2016-12-29 20:02:06 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
2017-11-07 16:36:51 +00:00
|
|
|
package annotations
|
2016-12-29 20:02:06 +00:00
|
|
|
|
|
|
|
|
import (
|
2017-11-07 16:36:51 +00:00
|
|
|
"github.com/imdario/mergo"
|
2018-09-18 18:05:32 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/canary"
|
2018-11-04 04:14:27 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity"
|
2019-07-17 00:23:32 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl"
|
2018-01-31 16:53:07 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/sslcipher"
|
2020-08-08 23:31:02 +00:00
|
|
|
"k8s.io/klog/v2"
|
2017-09-17 18:42:31 +00:00
|
|
|
|
2018-05-26 23:08:07 +00:00
|
|
|
apiv1 "k8s.io/api/core/v1"
|
2019-06-09 22:49:59 +00:00
|
|
|
networking "k8s.io/api/networking/v1beta1"
|
2017-11-07 16:36:51 +00:00
|
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
|
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/alias"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/auth"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
|
2018-11-27 16:12:17 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/authreqglobal"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/authtls"
|
2018-08-05 22:43:45 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/backendprotocol"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/clientbodybuffersize"
|
2018-01-30 04:29:03 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/connection"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/cors"
|
2018-10-25 16:35:48 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/customhttperrors"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/defaultbackend"
|
2019-07-31 14:39:21 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi"
|
2020-12-24 16:39:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit"
|
2018-10-12 19:48:10 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload"
|
2018-05-17 12:25:38 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/influxdb"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist"
|
2018-03-09 21:09:41 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/loadbalancing"
|
2018-02-25 14:38:54 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/log"
|
2019-07-30 19:43:13 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/mirror"
|
2019-10-30 03:30:01 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/opentracing"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/portinredirect"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/proxy"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/redirect"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/rewrite"
|
2019-02-11 21:34:55 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/satisfy"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/secureupstream"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/serversnippet"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/serviceupstream"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/snippet"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/sslpassthrough"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/upstreamhashby"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/upstreamvhost"
|
2017-12-06 20:11:18 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/xforwardedprefix"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/errors"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/resolver"
|
2016-12-29 20:02:06 +00:00
|
|
|
)
|
|
|
|
|
|
2017-11-07 16:36:51 +00:00
|
|
|
// DeniedKeyName name of the key that contains the reason to deny a location
|
|
|
|
|
const DeniedKeyName = "Denied"
|
|
|
|
|
|
|
|
|
|
// Ingress defines the valid annotations present in one NGINX Ingress rule
|
|
|
|
|
type Ingress struct {
|
|
|
|
|
metav1.ObjectMeta
|
2018-08-05 22:43:45 +00:00
|
|
|
BackendProtocol string
|
2019-08-26 14:58:44 +00:00
|
|
|
Aliases []string
|
2017-11-07 16:36:51 +00:00
|
|
|
BasicDigestAuth auth.Config
|
2018-09-18 18:05:32 +00:00
|
|
|
Canary canary.Config
|
2017-11-07 16:36:51 +00:00
|
|
|
CertificateAuth authtls.Config
|
|
|
|
|
ClientBodyBufferSize string
|
|
|
|
|
ConfigurationSnippet string
|
2018-01-30 04:29:03 +00:00
|
|
|
Connection connection.Config
|
2017-11-07 16:36:51 +00:00
|
|
|
CorsConfig cors.Config
|
2018-10-25 16:35:48 +00:00
|
|
|
CustomHTTPErrors []int
|
2018-05-26 23:08:07 +00:00
|
|
|
DefaultBackend *apiv1.Service
|
2019-02-22 15:14:09 +00:00
|
|
|
//TODO: Change this back into an error when https://github.com/imdario/mergo/issues/100 is resolved
|
2019-07-31 14:39:21 +00:00
|
|
|
FastCGI fastcgi.Config
|
2019-02-22 16:48:13 +00:00
|
|
|
Denied *string
|
2019-02-22 15:19:40 +00:00
|
|
|
ExternalAuth authreq.Config
|
2018-11-27 16:12:17 +00:00
|
|
|
EnableGlobalAuth bool
|
2019-02-22 15:19:40 +00:00
|
|
|
HTTP2PushPreload bool
|
2019-10-30 03:30:01 +00:00
|
|
|
Opentracing opentracing.Config
|
2019-02-22 15:19:40 +00:00
|
|
|
Proxy proxy.Config
|
2019-07-17 00:23:32 +00:00
|
|
|
ProxySSL proxyssl.Config
|
2019-02-22 15:19:40 +00:00
|
|
|
RateLimit ratelimit.Config
|
2020-12-24 16:39:12 +00:00
|
|
|
GlobalRateLimit globalratelimit.Config
|
2019-02-22 15:19:40 +00:00
|
|
|
Redirect redirect.Config
|
|
|
|
|
Rewrite rewrite.Config
|
|
|
|
|
Satisfy string
|
|
|
|
|
SecureUpstream secureupstream.Config
|
|
|
|
|
ServerSnippet string
|
|
|
|
|
ServiceUpstream bool
|
|
|
|
|
SessionAffinity sessionaffinity.Config
|
|
|
|
|
SSLPassthrough bool
|
|
|
|
|
UsePortInRedirects bool
|
|
|
|
|
UpstreamHashBy upstreamhashby.Config
|
|
|
|
|
LoadBalancing string
|
|
|
|
|
UpstreamVhost string
|
|
|
|
|
Whitelist ipwhitelist.SourceRange
|
2019-03-11 16:23:14 +00:00
|
|
|
XForwardedPrefix string
|
2020-05-11 08:31:08 +00:00
|
|
|
SSLCipher sslcipher.Config
|
2019-02-22 15:19:40 +00:00
|
|
|
Logs log.Config
|
|
|
|
|
InfluxDB influxdb.Config
|
|
|
|
|
ModSecurity modsecurity.Config
|
2019-07-30 19:43:13 +00:00
|
|
|
Mirror mirror.Config
|
2017-11-07 16:36:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Extractor defines the annotation parsers to be used in the extraction of annotations
|
|
|
|
|
type Extractor struct {
|
2017-11-08 20:58:57 +00:00
|
|
|
annotations map[string]parser.IngressAnnotation
|
2016-12-29 20:02:06 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-07 16:36:51 +00:00
|
|
|
// NewAnnotationExtractor creates a new annotations extractor
|
2017-11-08 20:58:57 +00:00
|
|
|
func NewAnnotationExtractor(cfg resolver.Resolver) Extractor {
|
2017-11-07 16:36:51 +00:00
|
|
|
return Extractor{
|
2016-12-29 20:02:06 +00:00
|
|
|
map[string]parser.IngressAnnotation{
|
2019-08-26 14:58:44 +00:00
|
|
|
"Aliases": alias.NewParser(cfg),
|
2017-02-23 18:10:32 +00:00
|
|
|
"BasicDigestAuth": auth.NewParser(auth.AuthDirectory, cfg),
|
2018-09-18 18:05:32 +00:00
|
|
|
"Canary": canary.NewParser(cfg),
|
2017-02-23 18:10:32 +00:00
|
|
|
"CertificateAuth": authtls.NewParser(cfg),
|
2017-11-08 20:58:57 +00:00
|
|
|
"ClientBodyBufferSize": clientbodybuffersize.NewParser(cfg),
|
|
|
|
|
"ConfigurationSnippet": snippet.NewParser(cfg),
|
2018-01-30 04:29:03 +00:00
|
|
|
"Connection": connection.NewParser(cfg),
|
2017-11-08 20:58:57 +00:00
|
|
|
"CorsConfig": cors.NewParser(cfg),
|
2018-10-25 16:35:48 +00:00
|
|
|
"CustomHTTPErrors": customhttperrors.NewParser(cfg),
|
2017-11-07 16:36:51 +00:00
|
|
|
"DefaultBackend": defaultbackend.NewParser(cfg),
|
2019-07-31 14:39:21 +00:00
|
|
|
"FastCGI": fastcgi.NewParser(cfg),
|
2017-11-08 20:58:57 +00:00
|
|
|
"ExternalAuth": authreq.NewParser(cfg),
|
2018-11-27 16:12:17 +00:00
|
|
|
"EnableGlobalAuth": authreqglobal.NewParser(cfg),
|
2018-10-12 19:48:10 +00:00
|
|
|
"HTTP2PushPreload": http2pushpreload.NewParser(cfg),
|
2019-10-30 03:30:01 +00:00
|
|
|
"Opentracing": opentracing.NewParser(cfg),
|
2017-02-23 18:10:32 +00:00
|
|
|
"Proxy": proxy.NewParser(cfg),
|
2019-07-17 00:23:32 +00:00
|
|
|
"ProxySSL": proxyssl.NewParser(cfg),
|
2017-08-13 06:52:20 +00:00
|
|
|
"RateLimit": ratelimit.NewParser(cfg),
|
2020-12-24 16:39:12 +00:00
|
|
|
"GlobalRateLimit": globalratelimit.NewParser(cfg),
|
2017-11-08 20:58:57 +00:00
|
|
|
"Redirect": redirect.NewParser(cfg),
|
2017-08-19 21:13:02 +00:00
|
|
|
"Rewrite": rewrite.NewParser(cfg),
|
2019-02-11 21:34:55 +00:00
|
|
|
"Satisfy": satisfy.NewParser(cfg),
|
2017-05-14 22:14:27 +00:00
|
|
|
"SecureUpstream": secureupstream.NewParser(cfg),
|
2017-11-08 20:58:57 +00:00
|
|
|
"ServerSnippet": serversnippet.NewParser(cfg),
|
|
|
|
|
"ServiceUpstream": serviceupstream.NewParser(cfg),
|
|
|
|
|
"SessionAffinity": sessionaffinity.NewParser(cfg),
|
|
|
|
|
"SSLPassthrough": sslpassthrough.NewParser(cfg),
|
2017-11-07 16:36:51 +00:00
|
|
|
"UsePortInRedirects": portinredirect.NewParser(cfg),
|
2017-11-08 20:58:57 +00:00
|
|
|
"UpstreamHashBy": upstreamhashby.NewParser(cfg),
|
2018-03-09 21:09:41 +00:00
|
|
|
"LoadBalancing": loadbalancing.NewParser(cfg),
|
2017-11-08 20:58:57 +00:00
|
|
|
"UpstreamVhost": upstreamvhost.NewParser(cfg),
|
2017-11-07 16:36:51 +00:00
|
|
|
"Whitelist": ipwhitelist.NewParser(cfg),
|
2017-12-06 20:11:18 +00:00
|
|
|
"XForwardedPrefix": xforwardedprefix.NewParser(cfg),
|
2020-05-11 08:31:08 +00:00
|
|
|
"SSLCipher": sslcipher.NewParser(cfg),
|
2018-02-25 14:38:54 +00:00
|
|
|
"Logs": log.NewParser(cfg),
|
2018-05-17 12:25:38 +00:00
|
|
|
"InfluxDB": influxdb.NewParser(cfg),
|
2018-08-05 22:43:45 +00:00
|
|
|
"BackendProtocol": backendprotocol.NewParser(cfg),
|
2018-11-04 04:14:27 +00:00
|
|
|
"ModSecurity": modsecurity.NewParser(cfg),
|
2019-07-30 19:43:13 +00:00
|
|
|
"Mirror": mirror.NewParser(cfg),
|
2016-12-29 20:02:06 +00:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-07 16:36:51 +00:00
|
|
|
// Extract extracts the annotations from an Ingress
|
2019-06-09 22:49:59 +00:00
|
|
|
func (e Extractor) Extract(ing *networking.Ingress) *Ingress {
|
2017-11-07 16:36:51 +00:00
|
|
|
pia := &Ingress{
|
|
|
|
|
ObjectMeta: ing.ObjectMeta,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
data := make(map[string]interface{})
|
2016-12-29 20:02:06 +00:00
|
|
|
for name, annotationParser := range e.annotations {
|
|
|
|
|
val, err := annotationParser.Parse(ing)
|
2020-10-26 19:08:55 +00:00
|
|
|
klog.V(5).InfoS("Parsing Ingress annotation", "name", name, "ingress", klog.KObj(ing), "value", val)
|
2016-12-29 20:02:06 +00:00
|
|
|
if err != nil {
|
2017-01-12 22:00:42 +00:00
|
|
|
if errors.IsMissingAnnotations(err) {
|
2016-12-29 20:02:06 +00:00
|
|
|
continue
|
|
|
|
|
}
|
2017-01-12 22:00:42 +00:00
|
|
|
|
2017-08-25 15:50:08 +00:00
|
|
|
if !errors.IsLocationDenied(err) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-25 20:20:14 +00:00
|
|
|
if name == "CertificateAuth" && data[name] == nil {
|
|
|
|
|
data[name] = authtls.Config{
|
|
|
|
|
AuthTLSError: err.Error(),
|
|
|
|
|
}
|
|
|
|
|
// avoid mapping the result from the annotation
|
|
|
|
|
val = nil
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-07 16:36:51 +00:00
|
|
|
_, alreadyDenied := data[DeniedKeyName]
|
2017-01-12 22:00:42 +00:00
|
|
|
if !alreadyDenied {
|
2019-02-22 16:48:13 +00:00
|
|
|
errString := err.Error()
|
|
|
|
|
data[DeniedKeyName] = &errString
|
2020-10-26 19:08:55 +00:00
|
|
|
klog.ErrorS(err, "error reading Ingress annotation", "name", name, "ingress", klog.KObj(ing))
|
2016-12-29 20:02:06 +00:00
|
|
|
continue
|
|
|
|
|
}
|
2017-01-12 22:00:42 +00:00
|
|
|
|
2020-10-26 19:08:55 +00:00
|
|
|
klog.V(5).ErrorS(err, "error reading Ingress annotation", "name", name, "ingress", klog.KObj(ing))
|
2016-12-29 20:02:06 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if val != nil {
|
2017-11-07 16:36:51 +00:00
|
|
|
data[name] = val
|
2016-12-29 20:02:06 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-11 18:26:36 +00:00
|
|
|
err := mergo.MapWithOverwrite(pia, data)
|
2017-08-22 20:16:59 +00:00
|
|
|
if err != nil {
|
2020-09-27 20:32:40 +00:00
|
|
|
klog.ErrorS(err, "unexpected error merging extracted annotations")
|
2017-08-22 20:16:59 +00:00
|
|
|
}
|
2017-09-30 21:29:16 +00:00
|
|
|
|
2017-11-07 16:36:51 +00:00
|
|
|
return pia
|
2017-09-30 21:29:16 +00:00
|
|
|
}
|
