Implement annotation validation (#9673)
* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
This commit is contained in:
Ricardo Katz
GitHub
parent
86c00a2310
commit
c5f348ea2e
109 changed files with 4320 additions and 586 deletions
|
|
@ -17,14 +17,54 @@ limitations under the License.
|
|||
package upstreamhashby
|
||||
|
||||
import (
|
||||
"regexp"
|
||||
|
||||
networking "k8s.io/api/networking/v1"
|
||||
|
||||
"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
|
||||
"k8s.io/ingress-nginx/internal/ingress/errors"
|
||||
"k8s.io/ingress-nginx/internal/ingress/resolver"
|
||||
)
|
||||
|
||||
const (
|
||||
upstreamHashByAnnotation = "upstream-hash-by"
|
||||
upstreamHashBySubsetAnnotation = "upstream-hash-by-subset"
|
||||
upstreamHashBySubsetSize = "upstream-hash-by-subset-size"
|
||||
)
|
||||
|
||||
var (
|
||||
specialChars = regexp.QuoteMeta("_${}")
|
||||
hashByRegex = regexp.MustCompilePOSIX(`^[A-Za-z0-9\-` + specialChars + `]*$`)
|
||||
)
|
||||
|
||||
var upstreamHashByAnnotations = parser.Annotation{
|
||||
Group: "backend",
|
||||
Annotations: parser.AnnotationFields{
|
||||
upstreamHashByAnnotation: {
|
||||
Validator: parser.ValidateRegex(*hashByRegex, true),
|
||||
Scope: parser.AnnotationScopeLocation,
|
||||
Risk: parser.AnnotationRiskHigh, // High, this annotation allows accessing NGINX variables
|
||||
Documentation: `This annotation defines the nginx variable, text value or any combination thereof to use for consistent hashing.
|
||||
For example: nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri" or nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri$host" or nginx.ingress.kubernetes.io/upstream-hash-by: "${request_uri}-text-value" to consistently hash upstream requests by the current request URI.`,
|
||||
},
|
||||
upstreamHashBySubsetAnnotation: {
|
||||
Validator: parser.ValidateBool,
|
||||
Scope: parser.AnnotationScopeLocation,
|
||||
Risk: parser.AnnotationRiskLow,
|
||||
Documentation: `This annotation maps requests to subset of nodes instead of a single one.`,
|
||||
},
|
||||
upstreamHashBySubsetSize: {
|
||||
Validator: parser.ValidateInt,
|
||||
Scope: parser.AnnotationScopeLocation,
|
||||
Risk: parser.AnnotationRiskLow,
|
||||
Documentation: `This annotation determines the size of each subset (default 3)`,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
type upstreamhashby struct {
|
||||
r resolver.Resolver
|
||||
r resolver.Resolver
|
||||
annotationConfig parser.Annotation
|
||||
}
|
||||
|
||||
// Config contains the Consistent hash configuration to be used in the Ingress
|
||||
|
|
@ -36,14 +76,26 @@ type Config struct {
|
|||
|
||||
// NewParser creates a new UpstreamHashBy annotation parser
|
||||
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
|
||||
return upstreamhashby{r}
|
||||
return upstreamhashby{
|
||||
r: r,
|
||||
annotationConfig: upstreamHashByAnnotations,
|
||||
}
|
||||
}
|
||||
|
||||
// Parse parses the annotations contained in the ingress rule
|
||||
func (a upstreamhashby) Parse(ing *networking.Ingress) (interface{}, error) {
|
||||
upstreamHashBy, _ := parser.GetStringAnnotation("upstream-hash-by", ing)
|
||||
upstreamHashBySubset, _ := parser.GetBoolAnnotation("upstream-hash-by-subset", ing)
|
||||
upstreamHashbySubsetSize, _ := parser.GetIntAnnotation("upstream-hash-by-subset-size", ing)
|
||||
upstreamHashBy, err := parser.GetStringAnnotation(upstreamHashByAnnotation, ing, a.annotationConfig.Annotations)
|
||||
if err != nil && !errors.IsMissingAnnotations(err) {
|
||||
return nil, err
|
||||
}
|
||||
upstreamHashBySubset, err := parser.GetBoolAnnotation(upstreamHashBySubsetAnnotation, ing, a.annotationConfig.Annotations)
|
||||
if err != nil && !errors.IsMissingAnnotations(err) {
|
||||
return nil, err
|
||||
}
|
||||
upstreamHashbySubsetSize, err := parser.GetIntAnnotation(upstreamHashBySubsetSize, ing, a.annotationConfig.Annotations)
|
||||
if err != nil && !errors.IsMissingAnnotations(err) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if upstreamHashbySubsetSize == 0 {
|
||||
upstreamHashbySubsetSize = 3
|
||||
|
|
@ -51,3 +103,12 @@ func (a upstreamhashby) Parse(ing *networking.Ingress) (interface{}, error) {
|
|||
|
||||
return &Config{upstreamHashBy, upstreamHashBySubset, upstreamHashbySubsetSize}, nil
|
||||
}
|
||||
|
||||
func (a upstreamhashby) GetDocumentation() parser.AnnotationFields {
|
||||
return a.annotationConfig.Annotations
|
||||
}
|
||||
|
||||
func (a upstreamhashby) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, upstreamHashByAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ import (
|
|||
)
|
||||
|
||||
func TestParse(t *testing.T) {
|
||||
annotation := parser.GetAnnotationWithPrefix("upstream-hash-by")
|
||||
annotation := parser.GetAnnotationWithPrefix(upstreamHashByAnnotation)
|
||||
|
||||
ap := NewParser(&resolver.Mock{})
|
||||
if ap == nil {
|
||||
|
|
@ -37,12 +37,15 @@ func TestParse(t *testing.T) {
|
|||
testCases := []struct {
|
||||
annotations map[string]string
|
||||
expected string
|
||||
expectErr bool
|
||||
}{
|
||||
{map[string]string{annotation: "$request_uri"}, "$request_uri"},
|
||||
{map[string]string{annotation: "$request_uri$scheme"}, "$request_uri$scheme"},
|
||||
{map[string]string{annotation: "false"}, "false"},
|
||||
{map[string]string{}, ""},
|
||||
{nil, ""},
|
||||
{map[string]string{annotation: "$request_URI"}, "$request_URI", false},
|
||||
{map[string]string{annotation: "$request_uri$scheme"}, "$request_uri$scheme", false},
|
||||
{map[string]string{annotation: "xpto;[]"}, "", true},
|
||||
{map[string]string{annotation: "lalal${scheme_test}"}, "lalal${scheme_test}", false},
|
||||
{map[string]string{annotation: "false"}, "false", false},
|
||||
{map[string]string{}, "", false},
|
||||
{nil, "", false},
|
||||
}
|
||||
|
||||
ing := &networking.Ingress{
|
||||
|
|
@ -55,14 +58,19 @@ func TestParse(t *testing.T) {
|
|||
|
||||
for _, testCase := range testCases {
|
||||
ing.SetAnnotations(testCase.annotations)
|
||||
result, _ := ap.Parse(ing)
|
||||
uc, ok := result.(*Config)
|
||||
if !ok {
|
||||
t.Fatalf("expected a Config type")
|
||||
result, err := ap.Parse(ing)
|
||||
if (err != nil) != testCase.expectErr {
|
||||
t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations)
|
||||
}
|
||||
if !testCase.expectErr {
|
||||
uc, ok := result.(*Config)
|
||||
if !ok {
|
||||
t.Fatalf("expected a Config type")
|
||||
}
|
||||
|
||||
if uc.UpstreamHashBy != testCase.expected {
|
||||
t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations)
|
||||
if uc.UpstreamHashBy != testCase.expected {
|
||||
t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue