90c79689c4
* Drop v1beta1 from ingress nginx (#7156) * Drop v1beta1 from ingress nginx Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix intorstr logic in controller Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * fixing admission Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * more intorstr fixing * correct template rendering Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix e2e tests for v1 api Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix gofmt errors * This is finally working...almost there... Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Re-add removed validation of AdmissionReview * Prepare for v1.0.0-alpha.1 release Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Update changelog and matrix table for v1.0.0-alpha.1 (#7274) Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * add docs for syslog feature (#7219) * Fix link to e2e-tests.md in developer-guide (#7201) * Use ENV expansion for namespace in args (#7146) Update the DaemonSet namespace references to use the `POD_NAMESPACE` environment variable in the same way that the Deployment does. * chart: using Helm builtin capabilities check (#7190) Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> * Update proper default value for HTTP2MaxConcurrentStreams in Docs (#6944) It should be 128 as documented in https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L780 * Fix MaxWorkerOpenFiles calculation on high cores nodes (#7107) * Fix MaxWorkerOpenFiles calculation on high cores nodes * Add e2e test for rlimit_nofile * Fix doc for max-worker-open-files * ingress/tcp: add additional error logging on failed (#7208) * Add file containing stable release (#7313) * Handle named (non-numeric) ports correctly (#7311) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Updated v1beta1 to v1 as its deprecated (#7308) * remove mercurial from build (#7031) * Retry to download maxmind DB if it fails (#7242) * Retry to download maxmind DB if it fails. Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Add retries count arg, move retry logic into DownloadGeoLite2DB function Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Reorder parameters in DownloadGeoLite2DB Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Remove hardcoded value Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Release v1.0.0-alpha.1 * Add changelog for v1.0.0-alpha.2 * controller: ignore non-service backends (#7332) * controller: ignore non-service backends Signed-off-by: Carlos Panato <ctadeu@gmail.com> * update per feedback Signed-off-by: Carlos Panato <ctadeu@gmail.com> * fix: allow scope/tcp/udp configmap namespace to altered (#7161) * Lower webhook timeout for digital ocean (#7319) * Lower webhook timeout for digital ocean * Set Digital Ocean value controller.admissionWebhooks.timeoutSeconds to 29 * update OWNERS and aliases files (#7365) (#7366) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Downgrade Lua modules for s390x (#7355) Downgrade Lua modules to last known working version. * Fix IngressClass logic for newer releases (#7341) * Fix IngressClass logic for newer releases Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Change e2e tests for the new IngressClass presence * Fix chart and admission tests Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix helm chart test Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix reviews * Remove ingressclass code from admission * update tag to v1.0.0-beta.1 * update readme and changelog for v1.0.0-beta.1 * Release v1.0.0-beta.1 - helm and manifests (#7422) * Change the order of annotation just to trigger a new helm release (#7425) * [cherry-pick] Add dev-v1 branch into helm releaser (#7428) * Add dev-v1 branch into helm releaser (#7424) * chore: add link for artifacthub.io/prerelease annotations Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> * k8s job ci pipeline for dev-v1 br v1.22.0 (#7453) * k8s job ci pipeline for dev-v1 br v1.22.0 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * k8s job ci pipeline for dev-v1 br v1.21.2 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * remove v1.21.1 version Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * Add controller.watchIngressWithoutClass config option (#7459) Signed-off-by: Akshit Grover <akshit.grover2016@gmail.com> * Release new helm chart with certgen fixed (#7478) * Update go version, modules and remove ioutil * Release new helm chart with certgen fixed * changed appversion, chartversion, TAG, image (#7490) * Fix CI conflict * Fix CI conflict * Fix build.sh from rebase process * Fix controller_test post rebase Co-authored-by: Tianhao Guo <rggth09@gmail.com> Co-authored-by: Ray <61553+rctay@users.noreply.github.com> Co-authored-by: Bill Cassidy <cassid4@gmail.com> Co-authored-by: Jintao Zhang <tao12345666333@163.com> Co-authored-by: Sathish Ramani <rsathishx87@gmail.com> Co-authored-by: Mansur Marvanov <nanorobocop@gmail.com> Co-authored-by: Matt1360 <568198+Matt1360@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: Kundan Kumar <kundan.kumar@india.nec.com> Co-authored-by: Tom Hayward <thayward@infoblox.com> Co-authored-by: Sergey Shakuto <sshakuto@infoblox.com> Co-authored-by: Tore <tore.lonoy@gmail.com> Co-authored-by: Bouke Versteegh <info@boukeversteegh.nl> Co-authored-by: Shahid <shahid@us.ibm.com> Co-authored-by: James Strong <strong.james.e@gmail.com> Co-authored-by: Long Wu Yuan <longwuyuan@gmail.com> Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Neha Lohia <nehapithadiya444@gmail.com> Co-authored-by: Akshit Grover <akshit.grover2016@gmail.com>
262 lines
8.6 KiB
Go
262 lines
8.6 KiB
Go
/*
|
|
Copyright 2018 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package settings
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/onsi/ginkgo"
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
networking "k8s.io/api/networking/v1"
|
|
"k8s.io/ingress-nginx/test/e2e/framework"
|
|
)
|
|
|
|
var _ = framework.DescribeSetting("[Security] global-auth-url", func() {
|
|
f := framework.NewDefaultFramework("global-external-auth")
|
|
|
|
host := "global-external-auth"
|
|
|
|
echoServiceName := framework.EchoService
|
|
|
|
globalExternalAuthURLSetting := "global-auth-url"
|
|
|
|
fooPath := "/foo"
|
|
barPath := "/bar"
|
|
|
|
noAuthSetting := "no-auth-locations"
|
|
noAuthLocations := barPath
|
|
|
|
enableGlobalExternalAuthAnnotation := "nginx.ingress.kubernetes.io/enable-global-auth"
|
|
|
|
ginkgo.BeforeEach(func() {
|
|
f.NewEchoDeployment()
|
|
f.NewHttpbinDeployment()
|
|
})
|
|
|
|
ginkgo.Context("when global external authentication is configured", func() {
|
|
|
|
ginkgo.BeforeEach(func() {
|
|
globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/401", framework.HTTPBinService, f.Namespace)
|
|
|
|
ginkgo.By("Adding an ingress rule for /foo")
|
|
fooIng := framework.NewSingleIngress("foo-ingress", fooPath, host, f.Namespace, echoServiceName, 80, nil)
|
|
f.EnsureIngress(fooIng)
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "location /foo")
|
|
})
|
|
|
|
ginkgo.By("Adding an ingress rule for /bar")
|
|
barIng := framework.NewSingleIngress("bar-ingress", barPath, host, f.Namespace, echoServiceName, 80, nil)
|
|
f.EnsureIngress(barIng)
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "location /bar")
|
|
})
|
|
|
|
ginkgo.By("Adding a global-auth-url to configMap")
|
|
f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, globalExternalAuthURL)
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, globalExternalAuthURL)
|
|
})
|
|
})
|
|
|
|
ginkgo.It("should return status code 401 when request any protected service", func() {
|
|
|
|
ginkgo.By("Sending a request to protected service /foo")
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusUnauthorized)
|
|
|
|
ginkgo.By("Sending a request to protected service /bar")
|
|
f.HTTPTestClient().
|
|
GET(barPath).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusUnauthorized)
|
|
})
|
|
|
|
ginkgo.It("should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service", func() {
|
|
|
|
ginkgo.By("Adding a no-auth-locations for /bar to configMap")
|
|
f.UpdateNginxConfigMapData(noAuthSetting, noAuthLocations)
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, noAuthLocations)
|
|
})
|
|
|
|
ginkgo.By("Sending a request to protected service /foo")
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusUnauthorized)
|
|
|
|
ginkgo.By("Sending a request to whitelisted service /bar")
|
|
f.HTTPTestClient().
|
|
GET(barPath).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service", func() {
|
|
|
|
ginkgo.By("Adding an ingress rule for /bar with annotation enable-global-auth = false")
|
|
err := framework.UpdateIngress(f.KubeClientSet, f.Namespace, "bar-ingress", func(ingress *networking.Ingress) error {
|
|
ingress.ObjectMeta.Annotations[enableGlobalExternalAuthAnnotation] = "false"
|
|
return nil
|
|
})
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "location /bar")
|
|
})
|
|
|
|
ginkgo.By("Sending a request to protected service /foo")
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusUnauthorized)
|
|
|
|
ginkgo.By("Sending a request to whitelisted service /bar")
|
|
f.HTTPTestClient().
|
|
GET(barPath).
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should still return status code 200 after auth backend is deleted using cache ", func() {
|
|
|
|
globalExternalAuthCacheKeySetting := "global-auth-cache-key"
|
|
globalExternalAuthCacheKey := "foo"
|
|
globalExternalAuthCacheDurationSetting := "global-auth-cache-duration"
|
|
globalExternalAuthCacheDuration := "200 201 401 30m"
|
|
globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/200", framework.HTTPBinService, f.Namespace)
|
|
|
|
ginkgo.By("Adding a global-auth-cache-key to configMap")
|
|
f.SetNginxConfigMapData(map[string]string{
|
|
globalExternalAuthCacheKeySetting: globalExternalAuthCacheKey,
|
|
globalExternalAuthCacheDurationSetting: globalExternalAuthCacheDuration,
|
|
globalExternalAuthURLSetting: globalExternalAuthURL,
|
|
})
|
|
|
|
cacheRegex := regexp.MustCompile(`\$cache_key.*foo`)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return cacheRegex.MatchString(server) &&
|
|
strings.Contains(server, `proxy_cache_valid 200 201 401 30m;`)
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET(barPath).
|
|
WithHeader("Host", host).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
|
|
err := f.DeleteDeployment(framework.HTTPBinService)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
framework.Sleep()
|
|
|
|
f.HTTPTestClient().
|
|
GET(barPath).
|
|
WithHeader("Host", host).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It(`should proxy_method method when global-auth-method is configured`, func() {
|
|
|
|
globalExternalAuthMethodSetting := "global-auth-method"
|
|
globalExternalAuthMethod := "GET"
|
|
|
|
ginkgo.By("Adding a global-auth-method to configMap")
|
|
f.UpdateNginxConfigMapData(globalExternalAuthMethodSetting, globalExternalAuthMethod)
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "proxy_method")
|
|
})
|
|
})
|
|
|
|
ginkgo.It(`should add custom error page when global-auth-signin url is configured`, func() {
|
|
|
|
globalExternalAuthSigninSetting := "global-auth-signin"
|
|
globalExternalAuthSignin := "http://foo.com/global-error-page"
|
|
|
|
ginkgo.By("Adding a global-auth-signin to configMap")
|
|
f.UpdateNginxConfigMapData(globalExternalAuthSigninSetting, globalExternalAuthSignin)
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "error_page 401 = ")
|
|
})
|
|
})
|
|
|
|
ginkgo.It(`should add auth headers when global-auth-response-headers is configured`, func() {
|
|
|
|
globalExternalAuthResponseHeadersSetting := "global-auth-response-headers"
|
|
globalExternalAuthResponseHeaders := "Foo, Bar"
|
|
|
|
ginkgo.By("Adding a global-auth-response-headers to configMap")
|
|
f.UpdateNginxConfigMapData(globalExternalAuthResponseHeadersSetting, globalExternalAuthResponseHeaders)
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "auth_request_set $authHeader0 $upstream_http_foo;") &&
|
|
strings.Contains(server, "auth_request_set $authHeader1 $upstream_http_bar;")
|
|
})
|
|
})
|
|
|
|
ginkgo.It(`should set request-redirect when global-auth-request-redirect is configured`, func() {
|
|
|
|
globalExternalAuthRequestRedirectSetting := "global-auth-request-redirect"
|
|
globalExternalAuthRequestRedirect := "Foo-Redirect"
|
|
|
|
ginkgo.By("Adding a global-auth-request-redirect to configMap")
|
|
f.UpdateNginxConfigMapData(globalExternalAuthRequestRedirectSetting, globalExternalAuthRequestRedirect)
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, globalExternalAuthRequestRedirect)
|
|
})
|
|
})
|
|
|
|
ginkgo.It(`should set snippet when global external auth is configured`, func() {
|
|
globalExternalAuthSnippetSetting := "global-auth-snippet"
|
|
globalExternalAuthSnippet := "proxy_set_header My-Custom-Header 42;"
|
|
|
|
ginkgo.By("Adding a global-auth-snippet to configMap")
|
|
f.UpdateNginxConfigMapData(globalExternalAuthSnippetSetting, globalExternalAuthSnippet)
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, globalExternalAuthSnippet)
|
|
})
|
|
})
|
|
|
|
})
|
|
|
|
})
|