in pkg/appgw/ingress_rules.go [62:137]
// processIngressRuleWithTLS derives the Application Gateway listeners and the
// frontend ports one ingress rule needs, deciding between HTTP and HTTPS from
// the ingress TLS spec and its annotations.
//
// Protocol selection:
//   - HTTPS is configured when a certificate can be resolved for rule.Host,
//     either from the ingress TLS spec or from the appgw-ssl-certificate
//     annotation (the TLS spec takes precedence when both are present).
//   - HTTP is configured when no certificate is available, or in addition to
//     HTTPS when the ingress carries the ssl-redirect annotation; only in the
//     latter case does the HTTPS listener get a redirect configuration name.
//
// Returns the set of frontend ports used (keyed by port, values unused) and a
// map from listener identifier to its protocol/certificate/profile/redirect
// configuration.
func (c *appGwConfigBuilder) processIngressRuleWithTLS(rule *networking.IngressRule, ingress *networking.Ingress, env environment.EnvVariables) (map[Port]interface{}, map[listenerIdentifier]listenerAzConfig) {
	frontendPorts := make(map[Port]interface{})

	// Secrets declared in the ingress TLS spec, looked up by host.
	hostToSecret := c.newHostToSecretMap(ingress)
	listeners := make(map[listenerIdentifier]listenerAzConfig)

	// Annotation errors are deliberately not inspected in this function; the
	// returned value is used as-is (presumably the zero value when the
	// annotation is absent — verify against the annotations package).
	// Optional override of the default 80/443 listener ports.
	portFromAnnotation, _ := annotations.OverrideFrontendPort(ingress)
	frontendPortOverride := Port(portFromAnnotation)

	// The private frontend IP is selected by either the use-private-ip
	// annotation or the USE_PRIVATE_IP environment variable.
	privateIPAnnotated, _ := annotations.UsePrivateIP(ingress)
	usePrivateIP := privateIPAnnotated || env.UsePrivateIP

	sslCertAnnotation, _ := annotations.GetAppGwSslCertificate(ingress)
	if sslCertAnnotation != "" {
		// Logged with the namespace so the ingress carrying appgw-ssl-certificate can be located.
		klog.V(3).Infof("Found annotation appgw-ssl-certificate: %s in ingress %s/%s", sslCertAnnotation, ingress.Namespace, ingress.Name)
	}

	sslProfileAnnotation, _ := annotations.GetAppGwSslProfile(ingress)
	if sslProfileAnnotation != "" {
		// Logged with the namespace so the ingress carrying appgw-ssl-profile can be located.
		klog.V(3).Infof("Found annotation appgw-ssl-profile: %s in ingress %s/%s", sslProfileAnnotation, ingress.Namespace, ingress.Name)
	}

	cert, secretID := c.getCertificate(ingress, rule.Host, hostToSecret)
	tlsEnabled := cert != nil || sslCertAnnotation != ""
	redirectToHTTPS, _ := annotations.IsSslRedirect(ingress)

	if tlsEnabled {
		httpsID := generateListenerID(ingress, rule, n.ApplicationGatewayProtocolHTTPS, &frontendPortOverride, usePrivateIP)
		frontendPorts[Port(httpsID.FrontendPort)] = nil

		httpsConf := listenerAzConfig{Protocol: n.ApplicationGatewayProtocolHTTPS}
		// A redirect configuration is attached only when ssl-redirect is requested;
		// otherwise the name stays empty.
		if redirectToHTTPS {
			httpsConf.SslRedirectConfigurationName = generateSSLRedirectConfigurationName(httpsID)
		}

		switch {
		case cert != nil:
			// A certificate from the TLS spec wins; appgw-ssl-certificate is ignored.
			httpsConf.Secret = *secretID
		case sslCertAnnotation != "":
			// The annotated certificate is referenced by name only: Namespace is
			// left empty so the lookup is not scoped to this ingress's namespace.
			httpsConf.Secret = secretIdentifier{
				Name:      sslCertAnnotation,
				Namespace: "",
			}
		}

		if sslProfileAnnotation != "" {
			httpsConf.SslProfile = sslProfileAnnotation
		}
		listeners[httpsID] = httpsConf
	}

	// An HTTP listener is needed when there is no TLS at all, or alongside
	// HTTPS when ssl-redirect is set. Note that ssl-redirect without any
	// certificate simply yields a plain HTTP listener — no redirect is generated.
	if !tlsEnabled || redirectToHTTPS {
		httpID := generateListenerID(ingress, rule, n.ApplicationGatewayProtocolHTTP, &frontendPortOverride, usePrivateIP)
		frontendPorts[Port(httpID.FrontendPort)] = nil
		listeners[httpID] = listenerAzConfig{
			Protocol: n.ApplicationGatewayProtocolHTTP,
		}
	}

	return frontendPorts, listeners
}