Implement annotation validation (#9673)

* Add validation to all annotations

* Add annotation validation for fcgi

* Fix reviews and fcgi e2e

* Add flag to disable cross namespace validation

* Add risk, flag for validation, tests

* Add missing formating

* Enable validation by default on tests

* Test validation flag

* remove ajp from list

* Finalize validation changes

* Add validations to CI

* Update helm docs

* Fix code review

* Use a better name for annotation risk

internal/ingress/annotations/backendprotocol/main.go

@@ -17,49 +17,72 @@ limitations under the License.
 package backendprotocol
 
 import (
-	"regexp"
-	"strings"
-
 	networking "k8s.io/api/networking/v1"
 	"k8s.io/klog/v2"
 
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )
 
-// HTTP protocol
-const HTTP = "HTTP"
-
 var (
-	validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|GRPC|GRPCS|FCGI)$`)
+	validProtocols = []string{"auto_http", "http", "https", "grpc", "grpcs", "fcgi"}
 )
 
+const (
+	http                      = "HTTP"
+	backendProtocolAnnotation = "backend-protocol"
+)
+
+var backendProtocolConfig = parser.Annotation{
+	Group: "backend",
+	Annotations: parser.AnnotationFields{
+		backendProtocolAnnotation: {
+			Validator: parser.ValidateOptions(validProtocols, false, true),
+			Scope:     parser.AnnotationScopeLocation,
+			Risk:      parser.AnnotationRiskLow, // Low, as it allows just a set of options
+			Documentation: `this annotation can be used to define which protocol should 
+			be used to communicate with backends`,
+		},
+	},
+}
+
 type backendProtocol struct {
-	r resolver.Resolver
+	r                resolver.Resolver
+	annotationConfig parser.Annotation
 }
 
 // NewParser creates a new backend protocol annotation parser
 func NewParser(r resolver.Resolver) parser.IngressAnnotation {
-	return backendProtocol{r}
+	return backendProtocol{
+		r:                r,
+		annotationConfig: backendProtocolConfig,
+	}
+}
+
+func (a backendProtocol) GetDocumentation() parser.AnnotationFields {
+	return a.annotationConfig.Annotations
 }
 
 // ParseAnnotations parses the annotations contained in the ingress
 // rule used to indicate the backend protocol.
 func (a backendProtocol) Parse(ing *networking.Ingress) (interface{}, error) {
 	if ing.GetAnnotations() == nil {
-		return HTTP, nil
+		return http, nil
 	}
 
-	proto, err := parser.GetStringAnnotation("backend-protocol", ing)
+	proto, err := parser.GetStringAnnotation(backendProtocolAnnotation, ing, a.annotationConfig.Annotations)
 	if err != nil {
-		return HTTP, nil
-	}
-
-	proto = strings.TrimSpace(strings.ToUpper(proto))
-	if !validProtocols.MatchString(proto) {
-		klog.Warningf("Protocol %v is not a valid value for the backend-protocol annotation. Using HTTP as protocol", proto)
-		return HTTP, nil
+		if errors.IsValidationError(err) {
+			klog.Warningf("validation error %s. Using HTTP as protocol", err)
+		}
+		return http, nil
 	}
 
 	return proto, nil
 }
+
+func (a backendProtocol) Validate(anns map[string]string) error {
+	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
+	return parser.CheckAnnotationRisk(anns, maxrisk, backendProtocolConfig.Annotations)
+}

internal/ingress/annotations/backendprotocol/main_test.go

@@ -77,7 +77,7 @@ func TestParseInvalidAnnotations(t *testing.T) {
 	}
 
 	// Test invalid annotation set
-	data[parser.GetAnnotationWithPrefix("backend-protocol")] = "INVALID"
+	data[parser.GetAnnotationWithPrefix(backendProtocolAnnotation)] = "INVALID"
 	ing.SetAnnotations(data)
 
 	i, err = NewParser(&resolver.Mock{}).Parse(ing)
@@ -97,7 +97,7 @@ func TestParseAnnotations(t *testing.T) {
 	ing := buildIngress()
 
 	data := map[string]string{}
-	data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS"
+	data[parser.GetAnnotationWithPrefix(backendProtocolAnnotation)] = "  HTTPS  "
 	ing.SetAnnotations(data)
 
 	i, err := NewParser(&resolver.Mock{}).Parse(ing)