Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use whitelist-source-range from configmap when no annotation on ingress. #517

Merged
merged 1 commit into from
Mar 29, 2017
Merged

Use whitelist-source-range from configmap when no annotation on ingress. #517

merged 1 commit into from
Mar 29, 2017

Conversation

ashb
Copy link
Contributor

@ashb ashb commented Mar 28, 2017

Even though we were returning a SourceRange it was being ignored because we were also returning an error. Detect the case (and add tests) when the annotation is not present and use the BackendConfig in that case.

fixes #473
fixes #312

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 28, 2017
@k8s-reviewable
Copy link

This change is Reviewable

@coveralls
Copy link

Coverage Status

Coverage decreased (-0.04%) to 43.854% when pulling 5ba8475 on ashb:nginx-configmap-ipwhitelist into 0aaffc9 on kubernetes:master.

@@ -56,8 +56,16 @@ func (a ipwhitelist) Parse(ing *extensions.Ingress) (interface{}, error) {
sort.Strings(defBackend.WhitelistSourceRange)

val, err := parser.GetStringAnnotation(whitelist, ing)
if err != nil {
return &SourceRange{CIDR: defBackend.WhitelistSourceRange}, err
// A missing annotation is not a problem, just use the default
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please change all this section to something like

	if err == ing_errors.ErrMissingAnnotations {
		return &SourceRange{CIDR: defBackend.WhitelistSourceRange}, nil
	}

Copy link
Contributor Author

@ashb ashb Mar 29, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean get rid of the else if err != nil block?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated (and force pushed since it's such a small change)

Even though we were returning a SourceRange it was being ignored because
we were also returning an error. Detect the case (and add tests) when
the annotation is not present and use the BackendConfig in that case.

Fixes #473.
@aledbf aledbf self-assigned this Mar 29, 2017
@aledbf
Copy link
Member

aledbf commented Mar 29, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 29, 2017
@coveralls
Copy link

Coverage Status

Coverage increased (+0.009%) to 43.875% when pulling 6ac7a12 on ashb:nginx-configmap-ipwhitelist into 39feaf1 on kubernetes:master.

@aledbf aledbf merged commit e385c05 into kubernetes:master Mar 29, 2017
@aledbf
Copy link
Member

aledbf commented Mar 29, 2017

@ashb thanks!

@ashb ashb deleted the nginx-configmap-ipwhitelist branch March 29, 2017 12:34
return &SourceRange{CIDR: defBackend.WhitelistSourceRange}, err
// A missing annotation is not a problem, just use the default
if err == ing_errors.ErrMissingAnnotations {
return &SourceRange{CIDR: defBackend.WhitelistSourceRange}, nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this broke my annotation "ingress.kubernetes.io/whitelist-source-range", should this return &SourceRange{CIDR: defBackend.WhitelistSourceRange}, err ?

#558

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

&SourceRange{CIDR: defBackend.WhitelistSourceRange}, err is what it used to return, and the value was ignored because of the error, so I don't think so. But I'm not sure what's causing the issue.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gianrubio this error is returned only when there is no annotation. Can you run the controller with --v=3?

Copy link
Contributor

@gianrubio gianrubio Apr 6, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aledbf @ashb This code fix my issue, sorry but I'm not sure if it's easy to read

if err != nil{
		if err == ing_errors.ErrMissingAnnotations &&
			len(defBackend.WhitelistSourceRange) > 0 {
			return &SourceRange{CIDR: defBackend.WhitelistSourceRange}, nil
		}
		return &SourceRange{CIDR: defBackend.WhitelistSourceRange}, err
	}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gianrubio That seems like an odd fix because the template already has that exact conditional https://github.com/kubernetes/ingress/blob/7ca7652ab26e1a5775f3066f53f28d5ea5eb3bb7/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl#L285:

            {{ if gt (len $location.Whitelist.CIDR) 0 }}
            {{ range $ip := $location.Whitelist.CIDR }}
            allow {{ $ip }};{{ end }}
            deny all;
            {{ end }}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ashb I was wrong, the issue is related to 8552351 #527

@jcmoraisjr could you help me?

Why are you doing this if we already mergeLocationAnnotations on https://github.com/kubernetes/ingress/blob/8552351af0d5b919fd581c978c1c211b02006443/core/pkg/ingress/controller/controller.go#L667:L679

// Add annotations to location of default backend (root context)
			if len(server.Locations) > 0 {
				loc := server.Locations[0]
				mergeLocationAnnotations(loc, anns)
			}

This is breaking #558

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@gianrubio Those mergeLocationAnnotations doesn't configure the implicit default backend without an explicit path. This is used eg by app-root. I can fix this issue rewriting #527 in a proper way - merging only annotations that are relevant to the root context. I can create another PR in a couple of hours. And sorry about the mess.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No worries :) Let me know when you fix so I can test before merging

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

ConfigMap setting whitelist-source-ranges doesn't work
7 participants