Implement annotation validation (#9673)

* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
2023-07-22 00:32:07 -03:00 · 2023-07-22 00:32:07 -03:00 · c5f348ea2e
commit c5f348ea2e
parent 86c00a2310
109 changed files with 4320 additions and 586 deletions
--- a/internal/ingress/annotations/log/main.go
+++ b/internal/ingress/annotations/log/main.go
@ -23,8 +23,32 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )

+const (
+	enableAccessLogAnnotation  = "enable-access-log"
+	enableRewriteLogAnnotation = "enable-rewrite-log"
+)
+
+var logAnnotations = parser.Annotation{
+	Group: "log",
+	Annotations: parser.AnnotationFields{
+		enableAccessLogAnnotation: {
+			Validator:     parser.ValidateBool,
+			Scope:         parser.AnnotationScopeLocation,
+			Risk:          parser.AnnotationRiskLow,
+			Documentation: `This configuration setting allows you to control if this location should generate an access_log`,
+		},
+		enableRewriteLogAnnotation: {
+			Validator:     parser.ValidateBool,
+			Scope:         parser.AnnotationScopeLocation,
+			Risk:          parser.AnnotationRiskLow,
+			Documentation: `This configuration setting allows you to control if this location should generate logs from the rewrite feature usage`,
+		},
+	},
+}
+
 type log struct {
-	r resolver.Resolver
+	r                resolver.Resolver
+	annotationConfig parser.Annotation
 }

 // Config contains the configuration to be used in the Ingress
@ -48,7 +72,10 @@ func (bd1 *Config) Equal(bd2 *Config) bool {

 // NewParser creates a new log annotations parser
 func NewParser(r resolver.Resolver) parser.IngressAnnotation {
-	return log{r}
+	return log{
+		r:                r,
+		annotationConfig: logAnnotations,
+	}
 }

 // Parse parses the annotations contained in the ingress
@ -57,15 +84,24 @@ func (l log) Parse(ing *networking.Ingress) (interface{}, error) {
 	var err error
 	config := &Config{}

-	config.Access, err = parser.GetBoolAnnotation("enable-access-log", ing)
+	config.Access, err = parser.GetBoolAnnotation(enableAccessLogAnnotation, ing, l.annotationConfig.Annotations)
 	if err != nil {
 		config.Access = true
 	}

-	config.Rewrite, err = parser.GetBoolAnnotation("enable-rewrite-log", ing)
+	config.Rewrite, err = parser.GetBoolAnnotation(enableRewriteLogAnnotation, ing, l.annotationConfig.Annotations)
 	if err != nil {
 		config.Rewrite = false
 	}

 	return config, nil
 }
+
+func (l log) GetDocumentation() parser.AnnotationFields {
+	return l.annotationConfig.Annotations
+}
+
+func (a log) Validate(anns map[string]string) error {
+	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
+	return parser.CheckAnnotationRisk(anns, maxrisk, logAnnotations.Annotations)
+}