Test the ACL example using helm deployment.

38270bfb · Geoff Simmons · 6d970389 · 38270bfb · 38270bfb · 38270bfb
Commit 38270bfb authored Aug 18, 2020 by Geoff Simmons
5 changed files
--- a/examples/acl/deploy_helm.sh
+++ b/examples/acl/deploy_helm.sh
+#! /bin/bash -ex
+
+MYDIR=$(dirname ${BASH_SOURCE[0]})
+
+helm install viking-ingress ${MYDIR}/../hello/charts --values values.yaml
--- a/examples/acl/undeploy_helm.sh
+++ b/examples/acl/undeploy_helm.sh
+#! /bin/bash -ex
+
+MYDIR=$(dirname ${BASH_SOURCE[0]})
+source ${MYDIR}/../../test/utils.sh
+
+helm uninstall viking-ingress
+
+echo "Waiting until varnish-ingress Pods are not configured for Ingress"
+wait_until_not_configured app.kubernetes.io/name=varnish-ingress
--- a/examples/acl/values.yaml
+++ b/examples/acl/values.yaml
+apps:
+  coffee:
+    image: nginxdemos/hello:plain-text
+    replicas: 2
+  tea:
+    image: nginxdemos/hello:plain-text
+    replicas: 3
+
+ingress:
+  name: cafe-ingress
+  rules:
+  - host: cafe.example.com
+    paths:
+    - path: /tea
+      app: tea
+    - path: /coffee
+      app: coffee
+
+# vikingAdmSvc is required, and identifies the Service name of Varnish
+# services in the same namespace to which this config is to be
+# applied.
+vikingAdmSvc: varnish-ingress-admin
+
+# This config defines two whitelists and two blacklists.
+# The order of the elements in acl is significant -- ACL matches are
+# run in order, until the first set of conditions that leads to a
+# failure status is matched, or all of them run without failing.
+acls:
+
+  # This ACL defines the address ranges for IPv4 loopback addresses
+  # and private networks:
+  # 127.0.0.0/8, 10.0.0.0/24, 172.16.0.0/12 and 192.168.0.0/16
+  #
+  # comparand is the default: client.ip, as interpreted in VCL
+  # (either the client IP forwarded by the PROXY protocol, or
+  # the peer address of the connection if PROXY is not used).
+  #
+  # fail-status is the default (403 Forbidden).
+  #
+  # type is default (whitelist) -- the failure status is returned
+  # if client.ip does not match the ACL.
+  #
+  # The conditions field is not defined -- this ACL is matched for
+  # all client requests.
+  - name: local-private-ip4
+    addrs:
+    - addr: 127.0.0.0
+      mask-bits: 8
+    - addr: 10.0.0.0
+      mask-bits: 24
+    - addr: 172.16.0.0
+      mask-bits: 12
+    - addr: 192.168.0.0
+      mask-bits: 16
+
+  # This is the ACL shown as an example in vcl(7):
+  # https://varnish-cache.org/docs/6.3/reference/vcl.html#access-control-list-acl
+  # The ACL matches:
+  # - the IP resolved for "localhost" at VCL load time
+  # - 192.0.2.0/24
+  # - but it does *not* match the IP 192.0.2.23 (since the negate
+  #   field for that address is set to true).
+  #
+  # comparand is the client request header X-Real-IP. The header
+  # must contain an IP address, otherwise it will not match the ACL.
+  #
+  # fail-status is default 403.
+  #
+  # type is whitelist.
+  #
+  # The conditions specify that the ACL match is executed when:
+  # - the URL path begins with "/tea", and
+  # - the Host header is exactly equal to "cafe.example.com"
+  # (According to the Ingress rules of the cafe example, requests
+  # are routed to the Service tea-svc under these conditions).
+  #
+  # The result-header config means that the client request header
+  # X-Tea-Whitelisted is set to "true" if the address from X-Real-IP
+  # is on the whitelist (the "success" string is assigned if the
+  # fail-status is not invoked); set to "false" otherwise.
+  - name: man-vcl-example
+    addrs:
+    - addr: localhost
+    - addr: 192.0.2.0
+      mask-bits: 24
+    - addr: 192.0.2.23
+      negate: true
+    comparand: req.http.X-Real-IP
+    type: whitelist
+    conditions:
+    - comparand: req.url
+      compare: match
+      value: ^/tea(/|$)
+    - comparand: req.http.Host
+      value: cafe.example.com
+    result-header:
+      header: req.http.X-Tea-Whitelisted
+      success: "true"
+      failure: "false"
+
+  # This ACL defines a blacklist:
+  # 192.0.20/24 and 198.51.100.0/24
+  #
+  # comparand xff-first means that the IP address to be matched
+  # is in the first comma-separated field in the X-Forwarded-For
+  # header. This field must contain an IP address, otherwise it
+  # will not match the ACL.
+  #
+  # fail-status is 404 Not Found (making it appear to non-matching
+  # clients that they used an invalid URL).
+  #
+  # type is blacklist -- the failure status is returned if the
+  # IP address (from X-Forwarded-For) matches the ACL.
+  #
+  # The conditions specify that the ACL match is executed when:
+  # - the URL path begins with "/coffee/black", and
+  # - the Host header is exactly equal to "cafe.example.com"
+  #
+  # The result-header config means that the client request header
+  # X-Coffee-Blacklist is set to "true" if the address from
+  # X-Forwarded-For is on the blacklist (the "failure" string is
+  # assigned if the fail-status is invoked); set to "false"
+  # otherwise.
+  - name: xff-first-example
+    addrs:
+    - addr: 192.0.2.0
+      mask-bits: 24
+    - addr: 198.51.100.0
+      mask-bits: 24
+    comparand: xff-first
+    type: blacklist
+    fail-status: 404
+    conditions:
+    - comparand: req.url
+      compare: match
+      value: ^/coffee/black(/|$)
+    - comparand: req.http.Host
+      compare: equal
+      value: cafe.example.com
+    result-header:
+      header: req.http.X-Coffee-Blacklist
+      failure: "true"
+      success: "false"
+
+  # This ACL defines a blacklist for 203.0.113.0/24.
+  #
+  # comparand xff-2ndlast means that the IP address to be matched
+  # is in the next-to-last comma-separated field in the X-Forwarded-For
+  # header, *after* Varnish appends the client IP to X-Forwarded-For.
+  # In other words, it is the last field in X-Forwarded-For when
+  # Varnish receives the request. As with xff-first, the field must
+  # contain an IP address.
+  #
+  # fail-status is default 403.
+  #
+  # type is blacklist.
+  #
+  # The conditions specify that the ACL match is executed when:
+  # - the URL path begins with "/coffee", and
+  # - the Host header is exactly equal to "cafe.example.com"
+  # (According to the Ingress rules of the cafe example, requests
+  # are routed to the Service coffee-svc under these conditions).
+  - name: xff-2ndlast-example
+    addrs:
+    - addr: 203.0.113.0
+      mask-bits: 24
+    comparand: xff-2ndlast
+    type: blacklist
+    conditions:
+    - comparand: req.url
+      compare: match
+      value: ^/coffee(/|$)
+    - comparand: req.http.Host
+      value: cafe.example.com
--- a/examples/hello/charts/templates/varnishconfig.yaml
+++ b/examples/hello/charts/templates/varnishconfig.yaml
+{{ if .Values.acls -}}
+{{ if empty .Values.vikingAdmSvc -}}
+  {{ fail "Viking admin Service must be specified" -}}
+{{ end -}}
+apiVersion: "ingress.varnish-cache.org/v1alpha1"
+kind: VarnishConfig
+metadata:
+  name: {{ include "viking-ingress.fullname" . }}-vcfg
+  labels:
+    app.kubernetes.io/name: {{ .Values.ingress.name }}
+    app.kubernetes.io/component: varnishConfig
+    {{- include "viking-ingress.labels" . | nindent 4 }}
+spec:
+  services:
+    - {{ .Values.vikingAdmSvc }}
+
+  {{- if .Values.acls }}
+  acl:
+    {{ toYaml .Values.acls | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/examples/hello/charts/values.yaml
+++ b/examples/hello/charts/values.yaml
@@ -31,3 +31,12 @@ ingress:
  # - name: tls-secret
  #   crt: <certificate>
  #   key: <key>
+
+# The admin Service for the viking workload to implement the Ingress
+# and VarnishConfig. Required for VarnishConfig. If empty, then
+# default rules apply for Ingress -- typically the one such Service in
+# the same namespace.
+vikingAdmSvc: ""
+
+# ACL elements for VarnishConfig
+acls: []