Merge pull request #4779 from aledbf/update-image

Remove lua-resty-waf feature
Kubernetes Prow Robot 2019-11-27 11:45:05 -08:00 committed by GitHub
commit a85d5ed93a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 12 additions and 565 deletions


@ -610,10 +610,6 @@ type Configuration struct {
// +optional
GlobalExternalAuth GlobalExternalAuth `json:"global-external-auth"`
// DisableLuaRestyWAF disables lua-resty-waf globally regardless
// of whether there's an ingress that has enabled the WAF using annotation
DisableLuaRestyWAF bool `json:"disable-lua-resty-waf"`
// EnableInfluxDB enables the nginx InfluxDB extension
// http://github.com/influxdata/nginx-influxdb-module/
// By default this is disabled


@ -1178,7 +1178,6 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress)
loc.UsePortInRedirects = anns.UsePortInRedirects
loc.Connection = anns.Connection
loc.Logs = anns.Logs
loc.LuaRestyWAF = anns.LuaRestyWAF
loc.InfluxDB = anns.InfluxDB
loc.DefaultBackend = anns.DefaultBackend
loc.BackendProtocol = anns.BackendProtocol


@ -93,11 +93,6 @@ func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) {
outCmdBuf := t.bp.Get()
defer t.bp.Put(outCmdBuf)
// TODO: remove once we found a fix for coredump running luarocks install lrexlib
if runtime.GOARCH == "arm" {
conf.Cfg.DisableLuaRestyWAF = true
}
if klog.V(3) {
b, err := json.Marshal(conf)
if err != nil {
@ -134,7 +129,6 @@ var (
return true
},
"escapeLiteralDollar": escapeLiteralDollar,
"shouldConfigureLuaRestyWAF": shouldConfigureLuaRestyWAF,
"buildLuaSharedDictionaries": buildLuaSharedDictionaries,
"luaConfigurationRequestBodySize": luaConfigurationRequestBodySize,
"buildLocation": buildLocation,
@ -225,15 +219,7 @@ func quote(input interface{}) string {
return fmt.Sprintf("%q", inputStr)
}
func shouldConfigureLuaRestyWAF(disableLuaRestyWAF bool, mode string) bool {
if !disableLuaRestyWAF && len(mode) > 0 {
return true
}
return false
}
func buildLuaSharedDictionaries(c interface{}, s interface{}, disableLuaRestyWAF bool) string {
func buildLuaSharedDictionaries(c interface{}, s interface{}) string {
var out []string
cfg, ok := c.(config.Configuration)
@ -241,7 +227,8 @@ func buildLuaSharedDictionaries(c interface{}, s interface{}, disableLuaRestyWAF
klog.Errorf("expected a 'config.Configuration' type but %T was returned", c)
return ""
}
servers, ok := s.([]*ingress.Server)
_, ok = s.([]*ingress.Server)
if !ok {
klog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s)
return ""
@ -251,23 +238,6 @@ func buildLuaSharedDictionaries(c interface{}, s interface{}, disableLuaRestyWAF
out = append(out, fmt.Sprintf("lua_shared_dict %s %dM", name, size))
}
// TODO: there must be a better place for this
if _, ok := cfg.LuaSharedDicts["waf_storage"]; !ok && !disableLuaRestyWAF {
luaRestyWAFEnabled := func() bool {
for _, server := range servers {
for _, location := range server.Locations {
if len(location.LuaRestyWAF.Mode) > 0 {
return true
}
}
}
return false
}()
if luaRestyWAFEnabled {
out = append(out, "lua_shared_dict waf_storage 64M")
}
}
sort.Strings(out)
return strings.Join(out, ";\n") + ";\n"
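Review bot: Nothing in the visible hunks tells an operator that a WAF they had enabled is no longer applied: `shouldConfigureLuaRestyWAF` leaves the template funcs and `buildLuaSharedDictionaries` stops emitting `waf_storage`, so an ingress that still carries the lua-resty-waf annotation would presumably be rendered without that WAF's filtering and without a log line. If the annotation handling (not shown here) does not already do so, a warning logged for ingresses that still set the annotation, plus an upgrade note pointing to the remaining ModSecurity support, would make the loss of protection visible instead of silent. Separately, in `buildLuaSharedDictionaries` the `s` argument is now only type-asserted and discarded (`_, ok = s.([]*ingress.Server)`); a comment such as `// s is no longer read; only its type is validated so template callers keep the same arguments` would explain why it stays. The function's body starts and ends outside these hunks.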


@ -38,7 +38,6 @@ import (
"k8s.io/ingress-nginx/internal/ingress"
"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
"k8s.io/ingress-nginx/internal/ingress/annotations/influxdb"
"k8s.io/ingress-nginx/internal/ingress/annotations/luarestywaf"
"k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity"
"k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit"
"k8s.io/ingress-nginx/internal/ingress/annotations/rewrite"
@ -189,7 +188,7 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
"configuration_data": 10, "certificate_data": 20,
},
}
actual := buildLuaSharedDictionaries(cfg, invalidType, true)
actual := buildLuaSharedDictionaries(cfg, invalidType)
if !reflect.DeepEqual(expected, actual) {
t.Errorf("Expected '%v' but returned '%v'", expected, actual)
@ -198,32 +197,23 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
servers := []*ingress.Server{
{
Hostname: "foo.bar",
Locations: []*ingress.Location{{Path: "/", LuaRestyWAF: luarestywaf.Config{}}},
Locations: []*ingress.Location{{Path: "/"}},
},
{
Hostname: "another.host",
Locations: []*ingress.Location{{Path: "/", LuaRestyWAF: luarestywaf.Config{}}},
Locations: []*ingress.Location{{Path: "/"}},
},
}
// returns value from config
configuration := buildLuaSharedDictionaries(cfg, servers, false)
configuration := buildLuaSharedDictionaries(cfg, servers)
if !strings.Contains(configuration, "lua_shared_dict configuration_data 10M;\n") {
t.Errorf("expected to include 'configuration_data' but got %s", configuration)
}
if !strings.Contains(configuration, "lua_shared_dict certificate_data 20M;\n") {
t.Errorf("expected to include 'certificate_data' but got %s", configuration)
}
if strings.Contains(configuration, "waf_storage") {
t.Errorf("expected to not include 'waf_storage' but got %s", configuration)
}
servers[1].Locations[0].LuaRestyWAF = luarestywaf.Config{Mode: "ACTIVE"}
configuration = buildLuaSharedDictionaries(cfg, servers, false)
if !strings.Contains(configuration, "lua_shared_dict waf_storage") {
t.Errorf("expected to configure 'waf_storage', but got %s", configuration)
}
// test invalid config
configuration = buildLuaSharedDictionaries(invalidType, servers, false)
configuration = buildLuaSharedDictionaries(invalidType, servers)
if configuration != "" {
t.Errorf("expected an empty string, but got %s", configuration)
}