Merge remote-tracking branch 'upstream/master' into nginx/extauth_headers

# Conflicts: # core/pkg/ingress/annotations/authreq/main.go
2017-03-13 15:04:37 -04:00 · 2017-03-13 15:04:37 -04:00 · 7034e1de69
commit 7034e1de69
parent d5ede33f88 0cb8f59f70
82 changed files with 3053 additions and 724 deletions
--- a/core/pkg/ingress/annotations/authreq/main.go
+++ b/core/pkg/ingress/annotations/authreq/main.go
@ -29,17 +29,19 @@ import (

 const (
 	// external URL that provides the authentication
-	authURL     = "ingress.kubernetes.io/auth-url"
-	authMethod  = "ingress.kubernetes.io/auth-method"
-	authBody    = "ingress.kubernetes.io/auth-send-body"
+	authURL       = "ingress.kubernetes.io/auth-url"
+	authSigninURL = "ingress.kubernetes.io/auth-signin"
+	authMethod    = "ingress.kubernetes.io/auth-method"
+	authBody      = "ingress.kubernetes.io/auth-send-body"
 	authHeaders = "ingress.kubernetes.io/auth-response-headers"
 )

 // External returns external authentication configuration for an Ingress rule
 type External struct {
-	URL             string `json:"url"`
-	Method          string `json:"method"`
-	SendBody        bool   `json:"sendBody"`
+	URL       string `json:"url"`
+	SigninURL string `json:"signinUrl"`
+	Method    string `json:"method"`
+	SendBody  bool   `json:"sendBody"`
 	ResponseHeaders []string `json:"responseHeaders"`
 }

@ -85,6 +87,8 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
 		return nil, ing_errors.NewLocationDenied("an empty string is not a valid URL")
 	}

+	signin, _ := parser.GetStringAnnotation(authSigninURL, ing)
+
 	ur, err := url.Parse(str)
 	if err != nil {
 		return nil, err
@ -100,11 +104,7 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
 		return nil, ing_errors.NewLocationDenied("invalid url host")
 	}

-	m, err := parser.GetStringAnnotation(authMethod, ing)
-	if err != nil {
-		return nil, err
-	}
-
+	m, _ := parser.GetStringAnnotation(authMethod, ing)
 	if len(m) != 0 && !validMethod(m) {
 		return nil, ing_errors.NewLocationDenied("invalid HTTP method")
 	}
@ -128,9 +128,10 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
 	sb, _ := parser.GetBoolAnnotation(authBody, ing)

 	return &External{
-		URL:      str,
-		Method:   m,
-		SendBody: sb,
+		URL:       str,
+		SigninURL: signin,
+		Method:    m,
+		SendBody:  sb,
 		ResponseHeaders: h,
 	}, nil
 }
--- a/core/pkg/ingress/annotations/authreq/main_test.go
+++ b/core/pkg/ingress/annotations/authreq/main_test.go
@ -68,23 +68,25 @@ func TestAnnotations(t *testing.T) {
 	ing.SetAnnotations(data)

 	tests := []struct {
-		title    string
-		url      string
-		method   string
-		sendBody bool
-		expErr   bool
+		title     string
+		url       string
+		signinURL string
+		method    string
+		sendBody  bool
+		expErr    bool
 	}{
-		{"empty", "", "", false, true},
-		{"no scheme", "bar", "", false, true},
-		{"invalid host", "http://", "", false, true},
-		{"invalid host (multiple dots)", "http://foo..bar.com", "", false, true},
-		{"valid URL", "http://bar.foo.com/external-auth", "", false, false},
-		{"valid URL - send body", "http://foo.com/external-auth", "POST", true, false},
-		{"valid URL - send body", "http://foo.com/external-auth", "GET", true, false},
+		{"empty", "", "", "", false, true},
+		{"no scheme", "bar", "bar", "", false, true},
+		{"invalid host", "http://", "http://", "", false, true},
+		{"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", false, true},
+		{"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", false, false},
+		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", true, false},
+		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", true, false},
 	}

 	for _, test := range tests {
 		data[authURL] = test.url
+		data[authSigninURL] = test.signinURL
 		data[authBody] = fmt.Sprintf("%v", test.sendBody)
 		data[authMethod] = fmt.Sprintf("%v", test.method)

@ -102,6 +104,9 @@ func TestAnnotations(t *testing.T) {
 		if u.URL != test.url {
 			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL)
 		}
+		if u.SigninURL != test.signinURL {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.signinURL, u.SigninURL)
+		}
 		if u.Method != test.method {
 			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
 		}
--- a/core/pkg/ingress/annotations/class/main.go
+++ b/core/pkg/ingress/annotations/class/main.go
@ -0,0 +1,55 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package class
+
+import (
+	"github.com/golang/glog"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+	"k8s.io/ingress/core/pkg/ingress/errors"
+)
+
+const (
+	// IngressKey picks a specific "class" for the Ingress.
+	// The controller only processes Ingresses with this annotation either
+	// unset, or set to either the configured value or the empty string.
+	IngressKey = "kubernetes.io/ingress.class"
+)
+
+// IsValid returns true if the given Ingress either doesn't specify
+// the ingress.class annotation, or it's set to the configured in the
+// ingress controller.
+func IsValid(ing *extensions.Ingress, controller, defClass string) bool {
+	ingress, err := parser.GetStringAnnotation(IngressKey, ing)
+	if err != nil && !errors.IsMissingAnnotations(err) {
+		glog.Warningf("unexpected error reading ingress annotation: %v", err)
+	}
+
+	// we have 2 valid combinations
+	// 1 - ingress with default class | blank annotation on ingress
+	// 2 - ingress with specific class | same annotation on ingress
+	//
+	// and 2 invalid combinations
+	// 3 - ingress with default class | fixed annotation on ingress
+	// 4 - ingress with specific class | different annotation on ingress
+	if ingress == "" && controller == defClass {
+		return true
+	}
+
+	return ingress == controller
+}
--- a/core/pkg/ingress/annotations/class/main_test.go
+++ b/core/pkg/ingress/annotations/class/main_test.go
@ -0,0 +1,58 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package class
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+func TestIsValidClass(t *testing.T) {
+	tests := []struct {
+		ingress    string
+		controller string
+		defClass   string
+		isValid    bool
+	}{
+		{"", "", "nginx", true},
+		{"", "nginx", "nginx", true},
+		{"nginx", "nginx", "nginx", true},
+		{"custom", "custom", "nginx", true},
+		{"", "killer", "nginx", false},
+		{"", "", "nginx", true},
+		{"custom", "nginx", "nginx", false},
+	}
+
+	ing := &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+	}
+
+	data := map[string]string{}
+	ing.SetAnnotations(data)
+	for _, test := range tests {
+		ing.Annotations[IngressKey] = test.ingress
+		b := IsValid(ing, test.controller, test.defClass)
+		if b != test.isValid {
+			t.Errorf("test %v - expected %v but %v was returned", test, test.isValid, b)
+		}
+	}
+}
--- a/core/pkg/ingress/annotations/ratelimit/main.go
+++ b/core/pkg/ingress/annotations/ratelimit/main.go
@ -36,10 +36,10 @@ const (
 	defSharedSize = 5
 )

-// RateLimit returns rate limit configuration for an Ingress rule
-// Is possible to limit the number of connections per IP address or
-// connections per second.
-// Note: Is possible to specify both limits
+// RateLimit returns rate limit configuration for an Ingress rule limiting the
+// number of connections per IP address and/or connections per second.
+// If you both annotations are specified in a single Ingress rule, RPS limits
+// takes precedence
 type RateLimit struct {
 	// Connections indicates a limit with the number of connections per IP address
 	Connections Zone `json:"connections"`
--- a/core/pkg/ingress/annotations/rewrite/main.go
+++ b/core/pkg/ingress/annotations/rewrite/main.go
@ -24,9 +24,10 @@ import (
 )

 const (
-	rewriteTo   = "ingress.kubernetes.io/rewrite-target"
-	addBaseURL  = "ingress.kubernetes.io/add-base-url"
-	sslRedirect = "ingress.kubernetes.io/ssl-redirect"
+	rewriteTo        = "ingress.kubernetes.io/rewrite-target"
+	addBaseURL       = "ingress.kubernetes.io/add-base-url"
+	sslRedirect      = "ingress.kubernetes.io/ssl-redirect"
+	forceSSLRedirect = "ingress.kubernetes.io/force-ssl-redirect"
 )

 // Redirect describes the per location redirect config
@ -38,6 +39,8 @@ type Redirect struct {
 	AddBaseURL bool `json:"addBaseUrl"`
 	// SSLRedirect indicates if the location section is accessible SSL only
 	SSLRedirect bool `json:"sslRedirect"`
+	// ForceSSLRedirect indicates if the location section is accessible SSL only
+	ForceSSLRedirect bool `json:"forceSSLRedirect"`
 }

 type rewrite struct {
@ -57,10 +60,15 @@ func (a rewrite) Parse(ing *extensions.Ingress) (interface{}, error) {
 	if err != nil {
 		sslRe = a.backendResolver.GetDefaultBackend().SSLRedirect
 	}
+	fSslRe, err := parser.GetBoolAnnotation(forceSSLRedirect, ing)
+	if err != nil {
+		fSslRe = a.backendResolver.GetDefaultBackend().ForceSSLRedirect
+	}
 	abu, _ := parser.GetBoolAnnotation(addBaseURL, ing)
 	return &Redirect{
-		Target:      rt,
-		AddBaseURL:  abu,
-		SSLRedirect: sslRe,
+		Target:           rt,
+		AddBaseURL:       abu,
+		SSLRedirect:      sslRe,
+		ForceSSLRedirect: fSslRe,
 	}, nil
 }
--- a/core/pkg/ingress/annotations/rewrite/main_test.go
+++ b/core/pkg/ingress/annotations/rewrite/main_test.go
@ -117,10 +117,6 @@ func TestSSLRedirect(t *testing.T) {
 		t.Errorf("Expected true but returned false")
 	}

-	if !redirect.SSLRedirect {
-		t.Errorf("Expected true but returned false")
-	}
-
 	data[sslRedirect] = "false"
 	ing.SetAnnotations(data)

@ -133,3 +129,32 @@ func TestSSLRedirect(t *testing.T) {
 		t.Errorf("Expected false but returned true")
 	}
 }
+
+func TestForceSSLRedirect(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[rewriteTo] = defRoute
+	ing.SetAnnotations(data)
+
+	i, _ := NewParser(mockBackend{true}).Parse(ing)
+	redirect, ok := i.(*Redirect)
+	if !ok {
+		t.Errorf("expected a Redirect type")
+	}
+	if redirect.ForceSSLRedirect {
+		t.Errorf("Expected false but returned true")
+	}
+
+	data[forceSSLRedirect] = "true"
+	ing.SetAnnotations(data)
+
+	i, _ = NewParser(mockBackend{false}).Parse(ing)
+	redirect, ok = i.(*Redirect)
+	if !ok {
+		t.Errorf("expected a Redirect type")
+	}
+	if !redirect.ForceSSLRedirect {
+		t.Errorf("Expected true but returned false")
+	}
+}