ingress-nginx-helm/internal/ingress/annotations/connection/main.go

/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package connection

import (
	"regexp"

	networking "k8s.io/api/networking/v1"

	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
	"k8s.io/ingress-nginx/internal/ingress/resolver"
)

const (
	connectionProxyHeaderAnnotation = "connection-proxy-header"
)

var (
	validConnectionHeaderValue = regexp.MustCompile(`^(close|keep-alive)$`)
)

var connectionHeadersAnnotations = parser.Annotation{
	Group: "backend",
	Annotations: parser.AnnotationFields{
		connectionProxyHeaderAnnotation: {
			Validator:     parser.ValidateRegex(*validConnectionHeaderValue, true),
			Scope:         parser.AnnotationScopeLocation,
			Risk:          parser.AnnotationRiskLow,
			Documentation: `This annotation allows setting a specific value for "proxy_set_header Connection" directive. Right now it is restricted to "close" or "keep-alive"`,
		},
	},
}

// Config returns the connection header configuration for an Ingress rule
type Config struct {
	Header  string `json:"header"`
	Enabled bool   `json:"enabled"`
}

type connection struct {
	r                resolver.Resolver
	annotationConfig parser.Annotation
}

// NewParser creates a new port in redirect annotation parser
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
	return connection{
		r:                r,
		annotationConfig: connectionHeadersAnnotations,
	}
}

// Parse parses the annotations contained in the ingress
// rule used to indicate if the connection header should be overridden.
func (a connection) Parse(ing *networking.Ingress) (interface{}, error) {
	cp, err := parser.GetStringAnnotation(connectionProxyHeaderAnnotation, ing, a.annotationConfig.Annotations)
	if err != nil {
		return &Config{
			Enabled: false,
		}, err
	}
	return &Config{
		Enabled: true,
		Header:  cp,
	}, nil
}

// Equal tests for equality between two Connection types
func (r1 *Config) Equal(r2 *Config) bool {
	if r1 == r2 {
		return true
	}
	if r1 == nil || r2 == nil {
		return false
	}
	if r1.Enabled != r2.Enabled {
		return false
	}
	if r1.Header != r2.Header {
		return false
	}

	return true
}

func (a connection) GetDocumentation() parser.AnnotationFields {
	return a.annotationConfig.Annotations
}

func (a connection) Validate(anns map[string]string) error {
	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
	return parser.CheckAnnotationRisk(anns, maxrisk, connectionHeadersAnnotations.Annotations)
}
Add connection-proxy-header annotation (#1999) This is the override the default connection header 2018-01-30 04:29:03 +00:00			`/*`
			`Copyright 2016 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package connection`

			`import (`
Implement annotation validation (#9673) * Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk 2023-07-22 03:32:07 +00:00			`"regexp"`

Release v1 (#7470) * Drop v1beta1 from ingress nginx (#7156) * Drop v1beta1 from ingress nginx Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix intorstr logic in controller Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * fixing admission Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * more intorstr fixing * correct template rendering Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix e2e tests for v1 api Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix gofmt errors * This is finally working...almost there... Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Re-add removed validation of AdmissionReview * Prepare for v1.0.0-alpha.1 release Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Update changelog and matrix table for v1.0.0-alpha.1 (#7274) Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * add docs for syslog feature (#7219) * Fix link to e2e-tests.md in developer-guide (#7201) * Use ENV expansion for namespace in args (#7146) Update the DaemonSet namespace references to use the `POD_NAMESPACE` environment variable in the same way that the Deployment does. * chart: using Helm builtin capabilities check (#7190) Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> * Update proper default value for HTTP2MaxConcurrentStreams in Docs (#6944) It should be 128 as documented in https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L780 * Fix MaxWorkerOpenFiles calculation on high cores nodes (#7107) * Fix MaxWorkerOpenFiles calculation on high cores nodes * Add e2e test for rlimit_nofile * Fix doc for max-worker-open-files * ingress/tcp: add additional error logging on failed (#7208) * Add file containing stable release (#7313) * Handle named (non-numeric) ports correctly (#7311) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Updated v1beta1 to v1 as its deprecated (#7308) * remove mercurial from build (#7031) * Retry to download maxmind DB if it fails (#7242) * Retry to download maxmind DB if it fails. Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Add retries count arg, move retry logic into DownloadGeoLite2DB function Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Reorder parameters in DownloadGeoLite2DB Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Remove hardcoded value Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Release v1.0.0-alpha.1 * Add changelog for v1.0.0-alpha.2 * controller: ignore non-service backends (#7332) * controller: ignore non-service backends Signed-off-by: Carlos Panato <ctadeu@gmail.com> * update per feedback Signed-off-by: Carlos Panato <ctadeu@gmail.com> * fix: allow scope/tcp/udp configmap namespace to altered (#7161) * Lower webhook timeout for digital ocean (#7319) * Lower webhook timeout for digital ocean * Set Digital Ocean value controller.admissionWebhooks.timeoutSeconds to 29 * update OWNERS and aliases files (#7365) (#7366) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Downgrade Lua modules for s390x (#7355) Downgrade Lua modules to last known working version. * Fix IngressClass logic for newer releases (#7341) * Fix IngressClass logic for newer releases Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Change e2e tests for the new IngressClass presence * Fix chart and admission tests Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix helm chart test Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix reviews * Remove ingressclass code from admission * update tag to v1.0.0-beta.1 * update readme and changelog for v1.0.0-beta.1 * Release v1.0.0-beta.1 - helm and manifests (#7422) * Change the order of annotation just to trigger a new helm release (#7425) * [cherry-pick] Add dev-v1 branch into helm releaser (#7428) * Add dev-v1 branch into helm releaser (#7424) * chore: add link for artifacthub.io/prerelease annotations Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> * k8s job ci pipeline for dev-v1 br v1.22.0 (#7453) * k8s job ci pipeline for dev-v1 br v1.22.0 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * k8s job ci pipeline for dev-v1 br v1.21.2 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * remove v1.21.1 version Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * Add controller.watchIngressWithoutClass config option (#7459) Signed-off-by: Akshit Grover <akshit.grover2016@gmail.com> * Release new helm chart with certgen fixed (#7478) * Update go version, modules and remove ioutil * Release new helm chart with certgen fixed * changed appversion, chartversion, TAG, image (#7490) * Fix CI conflict * Fix CI conflict * Fix build.sh from rebase process * Fix controller_test post rebase Co-authored-by: Tianhao Guo <rggth09@gmail.com> Co-authored-by: Ray <61553+rctay@users.noreply.github.com> Co-authored-by: Bill Cassidy <cassid4@gmail.com> Co-authored-by: Jintao Zhang <tao12345666333@163.com> Co-authored-by: Sathish Ramani <rsathishx87@gmail.com> Co-authored-by: Mansur Marvanov <nanorobocop@gmail.com> Co-authored-by: Matt1360 <568198+Matt1360@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: Kundan Kumar <kundan.kumar@india.nec.com> Co-authored-by: Tom Hayward <thayward@infoblox.com> Co-authored-by: Sergey Shakuto <sshakuto@infoblox.com> Co-authored-by: Tore <tore.lonoy@gmail.com> Co-authored-by: Bouke Versteegh <info@boukeversteegh.nl> Co-authored-by: Shahid <shahid@us.ibm.com> Co-authored-by: James Strong <strong.james.e@gmail.com> Co-authored-by: Long Wu Yuan <longwuyuan@gmail.com> Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Neha Lohia <nehapithadiya444@gmail.com> Co-authored-by: Akshit Grover <akshit.grover2016@gmail.com> 2021-08-21 20:42:00 +00:00			`networking "k8s.io/api/networking/v1"`
Add connection-proxy-header annotation (#1999) This is the override the default connection header 2018-01-30 04:29:03 +00:00
			`"k8s.io/ingress-nginx/internal/ingress/annotations/parser"`
			`"k8s.io/ingress-nginx/internal/ingress/resolver"`
			`)`

Implement annotation validation (#9673) * Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk 2023-07-22 03:32:07 +00:00			`const (`
			`connectionProxyHeaderAnnotation = "connection-proxy-header"`
			`)`

			`var (`
			validConnectionHeaderValue = regexp.MustCompile(`^(close\|keep-alive)$`)
			`)`

			`var connectionHeadersAnnotations = parser.Annotation{`
			`Group: "backend",`
			`Annotations: parser.AnnotationFields{`
			`connectionProxyHeaderAnnotation: {`
			`Validator: parser.ValidateRegex(*validConnectionHeaderValue, true),`
			`Scope: parser.AnnotationScopeLocation,`
			`Risk: parser.AnnotationRiskLow,`
			Documentation: `This annotation allows setting a specific value for "proxy_set_header Connection" directive. Right now it is restricted to "close" or "keep-alive"`,
			`},`
			`},`
			`}`

Add connection-proxy-header annotation (#1999) This is the override the default connection header 2018-01-30 04:29:03 +00:00			`// Config returns the connection header configuration for an Ingress rule`
			`type Config struct {`
			Header string `json:"header"`
			Enabled bool `json:"enabled"`
			`}`

			`type connection struct {`
Implement annotation validation (#9673) * Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk 2023-07-22 03:32:07 +00:00			`r resolver.Resolver`
			`annotationConfig parser.Annotation`
Add connection-proxy-header annotation (#1999) This is the override the default connection header 2018-01-30 04:29:03 +00:00			`}`

			`// NewParser creates a new port in redirect annotation parser`
			`func NewParser(r resolver.Resolver) parser.IngressAnnotation {`
Implement annotation validation (#9673) * Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk 2023-07-22 03:32:07 +00:00			`return connection{`
			`r: r,`
			`annotationConfig: connectionHeadersAnnotations,`
			`}`
Add connection-proxy-header annotation (#1999) This is the override the default connection header 2018-01-30 04:29:03 +00:00			`}`

			`// Parse parses the annotations contained in the ingress`
			`// rule used to indicate if the connection header should be overridden.`
Migrate to new networking.k8s.io/v1beta1 package 2019-06-09 22:49:59 +00:00			`func (a connection) Parse(ing *networking.Ingress) (interface{}, error) {`
Implement annotation validation (#9673) * Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk 2023-07-22 03:32:07 +00:00			`cp, err := parser.GetStringAnnotation(connectionProxyHeaderAnnotation, ing, a.annotationConfig.Annotations)`
Add connection-proxy-header annotation (#1999) This is the override the default connection header 2018-01-30 04:29:03 +00:00			`if err != nil {`
			`return &Config{`
			`Enabled: false,`
			`}, err`
			`}`
			`return &Config{`
			`Enabled: true,`
			`Header: cp,`
			`}, nil`
			`}`

			`// Equal tests for equality between two Connection types`
			`func (r1 Config) Equal(r2 Config) bool {`
			`if r1 == r2 {`
			`return true`
			`}`
			`if r1 == nil \|\| r2 == nil {`
			`return false`
			`}`
			`if r1.Enabled != r2.Enabled {`
			`return false`
			`}`
			`if r1.Header != r2.Header {`
			`return false`
			`}`

			`return true`
			`}`
Implement annotation validation (#9673) * Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk 2023-07-22 03:32:07 +00:00
			`func (a connection) GetDocumentation() parser.AnnotationFields {`
			`return a.annotationConfig.Annotations`
			`}`

			`func (a connection) Validate(anns map[string]string) error {`
			`maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)`
			`return parser.CheckAnnotationRisk(anns, maxrisk, connectionHeadersAnnotations.Annotations)`
			`}`