fix: Ensure changes in MatchCN annotation are detected (#11173)

wdullaer · web-flow · commit bcb98c0c8dec · 2024-07-01T13:48:24.000-07:00
diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
@@ -122,6 +122,9 @@ func (assl1 *Config) Equal(assl2 *Config) bool {
 	if assl1.PassCertToUpstream != assl2.PassCertToUpstream {
 		return false
 	}
+	if assl1.MatchCN != assl2.MatchCN {
+		return false
+	}
 
 	return true
 }
diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go
@@ -333,6 +333,15 @@ func TestEquals(t *testing.T) {
 	}
 	cfg2.PassCertToUpstream = true
 
+	// Different MatchCN
+	cfg1.MatchCN = "CN=(hello-app|goodbye)"
+	cfg2.MatchCN = "CN=(hello-app)"
+	result = cfg1.Equal(cfg2)
+	if result != false {
+		t.Errorf("Expected false")
+	}
+	cfg2.MatchCN = "CN=(hello-app|goodbye)"
+
 	// Equal Configs
 	result = cfg1.Equal(cfg2)
 	if result != true {
diff --git a/test/e2e/annotations/authtls.go b/test/e2e/annotations/authtls.go
@@ -322,6 +322,49 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 			Status(http.StatusOK)
 	})
 
+	ginkgo.It("should reload the nginx config when auth-tls-match-cn is updated", func() {
+		host := authTLSFooHost
+		nameSpace := f.Namespace
+
+		clientConfig, err := framework.CreateIngressMASecret(
+			f.KubeClientSet,
+			host,
+			host,
+			nameSpace)
+		assert.Nil(ginkgo.GinkgoT(), err)
+
+		// First add an annotation that forbids our connection
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-tls-secret":        nameSpace + "/" + host,
+			"nginx.ingress.kubernetes.io/auth-tls-verify-client": "on",
+			"nginx.ingress.kubernetes.io/auth-tls-match-cn":      "CN=notvalid",
+		}
+
+		ingress := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
+
+		assertSslClientCertificateConfig(f, host, "on", "1")
+
+		f.HTTPTestClientWithTLSConfig(clientConfig).
+			GET("/").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusForbidden)
+
+		// Update the annotation to something that allows the connection
+		ingress.Annotations["nginx.ingress.kubernetes.io/auth-tls-match-cn"] = "CN=authtls"
+		f.UpdateIngress(ingress)
+
+		assertSslClientCertificateConfig(f, host, "on", "1")
+
+		f.HTTPTestClientWithTLSConfig(clientConfig).
+			GET("/").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
+	})
+
 	ginkgo.It("should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client", func() {
 		host := authTLSFooHost
 		nameSpace := f.Namespace

Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,9 @@ func (assl1 Config) Equal(assl2 Config) bool {`
`122`	`122`	`if assl1.PassCertToUpstream != assl2.PassCertToUpstream {`
`123`	`123`	`return false`
`124`	`124`	`}`
	`125`	`+ if assl1.MatchCN != assl2.MatchCN {`
	`126`	`+ return false`
	`127`	`+ }`
`125`	`128`
`126`	`129`	`return true`
`127`	`130`	`}`