From 9faee4b41ba4b6d018485a1b94430952860280e2 Mon Sep 17 00:00:00 2001
From: Chase Kiefer <112438922+chase-kiefer@users.noreply.github.com>
Date: Wed, 25 Jan 2023 14:02:34 -0600
Subject: [PATCH] Add missing OSS internal routes (#3481)

During testing a bug was found that prevented NSM from egressing through
NIC OSS. The root cause was a few missing configuration blocks in the
OSS NIC template files.

This adds in the server blocks necessary for internal routes to
function as expected.

(cherry picked from commit 21f5377dfea5b078d4b9b52f954384e5f7b0372f)
---
 internal/configs/version1/nginx.ingress.tmpl  | 25 +++++++++++++++++++
 internal/configs/version1/nginx.tmpl          | 12 +++++++++
 .../configs/version2/nginx.virtualserver.tmpl |  9 +++++++
 3 files changed, 46 insertions(+)

diff --git a/internal/configs/version1/nginx.ingress.tmpl b/internal/configs/version1/nginx.ingress.tmpl
index db32bfb496..e473f7731a 100644
--- a/internal/configs/version1/nginx.ingress.tmpl
+++ b/internal/configs/version1/nginx.ingress.tmpl
@@ -10,6 +10,12 @@ upstream {{$upstream.Name}} {
 
 {{range $server := .Servers}}
 server {
+	{{if $server.SpiffeCerts}}
+	listen 443 ssl;
+	{{if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}}
+	ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+	ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+	{{else}}
 	{{if not $server.GRPCOnly}}
 	{{range $port := $server.Ports}}
 	listen {{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};
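Review bot: The new SPIFFE branch emits a bare `listen 443 ssl;`, dropping both the `$server.Ports` loop and the `{{if $server.ProxyProtocol}} proxy_protocol{{end}}` suffix that the `{{else}}` branch keeps at L36, so an Ingress that has SpiffeCerts and proxy protocol enabled (if that combination is reachable) would stop parsing the PROXY header while the `set_real_ip_from` directives at L43-44 still assume it. Unless proxy protocol is deliberately unsupported with SPIFFE, carry the suffix over: `listen 443 ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};` and likewise on the IPv6 line. It is also worth a one-line template comment that this branch only presents the workload certificate and, unlike the internal route server added in nginx.tmpl, does not require a client certificate, so readers do not assume the Ingress itself is mTLS-gated. The matching `{{end}}` for this `{{if}}` lands in the next hunk (L41) and the server block continues past the hunk.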
@@ -35,6 +41,7 @@ server {
 	ssl_certificate_key {{$server.SSLCertificateKey}};
 	{{end}}
 	{{end}}
+	{{end}}
 
 	{{range $setRealIPFrom := $server.SetRealIPFrom}}
 	set_real_ip_from {{$setRealIPFrom}};{{end}}
@@ -142,6 +149,15 @@ server {
 		{{- if $location.ProxyBufferSize}}
 		grpc_buffer_size {{$location.ProxyBufferSize}};
 		{{- end}}
+		{{if $.SpiffeClientCerts}}
+		grpc_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+		grpc_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+		grpc_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
+		grpc_ssl_server_name on;
+		grpc_ssl_verify on;
+		grpc_ssl_verify_depth 25;
+		grpc_ssl_name {{$location.ProxySSLName}};
+		{{end}}
 		{{if $location.SSL}}
 		grpc_pass grpcs://{{$location.Upstream.Name}}{{$location.Rewrite}};
 		{{else}}
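Review bot: `grpc_ssl_name {{$location.ProxySSLName}}` at L56 renders as `grpc_ssl_name ;` when ProxySSLName is empty, which nginx rejects at config load, and with `grpc_ssl_verify on` this name is what the upstream certificate is checked against; unless the Go side guarantees the field is always set when SpiffeClientCerts is on, guard it: `{{if $location.ProxySSLName}}grpc_ssl_name {{$location.ProxySSLName}};{{end}}`. The same applies to `proxy_ssl_name` in the next hunk (L72) and to `{{ $proxyOrGRPC }}_ssl_name` in nginx.virtualserver.tmpl (L116). The block is also emitted when `$location.SSL` is false and the location presumably falls to a plain `grpc_pass grpc://`, where these directives are inert; placing it inside the `{{if $location.SSL}}` branch would make the rendered config reflect what is actually in effect. The enclosing location block starts before this hunk.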
@@ -187,6 +203,15 @@ server {
 		{{- if $location.ProxyMaxTempFileSize}}
 		proxy_max_temp_file_size {{$location.ProxyMaxTempFileSize}};
 		{{- end}}
+		{{if $.SpiffeClientCerts}}
+		proxy_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+		proxy_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+		proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
+		proxy_ssl_server_name on;
+		proxy_ssl_verify on;
+		proxy_ssl_verify_depth 25;
+		proxy_ssl_name {{$location.ProxySSLName}};
+		{{end}}
 		{{if $location.SSL}}
 		proxy_pass https://{{$location.Upstream.Name}}{{$location.Rewrite}};
 		{{else}}
diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl
index 9786d318ce..eb415edb05 100644
--- a/internal/configs/version1/nginx.tmpl
+++ b/internal/configs/version1/nginx.tmpl
@@ -210,6 +210,18 @@ http {
 
         return 418;
     }
+    {{if .InternalRouteServer}}
+    server {
+        listen 443 ssl;
+        {{if not .DisableIPV6}}listen [::]:443 ssl;{{end}}
+        server_name {{.InternalRouteServerName}};
+        ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+        ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+        ssl_client_certificate /etc/nginx/secrets/spiffe_rootca.pem;
+        ssl_verify_client on;
+        ssl_verify_depth 25;
+    }
+    {{end}}
 }
 
 stream {
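Review bot: The new internal-route server accepts any client certificate that chains to `spiffe_rootca.pem` (`ssl_verify_client on` with no further check on the presented identity), so it authenticates membership in the trust domain rather than a particular workload; if that is the intended boundary, a template comment such as `# mTLS: any workload in the SPIFFE trust domain is accepted here; per-client authorization must happen downstream` would save the next reader from assuming tighter scoping. The block also has no `location` or `return`, so a request that passes mTLS for `{{.InternalRouteServerName}}` falls through to nginx's default handling unless a matching server is defined elsewhere; stating where the real routing happens would help. Note that it shares port 443 with the SPIFFE listener added in nginx.ingress.tmpl and is only distinguished by `server_name`, which is fine as long as `InternalRouteServerName` never collides with an Ingress host.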
diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl
index 09576e965b..d3de0d7022 100644
--- a/internal/configs/version2/nginx.virtualserver.tmpl
+++ b/internal/configs/version2/nginx.virtualserver.tmpl
@@ -356,6 +356,15 @@ server {
             {{ end }}
             {{ range $h := $l.AddHeaders }}
         add_header {{ $h.Name }} "{{ $h.Value }}" {{ if $h.Always }}always{{ end }};
+            {{ end }}
+            {{ if $.SpiffeCerts }}
+        {{ $proxyOrGRPC }}_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+        {{ $proxyOrGRPC }}_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+        {{ $proxyOrGRPC }}_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
+        {{ $proxyOrGRPC }}_ssl_server_name on;
+        {{ $proxyOrGRPC }}_ssl_verify on;
+        {{ $proxyOrGRPC }}_ssl_verify_depth 25;
+        {{ $proxyOrGRPC }}_ssl_name {{ $l.ProxySSLName }};
             {{ end }}
             {{if $l.GRPCPass}}
         grpc_pass {{ $l.GRPCPass }};
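Review bot: This location gates the upstream client-certificate settings on `$.SpiffeCerts`, whereas the Ingress template gates the equivalent block on `$.SpiffeClientCerts` (L49, L65) and reserves `SpiffeCerts` for the listener side; if the VirtualServer template data carries a separate client-side flag, this should likely use it, otherwise confirm that enabling SPIFFE listener certs is meant to imply `_ssl_verify on` toward every upstream of the VirtualServer. A short comment on the `{{ if $.SpiffeCerts }}` line naming which flag drives it would settle that for readers. The empty-`ProxySSLName` concern raised on the Ingress hunk applies to L116 as well. `$proxyOrGRPC` and the enclosing location block are defined before this hunk.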