Merge pull request #23500 from tam7t/tls-sni-routing
Auto commit by PR queue bot
k8s-merge-robot committed Mar 29, 2016
2 parents e35efb5 + 4d22c2f commit fb5181a
Showing 9 changed files with 18 additions and 31 deletions.
2 changes: 1 addition & 1 deletion api/swagger-spec/extensions_v1beta1.json
Expand Up @@ -8291,7 +8291,7 @@
"items": {
"$ref": "v1beta1.IngressTLS"
},
"description": "TLS configuration. Currently the Ingress only supports a single TLS port, 443, and assumes TLS termination. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension."
"description": "TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI."
},
"rules": {
"type": "array",
4 changes: 2 additions & 2 deletions docs/api-reference/extensions/v1beta1/definitions.html
Expand Up @@ -806,7 +806,7 @@ <h3 id="_v1beta1_ingressspec">v1beta1.IngressSpec</h3>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">tls</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">TLS configuration. Currently the Ingress only supports a single TLS port, 443, and assumes TLS termination. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_ingresstls">v1beta1.IngressTLS</a> array</p></td>
<td class="tableblock halign-left valign-top"></td>
Expand Down Expand Up @@ -5910,7 +5910,7 @@ <h3 id="_any">any</h3>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2016-03-25 18:19:00 UTC
Last updated 2016-03-28 22:44:09 UTC
</div>
</div>
</body>
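--- a/pkg/apis/extensions/types.go
+++ b/pkg/apis/extensions/types.go
@@ -655,10 +655,11 @@ type IngressSpec struct {
 // specify a global default.
 Backend *IngressBackend `json:"backend,omitempty"`
 
-// TLS is the TLS configuration. Currently the Ingress only supports a single TLS
-// port, 443, and assumes TLS termination. If multiple members of this
-// list specify different hosts, they will be multiplexed on the same
-// port according to the hostname specified through the SNI TLS extension.
+// TLS configuration. Currently the Ingress only supports a single TLS
+// port, 443. If multiple members of this list specify different hosts, they
+// will be multiplexed on the same port according to the hostname specified
+// through the SNI TLS extension, if the ingress controller fulfilling the
+// ingress supports SNI.
 TLS []IngressTLS `json:"tls,omitempty"`
 
 // A list of host rules used to configure the Ingress. If unspecified, or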
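Review bot: The rewritten comment on `TLS` drops "and assumes TLS termination" without saying what an entry means when no certificate is attached, while the validation.go section of this commit stops requiring `secretName`. As written, a reader cannot tell whether an entry without a secret is passed through, routed by SNI or ignored, nor what a controller without SNI support does when several hosts are listed. I would add a sentence such as `// An entry without a secretName is not terminated by the Ingress; how it is handled depends on the controller.` if that is the intent; this is inferred, since the IngressTLS definition lies outside the hunk. The same comment in pkg/apis/extensions/v1beta1/types.go needs the matching sentence, and the generated swagger and HTML descriptions follow from it.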
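--- a/pkg/apis/extensions/v1beta1/types.go
+++ b/pkg/apis/extensions/v1beta1/types.go
@@ -667,9 +667,10 @@ type IngressSpec struct {
 Backend *IngressBackend `json:"backend,omitempty"`
 
 // TLS configuration. Currently the Ingress only supports a single TLS
-// port, 443, and assumes TLS termination. If multiple members of this
-// list specify different hosts, they will be multiplexed on the same
-// port according to the hostname specified through the SNI TLS extension.
+// port, 443. If multiple members of this list specify different hosts, they
+// will be multiplexed on the same port according to the hostname specified
+// through the SNI TLS extension, if the ingress controller fulfilling the
+// ingress supports SNI.
 TLS []IngressTLS `json:"tls,omitempty"`
 
 // A list of host rules used to configure the Ingress. If unspecified, or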
2 changes: 1 addition & 1 deletion pkg/apis/extensions/v1beta1/types_swagger_doc_generated.go
Expand Up @@ -322,7 +322,7 @@ func (IngressRuleValue) SwaggerDoc() map[string]string {
var map_IngressSpec = map[string]string{
"": "IngressSpec describes the Ingress the user wishes to exist.",
"backend": "A default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default.",
"tls": "TLS configuration. Currently the Ingress only supports a single TLS port, 443, and assumes TLS termination. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension.",
"tls": "TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.",
"rules": "A list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.",
}

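--- a/pkg/apis/extensions/validation/validation.go
+++ b/pkg/apis/extensions/validation/validation.go
@@ -526,13 +526,6 @@ func ValidateIngressName(name string, prefix bool) (bool, string) {
 
 func validateIngressTLS(spec *extensions.IngressSpec, fldPath *field.Path) field.ErrorList {
 allErrs := field.ErrorList{}
-// Currently the Ingress only supports HTTP(S), so a secretName is required.
-// This will not be the case if we support SSL routing at L4 via SNI.
-for i, t := range spec.TLS {
-if t.SecretName == "" {
-allErrs = append(allErrs, field.Required(fldPath.Index(i).Child("secretName"), spec.TLS[i].SecretName))
-}
-}
 // TODO: Perform a more thorough validation of spec.TLS.Hosts that takes
 // the wildcard spec from RFC 6125 into account.
 return allErrs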
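--- a/pkg/apis/extensions/validation/validation_test.go
+++ b/pkg/apis/extensions/validation/validation_test.go
@@ -1327,8 +1327,6 @@ func TestValidateIngress(t *testing.T) {
 badHostIP := newValid()
 badHostIP.Spec.Rules[0].Host = hostIP
 badHostIPErr := fmt.Sprintf("spec.rules[0].host: Invalid value: '%v'", hostIP)
-noSecretName := newValid()
-noSecretName.Spec.TLS = []extensions.IngressTLS{{SecretName: ""}}
 
 errorCases := map[string]extensions.Ingress{
 "spec.backend.serviceName: Required value": servicelessBackend,
@@ -1337,7 +1335,6 @@ func TestValidateIngress(t *testing.T) {
 "spec.rules[0].host: Invalid value": badHost,
 "spec.rules[0].http.paths: Required value": noPaths,
 "spec.rules[0].http.paths[0].path: Invalid value": noForwardSlashPath,
-"spec.tls[0].secretName: Required value": noSecretName,
 }
 errorCases[badPathErr] = badRegexPath
 errorCases[badHostIPErr] = badHostIP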
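--- a/pkg/kubectl/describe.go
+++ b/pkg/kubectl/describe.go
@@ -1264,7 +1264,11 @@ func (i *IngressDescriber) describeIngress(ing *extensions.Ingress) (string, err
 func describeIngressTLS(out io.Writer, ingTLS []extensions.IngressTLS) {
 fmt.Fprintf(out, "TLS:\n")
 for _, t := range ingTLS {
-fmt.Fprintf(out, " %v terminates %v\n", t.SecretName, strings.Join(t.Hosts, ","))
+if t.SecretName == "" {
+fmt.Fprintf(out, " SNI routes %v\n", strings.Join(t.Hosts, ","))
+} else {
+fmt.Fprintf(out, " %v terminates %v\n", t.SecretName, strings.Join(t.Hosts, ","))
+}
 }
 return
 }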
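Review bot: The new `t.SecretName == ""` branch in describeIngressTLS prints `SNI routes <hosts>` for every entry without a secret, but nothing visible here establishes that such an entry is really routed by SNI; the updated API comment in this commit makes SNI handling conditional on the controller. An operator reading `kubectl describe` could take that line as confirmation that TLS is handled for those hosts when no certificate is configured at all. A neutral label avoids the claim, for example `fmt.Fprintf(out, " %v has no TLS secret (handling depends on the ingress controller)\n", strings.Join(t.Hosts, ","))`. Since the validation.go section of this commit no longer rejects an empty secretName, an entry with neither hosts nor a secret would print a bare `SNI routes` and may deserve its own case.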
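--- a/pkg/registry/ingress/etcd/etcd_test.go
+++ b/pkg/registry/ingress/etcd/etcd_test.go
@@ -163,15 +163,6 @@ func TestUpdate(t *testing.T) {
 "foo.bar.com": {"/invalid[": "svc"}})
 return object
 },
-
-func(obj runtime.Object) runtime.Object {
-object := obj.(*extensions.Ingress)
-object.Spec.TLS = append(object.Spec.TLS, extensions.IngressTLS{
-Hosts: []string{"foo.bar.com"},
-SecretName: "",
-})
-return object
-},
 )
 }
 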

1 comment on commit fb5181a

@k8s-teamcity-mesosphere


TeamCity OSS :: Kubernetes Mesos :: 4 - Smoke Tests Build 20132 outcome was SUCCESS
Summary: Tests passed: 1, ignored: 267 Build time: 00:08:54
