// ParseAnnotations parses the annotations contained in the ingress // rule used to limit access to certain client addresses or networks. // Multiple ranges can specified using commas as separator // e.g. `18.0.0.0/8,56.0.0.0/8` func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*SourceRange, error) { sort.Strings(cfg.WhitelistSourceRange) if ing.GetAnnotations() == nil { return &SourceRange{CIDR: cfg.WhitelistSourceRange}, parser.ErrMissingAnnotations } val, err := parser.GetStringAnnotation(whitelist, ing) if err != nil { return &SourceRange{CIDR: cfg.WhitelistSourceRange}, err } values := strings.Split(val, ",") ipnets, err := sets.ParseIPNets(values...) if err != nil { return &SourceRange{CIDR: cfg.WhitelistSourceRange}, ErrInvalidCIDR } cidrs := []string{} for k := range ipnets { cidrs = append(cidrs, k) } sort.Strings(cidrs) return &SourceRange{cidrs}, nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to configure upstream check parameters func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) *Configuration { if ing == nil || ing.GetAnnotations() == nil { return &Configuration{ cfg.ProxyConnectTimeout, cfg.ProxySendTimeout, cfg.ProxyReadTimeout, cfg.ProxyBufferSize, } } ct, err := parser.GetIntAnnotation(connect, ing) if err != nil { ct = cfg.ProxyConnectTimeout } st, err := parser.GetIntAnnotation(send, ing) if err != nil { st = cfg.ProxySendTimeout } rt, err := parser.GetIntAnnotation(read, ing) if err != nil { rt = cfg.ProxyReadTimeout } bs, err := parser.GetStringAnnotation(bufferSize, ing) if err != nil || bs == "" { bs = cfg.ProxyBufferSize } return &Configuration{ct, st, rt, bs} }
// ParseAnnotations parses the annotations contained in the ingress // rule used to use an external URL as source for authentication func ParseAnnotations(ing *extensions.Ingress) (External, error) { if ing.GetAnnotations() == nil { return External{}, parser.ErrMissingAnnotations } str, err := parser.GetStringAnnotation(authURL, ing) if err != nil { return External{}, err } if str == "" { return External{}, fmt.Errorf("an empty string is not a valid URL") } ur, err := url.Parse(str) if err != nil { return External{}, err } if ur.Scheme == "" { return External{}, fmt.Errorf("url scheme is empty") } if ur.Host == "" { return External{}, fmt.Errorf("url host is empty") } if strings.Contains(ur.Host, "..") { return External{}, fmt.Errorf("invalid url host") } m, _ := parser.GetStringAnnotation(authMethod, ing) if len(m) != 0 && !validMethod(m) { return External{}, fmt.Errorf("invalid HTTP method") } sb, _ := parser.GetBoolAnnotation(authBody, ing) return External{ URL: str, Method: m, SendBody: sb, }, nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to add authentication in the paths defined in the rule // and generated an htpasswd compatible file to be used as source // during the authentication process func ParseAnnotations(ing *extensions.Ingress, authDir string, fn func(string) (*api.Secret, error)) (*BasicDigest, error) { if ing.GetAnnotations() == nil { return &BasicDigest{}, parser.ErrMissingAnnotations } at, err := parser.GetStringAnnotation(authType, ing) if err != nil { return &BasicDigest{}, err } if !authTypeRegex.MatchString(at) { return &BasicDigest{}, ErrInvalidAuthType } s, err := parser.GetStringAnnotation(authSecret, ing) if err != nil { return &BasicDigest{}, err } secret, err := fn(fmt.Sprintf("%v/%v", ing.Namespace, s)) if err != nil { return &BasicDigest{}, err } realm, _ := parser.GetStringAnnotation(authRealm, ing) passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName()) err = dumpSecret(passFile, secret) if err != nil { return &BasicDigest{}, err } return &BasicDigest{ Type: at, Realm: realm, File: passFile, Secured: true, }, nil }
// ParseAnnotations parses the annotations contained in the ingress // rule used to rewrite the defined paths func ParseAnnotations(cfg defaults.Backend, ing *extensions.Ingress) (*Redirect, error) { if ing.GetAnnotations() == nil { return &Redirect{}, errors.New("no annotations present") } sslRe, err := parser.GetBoolAnnotation(sslRedirect, ing) if err != nil { sslRe = cfg.SSLRedirect } rt, _ := parser.GetStringAnnotation(rewriteTo, ing) abu, _ := parser.GetBoolAnnotation(addBaseURL, ing) return &Redirect{ Target: rt, AddBaseURL: abu, SSLRedirect: sslRe, }, nil }
// secrReferenced checks if a secret is referenced or not by one or more Ingress rules func (ic *GenericController) secrReferenced(name, namespace string) bool { for _, ingIf := range ic.ingLister.Store.List() { ing := ingIf.(*extensions.Ingress) str, err := parser.GetStringAnnotation("ingress.kubernetes.io/auth-tls-secret", ing) if err == nil && str == fmt.Sprintf("%v/%v", namespace, name) { return true } if ing.Namespace != namespace { continue } for _, tls := range ing.Spec.TLS { if tls.SecretName == name { return true } } } return false }
// ParseAnnotations parses the annotations contained in the ingress // rule used to use an external URL as source for authentication func ParseAnnotations(ing *extensions.Ingress, fn func(secret string) (*SSLCert, error)) (*SSLCert, error) { if ing.GetAnnotations() == nil { return &SSLCert{}, parser.ErrMissingAnnotations } str, err := parser.GetStringAnnotation(authTLSSecret, ing) if err != nil { return &SSLCert{}, err } if str == "" { return &SSLCert{}, fmt.Errorf("an empty string is not a valid secret name") } _, _, err = k8s.ParseNameNS(str) if err != nil { return &SSLCert{}, err } return fn(str) }