This is an automated email from the ASF dual-hosted git repository.
alinsran pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix-ingress-controller.git
The following commit(s) were added to refs/heads/master by this push:
new 4cd10056 feat: support auth-type for ingress annotations (#2636)
4cd10056 is described below
commit 4cd100568558e482b96f8fcdd5d91a3bbeb18d0d
Author: AlinsRan <[email protected]>
AuthorDate: Thu Oct 30 11:28:54 2025 +0800
feat: support auth-type for ingress annotations (#2636)
---
.../annotations/plugins/authorization.go | 61 +++++++++++
.../adc/translator/annotations/plugins/plugins.go | 2 +
internal/adc/translator/annotations_test.go | 22 ++++
test/e2e/ingress/annotations.go | 119 +++++++++++++++++++++
4 files changed, 204 insertions(+)
diff --git a/internal/adc/translator/annotations/plugins/authorization.go
b/internal/adc/translator/annotations/plugins/authorization.go
new file mode 100644
index 00000000..83b64c5b
--- /dev/null
+++ b/internal/adc/translator/annotations/plugins/authorization.go
@@ -0,0 +1,61 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package plugins
+
+import (
+ adctypes "github.com/apache/apisix-ingress-controller/api/adc"
+
"github.com/apache/apisix-ingress-controller/internal/adc/translator/annotations"
+)
+
+type basicAuth struct{}
+
+// NewkeyBasicHandler creates a handler to convert
+// annotations about basicAuth control to APISIX basic-auth plugin.
+func NewBasicAuthHandler() PluginAnnotationsHandler {
+ return &basicAuth{}
+}
+
+func (b *basicAuth) PluginName() string {
+ return "basic-auth"
+}
+
+func (b *basicAuth) Handle(e annotations.Extractor) (interface{}, error) {
+ if e.GetStringAnnotation(annotations.AnnotationsAuthType) !=
"basicAuth" {
+ return nil, nil
+ }
+ plugin := adctypes.BasicAuthConfig{}
+ return &plugin, nil
+}
+
+type keyAuth struct{}
+
+// NewkeyAuthHandler creates a handler to convert
+// annotations about keyAuth control to APISIX key-auth plugin.
+func NewKeyAuthHandler() PluginAnnotationsHandler {
+ return &keyAuth{}
+}
+
+func (k *keyAuth) PluginName() string {
+ return "key-auth"
+}
+
+func (k *keyAuth) Handle(e annotations.Extractor) (interface{}, error) {
+ if e.GetStringAnnotation(annotations.AnnotationsAuthType) != "keyAuth" {
+ return nil, nil
+ }
+ plugin := adctypes.KeyAuthConfig{}
+ return &plugin, nil
+}
diff --git a/internal/adc/translator/annotations/plugins/plugins.go
b/internal/adc/translator/annotations/plugins/plugins.go
index 2dd8e5f8..8ebb0fb3 100644
--- a/internal/adc/translator/annotations/plugins/plugins.go
+++ b/internal/adc/translator/annotations/plugins/plugins.go
@@ -40,6 +40,8 @@ var (
NewCorsHandler(),
NewCSRFHandler(),
NewFaultInjectionHandler(),
+ NewBasicAuthHandler(),
+ NewKeyAuthHandler(),
}
)
diff --git a/internal/adc/translator/annotations_test.go
b/internal/adc/translator/annotations_test.go
index c94416d0..9b9c2dd4 100644
--- a/internal/adc/translator/annotations_test.go
+++ b/internal/adc/translator/annotations_test.go
@@ -257,6 +257,28 @@ func TestTranslateIngressAnnotations(t *testing.T) {
},
},
},
+ {
+ name: "auth type basicAuth",
+ anno: map[string]string{
+ annotations.AnnotationsAuthType: "basicAuth",
+ },
+ expected: &IngressConfig{
+ Plugins: adctypes.Plugins{
+ "basic-auth":
&adctypes.BasicAuthConfig{},
+ },
+ },
+ },
+ {
+ name: "auth type keyAuth",
+ anno: map[string]string{
+ annotations.AnnotationsAuthType: "keyAuth",
+ },
+ expected: &IngressConfig{
+ Plugins: adctypes.Plugins{
+ "key-auth": &adctypes.KeyAuthConfig{},
+ },
+ },
+ },
}
for _, tt := range tests {
diff --git a/test/e2e/ingress/annotations.go b/test/e2e/ingress/annotations.go
index ad559528..f7a19a1f 100644
--- a/test/e2e/ingress/annotations.go
+++ b/test/e2e/ingress/annotations.go
@@ -382,6 +382,48 @@ spec:
name: httpbin-service-e2e-test
port:
number: 80
+`
+ ingressKeyAuth = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: key-auth
+ annotations:
+ k8s.apisix.apache.org/auth-type: "keyAuth"
+spec:
+ ingressClassName: %s
+ rules:
+ - host: httpbin.example
+ http:
+ paths:
+ - path: /ip
+ pathType: Exact
+ backend:
+ service:
+ name: httpbin-service-e2e-test
+ port:
+ number: 80
+`
+ ingressBasicAuth = `
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: basic-auth
+ annotations:
+ k8s.apisix.apache.org/auth-type: "basicAuth"
+spec:
+ ingressClassName: %s
+ rules:
+ - host: httpbin.example
+ http:
+ paths:
+ - path: /get
+ pathType: Exact
+ backend:
+ service:
+ name: httpbin-service-e2e-test
+ port:
+ number: 80
`
)
BeforeEach(func() {
@@ -610,5 +652,82 @@ spec:
s.RequestAssert(test)
}
})
+ It("authentication", func() {
+ var (
+ keyAuth = `
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+ name: key
+spec:
+ ingressClassName: %s
+ authParameter:
+ keyAuth:
+ value:
+ key: test-key
+`
+ basicAuth = `
+apiVersion: apisix.apache.org/v2
+kind: ApisixConsumer
+metadata:
+ name: basic
+spec:
+ ingressClassName: %s
+ authParameter:
+ basicAuth:
+ value:
+ username: test-user
+ password: test-password
+`
+ )
+ Expect(s.CreateResourceFromString(fmt.Sprintf(keyAuth,
s.Namespace()))).ShouldNot(HaveOccurred(), "creating ApisixConsumer for
keyAuth")
+
Expect(s.CreateResourceFromString(fmt.Sprintf(basicAuth,
s.Namespace()))).ShouldNot(HaveOccurred(), "creating ApisixConsumer for
basicAuth")
+
Expect(s.CreateResourceFromString(fmt.Sprintf(ingressKeyAuth,
s.Namespace()))).ShouldNot(HaveOccurred(), "creating Ingress")
+
Expect(s.CreateResourceFromString(fmt.Sprintf(ingressBasicAuth,
s.Namespace()))).ShouldNot(HaveOccurred(), "creating Ingress")
+
+ tests := []*scaffold.RequestAssert{
+ {
+ Method: "GET",
+ Path: "/get",
+ Host: "httpbin.example",
+ BasicAuth: &scaffold.BasicAuth{
+ Username: "test-user",
+ Password: "test-password",
+ },
+ Check:
scaffold.WithExpectedStatus(http.StatusOK),
+ },
+ {
+ Method: "GET",
+ Path: "/get",
+ Host: "httpbin.example",
+ BasicAuth: &scaffold.BasicAuth{
+ Username: "invalid-user",
+ Password: "invalid-password",
+ },
+ Check:
scaffold.WithExpectedStatus(http.StatusUnauthorized),
+ },
+ {
+ Method: "GET",
+ Path: "/ip",
+ Host: "httpbin.example",
+ Headers: map[string]string{
+ "apikey": "test-key",
+ },
+ Check:
scaffold.WithExpectedStatus(http.StatusOK),
+ },
+ {
+ Method: "GET",
+ Path: "/ip",
+ Host: "httpbin.example",
+ Headers: map[string]string{
+ "apikey": "invalid-key",
+ },
+ Check:
scaffold.WithExpectedStatus(http.StatusUnauthorized),
+ },
+ }
+ for _, test := range tests {
+ s.RequestAssert(test)
+ }
+ })
})
})
