in internal/ingress/controller/controller.go [1114:1373]
func (n *NGINXController) createServers(data []*ingress.Ingress,
upstreams map[string]*ingress.Backend,
du *ingress.Backend) map[string]*ingress.Server {
servers := make(map[string]*ingress.Server, len(data))
allAliases := make(map[string][]string, len(data))
bdef := n.store.GetDefaultBackend()
ngxProxy := proxy.Config{
BodySize: bdef.ProxyBodySize,
ConnectTimeout: bdef.ProxyConnectTimeout,
SendTimeout: bdef.ProxySendTimeout,
ReadTimeout: bdef.ProxyReadTimeout,
BuffersNumber: bdef.ProxyBuffersNumber,
BufferSize: bdef.ProxyBufferSize,
CookieDomain: bdef.ProxyCookieDomain,
CookiePath: bdef.ProxyCookiePath,
NextUpstream: bdef.ProxyNextUpstream,
NextUpstreamTimeout: bdef.ProxyNextUpstreamTimeout,
NextUpstreamTries: bdef.ProxyNextUpstreamTries,
RequestBuffering: bdef.ProxyRequestBuffering,
ProxyRedirectFrom: bdef.ProxyRedirectFrom,
ProxyBuffering: bdef.ProxyBuffering,
ProxyHTTPVersion: bdef.ProxyHTTPVersion,
ProxyMaxTempFileSize: bdef.ProxyMaxTempFileSize,
}
// initialize default server and root location
pathTypePrefix := networking.PathTypePrefix
servers[defServerName] = &ingress.Server{
Hostname: defServerName,
SSLCert: n.getDefaultSSLCertificate(),
Locations: []*ingress.Location{
{
Path: rootLocation,
PathType: &pathTypePrefix,
IsDefBackend: true,
Backend: du.Name,
Proxy: ngxProxy,
Service: du.Service,
Logs: log.Config{
Access: n.store.GetBackendConfiguration().EnableAccessLogForDefaultBackend,
Rewrite: false,
},
},
}}
// initialize all other servers
for _, ing := range data {
ingKey := k8s.MetaNamespaceKey(ing)
anns := ing.ParsedAnnotations
if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
dropSnippetDirectives(anns, ingKey)
}
// default upstream name
un := du.Name
if anns.Canary.Enabled {
klog.V(2).Infof("Ingress %v is marked as Canary, ignoring", ingKey)
continue
}
if ing.Spec.DefaultBackend != nil && ing.Spec.DefaultBackend.Service != nil {
defUpstream := upstreamName(ing.Namespace, ing.Spec.DefaultBackend.Service)
if backendUpstream, ok := upstreams[defUpstream]; ok {
// use backend specified in Ingress as the default backend for all its rules
un = backendUpstream.Name
// special "catch all" case, Ingress with a backend but no rule
defLoc := servers[defServerName].Locations[0]
defLoc.Backend = backendUpstream.Name
defLoc.Service = backendUpstream.Service
defLoc.Ingress = ing
if defLoc.IsDefBackend && len(ing.Spec.Rules) == 0 {
klog.V(2).Infof("Ingress %q defines a backend but no rule. Using it to configure the catch-all server %q", ingKey, defServerName)
defLoc.IsDefBackend = false
// TODO: Redirect and rewrite can affect the catch all behavior, skip for now
originalRedirect := defLoc.Redirect
originalRewrite := defLoc.Rewrite
locationApplyAnnotations(defLoc, anns)
defLoc.Redirect = originalRedirect
defLoc.Rewrite = originalRewrite
} else {
klog.V(3).Infof("Ingress %q defines both a backend and rules. Using its backend as default upstream for all its rules.", ingKey)
}
}
}
for _, rule := range ing.Spec.Rules {
host := rule.Host
if host == "" {
host = defServerName
}
if _, ok := servers[host]; ok {
// server already configured
continue
}
loc := &ingress.Location{
Path: rootLocation,
PathType: &pathTypePrefix,
IsDefBackend: true,
Backend: un,
Ingress: ing,
Service: &apiv1.Service{},
}
locationApplyAnnotations(loc, anns)
servers[host] = &ingress.Server{
Hostname: host,
Locations: []*ingress.Location{
loc,
},
SSLPassthrough: anns.SSLPassthrough,
SSLCiphers: anns.SSLCipher.SSLCiphers,
SSLPreferServerCiphers: anns.SSLCipher.SSLPreferServerCiphers,
}
}
}
// configure default location, alias, and SSL
for _, ing := range data {
ingKey := k8s.MetaNamespaceKey(ing)
anns := ing.ParsedAnnotations
if !n.store.GetBackendConfiguration().AllowSnippetAnnotations {
dropSnippetDirectives(anns, ingKey)
}
if anns.Canary.Enabled {
klog.V(2).Infof("Ingress %v is marked as Canary, ignoring", ingKey)
continue
}
for _, rule := range ing.Spec.Rules {
host := rule.Host
if host == "" {
host = defServerName
}
if len(servers[host].Aliases) == 0 {
servers[host].Aliases = anns.Aliases
if aliases := allAliases[host]; len(aliases) == 0 {
allAliases[host] = anns.Aliases
}
} else {
klog.Warningf("Aliases already configured for server %q, skipping (Ingress %q)", host, ingKey)
}
if anns.ServerSnippet != "" {
if servers[host].ServerSnippet == "" {
servers[host].ServerSnippet = anns.ServerSnippet
} else {
klog.Warningf("Server snippet already configured for server %q, skipping (Ingress %q)",
host, ingKey)
}
}
// only add SSL ciphers if the server does not have them previously configured
if servers[host].SSLCiphers == "" && anns.SSLCipher.SSLCiphers != "" {
servers[host].SSLCiphers = anns.SSLCipher.SSLCiphers
}
// only add SSLPreferServerCiphers if the server does not have them previously configured
if servers[host].SSLPreferServerCiphers == "" && anns.SSLCipher.SSLPreferServerCiphers != "" {
servers[host].SSLPreferServerCiphers = anns.SSLCipher.SSLPreferServerCiphers
}
// only add a certificate if the server does not have one previously configured
if servers[host].SSLCert != nil {
continue
}
if len(ing.Spec.TLS) == 0 {
klog.V(3).Infof("Ingress %q does not contains a TLS section.", ingKey)
continue
}
tlsSecretName := extractTLSSecretName(host, ing, n.store.GetLocalSSLCert)
if tlsSecretName == "" {
klog.V(3).Infof("Host %q is listed in the TLS section but secretName is empty. Using default certificate", host)
servers[host].SSLCert = n.getDefaultSSLCertificate()
continue
}
secrKey := fmt.Sprintf("%v/%v", ing.Namespace, tlsSecretName)
cert, err := n.store.GetLocalSSLCert(secrKey)
if err != nil {
klog.Warningf("Error getting SSL certificate %q: %v. Using default certificate", secrKey, err)
servers[host].SSLCert = n.getDefaultSSLCertificate()
continue
}
if cert.Certificate == nil {
klog.Warningf("SSL certificate %q does not contain a valid SSL certificate for server %q", secrKey, host)
klog.Warningf("Using default certificate")
servers[host].SSLCert = n.getDefaultSSLCertificate()
continue
}
err = cert.Certificate.VerifyHostname(host)
if err != nil {
klog.Warningf("Unexpected error validating SSL certificate %q for server %q: %v", secrKey, host, err)
klog.Warning("Validating certificate against DNS names. This will be deprecated in a future version")
// check the Common Name field
// https://github.com/golang/go/issues/22922
err := verifyHostname(host, cert.Certificate)
if err != nil {
klog.Warningf("SSL certificate %q does not contain a Common Name or Subject Alternative Name for server %q: %v", secrKey, host, err)
klog.Warningf("Using default certificate")
servers[host].SSLCert = n.getDefaultSSLCertificate()
continue
}
}
servers[host].SSLCert = cert
now := time.Now()
if cert.ExpireTime.Before(now) {
klog.Warningf("SSL certificate for server %q expired (%v)", host, cert.ExpireTime)
} else if cert.ExpireTime.Before(now.Add(240 * time.Hour)) {
klog.Warningf("SSL certificate for server %q is about to expire (%v)", host, cert.ExpireTime)
}
}
}
for host, hostAliases := range allAliases {
if _, ok := servers[host]; !ok {
continue
}
uniqAliases := sets.NewString()
for _, alias := range hostAliases {
if alias == host {
continue
}
if _, ok := servers[alias]; ok {
continue
}
if uniqAliases.Has(alias) {
continue
}
uniqAliases.Insert(alias)
}
servers[host].Aliases = uniqAliases.List()
}
return servers
}