Add SSL services annotation

Julian Strobl · Julian Strobl · commit 8354d4e6e262 · 2016-11-03T08:24:11.000+01:00
If an application in a container requires HTTPS, one needs to set the 'proxy_path https://...' instead of 'proxy_pass http://...'. With this patch one can use the annotation: 'nginx.org/ssl-services: "service1[,service2,...]"' to specify, which services require HTTPS. Fixes #61
diff --git a/examples/ssl-services/README.md b/examples/ssl-services/README.md
@@ -0,0 +1,34 @@
+# SSL Services Support
+
+To load balance an application that requires HTTPS with NGINX Ingress controllers, you need to add the **nginx.org/ssl-services** annotation to your Ingress resource definition. The annotation specifies which services are SSL services. The annotation syntax is as follows:
+```
+nginx.org/ssl-services: "service1[,service2,...]"
+```
+
+In the following example we load balance three applications, one of which requires HTTPS:
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: cafe-ingress
+  annotations:
+    nginx.org/ssl-services: "ssl-svc"
+spec:
+  rules:
+  - host: cafe.example.com
+    http:
+      paths:
+      - path: /tea
+        backend:
+          serviceName: tea-svc
+          servicePort: 80
+      - path: /coffee
+        backend:
+          serviceName: coffee-svc
+          servicePort: 80
+      - path: /ssl
+        backend:
+          serviceName: ssl-svc
+          servicePort: 443
+```
+*ssl-svc* is a service for an HTTPS application. The service becomes available at the `/ssl` path. Note how we used the **nginx.org/ssl-services** annotation.
diff --git a/nginx-controller/nginx/configurator.go b/nginx-controller/nginx/configurator.go
@@ -80,6 +80,7 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 	upstreams := make(map[string]Upstream)
 
 	wsServices := getWebsocketServices(ingEx)
+	sslServices := getSSLServices(ingEx)
 
 	if ingEx.Ingress.Spec.Backend != nil {
 		name := getNameForUpstream(ingEx.Ingress, emptyHost, ingEx.Ingress.Spec.Backend.ServiceName)
@@ -119,7 +120,7 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 				upstreams[upsName] = upstream
 			}
 
-			loc := createLocation(pathOrDefault(path.Path), upstreams[upsName], &ingCfg, wsServices[path.Backend.ServiceName])
+			loc := createLocation(pathOrDefault(path.Path), upstreams[upsName], &ingCfg, wsServices[path.Backend.ServiceName], sslServices[path.Backend.ServiceName])
 			locations = append(locations, loc)
 
 			if loc.Path == "/" {
@@ -129,7 +130,7 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 
 		if rootLocation == false && ingEx.Ingress.Spec.Backend != nil {
 			upsName := getNameForUpstream(ingEx.Ingress, emptyHost, ingEx.Ingress.Spec.Backend.ServiceName)
-			loc := createLocation(pathOrDefault("/"), upstreams[upsName], &ingCfg, wsServices[ingEx.Ingress.Spec.Backend.ServiceName])
+			loc := createLocation(pathOrDefault("/"), upstreams[upsName], &ingCfg, wsServices[ingEx.Ingress.Spec.Backend.ServiceName], sslServices[ingEx.Ingress.Spec.Backend.ServiceName])
 			locations = append(locations, loc)
 		}
 
@@ -150,7 +151,7 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 
 		upsName := getNameForUpstream(ingEx.Ingress, emptyHost, ingEx.Ingress.Spec.Backend.ServiceName)
 
-		loc := createLocation(pathOrDefault("/"), upstreams[upsName], &ingCfg, wsServices[ingEx.Ingress.Spec.Backend.ServiceName])
+		loc := createLocation(pathOrDefault("/"), upstreams[upsName], &ingCfg, wsServices[ingEx.Ingress.Spec.Backend.ServiceName], sslServices[ingEx.Ingress.Spec.Backend.ServiceName])
 		locations = append(locations, loc)
 
 		server.Locations = locations
@@ -187,14 +188,27 @@ func getWebsocketServices(ingEx *IngressEx) map[string]bool {
 	return wsServices
 }
 
-func createLocation(path string, upstream Upstream, cfg *Config, websocket bool) Location {
+func getSSLServices(ingEx *IngressEx) map[string]bool {
+	sslServices := make(map[string]bool)
+
+	if services, exists := ingEx.Ingress.Annotations["nginx.org/ssl-services"]; exists {
+		for _, svc := range strings.Split(services, ",") {
+			sslServices[svc] = true
+		}
+	}
+
+	return sslServices
+}
+
+func createLocation(path string, upstream Upstream, cfg *Config, websocket bool, ssl bool) Location {
 	loc := Location{
 		Path:                path,
 		Upstream:            upstream,
 		ProxyConnectTimeout: cfg.ProxyConnectTimeout,
 		ProxyReadTimeout:    cfg.ProxyReadTimeout,
 		ClientMaxBodySize:   cfg.ClientMaxBodySize,
 		Websocket:           websocket,
+		SSL:                 ssl,
 	}
 
 	return loc
diff --git a/nginx-controller/nginx/ingress.tmpl b/nginx-controller/nginx/ingress.tmpl
@@ -39,6 +39,10 @@ server {
 		proxy_set_header X-Forwarded-Host $host;
 		proxy_set_header X-Forwarded-Port $server_port;
 		proxy_set_header X-Forwarded-Proto $scheme;
+		{{if $location.SSL}}
+		proxy_pass https://{{$location.Upstream.Name}};
+		{{else}}
 		proxy_pass http://{{$location.Upstream.Name}};
+		{{end}}
 	}{{end}}
 }{{end}}
diff --git a/nginx-controller/nginx/nginx.go b/nginx-controller/nginx/nginx.go
@@ -53,6 +53,7 @@ type Location struct {
 	ProxyReadTimeout    string
 	ClientMaxBodySize   string
 	Websocket           bool
+	SSL                 bool
 }
 
 // NginxMainConfig describe the main NGINX configuration file
diff --git a/nginx-plus-controller/nginx/configurator.go b/nginx-plus-controller/nginx/configurator.go
@@ -87,6 +87,7 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 
 	wsServices := getWebsocketServices(ingEx)
 	spServices := getSessionPersistenceServices(ingEx)
+	sslServices := getSSLServices(ingEx)
 
 	if ingEx.Ingress.Spec.Backend != nil {
 		name := getNameForUpstream(ingEx.Ingress, emptyHost, ingEx.Ingress.Spec.Backend.ServiceName)
@@ -128,7 +129,7 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 				upstreams[upsName] = upstream
 			}
 
-			loc := createLocation(pathOrDefault(path.Path), upstreams[upsName], &ingCfg, wsServices[path.Backend.ServiceName])
+			loc := createLocation(pathOrDefault(path.Path), upstreams[upsName], &ingCfg, wsServices[path.Backend.ServiceName], sslServices[path.Backend.ServiceName])
 			locations = append(locations, loc)
 
 			if loc.Path == "/" {
@@ -138,7 +139,7 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 
 		if rootLocation == false && ingEx.Ingress.Spec.Backend != nil {
 			upsName := getNameForUpstream(ingEx.Ingress, emptyHost, ingEx.Ingress.Spec.Backend.ServiceName)
-			loc := createLocation(pathOrDefault("/"), upstreams[upsName], &ingCfg, wsServices[ingEx.Ingress.Spec.Backend.ServiceName])
+			loc := createLocation(pathOrDefault("/"), upstreams[upsName], &ingCfg, wsServices[ingEx.Ingress.Spec.Backend.ServiceName], sslServices[ingEx.Ingress.Spec.Backend.ServiceName])
 			locations = append(locations, loc)
 		}
 
@@ -163,7 +164,7 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 
 		upsName := getNameForUpstream(ingEx.Ingress, emptyHost, ingEx.Ingress.Spec.Backend.ServiceName)
 
-		loc := createLocation(pathOrDefault("/"), upstreams[upsName], &ingCfg, wsServices[ingEx.Ingress.Spec.Backend.ServiceName])
+		loc := createLocation(pathOrDefault("/"), upstreams[upsName], &ingCfg, wsServices[ingEx.Ingress.Spec.Backend.ServiceName], sslServices[ingEx.Ingress.Spec.Backend.ServiceName])
 		locations = append(locations, loc)
 
 		server.Locations = locations
@@ -200,6 +201,18 @@ func getWebsocketServices(ingEx *IngressEx) map[string]bool {
 	return wsServices
 }
 
+func getSSLServices(ingEx *IngressEx) map[string]bool {
+	sslServices := make(map[string]bool)
+
+	if services, exists := ingEx.Ingress.Annotations["nginx.org/ssl-services"]; exists {
+		for _, svc := range strings.Split(services, ",") {
+			sslServices[svc] = true
+		}
+	}
+
+	return sslServices
+}
+
 func getSessionPersistenceServices(ingEx *IngressEx) map[string]string {
 	spServices := make(map[string]string)
 
@@ -231,14 +244,15 @@ func parseStickyService(service string) (serviceName string, stickyCookie string
 	return svcNameParts[1], parts[1], nil
 }
 
-func createLocation(path string, upstream Upstream, cfg *Config, websocket bool) Location {
+func createLocation(path string, upstream Upstream, cfg *Config, websocket bool, ssl bool) Location {
 	loc := Location{
 		Path:                path,
 		Upstream:            upstream,
 		ProxyConnectTimeout: cfg.ProxyConnectTimeout,
 		ProxyReadTimeout:    cfg.ProxyReadTimeout,
 		ClientMaxBodySize:   cfg.ClientMaxBodySize,
 		Websocket:           websocket,
+		SSL:                 ssl,
 	}
 
 	return loc
diff --git a/nginx-plus-controller/nginx/ingress.tmpl b/nginx-plus-controller/nginx/ingress.tmpl
@@ -44,6 +44,10 @@ server {
 		proxy_set_header X-Forwarded-Host $host;
 		proxy_set_header X-Forwarded-Port $server_port;
 		proxy_set_header X-Forwarded-Proto $scheme;
+		{{if $location.SSL}}
+		proxy_pass https://{{$location.Upstream.Name}};
+		{{else}}
 		proxy_pass http://{{$location.Upstream.Name}};
+		{{end}}
 	}{{end}}
 }{{end}}
diff --git a/nginx-plus-controller/nginx/nginx.go b/nginx-plus-controller/nginx/nginx.go
@@ -76,6 +76,7 @@ type Location struct {
 	ProxyReadTimeout    string
 	ClientMaxBodySize   string
 	Websocket           bool
+	SSL                 bool
 }
 
 // NginxMainConfig describe the main NGINX configuration file

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ type Location struct {`
`53`	`53`	`ProxyReadTimeout string`
`54`	`54`	`ClientMaxBodySize string`
`55`	`55`	`Websocket bool`
	`56`	`+ SSL bool`
`56`	`57`	`}`
`57`	`58`
`58`	`59`	`// NginxMainConfig describe the main NGINX configuration file`
Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@ type Location struct {`
`76`	`76`	`ProxyReadTimeout string`
`77`	`77`	`ClientMaxBodySize string`
`78`	`78`	`Websocket bool`
	`79`	`+ SSL bool`
`79`	`80`	`}`
`80`	`81`
`81`	`82`	`// NginxMainConfig describe the main NGINX configuration file`