diff --git a/configuration.md b/configuration.md index bc948d47c..d463f0697 100644 --- a/configuration.md +++ b/configuration.md @@ -252,7 +252,7 @@ For more information please see http://nginx.org/en/docs/http/ngx_http_core_modu ### External Authentication To use an existing service that provides authentication the Ingress rule can be annotated with `ingress.kubernetes.io/auth-url` to indicate the URL where the HTTP request should be sent. -Additionally it is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST) and `ingress.kubernetes.io/auth-send-body` to true or false (default). +Additionally it is possible to set `ingress.kubernetes.io/auth-method` to specify the HTTP method to use (GET or POST). ``` ingress.kubernetes.io/auth-url: "URL to the authentication service" diff --git a/pkg/ingress/annotations/authreq/main.go b/pkg/ingress/annotations/authreq/main.go index 1ca77c7ac..89ec8d8c1 100644 --- a/pkg/ingress/annotations/authreq/main.go +++ b/pkg/ingress/annotations/authreq/main.go @@ -32,7 +32,6 @@ const ( authURL = "ingress.kubernetes.io/auth-url" authSigninURL = "ingress.kubernetes.io/auth-signin" authMethod = "ingress.kubernetes.io/auth-method" - authBody = "ingress.kubernetes.io/auth-send-body" authHeaders = "ingress.kubernetes.io/auth-response-headers" ) @@ -43,7 +42,6 @@ type External struct { Host string `json:"host"` SigninURL string `json:"signinUrl"` Method string `json:"method"` - SendBody bool `json:"sendBody"` ResponseHeaders []string `json:"responseHeaders,omitEmpty"` } @@ -67,9 +65,6 @@ func (e1 *External) Equal(e2 *External) bool { if e1.Method != e2.Method { return false } - if e1.SendBody != e2.SendBody { - return false - } if e1.Method != e2.Method { return false } @@ -170,14 +165,11 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) { } } - sb, _ := parser.GetBoolAnnotation(authBody, ing) - return &External{ URL: str, Host: ur.Hostname(), SigninURL: signin, Method: m, - SendBody: sb, ResponseHeaders: h, }, nil } diff --git a/pkg/ingress/annotations/authreq/main_test.go b/pkg/ingress/annotations/authreq/main_test.go index de9249443..1fc75fcbc 100644 --- a/pkg/ingress/annotations/authreq/main_test.go +++ b/pkg/ingress/annotations/authreq/main_test.go @@ -74,22 +74,20 @@ func TestAnnotations(t *testing.T) { url string signinURL string method string - sendBody bool expErr bool }{ - {"empty", "", "", "", false, true}, - {"no scheme", "bar", "bar", "", false, true}, - {"invalid host", "http://", "http://", "", false, true}, - {"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", false, true}, - {"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", false, false}, - {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", true, false}, - {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", true, false}, + {"empty", "", "", "", true}, + {"no scheme", "bar", "bar", "", true}, + {"invalid host", "http://", "http://", "", true}, + {"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", true}, + {"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", false}, + {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", false}, + {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", false}, } for _, test := range tests { data[authURL] = test.url data[authSigninURL] = test.signinURL - data[authBody] = fmt.Sprintf("%v", test.sendBody) data[authMethod] = fmt.Sprintf("%v", test.method) i, err := NewParser().Parse(ing) @@ -112,9 +110,6 @@ func TestAnnotations(t *testing.T) { if u.Method != test.method { t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method) } - if u.SendBody != test.sendBody { - t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.sendBody, u.SendBody) - } } } diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 803329327..6107933b9 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -625,23 +625,24 @@ stream { {{ if not (empty $authPath) }} location = {{ $authPath }} { internal; - set $proxy_upstream_name "internal"; + set $proxy_upstream_name "external-authentication"; - {{ if not $location.ExternalAuth.SendBody }} proxy_pass_request_body off; proxy_set_header Content-Length ""; - {{ end }} + {{ if not (empty $location.ExternalAuth.Method) }} proxy_method {{ $location.ExternalAuth.Method }}; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Scheme $pass_access_scheme; {{ end }} - proxy_pass_request_headers on; + proxy_set_header Host {{ $location.ExternalAuth.Host }}; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Auth-Request-Redirect $request_uri; - proxy_ssl_server_name on; + proxy_set_header X-Sent-From "nginx-ingress-controller"; + proxy_ssl_server_name on; + proxy_pass_request_headers on; client_max_body_size "{{ $location.Proxy.BodySize }}"; {{ if isValidClientBodyBufferSize $location.ClientBodyBufferSize }} client_body_buffer_size {{ $location.ClientBodyBufferSize }}; @@ -651,6 +652,7 @@ stream { proxy_pass $target; } {{ end }} + location {{ $path }} { {{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }}