// ParseAnnotations parses the annotations contained in the ingress // rule used to configure upstream check parameters func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) *Configuration { if ing == nil || ing.GetAnnotations() == nil { return &Configuration{ cfg.ProxyConnectTimeout, cfg.ProxySendTimeout, cfg.ProxyReadTimeout, cfg.ProxyBufferSize, } } ct, err := parser.GetIntAnnotation(connect, ing) if err != nil { ct = cfg.ProxyConnectTimeout } st, err := parser.GetIntAnnotation(send, ing) if err != nil { st = cfg.ProxySendTimeout } rt, err := parser.GetIntAnnotation(read, ing) if err != nil { rt = cfg.ProxyReadTimeout } bs, err := parser.GetStringAnnotation(bufferSize, ing) if err != nil || bs == "" { bs = cfg.ProxyBufferSize } return &Configuration{ct, st, rt, bs} }
// ParseAnnotations parses the annotations contained in the ingress // rule used to indicate if the upstream servers should use SSL func ParseAnnotations(ing *extensions.Ingress) (bool, error) { if ing.GetAnnotations() == nil { return false, errors.New("no annotations present") } return ingAnnotations(ing.GetAnnotations()).secureUpstream(), nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to rewrite the defined paths func ParseAnnotations(ing *extensions.Ingress) (*RateLimit, error) { if ing.GetAnnotations() == nil { return &RateLimit{}, ErrMissingAnnotations } rps := ingAnnotations(ing.GetAnnotations()).limitRPS() conn := ingAnnotations(ing.GetAnnotations()).limitIP() if rps == 0 && conn == 0 { return &RateLimit{ Connections: Zone{}, RPS: Zone{}, }, ErrInvalidRateLimit } zoneName := fmt.Sprintf("%v_%v", ing.GetNamespace(), ing.GetName()) return &RateLimit{ Connections: Zone{ Name: fmt.Sprintf("%v_conn", zoneName), Limit: conn, Burst: conn * defBurst, SharedSize: defSharedSize, }, RPS: Zone{ Name: fmt.Sprintf("%v_rps", zoneName), Limit: rps, Burst: conn * defBurst, SharedSize: defSharedSize, }, }, nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to limit access to certain client addresses or networks. // Multiple ranges can specified using commas as separator // e.g. `18.0.0.0/8,56.0.0.0/8` func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*SourceRange, error) { sort.Strings(cfg.WhitelistSourceRange) if ing.GetAnnotations() == nil { return &SourceRange{CIDR: cfg.WhitelistSourceRange}, parser.ErrMissingAnnotations } val, err := parser.GetStringAnnotation(whitelist, ing) if err != nil { return &SourceRange{CIDR: cfg.WhitelistSourceRange}, err } values := strings.Split(val, ",") ipnets, err := sets.ParseIPNets(values...) if err != nil { return &SourceRange{CIDR: cfg.WhitelistSourceRange}, ErrInvalidCIDR } cidrs := []string{} for k := range ipnets { cidrs = append(cidrs, k) } sort.Strings(cidrs) return &SourceRange{cidrs}, nil }
// GetIntAnnotation ... func GetIntAnnotation(name string, ing *extensions.Ingress) (int, error) { if ing == nil || ing.GetAnnotations() == nil { return 0, ErrMissingAnnotations } if name == "" { return 0, ErrInvalidName } return ingAnnotations(ing.GetAnnotations()).parseInt(name) }
// GetBoolAnnotation ... func GetBoolAnnotation(name string, ing *extensions.Ingress) (bool, error) { if ing == nil || ing.GetAnnotations() == nil { return false, ErrMissingAnnotations } if name == "" { return false, ErrInvalidName } return ingAnnotations(ing.GetAnnotations()).parseBool(name) }
// ParseAnnotations parses the annotations contained in the ingress // rule used to limit access to certain client addresses or networks. // Multiple ranges can specified using commas as separator // e.g. `18.0.0.0/8,56.0.0.0/8` func ParseAnnotations(whiteList []string, ing *extensions.Ingress) (*SourceRange, error) { if ing.GetAnnotations() == nil { return &SourceRange{whiteList}, ErrMissingWhitelist } wl, err := ingAnnotations(ing.GetAnnotations()).whitelist() if err != nil { wl = whiteList } return &SourceRange{wl}, err }
// ParseAnnotations parses the annotations contained in the ingress // rule used to indicate if is required to configure func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (bool, error) { if ing.GetAnnotations() == nil { return false, parser.ErrMissingAnnotations } if len(ing.Spec.TLS) == 0 { return false, fmt.Errorf("ingres rule %v/%v does not contains a TLS section", ing.Name, ing.Namespace) } return parser.GetBoolAnnotation(passthrough, ing) }
// ParseAnnotations parses the annotations contained in the ingress // rule used to rewrite the defined paths func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*Redirect, error) { if ing.GetAnnotations() == nil { return &Redirect{}, errors.New("no annotations present") } sslRe, err := parser.GetBoolAnnotation(sslRedirect, ing) if err != nil { sslRe = cfg.SSLRedirect } rt, _ := parser.GetStringAnnotation(rewriteTo, ing) abu, _ := parser.GetBoolAnnotation(addBaseURL, ing) return &Redirect{ Target: rt, AddBaseURL: abu, SSLRedirect: sslRe, }, nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to rewrite the defined paths func ParseAnnotations(cfg config.Configuration, ing *extensions.Ingress) (*Redirect, error) { if ing.GetAnnotations() == nil { return &Redirect{}, errors.New("no annotations present") } annotations := ingAnnotations(ing.GetAnnotations()) sslRe, err := annotations.sslRedirect() if err != nil { sslRe = cfg.SSLRedirect } rt := annotations.rewriteTo() abu := annotations.addBaseURL() return &Redirect{ Target: rt, AddBaseURL: abu, SSLRedirect: sslRe, }, nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to use an external URL as source for authentication func ParseAnnotations(ing *extensions.Ingress) (External, error) { if ing.GetAnnotations() == nil { return External{}, parser.ErrMissingAnnotations } str, err := parser.GetStringAnnotation(authURL, ing) if err != nil { return External{}, err } if str == "" { return External{}, fmt.Errorf("an empty string is not a valid URL") } ur, err := url.Parse(str) if err != nil { return External{}, err } if ur.Scheme == "" { return External{}, fmt.Errorf("url scheme is empty") } if ur.Host == "" { return External{}, fmt.Errorf("url host is empty") } if strings.Contains(ur.Host, "..") { return External{}, fmt.Errorf("invalid url host") } m, _ := parser.GetStringAnnotation(authMethod, ing) if len(m) != 0 && !validMethod(m) { return External{}, fmt.Errorf("invalid HTTP method") } sb, _ := parser.GetBoolAnnotation(authBody, ing) return External{ URL: str, Method: m, SendBody: sb, }, nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to use an external URL as source for authentication func ParseAnnotations(ing *extensions.Ingress, fn func(secret string) (*SSLCert, error)) (*SSLCert, error) { if ing.GetAnnotations() == nil { return &SSLCert{}, parser.ErrMissingAnnotations } str, err := parser.GetStringAnnotation(authTLSSecret, ing) if err != nil { return &SSLCert{}, err } if str == "" { return &SSLCert{}, fmt.Errorf("an empty string is not a valid secret name") } _, _, err = k8s.ParseNameNS(str) if err != nil { return &SSLCert{}, err } return fn(str) }
// ParseAnnotations parses the annotations contained in the ingress // rule used to use an external URL as source for authentication func ParseAnnotations(ing *extensions.Ingress) (Auth, error) { if ing.GetAnnotations() == nil { return Auth{}, ErrMissingAnnotations } str, err := ingAnnotations(ing.GetAnnotations()).url() if err != nil { return Auth{}, err } if str == "" { return Auth{}, fmt.Errorf("an empty string is not a valid URL") } ur, err := url.Parse(str) if err != nil { return Auth{}, err } if ur.Scheme == "" { return Auth{}, fmt.Errorf("url scheme is empty") } if ur.Host == "" { return Auth{}, fmt.Errorf("url host is empty") } if strings.Index(ur.Host, "..") != -1 { return Auth{}, fmt.Errorf("invalid url host") } m := ingAnnotations(ing.GetAnnotations()).method() if len(m) != 0 && !validMethod(m) { return Auth{}, fmt.Errorf("invalid HTTP method") } sb := ingAnnotations(ing.GetAnnotations()).sendBody() return Auth{ URL: str, Method: m, SendBody: sb, }, nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to configure upstream check parameters func ParseAnnotations(cfg config.Configuration, ing *extensions.Ingress) *Upstream { if ing.GetAnnotations() == nil { return &Upstream{cfg.UpstreamMaxFails, cfg.UpstreamFailTimeout} } mf, err := ingAnnotations(ing.GetAnnotations()).maxFails() if err != nil { mf = cfg.UpstreamMaxFails } ft, err := ingAnnotations(ing.GetAnnotations()).failTimeout() if err != nil { ft = cfg.UpstreamFailTimeout } return &Upstream{mf, ft} }
// ParseAnnotations parses the annotations contained in the ingress // rule used to add authentication in the paths defined in the rule // and generated an htpasswd compatible file to be used as source // during the authentication process func ParseAnnotations(ing *extensions.Ingress, authDir string, fn func(string) (*api.Secret, error)) (*BasicDigest, error) { if ing.GetAnnotations() == nil { return &BasicDigest{}, parser.ErrMissingAnnotations } at, err := parser.GetStringAnnotation(authType, ing) if err != nil { return &BasicDigest{}, err } if !authTypeRegex.MatchString(at) { return &BasicDigest{}, ErrInvalidAuthType } s, err := parser.GetStringAnnotation(authSecret, ing) if err != nil { return &BasicDigest{}, err } secret, err := fn(fmt.Sprintf("%v/%v", ing.Namespace, s)) if err != nil { return &BasicDigest{}, err } realm, _ := parser.GetStringAnnotation(authRealm, ing) passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName()) err = dumpSecret(passFile, secret) if err != nil { return &BasicDigest{}, err } return &BasicDigest{ Type: at, Realm: realm, File: passFile, Secured: true, }, nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to add authentication in the paths defined in the rule // and generated an htpasswd compatible file to be used as source // during the authentication process func ParseAnnotations(kubeClient client.Interface, ing *extensions.Ingress, authDir string) (*Nginx, error) { if ing.GetAnnotations() == nil { return &Nginx{}, ErrMissingAnnotations } at, err := ingAnnotations(ing.GetAnnotations()).authType() if err != nil { return &Nginx{}, err } s, err := ingAnnotations(ing.GetAnnotations()).secretName() if err != nil { return &Nginx{}, err } secret, err := kubeClient.Secrets(ing.Namespace).Get(s) if err != nil { return &Nginx{}, err } realm := ingAnnotations(ing.GetAnnotations()).realm() passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName()) err = dumpSecret(passFile, secret) if err != nil { return &Nginx{}, err } return &Nginx{ Type: at, Realm: realm, File: passFile, Secured: true, }, nil }