kubernetes · aledbf · Oct 5, 2017 · Oct 4, 2017
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -621,6 +621,11 @@ stream {
         # PEM sha: {{ $server.SSLPemChecksum }}
         ssl_certificate                         {{ $server.SSLCertificate }};
         ssl_certificate_key                     {{ $server.SSLCertificate }};
+        {{ if not (empty $server.SSLFullChainCertificate)}}
+        ssl_trusted_certificate                 {{ $server.SSLFullChainCertificate }};        
+        ssl_stapling                            on;
+        ssl_stapling_verify                     on;
+        {{ end }}
         {{ end }}
 
         {{ if (and (not (empty $server.SSLCertificate)) $all.Cfg.HSTS) }}

diff --git a/core/pkg/ingress/controller/controller.go b/core/pkg/ingress/controller/controller.go
@@ -1056,6 +1056,7 @@ func (ic *GenericController) createServers(data []*extensions.Ingress,
 			}
 
 			servers[host].SSLCertificate = cert.PemFileName
+			servers[host].SSLFullChainCertificate = cert.FullChainPemFileName
 			servers[host].SSLPemChecksum = cert.PemSHA
 			servers[host].SSLExpireTime = cert.ExpireTime
 

diff --git a/core/pkg/ingress/sort_ingress.go b/core/pkg/ingress/sort_ingress.go
@@ -32,6 +32,9 @@ type SSLCert struct {
 	CAFileName string `json:"caFileName"`
 	// PemFileName contains the path to the file with the certificate and key concatenated
 	PemFileName string `json:"pemFileName"`
+	// FullChainPemFileName contains the path to the file with the certificate and key concatenated
+	// This certificate contains the full chain (ca + intermediates + cert)
+	FullChainPemFileName string `json:"fullChainPemFileName"`
 	// PemSHA contains the sha1 of the pem file.
 	// This is used to detect changes in the secret that contains the certificates
 	PemSHA string `json:"pemSha"`

diff --git a/core/pkg/ingress/types.go b/core/pkg/ingress/types.go
@@ -220,6 +220,9 @@ type Server struct {
 	SSLPassthrough bool `json:"sslPassthrough"`
 	// SSLCertificate path to the SSL certificate on disk
 	SSLCertificate string `json:"sslCertificate"`
+	// SSLFullChainCertificate path to the SSL certificate on disk
+	// This certificate contains the full chain (ca + intermediates + cert)
+	SSLFullChainCertificate string `json:"sslFullChainCertificate"`
 	// SSLExpireTime has the expire date of this certificate
 	SSLExpireTime time.Time `json:"sslExpireTime"`
 	// SSLPemChecksum returns the checksum of the certificate file on disk.

diff --git a/core/pkg/net/ssl/ssl.go b/core/pkg/net/ssl/ssl.go
@@ -34,6 +34,7 @@ import (
 	"time"
 
 	"github.com/golang/glog"
+	"github.com/zakjan/cert-chain-resolver/certUtil"
 
 	"k8s.io/apimachinery/pkg/util/sets"
 
@@ -49,6 +50,7 @@ var (
 func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert, error) {
 	pemName := fmt.Sprintf("%v.pem", name)
 	pemFileName := fmt.Sprintf("%v/%v", ingress.DefaultSSLDirectory, pemName)
+	fullChainPemFileName := fmt.Sprintf("%v/%v-full-chain.pem", ingress.DefaultSSLDirectory, name)
 
 	tempPemFile, err := ioutil.TempFile(ingress.DefaultSSLDirectory, pemName)
 
@@ -170,13 +172,23 @@ func AddOrUpdateCertAndKey(name string, cert, key, ca []byte) (*ingress.SSLCert,
 		}, nil
 	}
 
-	return &ingress.SSLCert{
+	s := &ingress.SSLCert{
 		Certificate: pemCert,
 		PemFileName: pemFileName,
 		PemSHA:      file.SHA1(pemFileName),
 		CN:          cn.List(),
 		ExpireTime:  pemCert.NotAfter,
-	}, nil
+	}
+
+	err = fullChainCert(pemFileName, fullChainPemFileName)
+	if err != nil {
+		glog.Errorf("unexpected error generating SSL certificate with full chain: %v", err)
+		return s, nil
+	}
+
+	s.FullChainPemFileName = fullChainPemFileName
+
+	return s, nil
 }
 
 func getExtension(c *x509.Certificate, id asn1.ObjectIdentifier) []pkix.Extension {
@@ -376,3 +388,33 @@ func GetFakeSSLCert() ([]byte, []byte) {
 
 	return cert, key
 }
+
+func fullChainCert(in, out string) error {
+	inputFile, err := os.Open(in)
+	if err != nil {
+		return err
+	}
+
+	data, err := ioutil.ReadAll(inputFile)
+	if err != nil {
+		return err
+	}
+
+	cert, err := certUtil.DecodeCertificate(data)
+	if err != nil {
+		return err
+	}
+
+	certs, err := certUtil.FetchCertificateChain(cert)
+	if err != nil {
+		return err
+	}
+
+	certs, err = certUtil.AddRootCA(certs)
+	if err != nil {
+		return err
+	}
+
+	data = certUtil.EncodeCertificates(certs)
+	return ioutil.WriteFile(out, data, 0644)
+}
diff --git a/vendor/github.com/fullsailor/pkcs7/.gitignore b/vendor/github.com/fullsailor/pkcs7/.gitignore
diff --git a/vendor/github.com/fullsailor/pkcs7/.travis.yml b/vendor/github.com/fullsailor/pkcs7/.travis.yml
diff --git a/vendor/github.com/fullsailor/pkcs7/LICENSE b/vendor/github.com/fullsailor/pkcs7/LICENSE
diff --git a/vendor/github.com/fullsailor/pkcs7/README.md b/vendor/github.com/fullsailor/pkcs7/README.md