Merge pull request #5664 from jeffrey-hui/master

fix undefined variable $auth_cookie error due to when location is denied

rootfs/etc/nginx/template/nginx.tmpl

@@ -1018,7 +1018,7 @@ stream {
         }
         {{ end }}
 
-
+        {{ if isLocationAllowed $location }}
         {{ if $externalAuth.SigninURL }}
         location {{ buildAuthSignURLLocation $location.Path $externalAuth.SigninURL }} {
             internal;
@@ -1028,6 +1028,7 @@ stream {
             return 302 {{ buildAuthSignURL $externalAuth.SigninURL }};
         }
         {{ end }}
+        {{ end }}
 
         location {{ $path }} {
             {{ $ing := (getIngressInformation $location.Ingress $server.Hostname $location.Path) }}

test/e2e/annotations/auth.go

@@ -29,6 +29,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	corev1 "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"k8s.io/ingress-nginx/test/e2e/framework"
@@ -353,6 +354,8 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
 
 	ginkgo.Context("when external authentication is configured", func() {
 		host := "auth"
+		var annotations map[string]string
+		var ing *networking.Ingress
 
 		ginkgo.BeforeEach(func() {
 			f.NewHttpbinDeployment()
@@ -367,12 +370,12 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
 
 			httpbinIP = e.Subsets[0].Addresses[0].IP
 
-			annotations := map[string]string{
+			annotations = map[string]string{
 				"nginx.ingress.kubernetes.io/auth-url":    fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
 				"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
 			}
 
-			ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+			ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 			f.EnsureIngress(ing)
 
 			f.WaitForNginxServer(host, func(server string) bool {
@@ -399,6 +402,30 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
 				Status(http.StatusFound).
 				Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", host, host, url.QueryEscape("/?a=b&c=d")))
 		})
+
+		ginkgo.It("keeps processing new ingresses even if one of the existing ingresses is misconfigured", func() {
+			annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
+			annotations["nginx.ingress.kubernetes.io/auth-secret"] = "something"
+			annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
+			f.UpdateIngress(ing)
+
+			anotherHost := "different"
+			anotherAnnotations := map[string]string{}
+
+			anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations)
+			f.EnsureIngress(anotherIng)
+
+			f.WaitForNginxServer(anotherHost,
+				func(server string) bool {
+					return strings.Contains(server, "server_name "+anotherHost)
+				})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", anotherHost).
+				Expect().
+				Status(http.StatusOK)
+		})
 	})
 
 	ginkgo.Context("when external authentication with caching is configured", func() {