feat: auth-req caching

add a way to configure the `proxy_cache_*` [1] directive for external-auth.
The user-defined cache_key may contain sensitive information
(e.g. Authorization header).
We want to store *only* a hash of that key, not the key itself on disk.

[1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

internal/ingress/controller/template/configmap_test.go

@@ -25,6 +25,7 @@ import (
 	"github.com/kylelemons/godebug/pretty"
 	"github.com/mitchellh/hashstructure"
 
+	"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
 	"k8s.io/ingress-nginx/internal/ingress/controller/config"
 )
 
@@ -280,3 +281,25 @@ func TestGlobalExternalAuthSnippetParsing(t *testing.T) {
 		}
 	}
 }
+
+func TestGlobalExternalAuthCacheDurationParsing(t *testing.T) {
+	testCases := map[string]struct {
+		durations string
+		expect    []string
+	}{
+		"nothing":                         {"", []string{authreq.DefaultCacheDuration}},
+		"spaces":                          {"  ", []string{authreq.DefaultCacheDuration}},
+		"one duration":                    {"5m", []string{"5m"}},
+		"two durations and empty entries": {",200 5m,,401 30m,", []string{"200 5m", "401 30m"}},
+		"only status code provided":       {"200", []string{authreq.DefaultCacheDuration}},
+		"mixed valid/invalid":             {"5m, xaxax", []string{authreq.DefaultCacheDuration}},
+	}
+
+	for n, tc := range testCases {
+		cfg := ReadConfig(map[string]string{"global-auth-cache-duration": tc.durations})
+
+		if !reflect.DeepEqual(cfg.GlobalExternalAuth.AuthCacheDuration, tc.expect) {
+			t.Errorf("Testing %v. Expected \"%v\" but \"%v\" was returned", n, tc.expect, cfg.GlobalExternalAuth.AuthCacheDuration)
+		}
+	}
+}