fix: allow global auth to be disabled by default

docs/user-guide/nginx-configuration/configmap.md

@@ -220,6 +220,7 @@ The following table shows a configuration option's name, type, and the default v
 |[global-auth-cache-key](#global-auth-cache-key)|string|""||
 |[global-auth-cache-duration](#global-auth-cache-duration)|string|"200 202 401 5m"||
 |[global-auth-always-set-cookie](#global-auth-always-set-cookie)|bool|"false"||
+|[global-auth-default-enable](#global-auth-default-enable)|bool|"true"||
 |[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"||
 |[block-cidrs](#block-cidrs)|[]string|""||
 |[block-user-agents](#block-user-agents)|[]string|""||
@@ -1348,6 +1349,10 @@ Enables caching for global auth requests. Specify a lookup key for auth response
 
 Set a caching time for auth responses based on their response codes, e.g. `200 202 30m`. See [proxy_cache_valid](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid) for details. You may specify multiple, comma-separated values: `200 202 10m, 401 5m`. defaults to `200 202 401 5m`.
 
+## global-auth-default-enable
+
+TODO : Set a caching time for auth responses based on their response codes, e.g. `200 202 30m`. See [proxy_cache_valid](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid) for details. You may specify multiple, comma-separated values: `200 202 10m, 401 5m`. defaults to `200 202 401 5m`.
+
 ## global-auth-always-set-cookie
 
 Always set a cookie returned by auth request. By default, the cookie will be set only if an upstream reports with the code 200, 201, 204, 206, 301, 302, 303, 304, 307, or 308.

internal/ingress/controller/template/configmap.go

@@ -64,6 +64,7 @@ const (
 	globalAuthCacheKey            = "global-auth-cache-key"
 	globalAuthCacheDuration       = "global-auth-cache-duration"
 	globalAuthAlwaysSetCookie     = "global-auth-always-set-cookie"
+	globalAuthDefaultEnable       = "global-auth-default-enable"
 	luaSharedDictsKey             = "lua-shared-dicts"
 	plugins                       = "plugins"
 	debugConnections              = "debug-connections"
@@ -343,6 +344,17 @@ func ReadConfig(src map[string]string) config.Configuration {
 		to.GlobalExternalAuth.AlwaysSetCookie = alwaysSetCookie
 	}
 
+	// Verify that the configured global external authorization default enable is valid
+	if val, ok := conf[globalAuthDefaultEnable]; ok {
+		delete(conf, globalAuthDefaultEnable)
+
+		authDefaultEnable, err := strconv.ParseBool(val)
+		if err != nil {
+			klog.Warningf("Global auth location denied - %s", fmt.Errorf("cannot convert %s to bool: %v", globalAuthDefaultEnable, err))
+		}
+		to.GlobalExternalAuth.DefaultEnable = authDefaultEnable
+	}
+
 	// Verify that the configured timeout is parsable as a duration. if not, set the default value
 	if val, ok := conf[proxyHeaderTimeout]; ok {
 		delete(conf, proxyHeaderTimeout)

internal/ingress/controller/template/configmap_test.go

@@ -263,6 +263,34 @@ func TestGlobalExternalAlwaysSetCookie(t *testing.T) {
 	}
 }
 
+func TestGlobalExternalDefaultEnable(t *testing.T) {
+	testCases := map[string]struct {
+		defaultEnable string
+		result        bool
+	}{
+		"true": {
+			defaultEnable: "true",
+			result:        true,
+		},
+		"false": {
+			defaultEnable: "false",
+		},
+		"set empty": {
+			defaultEnable: "true",
+		},
+		"error": {
+			defaultEnable: "error string",
+		},
+	}
+
+	for n, tc := range testCases {
+		cfg := ReadConfig(map[string]string{"global-auth-default-enable": tc.defaultEnable})
+		if cfg.GlobalExternalAuth.DefaultEnable != tc.result {
+			t.Errorf("Testing %v. Expected \"%v\" but \"%v\" was returned", n, tc.result, cfg.GlobalExternalAuth.DefaultEnable)
+		}
+	}
+}
+
 func TestGlobalExternalAuthSigninRedirectParamParsing(t *testing.T) {
 	testCases := map[string]struct {
 		param  string