8000 Improve VirtualServer/VirtualServerRoute warnings for policies by pleshakov · Pull Request #1322 · nginx/kubernetes-ingress · GitHub
Merged
54 changes: 22 additions & 32 deletions internal/configs/virtualserver.go
Expand Up @@ -673,13 +673,13 @@ func (p *policiesCfg) addRateLimitConfig(
} else {
curOptions := generateLimitReqOptions(rateLimit)
if curOptions.DryRun != p.LimitReqOptions.DryRun {
res.addWarningf("RateLimit policy %q with limit request option dryRun=%v is overridden to dryRun=%v by the first policy reference in this context", polKey, curOptions.DryRun, p.LimitReqOptions.DryRun)
res.addWarningf("RateLimit policy %s with limit request option dryRun='%v' is overridden to dryRun='%v' by the first policy reference in this context", polKey, curOptions.DryRun, p.LimitReqOptions.DryRun)
}
if curOptions.LogLevel != p.LimitReqOptions.LogLevel {
res.addWarningf("RateLimit policy %q with limit request option logLevel=%v is overridden to logLevel=%v by the first policy reference in this context", polKey, curOptions.LogLevel, p.LimitReqOptions.LogLevel)
res.addWarningf("RateLimit policy %s with limit request option logLevel='%v' is overridden to logLevel='%v' by the first policy reference in this context", polKey, curOptions.LogLevel, p.LimitReqOptions.LogLevel)
}
if curOptions.RejectCode != p.LimitReqOptions.RejectCode {
res.addWarningf("RateLimit policy %q with limit request option rejectCode=%v is overridden to rejectCode=%v by the first policy reference in this context", polKey, curOptions.RejectCode, p.LimitReqOptions.RejectCode)
res.addWarningf("RateLimit policy %s with limit request option rejectCode='%v' is overridden to rejectCode='%v' by the first policy reference in this context", polKey, curOptions.RejectCode, p.LimitReqOptions.RejectCode)
}
}
return res
Expand All @@ -693,7 +693,7 @@ func (p *policiesCfg) addJWTAuthConfig(
) *validationResults {
res := newValidationResults()
if p.JWTAuth != nil {
res.addWarningf("Multiple jwt policies in the same context is not valid. JWT policy %q will be ignored", polKey)
res.addWarningf("Multiple jwt policies in the same context is not valid. JWT policy %s will be ignored", polKey)
return res
}

Expand All @@ -704,11 +704,11 @@ func (p *policiesCfg) addJWTAuthConfig(
secretType = secretRef.Secret.Type
}
if secretType != "" && secretType != secrets.SecretTypeJWK {
res.addWarningf("JWT policy %q references a Secret of an incorrect type %q", polKey, secretType)
res.addWarningf("JWT policy %s references a secret %s of a wrong type '%s', must be '%s'", polKey, jwtSecretKey, secretType, secrets.SecretTypeJWK)
res.isError = true
return res
} else if secretRef.Error != nil {
res.addWarningf("JWT policy %q references an invalid Secret: %v", polKey, secretRef.Error)
res.addWarningf("JWT policy %s references an invalid secret %s: %v", polKey, jwtSecretKey, secretRef.Error)
res.isError = true
return res
}
Expand All @@ -731,17 +731,17 @@ func (p *policiesCfg) addIngressMTLSConfig(
) *validationResults {
res := newValidationResults()
if !tls {
res.addWarningf("TLS configuration needed for IngressMTLS policy")
res.addWarningf("TLS must be enabled in VirtualServer for IngressMTLS policy %s", polKey)
res.isError = true
return res
}
if context != specContext {
res.addWarningf("IngressMTLS policy is not allowed in the %v context", context)
res.addWarningf("IngressMTLS policy %s is not allowed in the %v context", polKey, context)
res.isError = true
return res
}
if p.IngressMTLS != nil {
res.addWarningf("Multiple ingressMTLS policies are not allowed. IngressMTLS policy %q will be ignored", polKey)
res.addWarningf("Multiple ingressMTLS policies are not allowed. IngressMTLS policy %s will be ignored", polKey)
return res
}

Expand All @@ -752,11 +752,11 @@ func (p *policiesCfg) addIngressMTLSConfig(
secretType = secretRef.Secret.Type
}
if secretType != "" && secretType != secrets.SecretTypeCA {
res.addWarningf("IngressMTLS policy %q references a Secret of an incorrect type %q", polKey, secretType)
res.addWarningf("IngressMTLS policy %s references a secret %s of a wrong type '%s', must be '%s'", polKey, secretKey, secretType, secrets.SecretTypeCA)
res.isError = true
return res
} else if secretRef.Error != nil {
res.addWarningf("IngressMTLS policy %q references an invalid Secret: %v", polKey, secretRef.Error)
res.addWarningf("IngressMTLS policy %q references an invalid secret %s: %v", polKey, secretKey, secretRef.Error)
res.isError = true
return res
}
Expand Down Expand Up @@ -787,7 +787,7 @@ func (p *policiesCfg) addEgressMTLSConfig(
res := newValidationResults()
if p.EgressMTLS != nil {
res.addWarningf(
"Multiple egressMTLS policies in the same context is not valid. EgressMTLS policy %q will be ignored",
"Multiple egressMTLS policies in the same context is not valid. EgressMTLS policy %s will be ignored",
polKey,
)
return res
Expand All @@ -804,11 +804,11 @@ func (p *policiesCfg) addEgressMTLSConfig(
secretType = secretRef.Secret.Type
}
if secretType != "" && secretType != api_v1.SecretTypeTLS {
res.addWarningf("EgressMTLS policy %q references a Secret of an incorrect type %q", polKey, secretType)
res.addWarningf("EgressMTLS policy %s references a secret %s of a wrong type '%s', must be '%s'", polKey, egressTLSSecret, secretType, api_v1.SecretTypeTLS)
res.isError = true
return res
} else if secretRef.Error != nil {
res.addWarningf("EgressMTLS policy %q references an invalid Secret: %v", polKey, secretRef.Error)
res.addWarningf("EgressMTLS policy %s references an invalid secret %s: %v", polKey, egressTLSSecret, secretRef.Error)
res.isError = true
return res
}
Expand All @@ -827,11 +827,11 @@ func (p *policiesCfg) addEgressMTLSConfig(
secretType = secretRef.Secret.Type
}
if secretType != "" && secretType != secrets.SecretTypeCA {
res.addWarningf("EgressMTLS policy %q references a Secret of an incorrect type %q", polKey, secretType)
res.addWarningf("EgressMTLS policy %s references a secret %s of a wrong type '%s', must be '%s'", polKey, trustedCertSecret, secretType, secrets.SecretTypeCA)
res.isError = true
return res
} else if secretRef.Error != nil {
res.addWarningf("EgressMTLS policy %q references an invalid Secret: %v", polKey, secretRef.Error)
res.addWarningf("EgressMTLS policy %s references an invalid secret %s: %v", polKey, trustedCertSecret, secretRef.Error)
res.isError = true
return res
}
Expand Down Expand Up @@ -864,7 +864,7 @@ func (p *policiesCfg) addOIDCConfig(
res := newValidationResults()
if p.OIDC {
res.addWarningf(
"Multiple oidc policies in the same context is not valid. OIDC policy %q will be ignored",
"Multiple oidc policies in the same context is not valid. OIDC policy %s will be ignored",
polKey,
)
return res
Expand All @@ -873,7 +873,7 @@ func (p *policiesCfg) addOIDCConfig(
if oidcPolCfg.oidc != nil {
if oidcPolCfg.key != polKey {
res.addWarningf(
"Only one OIDC policy is allowed in a VirtualServer and its VirtualServerRoutes. Can't use %q. Use %q",
"Only one oidc policy is allowed in a VirtualServer and its VirtualServerRoutes. Can't use %s. Use %s",
polKey,
oidcPolCfg.key,
)
8000 Expand All @@ -882,33 +882,23 @@ func (p *policiesCfg) addOIDCConfig(
}
} else {
secretKey := fmt.Sprintf("%v/%v", polNamespace, oidc.ClientSecret)
secretRef, exists := secretRefs[secretKey]
if !exists {
res.addWarningf("OIDC policy %q references a non-existent Secret %v", polKey, secretKey)
res.isError = true
return res
}
secretRef := secretRefs[secretKey]

var secretType api_v1.SecretType
if secretRef.Secret != nil {
secretType = secretRef.Secret.Type
}
if secretType != "" && secretType != secrets.SecretTypeOIDC {
res.addWarningf("OIDC policy %q references a Secret of an incorrect type %q", polKey, secretType)
res.addWarningf("OIDC policy %s references a secret %s of a wrong type '%s', must be '%s'", polKey, secretKey, secretType, secrets.SecretTypeOIDC)
res.isError = true
return res
} else if secretRef.Error != nil {
res.addWarningf("OIDC policy %q references an invalid Secret: %v", polKey, secretRef.Error)
res.addWarningf("OIDC policy %s references an invalid secret %s: %v", polKey, secretKey, secretRef.Error)
res.isError = true
return res
}

clientSecret, exists := secretRef.Secret.Data[ClientSecretKey]
if !exists {
res.addWarningf("OIDC policy %q references a Secret without the data field %v", polKey, ClientSecretKey)
res.isError = true
return res
}
clientSecret := secretRef.Secret.Data[ClientSecretKey]

redirectURI := oidc.RedirectURI
if redirectURI == "" {
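Review bot: In the last hunk (addOIDCConfig), dropping both `exists` checks leaves `clientSecret := secretRef.Secret.Data[ClientSecretKey]` reachable with a nil `secretRef.Secret`: the guard above it returns only when the type is wrong or `secretRef.Error` is set, so a missing `secretRefs` entry, or a reference carrying neither a Secret nor an Error, would panic instead of producing a warning. A Secret that lacks the `ClientSecretKey` field would presumably now flow on as an empty client secret rather than being rejected; the rest of the function lies outside the hunk, so this is inferred. If the callers and the secret store guarantee both invariants, state that at the lookup, e.g. `// secretRefs holds an entry for every referenced secret; the store has already validated ClientSecretKey`; otherwise keep a nil check before the dereference that sets `res.isError = true` and returns. Separately, the IngressMTLS invalid-secret message still formats polKey with `%q` while every other message in this change uses `%s`.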