ingress-nginx-helm/internal/ingress/annotations/authtls/main.go

/*
Copyright 2015 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package authtls

import (
	"fmt"

	networking "k8s.io/api/networking/v1"

	"regexp"

	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
	"k8s.io/ingress-nginx/internal/ingress/resolver"
	"k8s.io/ingress-nginx/internal/k8s"
)

const (
	defaultAuthTLSDepth     = 1
	defaultAuthVerifyClient = "on"
)

var (
	authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`)
	commonNameRegex       = regexp.MustCompile(`CN=`)
)

// Config contains the AuthSSLCert used for mutual authentication
// and the configured ValidationDepth
type Config struct {
	resolver.AuthSSLCert
	VerifyClient       string `json:"verify_client"`
	ValidationDepth    int    `json:"validationDepth"`
	ErrorPage          string `json:"errorPage"`
	PassCertToUpstream bool   `json:"passCertToUpstream"`
	MatchCN            string `json:"matchCN"`
	AuthTLSError       string
}

// Equal tests for equality between two Config types
func (assl1 *Config) Equal(assl2 *Config) bool {
	if assl1 == assl2 {
		return true
	}
	if assl1 == nil || assl2 == nil {
		return false
	}
	if !(&assl1.AuthSSLCert).Equal(&assl2.AuthSSLCert) {
		return false
	}
	if assl1.VerifyClient != assl2.VerifyClient {
		return false
	}
	if assl1.ValidationDepth != assl2.ValidationDepth {
		return false
	}
	if assl1.ErrorPage != assl2.ErrorPage {
		return false
	}
	if assl1.PassCertToUpstream != assl2.PassCertToUpstream {
		return false
	}

	return true
}

// NewParser creates a new TLS authentication annotation parser
func NewParser(resolver resolver.Resolver) parser.IngressAnnotation {
	return authTLS{resolver}
}

type authTLS struct {
	r resolver.Resolver
}

// Parse parses the annotations contained in the ingress
// rule used to use a Certificate as authentication method
func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
	var err error
	config := &Config{}

	tlsauthsecret, err := parser.GetStringAnnotation("auth-tls-secret", ing)
	if err != nil {
		return &Config{}, err
	}

	_, _, err = k8s.ParseNameNS(tlsauthsecret)
	if err != nil {
		return &Config{}, ing_errors.NewLocationDenied(err.Error())
	}

	authCert, err := a.r.GetAuthCertificate(tlsauthsecret)
	if err != nil {
		e := fmt.Errorf("error obtaining certificate: %w", err)
		return &Config{}, ing_errors.LocationDenied{Reason: e}
	}
	config.AuthSSLCert = *authCert

	config.VerifyClient, err = parser.GetStringAnnotation("auth-tls-verify-client", ing)
	if err != nil || !authVerifyClientRegex.MatchString(config.VerifyClient) {
		config.VerifyClient = defaultAuthVerifyClient
	}

	config.ValidationDepth, err = parser.GetIntAnnotation("auth-tls-verify-depth", ing)
	if err != nil || config.ValidationDepth == 0 {
		config.ValidationDepth = defaultAuthTLSDepth
	}

	config.ErrorPage, err = parser.GetStringAnnotation("auth-tls-error-page", ing)
	if err != nil {
		config.ErrorPage = ""
	}

	config.PassCertToUpstream, err = parser.GetBoolAnnotation("auth-tls-pass-certificate-to-upstream", ing)
	if err != nil {
		config.PassCertToUpstream = false
	}

	config.MatchCN, err = parser.GetStringAnnotation("auth-tls-match-cn", ing)
	if err != nil || !commonNameRegex.MatchString(config.MatchCN) {
		config.MatchCN = ""
	}

	return config, nil
}
Split implementations from generic code 2016-11-10 22:56:29 +00:00			`/*`
			`Copyright 2015 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package authtls`

			`import (`
Remove deprecated libraries, update other libs, add ci v1.23 (#8118) 2022-01-10 00:29:12 +00:00			`"fmt"`
added new auth-tls-match-cn annotation (#8434) * added new auth-tls-match-cn annotation * added few more tests 2022-04-15 19:59:10 +00:00
Release v1 (#7470) * Drop v1beta1 from ingress nginx (#7156) * Drop v1beta1 from ingress nginx Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix intorstr logic in controller Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * fixing admission Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * more intorstr fixing * correct template rendering Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix e2e tests for v1 api Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix gofmt errors * This is finally working...almost there... Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Re-add removed validation of AdmissionReview * Prepare for v1.0.0-alpha.1 release Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Update changelog and matrix table for v1.0.0-alpha.1 (#7274) Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * add docs for syslog feature (#7219) * Fix link to e2e-tests.md in developer-guide (#7201) * Use ENV expansion for namespace in args (#7146) Update the DaemonSet namespace references to use the `POD_NAMESPACE` environment variable in the same way that the Deployment does. * chart: using Helm builtin capabilities check (#7190) Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> * Update proper default value for HTTP2MaxConcurrentStreams in Docs (#6944) It should be 128 as documented in https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L780 * Fix MaxWorkerOpenFiles calculation on high cores nodes (#7107) * Fix MaxWorkerOpenFiles calculation on high cores nodes * Add e2e test for rlimit_nofile * Fix doc for max-worker-open-files * ingress/tcp: add additional error logging on failed (#7208) * Add file containing stable release (#7313) * Handle named (non-numeric) ports correctly (#7311) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Updated v1beta1 to v1 as its deprecated (#7308) * remove mercurial from build (#7031) * Retry to download maxmind DB if it fails (#7242) * Retry to download maxmind DB if it fails. Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Add retries count arg, move retry logic into DownloadGeoLite2DB function Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Reorder parameters in DownloadGeoLite2DB Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Remove hardcoded value Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Release v1.0.0-alpha.1 * Add changelog for v1.0.0-alpha.2 * controller: ignore non-service backends (#7332) * controller: ignore non-service backends Signed-off-by: Carlos Panato <ctadeu@gmail.com> * update per feedback Signed-off-by: Carlos Panato <ctadeu@gmail.com> * fix: allow scope/tcp/udp configmap namespace to altered (#7161) * Lower webhook timeout for digital ocean (#7319) * Lower webhook timeout for digital ocean * Set Digital Ocean value controller.admissionWebhooks.timeoutSeconds to 29 * update OWNERS and aliases files (#7365) (#7366) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Downgrade Lua modules for s390x (#7355) Downgrade Lua modules to last known working version. * Fix IngressClass logic for newer releases (#7341) * Fix IngressClass logic for newer releases Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Change e2e tests for the new IngressClass presence * Fix chart and admission tests Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix helm chart test Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix reviews * Remove ingressclass code from admission * update tag to v1.0.0-beta.1 * update readme and changelog for v1.0.0-beta.1 * Release v1.0.0-beta.1 - helm and manifests (#7422) * Change the order of annotation just to trigger a new helm release (#7425) * [cherry-pick] Add dev-v1 branch into helm releaser (#7428) * Add dev-v1 branch into helm releaser (#7424) * chore: add link for artifacthub.io/prerelease annotations Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> * k8s job ci pipeline for dev-v1 br v1.22.0 (#7453) * k8s job ci pipeline for dev-v1 br v1.22.0 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * k8s job ci pipeline for dev-v1 br v1.21.2 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * remove v1.21.1 version Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * Add controller.watchIngressWithoutClass config option (#7459) Signed-off-by: Akshit Grover <akshit.grover2016@gmail.com> * Release new helm chart with certgen fixed (#7478) * Update go version, modules and remove ioutil * Release new helm chart with certgen fixed * changed appversion, chartversion, TAG, image (#7490) * Fix CI conflict * Fix CI conflict * Fix build.sh from rebase process * Fix controller_test post rebase Co-authored-by: Tianhao Guo <rggth09@gmail.com> Co-authored-by: Ray <61553+rctay@users.noreply.github.com> Co-authored-by: Bill Cassidy <cassid4@gmail.com> Co-authored-by: Jintao Zhang <tao12345666333@163.com> Co-authored-by: Sathish Ramani <rsathishx87@gmail.com> Co-authored-by: Mansur Marvanov <nanorobocop@gmail.com> Co-authored-by: Matt1360 <568198+Matt1360@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: Kundan Kumar <kundan.kumar@india.nec.com> Co-authored-by: Tom Hayward <thayward@infoblox.com> Co-authored-by: Sergey Shakuto <sshakuto@infoblox.com> Co-authored-by: Tore <tore.lonoy@gmail.com> Co-authored-by: Bouke Versteegh <info@boukeversteegh.nl> Co-authored-by: Shahid <shahid@us.ibm.com> Co-authored-by: James Strong <strong.james.e@gmail.com> Co-authored-by: Long Wu Yuan <longwuyuan@gmail.com> Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Neha Lohia <nehapithadiya444@gmail.com> Co-authored-by: Akshit Grover <akshit.grover2016@gmail.com> 2021-08-21 20:42:00 +00:00			`networking "k8s.io/api/networking/v1"`
Add Generic interface 2016-11-16 18:24:26 +00:00
Refactor annotations 2017-11-07 16:36:51 +00:00			`"regexp"`

Rename package pkg to internal 2017-11-07 22:02:12 +00:00			`"k8s.io/ingress-nginx/internal/ingress/annotations/parser"`
			`ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"`
			`"k8s.io/ingress-nginx/internal/ingress/resolver"`
			`"k8s.io/ingress-nginx/internal/k8s"`
Split implementations from generic code 2016-11-10 22:56:29 +00:00			`)`

			`const (`
Add prefix nginx to annotations 2017-11-08 20:58:57 +00:00			`defaultAuthTLSDepth = 1`
			`defaultAuthVerifyClient = "on"`
configurable ssl_verify_client 2017-10-05 11:26:07 +00:00			`)`

			`var (`
			authVerifyClientRegex = regexp.MustCompile(`on\|off\|optional\|optional_no_ca`)
added new auth-tls-match-cn annotation (#8434) * added new auth-tls-match-cn annotation * added few more tests 2022-04-15 19:59:10 +00:00			commonNameRegex = regexp.MustCompile(`CN=`)
Split implementations from generic code 2016-11-10 22:56:29 +00:00			`)`

Typo fix: muthual autentication -> mutual authentication 2018-05-31 06:18:08 +00:00			`// Config contains the AuthSSLCert used for mutual authentication`
Adds correct support for TLS Muthual autentication and depth verification modified: controllers/nginx/configuration.md modified: controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl modified: core/pkg/ingress/annotations/authtls/main.go modified: core/pkg/ingress/controller/backend_ssl.go modified: core/pkg/ingress/controller/controller.go modified: core/pkg/ingress/controller/util_test.go modified: core/pkg/ingress/resolver/main.go modified: core/pkg/ingress/types.go modified: core/pkg/net/ssl/ssl.go modified: examples/PREREQUISITES.md new file: examples/auth/client-certs/nginx/README.md new file: examples/auth/client-certs/nginx/nginx-tls-auth.yaml 2017-02-06 18:16:36 +00:00			`// and the configured ValidationDepth`
Refactor annotations 2017-11-07 16:36:51 +00:00			`type Config struct {`
Move certificate authentication from location to server 2017-08-22 20:16:59 +00:00			`resolver.AuthSSLCert`
Add annotation to enable passing the certificate to the upstream server 2017-11-18 00:28:45 +00:00			VerifyClient string `json:"verify_client"`
			ValidationDepth int `json:"validationDepth"`
			ErrorPage string `json:"errorPage"`
			PassCertToUpstream bool `json:"passCertToUpstream"`
added new auth-tls-match-cn annotation (#8434) * added new auth-tls-match-cn annotation * added few more tests 2022-04-15 19:59:10 +00:00			MatchCN string `json:"matchCN"`
In case of TLS errors do not allow traffic (#2146) 2018-02-25 20:20:14 +00:00			`AuthTLSError string`
Deny location mapping in case of specific errors 2016-12-29 20:02:06 +00:00			`}`

Refactor annotations 2017-11-07 16:36:51 +00:00			`// Equal tests for equality between two Config types`
			`func (assl1 Config) Equal(assl2 Config) bool {`
WIP: Avoid reloads implementing Equals in structs 2017-06-14 21:33:12 +00:00			`if assl1 == assl2 {`
			`return true`
			`}`
			`if assl1 == nil \|\| assl2 == nil {`
			`return false`
			`}`
Implement Equaler 2017-06-14 23:40:25 +00:00			`if !(&assl1.AuthSSLCert).Equal(&assl2.AuthSSLCert) {`
WIP: Avoid reloads implementing Equals in structs 2017-06-14 21:33:12 +00:00			`return false`
			`}`
configurable ssl_verify_client 2017-10-05 11:26:07 +00:00			`if assl1.VerifyClient != assl2.VerifyClient {`
			`return false`
			`}`
WIP: Avoid reloads implementing Equals in structs 2017-06-14 21:33:12 +00:00			`if assl1.ValidationDepth != assl2.ValidationDepth {`
			`return false`
			`}`
Adds support for error page in Client Certificate Authentication 2017-09-03 20:12:03 +00:00			`if assl1.ErrorPage != assl2.ErrorPage {`
			`return false`
			`}`
Add annotation to enable passing the certificate to the upstream server 2017-11-18 00:28:45 +00:00			`if assl1.PassCertToUpstream != assl2.PassCertToUpstream {`
			`return false`
			`}`

WIP: Avoid reloads implementing Equals in structs 2017-06-14 21:33:12 +00:00			`return true`
			`}`

Deny location mapping in case of specific errors 2016-12-29 20:02:06 +00:00			`// NewParser creates a new TLS authentication annotation parser`
Add prefix nginx to annotations 2017-11-08 20:58:57 +00:00			`func NewParser(resolver resolver.Resolver) parser.IngressAnnotation {`
Deny location mapping in case of specific errors 2016-12-29 20:02:06 +00:00			`return authTLS{resolver}`
			`}`

Adds correct support for TLS Muthual autentication and depth verification modified: controllers/nginx/configuration.md modified: controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl modified: core/pkg/ingress/annotations/authtls/main.go modified: core/pkg/ingress/controller/backend_ssl.go modified: core/pkg/ingress/controller/controller.go modified: core/pkg/ingress/controller/util_test.go modified: core/pkg/ingress/resolver/main.go modified: core/pkg/ingress/types.go modified: core/pkg/net/ssl/ssl.go modified: examples/PREREQUISITES.md new file: examples/auth/client-certs/nginx/README.md new file: examples/auth/client-certs/nginx/nginx-tls-auth.yaml 2017-02-06 18:16:36 +00:00			`type authTLS struct {`
Add prefix nginx to annotations 2017-11-08 20:58:57 +00:00			`r resolver.Resolver`
Adds correct support for TLS Muthual autentication and depth verification modified: controllers/nginx/configuration.md modified: controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl modified: core/pkg/ingress/annotations/authtls/main.go modified: core/pkg/ingress/controller/backend_ssl.go modified: core/pkg/ingress/controller/controller.go modified: core/pkg/ingress/controller/util_test.go modified: core/pkg/ingress/resolver/main.go modified: core/pkg/ingress/types.go modified: core/pkg/net/ssl/ssl.go modified: examples/PREREQUISITES.md new file: examples/auth/client-certs/nginx/README.md new file: examples/auth/client-certs/nginx/nginx-tls-auth.yaml 2017-02-06 18:16:36 +00:00			`}`

			`// Parse parses the annotations contained in the ingress`
			`// rule used to use a Certificate as authentication method`
Migrate to new networking.k8s.io/v1beta1 package 2019-06-09 22:49:59 +00:00			`func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {`
Improve parsing of annotations and use of Ingress wrapper 2018-11-30 22:56:11 +00:00			`var err error`
			`config := &Config{}`
Adds correct support for TLS Muthual autentication and depth verification modified: controllers/nginx/configuration.md modified: controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl modified: core/pkg/ingress/annotations/authtls/main.go modified: core/pkg/ingress/controller/backend_ssl.go modified: core/pkg/ingress/controller/controller.go modified: core/pkg/ingress/controller/util_test.go modified: core/pkg/ingress/resolver/main.go modified: core/pkg/ingress/types.go modified: core/pkg/net/ssl/ssl.go modified: examples/PREREQUISITES.md new file: examples/auth/client-certs/nginx/README.md new file: examples/auth/client-certs/nginx/nginx-tls-auth.yaml 2017-02-06 18:16:36 +00:00
Simplify annotations 2017-11-23 16:46:23 +00:00			`tlsauthsecret, err := parser.GetStringAnnotation("auth-tls-secret", ing)`
Split implementations from generic code 2016-11-10 22:56:29 +00:00			`if err != nil {`
Refactor annotations 2017-11-07 16:36:51 +00:00			`return &Config{}, err`
Split implementations from generic code 2016-11-10 22:56:29 +00:00			`}`

Adds correct support for TLS Muthual autentication and depth verification modified: controllers/nginx/configuration.md modified: controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl modified: core/pkg/ingress/annotations/authtls/main.go modified: core/pkg/ingress/controller/backend_ssl.go modified: core/pkg/ingress/controller/controller.go modified: core/pkg/ingress/controller/util_test.go modified: core/pkg/ingress/resolver/main.go modified: core/pkg/ingress/types.go modified: core/pkg/net/ssl/ssl.go modified: examples/PREREQUISITES.md new file: examples/auth/client-certs/nginx/README.md new file: examples/auth/client-certs/nginx/nginx-tls-auth.yaml 2017-02-06 18:16:36 +00:00			`_, _, err = k8s.ParseNameNS(tlsauthsecret)`
Split implementations from generic code 2016-11-10 22:56:29 +00:00			`if err != nil {`
Refactor annotations 2017-11-07 16:36:51 +00:00			`return &Config{}, ing_errors.NewLocationDenied(err.Error())`
Adds correct support for TLS Muthual autentication and depth verification modified: controllers/nginx/configuration.md modified: controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl modified: core/pkg/ingress/annotations/authtls/main.go modified: core/pkg/ingress/controller/backend_ssl.go modified: core/pkg/ingress/controller/controller.go modified: core/pkg/ingress/controller/util_test.go modified: core/pkg/ingress/resolver/main.go modified: core/pkg/ingress/types.go modified: core/pkg/net/ssl/ssl.go modified: examples/PREREQUISITES.md new file: examples/auth/client-certs/nginx/README.md new file: examples/auth/client-certs/nginx/nginx-tls-auth.yaml 2017-02-06 18:16:36 +00:00			`}`

Add prefix nginx to annotations 2017-11-08 20:58:57 +00:00			`authCert, err := a.r.GetAuthCertificate(tlsauthsecret)`
Address comments about consistency in the code 2017-01-12 22:00:42 +00:00			`if err != nil {`
Remove deprecated libraries, update other libs, add ci v1.23 (#8118) 2022-01-10 00:29:12 +00:00			`e := fmt.Errorf("error obtaining certificate: %w", err)`
In case of TLS errors do not allow traffic (#2146) 2018-02-25 20:20:14 +00:00			`return &Config{}, ing_errors.LocationDenied{Reason: e}`
Address comments about consistency in the code 2017-01-12 22:00:42 +00:00			`}`
Improve parsing of annotations and use of Ingress wrapper 2018-11-30 22:56:11 +00:00			`config.AuthSSLCert = *authCert`

			`config.VerifyClient, err = parser.GetStringAnnotation("auth-tls-verify-client", ing)`
			`if err != nil \|\| !authVerifyClientRegex.MatchString(config.VerifyClient) {`
			`config.VerifyClient = defaultAuthVerifyClient`
			`}`

			`config.ValidationDepth, err = parser.GetIntAnnotation("auth-tls-verify-depth", ing)`
			`if err != nil \|\| config.ValidationDepth == 0 {`
			`config.ValidationDepth = defaultAuthTLSDepth`
			`}`
Address comments about consistency in the code 2017-01-12 22:00:42 +00:00
Improve parsing of annotations and use of Ingress wrapper 2018-11-30 22:56:11 +00:00			`config.ErrorPage, err = parser.GetStringAnnotation("auth-tls-error-page", ing)`
Annotations cannot being empty 2018-12-02 18:35:12 +00:00			`if err != nil {`
Improve parsing of annotations and use of Ingress wrapper 2018-11-30 22:56:11 +00:00			`config.ErrorPage = ""`
Adds support for error page in Client Certificate Authentication 2017-09-03 20:12:03 +00:00			`}`

Improve parsing of annotations and use of Ingress wrapper 2018-11-30 22:56:11 +00:00			`config.PassCertToUpstream, err = parser.GetBoolAnnotation("auth-tls-pass-certificate-to-upstream", ing)`
Add annotation to enable passing the certificate to the upstream server 2017-11-18 00:28:45 +00:00			`if err != nil {`
Improve parsing of annotations and use of Ingress wrapper 2018-11-30 22:56:11 +00:00			`config.PassCertToUpstream = false`
Add annotation to enable passing the certificate to the upstream server 2017-11-18 00:28:45 +00:00			`}`

added new auth-tls-match-cn annotation (#8434) * added new auth-tls-match-cn annotation * added few more tests 2022-04-15 19:59:10 +00:00			`config.MatchCN, err = parser.GetStringAnnotation("auth-tls-match-cn", ing)`
			`if err != nil \|\| !commonNameRegex.MatchString(config.MatchCN) {`
			`config.MatchCN = ""`
			`}`

Improve parsing of annotations and use of Ingress wrapper 2018-11-30 22:56:11 +00:00			`return config, nil`
Split implementations from generic code 2016-11-10 22:56:29 +00:00			`}`