Add the missing pass-client-tls annotation to the kubernetes provider

2018-10-29 16:02:06 +01:00 · 2018-10-29 16:02:06 +01:00 · 450471d30a
commit 450471d30a
parent 7eeecd23ac
7 changed files with 183 additions and 65 deletions
--- a/provider/kubernetes/kubernetes.go
+++ b/provider/kubernetes/kubernetes.go
@ -62,7 +62,7 @@ type Provider struct {
 	Token                  string           `description:"Kubernetes bearer token (not needed for in-cluster client)"`
 	CertAuthFilePath       string           `description:"Kubernetes certificate authority file path (not needed for in-cluster client)"`
 	DisablePassHostHeaders bool             `description:"Kubernetes disable PassHost Headers" export:"true"`
-	EnablePassTLSCert      bool             `description:"Kubernetes enable Pass TLS Client Certs" export:"true"`
+	EnablePassTLSCert      bool             `description:"Kubernetes enable Pass TLS Client Certs" export:"true"` // Deprecated
 	Namespaces             Namespaces       `description:"Kubernetes namespaces" export:"true"`
 	LabelSelector          string           `description:"Kubernetes Ingress label selector to use" export:"true"`
 	IngressClass           string           `description:"Value of kubernetes.io/ingress.class annotation to watch for" export:"true"`
@ -275,22 +275,23 @@ func (p *Provider) loadIngresses(k8sClient Client) (*types.Configuration, error)
 					}

 					passHostHeader := getBoolValue(i.Annotations, annotationKubernetesPreserveHost, !p.DisablePassHostHeaders)
-					passTLSCert := getBoolValue(i.Annotations, annotationKubernetesPassTLSCert, p.EnablePassTLSCert)
+					passTLSCert := getBoolValue(i.Annotations, annotationKubernetesPassTLSCert, p.EnablePassTLSCert) // Deprecated
 					entryPoints := getSliceStringValue(i.Annotations, annotationKubernetesFrontendEntryPoints)

 					frontend = &types.Frontend{
-						Backend:        baseName,
-						PassHostHeader: passHostHeader,
-						PassTLSCert:    passTLSCert,
-						Routes:         make(map[string]types.Route),
-						Priority:       priority,
-						WhiteList:      getWhiteList(i),
-						Redirect:       getFrontendRedirect(i, baseName, pa.Path),
-						EntryPoints:    entryPoints,
-						Headers:        getHeader(i),
-						Errors:         getErrorPages(i),
-						RateLimit:      getRateLimit(i),
-						Auth:           auth,
+						Backend:           baseName,
+						PassHostHeader:    passHostHeader,
+						PassTLSCert:       passTLSCert,
+						PassTLSClientCert: getPassTLSClientCert(i),
+						Routes:            make(map[string]types.Route),
+						Priority:          priority,
+						WhiteList:         getWhiteList(i),
+						Redirect:          getFrontendRedirect(i, baseName, pa.Path),
+						EntryPoints:       entryPoints,
+						Headers:           getHeader(i),
+						Errors:            getErrorPages(i),
+						RateLimit:         getRateLimit(i),
+						Auth:              auth,
 					}
 				}

@ -532,22 +533,23 @@ func (p *Provider) addGlobalBackend(cl Client, i *extensionsv1beta1.Ingress, tem
 	}

 	passHostHeader := getBoolValue(i.Annotations, annotationKubernetesPreserveHost, !p.DisablePassHostHeaders)
-	passTLSCert := getBoolValue(i.Annotations, annotationKubernetesPassTLSCert, p.EnablePassTLSCert)
+	passTLSCert := getBoolValue(i.Annotations, annotationKubernetesPassTLSCert, p.EnablePassTLSCert) // Deprecated
 	priority := getIntValue(i.Annotations, annotationKubernetesPriority, 0)
 	entryPoints := getSliceStringValue(i.Annotations, annotationKubernetesFrontendEntryPoints)

 	templateObjects.Frontends[defaultFrontendName] = &types.Frontend{
-		Backend:        defaultBackendName,
-		PassHostHeader: passHostHeader,
-		PassTLSCert:    passTLSCert,
-		Routes:         make(map[string]types.Route),
-		Priority:       priority,
-		WhiteList:      getWhiteList(i),
-		Redirect:       getFrontendRedirect(i, defaultFrontendName, "/"),
-		EntryPoints:    entryPoints,
-		Headers:        getHeader(i),
-		Errors:         getErrorPages(i),
-		RateLimit:      getRateLimit(i),
+		Backend:           defaultBackendName,
+		PassHostHeader:    passHostHeader,
+		PassTLSCert:       passTLSCert,
+		PassTLSClientCert: getPassTLSClientCert(i),
+		Routes:            make(map[string]types.Route),
+		Priority:          priority,
+		WhiteList:         getWhiteList(i),
+		Redirect:          getFrontendRedirect(i, defaultFrontendName, "/"),
+		EntryPoints:       entryPoints,
+		Headers:           getHeader(i),
+		Errors:            getErrorPages(i),
+		RateLimit:         getRateLimit(i),
 	}

 	templateObjects.Frontends[defaultFrontendName].Routes["/"] = types.Route{
@ -1084,6 +1086,22 @@ func getRateLimit(i *extensionsv1beta1.Ingress) *types.RateLimit {
 	return rateLimit
 }

+func getPassTLSClientCert(i *extensionsv1beta1.Ingress) *types.TLSClientHeaders {
+	var passTLSClientCert *types.TLSClientHeaders
+
+	passRaw := getStringValue(i.Annotations, annotationKubernetesPassTLSClientCert, "")
+	if len(passRaw) > 0 {
+		passTLSClientCert = &types.TLSClientHeaders{}
+		err := yaml.Unmarshal([]byte(passRaw), passTLSClientCert)
+		if err != nil {
+			log.Error(err)
+			return nil
+		}
+	}
+
+	return passTLSClientCert
+}
+
 func templateSafeString(value string) error {
 	_, err := strconv.Unquote(`"` + value + `"`)
 	return err