Fix dynamic variable name

kubernetes · Jun 2, 2017 · b70e9ca · b70e9ca
1 parent 32f2438
commit b70e9ca
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
@@ -24,13 +24,15 @@ import (
 	"net"
 	"os"
 	"os/exec"
+	"regexp"
 	"strings"
 	text_template "text/template"
 
 	"k8s.io/apimachinery/pkg/util/sets"
 
 	"github.com/golang/glog"
 
+	"github.com/pborman/uuid"
 	"k8s.io/ingress/controllers/nginx/pkg/config"
 	"k8s.io/ingress/core/pkg/ingress"
 	ing_net "k8s.io/ingress/core/pkg/net"
@@ -136,6 +138,7 @@ var (
 		"buildResolvers":           buildResolvers,
 		"isLocationAllowed":        isLocationAllowed,
 		"buildLogFormatUpstream":   buildLogFormatUpstream,
+		"buildDenyVariable":        buildDenyVariable,
 		"getenv":                   os.Getenv,
 		"contains":                 strings.Contains,
 		"hasPrefix":                strings.HasPrefix,
@@ -372,3 +375,23 @@ func isLocationAllowed(input interface{}) bool {
 
 	return loc.Denied == nil
 }
+
+var (
+	nonAlpha        = regexp.MustCompile("[^a-zA-Z0-9]+")
+	denyPathSlugMap = map[string]string{}
+)
+
+// buildDenyVariable returns a nginx variable for a location in a
+// server to be used in the whitelist check
+// This method uses a unique id generator library to reduce the
+// size of the string to be used as a variable in nginx to avoid
+// issue with the size of the variable bucket size directive
+func buildDenyVariable(a interface{}) string {
+	l := a.(string)
+
+	if _, ok := denyPathSlugMap[l]; !ok {
+		denyPathSlugMap[l] = uuid.New()
+	}
+
+	return fmt.Sprintf("$deny_%v", denyPathSlugMap[l])
+}
diff --git a/controllers/nginx/pkg/template/template_test.go b/controllers/nginx/pkg/template/template_test.go
@@ -198,3 +198,11 @@ func BenchmarkTemplateWithData(b *testing.B) {
 		ngxTpl.Write(dat)
 	}
 }
+
+func TestBuildDenyVariable(t *testing.T) {
+	a := buildDenyVariable("host1.example.com_/.well-known/acme-challenge")
+	b := buildDenyVariable("host1.example.com_/.well-known/acme-challenge")
+	if !reflect.DeepEqual(a, b) {
+		t.Errorf("Expected '%v' but returned '%v'", a, b)
+	}
+}
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -245,7 +245,7 @@ http {
 
     {{ if isLocationAllowed $location }}
     {{ if gt (len $location.Whitelist.CIDR) 0 }}
-    geo $the_real_ip $deny_{{ $server.Hostname }}_{{ $path }} {
+    geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_"  $path) }} {
         default 1;
 
         {{ range $ip := $location.Whitelist.CIDR }}
@@ -337,7 +337,7 @@ http {
 
             {{ if isLocationAllowed $location }}
             {{ if gt (len $location.Whitelist.CIDR) 0 }}
-            if ($deny_{{ $server.Hostname }}_{{ $path }}) {
+            if ({{ buildDenyVariable (print $server.Hostname "_"  $path) }}) {
                 return 403;
             }
             {{ end }}