kubernetes · Dean-Coakley · Aug 11, 2025 · Aug 11, 2025 · Aug 19, 2025 · Aug 19, 2025
diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
@@ -42,50 +42,50 @@ const (
 
 var (
 	authVerifyClientRegex = regexp.MustCompile(`^(on|off|optional|optional_no_ca)$`)
-	redirectRegex         = regexp.MustCompile(`^((https?://)?[A-Za-z0-9\-.]+(:\d+)?)?(/[A-Za-z0-9\-_.]+)*/?$`)
-)
-
-var authTLSAnnotations = parser.Annotation{
-	Group: "authentication",
-	Annotations: parser.AnnotationFields{
-		annotationAuthTLSSecret: {
-			Validator:     parser.ValidateRegex(parser.BasicCharsRegex, true),
-			Scope:         parser.AnnotationScopeLocation,
-			Risk:          parser.AnnotationRiskMedium, // Medium as it allows a subset of chars
-			Documentation: `This annotation defines the secret that contains the certificate chain of allowed certs`,
-		},
-		annotationAuthTLSVerifyClient: {
-			Validator:     parser.ValidateRegex(authVerifyClientRegex, true),
-			Scope:         parser.AnnotationScopeLocation,
-			Risk:          parser.AnnotationRiskMedium, // Medium as it allows a subset of chars
-			Documentation: `This annotation enables verification of client certificates. Can be "on", "off", "optional" or "optional_no_ca"`,
-		},
-		annotationAuthTLSVerifyDepth: {
-			Validator:     parser.ValidateInt,
-			Scope:         parser.AnnotationScopeLocation,
-			Risk:          parser.AnnotationRiskLow,
-			Documentation: `This annotation defines validation depth between the provided client certificate and the Certification Authority chain.`,
-		},
-		annotationAuthTLSErrorPage: {
-			Validator:     parser.ValidateRegex(redirectRegex, true),
-			Scope:         parser.AnnotationScopeLocation,
-			Risk:          parser.AnnotationRiskHigh,
-			Documentation: `This annotation defines the URL/Page that user should be redirected in case of a Certificate Authentication Error`,
+	redirectRegex         = regexp.MustCompile(`^(@[A-Za-z0-9_-]+|((https?://)?[A-Za-z0-9\-.]+(:\d+)?)?(/[A-Za-z0-9\-_.]+)*/?)$`)
+
+	authTLSAnnotations = parser.Annotation{
+		Group: "authentication",
+		Annotations: parser.AnnotationFields{
+			annotationAuthTLSSecret: {
+				Validator:     parser.ValidateRegex(parser.BasicCharsRegex, true),
+				Scope:         parser.AnnotationScopeLocation,
+				Risk:          parser.AnnotationRiskMedium, // Medium as it allows a subset of chars
+				Documentation: `This annotation defines the secret that contains the certificate chain of allowed certs`,
+			},
+			annotationAuthTLSVerifyClient: {
+				Validator:     parser.ValidateRegex(authVerifyClientRegex, true),
+				Scope:         parser.AnnotationScopeLocation,
+				Risk:          parser.AnnotationRiskMedium, // Medium as it allows a subset of chars
+				Documentation: `This annotation enables verification of client certificates. Can be "on", "off", "optional" or "optional_no_ca"`,
+			},
+			annotationAuthTLSVerifyDepth: {
+				Validator:     parser.ValidateInt,
+				Scope:         parser.AnnotationScopeLocation,
+				Risk:          parser.AnnotationRiskLow,
+				Documentation: `This annotation defines validation depth between the provided client certificate and the Certification Authority chain.`,
+			},
+			annotationAuthTLSErrorPage: {
+				Validator:     parser.ValidateRegex(redirectRegex, true),
+				Scope:         parser.AnnotationScopeLocation,
+				Risk:          parser.AnnotationRiskHigh,
+				Documentation: `This annotation defines the URL/Page that user should be redirected in case of a Certificate Authentication Error`,
+			},
+			annotationAuthTLSPassCertToUpstream: {
+				Validator:     parser.ValidateBool,
+				Scope:         parser.AnnotationScopeLocation,
+				Risk:          parser.AnnotationRiskLow,
+				Documentation: `This annotation defines if the received certificates should be passed or not to the upstream server in the header "ssl-client-cert"`,
+			},
+			annotationAuthTLSMatchCN: {
+				Validator:     parser.CommonNameAnnotationValidator,
+				Scope:         parser.AnnotationScopeLocation,
+				Risk:          parser.AnnotationRiskHigh,
+				Documentation: `This annotation adds a sanity check for the CN of the client certificate that is sent over using a string / regex starting with "CN="`,
+			},
 		},
-		annotationAuthTLSPassCertToUpstream: {
-			Validator:     parser.ValidateBool,
-			Scope:         parser.AnnotationScopeLocation,
-			Risk:          parser.AnnotationRiskLow,
-			Documentation: `This annotation defines if the received certificates should be passed or not to the upstream server in the header "ssl-client-cert"`,
-		},
-		annotationAuthTLSMatchCN: {
-			Validator:     parser.CommonNameAnnotationValidator,
-			Scope:         parser.AnnotationScopeLocation,
-			Risk:          parser.AnnotationRiskHigh,
-			Documentation: `This annotation adds a sanity check for the CN of the client certificate that is sent over using a string / regex starting with "CN="`,
-		},
-	},
-}
+	}
+)
 
 // Config contains the AuthSSLCert used for mutual authentication
 // and the configured ValidationDepth
@@ -148,12 +148,12 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
 	var err error
 	config := &Config{}
 
-	tlsauthsecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing, a.annotationConfig.Annotations)
+	authTLSSecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing, a.annotationConfig.Annotations)
 	if err != nil {
 		return &Config{}, err
 	}
 
-	ns, _, err := k8s.ParseNameNS(tlsauthsecret)
+	ns, _, err := k8s.ParseNameNS(authTLSSecret)
 	if err != nil {
 		return &Config{}, ing_errors.NewLocationDenied(err.Error())
 	}
@@ -166,7 +166,7 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
 		return &Config{}, ing_errors.NewLocationDenied("cross namespace secrets are not supported")
 	}
 
-	authCert, err := a.r.GetAuthCertificate(tlsauthsecret)
+	authCert, err := a.r.GetAuthCertificate(authTLSSecret)
 	if err != nil {
 		e := fmt.Errorf("error obtaining certificate: %w", err)
 		return &Config{}, ing_errors.LocationDeniedError{Reason: e}

diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go
@@ -48,14 +48,7 @@ func buildIngress() *networking.Ingress {
 			Namespace: api.NamespaceDefault,
 		},
 		Spec: networking.IngressSpec{
-			DefaultBackend: &networking.IngressBackend{
-				Service: &networking.IngressServiceBackend{
-					Name: "default-backend",
-					Port: networking.ServiceBackendPort{
-						Number: 80,
-					},
-				},
-			},
+			DefaultBackend: &defaultBackend,
 			Rules: []networking.IngressRule{
 				{
 					Host: "foo.bar.com",
@@ -163,15 +156,38 @@ func TestAnnotations(t *testing.T) {
 	if u.ValidationDepth != 2 {
 		t.Errorf("expected %v but got %v", 2, u.ValidationDepth)
 	}
-	if u.ErrorPage != "ok.com/error" {
-		t.Errorf("expected %v but got %v", "ok.com/error", u.ErrorPage)
-	}
 	if u.PassCertToUpstream != true {
 		t.Errorf("expected %v but got %v", true, u.PassCertToUpstream)
 	}
 	if u.MatchCN != "CN=(hello-app|ok|goodbye)" {
 		t.Errorf("expected %v but got %v", "CN=(hello-app|ok|goodbye)", u.MatchCN)
 	}
+
+	for _, tc := range []struct {
+		name      string
+		errorPage string
+		want      string
+	}{
+		{"url redirect", "ok.com/error", "ok.com/error"},
+		{"named redirect numeric", "@401", "@401"},
+		{"named redirect alphanumeric with underscores", "@four_oh_one", "@four_oh_one"},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			data[parser.GetAnnotationWithPrefix(annotationAuthTLSErrorPage)] = tc.errorPage
+			ing.SetAnnotations(data)
+			i, err := NewParser(fakeSecret).Parse(ing)
+			if err != nil {
+				t.Errorf("Unexpected error with ingress: %v", err)
+			}
+			u, ok := i.(*Config)
+			if !ok {
+				t.Errorf("expected *Config but got %v", u)
+			}
+			if u.ErrorPage != tc.want {
+				t.Errorf("expected %v but got %v", tc.want, u.ErrorPage)
+			}
+		})
+	}
 }
 
 func TestInvalidAnnotations(t *testing.T) {