configmap: option to not trust incoming tracing spans (#7045)

* validate the sender of tracing spans * add location-specific setting
2021-10-24 17:36:21 -04:00 · 2021-10-24 17:36:21 -04:00 · 7d5452d00b
commit 7d5452d00b
parent e4001df41e
9 changed files with 124 additions and 34 deletions
--- a/internal/ingress/annotations/opentracing/main.go
+++ b/internal/ingress/annotations/opentracing/main.go
@ -29,8 +29,10 @@ type opentracing struct {

 // Config contains the configuration to be used in the Ingress
 type Config struct {
-	Enabled bool `json:"enabled"`
-	Set     bool `json:"set"`
+	Enabled      bool `json:"enabled"`
+	Set          bool `json:"set"`
+	TrustEnabled bool `json:"trust-enabled"`
+	TrustSet     bool `json:"trust-set"`
 }

 // Equal tests for equality between two Config types
@ -43,6 +45,14 @@ func (bd1 *Config) Equal(bd2 *Config) bool {
 		return false
 	}

+	if bd1.TrustSet != bd2.TrustSet {
+		return false
+	}
+
+	if bd1.TrustEnabled != bd2.TrustEnabled {
+		return false
+	}
+
 	return true
 }

@ -54,8 +64,13 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation {
 func (s opentracing) Parse(ing *networking.Ingress) (interface{}, error) {
 	enabled, err := parser.GetBoolAnnotation("enable-opentracing", ing)
 	if err != nil {
-		return &Config{Set: false, Enabled: false}, nil
+		return &Config{}, nil
 	}

-	return &Config{Set: true, Enabled: enabled}, nil
+	trustSpan, err := parser.GetBoolAnnotation("opentracing-trust-incoming-span", ing)
+	if err != nil {
+		return &Config{Set: true, Enabled: enabled}, nil
+	}
+
+	return &Config{Set: true, Enabled: enabled, TrustSet: true, TrustEnabled: trustSpan}, nil
 }
--- a/internal/ingress/annotations/opentracing/main_test.go
+++ b/internal/ingress/annotations/opentracing/main_test.go
@ -106,6 +106,29 @@ func TestIngressAnnotationOpentracingSetFalse(t *testing.T) {
 	}
 }

+func TestIngressAnnotationOpentracingTrustSetTrue(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "true"
+	data[parser.GetAnnotationWithPrefix("opentracing-trust-incoming-span")] = "true"
+	ing.SetAnnotations(data)
+
+	val, _ := NewParser(&resolver.Mock{}).Parse(ing)
+	openTracing, ok := val.(*Config)
+	if !ok {
+		t.Errorf("expected a Config type")
+	}
+
+	if !openTracing.Enabled {
+		t.Errorf("expected annotation value to be true, got false")
+	}
+
+	if !openTracing.TrustEnabled {
+		t.Errorf("expected annotation value to be true, got false")
+	}
+}
+
 func TestIngressAnnotationOpentracingUnset(t *testing.T) {
 	ing := buildIngress()