Implement annotation validation (#9673)

* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
2023-07-22 00:32:07 -03:00 · 2023-07-22 00:32:07 -03:00 · c5f348ea2e
commit c5f348ea2e
parent 86c00a2310
109 changed files with 4320 additions and 586 deletions
--- a/internal/ingress/annotations/opentracing/main.go
+++ b/internal/ingress/annotations/opentracing/main.go
@ -23,8 +23,33 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )

+const (
+	enableOpentracingAnnotation    = "enable-opentracing"
+	opentracingTrustSpanAnnotation = "opentracing-trust-incoming-span"
+)
+
+var opentracingAnnotations = parser.Annotation{
+	Group: "opentracing",
+	Annotations: parser.AnnotationFields{
+		enableOpentracingAnnotation: {
+			Validator: parser.ValidateBool,
+			Scope:     parser.AnnotationScopeLocation,
+			Risk:      parser.AnnotationRiskLow,
+			Documentation: `This annotation defines if Opentracing collector should be enable for this location. Opentracing should 
+			already be configured by Ingress administrator`,
+		},
+		opentracingTrustSpanAnnotation: {
+			Validator:     parser.ValidateBool,
+			Scope:         parser.AnnotationScopeLocation,
+			Risk:          parser.AnnotationRiskLow,
+			Documentation: `This annotation enables or disables using spans from incoming requests as parent for created ones`,
+		},
+	},
+}
+
 type opentracing struct {
-	r resolver.Resolver
+	r                resolver.Resolver
+	annotationConfig parser.Annotation
 }

 // Config contains the configuration to be used in the Ingress
@ -58,19 +83,31 @@ func (bd1 *Config) Equal(bd2 *Config) bool {

 // NewParser creates a new serviceUpstream annotation parser
 func NewParser(r resolver.Resolver) parser.IngressAnnotation {
-	return opentracing{r}
+	return opentracing{
+		r:                r,
+		annotationConfig: opentracingAnnotations,
+	}
 }

 func (s opentracing) Parse(ing *networking.Ingress) (interface{}, error) {
-	enabled, err := parser.GetBoolAnnotation("enable-opentracing", ing)
+	enabled, err := parser.GetBoolAnnotation(enableOpentracingAnnotation, ing, s.annotationConfig.Annotations)
 	if err != nil {
 		return &Config{}, nil
 	}

-	trustSpan, err := parser.GetBoolAnnotation("opentracing-trust-incoming-span", ing)
+	trustSpan, err := parser.GetBoolAnnotation(opentracingTrustSpanAnnotation, ing, s.annotationConfig.Annotations)
 	if err != nil {
 		return &Config{Set: true, Enabled: enabled}, nil
 	}

 	return &Config{Set: true, Enabled: enabled, TrustSet: true, TrustEnabled: trustSpan}, nil
 }
+
+func (s opentracing) GetDocumentation() parser.AnnotationFields {
+	return s.annotationConfig.Annotations
+}
+
+func (a opentracing) Validate(anns map[string]string) error {
+	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
+	return parser.CheckAnnotationRisk(anns, maxrisk, opentracingAnnotations.Annotations)
+}
--- a/internal/ingress/annotations/opentracing/main_test.go
+++ b/internal/ingress/annotations/opentracing/main_test.go
@ -73,7 +73,7 @@ func TestIngressAnnotationOpentracingSetTrue(t *testing.T) {
 	ing := buildIngress()

 	data := map[string]string{}
-	data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "true"
+	data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "true"
 	ing.SetAnnotations(data)

 	val, _ := NewParser(&resolver.Mock{}).Parse(ing)
@ -92,7 +92,7 @@ func TestIngressAnnotationOpentracingSetFalse(t *testing.T) {

 	// Test with explicitly set to false
 	data := map[string]string{}
-	data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "false"
+	data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "false"
 	ing.SetAnnotations(data)

 	val, _ := NewParser(&resolver.Mock{}).Parse(ing)
@ -110,8 +110,8 @@ func TestIngressAnnotationOpentracingTrustSetTrue(t *testing.T) {
 	ing := buildIngress()

 	data := map[string]string{}
-	data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "true"
-	data[parser.GetAnnotationWithPrefix("opentracing-trust-incoming-span")] = "true"
+	data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "true"
+	data[parser.GetAnnotationWithPrefix(opentracingTrustSpanAnnotation)] = "true"
 	ing.SetAnnotations(data)

 	val, _ := NewParser(&resolver.Mock{}).Parse(ing)