feat: support auth-type for ingress annotations (#2636)

Author: AlinsRan

internal/adc/translator/annotations/plugins/authorization.go

@@ -0,0 +1,61 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements.  See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License.  You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugins
+
+import (
+	adctypes "github.com/apache/apisix-ingress-controller/api/adc"
+	"github.com/apache/apisix-ingress-controller/internal/adc/translator/annotations"
+)
+
+type basicAuth struct{}
+
+// NewkeyBasicHandler creates a handler to convert
+// annotations about basicAuth control to APISIX basic-auth plugin.
+func NewBasicAuthHandler() PluginAnnotationsHandler {
+	return &basicAuth{}
+}
+
+func (b *basicAuth) PluginName() string {
+	return "basic-auth"
+}
+
+func (b *basicAuth) Handle(e annotations.Extractor) (interface{}, error) {
+	if e.GetStringAnnotation(annotations.AnnotationsAuthType) != "basicAuth" {
+		return nil, nil
+	}
+	plugin := adctypes.BasicAuthConfig{}
+	return &plugin, nil
+}
+
+type keyAuth struct{}
+
+// NewkeyAuthHandler creates a handler to convert
+// annotations about keyAuth control to APISIX key-auth plugin.
+func NewKeyAuthHandler() PluginAnnotationsHandler {
+	return &keyAuth{}
+}
+
+func (k *keyAuth) PluginName() string {
+	return "key-auth"
+}
+
+func (k *keyAuth) Handle(e annotations.Extractor) (interface{}, error) {
+	if e.GetStringAnnotation(annotations.AnnotationsAuthType) != "keyAuth" {
+		return nil, nil
+	}
+	plugin := adctypes.KeyAuthConfig{}
+	return &plugin, nil
+}

internal/adc/translator/annotations/plugins/plugins.go

@@ -40,6 +40,8 @@ var (
 		NewCorsHandler(),
 		NewCSRFHandler(),
 		NewFaultInjectionHandler(),
+		NewBasicAuthHandler(),
+		NewKeyAuthHandler(),
 	}
 )
 

internal/adc/translator/annotations_test.go

@@ -257,6 +257,28 @@ func TestTranslateIngressAnnotations(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "auth type basicAuth",
+			anno: map[string]string{
+				annotations.AnnotationsAuthType: "basicAuth",
+			},
+			expected: &IngressConfig{
+				Plugins: adctypes.Plugins{
+					"basic-auth": &adctypes.BasicAuthConfig{},
+				},
+			},
+		},
+		{
+			name: "auth type keyAuth",
+			anno: map[string]string{
+				annotations.AnnotationsAuthType: "keyAuth",
+			},
+			expected: &IngressConfig{
+				Plugins: adctypes.Plugins{
+					"key-auth": &adctypes.KeyAuthConfig{},
+				},
+			},
+		},
 	}
 
 	for _, tt := range tests {

test/e2e/ingress/annotations.go

@@ -382,6 +382,48 @@ spec:
             name: httpbin-service-e2e-test
             port:
               number: 80
+`
+			ingressKeyAuth = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: key-auth
+  annotations:
+    k8s.apisix.apache.org/auth-type: "keyAuth"
+spec:
+  ingressClassName: %s
+  rules:
+  - host: httpbin.example
+    http:
+      paths:
+      - path: /ip
+        pathType: Exact
+        backend:
+          service:
+            name: httpbin-service-e2e-test
+            port:
+              number: 80
+`
+			ingressBasicAuth = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: basic-auth
+  annotations:
+    k8s.apisix.apache.org/auth-type: "basicAuth"
+spec:
+  ingressClassName: %s
+  rules:
+  - host: httpbin.example
+    http:
+      paths:
+      - path: /get
+        pathType: Exact
+        backend:
+          service:
+            name: httpbin-service-e2e-test
+            port:
+              number: 80
 `
 		)
 		BeforeEach(func() {
@@ -610,5 +652,82 @@ spec:
 				s.RequestAssert(test)
 			}
 		})
+		It("authentication", func() {
+			var (
+				keyAuth = `
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: key
+spec:
+  ingressClassName: %s
+  authParameter:
+    keyAuth:
+      value:
+        key: test-key
+`
+				basicAuth = `
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+  name: basic
+spec:
+  ingressClassName: %s
+  authParameter:
+    basicAuth:
+      value:
+        username: test-user
+        password: test-password
+`
+			)
+			Expect(s.CreateResourceFromString(fmt.Sprintf(keyAuth, s.Namespace()))).ShouldNot(HaveOccurred(), "creating ApisixConsumer for keyAuth")
+			Expect(s.CreateResourceFromString(fmt.Sprintf(basicAuth, s.Namespace()))).ShouldNot(HaveOccurred(), "creating ApisixConsumer for basicAuth")
+			Expect(s.CreateResourceFromString(fmt.Sprintf(ingressKeyAuth, s.Namespace()))).ShouldNot(HaveOccurred(), "creating Ingress")
+			Expect(s.CreateResourceFromString(fmt.Sprintf(ingressBasicAuth, s.Namespace()))).ShouldNot(HaveOccurred(), "creating Ingress")
+
+			tests := []*scaffold.RequestAssert{
+				{
+					Method: "GET",
+					Path:   "/get",
+					Host:   "httpbin.example",
+					BasicAuth: &scaffold.BasicAuth{
+						Username: "test-user",
+						Password: "test-password",
+					},
+					Check: scaffold.WithExpectedStatus(http.StatusOK),
+				},
+				{
+					Method: "GET",
+					Path:   "/get",
+					Host:   "httpbin.example",
+					BasicAuth: &scaffold.BasicAuth{
+						Username: "invalid-user",
+						Password: "invalid-password",
+					},
+					Check: scaffold.WithExpectedStatus(http.StatusUnauthorized),
+				},
+				{
+					Method: "GET",
+					Path:   "/ip",
+					Host:   "httpbin.example",
+					Headers: map[string]string{
+						"apikey": "test-key",
+					},
+					Check: scaffold.WithExpectedStatus(http.StatusOK),
+				},
+				{
+					Method: "GET",
+					Path:   "/ip",
+					Host:   "httpbin.example",
+					Headers: map[string]string{
+						"apikey": "invalid-key",
+					},
+					Check: scaffold.WithExpectedStatus(http.StatusUnauthorized),
+				},
+			}
+			for _, test := range tests {
+				s.RequestAssert(test)
+			}
+		})
 	})
 })