Implement annotation validation (#9673)
* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
This commit is contained in:
Ricardo Katz
GitHub
parent
86c00a2310
commit
c5f348ea2e
109 changed files with 4320 additions and 586 deletions
|
|
@ -23,8 +23,32 @@ import (
|
|||
"k8s.io/ingress-nginx/internal/ingress/resolver"
|
||||
)
|
||||
|
||||
const (
|
||||
enableAccessLogAnnotation = "enable-access-log"
|
||||
enableRewriteLogAnnotation = "enable-rewrite-log"
|
||||
)
|
||||
|
||||
var logAnnotations = parser.Annotation{
|
||||
Group: "log",
|
||||
Annotations: parser.AnnotationFields{
|
||||
enableAccessLogAnnotation: {
|
||||
Validator: parser.ValidateBool,
|
||||
Scope: parser.AnnotationScopeLocation,
|
||||
Risk: parser.AnnotationRiskLow,
|
||||
Documentation: `This configuration setting allows you to control if this location should generate an access_log`,
|
||||
},
|
||||
enableRewriteLogAnnotation: {
|
||||
Validator: parser.ValidateBool,
|
||||
Scope: parser.AnnotationScopeLocation,
|
||||
Risk: parser.AnnotationRiskLow,
|
||||
Documentation: `This configuration setting allows you to control if this location should generate logs from the rewrite feature usage`,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
type log struct {
|
||||
r resolver.Resolver
|
||||
r resolver.Resolver
|
||||
annotationConfig parser.Annotation
|
||||
}
|
||||
|
||||
// Config contains the configuration to be used in the Ingress
|
||||
|
|
@ -48,7 +72,10 @@ func (bd1 *Config) Equal(bd2 *Config) bool {
|
|||
|
||||
// NewParser creates a new log annotations parser
|
||||
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
|
||||
return log{r}
|
||||
return log{
|
||||
r: r,
|
||||
annotationConfig: logAnnotations,
|
||||
}
|
||||
}
|
||||
|
||||
// Parse parses the annotations contained in the ingress
|
||||
|
|
@ -57,15 +84,24 @@ func (l log) Parse(ing *networking.Ingress) (interface{}, error) {
|
|||
var err error
|
||||
config := &Config{}
|
||||
|
||||
config.Access, err = parser.GetBoolAnnotation("enable-access-log", ing)
|
||||
config.Access, err = parser.GetBoolAnnotation(enableAccessLogAnnotation, ing, l.annotationConfig.Annotations)
|
||||
if err != nil {
|
||||
config.Access = true
|
||||
}
|
||||
|
||||
config.Rewrite, err = parser.GetBoolAnnotation("enable-rewrite-log", ing)
|
||||
config.Rewrite, err = parser.GetBoolAnnotation(enableRewriteLogAnnotation, ing, l.annotationConfig.Annotations)
|
||||
if err != nil {
|
||||
config.Rewrite = false
|
||||
}
|
||||
|
||||
return config, nil
|
||||
}
|
||||
|
||||
func (l log) GetDocumentation() parser.AnnotationFields {
|
||||
return l.annotationConfig.Annotations
|
||||
}
|
||||
|
||||
func (a log) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, logAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -73,7 +73,7 @@ func TestIngressAccessLogConfig(t *testing.T) {
|
|||
ing := buildIngress()
|
||||
|
||||
data := map[string]string{}
|
||||
data[parser.GetAnnotationWithPrefix("enable-access-log")] = "false"
|
||||
data[parser.GetAnnotationWithPrefix(enableAccessLogAnnotation)] = "false"
|
||||
ing.SetAnnotations(data)
|
||||
|
||||
log, _ := NewParser(&resolver.Mock{}).Parse(ing)
|
||||
|
|
@ -91,7 +91,7 @@ func TestIngressRewriteLogConfig(t *testing.T) {
|
|||
ing := buildIngress()
|
||||
|
||||
data := map[string]string{}
|
||||
data[parser.GetAnnotationWithPrefix("enable-rewrite-log")] = "true"
|
||||
data[parser.GetAnnotationWithPrefix(enableRewriteLogAnnotation)] = "true"
|
||||
ing.SetAnnotations(data)
|
||||
|
||||
log, _ := NewParser(&resolver.Mock{}).Parse(ing)
|
||||
|
|
@ -104,3 +104,21 @@ func TestIngressRewriteLogConfig(t *testing.T) {
|
|||
t.Errorf("expected rewrite log to be enabled but it is disabled")
|
||||
}
|
||||
}
|
||||
|
||||
func TestInvalidBoolConfig(t *testing.T) {
|
||||
ing := buildIngress()
|
||||
|
||||
data := map[string]string{}
|
||||
data[parser.GetAnnotationWithPrefix(enableRewriteLogAnnotation)] = "blo"
|
||||
ing.SetAnnotations(data)
|
||||
|
||||
log, _ := NewParser(&resolver.Mock{}).Parse(ing)
|
||||
nginxLogs, ok := log.(*Config)
|
||||
if !ok {
|
||||
t.Errorf("expected a Config type")
|
||||
}
|
||||
|
||||
if !nginxLogs.Access {
|
||||
t.Errorf("expected access log to be enabled due to invalid config, but it is disabled")
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue