From f98b57fdf4ce624245722c625758851475fddfe4 Mon Sep 17 00:00:00 2001
From: Piotr Majkrzak
Date: Thu, 12 Sep 2019 12:44:05 +0300
Subject: [PATCH] Fix wrong handling of insecure tls auth forward ingress annotation

---
 provider/kubernetes/kubernetes.go | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/provider/kubernetes/kubernetes.go b/provider/kubernetes/kubernetes.go
index a9b1403fd..4145354ad 100644
--- a/provider/kubernetes/kubernetes.go
+++ b/provider/kubernetes/kubernetes.go
@@ -993,12 +993,12 @@ func getForwardAuthConfig(i *extensionsv1beta1.Ingress, k8sClient Client) (*type
 	}
 
 	authSecretName := getStringValue(i.Annotations, annotationKubernetesAuthForwardTLSSecret, "")
-	if len(authSecretName) > 0 {
-		authSecretCert, authSecretKey, err := loadAuthTLSSecret(i.Namespace, authSecretName, k8sClient)
-		if err != nil {
-			return nil, fmt.Errorf("failed to load auth secret: %s", err)
-		}
+	authSecretCert, authSecretKey, err := loadAuthTLSSecret(i.Namespace, authSecretName, k8sClient)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load auth secret: %s", err)
+	}
+	if authSecretCert != "" || authSecretKey != "" {
 		forwardAuth.TLS = &types.ClientTLS{
 			Cert: authSecretCert,
 			Key:  authSecretKey,
@@ -1006,10 +1006,20 @@ func getForwardAuthConfig(i *extensionsv1beta1.Ingress, k8sClient Client) (*type
 		}
 	}
 
+	if forwardAuth.TLS == nil && label.Has(i.Annotations, getAnnotationName(i.Annotations, annotationKubernetesAuthForwardTLSInsecure)) {
+		forwardAuth.TLS = &types.ClientTLS{
+			InsecureSkipVerify: getBoolValue(i.Annotations, annotationKubernetesAuthForwardTLSInsecure, false),
+		}
+	}
+
 	return forwardAuth, nil
 }
 
 func loadAuthTLSSecret(namespace, secretName string, k8sClient Client) (string, string, error) {
+	if len(secretName) == 0 {
+		return "", "", nil
+	}
+
 	secret, exists, err := k8sClient.GetSecret(namespace, secretName)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to fetch secret %q/%q: %s", namespace, secretName, err)
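Review bot: The new guard `if authSecretCert != "" || authSecretKey != ""` lets a half-populated pair (certificate without key, or key without certificate) be handed to `types.ClientTLS`, unless loadAuthTLSSecret — whose body lies below this hunk — already rejects a secret holding only one of the two. If it does not, failing here is clearer than a later TLS handshake or key-pair error: `if (authSecretCert == "") != (authSecretKey == "") { return nil, fmt.Errorf("auth secret %q must contain both certificate and key", authSecretName) }`. The call now runs unconditionally and relies on loadAuthTLSSecret returning empty values for an empty name; a comment above it such as `// An empty secret name yields empty cert/key without error; client TLS is only configured when the secret supplied them.` would make that dependency visible to the next reader. getForwardAuthConfig begins above the hunk, so earlier handling of the forward-auth annotations cannot be checked from here.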
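Review bot: In the added block, checking `label.Has` and then reading `getBoolValue(..., false)` means an annotation explicitly set to `false` still produces a non-nil `types.ClientTLS{}` with no certificate and verification left on; whether downstream treats that empty struct differently from a nil TLS is not visible here. Testing the boolean directly avoids creating the empty struct: `if forwardAuth.TLS == nil && getBoolValue(i.Annotations, annotationKubernetesAuthForwardTLSInsecure, false) { forwardAuth.TLS = &types.ClientTLS{InsecureSkipVerify: true} }`. Because this path disables server-certificate verification towards the forward-auth endpoint, a warning-level log line naming the ingress when it is taken would give operators an audit trail for the weakened setting. The early return added to loadAuthTLSSecret changes its contract (an empty name is no longer an error), so the function should state it in a doc comment, e.g. `// loadAuthTLSSecret returns the certificate and key stored in the named secret; an empty secretName yields empty strings and no error.`; the function's body continues below the hunk.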