Merge branch 'main' into JIRA-WKTUI-284-multiple-actions

Author: rakillen

documentation/staging/content/navigate/kubernetes/k8s-ingress-controller.md

@@ -49,6 +49,7 @@ cluster attempts to pull the image and start the container.
 - The `Docker Registry Secret Name` field specifies the name of the Kubernetes pull secret to use when pulling the image.
 To create this secret, enable `Create Docker Hub Secret` and fill in the pull secret data in the `Docker Hub Username`, `Docker Hub Password`,
 and `Docker Hub Email Address` fields.
+- For the NGINX ingress controller, if you want to have SSL pass through the ingress route, enable `Allow SSL pass through to target service`.  
 
 #### TLS Secret for Ingress Routes
 Use this pane to configure the Transport Layer Security (TLS) secret containing the certificate and private key data that will be used by the
@@ -86,11 +87,19 @@ When editing a route:
 - Use the `Virtual Host` and `Path Expression` fields to define the matching rules that determine which requests match this route.  
 - All requests in the defined rules are routed to the service specified by the `Target Service` field that resides in the namespace specified by the read-only
 `Target Service Namespace` field and the port specified by the `Target Port` field.  
-- To enable TLS between the client
-and the ingress controller, enable the `Enable TLS` option.  Remember, enabling TLS means that the TLS secret
-information must be provided in the `TLS Secret for Ingress Routes` pane. Different ingress controllers support advanced ingress route configuration using ingress controller-specific annotations.  
+- Specify the `Transport Option` for the ingress route:
+    * Select `Plain HTTP` for unencrypted traffic from the client through the ingress controller to the target service.
+    * Select `SSL terminate at ingress controller` for SSL
+      terminating
+      at the ingress controller and then unencrypted traffic from the ingress controller to the target service.  
+      * Enable `Is target service WebLogic Console?` if the target service is the `WebLogic Console` service.  
+    * Select `SSL pass through` for SSL traffic to pass through the ingress
+      controller and then terminate at the target service.  
+      * If you select this option, you must also specify a valid DNS value in 'Virtual Host', and all SSL traffic from 
+        the`Virtual Host` will be routed to the target service.  
+      * Make sure that the `Target Port` supports SSL.
 - Use the `Ingress Route Annotations` table to
-add annotations to the ingress route, as needed.
+add annotations to the ingress route, as needed.  Do not remove any pre-populated annotations.
 
 ### Code View
 The `Code View` displays shell scripts for installing an ingress controller and for updating ingress routes.  It also

electron/app/js/ipcRendererPreload.js

@@ -229,6 +229,7 @@ contextBridge.exposeInMainWorld(
       isMac: () => osUtils.isMac(),
       isLinux: () => osUtils.isLinux(),
       getApplicationName: () => wktApp.getApplicationName(),
+      getVersion: () => wktApp.getApplicationVersion(),
       getArgv: (name) => osUtils.getArgv(name)
     },
     'i18n': {

electron/app/locales/en/webui.json

@@ -608,6 +608,8 @@
   "ingress-design-ingress-namespace-help": "The Kubernetes namespace to use for the ingress controller.",
   "ingress-design-voyager-provider-label": "Kubernetes Cluster Provider for Voyager",
   "ingress-design-voyager-provider-help": "The Kubernetes cluster provider type to use for Voyager.",
+  "ingress-design-nginx-allow-passthrough-label": "Allow SSL pass through to target service",
+  "ingress-design-nginx-allow-passthrough-help": "Enable this allows creating SSL pass through ingress transport to the target service.",
   "ingress-design-specify-docker-registry-secret-label": "Use Docker Hub Secret",
   "ingress-design-specify-docker-registry-secret-help": "Whether to use a Docker Hub credential secret to pull the ingress controller image.  This is helpful if you encounter a Docker Hub pull limit exceeded error.",
   "ingress-design-ingress-docker-reg-secret-name": "Docker Registry Secret Name",
@@ -629,7 +631,13 @@
   "ingress-design-ingress-route-targetservice-label": "Target Service",
   "ingress-design-ingress-route-targetport-label": "Target Port",
   "ingress-design-ingress-route-path-label": "Path Expression",
-  "ingress-design-ingress-route-tls-label": "Enable TLS",
+  "ingress-design-ingress-route-tls-label": "Transport Options",
+  "ingress-design-ingress-route-tls-help": "Select the transport option for this ingress route",
+  "ingress-design-ingress-route-tlsoption-plain": "Plain HTTP",
+  "ingress-design-ingress-route-tlsoption-ssl-passthrough": "SSL pass through",
+  "ingress-design-ingress-route-tlsoption-ssl-terminate-ingress": "SSL terminate at ingress controller",
+  "ingress-design-ingress-route-is-console-svc-label": "Is target service WebLogic Console?",
+  "ingress-design-ingress-route-is-console-svc-help": "For SSL terminating at ingress and accessing WebLogic Console Service, turn on this option. Your domain must have 'WeblogicPluginEnabled: true' in the 'resources->WebAppContainer' section",
   "ingress-design-ingress-route-name-label": "Name",
   "ingress-design-ingress-route-dialog-title": "Edit Ingress Route",
   "ingress-design-ingress-route-annotation-label": "Annotation",
@@ -645,10 +653,13 @@
   "ingress-design-ingress-route-annotation-value-help": "The value for the annotation used for this ingress route.",
   "ingress-design-ingress-route-annotation-add-row": "Add Annotation",
   "ingress-design-ingress-route-annotation-delete-row": "Delete Annotation",
+  "ingress-design-ingress-route-traefik-mw-label": "Traefik Middleware",
+  "ingress-design-ingress-route-traefik-mw-help": "Customize Traefik Middlewares Object",
 
   "ingress-design-ingress-route-name-field-validation-error": "Route {{routeName}}",
   "ingress-design-ingress-route-field-validation-error": "Route: {{routeName}}, Field: {{fieldName}}",
-  "ingress-design-ingress-route-field-tls-config-error": "The route {{routeName}} has the {{fieldName}} field enabled but the {{specifyTlsSecretFieldName}} field is disabled.",
+  "ingress-design-ingress-route-field-tls-config-error": "The route '{{routeName}}' has the '{{fieldName}}' set to '{{tlsOption}}' but the '{{specifyTlsSecretFieldName}}' field is disabled.",
+  "ingress-design-ingress-route-field-tls-config-passthrough-error": "The route '{{routeName}}' has the '{{fieldName}}' set to '{{tlsOption}}' but the '{{virtualHostFieldName}}' field is not set, you must provide an valid DNS name in '{{virtualHostFieldName}}'",
 
   "ingress-design-ingress-tls-secret-title": "TLS Secret for Ingress Routes",
   "ingress-design-specify-tls-secret-label": "Use Ingress TLS Secret",

webui/src/js/models/ingress-definition.js

@@ -42,7 +42,7 @@ define(['knockout', 'utils/observable-properties', 'utils/validation-helper'],
 
         this.ingressRouteKeys = [
           'uid', 'name', 'virtualHost', 'targetServiceNameSpace', 'targetService', 'targetPort',
-          'path', 'tlsEnabled', 'annotations', 'accessPoint', 'markedForDeletion'
+          'path', 'annotations', 'accessPoint', 'tlsOption', 'markedForDeletion', 'isConsoleService'
         ];
         this.ingressRoutes = props.createListProperty(this.ingressRouteKeys).persistByKey('uid');
 
@@ -59,7 +59,7 @@ define(['knockout', 'utils/observable-properties', 'utils/validation-helper'],
         this.createTLSSecret = props.createProperty(false);
         this.ingressTLSSecretName = props.createProperty('');
         this.ingressTLSSecretName.addValidator(...validationHelper.getK8sNameValidators());
-
+        this.allowNginxSSLPassThrough = props.createProperty(false);
         this.generateTLSFiles = props.createProperty(false);
         this.ingressTLSSubject = props.createProperty('');
 

webui/src/js/utils/ingress-controller-installer.js

@@ -246,6 +246,9 @@ function(IngressActionsBase, project, wktConsole, k8sHelper, i18n, dialogHelper,
         helmChartData['kubernetes.namespaces'] =
           `{${ingressControllerNamespace},${this.project.k8sDomain.kubernetesNamespace.value}}`;
       }
+      if (ingressControllerProvider === 'nginx' && this.project.ingress.allowNginxSSLPassThrough) {
+        helmChartData['controller.extraArgs.enable-ssl-passthrough'] = true;
+      }
       return helmChartData;
     }
   }

webui/src/js/utils/ingress-resource-generator.js

@@ -41,13 +41,14 @@ define(['models/wkt-project', 'js-yaml'],
 
       createVoyagerRoutesAsYaml(item) {
         const namespace = item['targetServiceNameSpace'] || 'default';
-
+        const version = window.api.process.getVersion();
         const result = {
           apiVersion: 'voyager.appscode.com/v1beta1',
           kind: 'Ingress',
           metadata: {
             name: item['name'],
             namespace: namespace,
+            labels: { createdByWtkUIVersion: version}
           },
           spec: {
             rules: [
@@ -67,29 +68,28 @@ define(['models/wkt-project', 'js-yaml'],
             ]
           }
         };
+
         this.addTlsSpec(result, item);
         this.addVirtualHost(result, item);
         this.addAnnotations(result, item);
         return jsYaml.dump(result);
       }
 
       createNginxRoutesAsYaml(item) {
-        return this._createStandardRoutesAsYaml(item);
-      }
-
-      createTraefikRoutesAsYaml(item) {
-        return this._createStandardRoutesAsYaml(item);
-      }
-
-      _createStandardRoutesAsYaml(item) {
         const namespace = item['targetServiceNameSpace'] || 'default';
+        const version = window.api.process.getVersion();
+        let path = item['path'];
+        if (this.isSSLPassThrough(item)) {
+          path = '/';
+        }
 
         const result = {
           apiVersion: 'networking.k8s.io/v1',
           kind: 'Ingress',
           metadata: {
             name: item['name'],
             namespace: namespace,
+            labels: { createdByWtkUIVersion: version}
           },
           spec: {
             rules: [
@@ -105,7 +105,7 @@ define(['models/wkt-project', 'js-yaml'],
                           }
                         }
                       },
-                      path: item['path'],
+                      path: path,
                       pathType: 'Prefix'
                     }
                   ]
@@ -114,22 +114,189 @@ define(['models/wkt-project', 'js-yaml'],
             ]
           }
         };
-        this.addTlsSpec(result, item);
+        // No need to set TLS if passthrough
+        if (!this.isSSLPassThrough(item)) {
+          this.addTlsSpec(result, item);
+        }
+
         this.addVirtualHost(result, item);
+
+        if (this.isSSLTerminateAtIngress(item)) {
+          if (!('annotations' in item)) {
+            item['annotations'] = {};
+          }
+          // must have nl at the end
+          item.annotations['nginx.ingress.kubernetes.io/configuration-snippet'] = 'more_clear_input_headers' +
+              ' "WL-Proxy-Client-IP" "WL-Proxy-SSL";\n'
+              + 'more_set_input_headers "X-Forwarded-Proto: https";\n'
+              + 'more_set_input_headers "WL-Proxy-SSL: true";\n';
+          item.annotations['nginx.ingress.kubernetes.io/ingress.allow-http'] = 'false';
+        }
+
         this.addAnnotations(result, item);
         return jsYaml.dump(result);
       }
 
+      isSSLTerminateAtIngress(item) {
+        if (item && item['tlsOption'] === 'ssl_terminate_ingress') {
+          return true;
+        } else {
+          return false;
+        }
+      }
+
+      isSSLPassThrough(item) {
+        if (item && item['tlsOption'] === 'ssl_passthrough') {
+          return true;
+        } else {
+          return false;
+        }
+      }
+
+      isPlainHTTP(item) {
+        if (item && item['tlsOption'] === 'plain') {
+          return true;
+        } else {
+          return false;
+        }
+      }
+
+      createTraefikMiddlewaresAsYaml(item) {
+
+        const namespace = item['targetServiceNameSpace'] || 'default';
+        const version = window.api.process.getVersion();
+
+        const result = {
+          apiVersion: 'traefik.containo.us/v1alpha1',
+          kind: 'Middleware',
+          metadata: {
+            name: item['name'] + '-middleware',
+            namespace: namespace,
+            labels: { createdByWtkUIVersion: version}
+          }
+        };
+
+        if (this.isSSLTerminateAtIngress(item)) {
+          if (item['isConsoleService']) {
+            result.spec = {
+              headers: {
+                sslRedirect: true,
+                customRequestHeaders: {
+                  'X-Custom-Request-Header': '',
+                  'X-Forwarded-For': '',
+                  'WL-Proxy-Client-IP': '',
+                  'WL-Proxy-SSL': 'true'
+                }
+              }
+            };
+
+            return jsYaml.dump(result);
+          }
+
+          if (item['path'].indexOf('.') < 0) {
+            result.spec = { replacePathRegex: { regex: '^' + item['path'] + '(.*)', replacement: item['path'] + '/$1'}};
+            return jsYaml.dump(result);
+          }
+
+        }
+
+      }
+
+      createTraefikRoutesAsYaml(item) {
+
+        let ingressTraefikMiddlewares = this.createTraefikMiddlewaresAsYaml(item);
+        let useMiddlewares = false;
+        if (ingressTraefikMiddlewares) {
+          useMiddlewares = true;
+        }
+
+        const namespace = item['targetServiceNameSpace'] || 'default';
+
+        const result = {
+          apiVersion: 'traefik.containo.us/v1alpha1',
+          kind: 'IngressRoute',
+          metadata: {
+            name: item['name'],
+            namespace: namespace,
+          },
+          spec: {
+            routes: [
+              {
+                kind: 'Rule',
+                match: {},
+                services: [{
+                  kind: 'Service',
+                  name: item['targetService'],
+                  port: Number(item['targetPort'])
+                }]
+              }
+            ]
+          }
+        };
+
+        let matchExpression = '';
+
+        if (item && item['path']) {
+          matchExpression += 'PathPrefix(`' + item['path'] + '`)';
+        }
+
+        if (item['virtualHost']) {
+          if (matchExpression !== '') {
+            matchExpression += ' && ';
+          }
+          matchExpression += 'Host(`' + item['virtualHost'] + '`)';
+        }
+
+        result.spec.routes[0].match = matchExpression;
+
+        // if SSL terminate at ingress
+        if (this.project.ingress.specifyIngressTLSSecret.value && this.isSSLTerminateAtIngress(item)) {
+          if (!item['tlsSecretName']) {
+            item['tlsSecretName'] = this.project.ingress.ingressTLSSecretName.value;
+          }
+          result.spec.tls = { secretName: item['tlsSecretName'] };
+        }
+        // SSL passthrough
+        if (this.project.ingress.specifyIngressTLSSecret.value && this.isSSLPassThrough(item)) {
+          const obj = { passthrough: true };
+          result.spec.tls =  obj;
+
+          // passthrough is a different kind!
+          result.kind = 'IngressRouteTCP';
+          delete result.spec.routes[0].kind;
+          delete result.spec.routes[0].services[0].kind;
+
+          // Set HostSNI
+          if (item && item['virtualHost']) {
+            result.spec.routes[0].match = 'HostSNI(`' + item['virtualHost'] + '`)';
+          }
+        }
+
+        if (useMiddlewares) {
+          result.spec.routes[0].middlewares = [ {name: item['name'] + '-middleware'} ];
+        }
+
+        this.addAnnotations(result, item);
+
+        let yaml = '';
+        if (ingressTraefikMiddlewares) {
+          yaml = ingressTraefikMiddlewares;
+          yaml += '\n---\n';
+        }
+        yaml += jsYaml.dump(result);
+        return yaml;
+      }
+
       addTlsSpec(result, item) {
         // If the Ingress TLS secret is not enabled, do not add the ingress TLS secret name even if it exists.
-        if (this.project.ingress.specifyIngressTLSSecret.value && item && item['tlsEnabled'] === true) {
+        if (this.project.ingress.specifyIngressTLSSecret.value && !this.isPlainHTTP(item)) {
           if (!item['tlsSecretName']) {
             item['tlsSecretName'] = this.project.ingress.ingressTLSSecretName.value;
           }
 
           const obj = { secretName: item['tlsSecretName'] };
           if (item['virtualHost']) {
-            obj['hosts'] = item['virtualHost'];
+            obj['hosts'] = [ item['virtualHost'] ];
           }
           result.spec.tls = [ obj ];
         }