Ability to use "X-Forwarded-For" as a source of IP for white list.

2018-03-23 17:40:04 +01:00 · 2018-03-23 17:40:04 +01:00 · d2766b1b4f
commit d2766b1b4f
parent 4802484729
50 changed files with 1496 additions and 599 deletions
--- a/provider/kubernetes/annotations.go
+++ b/provider/kubernetes/annotations.go
@ -5,31 +5,32 @@ import (
 )

 const (
-	annotationKubernetesIngressClass             = "kubernetes.io/ingress.class"
-	annotationKubernetesAuthRealm                = "ingress.kubernetes.io/auth-realm"
-	annotationKubernetesAuthType                 = "ingress.kubernetes.io/auth-type"
-	annotationKubernetesAuthSecret               = "ingress.kubernetes.io/auth-secret"
-	annotationKubernetesRewriteTarget            = "ingress.kubernetes.io/rewrite-target"
-	annotationKubernetesWhitelistSourceRange     = "ingress.kubernetes.io/whitelist-source-range"
-	annotationKubernetesPreserveHost             = "ingress.kubernetes.io/preserve-host"
-	annotationKubernetesPassTLSCert              = "ingress.kubernetes.io/pass-tls-cert"
-	annotationKubernetesFrontendEntryPoints      = "ingress.kubernetes.io/frontend-entry-points"
-	annotationKubernetesPriority                 = "ingress.kubernetes.io/priority"
-	annotationKubernetesCircuitBreakerExpression = "ingress.kubernetes.io/circuit-breaker-expression"
-	annotationKubernetesLoadBalancerMethod       = "ingress.kubernetes.io/load-balancer-method"
-	annotationKubernetesAffinity                 = "ingress.kubernetes.io/affinity"
-	annotationKubernetesSessionCookieName        = "ingress.kubernetes.io/session-cookie-name"
-	annotationKubernetesRuleType                 = "ingress.kubernetes.io/rule-type"
-	annotationKubernetesRedirectEntryPoint       = "ingress.kubernetes.io/redirect-entry-point"
-	annotationKubernetesRedirectPermanent        = "ingress.kubernetes.io/redirect-permanent"
-	annotationKubernetesRedirectRegex            = "ingress.kubernetes.io/redirect-regex"
-	annotationKubernetesRedirectReplacement      = "ingress.kubernetes.io/redirect-replacement"
-	annotationKubernetesMaxConnAmount            = "ingress.kubernetes.io/max-conn-amount"
-	annotationKubernetesMaxConnExtractorFunc     = "ingress.kubernetes.io/max-conn-extractor-func"
-	annotationKubernetesRateLimit                = "ingress.kubernetes.io/rate-limit"
-	annotationKubernetesErrorPages               = "ingress.kubernetes.io/error-pages"
-	annotationKubernetesBuffering                = "ingress.kubernetes.io/buffering"
-	annotationKubernetesAppRoot                  = "ingress.kubernetes.io/app-root"
+	annotationKubernetesIngressClass              = "kubernetes.io/ingress.class"
+	annotationKubernetesAuthRealm                 = "ingress.kubernetes.io/auth-realm"
+	annotationKubernetesAuthType                  = "ingress.kubernetes.io/auth-type"
+	annotationKubernetesAuthSecret                = "ingress.kubernetes.io/auth-secret"
+	annotationKubernetesRewriteTarget             = "ingress.kubernetes.io/rewrite-target"
+	annotationKubernetesWhiteListSourceRange      = "ingress.kubernetes.io/whitelist-source-range"
+	annotationKubernetesWhiteListUseXForwardedFor = "ingress.kubernetes.io/whitelist-x-forwarded-for"
+	annotationKubernetesPreserveHost              = "ingress.kubernetes.io/preserve-host"
+	annotationKubernetesPassTLSCert               = "ingress.kubernetes.io/pass-tls-cert"
+	annotationKubernetesFrontendEntryPoints       = "ingress.kubernetes.io/frontend-entry-points"
+	annotationKubernetesPriority                  = "ingress.kubernetes.io/priority"
+	annotationKubernetesCircuitBreakerExpression  = "ingress.kubernetes.io/circuit-breaker-expression"
+	annotationKubernetesLoadBalancerMethod        = "ingress.kubernetes.io/load-balancer-method"
+	annotationKubernetesAffinity                  = "ingress.kubernetes.io/affinity"
+	annotationKubernetesSessionCookieName         = "ingress.kubernetes.io/session-cookie-name"
+	annotationKubernetesRuleType                  = "ingress.kubernetes.io/rule-type"
+	annotationKubernetesRedirectEntryPoint        = "ingress.kubernetes.io/redirect-entry-point"
+	annotationKubernetesRedirectPermanent         = "ingress.kubernetes.io/redirect-permanent"
+	annotationKubernetesRedirectRegex             = "ingress.kubernetes.io/redirect-regex"
+	annotationKubernetesRedirectReplacement       = "ingress.kubernetes.io/redirect-replacement"
+	annotationKubernetesMaxConnAmount             = "ingress.kubernetes.io/max-conn-amount"
+	annotationKubernetesMaxConnExtractorFunc      = "ingress.kubernetes.io/max-conn-extractor-func"
+	annotationKubernetesRateLimit                 = "ingress.kubernetes.io/rate-limit"
+	annotationKubernetesErrorPages                = "ingress.kubernetes.io/error-pages"
+	annotationKubernetesBuffering                 = "ingress.kubernetes.io/buffering"
+	annotationKubernetesAppRoot                   = "ingress.kubernetes.io/app-root"

 	annotationKubernetesSSLRedirect             = "ingress.kubernetes.io/ssl-redirect"
 	annotationKubernetesHSTSMaxAge              = "ingress.kubernetes.io/hsts-max-age"
--- a/provider/kubernetes/builder_configuration_test.go
+++ b/provider/kubernetes/builder_configuration_test.go
@ -202,9 +202,13 @@ func basicAuth(auth ...string) func(*types.Frontend) {
 	}
 }

-func whitelistSourceRange(ranges ...string) func(*types.Frontend) {
+func whiteList(useXFF bool, ranges ...string) func(*types.Frontend) {
 	return func(f *types.Frontend) {
-		f.WhitelistSourceRange = ranges
+		if f.WhiteList == nil {
+			f.WhiteList = &types.WhiteList{}
+		}
+		f.WhiteList.UseXForwardedFor = useXFF
+		f.WhiteList.SourceRange = ranges
 	}
 }

--- a/provider/kubernetes/kubernetes.go
+++ b/provider/kubernetes/kubernetes.go
@ -200,21 +200,20 @@ func (p *Provider) loadIngresses(k8sClient Client) (*types.Configuration, error)
 					passTLSCert := getBoolValue(i.Annotations, annotationKubernetesPassTLSCert, p.EnablePassTLSCert)
 					priority := getIntValue(i.Annotations, annotationKubernetesPriority, 0)
 					entryPoints := getSliceStringValue(i.Annotations, annotationKubernetesFrontendEntryPoints)
-					whitelistSourceRange := getSliceStringValue(i.Annotations, annotationKubernetesWhitelistSourceRange)

 					templateObjects.Frontends[baseName] = &types.Frontend{
-						Backend:              baseName,
-						PassHostHeader:       passHostHeader,
-						PassTLSCert:          passTLSCert,
-						Routes:               make(map[string]types.Route),
-						Priority:             priority,
-						BasicAuth:            basicAuthCreds,
-						WhitelistSourceRange: whitelistSourceRange,
-						Redirect:             getFrontendRedirect(i),
-						EntryPoints:          entryPoints,
-						Headers:              getHeader(i),
-						Errors:               getErrorPages(i),
-						RateLimit:            getRateLimit(i),
+						Backend:        baseName,
+						PassHostHeader: passHostHeader,
+						PassTLSCert:    passTLSCert,
+						Routes:         make(map[string]types.Route),
+						Priority:       priority,
+						BasicAuth:      basicAuthCreds,
+						WhiteList:      getWhiteList(i),
+						Redirect:       getFrontendRedirect(i),
+						EntryPoints:    entryPoints,
+						Headers:        getHeader(i),
+						Errors:         getErrorPages(i),
+						RateLimit:      getRateLimit(i),
 					}
 				}

@ -457,7 +456,7 @@ func getTLS(ingress *extensionsv1beta1.Ingress, k8sClient Client) ([]*tls.Config

 func endpointPortNumber(servicePort corev1.ServicePort, endpointPorts []corev1.EndpointPort) int {
 	if len(endpointPorts) > 0 {
-		//name is optional if there is only one port
+		// name is optional if there is only one port
 		port := endpointPorts[0]
 		for _, endpointPort := range endpointPorts {
 			if servicePort.Name == endpointPort.Name {
@ -510,6 +509,18 @@ func getFrontendRedirect(i *extensionsv1beta1.Ingress) *types.Redirect {
 	return nil
 }

+func getWhiteList(i *extensionsv1beta1.Ingress) *types.WhiteList {
+	ranges := getSliceStringValue(i.Annotations, annotationKubernetesWhiteListSourceRange)
+	if len(ranges) <= 0 {
+		return nil
+	}
+
+	return &types.WhiteList{
+		SourceRange:      ranges,
+		UseXForwardedFor: getBoolValue(i.Annotations, annotationKubernetesWhiteListUseXForwardedFor, false),
+	}
+}
+
 func getBuffering(service *corev1.Service) *types.Buffering {
 	var buffering *types.Buffering

--- a/provider/kubernetes/kubernetes_test.go
+++ b/provider/kubernetes/kubernetes_test.go
@ -665,7 +665,8 @@ func TestIngressAnnotations(t *testing.T) {
 		),
 		buildIngress(
 			iNamespace("testing"),
-			iAnnotation(annotationKubernetesWhitelistSourceRange, "1.1.1.1/24, 1234:abcd::42/32"),
+			iAnnotation(annotationKubernetesWhiteListSourceRange, "1.1.1.1/24, 1234:abcd::42/32"),
+			iAnnotation(annotationKubernetesWhiteListUseXForwardedFor, "true"),
 			iRules(
 				iRule(
 					iHost("test"),
@ -984,7 +985,7 @@ rateset:
 			),
 			frontend("test/whitelist-source-range",
 				passHostHeader(),
-				whitelistSourceRange("1.1.1.1/24", "1234:abcd::42/32"),
+				whiteList(true, "1.1.1.1/24", "1234:abcd::42/32"),
 				routes(
 					route("/whitelist-source-range", "PathPrefix:/whitelist-source-range"),
 					route("test", "Host:test")),