Config/Annotations: Add relative-redirects. (#12161)

2024-11-13 22:02:48 +01:00 · 2024-11-13 22:02:48 +01:00 · 698960e9b7
commit 698960e9b7
parent 0207d1878a
8 changed files with 182 additions and 0 deletions
--- a/internal/ingress/annotations/redirect/redirect.go
+++ b/internal/ingress/annotations/redirect/redirect.go
@ -38,6 +38,7 @@ type Config struct {
 	URL       string `json:"url"`
 	Code      int    `json:"code"`
 	FromToWWW bool   `json:"fromToWWW"`
+	Relative  bool   `json:"relative"`
 }

 const (
@ -46,6 +47,7 @@ const (
 	temporalRedirectAnnotationCode  = "temporal-redirect-code"
 	permanentRedirectAnnotation     = "permanent-redirect"
 	permanentRedirectAnnotationCode = "permanent-redirect-code"
+	relativeRedirectsAnnotation     = "relative-redirects"
 )

 var redirectAnnotations = parser.Annotation{
@ -83,6 +85,12 @@ var redirectAnnotations = parser.Annotation{
 			Risk:          parser.AnnotationRiskLow, // Low, as it allows just a set of options
 			Documentation: `This annotation allows you to modify the status code used for permanent redirects.`,
 		},
+		relativeRedirectsAnnotation: {
+			Validator:     parser.ValidateBool,
+			Scope:         parser.AnnotationScopeLocation,
+			Risk:          parser.AnnotationRiskLow,
+			Documentation: `If enabled, redirects issued by nginx will be relative. See https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect`,
+		},
 	},
 }

@ -109,6 +117,11 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) {
 		return nil, err
 	}

+	rr, err := parser.GetBoolAnnotation(relativeRedirectsAnnotation, ing, r.annotationConfig.Annotations)
+	if err != nil && !errors.IsMissingAnnotations(err) {
+		return nil, err
+	}
+
 	tr, err := parser.GetStringAnnotation(temporalRedirectAnnotation, ing, r.annotationConfig.Annotations)
 	if err != nil && !errors.IsMissingAnnotations(err) {
 		return nil, err
@ -132,6 +145,7 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) {
 			URL:       tr,
 			Code:      trc,
 			FromToWWW: r3w,
+			Relative:  rr,
 		}, nil
 	}

@ -154,6 +168,13 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) {
 			URL:       pr,
 			Code:      prc,
 			FromToWWW: r3w,
+			Relative:  rr,
+		}, nil
+	}
+
+	if rr {
+		return &Config{
+			Relative: rr,
 		}, nil
 	}

@ -177,6 +198,9 @@ func (r1 *Config) Equal(r2 *Config) bool {
 	if r1.FromToWWW != r2.FromToWWW {
 		return false
 	}
+	if r1.Relative != r2.Relative {
+		return false
+	}
 	return true
 }

--- a/internal/ingress/annotations/redirect/redirect_test.go
+++ b/internal/ingress/annotations/redirect/redirect_test.go
@ -193,3 +193,22 @@ func TestIsValidURL(t *testing.T) {
 		t.Errorf("expected nil but got %v", err)
 	}
 }
+
+func TestParseAnnotations(t *testing.T) {
+	ing := new(networking.Ingress)
+
+	data := map[string]string{}
+	data[parser.GetAnnotationWithPrefix(relativeRedirectsAnnotation)] = "true"
+	ing.SetAnnotations(data)
+
+	_, err := NewParser(&resolver.Mock{}).Parse(ing)
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	// test ingress using the annotation without a TLS section
+	_, err = NewParser(&resolver.Mock{}).Parse(ing)
+	if err != nil {
+		t.Errorf("unexpected error parsing ingress with relative-redirects")
+	}
+}
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@ -549,6 +549,10 @@ type Configuration struct {
 	// https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors
 	DisableProxyInterceptErrors bool `json:"disable-proxy-intercept-errors,omitempty"`

+	// Disable absolute redirects and enables relative redirects.
+	// https://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect
+	RelativeRedirects bool `json:"relative-redirects"`
+
 	// Sets the ipv4 addresses on which the server will accept requests.
 	BindAddressIpv4 []string `json:"bind-address-ipv4,omitempty"`

@ -834,6 +838,7 @@ func NewDefault() Configuration {
 		VariablesHashMaxSize:             2048,
 		UseHTTP2:                         true,
 		DisableProxyInterceptErrors:      false,
+		RelativeRedirects:                false,
 		ProxyStreamTimeout:               "600s",
 		ProxyStreamNextUpstream:          true,
 		ProxyStreamNextUpstreamTimeout:   "600s",
@ -857,6 +862,7 @@ func NewDefault() Configuration {
 			SSLRedirect:                 true,
 			CustomHTTPErrors:            []int{},
 			DisableProxyInterceptErrors: false,
+			RelativeRedirects:           false,
 			DenylistSourceRange:         []string{},
 			WhitelistSourceRange:        []string{},
 			SkipAccessLogURLs:           []string{},
--- a/internal/ingress/defaults/main.go
+++ b/internal/ingress/defaults/main.go
@ -125,6 +125,11 @@ type Backend struct {
 	// Default: false
 	UsePortInRedirects bool `json:"use-port-in-redirects"`

+	// Enables or disables relative redirects. By default nginx uses absolute redirects.
+	// http://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect
+	// Default: false
+	RelativeRedirects bool `json:"relative-redirects"`
+
 	// Enable stickiness by client-server mapping based on a NGINX variable, text or a combination of both.
 	// A consistent hashing method will be used which ensures only a few keys would be remapped to different
 	// servers on upstream group changes