kubernetes · k8s-ci-robot · Aug 18, 2019 · Jul 17, 2019 · Aug 14, 2019 · Aug 16, 2019
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
@@ -67,6 +67,11 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/proxy-redirect-from](#proxy-redirect)|string|
 |[nginx.ingress.kubernetes.io/proxy-redirect-to](#proxy-redirect)|string|
 |[nginx.ingress.kubernetes.io/proxy-http-version](#proxy-http-version)|"1.0" or "1.1"|
+|[nginx.ingress.kubernetes.io/proxy-ssl-secret](#backend-certificate-authentication)|string|
+|[nginx.ingress.kubernetes.io/proxy-ssl-ciphers](#backend-certificate-authentication)|string|
+|[nginx.ingress.kubernetes.io/proxy-ssl-protocols](#backend-certificate-authentication)|string|
+|[nginx.ingress.kubernetes.io/proxy-ssl-verify](#backend-certificate-authentication)|string|
+|[nginx.ingress.kubernetes.io/proxy-ssl-verify-depth](#backend-certificate-authentication)|number|
 |[nginx.ingress.kubernetes.io/enable-rewrite-log](#enable-rewrite-log)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/rewrite-target](#rewrite)|URI|
 |[nginx.ingress.kubernetes.io/satisfy](#satisfy)|string|
@@ -235,6 +240,21 @@ The annotations are:
 
     Only Authenticated Origin Pulls are allowed and can be configured by following their tutorial: [https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls](https://support.cloudflare.com/hc/en-us/articles/204494148-Setting-up-NGINX-to-use-TLS-Authenticated-Origin-Pulls)
 
+### Backend Certificate Authentication
+
+It is possible to authenticate to a proxied HTTPS backend with certificate using additional annotations in Ingress Rule.
+
+* `nginx.ingress.kubernetes.io/proxy-ssl-secret: secretName`:
+  Specifies a Secret with the certificate `tls.crt`, key `tls.key` in PEM format used for authentication to a proxied HTTPS server. It should also contain trusted CA certificates `ca.crt` in PEM format used to verify the certificate of the proxied HTTPS server.
+  This annotation also accepts the alternative form "namespace/secretName", in which case the Secret lookup is performed in the referenced namespace instead of the Ingress namespace.
+* `nginx.ingress.kubernetes.io/proxy-ssl-verify`:
+  Enables or disables verification of the proxied HTTPS server certificate. (default: off)
+* `nginx.ingress.kubernetes.io/proxy-ssl-verify-depth`:
+  Sets the verification depth in the proxied HTTPS server certificates chain. (default: 1)
+* `nginx.ingress.kubernetes.io/proxy-ssl-ciphers`:
+  Specifies the enabled [ciphers](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_ciphers) for requests to a proxied HTTPS server. The ciphers are specified in the format understood by the OpenSSL library.
+* `nginx.ingress.kubernetes.io/proxy-ssl-protocols`:
+  Enables the specified [protocols](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_protocols) for requests to a proxied HTTPS server.
 
 ### Configuration snippet
 

diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go
@@ -20,6 +20,7 @@ import (
 	"github.com/imdario/mergo"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/canary"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/sslcipher"
 	"k8s.io/klog"
 
@@ -90,6 +91,7 @@ type Ingress struct {
 	EnableGlobalAuth   bool
 	HTTP2PushPreload   bool
 	Proxy              proxy.Config
+	ProxySSL           proxyssl.Config
 	RateLimit          ratelimit.Config
 	Redirect           redirect.Config
 	Rewrite            rewrite.Config
@@ -137,6 +139,7 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor {
 			"EnableGlobalAuth":     authreqglobal.NewParser(cfg),
 			"HTTP2PushPreload":     http2pushpreload.NewParser(cfg),
 			"Proxy":                proxy.NewParser(cfg),
+			"ProxySSL":             proxyssl.NewParser(cfg),
 			"RateLimit":            ratelimit.NewParser(cfg),
 			"Redirect":             redirect.NewParser(cfg),
 			"Rewrite":              rewrite.NewParser(cfg),

diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go
@@ -0,0 +1,157 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package proxyssl
+
+import (
+	"regexp"
+	"sort"
+	"strings"
+
+	"github.com/pkg/errors"
+	networking "k8s.io/api/networking/v1beta1"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+	"k8s.io/ingress-nginx/internal/k8s"
+)
+
+const (
+	defaultProxySSLCiphers     = "DEFAULT"
+	defaultProxySSLProtocols   = "TLSv1 TLSv1.1 TLSv1.2"
+	defaultProxySSLVerify      = "off"
+	defaultProxySSLVerifyDepth = 1
+)
+
+var (
+	proxySSLOnOffRegex    = regexp.MustCompile(`^(on|off)$`)
+	proxySSLProtocolRegex = regexp.MustCompile(`^(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2|TLSv1\.3)$`)
+)
+
+// Config contains the AuthSSLCert used for mutual authentication
+// and the configured VerifyDepth
+type Config struct {
+	resolver.AuthSSLCert
+	Ciphers     string `json:"ciphers"`
+	Protocols   string `json:"protocols"`
+	Verify      string `json:"verify"`
+	VerifyDepth int    `json:"verifyDepth"`
+}
+
+// Equal tests for equality between two Config types
+func (pssl1 *Config) Equal(pssl2 *Config) bool {
+	if pssl1 == pssl2 {
+		return true
+	}
+	if pssl1 == nil || pssl2 == nil {
+		return false
+	}
+	if !(&pssl1.AuthSSLCert).Equal(&pssl2.AuthSSLCert) {
+		return false
+	}
+	if pssl1.Ciphers != pssl2.Ciphers {
+		return false
+	}
+	if pssl1.Protocols != pssl2.Protocols {
+		return false
+	}
+	if pssl1.Verify != pssl2.Verify {
+		return false
+	}
+	if pssl1.VerifyDepth != pssl2.VerifyDepth {
+		return false
+	}
+	return true
+}
+
+// NewParser creates a new TLS authentication annotation parser
+func NewParser(resolver resolver.Resolver) parser.IngressAnnotation {
+	return proxySSL{resolver}
+}
+
+type proxySSL struct {
+	r resolver.Resolver
+}
+
+func sortProtocols(protocols string) string {
+	protolist := strings.Split(protocols, " ")
+
+	n := 0
+	for _, proto := range protolist {
+		proto = strings.TrimSpace(proto)
+		if proto == "" || !proxySSLProtocolRegex.MatchString(proto) {
+			continue
+		}
+		protolist[n] = proto
+		n++
+	}
+
+	if n == 0 {
+		return defaultProxySSLProtocols
+	}
+
+	protolist = protolist[:n]
+	sort.Strings(protolist)
+	return strings.Join(protolist, " ")
+}
+
+// Parse parses the annotations contained in the ingress
+// rule used to use a Certificate as authentication method
+func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) {
+	var err error
+	config := &Config{}
+
+	proxysslsecret, err := parser.GetStringAnnotation("proxy-ssl-secret", ing)
+	if err != nil {
+		return &Config{}, err
+	}
+
+	_, _, err = k8s.ParseNameNS(proxysslsecret)
+	if err != nil {
+		return &Config{}, ing_errors.NewLocationDenied(err.Error())
+	}
+
+	proxyCert, err := p.r.GetAuthCertificate(proxysslsecret)
+	if err != nil {
+		e := errors.Wrap(err, "error obtaining certificate")
+		return &Config{}, ing_errors.LocationDenied{Reason: e}
+	}
+	config.AuthSSLCert = *proxyCert
+
+	config.Ciphers, err = parser.GetStringAnnotation("proxy-ssl-ciphers", ing)
+	if err != nil {
+		config.Ciphers = defaultProxySSLCiphers
+	}
+
+	config.Protocols, err = parser.GetStringAnnotation("proxy-ssl-protocols", ing)
+	if err != nil {
+		config.Protocols = defaultProxySSLProtocols
+	} else {
+		config.Protocols = sortProtocols(config.Protocols)
+	}
+
+	config.Verify, err = parser.GetStringAnnotation("proxy-ssl-verify", ing)
+	if err != nil || !proxySSLOnOffRegex.MatchString(config.Verify) {
+		config.Verify = defaultProxySSLVerify
+	}
+
+	config.VerifyDepth, err = parser.GetIntAnnotation("proxy-ssl-verify-depth", ing)
+	if err != nil || config.VerifyDepth == 0 {
+		config.VerifyDepth = defaultProxySSLVerifyDepth
+	}
+
+	return config, nil
+}