,
+		DefaultService:        *defaultSvc,
+		IngressClass:          *ingressClass,
+		Namespace:             *watchNamespace,
+		ConfigMapName:         *configMap,
+		TCPConfigMapName:      *tcpConfigMapName,
+		UDPConfigMapName:      *udpConfigMapName,
+		DefaultSSLCertificate: *defSSLCertificate,
+		DefaultHealthzURL:     *defHealthzURL,
+		PublishService:        *publishSvc,
+		Backend:               backend,
+	}
+
+	ic := newIngressController(config)
+	go registerHandlers(*profiling, *healthzPort, ic)
+	return ic
+}
+
+func registerHandlers(enableProfiling bool, port int, ic Interface) {
+	mux := http.NewServeMux()
+	healthz.InstallHandler(mux, ic)
+
+	mux.Handle("/metrics", prometheus.Handler())
+
+	mux.HandleFunc("/build", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, ic.Info())
+	})
+
+	mux.HandleFunc("/stop", func(w http.ResponseWriter, r *http.Request) {
+		syscall.Kill(syscall.Getpid(), syscall.SIGTERM)
+	})
+
+	if enableProfiling {
+		mux.HandleFunc("/debug/pprof/", pprof.Index)
+		mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
+		mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+		mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
+	}
+
+	server := &http.Server{
+		Addr:    fmt.Sprintf(":%v", port),
+		Handler: mux,
+	}
+	glog.Fatal(server.ListenAndServe())
+}
--- a/core/pkg/ingress/controller/metrics.go
+++ b/core/pkg/ingress/controller/metrics.go
@ -0,0 +1,60 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import "github.com/prometheus/client_golang/prometheus"
+
+const (
+	ns          = "ingress_controller"
+	operation   = "count"
+	reloadLabel = "reloads"
+)
+
+func init() {
+	prometheus.MustRegister(reloadOperation)
+	prometheus.MustRegister(reloadOperationErrors)
+
+	reloadOperationErrors.WithLabelValues(reloadLabel).Set(0)
+	reloadOperation.WithLabelValues(reloadLabel).Set(0)
+}
+
+var (
+	reloadOperation = prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Namespace: ns,
+			Name:      "success",
+			Help:      "Cumulative number of Ingress controller reload operations",
+		},
+		[]string{operation},
+	)
+	reloadOperationErrors = prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Namespace: ns,
+			Name:      "errors",
+			Help:      "Cumulative number of Ingress controller errors during reload operations",
+		},
+		[]string{operation},
+	)
+)
+
+func incReloadCount() {
+	reloadOperation.WithLabelValues(reloadLabel).Inc()
+}
+
+func incReloadErrorCount() {
+	reloadOperationErrors.WithLabelValues(reloadLabel).Inc()
+}
--- a/core/pkg/ingress/controller/named_port.go
+++ b/core/pkg/ingress/controller/named_port.go
@ -0,0 +1,105 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"strconv"
+
+	"github.com/golang/glog"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/service"
+
+	"k8s.io/kubernetes/pkg/api"
+	podutil "k8s.io/kubernetes/pkg/api/pod"
+	"k8s.io/kubernetes/pkg/labels"
+)
+
+// checkSvcForUpdate verifies if one of the running pods for a service contains
+// named port. If the annotation in the service does not exists or is not equals
+// to the port mapping obtained from the pod the service must be updated to reflect
+// the current state
+func (ic *GenericController) checkSvcForUpdate(svc *api.Service) error {
+	// get the pods associated with the service
+	// TODO: switch this to a watch
+	pods, err := ic.cfg.Client.Pods(svc.Namespace).List(api.ListOptions{
+		LabelSelector: labels.Set(svc.Spec.Selector).AsSelector(),
+	})
+
+	if err != nil {
+		return fmt.Errorf("error searching service pods %v/%v: %v", svc.Namespace, svc.Name, err)
+	}
+
+	if len(pods.Items) == 0 {
+		return nil
+	}
+
+	namedPorts := map[string]string{}
+
+	// we need to check only one pod searching for named ports
+	pod := &pods.Items[0]
+	glog.V(4).Infof("checking pod %v/%v for named port information", pod.Namespace, pod.Name)
+	for i := range svc.Spec.Ports {
+		servicePort := &svc.Spec.Ports[i]
+
+		_, err := strconv.Atoi(servicePort.TargetPort.StrVal)
+		if err != nil {
+			portNum, err := podutil.FindPort(pod, servicePort)
+			if err != nil {
+				glog.V(4).Infof("failed to find port for service %s/%s: %v", portNum, svc.Namespace, svc.Name, err)
+				continue
+			}
+
+			if servicePort.TargetPort.StrVal == "" {
+				continue
+			}
+
+			namedPorts[servicePort.TargetPort.StrVal] = fmt.Sprintf("%v", portNum)
+		}
+	}
+
+	if svc.ObjectMeta.Annotations == nil {
+		svc.ObjectMeta.Annotations = map[string]string{}
+	}
+
+	curNamedPort := svc.ObjectMeta.Annotations[service.NamedPortAnnotation]
+	if len(namedPorts) > 0 && !reflect.DeepEqual(curNamedPort, namedPorts) {
+		data, _ := json.Marshal(namedPorts)
+
+		newSvc, err := ic.cfg.Client.Services(svc.Namespace).Get(svc.Name)
+		if err != nil {
+			return fmt.Errorf("error getting service %v/%v: %v", svc.Namespace, svc.Name, err)
+		}
+
+		if newSvc.ObjectMeta.Annotations == nil {
+			newSvc.ObjectMeta.Annotations = map[string]string{}
+		}
+
+		newSvc.ObjectMeta.Annotations[service.NamedPortAnnotation] = string(data)
+		glog.Infof("updating service %v with new named port mappings", svc.Name)
+		_, err = ic.cfg.Client.Services(svc.Namespace).Update(newSvc)
+		if err != nil {
+			return fmt.Errorf("error syncing service %v/%v: %v", svc.Namespace, svc.Name, err)
+		}
+
+		return nil
+	}
+
+	return nil
+}
--- a/core/pkg/ingress/controller/util.go
+++ b/core/pkg/ingress/controller/util.go
@ -0,0 +1,95 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"strings"
+
+	"k8s.io/ingress/core/pkg/ingress"
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+// newDefaultServer return an UpstreamServer to be use as default server that returns 503.
+func newDefaultServer() ingress.UpstreamServer {
+	return ingress.UpstreamServer{Address: "127.0.0.1", Port: "8181"}
+}
+
+// newUpstream creates an upstream without servers.
+func newUpstream(name string) *ingress.Upstream {
+	return &ingress.Upstream{
+		Name:     name,
+		Backends: []ingress.UpstreamServer{},
+	}
+}
+
+func isHostValid(host string, cert *ingress.SSLCert) bool {
+	if cert == nil {
+		return false
+	}
+	for _, cn := range cert.CN {
+		if matchHostnames(cn, host) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func matchHostnames(pattern, host string) bool {
+	host = strings.TrimSuffix(host, ".")
+	pattern = strings.TrimSuffix(pattern, ".")
+
+	if len(pattern) == 0 || len(host) == 0 {
+		return false
+	}
+
+	patternParts := strings.Split(pattern, ".")
+	hostParts := strings.Split(host, ".")
+
+	if len(patternParts) != len(hostParts) {
+		return false
+	}
+
+	for i, patternPart := range patternParts {
+		if i == 0 && patternPart == "*" {
+			continue
+		}
+		if patternPart != hostParts[i] {
+			return false
+		}
+	}
+
+	return true
+}
+
+// IsValidClass returns true if the given Ingress either doesn't specify
+// the ingress.class annotation, or it's set to the configured in the
+// ingress controller.
+func IsValidClass(ing *extensions.Ingress, class string) bool {
+	if class == "" {
+		return true
+	}
+
+	cc, _ := parser.GetStringAnnotation(ingressClassKey, ing)
+	if cc == "" {
+		return true
+	}
+
+	return cc == class
+}
--- a/core/pkg/ingress/controller/util_test.go
+++ b/core/pkg/ingress/controller/util_test.go
@ -0,0 +1,50 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+func TestIsValidClass(t *testing.T) {
+	ing := &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+	}
+
+	b := IsValidClass(ing, "")
+	if !b {
+		t.Error("Expected a valid class (missing annotation)")
+	}
+
+	data := map[string]string{}
+	data[ingressClassKey] = "custom"
+	ing.SetAnnotations(data)
+	b = IsValidClass(ing, "custom")
+	if !b {
+		t.Errorf("Expected valid class but %v returned", b)
+	}
+	b = IsValidClass(ing, "nginx")
+	if b {
+		t.Errorf("Expected invalid class but %v returned", b)
+	}
+}
--- a/core/pkg/ingress/defaults/main.go
+++ b/core/pkg/ingress/defaults/main.go
@ -0,0 +1,60 @@
+package defaults
+
+// Backend defines the mandatory configuration that an Ingress controller must provide
+// The reason of this requirements is the annotations are generic. If some implementation do not supports
+// one or more annotations it just can provides defaults
+type Backend struct {
+	// enables which HTTP codes should be passed for processing with the error_page directive
+	// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors
+	// http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
+	// By default this is disabled
+	CustomHTTPErrors []int `structs:"custom-http-errors,-"`
+
+	// Defines a timeout for establishing a connection with a proxied server.
+	// It should be noted that this timeout cannot usually exceed 75 seconds.
+	// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout
+	ProxyConnectTimeout int `structs:"proxy-connect-timeout"`
+
+	// Timeout in seconds for reading a response from the proxied server. The timeout is set only between
+	// two successive read operations, not for the transmission of the whole response
+	// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
+	ProxyReadTimeout int `structs:"proxy-read-timeout"`
+
+	// Timeout in seconds for transmitting a request to the proxied server. The timeout is set only between
+	// two successive write operations, not for the transmission of the whole request.
+	// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout
+	ProxySendTimeout int `structs:"proxy-send-timeout"`
+
+	// Sets the size of the buffer used for reading the first part of the response received from the
+	// proxied server. This part usually contains a small response header.
+	// http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size)
+	ProxyBufferSize string `structs:"proxy-buffer-size"`
+
+	// Configures name servers used to resolve names of upstream servers into addresses
+	// http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver
+	Resolver string `structs:"resolver"`
+
+	// SkipAccessLogURLs sets a list of URLs that should not appear in the NGINX access log
+	// This is useful with urls like `/health` or `health-check` that make "complex" reading the logs
+	// By default this list is empty
+	SkipAccessLogURLs []string `structs:"skip-access-log-urls,-"`
+
+	// Enables or disables the redirect (301) to the HTTPS port
+	SSLRedirect bool `structs:"ssl-redirect"`
+
+	// Number of unsuccessful attempts to communicate with the server that should happen in the
+	// duration set by the fail_timeout parameter to consider the server unavailable
+	// http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream
+	// Default: 0, ie use platform liveness probe
+	UpstreamMaxFails int `structs:"upstream-max-fails"`
+
+	// Time during which the specified number of unsuccessful attempts to communicate with
+	// the server should happen to consider the server unavailable
+	// http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream
+	// Default: 0, ie use platform liveness probe
+	UpstreamFailTimeout int `structs:"upstream-fail-timeout"`
+
+	// WhitelistSourceRange allows limiting access to certain client addresses
+	// http://nginx.org/en/docs/http/ngx_http_access_module.html
+	WhitelistSourceRange []string `structs:"whitelist-source-range,-"`
+}
--- a/core/pkg/ingress/status/election.go
+++ b/core/pkg/ingress/status/election.go
@ -0,0 +1,119 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package status
+
+import (
+	"encoding/json"
+	"os"
+	"time"
+
+	"github.com/golang/glog"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/errors"
+	client "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+	"k8s.io/kubernetes/pkg/client/leaderelection"
+	"k8s.io/kubernetes/pkg/client/leaderelection/resourcelock"
+	"k8s.io/kubernetes/pkg/client/record"
+)
+
+func getCurrentLeader(electionID, namespace string, c client.Interface) (string, *api.Endpoints, error) {
+	endpoints, err := c.Core().Endpoints(namespace).Get(electionID)
+	if err != nil {
+		return "", nil, err
+	}
+	val, found := endpoints.Annotations[resourcelock.LeaderElectionRecordAnnotationKey]
+	if !found {
+		return "", endpoints, nil
+	}
+	electionRecord := resourcelock.LeaderElectionRecord{}
+	if err = json.Unmarshal([]byte(val), &electionRecord); err != nil {
+		return "", nil, err
+	}
+	return electionRecord.HolderIdentity, endpoints, err
+}
+
+// NewElection creates an election.  'namespace'/'election' should be an existing Kubernetes Service
+// 'id' is the id if this leader, should be unique.
+func NewElection(electionID,
+	id,
+	namespace string,
+	ttl time.Duration,
+	callback func(leader string),
+	c client.Interface) (*leaderelection.LeaderElector, error) {
+
+	_, err := c.Core().Endpoints(namespace).Get(electionID)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			_, err = c.Core().Endpoints(namespace).Create(&api.Endpoints{
+				ObjectMeta: api.ObjectMeta{
+					Name: electionID,
+				},
+			})
+			if err != nil && !errors.IsConflict(err) {
+				return nil, err
+			}
+		} else {
+			return nil, err
+		}
+	}
+
+	callbacks := leaderelection.LeaderCallbacks{
+		OnStartedLeading: func(stop <-chan struct{}) {
+			callback(id)
+		},
+		OnStoppedLeading: func() {
+			leader, _, err := getCurrentLeader(electionID, namespace, c)
+			if err != nil {
+				glog.Errorf("failed to get leader: %v", err)
+				// empty string means leader is unknown
+				callback("")
+				return
+			}
+			callback(leader)
+		},
+	}
+
+	broadcaster := record.NewBroadcaster()
+	hostname, err := os.Hostname()
+	if err != nil {
+		return nil, err
+	}
+	recorder := broadcaster.NewRecorder(api.EventSource{
+		Component: "ingress-leader-elector",
+		Host:      hostname,
+	})
+
+	lock := resourcelock.EndpointsLock{
+		EndpointsMeta: api.ObjectMeta{Namespace: namespace, Name: electionID},
+		Client:        c,
+		LockConfig: resourcelock.ResourceLockConfig{
+			Identity:      id,
+			EventRecorder: recorder,
+		},
+	}
+
+	config := leaderelection.LeaderElectionConfig{
+		Lock:          &lock,
+		LeaseDuration: ttl,
+		RenewDeadline: ttl / 2,
+		RetryPeriod:   ttl / 4,
+		Callbacks:     callbacks,
+	}
+
+	return leaderelection.NewLeaderElector(config)
+}
--- a/core/pkg/ingress/status/status.go
+++ b/core/pkg/ingress/status/status.go
@ -0,0 +1,283 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package status
+
+import (
+	"sort"
+	"sync"
+	"time"
+
+	"github.com/golang/glog"
+
+	cache_store "k8s.io/ingress/core/pkg/cache"
+	"k8s.io/ingress/core/pkg/k8s"
+	strings "k8s.io/ingress/core/pkg/strings"
+	"k8s.io/ingress/core/pkg/task"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+	"k8s.io/kubernetes/pkg/client/leaderelection"
+	"k8s.io/kubernetes/pkg/labels"
+	"k8s.io/kubernetes/pkg/util/wait"
+)
+
+const (
+	updateInterval = 30 * time.Second
+)
+
+// Sync ...
+type Sync interface {
+	Run(stopCh <-chan struct{})
+	Shutdown()
+}
+
+// Config ...
+type Config struct {
+	Client         clientset.Interface
+	PublishService string
+	IngressLister  cache_store.StoreToIngressLister
+}
+
+// statusSync keeps the status IP in each Ingress rule updated executing a periodic check
+// in all the defined rules. To simplify the process leader election is used so the update
+// is executed only in one node (Ingress controllers can be scaled to more than one)
+// If the controller is running with the flag --publish-service (with a valid service)
+// the IP address behind the service is used, if not the source is the IP/s of the node/s
+type statusSync struct {
+	Config
+	// pod contains runtime information about this pod
+	pod *k8s.PodInfo
+
+	elector *leaderelection.LeaderElector
+	// workqueue used to keep in sync the status IP/s
+	// in the Ingress rules
+	syncQueue *task.Queue
+
+	runLock *sync.Mutex
+}
+
+// Run starts the loop to keep the status in sync
+func (s statusSync) Run(stopCh <-chan struct{}) {
+	go wait.Forever(s.elector.Run, 0)
+	go s.run()
+
+	go s.syncQueue.Run(time.Second, stopCh)
+
+	<-stopCh
+}
+
+// Shutdown stop the sync. In case the instance is the leader it will remove the current IP
+// if there is no other instances running.
+func (s statusSync) Shutdown() {
+	go s.syncQueue.Shutdown()
+	// remove IP from Ingress
+	if !s.elector.IsLeader() {
+		return
+	}
+
+	glog.Infof("updating status of Ingress rules (remove)")
+
+	ips, err := s.getRunningIPs()
+	if err != nil {
+		glog.Errorf("error obtaining running IPs: %v", ips)
+		return
+	}
+
+	if len(ips) > 1 {
+		// leave the job to the next leader
+		glog.Infof("leaving status update for next leader (%v)", len(ips))
+		return
+	}
+
+	glog.Infof("removing my ip (%v)", ips)
+	s.updateStatus([]api.LoadBalancerIngress{})
+}
+
+func (s *statusSync) run() {
+	err := wait.PollInfinite(updateInterval, func() (bool, error) {
+		if s.syncQueue.IsShuttingDown() {
+			return true, nil
+		}
+		// send a dummy object to the queue to force a sync
+		s.syncQueue.Enqueue("dummy")
+		return false, nil
+	})
+	if err != nil {
+		glog.Errorf("error waiting shutdown: %v", err)
+	}
+}
+
+func (s *statusSync) sync(key interface{}) error {
+	s.runLock.Lock()
+	defer s.runLock.Unlock()
+
+	if !s.elector.IsLeader() {
+		glog.V(2).Infof("skipping Ingress status update (I am not the current leader)")
+		return nil
+	}
+
+	ips, err := s.getRunningIPs()
+	if err != nil {
+		return err
+	}
+	s.updateStatus(sliceToStatus(ips))
+
+	return nil
+}
+
+// callback invoked function when a new leader is elected
+func (s *statusSync) callback(leader string) {
+	if s.syncQueue.IsShuttingDown() {
+		return
+	}
+
+	glog.V(2).Infof("new leader elected (%v)", leader)
+	if leader == s.pod.Name {
+		glog.V(2).Infof("I am the new status update leader")
+	}
+}
+
+func (s statusSync) keyfunc(input interface{}) (interface{}, error) {
+	return input, nil
+}
+
+// NewStatusSyncer returns a new Sync instance
+func NewStatusSyncer(config Config) Sync {
+	pod, err := k8s.GetPodDetails(config.Client)
+	if err != nil {
+		glog.Fatalf("unexpected error obtaining pod information: %v", err)
+	}
+
+	st := statusSync{
+		pod:     pod,
+		runLock: &sync.Mutex{},
+		Config:  config,
+	}
+	st.syncQueue = task.NewCustomTaskQueue(st.sync, st.keyfunc)
+
+	le, err := NewElection("ingress-controller-leader",
+		pod.Name, pod.Namespace, 30*time.Second,
+		st.callback, config.Client)
+	if err != nil {
+		glog.Fatalf("unexpected error starting leader election: %v", err)
+	}
+	st.elector = le
+	return st
+}
+
+func (s *statusSync) getRunningIPs() ([]string, error) {
+	if s.PublishService != "" {
+		ns, name, _ := k8s.ParseNameNS(s.PublishService)
+		svc, err := s.Client.Core().Services(ns).Get(name)
+		if err != nil {
+			return nil, err
+		}
+
+		ips := []string{}
+		for _, ip := range svc.Status.LoadBalancer.Ingress {
+			ips = append(ips, ip.IP)
+		}
+
+		return ips, nil
+	}
+
+	// get information about all the pods running the ingress controller
+	pods, err := s.Client.Core().Pods(s.pod.Namespace).List(api.ListOptions{
+		LabelSelector: labels.SelectorFromSet(s.pod.Labels),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	ips := []string{}
+	for _, pod := range pods.Items {
+		if !strings.StringInSlice(pod.Status.HostIP, ips) {
+			ips = append(ips, pod.Status.HostIP)
+		}
+	}
+	return ips, nil
+}
+
+func sliceToStatus(ips []string) []api.LoadBalancerIngress {
+	lbi := []api.LoadBalancerIngress{}
+	for _, ip := range ips {
+		lbi = append(lbi, api.LoadBalancerIngress{IP: ip})
+	}
+
+	sort.Sort(loadBalancerIngressByIP(lbi))
+	return lbi
+}
+
+func (s *statusSync) updateStatus(newIPs []api.LoadBalancerIngress) {
+	ings := s.IngressLister.List()
+	var wg sync.WaitGroup
+	wg.Add(len(ings))
+	for _, cur := range ings {
+		ing := cur.(*extensions.Ingress)
+		go func(wg *sync.WaitGroup) {
+			defer wg.Done()
+			ingClient := s.Client.Extensions().Ingresses(ing.Namespace)
+			currIng, err := ingClient.Get(ing.Name)
+			if err != nil {
+				glog.Errorf("unexpected error searching Ingress %v/%v: %v", ing.Namespace, ing.Name, err)
+				return
+			}
+
+			curIPs := ing.Status.LoadBalancer.Ingress
+			sort.Sort(loadBalancerIngressByIP(curIPs))
+			if ingressSliceEqual(newIPs, curIPs) {
+				glog.V(3).Infof("skipping update of Ingress %v/%v (there is no change)", currIng.Namespace, currIng.Name)
+				return
+			}
+
+			glog.Infof("updating Ingress %v/%v status to %v", currIng.Namespace, currIng.Name, newIPs)
+			currIng.Status.LoadBalancer.Ingress = newIPs
+			_, err = ingClient.UpdateStatus(currIng)
+			if err != nil {
+				glog.Warningf("error updating ingress rule: %v", err)
+			}
+		}(&wg)
+	}
+
+	wg.Wait()
+}
+
+func ingressSliceEqual(lhs, rhs []api.LoadBalancerIngress) bool {
+	if len(lhs) != len(rhs) {
+		return false
+	}
+
+	for i := range lhs {
+		if lhs[i].IP != rhs[i].IP {
+			return false
+		}
+		if lhs[i].Hostname != rhs[i].Hostname {
+			return false
+		}
+	}
+	return true
+}
+
+// loadBalancerIngressByIP sorts LoadBalancerIngress using the field IP
+type loadBalancerIngressByIP []api.LoadBalancerIngress
+
+func (c loadBalancerIngressByIP) Len() int      { return len(c) }
+func (c loadBalancerIngressByIP) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
+func (c loadBalancerIngressByIP) Less(i, j int) bool {
+	return c[i].IP < c[j].IP
+}
--- a/core/pkg/ingress/types.go
+++ b/core/pkg/ingress/types.go
@ -0,0 +1,214 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ingress
+
+import (
+	"os/exec"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/auth"
+	"k8s.io/ingress/core/pkg/ingress/annotations/authreq"
+	"k8s.io/ingress/core/pkg/ingress/annotations/authtls"
+	"k8s.io/ingress/core/pkg/ingress/annotations/ipwhitelist"
+	"k8s.io/ingress/core/pkg/ingress/annotations/proxy"
+	"k8s.io/ingress/core/pkg/ingress/annotations/ratelimit"
+	"k8s.io/ingress/core/pkg/ingress/annotations/rewrite"
+	"k8s.io/ingress/core/pkg/ingress/defaults"
+)
+
+var (
+	// DefaultSSLDirectory defines the location where the SSL certificates will be generated
+	DefaultSSLDirectory = "/ingress-controller/ssl"
+)
+
+// Controller ...
+type Controller interface {
+	// Start returns the command is executed to start the backend.
+	// The command must run in foreground.
+	Start()
+	// Stop stops the backend
+	Stop() error
+	// Restart reload the backend with the a configuration file returning
+	// the combined output of Stdout and Stderr
+	Restart(data []byte) ([]byte, error)
+	// Tests returns a commands that checks if the configuration file is valid
+	// Example: nginx -t -c <file>
+	Test(file string) *exec.Cmd
+	// OnUpdate callback invoked from the sync queue https://k8s.io/ingress/core/blob/master/pkg/ingress/controller/controller.go#L355
+	// when an update occurs. This is executed frequently because Ingress
+	// controllers watches changes in:
+	// - Ingresses: main work
+	// - Secrets: referenced from Ingress rules with TLS configured
+	// - ConfigMaps: where the controller reads custom configuration
+	// - Services: referenced from Ingress rules and required to obtain
+	//	 information about ports and annotations
+	// - Endpoints: referenced from Services and what the backend uses
+	//	 to route traffic
+	//
+	// ConfigMap content of --configmap
+	// Configuration returns the translation from Ingress rules containing
+	// information about all the upstreams (service endpoints ) "virtual"
+	// servers (FQDN)
+	// and all the locations inside each server. Each location contains
+	// information about all the annotations were configured
+	// https://k8s.io/ingress/core/blob/master/pkg/ingress/types.go#L48
+	OnUpdate(*api.ConfigMap, Configuration) ([]byte, error)
+	// UpstreamDefaults returns the minimum settings required to configure the
+	// communication to upstream servers (endpoints)
+	UpstreamDefaults() defaults.Backend
+	// IsReloadRequired checks if the backend must be reloaded or not.
+	// The parameter contains the new rendered template
+	IsReloadRequired([]byte) bool
+	// Info returns information about the ingress controller
+	// This can include build version, repository, etc.
+	Info() string
+}
+
+// Configuration describes
+type Configuration struct {
+	HealthzURL           string
+	Upstreams            []*Upstream
+	Servers              []*Server
+	TCPUpstreams         []*Location
+	UDPUpstreams         []*Location
+	PassthroughUpstreams []*SSLPassthroughUpstreams
+}
+
+// Upstream describes an upstream server (endpoint)
+type Upstream struct {
+	// Secure indicates if the communication with the en
+	Secure bool
+	// Name represents an unique api.Service name formatted
+	// as <namespace>-<name>-<port>
+	Name string
+	// Backends
+	Backends []UpstreamServer
+}
+
+// SSLPassthroughUpstreams describes an SSL upstream server configured
+// as passthrough (no TLS termination)
+type SSLPassthroughUpstreams struct {
+	Upstream
+
+	Host string
+}
+
+// UpstreamByNameServers sorts upstreams by name
+type UpstreamByNameServers []*Upstream
+
+func (c UpstreamByNameServers) Len() int      { return len(c) }
+func (c UpstreamByNameServers) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
+func (c UpstreamByNameServers) Less(i, j int) bool {
+	return c[i].Name < c[j].Name
+}
+
+// UpstreamServer describes a server in an upstream
+type UpstreamServer struct {
+	// Address IP address of the endpoint
+	Address string
+	Port    string
+	// MaxFails returns the maximum number of check failures
+	// allowed before this should be considered dow.
+	// Setting 0 indicates that the check is performed by a Kubernetes probe
+	MaxFails    int
+	FailTimeout int
+}
+
+// Server describes a virtual server
+type Server struct {
+	Name           string
+	SSL            bool
+	SSLPassthrough bool
+	SSLCertificate string
+	//SSLCertificateKey string
+	SSLPemChecksum string
+	Locations      []*Location
+}
+
+// Location describes a server location
+type Location struct {
+	IsDefBackend    bool
+	SecureUpstream  bool
+	EnableCORS      bool
+	Path            string
+	Upstream        Upstream
+	BasicDigestAuth auth.BasicDigest
+	RateLimit       ratelimit.RateLimit
+	Redirect        rewrite.Redirect
+	Whitelist       ipwhitelist.SourceRange
+	ExternalAuth    authreq.External
+	Proxy           proxy.Configuration
+	CertificateAuth authtls.SSLCert
+}
+
+// UpstreamServerByAddrPort sorts upstream servers by address and port
+type UpstreamServerByAddrPort []UpstreamServer
+
+func (c UpstreamServerByAddrPort) Len() int      { return len(c) }
+func (c UpstreamServerByAddrPort) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
+func (c UpstreamServerByAddrPort) Less(i, j int) bool {
+	iName := c[i].Address
+	jName := c[j].Address
+	if iName != jName {
+		return iName < jName
+	}
+
+	iU := c[i].Port
+	jU := c[j].Port
+	return iU < jU
+}
+
+// ServerByName sorts server by name
+type ServerByName []*Server
+
+func (c ServerByName) Len() int      { return len(c) }
+func (c ServerByName) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
+func (c ServerByName) Less(i, j int) bool {
+	return c[i].Name < c[j].Name
+}
+
+// LocationByPath sorts location by path
+// Location / is the last one
+type LocationByPath []*Location
+
+func (c LocationByPath) Len() int      { return len(c) }
+func (c LocationByPath) Swap(i, j int) { c[i], c[j] = c[j], c[i] }
+func (c LocationByPath) Less(i, j int) bool {
+	return c[i].Path > c[j].Path
+}
+
+// SSLCert describes a SSL certificate to be used in a server
+type SSLCert struct {
+	api.ObjectMeta
+
+	//CertFileName string
+	//KeyFileName  string
+	CAFileName string
+
+	// PemFileName contains the path to the file with the certificate and key concatenated
+	PemFileName string
+	// PemSHA contains the sha1 of the pem file.
+	// This is used to detect changes in the secret that contains the certificates
+	PemSHA string
+	// CN contains all the common names defined in the SSL certificate
+	CN []string
+}
+
+// GetObjectKind implements the ObjectKind interface as a noop
+func (s SSLCert) GetObjectKind() unversioned.ObjectKind { return unversioned.EmptyObjectKind }