Merge branch 'master' into nginx/extauth_headers

core/pkg/ingress/annotations/auth/main.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"path"
 	"regexp"
 
 	"github.com/pkg/errors"
@@ -59,8 +60,17 @@ type auth struct {
 
 // NewParser creates a new authentication annotation parser
 func NewParser(authDirectory string, sr resolver.Secret) parser.IngressAnnotation {
-	// TODO: check permissions required
-	os.MkdirAll(authDirectory, 0655)
+	os.MkdirAll(authDirectory, 0755)
+
+	currPath := authDirectory
+	for currPath != "/" {
+		currPath = path.Dir(currPath)
+		err := os.Chmod(currPath, 0755)
+		if err != nil {
+			break
+		}
+	}
+
 	return auth{sr, authDirectory}
 }
 

core/pkg/ingress/annotations/authreq/main.go

@@ -100,7 +100,11 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
 		return nil, ing_errors.NewLocationDenied("invalid url host")
 	}
 
-	m, _ := parser.GetStringAnnotation(authMethod, ing)
+	m, err := parser.GetStringAnnotation(authMethod, ing)
+	if err != nil {
+		return nil, err
+	}
+
 	if len(m) != 0 && !validMethod(m) {
 		return nil, ing_errors.NewLocationDenied("invalid HTTP method")
 	}

core/pkg/ingress/annotations/authtls/main.go

@@ -28,11 +28,16 @@ import (
 
 const (
 	// name of the secret
-	authTLSSecret = "ingress.kubernetes.io/auth-tls-secret"
+	annotationAuthTLSSecret = "ingress.kubernetes.io/auth-tls-secret"
+	annotationAuthTLSDepth  = "ingress.kubernetes.io/auth-tls-verify-depth"
+	defaultAuthTLSDepth     = 1
 )
 
-type authTLS struct {
-	certResolver resolver.AuthCertificate
+// AuthSSLConfig contains the AuthSSLCert used for muthual autentication
+// and the configured ValidationDepth
+type AuthSSLConfig struct {
+	AuthSSLCert     resolver.AuthSSLCert
+	ValidationDepth int `json:"validationDepth"`
 }
 
 // NewParser creates a new TLS authentication annotation parser
@@ -40,29 +45,42 @@ func NewParser(resolver resolver.AuthCertificate) parser.IngressAnnotation {
 	return authTLS{resolver}
 }
 
-// ParseAnnotations parses the annotations contained in the ingress
-// rule used to use an external URL as source for authentication
+type authTLS struct {
+	certResolver resolver.AuthCertificate
+}
+
+// Parse parses the annotations contained in the ingress
+// rule used to use a Certificate as authentication method
 func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
-	str, err := parser.GetStringAnnotation(authTLSSecret, ing)
+
+	tlsauthsecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing)
 	if err != nil {
-		return nil, err
+		return &AuthSSLConfig{}, err
 	}
 
-	if str == "" {
-		return nil, ing_errors.NewLocationDenied("an empty string is not a valid secret name")
+	if tlsauthsecret == "" {
+		return &AuthSSLConfig{}, ing_errors.NewLocationDenied("an empty string is not a valid secret name")
 	}
 
-	_, _, err = k8s.ParseNameNS(str)
+	_, _, err = k8s.ParseNameNS(tlsauthsecret)
 	if err != nil {
-		return nil, ing_errors.NewLocationDenied("an empty string is not a valid secret name")
+		return &AuthSSLConfig{}, ing_errors.NewLocationDenied("an empty string is not a valid secret name")
 	}
 
-	authCert, err := a.certResolver.GetAuthCertificate(str)
+	tlsdepth, err := parser.GetIntAnnotation(annotationAuthTLSDepth, ing)
+	if err != nil || tlsdepth == 0 {
+		tlsdepth = defaultAuthTLSDepth
+	}
+
+	authCert, err := a.certResolver.GetAuthCertificate(tlsauthsecret)
 	if err != nil {
-		return nil, ing_errors.LocationDenied{
+		return &AuthSSLConfig{}, ing_errors.LocationDenied{
 			Reason: errors.Wrap(err, "error obtaining certificate"),
 		}
 	}
 
-	return authCert, nil
+	return &AuthSSLConfig{
+		AuthSSLCert:     *authCert,
+		ValidationDepth: tlsdepth,
+	}, nil
 }

core/pkg/ingress/annotations/proxy/main.go

@@ -24,11 +24,13 @@ import (
 )
 
 const (
-	bodySize   = "ingress.kubernetes.io/proxy-body-size"
-	connect    = "ingress.kubernetes.io/proxy-connect-timeout"
-	send       = "ingress.kubernetes.io/proxy-send-timeout"
-	read       = "ingress.kubernetes.io/proxy-read-timeout"
-	bufferSize = "ingress.kubernetes.io/proxy-buffer-size"
+	bodySize     = "ingress.kubernetes.io/proxy-body-size"
+	connect      = "ingress.kubernetes.io/proxy-connect-timeout"
+	send         = "ingress.kubernetes.io/proxy-send-timeout"
+	read         = "ingress.kubernetes.io/proxy-read-timeout"
+	bufferSize   = "ingress.kubernetes.io/proxy-buffer-size"
+	cookiePath   = "ingress.kubernetes.io/proxy-cookie-path"
+	cookieDomain = "ingress.kubernetes.io/proxy-cookie-domain"
 )
 
 // Configuration returns the proxy timeout to use in the upstream server/s
@@ -38,6 +40,8 @@ type Configuration struct {
 	SendTimeout    int    `json:"sendTimeout"`
 	ReadTimeout    int    `json:"readTimeout"`
 	BufferSize     string `json:"bufferSize"`
+	CookieDomain   string `json:"cookieDomain"`
+	CookiePath     string `json:"cookiePath"`
 }
 
 type proxy struct {
@@ -73,10 +77,20 @@ func (a proxy) Parse(ing *extensions.Ingress) (interface{}, error) {
 		bufs = defBackend.ProxyBufferSize
 	}
 
+	cp, err := parser.GetStringAnnotation(cookiePath, ing)
+	if err != nil || cp == "" {
+		cp = defBackend.ProxyCookiePath
+	}
+
+	cd, err := parser.GetStringAnnotation(cookieDomain, ing)
+	if err != nil || cd == "" {
+		cd = defBackend.ProxyCookieDomain
+	}
+
 	bs, err := parser.GetStringAnnotation(bodySize, ing)
 	if err != nil || bs == "" {
 		bs = defBackend.ProxyBodySize
 	}
 
-	return &Configuration{bs, ct, st, rt, bufs}, nil
+	return &Configuration{bs, ct, st, rt, bufs, cd, cp}, nil
 }

core/pkg/ingress/annotations/rewrite/main.go

@@ -52,11 +52,7 @@ func NewParser(br resolver.DefaultBackend) parser.IngressAnnotation {
 // ParseAnnotations parses the annotations contained in the ingress
 // rule used to rewrite the defined paths
 func (a rewrite) Parse(ing *extensions.Ingress) (interface{}, error) {
-	rt, err := parser.GetStringAnnotation(rewriteTo, ing)
-	if err != nil {
-		return nil, err
-	}
-
+	rt, _ := parser.GetStringAnnotation(rewriteTo, ing)
 	sslRe, err := parser.GetBoolAnnotation(sslRedirect, ing)
 	if err != nil {
 		sslRe = a.backendResolver.GetDefaultBackend().SSLRedirect

core/pkg/ingress/annotations/rewrite/main_test.go

@@ -76,8 +76,8 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend {
 func TestWithoutAnnotations(t *testing.T) {
 	ing := buildIngress()
 	_, err := NewParser(mockBackend{}).Parse(ing)
-	if err == nil {
-		t.Error("Expected error with ingress without annotations")
+	if err != nil {
+		t.Errorf("unexpected error with ingress without annotations: %v", err)
 	}
 }
 

core/pkg/ingress/annotations/sessionaffinity/main.go

@@ -0,0 +1,118 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sessionaffinity
+
+import (
+	"regexp"
+
+	"github.com/golang/glog"
+
+	"k8s.io/kubernetes/pkg/apis/extensions"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+)
+
+const (
+	annotationAffinityType = "ingress.kubernetes.io/affinity"
+	// If a cookie with this name exists,
+	// its value is used as an index into the list of available backends.
+	annotationAffinityCookieName = "ingress.kubernetes.io/session-cookie-name"
+	defaultAffinityCookieName    = "INGRESSCOOKIE"
+	// This is the algorithm used by nginx to generate a value for the session cookie, if
+	// one isn't supplied and affinity is set to "cookie".
+	annotationAffinityCookieHash = "ingress.kubernetes.io/session-cookie-hash"
+	defaultAffinityCookieHash    = "md5"
+)
+
+var (
+	affinityCookieHashRegex = regexp.MustCompile(`^(index|md5|sha1)$`)
+)
+
+// AffinityConfig describes the per ingress session affinity config
+type AffinityConfig struct {
+	// The type of affinity that will be used
+	AffinityType string `json:"type"`
+	CookieConfig
+}
+
+// CookieConfig describes the Config of cookie type affinity
+type CookieConfig struct {
+	// The name of the cookie that will be used in case of cookie affinity type.
+	Name string `json:"name"`
+	// The hash that will be used to encode the cookie in case of cookie affinity type
+	Hash string `json:"hash"`
+}
+
+// CookieAffinityParse gets the annotation values related to Cookie Affinity
+// It also sets default values when no value or incorrect value is found
+func CookieAffinityParse(ing *extensions.Ingress) *CookieConfig {
+
+	sn, err := parser.GetStringAnnotation(annotationAffinityCookieName, ing)
+
+	if err != nil || sn == "" {
+		glog.V(3).Infof("Ingress %v: No value found in annotation %v. Using the default %v", ing.Name, annotationAffinityCookieName, defaultAffinityCookieName)
+		sn = defaultAffinityCookieName
+	}
+
+	sh, err := parser.GetStringAnnotation(annotationAffinityCookieHash, ing)
+
+	if err != nil || !affinityCookieHashRegex.MatchString(sh) {
+		glog.V(3).Infof("Invalid or no annotation value found in Ingress %v: %v. Setting it to default %v", ing.Name, annotationAffinityCookieHash, defaultAffinityCookieHash)
+		sh = defaultAffinityCookieHash
+	}
+
+	return &CookieConfig{
+		Name: sn,
+		Hash: sh,
+	}
+}
+
+// NewParser creates a new Affinity annotation parser
+func NewParser() parser.IngressAnnotation {
+	return affinity{}
+}
+
+type affinity struct {
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to configure the affinity directives
+func (a affinity) Parse(ing *extensions.Ingress) (interface{}, error) {
+
+	var cookieAffinityConfig *CookieConfig
+	cookieAffinityConfig = &CookieConfig{}
+
+	// Check the type of affinity that will be used
+	at, err := parser.GetStringAnnotation(annotationAffinityType, ing)
+	if err != nil {
+		at = ""
+	}
+
+	switch at {
+	case "cookie":
+		cookieAffinityConfig = CookieAffinityParse(ing)
+
+	default:
+		glog.V(3).Infof("No default affinity was found for Ingress %v", ing.Name)
+
+	}
+	return &AffinityConfig{
+		AffinityType: at,
+		CookieConfig: *cookieAffinityConfig,
+	}, nil
+
+}

core/pkg/ingress/annotations/sessionaffinity/main_test.go

@@ -0,0 +1,88 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sessionaffinity
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+	"k8s.io/kubernetes/pkg/util/intstr"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestIngressAffinityCookieConfig(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[annotationAffinityType] = "cookie"
+	data[annotationAffinityCookieHash] = "sha123"
+	data[annotationAffinityCookieName] = "INGRESSCOOKIE"
+	ing.SetAnnotations(data)
+
+	affin, _ := NewParser().Parse(ing)
+	nginxAffinity, ok := affin.(*AffinityConfig)
+	if !ok {
+		t.Errorf("expected a Config type")
+	}
+
+	if nginxAffinity.AffinityType != "cookie" {
+		t.Errorf("expected cookie as sticky-type but returned %v", nginxAffinity.AffinityType)
+	}
+
+	if nginxAffinity.CookieConfig.Hash != "md5" {
+		t.Errorf("expected md5 as sticky-hash but returned %v", nginxAffinity.CookieConfig.Hash)
+	}
+
+	if nginxAffinity.CookieConfig.Name != "INGRESSCOOKIE" {
+		t.Errorf("expected route as sticky-name but returned %v", nginxAffinity.CookieConfig.Name)
+	}
+}

core/pkg/ingress/annotations/snippet/main.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package snippet
+
+import (
+	"k8s.io/kubernetes/pkg/apis/extensions"
+
+	"k8s.io/ingress/core/pkg/ingress/annotations/parser"
+)
+
+const (
+	annotation = "ingress.kubernetes.io/configuration-snippet"
+)
+
+type snippet struct {
+}
+
+// NewParser creates a new CORS annotation parser
+func NewParser() parser.IngressAnnotation {
+	return snippet{}
+}
+
+// Parse parses the annotations contained in the ingress rule
+// used to indicate if the location/s contains a fragment of
+// configuration to be included inside the paths of the rules
+func (a snippet) Parse(ing *extensions.Ingress) (interface{}, error) {
+	return parser.GetStringAnnotation(annotation, ing)
+}

core/pkg/ingress/annotations/snippet/main_test.go

@@ -0,0 +1,57 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package snippet
+
+import (
+	"testing"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/extensions"
+)
+
+func TestParse(t *testing.T) {
+	ap := NewParser()
+	if ap == nil {
+		t.Fatalf("expected a parser.IngressAnnotation but returned nil")
+	}
+
+	testCases := []struct {
+		annotations map[string]string
+		expected    string
+	}{
+		{map[string]string{annotation: "more_headers"}, "more_headers"},
+		{map[string]string{annotation: "false"}, "false"},
+		{map[string]string{}, ""},
+		{nil, ""},
+	}
+
+	ing := &extensions.Ingress{
+		ObjectMeta: api.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{},
+	}
+
+	for _, testCase := range testCases {
+		ing.SetAnnotations(testCase.annotations)
+		result, _ := ap.Parse(ing)
+		if result != testCase.expected {
+			t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations)
+		}
+	}
+}