Server level proxy_ssl parameters are applied again, following the co…

…mments received.
kubernetes · Oct 26, 2019 · f65cd96 · f65cd96
1 parent 37fe9c9
commit f65cd96
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 4 deletions.
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
@@ -491,6 +491,17 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in
 					server.Hostname, ingKey)
 			}
 
+			if server.ProxySSL.CAFileName == "" {
+				server.ProxySSL = anns.ProxySSL
+				if server.ProxySSL.Secret != "" && server.ProxySSL.CAFileName == "" {
+					klog.V(3).Infof("Secret %q has no 'ca.crt' key, client cert authentication disabled for Ingress %q",
+						server.ProxySSL.Secret, ingKey)
+				}
+			} else {
+				klog.V(3).Infof("Server %q is already configured for client cert authentication (Ingress %q)",
+					server.Hostname, ingKey)
+			}
+
 			if rule.HTTP == nil {
 				klog.V(3).Infof("Ingress %q does not contain any HTTP rule, using default backend", ingKey)
 				continue

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -825,8 +825,8 @@ stream {
         {{ end }}
 
         {{ if not (empty $server.ProxySSL.PemFileName) }}
-        proxy_ssl_certificate                   {{ $server.ProxySSL.CAFileName }};
-        proxy_ssl_certificate_key               {{ $server.ProxySSL.CAFileName }};
+        proxy_ssl_certificate                   {{ $server.ProxySSL.PemFileName }};
+        proxy_ssl_certificate_key               {{ $server.ProxySSL.PemFileName }};
         {{ end }}
 
         {{ if not (empty $server.SSLCiphers) }}
@@ -1299,8 +1299,8 @@ stream {
             {{ end }}
 
             {{ if not (empty $location.ProxySSL.PemFileName) }}
-            proxy_ssl_certificate                   {{ $location.ProxySSL.CAFileName }};
-            proxy_ssl_certificate_key               {{ $location.ProxySSL.CAFileName }};
+            proxy_ssl_certificate                   {{ $location.ProxySSL.PemFileName }};
+            proxy_ssl_certificate_key               {{ $location.ProxySSL.PemFileName }};
             {{ end }}
         }
         {{ end }}