diff --git a/pomerium/ingress_annotations.go b/pomerium/ingress_annotations.go index c14e248e..6119c774 100644 --- a/pomerium/ingress_annotations.go +++ b/pomerium/ingress_annotations.go @@ -23,46 +23,46 @@ import ( var ( baseAnnotations = boolMap([]string{ - "cors_allow_preflight", - "allow_public_unauthenticated_access", "allow_any_authenticated_user", - "timeout", - "idle_timeout", + "allow_public_unauthenticated_access", "allow_spdy", "allow_websockets", - "set_request_headers", - "remove_request_headers", - "set_response_headers", - "rewrite_response_headers", - "preserve_host_header", - "host_rewrite", - "host_rewrite_header", + "cors_allow_preflight", "host_path_regex_rewrite_pattern", "host_path_regex_rewrite_substitution", + "host_rewrite_header", + "host_rewrite", + "idle_timeout", "pass_identity_headers", - "tls_skip_verify", - "tls_server_name", "prefix_rewrite", + "preserve_host_header", "regex_rewrite_pattern", "regex_rewrite_substitution", + "remove_request_headers", + "rewrite_response_headers", + "set_request_headers", + "set_response_headers", + "timeout", + "tls_server_name", + "tls_skip_verify", }) policyAnnotations = boolMap([]string{ - "allowed_users", "allowed_domains", "allowed_idp_claims", + "allowed_users", "policy", }) envoyAnnotations = boolMap([]string{ "health_checks", - "outlier_detection", "lb_policy", "least_request_lb_config", - "ring_hash_lb_config", "maglev_lb_config", + "outlier_detection", + "ring_hash_lb_config", }) tlsAnnotations = boolMap([]string{ - model.TLSCustomCASecret, model.TLSClientSecret, + model.TLSCustomCASecret, model.TLSDownstreamClientCASecret, }) secretAnnotations = boolMap([]string{ @@ -71,10 +71,10 @@ var ( model.SetResponseHeadersSecret, }) handledElsewhere = boolMap([]string{ - model.SecureUpstream, model.PathRegex, - model.UseServiceProxy, + model.SecureUpstream, model.TCPUpstream, + model.UseServiceProxy, }) unsupported = map[string]string{ "allowed_groups": "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync", @@ -140,13 +140,25 @@ func removeKeyPrefix(src map[string]string, prefix string) (*keys, error) { } func toJSON(src map[string]string) ([]byte, error) { - dst := make(map[string]interface{}, len(src)) + dst := make(map[string]any, len(src)) for k, v := range src { - out := new(interface{}) - if err := yaml.Unmarshal([]byte(v), out); err != nil { + var out any + if err := yaml.Unmarshal([]byte(v), &out); err != nil { return nil, fmt.Errorf("%s: %w", k, err) } - dst[k] = *out + + // https://github.com/pomerium/pomerium/issues/4014 allow non-string values and convert them + if k == "set_request_headers" || k == "set_response_headers" { + if m, ok := out.(map[string]any); ok { + sm := map[string]string{} + for kk, vv := range m { + sm[kk] = fmt.Sprint(vv) + } + out = sm + } + } + + dst[k] = out } return json.Marshal(dst) @@ -162,11 +174,11 @@ func applyAnnotations( return err } - if err = unmarshallAnnotations(r, kv.Base); err != nil { + if err = unmarshalAnnotations(r, kv.Base); err != nil { return err } r.EnvoyOpts = new(envoy_config_cluster_v3.Cluster) - if err = unmarshallAnnotations(r.EnvoyOpts, kv.Envoy); err != nil { + if err = unmarshalAnnotations(r.EnvoyOpts, kv.Envoy); err != nil { return err } if err = applyTLSAnnotations(r, kv.TLS, ic.Secrets, ic.Ingress.Namespace); err != nil { @@ -177,19 +189,19 @@ func applyAnnotations( } p := new(pomerium.Policy) r.Policies = []*pomerium.Policy{p} - if err := unmarshallPolicyAnnotations(p, kv.Policy); err != nil { + if err := unmarshalPolicyAnnotations(p, kv.Policy); err != nil { return fmt.Errorf("applying policy annotations: %w", err) } return nil } -func unmarshallPolicyAnnotations(p *pomerium.Policy, kvs map[string]string) error { +func unmarshalPolicyAnnotations(p *pomerium.Policy, kvs map[string]string) error { ppl, hasPPL := kvs["policy"] if hasPPL { delete(kvs, "policy") } - if err := unmarshallAnnotations(p, kvs); err != nil { + if err := unmarshalAnnotations(p, kvs); err != nil { return err } @@ -214,7 +226,7 @@ func unmarshallPolicyAnnotations(p *pomerium.Policy, kvs map[string]string) erro return nil } -func unmarshallAnnotations(m protoreflect.ProtoMessage, kvs map[string]string) error { +func unmarshalAnnotations(m protoreflect.ProtoMessage, kvs map[string]string) error { if len(kvs) == 0 { return nil } diff --git a/pomerium/ingress_annotations_test.go b/pomerium/ingress_annotations_test.go index ba6922c3..33e2acb8 100644 --- a/pomerium/ingress_annotations_test.go +++ b/pomerium/ingress_annotations_test.go @@ -27,9 +27,7 @@ import ( "github.com/pomerium/ingress-controller/model" ) -var ( - testPPL = `{"allow":{"or":[{"domain":{"is":"pomerium.com"}}]}}` -) +var testPPL = `{"allow":{"or":[{"domain":{"is":"pomerium.com"}}]}}` func TestAnnotations(t *testing.T) { strp := func(txt string) *string { return &txt } @@ -54,7 +52,7 @@ func TestAnnotations(t *testing.T) { "a/set_request_headers": `{"a": "aaa"}`, "a/set_request_headers_secret": `request_headers`, "a/remove_request_headers": `["a"]`, - "a/set_response_headers": `{"c": "ccc"}`, + "a/set_response_headers": `{"disable": true}`, "a/set_response_headers_secret": `response_headers`, "a/rewrite_response_headers": `[{"header": "a", "prefix": "b", "value": "c"}]`, "a/preserve_host_header": "true", @@ -135,7 +133,7 @@ func TestAnnotations(t *testing.T) { KubernetesServiceAccountToken: "k8s-token-data", SetRequestHeaders: map[string]string{"a": "aaa", "req_key_1": "req_data1", "req_key_2": "req_data2"}, RemoveRequestHeaders: []string{"a"}, - SetResponseHeaders: map[string]string{"c": "ccc", "res_key_1": "res_data1", "res_key_2": "res_data2"}, + SetResponseHeaders: map[string]string{"disable": "true", "res_key_1": "res_data1", "res_key_2": "res_data2"}, RewriteResponseHeaders: []*pb.RouteRewriteHeader{{ Header: "a", Matcher: &pb.RouteRewriteHeader_Prefix{Prefix: "b"},