Add the missing pass-client-tls annotation to the kubernetes provider

provider/kubernetes/annotations.go

@@ -22,7 +22,8 @@ const (
 	annotationKubernetesWhiteListSourceRange       = "ingress.kubernetes.io/whitelist-source-range"
 	annotationKubernetesWhiteListUseXForwardedFor  = "ingress.kubernetes.io/whitelist-x-forwarded-for"
 	annotationKubernetesPreserveHost               = "ingress.kubernetes.io/preserve-host"
-	annotationKubernetesPassTLSCert                = "ingress.kubernetes.io/pass-tls-cert"
+	annotationKubernetesPassTLSCert                = "ingress.kubernetes.io/pass-tls-cert" // Deprecated
+	annotationKubernetesPassTLSClientCert          = "ingress.kubernetes.io/pass-client-tls-cert"
 	annotationKubernetesFrontendEntryPoints        = "ingress.kubernetes.io/frontend-entry-points"
 	annotationKubernetesPriority                   = "ingress.kubernetes.io/priority"
 	annotationKubernetesCircuitBreakerExpression   = "ingress.kubernetes.io/circuit-breaker-expression"

provider/kubernetes/builder_configuration_test.go

@@ -382,12 +382,34 @@ func limitPeriod(period time.Duration) func(*types.Rate) {
 	}
 }
 
+// Deprecated
 func passTLSCert() func(*types.Frontend) {
 	return func(f *types.Frontend) {
 		f.PassTLSCert = true
 	}
 }
 
+func passTLSClientCert() func(*types.Frontend) {
+	return func(f *types.Frontend) {
+		f.PassTLSClientCert = &types.TLSClientHeaders{
+			PEM: true,
+			Infos: &types.TLSClientCertificateInfos{
+				NotAfter:  true,
+				NotBefore: true,
+				Subject: &types.TLSCLientCertificateSubjectInfos{
+					Country:      true,
+					Province:     true,
+					Locality:     true,
+					Organization: true,
+					CommonName:   true,
+					SerialNumber: true,
+				},
+				Sans: true,
+			},
+		}
+	}
+}
+
 func routes(opts ...func(*types.Route) string) func(*types.Frontend) {
 	return func(f *types.Frontend) {
 		f.Routes = make(map[string]types.Route)

provider/kubernetes/kubernetes.go

@@ -62,7 +62,7 @@ type Provider struct {
 	Token                  string           `description:"Kubernetes bearer token (not needed for in-cluster client)"`
 	CertAuthFilePath       string           `description:"Kubernetes certificate authority file path (not needed for in-cluster client)"`
 	DisablePassHostHeaders bool             `description:"Kubernetes disable PassHost Headers" export:"true"`
-	EnablePassTLSCert      bool             `description:"Kubernetes enable Pass TLS Client Certs" export:"true"`
+	EnablePassTLSCert      bool             `description:"Kubernetes enable Pass TLS Client Certs" export:"true"` // Deprecated
 	Namespaces             Namespaces       `description:"Kubernetes namespaces" export:"true"`
 	LabelSelector          string           `description:"Kubernetes Ingress label selector to use" export:"true"`
 	IngressClass           string           `description:"Value of kubernetes.io/ingress.class annotation to watch for" export:"true"`
@@ -275,22 +275,23 @@ func (p *Provider) loadIngresses(k8sClient Client) (*types.Configuration, error)
 					}
 
 					passHostHeader := getBoolValue(i.Annotations, annotationKubernetesPreserveHost, !p.DisablePassHostHeaders)
-					passTLSCert := getBoolValue(i.Annotations, annotationKubernetesPassTLSCert, p.EnablePassTLSCert)
+					passTLSCert := getBoolValue(i.Annotations, annotationKubernetesPassTLSCert, p.EnablePassTLSCert) // Deprecated
 					entryPoints := getSliceStringValue(i.Annotations, annotationKubernetesFrontendEntryPoints)
 
 					frontend = &types.Frontend{
-						Backend:        baseName,
-						PassHostHeader: passHostHeader,
-						PassTLSCert:    passTLSCert,
-						Routes:         make(map[string]types.Route),
-						Priority:       priority,
-						WhiteList:      getWhiteList(i),
-						Redirect:       getFrontendRedirect(i, baseName, pa.Path),
-						EntryPoints:    entryPoints,
-						Headers:        getHeader(i),
-						Errors:         getErrorPages(i),
-						RateLimit:      getRateLimit(i),
-						Auth:           auth,
+						Backend:           baseName,
+						PassHostHeader:    passHostHeader,
+						PassTLSCert:       passTLSCert,
+						PassTLSClientCert: getPassTLSClientCert(i),
+						Routes:            make(map[string]types.Route),
+						Priority:          priority,
+						WhiteList:         getWhiteList(i),
+						Redirect:          getFrontendRedirect(i, baseName, pa.Path),
+						EntryPoints:       entryPoints,
+						Headers:           getHeader(i),
+						Errors:            getErrorPages(i),
+						RateLimit:         getRateLimit(i),
+						Auth:              auth,
 					}
 				}
 
@@ -532,22 +533,23 @@ func (p *Provider) addGlobalBackend(cl Client, i *extensionsv1beta1.Ingress, tem
 	}
 
 	passHostHeader := getBoolValue(i.Annotations, annotationKubernetesPreserveHost, !p.DisablePassHostHeaders)
-	passTLSCert := getBoolValue(i.Annotations, annotationKubernetesPassTLSCert, p.EnablePassTLSCert)
+	passTLSCert := getBoolValue(i.Annotations, annotationKubernetesPassTLSCert, p.EnablePassTLSCert) // Deprecated
 	priority := getIntValue(i.Annotations, annotationKubernetesPriority, 0)
 	entryPoints := getSliceStringValue(i.Annotations, annotationKubernetesFrontendEntryPoints)
 
 	templateObjects.Frontends[defaultFrontendName] = &types.Frontend{
-		Backend:        defaultBackendName,
-		PassHostHeader: passHostHeader,
-		PassTLSCert:    passTLSCert,
-		Routes:         make(map[string]types.Route),
-		Priority:       priority,
-		WhiteList:      getWhiteList(i),
-		Redirect:       getFrontendRedirect(i, defaultFrontendName, "/"),
-		EntryPoints:    entryPoints,
-		Headers:        getHeader(i),
-		Errors:         getErrorPages(i),
-		RateLimit:      getRateLimit(i),
+		Backend:           defaultBackendName,
+		PassHostHeader:    passHostHeader,
+		PassTLSCert:       passTLSCert,
+		PassTLSClientCert: getPassTLSClientCert(i),
+		Routes:            make(map[string]types.Route),
+		Priority:          priority,
+		WhiteList:         getWhiteList(i),
+		Redirect:          getFrontendRedirect(i, defaultFrontendName, "/"),
+		EntryPoints:       entryPoints,
+		Headers:           getHeader(i),
+		Errors:            getErrorPages(i),
+		RateLimit:         getRateLimit(i),
 	}
 
 	templateObjects.Frontends[defaultFrontendName].Routes["/"] = types.Route{
@@ -1084,6 +1086,22 @@ func getRateLimit(i *extensionsv1beta1.Ingress) *types.RateLimit {
 	return rateLimit
 }
 
+func getPassTLSClientCert(i *extensionsv1beta1.Ingress) *types.TLSClientHeaders {
+	var passTLSClientCert *types.TLSClientHeaders
+
+	passRaw := getStringValue(i.Annotations, annotationKubernetesPassTLSClientCert, "")
+	if len(passRaw) > 0 {
+		passTLSClientCert = &types.TLSClientHeaders{}
+		err := yaml.Unmarshal([]byte(passRaw), passTLSClientCert)
+		if err != nil {
+			log.Error(err)
+			return nil
+		}
+	}
+
+	return passTLSClientCert
+}
+
 func templateSafeString(value string) error {
 	_, err := strconv.Unquote(`"` + value + `"`)
 	return err

provider/kubernetes/kubernetes_test.go

@@ -728,6 +728,7 @@ func TestGetPassHostHeader(t *testing.T) {
 	assert.Equal(t, expected, actual)
 }
 
+// Deprecated
 func TestGetPassTLSCert(t *testing.T) {
 	ingresses := []*extensionsv1beta1.Ingress{
 		buildIngress(iNamespace("awesome"),
@@ -1102,6 +1103,20 @@ func TestIngressAnnotations(t *testing.T) {
 		buildIngress(
 			iNamespace("testing"),
 			iAnnotation(annotationKubernetesPassTLSCert, "true"),
+			iAnnotation(annotationKubernetesPassTLSClientCert, `
+pem: true
+infos:
+  notafter: true
+  notbefore: true
+  sans: true
+  subject:
+    country: true
+    province: true
+    locality: true
+    organization: true
+    commonname: true
+    serialnumber: true
+`),
 			iAnnotation(annotationKubernetesIngressClass, traefikDefaultRealm),
 			iRules(
 				iRule(
@@ -1500,13 +1515,7 @@ rateset:
 			),
 			frontend("other/sslstuff",
 				passHostHeader(),
-				passTLSCert(),
-				routes(
-					route("/sslstuff", "PathPrefix:/sslstuff"),
-					route("other", "Host:other")),
-			),
-			frontend("other/sslstuff",
-				passHostHeader(),
+				passTLSClientCert(),
 				passTLSCert(),
 				routes(
 					route("/sslstuff", "PathPrefix:/sslstuff"),