Add missing OSS internal routes (#3481)

During testing a bug was found that prevented NSM to egress through NIC OSS. The root cause of the bug was found to be a few missing configuration blocks in the OSS NIC template files. This adds in the server blocks necessary for internal routes to function as expected. (cherry picked from commit 21f5377)
nginx · Jan 25, 2023 · 9faee4b · 9faee4b
1 parent 119fc48
commit 9faee4b
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 0 deletions.
diff --git a/internal/configs/version1/nginx.ingress.tmpl b/internal/configs/version1/nginx.ingress.tmpl
@@ -10,6 +10,12 @@ upstream {{$upstream.Name}} {
 
 {{range $server := .Servers}}
 server {
+	{{if $server.SpiffeCerts}}
+	listen 443 ssl;
+	{{if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}}
+	ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+	ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+	{{else}}
 	{{if not $server.GRPCOnly}}
 	{{range $port := $server.Ports}}
 	listen {{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};
@@ -35,6 +41,7 @@ server {
 	ssl_certificate_key {{$server.SSLCertificateKey}};
 	{{end}}
 	{{end}}
+	{{end}}
 
 	{{range $setRealIPFrom := $server.SetRealIPFrom}}
 	set_real_ip_from {{$setRealIPFrom}};{{end}}
@@ -142,6 +149,15 @@ server {
 		{{- if $location.ProxyBufferSize}}
 		grpc_buffer_size {{$location.ProxyBufferSize}};
 		{{- end}}
+		{{if $.SpiffeClientCerts}}
+		grpc_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+		grpc_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+		grpc_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
+		grpc_ssl_server_name on;
+		grpc_ssl_verify on;
+		grpc_ssl_verify_depth 25;
+		grpc_ssl_name {{$location.ProxySSLName}};
+		{{end}}
 		{{if $location.SSL}}
 		grpc_pass grpcs://{{$location.Upstream.Name}}{{$location.Rewrite}};
 		{{else}}
@@ -187,6 +203,15 @@ server {
 		{{- if $location.ProxyMaxTempFileSize}}
 		proxy_max_temp_file_size {{$location.ProxyMaxTempFileSize}};
 		{{- end}}
+		{{if $.SpiffeClientCerts}}
+		proxy_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+		proxy_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+		proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
+		proxy_ssl_server_name on;
+		proxy_ssl_verify on;
+		proxy_ssl_verify_depth 25;
+		proxy_ssl_name {{$location.ProxySSLName}};
+		{{end}}
 		{{if $location.SSL}}
 		proxy_pass https://{{$location.Upstream.Name}}{{$location.Rewrite}};
 		{{else}}

diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl
@@ -210,6 +210,18 @@ http {
 
         return 418;
     }
+    {{if .InternalRouteServer}}
+    server {
+        listen 443 ssl;
+        {{if not .DisableIPV6}}listen [::]:443 ssl;{{end}}
+        server_name {{.InternalRouteServerName}};
+        ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+        ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+        ssl_client_certificate /etc/nginx/secrets/spiffe_rootca.pem;
+        ssl_verify_client on;
+        ssl_verify_depth 25;
+    }
+    {{end}}
 }
 
 stream {

diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl
@@ -356,6 +356,15 @@ server {
             {{ end }}
             {{ range $h := $l.AddHeaders }}
         add_header {{ $h.Name }} "{{ $h.Value }}" {{ if $h.Always }}always{{ end }};
+            {{ end }}
+            {{ if $.SpiffeCerts }}
+        {{ $proxyOrGRPC }}_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+        {{ $proxyOrGRPC }}_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+        {{ $proxyOrGRPC }}_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
+        {{ $proxyOrGRPC }}_ssl_server_name on;
+        {{ $proxyOrGRPC }}_ssl_verify on;
+        {{ $proxyOrGRPC }}_ssl_verify_depth 25;
+        {{ $proxyOrGRPC }}_ssl_name {{ $l.ProxySSLName }};
             {{ end }}
             {{if $l.GRPCPass}}
         grpc_pass {{ $l.GRPCPass }};