fix: Ensure changes in MatchCN annotation are detected (#11173)
parent
6a111a974b
commit
bcb98c0c8d
3 changed files with 55 additions and 0 deletions
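--- a/FILE-1-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE-1-PATH-NOT-SHOWN-ON-PAGE
@@ -122,6 +122,9 @@ func (assl1 *Config) Equal(assl2 *Config) bool {
 	if assl1.PassCertToUpstream != assl2.PassCertToUpstream {
 		return false
 	}
+	if assl1.MatchCN != assl2.MatchCN {
+		return false
+	}
 
 	return true
 }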
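Review bot: Equal still carries no comment stating that it must compare every field of Config, which is exactly how MatchCN was missed until this commit; the method's header is outside the hunk, but the added `if assl1.MatchCN != assl2.MatchCN` block is a natural place for `// Every Config field must be compared here: a field missing from Equal means a changed annotation is not detected and the previously rendered (possibly more permissive) mTLS policy stays in effect.` A comparison that silently ignores a field fails open in that sense, which is why the omission deserves a comment rather than just the one-line fix. A table-driven unit test that flips each Config field in turn would catch the next omission; TestEquals in this commit covers MatchCN only.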
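--- a/FILE-2-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE-2-PATH-NOT-SHOWN-ON-PAGE
@@ -333,6 +333,15 @@ func TestEquals(t *testing.T) {
 	}
 	cfg2.PassCertToUpstream = true
 
+	// Different MatchCN
+	cfg1.MatchCN = "CN=(hello-app|goodbye)"
+	cfg2.MatchCN = "CN=(hello-app)"
+	result = cfg1.Equal(cfg2)
+	if result != false {
+		t.Errorf("Expected false")
+	}
+	cfg2.MatchCN = "CN=(hello-app|goodbye)"
+
 	// Equal Configs
 	result = cfg1.Equal(cfg2)
 	if result != true {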
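Review bot: The failure message `t.Errorf("Expected false")` in the new MatchCN check does not say which of TestEquals' sub-checks fired, and the same literal appears to be reused for the other field comparisons in this function, so a regression would point at nothing in particular. Prefer `t.Errorf("Expected false for MatchCN %q vs %q", cfg1.MatchCN, cfg2.MatchCN)`, which also makes the regex values under test visible in the output. TestEquals begins and ends outside the hunk.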
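--- a/FILE-3-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE-3-PATH-NOT-SHOWN-ON-PAGE
@@ -322,6 +322,49 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 			Status(http.StatusOK)
 	})
 
+	ginkgo.It("should reload the nginx config when auth-tls-match-cn is updated", func() {
+		host := authTLSFooHost
+		nameSpace := f.Namespace
+
+		clientConfig, err := framework.CreateIngressMASecret(
+			f.KubeClientSet,
+			host,
+			host,
+			nameSpace)
+		assert.Nil(ginkgo.GinkgoT(), err)
+
+		// First add an annotation that forbids our connection
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
+			"nginx.ingress.kubernetes.io/auth-tls-verify-client": "on",
+			"nginx.ingress.kubernetes.io/auth-tls-match-cn": "CN=notvalid",
+		}
+
+		ingress := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
+
+		assertSslClientCertificateConfig(f, host, "on", "1")
+
+		f.HTTPTestClientWithTLSConfig(clientConfig).
+			GET("/").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusForbidden)
+
+		// Update the annotation to something that allows the connection
+		ingress.Annotations["nginx.ingress.kubernetes.io/auth-tls-match-cn"] = "CN=authtls"
+		f.UpdateIngress(ingress)
+
+		assertSslClientCertificateConfig(f, host, "on", "1")
+
+		f.HTTPTestClientWithTLSConfig(clientConfig).
+			GET("/").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
+	})
+
 	ginkgo.It("should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client", func() {
 		host := authTLSFooHost
 		nameSpace := f.Namespace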
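Review bot: The second `assertSslClientCertificateConfig(f, host, "on", "1")` after `f.UpdateIngress(ingress)` checks exactly the same values as the first one, so it does not by itself establish that the reload picked up the new match-cn value; the only evidence of the reload is the subsequent 200, and if the helper does not wait for the rendered server block to change (not visible in this hunk) a slow reload would surface as a flaky 403 rather than a clear assertion. If the framework offers a way to wait on the rendered server block, waiting until it contains the updated `CN=authtls` value before issuing the second request would make the test assert the reload directly. A short comment on the second assert, such as `// Same verify-client settings as before; the MatchCN change is observed via the 200 below`, would at least make the intent of the repeated call clear. The enclosing DescribeAnnotation func starts and ends outside the hunk.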