Added snippet check to transport server validation
soneillf5 committed Mar 10, 2021
1 parent 1ab1650 commit a165403
Showing 6 changed files with 57 additions and 8 deletions.
2 changes: 1 addition & 1 deletion cmd/nginx-ingress/main.go
@@ -604,7 +604,7 @@ func main() {
templateExecutorV2, *nginxPlus, isWildcardEnabled, plusCollector, *enablePrometheusMetrics, latencyCollector, *enableLatencyMetrics)
controllerNamespace := os.Getenv("POD_NAMESPACE")

transportServerValidator := cr_validation.NewTransportServerValidator(*enableTLSPassthrough)
transportServerValidator := cr_validation.NewTransportServerValidator(*enableTLSPassthrough, *enableSnippets)
virtualServerValidator := cr_validation.NewVirtualServerValidator(*nginxPlus)

lbcInput := k8s.NewLoadBalancerControllerInput{
@@ -3,6 +3,7 @@ kind: TransportServer
metadata:
name: dns-tcp
spec:
serverSnippets: "deny 192.168.123.123;"
listener:
name: dns-tcp
protocol: TCP
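Review bot: The added `serverSnippets: "deny 192.168.123.123;"` line makes this manifest depend on the snippets feature being enabled. With the validation added in this commit, a controller started without `enableSnippets` set rejects the whole TransportServer as Forbidden rather than ignoring the field. If this file is a shipped example (its path is not visible on this page, so that is an assumption), a comment above the field such as `# requires snippets to be enabled on the controller; otherwise this resource is rejected` would tell readers why the apply can fail.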
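--- a/internal/configs/transportserver.go
+++ b/internal/configs/transportserver.go
@@ -60,9 +60,6 @@ func generateTransportServerConfig(transportServerEx *TransportServerEx, listene
 }
 
 serverSnippets := generateSnippets(snippetsEnabled, transportServerEx.TransportServer.Spec.ServerSnippets, []string{})
-if !snippetsEnabled && (transportServerEx.TransportServer.Spec.ServerSnippets != "") {
-return nil, fmt.Errorf("snippet specified but snippets feature is not enabled")
-}
 
 statusZone := transportServerEx.TransportServer.Spec.Listener.Name
 if transportServerEx.TransportServer.Spec.Listener.Name == conf_v1alpha1.TLSPassthroughListenerName {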
3 changes: 2 additions & 1 deletion internal/k8s/configuration_test.go
@@ -22,6 +22,7 @@ func createTestConfiguration() *Configuration {
appProtectEnabled := false
internalRoutesEnabled := false
isTLSPassthroughEnabled := true
snippetsEnabled := true
return NewConfiguration(
lbc.HasCorrectIngressClass,
isPlus,
@@ -32,7 +33,7 @@ func createTestConfiguration() *Configuration {
80: true,
443: true,
}),
validation.NewTransportServerValidator(isTLSPassthroughEnabled),
validation.NewTransportServerValidator(isTLSPassthroughEnabled, snippetsEnabled),
isTLSPassthroughEnabled,
)
}
19 changes: 16 additions & 3 deletions pkg/apis/configuration/validation/transportserver.go
@@ -11,13 +11,15 @@ import (

// TransportServerValidator validates a TransportServer resource.
type TransportServerValidator struct {
tlsPassthrough bool
tlsPassthrough bool
snippetsEnabled bool
}

// NewTransportServerValidator creates a new TransportServerValidator.
func NewTransportServerValidator(tlsPassthrough bool) *TransportServerValidator {
func NewTransportServerValidator(tlsPassthrough bool, snippetsEnabled bool) *TransportServerValidator {
return &TransportServerValidator{
tlsPassthrough: tlsPassthrough,
tlsPassthrough: tlsPassthrough,
snippetsEnabled: snippetsEnabled,
}
}

@@ -48,6 +50,17 @@ func (tsv *TransportServerValidator) validateTransportServerSpec(spec *v1alpha1.
allErrs = append(allErrs, validateTransportServerAction(spec.Action, fieldPath.Child("action"), upstreamNames)...)
}

allErrs = append(allErrs, validateSnippets(spec.ServerSnippets, fieldPath.Child("serverSnippets"), tsv.snippetsEnabled)...)

return allErrs
}

func validateSnippets(serverSnippet string, fieldPath *field.Path, snippetsEnabled bool) field.ErrorList {
allErrs := field.ErrorList{}
if !snippetsEnabled && serverSnippet != "" {
return append(allErrs, field.Forbidden(fieldPath, "snippet specified but snippets feature is not enabled"))
}

return allErrs
}

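Review bot: `validateSnippets` in the second hunk has no doc comment, and nothing states that it gates only on the feature flag and never inspects the snippet text. With `snippetsEnabled` true, any string in `spec.serverSnippets` passes validation and is handed to `generateSnippets` in internal/configs/transportserver.go, so whoever may create TransportServer objects can supply raw NGINX directives. I would add `// validateSnippets rejects a non-empty serverSnippets value when the snippets feature is disabled. It does not validate snippet content.` above the function. This commit also removes the equivalent error from `generateTransportServerConfig`, which leaves this validator as the only rejection point visible here; whether `generateSnippets` drops the value when the flag is off is not shown on this page and is worth confirming. Minor: the parameter is named `serverSnippet` while the field is `serverSnippets`.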
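--- a/pkg/apis/configuration/validation/transportserver_test.go
+++ b/pkg/apis/configuration/validation/transportserver_test.go
@@ -206,6 +206,43 @@ func TestValidateTransportServerHost(t *testing.T) {
 }
 }
 
+func TestValidateTransportServerSnippet(t *testing.T) {
+tests := []struct {
+snippet string
+isSnippetsEnabled bool
+expectError bool
+}{
+{
+snippet: "",
+isSnippetsEnabled: false,
+expectError: false,
+},
+{
+snippet: "deny 192.168.1.1;",
+isSnippetsEnabled: false,
+expectError: true,
+},
+{
+snippet: "deny 192.168.1.1;",
+isSnippetsEnabled: true,
+expectError: false,
+},
+}
+
+for _, test := range tests {
+allErrs := validateSnippets(test.snippet, field.NewPath("serverSnippet"), test.isSnippetsEnabled)
+if test.expectError {
+if len(allErrs) < 1 {
+t.Errorf("validateSnippets(%q, %v) failed to return an error for invalid input", test.snippet, test.isSnippetsEnabled)
+}
+} else {
+if len(allErrs) > 0 {
+t.Errorf("validateSnippets(%q, %v) returned errors %v for valid input", test.snippet, test.isSnippetsEnabled, allErrs)
+}
+}
+}
+}
+
 func TestValidateTransportServerHostFails(t *testing.T) {
 tests := []struct {
 host string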
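Review bot: TestValidateTransportServerSnippet calls `validateSnippets` directly, so nothing here covers the wiring that actually enforces the gate: the `snippetsEnabled` field set by `NewTransportServerValidator` and the call from `validateTransportServerSpec`. If that call were dropped, this test would still pass and a TransportServer carrying a snippet would validate on a controller where snippets are disabled. I would add a case that builds the validator with `NewTransportServerValidator(false, false)` and asserts that a spec with `ServerSnippets` set yields a Forbidden error. The existing assertions check only `len(allErrs)`, and the test passes `field.NewPath("serverSnippet")` where the validator uses `serverSnippets`; asserting the error type and field path would pin the behaviour more tightly.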
