Welcome @moolen!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

Hi @moolen. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

@moolen please add e2e tests

/ok-to-test

/hold

Codecov Report

Merging #4278 into master will increase coverage by 0.16%.
The diff coverage is 82.75%.

@@            Coverage Diff             @@
##           master    #4278      +/-   ##
==========================================
+ Coverage    58.3%   58.47%   +0.16%     
==========================================
  Files          87       87              
  Lines        6478     6528      +50     
==========================================
+ Hits         3777     3817      +40     
- Misses       2274     2282       +8     
- Partials      427      429       +2

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 84af99b...23504db. Read the comment docs.

/retest

@moolen two comments:

• I think auth-cache-key should prepend the nginx server_name variable
• auth-cache-duration could be a list to allow different durations (not sure 10 minutes is ok for 401)

@aledbf Thanks for your feedback!

I think auth-cache-key should prepend the nginx server_name variable

good catch, that makes sense!

auth-cache-duration could be a list to allow different durations

You're right, it should be a list to allow configuration of multiple durations.

But while i think about that i'm not really sure if we really need this annotation at all. The user could set proxy_cache_valid using the auth-snippet annotation anyway. It would be semantically more precise to use a specific annotation, but adds more complexity to the codebase.

I'll implement it as a list for now. If you like using auth-snippet better i can remove it again (not a big deal).

not sure 10 minutes is ok for 401

It depends on the user's context i would say. For my use-case ($corp internal web-apps) i use Authorization header as cache_key and i want every auth-response (!= 5xx) to be cached.

I'd propose to lower the default value to 5m. The user can override the value using the duration annotation. What do you think?

i did touch this; The last runs indicate this test is flaky; let's retest and maybe dig deeper.
/test pull-ingress-nginx-test

I'll implement it as a list for now.

👍

I'd propose to lower the default value to 5m

👍

Also, please squash the commits

/approve

I think auth-cache-key should prepend the nginx server_name variable

should it include location identifier too? since one can configure different external authentication for different locations in the same server.

again, that flaky test :/
/test pull-ingress-nginx-test

again, that flaky test :/

Apologies for that :(
We are removing the static SSL feature in this release. With that, this will not be an issue anymore.

@ElvinEfendi i added the location identifier and squashed the commits.

Can you add a test to assert that the cache key includes location and server identifiers? For location the test would like like this

1. Sign in on i.e /foo
2. Kill the external auth server
3. Assert that /foo still works
4. Assert that /bar does not work

Thanks for your feedback!

I added tests to verify the scope of the cache key (location/server) and addressed the other comments too.
I'm not sure about introducing a utils package. I centralized the logic for now. please let me know if that works for you!

/test pull-ingress-nginx-e2e-1-12

@moolen this is looking great! Once you squash the commits we can merge this.

/test pull-ingress-nginx-e2e-1-12

/lgtm

thanks @moolen !

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, ElvinEfendi, moolen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Hey a quick one - thanks for all your effort in this everyone, finally able to rid it of my monkeypatch

Isn't this dangerous in the case where the user specified cache key ends up being an empty variable?

E.g. if the cache key is set to $cookie_foo and the upstream auth provider decides to change the auth cookie name form foo to bar, then $cookie_foo would become empty and we start caching simply on { $server.Hostname }}{{ $authPath }} which as I see it will let everyone through for the duration of the cache?