90c79689c4
* Drop v1beta1 from ingress nginx (#7156) * Drop v1beta1 from ingress nginx Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix intorstr logic in controller Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * fixing admission Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * more intorstr fixing * correct template rendering Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix e2e tests for v1 api Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix gofmt errors * This is finally working...almost there... Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Re-add removed validation of AdmissionReview * Prepare for v1.0.0-alpha.1 release Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Update changelog and matrix table for v1.0.0-alpha.1 (#7274) Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * add docs for syslog feature (#7219) * Fix link to e2e-tests.md in developer-guide (#7201) * Use ENV expansion for namespace in args (#7146) Update the DaemonSet namespace references to use the `POD_NAMESPACE` environment variable in the same way that the Deployment does. * chart: using Helm builtin capabilities check (#7190) Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> * Update proper default value for HTTP2MaxConcurrentStreams in Docs (#6944) It should be 128 as documented in https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L780 * Fix MaxWorkerOpenFiles calculation on high cores nodes (#7107) * Fix MaxWorkerOpenFiles calculation on high cores nodes * Add e2e test for rlimit_nofile * Fix doc for max-worker-open-files * ingress/tcp: add additional error logging on failed (#7208) * Add file containing stable release (#7313) * Handle named (non-numeric) ports correctly (#7311) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Updated v1beta1 to v1 as its deprecated (#7308) * remove mercurial from build (#7031) * Retry to download maxmind DB if it fails (#7242) * Retry to download maxmind DB if it fails. Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Add retries count arg, move retry logic into DownloadGeoLite2DB function Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Reorder parameters in DownloadGeoLite2DB Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Remove hardcoded value Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Release v1.0.0-alpha.1 * Add changelog for v1.0.0-alpha.2 * controller: ignore non-service backends (#7332) * controller: ignore non-service backends Signed-off-by: Carlos Panato <ctadeu@gmail.com> * update per feedback Signed-off-by: Carlos Panato <ctadeu@gmail.com> * fix: allow scope/tcp/udp configmap namespace to altered (#7161) * Lower webhook timeout for digital ocean (#7319) * Lower webhook timeout for digital ocean * Set Digital Ocean value controller.admissionWebhooks.timeoutSeconds to 29 * update OWNERS and aliases files (#7365) (#7366) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Downgrade Lua modules for s390x (#7355) Downgrade Lua modules to last known working version. * Fix IngressClass logic for newer releases (#7341) * Fix IngressClass logic for newer releases Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Change e2e tests for the new IngressClass presence * Fix chart and admission tests Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix helm chart test Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix reviews * Remove ingressclass code from admission * update tag to v1.0.0-beta.1 * update readme and changelog for v1.0.0-beta.1 * Release v1.0.0-beta.1 - helm and manifests (#7422) * Change the order of annotation just to trigger a new helm release (#7425) * [cherry-pick] Add dev-v1 branch into helm releaser (#7428) * Add dev-v1 branch into helm releaser (#7424) * chore: add link for artifacthub.io/prerelease annotations Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> * k8s job ci pipeline for dev-v1 br v1.22.0 (#7453) * k8s job ci pipeline for dev-v1 br v1.22.0 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * k8s job ci pipeline for dev-v1 br v1.21.2 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * remove v1.21.1 version Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * Add controller.watchIngressWithoutClass config option (#7459) Signed-off-by: Akshit Grover <akshit.grover2016@gmail.com> * Release new helm chart with certgen fixed (#7478) * Update go version, modules and remove ioutil * Release new helm chart with certgen fixed * changed appversion, chartversion, TAG, image (#7490) * Fix CI conflict * Fix CI conflict * Fix build.sh from rebase process * Fix controller_test post rebase Co-authored-by: Tianhao Guo <rggth09@gmail.com> Co-authored-by: Ray <61553+rctay@users.noreply.github.com> Co-authored-by: Bill Cassidy <cassid4@gmail.com> Co-authored-by: Jintao Zhang <tao12345666333@163.com> Co-authored-by: Sathish Ramani <rsathishx87@gmail.com> Co-authored-by: Mansur Marvanov <nanorobocop@gmail.com> Co-authored-by: Matt1360 <568198+Matt1360@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: Kundan Kumar <kundan.kumar@india.nec.com> Co-authored-by: Tom Hayward <thayward@infoblox.com> Co-authored-by: Sergey Shakuto <sshakuto@infoblox.com> Co-authored-by: Tore <tore.lonoy@gmail.com> Co-authored-by: Bouke Versteegh <info@boukeversteegh.nl> Co-authored-by: Shahid <shahid@us.ibm.com> Co-authored-by: James Strong <strong.james.e@gmail.com> Co-authored-by: Long Wu Yuan <longwuyuan@gmail.com> Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Neha Lohia <nehapithadiya444@gmail.com> Co-authored-by: Akshit Grover <akshit.grover2016@gmail.com>
736 lines
22 KiB
Go
736 lines
22 KiB
Go
/*
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package annotations
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"os/exec"
|
|
"regexp"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/onsi/ginkgo"
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
corev1 "k8s.io/api/core/v1"
|
|
networking "k8s.io/api/networking/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
|
|
"k8s.io/ingress-nginx/test/e2e/framework"
|
|
)
|
|
|
|
var _ = framework.DescribeAnnotation("auth-*", func() {
|
|
f := framework.NewDefaultFramework("auth")
|
|
|
|
ginkgo.BeforeEach(func() {
|
|
f.NewEchoDeployment()
|
|
})
|
|
|
|
ginkgo.It("should return status code 200 when no authentication is configured", func() {
|
|
host := "auth"
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusOK).
|
|
Body().Contains(fmt.Sprintf("host=%v", host))
|
|
})
|
|
|
|
ginkgo.It("should return status code 503 when authentication is configured with an invalid secret", func() {
|
|
host := "auth"
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-type": "basic",
|
|
"nginx.ingress.kubernetes.io/auth-secret": "something",
|
|
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusServiceUnavailable).
|
|
Body().Contains("503 Service Temporarily Unavailable")
|
|
})
|
|
|
|
ginkgo.It("should return status code 401 when authentication is configured but Authorization header is not configured", func() {
|
|
host := "auth"
|
|
|
|
s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace))
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-type": "basic",
|
|
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
|
|
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
Expect().
|
|
Status(http.StatusUnauthorized).
|
|
Body().Contains("401 Authorization Required")
|
|
})
|
|
|
|
ginkgo.It("should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials", func() {
|
|
host := "auth"
|
|
|
|
s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace))
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-type": "basic",
|
|
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
|
|
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithBasicAuth("user", "pass").
|
|
Expect().
|
|
Status(http.StatusUnauthorized).
|
|
Body().Contains("401 Authorization Required")
|
|
})
|
|
|
|
ginkgo.It("should return status code 200 when authentication is configured and Authorization header is sent", func() {
|
|
host := "auth"
|
|
|
|
s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace))
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-type": "basic",
|
|
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
|
|
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithBasicAuth("foo", "bar").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should return status code 200 when authentication is configured with a map and Authorization header is sent", func() {
|
|
host := "auth"
|
|
|
|
s := f.EnsureSecret(buildMapSecret("foo", "bar", "test", f.Namespace))
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-type": "basic",
|
|
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
|
|
"nginx.ingress.kubernetes.io/auth-secret-type": "auth-map",
|
|
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithBasicAuth("foo", "bar").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should return status code 401 when authentication is configured with invalid content and Authorization header is sent", func() {
|
|
host := "auth"
|
|
|
|
s := f.EnsureSecret(
|
|
&corev1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: "test",
|
|
Namespace: f.Namespace,
|
|
},
|
|
Data: map[string][]byte{
|
|
// invalid content
|
|
"auth": []byte("foo:"),
|
|
},
|
|
Type: corev1.SecretTypeOpaque,
|
|
},
|
|
)
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-type": "basic",
|
|
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
|
|
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithBasicAuth("foo", "bar").
|
|
Expect().
|
|
Status(http.StatusUnauthorized)
|
|
})
|
|
|
|
ginkgo.It(`should set snippet "proxy_set_header My-Custom-Header 42;" when external auth is configured`, func() {
|
|
host := "auth"
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password",
|
|
"nginx.ingress.kubernetes.io/auth-snippet": `
|
|
proxy_set_header My-Custom-Header 42;`,
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, `proxy_set_header My-Custom-Header 42;`)
|
|
})
|
|
})
|
|
|
|
ginkgo.It(`should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured`, func() {
|
|
host := "auth"
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-snippet": `
|
|
proxy_set_header My-Custom-Header 42;`,
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return !strings.Contains(server, `proxy_set_header My-Custom-Header 42;`)
|
|
})
|
|
})
|
|
|
|
ginkgo.It(`should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set`, func() {
|
|
host := "auth"
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password",
|
|
"nginx.ingress.kubernetes.io/auth-proxy-set-headers": f.Namespace + "/auth-headers",
|
|
}
|
|
|
|
f.CreateConfigMap("auth-headers", map[string]string{
|
|
"My-Custom-Header": "42",
|
|
})
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return strings.Contains(server, `proxy_set_header 'My-Custom-Header' '42';`)
|
|
})
|
|
})
|
|
|
|
ginkgo.It(`should set cache_key when external auth cache is configured`, func() {
|
|
host := "auth"
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password",
|
|
"nginx.ingress.kubernetes.io/auth-cache-key": "foo",
|
|
"nginx.ingress.kubernetes.io/auth-cache-duration": "200 202 401 30m",
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
cacheRegex := regexp.MustCompile(`\$cache_key.*foo`)
|
|
|
|
f.WaitForNginxServer(host,
|
|
func(server string) bool {
|
|
return cacheRegex.MatchString(server) &&
|
|
strings.Contains(server, `proxy_cache_valid 200 202 401 30m;`)
|
|
|
|
})
|
|
})
|
|
|
|
ginkgo.It("retains cookie set by external authentication server", func() {
|
|
host := "auth-check-cookies"
|
|
|
|
cfg := `#
|
|
events {
|
|
worker_connections 1024;
|
|
multi_accept on;
|
|
}
|
|
|
|
http {
|
|
default_type 'text/plain';
|
|
client_max_body_size 0;
|
|
|
|
server {
|
|
access_log on;
|
|
access_log /dev/stdout;
|
|
|
|
listen 80;
|
|
|
|
location ~ ^/cookies/set/(?<key>.*)/(?<value>.*) {
|
|
content_by_lua_block {
|
|
ngx.header['Set-Cookie'] = {ngx.var.key.."="..ngx.var.value}
|
|
ngx.say("OK")
|
|
}
|
|
}
|
|
|
|
location / {
|
|
return 200;
|
|
}
|
|
}
|
|
}
|
|
`
|
|
|
|
f.NGINXWithConfigDeployment(framework.HTTPBinService, cfg)
|
|
|
|
e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint")
|
|
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint")
|
|
|
|
httpbinIP := e.Subsets[0].Addresses[0].IP
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbinIP),
|
|
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
|
|
}
|
|
|
|
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host, func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithQuery("a", "b").
|
|
WithQuery("c", "d").
|
|
Expect().
|
|
Status(http.StatusOK).
|
|
Header("Set-Cookie").Contains("alma=armud")
|
|
})
|
|
|
|
ginkgo.Context("when external authentication is configured", func() {
|
|
host := "auth"
|
|
var annotations map[string]string
|
|
var ing *networking.Ingress
|
|
|
|
ginkgo.BeforeEach(func() {
|
|
f.NewHttpbinDeployment()
|
|
|
|
err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint")
|
|
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint")
|
|
|
|
httpbinIP := e.Subsets[0].Addresses[0].IP
|
|
|
|
annotations = map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
|
|
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
|
|
}
|
|
|
|
ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host, func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
})
|
|
|
|
ginkgo.It("should return status code 200 when signed in", func() {
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should redirect to signin url when not signed in", func() {
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithQuery("a", "b").
|
|
WithQuery("c", "d").
|
|
Expect().
|
|
Status(http.StatusFound).
|
|
Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", host, host, url.QueryEscape("/?a=b&c=d")))
|
|
})
|
|
|
|
ginkgo.It("keeps processing new ingresses even if one of the existing ingresses is misconfigured", func() {
|
|
annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
|
|
annotations["nginx.ingress.kubernetes.io/auth-secret"] = "something"
|
|
annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
|
|
f.UpdateIngress(ing)
|
|
|
|
anotherHost := "different"
|
|
anotherAnnotations := map[string]string{}
|
|
|
|
anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations)
|
|
f.EnsureIngress(anotherIng)
|
|
|
|
f.WaitForNginxServer(anotherHost,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "server_name "+anotherHost)
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", anotherHost).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should overwrite Foo header with auth response", func() {
|
|
var (
|
|
rewriteHeader = "Foo"
|
|
rewriteVal = "bar"
|
|
)
|
|
annotations["nginx.ingress.kubernetes.io/auth-response-headers"] = rewriteHeader
|
|
f.UpdateIngress(ing)
|
|
|
|
f.WaitForNginxServer(host, func(server string) bool {
|
|
return strings.Contains(server, fmt.Sprintf("proxy_set_header '%s' $authHeader0;", rewriteHeader))
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithHeader(rewriteHeader, rewriteVal).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK).
|
|
Body().
|
|
NotContainsFold(fmt.Sprintf("%s=%s", rewriteHeader, rewriteVal))
|
|
})
|
|
})
|
|
|
|
ginkgo.Context("when external authentication is configured with a custom redirect param", func() {
|
|
host := "auth"
|
|
var annotations map[string]string
|
|
var ing *networking.Ingress
|
|
|
|
ginkgo.BeforeEach(func() {
|
|
f.NewHttpbinDeployment()
|
|
|
|
var httpbinIP string
|
|
|
|
err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
httpbinIP = e.Subsets[0].Addresses[0].IP
|
|
|
|
annotations = map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
|
|
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
|
|
"nginx.ingress.kubernetes.io/auth-signin-redirect-param": "orig",
|
|
}
|
|
|
|
ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(ing)
|
|
|
|
f.WaitForNginxServer(host, func(server string) bool {
|
|
return strings.Contains(server, "server_name auth")
|
|
})
|
|
})
|
|
|
|
ginkgo.It("should return status code 200 when signed in", func() {
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should redirect to signin url when not signed in", func() {
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", host).
|
|
WithQuery("a", "b").
|
|
WithQuery("c", "d").
|
|
Expect().
|
|
Status(http.StatusFound).
|
|
Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?orig=http://%s%s", host, host, url.QueryEscape("/?a=b&c=d")))
|
|
})
|
|
|
|
ginkgo.It("keeps processing new ingresses even if one of the existing ingresses is misconfigured", func() {
|
|
annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
|
|
annotations["nginx.ingress.kubernetes.io/auth-secret"] = "something"
|
|
annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
|
|
f.UpdateIngress(ing)
|
|
|
|
anotherHost := "different"
|
|
anotherAnnotations := map[string]string{}
|
|
|
|
anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations)
|
|
f.EnsureIngress(anotherIng)
|
|
|
|
f.WaitForNginxServer(anotherHost,
|
|
func(server string) bool {
|
|
return strings.Contains(server, "server_name "+anotherHost)
|
|
})
|
|
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", anotherHost).
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
})
|
|
|
|
ginkgo.Context("when external authentication with caching is configured", func() {
|
|
thisHost := "auth"
|
|
thatHost := "different"
|
|
|
|
fooPath := "/foo"
|
|
barPath := "/bar"
|
|
|
|
ginkgo.BeforeEach(func() {
|
|
f.NewHttpbinDeployment()
|
|
|
|
err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
framework.Sleep(1 * time.Second)
|
|
|
|
e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint")
|
|
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint")
|
|
|
|
httpbinIP := e.Subsets[0].Addresses[0].IP
|
|
|
|
annotations := map[string]string{
|
|
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
|
|
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
|
|
"nginx.ingress.kubernetes.io/auth-cache-key": "fixed",
|
|
"nginx.ingress.kubernetes.io/auth-cache-duration": "200 201 401 30m",
|
|
}
|
|
|
|
for _, host := range []string{thisHost, thatHost} {
|
|
ginkgo.By("Adding an ingress rule for /foo")
|
|
fooIng := framework.NewSingleIngress(fmt.Sprintf("foo-%s-ing", host), fooPath, host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(fooIng)
|
|
f.WaitForNginxServer(host, func(server string) bool {
|
|
return strings.Contains(server, "location /foo")
|
|
})
|
|
|
|
ginkgo.By("Adding an ingress rule for /bar")
|
|
barIng := framework.NewSingleIngress(fmt.Sprintf("bar-%s-ing", host), barPath, host, f.Namespace, framework.EchoService, 80, annotations)
|
|
f.EnsureIngress(barIng)
|
|
f.WaitForNginxServer(host, func(server string) bool {
|
|
return strings.Contains(server, "location /bar")
|
|
})
|
|
}
|
|
|
|
framework.Sleep()
|
|
})
|
|
|
|
ginkgo.It("should return status code 200 when signed in after auth backend is deleted ", func() {
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", thisHost).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
|
|
err := f.DeleteDeployment(framework.HTTPBinService)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
framework.Sleep()
|
|
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", thisHost).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
})
|
|
|
|
ginkgo.It("should deny login for different location on same server", func() {
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", thisHost).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
|
|
err := f.DeleteDeployment(framework.HTTPBinService)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
framework.Sleep()
|
|
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", thisHost).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
|
|
ginkgo.By("receiving an internal server error without cache on location /bar")
|
|
f.HTTPTestClient().
|
|
GET(barPath).
|
|
WithHeader("Host", thisHost).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusInternalServerError)
|
|
})
|
|
|
|
ginkgo.It("should deny login for different servers", func() {
|
|
ginkgo.By("logging into server thisHost /foo")
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", thisHost).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
|
|
err := f.DeleteDeployment(framework.HTTPBinService)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
framework.Sleep()
|
|
|
|
ginkgo.By("receiving an internal server error without cache on thisHost location /bar")
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", thisHost).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusOK)
|
|
|
|
f.HTTPTestClient().
|
|
GET(fooPath).
|
|
WithHeader("Host", thatHost).
|
|
WithBasicAuth("user", "password").
|
|
Expect().
|
|
Status(http.StatusInternalServerError)
|
|
})
|
|
|
|
ginkgo.It("should redirect to signin url when not signed in", func() {
|
|
f.HTTPTestClient().
|
|
GET("/").
|
|
WithHeader("Host", thisHost).
|
|
WithQuery("a", "b").
|
|
WithQuery("c", "d").
|
|
Expect().
|
|
Status(http.StatusFound).
|
|
Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", thisHost, thisHost, url.QueryEscape("/?a=b&c=d")))
|
|
})
|
|
})
|
|
})
|
|
|
|
// TODO: test Digest Auth
|
|
// 401
|
|
// Realm name
|
|
// Auth ok
|
|
// Auth error
|
|
|
|
func buildSecret(username, password, name, namespace string) *corev1.Secret {
|
|
out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput()
|
|
encpass := fmt.Sprintf("%v:%s\n", username, out)
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
return &corev1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: name,
|
|
Namespace: namespace,
|
|
DeletionGracePeriodSeconds: framework.NewInt64(1),
|
|
},
|
|
Data: map[string][]byte{
|
|
"auth": []byte(encpass),
|
|
},
|
|
Type: corev1.SecretTypeOpaque,
|
|
}
|
|
}
|
|
|
|
func buildMapSecret(username, password, name, namespace string) *corev1.Secret {
|
|
out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput()
|
|
assert.Nil(ginkgo.GinkgoT(), err)
|
|
|
|
return &corev1.Secret{
|
|
ObjectMeta: metav1.ObjectMeta{
|
|
Name: name,
|
|
Namespace: namespace,
|
|
DeletionGracePeriodSeconds: framework.NewInt64(1),
|
|
},
|
|
Data: map[string][]byte{
|
|
username: []byte(out),
|
|
},
|
|
Type: corev1.SecretTypeOpaque,
|
|
}
|
|
}
|