Merge pull request #1533 from aledbf/remove-send-body

Remove authentication send body annotation

configuration.md

@@ -252,7 +252,7 @@ For more information please see http://nginx.org/en/docs/http/ngx_http_core_modu
 ### External Authentication
 
 To use an existing service that provides authentication the Ingress rule can be annotated with `ingress.kubernetes.io/auth-url` to indicate the URL where the HTTP request should be sent.
-Additionally it is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST) and `ingress.kubernetes.io/auth-send-body` to true or false (default).
+Additionally it is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST).
 
 ```
 ingress.kubernetes.io/auth-url: "URL to the authentication service"

pkg/ingress/annotations/authreq/main.go

@@ -32,7 +32,6 @@ const (
 	authURL       = "ingress.kubernetes.io/auth-url"
 	authSigninURL = "ingress.kubernetes.io/auth-signin"
 	authMethod    = "ingress.kubernetes.io/auth-method"
-	authBody      = "ingress.kubernetes.io/auth-send-body"
 	authHeaders   = "ingress.kubernetes.io/auth-response-headers"
 )
 
@@ -43,7 +42,6 @@ type External struct {
 	Host            string   `json:"host"`
 	SigninURL       string   `json:"signinUrl"`
 	Method          string   `json:"method"`
-	SendBody        bool     `json:"sendBody"`
 	ResponseHeaders []string `json:"responseHeaders,omitEmpty"`
 }
 
@@ -67,9 +65,6 @@ func (e1 *External) Equal(e2 *External) bool {
 	if e1.Method != e2.Method {
 		return false
 	}
-	if e1.SendBody != e2.SendBody {
-		return false
-	}
 	if e1.Method != e2.Method {
 		return false
 	}
@@ -170,14 +165,11 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
 		}
 	}
 
-	sb, _ := parser.GetBoolAnnotation(authBody, ing)
-
 	return &External{
 		URL:             str,
 		Host:            ur.Hostname(),
 		SigninURL:       signin,
 		Method:          m,
-		SendBody:        sb,
 		ResponseHeaders: h,
 	}, nil
 }

pkg/ingress/annotations/authreq/main_test.go

@@ -74,22 +74,20 @@ func TestAnnotations(t *testing.T) {
 		url       string
 		signinURL string
 		method    string
-		sendBody  bool
 		expErr    bool
 	}{
-		{"empty", "", "", "", false, true},
+		{"empty", "", "", "", true},
-		{"no scheme", "bar", "bar", "", false, true},
+		{"no scheme", "bar", "bar", "", true},
-		{"invalid host", "http://", "http://", "", false, true},
+		{"invalid host", "http://", "http://", "", true},
-		{"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", false, true},
+		{"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", true},
-		{"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", false, false},
+		{"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", false},
-		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", true, false},
+		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", false},
-		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", true, false},
+		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", false},
 	}
 
 	for _, test := range tests {
 		data[authURL] = test.url
 		data[authSigninURL] = test.signinURL
-		data[authBody] = fmt.Sprintf("%v", test.sendBody)
 		data[authMethod] = fmt.Sprintf("%v", test.method)
 
 		i, err := NewParser().Parse(ing)
@@ -112,9 +110,6 @@ func TestAnnotations(t *testing.T) {
 		if u.Method != test.method {
 			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
 		}
-		if u.SendBody != test.sendBody {
-			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.sendBody, u.SendBody)
-		}
 	}
 }
 

rootfs/etc/nginx/template/nginx.tmpl

@@ -625,23 +625,24 @@ stream {
         {{ if not (empty $authPath) }}
         location = {{ $authPath }} {
             internal;
-            set $proxy_upstream_name "internal";
+            set $proxy_upstream_name "external-authentication";
 
-            {{ if not $location.ExternalAuth.SendBody }}
             proxy_pass_request_body     off;
             proxy_set_header            Content-Length "";
-            {{ end }}
+
             {{ if not (empty $location.ExternalAuth.Method) }}
             proxy_method                {{ $location.ExternalAuth.Method }};
             proxy_set_header            X-Original-URI          $request_uri;
             proxy_set_header            X-Scheme                $pass_access_scheme;
             {{ end }}
-            proxy_pass_request_headers  on;
+
             proxy_set_header            Host                    {{ $location.ExternalAuth.Host }};
             proxy_set_header            X-Original-URL          $scheme://$http_host$request_uri;
             proxy_set_header            X-Auth-Request-Redirect $request_uri;
-            proxy_ssl_server_name       on;
+            proxy_set_header            X-Sent-From             "nginx-ingress-controller";
 
+            proxy_ssl_server_name       on;
+            proxy_pass_request_headers  on;
             client_max_body_size        "{{ $location.Proxy.BodySize }}";
             {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }}
             client_body_buffer_size     {{ $location.ClientBodyBufferSize }};
@@ -651,6 +652,7 @@ stream {
             proxy_pass $target;
         }
         {{ end }}
+
         location {{ $path }} {
             {{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }}