DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into refactor-stores

Browse source
This commit is contained in:
Manuel Alejandro de Brito Fontes 2017-11-19 16:10:32 -03:00 committed by GitHub
commit 134cd35484
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 52 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
cmd/nginx/main.go
View file

@ -65,7 +65,7 @@ func main() {
ns, name, err := k8s.ParseNameNS(conf.DefaultService) ns, name, err := k8s.ParseNameNS(conf.DefaultService)
if err != nil { if err != nil {
glog.Fatalf("invalid format for service %v: %v", conf.DefaultService, err) glog.Fatal(err)
} }
_, err = kubeClient.CoreV1().Services(ns).Get(name, metav1.GetOptions{}) _, err = kubeClient.CoreV1().Services(ns).Get(name, metav1.GetOptions{})
@ -80,7 +80,7 @@ func main() {
if conf.PublishService != "" { if conf.PublishService != "" {
ns, name, err := k8s.ParseNameNS(conf.PublishService) ns, name, err := k8s.ParseNameNS(conf.PublishService)
if err != nil { if err != nil {
glog.Fatalf("invalid service format: %v", err) glog.Fatal(err)
} }
svc, err := kubeClient.CoreV1().Services(ns).Get(name, metav1.GetOptions{}) svc, err := kubeClient.CoreV1().Services(ns).Get(name, metav1.GetOptions{})
@ -103,7 +103,7 @@ func main() {
if conf.Namespace != "" { if conf.Namespace != "" {
_, err = kubeClient.CoreV1().Namespaces().Get(conf.Namespace, metav1.GetOptions{}) _, err = kubeClient.CoreV1().Namespaces().Get(conf.Namespace, metav1.GetOptions{})
if err != nil { if err != nil {
glog.Fatalf("no watchNamespace with name %v found: %v", conf.Namespace, err) glog.Fatalf("no namespace with name %v found: %v", conf.Namespace, err)
} }
} }
@ -116,10 +116,16 @@ func main() {
if err != nil { if err != nil {
glog.Errorf("Failed to mkdir SSL directory: %v", err) glog.Errorf("Failed to mkdir SSL directory: %v", err)
} }
// create the default SSL certificate (dummy) // create the default SSL certificate (dummy)
sha, pem := createDefaultSSLCertificate() defCert, defKey := ssl.GetFakeSSLCert()
conf.FakeCertificatePath = pem c, err := ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{})
conf.FakeCertificateSHA = sha if err != nil {
glog.Fatalf("Error generating self signed certificate: %v", err)
}
conf.FakeCertificatePath = c.PemFileName
conf.FakeCertificateSHA = c.PemSHA
conf.Client = kubeClient conf.Client = kubeClient
@ -301,6 +307,12 @@ func registerHandlers(enableProfiling bool, port int, ic *controller.NGINXContro
if enableProfiling { if enableProfiling {
mux.HandleFunc("/debug/pprof/", pprof.Index) mux.HandleFunc("/debug/pprof/", pprof.Index)
mux.HandleFunc("/debug/pprof/heap", pprof.Index)
mux.HandleFunc("/debug/pprof/mutex", pprof.Index)
mux.HandleFunc("/debug/pprof/goroutine", pprof.Index)
mux.HandleFunc("/debug/pprof/threadcreate", pprof.Index)
mux.HandleFunc("/debug/pprof/block", pprof.Index)
mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
mux.HandleFunc("/debug/pprof/profile", pprof.Profile) mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol) mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
mux.HandleFunc("/debug/pprof/trace", pprof.Trace) mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
@ -309,16 +321,8 @@ func registerHandlers(enableProfiling bool, port int, ic *controller.NGINXContro
server := &http.Server{ server := &http.Server{
Addr: fmt.Sprintf(":%v", port), Addr: fmt.Sprintf(":%v", port),
Handler: mux, Handler: mux,
ReadTimeout: 10 * time.Second,
WriteTimeout: 30 * time.Second,
} }
glog.Fatal(server.ListenAndServe()) glog.Fatal(server.ListenAndServe())
} }
func createDefaultSSLCertificate() (string, string) {
defCert, defKey := ssl.GetFakeSSLCert()
c, err := ssl.AddOrUpdateCertAndKey(fakeCertificate, defCert, defKey, []byte{})
if err != nil {
glog.Fatalf("Error generating self signed certificate: %v", err)
}
return c.PemSHA, c.PemFileName
}

2
docs/examples/affinity/cookie/README.md
View file

@ -55,7 +55,7 @@ Last-Modified: Tue, 24 Jan 2017 14:02:19 GMT
ETag: "58875e6b-264" ETag: "58875e6b-264"
Accept-Ranges: bytes Accept-Ranges: bytes
``` ```
In the example above, you can see a line containing the 'Set-Cookie: route' setting the right defined stickness cookie. In the example above, you can see a line containing the 'Set-Cookie: route' setting the right defined stickyness cookie.
This cookie is created by NGINX containing the hash of the used upstream in that request. This cookie is created by NGINX containing the hash of the used upstream in that request.
If the user changes this cookie, NGINX creates a new one and redirect the user to another upstream. If the user changes this cookie, NGINX creates a new one and redirect the user to another upstream.

2
docs/examples/customization/custom-vts-metrics-prometheus/README.md
View file

@ -72,7 +72,7 @@ nginx_bytes_total{direction="out",ingress_class="nginx",namespace="",server_zone
### Customize metrics ### Customize metrics
The default [vts vhost key](https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_filter_by_set_key) is `$geoip_country_code country::*` that expose metrics groupped by server and country code. The example below show how to have metrics grouped by server and server path. The default [vts vhost key](https://github.com/vozlt/nginx-module-vts#vhost_traffic_status_filter_by_set_key) is `$geoip_country_code country::*` that expose metrics grouped by server and country code. The example below show how to have metrics grouped by server and server path.
![vts dashboard](imgs/vts-dashboard-filter-key-path.png) ![vts dashboard](imgs/vts-dashboard-filter-key-path.png)

2
docs/examples/docker-registry/README.md
View file

@ -39,7 +39,7 @@ Deploy [kube lego](https://github.com/jetstack/kube-lego) use [Let's Encrypt](ht
### Testing ### Testing
To test the regstry is working correctly we download a known image from [docker hub](https://hub.docker.com), create a tag pointing to the new registry and upload the image: To test the registry is working correctly we download a known image from [docker hub](https://hub.docker.com), create a tag pointing to the new registry and upload the image:
```console ```console
docker pull ubuntu:16.04 docker pull ubuntu:16.04

2
docs/troubleshooting.md
View file

@ -61,7 +61,7 @@ The Ingress controller needs information from apiserver. Therefore, authenticati
2. _Kubeconfig file:_ In some Kubernetes environments service accounts are not available. In this case a manual configuration is required. The Ingress controller binary can be started with the `--kubeconfig` flag. The value of the flag is a path to a file specifying how to connect to the API server. Using the `--kubeconfig` does not requires the flag `--apiserver-host`. 2. _Kubeconfig file:_ In some Kubernetes environments service accounts are not available. In this case a manual configuration is required. The Ingress controller binary can be started with the `--kubeconfig` flag. The value of the flag is a path to a file specifying how to connect to the API server. Using the `--kubeconfig` does not requires the flag `--apiserver-host`.
The format of the file is identical to `~/.kube/config` which is used by kubectl to connect to the API server. See 'kubeconfig' section for details. The format of the file is identical to `~/.kube/config` which is used by kubectl to connect to the API server. See 'kubeconfig' section for details.
3. _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecure api server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/user-guide/kubectl/kubectl_proxy/). 3. _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecured api server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/user-guide/kubectl/kubectl_proxy/).
Please do not use this approach in production. Please do not use this approach in production.
In the diagram below you can see the full authentication flow with all options, starting with the browser In the diagram below you can see the full authentication flow with all options, starting with the browser

8
docs/user-guide/annotations.md
View file

@ -14,6 +14,7 @@ The following annotations are supported:
|[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number| |[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number|
|[ingress.kubernetes.io/auth-tls-verify-client](#certificate-authentication)|string| |[ingress.kubernetes.io/auth-tls-verify-client](#certificate-authentication)|string|
|[ingress.kubernetes.io/auth-tls-error-page](#certificate-authentication)|string| |[ingress.kubernetes.io/auth-tls-error-page](#certificate-authentication)|string|
|[ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream](#certificate-authentication)|string|
|[ingress.kubernetes.io/auth-url](#external-authentication)|string| |[ingress.kubernetes.io/auth-url](#external-authentication)|string|
|[ingress.kubernetes.io/base-url-scheme](#rewrite)|string| |[ingress.kubernetes.io/base-url-scheme](#rewrite)|string|
|[ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string| |[ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
@ -149,6 +150,13 @@ ingress.kubernetes.io/auth-tls-error-page
The URL/Page that user should be redirected in case of a Certificate Authentication Error The URL/Page that user should be redirected in case of a Certificate Authentication Error
```
ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream
```
Indicates if the received certificates should be passed or not to the upstream server.
By default this is disabled.
Please check the [tls-auth](../examples/auth/client-certs/README.md) example. Please check the [tls-auth](../examples/auth/client-certs/README.md) example.
**Important:** **Important:**

4
docs/user-guide/configmap.md
View file

@ -148,7 +148,7 @@ By default this is disabled.
#### enable-owasp-modsecurity-crs #### enable-owasp-modsecurity-crs
Eenables the OWASP ModSecurity Core Rule Set (CRS) Enables the OWASP ModSecurity Core Rule Set (CRS)
By default this is disabled. By default this is disabled.
#### disable-ipv6 #### disable-ipv6
@ -346,7 +346,7 @@ Sets the time during which the specified number of unsuccessful attempts to comm
Enables or disables compression of HTTP responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html). Enables or disables compression of HTTP responses using the ["gzip" module](http://nginx.org/en/docs/http/ngx_http_gzip_module.html).
The default mime type list to compress is: `application/atom+xml application/javascript aplication/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. The default mime type list to compress is: `application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`.
#### use-http2 #### use-http2

4
docs/user-guide/custom-errors.md
View file

@ -6,11 +6,11 @@ Each request to the default backend includes two headers:
- `X-Code` indicates the HTTP code to be returned to the client. - `X-Code` indicates the HTTP code to be returned to the client.
- `X-Format` the value of the `Accept` header. - `X-Format` the value of the `Accept` header.
**Important:** the custom backend must return the correct HTTP status code to be returned. NGINX do not changes the reponse from the custom default backend. **Important:** the custom backend must return the correct HTTP status code to be returned. NGINX do not changes the response from the custom default backend.
Using this two headers is possible to use a custom backend service like [this one](https://github.com/kubernetes/ingress-nginx/tree/master/examples/customization/custom-errors/nginx) that inspect each request and returns a custom error page with the format expected by the client. Please check the example [custom-errors](examples/customization/custom-errors/README.md) Using this two headers is possible to use a custom backend service like [this one](https://github.com/kubernetes/ingress-nginx/tree/master/examples/customization/custom-errors/nginx) that inspect each request and returns a custom error page with the format expected by the client. Please check the example [custom-errors](examples/customization/custom-errors/README.md)
NGINX sends aditional headers that can be used to build custom response: NGINX sends additional headers that can be used to build custom response:
- X-Original-URI - X-Original-URI
- X-Namespace - X-Namespace

2
docs/user-guide/default-ssl-certificate.md
View file

@ -1,6 +1,6 @@
# Default SSL Certificate # Default SSL Certificate
NGINX provides the option to configure a server as a cath-all with [server name _](http://nginx.org/en/docs/http/server_names.html) for requests that do not match any of the configured server names. This configuration works without issues for HTTP traffic. NGINX provides the option to configure a server as a catch-all with [server name _](http://nginx.org/en/docs/http/server_names.html) for requests that do not match any of the configured server names. This configuration works without issues for HTTP traffic.
In case of HTTPS, NGINX requires a certificate. In case of HTTPS, NGINX requires a certificate.
For this reason the Ingress controller provides the flag `--default-ssl-certificate`. The secret behind this flag contains the default certificate to be used in the mentioned scenario. If this flag is not provided NGINX will use a self signed certificate. For this reason the Ingress controller provides the flag `--default-ssl-certificate`. The secret behind this flag contains the default certificate to be used in the mentioned scenario. If this flag is not provided NGINX will use a self signed certificate.

2
docs/user-guide/opentracing.md
View file

@ -37,6 +37,6 @@ $ curl -v http://$(minikube ip)
$ curl -v http://$(minikube ip) $ curl -v http://$(minikube ip)
``` ```
In the zipkin inteface we can see the details: In the zipkin interface we can see the details:
![zipkin screenshot](../images/zipkin-demo.png "zipkin collector screenshot") ![zipkin screenshot](../images/zipkin-demo.png "zipkin collector screenshot")

2
docs/user-guide/tls.md
View file

@ -9,7 +9,7 @@
## Default SSL Certificate ## Default SSL Certificate
NGINX provides the option to configure a server as a cath-all with [server name _](http://nginx.org/en/docs/http/server_names.html) for requests that do not match any of the configured server names. This configuration works without issues for HTTP traffic. NGINX provides the option to configure a server as a catch-all with [server name _](http://nginx.org/en/docs/http/server_names.html) for requests that do not match any of the configured server names. This configuration works without issues for HTTP traffic.
In case of HTTPS, NGINX requires a certificate. In case of HTTPS, NGINX requires a certificate.
For this reason the Ingress controller provides the flag `--default-ssl-certificate`. The secret behind this flag contains the default certificate to be used in the mentioned scenario. If this flag is not provided NGINX will use a self signed certificate. For this reason the Ingress controller provides the flag `--default-ssl-certificate`. The secret behind this flag contains the default certificate to be used in the mentioned scenario. If this flag is not provided NGINX will use a self signed certificate.

2
internal/ingress/status/status.go
View file

@ -342,7 +342,7 @@ func runUpdate(ing *extensions.Ingress, status []apiv1.LoadBalancerIngress,
return true, nil return true, nil
} }
ingClient := client.Extensions().Ingresses(ing.Namespace) ingClient := client.ExtensionsV1beta1().Ingresses(ing.Namespace)
currIng, err := ingClient.Get(ing.Name, metav1.GetOptions{}) currIng, err := ingClient.Get(ing.Name, metav1.GetOptions{})
if err != nil { if err != nil {

6
internal/ingress/status/status_test.go
View file

@ -285,7 +285,7 @@ func TestStatusActions(t *testing.T) {
newIPs := []apiv1.LoadBalancerIngress{{ newIPs := []apiv1.LoadBalancerIngress{{
IP: "11.0.0.2", IP: "11.0.0.2",
}} }}
fooIngress1, err1 := fk.Client.Extensions().Ingresses(apiv1.NamespaceDefault).Get("foo_ingress_1", metav1.GetOptions{}) fooIngress1, err1 := fk.Client.ExtensionsV1beta1().Ingresses(apiv1.NamespaceDefault).Get("foo_ingress_1", metav1.GetOptions{})
if err1 != nil { if err1 != nil {
t.Fatalf("unexpected error") t.Fatalf("unexpected error")
} }
@ -298,7 +298,7 @@ func TestStatusActions(t *testing.T) {
fk.Shutdown() fk.Shutdown()
// ingress should be empty // ingress should be empty
newIPs2 := []apiv1.LoadBalancerIngress{} newIPs2 := []apiv1.LoadBalancerIngress{}
fooIngress2, err2 := fk.Client.Extensions().Ingresses(apiv1.NamespaceDefault).Get("foo_ingress_1", metav1.GetOptions{}) fooIngress2, err2 := fk.Client.ExtensionsV1beta1().Ingresses(apiv1.NamespaceDefault).Get("foo_ingress_1", metav1.GetOptions{})
if err2 != nil { if err2 != nil {
t.Fatalf("unexpected error") t.Fatalf("unexpected error")
} }
@ -307,7 +307,7 @@ func TestStatusActions(t *testing.T) {
t.Fatalf("returned %v but expected %v", fooIngress2CurIPs, newIPs2) t.Fatalf("returned %v but expected %v", fooIngress2CurIPs, newIPs2)
} }
oic, err := fk.Client.Extensions().Ingresses(api.NamespaceDefault).Get("foo_ingress_different_class", metav1.GetOptions{}) oic, err := fk.Client.ExtensionsV1beta1().Ingresses(api.NamespaceDefault).Get("foo_ingress_different_class", metav1.GetOptions{})
if err != nil { if err != nil {
t.Fatalf("unexpected error") t.Fatalf("unexpected error")
} }

4
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -756,7 +756,11 @@ stream {
# Pass the extracted client certificate to the backend # Pass the extracted client certificate to the backend
{{ if not (empty $server.CertificateAuth.CAFileName) }} {{ if not (empty $server.CertificateAuth.CAFileName) }}
{{ if $server.CertificateAuth.PassCertToUpstream }}
proxy_set_header ssl-client-cert $ssl_client_raw_cert; proxy_set_header ssl-client-cert $ssl_client_raw_cert;
{{ else }}
proxy_set_header ssl-client-cert "";
{{ end }}
proxy_set_header ssl-client-verify $ssl_client_verify; proxy_set_header ssl-client-verify $ssl_client_verify;
proxy_set_header ssl-client-dn $ssl_client_s_dn; proxy_set_header ssl-client-dn $ssl_client_s_dn;
{{ else }} {{ else }}

6
test/e2e/e2e.go
View file

@ -28,9 +28,9 @@ import (
"k8s.io/ingress-nginx/test/e2e/framework" "k8s.io/ingress-nginx/test/e2e/framework"
// _ "k8s.io/ingress-nginx/test/e2e/annotations" _ "k8s.io/ingress-nginx/test/e2e/annotations"
// _ "k8s.io/ingress-nginx/test/e2e/defaultbackend" _ "k8s.io/ingress-nginx/test/e2e/defaultbackend"
// _ "k8s.io/ingress-nginx/test/e2e/settings" _ "k8s.io/ingress-nginx/test/e2e/settings"
_ "k8s.io/ingress-nginx/test/e2e/ssl" _ "k8s.io/ingress-nginx/test/e2e/ssl"
) )