Beispiel #1
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to configure upstream check parameters
func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) *Configuration {
	if ing == nil || ing.GetAnnotations() == nil {
		return &Configuration{
			cfg.ProxyConnectTimeout,
			cfg.ProxySendTimeout,
			cfg.ProxyReadTimeout,
			cfg.ProxyBufferSize,
		}
	}

	ct, err := parser.GetIntAnnotation(connect, ing)
	if err != nil {
		ct = cfg.ProxyConnectTimeout
	}

	st, err := parser.GetIntAnnotation(send, ing)
	if err != nil {
		st = cfg.ProxySendTimeout
	}

	rt, err := parser.GetIntAnnotation(read, ing)
	if err != nil {
		rt = cfg.ProxyReadTimeout
	}

	bs, err := parser.GetStringAnnotation(bufferSize, ing)
	if err != nil || bs == "" {
		bs = cfg.ProxyBufferSize
	}

	return &Configuration{ct, st, rt, bs}
}
Beispiel #2
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to indicate if the upstream servers should use SSL
func ParseAnnotations(ing *extensions.Ingress) (bool, error) {
	if ing.GetAnnotations() == nil {
		return false, errors.New("no annotations present")
	}

	return ingAnnotations(ing.GetAnnotations()).secureUpstream(), nil
}
Beispiel #3
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to rewrite the defined paths
func ParseAnnotations(ing *extensions.Ingress) (*RateLimit, error) {
	if ing.GetAnnotations() == nil {
		return &RateLimit{}, ErrMissingAnnotations
	}

	rps := ingAnnotations(ing.GetAnnotations()).limitRPS()
	conn := ingAnnotations(ing.GetAnnotations()).limitIP()

	if rps == 0 && conn == 0 {
		return &RateLimit{
			Connections: Zone{},
			RPS:         Zone{},
		}, ErrInvalidRateLimit
	}

	zoneName := fmt.Sprintf("%v_%v", ing.GetNamespace(), ing.GetName())

	return &RateLimit{
		Connections: Zone{
			Name:       fmt.Sprintf("%v_conn", zoneName),
			Limit:      conn,
			Burst:      conn * defBurst,
			SharedSize: defSharedSize,
		},
		RPS: Zone{
			Name:       fmt.Sprintf("%v_rps", zoneName),
			Limit:      rps,
			Burst:      conn * defBurst,
			SharedSize: defSharedSize,
		},
	}, nil
}
Beispiel #4
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to limit access to certain client addresses or networks.
// Multiple ranges can specified using commas as separator
// e.g. `18.0.0.0/8,56.0.0.0/8`
func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*SourceRange, error) {
	sort.Strings(cfg.WhitelistSourceRange)
	if ing.GetAnnotations() == nil {
		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, parser.ErrMissingAnnotations
	}

	val, err := parser.GetStringAnnotation(whitelist, ing)
	if err != nil {
		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, err
	}

	values := strings.Split(val, ",")
	ipnets, err := sets.ParseIPNets(values...)
	if err != nil {
		return &SourceRange{CIDR: cfg.WhitelistSourceRange}, ErrInvalidCIDR
	}

	cidrs := []string{}
	for k := range ipnets {
		cidrs = append(cidrs, k)
	}

	sort.Strings(cidrs)

	return &SourceRange{cidrs}, nil
}
Beispiel #5
0
// GetIntAnnotation ...
func GetIntAnnotation(name string, ing *extensions.Ingress) (int, error) {
	if ing == nil || ing.GetAnnotations() == nil {
		return 0, ErrMissingAnnotations
	}
	if name == "" {
		return 0, ErrInvalidName
	}

	return ingAnnotations(ing.GetAnnotations()).parseInt(name)
}
Beispiel #6
0
// GetBoolAnnotation ...
func GetBoolAnnotation(name string, ing *extensions.Ingress) (bool, error) {
	if ing == nil || ing.GetAnnotations() == nil {
		return false, ErrMissingAnnotations
	}
	if name == "" {
		return false, ErrInvalidName
	}

	return ingAnnotations(ing.GetAnnotations()).parseBool(name)
}
Beispiel #7
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to limit access to certain client addresses or networks.
// Multiple ranges can specified using commas as separator
// e.g. `18.0.0.0/8,56.0.0.0/8`
func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*SourceRange, error) {
	if ing.GetAnnotations() == nil {
		return &SourceRange{whiteList}, ErrMissingWhitelist
	}

	wl, err := ingAnnotations(ing.GetAnnotations()).whitelist()
	if err != nil {
		wl = whiteList
	}

	return &SourceRange{wl}, err
}
Beispiel #8
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to indicate if is required to configure
func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (bool, error) {

	if ing.GetAnnotations() == nil {
		return false, parser.ErrMissingAnnotations
	}

	if len(ing.Spec.TLS) == 0 {
		return false, fmt.Errorf("ingres rule %v/%v does not contains a TLS section", ing.Name, ing.Namespace)
	}

	return parser.GetBoolAnnotation(passthrough, ing)
}
Beispiel #9
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to rewrite the defined paths
func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*Redirect, error) {
	if ing.GetAnnotations() == nil {
		return &Redirect{}, errors.New("no annotations present")
	}

	sslRe, err := parser.GetBoolAnnotation(sslRedirect, ing)
	if err != nil {
		sslRe = cfg.SSLRedirect
	}

	rt, _ := parser.GetStringAnnotation(rewriteTo, ing)
	abu, _ := parser.GetBoolAnnotation(addBaseURL, ing)
	return &Redirect{
		Target:      rt,
		AddBaseURL:  abu,
		SSLRedirect: sslRe,
	}, nil
}
Beispiel #10
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to rewrite the defined paths
func ParseAnnotations(cfg config.Configuration, ing *extensions.Ingress) (*Redirect, error) {
	if ing.GetAnnotations() == nil {
		return &Redirect{}, errors.New("no annotations present")
	}

	annotations := ingAnnotations(ing.GetAnnotations())

	sslRe, err := annotations.sslRedirect()
	if err != nil {
		sslRe = cfg.SSLRedirect
	}

	rt := annotations.rewriteTo()
	abu := annotations.addBaseURL()
	return &Redirect{
		Target:      rt,
		AddBaseURL:  abu,
		SSLRedirect: sslRe,
	}, nil
}
Beispiel #11
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to use an external URL as source for authentication
func ParseAnnotations(ing *extensions.Ingress) (External, error) {
	if ing.GetAnnotations() == nil {
		return External{}, parser.ErrMissingAnnotations
	}

	str, err := parser.GetStringAnnotation(authURL, ing)
	if err != nil {
		return External{}, err
	}
	if str == "" {
		return External{}, fmt.Errorf("an empty string is not a valid URL")
	}

	ur, err := url.Parse(str)
	if err != nil {
		return External{}, err
	}
	if ur.Scheme == "" {
		return External{}, fmt.Errorf("url scheme is empty")
	}
	if ur.Host == "" {
		return External{}, fmt.Errorf("url host is empty")
	}

	if strings.Contains(ur.Host, "..") {
		return External{}, fmt.Errorf("invalid url host")
	}

	m, _ := parser.GetStringAnnotation(authMethod, ing)
	if len(m) != 0 && !validMethod(m) {
		return External{}, fmt.Errorf("invalid HTTP method")
	}

	sb, _ := parser.GetBoolAnnotation(authBody, ing)

	return External{
		URL:      str,
		Method:   m,
		SendBody: sb,
	}, nil
}
Beispiel #12
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to use an external URL as source for authentication
func ParseAnnotations(ing *extensions.Ingress,
	fn func(secret string) (*SSLCert, error)) (*SSLCert, error) {
	if ing.GetAnnotations() == nil {
		return &SSLCert{}, parser.ErrMissingAnnotations
	}

	str, err := parser.GetStringAnnotation(authTLSSecret, ing)
	if err != nil {
		return &SSLCert{}, err
	}

	if str == "" {
		return &SSLCert{}, fmt.Errorf("an empty string is not a valid secret name")
	}

	_, _, err = k8s.ParseNameNS(str)
	if err != nil {
		return &SSLCert{}, err
	}

	return fn(str)
}
Beispiel #13
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to use an external URL as source for authentication
func ParseAnnotations(ing *extensions.Ingress) (Auth, error) {
	if ing.GetAnnotations() == nil {
		return Auth{}, ErrMissingAnnotations
	}

	str, err := ingAnnotations(ing.GetAnnotations()).url()
	if err != nil {
		return Auth{}, err
	}
	if str == "" {
		return Auth{}, fmt.Errorf("an empty string is not a valid URL")
	}

	ur, err := url.Parse(str)
	if err != nil {
		return Auth{}, err
	}
	if ur.Scheme == "" {
		return Auth{}, fmt.Errorf("url scheme is empty")
	}
	if ur.Host == "" {
		return Auth{}, fmt.Errorf("url host is empty")
	}

	if strings.Index(ur.Host, "..") != -1 {
		return Auth{}, fmt.Errorf("invalid url host")
	}

	m := ingAnnotations(ing.GetAnnotations()).method()
	if len(m) != 0 && !validMethod(m) {
		return Auth{}, fmt.Errorf("invalid HTTP method")
	}

	sb := ingAnnotations(ing.GetAnnotations()).sendBody()

	return Auth{
		URL:      str,
		Method:   m,
		SendBody: sb,
	}, nil
}
Beispiel #14
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to configure upstream check parameters
func ParseAnnotations(cfg config.Configuration, ing *extensions.Ingress) *Upstream {
	if ing.GetAnnotations() == nil {
		return &Upstream{cfg.UpstreamMaxFails, cfg.UpstreamFailTimeout}
	}

	mf, err := ingAnnotations(ing.GetAnnotations()).maxFails()
	if err != nil {
		mf = cfg.UpstreamMaxFails
	}

	ft, err := ingAnnotations(ing.GetAnnotations()).failTimeout()
	if err != nil {
		ft = cfg.UpstreamFailTimeout
	}

	return &Upstream{mf, ft}
}
Beispiel #15
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to add authentication in the paths defined in the rule
// and generated an htpasswd compatible file to be used as source
// during the authentication process
func ParseAnnotations(ing *extensions.Ingress, authDir string, fn func(string) (*api.Secret, error)) (*BasicDigest, error) {
	if ing.GetAnnotations() == nil {
		return &BasicDigest{}, parser.ErrMissingAnnotations
	}

	at, err := parser.GetStringAnnotation(authType, ing)
	if err != nil {
		return &BasicDigest{}, err
	}

	if !authTypeRegex.MatchString(at) {
		return &BasicDigest{}, ErrInvalidAuthType
	}

	s, err := parser.GetStringAnnotation(authSecret, ing)
	if err != nil {
		return &BasicDigest{}, err
	}

	secret, err := fn(fmt.Sprintf("%v/%v", ing.Namespace, s))
	if err != nil {
		return &BasicDigest{}, err
	}

	realm, _ := parser.GetStringAnnotation(authRealm, ing)

	passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName())
	err = dumpSecret(passFile, secret)
	if err != nil {
		return &BasicDigest{}, err
	}

	return &BasicDigest{
		Type:    at,
		Realm:   realm,
		File:    passFile,
		Secured: true,
	}, nil
}
Beispiel #16
0
// ParseAnnotations parses the annotations contained in the ingress
// rule used to add authentication in the paths defined in the rule
// and generated an htpasswd compatible file to be used as source
// during the authentication process
func ParseAnnotations(kubeClient client.Interface, ing *extensions.Ingress, authDir string) (*Nginx, error) {
	if ing.GetAnnotations() == nil {
		return &Nginx{}, ErrMissingAnnotations
	}

	at, err := ingAnnotations(ing.GetAnnotations()).authType()
	if err != nil {
		return &Nginx{}, err
	}

	s, err := ingAnnotations(ing.GetAnnotations()).secretName()
	if err != nil {
		return &Nginx{}, err
	}

	secret, err := kubeClient.Secrets(ing.Namespace).Get(s)
	if err != nil {
		return &Nginx{}, err
	}

	realm := ingAnnotations(ing.GetAnnotations()).realm()

	passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName())
	err = dumpSecret(passFile, secret)
	if err != nil {
		return &Nginx{}, err
	}

	return &Nginx{
		Type:    at,
		Realm:   realm,
		File:    passFile,
		Secured: true,
	}, nil
}