disable TLS per domain suffix

docs/operator_guide.md

@@ -146,6 +146,7 @@ Used to configure how the ingress will be annotated for issuing a TLS certificat
 * `tls-certificate-issuer` sets the _value_ of the annotation, for example to decide between production and staging versions of an issuer in different namespaces
 * `tls-certificate-issuer-type-default` sets the default for the _key_ of the annotation, for example to use either `certmanager.k8s.io/cluster-issuer` (the default) or `certmanager.k8s.io/issuer`
 * `tls-certificate-issuer-type-overrides` allows specifying a mapping between the suffix of a domain and the issuer-type, to override the default. For example, assuming the 'cluster-issuer' type as the default, then specifying `--tls-certificate-issuer-type-overrides foo.example.com=certmanager.k8s.io/issuer` would mean that foo.example.com and any of its subdomains will use the 'issuer' type instead. In the case of multiple matching suffixes, the more specific (i.e. longest) will be used.
+* `disable-tls-for-domain-suffixes` disable tls for specified domain suffixes when `use-ingress-tls` is set to `default_on`. for example if you to enable tls for all domain suffixes except `internal.example.com` set `disable-tls-for-domain-suffixes internal.example.com` .
 
 ### use-in-memory-emptydirs
 

fiaas_deploy_daemon/config.py

@@ -74,7 +74,7 @@
 Enable fiaas-deploy-daemon to extend ingress objects to support https.
 
 Option `default_on` will, when creating ingress objects for an application, enable https unless explicitly set to
-disabled in the configuration for an application.
+disabled in the configuration for an application. You can also disable https for specific domains by setting --disable-tls-for-domain-suffixes.
 
 Option `default_off` will, when creating ingress objects for an application, not enable https unless explicitly set
 to enabled in the configuration for an application.
@@ -257,6 +257,9 @@ def _parse_args(self, args):
         tls_parser.add_argument("--tls-certificate-issuer-type-overrides", help="Issuers to use for specified domain suffixes",
                                 default=[],
                                 action="append", type=KeyValue, dest="tls_certificate_issuer_type_overrides")
+        tls_parser.add_argument("--disable-tls-for-domain-suffixes", help="Disable tls for specified domain suffixes when --use-ingress-tls is set to default_on",
+                                default=[],
+                                action="append", dest="disable_tls_for_domain_suffixes")
 
         parser.parse_args(args, namespace=self)
         self.global_env = {env_var.key: env_var.value for env_var in self.global_env}

fiaas_deploy_daemon/deployer/kubernetes/ingress.py

@@ -240,11 +240,12 @@ class IngressTls(object):
     def __init__(self, config):
         self._use_ingress_tls = config.use_ingress_tls
         self._cert_issuer = config.tls_certificate_issuer
+        self._disable_tls_for_domain_suffixes = config.disable_tls_for_domain_suffixes
         self._shortest_suffix = sorted(config.ingress_suffixes, key=len)[0] if config.ingress_suffixes else None
         self.enable_deprecated_tls_entry_per_host = config.enable_deprecated_tls_entry_per_host
 
     def apply(self, ingress, app_spec, hosts, issuer_type, use_suffixes=True):
-        if self._should_have_ingress_tls(app_spec):
+        if self._should_have_ingress_tls(app_spec,hosts):
             tls_annotations = {}
             if self._cert_issuer or app_spec.ingress_tls.certificate_issuer:
                 issuer = app_spec.ingress_tls.certificate_issuer if app_spec.ingress_tls.certificate_issuer else self._cert_issuer
@@ -279,11 +280,19 @@ def _collapse_hosts(self, app_spec, hosts):
                 LOG.error("Failed to generate a short name to use as Common Name")
         return hosts
 
-    def _should_have_ingress_tls(self, app_spec):
+    def _should_have_ingress_tls(self, app_spec, hosts):
+        print(app_spec.ingress_tls.enabled)
         if self._use_ingress_tls == 'disabled' or app_spec.ingress_tls.enabled is False:
             return False
+        elif app_spec.ingress_tls.enabled:
+            return True
         else:
-            return self._use_ingress_tls == 'default_on' or app_spec.ingress_tls.enabled is True
+            #Check if tls is disabled for any host of the ingress
+            for suffix in self._disable_tls_for_domain_suffixes:
+                for host in hosts:
+                    if host == suffix or host.endswith("." + suffix):
+                        return False
+            return self._use_ingress_tls == 'default_on'
 
     def _generate_short_host(self, app_spec):
         h = hashlib.sha1()

tests/fiaas_deploy_daemon/deployer/kubernetes/test_ingress_deploy.py

@@ -712,56 +712,66 @@ def tls(self, request, config):
         config.tls_certificate_issuer = request.param["cert_issuer"]
         config.ingress_suffixes = ["short.suffix", "really.quite.long.suffix"]
         config.enable_deprecated_tls_entry_per_host = request.param["enable_deprecated_tls_entry_per_host"]
+        config.disable_tls_for_domain_suffixes = request.param["disable_tls_for_domain_suffixes"]
         return IngressTls(config)
 
     @pytest.mark.parametrize("tls, app_spec, spec_tls, issuer_type, tls_annotations", [
-        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": ["common.name"]},
+          app_spec(ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None)),
+        [], DEFAULT_TLS_ISSUER, None), 
+        ({"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": ["common.name"]},
+          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)),
+        [], DEFAULT_TLS_ISSUER, None),    
+        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": ["common.name"]},
+          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)),
+        INGRESS_SPEC_TLS, DEFAULT_TLS_ISSUER, {"kubernetes.io/tls-acme": "true"}),    
+        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)),
          INGRESS_SPEC_TLS, DEFAULT_TLS_ISSUER, {"kubernetes.io/tls-acme": "true"}),
-        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None)), [], DEFAULT_TLS_ISSUER, None),
-        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)),
          INGRESS_SPEC_TLS, DEFAULT_TLS_ISSUER, {"kubernetes.io/tls-acme": "true"}),
-        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None)), [], DEFAULT_TLS_ISSUER, None),
-        ({"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)), [], DEFAULT_TLS_ISSUER, None),
-        ({"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None)), [], DEFAULT_TLS_ISSUER, None),
-        ({"use_ingress_tls": "default_off", "cert_issuer": "letsencrypt", "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "default_off", "cert_issuer": "letsencrypt", "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)),
          INGRESS_SPEC_TLS,
          "overwrite-issuer",
          {"overwrite-issuer": "letsencrypt"}),
-        ({"use_ingress_tls": "default_off", "cert_issuer": "letsencrypt", "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "default_off", "cert_issuer": "letsencrypt", "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)),
          INGRESS_SPEC_TLS,
          DEFAULT_TLS_ISSUER,
          DEFAULT_TLS_ANNOTATIONS),
-        ({"use_ingress_tls": "default_off", "cert_issuer": "letsencrypt", "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "default_off", "cert_issuer": "letsencrypt", "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer="myoverwrite")),
          INGRESS_SPEC_TLS,
          DEFAULT_TLS_ISSUER,
          {"certmanager.k8s.io/cluster-issuer": "myoverwrite"}),
-        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True},
+        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": True, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer="myoverwrite")),
          INGRESS_SPEC_TLS,
          DEFAULT_TLS_ISSUER,
          {"certmanager.k8s.io/cluster-issuer": "myoverwrite"}),
-        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False},
+        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)),
          INGRESS_SPEC_TLS_COLLAPSED_ONLY, DEFAULT_TLS_ISSUER, {"kubernetes.io/tls-acme": "true"}),
-        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False},
+        ({"use_ingress_tls": "default_off", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None)), [], DEFAULT_TLS_ISSUER, None),
-        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False},
+        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)),
          INGRESS_SPEC_TLS_COLLAPSED_ONLY, DEFAULT_TLS_ISSUER, {"kubernetes.io/tls-acme": "true"}),
-        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False},
+        ({"use_ingress_tls": "default_on", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None)), [], DEFAULT_TLS_ISSUER, None),
-        ({"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False},
+        ({"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=True, certificate_issuer=None)), [], DEFAULT_TLS_ISSUER, None),
-        ({"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False},
+        ({"use_ingress_tls": "disabled", "cert_issuer": None, "enable_deprecated_tls_entry_per_host": False, "disable_tls_for_domain_suffixes": []},
          app_spec(ingress_tls=IngressTlsSpec(enabled=False, certificate_issuer=None)), [], DEFAULT_TLS_ISSUER, None),
     ], indirect=['tls'])
     def test_apply_tls(self, tls, app_spec, spec_tls, issuer_type, tls_annotations):

tests/fiaas_deploy_daemon/test_config.py

@@ -167,6 +167,14 @@ def test_tls_issuers(self):
             "foo.bar.com": "issuer",
             "woo.foo.bar.com": "other"
         }
+    def test_disable_tls_for_domain_suffixes(self):
+        disable_tls_for_domain_suffixes = ["foo.bar.com", "example.foo.bar.org"]
+        args = ["--disable-tls-for-domain-suffixes=%s" % suffix for suffix in disable_tls_for_domain_suffixes]
+        config = Configuration(args)
+        assert config.disable_tls_for_domain_suffixes == [
+            "foo.bar.com",
+            "example.foo.bar.org"
+        ]
 
 
 class TestHostRewriteRule(object):