Merge pull request #269 from mythi/engine

ConfigMap: add options to set ssl-engine and ssl-mode-async
jcmoraisjr · Jan 6, 2019 · 63a4be3 · 63a4be3
2 parents 2bfc439 + f812356
commit 63a4be3
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -365,7 +365,9 @@ The following parameters are supported:
 ||[`ssl-ciphers`](#ssl-ciphers)|colon-separated list|[link to code](https://github.com/jcmoraisjr/haproxy-ingress/blob/v0.6/pkg/controller/config.go#L40)|
 ||[`ssl-dh-default-max-size`](#ssl-dh-default-max-size)|number|`1024`|
 ||[`ssl-dh-param`](#ssl-dh-param)|namespace/secret name|no custom DH param|
+||[`ssl-engine`](#ssl-engine)|OpenSSL engine name and parameters|no engine set|
 ||[`ssl-headers-prefix`](#ssl-headers-prefix)|prefix|`X-SSL`|
+||[`ssl-mode-async`](#ssl-engine)|[true\|false]|`false`|
 ||[`ssl-options`](#ssl-options)|space-separated list|`no-sslv3` `no-tls-tickets`|
 ||[`ssl-redirect`](#ssl-redirect)|[true\|false]|`true`|
 ||[`stats-auth`](#stats)|user:passwd|no auth|
@@ -744,6 +746,19 @@ resulting secret.
 
 http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#3.1-ssl-dh-param-file
 
+### ssl-engine
+
+Set the name of the OpenSSL engine to use. The string shall include the engine name
+and its parameters.
+
+Additionally, ssl-mode-async can be set to enable asynchronous TLS I/O operations if
+the ssl-engine used supports it.
+
+Reference:
+
+* http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#ssl-engine
+* http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#ssl-mode-async
+
 ### ssl-headers-prefix
 
 Define the http header prefix that should be used with certificate parameters such as

diff --git a/pkg/controller/config.go b/pkg/controller/config.go
@@ -148,6 +148,8 @@ func newHAProxyConfig(haproxyController *HAProxyController) *types.HAProxyConfig
 		CookieKey:              "Ingress",
 		StrictHost:             true,
 		DynamicScaling:         false,
+		SSLEngine:              "",
+		SSLModeAsync:           false,
 		StatsSocket:            "/var/run/haproxy-stats.sock",
 		UseProxyProtocol:       false,
 		StatsProxyProtocol:     false,

diff --git a/pkg/types/types.go b/pkg/types/types.go
@@ -96,6 +96,8 @@ type (
 		CookieKey              string `json:"cookie-key"`
 		StrictHost             bool   `json:"strict-host"`
 		DynamicScaling         bool   `json:"dynamic-scaling"`
+		SSLEngine              string `json:"ssl-engine"`
+		SSLModeAsync           bool   `json:"ssl-mode-async"`
 		StatsSocket            string
 		UseProxyProtocol       bool   `json:"use-proxy-protocol"`
 		StatsProxyProtocol     bool   `json:"stats-proxy-protocol"`

diff --git a/rootfs/etc/haproxy/template/haproxy.tmpl b/rootfs/etc/haproxy/template/haproxy.tmpl
@@ -31,6 +31,12 @@ global
     ssl-dh-param-file {{ $cfg.SSLDHParam.Filename }}
 {{- else }}
     tune.ssl.default-dh-param {{ $cfg.SSLDHParam.DefaultMaxSize }}
+{{- end }}
+{{- if ne $cfg.SSLEngine "" }}
+    ssl-engine {{ $cfg.SSLEngine }}
+{{- if $cfg.SSLModeAsync }}
+    ssl-mode-async
+{{- end }}
 {{- end }}
     ssl-default-bind-ciphers {{ $cfg.SSLCiphers }}
     ssl-default-bind-options {{ $cfg.SSLOptions }}