diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index aa8f4c4b92..4042a6016e 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -46,6 +46,7 @@ import (
 "k8s.io/ingress-nginx/internal/k8s"
 "k8s.io/ingress-nginx/internal/nginx"
 "k8s.io/ingress-nginx/pkg/apis/ingress"
+ "k8s.io/ingress-nginx/pkg/tcpproxy"
 utilingress "k8s.io/ingress-nginx/pkg/util/ingress"
 "k8s.io/klog/v2"
 )
@@ -185,6 +186,44 @@ func (n *NGINXController) syncIngress(interface{}) error {
 n.metricCollector.SetSSLExpireTime(servers)
 n.metricCollector.SetSSLInfo(servers)
 
+ if n.cfg.EnableSSLPassthrough {
+ servers := []*tcpproxy.TCPServer{}
+ for _, pb := range pcfg.PassthroughBackends {
+ svc := pb.Service
+ if svc == nil {
+ klog.Warningf("Missing Service for SSL Passthrough backend %q", pb.Backend)
+ continue
+ }
+ port, err := strconv.Atoi(pb.Port.String()) // #nosec
+ if err != nil {
+ for _, sp := range svc.Spec.Ports {
+ if sp.Name == pb.Port.String() {
+ port = int(sp.Port)
+ break
+ }
+ }
+ } else {
+ for _, sp := range svc.Spec.Ports {
+ //nolint:gosec // Ignore G109 error
+ if sp.Port == int32(port) {
+ port = int(sp.Port)
+ break
+ }
+ }
+ }
+
+ // TODO: Allow PassthroughBackends to specify they support proxy-protocol
+ servers = append(servers, &tcpproxy.TCPServer{
+ Hostname: pb.Hostname,
+ IP: svc.Spec.ClusterIP,
+ Port: port,
+ ProxyProtocol: false,
+ })
+ }
+
+ n.Proxy.ServerList = servers
+ }
+
 if n.runningConfig.Equal(pcfg) {
 klog.V(3).Infof("No configuration change detected, skipping backend reload")
 return nil
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index 7d6dcc3fa6..2b837fb2f5 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
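Review bot: A passthrough backend whose port cannot be resolved is still appended to `servers` in the block added to `syncIngress`: when `strconv.Atoi` fails and no `sp.Name` matches, `port` stays 0, and in the `else` branch the loop only re-assigns the value it already holds, so a number that is not a Service port is used as is. Both cases reach `n.Proxy.ServerList` without a log line, which makes a dead or misrouted TLS passthrough hard to trace. I would record whether a Service port matched and skip the backend with a warning otherwise; comparing as `int(sp.Port) == port` also removes the `int32(port)` narrowing that the `//nolint:gosec` comment suppresses. `syncIngress` starts and ends outside this hunk, so whether `strconv` is already imported in controller.go and whether `ServerList` is read under a lock cannot be checked from here.

```go
// … unchanged: Service nil check …
name := pb.Port.String()
port, err := strconv.Atoi(name) // #nosec
matched := false
for _, sp := range svc.Spec.Ports {
	if (err != nil && sp.Name == name) || (err == nil && int(sp.Port) == port) {
		port, matched = int(sp.Port), true
		break
	}
}
if !matched {
	klog.Warningf("No Service port %q for SSL Passthrough backend %q, skipping", name, pb.Backend)
	continue
}
// … unchanged: append to servers …
```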
@@ -455,44 +455,6 @@ func (n *NGINXController) DefaultEndpoint() ingress.Endpoint {
 //
 //nolint:gocritic // the cfg shouldn't be changed, and shouldn't be mutated by other processes while being rendered.
 func (n *NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressCfg ingress.Configuration) ([]byte, error) {
- if n.cfg.EnableSSLPassthrough {
- servers := []*tcpproxy.TCPServer{}
- for _, pb := range ingressCfg.PassthroughBackends {
- svc := pb.Service
- if svc == nil {
- klog.Warningf("Missing Service for SSL Passthrough backend %q", pb.Backend)
- continue
- }
- port, err := strconv.Atoi(pb.Port.String()) // #nosec
- if err != nil {
- for _, sp := range svc.Spec.Ports {
- if sp.Name == pb.Port.String() {
- port = int(sp.Port)
- break
- }
- }
- } else {
- for _, sp := range svc.Spec.Ports {
- //nolint:gosec // Ignore G109 error
- if sp.Port == int32(port) {
- port = int(sp.Port)
- break
- }
- }
- }
-
- // TODO: Allow PassthroughBackends to specify they support proxy-protocol
- servers = append(servers, &tcpproxy.TCPServer{
- Hostname: pb.Hostname,
- IP: svc.Spec.ClusterIP,
- Port: port,
- ProxyProtocol: false,
- })
- }
-
- n.Proxy.ServerList = servers
- }
-
 // NGINX cannot resize the hash tables used to store server names. For
 // this reason we check if the current size is correct for the host
 // names defined in the Ingress rules and adjust the value if