disable tls for a specific daomain suffix

fiaas · Nov 29, 2021 · 9be2b76 · 9be2b76
1 parent 9787b51
commit 9be2b76
Show file tree

Hide file tree

Showing 12 changed files with 391 additions and 60 deletions.
diff --git a/docs/operator_guide.md b/docs/operator_guide.md
@@ -146,6 +146,7 @@ Used to configure how the ingress will be annotated for issuing a TLS certificat
 * `tls-certificate-issuer` sets the _value_ of the annotation, for example to decide between production and staging versions of an issuer in different namespaces
 * `tls-certificate-issuer-type-default` sets the default for the _key_ of the annotation, for example to use either `certmanager.k8s.io/cluster-issuer` (the default) or `certmanager.k8s.io/issuer`
 * `tls-certificate-issuer-type-overrides` allows specifying a mapping between the suffix of a domain and the issuer-type, to override the default. For example, assuming the 'cluster-issuer' type as the default, then specifying `--tls-certificate-issuer-type-overrides foo.example.com=certmanager.k8s.io/issuer` would mean that foo.example.com and any of its subdomains will use the 'issuer' type instead. In the case of multiple matching suffixes, the more specific (i.e. longest) will be used.
+* `tls-certificate-issuer-disable-for-domain-suffixes` disable tls for specified domain suffixes when `use-ingress-tls` is set to `default_on`. for example if you to enable tls for all domain suffixes except `internal.example.com` set `tls-certificate-issuer-disable-for-domain-suffixes internal.example.com` .
 
 ### use-in-memory-emptydirs
 

diff --git a/fiaas_deploy_daemon/config.py b/fiaas_deploy_daemon/config.py
@@ -74,7 +74,7 @@
 Enable fiaas-deploy-daemon to extend ingress objects to support https.
 
 Option `default_on` will, when creating ingress objects for an application, enable https unless explicitly set to
-disabled in the configuration for an application.
+disabled in the configuration for an application. You can also disable https for specific domains by setting --tls-certificate-issuer-disable-for-domain-suffixes.
 
 Option `default_off` will, when creating ingress objects for an application, not enable https unless explicitly set
 to enabled in the configuration for an application.
@@ -267,6 +267,9 @@ def _parse_args(self, args):
         tls_parser.add_argument("--tls-certificate-issuer-type-overrides", help="Issuers to use for specified domain suffixes",
                                 default=[],
                                 action="append", type=KeyValue, dest="tls_certificate_issuer_type_overrides")
+        tls_parser.add_argument("--tls-certificate-issuer-disable-for-domain-suffixes", help="Disable tls for specified domain suffixes when --use-ingress-tls is set to default_on",
+                                default=[],
+                                action="append", dest="tls_certificate_issuer_disable_for_domain_suffixes")
 
         parser.parse_args(args, namespace=self)
         self.global_env = {env_var.key: env_var.value for env_var in self.global_env}

diff --git a/fiaas_deploy_daemon/deployer/kubernetes/ingress.py b/fiaas_deploy_daemon/deployer/kubernetes/ingress.py
@@ -122,29 +122,39 @@ def _group_ingresses(self, app_spec):
                                            default=True)
         ingresses = [default_ingress]
         override_issuer_ingresses = {}
+        notls_ingresses = {}
         for ingress_item in ingress_items:
             issuer_type = self._get_issuer_type(ingress_item.host)
             next_name = "{}-{}".format(app_spec.name, len(ingresses))
             if ingress_item.annotations:
                 annotated_ingresses = AnnotatedIngress(name=next_name, ingress_items=[ingress_item],
-                                                       annotations=ingress_item.annotations,
-                                                       explicit_host=True, issuer_type=issuer_type,
-                                                       default=False)
+                                                        annotations=ingress_item.annotations,
+                                                        explicit_host=True, issuer_type=issuer_type,
+                                                        default=False)
                 ingresses.append(annotated_ingresses)
+            elif self._ingress_tls._should_disable_ingress_tls([ingress_item.host]) is True:
+                notls_ingress = notls_ingresses.setdefault("no_tls",
+                                                                            AnnotatedIngress(name=next_name,
+                                                                                            ingress_items=[],
+                                                                                            annotations={},
+                                                                                            explicit_host=explicit_host,
+                                                                                            issuer_type=issuer_type,
+                                                                                            default=False))
+                notls_ingress.ingress_items.append(ingress_item)
             elif issuer_type != self._tls_issuer_type_default:
                 annotated_ingress = override_issuer_ingresses.setdefault(issuer_type,
-                                                                         AnnotatedIngress(name=next_name,
-                                                                                          ingress_items=[],
-                                                                                          annotations={},
-                                                                                          explicit_host=explicit_host,
-                                                                                          issuer_type=issuer_type,
-                                                                                          default=False))
+                                                                            AnnotatedIngress(name=next_name,
+                                                                                            ingress_items=[],
+                                                                                            annotations={},
+                                                                                            explicit_host=explicit_host,
+                                                                                            issuer_type=issuer_type,
+                                                                                            default=False))
                 annotated_ingress.ingress_items.append(ingress_item)
             else:
                 default_ingress.ingress_items.append(ingress_item)
 
         ingresses.extend(i for i in override_issuer_ingresses.values())
-
+        ingresses.extend(i for i in notls_ingresses.values())
         return ingresses
 
     @retry_on_upsert_conflict
@@ -240,11 +250,12 @@ class IngressTls(object):
     def __init__(self, config):
         self._use_ingress_tls = config.use_ingress_tls
         self._cert_issuer = config.tls_certificate_issuer
+        self._tls_certificate_issuer_disable_for_domain_suffixes = config.tls_certificate_issuer_disable_for_domain_suffixes
         self._shortest_suffix = sorted(config.ingress_suffixes, key=len)[0] if config.ingress_suffixes else None
         self.enable_deprecated_tls_entry_per_host = config.enable_deprecated_tls_entry_per_host
 
     def apply(self, ingress, app_spec, hosts, issuer_type, use_suffixes=True):
-        if self._should_have_ingress_tls(app_spec):
+        if self._should_have_ingress_tls(app_spec,hosts):
             tls_annotations = {}
             if self._cert_issuer or app_spec.ingress_tls.certificate_issuer:
                 issuer = app_spec.ingress_tls.certificate_issuer if app_spec.ingress_tls.certificate_issuer else self._cert_issuer
@@ -279,11 +290,23 @@ def _collapse_hosts(self, app_spec, hosts):
                 LOG.error("Failed to generate a short name to use as Common Name")
         return hosts
 
-    def _should_have_ingress_tls(self, app_spec):
+    def _should_have_ingress_tls(self, app_spec, hosts):
         if self._use_ingress_tls == 'disabled' or app_spec.ingress_tls.enabled is False:
             return False
-        else:
-            return self._use_ingress_tls == 'default_on' or app_spec.ingress_tls.enabled is True
+        elif app_spec.ingress_tls.enabled is True:
+            return True
+        elif self._should_disable_ingress_tls(hosts) is True:
+            return False
+        else: 
+            return self._use_ingress_tls == 'default_on'
+
+    def _should_disable_ingress_tls(self, hosts):
+        #Check if any ingress host is part of atleast one domain suffix that shoudln't have tls 
+        for suffix in self._tls_certificate_issuer_disable_for_domain_suffixes:
+            for host in hosts:
+                if host == suffix or host.endswith("." + suffix):
+                    return True
+        return False
 
     def _generate_short_host(self, app_spec):
         h = hashlib.sha1()