Add example

2016-06-09 18:00:05 -04:00 · 2016-06-09 18:00:05 -04:00 · 17e42ed902
commit 17e42ed902
parent e792e940b2
6 changed files with 155 additions and 17 deletions
--- a/controllers/nginx/controller.go
+++ b/controllers/nginx/controller.go
@ -698,7 +698,7 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg config.Configuratio
 				glog.V(3).Infof("error parsing rewrite annotations for Ingress rule %v/%v: %v", ing.GetNamespace(), ing.GetName(), err)
 			}

-			wl, err := ipwhitelist.ParseAnnotations(ngxCfg.WhiteList, ing)
+			wl, err := ipwhitelist.ParseAnnotations(ngxCfg.WhitelistSourceRange, ing)
 			glog.V(3).Infof("nginx white list %v", wl)
 			if err != nil {
 				glog.V(3).Infof("error reading white list annotation in Ingress %v/%v: %v", ing.GetNamespace(), ing.GetName(), err)
--- a/controllers/nginx/examples/whitelist/README.md
+++ b/controllers/nginx/examples/whitelist/README.md
@ -0,0 +1,122 @@
+
+This example shows how is possible to restrict access
+
+echo "
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: whitelist
+  annotations:
+    ingress.kubernetes.io/whitelist-source-range: "1.1.1.1/24"
+spec:
+  rules:
+  - host: foo.bar.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: echoheaders
+          servicePort: 80
+" | kubectl create -f -
+
+
+Check the annotation is present in the Ingress rule:
+```
+$ kubectl get ingress whitelist -o yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  annotations:
+    ingress.kubernetes.io/whitelist-source-range: 1.1.1.1/24
+  creationTimestamp: 2016-06-09T21:39:06Z
+  generation: 2
+  name: whitelist
+  namespace: default
+  resourceVersion: "419363"
+  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/whitelist
+  uid: 97b74737-2e8a-11e6-90db-080027d2dc94
+spec:
+  rules:
+  - host: whitelist.bar.com
+    http:
+      paths:
+      - backend:
+          serviceName: echoheaders
+          servicePort: 80
+        path: /
+status:
+  loadBalancer:
+    ingress:
+    - ip: 172.17.4.99
+``
+
+Finally test is not possible to access the URL
+
+```
+$ curl -v http://172.17.4.99/ -H 'Host: whitelist.bar.com'
+*   Trying 172.17.4.99...
+* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)
+> GET / HTTP/1.1
+> Host: whitelist.bar.com
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+< HTTP/1.1 403 Forbidden
+< Server: nginx/1.11.1
+< Date: Thu, 09 Jun 2016 21:56:17 GMT
+< Content-Type: text/html
+< Content-Length: 169
+< Connection: keep-alive
+<
+<html>
+<head><title>403 Forbidden</title></head>
+<body bgcolor="white">
+<center><h1>403 Forbidden</h1></center>
+<hr><center>nginx/1.11.1</center>
+</body>
+</html>
+* Connection #0 to host 172.17.4.99 left intact
+```
+
+Removing the annotation removes the restriction
+
+```
+*   Trying 172.17.4.99...
+* Connected to 172.17.4.99 (172.17.4.99) port 80 (#0)
+> GET / HTTP/1.1
+> Host: whitelist.bar.com
+> User-Agent: curl/7.43.0
+> Accept: */*
+>
+< HTTP/1.1 200 OK
+< Server: nginx/1.11.1
+< Date: Thu, 09 Jun 2016 21:57:44 GMT
+< Content-Type: text/plain
+< Transfer-Encoding: chunked
+< Connection: keep-alive
+<
+CLIENT VALUES:
+client_address=10.2.89.7
+command=GET
+real path=/
+query=nil
+request_version=1.1
+request_uri=http://whitelist.bar.com:8080/
+
+SERVER VALUES:
+server_version=nginx: 1.9.11 - lua: 10001
+
+HEADERS RECEIVED:
+accept=*/*
+connection=close
+host=whitelist.bar.com
+user-agent=curl/7.43.0
+x-forwarded-for=10.2.89.1
+x-forwarded-host=whitelist.bar.com
+x-forwarded-port=80
+x-forwarded-proto=http
+x-real-ip=10.2.89.1
+BODY:
+* Connection #0 to host 172.17.4.99 left intact
+```
+
--- a/controllers/nginx/nginx/config/config.go
+++ b/controllers/nginx/nginx/config/config.go
@ -233,9 +233,9 @@ type Configuration struct {
 	// Responses with the “text/html” type are always compressed if UseGzip is enabled
 	GzipTypes string `structs:"gzip-types,omitempty"`

-	// WhiteList allows limiting access to certain client addresses.
+	// WhitelistSourceRange allows limiting access to certain client addresses
 	// http://nginx.org/en/docs/http/ngx_http_access_module.html
-	WhiteList []string `structs:"whitelist,omitempty"`
+	WhitelistSourceRange []string `structs:"whitelist-source-range,omitempty"`

 	// Defines the number of worker processes. By default auto means number of available CPU cores
 	// http://nginx.org/en/docs/ngx_core_module.html#worker_processes
@ -274,7 +274,7 @@ func NewDefault() Configuration {
 		VtsStatusZoneSize:        "10m",
 		UseHTTP2:                 true,
 		CustomHTTPErrors:         make([]int, 0),
-		WhiteList:                make([]string, 0),
+		WhitelistSourceRange:     make([]string, 0),
 	}

 	if glog.V(5) {
--- a/controllers/nginx/nginx/ipwhitelist/main.go
+++ b/controllers/nginx/nginx/ipwhitelist/main.go
@ -18,13 +18,14 @@ package ipwhitelist

 import (
 	"errors"
+	"strings"

 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/util/net/sets"
 )

 const (
-	whitelist = "ingress.kubernetes.io/whitelist"
+	whitelist = "ingress.kubernetes.io/whitelist-source-range"
 )

 var (
@ -37,8 +38,8 @@ var (
 	ErrInvalidCIDR = errors.New("the annotation does not contains a valid IP address or network")
 )

-// Whitelist returns the CIDR
-type Whitelist struct {
+// SourceRange returns the CIDR
+type SourceRange struct {
 	CIDR []string
 }

@ -50,24 +51,27 @@ func (a ingAnnotations) whitelist() ([]string, error) {
 		return nil, ErrMissingWhitelist
 	}

-	ipnet, err := sets.ParseIPNets(val)
+	values := strings.Split(val, ",")
+	ipnets, err := sets.ParseIPNets(values...)
 	if err != nil {
 		return nil, ErrInvalidCIDR
 	}

-	nets := make([]string, 0)
-	for k := range ipnet {
-		nets = append(nets, k)
+	cidrs := make([]string, 0)
+	for k := range ipnets {
+		cidrs = append(cidrs, k)
 	}

-	return nets, nil
+	return cidrs, nil
 }

 // ParseAnnotations parses the annotations contained in the ingress
-// rule used to configure upstream check parameters
-func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*Whitelist, error) {
+// rule used to limit access to certain client addresses or networks.
+// Multiple ranges can specified using commas as separator
+// e.g. `18.0.0.0/8,56.0.0.0/8`
+func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*SourceRange, error) {
 	if ing.GetAnnotations() == nil {
-		return &Whitelist{whiteList}, ErrMissingWhitelist
+		return &SourceRange{whiteList}, ErrMissingWhitelist
 	}

 	wl, err := ingAnnotations(ing.GetAnnotations()).whitelist()
@ -75,5 +79,5 @@ func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*Whitelist,
 		wl = whiteList
 	}

-	return &Whitelist{wl}, err
+	return &SourceRange{wl}, err
 }
--- a/controllers/nginx/nginx/ipwhitelist/main_test.go
+++ b/controllers/nginx/nginx/ipwhitelist/main_test.go
@ -83,4 +83,16 @@ func TestAnnotations(t *testing.T) {
 	if !reflect.DeepEqual(wl, enet) {
 		t.Errorf("Expected %v but returned %s", enet, wl)
 	}
+
+	data[whitelist] = "10.0.0.0/24,10.0.1.0/25"
+	ing.SetAnnotations(data)
+
+	wl, err = ingAnnotations(ing.GetAnnotations()).whitelist()
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+
+	if len(wl) != 2 {
+		t.Errorf("Expected 2 netwotks but %v was returned", len(wl))
+	}
 }
--- a/controllers/nginx/nginx/nginx.go
+++ b/controllers/nginx/nginx/nginx.go
@ -100,7 +100,7 @@ type Location struct {
 	RateLimit      ratelimit.RateLimit
 	Redirect       rewrite.Redirect
 	SecureUpstream bool
-	Whitelist      ipwhitelist.Whitelist
+	Whitelist      ipwhitelist.SourceRange
 }

 // LocationByPath sorts location by path