diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md
index f7bcdccbc6..e5beaa9a08 100644
--- a/docs/kubectl-plugin.md
+++ b/docs/kubectl-plugin.md
@@ -121,11 +121,6 @@ $ kubectl ingress-nginx backends -n ingress-nginx
 }
 },
 "port": 0,
- "secureCACert": {
- "secret": "",
- "caFilename": "",
- "caSha": ""
- },
 "sslPassthrough": false,
 "endpoints": [
 {
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
index 0c0aa0c777..8d0c4c7524 100755
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@@ -78,7 +78,6 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/enable-rewrite-log](#enable-rewrite-log)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/rewrite-target](#rewrite)|URI|
 |[nginx.ingress.kubernetes.io/satisfy](#satisfy)|string|
-|[nginx.ingress.kubernetes.io/secure-verify-ca-secret](#secure-backends)|string|
 |[nginx.ingress.kubernetes.io/server-alias](#server-alias)|string|
 |[nginx.ingress.kubernetes.io/server-snippet](#server-snippet)|string|
 |[nginx.ingress.kubernetes.io/service-upstream](#service-upstream)|"true" or "false"|
diff --git a/internal/ingress/annotations/annotations_test.go b/internal/ingress/annotations/annotations_test.go
index a496cd9ba2..0c9bcc9b2e 100644
--- a/internal/ingress/annotations/annotations_test.go
+++ b/internal/ingress/annotations/annotations_test.go
@@ -110,41 +110,6 @@ func buildIngress() *networking.Ingress {
 }
 }
 
-func TestSecureVerifyCACert(t *testing.T) {
- ec := NewAnnotationExtractor(mockCfg{
- MockSecrets: map[string]*apiv1.Secret{
- "default/secure-verify-ca": {
- ObjectMeta: metav1.ObjectMeta{
- Name: "secure-verify-ca",
- },
- },
- },
- })
-
- anns := []struct {
- it int
- annotations map[string]string
- exists bool
- }{
- {1, map[string]string{backendProtocol: "HTTPS", annotationSecureVerifyCACert: "not"}, false},
- {2, map[string]string{backendProtocol: "HTTP", annotationSecureVerifyCACert: "secure-verify-ca"}, false},
- {3, map[string]string{backendProtocol: "HTTPS", annotationSecureVerifyCACert: "secure-verify-ca"}, true},
- {4, map[string]string{backendProtocol: "HTTPS", annotationSecureVerifyCACert + "_not": "secure-verify-ca"}, false},
- {5, map[string]string{backendProtocol: "HTTPS"}, false},
- {6, map[string]string{}, false},
- {7, nil, false},
- }
-
- for _, ann := range anns {
- ing := buildIngress()
- ing.SetAnnotations(ann.annotations)
- su := ec.Extract(ing).SecureUpstream
- if (su.CACert.CAFileName != "") != ann.exists {
- t.Errorf("Expected exists was %v on iteration %v", ann.exists, ann.it)
- }
- }
-}
-
 func TestSSLPassthrough(t *testing.T) {
 ec := NewAnnotationExtractor(mockCfg{})
 ing := buildIngress()
diff --git a/internal/ingress/annotations/secureupstream/main.go b/internal/ingress/annotations/secureupstream/main.go
index 7efb0b9a14..6f02047520 100644
--- a/internal/ingress/annotations/secureupstream/main.go
+++ b/internal/ingress/annotations/secureupstream/main.go
@@ -17,10 +17,8 @@ limitations under the License.
 package secureupstream
 
 import (
- "fmt"
-
- "github.com/pkg/errors"
 networking "k8s.io/api/networking/v1beta1"
+ "k8s.io/klog"
 
 "k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 "k8s.io/ingress-nginx/internal/ingress/resolver"
@@ -42,28 +40,9 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation {
 
 // Parse parses the annotations contained in the ingress
 // rule used to indicate if the upstream servers should use SSL
-func (a su) Parse(ing *networking.Ingress) (interface{}, error) {
- bp, _ := parser.GetStringAnnotation("backend-protocol", ing)
- ca, _ := parser.GetStringAnnotation("secure-verify-ca-secret", ing)
- secure := &Config{
- CACert: resolver.AuthSSLCert{},
- }
-
- if (bp != "HTTPS" && bp != "GRPCS") && ca != "" {
- return secure,
- errors.Errorf("trying to use CA from secret %v/%v on a non secure backend", ing.Namespace, ca)
- }
- if ca == "" {
- return secure, nil
- }
- caCert, err := a.r.GetAuthCertificate(fmt.Sprintf("%v/%v", ing.Namespace, ca))
- if err != nil {
- return secure, errors.Wrap(err, "error obtaining certificate")
- }
- if caCert == nil {
- return secure, nil
+func (a su) Parse(ing *networking.Ingress) (secure interface{}, err error) {
+ if ca, _ := parser.GetStringAnnotation("secure-verify-ca-secret", ing); ca != "" {
+ klog.Errorf("NOTE! secure-verify-ca-secret is not suppored anymore. Please use proxy-ssl-secret instead")
 }
- return &Config{
- CACert: *caCert,
- }, nil
+ return
 }
diff --git a/internal/ingress/annotations/secureupstream/main_test.go b/internal/ingress/annotations/secureupstream/main_test.go
index a2028acbb5..508d54a84d 100644
--- a/internal/ingress/annotations/secureupstream/main_test.go
+++ b/internal/ingress/annotations/secureupstream/main_test.go
@@ -116,7 +116,7 @@ func TestSecretNotFound(t *testing.T) {
 data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca"
 ing.SetAnnotations(data)
 _, err := NewParser(mockCfg{}).Parse(ing)
- if err == nil {
+ if err != nil {
 t.Error("Expected secret not found error on ingress")
 }
 }
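Review bot: An Ingress carrying `secure-verify-ca-secret` is now accepted with a nil Config and a nil error, so the backend CA verification it asked for is dropped silently unless `proxy-ssl-secret` is also configured; a klog.Errorf in the controller log is unlikely to reach the Ingress owner and will presumably repeat on every sync of that Ingress. If rejecting such an Ingress is not wanted (TestUnsupportedAnnotation pins the nil error), the message should at least identify the object and be spelled correctly ("suppored"): `klog.Errorf("secure-verify-ca-secret on ingress %v/%v is not supported anymore, use proxy-ssl-secret instead", ing.Namespace, ing.Name)`. The unchanged doc comment above Parse still says it indicates whether upstreams should use SSL; it should now read `// Parse only logs a use of the deprecated secure-verify-ca-secret annotation; the annotation is no longer honoured and a nil Config is returned.` The named result `secure` is never assigned, so callers that previously received a *Config now get a nil interface — confirm the annotation extractor tolerates that.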
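Review bot: TestSecretNotFound now treats `err != nil` as the failure while keeping its name and the message "Expected secret not found error on ingress", so a failing run reports the opposite of what the test checks; the same inversion is left in TestSecretOnNonSecure in the @@ -132 hunk below. Rename both to what they now verify and fix the messages, e.g. `t.Errorf("unexpected error for unknown secret: %v", err)` here and `t.Errorf("unexpected error for CA secret on non secure backend: %v", err)` there. Both functions start outside their hunks.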
@@ -132,7 +132,24 @@ func TestSecretOnNonSecure(t *testing.T) {
 "default/secure-verify-ca": {},
 },
 }).Parse(ing)
- if err == nil {
+ if err != nil {
 t.Error("Expected CA secret on non secure backend error on ingress")
 }
 }
+
+func TestUnsupportedAnnotation(t *testing.T) {
+ ing := buildIngress()
+ data := map[string]string{}
+ data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS"
+ data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca"
+ ing.SetAnnotations(data)
+
+ _, err := NewParser(mockCfg{
+ certs: map[string]resolver.AuthSSLCert{
+ "default/secure-verify-ca": {},
+ },
+ }).Parse(ing)
+ if err != nil {
+ t.Errorf("Unexpected error on ingress: %v", err)
+ }
+}
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index e84e85f790..aa5382002e 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -706,8 +706,6 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 klog.V(3).Infof("Creating upstream %q", defBackend)
 upstreams[defBackend] = newUpstream(defBackend)
- upstreams[defBackend].SecureCACert = anns.SecureUpstream.CACert
-
 upstreams[defBackend].UpstreamHashBy.UpstreamHashBy = anns.UpstreamHashBy.UpstreamHashBy
 upstreams[defBackend].UpstreamHashBy.UpstreamHashBySubset = anns.UpstreamHashBy.UpstreamHashBySubset
 upstreams[defBackend].UpstreamHashBy.UpstreamHashBySubsetSize = anns.UpstreamHashBy.UpstreamHashBySubsetSize
 
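Review bot: TestUnsupportedAnnotation only checks that Parse returns no error, so it would still pass if the annotation were honoured again and a populated Config came back; the behaviour this commit introduces — the CA secret is ignored — is never asserted. Capture the first result and pin it: `cfg, err := NewParser(mockCfg{...}).Parse(ing)` followed by `if cfg != nil { t.Errorf("expected no config for an ignored annotation, got %v", cfg) }`. The certs fixture keyed `default/secure-verify-ca` is also dead weight now, since the new Parse never resolves the secret; dropping it makes the test's intent clearer.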
@@ -771,8 +769,6 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B
 upstreams[name] = newUpstream(name)
 upstreams[name].Port = path.Backend.ServicePort
- upstreams[name].SecureCACert = anns.SecureUpstream.CACert
-
 upstreams[name].UpstreamHashBy.UpstreamHashBy = anns.UpstreamHashBy.UpstreamHashBy
 upstreams[name].UpstreamHashBy.UpstreamHashBySubset = anns.UpstreamHashBy.UpstreamHashBySubset
 upstreams[name].UpstreamHashBy.UpstreamHashBySubsetSize = anns.UpstreamHashBy.UpstreamHashBySubsetSize
 
diff --git a/internal/ingress/types.go b/internal/ingress/types.go
index 9dd58a4f7d..263c137f48 100644
--- a/internal/ingress/types.go
+++ b/internal/ingress/types.go
@@ -39,7 +39,6 @@ import (
 "k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit"
 "k8s.io/ingress-nginx/internal/ingress/annotations/redirect"
 "k8s.io/ingress-nginx/internal/ingress/annotations/rewrite"
- "k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
 var (
@@ -86,9 +85,6 @@ type Backend struct {
 Name string `json:"name"`
 Service *apiv1.Service `json:"service,omitempty"`
 Port intstr.IntOrString `json:"port"`
- // SecureCACert has the filename and SHA1 of the certificate authorities used to validate
- // a secured connection to the backend
- SecureCACert resolver.AuthSSLCert `json:"secureCACert"`
 // SSLPassthrough indicates that Ingress controller will delegate TLS termination to the endpoints.
 SSLPassthrough bool `json:"sslPassthrough"`
 // Endpoints contains the list of endpoints currently running
diff --git a/internal/ingress/types_equals.go b/internal/ingress/types_equals.go
index 88815c1a4b..8108ed95ab 100644
--- a/internal/ingress/types_equals.go
+++ b/internal/ingress/types_equals.go
@@ -113,9 +113,6 @@ func (b1 *Backend) Equal(b2 *Backend) bool {
 if b1.Port != b2.Port {
 return false
 }
- if !(&b1.SecureCACert).Equal(&b2.SecureCACert) {
- return false
- }
 if b1.SSLPassthrough != b2.SSLPassthrough {
 return false
 }
diff --git a/internal/ingress/zz_generated.deepcopy.go b/internal/ingress/zz_generated.deepcopy.go
index c6f95123cb..f34574cba8 100644
--- a/internal/ingress/zz_generated.deepcopy.go
+++ b/internal/ingress/zz_generated.deepcopy.go
@@ -33,7 +33,6 @@ func (in *Backend) DeepCopyInto(out *Backend) { (*in).DeepCopyInto(*out) } out.Port = in.Port - out.SecureCACert = in.SecureCACert if in.Endpoints != nil { in, out := &in.Endpoints, &out.Endpoints *out = make([]Endpoint, len(*in))
diff --git a/rootfs/etc/nginx/lua/test/balancer_test.lua b/rootfs/etc/nginx/lua/test/balancer_test.lua
index a3a0048967..a45aeb2cc7 100644
--- a/rootfs/etc/nginx/lua/test/balancer_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer_test.lua
@@ -33,7 +33,6 @@ local function reset_backends()
 backends = {
 {
 name = "access-router-production-web-80", port = "80", secure = false,
- secureCACert = { secret = "", caFilename = "", caSha = "" },
 sslPassthrough = false,
 endpoints = {
 { address = "10.184.7.40", port = "8080", maxFails = 0, failTimeout = 0 },