DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/internal/admission/controller/server_test.go
Thibault Jamet 1cd17cd12c
Implement a validation webhook 
In case some ingress have a syntax error in the snippet configuration,
the freshly generated configuration will not be reloaded to prevent tearing down existing rules.
Although, once inserted, this configuration is preventing from any other valid configuration to be inserted as it remains in the ingresses of the cluster.
To solve this problem, implement an optional validation webhook that simulates the addition of the ingress to be added together with the rest of ingresses.
In case the generated configuration is not validated by nginx, deny the insertion of the ingress.

In case certificates are mounted using kubernetes secrets, when those
changes, keys are automatically updated in the container volume, and the
controller reloads it using the filewatcher.

Related changes:

- Update vendors
- Extract useful functions to check configuration with an additional ingress
- Update documentation for validating webhook
- Add validating webhook examples
- Add a metric for each syntax check success and errors
- Add more certificate generation examples
2019-04-18 19:07:04 +02:00

97 lines
2.8 KiB
Go
Raw Blame History

/*
Copyright 2019 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"bytes"
"fmt"
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/google/uuid"
"k8s.io/api/admission/v1beta1"
"k8s.io/apimachinery/pkg/types"
)
type testAdmissionHandler struct{}
func (testAdmissionHandler) HandleAdmission(ar *v1beta1.AdmissionReview) error {
ar.Response = &v1beta1.AdmissionResponse{
UID: types.UID(uuid.New().String()),
Allowed: true,
}
return nil
}
type errorReader struct{}
func (errorReader) Read(p []byte) (n int, err error) {
return 0, fmt.Errorf("this is a test error")
}
type errorWriter struct{}
func (errorWriter) Write(p []byte) (n int, err error) {
return 0, fmt.Errorf("this is a test error")
}
func (errorWriter) Header() http.Header {
return nil
}
func (errorWriter) WriteHeader(statusCode int) {}
func TestServer(t *testing.T) {
w := httptest.NewRecorder()
b := bytes.NewBuffer(nil)
writeAdmissionReview(b, &v1beta1.AdmissionReview{})
// Happy path
r := httptest.NewRequest("GET", "http://test.ns.svc", b)
NewAdmissionControllerServer(testAdmissionHandler{}).ServeHTTP(w, r)
ar, err := parseAdmissionReview(codecs.UniversalDeserializer(), w.Body)
if w.Code != http.StatusOK {
t.Errorf("when the admission review allows the request, the http status should be OK")
}
if err != nil {
t.Errorf("failed to parse admission response when the admission controller returns a value")
}
if !ar.Response.Allowed {
t.Errorf("when the admission review allows the request, the parsed body returns not allowed")
}
// Ensure the code does not panic when failing to handle the request
NewAdmissionControllerServer(testAdmissionHandler{}).ServeHTTP(errorWriter{}, r)
w = httptest.NewRecorder()
NewAdmissionControllerServer(testAdmissionHandler{}).ServeHTTP(w, httptest.NewRequest("GET", "http://test.ns.svc", strings.NewReader("invalid-json")))
if w.Code != http.StatusBadRequest {
t.Errorf("when the server fails to read the request, the replied status should be bad request")
}
}
func TestParseAdmissionReview(t *testing.T) {
ar, err := parseAdmissionReview(codecs.UniversalDeserializer(), errorReader{})
if ar != nil {
t.Errorf("when reading from request fails, no AdmissionRewiew should be returned")
}
if err == nil {
t.Errorf("when reading from request fails, an error should be returned")
}
}
Reference in a new issue View git blame Copy permalink