Make the TLS certificates management dynamic.

2017-11-09 12:16:03 +01:00 · 2017-11-09 12:16:03 +01:00 · c469e669fd
commit c469e669fd
parent f6aa147c78
36 changed files with 1257 additions and 513 deletions
--- a/provider/docker/docker.go
+++ b/provider/docker/docker.go
@ -523,6 +523,11 @@ func (p *Provider) getMaxConnExtractorFunc(container dockerData) string {
 }

 func (p *Provider) containerFilter(container dockerData) bool {
+	if !isContainerEnabled(container, p.ExposedByDefault) {
+		log.Debugf("Filtering disabled container %s", container.Name)
+		return false
+	}
+
 	var err error
 	portLabel := "traefik.port label"
 	if p.hasServices(container) {
@ -536,11 +541,6 @@ func (p *Provider) containerFilter(container dockerData) bool {
 		return false
 	}

-	if !isContainerEnabled(container, p.ExposedByDefault) {
-		log.Debugf("Filtering disabled container %s", container.Name)
-		return false
-	}
-
 	constraintTags := strings.Split(container.Labels[types.LabelTags], ",")
 	if ok, failingConstraint := p.MatchConstraints(constraintTags); !ok {
 		if failingConstraint != nil {
--- a/provider/file/file.go
+++ b/provider/file/file.go
@ -3,13 +3,16 @@ package file
 import (
 	"fmt"
 	"io/ioutil"
+	"os"
 	"path"
+	"path/filepath"
 	"strings"

 	"github.com/BurntSushi/toml"
 	"github.com/containous/traefik/log"
 	"github.com/containous/traefik/provider"
 	"github.com/containous/traefik/safe"
+	"github.com/containous/traefik/tls"
 	"github.com/containous/traefik/types"
 	"gopkg.in/fsnotify.v1"
 )
@ -37,7 +40,7 @@ func (p *Provider) Provide(configurationChan chan<- types.ConfigMessage, pool *s
 		if p.Directory != "" {
 			watchItem = p.Directory
 		} else {
-			watchItem = p.Filename
+			watchItem = filepath.Dir(p.Filename)
 		}

 		if err := p.addWatcher(pool, watchItem, configurationChan, p.watcherCallback); err != nil {
@ -63,7 +66,15 @@ func (p *Provider) addWatcher(pool *safe.Pool, directory string, configurationCh
 			case <-stop:
 				return
 			case evt := <-watcher.Events:
-				callback(configurationChan, evt)
+				if p.Directory == "" {
+					_, evtFileName := filepath.Split(evt.Name)
+					_, confFileName := filepath.Split(p.Filename)
+					if evtFileName == confFileName {
+						callback(configurationChan, evt)
+					}
+				} else {
+					callback(configurationChan, evt)
+				}
 			case err := <-watcher.Errors:
 				log.Errorf("Watcher event error: %s", err)
 			}
@ -92,28 +103,39 @@ func loadFileConfig(filename string) (*types.Configuration, error) {
 	return configuration, nil
 }

-func loadFileConfigFromDirectory(directory string) (*types.Configuration, error) {
+func loadFileConfigFromDirectory(directory string, configuration *types.Configuration) (*types.Configuration, error) {
 	fileList, err := ioutil.ReadDir(directory)

 	if err != nil {
-		return nil, fmt.Errorf("unable to read directory %s: %v", directory, err)
+		return configuration, fmt.Errorf("unable to read directory %s: %v", directory, err)
 	}

-	configuration := &types.Configuration{
-		Frontends: make(map[string]*types.Frontend),
-		Backends:  make(map[string]*types.Backend),
+	if configuration == nil {
+		configuration = &types.Configuration{
+			Frontends:        make(map[string]*types.Frontend),
+			Backends:         make(map[string]*types.Backend),
+			TLSConfiguration: make([]*tls.Configuration, 0),
+		}
 	}

-	for _, file := range fileList {
-		if !strings.HasSuffix(file.Name(), ".toml") {
+	configTLSMaps := make(map[*tls.Configuration]struct{})
+	for _, item := range fileList {
+
+		if item.IsDir() {
+			configuration, err = loadFileConfigFromDirectory(filepath.Join(directory, item.Name()), configuration)
+			if err != nil {
+				return configuration, fmt.Errorf("unable to load content configuration from subdirectory %s: %v", item, err)
+			}
+			continue
+		} else if !strings.HasSuffix(item.Name(), ".toml") {
 			continue
 		}

 		var c *types.Configuration
-		c, err = loadFileConfig(path.Join(directory, file.Name()))
+		c, err = loadFileConfig(path.Join(directory, item.Name()))

 		if err != nil {
-			return nil, err
+			return configuration, err
 		}

 		for backendName, backend := range c.Backends {
@ -131,12 +153,33 @@ func loadFileConfigFromDirectory(directory string) (*types.Configuration, error)
 				configuration.Frontends[frontendName] = frontend
 			}
 		}
-	}

+		for _, conf := range c.TLSConfiguration {
+			if _, exists := configTLSMaps[conf]; exists {
+				log.Warnf("TLS Configuration %v already configured, skipping", conf)
+			} else {
+				configTLSMaps[conf] = struct{}{}
+			}
+		}
+
+	}
+	for conf := range configTLSMaps {
+		configuration.TLSConfiguration = append(configuration.TLSConfiguration, conf)
+	}
 	return configuration, nil
 }

 func (p *Provider) watcherCallback(configurationChan chan<- types.ConfigMessage, event fsnotify.Event) {
+	watchItem := p.Filename
+	if p.Directory != "" {
+		watchItem = p.Directory
+	}
+
+	if _, err := os.Stat(watchItem); err != nil {
+		log.Debugf("Unable to watch %s : %v", watchItem, err)
+		return
+	}
+
 	configuration, err := p.loadConfig()

 	if err != nil {
@ -149,7 +192,7 @@ func (p *Provider) watcherCallback(configurationChan chan<- types.ConfigMessage,

 func (p *Provider) loadConfig() (*types.Configuration, error) {
 	if p.Directory != "" {
-		return loadFileConfigFromDirectory(p.Directory)
+		return loadFileConfigFromDirectory(p.Directory, nil)
 	}

 	return loadFileConfig(p.Filename)
--- a/provider/file/file_test.go
+++ b/provider/file/file_test.go
@ -20,13 +20,15 @@ func TestProvideSingleFileAndWatch(t *testing.T) {

 	expectedNumFrontends := 2
 	expectedNumBackends := 2
+	expectedNumTLSConf := 2

 	tempFile := createFile(t,
 		tempDir, "simple.toml",
 		createFrontendConfiguration(expectedNumFrontends),
-		createBackendConfiguration(expectedNumBackends))
+		createBackendConfiguration(expectedNumBackends),
+		createTLSConfiguration(expectedNumTLSConf))

-	configurationChan, signal := createConfigurationRoutine(t, &expectedNumFrontends, &expectedNumBackends)
+	configurationChan, signal := createConfigurationRoutine(t, &expectedNumFrontends, &expectedNumBackends, &expectedNumTLSConf)

 	provide(configurationChan, watch, withFile(tempFile))

@ -37,14 +39,15 @@ func TestProvideSingleFileAndWatch(t *testing.T) {
 	// Now test again with single frontend and backend
 	expectedNumFrontends = 1
 	expectedNumBackends = 1
+	expectedNumTLSConf = 1

 	createFile(t,
 		tempDir, "simple.toml",
 		createFrontendConfiguration(expectedNumFrontends),
-		createBackendConfiguration(expectedNumBackends))
+		createBackendConfiguration(expectedNumBackends),
+		createTLSConfiguration(expectedNumTLSConf))

-	// Must fail because we don't watch the change
-	err = waitForSignal(signal, 2*time.Second, "single frontend and backend")
+	err = waitForSignal(signal, 2*time.Second, "single frontend, backend, TLS configuration")
 	assert.NoError(t, err)
 }

@ -54,13 +57,15 @@ func TestProvideSingleFileAndNotWatch(t *testing.T) {

 	expectedNumFrontends := 2
 	expectedNumBackends := 2
+	expectedNumTLSConf := 2

 	tempFile := createFile(t,
 		tempDir, "simple.toml",
 		createFrontendConfiguration(expectedNumFrontends),
-		createBackendConfiguration(expectedNumBackends))
+		createBackendConfiguration(expectedNumBackends),
+		createTLSConfiguration(expectedNumTLSConf))

-	configurationChan, signal := createConfigurationRoutine(t, &expectedNumFrontends, &expectedNumBackends)
+	configurationChan, signal := createConfigurationRoutine(t, &expectedNumFrontends, &expectedNumBackends, &expectedNumTLSConf)

 	provide(configurationChan, withFile(tempFile))

@ -71,14 +76,16 @@ func TestProvideSingleFileAndNotWatch(t *testing.T) {
 	// Now test again with single frontend and backend
 	expectedNumFrontends = 1
 	expectedNumBackends = 1
+	expectedNumTLSConf = 1

 	createFile(t,
 		tempDir, "simple.toml",
 		createFrontendConfiguration(expectedNumFrontends),
-		createBackendConfiguration(expectedNumBackends))
+		createBackendConfiguration(expectedNumBackends),
+		createTLSConfiguration(expectedNumTLSConf))

 	// Must fail because we don't watch the changes
-	err = waitForSignal(signal, 2*time.Second, "single frontend and backend")
+	err = waitForSignal(signal, 2*time.Second, "single frontend, backend and TLS configuration")
 	assert.Error(t, err)
 }

@ -88,11 +95,13 @@ func TestProvideDirectoryAndWatch(t *testing.T) {

 	expectedNumFrontends := 2
 	expectedNumBackends := 2
+	expectedNumTLSConf := 2

 	tempFile1 := createRandomFile(t, tempDir, createFrontendConfiguration(expectedNumFrontends))
 	tempFile2 := createRandomFile(t, tempDir, createBackendConfiguration(expectedNumBackends))
+	tempFile3 := createRandomFile(t, tempDir, createTLSConfiguration(expectedNumTLSConf))

-	configurationChan, signal := createConfigurationRoutine(t, &expectedNumFrontends, &expectedNumBackends)
+	configurationChan, signal := createConfigurationRoutine(t, &expectedNumFrontends, &expectedNumBackends, &expectedNumTLSConf)

 	provide(configurationChan, watch, withDirectory(tempDir))

@ -103,6 +112,7 @@ func TestProvideDirectoryAndWatch(t *testing.T) {
 	// Now remove the backends file
 	expectedNumFrontends = 2
 	expectedNumBackends = 0
+	expectedNumTLSConf = 2
 	os.Remove(tempFile2.Name())
 	err = waitForSignal(signal, 2*time.Second, "remove the backends file")
 	assert.NoError(t, err)
@ -110,22 +120,34 @@ func TestProvideDirectoryAndWatch(t *testing.T) {
 	// Now remove the frontends file
 	expectedNumFrontends = 0
 	expectedNumBackends = 0
+	expectedNumTLSConf = 2
 	os.Remove(tempFile1.Name())
 	err = waitForSignal(signal, 2*time.Second, "remove the frontends file")
 	assert.NoError(t, err)
+
+	// Now remove the TLS configuration file
+	expectedNumFrontends = 0
+	expectedNumBackends = 0
+	expectedNumTLSConf = 0
+	os.Remove(tempFile3.Name())
+	err = waitForSignal(signal, 2*time.Second, "remove the TLS configuration file")
+	assert.NoError(t, err)
 }

 func TestProvideDirectoryAndNotWatch(t *testing.T) {
 	tempDir := createTempDir(t, "testdir")
+	tempTLSDir := createSubDir(t, tempDir, "tls")
 	defer os.RemoveAll(tempDir)

 	expectedNumFrontends := 2
 	expectedNumBackends := 2
+	expectedNumTLSConf := 2

 	createRandomFile(t, tempDir, createFrontendConfiguration(expectedNumFrontends))
 	tempFile2 := createRandomFile(t, tempDir, createBackendConfiguration(expectedNumBackends))
+	createRandomFile(t, tempTLSDir, createTLSConfiguration(expectedNumTLSConf))

-	configurationChan, signal := createConfigurationRoutine(t, &expectedNumFrontends, &expectedNumBackends)
+	configurationChan, signal := createConfigurationRoutine(t, &expectedNumFrontends, &expectedNumBackends, &expectedNumTLSConf)

 	provide(configurationChan, withDirectory(tempDir))

@ -136,6 +158,7 @@ func TestProvideDirectoryAndNotWatch(t *testing.T) {
 	// Now remove the backends file
 	expectedNumFrontends = 2
 	expectedNumBackends = 0
+	expectedNumTLSConf = 2
 	os.Remove(tempFile2.Name())

 	// Must fail because we don't watch the changes
@ -144,7 +167,7 @@ func TestProvideDirectoryAndNotWatch(t *testing.T) {

 }

-func createConfigurationRoutine(t *testing.T, expectedNumFrontends *int, expectedNumBackends *int) (chan types.ConfigMessage, chan interface{}) {
+func createConfigurationRoutine(t *testing.T, expectedNumFrontends *int, expectedNumBackends *int, expectedNumTLSConfigurations *int) (chan types.ConfigMessage, chan interface{}) {
 	configurationChan := make(chan types.ConfigMessage)
 	signal := make(chan interface{})

@ -154,6 +177,7 @@ func createConfigurationRoutine(t *testing.T, expectedNumFrontends *int, expecte
 			assert.Equal(t, "file", data.ProviderName)
 			assert.Len(t, data.Configuration.Frontends, *expectedNumFrontends)
 			assert.Len(t, data.Configuration.Backends, *expectedNumBackends)
+			assert.Len(t, data.Configuration.TLSConfiguration, *expectedNumTLSConfigurations)
 			signal <- nil
 		}
 	})
@ -207,6 +231,7 @@ func createRandomFile(t *testing.T, tempDir string, contents ...string) *os.File

 // createFile Helper
 func createFile(t *testing.T, tempDir string, name string, contents ...string) *os.File {
+	t.Helper()
 	fileName := path.Join(tempDir, name)

 	tempFile, err := os.Create(fileName)
@ -231,6 +256,7 @@ func createFile(t *testing.T, tempDir string, name string, contents ...string) *

 // createTempDir Helper
 func createTempDir(t *testing.T, dir string) string {
+	t.Helper()
 	d, err := ioutil.TempDir("", dir)
 	if err != nil {
 		t.Fatal(err)
@ -238,6 +264,16 @@ func createTempDir(t *testing.T, dir string) string {
 	return d
 }

+// createDir Helper
+func createSubDir(t *testing.T, rootDir, dir string) string {
+	t.Helper()
+	err := os.Mkdir(rootDir+"/"+dir, 0775)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return rootDir + "/" + dir
+}
+
 // createFrontendConfiguration Helper
 func createFrontendConfiguration(n int) string {
 	conf := "[frontends]\n"
@ -260,3 +296,17 @@ func createBackendConfiguration(n int) string {
 	}
 	return conf
 }
+
+// createTLSConfiguration Helper
+func createTLSConfiguration(n int) string {
+	var conf string
+	for i := 1; i <= n; i++ {
+		conf += fmt.Sprintf(`[[TLSConfiguration]]
+	EntryPoints = ["https"]
+	[TLSConfiguration.Certificate]
+	CertFile = "integration/fixtures/https/snitest%[1]d.com.cert"
+	KeyFile = "integration/fixtures/https/snitest%[1]d.com.key"
+`, i)
+	}
+	return conf
+}