Add keepalive support for auth requests (#8219)

* Add keepalive support for auth requests * Fix typo * Address PR comments * Log warning when auth-url contains variable in its host:port * Generate upstream name without replacing dots to underscores in server name * Add comment in the nginx template when the keepalive upstream block is referenced * Workaround for auth_request module ignores keepalive in upstream block * The `auth_request` module does not support HTTP keepalives in upstream block: https://trac.nginx.org/nginx/ticket/1579 * As a workaround we use ngx.location.capture but unfortunately it does not support HTTP/2 so `use-http2` configuration parameter is needed. * Handle PR comments * Address PR comments * Handle invalid values for int parameters * Handle PR comments * Fix e2e test
2022-04-09 05:22:04 +02:00 · 2022-04-09 05:22:04 +02:00 · 83ce21b4dd
commit 83ce21b4dd
parent 5e322f79a1
7 changed files with 570 additions and 12 deletions
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@ -476,6 +476,99 @@ http {
 				Body().
 				NotContainsFold(fmt.Sprintf("%s=%s", rewriteHeader, rewriteVal))
 		})
+
+		ginkgo.It(`should not create additional upstream block when auth-keepalive is not set`, func() {
+			f.UpdateNginxConfigMapData("use-http2", "false")
+			defer func() {
+				f.UpdateNginxConfigMapData("use-http2", "true")
+			}()
+			// Sleep a while just to guarantee that the configmap is applied
+			framework.Sleep()
+
+			annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path"
+			f.UpdateIngress(ing)
+
+			f.WaitForNginxServer("",
+				func(server string) bool {
+					return strings.Contains(server, "http://foo.bar.baz:5000/path") &&
+						!strings.Contains(server, `upstream auth-external-auth`)
+				})
+		})
+
+		ginkgo.It(`should not create additional upstream block when host part of auth-url contains a variable`, func() {
+			f.UpdateNginxConfigMapData("use-http2", "false")
+			defer func() {
+				f.UpdateNginxConfigMapData("use-http2", "true")
+			}()
+			// Sleep a while just to guarantee that the configmap is applied
+			framework.Sleep()
+
+			annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://$host/path"
+			annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "123"
+			f.UpdateIngress(ing)
+
+			f.WaitForNginxServer("",
+				func(server string) bool {
+					return strings.Contains(server, "http://$host/path") &&
+						!strings.Contains(server, `upstream auth-external-auth`) &&
+						!strings.Contains(server, `keepalive 123;`)
+				})
+		})
+
+		ginkgo.It(`should not create additional upstream block when auth-keepalive is negative`, func() {
+			f.UpdateNginxConfigMapData("use-http2", "false")
+			defer func() {
+				f.UpdateNginxConfigMapData("use-http2", "true")
+			}()
+			// Sleep a while just to guarantee that the configmap is applied
+			framework.Sleep()
+
+			annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path"
+			annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "-1"
+			f.UpdateIngress(ing)
+
+			f.WaitForNginxServer("",
+				func(server string) bool {
+					return strings.Contains(server, "http://foo.bar.baz:5000/path") &&
+						!strings.Contains(server, `upstream auth-external-auth`)
+				})
+		})
+
+		ginkgo.It(`should not create additional upstream block when auth-keepalive is set with HTTP/2`, func() {
+			annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path"
+			annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "123"
+			annotations["nginx.ingress.kubernetes.io/auth-keepalive-requests"] = "456"
+			annotations["nginx.ingress.kubernetes.io/auth-keepalive-timeout"] = "789"
+			f.UpdateIngress(ing)
+
+			f.WaitForNginxServer("",
+				func(server string) bool {
+					return strings.Contains(server, "http://foo.bar.baz:5000/path") &&
+						!strings.Contains(server, `upstream auth-external-auth`)
+				})
+		})
+
+		ginkgo.It(`should create additional upstream block when auth-keepalive is set with HTTP/1.x`, func() {
+			f.UpdateNginxConfigMapData("use-http2", "false")
+			defer func() {
+				f.UpdateNginxConfigMapData("use-http2", "true")
+			}()
+			// Sleep a while just to guarantee that the configmap is applied
+			framework.Sleep()
+
+			annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "123"
+			annotations["nginx.ingress.kubernetes.io/auth-keepalive-requests"] = "456"
+			annotations["nginx.ingress.kubernetes.io/auth-keepalive-timeout"] = "789"
+			f.UpdateIngress(ing)
+
+			f.WaitForNginxServer("",
+				func(server string) bool {
+					return strings.Contains(server, `upstream auth-external-auth`) &&
+						strings.Contains(server, `keepalive 123;`) &&
+						strings.Contains(server, `keepalive_requests 456;`) &&
+						strings.Contains(server, `keepalive_timeout 789s;`)
+				})
+		})
 	})

 	ginkgo.Context("when external authentication is configured with a custom redirect param", func() {