Merge pull request #6150 from timmysilv/master

Reject ingresses that use the default annotation if a custom one was provided

cmd/nginx/flags.go

@@ -126,7 +126,7 @@ Requires the update-status parameter.`)
 		enableSSLPassthrough = flags.Bool("enable-ssl-passthrough", false,
 			`Enable SSL Passthrough.`)
 
-		annotationsPrefix = flags.String("annotations-prefix", "nginx.ingress.kubernetes.io",
+		annotationsPrefix = flags.String("annotations-prefix", parser.DefaultAnnotationsPrefix,
 			`Prefix of the Ingress annotations specific to the NGINX controller.`)
 
 		enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false,

internal/ingress/annotations/parser/main.go

@@ -28,9 +28,12 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/errors"
 )
 
+// DefaultAnnotationsPrefix defines the common prefix used in the nginx ingress controller
+const DefaultAnnotationsPrefix = "nginx.ingress.kubernetes.io"
+
 var (
-	// AnnotationsPrefix defines the common prefix used in the nginx ingress controller
+	// AnnotationsPrefix is the mutable attribute that the controller explicitly refers to
-	AnnotationsPrefix = "nginx.ingress.kubernetes.io"
+	AnnotationsPrefix = DefaultAnnotationsPrefix
 )
 
 // IngressAnnotation has a method to parse annotations located in Ingress

internal/ingress/controller/controller.go

@@ -35,6 +35,7 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/annotations"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/class"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/log"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/proxy"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
 	"k8s.io/ingress-nginx/internal/k8s"
@@ -216,6 +217,14 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error {
 		return nil
 	}
 
+	if parser.AnnotationsPrefix != parser.DefaultAnnotationsPrefix {
+		for key := range ing.ObjectMeta.GetAnnotations() {
+			if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.DefaultAnnotationsPrefix)) {
+				return fmt.Errorf("This deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix)
+			}
+		}
+	}
+
 	filter := func(toCheck *ingress.Ingress) bool {
 		return toCheck.ObjectMeta.Namespace == ing.ObjectMeta.Namespace &&
 			toCheck.ObjectMeta.Name == ing.ObjectMeta.Name

internal/ingress/controller/controller_test.go

@@ -42,6 +42,7 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress"
 	"k8s.io/ingress-nginx/internal/ingress/annotations"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/canary"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl"
 	"k8s.io/ingress-nginx/internal/ingress/controller/config"
 	ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config"
@@ -243,6 +244,18 @@ func TestCheckIngress(t *testing.T) {
 			}
 		})
 
+		t.Run("When the default annotation prefix is used despite an override", func(t *testing.T) {
+			parser.AnnotationsPrefix = "ingress.kubernetes.io"
+			ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/backend-protocol"] = "GRPC"
+			nginx.command = testNginxTestCommand{
+				t:   t,
+				err: nil,
+			}
+			if nginx.CheckIngress(ing) == nil {
+				t.Errorf("with a custom annotation prefix, ingresses using the default should be rejected")
+			}
+		})
+
 		t.Run("When the ingress is in a different namespace than the watched one", func(t *testing.T) {
 			nginx.command = testNginxTestCommand{
 				t:   t,