MINOR: Accept patternfiles in whitelist/blacklists

As a special case, if whitelist or blacklist start with `patterns/`,
use this map directly. This enables centrally managing IP ranges and
using them in many Ingresses. For example:

```
--
kind: ConfigMap
apiVersion: v1
metadata:
  name: patternfiles
  namespace: haproxy-controller
data:
  ips: |
    192.168.0.0/24
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: http-restricted-echo
  annotations:
    ingress.class: haproxy
    haproxy.org/whitelist: patterns/ips
spec:
  rules:
    - host: localhost
      http:
        paths:
          - path: /restricted
            pathType: Prefix
            backend:
              service:
                name: http-echo
                port:
                  name: http
```

E2e test is marked sequential as it modifies global state
(patternfiles).

Author: thriqon

controller/annotations/ingress/accessControl.go

@@ -36,14 +36,23 @@ func (a *AccessControl) Process(k store.K8s, annotations ...map[string]string) (
 	if input == "" {
 		return
 	}
+
+	if strings.HasPrefix(input, "patterns/") {
+		a.rules.Add(&rules.ReqDeny{
+			SrcIPsMap: maps.Path(input),
+			Whitelist: a.whitelist,
+		})
+
+		return
+	}
+
 	var mapName maps.Name
-	var whitelist bool
 	if a.whitelist {
 		mapName = maps.Name("whitelist-" + utils.Hash([]byte(input)))
-		whitelist = true
 	} else {
 		mapName = maps.Name("blacklist-" + utils.Hash([]byte(input)))
 	}
+
 	if !a.maps.Exists(mapName) {
 		for _, address := range strings.Split(input, ",") {
 			address = strings.TrimSpace(address)
@@ -57,7 +66,7 @@ func (a *AccessControl) Process(k store.K8s, annotations ...map[string]string) (
 	}
 	a.rules.Add(&rules.ReqDeny{
 		SrcIPsMap: maps.GetPath(mapName),
-		Whitelist: whitelist,
+		Whitelist: a.whitelist,
 	})
 	return
 }

deploy/tests/e2e/access-control/access_control_test.go

@@ -0,0 +1,92 @@
+// Copyright 2019 HAProxy Technologies LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build e2e_sequential
+
+package accesscontrol
+
+import (
+	"net/http"
+
+	"github.com/haproxytech/kubernetes-ingress/deploy/tests/e2e"
+)
+
+func (suite *AccessControlSuite) eventuallyReturns(clientIP string, httpStatus int) {
+	suite.Eventually(func() bool {
+		suite.client.Req.Header = map[string][]string{
+			"X-Client-IP": {clientIP},
+		}
+		res, cls, err := suite.client.Do()
+		if err != nil {
+			suite.T().Logf("Connection ERROR: %s", err.Error())
+			return false
+		}
+		defer cls()
+		return res.StatusCode == httpStatus
+	}, e2e.WaitDuration, e2e.TickDuration, "waiting for call with client IP %v to return %v expired", clientIP, httpStatus)
+}
+
+func (suite *AccessControlSuite) Test_Whitelist() {
+	suite.Run("Inline", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"whitelist", " 192.168.2.0/24"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+
+		suite.eventuallyReturns("192.168.2.3", http.StatusOK)
+		suite.eventuallyReturns("192.168.5.3", http.StatusForbidden)
+	})
+
+	suite.Run("Patternfile", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"whitelist", " patterns/ips"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+		suite.NoError(suite.test.Apply("config/patternfile-a.yml", "", nil))
+
+		suite.eventuallyReturns("192.168.0.3", http.StatusOK)
+		suite.eventuallyReturns("192.168.2.3", http.StatusForbidden)
+	})
+}
+
+func (suite *AccessControlSuite) Test_Blacklist() {
+	suite.Run("Inline", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"blacklist", " 192.168.2.0/24"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+
+		suite.eventuallyReturns("192.168.2.3", http.StatusForbidden)
+		suite.eventuallyReturns("192.168.5.3", http.StatusOK)
+	})
+
+	suite.Run("Patternfile", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"blacklist", " patterns/ips"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+		suite.NoError(suite.test.Apply("config/patternfile-a.yml", "", nil))
+
+		suite.eventuallyReturns("192.168.0.3", http.StatusForbidden)
+		suite.eventuallyReturns("192.168.2.3", http.StatusOK)
+	})
+}

deploy/tests/e2e/access-control/config/deploy.yaml.tmpl

@@ -0,0 +1,64 @@
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: http-echo
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: http-echo
+  template:
+    metadata:
+      labels:
+        app: http-echo
+    spec:
+      containers:
+        - name: http-echo
+          image: haproxytech/http-echo:latest
+          imagePullPolicy: Never
+          args:
+          - --default-response=hostname
+          ports:
+            - name: http
+              containerPort: 8888
+              protocol: TCP
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: http-echo
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 80
+      targetPort: http
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: https
+  selector:
+    app: http-echo
+---
+kind: Ingress
+apiVersion: networking.k8s.io/v1beta1
+metadata:
+  name: http-echo
+  annotations:
+    ingress.class: haproxy
+{{range .IngAnnotations}}
+    {{ .Key }}: {{ .Value }}
+{{end}}
+spec:
+  rules:
+    - host: {{ .Host }}
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: http-echo
+              servicePort: http

deploy/tests/e2e/access-control/config/patternfile-a.yml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: patternfiles
+  namespace: haproxy-controller
+data:
+  ips: |
+    192.168.0.0/24
+    192.168.1.0/24

deploy/tests/e2e/access-control/config/patternfile-empty.yml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: patternfiles
+  namespace: haproxy-controller
+data: {}

deploy/tests/e2e/access-control/suite_test.go

@@ -0,0 +1,57 @@
+// Copyright 2019 HAProxy Technologies LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build e2e_sequential
+
+package accesscontrol
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/suite"
+
+	"github.com/haproxytech/kubernetes-ingress/deploy/tests/e2e"
+)
+
+type AccessControlSuite struct {
+	suite.Suite
+	test     e2e.Test
+	client   *e2e.Client
+	tmplData tmplData
+}
+
+type tmplData struct {
+	IngAnnotations []struct{ Key, Value string }
+	Host           string
+}
+
+func (suite *AccessControlSuite) SetupSuite() {
+	var err error
+	suite.test, err = e2e.NewTest()
+	suite.NoError(err)
+	suite.tmplData = tmplData{Host: suite.test.GetNS() + ".test"}
+	suite.client, err = e2e.NewHTTPClient(suite.tmplData.Host)
+	suite.NoError(err)
+
+	suite.NoError(suite.test.Apply("config/patternfile-empty.yml", "", nil))
+}
+
+func (suite *AccessControlSuite) TearDownSuite() {
+	suite.test.Apply("config/patternfile-empty.yml", "", nil)
+	suite.test.TearDown()
+}
+
+func TestAccessControlSuite(t *testing.T) {
+	suite.Run(t, new(AccessControlSuite))
+}

documentation/README.md

@@ -17,7 +17,7 @@ This is autogenerated from [doc.yaml](doc.yaml). Description can be found in [ge
 | [auth-type](#authentication) | string |  |  |:large_blue_circle:|:large_blue_circle:|:white_circle:|
 | [auth-secret](#authentication) | string |  | auth-type |:large_blue_circle:|:large_blue_circle:|:white_circle:|
 | [auth-realm](#authentication) | string | "Protected Content" | auth-type, auth-secret |:large_blue_circle:|:large_blue_circle:|:white_circle:|
-| [blacklist](#access-control) | IPs or CIDRs |  |  |:large_blue_circle:|:large_blue_circle:|:white_circle:|
+| [blacklist](#access-control) | IPs/CIDRs or pattern file |  |  |:large_blue_circle:|:large_blue_circle:|:white_circle:|
 | [check](#backend-checks) | [bool](#bool) | "true" |  |:large_blue_circle:|:large_blue_circle:|:large_blue_circle:|
 | [check-http](#backend-checks) | string |  | check |:large_blue_circle:|:large_blue_circle:|:large_blue_circle:|
 | [check-interval](#backend-checks) | [time](#time) |  | check |:large_blue_circle:|:large_blue_circle:|:large_blue_circle:|
@@ -84,7 +84,7 @@ This is autogenerated from [doc.yaml](doc.yaml). Description can be found in [ge
 | [timeout-server](#timeouts) | [time](#time) | "50s" |  |:large_blue_circle:|:white_circle:|:white_circle:|
 | [timeout-server-fin](#timeouts) | [time](#time) |  |  |:large_blue_circle:|:white_circle:|:white_circle:|
 | [timeout-tunnel](#timeouts) | [time](#time) | "1h" |  |:large_blue_circle:|:white_circle:|:white_circle:|
-| [whitelist](#access-control) | IPs or CIDRs |  |  |:large_blue_circle:|:large_blue_circle:|:white_circle:|
+| [whitelist](#access-control) | IPs/CIDRs or pattern file |  |  |:large_blue_circle:|:large_blue_circle:|:white_circle:|
 | [tls-alpn](#https) | string | "h2,http/1.1" |  |:large_blue_circle:|:white_circle:|:white_circle:|
 
 > :information_source: Annotations have hierarchy: `default` <- `Configmap` <- `Ingress` <- `Service`
@@ -234,9 +234,12 @@ cors-max-age: "1m"
 
   Available on:  `configmap`  `ingress`
 
+  :information_source: The value is treated as a pattern file (see `--configmap-patternfiles`) if it starts with `patterns/`. It should consist of a list of IPs or CIDRs, one per line.
+
 Possible values:
 
 - Comma-separated list of IP addresses and/or CIDR ranges
+- Path to a pattern file, e.g. `pattern/ips`
 
 Example:
 
@@ -250,9 +253,12 @@ blacklist: "192.168.1.0/24, 192.168.2.100"
 
   Available on:  `configmap`  `ingress`
 
+  :information_source: The value is treated as a pattern file (see `--configmap-patternfiles`) if it starts with `patterns/`. It should consist of a list of IPs or CIDRs, one per line.
+
 Possible values:
 
 - Comma-separated list of IP addresses and/or CIDR ranges
+- Path to a pattern file, e.g. `pattern/ips`
 
 Example:
 

documentation/doc.yaml

@@ -490,15 +490,17 @@ annotations:
     version_min: "1.5"
     example: ["auth-realm: Admin Area"]
   - title: blacklist
-    type: IPs or CIDRs
+    type: IPs/CIDRs or pattern file
     group: access-control
     dependencies: ""
     default: ""
     description:
       - Blocks given IP addresses and/or IP address ranges.
-    tip: []
+    tip:
+      - The value is treated as a pattern file (see `--configmap-patternfiles`) if it starts with `patterns/`. It should consist of a list of IPs or CIDRs, one per line.
     values:
       - Comma-separated list of IP addresses and/or CIDR ranges
+      - Path to a pattern file, e.g. `pattern/ips`
     applies_to:
       - configmap
       - ingress
@@ -1726,15 +1728,17 @@ annotations:
     version_min: "1.4"
     example: ["timeout-tunnel: 30m"]
   - title: whitelist
-    type: IPs or CIDRs
+    type: IPs/CIDRs or pattern file
     group: access-control
     dependencies: ""
     default: ""
     description:
       - Blocks all IP addresses except the whitelisted ones (annotation value).
-    tip: []
+    tip:
+      - The value is treated as a pattern file (see `--configmap-patternfiles`) if it starts with `patterns/`. It should consist of a list of IPs or CIDRs, one per line.
     values:
       - Comma-separated list of IP addresses and/or CIDR ranges
+      - Path to a pattern file, e.g. `pattern/ips`
     applies_to:
       - configmap
       - ingress