Add validations to CI

2023-07-09 17:45:43 +00:00 · 2023-07-09 17:45:43 +00:00 · 68d8d643c3
commit 68d8d643c3
parent 490d0f4196
12 changed files with 74 additions and 12 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -319,6 +319,55 @@ jobs:
          name: e2e-test-reports-${{ matrix.k8s }}
          path: 'test/junitreports/report*.xml'

+  kubernetes-validations:
+    name: Kubernetes with Validations
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+      - build
+    if: |
+      (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }}
+
+    strategy:
+      matrix:
+        k8s: [v1.27.1]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
+      - name: cache
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: docker.tar.gz
+
+      - name: Create Kubernetes ${{ matrix.k8s }} cluster
+        id: kind
+        run: |
+          kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml
+
+      - name: Load images from cache
+        run: |
+          echo "loading docker images..."
+          pigz -dc docker.tar.gz | docker load
+
+      - name: Run e2e tests
+        env:
+          KIND_CLUSTER_NAME: kind
+          SKIP_CLUSTER_CREATION: true
+          SKIP_IMAGE_CREATION: true
+          ENABLE_VALIDATIONS: true
+        run: |
+          kind get kubeconfig > $HOME/.kube/kind-config-kind
+          make kind-e2e-test
+
+      - name: Upload e2e junit-reports
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        if: success() || failure()
+        with:
+          name: e2e-test-reports-${{ matrix.k8s }}
+          path: 'test/junitreports/report*.xml'
+

  kubernetes-chroot:
    name: Kubernetes chroot
--- a/charts/ingress-nginx/templates/_params.tpl
+++ b/charts/ingress-nginx/templates/_params.tpl
@ -1,5 +1,8 @@
 {{- define "ingress-nginx.params" -}}
 - /nginx-ingress-controller
+{{- if .Values.controller.enableValidations }}
+- --enable-annotation-validation=true
+{{- end }}
 {{- if .Values.defaultBackend.enabled }}
 - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }}
 {{- end }}
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -15,6 +15,7 @@ commonLabels: {}

 controller:
  name: controller
+  enableValidations: false
  image:
    ## Keep false as default for now!
    chroot: false
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@ -15,7 +15,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment
 | `--default-backend-service`        | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form "namespace/name". The controller configures NGINX to forward requests to the first port of this Service. |
 | `--default-server-port`            | Port to use for exposing the default server (catch-all). (default 8181) |
 | `--default-ssl-certificate`        | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". |
-| `--disable-annotation-validation`  | If true, will disable the annotation validation feature. This value will be defaulted to false on a future release. |
+| `--enable-annotation-validation`  | If true, will enable the annotation validation feature. This value will be defaulted to true on a future release. |
 | `--disable-catch-all`              | Disable support for catch-all Ingresses. (default false) |
 | `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated  (full test of all ingresses is enabled by default). |
 | `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) |
--- a/internal/ingress/annotations/alias/main_test.go
+++ b/internal/ingress/annotations/alias/main_test.go
@ -63,10 +63,10 @@ func TestParse(t *testing.T) {
 	for _, testCase := range testCases {
 		ing.SetAnnotations(testCase.annotations)
 		if testCase.skipValidation {
-			parser.DisableAnnotationValidation = true
+			parser.EnableAnnotationValidation = false
 		}
 		defer func() {
-			parser.DisableAnnotationValidation = false
+			parser.EnableAnnotationValidation = true
 		}()
 		result, err := ap.Parse(ing)
 		if (err != nil) != testCase.wantErr {
--- a/internal/ingress/annotations/parser/main.go
+++ b/internal/ingress/annotations/parser/main.go
@ -30,15 +30,15 @@ import (

 // DefaultAnnotationsPrefix defines the common prefix used in the nginx ingress controller
 const (
-	DefaultAnnotationsPrefix           = "nginx.ingress.kubernetes.io"
-	DefaultDisableAnnotationValidation = false
+	DefaultAnnotationsPrefix          = "nginx.ingress.kubernetes.io"
+	DefaultEnableAnnotationValidation = true
 )

 var (
 	// AnnotationsPrefix is the mutable attribute that the controller explicitly refers to
 	AnnotationsPrefix = DefaultAnnotationsPrefix
-	// DisableAnnotationValidation is the mutable attribute for enabling or disabling the validation functions
-	DisableAnnotationValidation = DefaultDisableAnnotationValidation
+	// Enable is the mutable attribute for enabling or disabling the validation functions
+	EnableAnnotationValidation = DefaultEnableAnnotationValidation
 )

 // AnnotationGroup defines the group that this annotation may belong
--- a/internal/ingress/annotations/parser/validators.go
+++ b/internal/ingress/annotations/parser/validators.go
@ -216,7 +216,7 @@ func checkAnnotation(name string, ing *networking.Ingress, fields AnnotationFiel
 			}
 		}
 		// We don't run validation against empty values
-		if !DisableAnnotationValidation && annotationValue != "" {
+		if EnableAnnotationValidation && annotationValue != "" {
 			if err := validateFunc(annotationValue); err != nil {
 				klog.Warningf("validation error on ingress %s/%s: annotation %s contains invalid value %s", ing.GetNamespace(), ing.GetName(), name, annotationValue)
 				return "", ing_errors.NewValidationError(annotationFullName)
--- a/pkg/flags/flags.go
+++ b/pkg/flags/flags.go
@ -152,8 +152,8 @@ Requires the update-status parameter.`)
 		annotationsPrefix = flags.String("annotations-prefix", parser.DefaultAnnotationsPrefix,
 			`Prefix of the Ingress annotations specific to the NGINX controller.`)

-		disableAnnotationValidation = flags.Bool("disable-annotation-validation", true,
-			`If true, will disable the annotation validation feature. This value will be defaulted to false on a future release`)
+		enableAnnotationValidation = flags.Bool("enable-annotation-validation", false,
+			`If true, will enable the annotation validation feature. This value will be defaulted to true on a future release`)

 		enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false,
 			`Autocomplete SSL certificate chains with missing intermediate CA certificates.
@ -252,7 +252,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 	}

 	parser.AnnotationsPrefix = *annotationsPrefix
-	parser.DisableAnnotationValidation = *disableAnnotationValidation
+	parser.EnableAnnotationValidation = *enableAnnotationValidation

 	// check port collisions
 	if !ing_net.IsPortAvailable(*httpPort) {
--- a/test/e2e/framework/exec.go
+++ b/test/e2e/framework/exec.go
@ -116,7 +116,12 @@ func (f *Framework) newIngressController(namespace string, namespaceOverlay stri
 	if !ok {
 		isChroot = "false"
 	}
-	cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot)
+
+	enableValidations, ok := os.LookupEnv("ENABLE_VALIDATIONS")
+	if !ok {
+		enableValidations = "false"
+	}
+	cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot, enableValidations)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("unexpected error waiting for ingress controller deployment: %v.\nLogs:\n%v", err, string(out))
--- a/test/e2e/run-e2e-suite.sh
+++ b/test/e2e/run-e2e-suite.sh
@ -78,6 +78,7 @@ kubectl run --rm \
  --env="E2E_NODES=${E2E_NODES}" \
  --env="FOCUS=${FOCUS}" \
  --env="IS_CHROOT=${IS_CHROOT:-false}"\
+  --env="ENABLE_VALIDATIONS=${ENABLE_VALIDATIONS:-false}"\
  --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \
  --env="NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE}" \
  --env="HTTPBUN_IMAGE=${HTTPBUN_IMAGE}" \
--- a/test/e2e/run-kind-e2e.sh
+++ b/test/e2e/run-kind-e2e.sh
@ -39,6 +39,7 @@ fi

 KIND_LOG_LEVEL="1"
 IS_CHROOT="${IS_CHROOT:-false}"
+ENABLE_VALIDATIONS="${ENABLE_VALIDATIONS:-false}"
 export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev}
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # Use 1.0.0-dev to make sure we use the latest configuration in the helm template
--- a/test/e2e/wait-for-nginx.sh
+++ b/test/e2e/wait-for-nginx.sh
@ -24,6 +24,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 export NAMESPACE=$1
 export NAMESPACE_OVERLAY=$2
 export IS_CHROOT=$3
+export ENABLE_VALIDATIONS=$4

 echo "deploying NGINX Ingress controller in namespace $NAMESPACE"

@ -68,6 +69,7 @@ else
 # TODO: remove the need to use fullnameOverride
 fullnameOverride: nginx-ingress
 controller:
+  enableValidations: ${ENABLE_VALIDATIONS}
  image:
    repository: ingress-controller/controller
    chroot: ${IS_CHROOT}