Define TLS options on the Router configuration for Kubernetes
Co-authored-by: juliens <julien@containo.us>
This commit is contained in:
parent
69cf05df9a
commit
80b35575df
48 changed files with 2374 additions and 53 deletions
|
@ -2,6 +2,7 @@ package server
|
|||
|
||||
import (
|
||||
"github.com/containous/traefik/pkg/config"
|
||||
"github.com/containous/traefik/pkg/log"
|
||||
"github.com/containous/traefik/pkg/server/internal"
|
||||
"github.com/containous/traefik/pkg/tls"
|
||||
)
|
||||
|
@ -21,6 +22,7 @@ func mergeConfiguration(configurations config.Configurations) config.Configurati
|
|||
TLSStores: make(map[string]tls.Store),
|
||||
}
|
||||
|
||||
var defaultTLSOptionProviders []string
|
||||
for provider, configuration := range configurations {
|
||||
if configuration.HTTP != nil {
|
||||
for routerName, router := range configuration.HTTP.Routers {
|
||||
|
@ -48,10 +50,25 @@ func mergeConfiguration(configurations config.Configurations) config.Configurati
|
|||
conf.TLSStores[key] = store
|
||||
}
|
||||
|
||||
for key, config := range configuration.TLSOptions {
|
||||
conf.TLSOptions[key] = config
|
||||
for tlsOptionsName, config := range configuration.TLSOptions {
|
||||
if tlsOptionsName != "default" {
|
||||
tlsOptionsName = internal.MakeQualifiedName(provider, tlsOptionsName)
|
||||
} else {
|
||||
defaultTLSOptionProviders = append(defaultTLSOptionProviders, provider)
|
||||
}
|
||||
|
||||
conf.TLSOptions[tlsOptionsName] = config
|
||||
}
|
||||
}
|
||||
|
||||
if len(defaultTLSOptionProviders) == 0 {
|
||||
conf.TLSOptions["default"] = tls.TLS{}
|
||||
} else if len(defaultTLSOptionProviders) > 1 {
|
||||
log.WithoutContext().Errorf("Default TLS Options defined multiple times in %v", defaultTLSOptionProviders)
|
||||
// We do not set an empty tls.TLS{} as above so that we actually get a "cascading failure" later on,
|
||||
// i.e. routers depending on this missing TLS option will fail to initialize as well.
|
||||
delete(conf.TLSOptions, "default")
|
||||
}
|
||||
|
||||
return conf
|
||||
}
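Review bot: The fallback `conf.TLSOptions["default"] = tls.TLS{}` silently installs a zero-value TLS policy whenever no provider defines `default`, and nothing in this hunk says what that zero value resolves to (minimum version, cipher suites) — presumably the TLS manager decides that elsewhere, so every HTTPS entry point and every router without explicit options inherits an unstated posture. A comment and a log line would make it visible: `// No provider defines "default": fall back to the zero-value tls.TLS, whose effective min version/cipher suites are whatever the TLS manager applies as library defaults.` followed by `log.WithoutContext().Debug("No default TLS options defined, using the zero-value tls.TLS")`. Separately, the loop variable in `for tlsOptionsName, config := range configuration.TLSOptions` shadows the `config` package imported at the top of this file; renaming it to `tlsOption` removes the trap for anyone who later needs `config.` inside the body. The provider list in the Errorf message is collected in map-iteration order, so the logged order varies between runs; `sort.Strings(defaultTLSOptionProviders)` before logging would make the error reproducible.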
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"testing"
|
||||
|
||||
"github.com/containous/traefik/pkg/config"
|
||||
"github.com/containous/traefik/pkg/tls"
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
|
@ -108,3 +109,170 @@ func TestAggregator(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestAggregator_tlsoptions(t *testing.T) {
|
||||
testCases := []struct {
|
||||
desc string
|
||||
given config.Configurations
|
||||
expected map[string]tls.TLS
|
||||
}{
|
||||
{
|
||||
desc: "Nil returns an empty configuration",
|
||||
given: nil,
|
||||
expected: map[string]tls.TLS{
|
||||
"default": {},
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "Returns fully qualified elements from a mono-provider configuration map",
|
||||
given: config.Configurations{
|
||||
"provider-1": &config.Configuration{
|
||||
TLSOptions: map[string]tls.TLS{
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: map[string]tls.TLS{
|
||||
"default": {},
|
||||
"foo@provider-1": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "Returns fully qualified elements from a multi-provider configuration map",
|
||||
given: config.Configurations{
|
||||
"provider-1": &config.Configuration{
|
||||
TLSOptions: map[string]tls.TLS{
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS13",
|
||||
},
|
||||
},
|
||||
},
|
||||
"provider-2": &config.Configuration{
|
||||
TLSOptions: map[string]tls.TLS{
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: map[string]tls.TLS{
|
||||
"default": {},
|
||||
"foo@provider-1": {
|
||||
MinVersion: "VersionTLS13",
|
||||
},
|
||||
"foo@provider-2": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "Create a valid default tls option when appears only in one provider",
|
||||
given: config.Configurations{
|
||||
"provider-1": &config.Configuration{
|
||||
TLSOptions: map[string]tls.TLS{
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS13",
|
||||
},
|
||||
"default": {
|
||||
MinVersion: "VersionTLS11",
|
||||
},
|
||||
},
|
||||
},
|
||||
"provider-2": &config.Configuration{
|
||||
TLSOptions: map[string]tls.TLS{
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: map[string]tls.TLS{
|
||||
"default": {
|
||||
MinVersion: "VersionTLS11",
|
||||
},
|
||||
"foo@provider-1": {
|
||||
MinVersion: "VersionTLS13",
|
||||
},
|
||||
"foo@provider-2": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "No default tls option if it is defined in multiple providers",
|
||||
given: config.Configurations{
|
||||
"provider-1": &config.Configuration{
|
||||
TLSOptions: map[string]tls.TLS{
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
"default": {
|
||||
MinVersion: "VersionTLS11",
|
||||
},
|
||||
},
|
||||
},
|
||||
"provider-2": &config.Configuration{
|
||||
TLSOptions: map[string]tls.TLS{
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS13",
|
||||
},
|
||||
"default": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: map[string]tls.TLS{
|
||||
"foo@provider-1": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
"foo@provider-2": {
|
||||
MinVersion: "VersionTLS13",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "Create a default TLS Options configuration if none was provided",
|
||||
given: config.Configurations{
|
||||
"provider-1": &config.Configuration{
|
||||
TLSOptions: map[string]tls.TLS{
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
},
|
||||
},
|
||||
"provider-2": &config.Configuration{
|
||||
TLSOptions: map[string]tls.TLS{
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS13",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: map[string]tls.TLS{
|
||||
"default": {},
|
||||
"foo@provider-1": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
"foo@provider-2": {
|
||||
MinVersion: "VersionTLS13",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range testCases {
|
||||
test := test
|
||||
|
||||
t.Run(test.desc, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
actual := mergeConfiguration(test.given)
|
||||
assert.Equal(t, test.expected, actual.TLSOptions)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
@ -81,8 +81,9 @@ func (m *Manager) BuildHandlers(rootCtx context.Context, entryPoints []string) m
|
|||
func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string]*config.TCPRouterInfo, configsHTTP map[string]*config.RouterInfo, handlerHTTP http.Handler, handlerHTTPS http.Handler) (*tcp.Router, error) {
|
||||
router := &tcp.Router{}
|
||||
router.HTTPHandler(handlerHTTP)
|
||||
const defaultTLSConfigName = "default"
|
||||
|
||||
defaultTLSConf, err := m.tlsManager.Get("default", "default")
|
||||
defaultTLSConf, err := m.tlsManager.Get("default", defaultTLSConfigName)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -90,7 +91,7 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
|
|||
router.HTTPSHandler(handlerHTTPS, defaultTLSConf)
|
||||
|
||||
for routerHTTPName, routerHTTPConfig := range configsHTTP {
|
||||
if len(routerHTTPConfig.TLS.Options) == 0 || routerHTTPConfig.TLS.Options == "default" {
|
||||
if len(routerHTTPConfig.TLS.Options) == 0 || routerHTTPConfig.TLS.Options == defaultTLSConfigName {
|
||||
continue
|
||||
}
|
||||
|
||||
|
@ -111,7 +112,12 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
|
|||
|
||||
for _, domain := range domains {
|
||||
if routerHTTPConfig.TLS != nil {
|
||||
tlsConf, err := m.tlsManager.Get("default", routerHTTPConfig.TLS.Options)
|
||||
tlsOptionsName := routerHTTPConfig.TLS.Options
|
||||
if tlsOptionsName != defaultTLSConfigName {
|
||||
tlsOptionsName = internal.GetQualifiedName(ctxRouter, routerHTTPConfig.TLS.Options)
|
||||
}
|
||||
|
||||
tlsConf, err := m.tlsManager.Get("default", tlsOptionsName)
|
||||
if err != nil {
|
||||
routerHTTPConfig.Err = err.Error()
|
||||
logger.Debug(err)
|
||||
|
@ -149,12 +155,17 @@ func (m *Manager) buildEntryPointHandler(ctx context.Context, configs map[string
|
|||
if routerConfig.TLS.Passthrough {
|
||||
router.AddRoute(domain, handler)
|
||||
} else {
|
||||
configName := "default"
|
||||
if len(routerConfig.TLS.Options) > 0 {
|
||||
configName = routerConfig.TLS.Options
|
||||
tlsOptionsName := routerConfig.TLS.Options
|
||||
|
||||
if len(tlsOptionsName) == 0 {
|
||||
tlsOptionsName = defaultTLSConfigName
|
||||
}
|
||||
|
||||
tlsConf, err := m.tlsManager.Get("default", configName)
|
||||
if tlsOptionsName != defaultTLSConfigName {
|
||||
tlsOptionsName = internal.GetQualifiedName(ctxRouter, tlsOptionsName)
|
||||
}
|
||||
|
||||
tlsConf, err := m.tlsManager.Get("default", tlsOptionsName)
|
||||
if err != nil {
|
||||
routerConfig.Err = err.Error()
|
||||
logger.Debug(err)
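Review bot: `routerHTTPConfig.TLS.Options` is dereferenced unconditionally in the `continue` guard at the top of the `configsHTTP` loop, yet the same iteration later tests `if routerHTTPConfig.TLS != nil` before calling `m.tlsManager.Get`, so one of the two is wrong. If `configsHTTP` can hold a router with no TLS section, the guard panics on a nil pointer before the later check is ever reached; if it cannot (the caller, outside this section, may already filter), the later check is dead and suggests non-TLS routers are handled here when they are not. I would fold the nil test into the guard, `if routerHTTPConfig.TLS == nil || len(routerHTTPConfig.TLS.Options) == 0 || routerHTTPConfig.TLS.Options == defaultTLSConfigName {`, and drop the inner `!= nil` branch — or else state the invariant on the loop with `// every entry in configsHTTP has TLS set (filtered by the caller)`. The TCP loop below also dereferences `routerConfig.TLS` with no nil check visible in this section, so whichever invariant holds should be documented for both. buildEntryPointHandler begins before this section's first hunk and its body continues past the last one.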
|
||||
|
|
|
@ -204,6 +204,9 @@ func TestRuntimeConfiguration(t *testing.T) {
|
|||
tlsManager.UpdateConfigs(
|
||||
map[string]tls.Store{},
|
||||
map[string]tls.TLS{
|
||||
"default": {
|
||||
MinVersion: "VersionTLS10",
|
||||
},
|
||||
"foo": {
|
||||
MinVersion: "VersionTLS12",
|
||||
},
|
||||
|
|