feat: auth-req caching

[moolen]

What this PR does / why we need it:
This PR adds a way to configure the proxy_cache_* (docs) directive for external authentication.

It adds these annotations, as proposed by @Stono in #2862 :

• nginx.ingress.kubernetes.io/auth-cache-key
• nginx.ingress.kubernetes.io/auth-cache-duration

The first one sets the proxy_cache_key (e.g. $uri$cookie__auth_proxy) and enables the feature. The latter sets the cache duration (defaults to 10m)

Note:
The user-defined cache_key may contain sensitive information (e.g. Authorization header). That's why we want to store only a hash of that key, not the key itself on disk.

fixes #2862

[k8s-ci-robot]

Welcome @moolen!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @moolen. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[aledbf]

@moolen please add e2e tests

[aledbf]

/ok-to-test

[aledbf]

/hold

[codecov-io]

Codecov Report

Merging #4278 into master will increase coverage by 0.16%.
The diff coverage is 82.75%.

@@            Coverage Diff             @@
##           master    #4278      +/-   ##
==========================================
+ Coverage    58.3%   58.47%   +0.16%     
==========================================
  Files          87       87              
  Lines        6478     6528      +50     
==========================================
+ Hits         3777     3817      +40     
- Misses       2274     2282       +8     
- Partials      427      429       +2

Impacted Files	Coverage Δ
internal/ingress/controller/config/config.go	98.57% <100%> (ø)	⬆️
internal/ingress/controller/template/configmap.go	76.63% <66.66%> (-0.52%)	⬇️
internal/ingress/annotations/authreq/main.go	70.83% <85.41%> (+6.27%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 84af99b...23504db. Read the comment docs.

[moolen]

/retest

[aledbf]

@moolen two comments:

• I think auth-cache-key should prepend the nginx server_name variable
• auth-cache-duration could be a list to allow different durations (not sure 10 minutes is ok for 401)

[moolen]

@aledbf Thanks for your feedback!

I think auth-cache-key should prepend the nginx server_name variable

good catch, that makes sense!

auth-cache-duration could be a list to allow different durations

You're right, it should be a list to allow configuration of multiple durations.

But while i think about that i'm not really sure if we really need this annotation at all. The user could set proxy_cache_valid using the auth-snippet annotation anyway. It would be semantically more precise to use a specific annotation, but adds more complexity to the codebase.

I'll implement it as a list for now. If you like using auth-snippet better i can remove it again (not a big deal).

not sure 10 minutes is ok for 401

It depends on the user's context i would say. For my use-case ($corp internal web-apps) i use Authorization header as cache_key and i want every auth-response (!= 5xx) to be cached.

I'd propose to lower the default value to 5m. The user can override the value using the duration annotation. What do you think?

[moolen]

i did touch this; The last runs indicate this test is flaky; let's retest and maybe dig deeper.
/test pull-ingress-nginx-test

[aledbf]

I'll implement it as a list for now.

👍

I'd propose to lower the default value to 5m

👍

Also, please squash the commits

[aledbf]

/approve

[ElvinEfendi]

I think auth-cache-key should prepend the nginx server_name variable

should it include location identifier too? since one can configure different external authentication for different locations in the same server.

[moolen]

again, that flaky test :/
/test pull-ingress-nginx-test

[aledbf]

again, that flaky test :/

Apologies for that :(
We are removing the static SSL feature in this release. With that, this will not be an issue anymore.

[moolen]

@ElvinEfendi i added the location identifier and squashed the commits.

[ElvinEfendi]

Is there any way to not duplicate this logic? @aledbf do we have means to share code between here and annotation? like a utils package or something

[moolen]

I centralized the "parsing" logic for now in d6b9014. Let me know if you want it in a utils package. I digged into this topic - it seems there's a bunch of code that is copy/pasted with slight adaptions (e.g. returning vs. logging an error).

[ElvinEfendi]

Can you add a test to assert that the cache key includes location and server identifiers? For location the test would like like this

1. Sign in on i.e /foo
2. Kill the external auth server
3. Assert that /foo still works
4. Assert that /bar does not work

[moolen]

Thanks for your feedback!

I added tests to verify the scope of the cache key (location/server) and addressed the other comments too.
I'm not sure about introducing a utils package. I centralized the logic for now. please let me know if that works for you!

[moolen]

/test pull-ingress-nginx-e2e-1-12

[ElvinEfendi]

Should we make a note that this will be hashed and encoded?

[moolen]

I think the implementation details are not important - the mechanics are tho!

I appended this:

Each server and location has it's own keyspace. Hence a cached response is only valid on a per-server and per-location basis

[ElvinEfendi]

@moolen this is looking great! Once you squash the commits we can merge this.

[ElvinEfendi]

/test pull-ingress-nginx-e2e-1-12

[ElvinEfendi]

/lgtm

thanks @moolen !

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, ElvinEfendi, moolen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ElvinEfendi,aledbf]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Stono]

Hey a quick one - thanks for all your effort in this everyone, finally able to rid it of my monkeypatch

[vaskozl]

Isn't this dangerous in the case where the user specified cache key ends up being an empty variable?

E.g. if the cache key is set to $cookie_foo and the upstream auth provider decides to change the auth cookie name form foo to bar, then $cookie_foo would become empty and we start caching simply on { $server.Hostname }}{{ $authPath }} which as I see it will let everyone through for the duration of the cache?