HTTPS Termination #140

kate-osborn · 2022-07-12T16:50:35Z

This commit adds support for HTTPS listeners with a TLS mode of Terminate.
Multiple HTTPS listeners are supported provided their hostnames do not conflict.
Additionally, a gateway can have an HTTP and HTTPS listener with the same
hostname.

Limitations:

HTTPS listeners must listen on port 443
Supports a single reference to a Kubernetes Secret of type kubernetes.io/tls
Secret must be in the same namespace as the Gateway
Secret must be created before the HTTPRoutes are created
Secret rotation is not supported

Checklist

I have read the CONTRIBUTING doc
I have added tests that prove my fix is effective or that my feature works
I have checked that all unit tests pass after adding my changes
I have updated necessary documentation
I have rebased my branch onto main
I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

internal/implementations/secret/secret_test.go

pleshakov

Hi @kate-osborn Please see my review

internal/events/loop.go

internal/manager/manager.go

internal/nginx/config/template.go

internal/state/graph.go

internal/state/secrets.go

internal/state/configuration_test.go

internal/state/graph_test.go

internal/state/secrets_test.go

This commit adds support for HTTPS listeners with a TLS mode of Terminate. Multiple HTTPS listeners are supported provided their hostnames do not conflict. Additionally, a gateway can have an HTTP and HTTPS listener with the same hostname. Limitations: - HTTPS listeners must listen on port 443 - Supports a single reference to a Kubernetes Secret of type kubernetes.io/tls - Secret must be in the same namespace as the Gateway - Secret must be created before the HTTPRoutes are created - Secret rotation is not supported

…estedSecrets

pleshakov

hi @kate-osborn
a few more suggestions and questions based on the new code

examples/advanced-routing/gateway.yaml

internal/nginx/config/generator.go

internal/state/change_processor_test.go

internal/state/listener.go

internal/state/secrets.go

internal/state/secrets_test.go

pleshakov

a few more comments/suggestions

internal/state/file_manager.go

internal/state/secrets_test.go

pleshakov

👍

kate-osborn requested review from pleshakov and f5yacobucci July 12, 2022 16:50

kate-osborn commented Jul 12, 2022

View reviewed changes

internal/implementations/secret/secret_test.go Outdated Show resolved Hide resolved

pleshakov suggested changes Jul 14, 2022

View reviewed changes

kate-osborn added 26 commits July 18, 2022 17:40

Add nolint for test certs

e33be3a

Another nolint

514c63f

Last nolint

79b1daa

Lint warning fixes

23f91c8

Add event loop config object

62fdc19

Const block

365abb3

Add listener file to state package

209288d

Fix secret filepath

fa85921

Remove ignored namespaces

8da6df2

Fix len comparison

374a6ec

Indent if/else/end block in template

d4bcc0a

rules -> rulesPerHost

e8a5194

secretCache -> secretStore

643129b

SecretMemoryManager -> SecretDiskMemoryManager

1f1bdbf

store -> request

ed16702

Do not use default server secret

5a9c672

Fix test httproute names

57a81dd

Don't configure invalid listeners

64b8222

collision -> collisions

4b6b9ad

validateHTTPSListener

bfb6c7b

Fix up secrets tests and rename WriteAllStoredSecrets to WriteAllRequ…

8bfd551

…estedSecrets

Generate default http server

7c34024

HTTPServer -> VirtualServer and HTTPSServers -> SSLServers

445974e

Fix missing semicolon

3d1d472

Change ns of gateway in example

84adfd0

kate-osborn added 2 commits July 19, 2022 10:36

Add gateways to each example

623f125

Standardize on implementation package and add test suite files

f2b6cbe

kate-osborn force-pushed the tls-termination branch from 10a9e0e to f2b6cbe Compare July 19, 2022 16:58

kate-osborn added 2 commits July 19, 2022 11:07

Fix linting error

1405fc0

Fix some typos

97a4921

kate-osborn requested a review from pleshakov July 19, 2022 18:31

pleshakov suggested changes Jul 20, 2022

View reviewed changes

kate-osborn added 8 commits July 21, 2022 09:28

Add FileManager interface to unit test file i/o

02fde36

Move listener tests into listener_test.go

6f8a3dc

Remove namespace from example resources

a8e4a54

Update capacity

08a84db

Add fixme

d05d2c1

Add doc string

67958f6

Fix typo

2909f0e

Add fixme for concurrency question

9eb07ec

kate-osborn requested a review from pleshakov July 21, 2022 17:47

pleshakov reviewed Jul 22, 2022

View reviewed changes

internal/state/file_manager.go Show resolved Hide resolved

internal/state/secrets_test.go Outdated Show resolved Hide resolved

internal/state/secrets_test.go Outdated Show resolved Hide resolved

internal/state/secrets_test.go Outdated Show resolved Hide resolved

kate-osborn added 4 commits July 25, 2022 08:59

Move file i/o tests under secret disk memory manager describe

37571b6

Use impl in tests

5070b28

Rewrite error tests as table

57472ba

Fix template spacing

530249e

pleshakov approved these changes Jul 27, 2022

View reviewed changes

kate-osborn merged commit 1e4b4d2 into nginxinc:main Jul 27, 2022

lucacome added the enhancement New feature or request label Aug 19, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

HTTPS Termination #140

HTTPS Termination #140

kate-osborn commented Jul 12, 2022

pleshakov left a comment

pleshakov left a comment

pleshakov left a comment

pleshakov left a comment

HTTPS Termination #140

HTTPS Termination #140

Conversation

kate-osborn commented Jul 12, 2022

Checklist

pleshakov left a comment

Choose a reason for hiding this comment

pleshakov left a comment

Choose a reason for hiding this comment

pleshakov left a comment

Choose a reason for hiding this comment

pleshakov left a comment

Choose a reason for hiding this comment