From 97e39e79e2d69a9eba45ad83ae2d19e70330e2f2 Mon Sep 17 00:00:00 2001 From: Ricardo Katz Date: Sun, 10 Oct 2021 20:18:37 -0300 Subject: [PATCH] Add e2e test for non ingressclass enabled ingress (#7785) --- cmd/nginx/main.go | 5 +- go.mod | 1 + go.sum | 1 + test/e2e/settings/ingress_class.go | 90 ++++++++++++++++++++++++++++++ 4 files changed, 93 insertions(+), 4 deletions(-) diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index aa5a0372b..69d12d05e 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -110,15 +110,12 @@ func main() { _, err = kubeClient.NetworkingV1().IngressClasses().List(context.TODO(), metav1.ListOptions{}) if err != nil { if !errors.IsNotFound(err) { - if errors.IsUnauthorized(err) { - klog.Fatalf("Error searching IngressClass: Please verify your RBAC and allow Ingress Controller to list and get Ingress Classes: %v", err) - } else if errors.IsForbidden(err) { + if errors.IsForbidden(err) { klog.Warningf("No permissions to list and get Ingress Classes: %v, IngressClass feature will be disabled", err) conf.IngressClassConfiguration.IgnoreIngressClass = true } } } - conf.Client = kubeClient err = k8s.GetIngressPod(kubeClient) diff --git a/go.mod b/go.mod index fafe8d3eb..8925d1296 100644 --- a/go.mod +++ b/go.mod @@ -78,6 +78,7 @@ require ( github.com/go-openapi/jsonreference v0.19.3 // indirect github.com/go-openapi/spec v0.19.5 // indirect github.com/go-openapi/swag v0.19.5 // indirect + github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect github.com/godbus/dbus/v5 v5.0.4 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect diff --git a/go.sum b/go.sum index 0517f1627..d2755d925 100644 --- a/go.sum +++ b/go.sum @@ -267,6 +267,7 @@ github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2K github.com/go-openapi/validate v0.19.8/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM= github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA= diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go index 9740eef38..09134ccba 100644 --- a/test/e2e/settings/ingress_class.go +++ b/test/e2e/settings/ingress_class.go @@ -18,6 +18,7 @@ package settings import ( "context" + "fmt" "net/http" "strings" "sync" @@ -26,6 +27,8 @@ import ( "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" networkingv1 "k8s.io/api/networking/v1" + rbacv1 "k8s.io/api/rbac/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -578,4 +581,91 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { }) }) + + ginkgo.Context("Without IngressClass Cluster scoped Permission", func() { + + ginkgo.BeforeEach(func() { + icname := fmt.Sprintf("ic-%s", f.Namespace) + + newRole := &rbacv1.ClusterRoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: icname, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "ClusterRole", + Name: icname, + }, + Subjects: []rbacv1.Subject{ + { + APIGroup: "", + Kind: "ServiceAccount", + Namespace: f.Namespace, + Name: "blablabla", + }, + }, + } + _, err := f.KubeClientSet.RbacV1().ClusterRoleBindings().Update(context.TODO(), newRole, metav1.UpdateOptions{}) + + assert.Nil(ginkgo.GinkgoT(), err, "Updating IngressClass ClusterRoleBinding") + + // Force the correct annotation value just for the re-deployment + err = f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := []string{} + for _, v := range deployment.Spec.Template.Spec.Containers[0].Args { + if strings.Contains(v, "--ingress-class=testclass") { + continue + } + + args = append(args, v) + } + args = append(args, "--ingress-class=testclass") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags") + }) + + ginkgo.It("should watch Ingress with correct annotation", func() { + + validHost := "foo" + annotations := map[string]string{ + ingressclass.IngressKey: "testclass", + } + ing := framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, annotations) + ing.Spec.IngressClassName = nil + f.EnsureIngress(ing) + + f.WaitForNginxConfiguration(func(cfg string) bool { + return strings.Contains(cfg, "server_name foo") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", validHost). + Expect(). + Status(http.StatusOK) + }) + + ginkgo.It("should ignore Ingress with only IngressClassName", func() { + + invalidHost := "noclassforyou" + + ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil) + f.EnsureIngress(ing) + + f.WaitForNginxConfiguration(func(cfg string) bool { + return !strings.Contains(cfg, "server_name noclassforyou") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", invalidHost). + Expect(). + Status(http.StatusNotFound) + }) + + }) })