Merge pull request #5534 from agile6v/master

Add annotation ssl-prefer-server-ciphers.

internal/ingress/annotations/annotations.go

@@ -108,7 +108,7 @@ type Ingress struct {
 	UpstreamVhost      string
 	Whitelist          ipwhitelist.SourceRange
 	XForwardedPrefix   string
-	SSLCiphers         string
+	SSLCipher          sslcipher.Config
 	Logs               log.Config
 	InfluxDB           influxdb.Config
 	ModSecurity        modsecurity.Config
@@ -156,7 +156,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor {
 			"UpstreamVhost":        upstreamvhost.NewParser(cfg),
 			"Whitelist":            ipwhitelist.NewParser(cfg),
 			"XForwardedPrefix":     xforwardedprefix.NewParser(cfg),
-			"SSLCiphers":           sslcipher.NewParser(cfg),
+			"SSLCipher":            sslcipher.NewParser(cfg),
 			"Logs":                 log.NewParser(cfg),
 			"InfluxDB":             influxdb.NewParser(cfg),
 			"BackendProtocol":      backendprotocol.NewParser(cfg),

internal/ingress/annotations/sslcipher/main.go

@@ -27,13 +27,36 @@ type sslCipher struct {
 	r resolver.Resolver
 }
 
+// Config contains the ssl-ciphers & ssl-prefer-server-ciphers configuration
+type Config struct {
+	SSLCiphers             string
+	SSLPreferServerCiphers string
+}
+
 // NewParser creates a new sslCipher annotation parser
 func NewParser(r resolver.Resolver) parser.IngressAnnotation {
 	return sslCipher{r}
 }
 
 // Parse parses the annotations contained in the ingress rule
-// used to add ssl-ciphers to the server name
+// used to add ssl-ciphers & ssl-prefer-server-ciphers to the server name
 func (sc sslCipher) Parse(ing *networking.Ingress) (interface{}, error) {
-	return parser.GetStringAnnotation("ssl-ciphers", ing)
+	config := &Config{}
+	var err error
+	var sslPreferServerCiphers bool
+
+	sslPreferServerCiphers, err = parser.GetBoolAnnotation("ssl-prefer-server-ciphers", ing)
+	if err != nil {
+		config.SSLPreferServerCiphers = ""
+	} else {
+		if sslPreferServerCiphers {
+			config.SSLPreferServerCiphers = "on"
+		} else {
+			config.SSLPreferServerCiphers = "off"
+		}
+	}
+
+	config.SSLCiphers, _ = parser.GetStringAnnotation("ssl-ciphers", ing)
+
+	return config, nil
 }

internal/ingress/annotations/sslcipher/main_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package sslcipher
 
 import (
+	"reflect"
 	"testing"
 
 	api "k8s.io/api/core/v1"
@@ -27,22 +28,27 @@ import (
 )
 
 func TestParse(t *testing.T) {
-	annotation := parser.GetAnnotationWithPrefix("ssl-ciphers")
 	ap := NewParser(&resolver.Mock{})
 	if ap == nil {
 		t.Fatalf("expected a parser.IngressAnnotation but returned nil")
 	}
 
+	annotationSSLCiphers := parser.GetAnnotationWithPrefix("ssl-ciphers")
+	annotationSSLPreferServerCiphers := parser.GetAnnotationWithPrefix("ssl-prefer-server-ciphers")
+
 	testCases := []struct {
 		annotations map[string]string
-		expected    string
+		expected    Config
 	}{
-		{map[string]string{annotation: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"},
-		{map[string]string{annotation: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"},
-			"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"},
-		{map[string]string{annotation: ""}, ""},
-		{map[string]string{}, ""},
-		{nil, ""},
+		{map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", ""}},
+		{map[string]string{annotationSSLCiphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"},
+			Config{"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", ""}},
+		{map[string]string{annotationSSLCiphers: ""}, Config{"", ""}},
+		{map[string]string{annotationSSLPreferServerCiphers: "true"}, Config{"", "on"}},
+		{map[string]string{annotationSSLPreferServerCiphers: "false"}, Config{"", "off"}},
+		{map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", annotationSSLPreferServerCiphers: "true"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", "on"}},
+		{map[string]string{}, Config{"", ""}},
+		{nil, Config{"", ""}},
 	}
 
 	ing := &networking.Ingress{
@@ -56,7 +62,7 @@ func TestParse(t *testing.T) {
 	for _, testCase := range testCases {
 		ing.SetAnnotations(testCase.annotations)
 		result, _ := ap.Parse(ing)
-		if result != testCase.expected {
+		if !reflect.DeepEqual(result, &testCase.expected) {
 			t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations)
 		}
 	}

internal/ingress/controller/controller.go

@@ -1051,8 +1051,9 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 				Locations: []*ingress.Location{
 					loc,
 				},
-				SSLPassthrough: anns.SSLPassthrough,
-				SSLCiphers:     anns.SSLCiphers,
+				SSLPassthrough:         anns.SSLPassthrough,
+				SSLCiphers:             anns.SSLCipher.SSLCiphers,
+				SSLPreferServerCiphers: anns.SSLCipher.SSLPreferServerCiphers,
 			}
 		}
 	}
@@ -1092,8 +1093,13 @@ func (n *NGINXController) createServers(data []*ingress.Ingress,
 			}
 
 			// only add SSL ciphers if the server does not have them previously configured
-			if servers[host].SSLCiphers == "" && anns.SSLCiphers != "" {
-				servers[host].SSLCiphers = anns.SSLCiphers
+			if servers[host].SSLCiphers == "" && anns.SSLCipher.SSLCiphers != "" {
+				servers[host].SSLCiphers = anns.SSLCipher.SSLCiphers
+			}
+
+			// only add SSLPreferServerCiphers if the server does not have them previously configured
+			if servers[host].SSLPreferServerCiphers == "" && anns.SSLCipher.SSLPreferServerCiphers != "" {
+				servers[host].SSLPreferServerCiphers = anns.SSLCipher.SSLPreferServerCiphers
 			}
 
 			// only add a certificate if the server does not have one previously configured

internal/ingress/types.go

@@ -200,6 +200,9 @@ type Server struct {
 	ServerSnippet string `json:"serverSnippet"`
 	// SSLCiphers returns list of ciphers to be enabled
 	SSLCiphers string `json:"sslCiphers,omitempty"`
+	// SSLPreferServerCiphers indicates that server ciphers should be preferred
+	// over client ciphers when using the SSLv3 and TLS protocols.
+	SSLPreferServerCiphers string `sslPreferServerCiphers,omitempty`
 	// AuthTLSError contains the reason why the access to a server should be denied
 	AuthTLSError string `json:"authTLSError,omitempty"`
 }

internal/ingress/types_equals.go

@@ -308,6 +308,9 @@ func (s1 *Server) Equal(s2 *Server) bool {
 	if s1.SSLCiphers != s2.SSLCiphers {
 		return false
 	}
+	if s1.SSLPreferServerCiphers != s2.SSLPreferServerCiphers {
+		return false
+	}
 	if s1.AuthTLSError != s2.AuthTLSError {
 		return false
 	}