Add TLS support for vs/vsr upstreams

nginx · Jul 16, 2019 · f5ac669 · f5ac669
1 parent f04246d
commit f5ac669
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 11 deletions.
diff --git a/docs/virtualserver-and-virtualserverroute.md b/docs/virtualserver-and-virtualserverroute.md
@@ -17,6 +17,7 @@ This document is the reference documentation for the resources. To see additiona
     - [VirtualServerRoute.Subroute](#VirtualServerRouteSubroute)
   - [Common Parts of the VirtualServer and VirtualServerRoute](#Common-Parts-of-the-VirtualServer-and-VirtualServerRoute)
     - [Upstream](#Upstream)
+    - [Upstream.TLS](#UpstreamTLS)
     - [Split](#Split)
     - [Rules](#Rules)
     - [Condition](#Condition)
@@ -183,6 +184,8 @@ keepalive: 32
 connect-timeout: 30s
 read-timeout: 30s
 send-timeout: 30s
+tls:
+  enable: True
 ```
 
 | Field | Description | Type | Required |
@@ -197,6 +200,12 @@ send-timeout: 30s
 `connect-timeout` | The timeout for establishing a connection with an upstream server. See the [proxy_connect_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout) directive. The default is specified in the `proxy-connect-timeout` ConfigMap key. | `string` | No
 `read-timeout` | The timeout for reading a response from an upstream server. See the [proxy_read_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) directive.  The default is specified in the `proxy-read-timeout` ConfigMap key. | `string` | No
 `send-timeout` | The timeout for transmitting a request to an upstream server. See the [proxy_send_timeout](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) directive. The default is specified in the `proxy-send-timeout` ConfigMap key. | `string` | No
+| `tls` | The TLS configuration for the Upstream. | [`tls`](#UpstreamTLS) | No |
+
+### Upstream.TLS
+| Field | Description | Type | Required |
+| ----- | ----------- | ---- | -------- |
+| `enable` | Enables HTTPS for requests to upstream servers. The default is `False`, meaning that HTTP will be used. | `boolean` | No |
 
 ### Split
 

diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
@@ -257,6 +257,13 @@ func upstreamHasKeepalive(upstream conf_v1alpha1.Upstream, cfgParams *ConfigPara
 	return cfgParams.Keepalive != 0
 }
 
+func generateProxyPassProtocol(upstream conf_v1alpha1.Upstream) string {
+	if upstream.TLS.Enable {
+		return "https"
+	}
+	return "http"
+}
+
 func generateLocation(path string, upstreamName string, upstream conf_v1alpha1.Upstream, cfgParams *ConfigParams) version2.Location {
 	return version2.Location{
 		Path:                 path,
@@ -269,7 +276,7 @@ func generateLocation(path string, upstreamName string, upstream conf_v1alpha1.U
 		ProxyBuffering:       cfgParams.ProxyBuffering,
 		ProxyBuffers:         cfgParams.ProxyBuffers,
 		ProxyBufferSize:      cfgParams.ProxyBufferSize,
-		ProxyPass:            fmt.Sprintf("http://%v", upstreamName),
+		ProxyPass:            fmt.Sprintf("%v://%v", generateProxyPassProtocol(upstream), upstreamName),
 		HasKeepalive:         upstreamHasKeepalive(upstream, cfgParams),
 	}
 }

diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go
@@ -868,6 +868,33 @@ func TestGenerateUpstreamForZeroEndpoints(t *testing.T) {
 	}
 }
 
+func TestGenerateProxyPassProtocol(t *testing.T) {
+	tests := []struct {
+		upstream conf_v1alpha1.Upstream
+		expected string
+	}{
+		{
+			upstream: conf_v1alpha1.Upstream{},
+			expected: "http",
+		},
+		{
+			upstream: conf_v1alpha1.Upstream{
+				TLS: conf_v1alpha1.UpstreamTLS{
+					Enable: true,
+				},
+			},
+			expected: "https",
+		},
+	}
+
+	for _, test := range tests {
+		result := generateProxyPassProtocol(test.upstream)
+		if result != test.expected {
+			t.Errorf("generateProxyPassProtocol() returned %v but expected %v", result, test.expected)
+		}
+	}
+}
+
 func TestGenerateLocation(t *testing.T) {
 	cfgParams := ConfigParams{
 		ProxyConnectTimeout:  "30s",

diff --git a/pkg/apis/configuration/v1alpha1/types.go b/pkg/apis/configuration/v1alpha1/types.go
@@ -25,16 +25,22 @@ type VirtualServerSpec struct {
 
 // Upstream defines an upstream.
 type Upstream struct {
-	Name                string `json:"name"`
-	Service             string `json:"service"`
-	Port                uint16 `json:"port"`
-	LBMethod            string `json:"lb-method"`
-	FailTimeout         string `json:"fail-timeout"`
-	MaxFails            *int   `json:"max-fails"`
-	Keepalive           *int   `json:"keepalive"`
-	ProxyConnectTimeout string `json:"connect-timeout"`
-	ProxyReadTimeout    string `json:"read-timeout"`
-	ProxySendTimeout    string `json:"send-timeout"`
+	Name                string      `json:"name"`
+	Service             string      `json:"service"`
+	Port                uint16      `json:"port"`
+	LBMethod            string      `json:"lb-method"`
+	FailTimeout         string      `json:"fail-timeout"`
+	MaxFails            *int        `json:"max-fails"`
+	Keepalive           *int        `json:"keepalive"`
+	ProxyConnectTimeout string      `json:"connect-timeout"`
+	ProxyReadTimeout    string      `json:"read-timeout"`
+	ProxySendTimeout    string      `json:"send-timeout"`
+	TLS                 UpstreamTLS `json:"tls"`
+}
+
+// UpstreamTLS defines a TLS configuration for an Upstream.
+type UpstreamTLS struct {
+	Enable bool `json:"enable"`
 }
 
 // Route defines a route.

diff --git a/pkg/apis/configuration/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/configuration/v1alpha1/zz_generated.deepcopy.go