DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/internal/admission/controller/main_test.go
Thibault Jamet 1cd17cd12c
Implement a validation webhook 
In case some ingress have a syntax error in the snippet configuration,
the freshly generated configuration will not be reloaded to prevent tearing down existing rules.
Although, once inserted, this configuration is preventing from any other valid configuration to be inserted as it remains in the ingresses of the cluster.
To solve this problem, implement an optional validation webhook that simulates the addition of the ingress to be added together with the rest of ingresses.
In case the generated configuration is not validated by nginx, deny the insertion of the ingress.

In case certificates are mounted using kubernetes secrets, when those
changes, keys are automatically updated in the container volume, and the
controller reloads it using the filewatcher.

Related changes:

- Update vendors
- Extract useful functions to check configuration with an additional ingress
- Update documentation for validating webhook
- Add validating webhook examples
- Add a metric for each syntax check success and errors
- Add more certificate generation examples
2019-04-18 19:07:04 +02:00

109 lines
3 KiB
Go
Raw Blame History

/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"fmt"
"testing"
"k8s.io/api/admission/v1beta1"
extensions "k8s.io/api/extensions/v1beta1"
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/json"
)
const testIngressName = "testIngressName"
type failTestChecker struct {
t *testing.T
}
func (ftc failTestChecker) CheckIngress(ing *extensions.Ingress) error {
ftc.t.Error("checker should not be called")
return nil
}
type testChecker struct {
t *testing.T
err error
}
func (tc testChecker) CheckIngress(ing *extensions.Ingress) error {
if ing.ObjectMeta.Name != testIngressName {
tc.t.Errorf("CheckIngress should be called with %v ingress, but got %v", testIngressName, ing.ObjectMeta.Name)
}
return tc.err
}
func TestHandleAdmission(t *testing.T) {
adm := &IngressAdmission{
Checker: failTestChecker{t: t},
}
review := &v1beta1.AdmissionReview{
Request: &v1beta1.AdmissionRequest{
Resource: v1.GroupVersionResource{Group: "", Version: "v1", Resource: "pod"},
},
}
err := adm.HandleAdmission(review)
if !review.Response.Allowed {
t.Errorf("with a non ingress resource, the check should pass")
}
if err != nil {
t.Errorf("with a non ingress resource, no error should be returned")
}
review.Request.Resource = v1.GroupVersionResource{Group: extensions.SchemeGroupVersion.Group, Version: extensions.SchemeGroupVersion.Version, Resource: "ingresses"}
review.Request.Object.Raw = []byte{0xff}
err = adm.HandleAdmission(review)
if review.Response.Allowed {
t.Errorf("when the request object is not decodable, the request should not be allowed")
}
if err == nil {
t.Errorf("when the request object is not decodable, an error should be returned")
}
raw, err := json.Marshal(extensions.Ingress{ObjectMeta: v1.ObjectMeta{Name: testIngressName}})
if err != nil {
t.Errorf("failed to prepare test ingress data: %v", err.Error())
}
review.Request.Object.Raw = raw
adm.Checker = testChecker{
t: t,
err: fmt.Errorf("this is a test error"),
}
err = adm.HandleAdmission(review)
if review.Response.Allowed {
t.Errorf("when the checker returns an error, the request should not be allowed")
}
if err == nil {
t.Errorf("when the checker returns an error, an error should be returned")
}
adm.Checker = testChecker{
t: t,
err: nil,
}
err = adm.HandleAdmission(review)
if !review.Response.Allowed {
t.Errorf("when the checker returns no error, the request should be allowed")
}
if err != nil {
t.Errorf("when the checker returns no error, no error should be returned")
}
}
Reference in a new issue View git blame Copy permalink