DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #5534 from agile6v/master

Browse source 
Add annotation ssl-prefer-server-ciphers.
This commit is contained in:
Kubernetes Prow Robot 2020-05-29 08:35:16 -07:00 committed by GitHub
commit ee02d897d5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 73 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

4
internal/ingress/annotations/annotations.go
View file

@ -108,7 +108,7 @@ type Ingress struct {
UpstreamVhost string
Whitelist ipwhitelist.SourceRange
XForwardedPrefix string
SSLCiphers string
SSLCipher sslcipher.Config
Logs log.Config
InfluxDB influxdb.Config
ModSecurity modsecurity.Config
@ -156,7 +156,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor {
"UpstreamVhost": upstreamvhost.NewParser(cfg),
"Whitelist": ipwhitelist.NewParser(cfg),
"XForwardedPrefix": xforwardedprefix.NewParser(cfg),
"SSLCiphers": sslcipher.NewParser(cfg),
"SSLCipher": sslcipher.NewParser(cfg),
"Logs": log.NewParser(cfg),
"InfluxDB": influxdb.NewParser(cfg),
"BackendProtocol": backendprotocol.NewParser(cfg),

27
internal/ingress/annotations/sslcipher/main.go
View file

@ -27,13 +27,36 @@ type sslCipher struct {
r resolver.Resolver
}
// Config contains the ssl-ciphers & ssl-prefer-server-ciphers configuration
type Config struct {
SSLCiphers string
SSLPreferServerCiphers string
}
// NewParser creates a new sslCipher annotation parser
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
return sslCipher{r}
}
// Parse parses the annotations contained in the ingress rule
// used to add ssl-ciphers to the server name
// used to add ssl-ciphers & ssl-prefer-server-ciphers to the server name
func (sc sslCipher) Parse(ing *networking.Ingress) (interface{}, error) {
return parser.GetStringAnnotation("ssl-ciphers", ing)
config := &Config{}
var err error
var sslPreferServerCiphers bool
sslPreferServerCiphers, err = parser.GetBoolAnnotation("ssl-prefer-server-ciphers", ing)
if err != nil {
config.SSLPreferServerCiphers = ""
} else {
if sslPreferServerCiphers {
config.SSLPreferServerCiphers = "on"
} else {
config.SSLPreferServerCiphers = "off"
}
}
config.SSLCiphers, _ = parser.GetStringAnnotation("ssl-ciphers", ing)
return config, nil
}

24
internal/ingress/annotations/sslcipher/main_test.go
View file

@ -17,6 +17,7 @@ limitations under the License.
package sslcipher
import (
"reflect"
"testing"
api "k8s.io/api/core/v1"
@ -27,22 +28,27 @@ import (
)
func TestParse(t *testing.T) {
annotation := parser.GetAnnotationWithPrefix("ssl-ciphers")
ap := NewParser(&resolver.Mock{})
if ap == nil {
t.Fatalf("expected a parser.IngressAnnotation but returned nil")
}
annotationSSLCiphers := parser.GetAnnotationWithPrefix("ssl-ciphers")
annotationSSLPreferServerCiphers := parser.GetAnnotationWithPrefix("ssl-prefer-server-ciphers")
testCases := []struct {
annotations map[string]string
expected string
expected Config
}{
{map[string]string{annotation: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"},
{map[string]string{annotation: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"},
"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"},
{map[string]string{annotation: ""}, ""},
{map[string]string{}, ""},
{nil, ""},
{map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", ""}},
{map[string]string{annotationSSLCiphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"},
Config{"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", ""}},
{map[string]string{annotationSSLCiphers: ""}, Config{"", ""}},
{map[string]string{annotationSSLPreferServerCiphers: "true"}, Config{"", "on"}},
{map[string]string{annotationSSLPreferServerCiphers: "false"}, Config{"", "off"}},
{map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", annotationSSLPreferServerCiphers: "true"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", "on"}},
{map[string]string{}, Config{"", ""}},
{nil, Config{"", ""}},
}
ing := &networking.Ingress{
@ -56,7 +62,7 @@ func TestParse(t *testing.T) {
for _, testCase := range testCases {
ing.SetAnnotations(testCase.annotations)
result, _ := ap.Parse(ing)
if result != testCase.expected {
if !reflect.DeepEqual(result, &testCase.expected) {
t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations)
}
}