Merge remote-tracking branch 'origin/master' into feat/ingress-anno-regex

Signed-off-by: Ashing Zheng <axingfly@gmail.com>

Author: ronething

docs/en/latest/concepts/gateway-api.md

@@ -59,7 +59,7 @@ By supporting Gateway API, the APISIX Ingress controller can realize richer func
 
 For configuration examples, see the Gateway API tabs in [Configuration Examples](../reference/example.md).
 
-For a complete list of configuration options, refer to the [Gateway API Reference](https://gateway-api.sigs.k8s.io/reference/spec/). Be aware that some fields are not supported, or partially supported.
+For a complete list of configuration options, refer to the [Gateway API Reference](https://gateway-api.sigs.k8s.io/reference/1.3/spec/). Be aware that some fields are not supported, or partially supported.
 
 ## Unsupported / Partially Supported Fields
 

internal/adc/translator/annotations/plugins/forward-auth.go

@@ -0,0 +1,48 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package plugins
+
+import (
+	adctypes "github.com/apache/apisix-ingress-controller/api/adc"
+	"github.com/apache/apisix-ingress-controller/internal/adc/translator/annotations"
+)
+
+type forwardAuth struct{}
+
+// NewForwardAuthHandler creates a handler to convert
+// annotations about forward authentication to APISIX forward-auth plugin.
+func NewForwardAuthHandler() PluginAnnotationsHandler {
+	return &forwardAuth{}
+}
+
+func (i *forwardAuth) PluginName() string {
+	return "forward-auth"
+}
+
+func (i *forwardAuth) Handle(e annotations.Extractor) (any, error) {
+	uri := e.GetStringAnnotation(annotations.AnnotationsForwardAuthURI)
+	sslVerify := e.GetStringAnnotation(annotations.AnnotationsForwardAuthSSLVerify) != annotations.FalseString
+	if len(uri) > 0 {
+		return &adctypes.ForwardAuthConfig{
+			URI:             uri,
+			SSLVerify:       sslVerify,
+			RequestHeaders:  e.GetStringsAnnotation(annotations.AnnotationsForwardAuthRequestHeaders),
+			UpstreamHeaders: e.GetStringsAnnotation(annotations.AnnotationsForwardAuthUpstreamHeaders),
+			ClientHeaders:   e.GetStringsAnnotation(annotations.AnnotationsForwardAuthClientHeaders),
+		}, nil
+	}
+
+	return nil, nil
+}

internal/adc/translator/annotations/plugins/ip_restriction.go

@@ -0,0 +1,47 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugins
+
+import (
+	adctypes "github.com/apache/apisix-ingress-controller/api/adc"
+	"github.com/apache/apisix-ingress-controller/internal/adc/translator/annotations"
+)
+
+type ipRestriction struct{}
+
+// NewIPRestrictionHandler creates a handler to convert
+// annotations about client IP control to APISIX ip-restriction plugin.
+func NewIPRestrictionHandler() PluginAnnotationsHandler {
+	return &ipRestriction{}
+}
+
+func (i *ipRestriction) PluginName() string {
+	return "ip-restriction"
+}
+
+func (i *ipRestriction) Handle(e annotations.Extractor) (any, error) {
+	allowlist := e.GetStringsAnnotation(annotations.AnnotationsAllowlistSourceRange)
+	blocklist := e.GetStringsAnnotation(annotations.AnnotationsBlocklistSourceRange)
+
+	if allowlist == nil && blocklist == nil {
+		return nil, nil
+	}
+
+	return &adctypes.IPRestrictConfig{
+		Allowlist: allowlist,
+		Blocklist: blocklist,
+	}, nil
+}

internal/adc/translator/annotations/plugins/ip_restriction_test.go

@@ -0,0 +1,72 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugins
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	adctypes "github.com/apache/apisix-ingress-controller/api/adc"
+	"github.com/apache/apisix-ingress-controller/internal/adc/translator/annotations"
+)
+
+func TestIPRestrictionHandler(t *testing.T) {
+	// Test with allowlist only
+	anno := map[string]string{
+		annotations.AnnotationsAllowlistSourceRange: "10.2.2.2,192.168.0.0/16",
+	}
+	p := NewIPRestrictionHandler()
+	out, err := p.Handle(annotations.NewExtractor(anno))
+	assert.Nil(t, err, "checking given error")
+	assert.NotNil(t, out, "checking output is not nil")
+	config := out.(*adctypes.IPRestrictConfig)
+	assert.Len(t, config.Allowlist, 2, "checking size of allowlist")
+	assert.Equal(t, "10.2.2.2", config.Allowlist[0])
+	assert.Equal(t, "192.168.0.0/16", config.Allowlist[1])
+	assert.Nil(t, config.Blocklist, "checking blocklist is nil")
+	assert.Equal(t, "ip-restriction", p.PluginName())
+
+	// Test with both allowlist and blocklist
+	anno[annotations.AnnotationsBlocklistSourceRange] = "172.17.0.0/16,127.0.0.1"
+	out, err = p.Handle(annotations.NewExtractor(anno))
+	assert.Nil(t, err, "checking given error")
+	assert.NotNil(t, out, "checking output is not nil")
+	config = out.(*adctypes.IPRestrictConfig)
+	assert.Len(t, config.Allowlist, 2, "checking size of allowlist")
+	assert.Equal(t, "10.2.2.2", config.Allowlist[0])
+	assert.Equal(t, "192.168.0.0/16", config.Allowlist[1])
+	assert.Len(t, config.Blocklist, 2, "checking size of blocklist")
+	assert.Equal(t, "172.17.0.0/16", config.Blocklist[0])
+	assert.Equal(t, "127.0.0.1", config.Blocklist[1])
+
+	// Test with blocklist only
+	delete(anno, annotations.AnnotationsAllowlistSourceRange)
+	out, err = p.Handle(annotations.NewExtractor(anno))
+	assert.Nil(t, err, "checking given error")
+	assert.NotNil(t, out, "checking output is not nil")
+	config = out.(*adctypes.IPRestrictConfig)
+	assert.Nil(t, config.Allowlist, "checking allowlist is nil")
+	assert.Len(t, config.Blocklist, 2, "checking size of blocklist")
+	assert.Equal(t, "172.17.0.0/16", config.Blocklist[0])
+	assert.Equal(t, "127.0.0.1", config.Blocklist[1])
+
+	// Test with neither allowlist nor blocklist
+	delete(anno, annotations.AnnotationsBlocklistSourceRange)
+	out, err = p.Handle(annotations.NewExtractor(anno))
+	assert.Nil(t, err, "checking given error")
+	assert.Nil(t, out, "checking the given ip-restriction plugin config is nil")
+}

internal/adc/translator/annotations/plugins/plugins.go

@@ -44,6 +44,8 @@ var (
 		NewBasicAuthHandler(),
 		NewKeyAuthHandler(),
 		NewResponseRewriteHandler(),
+		NewIPRestrictionHandler(),
+		NewForwardAuthHandler(),
 	}
 )
 

internal/adc/translator/annotations/types.go

@@ -91,6 +91,10 @@ const (
 	AnnotationsSvcNamespace = AnnotationsPrefix + "svc-namespace"
 )
 
+const (
+	FalseString = "false"
+)
+
 // Handler abstracts the behavior so that the apisix-ingress-controller knows
 type IngressAnnotationsParser interface {
 	// Handle parses the target annotation and converts it to the type-agnostic structure.

internal/adc/translator/annotations_test.go

@@ -288,6 +288,47 @@ func TestTranslateIngressAnnotations(t *testing.T) {
 				ServiceNamespace: "custom-namespace",
 			},
 		},
+		{
+			name: "forward auth",
+			anno: map[string]string{
+				annotations.AnnotationsForwardAuthURI:             "http://127.0.0.1:9080",
+				annotations.AnnotationsForwardAuthRequestHeaders:  "Authorization",
+				annotations.AnnotationsForwardAuthClientHeaders:   "Location",
+				annotations.AnnotationsForwardAuthUpstreamHeaders: "X-User-ID",
+			},
+			expected: &IngressConfig{
+				Plugins: adctypes.Plugins{
+					"forward-auth": &adctypes.ForwardAuthConfig{
+						URI:             "http://127.0.0.1:9080",
+						SSLVerify:       true,
+						RequestHeaders:  []string{"Authorization"},
+						UpstreamHeaders: []string{"X-User-ID"},
+						ClientHeaders:   []string{"Location"},
+					},
+				},
+			},
+		},
+		{
+			name: "forward auth with ssl-verify false",
+			anno: map[string]string{
+				annotations.AnnotationsForwardAuthURI:             "http://127.0.0.1:9080",
+				annotations.AnnotationsForwardAuthSSLVerify:       "false",
+				annotations.AnnotationsForwardAuthRequestHeaders:  "Authorization",
+				annotations.AnnotationsForwardAuthClientHeaders:   "Location",
+				annotations.AnnotationsForwardAuthUpstreamHeaders: "X-User-ID",
+			},
+			expected: &IngressConfig{
+				Plugins: adctypes.Plugins{
+					"forward-auth": &adctypes.ForwardAuthConfig{
+						URI:             "http://127.0.0.1:9080",
+						SSLVerify:       false,
+						RequestHeaders:  []string{"Authorization"},
+						UpstreamHeaders: []string{"X-User-ID"},
+						ClientHeaders:   []string{"Location"},
+					},
+				},
+			},
+		},
 		{
 			name: "regex",
 			anno: map[string]string{

internal/webhook/v1/ingress_webhook.go

@@ -38,15 +38,7 @@ var ingresslog = logf.Log.WithName("ingress-resource")
 
 // unsupportedAnnotations contains all the APISIX Ingress annotations that are not supported in 2.0.0
 // ref: https://apisix.apache.org/docs/ingress-controller/upgrade-guide/#limited-support-for-ingress-annotations
-var unsupportedAnnotations = []string{
-	"k8s.apisix.apache.org/auth-uri",
-	"k8s.apisix.apache.org/auth-ssl-verify",
-	"k8s.apisix.apache.org/auth-request-headers",
-	"k8s.apisix.apache.org/auth-upstream-headers",
-	"k8s.apisix.apache.org/auth-client-headers",
-	"k8s.apisix.apache.org/allowlist-source-range",
-	"k8s.apisix.apache.org/blocklist-source-range",
-}
+var unsupportedAnnotations = []string{}
 
 // checkUnsupportedAnnotations checks if the Ingress contains any unsupported annotations
 // and returns appropriate warnings

test/e2e/framework/manifests/nginx.yaml

@@ -51,6 +51,19 @@ data:
           }
         }
 
+        location /auth {
+          content_by_lua_block {
+            local auth = ngx.req.get_headers()["Authorization"]
+            if auth == "123" then
+              ngx.header["X-User-ID"] = "user-123"
+              ngx.exit(200)
+            else
+              ngx.header["Location"] = "http://example.com/auth"
+              ngx.exit(401)
+            end
+          }
+        }
+
         location /ws {
           content_by_lua_block {
             local server = require "resty.websocket.server"