7356c4f40f
Lua: Extract external auth into file. ( #12250 )
...
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
2024-10-29 13:22:54 +00:00
7b4e4e2fa1
Enable security features by default ( #11819 )
2024-08-23 04:45:51 +01:00
6807537a70
upgrade go 1.21.5 ( #10732 )
...
* upgrade go 1.21.5
Signed-off-by: James Strong <strong.james.e@gmail.com>
* update golang gha
Signed-off-by: James Strong <strong.james.e@gmail.com>
* supgrade golang lint ci to v1.55.2
* sfix all golang lint ci errors
* sget a nginx build as well
* srevert some e2e changes
* srevert some e2e changes
---------
Signed-off-by: James Strong <strong.james.e@gmail.com>
2023-12-08 01:52:14 +01:00
cf889c6c47
Disable user snippets per default ( #10393 )
...
* Disable user snippets per default
* Enable snippet on tests
2023-09-10 20:02:10 -07:00
b3060bfbd0
Fix golangci-lint errors ( #10196 )
...
* Fix golangci-lint errors
Signed-off-by: z1cheng <imchench@gmail.com>
* Fix dupl errors
Signed-off-by: z1cheng <imchench@gmail.com>
* Fix comments
Signed-off-by: z1cheng <imchench@gmail.com>
* Fix errcheck lint errors
Signed-off-by: z1cheng <imchench@gmail.com>
* Fix assert in e2e test
Signed-off-by: z1cheng <imchench@gmail.com>
* Not interrupt the waitForPodsReady
Signed-off-by: z1cheng <imchench@gmail.com>
* Replace string with constant
Signed-off-by: z1cheng <imchench@gmail.com>
* Fix comments
Signed-off-by: z1cheng <imchench@gmail.com>
* Revert write file permision
Signed-off-by: z1cheng <imchench@gmail.com>
---------
Signed-off-by: z1cheng <imchench@gmail.com>
2023-08-31 00:36:48 -07:00
5d8185c9d7
Handle request_id variable correctly in auth requests ( #9219 )
...
* Handle $request_id variable correctly in auth requests
* Make share_all_vars configurable
* Fix test name
2023-08-07 06:16:32 -07:00
60bf6ba642
chore: move httpbun to be part of framework ( #9955 )
...
Signed-off-by: Spazzy <brendankamp757@gmail.com>
2023-06-12 03:25:49 -07:00
0bdb64373c
chore: update httpbin to httpbun ( #9919 )
...
Signed-off-by: Spazzy <brendankamp757@gmail.com>
2023-05-10 07:43:02 -07:00
66a760794f
update to golang 1.20 ( #9690 )
...
update alpine and golang
remove nano
update go modules
remove need for openssl external cli
fix stale
Signed-off-by: James Strong <james.strong@chainguard.dev>
2023-03-11 20:38:39 -08:00
01c9a2bf25
Revert Implement pathType validation ( #9511 ) ( #9607 )
...
Signed-off-by: James Strong <strong.james.e@gmail.com>
2023-02-12 22:57:29 -08:00
d1af3b5cca
Add CORS template check inside location for externalAuth.SignURL ( #8814 )
...
* Add CORS template check inside location for externalAuth.SignURL
* Add testcase for CORS header for auth-signin redirect with CORS enabled.
2023-01-19 06:58:36 -08:00
3aa53aaf5b
fix: missing CORS headers when auth fails ( #9251 )
2022-12-04 17:49:01 -08:00
5b0cc8edca
migrate ginkgo to v2 ( #8826 )
...
* Migrate ginkgo to v2
* Update test/e2e/annotations/ipwhitelist.go
Co-authored-by: Jintao Zhang <tao12345666333@163.com>
* Update test/e2e/annotations/modsecurity/modsecurity.go
Co-authored-by: Jintao Zhang <tao12345666333@163.com>
* Update test/e2e/settings/access_log.go
Co-authored-by: Jintao Zhang <tao12345666333@163.com>
* remove unnecessary blank line
* re-order packages
* less change
Co-authored-by: Jintao Zhang <tao12345666333@163.com>
2022-07-31 09:16:28 -07:00
2c27e66cc7
feat: always set auth cookie ( #8213 )
...
* feat: always set auth cookie
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
* feat: Add annotation to always set auth cookie
* Add annotation
* Add global configmap key
* Provide unit tests and e2e tests
* Fix e2e documentation autogen script
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
* Regenerate e2e tests
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2022-05-19 15:27:53 -07:00
83ce21b4dd
Add keepalive support for auth requests ( #8219 )
...
* Add keepalive support for auth requests
* Fix typo
* Address PR comments
* Log warning when auth-url contains variable in its host:port
* Generate upstream name without replacing dots to underscores in server name
* Add comment in the nginx template when the keepalive upstream block is referenced
* Workaround for auth_request module ignores keepalive in upstream block
* The `auth_request` module does not support HTTP keepalives in upstream block:
https://trac.nginx.org/nginx/ticket/1579
* As a workaround we use ngx.location.capture but unfortunately it does not
support HTTP/2 so `use-http2` configuration parameter is needed.
* Handle PR comments
* Address PR comments
* Handle invalid values for int parameters
* Handle PR comments
* Fix e2e test
2022-04-08 20:22:04 -07:00
1e2ce80846
fix: deny locations with invalid auth-url annotation ( #8256 )
...
* fix: deny locations with invalid auth-url annotation
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
* Delete duplicate test
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2022-03-01 02:13:51 -08:00
90c79689c4
Release v1 ( #7470 )
...
* Drop v1beta1 from ingress nginx (#7156 )
* Drop v1beta1 from ingress nginx
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* Fix intorstr logic in controller
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* fixing admission
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* more intorstr fixing
* correct template rendering
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* Fix e2e tests for v1 api
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* Fix gofmt errors
* This is finally working...almost there...
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* Re-add removed validation of AdmissionReview
* Prepare for v1.0.0-alpha.1 release
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* Update changelog and matrix table for v1.0.0-alpha.1 (#7274 )
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* add docs for syslog feature (#7219 )
* Fix link to e2e-tests.md in developer-guide (#7201 )
* Use ENV expansion for namespace in args (#7146 )
Update the DaemonSet namespace references to use the `POD_NAMESPACE` environment variable in the same way that the Deployment does.
* chart: using Helm builtin capabilities check (#7190 )
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
* Update proper default value for HTTP2MaxConcurrentStreams in Docs (#6944 )
It should be 128 as documented in https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L780
* Fix MaxWorkerOpenFiles calculation on high cores nodes (#7107 )
* Fix MaxWorkerOpenFiles calculation on high cores nodes
* Add e2e test for rlimit_nofile
* Fix doc for max-worker-open-files
* ingress/tcp: add additional error logging on failed (#7208 )
* Add file containing stable release (#7313 )
* Handle named (non-numeric) ports correctly (#7311 )
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
* Updated v1beta1 to v1 as its deprecated (#7308 )
* remove mercurial from build (#7031 )
* Retry to download maxmind DB if it fails (#7242 )
* Retry to download maxmind DB if it fails.
Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>
* Add retries count arg, move retry logic into DownloadGeoLite2DB function
Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>
* Reorder parameters in DownloadGeoLite2DB
Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>
* Remove hardcoded value
Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com>
* Release v1.0.0-alpha.1
* Add changelog for v1.0.0-alpha.2
* controller: ignore non-service backends (#7332 )
* controller: ignore non-service backends
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
* update per feedback
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
* fix: allow scope/tcp/udp configmap namespace to altered (#7161 )
* Lower webhook timeout for digital ocean (#7319 )
* Lower webhook timeout for digital ocean
* Set Digital Ocean value controller.admissionWebhooks.timeoutSeconds to 29
* update OWNERS and aliases files (#7365 ) (#7366 )
Signed-off-by: Carlos Panato <ctadeu@gmail.com>
* Downgrade Lua modules for s390x (#7355 )
Downgrade Lua modules to last known working version.
* Fix IngressClass logic for newer releases (#7341 )
* Fix IngressClass logic for newer releases
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* Change e2e tests for the new IngressClass presence
* Fix chart and admission tests
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* Fix helm chart test
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
* Fix reviews
* Remove ingressclass code from admission
* update tag to v1.0.0-beta.1
* update readme and changelog for v1.0.0-beta.1
* Release v1.0.0-beta.1 - helm and manifests (#7422 )
* Change the order of annotation just to trigger a new helm release (#7425 )
* [cherry-pick] Add dev-v1 branch into helm releaser (#7428 )
* Add dev-v1 branch into helm releaser (#7424 )
* chore: add link for artifacthub.io/prerelease annotations
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
* k8s job ci pipeline for dev-v1 br v1.22.0 (#7453 )
* k8s job ci pipeline for dev-v1 br v1.22.0
Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>
* k8s job ci pipeline for dev-v1 br v1.21.2
Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>
* remove v1.21.1 version
Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com>
* Add controller.watchIngressWithoutClass config option (#7459 )
Signed-off-by: Akshit Grover <akshit.grover2016@gmail.com>
* Release new helm chart with certgen fixed (#7478 )
* Update go version, modules and remove ioutil
* Release new helm chart with certgen fixed
* changed appversion, chartversion, TAG, image (#7490 )
* Fix CI conflict
* Fix CI conflict
* Fix build.sh from rebase process
* Fix controller_test post rebase
Co-authored-by: Tianhao Guo <rggth09@gmail.com>
Co-authored-by: Ray <61553+rctay@users.noreply.github.com>
Co-authored-by: Bill Cassidy <cassid4@gmail.com>
Co-authored-by: Jintao Zhang <tao12345666333@163.com>
Co-authored-by: Sathish Ramani <rsathishx87@gmail.com>
Co-authored-by: Mansur Marvanov <nanorobocop@gmail.com>
Co-authored-by: Matt1360 <568198+Matt1360@users.noreply.github.com>
Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>
Co-authored-by: Kundan Kumar <kundan.kumar@india.nec.com>
Co-authored-by: Tom Hayward <thayward@infoblox.com>
Co-authored-by: Sergey Shakuto <sshakuto@infoblox.com>
Co-authored-by: Tore <tore.lonoy@gmail.com>
Co-authored-by: Bouke Versteegh <info@boukeversteegh.nl>
Co-authored-by: Shahid <shahid@us.ibm.com>
Co-authored-by: James Strong <strong.james.e@gmail.com>
Co-authored-by: Long Wu Yuan <longwuyuan@gmail.com>
Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com>
Co-authored-by: Neha Lohia <nehapithadiya444@gmail.com>
Co-authored-by: Akshit Grover <akshit.grover2016@gmail.com>
2021-08-21 13:42:00 -07:00
9a9ad47857
Fix forwarding of auth-response-headers to gRPC backends ( #7331 )
...
* add e2e test for auth-response-headers annotation
* add e2e test for grpc with auth-response-headers
* fix forwarding of auth header to GRPC backends
* add test case for proxySetHeader(nil)
2021-08-10 11:24:39 -07:00
e3a3ea8826
Merge pull request #6294 from ianbuss/auth-error-redirect-param
...
Allow customisation of redirect URL parameter in external auth redirects
2020-11-23 01:27:37 -08:00
8a218687e3
Enable external auth e2e tests
2020-11-12 22:33:31 -03:00
41cf628bdf
Add a configurable URL redirect parameter for error URLs
2020-10-08 12:53:46 +01:00
7fe5eccbc6
Rollback to Poll instead of PollImmediate
2020-08-20 20:50:51 -04:00
351248fabb
Fix wait times in e2e tests
2020-08-09 09:19:37 -04:00
a4ec5c8a88
Validate endpoints are ready in e2e tests
2020-07-21 09:53:03 -04:00
b392fed580
Test pull requests using github actions
2020-07-02 20:12:05 -04:00
7767230e6a
fix undefined variable $auth_cookie error when location is denied
...
(add) isLocationAllowed check before setting the cookie
2020-06-08 13:59:52 -04:00
a46126a034
Update client-go methods to support context and and new create and delete options
2020-03-27 19:52:51 -03:00
f9624cbe46
Refactor e2e tests to use testify y httpexpect
2020-02-19 19:42:50 -03:00
cc318cdec1
Cleanup and standardization of e2e test definitions ( #5090 )
2020-02-16 15:27:58 -03:00
71e35c9100
Make sure set-cookie is retained from external auth endpoint ( #5067 )
2020-02-14 01:41:11 -03:00
f9e2b7c14b
Fix status code
2020-01-04 13:23:16 -03:00
5c30820d1f
Remove hard-coded annotation and don't use map pointers
2019-12-13 03:05:20 -03:00
786a3b6862
Add support for configmap of headers to be sent to external auth service
2019-09-24 10:53:23 -04:00
376b862c23
Add annotation to support map of user/pass pairs in basic auth
2019-09-13 11:33:33 -04:00
c85450c1e7
Remove hard-coded names from e2e test and use local docker dependencies ( #4502 )
2019-09-01 14:16:52 -04:00
fcd3054f13
Lint code using staticcheck ( #4471 )
2019-08-23 12:08:40 -04:00
23504db770
feat: auth-req caching
...
add a way to configure the `proxy_cache_*` [1] directive for external-auth.
The user-defined cache_key may contain sensitive information
(e.g. Authorization header).
We want to store *only* a hash of that key, not the key itself on disk.
[1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2019-07-17 18:39:04 +02:00
5e249d3366
Refactor e2e tests to use the service ClusterIP
2019-02-24 20:04:07 -03:00
fdeeac3606
Wait for the right number of endpoints ( #3497 )
2018-11-30 20:17:18 -03:00
c3ff68e9ca
Adjust default timeout for e2e tests ( #3495 )
2018-11-30 18:55:53 -03:00
334c38255d
Fix flaky auth test
2018-11-30 10:18:52 -03:00
2f71c12add
Since dynamic mode only checking for 'return 503' is not valid anymore
2018-11-30 09:37:48 -03:00
a51136b863
Refactor assertions
2018-11-18 10:53:05 -03:00
b511333130
add support for auth-snippet annotation
...
add test for new auth-snippet annotation
document auth-snippet annotation
add e2e test for auth-snippet annotation
add log warning and update documentation
2018-11-05 16:02:29 -06:00
83dc4607c5
Remove e2e boilerplate
2018-10-29 22:38:15 -03:00
44a11898d8
Refactor e2e Tests to use common helper function
...
Each e2e test is creating the same(or similar) Ingress Resource in
different ways. This makes common ingress resource creation be
performed by a framework method, reducing code duplication
2018-10-09 11:12:11 -05:00
3ce0ad988f
Add e2e test for external auth
2018-07-21 16:22:48 +09:00
564f2a9fe4
Add retries to auth test checks
2018-05-26 16:27:45 -04:00
e224259e38
Resolves issue with proxy-redirect nginx configuration
...
Resolves an issue where the proxy-redirect annotations were not generating the
correct configuration possibly because of user error. This is done by only
setting the proxy_redirect if both proxy-redirect-from and proxy-redirect-to
have valid values. Also adds the e2e tests.
Fixes #2074
2018-05-17 11:22:31 -05:00
ff3e182350
Add support for grpc_set_header
2018-05-17 08:35:11 -04:00
Ricardo Katz
James Strong
Chen Chen
Gabor Lekeny
Brendan Kamp
Harpreet singh
Johannes Würbach
Lien Li
Maksim Nabokikh
Gabor Lekeny
Tom Hayward
Kubernetes Prow Robot
Manuel Alejandro de Brito Fontes
Ian Buss
Jeff Hui
A Gardner
Moritz Johner
Adnan Baruni
Fernando Diaz
takonomura