cf9ae96d72
* Fix indentation of nested list in AuthTLS annotations Also, put `<annotation>`: <description text>` on a single line in Markdown markup, which will match what gets rendered eventually. On the other hand, for the line on auth-tls-secret (This annotation expects the Secret name in the form "namespace/secretName"), its Markdown markup suggests that the author wanted the line to start on its own line, but currently this gets rendered on the same line. It's nice for this to be on its own line, since it's kind of a "note" about the annotation syntax. Format/indent the markup appropriately so that it shows up on its line. * Fix indentation of nested list in CORS annotations Also, put `<annotation>`: <description text>` on a single line in Markdown markup, which will match what gets rendered eventually. On the other hand, for lines noting the allowed characters (This is a multi-valued field...), its Markdown markup suggests that the author wanted the line to start on its own line, but currently this gets rendered on the same line. It's nice for this to be on its own line, since it's kind of a "note" about the annotation syntax. Format/indent the markup appropriately so that it shows up on its line. * Replace f.HTTPTestClientWithTLSConfig() in AuthTLS E2E, the odd one out for requests without client certs * Demonstrate and document that auth-tls-secret enables the other AuthTLS annotations like verify client, depth * Split E2E for auth-tls-error-page and *-pass-certificate-to-upstream
278 lines
8 KiB
Go
278 lines
8 KiB
Go
/*
|
|
Copyright 2018 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package annotations
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/onsi/ginkgo"
|
|
"github.com/stretchr/testify/assert"
|
|
"k8s.io/ingress-nginx/test/e2e/framework"
|
|
)
|
|
|
|
var _ = framework.DescribeAnnotation("auth-tls-*", func() {
|
|
f := framework.NewDefaultFramework("authtls")
|
|
|
|
ginkgo.BeforeEach(func() {
|
|
f.NewEchoDeploymentWithReplicas(2)
|
|
})
|
|
|
|
ginkgo.It("should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret", func() {
|
|
host := "authtls.foo.com"
|
|
nameSpace := f.Namespace
|
|
|
|
clientConfig, err := framework.CreateIngressMASecret(
|
|
f.KubeClientSet,
|
|
host,
|
|
host,
|
|
nameSpace)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
annotations := map[string]string{}
|
|
|
|
ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return !strings.Contains(server, "ssl_client_certificate") &&
|
|
!strings.Contains(server, "ssl_verify_client") &&
|
|
!strings.Contains(server, "ssl_verify_depth")
|
|
})
|
|
|
|
annotations = map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
}
|
|
|
|
ing.SetAnnotations(annotations)
|
|
f.UpdateIngress(ing)
|
|
|
|
assertSslClientCertificateConfig(f, host, "on", "1")
|
|
|
|
// Send Request without Client Certs
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusBadRequest)
|
|
|
|
// Send Request Passing the Client Certs
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2", func() {
|
|
host := "authtls.foo.com"
|
|
nameSpace := f.Namespace
|
|
|
|
_, err := framework.CreateIngressMASecret(
|
|
f.KubeClientSet,
|
|
host,
|
|
host,
|
|
nameSpace)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
"nginx.ingress.kubernetes.io/auth-tls-verify-client": "off",
|
|
"nginx.ingress.kubernetes.io/auth-tls-verify-depth": "2",
|
|
}
|
|
|
|
f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
|
|
|
assertSslClientCertificateConfig(f, host, "off", "2")
|
|
|
|
// Send Request without Client Certs
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should 302 redirect to error page instead of 400 when auth-tls-error-page is set", func() {
|
|
host := "authtls.foo.com"
|
|
nameSpace := f.Namespace
|
|
|
|
errorPath := "/error"
|
|
|
|
clientConfig, err := framework.CreateIngressMASecret(
|
|
f.KubeClientSet,
|
|
host,
|
|
host,
|
|
nameSpace)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
"nginx.ingress.kubernetes.io/auth-tls-error-page": f.GetURL(framework.HTTP) + errorPath,
|
|
}
|
|
|
|
f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
|
|
|
assertSslClientCertificateConfig(f, host, "on", "1")
|
|
|
|
sslErrorPage := fmt.Sprintf("error_page 495 496 = %s;", f.GetURL(framework.HTTP)+errorPath)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, sslErrorPage)
|
|
})
|
|
|
|
// Send Request without Client Certs
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusFound).
|
|
Header("Location").Equal(f.GetURL(framework.HTTP) + errorPath)
|
|
|
|
// Send Request Passing the Client Certs
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should pass URL-encoded certificate to upstream", func() {
|
|
host := "authtls.foo.com"
|
|
nameSpace := f.Namespace
|
|
|
|
clientConfig, err := framework.CreateIngressMASecret(
|
|
f.KubeClientSet,
|
|
host,
|
|
host,
|
|
nameSpace)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
"nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream": "true",
|
|
}
|
|
|
|
f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
|
|
|
assertSslClientCertificateConfig(f, host, "on", "1")
|
|
|
|
sslUpstreamClientCert := "proxy_set_header ssl-client-cert $ssl_client_escaped_cert;"
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, sslUpstreamClientCert)
|
|
})
|
|
|
|
// Send Request without Client Certs
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusBadRequest)
|
|
|
|
// Send Request Passing the Client Certs
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK).
|
|
Body().Contains("ssl-client-cert=-----BEGIN%20CERTIFICATE-----%0A")
|
|
})
|
|
|
|
ginkgo.It("should validate auth-tls-verify-client", func() {
|
|
host := "authtls.foo.com"
|
|
nameSpace := f.Namespace
|
|
|
|
clientConfig, err := framework.CreateIngressMASecret(
|
|
f.KubeClientSet,
|
|
host,
|
|
host,
|
|
nameSpace)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
"nginx.ingress.kubernetes.io/auth-tls-verify-client": "on",
|
|
}
|
|
|
|
ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
|
|
|
|
assertSslClientCertificateConfig(f, host, "on", "1")
|
|
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusBadRequest)
|
|
|
|
annotations = map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
|
|
"nginx.ingress.kubernetes.io/auth-tls-verify-client": "off",
|
|
}
|
|
|
|
ing.SetAnnotations(annotations)
|
|
f.UpdateIngress(ing)
|
|
|
|
assertSslClientCertificateConfig(f, host, "off", "1")
|
|
|
|
f.HTTPTestClientWithTLSConfig(clientConfig).
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithURL(f.GetURL(framework.HTTPS)).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
|
|
})
|
|
})
|
|
|
|
func assertSslClientCertificateConfig(f *framework.Framework, host string, verifyClient string, verifyDepth string) {
|
|
sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", f.Namespace, host)
|
|
sslVerify := fmt.Sprintf("ssl_verify_client %s;", verifyClient)
|
|
sslVerifyDepth := fmt.Sprintf("ssl_verify_depth %s;", verifyDepth)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, sslClientCertDirective) &&
|
|
strings.Contains(server, sslVerify) &&
|
|
strings.Contains(server, sslVerifyDepth)
|
|
})
|
|
}
|