diff --git a/.gcloudignore b/.gcloudignore new file mode 100644 index 000000000..e69de29bb diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 469e00834..e15a2cd2b 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -60,7 +60,7 @@ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --vers - **How was the ingress-nginx-controller installed**: - If helm was used then please show output of `helm ls -A | grep -i ingress` - - If helm was used then please show output of `helm -n get values ` + - If helm was used then please show output of `helm -n get values ` - If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used - if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances @@ -71,7 +71,7 @@ kubectl exec -it $POD_NAME -n $POD_NAMESPACE -- /nginx-ingress-controller --vers - `kubectl -n describe svc ` - **Current state of ingress object, if applicable**: - - `kubectl -n get all,ing -o wide` + - `kubectl -n get all,ing -o wide` - `kubectl -n describe ing ` - If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the reponse to the curl/grpcurl command with the -v flag diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index 0e892d626..406a7ad0a 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -7,16 +7,6 @@ assignees: '' --- - - diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index e3781887a..c1c815678 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,5 +1,6 @@ + ## What this PR does / why we need it: @@ -33,36 +34,3 @@ fixes # - [ ] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide - [ ] I have added unit and/or e2e tests to cover my changes. - [ ] All new and existing tests passed. -- [ ] Added Release Notes. - -## Does my pull request need a release note? -Any user-visible or operator-visible change qualifies for a release note. This could be a: - -- CLI change -- API change -- UI change -- configuration schema change -- behavioral change -- change in non-functional attributes such as efficiency or availability, availability of a new platform -- a warning about a deprecation -- fix of a previous Known Issue -- fix of a vulnerability (CVE) - -No release notes are required for changes to the following: - -- Tests -- Build infrastructure -- Fixes for unreleased bugs - -For more tips on writing good release notes, check out the [Release Notes Handbook](https://github.com/kubernetes/sig-release/tree/master/release-team/role-handbooks/release-notes) - - -```release-note -PLACE RELEASE NOTES HERE -``` diff --git a/.github/actions/mkdocs/Dockerfile b/.github/actions/mkdocs/Dockerfile index b5b564d3e..378128978 100644 --- a/.github/actions/mkdocs/Dockerfile +++ b/.github/actions/mkdocs/Dockerfile @@ -1,6 +1,4 @@ -FROM squidfunk/mkdocs-material:6.2.4 - -RUN pip install mkdocs-awesome-pages-plugin +FROM squidfunk/mkdocs-material:9.4.5 COPY action.sh /action.sh diff --git a/.github/actions/mkdocs/action.sh b/.github/actions/mkdocs/action.sh index 07ddbddb9..d9f8ecbfc 100644 --- a/.github/actions/mkdocs/action.sh +++ b/.github/actions/mkdocs/action.sh @@ -16,7 +16,7 @@ set -e -REQUIREMENTS="${GITHUB_WORKSPACE}/requirements.txt" +REQUIREMENTS="${GITHUB_WORKSPACE}/docs/requirements.txt" if [ -f "${REQUIREMENTS}" ]; then pip install -r "${REQUIREMENTS}" diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 28a5e5580..5ad21ca95 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -17,3 +17,11 @@ updates: - "area/dependency" - "release-note-none" - "ok-to-test" + - package-ecosystem: "docker" + directory: "/images" + schedule: + interval: "weekly" + labels: + - "area/dependency" + - "release-note-none" + - "ok-to-test" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 61f5970db..0fb0a7e8c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -7,13 +7,19 @@ on: paths-ignore: - 'docs/**' - 'deploy/**' + - '**.md' + - 'images/**' # Images changes should be tested on their own workflow + - '!images/nginx-1.25/**' push: branches: - main + - release-* paths-ignore: - 'docs/**' - 'deploy/**' + - '**.md' + - 'images/**' # Images changes should be tested on their own workflow workflow_dispatch: inputs: @@ -22,6 +28,7 @@ on: required: false type: boolean + permissions: contents: read @@ -35,13 +42,14 @@ jobs: outputs: go: ${{ steps.filter.outputs.go }} charts: ${{ steps.filter.outputs.charts }} + baseimage: ${{ steps.filter.outputs.baseimage }} steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 + - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} @@ -58,60 +66,8 @@ jobs: - 'charts/ingress-nginx/Chart.yaml' - 'charts/ingress-nginx/**/*' - 'NGINX_BASE' - - - security: - runs-on: ubuntu-latest - steps: - - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - - name: Run Gosec Security Scanner - uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # v2.14.0 - with: - # G601 for zz_generated.deepcopy.go - # G306 TODO: Expect WriteFile permissions to be 0600 or less - # G307 TODO: Deferring unsafe method "Close" - args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ ./... - - lint: - runs-on: ubuntu-latest - needs: changes - if: | - (needs.changes.outputs.go == 'true') - steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - - name: Set up Go - id: go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 - with: - go-version: '1.19' - check-latest: true - - - name: Run Lint - run: ./hack/verify-golint.sh - - gofmt: - runs-on: ubuntu-latest - needs: changes - if: | - (needs.changes.outputs.go == 'true') - steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - - name: Set up Go - id: go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 - with: - go-version: '1.19' - check-latest: true - - - name: Run go-fmt - run: ./hack/verify-gofmt.sh + baseimage: + - 'images/nginx-1.25/**' test-go: runs-on: ubuntu-latest @@ -120,13 +76,16 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Get go version + run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV + - name: Set up Go id: go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: '1.19' + go-version: ${{ env.GOLANG_VERSION }} check-latest: true - name: Run test @@ -136,26 +95,35 @@ jobs: name: Build runs-on: ubuntu-latest needs: changes + outputs: + golangversion: ${{ steps.golangversion.outputs.version }} if: | - (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} - + (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') + + env: + PLATFORMS: linux/amd64 steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Get go version + id: golangversion + run: | + echo "version=$(cat GOLANG_VERSION)" >> "$GITHUB_OUTPUT" - name: Set up Go id: go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: '1.19' + go-version: ${{ steps.golangversion.outputs.version }} check-latest: true - name: Set up QEMU - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: version: latest @@ -164,12 +132,17 @@ jobs: - name: Prepare Host run: | - sudo apt-get -qq update || true - sudo apt-get install -y pigz - curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.25.5/bin/linux/amd64/kubectl + curl -LO https://dl.k8s.io/release/v1.27.3/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl - + + - name: Build NGINX Base image + if: | + needs.changes.outputs.baseimage == 'true' + run: | + export TAG=$(cat images/nginx-1.25/TAG) + cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t gcr.io/k8s-staging-ingress-nginx/nginx-1.25:${TAG} . + - name: Build images env: TAG: 1.0.0-dev @@ -177,7 +150,8 @@ jobs: REGISTRY: ingress-controller run: | echo "building images..." - make clean-image build image image-chroot + export TAGNGINX=$(cat images/nginx-1.25/TAG) + make BASE_IMAGE=gcr.io/k8s-staging-ingress-nginx/nginx-1.25:${TAGNGINX} clean-image build image image-chroot make -C test/e2e-image image echo "creating images cache..." @@ -185,14 +159,14 @@ jobs: nginx-ingress-controller:e2e \ ingress-controller/controller:1.0.0-dev \ ingress-controller/controller-chroot:1.0.0-dev \ - | pigz > docker.tar.gz + | gzip > docker.tar.gz - name: cache - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: docker.tar.gz path: docker.tar.gz - + retention-days: 5 helm: name: Helm chart runs-on: ubuntu-latest @@ -200,24 +174,32 @@ jobs: - changes - build if: | - (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} + (needs.changes.outputs.charts == 'true') || (needs.changes.outputs.baseimage == 'true') strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.26.6, v1.27.3, v1.28.0, v1.29.0] steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: '1.19' + go-version: ${{ needs.build.outputs.golangversion }} check-latest: true + - name: Install Helm Unit Test Plugin + run: | + helm plugin install https://github.com/helm-unittest/helm-unittest + + - name: Run Helm Unit Tests + run: | + helm unittest charts/ingress-nginx -d + - name: cache - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 with: name: docker.tar.gz @@ -254,241 +236,61 @@ jobs: run: | kind create cluster --image=kindest/node:${{ matrix.k8s }} - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 - with: - name: docker.tar.gz - failOnError: false - - name: Load images from cache run: | echo "loading docker images..." - pigz -dc docker.tar.gz | docker load + gzip -dc docker.tar.gz | docker load - name: Test env: KIND_CLUSTER_NAME: kind SKIP_CLUSTER_CREATION: true SKIP_IMAGE_CREATION: true + SKIP_INGRESS_IMAGE_CREATION: true run: | kind get kubeconfig > $HOME/.kube/kind-config-kind make kind-e2e-chart-tests kubernetes: name: Kubernetes - runs-on: ubuntu-latest needs: - changes - build if: | - (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} - + (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] + k8s: [v1.26.6, v1.27.3, v1.28.0, v1.29.0] + uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml + with: + k8s-version: ${{ matrix.k8s }} - steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - - name: cache - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 - with: - name: docker.tar.gz - - - name: Create Kubernetes ${{ matrix.k8s }} cluster - id: kind - run: | - kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml - - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 - with: - name: docker.tar.gz - failOnError: false - - - name: Load images from cache - run: | - echo "loading docker images..." - pigz -dc docker.tar.gz | docker load - - - name: Run e2e tests - env: - KIND_CLUSTER_NAME: kind - SKIP_CLUSTER_CREATION: true - SKIP_IMAGE_CREATION: true - run: | - kind get kubeconfig > $HOME/.kube/kind-config-kind - make kind-e2e-test - - - name: Uplaod e2e junit-reports - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 - if: success() || failure() - with: - name: e2e-test-reports-${{ matrix.k8s }} - path: 'test/junitreports/report*.xml' + kubernetes-validations: + name: Kubernetes with Validations + needs: + - changes + - build + if: | + (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') + strategy: + matrix: + k8s: [v1.26.6, v1.27.3, v1.28.0, v1.29.0] + uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml + with: + k8s-version: ${{ matrix.k8s }} + variation: "VALIDATIONS" kubernetes-chroot: name: Kubernetes chroot - runs-on: ubuntu-latest needs: - changes - build if: | - (needs.changes.outputs.go == 'true') || ${{ inputs.run_e2e }} - + (needs.changes.outputs.go == 'true') || (needs.changes.outputs.baseimage == 'true') strategy: matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] - - steps: - - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - - name: cache - uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1 - with: - name: docker.tar.gz - - - name: Create Kubernetes ${{ matrix.k8s }} cluster - id: kind - run: | - kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml - - - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0 - with: - name: docker.tar.gz - failOnError: false - - - name: Load images from cache - run: | - echo "loading docker images..." - pigz -dc docker.tar.gz | docker load - - - name: Run e2e tests - env: - KIND_CLUSTER_NAME: kind - SKIP_CLUSTER_CREATION: true - SKIP_IMAGE_CREATION: true - IS_CHROOT: true - run: | - kind get kubeconfig > $HOME/.kube/kind-config-kind - make kind-e2e-test - - - name: Uplaod e2e junit-reports - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 - if: success() || failure() - with: - name: e2e-test-reports-chroot-${{ matrix.k8s }} - path: 'test/junitreports/report*.xml' - - - test-image-build: - permissions: - contents: read # for dorny/paths-filter to fetch a list of changed files - pull-requests: read # for dorny/paths-filter to read pull requests - runs-on: ubuntu-latest - env: - PLATFORMS: linux/amd64,linux/arm64 - steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: filter-images - with: - token: ${{ secrets.GITHUB_TOKEN }} - filters: | - custom-error-pages: - - 'images/custom-error-pages/**' - cfssl: - - 'images/cfssl/**' - fastcgi-helloserver: - - 'images/fastcgi-helloserver/**' - echo: - - 'images/echo/**' - go-grpc-greeter-server: - - 'images/go-grpc-greeter-server/**' - httpbin: - - 'images/httpbin/**' - kube-webhook-certgen: - - 'images/kube-webhook-certgen/**' - ext-auth-example-authsvc: - - 'images/ext-auth-example-authsvc/**' - - - name: custom-error-pages image build - if: ${{ steps.filter-images.outputs.custom-error-pages == 'true' }} - run: | - cd images/custom-error-pages && make build - - name: cfssl image build - if: ${{ steps.filter-images.outputs.cfssl == 'true' }} - run: | - cd images/cfssl && make build - - name: fastcgi-helloserver - if: ${{ steps.filter-images.outputs.fastcgi-helloserver == 'true' }} - run: | - cd images/fastcgi-helloserver && make build - - name: echo image build - if: ${{ steps.filter-images.outputs.echo == 'true' }} - run: | - cd images/echo && make build - - name: go-grpc-greeter-server image build - if: ${{ steps.filter-images.outputs.go-grpc-greeter-server == 'true' }} - run: | - cd images/go-grpc-greeter-server && make build - - name: httpbin image build - if: ${{ steps.filter-images.outputs.httpbin == 'true' }} - run: | - cd images/httpbin && make build - - name: kube-webhook-certgen image build - if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - run: | - cd images/kube-webhook-certgen && make build - - name: ext-auth-example-authsvc - if: ${{ steps.filter-images.outputs.ext-auth-example-authsvc == 'true' }} - run: | - cd images/ext-auth-example-authsvc && make build - - test-image: - permissions: - contents: read # for dorny/paths-filter to fetch a list of changed files - pull-requests: read # for dorny/paths-filter to read pull requests - - runs-on: ubuntu-latest - - env: - PLATFORMS: linux/amd64 - - strategy: - matrix: - k8s: [v1.23.13, v1.24.7, v1.25.3, v1.26.0] - - steps: - - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 - - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 - id: filter-images - with: - token: ${{ secrets.GITHUB_TOKEN }} - filters: | - kube-webhook-certgen: - - 'images/kube-webhook-certgen/**' - - - name: Create Kubernetes cluster - id: kind - if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - run: | - kind create cluster --image=kindest/node:${{ matrix.k8s }} - - - name: Set up Go - id: go - if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 - with: - go-version: '1.19' - check-latest: true - - - name: kube-webhook-certgen image build - if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - run: | - cd images/kube-webhook-certgen && make test test-e2e + k8s: [v1.26.6, v1.27.3, v1.28.0, v1.29.0] + uses: ./.github/workflows/zz-tmpl-k8s-e2e.yaml + with: + k8s-version: ${{ matrix.k8s }} + variation: "CHROOT" diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 758e4b95f..68822744d 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: 'Dependency Review' - uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # v3.0.2 + uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 241921ecf..18aac62ac 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,9 +23,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 + - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml new file mode 100644 index 000000000..16c3fe8fc --- /dev/null +++ b/.github/workflows/golangci-lint.yml @@ -0,0 +1,34 @@ +name: golangci-lint + +on: + pull_request: + branches: + - "*" + paths: + - '**/*.go' + +permissions: + contents: read + +jobs: + golangci: + name: lint + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Get go version + run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV + + - name: Set up Go + id: go + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GOLANG_VERSION }} + check-latest: true + + - name: golangci-lint + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 + with: + version: v1.55.2 diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 5d96507a1..46327244a 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -23,9 +23,21 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 + - name: Run Artifact Hub lint + run: | + wget https://github.com/artifacthub/hub/releases/download/v1.5.0/ah_1.5.0_linux_amd64.tar.gz + echo 'ad0e44c6ea058ab6b85dbf582e88bad9fdbc64ded0d1dd4edbac65133e5c87da *ah_1.5.0_linux_amd64.tar.gz' | shasum -c + tar -xzvf ah_1.5.0_linux_amd64.tar.gz ah + ./ah lint -p charts/ingress-nginx || exit 1 + rm -f ./ah ./ah_1.5.0_linux_amd64.tar.gz + + - name: Lint + run: | + ./build/run-in-docker.sh ./hack/verify-chart-lint.sh + + - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0 id: filter with: token: ${{ secrets.GITHUB_TOKEN }} @@ -49,7 +61,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 @@ -61,9 +73,9 @@ jobs: git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Helm Chart Releaser - uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f # v1.4.1 + uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 env: - CR_SKIP_EXISTING: "false" + CR_SKIP_EXISTING: true CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}" with: diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml new file mode 100644 index 000000000..71e3a81e6 --- /dev/null +++ b/.github/workflows/images.yaml @@ -0,0 +1,241 @@ +name: Container Images + +on: + pull_request: + branches: + - "*" + paths: + - 'images/**' + + push: + branches: + - main + paths: + - 'images/**' + +permissions: + contents: write + packages: write + +env: + PLATFORMS: linux/amd64 + +jobs: + changes: + permissions: + contents: read # for dorny/paths-filter to fetch a list of changed files + pull-requests: read # for dorny/paths-filter to read pull requests + runs-on: ubuntu-latest + outputs: + custom-error-pages: ${{ steps.filter.outputs.custom-error-pages }} + cfssl: ${{ steps.filter.outputs.cfssl }} + fastcgi-helloserver: ${{ steps.filter.outputs.fastcgi-helloserver }} + e2e-test-echo: ${{ steps.filter.outputs.e2e-test-echo }} + go-grpc-greeter-server: ${{ steps.filter.outputs.go-grpc-greeter-server }} + httpbun: ${{ steps.filter.outputs.httpbun }} + kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }} + ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }} + nginx: ${{ steps.filter.outputs.nginx }} + nginx125: ${{ steps.filter.outputs.nginx125 }} + opentelemetry: ${{ steps.filter.outputs.opentelemetry }} + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0 + id: filter + with: + token: ${{ secrets.GITHUB_TOKEN }} + filters: | + custom-error-pages: + - 'images/custom-error-pages/**' + cfssl: + - 'images/cfssl/**' + fastcgi-helloserver: + - 'images/fastcgi-helloserver/**' + e2e-test-echo: + - 'images/e2e-test-echo/**' + go-grpc-greeter-server: + - 'images/go-grpc-greeter-server/**' + httpbun: + - 'images/httpbun/**' + kube-webhook-certgen: + - 'images/kube-webhook-certgen/**' + ext-auth-example-authsvc: + - 'images/ext-auth-example-authsvc/**' + nginx: + - 'images/nginx/**' + opentelemetry: + - 'images/opentelemetry/**' + nginx125: + - 'images/nginx-1.25/TAG' + + #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here) + cfssl: + needs: changes + if: | + (needs.changes.outputs.cfssl == 'true') + uses: ./.github/workflows/zz-tmpl-images.yaml + with: + name: cfssl + secrets: inherit + + custom-error-pages: + needs: changes + if: | + (needs.changes.outputs.custom-error-pages == 'true') + uses: ./.github/workflows/zz-tmpl-images.yaml + with: + name: custom-error-pages + secrets: inherit + + + e2e-test-echo: + needs: changes + if: | + (needs.changes.outputs.e2e-test-echo == 'true') + uses: ./.github/workflows/zz-tmpl-images.yaml + with: + name: e2e-test-echo + secrets: inherit + + ext-auth-example-authsvc: + needs: changes + if: | + (needs.changes.outputs.ext-auth-example-authsvc == 'true') + uses: ./.github/workflows/zz-tmpl-images.yaml + with: + name: ext-auth-example-authsvc + secrets: inherit + + fastcgi-helloserver: + needs: changes + if: | + (needs.changes.outputs.fastcgi-helloserver == 'true') + uses: ./.github/workflows/zz-tmpl-images.yaml + with: + name: fastcgi-helloserver + secrets: inherit + + go-grpc-greeter-server: + needs: changes + if: | + (needs.changes.outputs.go-grpc-greeter-server == 'true') + uses: ./.github/workflows/zz-tmpl-images.yaml + with: + name: go-grpc-greeter-server + secrets: inherit + + httpbun: + needs: changes + if: | + (needs.changes.outputs.httpbun == 'true') + uses: ./.github/workflows/zz-tmpl-images.yaml + with: + name: httpbun + secrets: inherit + + kube-webhook-certgen: + runs-on: ubuntu-latest + needs: changes + if: | + (needs.changes.outputs.kube-webhook-certgen == 'true') + strategy: + matrix: + k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0, v1.29.0] + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Get go version + run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV + + - name: Set up Go + id: go + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GOLANG_VERSION }} + check-latest: true + - name: image build + run: | + cd images/ && make NAME=kube-webhook-certgen build + - name: Create Kubernetes cluster + id: kind + run: | + kind create cluster --image=kindest/node:${{ matrix.k8s }} + - name: image test + run: | + cd images/ && make NAME=kube-webhook-certgen test test-e2e + + nginx: + runs-on: ubuntu-latest + needs: changes + if: | + (needs.changes.outputs.nginx == 'true') + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: nginx-base-image + run: | + cd images/nginx/rootfs && docker build -t docker.io/nginx-test-workflow/nginx:${{ github.sha }} . + - name: Run Trivy on NGINX Image + uses: aquasecurity/trivy-action@master + with: + image-ref: 'docker.io/nginx-test-workflow/nginx:${{ github.sha }}' + format: 'sarif' + ignore-unfixed: true + output: 'trivy-results.sarif' + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3.23.2 + with: + sarif_file: 'trivy-results.sarif' + + opentelemetry: + runs-on: ubuntu-latest + env: + PLATFORMS: linux/amd64,linux/arm,linux/arm64 + needs: changes + if: | + (needs.changes.outputs.opentelemetry == 'true') + strategy: + matrix: + nginx: ['1.25.3', '1.21.6'] + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: image build + run: | + cd images/opentelemetry && make NGINX_VERSION=${{ matrix.nginx }} build + + nginx125: + permissions: + contents: write + packages: write + runs-on: ubuntu-latest + needs: changes + if: | + (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx125 == 'true') + env: + PLATFORMS: linux/amd64,linux/arm,linux/arm64 + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Set up QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + - name: Set up Docker Buildx + id: buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + with: + version: latest + platforms: ${{ env.PLATFORMS }} + - name: Login to GitHub Container Registry + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: build-image + run: | + export TAG=$(cat images/nginx-1.25/TAG) + cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx-1.25:${TAG} . + + \ No newline at end of file diff --git a/.github/workflows/junit-reports.yaml b/.github/workflows/junit-reports.yaml index eb25bbeca..3b3318def 100644 --- a/.github/workflows/junit-reports.yaml +++ b/.github/workflows/junit-reports.yaml @@ -9,9 +9,10 @@ jobs: report: runs-on: ubuntu-latest steps: - - uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0 + - uses: dorny/test-reporter@eaa763f6ffc21c7a37837f56cd5f9737f27fc6c8 # v1.8.0 with: artifact: /e2e-test-reports-(.*)/ name: JEST Tests $1 # Name of the check run which will be created path: 'report*.xml' # Path to test results (inside artifact .zip) reporter: jest-junit # Format of test results + fail-on-empty: 'true' diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index 89dfdfad6..7f62fedf4 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install K6 run: | diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index 779cd1da8..fe99b2444 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -1,13 +1,8 @@ name: kubectl plugin on: - push: - branches: - - "main" - paths: - - "cmd/plugin/**" - tags: - - "v*" + release: + types: [published] permissions: contents: write # for goreleaser/goreleaser-action @@ -17,25 +12,39 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 + - name: Get go version + run: echo "GOLANG_VERSION=$(cat GOLANG_VERSION)" >> $GITHUB_ENV + - name: Set up Go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: 1.19 + go-version: ${{ env.GOLANG_VERSION }} check-latest: true - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0 + - name: Run GoReleaser Snapshot + if: ${{ ! startsWith(github.ref, 'refs/tags/') }} + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest - args: release --rm-dist + args: release --snapshot --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Run GoReleaser + if: ${{ startsWith(github.ref, 'refs/tags/') }} + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 + with: + version: latest + args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Update new version in krew-index - uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # v0.0.43 + if: ${{ startsWith(github.ref, 'refs/tags/') }} + uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46 with: krew_template_file: cmd/plugin/krew.yaml diff --git a/.github/workflows/project.yml b/.github/workflows/project.yml index d75435712..95537e16c 100644 --- a/.github/workflows/project.yml +++ b/.github/workflows/project.yml @@ -13,7 +13,7 @@ jobs: repository-projects: write issues: write steps: - - uses: actions/add-to-project@960fbad431afda394cfcf8743445e741acd19e85 # v0.4.0 + - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0 with: project-url: https://github.com/orgs/kubernetes/projects/104 github-token: ${{ secrets.PROJECT_WRITER }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 6af70e691..7544e3fb3 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -27,12 +27,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif @@ -51,7 +51,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 with: name: SARIF file path: results.sarif @@ -59,6 +59,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37 + uses: github/codeql-action/upload-sarif@25f779c0f271790cfca54f1c5e868acc372ba6f1 # v2.1.37 with: sarif_file: results.sarif diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml new file mode 100644 index 000000000..a7c245295 --- /dev/null +++ b/.github/workflows/stale.yaml @@ -0,0 +1,24 @@ +name: 'Stale Issues and PRs' + +on: + schedule: + - cron: '30 1 * * *' + +jobs: + stale: + runs-on: ubuntu-latest + + permissions: + issues: write + pull-requests: write + + steps: + - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 + with: + stale-issue-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." + stale-pr-message: "This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach `#ingress-nginx-dev` on Kubernetes Slack." + stale-issue-label: lifecycle/frozen + stale-pr-label: lifecycle/frozen + days-before-issue-stale: 30 + days-before-pr-stale: 45 + days-before-close: -1 # dont not close issues/prs diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index 67fad3187..d805103a3 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 @@ -42,7 +42,7 @@ jobs: echo "${SHORT_TAGS[0]},${SHORT_TAGS[1]},${SHORT_TAGS[2]}" TAGS_JSON="[\"${SHORT_TAGS[0]}\",\"${SHORT_TAGS[1]}\",\"${SHORT_TAGS[2]}\"]" echo "${TAGS_JSON}" - echo "::set-output name=TAGS::${TAGS_JSON}" + echo "TAGS=${TAGS_JSON}" >> $GITHUB_OUTPUT scan: runs-on: ubuntu-latest @@ -52,7 +52,7 @@ jobs: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - name: Checkout code - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - shell: bash id: test @@ -60,7 +60,7 @@ jobs: - name: Scan image with AquaSec/Trivy id: scan - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0 + uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1 with: image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' @@ -75,7 +75,7 @@ jobs: # This step checks out a copy of your repository. - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37 + uses: github/codeql-action/upload-sarif@25f779c0f271790cfca54f1c5e868acc372ba6f1 # v2.1.37 with: token: ${{ github.token }} # Path to SARIF file relative to the root of the repository diff --git a/.github/workflows/zz-tmpl-images.yaml b/.github/workflows/zz-tmpl-images.yaml new file mode 100644 index 000000000..c96c97350 --- /dev/null +++ b/.github/workflows/zz-tmpl-images.yaml @@ -0,0 +1,81 @@ +#### THIS IS A TEMPLATE #### +# This workflow is created to be a template for every time an e2e teest is required, + +on: + workflow_call: + inputs: + name: + required: true + type: string + platforms-test: + type: string + default: linux/amd64 + platforms-publish: + type: string + default: linux/amd64 + +env: + PLATFORMS: ${{ inputs.platforms-test }} + +permissions: + contents: write + packages: write + +jobs: + changestag: + permissions: + contents: read # for dorny/paths-filter to fetch a list of changed files + runs-on: ubuntu-latest + outputs: + tag: ${{ steps.filter.outputs.tag }} + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: dorny/paths-filter@0bc4621a3135347011ad047f9ecf449bf72ce2bd # v3.0.0 + id: filter + with: + token: ${{ secrets.GITHUB_TOKEN }} + filters: | + tag: + - 'images/**/TAG' + + image-build: + name: Build + runs-on: ubuntu-latest + permissions: + contents: read + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Build + run: | + cd images/ && make NAME=${{ inputs.name }} build + + image-push: + name: Push + needs: changestag + if: | + (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository == 'kubernetes/ingress-nginx' && needs.changestag.outputs.tag == 'true') + runs-on: ubuntu-latest + permissions: + contents: write + packages: write + env: + PLATFORMS: ${{ inputs.platforms-publish }} + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Login to GitHub Container Registry + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Push + run: | + cd images/ && make REGISTRY=ingressnginx NAME=${{ inputs.name }} push + diff --git a/.github/workflows/zz-tmpl-k8s-e2e.yaml b/.github/workflows/zz-tmpl-k8s-e2e.yaml new file mode 100644 index 000000000..6943a0854 --- /dev/null +++ b/.github/workflows/zz-tmpl-k8s-e2e.yaml @@ -0,0 +1,58 @@ +#### THIS IS A TEMPLATE #### +# This workflow is created to be a template for every time an e2e teest is required, + +on: + workflow_call: + inputs: + k8s-version: + required: true + type: string + variation: + type: string + +permissions: + contents: read + +jobs: + kubernetes: + name: Kubernetes ${{ inputs.variation }} + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: cache + uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 + with: + name: docker.tar.gz + + - name: Create Kubernetes ${{ inputs.k8s-version }} cluster + id: kind + run: | + kind create cluster --image=kindest/node:${{ inputs.k8s-version }} --config test/e2e/kind.yaml + + - name: Load images from cache + run: | + echo "loading docker images..." + gzip -dc docker.tar.gz | docker load + + - name: Run e2e tests ${{ inputs.variation }} + env: + KIND_CLUSTER_NAME: kind + SKIP_CLUSTER_CREATION: true + SKIP_INGRESS_IMAGE_CREATION: true + SKIP_E2E_IMAGE_CREATION: true + ENABLE_VALIDATIONS: ${{ inputs.variation == 'VALIDATIONS' }} + IS_CHROOT: ${{ inputs.variation == 'CHROOT' }} + run: | + kind get kubeconfig > $HOME/.kube/kind-config-kind + make kind-e2e-test + + - name: Upload e2e junit-reports ${{ inputs.variation }} + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 + if: success() || failure() + with: + name: e2e-test-reports-${{ inputs.k8s-version }}${{ inputs.variation }} + path: 'test/junitreports/report*.xml' + diff --git a/.gitignore b/.gitignore index 2c0accad7..73108f627 100644 --- a/.gitignore +++ b/.gitignore @@ -60,3 +60,5 @@ cmd/plugin/release/ingress-nginx.yaml cmd/plugin/release/*.tar.gz cmd/plugin/release/LICENSE tmp/ +test/junitreports/ +tests/__snapshot__ diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 000000000..5da8f0399 --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,241 @@ +run: + timeout: 10m + allow-parallel-runners: true + + # Maximum issues count per one linter. Set to 0 to disable. Default is 50. + max-issues-per-linter: 0 + + # Maximum count of issues with the same text. Set to 0 to disable. Default is 3. + max-same-issues: 0 +linters: + disable-all: true + enable: + - asasalint + - asciicheck + - bidichk + - bodyclose + - contextcheck + - decorder + - dogsled + - dupl + - durationcheck + - errcheck + - errchkjson + - errname + - execinquery + - ginkgolinter + - gocheckcompilerdirectives + - goconst + - gocritic + - gocyclo + - godox + - gofmt + - gofumpt + - goheader + - goimports + - gomoddirectives + - gomodguard + - goprintffuncname + - gosec + - gosimple + - govet + - grouper + - importas + - ineffassign + - loggercheck + - makezero + - misspell + - musttag + - nakedret + - nolintlint + - nosprintfhostport + - prealloc + - predeclared + - promlinter + - reassign + - revive + - rowserrcheck + - sqlclosecheck + - staticcheck + - stylecheck + - tenv + - testableexamples + - typecheck + - unconvert + - unparam + - unused + - usestdlibvars + - whitespace + # - containedctx + # - cyclop + # - dupword + # - errorlint + # - exhaustive + # - exhaustruct + # - exportloopref + # - forbidigo + # - forcetypeassert + # - funlen + # - gci + # - gochecknoglobals + # - gochecknoinits + # - gocognit + # - godot + # - goerr113 + # - gomnd + # - interfacebloat + # - ireturn + # - lll + # - maintidx + # - nestif + # - nilerr + # - nilnil + # - nlreturn + # - noctx + # - nonamedreturns + # - paralleltest + # - tagliatelle + # - testpackage + # - thelper + # - tparallel + # - varnamelen + # - wastedassign + # - wrapcheck + # - wsl +linters-settings: + gocyclo: + min-complexity: 40 + godox: + keywords: + - BUG + - FIXME + - HACK + errcheck: + check-type-assertions: true + check-blank: true + gocritic: + enabled-checks: + # Diagnostic + - appendAssign + - argOrder + - badCall + - badCond + - badLock + - badRegexp + - badSorting + - builtinShadowDecl + - caseOrder + - codegenComment + - commentedOutCode + - deferInLoop + - deprecatedComment + - dupArg + - dupBranchBody + - dupCase + - dupSubExpr + - dynamicFmtString + - emptyDecl + - evalOrder + - exitAfterDefer + - externalErrorReassign + - filepathJoin + - flagDeref + - flagName + - mapKey + - nilValReturn + - offBy1 + - regexpPattern + - returnAfterHttpError + - sloppyReassign + - sloppyTypeAssert + - sortSlice + - sprintfQuotedString + - sqlQuery + - syncMapLoadAndDelete + - truncateCmp + - unnecessaryDefer + - weakCond + + # Performance + - appendCombine + - equalFold + - hugeParam + - indexAlloc + - preferDecodeRune + - preferFprint + - preferStringWriter + - preferWriteByte + - rangeExprCopy + - rangeValCopy + - sliceClear + - stringXbytes + + # Style + - assignOp + - boolExprSimplify + - captLocal + - commentFormatting + - commentedOutImport + - defaultCaseOrder + - deferUnlambda + - docStub + - dupImport + - elseif + - emptyFallthrough + - emptyStringTest + - exposedSyncMutex + - hexLiteral + - httpNoBody + - ifElseChain + - methodExprCall + - newDeref + - octalLiteral + - preferFilepathJoin + - redundantSprint + - regexpMust + - regexpSimplify + - ruleguard + - singleCaseSwitch + - sloppyLen + - stringConcatSimplify + - stringsCompare + - switchTrue + - timeCmpSimplify + - timeExprSimplify + - todoCommentWithoutDetail + - tooManyResultsChecker + - typeAssertChain + - typeDefFirst + - typeSwitchVar + - underef + - unlabelStmt + - unlambda + - unslice + - valSwap + - whyNoLint + - wrapperFunc + - yodaStyleExpr + + # Opinionated + - builtinShadow + - importShadow + - initClause + - nestingReduce + - paramTypeCombine + - ptrToRefParam + - typeUnparen + - unnamedResult + - unnecessaryBlock + nolintlint: + # Enable to ensure that nolint directives are all used. Default is true. + allow-unused: false + # Disable to ensure that nolint directives don't have a leading space. Default is true. + # TODO(lint): Enforce machine-readable `nolint` directives + allow-leading-space: true + # Exclude following linters from requiring an explanation. Default is []. + allow-no-explanation: [] + # Enable to require an explanation of nonzero length after each nolint directive. Default is false. + # TODO(lint): Enforce explanations for `nolint` directives + require-explanation: false + # Enable to require nolint directives to mention the specific linter being suppressed. Default is false. + require-specific: true diff --git a/GOLANG_VERSION b/GOLANG_VERSION new file mode 100644 index 000000000..6e83421e4 --- /dev/null +++ b/GOLANG_VERSION @@ -0,0 +1 @@ +1.21.6 \ No newline at end of file diff --git a/RELEASE.md b/MANUAL_RELEASE.md similarity index 96% rename from RELEASE.md rename to MANUAL_RELEASE.md index ca0faa4e1..d7144b85d 100644 --- a/RELEASE.md +++ b/MANUAL_RELEASE.md @@ -103,7 +103,7 @@ Promoting the images basically means that images, that were pushed to staging co - Fork that other project (if you don't have a fork already). -- Other project to fork [Github repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io) +- Other project to fork [GitHub repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io) - Fetch --all and rebase to upstream if already forked. @@ -111,7 +111,7 @@ Promoting the images basically means that images, that were pushed to staging co - In the related branch, of your fork, edit the file /registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml. -- For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake. +- For making, it easier, you can edit your branch directly in the browser. But be careful about making any mistake. - Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before @@ -132,7 +132,7 @@ Promoting the images basically means that images, that were pushed to staging co - Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/controller). -- This involves editing of several different files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers. +- This involves editing of several files. So carefully follow the steps below and double check all changes with diff/grep etc., repeatedly. Mistakes here impact endusers. ### a. Make sure your git workspace is ready @@ -160,7 +160,7 @@ Promoting the images basically means that images, that were pushed to staging co - [TAG](https://github.com/kubernetes/ingress-nginx/blob/main/TAG#L1) ### c. Edit the helm Chart - - Change the below mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml) + - Change the below-mentioned [Fields in Chart.yaml](https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/Chart.yaml) - version - appVersion - kubeVersion (**ONLY if applicable**) @@ -168,7 +168,7 @@ Promoting the images basically means that images, that were pushed to staging co - artifacthub.io/prerelease: "true" - artifacthub.io/changes: | - Replace this line and other lines under this annotation with the Changelog. One process to generate the Changelog is described below - - Install and configure github cli as per the docs of gh-cli https://cli.github.com/, + - Install and configure GitHub cli as per the docs of gh-cli https://cli.github.com/, - Change dir to your clone, of your fork, of the ingress-nginx project - Run the below command and save the output to a txt file diff --git a/Makefile b/Makefile index 5099b4645..8ff0f0ca0 100644 --- a/Makefile +++ b/Makefile @@ -29,9 +29,14 @@ SHELL=/bin/bash -o pipefail -o errexit # Use the 0.0 tag for testing, it shouldn't clobber any release builds TAG ?= $(shell cat TAG) +# The env below is called GO_VERSION and not GOLANG_VERSION because +# the gcb image we use to build already defines GOLANG_VERSION and is a +# really old version +GO_VERSION ?= $(shell cat GOLANG_VERSION) + # e2e settings # Allow limiting the scope of the e2e tests. By default run everything -FOCUS ?= .* +FOCUS ?= # number of parallel test E2E_NODES ?= 7 # run e2e test suite with tests that check for memory leaks? (default is false) @@ -68,7 +73,6 @@ image: clean-image ## Build image for a particular arch. docker build \ ${PLATFORM_FLAG} ${PLATFORM} \ --no-cache \ - --pull \ --build-arg BASE_IMAGE="$(BASE_IMAGE)" \ --build-arg VERSION="$(TAG)" \ --build-arg TARGETARCH="$(ARCH)" \ @@ -85,7 +89,6 @@ image-chroot: clean-chroot-image ## Build image for a particular arch. echo "Building docker image ($(ARCH))..." docker build \ --no-cache \ - --pull \ --build-arg BASE_IMAGE="$(BASE_IMAGE)" \ --build-arg VERSION="$(TAG)" \ --build-arg TARGETARCH="$(ARCH)" \ @@ -107,7 +110,7 @@ clean-chroot-image: ## Removes local image .PHONY: build build: ## Build ingress controller, debug tool and pre-stop hook. - build/run-in-docker.sh \ + E2E_IMAGE=golang:$(GO_VERSION)-alpine3.19 USE_SHELL=/bin/sh build/run-in-docker.sh \ MAC_OS=$(MAC_OS) \ PKG=$(PKG) \ ARCH=$(ARCH) \ @@ -128,6 +131,12 @@ static-check: ## Run verification script for boilerplate, codegen, gofmt, golint MAC_OS=$(MAC_OS) \ hack/verify-all.sh +.PHONY: golint-check +golint-check: + @build/run-in-docker.sh \ + MAC_OS=$(MAC_OS) \ + hack/verify-golint.sh + ############################### # Tests for ingress-nginx ############################### @@ -147,17 +156,16 @@ test: ## Run go unit tests. .PHONY: lua-test lua-test: ## Run lua unit tests. @build/run-in-docker.sh \ - BUSTED_ARGS=$(BUSTED_ARGS) \ MAC_OS=$(MAC_OS) \ test/test-lua.sh .PHONY: e2e-test e2e-test: ## Run e2e tests (expects access to a working Kubernetes cluster). - @build/run-e2e-suite.sh + @test/e2e/run-e2e-suite.sh .PHONY: kind-e2e-test kind-e2e-test: ## Run e2e tests using kind. - @test/e2e/run.sh + @test/e2e/run-kind-e2e.sh .PHONY: kind-e2e-chart-tests kind-e2e-chart-tests: ## Run helm chart e2e tests @@ -201,13 +209,13 @@ dev-env-stop: ## Deletes local Kubernetes cluster created by kind. live-docs: ## Build and launch a local copy of the documentation website in http://localhost:8000 @docker build ${PLATFORM_FLAG} ${PLATFORM} \ --no-cache \ - $(MAC_DOCKER_FLAGS) \ -t ingress-nginx-docs .github/actions/mkdocs @docker run ${PLATFORM_FLAG} ${PLATFORM} --rm -it \ -p 8000:8000 \ -v ${PWD}:/docs \ - --entrypoint mkdocs \ - ingress-nginx-docs serve --dev-addr=0.0.0.0:8000 + --entrypoint /bin/bash \ + ingress-nginx-docs \ + -c "pip install -r /docs/docs/requirements.txt && mkdocs serve --dev-addr=0.0.0.0:8000" .PHONY: misspell misspell: ## Check for spelling errors. @@ -229,8 +237,8 @@ ensure-buildx: show-version: echo -n $(TAG) -PLATFORMS ?= amd64 arm arm64 s390x -BUILDX_PLATFORMS ?= linux/amd64,linux/arm,linux/arm64,linux/s390x +PLATFORMS ?= amd64 arm arm64 +BUILDX_PLATFORMS ?= linux/amd64,linux/arm,linux/arm64 .PHONY: release # Build a multi-arch docker image release: ensure-buildx clean @@ -241,6 +249,7 @@ release: ensure-buildx clean docker buildx build \ --no-cache \ + $(MAC_DOCKER_FLAGS) \ --push \ --pull \ --progress plain \ @@ -253,6 +262,7 @@ release: ensure-buildx clean docker buildx build \ --no-cache \ + $(MAC_DOCKER_FLAGS) \ --push \ --pull \ --progress plain \ @@ -262,3 +272,8 @@ release: ensure-buildx clean --build-arg COMMIT_SHA="$(COMMIT_SHA)" \ --build-arg BUILD_ID="$(BUILD_ID)" \ -t $(REGISTRY)/controller-chroot:$(TAG) rootfs -f rootfs/Dockerfile-chroot + +.PHONY: build-docs +build-docs: + pip install -r docs/requirements.txt + mkdocs build --config-file mkdocs.yml diff --git a/NEW_RELEASE_PROCESS.md b/NEW_RELEASE_PROCESS.md new file mode 100644 index 000000000..cdb683abf --- /dev/null +++ b/NEW_RELEASE_PROCESS.md @@ -0,0 +1,9 @@ +# Semi-Automated Release Process + +1. Update TAG +2. Cloud Build +3. k8s.io PR +4. git pull origin main +5. git checkout -b $RELEASE_VERSION +6. mage release:newrelease $RELEASE_VERSION +7. Wait for PR \ No newline at end of file diff --git a/NGINX_BASE b/NGINX_BASE index 72093c593..058a89bb1 100644 --- a/NGINX_BASE +++ b/NGINX_BASE @@ -1 +1 @@ -registry.k8s.io/ingress-nginx/nginx:21aa7f55a3325c1c26de0dfb62ede4c0a809a994@sha256:da6b877ed96dada46ed6e379051c2dd461dd5d329af7a7531820ad3e16197e20 \ No newline at end of file +registry.k8s.io/ingress-nginx/nginx:v20231208-4c39e6acc@sha256:03508408458d00ba4e219d2693ba2a039ba66d4151ab9b43794f61877e0abb73 \ No newline at end of file diff --git a/OWNERS b/OWNERS index 71f3328f1..da1da1b2e 100644 --- a/OWNERS +++ b/OWNERS @@ -9,3 +9,4 @@ reviewers: emeritus_approvers: - aledbf # 2020-04-02 - bowei # 2022-10-12 +- ElvinEfendi # 2023-04-23 diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 49806abdb..44fc67d2e 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -11,27 +11,32 @@ aliases: - strongjz ingress-nginx-maintainers: - - ElvinEfendi - rikatz - strongjz + - cpanato + - puerco - tao12345666333 ingress-nginx-reviewers: - - ElvinEfendi - rikatz - strongjz + - puerco + - cpanato - tao12345666333 ingress-nginx-helm-maintainers: - - ChiefAlexander - cpanato + - Gacko + - strongjz + - ubergesundheit ingress-nginx-helm-reviewers: - - ChiefAlexander - cpanato + - Gacko + - strongjz + - ubergesundheit ingress-nginx-docs-maintainers: - - IamNoah1 - longwuyuan - tao12345666333 diff --git a/README.md b/README.md index 73baa8fd2..e955cd359 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ ## Overview -ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load +ingress-nginx is an Ingress controller for Kubernetes using [NGINX](https://www.nginx.org/) as a reverse proxy and load balancer. [Learn more about Ingress on the main Kubernetes documentation site](https://kubernetes.io/docs/concepts/services-networking/ingress/). @@ -20,64 +20,65 @@ See the [Getting Started](https://kubernetes.github.io/ingress-nginx/deploy/) do ## Troubleshooting -If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), -[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the +If you encounter issues, review the [troubleshooting docs](docs/troubleshooting.md), +[file an issue](https://github.com/kubernetes/ingress-nginx/issues), or talk to us on the [#ingress-nginx channel](https://kubernetes.slack.com/messages/ingress-nginx) on the Kubernetes Slack server. ## Changelog -See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) to find out about feature changes. -For detailed changes for each release; please check the [Changelog.md](Changelog.md) file. -For detailed changes on the `ingress-nginx` helm chart, please check the following -[CHANGELOG.md](charts/ingress-nginx/CHANGELOG.md) file. +See [the list of releases](https://github.com/kubernetes/ingress-nginx/releases) for all changes. +For detailed changes for each release, please check the [changelog-$version.md](./changelog) file for the release version. +For detailed changes on the `ingress-nginx` helm chart, please check the changelog folder for a specific version +[CHANGELOG-$current-version.md](./charts/ingress-nginx/changelog) file. -### Supported Versions table +### Supported Versions table Supported versions for the ingress-nginx project mean that we have completed E2E tests, and they are passing for -the versions listed. Ingress-Nginx versions may work on older versions but the project does not make that guarantee. +the versions listed. Ingress-Nginx versions **may** work on older versions, but the project does not make that guarantee. -| Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | -|-----------------------|------------------------------|----------------|---------------| -| v1.5.2 | 1.26, 1.25, 1.24, 1.23 | 3.17.2 | 1.21.6 | -| v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | -| v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | -| v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | -| v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | -| v1.2.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.6 | 1.19.10† | -| v1.1.3 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.4 | 1.19.10† | -| v1.1.2 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.1.1 | 1.23, 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.1.0 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.5 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.4 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.3 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.2 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.1 | 1.22, 1.21, 1.20, 1.19 | 3.14.2 | 1.19.9† | -| v1.0.0 | 1.22, 1.21, 1.20, 1.19 | 3.13.5 | 1.20.1 | +| Supported | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | +|:--:|-----------------------|------------------------------|----------------|---------------|------------------------------| +| 🔄 | **v1.9.6** | 1.29, 1.28, 1.27, 1.26, 1.25 | 3.19.0 | 1.21.6 | 4.9.1* | +| 🔄 | **v1.9.5** | 1.28, 1.27, 1.26, 1.25 | 3.18.4 | 1.21.6 | 4.9.0* | +| 🔄 | **v1.9.4** | 1.28, 1.27, 1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.3 | +| 🔄 | **v1.9.3** | 1.28, 1.27, 1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.* | +| 🔄 | **v1.9.1** | 1.28, 1.27, 1.26, 1.25 | 3.18.4 | 1.21.6 | 4.8.* | +| 🔄 | **v1.9.0** | 1.28, 1.27, 1.26, 1.25 | 3.18.2 | 1.21.6 | 4.8.* | +| 🔄 | **v1.8.4** | 1.27, 1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* | +| 🔄 | **v1.8.2** | 1.27, 1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* | +| 🔄 | **v1.8.1** | 1.27, 1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* | +| 🔄 | **v1.8.0** | 1.27, 1.26, 1.25, 1.24 | 3.18.0 | 1.21.6 | 4.7.* | +| | **v1.7.1** | 1.27, 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | +| | **v1.7.0** | 1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | +| | v1.6.4 | 1.26, 1.25, 1.24, 1.23 | 3.17.0 | 1.21.6 | 4.5.* | +| | v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 | 4.4.* | +| | v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† | 4.3.0 | +| | v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† | 4.2.5 | +| | v1.3.0 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.0 | 1.19.10† | 4.2.3 | - -† _This build is -[patched against CVE-2021-23017](https://github.com/openresty/openresty/commit/4b5ec7edd78616f544abc194308e0cf4b788725b#diff-42ef841dc27fe0b5aa2d06bd31308bb63a59cdcddcbcddd917248349d22020a3)._ - -See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable -Ingress API. +See [this article](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) if you want upgrade to the stable +Ingress API. ## Get Involved Thanks for taking the time to join our community and start contributing! -- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). +- This project adheres to the [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md). By participating in this project, you agree to abide by its terms. -- **Contributing**: Contributions of all kind are welcome! - - - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we +- **Contributing**: Contributions of all kinds are welcome! + + - Read [`CONTRIBUTING.md`](CONTRIBUTING.md) for information about setting up your environment, the workflow that we expect, and instructions on the developer certificate of origin that we require. - Join our Kubernetes Slack channel for developer discussion : [#ingress-nginx-dev](https://kubernetes.slack.com/archives/C021E147ZA4). - - Submit GitHub issues for any feature enhancements, bugs or documentation problems. Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**. - - **Support**: Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users. + - Submit GitHub issues for any feature enhancements, bugs, or documentation problems. + - Please make sure to read the [Issue Reporting Checklist](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md#issue-reporting-guidelines) before opening an issue. Issues not conforming to the guidelines **may be closed immediately**. + - Join our [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) + +- **Support**: + - Join the [#ingress-nginx-users](https://kubernetes.slack.com/messages/CANQGM8BA/) channel inside the [Kubernetes Slack](http://slack.kubernetes.io/) to ask questions or get support from the maintainers and other users. - The [GitHub issues](https://github.com/kubernetes/ingress-nginx/issues) in the repository are **exclusively** for bug reports and feature requests. - - **Discuss**: Tweet using the `#IngressNginx` hashtag. + - **Discuss**: Tweet using the `#IngressNginx` hashtag or sharing with us [@IngressNginx](https://twitter.com/IngressNGINX). ## License diff --git a/TAG b/TAG index c9b3c015f..57d503d1e 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.5.1 \ No newline at end of file +v1.9.5 diff --git a/build/build.sh b/build/build.sh index 1ae505d91..bbcaf78e8 100755 --- a/build/build.sh +++ b/build/build.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # Copyright 2018 The Kubernetes Authors. # @@ -25,24 +25,15 @@ set -o errexit set -o nounset set -o pipefail -declare -a mandatory -mandatory=( - PKG - ARCH - COMMIT_SHA - REPO_INFO - TAG -) -for var in "${mandatory[@]}"; do - if [[ -z "${!var:-}" ]]; then - echo "Environment variable $var must be set" - exit 1 - fi -done +if [ -z "$PKG" ] || [ -z "$ARCH" ] || [ -z "$COMMIT_SHA" ] || [ -z "$REPO_INFO" ] || [ -z "$TAG" ]; then + echo "Environments PKG, ARCH, COMMIT_SHA, REPO_INFO and TAG are required" + exit 1 +fi + export CGO_ENABLED=0 -export GOARCH=${ARCH} +export GOARCH="${ARCH}" TARGETS_DIR="rootfs/bin/${ARCH}" echo "Building targets for ${ARCH}, generated targets in ${TARGETS_DIR} directory." @@ -75,4 +66,4 @@ ${GO_BUILD_CMD} \ -X ${PKG}/version.COMMIT=${COMMIT_SHA} \ -X ${PKG}/version.REPO=${REPO_INFO}" \ -buildvcs=false \ - -o "${TARGETS_DIR}/wait-shutdown" "${PKG}/cmd/waitshutdown" + -o "${TARGETS_DIR}/wait-shutdown" "${PKG}/cmd/waitshutdown" \ No newline at end of file diff --git a/build/dev-env.sh b/build/dev-env.sh index 09609367a..93ed3de40 100755 --- a/build/dev-env.sh +++ b/build/dev-env.sh @@ -45,14 +45,16 @@ if ! command -v helm &> /dev/null; then exit 1 fi +function ver { printf "%d%03d%03d" $(echo "$1" | tr '.' ' '); } + HELM_VERSION=$(helm version 2>&1 | cut -f1 -d"," | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') || true echo $HELM_VERSION -if [[ ${HELM_VERSION} -lt 3.10.0 ]]; then +if [[ $(ver $HELM_VERSION) -lt $(ver "3.10.0") ]]; then echo "Please upgrade helm to v3.10.0 or higher" exit 1 fi -KUBE_CLIENT_VERSION=$(kubectl version --client --short 2>/dev/null | grep Client | awk '{print $3}' | cut -d. -f2) || true +KUBE_CLIENT_VERSION=$(kubectl version --client -oyaml 2>/dev/null | grep "minor:" | awk '{print $2}' | tr -d '"') || true if [[ ${KUBE_CLIENT_VERSION} -lt 24 ]]; then echo "Please update kubectl to 1.24.2 or higher" exit 1 @@ -62,7 +64,7 @@ echo "[dev-env] building image" make build image docker tag "${REGISTRY}/controller:${TAG}" "${DEV_IMAGE}" -export K8S_VERSION=${K8S_VERSION:-v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace} +export K8S_VERSION=${K8S_VERSION:-v1.26.3@sha256:61b92f38dff6ccc29969e7aa154d34e38b89443af1a2c14e6cfbd2df6419c66f} KIND_CLUSTER_NAME="ingress-nginx-dev" diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index 44ca2d5f7..367f6138a 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -44,7 +44,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20221221-controller-v1.5.1-62-g6ffaef32a@sha256:8f025472964cd15ae2d379503aba150565a8d78eb36b41ddfc5f1e3b1ca81a8e} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20240126-760bf8eb@sha256:5e676bf2e5d5d035adfc6e093abee040af08327011e72fef640fa20da73cea2e} if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest @@ -76,18 +76,13 @@ fi USER=${USER:-nobody} -#echo "..printing env & other vars to stdout" -#echo "HOSTNAME=`hostname`" -#uname -a -#env -#echo "DIND_ENABLED=$DOCKER_IN_DOCKER_ENABLED" -#echo "done..printing env & other vars to stdout" +USE_SHELL=${USE_SHELL:-"/bin/bash"} if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then echo "..reached DIND check TRUE block, inside run-in-docker.sh" echo "FLAGS=$FLAGS" #go env - go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 + go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.15.0 find / -type f -name ginkgo 2>/dev/null which ginkgo /bin/bash -c "${FLAGS}" @@ -100,5 +95,5 @@ else args="$args -v /var/run/docker.sock:/var/run/docker.sock" fi - ${RUNTIME} run $args ${E2E_IMAGE} /bin/bash -c "${FLAGS}" -fi + ${RUNTIME} run $args ${E2E_IMAGE} ${USE_SHELL} -c "${FLAGS}" +fi \ No newline at end of file diff --git a/changelog/Changelog-1.5.2.md b/changelog/controller-1.6.4.md similarity index 51% rename from changelog/Changelog-1.5.2.md rename to changelog/controller-1.6.4.md index 8b2617924..256e5ec09 100644 --- a/changelog/Changelog-1.5.2.md +++ b/changelog/controller-1.6.4.md @@ -1,13 +1,61 @@ # Changelog -### 1.5.2 +### 1.6.4 + Images: - * registry.k8s.io/ingress-nginx/controller:controller-v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655 - * registry.k8s.io/ingress-nginx/controller-chroot:controller-v1.5.2@sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b - -### All Changes: +* registry.k8s.io/controller:controller-v1.6.4@sha256:15be4666c53052484dd2992efacf2f50ea77a78ae8aa21ccd91af6baaa7ea22f +* registry.k8s.io/controller-chroot:controller-v1.6.4@sha256:0de01e2c316c3ca7847ca13b32d077af7910d07f21a4a82f81061839764f8f81 +### All changes: + +* remove tests and regex path checks (#9626) +* Fix incorrect annotation name in upstream hashing configuration (#9617) +* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614) +* Revert Implement pathType validation (#9511) (#9607) +* update history and allow to pass a target test (#9605) +* Allow to pass a target test (#9542) +* Replace deprecated command with environment file (#9581) +* build 1.6.2 to fix (#9569) +* add lint on chart before release (#9570) +* tcpproxy: increase buffer size to 16K (#9548) +* Move and spell-check Kubernetes 1.22 migration FAQ (#9544) +* Add CORS template check inside location for externalAuth.SignURL (#8814) +* fix(grafana-dashboard): remove hardcoded namespace references (#9523) +* Replace deprecated command with environment file (#9581) +* add lint on chart before release (#9570) +* Switch logic on path type validation and setting it to false (#9543) +* tcpproxy: increase buffer size to 16K (#9548) +* Move and spell-check Kubernetes 1.22 migration FAQ (#9544) +* Add CORS template check inside location for externalAuth.SignURL (#8814) +* fix(grafana-dashboard): remove hardcoded namespace references (#9523) +* Align default value for keepalive_request with NGINX default (#9518) +* feat(configmap): expose gzip-disable (#9505) +* Values: Add missing `controller.metrics.service.labels`. (#9501) +* Add docs about orphan_ingress metric (#9514) +* Add new prometheus metric for orphaned ingress (#8230) +* Sanitise request metrics in monitoring docs (#9384) +* Change default value of enable-brotli (#9500) +* feat: support topology aware hints (#9165) +* Remove 1.5.2 from readme (#9498) +* Remove nonexistent load flag from docker build commands (#9122) +* added option to disable sync event creation (#8528) +* Add buildResolvers to the stream module (#9184) +* fix: disable auth access logs (#9049) +* Adding ipdenylist annotation (#8795) +* Add update updateStrategy and minReadySeconds for defaultBackend (#8506) +* Fix indentation on serviceAccount annotation (#9129) +* Update monitoring.md (#9269) +* add github actions stale bot (#9439) +* Admission Webhooks/Job: Add `NetworkPolicy`. (#9218) +* update OpenTelemetry image (#9491) +* bump OpenTelemetry (#9489) +* Optional podman support (#9294) +* fix change images (#9463) +* move tests to gh actions (#9461) +* Automated Release Controller 1.5.2 (#9455) +* Add sslpassthrough tests (#9457) +* updated the link in RELEASE.md file (#9456) * restart 1.5.2 release process (#9450) * Update command line arguments documentation (#9224) * start release 1.5.2 (#9445) @@ -43,7 +91,6 @@ Images: * remove the configmap related permissions (#9310) * remove hardcoded datasource from grafana dashboard (#9284) * update gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b to 3.0.0 (#9277) -* Validate ingress path fields (#9309) * added SAN to cert create command (#9295) * Missing controller.ingressClass (#9304) * OpenTelemetry static linking (#9286) @@ -53,7 +100,19 @@ Images: * PDB: Add `maxUnavailable`. (#9278) * add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242) -### Dependencies updates: +### Dependency updates: + +* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555) +* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553) +* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552) +* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512) +* Bump `client-go` to remove dependence on go-autorest dependency (#9488) +* Bump google.golang.org/grpc from 1.52.0 to 1.52.3 (#9555) +* Bump k8s.io/klog/v2 from 2.80.1 to 2.90.0 (#9553) +* Bump sigs.k8s.io/controller-runtime from 0.13.1 to 0.14.2 (#9552) +* Bump google.golang.org/grpc from 1.51.0 to 1.52.0 (#9512) +* Bump `client-go` to remove dependence on go-autorest dependency (#9488) +* Bump golang.org/x/crypto from 0.4.0 to 0.5.0 (#9494) * Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397) * Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432) * Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421) @@ -75,5 +134,5 @@ Images: * Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.1 (#9317) * Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301) * Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300) - -**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.5.2 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.6.4 diff --git a/changelog/controller-1.7.0.md b/changelog/controller-1.7.0.md new file mode 100644 index 000000000..97f0ebf22 --- /dev/null +++ b/changelog/controller-1.7.0.md @@ -0,0 +1,80 @@ +# Changelog + +### 1.7.0 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.7.0@sha256:7612338342a1e7b8090bef78f2a04fffcadd548ccaabe8a47bf7758ff549a5f7 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.7.0@sha256:e84ef3b44c8efeefd8b0aa08770a886bfea1f04c53b61b4ba9a7204e9f1a7edc + +### All changes: + +* kick off 1.7.0 build (#9775) +* Update exposing-tcp-udp-services.md (#9777) +* feat: OpenTelemetry module integration (#9062) +* drop k8s 1.23 support (#9772) +* Fix canary-weight-total annotation ignored in rule backends (#9729) +* fix: controller psp's volume config (#9740) +* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709) +* docs(helm): fix value key in readme for enabling certManager (#9640) +* updated digest and sha for e2e-test-echo (#9760) +* updated digest and sha for e2e-test-fastcgi-helloserver (#9759) +* updated digest and sha for opentelemetry (#9758) +* updated digest and sha for e2e-test-cfssl (#9757) +* updated kube-webhook-certgen digest and tags (#9756) +* updated nginx-error digest and tags (#9755) +* added upgrade ginkgo documentation for contributors (#9753) +* changes Makefile of echo folder to trigger code-build (#9754) +* Chart: Drop `controller.headers`, rework DH param secret. (#9659) +* updated NGINX_BASE image with latest tag (#9747) +* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732) +* bumped ginkgo to v2.9.0 (#9722) +* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731) +* update to golang 1.20 (#9690) +* Indent values.yaml using 2 instead of 4 spaces (#9656) +* fix some comments (#9688) +* migrate mitchellh/hashstructure to v2 (#9651) +* changed v1.6.3 to v1.6.4 on deploy docs (#9647) +* controller: Don't panic when ready condition in a endpointslice is missing (#9550) +* Rework Ginkgo usage (#9522) +* code clean for fsnotify (#9571) +* Optimize the document for readability (#9551) +* sets.String is deprecated: use generic Set instead. new ways: s1 := Set[string]{} s2 := New[string]() (#9589) +* Adjust the import package order and use http library variables (#9587) +* Optimize the judgment mode to remove redundant transformations (#9588) +* Fix rewrite example (#9633) +* remove tests and regex path checks (#9626) +* Fix incorrect annotation name in upstream hashing configuration (#9617) +* Release docs for Controller v1.6.3 and Helm v4.5.0 (#9614) + +### Dependency updates: + +* Bump aquasecurity/trivy-action from 0.8.0 to 0.9.2 (#9767) +* Bump k8s.io/component-base from 0.26.2 to 0.26.3 (#9764) +* Bump actions/dependency-review-action from 3.0.3 to 3.0.4 (#9766) +* Bump actions/add-to-project from 0.4.0 to 0.4.1 (#9765) +* Bump actions/dependency-review-action from 3.0.2 to 3.0.3 (#9727) +* Bump github.com/prometheus/common from 0.41.0 to 0.42.0 (#9724) +* Bump golang.org/x/crypto from 0.6.0 to 0.7.0 (#9723) +* Bump actions/download-artifact from 3.0.1 to 3.0.2 (#9721) +* Bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (#9718) +* Bump actions/upload-artifact from 3.1.1 to 3.1.2 (#9717) +* Bump docker/setup-buildx-action from 2.2.1 to 2.5.0 (#9719) +* Bump helm/chart-releaser-action from 1.4.1 to 1.5.0 (#9720) +* Bump github.com/onsi/ginkgo/v2 from 2.6.1 to 2.9.0 (#9695) +* Bump k8s.io/klog/v2 from 2.90.0 to 2.90.1 (#9694) +* Bump golang.org/x/crypto in /magefiles (#9691) +* Bump k8s.io/component-base from 0.26.1 to 0.26.2 (#9696) +* Bump github.com/prometheus/common from 0.40.0 to 0.41.0 (#9698) +* Bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.5 (#9697) +* Bump golang.org/x/net in /magefiles (#9692) +* Bump golang.org/x/sys in /images/custom-error-pages/rootfs (#9671) +* Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#9675) +* Bump github.com/prometheus/common from 0.39.0 to 0.40.0 (#9653) +* Bump golang.org/x/net from 0.6.0 to 0.7.0 (#9646) +* Bump golang.org/x/net in /images/kube-webhook-certgen/rootfs (#9645) +* Bump google.golang.org/grpc from 1.52.3 to 1.53.0 (#9610) +* Bump github.com/prometheus/client_golang (#9630) +* Bump golang.org/x/crypto from 0.5.0 to 0.6.0 (#9609) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.6.3...controller-controller-v1.7.0 diff --git a/changelog/controller-1.7.1.md b/changelog/controller-1.7.1.md new file mode 100644 index 000000000..632ffe963 --- /dev/null +++ b/changelog/controller-1.7.1.md @@ -0,0 +1,54 @@ +# Changelog + +### 1.7.1 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.7.1@sha256:7244b95ea47bddcb8267c1e625fb163fc183ef55448855e3ac52a7b260a60407 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.7.1@sha256:e35d5ab487861b9d419c570e3530589229224a0762c7b4d2e2222434abb8d988 + +### All changes: + +* Update TAG - 1.7.1 (#9922) +* Update dependabot to watch docker images (#9600) +* [helm] Support custom port configuration for internal service (#9846) +* Add support for --container flag (#9703) +* Fix typo in OpenTelemetry (#9903) +* ensure make lua-test runs locally (#9902) +* update k8s.io dependecies to v0.26.4 (#9893) +* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803) +* I have not been able to fulfill my maintainer responsibilities for a while already, making it official now. (#9883) +* Update k8s versions (#9879) +* README: Update `external-dns` link. (#9866) +* Fastcgi configmap should be on the same namespace of ingress (#9863) +* Deprecate and remove influxdb feature (#9861) +* Remove deprecated annotation secure-upstream (#9862) +* Exclude socket metrics (#9770) +* Chart: Improve `README.md`. (#9831) +* update all container tags with date and sha, upgrade all containers (#9834) +* updated NGINX_BASE image in project (#9829) +* ISO 8601 date format (#9682) +* Values: Fix indention of commented values. (#9812) +* The Ingress-Nginx project recently released version 1.7.0 of the controller, but the deployment documentation still referenced version 1.6.4. This commit updates the documentation to reference the latest version, ensuring that users have access to the most up-to-date information. Fixes#9787 (#9788) + +### Dependency updates: + +* Bump github.com/opencontainers/runc from 1.1.6 to 1.1.7 (#9912) +* Bump github.com/prometheus/client_golang from 1.14.0 to 1.15.0 (#9868) +* Bump aquasecurity/trivy-action from 0.9.2 to 0.10.0 (#9888) +* Bump github.com/opencontainers/runc from 1.1.5 to 1.1.6 (#9867) +* Bump actions/checkout from 3.5.0 to 3.5.2 (#9870) +* Bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#9838) +* Bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#9839) +* Bump actions/add-to-project from 0.4.1 to 0.5.0 (#9840) +* Bump actions/checkout from 3.4.0 to 3.5.0 (#9798) +* Bump ossf/scorecard-action from 2.1.2 to 2.1.3 (#9823) +* Bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#9806) +* Bump actions/stale from 7.0.0 to 8.0.0 (#9799) +* Bump rajatjindal/krew-release-bot from 0.0.43 to 0.0.46 (#9797) +* Bump actions/setup-go from 3.5.0 to 4.0.0 (#9796) +* Bump github.com/imdario/mergo from 0.3.13 to 0.3.15 (#9795) +* Bump google.golang.org/grpc from 1.53.0 to 1.54.0 (#9794) +* Bump sigs.k8s.io/controller-runtime from 0.14.5 to 0.14.6 (#9822) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.0...controller-controller-v1.7.1 diff --git a/changelog/controller-1.8.0.md b/changelog/controller-1.8.0.md new file mode 100644 index 000000000..48b4cdefa --- /dev/null +++ b/changelog/controller-1.8.0.md @@ -0,0 +1,64 @@ +# Changelog + +### 1.8.0 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.8.0@sha256:744ae2afd433a395eeb13dc03d3313facba92e96ad71d9feaafc85925493fee3 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.0@sha256:a45e41cd2b7670adf829759878f512d4208d0aec1869dae593a0fecd09a5e49e + +### Important changes: + +* Validate path types (#9967) +* images: upgrade to Alpine 3.18 (#9997) +* Update documentation to reflect project name; Ingress-Nginx Controller + +For improving security, our 1.8.0 release includes a [new, **optional** validation ](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) that limits the characters accepted on ".spec paths.path" when pathType=Exact or athType=Prefix, to alphanumeric characters only. + +More information can be found on our [Google doc](https://docs.google.com/document/d/1HPvaEwHRuMSkXYkVIJ-w7IpijKdHfNynm_4N2Akt0CQ/edit?usp=sharing), our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) or in our [docs](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) + +### Community Updates + +We are now posting updates and release to our twitter handle, [@IngressNginx](https://twitter.com/IngressNGINX) and +on our new [ingress-nginx-dev mailing list](https://groups.google.com/a/kubernetes.io/g/ingress-nginx-dev/c/ebbBMo-zX-w) + +### All changes: + +* Add legacy to OpenTelemetry migration doc (#10011) +* changed tagsha to recent builds (#10001) +* change to alpine318 baseimage (#10000) +* images: upgrade to Alpine 3.18 (#9997) +* openssl CVE fix (#9996) +* PodDisruptionBudget spec logic update (#9904) +* Admission warning (#9975) +* Add OPA examples on pathType restrictions (#9992) +* updated testrunner image tag+sha (#9987) +* bumped ginkgo to v2.9.5 (#9985) +* helm: Fix opentelemetry module installation for daemonset (#9792) +* OpenTelemetry default config (#9978) +* Correct annotations in monitoring docs (#9976) +* fix: avoid builds and tests for changes to markdown (#9962) +* Validate path types (#9967) +* HPA: Use capabilites & align manifests. (#9521) +* Use dl.k8s.io instead of hardcoded GCS URIs (#9946) +* add option for annotations in PodDisruptionBudget (#9843) +* chore: update httpbin to httpbun (#9919) +* image_update (#9942) +* Add geoname id value into $geoip2_*_geoname_id variables (#9527) +* Update annotations.md (#9933) +* Update charts/* to keep project name display aligned (#9931) +* Keep project name display aligned (#9920) + +### Dependencies updates: +* Bump github.com/imdario/mergo from 0.3.15 to 0.3.16 (#10008) +* Bump github.com/prometheus/common from 0.43.0 to 0.44.0 (#10007) +* Bump k8s.io/klog/v2 from 2.90.1 to 2.100.1 (#9913) +* Bump github.com/onsi/ginkgo/v2 from 2.9.0 to 2.9.5 (#9980) +* Bump golang.org/x/crypto from 0.8.0 to 0.9.0 (#9982) +* Bump actions/setup-go from 4.0.0 to 4.0.1 (#9984) +* Bump securego/gosec from 2.15.0 to 2.16.0 (#9983) +* Bump github.com/prometheus/common from 0.42.0 to 0.43.0 (#9981) +* Bump github.com/prometheus/client_model from 0.3.0 to 0.4.0 (#9937) +* Bump google.golang.org/grpc from 1.54.0 to 1.55.0 (#9936) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.7.1...controller-controller-v1.8.0 diff --git a/changelog/controller-1.8.1.md b/changelog/controller-1.8.1.md new file mode 100644 index 000000000..16d4a8409 --- /dev/null +++ b/changelog/controller-1.8.1.md @@ -0,0 +1,69 @@ +# Changelog + +### 1.8.1 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd +* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.1@sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627 + +### All changes: + +* netlify: Only trigger preview when there are changes in docs. (#10144) +* changed to updated baseimage and reverted tag (#10143) +* Fix loadBalancerClass value (#10139) +* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406) +* Set grpc :authority header from request header (#8912) +* bump pinned golang to 1.20.5 (#10127) +* update test runner (#10125) +* chore: remove echo from snippet tests (#10110) +* Update typo in docs for lb scheme (#10117) +* golang 1.20.5 bump (#10120) +* feat(helm): Add loadBalancerClass (#9562) +* chore: remove echo friom canary tests (#10089) +* fix: obsolete warnings (#10029) +* docs: change Dockefile url ref main (#10087) +* Revert "Remove fastcgi feature" (#10081) +* docs: add netlify configuration (#10073) +* add distroless otel init (#10035) +* chore: move httpbun to be part of framework (#9955) +* Remove fastcgi feature (#9864) +* Fix mirror-target values without path separator and port (#9889) +* Adding feature to upgrade Oracle Cloud Infrastructure's Flexible Load Balancer and adjusting Health Check that were critical in the previous configuration (#9961) +* add support for keda fallback settings (#9993) +* unnecessary use of fmt.Sprint (S1039) (#10049) +* chore: pkg imported more than once (#10048) +* tracing: upgrade to dd-opentracing-cpp v1.3.7 (#10031) +* fix: add canary to sidebar in examples (#10068) +* docs: add lua testing documentation (#10060) +* docs: canary weighted deployments example (#10067) +* Update Internal Load Balancer docs (#10062) +* fix broken kubernetes.io/user-guide/ docs links (#10055) +* docs: Updated the content of deploy/rbac.md (#10054) +* ensured hpa mem spec before cpu spec (#10043) +* Fix typo in controller_test (#10034) +* chore(dep): upgrade github.com/emicklei/go-restful/v3 to 3.10 (#10028) +* Upgrade to Golang 1.20.4 (#10016) +* perf: avoid unnecessary byte/string conversion (#10012) +* added note on dns for localtesting (#10021) +* added helmshowvalues example (#10019) +* release controller 1.8.0 and chart 4.7.0 (#10017) + +### Dependency updates: + +* Bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#10133) +* Bump google.golang.org/grpc from 1.56.0 to 1.56.1 (#10134) +* Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 (#10106) +* Bump golang.org/x/crypto from 0.9.0 to 0.10.0 (#10105) +* Bump google.golang.org/grpc from 1.55.0 to 1.56.0 (#10103) +* Bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (#10101) +* Bump docker/setup-buildx-action from 2.6.0 to 2.7.0 (#10102) +* Bump actions/checkout from 3.5.2 to 3.5.3 (#10076) +* Bump docker/setup-qemu-action from 2.1.0 to 2.2.0 (#10075) +* Bump aquasecurity/trivy-action from 0.10.0 to 0.11.2 (#10078) +* Bump docker/setup-buildx-action from 2.5.0 to 2.6.0 (#10077) +* Bump actions/dependency-review-action from 3.0.4 to 3.0.6 (#10042) +* Bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#10041) +* Bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#10005) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.0...controller-controller-v1.8.1 diff --git a/changelog/controller-1.8.2.md b/changelog/controller-1.8.2.md new file mode 100644 index 000000000..0c20decc9 --- /dev/null +++ b/changelog/controller-1.8.2.md @@ -0,0 +1,19 @@ +# Changelog + +### 1.8.2 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.8.2@sha256:1317a563219f755a6094d990057c78e5c4dcea5e31f4ce1db8641e732a7d6133 + +### All changes: + +* Release v1.8.2 and Update Go to v1.21.1 (#10379) +* Making auth access logs optional (#10380) +* [release-1.8] Disable Modsecurity from internal processing which affects large ingresses (#10375) +* promote distroless otel init image (#10270) +* [release-1.8] Update images tags after adding git data in gcloud (#10233) +* [release-1.8] Golang 1.20.6 for test runner (#10231) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.1...controller-controller-v1.8.2 diff --git a/changelog/controller-1.9.0-beta.0.md b/changelog/controller-1.9.0-beta.0.md new file mode 100644 index 000000000..79ecf596e --- /dev/null +++ b/changelog/controller-1.9.0-beta.0.md @@ -0,0 +1,95 @@ +# Changelog + +### 1.9.0-beta.0 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.9.0-beta.0@sha256:531377e4cc9dc62af40d742402222603259673f5a755a64d74122f256dfad8f9 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0-beta.0@sha256:60b4c95349ce2a81a3b2a76423ee483b847b89d3fa8cb148468434f606f3fa0c + +### All changes: + +* Rework mage (#10418) +* Start release of v1.9.0 beta0 (#10407) +* Update k8s versions on CI (#10406) +* Add a flag to enable or disable aio_write (#10394) +* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372) +* Fix e2e test suite doc (#10396) +* Disable user snippets per default (#10393) +* Deployment/DaemonSet: Fix templating & value. (#10240) +* Fix deferInLoop error (#10387) +* Remove gofmt (#10385) +* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259) +* release notes 1.8.2 (#10389) +* fix: remove curl on base container #9716 (#10306) +* Fix http default backend test (#10382) +* Add golangci github action and replace the deprecated golint (#10187) +* BUGFIX incorrect indentation (#10254) +* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352) +* fix: path with sepecial characters warning #10281 #10308 (#10330) +* Fix golangci-lint errors (#10196) +* chore(build): Fix Run make dev-env syntax error (#10294) +* Add firewall configuration to quick start documentation (#10357) +* Making auth access logs optional (#10335) +* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350) +* fix: update action file to auto release plugin #10197 (#10321) +* Use gzip instead of pigz in CI (#10348) +* Disable Modsecurity from internal processing which affects large ingresses (#10316) +* fix: add /etc/mime.types #10309 (#10310) +* Remove curl dependencies in e2e tests #9716 (#10296) +* docs: swap explanation to match example (#10220) +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* Updated index.md - Fix typos (#10256) +* Handle request_id variable correctly in auth requests (#9219) +* test kind updates (#10272) +* promote distroless otel init image (#10257) +* [helm] configure allow to configure hostAliases (#10180) +* Add rolling update strategy to each static deployment file (#10129) +* Implement annotation validation (#9673) +* Golang 1.20.6 for test runner (#10230) +* [helm] pass service annotations through helm tpl engine (#10084) +* Ignore deployment template's replicas if KEDA is enabled (#9534) +* chore: bump OpenResty to v1.21.4.2 (#10219) +* Scanning port 10247 lead to tcp connection 502 error (#9815) +* revise Datadog trace sampling configuration (#10151) +* Clarify TCP/UDP service docs (#10146) +* Exposed continent data as variable in the case of Maxmind city files (#10157) +* Cleanup errcheck code (#10166) +* Fix golang-ci linter errors (#10128) +* Deprecate and remove AJP support (#10158) +* release notes 1.8.1 (#10161) + +### Dependency updates: + +* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355) +* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399) +* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403) +* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402) +* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404) +* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400) +* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398) +* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401) +* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373) +* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374) +* Bump Go version to 1.21.1 (#10377) +* Bump Go version to 1.21.1 on testrunner (#10378) +* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365) +* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353) +* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354) +* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333) +* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313) +* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332) +* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314) +* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298) +* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282) +* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258) +* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280) +* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244) +* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193) +* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207) +* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192) +* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191) +* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0-beta.0 diff --git a/changelog/controller-1.9.0.md b/changelog/controller-1.9.0.md new file mode 100644 index 000000000..25442894f --- /dev/null +++ b/changelog/controller-1.9.0.md @@ -0,0 +1,95 @@ +# Changelog + +### 1.9.0 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0@sha256:d9fa7a136de2104fb2ecfcf1666978bfab927f4a125b75c0fb471e6104366ab5 + +### All changes: + +* Rework mage (#10418) +* Start release of v1.9.0 beta0 (#10407) +* Update k8s versions on CI (#10406) +* Add a flag to enable or disable aio_write (#10394) +* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372) +* Fix e2e test suite doc (#10396) +* Disable user snippets per default (#10393) +* Deployment/DaemonSet: Fix templating & value. (#10240) +* Fix deferInLoop error (#10387) +* Remove gofmt (#10385) +* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259) +* release notes 1.8.2 (#10389) +* fix: remove curl on base container #9716 (#10306) +* Fix http default backend test (#10382) +* Add golangci github action and replace the deprecated golint (#10187) +* BUGFIX incorrect indentation (#10254) +* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352) +* fix: path with sepecial characters warning #10281 #10308 (#10330) +* Fix golangci-lint errors (#10196) +* chore(build): Fix Run make dev-env syntax error (#10294) +* Add firewall configuration to quick start documentation (#10357) +* Making auth access logs optional (#10335) +* Fix “dev-env” Makefile target to work with kubectl 1.28+ (#10350) +* fix: update action file to auto release plugin #10197 (#10321) +* Use gzip instead of pigz in CI (#10348) +* Disable Modsecurity from internal processing which affects large ingresses (#10316) +* fix: add /etc/mime.types #10309 (#10310) +* Remove curl dependencies in e2e tests #9716 (#10296) +* docs: swap explanation to match example (#10220) +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* Updated index.md - Fix typos (#10256) +* Handle request_id variable correctly in auth requests (#9219) +* test kind updates (#10272) +* promote distroless otel init image (#10257) +* [helm] configure allow to configure hostAliases (#10180) +* Add rolling update strategy to each static deployment file (#10129) +* Implement annotation validation (#9673) +* Golang 1.20.6 for test runner (#10230) +* [helm] pass service annotations through helm tpl engine (#10084) +* Ignore deployment template's replicas if KEDA is enabled (#9534) +* chore: bump OpenResty to v1.21.4.2 (#10219) +* Scanning port 10247 lead to tcp connection 502 error (#9815) +* revise Datadog trace sampling configuration (#10151) +* Clarify TCP/UDP service docs (#10146) +* Exposed continent data as variable in the case of Maxmind city files (#10157) +* Cleanup errcheck code (#10166) +* Fix golang-ci linter errors (#10128) +* Deprecate and remove AJP support (#10158) +* release notes 1.8.1 (#10161) + +### Dependency updates: + +* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355) +* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399) +* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403) +* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402) +* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404) +* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400) +* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398) +* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401) +* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373) +* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374) +* Bump Go version to 1.21.1 (#10377) +* Bump Go version to 1.21.1 on testrunner (#10378) +* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365) +* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353) +* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354) +* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333) +* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313) +* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332) +* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314) +* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298) +* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282) +* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258) +* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280) +* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244) +* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193) +* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207) +* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192) +* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191) +* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0 diff --git a/changelog/controller-1.9.1.md b/changelog/controller-1.9.1.md new file mode 100644 index 000000000..b05c88eae --- /dev/null +++ b/changelog/controller-1.9.1.md @@ -0,0 +1,21 @@ +# Changelog + +### 1.9.1 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.9.1@sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.1@sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836 + +### All changes: + +* upgrade owasp modsecurity core rule set to v3.3.5 (#10437) +* Start v1.9.1 release (#10463) +* Accept backend protocol on any case (#10461) +* Chart: Rework network policies. (#10438) + +### Dependency updates: + +* Bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#10436) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.0...controller-controller-v1.9.1 diff --git a/changelog/controller-1.9.3.md b/changelog/controller-1.9.3.md new file mode 100644 index 000000000..59ba545d9 --- /dev/null +++ b/changelog/controller-1.9.3.md @@ -0,0 +1,29 @@ +# Changelog + +### 1.9.3 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.9.3@sha256:8fd21d59428507671ce0fb47f818b1d859c92d2ad07bb7c947268d433030ba98 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.3@sha256:df4931fd6859fbf1a71e785f02a44b2f9a16f010ae852c442e9bb779cbefdc86 + +### All changes: + +* update nginx base, httpbun, e2e, helm webhook cert gen (#10506) +* added warning for configuration-snippets usage (#10492) +* Remove legacy GeoIP from controller (#10495) +* add upstream patch for CVE-2023-44487 (#10494) +* Revert "Remove curl from nginx base image (#10477)" (#10479) +* update error and otel to have all the arch we support (#10476) +* Remove curl from nginx base image (#10477) + +### Dependency updates: + +* Bump x/net (#10514) +* Bump curl and Go version (#10503) +* Bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#10496) +* Bump github.com/prometheus/client_model (#10486) +* Bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#10487) +* Bump golang.org/x/crypto from 0.13.0 to 0.14.0 (#10485) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.1...controller-controller-v1.9.3 diff --git a/changelog/controller-1.9.4.md b/changelog/controller-1.9.4.md new file mode 100644 index 000000000..69c6ad2e3 --- /dev/null +++ b/changelog/controller-1.9.4.md @@ -0,0 +1,14 @@ +# Changelog + +### 1.9.4 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.9.4@sha256:5b161f051d017e55d358435f295f5e9a297e66158f136321d9b04520ec6c48a3 +* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.4@sha256:5976b1067cfbca8a21d0ba53d71f83543a73316a61ea7f7e436d6cf84ddf9b26 + +### All changes: + +* Cherry pick fcgi fix and release v1.9.4 (#10544) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.9.3...controller-controller-v1.9.4 diff --git a/changelog/controller-1.9.5.md b/changelog/controller-1.9.5.md new file mode 100644 index 000000000..51b23ba64 --- /dev/null +++ b/changelog/controller-1.9.5.md @@ -0,0 +1,37 @@ +# Changelog + +### controller-v1.9.5 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.9.5@sha256:b3aba22b1da80e7acfc52b115cae1d4c687172cbf2b742d5b502419c25ff340e +* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.5@sha256:9a8d7b25a846a6461cd044b9aea9cf6cad972bcf2e64d9fd246c0279979aad2d + +### All changes: + +* update nginx build (#10781) +* update images from golang upgrade (#10762) +* fix: remove tcpproxy copy error handling (#10715) +* Ignore fake certificate for NGINXCertificateExpiry (#10694) +* Comment NGINXCertificateExpiry alert label matcher (#10692) +* chart: allow setting allocateLoadBalancerNodePorts (#10693) +* [release-1.9] feat(helm): add documentation about metric args (#10695) +* chore(dep): change lua-resty-cookie's repo (#10691) +* annotation validation - extended URLWithNginxVariableRegex from alphaNumericChars to extendedAlphaNumeric (#10656) +* fix: adjust unfulfillable validation check for session-cookie-samesite annotation (#10604) +* fix: Validate x-forwarded-prefix annotation with RegexPathWithCapture (#10603) +* Increase HSTS max-age to default to one year (#10580) +* [release-1.9] update nginx base, httpbun, e2e, helm webhook cert gen (#10507) +* [release-1.9] add upstream patch for CVE-2023-44487 (#10499) +* fix brotli build issues (#10468) +* upgrade owasp modsecurity core rule set to v3.3.5 (#10437) +* Accept backend protocol on any case (#10461) +* Chart: Rework network policies. (#10438) +* Rework mage (#10418) + +### Dependency updates: + +* Bump x/net (#10517) +* Bump google.golang.org/grpc from 1.58.0 to 1.58.1 (#10436) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.9.4...controller-v1.9.5 diff --git a/changelog/controller-1.9.6.md b/changelog/controller-1.9.6.md new file mode 100644 index 000000000..ccc382644 --- /dev/null +++ b/changelog/controller-1.9.6.md @@ -0,0 +1,21 @@ +# Changelog + +### controller-v1.9.6 + +Images: + +* registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c +* registry.k8s.io/ingress-nginx/controller-chroot:v1.9.6@sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096 + +### All changes: + +* update web hook cert gen to latest release v20231226-1a7112e06 +* annotation validation: validate regex in common name annotation (#10880) +* change MODSECURITY_VERSION_LIB to 3.0.11 (#10879) +* Include SECLEVEL and STRENGTH as part of ssl-cipher list validation (#10871) + +### Dependency updates: + +* Bump github.com/opencontainers/runc from 1.1.10 to 1.1.11 (#10878) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-v1.9.5...controller-v1.9.6 diff --git a/changelog/controller.md.gotmpl b/changelog/controller.md.gotmpl new file mode 100644 index 000000000..0d7ad5588 --- /dev/null +++ b/changelog/controller.md.gotmpl @@ -0,0 +1,22 @@ +# Changelog + +### {{ .NewControllerVersion }} +{{ with .ControllerImages }} +Images: +{{ range . }} +* {{ .Registry }}/{{ .Name }}:{{ .Tag}}@{{ .Digest }} +{{- end }} +{{ end }} +{{- with .Updates }} +### All changes: +{{ range . }} +* {{ . }} +{{- end }} +{{ end }} +{{- with .DepUpdates }} +### Dependency updates: +{{ range . }} +* {{ . }} +{{- end }} +{{ end }} +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/{{ .PreviousControllerVersion }}...{{ .NewControllerVersion }} diff --git a/charts/ingress-nginx/.helmignore b/charts/ingress-nginx/.helmignore index 50af03172..109b40811 100644 --- a/charts/ingress-nginx/.helmignore +++ b/charts/ingress-nginx/.helmignore @@ -20,3 +20,4 @@ .idea/ *.tmproj .vscode/ +__snapshot__ diff --git a/charts/ingress-nginx/CHANGELOG.md b/charts/ingress-nginx/CHANGELOG.md deleted file mode 100644 index 7d81ac1bd..000000000 --- a/charts/ingress-nginx/CHANGELOG.md +++ /dev/null @@ -1,460 +0,0 @@ -# Changelog - -This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). - -### 4.4.0 - -* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238 -* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186 -* #7652 - Updated Helm chart to use the fullname for the electionID if not specified. by @FutureMatt in https://github.com/kubernetes/ingress-nginx/pull/9133 -* Rename controller-wehbooks-networkpolicy.yaml. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9123 - -### 4.3.0 -- Support for Kubernetes v.1.25.0 was added and support for endpoint slices -- Support for Kubernetes v1.20.0 and v1.21.0 was removed -- [8890](https://github.com/kubernetes/ingress-nginx/pull/8890) migrate to endpointslices -- [9059](https://github.com/kubernetes/ingress-nginx/pull/9059) kubewebhookcertgen sha change after go1191 -- [9046](https://github.com/kubernetes/ingress-nginx/pull/9046) Parameterize metrics port name -- [9104](https://github.com/kubernetes/ingress-nginx/pull/9104) Fix yaml formatting error with multiple annotations - -### 4.2.1 - -- The sha of kube-webhook-certgen image & the opentelemetry image, in values file, was changed to new images built on alpine-v3.16.1 -- "[8896](https://github.com/kubernetes/ingress-nginx/pull/8896) updated to new images built today" - -### 4.2.0 - -- Support for Kubernetes v1.19.0 was removed -- "[8810](https://github.com/kubernetes/ingress-nginx/pull/8810) Prepare for v1.3.0" -- "[8808](https://github.com/kubernetes/ingress-nginx/pull/8808) revert arch var name" -- "[8805](https://github.com/kubernetes/ingress-nginx/pull/8805) Bump k8s.io/klog/v2 from 2.60.1 to 2.70.1" -- "[8803](https://github.com/kubernetes/ingress-nginx/pull/8803) Update to nginx base with alpine v3.16" -- "[8802](https://github.com/kubernetes/ingress-nginx/pull/8802) chore: start v1.3.0 release process" -- "[8798](https://github.com/kubernetes/ingress-nginx/pull/8798) Add v1.24.0 to test matrix" -- "[8796](https://github.com/kubernetes/ingress-nginx/pull/8796) fix: add MAC_OS variable for static-check" -- "[8793](https://github.com/kubernetes/ingress-nginx/pull/8793) changed to alpine-v3.16" -- "[8781](https://github.com/kubernetes/ingress-nginx/pull/8781) Bump github.com/stretchr/testify from 1.7.5 to 1.8.0" -- "[8778](https://github.com/kubernetes/ingress-nginx/pull/8778) chore: remove stable.txt from release process" -- "[8775](https://github.com/kubernetes/ingress-nginx/pull/8775) Remove stable" -- "[8773](https://github.com/kubernetes/ingress-nginx/pull/8773) Bump github/codeql-action from 2.1.14 to 2.1.15" -- "[8772](https://github.com/kubernetes/ingress-nginx/pull/8772) Bump ossf/scorecard-action from 1.1.1 to 1.1.2" -- "[8771](https://github.com/kubernetes/ingress-nginx/pull/8771) fix bullet md format" -- "[8770](https://github.com/kubernetes/ingress-nginx/pull/8770) Add condition for monitoring.coreos.com/v1 API" -- "[8769](https://github.com/kubernetes/ingress-nginx/pull/8769) Fix typos and add links to developer guide" -- "[8767](https://github.com/kubernetes/ingress-nginx/pull/8767) change v1.2.0 to v1.2.1 in deploy doc URLs" -- "[8765](https://github.com/kubernetes/ingress-nginx/pull/8765) Bump github/codeql-action from 1.0.26 to 2.1.14" -- "[8752](https://github.com/kubernetes/ingress-nginx/pull/8752) Bump github.com/spf13/cobra from 1.4.0 to 1.5.0" -- "[8751](https://github.com/kubernetes/ingress-nginx/pull/8751) Bump github.com/stretchr/testify from 1.7.2 to 1.7.5" -- "[8750](https://github.com/kubernetes/ingress-nginx/pull/8750) added announcement" -- "[8740](https://github.com/kubernetes/ingress-nginx/pull/8740) change sha e2etestrunner and echoserver" -- "[8738](https://github.com/kubernetes/ingress-nginx/pull/8738) Update docs to make it easier for noobs to follow step by step" -- "[8737](https://github.com/kubernetes/ingress-nginx/pull/8737) updated baseimage sha" -- "[8736](https://github.com/kubernetes/ingress-nginx/pull/8736) set ld-musl-path" -- "[8733](https://github.com/kubernetes/ingress-nginx/pull/8733) feat: migrate leaderelection lock to leases" -- "[8726](https://github.com/kubernetes/ingress-nginx/pull/8726) prometheus metric: upstream_latency_seconds" -- "[8720](https://github.com/kubernetes/ingress-nginx/pull/8720) Ci pin deps" -- "[8719](https://github.com/kubernetes/ingress-nginx/pull/8719) Working OpenTelemetry sidecar (base nginx image)" -- "[8714](https://github.com/kubernetes/ingress-nginx/pull/8714) Create Openssf scorecard" -- "[8708](https://github.com/kubernetes/ingress-nginx/pull/8708) Bump github.com/prometheus/common from 0.34.0 to 0.35.0" -- "[8703](https://github.com/kubernetes/ingress-nginx/pull/8703) Bump actions/dependency-review-action from 1 to 2" -- "[8701](https://github.com/kubernetes/ingress-nginx/pull/8701) Fix several typos" -- "[8699](https://github.com/kubernetes/ingress-nginx/pull/8699) fix the gosec test and a make target for it" -- "[8698](https://github.com/kubernetes/ingress-nginx/pull/8698) Bump actions/upload-artifact from 2.3.1 to 3.1.0" -- "[8697](https://github.com/kubernetes/ingress-nginx/pull/8697) Bump actions/setup-go from 2.2.0 to 3.2.0" -- "[8695](https://github.com/kubernetes/ingress-nginx/pull/8695) Bump actions/download-artifact from 2 to 3" -- "[8694](https://github.com/kubernetes/ingress-nginx/pull/8694) Bump crazy-max/ghaction-docker-buildx from 1.6.2 to 3.3.1" - -### 4.1.2 - -- "[8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed" -- "[8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter" -- "[8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart" - -### 4.1.0 - -- "[8481](https://github.com/kubernetes/ingress-nginx/pull/8481) Fix log creation in chroot script" -- "[8479](https://github.com/kubernetes/ingress-nginx/pull/8479) changed nginx base img tag to img built with alpine3.14.6" -- "[8478](https://github.com/kubernetes/ingress-nginx/pull/8478) update base images and protobuf gomod" -- "[8468](https://github.com/kubernetes/ingress-nginx/pull/8468) Fallback to ngx.var.scheme for redirectScheme with use-forward-headers when X-Forwarded-Proto is empty" -- "[8456](https://github.com/kubernetes/ingress-nginx/pull/8456) Implement object deep inspector" -- "[8455](https://github.com/kubernetes/ingress-nginx/pull/8455) Update dependencies" -- "[8454](https://github.com/kubernetes/ingress-nginx/pull/8454) Update index.md" -- "[8447](https://github.com/kubernetes/ingress-nginx/pull/8447) typo fixing" -- "[8446](https://github.com/kubernetes/ingress-nginx/pull/8446) Fix suggested annotation-value-word-blocklist" -- "[8444](https://github.com/kubernetes/ingress-nginx/pull/8444) replace deprecated topology key in example with current one" -- "[8443](https://github.com/kubernetes/ingress-nginx/pull/8443) Add dependency review enforcement" -- "[8434](https://github.com/kubernetes/ingress-nginx/pull/8434) added new auth-tls-match-cn annotation" -- "[8426](https://github.com/kubernetes/ingress-nginx/pull/8426) Bump github.com/prometheus/common from 0.32.1 to 0.33.0" - -### 4.0.18 - -- "[8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build" -- "[8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build" -- "[8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge" -- "[8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241" -- "[8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts" -- "[8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error" -- "[8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation" -- "[8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric" -- "[8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code." -- "[8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image" -- "[8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests" -- "[8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint" -- "[8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1" -- "[8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0" -- "[8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint" -- "[8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial" -- "[8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera" -- "[8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment" -- "[8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation" -- "[8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell" -- "[8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor" -- "[8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations" -- "[8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0" -- "[8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account" -- "[8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description" -- "[8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests" -- "[8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values" -- "[8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1" -- "[8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs" -- "[8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits" -- "[8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations" -- "[8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT" - - -### 4.0.15 - -- [8120] https://github.com/kubernetes/ingress-nginx/pull/8120 Update go in runner and release v1.1.1 -- [8119] https://github.com/kubernetes/ingress-nginx/pull/8119 Update to go v1.17.6 -- [8118] https://github.com/kubernetes/ingress-nginx/pull/8118 Remove deprecated libraries, update other libs -- [8117] https://github.com/kubernetes/ingress-nginx/pull/8117 Fix codegen errors -- [8115] https://github.com/kubernetes/ingress-nginx/pull/8115 chart/ghaction: set the correct permission to have access to push a release -- [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparison of P… -- [8088] https://github.com/kubernetes/ingress-nginx/pull/8088 Fix Edit this page link to use main branch -- [8072] https://github.com/kubernetes/ingress-nginx/pull/8072 Expose GeoIP2 Continent code as variable -- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 docs(charts): using helm-docs for chart -- [8058] https://github.com/kubernetes/ingress-nginx/pull/8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0 -- [8054] https://github.com/kubernetes/ingress-nginx/pull/8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0 -- [8051] https://github.com/kubernetes/ingress-nginx/pull/8051 align bug report with feature request regarding kind documentation -- [8046] https://github.com/kubernetes/ingress-nginx/pull/8046 Report expired certificates (#8045) -- [8044] https://github.com/kubernetes/ingress-nginx/pull/8044 remove G109 check till gosec resolves issues -- [8042] https://github.com/kubernetes/ingress-nginx/pull/8042 docs_multiple_instances_one_cluster_ticket_7543 -- [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executable name -- [8035] https://github.com/kubernetes/ingress-nginx/pull/8035 Comment busy owners -- [8029] https://github.com/kubernetes/ingress-nginx/pull/8029 Add stream-snippet as a ConfigMap and Annotation option -- [8023] https://github.com/kubernetes/ingress-nginx/pull/8023 fix nginx compilation flags -- [8021] https://github.com/kubernetes/ingress-nginx/pull/8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified -- [8019] https://github.com/kubernetes/ingress-nginx/pull/8019 Revise main documentation page -- [8018] https://github.com/kubernetes/ingress-nginx/pull/8018 Preserve order of plugin invocation -- [8015] https://github.com/kubernetes/ingress-nginx/pull/8015 Add newline indenting to admission webhook annotations -- [8014] https://github.com/kubernetes/ingress-nginx/pull/8014 Add link to example error page manifest in docs -- [8009] https://github.com/kubernetes/ingress-nginx/pull/8009 Fix spelling in documentation and top-level files -- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml -- [8003] https://github.com/kubernetes/ingress-nginx/pull/8003 Minor improvements (formatting, consistency) in install guide -- [8001] https://github.com/kubernetes/ingress-nginx/pull/8001 fix: go-grpc Dockerfile -- [7999] https://github.com/kubernetes/ingress-nginx/pull/7999 images: use k8s-staging-test-infra/gcb-docker-gcloud -- [7996] https://github.com/kubernetes/ingress-nginx/pull/7996 doc: improvement -- [7983] https://github.com/kubernetes/ingress-nginx/pull/7983 Fix a couple of misspellings in the annotations documentation. -- [7979] https://github.com/kubernetes/ingress-nginx/pull/7979 allow set annotations for admission Jobs -- [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to default server -- [7975] https://github.com/kubernetes/ingress-nginx/pull/7975 add legacy version update v0.50.0 to main changelog -- [7972] https://github.com/kubernetes/ingress-nginx/pull/7972 updated service upstream definition - -### 4.0.14 - -- [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md - -### 4.0.13 - -- [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml - -### 4.0.12 - -- [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs - -### 4.0.11 - -- [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional. - -### 4.0.10 - -- [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0 - -### 4.0.9 - -- [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources - -### 4.0.7 - -- [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx -- [7806] https://github.com/kubernetes/ingress-nginx/pull/7806 Choice option for internal/external loadbalancer type service - -### 4.0.6 - -- [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx -- [7651] https://github.com/kubernetes/ingress-nginx/pull/7651 Support ipFamilyPolicy and ipFamilies fields in Helm Chart -- [7798] https://github.com/kubernetes/ingress-nginx/pull/7798 Exoscale: use HTTP Healthcheck mode -- [7793] https://github.com/kubernetes/ingress-nginx/pull/7793 Update kube-webhook-certgen to v1.1.1 - -### 4.0.5 - -- [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx - -### 4.0.3 - -- [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx - -### 4.0.2 - -- [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx - -### 4.0.1 - -- [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx - -### 3.34.0 - -- [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates - -### 3.33.0 - -- [7164] https://github.com/kubernetes/ingress-nginx/pull/7164 Update nginx to v1.20.1 - -### 3.32.0 - -- [7117] https://github.com/kubernetes/ingress-nginx/pull/7117 Add annotations for HPA - -### 3.31.0 - -- [7137] https://github.com/kubernetes/ingress-nginx/pull/7137 Add support for custom probes - -### 3.30.0 - -- [#7092](https://github.com/kubernetes/ingress-nginx/pull/7092) Removes the possibility of using localhost in ExternalNames as endpoints - -### 3.29.0 - -- [X] [#6945](https://github.com/kubernetes/ingress-nginx/pull/7020) Add option to specify job label for ServiceMonitor - -### 3.28.0 - -- [ ] [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs - -### 3.27.0 - -- Update ingress-nginx v0.45.0 - -### 3.26.0 - -- [X] [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics - -### 3.25.0 - -- [X] [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken - -### 3.24.0 - -- [X] [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) Add volumes to default-backend deployment - -### 3.23.0 - -- Update ingress-nginx v0.44.0 - -### 3.22.0 - -- [X] [#6802](https://github.com/kubernetes/ingress-nginx/pull/6802) Add value for configuring a custom Diffie-Hellman parameters file -- [X] [#6815](https://github.com/kubernetes/ingress-nginx/pull/6815) Allow use of numeric namespaces in helm chart - -### 3.21.0 - -- [X] [#6783](https://github.com/kubernetes/ingress-nginx/pull/6783) Add custom annotations to ScaledObject -- [X] [#6761](https://github.com/kubernetes/ingress-nginx/pull/6761) Adding quotes in the serviceAccount name in Helm values -- [X] [#6767](https://github.com/kubernetes/ingress-nginx/pull/6767) Remove ClusterRole when scope option is enabled -- [X] [#6785](https://github.com/kubernetes/ingress-nginx/pull/6785) Update kube-webhook-certgen image to v1.5.1 - -### 3.20.1 - -- Do not create KEDA in case of DaemonSets. -- Fix KEDA v2 definition - -### 3.20.0 - -- [X] [#6730](https://github.com/kubernetes/ingress-nginx/pull/6730) Do not create HPA for defaultBackend if not enabled. - -### 3.19.0 - -- Update ingress-nginx v0.43.0 - -### 3.18.0 - -- [X] [#6688](https://github.com/kubernetes/ingress-nginx/pull/6688) Allow volume-type emptyDir in controller podsecuritypolicy -- [X] [#6691](https://github.com/kubernetes/ingress-nginx/pull/6691) Improve parsing of helm parameters - -### 3.17.0 - -- Update ingress-nginx v0.42.0 - -### 3.16.1 - -- Fix chart-releaser action - -### 3.16.0 - -- [X] [#6646](https://github.com/kubernetes/ingress-nginx/pull/6646) Added LoadBalancerIP value for internal service - -### 3.15.1 - -- Fix chart-releaser action - -### 3.15.0 - -- [X] [#6586](https://github.com/kubernetes/ingress-nginx/pull/6586) Fix 'maxmindLicenseKey' location in values.yaml - -### 3.14.0 - -- [X] [#6469](https://github.com/kubernetes/ingress-nginx/pull/6469) Allow custom service names for controller and backend - -### 3.13.0 - -- [X] [#6544](https://github.com/kubernetes/ingress-nginx/pull/6544) Fix default backend HPA name variable - -### 3.12.0 - -- [X] [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs - -### 3.11.1 - -- [X] [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling - -### 3.11.0 - -- Support Keda Autoscaling - -### 3.10.1 - -- Fix regression introduced in 0.41.0 with external authentication - -### 3.10.0 - -- Fix routing regression introduced in 0.41.0 with PathType Exact - -### 3.9.0 - -- [X] [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling - -### 3.8.0 - -- [X] [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image -- [X] [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs -- [X] [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend -- [X] [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix controller service annotations -- [X] [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog - -### 3.7.1 - -- [X] [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart - -### 3.7.0 - -- [X] [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315) - -### 3.6.0 - -- [X] [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector - -### 3.5.1 - -- [X] [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release - -### 3.5.0 - -- [X] [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations - -### 3.4.0 - -- [X] [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288 - -### 3.3.1 - -- [X] [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart -- [X] [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link -- [X] [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0 - -### 3.3.1 - -- [X] [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test - -### 3.3.0 - -- [X] [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values -- [X] [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort -- [X] [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression -- [X] [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules - -### 3.0.0 - -- [X] [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements - -### 2.16.0 - -- [X] [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller - -### 2.15.0 - -- [X] [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec - -### 2.14.0 - -- [X] [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration - -### 2.13.0 - -- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0 - -### 2.13.0 - -- [X] [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0 -- [X] [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip - -### 2.12.1 - -- [X] [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples - -### 2.12.0 - -- [X] [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels -- [X] [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting - -### 2.11.3 - -- [X] [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH - -### 2.11.2 - -- [X] [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version - -### 2.11.1 - -- [X] [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1 - -### 2.11.0 - -- [X] [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0 -- [X] [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe - -### 2.10.0 - -- [X] [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image - -### 2.9.1 - -- [X] [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823) - -### 2.9.0 - -- [X] [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues - - -### TODO - -Keep building the changelog using *git log charts* checking the tag diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index 4b2753061..df4f6fe63 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,31 +1,23 @@ +annotations: + artifacthub.io/changes: |- + - "update web hook cert gen to latest release v20231226-1a7112e06" + - "Update Ingress-Nginx version controller-v1.9.6" + artifacthub.io/prerelease: "false" apiVersion: v2 -name: ingress-nginx -# When the version is modified, make sure the artifacthub.io/changes list is updated -# Also update CHANGELOG.md -version: 4.8.1 -appVersion: 1.9.1 +appVersion: 1.9.6 +description: Ingress controller for Kubernetes using NGINX as a reverse proxy and + load balancer home: https://github.com/kubernetes/ingress-nginx -description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png keywords: - - ingress - - nginx -sources: - - https://github.com/kubernetes/ingress-nginx +- ingress +- nginx +kubeVersion: '>=1.20.0-0' maintainers: - - name: rikatz - - name: strongjz - - name: tao12345666333 -engine: gotpl -kubeVersion: ">=1.20.0-0" -annotations: - # Use this annotation to indicate that this chart version is a pre-release. - # https://artifacthub.io/docs/topics/annotations/helm/ - artifacthub.io/prerelease: "false" - # List of changes for the release in artifacthub.io - # https://artifacthub.io/packages/helm/ingress-nginx/ingress-nginx?modal=changelog - artifacthub.io/changes: | - - Adding support for disabling liveness and readiness probes to the Helm chart - - add:(admission-webhooks) ability to set securityContext - - Updated Helm chart to use the fullname for the electionID if not specified - - Rename controller-wehbooks-networkpolicy.yaml +- name: rikatz +- name: strongjz +- name: tao12345666333 +name: ingress-nginx +sources: +- https://github.com/kubernetes/ingress-nginx +version: 4.9.1 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index b0604e2bd..c0318e12f 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,16 +2,15 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.4.2](https://img.shields.io/badge/Version-4.4.2-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square) +![Version: 4.9.1](https://img.shields.io/badge/Version-4.9.1-informational?style=flat-square) ![AppVersion: 1.9.6](https://img.shields.io/badge/AppVersion-1.9.6-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. -## Prerequisites +## Requirements -- Chart version 3.x.x: Kubernetes v1.16+ -- Chart version 4.x.x and above: Kubernetes v1.19+ +Kubernetes: `>=1.20.0-0` ## Get Repo Info @@ -52,10 +51,6 @@ helm upgrade [RELEASE_NAME] [CHART] --install _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ -### Upgrading With Zero Downtime in Production - -By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8). - ### Migrating from stable/nginx-ingress There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart: @@ -66,7 +61,6 @@ There are two main ways to migrate a release from `stable/nginx-ingress` to `ing 1. Redirect your DNS traffic from the old controller to the new controller 1. Log traffic from both controllers during this changeover 1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it - 1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production) Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts. @@ -85,14 +79,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https: ### Prometheus Metrics -The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. +The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`) ### ingress-nginx nginx\_status page/stats server -Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller: - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. @@ -100,7 +94,7 @@ Previous versions of this chart had a `controller.stats.*` configuration block, ### ExternalDNS Service Configuration -Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service: +Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service: ```yaml controller: @@ -126,19 +120,6 @@ controller: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' ``` -### AWS route53-mapper - -To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/blob/be63d4f1a7a46daaf1c4c482527328236850f111/addons/route53-mapper/README.md), add the `domainName` annotation and `dns` label: - -```yaml -controller: - service: - labels: - dns: "route53" - annotations: - domainName: "kubernetes-example.com" -``` - ### Additional Internal Load Balancer This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application. @@ -162,8 +143,10 @@ controller: internal: enabled: true annotations: - # Create internal ELB - service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # Create internal NLB + service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" + # Create internal ELB(Deprecated) + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" # Any other annotation can be declared here. ``` @@ -206,13 +189,15 @@ controller: # Any other annotation can be declared here. ``` +The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer). + An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. ### Ingress Admission Webhooks -With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. **This feature is enabled by default since 0.31.0.** With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) @@ -221,14 +206,14 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. -2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. +2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate. 3. Validating and Mutating webhook configurations are created in the cluster. 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations #### Alternatives It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required. -You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enable` value to true. +You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true. Please ensure that cert-manager is correctly installed and configured. @@ -244,10 +229,6 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. -## Requirements - -Kubernetes: `>=1.20.0-0` - ## Values | Key | Type | Default | Description | @@ -259,8 +240,9 @@ Kubernetes: `>=1.20.0-0` | controller.admissionWebhooks.certManager.enabled | bool | `false` | | | controller.admissionWebhooks.certManager.rootCert.duration | string | `""` | | | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` | | +| controller.admissionWebhooks.createSecretJob.name | string | `"create"` | | | controller.admissionWebhooks.createSecretJob.resources | object | `{}` | | -| controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` | | +| controller.admissionWebhooks.createSecretJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for secret creation containers | | controller.admissionWebhooks.enabled | bool | `true` | | | controller.admissionWebhooks.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.admissionWebhooks.existingScc | string | `""` | Use an existing SCC instead of creating one | @@ -269,25 +251,25 @@ Kubernetes: `>=1.20.0-0` | controller.admissionWebhooks.failurePolicy | string | `"Fail"` | Admission Webhook failure policy to use | | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks | +| controller.admissionWebhooks.name | string | `"admission"` | | | controller.admissionWebhooks.namespaceSelector | object | `{}` | | -| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v20220916-gd32f8c343"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v20231226-1a7112e06"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | +| controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # | -| controller.admissionWebhooks.patch.securityContext.fsGroup | int | `2000` | | -| controller.admissionWebhooks.patch.securityContext.runAsNonRoot | bool | `true` | | -| controller.admissionWebhooks.patch.securityContext.runAsUser | int | `2000` | | +| controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods | | controller.admissionWebhooks.patch.tolerations | list | `[]` | | +| controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | -| controller.admissionWebhooks.patchWebhookJob.securityContext.allowPrivilegeEscalation | bool | `false` | | +| controller.admissionWebhooks.patchWebhookJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for webhook patch containers | | controller.admissionWebhooks.port | int | `8443` | | | controller.admissionWebhooks.service.annotations | object | `{}` | | | controller.admissionWebhooks.service.externalIPs | list | `[]` | | @@ -295,10 +277,9 @@ Kubernetes: `>=1.20.0-0` | controller.admissionWebhooks.service.servicePort | int | `443` | | | controller.admissionWebhooks.service.type | string | `"ClusterIP"` | | | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # | -| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | +| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.autoscaling.annotations | object | `{}` | | -| controller.autoscaling.apiVersion | string | `"autoscaling/v2"` | | | controller.autoscaling.behavior | object | `{}` | | | controller.autoscaling.enabled | bool | `false` | | | controller.autoscaling.maxReplicas | int | `11` | | @@ -311,37 +292,45 @@ Kubernetes: `>=1.20.0-0` | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) | | controller.containerName | string | `"controller"` | Configures the controller container name | | controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on | +| controller.containerSecurityContext | object | `{}` | Security context for controller containers | | controller.customTemplate.configMapKey | string | `""` | | | controller.customTemplate.configMapName | string | `""` | | | controller.dnsConfig | object | `{}` | Optionally customize the pod dnsConfig. | | controller.dnsPolicy | string | `"ClusterFirst"` | Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. | | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | +| controller.enableAnnotationValidations | bool | `false` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | +| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.existingScc | string | `""` | Use an existing SCC instead of creating one | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to nginx-ingress-controller E.g. to specify the default SSL certificate you can use | +| controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | | controller.extraEnvs | list | `[]` | Additional environment variables to set | | controller.extraInitContainers | list | `[]` | Containers, which are run before the app containers are started. | | controller.extraModules | list | `[]` | Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module | | controller.extraVolumeMounts | list | `[]` | Additional volumeMounts to the controller main container. | | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | -| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the ingress nginx controller is running in the `hostNetwork: true` mode. | +| controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. | +| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. | | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged | | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not | | controller.hostPort.ports.http | int | `80` | 'hostPort' http port | | controller.hostPort.ports.https | int | `443` | 'hostPort' https port | | controller.hostname | object | `{}` | Optionally customize the pod hostname. | -| controller.image.allowPrivilegeEscalation | bool | `true` | | +| controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629"` | | -| controller.image.digestChroot | string | `"sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345"` | | +| controller.image.digest | string | `"sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c"` | | +| controller.image.digestChroot | string | `"sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | +| controller.image.readOnlyRootFilesystem | bool | `false` | | | controller.image.registry | string | `"registry.k8s.io"` | | +| controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.5.1"` | | +| controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | +| controller.image.tag | string | `"v1.9.6"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | @@ -378,11 +367,13 @@ Kubernetes: `>=1.20.0-0` | controller.metrics.prometheusRule.enabled | bool | `false` | | | controller.metrics.prometheusRule.rules | list | `[]` | | | controller.metrics.service.annotations | object | `{}` | | -| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | +| controller.metrics.service.externalIPs | list | `[]` | List of IP addresses at which the stats-exporter service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | +| controller.metrics.service.labels | object | `{}` | Labels to be added to the metrics service resource | | controller.metrics.service.loadBalancerSourceRanges | list | `[]` | | | controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.type | string | `"ClusterIP"` | | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | +| controller.metrics.serviceMonitor.annotations | object | `{}` | | | controller.metrics.serviceMonitor.enabled | bool | `false` | | | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | controller.metrics.serviceMonitor.namespace | string | `""` | | @@ -390,16 +381,28 @@ Kubernetes: `>=1.20.0-0` | controller.metrics.serviceMonitor.relabelings | list | `[]` | | | controller.metrics.serviceMonitor.scrapeInterval | string | `"30s"` | | | controller.metrics.serviceMonitor.targetLabels | list | `[]` | | -| controller.minAvailable | int | `1` | Define either 'minAvailable' or 'maxUnavailable', never both. | +| controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | -| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | +| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | +| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | +| controller.opentelemetry.containerSecurityContext.capabilities.drop[0] | string | `"ALL"` | | +| controller.opentelemetry.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | | +| controller.opentelemetry.containerSecurityContext.runAsNonRoot | bool | `true` | | +| controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | +| controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230107-helm-chart-4.4.2-2-g96b3d2165@sha256:331b9bebd6acfcd2d3048abbdd86555f5be76b7e3d0b5af4300b04235c6056c9"` | | +| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | +| controller.opentelemetry.image.distroless | bool | `true` | | +| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | | +| controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | +| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | | +| controller.opentelemetry.name | string | `"opentelemetry"` | | +| controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | -| controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | +| controller.podSecurityContext | object | `{}` | Security context for controller pods | | controller.priorityClassName | string | `""` | | | controller.proxySetHeaders | object | `{}` | Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers | | controller.publishService | object | `{"enabled":true,"pathOverride":""}` | Allows customization of the source of the IP address or FQDN to report in the ingress status field. By default, it reads the information provided by the service. If disable, the status field reports the IP address of the node or nodes where an ingress controller pod is running. | @@ -414,38 +417,58 @@ Kubernetes: `>=1.20.0-0` | controller.readinessProbe.successThreshold | int | `1` | | | controller.readinessProbe.timeoutSeconds | int | `1` | | | controller.replicaCount | int | `1` | | -| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | +| controller.reportNodeInternalIp | bool | `false` | Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply | | controller.resources.requests.cpu | string | `"100m"` | | | controller.resources.requests.memory | string | `"90Mi"` | | | controller.scope.enabled | bool | `false` | Enable 'scope' or not | | controller.scope.namespace | string | `""` | Namespace to limit the controller to; defaults to $(POD_NAMESPACE) | | controller.scope.namespaceSelector | string | `""` | When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces. | -| controller.service.annotations | object | `{}` | | -| controller.service.appProtocol | bool | `true` | If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http It allows choosing the protocol for each backend specified in the Kubernetes service. See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 Will be ignored for Kubernetes versions older than 1.20 # | -| controller.service.enableHttp | bool | `true` | | -| controller.service.enableHttps | bool | `true` | | -| controller.service.enabled | bool | `true` | | -| controller.service.external.enabled | bool | `true` | | -| controller.service.externalIPs | list | `[]` | List of IP addresses at which the controller services are available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | -| controller.service.internal.annotations | object | `{}` | Annotations are mandatory for the load balancer to come up. Varies with the cloud service. | -| controller.service.internal.enabled | bool | `false` | Enables an additional internal load balancer (besides the external one). | -| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. | -| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | -| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack-ness requested or required by this Service. Possible values are SingleStack, PreferDualStack or RequireDualStack. The ipFamilies and clusterIPs fields depend on the value of this field. # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ | -| controller.service.labels | object | `{}` | | -| controller.service.loadBalancerIP | string | `""` | Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | -| controller.service.loadBalancerSourceRanges | list | `[]` | | -| controller.service.nodePorts.http | string | `""` | | -| controller.service.nodePorts.https | string | `""` | | -| controller.service.nodePorts.tcp | object | `{}` | | -| controller.service.nodePorts.udp | object | `{}` | | -| controller.service.ports.http | int | `80` | | -| controller.service.ports.https | int | `443` | | -| controller.service.targetPorts.http | string | `"http"` | | -| controller.service.targetPorts.https | string | `"https"` | | -| controller.service.type | string | `"LoadBalancer"` | | +| controller.service.annotations | object | `{}` | Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. | +| controller.service.appProtocol | bool | `true` | Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | +| controller.service.clusterIP | string | `""` | Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | +| controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. | +| controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. | +| controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. | +| controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. | +| controller.service.externalIPs | list | `[]` | List of node IP addresses at which the external controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | +| controller.service.externalTrafficPolicy | string | `""` | External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | +| controller.service.internal.annotations | object | `{}` | Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer | +| controller.service.internal.appProtocol | bool | `true` | Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol | +| controller.service.internal.clusterIP | string | `""` | Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address | +| controller.service.internal.enabled | bool | `false` | Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. | +| controller.service.internal.externalIPs | list | `[]` | List of node IP addresses at which the internal controller service is available. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips | +| controller.service.internal.externalTrafficPolicy | string | `""` | External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip | +| controller.service.internal.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.internal.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.internal.loadBalancerClass | string | `""` | Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | +| controller.service.internal.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | +| controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. | +| controller.service.internal.nodePorts.http | string | `""` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.internal.nodePorts.https | string | `""` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.internal.nodePorts.tcp | object | `{}` | Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 | +| controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | +| controller.service.internal.ports | object | `{}` | | +| controller.service.internal.sessionAffinity | string | `""` | Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | +| controller.service.internal.targetPorts | object | `{}` | | +| controller.service.internal.type | string | `""` | Type of the internal controller service. Defaults to the value of `controller.service.type`. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | +| controller.service.ipFamilies | list | `["IPv4"]` | List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.ipFamilyPolicy | string | `"SingleStack"` | Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. Fields `ipFamilies` and `clusterIP` depend on the value of this field. Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | +| controller.service.labels | object | `{}` | Labels to be added to both controller services. | +| controller.service.loadBalancerClass | string | `""` | Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class | +| controller.service.loadBalancerIP | string | `""` | Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer | +| controller.service.loadBalancerSourceRanges | list | `[]` | Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. | +| controller.service.nodePorts.http | string | `""` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.nodePorts.https | string | `""` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. | +| controller.service.nodePorts.tcp | object | `{}` | Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp: 8080: 30080 | +| controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp: 53: 30053 | +| controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. | +| controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. | +| controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity | +| controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. | +| controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. | +| controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | | controller.shareProcessNamespace | bool | `false` | | -| controller.sysctls | object | `{}` | See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls | +| controller.sysctls | object | `{}` | sysctls for controller pods # Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ | | controller.tcp.annotations | object | `{}` | Annotations to be added to the tcp config configmap | | controller.tcp.configMapNamespace | string | `""` | Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE) | | controller.terminationGracePeriodSeconds | int | `300` | `terminationGracePeriodSeconds` to avoid killing pods before we are ready # wait up to five minutes for the drain of connections # | @@ -462,11 +485,12 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.autoscaling.minReplicas | int | `1` | | | defaultBackend.autoscaling.targetCPUUtilizationPercentage | int | `50` | | | defaultBackend.autoscaling.targetMemoryUtilizationPercentage | int | `50` | | -| defaultBackend.containerSecurityContext | object | `{}` | Security Context policies for controller main container. See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | +| defaultBackend.containerSecurityContext | object | `{}` | Security context for default backend containers | | defaultBackend.enabled | bool | `false` | | | defaultBackend.existingPsp | string | `""` | Use an existing PSP instead of creating one | | defaultBackend.existingScc | string | `""` | Use an existing SCC instead of creating one | | defaultBackend.extraArgs | object | `{}` | | +| defaultBackend.extraConfigMaps | list | `[]` | | | defaultBackend.extraEnvs | list | `[]` | Additional environment variables to set for defaultBackend pods | | defaultBackend.extraVolumeMounts | list | `[]` | | | defaultBackend.extraVolumes | list | `[]` | | @@ -477,6 +501,7 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.image.registry | string | `"registry.k8s.io"` | | | defaultBackend.image.runAsNonRoot | bool | `true` | | | defaultBackend.image.runAsUser | int | `65534` | | +| defaultBackend.image.seccompProfile.type | string | `"RuntimeDefault"` | | | defaultBackend.image.tag | string | `"1.5"` | | | defaultBackend.labels | object | `{}` | Labels to be added to the default backend resources | | defaultBackend.livenessProbe.failureThreshold | int | `3` | | @@ -485,11 +510,13 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.livenessProbe.successThreshold | int | `1` | | | defaultBackend.livenessProbe.timeoutSeconds | int | `5` | | | defaultBackend.minAvailable | int | `1` | | +| defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | -| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ # | +| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | +| defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | -| defaultBackend.podSecurityContext | object | `{}` | Security Context policies for controller pods See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls # | +| defaultBackend.podSecurityContext | object | `{}` | Security context for default backend pods | | defaultBackend.port | int | `8080` | | | defaultBackend.priorityClassName | string | `""` | | | defaultBackend.readinessProbe.failureThreshold | int | `6` | | @@ -500,7 +527,7 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.replicaCount | int | `1` | | | defaultBackend.resources | object | `{}` | | | defaultBackend.service.annotations | object | `{}` | | -| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/user-guide/services/#external-ips # | +| defaultBackend.service.externalIPs | list | `[]` | List of IP addresses at which the default backend service is available # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips # | | defaultBackend.service.loadBalancerSourceRanges | list | `[]` | | | defaultBackend.service.servicePort | int | `80` | | | defaultBackend.service.type | string | `"ClusterIP"` | | @@ -508,8 +535,10 @@ Kubernetes: `>=1.20.0-0` | defaultBackend.serviceAccount.create | bool | `true` | | | defaultBackend.serviceAccount.name | string | `""` | | | defaultBackend.tolerations | list | `[]` | Node tolerations for server scheduling to nodes with taints # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ # | -| dhParam | string | `nil` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | +| defaultBackend.updateStrategy | object | `{}` | The update strategy to apply to the Deployment or DaemonSet # | +| dhParam | string | `""` | A base64-encoded Diffie-Hellman parameter. This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` # Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param | | imagePullSecrets | list | `[]` | Optional array of imagePullSecrets containing private registry credentials # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | +| namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace | | podSecurityPolicy.enabled | bool | `false` | | | portNamePrefix | string | `""` | Prefix for TCP and UDP ports names in ingress controller service # Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration | | rbac.create | bool | `true` | | @@ -522,4 +551,3 @@ Kubernetes: `>=1.20.0-0` | serviceAccount.name | string | `""` | | | tcp | object | `{}` | TCP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # | | udp | object | `{}` | UDP service key-value pairs # Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md # | - diff --git a/charts/ingress-nginx/README.md.gotmpl b/charts/ingress-nginx/README.md.gotmpl index 78e4f38d4..17b029bbf 100644 --- a/charts/ingress-nginx/README.md.gotmpl +++ b/charts/ingress-nginx/README.md.gotmpl @@ -7,10 +7,7 @@ To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.c This chart bootstraps an ingress-nginx deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. -## Prerequisites - -- Chart version 3.x.x: Kubernetes v1.16+ -- Chart version 4.x.x and above: Kubernetes v1.19+ +{{ template "chart.requirementsSection" . }} ## Get Repo Info @@ -51,10 +48,6 @@ helm upgrade [RELEASE_NAME] [CHART] --install _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ -### Upgrading With Zero Downtime in Production - -By default the ingress-nginx controller has service interruptions whenever it's pods are restarted or redeployed. In order to fix that, see the excellent blog post by Lindsay Landry from Codecademy: [Kubernetes: Nginx and Zero Downtime in Production](https://medium.com/codecademy-engineering/kubernetes-nginx-and-zero-downtime-in-production-2c910c6a5ed8). - ### Migrating from stable/nginx-ingress There are two main ways to migrate a release from `stable/nginx-ingress` to `ingress-nginx/ingress-nginx` chart: @@ -65,7 +58,6 @@ There are two main ways to migrate a release from `stable/nginx-ingress` to `ing 1. Redirect your DNS traffic from the old controller to the new controller 1. Log traffic from both controllers during this changeover 1. [Uninstall](#uninstall-chart) the old controller once traffic has fully drained from it - 1. For details on all of these steps see [Upgrading With Zero Downtime in Production](#upgrading-with-zero-downtime-in-production) Note that there are some different and upgraded configurations between the two charts, described by Rimas Mocevicius from JFrog in the "Upgrading to ingress-nginx Helm chart" section of [Migrating from Helm chart nginx-ingress to ingress-nginx](https://rimusz.net/migrating-to-ingress-nginx). As the `ingress-nginx/ingress-nginx` chart continues to update, you will want to check current differences by running [helm configuration](#configuration) commands on both charts. @@ -84,14 +76,14 @@ else it would make it impossible to evacuate a node. See [gh issue #7127](https: ### Prometheus Metrics -The Nginx ingress controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. +The Ingress-Nginx Controller can export Prometheus metrics, by setting `controller.metrics.enabled` to `true`. You can add Prometheus annotations to the metrics service using `controller.metrics.service.annotations`. Alternatively, if you use the Prometheus Operator, you can enable ServiceMonitor creation using `controller.metrics.serviceMonitor.enabled`. And set `controller.metrics.serviceMonitor.additionalLabels.release="prometheus"`. "release=prometheus" should match the label configured in the prometheus servicemonitor ( see `kubectl get servicemonitor prometheus-kube-prom-prometheus -oyaml -n prometheus`) ### ingress-nginx nginx\_status page/stats server -Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in nginx ingress controller: +Previous versions of this chart had a `controller.stats.*` configuration block, which is now obsolete due to the following changes in Ingress-Nginx Controller: - In [0.16.1](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0161), the vts (virtual host traffic status) dashboard was removed - In [0.23.0](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0230), the status page at port 18080 is now a unix socket webserver only available at localhost. @@ -99,7 +91,7 @@ Previous versions of this chart had a `controller.stats.*` configuration block, ### ExternalDNS Service Configuration -Add an [ExternalDNS](https://github.com/kubernetes-incubator/external-dns) annotation to the LoadBalancer service: +Add an [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) annotation to the LoadBalancer service: ```yaml controller: @@ -125,19 +117,6 @@ controller: service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600' ``` -### AWS route53-mapper - -To configure the LoadBalancer service with the [route53-mapper addon](https://github.com/kubernetes/kops/blob/be63d4f1a7a46daaf1c4c482527328236850f111/addons/route53-mapper/README.md), add the `domainName` annotation and `dns` label: - -```yaml -controller: - service: - labels: - dns: "route53" - annotations: - domainName: "kubernetes-example.com" -``` - ### Additional Internal Load Balancer This setup is useful when you need both external and internal load balancers but don't want to have multiple ingress controllers and multiple ingress objects per application. @@ -161,8 +140,10 @@ controller: internal: enabled: true annotations: - # Create internal ELB - service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # Create internal NLB + service.beta.kubernetes.io/aws-load-balancer-scheme: "internal" + # Create internal ELB(Deprecated) + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" # Any other annotation can be declared here. ``` @@ -205,13 +186,15 @@ controller: # Any other annotation can be declared here. ``` +The load balancer annotations of more cloud service providers can be found: [Internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer). + An use case for this scenario is having a split-view DNS setup where the public zone CNAME records point to the external balancer URL while the private zone CNAME records point to the internal balancer URL. This way, you only need one ingress kubernetes object. Optionally you can set `controller.service.loadBalancerIP` if you need a static IP for the resulting `LoadBalancer`. ### Ingress Admission Webhooks -With nginx-ingress-controller version 0.25+, the nginx ingress controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. +With nginx-ingress-controller version 0.25+, the Ingress-Nginx Controller pod exposes an endpoint that will integrate with the `validatingwebhookconfiguration` Kubernetes feature to prevent bad ingress from being added to the cluster. **This feature is enabled by default since 0.31.0.** With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fix [this issue](https://github.com/kubernetes/ingress-nginx/pull/4521) @@ -220,14 +203,14 @@ With nginx-ingress-controller in 0.25.* work only with kubernetes 1.14+, 0.26 fi A validating and configuration requires the endpoint to which the request is sent to use TLS. It is possible to set up custom certificates to do this, but in most cases, a self-signed certificate is enough. The setup of this component requires some more complex orchestration when using helm. The steps are created to be idempotent and to allow turning the feature on and off without running into helm quirks. 1. A pre-install hook provisions a certificate into the same namespace using a format compatible with provisioning using end user certificates. If the certificate already exists, the hook exits. -2. The ingress nginx controller pod is configured to use a TLS proxy container, which will load that certificate. +2. The Ingress-Nginx Controller pod is configured to use a TLS proxy container, which will load that certificate. 3. Validating and Mutating webhook configurations are created in the cluster. 4. A post-install hook reads the CA from the secret created by step 1 and patches the Validating and Mutating webhook configurations. This process will allow a custom CA provisioned by some other process to also be patched into the webhook configurations. The chosen failure policy is also patched into the webhook configurations #### Alternatives It should be possible to use [cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) if a more complete solution is required. -You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enable` value to true. +You can enable automatic self-signed TLS certificate provisioning via cert-manager by setting the `controller.admissionWebhooks.certManager.enabled` value to true. Please ensure that cert-manager is correctly installed and configured. @@ -243,8 +226,4 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. -{{ template "chart.requirementsSection" . }} - {{ template "chart.valuesSection" . }} - -{{ template "helm-docs.versionFooter" . }} diff --git a/charts/ingress-nginx/changelog/helm-chart-2.10.0.md b/charts/ingress-nginx/changelog/helm-chart-2.10.0.md new file mode 100644 index 000000000..b42d6c28b --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.10.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.10.0 + +* [#5843](https://github.com/kubernetes/ingress-nginx/pull/5843) Update jettech/kube-webhook-certgen image + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.1...ingress-nginx-2.10.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.11.0.md b/charts/ingress-nginx/changelog/helm-chart-2.11.0.md new file mode 100644 index 000000000..e549b3867 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.11.0.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.11.0 + +* [#5879](https://github.com/kubernetes/ingress-nginx/pull/5879) Update helm chart for v0.34.0 +* [#5671](https://github.com/kubernetes/ingress-nginx/pull/5671) Make liveness probe more fault tolerant than readiness probe + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.10.0...ingress-nginx-2.11.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.11.1.md b/charts/ingress-nginx/changelog/helm-chart-2.11.1.md new file mode 100644 index 000000000..d910d3bf4 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.11.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.11.1 + +* [#5900](https://github.com/kubernetes/ingress-nginx/pull/5900) Release helm chart for v0.34.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.0...ingress-nginx-2.11.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.11.2.md b/charts/ingress-nginx/changelog/helm-chart-2.11.2.md new file mode 100644 index 000000000..9f7821005 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.11.2.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.11.2 + +* [#5951](https://github.com/kubernetes/ingress-nginx/pull/5951) Bump chart patch version + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.1...ingress-nginx-2.11.2 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.11.3.md b/charts/ingress-nginx/changelog/helm-chart-2.11.3.md new file mode 100644 index 000000000..344769163 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.11.3.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.11.3 + +* [#6038](https://github.com/kubernetes/ingress-nginx/pull/6038) Bump chart version PATCH + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.2...ingress-nginx-2.11.3 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.12.0.md b/charts/ingress-nginx/changelog/helm-chart-2.12.0.md new file mode 100644 index 000000000..5cb3888aa --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.12.0.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.12.0 + +* [#6039](https://github.com/kubernetes/ingress-nginx/pull/6039) Add configurable serviceMonitor metricRelabelling and targetLabels +* [#6044](https://github.com/kubernetes/ingress-nginx/pull/6044) Fix YAML linting + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.11.3...ingress-nginx-2.12.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.12.1.md b/charts/ingress-nginx/changelog/helm-chart-2.12.1.md new file mode 100644 index 000000000..94d121db5 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.12.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.12.1 + +* [#6075](https://github.com/kubernetes/ingress-nginx/pull/6075) Sync helm chart affinity examples + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.0...ingress-nginx-2.12.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.13.0.md b/charts/ingress-nginx/changelog/helm-chart-2.13.0.md new file mode 100644 index 000000000..01fe0b15d --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.13.0.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.13.0 + +* [#6093](https://github.com/kubernetes/ingress-nginx/pull/6093) Release v0.35.0 +* [#6080](https://github.com/kubernetes/ingress-nginx/pull/6080) Switch images to k8s.gcr.io after Vanity Domain Flip + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.12.1...ingress-nginx-2.13.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.14.0.md b/charts/ingress-nginx/changelog/helm-chart-2.14.0.md new file mode 100644 index 000000000..2fb7a5a76 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.14.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.14.0 + +* [#6104](https://github.com/kubernetes/ingress-nginx/pull/6104) Misc fixes for nginx-ingress chart for better keel and prometheus-operator integration + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.13.0...ingress-nginx-2.14.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.15.0.md b/charts/ingress-nginx/changelog/helm-chart-2.15.0.md new file mode 100644 index 000000000..543a55927 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.15.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.15.0 + +* [#6087](https://github.com/kubernetes/ingress-nginx/pull/6087) Adding parameter for externalTrafficPolicy in internal controller service spec + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.14.0...ingress-nginx-2.15.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.16.0.md b/charts/ingress-nginx/changelog/helm-chart-2.16.0.md new file mode 100644 index 000000000..996f4489e --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.16.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.16.0 + +* [#6154](https://github.com/kubernetes/ingress-nginx/pull/6154) add `topologySpreadConstraint` to controller + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.15.0...ingress-nginx-2.16.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.9.0.md b/charts/ingress-nginx/changelog/helm-chart-2.9.0.md new file mode 100644 index 000000000..11c5f5fed --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.9.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.9.0 + +* [#5795](https://github.com/kubernetes/ingress-nginx/pull/5795) Use fully qualified images to avoid cri-o issues + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-TODO...ingress-nginx-2.9.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-2.9.1.md b/charts/ingress-nginx/changelog/helm-chart-2.9.1.md new file mode 100644 index 000000000..7d4314d9c --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-2.9.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 2.9.1 + +* [#5823](https://github.com/kubernetes/ingress-nginx/pull/5823) Add quoting to sysctls because numeric values need to be presented as strings (#5823) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.9.0...ingress-nginx-2.9.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.0.0.md b/charts/ingress-nginx/changelog/helm-chart-3.0.0.md new file mode 100644 index 000000000..a7d50ee3a --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.0.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.0.0 + +* [#6167](https://github.com/kubernetes/ingress-nginx/pull/6167) Update chart requirements + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-2.16.0...ingress-nginx-3.0.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.10.0.md b/charts/ingress-nginx/changelog/helm-chart-3.10.0.md new file mode 100644 index 000000000..3369bed03 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.10.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.10.0 + +* Fix routing regression introduced in 0.41.0 with PathType Exact + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.9.0...ingress-nginx-3.10.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.10.1.md b/charts/ingress-nginx/changelog/helm-chart-3.10.1.md new file mode 100644 index 000000000..6ff682e52 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.10.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.10.1 + +* Fix regression introduced in 0.41.0 with external authentication + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.10.0...ingress-nginx-3.10.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.11.0.md b/charts/ingress-nginx/changelog/helm-chart-3.11.0.md new file mode 100644 index 000000000..69ba5506b --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.11.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.11.0 + +* Support Keda Autoscaling + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.10.1...ingress-nginx-3.11.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.11.1.md b/charts/ingress-nginx/changelog/helm-chart-3.11.1.md new file mode 100644 index 000000000..4e81f4b41 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.11.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.11.1 + +* [#6505](https://github.com/kubernetes/ingress-nginx/pull/6505) Reorder HPA resource list to work with GitOps tooling + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.11.0...ingress-nginx-3.11.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.12.0.md b/charts/ingress-nginx/changelog/helm-chart-3.12.0.md new file mode 100644 index 000000000..41b9744de --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.12.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.12.0 + +* [#6514](https://github.com/kubernetes/ingress-nginx/pull/6514) Remove helm2 support and update docs + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.11.1...ingress-nginx-3.12.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.13.0.md b/charts/ingress-nginx/changelog/helm-chart-3.13.0.md new file mode 100644 index 000000000..0855a7913 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.13.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.13.0 + +* [#6544](https://github.com/kubernetes/ingress-nginx/pull/6544) Fix default backend HPA name variable + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.12.0...ingress-nginx-3.13.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.14.0.md b/charts/ingress-nginx/changelog/helm-chart-3.14.0.md new file mode 100644 index 000000000..e07880bf4 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.14.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.14.0 + +* [#6469](https://github.com/kubernetes/ingress-nginx/pull/6469) Allow custom service names for controller and backend + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.13.0...ingress-nginx-3.14.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.15.0.md b/charts/ingress-nginx/changelog/helm-chart-3.15.0.md new file mode 100644 index 000000000..3053a3548 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.15.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.15.0 + +* [#6586](https://github.com/kubernetes/ingress-nginx/pull/6586) Fix 'maxmindLicenseKey' location in values.yaml + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.14.0...ingress-nginx-3.15.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.15.1.md b/charts/ingress-nginx/changelog/helm-chart-3.15.1.md new file mode 100644 index 000000000..f11ee0a76 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.15.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.15.1 + +* Fix chart-releaser action + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.15.0...ingress-nginx-3.15.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.16.0.md b/charts/ingress-nginx/changelog/helm-chart-3.16.0.md new file mode 100644 index 000000000..fba30b171 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.16.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.16.0 + +* [#6646](https://github.com/kubernetes/ingress-nginx/pull/6646) Added LoadBalancerIP value for internal service + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.15.1...helm-chart-3.16.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.16.1.md b/charts/ingress-nginx/changelog/helm-chart-3.16.1.md new file mode 100644 index 000000000..650d1b8fa --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.16.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.16.1 + +* Fix chart-releaser action + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.16.0...helm-chart-3.16.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.17.0.md b/charts/ingress-nginx/changelog/helm-chart-3.17.0.md new file mode 100644 index 000000000..175c7a264 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.17.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.17.0 + +* Update ingress-nginx v0.42.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.16.1...helm-chart-3.17.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.18.0.md b/charts/ingress-nginx/changelog/helm-chart-3.18.0.md new file mode 100644 index 000000000..31b815e4e --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.18.0.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.18.0 + +* [#6688](https://github.com/kubernetes/ingress-nginx/pull/6688) Allow volume-type emptyDir in controller podsecuritypolicy +* [#6691](https://github.com/kubernetes/ingress-nginx/pull/6691) Improve parsing of helm parameters + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.17.0...helm-chart-3.18.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.19.0.md b/charts/ingress-nginx/changelog/helm-chart-3.19.0.md new file mode 100644 index 000000000..0970bf02c --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.19.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.19.0 + +* Update ingress-nginx v0.43.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.18.0...helm-chart-3.19.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.20.0.md b/charts/ingress-nginx/changelog/helm-chart-3.20.0.md new file mode 100644 index 000000000..4b81ae42f --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.20.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.20.0 + +* [#6730](https://github.com/kubernetes/ingress-nginx/pull/6730) Do not create HPA for defaultBackend if not enabled. + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.19.0...helm-chart-3.20.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.20.1.md b/charts/ingress-nginx/changelog/helm-chart-3.20.1.md new file mode 100644 index 000000000..952bf2bd3 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.20.1.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.20.1 + +* Do not create KEDA in case of DaemonSets. +* Fix KEDA v2 definition + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.20.0...helm-chart-3.20.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.21.0.md b/charts/ingress-nginx/changelog/helm-chart-3.21.0.md new file mode 100644 index 000000000..25edbefd9 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.21.0.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.21.0 + +* [#6783](https://github.com/kubernetes/ingress-nginx/pull/6783) Add custom annotations to ScaledObject +* [#6761](https://github.com/kubernetes/ingress-nginx/pull/6761) Adding quotes in the serviceAccount name in Helm values +* [#6767](https://github.com/kubernetes/ingress-nginx/pull/6767) Remove ClusterRole when scope option is enabled +* [#6785](https://github.com/kubernetes/ingress-nginx/pull/6785) Update kube-webhook-certgen image to v1.5.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.20.1...helm-chart-3.21.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.22.0.md b/charts/ingress-nginx/changelog/helm-chart-3.22.0.md new file mode 100644 index 000000000..147d66421 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.22.0.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.22.0 + +* [#6802](https://github.com/kubernetes/ingress-nginx/pull/6802) Add value for configuring a custom Diffie-Hellman parameters file +* [#6815](https://github.com/kubernetes/ingress-nginx/pull/6815) Allow use of numeric namespaces in helm chart + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.21.0...helm-chart-3.22.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.23.0.md b/charts/ingress-nginx/changelog/helm-chart-3.23.0.md new file mode 100644 index 000000000..5dcb50fa8 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.23.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.23.0 + +* Update ingress-nginx v0.44.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.22.0...helm-chart-3.23.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.24.0.md b/charts/ingress-nginx/changelog/helm-chart-3.24.0.md new file mode 100644 index 000000000..d7db808b1 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.24.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.24.0 + +* [#6908](https://github.com/kubernetes/ingress-nginx/pull/6908) Add volumes to default-backend deployment + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.23.0...helm-chart-3.24.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.25.0.md b/charts/ingress-nginx/changelog/helm-chart-3.25.0.md new file mode 100644 index 000000000..f9679a124 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.25.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.25.0 + +* [#6957](https://github.com/kubernetes/ingress-nginx/pull/6957) Add ability to specify automountServiceAccountToken + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.24.0...helm-chart-3.25.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.26.0.md b/charts/ingress-nginx/changelog/helm-chart-3.26.0.md new file mode 100644 index 000000000..0c3a1df68 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.26.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.26.0 + +* [#6979](https://github.com/kubernetes/ingress-nginx/pull/6979) Changed servicePort value for metrics + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.25.0...helm-chart-3.26.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.27.0.md b/charts/ingress-nginx/changelog/helm-chart-3.27.0.md new file mode 100644 index 000000000..8113d7b9b --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.27.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.27.0 + +* Update ingress-nginx v0.45.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.26.0...helm-chart-3.27.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.28.0.md b/charts/ingress-nginx/changelog/helm-chart-3.28.0.md new file mode 100644 index 000000000..eee0ccbec --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.28.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.28.0 + +* [#6900](https://github.com/kubernetes/ingress-nginx/pull/6900) Support existing PSPs + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.27.0...helm-chart-3.28.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.29.0.md b/charts/ingress-nginx/changelog/helm-chart-3.29.0.md new file mode 100644 index 000000000..f0fabdce1 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.29.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.29.0 + +* [#6945](https://github.com/kubernetes/ingress-nginx/pull/7020) Add option to specify job label for ServiceMonitor + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.28.0...helm-chart-3.29.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.3.0.md b/charts/ingress-nginx/changelog/helm-chart-3.3.0.md new file mode 100644 index 000000000..09fab3756 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.3.0.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.3.0 + +* [#6203](https://github.com/kubernetes/ingress-nginx/pull/6203) Refactor parsing of key values +* [#6162](https://github.com/kubernetes/ingress-nginx/pull/6162) Add helm chart options to expose metrics service as NodePort +* [#6180](https://github.com/kubernetes/ingress-nginx/pull/6180) Fix helm chart admissionReviewVersions regression +* [#6169](https://github.com/kubernetes/ingress-nginx/pull/6169) Fix Typo in example prometheus rules + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.0.0...ingress-nginx-3.3.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.3.1.md b/charts/ingress-nginx/changelog/helm-chart-3.3.1.md new file mode 100644 index 000000000..81f44fdbd --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.3.1.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.3.1 + +* [#6259](https://github.com/kubernetes/ingress-nginx/pull/6259) Release helm chart +* [#6258](https://github.com/kubernetes/ingress-nginx/pull/6258) Fix chart markdown link +* [#6253](https://github.com/kubernetes/ingress-nginx/pull/6253) Release v0.40.0 +* [#6233](https://github.com/kubernetes/ingress-nginx/pull/6233) Add admission controller e2e test + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.3.0...ingress-nginx-3.3.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.30.0.md b/charts/ingress-nginx/changelog/helm-chart-3.30.0.md new file mode 100644 index 000000000..77ad6b41b --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.30.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.30.0 + +* [#7092](https://github.com/kubernetes/ingress-nginx/pull/7092) Removes the possibility of using localhost in ExternalNames as endpoints + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.29.0...helm-chart-3.30.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.31.0.md b/charts/ingress-nginx/changelog/helm-chart-3.31.0.md new file mode 100644 index 000000000..bc07fed76 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.31.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.31.0 + +* [7137] https://github.com/kubernetes/ingress-nginx/pull/7137 Add support for custom probes + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.30.0...helm-chart-3.31.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.32.0.md b/charts/ingress-nginx/changelog/helm-chart-3.32.0.md new file mode 100644 index 000000000..68f7ed6b2 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.32.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.32.0 + +* [7117] https://github.com/kubernetes/ingress-nginx/pull/7117 Add annotations for HPA + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.31.0...helm-chart-3.32.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.33.0.md b/charts/ingress-nginx/changelog/helm-chart-3.33.0.md new file mode 100644 index 000000000..b56c5fc1e --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.33.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.33.0 + +* [7164] https://github.com/kubernetes/ingress-nginx/pull/7164 Update nginx to v1.20.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.32.0...helm-chart-3.33.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.34.0.md b/charts/ingress-nginx/changelog/helm-chart-3.34.0.md new file mode 100644 index 000000000..a28cd0282 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.34.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.34.0 + +* [7256] https://github.com/kubernetes/ingress-nginx/pull/7256 Add namespace field in the namespace scoped resource templates + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.33.0...helm-chart-3.34.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.4.0.md b/charts/ingress-nginx/changelog/helm-chart-3.4.0.md new file mode 100644 index 000000000..3b4ca9353 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.4.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.4.0 + +* [#6268](https://github.com/kubernetes/ingress-nginx/pull/6268) Update to 0.40.2 in helm chart #6288 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.3.1...ingress-nginx-3.4.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.5.0.md b/charts/ingress-nginx/changelog/helm-chart-3.5.0.md new file mode 100644 index 000000000..44991b3bb --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.5.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.5.0 + +* [#6260](https://github.com/kubernetes/ingress-nginx/pull/6260) Allow Helm Chart to customize admission webhook's annotations, timeoutSeconds, namespaceSelector, objectSelector and cert files locations + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.4.0...ingress-nginx-3.5.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.5.1.md b/charts/ingress-nginx/changelog/helm-chart-3.5.1.md new file mode 100644 index 000000000..740f00c45 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.5.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.5.1 + +* [#6299](https://github.com/kubernetes/ingress-nginx/pull/6299) Fix helm chart release + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.5.0...ingress-nginx-3.5.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.6.0.md b/charts/ingress-nginx/changelog/helm-chart-3.6.0.md new file mode 100644 index 000000000..4af7f11a1 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.6.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.6.0 + +* [#6305](https://github.com/kubernetes/ingress-nginx/pull/6305) Add default linux nodeSelector + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.5.1...ingress-nginx-3.6.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.7.0.md b/charts/ingress-nginx/changelog/helm-chart-3.7.0.md new file mode 100644 index 000000000..a6b12994b --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.7.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.7.0 + +* [#6316](https://github.com/kubernetes/ingress-nginx/pull/6316) Numerals in podAnnotations in quotes [#6315](https://github.com/kubernetes/ingress-nginx/issues/6315) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.6.0...ingress-nginx-3.7.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.7.1.md b/charts/ingress-nginx/changelog/helm-chart-3.7.1.md new file mode 100644 index 000000000..6ba12df91 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.7.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.7.1 + +* [#6326](https://github.com/kubernetes/ingress-nginx/pull/6326) Fix liveness and readiness probe path in daemonset chart + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.7.0...ingress-nginx-3.7.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.8.0.md b/charts/ingress-nginx/changelog/helm-chart-3.8.0.md new file mode 100644 index 000000000..8df250a98 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.8.0.md @@ -0,0 +1,13 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.8.0 + +* [#6395](https://github.com/kubernetes/ingress-nginx/pull/6395) Update jettech/kube-webhook-certgen image +* [#6377](https://github.com/kubernetes/ingress-nginx/pull/6377) Added loadBalancerSourceRanges for internal lbs +* [#6356](https://github.com/kubernetes/ingress-nginx/pull/6356) Add securitycontext settings on defaultbackend +* [#6401](https://github.com/kubernetes/ingress-nginx/pull/6401) Fix controller service annotations +* [#6403](https://github.com/kubernetes/ingress-nginx/pull/6403) Initial helm chart changelog + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.7.1...ingress-nginx-3.8.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-3.9.0.md b/charts/ingress-nginx/changelog/helm-chart-3.9.0.md new file mode 100644 index 000000000..e8c9def51 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-3.9.0.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 3.9.0 + +* [#6423](https://github.com/kubernetes/ingress-nginx/pull/6423) Add Default backend HPA autoscaling + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/ingress-nginx-3.8.0...ingress-nginx-3.9.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.1.md b/charts/ingress-nginx/changelog/helm-chart-4.0.1.md new file mode 100644 index 000000000..7a187b350 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.1 + +* [7535] https://github.com/kubernetes/ingress-nginx/pull/7535 Release v1.0.0 ingress-nginx + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-3.34.0...helm-chart-4.0.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.10.md b/charts/ingress-nginx/changelog/helm-chart-4.0.10.md new file mode 100644 index 000000000..c5d651670 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.10.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.10 + +* [7964] https://github.com/kubernetes/ingress-nginx/pull/7964 Update controller version to v1.1.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.9...helm-chart-4.0.10 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.11.md b/charts/ingress-nginx/changelog/helm-chart-4.0.11.md new file mode 100644 index 000000000..554182355 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.11.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.11 + +* [7873] https://github.com/kubernetes/ingress-nginx/pull/7873 Makes the [appProtocol](https://kubernetes.io/docs/concepts/services-networking/_print/#application-protocol) field optional. + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.10...helm-chart-4.0.11 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.12.md b/charts/ingress-nginx/changelog/helm-chart-4.0.12.md new file mode 100644 index 000000000..320f6f546 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.12.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.12 + +* [7978] https://github.com/kubernetes/ingress-nginx/pull/7979 Support custom annotations in admissions Jobs + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.11...helm-chart-4.0.12 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.13.md b/charts/ingress-nginx/changelog/helm-chart-4.0.13.md new file mode 100644 index 000000000..edd922814 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.13.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.13 + +* [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.12...helm-chart-4.0.13 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.14.md b/charts/ingress-nginx/changelog/helm-chart-4.0.14.md new file mode 100644 index 000000000..e92701039 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.14.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.14 + +* [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 Using helm-docs to populate values table in README.md + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.13...helm-chart-4.0.14 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.15.md b/charts/ingress-nginx/changelog/helm-chart-4.0.15.md new file mode 100644 index 000000000..d3d14a98d --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.15.md @@ -0,0 +1,43 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.15 + +* [8120] https://github.com/kubernetes/ingress-nginx/pull/8120 Update go in runner and release v1.1.1 +* [8119] https://github.com/kubernetes/ingress-nginx/pull/8119 Update to go v1.17.6 +* [8118] https://github.com/kubernetes/ingress-nginx/pull/8118 Remove deprecated libraries, update other libs +* [8117] https://github.com/kubernetes/ingress-nginx/pull/8117 Fix codegen errors +* [8115] https://github.com/kubernetes/ingress-nginx/pull/8115 chart/ghaction: set the correct permission to have access to push a release +* [8098] https://github.com/kubernetes/ingress-nginx/pull/8098 generating SHA for CA only certs in backend_ssl.go + comparison of P… +* [8088] https://github.com/kubernetes/ingress-nginx/pull/8088 Fix Edit this page link to use main branch +* [8072] https://github.com/kubernetes/ingress-nginx/pull/8072 Expose GeoIP2 Continent code as variable +* [8061] https://github.com/kubernetes/ingress-nginx/pull/8061 docs(charts): using helm-docs for chart +* [8058] https://github.com/kubernetes/ingress-nginx/pull/8058 Bump github.com/spf13/cobra from 1.2.1 to 1.3.0 +* [8054] https://github.com/kubernetes/ingress-nginx/pull/8054 Bump google.golang.org/grpc from 1.41.0 to 1.43.0 +* [8051] https://github.com/kubernetes/ingress-nginx/pull/8051 align bug report with feature request regarding kind documentation +* [8046] https://github.com/kubernetes/ingress-nginx/pull/8046 Report expired certificates (#8045) +* [8044] https://github.com/kubernetes/ingress-nginx/pull/8044 remove G109 check till gosec resolves issues +* [8042] https://github.com/kubernetes/ingress-nginx/pull/8042 docs_multiple_instances_one_cluster_ticket_7543 +* [8041] https://github.com/kubernetes/ingress-nginx/pull/8041 docs: fix typo'd executable name +* [8035] https://github.com/kubernetes/ingress-nginx/pull/8035 Comment busy owners +* [8029] https://github.com/kubernetes/ingress-nginx/pull/8029 Add stream-snippet as a ConfigMap and Annotation option +* [8023] https://github.com/kubernetes/ingress-nginx/pull/8023 fix nginx compilation flags +* [8021] https://github.com/kubernetes/ingress-nginx/pull/8021 Disable default modsecurity_rules_file if modsecurity-snippet is specified +* [8019] https://github.com/kubernetes/ingress-nginx/pull/8019 Revise main documentation page +* [8018] https://github.com/kubernetes/ingress-nginx/pull/8018 Preserve order of plugin invocation +* [8015] https://github.com/kubernetes/ingress-nginx/pull/8015 Add newline indenting to admission webhook annotations +* [8014] https://github.com/kubernetes/ingress-nginx/pull/8014 Add link to example error page manifest in docs +* [8009] https://github.com/kubernetes/ingress-nginx/pull/8009 Fix spelling in documentation and top-level files +* [8008] https://github.com/kubernetes/ingress-nginx/pull/8008 Add relabelings in controller-servicemonitor.yaml +* [8003] https://github.com/kubernetes/ingress-nginx/pull/8003 Minor improvements (formatting, consistency) in install guide +* [8001] https://github.com/kubernetes/ingress-nginx/pull/8001 fix: go-grpc Dockerfile +* [7999] https://github.com/kubernetes/ingress-nginx/pull/7999 images: use k8s-staging-test-infra/gcb-docker-gcloud +* [7996] https://github.com/kubernetes/ingress-nginx/pull/7996 doc: improvement +* [7983] https://github.com/kubernetes/ingress-nginx/pull/7983 Fix a couple of misspellings in the annotations documentation. +* [7979] https://github.com/kubernetes/ingress-nginx/pull/7979 allow set annotations for admission Jobs +* [7977] https://github.com/kubernetes/ingress-nginx/pull/7977 Add ssl_reject_handshake to default server +* [7975] https://github.com/kubernetes/ingress-nginx/pull/7975 add legacy version update v0.50.0 to main changelog +* [7972] https://github.com/kubernetes/ingress-nginx/pull/7972 updated service upstream definition + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.14...helm-chart-4.0.15 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.18.md b/charts/ingress-nginx/changelog/helm-chart-4.0.18.md new file mode 100644 index 000000000..30a8f75c1 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.18.md @@ -0,0 +1,40 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.18 + +* [8291](https://github.com/kubernetes/ingress-nginx/pull/8291) remove git tag env from cloud build +* [8286](https://github.com/kubernetes/ingress-nginx/pull/8286) Fix OpenTelemetry sidecar image build +* [8277](https://github.com/kubernetes/ingress-nginx/pull/8277) Add OpenSSF Best practices badge +* [8273](https://github.com/kubernetes/ingress-nginx/pull/8273) Issue#8241 +* [8267](https://github.com/kubernetes/ingress-nginx/pull/8267) Add fsGroup value to admission-webhooks/job-patch charts +* [8262](https://github.com/kubernetes/ingress-nginx/pull/8262) Updated confusing error +* [8256](https://github.com/kubernetes/ingress-nginx/pull/8256) fix: deny locations with invalid auth-url annotation +* [8253](https://github.com/kubernetes/ingress-nginx/pull/8253) Add a certificate info metric +* [8236](https://github.com/kubernetes/ingress-nginx/pull/8236) webhook: remove useless code. +* [8227](https://github.com/kubernetes/ingress-nginx/pull/8227) Update libraries in webhook image +* [8225](https://github.com/kubernetes/ingress-nginx/pull/8225) fix inconsistent-label-cardinality for prometheus metrics: nginx_ingress_controller_requests +* [8221](https://github.com/kubernetes/ingress-nginx/pull/8221) Do not validate ingresses with unknown ingress class in admission webhook endpoint +* [8210](https://github.com/kubernetes/ingress-nginx/pull/8210) Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.1 +* [8209](https://github.com/kubernetes/ingress-nginx/pull/8209) Bump google.golang.org/grpc from 1.43.0 to 1.44.0 +* [8204](https://github.com/kubernetes/ingress-nginx/pull/8204) Add Artifact Hub lint +* [8203](https://github.com/kubernetes/ingress-nginx/pull/8203) Fix Indentation of example and link to cert-manager tutorial +* [8201](https://github.com/kubernetes/ingress-nginx/pull/8201) feat(metrics): add path and method labels to requests countera +* [8199](https://github.com/kubernetes/ingress-nginx/pull/8199) use functional options to reduce number of methods creating an EchoDeployment +* [8196](https://github.com/kubernetes/ingress-nginx/pull/8196) docs: fix inconsistent controller annotation +* [8191](https://github.com/kubernetes/ingress-nginx/pull/8191) Using Go install for misspell +* [8186](https://github.com/kubernetes/ingress-nginx/pull/8186) prometheus+grafana using servicemonitor +* [8185](https://github.com/kubernetes/ingress-nginx/pull/8185) Append elements on match, instead of removing for cors-annotations +* [8179](https://github.com/kubernetes/ingress-nginx/pull/8179) Bump github.com/opencontainers/runc from 1.0.3 to 1.1.0 +* [8173](https://github.com/kubernetes/ingress-nginx/pull/8173) Adding annotations to the controller service account +* [8163](https://github.com/kubernetes/ingress-nginx/pull/8163) Update the $req_id placeholder description +* [8162](https://github.com/kubernetes/ingress-nginx/pull/8162) Versioned static manifests +* [8159](https://github.com/kubernetes/ingress-nginx/pull/8159) Adding some geoip variables and default values +* [8155](https://github.com/kubernetes/ingress-nginx/pull/8155) #7271 feat: avoid-pdb-creation-when-default-backend-disabled-and-replicas-gt-1 +* [8151](https://github.com/kubernetes/ingress-nginx/pull/8151) Automatically generate helm docs +* [8143](https://github.com/kubernetes/ingress-nginx/pull/8143) Allow to configure delay before controller exits +* [8136](https://github.com/kubernetes/ingress-nginx/pull/8136) add ingressClass option to helm chart - back compatibility with ingress.class annotations +* [8126](https://github.com/kubernetes/ingress-nginx/pull/8126) Example for JWT + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.15...helm-chart-4.0.18 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.2.md b/charts/ingress-nginx/changelog/helm-chart-4.0.2.md new file mode 100644 index 000000000..9dbd003a9 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.2.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.2 + +* [7681] https://github.com/kubernetes/ingress-nginx/pull/7681 Release v1.0.1 of ingress-nginx + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.1...helm-chart-4.0.2 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.3.md b/charts/ingress-nginx/changelog/helm-chart-4.0.3.md new file mode 100644 index 000000000..09b89f66c --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.3.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.3 + +* [7707] https://github.com/kubernetes/ingress-nginx/pull/7707 Release v1.0.2 of ingress-nginx + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.2...helm-chart-4.0.3 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.5.md b/charts/ingress-nginx/changelog/helm-chart-4.0.5.md new file mode 100644 index 000000000..be67704ba --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.5.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.5 + +* [7740] https://github.com/kubernetes/ingress-nginx/pull/7740 Release v1.0.3 of ingress-nginx + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.3...helm-chart-4.0.5 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.6.md b/charts/ingress-nginx/changelog/helm-chart-4.0.6.md new file mode 100644 index 000000000..25276e2be --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.6.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.6 + +* [7804] https://github.com/kubernetes/ingress-nginx/pull/7804 Release v1.0.4 of ingress-nginx +* [7651] https://github.com/kubernetes/ingress-nginx/pull/7651 Support ipFamilyPolicy and ipFamilies fields in Helm Chart +* [7798] https://github.com/kubernetes/ingress-nginx/pull/7798 Exoscale: use HTTP Healthcheck mode +* [7793] https://github.com/kubernetes/ingress-nginx/pull/7793 Update kube-webhook-certgen to v1.1.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.5...helm-chart-4.0.6 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.7.md b/charts/ingress-nginx/changelog/helm-chart-4.0.7.md new file mode 100644 index 000000000..50fd9227c --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.7.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.7 + +* [7923] https://github.com/kubernetes/ingress-nginx/pull/7923 Release v1.0.5 of ingress-nginx +* [7806] https://github.com/kubernetes/ingress-nginx/pull/7806 Choice option for internal/external loadbalancer type service + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.6...helm-chart-4.0.7 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.0.9.md b/charts/ingress-nginx/changelog/helm-chart-4.0.9.md new file mode 100644 index 000000000..f2f725c93 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.0.9.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.0.9 + +* [6992] https://github.com/kubernetes/ingress-nginx/pull/6992 Add ability to specify labels for all resources + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.7...helm-chart-4.0.9 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.1.0.md b/charts/ingress-nginx/changelog/helm-chart-4.1.0.md new file mode 100644 index 000000000..24aaf49ae --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.1.0.md @@ -0,0 +1,21 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.1.0 + +* [8481](https://github.com/kubernetes/ingress-nginx/pull/8481) Fix log creation in chroot script +* [8479](https://github.com/kubernetes/ingress-nginx/pull/8479) changed nginx base img tag to img built with alpine3.14.6 +* [8478](https://github.com/kubernetes/ingress-nginx/pull/8478) update base images and protobuf gomod +* [8468](https://github.com/kubernetes/ingress-nginx/pull/8468) Fallback to ngx.var.scheme for redirectScheme with use-forward-headers when X-Forwarded-Proto is empty +* [8456](https://github.com/kubernetes/ingress-nginx/pull/8456) Implement object deep inspector +* [8455](https://github.com/kubernetes/ingress-nginx/pull/8455) Update dependencies +* [8454](https://github.com/kubernetes/ingress-nginx/pull/8454) Update index.md +* [8447](https://github.com/kubernetes/ingress-nginx/pull/8447) typo fixing +* [8446](https://github.com/kubernetes/ingress-nginx/pull/8446) Fix suggested annotation-value-word-blocklist +* [8444](https://github.com/kubernetes/ingress-nginx/pull/8444) replace deprecated topology key in example with current one +* [8443](https://github.com/kubernetes/ingress-nginx/pull/8443) Add dependency review enforcement +* [8434](https://github.com/kubernetes/ingress-nginx/pull/8434) added new auth-tls-match-cn annotation +* [8426](https://github.com/kubernetes/ingress-nginx/pull/8426) Bump github.com/prometheus/common from 0.32.1 to 0.33.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.0.18...helm-chart-4.1.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.1.2.md b/charts/ingress-nginx/changelog/helm-chart-4.1.2.md new file mode 100644 index 000000000..0a1d80cf1 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.1.2.md @@ -0,0 +1,11 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.1.2 + +* [8587](https://github.com/kubernetes/ingress-nginx/pull/8587) Add CAP_SYS_CHROOT to DS/PSP when needed +* [8458](https://github.com/kubernetes/ingress-nginx/pull/8458) Add portNamePreffix Helm chart parameter +* [8522](https://github.com/kubernetes/ingress-nginx/pull/8522) Add documentation for controller.service.loadBalancerIP in Helm chart + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.1.0...helm-chart-4.1.2 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.2.0.md b/charts/ingress-nginx/changelog/helm-chart-4.2.0.md new file mode 100644 index 000000000..2074a0953 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.2.0.md @@ -0,0 +1,47 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.2.0 + +* Support for Kubernetes v1.19.0 was removed +* [8810](https://github.com/kubernetes/ingress-nginx/pull/8810) Prepare for v1.3.0 +* [8808](https://github.com/kubernetes/ingress-nginx/pull/8808) revert arch var name +* [8805](https://github.com/kubernetes/ingress-nginx/pull/8805) Bump k8s.io/klog/v2 from 2.60.1 to 2.70.1 +* [8803](https://github.com/kubernetes/ingress-nginx/pull/8803) Update to nginx base with alpine v3.16 +* [8802](https://github.com/kubernetes/ingress-nginx/pull/8802) chore: start v1.3.0 release process +* [8798](https://github.com/kubernetes/ingress-nginx/pull/8798) Add v1.24.0 to test matrix +* [8796](https://github.com/kubernetes/ingress-nginx/pull/8796) fix: add MAC_OS variable for static-check +* [8793](https://github.com/kubernetes/ingress-nginx/pull/8793) changed to alpine-v3.16 +* [8781](https://github.com/kubernetes/ingress-nginx/pull/8781) Bump github.com/stretchr/testify from 1.7.5 to 1.8.0 +* [8778](https://github.com/kubernetes/ingress-nginx/pull/8778) chore: remove stable.txt from release process +* [8775](https://github.com/kubernetes/ingress-nginx/pull/8775) Remove stable +* [8773](https://github.com/kubernetes/ingress-nginx/pull/8773) Bump github/codeql-action from 2.1.14 to 2.1.15 +* [8772](https://github.com/kubernetes/ingress-nginx/pull/8772) Bump ossf/scorecard-action from 1.1.1 to 1.1.2 +* [8771](https://github.com/kubernetes/ingress-nginx/pull/8771) fix bullet md format +* [8770](https://github.com/kubernetes/ingress-nginx/pull/8770) Add condition for monitoring.coreos.com/v1 API +* [8769](https://github.com/kubernetes/ingress-nginx/pull/8769) Fix typos and add links to developer guide +* [8767](https://github.com/kubernetes/ingress-nginx/pull/8767) change v1.2.0 to v1.2.1 in deploy doc URLs +* [8765](https://github.com/kubernetes/ingress-nginx/pull/8765) Bump github/codeql-action from 1.0.26 to 2.1.14 +* [8752](https://github.com/kubernetes/ingress-nginx/pull/8752) Bump github.com/spf13/cobra from 1.4.0 to 1.5.0 +* [8751](https://github.com/kubernetes/ingress-nginx/pull/8751) Bump github.com/stretchr/testify from 1.7.2 to 1.7.5 +* [8750](https://github.com/kubernetes/ingress-nginx/pull/8750) added announcement +* [8740](https://github.com/kubernetes/ingress-nginx/pull/8740) change sha e2etestrunner and echoserver +* [8738](https://github.com/kubernetes/ingress-nginx/pull/8738) Update docs to make it easier for noobs to follow step by step +* [8737](https://github.com/kubernetes/ingress-nginx/pull/8737) updated baseimage sha +* [8736](https://github.com/kubernetes/ingress-nginx/pull/8736) set ld-musl-path +* [8733](https://github.com/kubernetes/ingress-nginx/pull/8733) feat: migrate leaderelection lock to leases +* [8726](https://github.com/kubernetes/ingress-nginx/pull/8726) prometheus metric: upstream_latency_seconds +* [8720](https://github.com/kubernetes/ingress-nginx/pull/8720) Ci pin deps +* [8719](https://github.com/kubernetes/ingress-nginx/pull/8719) Working OpenTelemetry sidecar (base nginx image) +* [8714](https://github.com/kubernetes/ingress-nginx/pull/8714) Create Openssf scorecard +* [8708](https://github.com/kubernetes/ingress-nginx/pull/8708) Bump github.com/prometheus/common from 0.34.0 to 0.35.0 +* [8703](https://github.com/kubernetes/ingress-nginx/pull/8703) Bump actions/dependency-review-action from 1 to 2 +* [8701](https://github.com/kubernetes/ingress-nginx/pull/8701) Fix several typos +* [8699](https://github.com/kubernetes/ingress-nginx/pull/8699) fix the gosec test and a make target for it +* [8698](https://github.com/kubernetes/ingress-nginx/pull/8698) Bump actions/upload-artifact from 2.3.1 to 3.1.0 +* [8697](https://github.com/kubernetes/ingress-nginx/pull/8697) Bump actions/setup-go from 2.2.0 to 3.2.0 +* [8695](https://github.com/kubernetes/ingress-nginx/pull/8695) Bump actions/download-artifact from 2 to 3 +* [8694](https://github.com/kubernetes/ingress-nginx/pull/8694) Bump crazy-max/ghaction-docker-buildx from 1.6.2 to 3.3.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.1.2...helm-chart-4.2.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.2.1.md b/charts/ingress-nginx/changelog/helm-chart-4.2.1.md new file mode 100644 index 000000000..7965bb1c2 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.2.1.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.2.1 + +* The sha of kube-webhook-certgen image & the opentelemetry image, in values file, was changed to new images built on alpine-v3.16.1 +* [8896](https://github.com/kubernetes/ingress-nginx/pull/8896) updated to new images built today + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.2.0...helm-chart-4.2.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.3.0.md b/charts/ingress-nginx/changelog/helm-chart-4.3.0.md new file mode 100644 index 000000000..f9dca22d9 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.3.0.md @@ -0,0 +1,14 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.3.0 + +* Support for Kubernetes v.1.25.0 was added and support for endpoint slices +* Support for Kubernetes v1.20.0 and v1.21.0 was removed +* [8890](https://github.com/kubernetes/ingress-nginx/pull/8890) migrate to endpointslices +* [9059](https://github.com/kubernetes/ingress-nginx/pull/9059) kubewebhookcertgen sha change after go1191 +* [9046](https://github.com/kubernetes/ingress-nginx/pull/9046) Parameterize metrics port name +* [9104](https://github.com/kubernetes/ingress-nginx/pull/9104) Fix yaml formatting error with multiple annotations + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.2.1...helm-chart-4.3.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.4.0.md b/charts/ingress-nginx/changelog/helm-chart-4.4.0.md new file mode 100644 index 000000000..20f9e2336 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.4.0.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.4.0 + +* Adding support for disabling liveness and readiness probes to the Helm chart by @njegosrailic in https://github.com/kubernetes/ingress-nginx/pull/9238 +* add:(admission-webhooks) ability to set securityContext by @ybelMekk in https://github.com/kubernetes/ingress-nginx/pull/9186 +* #7652 - Updated Helm chart to use the fullname for the electionID if not specified. by @FutureMatt in https://github.com/kubernetes/ingress-nginx/pull/9133 +* Rename controller-wehbooks-networkpolicy.yaml. by @Gacko in https://github.com/kubernetes/ingress-nginx/pull/9123 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.3.0...helm-chart-4.4.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.5.2.md b/charts/ingress-nginx/changelog/helm-chart-4.5.2.md new file mode 100644 index 000000000..b6d8a3b0c --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.5.2.md @@ -0,0 +1,13 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.5.2 + +* add lint on chart before release (#9570) +* ci: remove setup-helm step (#9404) +* feat(helm): Optionally use cert-manager instead admission patch (#9279) +* run helm release on main only and when the chart/value changes only (#9290) +* Update Ingress-Nginx version controller-v1.6.4 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.4.3...helm-chart-4.5.2 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.6.0.md b/charts/ingress-nginx/changelog/helm-chart-4.6.0.md new file mode 100644 index 000000000..469aaba8c --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.6.0.md @@ -0,0 +1,24 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.5.3 + +* docs(helm): fix value key in readme for enabling certManager (#9640) +* Upgrade alpine 3.17.2 +* Upgrade golang 1.20 +* Drop testing/support for Kubernetes 1.23 +* docs(helm): fix value key in readme for enabling certManager (#9640) +* Update Ingress-Nginx version controller-v1.7.0 +* feat: OpenTelemetry module integration (#9062) +* canary-weight-total annotation ignored in rule backends (#9729) +* fix controller psp's volume config (#9740) +* Fix several Helm YAML issues with extraModules and extraInitContainers (#9709) +* Chart: Drop `controller.headers`, rework DH param secret. (#9659) +* Deployment/DaemonSet: Label pods using `ingress-nginx.labels`. (#9732) +* HPA: autoscaling/v2beta1 deprecated, bump apiVersion to v2 for defaultBackend (#9731) +* Fix incorrect annotation name in upstream hashing configuration (#9617) + +* Update Ingress-Nginx version controller-v1.7.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.5.2...helm-chart-4.6.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.6.1.md b/charts/ingress-nginx/changelog/helm-chart-4.6.1.md new file mode 100644 index 000000000..57d99b8db --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.6.1.md @@ -0,0 +1,11 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.6.1 + +* [helm] Support custom port configuration for internal service (#9846) +* Adding resource type to default HPA configuration to resolve issues with Terraform helm chart usage (#9803) +* Update Ingress-Nginx version controller-v1.7.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.0...helm-chart-4.6.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.7.0.md b/charts/ingress-nginx/changelog/helm-chart-4.7.0.md new file mode 100644 index 000000000..7399da777 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.7.0.md @@ -0,0 +1,14 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.7.0 + +* helm: Fix opentelemetry module installation for daemonset (#9792) +* Update charts/* to keep project name display aligned (#9931) +* HPA: Use capabilites & align manifests. (#9521) +* PodDisruptionBudget spec logic update (#9904) +* add option for annotations in PodDisruptionBudget (#9843) +* Update Ingress-Nginx version controller-v1.8.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.6.1...helm-chart-4.7.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.7.1.md b/charts/ingress-nginx/changelog/helm-chart-4.7.1.md new file mode 100644 index 000000000..4d69a7117 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.7.1.md @@ -0,0 +1,12 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.7.1 + +* Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406) +* feat(helm): Add loadBalancerClass (#9562) +* added helmshowvalues example (#10019) +* Update Ingress-Nginx version controller-v1.8.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.0...helm-chart-4.7.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.7.2.md b/charts/ingress-nginx/changelog/helm-chart-4.7.2.md new file mode 100644 index 000000000..57b17b982 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.7.2.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.7.2 + +* Update Ingress-Nginx version controller-v1.8.2 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.1...helm-chart-4.7.2 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.0-beta.0.md b/charts/ingress-nginx/changelog/helm-chart-4.8.0-beta.0.md new file mode 100644 index 000000000..9072a75b4 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.8.0-beta.0.md @@ -0,0 +1,13 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.0-beta.0 + +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* [helm] configure allow to configure hostAliases (#10180) +* [helm] pass service annotations through helm tpl engine (#10084) +* Update Ingress-Nginx version controller-v1.9.0-beta.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0-beta.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.0.md b/charts/ingress-nginx/changelog/helm-chart-4.8.0.md new file mode 100644 index 000000000..af8f1241f --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.8.0.md @@ -0,0 +1,13 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.0 + +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* [helm] configure allow to configure hostAliases (#10180) +* [helm] pass service annotations through helm tpl engine (#10084) +* Update Ingress-Nginx version controller-v1.9.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.1.md b/charts/ingress-nginx/changelog/helm-chart-4.8.1.md new file mode 100644 index 000000000..53a4493de --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.8.1.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.1 + +* Update Ingress-Nginx version controller-v1.9.1 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.0...helm-chart-4.8.1 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.2.md b/charts/ingress-nginx/changelog/helm-chart-4.8.2.md new file mode 100644 index 000000000..9957c1a85 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.8.2.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.2 + +* update nginx base, httpbun, e2e, helm webhook cert gen (#10506) +* Update Ingress-Nginx version controller-v1.9.3 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.1...helm-chart-4.8.2 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.8.3.md b/charts/ingress-nginx/changelog/helm-chart-4.8.3.md new file mode 100644 index 000000000..b8d4d56b3 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.8.3.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.3 + +* Update Ingress-Nginx version controller-v1.9.4 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.2...helm-chart-4.8.3 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.9.0.md b/charts/ingress-nginx/changelog/helm-chart-4.9.0.md new file mode 100644 index 000000000..5c7729866 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.9.0.md @@ -0,0 +1,13 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.9.0 + +* - "Add controller.metrics.serviceMonitor.annotations in Helm chart" +* - "fix(labels): use complete labels variable on default-backend deployment" +* - "chart: allow setting allocateLoadBalancerNodePorts (#10693)" +* - "[release-1.9] feat(helm): add documentation about metric args (#10695)" +* - "Update Ingress-Nginx version controller-v1.9.5" + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.8.3...helm-chart-4.9.0 diff --git a/charts/ingress-nginx/changelog/helm-chart-4.9.1.md b/charts/ingress-nginx/changelog/helm-chart-4.9.1.md new file mode 100644 index 000000000..c6120e736 --- /dev/null +++ b/charts/ingress-nginx/changelog/helm-chart-4.9.1.md @@ -0,0 +1,10 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.9.1 + +* - "update web hook cert gen to latest release v20231226-1a7112e06" +* - "Update Ingress-Nginx version controller-v1.9.6" + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.9.0...helm-chart-4.9.1 diff --git a/charts/ingress-nginx/changelog.md.gotmpl b/charts/ingress-nginx/changelog/helm-chart.md.gotmpl similarity index 83% rename from charts/ingress-nginx/changelog.md.gotmpl rename to charts/ingress-nginx/changelog/helm-chart.md.gotmpl index de9885670..ef5add55d 100644 --- a/charts/ingress-nginx/changelog.md.gotmpl +++ b/charts/ingress-nginx/changelog/helm-chart.md.gotmpl @@ -2,8 +2,10 @@ This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). -### {{ .NewHelmChartVersion }} +### {{ .NewHelmChartVersion }} {{ with .HelmUpdates }} -{{ range . }}* {{ . }} -{{ end }}{{ end }} +{{- range . }} +* {{ . }} +{{- end }} +{{ end }} **Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-{{ .PreviousHelmChartVersion }}...helm-chart-{{ .NewHelmChartVersion }} diff --git a/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/charts/ingress-nginx/ci/daemonset-extra-modules.yaml index f299dbf1c..52a32fcbd 100644 --- a/charts/ingress-nginx/ci/daemonset-extra-modules.yaml +++ b/charts/ingress-nginx/ci/daemonset-extra-modules.yaml @@ -7,4 +7,7 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest diff --git a/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml index 2310c344e..91b1b98a8 100644 --- a/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml +++ b/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml @@ -9,4 +9,7 @@ controller: allowPrivilegeEscalation: false extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest diff --git a/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml index bd2f011cc..b6013c7d0 100644 --- a/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml +++ b/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml @@ -7,6 +7,9 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest containerSecurityContext: allowPrivilegeEscalation: false diff --git a/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/charts/ingress-nginx/ci/deployment-extra-modules.yaml index ec5923548..2fbe1cc01 100644 --- a/charts/ingress-nginx/ci/deployment-extra-modules.yaml +++ b/charts/ingress-nginx/ci/deployment-extra-modules.yaml @@ -7,4 +7,7 @@ controller: type: ClusterIP extraModules: - name: opentelemetry - image: busybox + image: + registry: registry.k8s.io + image: busybox + tag: latest diff --git a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml index fd8df8de5..663ccb9d1 100644 --- a/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml +++ b/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml @@ -11,3 +11,9 @@ controller: enabled: true annotations: service.beta.kubernetes.io/aws-load-balancer-internal: "true" + ports: + http: 443 + https: 80 + targetPorts: + http: 443 + https: 80 diff --git a/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml b/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml new file mode 100644 index 000000000..fb3ef4446 --- /dev/null +++ b/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml @@ -0,0 +1,9 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + service: + type: ClusterIP + opentelemetry: + enabled: true diff --git a/charts/ingress-nginx/templates/NOTES.txt b/charts/ingress-nginx/templates/NOTES.txt index 8985c56c0..f4923007e 100644 --- a/charts/ingress-nginx/templates/NOTES.txt +++ b/charts/ingress-nginx/templates/NOTES.txt @@ -6,24 +6,24 @@ Get the application URL by running these commands: {{- if (not (empty .Values.controller.service.nodePorts.http)) }} export HTTP_NODE_PORT={{ .Values.controller.service.nodePorts.http }} {{- else }} - export HTTP_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[0].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) + export HTTP_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[0].nodePort}") {{- end }} {{- if (not (empty .Values.controller.service.nodePorts.https)) }} export HTTPS_NODE_PORT={{ .Values.controller.service.nodePorts.https }} {{- else }} - export HTTPS_NODE_PORT=$(kubectl --namespace {{ .Release.Namespace }} get services -o jsonpath="{.spec.ports[1].nodePort}" {{ include "ingress-nginx.controller.fullname" . }}) + export HTTPS_NODE_PORT=$(kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output jsonpath="{.spec.ports[1].nodePort}") {{- end }} - export NODE_IP=$(kubectl --namespace {{ .Release.Namespace }} get nodes -o jsonpath="{.items[0].status.addresses[1].address}") + export NODE_IP="$(kubectl get nodes --output jsonpath="{.items[0].status.addresses[1].address}")" - echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP." - echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS." + echo "Visit http://${NODE_IP}:${HTTP_NODE_PORT} to access your application via HTTP." + echo "Visit https://${NODE_IP}:${HTTPS_NODE_PORT} to access your application via HTTPS." {{- else if contains "LoadBalancer" .Values.controller.service.type }} -It may take a few minutes for the LoadBalancer IP to be available. -You can watch the status by running 'kubectl --namespace {{ .Release.Namespace }} get services -o wide -w {{ include "ingress-nginx.controller.fullname" . }}' +It may take a few minutes for the load balancer IP to be available. +You can watch the status by running 'kubectl get service --namespace {{ include "ingress-nginx.namespace" . }} {{ include "ingress-nginx.controller.fullname" . }} --output wide --watch' {{- else if contains "ClusterIP" .Values.controller.service.type }} Get the application URL by running these commands: - export POD_NAME=$(kubectl --namespace {{ .Release.Namespace }} get pods -o jsonpath="{.items[0].metadata.name}" -l "app={{ template "ingress-nginx.name" . }},component={{ .Values.controller.name }},release={{ .Release.Name }}") - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 + export POD_NAME="$(kubectl get pods --namespace {{ include "ingress-nginx.namespace" . }} --selector app.kubernetes.io/name={{ include "ingress-nginx.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=controller --output jsonpath="{.items[0].metadata.name}")" + kubectl port-forward --namespace {{ include "ingress-nginx.namespace" . }} "${POD_NAME}" 8080:80 echo "Visit http://127.0.0.1:8080 to access your application." {{- end }} @@ -71,10 +71,3 @@ If TLS is enabled for the Ingress, a Secret containing the certificate and key m tls.crt: tls.key: type: kubernetes.io/tls - -{{- if .Values.controller.headers }} -################################################################################# -###### WARNING: `controller.headers` has been deprecated! ##### -###### It has been renamed to `controller.proxySetHeaders`. ##### -################################################################################# -{{- end }} diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index df2810b07..ba4269a6f 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -30,25 +30,40 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{- end -}} +{{/* +Expand the namespace of the release. +Allows overriding it for multi-namespace deployments in combined charts. +*/}} +{{- define "ingress-nginx.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{/* -Container SecurityContext. +Controller container security context. */}} -{{- define "controller.containerSecurityContext" -}} +{{- define "ingress-nginx.controller.containerSecurityContext" -}} {{- if .Values.controller.containerSecurityContext -}} {{- toYaml .Values.controller.containerSecurityContext -}} {{- else -}} +runAsNonRoot: {{ .Values.controller.image.runAsNonRoot }} +runAsUser: {{ .Values.controller.image.runAsUser }} +allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} +{{- if .Values.controller.image.seccompProfile }} +seccompProfile: {{ toYaml .Values.controller.image.seccompProfile | nindent 2 }} +{{- end }} capabilities: drop: - ALL add: - NET_BIND_SERVICE {{- if .Values.controller.image.chroot }} + {{- if .Values.controller.image.seccompProfile }} + - SYS_ADMIN + {{- end }} - SYS_CHROOT {{- end }} -runAsUser: {{ .Values.controller.image.runAsUser }} -allowPrivilegeEscalation: {{ .Values.controller.image.allowPrivilegeEscalation }} -{{- end }} +readOnlyRootFilesystem: {{ .Values.controller.image.readOnlyRootFilesystem }} +{{- end -}} {{- end -}} {{/* @@ -102,7 +117,6 @@ By convention this will simply use the / to match th service generated. Users can provide an override for an explicit service they want bound via `.Values.controller.publishService.pathOverride` - */}} {{- define "ingress-nginx.controller.publishServicePath" -}} {{- $defServiceName := printf "%s/%s" "$(POD_NAMESPACE)" (include "ingress-nginx.controller.fullname" .) -}} @@ -110,14 +124,6 @@ Users can provide an override for an explicit service they want bound via `.Valu {{- print $servicePath | trimSuffix "-" -}} {{- end -}} -{{/* -Create a default fully qualified default backend name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "ingress-nginx.defaultBackend.fullname" -}} -{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{/* Common labels */}} @@ -153,6 +159,38 @@ Create the name of the controller service account to use {{- end -}} {{- end -}} +{{/* +Create a default fully qualified admission webhook name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.admissionWebhooks.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified admission webhook secret creation job name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.admissionWebhooks.createSecretJob.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.createSecretJob.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified admission webhook patch job name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patchWebhookJob.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified default backend name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "ingress-nginx.defaultBackend.fullname" -}} +{{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.defaultBackend.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled */}} @@ -164,6 +202,26 @@ Create the name of the backend service account to use - only used when podsecuri {{- end -}} {{- end -}} +{{/* +Default backend container security context. +*/}} +{{- define "ingress-nginx.defaultBackend.containerSecurityContext" -}} +{{- if .Values.defaultBackend.containerSecurityContext -}} +{{- toYaml .Values.defaultBackend.containerSecurityContext -}} +{{- else -}} +runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} +runAsUser: {{ .Values.defaultBackend.image.runAsUser }} +allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} +{{- if .Values.defaultBackend.image.seccompProfile }} +seccompProfile: {{ toYaml .Values.defaultBackend.image.seccompProfile | nindent 2 }} +{{- end }} +capabilities: + drop: + - ALL +readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem }} +{{- end -}} +{{- end -}} + {{/* Return the appropriate apiGroup for PodSecurityPolicy. */}} @@ -199,19 +257,27 @@ Extra modules. */}} {{- define "extraModules" -}} - name: {{ .name }} - image: {{ .image }} - {{- if .distroless | default false }} - command: ['/init_module'] + {{- with .image }} + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} + command: + {{- if .distroless }} + - /init_module {{- else }} - command: ['sh', '-c', '/usr/local/bin/init_module.sh'] + - sh + - -c + - /usr/local/bin/init_module.sh + {{- end }} {{- end }} {{- if .containerSecurityContext }} - securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} + securityContext: {{ toYaml .containerSecurityContext | nindent 4 }} + {{- end }} + {{- if .resources }} + resources: {{ toYaml .resources | nindent 4 }} {{- end }} {{- if .resources }} resources: {{ .resources | toYaml | nindent 4 }} {{- end }} volumeMounts: - - name: {{ toYaml "modules"}} - mountPath: {{ toYaml "/modules_mount"}} -{{- end -}} \ No newline at end of file + - name: modules + mountPath: /modules_mount +{{- end -}} diff --git a/charts/ingress-nginx/templates/_params.tpl b/charts/ingress-nginx/templates/_params.tpl index 66c581fa6..47d024e85 100644 --- a/charts/ingress-nginx/templates/_params.tpl +++ b/charts/ingress-nginx/templates/_params.tpl @@ -1,5 +1,8 @@ {{- define "ingress-nginx.params" -}} - /nginx-ingress-controller +{{- if .Values.controller.enableAnnotationValidations }} +- --enable-annotation-validation=true +{{- end }} {{- if .Values.defaultBackend.enabled }} - --default-backend-service=$(POD_NAMESPACE)/{{ include "ingress-nginx.defaultBackend.fullname" . }} {{- end }} @@ -51,6 +54,9 @@ {{- if .Values.controller.watchIngressWithoutClass }} - --watch-ingress-without-class=true {{- end }} +{{- if .Values.controller.enableTopologyAwareRouting }} +- --enable-topology-aware-routing=true +{{- end }} {{- range $key, $value := .Values.controller.extraArgs }} {{- /* Accept keys without values or with false as value */}} {{- if eq ($value | quote | len) 2 }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml b/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml index 55fab471c..db2946c3d 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml @@ -6,7 +6,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: {{ include "ingress-nginx.fullname" . }}-self-signed-issuer - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: selfSigned: {} --- @@ -15,7 +15,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: {{ include "ingress-nginx.fullname" . }}-root-cert - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: secretName: {{ include "ingress-nginx.fullname" . }}-root-cert duration: {{ .Values.controller.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }} @@ -32,7 +32,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: {{ include "ingress-nginx.fullname" . }}-root-issuer - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: ca: secretName: {{ include "ingress-nginx.fullname" . }}-root-cert @@ -42,10 +42,10 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: - secretName: {{ include "ingress-nginx.fullname" . }}-admission + secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} duration: {{ .Values.controller.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }} issuerRef: {{- if .Values.controller.admissionWebhooks.certManager.issuerRef }} @@ -55,8 +55,8 @@ spec: {{- end }} dnsNames: - {{ include "ingress-nginx.controller.fullname" . }}-admission - - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }} - - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ .Release.Namespace }}.svc + - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }} + - {{ include "ingress-nginx.controller.fullname" . }}-admission.{{ include "ingress-nginx.namespace" . }}.svc subject: organizations: - ingress-nginx-admission diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index f9ec70974..8271dc404 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -21,14 +21,13 @@ rules: - get - update {{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: + - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] + resources: ['podsecuritypolicies'] + verbs: ['use'] {{- with .Values.controller.admissionWebhooks.existingPsp }} - - {{ . }} + resourceNames: [{{ . }}] {{- else }} - - {{ include "ingress-nginx.fullname" . }}-admission + resourceNames: [{{ include "ingress-nginx.admissionWebhooks.fullname" . }}] {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml index 002abd43b..3fe842d1f 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -15,9 +15,9 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace | quote }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index d93433ecd..0a21f856a 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -2,8 +2,8 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission-create - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -23,7 +23,7 @@ spec: {{- end }} template: metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission-create + name: {{ include "ingress-nginx.admissionWebhooks.createSecretJob.fullname" . }} {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} {{- end }} @@ -43,14 +43,14 @@ spec: containers: - name: create {{- with .Values.controller.admissionWebhooks.patch.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} args: - create - --host={{ include "ingress-nginx.controller.fullname" . }}-admission,{{ include "ingress-nginx.controller.fullname" . }}-admission.$(POD_NAMESPACE).svc - --namespace=$(POD_NAMESPACE) - - --secret-name={{ include "ingress-nginx.fullname" . }}-admission + - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }} env: - name: POD_NAMESPACE valueFrom: @@ -66,15 +66,14 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission + serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.controller.admissionWebhooks.patch.tolerations }} tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} {{- end }} - {{- if .Values.controller.admissionWebhooks.patch.securityContext }} - securityContext: - {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} - {{- end }} + {{- if .Values.controller.admissionWebhooks.patch.securityContext }} + securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index 0fa3ff9a2..ce9985aa5 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -2,8 +2,8 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission-patch - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -23,7 +23,7 @@ spec: {{- end }} template: metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission-patch + name: {{ include "ingress-nginx.admissionWebhooks.patchWebhookJob.fullname" . }} {{- if .Values.controller.admissionWebhooks.patch.podAnnotations }} annotations: {{ toYaml .Values.controller.admissionWebhooks.patch.podAnnotations | nindent 8 }} {{- end }} @@ -43,15 +43,15 @@ spec: containers: - name: patch {{- with .Values.controller.admissionWebhooks.patch.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.controller.admissionWebhooks.patch.image.pullPolicy }} args: - patch - - --webhook-name={{ include "ingress-nginx.fullname" . }}-admission + - --webhook-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }} - --namespace=$(POD_NAMESPACE) - --patch-mutating=false - - --secret-name={{ include "ingress-nginx.fullname" . }}-admission + - --secret-name={{ include "ingress-nginx.admissionWebhooks.fullname" . }} - --patch-failure-policy={{ .Values.controller.admissionWebhooks.failurePolicy }} env: - name: POD_NAMESPACE @@ -68,15 +68,14 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.fullname" . }}-admission + serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.controller.admissionWebhooks.patch.tolerations }} tolerations: {{ toYaml .Values.controller.admissionWebhooks.patch.tolerations | nindent 8 }} {{- end }} - {{- if .Values.controller.admissionWebhooks.patch.securityContext }} - securityContext: - {{- toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} - {{- end }} + {{- if .Values.controller.admissionWebhooks.patch.securityContext }} + securityContext: {{ toYaml .Values.controller.admissionWebhooks.patch.securityContext | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml new file mode 100644 index 000000000..a8f38df96 --- /dev/null +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.networkPolicy.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: admission-webhook + {{- with .Values.controller.admissionWebhooks.patch.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: admission-webhook + policyTypes: + - Ingress + - Egress + egress: + - {} +{{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml index e19c95572..8e5dc72ac 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/psp.yaml @@ -1,12 +1,13 @@ {{- if (semverCompare "<1.25.0-0" .Capabilities.KubeVersion.Version) }} -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.podSecurityPolicy.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} +{{- if and .Values.podSecurityPolicy.enabled .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (empty .Values.controller.admissionWebhooks.existingPsp) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: admission-webhook @@ -14,28 +15,38 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - allowPrivilegeEscalation: false + privileged: false + hostPID: false + hostIPC: false + hostNetwork: false + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected fsGroup: - ranges: - - max: 65535 - min: 1 rule: MustRunAs - requiredDropCapabilities: - - ALL + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: true runAsUser: rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL seLinux: rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml index 2aab6f4b1..5b05d9b00 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml @@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml index 60c3f4ff0..48a175566 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml @@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded @@ -16,9 +16,9 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace | quote }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml index 00be54ec5..91bbf22bb 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -2,8 +2,8 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "ingress-nginx.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded diff --git a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml index f27244dc9..4cd36a62e 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml @@ -6,8 +6,8 @@ kind: ValidatingWebhookConfiguration metadata: annotations: {{- if .Values.controller.admissionWebhooks.certManager.enabled }} - certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }} - cert-manager.io/inject-ca-from: {{ printf "%s/%s-admission" .Release.Namespace (include "ingress-nginx.fullname" .) | quote }} + certmanager.k8s.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }} + cert-manager.io/inject-ca-from: {{ printf "%s/%s" (include "ingress-nginx.namespace" .) (include "ingress-nginx.admissionWebhooks.fullname" .) | quote }} {{- end }} {{- if .Values.controller.admissionWebhooks.annotations }} {{- toYaml .Values.controller.admissionWebhooks.annotations | nindent 4 }} @@ -18,7 +18,7 @@ metadata: {{- with .Values.controller.admissionWebhooks.labels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ include "ingress-nginx.fullname" . }}-admission + name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} webhooks: - name: validate.nginx.ingress.kubernetes.io matchPolicy: Equivalent @@ -38,8 +38,8 @@ webhooks: - v1 clientConfig: service: - namespace: {{ .Release.Namespace | quote }} name: {{ include "ingress-nginx.controller.fullname" . }}-admission + namespace: {{ include "ingress-nginx.namespace" . }} path: /networking/v1/ingresses {{- if .Values.controller.admissionWebhooks.timeoutSeconds }} timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }} diff --git a/charts/ingress-nginx/templates/clusterrolebinding.yaml b/charts/ingress-nginx/templates/clusterrolebinding.yaml index acbbd8b10..8f91aac80 100644 --- a/charts/ingress-nginx/templates/clusterrolebinding.yaml +++ b/charts/ingress-nginx/templates/clusterrolebinding.yaml @@ -15,5 +15,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "ingress-nginx.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml index dfd49a126..4e4bd1310 100644 --- a/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml +++ b/charts/ingress-nginx/templates/controller-configmap-addheaders.yaml @@ -9,6 +9,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-custom-add-headers - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: {{ toYaml .Values.controller.addHeaders | nindent 2 }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml index f8d15faf9..0a22600db 100644 --- a/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml +++ b/charts/ingress-nginx/templates/controller-configmap-proxyheaders.yaml @@ -1,4 +1,4 @@ -{{- if or .Values.controller.proxySetHeaders .Values.controller.headers -}} +{{- if .Values.controller.proxySetHeaders -}} apiVersion: v1 kind: ConfigMap metadata: @@ -9,11 +9,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-custom-proxy-headers - namespace: {{ .Release.Namespace }} -data: -{{- if .Values.controller.proxySetHeaders }} -{{ toYaml .Values.controller.proxySetHeaders | indent 2 }} -{{ else if and .Values.controller.headers (not .Values.controller.proxySetHeaders) }} -{{ toYaml .Values.controller.headers | indent 2 }} -{{- end }} + namespace: {{ include "ingress-nginx.namespace" . }} +data: {{ toYaml .Values.controller.proxySetHeaders | nindent 2 }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml index 0f6088ea9..131a9ad51 100644 --- a/charts/ingress-nginx/templates/controller-configmap-tcp.yaml +++ b/charts/ingress-nginx/templates/controller-configmap-tcp.yaml @@ -12,6 +12,6 @@ metadata: annotations: {{ toYaml .Values.controller.tcp.annotations | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-tcp - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: {{ tpl (toYaml .Values.tcp) . | nindent 2 }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap-udp.yaml b/charts/ingress-nginx/templates/controller-configmap-udp.yaml index 3772ec514..7137da9ad 100644 --- a/charts/ingress-nginx/templates/controller-configmap-udp.yaml +++ b/charts/ingress-nginx/templates/controller-configmap-udp.yaml @@ -12,6 +12,6 @@ metadata: annotations: {{ toYaml .Values.controller.udp.annotations | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-udp - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: {{ tpl (toYaml .Values.udp) . | nindent 2 }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-configmap.yaml b/charts/ingress-nginx/templates/controller-configmap.yaml index f28b26e1e..662a16204 100644 --- a/charts/ingress-nginx/templates/controller-configmap.yaml +++ b/charts/ingress-nginx/templates/controller-configmap.yaml @@ -11,19 +11,18 @@ metadata: annotations: {{ toYaml .Values.controller.configAnnotations | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} data: allow-snippet-annotations: "{{ .Values.controller.allowSnippetAnnotations }}" {{- if .Values.controller.addHeaders }} - add-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers + add-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-add-headers {{- end }} -{{- if or .Values.controller.proxySetHeaders .Values.controller.headers }} - proxy-set-headers: {{ .Release.Namespace }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers +{{- if .Values.controller.proxySetHeaders }} + proxy-set-headers: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.fullname" . }}-custom-proxy-headers {{- end }} {{- if .Values.dhParam }} - ssl-dh-param: {{ printf "%s/%s" .Release.Namespace (include "ingress-nginx.controller.fullname" .) }} + ssl-dh-param: {{ include "ingress-nginx.namespace" . }}/{{ include "ingress-nginx.controller.fullname" . }} {{- end }} {{- range $key, $value := .Values.controller.config }} - {{- $key | nindent 2 }}: {{ $value | quote }} + {{- $key | nindent 2 }}: {{ $value | quote }} {{- end }} - diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index e6721566b..718e20c52 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -1,4 +1,4 @@ -{{- if or (eq .Values.controller.kind "DaemonSet") (eq .Values.controller.kind "Both") -}} +{{- if eq .Values.controller.kind "DaemonSet" -}} {{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: DaemonSet @@ -10,7 +10,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.controller.annotations }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} {{- end }} @@ -33,7 +33,7 @@ spec: {{- end }} {{- end }} labels: - {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} + {{- include "ingress-nginx.labels" . | nindent 8 }} app.kubernetes.io/component: controller {{- with .Values.controller.labels }} {{- toYaml . | nindent 8 }} @@ -45,6 +45,9 @@ spec: {{- if .Values.controller.dnsConfig }} dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} {{- end }} + {{- if .Values.controller.hostAliases }} + hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} + {{- end }} {{- if .Values.controller.hostname }} hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} {{- end }} @@ -53,20 +56,20 @@ spec: imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} {{- end }} {{- if .Values.controller.priorityClassName }} - priorityClassName: {{ .Values.controller.priorityClassName }} + priorityClassName: {{ .Values.controller.priorityClassName | quote }} {{- end }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} securityContext: - {{- end }} - {{- if .Values.controller.podSecurityContext }} + {{- if .Values.controller.podSecurityContext }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} - {{- end }} - {{- if .Values.controller.sysctls }} + {{- end }} + {{- if .Values.controller.sysctls }} sysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - name: {{ $sysctl | quote }} - value: {{ $value | quote }} - {{- end }} + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} {{- end }} {{- if .Values.controller.shareProcessNamespace }} shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} @@ -74,15 +77,14 @@ spec: containers: - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} {{- end }} - args: - {{- include "ingress-nginx.params" . | nindent 12 }} - securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }} + args: {{ include "ingress-nginx.params" . | nindent 12 }} + securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }} env: - name: POD_NAME valueFrom: @@ -143,11 +145,15 @@ spec: hostPort: {{ $key }} {{- end }} {{- end }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumeMounts: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - name: modules + {{- if .Values.controller.image.chroot }} + mountPath: /chroot/modules_mount + {{- else }} mountPath: /modules_mount + {{- end }} {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - mountPath: /etc/nginx/template @@ -167,26 +173,23 @@ spec: resources: {{ toYaml .Values.controller.resources | nindent 12 }} {{- end }} {{- if .Values.controller.extraContainers }} - {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} - - - {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules) }} + {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} initContainers: {{- if .Values.controller.extraInitContainers }} - {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} - - name: {{ .Name }} - image: {{ .Image }} - command: ['sh', '-c', '/usr/local/bin/init_module.sh'] - {{- if (or $.Values.controller.containerSecurityContext .containerSecurityContext) }} - securityContext: {{ .containerSecurityContext | default $.Values.controller.containerSecurityContext | toYaml | nindent 14 }} - {{- end }} - volumeMounts: - - name: modules - mountPath: /modules_mount + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.opentelemetry.enabled }} + {{- with .Values.controller.opentelemetry }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} {{- end }} @@ -203,13 +206,13 @@ spec: affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} {{- end }} {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} - {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules) }} + {{- if (or .Values.controller.customTemplate.configMapName .Values.controller.extraVolumeMounts .Values.controller.admissionWebhooks.enabled .Values.controller.extraVolumes .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} volumes: - {{- if .Values.controller.extraModules }} + {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled)}} - name: modules emptyDir: {} {{- end }} @@ -224,7 +227,7 @@ spec: {{- if .Values.controller.admissionWebhooks.enabled }} - name: webhook-cert secret: - secretName: {{ include "ingress-nginx.fullname" . }}-admission + secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} {{- if .Values.controller.admissionWebhooks.certManager.enabled }} items: - key: tls.crt diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index c20c3a866..5ff45585b 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -1,4 +1,4 @@ -{{- if or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both") -}} +{{- if eq .Values.controller.kind "Deployment" -}} {{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: Deployment @@ -10,7 +10,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.controller.annotations }} annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} {{- end }} @@ -19,13 +19,12 @@ spec: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller - {{- if not .Values.controller.autoscaling.enabled }} + {{- if not (or .Values.controller.autoscaling.enabled .Values.controller.keda.enabled) }} replicas: {{ .Values.controller.replicaCount }} {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- if .Values.controller.updateStrategy }} - strategy: - {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} {{- end }} minReadySeconds: {{ .Values.controller.minReadySeconds }} template: @@ -37,7 +36,7 @@ spec: {{- end }} {{- end }} labels: - {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} + {{- include "ingress-nginx.labels" . | nindent 8 }} app.kubernetes.io/component: controller {{- with .Values.controller.labels }} {{- toYaml . | nindent 8 }} @@ -49,6 +48,9 @@ spec: {{- if .Values.controller.dnsConfig }} dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} {{- end }} + {{- if .Values.controller.hostAliases }} + hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} + {{- end }} {{- if .Values.controller.hostname }} hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} {{- end }} @@ -61,16 +63,16 @@ spec: {{- end }} {{- if or .Values.controller.podSecurityContext .Values.controller.sysctls }} securityContext: - {{- end }} - {{- if .Values.controller.podSecurityContext }} + {{- if .Values.controller.podSecurityContext }} {{- toYaml .Values.controller.podSecurityContext | nindent 8 }} - {{- end }} - {{- if .Values.controller.sysctls }} + {{- end }} + {{- if .Values.controller.sysctls }} sysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - name: {{ $sysctl | quote }} - value: {{ $value | quote }} - {{- end }} + {{- range $sysctl, $value := .Values.controller.sysctls }} + - name: {{ $sysctl | quote }} + value: {{ $value | quote }} + {{- end }} + {{- end }} {{- end }} {{- if .Values.controller.shareProcessNamespace }} shareProcessNamespace: {{ .Values.controller.shareProcessNamespace }} @@ -78,15 +80,14 @@ spec: containers: - name: {{ .Values.controller.containerName }} {{- with .Values.controller.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{- end -}}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ include "ingress-nginx.image" . }}{{ end }}:{{ .tag }}{{ include "ingress-nginx.imageDigest" . }} {{- end }} imagePullPolicy: {{ .Values.controller.image.pullPolicy }} {{- if .Values.controller.lifecycle }} lifecycle: {{ toYaml .Values.controller.lifecycle | nindent 12 }} {{- end }} - args: - {{- include "ingress-nginx.params" . | nindent 12 }} - securityContext: {{ include "controller.containerSecurityContext" . | nindent 12 }} + args: {{ include "ingress-nginx.params" . | nindent 12 }} + securityContext: {{ include "ingress-nginx.controller.containerSecurityContext" . | nindent 12 }} env: - name: POD_NAME valueFrom: @@ -151,11 +152,11 @@ spec: volumeMounts: {{- if (or .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} - name: modules - {{ if .Values.controller.image.chroot }} + {{- if .Values.controller.image.chroot }} mountPath: /chroot/modules_mount - {{ else }} + {{- else }} mountPath: /modules_mount - {{ end }} + {{- end }} {{- end }} {{- if .Values.controller.customTemplate.configMapName }} - mountPath: /etc/nginx/template @@ -175,23 +176,25 @@ spec: resources: {{ toYaml .Values.controller.resources | nindent 12 }} {{- end }} {{- if .Values.controller.extraContainers }} - {{ toYaml .Values.controller.extraContainers | nindent 8 }} + {{- toYaml .Values.controller.extraContainers | nindent 8 }} {{- end }} {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled) }} initContainers: {{- if .Values.controller.extraInitContainers }} - {{ toYaml .Values.controller.extraInitContainers | nindent 8 }} + {{- toYaml .Values.controller.extraInitContainers | nindent 8 }} {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} - {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext | nindent 8) }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.controller.opentelemetry.enabled }} + {{- with .Values.controller.opentelemetry }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext "resources" .resources) | nindent 8 }} {{- end }} {{- end }} - {{- if .Values.controller.opentelemetry.enabled}} - {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "distroless" true "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} - {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} hostNetwork: {{ .Values.controller.hostNetwork }} @@ -206,7 +209,7 @@ spec: affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} {{- end }} {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} @@ -227,7 +230,7 @@ spec: {{- if .Values.controller.admissionWebhooks.enabled }} - name: webhook-cert secret: - secretName: {{ include "ingress-nginx.fullname" . }}-admission + secretName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} {{- if .Values.controller.admissionWebhooks.certManager.enabled }} items: - key: tls.crt diff --git a/charts/ingress-nginx/templates/controller-hpa.yaml b/charts/ingress-nginx/templates/controller-hpa.yaml index d1e78bdfc..ec9ad7380 100644 --- a/charts/ingress-nginx/templates/controller-hpa.yaml +++ b/charts/ingress-nginx/templates/controller-hpa.yaml @@ -1,12 +1,9 @@ -{{- if and .Values.controller.autoscaling.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} -{{- if not .Values.controller.keda.enabled }} - -apiVersion: {{ .Values.controller.autoscaling.apiVersion }} +{{- if and (eq .Values.controller.kind "Deployment") .Values.controller.autoscaling.enabled (not .Values.controller.keda.enabled) -}} +apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} kind: HorizontalPodAutoscaler metadata: - annotations: {{- with .Values.controller.autoscaling.annotations }} - {{- toYaml . | trimSuffix "\n" | nindent 4 }} + annotations: {{ toYaml . | nindent 4 }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} @@ -15,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: scaleTargetRef: apiVersion: apps/v1 @@ -48,5 +45,3 @@ spec: {{- toYaml . | nindent 4 }} {{- end }} {{- end }} -{{- end }} - diff --git a/charts/ingress-nginx/templates/controller-keda.yaml b/charts/ingress-nginx/templates/controller-keda.yaml index 875157ea4..6ff9c0b22 100644 --- a/charts/ingress-nginx/templates/controller-keda.yaml +++ b/charts/ingress-nginx/templates/controller-keda.yaml @@ -1,6 +1,4 @@ -{{- if and .Values.controller.keda.enabled (or (eq .Values.controller.kind "Deployment") (eq .Values.controller.kind "Both")) -}} -# https://keda.sh/docs/ - +{{- if and .Values.controller.keda.enabled (eq .Values.controller.kind "Deployment") -}} apiVersion: {{ .Values.controller.keda.apiVersion }} kind: ScaledObject metadata: @@ -11,6 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.controller.keda.scaledObject.annotations }} annotations: {{ toYaml .Values.controller.keda.scaledObject.annotations | nindent 4 }} {{- end }} @@ -25,6 +24,11 @@ spec: cooldownPeriod: {{ .Values.controller.keda.cooldownPeriod }} minReplicaCount: {{ .Values.controller.keda.minReplicas }} maxReplicaCount: {{ .Values.controller.keda.maxReplicas }} +{{- with .Values.controller.keda.fallback }} + fallback: + failureThreshold: {{ .failureThreshold | default 3 }} + replicas: {{ .replicas | default $.Values.controller.keda.maxReplicas }} +{{- end }} triggers: {{- with .Values.controller.keda.triggers }} {{ toYaml . | indent 2 }} diff --git a/charts/ingress-nginx/templates/controller-networkpolicy.yaml b/charts/ingress-nginx/templates/controller-networkpolicy.yaml new file mode 100644 index 000000000..e68f9916d --- /dev/null +++ b/charts/ingress-nginx/templates/controller-networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if .Values.controller.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} +spec: + podSelector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + policyTypes: + - Ingress + - Egress + ingress: + - ports: + {{- range $key, $value := .Values.controller.containerPort }} + - protocol: TCP + port: {{ $value }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + - protocol: TCP + port: {{ .Values.controller.metrics.port }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - protocol: TCP + port: {{ .Values.controller.admissionWebhooks.port }} + {{- end }} + {{- range $key, $value := .Values.tcp }} + - protocol: TCP + port: {{ $key }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - protocol: UDP + port: {{ $key }} + {{- end }} + egress: + - {} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml index 899d3cc5d..8cb7d4b97 100644 --- a/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/controller-poddisruptionbudget.yaml @@ -9,13 +9,16 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} + {{- if .Values.controller.annotations }} + annotations: {{ toYaml .Values.controller.annotations | nindent 4 }} + {{- end }} spec: selector: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller - {{- if .Values.controller.minAvailable }} + {{- if and .Values.controller.minAvailable (not (hasKey .Values.controller "maxUnavailable")) }} minAvailable: {{ .Values.controller.minAvailable }} {{- else if .Values.controller.maxUnavailable }} maxUnavailable: {{ .Values.controller.maxUnavailable }} diff --git a/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/charts/ingress-nginx/templates/controller-prometheusrules.yaml index 78b5362e8..f0b93cc8c 100644 --- a/charts/ingress-nginx/templates/controller-prometheusrules.yaml +++ b/charts/ingress-nginx/templates/controller-prometheusrules.yaml @@ -4,7 +4,9 @@ kind: PrometheusRule metadata: name: {{ include "ingress-nginx.controller.fullname" . }} {{- if .Values.controller.metrics.prometheusRule.namespace }} - namespace: {{ .Values.controller.metrics.prometheusRule.namespace | quote }} + namespace: {{ .Values.controller.metrics.prometheusRule.namespace }} +{{- else }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} diff --git a/charts/ingress-nginx/templates/controller-psp.yaml b/charts/ingress-nginx/templates/controller-psp.yaml index 2e0499ce9..aad1d2736 100644 --- a/charts/ingress-nginx/templates/controller-psp.yaml +++ b/charts/ingress-nginx/templates/controller-psp.yaml @@ -4,6 +4,8 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ include "ingress-nginx.fullname" . }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller @@ -11,84 +13,88 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - allowedCapabilities: - - NET_BIND_SERVICE - {{- if .Values.controller.image.chroot }} - - SYS_CHROOT - {{- end }} -{{- if .Values.controller.sysctls }} - allowedUnsafeSysctls: - {{- range $sysctl, $value := .Values.controller.sysctls }} - - {{ $sysctl }} - {{- end }} -{{- end }} privileged: false - allowPrivilegeEscalation: true - # Allow core volume types. - volumes: - - 'configMap' - - 'emptyDir' - #- 'projected' - - 'secret' - #- 'downwardAPI' -{{- if .Values.controller.hostNetwork }} + hostPID: false + hostIPC: false hostNetwork: {{ .Values.controller.hostNetwork }} -{{- end }} {{- if or .Values.controller.hostNetwork .Values.controller.hostPort.enabled }} hostPorts: -{{- if .Values.controller.hostNetwork }} -{{- range $key, $value := .Values.controller.containerPort }} - # {{ $key }} - - min: {{ $value }} - max: {{ $value }} + {{- if .Values.controller.hostNetwork }} + {{- range $key, $value := .Values.controller.containerPort }} + # controller.containerPort.{{ $key }} + - min: {{ $value }} + max: {{ $value }} + {{- end }} + {{- else if .Values.controller.hostPort.enabled }} + {{- range $key, $value := .Values.controller.hostPort.ports }} + # controller.hostPort.ports.{{ $key }} + - min: {{ $value }} + max: {{ $value }} + {{- end }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + # controller.metrics.port + - min: {{ .Values.controller.metrics.port }} + max: {{ .Values.controller.metrics.port }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + # controller.admissionWebhooks.port + - min: {{ .Values.controller.admissionWebhooks.port }} + max: {{ .Values.controller.admissionWebhooks.port }} + {{- end }} + {{- range $key, $value := .Values.tcp }} + # tcp.{{ $key }} + - min: {{ $key }} + max: {{ $key }} + {{- end }} + {{- range $key, $value := .Values.udp }} + # udp.{{ $key }} + - min: {{ $key }} + max: {{ $key }} + {{- end }} {{- end }} -{{- else if .Values.controller.hostPort.enabled }} -{{- range $key, $value := .Values.controller.hostPort.ports }} - # {{ $key }} - - min: {{ $value }} - max: {{ $value }} -{{- end }} -{{- end }} -{{- if .Values.controller.metrics.enabled }} - # metrics - - min: {{ .Values.controller.metrics.port }} - max: {{ .Values.controller.metrics.port }} -{{- end }} -{{- if .Values.controller.admissionWebhooks.enabled }} - # admission webhooks - - min: {{ .Values.controller.admissionWebhooks.port }} - max: {{ .Values.controller.admissionWebhooks.port }} -{{- end }} -{{- range $key, $value := .Values.tcp }} - # {{ $key }}-tcp - - min: {{ $key }} - max: {{ $key }} -{{- end }} -{{- range $key, $value := .Values.udp }} - # {{ $key }}-udp - - min: {{ $key }} - max: {{ $key }} -{{- end }} -{{- end }} - hostIPC: false - hostPID: false - runAsUser: - # Require the container to run without root privileges. - rule: 'MustRunAsNonRoot' - supplementalGroups: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected fsGroup: - rule: 'MustRunAs' + rule: MustRunAs ranges: - # Forbid adding the root group. - min: 1 max: 65535 readOnlyRootFilesystem: false + runAsUser: + rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + allowPrivilegeEscalation: {{ or .Values.controller.image.allowPrivilegeEscalation .Values.controller.image.chroot }} + requiredDropCapabilities: + - ALL + allowedCapabilities: + - NET_BIND_SERVICE + {{- if .Values.controller.image.chroot }} + {{- if .Values.controller.image.seccompProfile }} + - SYS_ADMIN + {{- end }} + - SYS_CHROOT + {{- end }} seLinux: - rule: 'RunAsAny' + rule: RunAsAny +{{- if .Values.controller.sysctls }} + allowedUnsafeSysctls: + {{- range $sysctl, $value := .Values.controller.sysctls }} + - {{ $sysctl }} + {{- end }} +{{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-role.yaml b/charts/ingress-nginx/templates/controller-role.yaml index 52e8ceb0d..c1a21f027 100644 --- a/charts/ingress-nginx/templates/controller-role.yaml +++ b/charts/ingress-nginx/templates/controller-role.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} rules: - apiGroups: - "" @@ -44,12 +44,15 @@ rules: - get - list - watch + # Omit Ingress status permissions if `--update-status` is disabled. + {{- if ne (index .Values.controller.extraArgs "update-status") "false" }} - apiGroups: - networking.k8s.io resources: - ingresses/status verbs: - update + {{- end }} - apiGroups: - networking.k8s.io resources: diff --git a/charts/ingress-nginx/templates/controller-rolebinding.yaml b/charts/ingress-nginx/templates/controller-rolebinding.yaml index e846a1183..153430aa2 100644 --- a/charts/ingress-nginx/templates/controller-rolebinding.yaml +++ b/charts/ingress-nginx/templates/controller-rolebinding.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -17,5 +17,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "ingress-nginx.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-secret.yaml b/charts/ingress-nginx/templates/controller-secret.yaml new file mode 100644 index 000000000..f20f53469 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-secret.yaml @@ -0,0 +1,15 @@ +{{- if .Values.dhParam -}} +apiVersion: v1 +kind: Secret +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} +data: + dhparam.pem: {{ .Values.dhParam }} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-service-internal.yaml b/charts/ingress-nginx/templates/controller-service-internal.yaml index aae3e155e..950eb8f05 100644 --- a/charts/ingress-nginx/templates/controller-service-internal.yaml +++ b/charts/ingress-nginx/templates/controller-service-internal.yaml @@ -1,10 +1,10 @@ -{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations}} +{{- if and .Values.controller.service.enabled .Values.controller.service.internal.enabled .Values.controller.service.internal.annotations -}} apiVersion: v1 kind: Service metadata: annotations: {{- range $key, $value := .Values.controller.service.internal.annotations }} - {{ $key }}: {{ $value | quote }} + {{ $key }}: {{ tpl ($value | toString) $ | quote }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} @@ -13,42 +13,68 @@ metadata: {{- toYaml .Values.controller.service.labels | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-internal - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: - type: "{{ .Values.controller.service.type }}" + type: {{ .Values.controller.service.internal.type | default .Values.controller.service.type }} +{{- if .Values.controller.service.internal.clusterIP }} + clusterIP: {{ .Values.controller.service.internal.clusterIP }} +{{- end }} +{{- if .Values.controller.service.internal.externalIPs }} + externalIPs: {{ toYaml .Values.controller.service.internal.externalIPs | nindent 4 }} +{{- end }} {{- if .Values.controller.service.internal.loadBalancerIP }} loadBalancerIP: {{ .Values.controller.service.internal.loadBalancerIP }} {{- end }} {{- if .Values.controller.service.internal.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{ toYaml .Values.controller.service.internal.loadBalancerSourceRanges | nindent 4 }} {{- end }} +{{- if .Values.controller.service.internal.loadBalancerClass }} + loadBalancerClass: {{ .Values.controller.service.internal.loadBalancerClass }} +{{- end }} +{{- if hasKey .Values.controller.service.internal "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.internal.allocateLoadBalancerNodePorts }} +{{- end }} {{- if .Values.controller.service.internal.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.internal.externalTrafficPolicy }} +{{- end }} +{{- if .Values.controller.service.internal.sessionAffinity }} + sessionAffinity: {{ .Values.controller.service.internal.sessionAffinity }} +{{- end }} +{{- if .Values.controller.service.internal.healthCheckNodePort }} + healthCheckNodePort: {{ .Values.controller.service.internal.healthCheckNodePort }} +{{- end }} +{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}} +{{- if .Values.controller.service.internal.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.controller.service.internal.ipFamilyPolicy }} +{{- end }} +{{- if .Values.controller.service.internal.ipFamilies }} + ipFamilies: {{ toYaml .Values.controller.service.internal.ipFamilies | nindent 4 }} +{{- end }} {{- end }} ports: {{- $setNodePorts := (or (eq .Values.controller.service.type "NodePort") (eq .Values.controller.service.type "LoadBalancer")) }} {{- if .Values.controller.service.enableHttp }} - name: http - port: {{ .Values.controller.service.ports.http }} + port: {{ .Values.controller.service.internal.ports.http | default .Values.controller.service.ports.http }} protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.http }} - {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + targetPort: {{ .Values.controller.service.internal.targetPorts.http | default .Values.controller.service.targetPorts.http }} + {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }} appProtocol: http {{- end }} - {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.http))) }} - nodePort: {{ .Values.controller.service.nodePorts.http }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.http))) }} + nodePort: {{ .Values.controller.service.internal.nodePorts.http }} {{- end }} {{- end }} {{- if .Values.controller.service.enableHttps }} - name: https - port: {{ .Values.controller.service.ports.https }} + port: {{ .Values.controller.service.internal.ports.https | default .Values.controller.service.ports.https }} protocol: TCP - targetPort: {{ .Values.controller.service.targetPorts.https }} - {{- if semverCompare ">=1.20" .Capabilities.KubeVersion.Version }} + targetPort: {{ .Values.controller.service.internal.targetPorts.https | default .Values.controller.service.targetPorts.https }} + {{- if and (semverCompare ">=1.20" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }} appProtocol: https {{- end }} - {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.https))) }} - nodePort: {{ .Values.controller.service.nodePorts.https }} + {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.https))) }} + nodePort: {{ .Values.controller.service.internal.nodePorts.https }} {{- end }} {{- end }} {{- range $key, $value := .Values.tcp }} @@ -56,9 +82,9 @@ spec: port: {{ $key }} protocol: TCP targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp - {{- if $.Values.controller.service.nodePorts.tcp }} - {{- if index $.Values.controller.service.nodePorts.tcp $key }} - nodePort: {{ index $.Values.controller.service.nodePorts.tcp $key }} + {{- if $.Values.controller.service.internal.nodePorts.tcp }} + {{- if index $.Values.controller.service.internal.nodePorts.tcp $key }} + nodePort: {{ index $.Values.controller.service.internal.nodePorts.tcp $key }} {{- end }} {{- end }} {{- end }} @@ -67,9 +93,9 @@ spec: port: {{ $key }} protocol: UDP targetPort: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-udp - {{- if $.Values.controller.service.nodePorts.udp }} - {{- if index $.Values.controller.service.nodePorts.udp $key }} - nodePort: {{ index $.Values.controller.service.nodePorts.udp $key }} + {{- if $.Values.controller.service.internal.nodePorts.udp }} + {{- if index $.Values.controller.service.internal.nodePorts.udp $key }} + nodePort: {{ index $.Values.controller.service.internal.nodePorts.udp $key }} {{- end }} {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-service-metrics.yaml b/charts/ingress-nginx/templates/controller-service-metrics.yaml index b178401c9..7c153295f 100644 --- a/charts/ingress-nginx/templates/controller-service-metrics.yaml +++ b/charts/ingress-nginx/templates/controller-service-metrics.yaml @@ -12,7 +12,7 @@ metadata: {{- toYaml .Values.controller.metrics.service.labels | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-metrics - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.metrics.service.type }} {{- if .Values.controller.metrics.service.clusterIP }} diff --git a/charts/ingress-nginx/templates/controller-service-webhook.yaml b/charts/ingress-nginx/templates/controller-service-webhook.yaml index 2aae24fcf..2d02e23aa 100644 --- a/charts/ingress-nginx/templates/controller-service-webhook.yaml +++ b/charts/ingress-nginx/templates/controller-service-webhook.yaml @@ -12,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }}-admission - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.admissionWebhooks.service.type }} {{- if .Values.controller.admissionWebhooks.service.clusterIP }} diff --git a/charts/ingress-nginx/templates/controller-service.yaml b/charts/ingress-nginx/templates/controller-service.yaml index 2b28196de..74f608536 100644 --- a/charts/ingress-nginx/templates/controller-service.yaml +++ b/charts/ingress-nginx/templates/controller-service.yaml @@ -4,7 +4,7 @@ kind: Service metadata: annotations: {{- range $key, $value := .Values.controller.service.annotations }} - {{ $key }}: {{ $value | quote }} + {{ $key }}: {{ tpl ($value | toString) $ | quote }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} @@ -13,7 +13,7 @@ metadata: {{- toYaml .Values.controller.service.labels | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.controller.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.controller.service.type }} {{- if .Values.controller.service.clusterIP }} @@ -28,6 +28,12 @@ spec: {{- if .Values.controller.service.loadBalancerSourceRanges }} loadBalancerSourceRanges: {{ toYaml .Values.controller.service.loadBalancerSourceRanges | nindent 4 }} {{- end }} +{{- if .Values.controller.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.controller.service.loadBalancerClass }} +{{- end }} +{{- if hasKey .Values.controller.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.controller.service.allocateLoadBalancerNodePorts }} +{{- end }} {{- if .Values.controller.service.externalTrafficPolicy }} externalTrafficPolicy: {{ .Values.controller.service.externalTrafficPolicy }} {{- end }} @@ -41,8 +47,6 @@ spec: {{- if .Values.controller.service.ipFamilyPolicy }} ipFamilyPolicy: {{ .Values.controller.service.ipFamilyPolicy }} {{- end }} -{{- end }} -{{- if semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version -}} {{- if .Values.controller.service.ipFamilies }} ipFamilies: {{ toYaml .Values.controller.service.ipFamilies | nindent 4 }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml index e6e776d09..df83de3d0 100644 --- a/charts/ingress-nginx/templates/controller-serviceaccount.yaml +++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml @@ -9,10 +9,9 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ template "ingress-nginx.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- if .Values.serviceAccount.annotations }} - annotations: - {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} + annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }} {{- end }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 8ab16f0b2..62301da45 100644 --- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml @@ -4,7 +4,9 @@ kind: ServiceMonitor metadata: name: {{ include "ingress-nginx.controller.fullname" . }} {{- if .Values.controller.metrics.serviceMonitor.namespace }} - namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }} + namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }} +{{- else }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} @@ -12,6 +14,9 @@ metadata: {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }} {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.annotations }} + annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }} + {{- end }} spec: endpoints: - port: {{ .Values.controller.metrics.portName }} @@ -33,7 +38,7 @@ spec: {{- else }} namespaceSelector: matchNames: - - {{ .Release.Namespace }} + - {{ include "ingress-nginx.namespace" . }} {{- end }} {{- if .Values.controller.metrics.serviceMonitor.targetLabels }} targetLabels: diff --git a/charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml b/charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml deleted file mode 100644 index f74c2fbf3..000000000 --- a/charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.controller.admissionWebhooks.enabled }} -{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }} - -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow - namespace: {{ .Release.Namespace }} -spec: - ingress: - - {} - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "ingress-nginx.name" . }} - policyTypes: - - Ingress - -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-deployment.yaml b/charts/ingress-nginx/templates/default-backend-deployment.yaml index fd3e96e9e..d342c8c35 100644 --- a/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/charts/ingress-nginx/templates/default-backend-deployment.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: selector: matchLabels: @@ -19,13 +19,18 @@ spec: replicas: {{ .Values.defaultBackend.replicaCount }} {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.defaultBackend.updateStrategy }} + strategy: + {{ toYaml .Values.defaultBackend.updateStrategy | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.defaultBackend.minReadySeconds }} template: metadata: {{- if .Values.defaultBackend.podAnnotations }} annotations: {{ toYaml .Values.defaultBackend.podAnnotations | nindent 8 }} {{- end }} labels: - {{- include "ingress-nginx.selectorLabels" . | nindent 8 }} + {{- include "ingress-nginx.labels" . | nindent 8 }} app.kubernetes.io/component: default-backend {{- with .Values.defaultBackend.labels }} {{- toYaml . | nindent 8 }} @@ -46,7 +51,7 @@ spec: containers: - name: {{ template "ingress-nginx.name" . }}-default-backend {{- with .Values.defaultBackend.image }} - image: "{{- if .repository -}}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{- end -}}:{{ .tag }}{{- if (.digest) -}} @{{.digest}} {{- end -}}" + image: {{ if .repository }}{{ .repository }}{{ else }}{{ .registry }}/{{ .image }}{{ end }}:{{ .tag }}{{ if .digest }}@{{ .digest }}{{ end }} {{- end }} imagePullPolicy: {{ .Values.defaultBackend.image.pullPolicy }} {{- if .Values.defaultBackend.extraArgs }} @@ -60,14 +65,7 @@ spec: {{- end }} {{- end }} {{- end }} - securityContext: - capabilities: - drop: - - ALL - runAsUser: {{ .Values.defaultBackend.image.runAsUser }} - runAsNonRoot: {{ .Values.defaultBackend.image.runAsNonRoot }} - allowPrivilegeEscalation: {{ .Values.defaultBackend.image.allowPrivilegeEscalation }} - readOnlyRootFilesystem: {{ .Values.defaultBackend.image.readOnlyRootFilesystem}} + securityContext: {{ include "ingress-nginx.defaultBackend.containerSecurityContext" . | nindent 12 }} {{- if .Values.defaultBackend.extraEnvs }} env: {{ toYaml .Values.defaultBackend.extraEnvs | nindent 12 }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml b/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml new file mode 100644 index 000000000..9af56cf38 --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-extra-configmaps.yaml @@ -0,0 +1,23 @@ +{{- if .Values.defaultBackend.enabled }} +{{- range .Values.defaultBackend.extraConfigMaps }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "ingress-nginx.labels" $ | nindent 4 }} + app.kubernetes.io/component: default-backend + {{- with $.Values.defaultBackend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ .name }} + namespace: {{ include "ingress-nginx.namespace" $ }} +data: + {{- with .data }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-hpa.yaml b/charts/ingress-nginx/templates/default-backend-hpa.yaml index 594d26525..699323897 100644 --- a/charts/ingress-nginx/templates/default-backend-hpa.yaml +++ b/charts/ingress-nginx/templates/default-backend-hpa.yaml @@ -1,33 +1,40 @@ {{- if and .Values.defaultBackend.enabled .Values.defaultBackend.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: {{ ternary "autoscaling/v2" "autoscaling/v2beta2" (.Capabilities.APIVersions.Has "autoscaling/v2") }} kind: HorizontalPodAutoscaler metadata: + {{- with .Values.defaultBackend.autoscaling.annotations }} + annotations: {{ toYaml . | nindent 4 }} + {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: default-backend {{- with .Values.defaultBackend.labels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ template "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ template "ingress-nginx.defaultBackend.fullname" . }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} minReplicas: {{ .Values.defaultBackend.autoscaling.minReplicas }} maxReplicas: {{ .Values.defaultBackend.autoscaling.maxReplicas }} metrics: -{{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ . }} -{{- end }} -{{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ . }} -{{- end }} + {{- with .Values.defaultBackend.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} + {{- with .Values.defaultBackend.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ . }} + {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml b/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml new file mode 100644 index 000000000..90b3c2ba0 --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml @@ -0,0 +1,25 @@ +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + {{- with .Values.defaultBackend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} + namespace: {{ include "ingress-nginx.namespace" . }} +spec: + podSelector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: default-backend + policyTypes: + - Ingress + - Egress + ingress: + - ports: + - protocol: TCP + port: {{ .Values.defaultBackend.port }} +{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index 00891cee5..f869e4530 100644 --- a/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -10,7 +10,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: selector: matchLabels: diff --git a/charts/ingress-nginx/templates/default-backend-psp.yaml b/charts/ingress-nginx/templates/default-backend-psp.yaml index c144c8fbf..424109109 100644 --- a/charts/ingress-nginx/templates/default-backend-psp.yaml +++ b/charts/ingress-nginx/templates/default-backend-psp.yaml @@ -4,6 +4,8 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: {{ include "ingress-nginx.fullname" . }}-backend + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*" labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: default-backend @@ -11,28 +13,38 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} spec: - allowPrivilegeEscalation: false + privileged: false + hostPID: false + hostIPC: false + hostNetwork: false + volumes: + - configMap + - downwardAPI + - emptyDir + - secret + - projected fsGroup: - ranges: - - max: 65535 - min: 1 rule: MustRunAs - requiredDropCapabilities: - - ALL + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: true runAsUser: rule: MustRunAsNonRoot + runAsGroup: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + supplementalGroups: + rule: MustRunAs + ranges: + - min: 1 + max: 65535 + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL seLinux: rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI {{- end }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-role.yaml b/charts/ingress-nginx/templates/default-backend-role.yaml index 1ee127d27..b8017469b 100644 --- a/charts/ingress-nginx/templates/default-backend-role.yaml +++ b/charts/ingress-nginx/templates/default-backend-role.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} rules: {{- if .Values.securityContextConstraints.enabled }} - apiGroups: [{{ template "podSecurityPolicy.apiGroup" . }}] diff --git a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml index dbaa516b9..3203b6f57 100644 --- a/charts/ingress-nginx/templates/default-backend-rolebinding.yaml +++ b/charts/ingress-nginx/templates/default-backend-rolebinding.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.fullname" . }}-backend - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -17,5 +17,5 @@ roleRef: subjects: - kind: ServiceAccount name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-service.yaml b/charts/ingress-nginx/templates/default-backend-service.yaml index 5f1d09a95..2cccd6e9e 100644 --- a/charts/ingress-nginx/templates/default-backend-service.yaml +++ b/charts/ingress-nginx/templates/default-backend-service.yaml @@ -12,7 +12,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ include "ingress-nginx.defaultBackend.fullname" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} spec: type: {{ .Values.defaultBackend.service.type }} {{- if .Values.defaultBackend.service.clusterIP }} diff --git a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml index b45a95ad2..2afaf0c04 100644 --- a/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml +++ b/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml @@ -9,6 +9,6 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "ingress-nginx.namespace" . }} automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/ingress-nginx/templates/dh-param-secret.yaml b/charts/ingress-nginx/templates/dh-param-secret.yaml deleted file mode 100644 index 12e7a4f63..000000000 --- a/charts/ingress-nginx/templates/dh-param-secret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- with .Values.dhParam -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "ingress-nginx.controller.fullname" $ }} - labels: - {{- include "ingress-nginx.labels" $ | nindent 4 }} -data: - dhparam.pem: {{ . }} -{{- end }} diff --git a/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml b/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml new file mode 100644 index 000000000..e831d50c0 --- /dev/null +++ b/charts/ingress-nginx/tests/controller-configmap-addheaders_test.yaml @@ -0,0 +1,27 @@ +suite: Controller > ConfigMap > Add Headers +templates: + - controller-configmap-addheaders.yaml + +tests: + - it: should not create a ConfigMap if `controller.addHeaders` is not set + set: + controller.addHeaders: null + asserts: + - hasDocuments: + count: 0 + + - it: should create a ConfigMap if `controller.addHeaders` is set + set: + controller.addHeaders: + X-Another-Custom-Header: Value + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-custom-add-headers + - equal: + path: data.X-Another-Custom-Header + value: Value diff --git a/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml b/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml new file mode 100644 index 000000000..0634a3739 --- /dev/null +++ b/charts/ingress-nginx/tests/controller-configmap-proxyheaders_test.yaml @@ -0,0 +1,27 @@ +suite: Controller > ConfigMap > Proxy Headers +templates: + - controller-configmap-proxyheaders.yaml + +tests: + - it: should not create a ConfigMap if `controller.proxySetHeaders` is not set + set: + controller.proxySetHeaders: null + asserts: + - hasDocuments: + count: 0 + + - it: should create a ConfigMap if `controller.proxySetHeaders` is set + set: + controller.proxySetHeaders: + X-Custom-Header: Value + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-custom-proxy-headers + - equal: + path: data.X-Custom-Header + value: Value diff --git a/charts/ingress-nginx/tests/controller-configmap_test.yaml b/charts/ingress-nginx/tests/controller-configmap_test.yaml new file mode 100644 index 000000000..038760338 --- /dev/null +++ b/charts/ingress-nginx/tests/controller-configmap_test.yaml @@ -0,0 +1,14 @@ +suite: Controller > ConfigMap +templates: + - controller-configmap.yaml + +tests: + - it: should create a ConfigMap + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller diff --git a/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/charts/ingress-nginx/tests/controller-daemonset_test.yaml new file mode 100644 index 000000000..2e85848b6 --- /dev/null +++ b/charts/ingress-nginx/tests/controller-daemonset_test.yaml @@ -0,0 +1,16 @@ +suite: Controller > DaemonSet +templates: + - controller-daemonset.yaml + +tests: + - it: should create a DaemonSet if `controller.kind` is "DaemonSet" + set: + controller.kind: DaemonSet + asserts: + - hasDocuments: + count: 1 + - isKind: + of: DaemonSet + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller diff --git a/charts/ingress-nginx/tests/controller-deployment_test.yaml b/charts/ingress-nginx/tests/controller-deployment_test.yaml new file mode 100644 index 000000000..01844612e --- /dev/null +++ b/charts/ingress-nginx/tests/controller-deployment_test.yaml @@ -0,0 +1,34 @@ +suite: Controller > Deployment +templates: + - controller-deployment.yaml + +tests: + - it: should create a Deployment + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Deployment + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should create a Deployment with 3 replicas if `controller.replicaCount` is 3 + set: + controller.replicaCount: 3 + asserts: + - equal: + path: spec.replicas + value: 3 + + - it: should create a Deployment with resource limits if `controller.resources.limits` is set + set: + controller.resources.limits.cpu: 500m + controller.resources.limits.memory: 512Mi + asserts: + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 500m + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 512Mi diff --git a/charts/ingress-nginx/tests/controller-hpa_test.yaml b/charts/ingress-nginx/tests/controller-hpa_test.yaml new file mode 100644 index 000000000..7cd668509 --- /dev/null +++ b/charts/ingress-nginx/tests/controller-hpa_test.yaml @@ -0,0 +1,17 @@ +suite: Controller > HPA +templates: + - controller-hpa.yaml + +tests: + - it: should create a HPA if `controller.kind` is "Deployment" and `controller.autoscaling.enabled` is true + set: + controller.kind: Deployment + controller.autoscaling.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: HorizontalPodAutoscaler + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller diff --git a/charts/ingress-nginx/tests/controller-keda_test.yaml b/charts/ingress-nginx/tests/controller-keda_test.yaml new file mode 100644 index 000000000..e6ca8dbfe --- /dev/null +++ b/charts/ingress-nginx/tests/controller-keda_test.yaml @@ -0,0 +1,17 @@ +suite: Controller > KEDA +templates: + - controller-keda.yaml + +tests: + - it: should create a ScaledObject if `controller.kind` is "Deployment" and `controller.keda.enabled` is true + set: + controller.kind: Deployment + controller.keda.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ScaledObject + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller diff --git a/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml b/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml new file mode 100644 index 000000000..5de12e9c4 --- /dev/null +++ b/charts/ingress-nginx/tests/controller-networkpolicy_test.yaml @@ -0,0 +1,23 @@ +suite: Controller > NetworkPolicy +templates: + - controller-networkpolicy.yaml + +tests: + - it: should not create a NetworkPolicy if `controller.networkPolicy.enabled` is false + set: + controller.networkPolicy.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a NetworkPolicy if `controller.networkPolicy.enabled` is true + set: + controller.networkPolicy.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: NetworkPolicy + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller diff --git a/charts/ingress-nginx/tests/controller-service-internal_test.yaml b/charts/ingress-nginx/tests/controller-service-internal_test.yaml new file mode 100644 index 000000000..5465e1a2b --- /dev/null +++ b/charts/ingress-nginx/tests/controller-service-internal_test.yaml @@ -0,0 +1,25 @@ +suite: Controller > Service > Internal +templates: + - controller-service-internal.yaml + +tests: + - it: should not create an internal Service if `controller.service.internal.enabled` is false + set: + controller.service.internal.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create an internal Service if `controller.service.internal.enabled` is true and `controller.service.internal.annotations` are set + set: + controller.service.internal.enabled: true + controller.service.internal.annotations: + test.annotation: "true" + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller-internal diff --git a/charts/ingress-nginx/tests/controller-service-metrics_test.yaml b/charts/ingress-nginx/tests/controller-service-metrics_test.yaml new file mode 100644 index 000000000..afdb94046 --- /dev/null +++ b/charts/ingress-nginx/tests/controller-service-metrics_test.yaml @@ -0,0 +1,23 @@ +suite: Controller > Service > Metrics +templates: + - controller-service-metrics.yaml + +tests: + - it: should not create a metrics Service if `controller.metrics.enabled` is false + set: + controller.metrics.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a metrics Service if `controller.metrics.enabled` is true + set: + controller.metrics.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller-metrics diff --git a/charts/ingress-nginx/tests/controller-service_test.yaml b/charts/ingress-nginx/tests/controller-service_test.yaml new file mode 100644 index 000000000..10574f227 --- /dev/null +++ b/charts/ingress-nginx/tests/controller-service_test.yaml @@ -0,0 +1,32 @@ +suite: Controller > Service +templates: + - controller-service.yaml + +tests: + - it: should not create a Service if `controller.service.external.enabled` is false + set: + controller.service.external.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a Service if `controller.service.external.enabled` is true + set: + controller.service.external.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should create a Service of type "NodePort" if `controller.service.external.enabled` is true and `controller.service.type` is "NodePort" + set: + controller.service.external.enabled: true + controller.service.type: NodePort + asserts: + - equal: + path: spec.type + value: NodePort diff --git a/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml b/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml new file mode 100644 index 000000000..aa600e749 --- /dev/null +++ b/charts/ingress-nginx/tests/default-backend-extra-configmaps_test.yaml @@ -0,0 +1,50 @@ +suite: Default Backend > Extra ConfigMaps +templates: + - default-backend-extra-configmaps.yaml + +tests: + - it: should not create a ConfigMap if `defaultBackend.extraConfigMaps` is empty + set: + defaultBackend.enabled: true + defaultBackend.extraConfigMaps: [] + asserts: + - hasDocuments: + count: 0 + + - it: should create one ConfigMap if `defaultBackend.extraConfigMaps` has one element + set: + defaultBackend.enabled: true + defaultBackend.extraConfigMaps: + - name: my-configmap-1 + data: + key1: value1 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - equal: + path: metadata.name + value: my-configmap-1 + - equal: + path: data.key1 + value: value1 + + - it: should create two ConfigMaps if `defaultBackend.extraConfigMaps` has two elements + set: + defaultBackend.enabled: true + defaultBackend.extraConfigMaps: + - name: my-configmap-1 + data: + key1: value1 + - name: my-configmap-2 + data: + key2: value2 + asserts: + - hasDocuments: + count: 2 + - isKind: + of: ConfigMap + - matchRegex: + path: metadata.name + pattern: my-configmap-(1|2) diff --git a/charts/ingress-nginx/tests/default-backend-service_test.yaml b/charts/ingress-nginx/tests/default-backend-service_test.yaml new file mode 100644 index 000000000..f16904f9f --- /dev/null +++ b/charts/ingress-nginx/tests/default-backend-service_test.yaml @@ -0,0 +1,32 @@ +suite: Default Backend > Service +templates: + - default-backend-service.yaml + +tests: + - it: should not create a Service if `defaultBackend.enabled` is false + set: + defaultBackend.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a Service if `defaultBackend.enabled` is true + set: + defaultBackend.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should create a Service with port 80 if `defaultBackend.service.port` is 80 + set: + defaultBackend.enabled: true + defaultBackend.service.port: 80 + asserts: + - equal: + path: spec.ports[0].port + value: 80 diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 4cf654bf4..5e76d2fb4 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -7,6 +7,8 @@ # nameOverride: # fullnameOverride: +# -- Override the deployment namespace; defaults to .Release.Namespace +namespaceOverride: "" ## Labels to apply to all resources ## commonLabels: {} @@ -24,13 +26,17 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.9.1" - digest: sha256:605a737877de78969493a4b1213b21de4ee425d2926906857b98050f57a95b25 - digestChroot: sha256:2ac744ef08850ee86ad7162451a6879f47c1a41c6a757f6b6f913c52103b8836 + tag: "v1.9.6" + digest: sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c + digestChroot: sha256:7eb46ff733429e0e46892903c7394aff149ac6d284d92b3946f3baf7ff26a096 pullPolicy: IfNotPresent + runAsNonRoot: true # www-data -> uid 101 runAsUser: 101 - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: false # -- Use an existing PSP instead of creating one existingPsp: "" # -- Configures the controller container name @@ -124,13 +130,15 @@ controller: podLabels: {} # key: value - # -- Security Context policies for controller pods + # -- Security context for controller pods podSecurityContext: {} - # -- See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls + # -- sysctls for controller pods + ## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ sysctls: {} # sysctls: # "net.core.somaxconn": "8192" - + # -- Security context for controller containers + containerSecurityContext: {} # -- Allows customization of the source of the IP address or FQDN to report # in the ingress status field. By default, it reads the information provided # by the service. If disable, the status field reports the IP address of the @@ -170,6 +178,9 @@ controller: extraArgs: {} ## extraArgs: ## default-ssl-certificate: "/" + ## time-buckets: "0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10" + ## length-buckets: "10,20,30,40,50,60,70,80,90,100" + ## size-buckets: "10,100,1000,10000,100000,1e+06,1e+07" # -- Additional environment variables to set extraEnvs: [] @@ -336,7 +347,7 @@ controller: # -- Minimum available pods set in PodDisruptionBudget. # Define either 'minAvailable' or 'maxUnavailable', never both. minAvailable: 1 - # -- Maximum unavalaile pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. # maxUnavailable: 1 ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes @@ -432,96 +443,170 @@ controller: configMapName: "" configMapKey: "" service: + # -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. enabled: true - # -- If enabled is adding an appProtocol option for Kubernetes service. An appProtocol field replacing annotations that were - # using for setting a backend protocol. Here is an example for AWS: service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # It allows choosing the protocol for each backend specified in the Kubernetes service. - # See the following GitHub issue for more details about the purpose: https://github.com/kubernetes/kubernetes/issues/40244 - # Will be ignored for Kubernetes versions older than 1.20 - ## - appProtocol: true - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. + external: + # -- Enable the external controller service or not. Useful for internal-only deployments. + enabled: true + # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service. annotations: {} + # -- Labels to be added to both controller services. labels: {} - # clusterIP: "" - - # -- List of IP addresses at which the controller services are available - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips - ## + # -- Type of the external controller service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + type: LoadBalancer + # -- Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services. + # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + clusterIP: "" + # -- List of node IP addresses at which the external controller service is available. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips externalIPs: [] - # -- Used by cloud providers to connect the resulting `LoadBalancer` to a pre-existing static IP according to https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + # -- Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer loadBalancerIP: "" + # -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. loadBalancerSourceRanges: [] - # -- Used by cloud providers to select a load balancer implementation other than the cloud provider default. https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + # -- Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class loadBalancerClass: "" - enableHttp: true - enableHttps: true - ## Set external traffic policy to: "Local" to preserve source IP on providers supporting it. - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" + # -- Enable node port allocation for the external controller service or not. Applies to type `LoadBalancer` only. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + # allocateLoadBalancerNodePorts: true - ## Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". - ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - # sessionAffinity: "" - - ## Specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, - ## the service controller allocates a port from your cluster’s NodePort range. - ## Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + externalTrafficPolicy: "" + # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". + # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity + sessionAffinity: "" + # -- Specifies the health check node port (numeric port number) for the external controller service. + # If not specified, the service controller allocates a port from your cluster's node port range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip # healthCheckNodePort: 0 - # -- Represents the dual-stack-ness requested or required by this Service. Possible values are - # SingleStack, PreferDualStack or RequireDualStack. - # The ipFamilies and clusterIPs fields depend on the value of this field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ - ipFamilyPolicy: "SingleStack" - # -- List of IP families (e.g. IPv4, IPv6) assigned to the service. This field is usually assigned automatically - # based on cluster configuration and the ipFamilyPolicy field. - ## Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/ + # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. + # Fields `ipFamilies` and `clusterIP` depend on the value of this field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: SingleStack + # -- List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services ipFamilies: - IPv4 + # -- Enable the HTTP listener on both controller services or not. + enableHttp: true + # -- Enable the HTTPS listener on both controller services or not. + enableHttps: true ports: + # -- Port the external HTTP listener is published with. http: 80 + # -- Port the external HTTPS listener is published with. https: 443 targetPorts: + # -- Port of the ingress controller the external HTTP listener is mapped to. http: http + # -- Port of the ingress controller the external HTTPS listener is mapped to. https: https - type: LoadBalancer - ## type: NodePort - ## nodePorts: - ## http: 32080 - ## https: 32443 - ## tcp: - ## 8080: 32808 + # -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + appProtocol: true nodePorts: + # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. http: "" + # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. https: "" + # -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # tcp: + # 8080: 30080 tcp: {} + # -- Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # udp: + # 53: 30053 udp: {} - external: - enabled: true internal: - # -- Enables an additional internal load balancer (besides the external one). + # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this. enabled: false - # -- Annotations are mandatory for the load balancer to come up. Varies with the cloud service. Values passed through helm tpl engine. + # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer annotations: {} - # -- Used by cloud providers to connect the resulting internal LoadBalancer to a pre-existing static IP. Make sure to add to the service the needed annotation to specify the subnet which the static IP belongs to. For instance, `networking.gke.io/internal-load-balancer-subnet` for GCP and `service.beta.kubernetes.io/aws-load-balancer-subnets` for AWS. + # -- Type of the internal controller service. + # Defaults to the value of `controller.service.type`. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + type: "" + # -- Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services. + # This value is immutable. Set once, it can not be changed without deleting and re-creating the service. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + clusterIP: "" + # -- List of node IP addresses at which the internal controller service is available. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + externalIPs: [] + # -- Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer loadBalancerIP: "" - # -- Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + # -- Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. loadBalancerSourceRanges: [] - ## Set external traffic policy to: "Local" to preserve source IP on - ## providers supporting it - ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer - # externalTrafficPolicy: "" + # -- Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + # -- Enable node port allocation for the internal controller service or not. Applies to type `LoadBalancer` only. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + # allocateLoadBalancerNodePorts: true - # -- Custom port mapping for internal service + # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + externalTrafficPolicy: "" + # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". + # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity + sessionAffinity: "" + # -- Specifies the health check node port (numeric port number) for the internal controller service. + # If not specified, the service controller allocates a port from your cluster's node port range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 + + # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack. + # Fields `ipFamilies` and `clusterIP` depend on the value of this field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: SingleStack + # -- List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field. + # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilies: + - IPv4 ports: {} - # http: 80 - # https: 443 + # -- Port the internal HTTP listener is published with. + # Defaults to the value of `controller.service.ports.http`. + # http: 80 + # -- Port the internal HTTPS listener is published with. + # Defaults to the value of `controller.service.ports.https`. + # https: 443 - # -- Custom target port mapping for internal service targetPorts: {} - # http: http - # https: https + # -- Port of the ingress controller the internal HTTP listener is mapped to. + # Defaults to the value of `controller.service.targetPorts.http`. + # http: http + # -- Port of the ingress controller the internal HTTPS listener is mapped to. + # Defaults to the value of `controller.service.targetPorts.https`. + # https: https + + # -- Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol. + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + appProtocol: true + nodePorts: + # -- Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. + http: "" + # -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. + https: "" + # -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # tcp: + # 8080: 30080 + tcp: {} + # -- Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. + # Example: + # udp: + # 53: 30053 + udp: {} # shareProcessNamespace enables process namespace sharing within the pod. # This can be used for example to signal log rotation using `kill -USR1` from a sidecar. shareProcessNamespace: false @@ -568,9 +653,26 @@ controller: # -- Modules, which are mounted into the core nginx image. See values.yaml for a sample to add opentelemetry module extraModules: [] # - name: mytestmodule - # image: registry.k8s.io/ingress-nginx/mytestmodule + # image: + # registry: registry.k8s.io + # image: ingress-nginx/mytestmodule + # ## for backwards compatibility consider setting the full image url via the repository value below + # ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + # ## repository: + # tag: "v1.0.0" + # digest: "" + # distroless: false # containerSecurityContext: + # runAsNonRoot: true + # runAsUser: # allowPrivilegeEscalation: false + # seccompProfile: + # type: RuntimeDefault + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # resources: {} # # The image must contain a `/usr/local/bin/init_module.sh` executable, which # will be executed as initContainers, to move its config files within the @@ -578,11 +680,30 @@ controller: opentelemetry: enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 + name: opentelemetry + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry + ## for backwards compatibility consider setting the full image url via the repository value below + ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + ## repository: + tag: "v20230721-3e2062ee5" + digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 + distroless: true containerSecurityContext: + runAsNonRoot: true + # -- The image's default user, inherited from its base image `cgr.dev/chainguard/static`. + runAsUser: 65532 allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true resources: {} admissionWebhooks: + name: admission annotations: {} # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". @@ -619,8 +740,18 @@ controller: servicePort: 443 type: ClusterIP createSecretJob: + name: create + # -- Security context for secret creation containers securityContext: + runAsNonRoot: true + runAsUser: 65532 allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true resources: {} # limits: # cpu: 10m @@ -629,8 +760,18 @@ controller: # cpu: 10m # memory: 20Mi patchWebhookJob: + name: patch + # -- Security context for webhook patch containers securityContext: + runAsNonRoot: true + runAsUser: 65532 allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true resources: {} patch: enabled: true @@ -640,22 +781,24 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v20230407 - digest: sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b + tag: v20231226-1a7112e06 + digest: sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## priorityClassName: "" podAnnotations: {} + # NetworkPolicy for webhook patch + networkPolicy: + # -- Enable 'networkPolicy' or not + enabled: false nodeSelector: kubernetes.io/os: linux tolerations: [] # -- Labels to be added to patch job resources labels: {} - securityContext: - runAsNonRoot: true - runAsUser: 2000 - fsGroup: 2000 + # -- Security context for secret creation & webhook patch pods + securityContext: {} # Use certmanager to generate webhook certs certManager: enabled: false @@ -695,11 +838,12 @@ controller: serviceMonitor: enabled: false additionalLabels: {} + annotations: {} ## The label to use to retrieve the job name from. ## jobLabel: "app.kubernetes.io/name" namespace: "" namespaceSelector: {} - ## Default: scrape .Release.Namespace only + ## Default: scrape .Release.Namespace or namespaceOverride only ## To scrape all, use the following: ## namespaceSelector: ## any: true @@ -722,8 +866,13 @@ controller: # annotations: # description: bad ingress config - nginx config test failed # summary: uninstall the latest ingress changes to allow config reloads to resume + # # By default a fake self-signed certificate is generated as default and + # # it is fine if it expires. If `--default-ssl-certificate` flag is used + # # and a valid certificate passed please do not filter for `host` label! + # # (i.e. delete `{host!="_"}` so also the default SSL certificate is + # # checked for expiration) # - alert: NGINXCertificateExpiry - # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds{host!="_"}) by (host) - time()) < 604800 # for: 1s # labels: # severity: critical @@ -776,11 +925,13 @@ defaultBackend: ## repository: tag: "1.5" pullPolicy: IfNotPresent + runAsNonRoot: true # nobody user -> uid 65534 runAsUser: 65534 - runAsNonRoot: true - readOnlyRootFilesystem: true allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + readOnlyRootFilesystem: true # -- Use an existing PSP instead of creating one existingPsp: "" extraArgs: {} @@ -826,15 +977,9 @@ defaultBackend: # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" affinity: {} - # -- Security Context policies for controller pods - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## + # -- Security context for default backend pods podSecurityContext: {} - # -- Security Context policies for controller main container. - # See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for - # notes on enabling and using sysctls - ## + # -- Security context for default backend containers containerSecurityContext: {} # -- Labels to add to the pod container metadata podLabels: {} @@ -868,6 +1013,21 @@ defaultBackend: # - name: copy-portal-skins # emptyDir: {} + extraConfigMaps: [] + ## Additional configmaps to the default backend pod. + # - name: my-extra-configmap-1 + # labels: + # type: config-1 + # data: + # extra_file_1.html: | + # + # - name: my-extra-configmap-2 + # labels: + # type: config-2 + # data: + # extra_file_2.html: | + # + autoscaling: annotations: {} enabled: false @@ -931,4 +1091,4 @@ portNamePrefix: "" # -- (string) A base64-encoded Diffie-Hellman parameter. # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64` ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param -dhParam: "" \ No newline at end of file +dhParam: "" diff --git a/cmd/dataplane/main.go b/cmd/dataplane/main.go index 0ab978429..65f898df6 100644 --- a/cmd/dataplane/main.go +++ b/cmd/dataplane/main.go @@ -18,10 +18,8 @@ package main import ( "fmt" - "math/rand" // #nosec "net/http" "os" - "time" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/collectors" @@ -41,8 +39,6 @@ import ( func main() { klog.InitFlags(nil) - rand.Seed(time.Now().UnixNano()) - fmt.Println(version.String()) var err error showVersion, conf, err := ingressflags.ParseFlags() @@ -70,7 +66,7 @@ func main() { mc := metric.NewDummyCollector() if conf.EnableMetrics { // TODO: Ingress class is not a part of dataplane anymore - mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets) + mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics) if err != nil { klog.Fatalf("Error creating prometheus collector: %v", err) } diff --git a/cmd/dbg/main.go b/cmd/dbg/main.go index 41a3c2772..b63bcf5fe 100644 --- a/cmd/dbg/main.go +++ b/cmd/dbg/main.go @@ -114,7 +114,6 @@ func main() { fmt.Println(err) os.Exit(1) } - } func backendsAll() { @@ -155,10 +154,16 @@ func backendsList() { fmt.Println(unmarshalErr) return } - backends := f.([]interface{}) + backends, ok := f.([]interface{}) + if !ok { + fmt.Printf("unexpected type: %T", f) + } for _, backendi := range backends { - backend := backendi.(map[string]interface{}) + backend, ok := backendi.(map[string]interface{}) + if !ok { + fmt.Printf("unexpected type: %T", backendi) + } fmt.Println(backend["name"].(string)) } } @@ -180,12 +185,22 @@ func backendsGet(name string) { fmt.Println(unmarshalErr) return } - backends := f.([]interface{}) + backends, ok := f.([]interface{}) + if !ok { + fmt.Printf("unexpected type: %T", f) + } for _, backendi := range backends { - backend := backendi.(map[string]interface{}) + backend, ok := backendi.(map[string]interface{}) + if !ok { + fmt.Printf("unexpected type: %T", backendi) + } if backend["name"].(string) == name { - printed, _ := json.MarshalIndent(backend, "", " ") + printed, err := json.MarshalIndent(backend, "", " ") + if err != nil { + fmt.Println(err) + return + } fmt.Println(string(printed)) return } @@ -213,18 +228,7 @@ func certGet(host string) { } func general() { - //TODO: refactor to obtain ingress-nginx pod count from the api server - /* - statusCode, body, requestErr := nginx.NewGetStatusRequest(generalPath) - if requestErr != nil { - fmt.Println(requestErr) - return - } - if statusCode != 200 { - fmt.Printf("Nginx returned code %v\n", statusCode) - return - } - */ + // TODO: refactor to obtain ingress-nginx pod count from the api server var prettyBuffer bytes.Buffer indentErr := json.Indent(&prettyBuffer, []byte("{}"), "", " ") diff --git a/cmd/nginx/logger.go b/cmd/nginx/logger.go index 13ec095fa..323085c83 100644 --- a/cmd/nginx/logger.go +++ b/cmd/nginx/logger.go @@ -47,5 +47,4 @@ func logger(address string) { server.Wait() klog.Infof("Stopping logger") - } diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index 9f0973ec9..1d30091ef 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -19,7 +19,6 @@ package main import ( "context" "fmt" - "math/rand" // #nosec "net/http" "os" "path/filepath" @@ -54,8 +53,6 @@ import ( func main() { klog.InitFlags(nil) - rand.Seed(time.Now().UnixNano()) - fmt.Println(version.String()) showVersion, conf, err := ingressflags.ParseFlags() @@ -133,7 +130,7 @@ func main() { mc := metric.NewDummyCollector() if conf.EnableMetrics { - mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets) + mc, err = metric.NewCollector(conf.MetricsPerHost, conf.ReportStatusClasses, reg, conf.IngressClassConfiguration.Controller, *conf.MetricsBuckets, conf.ExcludeSocketMetrics) if err != nil { klog.Fatalf("Error creating prometheus collector: %v", err) } @@ -156,7 +153,6 @@ func main() { if errExists == nil { conf.IsChroot = true go logger(conf.InternalLoggerAddress) - } go metrics.StartHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux) @@ -285,10 +281,10 @@ func checkService(key string, kubeClient *kubernetes.Clientset) error { } if errors.IsNotFound(err) { - return fmt.Errorf("No service with name %v found in namespace %v: %v", name, ns, err) + return fmt.Errorf("no service with name %v found in namespace %v: %v", name, ns, err) } - return fmt.Errorf("Unexpected error searching service with name %v in namespace %v: %v", name, ns, err) + return fmt.Errorf("unexpected error searching service with name %v in namespace %v: %v", name, ns, err) } return nil diff --git a/cmd/nginx/main_test.go b/cmd/nginx/main_test.go index f57c02c5e..13f1e9eec 100644 --- a/cmd/nginx/main_test.go +++ b/cmd/nginx/main_test.go @@ -47,7 +47,7 @@ func TestCreateApiserverClient(t *testing.T) { func init() { // the default value of nginx.TemplatePath assumes the template exists in // the root filesystem and not in the rootfs directory - path, err := filepath.Abs(filepath.Join("../../rootfs/", nginx.TemplatePath)) + path, err := filepath.Abs(filepath.Join("..", "..", "rootfs", nginx.TemplatePath)) if err == nil { nginx.TemplatePath = path } @@ -87,14 +87,14 @@ func TestHandleSigterm(t *testing.T) { ingressflags.ResetForTesting(func() { t.Fatal("bad parse") }) - os.Setenv("POD_NAME", podName) - os.Setenv("POD_NAMESPACE", namespace) + t.Setenv("POD_NAME", podName) + t.Setenv("POD_NAMESPACE", namespace) oldArgs := os.Args defer func() { - os.Setenv("POD_NAME", "") - os.Setenv("POD_NAMESPACE", "") + t.Setenv("POD_NAME", "") + t.Setenv("POD_NAMESPACE", "") os.Args = oldArgs }() diff --git a/cmd/plugin/commands/backends/backends.go b/cmd/plugin/commands/backends/backends.go index 341c62a9c..ff44fd9c2 100644 --- a/cmd/plugin/commands/backends/backends.go +++ b/cmd/plugin/commands/backends/backends.go @@ -30,7 +30,7 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "backends", Short: "Inspect the dynamic backend information of an ingress-nginx instance", @@ -47,7 +47,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return fmt.Errorf("--list and --backend cannot both be specified") } - util.PrintError(backends(flags, *pod, *deployment, *selector, backend, onlyList)) + util.PrintError(backends(flags, *pod, *deployment, *selector, *container, backend, onlyList)) return nil }, } @@ -55,6 +55,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) cmd.Flags().String("backend", "", "Output only the information for the given backend") cmd.Flags().Bool("list", false, "Output a newline-separated list of backend names") @@ -62,13 +63,14 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return cmd } -func backends(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, backend string, onlyList bool) error { +func backends(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container, backend string, onlyList bool) error { var command []string - if onlyList { + switch { + case onlyList: command = []string{"/dbg", "backends", "list"} - } else if backend != "" { + case backend != "": command = []string{"/dbg", "backends", "get", backend} - } else { + default: command = []string{"/dbg", "backends", "all"} } @@ -77,7 +79,7 @@ func backends(flags *genericclioptions.ConfigFlags, podName string, deployment s return err } - out, err := kubectl.PodExecString(flags, &pod, command) + out, err := kubectl.PodExecString(flags, &pod, container, command) if err != nil { return err } diff --git a/cmd/plugin/commands/certs/certs.go b/cmd/plugin/commands/certs/certs.go index 07fd08ad3..ee27cf1b1 100644 --- a/cmd/plugin/commands/certs/certs.go +++ b/cmd/plugin/commands/certs/certs.go @@ -18,6 +18,7 @@ package certs import ( "fmt" + "os" "github.com/spf13/cobra" @@ -30,7 +31,7 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "certs", Short: "Output the certificate data stored in an ingress-nginx pod", @@ -40,21 +41,25 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return err } - util.PrintError(certs(flags, *pod, *deployment, *selector, host)) + util.PrintError(certs(flags, *pod, *deployment, *selector, *container, host)) return nil }, } cmd.Flags().String("host", "", "Get the cert for this hostname") - cobra.MarkFlagRequired(cmd.Flags(), "host") + if err := cobra.MarkFlagRequired(cmd.Flags(), "host"); err != nil { + util.PrintError(err) + os.Exit(1) + } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) return cmd } -func certs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, host string) error { +func certs(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container, host string) error { command := []string{"/dbg", "certs", "get", host} pod, err := request.ChoosePod(flags, podName, deployment, selector) @@ -62,7 +67,7 @@ func certs(flags *genericclioptions.ConfigFlags, podName string, deployment stri return err } - out, err := kubectl.PodExecString(flags, &pod, command) + out, err := kubectl.PodExecString(flags, &pod, container, command) if err != nil { return err } diff --git a/cmd/plugin/commands/conf/conf.go b/cmd/plugin/commands/conf/conf.go index 5caa2a649..090fb40bb 100644 --- a/cmd/plugin/commands/conf/conf.go +++ b/cmd/plugin/commands/conf/conf.go @@ -32,7 +32,7 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "conf", Short: "Inspect the generated nginx.conf", @@ -42,7 +42,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return err } - util.PrintError(conf(flags, host, *pod, *deployment, *selector)) + util.PrintError(conf(flags, host, *pod, *deployment, *selector, *container)) return nil }, } @@ -50,17 +50,18 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) return cmd } -func conf(flags *genericclioptions.ConfigFlags, host string, podName string, deployment string, selector string) error { +func conf(flags *genericclioptions.ConfigFlags, host, podName, deployment, selector, container string) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err } - nginxConf, err := kubectl.PodExecString(flags, &pod, []string{"/dbg", "conf"}) + nginxConf, err := kubectl.PodExecString(flags, &pod, container, []string{"/dbg", "conf"}) if err != nil { return err } diff --git a/cmd/plugin/commands/exec/exec.go b/cmd/plugin/commands/exec/exec.go index 5f1a31913..8e853c534 100644 --- a/cmd/plugin/commands/exec/exec.go +++ b/cmd/plugin/commands/exec/exec.go @@ -29,19 +29,21 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { opts := execFlags{} - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "exec", Short: "Execute a command inside an ingress-nginx pod", RunE: func(cmd *cobra.Command, args []string) error { - util.PrintError(exec(flags, *pod, *deployment, *selector, args, opts)) + util.PrintError(exec(flags, *pod, *deployment, *selector, *container, args, opts)) return nil }, } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) + cmd.Flags().BoolVarP(&opts.TTY, "tty", "t", false, "Stdin is a TTY") cmd.Flags().BoolVarP(&opts.Stdin, "stdin", "i", false, "Pass stdin to the container") @@ -53,7 +55,7 @@ type execFlags struct { Stdin bool } -func exec(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, cmd []string, opts execFlags) error { +func exec(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string, cmd []string, opts execFlags) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err @@ -67,7 +69,7 @@ func exec(flags *genericclioptions.ConfigFlags, podName string, deployment strin args = append(args, "-i") } - args = append(args, []string{"-n", pod.Namespace, pod.Name, "--"}...) + args = append(args, []string{"-n", pod.Namespace, "-c", container, pod.Name, "--"}...) args = append(args, cmd...) return kubectl.Exec(flags, args) } diff --git a/cmd/plugin/commands/general/general.go b/cmd/plugin/commands/general/general.go index 44e02ca88..cea403562 100644 --- a/cmd/plugin/commands/general/general.go +++ b/cmd/plugin/commands/general/general.go @@ -30,29 +30,30 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "general", Short: "Inspect the other dynamic ingress-nginx information", RunE: func(cmd *cobra.Command, args []string) error { - util.PrintError(general(flags, *pod, *deployment, *selector)) + util.PrintError(general(flags, *pod, *deployment, *selector, *container)) return nil }, } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) return cmd } -func general(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string) error { +func general(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err } - out, err := kubectl.PodExecString(flags, &pod, []string{"/dbg", "general"}) + out, err := kubectl.PodExecString(flags, &pod, container, []string{"/dbg", "general"}) if err != nil { return err } diff --git a/cmd/plugin/commands/ingresses/ingresses.go b/cmd/plugin/commands/ingresses/ingresses.go index dff967103..8a25418db 100644 --- a/cmd/plugin/commands/ingresses/ingresses.go +++ b/cmd/plugin/commands/ingresses/ingresses.go @@ -74,9 +74,9 @@ func ingresses(flags *genericclioptions.ConfigFlags, host string, allNamespaces if host != "" { rowsWithHost := make([]ingressRow, 0) - for _, row := range rows { - if row.Host == host { - rowsWithHost = append(rowsWithHost, row) + for i := range rows { + if rows[i].Host == host { + rowsWithHost = append(rowsWithHost, rows[i]) } } rows = rowsWithHost @@ -91,7 +91,8 @@ func ingresses(flags *genericclioptions.ConfigFlags, host string, allNamespaces fmt.Fprintln(printer, "INGRESS NAME\tHOST+PATH\tADDRESSES\tTLS\tSERVICE\tSERVICE PORT\tENDPOINTS") } - for _, row := range rows { + for i := range rows { + row := &rows[i] var tlsMsg string if row.TLS { tlsMsg = "YES" @@ -134,8 +135,8 @@ type ingressRow struct { func getIngressRows(ingresses *[]networking.Ingress) []ingressRow { rows := make([]ingressRow, 0) - for _, ing := range *ingresses { - + for i := range *ingresses { + ing := &(*ingresses)[i] address := "" for _, lbIng := range ing.Status.LoadBalancer.Ingress { if len(lbIng.IP) > 0 { @@ -182,7 +183,7 @@ func getIngressRows(ingresses *[]networking.Ingress) []ingressRow { for _, rule := range ing.Spec.Rules { _, hasTLS := tlsHosts[rule.Host] - //Handle ingress with no paths + // Handle ingress with no paths if rule.HTTP == nil { row := ingressRow{ Namespace: ing.Namespace, diff --git a/cmd/plugin/commands/ingresses/ingresses_test.go b/cmd/plugin/commands/ingresses/ingresses_test.go index 6a8d8837f..7a90efe46 100644 --- a/cmd/plugin/commands/ingresses/ingresses_test.go +++ b/cmd/plugin/commands/ingresses/ingresses_test.go @@ -24,7 +24,6 @@ import ( ) func TestGetIngressInformation(t *testing.T) { - testcases := map[string]struct { ServiceBackend *networking.IngressServiceBackend wantName string diff --git a/cmd/plugin/commands/lint/main.go b/cmd/plugin/commands/lint/main.go index 2daf8eb87..847fe86c9 100644 --- a/cmd/plugin/commands/lint/main.go +++ b/cmd/plugin/commands/lint/main.go @@ -111,11 +111,13 @@ type lintOptions struct { } func (opts *lintOptions) Validate() error { + //nolint:dogsled // Ignore 3 blank identifiers _, _, _, err := util.ParseVersionString(opts.versionFrom) if err != nil { return err } + //nolint:dogsled // Ignore 3 blank identifiers _, _, _, err = util.ParseVersionString(opts.versionTo) if err != nil { return err @@ -131,9 +133,9 @@ type lint interface { Version() string } -func checkObjectArray(lints []lint, objects []kmeta.Object, opts lintOptions) { +func checkObjectArray(allLints []lint, objects []kmeta.Object, opts lintOptions) { usedLints := make([]lint, 0) - for _, lint := range lints { + for _, lint := range allLints { lintVersion := lint.Version() if lint.Version() == "" { lintVersion = "0.0.0" @@ -189,7 +191,7 @@ func ingresses(opts lintOptions) error { return err } - var iLints []lints.IngressLint = lints.GetIngressLints() + iLints := lints.GetIngressLints() genericLints := make([]lint, len(iLints)) for i := range iLints { genericLints[i] = iLints[i] @@ -216,7 +218,7 @@ func deployments(opts lintOptions) error { return err } - var iLints []lints.DeploymentLint = lints.GetDeploymentLints() + iLints := lints.GetDeploymentLints() genericLints := make([]lint, len(iLints)) for i := range iLints { genericLints[i] = iLints[i] diff --git a/cmd/plugin/commands/logs/logs.go b/cmd/plugin/commands/logs/logs.go index 55cd008dc..22068d469 100644 --- a/cmd/plugin/commands/logs/logs.go +++ b/cmd/plugin/commands/logs/logs.go @@ -31,19 +31,20 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { o := logsFlags{} - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "logs", Short: "Get the kubernetes logs for an ingress-nginx pod", RunE: func(cmd *cobra.Command, args []string) error { - util.PrintError(logs(flags, *pod, *deployment, *selector, o)) + util.PrintError(logs(flags, *pod, *deployment, *selector, *container, o)) return nil }, } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) cmd.Flags().BoolVarP(&o.Follow, "follow", "f", o.Follow, "Specify if the logs should be streamed.") cmd.Flags().BoolVar(&o.Timestamps, "timestamps", o.Timestamps, "Include timestamps on each line in the log output") @@ -94,13 +95,13 @@ func (o *logsFlags) toStrings() []string { return r } -func logs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, opts logsFlags) error { +func logs(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string, opts logsFlags) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err } - cmd := []string{"logs", "-n", pod.Namespace, pod.Name} + cmd := []string{"logs", "-n", pod.Namespace, "-c", container, pod.Name} cmd = append(cmd, opts.toStrings()...) return kubectl.Exec(flags, cmd) } diff --git a/cmd/plugin/commands/ssh/ssh.go b/cmd/plugin/commands/ssh/ssh.go index 5e8b49fac..a4762d781 100644 --- a/cmd/plugin/commands/ssh/ssh.go +++ b/cmd/plugin/commands/ssh/ssh.go @@ -28,27 +28,28 @@ import ( // CreateCommand creates and returns this cobra subcommand func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { - var pod, deployment, selector *string + var pod, deployment, selector, container *string cmd := &cobra.Command{ Use: "ssh", Short: "ssh into a running ingress-nginx pod", RunE: func(cmd *cobra.Command, args []string) error { - util.PrintError(ssh(flags, *pod, *deployment, *selector)) + util.PrintError(ssh(flags, *pod, *deployment, *selector, *container)) return nil }, } pod = util.AddPodFlag(cmd) deployment = util.AddDeploymentFlag(cmd) selector = util.AddSelectorFlag(cmd) + container = util.AddContainerFlag(cmd) return cmd } -func ssh(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string) error { +func ssh(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err } - return kubectl.Exec(flags, []string{"exec", "-it", "-n", pod.Namespace, pod.Name, "--", "/bin/bash"}) + return kubectl.Exec(flags, []string{"exec", "-it", "-n", pod.Namespace, "-c", container, pod.Name, "--", "/bin/bash"}) } diff --git a/cmd/plugin/krew.yaml b/cmd/plugin/krew.yaml index e68b09f9a..0ef537d34 100644 --- a/cmd/plugin/krew.yaml +++ b/cmd/plugin/krew.yaml @@ -21,7 +21,7 @@ spec: arch: amd64 {{addURIAndSha "https://github.com/kubernetes/ingress-nginx/releases/download/{{ .TagName }}/kubectl-ingress-nginx_darwin_amd64.tar.gz" .TagName }} bin: kubectl-ingress-nginx - selector: + - selector: matchLabels: os: linux arch: amd64 diff --git a/cmd/plugin/kubectl/kubectl.go b/cmd/plugin/kubectl/kubectl.go index c11ba5b77..cb33243fc 100644 --- a/cmd/plugin/kubectl/kubectl.go +++ b/cmd/plugin/kubectl/kubectl.go @@ -31,18 +31,18 @@ import ( // PodExecString takes a pod and a command, uses kubectl exec to run the command in the pod // and returns stdout as a string -func PodExecString(flags *genericclioptions.ConfigFlags, pod *apiv1.Pod, args []string) (string, error) { - args = append([]string{"exec", "-n", pod.Namespace, pod.Name}, args...) +func PodExecString(flags *genericclioptions.ConfigFlags, pod *apiv1.Pod, container string, args []string) (string, error) { + args = append([]string{"exec", "-n", pod.Namespace, "-c", container, pod.Name}, args...) return ExecToString(flags, args) } // ExecToString runs a kubectl subcommand and returns stdout as a string func ExecToString(flags *genericclioptions.ConfigFlags, args []string) (string, error) { - kArgs := getKubectlConfigFlags(flags) - kArgs = append(kArgs, args...) + kubectlArgs := getKubectlConfigFlags(flags) + kubectlArgs = append(kubectlArgs, args...) buf := bytes.NewBuffer(make([]byte, 0)) - err := execToWriter(append([]string{"kubectl"}, kArgs...), buf) + err := execToWriter(append([]string{"kubectl"}, kubectlArgs...), buf) if err != nil { return "", err } @@ -51,9 +51,9 @@ func ExecToString(flags *genericclioptions.ConfigFlags, args []string) (string, // Exec replaces the current process with a kubectl invocation func Exec(flags *genericclioptions.ConfigFlags, args []string) error { - kArgs := getKubectlConfigFlags(flags) - kArgs = append(kArgs, args...) - return execCommand(append([]string{"kubectl"}, kArgs...)) + kubectlArgs := getKubectlConfigFlags(flags) + kubectlArgs = append(kubectlArgs, args...) + return execCommand(append([]string{"kubectl"}, kubectlArgs...)) } // Replaces the currently running process with the given command @@ -70,6 +70,7 @@ func execCommand(args []string) error { // Runs a command and returns stdout func execToWriter(args []string, writer io.Writer) error { + //nolint:gosec // Ignore G204 error cmd := exec.Command(args[0], args[1:]...) op, err := cmd.StdoutPipe() @@ -77,7 +78,9 @@ func execToWriter(args []string, writer io.Writer) error { return err } - go io.Copy(writer, op) + go func() { + io.Copy(writer, op) //nolint:errcheck // Ignore the error + }() err = cmd.Run() if err != nil { return err @@ -104,7 +107,6 @@ func getKubectlConfigFlags(flags *genericclioptions.ConfigFlags) []string { appendStringFlag(o, flags.Password, "password") appendStringFlag(o, flags.ClusterName, "cluster") appendStringFlag(o, flags.AuthInfoName, "user") - //appendStringFlag(o, flags.Namespace, "namespace") appendStringFlag(o, flags.Context, "context") appendStringFlag(o, flags.APIServer, "server") appendBoolFlag(o, flags.Insecure, "insecure-skip-tls-verify") @@ -126,7 +128,7 @@ func appendBoolFlag(out *[]string, in *bool, flag string) { } } -func appendStringArrayFlag(out *[]string, in *[]string, flag string) { +func appendStringArrayFlag(out, in *[]string, flag string) { if in != nil && len(*in) > 0 { *out = append(*out, fmt.Sprintf("--%v=%v'", flag, strings.Join(*in, ","))) } diff --git a/cmd/plugin/lints/deployment.go b/cmd/plugin/lints/deployment.go index a1c473f1e..ce1712284 100644 --- a/cmd/plugin/lints/deployment.go +++ b/cmd/plugin/lints/deployment.go @@ -35,7 +35,10 @@ type DeploymentLint struct { // Check returns true if the lint detects an issue func (lint DeploymentLint) Check(obj kmeta.Object) bool { - cmp := obj.(*v1.Deployment) + cmp, ok := obj.(*v1.Deployment) + if !ok { + util.PrintError(fmt.Errorf("unexpected type: %T", obj)) + } return lint.f(*cmp) } @@ -72,11 +75,11 @@ func removedFlag(flag string, issueNumber int, version string) DeploymentLint { issue: issueNumber, version: version, f: func(dep v1.Deployment) bool { - if !isIngressNginxDeployment(dep) { + if !isIngressNginxDeployment(&dep) { return false } - args := getNginxArgs(dep) + args := getNginxArgs(&dep) for _, arg := range args { if strings.HasPrefix(arg, fmt.Sprintf("--%v", flag)) { return true @@ -88,8 +91,9 @@ func removedFlag(flag string, issueNumber int, version string) DeploymentLint { } } -func getNginxArgs(dep v1.Deployment) []string { - for _, container := range dep.Spec.Template.Spec.Containers { +func getNginxArgs(dep *v1.Deployment) []string { + for i := range dep.Spec.Template.Spec.Containers { + container := &dep.Spec.Template.Spec.Containers[i] if len(container.Args) > 0 && container.Args[0] == "/nginx-ingress-controller" { return container.Args } @@ -97,10 +101,10 @@ func getNginxArgs(dep v1.Deployment) []string { return make([]string, 0) } -func isIngressNginxDeployment(dep v1.Deployment) bool { +func isIngressNginxDeployment(dep *v1.Deployment) bool { containers := dep.Spec.Template.Spec.Containers - for _, container := range containers { - if len(container.Args) > 0 && container.Args[0] == "/nginx-ingress-controller" { + for i := range containers { + if len(containers[i].Args) > 0 && containers[i].Args[0] == "/nginx-ingress-controller" { return true } } diff --git a/cmd/plugin/lints/ingress.go b/cmd/plugin/lints/ingress.go index ea08bfd8b..d5ad42e2c 100644 --- a/cmd/plugin/lints/ingress.go +++ b/cmd/plugin/lints/ingress.go @@ -30,13 +30,16 @@ type IngressLint struct { message string issue int version string - f func(ing networking.Ingress) bool + f func(ing *networking.Ingress) bool } // Check returns true if the lint detects an issue func (lint IngressLint) Check(obj kmeta.Object) bool { - ing := obj.(*networking.Ingress) - return lint.f(*ing) + ing, ok := obj.(*networking.Ingress) + if !ok { + util.PrintError(fmt.Errorf("unexpected type: %T", obj)) + } + return lint.f(ing) } // Message is a description of the lint @@ -94,7 +97,7 @@ func GetIngressLints() []IngressLint { } } -func xForwardedPrefixIsBool(ing networking.Ingress) bool { +func xForwardedPrefixIsBool(ing *networking.Ingress) bool { for name, val := range ing.Annotations { if strings.HasSuffix(name, "/x-forwarded-prefix") && (val == "true" || val == "false") { return true @@ -103,7 +106,7 @@ func xForwardedPrefixIsBool(ing networking.Ingress) bool { return false } -func annotationPrefixIsNginxCom(ing networking.Ingress) bool { +func annotationPrefixIsNginxCom(ing *networking.Ingress) bool { for name := range ing.Annotations { if strings.HasPrefix(name, "nginx.com/") { return true @@ -112,7 +115,7 @@ func annotationPrefixIsNginxCom(ing networking.Ingress) bool { return false } -func annotationPrefixIsNginxOrg(ing networking.Ingress) bool { +func annotationPrefixIsNginxOrg(ing *networking.Ingress) bool { for name := range ing.Annotations { if strings.HasPrefix(name, "nginx.org/") { return true @@ -121,7 +124,7 @@ func annotationPrefixIsNginxOrg(ing networking.Ingress) bool { return false } -func rewriteTargetWithoutCaptureGroup(ing networking.Ingress) bool { +func rewriteTargetWithoutCaptureGroup(ing *networking.Ingress) bool { for name, val := range ing.Annotations { if strings.HasSuffix(name, "/rewrite-target") && !strings.Contains(val, "$1") { return true @@ -135,7 +138,7 @@ func removedAnnotation(annotationName string, issueNumber int, version string) I message: fmt.Sprintf("Contains the removed %v annotation.", annotationName), issue: issueNumber, version: version, - f: func(ing networking.Ingress) bool { + f: func(ing *networking.Ingress) bool { for annotation := range ing.Annotations { if strings.HasSuffix(annotation, "/"+annotationName) { return true @@ -146,7 +149,7 @@ func removedAnnotation(annotationName string, issueNumber int, version string) I } } -func satisfyDirective(ing networking.Ingress) bool { +func satisfyDirective(ing *networking.Ingress) bool { for name, val := range ing.Annotations { if strings.HasSuffix(name, "/configuration-snippet") { return strings.Contains(val, "satisfy") diff --git a/cmd/plugin/main.go b/cmd/plugin/main.go index f3a809715..e9a8ea59a 100644 --- a/cmd/plugin/main.go +++ b/cmd/plugin/main.go @@ -24,7 +24,7 @@ import ( "k8s.io/cli-runtime/pkg/genericclioptions" - //Just importing this is supposed to allow cloud authentication + // Just importing this is supposed to allow cloud authentication // eg GCP, AWS, Azure ... _ "k8s.io/client-go/plugin/pkg/client/auth" diff --git a/cmd/plugin/request/request.go b/cmd/plugin/request/request.go index fd47564a9..55df85d5e 100644 --- a/cmd/plugin/request/request.go +++ b/cmd/plugin/request/request.go @@ -35,7 +35,7 @@ import ( ) // ChoosePod finds a pod either by deployment or by name -func ChoosePod(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string) (apiv1.Pod, error) { +func ChoosePod(flags *genericclioptions.ConfigFlags, podName, deployment, selector string) (apiv1.Pod, error) { if podName != "" { return GetNamedPod(flags, podName) } @@ -54,9 +54,9 @@ func GetNamedPod(flags *genericclioptions.ConfigFlags, name string) (apiv1.Pod, return apiv1.Pod{}, err } - for _, pod := range allPods { - if pod.Name == name { - return pod, nil + for i := range allPods { + if allPods[i].Name == name { + return allPods[i], nil } } @@ -132,7 +132,7 @@ func GetIngressDefinitions(flags *genericclioptions.ConfigFlags, namespace strin } // GetNumEndpoints counts the number of endpointslices adresses for the service with the given name -func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace string, serviceName string) (*int, error) { +func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace, serviceName string) (*int, error) { epss, err := GetEndpointSlicesByName(flags, namespace, serviceName) if err != nil { return nil, err @@ -143,25 +143,26 @@ func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace string, ser } ret := 0 - for _, eps := range epss { - for _, ep := range eps.Endpoints { - ret += len(ep.Addresses) + for i := range epss { + eps := &epss[i] + for j := range eps.Endpoints { + ret += len(eps.Endpoints[j].Addresses) } } return &ret, nil } // GetEndpointSlicesByName returns the endpointSlices for the service with the given name -func GetEndpointSlicesByName(flags *genericclioptions.ConfigFlags, namespace string, name string) ([]discoveryv1.EndpointSlice, error) { +func GetEndpointSlicesByName(flags *genericclioptions.ConfigFlags, namespace, name string) ([]discoveryv1.EndpointSlice, error) { allEndpointsSlices, err := getEndpointSlices(flags, namespace) if err != nil { return nil, err } var eps []discoveryv1.EndpointSlice - for _, slice := range allEndpointsSlices { - if svcName, ok := slice.ObjectMeta.GetLabels()[discoveryv1.LabelServiceName]; ok { + for i := range allEndpointsSlices { + if svcName, ok := allEndpointsSlices[i].ObjectMeta.GetLabels()[discoveryv1.LabelServiceName]; ok { if svcName == name { - eps = append(eps, slice) + eps = append(eps, allEndpointsSlices[i]) } } } @@ -182,7 +183,7 @@ func getEndpointSlices(flags *genericclioptions.ConfigFlags, namespace string) ( tryAllNamespacesEndpointSlicesCache(flags) } - cachedEndpointSlices = tryFilteringEndpointSlicesFromAllNamespacesCache(flags, namespace) + cachedEndpointSlices = tryFilteringEndpointSlicesFromAllNamespacesCache(namespace) if cachedEndpointSlices != nil { return *cachedEndpointSlices, nil @@ -217,13 +218,13 @@ func tryAllNamespacesEndpointSlicesCache(flags *genericclioptions.ConfigFlags) { } } -func tryFilteringEndpointSlicesFromAllNamespacesCache(flags *genericclioptions.ConfigFlags, namespace string) *[]discoveryv1.EndpointSlice { +func tryFilteringEndpointSlicesFromAllNamespacesCache(namespace string) *[]discoveryv1.EndpointSlice { allEndpointSlices := endpointSlicesCache[""] if allEndpointSlices != nil { endpointSlices := make([]discoveryv1.EndpointSlice, 0) - for _, slice := range *allEndpointSlices { - if slice.Namespace == namespace { - endpointSlices = append(endpointSlices, slice) + for i := range *allEndpointSlices { + if (*allEndpointSlices)[i].Namespace == namespace { + endpointSlices = append(endpointSlices, (*allEndpointSlices)[i]) } } endpointSlicesCache[namespace] = &endpointSlices @@ -242,9 +243,9 @@ func GetServiceByName(flags *genericclioptions.ConfigFlags, name string, service services = &servicesArray } - for _, svc := range *services { - if svc.Name == name { - return svc, nil + for i := range *services { + if (*services)[i].Name == name { + return (*services)[i], nil } } @@ -288,7 +289,6 @@ func getLabeledPods(flags *genericclioptions.ConfigFlags, label string) ([]apiv1 pods, err := api.Pods(namespace).List(context.TODO(), metav1.ListOptions{ LabelSelector: label, }) - if err != nil { return make([]apiv1.Pod, 0), err } @@ -303,9 +303,9 @@ func getDeploymentPods(flags *genericclioptions.ConfigFlags, deployment string) } ingressPods := make([]apiv1.Pod, 0) - for _, pod := range pods { - if util.PodInDeployment(pod, deployment) { - ingressPods = append(ingressPods, pod) + for i := range pods { + if util.PodInDeployment(&pods[i], deployment) { + ingressPods = append(ingressPods, pods[i]) } } @@ -331,5 +331,4 @@ func getServices(flags *genericclioptions.ConfigFlags) ([]apiv1.Service, error) } return services.Items, nil - } diff --git a/cmd/plugin/util/util.go b/cmd/plugin/util/util.go index cc9882009..7457b8c53 100644 --- a/cmd/plugin/util/util.go +++ b/cmd/plugin/util/util.go @@ -29,8 +29,9 @@ import ( // The default deployment and service names for ingress-nginx const ( - DefaultIngressDeploymentName = "ingress-nginx-controller" - DefaultIngressServiceName = "ingress-nginx-controller" + DefaultIngressDeploymentName = "ingress-nginx-controller" //#nosec G101 + DefaultIngressServiceName = "ingress-nginx-controller" //#nosec G101 + DefaultIngressContainerName = "controller" ) // IssuePrefix is the github url that we can append an issue number to to link to it @@ -46,17 +47,25 @@ func PrintError(e error) { } // ParseVersionString returns the major, minor, and patch numbers of a version string -func ParseVersionString(v string) (int, int, int, error) { +func ParseVersionString(v string) (major, minor, patch int, err error) { parts := versionRegex.FindStringSubmatch(v) if len(parts) != 4 { return 0, 0, 0, fmt.Errorf("could not parse %v as a version string (like 0.20.3)", v) } - major, _ := strconv.Atoi(parts[1]) - minor, _ := strconv.Atoi(parts[2]) - patch, _ := strconv.Atoi(parts[3]) - + major, err = strconv.Atoi(parts[1]) + if err != nil { + return 0, 0, 0, err + } + minor, err = strconv.Atoi(parts[2]) + if err != nil { + return 0, 0, 0, err + } + patch, err = strconv.Atoi(parts[3]) + if err != nil { + return 0, 0, 0, err + } return major, minor, patch, nil } @@ -89,7 +98,7 @@ func isVersionLessThan(a, b string) bool { // PodInDeployment returns whether a pod is part of a deployment with the given name // a pod is considered to be in {deployment} if it is owned by a replicaset with a name of format {deployment}-otherchars -func PodInDeployment(pod apiv1.Pod, deployment string) bool { +func PodInDeployment(pod *apiv1.Pod, deployment string) bool { for _, owner := range pod.OwnerReferences { if owner.Controller == nil || !*owner.Controller || owner.Kind != "ReplicaSet" { continue @@ -127,10 +136,17 @@ func AddSelectorFlag(cmd *cobra.Command) *string { return &v } +// AddContainerFlag adds a --container flag to a cobra command +func AddContainerFlag(cmd *cobra.Command) *string { + v := "" + cmd.Flags().StringVar(&v, "container", DefaultIngressContainerName, "The name of the ingress-nginx controller container") + return &v +} + // GetNamespace takes a set of kubectl flag values and returns the namespace we should be operating in func GetNamespace(flags *genericclioptions.ConfigFlags) string { namespace, _, err := flags.ToRawKubeConfigLoader().Namespace() - if err != nil || len(namespace) == 0 { + if err != nil || namespace == "" { namespace = apiv1.NamespaceDefault } return namespace diff --git a/deploy/grafana/dashboards/README.md b/deploy/grafana/dashboards/README.md index 26195583b..e16180c3b 100644 --- a/deploy/grafana/dashboards/README.md +++ b/deploy/grafana/dashboards/README.md @@ -4,7 +4,7 @@ Ingress-nginx supports a rich collection of prometheus metrics. If you have pro This folder contains two dashboards that you can import. -## 1. NGINX Ingress Controller +## 1. Ingress-Nginx Controller ![Dashboard](screenshot.png) diff --git a/deploy/grafana/dashboards/nginx.json b/deploy/grafana/dashboards/nginx.json index 85f93c9eb..3c3205b4a 100644 --- a/deploy/grafana/dashboards/nginx.json +++ b/deploy/grafana/dashboards/nginx.json @@ -1312,7 +1312,7 @@ "targets": [ { "exemplar": true, - "expr": "histogram_quantile(0.80, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", + "expr": "histogram_quantile(0.80, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le))", "format": "time_series", "hide": false, "instant": false, @@ -1323,7 +1323,7 @@ }, { "exemplar": true, - "expr": "histogram_quantile(0.90, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", + "expr": "histogram_quantile(0.90, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le))", "format": "time_series", "hide": false, "instant": false, @@ -1335,7 +1335,7 @@ { "editorMode": "code", "exemplar": true, - "expr": "histogram_quantile(0.99, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le))", + "expr": "histogram_quantile(0.99, sum(rate(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le))", "format": "time_series", "hide": false, "instant": false, @@ -1377,7 +1377,7 @@ "targets": [ { "exemplar": true, - "expr": "sum(increase(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\",exported_namespace=\"uat\"}[2m])) by (le)", + "expr": "sum(increase(nginx_ingress_controller_request_duration_seconds_bucket{ingress!=\"\",controller_pod=~\"$controller\",controller_class=~\"$controller_class\",controller_namespace=~\"$namespace\",ingress=~\"$ingress\"}[2m])) by (le)", "format": "heatmap", "interval": "", "legendFormat": "{{le}}", diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index fbdf9486a..f73e0fce0 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -359,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -392,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -415,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -426,12 +411,18 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 spec: containers: - args: @@ -455,7 +446,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -498,13 +489,17 @@ spec: cpu: 100m memory: 90Mi securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true runAsUser: 101 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert @@ -527,7 +522,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -538,7 +533,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create spec: containers: @@ -552,18 +547,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: create securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: batch/v1 @@ -574,7 +573,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -585,7 +584,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch spec: containers: @@ -601,18 +600,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: patch securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 @@ -623,7 +626,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: nginx spec: controller: k8s.io/ingress-nginx @@ -636,7 +639,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 73ec24286..7f6019fbb 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" http-snippet: | server { listen 2443; @@ -350,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -368,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -401,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -424,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -435,12 +420,18 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 spec: containers: - args: @@ -464,7 +455,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -510,13 +501,17 @@ spec: cpu: 100m memory: 90Mi securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true runAsUser: 101 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert @@ -539,7 +534,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -550,7 +545,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create spec: containers: @@ -564,18 +559,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: create securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: batch/v1 @@ -586,7 +585,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -597,7 +596,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch spec: containers: @@ -613,18 +612,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: patch securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 @@ -635,7 +638,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: nginx spec: controller: k8s.io/ingress-nginx @@ -648,7 +651,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index 9e6e905bb..af484aa73 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -387,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -410,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -421,12 +406,18 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 spec: containers: - args: @@ -449,7 +440,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -492,13 +483,17 @@ spec: cpu: 100m memory: 90Mi securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true runAsUser: 101 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert @@ -521,7 +516,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -532,7 +527,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create spec: containers: @@ -546,18 +541,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: create securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: batch/v1 @@ -568,7 +567,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -579,7 +578,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch spec: containers: @@ -595,18 +594,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: patch securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 @@ -617,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: nginx spec: controller: k8s.io/ingress-nginx @@ -630,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index dd986a55d..8ac9dedaf 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -388,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -411,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,12 +407,18 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 spec: containers: - args: @@ -451,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -494,13 +485,17 @@ spec: cpu: 100m memory: 90Mi securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true runAsUser: 101 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert @@ -523,7 +518,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,7 +529,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create spec: containers: @@ -548,18 +543,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: create securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: batch/v1 @@ -570,7 +569,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -581,7 +580,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch spec: containers: @@ -597,18 +596,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: patch securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 @@ -619,7 +622,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: nginx spec: controller: k8s.io/ingress-nginx @@ -632,7 +635,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 64e0366b4..7a49f28d0 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" use-proxy-protocol: "true" kind: ConfigMap metadata: @@ -344,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -358,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -391,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -414,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -425,12 +410,18 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 spec: containers: - args: @@ -454,7 +445,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -497,13 +488,17 @@ spec: cpu: 100m memory: 90Mi securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true runAsUser: 101 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert @@ -526,7 +521,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +532,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create spec: containers: @@ -551,18 +546,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: create securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: batch/v1 @@ -573,7 +572,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +583,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch spec: containers: @@ -600,18 +599,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: patch securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 @@ -622,7 +625,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +638,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index d6a40aed9..cf02501a4 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -364,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -397,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -420,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -437,6 +422,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 spec: containers: - args: @@ -460,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -503,13 +490,17 @@ spec: cpu: 100m memory: 90Mi securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true runAsUser: 101 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert @@ -523,6 +514,10 @@ spec: - name: webhook-cert secret: secretName: ingress-nginx-admission + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate --- apiVersion: batch/v1 kind: Job @@ -532,7 +527,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -543,7 +538,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create spec: containers: @@ -557,18 +552,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: create securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: batch/v1 @@ -579,7 +578,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -590,7 +589,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch spec: containers: @@ -606,18 +605,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: patch securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 @@ -628,7 +631,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: nginx spec: controller: k8s.io/ingress-nginx @@ -641,7 +644,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index 62ead9e34..d27f83d9d 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -343,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -355,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -387,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -410,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -431,6 +416,8 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 spec: containers: - args: @@ -455,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -500,13 +487,17 @@ spec: cpu: 100m memory: 90Mi securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true runAsUser: 101 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert @@ -537,7 +528,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -548,7 +539,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create spec: containers: @@ -562,18 +553,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: create securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: batch/v1 @@ -584,7 +579,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -595,7 +590,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch spec: containers: @@ -611,18 +606,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: patch securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 @@ -633,7 +632,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: nginx spec: controller: k8s.io/ingress-nginx @@ -646,7 +645,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/oracle/deploy.yaml b/deploy/static/provider/oracle/deploy.yaml new file mode 100644 index 000000000..8d2200925 --- /dev/null +++ b/deploy/static/provider/oracle/deploy.yaml @@ -0,0 +1,665 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resourceNames: + - ingress-nginx-leader + resources: + - leases + verbs: + - get + - update +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - list + - watch + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission +rules: +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: +- kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "false" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.kubernetes.io/oci-load-balancer-shape: flexible + service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100" + service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10" + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + externalTrafficPolicy: Local + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - appProtocol: http + name: http + port: 80 + protocol: TCP + targetPort: http + - appProtocol: https + name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: LoadBalancer +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + ports: + - appProtocol: https + name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + minReadySeconds: 0 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + spec: + containers: + - args: + - /nginx-ingress-controller + - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller + - --election-id=ingress-nginx-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + - containerPort: 8443 + name: webhook + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /usr/local/certificates/ + name: webhook-cert + readOnly: true + dnsPolicy: ClusterFirst + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission-create + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission-create + spec: + containers: + - args: + - create + - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc + - --namespace=$(POD_NAMESPACE) + - --secret-name=ingress-nginx-admission + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 + imagePullPolicy: IfNotPresent + name: create + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission +--- +apiVersion: batch/v1 +kind: Job +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission-patch + namespace: ingress-nginx +spec: + template: + metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission-patch + spec: + containers: + - args: + - patch + - --webhook-name=ingress-nginx-admission + - --namespace=$(POD_NAMESPACE) + - --patch-mutating=false + - --secret-name=ingress-nginx-admission + - --patch-failure-policy=Fail + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 + imagePullPolicy: IfNotPresent + name: patch + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + nodeSelector: + kubernetes.io/os: linux + restartPolicy: OnFailure + serviceAccountName: ingress-nginx-admission +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: nginx +spec: + controller: k8s.io/ingress-nginx +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/component: admission-webhook + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 + name: ingress-nginx-admission +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: ingress-nginx-controller-admission + namespace: ingress-nginx + path: /networking/v1/ingresses + failurePolicy: Fail + matchPolicy: Equivalent + name: validate.nginx.ingress.kubernetes.io + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + sideEffects: None diff --git a/deploy/static/provider/oracle/kustomization.yaml b/deploy/static/provider/oracle/kustomization.yaml new file mode 100644 index 000000000..5c1dcff96 --- /dev/null +++ b/deploy/static/provider/oracle/kustomization.yaml @@ -0,0 +1,11 @@ +# NOTE: kustomize is not supported. This file exists only to be able to reference it from bases. +# https://kubectl.docs.kubernetes.io/references/kustomize/bases/ +# +# ``` +# namespace: ingress-nginx +# bases: +# - github.com/kubernetes/ingress-nginx/tree/main/deploy/static/provider/oracle +# ``` + +resources: + - deploy.yaml diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index d52f01489..44d91e1af 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx rules: @@ -90,21 +90,6 @@ rules: - get - list - watch -- apiGroups: - - "" - resourceNames: - - ingress-nginx-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create - apiGroups: - coordination.k8s.io resourceNames: @@ -144,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -163,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx rules: - apiGroups: @@ -245,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission rules: - apiGroups: @@ -264,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -284,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -303,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -322,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -335,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" use-proxy-protocol: "true" kind: ConfigMap metadata: @@ -344,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -358,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -391,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -414,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -425,12 +410,18 @@ spec: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + strategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate template: metadata: labels: app.kubernetes.io/component: controller app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.9.6 spec: containers: - args: @@ -454,7 +445,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629 + image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -497,13 +488,17 @@ spec: cpu: 100m memory: 90Mi securityContext: - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: add: - NET_BIND_SERVICE drop: - ALL + readOnlyRootFilesystem: false + runAsNonRoot: true runAsUser: 101 + seccompProfile: + type: RuntimeDefault volumeMounts: - mountPath: /usr/local/certificates/ name: webhook-cert @@ -526,7 +521,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -537,7 +532,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-create spec: containers: @@ -551,18 +546,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: create securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: batch/v1 @@ -573,7 +572,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -584,7 +583,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission-patch spec: containers: @@ -600,18 +599,22 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f + image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20231226-1a7112e06@sha256:25d6a5f11211cc5c3f9f2bf552b585374af287b4debf693cacbe2da47daa5084 imagePullPolicy: IfNotPresent name: patch securityContext: allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault nodeSelector: kubernetes.io/os: linux restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 @@ -622,7 +625,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: nginx spec: controller: k8s.io/ingress-nginx @@ -635,7 +638,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.5.1 + app.kubernetes.io/version: 1.9.6 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/baremetal.md b/docs/deploy/baremetal.md index 7d8076147..f5ff54174 100644 --- a/docs/deploy/baremetal.md +++ b/docs/deploy/baremetal.md @@ -1,14 +1,14 @@ # Bare-metal considerations In traditional *cloud* environments, where network load balancers are available on-demand, a single Kubernetes manifest -suffices to provide a single point of contact to the NGINX Ingress controller to external clients and, indirectly, to +suffices to provide a single point of contact to the Ingress-Nginx Controller to external clients and, indirectly, to any application running inside the cluster. *Bare-metal* environments lack this commodity, requiring a slightly different setup to offer the same kind of access to external consumers. ![Cloud environment](../images/baremetal/cloud_overview.jpg) ![Bare-metal environment](../images/baremetal/baremetal_overview.jpg) -The rest of this document describes a few recommended approaches to deploying the NGINX Ingress controller inside a +The rest of this document describes a few recommended approaches to deploying the Ingress-Nginx Controller inside a Kubernetes cluster running on bare-metal. ## A pure software solution: MetalLB @@ -30,7 +30,7 @@ the traffic for the `ingress-nginx` Service IP. See [Traffic policies][metallb-t yourself by reading the official documentation thoroughly. MetalLB can be deployed either with a simple Kubernetes manifest or with Helm. The rest of this example assumes MetalLB -was deployed following the [Installation][metallb-install] instructions, and that the NGINX Ingress controller was installed +was deployed following the [Installation][metallb-install] instructions, and that the Ingress-Nginx Controller was installed using the steps described in the [quickstart section of the installation guide][install-quickstart]. MetalLB requires a pool of IP addresses in order to be able to take ownership of the `ingress-nginx` Service. This pool @@ -164,7 +164,7 @@ field of the `ingress-nginx` Service spec to `Local` ([example][preserve-ip]). !!! warning This setting effectively **drops packets** sent to Kubernetes nodes which are not running any instance of the NGINX Ingress controller. Consider [assigning NGINX Pods to specific nodes][pod-assign] in order to control on what nodes - the NGINX Ingress controller should be scheduled or not scheduled. + the Ingress-Nginx Controller should be scheduled or not scheduled. !!! example In a Kubernetes cluster composed of 3 nodes (the external IP is added as an example, in most bare-metal environments @@ -193,7 +193,7 @@ field of the `ingress-nginx` Service spec to `Local` ([example][preserve-ip]). * **Ingress status** -Because NodePort Services do not get a LoadBalancerIP assigned by definition, the NGINX Ingress controller **does not +Because NodePort Services do not get a LoadBalancerIP assigned by definition, the Ingress-Nginx Controller **does not update the status of Ingress objects it manages**. ```console @@ -202,12 +202,12 @@ NAME HOSTS ADDRESS PORTS test-ingress myapp.example.com 80 ``` -Despite the fact there is no load balancer providing a public IP address to the NGINX Ingress controller, it is possible +Despite the fact there is no load balancer providing a public IP address to the Ingress-Nginx Controller, it is possible to force the status update of all managed Ingress objects by setting the `externalIPs` field of the `ingress-nginx` Service. !!! warning - There is more to setting `externalIPs` than just enabling the NGINX Ingress controller to update the status of + There is more to setting `externalIPs` than just enabling the Ingress-Nginx Controller to update the status of Ingress objects. Please read about this option in the [Services][external-ips] page of official Kubernetes documentation as well as the section about [External IPs](#external-ips) in this document for more information. @@ -268,11 +268,11 @@ for generating redirect URLs that take into account the URL used by external cli In a setup where there is no external load balancer available but using NodePorts is not an option, one can configure `ingress-nginx` Pods to use the network of the host they run on instead of a dedicated network namespace. The benefit of -this approach is that the NGINX Ingress controller can bind ports 80 and 443 directly to Kubernetes nodes' network +this approach is that the Ingress-Nginx Controller can bind ports 80 and 443 directly to Kubernetes nodes' network interfaces, without the extra network translation imposed by NodePort Services. !!! note - This approach does not leverage any Service object to expose the NGINX Ingress controller. If the `ingress-nginx` + This approach does not leverage any Service object to expose the Ingress-Nginx Controller. If the `ingress-nginx` Service exists in the target cluster, it is **recommended to delete it**. This can be achieved by enabling the `hostNetwork` option in the Pods' spec. @@ -284,7 +284,7 @@ template: ``` !!! danger "Security considerations" - Enabling this option **exposes every system daemon to the NGINX Ingress controller** on any network interface, + Enabling this option **exposes every system daemon to the Ingress-Nginx Controller** on any network interface, including the host's loopback. Please evaluate the impact this may have on the security of your system carefully. !!! example @@ -299,7 +299,7 @@ template: ingress-nginx-controller-5b4cf5fc6-lzrls 1/1 Running 203.0.113.2 host-2 ``` -One major limitation of this deployment approach is that only **a single NGINX Ingress controller Pod** may be scheduled +One major limitation of this deployment approach is that only **a single Ingress-Nginx Controller Pod** may be scheduled on each cluster node, because binding the same port multiple times on the same network interface is technically impossible. Pods that are unschedulable due to such situation fail with the following event: @@ -312,7 +312,7 @@ Events: Warning FailedScheduling default-scheduler 0/3 nodes are available: 3 node(s) didn't have free ports for the requested pod ports. ``` -One way to ensure only schedulable Pods are created is to deploy the NGINX Ingress controller as a *DaemonSet* instead +One way to ensure only schedulable Pods are created is to deploy the Ingress-Nginx Controller as a *DaemonSet* instead of a traditional Deployment. !!! info @@ -334,7 +334,7 @@ expected to resolve internal names for any reason. * **Ingress status** -Because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default +Because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default `--publish-service` flag used in standard cloud setups **does not apply** and the status of all Ingress objects remains blank. @@ -346,7 +346,7 @@ test-ingress myapp.example.com 80 Instead, and because bare-metal nodes usually don't have an ExternalIP, one has to enable the [`--report-node-internal-ip-address`][cli-args] flag, which sets the status of all Ingress objects to the internal IP -address of all nodes running the NGINX Ingress controller. +address of all nodes running the Ingress-Nginx Controller. !!! example Given a `ingress-nginx-controller` DaemonSet composed of 2 replicas diff --git a/docs/deploy/hardening-guide.md b/docs/deploy/hardening-guide.md index d428bc3aa..cfbdb1466 100644 --- a/docs/deploy/hardening-guide.md +++ b/docs/deploy/hardening-guide.md @@ -94,7 +94,7 @@ This guide refers to chapters in the CIS Benchmark. For full explanation you sho | __5 Request Filtering and Restrictions__||| | | ||| | | __5.1 Access Control__||| | -| 5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored)| OK/ACTION NEEDED | Depends on use case, geo ip module is compiled into nginx ingress controller, there are several ways to use it | If needed set IP restrictions via annotations or work with config snippets (be careful with lets-encrypt-http-challenge!) | +| 5.1.1 Ensure allow and deny filters limit access to specific IP addresses (Not Scored)| OK/ACTION NEEDED | Depends on use case, geo ip module is compiled into Ingress-Nginx Controller, there are several ways to use it | If needed set IP restrictions via annotations or work with config snippets (be careful with lets-encrypt-http-challenge!) | | 5.1.2 Ensure only whitelisted HTTP methods are allowed (Not Scored) | OK/ACTION NEEDED | Depends on use case| If required it can be set via config snippet| | ||| | | __5.2 Request Limits__||| | diff --git a/docs/deploy/index.md b/docs/deploy/index.md index 29495b5c0..ae28c2502 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -1,6 +1,6 @@ # Installation Guide -There are multiple ways to install the NGINX ingress controller: +There are multiple ways to install the Ingress-Nginx Controller: - with [Helm](https://helm.sh), using the project repository chart; - with `kubectl apply`, using YAML manifests; @@ -59,10 +59,16 @@ It will install the controller in the `ingress-nginx` namespace, creating that n - if the ingress controller is not installed, it will install it, - if the ingress controller is already installed, it will upgrade it. +**If you want a full list of values that you can set, while installing with Helm,** then run: + +```console +helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx +``` + **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -70,10 +76,15 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont resources as if you had used Helm to install the controller. !!! attention - If you are running an old version of Kubernetes (1.18 or earlier), please read - [this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions. - Because of api deprecations, the default manifest may not work on your cluster. - Specific manifests for supported Kubernetes versions are available within a sub-folder of each provider. + If you are running an old version of Kubernetes (1.18 or earlier), please read [this paragraph](#running-on-Kubernetes-versions-older-than-1.19) for specific instructions. + Because of api deprecations, the default manifest may not work on your cluster. + Specific manifests for supported Kubernetes versions are available within a sub-folder of each provider. + +### Firewall configuration + +To check which ports are used by your installation of ingress-nginx, look at the output of `kubectl -n ingress-nginx get pod -o yaml`. In general, you need: +- Port 8443 open between all hosts on which the kubernetes nodes are running. This is used for the ingress-nginx [admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). +- Port 80 (for HTTP) and/or 443 (for HTTPS) open to the public on the kubernetes nodes to which the DNS of your apps are pointing. ### Pre-flight check @@ -93,6 +104,7 @@ kubectl wait --namespace ingress-nginx \ --timeout=120s ``` + ### Local testing Let's create a simple web server and the associated service: @@ -115,7 +127,19 @@ Now, forward a local port to the ingress controller: kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8080:80 ``` -At this point, if you access http://demo.localdev.me:8080/, you should see an HTML page telling you "It works!". +!!! info + A note on DNS & network-connection. + This documentation assumes that a user has awareness of the DNS and the network routing aspects involved in using ingress. + The port-forwarding mentioned above, is the easiest way to demo the working of ingress. The "kubectl port-forward..." command above has forwarded the port number 8080, on the localhost's tcp/ip stack, where the command was typed, to the port number 80, of the service created by the installation of ingress-nginx controller. So now, the traffic sent to port number 8080 on localhost will reach the port number 80, of the ingress-controller's service. + Port-forwarding is not for a production environment use-case. But here we use port-forwarding, to simulate a HTTP request, originating from outside the cluster, to reach the service of the ingress-nginx controller, that is exposed to receive traffic from outside the cluster. + [This issue](https://github.com/kubernetes/ingress-nginx/issues/10014#issuecomment-1567791549described) shows a typical DNS problem and its solution. + +At this point, you can access your deployment using curl ; +```console +curl --resolve demo.localdev.me:8080:127.0.0.1 http://demo.localdev.me:8080 +``` + +You should see a HTML response containing text like **"It works!"**. ### Online testing @@ -192,9 +216,9 @@ doesn't work, you might have to fall back to the `kubectl port-forward` method d Rancher Desktop provides Kubernetes and Container Management on the desktop. Kubernetes is enabled by default in Rancher Desktop. -Rancher Desktop uses K3s under the hood, which in turn uses Traefik as the default ingress controller for the Kubernetes cluster. To use NGINX ingress controller in place of the default Traefik, disable Traefik from Preference > Kubernetes menu. +Rancher Desktop uses K3s under the hood, which in turn uses Traefik as the default ingress controller for the Kubernetes cluster. To use Ingress-Nginx Controller in place of the default Traefik, disable Traefik from Preference > Kubernetes menu. -Once traefik is disabled, the NGINX ingress controller can be installed on Rancher Desktop using the default [quick start](#quick-start) instructions. Follow the instructions described in the [local testing section](#local-testing) to try a sample. +Once traefik is disabled, the Ingress-Nginx Controller can be installed on Rancher Desktop using the default [quick start](#quick-start) instructions. Follow the instructions described in the [local testing section](#local-testing) to try a sample. ### Cloud deployments @@ -214,7 +238,7 @@ options of various cloud providers. #### AWS -In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress controller behind a Service of `Type=LoadBalancer`. +In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Controller behind a Service of `Type=LoadBalancer`. !!! info The provided templates illustrate the setup for legacy in-tree service load balancer for AWS NLB. @@ -225,7 +249,7 @@ In AWS, we use a Network load balancer (NLB) to expose the NGINX Ingress control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -233,10 +257,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -282,7 +306,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -299,7 +323,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -307,7 +331,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -315,7 +339,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -330,7 +354,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` A @@ -357,7 +381,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), @@ -419,14 +443,14 @@ Here is how these Ingress versions are supported in Kubernetes: - from Kubernetes 1.19 to 1.21, both `v1beta1` and `v1` Ingress resources are supported - in Kubernetes 1.22 and above, only `v1` Ingress resources are supported -And here is how these Ingress versions are supported in NGINX Ingress Controller: +And here is how these Ingress versions are supported in Ingress-Nginx Controller: - before version 1.0, only `v1beta1` Ingress resources are supported - in version 1.0 and above, only `v1` Ingress resources are As a result, if you're running Kubernetes 1.19 or later, you should be able to use the latest version of the NGINX Ingress Controller; but if you're using an old version of Kubernetes (1.18 or earlier) you will have to use version 0.X -of the NGINX Ingress Controller (e.g. version 0.49). +of the Ingress-Nginx Controller (e.g. version 0.49). -The Helm chart of the NGINX Ingress Controller switched to version 1 in version 4 of the chart. In other words, if +The Helm chart of the Ingress-Nginx Controller switched to version 1 in version 4 of the chart. In other words, if you're running Kubernetes 1.19 or earlier, you should use version 3.X of the chart (this can be done by adding -`--version='<4'` to the `helm install` command). +`--version='<4'` to the `helm install` command ). diff --git a/docs/deploy/rbac.md b/docs/deploy/rbac.md index 8c36d19a7..70af8ba92 100644 --- a/docs/deploy/rbac.md +++ b/docs/deploy/rbac.md @@ -29,39 +29,38 @@ namespace specific permissions defined by the `Role` named `ingress-nginx`. These permissions are granted in order for the ingress-nginx-controller to be able to function as an ingress across the cluster. These permissions are -granted to the ClusterRole named `ingress-nginx` +granted to the `ClusterRole` named `ingress-nginx` * `configmaps`, `endpoints`, `nodes`, `pods`, `secrets`: list, watch * `nodes`: get -* `services`, `ingresses`: get, list, watch +* `services`, `ingresses`, `ingressclasses`, `endpointslices`: get, list, watch * `events`: create, patch * `ingresses/status`: update +* `leases`: list, watch ### Namespace Permissions These permissions are granted specific to the ingress-nginx namespace. These -permissions are granted to the Role named `ingress-nginx` +permissions are granted to the `Role` named `ingress-nginx` * `configmaps`, `pods`, `secrets`: get * `endpoints`: get Furthermore to support leader-election, the ingress-nginx-controller needs to -have access to a `configmap` using the resourceName `ingress-controller-leader-nginx` +have access to a `leases` using the resourceName `ingress-nginx-leader` > Note that resourceNames can NOT be used to limit requests using the “create” > verb because authorizers only have access to information that can be obtained > from the request URL, method, and headers (resource names in a “create” request > are part of the request body). -* `configmaps`: get, update (for resourceName `ingress-controller-leader-nginx`) -* `configmaps`: create +* `leases`: get, update (for resourceName `ingress-controller-leader`) +* `leases`: create -This resourceName is the concatenation of the `election-id` and the -`ingress-class` as defined by the ingress-controller, which defaults to: +This resourceName is the `election-id` defined by the ingress-controller, which defaults to: * `election-id`: `ingress-controller-leader` -* `ingress-class`: `nginx` -* `resourceName` : `-` +* `resourceName` : `` Please adapt accordingly if you overwrite either parameter when launching the ingress-nginx-controller. diff --git a/docs/developer-guide/code-overview.md b/docs/developer-guide/code-overview.md index c55fb69f9..8e872211d 100644 --- a/docs/developer-guide/code-overview.md +++ b/docs/developer-guide/code-overview.md @@ -53,7 +53,7 @@ This code can be found in [internal/file](https://github.com/kubernetes/ingress- #### Ingress functions -Contains all the logics from NGINX Ingress Controller, with some examples being: +Contains all the logics from Ingress-Nginx Controller, with some examples being: * Expected Golang structures that will be used in templates and other parts of the code - [internal/ingress/types.go](https://github.com/kubernetes/ingress-nginx/blob/main/internal/ingress/types.go). * supported annotations and its parsing logics - [internal/ingress/annotations](https://github.com/kubernetes/ingress-nginx/tree/main/internal/ingress/annotations). @@ -104,7 +104,7 @@ Describe here `kubectl plugin`, `dbg`, `waitshutdown` and cover the hack scripts ### kubectl plugin -It containes kubectl plugin for inspecting your ingress-nginx deployments. +It contains kubectl plugin for inspecting your ingress-nginx deployments. This part of code can be found in [cmd/plugin](https://github.com/kubernetes/ingress-nginx/tree/main/cmd/plugin) directory Detail functions flow and available flow can be found in [kubectl-plugin](https://github.com/kubernetes/ingress-nginx/blob/main/docs/kubectl-plugin.md) diff --git a/docs/developer-guide/getting-started.md b/docs/developer-guide/getting-started.md index 9f4be8fcc..4b7ed46f0 100644 --- a/docs/developer-guide/getting-started.md +++ b/docs/developer-guide/getting-started.md @@ -1,6 +1,6 @@ - Developing for NGINX Ingress Controller + Developing for Ingress-Nginx Controller -This document explains how to get started with developing for NGINX Ingress controller. +This document explains how to get started with developing for Ingress-Nginx Controller. For the really new contributors, who want to contribute to the INGRESS-NGINX project, but need help with understanding some basic concepts, that are needed to work with the Kubernetes ingress resource, here is a link to the [New Contributors Guide](https://github.com/kubernetes/ingress-nginx/blob/main/NEW_CONTRIBUTOR.md). diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index d5aa6cc16..bbcdadfc6 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -6,314 +6,554 @@ Do not try to edit it manually. # e2e test suite for [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx/tree/main/) - -### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L37) - -- [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L46) -- [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L70) - -### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L34) - -- [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L85) -- [should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L102) -- [should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L126) -- [should still return status code 200 after auth backend is deleted using cache](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L155) -- [should proxy_method method when global-auth-method is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L197) -- [should add custom error page when global-auth-signin url is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L210) -- [should add auth headers when global-auth-response-headers is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L223) -- [should set request-redirect when global-auth-request-redirect is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L237) -- [should set snippet when global external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L250) -- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L326) -- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L337) -- [user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L348) - -### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L40) - -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L43) - -### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28) - -- [should disable the log-format-escape-json by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40) -- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L47) -- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L55) -- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L66) -- [log-format-escape-json disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L89) - -### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L29) - -- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L38) -- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L50) - -### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L28) - -- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36) -- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52) - -### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L28) - -- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) - -### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) - -- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) -- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) -- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) -- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) - -### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L28) - -- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L35) - -### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L28) - -- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L35) -- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L92) - -### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L33) - -- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L50) -- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L69) -- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L81) -- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L123) - -### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) - -- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) -- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) - -### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L28) - -- [should set keepalive_timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L40) -- [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L48) -- [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L59) -- [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L68) -- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L77) - -### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L27) - -- [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L31) -- [should be enabled when set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L39) -- [should be disabled when set to false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L49) - -### [[Flag] watch namespace selector](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L30) - -- [should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L70) - -### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L34) - -- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L51) - -### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L48) - -- [should not exists opentracing directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L58) -- [should exists opentracing directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L71) -- [should include opentracing_trust_incoming_span off directive when disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L85) -- [should not exists opentracing_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L100) -- [should exists opentracing_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L115) -- [should not exists opentracing_location_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L130) -- [should exists opentracing_location_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L145) -- [should enable opentracing using zipkin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L160) -- [should enable opentracing using jaeger](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L172) -- [should enable opentracing using jaeger with sampler host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L184) -- [should propagate the w3c header when configured with jaeger](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L197) -- [should enable opentracing using jaeger with an HTTP endpoint](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L228) -- [should enable opentracing using datadog](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L241) - -### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) - -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) - -### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28) - -- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36) - -### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L26) - -- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L31) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L41) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L53) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L66) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L79) - -### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L28) - -- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L31) -- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L38) - -### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L39) - -- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L68) -- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L104) -- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L132) -- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L164) -- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L192) -- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L257) -- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L323) -- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L413) -- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L482) -- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L539) -- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L631) -- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L652) - -### [reuse-port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L27) - -- [reuse port should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L38) -- [reuse port should be disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L44) -- [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L52) - -### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L28) - -- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L36) -- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L52) - -### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L33) - -- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L64) -- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L80) - -### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) - -- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L39) - -### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L36) - -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L39) - -### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) - -- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) -- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) - -### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L28) - -- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L38) -- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55) -- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88) - -### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L30) - -- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38) - -### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L28) - -- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L31) - -### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L27) - -- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) - -### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L26) - -- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L29) - -### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L29) - -- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L36) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L67) -- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L102) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L133) - -### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L31) - -- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L65) -- [enforcing TLS v1.0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L87) -- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L133) -- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L149) -- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L168) -- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L188) -- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L209) -- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L227) - -### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) - -- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) - -### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) - -- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) - -### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L34) - -- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L41) - -### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28) - -- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36) -- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L52) - -### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28) - -- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36) - -### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27) - -- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40) -- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L48) -- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L60) -- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L68) -- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L80) -- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L88) -- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L100) - -### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) - -- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) -- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) -- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) - -### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L32) - -- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L48) -- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L70) -- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L100) - -### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L30) - -- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L40) -- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L92) - -### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) - -- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) -- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L65) - -### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L31) - -- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L39) - -### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L31) - -- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L42) - -### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L28) - -- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L35) - -### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L29) - -- [should redirect from HTTP to HTTPS when secret is missing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L36) - -### [[SSL] secret update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L33) - -- [should not appear references to secret updates not used in ingress rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L40) -- [should return the fake SSL certificate if the secret is invalid](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L82) - -### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L58) - -- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L61) -- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L94) -- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L128) -- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L152) -- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L183) -- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L216) -- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L247) -- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L310) - -### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) - -- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) - -### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L33) - -- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) -- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) +### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L39) +- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L47) +- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L74) +- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L91) +- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L112) +- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L129) +- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L149) +- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L163) +- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L177) +- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L211) +- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L227) +- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L243) +- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L263) +### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L43) +- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L50) +- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L72) +- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L107) +- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L129) +- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L202) +- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L234) +- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L257) +- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L279) +- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L303) +- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L329) +- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L361) +- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L381) +- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L421) +- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L444) +- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L467) +### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinitymode.go#L33) +- [Balanced affinity mode should balance](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinitymode.go#L36) +- [Check persistent affinity mode](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinitymode.go#L69) +### [server-alias](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/alias.go#L31) +- [should return status code 200 for host 'foo' and 404 for 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/alias.go#L38) +- [should return status code 200 for host 'foo' and 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/alias.go#L64) +- [should return status code 200 for hosts defined in two ingresses, different path with one alias](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/alias.go#L89) +### [app-root](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/approot.go#L28) +- [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/approot.go#L35) +### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L45) +- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L52) +- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L71) +- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L95) +- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L122) +- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L150) +- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L178) +- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L205) +- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L233) +- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L272) +- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L298) +- [proxy_set_header 'My-Custom-Header' '42';](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L324) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L433) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L444) +- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L455) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L494) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L503) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L514) +- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L538) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L714) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L723) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L734) +- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L793) +- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L813) +- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L841) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L870) +- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L900) +- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L908) +### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L31) +- [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L38) +- [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L86) +- [should 302 redirect to error page instead of 400 when auth-tls-error-page is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L116) +- [should pass URL-encoded certificate to upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L163) +- [should validate auth-tls-verify-client](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L208) +- [should return 403 using auth-tls-match-cn with no matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L267) +- [should return 200 using auth-tls-match-cn with matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L296) +- [should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L325) +### [backend-protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L29) +- [should set backend protocol to https:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L36) +- [should set backend protocol to https:// and use proxy_pass with lowercase annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L51) +- [should set backend protocol to $scheme:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L66) +- [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L81) +- [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L96) +- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L111) +### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L36) +- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L45) +- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L89) +- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L120) +- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L174) +- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L232) +- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L289) +- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L363) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L445) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L513) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L594) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L647) +- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L692) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L741) +- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L790) +- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L862) +- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L910) +- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L952) +- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L995) +- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1031) +- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1070) +- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1104) +- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1138) +- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1175) +- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1242) +- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1310) +### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L30) +- [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L37) +- [should set client_body_buffer_size to 1K](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L59) +- [should set client_body_buffer_size to 1k](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L81) +- [should set client_body_buffer_size to 1m](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L103) +- [should set client_body_buffer_size to 1M](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L125) +- [should not set client_body_buffer_size to invalid 1b](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L147) +### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/connection.go#L28) +- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/connection.go#L35) +### [cors-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L33) +- [should enable cors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L40) +- [should set cors methods to only allow POST, GET](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L67) +- [should set cors max-age](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L83) +- [should disable cors allow credentials](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L99) +- [should allow origin for cors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L115) +- [should allow headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L142) +- [should expose headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L158) +- [should allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L174) +- [should not allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L201) +- [should allow correct origins - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L221) +- [should not break functionality](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L272) +- [should not break functionality - without `*`](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L296) +- [should not break functionality with extra domain](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L319) +- [should not match](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L343) +- [should allow - single origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L363) +- [should not allow - single origin with port and origin without port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L391) +- [should not allow - single origin without port and origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L410) +- [should allow - matching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L430) +- [should not allow - unmatching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L473) +- [should allow - matching origin+port with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L493) +- [should not allow - portless origin with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L520) +- [should allow correct origins - missing subdomain + origin with wildcard origin and correct origin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L540) +- [should allow - missing origins (should allow all origins)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L576) +### [custom-http-errors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customhttperrors.go#L34) +- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customhttperrors.go#L41) +### [default-backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/default_backend.go#L29) +- [should use a custom default backend as upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/default_backend.go#L37) +### [disable-access-log disable-http-access-log disable-stream-access-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/disableaccesslog.go#L28) +- [disable-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/disableaccesslog.go#L35) +- [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/disableaccesslog.go#L53) +- [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/disableaccesslog.go#L71) +### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L30) +- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L37) +- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L54) +- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L71) +- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L102) +### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/forcesslredirect.go#L27) +- [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/forcesslredirect.go#L34) +### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L31) +- [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L38) +- [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L64) +### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L30) +- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L38) +### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L40) +- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L43) +- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L68) +- [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L129) +- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L190) +### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/http2pushpreload.go#L27) +- [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/http2pushpreload.go#L34) +### [allowlist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipallowlist.go#L27) +- [should set valid ip allowlist range](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipallowlist.go#L34) +### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipdenylist.go#L28) +- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipdenylist.go#L35) +- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipdenylist.go#L86) +### [Annotation - limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/limitconnections.go#L31) +- [should limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/limitconnections.go#L38) +### [limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/limitrate.go#L29) +- [Check limit-rate annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/limitrate.go#L37) +### [enable-access-log enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/log.go#L27) +- [set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/log.go#L34) +- [set rewrite_log on](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/log.go#L49) +### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/mirror.go#L28) +- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/mirror.go#L36) +- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/mirror.go#L51) +- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/mirror.go#L67) +### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L39) +- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L46) +- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L64) +- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L85) +- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L102) +- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L130) +- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L153) +- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L175) +- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L214) +- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L253) +- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L292) +- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L338) +- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L380) +### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/preservetrailingslash.go#L27) +- [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/preservetrailingslash.go#L34) +### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L30) +- [should set proxy_redirect to off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L38) +- [should set proxy_redirect to default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L54) +- [should set proxy_redirect to hello.com goodbye.com](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L70) +- [should set proxy client-max-body-size to 8m](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L87) +- [should not set proxy client-max-body-size to incorrect value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L102) +- [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L117) +- [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L138) +- [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L159) +- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L181) +- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L196) +- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L217) +- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L235) +### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L32) +- [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L39) +- [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L66) +- [should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L96) +- [should set valid proxy-ssl-secret, proxy-ssl-protocols](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L124) +- [proxy-ssl-location-only flag should change the nginx config server part](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L152) +### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L30) +- [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L33) +- [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L61) +### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L32) +- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L39) +- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L68) +- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L113) +- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L160) +- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L192) +### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/satisfy.go#L33) +- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/satisfy.go#L40) +- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/satisfy.go#L82) +### [server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serversnippet.go#L28) +### [service-upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L32) +- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L41) +- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L69) +- [should not use the Service Cluster IP and Port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L97) +### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L28) +- [set snippet more_set_headers in all locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L34) +- [drops snippet more_set_header in all locations if disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L73) +### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L28) +- [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L35) +- [should keep ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L58) +### [stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L34) +- [should add value of stream-snippet to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L41) +- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L94) +### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L79) +- [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L86) +- [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L95) +### [upstream-vhost](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamvhost.go#L27) +- [set host to upstreamvhost.bar.com](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamvhost.go#L34) +### [x-forwarded-prefix](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/xforwardedprefix.go#L28) +- [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/xforwardedprefix.go#L35) +- [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/xforwardedprefix.go#L57) +### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L29) +- [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L37) +- [should get information for a specific backend server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L56) +- [should produce valid JSON for /dbg general](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L85) +### [[Default Backend] custom service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/custom_default_backend.go#L33) +- [uses custom default backend that returns 200 as status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/custom_default_backend.go#L36) +### [[Default Backend]](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L30) +- [should return 404 sending requests when only a default backend is running](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L33) +- [enables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L88) +- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L105) +### [[Default Backend] SSL](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/ssl.go#L26) +- [should return a self generated SSL certificate](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/ssl.go#L29) +### [[Default Backend] change default settings](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/with_hosts.go#L30) +- [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/with_hosts.go#L38) +### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/endpointslices/longname.go#L29) +- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/endpointslices/longname.go#L38) +### [[TopologyHints] topology aware routing](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/endpointslices/topology.go#L34) +- [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/endpointslices/topology.go#L42) +### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/grace_period.go#L32) +- [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/grace_period.go#L35) +### [[Shutdown] ingress controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/shutdown.go#L30) +- [should shutdown in less than 60 secons without pending connections](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/shutdown.go#L40) +### [[Shutdown] Graceful shutdown with pending request](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/slow_requests.go#L25) +- [should let slow requests finish before shutting down](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/slow_requests.go#L33) +### [[Ingress] DeepInspection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/deep_inspection.go#L27) +- [should drop whole ingress if one path matches invalid regex](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/deep_inspection.go#L34) +### [single ingress - multiple hosts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/multiple_rules.go#L30) +- [should set the correct $service_name NGINX variable](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/multiple_rules.go#L38) +### [[Ingress] [PathType] exact](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_exact.go#L30) +- [should choose exact location for /exact](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_exact.go#L37) +### [[Ingress] [PathType] mix Exact and Prefix paths](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_mixed.go#L30) +- [should choose the correct location](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_mixed.go#L39) +### [[Ingress] [PathType] prefix checks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_prefix.go#L28) +- [should return 404 when prefix /aaa does not match request /aaaccc](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_prefix.go#L35) +### [[Ingress] definition without host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/without_host.go#L31) +- [should set ingress details variables for ingresses without a host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/without_host.go#L34) +- [should set ingress details variables for ingresses with host without IngressRuleValue, only Backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/without_host.go#L55) +### [[Memory Leak] Dynamic Certificates](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/leaks/lua_ssl.go#L35) +- [should not leak memory from ingress SSL certificates or configuration updates](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/leaks/lua_ssl.go#L42) +### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/configmap.go#L30) +- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/configmap.go#L37) +### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/ewma.go#L31) +- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/ewma.go#L43) +### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/round_robin.go#L31) +- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/round_robin.go#L39) +### [[Lua] dynamic certificates](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L37) +- [picks up the certificate when we add TLS spec to existing ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L45) +- [picks up the previously missing secret for a given ingress without reloading](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L70) +- [supports requests with domain with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L145) +- [picks up the updated certificate without reloading](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L149) +- [falls back to using default certificate when secret gets deleted without reloading](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L185) +- [picks up a non-certificate only change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L218) +- [removes HTTPS configuration when we delete TLS spec](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L233) +### [[Lua] dynamic configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L41) +- [configures balancer Lua middleware correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L49) +- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L61) +- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L86) +- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L124) +- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L170) +### [[metrics] exported prometheus metrics](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L36) +- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L50) +- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L72) +### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L99) +- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L102) +- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L114) +- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L121) +### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/security/request_smuggling.go#L32) +- [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/security/request_smuggling.go#L39) +### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_backend.go#L34) +- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_backend.go#L37) +- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_backend.go#L55) +### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L38) +- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L41) +- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L78) +- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L118) +- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L148) +- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L184) +- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L225) +- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L261) +- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L344) +### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_nil_backend.go#L31) +- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_nil_backend.go#L38) +### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L27) +- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L31) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L41) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L52) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L64) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L76) +### [aio-write](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L27) +- [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L30) +- [should be enabled when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L37) +- [should be disabled when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L46) +### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L29) +- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L36) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L75) +- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L119) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L157) +### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/brotli.go#L30) +- [should only compress responses that meet the `brotli-min-length` condition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/brotli.go#L38) +### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/configmap_change.go#L29) +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/configmap_change.go#L36) +### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/custom_header.go#L30) +- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/custom_header.go#L40) +- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/custom_header.go#L65) +### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/default_ssl_certificate.go#L35) +- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/default_ssl_certificate.go#L66) +- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/default_ssl_certificate.go#L82) +### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L33) +- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L50) +- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L69) +- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L81) +- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L123) +### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_service_external_name.go#L35) +- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_service_external_name.go#L55) +### [[Flag] disable-sync-events](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_sync_events.go#L32) +- [should create sync events (default)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_sync_events.go#L35) +- [should create sync events](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_sync_events.go#L55) +- [should not create sync events](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_sync_events.go#L83) +### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L30) +- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L40) +- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L79) +### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L31) +- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L41) +- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L93) +### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L36) +- [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L45) +- [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L69) +### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L28) +- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L38) +- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L55) +- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L88) +### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L39) +- [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L91) +- [should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L107) +- [should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L130) +- [should still return status code 200 after auth backend is deleted using cache](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L158) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L322) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L333) +- [user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L344) +### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L28) +- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L31) +- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L37) +### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L30) +- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L38) +### [gzip](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L29) +- [should be disabled by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L32) +- [should be enabled with default settings](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L39) +- [should set gzip_comp_level to 4](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L56) +- [should set gzip_disable to msie6](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L67) +- [should set gzip_min_length to 100](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L78) +- [should set gzip_types to application/javascript](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L89) +### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L27) +- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L39) +- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L47) +- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L57) +- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L65) +- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L75) +- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L83) +- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L93) +### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L41) +- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L70) +- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L106) +- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L134) +- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L166) +- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L194) +- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L259) +- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L325) +- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L414) +- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L482) +- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L538) +- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L628) +- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L648) +### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L28) +- [should set keepalive_timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L40) +- [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L48) +- [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L58) +- [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L68) +- [should set keepalive time to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L78) +- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L88) +### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/limit_rate.go#L28) +- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/limit_rate.go#L36) +### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/listen_nondefault_ports.go#L30) +- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/listen_nondefault_ports.go#L45) +- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/listen_nondefault_ports.go#L65) +- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/listen_nondefault_ports.go#L93) +### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L28) +- [should not configure log-format escape by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L39) +- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L46) +- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L54) +- [should enable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L62) +- [should disable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L70) +- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L80) +- [log-format default escape](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L103) +- [log-format-escape-none enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L126) +### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/lua_shared_dicts.go#L26) +- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/lua_shared_dicts.go#L29) +### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/main_snippet.go#L27) +- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/main_snippet.go#L31) +### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) +- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) +### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/multi_accept.go#L27) +- [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/multi_accept.go#L31) +- [should be enabled when set to true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/multi_accept.go#L39) +- [should be disabled when set to false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/multi_accept.go#L49) +### [[Flag] watch namespace selector](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/namespace_selector.go#L30) +- [should ignore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/namespace_selector.go#L62) +### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L33) +- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L54) +- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L68) +- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L82) +### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_tls_redirect_locations.go#L27) +- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_tls_redirect_locations.go#L30) +### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L42) +- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L49) +### [Configure Opentelemetry](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L39) +- [should not exists opentelemetry directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L49) +- [should exists opentelemetry directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L62) +- [should include opentelemetry_trust_incoming_spans on directive when enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L76) +- [should not exists opentelemetry_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L91) +- [should exists opentelemetry_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L106) +### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L52) +- [should not exists opentracing directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L62) +- [should exists opentracing directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L75) +- [should include opentracing_trust_incoming_span off directive when disabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L89) +- [should not exists opentracing_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L104) +- [should exists opentracing_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L119) +- [should not exists opentracing_location_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L134) +- [should exists opentracing_location_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L149) +- [should enable opentracing using zipkin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L164) +- [should enable opentracing using jaeger](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L176) +- [should enable opentracing using jaeger with sampler host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L188) +- [should propagate the w3c header when configured with jaeger](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L201) +- [should enable opentracing using jaeger with an HTTP endpoint](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L232) +- [should enable opentracing using datadog](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L245) +### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L28) +- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L35) +### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/pod_security_policy.go#L41) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/pod_security_policy.go#L44) +### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/pod_security_policy_volumes.go#L37) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/pod_security_policy_volumes.go#L40) +### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L29) +- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L37) +- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L53) +### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L28) +- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L36) +- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L65) +### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L28) +- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L36) +### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L38) +- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L48) +- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L85) +- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L121) +- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L164) +### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_read_timeout.go#L29) +- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_read_timeout.go#L37) +- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_read_timeout.go#L53) +### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_send_timeout.go#L29) +- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_send_timeout.go#L37) +- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_send_timeout.go#L53) +### [reuse-port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L27) +- [reuse port should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L38) +- [reuse port should be disabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L44) +- [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L52) +### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L28) +- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L35) +- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L98) +### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L29) +- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L38) +- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L50) +### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_ciphers.go#L28) +- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_ciphers.go#L31) +### [[Flag] enable-ssl-passthrough](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L36) +### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L55) +- [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L56) +- [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L78) +### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L35) +- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L42) +### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L31) +- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L65) +- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L109) +- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L125) +- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L144) +- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L164) +- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L186) +- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L204) +### [annotation validations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L30) +- [should allow ingress based on their risk on webhooks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L33) +- [should allow ingress based on their risk on webhooks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L68) +### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/http_redirect.go#L29) +- [should redirect from HTTP to HTTPS when secret is missing](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/http_redirect.go#L36) +### [[SSL] secret update](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/secret_update.go#L33) +- [should not appear references to secret updates not used in ingress rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/secret_update.go#L40) +- [should return the fake SSL certificate if the secret is invalid](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/secret_update.go#L83) +### [[Status] status update](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/status/update.go#L38) +- [should update status field after client-go reconnection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/status/update.go#L43) +### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L38) +- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L46) +- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L80) +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L169) \ No newline at end of file diff --git a/docs/enhancements/20231001-split-containers.md b/docs/enhancements/20231001-split-containers.md new file mode 100644 index 000000000..3c2e85094 --- /dev/null +++ b/docs/enhancements/20231001-split-containers.md @@ -0,0 +1,110 @@ +# Proposal to split containers + +* All the NGINX files should live on one container + * No file other than NGINX files should exist on this container + * This includes not mounting the service account +* All the controller files should live on a different container + * Controller container should have bare minimum to work (just go program) + * ServiceAccount should be mounted just on controller + +* Inside nginx container, there should be a really small http listener just able +to start, stop and reload NGINX + +## Roadmap (what needs to be done) +* Map what needs to be done to mount the SA just on controller container +* Map all the required files for NGINX to work +* Map all the required network calls between controller and NGINX + * eg.: Dynamic lua reconfiguration +* Map problematic features that will need attention + * SSLPassthrough today happens on controller process and needs to happen on NGINX + +### Ports and endpoints on NGINX container +* Public HTTP/HTTPs port - 80 and 443 +* Lua configuration port - 10246 (HTTP) and 10247 (Stream) +* 3333 (temp) - Dataplane controller http server + * /reload - (POST) Reloads the configuration. + * "config" argument is the location of temporary file that should be used / moved to nginx.conf + * /test - (POST) Test the configuration of a given file location + * "config" argument is the location of temporary file that should be tested + +### Mounting empty SA on controller container + +```yaml +kind: Pod +apiVersion: v1 +metadata: + name: test +spec: + containers: + - name: nginx + image: nginx:latest + ports: + - containerPort: 80 + - name: othernginx + image: alpine:latest + command: ["/bin/sh"] + args: ["-c", "while true; do date; sleep 3; done"] + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: emptysecret + volumes: + - name: emptysecret + emptyDir: + sizeLimit: 1Mi +``` + +### Mapped folders on NGINX configuration +**WARNING** We need to be aware of inter mount containers and inode problems. If we +mount a file instead of a directory, it may take time to reflect the file value on +the target container + +* "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;"; - Lua scripts +* "/var/log/nginx" - NGINX logs +* "/tmp/nginx (nginx.pid)" - NGINX pid directory / file, fcgi socket, etc +* " /etc/nginx/geoip" - GeoIP database directory - OK - /etc/ingress-controller/geoip +* /etc/nginx/mime.types - Mime types +* /etc/ingress-controller/ssl - SSL directory (fake cert, auth cert) +* /etc/ingress-controller/auth - Authentication files +* /etc/nginx/modsecurity - Modsecurity configuration +* /etc/nginx/owasp-modsecurity-crs - Modsecurity rules +* /etc/nginx/tickets.key - SSL tickets - OK - /etc/ingress-controller/tickets.key +* /etc/nginx/opentelemetry.toml - OTEL config - OK - /etc/ingress-controller/telemetry +* /etc/nginx/opentracing.json - Opentracing config - OK - /etc/ingress-controller/telemetry +* /etc/nginx/modules - NGINX modules +* /etc/nginx/fastcgi_params (maybe) - fcgi params +* /etc/nginx/template - Template, may be used by controller only + +##### List of modules +``` +ngx_http_auth_digest_module.so ngx_http_modsecurity_module.so +ngx_http_brotli_filter_module.so ngx_http_opentracing_module.so +ngx_http_brotli_static_module.so ngx_stream_geoip2_module.so +ngx_http_geoip2_module.so +``` + +##### List of files that may be removed +``` +-rw-r--r-- 1 www-data www-data 1077 Jun 23 19:44 fastcgi.conf +-rw-r--r-- 1 www-data www-data 1077 Jun 23 19:44 fastcgi.conf.default +-rw-r--r-- 1 www-data www-data 1007 Jun 23 19:44 fastcgi_params +-rw-r--r-- 1 www-data www-data 1007 Jun 23 19:44 fastcgi_params.default +drwxr-xr-x 2 www-data www-data 4096 Jun 23 19:34 geoip +-rw-r--r-- 1 www-data www-data 2837 Jun 23 19:44 koi-utf +-rw-r--r-- 1 www-data www-data 2223 Jun 23 19:44 koi-win +drwxr-xr-x 6 www-data www-data 4096 Sep 19 14:13 lua +-rw-r--r-- 1 www-data www-data 5349 Jun 23 19:44 mime.types +-rw-r--r-- 1 www-data www-data 5349 Jun 23 19:44 mime.types.default +drwxr-xr-x 2 www-data www-data 4096 Jun 23 19:44 modsecurity +drwxr-xr-x 2 www-data www-data 4096 Jun 23 19:44 modules +-rw-r--r-- 1 www-data www-data 18275 Oct 1 21:28 nginx.conf +-rw-r--r-- 1 www-data www-data 2656 Jun 23 19:44 nginx.conf.default +-rwx------ 1 www-data www-data 420 Oct 1 21:28 opentelemetry.toml +-rw-r--r-- 1 www-data www-data 2 Oct 1 21:28 opentracing.json +drwxr-xr-x 7 www-data www-data 4096 Jun 23 19:44 owasp-modsecurity-crs +-rw-r--r-- 1 www-data www-data 636 Jun 23 19:44 scgi_params +-rw-r--r-- 1 www-data www-data 636 Jun 23 19:44 scgi_params.default +drwxr-xr-x 2 www-data www-data 4096 Sep 19 14:13 template +-rw-r--r-- 1 www-data www-data 664 Jun 23 19:44 uwsgi_params +-rw-r--r-- 1 www-data www-data 664 Jun 23 19:44 uwsgi_params.default +-rw-r--r-- 1 www-data www-data 3610 Jun 23 19:44 win-utf +``` diff --git a/docs/examples/affinity/cookie/README.md b/docs/examples/affinity/cookie/README.md index 1920d132b..e66503dd7 100644 --- a/docs/examples/affinity/cookie/README.md +++ b/docs/examples/affinity/cookie/README.md @@ -67,7 +67,7 @@ Accept-Ranges: bytes ``` In the example above, you can see that the response contains a `Set-Cookie` header with the settings we have defined. -This cookie is created by the NGINX Ingress Controller, it contains a randomly generated key corresponding to the upstream used for that request (selected using [consistent hashing][consistent-hashing]) and has an `Expires` directive. +This cookie is created by the Ingress-Nginx Controller, it contains a randomly generated key corresponding to the upstream used for that request (selected using [consistent hashing][consistent-hashing]) and has an `Expires` directive. If a client sends a cookie that doesn't correspond to an upstream, NGINX selects an upstream and creates a corresponding cookie. If the backend pool grows NGINX will keep sending the requests through the same server of the first request, even if it's overloaded. diff --git a/docs/examples/auth/oauth-external-auth/README.md b/docs/examples/auth/oauth-external-auth/README.md index a08928720..b64b0e70a 100644 --- a/docs/examples/auth/oauth-external-auth/README.md +++ b/docs/examples/auth/oauth-external-auth/README.md @@ -51,25 +51,72 @@ into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using G ![Register OAuth2 Application](images/register-oauth-app-2.png) -3. Configure oauth2_proxy values in the file [`oauth2-proxy.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml) with the values: +3. Configure values in the file [`oauth2-proxy.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml) with the values: - OAUTH2_PROXY_CLIENT_ID with the github `` - OAUTH2_PROXY_CLIENT_SECRET with the github `` - OAUTH2_PROXY_COOKIE_SECRET with value of `python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'` + - (optional, but recommended) OAUTH2_PROXY_GITHUB_USERS with GitHub usernames to allow to login + - `__INGRESS_HOST__` with a valid FQDN (e.g. `foo.bar.com`) + - `__INGRESS_SECRET__` with a Secret with a valid SSL certificate -4. Customize the contents of the file [`dashboard-ingress.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml): - - Replace `__INGRESS_HOST__` with a valid FQDN and `__INGRESS_SECRET__` with a Secret with a valid SSL certificate. - -5. Deploy the oauth2 proxy and the ingress rules running: +4. Deploy the oauth2 proxy and the ingress rules by running: ```console - $ kubectl create -f oauth2-proxy.yaml,dashboard-ingress.yaml + $ kubectl create -f oauth2-proxy.yaml ``` -### Test +#### Test -Test the oauth integration accessing the configured URL, e.g. `https://foo.bar.com` +Test the integration by accessing the configured URL, e.g. `https://foo.bar.com` + +![Register OAuth2 Application](images/github-auth.png) + +![GitHub authentication](images/oauth-login.png) + +![Kubernetes dashboard](images/dashboard.png) + + +### Example: Vouch Proxy + Kubernetes-Dashboard + +This example will show you how to deploy [`Vouch Proxy`](https://github.com/vouch/vouch-proxy) +into a Kubernetes cluster and use it to protect the Kubernetes Dashboard using GitHub as the OAuth2 provider. + +#### Prepare + +1. Install the kubernetes dashboard + + ```console + kubectl create -f https://raw.githubusercontent.com/kubernetes/kops/master/addons/kubernetes-dashboard/v1.10.1.yaml + ``` + +2. Create a [custom GitHub OAuth application](https://github.com/settings/applications/new) + + ![Register OAuth2 Application](images/register-oauth-app.png) + + - Homepage URL is the FQDN in the Ingress rule, like `https://foo.bar.com` + - Authorization callback URL is the same as the base FQDN plus `/oauth2/auth`, like `https://foo.bar.com/oauth2/auth` + + ![Register OAuth2 Application](images/register-oauth-app-2.png) + +3. Configure Vouch Proxy values in the file [`vouch-proxy.yaml`](https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/auth/oauth-external-auth/vouch-proxy.yaml) with the values: + + - VOUCH_COOKIE_DOMAIN with value of `` + - OAUTH_CLIENT_ID with the github `` + - OAUTH_CLIENT_SECRET with the github `` + - (optional, but recommended) VOUCH_WHITELIST with GitHub usernames to allow to login + - `__INGRESS_HOST__` with a valid FQDN (e.g. `foo.bar.com`) + - `__INGRESS_SECRET__` with a Secret with a valid SSL certificate + +4. Deploy Vouch Proxy and the ingress rules by running: + + ```console + $ kubectl create -f vouch-proxy.yaml + ``` + +#### Test + +Test the integration by accessing the configured URL, e.g. `https://foo.bar.com` ![Register OAuth2 Application](images/github-auth.png) diff --git a/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml b/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml deleted file mode 100644 index 198a165f4..000000000 --- a/docs/examples/auth/oauth-external-auth/dashboard-ingress.yaml +++ /dev/null @@ -1,45 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - annotations: - nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth" - nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri" - name: external-auth-oauth2 - namespace: kube-system -spec: - ingressClassName: nginx - rules: - - host: __INGRESS_HOST__ - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: kubernetes-dashboard - port: - number: 80 ---- - -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: oauth2-proxy - namespace: kube-system -spec: - ingressClassName: nginx - rules: - - host: __INGRESS_HOST__ - http: - paths: - - path: /oauth2 - pathType: Prefix - backend: - service: - name: oauth2-proxy - port: - number: 4180 - tls: - - hosts: - - __INGRESS_HOST__ - secretName: __INGRESS_SECRET__ diff --git a/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml b/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml index b383ab95e..3d6d41297 100644 --- a/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml +++ b/docs/examples/auth/oauth-external-auth/oauth2-proxy.yaml @@ -31,6 +31,9 @@ spec: # docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));' - name: OAUTH2_PROXY_COOKIE_SECRET value: SECRET + # Recommended: remove email-domain=* in args and set an allowlist + # - name: OAUTH2_PROXY_GITHUB_USERS + # value: alice,bob image: quay.io/oauth2-proxy/oauth2-proxy:latest imagePullPolicy: Always name: oauth2-proxy @@ -55,3 +58,52 @@ spec: targetPort: 4180 selector: k8s-app: oauth2-proxy + +--- + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: oauth2-proxy + namespace: kube-system +spec: + ingressClassName: nginx + rules: + - host: __INGRESS_HOST__ + http: + paths: + - path: /oauth2 + pathType: Prefix + backend: + service: + name: oauth2-proxy + port: + number: 4180 + tls: + - hosts: + - __INGRESS_HOST__ + secretName: __INGRESS_SECRET__ + +--- + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth" + nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri" + name: external-auth-oauth2 + namespace: kube-system +spec: + ingressClassName: nginx + rules: + - host: __INGRESS_HOST__ + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: kubernetes-dashboard + port: + number: 80 diff --git a/docs/examples/auth/oauth-external-auth/vouch-proxy.yaml b/docs/examples/auth/oauth-external-auth/vouch-proxy.yaml new file mode 100644 index 000000000..05eae6d11 --- /dev/null +++ b/docs/examples/auth/oauth-external-auth/vouch-proxy.yaml @@ -0,0 +1,110 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + k8s-app: vouch-proxy + name: vouch-proxy + namespace: kube-system +spec: + replicas: 1 + selector: + matchLabels: + k8s-app: vouch-proxy + template: + metadata: + labels: + k8s-app: vouch-proxy + spec: + containers: + - env: + - name: VOUCH_ALLOWALLUSERS + value: true + # Recommended: remove VOUCH_ALLOWALLUSERS and set an allowlist + # - name: VOUCH_WHITELIST + # value: alice,bob + - name: VOUCH_COOKIE_DOMAIN + value: + - name: VOUCH_LISTEN + value: 0.0.0.0 + - name: VOUCH_DOCUMENT_ROOT + value: oauth2 + # See https://github.com/vouch/vouch-proxy/tree/master/config for different provider examples + - name: OAUTH_PROVIDER + value: github + - name: OAUTH_CLIENT_ID + value: + - name: OAUTH_CLIENT_SECRET + value: + image: quay.io/vouch/vouch-proxy:latest + imagePullPolicy: Always + name: vouch-proxy + ports: + - containerPort: 9090 + protocol: TCP + +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + k8s-app: vouch-proxy + name: vouch-proxy + namespace: kube-system +spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + k8s-app: vouch-proxy + +--- + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: vouch-proxy + namespace: kube-system +spec: + ingressClassName: nginx + rules: + - host: __INGRESS_HOST__ + http: + paths: + - path: /oauth2 + pathType: Prefix + backend: + service: + name: vouch-proxy + port: + number: 9090 + tls: + - hosts: + - __INGRESS_HOST__ + secretName: __INGRESS_SECRET__ + +--- + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/validate" + nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/login?url=$scheme://$http_host$request_uri" + name: external-auth-oauth2 + namespace: kube-system +spec: + ingressClassName: nginx + rules: + - host: __INGRESS_HOST__ + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: kubernetes-dashboard + port: + number: 80 diff --git a/docs/examples/canary/README.md b/docs/examples/canary/README.md new file mode 100644 index 000000000..4124faf6f --- /dev/null +++ b/docs/examples/canary/README.md @@ -0,0 +1,231 @@ +# Canary + +Ingress Nginx Has the ability to handle canary routing by setting specific +annotations, the following is an example of how to configure a canary +deployment with weighted canary routing. + +## Create your main deployment and service + +This is the main deployment of your application with the service that will be +used to route to it + +```bash +echo " +--- +# Deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + name: production + labels: + app: production +spec: + replicas: 1 + selector: + matchLabels: + app: production + template: + metadata: + labels: + app: production + spec: + containers: + - name: production + image: registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:6fc5aa2994c86575975bb20a5203651207029a0d28e3f491d8a127d08baadab4 + ports: + - containerPort: 80 + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP +--- +# Service +apiVersion: v1 +kind: Service +metadata: + name: production + labels: + app: production +spec: + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http + selector: + app: production +" | kubectl apply -f - +``` + +## Create the canary deployment and service + +This is the canary deployment that will take a weighted amount of requests +instead of the main deployment + +```bash +echo " +--- +# Deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + name: canary + labels: + app: canary +spec: + replicas: 1 + selector: + matchLabels: + app: canary + template: + metadata: + labels: + app: canary + spec: + containers: + - name: canary + image: registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:6fc5aa2994c86575975bb20a5203651207029a0d28e3f491d8a127d08baadab4 + ports: + - containerPort: 80 + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP +--- +# Service +apiVersion: v1 +kind: Service +metadata: + name: canary + labels: + app: canary +spec: + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http + selector: + app: canary +" | kubectl apply -f - +``` + +## Create Ingress Pointing To Your Main Deployment + +Next you will need to expose your main deployment with an ingress resource, +note there are no canary specific annotations on this ingress + +```bash +echo " +--- +# Ingress +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: production + annotations: +spec: + ingressClassName: nginx + rules: + - host: echo.prod.mydomain.com + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: production + port: + number: 80 +" | kubectl apply -f - +``` + +## Create Ingress Pointing To Your Canary Deployment + +You will then create an Ingress that has the canary specific configuration, +please pay special notice of the following: + +- The host name is identical to the main ingress host name +- The `nginx.ingress.kubernetes.io/canary: "true"` annotation is required and + defines this as a canary annotation (if you do not have this the Ingresses + will clash) +- The `nginx.ingress.kubernetes.io/canary-weight: "50"` annotation dictates the + weight of the routing, in this case there is a "50%" chance a request will + hit the canary deployment over the main deployment +```bash +echo " +--- +# Ingress +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: canary + annotations: + nginx.ingress.kubernetes.io/canary: \"true\" + nginx.ingress.kubernetes.io/canary-weight: \"50\" +spec: + ingressClassName: nginx + rules: + - host: echo.prod.mydomain.com + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: canary + port: + number: 80 +" | kubectl apply -f - +``` + +## Testing your setup + +You can use the following command to test your setup (replacing +INGRESS_CONTROLLER_IP with your ingresse controllers IP Address) + +```bash +for i in $(seq 1 10); do curl -s --resolve echo.prod.mydomain.com:80:$INGRESS_CONTROLLER_IP echo.prod.mydomain.com | grep "Hostname"; done +``` + +You will get the following output showing that your canary setup is working as +expected: + +```bash +Hostname: production-5c5f65d859-phqzc +Hostname: canary-6697778457-zkfjf +Hostname: canary-6697778457-zkfjf +Hostname: production-5c5f65d859-phqzc +Hostname: canary-6697778457-zkfjf +Hostname: production-5c5f65d859-phqzc +Hostname: production-5c5f65d859-phqzc +Hostname: production-5c5f65d859-phqzc +Hostname: canary-6697778457-zkfjf +Hostname: production-5c5f65d859-phqzc +``` diff --git a/docs/examples/customization/custom-errors/README.md b/docs/examples/customization/custom-errors/README.md index a137fd6dc..a7c9545b0 100644 --- a/docs/examples/customization/custom-errors/README.md +++ b/docs/examples/customization/custom-errors/README.md @@ -29,7 +29,7 @@ service/nginx-errors ClusterIP 10.0.0.12 80/TCP 10s ## Ingress controller configuration -If you do not already have an instance of the NGINX Ingress controller running, deploy it according to the +If you do not already have an instance of the Ingress-Nginx Controller running, deploy it according to the [deployment guide][deploy], then follow these steps: 1. Edit the `ingress-nginx-controller` Deployment and set the value of the `--default-backend-service` flag to the name of the @@ -37,7 +37,7 @@ If you do not already have an instance of the NGINX Ingress controller running, 2. Edit the `ingress-nginx-controller` ConfigMap and create the key `custom-http-errors` with a value of `404,503`. -3. Take note of the IP address assigned to the NGINX Ingress controller Service. +3. Take note of the IP address assigned to the Ingress-Nginx Controller Service. ``` $ kubectl get svc ingress-nginx NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE diff --git a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml index 670208559..708a93831 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.helm.values.yaml @@ -6,7 +6,7 @@ defaultBackend: image: registry: registry.k8s.io image: ingress-nginx/nginx-errors - tag: "v20220916-gd32f8c343@sha256:09c421ac743bace19ab77979b82186941c5125c95e62cdb40bdf41293b5c275c" + tag: "v20230505@sha256:3600dcd1bbd0d05959bb01af4b272714e94d22d24a64e91838e7183c80e53f7f" extraVolumes: - name: custom-error-pages configMap: diff --git a/docs/examples/customization/custom-errors/custom-default-backend.yaml b/docs/examples/customization/custom-errors/custom-default-backend.yaml index 072beab3b..e606c5b62 100644 --- a/docs/examples/customization/custom-errors/custom-default-backend.yaml +++ b/docs/examples/customization/custom-errors/custom-default-backend.yaml @@ -36,7 +36,7 @@ spec: spec: containers: - name: nginx-error-server - image: registry.k8s.io/ingress-nginx/nginx-errors:v20220916-gd32f8c343@sha256:09c421ac743bace19ab77979b82186941c5125c95e62cdb40bdf41293b5c275c + image: registry.k8s.io/ingress-nginx/nginx-errors:v20230505@sha256:3600dcd1bbd0d05959bb01af4b272714e94d22d24a64e91838e7183c80e53f7f ports: - containerPort: 8080 # Setting the environment variable DEBUG we can see the headers sent diff --git a/docs/examples/customization/custom-headers/README.md b/docs/examples/customization/custom-headers/README.md index 499bfc386..0da12582f 100644 --- a/docs/examples/customization/custom-headers/README.md +++ b/docs/examples/customization/custom-headers/README.md @@ -10,7 +10,7 @@ To work around this limitation, perform a rolling restart of the deployment. ## Example -This example demonstrates configuration of the nginx ingress controller via +This example demonstrates configuration of the Ingress-Nginx Controller via a ConfigMap to pass a custom list of headers to the upstream server. @@ -26,7 +26,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/customization/custom-headers/configmap.yaml ``` -The nginx ingress controller will read the `ingress-nginx/ingress-nginx-controller` ConfigMap, find the `proxy-set-headers` key, read HTTP headers from the `ingress-nginx/custom-headers` ConfigMap, and include those HTTP headers in all requests flowing from nginx to the backends. +The Ingress-Nginx Controller will read the `ingress-nginx/ingress-nginx-controller` ConfigMap, find the `proxy-set-headers` key, read HTTP headers from the `ingress-nginx/custom-headers` ConfigMap, and include those HTTP headers in all requests flowing from nginx to the backends. The above example was for passing a custom list of headers to the upstream server. diff --git a/docs/examples/customization/external-auth-headers/echo-service.yaml b/docs/examples/customization/external-auth-headers/echo-service.yaml index 0fe37be56..fc4461cd8 100644 --- a/docs/examples/customization/external-auth-headers/echo-service.yaml +++ b/docs/examples/customization/external-auth-headers/echo-service.yaml @@ -18,7 +18,7 @@ spec: terminationGracePeriodSeconds: 60 containers: - name: echo-service - image: registry.k8s.io/ingress-nginx/e2e-test-echo:v20220819-ga98c63787@sha256:778ac6d1188c8de8ecabeddd3c37b72c8adc8c712bad2bd7a81fb23a3514934c + image: registry.k8s.io/ingress-nginx/e2e-test-echo:v20230527@sha256:6fc5aa2994c86575975bb20a5203651207029a0d28e3f491d8a127d08baadab4 ports: - containerPort: 8080 resources: diff --git a/docs/examples/customization/ssl-dh-param/README.md b/docs/examples/customization/ssl-dh-param/README.md index 2eae67ce2..fcd80757b 100644 --- a/docs/examples/customization/ssl-dh-param/README.md +++ b/docs/examples/customization/ssl-dh-param/README.md @@ -1,6 +1,6 @@ # Custom DH parameters for perfect forward secrecy -This example aims to demonstrate the deployment of an nginx ingress controller and +This example aims to demonstrate the deployment of an Ingress-Nginx Controller and use a ConfigMap to configure a custom Diffie-Hellman parameters file to help with "Perfect Forward Secrecy". diff --git a/docs/examples/customization/sysctl/patch.json b/docs/examples/customization/sysctl/patch.json index 3f736197b..e87c9affa 100644 --- a/docs/examples/customization/sysctl/patch.json +++ b/docs/examples/customization/sysctl/patch.json @@ -4,7 +4,7 @@ "spec": { "initContainers": [{ "name": "sysctl", - "image": "alpine:3.17.0", + "image": "alpine:3.18", "securityContext": { "privileged": true }, diff --git a/docs/examples/grpc/README.md b/docs/examples/grpc/README.md index cf4597fcd..508b23fb8 100644 --- a/docs/examples/grpc/README.md +++ b/docs/examples/grpc/README.md @@ -20,7 +20,7 @@ This example demonstrates how to route traffic to a gRPC service through the Ing - As an example gRPC application, we can use this app . -- To create a container image for this app, you can use [this Dockerfile](https://github.com/kubernetes/ingress-nginx/blob/5a52d99ae85cfe5ef9535291b8326b0006e75066/images/go-grpc-greeter-server/rootfs/Dockerfile). +- To create a container image for this app, you can use [this Dockerfile](https://github.com/kubernetes/ingress-nginx/blob/main/images/go-grpc-greeter-server/rootfs/Dockerfile). - If you use the Dockerfile mentioned above, to create a image, then you can use the following example Kubernetes manifest to create a deployment resource that uses that image. If necessary edit this manifest to suit your needs. diff --git a/docs/examples/index.md b/docs/examples/index.md index 8a5fd5f51..59745e014 100644 --- a/docs/examples/index.md +++ b/docs/examples/index.md @@ -23,6 +23,7 @@ Customization | [External authentication with response header propagation](custo Customization | [Sysctl tuning](customization/sysctl/README.md) | TODO | TODO Features | [Rewrite](rewrite/README.md) | TODO | TODO Features | [Session stickiness](affinity/cookie/README.md) | route requests consistently to the same endpoint | Advanced +Features | [Canary Deployments](canary/README.md) | weighted canary routing to a seperate deployment | Intermediate Scaling | [Static IP](static-ip/README.md) | a single ingress gets a single static IP | Intermediate TLS | [Multi TLS certificate termination](multi-tls/README.md) | TODO | TODO TLS | [TLS termination](tls-termination/README.md) | TODO | TODO diff --git a/docs/examples/openpolicyagent/README.md b/docs/examples/openpolicyagent/README.md new file mode 100644 index 000000000..2d653a90c --- /dev/null +++ b/docs/examples/openpolicyagent/README.md @@ -0,0 +1,25 @@ +# OpenPolicyAgent and pathType enforcing + +Ingress API allows users to specify different [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) +on Ingress object. + +While pathType `Exact` and `Prefix` should allow only a small set of characters, pathType `ImplementationSpecific` +allows any characters, as it may contain regexes, variables and other features that may be specific of the Ingress +Controller being used. + +This means that the Ingress Admins (the persona who deployed the Ingress Controller) should trust the users +allowed to use `pathType: ImplementationSpecific`, as this may allow arbitrary configuration, and this +configuration may end on the proxy (aka Nginx) configuration. + +## Example +The example in this repo uses [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/) to block the usage of `pathType: ImplementationSpecific`, +allowing just a specific list of namespaces to use it. + +It is recommended that the admin modifies this rules to enforce a specific set of characters when the usage of ImplementationSpecific +is allowed, or in ways that best suits their needs. + +First, the `ConstraintTemplate` from [template.yaml](template.yaml) will define a rule that validates if the Ingress object +is being created on an excempted namespace, and case not, will validate its pathType. + +Then, the rule `K8sBlockIngressPathType` contained in [rule.yaml](rule.yaml) will define the parameters: what kind of +object should be verified (Ingress), what are the excempted namespaces, and what kinds of pathType are blocked. diff --git a/docs/examples/openpolicyagent/rule.yaml b/docs/examples/openpolicyagent/rule.yaml new file mode 100644 index 000000000..fce305241 --- /dev/null +++ b/docs/examples/openpolicyagent/rule.yaml @@ -0,0 +1,14 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sBlockIngressPathType +metadata: + name: implspecificisblocked +spec: + match: + kinds: + - apiGroups: ["networking.k8s.io"] + kinds: ["Ingress"] + parameters: + namespacesExceptions: + - "privileged" + blockedTypes: + - "ImplementationSpecific" diff --git a/docs/examples/openpolicyagent/template.yaml b/docs/examples/openpolicyagent/template.yaml new file mode 100644 index 000000000..ed2a6ba1c --- /dev/null +++ b/docs/examples/openpolicyagent/template.yaml @@ -0,0 +1,40 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: k8sblockingresspathtype + annotations: + metadata.gatekeeper.sh/title: "Block a pathType usage" + description: >- + Users should not be able to use specific pathTypes +spec: + crd: + spec: + names: + kind: K8sBlockIngressPathType + validation: + openAPIV3Schema: + type: object + properties: + blockedTypes: + type: array + items: + type: string + namespacesExceptions: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package K8sBlockIngressPathType + + violation[{"msg": msg}] { + input.review.kind.kind == "Ingress" + ns := input.review.object.metadata.namespace + excemptNS := [good | excempts = input.parameters.namespacesExceptions[_] ; good = excempts == ns] + not any(excemptNS) + pathType := object.get(input.review.object.spec.rules[_].http.paths[_], "pathType", "") + blockedPath := [blocked | blockedTypes = input.parameters.blockedTypes[_] ; blocked = blockedTypes == pathType] + any(blockedPath) + msg := sprintf("pathType '%v' is not allowed in this namespace", [pathType]) + } diff --git a/docs/examples/openpolicyagent/tests/should-allow-ns-except.yaml b/docs/examples/openpolicyagent/tests/should-allow-ns-except.yaml new file mode 100644 index 000000000..974e83555 --- /dev/null +++ b/docs/examples/openpolicyagent/tests/should-allow-ns-except.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + creationTimestamp: null + name: simple + namespace: privileged +spec: + rules: + - host: foo1.com + http: + paths: + - backend: + service: + name: svc1 + port: + number: 8080 + path: /bar + pathType: ImplementationSpecific diff --git a/docs/examples/openpolicyagent/tests/should-allow.yaml b/docs/examples/openpolicyagent/tests/should-allow.yaml new file mode 100644 index 000000000..854aff14c --- /dev/null +++ b/docs/examples/openpolicyagent/tests/should-allow.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + creationTimestamp: null + name: simple +spec: + rules: + - host: foo.com + http: + paths: + - backend: + service: + name: svc1 + port: + number: 8080 + path: /bar + pathType: Exact diff --git a/docs/examples/openpolicyagent/tests/should-deny.yaml b/docs/examples/openpolicyagent/tests/should-deny.yaml new file mode 100644 index 000000000..b732fdc89 --- /dev/null +++ b/docs/examples/openpolicyagent/tests/should-deny.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + creationTimestamp: null + name: simple +spec: + rules: + - host: foo2.com + http: + paths: + - backend: + service: + name: svc1 + port: + number: 8080 + path: /bar + pathType: ImplementationSpecific diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md index c529c34ef..aadcc1e4b 100644 --- a/docs/examples/rewrite/README.md +++ b/docs/examples/rewrite/README.md @@ -30,6 +30,9 @@ Rewriting can be controlled using the following annotations: !!! note [Captured groups](https://www.regular-expressions.info/refcapture.html) are saved in numbered placeholders, chronologically, in the form `$1`, `$2` ... `$n`. These placeholders can be used as parameters in the `rewrite-target` annotation. +!!! note + Please see the [FAQ](../faq.md#validation-of-path) for Validation Of __`path`__ + Create an Ingress rule with a rewrite annotation: ```console @@ -38,6 +41,7 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: + nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/rewrite-target: /$2 name: rewrite namespace: default @@ -48,7 +52,7 @@ spec: http: paths: - path: /something(/|$)(.*) - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: http-svc diff --git a/docs/examples/tls-termination/README.md b/docs/examples/tls-termination/README.md index bd68ddc67..25139b381 100644 --- a/docs/examples/tls-termination/README.md +++ b/docs/examples/tls-termination/README.md @@ -1,6 +1,6 @@ # TLS termination -This example demonstrates how to terminate TLS through the nginx Ingress controller. +This example demonstrates how to terminate TLS through the Ingress-Nginx Controller. ## Prerequisites diff --git a/docs/faq.md b/docs/faq.md new file mode 100644 index 000000000..253378c65 --- /dev/null +++ b/docs/faq.md @@ -0,0 +1,33 @@ + +# FAQ + +## Retaining Client IPAddress + +Please read [Retain Client IPAddress Guide here](./user-guide/retaining-client-ipaddress.md). + +## Kubernetes v1.22 Migration + +If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), and you plan to upgrade your Kubernetes version to K8S 1.22 or above, then please read [the migration guide here](./user-guide/k8s-122-migration.md). + +## Validation Of __`path`__ + +- For improving security and also following desired standards on Kubernetes API spec, the next release, scheduled for v1.8.0, will include a new & optional feature of validating the value for the key `ingress.spec.rules.http.paths.path` . + +- This behavior will be disabled by default on the 1.8.0 release and enabled by default on the next breaking change release, set for 2.0.0. + +- When "`ingress.spec.rules.http.pathType=Exact`" or "`pathType=Prefix`", this validation will limit the characters accepted on the field "`ingress.spec.rules.http.paths.path`", to "`alphanumeric characters`", and `"/," "_," "-."` Also, in this case, the path should start with `"/."` + +- When the ingress resource path contains other characters (like on rewrite configurations), the pathType value should be "`ImplementationSpecific`". + +- API Spec on pathType is documented [here](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) + +- When this option is enabled, the validation will happen on the Admission Webhook. So if any new ingress object contains characters other than "`alphanumeric characters`", and `"/," "_," "-."` , in the `path` field, but is not using `pathType` value as `ImplementationSpecific`, then the ingress object will be denied admission. + +- The cluster admin should establish validation rules using mechanisms like "`Open Policy Agent`", to validate that only authorized users can use ImplementationSpecific pathType and that only the authorized characters can be used. [The configmap value is here](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#strict-validate-path-type) + +- A complete example of an Openpolicyagent gatekeeper rule is available [here](https://kubernetes.github.io/ingress-nginx/examples/openpolicyagent/) + +- If you have any issues or concerns, please do one of the following: + - Open a GitHub issue + - Comment in our Dev Slack Channel + - Open a thread in our Google Group ingress-nginx-dev@kubernetes.io diff --git a/docs/how-it-works.md b/docs/how-it-works.md index 4ad824dc8..161803210 100644 --- a/docs/how-it-works.md +++ b/docs/how-it-works.md @@ -10,7 +10,7 @@ The goal of this Ingress controller is the assembly of a configuration file (ngi Usually, a Kubernetes Controller utilizes the [synchronization loop pattern][1] to check if the desired state in the controller is updated or a change is required. To this purpose, we need to build a model using different objects from the cluster, in particular (in no special order) Ingresses, Services, Endpoints, Secrets, and Configmaps to generate a point in time configuration file that reflects the state of the cluster. -To get this object from the cluster, we use [Kubernetes Informers][2], in particular, `FilteredSharedInformer`. This informers allows reacting to changes in using [callbacks][3] to individual changes when a new object is added, modified or removed. Unfortunately, there is no way to know if a particular change is going to affect the final configuration file. Therefore on every change, we have to rebuild a new model from scratch based on the state of cluster and compare it to the current model. If the new model equals to the current one, then we avoid generating a new NGINX configuration and triggering a reload. Otherwise, we check if the difference is only about Endpoints. If so we then send the new list of Endpoints to a Lua handler running inside Nginx using HTTP POST request and again avoid generating a new NGINX configuration and triggering a reload. If the difference between running and new model is about more than just Endpoints we create a new NGINX configuration based on the new model, replace the current model and trigger a reload. +To get this object from the cluster, we use [Kubernetes Informers][2], in particular, `FilteredSharedInformer`. These informers allow reacting to change in using [callbacks][3] to individual changes when a new object is added, modified or removed. Unfortunately, there is no way to know if a particular change is going to affect the final configuration file. Therefore on every change, we have to rebuild a new model from scratch based on the state of cluster and compare it to the current model. If the new model equals to the current one, then we avoid generating a new NGINX configuration and triggering a reload. Otherwise, we check if the difference is only about Endpoints. If so we then send the new list of Endpoints to a Lua handler running inside Nginx using HTTP POST request and again avoid generating a new NGINX configuration and triggering a reload. If the difference between running and new model is about more than just Endpoints we create a new NGINX configuration based on the new model, replace the current model and trigger a reload. One of the uses of the model is to avoid unnecessary reloads when there's no change in the state and to detect conflicts in definitions. @@ -60,7 +60,7 @@ In a relatively big cluster with frequently deploying apps this feature saves si Because the ingress controller works using the [synchronization loop pattern](https://coreos.com/kubernetes/docs/latest/replication-controller.html#the-reconciliation-loop-in-detail), it is applying the configuration for all matching objects. In case some Ingress objects have a broken configuration, for example a syntax error in the `nginx.ingress.kubernetes.io/configuration-snippet` annotation, the generated configuration becomes invalid, does not reload and hence no more ingresses will be taken into account. -To prevent this situation to happen, the nginx ingress controller optionally exposes a [validating admission webhook server][8] to ensure the validity of incoming ingress objects. +To prevent this situation to happen, the Ingress-Nginx Controller optionally exposes a [validating admission webhook server][8] to ensure the validity of incoming ingress objects. This webhook appends the incoming ingress objects to the list of ingresses, generates the configuration and calls nginx to ensure the configuration has no syntax errors. [0]: https://github.com/openresty/lua-nginx-module/pull/1259 diff --git a/docs/images/otel-grafana-demo.png b/docs/images/otel-grafana-demo.png new file mode 100644 index 000000000..61b50c861 Binary files /dev/null and b/docs/images/otel-grafana-demo.png differ diff --git a/docs/images/otel-jaeger-demo.png b/docs/images/otel-jaeger-demo.png new file mode 100644 index 000000000..006b23c34 Binary files /dev/null and b/docs/images/otel-jaeger-demo.png differ diff --git a/docs/images/otel-zipkin-demo.png b/docs/images/otel-zipkin-demo.png new file mode 100644 index 000000000..a3af04e46 Binary files /dev/null and b/docs/images/otel-zipkin-demo.png differ diff --git a/docs/index.md b/docs/index.md index fded1b2bc..bd6a825e1 100644 --- a/docs/index.md +++ b/docs/index.md @@ -4,240 +4,9 @@ This is the documentation for the Ingress NGINX Controller. It is built around the [Kubernetes Ingress resource](https://kubernetes.io/docs/concepts/services-networking/ingress/), using a [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) to store the controller configuration. -You can learn more about using [Ingress](http://kubernetes.io/docs/user-guide/ingress/) in the official [Kubernetes documentation](https://docs.k8s.io). +You can learn more about using [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) in the official [Kubernetes documentation](https://docs.k8s.io). -## Getting Started +# Getting Started See [Deployment](./deploy/) for a whirlwind tour that will get you started. - -# FAQ - Migration to apiVersion `networking.k8s.io/v1` - -If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), and you plan to upgrade to Kubernetes v1.22, this section is relevant to you. - -- Please read this [official blog on deprecated Ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) - -- Please read this [official documentation on the IngressClass object](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) - -## What is an IngressClass and why is it important for users of Ingress-NGINX controller now ? - -IngressClass is a Kubernetes resource. See the description below. It's important because until now, a default install of the Ingress-NGINX controller did not require any IngressClass object. From version 1.0.0 of the Ingress-NGINX Controller, an IngressClass object is required. - -On clusters with more than one instance of the Ingress-NGINX controller, all instances of the controllers must be aware of which Ingress objects they serve. The `ingressClassName` field of an Ingress is the way to let the controller know about that. - -```console -kubectl explain ingressclass -``` -``` -KIND: IngressClass -VERSION: networking.k8s.io/v1 - -DESCRIPTION: - IngressClass represents the class of the Ingress, referenced by the Ingress - Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be - used to indicate that an IngressClass should be considered default. When a - single IngressClass resource has this annotation set to true, new Ingress - resources without a class specified will be assigned this default class. - -FIELDS: - apiVersion - APIVersion defines the versioned schema of this representation of an - object. Servers should convert recognized schemas to the latest internal - value, and may reject unrecognized values. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - - kind - Kind is a string value representing the REST resource this object - represents. Servers may infer this from the endpoint the client submits - requests to. Cannot be updated. In CamelCase. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - - metadata - Standard object's metadata. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - - spec - Spec is the desired state of the IngressClass. More info: - https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status` - -``` - -## What has caused this change in behavior? - -There are 2 reasons primarily. - -### Reason #1 - -Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as: - - - `extensions/v1beta1` - - `networking.k8s.io/v1beta1` - -You would get a message about deprecation, but the Ingress resource would get created. - -From K8s version 1.22 onwards, you can **only** access the Ingress API via the stable, `networking.k8s.io/v1` API. The reason is explained in the [official blog on deprecated ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/). - -### Reason #2 - -If you are already using the Ingress-NGINX controller and then upgrade to K8s version v1.22 , there are several scenarios where your existing Ingress objects will not work how you expect. Read this FAQ to check which scenario matches your use case. - -## What is ingressClassName field ? - -`ingressClassName` is a field in the specs of an Ingress object. - -```shell -kubectl explain ingress.spec.ingressClassName -``` -```console -KIND: Ingress -VERSION: networking.k8s.io/v1 - -FIELD: ingressClassName - -DESCRIPTION: - IngressClassName is the name of the IngressClass cluster resource. The - associated IngressClass defines which controller will implement the - resource. This replaces the deprecated `kubernetes.io/ingress.class` - annotation. For backwards compatibility, when that annotation is set, it - must be given precedence over this field. The controller may emit a warning - if the field and annotation have different values. Implementations of this - API should ignore Ingresses without a class specified. An IngressClass - resource may be marked as default, which can be used to set a default value - for this field. For more information, refer to the IngressClass - documentation. -``` - -The `.spec.ingressClassName` behavior has precedence over the deprecated `kubernetes.io/ingress.class` annotation. - - -## I have only one ingress controller in my cluster. What should I do? - -If a single instance of the Ingress-NGINX controller is the sole Ingress controller running in your cluster, you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your IngressClass, so any new Ingress objects will have this one as default IngressClass. - -When using Helm, you can enable this annotation by setting `.controller.ingressClassResource.default: true` in your Helm chart installation's values file. - -If you have any old Ingress objects remaining without an IngressClass set, you can do one or more of the following to make the Ingress-NGINX controller aware of the old objects: - -- You can manually set the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field in the manifest of your own Ingress resources. -- You can re-create them after setting the `ingressclass.kubernetes.io/is-default-class` annotation to `true` on the IngressClass -- Alternatively you can make the Ingress-NGINX controller watch Ingress objects without the ingressClassName field set by starting your Ingress-NGINX with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class) . When using Helm, you can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true` - -You can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. - -We recommend that you create the IngressClass as shown below: -``` ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - name: nginx - annotations: - ingressclass.kubernetes.io/is-default-class: "true" -spec: - controller: k8s.io/ingress-nginx -``` - -And add the value `spec.ingressClassName=nginx` in your Ingress objects. - - -## I have multiple ingress objects in my cluster. What should I do ? -- If you have lot of ingress objects without ingressClass configuration, you can run the ingress-controller with the flag `--watch-ingress-without-class=true`. - - -### What is the flag '--watch-ingress-without-class' ? -- Its a flag that is passed,as an argument, to the `nginx-ingress-controller` executable. In the configuration, it looks like this: -``` -... -... -args: - - /nginx-ingress-controller - - --watch-ingress-without-class=true - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-dev-v1-test-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-dev-v1-test-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key -... -... -``` - -## I have more than one controller in my cluster and already use the annotation ? - -No problem. This should still keep working, but we highly recommend you to test! - -Even though `kubernetes.io/ingress.class` is deprecated, the Ingress-NGINX controller still understands that annotation. -If you want to follow good practice, you should consider migrating to use IngressClass and `.spec.ingressClassName`. - -## I have more than one controller running in my cluster, and I want to use the new API ? - -In this scenario, you need to create multiple IngressClasses (see example one). But be aware that IngressClass works in a very specific way: you will need to change the `.spec.controller` value in your IngressClass and configure the controller to expect the exact same value. - -Let's see some example, supposing that you have three IngressClasses: - -- IngressClass `ingress-nginx-one`, with `.spec.controller` equal to `example.com/ingress-nginx1` -- IngressClass `ingress-nginx-two`, with `.spec.controller` equal to `example.com/ingress-nginx2` -- IngressClass `ingress-nginx-three`, with `.spec.controller` equal to `example.com/ingress-nginx1` - -(for private use, you can also use a controller name that doesn't contain a `/`; for example: `ingress-nginx1`) - -When deploying your ingress controllers, you will have to change the `--controller-class` field as follows: - -- Ingress-Nginx A, configured to use controller class name `example.com/ingress-nginx1` -- Ingress-Nginx B, configured to use controller class name `example.com/ingress-nginx2` - -Then, when you create an Ingress object with its `ingressClassName` set to `ingress-nginx-two`, only controllers looking for the `example.com/ingress-nginx2` controller class pay attention to the new object. Given that Ingress-Nginx B is set up that way, it will serve that object, whereas Ingress-Nginx A ignores the new Ingress. - -Bear in mind that, if you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true`, then it will serve: - -1. Ingresses without any `ingressClassName` set -2. Ingresses where the deprecated annotation (`kubernetes.io/ingress.class`) matches the value set in the command line argument `--ingress-class` -3. Ingresses that refer to any IngressClass that has the same `spec.controller` as configured in `--controller-class` - -If you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true` and you run Ingress-Nginx A with the command line argument `--watch-ingress-without-class=false` then this is a supported configuration. If you have two Ingress-NGINX controllers for the same cluster, both running with `--watch-ingress-without-class=true` then there is likely to be a conflict. - -## I am seeing this error message in the logs of the Ingress-NGINX controller: "ingress class annotation is not equal to the expected by Ingress Controller". Why ? - -- It is highly likely that you will also see the name of the ingress resource in the same error message. This error message has been observed on use the deprecated annotation (`kubernetes.io/ingress.class`) in a Ingress resource manifest. It is recommended to use the `.spec.ingressClassName` field of the Ingress resource, to specify the name of the IngressClass of the Ingress you are defining. - -## How to easily install multiple instances of the ingress-NGINX controller in the same cluster ? -- Create a new namespace - ``` - kubectl create namespace ingress-nginx-2 - ``` -- Use Helm to install the additional instance of the ingress controller -- Ensure you have Helm working (refer to the [Helm documentation](https://helm.sh/docs/)) -- We have to assume that you have the helm repo for the ingress-NGINX controller already added to your Helm config. But, if you have not added the helm repo then you can do this to add the repo to your helm config; - ``` - helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx - ``` -- Make sure you have updated the helm repo data; - ``` - helm repo update - ``` -- Now, install an additional instance of the ingress-NGINX controller like this: - ``` - helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ - --namespace ingress-nginx-2 \ - --set controller.ingressClassResource.name=nginx-two \ - --set controller.ingressClass=nginx-two \ - --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ - --set controller.ingressClassResource.enabled=true \ - --set controller.ingressClassByName=true - ``` -- If you need to install yet another instance, then repeat the procedure to create a new namespace, change the values such as names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs. -- If you need to install all instances in the same namespace, then you need to specify a different **election id**, like this: - ``` - helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ - --namespace kube-system \ - --set controller.electionID=nginx-two-leader \ - --set controller.ingressClassResource.name=nginx-two \ - --set controller.ingressClass=nginx-two \ - --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ - --set controller.ingressClassResource.enabled=true \ - --set controller.ingressClassByName=true - ``` - - Note, controller.ingressClassResource.name and controller.ingressClass have to be set with the value of the new class as the first is to create the IngressClass object and the other is to modify the deployment of the actuall ingress controller pod. diff --git a/docs/kubectl-plugin.md b/docs/kubectl-plugin.md index 01be19f59..9e5a5dcc6 100644 --- a/docs/kubectl-plugin.md +++ b/docs/kubectl-plugin.md @@ -68,7 +68,7 @@ Use "ingress-nginx [command] --help" for more information about a command. ## Common Flags - Every subcommand supports the basic `kubectl` configuration flags like `--namespace`, `--context`, `--client-key` and so on. -- Subcommands that act on a particular `ingress-nginx` pod (`backends`, `certs`, `conf`, `exec`, `general`, `logs`, `ssh`), support the `--deployment ` and `--pod ` flags to select either a pod from a deployment with the given name, or a pod with the given name. The `--deployment` flag defaults to `ingress-nginx-controller`. +- Subcommands that act on a particular `ingress-nginx` pod (`backends`, `certs`, `conf`, `exec`, `general`, `logs`, `ssh`), support the `--deployment `, `--pod `, and `--container ` flags to select either a pod from a deployment with the given name, or a pod with the given name (and the given container name). The `--deployment` flag defaults to `ingress-nginx-controller`, and the `--container` flag defaults to `controller`. - Subcommands that inspect resources (`ingresses`, `lint`) support the `--all-namespaces` flag, which causes them to inspect resources in every namespace. ## Subcommands @@ -208,6 +208,7 @@ modsecurity modules nginx.conf opentracing.json +opentelemetry.toml owasp-modsecurity-crs template ``` diff --git a/docs/lua_tests.md b/docs/lua_tests.md new file mode 100644 index 000000000..4d3d1fe70 --- /dev/null +++ b/docs/lua_tests.md @@ -0,0 +1,19 @@ +# Lua Tests + +## Running the Lua Tests + +To run the Lua tests you can run the following from the root directory: + +```bash +make lua-test +``` + +This command makes use of docker hence does not need any dependency +installations besides docker + +## Where are the Lua Tests? + +Lua Tests can be found in the [rootfs/etc/nginx/lua/test](../rootfs/etc/nginx/lua/test) directory + + +[1]: https://openresty.org/en/installation.html diff --git a/docs/requirements.txt b/docs/requirements.txt new file mode 100644 index 000000000..5d5943b84 --- /dev/null +++ b/docs/requirements.txt @@ -0,0 +1,4 @@ +mkdocs-material==9.4.5 +mkdocs-awesome-pages-plugin==2.9.2 +mkdocs-minify-plugin==0.7.1 +mkdocs-redirects==1.2.1 \ No newline at end of file diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 4b9820200..e1fd6956e 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -137,7 +137,7 @@ The Ingress controller needs information from apiserver. Therefore, authenticati * _Kubeconfig file:_ In some Kubernetes environments service accounts are not available. In this case a manual configuration is required. The Ingress controller binary can be started with the `--kubeconfig` flag. The value of the flag is a path to a file specifying how to connect to the API server. Using the `--kubeconfig` does not requires the flag `--apiserver-host`. The format of the file is identical to `~/.kube/config` which is used by kubectl to connect to the API server. See 'kubeconfig' section for details. -* _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecured API server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/user-guide/kubectl/kubectl_proxy/). +* _Using the flag `--apiserver-host`:_ Using this flag `--apiserver-host=http://localhost:8080` it is possible to specify an unsecured API server or reach a remote kubernetes cluster using [kubectl proxy](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#proxy). Please do not use this approach in production. In the diagram below you can see the full authentication flow with all options, starting with the browser @@ -230,7 +230,7 @@ If it is not working, there are two possible reasons: More information: -- [User Guide: Service Accounts](http://kubernetes.io/docs/user-guide/service-accounts/) +- [User Guide: Service Accounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) - [Cluster Administrator Guide: Managing Service Accounts](http://kubernetes.io/docs/admin/service-accounts-admin/) ## Kube-Config diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index ab483b1cd..07a17a271 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -15,14 +15,18 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--default-backend-service` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form "namespace/name". The controller configures NGINX to forward requests to the first port of this Service. | | `--default-server-port` | Port to use for exposing the default server (catch-all). (default 8181) | | `--default-ssl-certificate` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". | +| `--enable-annotation-validation` | If true, will enable the annotation validation feature. This value will be defaulted to true on a future release. | | `--disable-catch-all` | Disable support for catch-all Ingresses. (default false) | | `--disable-full-test` | Disable full test of all merged ingresses at the admission stage and tests the template of the ingress being created or updated (full test of all ingresses is enabled by default). | | `--disable-svc-external-name` | Disable support for Services of type ExternalName. (default false) | +| `--disable-sync-events` | Disables the creation of 'Sync' Event resources, but still logs them | | `--dynamic-configuration-retries` | Number of times to retry failed dynamic configuration before failing to sync an ingress. (default 15) | | `--election-id` | Election id to use for Ingress status updates. (default "ingress-controller-leader") | | `--enable-metrics` | Enables the collection of NGINX metrics. (default true) | | `--enable-ssl-chain-completion` | Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. (default false)| | `--enable-ssl-passthrough` | Enable SSL Passthrough. (default false) | +| `--enable-topology-aware-routing` | Enable topology aware routing feature, needs service object annotation service.kubernetes.io/topology-mode sets to auto. (default false) | +| `--exclude-socket-metrics` | Set of socket request metrics to exclude which won't be exported nor being calculated. The possible socket request metrics to exclude are documented in the monitoring guide e.g. 'nginx_ingress_controller_request_duration_seconds,nginx_ingress_controller_response_size'| | `--health-check-path` | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") | | `--health-check-timeout` | Time limit, in seconds, for a probe to health-check-path to succeed. (default 10) | | `--healthz-port` | Port to use for the healthz endpoint. (default 10254) | @@ -65,7 +69,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--validating-webhook` | The address to start an admission controller on to validate incoming ingresses. Takes the form ":port". If not provided, no admission controller is started. | | `--validating-webhook-certificate` | The path of the validating webhook certificate PEM. | | `--validating-webhook-key` | The path of the validating webhook key PEM. | -| `--version` | Show release information about the NGINX Ingress controller and exit. | +| `--version` | Show release information about the Ingress-Nginx Controller and exit. | | `--watch-ingress-without-class` | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. (default false) | | `--watch-namespace` | Namespace the controller watches for updates to Kubernetes objects. This includes Ingresses, Services and all configuration resources. All namespaces are watched if this parameter is left empty. | | `--watch-namespace-selector` | The controller will watch namespaces whose labels match the given selector. This flag only takes effective when `--watch-namespace` is empty. | diff --git a/docs/user-guide/exposing-tcp-udp-services.md b/docs/user-guide/exposing-tcp-udp-services.md index 6b595ffae..dbc143ff1 100644 --- a/docs/user-guide/exposing-tcp-udp-services.md +++ b/docs/user-guide/exposing-tcp-udp-services.md @@ -1,7 +1,9 @@ # Exposing TCP and UDP services -Ingress does not support TCP or UDP services. For this reason this Ingress controller uses the flags `--tcp-services-configmap` and `--udp-services-configmap` to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format: -`::[PROXY]:[PROXY]` +While the Kubernetes Ingress resource only officially supports routing external HTTP(s) traffic to services, ingress-nginx can be configured to receive external TCP/UDP traffic from non-HTTP protocols and route them to internal services using TCP/UDP port mappings that are specified within a ConfigMap. + +To support this, the `--tcp-services-configmap` and `--udp-services-configmap` flags can be used to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format: +`::[PROXY]:[PROXY]` It is also possible to use a number or the name of the port. The two last fields are optional. Adding `PROXY` in either or both of the two last fields we can use [Proxy Protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol) decoding (listen) and/or encoding (proxy_pass) in a TCP service. @@ -63,3 +65,9 @@ spec: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx ``` +Then, the configmap should be added into ingress controller's deployment args. +``` + args: + - /nginx-ingress-controller + - --tcp-services-configmap=ingress-nginx/tcp-services +``` diff --git a/docs/user-guide/external-articles.md b/docs/user-guide/external-articles.md index d9fd828b8..8a60ad567 100644 --- a/docs/user-guide/external-articles.md +++ b/docs/user-guide/external-articles.md @@ -2,5 +2,6 @@ - [Pain(less) NGINX Ingress](http://danielfm.me/posts/painless-nginx-ingress.html) - [Accessing Kubernetes Pods from Outside of the Cluster](http://alesnosek.com/blog/2017/02/14/accessing-kubernetes-pods-from-outside-of-the-cluster) -- [Kubernetes - Redirect HTTP to HTTPS with ELB and the nginx ingress controller](https://dev.to/tomhoule/kubernetes---redirect-http-to-https-with-elb-and-the-nginx-ingress-controller) +- [Kubernetes - Redirect HTTP to HTTPS with ELB and the Ingress-Nginx Controller](https://dev.to/tomhoule/kubernetes---redirect-http-to-https-with-elb-and-the-nginx-ingress-controller) - [Configure Nginx Ingress Controller for TLS termination on Kubernetes on Azure](https://blogs.technet.microsoft.com/livedevopsinjapan/2017/02/28/configure-nginx-ingress-controller-for-tls-termination-on-kubernetes-on-azure-2/) +- [Secure your Nginx Ingress controller behind Google Cloud Armor or Identity-Aware Proxy (IAP)](https://medium.com/google-cloud/secure-your-nginx-ingress-controller-behind-cloud-armor-805d6109af86?sk=f64029bb5624b4ad5cd2828f4c358af3) diff --git a/docs/user-guide/ingress-path-matching.md b/docs/user-guide/ingress-path-matching.md index 321ddfa8e..dd618e08b 100644 --- a/docs/user-guide/ingress-path-matching.md +++ b/docs/user-guide/ingress-path-matching.md @@ -5,6 +5,9 @@ !!! important Regular expressions and wild cards are not supported in the `spec.rules.host` field. Full hostnames must be used. +!!! note + Please see the [FAQ](../faq.md#validation-of-path) for Validation Of __`path`__ + The ingress controller supports **case insensitive** regular expressions in the `spec.rules.http.paths.path` field. This can be enabled by setting the `nginx.ingress.kubernetes.io/use-regex` annotation to `true` (the default is false). @@ -28,7 +31,7 @@ spec: http: paths: - path: /foo/.* - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: test @@ -95,7 +98,7 @@ spec: http: paths: - path: /foo/bar/(.+) - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: service3 @@ -160,7 +163,7 @@ spec: port: number: 80 - path: /foo/bar/[A-Z0-9]{3} - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: test diff --git a/docs/user-guide/k8s-122-migration.md b/docs/user-guide/k8s-122-migration.md new file mode 100644 index 000000000..9a1ca081d --- /dev/null +++ b/docs/user-guide/k8s-122-migration.md @@ -0,0 +1,245 @@ +# FAQ - Migration to Kubernetes 1.22 and apiVersion `networking.k8s.io/v1` + +If you are using Ingress objects in your cluster (running Kubernetes older than v1.22), +and you plan to upgrade to Kubernetes v1.22, this page is relevant to you. + +- Please read this [official blog on deprecated Ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/) +- Please read this [official documentation on the IngressClass object](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) + +## What is an IngressClass and why is it important for users of ingress-nginx controller now? + +IngressClass is a Kubernetes resource. See the description below. +It's important because until now, a default install of the ingress-nginx controller did not require a IngressClass object. +From version 1.0.0 of the ingress-nginx controller, an IngressClass object is required. + +On clusters with more than one instance of the ingress-nginx controller, all instances of the controllers must be aware of which Ingress objects they serve. +The `ingressClassName` field of an Ingress is the way to let the controller know about that. + +```console +kubectl explain ingressclass +``` + +``` +KIND: IngressClass +VERSION: networking.k8s.io/v1 +DESCRIPTION: + IngressClass represents the class of the Ingress, referenced by the Ingress + Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be + used to indicate that an IngressClass should be considered default. When a + single IngressClass resource has this annotation set to true, new Ingress + resources without a class specified will be assigned this default class. +FIELDS: + apiVersion + APIVersion defines the versioned schema of this representation of an + object. Servers should convert recognized schemas to the latest internal + value, and may reject unrecognized values. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + kind + Kind is a string value representing the REST resource this object + represents. Servers may infer this from the endpoint the client submits + requests to. Cannot be updated. In CamelCase. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + metadata + Standard object's metadata. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + spec + Spec is the desired state of the IngressClass. More info: + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status` +``` + +## What has caused this change in behavior? + +There are 2 primary reasons. + +### Reason 1 + +Until K8s version 1.21, it was possible to create an Ingress resource using deprecated versions of the Ingress API, such as: + +- `extensions/v1beta1` +- `networking.k8s.io/v1beta1` + You would get a message about deprecation, but the Ingress resource would get created. + +From K8s version 1.22 onwards, you can **only** access the Ingress API via the stable, `networking.k8s.io/v1` API. +The reason is explained in the [official blog on deprecated ingress API versions](https://kubernetes.io/blog/2021/07/26/update-with-ingress-nginx/). + +### Reason #2 + +If you are already using the ingress-nginx controller and then upgrade to Kubernetes 1.22, +there are several scenarios where your existing Ingress objects will not work how you expect. + +Read this FAQ to check which scenario matches your use case. + +## What is the `ingressClassName` field? + +`ingressClassName` is a field in the spec of an Ingress object. + +```shell +kubectl explain ingress.spec.ingressClassName +``` + +```console +KIND: Ingress +VERSION: networking.k8s.io/v1 +FIELD: ingressClassName +DESCRIPTION: + IngressClassName is the name of the IngressClass cluster resource. The + associated IngressClass defines which controller will implement the + resource. This replaces the deprecated `kubernetes.io/ingress.class` + annotation. For backwards compatibility, when that annotation is set, it + must be given precedence over this field. The controller may emit a warning + if the field and annotation have different values. Implementations of this + API should ignore Ingresses without a class specified. An IngressClass + resource may be marked as default, which can be used to set a default value + for this field. For more information, refer to the IngressClass + documentation. +``` + +The `.spec.ingressClassName` behavior has precedence over the deprecated `kubernetes.io/ingress.class` annotation. + +## I have only one ingress controller in my cluster. What should I do? + +If a single instance of the ingress-nginx controller is the sole Ingress controller running in your cluster, +you should add the annotation "ingressclass.kubernetes.io/is-default-class" in your IngressClass, +so any new Ingress objects will have this one as default IngressClass. + +When using Helm, you can enable this annotation by setting `.controller.ingressClassResource.default: true` in your Helm chart installation's values file. + +If you have any old Ingress objects remaining without an IngressClass set, you can do one or more of the following to make the ingress-nginx controller aware of the old objects: + +- You can manually set the [`.spec.ingressClassName`](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec) field in the manifest of your own Ingress resources. +- You can re-create them after setting the `ingressclass.kubernetes.io/is-default-class` annotation to `true` on the IngressClass +- Alternatively you can make the ingress-nginx controller watch Ingress objects without the ingressClassName field set by starting your ingress-nginx with the flag [--watch-ingress-without-class=true](#what-is-the-flag-watch-ingress-without-class). + When using Helm, you can configure your Helm chart installation's values file with `.controller.watchIngressWithoutClass: true`. + +We recommend that you create the IngressClass as shown below: + +``` +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + name: nginx + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +spec: + controller: k8s.io/ingress-nginx +``` + +and add the value `spec.ingressClassName=nginx` in your Ingress objects. + +## I have many ingress objects in my cluster. What should I do? + +If you have a lot of ingress objects without ingressClass configuration, +you can run the ingress controller with the flag `--watch-ingress-without-class=true`. + +### What is the flag `--watch-ingress-without-class`? + +It's a flag that is passed, as an argument, to the `nginx-ingress-controller` executable. +In the configuration, it looks like this: + +```yaml +# ... +args: + - /nginx-ingress-controller + - --watch-ingress-without-class=true + - --controller-class=k8s.io/ingress-nginx + # ... +# ... +``` + +## I have more than one controller in my cluster, and I'm already using the annotation + +No problem. This should still keep working, but we highly recommend you to test! +Even though `kubernetes.io/ingress.class` is deprecated, the ingress-nginx controller still understands that annotation. +If you want to follow good practice, you should consider migrating to use IngressClass and `.spec.ingressClassName`. + +## I have more than one controller running in my cluster, and I want to use the new API + +In this scenario, you need to create multiple IngressClasses (see the example above). + +Be aware that IngressClass works in a very specific way: you will need to change the `.spec.controller` value in your IngressClass and configure the controller to expect the exact same value. + +Let's see an example, supposing that you have three IngressClasses: + +- IngressClass `ingress-nginx-one`, with `.spec.controller` equal to `example.com/ingress-nginx1` +- IngressClass `ingress-nginx-two`, with `.spec.controller` equal to `example.com/ingress-nginx2` +- IngressClass `ingress-nginx-three`, with `.spec.controller` equal to `example.com/ingress-nginx1` + +For private use, you can also use a controller name that doesn't contain a `/`, e.g. `ingress-nginx1`. + +When deploying your ingress controllers, you will have to change the `--controller-class` field as follows: + +- Ingress-Nginx A, configured to use controller class name `example.com/ingress-nginx1` +- Ingress-Nginx B, configured to use controller class name `example.com/ingress-nginx2` + +When you create an Ingress object with its `ingressClassName` set to `ingress-nginx-two`, +only controllers looking for the `example.com/ingress-nginx2` controller class pay attention to the new object. + +Given that Ingress-Nginx B is set up that way, it will serve that object, whereas Ingress-Nginx A ignores the new Ingress. + +Bear in mind that if you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true`, it will serve: + +1. Ingresses without any `ingressClassName` set +2. Ingresses where the deprecated annotation (`kubernetes.io/ingress.class`) matches the value set in the command line argument `--ingress-class` +3. Ingresses that refer to any IngressClass that has the same `spec.controller` as configured in `--controller-class` +4. If you start Ingress-Nginx B with the command line argument `--watch-ingress-without-class=true` and you run Ingress-Nginx A with the command line argument `--watch-ingress-without-class=false` then this is a supported configuration. + If you have two ingress-nginx controllers for the same cluster, both running with `--watch-ingress-without-class=true` then there is likely to be a conflict. + +## Why am I seeing "ingress class annotation is not equal to the expected by Ingress Controller" in my controller logs? + +It is highly likely that you will also see the name of the ingress resource in the same error message. +This error message has been observed on use the deprecated annotation (`kubernetes.io/ingress.class`) in an Ingress resource manifest. +It is recommended to use the `.spec.ingressClassName` field of the Ingress resource, to specify the name of the IngressClass of the Ingress you are defining. + +## How can I easily install multiple instances of the ingress-nginx controller in the same cluster? + +You can install them in different namespaces. + +- Create a new namespace + ``` + kubectl create namespace ingress-nginx-2 + ``` +- Use Helm to install the additional instance of the ingress controller +- Ensure you have Helm working (refer to the [Helm documentation](https://helm.sh/docs/)) +- We have to assume that you have the helm repo for the ingress-nginx controller already added to your Helm config. + But, if you have not added the helm repo then you can do this to add the repo to your helm config; + ``` + helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx + ``` +- Make sure you have updated the helm repo data; + ``` + helm repo update + ``` +- Now, install an additional instance of the ingress-nginx controller like this: + ``` + helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ + --namespace ingress-nginx-2 \ + --set controller.ingressClassResource.name=nginx-two \ + --set controller.ingressClass=nginx-two \ + --set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ + --set controller.ingressClassResource.enabled=true \ + --set controller.ingressClassByName=true + ``` + +If you need to install yet another instance, then repeat the procedure to create a new namespace, +change the values such as names & namespaces (for example from "-2" to "-3"), or anything else that meets your needs. + +Note that `controller.ingressClassResource.name` and `controller.ingressClass` have to be set correctly. +The first is to create the IngressClass object and the other is to modify the deployment of the actual ingress controller pod. + +### I can't use multiple namespaces, what should I do? + +If you need to install all instances in the same namespace, then you need to specify a different **election id**, like this: + +``` +helm install ingress-nginx-2 ingress-nginx/ingress-nginx \ +--namespace kube-system \ +--set controller.electionID=nginx-two-leader \ +--set controller.ingressClassResource.name=nginx-two \ +--set controller.ingressClass=nginx-two \ +--set controller.ingressClassResource.controllerValue="example.com/ingress-nginx-2" \ +--set controller.ingressClassResource.enabled=true \ +--set controller.ingressClassByName=true +``` diff --git a/docs/user-guide/miscellaneous.md b/docs/user-guide/miscellaneous.md index 196ea17fc..e7d1ac59c 100644 --- a/docs/user-guide/miscellaneous.md +++ b/docs/user-guide/miscellaneous.md @@ -27,12 +27,12 @@ Support for websockets is provided by NGINX out of the box. No special configura The only requirement to avoid the close of connections is the increase of the values of `proxy-read-timeout` and `proxy-send-timeout`. -The default value of this settings is `60 seconds`. +The default value of these settings is `60 seconds`. A more adequate value to support websockets is a value higher than one hour (`3600`). !!! Important - If the NGINX ingress controller is exposed with a service `type=LoadBalancer` make sure the protocol between the loadbalancer and NGINX is TCP. + If the Ingress-Nginx Controller is exposed with a service `type=LoadBalancer` make sure the protocol between the loadbalancer and NGINX is TCP. ## Optimizing TLS Time To First Byte (TTTFB) @@ -52,4 +52,4 @@ The previous behavior can be restored using `retry-non-idempotent=true` in the c ## Why endpoints and not services -The NGINX ingress controller does not use [Services](http://kubernetes.io/docs/user-guide/services) to route traffic to the pods. Instead it uses the Endpoints API in order to bypass [kube-proxy](http://kubernetes.io/docs/admin/kube-proxy/) to allow NGINX features like session affinity and custom load balancing algorithms. It also removes some overhead, such as conntrack entries for iptables DNAT. +The Ingress-Nginx Controller does not use [Services](http://kubernetes.io/docs/user-guide/services) to route traffic to the pods. Instead it uses the Endpoints API in order to bypass [kube-proxy](http://kubernetes.io/docs/admin/kube-proxy/) to allow NGINX features like session affinity and custom load balancing algorithms. It also removes some overhead, such as conntrack entries for iptables DNAT. diff --git a/docs/user-guide/monitoring.md b/docs/user-guide/monitoring.md index 5c53213ea..28608e850 100644 --- a/docs/user-guide/monitoring.md +++ b/docs/user-guide/monitoring.md @@ -6,14 +6,14 @@ Two different methods to install and configure Prometheus and Grafana are descri ## Prometheus and Grafana installation using Pod Annotations -This tutorial will show you how to install [Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/) for scraping the metrics of the NGINX Ingress controller. +This tutorial will show you how to install [Prometheus](https://prometheus.io/) and [Grafana](https://grafana.com/) for scraping the metrics of the Ingress-Nginx Controller. !!! important This example uses `emptyDir` volumes for Prometheus and Grafana. This means once the pod gets terminated you will lose all the data. ### Before You Begin -- The NGINX Ingress controller should already be deployed according to the deployment instructions [here](../deploy/index.md). +- The Ingress-Nginx Controller should already be deployed according to the deployment instructions [here](../deploy/index.md). - The controller should be configured for exporting metrics. This requires 3 configurations to the controller. These configurations are : 1. controller.metrics.enabled=true @@ -39,10 +39,9 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/) controller: metrics: enabled: true - service: - annotations: - prometheus.io/port: "10254" - prometheus.io/scrape: "true" + podAnnotations: + prometheus.io/port: "10254" + prometheus.io/scrape: "true" .. ``` - If you are **not using helm**, you will have to edit your manifests like this: @@ -50,10 +49,6 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/) ``` apiVersion: v1 kind: Service - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "10254" .. spec: ports: @@ -67,16 +62,20 @@ This tutorial will show you how to install [Prometheus](https://prometheus.io/) ``` apiVersion: v1 kind: Deployment - metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/port: "10254" .. spec: - ports: - - name: prometheus - containerPort: 10254 - .. + template: + metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "10254" + spec: + containers: + - name: controller + ports: + - name: prometheus + containerPort: 10254 + .. ``` @@ -170,7 +169,7 @@ According to the above example, this URL will be http://10.192.0.3:31086 - By default request metrics are labeled with the hostname. When you have a wildcard domain ingress, then there will be no metrics for that ingress (to prevent the metrics from exploding in cardinality). To get metrics in this case you need to run the ingress controller with `--metrics-per-host=false` (you will lose labeling by hostname, but still have labeling by ingress). ### Grafana dashboard using ingress resource - - If you want to expose the dashboard for grafana using a ingress resource, then you can : + - If you want to expose the dashboard for grafana using an ingress resource, then you can : - change the service type of the prometheus-server service and the grafana service to "ClusterIP" like this : ``` kubectl -n ingress-nginx edit svc grafana @@ -178,15 +177,15 @@ According to the above example, this URL will be http://10.192.0.3:31086 - This will open the currently deployed service grafana in the default editor configured in your shell (vi/nvim/nano/other) - scroll down to line 34 that looks like "type: NodePort" - change it to look like "type: ClusterIP". Save and exit. - - create a ingress resource with backend as "grafana" and port as "3000" - - Similarly, you can edit the service "prometheus-server" and add a ingress resource. + - create an ingress resource with backend as "grafana" and port as "3000" + - Similarly, you can edit the service "prometheus-server" and add an ingress resource. ## Prometheus and Grafana installation using Service Monitors This document assumes you're using helm and using the kube-prometheus-stack package to install Prometheus and Grafana. -### Verify NGINX Ingress controller is installed +### Verify Ingress-Nginx Controller is installed -- The NGINX Ingress controller should already be deployed according to the deployment instructions [here](../deploy/index.md). +- The Ingress-Nginx Controller should already be deployed according to the deployment instructions [here](../deploy/index.md). - To check if Ingress controller is deployed, ``` @@ -214,7 +213,7 @@ This document assumes you're using helm and using the kube-prometheus-stack pack - If prometheus is not installed, then you can install from [here](https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack) -### Re-configure NGINX Ingress controller +### Re-configure Ingress-Nginx Controller - The Ingress NGINX controller needs to be reconfigured for exporting metrics. This requires 3 additional configurations to the controller. These configurations are : ``` @@ -355,56 +354,40 @@ Prometheus metrics are exposed on port 10254. ### Request metrics -* `nginx_ingress_controller_request_duration_seconds` Histogram - - The request processing time in milliseconds (affected by client speed) - +* `nginx_ingress_controller_request_duration_seconds` Histogram\ + The request processing (time elapsed between the first bytes were read from the client and the log write after the last bytes were sent to the client) time in seconds (affected by client speed).\ nginx var: `request_time` -* `nginx_ingress_controller_response_duration_seconds` Histogram - - The time spent on receiving the response from the upstream server (affected by client speed) - +* `nginx_ingress_controller_response_duration_seconds` Histogram\ + The time spent on receiving the response from the upstream server in seconds (affected by client speed when the response is bigger than proxy buffers).\ + Note: can be up to several millis bigger than the `nginx_ingress_controller_request_duration_seconds` because of the different measuring method. nginx var: `upstream_response_time` -* `nginx_ingress_controller_header_duration_seconds` Histogram - - The time spent on receiving first header from the upstream server - +* `nginx_ingress_controller_header_duration_seconds` Histogram\ + The time spent on receiving first header from the upstream server\ nginx var: `upstream_header_time` -* `nginx_ingress_controller_connect_duration_seconds` Histogram - - The time spent on establishing a connection with the upstream server - +* `nginx_ingress_controller_connect_duration_seconds` Histogram\ + The time spent on establishing a connection with the upstream server\ nginx var: `upstream_connect_time` -* `nginx_ingress_controller_response_size` Histogram - - The response length (including request line, header, and request body) - +* `nginx_ingress_controller_response_size` Histogram\ + The response length (including request line, header, and request body)\ nginx var: `bytes_sent` -* `nginx_ingress_controller_request_size` Histogram - - The request length (including request line, header, and request body) - +* `nginx_ingress_controller_request_size` Histogram\ + The request length (including request line, header, and request body)\ nginx var: `request_length` -* `nginx_ingress_controller_requests` Counter - +* `nginx_ingress_controller_requests` Counter\ The total number of client requests -* `nginx_ingress_controller_bytes_sent` Histogram - - The number of bytes sent to a client. **Deprecated**, use `nginx_ingress_controller_response_size` - +* `nginx_ingress_controller_bytes_sent` Histogram\ + The number of bytes sent to a client. **Deprecated**, use `nginx_ingress_controller_response_size`\ nginx var: `bytes_sent` -* `nginx_ingress_controller_ingress_upstream_latency_seconds` Summary - - Upstream service latency per Ingress. **Deprecated**, use `nginx_ingress_controller_connect_duration_seconds` - +* `nginx_ingress_controller_ingress_upstream_latency_seconds` Summary\ + Upstream service latency per Ingress. **Deprecated**, use `nginx_ingress_controller_connect_duration_seconds`\ nginx var: `upstream_connect_time` ``` @@ -469,6 +452,8 @@ Prometheus metrics are exposed on port 10254. # TYPE nginx_ingress_controller_ssl_certificate_info gauge # HELP nginx_ingress_controller_success Cumulative number of Ingress controller reload operations # TYPE nginx_ingress_controller_success counter +# HELP nginx_ingress_controller_orphan_ingress Gauge reporting status of ingress orphanity, 1 indicates orphaned ingress. 'namespace' is the string used to identify namespace of ingress, 'ingress' for ingress name and 'type' for 'no-service' or 'no-endpoint' of orphanity +# TYPE nginx_ingress_controller_orphan_ingress gauge ``` ### Admission metrics diff --git a/docs/user-guide/multiple-ingress.md b/docs/user-guide/multiple-ingress.md index 179041727..fca93ee65 100644 --- a/docs/user-guide/multiple-ingress.md +++ b/docs/user-guide/multiple-ingress.md @@ -2,7 +2,7 @@ By default, deploying multiple Ingress controllers (e.g., `ingress-nginx` & `gce`) will result in all controllers simultaneously racing to update Ingress status fields in confusing ways. -To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). The `kubernetes.io/ingress.class` annotation is not being preferred or suggested to use as it can be deprecated in future. Better to use the field `ingress.spec.ingressClassName`. +To fix this problem, use [IngressClasses](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). The `kubernetes.io/ingress.class` annotation is not being preferred or suggested to use as it can be deprecated in the future. Better to use the field `ingress.spec.ingressClassName`. But, when user has deployed with `scope.enabled`, then the ingress class resource field is not used. @@ -111,7 +111,7 @@ spec: then setting the corresponding `kubernetes.io/ingress.class: "internal-nginx"` annotation on your Ingresses. -To reiterate, setting the annotation to any value which does not match a valid ingress class will force the NGINX Ingress controller to ignore your Ingress. -If you are only running a single NGINX ingress controller, this can be achieved by setting the annotation to any value except "nginx" or an empty string. +To reiterate, setting the annotation to any value which does not match a valid ingress class will force the Ingress-Nginx Controller to ignore your Ingress. +If you are only running a single Ingress-Nginx Controller, this can be achieved by setting the annotation to any value except "nginx" or an empty string. Do this if you wish to use one of the other Ingress controllers at the same time as the NGINX controller. diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 49e252589..42dc918e3 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -22,7 +22,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/auth-realm](#authentication)|string| |[nginx.ingress.kubernetes.io/auth-secret](#authentication)|string| |[nginx.ingress.kubernetes.io/auth-secret-type](#authentication)|string| -|[nginx.ingress.kubernetes.io/auth-type](#authentication)|basic or digest| +|[nginx.ingress.kubernetes.io/auth-type](#authentication)|"basic" or "digest"| |[nginx.ingress.kubernetes.io/auth-tls-secret](#client-certificate-authentication)|string| |[nginx.ingress.kubernetes.io/auth-tls-verify-depth](#client-certificate-authentication)|number| |[nginx.ingress.kubernetes.io/auth-tls-verify-client](#client-certificate-authentication)|string| @@ -33,12 +33,13 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/auth-cache-key](#external-authentication)|string| |[nginx.ingress.kubernetes.io/auth-cache-duration](#external-authentication)|string| |[nginx.ingress.kubernetes.io/auth-keepalive](#external-authentication)|number| +|[nginx.ingress.kubernetes.io/auth-keepalive-share-vars](#external-authentication)|"true" or "false"| |[nginx.ingress.kubernetes.io/auth-keepalive-requests](#external-authentication)|number| |[nginx.ingress.kubernetes.io/auth-keepalive-timeout](#external-authentication)|number| |[nginx.ingress.kubernetes.io/auth-proxy-set-headers](#external-authentication)|string| |[nginx.ingress.kubernetes.io/auth-snippet](#external-authentication)|string| |[nginx.ingress.kubernetes.io/enable-global-auth](#external-authentication)|"true" or "false"| -|[nginx.ingress.kubernetes.io/backend-protocol](#backend-protocol)|string|HTTP,HTTPS,GRPC,GRPCS,AJP| +|[nginx.ingress.kubernetes.io/backend-protocol](#backend-protocol)|string|HTTP,HTTPS,GRPC,GRPCS| |[nginx.ingress.kubernetes.io/canary](#canary)|"true" or "false"| |[nginx.ingress.kubernetes.io/canary-by-header](#canary)|string| |[nginx.ingress.kubernetes.io/canary-by-header-value](#canary)|string| @@ -96,12 +97,15 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/server-alias](#server-alias)|string| |[nginx.ingress.kubernetes.io/server-snippet](#server-snippet)|string| |[nginx.ingress.kubernetes.io/service-upstream](#service-upstream)|"true" or "false"| -|[nginx.ingress.kubernetes.io/session-cookie-name](#cookie-affinity)|string| -|[nginx.ingress.kubernetes.io/session-cookie-path](#cookie-affinity)|string| -|[nginx.ingress.kubernetes.io/session-cookie-domain](#cookie-affinity)|string| |[nginx.ingress.kubernetes.io/session-cookie-change-on-failure](#cookie-affinity)|"true" or "false"| -|[nginx.ingress.kubernetes.io/session-cookie-samesite](#cookie-affinity)|string| |[nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none](#cookie-affinity)|"true" or "false"| +|[nginx.ingress.kubernetes.io/session-cookie-domain](#cookie-affinity)|string| +|[nginx.ingress.kubernetes.io/session-cookie-expires](#cookie-affinity)|string| +|[nginx.ingress.kubernetes.io/session-cookie-max-age](#cookie-affinity)|string| +|[nginx.ingress.kubernetes.io/session-cookie-name](#cookie-affinity)|string|default "INGRESSCOOKIE"| +|[nginx.ingress.kubernetes.io/session-cookie-path](#cookie-affinity)|string| +|[nginx.ingress.kubernetes.io/session-cookie-samesite](#cookie-affinity)|string|"None", "Lax" or "Strict"| +|[nginx.ingress.kubernetes.io/session-cookie-secure](#cookie-affinity)|string| |[nginx.ingress.kubernetes.io/ssl-redirect](#server-side-https-enforcement-through-redirect)|"true" or "false"| |[nginx.ingress.kubernetes.io/ssl-passthrough](#ssl-passthrough)|"true" or "false"| |[nginx.ingress.kubernetes.io/stream-snippet](#stream-snippet)|string| @@ -109,6 +113,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/x-forwarded-prefix](#x-forwarded-prefix-header)|string| |[nginx.ingress.kubernetes.io/load-balance](#custom-nginx-load-balancing)|string| |[nginx.ingress.kubernetes.io/upstream-vhost](#custom-nginx-upstream-vhost)|string| +|[nginx.ingress.kubernetes.io/denylist-source-range](#denylist-source-range)|CIDR| |[nginx.ingress.kubernetes.io/whitelist-source-range](#whitelist-source-range)|CIDR| |[nginx.ingress.kubernetes.io/proxy-buffering](#proxy-buffering)|string| |[nginx.ingress.kubernetes.io/proxy-buffers-number](#proxy-buffers-number)|number| @@ -120,11 +125,8 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/enable-access-log](#enable-access-log)|"true" or "false"| |[nginx.ingress.kubernetes.io/enable-opentracing](#enable-opentracing)|"true" or "false"| |[nginx.ingress.kubernetes.io/opentracing-trust-incoming-span](#opentracing-trust-incoming-span)|"true" or "false"| -|[nginx.ingress.kubernetes.io/enable-influxdb](#influxdb)|"true" or "false"| -|[nginx.ingress.kubernetes.io/influxdb-measurement](#influxdb)|string| -|[nginx.ingress.kubernetes.io/influxdb-port](#influxdb)|string| -|[nginx.ingress.kubernetes.io/influxdb-host](#influxdb)|string| -|[nginx.ingress.kubernetes.io/influxdb-server-name](#influxdb)|string| +|[nginx.ingress.kubernetes.io/enable-opentelemetry](#enable-opentelemetry)|"true" or "false"| +|[nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-spans)|"true" or "false"| |[nginx.ingress.kubernetes.io/use-regex](#use-regex)|bool| |[nginx.ingress.kubernetes.io/enable-modsecurity](#modsecurity)|bool| |[nginx.ingress.kubernetes.io/enable-owasp-core-rules](#modsecurity)|bool| @@ -194,6 +196,12 @@ Use `nginx.ingress.kubernetes.io/session-cookie-domain` to set the `Domain` attr Use `nginx.ingress.kubernetes.io/session-cookie-samesite` to apply a `SameSite` attribute to the sticky cookie. Browser accepted values are `None`, `Lax`, and `Strict`. Some browsers reject cookies with `SameSite=None`, including those created before the `SameSite=None` specification (e.g. Chrome 5X). Other browsers mistakenly treat `SameSite=None` cookies as `SameSite=Strict` (e.g. Safari running on OSX 14). To omit `SameSite=None` from browsers with these incompatibilities, add the annotation `nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none: "true"`. +Use `nginx.ingress.kubernetes.io/session-cookie-expires` to control the cookie expires, its value is a number of seconds until the cookie expires. + +Use `nginx.ingress.kubernetes.io/session-cookie-path` to control the cookie path when use-regex is set to true. + +Use `nginx.ingress.kubernetes.io/session-cookie-change-on-failure` to control the cookie change after request failure. + ### Authentication It is possible to add authentication by adding additional annotations in the Ingress rule. The source of the authentication is a secret that contains usernames and passwords. @@ -238,7 +246,7 @@ To enable consistent hashing for a backend: `nginx.ingress.kubernetes.io/upstream-hash-by`: the nginx variable, text value or any combination thereof to use for consistent hashing. For example: `nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri"` or `nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri$host"` or `nginx.ingress.kubernetes.io/upstream-hash-by: "${request_uri}-text-value"` to consistently hash upstream requests by the current request URI. -"subset" hashing can be enabled setting `nginx.ingress.kubernetes.io/upstream-hash-by-subset`: "true". This maps requests to subset of nodes instead of a single one. `upstream-hash-by-subset-size` determines the size of each subset (default 3). +"subset" hashing can be enabled setting `nginx.ingress.kubernetes.io/upstream-hash-by-subset`: "true". This maps requests to subset of nodes instead of a single one. `nginx.ingress.kubernetes.io/upstream-hash-by-subset-size` determines the size of each subset (default 3). Please check the [chashsubset](../../examples/chashsubset/deployment.yaml) example. @@ -469,6 +477,9 @@ Additionally it is possible to set: > Note: does not work with HTTP/2 listener because of a limitation in Lua [subrequests](https://github.com/openresty/lua-nginx-module#spdy-mode-not-fully-supported). > [UseHTTP2](./configmap.md#use-http2) configuration should be disabled! +* `nginx.ingress.kubernetes.io/auth-keepalive-share-vars`: + Whether to share Nginx variables among the current request and the auth request. Example use case is to track requests: when set to "true" X-Request-ID HTTP header will be the same for the backend and the auth request. + Defaults to "false". * `nginx.ingress.kubernetes.io/auth-keepalive-requests`: `` to specify the maximum number of requests that can be served through one keepalive connection. Defaults to `1000` and only applied if `auth-keepalive` is set to higher than `0`. @@ -600,7 +611,7 @@ the User guide. ### Service Upstream -By default the NGINX ingress controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration. +By default the Ingress-Nginx Controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration. The `nginx.ingress.kubernetes.io/service-upstream` annotation disables that behavior and instead uses a single upstream in NGINX, the service's Cluster IP and port. @@ -638,6 +649,17 @@ To enable this feature use the annotation `nginx.ingress.kubernetes.io/from-to-w !!! attention For HTTPS to HTTPS redirects is mandatory the SSL Certificate defined in the Secret, located in the TLS section of Ingress, contains both FQDN in the common name of the certificate. +### Denylist source range + +You can specify blocked client IP source ranges through the `nginx.ingress.kubernetes.io/denylist-source-range` annotation. +The value is a comma separated list of [CIDRs](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing), e.g. `10.0.0.0/24,172.10.0.1`. + +To configure this setting globally for all Ingress rules, the `denylist-source-range` value may be set in the [NGINX ConfigMap](./configmap.md#denylist-source-range). + +!!! note + Adding an annotation to an Ingress rule overrides any global restriction. + + ### Whitelist source range You can specify allowed client IP source ranges through the `nginx.ingress.kubernetes.io/whitelist-source-range` annotation. @@ -809,6 +831,24 @@ sometimes need to be overridden to enable it or disable it for a specific ingres nginx.ingress.kubernetes.io/opentracing-trust-incoming-span: "true" ``` +### Enable Opentelemetry + +Opentelemetry can be enabled or disabled globally through the ConfigMap but this will sometimes need to be overridden +to enable it or disable it for a specific ingress (e.g. to turn off telemetry of external health check endpoints) + +```yaml +nginx.ingress.kubernetes.io/enable-opentelemetry: "true" +``` + +### Opentelemetry Trust Incoming Span + +The option to trust incoming trace spans can be enabled or disabled globally through the ConfigMap but this will +sometimes need to be overridden to enable it or disable it for a specific ingress (e.g. only enable on a private endpoint) + +```yaml +nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-spans: "true" +``` + ### X-Forwarded-Prefix Header To add the non-standard `X-Forwarded-Prefix` header to the upstream request with a string value, the following annotation can be used: @@ -864,33 +904,10 @@ nginx.ingress.kubernetes.io/modsecurity-snippet: | Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf ``` -### InfluxDB - -Using `influxdb-*` annotations we can monitor requests passing through a Location by sending them to an InfluxDB backend exposing the UDP socket -using the [nginx-influxdb-module](https://github.com/influxdata/nginx-influxdb-module/). - -```yaml -nginx.ingress.kubernetes.io/enable-influxdb: "true" -nginx.ingress.kubernetes.io/influxdb-measurement: "nginx-reqs" -nginx.ingress.kubernetes.io/influxdb-port: "8089" -nginx.ingress.kubernetes.io/influxdb-host: "127.0.0.1" -nginx.ingress.kubernetes.io/influxdb-server-name: "nginx-ingress" -``` - -For the `influxdb-host` parameter you have two options: - -- Use an InfluxDB server configured with the [UDP protocol](https://docs.influxdata.com/influxdb/v1.5/supported_protocols/udp/) enabled. -- Deploy Telegraf as a sidecar proxy to the Ingress controller configured to listen UDP with the [socket listener input](https://github.com/influxdata/telegraf/tree/release-1.6/plugins/inputs/socket_listener) and to write using -anyone of the [outputs plugins](https://github.com/influxdata/telegraf/tree/release-1.7/plugins/outputs) like InfluxDB, Apache Kafka, -Prometheus, etc.. (recommended) - -It's important to remember that there's no DNS resolver at this stage so you will have to configure -an ip address to `nginx.ingress.kubernetes.io/influxdb-host`. If you deploy Influx or Telegraf as sidecar (another container in the same pod) this becomes straightforward since you can directly use `127.0.0.1`. - ### Backend Protocol Using `backend-protocol` annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces `secure-backends` in older versions) -Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP and FCGI +Valid Values: HTTP, HTTPS, GRPC, GRPCS and FCGI By default NGINX uses `HTTP`. diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md old mode 100755 new mode 100644 index f5d22d11c..75971b9a5 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -25,194 +25,214 @@ data: The following table shows a configuration option's name, type, and the default value: -|name|type|default| -|:---|:---|:------| -|[add-headers](#add-headers)|string|""| -|[allow-backend-server-header](#allow-backend-server-header)|bool|"false"| -|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true| -|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""| -|[hide-headers](#hide-headers)|string array|empty| -|[access-log-params](#access-log-params)|string|""| -|[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"| -|[http-access-log-path](#http-access-log-path)|string|""| -|[stream-access-log-path](#stream-access-log-path)|string|""| -|[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"| -|[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"| -|[enable-modsecurity](#enable-modsecurity)|bool|"false"| -|[modsecurity-snippet](#modsecurity-snippet)|string|""| -|[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"| -|[client-header-buffer-size](#client-header-buffer-size)|string|"1k"| -|[client-header-timeout](#client-header-timeout)|int|60| -|[client-body-buffer-size](#client-body-buffer-size)|string|"8k"| -|[client-body-timeout](#client-body-timeout)|int|60| -|[disable-access-log](#disable-access-log)|bool|false| -|[disable-ipv6](#disable-ipv6)|bool|false| -|[disable-ipv6-dns](#disable-ipv6-dns)|bool|false| -|[enable-underscores-in-headers](#enable-underscores-in-headers)|bool|false| -|[enable-ocsp](#enable-ocsp)|bool|false| -|[ignore-invalid-headers](#ignore-invalid-headers)|bool|true| -|[retry-non-idempotent](#retry-non-idempotent)|bool|"false"| -|[error-log-level](#error-log-level)|string|"notice"| -|[http2-max-field-size](#http2-max-field-size)|string|"4k"| -|[http2-max-header-size](#http2-max-header-size)|string|"16k"| -|[http2-max-requests](#http2-max-requests)|int|1000| -|[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|128| -|[hsts](#hsts)|bool|"true"| -|[hsts-include-subdomains](#hsts-include-subdomains)|bool|"true"| -|[hsts-max-age](#hsts-max-age)|string|"15724800"| -|[hsts-preload](#hsts-preload)|bool|"false"| -|[keep-alive](#keep-alive)|int|75| -|[keep-alive-requests](#keep-alive-requests)|int|100| -|[large-client-header-buffers](#large-client-header-buffers)|string|"4 8k"| -|[log-format-escape-none](#log-format-escape-none)|bool|"false"| -|[log-format-escape-json](#log-format-escape-json)|bool|"false"| -|[log-format-upstream](#log-format-upstream)|string|`$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id`| -|[log-format-stream](#log-format-stream)|string|`[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time`| -|[enable-multi-accept](#enable-multi-accept)|bool|"true"| -|[max-worker-connections](#max-worker-connections)|int|16384| -|[max-worker-open-files](#max-worker-open-files)|int|0| -|[map-hash-bucket-size](#max-hash-bucket-size)|int|64| -|[nginx-status-ipv4-whitelist](#nginx-status-ipv4-whitelist)|[]string|"127.0.0.1"| -|[nginx-status-ipv6-whitelist](#nginx-status-ipv6-whitelist)|[]string|"::1"| -|[proxy-real-ip-cidr](#proxy-real-ip-cidr)|[]string|"0.0.0.0/0"| -|[proxy-set-headers](#proxy-set-headers)|string|""| -|[server-name-hash-max-size](#server-name-hash-max-size)|int|1024| -|[server-name-hash-bucket-size](#server-name-hash-bucket-size)|int|`` -|[proxy-headers-hash-max-size](#proxy-headers-hash-max-size)|int|512| -|[proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)|int|64| -|[plugins](#plugins)|[]string| | -|[reuse-port](#reuse-port)|bool|"true"| -|[server-tokens](#server-tokens)|bool|"false"| -|[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"| -|[ssl-ecdh-curve](#ssl-ecdh-curve)|string|"auto"| -|[ssl-dh-param](#ssl-dh-param)|string|""| -|[ssl-protocols](#ssl-protocols)|string|"TLSv1.2 TLSv1.3"| -|[ssl-session-cache](#ssl-session-cache)|bool|"true"| -|[ssl-session-cache-size](#ssl-session-cache-size)|string|"10m"| -|[ssl-session-tickets](#ssl-session-tickets)|bool|"false"| -|[ssl-session-ticket-key](#ssl-session-ticket-key)|string|`` -|[ssl-session-timeout](#ssl-session-timeout)|string|"10m"| -|[ssl-buffer-size](#ssl-buffer-size)|string|"4k"| -|[use-proxy-protocol](#use-proxy-protocol)|bool|"false"| -|[proxy-protocol-header-timeout](#proxy-protocol-header-timeout)|string|"5s"| -|[use-gzip](#use-gzip)|bool|"false"| -|[use-geoip](#use-geoip)|bool|"true"| -|[use-geoip2](#use-geoip2)|bool|"false"| -|[enable-brotli](#enable-brotli)|bool|"false"| -|[brotli-level](#brotli-level)|int|4| -|[brotli-min-length](#brotli-min-length)|int|20| -|[brotli-types](#brotli-types)|string|"application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| -|[use-http2](#use-http2)|bool|"true"| -|[gzip-level](#gzip-level)|int|1| -|[gzip-types](#gzip-types)|string|"application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"| -|[worker-processes](#worker-processes)|string|``| -|[worker-cpu-affinity](#worker-cpu-affinity)|string|""| -|[worker-shutdown-timeout](#worker-shutdown-timeout)|string|"240s"| -|[load-balance](#load-balance)|string|"round_robin"| -|[variables-hash-bucket-size](#variables-hash-bucket-size)|int|128| -|[variables-hash-max-size](#variables-hash-max-size)|int|2048| -|[upstream-keepalive-connections](#upstream-keepalive-connections)|int|320| -|[upstream-keepalive-time](#upstream-keepalive-time)|string|"1h"| -|[upstream-keepalive-timeout](#upstream-keepalive-timeout)|int|60| -|[upstream-keepalive-requests](#upstream-keepalive-requests)|int|10000| -|[limit-conn-zone-variable](#limit-conn-zone-variable)|string|"$binary_remote_addr"| -|[proxy-stream-timeout](#proxy-stream-timeout)|string|"600s"| -|[proxy-stream-next-upstream](#proxy-stream-next-upstream)|bool|"true"| -|[proxy-stream-next-upstream-timeout](#proxy-stream-next-upstream-timeout)|string|"600s"| -|[proxy-stream-next-upstream-tries](#proxy-stream-next-upstream-tries)|int|3| -|[proxy-stream-responses](#proxy-stream-responses)|int|1| -|[bind-address](#bind-address)|[]string|""| -|[use-forwarded-headers](#use-forwarded-headers)|bool|"false"| -|[enable-real-ip](#enable-real-ip)|bool|"false"| -|[forwarded-for-header](#forwarded-for-header)|string|"X-Forwarded-For"| -|[compute-full-forwarded-for](#compute-full-forwarded-for)|bool|"false"| -|[proxy-add-original-uri-header](#proxy-add-original-uri-header)|bool|"false"| -|[generate-request-id](#generate-request-id)|bool|"true"| -|[enable-opentracing](#enable-opentracing)|bool|"false"| -|[opentracing-operation-name](#opentracing-operation-name)|string|""| -|[opentracing-location-operation-name](#opentracing-location-operation-name)|string|""| -|[zipkin-collector-host](#zipkin-collector-host)|string|""| -|[zipkin-collector-port](#zipkin-collector-port)|int|9411| -|[zipkin-service-name](#zipkin-service-name)|string|"nginx"| -|[zipkin-sample-rate](#zipkin-sample-rate)|float|1.0| -|[jaeger-collector-host](#jaeger-collector-host)|string|""| -|[jaeger-collector-port](#jaeger-collector-port)|int|6831| -|[jaeger-endpoint](#jaeger-endpoint)|string|""| -|[jaeger-service-name](#jaeger-service-name)|string|"nginx"| -|[jaeger-propagation-format](#jaeger-propagation-format)|string|"jaeger"| -|[jaeger-sampler-type](#jaeger-sampler-type)|string|"const"| -|[jaeger-sampler-param](#jaeger-sampler-param)|string|"1"| -|[jaeger-sampler-host](#jaeger-sampler-host)|string|"http://127.0.0.1"| -|[jaeger-sampler-port](#jaeger-sampler-port)|int|5778| -|[jaeger-trace-context-header-name](#jaeger-trace-context-header-name)|string|uber-trace-id| -|[jaeger-debug-header](#jaeger-debug-header)|string|uber-debug-id| -|[jaeger-baggage-header](#jaeger-baggage-header)|string|jaeger-baggage| -|[jaeger-trace-baggage-header-prefix](#jaeger-trace-baggage-header-prefix)|string|uberctx-| -|[datadog-collector-host](#datadog-collector-host)|string|""| -|[datadog-collector-port](#datadog-collector-port)|int|8126| -|[datadog-service-name](#datadog-service-name)|string|"nginx"| -|[datadog-environment](#datadog-environment)|string|"prod"| -|[datadog-operation-name-override](#datadog-operation-name-override)|string|"nginx.handle"| -|[datadog-priority-sampling](#datadog-priority-sampling)|bool|"true"| -|[datadog-sample-rate](#datadog-sample-rate)|float|1.0| -|[main-snippet](#main-snippet)|string|""| -|[http-snippet](#http-snippet)|string|""| -|[server-snippet](#server-snippet)|string|""| -|[stream-snippet](#stream-snippet)|string|""| -|[location-snippet](#location-snippet)|string|""| -|[custom-http-errors](#custom-http-errors)|[]int|[]int{}| -|[proxy-body-size](#proxy-body-size)|string|"1m"| -|[proxy-connect-timeout](#proxy-connect-timeout)|int|5| -|[proxy-read-timeout](#proxy-read-timeout)|int|60| -|[proxy-send-timeout](#proxy-send-timeout)|int|60| -|[proxy-buffers-number](#proxy-buffers-number)|int|4| -|[proxy-buffer-size](#proxy-buffer-size)|string|"4k"| -|[proxy-cookie-path](#proxy-cookie-path)|string|"off"| -|[proxy-cookie-domain](#proxy-cookie-domain)|string|"off"| -|[proxy-next-upstream](#proxy-next-upstream)|string|"error timeout"| -|[proxy-next-upstream-timeout](#proxy-next-upstream-timeout)|int|0| -|[proxy-next-upstream-tries](#proxy-next-upstream-tries)|int|3| -|[proxy-redirect-from](#proxy-redirect-from)|string|"off"| -|[proxy-request-buffering](#proxy-request-buffering)|string|"on"| -|[ssl-redirect](#ssl-redirect)|bool|"true"| -|[force-ssl-redirect](#force-ssl-redirect)|bool|"false"| -|[whitelist-source-range](#whitelist-source-range)|[]string|[]string{}| -|[skip-access-log-urls](#skip-access-log-urls)|[]string|[]string{}| -|[limit-rate](#limit-rate)|int|0| -|[limit-rate-after](#limit-rate-after)|int|0| -|[lua-shared-dicts](#lua-shared-dicts)|string|""| -|[http-redirect-code](#http-redirect-code)|int|308| -|[proxy-buffering](#proxy-buffering)|string|"off"| -|[limit-req-status-code](#limit-req-status-code)|int|503| -|[limit-conn-status-code](#limit-conn-status-code)|int|503| -|[enable-syslog](#enable-syslog)|bool|false| -|[syslog-host](#syslog-host)|string|""| -|[syslog-port](#syslog-port)|int|514| -|[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"| -|[global-auth-url](#global-auth-url)|string|""| -|[global-auth-method](#global-auth-method)|string|""| -|[global-auth-signin](#global-auth-signin)|string|""| -|[global-auth-signin-redirect-param](#global-auth-signin-redirect-param)|string|"rd"| -|[global-auth-response-headers](#global-auth-response-headers)|string|""| -|[global-auth-request-redirect](#global-auth-request-redirect)|string|""| -|[global-auth-snippet](#global-auth-snippet)|string|""| -|[global-auth-cache-key](#global-auth-cache-key)|string|""| -|[global-auth-cache-duration](#global-auth-cache-duration)|string|"200 202 401 5m"| -|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"| -|[block-cidrs](#block-cidrs)|[]string|""| -|[block-user-agents](#block-user-agents)|[]string|""| -|[block-referers](#block-referers)|[]string|""| -|[proxy-ssl-location-only](#proxy-ssl-location-only)|bool|"false"| -|[default-type](#default-type)|string|"text/html"| -|[global-rate-limit-memcached-host](#global-rate-limit)|string|""| -|[global-rate-limit-memcached-port](#global-rate-limit)|int|11211| -|[global-rate-limit-memcached-connect-timeout](#global-rate-limit)|int|50| -|[global-rate-limit-memcached-max-idle-timeout](#global-rate-limit)|int|10000| -|[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50| -|[global-rate-limit-status-code](#global-rate-limit)|int|429| -|[service-upstream](#service-upstream)|bool|"false"| -|[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"| -|[debug-connections](#debug-connections)|[]string|"127.0.0.1,1.1.1.1/24"| +|name|type|default|notes| +|:---|:---|:------|:----| +|[add-headers](#add-headers)|string|""|| +|[allow-backend-server-header](#allow-backend-server-header)|bool|"false"|| +|[allow-cross-namespace-resources](#allow-cross-namespace-resources)|bool|"true"|| +|[allow-snippet-annotations](#allow-snippet-annotations)|bool|false|| +|[annotations-risk-level](#annotations-risk-level)|string|Critical|| +|[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""|| +|[hide-headers](#hide-headers)|string array|empty|| +|[access-log-params](#access-log-params)|string|""|| +|[access-log-path](#access-log-path)|string|"/var/log/nginx/access.log"|| +|[http-access-log-path](#http-access-log-path)|string|""|| +|[stream-access-log-path](#stream-access-log-path)|string|""|| +|[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"|| +|[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"|| +|[enable-modsecurity](#enable-modsecurity)|bool|"false"|| +|[modsecurity-snippet](#modsecurity-snippet)|string|""|| +|[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"|| +|[client-header-buffer-size](#client-header-buffer-size)|string|"1k"|| +|[client-header-timeout](#client-header-timeout)|int|60|| +|[client-body-buffer-size](#client-body-buffer-size)|string|"8k"|| +|[client-body-timeout](#client-body-timeout)|int|60|| +|[disable-access-log](#disable-access-log)|bool|false|| +|[disable-ipv6](#disable-ipv6)|bool|false|| +|[disable-ipv6-dns](#disable-ipv6-dns)|bool|false|| +|[enable-underscores-in-headers](#enable-underscores-in-headers)|bool|false|| +|[enable-ocsp](#enable-ocsp)|bool|false|| +|[ignore-invalid-headers](#ignore-invalid-headers)|bool|true|| +|[retry-non-idempotent](#retry-non-idempotent)|bool|"false"|| +|[error-log-level](#error-log-level)|string|"notice"|| +|[http2-max-field-size](#http2-max-field-size)|string|""|DEPRECATED in favour of [large_client_header_buffers](#large-client-header-buffers)| +|[http2-max-header-size](#http2-max-header-size)|string|""|DEPRECATED in favour of [large_client_header_buffers](#large-client-header-buffers)| +|[http2-max-requests](#http2-max-requests)|int|0|DEPRECATED in favour of [keepalive_requests](#keepalive-requests)| +|[http2-max-concurrent-streams](#http2-max-concurrent-streams)|int|128|| +|[hsts](#hsts)|bool|"true"|| +|[hsts-include-subdomains](#hsts-include-subdomains)|bool|"true"|| +|[hsts-max-age](#hsts-max-age)|string|"31536000"|| +|[hsts-preload](#hsts-preload)|bool|"false"|| +|[keep-alive](#keep-alive)|int|75|| +|[keep-alive-requests](#keep-alive-requests)|int|1000|| +|[large-client-header-buffers](#large-client-header-buffers)|string|"4 8k"|| +|[log-format-escape-none](#log-format-escape-none)|bool|"false"|| +|[log-format-escape-json](#log-format-escape-json)|bool|"false"|| +|[log-format-upstream](#log-format-upstream)|string|`$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] [$proxy_alternative_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id`|| +|[log-format-stream](#log-format-stream)|string|`[$remote_addr] [$time_local] $protocol $status $bytes_sent $bytes_received $session_time`|| +|[enable-multi-accept](#enable-multi-accept)|bool|"true"|| +|[max-worker-connections](#max-worker-connections)|int|16384|| +|[max-worker-open-files](#max-worker-open-files)|int|0|| +|[map-hash-bucket-size](#max-hash-bucket-size)|int|64|| +|[nginx-status-ipv4-whitelist](#nginx-status-ipv4-whitelist)|[]string|"127.0.0.1"|| +|[nginx-status-ipv6-whitelist](#nginx-status-ipv6-whitelist)|[]string|"::1"|| +|[proxy-real-ip-cidr](#proxy-real-ip-cidr)|[]string|"0.0.0.0/0"|| +|[proxy-set-headers](#proxy-set-headers)|string|""|| +|[server-name-hash-max-size](#server-name-hash-max-size)|int|1024|| +|[server-name-hash-bucket-size](#server-name-hash-bucket-size)|int|``| +|[proxy-headers-hash-max-size](#proxy-headers-hash-max-size)|int|512|| +|[proxy-headers-hash-bucket-size](#proxy-headers-hash-bucket-size)|int|64|| +|[plugins](#plugins)|[]string| || +|[reuse-port](#reuse-port)|bool|"true"|| +|[server-tokens](#server-tokens)|bool|"false"|| +|[ssl-ciphers](#ssl-ciphers)|string|"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"|| +|[ssl-ecdh-curve](#ssl-ecdh-curve)|string|"auto"|| +|[ssl-dh-param](#ssl-dh-param)|string|""|| +|[ssl-protocols](#ssl-protocols)|string|"TLSv1.2 TLSv1.3"|| +|[ssl-session-cache](#ssl-session-cache)|bool|"true"|| +|[ssl-session-cache-size](#ssl-session-cache-size)|string|"10m"|| +|[ssl-session-tickets](#ssl-session-tickets)|bool|"false"|| +|[ssl-session-ticket-key](#ssl-session-ticket-key)|string|``| +|[ssl-session-timeout](#ssl-session-timeout)|string|"10m"|| +|[ssl-buffer-size](#ssl-buffer-size)|string|"4k"|| +|[use-proxy-protocol](#use-proxy-protocol)|bool|"false"|| +|[proxy-protocol-header-timeout](#proxy-protocol-header-timeout)|string|"5s"|| +|[enable-aio-write](#enable-aio-write)|bool|"true"|| +|[use-gzip](#use-gzip)|bool|"false"|| +|[use-geoip](#use-geoip)|bool|"true"|| +|[use-geoip2](#use-geoip2)|bool|"false"|| +|[enable-brotli](#enable-brotli)|bool|"false"|| +|[brotli-level](#brotli-level)|int|4|| +|[brotli-min-length](#brotli-min-length)|int|20|| +|[brotli-types](#brotli-types)|string|"application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"|| +|[use-http2](#use-http2)|bool|"true"|| +|[gzip-disable](#gzip-disable)|string|""|| +|[gzip-level](#gzip-level)|int|1|| +|[gzip-min-length](#gzip-min-length)|int|256|| +|[gzip-types](#gzip-types)|string|"application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component"|| +|[worker-processes](#worker-processes)|string|``|| +|[worker-cpu-affinity](#worker-cpu-affinity)|string|""|| +|[worker-shutdown-timeout](#worker-shutdown-timeout)|string|"240s"|| +|[load-balance](#load-balance)|string|"round_robin"|| +|[variables-hash-bucket-size](#variables-hash-bucket-size)|int|128|| +|[variables-hash-max-size](#variables-hash-max-size)|int|2048|| +|[upstream-keepalive-connections](#upstream-keepalive-connections)|int|320|| +|[upstream-keepalive-time](#upstream-keepalive-time)|string|"1h"|| +|[upstream-keepalive-timeout](#upstream-keepalive-timeout)|int|60|| +|[upstream-keepalive-requests](#upstream-keepalive-requests)|int|10000|| +|[limit-conn-zone-variable](#limit-conn-zone-variable)|string|"$binary_remote_addr"|| +|[proxy-stream-timeout](#proxy-stream-timeout)|string|"600s"|| +|[proxy-stream-next-upstream](#proxy-stream-next-upstream)|bool|"true"|| +|[proxy-stream-next-upstream-timeout](#proxy-stream-next-upstream-timeout)|string|"600s"|| +|[proxy-stream-next-upstream-tries](#proxy-stream-next-upstream-tries)|int|3|| +|[proxy-stream-responses](#proxy-stream-responses)|int|1|| +|[bind-address](#bind-address)|[]string|""|| +|[use-forwarded-headers](#use-forwarded-headers)|bool|"false"|| +|[enable-real-ip](#enable-real-ip)|bool|"false"|| +|[forwarded-for-header](#forwarded-for-header)|string|"X-Forwarded-For"|| +|[compute-full-forwarded-for](#compute-full-forwarded-for)|bool|"false"|| +|[proxy-add-original-uri-header](#proxy-add-original-uri-header)|bool|"false"|| +|[generate-request-id](#generate-request-id)|bool|"true"|| +|[enable-opentracing](#enable-opentracing)|bool|"false"|| +|[opentracing-operation-name](#opentracing-operation-name)|string|""|| +|[opentracing-location-operation-name](#opentracing-location-operation-name)|string|""|| +|[zipkin-collector-host](#zipkin-collector-host)|string|""|| +|[zipkin-collector-port](#zipkin-collector-port)|int|9411|| +|[zipkin-service-name](#zipkin-service-name)|string|"nginx"|| +|[zipkin-sample-rate](#zipkin-sample-rate)|float|1.0|| +|[jaeger-collector-host](#jaeger-collector-host)|string|""|| +|[jaeger-collector-port](#jaeger-collector-port)|int|6831|| +|[jaeger-endpoint](#jaeger-endpoint)|string|""|| +|[jaeger-service-name](#jaeger-service-name)|string|"nginx"|| +|[jaeger-propagation-format](#jaeger-propagation-format)|string|"jaeger"|| +|[jaeger-sampler-type](#jaeger-sampler-type)|string|"const"|| +|[jaeger-sampler-param](#jaeger-sampler-param)|string|"1"|| +|[jaeger-sampler-host](#jaeger-sampler-host)|string|"http://127.0.0.1"|| +|[jaeger-sampler-port](#jaeger-sampler-port)|int|5778|| +|[jaeger-trace-context-header-name](#jaeger-trace-context-header-name)|string|uber-trace-id|| +|[jaeger-debug-header](#jaeger-debug-header)|string|uber-debug-id|| +|[jaeger-baggage-header](#jaeger-baggage-header)|string|jaeger-baggage|| +|[jaeger-trace-baggage-header-prefix](#jaeger-trace-baggage-header-prefix)|string|uberctx-|| +|[datadog-collector-host](#datadog-collector-host)|string|""|| +|[datadog-collector-port](#datadog-collector-port)|int|8126|| +|[datadog-service-name](#datadog-service-name)|string|"nginx"|| +|[datadog-environment](#datadog-environment)|string|"prod"|| +|[datadog-operation-name-override](#datadog-operation-name-override)|string|"nginx.handle"|| +|[datadog-priority-sampling](#datadog-priority-sampling)|bool|"true"|| +|[datadog-sample-rate](#datadog-sample-rate)|float|1.0|| +|[enable-opentelemetry](#enable-opentelemetry)|bool|"false"|| +|[opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-span)|bool|"true"|| +|[opentelemetry-operation-name](#opentelemetry-operation-name)|string|""|| +|[opentelemetry-config](#/etc/nginx/opentelemetry.toml)|string|"/etc/nginx/opentelemetry.toml"|| +|[otlp-collector-host](#otlp-collector-host)|string|""|| +|[otlp-collector-port](#otlp-collector-port)|int|4317|| +|[otel-max-queuesize](#otel-max-queuesize)|int||| +|[otel-schedule-delay-millis](#otel-schedule-delay-millis)|int||| +|[otel-max-export-batch-size](#otel-max-export-batch-size)|int||| +|[otel-service-name](#otel-service-name)|string|"nginx"|| +|[otel-sampler](#otel-sampler)|string|"AlwaysOff"|| +|[otel-sampler-parent-based](#otel-sampler-parent-based)|bool|"false"|| +|[otel-sampler-ratio](#otel-sampler-ratio)|float|0.01|| +|[main-snippet](#main-snippet)|string|""|| +|[http-snippet](#http-snippet)|string|""|| +|[server-snippet](#server-snippet)|string|""|| +|[stream-snippet](#stream-snippet)|string|""|| +|[location-snippet](#location-snippet)|string|""|| +|[custom-http-errors](#custom-http-errors)|[]int|[]int{}|| +|[proxy-body-size](#proxy-body-size)|string|"1m"|| +|[proxy-connect-timeout](#proxy-connect-timeout)|int|5|| +|[proxy-read-timeout](#proxy-read-timeout)|int|60|| +|[proxy-send-timeout](#proxy-send-timeout)|int|60|| +|[proxy-buffers-number](#proxy-buffers-number)|int|4|| +|[proxy-buffer-size](#proxy-buffer-size)|string|"4k"|| +|[proxy-cookie-path](#proxy-cookie-path)|string|"off"|| +|[proxy-cookie-domain](#proxy-cookie-domain)|string|"off"|| +|[proxy-next-upstream](#proxy-next-upstream)|string|"error timeout"|| +|[proxy-next-upstream-timeout](#proxy-next-upstream-timeout)|int|0|| +|[proxy-next-upstream-tries](#proxy-next-upstream-tries)|int|3|| +|[proxy-redirect-from](#proxy-redirect-from)|string|"off"|| +|[proxy-request-buffering](#proxy-request-buffering)|string|"on"|| +|[ssl-redirect](#ssl-redirect)|bool|"true"|| +|[force-ssl-redirect](#force-ssl-redirect)|bool|"false"|| +|[denylist-source-range](#denylist-source-range)|[]string|[]string{}|| +|[whitelist-source-range](#whitelist-source-range)|[]string|[]string{}|| +|[skip-access-log-urls](#skip-access-log-urls)|[]string|[]string{}|| +|[limit-rate](#limit-rate)|int|0|| +|[limit-rate-after](#limit-rate-after)|int|0|| +|[lua-shared-dicts](#lua-shared-dicts)|string|""|| +|[http-redirect-code](#http-redirect-code)|int|308|| +|[proxy-buffering](#proxy-buffering)|string|"off"|| +|[limit-req-status-code](#limit-req-status-code)|int|503|| +|[limit-conn-status-code](#limit-conn-status-code)|int|503|| +|[enable-syslog](#enable-syslog)|bool|false|| +|[syslog-host](#syslog-host)|string|""|| +|[syslog-port](#syslog-port)|int|514|| +|[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"|| +|[global-auth-url](#global-auth-url)|string|""|| +|[global-auth-method](#global-auth-method)|string|""|| +|[global-auth-signin](#global-auth-signin)|string|""|| +|[global-auth-signin-redirect-param](#global-auth-signin-redirect-param)|string|"rd"|| +|[global-auth-response-headers](#global-auth-response-headers)|string|""|| +|[global-auth-request-redirect](#global-auth-request-redirect)|string|""|| +|[global-auth-snippet](#global-auth-snippet)|string|""|| +|[global-auth-cache-key](#global-auth-cache-key)|string|""|| +|[global-auth-cache-duration](#global-auth-cache-duration)|string|"200 202 401 5m"|| +|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"|| +|[block-cidrs](#block-cidrs)|[]string|""|| +|[block-user-agents](#block-user-agents)|[]string|""|| +|[block-referers](#block-referers)|[]string|""|| +|[proxy-ssl-location-only](#proxy-ssl-location-only)|bool|"false"|| +|[default-type](#default-type)|string|"text/html"|| +|[global-rate-limit-memcached-host](#global-rate-limit)|string|""|| +|[global-rate-limit-memcached-port](#global-rate-limit)|int|11211|| +|[global-rate-limit-memcached-connect-timeout](#global-rate-limit)|int|50|| +|[global-rate-limit-memcached-max-idle-timeout](#global-rate-limit)|int|10000|| +|[global-rate-limit-memcached-pool-size](#global-rate-limit)|int|50|| +|[global-rate-limit-status-code](#global-rate-limit)|int|429|| +|[service-upstream](#service-upstream)|bool|"false"|| +|[ssl-reject-handshake](#ssl-reject-handshake)|bool|"false"|| +|[debug-connections](#debug-connections)|[]string|"127.0.0.1,1.1.1.1/24"|| +|[strict-validate-path-type](#strict-validate-path-type)|bool|"false" (v1.7.x)|| ## add-headers @@ -222,13 +242,37 @@ Sets custom headers from named configmap before sending traffic to the client. S Enables the return of the header Server from the backend instead of the generic nginx string. _**default:**_ is disabled +## allow-cross-namespace-resources + +Enables users to consume cross namespace resource on annotations, when was previously enabled . _**default:**_ true + +**Annotations that may be impacted with this change**: +* `auth-secret` +* `auth-proxy-set-header` +* `auth-tls-secret` +* `fastcgi-params-configmap` +* `proxy-ssl-secret` + + +**This option will be defaulted to false in the next major release** + ## allow-snippet-annotations -Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true` +Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `false` Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this may allow a user to add restricted configurations to the final nginx.conf file +**This option will be defaulted to false in the next major release** + +## annotations-risk-level + +Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted. + +Accepted values are `Critical`, `High`, `Medium` and `Low`. + +Defaults to `Critical` but will be changed to `High` on the next minor release + ## annotation-value-word-blocklist Contains a comma-separated value of chars/words that are well known of being used to abuse Ingress configuration @@ -666,6 +710,10 @@ Enables or disables the [PROXY protocol](https://www.nginx.com/resources/admin-g Sets the timeout value for receiving the proxy-protocol headers. The default of 5 seconds prevents the TLS passthrough handler from waiting indefinitely on a dropped connection. _**default:**_ 5s +## enable-aio-write + +Enables or disables the directive [aio_write](https://nginx.org/en/docs/http/ngx_http_core_module.html#aio_write) that writes files asynchronously. _**default:**_ true + ## use-gzip Enables or disables compression of HTTP responses using the ["gzip" module](https://nginx.org/en/docs/http/ngx_http_gzip_module.html). MIME types to compress are controlled by [gzip-types](#gzip-types). _**default:**_ false @@ -692,7 +740,8 @@ _**default:**_ false ## enable-brotli Enables or disables compression of HTTP responses using the ["brotli" module](https://github.com/google/ngx_brotli). -The default mime type list to compress is: `application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. _**default:**_ is disabled +The default mime type list to compress is: `application/xml+rss application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component`. +_**default:**_ false > __Note:__ Brotli does not works in Safari < 11. For more information see [https://caniuse.com/#feat=brotli](https://caniuse.com/#feat=brotli) @@ -713,6 +762,10 @@ _**default:**_ `application/xml+rss application/atom+xml application/javascript Enables or disables [HTTP/2](https://nginx.org/en/docs/http/ngx_http_v2_module.html) support in secure connections. +## gzip-disable + +Disables [gzipping](http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable) of responses for requests with "User-Agent" header fields matching any of the specified regular expressions. + ## gzip-level Sets the gzip Compression Level that will be used. _**default:**_ 1 @@ -1001,6 +1054,46 @@ If true disables client-side sampling (thus ignoring `sample_rate`) and enables Specifies sample rate for any traces created. This is effective only when `datadog-priority-sampling` is `false` _**default:**_ 1.0 +## enable-opentelemetry + +Enables the nginx OpenTelemetry extension. _**default:**_ is disabled + +_References:_ +[https://github.com/open-telemetry/opentelemetry-cpp-contrib](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx) + +## opentelemetry-operation-name + +Specifies a custom name for the server span. _**default:**_ is empty + +For example, set to "HTTP $request_method $uri". + +## otlp-collector-host + +Specifies the host to use when uploading traces. It must be a valid URL. + +## otlp-collector-port + +Specifies the port to use when uploading traces. _**default:**_ 4317 + +## otel-service-name + +Specifies the service name to use for any traces created. _**default:**_ nginx + +## opentelemetry-trust-incoming-span: "true" +Enables or disables using spans from incoming requests as parent for created ones. _**default:**_ true + +## otel-sampler-parent-based + +Uses sampler implementation which by default will take a sample if parent Activity is sampled. _**default:**_ false + +## otel-sampler-ratio + +Specifies sample rate for any traces created. _**default:**_ 0.01 + +## otel-sampler + +Specifies the sampler to be used when sampling traces. The available samplers are: AlwaysOff, AlwaysOn, TraceIdRatioBased, remote. _**default:**_ AlwaysOff + ## main-snippet Adds custom configuration to the main section of the nginx configuration. @@ -1096,6 +1189,11 @@ _**default:**_ "true" Sets the global value of redirects (308) to HTTPS if the server has a default TLS certificate (defined in extra-args). _**default:**_ "false" +## denylist-source-range + +Sets the default denylisted IPs for each `server` block. This can be overwritten by an annotation on an Ingress rule. +See [ngx_http_access_module](https://nginx.org/en/docs/http/ngx_http_access_module.html). + ## whitelist-source-range Sets the default whitelisted IPs for each `server` block. This can be overwritten by an annotation on an Ingress rule. @@ -1313,3 +1411,17 @@ _**default:**_ "" _References:_ [http://nginx.org/en/docs/ngx_core_module.html#debug_connection](http://nginx.org/en/docs/ngx_core_module.html#debug_connection) + +## strict-validate-path-type +Ingress objects contains a field called pathType that defines the proxy behavior. It can be `Exact`, `Prefix` and `ImplementationSpecific`. + +When pathType is configured as `Exact` or `Prefix`, there should be a more strict validation, allowing only paths starting with "/" and +containing only alphanumeric characters and "-", "_" and additional "/". + +When this option is enabled, the validation will happen on the Admission Webhook, making any Ingress not using pathType `ImplementationSpecific` +and containing invalid characters to be denied. + +This means that Ingress objects that rely on paths containing regex characters should use `ImplementationSpecific` pathType. + +The cluster admin should establish validation rules using mechanisms like [Open Policy Agent](https://www.openpolicyagent.org/) to +validate that only authorized users can use `ImplementationSpecific` pathType and that only the authorized characters can be used. diff --git a/docs/user-guide/retaining-client-ipaddress.md b/docs/user-guide/retaining-client-ipaddress.md new file mode 100644 index 000000000..237bd3004 --- /dev/null +++ b/docs/user-guide/retaining-client-ipaddress.md @@ -0,0 +1,44 @@ + +## Retaining Client IPAddress + +Please read this https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#source-ip-address , to get details of retaining the client IPAddress. + +### Using proxy-protocol + +Please read this https://kubernetes.github.io/ingress-nginx/user-guide/miscellaneous/#proxy-protocol , to use proxy-protocol for retaining client IPAddress + + +### Using the K8S spec service.spec.externalTrafficPolicy + +``` +% kubectl explain service.spec.externalTrafficPolicy +KIND: Service +VERSION: v1 + +FIELD: externalTrafficPolicy + +DESCRIPTION: + externalTrafficPolicy describes how nodes distribute service traffic they + receive on one of the Service's "externally-facing" addresses (NodePorts, + ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will + configure the service in a way that assumes that external load balancers + will take care of balancing the service traffic between nodes, and so each + node will deliver traffic only to the node-local endpoints of the service, + without masquerading the client source IP. (Traffic mistakenly sent to a + node with no endpoints will be dropped.) The default value, "Cluster", uses + the standard behavior of routing to all endpoints evenly (possibly modified + by topology and other features). Note that traffic sent to an External IP or + LoadBalancer IP from within the cluster will always get "Cluster" semantics, + but clients sending to a NodePort from within the cluster may need to take + traffic policy into account when picking a node. + + Possible enum values: + - `"Cluster"` routes traffic to all endpoints. + - `"Local"` preserves the source IP of the traffic by routing only to + endpoints on the same node as the traffic was received on (dropping the + traffic if there are no local endpoints). + +``` + + +- Setting the field `externalTrafficPolicy`, in the ingress-controller service, to a value of `Local` retains the client's ipaddress, within the scope explained above diff --git a/docs/user-guide/third-party-addons/opentelemetry.md b/docs/user-guide/third-party-addons/opentelemetry.md new file mode 100644 index 000000000..d735fca4f --- /dev/null +++ b/docs/user-guide/third-party-addons/opentelemetry.md @@ -0,0 +1,314 @@ +# OpenTelemetry + +Enables requests served by NGINX for distributed telemetry via The OpenTelemetry Project. + +Using the third party module [opentelemetry-cpp-contrib/nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx) the Ingress-Nginx Controller can configure NGINX to enable [OpenTelemetry](http://opentelemetry.io) instrumentation. +By default this feature is disabled. + +Check out this demo showcasing OpenTelemetry in Ingress NGINX. The video provides an overview and +practical demonstration of how OpenTelemetry can be utilized in Ingress NGINX for observability +and monitoring purposes. + +

+ + Video Thumbnail + +

+ +

Demo: OpenTelemetry in Ingress NGINX.

+ +## Usage + +To enable the instrumentation we must enable OpenTelemetry in the configuration ConfigMap: +```yaml +data: + enable-opentelemetry: "true" +``` + +To enable or disable instrumentation for a single Ingress, use +the `enable-opentelemetry` annotation: +```yaml +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/enable-opentelemetry: "true" +``` + +We must also set the host to use when uploading traces: + +```yaml +otlp-collector-host: "otel-coll-collector.otel.svc" +``` +NOTE: While the option is called `otlp-collector-host`, you will need to point this to any backend that receives otlp-grpc. + +Next you will need to deploy a distributed telemetry system which uses OpenTelemetry. +[opentelemetry-collector](https://github.com/open-telemetry/opentelemetry-collector), [Jaeger](https://www.jaegertracing.io/) +[Tempo](https://github.com/grafana/tempo), and [zipkin](https://zipkin.io/) +have been tested. + +Other optional configuration options: +```yaml +# specifies the name to use for the server span +opentelemetry-operation-name + +# sets whether or not to trust incoming telemetry spans +opentelemetry-trust-incoming-span + +# specifies the port to use when uploading traces, Default: 4317 +otlp-collector-port + +# specifies the service name to use for any traces created, Default: nginx +otel-service-name + +# The maximum queue size. After the size is reached data are dropped. +otel-max-queuesize + +# The delay interval in milliseconds between two consecutive exports. +otel-schedule-delay-millis + +# How long the export can run before it is cancelled. +otel-schedule-delay-millis + +# The maximum batch size of every export. It must be smaller or equal to maxQueueSize. +otel-max-export-batch-size + +# specifies sample rate for any traces created, Default: 0.01 +otel-sampler-ratio + +# specifies the sampler to be used when sampling traces. +# The available samplers are: AlwaysOn, AlwaysOff, TraceIdRatioBased, Default: AlwaysOff +otel-sampler + +# Uses sampler implementation which by default will take a sample if parent Activity is sampled, Default: false +otel-sampler-parent-based +``` + +Note that you can also set whether to trust incoming spans (global default is true) per-location using annotations like the following: +```yaml +kind: Ingress +metadata: + annotations: + nginx.ingress.kubernetes.io/opentelemetry-trust-incoming-span: "true" +``` + +## Examples + +The following examples show how to deploy and test different distributed telemetry systems. These example can be performed using Docker Desktop. + +In the [esigo/nginx-example](https://github.com/esigo/nginx-example) +GitHub repository is an example of a simple hello service: + +```mermaid +graph TB + subgraph Browser + start["http://esigo.dev/hello/nginx"] + end + + subgraph app + sa[service-a] + sb[service-b] + sa --> |name: nginx| sb + sb --> |hello nginx!| sa + end + + subgraph otel + otc["Otel Collector"] + end + + subgraph observability + tempo["Tempo"] + grafana["Grafana"] + backend["Jaeger"] + zipkin["Zipkin"] + end + + subgraph ingress-nginx + ngx[nginx] + end + + subgraph ngx[nginx] + ng[nginx] + om[OpenTelemetry module] + end + + subgraph Node + app + otel + observability + ingress-nginx + om --> |otlp-gRPC| otc --> |jaeger| backend + otc --> |zipkin| zipkin + otc --> |otlp-gRPC| tempo --> grafana + sa --> |otlp-gRPC| otc + sb --> |otlp-gRPC| otc + start --> ng --> sa + end +``` + +To install the example and collectors run: + +1. Enable Ingress addon with: + + ```yaml + opentelemetry: + enabled: true + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0 + containerSecurityContext: + allowPrivilegeEscalation: false + ``` + +2. Enable OpenTelemetry and set the otlp-collector-host: + + ```yaml + $ echo ' + apiVersion: v1 + kind: ConfigMap + data: + enable-opentelemetry: "true" + opentelemetry-config: "/etc/nginx/opentelemetry.toml" + opentelemetry-operation-name: "HTTP $request_method $service_name $uri" + opentelemetry-trust-incoming-span: "true" + otlp-collector-host: "otel-coll-collector.otel.svc" + otlp-collector-port: "4317" + otel-max-queuesize: "2048" + otel-schedule-delay-millis: "5000" + otel-max-export-batch-size: "512" + otel-service-name: "nginx-proxy" # Opentelemetry resource name + otel-sampler: "AlwaysOn" # Also: AlwaysOff, TraceIdRatioBased + otel-sampler-ratio: "1.0" + otel-sampler-parent-based: "false" + metadata: + name: ingress-nginx-controller + namespace: ingress-nginx + ' | kubectl replace -f - + ``` + +4. Deploy otel-collector, grafana and Jaeger backend: + + ```bash + # add helm charts needed for grafana and OpenTelemetry collector + helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts + helm repo add grafana https://grafana.github.io/helm-charts + helm repo update + # deply cert-manager needed for OpenTelemetry collector operator + kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.yaml + # create observability namespace + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/namespace.yaml + # install OpenTelemetry collector operator + helm upgrade --install otel-collector-operator -n otel --create-namespace open-telemetry/opentelemetry-operator + # deploy OpenTelemetry collector + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/collector.yaml + # deploy Jaeger all-in-one + kubectl apply -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.37.0/jaeger-operator.yaml -n observability + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/jaeger.yaml -n observability + # deploy zipkin + kubectl apply -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/zipkin.yaml -n observability + # deploy tempo and grafana + helm upgrade --install tempo grafana/tempo --create-namespace -n observability + helm upgrade -f https://raw.githubusercontent.com/esigo/nginx-example/main/observability/grafana/grafana-values.yaml --install grafana grafana/grafana --create-namespace -n observability + ``` + +3. Build and deploy demo app: + + ```bash + # build images + make images + + # deploy demo app: + make deploy-app + ``` + +5. Make a few requests to the Service: + + ```bash + kubectl port-forward --namespace=ingress-nginx service/ingress-nginx-controller 8090:80 + curl http://esigo.dev:8090/hello/nginx + + + StatusCode : 200 + StatusDescription : OK + Content : {"v":"hello nginx!"} + + RawContent : HTTP/1.1 200 OK + Connection: keep-alive + Content-Length: 21 + Content-Type: text/plain; charset=utf-8 + Date: Mon, 10 Oct 2022 17:43:33 GMT + + {"v":"hello nginx!"} + + Forms : {} + Headers : {[Connection, keep-alive], [Content-Length, 21], [Content-Type, text/plain; charset=utf-8], [Date, + Mon, 10 Oct 2022 17:43:33 GMT]} + Images : {} + InputFields : {} + Links : {} + ParsedHtml : System.__ComObject + RawContentLength : 21 + ``` + +6. View the Grafana UI: + + ```bash + kubectl port-forward --namespace=observability service/grafana 3000:80 + ``` + In the Grafana interface we can see the details: + ![grafana screenshot](../../images/otel-grafana-demo.png "grafana screenshot") + +7. View the Jaeger UI: + + ```bash + kubectl port-forward --namespace=observability service/jaeger-all-in-one-query 16686:16686 + ``` + In the Jaeger interface we can see the details: + ![Jaeger screenshot](../../images/otel-jaeger-demo.png "Jaeger screenshot") + +8. View the Zipkin UI: + + ```bash + kubectl port-forward --namespace=observability service/zipkin 9411:9411 + ``` + In the Zipkin interface we can see the details: + ![zipkin screenshot](../../images/otel-zipkin-demo.png "zipkin screenshot") + +## Migration from OpenTracing, Jaeger, Zipkin and Datadog + +If you are migrating from OpenTracing, Jaeger, Zipkin, or Datadog to OpenTelemetry, +you may need to update various annotations and configurations. Here are the mappings +for common annotations and configurations: + +### Annotations + +| Legacy | OpenTelemetry | +|--------------------------------------------------|--------------------------------------------------| +| `nginx.ingress.kubernetes.io/enable-opentracing` | `nginx.ingress.kubernetes.io/enable-opentelemetry` | +| `opentracing-trust-incoming-span` | `opentracing-trust-incoming-span` | + +### Configs + +| Legacy | OpenTelemetry | +|---------------------------------------|----------------------------------------------| +| `opentracing-operation-name` | `opentelemetry-operation-name` | +| `opentracing-location-operation-name` | `opentelemetry-operation-name` | +| `opentracing-trust-incoming-span` | `opentelemetry-trust-incoming-span` | +| `zipkin-collector-port` | `otlp-collector-port` | +| `zipkin-service-name` | `otel-service-name` | +| `zipkin-sample-rate` | `otel-sampler-ratio` | +| `jaeger-collector-port` | `otlp-collector-port` | +| `jaeger-endpoint` | `otlp-collector-port`, `otlp-collector-host` | +| `jaeger-service-name` | `otel-service-name` | +| `jaeger-propagation-format` | `N/A` | +| `jaeger-sampler-type` | `otel-sampler` | +| `jaeger-sampler-param` | `otel-sampler` | +| `jaeger-sampler-host` | `N/A` | +| `jaeger-sampler-port` | `N/A` | +| `jaeger-trace-context-header-name` | `N/A` | +| `jaeger-debug-header` | `N/A` | +| `jaeger-baggage-header` | `N/A` | +| `jaeger-tracer-baggage-header-prefix` | `N/A` | +| `datadog-collector-port` | `otlp-collector-port` | +| `datadog-service-name` | `otel-service-name` | +| `datadog-environment` | `N/A` | +| `datadog-operation-name-override` | `N/A` | +| `datadog-priority-sampling` | `otel-sampler` | +| `datadog-sample-rate` | `otel-sampler-ratio` | diff --git a/docs/user-guide/third-party-addons/opentracing.md b/docs/user-guide/third-party-addons/opentracing.md index 6ed0f195e..f5ec59faf 100644 --- a/docs/user-guide/third-party-addons/opentracing.md +++ b/docs/user-guide/third-party-addons/opentracing.md @@ -2,7 +2,7 @@ Enables requests served by NGINX for distributed tracing via The OpenTracing Project. -Using the third party module [opentracing-contrib/nginx-opentracing](https://github.com/opentracing-contrib/nginx-opentracing) the NGINX ingress controller can configure NGINX to enable [OpenTracing](http://opentracing.io) instrumentation. +Using the third party module [opentracing-contrib/nginx-opentracing](https://github.com/opentracing-contrib/nginx-opentracing) the Ingress-Nginx Controller can configure NGINX to enable [OpenTracing](http://opentracing.io) instrumentation. By default this feature is disabled. ## Usage diff --git a/ginkgo_upgrade.md b/ginkgo_upgrade.md new file mode 100644 index 000000000..57db0f28f --- /dev/null +++ b/ginkgo_upgrade.md @@ -0,0 +1,131 @@ +# GINKGO UPGRADE + +#### Bumping ginkgo in the project requires four PRs. + +## 1. Dependabot PR + +- Dependabot automatically updates `ginkgo version` but only in [go.mod ](go.mod) and [go.sum ](go.sum) files. +- This is an automatically generated PR by Dependabot but it needs approval from maintainers to get merged. + +## 2. Edit-hardcoded-version PR + +### a. Make changes to appropriate files in required directories + +- Make changes in files where ginkgo version is hardcoded. These files are : + - [run-in-docker.sh ](build/run-in-docker.sh) + - [Dockerfile ](images/test-runner/rootfs/Dockerfile) + - [run.sh ](test/e2e/run.sh) + - [run-chart-test.sh ](test/e2e/run-chart-test.sh) + +### b. Create PR + +- Open pull request(s) accordingly, to fire cloudbuild for building the component's image (if applicable). + +### c. Merge + +- Merging will fire cloudbuild, which will result in images being promoted to the [staging container registry](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx). + +### d. Make sure cloudbuild is a success + +- Wait for [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx). If you don't have access to cloudbuild, you can also have a look at [this](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), to see the progress of the build. + +- Proceed only after cloud-build is successful in building a new Ingress-Nginx-Controller image. + + +## 3. PROMOTE the new-testrunner-image PR: + +Promoting the images basically means that images, that were pushed to staging container registry in the steps above, now are also pushed to the public container registry. Thus are publicly available. Follow these steps to promote images: +- When you make changes to the `Dockerfile` or other core content under [images directory ](images), it generates a new image in google cloudbuild. This is because kubernetes projects need to use the infra provided for the kubernetes projects. The new image is always only pushed to the staging repository of K8S. From the staging repo, the new image needs to be promoted to the production repo. And once promoted, its possible to use the sha of the new image in the code. + +### a. Get the sha + +- Get the sha of the new image(s) of the controller, from the cloudbuild, from steps above + + - The sha is available in output from [cloud build](https://console.cloud.google.com/cloud-build/builds?project=k8s-staging-ingress-nginx) + + - The sha is also visible [here](https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/e2e-test-runner) + + - The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this: + + ``` + ... + pushing manifest for gcr.io/k8s-staging-ingress-nginx/controller:v1.0.2@sha256:e15fac6e8474d77e1f017edc33d804ce72a184e3c0a30963b2a0d7f0b89f6b16 + ... + ``` + +### b. Add the new image to [k8s.io](http://github.com/kubernetes/k8s.io) + +- The sha(s) from the step before (and the tag(s) for the new image(s) have to be added, as a new line, in a file, of the [k8s.io](http://github.com/kubernetes/k8s.io) project of Kubernetes organization. + +- Fork that other project (if you don't have a fork already). + +- Other project to fork [Github repo kubernetes/k8s.io](http://github.com/kubernetes/k8s.io) + +- Fetch --all and rebase to upstream if already forked. + +- Create a branch in your fork, named as the issue number for this release + +- In the related branch, of your fork, edit the file k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml. + +- For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake. + +- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/4499) to see how it was done before + +- Save and commit + +### c. Create PR + +- Open pull request to promote the new e2e-test-runner image. + +### d. Merge + +- Merge success is required. + +- Proceed only after cloud-build is successful in building a new e2e-test-runner image. + + +## 4. Change testrunner-image-sha PR + +### a. Get the sha + +- Make sure to get the tag and sha of the promoted image from the step before, either from cloudbuild or from [here](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/ingress-nginx/e2e-test-runner). + +### a. Make sure your git workspace is ready + +- Get your git workspace ready + + - If not using a pre-existing fork, then Fork the repo kubernetes/ingress-nginx + + - Clone (to laptop or wherever) + + - Add upstream + + - Set upstream url to no_push + + - Checkout & switch to branch, named as per related new-release-issue-number + + - If already forked, and upstream already added, then `git fetch --all` and `git rebase upstream/main` (not origin) + + - Checkout a branch in your fork's clone + + - Perform any other diligence as needed + +- Prefer to edit only and only in your branch, in your Fork + +### b. Change testrunner-image-sha + +- You need update the testrunner-image-sha in the following files : + + - [run-in-docker.sh](https://github.com/kubernetes/ingress-nginx/blob/main/build/run-in-docker.sh#L41) + - [Makefile](https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e-image/Makefile#L3) + +### c. Create PR + +- Look at this PR for how it was done before [example PR](https://github.com/kubernetes/ingress-nginx/pull/9444) +- Create a PR + +### d. Merge + +- Finally merge the PR. + +## END ## \ No newline at end of file diff --git a/go.mod b/go.mod index b074e7c10..6bebebf67 100644 --- a/go.mod +++ b/go.mod @@ -1,96 +1,87 @@ module k8s.io/ingress-nginx -go 1.19 +go 1.21 require ( - github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a + dario.cat/mergo v1.0.0 + github.com/armon/go-proxyproto v0.1.0 github.com/eapache/channels v1.1.0 - github.com/fsnotify/fsnotify v1.6.0 - github.com/imdario/mergo v0.3.13 + github.com/fsnotify/fsnotify v1.7.0 github.com/json-iterator/go v1.1.12 github.com/kylelemons/godebug v1.1.0 github.com/mitchellh/go-ps v1.0.0 - github.com/mitchellh/hashstructure v1.1.0 + github.com/mitchellh/hashstructure/v2 v2.0.2 github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 - github.com/onsi/ginkgo/v2 v2.6.1 - github.com/opencontainers/runc v1.1.4 + github.com/onsi/ginkgo/v2 v2.15.0 + github.com/opencontainers/runc v1.1.11 github.com/pmezard/go-difflib v1.0.0 - github.com/prometheus/client_golang v1.14.0 - github.com/prometheus/client_model v0.3.0 - github.com/prometheus/common v0.39.0 - github.com/spf13/cobra v1.6.1 + github.com/prometheus/client_golang v1.18.0 + github.com/prometheus/client_model v0.5.0 + github.com/prometheus/common v0.46.0 + github.com/spf13/cobra v1.8.0 github.com/spf13/pflag v1.0.5 - github.com/stretchr/testify v1.8.1 + github.com/stretchr/testify v1.8.4 github.com/yudai/gojsondiff v1.0.0 - github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.4.0 - google.golang.org/grpc v1.51.0 + github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30 + golang.org/x/crypto v0.18.0 + google.golang.org/grpc v1.61.0 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.25.4 - k8s.io/apiextensions-apiserver v0.25.0 - k8s.io/apimachinery v0.25.4 - k8s.io/apiserver v0.25.0 - k8s.io/cli-runtime v0.25.0 - k8s.io/client-go v0.25.4 - k8s.io/code-generator v0.25.0 - k8s.io/component-base v0.25.4 - k8s.io/klog/v2 v2.80.1 + k8s.io/api v0.27.6 + k8s.io/apiextensions-apiserver v0.27.6 + k8s.io/apimachinery v0.27.6 + k8s.io/apiserver v0.27.6 + k8s.io/cli-runtime v0.27.6 + k8s.io/client-go v0.27.6 + k8s.io/code-generator v0.27.6 + k8s.io/component-base v0.27.6 + k8s.io/klog/v2 v2.100.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 - sigs.k8s.io/controller-runtime v0.13.1 + sigs.k8s.io/controller-runtime v0.14.6 sigs.k8s.io/mdtoc v1.1.0 ) require ( - cloud.google.com/go/compute v1.12.1 // indirect - cloud.google.com/go/compute/metadata v0.2.1 // indirect - github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.27 // indirect - github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect - github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect - github.com/Azure/go-autorest/logger v0.2.1 // indirect - github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/BurntSushi/toml v1.0.0 // indirect - github.com/PuerkitoBio/purell v1.1.1 // indirect - github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect + github.com/BurntSushi/toml v1.3.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect - github.com/cespare/xxhash/v2 v2.1.2 // indirect - github.com/coreos/go-systemd/v22 v22.3.2 // indirect - github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/coreos/go-systemd/v22 v22.4.0 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/eapache/queue v1.1.0 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/emicklei/go-restful/v3 v3.10.2 // indirect github.com/evanphx/json-patch v4.12.0+incompatible // indirect github.com/evanphx/json-patch/v5 v5.6.0 // indirect - github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b // indirect - github.com/go-errors/errors v1.0.1 // indirect - github.com/go-logr/logr v1.2.3 // indirect - github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.19.5 // indirect - github.com/go-openapi/swag v0.19.14 // indirect + github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa // indirect + github.com/go-errors/errors v1.4.2 // indirect + github.com/go-logr/logr v1.3.0 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.1 // indirect + github.com/go-openapi/swag v0.22.3 // indirect + github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang-jwt/jwt/v4 v4.2.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.2 // indirect + github.com/golang/protobuf v1.5.3 // indirect github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 // indirect github.com/google/btree v1.0.1 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect - github.com/google/go-cmp v0.5.9 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.1.0 // indirect + github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect - github.com/google/uuid v1.3.0 // indirect + github.com/google/uuid v1.4.0 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect - github.com/inconshreveable/mousetrap v1.0.1 // indirect + github.com/imdario/mergo v0.3.6 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect - github.com/mailru/easyjson v0.7.6 // indirect + github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/mmarkdown/mmark v2.0.40+incompatible // indirect github.com/moby/sys/mountinfo v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect @@ -98,37 +89,38 @@ require ( github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 // indirect + github.com/onsi/ginkgo v1.16.5 // indirect github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/procfs v0.8.0 // indirect + github.com/prometheus/procfs v0.12.0 // indirect github.com/sergi/go-diff v1.1.0 // indirect - github.com/sirupsen/logrus v1.8.1 // indirect + github.com/sirupsen/logrus v1.9.0 // indirect github.com/xlab/treeprint v1.1.0 // indirect github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect - golang.org/x/mod v0.7.0 // indirect - golang.org/x/net v0.4.0 // indirect - golang.org/x/oauth2 v0.3.0 // indirect - golang.org/x/sys v0.3.0 // indirect - golang.org/x/term v0.3.0 // indirect - golang.org/x/text v0.5.0 // indirect - golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect - golang.org/x/tools v0.4.0 // indirect - google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 // indirect - google.golang.org/protobuf v1.28.1 // indirect + golang.org/x/mod v0.14.0 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/oauth2 v0.16.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/term v0.16.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/time v0.3.0 // indirect + golang.org/x/tools v0.16.1 // indirect + google.golang.org/appengine v1.6.8 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect + google.golang.org/protobuf v1.32.0 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 // indirect - k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect - k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed // indirect - sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect - sigs.k8s.io/kustomize/api v0.12.1 // indirect - sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect + k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect + k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect + k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/kustomize/api v0.13.2 // indirect + sigs.k8s.io/kustomize/kyaml v0.14.1 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/go.sum b/go.sum index 684ae5beb..b2075a17e 100644 --- a/go.sum +++ b/go.sum @@ -19,10 +19,6 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v1.12.1 h1:gKVJMEyqV5c/UnpzjjQbo3Rjvvqpr9B1DFSbJC4OXr0= -cloud.google.com/go/compute v1.12.1/go.mod h1:e8yNOBcBONZU1vJKCvCoDw/4JQsA0dpM4x/6PIIOocU= -cloud.google.com/go/compute/metadata v0.2.1 h1:efOwf5ymceDhK6PKMnnrTHP4pppY5L22mle96M1yP48= -cloud.google.com/go/compute/metadata v0.2.1/go.mod h1:jgHgmJd2RKBGzXqF5LR2EZMGxBkeanZ9wwa75XHJgOM= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= @@ -34,38 +30,20 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= -github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= -github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/adal v0.9.20 h1:gJ3E98kMpFB1MFqQCvA1yFab8vthOeD4VlFRQULxahg= -github.com/Azure/go-autorest/autorest/adal v0.9.20/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= -github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= -github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= -github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= -github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= -github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= -github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= -github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU= -github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= +github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/PuerkitoBio/purell v1.1.1 h1:WEQqlqaGbrPkxLJWfBwQmfEAE1Z7ONdDLqrN38tNFfI= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV/sSk/8dngufqelfh6jnri85riMAaF/M= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a h1:AP/vsCIvJZ129pdm9Ek7bH7yutN3hByqsMoNrWAxRQc= -github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9hvJ91BbJmGVGSbutW19IC0Q9phDCLGaomwTJbgU= +github.com/armon/go-proxyproto v0.1.0 h1:TWWcSsjco7o2itn6r25/5AqKBiWmsiuzsUDLT/MTl7k= +github.com/armon/go-proxyproto v0.1.0/go.mod h1:Xj90dce2VKbHzRAeiVQAMBtj4M5oidoXJ8lmgyW21mw= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -74,34 +52,29 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE= -github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= -github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= -github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= -github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= -github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/coreos/go-systemd/v22 v22.4.0 h1:y9YHcjnjynCd/DVbg5j9L/33jQM3MxJlbj/zWskzfGU= +github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/eapache/channels v1.1.0 h1:F1taHcn7/F0i8DYqKXJnyhJcVpp2kgFcNePxXtnyu4k= github.com/eapache/channels v1.1.0/go.mod h1:jMm2qB5Ubtg9zLd+inMZd2/NUvXgzmWXsDaLyQIGfH0= github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= -github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE= +github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -110,13 +83,15 @@ github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= -github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= -github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b h1:074/xhloHUBOpTZwlIzQ28rbPY8pNJvzY7Gcx5KnNOk= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= -github.com/go-errors/errors v1.0.1 h1:LUHzmkK3GUKUrL/1gfBUxAHzcev3apQlezX/+O7ma6w= -github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa h1:RDBNVkRviHZtvDvId8XSGPu3rmpmSe+wKRcEWNgsfWU= +github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= +github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= +github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= @@ -126,30 +101,28 @@ github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vb github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0= -github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.19.5 h1:1WJP/wi4OjB4iV8KVbH73rQaoialJrqv8gitZLxGLtM= -github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= -github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.6 h1:mkgN1ofwASrYnJ5W6U/BxG15eXXXjirgZc7CLqkcaro= github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= -github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -178,8 +151,9 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7 h1:oKYOfNR7Hp6XpZ4JqolL5u642Js5Z0n7psPVl+S5heo= github.com/gomarkdown/markdown v0.0.0-20210514010506-3b9f47219fe7/go.mod h1:aii0r/K0ZnHv7G0KF7xy1v0A7s2Ljrb5byB7MO5p6TU= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= @@ -198,8 +172,8 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= -github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -212,22 +186,25 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 h1:pUa4ghanp6q4IJHwE9RwLgmVFfReJN+KbQ8ExNEUUoQ= +github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= -github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= +github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM= github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= -github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= -github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc= -github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= +github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= @@ -249,8 +226,9 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -259,21 +237,17 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= -github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc= github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg= -github.com/mitchellh/hashstructure v1.1.0 h1:P6P1hdjqAAknpY/M1CGipelZgp+4y9ja9kmUZPXP+H0= -github.com/mitchellh/hashstructure v1.1.0/go.mod h1:xUDAozZz0Wmdiufv0uyhnHkUTN6/6d8ulp4AwfLKrmA= +github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4= +github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mmarkdown/mmark v2.0.40+incompatible h1:vMeUeDzBK3H+/mU0oMVfMuhSXJlIA+DE/DMPQNAj5C4= @@ -291,7 +265,6 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= github.com/moul/pb v0.0.0-20220425114252-bca18df4138c h1:1STmblv9zmHLDpru4dbnf1PNL6wrrZNf7yBH+SfQU+s= github.com/moul/pb v0.0.0-20220425114252-bca18df4138c/go.mod h1:jE2HT8eoucYyUPBFJMreiVlC3KPHkDMtN8wn+ef7Y64= -github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= @@ -301,17 +274,23 @@ github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QU github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag= github.com/ncabatoff/process-exporter v0.7.10 h1:+Ere7+3se6QqP54gg7aBRagWcL8bq3u5zNi/GRSWeKQ= github.com/ncabatoff/process-exporter v0.7.10/go.mod h1:DHZRZjqxw9LCOpLlX0DjBuyn6d5plh41Jv6Tmttj7Ek= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.6.1 h1:1xQPCjcqYw/J5LchOcp4/2q/jzJFjiAOc25chhnDw+Q= -github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo= -github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E= -github.com/opencontainers/runc v1.1.4 h1:nRCz/8sKg6K6jgYAFLDlXzPeITBZJyX28DBVhWD+5dg= -github.com/opencontainers/runc v1.1.4/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY= +github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= +github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/opencontainers/runc v1.1.11 h1:9LjxyVlE0BPMRP2wuQDRlHV4941Jp9rc3F0+YKimopA= +github.com/opencontainers/runc v1.1.11/go.mod h1:S+lQwSfncpBha7XTy/5lBwWgm5+y5Ma/O44Ekby9FK8= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= -github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= @@ -325,46 +304,43 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= -github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= -github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= +github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= +github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= -github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= +github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw= +github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo= github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc= github.com/prometheus/common v0.29.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls= -github.com/prometheus/common v0.39.0 h1:oOyhkDq05hPZKItWVBkJ6g6AtGxi+fy7F4JvUV8uhsI= -github.com/prometheus/common v0.39.0/go.mod h1:6XBZ7lYdLCbkAVhwRsWTZn+IN5AB9F/NXd5w0BbEX0Y= +github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y= +github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ= github.com/prometheus/exporter-toolkit v0.7.0/go.mod h1:ZUBIj498ePooX9t/2xtDjeQYwvRpiPP2lh5u4iblj2g= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA= -github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo= -github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4= +github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo= +github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= -github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= -github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= -github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA= -github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY= +github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= +github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= @@ -382,13 +358,10 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= -github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= -github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= -github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU= github.com/xlab/treeprint v1.1.0 h1:G/1DjNkPpfZCFt9CSh6b5/nY4VimlbHF3Rh4obvtzDk= github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yudai/gojsondiff v1.0.0 h1:27cbfqXLVEJ1o8I6v3y9lg8Ydm53EKqHXAOMxEGlCOA= @@ -401,8 +374,9 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a h1:CbXWHAnmrtTKgX+yMVVANuRJP8ld88ELbAYAYnBdLJ4= -github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30 h1:rzHvkiukOVYcf840FqAsHqBMhfLofvQIxWtczkGRklU= +github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30/go.mod h1:/Hzu8ych2oXCs1iNI+MeASyFzWTncQ6nlu/wgqbqC2A= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= @@ -411,8 +385,11 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= -go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= @@ -422,9 +399,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8= -golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -455,10 +431,12 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA= -golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -471,7 +449,6 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= @@ -482,25 +459,25 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/ golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU= -golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.3.0 h1:6l90koy8/LaBLmLu8jpHeHexzMwEita0zFfYlggy2F8= -golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= +golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ= +golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -511,9 +488,10 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -522,13 +500,13 @@ golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191002063906-3421d5a6bb1c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -549,33 +527,37 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ= -golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI= -golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM= -golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20220609170525-579cf78fd858 h1:Dpdu/EMxGMFgq0CeYMh4fazTD2vtlZRYE7wyynxJb9U= -golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -618,14 +600,17 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4= -golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= +gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= @@ -648,8 +633,8 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= -google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= -google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM= +google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= @@ -680,8 +665,8 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 h1:a2S6M0+660BgMNl++4JPlcAO/CjkqYItDEZwkoDQK7c= -google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 h1:Jyp0Hsi0bmHXG6k9eATXoYtjd6e2UzZ1SCn/wIupY14= +google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17/go.mod h1:oQ5rr10WTTMvP4A36n8JpR1OrO1BEiV4f78CneXZxkA= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -694,8 +679,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U= -google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww= +google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0= +google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= @@ -710,17 +695,16 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= -google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= +google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM= gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= gopkg.in/go-playground/pool.v3 v3.1.1 h1:4Qcj91IsYTpIeRhe/eo6Fz+w6uKWPEghx8vHFTYMfhw= @@ -730,6 +714,7 @@ gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/mcuadros/go-syslog.v2 v2.3.0 h1:kcsiS+WsTKyIEPABJBJtoG0KkOS6yzvJ+/eZlhD79kk= gopkg.in/mcuadros/go-syslog.v2 v2.3.0/go.mod h1:l5LPIyOOyIdQquNg+oU6Z3524YwrcqEm0aKH+5zpt2U= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -740,7 +725,6 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -750,45 +734,44 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs= -k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ= -k8s.io/apiextensions-apiserver v0.25.0 h1:CJ9zlyXAbq0FIW8CD7HHyozCMBpDSiH7EdrSTCZcZFY= -k8s.io/apiextensions-apiserver v0.25.0/go.mod h1:3pAjZiN4zw7R8aZC5gR0y3/vCkGlAjCazcg1me8iB/E= -k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= -k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= -k8s.io/apiserver v0.25.0 h1:8kl2ifbNffD440MyvHtPaIz1mw4mGKVgWqM0nL+oyu4= -k8s.io/apiserver v0.25.0/go.mod h1:BKwsE+PTC+aZK+6OJQDPr0v6uS91/HWxX7evElAH6xo= -k8s.io/cli-runtime v0.25.0 h1:XBnTc2Fi+w818jcJGzhiJKQuXl8479sZ4FhtV5hVJ1Q= -k8s.io/cli-runtime v0.25.0/go.mod h1:bHOI5ZZInRHhbq12OdUiYZQN8ml8aKZLwQgt9QlLINw= -k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8= -k8s.io/client-go v0.25.4/go.mod h1:8trHCAC83XKY0wsBIpbirZU4NTUpbuhc2JnI7OruGZw= -k8s.io/code-generator v0.25.0 h1:QP8fJuXu882ztf6dsqJsso/Btm94pMd68TAZC1rE6KI= -k8s.io/code-generator v0.25.0/go.mod h1:B6jZgI3DvDFAualltPitbYMQ74NjaCFxum3YeKZZ+3w= -k8s.io/component-base v0.25.4 h1:n1bjg9Yt+G1C0WnIDJmg2fo6wbEU1UGMRiQSjmj7hNQ= -k8s.io/component-base v0.25.4/go.mod h1:nnZJU8OP13PJEm6/p5V2ztgX2oyteIaAGKGMYb2L2cY= -k8s.io/gengo v0.0.0-20211129171323-c02415ce4185 h1:TT1WdmqqXareKxZ/oNXEUSwKlLiHzPMyB0t8BaFeBYI= -k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/api v0.27.6 h1:PBWu/lywJe2qQcshMjubzcBg7+XDZOo7O8JJAWuYtUo= +k8s.io/api v0.27.6/go.mod h1:AQYj0UsFCp3qJE7bOVnUuy4orCsXVkvHefnbYQiNWgk= +k8s.io/apiextensions-apiserver v0.27.6 h1:mOwSBJtThZhpJr+8gEkc3wFDIjq87E3JspR5mtZxIg8= +k8s.io/apiextensions-apiserver v0.27.6/go.mod h1:AVNlLYRrESG5Poo6ASRUhY2pvoKPcNt8y/IuZ4lx3o8= +k8s.io/apimachinery v0.27.6 h1:mGU8jmBq5o8mWBov+mLjdTBcU+etTE19waies4AQ6NE= +k8s.io/apimachinery v0.27.6/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= +k8s.io/apiserver v0.27.6 h1:r/eHN8r3lG2buggHrVMy++kKhHlHn1HWSX1dqDtes54= +k8s.io/apiserver v0.27.6/go.mod h1:Xeo9OEXn2kDLK5pqspjdXQx7YKgDyKSpwIB4p0BmpAQ= +k8s.io/cli-runtime v0.27.6 h1:ik1+20C0AvxYcqEzwebH2PHOlqBTKUHZnOuPtG2CCl8= +k8s.io/cli-runtime v0.27.6/go.mod h1:+qSBK08EJL1fFvsfVNlETzsgGtxIhascIGZSuaQXQro= +k8s.io/client-go v0.27.6 h1:vzI8804gpUtpMCNaFjIFyJrifH7u//LJCJPy8fQuYQg= +k8s.io/client-go v0.27.6/go.mod h1:PMsXcDKiJTW7PHJ64oEsIUJF319wm+EFlCj76oE5QXM= +k8s.io/code-generator v0.27.6 h1:1zkSDvylcA11s91aYg5U7fZ24EXMZ+KIDOj/Z3Ti4c8= +k8s.io/code-generator v0.27.6/go.mod h1:DPung1sI5vBgn4AGKtlPRQAyagj/ir/4jI55ipZHVww= +k8s.io/component-base v0.27.6 h1:hF5WxX7Tpi9/dXAbLjPVkIA6CA6Pi6r9JOHyo0uCDYI= +k8s.io/component-base v0.27.6/go.mod h1:NvjLtaneUeb0GgMPpCBF+4LNB9GuhDHi16uUTjBhQfU= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= +k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4= -k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkIFQtZShWqoha7snGixVgEA= -k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4= -k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= +k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= +k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg= -sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= -sigs.k8s.io/kustomize/api v0.12.1/go.mod h1:y3JUhimkZkR6sbLNwfJHxvo1TCLwuwm14sCYnkH6S1s= -sigs.k8s.io/kustomize/kyaml v0.13.9 h1:Qz53EAaFFANyNgyOEJbT/yoIHygK40/ZcvU3rgry2Tk= -sigs.k8s.io/kustomize/kyaml v0.13.9/go.mod h1:QsRbD0/KcU+wdk0/L0fIp2KLnohkVzs6fQ85/nOXac4= +sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= +sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/kustomize/api v0.13.2 h1:kejWfLeJhUsTGioDoFNJET5LQe/ajzXhJGYoU+pJsiA= +sigs.k8s.io/kustomize/api v0.13.2/go.mod h1:DUp325VVMFVcQSq+ZxyDisA8wtldwHxLZbr1g94UHsw= +sigs.k8s.io/kustomize/kyaml v0.14.1 h1:c8iibius7l24G2wVAGZn/Va2wNys03GXLjYVIcFVxKA= +sigs.k8s.io/kustomize/kyaml v0.14.1/go.mod h1:AN1/IpawKilWD7V+YvQwRGUvuUOOWpjsHu6uHwonSF4= sigs.k8s.io/mdtoc v1.1.0 h1:q3YtqYzmC2e0hgLXRIOm7/QLuPux1CX3ZHCwlbABxZo= sigs.k8s.io/mdtoc v1.1.0/go.mod h1:QZLVEdHH2iNIR4uHAZyvFRtjloHgVItk8lo/mzCtq3w= sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= diff --git a/go.work b/go.work new file mode 100644 index 000000000..463239b63 --- /dev/null +++ b/go.work @@ -0,0 +1,7 @@ +go 1.21 + +use ( + . + ./images/kube-webhook-certgen/rootfs + ./magefiles +) diff --git a/go.work.sum b/go.work.sum new file mode 100644 index 000000000..d73c169de --- /dev/null +++ b/go.work.sum @@ -0,0 +1,272 @@ +cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc= +cloud.google.com/go v0.110.2/go.mod h1:k04UEeEtb6ZBRTv3dZz4CeJC3jKGxyhl0sAiVVquxiw= +cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= +cloud.google.com/go v0.110.8/go.mod h1:Iz8AkXJf1qmxC3Oxoep8R1T36w8B92yU29PcBhHO5fk= +cloud.google.com/go/accessapproval v1.7.1/go.mod h1:JYczztsHRMK7NTXb6Xw+dwbs/WnOJxbo/2mTI+Kgg68= +cloud.google.com/go/accesscontextmanager v1.8.1/go.mod h1:JFJHfvuaTC+++1iL1coPiG1eu5D24db2wXCDWDjIrxo= +cloud.google.com/go/aiplatform v1.45.0/go.mod h1:Iu2Q7sC7QGhXUeOhAj/oCK9a+ULz1O4AotZiqjQ8MYA= +cloud.google.com/go/aiplatform v1.50.0/go.mod h1:IRc2b8XAMTa9ZmfJV1BCCQbieWWvDnP1A8znyz5N7y4= +cloud.google.com/go/analytics v0.21.2/go.mod h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo= +cloud.google.com/go/analytics v0.21.3/go.mod h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo= +cloud.google.com/go/apigateway v1.6.1/go.mod h1:ufAS3wpbRjqfZrzpvLC2oh0MFlpRJm2E/ts25yyqmXA= +cloud.google.com/go/apigeeconnect v1.6.1/go.mod h1:C4awq7x0JpLtrlQCr8AzVIzAaYgngRqWf9S5Uhg+wWs= +cloud.google.com/go/apigeeregistry v0.7.1/go.mod h1:1XgyjZye4Mqtw7T9TsY4NW10U7BojBvG4RMD+vRDrIw= +cloud.google.com/go/appengine v1.8.1/go.mod h1:6NJXGLVhZCN9aQ/AEDvmfzKEfoYBlfB80/BHiKVputY= +cloud.google.com/go/area120 v0.8.1/go.mod h1:BVfZpGpB7KFVNxPiQBuHkX6Ed0rS51xIgmGyjrAfzsg= +cloud.google.com/go/artifactregistry v1.14.1/go.mod h1:nxVdG19jTaSTu7yA7+VbWL346r3rIdkZ142BSQqhn5E= +cloud.google.com/go/asset v1.14.1/go.mod h1:4bEJ3dnHCqWCDbWJ/6Vn7GVI9LerSi7Rfdi03hd+WTQ= +cloud.google.com/go/assuredworkloads v1.11.1/go.mod h1:+F04I52Pgn5nmPG36CWFtxmav6+7Q+c5QyJoL18Lry0= +cloud.google.com/go/automl v1.13.1/go.mod h1:1aowgAHWYZU27MybSCFiukPO7xnyawv7pt3zK4bheQE= +cloud.google.com/go/baremetalsolution v0.5.0/go.mod h1:dXGxEkmR9BMwxhzBhV0AioD0ULBmuLZI8CdwalUxuss= +cloud.google.com/go/baremetalsolution v1.2.0/go.mod h1:68wi9AwPYkEWIUT4SvSGS9UJwKzNpshjHsH4lzk8iOw= +cloud.google.com/go/batch v0.7.0/go.mod h1:vLZN95s6teRUqRQ4s3RLDsH8PvboqBK+rn1oevL159g= +cloud.google.com/go/batch v1.4.1/go.mod h1:KdBmDD61K0ovcxoRHGrN6GmOBWeAOyCgKD0Mugx4Fkk= +cloud.google.com/go/beyondcorp v0.6.1/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4= +cloud.google.com/go/beyondcorp v1.0.0/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4= +cloud.google.com/go/bigquery v1.52.0/go.mod h1:3b/iXjRQGU4nKa87cXeg6/gogLjO8C6PmuM8i5Bi/u4= +cloud.google.com/go/bigquery v1.55.0/go.mod h1:9Y5I3PN9kQWuid6183JFhOGOW3GcirA5LpsKCUn+2ec= +cloud.google.com/go/billing v1.16.0/go.mod h1:y8vx09JSSJG02k5QxbycNRrN7FGZB6F3CAcgum7jvGA= +cloud.google.com/go/billing v1.17.0/go.mod h1:Z9+vZXEq+HwH7bhJkyI4OQcR6TSbeMrjlpEjO2vzY64= +cloud.google.com/go/binaryauthorization v1.6.1/go.mod h1:TKt4pa8xhowwffiBmbrbcxijJRZED4zrqnwZ1lKH51U= +cloud.google.com/go/binaryauthorization v1.7.0/go.mod h1:Zn+S6QqTMn6odcMU1zDZCJxPjU2tZPV1oDl45lWY154= +cloud.google.com/go/certificatemanager v1.7.1/go.mod h1:iW8J3nG6SaRYImIa+wXQ0g8IgoofDFRp5UMzaNk1UqI= +cloud.google.com/go/channel v1.16.0/go.mod h1:eN/q1PFSl5gyu0dYdmxNXscY/4Fi7ABmeHCJNf/oHmc= +cloud.google.com/go/channel v1.17.0/go.mod h1:RpbhJsGi/lXWAUM1eF4IbQGbsfVlg2o8Iiy2/YLfVT0= +cloud.google.com/go/cloudbuild v1.10.1/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU= +cloud.google.com/go/cloudbuild v1.14.0/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU= +cloud.google.com/go/clouddms v1.6.1/go.mod h1:Ygo1vL52Ov4TBZQquhz5fiw2CQ58gvu+PlS6PVXCpZI= +cloud.google.com/go/clouddms v1.7.0/go.mod h1:MW1dC6SOtI/tPNCciTsXtsGNEM0i0OccykPvv3hiYeM= +cloud.google.com/go/cloudtasks v1.11.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM= +cloud.google.com/go/cloudtasks v1.12.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM= +cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI= +cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute v1.21.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/contactcenterinsights v1.9.1/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM= +cloud.google.com/go/contactcenterinsights v1.10.0/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM= +cloud.google.com/go/container v1.22.1/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4= +cloud.google.com/go/container v1.26.0/go.mod h1:YJCmRet6+6jnYYRS000T6k0D0xUXQgBSaJ7VwI8FBj4= +cloud.google.com/go/containeranalysis v0.10.1/go.mod h1:Ya2jiILITMY68ZLPaogjmOMNkwsDrWBSTyBubGXO7j0= +cloud.google.com/go/containeranalysis v0.11.0/go.mod h1:4n2e99ZwpGxpNcz+YsFT1dfOHPQFGcAC8FN2M2/ne/U= +cloud.google.com/go/datacatalog v1.14.1/go.mod h1:d2CevwTG4yedZilwe+v3E3ZBDRMobQfSG/a6cCCN5R4= +cloud.google.com/go/datacatalog v1.17.1/go.mod h1:nCSYFHgtxh2MiEktWIz71s/X+7ds/UT9kp0PC7waCzE= +cloud.google.com/go/dataflow v0.9.1/go.mod h1:Wp7s32QjYuQDWqJPFFlnBKhkAtiFpMTdg00qGbnIHVw= +cloud.google.com/go/dataform v0.8.1/go.mod h1:3BhPSiw8xmppbgzeBbmDvmSWlwouuJkXsXsb8UBih9M= +cloud.google.com/go/datafusion v1.7.1/go.mod h1:KpoTBbFmoToDExJUso/fcCiguGDk7MEzOWXUsJo0wsI= +cloud.google.com/go/datalabeling v0.8.1/go.mod h1:XS62LBSVPbYR54GfYQsPXZjTW8UxCK2fkDciSrpRFdY= +cloud.google.com/go/dataplex v1.8.1/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE= +cloud.google.com/go/dataplex v1.9.1/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE= +cloud.google.com/go/dataproc v1.12.0/go.mod h1:zrF3aX0uV3ikkMz6z4uBbIKyhRITnxvr4i3IjKsKrw4= +cloud.google.com/go/dataproc/v2 v2.2.0/go.mod h1:lZR7AQtwZPvmINx5J87DSOOpTfof9LVZju6/Qo4lmcY= +cloud.google.com/go/dataqna v0.8.1/go.mod h1:zxZM0Bl6liMePWsHA8RMGAfmTG34vJMapbHAxQ5+WA8= +cloud.google.com/go/datastore v1.12.1/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70= +cloud.google.com/go/datastore v1.14.0/go.mod h1:GAeStMBIt9bPS7jMJA85kgkpsMkvseWWXiaHya9Jes8= +cloud.google.com/go/datastream v1.9.1/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q= +cloud.google.com/go/datastream v1.10.0/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q= +cloud.google.com/go/deploy v1.11.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g= +cloud.google.com/go/deploy v1.13.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g= +cloud.google.com/go/dialogflow v1.38.0/go.mod h1:L7jnH+JL2mtmdChzAIcXQHXMvQkE3U4hTaNltEuxXn4= +cloud.google.com/go/dialogflow v1.43.0/go.mod h1:pDUJdi4elL0MFmt1REMvFkdsUTYSHq+rTCS8wg0S3+M= +cloud.google.com/go/dlp v1.10.1/go.mod h1:IM8BWz1iJd8njcNcG0+Kyd9OPnqnRNkDV8j42VT5KOI= +cloud.google.com/go/documentai v1.20.0/go.mod h1:yJkInoMcK0qNAEdRnqY/D5asy73tnPe88I1YTZT+a8E= +cloud.google.com/go/documentai v1.22.1/go.mod h1:LKs22aDHbJv7ufXuPypzRO7rG3ALLJxzdCXDPutw4Qc= +cloud.google.com/go/domains v0.9.1/go.mod h1:aOp1c0MbejQQ2Pjf1iJvnVyT+z6R6s8pX66KaCSDYfE= +cloud.google.com/go/edgecontainer v1.1.1/go.mod h1:O5bYcS//7MELQZs3+7mabRqoWQhXCzenBu0R8bz2rwk= +cloud.google.com/go/errorreporting v0.3.0/go.mod h1:xsP2yaAp+OAW4OIm60An2bbLpqIhKXdWR/tawvl7QzU= +cloud.google.com/go/essentialcontacts v1.6.2/go.mod h1:T2tB6tX+TRak7i88Fb2N9Ok3PvY3UNbUsMag9/BARh4= +cloud.google.com/go/eventarc v1.12.1/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI= +cloud.google.com/go/eventarc v1.13.0/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI= +cloud.google.com/go/filestore v1.7.1/go.mod h1:y10jsorq40JJnjR/lQ8AfFbbcGlw3g+Dp8oN7i7FjV4= +cloud.google.com/go/firestore v1.11.0/go.mod h1:b38dKhgzlmNNGTNZZwe7ZRFEuRab1Hay3/DBsIGKKy4= +cloud.google.com/go/firestore v1.13.0/go.mod h1:QojqqOh8IntInDUSTAh0c8ZsPYAr68Ma8c5DWOy8xb8= +cloud.google.com/go/functions v1.15.1/go.mod h1:P5yNWUTkyU+LvW/S9O6V+V423VZooALQlqoXdoPz5AE= +cloud.google.com/go/gkebackup v0.4.0/go.mod h1:byAyBGUwYGEEww7xsbnUTBHIYcOPy/PgUWUtOeRm9Vg= +cloud.google.com/go/gkebackup v1.3.1/go.mod h1:vUDOu++N0U5qs4IhG1pcOnD1Mac79xWy6GoBFlWCWBU= +cloud.google.com/go/gkeconnect v0.8.1/go.mod h1:KWiK1g9sDLZqhxB2xEuPV8V9NYzrqTUmQR9shJHpOZw= +cloud.google.com/go/gkehub v0.14.1/go.mod h1:VEXKIJZ2avzrbd7u+zeMtW00Y8ddk/4V9511C9CQGTY= +cloud.google.com/go/gkemulticloud v0.6.1/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw= +cloud.google.com/go/gkemulticloud v1.0.0/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw= +cloud.google.com/go/gsuiteaddons v1.6.1/go.mod h1:CodrdOqRZcLp5WOwejHWYBjZvfY0kOphkAKpF/3qdZY= +cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0= +cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= +cloud.google.com/go/iam v1.1.2/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= +cloud.google.com/go/iap v1.8.1/go.mod h1:sJCbeqg3mvWLqjZNsI6dfAtbbV1DL2Rl7e1mTyXYREQ= +cloud.google.com/go/iap v1.9.0/go.mod h1:01OFxd1R+NFrg78S+hoPV5PxEzv22HXaNqUUlmNHFuY= +cloud.google.com/go/ids v1.4.1/go.mod h1:np41ed8YMU8zOgv53MMMoCntLTn2lF+SUzlM+O3u/jw= +cloud.google.com/go/iot v1.7.1/go.mod h1:46Mgw7ev1k9KqK1ao0ayW9h0lI+3hxeanz+L1zmbbbk= +cloud.google.com/go/kms v1.12.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= +cloud.google.com/go/kms v1.15.2/go.mod h1:3hopT4+7ooWRCjc2DxgnpESFxhIraaI2IpAVUEhbT/w= +cloud.google.com/go/language v1.10.1/go.mod h1:CPp94nsdVNiQEt1CNjF5WkTcisLiHPyIbMhvR8H2AW0= +cloud.google.com/go/language v1.11.0/go.mod h1:uDx+pFDdAKTY8ehpWbiXyQdz8tDSYLJbQcXsCkjYyvQ= +cloud.google.com/go/lifesciences v0.9.1/go.mod h1:hACAOd1fFbCGLr/+weUKRAJas82Y4vrL3O5326N//Wc= +cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M= +cloud.google.com/go/logging v1.8.1/go.mod h1:TJjR+SimHwuC8MZ9cjByQulAMgni+RkXeI3wwctHJEI= +cloud.google.com/go/longrunning v0.5.0/go.mod h1:0JNuqRShmscVAhIACGtskSAWtqtOoPkwP0YF1oVEchc= +cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc= +cloud.google.com/go/managedidentities v1.6.1/go.mod h1:h/irGhTN2SkZ64F43tfGPMbHnypMbu4RB3yl8YcuEak= +cloud.google.com/go/maps v0.7.0/go.mod h1:3GnvVl3cqeSvgMcpRlQidXsPYuDGQ8naBis7MVzpXsY= +cloud.google.com/go/maps v1.4.0/go.mod h1:6mWTUv+WhnOwAgjVsSW2QPPECmW+s3PcRyOa9vgG/5s= +cloud.google.com/go/mediatranslation v0.8.1/go.mod h1:L/7hBdEYbYHQJhX2sldtTO5SZZ1C1vkapubj0T2aGig= +cloud.google.com/go/memcache v1.10.1/go.mod h1:47YRQIarv4I3QS5+hoETgKO40InqzLP6kpNLvyXuyaA= +cloud.google.com/go/metastore v1.11.1/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA= +cloud.google.com/go/metastore v1.12.0/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA= +cloud.google.com/go/monitoring v1.15.1/go.mod h1:lADlSAlFdbqQuwwpaImhsJXu1QSdd3ojypXrFSMr2rM= +cloud.google.com/go/monitoring v1.16.0/go.mod h1:Ptp15HgAyM1fNICAojDMoNc/wUmn67mLHQfyqbw+poY= +cloud.google.com/go/networkconnectivity v1.12.1/go.mod h1:PelxSWYM7Sh9/guf8CFhi6vIqf19Ir/sbfZRUwXh92E= +cloud.google.com/go/networkconnectivity v1.13.0/go.mod h1:SAnGPes88pl7QRLUen2HmcBSE9AowVAcdug8c0RSBFk= +cloud.google.com/go/networkmanagement v1.8.0/go.mod h1:Ho/BUGmtyEqrttTgWEe7m+8vDdK74ibQc+Be0q7Fof0= +cloud.google.com/go/networkmanagement v1.9.0/go.mod h1:UTUaEU9YwbCAhhz3jEOHr+2/K/MrBk2XxOLS89LQzFw= +cloud.google.com/go/networksecurity v0.9.1/go.mod h1:MCMdxOKQ30wsBI1eI659f9kEp4wuuAueoC9AJKSPWZQ= +cloud.google.com/go/notebooks v1.9.1/go.mod h1:zqG9/gk05JrzgBt4ghLzEepPHNwE5jgPcHZRKhlC1A8= +cloud.google.com/go/notebooks v1.10.0/go.mod h1:SOPYMZnttHxqot0SGSFSkRrwE29eqnKPBJFqgWmiK2k= +cloud.google.com/go/optimization v1.4.1/go.mod h1:j64vZQP7h9bO49m2rVaTVoNM0vEBEN5eKPUPbZyXOrk= +cloud.google.com/go/optimization v1.5.0/go.mod h1:evo1OvTxeBRBu6ydPlrIRizKY/LJKo/drDMMRKqGEUU= +cloud.google.com/go/orchestration v1.8.1/go.mod h1:4sluRF3wgbYVRqz7zJ1/EUNc90TTprliq9477fGobD8= +cloud.google.com/go/orgpolicy v1.11.1/go.mod h1:8+E3jQcpZJQliP+zaFfayC2Pg5bmhuLK755wKhIIUCE= +cloud.google.com/go/osconfig v1.12.1/go.mod h1:4CjBxND0gswz2gfYRCUoUzCm9zCABp91EeTtWXyz0tE= +cloud.google.com/go/oslogin v1.10.1/go.mod h1:x692z7yAue5nE7CsSnoG0aaMbNoRJRXO4sn73R+ZqAs= +cloud.google.com/go/phishingprotection v0.8.1/go.mod h1:AxonW7GovcA8qdEk13NfHq9hNx5KPtfxXNeUxTDxB6I= +cloud.google.com/go/policytroubleshooter v1.7.1/go.mod h1:0NaT5v3Ag1M7U5r0GfDCpUFkWd9YqpubBWsQlhanRv0= +cloud.google.com/go/policytroubleshooter v1.9.0/go.mod h1:+E2Lga7TycpeSTj2FsH4oXxTnrbHJGRlKhVZBLGgU64= +cloud.google.com/go/privatecatalog v0.9.1/go.mod h1:0XlDXW2unJXdf9zFz968Hp35gl/bhF4twwpXZAW50JA= +cloud.google.com/go/pubsub v1.32.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc= +cloud.google.com/go/pubsub v1.33.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc= +cloud.google.com/go/pubsublite v1.8.1/go.mod h1:fOLdU4f5xldK4RGJrBMm+J7zMWNj/k4PxwEZXy39QS0= +cloud.google.com/go/recaptchaenterprise/v2 v2.7.2/go.mod h1:kR0KjsJS7Jt1YSyWFkseQ756D45kaYNTlDPPaRAvDBU= +cloud.google.com/go/recommendationengine v0.8.1/go.mod h1:MrZihWwtFYWDzE6Hz5nKcNz3gLizXVIDI/o3G1DLcrE= +cloud.google.com/go/recommender v1.10.1/go.mod h1:XFvrE4Suqn5Cq0Lf+mCP6oBHD/yRMA8XxP5sb7Q7gpA= +cloud.google.com/go/recommender v1.11.0/go.mod h1:kPiRQhPyTJ9kyXPCG6u/dlPLbYfFlkwHNRwdzPVAoII= +cloud.google.com/go/redis v1.13.1/go.mod h1:VP7DGLpE91M6bcsDdMuyCm2hIpB6Vp2hI090Mfd1tcg= +cloud.google.com/go/resourcemanager v1.9.1/go.mod h1:dVCuosgrh1tINZ/RwBufr8lULmWGOkPS8gL5gqyjdT8= +cloud.google.com/go/resourcesettings v1.6.1/go.mod h1:M7mk9PIZrC5Fgsu1kZJci6mpgN8o0IUzVx3eJU3y4Jw= +cloud.google.com/go/retail v1.14.1/go.mod h1:y3Wv3Vr2k54dLNIrCzenyKG8g8dhvhncT2NcNjb/6gE= +cloud.google.com/go/run v0.9.0/go.mod h1:Wwu+/vvg8Y+JUApMwEDfVfhetv30hCG4ZwDR/IXl2Qg= +cloud.google.com/go/run v1.2.0/go.mod h1:36V1IlDzQ0XxbQjUx6IYbw8H3TJnWvhii963WW3B/bo= +cloud.google.com/go/scheduler v1.10.1/go.mod h1:R63Ldltd47Bs4gnhQkmNDse5w8gBRrhObZ54PxgR2Oo= +cloud.google.com/go/secretmanager v1.11.1/go.mod h1:znq9JlXgTNdBeQk9TBW/FnR/W4uChEKGeqQWAJ8SXFw= +cloud.google.com/go/security v1.15.1/go.mod h1:MvTnnbsWnehoizHi09zoiZob0iCHVcL4AUBj76h9fXA= +cloud.google.com/go/securitycenter v1.23.0/go.mod h1:8pwQ4n+Y9WCWM278R8W3nF65QtY172h4S8aXyI9/hsQ= +cloud.google.com/go/servicedirectory v1.10.1/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ= +cloud.google.com/go/servicedirectory v1.11.0/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ= +cloud.google.com/go/shell v1.7.1/go.mod h1:u1RaM+huXFaTojTbW4g9P5emOrrmLE69KrxqQahKn4g= +cloud.google.com/go/spanner v1.47.0/go.mod h1:IXsJwVW2j4UKs0eYDqodab6HgGuA1bViSqW4uH9lfUI= +cloud.google.com/go/spanner v1.49.0/go.mod h1:eGj9mQGK8+hkgSVbHNQ06pQ4oS+cyc4tXXd6Dif1KoM= +cloud.google.com/go/speech v1.17.1/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo= +cloud.google.com/go/speech v1.19.0/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo= +cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E= +cloud.google.com/go/storagetransfer v1.10.0/go.mod h1:DM4sTlSmGiNczmV6iZyceIh2dbs+7z2Ayg6YAiQlYfA= +cloud.google.com/go/talent v1.6.2/go.mod h1:CbGvmKCG61mkdjcqTcLOkb2ZN1SrQI8MDyma2l7VD24= +cloud.google.com/go/texttospeech v1.7.1/go.mod h1:m7QfG5IXxeneGqTapXNxv2ItxP/FS0hCZBwXYqucgSk= +cloud.google.com/go/tpu v1.6.1/go.mod h1:sOdcHVIgDEEOKuqUoi6Fq53MKHJAtOwtz0GuKsWSH3E= +cloud.google.com/go/trace v1.10.1/go.mod h1:gbtL94KE5AJLH3y+WVpfWILmqgc6dXcqgNXdOPAQTYk= +cloud.google.com/go/translate v1.8.1/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs= +cloud.google.com/go/translate v1.9.0/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs= +cloud.google.com/go/video v1.17.1/go.mod h1:9qmqPqw/Ib2tLqaeHgtakU+l5TcJxCJbhFXM7UJjVzU= +cloud.google.com/go/video v1.20.0/go.mod h1:U3G3FTnsvAGqglq9LxgqzOiBc/Nt8zis8S+850N2DUM= +cloud.google.com/go/videointelligence v1.11.1/go.mod h1:76xn/8InyQHarjTWsBR058SmlPCwQjgcvoW0aZykOvo= +cloud.google.com/go/vision/v2 v2.7.2/go.mod h1:jKa8oSYBWhYiXarHPvP4USxYANYUEdEsQrloLjrSwJU= +cloud.google.com/go/vmmigration v1.7.1/go.mod h1:WD+5z7a/IpZ5bKK//YmT9E047AD+rjycCAvyMxGJbro= +cloud.google.com/go/vmwareengine v0.4.1/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0= +cloud.google.com/go/vmwareengine v1.0.0/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0= +cloud.google.com/go/vpcaccess v1.7.1/go.mod h1:FogoD46/ZU+JUBX9D606X21EnxiszYi2tArQwLY4SXs= +cloud.google.com/go/webrisk v1.9.1/go.mod h1:4GCmXKcOa2BZcZPn6DCEvE7HypmEJcJkr4mtM+sqYPc= +cloud.google.com/go/websecurityscanner v1.6.1/go.mod h1:Njgaw3rttgRHXzwCB8kgCYqv5/rGpFCsBOvPbYgszpg= +cloud.google.com/go/workflows v1.11.1/go.mod h1:Z+t10G1wF7h8LgdY/EmRcQY8ptBD/nvofaL6FqlET6g= +cloud.google.com/go/workflows v1.12.0/go.mod h1:PYhSk2b6DhZ508tj8HXKaBh+OFe+xdl0dHF/tJdzPQM= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E= +github.com/chromedp/cdproto v0.0.0-20230802225258-3cf4e6d46a89/go.mod h1:GKljq0VrfU4D5yc+2qA6OVr8pmO/MBbPEWqWQ/oqGEs= +github.com/chromedp/chromedp v0.9.2/go.mod h1:LkSXJKONWTCHAfQasKFUZI+mxqS4tZqhmtGzzhLsnLs= +github.com/chromedp/sysutil v1.0.0/go.mod h1:kgWmDdq8fTzXYcKIBqIYvRRTnYb9aNS9moAV0xufSww= +github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ= +github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk= +github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= +github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA= +github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/emicklei/go-restful v2.9.5+incompatible h1:spTtZBk5DYEvbxMVutUuTyh1Ao2r4iyvLdACqsl/Ljk= +github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g= +github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM= +github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= +github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY= +github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ= +github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/enterprise-certificate-proxy v0.2.4/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/gax-go/v2 v2.10.0/go.mod h1:4UOEnMCrxsSqQ940WnTiD6qJ63le2ev3xfyagutxiPw= +github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI= +github.com/googleapis/gax-go/v2 v2.12.0/go.mod h1:y+aIqrI5eb1YGMVJfuV3185Ts/D7qKpsEkdD5+I6QGU= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw= +github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs= +github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0= +golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= +golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= +google.golang.org/api v0.128.0/go.mod h1:Y611qgqaE92On/7g65MQgxYul3c0rEB894kniWLY750= +google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= +google.golang.org/genproto v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:CCviP9RmpZ1mxVr8MUjCnSiY09IbAXZxhLE6EhHIdPU= +google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97 h1:SeZZZx0cP0fqUyA+oRzP9k7cSwJlvDFiROO72uwD6i0= +google.golang.org/genproto v0.0.0-20231002182017-d307bd883b97/go.mod h1:t1VqOqqvce95G3hIDCT5FeO3YUc6Q4Oe24L/+rNMxRk= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:RdyHbowztCGQySiCvQPgWQWgWhGnouTdCflKoDBt32U= +google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97/go.mod h1:iargEX0SFPm3xcfMI0d1domjg0ZF4Aa0p2awqyxhvF0= +google.golang.org/genproto/googleapis/bytestream v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:ylj+BE99M198VPbBh6A8d9n3w8fChvyLK3wwBOjXBFA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13/go.mod h1:KSqppvjFjtoCI+KGd4PELB0qLNxdJHRGqRI09mB6pQA= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= +google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= +google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.57.0/go.mod h1:Sd+9RMTACXwmub0zcNY2c4arhtrbBYD1AUHI/dt16Mo= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= diff --git a/hack/generate-e2e-suite-doc.sh b/hack/generate-e2e-suite-doc.sh deleted file mode 100755 index a4ccc8fc2..000000000 --- a/hack/generate-e2e-suite-doc.sh +++ /dev/null @@ -1,53 +0,0 @@ -#!/bin/bash - -# Copyright 2020 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if [ -n "$DEBUG" ]; then - set -x -fi - -URL="https://github.com/kubernetes/ingress-nginx/tree/main/" -DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P) - -echo " - -# e2e test suite for [Ingress NGINX Controller]($URL) - -" - -for FILE in $(find $DIR/test/e2e -name "*.go");do - # describe definition - DESCRIBE=$(cat $FILE | grep -n -oP 'Describe.*') - # line number - DESCRIBE_LINE=$(echo $DESCRIBE | cut -f1 -d ':') - # clean describe, extracting the string - DESCRIBE=$(echo $DESCRIBE | sed -En 's/.*("|`)(.*)("|`).*/\2/p') - - FILE_URL=$(echo $FILE | sed "s|${DIR}/|${URL}|g") - echo " -### [$DESCRIBE]($FILE_URL#L$DESCRIBE_LINE) -" - - # extract Tests - ITS=$(cat $FILE | grep -n -oP 'It\(.*') - while IFS= read -r line; do - IT_LINE=$(echo $line | cut -f1 -d ':') - IT=$(echo $line | sed -En 's/.*("|`)(.*)("|`).*/\2/p') - echo "- [$IT]($FILE_URL#L$IT_LINE)" - done <<< "$ITS" -done diff --git a/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml index 5b36b3dd2..46f8417c7 100644 --- a/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml +++ b/hack/manifest-templates/provider/aws/nlb-with-tls-termination/values.yaml @@ -1,5 +1,9 @@ # AWS NLB with TLS termination controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/aws/values.yaml b/hack/manifest-templates/provider/aws/values.yaml index 743721fc4..37eac03c2 100644 --- a/hack/manifest-templates/provider/aws/values.yaml +++ b/hack/manifest-templates/provider/aws/values.yaml @@ -1,5 +1,9 @@ # AWS - NLB controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/baremetal/values.yaml b/hack/manifest-templates/provider/baremetal/values.yaml index 3c5a0840b..205a7430c 100644 --- a/hack/manifest-templates/provider/baremetal/values.yaml +++ b/hack/manifest-templates/provider/baremetal/values.yaml @@ -1,5 +1,9 @@ # Baremetal controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: NodePort diff --git a/hack/manifest-templates/provider/cloud/values.yaml b/hack/manifest-templates/provider/cloud/values.yaml index 7d8266c0f..edc5662dd 100644 --- a/hack/manifest-templates/provider/cloud/values.yaml +++ b/hack/manifest-templates/provider/cloud/values.yaml @@ -1,4 +1,8 @@ controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/do/values.yaml b/hack/manifest-templates/provider/do/values.yaml index 2b0578414..aeee47ad6 100644 --- a/hack/manifest-templates/provider/do/values.yaml +++ b/hack/manifest-templates/provider/do/values.yaml @@ -1,5 +1,9 @@ # Digital Ocean controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/exoscale/values.yaml b/hack/manifest-templates/provider/exoscale/values.yaml index 17458cac9..867ecc57e 100644 --- a/hack/manifest-templates/provider/exoscale/values.yaml +++ b/hack/manifest-templates/provider/exoscale/values.yaml @@ -1,6 +1,10 @@ # Exoscale controller: kind: DaemonSet + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/manifest-templates/provider/oracle/kustomization.yaml b/hack/manifest-templates/provider/oracle/kustomization.yaml new file mode 100644 index 000000000..cd6ef95be --- /dev/null +++ b/hack/manifest-templates/provider/oracle/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ../../common diff --git a/hack/manifest-templates/provider/oracle/values.yaml b/hack/manifest-templates/provider/oracle/values.yaml new file mode 100644 index 000000000..600dbfe5c --- /dev/null +++ b/hack/manifest-templates/provider/oracle/values.yaml @@ -0,0 +1,12 @@ +controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + service: + type: LoadBalancer + externalTrafficPolicy: Local + annotations: + service.beta.kubernetes.io/oci-load-balancer-shape: "flexible" + service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "10" + service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "100" diff --git a/hack/manifest-templates/provider/scw/values.yaml b/hack/manifest-templates/provider/scw/values.yaml index cee5e2b1e..56d351dcd 100644 --- a/hack/manifest-templates/provider/scw/values.yaml +++ b/hack/manifest-templates/provider/scw/values.yaml @@ -1,5 +1,9 @@ # Scaleway controller: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 service: type: LoadBalancer externalTrafficPolicy: Local diff --git a/hack/verify-chart-lint.sh b/hack/verify-chart-lint.sh index 2d59dadce..1c661ae2b 100755 --- a/hack/verify-chart-lint.sh +++ b/hack/verify-chart-lint.sh @@ -19,6 +19,4 @@ set -o nounset set -o pipefail KUBE_ROOT="$( cd "$(dirname "$0")../" >/dev/null 2>&1 ; pwd -P )" -# TODO: This is a temporary workaround while we don't update Helm Chart test -curl https://raw.githubusercontent.com/helm/chart-testing/v3.7.0/etc/chart_schema.yaml -o /tmp/chart_schema.yaml -ct lint --charts ${KUBE_ROOT}/charts/ingress-nginx --validate-maintainers=false --chart-yaml-schema=/tmp/chart_schema.yaml +ct lint --charts ${KUBE_ROOT}/charts/ingress-nginx --validate-maintainers=false diff --git a/hack/verify-golint.sh b/hack/verify-golint.sh index 7c9284880..17bcedd9f 100755 --- a/hack/verify-golint.sh +++ b/hack/verify-golint.sh @@ -22,19 +22,13 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE}")/.. cd "${KUBE_ROOT}" -GOLINT=${GOLINT:-"golint"} -PACKAGES=($(go list ./internal/... | grep -v /vendor/)) -bad_files=() -for package in "${PACKAGES[@]}"; do - out=$("${GOLINT}" -min_confidence=0.9 "${package}" | grep -v -E '(should not use dot imports|internal/file/bindata.go)' || :) - if [[ -n "${out}" ]]; then - bad_files+=("${out}") - fi -done -if [[ "${#bad_files[@]}" -ne 0 ]]; then - echo "!!! '$GOLINT' problems: " - echo "${bad_files[@]}" - exit 1 +LINT=${LINT:-golangci-lint} + +if [[ -z "$(command -v ${LINT})" ]]; then + echo "${LINT} is missing. Installing it now." + # See: https://golangci-lint.run/usage/install/#local-installation + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.53.3 + LINT=$(go env GOPATH)/bin/golangci-lint fi -# ex: ts=2 sw=2 et filetype=sh +${LINT} run diff --git a/images/kube-webhook-certgen/Makefile b/images/Makefile similarity index 53% rename from images/kube-webhook-certgen/Makefile rename to images/Makefile index f1d3edc5b..990d77231 100644 --- a/images/kube-webhook-certgen/Makefile +++ b/images/Makefile @@ -1,4 +1,4 @@ -# Copyright 2021 The Kubernetes Authors. All rights reserved. +# Copyright 2024 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,15 +14,28 @@ .DEFAULT_GOAL:=build +# set default shell SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh +INIT_BUILDX=$(DIR)/../hack/init-buildx.sh + + +BASE_IMAGE = $(shell cat $(DIR)/../NGINX_BASE) + +# The env below is called GO_VERSION and not GOLANG_VERSION because +# the gcb image we use to build already defines GOLANG_VERSION and is a +# really old version +GO_VERSION = $(shell cat $(DIR)/../GOLANG_VERSION) -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) REGISTRY ?= local +NAME ?= + +IMAGE = $(REGISTRY)/$(NAME) +TAG ?= $(shell cat $(NAME)/TAG) + +EXTRAARGS ?= $(shell cat $(NAME)/EXTRAARGS) -IMAGE = $(REGISTRY)/kube-webhook-certgen # required to enable buildx export DOCKER_CLI_EXPERIMENTAL=enabled @@ -32,17 +45,34 @@ PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x OUTPUT= PROGRESS=plain -build: ensure-buildx + +precheck: +ifndef NAME + $(error NAME variable is required) +endif + +build: precheck ensure-buildx docker buildx build \ + --label=org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx \ + --label=org.opencontainers.image.licenses=Apache-2.0 \ + --label=org.opencontainers.image.description="Ingress NGINX $(NAME) image" \ + --build-arg BASE_IMAGE=$(BASE_IMAGE) \ + --build-arg GOLANG_VERSION=$(GO_VERSION) \ --platform=${PLATFORMS} $(OUTPUT) \ --progress=$(PROGRESS) \ - --pull \ - -t $(IMAGE):$(TAG) rootfs + --pull $(EXTRAARGS) \ + -t $(IMAGE):$(TAG) $(NAME)/rootfs # push the cross built image push: OUTPUT=--push push: build +test: precheck + cd $(NAME)/rootfs && go test ./... + +test-e2e: precheck + cd $(NAME) && ./hack/e2e.sh + # enable buildx ensure-buildx: # this is required for cloudbuild @@ -53,10 +83,4 @@ else endif @echo "done" -test: - cd rootfs && go test ./... - -test-e2e: - ./hack/e2e.sh - -.PHONY: build push ensure-buildx test test-e2e +.PHONY: build push ensure-buildx test test-e2e precheck diff --git a/images/README.md b/images/README.md index 13f6bfc3c..e7e5f71a6 100644 --- a/images/README.md +++ b/images/README.md @@ -13,10 +13,11 @@ Directory | Purpose ------------ | ------------- -custom-error-pages | Example of Custom error pages for the NGINX Ingress controller +custom-error-pages | Example of Custom error pages for the Ingress-Nginx Controller e2e | Image to run e2e tests fastcgi-helloserver | FastCGI application for e2e tests grpc-fortune-teller | grpc server application for the nginx-ingress grpc example -httpbin | A simple HTTP Request & Response Service for e2e tests +httpbun | A simple HTTP Request & Response Service for e2e tests +httpbin | [Removed] we are no longer maintaining the httpbin image due to project being unmaintained nginx | NGINX base image using [alpine linux](https://www.alpinelinux.org) cfssl | Image to run cfssl commands diff --git a/images/cfssl/Makefile b/images/cfssl/Makefile deleted file mode 100644 index b1909abe3..000000000 --- a/images/cfssl/Makefile +++ /dev/null @@ -1,55 +0,0 @@ -# Copyright 2020 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# set default shell -SHELL=/bin/bash -o pipefail -o errexit - -DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh - -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) -REGISTRY ?= local - -IMAGE = $(REGISTRY)/e2e-test-cfssl - -# required to enable buildx -export DOCKER_CLI_EXPERIMENTAL=enabled - -# build with buildx -PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x -OUTPUT= -PROGRESS=plain - -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ - --pull \ - -t $(IMAGE):$(TAG) rootfs - -# push the cross built image -push: OUTPUT=--push -push: build - -# enable buildx -ensure-buildx: -# this is required for cloudbuild -ifeq ("$(wildcard $(INIT_BUILDX))","") - @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash -else - @exec $(INIT_BUILDX) -endif - @echo "done" - -.PHONY: build push ensure-buildx diff --git a/images/cfssl/TAG b/images/cfssl/TAG new file mode 100644 index 000000000..7df503e63 --- /dev/null +++ b/images/cfssl/TAG @@ -0,0 +1 @@ +v0.0.4 diff --git a/images/cfssl/cloudbuild.yaml b/images/cfssl/cloudbuild.yaml index 5fb9e0c96..32d91ca83 100644 --- a/images/cfssl/cloudbuild.yaml +++ b/images/cfssl/cloudbuild.yaml @@ -6,8 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -16,7 +14,4 @@ steps: - -c - | gcloud auth configure-docker \ - && cd images/cfssl && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" + && cd images && make NAME=cfssl push diff --git a/images/cfssl/rootfs/Dockerfile b/images/cfssl/rootfs/Dockerfile index f9370c210..2afc43c7a 100644 --- a/images/cfssl/rootfs/Dockerfile +++ b/images/cfssl/rootfs/Dockerfile @@ -12,10 +12,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.17.0 +FROM alpine:3.19.1 RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories -RUN apk add --no-cache \ +RUN apk update \ + && apk upgrade && \ + apk add --no-cache \ bash \ cfssl@testing diff --git a/images/custom-error-pages/Makefile b/images/custom-error-pages/Makefile deleted file mode 100644 index 7564b813d..000000000 --- a/images/custom-error-pages/Makefile +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright 2021 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Container image for nginx-errors. - -# set default shell -SHELL=/bin/bash -o pipefail -o errexit - -DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh - -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) -REGISTRY ?= local - -IMAGE = $(REGISTRY)/nginx-errors - -# required to enable buildx -export DOCKER_CLI_EXPERIMENTAL=enabled - -# build with buildx -PLATFORMS?=linux/amd64 -OUTPUT= -PROGRESS=plain - -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ - --pull \ - -t $(IMAGE):$(TAG) rootfs - -# push the cross built image -push: OUTPUT=--push -push: build - -# enable buildx -ensure-buildx: -# this is required for cloudbuild -ifeq ("$(wildcard $(INIT_BUILDX))","") - @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash -else - @exec $(INIT_BUILDX) -endif - @echo "done" - -.PHONY: build push ensure-buildx diff --git a/images/custom-error-pages/README.md b/images/custom-error-pages/README.md index 88983591f..cd6df3e0a 100644 --- a/images/custom-error-pages/README.md +++ b/images/custom-error-pages/README.md @@ -1,3 +1,3 @@ # custom-error-pages -Example of Custom error pages for the NGINX Ingress controller +Example of Custom error pages for the Ingress-Nginx Controller diff --git a/images/custom-error-pages/TAG b/images/custom-error-pages/TAG new file mode 100644 index 000000000..8ce995b80 --- /dev/null +++ b/images/custom-error-pages/TAG @@ -0,0 +1 @@ +v0.0.3 \ No newline at end of file diff --git a/images/custom-error-pages/cloudbuild.yaml b/images/custom-error-pages/cloudbuild.yaml index 8c96d289c..bb74da6b8 100644 --- a/images/custom-error-pages/cloudbuild.yaml +++ b/images/custom-error-pages/cloudbuild.yaml @@ -6,8 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -16,7 +14,4 @@ steps: - -c - | gcloud auth configure-docker \ - && cd images/custom-error-pages && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" + && cd images/ && make NAME=custom-error-pages push diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile index ef825dec1..1529e63f7 100755 --- a/images/custom-error-pages/rootfs/Dockerfile +++ b/images/custom-error-pages/rootfs/Dockerfile @@ -12,8 +12,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.19.4-alpine3.17 as builder -RUN apk add git +ARG GOLANG_VERSION + +FROM golang:${GOLANG_VERSION}-alpine3.18 as builder + +RUN apk update \ + && apk upgrade && apk add git WORKDIR /go/src/k8s.io/ingress-nginx/images/custom-error-pages @@ -30,6 +34,7 @@ FROM gcr.io/distroless/static:nonroot COPY --from=builder /go/src/k8s.io/ingress-nginx/images/custom-error-pages/nginx-errors / COPY --from=builder /go/src/k8s.io/ingress-nginx/images/custom-error-pages/www /www +COPY --from=builder /go/src/k8s.io/ingress-nginx/images/custom-error-pages/etc /etc USER nonroot:nonroot -CMD ["/nginx-errors"] +CMD ["/nginx-errors"] \ No newline at end of file diff --git a/images/custom-error-pages/rootfs/go.mod b/images/custom-error-pages/rootfs/go.mod index b39db8b20..37cd1fcbd 100644 --- a/images/custom-error-pages/rootfs/go.mod +++ b/images/custom-error-pages/rootfs/go.mod @@ -1,8 +1,8 @@ module k8s.io/ingress-nginx/custom-error-pages -go 1.19 +go 1.21 -require github.com/prometheus/client_golang v1.11.0 +require github.com/prometheus/client_golang v1.11.1 require ( github.com/beorn7/perks v1.0.1 // indirect @@ -12,6 +12,6 @@ require ( github.com/prometheus/client_model v0.2.0 // indirect github.com/prometheus/common v0.26.0 // indirect github.com/prometheus/procfs v0.6.0 // indirect - golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 // indirect + golang.org/x/sys v0.1.0 // indirect google.golang.org/protobuf v1.28.0 // indirect ) diff --git a/images/custom-error-pages/rootfs/go.sum b/images/custom-error-pages/rootfs/go.sum index 87cd96b26..a5f86cade 100644 --- a/images/custom-error-pages/rootfs/go.sum +++ b/images/custom-error-pages/rootfs/go.sum @@ -66,8 +66,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= -github.com/prometheus/client_golang v1.11.0 h1:HNkLOAEQMIDv/K+04rukrLx6ch7msSRwf3/SASFAGtQ= -github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= +github.com/prometheus/client_golang v1.11.1 h1:+4eQaD7vAZ6DsfsxB15hbE0odUjGI5ARs9yskGu1v4s= +github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M= @@ -113,8 +113,9 @@ golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 h1:JWgyZ1qgdTaF3N3oxC+MdTV7qvEEgHo3otj+HB5CM7Q= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/images/e2e-test-echo/EXTRAARGS b/images/e2e-test-echo/EXTRAARGS new file mode 100644 index 000000000..3db8aaa5c --- /dev/null +++ b/images/e2e-test-echo/EXTRAARGS @@ -0,0 +1 @@ +--build-arg LUAROCKS_VERSION=3.8.0 --build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \ No newline at end of file diff --git a/images/e2e-test-echo/TAG b/images/e2e-test-echo/TAG new file mode 100644 index 000000000..8ce995b80 --- /dev/null +++ b/images/e2e-test-echo/TAG @@ -0,0 +1 @@ +v0.0.3 \ No newline at end of file diff --git a/images/echo/rootfs/Dockerfile b/images/e2e-test-echo/rootfs/Dockerfile similarity index 77% rename from images/echo/rootfs/Dockerfile rename to images/e2e-test-echo/rootfs/Dockerfile index 4c9b6ab55..eaa919835 100644 --- a/images/echo/rootfs/Dockerfile +++ b/images/e2e-test-echo/rootfs/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_IMAGE FROM ${BASE_IMAGE} -RUN apk add -U perl curl make unzip +RUN apk update && apk upgrade && apk add -U --no-cache perl curl make unzip ARG LUAROCKS_VERSION ARG LUAROCKS_SHA @@ -17,4 +17,4 @@ RUN wget -O /tmp/luarocks.tgz \ RUN luarocks install lua-resty-template -COPY nginx.conf /etc/nginx/nginx.conf +COPY nginx.conf /etc/nginx/nginx.conf \ No newline at end of file diff --git a/images/echo/rootfs/nginx.conf b/images/e2e-test-echo/rootfs/nginx.conf similarity index 100% rename from images/echo/rootfs/nginx.conf rename to images/e2e-test-echo/rootfs/nginx.conf diff --git a/images/echo/Makefile b/images/echo/Makefile deleted file mode 100644 index 500704e81..000000000 --- a/images/echo/Makefile +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright 2020 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# set default shell -SHELL=/bin/bash -o pipefail -o errexit - -DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh - -TAG ?=v1.0.0 -REGISTRY ?= local - -IMAGE = $(REGISTRY)/e2e-test-echo - -# required to enable buildx -export DOCKER_CLI_EXPERIMENTAL=enabled - -BASE_IMAGE = $(shell cat $(DIR)/../../NGINX_BASE) -# build with buildx -PLATFORMS?=linux/amd64 -OUTPUT= -PROGRESS=plain - -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ - --pull \ - --build-arg BASE_IMAGE=${BASE_IMAGE} \ - --build-arg LUAROCKS_VERSION=3.8.0 \ - --build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \ - -t $(IMAGE):$(TAG) rootfs - -# push the cross built image -push: OUTPUT=--push -push: build - -# enable buildx -ensure-buildx: -# this is required for cloudbuild -ifeq ("$(wildcard $(INIT_BUILDX))","") - @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash -else - @exec $(INIT_BUILDX) -endif - @echo "done" - -.PHONY: build push ensure-buildx diff --git a/images/ext-auth-example-authsvc/Makefile b/images/ext-auth-example-authsvc/Makefile deleted file mode 100644 index 85d2f8e6b..000000000 --- a/images/ext-auth-example-authsvc/Makefile +++ /dev/null @@ -1,55 +0,0 @@ -# Copyright 2022 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# set default shell -SHELL=/bin/bash -o pipefail -o errexit - -DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh - -TAG ?=v1.0.0 -REGISTRY ?= local - -IMAGE = $(REGISTRY)/ext-auth-example-authsvc - -# required to enable buildx -export DOCKER_CLI_EXPERIMENTAL=enabled - -# build with buildx -PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x -OUTPUT= -PROGRESS=plain - -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ - --pull \ - -t $(IMAGE):$(TAG) rootfs - -# push the cross built image -push: OUTPUT=--push -push: build - -# enable buildx -ensure-buildx: -# this is required for cloudbuild -ifeq ("$(wildcard $(INIT_BUILDX))","") - @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash -else - @exec $(INIT_BUILDX) -endif - @echo "done" - -.PHONY: build push ensure-buildx diff --git a/images/ext-auth-example-authsvc/TAG b/images/ext-auth-example-authsvc/TAG new file mode 100644 index 000000000..8ce995b80 --- /dev/null +++ b/images/ext-auth-example-authsvc/TAG @@ -0,0 +1 @@ +v0.0.3 \ No newline at end of file diff --git a/images/ext-auth-example-authsvc/cloudbuild.yaml b/images/ext-auth-example-authsvc/cloudbuild.yaml index fbd5d7b63..506e20111 100644 --- a/images/ext-auth-example-authsvc/cloudbuild.yaml +++ b/images/ext-auth-example-authsvc/cloudbuild.yaml @@ -2,14 +2,12 @@ timeout: 1200s options: substitution_option: ALLOW_LOOSE # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_8 + machineType: E2_HIGHCPU_8 steps: - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -18,7 +16,4 @@ steps: - -c - | gcloud auth configure-docker \ - && cd images/ext-auth-example-authsvc && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" + && cd images/ && make NAME=ext-auth-example-authsvc push \ No newline at end of file diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile index d54df8ab9..ec611fa54 100644 --- a/images/ext-auth-example-authsvc/rootfs/Dockerfile +++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile @@ -1,4 +1,6 @@ -FROM golang:1.19.4-alpine3.17 as builder +ARG GOLANG_VERSION + +FROM golang:${GOLANG_VERSION}-alpine3.18 as builder RUN mkdir /authsvc WORKDIR /authsvc COPY . ./ @@ -7,4 +9,4 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o authsvc authsvc.go FROM gcr.io/distroless/base-debian11 COPY --from=builder /authsvc/authsvc / EXPOSE 8080 -ENTRYPOINT ["/authsvc"] +ENTRYPOINT ["/authsvc"] \ No newline at end of file diff --git a/images/ext-auth-example-authsvc/rootfs/go.mod b/images/ext-auth-example-authsvc/rootfs/go.mod index 0be630b8b..8c3abdcf2 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.mod +++ b/images/ext-auth-example-authsvc/rootfs/go.mod @@ -1,6 +1,6 @@ module example.com/authsvc -go 1.19 +go 1.21 require k8s.io/apimachinery v0.23.1 diff --git a/images/ext-auth-example-authsvc/rootfs/go.sum b/images/ext-auth-example-authsvc/rootfs/go.sum index 2ca056fae..6e3fab295 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.sum +++ b/images/ext-auth-example-authsvc/rootfs/go.sum @@ -105,7 +105,19 @@ golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= +golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -129,7 +141,12 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= diff --git a/images/fastcgi-helloserver/TAG b/images/fastcgi-helloserver/TAG new file mode 100644 index 000000000..8ce995b80 --- /dev/null +++ b/images/fastcgi-helloserver/TAG @@ -0,0 +1 @@ +v0.0.3 \ No newline at end of file diff --git a/images/fastcgi-helloserver/cloudbuild.yaml b/images/fastcgi-helloserver/cloudbuild.yaml index cb4ac2e94..e3ab3b375 100644 --- a/images/fastcgi-helloserver/cloudbuild.yaml +++ b/images/fastcgi-helloserver/cloudbuild.yaml @@ -6,8 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -16,7 +14,4 @@ steps: - -c - | gcloud auth configure-docker \ - && cd images/fastcgi-helloserver && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" + && cd images/ && make NAME=fastcgi-helloserver push \ No newline at end of file diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile index 0213baf87..eec93c844 100755 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -11,8 +11,9 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. +ARG GOLANG_VERSION -FROM golang:1.19.4-alpine3.17 as builder +FROM golang:${GOLANG_VERSION}-alpine3.18 as builder WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi @@ -29,4 +30,4 @@ FROM gcr.io/distroless/static:nonroot COPY --from=builder /go/src/k8s.io/ingress-nginx/images/fastcgi/fastcgi-helloserver / USER nonroot:nonroot -CMD ["/fastcgi-helloserver"] +CMD ["/fastcgi-helloserver"] \ No newline at end of file diff --git a/images/fastcgi-helloserver/rootfs/main.go b/images/fastcgi-helloserver/rootfs/main.go index 91db60c26..710f90f2c 100644 --- a/images/fastcgi-helloserver/rootfs/main.go +++ b/images/fastcgi-helloserver/rootfs/main.go @@ -16,15 +16,17 @@ func hello(w http.ResponseWriter, r *http.Request) { } key := keys[0] - fmt.Fprintf(w, "Hello "+string(key)+"!") + fmt.Fprintf(w, "Hello "+key+"!") } func main() { http.HandleFunc("/hello", hello) - l, err := net.Listen("tcp", "0.0.0.0:9000") + l, err := net.Listen("tcp", "0.0.0.0:9000") //nolint:gosec // Ignore the gosec error since it's a hello server if err != nil { panic(err) } - fcgi.Serve(l, nil) + if err := fcgi.Serve(l, nil); err != nil { + panic(err) + } } diff --git a/images/go-grpc-greeter-server/Makefile b/images/go-grpc-greeter-server/Makefile deleted file mode 100644 index 523b83bfb..000000000 --- a/images/go-grpc-greeter-server/Makefile +++ /dev/null @@ -1,55 +0,0 @@ -# Copyright 2021 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# set default shell -SHELL=/bin/bash -o pipefail -o errexit - -DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh - -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) -REGISTRY ?= local - -IMAGE = $(REGISTRY)/go-grpc-greeter-server - -# required to enable buildx -export DOCKER_CLI_EXPERIMENTAL=enabled - -# build with buildx -PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x -OUTPUT= -PROGRESS=plain - -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ - --pull \ - -t $(IMAGE):$(TAG) rootfs - -# push the cross built image -push: OUTPUT=--push -push: build - -# enable buildx -ensure-buildx: -# this is required for cloudbuild -ifeq ("$(wildcard $(INIT_BUILDX))","") - @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/hack/init-buildx.sh | bash -else - @exec $(INIT_BUILDX) -endif - @echo "done" - -.PHONY: build push ensure-buildx diff --git a/images/go-grpc-greeter-server/TAG b/images/go-grpc-greeter-server/TAG new file mode 100644 index 000000000..8ce995b80 --- /dev/null +++ b/images/go-grpc-greeter-server/TAG @@ -0,0 +1 @@ +v0.0.3 \ No newline at end of file diff --git a/images/go-grpc-greeter-server/cloudbuild.yaml b/images/go-grpc-greeter-server/cloudbuild.yaml index f4d6cc6d4..b690ffbec 100644 --- a/images/go-grpc-greeter-server/cloudbuild.yaml +++ b/images/go-grpc-greeter-server/cloudbuild.yaml @@ -2,14 +2,12 @@ timeout: 1200s options: substitution_option: ALLOW_LOOSE # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_8 + machineType: E2_HIGHCPU_8 steps: - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -18,7 +16,4 @@ steps: - -c - | gcloud auth configure-docker \ - && cd images/go-grpc-greeter-server && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" + && cd images/ && make NAME=go-grpc-greeter-server push \ No newline at end of file diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile index 547842512..79693eaeb 100644 --- a/images/go-grpc-greeter-server/rootfs/Dockerfile +++ b/images/go-grpc-greeter-server/rootfs/Dockerfile @@ -1,4 +1,6 @@ -FROM golang:1.19.4-alpine3.17 as build +ARG GOLANG_VERSION + +FROM golang:${GOLANG_VERSION}-alpine3.18 as build WORKDIR /go/src/greeter-server @@ -13,4 +15,4 @@ COPY --from=build /greeter-server / EXPOSE 50051 -CMD ["/greeter-server"] +CMD ["/greeter-server"] \ No newline at end of file diff --git a/images/go-grpc-greeter-server/rootfs/main.go b/images/go-grpc-greeter-server/rootfs/main.go index 569273dfd..d7fc36208 100644 --- a/images/go-grpc-greeter-server/rootfs/main.go +++ b/images/go-grpc-greeter-server/rootfs/main.go @@ -41,7 +41,7 @@ type hwServer struct { } // SayHello implements helloworld.GreeterServer -func (s *hwServer) SayHello(ctx context.Context, in *hwpb.HelloRequest) (*hwpb.HelloReply, error) { +func (s *hwServer) SayHello(_ context.Context, in *hwpb.HelloRequest) (*hwpb.HelloReply, error) { return &hwpb.HelloReply{Message: "Hello " + in.Name}, nil } @@ -49,7 +49,7 @@ type ecServer struct { ecpb.UnimplementedEchoServer } -func (s *ecServer) UnaryEcho(ctx context.Context, req *ecpb.EchoRequest) (*ecpb.EchoResponse, error) { +func (s *ecServer) UnaryEcho(_ context.Context, req *ecpb.EchoRequest) (*ecpb.EchoResponse, error) { return &ecpb.EchoResponse{Message: req.Message}, nil } diff --git a/images/httpbin/Makefile b/images/httpbin/Makefile deleted file mode 100644 index ac363dfa8..000000000 --- a/images/httpbin/Makefile +++ /dev/null @@ -1,55 +0,0 @@ -# Copyright 2020 The Kubernetes Authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# set default shell -SHELL=/bin/bash -o pipefail -o errexit - -DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) -INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh - -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) -REGISTRY ?= local - -IMAGE = $(REGISTRY)/e2e-test-httpbin - -# required to enable buildx -export DOCKER_CLI_EXPERIMENTAL=enabled - -# build with buildx -PLATFORMS?=linux/amd64,linux/arm,linux/arm64,linux/s390x -OUTPUT= -PROGRESS=plain - -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ - --pull \ - -t $(IMAGE):$(TAG) rootfs - -# push the cross built image -push: OUTPUT=--push -push: build - -# enable buildx -ensure-buildx: -# this is required for cloudbuild -ifeq ("$(wildcard $(INIT_BUILDX))","") - @curl -sSL https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/hack/init-buildx.sh | bash -else - @exec $(INIT_BUILDX) -endif - @echo "done" - -.PHONY: build push ensure-buildx diff --git a/images/httpbin/cloudbuild.yaml b/images/httpbin/cloudbuild.yaml deleted file mode 100644 index 03f269b6e..000000000 --- a/images/httpbin/cloudbuild.yaml +++ /dev/null @@ -1,24 +0,0 @@ -timeout: 1200s -options: - substitution_option: ALLOW_LOOSE - # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_8 -steps: - - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 - entrypoint: bash - env: - - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - - REGISTRY=gcr.io/k8s-staging-ingress-nginx - # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx - # set the home to /root explicitly to if using docker buildx - - HOME=/root - args: - - -c - - | - gcloud auth configure-docker \ - && cd images/httpbin && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" diff --git a/images/httpbun/TAG b/images/httpbun/TAG new file mode 100644 index 000000000..8ce995b80 --- /dev/null +++ b/images/httpbun/TAG @@ -0,0 +1 @@ +v0.0.3 \ No newline at end of file diff --git a/images/echo/cloudbuild.yaml b/images/httpbun/cloudbuild.yaml similarity index 77% rename from images/echo/cloudbuild.yaml rename to images/httpbun/cloudbuild.yaml index 8349b5a7f..c532a3908 100644 --- a/images/echo/cloudbuild.yaml +++ b/images/httpbun/cloudbuild.yaml @@ -1,13 +1,13 @@ timeout: 1200s options: substitution_option: ALLOW_LOOSE + # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. + machineType: E2_HIGHCPU_8 steps: - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -16,7 +16,4 @@ steps: - -c - | gcloud auth configure-docker \ - && cd images/echo && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" + && cd images/ && make NAME=httpbun push \ No newline at end of file diff --git a/images/httpbin/rootfs/Dockerfile b/images/httpbun/rootfs/Dockerfile similarity index 59% rename from images/httpbin/rootfs/Dockerfile rename to images/httpbun/rootfs/Dockerfile index 1a9b55ba5..ada137ee9 100644 --- a/images/httpbin/rootfs/Dockerfile +++ b/images/httpbun/rootfs/Dockerfile @@ -12,21 +12,25 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.17.0 +ARG GOLANG_VERSION + +FROM golang:${GOLANG_VERSION} AS builder ENV LC_ALL=C.UTF-8 ENV LANG=C.UTF-8 +ENV HTTPBUN_COMMIT=a6b387c438b664322734250e426b6966966c2fe4 -RUN apk update \ - && apk add --no-cache \ - python3 python3-dev \ - musl-dev gcc g++ make \ - libffi libffi-dev libstdc++ \ - py3-gevent py3-gunicorn py3-wheel \ - py3-pip \ - && pip3 install httpbin \ - && apk del python3-dev musl-dev gcc g++ make libffi-dev +RUN git clone https://github.com/sharat87/httpbun.git +WORKDIR httpbun +RUN git checkout $HTTPBUN_COMMIT +RUN CGO_ENABLED=0 GOOS=linux go build \ + -installsuffix cgo \ + -trimpath \ + -o bin/httpbun . + +FROM scratch +COPY --from=builder /go/httpbun/bin/httpbun httpbun +ENV HTTPBUN_BIND=0.0.0.0:80 EXPOSE 80 - -CMD ["gunicorn", "-b", "0.0.0.0:80", "httpbin:app", "-k", "gevent"] +ENTRYPOINT ["/httpbun"] \ No newline at end of file diff --git a/images/kube-webhook-certgen/TAG b/images/kube-webhook-certgen/TAG new file mode 100644 index 000000000..95e94cdd3 --- /dev/null +++ b/images/kube-webhook-certgen/TAG @@ -0,0 +1 @@ +v0.0.1 \ No newline at end of file diff --git a/images/kube-webhook-certgen/cloudbuild.yaml b/images/kube-webhook-certgen/cloudbuild.yaml index 127dee6eb..690f13126 100644 --- a/images/kube-webhook-certgen/cloudbuild.yaml +++ b/images/kube-webhook-certgen/cloudbuild.yaml @@ -21,8 +21,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -31,7 +29,4 @@ steps: - -c - | gcloud auth configure-docker \ - && cd images/kube-webhook-certgen && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "main" + && cd images/ && make NAME=kube-webhook-certgen push diff --git a/images/kube-webhook-certgen/rootfs/Dockerfile b/images/kube-webhook-certgen/rootfs/Dockerfile index 32847fd39..7ec098a99 100644 --- a/images/kube-webhook-certgen/rootfs/Dockerfile +++ b/images/kube-webhook-certgen/rootfs/Dockerfile @@ -12,10 +12,14 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM golang:1.19.4 as builder +ARG GOLANG_VERSION + +FROM --platform=$BUILDPLATFORM golang:${GOLANG_VERSION} as builder + ARG BUILDPLATFORM ARG TARGETARCH + WORKDIR /workspace COPY . . RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -a -o kube-webhook-certgen main.go @@ -23,6 +27,9 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -a -o kube-webhook-ce FROM --platform=$BUILDPLATFORM gcr.io/distroless/static:nonroot ARG BUILDPLATFORM ARG TARGETARCH + +LABEL org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx + WORKDIR / COPY --from=builder /workspace/kube-webhook-certgen /kube-webhook-certgen USER 65532:65532 diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index b98adf58b..7e321dc49 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod @@ -1,48 +1,63 @@ module github.com/jet/kube-webhook-certgen -go 1.19 +go 1.21 require ( github.com/onrik/logrus v0.9.0 - github.com/sirupsen/logrus v1.8.1 - github.com/spf13/cobra v1.1.3 - k8s.io/api v0.22.6 - k8s.io/apimachinery v0.22.6 - k8s.io/client-go v0.22.6 + github.com/sirupsen/logrus v1.9.0 + github.com/spf13/cobra v1.7.0 + k8s.io/api v0.27.6 + k8s.io/apimachinery v0.27.6 + k8s.io/client-go v0.27.6 k8s.io/kube-aggregator v0.22.6 ) require ( github.com/davecgh/go-spew v1.1.1 // indirect - github.com/evanphx/json-patch v4.11.0+incompatible // indirect - github.com/go-logr/logr v0.4.0 // indirect + github.com/emicklei/go-restful/v3 v3.10.2 // indirect + github.com/evanphx/json-patch v4.12.0+incompatible // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.1 // indirect + github.com/go-openapi/swag v0.22.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang/protobuf v1.5.2 // indirect - github.com/google/go-cmp v0.5.5 // indirect + github.com/golang/protobuf v1.5.3 // indirect + github.com/google/gnostic v0.5.7-v3refs // indirect + github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.1.0 // indirect - github.com/googleapis/gnostic v0.5.5 // indirect - github.com/imdario/mergo v0.3.5 // indirect - github.com/inconshreveable/mousetrap v1.0.0 // indirect - github.com/json-iterator/go v1.1.11 // indirect + github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect + github.com/google/uuid v1.3.1 // indirect + github.com/imdario/mergo v0.3.6 // indirect + github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/josharian/intern v1.0.0 // indirect + github.com/json-iterator/go v1.1.12 // indirect + github.com/kr/pretty v0.3.1 // indirect + github.com/mailru/easyjson v0.7.7 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.1 // indirect + github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/onsi/ginkgo/v2 v2.13.0 // indirect + github.com/onsi/gomega v1.27.10 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/stretchr/testify v1.8.4 // indirect github.com/tidwall/gjson v1.14.0 // indirect - golang.org/x/net v0.1.0 // indirect - golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect - golang.org/x/sys v0.1.0 // indirect - golang.org/x/term v0.1.0 // indirect - golang.org/x/text v0.4.0 // indirect - golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect - google.golang.org/appengine v1.6.5 // indirect - google.golang.org/protobuf v1.26.0 // indirect + golang.org/x/net v0.17.0 // indirect + golang.org/x/oauth2 v0.12.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/term v0.13.0 // indirect + golang.org/x/text v0.13.0 // indirect + golang.org/x/time v0.3.0 // indirect + golang.org/x/tools v0.14.0 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - gopkg.in/yaml.v3 v3.0.0 // indirect - k8s.io/klog/v2 v2.9.0 // indirect - k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c // indirect - k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect - sigs.k8s.io/yaml v1.2.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/klog/v2 v2.100.1 // indirect + k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect + k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/images/kube-webhook-certgen/rootfs/go.sum b/images/kube-webhook-certgen/rootfs/go.sum index 0270e3297..004bd7d96 100644 --- a/images/kube-webhook-certgen/rootfs/go.sum +++ b/images/kube-webhook-certgen/rootfs/go.sum @@ -77,6 +77,7 @@ github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -89,21 +90,22 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE= +github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v4.11.0+incompatible h1:glyUF9yIYtMHzn8xaKw5rMhdWcwsYV8dZHIq5567/xs= github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= @@ -118,15 +120,25 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc= github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= github.com/go-openapi/jsonreference v0.19.5/go.mod h1:RdybgQwPxbL4UEjuAruzK1x3nE69AqPYEJeo/TWfEeg= +github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= @@ -159,19 +171,23 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA= +github.com/google/gnostic v0.5.7-v3refs h1:FhTMOKj2VhjpouxvWJAV1TL304uMlb9zcDqkl6cEI54= +github.com/google/gnostic v0.5.7-v3refs/go.mod h1:73MKFl6jIHelAJNaBGFzt3SPtZULs9dYrGFt8OiIsHQ= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -181,13 +197,16 @@ github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OI github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 h1:pUa4ghanp6q4IJHwE9RwLgmVFfReJN+KbQ8ExNEUUoQ= +github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU= -github.com/googleapis/gnostic v0.5.5 h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw= github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= @@ -219,18 +238,22 @@ github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2p github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= -github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= +github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= +github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= +github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8= +github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= +github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= @@ -245,6 +268,9 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxv github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -253,6 +279,8 @@ github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= @@ -272,16 +300,16 @@ github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= +github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/onrik/logrus v0.9.0 h1:oT7VstCUxWBoX7fswYK61fi9bzRBSpROq5CR2b7wxQo= @@ -289,16 +317,19 @@ github.com/onrik/logrus v0.9.0/go.mod h1:qfe9NeZVAJfIxviw3cYkZo3kvBtLoPRJriAO8zl github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.0 h1:2mOpI4JVVPBN+WQRa0WKH2eXR+Ey+uK4n7Zj0aYpIQA= github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= +github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= @@ -330,7 +361,11 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= @@ -338,8 +373,9 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= +github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= @@ -348,8 +384,9 @@ github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasO github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cobra v1.1.3 h1:xghbfqPkxzxP3C/f3n5DdpAbdKLj4ZE4BWQI362l53M= github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo= +github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= +github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= @@ -359,13 +396,19 @@ github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5q github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/tidwall/gjson v1.14.0 h1:6aeJ0bzojgWLa82gDQHcx3S0Lr/O51I9bJ5nv6JFx5w= github.com/tidwall/gjson v1.14.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= @@ -484,14 +527,15 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= -golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= +golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -545,16 +589,15 @@ golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= -golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= -golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -562,14 +605,15 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs= golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= +golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -610,10 +654,11 @@ golang.org/x/tools v0.0.0-20200505023115-26f46d2f7ef8/go.mod h1:EkVYQZoAsY45+roY golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= +golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= @@ -629,8 +674,9 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= -google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= @@ -678,14 +724,16 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= @@ -694,7 +742,6 @@ gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -708,10 +755,9 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA= -gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= @@ -720,33 +766,43 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.22.6 h1:acjE5ABt0KpsBI9QCtLqaQEPSF94jOtE/LoFxSYasSE= k8s.io/api v0.22.6/go.mod h1:q1F7IfaNrbi/83ebLy3YFQYLjPSNyunZ/IXQxMmbwCg= -k8s.io/apimachinery v0.22.6 h1:z7vxNRkFX0NToA+8D17kzLZ/T4t+DqwzUlqqbqRepRs= +k8s.io/api v0.27.6 h1:PBWu/lywJe2qQcshMjubzcBg7+XDZOo7O8JJAWuYtUo= +k8s.io/api v0.27.6/go.mod h1:AQYj0UsFCp3qJE7bOVnUuy4orCsXVkvHefnbYQiNWgk= k8s.io/apimachinery v0.22.6/go.mod h1:ZvVLP5iLhwVFg2Yx9Gh5W0um0DUauExbRhe+2Z8I1EU= +k8s.io/apimachinery v0.27.6 h1:mGU8jmBq5o8mWBov+mLjdTBcU+etTE19waies4AQ6NE= +k8s.io/apimachinery v0.27.6/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= k8s.io/apiserver v0.22.6/go.mod h1:OlL1rGa2kKWGj2JEXnwBcul/BwC9Twe95gm4ohtiIIs= -k8s.io/client-go v0.22.6 h1:ugAXeC312xeGXsn7zTRz+btgtLBnW3qYhtUUpVQL7YE= k8s.io/client-go v0.22.6/go.mod h1:TffU4AV2idZGeP+g3kdFZP+oHVHWPL1JYFySOALriw0= +k8s.io/client-go v0.27.6 h1:vzI8804gpUtpMCNaFjIFyJrifH7u//LJCJPy8fQuYQg= +k8s.io/client-go v0.27.6/go.mod h1:PMsXcDKiJTW7PHJ64oEsIUJF319wm+EFlCj76oE5QXM= k8s.io/code-generator v0.22.6/go.mod h1:iOZwYADSgFPNGWfqHFfg1V0TNJnl1t0WyZluQp4baqU= k8s.io/component-base v0.22.6/go.mod h1:ngHLefY4J5fq2fApNdbWyj4yh0lvw36do4aAjNN8rc8= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM= k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= +k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= +k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/kube-aggregator v0.22.6 h1:/iaXzOWia2dqOQkIA9eJtkmfTveJMLz3Dci9ZA/WgmU= k8s.io/kube-aggregator v0.22.6/go.mod h1:0RSTzxqiwsj5HUlov195Z72ZKyE4qgedKXCl6sLKAjM= -k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c h1:jvamsI1tn9V0S8jicyX82qaFC0H/NKxv2e5mbqsgR80= k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= -k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a h1:8dYfu/Fc9Gz2rNJKB9IQRGgQOh2clmRzNIPPY1xLY5g= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= +k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= -sigs.k8s.io/structured-merge-diff/v4 v4.2.1 h1:bKCqE9GvQ5tiVHn5rfn1r+yao3aLQEaLzkkmAkf+A6Y= sigs.k8s.io/structured-merge-diff/v4 v4.2.1/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4= -sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= +sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go index 0034235fb..6018b4253 100644 --- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go +++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s.go @@ -105,7 +105,7 @@ func (k8s *k8s) patchAPIService(ctx context.Context, objectName string, ca []byt return nil } -// PatchWebhookConfigurations will patch validatingWebhook and mutatingWebhook clientConfig configurations with +// patchWebhookConfigurations will patch validatingWebhook and mutatingWebhook clientConfig configurations with // the provided ca data. If failurePolicy is provided, patch all webhooks with this value func (k8s *k8s) patchWebhookConfigurations( ctx context.Context, diff --git a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go index deaeb3540..f11bef981 100644 --- a/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go +++ b/images/kube-webhook-certgen/rootfs/pkg/k8s/k8s_test.go @@ -3,8 +3,8 @@ package k8s import ( "bytes" "context" + "crypto/rand" "errors" - "math/rand" "testing" "time" diff --git a/images/fastcgi-helloserver/Makefile b/images/nginx-1.25/Makefile similarity index 79% rename from images/fastcgi-helloserver/Makefile rename to images/nginx-1.25/Makefile index c1b54703f..e03197109 100644 --- a/images/fastcgi-helloserver/Makefile +++ b/images/nginx-1.25/Makefile @@ -1,4 +1,4 @@ -# Copyright 2020 The Kubernetes Authors. +# Copyright 2024 The Kubernetes Authors. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Docker image for e2e testing. +.DEFAULT_GOAL:=build # set default shell SHELL=/bin/bash -o pipefail -o errexit @@ -20,10 +20,13 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) -REGISTRY ?= local +# 0.0.0 shouldn't clobber any released builds +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=$(shell cat TAG) -IMAGE = $(REGISTRY)/e2e-test-fastcgi-helloserver +REGISTRY ?= gcr.io/k8s-staging-ingress-nginx + +IMAGE = $(REGISTRY)/nginx-1.25 # required to enable buildx export DOCKER_CLI_EXPERIMENTAL=enabled @@ -32,13 +35,12 @@ export DOCKER_CLI_EXPERIMENTAL=enabled PLATFORMS?=linux/amd64,linux/arm,linux/arm64 OUTPUT= PROGRESS=plain - build: ensure-buildx docker buildx build \ --platform=${PLATFORMS} $(OUTPUT) \ --progress=$(PROGRESS) \ --pull \ - -t $(IMAGE):$(TAG) rootfs + --tag $(IMAGE):$(TAG) rootfs # push the cross built image push: OUTPUT=--push @@ -54,4 +56,4 @@ else endif @echo "done" -.PHONY: build push ensure-buildx +.PHONY: build push ensure-buildx \ No newline at end of file diff --git a/images/nginx-1.25/README.md b/images/nginx-1.25/README.md new file mode 100644 index 000000000..8d5f44a62 --- /dev/null +++ b/images/nginx-1.25/README.md @@ -0,0 +1,3 @@ +NGINX 1.25 base image + +**Don't use in production!!!** \ No newline at end of file diff --git a/images/nginx-1.25/TAG b/images/nginx-1.25/TAG new file mode 100644 index 000000000..8ce995b80 --- /dev/null +++ b/images/nginx-1.25/TAG @@ -0,0 +1 @@ +v0.0.3 \ No newline at end of file diff --git a/images/nginx-1.25/cloudbuild.yaml b/images/nginx-1.25/cloudbuild.yaml new file mode 100644 index 000000000..c94539165 --- /dev/null +++ b/images/nginx-1.25/cloudbuild.yaml @@ -0,0 +1,17 @@ +timeout: 10800s +options: + substitution_option: ALLOW_LOOSE + # job builds a multi-arch docker image for amd64,arm,arm64 + machineType: E2_HIGHCPU_32 +steps: + - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90' + entrypoint: bash + env: + - DOCKER_CLI_EXPERIMENTAL=enabled + - REGISTRY=gcr.io/k8s-staging-ingress-nginx + - HOME=/root + args: + - -c + - | + gcloud auth configure-docker \ + && cd images/nginx-1.25 && make push \ No newline at end of file diff --git a/images/nginx-1.25/rootfs/Dockerfile b/images/nginx-1.25/rootfs/Dockerfile new file mode 100644 index 000000000..385b4ba02 --- /dev/null +++ b/images/nginx-1.25/rootfs/Dockerfile @@ -0,0 +1,74 @@ +# Copyright 2024 The Kubernetes Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM alpine:3.19.1 as builder + +COPY . / + +RUN apk update \ + && apk upgrade \ + && apk add -U bash --no-cache \ + && /build.sh + +# Use a multi-stage build +FROM alpine:3.19.1 + +ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin + +ENV LUA_PATH="/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1/?.lua;/usr/local/lib/lua/?.lua;;" +ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;" + +COPY --from=builder /usr/local /usr/local +COPY --from=builder /opt /opt +COPY --from=builder /etc/nginx /etc/nginx + +RUN apk update \ + && apk upgrade \ + && apk add -U --no-cache \ + bash \ + openssl \ + pcre \ + zlib \ + ca-certificates \ + patch \ + yajl \ + lmdb \ + libxml2 \ + libmaxminddb \ + yaml-cpp \ + dumb-init \ + tzdata \ + grpc-cpp \ + libprotobuf \ + && apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-exporter-otlp-common opentelemetry-cpp-exporter-otlp-grpc \ + && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \ + && adduser -S -D -H -u 101 -h /usr/local/nginx \ + -s /sbin/nologin -G www-data -g www-data www-data \ + && bash -eu -c ' \ + writeDirs=( \ + /var/log/nginx \ + /var/lib/nginx/body \ + /var/lib/nginx/fastcgi \ + /var/lib/nginx/proxy \ + /var/lib/nginx/scgi \ + /var/lib/nginx/uwsgi \ + /var/log/audit \ + ); \ + for dir in "${writeDirs[@]}"; do \ + mkdir -p ${dir}; \ + chown -R www-data.www-data ${dir}; \ + done' + +EXPOSE 80 443 + +CMD ["nginx", "-g", "daemon off;"] diff --git a/images/nginx-1.25/rootfs/build.sh b/images/nginx-1.25/rootfs/build.sh new file mode 100755 index 000000000..0fded23d6 --- /dev/null +++ b/images/nginx-1.25/rootfs/build.sh @@ -0,0 +1,598 @@ +#!/bin/bash + +# Copyright 2023 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -o errexit +set -o nounset +set -o pipefail + +export NGINX_VERSION=1.25.3 + +# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.3...master +export NDK_VERSION=v0.3.3 + +# Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master +export SETMISC_VERSION=796f5a3e518748eb29a93bd450324e0ad45b704e + +# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.34...master +export MORE_HEADERS_VERSION=v0.37 + +# Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master +export NGINX_DIGEST_AUTH=v1.0.0 + +# Check for recent changes: https://github.com/yaoweibin/ngx_http_substitutions_filter_module/compare/v0.6.4...master +export NGINX_SUBSTITUTIONS=e12e965ac1837ca709709f9a26f572a54d83430e + +# Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master +export MODSECURITY_VERSION=v1.0.3 + +# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master +export MODSECURITY_LIB_VERSION=v3.0.11 + +# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master +export OWASP_MODSECURITY_CRS_VERSION=v3.3.5 + +# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.25...master +export LUA_NGX_VERSION=v0.10.26 + +# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.13...master +export LUA_STREAM_NGX_VERSION=v0.0.14 + +# Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master +export LUA_UPSTREAM_VERSION=542be0893543a4e42d89f6dd85372972f5ff2a36 + +# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.11...openresty:master +export LUA_CJSON_VERSION=2.1.0.13 + +# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.4...master +export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425 + +# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20230410...v2.1-agentzh +export LUAJIT_VERSION=v2.1-20231117 + +# Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.04...master +export LUA_RESTY_BALANCER=1cd4363c0a239afe4765ec607dcfbbb4e5900eea + +# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.13...master +export LUA_RESTY_CACHE=99e7578465b40f36f596d099b82eab404f2b42ed + +# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master +export LUA_RESTY_CORE=v0.1.28 + +# Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/v0.1.0...master +export LUA_RESTY_COOKIE_VERSION=f418d77082eaef48331302e84330488fdc810ef4 + +# Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.22...master +export LUA_RESTY_DNS=8bb53516e2933e61c317db740a9b7c2048847c2f + +# Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.16.1...master +export LUA_RESTY_HTTP=v0.17.1 + +# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master +export LUA_RESTY_LOCK=405d0bf4cbfa74d742c6ed3158d442221e6212a9 + +# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master +export LUA_RESTY_UPLOAD_VERSION=979372cce011f3176af3c9aff53fd0e992c4bfd3 + +# Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master +export LUA_RESTY_STRING_VERSION=6f1bc21d86daef804df3cc34d6427ef68da26844 + +# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master +export LUA_RESTY_MEMCACHED_VERSION=2f02b68bf65fa2332cce070674a93a69a6c7239b + +# Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master +export LUA_RESTY_REDIS_VERSION=8641b9f1b6f75cca50c90cf8ca5c502ad8950aa8 + +# Check for recent changes: https://github.com/api7/lua-resty-ipmatcher/compare/v0.6.1...master +export LUA_RESTY_IPMATCHER_VERSION=3e93c53eb8c9884efe939ef070486a0e507cc5be + +# Check for recent changes: https://github.com/ElvinEfendi/lua-resty-global-throttle/compare/v0.2.0...main +export LUA_RESTY_GLOBAL_THROTTLE_VERSION=v0.2.0 + +# Check for recent changes: https://github.com/microsoft/mimalloc/compare/v1.7.6...master +export MIMALOC_VERSION=v2.1.2 + +export BUILD_PATH=/tmp/build + +ARCH=$(uname -m) + +get_src() +{ + hash="$1" + url="$2" + dest="${3-}" + ARGS="" + f=$(basename "$url") + + echo "Downloading $url" + + curl -sSL "$url" -o "$f" + # echo "$hash $f" | sha256sum -c - || exit 10 + if [ ! -z "$dest" ]; then + mkdir ${BUILD_PATH}/${dest} + ARGS="-C ${BUILD_PATH}/${dest} --strip-components=1" + fi + tar xvzf "$f" $ARGS + rm -rf "$f" +} + +# install required packages to build +# Dependencies from "ninja" and below are OTEL dependencies +apk add \ + bash \ + gcc \ + clang \ + libc-dev \ + make \ + automake \ + openssl-dev \ + pcre-dev \ + zlib-dev \ + linux-headers \ + libxslt-dev \ + gd-dev \ + perl-dev \ + libedit-dev \ + mercurial \ + alpine-sdk \ + findutils \ + curl \ + ca-certificates \ + patch \ + libaio-dev \ + openssl \ + cmake \ + util-linux \ + lmdb-tools \ + wget \ + curl-dev \ + libprotobuf \ + git g++ pkgconf flex bison doxygen yajl-dev lmdb-dev libtool autoconf libxml2 libxml2-dev \ + python3 \ + libmaxminddb-dev \ + bc \ + unzip \ + dos2unix \ + yaml-cpp \ + coreutils \ + ninja \ + gtest-dev \ + git \ + build-base \ + pkgconfig \ + c-ares-dev \ + re2-dev \ + grpc-dev \ + protobuf-dev + +apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev + +# There is some bug with some platforms and git, so force HTTP/1.1 +git config --global http.version HTTP/1.1 +git config --global http.postBuffer 157286400 + +mkdir -p /etc/nginx + +mkdir --verbose -p "$BUILD_PATH" +cd "$BUILD_PATH" + +# download, verify and extract the source files +get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ + "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" + +get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \ + "https://github.com/vision5/ngx_devel_kit/archive/$NDK_VERSION.tar.gz" "ngx_devel_kit" + +get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ + "https://github.com/openresty/set-misc-nginx-module/archive/$SETMISC_VERSION.tar.gz" "set-misc-nginx-module" + +get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \ + "https://github.com/openresty/headers-more-nginx-module/archive/$MORE_HEADERS_VERSION.tar.gz" "headers-more-nginx-module" + +get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ + "https://github.com/atomx/nginx-http-auth-digest/archive/$NGINX_DIGEST_AUTH.tar.gz" "nginx-http-auth-digest" + +get_src a98b48947359166326d58700ccdc27256d2648218072da138ab6b47de47fbd8f \ + "https://github.com/yaoweibin/ngx_http_substitutions_filter_module/archive/$NGINX_SUBSTITUTIONS.tar.gz" "ngx_http_substitutions_filter_module" + +get_src 32a42256616cc674dca24c8654397390adff15b888b77eb74e0687f023c8751b \ + "https://github.com/SpiderLabs/ModSecurity-nginx/archive/$MODSECURITY_VERSION.tar.gz" "ModSecurity-nginx" + +get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ + "https://github.com/openresty/lua-nginx-module/archive/$LUA_NGX_VERSION.tar.gz" "lua-nginx-module" + +get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \ + "https://github.com/openresty/stream-lua-nginx-module/archive/$LUA_STREAM_NGX_VERSION.tar.gz" "stream-lua-nginx-module" + +get_src a92c9ee6682567605ece55d4eed5d1d54446ba6fba748cff0a2482aea5713d5f \ + "https://github.com/openresty/lua-upstream-nginx-module/archive/$LUA_UPSTREAM_VERSION.tar.gz" "lua-upstream-nginx-module" + +get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \ + "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" "luajit2" + +get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \ + "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" "ngx_http_geoip2_module" + +get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \ + "https://github.com/openresty/lua-resty-upload/archive/$LUA_RESTY_UPLOAD_VERSION.tar.gz" "lua-resty-upload" + +get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ + "https://github.com/openresty/lua-resty-string/archive/$LUA_RESTY_STRING_VERSION.tar.gz" "lua-resty-string" + +get_src 16d72ed133f0c6df376a327386c3ef4e9406cf51003a700737c3805770ade7c5 \ + "https://github.com/openresty/lua-resty-balancer/archive/$LUA_RESTY_BALANCER.tar.gz" "lua-resty-balancer" + +get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \ + "https://github.com/openresty/lua-resty-core/archive/$LUA_RESTY_CORE.tar.gz" "lua-resty-core" + +get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \ + "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" "lua-cjson" + +get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ + "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" "lua-resty-cookie" + +get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \ + "https://github.com/openresty/lua-resty-lrucache/archive/$LUA_RESTY_CACHE.tar.gz" "lua-resty-lrucache" + +get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \ + "https://github.com/openresty/lua-resty-lock/archive/$LUA_RESTY_LOCK.tar.gz" "lua-resty-lock" + +get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ + "https://github.com/openresty/lua-resty-dns/archive/$LUA_RESTY_DNS.tar.gz" "lua-resty-dns" + +get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ + "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" "lua-resty-http" + +get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \ + "https://github.com/openresty/lua-resty-memcached/archive/$LUA_RESTY_MEMCACHED_VERSION.tar.gz" "lua-resty-memcached" + +get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ + "https://github.com/openresty/lua-resty-redis/archive/$LUA_RESTY_REDIS_VERSION.tar.gz" "lua-resty-redis" + +get_src efb767487ea3f6031577b9b224467ddbda2ad51a41c5867a47582d4ad85d609e \ + "https://github.com/api7/lua-resty-ipmatcher/archive/$LUA_RESTY_IPMATCHER_VERSION.tar.gz" "lua-resty-ipmatcher" + +get_src 0fb790e394510e73fdba1492e576aaec0b8ee9ef08e3e821ce253a07719cf7ea \ + "https://github.com/ElvinEfendi/lua-resty-global-throttle/archive/$LUA_RESTY_GLOBAL_THROTTLE_VERSION.tar.gz" "lua-resty-global-throttle" + +get_src d74f86ada2329016068bc5a243268f1f555edd620b6a7d6ce89295e7d6cf18da \ + "https://github.com/microsoft/mimalloc/archive/${MIMALOC_VERSION}.tar.gz" "mimalloc" + +# improve compilation times +CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) + +export MAKEFLAGS=-j${CORES} +export CTEST_BUILD_FLAGS=${MAKEFLAGS} + +# Install luajit from openresty fork +export LUAJIT_LIB=/usr/local/lib +export LUA_LIB_DIR="$LUAJIT_LIB/lua" +export LUAJIT_INC=/usr/local/include/luajit-2.1 + +cd "$BUILD_PATH/luajit2" +make CCDEBUG=-g +make install + +ln -s /usr/local/bin/luajit /usr/local/bin/lua +ln -s "$LUAJIT_INC" /usr/local/include/lua + +cd "$BUILD_PATH" + +# Git tuning +git config --global --add core.compression -1 + +# Get Brotli source and deps +cd "$BUILD_PATH" +git clone --depth=100 https://github.com/google/ngx_brotli.git +cd ngx_brotli +# https://github.com/google/ngx_brotli/issues/156 +git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52 +git submodule init +git submodule update + +cd "$BUILD_PATH" +git clone --depth=1 https://github.com/ssdeep-project/ssdeep +cd ssdeep/ + +./bootstrap +./configure + +make +make install + +# build modsecurity library +cd "$BUILD_PATH" +git clone -n https://github.com/SpiderLabs/ModSecurity +cd ModSecurity/ +git checkout $MODSECURITY_LIB_VERSION +git submodule init +git submodule update + +sh build.sh + +# https://github.com/SpiderLabs/ModSecurity/issues/1909#issuecomment-465926762 +sed -i '115i LUA_CFLAGS="${LUA_CFLAGS} -DWITH_LUA_JIT_2_1"' build/lua.m4 +sed -i '117i AC_SUBST(LUA_CFLAGS)' build/lua.m4 + +./configure \ + --disable-doxygen-doc \ + --disable-doxygen-html \ + --disable-examples + +make +make install + +mkdir -p /etc/nginx/modsecurity +cp modsecurity.conf-recommended /etc/nginx/modsecurity/modsecurity.conf +cp unicode.mapping /etc/nginx/modsecurity/unicode.mapping + +# Replace serial logging with concurrent +sed -i 's|SecAuditLogType Serial|SecAuditLogType Concurrent|g' /etc/nginx/modsecurity/modsecurity.conf + +# Concurrent logging implies the log is stored in several files +echo "SecAuditLogStorageDir /var/log/audit/" >> /etc/nginx/modsecurity/modsecurity.conf + +# Download owasp modsecurity crs +cd /etc/nginx/ + +git clone -b $OWASP_MODSECURITY_CRS_VERSION https://github.com/coreruleset/coreruleset +mv coreruleset owasp-modsecurity-crs +cd owasp-modsecurity-crs + +mv crs-setup.conf.example crs-setup.conf +mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf +mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf +cd .. + +# OWASP CRS v3 rules +echo " +Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-922-MULTIPART-ATTACK.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf +Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf +" > /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf + +# build nginx +cd "$BUILD_PATH/nginx-$NGINX_VERSION" + +# apply nginx patches +for PATCH in `ls /patches`;do + echo "Patch: $PATCH" + if [[ "$PATCH" == *.txt ]]; then + patch -p0 < /patches/$PATCH + else + patch -p1 < /patches/$PATCH + fi +done + +WITH_FLAGS="--with-debug \ + --with-compat \ + --with-pcre-jit \ + --with-http_ssl_module \ + --with-http_stub_status_module \ + --with-http_realip_module \ + --with-http_auth_request_module \ + --with-http_addition_module \ + --with-http_gzip_static_module \ + --with-http_sub_module \ + --with-http_v2_module \ + --with-stream \ + --with-stream_ssl_module \ + --with-stream_realip_module \ + --with-stream_ssl_preread_module \ + --with-threads \ + --with-http_secure_link_module \ + --with-http_gunzip_module" + +# "Combining -flto with -g is currently experimental and expected to produce unexpected results." +# https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html +CC_OPT="-g -O2 -fPIE -fstack-protector-strong \ + -Wformat \ + -Werror=format-security \ + -Wno-deprecated-declarations \ + -fno-strict-aliasing \ + -D_FORTIFY_SOURCE=2 \ + --param=ssp-buffer-size=4 \ + -DTCP_FASTOPEN=23 \ + -fPIC \ + -Wno-cast-function-type" + +LD_OPT="-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now" + +if [[ ${ARCH} != "aarch64" ]]; then + WITH_FLAGS+=" --with-file-aio" +fi + +if [[ ${ARCH} == "x86_64" ]]; then + CC_OPT+=' -m64 -mtune=generic' +fi + +WITH_MODULES=" \ + --add-module=$BUILD_PATH/ngx_devel_kit \ + --add-module=$BUILD_PATH/set-misc-nginx-module \ + --add-module=$BUILD_PATH/headers-more-nginx-module \ + --add-module=$BUILD_PATH/ngx_http_substitutions_filter_module \ + --add-module=$BUILD_PATH/lua-nginx-module \ + --add-module=$BUILD_PATH/stream-lua-nginx-module \ + --add-module=$BUILD_PATH/lua-upstream-nginx-module \ + --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest \ + --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx \ + --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module \ + --add-dynamic-module=$BUILD_PATH/ngx_brotli" + +./configure \ + --prefix=/usr/local/nginx \ + --conf-path=/etc/nginx/nginx.conf \ + --modules-path=/etc/nginx/modules \ + --http-log-path=/var/log/nginx/access.log \ + --error-log-path=/var/log/nginx/error.log \ + --lock-path=/var/lock/nginx.lock \ + --pid-path=/run/nginx.pid \ + --http-client-body-temp-path=/var/lib/nginx/body \ + --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ + --http-proxy-temp-path=/var/lib/nginx/proxy \ + --http-scgi-temp-path=/var/lib/nginx/scgi \ + --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ + ${WITH_FLAGS} \ + --without-mail_pop3_module \ + --without-mail_smtp_module \ + --without-mail_imap_module \ + --without-http_uwsgi_module \ + --without-http_scgi_module \ + --with-cc-opt="${CC_OPT}" \ + --with-ld-opt="${LD_OPT}" \ + --user=www-data \ + --group=www-data \ + ${WITH_MODULES} + +make +make modules +make install + +export OPENTELEMETRY_CONTRIB_COMMIT=aaa51e2297bcb34297f3c7aa44fa790497d2f7f3 +cd "$BUILD_PATH" + +git clone https://github.com/open-telemetry/opentelemetry-cpp-contrib.git opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} + +cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT} +git reset --hard ${OPENTELEMETRY_CONTRIB_COMMIT} + +export OTEL_TEMP_INSTALL=/tmp/otel +mkdir -p ${OTEL_TEMP_INSTALL} + +cd ${BUILD_PATH}/opentelemetry-cpp-contrib-${OPENTELEMETRY_CONTRIB_COMMIT}/instrumentation/nginx +mkdir -p build +cd build +cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ + -DCMAKE_INSTALL_PREFIX=${OTEL_TEMP_INSTALL} \ + -DBUILD_SHARED_LIBS=ON \ + -DNGINX_VERSION=${NGINX_VERSION} \ + .. +cmake --build . -j ${CORES} --target install + +mkdir -p /etc/nginx/modules +cp ${OTEL_TEMP_INSTALL}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so + + +cd "$BUILD_PATH/lua-resty-core" +make install + +cd "$BUILD_PATH/lua-resty-balancer" +make all +make install + +export LUA_INCLUDE_DIR=/usr/local/include/luajit-2.1 +ln -s $LUA_INCLUDE_DIR /usr/include/lua5.1 + +cd "$BUILD_PATH/lua-cjson" +make all +make install + +cd "$BUILD_PATH/lua-resty-cookie" +make all +make install + +cd "$BUILD_PATH/lua-resty-lrucache" +make install + +cd "$BUILD_PATH/lua-resty-dns" +make install + +cd "$BUILD_PATH/lua-resty-lock" +make install + +# required for OCSP verification +cd "$BUILD_PATH/lua-resty-http" +make install + +cd "$BUILD_PATH/lua-resty-upload" +make install + +cd "$BUILD_PATH/lua-resty-string" +make install + +cd "$BUILD_PATH/lua-resty-memcached" +make install + +cd "$BUILD_PATH/lua-resty-redis" +make install + +cd "$BUILD_PATH/lua-resty-ipmatcher" +INST_LUADIR=/usr/local/lib/lua make install + +cd "$BUILD_PATH/lua-resty-global-throttle" +make install + +cd "$BUILD_PATH/mimalloc" +mkdir -p out/release +cd out/release + +cmake ../.. + +make +make install + +# update image permissions +writeDirs=( \ + /etc/nginx \ + /usr/local/nginx \ + /opt/modsecurity/var/log \ + /opt/modsecurity/var/upload \ + /opt/modsecurity/var/audit \ + /var/log/audit \ + /var/log/nginx \ +); + +adduser -S -D -H -u 101 -h /usr/local/nginx -s /sbin/nologin -G www-data -g www-data www-data + +for dir in "${writeDirs[@]}"; do + mkdir -p ${dir}; + chown -R www-data.www-data ${dir}; +done + +rm -rf /etc/nginx/owasp-modsecurity-crs/.git +rm -rf /etc/nginx/owasp-modsecurity-crs/util/regression-tests + +# remove .a files +find /usr/local -name "*.a" -print | xargs /bin/rm diff --git a/images/nginx-1.25/rootfs/patches/drop-alias-root.patch b/images/nginx-1.25/rootfs/patches/drop-alias-root.patch new file mode 100644 index 000000000..a92e08bd0 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/drop-alias-root.patch @@ -0,0 +1,144 @@ +:100644 100644 c7463dcd 00000000 M src/http/ngx_http_core_module.c +diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c +index c7463dcd..e2e45931 100644 +--- a/src/http/ngx_http_core_module.c ++++ b/src/http/ngx_http_core_module.c +@@ -55,7 +55,6 @@ static char *ngx_http_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); + static char *ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); +-static char *ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); + static char *ngx_http_core_limit_except(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); + static char *ngx_http_core_set_aio(ngx_conf_t *cf, ngx_command_t *cmd, +@@ -323,21 +322,6 @@ static ngx_command_t ngx_http_core_commands[] = { + offsetof(ngx_http_core_loc_conf_t, default_type), + NULL }, + +- { ngx_string("root"), +- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF +- |NGX_CONF_TAKE1, +- ngx_http_core_root, +- NGX_HTTP_LOC_CONF_OFFSET, +- 0, +- NULL }, +- +- { ngx_string("alias"), +- NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, +- ngx_http_core_root, +- NGX_HTTP_LOC_CONF_OFFSET, +- 0, +- NULL }, +- + { ngx_string("limit_except"), + NGX_HTTP_LOC_CONF|NGX_CONF_BLOCK|NGX_CONF_1MORE, + ngx_http_core_limit_except, +@@ -4312,108 +4296,6 @@ ngx_http_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) + } + + +-static char * +-ngx_http_core_root(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +-{ +- ngx_http_core_loc_conf_t *clcf = conf; +- +- ngx_str_t *value; +- ngx_int_t alias; +- ngx_uint_t n; +- ngx_http_script_compile_t sc; +- +- alias = (cmd->name.len == sizeof("alias") - 1) ? 1 : 0; +- +- if (clcf->root.data) { +- +- if ((clcf->alias != 0) == alias) { +- return "is duplicate"; +- } +- +- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, +- "\"%V\" directive is duplicate, " +- "\"%s\" directive was specified earlier", +- &cmd->name, clcf->alias ? "alias" : "root"); +- +- return NGX_CONF_ERROR; +- } +- +- if (clcf->named && alias) { +- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, +- "the \"alias\" directive cannot be used " +- "inside the named location"); +- +- return NGX_CONF_ERROR; +- } +- +- value = cf->args->elts; +- +- if (ngx_strstr(value[1].data, "$document_root") +- || ngx_strstr(value[1].data, "${document_root}")) +- { +- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, +- "the $document_root variable cannot be used " +- "in the \"%V\" directive", +- &cmd->name); +- +- return NGX_CONF_ERROR; +- } +- +- if (ngx_strstr(value[1].data, "$realpath_root") +- || ngx_strstr(value[1].data, "${realpath_root}")) +- { +- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, +- "the $realpath_root variable cannot be used " +- "in the \"%V\" directive", +- &cmd->name); +- +- return NGX_CONF_ERROR; +- } +- +- clcf->alias = alias ? clcf->name.len : 0; +- clcf->root = value[1]; +- +- if (!alias && clcf->root.len > 0 +- && clcf->root.data[clcf->root.len - 1] == '/') +- { +- clcf->root.len--; +- } +- +- if (clcf->root.data[0] != '$') { +- if (ngx_conf_full_name(cf->cycle, &clcf->root, 0) != NGX_OK) { +- return NGX_CONF_ERROR; +- } +- } +- +- n = ngx_http_script_variables_count(&clcf->root); +- +- ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); +- sc.variables = n; +- +-#if (NGX_PCRE) +- if (alias && clcf->regex) { +- clcf->alias = NGX_MAX_SIZE_T_VALUE; +- n = 1; +- } +-#endif +- +- if (n) { +- sc.cf = cf; +- sc.source = &clcf->root; +- sc.lengths = &clcf->root_lengths; +- sc.values = &clcf->root_values; +- sc.complete_lengths = 1; +- sc.complete_values = 1; +- +- if (ngx_http_script_compile(&sc) != NGX_OK) { +- return NGX_CONF_ERROR; +- } +- } +- +- return NGX_CONF_OK; +-} +- +- + static ngx_http_method_name_t ngx_methods_names[] = { + { (u_char *) "GET", (uint32_t) ~NGX_HTTP_GET }, + { (u_char *) "HEAD", (uint32_t) ~NGX_HTTP_HEAD }, diff --git a/images/nginx/Makefile b/images/nginx/Makefile index 438d0cfe1..b54a7739b 100644 --- a/images/nginx/Makefile +++ b/images/nginx/Makefile @@ -21,7 +21,9 @@ DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh # 0.0.0 shouldn't clobber any released builds -TAG ?= 0.0 +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= gcr.io/k8s-staging-ingress-nginx IMAGE = $(REGISTRY)/nginx diff --git a/images/nginx/TAG b/images/nginx/TAG new file mode 100644 index 000000000..bbdeab622 --- /dev/null +++ b/images/nginx/TAG @@ -0,0 +1 @@ +0.0.5 diff --git a/images/nginx/cloudbuild.yaml b/images/nginx/cloudbuild.yaml index fb9a51225..71051f26d 100644 --- a/images/nginx/cloudbuild.yaml +++ b/images/nginx/cloudbuild.yaml @@ -2,14 +2,12 @@ timeout: 10800s options: substitution_option: ALLOW_LOOSE # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_32 + machineType: E2_HIGHCPU_32 steps: - name: 'gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90' entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - BASE_REF=$_PULL_BASE_REF - - TAG=$_PULL_BASE_SHA - REGISTRY=gcr.io/k8s-staging-ingress-nginx - HOME=/root args: @@ -17,7 +15,3 @@ steps: - | gcloud auth configure-docker \ && cd images/nginx && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" - _PULL_BASE_SHA: '12345' diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index a9b01ff82..3dd841c6c 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -11,17 +11,17 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.17.0 as builder +FROM alpine:3.19.1 as builder COPY . / RUN apk update \ && apk upgrade \ - && apk add -U bash \ + && apk add -U bash --no-cache \ && /build.sh # Use a multi-stage build -FROM alpine:3.17.0 +FROM alpine:3.19.1 ENV PATH=$PATH:/usr/local/luajit/bin:/usr/local/nginx/sbin:/usr/local/nginx/bin @@ -32,6 +32,8 @@ COPY --from=builder /usr/local /usr/local COPY --from=builder /opt /opt COPY --from=builder /etc/nginx /etc/nginx +LABEL org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx + RUN apk update \ && apk upgrade \ && apk add -U --no-cache \ @@ -39,8 +41,6 @@ RUN apk update \ openssl \ pcre \ zlib \ - geoip \ - curl \ ca-certificates \ patch \ yajl \ @@ -49,7 +49,6 @@ RUN apk update \ libmaxminddb \ yaml-cpp \ dumb-init \ - nano \ tzdata \ && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \ && adduser -S -D -H -u 101 -h /usr/local/nginx \ diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index 8023575c0..cd319a0b9 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -20,14 +20,14 @@ set -o pipefail export NGINX_VERSION=1.21.6 -# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.1...master -export NDK_VERSION=0.3.1 +# Check for recent changes: https://github.com/vision5/ngx_devel_kit/compare/v0.3.2...master +export NDK_VERSION=0.3.2 # Check for recent changes: https://github.com/openresty/set-misc-nginx-module/compare/v0.33...master export SETMISC_VERSION=0.33 -# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.33...master -export MORE_HEADERS_VERSION=0.33 +# Check for recent changes: https://github.com/openresty/headers-more-nginx-module/compare/v0.34...master +export MORE_HEADERS_VERSION=0.34 # Check for recent changes: https://github.com/atomx/nginx-http-auth-digest/compare/v1.0.0...atomx:master export NGINX_DIGEST_AUTH=1.0.0 @@ -53,54 +53,47 @@ export JAEGER_VERSION=0.7.0 # Check for recent changes: https://github.com/msgpack/msgpack-c/compare/cpp-3.3.0...master export MSGPACK_VERSION=3.3.0 -# Check for recent changes: https://github.com/DataDog/dd-opentracing-cpp/compare/v1.3.2...master -export DATADOG_CPP_VERSION=1.3.2 +# Check for recent changes: https://github.com/DataDog/dd-opentracing-cpp/compare/v1.3.7...master +export DATADOG_CPP_VERSION=1.3.7 # Check for recent changes: https://github.com/SpiderLabs/ModSecurity-nginx/compare/v1.0.3...master export MODSECURITY_VERSION=1.0.3 -# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master -export MODSECURITY_LIB_VERSION=e9a7ba4a60be48f761e0328c6dfcc668d70e35a0 +# Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.11...v3/master +export MODSECURITY_LIB_VERSION=bbde9381cbccb49ea73f6194b08b478adc53f3bc # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master -export OWASP_MODSECURITY_CRS_VERSION=v3.3.4 +export OWASP_MODSECURITY_CRS_VERSION=v3.3.5 -# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.21...master -export LUA_NGX_VERSION=0.10.21 +# Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.25...master +export LUA_NGX_VERSION=0.10.25 -# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.11...master -export LUA_STREAM_NGX_VERSION=0.0.11 +# Check for recent changes: https://github.com/openresty/stream-lua-nginx-module/compare/v0.0.13...master +export LUA_STREAM_NGX_VERSION=0.0.13 # Check for recent changes: https://github.com/openresty/lua-upstream-nginx-module/compare/8aa93ead98ba2060d4efd594ae33a35d153589bf...master export LUA_UPSTREAM_VERSION=8aa93ead98ba2060d4efd594ae33a35d153589bf -# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.10...openresty:master -export LUA_CJSON_VERSION=2.1.0.10 +# Check for recent changes: https://github.com/openresty/lua-cjson/compare/2.1.0.11...openresty:master +export LUA_CJSON_VERSION=2.1.0.11 -export NGINX_INFLUXDB_VERSION=5b09391cb7b9a889687c0aa67964c06a2d933e8b +# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.4...master +export GEOIP2_VERSION=a607a41a8115fecfc05b5c283c81532a3d605425 -# Check for recent changes: https://github.com/leev/ngx_http_geoip2_module/compare/3.3...master -export GEOIP2_VERSION=a26c6beed77e81553686852dceb6c7fdacc5970d - -# Check for recent changes: https://github.com/msva/nginx_ajp_module/compare/fcbb2ccca4901d317ecd7a9dabb3fec9378ff40f...master -# This is a fork from https://github.com/yaoweibin/nginx_ajp_module -# Since it has not been updated and is not compatible with NGINX 1.21 -export NGINX_AJP_VERSION=fcbb2ccca4901d317ecd7a9dabb3fec9378ff40f - -# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20220411...v2.1-agentzh -export LUAJIT_VERSION=2.1-20220411 +# Check for recent changes: https://github.com/openresty/luajit2/compare/v2.1-20230410...v2.1-agentzh +export LUAJIT_VERSION=2.1-20230410 # Check for recent changes: https://github.com/openresty/lua-resty-balancer/compare/v0.04...master export LUA_RESTY_BALANCER=0.04 -# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.11...master -export LUA_RESTY_CACHE=0.11 +# Check for recent changes: https://github.com/openresty/lua-resty-lrucache/compare/v0.13...master +export LUA_RESTY_CACHE=0.13 -# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.23...master -export LUA_RESTY_CORE=0.1.23 +# Check for recent changes: https://github.com/openresty/lua-resty-core/compare/v0.1.27...master +export LUA_RESTY_CORE=0.1.27 -# Check for recent changes: https://github.com/cloudflare/lua-resty-cookie/compare/v0.1.0...master -export LUA_RESTY_COOKIE_VERSION=303e32e512defced053a6484bc0745cf9dc0d39e +# Check for recent changes: https://github.com/utix/lua-resty-cookie/compare/9533f47...master +export LUA_RESTY_COOKIE_VERSION=9533f479371663107b515590fc9daf00d61ebf11 # Check for recent changes: https://github.com/openresty/lua-resty-dns/compare/v0.22...master export LUA_RESTY_DNS=0.22 @@ -108,17 +101,17 @@ export LUA_RESTY_DNS=0.22 # Check for recent changes: https://github.com/ledgetech/lua-resty-http/compare/v0.16.1...master export LUA_RESTY_HTTP=0ce55d6d15da140ecc5966fa848204c6fd9074e8 -# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.08...master -export LUA_RESTY_LOCK=0.08 +# Check for recent changes: https://github.com/openresty/lua-resty-lock/compare/v0.09...master +export LUA_RESTY_LOCK=0.09 -# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.10...master -export LUA_RESTY_UPLOAD_VERSION=0.10 +# Check for recent changes: https://github.com/openresty/lua-resty-upload/compare/v0.11...master +export LUA_RESTY_UPLOAD_VERSION=0.11 # Check for recent changes: https://github.com/openresty/lua-resty-string/compare/v0.15...master export LUA_RESTY_STRING_VERSION=0.15 -# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.16...master -export LUA_RESTY_MEMCACHED_VERSION=0.16 +# Check for recent changes: https://github.com/openresty/lua-resty-memcached/compare/v0.17...master +export LUA_RESTY_MEMCACHED_VERSION=0.17 # Check for recent changes: https://github.com/openresty/lua-resty-redis/compare/v0.30...master export LUA_RESTY_REDIS_VERSION=0.30 @@ -171,7 +164,6 @@ apk add \ linux-headers \ libxslt-dev \ gd-dev \ - geoip-dev \ perl-dev \ libedit-dev \ mercurial \ @@ -206,13 +198,13 @@ cd "$BUILD_PATH" get_src 66dc7081488811e9f925719e34d1b4504c2801c81dee2920e5452a86b11405ae \ "https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz" -get_src 0e971105e210d272a497567fa2e2c256f4e39b845a5ba80d373e26ba1abfbd85 \ - "https://github.com/simpl/ngx_devel_kit/archive/v$NDK_VERSION.tar.gz" +get_src aa961eafb8317e0eb8da37eb6e2c9ff42267edd18b56947384e719b85188f58b \ + "https://github.com/vision5/ngx_devel_kit/archive/v$NDK_VERSION.tar.gz" get_src cd5e2cc834bcfa30149e7511f2b5a2183baf0b70dc091af717a89a64e44a2985 \ "https://github.com/openresty/set-misc-nginx-module/archive/v$SETMISC_VERSION.tar.gz" -get_src a3dcbab117a9c103bc1ea5200fc00a7b7d2af97ff7fd525f16f8ac2632e30fbf \ +get_src 0c0d2ced2ce895b3f45eb2b230cd90508ab2a773299f153de14a43e44c1209b3 \ "https://github.com/openresty/headers-more-nginx-module/archive/v$MORE_HEADERS_VERSION.tar.gz" get_src f09851e6309560a8ff3e901548405066c83f1f6ff88aa7171e0763bd9514762b \ @@ -248,10 +240,10 @@ get_src 7d5f3439c8df56046d0564b5857fd8a30296ab1bd6df0f048aed7afb56a0a4c2 \ get_src 99c47c75c159795c9faf76bbb9fa58e5a50b75286c86565ffcec8514b1c74bf9 \ "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz" else -get_src 9db756000578efaecb43bea4fc6cf631aaa80988d86ffe5d3afeb9927895ffad \ +get_src bc764db42830aeaf74755754b900253c233ad57498debe7a441cee2c6f4b07c2 \ "https://github.com/openresty/lua-nginx-module/archive/v$LUA_NGX_VERSION.tar.gz" -get_src c7924f28cb014a99636e747ea907724dd55f60e180cb92cde6e8ed48d2278f27 \ +get_src 01b715754a8248cc7228e0c8f97f7488ae429d90208de0481394e35d24cef32f \ "https://github.com/openresty/stream-lua-nginx-module/archive/v$LUA_STREAM_NGX_VERSION.tar.gz" fi @@ -263,23 +255,17 @@ if [[ ${ARCH} == "s390x" ]]; then get_src 266ed1abb70a9806d97cb958537a44b67db6afb33d3b32292a2d68a2acedea75 \ "https://github.com/openresty/luajit2/archive/$LUAJIT_VERSION.tar.gz" else -get_src d3f2c870f8f88477b01726b32accab30f6e5d57ae59c5ec87374ff73d0794316 \ +get_src 77bbcbb24c3c78f51560017288f3118d995fe71240aa379f5818ff6b166712ff \ "https://github.com/openresty/luajit2/archive/v$LUAJIT_VERSION.tar.gz" fi -get_src 586f92166018cc27080d34e17c59d68219b85af745edf3cc9fe41403fc9b4ac6 \ +get_src 8d39c6b23f941a2d11571daaccc04e69539a3fcbcc50a631837560d5861a7b96 \ "https://github.com/DataDog/dd-opentracing-cpp/archive/v$DATADOG_CPP_VERSION.tar.gz" -get_src 1af5a5632dc8b00ae103d51b7bf225de3a7f0df82f5c6a401996c080106e600e \ - "https://github.com/influxdata/nginx-influxdb-module/archive/$NGINX_INFLUXDB_VERSION.tar.gz" - -get_src 4c1933434572226942c65b2f2b26c8a536ab76aa771a3c7f6c2629faa764976b \ +get_src b6c9c09fd43eb34a71e706ad780b2ead26549a9a9f59280fe558f5b7b980b7c6 \ "https://github.com/leev/ngx_http_geoip2_module/archive/$GEOIP2_VERSION.tar.gz" -get_src 778fcca851bd69dabfb382dc827d2ee07662f7eca36b5e66e67d5512bad75ef8 \ - "https://github.com/msva/nginx_ajp_module/archive/$NGINX_AJP_VERSION.tar.gz" - -get_src 5d16e623d17d4f42cc64ea9cfb69ca960d313e12f5d828f785dd227cc483fcbd \ +get_src deb4ab1ffb9f3d962c4b4a2c4bdff692b86a209e3835ae71ebdf3b97189e40a9 \ "https://github.com/openresty/lua-resty-upload/archive/v$LUA_RESTY_UPLOAD_VERSION.tar.gz" get_src bdbf271003d95aa91cab0a92f24dca129e99b33f79c13ebfcdbbcbb558129491 \ @@ -292,20 +278,20 @@ if [[ ${ARCH} == "s390x" ]]; then get_src 8f5f76d2689a3f6b0782f0a009c56a65e4c7a4382be86422c9b3549fe95b0dc4 \ "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" else -get_src efd6b51520429e64b1bcc10f477d370ebed1631c190f7e4dc270d959a743ad7d \ +get_src 39baab9e2b31cc48cecf896cea40ef6e80559054fd8a6e440cc804a858ea84d4 \ "https://github.com/openresty/lua-resty-core/archive/v$LUA_RESTY_CORE.tar.gz" fi -get_src 0c551d6898f89f876e48730f9b55790d0ba07d5bc0aa6c76153277f63c19489f \ +get_src a77b9de160d81712f2f442e1de8b78a5a7ef0d08f13430ff619f79235db974d4 \ "https://github.com/openresty/lua-cjson/archive/$LUA_CJSON_VERSION.tar.gz" -get_src 5ed48c36231e2622b001308622d46a0077525ac2f751e8cc0c9905914254baa4 \ - "https://github.com/cloudflare/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" +get_src a404c790553617424d743b82a9f01feccd0d2930b306b370c665ca3b7c09ccb6 \ + "https://github.com/utix/lua-resty-cookie/archive/$LUA_RESTY_COOKIE_VERSION.tar.gz" -get_src e810ed124fe788b8e4aac2c8960dda1b9a6f8d0ca94ce162f28d3f4d877df8af \ +get_src 573184006b98ccee2594b0d134fa4d05e5d2afd5141cbad315051ccf7e9b6403 \ "https://github.com/openresty/lua-resty-lrucache/archive/v$LUA_RESTY_CACHE.tar.gz" -get_src 2b4683f9abe73e18ca00345c65010c9056777970907a311d6e1699f753141de2 \ +get_src b4ddcd47db347e9adf5c1e1491a6279a6ae2a3aff3155ef77ea0a65c998a69c1 \ "https://github.com/openresty/lua-resty-lock/archive/v$LUA_RESTY_LOCK.tar.gz" get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ @@ -314,7 +300,7 @@ get_src 70e9a01eb32ccade0d5116a25bcffde0445b94ad35035ce06b94ccd260ad1bf0 \ get_src 9fcb6db95bc37b6fce77d3b3dc740d593f9d90dce0369b405eb04844d56ac43f \ "https://github.com/ledgetech/lua-resty-http/archive/$LUA_RESTY_HTTP.tar.gz" -get_src 42893da0e3de4ec180c9bf02f82608d78787290a70c5644b538f29d243147396 \ +get_src 02733575c4aed15f6cab662378e4b071c0a4a4d07940c4ef19a7319e9be943d4 \ "https://github.com/openresty/lua-resty-memcached/archive/v$LUA_RESTY_MEMCACHED_VERSION.tar.gz" get_src c15aed1a01c88a3a6387d9af67a957dff670357f5fdb4ee182beb44635eef3f1 \ @@ -479,8 +465,10 @@ make install # Get Brotli source and deps cd "$BUILD_PATH" -git clone --depth=1 https://github.com/google/ngx_brotli.git +git clone --depth=100 https://github.com/google/ngx_brotli.git cd ngx_brotli +# https://github.com/google/ngx_brotli/issues/156 +git reset --hard 63ca02abdcf79c9e788d2eedcc388d2335902e52 git submodule init git submodule update @@ -594,7 +582,6 @@ WITH_FLAGS="--with-debug \ --with-http_realip_module \ --with-http_auth_request_module \ --with-http_addition_module \ - --with-http_geoip_module \ --with-http_gzip_static_module \ --with-http_sub_module \ --with-http_v2_module \ @@ -638,9 +625,7 @@ WITH_MODULES=" \ --add-module=$BUILD_PATH/lua-nginx-module-$LUA_NGX_VERSION \ --add-module=$BUILD_PATH/stream-lua-nginx-module-$LUA_STREAM_NGX_VERSION \ --add-module=$BUILD_PATH/lua-upstream-nginx-module-$LUA_UPSTREAM_VERSION \ - --add-module=$BUILD_PATH/nginx_ajp_module-${NGINX_AJP_VERSION} \ --add-dynamic-module=$BUILD_PATH/nginx-http-auth-digest-$NGINX_DIGEST_AUTH \ - --add-dynamic-module=$BUILD_PATH/nginx-influxdb-module-$NGINX_INFLUXDB_VERSION \ --add-dynamic-module=$BUILD_PATH/nginx-opentracing-$NGINX_OPENTRACING_VERSION/opentracing \ --add-dynamic-module=$BUILD_PATH/ModSecurity-nginx-$MODSECURITY_VERSION \ --add-dynamic-module=$BUILD_PATH/ngx_http_geoip2_module-${GEOIP2_VERSION} \ diff --git a/images/nginx/rootfs/etc/nginx/geoip/GeoIP.dat b/images/nginx/rootfs/etc/nginx/geoip/GeoIP.dat deleted file mode 100644 index be8b031f7..000000000 Binary files a/images/nginx/rootfs/etc/nginx/geoip/GeoIP.dat and /dev/null differ diff --git a/images/nginx/rootfs/etc/nginx/geoip/GeoIPASNum.dat b/images/nginx/rootfs/etc/nginx/geoip/GeoIPASNum.dat deleted file mode 100644 index 85c2cb329..000000000 Binary files a/images/nginx/rootfs/etc/nginx/geoip/GeoIPASNum.dat and /dev/null differ diff --git a/images/nginx/rootfs/etc/nginx/geoip/GeoLiteCity.dat b/images/nginx/rootfs/etc/nginx/geoip/GeoLiteCity.dat deleted file mode 100644 index 1adb8c3c4..000000000 Binary files a/images/nginx/rootfs/etc/nginx/geoip/GeoLiteCity.dat and /dev/null differ diff --git a/images/nginx/rootfs/patches/nginx-1.21.4-http2.patch b/images/nginx/rootfs/patches/nginx-1.21.4-http2.patch new file mode 100644 index 000000000..3b9d57736 --- /dev/null +++ b/images/nginx/rootfs/patches/nginx-1.21.4-http2.patch @@ -0,0 +1,57 @@ +#commit 6ceef192e7af1c507826ac38a2d43f08bf265fb9 +#repository: https://github.com/nginx/nginx +#Author: Maxim Dounin +#Date: Tue Oct 10 15:13:39 2023 +0300 +diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c +index 7c05ff1e7..410a8be24 100644 +--- a/src/http/v2/ngx_http_v2.c ++++ b/src/http/v2/ngx_http_v2.c +@@ -347,6 +347,7 @@ ngx_http_v2_read_handler(ngx_event_t *rev) + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler"); + + h2c->blocked = 1; ++ h2c->new_streams = 0; + + if (c->close) { + c->close = 0; +@@ -1284,6 +1285,14 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + goto rst_stream; + } + ++ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many streams at once"); ++ ++ status = NGX_HTTP_V2_REFUSED_STREAM; ++ goto rst_stream; ++ } ++ + if (!h2c->settings_ack + && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG) + && h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW) +@@ -1349,6 +1358,12 @@ ngx_http_v2_state_headers(ngx_http_v2_connection_t *h2c, u_char *pos, + + rst_stream: + ++ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) { ++ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, ++ "client sent too many refused streams"); ++ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR); ++ } ++ + if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) { + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); + } +diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h +index cb9014ccf..6751b3026 100644 +--- a/src/http/v2/ngx_http_v2.h ++++ b/src/http/v2/ngx_http_v2.h +@@ -131,6 +131,8 @@ struct ngx_http_v2_connection_s { + ngx_uint_t processing; + ngx_uint_t frames; + ngx_uint_t idle; ++ ngx_uint_t new_streams; ++ ngx_uint_t refused_streams; + ngx_uint_t priority_limit; + + size_t send_window; \ No newline at end of file diff --git a/images/opentelemetry/Makefile b/images/opentelemetry/Makefile index 20fb7ec63..eae435bef 100644 --- a/images/opentelemetry/Makefile +++ b/images/opentelemetry/Makefile @@ -1,4 +1,4 @@ -# Copyright 2021 The Kubernetes Authors. All rights reserved. +# Copyright 2024 The Kubernetes Authors. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +21,9 @@ DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh # 0.0.0 shouldn't clobber any released builds -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= gcr.io/k8s-staging-ingress-nginx IMAGE = $(REGISTRY)/opentelemetry @@ -30,15 +32,25 @@ IMAGE = $(REGISTRY)/opentelemetry export DOCKER_CLI_EXPERIMENTAL=enabled # build with buildx -PLATFORMS?=linux/amd64,linux/arm64 +PLATFORMS?=linux/amd64,linux/arm,linux/arm64 OUTPUT= PROGRESS=plain -build: ensure-buildx + +precheck: +ifndef NGINX_VERSION + $(error NGINX_VERSION variable is required) +endif + +build: precheck ensure-buildx docker buildx build \ + --label=org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx \ + --label=org.opencontainers.image.licenses=Apache-2.0 \ + --label=org.opencontainers.image.description="Ingress NGINX Opentelemetry image" \ --platform=${PLATFORMS} $(OUTPUT) \ --progress=$(PROGRESS) \ + --build-arg=NGINX_VERSION=$(NGINX_VERSION) \ --pull \ - --tag $(IMAGE):$(TAG) rootfs + --tag $(IMAGE)-$(NGINX_VERSION):$(TAG) rootfs # push the cross built image push: OUTPUT=--push @@ -54,4 +66,4 @@ else endif @echo "done" -.PHONY: build push ensure-buildx +.PHONY: build precheck push ensure-buildx diff --git a/images/opentelemetry/TAG b/images/opentelemetry/TAG new file mode 100644 index 000000000..a3dce6cd3 --- /dev/null +++ b/images/opentelemetry/TAG @@ -0,0 +1 @@ +v0.0.2 diff --git a/images/opentelemetry/cloudbuild.yaml b/images/opentelemetry/cloudbuild.yaml index e2aa5a2b2..bc48a93f4 100644 --- a/images/opentelemetry/cloudbuild.yaml +++ b/images/opentelemetry/cloudbuild.yaml @@ -2,14 +2,12 @@ timeout: 10800s options: substitution_option: ALLOW_LOOSE # job builds a multi-arch docker image for amd64,arm,arm64 and s390x. - machineType: N1_HIGHCPU_32 + machineType: E2_HIGHCPU_32 steps: - name: gcr.io/k8s-staging-test-infra/gcb-docker-gcloud:v20211118-2f2d816b90 entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -18,7 +16,5 @@ steps: - -c - | gcloud auth configure-docker \ - && cd images/opentelemetry && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "main" + && cd images/opentelemetry && make NGINX_VERSION=1.25.3 push \ + && make NGINX_VERSION=1.21.6 push diff --git a/images/opentelemetry/rootfs/CMakeLists.txt b/images/opentelemetry/rootfs/CMakeLists.txt index ef90b5805..1c68d6fc6 100644 --- a/images/opentelemetry/rootfs/CMakeLists.txt +++ b/images/opentelemetry/rootfs/CMakeLists.txt @@ -24,7 +24,8 @@ project( set(CMAKE_CXX_STANDARD 17) set(CMAKE_CXX_EXTENSIONS OFF) set(CMAKE_CXX_STANDARD_REQUIRED ON) -set(CMAKE_CXX_FLAGS "-O2") +set(CMAKE_CXX_FLAGS "-O2 -fpic") +set(CMAKE_VERBOSE_MAKEFILE ON CACHE BOOL "ON" FORCE) set(CMAKE_BUILD_TYPE Release @@ -63,31 +64,9 @@ find_package(OpenSSL REQUIRED) message("OpenSSL include dir: ${OPENSSL_INCLUDE_DIR}") message("OpenSSL libraries: ${OPENSSL_LIBRARIES}") -set(GRPC_GIT_TAG - "v1.45.2" - CACHE STRING "gRPC version") - -include(ExternalProject) -ExternalProject_Add( - gRPC - GIT_REPOSITORY https://github.com/grpc/grpc.git - GIT_TAG ${GRPC_GIT_TAG} - GIT_SHALLOW 1 - UPDATE_COMMAND "" - CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=${STAGED_INSTALL_PREFIX} - -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE} - -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER} - -DgRPC_SSL_PROVIDER=package - -DOPENSSL_ROOT_DIR=OpenSSL - -DgRPC_BUILD_TESTS=OFF - -DBUILD_SHARED_LIBS=OFF - -DgRPC_INSTALL=ON - CMAKE_CACHE_ARGS -DCMAKE_CXX_FLAGS:STRING=${CMAKE_CXX_FLAGS} - TEST_AFTER_INSTALL 0 - DOWNLOAD_NO_PROGRESS 1 - LOG_CONFIGURE 1 - LOG_BUILD 0 - LOG_INSTALL 1) +find_package(Protobuf REQUIRED) +find_package(gRPC REQUIRED) +find_package(OpentelemetryCPP REQUIRED) install( DIRECTORY ${STAGED_INSTALL_PREFIX}/ diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index aa4e219af..bb88ec760 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -13,7 +13,7 @@ # limitations under the License. -FROM alpine:3.17.0 as base +FROM alpine:3.19.1 as base RUN mkdir -p /opt/third_party/install COPY . /opt/third_party/ @@ -21,25 +21,26 @@ COPY . /opt/third_party/ # install build tools RUN apk update \ && apk upgrade \ - && apk add -U bash cmake \ + && apk add -U bash \ && bash /opt/third_party/build.sh -p -# install gRPC -FROM base as grpc -RUN bash /opt/third_party/build.sh -g v1.49.2 - -# install OpenTelemetry-cpp -FROM base as otel-cpp -COPY --from=grpc /opt/third_party/install/ /usr -RUN bash /opt/third_party/build.sh -o v1.8.1 +ENV NINJA_STATUS "[%p/%f/%t] " # install otel_ngx_module.so FROM base as nginx -COPY --from=grpc /opt/third_party/install/ /usr -COPY --from=otel-cpp /opt/third_party/install/ /usr -RUN bash /opt/third_party/build.sh -n +ARG NGINX_VERSION=1.25.3 +RUN bash /opt/third_party/build.sh -n ${NGINX_VERSION} -FROM alpine:3.17.0 as final -COPY --from=base /opt/third_party/init_module.sh /usr/local/bin/init_module.sh +FROM golang:1.21.6-bullseye as build-init + +WORKDIR /go/src/app +COPY . . + +RUN go mod download +RUN CGO_ENABLED=0 go build -o /go/bin/init_module + +FROM gcr.io/distroless/static-debian11 as final +COPY --from=build-init /go/bin/init_module / COPY --from=nginx /etc/nginx/modules /etc/nginx/modules -COPY --from=nginx /opt/third_party/install/lib /etc/nginx/modules + +CMD ["/init_module"] diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh index 6ad4601c6..d46ab9fe5 100755 --- a/images/opentelemetry/rootfs/build.sh +++ b/images/opentelemetry/rootfs/build.sh @@ -17,11 +17,12 @@ set -o errexit set -o nounset set -o pipefail - -export GRPC_GIT_TAG=${GRPC_GIT_TAG:="v1.43.2"} +set -x # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.2.0...main -export OPENTELEMETRY_CPP_VERSION=${OPENTELEMETRY_CPP_VERSION:="1.2.0"} -export INSTAL_DIR=/opt/third_party/install +export OPENTELEMETRY_CPP_VERSION=${OPENTELEMETRY_CPP_VERSION:="v1.11.0"} +export INSTALL_DIR=/opt/third_party/install + +export NGINX_VERSION=${NGINX_VERSION:="1.25.3"} # improve compilation times CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) @@ -40,10 +41,9 @@ Help() # Display Help echo "Add description of the script functions here." echo - echo "Syntax: scriptTemplate [-h|g|o|n|p|]" + echo "Syntax: scriptTemplate [-h|o|n|p|]" echo "options:" echo "h Print Help." - echo "g gRPC git tag" echo "o OpenTelemetry git tag" echo "n install nginx" echo "p prepare" @@ -52,8 +52,11 @@ Help() prepare() { + echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories apk add \ linux-headers \ + cmake \ + ninja \ openssl \ curl-dev \ openssl-dev \ @@ -62,29 +65,26 @@ prepare() pcre-dev \ curl \ git \ - build-base -} + build-base \ + coreutils \ + build-base \ + openssl-dev \ + pkgconfig \ + c-ares-dev \ + re2-dev \ + grpc-dev \ + protobuf-dev \ + opentelemetry-cpp-dev -install_grpc() -{ - mkdir -p $BUILD_PATH/grpc - cd ${BUILD_PATH}/grpc - cmake -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ - -DGRPC_GIT_TAG=${GRPC_GIT_TAG} /opt/third_party \ - -DgRPC_BUILD_GRPC_NODE_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_PHP_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_PHP_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_PYTHON_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_RUBY_PLUGIN=OFF - cmake --build . -j ${CORES} --target all install + git config --global http.version HTTP/1.1 + git config --global http.postBuffer 157286400 } install_otel() { cd ${BUILD_PATH} - export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+LD_LIBRARY_PATH:}${INSTAL_DIR}/lib:/usr/local" - export PATH="${PATH}:${INSTAL_DIR}/bin" + export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+LD_LIBRARY_PATH:}${INSTALL_DIR}/lib:/usr/local" + export PATH="${PATH}:${INSTALL_DIR}/bin" git clone --recurse-submodules -j ${CORES} --depth=1 -b \ ${OPENTELEMETRY_CPP_VERSION} https://github.com/open-telemetry/opentelemetry-cpp.git opentelemetry-cpp-${OPENTELEMETRY_CPP_VERSION} cd "opentelemetry-cpp-${OPENTELEMETRY_CPP_VERSION}" @@ -92,41 +92,29 @@ install_otel() cd .build cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE \ -DWITH_ZIPKIN=OFF \ - -DWITH_JAEGER=OFF \ - -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ + -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ -DBUILD_TESTING=OFF \ + -DWITH_BENCHMARK=OFF \ + -DWITH_FUNC_TESTS=OFF \ -DBUILD_SHARED_LIBS=OFF \ - -DWITH_OTLP=ON \ -DWITH_OTLP_GRPC=ON \ -DWITH_OTLP_HTTP=OFF \ - -DWITH_ABSEIL=OFF \ + -DWITH_ABSEIL=ON \ -DWITH_EXAMPLES=OFF \ + -DWITH_NO_DEPRECATED_CODE=ON \ .. cmake --build . -j ${CORES} --target install } -get_src() -{ - hash="$1" - url="$2" - f=$(basename "$url") - - echo "Downloading $url" - - curl -sSL --fail-with-body "$url" -o "$f" - echo "$hash $f" | sha256sum -c - || exit 10 - tar xzf "$f" - rm -rf "$f" -} - install_nginx() { - export NGINX_VERSION=1.21.6 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/2656a4...main - export OPENTELEMETRY_CONTRIB_COMMIT=1ec94c82095bab61f06c7393b6f3272469d285af + export OPENTELEMETRY_CONTRIB_COMMIT=aaa51e2297bcb34297f3c7aa44fa790497d2f7f3 mkdir -p /etc/nginx cd "$BUILD_PATH" @@ -143,35 +131,28 @@ install_nginx() mkdir -p build cd build cmake -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ - -DBUILD_SHARED_LIBS=ON \ - -DNGINX_VERSION=${NGINX_VERSION} \ - .. + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ + -DCMAKE_INSTALL_PREFIX=${INSTALL_DIR} \ + -DBUILD_SHARED_LIBS=ON \ + -DNGINX_VERSION=${NGINX_VERSION} \ + .. cmake --build . -j ${CORES} --target install mkdir -p /etc/nginx/modules - cp ${INSTAL_DIR}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so - - mkdir -p ${INSTAL_DIR}/lib + cp ${INSTALL_DIR}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so } -while getopts ":hpng:o:" option; do +while getopts ":phn:" option; do case $option in h) # display Help Help exit;; - g) # install gRPC with git tag - GRPC_GIT_TAG=${OPTARG} - install_grpc - exit;; - o) # install OpenTelemetry tag - OPENTELEMETRY_CPP_VERSION=${OPTARG} - install_otel - exit;; p) # prepare prepare exit;; n) # install nginx + NGINX_VERSION=${OPTARG} install_nginx exit;; \?) diff --git a/images/opentelemetry/rootfs/go.mod b/images/opentelemetry/rootfs/go.mod new file mode 100644 index 000000000..9c183ef06 --- /dev/null +++ b/images/opentelemetry/rootfs/go.mod @@ -0,0 +1,3 @@ +module init-otel + +go 1.21 diff --git a/images/opentelemetry/rootfs/init_module.go b/images/opentelemetry/rootfs/init_module.go new file mode 100644 index 000000000..bebec728f --- /dev/null +++ b/images/opentelemetry/rootfs/init_module.go @@ -0,0 +1,104 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "fmt" + "io" + "os" + "path/filepath" +) + +func main() { + // Enable error handling for all operations + err := run() + if err != nil { + fmt.Fprintf(os.Stderr, "Error: %v\n", err) + os.Exit(1) + } +} + +func run() error { + // Create the target directory if it doesn't exist + targetDir := "/modules_mount/etc/nginx/modules/otel" + err := os.MkdirAll(targetDir, os.ModePerm) + if err != nil { + return fmt.Errorf("failed to create target directory: %w", err) + } + + // Copy files from source directory to target directory + sourceDir := "/etc/nginx/modules/" + err = filepath.Walk(sourceDir, func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + + // Skip directories + if info.IsDir() { + return nil + } + + // Calculate the destination path + relPath, err := filepath.Rel(sourceDir, path) + if err != nil { + return err + } + destPath := filepath.Join(targetDir, relPath) + + // Create the destination directory if it doesn't exist + destDir := filepath.Dir(destPath) + err = os.MkdirAll(destDir, os.ModePerm) + if err != nil { + return err + } + + // Copy the file + err = copyFile(path, destPath) + if err != nil { + return err + } + + return nil + }) + + if err != nil { + return fmt.Errorf("failed to copy files: %w", err) + } + + return nil +} + +func copyFile(sourcePath, destPath string) error { + sourceFile, err := os.Open(sourcePath) + if err != nil { + return err + } + defer sourceFile.Close() + + destFile, err := os.Create(destPath) + if err != nil { + return err + } + defer destFile.Close() + + _, err = io.Copy(destFile, sourceFile) + if err != nil { + return err + } + + return nil +} diff --git a/images/opentelemetry/rootfs/init_module.sh b/images/opentelemetry/rootfs/init_module.sh deleted file mode 100755 index 5a675aa2b..000000000 --- a/images/opentelemetry/rootfs/init_module.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh - -# Copyright 2021 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -set -o errexit -set -o nounset -set -o pipefail - -mkdir -p /modules_mount/etc/nginx/modules/otel -cp -R /etc/nginx/modules/* /modules_mount/etc/nginx/modules/otel diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 4d71b8ad5..627475d22 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -18,39 +18,71 @@ SHELL=/bin/bash -o pipefail -o errexit DIR:=$(strip $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))) INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh -TAG ?=v$(shell date +%m%d%Y)-$(shell git rev-parse --short HEAD) +SHORT_SHA ?=$(shell git rev-parse --short HEAD) +TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA) + REGISTRY ?= local IMAGE = $(REGISTRY)/e2e-test-runner NGINX_BASE_IMAGE ?= $(shell cat $(DIR)/../../NGINX_BASE) +# The env below is called GO_VERSION and not GOLANG_VERSION because +# the gcb image we use to build already defines GOLANG_VERSION and is a +# really old version +GO_VERSION ?= $(shell cat $(DIR)/../../GOLANG_VERSION) + # required to enable buildx export DOCKER_CLI_EXPERIMENTAL=enabled # build with buildx PLATFORMS?=linux/amd64,linux/arm64 -OUTPUT= +OUTPUT?= PROGRESS=plain -build: ensure-buildx - docker buildx build \ - --platform=${PLATFORMS} $(OUTPUT) \ - --progress=$(PROGRESS) \ +image: + echo "Building docker image ($(ARCH))..." + docker build \ + ${PLATFORM_FLAG} ${PLATFORM} \ + --no-cache \ --pull \ - --build-arg BASE_IMAGE=$(NGINX_BASE_IMAGE) \ - --build-arg GOLANG_VERSION=1.19.4 \ + --push \ + --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ + --build-arg GOLANG_VERSION=${GO_VERSION} \ --build-arg ETCD_VERSION=3.4.3-0 \ - --build-arg K8S_RELEASE=v1.24.2 \ + --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ --build-arg RESTY_CLI_SHA=e5f4f3128af49ba5c4d039d0554e5ae91bbe05866f60eccfa96d3653274bff90 \ --build-arg LUAROCKS_VERSION=3.8.0 \ --build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \ - --build-arg CHART_TESTING_VERSION=3.7.0 \ - --build-arg YAML_LINT_VERSION=1.27.1 \ + --build-arg CHART_TESTING_VERSION=3.8.0 \ + --build-arg YAML_LINT_VERSION=1.33.0 \ --build-arg YAMALE_VERSION=4.0.4 \ - --build-arg HELM_VERSION=v3.9.0 \ - -t $(IMAGE):$(TAG) rootfs + --build-arg HELM_VERSION=3.11.2 \ + --build-arg GINKGO_VERSION=2.15.0 \ + --build-arg GOLINT_VERSION=latest \ + -t ${IMAGE}:${TAG} rootfs + +build: ensure-buildx + docker buildx build \ + --platform=${PLATFORMS} ${OUTPUT} \ + --progress=${PROGRESS} \ + --pull \ + --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ + --build-arg GOLANG_VERSION=${GO_VERSION} \ + --build-arg ETCD_VERSION=3.4.3-0 \ + --build-arg K8S_RELEASE=v1.26.0 \ + --build-arg RESTY_CLI_VERSION=0.27 \ + --build-arg RESTY_CLI_SHA=e5f4f3128af49ba5c4d039d0554e5ae91bbe05866f60eccfa96d3653274bff90 \ + --build-arg LUAROCKS_VERSION=3.8.0 \ + --build-arg LUAROCKS_SHA=ab6612ca9ab87c6984871d2712d05525775e8b50172701a0a1cabddf76de2be7 \ + --build-arg CHART_TESTING_VERSION=3.8.0 \ + --build-arg YAML_LINT_VERSION=1.33.0 \ + --build-arg YAMALE_VERSION=4.0.4 \ + --build-arg HELM_VERSION=3.11.2 \ + --build-arg GINKGO_VERSION=2.15.0 \ + --build-arg GOLINT_VERSION=latest \ + -t ${IMAGE}:${TAG} rootfs # push the cross built image push: OUTPUT=--push diff --git a/images/test-runner/TAG b/images/test-runner/TAG new file mode 100644 index 000000000..95e94cdd3 --- /dev/null +++ b/images/test-runner/TAG @@ -0,0 +1 @@ +v0.0.1 \ No newline at end of file diff --git a/images/test-runner/cloudbuild.yaml b/images/test-runner/cloudbuild.yaml index b1f32d6a2..b17de9b31 100644 --- a/images/test-runner/cloudbuild.yaml +++ b/images/test-runner/cloudbuild.yaml @@ -6,8 +6,6 @@ steps: entrypoint: bash env: - DOCKER_CLI_EXPERIMENTAL=enabled - - TAG=$_GIT_TAG - - BASE_REF=$_PULL_BASE_REF - REGISTRY=gcr.io/k8s-staging-ingress-nginx # default cloudbuild has HOME=/builder/home and docker buildx is in /root/.docker/cli-plugins/docker-buildx # set the home to /root explicitly to if using docker buildx @@ -17,6 +15,3 @@ steps: - | gcloud auth configure-docker \ && cd images/test-runner && make push -substitutions: - _GIT_TAG: "12345" - _PULL_BASE_REF: "master" diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 1e8bc3643..7128bcf70 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -11,16 +11,29 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - ARG BASE_IMAGE ARG GOLANG_VERSION ARG ETCD_VERSION -FROM golang:${GOLANG_VERSION}-alpine3.17 as GO +FROM golang:${GOLANG_VERSION}-alpine3.18 as GO FROM registry.k8s.io/etcd:${ETCD_VERSION} as etcd FROM ${BASE_IMAGE} +ARG RESTY_CLI_VERSION +ARG RESTY_CLI_SHA +ARG LUAROCKS_VERSION +ARG LUAROCKS_SHA +ARG TARGETARCH +ARG K8S_RELEASE +ARG CHART_TESTING_VERSION +ARG HELM_VERSION +ARG YAMALE_VERSION +ARG YAML_LINT_VERSION +ARG GINKGO_VERSION +ARG GOLINT_VERSION + + RUN set -eux; \ if [ -e /etc/nsswitch.conf ]; then \ grep '^hosts: files dns' /etc/nsswitch.conf; \ @@ -28,13 +41,16 @@ RUN set -eux; \ echo 'hosts: files dns' > /etc/nsswitch.conf; \ fi - COPY --from=GO /usr/local/go /usr/local/go +ENV GOPATH /go +ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH +RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" + COPY --from=etcd /usr/local/bin/etcd /usr/local/bin/etcd -RUN echo "@testing http://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories +RUN echo "@testing https://nl.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories -RUN apk add --no-cache \ +RUN apk update && apk upgrade && apk add --no-cache \ bash \ ca-certificates \ wget \ @@ -48,19 +64,14 @@ RUN apk add --no-cache \ py-pip \ unzip \ openssl \ - cfssl@testing + cfssl@testing \ + tzdata \ + libc6-compat -ENV GOPATH /go -ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH +RUN go install -v github.com/onsi/ginkgo/v2/ginkgo@v${GINKGO_VERSION} \ + && go install golang.org/x/lint/golint@${GOLINT_VERSION} -RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" - -RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 && go install golang.org/x/lint/golint@latest - -ARG RESTY_CLI_VERSION -ARG RESTY_CLI_SHA - -RUN wget -O /tmp/resty_cli.tgz \ +RUN wget -qO /tmp/resty_cli.tgz \ https://github.com/openresty/resty-cli/archive/v${RESTY_CLI_VERSION}.tar.gz \ && echo "${RESTY_CLI_SHA} */tmp/resty_cli.tgz" | sha256sum -c - \ && tar -C /tmp -xzf /tmp/resty_cli.tgz \ @@ -68,10 +79,7 @@ RUN wget -O /tmp/resty_cli.tgz \ && resty -V \ && rm -rf /tmp/* -ARG LUAROCKS_VERSION -ARG LUAROCKS_SHA - -RUN wget -O /tmp/luarocks.tgz \ +RUN wget -qO /tmp/luarocks.tgz \ https://github.com/luarocks/luarocks/archive/v${LUAROCKS_VERSION}.tar.gz \ && echo "${LUAROCKS_SHA} */tmp/luarocks.tgz" | sha256sum -c - \ && tar -C /tmp -xzf /tmp/luarocks.tgz \ @@ -82,48 +90,51 @@ RUN wget -O /tmp/luarocks.tgz \ RUN luarocks install busted \ && luarocks install luacheck -ARG TARGETARCH - -ARG K8S_RELEASE - -RUN wget -O /usr/local/bin/kubectl \ - https://storage.googleapis.com/kubernetes-release/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kubectl \ +RUN wget -qO /usr/local/bin/kubectl \ + https://dl.k8s.io/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kubectl \ && chmod +x /usr/local/bin/kubectl -RUN wget -O /usr/local/bin/kube-apiserver \ - https://storage.googleapis.com/kubernetes-release/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kube-apiserver \ +RUN wget -qO /usr/local/bin/kube-apiserver \ + https://dl.k8s.io/release/${K8S_RELEASE}/bin/linux/${TARGETARCH}/kube-apiserver \ && chmod +x /usr/local/bin/kube-apiserver -ARG CHART_TESTING_VERSION - -RUN wget -O /tmp/ct-${CHART_TESTING_VERSION}-linux-amd64.tar.gz \ - https://github.com/helm/chart-testing/releases/download/v${CHART_TESTING_VERSION}/chart-testing_${CHART_TESTING_VERSION}_linux_amd64.tar.gz \ +RUN wget -qO /tmp/ct-${CHART_TESTING_VERSION}-linux-${TARGETARCH}.tar.gz \ + https://github.com/helm/chart-testing/releases/download/v${CHART_TESTING_VERSION}/chart-testing_${CHART_TESTING_VERSION}_linux_${TARGETARCH}.tar.gz \ && mkdir -p /tmp/ct-download \ - && tar xzvf /tmp/ct-${CHART_TESTING_VERSION}-linux-amd64.tar.gz -C /tmp/ct-download \ - && rm /tmp/ct-${CHART_TESTING_VERSION}-linux-amd64.tar.gz \ + && tar xzvf /tmp/ct-${CHART_TESTING_VERSION}-linux-${TARGETARCH}.tar.gz -C /tmp/ct-download \ + && rm /tmp/ct-${CHART_TESTING_VERSION}-linux-${TARGETARCH}.tar.gz \ && cp /tmp/ct-download/ct /usr/local/bin \ && mkdir -p /etc/ct \ && cp -R /tmp/ct-download/etc/* /etc/ct \ && rm -rf /tmp/* -RUN wget -O /usr/local/bin/lj-releng \ +RUN wget -qO /usr/local/bin/lj-releng \ https://raw.githubusercontent.com/openresty/openresty-devel-utils/master/lj-releng \ && chmod +x /usr/local/bin/lj-releng -ARG HELM_VERSION -RUN wget -O /tmp/helm.tgz \ - https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz \ +RUN wget -qO /tmp/helm.tgz \ + https://get.helm.sh/helm-v${HELM_VERSION}-linux-${TARGETARCH}.tar.gz \ && tar -C /tmp -xzf /tmp/helm.tgz \ && cp /tmp/linux*/helm /usr/local/bin \ && rm -rf /tmp/* # Install a YAML Linter -ARG YAML_LINT_VERSION -RUN pip install "yamllint==$YAML_LINT_VERSION" +# Pip not working. Check PR https://github.com/kubernetes/ingress-nginx/pull/10874 +# RUN pip install --user "yamllint==$YAML_LINT_VERSION" +RUN apk update -U \ + && apk add yamllint \ + && yamllint --version # Install Yamale YAML schema validator -ARG YAMALE_VERSION -RUN pip install "yamale==$YAMALE_VERSION" +# Commenting pip install yamale because broken cloudbuild https://github.com/kubernetes/ingress-nginx/pull/10885 +# RUN pip install --user "yamale==$YAMALE_VERSION" +RUN wget https://github.com/23andMe/Yamale/archive/master.zip \ + && unzip -d /tmp master.zip \ + && cd /tmp/Yamale-master \ + && python setup.py install \ + && yamale -V + +LABEL org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx WORKDIR $GOPATH diff --git a/ingress-nginx.yaml b/ingress-nginx.yaml new file mode 100644 index 000000000..be66255e0 --- /dev/null +++ b/ingress-nginx.yaml @@ -0,0 +1,68 @@ +CURRENT_VERSION: "v1.5.1" +GOLANG_VERSION: "1.19.2" +GIT_TAG: "controller-v1.5.1" +NGINX_BASE_IMAGE: "registry.k8s.io/ingress-nginx/nginx:0b5e0685112e4537ee20a0bdbba451e9f6158aa3@sha256:3f5e28bb248d5170e77b77fc2a1a385724aeff41a0b34b5afad7dd9cf93de000" +NGINX_VERSION: "1.21.6" +VERSION_TABLE: + - "v1.5.1": + - Alpine: "3.16.2" + - Kubernetes: ["1.25","1.24","1.23"] + - NGINX: "1.21.6" + - CONTROLLER_IMAGE: "registry.k8s.io/ingress-nginx/controller:v1.5.1@sha256:4ba73c697770664c1e00e9f968de14e08f606ff961c76e5d7033a4a9c593c629" + - CHROOT_CONTROLLER_IMAGE: "registry.k8s.io/ingress-nginx/controller-chroot:v1.5.1@sha256:c1c091b88a6c936a83bd7b098662760a87868d12452529bad0d178fb36147345" + - "v1.4.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.3.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.3.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.2.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.3": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.2": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.1.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.5": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.4": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.3": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.2": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.1": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" + - "v1.0.0": + - Alpine: "3.16.2" + - Kubernetes: [ "1.24","1.23", "1.22", "1.21", "1.20" ] + - NGINX: "1.19.10" diff --git a/internal/admission/controller/main.go b/internal/admission/controller/main.go index 645f298b4..888818c89 100644 --- a/internal/admission/controller/main.go +++ b/internal/admission/controller/main.go @@ -33,6 +33,7 @@ import ( // contains invalid instructions type Checker interface { CheckIngress(ing *networking.Ingress) error + CheckWarning(ing *networking.Ingress) ([]string, error) } // IngressAdmission implements the AdmissionController interface @@ -41,19 +42,16 @@ type IngressAdmission struct { Checker Checker } -var ( - ingressResource = metav1.GroupVersionKind{ - Group: networking.GroupName, - Version: "v1", - Kind: "Ingress", - } -) +var ingressResource = metav1.GroupVersionKind{ + Group: networking.GroupName, + Version: "v1", + Kind: "Ingress", +} // HandleAdmission populates the admission Response // with Allowed=false if the Object is an ingress that would prevent nginx to reload the configuration // with Allowed=true otherwise func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object, error) { - review, isV1 := obj.(*admissionv1.AdmissionReview) if !isV1 { return nil, fmt.Errorf("request is not of type AdmissionReview v1 or v1beta1") @@ -85,6 +83,15 @@ func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object, return review, nil } + // Adds the warnings regardless of operation being allowed or not + warning, err := ia.Checker.CheckWarning(&ingress) + if err != nil { + klog.ErrorS(err, "failed to get ingress warnings") + } + if len(warning) > 0 { + status.Warnings = warning + } + if err := ia.Checker.CheckIngress(&ingress); err != nil { klog.ErrorS(err, "invalid ingress configuration", "ingress", fmt.Sprintf("%v/%v", review.Request.Namespace, review.Request.Name)) status.Allowed = false diff --git a/internal/admission/controller/main_test.go b/internal/admission/controller/main_test.go index 7cc3cd7b4..1d223cc9e 100644 --- a/internal/admission/controller/main_test.go +++ b/internal/admission/controller/main_test.go @@ -33,11 +33,16 @@ type failTestChecker struct { t *testing.T } -func (ftc failTestChecker) CheckIngress(ing *networking.Ingress) error { +func (ftc failTestChecker) CheckIngress(_ *networking.Ingress) error { ftc.t.Error("checker should not be called") return nil } +func (ftc failTestChecker) CheckWarning(_ *networking.Ingress) ([]string, error) { + ftc.t.Error("checker should not be called") + return nil, nil +} + type testChecker struct { t *testing.T err error @@ -50,12 +55,19 @@ func (tc testChecker) CheckIngress(ing *networking.Ingress) error { return tc.err } +func (tc testChecker) CheckWarning(ing *networking.Ingress) ([]string, error) { + if ing.ObjectMeta.Name != testIngressName { + tc.t.Errorf("CheckWarning should be called with %v ingress, but got %v", testIngressName, ing.ObjectMeta.Name) + } + return nil, tc.err +} + func TestHandleAdmission(t *testing.T) { adm := &IngressAdmission{ Checker: failTestChecker{t: t}, } - result, err := adm.HandleAdmission(&admissionv1.AdmissionReview{ + _, err := adm.HandleAdmission(&admissionv1.AdmissionReview{ Request: &admissionv1.AdmissionRequest{ Kind: v1.GroupVersionKind{Group: "", Version: "v1", Kind: "Pod"}, }, @@ -64,12 +76,12 @@ func TestHandleAdmission(t *testing.T) { t.Fatalf("with a non ingress resource, the check should not pass") } - result, err = adm.HandleAdmission(nil) + _, err = adm.HandleAdmission(nil) if err == nil { t.Fatalf("with a nil AdmissionReview request, the check should not pass") } - result, err = adm.HandleAdmission(&admissionv1.AdmissionReview{ + result, err := adm.HandleAdmission(&admissionv1.AdmissionReview{ Request: &admissionv1.AdmissionRequest{ Kind: v1.GroupVersionKind{Group: networking.GroupName, Version: "v1", Kind: "Ingress"}, Object: runtime.RawExtension{ @@ -102,7 +114,9 @@ func TestHandleAdmission(t *testing.T) { err: fmt.Errorf("this is a test error"), } - adm.HandleAdmission(review) + if _, err := adm.HandleAdmission(review); err != nil { + t.Errorf("unexpected error: %v", err) + } if review.Response.Allowed { t.Fatalf("when the checker returns an error, the request should not be allowed") } @@ -112,7 +126,9 @@ func TestHandleAdmission(t *testing.T) { err: nil, } - adm.HandleAdmission(review) + if _, err := adm.HandleAdmission(review); err != nil { + t.Errorf("unexpected error: %v", err) + } if !review.Response.Allowed { t.Fatalf("when the checker returns no error, the request should be allowed") } diff --git a/internal/admission/controller/server.go b/internal/admission/controller/server.go index 29449de50..7fc61bcbb 100644 --- a/internal/admission/controller/server.go +++ b/internal/admission/controller/server.go @@ -26,12 +26,12 @@ import ( "k8s.io/klog/v2" ) -var ( - scheme = runtime.NewScheme() -) +var scheme = runtime.NewScheme() func init() { - admissionv1.AddToScheme(scheme) + if err := admissionv1.AddToScheme(scheme); err != nil { + klog.ErrorS(err, "Failed to add scheme") + } } // AdmissionController checks if an object diff --git a/internal/ingress/annotations/alias/main.go b/internal/ingress/annotations/alias/main.go index bd2067c9f..7a33e648e 100644 --- a/internal/ingress/annotations/alias/main.go +++ b/internal/ingress/annotations/alias/main.go @@ -27,19 +27,44 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + serverAliasAnnotation = "server-alias" +) + +var aliasAnnotation = parser.Annotation{ + Group: "alias", + Annotations: parser.AnnotationFields{ + serverAliasAnnotation: { + Validator: parser.ValidateArrayOfServerName, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, // High as this allows regex chars + Documentation: `this annotation can be used to define additional server + aliases for this Ingress`, + }, + }, +} + type alias struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new Alias annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return alias{r} + return alias{ + r: r, + annotationConfig: aliasAnnotation, + } +} + +func (a alias) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations } // Parse parses the annotations contained in the ingress rule // used to add an alias to the provided hosts func (a alias) Parse(ing *networking.Ingress) (interface{}, error) { - val, err := parser.GetStringAnnotation("server-alias", ing) + val, err := parser.GetStringAnnotation(serverAliasAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return []string{}, err } @@ -47,7 +72,7 @@ func (a alias) Parse(ing *networking.Ingress) (interface{}, error) { aliases := sets.NewString() for _, alias := range strings.Split(val, ",") { alias = strings.TrimSpace(alias) - if len(alias) == 0 { + if alias == "" { continue } @@ -61,3 +86,8 @@ func (a alias) Parse(ing *networking.Ingress) (interface{}, error) { return l, nil } + +func (a alias) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, aliasAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/alias/main_test.go b/internal/ingress/annotations/alias/main_test.go index 8e6fca447..f1d68c1f7 100644 --- a/internal/ingress/annotations/alias/main_test.go +++ b/internal/ingress/annotations/alias/main_test.go @@ -27,7 +27,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -var annotation = parser.GetAnnotationWithPrefix("server-alias") +var annotation = parser.GetAnnotationWithPrefix(serverAliasAnnotation) func TestParse(t *testing.T) { ap := NewParser(&resolver.Mock{}) @@ -36,16 +36,20 @@ func TestParse(t *testing.T) { } testCases := []struct { - annotations map[string]string - expected []string + annotations map[string]string + expected []string + skipValidation bool + wantErr bool }{ - {map[string]string{annotation: "a.com, b.com, , c.com"}, []string{"a.com", "b.com", "c.com"}}, - {map[string]string{annotation: "www.example.com"}, []string{"www.example.com"}}, - {map[string]string{annotation: "*.example.com,www.example.*"}, []string{"*.example.com", "www.example.*"}}, - {map[string]string{annotation: `~^www\d+\.example\.com$`}, []string{`~^www\d+\.example\.com$`}}, - {map[string]string{annotation: ""}, []string{}}, - {map[string]string{}, []string{}}, - {nil, []string{}}, + {map[string]string{annotation: "a.com, b.com, , c.com"}, []string{"a.com", "b.com", "c.com"}, false, false}, + {map[string]string{annotation: "www.example.com"}, []string{"www.example.com"}, false, false}, + {map[string]string{annotation: "*.example.com,www.example.*"}, []string{"*.example.com", "www.example.*"}, false, false}, + {map[string]string{annotation: `~^www\d+\.example\.com$`}, []string{`~^www\d+\.example\.com$`}, false, false}, + {map[string]string{annotation: `www.xpto;lala`}, []string{}, false, true}, + {map[string]string{annotation: `www.xpto;lala`}, []string{"www.xpto;lala"}, true, false}, // When we skip validation no error should happen + {map[string]string{annotation: ""}, []string{}, false, true}, + {map[string]string{}, []string{}, false, true}, + {nil, []string{}, false, true}, } ing := &networking.Ingress{ @@ -58,7 +62,16 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) + if testCase.skipValidation { + parser.EnableAnnotationValidation = false + } + t.Cleanup(func() { + parser.EnableAnnotationValidation = true + }) + result, err := ap.Parse(ing) + if (err != nil) != testCase.wantErr { + t.Errorf("ParseAliasAnnotation() annotation: %s, error = %v, wantErr %v", testCase.annotations, err, testCase.wantErr) + } if !reflect.DeepEqual(result, testCase.expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) } diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index fe7400ac7..302f0b4b1 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -17,9 +17,12 @@ limitations under the License. package annotations import ( - "github.com/imdario/mergo" + "dario.cat/mergo" + "k8s.io/ingress-nginx/internal/ingress/annotations/canary" + "k8s.io/ingress-nginx/internal/ingress/annotations/disableproxyintercepterrors" "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" + "k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry" "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" "k8s.io/ingress-nginx/internal/ingress/annotations/sslcipher" "k8s.io/ingress-nginx/internal/ingress/annotations/streamsnippet" @@ -43,12 +46,11 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/http2pushpreload" - "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" - "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/loadbalancing" "k8s.io/ingress-nginx/internal/ingress/annotations/log" "k8s.io/ingress-nginx/internal/ingress/annotations/mirror" - "k8s.io/ingress-nginx/internal/ingress/annotations/opentracing" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/portinredirect" "k8s.io/ingress-nginx/internal/ingress/annotations/proxy" @@ -56,7 +58,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/redirect" "k8s.io/ingress-nginx/internal/ingress/annotations/rewrite" "k8s.io/ingress-nginx/internal/ingress/annotations/satisfy" - "k8s.io/ingress-nginx/internal/ingress/annotations/secureupstream" "k8s.io/ingress-nginx/internal/ingress/annotations/serversnippet" "k8s.io/ingress-nginx/internal/ingress/annotations/serviceupstream" "k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity" @@ -75,48 +76,47 @@ const DeniedKeyName = "Denied" // Ingress defines the valid annotations present in one NGINX Ingress rule type Ingress struct { metav1.ObjectMeta - BackendProtocol string - Aliases []string - BasicDigestAuth auth.Config - Canary canary.Config - CertificateAuth authtls.Config - ClientBodyBufferSize string - ConfigurationSnippet string - Connection connection.Config - CorsConfig cors.Config - CustomHTTPErrors []int - DefaultBackend *apiv1.Service - //TODO: Change this back into an error when https://github.com/imdario/mergo/issues/100 is resolved - FastCGI fastcgi.Config - Denied *string - ExternalAuth authreq.Config - EnableGlobalAuth bool - HTTP2PushPreload bool - Opentracing opentracing.Config - Proxy proxy.Config - ProxySSL proxyssl.Config - RateLimit ratelimit.Config - GlobalRateLimit globalratelimit.Config - Redirect redirect.Config - Rewrite rewrite.Config - Satisfy string - SecureUpstream secureupstream.Config - ServerSnippet string - ServiceUpstream bool - SessionAffinity sessionaffinity.Config - SSLPassthrough bool - UsePortInRedirects bool - UpstreamHashBy upstreamhashby.Config - LoadBalancing string - UpstreamVhost string - Whitelist ipwhitelist.SourceRange - XForwardedPrefix string - SSLCipher sslcipher.Config - Logs log.Config - InfluxDB influxdb.Config - ModSecurity modsecurity.Config - Mirror mirror.Config - StreamSnippet string + BackendProtocol string + Aliases []string + BasicDigestAuth auth.Config + Canary canary.Config + CertificateAuth authtls.Config + ClientBodyBufferSize string + ConfigurationSnippet string + Connection connection.Config + CorsConfig cors.Config + CustomHTTPErrors []int + DisableProxyInterceptErrors bool + DefaultBackend *apiv1.Service + FastCGI fastcgi.Config + Denied *string + ExternalAuth authreq.Config + EnableGlobalAuth bool + HTTP2PushPreload bool + Opentelemetry opentelemetry.Config + Proxy proxy.Config + ProxySSL proxyssl.Config + RateLimit ratelimit.Config + GlobalRateLimit globalratelimit.Config + Redirect redirect.Config + Rewrite rewrite.Config + Satisfy string + ServerSnippet string + ServiceUpstream bool + SessionAffinity sessionaffinity.Config + SSLPassthrough bool + UsePortInRedirects bool + UpstreamHashBy upstreamhashby.Config + LoadBalancing string + UpstreamVhost string + Denylist ipdenylist.SourceRange + XForwardedPrefix string + SSLCipher sslcipher.Config + Logs log.Config + ModSecurity modsecurity.Config + Mirror mirror.Config + StreamSnippet string + Allowlist ipallowlist.SourceRange } // Extractor defines the annotation parsers to be used in the extraction of annotations @@ -128,61 +128,68 @@ type Extractor struct { func NewAnnotationExtractor(cfg resolver.Resolver) Extractor { return Extractor{ map[string]parser.IngressAnnotation{ - "Aliases": alias.NewParser(cfg), - "BasicDigestAuth": auth.NewParser(auth.AuthDirectory, cfg), - "Canary": canary.NewParser(cfg), - "CertificateAuth": authtls.NewParser(cfg), - "ClientBodyBufferSize": clientbodybuffersize.NewParser(cfg), - "ConfigurationSnippet": snippet.NewParser(cfg), - "Connection": connection.NewParser(cfg), - "CorsConfig": cors.NewParser(cfg), - "CustomHTTPErrors": customhttperrors.NewParser(cfg), - "DefaultBackend": defaultbackend.NewParser(cfg), - "FastCGI": fastcgi.NewParser(cfg), - "ExternalAuth": authreq.NewParser(cfg), - "EnableGlobalAuth": authreqglobal.NewParser(cfg), - "HTTP2PushPreload": http2pushpreload.NewParser(cfg), - "Opentracing": opentracing.NewParser(cfg), - "Proxy": proxy.NewParser(cfg), - "ProxySSL": proxyssl.NewParser(cfg), - "RateLimit": ratelimit.NewParser(cfg), - "GlobalRateLimit": globalratelimit.NewParser(cfg), - "Redirect": redirect.NewParser(cfg), - "Rewrite": rewrite.NewParser(cfg), - "Satisfy": satisfy.NewParser(cfg), - "SecureUpstream": secureupstream.NewParser(cfg), - "ServerSnippet": serversnippet.NewParser(cfg), - "ServiceUpstream": serviceupstream.NewParser(cfg), - "SessionAffinity": sessionaffinity.NewParser(cfg), - "SSLPassthrough": sslpassthrough.NewParser(cfg), - "UsePortInRedirects": portinredirect.NewParser(cfg), - "UpstreamHashBy": upstreamhashby.NewParser(cfg), - "LoadBalancing": loadbalancing.NewParser(cfg), - "UpstreamVhost": upstreamvhost.NewParser(cfg), - "Whitelist": ipwhitelist.NewParser(cfg), - "XForwardedPrefix": xforwardedprefix.NewParser(cfg), - "SSLCipher": sslcipher.NewParser(cfg), - "Logs": log.NewParser(cfg), - "InfluxDB": influxdb.NewParser(cfg), - "BackendProtocol": backendprotocol.NewParser(cfg), - "ModSecurity": modsecurity.NewParser(cfg), - "Mirror": mirror.NewParser(cfg), - "StreamSnippet": streamsnippet.NewParser(cfg), + "Aliases": alias.NewParser(cfg), + "BasicDigestAuth": auth.NewParser(auth.AuthDirectory, cfg), + "Canary": canary.NewParser(cfg), + "CertificateAuth": authtls.NewParser(cfg), + "ClientBodyBufferSize": clientbodybuffersize.NewParser(cfg), + "ConfigurationSnippet": snippet.NewParser(cfg), + "Connection": connection.NewParser(cfg), + "CorsConfig": cors.NewParser(cfg), + "CustomHTTPErrors": customhttperrors.NewParser(cfg), + "DisableProxyInterceptErrors": disableproxyintercepterrors.NewParser(cfg), + "DefaultBackend": defaultbackend.NewParser(cfg), + "FastCGI": fastcgi.NewParser(cfg), + "ExternalAuth": authreq.NewParser(cfg), + "EnableGlobalAuth": authreqglobal.NewParser(cfg), + "HTTP2PushPreload": http2pushpreload.NewParser(cfg), + "Opentelemetry": opentelemetry.NewParser(cfg), + "Proxy": proxy.NewParser(cfg), + "ProxySSL": proxyssl.NewParser(cfg), + "RateLimit": ratelimit.NewParser(cfg), + "GlobalRateLimit": globalratelimit.NewParser(cfg), + "Redirect": redirect.NewParser(cfg), + "Rewrite": rewrite.NewParser(cfg), + "Satisfy": satisfy.NewParser(cfg), + "ServerSnippet": serversnippet.NewParser(cfg), + "ServiceUpstream": serviceupstream.NewParser(cfg), + "SessionAffinity": sessionaffinity.NewParser(cfg), + "SSLPassthrough": sslpassthrough.NewParser(cfg), + "UsePortInRedirects": portinredirect.NewParser(cfg), + "UpstreamHashBy": upstreamhashby.NewParser(cfg), + "LoadBalancing": loadbalancing.NewParser(cfg), + "UpstreamVhost": upstreamvhost.NewParser(cfg), + "Allowlist": ipallowlist.NewParser(cfg), + "Denylist": ipdenylist.NewParser(cfg), + "XForwardedPrefix": xforwardedprefix.NewParser(cfg), + "SSLCipher": sslcipher.NewParser(cfg), + "Logs": log.NewParser(cfg), + "BackendProtocol": backendprotocol.NewParser(cfg), + "ModSecurity": modsecurity.NewParser(cfg), + "Mirror": mirror.NewParser(cfg), + "StreamSnippet": streamsnippet.NewParser(cfg), }, } } // Extract extracts the annotations from an Ingress -func (e Extractor) Extract(ing *networking.Ingress) *Ingress { +func (e Extractor) Extract(ing *networking.Ingress) (*Ingress, error) { pia := &Ingress{ ObjectMeta: ing.ObjectMeta, } data := make(map[string]interface{}) for name, annotationParser := range e.annotations { + if err := annotationParser.Validate(ing.GetAnnotations()); err != nil { + return nil, errors.NewRiskyAnnotations(name) + } val, err := annotationParser.Parse(ing) klog.V(5).InfoS("Parsing Ingress annotation", "name", name, "ingress", klog.KObj(ing), "value", val) if err != nil { + if errors.IsValidationError(err) { + klog.ErrorS(err, "ingress contains invalid annotation value") + return nil, err + } if errors.IsMissingAnnotations(err) { continue } @@ -220,5 +227,5 @@ func (e Extractor) Extract(ing *networking.Ingress) *Ingress { klog.ErrorS(err, "unexpected error merging extracted annotations") } - return pia + return pia, nil } diff --git a/internal/ingress/annotations/annotations_test.go b/internal/ingress/annotations/annotations_test.go index d792801bc..0f4f8f7d7 100644 --- a/internal/ingress/annotations/annotations_test.go +++ b/internal/ingress/annotations/annotations_test.go @@ -64,7 +64,11 @@ func (m mockCfg) GetService(name string) (*apiv1.Service, error) { } func (m mockCfg) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error) { - if secret, _ := m.GetSecret(name); secret != nil { + secret, err := m.GetSecret(name) + if err != nil { + return nil, err + } + if secret != nil { return &resolver.AuthSSLCert{ Secret: name, CAFileName: "/opt/ca.pem", @@ -121,6 +125,7 @@ func TestSSLPassthrough(t *testing.T) { ec := NewAnnotationExtractor(mockCfg{}) ing := buildIngress() + //nolint:goconst //already a constant fooAnns := []struct { annotations map[string]string er bool @@ -134,8 +139,11 @@ func TestSSLPassthrough(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).SSLPassthrough - if r != foo.er { + r, err := ec.Extract(ing) + if err != nil { + t.Errorf("Errors should be null: %v", err) + } + if r.SSLPassthrough != foo.er { t.Errorf("Returned %v but expected %v", r, foo.er) } } @@ -158,8 +166,11 @@ func TestUpstreamHashBy(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).UpstreamHashBy.UpstreamHashBy - if r != foo.er { + r, err := ec.Extract(ing) + if err != nil { + t.Errorf("error should be null: %v", err) + } + if r.UpstreamHashBy.UpstreamHashBy != foo.er { t.Errorf("Returned %v but expected %v", r, foo.er) } } @@ -185,7 +196,11 @@ func TestAffinitySession(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).SessionAffinity + rann, err := ec.Extract(ing) + if err != nil { + t.Errorf("error should be null: %v", err) + } + r := rann.SessionAffinity t.Logf("Testing pass %v %v", foo.affinitytype, foo.cookiename) if r.Type != foo.affinitytype { @@ -228,7 +243,11 @@ func TestCors(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).CorsConfig + rann, err := ec.Extract(ing) + if err != nil { + t.Errorf("error should be null: %v", err) + } + r := rann.CorsConfig t.Logf("Testing pass %v %v %v %v %v", foo.corsenabled, foo.methods, foo.headers, foo.origin, foo.credentials) if r.CorsEnabled != foo.corsenabled { @@ -256,9 +275,9 @@ func TestCors(t *testing.T) { if r.CorsAllowCredentials != foo.credentials { t.Errorf("Returned %v but expected %v for Cors Credentials", r.CorsAllowCredentials, foo.credentials) } - } } + func TestCustomHTTPErrors(t *testing.T) { ec := NewAnnotationExtractor(mockCfg{}) ing := buildIngress() @@ -277,7 +296,11 @@ func TestCustomHTTPErrors(t *testing.T) { for _, foo := range fooAnns { ing.SetAnnotations(foo.annotations) - r := ec.Extract(ing).CustomHTTPErrors + rann, err := ec.Extract(ing) + if err != nil { + t.Errorf("error should be null: %v", err) + } + r := rann.CustomHTTPErrors // Check that expected codes were created for i := range foo.er { diff --git a/internal/ingress/annotations/auth/main.go b/internal/ingress/annotations/auth/main.go index 58486c6e8..7c7fde7b8 100644 --- a/internal/ingress/annotations/auth/main.go +++ b/internal/ingress/annotations/auth/main.go @@ -32,13 +32,56 @@ import ( "k8s.io/ingress-nginx/pkg/util/file" ) +const ( + authSecretTypeAnnotation = "auth-secret-type" //#nosec G101 + authRealmAnnotation = "auth-realm" + authTypeAnnotation = "auth-type" + // This should be exported as it is imported by other packages + AuthSecretAnnotation = "auth-secret" //#nosec G101 +) + var ( - authTypeRegex = regexp.MustCompile(`basic|digest`) + authTypeRegex = regexp.MustCompile(`basic|digest`) + authSecretTypeRegex = regexp.MustCompile(`auth-file|auth-map`) + // AuthDirectory default directory used to store files // to authenticate request AuthDirectory = "/etc/ingress-controller/auth" ) +var AuthSecretConfig = parser.AnnotationConfig{ + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars + Documentation: `This annotation defines the name of the Secret that contains the usernames and passwords which are granted access to the paths defined in the Ingress rules. `, +} + +var authSecretAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + AuthSecretAnnotation: AuthSecretConfig, + authSecretTypeAnnotation: { + Validator: parser.ValidateRegex(authSecretTypeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation what is the format of auth-secret value. Can be "auth-file" that defines the content of an htpasswd file, or "auth-map" where each key + is a user and each value is the password.`, + }, + authRealmAnnotation: { + Validator: parser.ValidateRegex(parser.CharsWithSpace, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars + Documentation: `This annotation defines the realm (message) that should be shown to user when authentication is requested.`, + }, + authTypeAnnotation: { + Validator: parser.ValidateRegex(authTypeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the basic authentication type. Should be "basic" or "digest"`, + }, + }, +} + const ( fileAuth = "auth-file" mapAuth = "auth-map" @@ -85,13 +128,18 @@ func (bd1 *Config) Equal(bd2 *Config) bool { } type auth struct { - r resolver.Resolver - authDirectory string + r resolver.Resolver + authDirectory string + annotationConfig parser.Annotation } // NewParser creates a new authentication annotation parser func NewParser(authDirectory string, r resolver.Resolver) parser.IngressAnnotation { - return auth{r, authDirectory} + return auth{ + r: r, + authDirectory: authDirectory, + annotationConfig: authSecretAnnotations, + } } // Parse parses the annotations contained in the ingress @@ -99,7 +147,7 @@ func NewParser(authDirectory string, r resolver.Resolver) parser.IngressAnnotati // and generated an htpasswd compatible file to be used as source // during the authentication process func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { - at, err := parser.GetStringAnnotation("auth-type", ing) + at, err := parser.GetStringAnnotation(authTypeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return nil, err } @@ -109,21 +157,24 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { } var secretType string - secretType, err = parser.GetStringAnnotation("auth-secret-type", ing) + secretType, err = parser.GetStringAnnotation(authSecretTypeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return nil, err + } secretType = fileAuth } - s, err := parser.GetStringAnnotation("auth-secret", ing) + s, err := parser.GetStringAnnotation(AuthSecretAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("error reading secret name from annotation: %w", err), } } sns, sname, err := cache.SplitMetaNamespaceKey(s) if err != nil { - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("error reading secret name from annotation: %w", err), } } @@ -131,16 +182,26 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { if sns == "" { sns = ing.Namespace } + secCfg := a.r.GetSecurityConfiguration() + // We don't accept different namespaces for secrets. + if !secCfg.AllowCrossNamespaceResources && sns != ing.Namespace { + return nil, ing_errors.LocationDeniedError{ + Reason: fmt.Errorf("cross namespace usage of secrets is not allowed"), + } + } name := fmt.Sprintf("%v/%v", sns, sname) secret, err := a.r.GetSecret(name) if err != nil { - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("unexpected error reading secret %s: %w", name, err), } } - realm, _ := parser.GetStringAnnotation("auth-realm", ing) + realm, err := parser.GetStringAnnotation(authRealmAnnotation, ing, a.annotationConfig.Annotations) + if ing_errors.IsValidationError(err) { + return nil, err + } passFilename := fmt.Sprintf("%v/%v-%v-%v.passwd", a.authDirectory, ing.GetNamespace(), ing.UID, secret.UID) @@ -156,7 +217,7 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { return nil, err } default: - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("invalid auth-secret-type in annotation, must be 'auth-file' or 'auth-map': %w", err), } } @@ -177,14 +238,14 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { func dumpSecretAuthFile(filename string, secret *api.Secret) error { val, ok := secret.Data["auth"] if !ok { - return ing_errors.LocationDenied{ + return ing_errors.LocationDeniedError{ Reason: fmt.Errorf("the secret %s does not contain a key with value auth", secret.Name), } } err := os.WriteFile(filename, val, file.ReadWriteByUser) if err != nil { - return ing_errors.LocationDenied{ + return ing_errors.LocationDeniedError{ Reason: fmt.Errorf("unexpected error creating password file: %w", err), } } @@ -197,16 +258,25 @@ func dumpSecretAuthMap(filename string, secret *api.Secret) error { for user, pass := range secret.Data { builder.WriteString(user) builder.WriteString(":") - builder.WriteString(string(pass)) + builder.Write(pass) builder.WriteString("\n") } err := os.WriteFile(filename, []byte(builder.String()), file.ReadWriteByUser) if err != nil { - return ing_errors.LocationDenied{ + return ing_errors.LocationDeniedError{ Reason: fmt.Errorf("unexpected error creating password file: %w", err), } } return nil } + +func (a auth) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a auth) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, authSecretAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/auth/main_test.go b/internal/ingress/annotations/auth/main_test.go index d4ec53459..868f31a05 100644 --- a/internal/ingress/annotations/auth/main_test.go +++ b/internal/ingress/annotations/auth/main_test.go @@ -26,11 +26,21 @@ import ( api "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/tools/cache" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +//nolint:gosec // Ignore hardcoded credentials error in testing +const ( + authType = "basic" + authRealm = "-realm-" + defaultDemoSecret = "default/demo-secret" + othernsDemoSecret = "otherns/demo-secret" + demoSecret = "demo-secret" +) + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -79,14 +89,19 @@ type mockSecret struct { } func (m mockSecret) GetSecret(name string) (*api.Secret, error) { - if name != "default/demo-secret" { + if name != defaultDemoSecret && name != othernsDemoSecret { return nil, fmt.Errorf("there is no secret with name %v", name) } + ns, _, err := cache.SplitMetaNamespaceKey(name) + if err != nil { + return nil, err + } + return &api.Secret{ ObjectMeta: meta_v1.ObjectMeta{ - Namespace: api.NamespaceDefault, - Name: "demo-secret", + Namespace: ns, + Name: demoSecret, }, Data: map[string][]byte{"auth": []byte("foo:$apr1$OFG3Xybp$ckL0FHDAkoXYIlH9.cysT0")}, }, nil @@ -106,13 +121,91 @@ func TestIngressAuthBadAuthType(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "invalid" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "invalid" ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) defer os.RemoveAll(dir) - expected := ing_errors.NewLocationDenied("invalid authentication type") + expected := ing_errors.NewValidationError("nginx.ingress.kubernetes.io/auth-type") + _, err := NewParser(dir, &mockSecret{}).Parse(ing) + if err.Error() != expected.Error() { + t.Errorf("expected '%v' but got '%v'", expected, err) + } +} + +func TestIngressInvalidRealm(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = "something weird ; location trying to { break }" + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = demoSecret + ing.SetAnnotations(data) + + _, dir, _ := dummySecretContent(t) + defer os.RemoveAll(dir) + + expected := ing_errors.NewValidationError("nginx.ingress.kubernetes.io/auth-realm") + _, err := NewParser(dir, &mockSecret{}).Parse(ing) + if err.Error() != expected.Error() { + t.Errorf("expected '%v' but got '%v'", expected, err) + } +} + +func TestIngressInvalidDifferentNamespace(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = othernsDemoSecret + ing.SetAnnotations(data) + + _, dir, _ := dummySecretContent(t) + defer os.RemoveAll(dir) + + expected := ing_errors.LocationDeniedError{ + Reason: errors.New("cross namespace usage of secrets is not allowed"), + } + _, err := NewParser(dir, &mockSecret{}).Parse(ing) + if err.Error() != expected.Error() { + t.Errorf("expected '%v' but got '%v'", expected, err) + } +} + +func TestIngressInvalidDifferentNamespaceAllowed(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = othernsDemoSecret + ing.SetAnnotations(data) + + _, dir, _ := dummySecretContent(t) + defer os.RemoveAll(dir) + + r := mockSecret{} + r.AllowCrossNamespace = true + _, err := NewParser(dir, r).Parse(ing) + if err != nil { + t.Errorf("not expecting an error") + } +} + +func TestIngressInvalidSecretName(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "demo-secret;xpto" + ing.SetAnnotations(data) + + _, dir, _ := dummySecretContent(t) + defer os.RemoveAll(dir) + + expected := ing_errors.LocationDeniedError{ + Reason: errors.New("error reading secret name from annotation: annotation nginx.ingress.kubernetes.io/auth-secret contains invalid value"), + } _, err := NewParser(dir, &mockSecret{}).Parse(ing) if err.Error() != expected.Error() { t.Errorf("expected '%v' but got '%v'", expected, err) @@ -123,13 +216,13 @@ func TestInvalidIngressAuthNoSecret(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "basic" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) defer os.RemoveAll(dir) - expected := ing_errors.LocationDenied{ + expected := ing_errors.LocationDeniedError{ Reason: errors.New("error reading secret name from annotation: ingress rule without annotations"), } _, err := NewParser(dir, &mockSecret{}).Parse(ing) @@ -142,9 +235,9 @@ func TestIngressAuth(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "basic" - data[parser.GetAnnotationWithPrefix("auth-secret")] = "demo-secret" - data[parser.GetAnnotationWithPrefix("auth-realm")] = "-realm-" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = demoSecret + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = authRealm ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -158,10 +251,10 @@ func TestIngressAuth(t *testing.T) { if !ok { t.Errorf("expected a BasicDigest type") } - if auth.Type != "basic" { + if auth.Type != authType { t.Errorf("Expected basic as auth type but returned %s", auth.Type) } - if auth.Realm != "-realm-" { + if auth.Realm != authRealm { t.Errorf("Expected -realm- as realm but returned %s", auth.Realm) } if !auth.Secured { @@ -173,9 +266,9 @@ func TestIngressAuthWithoutSecret(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "basic" - data[parser.GetAnnotationWithPrefix("auth-secret")] = "invalid-secret" - data[parser.GetAnnotationWithPrefix("auth-realm")] = "-realm-" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "invalid-secret" + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = authRealm ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -191,10 +284,10 @@ func TestIngressAuthInvalidSecretKey(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-type")] = "basic" - data[parser.GetAnnotationWithPrefix("auth-secret")] = "demo-secret" - data[parser.GetAnnotationWithPrefix("auth-secret-type")] = "invalid-type" - data[parser.GetAnnotationWithPrefix("auth-realm")] = "-realm-" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = demoSecret + data[parser.GetAnnotationWithPrefix(authSecretTypeAnnotation)] = "invalid-type" + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = authRealm ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -206,7 +299,7 @@ func TestIngressAuthInvalidSecretKey(t *testing.T) { } } -func dummySecretContent(t *testing.T) (string, string, *api.Secret) { +func dummySecretContent(t *testing.T) (fileName, dir string, s *api.Secret) { dir, err := os.MkdirTemp("", fmt.Sprintf("%v", time.Now().Unix())) if err != nil { t.Error(err) @@ -217,7 +310,10 @@ func dummySecretContent(t *testing.T) (string, string, *api.Secret) { t.Error(err) } defer tmpfile.Close() - s, _ := mockSecret{}.GetSecret("default/demo-secret") + s, err = mockSecret{}.GetSecret(defaultDemoSecret) + if err != nil { + t.Errorf("unexpected error: %v", err) + } return tmpfile.Name(), dir, s } diff --git a/internal/ingress/annotations/authreq/main.go b/internal/ingress/annotations/authreq/main.go index 6a8a4611a..c66b0ed47 100644 --- a/internal/ingress/annotations/authreq/main.go +++ b/internal/ingress/annotations/authreq/main.go @@ -24,6 +24,7 @@ import ( "k8s.io/klog/v2" networking "k8s.io/api/networking/v1" + "k8s.io/client-go/tools/cache" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" @@ -31,6 +32,125 @@ import ( "k8s.io/ingress-nginx/pkg/util/sets" ) +const ( + authReqURLAnnotation = "auth-url" + authReqMethodAnnotation = "auth-method" + authReqSigninAnnotation = "auth-signin" + authReqSigninRedirParamAnnotation = "auth-signin-redirect-param" + authReqSnippetAnnotation = "auth-snippet" + authReqCacheKeyAnnotation = "auth-cache-key" + authReqKeepaliveAnnotation = "auth-keepalive" + authReqKeepaliveShareVarsAnnotation = "auth-keepalive-share-vars" + authReqKeepaliveRequestsAnnotation = "auth-keepalive-requests" + authReqKeepaliveTimeout = "auth-keepalive-timeout" + authReqCacheDuration = "auth-cache-duration" + authReqResponseHeadersAnnotation = "auth-response-headers" + authReqProxySetHeadersAnnotation = "auth-proxy-set-headers" + authReqRequestRedirectAnnotation = "auth-request-redirect" + authReqAlwaysSetCookieAnnotation = "auth-always-set-cookie" + + // This should be exported as it is imported by other packages + AuthSecretAnnotation = "auth-secret" +) + +var authReqAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + authReqURLAnnotation: { + Validator: parser.ValidateRegex(parser.URLWithNginxVariableRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation allows to indicate the URL where the HTTP request should be sent`, + }, + authReqMethodAnnotation: { + Validator: parser.ValidateRegex(methodsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows to specify the HTTP method to use`, + }, + authReqSigninAnnotation: { + Validator: parser.ValidateRegex(parser.URLWithNginxVariableRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation allows to specify the location of the error page`, + }, + authReqSigninRedirParamAnnotation: { + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify the URL parameter in the error page which should contain the original URL for a failed signin request`, + }, + authReqSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskCritical, + Documentation: `This annotation allows to specify a custom snippet to use with external authentication`, + }, + authReqCacheKeyAnnotation: { + Validator: parser.ValidateRegex(parser.NGINXVariable, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation enables caching for auth requests.`, + }, + authReqKeepaliveAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation specifies the maximum number of keepalive connections to auth-url. Only takes effect when no variables are used in the host part of the URL`, + }, + authReqKeepaliveShareVarsAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation specifies whether to share Nginx variables among the current request and the auth request`, + }, + authReqKeepaliveRequestsAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the maximum number of requests that can be served through one keepalive connection`, + }, + authReqKeepaliveTimeout: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation specifies a duration in seconds which an idle keepalive connection to an upstream server will stay open`, + }, + authReqCacheDuration: { + Validator: parser.ValidateRegex(parser.ExtendedCharsRegex, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify a caching time for auth responses based on their response codes, e.g. 200 202 30m`, + }, + authReqResponseHeadersAnnotation: { + Validator: parser.ValidateRegex(parser.HeadersVariable, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation sets the headers to pass to backend once authentication request completes. They should be separated by comma.`, + }, + authReqProxySetHeadersAnnotation: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation sets the name of a ConfigMap that specifies headers to pass to the authentication service. + Only ConfigMaps on the same namespace are allowed`, + }, + authReqRequestRedirectAnnotation: { + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify the X-Auth-Request-Redirect header value`, + }, + authReqAlwaysSetCookieAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables setting a cookie returned by auth request. + By default, the cookie will be set only if an upstream reports with the code 200, 201, 204, 206, 301, 302, 303, 304, 307, or 308`, + }, + }, +} + // Config returns external authentication configuration for an Ingress rule type Config struct { URL string `json:"url"` @@ -45,6 +165,7 @@ type Config struct { AuthCacheKey string `json:"authCacheKey"` AuthCacheDuration []string `json:"authCacheDuration"` KeepaliveConnections int `json:"keepaliveConnections"` + KeepaliveShareVars bool `json:"keepaliveShareVars"` KeepaliveRequests int `json:"keepaliveRequests"` KeepaliveTimeout int `json:"keepaliveTimeout"` ProxySetHeaders map[string]string `json:"proxySetHeaders,omitempty"` @@ -57,6 +178,7 @@ const DefaultCacheDuration = "200 202 401 5m" // fallback values when no keepalive parameters are set const ( defaultKeepaliveConnections = 0 + defaultKeepaliveShareVars = false defaultKeepaliveRequests = 1000 defaultKeepaliveTimeout = 60 ) @@ -105,6 +227,10 @@ func (e1 *Config) Equal(e2 *Config) bool { return false } + if e1.KeepaliveShareVars != e2.KeepaliveShareVars { + return false + } + if e1.KeepaliveRequests != e2.KeepaliveRequests { return false } @@ -121,29 +247,20 @@ func (e1 *Config) Equal(e2 *Config) bool { } var ( - methods = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "CONNECT", "OPTIONS", "TRACE"} + methodsRegex = regexp.MustCompile("(GET|HEAD|POST|PUT|PATCH|DELETE|CONNECT|OPTIONS|TRACE)") headerRegexp = regexp.MustCompile(`^[a-zA-Z\d\-_]+$`) - statusCodeRegex = regexp.MustCompile(`^[\d]{3}$`) - durationRegex = regexp.MustCompile(`^[\d]+(ms|s|m|h|d|w|M|y)$`) // see http://nginx.org/en/docs/syntax.html + statusCodeRegex = regexp.MustCompile(`^\d{3}$`) + durationRegex = regexp.MustCompile(`^\d+(ms|s|m|h|d|w|M|y)$`) // see http://nginx.org/en/docs/syntax.html ) // ValidMethod checks is the provided string a valid HTTP method func ValidMethod(method string) bool { - if len(method) == 0 { - return false - } - - for _, m := range methods { - if method == m { - return true - } - } - return false + return methodsRegex.MatchString(method) } // ValidHeader checks is the provided string satisfies the header's name regex func ValidHeader(header string) bool { - return headerRegexp.Match([]byte(header)) + return headerRegexp.MatchString(header) } // ValidCacheDuration checks if the provided string is a valid cache duration @@ -156,16 +273,16 @@ func ValidCacheDuration(duration string) bool { seenDuration := false for _, element := range elements { - if len(element) == 0 { + if element == "" { continue } - if statusCodeRegex.Match([]byte(element)) { + if statusCodeRegex.MatchString(element) { if seenDuration { return false // code after duration } continue } - if durationRegex.Match([]byte(element)) { + if durationRegex.MatchString(element) { seenDuration = true } } @@ -173,55 +290,72 @@ func ValidCacheDuration(duration string) bool { } type authReq struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new authentication request annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return authReq{r} + return authReq{ + r: r, + annotationConfig: authReqAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress // rule used to use an Config URL as source for authentication +// +//nolint:gocyclo // Ignore function complexity error func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { // Required Parameters - urlString, err := parser.GetStringAnnotation("auth-url", ing) + urlString, err := parser.GetStringAnnotation(authReqURLAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return nil, err } authURL, err := parser.StringToURL(urlString) if err != nil { - return nil, ing_errors.LocationDenied{Reason: fmt.Errorf("could not parse auth-url annotation: %v", err)} + return nil, ing_errors.LocationDeniedError{Reason: fmt.Errorf("could not parse auth-url annotation: %v", err)} } - authMethod, _ := parser.GetStringAnnotation("auth-method", ing) - if len(authMethod) != 0 && !ValidMethod(authMethod) { - return nil, ing_errors.NewLocationDenied("invalid HTTP method") + authMethod, err := parser.GetStringAnnotation(authReqMethodAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + if ing_errors.IsValidationError(err) { + return nil, ing_errors.NewLocationDenied("invalid HTTP method") + } } // Optional Parameters - signIn, err := parser.GetStringAnnotation("auth-signin", ing) + signIn, err := parser.GetStringAnnotation(authReqSigninAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + klog.Warningf("%s value is invalid: %s", authReqSigninAnnotation, err) + } klog.V(3).InfoS("auth-signin annotation is undefined and will not be set") } - signInRedirectParam, err := parser.GetStringAnnotation("auth-signin-redirect-param", ing) + signInRedirectParam, err := parser.GetStringAnnotation(authReqSigninRedirParamAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + klog.Warningf("%s value is invalid: %s", authReqSigninRedirParamAnnotation, err) + } klog.V(3).Infof("auth-signin-redirect-param annotation is undefined and will not be set") } - authSnippet, err := parser.GetStringAnnotation("auth-snippet", ing) + authSnippet, err := parser.GetStringAnnotation(authReqSnippetAnnotation, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("auth-snippet annotation is undefined and will not be set") } - authCacheKey, err := parser.GetStringAnnotation("auth-cache-key", ing) + authCacheKey, err := parser.GetStringAnnotation(authReqCacheKeyAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + klog.Warningf("%s value is invalid: %s", authReqCacheKeyAnnotation, err) + } klog.V(3).InfoS("auth-cache-key annotation is undefined and will not be set") } - keepaliveConnections, err := parser.GetIntAnnotation("auth-keepalive", ing) + keepaliveConnections, err := parser.GetIntAnnotation(authReqKeepaliveAnnotation, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("auth-keepalive annotation is undefined and will be set to its default value") keepaliveConnections = defaultKeepaliveConnections @@ -238,9 +372,15 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { } } - keepaliveRequests, err := parser.GetIntAnnotation("auth-keepalive-requests", ing) + keepaliveShareVars, err := parser.GetBoolAnnotation(authReqKeepaliveShareVarsAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - klog.V(3).InfoS("auth-keepalive-requests annotation is undefined and will be set to its default value") + klog.V(3).InfoS("auth-keepalive-share-vars annotation is undefined and will be set to its default value") + keepaliveShareVars = defaultKeepaliveShareVars + } + + keepaliveRequests, err := parser.GetIntAnnotation(authReqKeepaliveRequestsAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + klog.V(3).InfoS("auth-keepalive-requests annotation is undefined or invalid and will be set to its default value") keepaliveRequests = defaultKeepaliveRequests } if keepaliveRequests <= 0 { @@ -248,7 +388,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { keepaliveConnections = 0 } - keepaliveTimeout, err := parser.GetIntAnnotation("auth-keepalive-timeout", ing) + keepaliveTimeout, err := parser.GetIntAnnotation(authReqKeepaliveTimeout, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("auth-keepalive-timeout annotation is undefined and will be set to its default value") keepaliveTimeout = defaultKeepaliveTimeout @@ -258,15 +398,21 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { keepaliveConnections = 0 } - durstr, _ := parser.GetStringAnnotation("auth-cache-duration", ing) + durstr, err := parser.GetStringAnnotation(authReqCacheDuration, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return nil, fmt.Errorf("%s contains invalid value", authReqCacheDuration) + } authCacheDuration, err := ParseStringToCacheDurations(durstr) if err != nil { return nil, err } responseHeaders := []string{} - hstr, _ := parser.GetStringAnnotation("auth-response-headers", ing) - if len(hstr) != 0 { + hstr, err := parser.GetStringAnnotation(authReqResponseHeadersAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return nil, ing_errors.NewLocationDenied("validation error") + } + if hstr != "" { harr := strings.Split(hstr, ",") for _, header := range harr { header = strings.TrimSpace(header) @@ -279,9 +425,28 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { } } - proxySetHeaderMap, err := parser.GetStringAnnotation("auth-proxy-set-headers", ing) + proxySetHeaderMap, err := parser.GetStringAnnotation(authReqProxySetHeadersAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - klog.V(3).InfoS("auth-set-proxy-headers annotation is undefined and will not be set") + klog.V(3).InfoS("auth-set-proxy-headers annotation is undefined and will not be set", "err", err) + } + + cns, _, err := cache.SplitMetaNamespaceKey(proxySetHeaderMap) + if err != nil { + return nil, ing_errors.LocationDeniedError{ + Reason: fmt.Errorf("error reading configmap name %s from annotation: %w", proxySetHeaderMap, err), + } + } + + if cns == "" { + cns = ing.Namespace + } + + secCfg := a.r.GetSecurityConfiguration() + // We don't accept different namespaces for secrets. + if !secCfg.AllowCrossNamespaceResources && cns != ing.Namespace { + return nil, ing_errors.LocationDeniedError{ + Reason: fmt.Errorf("cross namespace usage of secrets is not allowed"), + } } var proxySetHeaders map[string]string @@ -301,9 +466,15 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { proxySetHeaders = proxySetHeadersMapContents.Data } - requestRedirect, _ := parser.GetStringAnnotation("auth-request-redirect", ing) + requestRedirect, err := parser.GetStringAnnotation(authReqRequestRedirectAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return nil, fmt.Errorf("%s is invalid: %w", authReqRequestRedirectAnnotation, err) + } - alwaysSetCookie, _ := parser.GetBoolAnnotation("auth-always-set-cookie", ing) + alwaysSetCookie, err := parser.GetBoolAnnotation(authReqAlwaysSetCookieAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return nil, fmt.Errorf("%s is invalid: %w", authReqAlwaysSetCookieAnnotation, err) + } return &Config{ URL: urlString, @@ -317,6 +488,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { AuthCacheKey: authCacheKey, AuthCacheDuration: authCacheDuration, KeepaliveConnections: keepaliveConnections, + KeepaliveShareVars: keepaliveShareVars, KeepaliveRequests: keepaliveRequests, KeepaliveTimeout: keepaliveTimeout, ProxySetHeaders: proxySetHeaders, @@ -329,7 +501,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { // It will always return at least one duration (the default duration) func ParseStringToCacheDurations(input string) ([]string, error) { authCacheDuration := []string{} - if len(input) != 0 { + if input != "" { arr := strings.Split(input, ",") for _, duration := range arr { duration = strings.TrimSpace(duration) @@ -348,3 +520,12 @@ func ParseStringToCacheDurations(input string) ([]string, error) { } return authCacheDuration, nil } + +func (a authReq) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a authReq) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, authReqAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/authreq/main_test.go b/internal/ingress/annotations/authreq/main_test.go index e1325235b..c261795c6 100644 --- a/internal/ingress/annotations/authreq/main_test.go +++ b/internal/ingress/annotations/authreq/main_test.go @@ -17,7 +17,6 @@ limitations under the License. package authreq import ( - "fmt" "reflect" "testing" @@ -100,20 +99,20 @@ func TestAnnotations(t *testing.T) { {"no scheme", "bar", "bar", "", "", "", "", "", false, true}, {"invalid host", "http://", "http://", "", "", "", "", "", false, true}, {"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", "", "", "", "", false, true}, - {"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", "", "", "", "", false, false}, - {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "POST", "", "", "", false, false}, - {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "GET", "", "", "", false, false}, - {"valid URL - request redirect", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "GET", "http://foo.com/redirect-me", "", "", false, false}, - {"auth snippet", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "", "", "proxy_set_header My-Custom-Header 42;", "", false, false}, - {"auth cache ", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "", "", "", "$foo$bar", false, false}, - {"redirect param", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "origUrl", "", "", "", "", true, false}, + {"valid URL", "http://bar.foo.com/external-auth/auth?allowed_groups=snow-group,rain-group", "http://bar.foo.com/external-auth/start?rd=https://$host$escaped_request_uri", "", "", "", "", "", false, false}, + {"valid URL - send body", "http://foo.com/external-auth/auth?allowed_groups=snow-group,rain-group", "http://foo.com/external-auth/start?rd=https://$host$escaped_request_uri", "", "POST", "", "", "", false, false}, + {"valid URL - send body", "http://foo.com/external-auth/auth?allowed_groups=snow-group,rain-group", "http://foo.com/external-auth/start?rd=https://$host$escaped_request_uri", "", "GET", "", "", "", false, false}, + {"valid URL - request redirect", "http://foo.com/external-auth/auth?allowed_groups=snow-group,rain-group", "http://foo.com/external-auth/start?rd=https://$host$escaped_request_uri", "", "GET", "http://foo.com/redirect-me", "", "", false, false}, + {"auth snippet", "http://foo.com/external-auth/auth?allowed_groups=snow-group,rain-group", "http://foo.com/external-auth/start?rd=https://$host$escaped_request_uri", "", "", "", "proxy_set_header My-Custom-Header 42;", "", false, false}, + {"auth cache ", "http://foo.com/external-auth/auth?allowed_groups=snow-group,rain-group", "http://foo.com/external-auth/start?rd=https://$host$escaped_request_uri", "", "", "", "", "$foo$bar", false, false}, + {"redirect param", "http://bar.foo.com/external-auth/auth?allowed_groups=snow-group,rain-group", "http://bar.foo.com/external-auth/start?rd=https://$host$escaped_request_uri", "origUrl", "", "", "", "", true, false}, } for _, test := range tests { data[parser.GetAnnotationWithPrefix("auth-url")] = test.url data[parser.GetAnnotationWithPrefix("auth-signin")] = test.signinURL data[parser.GetAnnotationWithPrefix("auth-signin-redirect-param")] = test.signinURLRedirectParam - data[parser.GetAnnotationWithPrefix("auth-method")] = fmt.Sprintf("%v", test.method) + data[parser.GetAnnotationWithPrefix("auth-method")] = test.method data[parser.GetAnnotationWithPrefix("auth-request-redirect")] = test.requestRedirect data[parser.GetAnnotationWithPrefix("auth-snippet")] = test.authSnippet data[parser.GetAnnotationWithPrefix("auth-cache-key")] = test.authCacheKey @@ -192,11 +191,13 @@ func TestHeaderAnnotations(t *testing.T) { i, err := NewParser(&resolver.Mock{}).Parse(ing) if test.expErr { if err == nil { - t.Error("expected error but retuned nil") + t.Errorf("%v expected error but retuned nil", test.title) } continue } - + if err != nil { + t.Errorf("no error was expected but %v happened in %s", err, test.title) + } u, ok := i.(*Config) if !ok { t.Errorf("%v: expected an External type", test.title) @@ -266,28 +267,31 @@ func TestKeepaliveAnnotations(t *testing.T) { title string url string keepaliveConnections string + keepaliveShareVars string keepaliveRequests string keepaliveTimeout string expectedConnections int + expectedShareVars bool expectedRequests int expectedTimeout int }{ - {"all set", "http://goog.url", "5", "500", "50", 5, 500, 50}, - {"no annotation", "http://goog.url", "", "", "", defaultKeepaliveConnections, defaultKeepaliveRequests, defaultKeepaliveTimeout}, - {"default for connections", "http://goog.url", "x", "500", "50", defaultKeepaliveConnections, 500, 50}, - {"default for requests", "http://goog.url", "5", "x", "50", 5, defaultKeepaliveRequests, 50}, - {"default for invalid timeout", "http://goog.url", "5", "500", "x", 5, 500, defaultKeepaliveTimeout}, - {"variable in host", "http://$host:5000/a/b", "5", "", "", 0, defaultKeepaliveRequests, defaultKeepaliveTimeout}, - {"variable in path", "http://goog.url:5000/$path", "5", "", "", 5, defaultKeepaliveRequests, defaultKeepaliveTimeout}, - {"negative connections", "http://goog.url", "-2", "", "", 0, defaultKeepaliveRequests, defaultKeepaliveTimeout}, - {"negative requests", "http://goog.url", "5", "-1", "", 0, -1, defaultKeepaliveTimeout}, - {"negative timeout", "http://goog.url", "5", "", "-1", 0, defaultKeepaliveRequests, -1}, - {"negative request and timeout", "http://goog.url", "5", "-2", "-3", 0, -2, -3}, + {"all set", "http://goog.url", "5", "false", "500", "50", 5, false, 500, 50}, + {"no annotation", "http://goog.url", "", "", "", "", defaultKeepaliveConnections, defaultKeepaliveShareVars, defaultKeepaliveRequests, defaultKeepaliveTimeout}, + {"default for connections", "http://goog.url", "x", "true", "500", "50", defaultKeepaliveConnections, true, 500, 50}, + {"default for requests", "http://goog.url", "5", "x", "dummy", "50", 5, defaultKeepaliveShareVars, defaultKeepaliveRequests, 50}, + {"default for invalid timeout", "http://goog.url", "5", "t", "500", "x", 5, true, 500, defaultKeepaliveTimeout}, + {"variable in host", "http://$host:5000/a/b", "5", "1", "", "", 0, true, defaultKeepaliveRequests, defaultKeepaliveTimeout}, + {"variable in path", "http://goog.url:5000/$path", "5", "t", "", "", 5, true, defaultKeepaliveRequests, defaultKeepaliveTimeout}, + {"negative connections", "http://goog.url", "-2", "f", "", "", 0, false, defaultKeepaliveRequests, defaultKeepaliveTimeout}, + {"negative requests", "http://goog.url", "5", "True", "-1", "", 0, true, -1, defaultKeepaliveTimeout}, + {"negative timeout", "http://goog.url", "5", "0", "", "-1", 0, false, defaultKeepaliveRequests, -1}, + {"negative request and timeout", "http://goog.url", "5", "False", "-2", "-3", 0, false, -2, -3}, } for _, test := range tests { data[parser.GetAnnotationWithPrefix("auth-url")] = test.url data[parser.GetAnnotationWithPrefix("auth-keepalive")] = test.keepaliveConnections + data[parser.GetAnnotationWithPrefix("auth-keepalive-share-vars")] = test.keepaliveShareVars data[parser.GetAnnotationWithPrefix("auth-keepalive-timeout")] = test.keepaliveTimeout data[parser.GetAnnotationWithPrefix("auth-keepalive-requests")] = test.keepaliveRequests @@ -311,6 +315,10 @@ func TestKeepaliveAnnotations(t *testing.T) { t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.expectedConnections, u.KeepaliveConnections) } + if u.KeepaliveShareVars != test.expectedShareVars { + t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.expectedShareVars, u.KeepaliveShareVars) + } + if u.KeepaliveRequests != test.expectedRequests { t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.expectedRequests, u.KeepaliveRequests) } @@ -322,7 +330,6 @@ func TestKeepaliveAnnotations(t *testing.T) { } func TestParseStringToCacheDurations(t *testing.T) { - tests := []struct { title string duration string @@ -337,7 +344,6 @@ func TestParseStringToCacheDurations(t *testing.T) { } for _, test := range tests { - dur, err := ParseStringToCacheDurations(test.duration) if test.expErr { if err == nil { diff --git a/internal/ingress/annotations/authreqglobal/main.go b/internal/ingress/annotations/authreqglobal/main.go index 78dd7d6a5..e8a259047 100644 --- a/internal/ingress/annotations/authreqglobal/main.go +++ b/internal/ingress/annotations/authreqglobal/main.go @@ -23,23 +23,51 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + enableGlobalAuthAnnotation = "enable-global-auth" +) + +var globalAuthAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + enableGlobalAuthAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `Defines if the global external authentication should be enabled.`, + }, + }, +} + type authReqGlobal struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new authentication request annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return authReqGlobal{r} + return authReqGlobal{ + r: r, + annotationConfig: globalAuthAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress // rule used to enable or disable global external authentication func (a authReqGlobal) Parse(ing *networking.Ingress) (interface{}, error) { - - enableGlobalAuth, err := parser.GetBoolAnnotation("enable-global-auth", ing) + enableGlobalAuth, err := parser.GetBoolAnnotation(enableGlobalAuthAnnotation, ing, a.annotationConfig.Annotations) if err != nil { enableGlobalAuth = true } return enableGlobalAuth, nil } + +func (a authReqGlobal) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a authReqGlobal) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, globalAuthAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/authreqglobal/main_test.go b/internal/ingress/annotations/authreqglobal/main_test.go index 0313edcf5..734f97c0f 100644 --- a/internal/ingress/annotations/authreqglobal/main_test.go +++ b/internal/ingress/annotations/authreqglobal/main_test.go @@ -77,7 +77,10 @@ func TestAnnotation(t *testing.T) { data[parser.GetAnnotationWithPrefix("enable-global-auth")] = "false" ing.SetAnnotations(data) - i, _ := NewParser(&resolver.Mock{}).Parse(ing) + i, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } u, ok := i.(bool) if !ok { t.Errorf("expected a Config type") diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go index 2efd6d176..e288d82c9 100644 --- a/internal/ingress/annotations/authtls/main.go +++ b/internal/ingress/annotations/authtls/main.go @@ -18,11 +18,10 @@ package authtls import ( "fmt" + "regexp" networking "k8s.io/api/networking/v1" - "regexp" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" @@ -32,13 +31,62 @@ import ( const ( defaultAuthTLSDepth = 1 defaultAuthVerifyClient = "on" + + annotationAuthTLSSecret = "auth-tls-secret" //#nosec G101 + annotationAuthTLSVerifyClient = "auth-tls-verify-client" + annotationAuthTLSVerifyDepth = "auth-tls-verify-depth" + annotationAuthTLSErrorPage = "auth-tls-error-page" + annotationAuthTLSPassCertToUpstream = "auth-tls-pass-certificate-to-upstream" //#nosec G101 + annotationAuthTLSMatchCN = "auth-tls-match-cn" ) var ( authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`) - commonNameRegex = regexp.MustCompile(`CN=`) + redirectRegex = regexp.MustCompile(`^((https?://)?[A-Za-z0-9\-.]*(:\d+)?/[A-Za-z0-9\-.]*)?$`) ) +var authTLSAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + annotationAuthTLSSecret: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars + Documentation: `This annotation defines the secret that contains the certificate chain of allowed certs`, + }, + annotationAuthTLSVerifyClient: { + Validator: parser.ValidateRegex(authVerifyClientRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars + Documentation: `This annotation enables verification of client certificates. Can be "on", "off", "optional" or "optional_no_ca"`, + }, + annotationAuthTLSVerifyDepth: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines validation depth between the provided client certificate and the Certification Authority chain.`, + }, + annotationAuthTLSErrorPage: { + Validator: parser.ValidateRegex(redirectRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation defines the URL/Page that user should be redirected in case of a Certificate Authentication Error`, + }, + annotationAuthTLSPassCertToUpstream: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if the received certificates should be passed or not to the upstream server in the header "ssl-client-cert"`, + }, + annotationAuthTLSMatchCN: { + Validator: parser.CommonNameAnnotationValidator, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation adds a sanity check for the CN of the client certificate that is sent over using a string / regex starting with "CN="`, + }, + }, +} + // Config contains the AuthSSLCert used for mutual authentication // and the configured ValidationDepth type Config struct { @@ -79,12 +127,16 @@ func (assl1 *Config) Equal(assl2 *Config) bool { } // NewParser creates a new TLS authentication annotation parser -func NewParser(resolver resolver.Resolver) parser.IngressAnnotation { - return authTLS{resolver} +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return authTLS{ + r: r, + annotationConfig: authTLSAnnotations, + } } type authTLS struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Parse parses the annotations contained in the ingress @@ -93,47 +145,75 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - tlsauthsecret, err := parser.GetStringAnnotation("auth-tls-secret", ing) + tlsauthsecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing, a.annotationConfig.Annotations) if err != nil { return &Config{}, err } - _, _, err = k8s.ParseNameNS(tlsauthsecret) + ns, _, err := k8s.ParseNameNS(tlsauthsecret) if err != nil { return &Config{}, ing_errors.NewLocationDenied(err.Error()) } + if ns == "" { + ns = ing.Namespace + } + secCfg := a.r.GetSecurityConfiguration() + // We don't accept different namespaces for secrets. + if !secCfg.AllowCrossNamespaceResources && ns != ing.Namespace { + return &Config{}, ing_errors.NewLocationDenied("cross namespace secrets are not supported") + } authCert, err := a.r.GetAuthCertificate(tlsauthsecret) if err != nil { e := fmt.Errorf("error obtaining certificate: %w", err) - return &Config{}, ing_errors.LocationDenied{Reason: e} + return &Config{}, ing_errors.LocationDeniedError{Reason: e} } config.AuthSSLCert = *authCert - config.VerifyClient, err = parser.GetStringAnnotation("auth-tls-verify-client", ing) + config.VerifyClient, err = parser.GetStringAnnotation(annotationAuthTLSVerifyClient, ing, a.annotationConfig.Annotations) + // We can set a default value here in case of validation error if err != nil || !authVerifyClientRegex.MatchString(config.VerifyClient) { config.VerifyClient = defaultAuthVerifyClient } - config.ValidationDepth, err = parser.GetIntAnnotation("auth-tls-verify-depth", ing) + config.ValidationDepth, err = parser.GetIntAnnotation(annotationAuthTLSVerifyDepth, ing, a.annotationConfig.Annotations) + // We can set a default value here in case of validation error if err != nil || config.ValidationDepth == 0 { config.ValidationDepth = defaultAuthTLSDepth } - config.ErrorPage, err = parser.GetStringAnnotation("auth-tls-error-page", ing) + config.ErrorPage, err = parser.GetStringAnnotation(annotationAuthTLSErrorPage, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return &Config{}, err + } config.ErrorPage = "" } - config.PassCertToUpstream, err = parser.GetBoolAnnotation("auth-tls-pass-certificate-to-upstream", ing) + config.PassCertToUpstream, err = parser.GetBoolAnnotation(annotationAuthTLSPassCertToUpstream, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return &Config{}, err + } config.PassCertToUpstream = false } - config.MatchCN, err = parser.GetStringAnnotation("auth-tls-match-cn", ing) - if err != nil || !commonNameRegex.MatchString(config.MatchCN) { + config.MatchCN, err = parser.GetStringAnnotation(annotationAuthTLSMatchCN, ing, a.annotationConfig.Annotations) + if err != nil { + if ing_errors.IsValidationError(err) { + return &Config{}, err + } config.MatchCN = "" } return config, nil } + +func (a authTLS) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a authTLS) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, authTLSAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go index 569f3865b..0dd442e4f 100644 --- a/internal/ingress/annotations/authtls/main_test.go +++ b/internal/ingress/annotations/authtls/main_test.go @@ -27,6 +27,11 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + defaultDemoSecret = "default/demo-secret" + off = "off" +) + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -77,23 +82,22 @@ type mockSecret struct { // GetAuthCertificate from mockSecret mocks the GetAuthCertificate for authTLS func (m mockSecret) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error) { - if name != "default/demo-secret" { + if name != defaultDemoSecret { return nil, errors.Errorf("there is no secret with name %v", name) } return &resolver.AuthSSLCert{ - Secret: "default/demo-secret", + Secret: defaultDemoSecret, CAFileName: "/ssl/ca.crt", CASHA: "abc", }, nil - } func TestAnnotations(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("auth-tls-secret")] = "default/demo-secret" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = defaultDemoSecret ing.SetAnnotations(data) @@ -108,7 +112,7 @@ func TestAnnotations(t *testing.T) { t.Errorf("expected *Config but got %v", u) } - secret, err := fakeSecret.GetAuthCertificate("default/demo-secret") + secret, err := fakeSecret.GetAuthCertificate(defaultDemoSecret) if err != nil { t.Errorf("unexpected error getting secret %v", err) } @@ -132,11 +136,11 @@ func TestAnnotations(t *testing.T) { t.Errorf("expected empty string, but got %v", u.MatchCN) } - data[parser.GetAnnotationWithPrefix("auth-tls-verify-client")] = "off" - data[parser.GetAnnotationWithPrefix("auth-tls-verify-depth")] = "2" - data[parser.GetAnnotationWithPrefix("auth-tls-error-page")] = "ok.com/error" - data[parser.GetAnnotationWithPrefix("auth-tls-pass-certificate-to-upstream")] = "true" - data[parser.GetAnnotationWithPrefix("auth-tls-match-cn")] = "CN=hello-app" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyClient)] = off + data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyDepth)] = "2" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSErrorPage)] = "ok.com/error" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSPassCertToUpstream)] = "true" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSMatchCN)] = "CN=(hello-app|ok|goodbye)" ing.SetAnnotations(data) @@ -153,8 +157,8 @@ func TestAnnotations(t *testing.T) { if u.AuthSSLCert.Secret != secret.Secret { t.Errorf("expected %v but got %v", secret.Secret, u.AuthSSLCert.Secret) } - if u.VerifyClient != "off" { - t.Errorf("expected %v but got %v", "off", u.VerifyClient) + if u.VerifyClient != off { + t.Errorf("expected %v but got %v", off, u.VerifyClient) } if u.ValidationDepth != 2 { t.Errorf("expected %v but got %v", 2, u.ValidationDepth) @@ -165,8 +169,8 @@ func TestAnnotations(t *testing.T) { if u.PassCertToUpstream != true { t.Errorf("expected %v but got %v", true, u.PassCertToUpstream) } - if u.MatchCN != "CN=hello-app" { - t.Errorf("expected %v but got %v", "CN=hello-app", u.MatchCN) + if u.MatchCN != "CN=(hello-app|ok|goodbye)" { + t.Errorf("expected %v but got %v", "CN=(hello-app|ok|goodbye)", u.MatchCN) } } @@ -182,15 +186,24 @@ func TestInvalidAnnotations(t *testing.T) { } // Invalid NameSpace - data[parser.GetAnnotationWithPrefix("auth-tls-secret")] = "demo-secret" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "demo-secret" ing.SetAnnotations(data) _, err = NewParser(fakeSecret).Parse(ing) if err == nil { t.Errorf("Expected error with ingress but got nil") } + // Invalid Cross NameSpace + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "nondefault/demo-secret" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + expErr := errors.NewLocationDenied("cross namespace secrets are not supported") + if err.Error() != expErr.Error() { + t.Errorf("received error is different from cross namespace error: %s Expected %s", err, expErr) + } + // Invalid Auth Certificate - data[parser.GetAnnotationWithPrefix("auth-tls-secret")] = "default/invalid-demo-secret" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "default/invalid-demo-secret" ing.SetAnnotations(data) _, err = NewParser(fakeSecret).Parse(ing) if err == nil { @@ -198,11 +211,38 @@ func TestInvalidAnnotations(t *testing.T) { } // Invalid optional Annotations - data[parser.GetAnnotationWithPrefix("auth-tls-secret")] = "default/demo-secret" - data[parser.GetAnnotationWithPrefix("auth-tls-verify-client")] = "w00t" - data[parser.GetAnnotationWithPrefix("auth-tls-verify-depth")] = "abcd" - data[parser.GetAnnotationWithPrefix("auth-tls-pass-certificate-to-upstream")] = "nahh" - data[parser.GetAnnotationWithPrefix("auth-tls-match-cn")] = "" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "default/demo-secret" + + data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyClient)] = "w00t" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + if err != nil { + t.Errorf("Error should be nil and verify client should be defaulted") + } + + data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyDepth)] = "abcd" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + if err != nil { + t.Errorf("Error should be nil and verify depth should be defaulted") + } + + data[parser.GetAnnotationWithPrefix(annotationAuthTLSPassCertToUpstream)] = "nahh" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + if err == nil { + t.Errorf("Expected error with ingress but got nil") + } + delete(data, parser.GetAnnotationWithPrefix(annotationAuthTLSPassCertToUpstream)) + + data[parser.GetAnnotationWithPrefix(annotationAuthTLSMatchCN)] = "" + ing.SetAnnotations(data) + _, err = NewParser(fakeSecret).Parse(ing) + if err == nil { + t.Errorf("Expected error with ingress CN but got nil") + } + delete(data, parser.GetAnnotationWithPrefix(annotationAuthTLSMatchCN)) + ing.SetAnnotations(data) i, err := NewParser(fakeSecret).Parse(ing) @@ -226,28 +266,21 @@ func TestInvalidAnnotations(t *testing.T) { if u.MatchCN != "" { t.Errorf("expected empty string but got %v", u.MatchCN) } - } func TestEquals(t *testing.T) { cfg1 := &Config{} cfg2 := &Config{} - // Same config - result := cfg1.Equal(cfg1) - if result != true { - t.Errorf("Expected true") - } - // compare nil - result = cfg1.Equal(nil) + result := cfg1.Equal(nil) if result != false { t.Errorf("Expected false") } // Different Certs sslCert1 := resolver.AuthSSLCert{ - Secret: "default/demo-secret", + Secret: defaultDemoSecret, CAFileName: "/ssl/ca.crt", CASHA: "abc", } @@ -266,7 +299,7 @@ func TestEquals(t *testing.T) { // Different Verify Client cfg1.VerifyClient = "on" - cfg2.VerifyClient = "off" + cfg2.VerifyClient = off result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") diff --git a/internal/ingress/annotations/backendprotocol/main.go b/internal/ingress/annotations/backendprotocol/main.go index d8ea72386..62674c4e5 100644 --- a/internal/ingress/annotations/backendprotocol/main.go +++ b/internal/ingress/annotations/backendprotocol/main.go @@ -17,49 +17,70 @@ limitations under the License. package backendprotocol import ( - "regexp" - "strings" - networking "k8s.io/api/networking/v1" "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) -// HTTP protocol -const HTTP = "HTTP" +var validProtocols = []string{"auto_http", "http", "https", "grpc", "grpcs", "fcgi"} -var ( - validProtocols = regexp.MustCompile(`^(AUTO_HTTP|HTTP|HTTPS|AJP|GRPC|GRPCS|FCGI)$`) +const ( + http = "HTTP" + backendProtocolAnnotation = "backend-protocol" ) +var backendProtocolConfig = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + backendProtocolAnnotation: { + Validator: parser.ValidateOptions(validProtocols, false, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `this annotation can be used to define which protocol should + be used to communicate with backends`, + }, + }, +} + type backendProtocol struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new backend protocol annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return backendProtocol{r} + return backendProtocol{ + r: r, + annotationConfig: backendProtocolConfig, + } +} + +func (a backendProtocol) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations } // ParseAnnotations parses the annotations contained in the ingress // rule used to indicate the backend protocol. func (a backendProtocol) Parse(ing *networking.Ingress) (interface{}, error) { if ing.GetAnnotations() == nil { - return HTTP, nil + return http, nil } - proto, err := parser.GetStringAnnotation("backend-protocol", ing) + proto, err := parser.GetStringAnnotation(backendProtocolAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - return HTTP, nil - } - - proto = strings.TrimSpace(strings.ToUpper(proto)) - if !validProtocols.MatchString(proto) { - klog.Warningf("Protocol %v is not a valid value for the backend-protocol annotation. Using HTTP as protocol", proto) - return HTTP, nil + if errors.IsValidationError(err) { + klog.Warningf("validation error %s. Using HTTP as protocol", err) + } + return http, nil } return proto, nil } + +func (a backendProtocol) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, backendProtocolConfig.Annotations) +} diff --git a/internal/ingress/annotations/backendprotocol/main_test.go b/internal/ingress/annotations/backendprotocol/main_test.go index e8c018998..cb1ec779f 100644 --- a/internal/ingress/annotations/backendprotocol/main_test.go +++ b/internal/ingress/annotations/backendprotocol/main_test.go @@ -44,6 +44,7 @@ func buildIngress() *networking.Ingress { }, } } + func TestParseInvalidAnnotations(t *testing.T) { ing := buildIngress() @@ -56,7 +57,7 @@ func TestParseInvalidAnnotations(t *testing.T) { if !ok { t.Errorf("expected a string type") } - if val != "HTTP" { + if val != http { t.Errorf("expected HTTPS but %v returned", val) } @@ -72,12 +73,12 @@ func TestParseInvalidAnnotations(t *testing.T) { if !ok { t.Errorf("expected a string type") } - if val != "HTTP" { + if val != http { t.Errorf("expected HTTPS but %v returned", val) } // Test invalid annotation set - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "INVALID" + data[parser.GetAnnotationWithPrefix(backendProtocolAnnotation)] = "INVALID" ing.SetAnnotations(data) i, err = NewParser(&resolver.Mock{}).Parse(ing) @@ -88,7 +89,7 @@ func TestParseInvalidAnnotations(t *testing.T) { if !ok { t.Errorf("expected a string type") } - if val != "HTTP" { + if val != http { t.Errorf("expected HTTPS but %v returned", val) } } @@ -97,7 +98,7 @@ func TestParseAnnotations(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" + data[parser.GetAnnotationWithPrefix(backendProtocolAnnotation)] = " HTTPS " ing.SetAnnotations(data) i, err := NewParser(&resolver.Mock{}).Parse(ing) diff --git a/internal/ingress/annotations/canary/main.go b/internal/ingress/annotations/canary/main.go index d9e53b3b8..be5761675 100644 --- a/internal/ingress/annotations/canary/main.go +++ b/internal/ingress/annotations/canary/main.go @@ -18,14 +18,82 @@ package canary import ( networking "k8s.io/api/networking/v1" + "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + canaryAnnotation = "canary" + canaryWeightAnnotation = "canary-weight" + canaryWeightTotalAnnotation = "canary-weight-total" + canaryByHeaderAnnotation = "canary-by-header" + canaryByHeaderValueAnnotation = "canary-by-header-value" + canaryByHeaderPatternAnnotation = "canary-by-header-pattern" + canaryByCookieAnnotation = "canary-by-cookie" +) + +var CanaryAnnotations = parser.Annotation{ + Group: "canary", + Annotations: parser.AnnotationFields{ + canaryAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables the Ingress spec to act as an alternative service for requests to route to depending on the rules applied`, + }, + canaryWeightAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the integer based (0 - ) percent of random requests that should be routed to the service specified in the canary Ingress`, + }, + canaryWeightTotalAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation The total weight of traffic. If unspecified, it defaults to 100`, + }, + canaryByHeaderAnnotation: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the header that should be used for notifying the Ingress to route the request to the service specified in the Canary Ingress. + When the request header is set to 'always', it will be routed to the canary. When the header is set to 'never', it will never be routed to the canary. + For any other value, the header will be ignored and the request compared against the other canary rules by precedence`, + }, + canaryByHeaderValueAnnotation: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the header value to match for notifying the Ingress to route the request to the service specified in the Canary Ingress. + When the request header is set to this value, it will be routed to the canary. For any other header value, the header will be ignored and the request compared against the other canary rules by precedence. + This annotation has to be used together with 'canary-by-header'. The annotation is an extension of the 'canary-by-header' to allow customizing the header value instead of using hardcoded values. + It doesn't have any effect if the 'canary-by-header' annotation is not defined`, + }, + canaryByHeaderPatternAnnotation: { + Validator: parser.ValidateRegex(parser.IsValidRegex, false), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation works the same way as canary-by-header-value except it does PCRE Regex matching. + Note that when 'canary-by-header-value' is set this annotation will be ignored. + When the given Regex causes error during request processing, the request will be considered as not matching.`, + }, + canaryByCookieAnnotation: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the cookie that should be used for notifying the Ingress to route the request to the service specified in the Canary Ingress. + When the cookie is set to 'always', it will be routed to the canary. When the cookie is set to 'never', it will never be routed to the canary`, + }, + }, +} + type canary struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config returns the configuration rules for setting up the Canary @@ -41,7 +109,10 @@ type Config struct { // NewParser parses the ingress for canary related annotations func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return canary{r} + return canary{ + r: r, + annotationConfig: CanaryAnnotations, + } } // Parse parses the annotations contained in the ingress @@ -50,45 +121,75 @@ func (c canary) Parse(ing *networking.Ingress) (interface{}, error) { config := &Config{} var err error - config.Enabled, err = parser.GetBoolAnnotation("canary", ing) + config.Enabled, err = parser.GetBoolAnnotation(canaryAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to 'false'", canaryAnnotation) + } config.Enabled = false } - config.Weight, err = parser.GetIntAnnotation("canary-weight", ing) + config.Weight, err = parser.GetIntAnnotation(canaryWeightAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to '0'", canaryWeightAnnotation) + } config.Weight = 0 } - config.WeightTotal, err = parser.GetIntAnnotation("canary-weight-total", ing) + config.WeightTotal, err = parser.GetIntAnnotation(canaryWeightTotalAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to '100'", canaryWeightTotalAnnotation) + } config.WeightTotal = 100 } - config.Header, err = parser.GetStringAnnotation("canary-by-header", ing) + config.Header, err = parser.GetStringAnnotation(canaryByHeaderAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to ''", canaryByHeaderAnnotation) + } config.Header = "" } - config.HeaderValue, err = parser.GetStringAnnotation("canary-by-header-value", ing) + config.HeaderValue, err = parser.GetStringAnnotation(canaryByHeaderValueAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to ''", canaryByHeaderValueAnnotation) + } config.HeaderValue = "" } - config.HeaderPattern, err = parser.GetStringAnnotation("canary-by-header-pattern", ing) + config.HeaderPattern, err = parser.GetStringAnnotation(canaryByHeaderPatternAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to ''", canaryByHeaderPatternAnnotation) + } config.HeaderPattern = "" } - config.Cookie, err = parser.GetStringAnnotation("canary-by-cookie", ing) + config.Cookie, err = parser.GetStringAnnotation(canaryByCookieAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%s is invalid, defaulting to ''", canaryByCookieAnnotation) + } config.Cookie = "" } if !config.Enabled && (config.Weight > 0 || len(config.Header) > 0 || len(config.HeaderValue) > 0 || len(config.Cookie) > 0 || len(config.HeaderPattern) > 0) { - return nil, errors.NewInvalidAnnotationConfiguration("canary", "configured but not enabled") + return nil, errors.NewInvalidAnnotationConfiguration(canaryAnnotation, "configured but not enabled") } return config, nil } + +func (c canary) GetDocumentation() parser.AnnotationFields { + return c.annotationConfig.Annotations +} + +func (c canary) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(c.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, CanaryAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/canary/main_test.go b/internal/ingress/annotations/canary/main_test.go index ddfc0a9c4..1787ddb85 100644 --- a/internal/ingress/annotations/canary/main_test.go +++ b/internal/ingress/annotations/canary/main_test.go @@ -17,6 +17,7 @@ limitations under the License. package canary import ( + "strconv" "testing" api "k8s.io/api/core/v1" @@ -24,8 +25,6 @@ import ( metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "strconv" - "k8s.io/ingress-nginx/internal/ingress/resolver" ) @@ -93,7 +92,6 @@ func TestCanaryInvalid(t *testing.T) { if val.Weight != 0 { t.Errorf("Expected %v but got %v", 0, val.Weight) } - } func TestAnnotations(t *testing.T) { @@ -133,10 +131,9 @@ func TestAnnotations(t *testing.T) { } continue - } else { - if err != nil { - t.Errorf("%v: expected nil but returned error %v", test.title, err) - } + } + if err != nil { + t.Errorf("%v: expected nil but returned error %v", test.title, err) } canaryConfig, ok := i.(*Config) diff --git a/internal/ingress/annotations/clientbodybuffersize/main.go b/internal/ingress/annotations/clientbodybuffersize/main.go index 9020ee594..c0fa79713 100644 --- a/internal/ingress/annotations/clientbodybuffersize/main.go +++ b/internal/ingress/annotations/clientbodybuffersize/main.go @@ -23,17 +23,49 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + clientBodyBufferSizeAnnotation = "client-body-buffer-size" +) + +var clientBodyBufferSizeConfig = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + clientBodyBufferSizeAnnotation: { + Validator: parser.ValidateRegex(parser.SizeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Sets buffer size for reading client request body per location. + In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. + By default, buffer size is equal to two memory pages. This is 8K on x86, other 32-bit platforms, and x86-64. + It is usually 16K on other 64-bit platforms. This annotation is applied to each location provided in the ingress rule.`, + }, + }, +} + type clientBodyBufferSize struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new clientBodyBufferSize annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return clientBodyBufferSize{r} + return clientBodyBufferSize{ + r: r, + annotationConfig: clientBodyBufferSizeConfig, + } +} + +func (cbbs clientBodyBufferSize) GetDocumentation() parser.AnnotationFields { + return cbbs.annotationConfig.Annotations } // Parse parses the annotations contained in the ingress rule // used to add an client-body-buffer-size to the provided locations func (cbbs clientBodyBufferSize) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("client-body-buffer-size", ing) + return parser.GetStringAnnotation(clientBodyBufferSizeAnnotation, ing, cbbs.annotationConfig.Annotations) +} + +func (cbbs clientBodyBufferSize) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(cbbs.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, clientBodyBufferSizeConfig.Annotations) } diff --git a/internal/ingress/annotations/clientbodybuffersize/main_test.go b/internal/ingress/annotations/clientbodybuffersize/main_test.go index 9932f8314..62257aeb9 100644 --- a/internal/ingress/annotations/clientbodybuffersize/main_test.go +++ b/internal/ingress/annotations/clientbodybuffersize/main_test.go @@ -39,6 +39,9 @@ func TestParse(t *testing.T) { }{ {map[string]string{annotation: "8k"}, "8k"}, {map[string]string{annotation: "16k"}, "16k"}, + {map[string]string{annotation: "10000"}, "10000"}, + {map[string]string{annotation: "16R"}, ""}, + {map[string]string{annotation: "16kkk"}, ""}, {map[string]string{annotation: ""}, ""}, {map[string]string{}, ""}, {nil, ""}, @@ -54,6 +57,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/connection/main.go b/internal/ingress/annotations/connection/main.go index e9b0c1865..b0242ac23 100644 --- a/internal/ingress/annotations/connection/main.go +++ b/internal/ingress/annotations/connection/main.go @@ -17,12 +17,32 @@ limitations under the License. package connection import ( + "regexp" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + connectionProxyHeaderAnnotation = "connection-proxy-header" +) + +var validConnectionHeaderValue = regexp.MustCompile(`^(close|keep-alive)$`) + +var connectionHeadersAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + connectionProxyHeaderAnnotation: { + Validator: parser.ValidateRegex(validConnectionHeaderValue, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting a specific value for "proxy_set_header Connection" directive. Right now it is restricted to "close" or "keep-alive"`, + }, + }, +} + // Config returns the connection header configuration for an Ingress rule type Config struct { Header string `json:"header"` @@ -30,18 +50,22 @@ type Config struct { } type connection struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new port in redirect annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return connection{r} + return connection{ + r: r, + annotationConfig: connectionHeadersAnnotations, + } } // Parse parses the annotations contained in the ingress // rule used to indicate if the connection header should be overridden. func (a connection) Parse(ing *networking.Ingress) (interface{}, error) { - cp, err := parser.GetStringAnnotation("connection-proxy-header", ing) + cp, err := parser.GetStringAnnotation(connectionProxyHeaderAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return &Config{ Enabled: false, @@ -70,3 +94,12 @@ func (r1 *Config) Equal(r2 *Config) bool { return true } + +func (a connection) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a connection) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, connectionHeadersAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/connection/main_test.go b/internal/ingress/annotations/connection/main_test.go index 011a2948c..1b9361f31 100644 --- a/internal/ingress/annotations/connection/main_test.go +++ b/internal/ingress/annotations/connection/main_test.go @@ -37,10 +37,12 @@ func TestParse(t *testing.T) { testCases := []struct { annotations map[string]string expected *Config + expectErr bool }{ - {map[string]string{annotation: "keep-alive"}, &Config{Enabled: true, Header: "keep-alive"}}, - {map[string]string{}, &Config{Enabled: false}}, - {nil, &Config{Enabled: false}}, + {map[string]string{annotation: "keep-alive"}, &Config{Enabled: true, Header: "keep-alive"}, false}, + {map[string]string{annotation: "not-allowed-value"}, &Config{Enabled: false}, true}, + {map[string]string{}, &Config{Enabled: false}, true}, + {nil, &Config{Enabled: false}, true}, } ing := &networking.Ingress{ @@ -53,9 +55,14 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - i, _ := ap.Parse(ing) - p, _ := i.(*Config) - + i, err := ap.Parse(ing) + if (err != nil) != testCase.expectErr { + t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations) + } + p, ok := i.(*Config) + if !ok { + t.Fatalf("expected a Config type") + } if !p.Equal(testCase.expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, p, testCase.annotations) } diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go index 3888f2909..d6e92b34d 100644 --- a/internal/ingress/annotations/cors/main.go +++ b/internal/ingress/annotations/cors/main.go @@ -24,6 +24,7 @@ import ( "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) @@ -38,20 +39,87 @@ var ( // Regex are defined here to prevent information leak, if user tries to set anything not valid // that could cause the Response to contain some internal value/variable (like returning $pid, $upstream_addr, etc) // Origin must contain a http/s Origin (including or not the port) or the value '*' - corsOriginRegex = regexp.MustCompile(`^(https?://(\*\.)?[A-Za-z0-9\-\.]*(:[0-9]+)?|\*)?$`) + // This Regex is composed of the following: + // * Sets a group that can be (https?://)?*?.something.com:port? + // * Allows this to be repeated as much as possible, and separated by comma + // Otherwise it should be '*' + corsOriginRegexValidator = regexp.MustCompile(`^((((https?://)?(\*\.)?[A-Za-z0-9\-.]*(:\d+)?,?)+)|\*)?$`) + // corsOriginRegex defines the regex for validation inside Parse + corsOriginRegex = regexp.MustCompile(`^(https?://(\*\.)?[A-Za-z0-9\-.]*(:\d+)?|\*)?$`) // Method must contain valid methods list (PUT, GET, POST, BLA) // May contain or not spaces between each verb corsMethodsRegex = regexp.MustCompile(`^([A-Za-z]+,?\s?)+$`) - // Headers must contain valid values only (X-HEADER12, X-ABC) - // May contain or not spaces between each Header - corsHeadersRegex = regexp.MustCompile(`^([A-Za-z0-9\-\_]+,?\s?)+$`) // Expose Headers must contain valid values only (*, X-HEADER12, X-ABC) // May contain or not spaces between each Header corsExposeHeadersRegex = regexp.MustCompile(`^(([A-Za-z0-9\-\_]+|\*),?\s?)+$`) ) +const ( + corsEnableAnnotation = "enable-cors" + corsAllowOriginAnnotation = "cors-allow-origin" + corsAllowHeadersAnnotation = "cors-allow-headers" + corsAllowMethodsAnnotation = "cors-allow-methods" + corsAllowCredentialsAnnotation = "cors-allow-credentials" //#nosec G101 + corsExposeHeadersAnnotation = "cors-expose-headers" + corsMaxAgeAnnotation = "cors-max-age" +) + +var corsAnnotation = parser.Annotation{ + Group: "cors", + Annotations: parser.AnnotationFields{ + corsEnableAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables Cross-Origin Resource Sharing (CORS) in an Ingress rule`, + }, + corsAllowOriginAnnotation: { + Validator: parser.ValidateRegex(corsOriginRegexValidator, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation controls what's the accepted Origin for CORS. + This is a multi-valued field, separated by ','. It must follow this format: http(s)://origin-site.com or http(s)://origin-site.com:port + It also supports single level wildcard subdomains and follows this format: http(s)://*.foo.bar, http(s)://*.bar.foo:8080 or http(s)://*.abc.bar.foo:9000`, + }, + corsAllowHeadersAnnotation: { + Validator: parser.ValidateRegex(parser.HeadersVariable, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation controls which headers are accepted. + This is a multi-valued field, separated by ',' and accepts letters, numbers, _ and -`, + }, + corsAllowMethodsAnnotation: { + Validator: parser.ValidateRegex(corsMethodsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation controls which methods are accepted. + This is a multi-valued field, separated by ',' and accepts only letters (upper and lower case)`, + }, + corsAllowCredentialsAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation controls if credentials can be passed during CORS operations.`, + }, + corsExposeHeadersAnnotation: { + Validator: parser.ValidateRegex(corsExposeHeadersRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation controls which headers are exposed to response. + This is a multi-valued field, separated by ',' and accepts letters, numbers, _, - and *.`, + }, + corsMaxAgeAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation controls how long, in seconds, preflight requests can be cached.`, + }, + }, +} + type cors struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the Cors configuration to be used in the Ingress @@ -67,7 +135,10 @@ type Config struct { // NewParser creates a new CORS annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return cors{r} + return cors{ + r: r, + annotationConfig: corsAnnotation, + } } // Equal tests for equality between two External types @@ -116,17 +187,24 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - config.CorsEnabled, err = parser.GetBoolAnnotation("enable-cors", ing) + config.CorsEnabled, err = parser.GetBoolAnnotation(corsEnableAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("enable-cors is invalid, defaulting to 'false'") + } config.CorsEnabled = false } config.CorsAllowOrigin = []string{} - unparsedOrigins, err := parser.GetStringAnnotation("cors-allow-origin", ing) + unparsedOrigins, err := parser.GetStringAnnotation(corsAllowOriginAnnotation, ing, c.annotationConfig.Annotations) if err == nil { origins := strings.Split(unparsedOrigins, ",") for _, origin := range origins { origin = strings.TrimSpace(origin) + if origin == "" { + continue + } + if origin == "*" { config.CorsAllowOrigin = []string{"*"} break @@ -140,33 +218,53 @@ func (c cors) Parse(ing *networking.Ingress) (interface{}, error) { klog.Infof("Current config.corsAllowOrigin %v", config.CorsAllowOrigin) } } else { + if errors.IsValidationError(err) { + klog.Warningf("cors-allow-origin is invalid, defaulting to '*'") + } config.CorsAllowOrigin = []string{"*"} } - config.CorsAllowHeaders, err = parser.GetStringAnnotation("cors-allow-headers", ing) - if err != nil || !corsHeadersRegex.MatchString(config.CorsAllowHeaders) { + config.CorsAllowHeaders, err = parser.GetStringAnnotation(corsAllowHeadersAnnotation, ing, c.annotationConfig.Annotations) + if err != nil || !parser.HeadersVariable.MatchString(config.CorsAllowHeaders) { config.CorsAllowHeaders = defaultCorsHeaders } - config.CorsAllowMethods, err = parser.GetStringAnnotation("cors-allow-methods", ing) + config.CorsAllowMethods, err = parser.GetStringAnnotation(corsAllowMethodsAnnotation, ing, c.annotationConfig.Annotations) if err != nil || !corsMethodsRegex.MatchString(config.CorsAllowMethods) { config.CorsAllowMethods = defaultCorsMethods } - config.CorsAllowCredentials, err = parser.GetBoolAnnotation("cors-allow-credentials", ing) + config.CorsAllowCredentials, err = parser.GetBoolAnnotation(corsAllowCredentialsAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + if errors.IsValidationError(err) { + klog.Warningf("cors-allow-credentials is invalid, defaulting to 'true'") + } + } config.CorsAllowCredentials = true } - config.CorsExposeHeaders, err = parser.GetStringAnnotation("cors-expose-headers", ing) + config.CorsExposeHeaders, err = parser.GetStringAnnotation(corsExposeHeadersAnnotation, ing, c.annotationConfig.Annotations) if err != nil || !corsExposeHeadersRegex.MatchString(config.CorsExposeHeaders) { config.CorsExposeHeaders = "" } - config.CorsMaxAge, err = parser.GetIntAnnotation("cors-max-age", ing) + config.CorsMaxAge, err = parser.GetIntAnnotation(corsMaxAgeAnnotation, ing, c.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("cors-max-age is invalid, defaulting to %d", defaultCorsMaxAge) + } config.CorsMaxAge = defaultCorsMaxAge } return config, nil } + +func (c cors) GetDocumentation() parser.AnnotationFields { + return c.annotationConfig.Annotations +} + +func (c cors) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(c.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, corsAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/cors/main_test.go b/internal/ingress/annotations/cors/main_test.go index 086a59d89..a69390a17 100644 --- a/internal/ingress/annotations/cors/main_test.go +++ b/internal/ingress/annotations/cors/main_test.go @@ -17,6 +17,7 @@ limitations under the License. package cors import ( + "reflect" "testing" api "k8s.io/api/core/v1" @@ -75,13 +76,13 @@ func TestIngressCorsConfigValid(t *testing.T) { data := map[string]string{} // Valid - data[parser.GetAnnotationWithPrefix("enable-cors")] = "true" - data[parser.GetAnnotationWithPrefix("cors-allow-headers")] = "DNT,X-CustomHeader, Keep-Alive,User-Agent" - data[parser.GetAnnotationWithPrefix("cors-allow-credentials")] = "false" - data[parser.GetAnnotationWithPrefix("cors-allow-methods")] = "GET, PATCH" - data[parser.GetAnnotationWithPrefix("cors-allow-origin")] = "https://origin123.test.com:4443" - data[parser.GetAnnotationWithPrefix("cors-expose-headers")] = "*, X-CustomResponseHeader" - data[parser.GetAnnotationWithPrefix("cors-max-age")] = "600" + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)] = "DNT,X-CustomHeader, Keep-Alive,User-Agent" + data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)] = "false" + data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)] = "GET, PATCH" + data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443" + data[parser.GetAnnotationWithPrefix(corsExposeHeadersAnnotation)] = "*, X-CustomResponseHeader" + data[parser.GetAnnotationWithPrefix(corsMaxAgeAnnotation)] = "600" ing.SetAnnotations(data) corst, err := NewParser(&resolver.Mock{}).Parse(ing) @@ -95,31 +96,31 @@ func TestIngressCorsConfigValid(t *testing.T) { } if !nginxCors.CorsEnabled { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("enable-cors")], nginxCors.CorsEnabled) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)], nginxCors.CorsEnabled) } if nginxCors.CorsAllowCredentials { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-credentials")], nginxCors.CorsAllowCredentials) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)], nginxCors.CorsAllowCredentials) } if nginxCors.CorsAllowHeaders != "DNT,X-CustomHeader, Keep-Alive,User-Agent" { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-headers")], nginxCors.CorsAllowHeaders) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)], nginxCors.CorsAllowHeaders) } if nginxCors.CorsAllowMethods != "GET, PATCH" { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-methods")], nginxCors.CorsAllowMethods) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)], nginxCors.CorsAllowMethods) } if nginxCors.CorsAllowOrigin[0] != "https://origin123.test.com:4443" { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-allow-origin")], nginxCors.CorsAllowOrigin) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)], nginxCors.CorsAllowOrigin) } if nginxCors.CorsExposeHeaders != "*, X-CustomResponseHeader" { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-expose-headers")], nginxCors.CorsExposeHeaders) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsExposeHeadersAnnotation)], nginxCors.CorsExposeHeaders) } if nginxCors.CorsMaxAge != 600 { - t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix("cors-max-age")], nginxCors.CorsMaxAge) + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsMaxAgeAnnotation)], nginxCors.CorsMaxAge) } } @@ -129,13 +130,13 @@ func TestIngressCorsConfigInvalid(t *testing.T) { data := map[string]string{} // Valid - data[parser.GetAnnotationWithPrefix("enable-cors")] = "yes" - data[parser.GetAnnotationWithPrefix("cors-allow-headers")] = "@alright, #ingress" - data[parser.GetAnnotationWithPrefix("cors-allow-credentials")] = "no" - data[parser.GetAnnotationWithPrefix("cors-allow-methods")] = "GET, PATCH, $nginx" - data[parser.GetAnnotationWithPrefix("cors-allow-origin")] = "origin123.test.com:4443" - data[parser.GetAnnotationWithPrefix("cors-expose-headers")] = "@alright, #ingress" - data[parser.GetAnnotationWithPrefix("cors-max-age")] = "abcd" + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "yes" + data[parser.GetAnnotationWithPrefix(corsAllowHeadersAnnotation)] = "@alright, #ingress" + data[parser.GetAnnotationWithPrefix(corsAllowCredentialsAnnotation)] = "no" + data[parser.GetAnnotationWithPrefix(corsAllowMethodsAnnotation)] = "GET, PATCH, $nginx" + data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "origin123.test.com:4443" + data[parser.GetAnnotationWithPrefix(corsExposeHeadersAnnotation)] = "@alright, #ingress" + data[parser.GetAnnotationWithPrefix(corsMaxAgeAnnotation)] = "abcd" ing.SetAnnotations(data) corst, err := NewParser(&resolver.Mock{}).Parse(ing) @@ -172,3 +173,33 @@ func TestIngressCorsConfigInvalid(t *testing.T) { t.Errorf("expected %v but returned %v", defaultCorsMaxAge, nginxCors.CorsMaxAge) } } + +func TestIngresCorsConfigAllowOriginWithTrailingComma(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)] = "true" + + // Include a trailing comma and an empty value between the commas. + data[parser.GetAnnotationWithPrefix(corsAllowOriginAnnotation)] = "https://origin123.test.com:4443, ,https://origin321.test.com:4443," + ing.SetAnnotations(data) + + corst, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("error parsing annotations: %v", err) + } + + nginxCors, ok := corst.(*Config) + if !ok { + t.Errorf("expected a Config type but returned %t", corst) + } + + if !nginxCors.CorsEnabled { + t.Errorf("expected %v but returned %v", data[parser.GetAnnotationWithPrefix(corsEnableAnnotation)], nginxCors.CorsEnabled) + } + + expectedCorsAllowOrigins := []string{"https://origin123.test.com:4443", "https://origin321.test.com:4443"} + if !reflect.DeepEqual(nginxCors.CorsAllowOrigin, expectedCorsAllowOrigins) { + t.Errorf("expected %v but returned %v", expectedCorsAllowOrigins, nginxCors.CorsAllowOrigin) + } +} diff --git a/internal/ingress/annotations/customhttperrors/main.go b/internal/ingress/annotations/customhttperrors/main.go index a05fb16c8..f3c72a22f 100644 --- a/internal/ingress/annotations/customhttperrors/main.go +++ b/internal/ingress/annotations/customhttperrors/main.go @@ -17,6 +17,7 @@ limitations under the License. package customhttperrors import ( + "regexp" "strconv" "strings" @@ -26,25 +27,50 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + customHTTPErrorsAnnotation = "custom-http-errors" +) + +// We accept anything between 400 and 599, on a comma separated. +var arrayOfHTTPErrors = regexp.MustCompile(`^(?:[4,5]\d{2},?)*$`) + +var customHTTPErrorsAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + customHTTPErrorsAnnotation: { + Validator: parser.ValidateRegex(arrayOfHTTPErrors, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `If a default backend annotation is specified on the ingress, the errors code specified on this annotation + will be routed to that annotation's default backend service. Otherwise they will be routed to the global default backend. + A comma-separated list of error codes is accepted (anything between 400 and 599, like 403, 503)`, + }, + }, +} + type customhttperrors struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new custom http errors annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return customhttperrors{r} + return customhttperrors{ + r: r, + annotationConfig: customHTTPErrorsAnnotations, + } } // Parse parses the annotations contained in the ingress to use // custom http errors func (e customhttperrors) Parse(ing *networking.Ingress) (interface{}, error) { - c, err := parser.GetStringAnnotation("custom-http-errors", ing) + c, err := parser.GetStringAnnotation(customHTTPErrorsAnnotation, ing, e.annotationConfig.Annotations) if err != nil { return nil, err } cSplit := strings.Split(c, ",") - var codes []int + codes := make([]int, 0, len(cSplit)) for _, i := range cSplit { num, err := strconv.Atoi(i) if err != nil { @@ -55,3 +81,12 @@ func (e customhttperrors) Parse(ing *networking.Ingress) (interface{}, error) { return codes, nil } + +func (e customhttperrors) GetDocumentation() parser.AnnotationFields { + return e.annotationConfig.Annotations +} + +func (e customhttperrors) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(e.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, customHTTPErrorsAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/defaultbackend/main.go b/internal/ingress/annotations/defaultbackend/main.go index b1685015e..9ae44f052 100644 --- a/internal/ingress/annotations/defaultbackend/main.go +++ b/internal/ingress/annotations/defaultbackend/main.go @@ -25,28 +25,58 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + defaultBackendAnnotation = "default-backend" +) + +var defaultBackendAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + defaultBackendAnnotation: { + Validator: parser.ValidateServiceName, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This service will be used to handle the response when the configured service in the Ingress rule does not have any active endpoints. + It will also be used to handle the error responses if both this annotation and the custom-http-errors annotation are set.`, + }, + }, +} + type backend struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new default backend annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return backend{r} + return backend{ + r: r, + annotationConfig: defaultBackendAnnotations, + } } // Parse parses the annotations contained in the ingress to use // a custom default backend -func (db backend) Parse(ing *networking.Ingress) (interface{}, error) { - s, err := parser.GetStringAnnotation("default-backend", ing) +func (b backend) Parse(ing *networking.Ingress) (interface{}, error) { + s, err := parser.GetStringAnnotation(defaultBackendAnnotation, ing, b.annotationConfig.Annotations) if err != nil { return nil, err } name := fmt.Sprintf("%v/%v", ing.Namespace, s) - svc, err := db.r.GetService(name) + svc, err := b.r.GetService(name) if err != nil { return nil, fmt.Errorf("unexpected error reading service %s: %w", name, err) } return svc, nil } + +func (b backend) GetDocumentation() parser.AnnotationFields { + return b.annotationConfig.Annotations +} + +func (b backend) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(b.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, defaultBackendAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/defaultbackend/main_test.go b/internal/ingress/annotations/defaultbackend/main_test.go index ec23d32c2..214d07803 100644 --- a/internal/ingress/annotations/defaultbackend/main_test.go +++ b/internal/ingress/annotations/defaultbackend/main_test.go @@ -91,21 +91,51 @@ func (m mockService) GetService(name string) (*api.Service, error) { func TestAnnotations(t *testing.T) { ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("default-backend")] = "demo-service" - ing.SetAnnotations(data) - - fakeService := &mockService{} - i, err := NewParser(fakeService).Parse(ing) - if err != nil { - t.Errorf("unexpected error %v", err) + tests := map[string]struct { + expectErr bool + serviceName string + }{ + "valid name": { + serviceName: "demo-service", + expectErr: false, + }, + "not in backend": { + serviceName: "demo1-service", + expectErr: true, + }, + "invalid dns name": { + serviceName: "demo-service.something.tld", + expectErr: true, + }, + "invalid name": { + serviceName: "something/xpto", + expectErr: true, + }, + "invalid characters": { + serviceName: "something;xpto", + expectErr: true, + }, } - svc, ok := i.(*api.Service) - if !ok { - t.Errorf("expected *api.Service but got %v", svc) - } - if svc.Name != "demo-service" { - t.Errorf("expected %v but got %v", "demo-service", svc.Name) + for _, test := range tests { + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(defaultBackendAnnotation)] = test.serviceName + ing.SetAnnotations(data) + + fakeService := &mockService{} + i, err := NewParser(fakeService).Parse(ing) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) + } + + if !test.expectErr { + svc, ok := i.(*api.Service) + if !ok { + t.Errorf("expected *api.Service but got %v", svc) + } + if svc.Name != test.serviceName { + t.Errorf("expected %v but got %v", test.serviceName, svc.Name) + } + } } } diff --git a/internal/ingress/annotations/disableproxyintercepterrors/main.go b/internal/ingress/annotations/disableproxyintercepterrors/main.go new file mode 100644 index 000000000..650d29707 --- /dev/null +++ b/internal/ingress/annotations/disableproxyintercepterrors/main.go @@ -0,0 +1,76 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package disableproxyintercepterrors + +import ( + networking "k8s.io/api/networking/v1" + + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +const ( + disableProxyInterceptErrorsAnnotation = "disable-proxy-intercept-errors" +) + +var disableProxyInterceptErrorsAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + disableProxyInterceptErrorsAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows to disable NGINX proxy-intercept-errors when custom-http-errors are set. + If a default backend annotation is specified on the ingress, the errors will be routed to that annotation's default backend service (instead of the global default backend). + Different ingresses can specify different sets of errors codes and there are UseCases where NGINX shall not intercept all errors returned from upstream.`, + }, + }, +} + +type disableProxyInterceptErrors struct { + r resolver.Resolver + annotationConfig parser.Annotation +} + +func (pie disableProxyInterceptErrors) GetDocumentation() parser.AnnotationFields { + return pie.annotationConfig.Annotations +} + +func (pie disableProxyInterceptErrors) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(pie.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, disableProxyInterceptErrorsAnnotations.Annotations) +} + +// NewParser creates a new disableProxyInterceptErrors annotation parser +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return disableProxyInterceptErrors{ + r: r, + annotationConfig: disableProxyInterceptErrorsAnnotations, + } +} + +func (pie disableProxyInterceptErrors) Parse(ing *networking.Ingress) (interface{}, error) { + val, err := parser.GetBoolAnnotation(disableProxyInterceptErrorsAnnotation, ing, pie.annotationConfig.Annotations) + + // A missing annotation is not a problem, just use the default + if err == errors.ErrMissingAnnotations { + return false, nil // default is false + } + + return val, nil +} diff --git a/internal/ingress/annotations/disableproxyintercepterrors/main_test.go b/internal/ingress/annotations/disableproxyintercepterrors/main_test.go new file mode 100644 index 000000000..1238bb4e0 --- /dev/null +++ b/internal/ingress/annotations/disableproxyintercepterrors/main_test.go @@ -0,0 +1,64 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package disableproxyintercepterrors + +import ( + "testing" + + api "k8s.io/api/core/v1" + networking "k8s.io/api/networking/v1" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +func buildIngress() *networking.Ingress { + return &networking.Ingress{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "foo", + Namespace: api.NamespaceDefault, + }, + Spec: networking.IngressSpec{ + DefaultBackend: &networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + }, + }, + } +} + +func TestParseAnnotations(t *testing.T) { + ing := buildIngress() + + _, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("disable-proxy-intercept-errors")] = "true" + ing.SetAnnotations(data) + // test ingress using the annotation without a TLS section + _, err = NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing ingress with disable-proxy-intercept-errors") + } +} diff --git a/internal/ingress/annotations/fastcgi/main.go b/internal/ingress/annotations/fastcgi/main.go index b32b85997..9e7ab3c61 100644 --- a/internal/ingress/annotations/fastcgi/main.go +++ b/internal/ingress/annotations/fastcgi/main.go @@ -19,17 +19,50 @@ package fastcgi import ( "fmt" "reflect" + "regexp" networking "k8s.io/api/networking/v1" "k8s.io/client-go/tools/cache" + "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + fastCGIIndexAnnotation = "fastcgi-index" + fastCGIParamsAnnotation = "fastcgi-params-configmap" //#nosec G101 +) + +// fast-cgi valid parameters is just a single file name (like index.php) +var ( + regexValidIndexAnnotationAndKey = regexp.MustCompile(`^[A-Za-z0-9.\-\_]+$`) + validFCGIValue = regexp.MustCompile(`^[A-Za-z0-9\-\_\$\{\}/.]*$`) +) + +var fastCGIAnnotations = parser.Annotation{ + Group: "fastcgi", + Annotations: parser.AnnotationFields{ + fastCGIIndexAnnotation: { + Validator: parser.ValidateRegex(regexValidIndexAnnotationAndKey, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation can be used to specify an index file`, + }, + fastCGIParamsAnnotation: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation can be used to specify a ConfigMap containing the fastcgi parameters as a key/value. + Only ConfigMaps on the same namespace of ingress can be used. They key and value from ConfigMap are validated for unauthorized characters.`, + }, + }, +} + type fastcgi struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config describes the per location fastcgi config @@ -57,50 +90,78 @@ func (l1 *Config) Equal(l2 *Config) bool { // NewParser creates a new fastcgiConfig protocol annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return fastcgi{r} + return fastcgi{ + r: r, + annotationConfig: fastCGIAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress // rule used to indicate the fastcgiConfig. func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { - fcgiConfig := Config{} if ing.GetAnnotations() == nil { return fcgiConfig, nil } - index, err := parser.GetStringAnnotation("fastcgi-index", ing) + index, err := parser.GetStringAnnotation(fastCGIIndexAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return fcgiConfig, err + } index = "" } + fcgiConfig.Index = index - cm, err := parser.GetStringAnnotation("fastcgi-params-configmap", ing) + cm, err := parser.GetStringAnnotation(fastCGIParamsAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + return fcgiConfig, err + } return fcgiConfig, nil } cmns, cmn, err := cache.SplitMetaNamespaceKey(cm) if err != nil { - return fcgiConfig, ing_errors.LocationDenied{ + return fcgiConfig, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("error reading configmap name from annotation: %w", err), } } + secCfg := a.r.GetSecurityConfiguration() - if cmns == "" { - cmns = ing.Namespace + // We don't accept different namespaces for secrets. + if cmns != "" && !secCfg.AllowCrossNamespaceResources && cmns != ing.Namespace { + return fcgiConfig, fmt.Errorf("different namespace is not supported on fast_cgi param configmap") } - cm = fmt.Sprintf("%v/%v", cmns, cmn) + cm = fmt.Sprintf("%v/%v", ing.Namespace, cmn) cmap, err := a.r.GetConfigMap(cm) if err != nil { - return fcgiConfig, ing_errors.LocationDenied{ + return fcgiConfig, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("unexpected error reading configmap %s: %w", cm, err), } } + for k, v := range cmap.Data { + if !regexValidIndexAnnotationAndKey.MatchString(k) || !validFCGIValue.MatchString(v) { + klog.ErrorS(fmt.Errorf("fcgi contains invalid key or value"), "fcgi annotation error", "configmap", cmap.Name, "namespace", cmap.Namespace, "key", k, "value", v) + return fcgiConfig, ing_errors.NewValidationError(fastCGIParamsAnnotation) + } + } + + fcgiConfig.Index = index fcgiConfig.Params = cmap.Data return fcgiConfig, nil } + +func (a fastcgi) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a fastcgi) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, fastCGIAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/fastcgi/main_test.go b/internal/ingress/annotations/fastcgi/main_test.go index 26d85e7ce..f0bbc9d65 100644 --- a/internal/ingress/annotations/fastcgi/main_test.go +++ b/internal/ingress/annotations/fastcgi/main_test.go @@ -17,13 +17,15 @@ limitations under the License. package fastcgi import ( + "fmt" + "reflect" "testing" api "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/tools/cache" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) @@ -48,19 +50,35 @@ func buildIngress() *networking.Ingress { type mockConfigMap struct { resolver.Mock + extraConfigMap map[string]map[string]string } func (m mockConfigMap) GetConfigMap(name string) (*api.ConfigMap, error) { - if name != "default/demo-configmap" { - return nil, errors.Errorf("there is no configmap with name %v", name) + if m.extraConfigMap == nil { + m.extraConfigMap = make(map[string]map[string]string) + } + cmdata, ok := m.extraConfigMap[name] + + if name != "default/demo-configmap" && name != "otherns/demo-configmap" && !ok { + return nil, fmt.Errorf("there is no configmap with name %v", name) + } + + cmns, cmn, err := cache.SplitMetaNamespaceKey(name) + if err != nil { + return nil, fmt.Errorf("invalid configmap name") + } + + data := map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"} + if ok { + data = cmdata } return &api.ConfigMap{ ObjectMeta: meta_v1.ObjectMeta{ - Namespace: api.NamespaceDefault, - Name: "demo-secret", + Namespace: cmns, + Name: cmn, }, - Data: map[string]string{"REDIRECT_STATUS": "200", "SERVER_NAME": "$server_name"}, + Data: data, }, nil } @@ -137,7 +155,6 @@ func TestParseFastCGIInvalidParamsConfigMapAnnotation(t *testing.T) { invalidConfigMapList := []string{"unknown/configMap", "unknown/config/map"} for _, configmap := range invalidConfigMapList { - data := map[string]string{} data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = configmap ing.SetAnnotations(data) @@ -210,8 +227,20 @@ func TestParseFastCGIParamsConfigMapAnnotationWithNS(t *testing.T) { } } -func TestConfigEquality(t *testing.T) { +func TestParseFastCGIParamsConfigMapAnnotationWithDifferentNS(t *testing.T) { + ing := buildIngress() + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = "otherns/demo-configmap" + ing.SetAnnotations(data) + + _, err := NewParser(&mockConfigMap{}).Parse(ing) + if err == nil { + t.Errorf("Different namespace configmap should return an error") + } +} + +func TestConfigEquality(t *testing.T) { var nilConfig *Config config := Config{ @@ -263,3 +292,121 @@ func TestConfigEquality(t *testing.T) { t.Errorf("config4 should be equal to config") } } + +func Test_fastcgi_Parse(t *testing.T) { + tests := []struct { + name string + index string + configmapname string + configmap map[string]string + want interface{} + wantErr bool + }{ + { + name: "valid configuration", + index: "indexxpto-92123.php", + configmapname: "default/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + want: Config{ + Index: "indexxpto-92123.php", + Params: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + }, + }, + { + name: "invalid index name", + index: "indexxpto-92123$xx.php", + configmapname: "default/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + want: Config{}, + wantErr: true, + }, + { + name: "invalid configmap namespace", + index: "indexxpto-92123.php", + configmapname: "otherns/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + want: Config{Index: "indexxpto-92123.php"}, + wantErr: true, + }, + { + name: "invalid configmap namespace name", + index: "indexxpto-92123.php", + configmapname: "otherns/fcgicon;{fig", + configmap: map[string]string{ + "REQUEST_METHOD": "$request_method", + "SCRIPT_FILENAME": "$document_root$fastcgi_script_name", + }, + want: Config{Index: "indexxpto-92123.php"}, + wantErr: true, + }, + { + name: "invalid configmap values key", + index: "indexxpto-92123.php", + configmapname: "default/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD$XPTO": "$request_method", + }, + want: Config{Index: "indexxpto-92123.php"}, + wantErr: true, + }, + { + name: "invalid configmap values val", + index: "indexxpto-92123.php", + configmapname: "default/fcgiconfig", + configmap: map[string]string{ + "REQUEST_METHOD_XPTO": "$request_method{test};a", + }, + want: Config{Index: "indexxpto-92123.php"}, + wantErr: true, + }, + { + name: "invalid configmap values val", + index: "indexxpto-92123.php", + configmapname: "default/fcgiconfig", + configmap: map[string]string{ + "SCRIPT_FILENAME": "/app/src/index.php", + }, + want: Config{Index: "indexxpto-92123.php", Params: map[string]string{ + "SCRIPT_FILENAME": "/app/src/index.php", + }}, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("fastcgi-index")] = tt.index + data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = tt.configmapname + ing.SetAnnotations(data) + + m := &mockConfigMap{ + extraConfigMap: map[string]map[string]string{ + tt.configmapname: tt.configmap, + }, + } + + got, err := NewParser(m).Parse(ing) + if (err != nil) != tt.wantErr { + t.Errorf("fastcgi.Parse() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("fastcgi.Parse() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/internal/ingress/annotations/globalratelimit/main.go b/internal/ingress/annotations/globalratelimit/main.go index ea9fc4678..0aec29f66 100644 --- a/internal/ingress/annotations/globalratelimit/main.go +++ b/internal/ingress/annotations/globalratelimit/main.go @@ -22,6 +22,7 @@ import ( "time" networking "k8s.io/api/networking/v1" + "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" @@ -32,6 +33,46 @@ import ( const defaultKey = "$remote_addr" +const ( + globalRateLimitAnnotation = "global-rate-limit" + globalRateLimitWindowAnnotation = "global-rate-limit-window" + globalRateLimitKeyAnnotation = "global-rate-limit-key" + globalRateLimitIgnoredCidrsAnnotation = "global-rate-limit-ignored-cidrs" +) + +var globalRateLimitAnnotationConfig = parser.Annotation{ + Group: "ratelimit", + Annotations: parser.AnnotationFields{ + globalRateLimitAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation configures maximum allowed number of requests per window`, + }, + globalRateLimitWindowAnnotation: { + Validator: parser.ValidateDuration, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `Configures a time window (i.e 1m) that the limit is applied`, + }, + globalRateLimitKeyAnnotation: { + Validator: parser.ValidateRegex(parser.NGINXVariable, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation Configures a key for counting the samples. Defaults to $remote_addr. + You can also combine multiple NGINX variables here, like ${remote_addr}-${http_x_api_client} which would mean the limit will be applied to + requests coming from the same API client (indicated by X-API-Client HTTP request header) with the same source IP address`, + }, + globalRateLimitIgnoredCidrsAnnotation: { + Validator: parser.ValidateCIDRs, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines a comma separated list of IPs and CIDRs to match client IP against. + When there's a match request is not considered for rate limiting.`, + }, + }, +} + // Config encapsulates all global rate limit attributes type Config struct { Namespace string `json:"namespace"` @@ -63,12 +104,16 @@ func (l *Config) Equal(r *Config) bool { } type globalratelimit struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new globalratelimit annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return globalratelimit{r} + return globalratelimit{ + r: r, + annotationConfig: globalRateLimitAnnotationConfig, + } } // Parse extracts globalratelimit annotations from the given ingress @@ -76,32 +121,46 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { config := &Config{} - limit, _ := parser.GetIntAnnotation("global-rate-limit", ing) - rawWindowSize, _ := parser.GetStringAnnotation("global-rate-limit-window", ing) + limit, err := parser.GetIntAnnotation(globalRateLimitAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsInvalidContent(err) { + return nil, err + } + rawWindowSize, err := parser.GetStringAnnotation(globalRateLimitWindowAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsValidationError(err) { + return config, ing_errors.LocationDeniedError{ + Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err), + } + } - if limit == 0 || len(rawWindowSize) == 0 { + if limit == 0 || rawWindowSize == "" { return config, nil } windowSize, err := time.ParseDuration(rawWindowSize) if err != nil { - return config, ing_errors.LocationDenied{ + return config, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err), } } - key, _ := parser.GetStringAnnotation("global-rate-limit-key", ing) - if len(key) == 0 { + key, err := parser.GetStringAnnotation(globalRateLimitKeyAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + klog.Warningf("invalid %s, defaulting to %s", globalRateLimitKeyAnnotation, defaultKey) + } + if key == "" { key = defaultKey } - rawIgnoredCIDRs, _ := parser.GetStringAnnotation("global-rate-limit-ignored-cidrs", ing) + rawIgnoredCIDRs, err := parser.GetStringAnnotation(globalRateLimitIgnoredCidrsAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && ing_errors.IsInvalidContent(err) { + return nil, err + } ignoredCIDRs, err := net.ParseCIDRs(rawIgnoredCIDRs) if err != nil { return nil, err } - config.Namespace = strings.Replace(string(ing.UID), "-", "", -1) + config.Namespace = strings.ReplaceAll(string(ing.UID), "-", "") config.Limit = limit config.WindowSize = int(windowSize.Seconds()) config.Key = key @@ -109,3 +168,12 @@ func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { return config, nil } + +func (a globalratelimit) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a globalratelimit) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, globalRateLimitAnnotationConfig.Annotations) +} diff --git a/internal/ingress/annotations/globalratelimit/main_test.go b/internal/ingress/annotations/globalratelimit/main_test.go index 815d6cfff..b1a7ab71b 100644 --- a/internal/ingress/annotations/globalratelimit/main_test.go +++ b/internal/ingress/annotations/globalratelimit/main_test.go @@ -30,8 +30,10 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -const UID = "31285d47-b150-4dcf-bd6f-12c46d769f6e" -const expectedUID = "31285d47b1504dcfbd6f12c46d769f6e" +const ( + UID = "31285d47-b150-4dcf-bd6f-12c46d769f6e" + expectedUID = "31285d47b1504dcfbd6f12c46d769f6e" +) func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ @@ -149,6 +151,22 @@ func TestGlobalRateLimiting(t *testing.T) { }, nil, }, + { + "global-rate-limit-complex-key", + map[string]string{ + annRateLimit: "100", + annRateLimitWindow: "2m", + annRateLimitKey: "${http_x_api_user}${otherinfo}", + }, + &Config{ + Namespace: expectedUID, + Limit: 100, + WindowSize: 120, + Key: "${http_x_api_user}${otherinfo}", + IgnoredCIDRs: make([]string, 0), + }, + nil, + }, { "incorrect duration for window", map[string]string{ @@ -157,8 +175,8 @@ func TestGlobalRateLimiting(t *testing.T) { annRateLimitKey: "$http_x_api_user", }, &Config{}, - ing_errors.LocationDenied{ - Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: time: unknown unit \"mb\" in duration \"2mb\""), + ing_errors.ValidationError{ + Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: annotation nginx.ingress.kubernetes.io/global-rate-limit-window contains invalid value"), }, }, } @@ -168,16 +186,25 @@ func TestGlobalRateLimiting(t *testing.T) { i, actualErr := NewParser(mockBackend{}).Parse(ing) if (testCase.expectedErr == nil || actualErr == nil) && testCase.expectedErr != actualErr { - t.Errorf("expected error 'nil' but got '%v'", actualErr) + t.Errorf("%s expected error '%v' but got '%v'", testCase.title, testCase.expectedErr, actualErr) } else if testCase.expectedErr != nil && actualErr != nil && testCase.expectedErr.Error() != actualErr.Error() { t.Errorf("expected error '%v' but got '%v'", testCase.expectedErr, actualErr) } - actualConfig := i.(*Config) + actualConfig, ok := i.(*Config) + if !ok { + t.Errorf("expected Config type but got %T", i) + } if !testCase.expectedConfig.Equal(actualConfig) { - expectedJSON, _ := json.Marshal(testCase.expectedConfig) - actualJSON, _ := json.Marshal(actualConfig) + expectedJSON, err := json.Marshal(testCase.expectedConfig) + if err != nil { + t.Errorf("failed to marshal expected config: %v", err) + } + actualJSON, err := json.Marshal(actualConfig) + if err != nil { + t.Errorf("failed to marshal actual config: %v", err) + } t.Errorf("%v: expected config '%s' but got '%s'", testCase.title, expectedJSON, actualJSON) } } diff --git a/internal/ingress/annotations/http2pushpreload/main.go b/internal/ingress/annotations/http2pushpreload/main.go index 27d3368f4..123940d9d 100644 --- a/internal/ingress/annotations/http2pushpreload/main.go +++ b/internal/ingress/annotations/http2pushpreload/main.go @@ -23,17 +23,46 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + http2PushPreloadAnnotation = "http2-push-preload" +) + +var http2PushPreloadAnnotations = parser.Annotation{ + Group: "http2", + Annotations: parser.AnnotationFields{ + http2PushPreloadAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `Enables automatic conversion of preload links specified in the “Link” response header fields into push requests`, + }, + }, +} + type http2PushPreload struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new http2PushPreload annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return http2PushPreload{r} + return http2PushPreload{ + r: r, + annotationConfig: http2PushPreloadAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to add http2 push preload to the server func (h2pp http2PushPreload) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetBoolAnnotation("http2-push-preload", ing) + return parser.GetBoolAnnotation(http2PushPreloadAnnotation, ing, h2pp.annotationConfig.Annotations) +} + +func (h2pp http2PushPreload) GetDocumentation() parser.AnnotationFields { + return h2pp.annotationConfig.Annotations +} + +func (h2pp http2PushPreload) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(h2pp.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, http2PushPreloadAnnotations.Annotations) } diff --git a/internal/ingress/annotations/http2pushpreload/main_test.go b/internal/ingress/annotations/http2pushpreload/main_test.go index bb98af93f..eb6e9111d 100644 --- a/internal/ingress/annotations/http2pushpreload/main_test.go +++ b/internal/ingress/annotations/http2pushpreload/main_test.go @@ -23,11 +23,12 @@ import ( networking "k8s.io/api/networking/v1" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("http2-push-preload") + annotation := parser.GetAnnotationWithPrefix(http2PushPreloadAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { t.Fatalf("expected a parser.IngressAnnotation but returned nil") @@ -36,12 +37,14 @@ func TestParse(t *testing.T) { testCases := []struct { annotations map[string]string expected bool + expectErr bool }{ - {map[string]string{annotation: "true"}, true}, - {map[string]string{annotation: "1"}, true}, - {map[string]string{annotation: ""}, false}, - {map[string]string{}, false}, - {nil, false}, + {map[string]string{annotation: "true"}, true, false}, + {map[string]string{annotation: "1"}, true, false}, + {map[string]string{annotation: "xpto"}, false, true}, + {map[string]string{annotation: ""}, false, false}, + {map[string]string{}, false, false}, + {nil, false, false}, } ing := &networking.Ingress{ @@ -54,7 +57,10 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) + result, err := ap.Parse(ing) + if ((err != nil) != testCase.expectErr) && !errors.IsInvalidContent(err) && !errors.IsMissingAnnotations(err) { + t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations) + } if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) } diff --git a/internal/ingress/annotations/influxdb/main.go b/internal/ingress/annotations/influxdb/main.go deleted file mode 100644 index 1aee91f33..000000000 --- a/internal/ingress/annotations/influxdb/main.go +++ /dev/null @@ -1,101 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package influxdb - -import ( - networking "k8s.io/api/networking/v1" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -type influxdb struct { - r resolver.Resolver -} - -// Config contains the IfluxDB configuration to be used in the Ingress -type Config struct { - InfluxDBEnabled bool `json:"influxDBEnabled"` - InfluxDBMeasurement string `json:"influxDBMeasurement"` - InfluxDBPort string `json:"influxDBPort"` - InfluxDBHost string `json:"influxDBHost"` - InfluxDBServerName string `json:"influxDBServerName"` -} - -// NewParser creates a new InfluxDB annotation parser -func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return influxdb{r} -} - -// Parse parses the annotations to look for InfluxDB configurations -func (c influxdb) Parse(ing *networking.Ingress) (interface{}, error) { - var err error - config := &Config{} - - config.InfluxDBEnabled, err = parser.GetBoolAnnotation("enable-influxdb", ing) - if err != nil { - config.InfluxDBEnabled = false - } - - config.InfluxDBMeasurement, err = parser.GetStringAnnotation("influxdb-measurement", ing) - if err != nil { - config.InfluxDBMeasurement = "default" - } - - config.InfluxDBPort, err = parser.GetStringAnnotation("influxdb-port", ing) - if err != nil { - // This is not the default 8086 port but the port usually used to expose - // influxdb in UDP, the module uses UDP to talk to influx via the line protocol. - config.InfluxDBPort = "8089" - } - - config.InfluxDBHost, err = parser.GetStringAnnotation("influxdb-host", ing) - if err != nil { - config.InfluxDBHost = "127.0.0.1" - } - - config.InfluxDBServerName, err = parser.GetStringAnnotation("influxdb-server-name", ing) - if err != nil { - config.InfluxDBServerName = "nginx-ingress" - } - - return config, nil -} - -// Equal tests for equality between two Config types -func (e1 *Config) Equal(e2 *Config) bool { - if e1 == e2 { - return true - } - if e1 == nil || e2 == nil { - return false - } - if e1.InfluxDBEnabled != e2.InfluxDBEnabled { - return false - } - if e1.InfluxDBPort != e2.InfluxDBPort { - return false - } - if e1.InfluxDBHost != e2.InfluxDBHost { - return false - } - if e1.InfluxDBServerName != e2.InfluxDBServerName { - return false - } - - return true -} diff --git a/internal/ingress/annotations/influxdb/main_test.go b/internal/ingress/annotations/influxdb/main_test.go deleted file mode 100644 index 13d681509..000000000 --- a/internal/ingress/annotations/influxdb/main_test.go +++ /dev/null @@ -1,138 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package influxdb - -import ( - "testing" - - api "k8s.io/api/core/v1" - networking "k8s.io/api/networking/v1" - meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -func buildIngress() *networking.Ingress { - defaultBackend := networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - } - - return &networking.Ingress{ - ObjectMeta: meta_v1.ObjectMeta{ - Name: "foo", - Namespace: api.NamespaceDefault, - }, - Spec: networking.IngressSpec{ - DefaultBackend: &networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - }, - Rules: []networking.IngressRule{ - { - Host: "foo.bar.com", - IngressRuleValue: networking.IngressRuleValue{ - HTTP: &networking.HTTPIngressRuleValue{ - Paths: []networking.HTTPIngressPath{ - { - Path: "/foo", - Backend: defaultBackend, - }, - }, - }, - }, - }, - }, - }, - } -} - -func TestIngressInvalidInfluxDB(t *testing.T) { - ing := buildIngress() - - influx, _ := NewParser(&resolver.Mock{}).Parse(ing) - nginxInflux, ok := influx.(*Config) - if !ok { - t.Errorf("expected a Config type") - } - - if nginxInflux.InfluxDBEnabled == true { - t.Errorf("expected influxdb enabled but returned %v", nginxInflux.InfluxDBEnabled) - } - - if nginxInflux.InfluxDBMeasurement != "default" { - t.Errorf("expected measurement name not found. Found %v", nginxInflux.InfluxDBMeasurement) - } - - if nginxInflux.InfluxDBPort != "8089" { - t.Errorf("expected port not found. Found %v", nginxInflux.InfluxDBPort) - } - - if nginxInflux.InfluxDBHost != "127.0.0.1" { - t.Errorf("expected host not found. Found %v", nginxInflux.InfluxDBHost) - } - - if nginxInflux.InfluxDBServerName != "nginx-ingress" { - t.Errorf("expected server name not found. Found %v", nginxInflux.InfluxDBServerName) - } -} - -func TestIngressInfluxDB(t *testing.T) { - ing := buildIngress() - - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-influxdb")] = "true" - data[parser.GetAnnotationWithPrefix("influxdb-measurement")] = "nginxmeasures" - data[parser.GetAnnotationWithPrefix("influxdb-port")] = "9091" - data[parser.GetAnnotationWithPrefix("influxdb-host")] = "10.99.0.13" - data[parser.GetAnnotationWithPrefix("influxdb-server-name")] = "nginx-test-1" - ing.SetAnnotations(data) - - influx, _ := NewParser(&resolver.Mock{}).Parse(ing) - nginxInflux, ok := influx.(*Config) - if !ok { - t.Errorf("expected a Config type") - } - - if !nginxInflux.InfluxDBEnabled { - t.Errorf("expected influxdb enabled but returned %v", nginxInflux.InfluxDBEnabled) - } - - if nginxInflux.InfluxDBMeasurement != "nginxmeasures" { - t.Errorf("expected measurement name not found. Found %v", nginxInflux.InfluxDBMeasurement) - } - - if nginxInflux.InfluxDBPort != "9091" { - t.Errorf("expected port not found. Found %v", nginxInflux.InfluxDBPort) - } - - if nginxInflux.InfluxDBHost != "10.99.0.13" { - t.Errorf("expected host not found. Found %v", nginxInflux.InfluxDBHost) - } - - if nginxInflux.InfluxDBServerName != "nginx-test-1" { - t.Errorf("expected server name not found. Found %v", nginxInflux.InfluxDBServerName) - } -} diff --git a/internal/ingress/annotations/ipwhitelist/main.go b/internal/ingress/annotations/ipallowlist/main.go similarity index 52% rename from internal/ingress/annotations/ipwhitelist/main.go rename to internal/ingress/annotations/ipallowlist/main.go index 63c049fef..23a3bd9e7 100644 --- a/internal/ingress/annotations/ipwhitelist/main.go +++ b/internal/ingress/annotations/ipallowlist/main.go @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package ipwhitelist +package ipallowlist import ( "fmt" @@ -30,6 +30,24 @@ import ( "k8s.io/ingress-nginx/pkg/util/sets" ) +const ( + ipWhitelistAnnotation = "whitelist-source-range" + ipAllowlistAnnotation = "allowlist-source-range" +) + +var allowlistAnnotations = parser.Annotation{ + Group: "acl", + Annotations: parser.AnnotationFields{ + ipAllowlistAnnotation: { + Validator: parser.ValidateCIDRs, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Failure on parsing this may cause undesired access + Documentation: `This annotation allows setting a list of IPs and networks allowed to access this Location`, + AnnotationAliases: []string{ipWhitelistAnnotation}, + }, + }, +} + // SourceRange returns the CIDR type SourceRange struct { CIDR []string `json:"cidr,omitempty"` @@ -47,36 +65,46 @@ func (sr1 *SourceRange) Equal(sr2 *SourceRange) bool { return sets.StringElementsMatch(sr1.CIDR, sr2.CIDR) } -type ipwhitelist struct { - r resolver.Resolver +type ipallowlist struct { + r resolver.Resolver + annotationConfig parser.Annotation } -// NewParser creates a new whitelist annotation parser +// NewParser creates a new ipallowlist annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return ipwhitelist{r} + return ipallowlist{ + r: r, + annotationConfig: allowlistAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress // rule used to limit access to certain client addresses or networks. // Multiple ranges can specified using commas as separator // e.g. `18.0.0.0/8,56.0.0.0/8` -func (a ipwhitelist) Parse(ing *networking.Ingress) (interface{}, error) { +func (a ipallowlist) Parse(ing *networking.Ingress) (interface{}, error) { defBackend := a.r.GetDefaultBackend() - defaultWhitelistSourceRange := make([]string, len(defBackend.WhitelistSourceRange)) - copy(defaultWhitelistSourceRange, defBackend.WhitelistSourceRange) - sort.Strings(defaultWhitelistSourceRange) + defaultAllowlistSourceRange := make([]string, len(defBackend.WhitelistSourceRange)) + copy(defaultAllowlistSourceRange, defBackend.WhitelistSourceRange) + sort.Strings(defaultAllowlistSourceRange) - val, err := parser.GetStringAnnotation("whitelist-source-range", ing) + val, err := parser.GetStringAnnotation(ipAllowlistAnnotation, ing, a.annotationConfig.Annotations) // A missing annotation is not a problem, just use the default - if err == ing_errors.ErrMissingAnnotations { - return &SourceRange{CIDR: defaultWhitelistSourceRange}, nil + if err != nil { + if err == ing_errors.ErrMissingAnnotations { + return &SourceRange{CIDR: defaultAllowlistSourceRange}, nil + } + + return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDeniedError{ + Reason: err, + } } values := strings.Split(val, ",") ipnets, ips, err := net.ParseIPNets(values...) if err != nil && len(ips) == 0 { - return &SourceRange{CIDR: defaultWhitelistSourceRange}, ing_errors.LocationDenied{ + return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("the annotation does not contain a valid IP address or network: %w", err), } } @@ -93,3 +121,12 @@ func (a ipwhitelist) Parse(ing *networking.Ingress) (interface{}, error) { return &SourceRange{cidrs}, nil } + +func (a ipallowlist) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a ipallowlist) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, allowlistAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/ipallowlist/main_test.go b/internal/ingress/annotations/ipallowlist/main_test.go new file mode 100644 index 000000000..b16b25a5b --- /dev/null +++ b/internal/ingress/annotations/ipallowlist/main_test.go @@ -0,0 +1,262 @@ +/* +Copyright 2016 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ipallowlist + +import ( + "testing" + + api "k8s.io/api/core/v1" + networking "k8s.io/api/networking/v1" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/defaults" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +func buildIngress() *networking.Ingress { + defaultBackend := networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + } + + return &networking.Ingress{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "foo", + Namespace: api.NamespaceDefault, + }, + Spec: networking.IngressSpec{ + DefaultBackend: &networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "default-backend", + Port: networking.ServiceBackendPort{ + Number: 80, + }, + }, + }, + Rules: []networking.IngressRule{ + { + Host: "foo.bar.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/foo", + Backend: defaultBackend, + }, + }, + }, + }, + }, + }, + }, + } +} + +func TestParseAnnotations(t *testing.T) { + ing := buildIngress() + tests := map[string]struct { + net string + expectCidr []string + expectErr bool + errOut string + }{ + "test parse a valid net": { + net: "10.0.0.0/24", + expectCidr: []string{"10.0.0.0/24"}, + expectErr: false, + }, + "test parse a invalid net": { + net: "ww", + expectErr: true, + errOut: "annotation nginx.ingress.kubernetes.io/allowlist-source-range contains invalid value", + }, + "test parse a empty net": { + net: "", + expectErr: true, + errOut: "the annotation nginx.ingress.kubernetes.io/allowlist-source-range does not contain a valid value ()", + }, + "test parse multiple valid cidr": { + net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", + expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"}, + expectErr: false, + }, + } + + for testName, test := range tests { + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(ipAllowlistAnnotation)] = test.net + ing.SetAnnotations(data) + p := NewParser(&resolver.Mock{}) + i, err := p.Parse(ing) + if (err != nil) != test.expectErr { + t.Errorf("%s expected error: %t got error: %t err value: %s. %+v", testName, test.expectErr, err != nil, err, i) + } + if test.expectErr && err != nil { + if err.Error() != test.errOut { + t.Errorf("expected error %s but got %s", test.errOut, err) + } + } + if !test.expectErr { + sr, ok := i.(*SourceRange) + if !ok { + t.Errorf("%v:expected a SourceRange type", testName) + } + if !strsEquals(sr.CIDR, test.expectCidr) { + t.Errorf("%v:expected %v CIDR but %v returned", testName, test.expectCidr, sr.CIDR) + } + } + } +} + +type mockBackend struct { + resolver.Mock +} + +// GetDefaultBackend returns the backend that must be used as default +func (m mockBackend) GetDefaultBackend() defaults.Backend { + return defaults.Backend{ + WhitelistSourceRange: []string{"4.4.4.0/24", "1.2.3.4/32"}, + } +} + +// Test that when we have a allowlist set on the Backend that is used when we +// don't have the annotation +func TestParseAnnotationsWithDefaultConfig(t *testing.T) { + ing := buildIngress() + + mockBackend := mockBackend{} + + tests := map[string]struct { + net string + expectCidr []string + expectErr bool + errOut string + }{ + "test parse a valid net": { + net: "10.0.0.0/24", + expectCidr: []string{"10.0.0.0/24"}, + expectErr: false, + }, + "test parse a invalid net": { + net: "ww", + expectErr: true, + errOut: "annotation nginx.ingress.kubernetes.io/allowlist-source-range contains invalid value", + }, + "test parse a empty net": { + net: "", + expectErr: true, + errOut: "the annotation nginx.ingress.kubernetes.io/allowlist-source-range does not contain a valid value ()", + }, + "test parse multiple valid cidr": { + net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", + expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"}, + expectErr: false, + }, + } + + for testName, test := range tests { + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(ipAllowlistAnnotation)] = test.net + ing.SetAnnotations(data) + p := NewParser(mockBackend) + i, err := p.Parse(ing) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) + } + if test.expectErr && err != nil { + if err.Error() != test.errOut { + t.Errorf("expected error %s but got %s", test.errOut, err) + } + } + if !test.expectErr { + sr, ok := i.(*SourceRange) + if !ok { + t.Errorf("%v:expected a SourceRange type", testName) + } + if !strsEquals(sr.CIDR, test.expectCidr) { + t.Errorf("%v:expected %v CIDR but %v returned", testName, test.expectCidr, sr.CIDR) + } + } + } +} + +// Test that when we have a whitelist set on the Backend that is used when we +// don't have the annotation +func TestLegacyAnnotation(t *testing.T) { + ing := buildIngress() + + mockBackend := mockBackend{} + + tests := map[string]struct { + net string + expectCidr []string + expectErr bool + errOut string + }{ + "test parse a valid net": { + net: "10.0.0.0/24", + expectCidr: []string{"10.0.0.0/24"}, + expectErr: false, + }, + "test parse multiple valid cidr": { + net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", + expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"}, + expectErr: false, + }, + } + + for testName, test := range tests { + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(ipWhitelistAnnotation)] = test.net + ing.SetAnnotations(data) + p := NewParser(mockBackend) + i, err := p.Parse(ing) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) + } + if test.expectErr && err != nil { + if err.Error() != test.errOut { + t.Errorf("expected error %s but got %s", test.errOut, err) + } + } + if !test.expectErr { + sr, ok := i.(*SourceRange) + if !ok { + t.Errorf("%v:expected a SourceRange type", testName) + } + if !strsEquals(sr.CIDR, test.expectCidr) { + t.Errorf("%v:expected %v CIDR but %v returned", testName, test.expectCidr, sr.CIDR) + } + } + } +} + +func strsEquals(a, b []string) bool { + if len(a) != len(b) { + return false + } + for i, v := range a { + if v != b[i] { + return false + } + } + return true +} diff --git a/internal/ingress/annotations/ipdenylist/main.go b/internal/ingress/annotations/ipdenylist/main.go new file mode 100644 index 000000000..e8f02fe50 --- /dev/null +++ b/internal/ingress/annotations/ipdenylist/main.go @@ -0,0 +1,129 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ipdenylist + +import ( + "fmt" + "sort" + "strings" + + networking "k8s.io/api/networking/v1" + "k8s.io/ingress-nginx/internal/net" + + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/ingress/resolver" + "k8s.io/ingress-nginx/pkg/util/sets" +) + +const ( + ipDenylistAnnotation = "denylist-source-range" +) + +var denylistAnnotations = parser.Annotation{ + Group: "acl", + Annotations: parser.AnnotationFields{ + ipDenylistAnnotation: { + Validator: parser.ValidateCIDRs, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Failure on parsing this may cause undesired access + Documentation: `This annotation allows setting a list of IPs and networks that should be blocked to access this Location`, + }, + }, +} + +// SourceRange returns the CIDR +type SourceRange struct { + CIDR []string `json:"cidr,omitempty"` +} + +// Equal tests for equality between two SourceRange types +func (sr1 *SourceRange) Equal(sr2 *SourceRange) bool { + if sr1 == sr2 { + return true + } + if sr1 == nil || sr2 == nil { + return false + } + + return sets.StringElementsMatch(sr1.CIDR, sr2.CIDR) +} + +type ipdenylist struct { + r resolver.Resolver + annotationConfig parser.Annotation +} + +// NewParser creates a new denylist annotation parser +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return ipdenylist{ + r: r, + annotationConfig: denylistAnnotations, + } +} + +// ParseAnnotations parses the annotations contained in the ingress +// rule used to limit access to certain client addresses or networks. +// Multiple ranges can specified using commas as separator +// e.g. `18.0.0.0/8,56.0.0.0/8` +func (a ipdenylist) Parse(ing *networking.Ingress) (interface{}, error) { + defBackend := a.r.GetDefaultBackend() + + defaultDenylistSourceRange := make([]string, len(defBackend.DenylistSourceRange)) + copy(defaultDenylistSourceRange, defBackend.DenylistSourceRange) + sort.Strings(defaultDenylistSourceRange) + + val, err := parser.GetStringAnnotation(ipDenylistAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + if err == ing_errors.ErrMissingAnnotations { + return &SourceRange{CIDR: defaultDenylistSourceRange}, nil + } + + return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDeniedError{ + Reason: err, + } + } + + values := strings.Split(val, ",") + ipnets, ips, err := net.ParseIPNets(values...) + if err != nil && len(ips) == 0 { + return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDeniedError{ + Reason: fmt.Errorf("the annotation does not contain a valid IP address or network: %w", err), + } + } + + cidrs := []string{} + for k := range ipnets { + cidrs = append(cidrs, k) + } + for k := range ips { + cidrs = append(cidrs, k) + } + + sort.Strings(cidrs) + + return &SourceRange{cidrs}, nil +} + +func (a ipdenylist) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a ipdenylist) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, denylistAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/ipwhitelist/main_test.go b/internal/ingress/annotations/ipdenylist/main_test.go similarity index 75% rename from internal/ingress/annotations/ipwhitelist/main_test.go rename to internal/ingress/annotations/ipdenylist/main_test.go index 5042bb200..ebd81179a 100644 --- a/internal/ingress/annotations/ipwhitelist/main_test.go +++ b/internal/ingress/annotations/ipdenylist/main_test.go @@ -1,5 +1,5 @@ /* -Copyright 2016 The Kubernetes Authors. +Copyright 2023 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package ipwhitelist +package ipdenylist import ( "testing" @@ -86,12 +86,17 @@ func TestParseAnnotations(t *testing.T) { "test parse a invalid net": { net: "ww", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ww", + errOut: "annotation nginx.ingress.kubernetes.io/denylist-source-range contains invalid value", }, "test parse a empty net": { net: "", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ", + errOut: "the annotation nginx.ingress.kubernetes.io/denylist-source-range does not contain a valid value ()", + }, + "test parse a malicious escaped string": { + net: `10.0.0.0/8"rm /tmp",11.0.0.0/8`, + expectErr: true, + errOut: `annotation nginx.ingress.kubernetes.io/denylist-source-range contains invalid value`, }, "test parse multiple valid cidr": { net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", @@ -102,16 +107,16 @@ func TestParseAnnotations(t *testing.T) { for testName, test := range tests { data := map[string]string{} - data[parser.GetAnnotationWithPrefix("whitelist-source-range")] = test.net + data[parser.GetAnnotationWithPrefix(ipDenylistAnnotation)] = test.net ing.SetAnnotations(data) p := NewParser(&resolver.Mock{}) i, err := p.Parse(ing) - if err != nil && !test.expectErr { - t.Errorf("%v:unexpected error: %v", testName, err) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) } - if test.expectErr { + if test.expectErr && err != nil { if err.Error() != test.errOut { - t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error()) + t.Errorf("expected error %s but got %s", test.errOut, err) } } if !test.expectErr { @@ -133,11 +138,11 @@ type mockBackend struct { // GetDefaultBackend returns the backend that must be used as default func (m mockBackend) GetDefaultBackend() defaults.Backend { return defaults.Backend{ - WhitelistSourceRange: []string{"4.4.4.0/24", "1.2.3.4/32"}, + DenylistSourceRange: []string{"4.4.4.0/24", "1.2.3.4/32"}, } } -// Test that when we have a whitelist set on the Backend that is used when we +// Test that when we have a denylist set on the Backend that is used when we // don't have the annotation func TestParseAnnotationsWithDefaultConfig(t *testing.T) { ing := buildIngress() @@ -158,12 +163,12 @@ func TestParseAnnotationsWithDefaultConfig(t *testing.T) { "test parse a invalid net": { net: "ww", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ww", + errOut: "annotation nginx.ingress.kubernetes.io/denylist-source-range contains invalid value", }, "test parse a empty net": { net: "", expectErr: true, - errOut: "the annotation does not contain a valid IP address or network: invalid CIDR address: ", + errOut: "the annotation nginx.ingress.kubernetes.io/denylist-source-range does not contain a valid value ()", }, "test parse multiple valid cidr": { net: "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24", @@ -174,16 +179,16 @@ func TestParseAnnotationsWithDefaultConfig(t *testing.T) { for testName, test := range tests { data := map[string]string{} - data[parser.GetAnnotationWithPrefix("whitelist-source-range")] = test.net + data[parser.GetAnnotationWithPrefix(ipDenylistAnnotation)] = test.net ing.SetAnnotations(data) p := NewParser(mockBackend) i, err := p.Parse(ing) - if err != nil && !test.expectErr { - t.Errorf("%v:unexpected error: %v", testName, err) + if (err != nil) != test.expectErr { + t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i) } - if test.expectErr { + if test.expectErr && err != nil { if err.Error() != test.errOut { - t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error()) + t.Errorf("expected error %s but got %s", test.errOut, err) } } if !test.expectErr { diff --git a/internal/ingress/annotations/loadbalancing/main.go b/internal/ingress/annotations/loadbalancing/main.go index a8b4335e6..ee89d2c1b 100644 --- a/internal/ingress/annotations/loadbalancing/main.go +++ b/internal/ingress/annotations/loadbalancing/main.go @@ -23,18 +23,52 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -type loadbalancing struct { - r resolver.Resolver +// LB Alghorithms are defined in https://github.com/kubernetes/ingress-nginx/blob/d3e75b056f77be54e01bdb18675f1bb46caece31/rootfs/etc/nginx/lua/balancer.lua#L28 + +const ( + loadBalanceAlghoritmAnnotation = "load-balance" +) + +var loadBalanceAlghoritms = []string{"round_robin", "chash", "chashsubset", "sticky_balanced", "sticky_persistent", "ewma"} + +var loadBalanceAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + loadBalanceAlghoritmAnnotation: { + Validator: parser.ValidateOptions(loadBalanceAlghoritms, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting the load balancing alghorithm that should be used. If none is specified, defaults to + the default configured by Ingress admin, otherwise to round_robin`, + }, + }, } -// NewParser creates a new CORS annotation parser +type loadbalancing struct { + r resolver.Resolver + annotationConfig parser.Annotation +} + +// NewParser creates a new Load Balancer annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return loadbalancing{r} + return loadbalancing{ + r: r, + annotationConfig: loadBalanceAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a loadbalancing) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("load-balance", ing) + return parser.GetStringAnnotation(loadBalanceAlghoritmAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a loadbalancing) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a loadbalancing) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, loadBalanceAnnotations.Annotations) } diff --git a/internal/ingress/annotations/loadbalancing/main_test.go b/internal/ingress/annotations/loadbalancing/main_test.go index e2be5c0ae..a5205e523 100644 --- a/internal/ingress/annotations/loadbalancing/main_test.go +++ b/internal/ingress/annotations/loadbalancing/main_test.go @@ -38,7 +38,8 @@ func TestParse(t *testing.T) { annotations map[string]string expected string }{ - {map[string]string{annotation: "ip_hash"}, "ip_hash"}, + {map[string]string{annotation: "ewma"}, "ewma"}, + {map[string]string{annotation: "ip_hash"}, ""}, // This is invalid and should not return anything {map[string]string{}, ""}, {nil, ""}, } @@ -53,6 +54,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/log/main.go b/internal/ingress/annotations/log/main.go index 4bc76dcf7..82d50bac3 100644 --- a/internal/ingress/annotations/log/main.go +++ b/internal/ingress/annotations/log/main.go @@ -23,8 +23,32 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + enableAccessLogAnnotation = "enable-access-log" + enableRewriteLogAnnotation = "enable-rewrite-log" +) + +var logAnnotations = parser.Annotation{ + Group: "log", + Annotations: parser.AnnotationFields{ + enableAccessLogAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This configuration setting allows you to control if this location should generate an access_log`, + }, + enableRewriteLogAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This configuration setting allows you to control if this location should generate logs from the rewrite feature usage`, + }, + }, +} + type log struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the configuration to be used in the Ingress @@ -48,7 +72,10 @@ func (bd1 *Config) Equal(bd2 *Config) bool { // NewParser creates a new log annotations parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return log{r} + return log{ + r: r, + annotationConfig: logAnnotations, + } } // Parse parses the annotations contained in the ingress @@ -57,15 +84,24 @@ func (l log) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - config.Access, err = parser.GetBoolAnnotation("enable-access-log", ing) + config.Access, err = parser.GetBoolAnnotation(enableAccessLogAnnotation, ing, l.annotationConfig.Annotations) if err != nil { config.Access = true } - config.Rewrite, err = parser.GetBoolAnnotation("enable-rewrite-log", ing) + config.Rewrite, err = parser.GetBoolAnnotation(enableRewriteLogAnnotation, ing, l.annotationConfig.Annotations) if err != nil { config.Rewrite = false } return config, nil } + +func (l log) GetDocumentation() parser.AnnotationFields { + return l.annotationConfig.Annotations +} + +func (l log) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(l.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, logAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/log/main_test.go b/internal/ingress/annotations/log/main_test.go index c4632b010..950612b5b 100644 --- a/internal/ingress/annotations/log/main_test.go +++ b/internal/ingress/annotations/log/main_test.go @@ -73,10 +73,13 @@ func TestIngressAccessLogConfig(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-access-log")] = "false" + data[parser.GetAnnotationWithPrefix(enableAccessLogAnnotation)] = "false" ing.SetAnnotations(data) - log, _ := NewParser(&resolver.Mock{}).Parse(ing) + log, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } nginxLogs, ok := log.(*Config) if !ok { t.Errorf("expected a Config type") @@ -91,10 +94,13 @@ func TestIngressRewriteLogConfig(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-rewrite-log")] = "true" + data[parser.GetAnnotationWithPrefix(enableRewriteLogAnnotation)] = "true" ing.SetAnnotations(data) - log, _ := NewParser(&resolver.Mock{}).Parse(ing) + log, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing annotations %v", err) + } nginxLogs, ok := log.(*Config) if !ok { t.Errorf("expected a Config type") @@ -104,3 +110,24 @@ func TestIngressRewriteLogConfig(t *testing.T) { t.Errorf("expected rewrite log to be enabled but it is disabled") } } + +func TestInvalidBoolConfig(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(enableRewriteLogAnnotation)] = "blo" + ing.SetAnnotations(data) + + log, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + nginxLogs, ok := log.(*Config) + if !ok { + t.Errorf("expected a Config type") + } + + if !nginxLogs.Access { + t.Errorf("expected access log to be enabled due to invalid config, but it is disabled") + } +} diff --git a/internal/ingress/annotations/mirror/main.go b/internal/ingress/annotations/mirror/main.go index cd54a9826..d51bdd27c 100644 --- a/internal/ingress/annotations/mirror/main.go +++ b/internal/ingress/annotations/mirror/main.go @@ -18,13 +18,48 @@ package mirror import ( "fmt" + "regexp" "strings" networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" + "k8s.io/klog/v2" ) +const ( + mirrorRequestBodyAnnotation = "mirror-request-body" + mirrorTargetAnnotation = "mirror-target" + mirrorHostAnnotation = "mirror-host" +) + +var OnOffRegex = regexp.MustCompile(`^(on|off)$`) + +var mirrorAnnotation = parser.Annotation{ + Group: "mirror", + Annotations: parser.AnnotationFields{ + mirrorRequestBodyAnnotation: { + Validator: parser.ValidateRegex(OnOffRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if the request-body should be sent to the mirror backend. Can be 'on' or 'off'`, + }, + mirrorTargetAnnotation: { + Validator: parser.ValidateServerName, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation enables a request to be mirrored to a mirror backend.`, + }, + mirrorHostAnnotation: { + Validator: parser.ValidateServerName, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation defines if a specific Host header should be set for mirrored request.`, + }, + }, +} + // Config returns the mirror to use in a given location type Config struct { Source string `json:"source"` @@ -63,12 +98,16 @@ func (m1 *Config) Equal(m2 *Config) bool { } type mirror struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new mirror configuration annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return mirror{r} + return mirror{ + r: r, + annotationConfig: mirrorAnnotation, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -79,29 +118,49 @@ func (a mirror) Parse(ing *networking.Ingress) (interface{}, error) { } var err error - config.RequestBody, err = parser.GetStringAnnotation("mirror-request-body", ing) + config.RequestBody, err = parser.GetStringAnnotation(mirrorRequestBodyAnnotation, ing, a.annotationConfig.Annotations) if err != nil || config.RequestBody != "off" { + if errors.IsValidationError(err) { + klog.Warningf("annotation %s contains invalid value", mirrorRequestBodyAnnotation) + } config.RequestBody = "on" } - config.Target, err = parser.GetStringAnnotation("mirror-target", ing) + config.Target, err = parser.GetStringAnnotation(mirrorTargetAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - config.Target = "" - config.Source = "" + if errors.IsValidationError(err) { + klog.Warningf("annotation %s contains invalid value, defaulting", mirrorTargetAnnotation) + } else { + config.Target = "" + config.Source = "" + } } - config.Host, err = parser.GetStringAnnotation("mirror-host", ing) + config.Host, err = parser.GetStringAnnotation(mirrorHostAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("annotation %s contains invalid value, defaulting", mirrorHostAnnotation) + } if config.Target != "" { - url, err := parser.StringToURL(config.Target) + target := strings.Split(config.Target, "$") + + url, err := parser.StringToURL(target[0]) if err != nil { config.Host = "" } else { - hostname := strings.Split(url.Hostname(), "$") - config.Host = hostname[0] + config.Host = url.Hostname() } } } return config, nil } + +func (a mirror) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a mirror) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, mirrorAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/mirror/main_test.go b/internal/ingress/annotations/mirror/main_test.go index f744ab552..1f6b44d61 100644 --- a/internal/ingress/annotations/mirror/main_test.go +++ b/internal/ingress/annotations/mirror/main_test.go @@ -48,6 +48,24 @@ func TestParse(t *testing.T) { Target: "https://test.env.com/$request_uri", Host: "test.env.com", }}, + {map[string]string{backendURL: "https://test.env.com$request_uri"}, &Config{ + Source: ngxURI, + RequestBody: "on", + Target: "https://test.env.com$request_uri", + Host: "test.env.com", + }}, + {map[string]string{backendURL: "https://test.env.com:8080$request_uri"}, &Config{ + Source: ngxURI, + RequestBody: "on", + Target: "https://test.env.com:8080$request_uri", + Host: "test.env.com", + }}, + {map[string]string{backendURL: "https://test.env.com:8080/$request_uri"}, &Config{ + Source: ngxURI, + RequestBody: "on", + Target: "https://test.env.com:8080/$request_uri", + Host: "test.env.com", + }}, {map[string]string{requestBody: "off"}, &Config{ Source: "", RequestBody: "off", @@ -76,13 +94,13 @@ func TestParse(t *testing.T) { Source: ngxURI, RequestBody: "on", Target: "http://some.test.env.com", - Host: "someInvalidParm.%^&*()_=!@#'\"", + Host: "some.test.env.com", }}, {map[string]string{backendURL: "http://some.test.env.com", host: "_sbrubles-i\"@xpto:12345"}, &Config{ Source: ngxURI, RequestBody: "on", Target: "http://some.test.env.com", - Host: "_sbrubles-i\"@xpto:12345", + Host: "some.test.env.com", }}, } @@ -97,9 +115,12 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) + result, err := ap.Parse(ing) + if err != nil { + t.Errorf(err.Error()) + } if !reflect.DeepEqual(result, testCase.expected) { - t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) + t.Errorf("expected %+v but returned %+v, annotations: %s", testCase.expected, result, testCase.annotations) } } } diff --git a/internal/ingress/annotations/modsecurity/main.go b/internal/ingress/annotations/modsecurity/main.go index c53739441..80ae78937 100644 --- a/internal/ingress/annotations/modsecurity/main.go +++ b/internal/ingress/annotations/modsecurity/main.go @@ -19,9 +19,48 @@ package modsecurity import ( networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" + "k8s.io/klog/v2" ) +const ( + modsecEnableAnnotation = "enable-modsecurity" + modsecEnableOwaspCoreAnnotation = "enable-owasp-core-rules" + modesecTransactionIDAnnotation = "modsecurity-transaction-id" + modsecSnippetAnnotation = "modsecurity-snippet" +) + +var modsecurityAnnotation = parser.Annotation{ + Group: "modsecurity", + Annotations: parser.AnnotationFields{ + modsecEnableAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables ModSecurity`, + }, + modsecEnableOwaspCoreAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables the OWASP Core Rule Set`, + }, + modesecTransactionIDAnnotation: { + Validator: parser.ValidateRegex(parser.NGINXVariable, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation enables passing an NGINX variable to ModSecurity.`, + }, + modsecSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskCritical, + Documentation: `This annotation enables adding a specific snippet configuration for ModSecurity`, + }, + }, +} + // Config contains ModSecurity Configuration items type Config struct { Enable bool `json:"enable-modsecurity"` @@ -59,12 +98,16 @@ func (modsec1 *Config) Equal(modsec2 *Config) bool { } // NewParser creates a new ModSecurity annotation parser -func NewParser(resolver resolver.Resolver) parser.IngressAnnotation { - return modSecurity{resolver} +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return modSecurity{ + r: r, + annotationConfig: modsecurityAnnotation, + } } type modSecurity struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Parse parses the annotations contained in the ingress @@ -74,26 +117,44 @@ func (a modSecurity) Parse(ing *networking.Ingress) (interface{}, error) { config := &Config{} config.EnableSet = true - config.Enable, err = parser.GetBoolAnnotation("enable-modsecurity", ing) + config.Enable, err = parser.GetBoolAnnotation(modsecEnableAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsInvalidContent(err) { + klog.Warningf("annotation %s contains invalid directive, defaulting to false", modsecEnableAnnotation) + } config.Enable = false config.EnableSet = false } - config.OWASPRules, err = parser.GetBoolAnnotation("enable-owasp-core-rules", ing) + config.OWASPRules, err = parser.GetBoolAnnotation(modsecEnableOwaspCoreAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsInvalidContent(err) { + klog.Warningf("annotation %s contains invalid directive, defaulting to false", modsecEnableOwaspCoreAnnotation) + } config.OWASPRules = false } - config.TransactionID, err = parser.GetStringAnnotation("modsecurity-transaction-id", ing) + config.TransactionID, err = parser.GetStringAnnotation(modesecTransactionIDAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsInvalidContent(err) { + klog.Warningf("annotation %s contains invalid directive, defaulting", modesecTransactionIDAnnotation) + } config.TransactionID = "" } - config.Snippet, err = parser.GetStringAnnotation("modsecurity-snippet", ing) + config.Snippet, err = parser.GetStringAnnotation("modsecurity-snippet", ing, a.annotationConfig.Annotations) if err != nil { config.Snippet = "" } return config, nil } + +func (a modSecurity) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a modSecurity) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, modsecurityAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/modsecurity/main_test.go b/internal/ingress/annotations/modsecurity/main_test.go index 2ddbdf7e3..5cb05f201 100644 --- a/internal/ingress/annotations/modsecurity/main_test.go +++ b/internal/ingress/annotations/modsecurity/main_test.go @@ -67,11 +67,17 @@ func TestParse(t *testing.T) { Spec: networking.IngressSpec{}, } - for _, testCase := range testCases { + for i, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) - config := result.(*Config) - if !config.Equal(&testCase.expected) { + result, err := ap.Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + config, ok := result.(*Config) + if !ok { + t.Errorf("unexpected type: %T", result) + } + if !config.Equal(&testCases[i].expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) } } diff --git a/internal/ingress/annotations/opentelemetry/main.go b/internal/ingress/annotations/opentelemetry/main.go new file mode 100644 index 000000000..ca9108548 --- /dev/null +++ b/internal/ingress/annotations/opentelemetry/main.go @@ -0,0 +1,155 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package opentelemetry + +import ( + "regexp" + + networking "k8s.io/api/networking/v1" + + "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/ingress/resolver" +) + +const ( + enableOpenTelemetryAnnotation = "enable-opentelemetry" + otelTrustSpanAnnotation = "opentelemetry-trust-incoming-span" + otelOperationNameAnnotation = "opentelemetry-operation-name" +) + +var regexOperationName = regexp.MustCompile(`^[A-Za-z0-9_\-]*$`) + +var otelAnnotations = parser.Annotation{ + Group: "opentelemetry", + Annotations: parser.AnnotationFields{ + enableOpenTelemetryAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if Open Telemetry collector should be enable for this location. OpenTelemetry should + already be configured by Ingress administrator`, + }, + otelTrustSpanAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables or disables using spans from incoming requests as parent for created ones`, + }, + otelOperationNameAnnotation: { + Validator: parser.ValidateRegex(regexOperationName, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines what operation name should be added to the span`, + }, + }, +} + +type opentelemetry struct { + r resolver.Resolver + annotationConfig parser.Annotation +} + +// Config contains the configuration to be used in the Ingress +type Config struct { + Enabled bool `json:"enabled"` + Set bool `json:"set"` + TrustEnabled bool `json:"trust-enabled"` + TrustSet bool `json:"trust-set"` + OperationName string `json:"operation-name"` +} + +// Equal tests for equality between two Config types +func (bd1 *Config) Equal(bd2 *Config) bool { + if bd1.Set != bd2.Set { + return false + } + + if bd1.Enabled != bd2.Enabled { + return false + } + + if bd1.TrustSet != bd2.TrustSet { + return false + } + + if bd1.TrustEnabled != bd2.TrustEnabled { + return false + } + + if bd1.OperationName != bd2.OperationName { + return false + } + + return true +} + +// NewParser creates a new serviceUpstream annotation parser +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return opentelemetry{ + r: r, + annotationConfig: otelAnnotations, + } +} + +// Parse parses the annotations to look for opentelemetry configurations +func (c opentelemetry) Parse(ing *networking.Ingress) (interface{}, error) { + cfg := Config{} + enabled, err := parser.GetBoolAnnotation(enableOpenTelemetryAnnotation, ing, c.annotationConfig.Annotations) + if err != nil { + return &cfg, nil + } + cfg.Set = true + cfg.Enabled = enabled + if !enabled { + return &cfg, nil + } + + trustEnabled, err := parser.GetBoolAnnotation(otelTrustSpanAnnotation, ing, c.annotationConfig.Annotations) + if err != nil { + operationName, err := parser.GetStringAnnotation(otelOperationNameAnnotation, ing, c.annotationConfig.Annotations) + if err != nil { + if errors.IsValidationError(err) { + return nil, err + } + return &cfg, nil + } + cfg.OperationName = operationName + return &cfg, nil + } + + cfg.TrustSet = true + cfg.TrustEnabled = trustEnabled + operationName, err := parser.GetStringAnnotation(otelOperationNameAnnotation, ing, c.annotationConfig.Annotations) + if err != nil { + if errors.IsValidationError(err) { + return nil, err + } + return &cfg, nil + } + cfg.OperationName = operationName + return &cfg, nil +} + +func (c opentelemetry) GetDocumentation() parser.AnnotationFields { + return c.annotationConfig.Annotations +} + +func (c opentelemetry) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(c.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, otelAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/opentracing/main_test.go b/internal/ingress/annotations/opentelemetry/main_test.go similarity index 50% rename from internal/ingress/annotations/opentracing/main_test.go rename to internal/ingress/annotations/opentelemetry/main_test.go index 7bd9d31ff..e5c1de0b3 100644 --- a/internal/ingress/annotations/opentracing/main_test.go +++ b/internal/ingress/annotations/opentelemetry/main_test.go @@ -1,5 +1,5 @@ /* -Copyright 2019 The Kubernetes Authors. +Copyright 2022 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package opentracing +package opentelemetry import ( "testing" @@ -26,6 +26,8 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const enableAnnotation = "true" + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -69,74 +71,127 @@ func buildIngress() *networking.Ingress { } } -func TestIngressAnnotationOpentracingSetTrue(t *testing.T) { +func TestIngressAnnotationOpentelemetrySetTrue(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "true" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = enableAnnotation ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) - openTracing, ok := val.(*Config) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + openTelemetry, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") } - if !openTracing.Enabled { + if !openTelemetry.Enabled { t.Errorf("expected annotation value to be true, got false") } -} -func TestIngressAnnotationOpentracingSetFalse(t *testing.T) { - ing := buildIngress() - - // Test with explicitly set to false - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "false" - ing.SetAnnotations(data) - - val, _ := NewParser(&resolver.Mock{}).Parse(ing) - openTracing, ok := val.(*Config) - if !ok { - t.Errorf("expected a Config type") + if !openTelemetry.Set { + t.Errorf("expected annotation value to be true, got false") } - if openTracing.Enabled { + if openTelemetry.TrustSet { t.Errorf("expected annotation value to be false, got true") } } -func TestIngressAnnotationOpentracingTrustSetTrue(t *testing.T) { +func TestIngressAnnotationOpentelemetrySetFalse(t *testing.T) { ing := buildIngress() + // Test with explicitly set to false data := map[string]string{} - data[parser.GetAnnotationWithPrefix("enable-opentracing")] = "true" - data[parser.GetAnnotationWithPrefix("opentracing-trust-incoming-span")] = "true" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = "false" ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) - openTracing, ok := val.(*Config) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + openTelemetry, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") } - if !openTracing.Enabled { - t.Errorf("expected annotation value to be true, got false") + if openTelemetry.Enabled { + t.Errorf("expected annotation value to be false, got true") } - if !openTracing.TrustEnabled { + if !openTelemetry.Set { t.Errorf("expected annotation value to be true, got false") } } -func TestIngressAnnotationOpentracingUnset(t *testing.T) { +func TestIngressAnnotationOpentelemetryTrustSetTrue(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + opName := "foo-op" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = enableAnnotation + data[parser.GetAnnotationWithPrefix(otelTrustSpanAnnotation)] = enableAnnotation + data[parser.GetAnnotationWithPrefix(otelOperationNameAnnotation)] = opName + ing.SetAnnotations(data) + + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Fatal(err) + } + openTelemetry, ok := val.(*Config) + if !ok { + t.Errorf("expected a Config type") + } + + if !openTelemetry.Enabled { + t.Errorf("expected annotation value to be true, got false") + } + + if !openTelemetry.Set { + t.Errorf("expected annotation value to be true, got false") + } + + if !openTelemetry.TrustEnabled { + t.Errorf("expected annotation value to be true, got false") + } + + if !openTelemetry.TrustSet { + t.Errorf("expected annotation value to be true, got false") + } + + if openTelemetry.OperationName != opName { + t.Errorf("expected annotation value to be %v, got %v", opName, openTelemetry.OperationName) + } +} + +func TestIngressAnnotationOpentelemetryWithBadOpName(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + opName := "fooxpto_123$la;" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = enableAnnotation + data[parser.GetAnnotationWithPrefix(otelOperationNameAnnotation)] = opName + ing.SetAnnotations(data) + + _, err := NewParser(&resolver.Mock{}).Parse(ing) + if err == nil { + t.Fatalf("This operation should return an error but no error was returned") + } +} + +func TestIngressAnnotationOpentelemetryUnset(t *testing.T) { ing := buildIngress() // Test with no annotation specified data := map[string]string{} ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } _, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") diff --git a/internal/ingress/annotations/opentracing/main.go b/internal/ingress/annotations/opentracing/main.go deleted file mode 100644 index 17ba7eb9f..000000000 --- a/internal/ingress/annotations/opentracing/main.go +++ /dev/null @@ -1,76 +0,0 @@ -/* -Copyright 2019 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package opentracing - -import ( - networking "k8s.io/api/networking/v1" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -type opentracing struct { - r resolver.Resolver -} - -// Config contains the configuration to be used in the Ingress -type Config struct { - Enabled bool `json:"enabled"` - Set bool `json:"set"` - TrustEnabled bool `json:"trust-enabled"` - TrustSet bool `json:"trust-set"` -} - -// Equal tests for equality between two Config types -func (bd1 *Config) Equal(bd2 *Config) bool { - if bd1.Set != bd2.Set { - return false - } - - if bd1.Enabled != bd2.Enabled { - return false - } - - if bd1.TrustSet != bd2.TrustSet { - return false - } - - if bd1.TrustEnabled != bd2.TrustEnabled { - return false - } - - return true -} - -// NewParser creates a new serviceUpstream annotation parser -func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return opentracing{r} -} - -func (s opentracing) Parse(ing *networking.Ingress) (interface{}, error) { - enabled, err := parser.GetBoolAnnotation("enable-opentracing", ing) - if err != nil { - return &Config{}, nil - } - - trustSpan, err := parser.GetBoolAnnotation("opentracing-trust-incoming-span", ing) - if err != nil { - return &Config{Set: true, Enabled: enabled}, nil - } - - return &Config{Set: true, Enabled: enabled, TrustSet: true, TrustEnabled: trustSpan}, nil -} diff --git a/internal/ingress/annotations/parser/main.go b/internal/ingress/annotations/parser/main.go index 107a278b0..554ad9dde 100644 --- a/internal/ingress/annotations/parser/main.go +++ b/internal/ingress/annotations/parser/main.go @@ -29,20 +29,79 @@ import ( ) // DefaultAnnotationsPrefix defines the common prefix used in the nginx ingress controller -const DefaultAnnotationsPrefix = "nginx.ingress.kubernetes.io" +const ( + DefaultAnnotationsPrefix = "nginx.ingress.kubernetes.io" + DefaultEnableAnnotationValidation = true +) var ( // AnnotationsPrefix is the mutable attribute that the controller explicitly refers to AnnotationsPrefix = DefaultAnnotationsPrefix + // Enable is the mutable attribute for enabling or disabling the validation functions + EnableAnnotationValidation = DefaultEnableAnnotationValidation ) +// AnnotationGroup defines the group that this annotation may belong +// eg.: Security, Snippets, Rewrite, etc +type AnnotationGroup string + +// AnnotationScope defines which scope this annotation applies. May be to the whole +// ingress, per location, etc +type AnnotationScope string + +var ( + AnnotationScopeLocation AnnotationScope = "location" + AnnotationScopeIngress AnnotationScope = "ingress" +) + +// AnnotationRisk is a subset of risk that an annotation may represent. +// Based on the Risk, the admin will be able to allow or disallow users to set it +// on their ingress objects +type AnnotationRisk int + +type AnnotationFields map[string]AnnotationConfig + +// AnnotationConfig defines the configuration that a single annotation field +// has, with the Validator and the documentation of this field. +type AnnotationConfig struct { + // Validator defines a function to validate the annotation value + Validator AnnotationValidator + // Documentation defines a user facing documentation for this annotation. This + // field will be used to auto generate documentations + Documentation string + // Risk defines a risk of this annotation being exposed to the user. Annotations + // with bool fields, or to set timeout are usually low risk. Annotations that allows + // string input without a limited set of options may represent a high risk + Risk AnnotationRisk + + // Scope defines which scope this annotation applies, may be to location, to an Ingress object, etc + Scope AnnotationScope + + // AnnotationAliases defines other names this annotation may have. + AnnotationAliases []string +} + +// Annotation defines an annotation feature an Ingress may have. +// It should contain the internal resolver, and all the annotations +// with configs and Validators that should be used for each Annotation +type Annotation struct { + // Annotations contains all the annotations that belong to this feature + Annotations AnnotationFields + // Group defines which annotation group this feature belongs to + Group AnnotationGroup +} + // IngressAnnotation has a method to parse annotations located in Ingress type IngressAnnotation interface { Parse(ing *networking.Ingress) (interface{}, error) + GetDocumentation() AnnotationFields + Validate(anns map[string]string) error } type ingAnnotations map[string]string +// TODO: We already parse all of this on checkAnnotation and can just do a parse over the +// value func (a ingAnnotations) parseBool(name string) (bool, error) { val, ok := a[name] if ok { @@ -59,7 +118,7 @@ func (a ingAnnotations) parseString(name string) (string, error) { val, ok := a[name] if ok { s := normalizeString(val) - if len(s) == 0 { + if s == "" { return "", errors.NewInvalidAnnotationContent(name, val) } @@ -92,21 +151,9 @@ func (a ingAnnotations) parseFloat32(name string) (float32, error) { return 0, errors.ErrMissingAnnotations } -func checkAnnotation(name string, ing *networking.Ingress) error { - if ing == nil || len(ing.GetAnnotations()) == 0 { - return errors.ErrMissingAnnotations - } - if name == "" { - return errors.ErrInvalidAnnotationName - } - - return nil -} - // GetBoolAnnotation extracts a boolean from an Ingress annotation -func GetBoolAnnotation(name string, ing *networking.Ingress) (bool, error) { - v := GetAnnotationWithPrefix(name) - err := checkAnnotation(v, ing) +func GetBoolAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (bool, error) { + v, err := checkAnnotation(name, ing, fields) if err != nil { return false, err } @@ -114,9 +161,8 @@ func GetBoolAnnotation(name string, ing *networking.Ingress) (bool, error) { } // GetStringAnnotation extracts a string from an Ingress annotation -func GetStringAnnotation(name string, ing *networking.Ingress) (string, error) { - v := GetAnnotationWithPrefix(name) - err := checkAnnotation(v, ing) +func GetStringAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (string, error) { + v, err := checkAnnotation(name, ing, fields) if err != nil { return "", err } @@ -125,9 +171,8 @@ func GetStringAnnotation(name string, ing *networking.Ingress) (string, error) { } // GetIntAnnotation extracts an int from an Ingress annotation -func GetIntAnnotation(name string, ing *networking.Ingress) (int, error) { - v := GetAnnotationWithPrefix(name) - err := checkAnnotation(v, ing) +func GetIntAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (int, error) { + v, err := checkAnnotation(name, ing, fields) if err != nil { return 0, err } @@ -135,9 +180,8 @@ func GetIntAnnotation(name string, ing *networking.Ingress) (int, error) { } // GetFloatAnnotation extracts a float32 from an Ingress annotation -func GetFloatAnnotation(name string, ing *networking.Ingress) (float32, error) { - v := GetAnnotationWithPrefix(name) - err := checkAnnotation(v, ing) +func GetFloatAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (float32, error) { + v, err := checkAnnotation(name, ing, fields) if err != nil { return 0, err } @@ -149,6 +193,23 @@ func GetAnnotationWithPrefix(suffix string) string { return fmt.Sprintf("%v/%v", AnnotationsPrefix, suffix) } +func TrimAnnotationPrefix(annotation string) string { + return strings.TrimPrefix(annotation, AnnotationsPrefix+"/") +} + +func StringRiskToRisk(risk string) AnnotationRisk { + switch strings.ToLower(risk) { + case "critical": + return AnnotationRiskCritical + case "high": + return AnnotationRiskHigh + case "medium": + return AnnotationRiskMedium + default: + return AnnotationRiskLow + } +} + func normalizeString(input string) string { trimmedContent := []string{} for _, line := range strings.Split(input, "\n") { @@ -187,13 +248,14 @@ func StringToURL(input string) (*url.URL, error) { return nil, fmt.Errorf("%v is not a valid URL: %v", input, err) } - if parsedURL.Scheme == "" { + switch { + case parsedURL.Scheme == "": return nil, fmt.Errorf("url scheme is empty") - } else if parsedURL.Host == "" { + case parsedURL.Host == "": return nil, fmt.Errorf("url host is empty") - } else if strings.Contains(parsedURL.Host, "..") { + case strings.Contains(parsedURL.Host, ".."): return nil, fmt.Errorf("invalid url host") + default: + return parsedURL, nil } - - return parsedURL, nil } diff --git a/internal/ingress/annotations/parser/main_test.go b/internal/ingress/annotations/parser/main_test.go index 318e024d3..0f7ecb459 100644 --- a/internal/ingress/annotations/parser/main_test.go +++ b/internal/ingress/annotations/parser/main_test.go @@ -38,7 +38,7 @@ func buildIngress() *networking.Ingress { func TestGetBoolAnnotation(t *testing.T) { ing := buildIngress() - _, err := GetBoolAnnotation("", nil) + _, err := GetBoolAnnotation("", nil, nil) if err == nil { t.Errorf("expected error but retuned nil") } @@ -59,8 +59,8 @@ func TestGetBoolAnnotation(t *testing.T) { for _, test := range tests { data[GetAnnotationWithPrefix(test.field)] = test.value - - u, err := GetBoolAnnotation(test.field, ing) + ing.SetAnnotations(data) + u, err := GetBoolAnnotation(test.field, ing, nil) if test.expErr { if err == nil { t.Errorf("%v: expected error but retuned nil", test.name) @@ -68,7 +68,7 @@ func TestGetBoolAnnotation(t *testing.T) { continue } if u != test.exp { - t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.name, test.exp, u) + t.Errorf("%v: expected \"%v\" but \"%v\" was returned, %+v", test.name, test.exp, u, ing) } delete(data, test.field) @@ -78,7 +78,7 @@ func TestGetBoolAnnotation(t *testing.T) { func TestGetStringAnnotation(t *testing.T) { ing := buildIngress() - _, err := GetStringAnnotation("", nil) + _, err := GetStringAnnotation("", nil, nil) if err == nil { t.Errorf("expected error but none returned") } @@ -93,14 +93,16 @@ func TestGetStringAnnotation(t *testing.T) { {"valid - A", "string", "A ", "A", false}, {"valid - B", "string", " B", "B", false}, {"empty", "string", " ", "", true}, - {"valid multiline", "string", ` + { + "valid multiline", "string", ` rewrite (?i)/arcgis/rest/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/rest/services/Utilities/Geometry/GeometryServer$1 break; rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/services/Utilities/Geometry/GeometryServer$1 break; `, ` rewrite (?i)/arcgis/rest/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/rest/services/Utilities/Geometry/GeometryServer$1 break; rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/services/Utilities/Geometry/GeometryServer$1 break; `, - false}, + false, + }, } data := map[string]string{} @@ -109,7 +111,7 @@ rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/serv for _, test := range tests { data[GetAnnotationWithPrefix(test.field)] = test.value - s, err := GetStringAnnotation(test.field, ing) + s, err := GetStringAnnotation(test.field, ing, nil) if test.expErr { if err == nil { t.Errorf("%v: expected error but none returned", test.name) @@ -133,7 +135,7 @@ rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/serv func TestGetFloatAnnotation(t *testing.T) { ing := buildIngress() - _, err := GetFloatAnnotation("", nil) + _, err := GetFloatAnnotation("", nil, nil) if err == nil { t.Errorf("expected error but retuned nil") } @@ -156,7 +158,7 @@ func TestGetFloatAnnotation(t *testing.T) { for _, test := range tests { data[GetAnnotationWithPrefix(test.field)] = test.value - s, err := GetFloatAnnotation(test.field, ing) + s, err := GetFloatAnnotation(test.field, ing, nil) if test.expErr { if err == nil { t.Errorf("%v: expected error but retuned nil", test.name) @@ -174,7 +176,7 @@ func TestGetFloatAnnotation(t *testing.T) { func TestGetIntAnnotation(t *testing.T) { ing := buildIngress() - _, err := GetIntAnnotation("", nil) + _, err := GetIntAnnotation("", nil, nil) if err == nil { t.Errorf("expected error but retuned nil") } @@ -196,7 +198,7 @@ func TestGetIntAnnotation(t *testing.T) { for _, test := range tests { data[GetAnnotationWithPrefix(test.field)] = test.value - s, err := GetIntAnnotation(test.field, ing) + s, err := GetIntAnnotation(test.field, ing, nil) if test.expErr { if err == nil { t.Errorf("%v: expected error but retuned nil", test.name) @@ -213,8 +215,10 @@ func TestGetIntAnnotation(t *testing.T) { func TestStringToURL(t *testing.T) { validURL := "http://bar.foo.com/external-auth" - validParsedURL, _ := url.Parse(validURL) - + validParsedURL, err := url.Parse(validURL) + if err != nil { + t.Errorf("unexpected error: %v", err) + } tests := []struct { title string url string @@ -224,6 +228,7 @@ func TestStringToURL(t *testing.T) { }{ {"empty", "", "url scheme is empty", nil, true}, {"no scheme", "bar", "url scheme is empty", nil, true}, + {"invalid parse", "://lala.com", "://lala.com is not a valid URL: parse \"://lala.com\": missing protocol scheme", nil, true}, {"invalid host", "http://", "url host is empty", nil, true}, {"invalid host (multiple dots)", "http://foo..bar.com", "invalid url host", nil, true}, {"valid URL", validURL, "", validParsedURL, false}, diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go new file mode 100644 index 000000000..64a9d133d --- /dev/null +++ b/internal/ingress/annotations/parser/validators.go @@ -0,0 +1,255 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package parser + +import ( + "errors" + "fmt" + "regexp" + "strconv" + "strings" + "time" + + networking "k8s.io/api/networking/v1" + machineryvalidation "k8s.io/apimachinery/pkg/api/validation" + ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" + "k8s.io/ingress-nginx/internal/net" + "k8s.io/klog/v2" +) + +type AnnotationValidator func(string) error + +const ( + AnnotationRiskLow AnnotationRisk = iota + AnnotationRiskMedium + AnnotationRiskHigh + AnnotationRiskCritical +) + +var ( + alphaNumericChars = `\-\.\_\~a-zA-Z0-9\/:` + extendedAlphaNumeric = alphaNumericChars + ", " + regexEnabledChars = regexp.QuoteMeta(`^$[](){}*+?|&=\`) + urlEnabledChars = regexp.QuoteMeta(`:?&=`) +) + +// IsValidRegex checks if the tested string can be used as a regex, but without any weird character. +// It includes regex characters for paths that may contain regexes +// +//nolint:goconst //already a constant +var IsValidRegex = regexp.MustCompile("^[/" + alphaNumericChars + regexEnabledChars + "]*$") + +// SizeRegex validates sizes understood by NGINX, like 1000, 100k, 1000M +var SizeRegex = regexp.MustCompile(`^(?i)\d+[bkmg]?$`) + +// URLRegex is used to validate a URL but with only a specific set of characters: +// It is alphanumericChar + ":", "?", "&" +// A valid URL would be proto://something.com:port/something?arg=param +var ( + // URLIsValidRegex is used on full URLs, containing query strings (:, ? and &) + URLIsValidRegex = regexp.MustCompile("^[" + alphaNumericChars + urlEnabledChars + "]*$") + // BasicChars is alphanumeric and ".", "-", "_", "~" and ":", usually used on simple host:port/path composition. + // This combination can also be used on fields that may contain characters like / (as ns/name) + BasicCharsRegex = regexp.MustCompile("^[/" + alphaNumericChars + "]*$") + // ExtendedChars is alphanumeric and ".", "-", "_", "~" and ":" plus "," and spaces, usually used on simple host:port/path composition + ExtendedCharsRegex = regexp.MustCompile("^[/" + extendedAlphaNumeric + "]*$") + // CharsWithSpace is like basic chars, but includes the space character + CharsWithSpace = regexp.MustCompile("^[/" + alphaNumericChars + " ]*$") + // NGINXVariable allows entries with alphanumeric characters, -, _ and the special "$" + NGINXVariable = regexp.MustCompile(`^[A-Za-z0-9\-\_\$\{\}]*$`) + // RegexPathWithCapture allows entries that SHOULD start with "/" and may contain alphanumeric + capture + // character for regex based paths, like /something/$1/anything/$2 + RegexPathWithCapture = regexp.MustCompile(`^/?[` + alphaNumericChars + `\/\$]*$`) + // HeadersVariable defines a regex that allows headers separated by comma + HeadersVariable = regexp.MustCompile(`^[A-Za-z0-9-_, ]*$`) + // URLWithNginxVariableRegex defines a url that can contain nginx variables. + // It is a risky operation + URLWithNginxVariableRegex = regexp.MustCompile("^[" + extendedAlphaNumeric + urlEnabledChars + "$]*$") +) + +// ValidateArrayOfServerName validates if all fields on a Server name annotation are +// regexes. They can be *.something*, ~^www\d+\.example\.com$ but not fancy character +func ValidateArrayOfServerName(value string) error { + for _, fqdn := range strings.Split(value, ",") { + if err := ValidateServerName(fqdn); err != nil { + return err + } + } + return nil +} + +// ValidateServerName validates if the passed value is an acceptable server name. The server name +// can contain regex characters, as those are accepted values on nginx configuration +func ValidateServerName(value string) error { + value = strings.TrimSpace(value) + if !IsValidRegex.MatchString(value) { + return fmt.Errorf("value %s is invalid server name", value) + } + return nil +} + +// ValidateRegex receives a regex as an argument and uses it to validate +// the value of the field. +// Annotation can define if the spaces should be trimmed before validating the value +func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator { + return func(s string) error { + if removeSpace { + s = strings.ReplaceAll(s, " ", "") + } + if !regex.MatchString(s) { + return fmt.Errorf("value %s is invalid", s) + } + return nil + } +} + +// CommonNameAnnotationValidator checks whether the annotation value starts with +// 'CN=' and is followed by a valid regex. +func CommonNameAnnotationValidator(s string) error { + if !strings.HasPrefix(s, "CN=") { + return fmt.Errorf("value %s is not a valid Common Name annotation: missing prefix 'CN='", s) + } + + if _, err := regexp.Compile(s[3:]); err != nil { + return fmt.Errorf("value %s is not a valid regex: %w", s, err) + } + + return nil +} + +// ValidateOptions receives an array of valid options that can be the value of annotation. +// If no valid option is found, it will return an error +func ValidateOptions(options []string, caseSensitive, trimSpace bool) AnnotationValidator { + return func(s string) error { + if trimSpace { + s = strings.TrimSpace(s) + } + if !caseSensitive { + s = strings.ToLower(s) + } + for _, option := range options { + if s == option { + return nil + } + } + return fmt.Errorf("value does not match any valid option") + } +} + +// ValidateBool validates if the specified value is a bool +func ValidateBool(value string) error { + _, err := strconv.ParseBool(value) + return err +} + +// ValidateInt validates if the specified value is an integer +func ValidateInt(value string) error { + _, err := strconv.Atoi(value) + return err +} + +// ValidateCIDRs validates if the specified value is an array of IPs and CIDRs +func ValidateCIDRs(value string) error { + _, err := net.ParseCIDRs(value) + return err +} + +// ValidateDuration validates if the specified value is a valid time +func ValidateDuration(value string) error { + _, err := time.ParseDuration(value) + return err +} + +// ValidateNull always return null values and should not be widely used. +// It is used on the "snippet" annotations, as it is up to the admin to allow its +// usage, knowing it can be critical! +func ValidateNull(_ string) error { + return nil +} + +// ValidateServiceName validates if a provided service name is a valid string +func ValidateServiceName(value string) error { + errs := machineryvalidation.NameIsDNS1035Label(value, false) + if len(errs) != 0 { + return fmt.Errorf("annotation does not contain a valid service name: %+v", errs) + } + return nil +} + +// checkAnnotations will check each annotation for: +// 1 - Does it contain the internal validation and docs config? +// 2 - Does the ingress contains annotations? (validate null pointers) +// 3 - Does it contains a validator? Should it contain a validator (not containing is a bug!) +// 4 - Does the annotation contain aliases? So we should use if the alias is defined an the annotation not. +// 4 - Runs the validator on the value +// It will return the full annotation name if all is fine +func checkAnnotation(name string, ing *networking.Ingress, fields AnnotationFields) (string, error) { + var validateFunc AnnotationValidator + if fields != nil { + config, ok := fields[name] + if !ok { + return "", fmt.Errorf("annotation does not contain a valid internal configuration, this is an Ingress Controller issue! Please raise an issue on github.com/kubernetes/ingress-nginx") + } + validateFunc = config.Validator + } + + if ing == nil || len(ing.GetAnnotations()) == 0 { + return "", ing_errors.ErrMissingAnnotations + } + + annotationFullName := GetAnnotationWithPrefix(name) + if annotationFullName == "" { + return "", ing_errors.ErrInvalidAnnotationName + } + + annotationValue := ing.GetAnnotations()[annotationFullName] + if fields != nil { + if validateFunc == nil { + return "", fmt.Errorf("annotation does not contain a validator. This is an ingress-controller bug. Please open an issue") + } + if annotationValue == "" { + for _, annotationAlias := range fields[name].AnnotationAliases { + tempAnnotationFullName := GetAnnotationWithPrefix(annotationAlias) + if aliasVal := ing.GetAnnotations()[tempAnnotationFullName]; aliasVal != "" { + annotationValue = aliasVal + annotationFullName = tempAnnotationFullName + break + } + } + } + // We don't run validation against empty values + if EnableAnnotationValidation && annotationValue != "" { + if err := validateFunc(annotationValue); err != nil { + klog.Warningf("validation error on ingress %s/%s: annotation %s contains invalid value %s", ing.GetNamespace(), ing.GetName(), name, annotationValue) + return "", ing_errors.NewValidationError(annotationFullName) + } + } + } + + return annotationFullName, nil +} + +func CheckAnnotationRisk(annotations map[string]string, maxrisk AnnotationRisk, config AnnotationFields) error { + var err error + for annotation := range annotations { + annPure := TrimAnnotationPrefix(annotation) + if cfg, ok := config[annPure]; ok && cfg.Risk > maxrisk { + err = errors.Join(err, fmt.Errorf("annotation %s is too risky for environment", annotation)) + } + } + return err +} diff --git a/internal/ingress/annotations/parser/validators_test.go b/internal/ingress/annotations/parser/validators_test.go new file mode 100644 index 000000000..8523232a2 --- /dev/null +++ b/internal/ingress/annotations/parser/validators_test.go @@ -0,0 +1,365 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package parser + +import ( + "fmt" + "testing" + + networking "k8s.io/api/networking/v1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func TestValidateArrayOfServerName(t *testing.T) { + tests := []struct { + name string + value string + wantErr bool + }{ + { + name: "should accept common name", + value: "something.com,anything.com", + wantErr: false, + }, + { + name: "should accept wildcard name", + value: "*.something.com,otherthing.com", + wantErr: false, + }, + { + name: "should allow names with spaces between array and some regexes", + value: `~^www\d+\.example\.com$,something.com`, + wantErr: false, + }, + { + name: "should allow names with regexes", + value: `http://some.test.env.com:2121/$someparam=1&$someotherparam=2`, + wantErr: false, + }, + { + name: "should allow names with wildcard in middle common name", + value: "*.so*mething.com,bla.com", + wantErr: false, + }, + { + name: "should deny names with weird characters", + value: "something.com,lolo;xpto.com,nothing.com", + wantErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := ValidateArrayOfServerName(tt.value); (err != nil) != tt.wantErr { + t.Errorf("ValidateArrayOfServerName() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + +func Test_checkAnnotation(t *testing.T) { + type args struct { + name string + ing *networking.Ingress + fields AnnotationFields + } + tests := []struct { + name string + args args + want string + wantErr bool + }{ + { + name: "null ingress should error", + want: "", + args: args{ + name: "some-random-annotation", + }, + wantErr: true, + }, + { + name: "not having a validator for a specific annotation is a bug", + want: "", + args: args{ + name: "some-new-invalid-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-new-invalid-annotation"): "xpto", + }, + }, + }, + fields: AnnotationFields{ + "otherannotation": AnnotationConfig{ + Validator: func(value string) error { return nil }, + }, + }, + }, + wantErr: true, + }, + { + name: "annotationconfig found and no validation func defined on annotation is a bug", + want: "", + args: args{ + name: "some-new-invalid-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-new-invalid-annotation"): "xpto", + }, + }, + }, + fields: AnnotationFields{ + "some-new-invalid-annotation": AnnotationConfig{}, + }, + }, + wantErr: true, + }, + { + name: "no annotation can turn into a null pointer and should fail", + want: "", + args: args{ + name: "some-new-invalid-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{}, + }, + fields: AnnotationFields{ + "some-new-invalid-annotation": AnnotationConfig{}, + }, + }, + wantErr: true, + }, + { + name: "no AnnotationField config should bypass validations", + want: GetAnnotationWithPrefix("some-valid-annotation"), + args: args{ + name: "some-valid-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-valid-annotation"): "xpto", + }, + }, + }, + }, + wantErr: false, + }, + { + name: "annotation with invalid value should fail", + want: "", + args: args{ + name: "some-new-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-new-annotation"): "xpto1", + }, + }, + }, + fields: AnnotationFields{ + "some-new-annotation": AnnotationConfig{ + Validator: func(value string) error { + if value != "xpto" { + return fmt.Errorf("this is an error") + } + return nil + }, + }, + }, + }, + wantErr: true, + }, + { + name: "annotation with valid value should pass", + want: GetAnnotationWithPrefix("some-other-annotation"), + args: args{ + name: "some-other-annotation", + ing: &networking.Ingress{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{ + GetAnnotationWithPrefix("some-other-annotation"): "xpto", + }, + }, + }, + fields: AnnotationFields{ + "some-other-annotation": AnnotationConfig{ + Validator: func(value string) error { + if value != "xpto" { + return fmt.Errorf("this is an error") + } + return nil + }, + }, + }, + }, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := checkAnnotation(tt.args.name, tt.args.ing, tt.args.fields) + if (err != nil) != tt.wantErr { + t.Errorf("checkAnnotation() error = %v, wantErr %v", err, tt.wantErr) + return + } + if got != tt.want { + t.Errorf("checkAnnotation() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestCheckAnnotationRisk(t *testing.T) { + tests := []struct { + name string + annotations map[string]string + maxrisk AnnotationRisk + config AnnotationFields + wantErr bool + }{ + { + name: "high risk should not be accepted with maximum medium", + maxrisk: AnnotationRiskMedium, + annotations: map[string]string{ + "nginx.ingress.kubernetes.io/bla": "blo", + "nginx.ingress.kubernetes.io/bli": "bl3", + }, + config: AnnotationFields{ + "bla": { + Risk: AnnotationRiskHigh, + }, + "bli": { + Risk: AnnotationRiskMedium, + }, + }, + wantErr: true, + }, + { + name: "high risk should be accepted with maximum critical", + maxrisk: AnnotationRiskCritical, + annotations: map[string]string{ + "nginx.ingress.kubernetes.io/bla": "blo", + "nginx.ingress.kubernetes.io/bli": "bl3", + }, + config: AnnotationFields{ + "bla": { + Risk: AnnotationRiskHigh, + }, + "bli": { + Risk: AnnotationRiskMedium, + }, + }, + wantErr: false, + }, + { + name: "low risk should be accepted with maximum low", + maxrisk: AnnotationRiskLow, + annotations: map[string]string{ + "nginx.ingress.kubernetes.io/bla": "blo", + "nginx.ingress.kubernetes.io/bli": "bl3", + }, + config: AnnotationFields{ + "bla": { + Risk: AnnotationRiskLow, + }, + "bli": { + Risk: AnnotationRiskLow, + }, + }, + wantErr: false, + }, + { + name: "critical risk should be accepted with maximum critical", + maxrisk: AnnotationRiskCritical, + annotations: map[string]string{ + "nginx.ingress.kubernetes.io/bla": "blo", + "nginx.ingress.kubernetes.io/bli": "bl3", + }, + config: AnnotationFields{ + "bla": { + Risk: AnnotationRiskCritical, + }, + "bli": { + Risk: AnnotationRiskCritical, + }, + }, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := CheckAnnotationRisk(tt.annotations, tt.maxrisk, tt.config); (err != nil) != tt.wantErr { + t.Errorf("CheckAnnotationRisk() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} + +func TestCommonNameAnnotationValidator(t *testing.T) { + tests := []struct { + name string + annotation string + wantErr bool + }{ + { + name: "correct example", + annotation: `CN=(my\.common\.name)`, + wantErr: false, + }, + { + name: "no CN= prefix", + annotation: `(my\.common\.name)`, + wantErr: true, + }, + { + name: "invalid prefix", + annotation: `CN(my\.common\.name)`, + wantErr: true, + }, + { + name: "invalid regex", + annotation: `CN=(my\.common\.name]`, + wantErr: true, + }, + { + name: "wildcard regex", + annotation: `CN=(my\..*\.name)`, + wantErr: false, + }, + { + name: "somewhat complex regex", + annotation: "CN=(my\\.app\\.dev|.*\\.bbb\\.aaaa\\.tld)", + wantErr: false, + }, + { + name: "another somewhat complex regex", + annotation: `CN=(my-app.*\.c\.defg\.net|other.app.com)`, + wantErr: false, + }, + { + name: "nested parenthesis regex", + annotation: `CN=(api-one\.(asdf)?qwer\.webpage\.organization\.org)`, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := CommonNameAnnotationValidator(tt.annotation); (err != nil) != tt.wantErr { + t.Errorf("CommonNameAnnotationValidator() error = %v, wantErr %v", err, tt.wantErr) + } + }) + } +} diff --git a/internal/ingress/annotations/portinredirect/main.go b/internal/ingress/annotations/portinredirect/main.go index 25d665558..7392ea3a6 100644 --- a/internal/ingress/annotations/portinredirect/main.go +++ b/internal/ingress/annotations/portinredirect/main.go @@ -23,22 +23,51 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + portsInRedirectAnnotation = "use-port-in-redirects" +) + +var portsInRedirectAnnotations = parser.Annotation{ + Group: "redirect", + Annotations: parser.AnnotationFields{ + portsInRedirectAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Enables or disables specifying the port in absolute redirects issued by nginx.`, + }, + }, +} + type portInRedirect struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new port in redirect annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return portInRedirect{r} + return portInRedirect{ + r: r, + annotationConfig: portsInRedirectAnnotations, + } } // Parse parses the annotations contained in the ingress // rule used to indicate if the redirects must func (a portInRedirect) Parse(ing *networking.Ingress) (interface{}, error) { - up, err := parser.GetBoolAnnotation("use-port-in-redirects", ing) + up, err := parser.GetBoolAnnotation(portsInRedirectAnnotation, ing, a.annotationConfig.Annotations) if err != nil { return a.r.GetDefaultBackend().UsePortInRedirects, nil } return up, nil } + +func (a portInRedirect) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a portInRedirect) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, portsInRedirectAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/portinredirect/main_test.go b/internal/ingress/annotations/portinredirect/main_test.go index 71afd4cdf..f5806e01a 100644 --- a/internal/ingress/annotations/portinredirect/main_test.go +++ b/internal/ingress/annotations/portinredirect/main_test.go @@ -17,7 +17,6 @@ limitations under the License. package portinredirect import ( - "fmt" "testing" api "k8s.io/api/core/v1" @@ -84,23 +83,24 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { func TestPortInRedirect(t *testing.T) { tests := []struct { title string - usePort *bool + usePort string def bool exp bool }{ - {"false - default false", newFalse(), false, false}, - {"false - default true", newFalse(), true, false}, - {"no annotation - default false", nil, false, false}, - {"no annotation - default true", nil, true, true}, - {"true - default true", newTrue(), true, true}, + {"false - default false", "false", false, false}, + {"false - default true", "false", true, false}, + {"no annotation - default false", "", false, false}, + {"no annotation - default false", "not-a-bool", false, false}, + {"no annotation - default true", "", true, true}, + {"true - default true", "true", true, true}, } for _, test := range tests { ing := buildIngress() data := map[string]string{} - if test.usePort != nil { - data[parser.GetAnnotationWithPrefix("use-port-in-redirects")] = fmt.Sprintf("%v", *test.usePort) + if test.usePort != "" { + data[parser.GetAnnotationWithPrefix(portsInRedirectAnnotation)] = test.usePort } ing.SetAnnotations(data) @@ -118,13 +118,3 @@ func TestPortInRedirect(t *testing.T) { } } } - -func newTrue() *bool { - b := true - return &b -} - -func newFalse() *bool { - b := false - return &b -} diff --git a/internal/ingress/annotations/proxy/main.go b/internal/ingress/annotations/proxy/main.go index 3a89b8855..9d2646261 100644 --- a/internal/ingress/annotations/proxy/main.go +++ b/internal/ingress/annotations/proxy/main.go @@ -17,12 +17,148 @@ limitations under the License. package proxy import ( + "regexp" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + proxyConnectTimeoutAnnotation = "proxy-connect-timeout" + proxySendTimeoutAnnotation = "proxy-send-timeout" + proxyReadTimeoutAnnotation = "proxy-read-timeout" + proxyBuffersNumberAnnotation = "proxy-buffers-number" + proxyBufferSizeAnnotation = "proxy-buffer-size" + proxyCookiePathAnnotation = "proxy-cookie-path" + proxyCookieDomainAnnotation = "proxy-cookie-domain" + proxyBodySizeAnnotation = "proxy-body-size" + proxyNextUpstreamAnnotation = "proxy-next-upstream" + proxyNextUpstreamTimeoutAnnotation = "proxy-next-upstream-timeout" + proxyNextUpstreamTriesAnnotation = "proxy-next-upstream-tries" + proxyRequestBufferingAnnotation = "proxy-request-buffering" + proxyRedirectFromAnnotation = "proxy-redirect-from" + proxyRedirectToAnnotation = "proxy-redirect-to" + proxyBufferingAnnotation = "proxy-buffering" + proxyHTTPVersionAnnotation = "proxy-http-version" + proxyMaxTempFileSizeAnnotation = "proxy-max-temp-file-size" //#nosec G101 +) + +var validUpstreamAnnotation = regexp.MustCompile(`^((error|timeout|invalid_header|http_500|http_502|http_503|http_504|http_403|http_404|http_429|non_idempotent|off)\s?)+$`) + +var proxyAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + proxyConnectTimeoutAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting the timeout in seconds of the connect operation to the backend.`, + }, + proxySendTimeoutAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting the timeout in seconds of the send operation to the backend.`, + }, + proxyReadTimeoutAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation allows setting the timeout in seconds of the read operation to the backend.`, + }, + proxyBuffersNumberAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation sets the number of the buffers in proxy_buffers used for reading the first part of the response received from the proxied server. + By default proxy buffers number is set as 4`, + }, + proxyBufferSizeAnnotation: { + Validator: parser.ValidateRegex(parser.SizeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation sets the size of the buffer proxy_buffer_size used for reading the first part of the response received from the proxied server. + By default proxy buffer size is set as "4k".`, + }, + proxyCookiePathAnnotation: { + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation sets a text that should be changed in the path attribute of the "Set-Cookie" header fields of a proxied server response.`, + }, + proxyCookieDomainAnnotation: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation ets a text that should be changed in the domain attribute of the "Set-Cookie" header fields of a proxied server response.`, + }, + proxyBodySizeAnnotation: { + Validator: parser.ValidateRegex(parser.SizeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows setting the maximum allowed size of a client request body.`, + }, + proxyNextUpstreamAnnotation: { + Validator: parser.ValidateRegex(validUpstreamAnnotation, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines when the next upstream should be used. + This annotation reflect the directive https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_next_upstream + and only the allowed values on upstream are allowed here.`, + }, + proxyNextUpstreamTimeoutAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation limits the time during which a request can be passed to the next server`, + }, + proxyNextUpstreamTriesAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation limits the number of possible tries for passing a request to the next server`, + }, + proxyRequestBufferingAnnotation: { + Validator: parser.ValidateOptions([]string{"on", "off"}, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables or disables buffering of a client request body.`, + }, + proxyRedirectFromAnnotation: { + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `The annotations proxy-redirect-from and proxy-redirect-to will set the first and second parameters of NGINX's proxy_redirect directive respectively`, + }, + proxyRedirectToAnnotation: { + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `The annotations proxy-redirect-from and proxy-redirect-to will set the first and second parameters of NGINX's proxy_redirect directive respectively`, + }, + proxyBufferingAnnotation: { + Validator: parser.ValidateOptions([]string{"on", "off"}, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables or disables buffering of responses from the proxied server. It can be "on" or "off"`, + }, + proxyHTTPVersionAnnotation: { + Validator: parser.ValidateOptions([]string{"1.0", "1.1"}, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotations sets the HTTP protocol version for proxying. Can be "1.0" or "1.1".`, + }, + proxyMaxTempFileSizeAnnotation: { + Validator: parser.ValidateRegex(parser.SizeRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the maximum size of a temporary file when buffering responses.`, + }, + }, +} + // Config returns the proxy timeout to use in the upstream server/s type Config struct { BodySize string `json:"bodySize"` @@ -109,12 +245,16 @@ func (l1 *Config) Equal(l2 *Config) bool { } type proxy struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new reverse proxy configuration annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return proxy{r} + return proxy{ + r: r, + annotationConfig: proxyAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -125,90 +265,99 @@ func (a proxy) Parse(ing *networking.Ingress) (interface{}, error) { var err error - config.ConnectTimeout, err = parser.GetIntAnnotation("proxy-connect-timeout", ing) + config.ConnectTimeout, err = parser.GetIntAnnotation(proxyConnectTimeoutAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ConnectTimeout = defBackend.ProxyConnectTimeout } - config.SendTimeout, err = parser.GetIntAnnotation("proxy-send-timeout", ing) + config.SendTimeout, err = parser.GetIntAnnotation(proxySendTimeoutAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.SendTimeout = defBackend.ProxySendTimeout } - config.ReadTimeout, err = parser.GetIntAnnotation("proxy-read-timeout", ing) + config.ReadTimeout, err = parser.GetIntAnnotation(proxyReadTimeoutAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ReadTimeout = defBackend.ProxyReadTimeout } - config.BuffersNumber, err = parser.GetIntAnnotation("proxy-buffers-number", ing) + config.BuffersNumber, err = parser.GetIntAnnotation(proxyBuffersNumberAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.BuffersNumber = defBackend.ProxyBuffersNumber } - config.BufferSize, err = parser.GetStringAnnotation("proxy-buffer-size", ing) + config.BufferSize, err = parser.GetStringAnnotation(proxyBufferSizeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.BufferSize = defBackend.ProxyBufferSize } - config.CookiePath, err = parser.GetStringAnnotation("proxy-cookie-path", ing) + config.CookiePath, err = parser.GetStringAnnotation(proxyCookiePathAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.CookiePath = defBackend.ProxyCookiePath } - config.CookieDomain, err = parser.GetStringAnnotation("proxy-cookie-domain", ing) + config.CookieDomain, err = parser.GetStringAnnotation(proxyCookieDomainAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.CookieDomain = defBackend.ProxyCookieDomain } - config.BodySize, err = parser.GetStringAnnotation("proxy-body-size", ing) + config.BodySize, err = parser.GetStringAnnotation(proxyBodySizeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.BodySize = defBackend.ProxyBodySize } - config.NextUpstream, err = parser.GetStringAnnotation("proxy-next-upstream", ing) + config.NextUpstream, err = parser.GetStringAnnotation(proxyNextUpstreamAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.NextUpstream = defBackend.ProxyNextUpstream } - config.NextUpstreamTimeout, err = parser.GetIntAnnotation("proxy-next-upstream-timeout", ing) + config.NextUpstreamTimeout, err = parser.GetIntAnnotation(proxyNextUpstreamTimeoutAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.NextUpstreamTimeout = defBackend.ProxyNextUpstreamTimeout } - config.NextUpstreamTries, err = parser.GetIntAnnotation("proxy-next-upstream-tries", ing) + config.NextUpstreamTries, err = parser.GetIntAnnotation(proxyNextUpstreamTriesAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.NextUpstreamTries = defBackend.ProxyNextUpstreamTries } - config.RequestBuffering, err = parser.GetStringAnnotation("proxy-request-buffering", ing) + config.RequestBuffering, err = parser.GetStringAnnotation(proxyRequestBufferingAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.RequestBuffering = defBackend.ProxyRequestBuffering } - config.ProxyRedirectFrom, err = parser.GetStringAnnotation("proxy-redirect-from", ing) + config.ProxyRedirectFrom, err = parser.GetStringAnnotation(proxyRedirectFromAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyRedirectFrom = defBackend.ProxyRedirectFrom } - config.ProxyRedirectTo, err = parser.GetStringAnnotation("proxy-redirect-to", ing) + config.ProxyRedirectTo, err = parser.GetStringAnnotation(proxyRedirectToAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyRedirectTo = defBackend.ProxyRedirectTo } - config.ProxyBuffering, err = parser.GetStringAnnotation("proxy-buffering", ing) + config.ProxyBuffering, err = parser.GetStringAnnotation(proxyBufferingAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyBuffering = defBackend.ProxyBuffering } - config.ProxyHTTPVersion, err = parser.GetStringAnnotation("proxy-http-version", ing) + config.ProxyHTTPVersion, err = parser.GetStringAnnotation(proxyHTTPVersionAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyHTTPVersion = defBackend.ProxyHTTPVersion } - config.ProxyMaxTempFileSize, err = parser.GetStringAnnotation("proxy-max-temp-file-size", ing) + config.ProxyMaxTempFileSize, err = parser.GetStringAnnotation(proxyMaxTempFileSizeAnnotation, ing, a.annotationConfig.Annotations) if err != nil { config.ProxyMaxTempFileSize = defBackend.ProxyMaxTempFileSize } return config, nil } + +func (a proxy) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a proxy) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, proxyAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/proxy/main_test.go b/internal/ingress/annotations/proxy/main_test.go index e377ccb19..9446ae970 100644 --- a/internal/ingress/annotations/proxy/main_test.go +++ b/internal/ingress/annotations/proxy/main_test.go @@ -28,6 +28,12 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + off = "off" + proxyHTTPVersion = "1.0" + proxyMaxTempFileSize = "128k" +) + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -87,7 +93,7 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { ProxyNextUpstreamTimeout: 0, ProxyNextUpstreamTries: 3, ProxyRequestBuffering: "on", - ProxyBuffering: "off", + ProxyBuffering: off, ProxyHTTPVersion: "1.1", ProxyMaxTempFileSize: "1024m", } @@ -103,13 +109,13 @@ func TestProxy(t *testing.T) { data[parser.GetAnnotationWithPrefix("proxy-buffers-number")] = "8" data[parser.GetAnnotationWithPrefix("proxy-buffer-size")] = "1k" data[parser.GetAnnotationWithPrefix("proxy-body-size")] = "2k" - data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = "off" + data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = off data[parser.GetAnnotationWithPrefix("proxy-next-upstream-timeout")] = "5" data[parser.GetAnnotationWithPrefix("proxy-next-upstream-tries")] = "3" - data[parser.GetAnnotationWithPrefix("proxy-request-buffering")] = "off" + data[parser.GetAnnotationWithPrefix("proxy-request-buffering")] = off data[parser.GetAnnotationWithPrefix("proxy-buffering")] = "on" - data[parser.GetAnnotationWithPrefix("proxy-http-version")] = "1.0" - data[parser.GetAnnotationWithPrefix("proxy-max-temp-file-size")] = "128k" + data[parser.GetAnnotationWithPrefix("proxy-http-version")] = proxyHTTPVersion + data[parser.GetAnnotationWithPrefix("proxy-max-temp-file-size")] = proxyMaxTempFileSize ing.SetAnnotations(data) i, err := NewParser(mockBackend{}).Parse(ing) @@ -138,7 +144,75 @@ func TestProxy(t *testing.T) { if p.BodySize != "2k" { t.Errorf("expected 2k as body-size but returned %v", p.BodySize) } - if p.NextUpstream != "off" { + if p.NextUpstream != off { + t.Errorf("expected off as next-upstream but returned %v", p.NextUpstream) + } + if p.NextUpstreamTimeout != 5 { + t.Errorf("expected 5 as next-upstream-timeout but returned %v", p.NextUpstreamTimeout) + } + if p.NextUpstreamTries != 3 { + t.Errorf("expected 3 as next-upstream-tries but returned %v", p.NextUpstreamTries) + } + if p.RequestBuffering != off { + t.Errorf("expected off as request-buffering but returned %v", p.RequestBuffering) + } + if p.ProxyBuffering != "on" { + t.Errorf("expected on as proxy-buffering but returned %v", p.ProxyBuffering) + } + if p.ProxyHTTPVersion != proxyHTTPVersion { + t.Errorf("expected 1.0 as proxy-http-version but returned %v", p.ProxyHTTPVersion) + } + if p.ProxyMaxTempFileSize != proxyMaxTempFileSize { + t.Errorf("expected 128k as proxy-max-temp-file-size but returned %v", p.ProxyMaxTempFileSize) + } +} + +func TestProxyComplex(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix("proxy-connect-timeout")] = "1" + data[parser.GetAnnotationWithPrefix("proxy-send-timeout")] = "2" + data[parser.GetAnnotationWithPrefix("proxy-read-timeout")] = "3" + data[parser.GetAnnotationWithPrefix("proxy-buffers-number")] = "8" + data[parser.GetAnnotationWithPrefix("proxy-buffer-size")] = "1k" + data[parser.GetAnnotationWithPrefix("proxy-body-size")] = "2k" + data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = "error http_502" + data[parser.GetAnnotationWithPrefix("proxy-next-upstream-timeout")] = "5" + data[parser.GetAnnotationWithPrefix("proxy-next-upstream-tries")] = "3" + data[parser.GetAnnotationWithPrefix("proxy-request-buffering")] = "off" + data[parser.GetAnnotationWithPrefix("proxy-buffering")] = "on" + data[parser.GetAnnotationWithPrefix("proxy-http-version")] = proxyHTTPVersion + data[parser.GetAnnotationWithPrefix("proxy-max-temp-file-size")] = proxyMaxTempFileSize + ing.SetAnnotations(data) + + i, err := NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Fatalf("unexpected error parsing a valid") + } + p, ok := i.(*Config) + if !ok { + t.Fatalf("expected a Config type") + } + if p.ConnectTimeout != 1 { + t.Errorf("expected 1 as connect-timeout but returned %v", p.ConnectTimeout) + } + if p.SendTimeout != 2 { + t.Errorf("expected 2 as send-timeout but returned %v", p.SendTimeout) + } + if p.ReadTimeout != 3 { + t.Errorf("expected 3 as read-timeout but returned %v", p.ReadTimeout) + } + if p.BuffersNumber != 8 { + t.Errorf("expected 8 as proxy-buffers-number but returned %v", p.BuffersNumber) + } + if p.BufferSize != "1k" { + t.Errorf("expected 1k as buffer-size but returned %v", p.BufferSize) + } + if p.BodySize != "2k" { + t.Errorf("expected 2k as body-size but returned %v", p.BodySize) + } + if p.NextUpstream != "error http_502" { t.Errorf("expected off as next-upstream but returned %v", p.NextUpstream) } if p.NextUpstreamTimeout != 5 { @@ -153,10 +227,10 @@ func TestProxy(t *testing.T) { if p.ProxyBuffering != "on" { t.Errorf("expected on as proxy-buffering but returned %v", p.ProxyBuffering) } - if p.ProxyHTTPVersion != "1.0" { + if p.ProxyHTTPVersion != proxyHTTPVersion { t.Errorf("expected 1.0 as proxy-http-version but returned %v", p.ProxyHTTPVersion) } - if p.ProxyMaxTempFileSize != "128k" { + if p.ProxyMaxTempFileSize != proxyMaxTempFileSize { t.Errorf("expected 128k as proxy-max-temp-file-size but returned %v", p.ProxyMaxTempFileSize) } } diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go index 22f49b3eb..0e854cd21 100644 --- a/internal/ingress/annotations/proxyssl/main.go +++ b/internal/ingress/annotations/proxyssl/main.go @@ -27,6 +27,7 @@ import ( ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/k8s" + "k8s.io/klog/v2" ) const ( @@ -39,9 +40,73 @@ const ( var ( proxySSLOnOffRegex = regexp.MustCompile(`^(on|off)$`) - proxySSLProtocolRegex = regexp.MustCompile(`^(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2|TLSv1\.3)$`) + proxySSLProtocolRegex = regexp.MustCompile(`^(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2|TLSv1\.3| )*$`) + proxySSLCiphersRegex = regexp.MustCompile(`^[A-Za-z0-9\+:\_\-!]*$`) ) +const ( + proxySSLSecretAnnotation = "proxy-ssl-secret" + proxySSLCiphersAnnotation = "proxy-ssl-ciphers" + proxySSLProtocolsAnnotation = "proxy-ssl-protocols" + proxySSLNameAnnotation = "proxy-ssl-name" + proxySSLVerifyAnnotation = "proxy-ssl-verify" + proxySSLVerifyDepthAnnotation = "proxy-ssl-verify-depth" + proxySSLServerNameAnnotation = "proxy-ssl-server-name" +) + +var proxySSLAnnotation = parser.Annotation{ + Group: "proxy", + Annotations: parser.AnnotationFields{ + proxySSLSecretAnnotation: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation specifies a Secret with the certificate tls.crt, key tls.key in PEM format used for authentication to a proxied HTTPS server. + It should also contain trusted CA certificates ca.crt in PEM format used to verify the certificate of the proxied HTTPS server. + This annotation expects the Secret name in the form "namespace/secretName" + Just secrets on the same namespace of the ingress can be used.`, + }, + proxySSLCiphersAnnotation: { + Validator: parser.ValidateRegex(proxySSLCiphersRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation Specifies the enabled ciphers for requests to a proxied HTTPS server. + The ciphers are specified in the format understood by the OpenSSL library.`, + }, + proxySSLProtocolsAnnotation: { + Validator: parser.ValidateRegex(proxySSLProtocolRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables the specified protocols for requests to a proxied HTTPS server.`, + }, + proxySSLNameAnnotation: { + Validator: parser.ValidateServerName, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskHigh, + Documentation: `This annotation allows to set proxy_ssl_name. This allows overriding the server name used to verify the certificate of the proxied HTTPS server. + This value is also passed through SNI when a connection is established to the proxied HTTPS server.`, + }, + proxySSLVerifyAnnotation: { + Validator: parser.ValidateRegex(proxySSLOnOffRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables or disables verification of the proxied HTTPS server certificate. (default: off)`, + }, + proxySSLVerifyDepthAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation Sets the verification depth in the proxied HTTPS server certificates chain. (default: 1).`, + }, + proxySSLServerNameAnnotation: { + Validator: parser.ValidateRegex(proxySSLOnOffRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied HTTPS server.`, + }, + }, +} + // Config contains the AuthSSLCert used for mutual authentication // and the configured VerifyDepth type Config struct { @@ -84,12 +149,16 @@ func (pssl1 *Config) Equal(pssl2 *Config) bool { } // NewParser creates a new TLS authentication annotation parser -func NewParser(resolver resolver.Resolver) parser.IngressAnnotation { - return proxySSL{resolver} +func NewParser(r resolver.Resolver) parser.IngressAnnotation { + return proxySSL{ + r: r, + annotationConfig: proxySSLAnnotation, + } } type proxySSL struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } func sortProtocols(protocols string) string { @@ -120,54 +189,78 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - proxysslsecret, err := parser.GetStringAnnotation("proxy-ssl-secret", ing) + proxysslsecret, err := parser.GetStringAnnotation(proxySSLSecretAnnotation, ing, p.annotationConfig.Annotations) if err != nil { return &Config{}, err } - _, _, err = k8s.ParseNameNS(proxysslsecret) + ns, _, err := k8s.ParseNameNS(proxysslsecret) if err != nil { return &Config{}, ing_errors.NewLocationDenied(err.Error()) } + secCfg := p.r.GetSecurityConfiguration() + // We don't accept different namespaces for secrets. + if !secCfg.AllowCrossNamespaceResources && ns != ing.Namespace { + return &Config{}, ing_errors.NewLocationDenied("cross namespace secrets are not supported") + } + proxyCert, err := p.r.GetAuthCertificate(proxysslsecret) if err != nil { e := fmt.Errorf("error obtaining certificate: %w", err) - return &Config{}, ing_errors.LocationDenied{Reason: e} + return &Config{}, ing_errors.LocationDeniedError{Reason: e} } config.AuthSSLCert = *proxyCert - config.Ciphers, err = parser.GetStringAnnotation("proxy-ssl-ciphers", ing) + config.Ciphers, err = parser.GetStringAnnotation(proxySSLCiphersAnnotation, ing, p.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + klog.Warningf("invalid value passed to proxy-ssl-ciphers, defaulting to %s", defaultProxySSLCiphers) + } config.Ciphers = defaultProxySSLCiphers } - config.Protocols, err = parser.GetStringAnnotation("proxy-ssl-protocols", ing) + config.Protocols, err = parser.GetStringAnnotation(proxySSLProtocolsAnnotation, ing, p.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + klog.Warningf("invalid value passed to proxy-ssl-protocols, defaulting to %s", defaultProxySSLProtocols) + } config.Protocols = defaultProxySSLProtocols } else { config.Protocols = sortProtocols(config.Protocols) } - config.ProxySSLName, err = parser.GetStringAnnotation("proxy-ssl-name", ing) + config.ProxySSLName, err = parser.GetStringAnnotation(proxySSLNameAnnotation, ing, p.annotationConfig.Annotations) if err != nil { + if ing_errors.IsValidationError(err) { + klog.Warningf("invalid value passed to proxy-ssl-name, defaulting to empty") + } config.ProxySSLName = "" } - config.Verify, err = parser.GetStringAnnotation("proxy-ssl-verify", ing) + config.Verify, err = parser.GetStringAnnotation(proxySSLVerifyAnnotation, ing, p.annotationConfig.Annotations) if err != nil || !proxySSLOnOffRegex.MatchString(config.Verify) { config.Verify = defaultProxySSLVerify } - config.VerifyDepth, err = parser.GetIntAnnotation("proxy-ssl-verify-depth", ing) + config.VerifyDepth, err = parser.GetIntAnnotation(proxySSLVerifyDepthAnnotation, ing, p.annotationConfig.Annotations) if err != nil || config.VerifyDepth == 0 { config.VerifyDepth = defaultProxySSLVerifyDepth } - config.ProxySSLServerName, err = parser.GetStringAnnotation("proxy-ssl-server-name", ing) + config.ProxySSLServerName, err = parser.GetStringAnnotation(proxySSLServerNameAnnotation, ing, p.annotationConfig.Annotations) if err != nil || !proxySSLOnOffRegex.MatchString(config.ProxySSLServerName) { config.ProxySSLServerName = defaultProxySSLServerName } return config, nil } + +func (p proxySSL) GetDocumentation() parser.AnnotationFields { + return p.annotationConfig.Annotations +} + +func (p proxySSL) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(p.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, proxySSLAnnotation.Annotations) +} diff --git a/internal/ingress/annotations/proxyssl/main_test.go b/internal/ingress/annotations/proxyssl/main_test.go index 29949796c..a20c6813d 100644 --- a/internal/ingress/annotations/proxyssl/main_test.go +++ b/internal/ingress/annotations/proxyssl/main_test.go @@ -27,6 +27,14 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + defaultDemoSecret = "default/demo-secret" + proxySslCiphers = "HIGH:-SHA" + off = "off" + sslServerName = "w00t" + defaultProtocol = "SSLv2 TLSv1 TLSv1.2 TLSv1.3" +) + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -77,28 +85,27 @@ type mockSecret struct { // GetAuthCertificate from mockSecret mocks the GetAuthCertificate for backend certificate authentication func (m mockSecret) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error) { - if name != "default/demo-secret" { + if name != defaultDemoSecret { return nil, errors.Errorf("there is no secret with name %v", name) } return &resolver.AuthSSLCert{ - Secret: "default/demo-secret", + Secret: defaultDemoSecret, CAFileName: "/ssl/ca.crt", CASHA: "abc", }, nil - } func TestAnnotations(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("proxy-ssl-secret")] = "default/demo-secret" - data[parser.GetAnnotationWithPrefix("proxy-ssl-ciphers")] = "HIGH:-SHA" + data[parser.GetAnnotationWithPrefix(proxySSLSecretAnnotation)] = defaultDemoSecret + data[parser.GetAnnotationWithPrefix("proxy-ssl-ciphers")] = proxySslCiphers data[parser.GetAnnotationWithPrefix("proxy-ssl-name")] = "$host" data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv1.3 SSLv2 TLSv1 TLSv1.2" data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = "on" - data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = "off" + data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = off data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = "on" data[parser.GetAnnotationWithPrefix("proxy-ssl-verify-depth")] = "3" @@ -115,7 +122,7 @@ func TestAnnotations(t *testing.T) { t.Errorf("expected *Config but got %v", u) } - secret, err := fakeSecret.GetAuthCertificate("default/demo-secret") + secret, err := fakeSecret.GetAuthCertificate(defaultDemoSecret) if err != nil { t.Errorf("unexpected error getting secret %v", err) } @@ -123,11 +130,11 @@ func TestAnnotations(t *testing.T) { if u.AuthSSLCert.Secret != secret.Secret { t.Errorf("expected %v but got %v", secret.Secret, u.AuthSSLCert.Secret) } - if u.Ciphers != "HIGH:-SHA" { - t.Errorf("expected %v but got %v", "HIGH:-SHA", u.Ciphers) + if u.Ciphers != proxySslCiphers { + t.Errorf("expected %v but got %v", proxySslCiphers, u.Ciphers) } - if u.Protocols != "SSLv2 TLSv1 TLSv1.2 TLSv1.3" { - t.Errorf("expected %v but got %v", "SSLv2 TLSv1 TLSv1.2 TLSv1.3", u.Protocols) + if u.Protocols != defaultProtocol { + t.Errorf("expected %v but got %v", defaultProtocol, u.Protocols) } if u.Verify != "on" { t.Errorf("expected %v but got %v", "on", u.Verify) @@ -141,7 +148,6 @@ func TestAnnotations(t *testing.T) { if u.ProxySSLServerName != "on" { t.Errorf("expected %v but got %v", "on", u.ProxySSLServerName) } - } func TestInvalidAnnotations(t *testing.T) { @@ -172,11 +178,11 @@ func TestInvalidAnnotations(t *testing.T) { } // Invalid optional Annotations - data[parser.GetAnnotationWithPrefix("proxy-ssl-secret")] = "default/demo-secret" + data[parser.GetAnnotationWithPrefix("proxy-ssl-secret")] = defaultDemoSecret data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv111 SSLv1" - data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = "w00t" - data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = "w00t" - data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = "w00t" + data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = sslServerName + data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = sslServerName + data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = sslServerName data[parser.GetAnnotationWithPrefix("proxy-ssl-verify-depth")] = "abcd" ing.SetAnnotations(data) @@ -207,21 +213,15 @@ func TestEquals(t *testing.T) { cfg1 := &Config{} cfg2 := &Config{} - // Same config - result := cfg1.Equal(cfg1) - if result != true { - t.Errorf("Expected true") - } - // compare nil - result = cfg1.Equal(nil) + result := cfg1.Equal(nil) if result != false { t.Errorf("Expected false") } // Different Certs sslCert1 := resolver.AuthSSLCert{ - Secret: "default/demo-secret", + Secret: defaultDemoSecret, CAFileName: "/ssl/ca.crt", CASHA: "abc", } @@ -240,7 +240,7 @@ func TestEquals(t *testing.T) { // Different Ciphers cfg1.Ciphers = "DEFAULT" - cfg2.Ciphers = "HIGH:-SHA" + cfg2.Ciphers = proxySslCiphers result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") @@ -248,22 +248,22 @@ func TestEquals(t *testing.T) { cfg2.Ciphers = "DEFAULT" // Different Protocols - cfg1.Protocols = "SSLv2 TLSv1 TLSv1.2 TLSv1.3" + cfg1.Protocols = defaultProtocol cfg2.Protocols = "SSLv3 TLSv1 TLSv1.2 TLSv1.3" result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") } - cfg2.Protocols = "SSLv2 TLSv1 TLSv1.2 TLSv1.3" + cfg2.Protocols = defaultProtocol // Different Verify - cfg1.Verify = "off" + cfg1.Verify = off cfg2.Verify = "on" result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") } - cfg2.Verify = "off" + cfg2.Verify = off // Different VerifyDepth cfg1.VerifyDepth = 1 @@ -275,13 +275,13 @@ func TestEquals(t *testing.T) { cfg2.VerifyDepth = 1 // Different ProxySSLServerName - cfg1.ProxySSLServerName = "off" + cfg1.ProxySSLServerName = off cfg2.ProxySSLServerName = "on" result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") } - cfg2.ProxySSLServerName = "off" + cfg2.ProxySSLServerName = off // Equal Configs result = cfg1.Equal(cfg2) diff --git a/internal/ingress/annotations/ratelimit/main.go b/internal/ingress/annotations/ratelimit/main.go index 84a5f10f0..e79c698bf 100644 --- a/internal/ingress/annotations/ratelimit/main.go +++ b/internal/ingress/annotations/ratelimit/main.go @@ -24,6 +24,7 @@ import ( networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/net" "k8s.io/ingress-nginx/pkg/util/sets" @@ -58,7 +59,7 @@ type Config struct { ID string `json:"id"` - Whitelist []string `json:"whitelist"` + Allowlist []string `json:"allowlist"` } // Equal tests for equality between two RateLimit types @@ -90,11 +91,11 @@ func (rt1 *Config) Equal(rt2 *Config) bool { if rt1.Name != rt2.Name { return false } - if len(rt1.Whitelist) != len(rt2.Whitelist) { + if len(rt1.Allowlist) != len(rt2.Allowlist) { return false } - return sets.StringElementsMatch(rt1.Whitelist, rt2.Whitelist) + return sets.StringElementsMatch(rt1.Allowlist, rt2.Allowlist) } // Zone returns information about the NGINX rate limit (limit_req_zone) @@ -131,43 +132,121 @@ func (z1 *Zone) Equal(z2 *Zone) bool { return true } +const ( + limitRateAnnotation = "limit-rate" + limitRateAfterAnnotation = "limit-rate-after" + limitRateRPMAnnotation = "limit-rpm" + limitRateRPSAnnotation = "limit-rps" + limitRateConnectionsAnnotation = "limit-connections" + limitRateBurstMultiplierAnnotation = "limit-burst-multiplier" + limitWhitelistAnnotation = "limit-whitelist" // This annotation is an alias for limit-allowlist + limitAllowlistAnnotation = "limit-allowlist" +) + +var rateLimitAnnotations = parser.Annotation{ + Group: "rate-limit", + Annotations: parser.AnnotationFields{ + limitRateAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Limits the rate of response transmission to a client. The rate is specified in bytes per second. + The zero value disables rate limiting. The limit is set per a request, and so if a client simultaneously opens two connections, the overall rate will be twice as much as the specified limit. + References: https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate`, + }, + limitRateAfterAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Sets the initial amount after which the further transmission of a response to a client will be rate limited.`, + }, + limitRateRPMAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Requests per minute that will be allowed.`, + }, + limitRateRPSAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Requests per second that will be allowed.`, + }, + limitRateConnectionsAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Number of connections that will be allowed`, + }, + limitRateBurstMultiplierAnnotation: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `Burst multiplier for a limit-rate enabled location.`, + }, + limitAllowlistAnnotation: { + Validator: parser.ValidateCIDRs, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `List of CIDR/IP addresses that will not be rate-limited.`, + AnnotationAliases: []string{limitWhitelistAnnotation}, + }, + }, +} + type ratelimit struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new ratelimit annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return ratelimit{r} + return ratelimit{ + r: r, + annotationConfig: rateLimitAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress // rule used to rewrite the defined paths func (a ratelimit) Parse(ing *networking.Ingress) (interface{}, error) { defBackend := a.r.GetDefaultBackend() - lr, err := parser.GetIntAnnotation("limit-rate", ing) + lr, err := parser.GetIntAnnotation(limitRateAnnotation, ing, a.annotationConfig.Annotations) if err != nil { lr = defBackend.LimitRate } - lra, err := parser.GetIntAnnotation("limit-rate-after", ing) + lra, err := parser.GetIntAnnotation(limitRateAfterAnnotation, ing, a.annotationConfig.Annotations) if err != nil { lra = defBackend.LimitRateAfter } - rpm, _ := parser.GetIntAnnotation("limit-rpm", ing) - rps, _ := parser.GetIntAnnotation("limit-rps", ing) - conn, _ := parser.GetIntAnnotation("limit-connections", ing) - burstMultiplier, err := parser.GetIntAnnotation("limit-burst-multiplier", ing) + rpm, err := parser.GetIntAnnotation(limitRateRPMAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsValidationError(err) { + return nil, err + } + rps, err := parser.GetIntAnnotation(limitRateRPSAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsValidationError(err) { + return nil, err + } + conn, err := parser.GetIntAnnotation(limitRateConnectionsAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsValidationError(err) { + return nil, err + } + burstMultiplier, err := parser.GetIntAnnotation(limitRateBurstMultiplierAnnotation, ing, a.annotationConfig.Annotations) if err != nil { burstMultiplier = defBurst } - val, _ := parser.GetStringAnnotation("limit-whitelist", ing) - - cidrs, err := net.ParseCIDRs(val) - if err != nil { + val, err := parser.GetStringAnnotation(limitAllowlistAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && errors.IsValidationError(err) { return nil, err } + cidrs, errCidr := net.ParseCIDRs(val) + if errCidr != nil { + return nil, errCidr + } + if rpm == 0 && rps == 0 && conn == 0 { return &Config{ Connections: Zone{}, @@ -203,11 +282,20 @@ func (a ratelimit) Parse(ing *networking.Ingress) (interface{}, error) { LimitRateAfter: lra, Name: zoneName, ID: encode(zoneName), - Whitelist: cidrs, + Allowlist: cidrs, }, nil } func encode(s string) string { str := base64.URLEncoding.EncodeToString([]byte(s)) - return strings.Replace(str, "=", "", -1) + return strings.ReplaceAll(str, "=", "") +} + +func (a ratelimit) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a ratelimit) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, rateLimitAnnotations.Annotations) } diff --git a/internal/ingress/annotations/ratelimit/main_test.go b/internal/ingress/annotations/ratelimit/main_test.go index 9f101cc3b..d3a2cc0e9 100644 --- a/internal/ingress/annotations/ratelimit/main_test.go +++ b/internal/ingress/annotations/ratelimit/main_test.go @@ -25,6 +25,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/defaults" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) @@ -85,8 +86,8 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { func TestWithoutAnnotations(t *testing.T) { ing := buildIngress() _, err := NewParser(mockBackend{}).Parse(ing) - if err != nil { - t.Error("unexpected error with ingress without annotations") + if err != nil && !errors.IsMissingAnnotations(err) { + t.Errorf("unexpected error with ingress without annotations: %s", err) } } @@ -94,22 +95,22 @@ func TestRateLimiting(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("limit-connections")] = "0" - data[parser.GetAnnotationWithPrefix("limit-rps")] = "0" - data[parser.GetAnnotationWithPrefix("limit-rpm")] = "0" + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "0" + data[parser.GetAnnotationWithPrefix(limitRateRPSAnnotation)] = "0" + data[parser.GetAnnotationWithPrefix(limitRateRPMAnnotation)] = "0" ing.SetAnnotations(data) _, err := NewParser(mockBackend{}).Parse(ing) if err != nil { - t.Errorf("unexpected error with invalid limits (0)") + t.Errorf("unexpected error with invalid limits (0): %s", err) } data = map[string]string{} - data[parser.GetAnnotationWithPrefix("limit-connections")] = "5" - data[parser.GetAnnotationWithPrefix("limit-rps")] = "100" - data[parser.GetAnnotationWithPrefix("limit-rpm")] = "10" - data[parser.GetAnnotationWithPrefix("limit-rate-after")] = "100" - data[parser.GetAnnotationWithPrefix("limit-rate")] = "10" + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitRateRPSAnnotation)] = "100" + data[parser.GetAnnotationWithPrefix(limitRateRPMAnnotation)] = "10" + data[parser.GetAnnotationWithPrefix(limitRateAfterAnnotation)] = "100" + data[parser.GetAnnotationWithPrefix(limitRateAnnotation)] = "10" ing.SetAnnotations(data) @@ -147,12 +148,12 @@ func TestRateLimiting(t *testing.T) { } data = map[string]string{} - data[parser.GetAnnotationWithPrefix("limit-connections")] = "5" - data[parser.GetAnnotationWithPrefix("limit-rps")] = "100" - data[parser.GetAnnotationWithPrefix("limit-rpm")] = "10" - data[parser.GetAnnotationWithPrefix("limit-rate-after")] = "100" - data[parser.GetAnnotationWithPrefix("limit-rate")] = "10" - data[parser.GetAnnotationWithPrefix("limit-burst-multiplier")] = "3" + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitRateRPSAnnotation)] = "100" + data[parser.GetAnnotationWithPrefix(limitRateRPMAnnotation)] = "10" + data[parser.GetAnnotationWithPrefix(limitRateAfterAnnotation)] = "100" + data[parser.GetAnnotationWithPrefix(limitRateAnnotation)] = "10" + data[parser.GetAnnotationWithPrefix(limitRateBurstMultiplierAnnotation)] = "3" ing.SetAnnotations(data) @@ -189,3 +190,61 @@ func TestRateLimiting(t *testing.T) { t.Errorf("expected 10 in limit by limitrate but %v was returned", rateLimit.LimitRate) } } + +func TestAnnotationCIDR(t *testing.T) { + ing := buildIngress() + + data := map[string]string{} + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitAllowlistAnnotation)] = "192.168.0.5, 192.168.50.32/24" + ing.SetAnnotations(data) + + i, err := NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + + rateLimit, ok := i.(*Config) + if !ok { + t.Errorf("expected a RateLimit type") + } + if len(rateLimit.Allowlist) != 2 { + t.Errorf("expected 2 cidrs in limit by ip but %v was returned", len(rateLimit.Allowlist)) + } + + data = map[string]string{} + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitWhitelistAnnotation)] = "192.168.0.5, 192.168.50.32/24, 10.10.10.1" + ing.SetAnnotations(data) + + i, err = NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + rateLimit, ok = i.(*Config) + if !ok { + t.Errorf("expected a RateLimit type") + } + if len(rateLimit.Allowlist) != 3 { + t.Errorf("expected 3 cidrs in limit by ip but %v was returned", len(rateLimit.Allowlist)) + } + + // Parent annotation surpasses any alias + data = map[string]string{} + data[parser.GetAnnotationWithPrefix(limitRateConnectionsAnnotation)] = "5" + data[parser.GetAnnotationWithPrefix(limitWhitelistAnnotation)] = "192.168.0.5, 192.168.50.32/24, 10.10.10.1" + data[parser.GetAnnotationWithPrefix(limitAllowlistAnnotation)] = "192.168.0.9" + ing.SetAnnotations(data) + + i, err = NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + rateLimit, ok = i.(*Config) + if !ok { + t.Errorf("expected a RateLimit type") + } + if len(rateLimit.Allowlist) != 1 { + t.Errorf("expected 1 cidrs in limit by ip but %v was returned", len(rateLimit.Allowlist)) + } +} diff --git a/internal/ingress/annotations/redirect/redirect.go b/internal/ingress/annotations/redirect/redirect.go index 11b08a4a2..b58e35171 100644 --- a/internal/ingress/annotations/redirect/redirect.go +++ b/internal/ingress/annotations/redirect/redirect.go @@ -37,13 +37,56 @@ type Config struct { FromToWWW bool `json:"fromToWWW"` } +const ( + fromToWWWRedirAnnotation = "from-to-www-redirect" + temporalRedirectAnnotation = "temporal-redirect" + permanentRedirectAnnotation = "permanent-redirect" + permanentRedirectAnnotationCode = "permanent-redirect-code" +) + +var redirectAnnotations = parser.Annotation{ + Group: "redirect", + Annotations: parser.AnnotationFields{ + fromToWWWRedirAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `In some scenarios is required to redirect from www.domain.com to domain.com or vice versa. To enable this feature use this annotation.`, + }, + temporalRedirectAnnotation: { + Validator: parser.ValidateRegex(parser.URLIsValidRegex, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium, as it allows arbitrary URLs that needs to be validated + Documentation: `This annotation allows you to return a temporal redirect (Return Code 302) instead of sending data to the upstream. + For example setting this annotation to https://www.google.com would redirect everything to Google with a Return Code of 302 (Moved Temporarily).`, + }, + permanentRedirectAnnotation: { + Validator: parser.ValidateRegex(parser.URLIsValidRegex, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, // Medium, as it allows arbitrary URLs that needs to be validated + Documentation: `This annotation allows to return a permanent redirect (Return Code 301) instead of sending data to the upstream. + For example setting this annotation https://www.google.com would redirect everything to Google with a code 301`, + }, + permanentRedirectAnnotationCode: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options + Documentation: `This annotation allows you to modify the status code used for permanent redirects.`, + }, + }, +} + type redirect struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new redirect annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return redirect{r} + return redirect{ + r: r, + annotationConfig: redirectAnnotations, + } } // Parse parses the annotations contained in the ingress @@ -51,9 +94,12 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { // If the Ingress contains both annotations the execution order is // temporal and then permanent func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) { - r3w, _ := parser.GetBoolAnnotation("from-to-www-redirect", ing) + r3w, err := parser.GetBoolAnnotation(fromToWWWRedirAnnotation, ing, r.annotationConfig.Annotations) + if err != nil && !errors.IsMissingAnnotations(err) { + return nil, err + } - tr, err := parser.GetStringAnnotation("temporal-redirect", ing) + tr, err := parser.GetStringAnnotation(temporalRedirectAnnotation, ing, r.annotationConfig.Annotations) if err != nil && !errors.IsMissingAnnotations(err) { return nil, err } @@ -70,12 +116,12 @@ func (r redirect) Parse(ing *networking.Ingress) (interface{}, error) { }, nil } - pr, err := parser.GetStringAnnotation("permanent-redirect", ing) + pr, err := parser.GetStringAnnotation(permanentRedirectAnnotation, ing, r.annotationConfig.Annotations) if err != nil && !errors.IsMissingAnnotations(err) { return nil, err } - prc, err := parser.GetIntAnnotation("permanent-redirect-code", ing) + prc, err := parser.GetIntAnnotation(permanentRedirectAnnotationCode, ing, r.annotationConfig.Annotations) if err != nil && !errors.IsMissingAnnotations(err) { return nil, err } @@ -127,3 +173,12 @@ func isValidURL(s string) error { return nil } + +func (r redirect) GetDocumentation() parser.AnnotationFields { + return r.annotationConfig.Annotations +} + +func (r redirect) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(r.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, redirectAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/redirect/redirect_test.go b/internal/ingress/annotations/redirect/redirect_test.go index b5a87a5d3..bd2f98211 100644 --- a/internal/ingress/annotations/redirect/redirect_test.go +++ b/internal/ingress/annotations/redirect/redirect_test.go @@ -43,7 +43,7 @@ func TestPermanentRedirectWithDefaultCode(t *testing.T) { ing := new(networking.Ingress) data := make(map[string]string, 1) - data[parser.GetAnnotationWithPrefix("permanent-redirect")] = defRedirectURL + data[parser.GetAnnotationWithPrefix(permanentRedirectAnnotation)] = defRedirectURL ing.SetAnnotations(data) i, err := rp.Parse(ing) @@ -81,8 +81,8 @@ func TestPermanentRedirectWithCustomCode(t *testing.T) { ing := new(networking.Ingress) data := make(map[string]string, 2) - data[parser.GetAnnotationWithPrefix("permanent-redirect")] = defRedirectURL - data[parser.GetAnnotationWithPrefix("permanent-redirect-code")] = strconv.Itoa(tc.input) + data[parser.GetAnnotationWithPrefix(permanentRedirectAnnotation)] = defRedirectURL + data[parser.GetAnnotationWithPrefix(permanentRedirectAnnotationCode)] = strconv.Itoa(tc.input) ing.SetAnnotations(data) i, err := rp.Parse(ing) @@ -112,8 +112,8 @@ func TestTemporalRedirect(t *testing.T) { ing := new(networking.Ingress) data := make(map[string]string, 1) - data[parser.GetAnnotationWithPrefix("from-to-www-redirect")] = "true" - data[parser.GetAnnotationWithPrefix("temporal-redirect")] = defRedirectURL + data[parser.GetAnnotationWithPrefix(fromToWWWRedirAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(temporalRedirectAnnotation)] = defRedirectURL ing.SetAnnotations(data) i, err := rp.Parse(ing) @@ -136,7 +136,6 @@ func TestTemporalRedirect(t *testing.T) { } func TestIsValidURL(t *testing.T) { - invalid := "ok.com" urlParse, err := url.Parse(invalid) if err != nil { diff --git a/internal/ingress/annotations/rewrite/main.go b/internal/ingress/annotations/rewrite/main.go index f92d508dc..cd9ed3993 100644 --- a/internal/ingress/annotations/rewrite/main.go +++ b/internal/ingress/annotations/rewrite/main.go @@ -27,6 +27,59 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + rewriteTargetAnnotation = "rewrite-target" + sslRedirectAnnotation = "ssl-redirect" + preserveTrailingSlashAnnotation = "preserve-trailing-slash" + forceSSLRedirectAnnotation = "force-ssl-redirect" + useRegexAnnotation = "use-regex" + appRootAnnotation = "app-root" +) + +var rewriteAnnotations = parser.Annotation{ + Group: "rewrite", + Annotations: parser.AnnotationFields{ + rewriteTargetAnnotation: { + Validator: parser.ValidateRegex(parser.RegexPathWithCapture, false), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify the target URI where the traffic must be redirected. It can contain regular characters and captured + groups specified as '$1', '$2', etc.`, + }, + sslRedirectAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if the location section is only accessible via SSL`, + }, + preserveTrailingSlashAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines if the trailing slash should be preserved in the URI with 'ssl-redirect'`, + }, + forceSSLRedirectAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation forces the redirection to HTTPS even if the Ingress is not TLS Enabled`, + }, + useRegexAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines if the paths defined on an Ingress use regular expressions. To use regex on path + the pathType should also be defined as 'ImplementationSpecific'.`, + }, + appRootAnnotation: { + Validator: parser.ValidateRegex(parser.RegexPathWithCapture, false), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the Application Root that the Controller must redirect if it's in / context`, + }, + }, +} + // Config describes the per location redirect config type Config struct { // Target URI where the traffic must be redirected @@ -71,12 +124,16 @@ func (r1 *Config) Equal(r2 *Config) bool { } type rewrite struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new rewrite annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return rewrite{r} + return rewrite{ + r: r, + annotationConfig: rewriteAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -85,24 +142,45 @@ func (a rewrite) Parse(ing *networking.Ingress) (interface{}, error) { var err error config := &Config{} - config.Target, _ = parser.GetStringAnnotation("rewrite-target", ing) - config.SSLRedirect, err = parser.GetBoolAnnotation("ssl-redirect", ing) + config.Target, err = parser.GetStringAnnotation(rewriteTargetAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to empty", rewriteTargetAnnotation) + } + config.Target = "" + } + config.SSLRedirect, err = parser.GetBoolAnnotation(sslRedirectAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to '%s'", sslRedirectAnnotation, a.r.GetDefaultBackend().SSLRedirect) + } config.SSLRedirect = a.r.GetDefaultBackend().SSLRedirect } - config.PreserveTrailingSlash, err = parser.GetBoolAnnotation("preserve-trailing-slash", ing) + config.PreserveTrailingSlash, err = parser.GetBoolAnnotation(preserveTrailingSlashAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to '%s'", preserveTrailingSlashAnnotation, a.r.GetDefaultBackend().PreserveTrailingSlash) + } config.PreserveTrailingSlash = a.r.GetDefaultBackend().PreserveTrailingSlash } - config.ForceSSLRedirect, err = parser.GetBoolAnnotation("force-ssl-redirect", ing) + config.ForceSSLRedirect, err = parser.GetBoolAnnotation(forceSSLRedirectAnnotation, ing, a.annotationConfig.Annotations) if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to '%s'", forceSSLRedirectAnnotation, a.r.GetDefaultBackend().ForceSSLRedirect) + } config.ForceSSLRedirect = a.r.GetDefaultBackend().ForceSSLRedirect } - config.UseRegex, _ = parser.GetBoolAnnotation("use-regex", ing) + config.UseRegex, err = parser.GetBoolAnnotation(useRegexAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + if errors.IsValidationError(err) { + klog.Warningf("%sis invalid, defaulting to 'false'", useRegexAnnotation) + } + config.UseRegex = false + } - config.AppRoot, err = parser.GetStringAnnotation("app-root", ing) + config.AppRoot, err = parser.GetStringAnnotation(appRootAnnotation, ing, a.annotationConfig.Annotations) if err != nil { if !errors.IsMissingAnnotations(err) && !errors.IsInvalidContent(err) { klog.Warningf("Annotation app-root contains an invalid value: %v", err) @@ -126,3 +204,12 @@ func (a rewrite) Parse(ing *networking.Ingress) (interface{}, error) { return config, nil } + +func (a rewrite) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a rewrite) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, rewriteAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/rewrite/main_test.go b/internal/ingress/annotations/rewrite/main_test.go index c2cb42c78..b68b901b4 100644 --- a/internal/ingress/annotations/rewrite/main_test.go +++ b/internal/ingress/annotations/rewrite/main_test.go @@ -120,7 +120,10 @@ func TestSSLRedirect(t *testing.T) { data[parser.GetAnnotationWithPrefix("rewrite-target")] = defRoute ing.SetAnnotations(data) - i, _ := NewParser(mockBackend{redirect: true}).Parse(ing) + i, err := NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok := i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -129,10 +132,43 @@ func TestSSLRedirect(t *testing.T) { t.Errorf("Expected true but returned false") } + data[parser.GetAnnotationWithPrefix("rewrite-target")] = "/xpto/$1/abc/$2" + ing.SetAnnotations(data) + + i, err = NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + redirect, ok = i.(*Config) + if !ok { + t.Errorf("expected a Redirect type") + } + if redirect.Target != "/xpto/$1/abc/$2" { + t.Errorf("Expected /xpto/$1/abc/$2 but returned %s", redirect.Target) + } + + data[parser.GetAnnotationWithPrefix("rewrite-target")] = "/xpto/xas{445}" + ing.SetAnnotations(data) + + i, err = NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + redirect, ok = i.(*Config) + if !ok { + t.Errorf("expected a Redirect type") + } + if redirect.Target != "" { + t.Errorf("Expected empty rewrite target but returned %s", redirect.Target) + } + data[parser.GetAnnotationWithPrefix("ssl-redirect")] = "false" ing.SetAnnotations(data) - i, _ = NewParser(mockBackend{redirect: false}).Parse(ing) + i, err = NewParser(mockBackend{redirect: false}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok = i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -149,7 +185,10 @@ func TestForceSSLRedirect(t *testing.T) { data[parser.GetAnnotationWithPrefix("rewrite-target")] = defRoute ing.SetAnnotations(data) - i, _ := NewParser(mockBackend{redirect: true}).Parse(ing) + i, err := NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok := i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -161,7 +200,10 @@ func TestForceSSLRedirect(t *testing.T) { data[parser.GetAnnotationWithPrefix("force-ssl-redirect")] = "true" ing.SetAnnotations(data) - i, _ = NewParser(mockBackend{redirect: false}).Parse(ing) + i, err = NewParser(mockBackend{redirect: false}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok = i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -170,6 +212,7 @@ func TestForceSSLRedirect(t *testing.T) { t.Errorf("Expected true but returned false") } } + func TestAppRoot(t *testing.T) { ap := NewParser(mockBackend{redirect: true}) @@ -217,7 +260,10 @@ func TestUseRegex(t *testing.T) { data[parser.GetAnnotationWithPrefix("use-regex")] = "true" ing.SetAnnotations(data) - i, _ := NewParser(mockBackend{redirect: true}).Parse(ing) + i, err := NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok := i.(*Config) if !ok { t.Errorf("expected a App Context") diff --git a/internal/ingress/annotations/satisfy/main.go b/internal/ingress/annotations/satisfy/main.go index 0d4fd4ff6..13a4532c1 100644 --- a/internal/ingress/annotations/satisfy/main.go +++ b/internal/ingress/annotations/satisfy/main.go @@ -23,18 +23,40 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + satisfyAnnotation = "satisfy" +) + +var satisfyAnnotations = parser.Annotation{ + Group: "authentication", + Annotations: parser.AnnotationFields{ + satisfyAnnotation: { + Validator: parser.ValidateOptions([]string{"any", "all"}, true, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `By default, a request would need to satisfy all authentication requirements in order to be allowed. + By using this annotation, requests that satisfy either any or all authentication requirements are allowed, based on the configuration value. + Valid options are "all" and "any"`, + }, + }, +} + type satisfy struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new SATISFY annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return satisfy{r} + return satisfy{ + r: r, + annotationConfig: satisfyAnnotations, + } } // Parse parses annotation contained in the ingress func (s satisfy) Parse(ing *networking.Ingress) (interface{}, error) { - satisfy, err := parser.GetStringAnnotation("satisfy", ing) + satisfy, err := parser.GetStringAnnotation(satisfyAnnotation, ing, s.annotationConfig.Annotations) if err != nil || (satisfy != "any" && satisfy != "all") { satisfy = "" @@ -42,3 +64,12 @@ func (s satisfy) Parse(ing *networking.Ingress) (interface{}, error) { return satisfy, nil } + +func (s satisfy) GetDocumentation() parser.AnnotationFields { + return s.annotationConfig.Annotations +} + +func (s satisfy) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(s.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, satisfyAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/satisfy/main_test.go b/internal/ingress/annotations/satisfy/main_test.go index b45205d9f..c8d5782f9 100644 --- a/internal/ingress/annotations/satisfy/main_test.go +++ b/internal/ingress/annotations/satisfy/main_test.go @@ -83,7 +83,7 @@ func TestSatisfyParser(t *testing.T) { annotations := map[string]string{} for input, expected := range data { - annotations[parser.GetAnnotationWithPrefix("satisfy")] = input + annotations[parser.GetAnnotationWithPrefix(satisfyAnnotation)] = input ing.SetAnnotations(annotations) satisfyt, err := NewParser(&resolver.Mock{}).Parse(ing) diff --git a/internal/ingress/annotations/secureupstream/main.go b/internal/ingress/annotations/secureupstream/main.go deleted file mode 100644 index ebaea2058..000000000 --- a/internal/ingress/annotations/secureupstream/main.go +++ /dev/null @@ -1,48 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package secureupstream - -import ( - networking "k8s.io/api/networking/v1" - "k8s.io/klog/v2" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -// Config describes SSL backend configuration -type Config struct { - CACert resolver.AuthSSLCert `json:"caCert"` -} - -type su struct { - r resolver.Resolver -} - -// NewParser creates a new secure upstream annotation parser -func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return su{r} -} - -// Parse parses the annotations contained in the ingress -// rule used to indicate if the upstream servers should use SSL -func (a su) Parse(ing *networking.Ingress) (secure interface{}, err error) { - if ca, _ := parser.GetStringAnnotation("secure-verify-ca-secret", ing); ca != "" { - klog.Warningf("NOTE! secure-verify-ca-secret is not supported anymore. Please use proxy-ssl-secret instead") - } - return -} diff --git a/internal/ingress/annotations/secureupstream/main_test.go b/internal/ingress/annotations/secureupstream/main_test.go deleted file mode 100644 index 7546cb5cf..000000000 --- a/internal/ingress/annotations/secureupstream/main_test.go +++ /dev/null @@ -1,162 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package secureupstream - -import ( - "fmt" - "testing" - - api "k8s.io/api/core/v1" - networking "k8s.io/api/networking/v1" - meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/resolver" -) - -func buildIngress() *networking.Ingress { - defaultBackend := networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - } - - return &networking.Ingress{ - ObjectMeta: meta_v1.ObjectMeta{ - Name: "foo", - Namespace: api.NamespaceDefault, - }, - Spec: networking.IngressSpec{ - DefaultBackend: &networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "default-backend", - Port: networking.ServiceBackendPort{ - Number: 80, - }, - }, - }, - Rules: []networking.IngressRule{ - { - Host: "foo.bar.com", - IngressRuleValue: networking.IngressRuleValue{ - HTTP: &networking.HTTPIngressRuleValue{ - Paths: []networking.HTTPIngressPath{ - { - Path: "/foo", - Backend: defaultBackend, - }, - }, - }, - }, - }, - }, - }, - } -} - -type mockCfg struct { - resolver.Mock - certs map[string]resolver.AuthSSLCert -} - -func (cfg mockCfg) GetAuthCertificate(secret string) (*resolver.AuthSSLCert, error) { - if cert, ok := cfg.certs[secret]; ok { - return &cert, nil - } - return nil, fmt.Errorf("secret not found: %v", secret) -} - -func TestNoCA(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" - ing.SetAnnotations(data) - - _, err := NewParser(mockCfg{ - certs: map[string]resolver.AuthSSLCert{ - "default/secure-verify-ca": {}, - }, - }).Parse(ing) - if err != nil { - t.Errorf("Unexpected error on ingress: %v", err) - } -} - -func TestAnnotations(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" - data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca" - ing.SetAnnotations(data) - - _, err := NewParser(mockCfg{ - certs: map[string]resolver.AuthSSLCert{ - "default/secure-verify-ca": {}, - }, - }).Parse(ing) - if err != nil { - t.Errorf("Unexpected error on ingress: %v", err) - } -} - -func TestSecretNotFound(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" - data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca" - ing.SetAnnotations(data) - _, err := NewParser(mockCfg{}).Parse(ing) - if err != nil { - t.Error("Expected secret not found error on ingress") - } -} - -func TestSecretOnNonSecure(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTP" - data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca" - ing.SetAnnotations(data) - _, err := NewParser(mockCfg{ - certs: map[string]resolver.AuthSSLCert{ - "default/secure-verify-ca": {}, - }, - }).Parse(ing) - if err != nil { - t.Error("Expected CA secret on non secure backend error on ingress") - } -} - -func TestUnsupportedAnnotation(t *testing.T) { - ing := buildIngress() - data := map[string]string{} - data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS" - data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca" - ing.SetAnnotations(data) - - _, err := NewParser(mockCfg{ - certs: map[string]resolver.AuthSSLCert{ - "default/secure-verify-ca": {}, - }, - }).Parse(ing) - if err != nil { - t.Errorf("Unexpected error on ingress: %v", err) - } -} diff --git a/internal/ingress/annotations/serversnippet/main.go b/internal/ingress/annotations/serversnippet/main.go index 70f0af8e5..aa15608d0 100644 --- a/internal/ingress/annotations/serversnippet/main.go +++ b/internal/ingress/annotations/serversnippet/main.go @@ -23,18 +23,47 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + serverSnippetAnnotation = "server-snippet" +) + +var serverSnippetAnnotations = parser.Annotation{ + Group: "snippets", + Annotations: parser.AnnotationFields{ + serverSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations + Documentation: `This annotation allows setting a custom NGINX configuration on a server block. This annotation does not contain any validation and it's usage is not recommended!`, + }, + }, +} + type serverSnippet struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new server snippet annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return serverSnippet{r} + return serverSnippet{ + r: r, + annotationConfig: serverSnippetAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a serverSnippet) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("server-snippet", ing) + return parser.GetStringAnnotation(serverSnippetAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a serverSnippet) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a serverSnippet) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, serverSnippetAnnotations.Annotations) } diff --git a/internal/ingress/annotations/serversnippet/main_test.go b/internal/ingress/annotations/serversnippet/main_test.go index c9e0979ad..72e757dc1 100644 --- a/internal/ingress/annotations/serversnippet/main_test.go +++ b/internal/ingress/annotations/serversnippet/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("server-snippet") + annotation := parser.GetAnnotationWithPrefix(serverSnippetAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { @@ -54,6 +54,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/serviceupstream/main.go b/internal/ingress/annotations/serviceupstream/main.go index 4a4879682..d1851bc7b 100644 --- a/internal/ingress/annotations/serviceupstream/main.go +++ b/internal/ingress/annotations/serviceupstream/main.go @@ -24,19 +24,39 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + serviceUpstreamAnnotation = "service-upstream" +) + +var serviceUpstreamAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + serviceUpstreamAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, // Critical, this annotation is not validated at all and allows arbitrary configutations + Documentation: `This annotation makes NGINX use Service's Cluster IP and Port instead of Endpoints as the backend endpoints`, + }, + }, +} + type serviceUpstream struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new serviceUpstream annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return serviceUpstream{r} + return serviceUpstream{ + r: r, + annotationConfig: serviceUpstreamAnnotations, + } } func (s serviceUpstream) Parse(ing *networking.Ingress) (interface{}, error) { defBackend := s.r.GetDefaultBackend() - val, err := parser.GetBoolAnnotation("service-upstream", ing) + val, err := parser.GetBoolAnnotation(serviceUpstreamAnnotation, ing, s.annotationConfig.Annotations) // A missing annotation is not a problem, just use the default if err == errors.ErrMissingAnnotations { return defBackend.ServiceUpstream, nil @@ -44,3 +64,12 @@ func (s serviceUpstream) Parse(ing *networking.Ingress) (interface{}, error) { return val, nil } + +func (s serviceUpstream) GetDocumentation() parser.AnnotationFields { + return s.annotationConfig.Annotations +} + +func (s serviceUpstream) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(s.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, serviceUpstreamAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/serviceupstream/main_test.go b/internal/ingress/annotations/serviceupstream/main_test.go index b773e9723..e6216ee5a 100644 --- a/internal/ingress/annotations/serviceupstream/main_test.go +++ b/internal/ingress/annotations/serviceupstream/main_test.go @@ -74,10 +74,13 @@ func TestIngressAnnotationServiceUpstreamEnabled(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("service-upstream")] = "true" + data[parser.GetAnnotationWithPrefix(serviceUpstreamAnnotation)] = "true" ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok := val.(bool) if !ok { t.Errorf("expected a bool type") @@ -93,10 +96,13 @@ func TestIngressAnnotationServiceUpstreamSetFalse(t *testing.T) { // Test with explicitly set to false data := map[string]string{} - data[parser.GetAnnotationWithPrefix("service-upstream")] = "false" + data[parser.GetAnnotationWithPrefix(serviceUpstreamAnnotation)] = "false" ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok := val.(bool) if !ok { t.Errorf("expected a bool type") @@ -110,7 +116,10 @@ func TestIngressAnnotationServiceUpstreamSetFalse(t *testing.T) { data = map[string]string{} ing.SetAnnotations(data) - val, _ = NewParser(&resolver.Mock{}).Parse(ing) + val, err = NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok = val.(bool) if !ok { t.Errorf("expected a bool type") @@ -137,7 +146,10 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { func TestParseAnnotationsWithDefaultConfig(t *testing.T) { ing := buildIngress() - val, _ := NewParser(mockBackend{}).Parse(ing) + val, err := NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok := val.(bool) if !ok { @@ -155,10 +167,13 @@ func TestParseAnnotationsOverridesDefaultConfig(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix("service-upstream")] = "false" + data[parser.GetAnnotationWithPrefix(serviceUpstreamAnnotation)] = "false" ing.SetAnnotations(data) - val, _ := NewParser(mockBackend{}).Parse(ing) + val, err := NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok := val.(bool) if !ok { diff --git a/internal/ingress/annotations/sessionaffinity/main.go b/internal/ingress/annotations/sessionaffinity/main.go index 98a0d64f8..bee4a2094 100644 --- a/internal/ingress/annotations/sessionaffinity/main.go +++ b/internal/ingress/annotations/sessionaffinity/main.go @@ -63,11 +63,95 @@ const ( // This is used to control the cookie change after request failure annotationAffinityCookieChangeOnFailure = "session-cookie-change-on-failure" + + cookieAffinity = "cookie" ) -var ( - affinityCookieExpiresRegex = regexp.MustCompile(`(^0|-?[1-9]\d*$)`) -) +var sessionAffinityAnnotations = parser.Annotation{ + Group: "affinity", + Annotations: parser.AnnotationFields{ + annotationAffinityType: { + Validator: parser.ValidateOptions([]string{cookieAffinity}, true, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation enables and sets the affinity type in all Upstreams of an Ingress. This way, a request will always be directed to the same upstream server. The only affinity type available for NGINX is cookie`, + }, + annotationAffinityMode: { + Validator: parser.ValidateOptions([]string{"balanced", "persistent"}, true, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the stickiness of a session. + Setting this to balanced (default) will redistribute some sessions if a deployment gets scaled up, therefore rebalancing the load on the servers. + Setting this to persistent will not rebalance sessions to new servers, therefore providing maximum stickiness.`, + }, + annotationAffinityCanaryBehavior: { + Validator: parser.ValidateOptions([]string{"sticky", "legacy"}, true, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation defines the behavior of canaries when session affinity is enabled. + Setting this to sticky (default) will ensure that users that were served by canaries, will continue to be served by canaries. + Setting this to legacy will restore original canary behavior, when session affinity was ignored.`, + }, + annotationAffinityCookieName: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation allows to specify the name of the cookie that will be used to route the requests`, + }, + annotationAffinityCookieSecure: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation set the cookie as secure regardless the protocol of the incoming request`, + }, + annotationAffinityCookieExpires: { + Validator: parser.ValidateRegex(affinityCookieExpiresRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation is a legacy version of "session-cookie-max-age" for compatibility with older browsers, generates an "Expires" cookie directive by adding the seconds to the current date`, + }, + annotationAffinityCookieMaxAge: { + Validator: parser.ValidateRegex(affinityCookieExpiresRegex, false), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation sets the time until the cookie expires`, + }, + annotationAffinityCookiePath: { + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the Path that will be set on the cookie (required if your Ingress paths use regular expressions)`, + }, + annotationAffinityCookieDomain: { + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation defines the Domain attribute of the sticky cookie.`, + }, + annotationAffinityCookieSameSite: { + Validator: parser.ValidateOptions([]string{"none", "lax", "strict"}, false, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation is used to apply a SameSite attribute to the sticky cookie. + Browser accepted values are None, Lax, and Strict`, + }, + annotationAffinityCookieConditionalSameSiteNone: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation is used to omit SameSite=None from browsers with SameSite attribute incompatibilities`, + }, + annotationAffinityCookieChangeOnFailure: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation, when set to false will send request to upstream pointed by sticky cookie even if previous attempt failed. + When set to true and previous attempt failed, sticky cookie will be changed to point to another upstream.`, + }, + }, +} + +var affinityCookieExpiresRegex = regexp.MustCompile(`(^0|-?[1-9]\d*$)`) // Config describes the per ingress session affinity config type Config struct { @@ -102,6 +186,11 @@ type Cookie struct { ConditionalSameSiteNone bool `json:"conditional-samesite-none"` } +type affinity struct { + r resolver.Resolver + annotationConfig parser.Annotation +} + // cookieAffinityParse gets the annotation values related to Cookie Affinity // It also sets default values when no value or incorrect value is found func (a affinity) cookieAffinityParse(ing *networking.Ingress) *Cookie { @@ -109,50 +198,50 @@ func (a affinity) cookieAffinityParse(ing *networking.Ingress) *Cookie { cookie := &Cookie{} - cookie.Name, err = parser.GetStringAnnotation(annotationAffinityCookieName, ing) + cookie.Name, err = parser.GetStringAnnotation(annotationAffinityCookieName, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieName, "default", defaultAffinityCookieName) cookie.Name = defaultAffinityCookieName } - cookie.Expires, err = parser.GetStringAnnotation(annotationAffinityCookieExpires, ing) + cookie.Expires, err = parser.GetStringAnnotation(annotationAffinityCookieExpires, ing, a.annotationConfig.Annotations) if err != nil || !affinityCookieExpiresRegex.MatchString(cookie.Expires) { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieExpires) cookie.Expires = "" } - cookie.MaxAge, err = parser.GetStringAnnotation(annotationAffinityCookieMaxAge, ing) + cookie.MaxAge, err = parser.GetStringAnnotation(annotationAffinityCookieMaxAge, ing, a.annotationConfig.Annotations) if err != nil || !affinityCookieExpiresRegex.MatchString(cookie.MaxAge) { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieMaxAge) cookie.MaxAge = "" } - cookie.Path, err = parser.GetStringAnnotation(annotationAffinityCookiePath, ing) + cookie.Path, err = parser.GetStringAnnotation(annotationAffinityCookiePath, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookiePath) } - cookie.Domain, err = parser.GetStringAnnotation(annotationAffinityCookieDomain, ing) + cookie.Domain, err = parser.GetStringAnnotation(annotationAffinityCookieDomain, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieDomain) } - cookie.SameSite, err = parser.GetStringAnnotation(annotationAffinityCookieSameSite, ing) + cookie.SameSite, err = parser.GetStringAnnotation(annotationAffinityCookieSameSite, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieSameSite) } - cookie.Secure, err = parser.GetBoolAnnotation(annotationAffinityCookieSecure, ing) + cookie.Secure, err = parser.GetBoolAnnotation(annotationAffinityCookieSecure, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieSecure) } - cookie.ConditionalSameSiteNone, err = parser.GetBoolAnnotation(annotationAffinityCookieConditionalSameSiteNone, ing) + cookie.ConditionalSameSiteNone, err = parser.GetBoolAnnotation(annotationAffinityCookieConditionalSameSiteNone, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieConditionalSameSiteNone) } - cookie.ChangeOnFailure, err = parser.GetBoolAnnotation(annotationAffinityCookieChangeOnFailure, ing) + cookie.ChangeOnFailure, err = parser.GetBoolAnnotation(annotationAffinityCookieChangeOnFailure, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("Invalid or no annotation value found. Ignoring", "ingress", klog.KObj(ing), "annotation", annotationAffinityCookieChangeOnFailure) } @@ -162,11 +251,10 @@ func (a affinity) cookieAffinityParse(ing *networking.Ingress) *Cookie { // NewParser creates a new Affinity annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return affinity{r} -} - -type affinity struct { - r resolver.Resolver + return affinity{ + r: r, + annotationConfig: sessionAffinityAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -174,28 +262,27 @@ type affinity struct { func (a affinity) Parse(ing *networking.Ingress) (interface{}, error) { cookie := &Cookie{} // Check the type of affinity that will be used - at, err := parser.GetStringAnnotation(annotationAffinityType, ing) + at, err := parser.GetStringAnnotation(annotationAffinityType, ing, a.annotationConfig.Annotations) if err != nil { at = "" } // Check the affinity mode that will be used - am, err := parser.GetStringAnnotation(annotationAffinityMode, ing) + am, err := parser.GetStringAnnotation(annotationAffinityMode, ing, a.annotationConfig.Annotations) if err != nil { am = "" } - cb, err := parser.GetStringAnnotation(annotationAffinityCanaryBehavior, ing) + cb, err := parser.GetStringAnnotation(annotationAffinityCanaryBehavior, ing, a.annotationConfig.Annotations) if err != nil { cb = "" } switch at { - case "cookie": + case cookieAffinity: cookie = a.cookieAffinityParse(ing) default: klog.V(3).InfoS("No default affinity found", "ingress", ing.Name) - } return &Config{ @@ -205,3 +292,12 @@ func (a affinity) Parse(ing *networking.Ingress) (interface{}, error) { Cookie: *cookie, }, nil } + +func (a affinity) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a affinity) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, sessionAffinityAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/sessionaffinity/main_test.go b/internal/ingress/annotations/sessionaffinity/main_test.go index cffe57fec..4b7ea5e61 100644 --- a/internal/ingress/annotations/sessionaffinity/main_test.go +++ b/internal/ingress/annotations/sessionaffinity/main_test.go @@ -79,11 +79,16 @@ func TestIngressAffinityCookieConfig(t *testing.T) { data[parser.GetAnnotationWithPrefix(annotationAffinityCookieMaxAge)] = "3000" data[parser.GetAnnotationWithPrefix(annotationAffinityCookiePath)] = "/foo" data[parser.GetAnnotationWithPrefix(annotationAffinityCookieDomain)] = "foo.bar" + data[parser.GetAnnotationWithPrefix(annotationAffinityCookieSameSite)] = "Strict" data[parser.GetAnnotationWithPrefix(annotationAffinityCookieChangeOnFailure)] = "true" data[parser.GetAnnotationWithPrefix(annotationAffinityCookieSecure)] = "true" ing.SetAnnotations(data) - affin, _ := NewParser(&resolver.Mock{}).Parse(ing) + affin, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing annotations: %v", err) + } + nginxAffinity, ok := affin.(*Config) if !ok { t.Errorf("expected a Config type") @@ -117,6 +122,10 @@ func TestIngressAffinityCookieConfig(t *testing.T) { t.Errorf("expected foo.bar as session-cookie-domain but returned %v", nginxAffinity.Cookie.Domain) } + if nginxAffinity.Cookie.SameSite != "Strict" { + t.Errorf("expected Strict as session-cookie-same-site but returned %v", nginxAffinity.Cookie.SameSite) + } + if !nginxAffinity.Cookie.ChangeOnFailure { t.Errorf("expected change of failure parameter set to true but returned %v", nginxAffinity.Cookie.ChangeOnFailure) } diff --git a/internal/ingress/annotations/snippet/main.go b/internal/ingress/annotations/snippet/main.go index 93ec70cf9..2406093c5 100644 --- a/internal/ingress/annotations/snippet/main.go +++ b/internal/ingress/annotations/snippet/main.go @@ -23,18 +23,47 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + configurationSnippetAnnotation = "configuration-snippet" +) + +var configurationSnippetAnnotations = parser.Annotation{ + Group: "snippets", + Annotations: parser.AnnotationFields{ + configurationSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations + Documentation: `This annotation allows setting a custom NGINX configuration on a location block. This annotation does not contain any validation and it's usage is not recommended!`, + }, + }, +} + type snippet struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new CORS annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return snippet{r} + return snippet{ + r: r, + annotationConfig: configurationSnippetAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a snippet) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("configuration-snippet", ing) + return parser.GetStringAnnotation(configurationSnippetAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a snippet) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a snippet) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, configurationSnippetAnnotations.Annotations) } diff --git a/internal/ingress/annotations/snippet/main_test.go b/internal/ingress/annotations/snippet/main_test.go index 0defc3c1f..b29b2950d 100644 --- a/internal/ingress/annotations/snippet/main_test.go +++ b/internal/ingress/annotations/snippet/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("configuration-snippet") + annotation := parser.GetAnnotationWithPrefix(configurationSnippetAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { @@ -54,6 +54,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/sslcipher/main.go b/internal/ingress/annotations/sslcipher/main.go index e4e5baad2..7a282d0a0 100644 --- a/internal/ingress/annotations/sslcipher/main.go +++ b/internal/ingress/annotations/sslcipher/main.go @@ -17,14 +17,46 @@ limitations under the License. package sslcipher import ( + "regexp" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + sslPreferServerCipherAnnotation = "ssl-prefer-server-ciphers" + sslCipherAnnotation = "ssl-ciphers" +) + +// Should cover something like "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" +// (?:@STRENGTH) is included twice so it can appear before or after @SECLEVEL=n +var regexValidSSLCipher = regexp.MustCompile(`^(?:(?:[A-Za-z0-9!:+\-])*(?:@STRENGTH)*(?:@SECLEVEL=[0-5])*(?:@STRENGTH)*)*$`) + +var sslCipherAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + sslPreferServerCipherAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `The following annotation will set the ssl_prefer_server_ciphers directive at the server level. + This configuration specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.`, + }, + sslCipherAnnotation: { + Validator: parser.ValidateRegex(regexValidSSLCipher, true), + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, + Documentation: `Using this annotation will set the ssl_ciphers directive at the server level. This configuration is active for all the paths in the host.`, + }, + }, +} + type sslCipher struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the ssl-ciphers & ssl-prefer-server-ciphers configuration @@ -35,7 +67,10 @@ type Config struct { // NewParser creates a new sslCipher annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return sslCipher{r} + return sslCipher{ + r: r, + annotationConfig: sslCipherAnnotations, + } } // Parse parses the annotations contained in the ingress rule @@ -45,7 +80,7 @@ func (sc sslCipher) Parse(ing *networking.Ingress) (interface{}, error) { var err error var sslPreferServerCiphers bool - sslPreferServerCiphers, err = parser.GetBoolAnnotation("ssl-prefer-server-ciphers", ing) + sslPreferServerCiphers, err = parser.GetBoolAnnotation(sslPreferServerCipherAnnotation, ing, sc.annotationConfig.Annotations) if err != nil { config.SSLPreferServerCiphers = "" } else { @@ -56,7 +91,19 @@ func (sc sslCipher) Parse(ing *networking.Ingress) (interface{}, error) { } } - config.SSLCiphers, _ = parser.GetStringAnnotation("ssl-ciphers", ing) + config.SSLCiphers, err = parser.GetStringAnnotation(sslCipherAnnotation, ing, sc.annotationConfig.Annotations) + if err != nil && !errors.IsInvalidContent(err) && !errors.IsMissingAnnotations(err) { + return config, err + } return config, nil } + +func (sc sslCipher) GetDocumentation() parser.AnnotationFields { + return sc.annotationConfig.Annotations +} + +func (sc sslCipher) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(sc.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, sslCipherAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/sslcipher/main_test.go b/internal/ingress/annotations/sslcipher/main_test.go index 6eb9ec0c2..f1675d4c7 100644 --- a/internal/ingress/annotations/sslcipher/main_test.go +++ b/internal/ingress/annotations/sslcipher/main_test.go @@ -33,22 +33,31 @@ func TestParse(t *testing.T) { t.Fatalf("expected a parser.IngressAnnotation but returned nil") } - annotationSSLCiphers := parser.GetAnnotationWithPrefix("ssl-ciphers") - annotationSSLPreferServerCiphers := parser.GetAnnotationWithPrefix("ssl-prefer-server-ciphers") + annotationSSLCiphers := parser.GetAnnotationWithPrefix(sslCipherAnnotation) + annotationSSLPreferServerCiphers := parser.GetAnnotationWithPrefix(sslPreferServerCipherAnnotation) testCases := []struct { annotations map[string]string expected Config + expectErr bool }{ - {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", ""}}, - {map[string]string{annotationSSLCiphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}, - Config{"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", ""}}, - {map[string]string{annotationSSLCiphers: ""}, Config{"", ""}}, - {map[string]string{annotationSSLPreferServerCiphers: "true"}, Config{"", "on"}}, - {map[string]string{annotationSSLPreferServerCiphers: "false"}, Config{"", "off"}}, - {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", annotationSSLPreferServerCiphers: "true"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", "on"}}, - {map[string]string{}, Config{"", ""}}, - {nil, Config{"", ""}}, + {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", ""}, false}, + {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56@SECLEVEL=2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, Config{"ALL:!aNULL:!EXPORT56@SECLEVEL=2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", ""}, false}, + {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP@STRENGTH"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP@STRENGTH", ""}, false}, + {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP@STRENGTH@SECLEVEL=3"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP@STRENGTH@SECLEVEL=3", ""}, false}, + {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA@STRENGTH:+HIGH@SECLEVEL=5:+MEDIUM:+LOW:+SSLv2:+EXP"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA@STRENGTH:+HIGH@SECLEVEL=5:+MEDIUM:+LOW:+SSLv2:+EXP", ""}, false}, + { + map[string]string{annotationSSLCiphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}, + Config{"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", ""}, + false, + }, + {map[string]string{annotationSSLCiphers: ""}, Config{"", ""}, false}, + {map[string]string{annotationSSLPreferServerCiphers: "true"}, Config{"", "on"}, false}, + {map[string]string{annotationSSLPreferServerCiphers: "false"}, Config{"", "off"}, false}, + {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", annotationSSLPreferServerCiphers: "true"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", "on"}, false}, + {map[string]string{annotationSSLCiphers: "ALL:SOMETHING:;locationXPTO"}, Config{"", ""}, true}, + {map[string]string{}, Config{"", ""}, false}, + {nil, Config{"", ""}, false}, } ing := &networking.Ingress{ @@ -59,10 +68,13 @@ func TestParse(t *testing.T) { Spec: networking.IngressSpec{}, } - for _, testCase := range testCases { + for i, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) - if !reflect.DeepEqual(result, &testCase.expected) { + result, err := ap.Parse(ing) + if (err != nil) != testCase.expectErr { + t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations) + } + if !reflect.DeepEqual(result, &testCases[i].expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) } } diff --git a/internal/ingress/annotations/sslpassthrough/main.go b/internal/ingress/annotations/sslpassthrough/main.go index d1def7172..c06db8715 100644 --- a/internal/ingress/annotations/sslpassthrough/main.go +++ b/internal/ingress/annotations/sslpassthrough/main.go @@ -24,13 +24,33 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + sslPassthroughAnnotation = "ssl-passthrough" +) + +var sslPassthroughAnnotations = parser.Annotation{ + Group: "", // TBD + Annotations: parser.AnnotationFields{ + sslPassthroughAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set + Documentation: `This annotation instructs the controller to send TLS connections directly to the backend instead of letting NGINX decrypt the communication.`, + }, + }, +} + type sslpt struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new SSL passthrough annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return sslpt{r} + return sslpt{ + r: r, + annotationConfig: sslPassthroughAnnotations, + } } // ParseAnnotations parses the annotations contained in the ingress @@ -40,5 +60,14 @@ func (a sslpt) Parse(ing *networking.Ingress) (interface{}, error) { return false, ing_errors.ErrMissingAnnotations } - return parser.GetBoolAnnotation("ssl-passthrough", ing) + return parser.GetBoolAnnotation(sslPassthroughAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a sslpt) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a sslpt) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, sslPassthroughAnnotations.Annotations) } diff --git a/internal/ingress/annotations/sslpassthrough/main_test.go b/internal/ingress/annotations/sslpassthrough/main_test.go index 5cf2f979a..b712fda19 100644 --- a/internal/ingress/annotations/sslpassthrough/main_test.go +++ b/internal/ingress/annotations/sslpassthrough/main_test.go @@ -54,7 +54,7 @@ func TestParseAnnotations(t *testing.T) { } data := map[string]string{} - data[parser.GetAnnotationWithPrefix("ssl-passthrough")] = "true" + data[parser.GetAnnotationWithPrefix(sslPassthroughAnnotation)] = "true" ing.SetAnnotations(data) // test ingress using the annotation without a TLS section _, err = NewParser(&resolver.Mock{}).Parse(ing) diff --git a/internal/ingress/annotations/streamsnippet/main.go b/internal/ingress/annotations/streamsnippet/main.go index fb22f754c..71ff3b140 100644 --- a/internal/ingress/annotations/streamsnippet/main.go +++ b/internal/ingress/annotations/streamsnippet/main.go @@ -23,18 +23,47 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + streamSnippetAnnotation = "stream-snippet" +) + +var streamSnippetAnnotations = parser.Annotation{ + Group: "snippets", + Annotations: parser.AnnotationFields{ + streamSnippetAnnotation: { + Validator: parser.ValidateNull, + Scope: parser.AnnotationScopeIngress, + Risk: parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations + Documentation: `This annotation allows setting a custom NGINX configuration on a stream block. This annotation does not contain any validation and it's usage is not recommended!`, + }, + }, +} + type streamSnippet struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new server snippet annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return streamSnippet{r} + return streamSnippet{ + r: r, + annotationConfig: streamSnippetAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a streamSnippet) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("stream-snippet", ing) + return parser.GetStringAnnotation("stream-snippet", ing, a.annotationConfig.Annotations) +} + +func (a streamSnippet) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a streamSnippet) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, streamSnippetAnnotations.Annotations) } diff --git a/internal/ingress/annotations/streamsnippet/main_test.go b/internal/ingress/annotations/streamsnippet/main_test.go index 0b8e3e3aa..e8a1ff8d0 100644 --- a/internal/ingress/annotations/streamsnippet/main_test.go +++ b/internal/ingress/annotations/streamsnippet/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("stream-snippet") + annotation := parser.GetAnnotationWithPrefix(streamSnippetAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { @@ -38,7 +38,8 @@ func TestParse(t *testing.T) { annotations map[string]string expected string }{ - {map[string]string{annotation: "server { listen: 8000; proxy_pass 127.0.0.1:80}"}, + { + map[string]string{annotation: "server { listen: 8000; proxy_pass 127.0.0.1:80}"}, "server { listen: 8000; proxy_pass 127.0.0.1:80}", }, {map[string]string{annotation: "false"}, "false"}, @@ -56,6 +57,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/upstreamhashby/main.go b/internal/ingress/annotations/upstreamhashby/main.go index e6bbca6c3..25cc88b8e 100644 --- a/internal/ingress/annotations/upstreamhashby/main.go +++ b/internal/ingress/annotations/upstreamhashby/main.go @@ -17,14 +17,54 @@ limitations under the License. package upstreamhashby import ( + "regexp" + networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" + "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + upstreamHashByAnnotation = "upstream-hash-by" + upstreamHashBySubsetAnnotation = "upstream-hash-by-subset" + upstreamHashBySubsetSize = "upstream-hash-by-subset-size" +) + +var ( + specialChars = regexp.QuoteMeta("_${}") + hashByRegex = regexp.MustCompilePOSIX(`^[A-Za-z0-9\-` + specialChars + `]*$`) +) + +var upstreamHashByAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + upstreamHashByAnnotation: { + Validator: parser.ValidateRegex(hashByRegex, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskHigh, // High, this annotation allows accessing NGINX variables + Documentation: `This annotation defines the nginx variable, text value or any combination thereof to use for consistent hashing. + For example: nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri" or nginx.ingress.kubernetes.io/upstream-hash-by: "$request_uri$host" or nginx.ingress.kubernetes.io/upstream-hash-by: "${request_uri}-text-value" to consistently hash upstream requests by the current request URI.`, + }, + upstreamHashBySubsetAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation maps requests to subset of nodes instead of a single one.`, + }, + upstreamHashBySubsetSize: { + Validator: parser.ValidateInt, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation determines the size of each subset (default 3)`, + }, + }, +} + type upstreamhashby struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // Config contains the Consistent hash configuration to be used in the Ingress @@ -36,14 +76,26 @@ type Config struct { // NewParser creates a new UpstreamHashBy annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return upstreamhashby{r} + return upstreamhashby{ + r: r, + annotationConfig: upstreamHashByAnnotations, + } } // Parse parses the annotations contained in the ingress rule func (a upstreamhashby) Parse(ing *networking.Ingress) (interface{}, error) { - upstreamHashBy, _ := parser.GetStringAnnotation("upstream-hash-by", ing) - upstreamHashBySubset, _ := parser.GetBoolAnnotation("upstream-hash-by-subset", ing) - upstreamHashbySubsetSize, _ := parser.GetIntAnnotation("upstream-hash-by-subset-size", ing) + upstreamHashBy, err := parser.GetStringAnnotation(upstreamHashByAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && !errors.IsMissingAnnotations(err) { + return nil, err + } + upstreamHashBySubset, err := parser.GetBoolAnnotation(upstreamHashBySubsetAnnotation, ing, a.annotationConfig.Annotations) + if err != nil && !errors.IsMissingAnnotations(err) { + return nil, err + } + upstreamHashbySubsetSize, err := parser.GetIntAnnotation(upstreamHashBySubsetSize, ing, a.annotationConfig.Annotations) + if err != nil && !errors.IsMissingAnnotations(err) { + return nil, err + } if upstreamHashbySubsetSize == 0 { upstreamHashbySubsetSize = 3 @@ -51,3 +103,12 @@ func (a upstreamhashby) Parse(ing *networking.Ingress) (interface{}, error) { return &Config{upstreamHashBy, upstreamHashBySubset, upstreamHashbySubsetSize}, nil } + +func (a upstreamhashby) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a upstreamhashby) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, upstreamHashByAnnotations.Annotations) +} diff --git a/internal/ingress/annotations/upstreamhashby/main_test.go b/internal/ingress/annotations/upstreamhashby/main_test.go index d2c2644ca..bdbd9c350 100644 --- a/internal/ingress/annotations/upstreamhashby/main_test.go +++ b/internal/ingress/annotations/upstreamhashby/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("upstream-hash-by") + annotation := parser.GetAnnotationWithPrefix(upstreamHashByAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { @@ -37,12 +37,15 @@ func TestParse(t *testing.T) { testCases := []struct { annotations map[string]string expected string + expectErr bool }{ - {map[string]string{annotation: "$request_uri"}, "$request_uri"}, - {map[string]string{annotation: "$request_uri$scheme"}, "$request_uri$scheme"}, - {map[string]string{annotation: "false"}, "false"}, - {map[string]string{}, ""}, - {nil, ""}, + {map[string]string{annotation: "$request_URI"}, "$request_URI", false}, + {map[string]string{annotation: "$request_uri$scheme"}, "$request_uri$scheme", false}, + {map[string]string{annotation: "xpto;[]"}, "", true}, + {map[string]string{annotation: "lalal${scheme_test}"}, "lalal${scheme_test}", false}, + {map[string]string{annotation: "false"}, "false", false}, + {map[string]string{}, "", false}, + {nil, "", false}, } ing := &networking.Ingress{ @@ -55,14 +58,19 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) - uc, ok := result.(*Config) - if !ok { - t.Fatalf("expected a Config type") + result, err := ap.Parse(ing) + if (err != nil) != testCase.expectErr { + t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations) } + if !testCase.expectErr { + uc, ok := result.(*Config) + if !ok { + t.Fatalf("expected a Config type") + } - if uc.UpstreamHashBy != testCase.expected { - t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) + if uc.UpstreamHashBy != testCase.expected { + t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) + } } } } diff --git a/internal/ingress/annotations/upstreamvhost/main.go b/internal/ingress/annotations/upstreamvhost/main.go index 2eed5607e..052ca2344 100644 --- a/internal/ingress/annotations/upstreamvhost/main.go +++ b/internal/ingress/annotations/upstreamvhost/main.go @@ -23,18 +23,48 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + upstreamVhostAnnotation = "upstream-vhost" +) + +var upstreamVhostAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + upstreamVhostAnnotation: { + Validator: parser.ValidateServerName, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set + Documentation: `This configuration setting allows you to control the value for host in the following statement: proxy_set_header Host $host, which forms part of the location block. + This is useful if you need to call the upstream server by something other than $host`, + }, + }, +} + type upstreamVhost struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new upstream VHost annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return upstreamVhost{r} + return upstreamVhost{ + r: r, + annotationConfig: upstreamVhostAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to indicate if the location/s contains a fragment of // configuration to be included inside the paths of the rules func (a upstreamVhost) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("upstream-vhost", ing) + return parser.GetStringAnnotation(upstreamVhostAnnotation, ing, a.annotationConfig.Annotations) +} + +func (a upstreamVhost) GetDocumentation() parser.AnnotationFields { + return a.annotationConfig.Annotations +} + +func (a upstreamVhost) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, upstreamVhostAnnotations.Annotations) } diff --git a/internal/ingress/annotations/upstreamvhost/main_test.go b/internal/ingress/annotations/upstreamvhost/main_test.go index 130d745ee..87324b181 100644 --- a/internal/ingress/annotations/upstreamvhost/main_test.go +++ b/internal/ingress/annotations/upstreamvhost/main_test.go @@ -36,7 +36,7 @@ func TestParse(t *testing.T) { } data := map[string]string{} - data[parser.GetAnnotationWithPrefix("upstream-vhost")] = "ok.com" + data[parser.GetAnnotationWithPrefix(upstreamVhostAnnotation)] = "ok.com" ing.SetAnnotations(data) diff --git a/internal/ingress/annotations/xforwardedprefix/main.go b/internal/ingress/annotations/xforwardedprefix/main.go index 60eed8773..54bb7199a 100644 --- a/internal/ingress/annotations/xforwardedprefix/main.go +++ b/internal/ingress/annotations/xforwardedprefix/main.go @@ -23,17 +23,47 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + xForwardedForPrefixAnnotation = "x-forwarded-prefix" +) + +var xForwardedForAnnotations = parser.Annotation{ + Group: "backend", + Annotations: parser.AnnotationFields{ + xForwardedForPrefixAnnotation: { + Validator: parser.ValidateRegex(parser.RegexPathWithCapture, true), + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskMedium, + Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value. It can + contain regular characters and captured groups specified as '$1', '$2', etc.`, + }, + }, +} + type xforwardedprefix struct { - r resolver.Resolver + r resolver.Resolver + annotationConfig parser.Annotation } // NewParser creates a new xforwardedprefix annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return xforwardedprefix{r} + return xforwardedprefix{ + r: r, + annotationConfig: xForwardedForAnnotations, + } } // Parse parses the annotations contained in the ingress rule // used to add an x-forwarded-prefix header to the request -func (cbbs xforwardedprefix) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation("x-forwarded-prefix", ing) +func (x xforwardedprefix) Parse(ing *networking.Ingress) (interface{}, error) { + return parser.GetStringAnnotation(xForwardedForPrefixAnnotation, ing, x.annotationConfig.Annotations) +} + +func (x xforwardedprefix) GetDocumentation() parser.AnnotationFields { + return x.annotationConfig.Annotations +} + +func (x xforwardedprefix) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(x.r.GetSecurityConfiguration().AnnotationsRiskLevel) + return parser.CheckAnnotationRisk(anns, maxrisk, xForwardedForAnnotations.Annotations) } diff --git a/internal/ingress/annotations/xforwardedprefix/main_test.go b/internal/ingress/annotations/xforwardedprefix/main_test.go index a78c63d04..977e7d372 100644 --- a/internal/ingress/annotations/xforwardedprefix/main_test.go +++ b/internal/ingress/annotations/xforwardedprefix/main_test.go @@ -27,7 +27,7 @@ import ( ) func TestParse(t *testing.T) { - annotation := parser.GetAnnotationWithPrefix("x-forwarded-prefix") + annotation := parser.GetAnnotationWithPrefix(xForwardedForPrefixAnnotation) ap := NewParser(&resolver.Mock{}) if ap == nil { t.Fatalf("expected a parser.IngressAnnotation but returned nil") @@ -40,6 +40,7 @@ func TestParse(t *testing.T) { {map[string]string{annotation: "true"}, "true"}, {map[string]string{annotation: "1"}, "1"}, {map[string]string{annotation: ""}, ""}, + {map[string]string{annotation: "/$1"}, "/$1"}, {map[string]string{}, ""}, {nil, ""}, } @@ -54,6 +55,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/controller/certificate.go b/internal/ingress/controller/certificate.go index e8707c716..76aafec3c 100644 --- a/internal/ingress/controller/certificate.go +++ b/internal/ingress/controller/certificate.go @@ -100,7 +100,7 @@ func matchHostnames(pattern, host string) bool { host = strings.TrimSuffix(host, ".") pattern = strings.TrimSuffix(pattern, ".") - if len(pattern) == 0 || len(host) == 0 { + if pattern == "" || host == "" { return false } diff --git a/internal/ingress/controller/checker.go b/internal/ingress/controller/checker.go index 3229778bb..d1bf19ddf 100644 --- a/internal/ingress/controller/checker.go +++ b/internal/ingress/controller/checker.go @@ -29,7 +29,7 @@ import ( ) // Name returns the healthcheck name -func (n NGINXController) Name() string { +func (n *NGINXController) Name() string { return "nginx-ingress-controller" } diff --git a/internal/ingress/controller/checker_test.go b/internal/ingress/controller/checker_test.go index 5d9fb1baf..5fb6b09fd 100644 --- a/internal/ingress/controller/checker_test.go +++ b/internal/ingress/controller/checker_test.go @@ -32,7 +32,7 @@ import ( ) func TestNginxCheck(t *testing.T) { - var tests = []struct { + tests := []struct { healthzPath string }{ {"/healthz"}, @@ -42,7 +42,6 @@ func TestNginxCheck(t *testing.T) { for _, tt := range tests { testName := fmt.Sprintf("health path: %s", tt.healthzPath) t.Run(testName, func(t *testing.T) { - mux := http.NewServeMux() listener, err := tryListen("tcp", fmt.Sprintf(":%v", nginx.StatusPort)) @@ -50,7 +49,7 @@ func TestNginxCheck(t *testing.T) { t.Fatalf("creating tcp listener: %s", err) } defer listener.Close() - + //nolint:gosec // Ignore not configured ReadHeaderTimeout in testing server := &httptest.Server{ Listener: listener, Config: &http.Server{ @@ -76,7 +75,10 @@ func TestNginxCheck(t *testing.T) { }) // create pid file - os.MkdirAll("/tmp/nginx", file.ReadWriteByUser) + if err := os.MkdirAll("/tmp/nginx", file.ReadWriteByUser); err != nil { + t.Errorf("unexpected error creating pid file: %v", err) + } + pidFile, err := os.Create(nginx.PID) if err != nil { t.Fatalf("unexpected error: %v", err) @@ -90,14 +92,23 @@ func TestNginxCheck(t *testing.T) { // start dummy process to use the PID cmd := exec.Command("sleep", "3600") - cmd.Start() + if err := cmd.Start(); err != nil { + t.Errorf("unexpected error: %v", err) + } pid := cmd.Process.Pid - defer cmd.Process.Kill() + defer func() { + if err := cmd.Process.Kill(); err != nil { + t.Errorf("unexpected error killing the process: %v", err) + } + }() go func() { - cmd.Wait() + cmd.Wait() //nolint:errcheck // Ignore the error }() - pidFile.Write([]byte(fmt.Sprintf("%v", pid))) + if _, err := fmt.Fprintf(pidFile, "%v", pid); err != nil { + t.Errorf("unexpected error writing the pid file: %v", err) + } + pidFile.Close() healthz.InstallPathHandler(mux, tt.healthzPath, n) @@ -109,7 +120,7 @@ func TestNginxCheck(t *testing.T) { }) // pollute pid file - pidFile.Write([]byte(fmt.Sprint("999999"))) + pidFile.WriteString("999999") //nolint:errcheck // Ignore the error pidFile.Close() t.Run("bad pid", func(t *testing.T) { @@ -122,7 +133,7 @@ func TestNginxCheck(t *testing.T) { } func callHealthz(expErr bool, healthzPath string, mux *http.ServeMux) error { - req, err := http.NewRequest("GET", healthzPath, nil) + req, err := http.NewRequest(http.MethodGet, healthzPath, http.NoBody) if err != nil { return fmt.Errorf("healthz error: %v", err) } diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 8bf71b774..bad82b8b0 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -29,10 +29,8 @@ import ( "k8s.io/ingress-nginx/pkg/util/runtime" ) -var ( - // EnableSSLChainCompletion Autocomplete SSL certificate chains with missing intermediate CA certificates. - EnableSSLChainCompletion = false -) +// EnableSSLChainCompletion Autocomplete SSL certificate chains with missing intermediate CA certificates. +var EnableSSLChainCompletion = false const ( // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size @@ -48,7 +46,7 @@ const ( // that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. // https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security // max-age is the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS. - hstsMaxAge = "15724800" + hstsMaxAge = "31536000" gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component" @@ -91,12 +89,23 @@ const ( // Configuration represents the content of nginx.conf file type Configuration struct { - defaults.Backend `json:",squash"` + defaults.Backend `json:",squash"` //nolint:staticcheck // Ignore unknown JSON option "squash" error // AllowSnippetAnnotations enable users to add their own snippets via ingress annotation. // If disabled, only snippets added via ConfigMap are added to ingress. AllowSnippetAnnotations bool `json:"allow-snippet-annotations"` + // AllowCrossNamespaceResources enables users to consume cross namespace resource on annotations + // Case disabled, attempts to use secrets or configmaps from a namespace different from Ingress will + // be denied + // This value will default to `false` on future releases + AllowCrossNamespaceResources bool `json:"allow-cross-namespace-resources"` + + // AnnotationsRiskLevel represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations + // with risk High and Critical will not be accepted. + // Default Risk is Critical by default, but this may be changed in future releases + AnnotationsRiskLevel string `json:"annotations-risk-level"` + // AnnotationValueWordBlocklist defines words that should not be part of an user annotation value // (can be used to run arbitrary code or configs, for example) and that should be dropped. // This list should be separated by "," character @@ -120,15 +129,19 @@ type Configuration struct { // By default this is disabled EnableAccessLogForDefaultBackend bool `json:"enable-access-log-for-default-backend"` + // EnableAuthAccessLog enable auth access log + // By default this is disabled + EnableAuthAccessLog bool `json:"enable-auth-access-log"` + // AccessLogPath sets the path of the access logs for both http and stream contexts if enabled // http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log // http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log // By default access logs go to /var/log/nginx/access.log AccessLogPath string `json:"access-log-path,omitempty"` - // HttpAccessLogPath sets the path of the access logs for http context globally if enabled + // HTTPAccessLogPath sets the path of the access logs for http context globally if enabled // http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log - HttpAccessLogPath string `json:"http-access-log-path,omitempty"` + HTTPAccessLogPath string `json:"http-access-log-path,omitempty"` // StreamAccessLogPath sets the path of the access logs for stream context globally if enabled // http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log @@ -215,16 +228,19 @@ type Configuration struct { // https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size // HTTP2MaxFieldSize Limits the maximum size of an HPACK-compressed request header field + // Deprecated: HTTP2MaxFieldSize is deprecated. HTTP2MaxFieldSize string `json:"http2-max-field-size,omitempty"` // https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size // HTTP2MaxHeaderSize Limits the maximum size of the entire request header list after HPACK decompression + // Deprecated: HTTP2MaxHeaderSize is deprecated. HTTP2MaxHeaderSize string `json:"http2-max-header-size,omitempty"` // http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests // HTTP2MaxRequests Sets the maximum number of requests (including push requests) that can be served // through one HTTP/2 connection, after which the next client request will lead to connection closing // and the need of establishing a new connection. + // Deprecated: HTTP2MaxRequests is deprecated. HTTP2MaxRequests int `json:"http2-max-requests,omitempty"` // http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_concurrent_streams @@ -408,14 +424,14 @@ type Configuration struct { // Example '60s' ProxyProtocolHeaderTimeout time.Duration `json:"proxy-protocol-header-timeout,omitempty"` + // Enables or disables the directive aio_write that writes files files asynchronously + // https://nginx.org/en/docs/http/ngx_http_core_module.html#aio_write + EnableAioWrite bool `json:"enable-aio-write,omitempty"` + // Enables or disables the use of the nginx module that compresses responses using the "gzip" method // http://nginx.org/en/docs/http/ngx_http_gzip_module.html UseGzip bool `json:"use-gzip,omitempty"` - // Enables or disables the use of the nginx geoip module that creates variables with values depending on the client IP - // http://nginx.org/en/docs/http/ngx_http_geoip_module.html - UseGeoIP bool `json:"use-geoip,omitempty"` - // UseGeoIP2 enables the geoip2 module for NGINX // By default this is disabled UseGeoIP2 bool `json:"use-geoip2,omitempty"` @@ -438,6 +454,11 @@ type Configuration struct { // Default: true UseHTTP2 bool `json:"use-http2,omitempty"` + // Disables gzipping of responses for requests with "User-Agent" header fields matching any of + // the specified regular expressions. + // http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable + GzipDisable string `json:"gzip-disable,omitempty"` + // gzip Compression Level that will be used GzipLevel int `json:"gzip-level,omitempty"` @@ -519,6 +540,10 @@ type Configuration struct { // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version ProxyHTTPVersion string `json:"proxy-http-version"` + // Disables NGINX proxy-intercept-errors when error_page/custom-http-errors are set + // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors + DisableProxyInterceptErrors bool `json:"disable-proxy-intercept-errors,omitempty"` + // Sets the ipv4 addresses on which the server will accept requests. BindAddressIpv4 []string `json:"bind-address-ipv4,omitempty"` @@ -529,7 +554,7 @@ type Configuration struct { UseForwardedHeaders bool `json:"use-forwarded-headers"` // Sets whether to enable the real ip module - EnableRealIp bool `json:"enable-real-ip"` + EnableRealIP bool `json:"enable-real-ip"` // Sets the header field for identifying the originating IP address of a client // Default is X-Forwarded-For @@ -547,116 +572,56 @@ type Configuration struct { // Default: true ProxyAddOriginalURIHeader bool `json:"proxy-add-original-uri-header"` - // EnableOpentracing enables the nginx Opentracing extension - // https://github.com/opentracing-contrib/nginx-opentracing + // EnableOpentelemetry enables the nginx Opentelemetry extension // By default this is disabled - EnableOpentracing bool `json:"enable-opentracing"` + EnableOpentelemetry bool `json:"enable-opentelemetry"` - // OpentracingOperationName specifies a custom name for the server span - OpentracingOperationName string `json:"opentracing-operation-name"` + // OpentelemetryConfig sets the opentelemetry config file + // Default: /etc/nginx/opentelemetry.toml + OpentelemetryConfig string `json:"opentelemetry-config"` - // OpentracingOperationName specifies a custom name for the location span - OpentracingLocationOperationName string `json:"opentracing-location-operation-name"` + // OpentelemetryOperationName specifies a custom name for the server span + OpentelemetryOperationName string `json:"opentelemetry-operation-name"` - // OpentracingTrustIncomingSpan sets whether or not to trust incoming trace spans + // OpentelemetryTrustIncomingSpan sets whether or not to trust incoming trace spans // If false, incoming span headers will be rejected // Default: true - OpentracingTrustIncomingSpan bool `json:"opentracing-trust-incoming-span"` + OpentelemetryTrustIncomingSpan bool `json:"opentelemetry-trust-incoming-span"` - // ZipkinCollectorHost specifies the host to use when uploading traces - ZipkinCollectorHost string `json:"zipkin-collector-host"` + // OtlpCollectorHost specifies the host to use when uploading traces + OtlpCollectorHost string `json:"otlp-collector-host"` - // ZipkinCollectorPort specifies the port to use when uploading traces - // Default: 9411 - ZipkinCollectorPort int `json:"zipkin-collector-port"` + // OtlpCollectorPort specifies the port to use when uploading traces + // Default: 4317 + OtlpCollectorPort string `json:"otlp-collector-port"` - // ZipkinServiceName specifies the service name to use for any traces created + // OtelServiceName specifies the service name to use for any traces created // Default: nginx - ZipkinServiceName string `json:"zipkin-service-name"` + OtelServiceName string `json:"otel-service-name"` - // ZipkinSampleRate specifies sampling rate for traces - // Default: 1.0 - ZipkinSampleRate float32 `json:"zipkin-sample-rate"` + // OtelSampler specifies the sampler to use for any traces created + // Default: AlwaysOn + OtelSampler string `json:"otel-sampler"` - // JaegerCollectorHost specifies the host to use when uploading traces - JaegerCollectorHost string `json:"jaeger-collector-host"` + // OtelSamplerRatio specifies the sampler ratio to use for any traces created + // Default: 0.01 + OtelSamplerRatio float32 `json:"otel-sampler-ratio"` - // JaegerCollectorPort specifies the port to use when uploading traces - // Default: 6831 - JaegerCollectorPort int `json:"jaeger-collector-port"` - - // JaegerEndpoint specifies the enpoint to use when uploading traces to a collector over TCP - JaegerEndpoint string `json:"jaeger-endpoint"` - - // JaegerServiceName specifies the service name to use for any traces created - // Default: nginx - JaegerServiceName string `json:"jaeger-service-name"` - - // JaegerPropagationFormat specifies the traceparent/tracestate propagation format - JaegerPropagationFormat string `json:"jaeger-propagation-format"` - - // JaegerSamplerType specifies the sampler to be used when sampling traces. - // The available samplers are: const, probabilistic, ratelimiting, remote - // Default: const - JaegerSamplerType string `json:"jaeger-sampler-type"` - - // JaegerSamplerParam specifies the argument to be passed to the sampler constructor - // Default: 1 - JaegerSamplerParam string `json:"jaeger-sampler-param"` - - // JaegerSamplerHost specifies the host used for remote sampling consultation - // Default: http://127.0.0.1 - JaegerSamplerHost string `json:"jaeger-sampler-host"` - - // JaegerSamplerHost specifies the host used for remote sampling consultation - // Default: 5778 - JaegerSamplerPort int `json:"jaeger-sampler-port"` - - // JaegerTraceContextHeaderName specifies the header name used for passing trace context - // Default: uber-trace-id - JaegerTraceContextHeaderName string `json:"jaeger-trace-context-header-name"` - - // JaegerDebugHeader specifies the header name used for force sampling - // Default: jaeger-debug-id - JaegerDebugHeader string `json:"jaeger-debug-header"` - - // JaegerBaggageHeader specifies the header name used to submit baggage if there is no root span - // Default: jaeger-baggage - JaegerBaggageHeader string `json:"jaeger-baggage-header"` - - // TraceBaggageHeaderPrefix specifies the header prefix used to propagate baggage - // Default: uberctx- - JaegerTraceBaggageHeaderPrefix string `json:"jaeger-tracer-baggage-header-prefix"` - - // DatadogCollectorHost specifies the datadog agent host to use when uploading traces - DatadogCollectorHost string `json:"datadog-collector-host"` - - // DatadogCollectorPort specifies the port to use when uploading traces - // Default: 8126 - DatadogCollectorPort int `json:"datadog-collector-port"` - - // DatadogEnvironment specifies the environment this trace belongs to. - // Default: prod - DatadogEnvironment string `json:"datadog-environment"` - - // DatadogServiceName specifies the service name to use for any traces created - // Default: nginx - DatadogServiceName string `json:"datadog-service-name"` - - // DatadogOperationNameOverride overrides the operation naem to use for any traces crated - // Default: nginx.handle - DatadogOperationNameOverride string `json:"datadog-operation-name-override"` - - // DatadogPrioritySampling specifies to use client-side sampling - // If true disables client-side sampling (thus ignoring sample_rate) and enables distributed - // priority sampling, where traces are sampled based on a combination of user-assigned + // OtelSamplerParentBased specifies the parent based sampler to be use for any traces created // Default: true - DatadogPrioritySampling bool `json:"datadog-priority-sampling"` + OtelSamplerParentBased bool `json:"otel-sampler-parent-based"` - // DatadogSampleRate specifies sample rate for any traces created. - // This is effective only when datadog-priority-sampling is false - // Default: 1.0 - DatadogSampleRate float32 `json:"datadog-sample-rate"` + // MaxQueueSize specifies the max queue size for uploading traces + // Default: 2048 + OtelMaxQueueSize int32 `json:"otel-max-queuesize"` + + // ScheduleDelayMillis specifies the max delay between uploading traces + // Default: 5000 + OtelScheduleDelayMillis int32 `json:"otel-schedule-delay-millis"` + + // MaxExportBatchSize specifies the max export batch size to used when uploading traces + // Default: 512 + OtelMaxExportBatchSize int32 `json:"otel-max-export-batch-size"` // MainSnippet adds custom configuration to the main section of the nginx configuration MainSnippet string `json:"main-snippet"` @@ -777,6 +742,12 @@ type Configuration struct { // http://nginx.org/en/docs/ngx_core_module.html#debug_connection // Default: "" DebugConnections []string `json:"debug-connections"` + + // StrictValidatePathType enable the strict validation of Ingress Paths + // It enforces that pathType of type Exact or Prefix should start with / and contain only + // alphanumeric chars, "-", "_", "/".In case of additional characters, + // like used on Rewrite configurations the user should use pathType as ImplementationSpecific + StrictValidatePathType bool `json:"strict-validate-path-type"` } // NewDefault returns the default nginx configuration @@ -794,13 +765,15 @@ func NewDefault() Configuration { defGlobalExternalAuth := GlobalExternalAuth{"", "", "", "", "", append(defResponseHeaders, ""), "", "", "", []string{}, map[string]string{}, false} cfg := Configuration{ - - AllowSnippetAnnotations: true, + AllowSnippetAnnotations: false, + AllowCrossNamespaceResources: true, AllowBackendServerHeader: false, AnnotationValueWordBlocklist: "", + AnnotationsRiskLevel: "Critical", AccessLogPath: "/var/log/nginx/access.log", AccessLogParams: "", EnableAccessLogForDefaultBackend: false, + EnableAuthAccessLog: false, WorkerCPUAffinity: "", ErrorLogPath: "/var/log/nginx/error.log", BlockCIDRs: defBlockEntity, @@ -816,14 +789,14 @@ func NewDefault() Configuration { EnableUnderscoresInHeaders: false, ErrorLogLevel: errorLevel, UseForwardedHeaders: false, - EnableRealIp: false, + EnableRealIP: false, ForwardedForHeader: "X-Forwarded-For", ComputeFullForwardedFor: false, ProxyAddOriginalURIHeader: false, GenerateRequestID: true, - HTTP2MaxFieldSize: "4k", - HTTP2MaxHeaderSize: "16k", - HTTP2MaxRequests: 1000, + HTTP2MaxFieldSize: "", + HTTP2MaxHeaderSize: "", + HTTP2MaxRequests: 0, HTTP2MaxConcurrentStreams: 128, HTTPRedirectCode: 308, HSTS: true, @@ -835,7 +808,7 @@ func NewDefault() Configuration { GzipMinLength: 256, GzipTypes: gzipTypes, KeepAlive: 75, - KeepAliveRequests: 100, + KeepAliveRequests: 1000, LargeClientHeaderBuffers: "4 8k", LogFormatEscapeJSON: false, LogFormatStream: logFormatStream, @@ -865,44 +838,47 @@ func NewDefault() Configuration { SSLSessionTickets: false, SSLSessionTimeout: sslSessionTimeout, EnableBrotli: false, + EnableAioWrite: true, UseGzip: false, - UseGeoIP: true, UseGeoIP2: false, WorkerProcesses: strconv.Itoa(runtime.NumCPU()), WorkerShutdownTimeout: "240s", VariablesHashBucketSize: 256, VariablesHashMaxSize: 2048, UseHTTP2: true, + DisableProxyInterceptErrors: false, ProxyStreamTimeout: "600s", ProxyStreamNextUpstream: true, ProxyStreamNextUpstreamTimeout: "600s", ProxyStreamNextUpstreamTries: 3, Backend: defaults.Backend{ - ProxyBodySize: bodySize, - ProxyConnectTimeout: 5, - ProxyReadTimeout: 60, - ProxySendTimeout: 60, - ProxyBuffersNumber: 4, - ProxyBufferSize: "4k", - ProxyCookieDomain: "off", - ProxyCookiePath: "off", - ProxyNextUpstream: "error timeout", - ProxyNextUpstreamTimeout: 0, - ProxyNextUpstreamTries: 3, - ProxyRequestBuffering: "on", - ProxyRedirectFrom: "off", - ProxyRedirectTo: "off", - PreserveTrailingSlash: false, - SSLRedirect: true, - CustomHTTPErrors: []int{}, - WhitelistSourceRange: []string{}, - SkipAccessLogURLs: []string{}, - LimitRate: 0, - LimitRateAfter: 0, - ProxyBuffering: "off", - ProxyHTTPVersion: "1.1", - ProxyMaxTempFileSize: "1024m", - ServiceUpstream: false, + ProxyBodySize: bodySize, + ProxyConnectTimeout: 5, + ProxyReadTimeout: 60, + ProxySendTimeout: 60, + ProxyBuffersNumber: 4, + ProxyBufferSize: "4k", + ProxyCookieDomain: "off", + ProxyCookiePath: "off", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: 0, + ProxyNextUpstreamTries: 3, + ProxyRequestBuffering: "on", + ProxyRedirectFrom: "off", + ProxyRedirectTo: "off", + PreserveTrailingSlash: false, + SSLRedirect: true, + CustomHTTPErrors: []int{}, + DisableProxyInterceptErrors: false, + DenylistSourceRange: []string{}, + WhitelistSourceRange: []string{}, + SkipAccessLogURLs: []string{}, + LimitRate: 0, + LimitRateAfter: 0, + ProxyBuffering: "off", + ProxyHTTPVersion: "1.1", + ProxyMaxTempFileSize: "1024m", + ServiceUpstream: false, }, UpstreamKeepaliveConnections: 320, UpstreamKeepaliveTime: "1h", @@ -911,23 +887,16 @@ func NewDefault() Configuration { LimitConnZoneVariable: defaultLimitConnZoneVariable, BindAddressIpv4: defBindAddress, BindAddressIpv6: defBindAddress, - OpentracingTrustIncomingSpan: true, - ZipkinCollectorPort: 9411, - ZipkinServiceName: "nginx", - ZipkinSampleRate: 1.0, - JaegerCollectorPort: 6831, - JaegerPropagationFormat: "jaeger", - JaegerServiceName: "nginx", - JaegerSamplerType: "const", - JaegerSamplerParam: "1", - JaegerSamplerPort: 5778, - JaegerSamplerHost: "http://127.0.0.1", - DatadogServiceName: "nginx", - DatadogEnvironment: "prod", - DatadogCollectorPort: 8126, - DatadogOperationNameOverride: "nginx.handle", - DatadogSampleRate: 1.0, - DatadogPrioritySampling: true, + OpentelemetryTrustIncomingSpan: true, + OpentelemetryConfig: "/etc/ingress-controller/telemetry/opentelemetry.toml", + OtlpCollectorPort: "4317", + OtelServiceName: "nginx", + OtelSampler: "AlwaysOn", + OtelSamplerRatio: 0.01, + OtelSamplerParentBased: true, + OtelScheduleDelayMillis: 5000, + OtelMaxExportBatchSize: 512, + OtelMaxQueueSize: 2048, LimitReqStatusCode: 503, LimitConnStatusCode: 503, SyslogPort: 514, @@ -942,6 +911,7 @@ func NewDefault() Configuration { GlobalRateLimitMemcachedPoolSize: 50, GlobalRateLimitStatucCode: 429, DebugConnections: []string{}, + StrictValidatePathType: false, // TODO: This will be true in future releases } if klog.V(5).Enabled() { @@ -953,41 +923,41 @@ func NewDefault() Configuration { // TemplateConfig contains the nginx configuration to render the file nginx.conf type TemplateConfig struct { - ProxySetHeaders map[string]string - AddHeaders map[string]string - BacklogSize int - Backends []*ingress.Backend - PassthroughBackends []*ingress.SSLPassthroughBackend - Servers []*ingress.Server - TCPBackends []ingress.L4Service - UDPBackends []ingress.L4Service - HealthzURI string - Cfg Configuration - IsIPV6Enabled bool - IsSSLPassthroughEnabled bool - NginxStatusIpv4Whitelist []string - NginxStatusIpv6Whitelist []string - RedirectServers interface{} - ListenPorts *ListenPorts - PublishService *apiv1.Service - EnableMetrics bool - MaxmindEditionFiles *[]string - MonitorMaxBatchSize int - PID string - StatusPath string - StatusPort int - StreamPort int - StreamSnippets []string + ProxySetHeaders map[string]string `json:"ProxySetHeaders"` + AddHeaders map[string]string `json:"AddHeaders"` + BacklogSize int `json:"BacklogSize"` + Backends []*ingress.Backend `json:"Backends"` + PassthroughBackends []*ingress.SSLPassthroughBackend `json:"PassthroughBackends"` + Servers []*ingress.Server `json:"Servers"` + TCPBackends []ingress.L4Service `json:"TCPBackends"` + UDPBackends []ingress.L4Service `json:"UDPBackends"` + HealthzURI string `json:"HealthzURI"` + Cfg Configuration `json:"Cfg"` + IsIPV6Enabled bool `json:"IsIPV6Enabled"` + IsSSLPassthroughEnabled bool `json:"IsSSLPassthroughEnabled"` + NginxStatusIpv4Whitelist []string `json:"NginxStatusIpv4Whitelist"` + NginxStatusIpv6Whitelist []string `json:"NginxStatusIpv6Whitelist"` + RedirectServers interface{} `json:"RedirectServers"` + ListenPorts *ListenPorts `json:"ListenPorts"` + PublishService *apiv1.Service `json:"PublishService"` + EnableMetrics bool `json:"EnableMetrics"` + MaxmindEditionFiles *[]string `json:"MaxmindEditionFiles"` + MonitorMaxBatchSize int `json:"MonitorMaxBatchSize"` + PID string `json:"PID"` + StatusPath string `json:"StatusPath"` + StatusPort int `json:"StatusPort"` + StreamPort int `json:"StreamPort"` + StreamSnippets []string `json:"StreamSnippets"` } // ListenPorts describe the ports required to run the // NGINX Ingress controller type ListenPorts struct { - HTTP int - HTTPS int - Health int - Default int - SSLProxy int + HTTP int `json:"HTTP"` + HTTPS int `json:"HTTPS"` + Health int `json:"Health"` + Default int `json:"Default"` + SSLProxy int `json:"SSLProxy"` } // GlobalExternalAuth describe external authentication configuration for the diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index f60f7a053..cb8d3712c 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -23,7 +23,7 @@ import ( "strings" "time" - "github.com/mitchellh/hashstructure" + "github.com/mitchellh/hashstructure/v2" apiv1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" apiequality "k8s.io/apimachinery/pkg/api/equality" @@ -33,6 +33,7 @@ import ( "k8s.io/apimachinery/pkg/util/wait" clientset "k8s.io/client-go/kubernetes" "k8s.io/ingress-nginx/internal/ingress/annotations" + "k8s.io/ingress-nginx/internal/ingress/annotations/canary" "k8s.io/ingress-nginx/internal/ingress/annotations/log" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/proxy" @@ -50,9 +51,12 @@ import ( ) const ( - defUpstreamName = "upstream-default-backend" - defServerName = "_" - rootLocation = "/" + defUpstreamName = "upstream-default-backend" + defServerName = "_" + rootLocation = "/" + emptyZone = "" + orphanMetricLabelNoService = "no-service" + orphanMetricLabelNoEndpoint = "no-endpoint" ) // Configuration contains all the settings required by an Ingress controller @@ -98,10 +102,11 @@ type Configuration struct { EnableProfiling bool - EnableMetrics bool - MetricsPerHost bool - MetricsBuckets *collectors.HistogramBuckets - ReportStatusClasses bool + EnableMetrics bool + MetricsPerHost bool + MetricsBuckets *collectors.HistogramBuckets + ReportStatusClasses bool + ExcludeSocketMetrics []string FakeCertificate *ingress.SSLCert @@ -109,7 +114,7 @@ type Configuration struct { DisableCatchAll bool - IngressClassConfiguration *ingressclass.IngressClassConfiguration + IngressClassConfiguration *ingressclass.Configuration ValidationWebhook string ValidationWebhookCertPath string @@ -129,10 +134,27 @@ type Configuration struct { DeepInspector bool DynamicConfigurationRetries int + + DisableSyncEvents bool + + EnableTopologyAwareRouting bool +} + +func getIngressPodZone(svc *apiv1.Service) string { + svcKey := k8s.MetaNamespaceKey(svc) + if svcZoneAnnotation, ok := svc.ObjectMeta.GetAnnotations()[apiv1.AnnotationTopologyMode]; ok { + if strings.EqualFold(svcZoneAnnotation, "auto") { + if foundZone, ok := k8s.IngressNodeDetails.GetLabels()[apiv1.LabelTopologyZone]; ok { + klog.V(3).Infof("Svc has topology aware annotation enabled, try to use zone %q where controller pod is running for Service %q ", foundZone, svcKey) + return foundZone + } + } + } + return emptyZone } // GetPublishService returns the Service used to set the load-balancer status of Ingresses. -func (n NGINXController) GetPublishService() *apiv1.Service { +func (n *NGINXController) GetPublishService() *apiv1.Service { s, err := n.store.GetService(n.cfg.PublishService) if err != nil { return nil @@ -167,13 +189,16 @@ func (n *NGINXController) syncIngress(interface{}) error { if !utilingress.IsDynamicConfigurationEnough(pcfg, n.runningConfig) { klog.InfoS("Configuration changes detected, backend reload required") - hash, _ := hashstructure.Hash(pcfg, &hashstructure.HashOptions{ + hash, err := hashstructure.Hash(pcfg, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) + if err != nil { + klog.Errorf("unexpected error hashing configuration: %v", err) + } pcfg.ConfigurationChecksum = fmt.Sprintf("%v", hash) - err := n.OnUpdate(*pcfg) + err = n.OnUpdate(*pcfg) if err != nil { n.metricCollector.IncReloadErrorCount() n.metricCollector.ConfigSuccess(hash, false) @@ -234,6 +259,52 @@ func (n *NGINXController) syncIngress(interface{}) error { return nil } +// GetWarnings returns a list of warnings an Ingress gets when being created. +// The warnings are going to be used in an admission webhook, and they represent +// a list of messages that users need to be aware (like deprecation notices) +// when creating a new ingress object +func (n *NGINXController) CheckWarning(ing *networking.Ingress) ([]string, error) { + warnings := make([]string, 0) + + deprecatedAnnotations := sets.NewString() + deprecatedAnnotations.Insert( + "enable-influxdb", + "influxdb-measurement", + "influxdb-port", + "influxdb-host", + "influxdb-server-name", + "secure-verify-ca-secret", + ) + + // Skip checks if the ingress is marked as deleted + if !ing.DeletionTimestamp.IsZero() { + return warnings, nil + } + + anns := ing.GetAnnotations() + for k := range anns { + trimmedkey := strings.TrimPrefix(k, parser.AnnotationsPrefix+"/") + if deprecatedAnnotations.Has(trimmedkey) { + warnings = append(warnings, fmt.Sprintf("annotation %s is deprecated", k)) + } + } + + // Add each validation as a single warning + // rikatz: I know this is somehow a duplicated code from CheckIngress, but my goal was to deliver fast warning on this behavior. We + // can and should, tho, simplify this in the near future + if err := inspector.ValidatePathType(ing); err != nil { + if errs, is := err.(interface{ Unwrap() []error }); is { + for _, errW := range errs.Unwrap() { + warnings = append(warnings, errW.Error()) + } + } else { + warnings = append(warnings, err.Error()) + } + } + + return warnings, nil +} + // CheckIngress returns an error in case the provided ingress, when added // to the current configuration, generates an invalid configuration func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { @@ -248,11 +319,13 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { if !ing.DeletionTimestamp.IsZero() { return nil } + if n.cfg.DeepInspector { if err := inspector.DeepInspect(ing); err != nil { return fmt.Errorf("invalid object: %w", err) } } + // Do not attempt to validate an ingress that's not meant to be controlled by the current instance of the controller. if ingressClass, err := n.store.GetIngressClass(ing, n.cfg.IngressClassConfiguration); ingressClass == "" { klog.Warningf("ignoring ingress %v in %v based on annotation %v: %v", ing.Name, ing.ObjectMeta.Namespace, ingressClass, err) @@ -265,12 +338,19 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { } if n.cfg.DisableCatchAll && ing.Spec.DefaultBackend != nil { - return fmt.Errorf("This deployment is trying to create a catch-all ingress while DisableCatchAll flag is set to true. Remove '.spec.defaultBackend' or set DisableCatchAll flag to false.") + return fmt.Errorf("this deployment is trying to create a catch-all ingress while DisableCatchAll flag is set to true. Remove '.spec.defaultBackend' or set DisableCatchAll flag to false") } startRender := time.Now().UnixNano() / 1000000 cfg := n.store.GetBackendConfiguration() cfg.Resolver = n.resolver + // Adds the pathType Validation + if cfg.StrictValidatePathType { + if err := inspector.ValidatePathType(ing); err != nil { + return fmt.Errorf("ingress contains invalid paths: %w", err) + } + } + var arrayBadWords []string if cfg.AnnotationValueWordBlocklist != "" { @@ -278,10 +358,9 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { } for key, value := range ing.ObjectMeta.GetAnnotations() { - if parser.AnnotationsPrefix != parser.DefaultAnnotationsPrefix { if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.DefaultAnnotationsPrefix)) { - return fmt.Errorf("This deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix) + return fmt.Errorf("this deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix) } } @@ -297,10 +376,9 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { return fmt.Errorf("%s annotation cannot be used. Snippet directives are disabled by the Ingress administrator", key) } - if len(cfg.GlobalRateLimitMemcachedHost) == 0 && strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) { + if cfg.GlobalRateLimitMemcachedHost == "" && strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) { return fmt.Errorf("'global-rate-limit*' annotations require 'global-rate-limit-memcached-host' settings configured in the global configmap") } - } k8s.SetDefaultNGINXPathType(ing) @@ -312,14 +390,19 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { toCheck.ObjectMeta.Name == ing.ObjectMeta.Name } ings := store.FilterIngresses(allIngresses, filter) + parsed, err := annotations.NewAnnotationExtractor(n.store).Extract(ing) + if err != nil { + n.metricCollector.IncCheckErrorCount(ing.ObjectMeta.Namespace, ing.Name) + return err + } ings = append(ings, &ingress.Ingress{ Ingress: *ing, - ParsedAnnotations: annotations.NewAnnotationExtractor(n.store).Extract(ing), + ParsedAnnotations: parsed, }) startTest := time.Now().UnixNano() / 1000000 _, servers, pcfg := n.getConfiguration(ings) - err := checkOverlap(ing, allIngresses, servers) + err = checkOverlap(ing, servers) if err != nil { n.metricCollector.IncCheckErrorCount(ing.ObjectMeta.Namespace, ing.Name) return err @@ -370,7 +453,7 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr return []ingress.L4Service{} } - var svcs []ingress.L4Service + svcs := make([]ingress.L4Service, 0, len(configmap.Data)) var svcProxyProtocol ingress.ProxyProtocol rp := []int{ @@ -407,10 +490,10 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr svcProxyProtocol.Encode = false // Proxy Protocol is only compatible with TCP Services if len(nsSvcPort) >= 3 && proto == apiv1.ProtocolTCP { - if len(nsSvcPort) >= 3 && strings.ToUpper(nsSvcPort[2]) == "PROXY" { + if len(nsSvcPort) >= 3 && strings.EqualFold(nsSvcPort[2], "PROXY") { svcProxyProtocol.Decode = true } - if len(nsSvcPort) == 4 && strings.ToUpper(nsSvcPort[3]) == "PROXY" { + if len(nsSvcPort) == 4 && strings.EqualFold(nsSvcPort[3], "PROXY") { svcProxyProtocol.Encode = true } } @@ -427,6 +510,13 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr var endps []ingress.Endpoint /* #nosec */ targetPort, err := strconv.Atoi(svcPort) // #nosec + var zone string + if n.cfg.EnableTopologyAwareRouting { + zone = getIngressPodZone(svc) + } else { + zone = emptyZone + } + if err != nil { // not a port number, fall back to using port name klog.V(3).Infof("Searching Endpoints with %v port name %q for Service %q", proto, svcPort, nsName) @@ -434,7 +524,7 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr sp := svc.Spec.Ports[i] if sp.Name == svcPort { if sp.Protocol == proto { - endps = getEndpointsFromSlices(svc, &sp, proto, n.store.GetServiceEndpointsSlices) + endps = getEndpointsFromSlices(svc, &sp, proto, zone, n.store.GetServiceEndpointsSlices) break } } @@ -443,9 +533,10 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr klog.V(3).Infof("Searching Endpoints with %v port number %d for Service %q", proto, targetPort, nsName) for i := range svc.Spec.Ports { sp := svc.Spec.Ports[i] + //nolint:gosec // Ignore G109 error if sp.Port == int32(targetPort) { if sp.Protocol == proto { - endps = getEndpointsFromSlices(svc, &sp, proto, n.store.GetServiceEndpointsSlices) + endps = getEndpointsFromSlices(svc, &sp, proto, zone, n.store.GetServiceEndpointsSlices) break } } @@ -485,7 +576,7 @@ func (n *NGINXController) getDefaultUpstream() *ingress.Backend { } svcKey := n.cfg.DefaultService - if len(svcKey) == 0 { + if svcKey == "" { upstream.Endpoints = append(upstream.Endpoints, n.DefaultEndpoint()) return upstream } @@ -496,8 +587,13 @@ func (n *NGINXController) getDefaultUpstream() *ingress.Backend { upstream.Endpoints = append(upstream.Endpoints, n.DefaultEndpoint()) return upstream } - - endps := getEndpointsFromSlices(svc, &svc.Spec.Ports[0], apiv1.ProtocolTCP, n.store.GetServiceEndpointsSlices) + var zone string + if n.cfg.EnableTopologyAwareRouting { + zone = getIngressPodZone(svc) + } else { + zone = emptyZone + } + endps := getEndpointsFromSlices(svc, &svc.Spec.Ports[0], apiv1.ProtocolTCP, zone, n.store.GetServiceEndpointsSlices) if len(endps) == 0 { klog.Warningf("Service %q does not have any active Endpoint", svcKey) endps = []ingress.Endpoint{n.DefaultEndpoint()} @@ -509,11 +605,11 @@ func (n *NGINXController) getDefaultUpstream() *ingress.Backend { } // getConfiguration returns the configuration matching the standard kubernetes ingress -func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.String, []*ingress.Server, *ingress.Configuration) { +func (n *NGINXController) getConfiguration(ingresses []*ingress.Ingress) (sets.Set[string], []*ingress.Server, *ingress.Configuration) { upstreams, servers := n.getBackendServers(ingresses) var passUpstreams []*ingress.SSLPassthroughBackend - hosts := sets.NewString() + hosts := sets.New[string]() for _, server := range servers { // If a location is defined by a prefix string that ends with the slash character, and requests are processed by one of @@ -596,13 +692,14 @@ func dropSnippetDirectives(anns *annotations.Ingress, ingKey string) { klog.V(3).Infof("Ingress %q tried to use stream-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey) anns.StreamSnippet = "" } - } } // getBackendServers returns a list of Upstream and Server to be used by the // backend. An upstream can be used in multiple servers if the namespace, // service name and port are the same. +// +//nolint:gocyclo // Ignore function complexity error func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*ingress.Backend, []*ingress.Server) { du := n.getDefaultUpstream() upstreams := n.createUpstreams(ingresses, du) @@ -825,7 +922,13 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in } sp := location.DefaultBackend.Spec.Ports[0] - endps := getEndpointsFromSlices(location.DefaultBackend, &sp, apiv1.ProtocolTCP, n.store.GetServiceEndpointsSlices) + var zone string + if n.cfg.EnableTopologyAwareRouting { + zone = getIngressPodZone(location.DefaultBackend) + } else { + zone = emptyZone + } + endps := getEndpointsFromSlices(location.DefaultBackend, &sp, apiv1.ProtocolTCP, zone, n.store.GetServiceEndpointsSlices) // custom backend is valid only if contains at least one endpoint if len(endps) > 0 { name := fmt.Sprintf("custom-default-backend-%v-%v", location.DefaultBackend.GetNamespace(), location.DefaultBackend.GetName()) @@ -930,14 +1033,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B // configure traffic shaping for canary if anns.Canary.Enabled { upstreams[defBackend].NoServer = true - upstreams[defBackend].TrafficShapingPolicy = ingress.TrafficShapingPolicy{ - Weight: anns.Canary.Weight, - WeightTotal: anns.Canary.WeightTotal, - Header: anns.Canary.Header, - HeaderValue: anns.Canary.HeaderValue, - HeaderPattern: anns.Canary.HeaderPattern, - Cookie: anns.Canary.Cookie, - } + upstreams[defBackend].TrafficShapingPolicy = newTrafficShapingPolicy(&anns.Canary) } if len(upstreams[defBackend].Endpoints) == 0 { @@ -961,7 +1057,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B continue } - for _, path := range rule.HTTP.Paths { + for i, path := range rule.HTTP.Paths { if path.Backend.Service == nil { // skip non-service backends klog.V(3).Infof("Ingress %q and path %q does not contain a service backend, using default backend", ingKey, path.Path) @@ -991,7 +1087,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B // add the service ClusterIP as a single Endpoint instead of individual Endpoints if anns.ServiceUpstream { - endpoint, err := n.getServiceClusterEndpoint(svcKey, &path.Backend) + endpoint, err := n.getServiceClusterEndpoint(svcKey, &rule.HTTP.Paths[i].Backend) if err != nil { klog.Errorf("Failed to determine a suitable ClusterIP Endpoint for Service %q: %v", svcKey, err) } else { @@ -1002,13 +1098,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B // configure traffic shaping for canary if anns.Canary.Enabled { upstreams[name].NoServer = true - upstreams[name].TrafficShapingPolicy = ingress.TrafficShapingPolicy{ - Weight: anns.Canary.Weight, - Header: anns.Canary.Header, - HeaderValue: anns.Canary.HeaderValue, - HeaderPattern: anns.Canary.HeaderPattern, - Cookie: anns.Canary.Cookie, - } + upstreams[name].TrafficShapingPolicy = newTrafficShapingPolicy(&anns.Canary) } if len(upstreams[name].Endpoints) == 0 { @@ -1016,8 +1106,16 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B endp, err := n.serviceEndpoints(svcKey, port.String()) if err != nil { klog.Warningf("Error obtaining Endpoints for Service %q: %v", svcKey, err) + n.metricCollector.IncOrphanIngress(ing.Namespace, ing.Name, orphanMetricLabelNoService) continue } + n.metricCollector.DecOrphanIngress(ing.Namespace, ing.Name, orphanMetricLabelNoService) + + if len(endp) == 0 { + n.metricCollector.IncOrphanIngress(ing.Namespace, ing.Name, orphanMetricLabelNoEndpoint) + } else { + n.metricCollector.DecOrphanIngress(ing.Namespace, ing.Name, orphanMetricLabelNoEndpoint) + } upstreams[name].Endpoints = endp } @@ -1081,7 +1179,12 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres if err != nil { return upstreams, err } - + var zone string + if n.cfg.EnableTopologyAwareRouting { + zone = getIngressPodZone(svc) + } else { + zone = emptyZone + } klog.V(3).Infof("Obtaining ports information for Service %q", svcKey) // Ingress with an ExternalName Service and no port defined for that Service if svc.Spec.Type == apiv1.ServiceTypeExternalName { @@ -1090,7 +1193,7 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres return upstreams, nil } servicePort := externalNamePorts(backendPort, svc) - endps := getEndpointsFromSlices(svc, servicePort, apiv1.ProtocolTCP, n.store.GetServiceEndpointsSlices) + endps := getEndpointsFromSlices(svc, servicePort, apiv1.ProtocolTCP, zone, n.store.GetServiceEndpointsSlices) if len(endps) == 0 { klog.Warningf("Service %q does not have any active Endpoint.", svcKey) return upstreams, nil @@ -1106,8 +1209,7 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres if strconv.Itoa(int(servicePort.Port)) == backendPort || servicePort.TargetPort.String() == backendPort || servicePort.Name == backendPort { - - endps := getEndpointsFromSlices(svc, &servicePort, apiv1.ProtocolTCP, n.store.GetServiceEndpointsSlices) + endps := getEndpointsFromSlices(svc, &servicePort, apiv1.ProtocolTCP, zone, n.store.GetServiceEndpointsSlices) if len(endps) == 0 { klog.Warningf("Service %q does not have any active Endpoint.", svcKey) } @@ -1139,8 +1241,8 @@ func (n *NGINXController) getDefaultSSLCertificate() *ingress.SSLCert { // one root location, which uses a default backend if left unspecified. func (n *NGINXController) createServers(data []*ingress.Ingress, upstreams map[string]*ingress.Backend, - du *ingress.Backend) map[string]*ingress.Server { - + du *ingress.Backend, +) map[string]*ingress.Server { servers := make(map[string]*ingress.Server, len(data)) allAliases := make(map[string][]string, len(data)) @@ -1182,7 +1284,8 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, Rewrite: false, }, }, - }} + }, + } // initialize all other servers for _, ing := range data { @@ -1404,7 +1507,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.ExternalAuth = anns.ExternalAuth loc.EnableGlobalAuth = anns.EnableGlobalAuth loc.HTTP2PushPreload = anns.HTTP2PushPreload - loc.Opentracing = anns.Opentracing + loc.Opentelemetry = anns.Opentelemetry loc.Proxy = anns.Proxy loc.ProxySSL = anns.ProxySSL loc.RateLimit = anns.RateLimit @@ -1412,17 +1515,18 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) loc.Redirect = anns.Redirect loc.Rewrite = anns.Rewrite loc.UpstreamVhost = anns.UpstreamVhost - loc.Whitelist = anns.Whitelist + loc.Denylist = anns.Denylist + loc.Allowlist = anns.Allowlist loc.Denied = anns.Denied loc.XForwardedPrefix = anns.XForwardedPrefix loc.UsePortInRedirects = anns.UsePortInRedirects loc.Connection = anns.Connection loc.Logs = anns.Logs - loc.InfluxDB = anns.InfluxDB loc.DefaultBackend = anns.DefaultBackend loc.BackendProtocol = anns.BackendProtocol loc.FastCGI = anns.FastCGI loc.CustomHTTPErrors = anns.CustomHTTPErrors + loc.DisableProxyInterceptErrors = anns.DisableProxyInterceptErrors loc.ModSecurity = anns.ModSecurity loc.Satisfy = anns.Satisfy loc.Mirror = anns.Mirror @@ -1431,7 +1535,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) } // OK to merge canary ingresses iff there exists one or more ingresses to potentially merge into -func nonCanaryIngressExists(ingresses []*ingress.Ingress, canaryIngresses []*ingress.Ingress) bool { +func nonCanaryIngressExists(ingresses, canaryIngresses []*ingress.Ingress) bool { return len(ingresses)-len(canaryIngresses) > 0 } @@ -1439,12 +1543,12 @@ func nonCanaryIngressExists(ingresses []*ingress.Ingress, canaryIngresses []*ing // 1) names of backends do not match and canary doesn't merge into itself // 2) primary name is not the default upstream // 3) the primary has a server -func canMergeBackend(primary *ingress.Backend, alternative *ingress.Backend) bool { +func canMergeBackend(primary, alternative *ingress.Backend) bool { return alternative != nil && primary.Name != alternative.Name && primary.Name != defUpstreamName && !primary.NoServer } // Performs the merge action and checks to ensure that one two alternative backends do not merge into each other -func mergeAlternativeBackend(ing *ingress.Ingress, priUps *ingress.Backend, altUps *ingress.Backend) bool { +func mergeAlternativeBackend(ing *ingress.Ingress, priUps, altUps *ingress.Backend) bool { if priUps.NoServer { klog.Warningf("unable to merge alternative backend %v into primary backend %v because %v is a primary backend", altUps.Name, priUps.Name, priUps.Name) @@ -1462,8 +1566,7 @@ func mergeAlternativeBackend(ing *ingress.Ingress, priUps *ingress.Backend, altU priUps.SessionAffinity.DeepCopyInto(&altUps.SessionAffinity) } - priUps.AlternativeBackends = - append(priUps.AlternativeBackends, altUps.Name) + priUps.AlternativeBackends = append(priUps.AlternativeBackends, altUps.Name) return true } @@ -1473,8 +1576,8 @@ func mergeAlternativeBackend(ing *ingress.Ingress, priUps *ingress.Backend, altU // to a backend's alternative list. // If no match is found, then the serverless backend is deleted. func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingress.Backend, - servers map[string]*ingress.Server) { - + servers map[string]*ingress.Server, +) { // merge catch-all alternative backends if ing.Spec.DefaultBackend != nil { upsName := upstreamName(ing.Namespace, ing.Spec.DefaultBackend.Service) @@ -1484,7 +1587,6 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres if altUps == nil { klog.Warningf("alternative backend %s has already been removed", upsName) } else { - merged := false altEqualsPri := false @@ -1575,8 +1677,8 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres // extractTLSSecretName returns the name of the Secret containing a SSL // certificate for the given host name, or an empty string. func extractTLSSecretName(host string, ing *ingress.Ingress, - getLocalSSLCert func(string) (*ingress.SSLCert, error)) string { - + getLocalSSLCert func(string) (*ingress.SSLCert, error), +) string { if ing == nil { return "" } @@ -1593,7 +1695,6 @@ func extractTLSSecretName(host string, ing *ingress.Ingress, // no TLS host matching host name, try each TLS host for matching SAN or CN for _, tls := range ing.Spec.TLS { - if tls.SecretName == "" { // There's no secretName specified, so it will never be available continue @@ -1652,6 +1753,7 @@ func externalNamePorts(name string, svc *apiv1.Service) *apiv1.ServicePort { } for _, svcPort := range svc.Spec.Ports { + //nolint:gosec // Ignore G109 error if svcPort.Port != int32(port) { continue } @@ -1670,13 +1772,14 @@ func externalNamePorts(name string, svc *apiv1.Service) *apiv1.ServicePort { // ExternalName without port return &apiv1.ServicePort{ - Protocol: "TCP", + Protocol: "TCP", + //nolint:gosec // Ignore G109 error Port: int32(port), TargetPort: intstr.FromInt(port), } } -func checkOverlap(ing *networking.Ingress, ingresses []*ingress.Ingress, servers []*ingress.Server) error { +func checkOverlap(ing *networking.Ingress, servers []*ingress.Server) error { for _, rule := range ing.Spec.Rules { if rule.HTTP == nil { continue @@ -1712,9 +1815,9 @@ func checkOverlap(ing *networking.Ingress, ingresses []*ingress.Ingress, servers } // path overlap. Check if one of the ingresses has a canary annotation - isCanaryEnabled, annotationErr := parser.GetBoolAnnotation("canary", ing) + isCanaryEnabled, annotationErr := parser.GetBoolAnnotation("canary", ing, canary.CanaryAnnotations.Annotations) for _, existing := range existingIngresses { - isExistingCanaryEnabled, existingAnnotationErr := parser.GetBoolAnnotation("canary", existing) + isExistingCanaryEnabled, existingAnnotationErr := parser.GetBoolAnnotation("canary", existing, canary.CanaryAnnotations.Annotations) if isCanaryEnabled && isExistingCanaryEnabled { return fmt.Errorf(`host "%s" and path "%s" is already defined in ingress %s/%s`, rule.Host, path.Path, existing.Namespace, existing.Name) @@ -1741,7 +1844,7 @@ func ingressForHostPath(hostname, path string, servers []*ingress.Server) []*net continue } - for _, location := range server.Locations { + for i, location := range server.Locations { if location.Path != path { continue } @@ -1750,7 +1853,7 @@ func ingressForHostPath(hostname, path string, servers []*ingress.Server) []*net continue } - ingresses = append(ingresses, &location.Ingress.Ingress) + ingresses = append(ingresses, &server.Locations[i].Ingress.Ingress) } } @@ -1767,3 +1870,15 @@ func (n *NGINXController) getStreamSnippets(ingresses []*ingress.Ingress) []stri } return snippets } + +// newTrafficShapingPolicy creates new ingress.TrafficShapingPolicy instance using canary configuration +func newTrafficShapingPolicy(cfg *canary.Config) ingress.TrafficShapingPolicy { + return ingress.TrafficShapingPolicy{ + Weight: cfg.Weight, + WeightTotal: cfg.WeightTotal, + Header: cfg.Header, + HeaderValue: cfg.HeaderValue, + HeaderPattern: cfg.HeaderPattern, + Cookie: cfg.Cookie, + } +} diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index da9f10e45..c07fcfadf 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -33,7 +33,7 @@ import ( "github.com/eapache/channels" corev1 "k8s.io/api/core/v1" - v1 "k8s.io/api/core/v1" + discoveryv1 "k8s.io/api/discovery/v1" networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -44,11 +44,10 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations" "k8s.io/ingress-nginx/internal/ingress/annotations/canary" - "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" "k8s.io/ingress-nginx/internal/ingress/annotations/sessionaffinity" - "k8s.io/ingress-nginx/internal/ingress/controller/config" ngx_config "k8s.io/ingress-nginx/internal/ingress/controller/config" "k8s.io/ingress-nginx/internal/ingress/controller/ingressclass" "k8s.io/ingress-nginx/internal/ingress/controller/store" @@ -61,44 +60,56 @@ import ( "k8s.io/ingress-nginx/pkg/util/file" ) +const ( + exampleBackend = "example-http-svc-1-80" + TRUE = "true" +) + type fakeIngressStore struct { ingresses []*ingress.Ingress configuration ngx_config.Configuration } -func (fakeIngressStore) GetIngressClass(ing *networking.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) { +func (fakeIngressStore) GetIngressClass(_ *networking.Ingress, _ *ingressclass.Configuration) (string, error) { return "nginx", nil } -func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration { +func (fis *fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration { return fis.configuration } -func (fakeIngressStore) GetConfigMap(key string) (*corev1.ConfigMap, error) { +func (fis *fakeIngressStore) GetSecurityConfiguration() defaults.SecurityConfiguration { + return defaults.SecurityConfiguration{ + AnnotationsRiskLevel: fis.configuration.AnnotationsRiskLevel, + AllowCrossNamespaceResources: fis.configuration.AllowCrossNamespaceResources, + } +} + +func (fakeIngressStore) GetConfigMap(_ string) (*corev1.ConfigMap, error) { return nil, fmt.Errorf("test error") } -func (fakeIngressStore) GetSecret(key string) (*corev1.Secret, error) { +func (fakeIngressStore) GetSecret(_ string) (*corev1.Secret, error) { return nil, fmt.Errorf("test error") } -func (fakeIngressStore) GetService(key string) (*corev1.Service, error) { +func (fakeIngressStore) GetService(_ string) (*corev1.Service, error) { return nil, fmt.Errorf("test error") } -func (fakeIngressStore) GetServiceEndpointsSlices(key string) ([]*discoveryv1.EndpointSlice, error) { +func (fakeIngressStore) GetServiceEndpointsSlices(_ string) ([]*discoveryv1.EndpointSlice, error) { return nil, fmt.Errorf("test error") } -func (fis fakeIngressStore) ListIngresses() []*ingress.Ingress { +func (fis *fakeIngressStore) ListIngresses() []*ingress.Ingress { return fis.ingresses } -func (fis fakeIngressStore) FilterIngresses(ingresses []*ingress.Ingress, filterFunc store.IngressFilterFunc) []*ingress.Ingress { +func (fis *fakeIngressStore) FilterIngresses(ingresses []*ingress.Ingress, _ store.IngressFilterFunc) []*ingress.Ingress { return ingresses } -func (fakeIngressStore) GetLocalSSLCert(name string) (*ingress.SSLCert, error) { +func (fakeIngressStore) GetLocalSSLCert(_ string) (*ingress.SSLCert, error) { return nil, fmt.Errorf("test error") } @@ -114,7 +125,7 @@ func (fakeIngressStore) GetDefaultBackend() defaults.Backend { return defaults.Backend{} } -func (fakeIngressStore) Run(stopCh chan struct{}) {} +func (fakeIngressStore) Run(_ chan struct{}) {} type testNginxTestCommand struct { t *testing.T @@ -123,7 +134,7 @@ type testNginxTestCommand struct { err error } -func (ntc testNginxTestCommand) ExecCommand(args ...string) *exec.Cmd { +func (ntc testNginxTestCommand) ExecCommand(_ ...string) *exec.Cmd { return nil } @@ -146,7 +157,7 @@ func (ntc testNginxTestCommand) Test(cfg string) ([]byte, error) { type fakeTemplate struct{} -func (fakeTemplate) Write(conf config.TemplateConfig) ([]byte, error) { +func (fakeTemplate) Write(conf *ngx_config.TemplateConfig) ([]byte, error) { r := []byte{} for _, s := range conf.Servers { if len(r) > 0 { @@ -159,7 +170,7 @@ func (fakeTemplate) Write(conf config.TemplateConfig) ([]byte, error) { func TestCheckIngress(t *testing.T) { defer func() { - filepath.Walk(os.TempDir(), func(path string, info os.FileInfo, err error) error { + err := filepath.Walk(os.TempDir(), func(path string, info os.FileInfo, err error) error { if info.IsDir() && os.TempDir() != path { return filepath.SkipDir } @@ -168,6 +179,9 @@ func TestCheckIngress(t *testing.T) { } return nil }) + if err != nil { + t.Errorf("unexpected error: %v", err) + } }() err := file.CreateRequiredDirectories() @@ -177,13 +191,17 @@ func TestCheckIngress(t *testing.T) { // Ensure no panic with wrong arguments var nginx *NGINXController - nginx.CheckIngress(nil) + if err := nginx.CheckIngress(nil); err != nil { + t.Errorf("unexpected error: %v", err) + } nginx = newNGINXController(t) - nginx.CheckIngress(nil) + if err := nginx.CheckIngress(nil); err != nil { + t.Errorf("unexpected error: %v", err) + } nginx.metricCollector = metric.DummyCollector{} nginx.t = fakeTemplate{} - nginx.store = fakeIngressStore{ + nginx.store = &fakeIngressStore{ ingresses: []*ingress.Ingress{}, } @@ -213,7 +231,7 @@ func TestCheckIngress(t *testing.T) { } t.Run("When the hostname is updated", func(t *testing.T) { - nginx.store = fakeIngressStore{ + nginx.store = &fakeIngressStore{ ingresses: []*ingress.Ingress{ { Ingress: *ing, @@ -260,7 +278,7 @@ func TestCheckIngress(t *testing.T) { }) t.Run("When snippets are disabled and user tries to use snippet annotation", func(t *testing.T) { - nginx.store = fakeIngressStore{ + nginx.store = &fakeIngressStore{ ingresses: []*ingress.Ingress{}, configuration: ngx_config.Configuration{ AllowSnippetAnnotations: false, @@ -277,7 +295,7 @@ func TestCheckIngress(t *testing.T) { }) t.Run("When invalid directives are used in annotation values", func(t *testing.T) { - nginx.store = fakeIngressStore{ + nginx.store = &fakeIngressStore{ ingresses: []*ingress.Ingress{}, configuration: ngx_config.Configuration{ AnnotationValueWordBlocklist: "invalid_directive, another_directive", @@ -352,6 +370,112 @@ func TestCheckIngress(t *testing.T) { }) } +func TestCheckWarning(t *testing.T) { + // Ensure no panic with wrong arguments + nginx := &NGINXController{} + + nginx.t = fakeTemplate{} + nginx.store = &fakeIngressStore{ + ingresses: []*ingress.Ingress{}, + } + + ing := &networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-ingress-warning", + Namespace: "user-namespace", + Annotations: map[string]string{}, + }, + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "example.com", + }, + }, + }, + } + t.Run("when a deprecated annotation is used a warning should be returned", func(t *testing.T) { + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("enable-influxdb")] = TRUE + defer func() { + ing.ObjectMeta.Annotations = map[string]string{} + }() + + warnings, err := nginx.CheckWarning(ing) + if err != nil { + t.Errorf("no error should be returned, but %s was returned", err) + } + if len(warnings) != 1 { + t.Errorf("expected 1 warning to occur but %d occurred", len(warnings)) + } else { + t.Logf("got warning %s correctly", warnings[0]) + } + }) + + t.Run("When an invalid pathType is used, a warning should be returned", func(t *testing.T) { + rules := ing.Spec.DeepCopy().Rules + ing.Spec.Rules = []networking.IngressRule{ + { + Host: "example.com", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/xpto{$2}", + PathType: &pathTypePrefix, + }, + { + Path: "/ok", + PathType: &pathTypeExact, + }, + }, + }, + }, + }, + } + defer func() { + ing.Spec.Rules = rules + }() + + warnings, err := nginx.CheckWarning(ing) + if err != nil { + t.Errorf("no error should be returned, but %s was returned", err) + } + if len(warnings) != 1 { + t.Errorf("expected 1 warning to occur but %d occurred", len(warnings)) + } else { + t.Logf("got warnings %v correctly", warnings) + } + + t.Run("adding invalid annotations increases the warning count", func(t *testing.T) { + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("enable-influxdb")] = TRUE + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = TRUE + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("influxdb-host")] = "blabla" + defer func() { + ing.ObjectMeta.Annotations = map[string]string{} + }() + warnings, err := nginx.CheckWarning(ing) + if err != nil { + t.Errorf("no error should be returned, but %s was returned", err) + } + if len(warnings) != 4 { + t.Errorf("expected 4 warning to occur but %d occurred", len(warnings)) + } else { + t.Logf("got warnings %v correctly", warnings) + } + }) + }) + + t.Run("When the ingress is marked as deleted", func(t *testing.T) { + ing.DeletionTimestamp = &metav1.Time{ + Time: time.Now(), + } + + if warnings, err := nginx.CheckWarning(ing); err != nil || len(warnings) != 0 { + t.Errorf("when the ingress is marked as deleted, no warning should be returned") + } + }) +} + +//nolint:dupl // Ignore dupl errors for similar test case func TestMergeAlternativeBackends(t *testing.T) { testCases := map[string]struct { ingress *ingress.Ingress @@ -1417,12 +1541,12 @@ func TestExtractTLSSecretName(t *testing.T) { } } +//nolint:gocyclo // Ignore function complexity error func TestGetBackendServers(t *testing.T) { - testCases := []struct { Ingresses []*ingress.Ingress Validate func(ingresses []*ingress.Ingress, upstreams []*ingress.Backend, servers []*ingress.Server) - SetConfigMap func(namespace string) *v1.ConfigMap + SetConfigMap func(namespace string) *corev1.ConfigMap }{ { Ingresses: []*ingress.Ingress{ @@ -1958,7 +2082,7 @@ func TestGetBackendServers(t *testing.T) { t.Errorf("server hostname should be 'example.com', got '%s'", s.Hostname) } - if s.Locations[0].Backend != "example-http-svc-1-80" || s.Locations[1].Backend != "example-http-svc-1-80" || s.Locations[2].Backend != "example-http-svc-1-80" { + if s.Locations[0].Backend != exampleBackend || s.Locations[1].Backend != exampleBackend || s.Locations[2].Backend != exampleBackend { t.Errorf("all location backend should be 'example-http-svc-1-80'") } @@ -1967,7 +2091,7 @@ func TestGetBackendServers(t *testing.T) { return } - if upstreams[0].Name != "example-http-svc-1-80" { + if upstreams[0].Name != exampleBackend { t.Errorf("example-http-svc-1-80 should be first upstream, got %s", upstreams[0].Name) return } @@ -1981,6 +2105,7 @@ func TestGetBackendServers(t *testing.T) { SetConfigMap: testConfigMap, }, { + //nolint:dupl // Ignore dupl errors for similar test case Ingresses: []*ingress.Ingress{ { Ingress: networking.Ingress{ @@ -2088,6 +2213,7 @@ func TestGetBackendServers(t *testing.T) { SetConfigMap: testConfigMap, }, { + //nolint:dupl // Ignore dupl errors for similar test case Ingresses: []*ingress.Ingress{ { Ingress: networking.Ingress{ @@ -2192,14 +2318,14 @@ func TestGetBackendServers(t *testing.T) { t.Errorf("location cafilename should be '%s', got '%s'", ingresses[1].ParsedAnnotations.ProxySSL.CAFileName, s.Locations[0].ProxySSL.CAFileName) } }, - SetConfigMap: func(ns string) *v1.ConfigMap { - return &v1.ConfigMap{ + SetConfigMap: func(ns string) *corev1.ConfigMap { + return &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), }, Data: map[string]string{ - "proxy-ssl-location-only": "true", + "proxy-ssl-location-only": TRUE, }, } }, @@ -2253,14 +2379,14 @@ func TestGetBackendServers(t *testing.T) { t.Errorf("backend should be upstream-default-backend, got '%s'", s.Locations[0].Backend) } }, - SetConfigMap: func(ns string) *v1.ConfigMap { - return &v1.ConfigMap{ + SetConfigMap: func(ns string) *corev1.ConfigMap { + return &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), }, Data: map[string]string{ - "proxy-ssl-location-only": "true", + "proxy-ssl-location-only": TRUE, }, } }, @@ -2305,7 +2431,7 @@ func TestGetBackendServers(t *testing.T) { }, }, ParsedAnnotations: &annotations.Ingress{ - Whitelist: ipwhitelist.SourceRange{CIDR: []string{"10.0.0.0/24"}}, + Allowlist: ipallowlist.SourceRange{CIDR: []string{"10.0.0.0/24"}}, ServerSnippet: "bla", ConfigurationSnippet: "blo", }, @@ -2326,13 +2452,12 @@ func TestGetBackendServers(t *testing.T) { t.Errorf("config snippet should be empty, got '%s'", s.Locations[0].ConfigurationSnippet) } - if len(s.Locations[0].Whitelist.CIDR) != 1 || s.Locations[0].Whitelist.CIDR[0] != "10.0.0.0/24" { + if len(s.Locations[0].Allowlist.CIDR) != 1 || s.Locations[0].Allowlist.CIDR[0] != "10.0.0.0/24" { t.Errorf("allow list was incorrectly dropped, len should be 1 and contain 10.0.0.0/24") } - }, - SetConfigMap: func(ns string) *v1.ConfigMap { - return &v1.ConfigMap{ + SetConfigMap: func(ns string) *corev1.ConfigMap { + return &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), @@ -2352,8 +2477,8 @@ func TestGetBackendServers(t *testing.T) { } } -func testConfigMap(ns string) *v1.ConfigMap { - return &v1.ConfigMap{ +func testConfigMap(ns string) *corev1.ConfigMap { + return &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), @@ -2362,11 +2487,11 @@ func testConfigMap(ns string) *v1.ConfigMap { } func newNGINXController(t *testing.T) *NGINXController { - ns := v1.NamespaceDefault + ns := corev1.NamespaceDefault clientSet := fake.NewSimpleClientset() - configMap := &v1.ConfigMap{ + configMap := &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "config", SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), @@ -2400,10 +2525,11 @@ func newNGINXController(t *testing.T) *NGINXController { channels.NewRingChannel(10), false, true, - &ingressclass.IngressClassConfiguration{ + &ingressclass.Configuration{ Controller: "k8s.io/ingress-nginx", AnnotationValue: "nginx", }, + false, ) sslCert := ssl.GetFakeSSLCert() @@ -2432,8 +2558,8 @@ func fakeX509Cert(dnsNames []string) *x509.Certificate { } } -func newDynamicNginxController(t *testing.T, setConfigMap func(string) *v1.ConfigMap) *NGINXController { - ns := v1.NamespaceDefault +func newDynamicNginxController(t *testing.T, setConfigMap func(string) *corev1.ConfigMap) *NGINXController { + ns := corev1.NamespaceDefault clientSet := fake.NewSimpleClientset() configMap := setConfigMap(ns) @@ -2465,10 +2591,11 @@ func newDynamicNginxController(t *testing.T, setConfigMap func(string) *v1.Confi channels.NewRingChannel(10), false, true, - &ingressclass.IngressClassConfiguration{ + &ingressclass.Configuration{ Controller: "k8s.io/ingress-nginx", AnnotationValue: "nginx", - }) + }, + false) sslCert := ssl.GetFakeSSLCert() config := &Configuration{ @@ -2479,8 +2606,9 @@ func newDynamicNginxController(t *testing.T, setConfigMap func(string) *v1.Confi } return &NGINXController{ - store: storer, - cfg: config, - command: NewNginxCommand(), + store: storer, + cfg: config, + command: NewNginxCommand(), + metricCollector: metric.DummyCollector{}, } } diff --git a/internal/ingress/controller/endpointslices.go b/internal/ingress/controller/endpointslices.go index 5a24c3880..4f98e3ce7 100644 --- a/internal/ingress/controller/endpointslices.go +++ b/internal/ingress/controller/endpointslices.go @@ -34,10 +34,10 @@ import ( "k8s.io/ingress-nginx/pkg/apis/ingress" ) -// getEndpoints returns a list of Endpoint structs for a given service/target port combination. -func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto corev1.Protocol, - getServiceEndpointsSlices func(string) ([]*discoveryv1.EndpointSlice, error)) []ingress.Endpoint { - +// getEndpointsFromSlices returns a list of Endpoint structs for a given service/target port combination. +func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto corev1.Protocol, zoneForHints string, + getServiceEndpointsSlices func(string) ([]*discoveryv1.EndpointSlice, error), +) []ingress.Endpoint { upsServers := []ingress.Endpoint{} if s == nil || port == nil { @@ -49,6 +49,7 @@ func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto c processedUpstreamServers := make(map[string]struct{}) svcKey := k8s.MetaNamespaceKey(s) + var useTopologyHints bool // ExternalName services if s.Spec.Type == corev1.ServiceTypeExternalName { @@ -93,7 +94,7 @@ func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto c if !reflect.DeepEqual(*epPort.Protocol, proto) { continue } - var targetPort int32 = 0 + var targetPort int32 if port.Name == "" { // port.Name is optional if there is only one port targetPort = *epPort.Port @@ -111,12 +112,38 @@ func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto c ports = append(ports, targetPort) } } + useTopologyHints = false + if zoneForHints != emptyZone { + useTopologyHints = true + // check if all endpointslices has zone hints + for _, ep := range eps.Endpoints { + if ep.Hints == nil || len(ep.Hints.ForZones) == 0 { + useTopologyHints = false + break + } + } + if useTopologyHints { + klog.V(3).Infof("All endpoint slices has zone hint, using zone %q for Service %q", zoneForHints, svcKey) + } + } + for _, ep := range eps.Endpoints { - if !(*ep.Conditions.Ready) { + if (ep.Conditions.Ready != nil) && !(*ep.Conditions.Ready) { continue } + epHasZone := false + if useTopologyHints { + for _, epzone := range ep.Hints.ForZones { + if epzone.Name == zoneForHints { + epHasZone = true + break + } + } + } - // ep.Hints + if useTopologyHints && !epHasZone { + continue + } for _, epPort := range ports { for _, epAddress := range ep.Addresses { diff --git a/internal/ingress/controller/endpointslices_test.go b/internal/ingress/controller/endpointslices_test.go index e404c4949..69ef3ef1b 100644 --- a/internal/ingress/controller/endpointslices_test.go +++ b/internal/ingress/controller/endpointslices_test.go @@ -27,12 +27,14 @@ import ( "k8s.io/ingress-nginx/pkg/apis/ingress" ) +//nolint:dupl // Ignore dupl errors for similar test case func TestGetEndpointsFromSlices(t *testing.T) { tests := []struct { name string svc *corev1.Service port *corev1.ServicePort proto corev1.Protocol + zone string fn func(string) ([]*discoveryv1.EndpointSlice, error) result []ingress.Endpoint }{ @@ -41,6 +43,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { nil, nil, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return nil, nil }, @@ -51,6 +54,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { &corev1.Service{}, nil, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return nil, nil }, @@ -61,6 +65,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { &corev1.Service{}, &corev1.ServicePort{Name: "default"}, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -75,6 +80,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { }, &corev1.ServicePort{Name: "default"}, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -99,6 +105,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -123,6 +130,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -147,6 +155,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -176,6 +185,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -205,6 +215,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{}, nil }, @@ -229,6 +240,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return nil, fmt.Errorf("unexpected error") }, @@ -253,6 +265,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -296,6 +309,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -339,6 +353,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromString("port-1"), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -382,6 +397,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -430,6 +446,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromInt(80), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -478,6 +495,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromString("port-1"), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{ { @@ -552,6 +570,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromString("port-1"), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{ { @@ -622,6 +641,7 @@ func TestGetEndpointsFromSlices(t *testing.T) { TargetPort: intstr.FromString("port-1"), }, corev1.ProtocolTCP, + "", func(string) ([]*discoveryv1.EndpointSlice, error) { return []*discoveryv1.EndpointSlice{{ ObjectMeta: metav1.ObjectMeta{ @@ -656,11 +676,251 @@ func TestGetEndpointsFromSlices(t *testing.T) { }, }, }, + { + "should return one endpoint which belongs to zone", + &corev1.Service{ + Spec: corev1.ServiceSpec{ + Type: corev1.ServiceTypeClusterIP, + ClusterIP: "1.1.1.1", + Ports: []corev1.ServicePort{ + { + Name: "default", + TargetPort: intstr.FromString("port-1"), + }, + }, + }, + }, + &corev1.ServicePort{ + Name: "port-1", + TargetPort: intstr.FromString("port-1"), + }, + corev1.ProtocolTCP, + "eu-west-1b", + func(string) ([]*discoveryv1.EndpointSlice, error) { + return []*discoveryv1.EndpointSlice{{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{discoveryv1.LabelServiceName: "default"}, + }, + Endpoints: []discoveryv1.Endpoint{ + { + Addresses: []string{"1.1.1.1"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1b", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.2"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1a", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.3"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1c", + }}, + }}[0], + }, + }, + Ports: []discoveryv1.EndpointPort{ + { + Protocol: &[]corev1.Protocol{corev1.ProtocolTCP}[0], + Port: &[]int32{80}[0], + Name: &[]string{"port-1"}[0], + }, + }, + }}, nil + }, + []ingress.Endpoint{ + { + Address: "1.1.1.1", + Port: "80", + }, + }, + }, + { + "should return all endpoints because one is missing zone hint", + &corev1.Service{ + Spec: corev1.ServiceSpec{ + Type: corev1.ServiceTypeClusterIP, + ClusterIP: "1.1.1.1", + Ports: []corev1.ServicePort{ + { + Name: "default", + TargetPort: intstr.FromString("port-1"), + }, + }, + }, + }, + &corev1.ServicePort{ + Name: "port-1", + TargetPort: intstr.FromString("port-1"), + }, + corev1.ProtocolTCP, + "eu-west-1b", + func(string) ([]*discoveryv1.EndpointSlice, error) { + return []*discoveryv1.EndpointSlice{{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{discoveryv1.LabelServiceName: "default"}, + }, + Endpoints: []discoveryv1.Endpoint{ + { + Addresses: []string{"1.1.1.1"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1b", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.2"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1b", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.3"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{}}[0], + }, + }, + Ports: []discoveryv1.EndpointPort{ + { + Protocol: &[]corev1.Protocol{corev1.ProtocolTCP}[0], + Port: &[]int32{80}[0], + Name: &[]string{"port-1"}[0], + }, + }, + }}, nil + }, + []ingress.Endpoint{ + { + Address: "1.1.1.1", + Port: "80", + }, + { + Address: "1.1.1.2", + Port: "80", + }, + { + Address: "1.1.1.3", + Port: "80", + }, + }, + }, + { + "should return all endpoints because no zone from controller node", + &corev1.Service{ + Spec: corev1.ServiceSpec{ + Type: corev1.ServiceTypeClusterIP, + ClusterIP: "1.1.1.1", + Ports: []corev1.ServicePort{ + { + Name: "default", + TargetPort: intstr.FromString("port-1"), + }, + }, + }, + }, + &corev1.ServicePort{ + Name: "port-1", + TargetPort: intstr.FromString("port-1"), + }, + corev1.ProtocolTCP, + "", + func(string) ([]*discoveryv1.EndpointSlice, error) { + return []*discoveryv1.EndpointSlice{{ + ObjectMeta: metav1.ObjectMeta{ + Labels: map[string]string{discoveryv1.LabelServiceName: "default"}, + }, + Endpoints: []discoveryv1.Endpoint{ + { + Addresses: []string{"1.1.1.1"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1a", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.2"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1b", + }}, + }}[0], + }, + { + Addresses: []string{"1.1.1.3"}, + Conditions: discoveryv1.EndpointConditions{ + Ready: &[]bool{true}[0], + }, + Hints: &[]discoveryv1.EndpointHints{{ + ForZones: []discoveryv1.ForZone{{ + Name: "eu-west-1c", + }}, + }}[0], + }, + }, + Ports: []discoveryv1.EndpointPort{ + { + Protocol: &[]corev1.Protocol{corev1.ProtocolTCP}[0], + Port: &[]int32{80}[0], + Name: &[]string{"port-1"}[0], + }, + }, + }}, nil + }, + []ingress.Endpoint{ + { + Address: "1.1.1.1", + Port: "80", + }, + { + Address: "1.1.1.2", + Port: "80", + }, + { + Address: "1.1.1.3", + Port: "80", + }, + }, + }, } for _, testCase := range tests { t.Run(testCase.name, func(t *testing.T) { - result := getEndpointsFromSlices(testCase.svc, testCase.port, testCase.proto, testCase.fn) + result := getEndpointsFromSlices(testCase.svc, testCase.port, testCase.proto, testCase.zone, testCase.fn) if len(testCase.result) != len(result) { t.Errorf("Expected %d Endpoints but got %d", len(testCase.result), len(result)) } diff --git a/internal/ingress/controller/ingressclass/ingressclass.go b/internal/ingress/controller/ingressclass/ingressclass.go index 95bd98d0f..90c6a4d67 100644 --- a/internal/ingress/controller/ingressclass/ingressclass.go +++ b/internal/ingress/controller/ingressclass/ingressclass.go @@ -29,9 +29,9 @@ const ( DefaultAnnotationValue = "nginx" ) -// IngressClassConfiguration defines the various aspects of IngressClass parsing +// Configuration defines the various aspects of IngressClass parsing // and how the controller should behave in each case -type IngressClassConfiguration struct { +type Configuration struct { // Controller defines the controller value this daemon watch to. // Defaults to "k8s.io/ingress-nginx" defined in flags Controller string @@ -45,7 +45,7 @@ type IngressClassConfiguration struct { // IgnoreIngressClass defines if Controller should ignore the IngressClass Object if no permissions are // granted on IngressClass IgnoreIngressClass bool - //IngressClassByName defines if the Controller should watch for Ingress Classes by + // IngressClassByName defines if the Controller should watch for Ingress Classes by // .metadata.name together with .spec.Controller IngressClassByName bool } diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index 4b543ea2f..578d5b4e8 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -22,6 +22,7 @@ import ( "encoding/json" "errors" "fmt" + "io/fs" "net" "net/http" "os" @@ -113,7 +114,7 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro if n.cfg.ValidationWebhook != "" { n.validationWebhookServer = &http.Server{ Addr: config.ValidationWebhook, - //G112 (CWE-400): Potential Slowloris Attack + // G112 (CWE-400): Potential Slowloris Attack ReadHeaderTimeout: 10 * time.Second, Handler: adm_controller.NewAdmissionControllerServer(&adm_controller.IngressAdmission{Checker: n}), TLSConfig: ssl.NewTLSListener(n.cfg.ValidationWebhookCertPath, n.cfg.ValidationWebhookKeyPath).TLSConfig(), @@ -136,7 +137,8 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro n.updateCh, config.DisableCatchAll, config.DeepInspector, - config.IngressClassConfiguration) + config.IngressClassConfiguration, + config.DisableSyncEvents) n.syncQueue = task.NewTaskQueue(n.syncIngress) @@ -179,7 +181,11 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro } filesToWatch := []string{} - err = filepath.Walk("/etc/nginx/geoip/", func(path string, info os.FileInfo, err error) error { + + if err := os.Mkdir("/etc/ingress-controller/geoip/", 0o755); err != nil && !os.IsExist(err) { + klog.Fatalf("Error creating geoip dir: %v", err) + } + err = filepath.WalkDir("/etc/ingress-controller/geoip/", func(path string, info fs.DirEntry, err error) error { if err != nil { return err } @@ -247,8 +253,7 @@ type NGINXController struct { store store.Storer - metricCollector metric.Collector - admissionCollector metric.Collector + metricCollector metric.Collector validationWebhookServer *http.Server @@ -429,7 +434,7 @@ func (n *NGINXController) start(cmd *exec.Cmd) { } // DefaultEndpoint returns the default endpoint to be use as default server that returns 404. -func (n NGINXController) DefaultEndpoint() ingress.Endpoint { +func (n *NGINXController) DefaultEndpoint() ingress.Endpoint { return ingress.Endpoint{ Address: "127.0.0.1", Port: fmt.Sprintf("%v", n.cfg.ListenPorts.Default), @@ -438,8 +443,9 @@ func (n NGINXController) DefaultEndpoint() ingress.Endpoint { } // generateTemplate returns the nginx configuration file content -func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressCfg ingress.Configuration) ([]byte, error) { - +// +//nolint:gocritic // the cfg shouldn't be changed, and shouldn't be mutated by other processes while being rendered. +func (n *NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressCfg ingress.Configuration) ([]byte, error) { if n.cfg.EnableSSLPassthrough { servers := []*tcpproxy.TCPServer{} for _, pb := range ingressCfg.PassthroughBackends { @@ -458,6 +464,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC } } else { for _, sp := range svc.Spec.Ports { + //nolint:gosec // Ignore G109 error if sp.Port == int32(port) { port = int(sp.Port) break @@ -563,7 +570,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC if err != nil { klog.Warningf("Error reading Secret %q from local store: %v", secretName, err) } else { - nsSecName := strings.Replace(secretName, "/", "-", -1) + nsSecName := strings.ReplaceAll(secretName, "/", "-") dh, ok := secret.Data["dhparam.pem"] if ok { pemFileName, err := ssl.AddOrUpdateDHParam(nsSecName, dh) @@ -589,7 +596,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC } } - tc := ngx_config.TemplateConfig{ + tc := &ngx_config.TemplateConfig{ ProxySetHeaders: setHeaders, AddHeaders: addHeaders, BacklogSize: sysctlSomaxconn(), @@ -623,7 +630,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC // testTemplate checks if the NGINX configuration inside the byte array is valid // running the command "nginx -t" using a temporal file. -func (n NGINXController) testTemplate(cfg []byte) error { +func (n *NGINXController) testTemplate(cfg []byte) error { if len(cfg) == 0 { return fmt.Errorf("invalid NGINX configuration (empty)") } @@ -658,6 +665,8 @@ Error: %v // changes were detected. The received backend Configuration is merged with the // configuration ConfigMap before generating the final configuration file. // Returns nil in case the backend was successfully reloaded. +// +//nolint:gocritic // the cfg shouldn't be changed, and shouldn't be mutated by other processes while being rendered. func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { cfg := n.store.GetBackendConfiguration() cfg.Resolver = n.resolver @@ -667,7 +676,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { return err } - err = createOpentracingCfg(cfg) + err = createOpentelemetryCfg(&cfg) if err != nil { return err } @@ -678,7 +687,10 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { } if klog.V(2).Enabled() { - src, _ := os.ReadFile(cfgPath) + src, err := os.ReadFile(cfgPath) + if err != nil { + return err + } if !bytes.Equal(src, content) { tmpfile, err := os.CreateTemp("", "new-nginx-cfg") if err != nil { @@ -689,11 +701,14 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { if err != nil { return err } - + //nolint:gosec //Ignore G204 error diffOutput, err := exec.Command("diff", "-I", "'# Configuration.*'", "-u", cfgPath, tmpfile.Name()).CombinedOutput() if err != nil { if exitError, ok := err.(*exec.ExitError); ok { - ws := exitError.Sys().(syscall.WaitStatus) + ws, ok := exitError.Sys().(syscall.WaitStatus) + if !ok { + klog.Errorf("unexpected type: %T", exitError.Sys()) + } if ws.ExitStatus() == 2 { klog.Warningf("Failed to executing diff command: %v", err) } @@ -793,45 +808,6 @@ func (n *NGINXController) setupSSLProxy() { }() } -// Helper function to clear Certificates from the ingress configuration since they should be ignored when -// checking if the new configuration changes can be applied dynamically if dynamic certificates is on -func clearCertificates(config *ingress.Configuration) { - var clearedServers []*ingress.Server - for _, server := range config.Servers { - copyOfServer := *server - copyOfServer.SSLCert = nil - clearedServers = append(clearedServers, ©OfServer) - } - config.Servers = clearedServers -} - -// Helper function to clear endpoints from the ingress configuration since they should be ignored when -// checking if the new configuration changes can be applied dynamically. -func clearL4serviceEndpoints(config *ingress.Configuration) { - var clearedTCPL4Services []ingress.L4Service - var clearedUDPL4Services []ingress.L4Service - for _, service := range config.TCPEndpoints { - copyofService := ingress.L4Service{ - Port: service.Port, - Backend: service.Backend, - Endpoints: []ingress.Endpoint{}, - Service: nil, - } - clearedTCPL4Services = append(clearedTCPL4Services, copyofService) - } - for _, service := range config.UDPEndpoints { - copyofService := ingress.L4Service{ - Port: service.Port, - Backend: service.Backend, - Endpoints: []ingress.Endpoint{}, - Service: nil, - } - clearedUDPL4Services = append(clearedUDPL4Services, copyofService) - } - config.TCPEndpoints = clearedTCPL4Services - config.UDPEndpoints = clearedUDPL4Services -} - // configureDynamically encodes new Backends in JSON format and POSTs the // payload to an internal HTTP endpoint handled by Lua. func (n *NGINXController) configureDynamically(pcfg *ingress.Configuration) error { @@ -862,9 +838,10 @@ func (n *NGINXController) configureDynamically(pcfg *ingress.Configuration) erro return nil } -func updateStreamConfiguration(TCPEndpoints []ingress.L4Service, UDPEndpoints []ingress.L4Service) error { +func updateStreamConfiguration(tcpEndpoints, udpEndpoints []ingress.L4Service) error { streams := make([]ingress.Backend, 0) - for _, ep := range TCPEndpoints { + for i := range tcpEndpoints { + ep := &tcpEndpoints[i] var service *apiv1.Service if ep.Service != nil { service = &apiv1.Service{Spec: ep.Service.Spec} @@ -878,7 +855,8 @@ func updateStreamConfiguration(TCPEndpoints []ingress.L4Service, UDPEndpoints [] Service: service, }) } - for _, ep := range UDPEndpoints { + for i := range udpEndpoints { + ep := &udpEndpoints[i] var service *apiv1.Service if ep.Service != nil { service = &apiv1.Service{Spec: ep.Service.Spec} @@ -1018,76 +996,41 @@ func configureCertificates(rawServers []*ingress.Server) error { return nil } -const zipkinTmpl = `{ - "service_name": "{{ .ZipkinServiceName }}", - "collector_host": "{{ .ZipkinCollectorHost }}", - "collector_port": {{ .ZipkinCollectorPort }}, - "sample_rate": {{ .ZipkinSampleRate }} -}` +const otelTmpl = ` +exporter = "otlp" +processor = "batch" -const jaegerTmpl = `{ - "service_name": "{{ .JaegerServiceName }}", - "propagation_format": "{{ .JaegerPropagationFormat }}", - "sampler": { - "type": "{{ .JaegerSamplerType }}", - "param": {{ .JaegerSamplerParam }}, - "samplingServerURL": "{{ .JaegerSamplerHost }}:{{ .JaegerSamplerPort }}/sampling" - }, - "reporter": { - "endpoint": "{{ .JaegerEndpoint }}", - "localAgentHostPort": "{{ .JaegerCollectorHost }}:{{ .JaegerCollectorPort }}" - }, - "headers": { - "TraceContextHeaderName": "{{ .JaegerTraceContextHeaderName }}", - "jaegerDebugHeader": "{{ .JaegerDebugHeader }}", - "jaegerBaggageHeader": "{{ .JaegerBaggageHeader }}", - "traceBaggageHeaderPrefix": "{{ .JaegerTraceBaggageHeaderPrefix }}" - } -}` +[exporters.otlp] +# Alternatively the OTEL_EXPORTER_OTLP_ENDPOINT environment variable can also be used. +host = "{{ .OtlpCollectorHost }}" +port = {{ .OtlpCollectorPort }} -const datadogTmpl = `{ - "service": "{{ .DatadogServiceName }}", - "agent_host": "{{ .DatadogCollectorHost }}", - "agent_port": {{ .DatadogCollectorPort }}, - "environment": "{{ .DatadogEnvironment }}", - "operation_name_override": "{{ .DatadogOperationNameOverride }}", - "sample_rate": {{ .DatadogSampleRate }}, - "dd.priority.sampling": {{ .DatadogPrioritySampling }} -}` +[processors.batch] +max_queue_size = {{ .OtelMaxQueueSize }} +schedule_delay_millis = {{ .OtelScheduleDelayMillis }} +max_export_batch_size = {{ .OtelMaxExportBatchSize }} -func createOpentracingCfg(cfg ngx_config.Configuration) error { - var tmpl *template.Template - var err error +[service] +name = "{{ .OtelServiceName }}" # Opentelemetry resource name - if cfg.ZipkinCollectorHost != "" { - tmpl, err = template.New("zipkin").Parse(zipkinTmpl) - if err != nil { - return err - } - } else if cfg.JaegerCollectorHost != "" || cfg.JaegerEndpoint != "" { - tmpl, err = template.New("jaeger").Parse(jaegerTmpl) - if err != nil { - return err - } - } else if cfg.DatadogCollectorHost != "" { - tmpl, err = template.New("datadog").Parse(datadogTmpl) - if err != nil { - return err - } - } else { - tmpl, _ = template.New("empty").Parse("{}") +[sampler] +name = "{{ .OtelSampler }}" # Also: AlwaysOff, TraceIdRatioBased +ratio = {{ .OtelSamplerRatio }} +parent_based = {{ .OtelSamplerParentBased }} +` + +func createOpentelemetryCfg(cfg *ngx_config.Configuration) error { + tmpl, err := template.New("otel").Parse(otelTmpl) + if err != nil { + return err } - tmplBuf := bytes.NewBuffer(make([]byte, 0)) err = tmpl.Execute(tmplBuf, cfg) if err != nil { return err } - // Expand possible environment variables before writing the configuration to file. - expanded := os.ExpandEnv(tmplBuf.String()) - - return os.WriteFile("/etc/nginx/opentracing.json", []byte(expanded), file.ReadWriteByUser) + return os.WriteFile(cfg.OpentelemetryConfig, tmplBuf.Bytes(), file.ReadWriteByUser) } func cleanTempNginxCfg() error { @@ -1101,7 +1044,10 @@ func cleanTempNginxCfg() error { return filepath.SkipDir } - dur, _ := time.ParseDuration("-5m") + dur, err := time.ParseDuration("-5m") + if err != nil { + return err + } fiveMinutesAgo := time.Now().Add(dur) if strings.HasPrefix(info.Name(), tempNginxPattern) && info.ModTime().Before(fiveMinutesAgo) { files = append(files, path) diff --git a/internal/ingress/controller/nginx_test.go b/internal/ingress/controller/nginx_test.go index 4d3155194..c68b0b188 100644 --- a/internal/ingress/controller/nginx_test.go +++ b/internal/ingress/controller/nginx_test.go @@ -58,11 +58,12 @@ func TestConfigureDynamically(t *testing.T) { server := &httptest.Server{ Listener: listener, + //nolint:gosec // Ignore not configured ReadHeaderTimeout in testing Config: &http.Server{ Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusCreated) - if r.Method != "POST" { + if r.Method != http.MethodPost { t.Errorf("expected a 'POST' request, got '%s'", r.Method) } @@ -76,23 +77,17 @@ func TestConfigureDynamically(t *testing.T) { switch r.URL.Path { case "/configuration/backends": - { - if strings.Contains(body, "target") { - t.Errorf("unexpected target reference in JSON content: %v", body) - } + if strings.Contains(body, "target") { + t.Errorf("unexpected target reference in JSON content: %v", body) + } - if !strings.Contains(body, "service") { - t.Errorf("service reference should be present in JSON content: %v", body) - } + if !strings.Contains(body, "service") { + t.Errorf("service reference should be present in JSON content: %v", body) } case "/configuration/general": - { - } case "/configuration/servers": - { - if !strings.Contains(body, `{"certificates":{},"servers":{"myapp.fake":"-1"}}`) { - t.Errorf("should be present in JSON content: %v", body) - } + if !strings.Contains(body, `{"certificates":{},"servers":{"myapp.fake":"-1"}}`) { + t.Errorf("should be present in JSON content: %v", body) } default: t.Errorf("unknown request to %s", r.URL.Path) @@ -218,11 +213,12 @@ func TestConfigureCertificates(t *testing.T) { server := &httptest.Server{ Listener: listener, + //nolint:gosec // Ignore not configured ReadHeaderTimeout in testing Config: &http.Server{ Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusCreated) - if r.Method != "POST" { + if r.Method != http.MethodPost { t.Errorf("expected a 'POST' request, got '%s'", r.Method) } @@ -414,6 +410,7 @@ func TestCleanTempNginxCfg(t *testing.T) { } } +//nolint:unparam // Ingnore `network` always receives `"tcp"` error func tryListen(network, address string) (l net.Listener, err error) { condFunc := func() (bool, error) { l, err = net.Listen(network, address) diff --git a/internal/ingress/controller/process/nginx.go b/internal/ingress/controller/process/nginx.go index 70227ac2e..fdf501616 100644 --- a/internal/ingress/controller/process/nginx.go +++ b/internal/ingress/controller/process/nginx.go @@ -30,7 +30,10 @@ func IsRespawnIfRequired(err error) bool { return false } - waitStatus := exitError.Sys().(syscall.WaitStatus) + waitStatus, ok := exitError.Sys().(syscall.WaitStatus) + if !ok { + return false + } klog.Warningf(` ------------------------------------------------------------------------------- NGINX master process died (%v): %v diff --git a/internal/ingress/controller/status.go b/internal/ingress/controller/status.go index 3b0a41ab8..e061b2cb7 100644 --- a/internal/ingress/controller/status.go +++ b/internal/ingress/controller/status.go @@ -50,7 +50,7 @@ func setupLeaderElection(config *leaderElectionConfig) { var cancelContext context.CancelFunc - var newLeaderCtx = func(ctx context.Context) context.CancelFunc { + newLeaderCtx := func(ctx context.Context) context.CancelFunc { // allow to cancel the context in case we stop being the leader leaderCtx, cancel := context.WithCancel(ctx) go elector.Run(leaderCtx) @@ -86,8 +86,10 @@ func setupLeaderElection(config *leaderElectionConfig) { } broadcaster := record.NewBroadcaster() - hostname, _ := os.Hostname() - + hostname, err := os.Hostname() + if err != nil { + klog.Errorf("unexpected error getting hostname: %v", err) + } recorder := broadcaster.NewRecorder(scheme.Scheme, apiv1.EventSource{ Component: "ingress-leader-elector", Host: hostname, @@ -107,7 +109,7 @@ func setupLeaderElection(config *leaderElectionConfig) { ttl := 30 * time.Second - elector, err := leaderelection.NewLeaderElector(leaderelection.LeaderElectionConfig{ + elector, err = leaderelection.NewLeaderElector(leaderelection.LeaderElectionConfig{ Lock: lock, LeaseDuration: ttl, RenewDeadline: ttl / 2, diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go index 6f0fcf189..81b508cd2 100644 --- a/internal/ingress/controller/store/backend_ssl.go +++ b/internal/ingress/controller/store/backend_ssl.go @@ -88,10 +88,11 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error auth := secret.Data["auth"] // namespace/secretName -> namespace-secretName - nsSecName := strings.Replace(secretName, "/", "-", -1) + nsSecName := strings.ReplaceAll(secretName, "/", "-") var sslCert *ingress.SSLCert - if okcert && okkey { + switch { + case okcert && okkey: if cert == nil { return nil, fmt.Errorf("key 'tls.crt' missing from Secret %q", secretName) } @@ -144,7 +145,7 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error } klog.V(3).InfoS(msg) - } else if len(ca) > 0 { + case len(ca) > 0: sslCert, err = ssl.CreateCACert(ca) if err != nil { return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err) @@ -166,7 +167,7 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error // makes this secret in 'syncSecret' to be used for Certificate Authentication // this does not enable Certificate Authentication klog.V(3).InfoS("Configuring Secret for TLS authentication", "secret", secretName) - } else { + default: if auth != nil { return nil, ErrSecretForAuth } diff --git a/internal/ingress/controller/store/endpointslice.go b/internal/ingress/controller/store/endpointslice.go index 78d088695..61bc63ae7 100644 --- a/internal/ingress/controller/store/endpointslice.go +++ b/internal/ingress/controller/store/endpointslice.go @@ -38,7 +38,7 @@ func (s *EndpointSliceLister) MatchByKey(key string) ([]*discoveryv1.EndpointSli keyNsLen = 0 } else { // count '/' char - keyNsLen += 1 + keyNsLen++ } // filter endpointSlices owned by svc for _, listKey := range s.ListKeys() { diff --git a/internal/ingress/controller/store/endpointslice_test.go b/internal/ingress/controller/store/endpointslice_test.go index e12a98c2f..5d423a3a6 100644 --- a/internal/ingress/controller/store/endpointslice_test.go +++ b/internal/ingress/controller/store/endpointslice_test.go @@ -59,7 +59,9 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice) + if err := el.Add(endpointSlice); err != nil { + t.Errorf("unexpected error %v", err) + } endpointSlice = &discoveryv1.EndpointSlice{ ObjectMeta: metav1.ObjectMeta{ Namespace: "namespace", @@ -69,7 +71,9 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice) + if err := el.Add(endpointSlice); err != nil { + t.Errorf("unexpected error %v", err) + } endpointSlice = &discoveryv1.EndpointSlice{ ObjectMeta: metav1.ObjectMeta{ Namespace: "namespace", @@ -79,9 +83,10 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice) + if err := el.Add(endpointSlice); err != nil { + t.Errorf("unexpected error %v", err) + } eps, err := el.MatchByKey(key) - if err != nil { t.Errorf("unexpeted error %v", err) } @@ -108,7 +113,9 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice) + if err := el.Add(endpointSlice); err != nil { + t.Errorf("unexpected error %v", err) + } endpointSlice2 := &discoveryv1.EndpointSlice{ ObjectMeta: metav1.ObjectMeta{ Namespace: ns2, @@ -118,7 +125,9 @@ func TestEndpointSliceLister(t *testing.T) { }, }, } - el.Add(endpointSlice2) + if err := el.Add(endpointSlice2); err != nil { + t.Errorf("unexpected error %v", err) + } eps, err := el.MatchByKey(key) if err != nil { t.Errorf("unexpeted error %v", err) diff --git a/internal/ingress/controller/store/objectref.go b/internal/ingress/controller/store/objectref.go index 9ef13bf07..89ea47251 100644 --- a/internal/ingress/controller/store/objectref.go +++ b/internal/ingress/controller/store/objectref.go @@ -37,13 +37,13 @@ type ObjectRefMap interface { type objectRefMap struct { sync.Mutex - v map[string]sets.String + v map[string]sets.Set[string] } // NewObjectRefMap returns a new ObjectRefMap. func NewObjectRefMap() ObjectRefMap { return &objectRefMap{ - v: make(map[string]sets.String), + v: make(map[string]sets.Set[string]), } } @@ -54,7 +54,7 @@ func (o *objectRefMap) Insert(consumer string, ref ...string) { for _, r := range ref { if _, ok := o.v[r]; !ok { - o.v[r] = sets.NewString(consumer) + o.v[r] = sets.New[string](consumer) continue } o.v[r].Insert(consumer) @@ -112,7 +112,7 @@ func (o *objectRefMap) Reference(ref string) []string { if !ok { return make([]string, 0) } - return consumers.List() + return consumers.UnsortedList() } // ReferencedBy returns all objects referenced by the given object. diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 7f493bd8a..4288785de 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -36,7 +36,6 @@ import ( "k8s.io/apimachinery/pkg/labels" k8sruntime "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/util/runtime" - utilruntime "k8s.io/apimachinery/pkg/util/runtime" "k8s.io/client-go/informers" clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/scheme" @@ -59,7 +58,6 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/k8s" "k8s.io/ingress-nginx/pkg/apis/ingress" - ingressutils "k8s.io/ingress-nginx/pkg/util/ingress" ) // IngressFilterFunc decides if an Ingress should be omitted or not @@ -71,6 +69,9 @@ type Storer interface { // GetBackendConfiguration returns the nginx configuration stored in a configmap GetBackendConfiguration() ngx_config.Configuration + // GetSecurityConfiguration returns the configuration options from Ingress + GetSecurityConfiguration() defaults.SecurityConfiguration + // GetConfigMap returns the ConfigMap matching key. GetConfigMap(key string) (*corev1.ConfigMap, error) @@ -104,7 +105,7 @@ type Storer interface { Run(stopCh chan struct{}) // GetIngressClass validates given ingress against ingress class configuration and returns the ingress class. - GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) + GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.Configuration) (string, error) } // EventType type of event associated with an informer @@ -241,7 +242,9 @@ type k8sStore struct { defaultSSLCertificate string } -// New creates a new object store to be used in the ingress controller +// New creates a new object store to be used in the ingress controller. +// +//nolint:gocyclo // Ignore function complexity error. func New( namespace string, namespaceSelector labels.Selector, @@ -251,8 +254,9 @@ func New( updateCh *channels.RingChannel, disableCatchAll bool, deepInspector bool, - icConfig *ingressclass.IngressClassConfiguration) Storer { - + icConfig *ingressclass.Configuration, + disableSyncEvents bool, +) Storer { store := &k8sStore{ informers: &Informer{}, listers: &Lister{}, @@ -267,9 +271,11 @@ func New( eventBroadcaster := record.NewBroadcaster() eventBroadcaster.StartLogging(klog.Infof) - eventBroadcaster.StartRecordingToSink(&clientcorev1.EventSinkImpl{ - Interface: client.CoreV1().Events(namespace), - }) + if !disableSyncEvents { + eventBroadcaster.StartRecordingToSink(&clientcorev1.EventSinkImpl{ + Interface: client.CoreV1().Events(namespace), + }) + } recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{ Component: "nginx-ingress-controller", }) @@ -403,7 +409,10 @@ func New( return } - store.listers.IngressWithAnnotation.Delete(ing) + if err := store.listers.IngressWithAnnotation.Delete(ing); err != nil { + klog.ErrorS(err, "Error while deleting ingress from store", "ingress", klog.KObj(ing)) + return + } key := k8s.MetaNamespaceKey(ing) store.secretIngressMap.Delete(key) @@ -467,7 +476,8 @@ func New( _, errOld = store.GetIngressClass(oldIng, icConfig) classCur, errCur = store.GetIngressClass(curIng, icConfig) } - if errOld != nil && errCur == nil { + switch { + case errOld != nil && errCur == nil: if hasCatchAllIngressRule(curIng.Spec) && disableCatchAll { klog.InfoS("ignoring update for catch-all ingress because of --disable-catch-all", "ingress", klog.KObj(curIng)) return @@ -475,11 +485,11 @@ func New( klog.InfoS("creating ingress", "ingress", klog.KObj(curIng), "ingressclass", classCur) recorder.Eventf(curIng, corev1.EventTypeNormal, "Sync", "Scheduled for sync") - } else if errOld == nil && errCur != nil { + case errOld == nil && errCur != nil: klog.InfoS("removing ingress because of unknown ingressclass", "ingress", klog.KObj(curIng)) ingDeleteHandler(old) return - } else if errCur == nil && !reflect.DeepEqual(old, cur) { + case errCur == nil && !reflect.DeepEqual(old, cur): if hasCatchAllIngressRule(curIng.Spec) && disableCatchAll { klog.InfoS("ignoring update for catch-all ingress and delete old one because of --disable-catch-all", "ingress", klog.KObj(curIng)) ingDeleteHandler(old) @@ -487,7 +497,7 @@ func New( } recorder.Eventf(curIng, corev1.EventTypeNormal, "Sync", "Scheduled for sync") - } else { + default: klog.V(3).InfoS("No changes on ingress. Skipping update", "ingress", klog.KObj(curIng)) return } @@ -512,7 +522,10 @@ func New( ingressClassEventHandler := cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { - ingressclass := obj.(*networkingv1.IngressClass) + ingressclass, ok := obj.(*networkingv1.IngressClass) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } foundClassByName := false if icConfig.IngressClassByName && ingressclass.Name == icConfig.AnnotationValue { klog.InfoS("adding ingressclass as ingress-class-by-name is configured", "ingressclass", klog.KObj(ingressclass)) @@ -534,7 +547,10 @@ func New( } }, DeleteFunc: func(obj interface{}) { - ingressclass := obj.(*networkingv1.IngressClass) + ingressclass, ok := obj.(*networkingv1.IngressClass) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } if ingressclass.Spec.Controller != icConfig.Controller { klog.InfoS("ignoring ingressclass as the spec.controller is not the same of this ingress", "ingressclass", klog.KObj(ingressclass)) return @@ -550,8 +566,14 @@ func New( } }, UpdateFunc: func(old, cur interface{}) { - oic := old.(*networkingv1.IngressClass) - cic := cur.(*networkingv1.IngressClass) + oic, ok := old.(*networkingv1.IngressClass) + if !ok { + klog.Errorf("unexpected type: %T", old) + } + cic, ok := cur.(*networkingv1.IngressClass) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } if cic.Spec.Controller != icConfig.Controller { klog.InfoS("ignoring ingressclass as the spec.controller is not the same of this ingress", "ingressclass", klog.KObj(cic)) return @@ -574,7 +596,10 @@ func New( secrEventHandler := cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { - sec := obj.(*corev1.Secret) + sec, ok := obj.(*corev1.Secret) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } key := k8s.MetaNamespaceKey(sec) if store.defaultSSLCertificate == key { @@ -601,7 +626,10 @@ func New( }, UpdateFunc: func(old, cur interface{}) { if !reflect.DeepEqual(old, cur) { - sec := cur.(*corev1.Secret) + sec, ok := cur.(*corev1.Secret) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } key := k8s.MetaNamespaceKey(sec) if !watchedNamespace(sec.Namespace) { @@ -688,8 +716,14 @@ func New( } }, UpdateFunc: func(old, cur interface{}) { - oeps := old.(*discoveryv1.EndpointSlice) - ceps := cur.(*discoveryv1.EndpointSlice) + oeps, ok := old.(*discoveryv1.EndpointSlice) + if !ok { + klog.Errorf("unexpected type: %T", old) + } + ceps, ok := cur.(*discoveryv1.EndpointSlice) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } if !reflect.DeepEqual(ceps.Endpoints, oeps.Endpoints) { updateCh.In() <- Event{ Type: UpdateEvent, @@ -699,7 +733,6 @@ func New( }, } - // TODO: add e2e test to verify that changes to one or more configmap trigger an update changeTriggerUpdate := func(name string) bool { return name == configmap || name == tcp || name == udp } @@ -744,7 +777,10 @@ func New( cmEventHandler := cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { - cfgMap := obj.(*corev1.ConfigMap) + cfgMap, ok := obj.(*corev1.ConfigMap) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } key := k8s.MetaNamespaceKey(cfgMap) handleCfgMapEvent(key, cfgMap, "CREATE") }, @@ -753,7 +789,10 @@ func New( return } - cfgMap := cur.(*corev1.ConfigMap) + cfgMap, ok := cur.(*corev1.ConfigMap) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } key := k8s.MetaNamespaceKey(cfgMap) handleCfgMapEvent(key, cfgMap, "UPDATE") }, @@ -761,7 +800,10 @@ func New( serviceHandler := cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { - svc := obj.(*corev1.Service) + svc, ok := obj.(*corev1.Service) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } if svc.Spec.Type == corev1.ServiceTypeExternalName { updateCh.In() <- Event{ Type: CreateEvent, @@ -770,7 +812,10 @@ func New( } }, DeleteFunc: func(obj interface{}) { - svc := obj.(*corev1.Service) + svc, ok := obj.(*corev1.Service) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } if svc.Spec.Type == corev1.ServiceTypeExternalName { updateCh.In() <- Event{ Type: DeleteEvent, @@ -779,8 +824,14 @@ func New( } }, UpdateFunc: func(old, cur interface{}) { - oldSvc := old.(*corev1.Service) - curSvc := cur.(*corev1.Service) + oldSvc, ok := old.(*corev1.Service) + if !ok { + klog.Errorf("unexpected type: %T", old) + } + curSvc, ok := cur.(*corev1.Service) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } if reflect.DeepEqual(oldSvc, curSvc) { return @@ -793,17 +844,32 @@ func New( }, } - store.informers.Ingress.AddEventHandler(ingEventHandler) - if !icConfig.IgnoreIngressClass { - store.informers.IngressClass.AddEventHandler(ingressClassEventHandler) + if _, err := store.informers.Ingress.AddEventHandler(ingEventHandler); err != nil { + klog.Errorf("Error adding ingress event handler: %v", err) + } + if !icConfig.IgnoreIngressClass { + if _, err := store.informers.IngressClass.AddEventHandler(ingressClassEventHandler); err != nil { + klog.Errorf("Error adding ingress class event handler: %v", err) + } + } + if _, err := store.informers.EndpointSlice.AddEventHandler(epsEventHandler); err != nil { + klog.Errorf("Error adding endpoint slice event handler: %v", err) + } + if _, err := store.informers.Secret.AddEventHandler(secrEventHandler); err != nil { + klog.Errorf("Error adding secret event handler: %v", err) + } + if _, err := store.informers.ConfigMap.AddEventHandler(cmEventHandler); err != nil { + klog.Errorf("Error adding configmap event handler: %v", err) + } + if _, err := store.informers.Service.AddEventHandler(serviceHandler); err != nil { + klog.Errorf("Error adding service event handler: %v", err) } - store.informers.EndpointSlice.AddEventHandler(epsEventHandler) - store.informers.Secret.AddEventHandler(secrEventHandler) - store.informers.ConfigMap.AddEventHandler(cmEventHandler) - store.informers.Service.AddEventHandler(serviceHandler) // do not wait for informers to read the configmap configuration - ns, name, _ := k8s.ParseNameNS(configmap) + ns, name, err := k8s.ParseNameNS(configmap) + if err != nil { + klog.Errorf("unexpected error parsing name and ns: %v", err) + } cm, err := client.CoreV1().ConfigMaps(ns).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { klog.Warningf("Unexpected error reading configuration configmap: %v", err) @@ -819,10 +885,10 @@ func hasCatchAllIngressRule(spec networkingv1.IngressSpec) bool { return spec.DefaultBackend != nil } -func checkBadAnnotationValue(annotations map[string]string, badwords string) error { +func checkBadAnnotationValue(annotationMap map[string]string, badwords string) error { arraybadWords := strings.Split(strings.TrimSpace(badwords), ",") - for annotation, value := range annotations { + for annotation, value := range annotationMap { if strings.HasPrefix(annotation, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) { for _, forbiddenvalue := range arraybadWords { if strings.Contains(value, forbiddenvalue) { @@ -862,18 +928,19 @@ func (s *k8sStore) syncIngress(ing *networkingv1.Ingress) { if path.Path == "" { copyIng.Spec.Rules[ri].HTTP.Paths[pi].Path = "/" } - if !ingressutils.IsSafePath(copyIng, path.Path) { - klog.Warningf("ingress %s contains invalid path %s", key, path.Path) - return - } } } k8s.SetDefaultNGINXPathType(copyIng) - err := s.listers.IngressWithAnnotation.Update(&ingress.Ingress{ + parsed, err := s.annotations.Extract(ing) + if err != nil { + klog.Error(err) + return + } + err = s.listers.IngressWithAnnotation.Update(&ingress.Ingress{ Ingress: *copyIng, - ParsedAnnotations: s.annotations.Extract(ing), + ParsedAnnotations: parsed, }) if err != nil { klog.Error(err) @@ -909,8 +976,10 @@ func (s *k8sStore) updateSecretIngressMap(ing *networkingv1.Ingress) { "proxy-ssl-secret", "secure-verify-ca-secret", } + + secConfig := s.GetSecurityConfiguration().AllowCrossNamespaceResources for _, ann := range secretAnnotations { - secrKey, err := objectRefAnnotationNsKey(ann, ing) + secrKey, err := objectRefAnnotationNsKey(ann, ing, secConfig) if err != nil && !errors.IsMissingAnnotations(err) { klog.Errorf("error reading secret reference in annotation %q: %s", ann, err) continue @@ -926,8 +995,9 @@ func (s *k8sStore) updateSecretIngressMap(ing *networkingv1.Ingress) { // objectRefAnnotationNsKey returns an object reference formatted as a // 'namespace/name' key from the given annotation name. -func objectRefAnnotationNsKey(ann string, ing *networkingv1.Ingress) (string, error) { - annValue, err := parser.GetStringAnnotation(ann, ing) +func objectRefAnnotationNsKey(ann string, ing *networkingv1.Ingress, allowCrossNamespace bool) (string, error) { + // We pass nil fields, as this is an internal process and we don't need to validate it. + annValue, err := parser.GetStringAnnotation(ann, ing, nil) if err != nil { return "", err } @@ -940,6 +1010,9 @@ func objectRefAnnotationNsKey(ann string, ing *networkingv1.Ingress) (string, er if secrNs == "" { return fmt.Sprintf("%v/%v", ing.Namespace, secrName), nil } + if !allowCrossNamespace && secrNs != ing.Namespace { + return "", fmt.Errorf("cross namespace secret is not supported") + } return annValue, nil } @@ -974,7 +1047,7 @@ func (s *k8sStore) GetService(key string) (*corev1.Service, error) { return s.listers.Service.ByKey(key) } -func (s *k8sStore) GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) { +func (s *k8sStore) GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.Configuration) (string, error) { // First we try ingressClassName if !icConfig.IgnoreIngressClass && ing.Spec.IngressClassName != nil { iclass, err := s.listers.IngressClass.ByKey(*ing.Spec.IngressClassName) @@ -985,11 +1058,11 @@ func (s *k8sStore) GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressc } // Then we try annotation - if ingressclass, ok := ing.GetAnnotations()[ingressclass.IngressKey]; ok { - if ingressclass != icConfig.AnnotationValue { + if class, ok := ing.GetAnnotations()[ingressclass.IngressKey]; ok { + if class != icConfig.AnnotationValue { return "", fmt.Errorf("ingress class annotation is not equal to the expected by Ingress Controller") } - return ingressclass, nil + return class, nil } // Then we accept if the WithoutClass is enabled @@ -1030,7 +1103,10 @@ func (s *k8sStore) ListIngresses() []*ingress.Ingress { // filter ingress rules ingresses := make([]*ingress.Ingress, 0) for _, item := range s.listers.IngressWithAnnotation.List() { - ing := item.(*ingress.Ingress) + ing, ok := item.(*ingress.Ingress) + if !ok { + klog.Errorf("unexpected type: %T", item) + } ingresses = append(ingresses, ing) } @@ -1114,6 +1190,17 @@ func (s *k8sStore) GetBackendConfiguration() ngx_config.Configuration { return s.backendConfig } +func (s *k8sStore) GetSecurityConfiguration() defaults.SecurityConfiguration { + s.backendConfigMu.RLock() + defer s.backendConfigMu.RUnlock() + + secConfig := defaults.SecurityConfiguration{ + AllowCrossNamespaceResources: s.backendConfig.AllowCrossNamespaceResources, + AnnotationsRiskLevel: s.backendConfig.AnnotationsRiskLevel, + } + return secConfig +} + func (s *k8sStore) setConfig(cmap *corev1.ConfigMap) { s.backendConfigMu.Lock() defer s.backendConfigMu.Unlock() @@ -1128,7 +1215,7 @@ func (s *k8sStore) setConfig(cmap *corev1.ConfigMap) { s.backendConfig.UseGeoIP2 = false } - s.writeSSLSessionTicketKey(cmap, "/etc/nginx/tickets.key") + s.writeSSLSessionTicketKey(cmap, "/etc/ingress-controller/tickets.key") } // Run initiates the synchronization of the informers and the initial @@ -1141,7 +1228,7 @@ func (s *k8sStore) Run(stopCh chan struct{}) { var runtimeScheme = k8sruntime.NewScheme() func init() { - utilruntime.Must(networkingv1.AddToScheme(runtimeScheme)) + runtime.Must(networkingv1.AddToScheme(runtimeScheme)) } func toIngress(obj interface{}) (*networkingv1.Ingress, bool) { diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go index 9b8947f9c..317c0f36c 100644 --- a/internal/ingress/controller/store/store_test.go +++ b/internal/ingress/controller/store/store_test.go @@ -44,29 +44,27 @@ import ( var pathPrefix networking.PathType = networking.PathTypePrefix -var DefaultClassConfig = &ingressclass.IngressClassConfiguration{ +var DefaultClassConfig = &ingressclass.Configuration{ Controller: ingressclass.DefaultControllerName, AnnotationValue: ingressclass.DefaultAnnotationValue, WatchWithoutClass: false, } -var ( - commonIngressSpec = networking.IngressSpec{ - Rules: []networking.IngressRule{ - { - Host: "dummy", - IngressRuleValue: networking.IngressRuleValue{ - HTTP: &networking.HTTPIngressRuleValue{ - Paths: []networking.HTTPIngressPath{ - { - Path: "/", - PathType: &pathPrefix, - Backend: networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "http-svc", - Port: networking.ServiceBackendPort{ - Number: 80, - }, +var commonIngressSpec = networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "dummy", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/", + PathType: &pathPrefix, + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "http-svc", + Port: networking.ServiceBackendPort{ + Number: 80, }, }, }, @@ -75,12 +73,15 @@ var ( }, }, }, - } -) + }, +} +const updateDummyHost = "update-dummy" + +//nolint:gocyclo // Ignore function complexity error func TestStore(t *testing.T) { - //TODO: move env definition to docker image? - os.Setenv("KUBEBUILDER_ASSETS", "/usr/local/bin") + // TODO: move env definition to docker image? + t.Setenv("KUBEBUILDER_ASSETS", "/usr/local/bin") pathPrefix = networking.PathTypePrefix @@ -90,9 +91,12 @@ func TestStore(t *testing.T) { t.Fatalf("error: %v", err) } - emptySelector, _ := labels.Parse("") + emptySelector, err := labels.Parse("") + if err != nil { + t.Fatalf("unexpected error: %v", err) + } - defer te.Stop() + defer te.Stop() //nolint:errcheck // Ignore the error clientSet, err := kubernetes.NewForConfig(cfg) if err != nil { @@ -125,7 +129,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -175,7 +180,11 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } + if e.Obj == nil { continue } @@ -206,7 +215,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) ic := createIngressClass(clientSet, t, "not-k8s.io/not-ingress-nginx") @@ -228,7 +238,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) ni := ing.DeepCopy() - ni.Spec.Rules[0].Host = "update-dummy" + ni.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(ni, clientSet, t) if err != nil { t.Errorf("error creating ingress: %v", err) @@ -279,7 +289,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -310,7 +323,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) validSpec := commonIngressSpec @@ -340,7 +354,7 @@ func TestStore(t *testing.T) { defer deleteIngress(invalidIngress, clientSet, t) ni := ing.DeepCopy() - ni.Spec.Rules[0].Host = "update-dummy" + ni.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(ni, clientSet, t) if err != nil { t.Errorf("error creating ingress: %v", err) @@ -389,7 +403,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -408,7 +425,7 @@ func TestStore(t *testing.T) { } }(updateCh) - ingressClassconfig := &ingressclass.IngressClassConfiguration{ + ingressClassconfig := &ingressclass.Configuration{ Controller: ingressclass.DefaultControllerName, AnnotationValue: ingressclass.DefaultAnnotationValue, WatchWithoutClass: true, @@ -426,7 +443,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - ingressClassconfig) + ingressClassconfig, + false) storer.Run(stopCh) @@ -459,7 +477,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) validIngressUpdated := validIngress1.DeepCopy() - validIngressUpdated.Spec.Rules[0].Host = "update-dummy" + validIngressUpdated.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(validIngressUpdated, clientSet, t) if err != nil { t.Errorf("error updating ingress: %v", err) @@ -519,7 +537,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -538,7 +559,7 @@ func TestStore(t *testing.T) { } }(updateCh) - ingressClassconfig := &ingressclass.IngressClassConfiguration{ + ingressClassconfig := &ingressclass.Configuration{ Controller: ingressclass.DefaultControllerName, AnnotationValue: ic, IngressClassByName: true, @@ -556,7 +577,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - ingressClassconfig) + ingressClassconfig, + false) storer.Run(stopCh) validSpec := commonIngressSpec @@ -576,7 +598,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) ingressUpdated := ing.DeepCopy() - ingressUpdated.Spec.Rules[0].Host = "update-dummy" + ingressUpdated.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(ingressUpdated, clientSet, t) if err != nil { t.Errorf("error updating ingress: %v", err) @@ -625,7 +647,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -656,7 +681,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -678,7 +704,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) invalidIngressUpdated := invalidIngress.DeepCopy() - invalidIngressUpdated.Spec.Rules[0].Host = "update-dummy" + invalidIngressUpdated.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(invalidIngressUpdated, clientSet, t) if err != nil { t.Errorf("error creating ingress: %v", err) @@ -719,7 +745,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -750,7 +779,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) invalidSpec := commonIngressSpec @@ -771,7 +801,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) invalidIngressUpdated := invalidIngress.DeepCopy() - invalidIngressUpdated.Spec.Rules[0].Host = "update-dummy" + invalidIngressUpdated.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(invalidIngressUpdated, clientSet, t) if err != nil { t.Errorf("error creating ingress: %v", err) @@ -809,7 +839,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -836,7 +869,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -900,7 +934,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -932,7 +969,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -999,7 +1037,6 @@ func TestStore(t *testing.T) { if atomic.LoadUint64(&del) != 1 { t.Errorf("expected 1 events of type Delete but %v occurred", del) } - }) t.Run("should create an ingress with a secret which does not exist", func(t *testing.T) { @@ -1023,7 +1060,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -1056,7 +1096,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -1149,7 +1190,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -1164,7 +1208,10 @@ func TestStore(t *testing.T) { } }(updateCh) - namesapceSelector, _ := labels.Parse("foo=bar") + namesapceSelector, err := labels.Parse("foo=bar") + if err != nil { + t.Errorf("unexpected error: %v", err) + } storer := New( ns, namesapceSelector, @@ -1177,7 +1224,8 @@ func TestStore(t *testing.T) { updateCh, false, true, - DefaultClassConfig) + DefaultClassConfig, + false) storer.Run(stopCh) @@ -1225,7 +1273,6 @@ func TestStore(t *testing.T) { if atomic.LoadUint64(&del) != 0 { t.Errorf("expected 0 events of type Delete but %v occurred", del) } - }) // test add ingress with secret it doesn't exists and then add secret // check secret is generated on fs @@ -1263,16 +1310,16 @@ func deleteNamespace(ns string, clientSet kubernetes.Interface, t *testing.T) { func createIngressClass(clientSet kubernetes.Interface, t *testing.T, controller string) string { t.Helper() - ingressclass := &networking.IngressClass{ + class := &networking.IngressClass{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("ingress-nginx-%v", time.Now().Unix()), - //Namespace: "xpto" // TODO: We don't support namespaced ingress-class yet + // Namespace: "xpto" // TODO: We don't support namespaced ingress-class yet }, Spec: networking.IngressClassSpec{ Controller: controller, }, } - ic, err := clientSet.NetworkingV1().IngressClasses().Create(context.TODO(), ingressclass, metav1.CreateOptions{}) + ic, err := clientSet.NetworkingV1().IngressClasses().Create(context.TODO(), class, metav1.CreateOptions{}) if err != nil { t.Errorf("error creating ingress class: %v", err) } @@ -1288,7 +1335,7 @@ func deleteIngressClass(ic string, clientSet kubernetes.Interface, t *testing.T) } } -func createConfigMap(clientSet kubernetes.Interface, ns string, t *testing.T) string { +func createConfigMap(clientSet kubernetes.Interface, ns string, t *testing.T) { t.Helper() configMap := &v1.ConfigMap{ @@ -1297,51 +1344,47 @@ func createConfigMap(clientSet kubernetes.Interface, ns string, t *testing.T) st }, } - cm, err := clientSet.CoreV1().ConfigMaps(ns).Create(context.TODO(), configMap, metav1.CreateOptions{}) + _, err := clientSet.CoreV1().ConfigMaps(ns).Create(context.TODO(), configMap, metav1.CreateOptions{}) if err != nil { t.Errorf("error creating the configuration map: %v", err) } - - return cm.Name } -func ensureIngress(ingress *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) *networking.Ingress { +func ensureIngress(ing *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) *networking.Ingress { t.Helper() - ing, err := clientSet.NetworkingV1().Ingresses(ingress.Namespace).Update(context.TODO(), ingress, metav1.UpdateOptions{}) - + newIngress, err := clientSet.NetworkingV1().Ingresses(ing.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{}) if err != nil { if k8sErrors.IsNotFound(err) { - t.Logf("Ingress %v not found, creating", ingress) + t.Logf("Ingress %v not found, creating", ing) - ing, err = clientSet.NetworkingV1().Ingresses(ingress.Namespace).Create(context.TODO(), ingress, metav1.CreateOptions{}) + newIngress, err = clientSet.NetworkingV1().Ingresses(ing.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) if err != nil { - t.Fatalf("error creating ingress %+v: %v", ingress, err) + t.Fatalf("error creating ingress %+v: %v", ing, err) } - t.Logf("Ingress %+v created", ingress) - return ing + t.Logf("Ingress %+v created", ing) + return newIngress } - t.Fatalf("error updating ingress %+v: %v", ingress, err) + t.Fatalf("error updating ingress %+v: %v", ing, err) } - return ing + return newIngress } -func deleteIngress(ingress *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) { +func deleteIngress(ing *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) { t.Helper() - err := clientSet.NetworkingV1().Ingresses(ingress.Namespace).Delete(context.TODO(), ingress.Name, metav1.DeleteOptions{}) - + err := clientSet.NetworkingV1().Ingresses(ing.Namespace).Delete(context.TODO(), ing.Name, metav1.DeleteOptions{}) if err != nil { - t.Errorf("failed to delete ingress %+v: %v", ingress, err) + t.Errorf("failed to delete ingress %+v: %v", ing, err) } - t.Logf("Ingress %+v deleted", ingress) + t.Logf("Ingress %+v deleted", ing) } // newStore creates a new mock object store for tests which do not require the // use of Informers. -func newStore(t *testing.T) *k8sStore { +func newStore() *k8sStore { return &k8sStore{ listers: &Lister{ // add more listers if needed @@ -1358,7 +1401,7 @@ func newStore(t *testing.T) *k8sStore { } func TestUpdateSecretIngressMap(t *testing.T) { - s := newStore(t) + s := newStore() ingTpl := &networking.Ingress{ ObjectMeta: metav1.ObjectMeta{ @@ -1366,14 +1409,18 @@ func TestUpdateSecretIngressMap(t *testing.T) { Namespace: "testns", }, } - s.listers.Ingress.Add(ingTpl) + if err := s.listers.Ingress.Add(ingTpl); err != nil { + t.Errorf("error adding the Ingress template: %v", err) + } t.Run("with TLS secret", func(t *testing.T) { ing := ingTpl.DeepCopy() ing.Spec = networking.IngressSpec{ TLS: []networking.IngressTLS{{SecretName: "tls"}}, } - s.listers.Ingress.Update(ing) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } s.updateSecretIngressMap(ing) if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("testns/tls")) { @@ -1386,7 +1433,9 @@ func TestUpdateSecretIngressMap(t *testing.T) { ing.ObjectMeta.SetAnnotations(map[string]string{ parser.GetAnnotationWithPrefix("auth-secret"): "auth", }) - s.listers.Ingress.Update(ing) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } s.updateSecretIngressMap(ing) if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("testns/auth")) { @@ -1397,22 +1446,41 @@ func TestUpdateSecretIngressMap(t *testing.T) { t.Run("with annotation in namespace/name format", func(t *testing.T) { ing := ingTpl.DeepCopy() ing.ObjectMeta.SetAnnotations(map[string]string{ - parser.GetAnnotationWithPrefix("auth-secret"): "otherns/auth", + parser.GetAnnotationWithPrefix("auth-secret"): "testns/auth", }) - s.listers.Ingress.Update(ing) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } s.updateSecretIngressMap(ing) - if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("otherns/auth")) { + if l := s.secretIngressMap.Len(); !(l == 1 && s.secretIngressMap.Has("testns/auth")) { t.Errorf("Expected \"otherns/auth\" to be the only referenced Secret (got %d)", l) } }) + t.Run("with annotation in namespace/name format should not be supported", func(t *testing.T) { + ing := ingTpl.DeepCopy() + ing.ObjectMeta.SetAnnotations(map[string]string{ + parser.GetAnnotationWithPrefix("auth-secret"): "anotherns/auth", + }) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } + s.updateSecretIngressMap(ing) + + if l := s.secretIngressMap.Len(); l != 0 { + t.Errorf("Expected \"otherns/auth\" to be denied as it contains a different namespace (got %d)", l) + } + }) + t.Run("with annotation in invalid format", func(t *testing.T) { ing := ingTpl.DeepCopy() ing.ObjectMeta.SetAnnotations(map[string]string{ parser.GetAnnotationWithPrefix("auth-secret"): "ns/name/garbage", }) - s.listers.Ingress.Update(ing) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } s.updateSecretIngressMap(ing) if l := s.secretIngressMap.Len(); l != 0 { @@ -1422,7 +1490,7 @@ func TestUpdateSecretIngressMap(t *testing.T) { } func TestListIngresses(t *testing.T) { - s := newStore(t) + s := newStore() invalidIngressClass := "something" validIngressClass := ingressclass.DefaultControllerName @@ -1446,7 +1514,9 @@ func TestListIngresses(t *testing.T) { }, }, } - s.listers.IngressWithAnnotation.Add(ingressToIgnore) + if err := s.listers.IngressWithAnnotation.Add(ingressToIgnore); err != nil { + t.Errorf("error adding the Ingress: %v", err) + } ingressWithoutPath := &ingress.Ingress{ Ingress: networking.Ingress{ @@ -1481,8 +1551,9 @@ func TestListIngresses(t *testing.T) { }, }, } - s.listers.IngressWithAnnotation.Add(ingressWithoutPath) - + if err := s.listers.IngressWithAnnotation.Add(ingressWithoutPath); err != nil { + t.Errorf("error adding the Ingress: %v", err) + } ingressWithNginxClassAnnotation := &ingress.Ingress{ Ingress: networking.Ingress{ ObjectMeta: metav1.ObjectMeta{ @@ -1520,8 +1591,9 @@ func TestListIngresses(t *testing.T) { }, }, } - s.listers.IngressWithAnnotation.Add(ingressWithNginxClassAnnotation) - + if err := s.listers.IngressWithAnnotation.Add(ingressWithNginxClassAnnotation); err != nil { + t.Errorf("error adding the Ingress: %v", err) + } ingresses := s.ListIngresses() if s := len(ingresses); s != 3 { @@ -1548,7 +1620,7 @@ func TestWriteSSLSessionTicketKey(t *testing.T) { } for _, test := range tests { - s := newStore(t) + s := newStore() cmap := &v1.ConfigMap{ Data: map[string]string{ diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go index 35a0e4536..9dc019bcc 100644 --- a/internal/ingress/controller/template/configmap.go +++ b/internal/ingress/controller/template/configmap.go @@ -26,7 +26,7 @@ import ( "k8s.io/klog/v2" - "github.com/mitchellh/hashstructure" + "github.com/mitchellh/hashstructure/v2" "github.com/mitchellh/mapstructure" "k8s.io/apimachinery/pkg/util/sets" @@ -41,6 +41,7 @@ const ( customHTTPErrors = "custom-http-errors" skipAccessLogUrls = "skip-access-log-urls" whitelistSourceRange = "whitelist-source-range" + denylistSourceRange = "denylist-source-range" proxyRealIPCIDR = "proxy-real-ip-cidr" bindAddress = "bind-address" httpRedirectCode = "http-redirect-code" @@ -90,6 +91,8 @@ const ( ) // ReadConfig obtains the configuration defined by the user merged with the defaults. +// +//nolint:gocyclo // Ignore function complexity error func ReadConfig(src map[string]string) config.Configuration { conf := map[string]string{} // we need to copy the configmap data because the content is altered @@ -100,6 +103,7 @@ func ReadConfig(src map[string]string) config.Configuration { to := config.NewDefault() errors := make([]int, 0) skipUrls := make([]string, 0) + denyList := make([]string, 0) whiteList := make([]string, 0) proxyList := make([]string, 0) hideHeadersList := make([]string, 0) @@ -114,12 +118,12 @@ func ReadConfig(src map[string]string) config.Configuration { luaSharedDicts := make(map[string]int) debugConnectionsList := make([]string, 0) - //parse lua shared dict values + // parse lua shared dict values if val, ok := conf[luaSharedDictsKey]; ok { delete(conf, luaSharedDictsKey) lsd := splitAndTrimSpace(val, ",") for _, v := range lsd { - v = strings.Replace(v, " ", "", -1) + v = strings.ReplaceAll(v, " ", "") results := strings.SplitN(v, ":", 2) dictName := results[0] size := dictStrToKb(results[1]) @@ -169,6 +173,11 @@ func ReadConfig(src map[string]string) config.Configuration { skipUrls = splitAndTrimSpace(val, ",") } + if val, ok := conf[denylistSourceRange]; ok { + delete(conf, denylistSourceRange) + denyList = append(denyList, splitAndTrimSpace(val, ",")...) + } + if val, ok := conf[whitelistSourceRange]; ok { delete(conf, whitelistSourceRange) whiteList = append(whiteList, splitAndTrimSpace(val, ",")...) @@ -189,7 +198,7 @@ func ReadConfig(src map[string]string) config.Configuration { if ing_net.IsIPV6(ns) { bindAddressIpv6List = append(bindAddressIpv6List, fmt.Sprintf("[%v]", ns)) } else { - bindAddressIpv4List = append(bindAddressIpv4List, fmt.Sprintf("%v", ns)) + bindAddressIpv4List = append(bindAddressIpv4List, ns.String()) } } else { klog.Warningf("%v is not a valid textual representation of an IP address", i) @@ -243,7 +252,7 @@ func ReadConfig(src map[string]string) config.Configuration { if val, ok := conf[globalAuthMethod]; ok { delete(conf, globalAuthMethod) - if len(val) != 0 && !authreq.ValidMethod(val) { + if val != "" && !authreq.ValidMethod(val) { klog.Warningf("Global auth location denied - %v.", "invalid HTTP method") } else { to.GlobalExternalAuth.Method = val @@ -254,7 +263,10 @@ func ReadConfig(src map[string]string) config.Configuration { if val, ok := conf[globalAuthSignin]; ok { delete(conf, globalAuthSignin) - signinURL, _ := parser.StringToURL(val) + signinURL, err := parser.StringToURL(val) + if err != nil { + klog.Errorf("string to URL conversion failed: %v", err) + } if signinURL == nil { klog.Warningf("Global auth location denied - %v.", "global-auth-signin setting is undefined and will not be set") } else { @@ -267,7 +279,10 @@ func ReadConfig(src map[string]string) config.Configuration { delete(conf, globalAuthSigninRedirectParam) redirectParam := strings.TrimSpace(val) - dummySigninURL, _ := parser.StringToURL(fmt.Sprintf("%s?%s=dummy", to.GlobalExternalAuth.SigninURL, redirectParam)) + dummySigninURL, err := parser.StringToURL(fmt.Sprintf("%s?%s=dummy", to.GlobalExternalAuth.SigninURL, redirectParam)) + if err != nil { + klog.Errorf("string to URL conversion failed: %v", err) + } if dummySigninURL == nil { klog.Warningf("Global auth redirect parameter denied - %v.", "global-auth-signin-redirect-param setting is invalid and will not be set") } else { @@ -279,7 +294,7 @@ func ReadConfig(src map[string]string) config.Configuration { if val, ok := conf[globalAuthResponseHeaders]; ok { delete(conf, globalAuthResponseHeaders) - if len(val) != 0 { + if val != "" { harr := splitAndTrimSpace(val, ",") for _, header := range harr { if !authreq.ValidHeader(header) { @@ -378,8 +393,8 @@ func ReadConfig(src map[string]string) config.Configuration { if val, ok := conf[debugConnections]; ok { delete(conf, debugConnections) for _, i := range splitAndTrimSpace(val, ",") { - validIp := net.ParseIP(i) - if validIp != nil { + validIP := net.ParseIP(i) + if validIP != nil { debugConnectionsList = append(debugConnectionsList, i) } else { _, _, err := net.ParseCIDR(i) @@ -395,6 +410,7 @@ func ReadConfig(src map[string]string) config.Configuration { to.CustomHTTPErrors = filterErrors(errors) to.SkipAccessLogURLs = skipUrls + to.DenylistSourceRange = denyList to.WhitelistSourceRange = whiteList to.ProxyRealIPCIDR = proxyList to.BindAddressIpv4 = bindAddressIpv4List @@ -407,14 +423,14 @@ func ReadConfig(src map[string]string) config.Configuration { to.DisableIpv6DNS = !ing_net.IsIPv6Enabled() to.LuaSharedDicts = luaSharedDicts - config := &mapstructure.DecoderConfig{ + decoderConfig := &mapstructure.DecoderConfig{ Metadata: nil, WeaklyTypedInput: true, Result: &to, TagName: "json", } - decoder, err := mapstructure.NewDecoder(config) + decoder, err := mapstructure.NewDecoder(decoderConfig) if err != nil { klog.Warningf("unexpected error merging defaults: %v", err) } @@ -423,7 +439,7 @@ func ReadConfig(src map[string]string) config.Configuration { klog.Warningf("unexpected error merging defaults: %v", err) } - hash, err := hashstructure.Hash(to, &hashstructure.HashOptions{ + hash, err := hashstructure.Hash(to, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) if err != nil { @@ -448,6 +464,7 @@ func filterErrors(codes []int) []int { return fa } +//nolint:unparam // Ignore `sep` always receives `,` error func splitAndTrimSpace(s, sep string) []string { f := func(c rune) bool { return strings.EqualFold(string(c), sep) @@ -466,8 +483,11 @@ func dictStrToKb(sizeStr string) int { if sizeMatch == nil { return -1 } - size, _ := strconv.Atoi(sizeMatch[1]) // validated already with regex - if sizeMatch[2] == "" || strings.ToLower(sizeMatch[2]) == "m" { + size, err := strconv.Atoi(sizeMatch[1]) // validated already with regex + if err != nil { + klog.Errorf("unexpected error converting size string %s to int: %v", sizeStr, err) + } + if sizeMatch[2] == "" || strings.EqualFold(sizeMatch[2], "m") { size *= 1024 } return size diff --git a/internal/ingress/controller/template/configmap_test.go b/internal/ingress/controller/template/configmap_test.go index be3ffb0ce..dad841694 100644 --- a/internal/ingress/controller/template/configmap_test.go +++ b/internal/ingress/controller/template/configmap_test.go @@ -23,7 +23,7 @@ import ( "time" "github.com/kylelemons/godebug/pretty" - "github.com/mitchellh/hashstructure" + "github.com/mitchellh/hashstructure/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/authreq" "k8s.io/ingress-nginx/internal/ingress/controller/config" @@ -64,6 +64,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { "access-log-path": "/var/log/test/access.log", "error-log-path": "/var/log/test/error.log", "use-gzip": "false", + "gzip-disable": "msie6", "gzip-level": "9", "gzip-min-length": "1024", "gzip-types": "text/html", @@ -87,6 +88,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def.ProxyReadTimeout = 1 def.ProxySendTimeout = 2 def.UseProxyProtocol = true + def.GzipDisable = "msie6" def.GzipLevel = 9 def.GzipMinLength = 1024 def.GzipTypes = "text/html" @@ -102,7 +104,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def.DefaultType = "text/plain" def.DebugConnections = []string{"127.0.0.1", "1.1.1.1/24", "::1"} - hash, err := hashstructure.Hash(def, &hashstructure.HashOptions{ + hash, err := hashstructure.Hash(def, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) if err != nil { @@ -132,7 +134,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def.LuaSharedDicts = defaultLuaSharedDicts def.DisableIpv6DNS = true - hash, err = hashstructure.Hash(def, &hashstructure.HashOptions{ + hash, err = hashstructure.Hash(def, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) if err != nil { @@ -149,10 +151,11 @@ func TestMergeConfigMapToStruct(t *testing.T) { def = config.NewDefault() def.LuaSharedDicts = defaultLuaSharedDicts + def.DenylistSourceRange = []string{"2.2.2.2/32"} def.WhitelistSourceRange = []string{"1.1.1.1/32"} def.DisableIpv6DNS = true - hash, err = hashstructure.Hash(def, &hashstructure.HashOptions{ + hash, err = hashstructure.Hash(def, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) if err != nil { @@ -161,6 +164,7 @@ func TestMergeConfigMapToStruct(t *testing.T) { def.Checksum = fmt.Sprintf("%v", hash) to = ReadConfig(map[string]string{ + "denylist-source-range": "2.2.2.2/32", "whitelist-source-range": "1.1.1.1/32", "disable-ipv6-dns": "true", }) diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 315262150..f08eee498 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -18,13 +18,14 @@ package template import ( "bytes" + "crypto/rand" "crypto/sha1" // #nosec "encoding/base64" "encoding/hex" "encoding/json" "fmt" "io" - "math/rand" // #nosec + "math/big" "net" "net/url" "os" @@ -34,13 +35,11 @@ import ( "strconv" "strings" text_template "text/template" - "time" networkingv1 "k8s.io/api/networking/v1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/klog/v2" - "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit" "k8s.io/ingress-nginx/internal/ingress/controller/config" @@ -53,6 +52,12 @@ const ( nonIdempotent = "non_idempotent" defBufferSize = 65535 writeIndentOnEmptyLines = true // backward-compatibility + httpProtocol = "HTTP" + autoHTTPProtocol = "AUTO_HTTP" + httpsProtocol = "HTTPS" + grpcProtocol = "GRPC" + grpcsProtocol = "GRPCS" + fcgiProtocol = "FCGI" ) const ( @@ -65,13 +70,13 @@ type Writer interface { // Write renders the template. // NOTE: Implementors must ensure that the content of the returned slice is not modified by the implementation // after the return of this function. - Write(conf config.TemplateConfig) ([]byte, error) + Write(conf *config.TemplateConfig) ([]byte, error) } -// Template ... +// Template ingress template type Template struct { tmpl *text_template.Template - //fw watch.FileWatcher + bp *BufferPool } @@ -98,7 +103,7 @@ func NewTemplate(file string) (*Template, error) { // 2. Collapses multiple empty lines to single one // 3. Re-indent // (ATW: always returns nil) -func cleanConf(in *bytes.Buffer, out *bytes.Buffer) error { +func cleanConf(in, out *bytes.Buffer) error { depth := 0 lineStarted := false emptyLineWritten := false @@ -177,7 +182,7 @@ func cleanConf(in *bytes.Buffer, out *bytes.Buffer) error { // Write populates a buffer using a template with NGINX configuration // and the servers and upstreams created by Ingress rules -func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) { +func (t *Template) Write(conf *config.TemplateConfig) ([]byte, error) { tmplBuf := t.bp.Get() defer t.bp.Put(tmplBuf) @@ -185,14 +190,14 @@ func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) { defer t.bp.Put(outCmdBuf) if klog.V(3).Enabled() { - b, err := json.Marshal(conf) + b, err := json.Marshal(*conf) if err != nil { klog.Errorf("unexpected error: %v", err) } klog.InfoS("NGINX", "configuration", string(b)) } - err := t.tmpl.Execute(tmplBuf, conf) + err := t.tmpl.Execute(tmplBuf, *conf) if err != nil { return nil, err } @@ -212,77 +217,73 @@ func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) { return res, nil } -var ( - funcMap = text_template.FuncMap{ - "empty": func(input interface{}) bool { - check, ok := input.(string) - if ok { - return len(check) == 0 - } - return true - }, - "escapeLiteralDollar": escapeLiteralDollar, - "buildLuaSharedDictionaries": buildLuaSharedDictionaries, - "luaConfigurationRequestBodySize": luaConfigurationRequestBodySize, - "buildLocation": buildLocation, - "buildAuthLocation": buildAuthLocation, - "shouldApplyGlobalAuth": shouldApplyGlobalAuth, - "buildAuthResponseHeaders": buildAuthResponseHeaders, - "buildAuthUpstreamLuaHeaders": buildAuthUpstreamLuaHeaders, - "buildAuthProxySetHeaders": buildAuthProxySetHeaders, - "buildAuthUpstreamName": buildAuthUpstreamName, - "shouldApplyAuthUpstream": shouldApplyAuthUpstream, - "extractHostPort": extractHostPort, - "changeHostPort": changeHostPort, - "buildProxyPass": buildProxyPass, - "filterRateLimits": filterRateLimits, - "buildRateLimitZones": buildRateLimitZones, - "buildRateLimit": buildRateLimit, - "configForLua": configForLua, - "locationConfigForLua": locationConfigForLua, - "buildResolvers": buildResolvers, - "buildUpstreamName": buildUpstreamName, - "isLocationInLocationList": isLocationInLocationList, - "isLocationAllowed": isLocationAllowed, - "buildDenyVariable": buildDenyVariable, - "getenv": os.Getenv, - "contains": strings.Contains, - "split": strings.Split, - "hasPrefix": strings.HasPrefix, - "hasSuffix": strings.HasSuffix, - "trimSpace": strings.TrimSpace, - "toUpper": strings.ToUpper, - "toLower": strings.ToLower, - "formatIP": formatIP, - "quote": quote, - "buildNextUpstream": buildNextUpstream, - "getIngressInformation": getIngressInformation, - "serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} { - return struct{ First, Second interface{} }{all, server} - }, - "isValidByteSize": isValidByteSize, - "buildForwardedFor": buildForwardedFor, - "buildAuthSignURL": buildAuthSignURL, - "buildAuthSignURLLocation": buildAuthSignURLLocation, - "buildOpentracing": buildOpentracing, - "proxySetHeader": proxySetHeader, - "buildInfluxDB": buildInfluxDB, - "enforceRegexModifier": enforceRegexModifier, - "buildCustomErrorDeps": buildCustomErrorDeps, - "buildCustomErrorLocationsPerServer": buildCustomErrorLocationsPerServer, - "shouldLoadModSecurityModule": shouldLoadModSecurityModule, - "buildHTTPListener": buildHTTPListener, - "buildHTTPSListener": buildHTTPSListener, - "buildOpentracingForLocation": buildOpentracingForLocation, - "shouldLoadOpentracingModule": shouldLoadOpentracingModule, - "buildModSecurityForLocation": buildModSecurityForLocation, - "buildMirrorLocations": buildMirrorLocations, - "shouldLoadAuthDigestModule": shouldLoadAuthDigestModule, - "shouldLoadInfluxDBModule": shouldLoadInfluxDBModule, - "buildServerName": buildServerName, - "buildCorsOriginRegex": buildCorsOriginRegex, - } -) +var funcMap = text_template.FuncMap{ + "empty": func(input interface{}) bool { + check, ok := input.(string) + if ok { + return check == "" + } + return true + }, + "escapeLiteralDollar": escapeLiteralDollar, + "buildLuaSharedDictionaries": buildLuaSharedDictionaries, + "luaConfigurationRequestBodySize": luaConfigurationRequestBodySize, + "buildLocation": buildLocation, + "buildAuthLocation": buildAuthLocation, + "shouldApplyGlobalAuth": shouldApplyGlobalAuth, + "buildAuthResponseHeaders": buildAuthResponseHeaders, + "buildAuthUpstreamLuaHeaders": buildAuthUpstreamLuaHeaders, + "buildAuthProxySetHeaders": buildAuthProxySetHeaders, + "buildAuthUpstreamName": buildAuthUpstreamName, + "shouldApplyAuthUpstream": shouldApplyAuthUpstream, + "extractHostPort": extractHostPort, + "changeHostPort": changeHostPort, + "buildProxyPass": buildProxyPass, + "filterRateLimits": filterRateLimits, + "buildRateLimitZones": buildRateLimitZones, + "buildRateLimit": buildRateLimit, + "configForLua": configForLua, + "locationConfigForLua": locationConfigForLua, + "buildResolvers": buildResolvers, + "buildUpstreamName": buildUpstreamName, + "isLocationInLocationList": isLocationInLocationList, + "isLocationAllowed": isLocationAllowed, + "buildDenyVariable": buildDenyVariable, + "getenv": os.Getenv, + "contains": strings.Contains, + "split": strings.Split, + "hasPrefix": strings.HasPrefix, + "hasSuffix": strings.HasSuffix, + "trimSpace": strings.TrimSpace, + "toUpper": strings.ToUpper, + "toLower": strings.ToLower, + "formatIP": formatIP, + "quote": quote, + "buildNextUpstream": buildNextUpstream, + "getIngressInformation": getIngressInformation, + "serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} { + return struct{ First, Second interface{} }{all, server} + }, + "isValidByteSize": isValidByteSize, + "buildForwardedFor": buildForwardedFor, + "buildAuthSignURL": buildAuthSignURL, + "buildAuthSignURLLocation": buildAuthSignURLLocation, + "buildOpentelemetry": buildOpentelemetry, + "proxySetHeader": proxySetHeader, + "enforceRegexModifier": enforceRegexModifier, + "buildCustomErrorDeps": buildCustomErrorDeps, + "buildCustomErrorLocationsPerServer": buildCustomErrorLocationsPerServer, + "shouldLoadModSecurityModule": shouldLoadModSecurityModule, + "buildHTTPListener": buildHTTPListener, + "buildHTTPSListener": buildHTTPSListener, + "buildOpentelemetryForLocation": buildOpentelemetryForLocation, + "shouldLoadOpentelemetryModule": shouldLoadOpentelemetryModule, + "buildModSecurityForLocation": buildModSecurityForLocation, + "buildMirrorLocations": buildMirrorLocations, + "shouldLoadAuthDigestModule": shouldLoadAuthDigestModule, + "buildServerName": buildServerName, + "buildCorsOriginRegex": buildCorsOriginRegex, +} // escapeLiteralDollar will replace the $ character with ${literal_dollar} // which is made to work via the following configuration in the http section of @@ -296,7 +297,7 @@ func escapeLiteralDollar(input interface{}) string { if !ok { return "" } - return strings.Replace(inputStr, `$`, `${literal_dollar}`, -1) + return strings.ReplaceAll(inputStr, `$`, `${literal_dollar}`) } // formatIP will wrap IPv6 addresses in [] and return IPv4 addresses @@ -328,9 +329,7 @@ func quote(input interface{}) string { return fmt.Sprintf("%q", inputStr) } -func buildLuaSharedDictionaries(c interface{}, s interface{}) string { - var out []string - +func buildLuaSharedDictionaries(c, s interface{}) string { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -343,6 +342,7 @@ func buildLuaSharedDictionaries(c interface{}, s interface{}) string { return "" } + out := make([]string, 0, len(cfg.LuaSharedDicts)) for name, size := range cfg.LuaSharedDicts { sizeStr := dictKbToStr(size) out = append(out, fmt.Sprintf("lua_shared_dict %s %s", name, sizeStr)) @@ -364,7 +364,7 @@ func luaConfigurationRequestBodySize(c interface{}) string { if size < cfg.LuaSharedDicts["certificate_data"] { size = cfg.LuaSharedDicts["certificate_data"] } - size = size + 1024 + size += 1024 return dictKbToStr(size) } @@ -418,7 +418,7 @@ func configForLua(input interface{}) string { } // locationConfigForLua formats some location specific configuration into Lua table represented as string -func locationConfigForLua(l interface{}, a interface{}) string { +func locationConfigForLua(l, a interface{}) string { location, ok := l.(*ingress.Location) if !ok { klog.Errorf("expected an '*ingress.Location' type but %T was given", l) @@ -459,7 +459,7 @@ func locationConfigForLua(l interface{}, a interface{}) string { } // buildResolvers returns the resolvers reading the /etc/resolv.conf file -func buildResolvers(res interface{}, disableIpv6 interface{}) string { +func buildResolvers(res, disableIpv6 interface{}) string { // NGINX need IPV6 addresses to be surrounded by brackets nss, ok := res.([]net.IP) if !ok { @@ -484,7 +484,7 @@ func buildResolvers(res interface{}, disableIpv6 interface{}) string { } r = append(r, fmt.Sprintf("[%v]", ns)) } else { - r = append(r, fmt.Sprintf("%v", ns)) + r = append(r, ns.String()) } } r = append(r, "valid=30s") @@ -554,7 +554,7 @@ func buildAuthLocation(input interface{}, globalExternalAuthURL string) string { str := base64.URLEncoding.EncodeToString([]byte(location.Path)) // removes "=" after encoding - str = strings.Replace(str, "=", "", -1) + str = strings.ReplaceAll(str, "=", "") pathType := "default" if location.PathType != nil { @@ -644,7 +644,7 @@ func buildAuthUpstreamName(input interface{}, host string) string { // shouldApplyAuthUpstream returns true only in case when ExternalAuth.URL and // ExternalAuth.KeepaliveConnections are all set -func shouldApplyAuthUpstream(l interface{}, c interface{}) bool { +func shouldApplyAuthUpstream(l, c interface{}) bool { location, ok := l.(*ingress.Location) if !ok { klog.Errorf("expected an '*ingress.Location' type but %T was returned", l) @@ -672,14 +672,14 @@ func shouldApplyAuthUpstream(l interface{}, c interface{}) bool { } // extractHostPort will extract the host:port part from the URL specified by url -func extractHostPort(url string) string { - if url == "" { +func extractHostPort(newURL string) string { + if newURL == "" { return "" } - authURL, err := parser.StringToURL(url) + authURL, err := parser.StringToURL(newURL) if err != nil { - klog.Errorf("expected a valid URL but %s was returned", url) + klog.Errorf("expected a valid URL but %s was returned", newURL) return "" } @@ -687,14 +687,14 @@ func extractHostPort(url string) string { } // changeHostPort will change the host:port part of the url to value -func changeHostPort(url string, value string) string { - if url == "" { +func changeHostPort(newURL, value string) string { + if newURL == "" { return "" } - authURL, err := parser.StringToURL(url) + authURL, err := parser.StringToURL(newURL) if err != nil { - klog.Errorf("expected a valid URL but %s was returned", url) + klog.Errorf("expected a valid URL but %s was returned", newURL) return "" } @@ -707,7 +707,7 @@ func changeHostPort(url string, value string) string { // (specified through the nginx.ingress.kubernetes.io/rewrite-target annotation) // If the annotation nginx.ingress.kubernetes.io/add-base-url:"true" is specified it will // add a base tag in the head of the response from the service -func buildProxyPass(host string, b interface{}, loc interface{}) string { +func buildProxyPass(_ string, b, loc interface{}) string { backends, ok := b.([]*ingress.Backend) if !ok { klog.Errorf("expected an '[]*ingress.Backend' type but %T was returned", b) @@ -725,21 +725,18 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { proxyPass := "proxy_pass" - switch location.BackendProtocol { - case "AUTO_HTTP": + switch strings.ToUpper(location.BackendProtocol) { + case autoHTTPProtocol: proto = "$scheme://" - case "HTTPS": + case httpsProtocol: proto = "https://" - case "GRPC": + case grpcProtocol: proto = "grpc://" proxyPass = "grpc_pass" - case "GRPCS": + case grpcsProtocol: proto = "grpcs://" proxyPass = "grpc_pass" - case "AJP": - proto = "" - proxyPass = "ajp_pass" - case "FCGI": + case fcgiProtocol: proto = "" proxyPass = "fastcgi_pass" } @@ -751,7 +748,7 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { if backend.SSLPassthrough { proto = "https://" - if location.BackendProtocol == "GRPCS" { + if location.BackendProtocol == grpcsProtocol { proto = "grpcs://" } } @@ -778,7 +775,7 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { var xForwardedPrefix string if len(location.XForwardedPrefix) > 0 { - xForwardedPrefix = fmt.Sprintf("%s X-Forwarded-Prefix \"%s\";\n", proxySetHeader(location), location.XForwardedPrefix) + xForwardedPrefix = fmt.Sprintf("%s X-Forwarded-Prefix %q;\n", proxySetHeader(location), location.XForwardedPrefix) } return fmt.Sprintf(` @@ -792,7 +789,7 @@ rewrite "(?i)%s" %s break; func filterRateLimits(input interface{}) []ratelimit.Config { ratelimits := []ratelimit.Config{} - found := sets.String{} + found := sets.Set[string]{} servers, ok := input.([]*ingress.Server) if !ok { @@ -815,12 +812,12 @@ func filterRateLimits(input interface{}) []ratelimit.Config { // for connection limit by IP address, one for limiting requests per minute, and // one for limiting requests per second. func buildRateLimitZones(input interface{}) []string { - zones := sets.String{} + zones := sets.Set[string]{} servers, ok := input.([]*ingress.Server) if !ok { klog.Errorf("expected a '[]*ingress.Server' type but %T was returned", input) - return zones.List() + return zones.UnsortedList() } for _, server := range servers { @@ -859,7 +856,7 @@ func buildRateLimitZones(input interface{}) []string { } } - return zones.List() + return zones.UnsortedList() } // buildRateLimit produces an array of limit_req to be used inside the Path of @@ -938,9 +935,7 @@ func isLocationAllowed(input interface{}) bool { return loc.Denied == nil } -var ( - denyPathSlugMap = map[string]string{} -) +var denyPathSlugMap = map[string]string{} // buildDenyVariable returns a nginx variable for a location in a // server to be used in the whitelist check @@ -980,7 +975,11 @@ func buildNextUpstream(i, r interface{}) string { return "" } - retryNonIdempotent := r.(bool) + retryNonIdempotent, ok := r.(bool) + if !ok { + klog.Errorf("expected a 'bool' type but %T was returned", i) + return "" + } parts := strings.Split(nextUpstream, " ") @@ -1005,8 +1004,10 @@ func buildNextUpstream(i, r interface{}) string { // refer to http://nginx.org/en/docs/syntax.html // Nginx differentiates between size and offset // offset directives support gigabytes in addition -var nginxSizeRegex = regexp.MustCompile("^[0-9]+[kKmM]{0,1}$") -var nginxOffsetRegex = regexp.MustCompile("^[0-9]+[kKmMgG]{0,1}$") +var ( + nginxSizeRegex = regexp.MustCompile(`^\d+[kKmM]?$`) + nginxOffsetRegex = regexp.MustCompile(`^\d+[kKmMgG]?$`) +) // isValidByteSize validates size units valid in nginx // http://nginx.org/en/docs/syntax.html @@ -1156,13 +1157,17 @@ func buildForwardedFor(input interface{}) string { return "" } - ffh := strings.Replace(s, "-", "_", -1) + ffh := strings.ReplaceAll(s, "-", "_") ffh = strings.ToLower(ffh) return fmt.Sprintf("$http_%v", ffh) } func buildAuthSignURL(authSignURL, authRedirectParam string) string { - u, _ := url.Parse(authSignURL) + u, err := url.Parse(authSignURL) + if err != nil { + klog.Errorf("error parsing authSignURL: %v", err) + return "" + } q := u.Query() if authRedirectParam == "" { authRedirectParam = defaultGlobalAuthRedirectParam @@ -1187,20 +1192,21 @@ func buildAuthSignURLLocation(location, authSignURL string) string { var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") -func init() { - rand.Seed(time.Now().UnixNano()) -} - func randomString() string { b := make([]rune, 32) for i := range b { - b[i] = letters[rand.Intn(len(letters))] // #nosec + idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters)))) + if err != nil { + klog.Errorf("unexpected error generating random index: %v", err) + return "" + } + b[i] = letters[idx.Int64()] } return string(b) } -func buildOpentracing(c interface{}, s interface{}) string { +func buildOpentelemetry(c, s interface{}) string { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -1213,55 +1219,20 @@ func buildOpentracing(c interface{}, s interface{}) string { return "" } - if !shouldLoadOpentracingModule(cfg, servers) { + if !shouldLoadOpentelemetryModule(cfg, servers) { return "" } buf := bytes.NewBufferString("") - if cfg.DatadogCollectorHost != "" { - buf.WriteString("opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;") - } else if cfg.ZipkinCollectorHost != "" { - buf.WriteString("opentracing_load_tracer /usr/local/lib/libzipkin_opentracing_plugin.so /etc/nginx/opentracing.json;") - } else if cfg.JaegerCollectorHost != "" || cfg.JaegerEndpoint != "" { - buf.WriteString("opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/nginx/opentracing.json;") - } - buf.WriteString("\r\n") - if cfg.OpentracingOperationName != "" { - buf.WriteString(fmt.Sprintf("opentracing_operation_name \"%s\";\n", cfg.OpentracingOperationName)) + if cfg.OpentelemetryOperationName != "" { + fmt.Fprintf(buf, "opentelemetry_operation_name \"%s\";\n", cfg.OpentelemetryOperationName) } - if cfg.OpentracingLocationOperationName != "" { - buf.WriteString(fmt.Sprintf("opentracing_location_operation_name \"%s\";\n", cfg.OpentracingLocationOperationName)) - } - return buf.String() } -// buildInfluxDB produces the single line configuration -// needed by the InfluxDB module to send request's metrics -// for the current resource -func buildInfluxDB(input interface{}) string { - cfg, ok := input.(influxdb.Config) - if !ok { - klog.Errorf("expected an 'influxdb.Config' type but %T was returned", input) - return "" - } - - if !cfg.InfluxDBEnabled { - return "" - } - - return fmt.Sprintf( - "influxdb server_name=%s host=%s port=%s measurement=%s enabled=true;", - cfg.InfluxDBServerName, - cfg.InfluxDBHost, - cfg.InfluxDBPort, - cfg.InfluxDBMeasurement, - ) -} - func proxySetHeader(loc interface{}) string { location, ok := loc.(*ingress.Location) if !ok { @@ -1269,7 +1240,7 @@ func proxySetHeader(loc interface{}) string { return "proxy_set_header" } - if location.BackendProtocol == "GRPC" || location.BackendProtocol == "GRPCS" { + if location.BackendProtocol == grpcProtocol || location.BackendProtocol == grpcsProtocol { return "grpc_set_header" } @@ -1278,7 +1249,7 @@ func proxySetHeader(loc interface{}) string { // buildCustomErrorDeps is a utility function returning a struct wrapper with // the data required to build the 'CUSTOM_ERRORS' template -func buildCustomErrorDeps(upstreamName string, errorCodes []int, enableMetrics bool, modsecurityEnabled bool) interface{} { +func buildCustomErrorDeps(upstreamName string, errorCodes []int, enableMetrics, modsecurityEnabled bool) interface{} { return struct { UpstreamName string ErrorCodes []int @@ -1348,22 +1319,17 @@ func buildCustomErrorLocationsPerServer(input interface{}) []errorLocation { return errorLocations } -func opentracingPropagateContext(location *ingress.Location) string { +func opentelemetryPropagateContext(location *ingress.Location) string { if location == nil { return "" } - - if location.BackendProtocol == "GRPC" || location.BackendProtocol == "GRPCS" { - return "opentracing_grpc_propagate_context;" - } - - return "opentracing_propagate_context;" + return "opentelemetry_propagate;" } // shouldLoadModSecurityModule determines whether or not the ModSecurity module needs to be loaded. // First, it checks if `enable-modsecurity` is set in the ConfigMap. If it is not, it iterates over all locations to // check if ModSecurity is enabled by the annotation `nginx.ingress.kubernetes.io/enable-modsecurity`. -func shouldLoadModSecurityModule(c interface{}, s interface{}) bool { +func shouldLoadModSecurityModule(c, s interface{}) bool { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -1394,7 +1360,7 @@ func shouldLoadModSecurityModule(c interface{}, s interface{}) bool { return false } -func buildHTTPListener(t interface{}, s interface{}) string { +func buildHTTPListener(t, s interface{}) string { var out []string tc, ok := t.(config.TemplateConfig) @@ -1414,9 +1380,9 @@ func buildHTTPListener(t interface{}, s interface{}) string { addrV4 = tc.Cfg.BindAddressIpv4 } - co := commonListenOptions(tc, hostname) + co := commonListenOptions(&tc, hostname) - out = append(out, httpListener(addrV4, co, tc)...) + out = append(out, httpListener(addrV4, co, &tc)...) if !tc.IsIPV6Enabled { return strings.Join(out, "\n") @@ -1427,12 +1393,12 @@ func buildHTTPListener(t interface{}, s interface{}) string { addrV6 = tc.Cfg.BindAddressIpv6 } - out = append(out, httpListener(addrV6, co, tc)...) + out = append(out, httpListener(addrV6, co, &tc)...) return strings.Join(out, "\n") } -func buildHTTPSListener(t interface{}, s interface{}) string { +func buildHTTPSListener(t, s interface{}) string { var out []string tc, ok := t.(config.TemplateConfig) @@ -1447,14 +1413,14 @@ func buildHTTPSListener(t interface{}, s interface{}) string { return "" } - co := commonListenOptions(tc, hostname) + co := commonListenOptions(&tc, hostname) addrV4 := []string{""} if len(tc.Cfg.BindAddressIpv4) > 0 { addrV4 = tc.Cfg.BindAddressIpv4 } - out = append(out, httpsListener(addrV4, co, tc)...) + out = append(out, httpsListener(addrV4, co, &tc)...) if !tc.IsIPV6Enabled { return strings.Join(out, "\n") @@ -1465,12 +1431,12 @@ func buildHTTPSListener(t interface{}, s interface{}) string { addrV6 = tc.Cfg.BindAddressIpv6 } - out = append(out, httpsListener(addrV6, co, tc)...) + out = append(out, httpsListener(addrV6, co, &tc)...) return strings.Join(out, "\n") } -func commonListenOptions(template config.TemplateConfig, hostname string) string { +func commonListenOptions(template *config.TemplateConfig, hostname string) string { var out []string if template.Cfg.UseProxyProtocol { @@ -1494,7 +1460,7 @@ func commonListenOptions(template config.TemplateConfig, hostname string) string return strings.Join(out, " ") } -func httpListener(addresses []string, co string, tc config.TemplateConfig) []string { +func httpListener(addresses []string, co string, tc *config.TemplateConfig) []string { out := make([]string, 0) for _, address := range addresses { lo := []string{"listen"} @@ -1505,15 +1471,14 @@ func httpListener(addresses []string, co string, tc config.TemplateConfig) []str lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.HTTP)) } - lo = append(lo, co) - lo = append(lo, ";") + lo = append(lo, co, ";") out = append(out, strings.Join(lo, " ")) } return out } -func httpsListener(addresses []string, co string, tc config.TemplateConfig) []string { +func httpsListener(addresses []string, co string, tc *config.TemplateConfig) []string { out := make([]string, 0) for _, address := range addresses { lo := []string{"listen"} @@ -1536,49 +1501,47 @@ func httpsListener(addresses []string, co string, tc config.TemplateConfig) []st } } - lo = append(lo, co) - lo = append(lo, "ssl") + lo = append(lo, co, "ssl;") - if tc.Cfg.UseHTTP2 { - lo = append(lo, "http2") - } - - lo = append(lo, ";") out = append(out, strings.Join(lo, " ")) } return out } -func buildOpentracingForLocation(isOTEnabled bool, isOTTrustSet bool, location *ingress.Location) string { - isOTEnabledInLoc := location.Opentracing.Enabled - isOTSetInLoc := location.Opentracing.Set +func buildOpentelemetryForLocation(isOTEnabled, isOTTrustSet bool, location *ingress.Location) string { + isOTEnabledInLoc := location.Opentelemetry.Enabled + isOTSetInLoc := location.Opentelemetry.Set if isOTEnabled { if isOTSetInLoc && !isOTEnabledInLoc { - return "opentracing off;" + return "opentelemetry off;" } } else if !isOTSetInLoc || !isOTEnabledInLoc { return "" } - opc := opentracingPropagateContext(location) + opc := opentelemetryPropagateContext(location) if opc != "" { - opc = fmt.Sprintf("opentracing on;\n%v", opc) + opc = fmt.Sprintf("opentelemetry on;\n%v", opc) } - if (!isOTTrustSet && !location.Opentracing.TrustSet) || - (location.Opentracing.TrustSet && !location.Opentracing.TrustEnabled) { - opc = opc + "\nopentracing_trust_incoming_span off;" + if location.Opentelemetry.OperationName != "" { + opc += "\nopentelemetry_operation_name " + location.Opentelemetry.OperationName + ";" } + if (!isOTTrustSet && !location.Opentelemetry.TrustSet) || + (location.Opentelemetry.TrustSet && !location.Opentelemetry.TrustEnabled) { + opc += "\nopentelemetry_trust_incoming_spans off;" + } else { + opc += "\nopentelemetry_trust_incoming_spans on;" + } return opc } -// shouldLoadOpentracingModule determines whether or not the Opentracing module needs to be loaded. -// First, it checks if `enable-opentracing` is set in the ConfigMap. If it is not, it iterates over all locations to -// check if Opentracing is enabled by the annotation `nginx.ingress.kubernetes.io/enable-opentracing`. -func shouldLoadOpentracingModule(c interface{}, s interface{}) bool { +// shouldLoadOpentelemetryModule determines whether or not the Opentelemetry module needs to be loaded. +// It checks if `enable-opentelemetry` is set in the ConfigMap. +func shouldLoadOpentelemetryModule(c, s interface{}) bool { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -1591,21 +1554,21 @@ func shouldLoadOpentracingModule(c interface{}, s interface{}) bool { return false } - if cfg.EnableOpentracing { + if cfg.EnableOpentelemetry { return true } for _, server := range servers { for _, location := range server.Locations { - if location.Opentracing.Enabled { + if location.Opentelemetry.Enabled { return true } } } - return false } +//nolint:gocritic // Ignore passing cfg by pointer error func buildModSecurityForLocation(cfg config.Configuration, location *ingress.Location) string { isMSEnabledInLoc := location.ModSecurity.Enable isMSEnableSetInLoc := location.ModSecurity.EnableSet @@ -1654,10 +1617,10 @@ func buildModSecurityForLocation(cfg config.Configuration, location *ingress.Loc func buildMirrorLocations(locs []*ingress.Location) string { var buffer bytes.Buffer - mapped := sets.String{} + mapped := sets.Set[string]{} for _, loc := range locs { - if loc.Mirror.Source == "" || loc.Mirror.Target == "" { + if loc.Mirror.Source == "" || loc.Mirror.Target == "" || loc.Mirror.Host == "" { continue } @@ -1668,8 +1631,8 @@ func buildMirrorLocations(locs []*ingress.Location) string { mapped.Insert(loc.Mirror.Source) buffer.WriteString(fmt.Sprintf(`location = %v { internal; -proxy_set_header Host %v; -proxy_pass %v; +proxy_set_header Host "%v"; +proxy_pass "%v"; } `, loc.Mirror.Source, loc.Mirror.Host, loc.Mirror.Target)) @@ -1701,25 +1664,6 @@ func shouldLoadAuthDigestModule(s interface{}) bool { return false } -// shouldLoadInfluxDBModule determines whether or not the ngx_http_auth_digest_module module needs to be loaded. -func shouldLoadInfluxDBModule(s interface{}) bool { - servers, ok := s.([]*ingress.Server) - if !ok { - klog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s) - return false - } - - for _, server := range servers { - for _, location := range server.Locations { - if location.InfluxDB.InfluxDBEnabled { - return true - } - } - } - - return false -} - // buildServerName ensures wildcard hostnames are valid func buildServerName(hostname string) string { if !strings.HasPrefix(hostname, "*") { @@ -1732,7 +1676,7 @@ func buildServerName(hostname string) string { return `~^(?[\w-]+)\.` + strings.Join(parts, "\\.") + `$` } -// parseComplexNGINXVar parses things like "$my${complex}ngx\$var" into +// parseComplexNginxVarIntoLuaTable parses things like "$my${complex}ngx\$var" into // [["$var", "complex", "my", "ngx"]]. In other words, 2nd and 3rd elements // in the result are actual NGINX variable names, whereas first and 4th elements // are string literals. @@ -1758,7 +1702,7 @@ func convertGoSliceIntoLuaTable(goSliceInterface interface{}, emptyStringAsNil b switch kind { case reflect.String: - if emptyStringAsNil && len(goSlice.Interface().(string)) == 0 { + if emptyStringAsNil && goSlice.Interface().(string) == "" { return "nil", nil } return fmt.Sprintf(`"%v"`, goSlice.Interface()), nil @@ -1791,17 +1735,17 @@ func buildCorsOriginRegex(corsOrigins []string) string { return "set $http_origin *;\nset $cors 'true';" } - var originsRegex string = "if ($http_origin ~* (" + originsRegex := "if ($http_origin ~* (" for i, origin := range corsOrigins { originTrimmed := strings.TrimSpace(origin) if len(originTrimmed) > 0 { builtOrigin := buildOriginRegex(originTrimmed) originsRegex += builtOrigin if i != len(corsOrigins)-1 { - originsRegex = originsRegex + "|" + originsRegex += "|" } } } - originsRegex = originsRegex + ")$ ) { set $cors 'true'; }" + originsRegex += ")$ ) { set $cors 'true'; }" return originsRegex } diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index cb1ebd1b7..3089e3b32 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -35,9 +35,8 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/authreq" - "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" - "k8s.io/ingress-nginx/internal/ingress/annotations/opentracing" + "k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry" "k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit" "k8s.io/ingress-nginx/internal/ingress/annotations/rewrite" "k8s.io/ingress-nginx/internal/ingress/controller/config" @@ -48,9 +47,9 @@ import ( func init() { // the default value of nginx.TemplatePath assumes the template exists in // the root filesystem and not in the rootfs directory - path, err := filepath.Abs(filepath.Join("../../../../rootfs/", nginx.TemplatePath)) + absPath, err := filepath.Abs(filepath.Join("..", "..", "..", "..", "rootfs", nginx.TemplatePath)) if err == nil { - nginx.TemplatePath = path + nginx.TemplatePath = absPath } } @@ -63,7 +62,7 @@ var ( Target string Location string ProxyPass string - AutoHttpProxyPass string + AutoHTTPProxyPass string Sticky bool XForwardedPrefix string SecureBackend bool @@ -200,6 +199,12 @@ proxy_pass $scheme://upstream_balancer;`, } ) +const ( + defaultBackend = "upstream-name" + defaultHost = "example.com" + fooAuthHost = "foo.com/auth" +) + func getTestDataDir() (string, error) { pwd, err := os.Getwd() if err != nil { @@ -326,9 +331,6 @@ func TestBuildLocation(t *testing.T) { } func TestBuildProxyPass(t *testing.T) { - defaultBackend := "upstream-name" - defaultHost := "example.com" - for k, tc := range tmplFuncTestcases { loc := &ingress.Location{ Path: tc.Path, @@ -339,7 +341,7 @@ func TestBuildProxyPass(t *testing.T) { } if tc.SecureBackend { - loc.BackendProtocol = "HTTPS" + loc.BackendProtocol = httpsProtocol } backend := &ingress.Backend{ @@ -367,9 +369,6 @@ func TestBuildProxyPass(t *testing.T) { } func TestBuildProxyPassAutoHttp(t *testing.T) { - defaultBackend := "upstream-name" - defaultHost := "example.com" - for k, tc := range tmplFuncTestcases { loc := &ingress.Location{ Path: tc.Path, @@ -379,9 +378,9 @@ func TestBuildProxyPassAutoHttp(t *testing.T) { } if tc.SecureBackend { - loc.BackendProtocol = "HTTPS" + loc.BackendProtocol = httpsProtocol } else { - loc.BackendProtocol = "AUTO_HTTP" + loc.BackendProtocol = autoHTTPProtocol } backend := &ingress.Backend{ @@ -402,7 +401,7 @@ func TestBuildProxyPassAutoHttp(t *testing.T) { backends := []*ingress.Backend{backend} pp := buildProxyPass(defaultHost, backends, loc) - if !strings.EqualFold(tc.AutoHttpProxyPass, pp) { + if !strings.EqualFold(tc.AutoHTTPProxyPass, pp) { t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, tc.ProxyPass, pp) } } @@ -417,7 +416,7 @@ func TestBuildAuthLocation(t *testing.T) { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } - authURL := "foo.com/auth" + authURL := fooAuthHost globalAuthURL := "foo.com/global-auth" loc := &ingress.Location{ @@ -428,7 +427,7 @@ func TestBuildAuthLocation(t *testing.T) { EnableGlobalAuth: true, } - encodedAuthURL := strings.Replace(base64.URLEncoding.EncodeToString([]byte(loc.Path)), "=", "", -1) + encodedAuthURL := strings.ReplaceAll(base64.URLEncoding.EncodeToString([]byte(loc.Path)), "=", "") externalAuthPath := fmt.Sprintf("/_external-auth-%v-default", encodedAuthURL) testCases := []struct { @@ -460,8 +459,7 @@ func TestBuildAuthLocation(t *testing.T) { } func TestShouldApplyGlobalAuth(t *testing.T) { - - authURL := "foo.com/auth" + authURL := fooAuthHost globalAuthURL := "foo.com/global-auth" loc := &ingress.Location{ @@ -579,12 +577,12 @@ func TestBuildAuthUpstreamName(t *testing.T) { loc := &ingress.Location{ ExternalAuth: authreq.Config{ - URL: "foo.com/auth", + URL: fooAuthHost, }, Path: "/cat", } - encodedAuthURL := strings.Replace(base64.URLEncoding.EncodeToString([]byte(loc.Path)), "=", "", -1) + encodedAuthURL := strings.ReplaceAll(base64.URLEncoding.EncodeToString([]byte(loc.Path)), "=", "") externalAuthPath := fmt.Sprintf("external-auth-%v-default", encodedAuthURL) testCases := []struct { @@ -606,7 +604,7 @@ func TestBuildAuthUpstreamName(t *testing.T) { } func TestShouldApplyAuthUpstream(t *testing.T) { - authURL := "foo.com/auth" + authURL := fooAuthHost loc := &ingress.Location{ ExternalAuth: authreq.Config{ @@ -702,7 +700,10 @@ func TestChangeHostPort(t *testing.T) { } func TestTemplateWithData(t *testing.T) { - pwd, _ := os.Getwd() + pwd, err := os.Getwd() + if err != nil { + t.Errorf("unexpected error: %v", err) + } f, err := os.Open(path.Join(pwd, "../../../../test/data/config.json")) if err != nil { t.Errorf("unexpected error reading json file: %v", err) @@ -727,7 +728,7 @@ func TestTemplateWithData(t *testing.T) { dat.Cfg.DefaultSSLCertificate = &ingress.SSLCert{} - rt, err := ngxTpl.Write(dat) + rt, err := ngxTpl.Write(&dat) if err != nil { t.Errorf("invalid NGINX template: %v", err) } @@ -746,7 +747,10 @@ func TestTemplateWithData(t *testing.T) { } func BenchmarkTemplateWithData(b *testing.B) { - pwd, _ := os.Getwd() + pwd, err := os.Getwd() + if err != nil { + b.Errorf("unexpected error: %v", err) + } f, err := os.Open(path.Join(pwd, "../../../../test/data/config.json")) if err != nil { b.Errorf("unexpected error reading json file: %v", err) @@ -767,7 +771,9 @@ func BenchmarkTemplateWithData(b *testing.B) { } for i := 0; i < b.N; i++ { - ngxTpl.Write(dat) + if _, err := ngxTpl.Write(&dat); err != nil { + b.Errorf("unexpected error writing template: %v", err) + } } } @@ -1064,9 +1070,6 @@ func TestBuildUpstreamName(t *testing.T) { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } - defaultBackend := "upstream-name" - defaultHost := "example.com" - for k, tc := range tmplFuncTestcases { loc := &ingress.Location{ Path: tc.Path, @@ -1077,7 +1080,7 @@ func TestBuildUpstreamName(t *testing.T) { } if tc.SecureBackend { - loc.BackendProtocol = "HTTPS" + loc.BackendProtocol = httpsProtocol } backend := &ingress.Backend{ @@ -1130,20 +1133,19 @@ func TestEscapeLiteralDollar(t *testing.T) { } } -func TestOpentracingPropagateContext(t *testing.T) { +func TestOpentelemetryPropagateContext(t *testing.T) { tests := map[*ingress.Location]string{ - {BackendProtocol: "HTTP"}: "opentracing_propagate_context;", - {BackendProtocol: "HTTPS"}: "opentracing_propagate_context;", - {BackendProtocol: "AUTO_HTTP"}: "opentracing_propagate_context;", - {BackendProtocol: "GRPC"}: "opentracing_grpc_propagate_context;", - {BackendProtocol: "GRPCS"}: "opentracing_grpc_propagate_context;", - {BackendProtocol: "AJP"}: "opentracing_propagate_context;", - {BackendProtocol: "FCGI"}: "opentracing_propagate_context;", - nil: "", + {BackendProtocol: httpProtocol}: "opentelemetry_propagate;", + {BackendProtocol: httpsProtocol}: "opentelemetry_propagate;", + {BackendProtocol: autoHTTPProtocol}: "opentelemetry_propagate;", + {BackendProtocol: grpcProtocol}: "opentelemetry_propagate;", + {BackendProtocol: grpcsProtocol}: "opentelemetry_propagate;", + {BackendProtocol: fcgiProtocol}: "opentelemetry_propagate;", + nil: "", } for loc, expectedDirective := range tests { - actualDirective := opentracingPropagateContext(loc) + actualDirective := opentelemetryPropagateContext(loc) if actualDirective != expectedDirective { t.Errorf("Expected %v but returned %v", expectedDirective, actualDirective) } @@ -1151,7 +1153,6 @@ func TestOpentracingPropagateContext(t *testing.T) { } func TestGetIngressInformation(t *testing.T) { - testcases := map[string]struct { Ingress interface{} Host string @@ -1605,7 +1606,7 @@ func TestProxySetHeader(t *testing.T) { { name: "gRPC backend", loc: &ingress.Location{ - BackendProtocol: "GRPC", + BackendProtocol: grpcProtocol, }, expected: "grpc_set_header", }, @@ -1619,108 +1620,35 @@ func TestProxySetHeader(t *testing.T) { } } -func TestBuildInfluxDB(t *testing.T) { +func TestBuildOpenTelemetry(t *testing.T) { invalidType := &ingress.Ingress{} expected := "" - actual := buildInfluxDB(invalidType) - - if expected != actual { - t.Errorf("Expected '%v' but returned '%v'", expected, actual) - } - - cfg := influxdb.Config{ - InfluxDBEnabled: true, - InfluxDBServerName: "ok.com", - InfluxDBHost: "host.com", - InfluxDBPort: "5252", - InfluxDBMeasurement: "ok", - } - expected = "influxdb server_name=ok.com host=host.com port=5252 measurement=ok enabled=true;" - actual = buildInfluxDB(cfg) - - if expected != actual { - t.Errorf("Expected '%v' but returned '%v'", expected, actual) - } -} - -func TestBuildOpenTracing(t *testing.T) { - invalidType := &ingress.Ingress{} - expected := "" - actual := buildOpentracing(invalidType, []*ingress.Server{}) + actual := buildOpentelemetry(invalidType, []*ingress.Server{}) if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } cfgNoHost := config.Configuration{ - EnableOpentracing: true, + EnableOpentelemetry: true, } expected = "\r\n" - actual = buildOpentracing(cfgNoHost, []*ingress.Server{}) + actual = buildOpentelemetry(cfgNoHost, []*ingress.Server{}) if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } - cfgJaeger := config.Configuration{ - EnableOpentracing: true, - JaegerCollectorHost: "jaeger-host.com", + cfgOpenTelemetry := config.Configuration{ + EnableOpentelemetry: true, + OpentelemetryOperationName: "my-operation-name", } - expected = "opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/nginx/opentracing.json;\r\n" - actual = buildOpentracing(cfgJaeger, []*ingress.Server{}) - + expected = "\r\n" + expected += "opentelemetry_operation_name \"my-operation-name\";\n" + actual = buildOpentelemetry(cfgOpenTelemetry, []*ingress.Server{}) if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } - - cfgZipkin := config.Configuration{ - EnableOpentracing: true, - ZipkinCollectorHost: "zipkin-host.com", - } - expected = "opentracing_load_tracer /usr/local/lib/libzipkin_opentracing_plugin.so /etc/nginx/opentracing.json;\r\n" - actual = buildOpentracing(cfgZipkin, []*ingress.Server{}) - - if expected != actual { - t.Errorf("Expected '%v' but returned '%v'", expected, actual) - } - - cfgDatadog := config.Configuration{ - EnableOpentracing: true, - DatadogCollectorHost: "datadog-host.com", - } - expected = "opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n" - actual = buildOpentracing(cfgDatadog, []*ingress.Server{}) - - if expected != actual { - t.Errorf("Expected '%v' but returned '%v'", expected, actual) - } - - cfgJaegerEndpoint := config.Configuration{ - EnableOpentracing: true, - JaegerEndpoint: "http://jaeger-collector.com:14268/api/traces", - } - expected = "opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/nginx/opentracing.json;\r\n" - actual = buildOpentracing(cfgJaegerEndpoint, []*ingress.Server{}) - - if expected != actual { - t.Errorf("Expected '%v' but returned '%v'", expected, actual) - } - - cfgOpenTracing := config.Configuration{ - EnableOpentracing: true, - DatadogCollectorHost: "datadog-host.com", - OpentracingOperationName: "my-operation-name", - OpentracingLocationOperationName: "my-location-operation-name", - } - expected = "opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;\r\n" - expected += "opentracing_operation_name \"my-operation-name\";\n" - expected += "opentracing_location_operation_name \"my-location-operation-name\";\n" - actual = buildOpentracing(cfgOpenTracing, []*ingress.Server{}) - - if expected != actual { - t.Errorf("Expected '%v' but returned '%v'", expected, actual) - } - } func TestEnforceRegexModifier(t *testing.T) { @@ -1750,6 +1678,7 @@ func TestEnforceRegexModifier(t *testing.T) { } } +//nolint:dupl // Ignore dupl errors for similar test case func TestShouldLoadModSecurityModule(t *testing.T) { // ### Invalid argument type tests ### // The first tests should return false. @@ -1803,15 +1732,16 @@ func TestShouldLoadModSecurityModule(t *testing.T) { } } -func TestOpentracingForLocation(t *testing.T) { +func TestOpentelemetryForLocation(t *testing.T) { trueVal := true falseVal := false - loadOT := `opentracing on; -opentracing_propagate_context;` - loadOTUntrustedSpan := `opentracing on; -opentracing_propagate_context; -opentracing_trust_incoming_span off;` + loadOT := `opentelemetry on; +opentelemetry_propagate; +opentelemetry_trust_incoming_spans on;` + loadOTUntrustedSpan := `opentelemetry on; +opentelemetry_propagate; +opentelemetry_trust_incoming_spans off;` testCases := []struct { description string globalOT bool @@ -1833,16 +1763,16 @@ opentracing_trust_incoming_span off;` for _, testCase := range testCases { il := &ingress.Location{ - Opentracing: opentracing.Config{Set: testCase.isSetInLoc, TrustSet: testCase.isTrustSetInLoc}, + Opentelemetry: opentelemetry.Config{Set: testCase.isSetInLoc, TrustSet: testCase.isTrustSetInLoc}, } - if il.Opentracing.Set { - il.Opentracing.Enabled = *testCase.isOTInLoc + if il.Opentelemetry.Set { + il.Opentelemetry.Enabled = *testCase.isOTInLoc } - if il.Opentracing.TrustSet { - il.Opentracing.TrustEnabled = *testCase.isTrustInLoc + if il.Opentelemetry.TrustSet { + il.Opentelemetry.TrustEnabled = *testCase.isTrustInLoc } - actual := buildOpentracingForLocation(testCase.globalOT, testCase.globalTrust, il) + actual := buildOpentelemetryForLocation(testCase.globalOT, testCase.globalTrust, il) if testCase.expected != actual { t.Errorf("%v: expected '%v' but returned '%v'", testCase.description, testCase.expected, actual) @@ -1850,24 +1780,25 @@ opentracing_trust_incoming_span off;` } } -func TestShouldLoadOpentracingModule(t *testing.T) { +//nolint:dupl // Ignore dupl errors for similar test case +func TestShouldLoadOpentelemetryModule(t *testing.T) { // ### Invalid argument type tests ### // The first tests should return false. expected := false invalidType := &ingress.Ingress{} - actual := shouldLoadOpentracingModule(config.Configuration{}, invalidType) + actual := shouldLoadOpentelemetryModule(config.Configuration{}, invalidType) if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } - actual = shouldLoadOpentracingModule(invalidType, []*ingress.Server{}) + actual = shouldLoadOpentelemetryModule(invalidType, []*ingress.Server{}) if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } // ### Functional tests ### - actual = shouldLoadOpentracingModule(config.Configuration{}, []*ingress.Server{}) + actual = shouldLoadOpentelemetryModule(config.Configuration{}, []*ingress.Server{}) if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } @@ -1875,8 +1806,8 @@ func TestShouldLoadOpentracingModule(t *testing.T) { // All further tests should return true. expected = true - configuration := config.Configuration{EnableOpentracing: true} - actual = shouldLoadOpentracingModule(configuration, []*ingress.Server{}) + configuration := config.Configuration{EnableOpentelemetry: true} + actual = shouldLoadOpentelemetryModule(configuration, []*ingress.Server{}) if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } @@ -1885,19 +1816,19 @@ func TestShouldLoadOpentracingModule(t *testing.T) { { Locations: []*ingress.Location{ { - Opentracing: opentracing.Config{ + Opentelemetry: opentelemetry.Config{ Enabled: true, }, }, }, }, } - actual = shouldLoadOpentracingModule(config.Configuration{}, servers) + actual = shouldLoadOpentelemetryModule(config.Configuration{}, servers) if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } - actual = shouldLoadOpentracingModule(configuration, servers) + actual = shouldLoadOpentelemetryModule(configuration, servers) if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } @@ -1976,7 +1907,6 @@ func TestModSecurityForLocation(t *testing.T) { } func TestBuildServerName(t *testing.T) { - testCases := []struct { title string hostname string diff --git a/internal/ingress/controller/util.go b/internal/ingress/controller/util.go index 6562dd17c..8851f323f 100644 --- a/internal/ingress/controller/util.go +++ b/internal/ingress/controller/util.go @@ -135,11 +135,13 @@ func (nc NginxCommand) ExecCommand(args ...string) *exec.Cmd { cmdArgs = append(cmdArgs, "-c", cfgPath) cmdArgs = append(cmdArgs, args...) + //nolint:gosec // Ignore G204 error return exec.Command(nc.Binary, cmdArgs...) } // Test checks if config file is a syntax valid nginx configuration func (nc NginxCommand) Test(cfg string) ([]byte, error) { + //nolint:gosec // Ignore G204 error return exec.Command(nc.Binary, "-c", cfg, "-t").CombinedOutput() } diff --git a/internal/ingress/defaults/main.go b/internal/ingress/defaults/main.go index bc9734257..2bb58c858 100644 --- a/internal/ingress/defaults/main.go +++ b/internal/ingress/defaults/main.go @@ -34,6 +34,13 @@ type Backend struct { // toggles whether or not to remove trailing slashes during TLS redirects PreserveTrailingSlash bool `json:"preserve-trailing-slash"` + // allows usage of CustomHTTPErrors without intercepting service errors + // e.g. custom 404 and 503 when service-a does not exist or is not available + // but service-a can return 404 and 503 error codes without intercept + // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors + // By default this is false + DisableProxyInterceptErrors bool `json:"disable-proxy-intercept-errors"` + // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size // Sets the maximum allowed size of the client request body ProxyBodySize string `json:"proxy-body-size"` @@ -100,7 +107,7 @@ type Backend struct { // Name server/s used to resolve names of upstream servers into IP addresses. // The file /etc/resolv.conf is used as DNS resolution configuration. - Resolver []net.IP + Resolver []net.IP `json:"Resolver"` // SkipAccessLogURLs sets a list of URLs that should not appear in the NGINX access log // This is useful with urls like `/health` or `health-check` that make "complex" reading the logs @@ -139,6 +146,10 @@ type Backend struct { // http://nginx.org/en/docs/http/ngx_http_access_module.html WhitelistSourceRange []string `json:"whitelist-source-range"` + // DenylistSourceRange allows limiting access to certain client addresses + // http://nginx.org/en/docs/http/ngx_http_access_module.html + DenylistSourceRange []string `json:"denylist-source-range"` + // Limits the rate of response transmission to a client. // The rate is specified in bytes per second. The zero value disables rate limiting. // The limit is set per a request, and so if a client simultaneously opens two connections, @@ -166,3 +177,15 @@ type Backend struct { // It disables that behavior and instead uses a single upstream in NGINX, the service's Cluster IP and port. ServiceUpstream bool `json:"service-upstream"` } + +type SecurityConfiguration struct { + // AllowCrossNamespaceResources enables users to consume cross namespace resource on annotations + // Case disabled, attempts to use secrets or configmaps from a namespace different from Ingress will + // be denied + // This valid will default to `false` on future releases + AllowCrossNamespaceResources bool `json:"allow-cross-namespace-resources"` + + // AnnotationsRiskLevel represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations + // with risk High and Critical will not be accepted + AnnotationsRiskLevel string `json:"annotations-risk-level"` +} diff --git a/internal/ingress/errors/errors.go b/internal/ingress/errors/errors.go index 93c9ee5e0..d70218334 100644 --- a/internal/ingress/errors/errors.go +++ b/internal/ingress/errors/errors.go @@ -33,57 +33,57 @@ var ( // NewInvalidAnnotationConfiguration returns a new InvalidConfiguration error for use when // annotations are not correctly configured -func NewInvalidAnnotationConfiguration(name string, reason string) error { - return InvalidConfiguration{ +func NewInvalidAnnotationConfiguration(name, reason string) error { + return InvalidConfigurationError{ Name: fmt.Sprintf("the annotation %v does not contain a valid configuration: %v", name, reason), } } // NewInvalidAnnotationContent returns a new InvalidContent error func NewInvalidAnnotationContent(name string, val interface{}) error { - return InvalidContent{ + return InvalidContentError{ Name: fmt.Sprintf("the annotation %v does not contain a valid value (%v)", name, val), } } // NewLocationDenied returns a new LocationDenied error func NewLocationDenied(reason string) error { - return LocationDenied{ - Reason: fmt.Errorf("Location denied, reason: %v", reason), + return LocationDeniedError{ + Reason: fmt.Errorf("location denied, reason: %v", reason), } } -// InvalidConfiguration Error -type InvalidConfiguration struct { +// InvalidConfigurationError +type InvalidConfigurationError struct { Name string } -func (e InvalidConfiguration) Error() string { +func (e InvalidConfigurationError) Error() string { return e.Name } -// InvalidContent error -type InvalidContent struct { +// InvalidContentError +type InvalidContentError struct { Name string } -func (e InvalidContent) Error() string { +func (e InvalidContentError) Error() string { return e.Name } -// LocationDenied error -type LocationDenied struct { +// LocationDeniedError +type LocationDeniedError struct { Reason error } -func (e LocationDenied) Error() string { +func (e LocationDeniedError) Error() string { return e.Reason.Error() } // IsLocationDenied checks if the err is an error which // indicates a location should return HTTP code 503 func IsLocationDenied(e error) bool { - _, ok := e.(LocationDenied) + _, ok := e.(LocationDeniedError) return ok } @@ -96,7 +96,7 @@ func IsMissingAnnotations(e error) bool { // IsInvalidContent checks if the err is an error which // indicates an annotations value is not valid func IsInvalidContent(e error) bool { - _, ok := e.(InvalidContent) + _, ok := e.(InvalidContentError) return ok } @@ -110,3 +110,47 @@ func New(m string) error { func Errorf(format string, args ...interface{}) error { return fmt.Errorf(format, args...) } + +type ValidationError struct { + Reason error +} + +type RiskyAnnotationError struct { + Reason error +} + +func (e ValidationError) Error() string { + return e.Reason.Error() +} + +// NewValidationError returns a new LocationDenied error +func NewValidationError(annotation string) error { + return ValidationError{ + Reason: fmt.Errorf("annotation %s contains invalid value", annotation), + } +} + +// IsValidationError checks if the err is an error which +// indicates that some annotation value is invalid +func IsValidationError(e error) bool { + _, ok := e.(ValidationError) + return ok +} + +// NewValidationError returns a new LocationDenied error +func NewRiskyAnnotations(name string) error { + return RiskyAnnotationError{ + Reason: fmt.Errorf("annotation group %s contains risky annotation based on ingress configuration", name), + } +} + +// IsRiskyAnnotationError checks if the err is an error which +// indicates that some annotation value is invalid +func IsRiskyAnnotationError(e error) bool { + _, ok := e.(ValidationError) + return ok +} + +func (e RiskyAnnotationError) Error() string { + return e.Reason.Error() +} diff --git a/internal/ingress/inspector/ingress_test.go b/internal/ingress/inspector/ingress_test.go index bfd9f6b93..52ad8d431 100644 --- a/internal/ingress/inspector/ingress_test.go +++ b/internal/ingress/inspector/ingress_test.go @@ -24,7 +24,6 @@ import ( ) func makeSimpleIngress(hostname string, paths ...string) *networking.Ingress { - newIngress := networking.Ingress{ ObjectMeta: v1.ObjectMeta{ Name: "test1", diff --git a/internal/ingress/inspector/inspector.go b/internal/ingress/inspector/inspector.go index 98f257997..b41e18d9e 100644 --- a/internal/ingress/inspector/inspector.go +++ b/internal/ingress/inspector/inspector.go @@ -17,6 +17,9 @@ limitations under the License. package inspector import ( + "errors" + "fmt" + corev1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" "k8s.io/klog/v2" @@ -26,13 +29,37 @@ import ( // if an object contains invalid configurations that may represent a security risk, // and returning an error in this case func DeepInspect(obj interface{}) error { - switch obj.(type) { + switch obj := obj.(type) { case *networking.Ingress: - return InspectIngress(obj.(*networking.Ingress)) + return InspectIngress(obj) case *corev1.Service: - return InspectService(obj.(*corev1.Service)) + return InspectService(obj) default: klog.Warningf("received invalid object to inspect: %T", obj) return nil } } + +var implSpecific = networking.PathTypeImplementationSpecific + +func ValidatePathType(ing *networking.Ingress) error { + if ing == nil { + return fmt.Errorf("received null ingress") + } + var err error + for _, rule := range ing.Spec.Rules { + if rule.HTTP != nil { + for _, path := range rule.HTTP.Paths { + if path.Path == "" { + continue + } + if path.PathType == nil || *path.PathType != implSpecific { + if isValid := validPathType.MatchString(path.Path); !isValid { + err = errors.Join(err, fmt.Errorf("path %s cannot be used with pathType %s", path.Path, string(*path.PathType))) + } + } + } + } + } + return err +} diff --git a/internal/ingress/inspector/inspector_test.go b/internal/ingress/inspector/inspector_test.go new file mode 100644 index 000000000..36b029cff --- /dev/null +++ b/internal/ingress/inspector/inspector_test.go @@ -0,0 +1,191 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package inspector + +import ( + "errors" + "fmt" + "testing" + + networking "k8s.io/api/networking/v1" +) + +var ( + exact = networking.PathTypeExact + prefix = networking.PathTypePrefix +) + +var ( + validIngress = &networking.Ingress{ + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/test", + }, + { + PathType: &prefix, + Path: "/xpto/ab0/x_ss-9", + }, + { + PathType: &exact, + Path: "/bla/", + }, + }, + }, + }, + }, + }, + }, + } + + emptyIngress = &networking.Ingress{ + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + PathType: &exact, + }, + }, + }, + }, + }, + }, + }, + } + + invalidIngress = &networking.Ingress{ + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + PathType: &exact, + Path: "/foo.+", + }, + { + PathType: &exact, + Path: "xpto/lala", + }, + { + PathType: &exact, + Path: "/xpto/lala", + }, + { + PathType: &prefix, + Path: "/foo/bar/[a-z]{3}", + }, + { + PathType: &prefix, + Path: "/lala/xp\ntest", + }, + }, + }, + }, + }, + }, + }, + } + + validImplSpecific = &networking.Ingress{ + Spec: networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + PathType: &implSpecific, + Path: "/foo.+", + }, + { + PathType: &implSpecific, + Path: "xpto/lala", + }, + }, + }, + }, + }, + }, + }, + } +) + +var aErr = func(s, pathType string) error { + return fmt.Errorf("path %s cannot be used with pathType %s", s, pathType) +} + +func TestValidatePathType(t *testing.T) { + tests := []struct { + name string + ing *networking.Ingress + wantErr bool + err error + }{ + { + name: "nil should return an error", + ing: nil, + wantErr: true, + err: fmt.Errorf("received null ingress"), + }, + { + name: "valid should not return an error", + ing: validIngress, + wantErr: false, + }, + { + name: "empty should not return an error", + ing: emptyIngress, + wantErr: false, + }, + { + name: "empty should not return an error", + ing: validImplSpecific, + wantErr: false, + }, + { + name: "invalid should return multiple errors", + ing: invalidIngress, + wantErr: true, + err: errors.Join( + aErr("/foo.+", "Exact"), + aErr("xpto/lala", "Exact"), + aErr("/foo/bar/[a-z]{3}", "Prefix"), + aErr("/lala/xp\ntest", "Prefix"), + ), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := ValidatePathType(tt.ing) + if (err != nil) != tt.wantErr { + t.Errorf("ValidatePathType() error = %v, wantErr %v", err, tt.wantErr) + } + if (err != nil && tt.err != nil) && tt.err.Error() != err.Error() { + t.Errorf("received invalid error: want = %v, expected %v", tt.err, err) + } + }) + } +} diff --git a/internal/ingress/inspector/rules.go b/internal/ingress/inspector/rules.go index ab573b7fe..8388efdd5 100644 --- a/internal/ingress/inspector/rules.go +++ b/internal/ingress/inspector/rules.go @@ -28,6 +28,14 @@ var ( invalidSecretsDir = regexp.MustCompile(`/var/run/secrets`) invalidByLuaDirective = regexp.MustCompile(`.*_by_lua.*`) + // validPathType enforces alphanumeric, -, _ and / characters. + // The field (?i) turns this regex case insensitive + // The remaining regex says that the string must start with a "/" (^/) + // the group [[:alnum:]\_\-\/]* says that any amount of characters (A-Za-z0-9), _, - and / + // are accepted until the end of the line + // Nothing else is accepted. + validPathType = regexp.MustCompile(`(?i)^/[[:alnum:]\_\-/]*$`) + invalidRegex = []regexp.Regexp{} ) @@ -44,8 +52,8 @@ func init() { // CheckRegex receives a value/configuration and validates if it matches with one of the // forbidden regexes. func CheckRegex(value string) error { - for _, regex := range invalidRegex { - if regex.MatchString(value) { + for i := range invalidRegex { + if invalidRegex[i].MatchString(value) { return fmt.Errorf("invalid value found: %s", value) } } diff --git a/internal/ingress/inspector/rules_test.go b/internal/ingress/inspector/rules_test.go index 6ed6dbe87..3945a3bd4 100644 --- a/internal/ingress/inspector/rules_test.go +++ b/internal/ingress/inspector/rules_test.go @@ -19,7 +19,6 @@ package inspector import "testing" func TestCheckRegex(t *testing.T) { - tests := []struct { name string value string diff --git a/internal/ingress/inspector/service.go b/internal/ingress/inspector/service.go index 27ed27a8c..8be08490b 100644 --- a/internal/ingress/inspector/service.go +++ b/internal/ingress/inspector/service.go @@ -21,6 +21,6 @@ import ( ) // InspectService will be used to inspect service objects for possible invalid configurations -func InspectService(svc *corev1.Service) error { +func InspectService(_ *corev1.Service) error { return nil } diff --git a/internal/ingress/metric/collectors/admission.go b/internal/ingress/metric/collectors/admission.go index cf42fbaa1..7b84325c0 100644 --- a/internal/ingress/metric/collectors/admission.go +++ b/internal/ingress/metric/collectors/admission.go @@ -104,7 +104,7 @@ func NewAdmissionCollector(pod, namespace, class string) *AdmissionCollector { } // Describe implements prometheus.Collector -func (am AdmissionCollector) Describe(ch chan<- *prometheus.Desc) { +func (am *AdmissionCollector) Describe(ch chan<- *prometheus.Desc) { am.testedIngressLength.Describe(ch) am.testedIngressTime.Describe(ch) am.renderingIngressLength.Describe(ch) @@ -114,7 +114,7 @@ func (am AdmissionCollector) Describe(ch chan<- *prometheus.Desc) { } // Collect implements the prometheus.Collector interface. -func (am AdmissionCollector) Collect(ch chan<- prometheus.Metric) { +func (am *AdmissionCollector) Collect(ch chan<- prometheus.Metric) { am.testedIngressLength.Collect(ch) am.testedIngressTime.Collect(ch) am.renderingIngressLength.Collect(ch) @@ -139,7 +139,7 @@ func ByteFormat(bytes int64) string { } // SetAdmissionMetrics sets the values for AdmissionMetrics that can be called externally -func (am *AdmissionCollector) SetAdmissionMetrics(testedIngressLength float64, testedIngressTime float64, renderingIngressLength float64, renderingIngressTime float64, testedConfigurationSize float64, admissionTime float64) { +func (am *AdmissionCollector) SetAdmissionMetrics(testedIngressLength, testedIngressTime, renderingIngressLength, renderingIngressTime, testedConfigurationSize, admissionTime float64) { am.testedIngressLength.Set(testedIngressLength) am.testedIngressTime.Set(testedIngressTime) am.renderingIngressLength.Set(renderingIngressLength) diff --git a/internal/ingress/metric/collectors/controller.go b/internal/ingress/metric/collectors/controller.go index 5822f0d57..e1d6789bb 100644 --- a/internal/ingress/metric/collectors/controller.go +++ b/internal/ingress/metric/collectors/controller.go @@ -32,6 +32,7 @@ var ( ingressOperation = []string{"controller_namespace", "controller_class", "controller_pod", "namespace", "ingress"} sslLabelHost = []string{"namespace", "class", "host", "secret_name"} sslInfoLabels = []string{"namespace", "class", "host", "secret_name", "identifier", "issuer_organization", "issuer_common_name", "serial_number", "public_key_algorithm"} + orphanityLabels = []string{"controller_namespace", "controller_class", "controller_pod", "namespace", "ingress", "type"} ) // Controller defines base metrics about the ingress controller @@ -48,6 +49,7 @@ type Controller struct { checkIngressOperationErrors *prometheus.CounterVec sslExpireTime *prometheus.GaugeVec sslInfo *prometheus.GaugeVec + OrphanIngress *prometheus.GaugeVec constLabels prometheus.Labels labels prometheus.Labels @@ -171,6 +173,15 @@ func NewController(pod, namespace, class string) *Controller { }, []string{"name"}, ), + OrphanIngress: prometheus.NewGaugeVec( + prometheus.GaugeOpts{ + Namespace: PrometheusNamespace, + Name: "orphan_ingress", + Help: `Gauge reporting status of ingress orphanity, 1 indicates orphaned ingress. + 'namespace' is the string used to identify namespace of ingress, 'ingress' for ingress name and 'type' for 'no-service' or 'no-endpoint' of orphanity`, + }, + orphanityLabels, + ), } return cm @@ -214,6 +225,26 @@ func (cm *Controller) IncCheckErrorCount(namespace, name string) { cm.checkIngressOperationErrors.MustCurryWith(cm.constLabels).With(labels).Inc() } +// IncOrphanIngress sets the the orphaned ingress gauge to one +func (cm *Controller) IncOrphanIngress(namespace, name, orphanityType string) { + labels := prometheus.Labels{ + "namespace": namespace, + "ingress": name, + "type": orphanityType, + } + cm.OrphanIngress.MustCurryWith(cm.constLabels).With(labels).Set(1.0) +} + +// DecOrphanIngress sets the the orphaned ingress gauge to zero (all services has their endpoints) +func (cm *Controller) DecOrphanIngress(namespace, name, orphanityType string) { + labels := prometheus.Labels{ + "namespace": namespace, + "ingress": name, + "type": orphanityType, + } + cm.OrphanIngress.MustCurryWith(cm.constLabels).With(labels).Set(0.0) +} + // ConfigSuccess set a boolean flag according to the output of the controller configuration reload func (cm *Controller) ConfigSuccess(hash uint64, success bool) { if success { @@ -230,7 +261,7 @@ func (cm *Controller) ConfigSuccess(hash uint64, success bool) { } // Describe implements prometheus.Collector -func (cm Controller) Describe(ch chan<- *prometheus.Desc) { +func (cm *Controller) Describe(ch chan<- *prometheus.Desc) { cm.configHash.Describe(ch) cm.configSuccess.Describe(ch) cm.configSuccessTime.Describe(ch) @@ -242,10 +273,11 @@ func (cm Controller) Describe(ch chan<- *prometheus.Desc) { cm.sslInfo.Describe(ch) cm.leaderElection.Describe(ch) cm.buildInfo.Describe(ch) + cm.OrphanIngress.Describe(ch) } // Collect implements the prometheus.Collector interface. -func (cm Controller) Collect(ch chan<- prometheus.Metric) { +func (cm *Controller) Collect(ch chan<- prometheus.Metric) { cm.configHash.Collect(ch) cm.configSuccess.Collect(ch) cm.configSuccessTime.Collect(ch) @@ -257,46 +289,51 @@ func (cm Controller) Collect(ch chan<- prometheus.Metric) { cm.sslInfo.Collect(ch) cm.leaderElection.Collect(ch) cm.buildInfo.Collect(ch) + cm.OrphanIngress.Collect(ch) } // SetSSLExpireTime sets the expiration time of SSL Certificates func (cm *Controller) SetSSLExpireTime(servers []*ingress.Server) { for _, s := range servers { - if s.Hostname != "" && s.SSLCert != nil && s.SSLCert.ExpireTime.Unix() > 0 { - labels := make(prometheus.Labels, len(cm.labels)+1) - for k, v := range cm.labels { - labels[k] = v - } - labels["host"] = s.Hostname - labels["secret_name"] = s.SSLCert.Name - - cm.sslExpireTime.With(labels).Set(float64(s.SSLCert.ExpireTime.Unix())) + if !(s.Hostname != "" && s.SSLCert != nil && s.SSLCert.ExpireTime.Unix() > 0) { + continue } + + labels := make(prometheus.Labels, len(cm.labels)+1) + for k, v := range cm.labels { + labels[k] = v + } + labels["host"] = s.Hostname + labels["secret_name"] = s.SSLCert.Name + + cm.sslExpireTime.With(labels).Set(float64(s.SSLCert.ExpireTime.Unix())) } } // SetSSLInfo creates a metric with all certificates informations func (cm *Controller) SetSSLInfo(servers []*ingress.Server) { for _, s := range servers { - if s.SSLCert != nil && s.SSLCert.Certificate != nil && s.SSLCert.Certificate.SerialNumber != nil { - labels := make(prometheus.Labels, len(cm.labels)+1) - for k, v := range cm.labels { - labels[k] = v - } - labels["identifier"] = s.SSLCert.Identifier() - labels["host"] = s.Hostname - labels["secret_name"] = s.SSLCert.Name - labels["namespace"] = s.SSLCert.Namespace - labels["issuer_common_name"] = s.SSLCert.Certificate.Issuer.CommonName - labels["issuer_organization"] = "" - if len(s.SSLCert.Certificate.Issuer.Organization) > 0 { - labels["issuer_organization"] = s.SSLCert.Certificate.Issuer.Organization[0] - } - labels["serial_number"] = s.SSLCert.Certificate.SerialNumber.String() - labels["public_key_algorithm"] = s.SSLCert.Certificate.PublicKeyAlgorithm.String() - - cm.sslInfo.With(labels).Set(1) + if s.SSLCert == nil || s.SSLCert.Certificate == nil || s.SSLCert.Certificate.SerialNumber == nil { + continue } + + labels := make(prometheus.Labels, len(cm.labels)+1) + for k, v := range cm.labels { + labels[k] = v + } + labels["identifier"] = s.SSLCert.Identifier() + labels["host"] = s.Hostname + labels["secret_name"] = s.SSLCert.Name + labels["namespace"] = s.SSLCert.Namespace + labels["issuer_common_name"] = s.SSLCert.Certificate.Issuer.CommonName + labels["issuer_organization"] = "" + if len(s.SSLCert.Certificate.Issuer.Organization) > 0 { + labels["issuer_organization"] = s.SSLCert.Certificate.Issuer.Organization[0] + } + labels["serial_number"] = s.SSLCert.Certificate.SerialNumber.String() + labels["public_key_algorithm"] = s.SSLCert.Certificate.PublicKeyAlgorithm.String() + + cm.sslInfo.With(labels).Set(1) } } diff --git a/internal/ingress/metric/collectors/controller_test.go b/internal/ingress/metric/collectors/controller_test.go index ef80bc96a..15735df42 100644 --- a/internal/ingress/metric/collectors/controller_test.go +++ b/internal/ingress/metric/collectors/controller_test.go @@ -76,9 +76,12 @@ func TestControllerCounters(t *testing.T) { { name: "should set SSL certificates metrics", test: func(cm *Controller) { - t1, _ := time.Parse( + t1, err := time.Parse( time.RFC3339, "2012-11-01T22:08:41+00:00") + if err != nil { + t.Errorf("unexpected error: %v", err) + } servers := []*ingress.Server{ { @@ -106,7 +109,6 @@ func TestControllerCounters(t *testing.T) { { name: "should set SSL certificates infos metrics", test: func(cm *Controller) { - servers := []*ingress.Server{ { Hostname: "demo", @@ -143,7 +145,6 @@ func TestControllerCounters(t *testing.T) { { name: "should ignore certificates without serial number", test: func(cm *Controller) { - servers := []*ingress.Server{ { Hostname: "demo", @@ -168,7 +169,6 @@ func TestControllerCounters(t *testing.T) { { name: "should ignore certificates with nil x509 pointer", test: func(cm *Controller) { - servers := []*ingress.Server{ { Hostname: "demo", @@ -193,7 +193,6 @@ func TestControllerCounters(t *testing.T) { { name: "should ignore servers without certificates", test: func(cm *Controller) { - servers := []*ingress.Server{ { Hostname: "demo", @@ -232,9 +231,12 @@ func TestRemoveMetrics(t *testing.T) { t.Errorf("registering collector failed: %s", err) } - t1, _ := time.Parse( + t1, err := time.Parse( time.RFC3339, "2012-11-01T22:08:41+00:00") + if err != nil { + t.Errorf("Unexpected error: %v", err) + } servers := []*ingress.Server{ { @@ -279,10 +281,12 @@ func TestRemoveAllSSLMetrics(t *testing.T) { t.Errorf("registering collector failed: %s", err) } - t1, _ := time.Parse( + t1, err := time.Parse( time.RFC3339, "2012-11-01T22:08:41+00:00") - + if err != nil { + t.Errorf("unexpected error: %v", err) + } servers := []*ingress.Server{ { Hostname: "demo", diff --git a/internal/ingress/metric/collectors/main.go b/internal/ingress/metric/collectors/main.go index 2c57ad774..b2479929b 100644 --- a/internal/ingress/metric/collectors/main.go +++ b/internal/ingress/metric/collectors/main.go @@ -17,4 +17,4 @@ limitations under the License. package collectors // PrometheusNamespace default metric namespace -var PrometheusNamespace = "nginx_ingress_controller" +var PrometheusNamespace = "nginx_ingress_controller" //#nosec G101 diff --git a/internal/ingress/metric/collectors/nginx_status.go b/internal/ingress/metric/collectors/nginx_status.go index 5aaa787de..f3afdc334 100644 --- a/internal/ingress/metric/collectors/nginx_status.go +++ b/internal/ingress/metric/collectors/nginx_status.go @@ -75,7 +75,6 @@ type NGINXStatusCollector interface { // NewNGINXStatus returns a new prometheus collector the default nginx status module func NewNGINXStatus(podName, namespace, ingressClass string) (NGINXStatusCollector, error) { - p := nginxStatusCollector{ scrapeChan: make(chan scrapeRequest), } diff --git a/internal/ingress/metric/collectors/nginx_status_test.go b/internal/ingress/metric/collectors/nginx_status_test.go index 4dc67c425..ec535745d 100644 --- a/internal/ingress/metric/collectors/nginx_status_test.go +++ b/internal/ingress/metric/collectors/nginx_status_test.go @@ -106,7 +106,7 @@ func TestStatusCollector(t *testing.T) { server := &httptest.Server{ Listener: listener, - Config: &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + Config: &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { //nolint:gosec // Ignore the gosec error in testing w.WriteHeader(http.StatusOK) if r.URL.Path == "/nginx_status" { diff --git a/internal/ingress/metric/collectors/process.go b/internal/ingress/metric/collectors/process.go index 23f533876..3803a47ae 100644 --- a/internal/ingress/metric/collectors/process.go +++ b/internal/ingress/metric/collectors/process.go @@ -53,6 +53,8 @@ type BinaryNameMatcher struct { // MatchAndName returns false if the match failed, otherwise // true and the resulting name. +// +//nolint:gocritic // nacl param cannot be a pointer since it's to implement common.MatchNamer interface func (em BinaryNameMatcher) MatchAndName(nacl common.ProcAttributes) (bool, string) { if len(nacl.Cmdline) == 0 { return false, "" @@ -94,8 +96,10 @@ type NGINXProcessCollector interface { Stop() } -var name = "nginx" -var binary = "/usr/bin/nginx" +var ( + name = "nginx" + binary = "/usr/bin/nginx" +) // NewNGINXProcess returns a new prometheus collector for the nginx process func NewNGINXProcess(pod, namespace, ingressClass string) (NGINXProcessCollector, error) { @@ -106,7 +110,7 @@ func NewNGINXProcess(pod, namespace, ingressClass string) (NGINXProcessCollector nm := newBinaryNameMatcher(name, binary) - p := namedProcess{ + p := &namedProcess{ scrapeChan: make(chan scrapeRequest), Grouper: proc.NewGrouper(nm, true, false, false, false), fs: fs, @@ -164,7 +168,7 @@ func NewNGINXProcess(pod, namespace, ingressClass string) (NGINXProcessCollector } // Describe implements prometheus.Collector. -func (p namedProcess) Describe(ch chan<- *prometheus.Desc) { +func (p *namedProcess) Describe(ch chan<- *prometheus.Desc) { ch <- p.data.cpuSecs ch <- p.data.numProcs ch <- p.data.readBytes @@ -175,13 +179,13 @@ func (p namedProcess) Describe(ch chan<- *prometheus.Desc) { } // Collect implements prometheus.Collector. -func (p namedProcess) Collect(ch chan<- prometheus.Metric) { +func (p *namedProcess) Collect(ch chan<- prometheus.Metric) { req := scrapeRequest{results: ch, done: make(chan struct{})} p.scrapeChan <- req <-req.done } -func (p namedProcess) Start() { +func (p *namedProcess) Start() { for req := range p.scrapeChan { ch := req.results p.scrape(ch) @@ -189,18 +193,19 @@ func (p namedProcess) Start() { } } -func (p namedProcess) Stop() { +func (p *namedProcess) Stop() { close(p.scrapeChan) } -func (p namedProcess) scrape(ch chan<- prometheus.Metric) { +func (p *namedProcess) scrape(ch chan<- prometheus.Metric) { _, groups, err := p.Update(p.fs.AllProcs()) if err != nil { klog.Warningf("unexpected error obtaining nginx process info: %v", err) return } - for _, gcounts := range groups { + for i := range groups { + gcounts := groups[i] ch <- prometheus.MustNewConstMetric(p.data.numProcs, prometheus.GaugeValue, float64(gcounts.Procs)) ch <- prometheus.MustNewConstMetric(p.data.memResidentbytes, diff --git a/internal/ingress/metric/collectors/process_test.go b/internal/ingress/metric/collectors/process_test.go index 45170572b..588cbafef 100644 --- a/internal/ingress/metric/collectors/process_test.go +++ b/internal/ingress/metric/collectors/process_test.go @@ -48,8 +48,11 @@ func TestProcessCollector(t *testing.T) { done := make(chan struct{}) go func() { - cmd.Wait() - status := cmd.ProcessState.Sys().(syscall.WaitStatus) + cmd.Wait() //nolint:errcheck // Ignore the error + status, ok := cmd.ProcessState.Sys().(syscall.WaitStatus) + if !ok { + t.Errorf("unexpected type: %T", cmd.ProcessState.Sys()) + } if status.Signaled() { t.Logf("Signal: %v", status.Signal()) } else { @@ -69,7 +72,7 @@ func TestProcessCollector(t *testing.T) { defer func() { cm.Stop() - cmd.Process.Kill() + cmd.Process.Kill() //nolint:errcheck // Ignore the error <-done close(done) }() diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go index 9c0376cd3..a70024c57 100644 --- a/internal/ingress/metric/collectors/socket.go +++ b/internal/ingress/metric/collectors/socket.go @@ -21,6 +21,7 @@ import ( "io" "net" "os" + "strings" "syscall" jsoniter "github.com/json-iterator/go" @@ -43,14 +44,11 @@ type socketData struct { Latency float64 `json:"upstreamLatency"` HeaderTime float64 `json:"upstreamHeaderTime"` ResponseTime float64 `json:"upstreamResponseTime"` - //ResponseLength float64 `json:"upstreamResponseLength"` - //Status string `json:"upstreamStatus"` - - Namespace string `json:"namespace"` - Ingress string `json:"ingress"` - Service string `json:"service"` - Canary string `json:"canary"` - Path string `json:"path"` + Namespace string `json:"namespace"` + Ingress string `json:"ingress"` + Service string `json:"service"` + Canary string `json:"canary"` + Path string `json:"path"` } // HistogramBuckets allow customizing prometheus histogram buckets values @@ -60,6 +58,8 @@ type HistogramBuckets struct { SizeBuckets []float64 } +type metricMapping map[string]prometheus.Collector + // SocketCollector stores prometheus metrics and ingress meta-data type SocketCollector struct { prometheus.Collector @@ -78,27 +78,25 @@ type SocketCollector struct { listener net.Listener - metricMapping map[string]interface{} + metricMapping metricMapping - hosts sets.String + hosts sets.Set[string] metricsPerHost bool reportStatusClasses bool } -var ( - requestTags = []string{ - "status", +var requestTags = []string{ + "status", - "method", - "path", + "method", + "path", - "namespace", - "ingress", - "service", - "canary", - } -) + "namespace", + "ingress", + "service", + "canary", +} // DefObjectives was removed in https://github.com/prometheus/client_golang/pull/262 // updating the library to latest version changed the output of the metrics @@ -106,9 +104,10 @@ var defObjectives = map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001} // NewSocketCollector creates a new SocketCollector instance using // the ingress watch namespace and class used by the controller -func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStatusClasses bool, buckets HistogramBuckets) (*SocketCollector, error) { +func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStatusClasses bool, buckets HistogramBuckets, excludeMetrics []string) (*SocketCollector, error) { socket := "/tmp/nginx/prometheus-nginx.socket" // unix sockets must be unlink()ed before being used + //nolint:errcheck // Ignore unlink error _ = syscall.Unlink(socket) listener, err := net.Listen("unix", socket) @@ -116,7 +115,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat return nil, err } - err = os.Chmod(socket, 0777) // #nosec + err = os.Chmod(socket, 0o777) // #nosec if err != nil { return nil, err } @@ -132,14 +131,24 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat requestTags = append(requestTags, "host") } + em := make(map[string]struct{}, len(excludeMetrics)) + for _, m := range excludeMetrics { + // remove potential nginx_ingress_controller prefix from the metric name + // TBD: how to handle fully qualified histogram metrics e.g. _buckets and _sum. Should we just remove the suffix and remove the histogram metric or ignore it? + em[strings.TrimPrefix(m, "nginx_ingress_controller_")] = struct{}{} + } + + // create metric mapping with only the metrics that are not excluded + mm := make(metricMapping) + sc := &SocketCollector{ listener: listener, metricsPerHost: metricsPerHost, reportStatusClasses: reportStatusClasses, - connectTime: prometheus.NewHistogramVec( - prometheus.HistogramOpts{ + connectTime: histogramMetric( + &prometheus.HistogramOpts{ Name: "connect_duration_seconds", Help: "The time spent on establishing a connection with the upstream server", Namespace: PrometheusNamespace, @@ -147,9 +156,12 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.TimeBuckets, }, requestTags, + em, + mm, ), - headerTime: prometheus.NewHistogramVec( - prometheus.HistogramOpts{ + + headerTime: histogramMetric( + &prometheus.HistogramOpts{ Name: "header_duration_seconds", Help: "The time spent on receiving first header from the upstream server", Namespace: PrometheusNamespace, @@ -157,9 +169,11 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.TimeBuckets, }, requestTags, + em, + mm, ), - responseTime: prometheus.NewHistogramVec( - prometheus.HistogramOpts{ + responseTime: histogramMetric( + &prometheus.HistogramOpts{ Name: "response_duration_seconds", Help: "The time spent on receiving the response from the upstream server", Namespace: PrometheusNamespace, @@ -167,9 +181,12 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.TimeBuckets, }, requestTags, + em, + mm, ), - requestTime: prometheus.NewHistogramVec( - prometheus.HistogramOpts{ + + requestTime: histogramMetric( + &prometheus.HistogramOpts{ Name: "request_duration_seconds", Help: "The request processing time in milliseconds", Namespace: PrometheusNamespace, @@ -177,10 +194,12 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.TimeBuckets, }, requestTags, + em, + mm, ), - responseLength: prometheus.NewHistogramVec( - prometheus.HistogramOpts{ + responseLength: histogramMetric( + &prometheus.HistogramOpts{ Name: "response_size", Help: "The response length (including request line, header, and request body)", Namespace: PrometheusNamespace, @@ -188,30 +207,37 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Buckets: buckets.LengthBuckets, }, requestTags, + em, + mm, ), - requestLength: prometheus.NewHistogramVec( - prometheus.HistogramOpts{ + + requestLength: histogramMetric( + &prometheus.HistogramOpts{ Name: "request_size", Help: "The request length (including request line, header, and request body)", Namespace: PrometheusNamespace, - Buckets: buckets.LengthBuckets, ConstLabels: constLabels, + Buckets: buckets.LengthBuckets, }, requestTags, + em, + mm, ), - requests: prometheus.NewCounterVec( - prometheus.CounterOpts{ + requests: counterMetric( + &prometheus.CounterOpts{ Name: "requests", Help: "The total number of client requests", Namespace: PrometheusNamespace, ConstLabels: constLabels, }, requestTags, + em, + mm, ), - bytesSent: prometheus.NewHistogramVec( - prometheus.HistogramOpts{ + bytesSent: histogramMetric( + &prometheus.HistogramOpts{ Name: "bytes_sent", Help: "DEPRECATED The number of bytes sent to a client", Namespace: PrometheusNamespace, @@ -219,10 +245,12 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ConstLabels: constLabels, }, requestTags, + em, + mm, ), - upstreamLatency: prometheus.NewSummaryVec( - prometheus.SummaryOpts{ + upstreamLatency: summaryMetric( + &prometheus.SummaryOpts{ Name: "ingress_upstream_latency_seconds", Help: "DEPRECATED Upstream service latency per Ingress", Namespace: PrometheusNamespace, @@ -230,28 +258,59 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat Objectives: defObjectives, }, []string{"ingress", "namespace", "service", "canary"}, + em, + mm, ), } - sc.metricMapping = map[string]interface{}{ - prometheus.BuildFQName(PrometheusNamespace, "", "requests"): sc.requests, - - prometheus.BuildFQName(PrometheusNamespace, "", "connect_duration_seconds"): sc.connectTime, - prometheus.BuildFQName(PrometheusNamespace, "", "header_duration_seconds"): sc.headerTime, - prometheus.BuildFQName(PrometheusNamespace, "", "response_duration_seconds"): sc.responseTime, - prometheus.BuildFQName(PrometheusNamespace, "", "request_duration_seconds"): sc.requestTime, - - prometheus.BuildFQName(PrometheusNamespace, "", "request_size"): sc.requestLength, - prometheus.BuildFQName(PrometheusNamespace, "", "response_size"): sc.responseLength, - - prometheus.BuildFQName(PrometheusNamespace, "", "bytes_sent"): sc.bytesSent, - - prometheus.BuildFQName(PrometheusNamespace, "", "ingress_upstream_latency_seconds"): sc.upstreamLatency, - } - + sc.metricMapping = mm return sc, nil } +func containsMetric(excludeMetrics map[string]struct{}, name string) bool { + if _, ok := excludeMetrics[name]; ok { + klog.V(3).InfoS("Skipping metric", "metric", name) + return true + } + return false +} + +func summaryMetric(opts *prometheus.SummaryOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.SummaryVec { + if containsMetric(excludeMetrics, opts.Name) { + return nil + } + m := prometheus.NewSummaryVec( + *opts, + requestTags, + ) + metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m + return m +} + +func counterMetric(opts *prometheus.CounterOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.CounterVec { + if containsMetric(excludeMetrics, opts.Name) { + return nil + } + m := prometheus.NewCounterVec( + *opts, + requestTags, + ) + metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m + return m +} + +func histogramMetric(opts *prometheus.HistogramOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.HistogramVec { + if containsMetric(excludeMetrics, opts.Name) { + return nil + } + m := prometheus.NewHistogramVec( + *opts, + requestTags, + ) + metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m + return m +} + func (sc *SocketCollector) handleMessage(msg []byte) { klog.V(5).InfoS("Metric", "message", string(msg)) @@ -263,7 +322,8 @@ func (sc *SocketCollector) handleMessage(msg []byte) { return } - for _, stats := range statsBatch { + for i := range statsBatch { + stats := &statsBatch[i] if sc.metricsPerHost && !sc.hosts.Has(stats.Host) { klog.V(3).InfoS("Skipping metric for host not being served", "host", stats.Host) continue @@ -305,30 +365,36 @@ func (sc *SocketCollector) handleMessage(msg []byte) { "canary": stats.Canary, } - requestsMetric, err := sc.requests.GetMetricWith(collectorLabels) - if err != nil { - klog.ErrorS(err, "Error fetching requests metric") - } else { - requestsMetric.Inc() + if sc.requests != nil { + requestsMetric, err := sc.requests.GetMetricWith(collectorLabels) + if err != nil { + klog.ErrorS(err, "Error fetching requests metric") + } else { + requestsMetric.Inc() + } } if stats.Latency != -1 { - connectTimeMetric, err := sc.connectTime.GetMetricWith(requestLabels) - if err != nil { - klog.ErrorS(err, "Error fetching connect time metric") - } else { - connectTimeMetric.Observe(stats.Latency) + if sc.connectTime != nil { + connectTimeMetric, err := sc.connectTime.GetMetricWith(requestLabels) + if err != nil { + klog.ErrorS(err, "Error fetching connect time metric") + } else { + connectTimeMetric.Observe(stats.Latency) + } } - latencyMetric, err := sc.upstreamLatency.GetMetricWith(latencyLabels) - if err != nil { - klog.ErrorS(err, "Error fetching latency metric") - } else { - latencyMetric.Observe(stats.Latency) + if sc.upstreamLatency != nil { + latencyMetric, err := sc.upstreamLatency.GetMetricWith(latencyLabels) + if err != nil { + klog.ErrorS(err, "Error fetching latency metric") + } else { + latencyMetric.Observe(stats.Latency) + } } } - if stats.HeaderTime != -1 { + if stats.HeaderTime != -1 && sc.headerTime != nil { headerTimeMetric, err := sc.headerTime.GetMetricWith(requestLabels) if err != nil { klog.ErrorS(err, "Error fetching header time metric") @@ -337,7 +403,7 @@ func (sc *SocketCollector) handleMessage(msg []byte) { } } - if stats.RequestTime != -1 { + if stats.RequestTime != -1 && sc.requestTime != nil { requestTimeMetric, err := sc.requestTime.GetMetricWith(requestLabels) if err != nil { klog.ErrorS(err, "Error fetching request duration metric") @@ -346,7 +412,7 @@ func (sc *SocketCollector) handleMessage(msg []byte) { } } - if stats.RequestLength != -1 { + if stats.RequestLength != -1 && sc.requestLength != nil { requestLengthMetric, err := sc.requestLength.GetMetricWith(requestLabels) if err != nil { klog.ErrorS(err, "Error fetching request length metric") @@ -355,7 +421,7 @@ func (sc *SocketCollector) handleMessage(msg []byte) { } } - if stats.ResponseTime != -1 { + if stats.ResponseTime != -1 && sc.responseTime != nil { responseTimeMetric, err := sc.responseTime.GetMetricWith(requestLabels) if err != nil { klog.ErrorS(err, "Error fetching upstream response time metric") @@ -365,18 +431,22 @@ func (sc *SocketCollector) handleMessage(msg []byte) { } if stats.ResponseLength != -1 { - bytesSentMetric, err := sc.bytesSent.GetMetricWith(requestLabels) - if err != nil { - klog.ErrorS(err, "Error fetching bytes sent metric") - } else { - bytesSentMetric.Observe(stats.ResponseLength) + if sc.bytesSent != nil { + bytesSentMetric, err := sc.bytesSent.GetMetricWith(requestLabels) + if err != nil { + klog.ErrorS(err, "Error fetching bytes sent metric") + } else { + bytesSentMetric.Observe(stats.ResponseLength) + } } - responseSizeMetric, err := sc.responseLength.GetMetricWith(requestLabels) - if err != nil { - klog.ErrorS(err, "Error fetching bytes sent metric") - } else { - responseSizeMetric.Observe(stats.ResponseLength) + if sc.responseLength != nil { + responseSizeMetric, err := sc.responseLength.GetMetricWith(requestLabels) + if err != nil { + klog.ErrorS(err, "Error fetching bytes sent metric") + } else { + responseSizeMetric.Observe(stats.ResponseLength) + } } } } @@ -470,42 +540,22 @@ func (sc *SocketCollector) RemoveMetrics(ingresses []string, registry prometheus } // Describe implements prometheus.Collector -func (sc SocketCollector) Describe(ch chan<- *prometheus.Desc) { - sc.connectTime.Describe(ch) - sc.headerTime.Describe(ch) - sc.responseTime.Describe(ch) - sc.requestTime.Describe(ch) - - sc.requestLength.Describe(ch) - sc.responseLength.Describe(ch) - - sc.requests.Describe(ch) - - sc.upstreamLatency.Describe(ch) - - sc.bytesSent.Describe(ch) +func (sc *SocketCollector) Describe(ch chan<- *prometheus.Desc) { + for _, metric := range sc.metricMapping { + metric.Describe(ch) + } } // Collect implements the prometheus.Collector interface. -func (sc SocketCollector) Collect(ch chan<- prometheus.Metric) { - sc.connectTime.Collect(ch) - sc.headerTime.Collect(ch) - sc.responseTime.Collect(ch) - sc.requestTime.Collect(ch) - - sc.requestLength.Collect(ch) - sc.responseLength.Collect(ch) - - sc.requests.Collect(ch) - - sc.upstreamLatency.Collect(ch) - - sc.bytesSent.Collect(ch) +func (sc *SocketCollector) Collect(ch chan<- prometheus.Metric) { + for _, metric := range sc.metricMapping { + metric.Collect(ch) + } } // SetHosts sets the hostnames that are being served by the ingress controller // This set of hostnames is used to filter the metrics to be exposed -func (sc *SocketCollector) SetHosts(hosts sets.String) { +func (sc *SocketCollector) SetHosts(hosts sets.Set[string]) { sc.hosts = hosts } diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go index f175828cc..71e9097c9 100644 --- a/internal/ingress/metric/collectors/socket_test.go +++ b/internal/ingress/metric/collectors/socket_test.go @@ -30,6 +30,7 @@ import ( func TestNewUDPLogListener(t *testing.T) { var count uint64 + //nolint:unparam // Unused `message` param is required by the handleMessages function fn := func(message []byte) { atomic.AddUint64(&count, 1) } @@ -57,8 +58,13 @@ func TestNewUDPLogListener(t *testing.T) { } }() - conn, _ := net.Dial("unix", tmpFile) - conn.Write([]byte("message")) + conn, err := net.Dial("unix", tmpFile) + if err != nil { + t.Errorf("unexpected error connecting to unix socket: %v", err) + } + if _, err := conn.Write([]byte("message")); err != nil { + t.Errorf("unexpected error writing to unix socket: %v", err) + } conn.Close() time.Sleep(1 * time.Millisecond) @@ -68,7 +74,6 @@ func TestNewUDPLogListener(t *testing.T) { } func TestCollector(t *testing.T) { - buckets := struct { TimeBuckets []float64 LengthBuckets []float64 @@ -84,6 +89,7 @@ func TestCollector(t *testing.T) { data []string metrics []string useStatusClasses bool + excludeMetrics []string wantBefore string removeIngresses []string wantAfter string @@ -470,13 +476,126 @@ func TestCollector(t *testing.T) { wantAfter: ` `, }, + { + name: "basic exclude metrics test", + data: []string{`[{ + "host":"testshop.com", + "status":"200", + "bytesSent":150.0, + "method":"GET", + "path":"/admin", + "requestLength":300.0, + "requestTime":60.0, + "upstreamLatency":1.0, + "upstreamHeaderTime":5.0, + "upstreamName":"test-upstream", + "upstreamIP":"1.1.1.1:8080", + "upstreamResponseTime":200, + "upstreamStatus":"220", + "namespace":"test-app-production", + "ingress":"web-yml", + "service":"test-app", + "canary":"" + }]`}, + excludeMetrics: []string{"nginx_ingress_controller_connect_duration_seconds"}, + metrics: []string{"nginx_ingress_controller_connect_duration_seconds", "nginx_ingress_controller_response_duration_seconds"}, + useStatusClasses: true, + wantBefore: ` + # HELP nginx_ingress_controller_response_duration_seconds The time spent on receiving the response from the upstream server + # TYPE nginx_ingress_controller_response_duration_seconds histogram + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.005"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.01"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.025"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.05"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.1"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.25"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="1"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="2.5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="10"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="+Inf"} 1 + nginx_ingress_controller_response_duration_seconds_sum{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 200 + nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 1 + `, + }, + { + name: "remove metrics with the short metric name", + data: []string{`[{ + "host":"testshop.com", + "status":"200", + "bytesSent":150.0, + "method":"GET", + "path":"/admin", + "requestLength":300.0, + "requestTime":60.0, + "upstreamLatency":1.0, + "upstreamHeaderTime":5.0, + "upstreamName":"test-upstream", + "upstreamIP":"1.1.1.1:8080", + "upstreamResponseTime":200, + "upstreamStatus":"220", + "namespace":"test-app-production", + "ingress":"web-yml", + "service":"test-app", + "canary":"" + }]`}, + excludeMetrics: []string{"response_duration_seconds"}, + metrics: []string{"nginx_ingress_controller_response_duration_seconds"}, + useStatusClasses: true, + wantBefore: ` + `, + }, + { + name: "exclude metrics make sure to only remove exactly matched metrics", + data: []string{`[{ + "host":"testshop.com", + "status":"200", + "bytesSent":150.0, + "method":"GET", + "path":"/admin", + "requestLength":300.0, + "requestTime":60.0, + "upstreamLatency":1.0, + "upstreamHeaderTime":5.0, + "upstreamName":"test-upstream", + "upstreamIP":"1.1.1.1:8080", + "upstreamResponseTime":200, + "upstreamStatus":"220", + "namespace":"test-app-production", + "ingress":"web-yml", + "service":"test-app", + "canary":"" + }]`}, + excludeMetrics: []string{"response_duration_seconds2", "test.*", "nginx_ingress_.*", "response_duration_secon"}, + metrics: []string{"nginx_ingress_controller_response_duration_seconds"}, + useStatusClasses: true, + wantBefore: ` + # HELP nginx_ingress_controller_response_duration_seconds The time spent on receiving the response from the upstream server + # TYPE nginx_ingress_controller_response_duration_seconds histogram + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.005"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.01"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.025"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.05"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.1"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.25"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="0.5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="1"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="2.5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="5"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="10"} 0 + nginx_ingress_controller_response_duration_seconds_bucket{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx",le="+Inf"} 1 + nginx_ingress_controller_response_duration_seconds_sum{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 200 + nginx_ingress_controller_response_duration_seconds_count{canary="",controller_class="ingress",controller_namespace="default",controller_pod="pod",host="testshop.com",ingress="web-yml",method="GET",namespace="test-app-production",path="/admin",service="test-app",status="2xx"} 1 + `, + }, } for _, c := range cases { t.Run(c.name, func(t *testing.T) { registry := prometheus.NewPedanticRegistry() - sc, err := NewSocketCollector("pod", "default", "ingress", true, c.useStatusClasses, buckets) + sc, err := NewSocketCollector("pod", "default", "ingress", true, c.useStatusClasses, buckets, c.excludeMetrics) if err != nil { t.Errorf("%v: unexpected error creating new SocketCollector: %v", c.name, err) } @@ -485,7 +604,7 @@ func TestCollector(t *testing.T) { t.Errorf("registering collector failed: %s", err) } - sc.SetHosts(sets.NewString("testshop.com")) + sc.SetHosts(sets.New[string]("testshop.com")) for _, d := range c.data { sc.handleMessage([]byte(d)) diff --git a/internal/ingress/metric/collectors/testutils.go b/internal/ingress/metric/collectors/testutils.go index 8c5c27b62..669e89e17 100644 --- a/internal/ingress/metric/collectors/testutils.go +++ b/internal/ingress/metric/collectors/testutils.go @@ -31,7 +31,7 @@ import ( // GatherAndCompare retrieves all metrics exposed by a collector and compares it // to an expected output in the Prometheus text exposition format. // metricNames allows only comparing the given metrics. All are compared if it's nil. -func GatherAndCompare(c prometheus.Collector, expected string, metricNames []string, reg prometheus.Gatherer) error { +func GatherAndCompare(_ prometheus.Collector, expected string, metricNames []string, reg prometheus.Gatherer) error { expected = removeUnusedWhitespace(expected) metrics, err := reg.Gather() @@ -77,9 +77,7 @@ metric output does not match expectation; want: got: -'%s' - -`, buf2.String(), buf1.String()) +'%s'`, buf2.String(), buf1.String()) } return nil } diff --git a/internal/ingress/metric/dummy.go b/internal/ingress/metric/dummy.go index 4a6366b84..a619ccbd8 100644 --- a/internal/ingress/metric/dummy.go +++ b/internal/ingress/metric/dummy.go @@ -29,44 +29,50 @@ func NewDummyCollector() Collector { // DummyCollector dummy implementation for mocks in tests type DummyCollector struct{} -// ConfigSuccess ... +// ConfigSuccess dummy implementation func (dc DummyCollector) ConfigSuccess(uint64, bool) {} -// SetAdmissionMetrics ... +// SetAdmissionMetrics dummy implementation func (dc DummyCollector) SetAdmissionMetrics(float64, float64, float64, float64, float64, float64) {} -// IncReloadCount ... +// IncReloadCount dummy implementation func (dc DummyCollector) IncReloadCount() {} -// IncReloadErrorCount ... +// IncReloadErrorCount dummy implementation func (dc DummyCollector) IncReloadErrorCount() {} -// IncCheckCount ... +// IncOrphanIngress dummy implementation +func (dc DummyCollector) IncOrphanIngress(string, string, string) {} + +// DecOrphanIngress dummy implementation +func (dc DummyCollector) DecOrphanIngress(string, string, string) {} + +// IncCheckCount dummy implementation func (dc DummyCollector) IncCheckCount(string, string) {} -// IncCheckErrorCount ... +// IncCheckErrorCount dummy implementation func (dc DummyCollector) IncCheckErrorCount(string, string) {} -// RemoveMetrics ... -func (dc DummyCollector) RemoveMetrics(ingresses, endpoints, certificates []string) {} +// RemoveMetrics dummy implementation +func (dc DummyCollector) RemoveMetrics(_, _, _ []string) {} -// Start ... -func (dc DummyCollector) Start(admissionStatus string) {} +// Start dummy implementation +func (dc DummyCollector) Start(_ string) {} -// Stop ... -func (dc DummyCollector) Stop(admissionStatus string) {} +// Stop dummy implementation +func (dc DummyCollector) Stop(_ string) {} -// SetSSLInfo ... +// SetSSLInfo dummy implementation func (dc DummyCollector) SetSSLInfo([]*ingress.Server) {} -// SetSSLExpireTime ... +// SetSSLExpireTime dummy implementation func (dc DummyCollector) SetSSLExpireTime([]*ingress.Server) {} -// SetHosts ... -func (dc DummyCollector) SetHosts(hosts sets.String) {} +// SetHosts dummy implementation +func (dc DummyCollector) SetHosts(_ sets.Set[string]) {} // OnStartedLeading indicates the pod is not the current leader -func (dc DummyCollector) OnStartedLeading(electionID string) {} +func (dc DummyCollector) OnStartedLeading(_ string) {} // OnStoppedLeading indicates the pod is not the current leader -func (dc DummyCollector) OnStoppedLeading(electionID string) {} +func (dc DummyCollector) OnStoppedLeading(_ string) {} diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go index b3323c7fe..aa35a5c51 100644 --- a/internal/ingress/metric/main.go +++ b/internal/ingress/metric/main.go @@ -43,6 +43,8 @@ type Collector interface { IncCheckCount(string, string) IncCheckErrorCount(string, string) + IncOrphanIngress(string, string, string) + DecOrphanIngress(string, string, string) RemoveMetrics(ingresses, endpoints, certificates []string) @@ -50,7 +52,7 @@ type Collector interface { SetSSLInfo(servers []*ingress.Server) // SetHosts sets the hostnames that are being served by the ingress controller - SetHosts(sets.String) + SetHosts(set sets.Set[string]) Start(string) Stop(string) @@ -69,7 +71,7 @@ type collector struct { } // NewCollector creates a new metric collector the for ingress controller -func NewCollector(metricsPerHost, reportStatusClasses bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets) (Collector, error) { +func NewCollector(metricsPerHost, reportStatusClasses bool, registry *prometheus.Registry, ingressclass string, buckets collectors.HistogramBuckets, excludedSocketMetrics []string) (Collector, error) { podNamespace := os.Getenv("POD_NAMESPACE") if podNamespace == "" { podNamespace = "default" @@ -87,7 +89,7 @@ func NewCollector(metricsPerHost, reportStatusClasses bool, registry *prometheus return nil, err } - s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, reportStatusClasses, buckets) + s, err := collectors.NewSocketCollector(podName, podNamespace, ingressclass, metricsPerHost, reportStatusClasses, buckets, excludedSocketMetrics) if err != nil { return nil, err } @@ -113,11 +115,11 @@ func (c *collector) ConfigSuccess(hash uint64, success bool) { c.ingressController.ConfigSuccess(hash, success) } -func (c *collector) IncCheckCount(namespace string, name string) { +func (c *collector) IncCheckCount(namespace, name string) { c.ingressController.IncCheckCount(namespace, name) } -func (c *collector) IncCheckErrorCount(namespace string, name string) { +func (c *collector) IncCheckErrorCount(namespace, name string) { c.ingressController.IncCheckErrorCount(namespace, name) } @@ -181,11 +183,19 @@ func (c *collector) SetSSLInfo(servers []*ingress.Server) { c.ingressController.SetSSLInfo(servers) } -func (c *collector) SetHosts(hosts sets.String) { +func (c *collector) IncOrphanIngress(namespace, name, orphanityType string) { + c.ingressController.IncOrphanIngress(namespace, name, orphanityType) +} + +func (c *collector) DecOrphanIngress(namespace, name, orphanityType string) { + c.ingressController.DecOrphanIngress(namespace, name, orphanityType) +} + +func (c *collector) SetHosts(hosts sets.Set[string]) { c.socket.SetHosts(hosts) } -func (c *collector) SetAdmissionMetrics(testedIngressLength float64, testedIngressTime float64, renderingIngressLength float64, renderingIngressTime float64, testedConfigurationSize float64, admissionTime float64) { +func (c *collector) SetAdmissionMetrics(testedIngressLength, testedIngressTime, renderingIngressLength, renderingIngressTime, testedConfigurationSize, admissionTime float64) { c.admissionController.SetAdmissionMetrics( testedIngressLength, testedIngressTime, @@ -209,9 +219,7 @@ func (c *collector) OnStoppedLeading(electionID string) { c.ingressController.RemoveAllSSLMetrics(c.registry) } -var ( - currentLeader uint32 -) +var currentLeader uint32 func setLeader(leader bool) { var i uint32 diff --git a/internal/ingress/resolver/main.go b/internal/ingress/resolver/main.go index e05a2aaae..7d17f4e16 100644 --- a/internal/ingress/resolver/main.go +++ b/internal/ingress/resolver/main.go @@ -26,6 +26,9 @@ type Resolver interface { // GetDefaultBackend returns the backend that must be used as default GetDefaultBackend() defaults.Backend + // GetSecurityConfiguration returns the configuration options from Ingress + GetSecurityConfiguration() defaults.SecurityConfiguration + // GetConfigMap searches for configmap containing the namespace and name usting the character / GetConfigMap(string) (*apiv1.ConfigMap, error) diff --git a/internal/ingress/resolver/mock.go b/internal/ingress/resolver/mock.go index 62c5c6db9..679c3b13c 100644 --- a/internal/ingress/resolver/mock.go +++ b/internal/ingress/resolver/mock.go @@ -26,7 +26,9 @@ import ( // Mock implements the Resolver interface type Mock struct { - ConfigMaps map[string]*apiv1.ConfigMap + ConfigMaps map[string]*apiv1.ConfigMap + AnnotationsRiskLevel string + AllowCrossNamespace bool } // GetDefaultBackend returns the backend that must be used as default @@ -34,6 +36,17 @@ func (m Mock) GetDefaultBackend() defaults.Backend { return defaults.Backend{} } +func (m Mock) GetSecurityConfiguration() defaults.SecurityConfiguration { + defRisk := m.AnnotationsRiskLevel + if defRisk == "" { + defRisk = "Critical" + } + return defaults.SecurityConfiguration{ + AnnotationsRiskLevel: defRisk, + AllowCrossNamespaceResources: m.AllowCrossNamespace, + } +} + // GetSecret searches for secrets contenating the namespace and name using a the character / func (m Mock) GetSecret(string) (*apiv1.Secret, error) { return nil, nil diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go index 2e53682a0..81fb9044a 100644 --- a/internal/ingress/status/status.go +++ b/internal/ingress/status/status.go @@ -29,6 +29,7 @@ import ( pool "gopkg.in/go-playground/pool.v3" apiv1 "k8s.io/api/core/v1" + v1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/util/wait" @@ -43,7 +44,7 @@ import ( // which the status should check if an update is required. var UpdateInterval = 60 -// Syncer ... +// Syncer is an interface that implements syncer type Syncer interface { Run(chan struct{}) @@ -55,7 +56,7 @@ type ingressLister interface { ListIngresses() []*ingress.Ingress } -// Config ... +// Config is a structure that implements Client interfaces type Config struct { Client clientset.Interface @@ -86,7 +87,7 @@ type statusSync struct { } // Start starts the loop to keep the status in sync -func (s statusSync) Run(stopCh chan struct{}) { +func (s *statusSync) Run(stopCh chan struct{}) { go s.syncQueue.Run(time.Second, stopCh) // trigger initial sync @@ -94,15 +95,19 @@ func (s statusSync) Run(stopCh chan struct{}) { // when this instance is the leader we need to enqueue // an item to trigger the update of the Ingress status. - wait.PollUntil(time.Duration(UpdateInterval)*time.Second, func() (bool, error) { + //nolint:staticcheck // TODO: will replace it since wait.PollUntil is deprecated + err := wait.PollUntil(time.Duration(UpdateInterval)*time.Second, func() (bool, error) { s.syncQueue.EnqueueTask(task.GetDummyObject("sync status")) return false, nil }, stopCh) + if err != nil { + klog.ErrorS(err, "error running poll") + } } // Shutdown stops the sync. In case the instance is the leader it will remove the current IP // if there is no other instances running. -func (s statusSync) Shutdown() { +func (s *statusSync) Shutdown() { go s.syncQueue.Shutdown() if !s.UpdateStatusOnShutdown { @@ -128,10 +133,10 @@ func (s statusSync) Shutdown() { } klog.InfoS("removing value from ingress status", "address", addrs) - s.updateStatus([]apiv1.LoadBalancerIngress{}) + s.updateStatus([]v1.IngressLoadBalancerIngress{}) } -func (s *statusSync) sync(key interface{}) error { +func (s *statusSync) sync(_ interface{}) error { if s.syncQueue.IsShuttingDown() { klog.V(2).InfoS("skipping Ingress status update (shutting down in progress)") return nil @@ -146,13 +151,13 @@ func (s *statusSync) sync(key interface{}) error { return nil } -func (s statusSync) keyfunc(input interface{}) (interface{}, error) { +func (s *statusSync) keyfunc(input interface{}) (interface{}, error) { return input, nil } // NewStatusSyncer returns a new Syncer instance func NewStatusSyncer(config Config) Syncer { - st := statusSync{ + st := &statusSync{ Config: config, } st.syncQueue = task.NewCustomTaskQueue(st.sync, st.keyfunc) @@ -160,21 +165,21 @@ func NewStatusSyncer(config Config) Syncer { return st } -func nameOrIPToLoadBalancerIngress(nameOrIP string) apiv1.LoadBalancerIngress { +func nameOrIPToLoadBalancerIngress(nameOrIP string) v1.IngressLoadBalancerIngress { if net.ParseIP(nameOrIP) != nil { - return apiv1.LoadBalancerIngress{IP: nameOrIP} + return v1.IngressLoadBalancerIngress{IP: nameOrIP} } - return apiv1.LoadBalancerIngress{Hostname: nameOrIP} + return v1.IngressLoadBalancerIngress{Hostname: nameOrIP} } // runningAddresses returns a list of IP addresses and/or FQDN where the // ingress controller is currently running -func (s *statusSync) runningAddresses() ([]apiv1.LoadBalancerIngress, error) { +func (s *statusSync) runningAddresses() ([]v1.IngressLoadBalancerIngress, error) { if s.PublishStatusAddress != "" { re := regexp.MustCompile(`,\s*`) multipleAddrs := re.Split(s.PublishStatusAddress, -1) - addrs := make([]apiv1.LoadBalancerIngress, len(multipleAddrs)) + addrs := make([]v1.IngressLoadBalancerIngress, len(multipleAddrs)) for i, addr := range multipleAddrs { addrs[i] = nameOrIPToLoadBalancerIngress(addr) } @@ -193,7 +198,7 @@ func (s *statusSync) runningAddresses() ([]apiv1.LoadBalancerIngress, error) { return nil, err } - addrs := make([]apiv1.LoadBalancerIngress, 0) + addrs := make([]v1.IngressLoadBalancerIngress, 0) for i := range pods.Items { pod := pods.Items[i] // only Running pods are valid @@ -225,7 +230,6 @@ func (s *statusSync) runningAddresses() ([]apiv1.LoadBalancerIngress, error) { } func (s *statusSync) isRunningMultiplePods() bool { - // As a standard, app.kubernetes.io are "reserved well-known" labels. // In our case, we add those labels as identifiers of the Ingress // deployment in this namespace, so we can select it as a set of Ingress instances. @@ -250,7 +254,7 @@ func (s *statusSync) isRunningMultiplePods() bool { // standardizeLoadBalancerIngresses sorts the list of loadbalancer by // IP -func standardizeLoadBalancerIngresses(lbi []apiv1.LoadBalancerIngress) []apiv1.LoadBalancerIngress { +func standardizeLoadBalancerIngresses(lbi []v1.IngressLoadBalancerIngress) []v1.IngressLoadBalancerIngress { sort.SliceStable(lbi, func(a, b int) bool { return lbi[a].IP < lbi[b].IP }) @@ -259,7 +263,7 @@ func standardizeLoadBalancerIngresses(lbi []apiv1.LoadBalancerIngress) []apiv1.L } // updateStatus changes the status information of Ingress rules -func (s *statusSync) updateStatus(newIngressPoint []apiv1.LoadBalancerIngress) { +func (s *statusSync) updateStatus(newIngressPoint []v1.IngressLoadBalancerIngress) { ings := s.IngressLister.ListIngresses() p := pool.NewLimited(10) @@ -283,8 +287,9 @@ func (s *statusSync) updateStatus(newIngressPoint []apiv1.LoadBalancerIngress) { batch.WaitAll() } -func runUpdate(ing *ingress.Ingress, status []apiv1.LoadBalancerIngress, - client clientset.Interface) pool.WorkFunc { +func runUpdate(ing *ingress.Ingress, status []v1.IngressLoadBalancerIngress, + client clientset.Interface, +) pool.WorkFunc { return func(wu pool.WorkUnit) (interface{}, error) { if wu.IsCancelled() { return nil, nil @@ -307,7 +312,7 @@ func runUpdate(ing *ingress.Ingress, status []apiv1.LoadBalancerIngress, } } -func lessLoadBalancerIngress(addrs []apiv1.LoadBalancerIngress) func(int, int) bool { +func lessLoadBalancerIngress(addrs []v1.IngressLoadBalancerIngress) func(int, int) bool { return func(a, b int) bool { switch strings.Compare(addrs[a].Hostname, addrs[b].Hostname) { case -1: @@ -319,7 +324,7 @@ func lessLoadBalancerIngress(addrs []apiv1.LoadBalancerIngress) func(int, int) b } } -func ingressSliceEqual(lhs, rhs []apiv1.LoadBalancerIngress) bool { +func ingressSliceEqual(lhs, rhs []v1.IngressLoadBalancerIngress) bool { if len(lhs) != len(rhs) { return false } @@ -336,8 +341,11 @@ func ingressSliceEqual(lhs, rhs []apiv1.LoadBalancerIngress) bool { return true } -func statusAddressFromService(service string, kubeClient clientset.Interface) ([]apiv1.LoadBalancerIngress, error) { - ns, name, _ := k8s.ParseNameNS(service) +func statusAddressFromService(service string, kubeClient clientset.Interface) ([]v1.IngressLoadBalancerIngress, error) { + ns, name, err := k8s.ParseNameNS(service) + if err != nil { + return nil, err + } svc, err := kubeClient.CoreV1().Services(ns).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return nil, err @@ -345,28 +353,28 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ switch svc.Spec.Type { case apiv1.ServiceTypeExternalName: - return []apiv1.LoadBalancerIngress{{ + return []v1.IngressLoadBalancerIngress{{ Hostname: svc.Spec.ExternalName, }}, nil case apiv1.ServiceTypeClusterIP: - return []apiv1.LoadBalancerIngress{{ + return []v1.IngressLoadBalancerIngress{{ IP: svc.Spec.ClusterIP, }}, nil case apiv1.ServiceTypeNodePort: if svc.Spec.ExternalIPs == nil { - return []apiv1.LoadBalancerIngress{{ + return []v1.IngressLoadBalancerIngress{{ IP: svc.Spec.ClusterIP, }}, nil } - addrs := make([]apiv1.LoadBalancerIngress, len(svc.Spec.ExternalIPs)) - for i, ip := range svc.Spec.ExternalIPs { - addrs[i] = apiv1.LoadBalancerIngress{IP: ip} + addrs := make([]v1.IngressLoadBalancerIngress, 0, len(svc.Spec.ExternalIPs)) + for _, ip := range svc.Spec.ExternalIPs { + addrs = append(addrs, v1.IngressLoadBalancerIngress{IP: ip}) } return addrs, nil case apiv1.ServiceTypeLoadBalancer: - addrs := make([]apiv1.LoadBalancerIngress, len(svc.Status.LoadBalancer.Ingress)) + addrs := make([]v1.IngressLoadBalancerIngress, 0, len(svc.Status.LoadBalancer.Ingress)) for i, ingress := range svc.Status.LoadBalancer.Ingress { - addrs[i] = apiv1.LoadBalancerIngress{} + addrs = append(addrs, v1.IngressLoadBalancerIngress{}) if ingress.Hostname != "" { addrs[i].Hostname = ingress.Hostname } @@ -376,7 +384,7 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ } for _, ip := range svc.Spec.ExternalIPs { if !stringInIngresses(ip, addrs) { - addrs = append(addrs, apiv1.LoadBalancerIngress{IP: ip}) + addrs = append(addrs, v1.IngressLoadBalancerIngress{IP: ip}) } } return addrs, nil @@ -386,7 +394,7 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ } // stringInSlice returns true if s is in list -func stringInIngresses(s string, list []apiv1.LoadBalancerIngress) bool { +func stringInIngresses(s string, list []v1.IngressLoadBalancerIngress) bool { for _, v := range list { if v.IP == s || v.Hostname == s { return true diff --git a/internal/ingress/status/status_test.go b/internal/ingress/status/status_test.go index d4ef09e7c..01419708b 100644 --- a/internal/ingress/status/status_test.go +++ b/internal/ingress/status/status_test.go @@ -18,7 +18,6 @@ package status import ( "context" - "os" "reflect" "testing" "time" @@ -34,8 +33,10 @@ import ( "k8s.io/ingress-nginx/pkg/apis/ingress" ) -func buildLoadBalancerIngressByIP() []apiv1.LoadBalancerIngress { - return []apiv1.LoadBalancerIngress{ +const localhost = "127.0.0.1" + +func buildLoadBalancerIngressByIP() []networking.IngressLoadBalancerIngress { + return []networking.IngressLoadBalancerIngress{ { IP: "10.0.0.1", Hostname: "foo1", @@ -123,17 +124,9 @@ func buildSimpleClientSet() *testclient.Clientset { }, }}, &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Status: apiv1.ServiceStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: buildLoadBalancerIngressByIP(), - }, - }, - }, + // This is commented out as the ServiceStatus.LoadBalancer field expects a LoadBalancerStatus object + // which is incompatible with the current Ingress struct which expects a IngressLoadBalancerStatus object + // TODO: update this service when the ServiceStatus struct gets updated { ObjectMeta: metav1.ObjectMeta{ Name: "foo_non_exist", @@ -182,7 +175,8 @@ func buildSimpleClientSet() *testclient.Clientset { Name: "ingress-controller-leader", Namespace: apiv1.NamespaceDefault, }, - }}}, + }, + }}, &networking.IngressList{Items: buildExtensionsIngresses()}, ) } @@ -199,8 +193,8 @@ func buildExtensionsIngresses() []networking.Ingress { Namespace: apiv1.NamespaceDefault, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: []networking.IngressLoadBalancerIngress{ { IP: "10.0.0.1", Hostname: "foo1", @@ -218,8 +212,8 @@ func buildExtensionsIngresses() []networking.Ingress { }, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: []networking.IngressLoadBalancerIngress{ { IP: "0.0.0.0", Hostname: "foo.bar.com", @@ -234,38 +228,41 @@ func buildExtensionsIngresses() []networking.Ingress { Namespace: apiv1.NamespaceDefault, }, Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{}, + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: []networking.IngressLoadBalancerIngress{}, }, }, }, } } -type testIngressLister struct { -} +type testIngressLister struct{} func (til *testIngressLister) ListIngresses() []*ingress.Ingress { var ingresses []*ingress.Ingress - ingresses = append(ingresses, &ingress.Ingress{ - Ingress: networking.Ingress{ - ObjectMeta: metav1.ObjectMeta{ - Name: "foo_ingress_non_01", - Namespace: apiv1.NamespaceDefault, - }}}) - - ingresses = append(ingresses, &ingress.Ingress{ - Ingress: networking.Ingress{ - ObjectMeta: metav1.ObjectMeta{ - Name: "foo_ingress_1", - Namespace: apiv1.NamespaceDefault, - }, - Status: networking.IngressStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: buildLoadBalancerIngressByIP(), + ingresses = append(ingresses, + &ingress.Ingress{ + Ingress: networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo_ingress_non_01", + Namespace: apiv1.NamespaceDefault, }, }, - }}) + }, + &ingress.Ingress{ + Ingress: networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo_ingress_1", + Namespace: apiv1.NamespaceDefault, + }, + Status: networking.IngressStatus{ + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: buildLoadBalancerIngressByIP(), + }, + }, + }, + }, + ) return ingresses } @@ -287,8 +284,8 @@ func buildStatusSync() statusSync { func TestStatusActions(t *testing.T) { // make sure election can be created - os.Setenv("POD_NAME", "foo1") - os.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) + t.Setenv("POD_NAME", "foo1") + t.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) c := Config{ Client: buildSimpleClientSet(), PublishService: "", @@ -312,7 +309,10 @@ func TestStatusActions(t *testing.T) { t.Fatalf("expected a valid Sync") } - fk := fkSync.(statusSync) + fk, ok := fkSync.(*statusSync) + if !ok { + t.Errorf("unexpected type: %T", fkSync) + } // start it and wait for the election and syn actions stopCh := make(chan struct{}) @@ -322,10 +322,12 @@ func TestStatusActions(t *testing.T) { // wait for the election time.Sleep(100 * time.Millisecond) // execute sync - fk.sync("just-test") + if err := fk.sync("just-test"); err != nil { + t.Errorf("unexpected error: %v", err) + } // PublishService is empty, so the running address is: ["11.0.0.2"] // after updated, the ingress's ip should only be "11.0.0.2" - newIPs := []apiv1.LoadBalancerIngress{{ + newIPs := []networking.IngressLoadBalancerIngress{{ IP: "11.0.0.2", }} fooIngress1, err1 := fk.Client.NetworkingV1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{}) @@ -342,7 +344,7 @@ func TestStatusActions(t *testing.T) { // execute shutdown fk.Shutdown() // ingress should be empty - newIPs2 := []apiv1.LoadBalancerIngress{} + var newIPs2 []networking.IngressLoadBalancerIngress fooIngress2, err2 := fk.Client.NetworkingV1().Ingresses(apiv1.NamespaceDefault).Get(context.TODO(), "foo_ingress_1", metav1.GetOptions{}) if err2 != nil { t.Fatalf("unexpected error") @@ -361,7 +363,7 @@ func TestStatusActions(t *testing.T) { } } -func TestCallback(t *testing.T) { +func TestCallback(_ *testing.T) { buildStatusSync() } @@ -370,7 +372,6 @@ func TestKeyfunc(t *testing.T) { i := "foo_base_pod" r, err := fk.keyfunc(i) - if err != nil { t.Fatalf("unexpected error") } @@ -382,120 +383,125 @@ func TestKeyfunc(t *testing.T) { func TestRunningAddressesWithPublishService(t *testing.T) { testCases := map[string]struct { fakeClient *testclient.Clientset - expected []apiv1.LoadBalancerIngress + expected []networking.IngressLoadBalancerIngress errExpected bool }{ "service type ClusterIP": { testclient.NewSimpleClientset( - &apiv1.PodList{Items: []apiv1.Pod{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.PodSpec{ - NodeName: "foo_node", - }, - Status: apiv1.PodStatus{ - Phase: apiv1.PodRunning, + &apiv1.PodList{ + Items: []apiv1.Pod{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.PodSpec{ + NodeName: "foo_node", + }, + Status: apiv1.PodStatus{ + Phase: apiv1.PodRunning, + }, }, }, }, - }, - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeClusterIP, - ClusterIP: "1.1.1.1", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeClusterIP, + ClusterIP: "1.1.1.1", + }, }, }, }, - }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "1.1.1.1"}, }, false, }, "service type NodePort": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeNodePort, - ClusterIP: "1.1.1.1", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeNodePort, + ClusterIP: "1.1.1.1", + }, }, }, }, - }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "1.1.1.1"}, }, false, }, "service type ExternalName": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeExternalName, - ExternalName: "foo.bar", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeExternalName, + ExternalName: "foo.bar", + }, }, }, }, - }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {Hostname: "foo.bar"}, }, false, }, "service type LoadBalancer": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeLoadBalancer, - }, - Status: apiv1.ServiceStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ - { - IP: "10.0.0.1", - }, - { - IP: "", - Hostname: "foo", - }, - { - IP: "10.0.0.2", - Hostname: "10-0-0-2.cloudprovider.example.net", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeLoadBalancer, + }, + Status: apiv1.ServiceStatus{ + LoadBalancer: apiv1.LoadBalancerStatus{ + Ingress: []apiv1.LoadBalancerIngress{ + { + IP: "10.0.0.1", + }, + { + IP: "", + Hostname: "foo", + }, + { + IP: "10.0.0.2", + Hostname: "10-0-0-2.cloudprovider.example.net", + }, }, }, }, }, }, }, - }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "10.0.0.1"}, {Hostname: "foo"}, { @@ -507,45 +513,47 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, "service type LoadBalancer with same externalIP and ingress IP": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeLoadBalancer, - ExternalIPs: []string{"10.0.0.1"}, - }, - Status: apiv1.ServiceStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ - { - IP: "10.0.0.1", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeLoadBalancer, + ExternalIPs: []string{"10.0.0.1"}, + }, + Status: apiv1.ServiceStatus{ + LoadBalancer: apiv1.LoadBalancerStatus{ + Ingress: []apiv1.LoadBalancerIngress{ + { + IP: "10.0.0.1", + }, }, }, }, }, }, }, - }, ), - []apiv1.LoadBalancerIngress{ + []networking.IngressLoadBalancerIngress{ {IP: "10.0.0.1"}, }, false, }, "invalid service type": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, }, }, }, - }, ), nil, true, @@ -554,7 +562,6 @@ func TestRunningAddressesWithPublishService(t *testing.T) { for title, tc := range testCases { t.Run(title, func(t *testing.T) { - fk := buildStatusSync() fk.Config.Client = tc.fakeClient @@ -568,7 +575,7 @@ func TestRunningAddressesWithPublishService(t *testing.T) { } if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } if !reflect.DeepEqual(tc.expected, ra) { @@ -582,9 +589,13 @@ func TestRunningAddressesWithPods(t *testing.T) { fk := buildStatusSync() fk.PublishService = "" - r, _ := fk.runningAddresses() + r, err := fk.runningAddresses() + if err != nil { + t.Errorf("unexpected error: %v", err) + } + if r == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } rl := len(r) if len(r) != 1 { @@ -592,25 +603,28 @@ func TestRunningAddressesWithPods(t *testing.T) { } rv := r[0] if rv.IP != "11.0.0.2" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "11.0.0.2"}) + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "11.0.0.2"}) } } func TestRunningAddressesWithPublishStatusAddress(t *testing.T) { fk := buildStatusSync() - fk.PublishStatusAddress = "127.0.0.1" + fk.PublishStatusAddress = localhost - ra, _ := fk.runningAddresses() + ra, err := fk.runningAddresses() + if err != nil { + t.Errorf("unexpected error: %v", err) + } if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } rl := len(ra) if len(ra) != 1 { t.Errorf("returned %v but expected %v", rl, 1) } rv := ra[0] - if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"}) + if rv.IP != localhost { + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: localhost}) } } @@ -618,9 +632,12 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) { fk := buildStatusSync() fk.PublishStatusAddress = "127.0.0.1,1.1.1.1" - ra, _ := fk.runningAddresses() + ra, err := fk.runningAddresses() + if err != nil { + t.Errorf("unexpected error: %v", err) + } if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } rl := len(ra) if len(ra) != 2 { @@ -628,11 +645,11 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) { } rv := ra[0] rv2 := ra[1] - if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"}) + if rv.IP != localhost { + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: localhost}) } if rv2.IP != "1.1.1.1" { - t.Errorf("returned %v but expected %v", rv2, apiv1.LoadBalancerIngress{IP: "1.1.1.1"}) + t.Errorf("returned %v but expected %v", rv2, networking.IngressLoadBalancerIngress{IP: "1.1.1.1"}) } } @@ -640,9 +657,12 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) { fk := buildStatusSync() fk.PublishStatusAddress = "127.0.0.1, 1.1.1.1" - ra, _ := fk.runningAddresses() + ra, err := fk.runningAddresses() + if err != nil { + t.Errorf("unexpected error: %v", err) + } if ra == nil { - t.Fatalf("returned nil but expected valid []apiv1.LoadBalancerIngresst") + t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngresst") } rl := len(ra) if len(ra) != 2 { @@ -650,16 +670,16 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) { } rv := ra[0] rv2 := ra[1] - if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, apiv1.LoadBalancerIngress{IP: "127.0.0.1"}) + if rv.IP != localhost { + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: localhost}) } if rv2.IP != "1.1.1.1" { - t.Errorf("returned %v but expected %v", rv2, apiv1.LoadBalancerIngress{IP: "1.1.1.1"}) + t.Errorf("returned %v but expected %v", rv2, networking.IngressLoadBalancerIngress{IP: "1.1.1.1"}) } } func TestStandardizeLoadBalancerIngresses(t *testing.T) { - fkEndpoints := []apiv1.LoadBalancerIngress{ + fkEndpoints := []networking.IngressLoadBalancerIngress{ {IP: "2001:db8::68"}, {IP: "10.0.0.1"}, {Hostname: "opensource-k8s-ingress"}, @@ -668,7 +688,7 @@ func TestStandardizeLoadBalancerIngresses(t *testing.T) { r := standardizeLoadBalancerIngresses(fkEndpoints) if r == nil { - t.Fatalf("returned nil but expected a valid []apiv1.LoadBalancerIngress") + t.Fatalf("returned nil but expected a valid []networking.IngressLoadBalancerIngress") } rl := len(r) if rl != 3 { @@ -676,21 +696,21 @@ func TestStandardizeLoadBalancerIngresses(t *testing.T) { } re1 := r[0] if re1.Hostname != "opensource-k8s-ingress" { - t.Fatalf("returned %v but expected %v", re1, apiv1.LoadBalancerIngress{Hostname: "opensource-k8s-ingress"}) + t.Fatalf("returned %v but expected %v", re1, networking.IngressLoadBalancerIngress{Hostname: "opensource-k8s-ingress"}) } re2 := r[1] if re2.IP != "10.0.0.1" { - t.Fatalf("returned %v but expected %v", re2, apiv1.LoadBalancerIngress{IP: "10.0.0.1"}) + t.Fatalf("returned %v but expected %v", re2, networking.IngressLoadBalancerIngress{IP: "10.0.0.1"}) } re3 := r[2] if re3.IP != "2001:db8::68" { - t.Fatalf("returned %v but expected %v", re3, apiv1.LoadBalancerIngress{IP: "2001:db8::68"}) + t.Fatalf("returned %v but expected %v", re3, networking.IngressLoadBalancerIngress{IP: "2001:db8::68"}) } } func TestIngressSliceEqual(t *testing.T) { fk1 := buildLoadBalancerIngressByIP() - fk2 := append(buildLoadBalancerIngressByIP(), apiv1.LoadBalancerIngress{ + fk2 := append(buildLoadBalancerIngressByIP(), networking.IngressLoadBalancerIngress{ IP: "10.0.0.5", Hostname: "foo5", }) @@ -700,8 +720,8 @@ func TestIngressSliceEqual(t *testing.T) { fk4[2].IP = "11.0.0.3" fooTests := []struct { - lhs []apiv1.LoadBalancerIngress - rhs []apiv1.LoadBalancerIngress + lhs []networking.IngressLoadBalancerIngress + rhs []networking.IngressLoadBalancerIngress er bool }{ {fk1, fk1, true}, @@ -710,7 +730,7 @@ func TestIngressSliceEqual(t *testing.T) { {fk4, fk1, false}, {fk1, nil, false}, {nil, nil, true}, - {[]apiv1.LoadBalancerIngress{}, []apiv1.LoadBalancerIngress{}, true}, + {[]networking.IngressLoadBalancerIngress{}, []networking.IngressLoadBalancerIngress{}, true}, } for _, fooTest := range fooTests { diff --git a/internal/k8s/main.go b/internal/k8s/main.go index 5332631a7..5e93e560d 100644 --- a/internal/k8s/main.go +++ b/internal/k8s/main.go @@ -33,7 +33,7 @@ import ( ) // ParseNameNS parses a string searching a namespace and name -func ParseNameNS(input string) (string, string, error) { +func ParseNameNS(input string) (ns, name string, err error) { nsName := strings.Split(input, "/") if len(nsName) != 2 { return "", "", fmt.Errorf("invalid format (namespace/name) found in '%v'", input) @@ -78,6 +78,8 @@ func GetNodeIPOrName(kubeClient clientset.Interface, name string, useInternalIP var ( // IngressPodDetails hold information about the ingress-nginx pod IngressPodDetails *PodInfo + // IngressNodeDetails hold information about the node running ingress-nginx pod + IngressNodeDetails *NodeInfo ) // PodInfo contains runtime information about the pod running the Ingres controller @@ -87,6 +89,12 @@ type PodInfo struct { metav1.ObjectMeta } +// NodeInfo contains runtime information about the node pod running the Ingres controller, eg. zone where pod is running +type NodeInfo struct { + metav1.TypeMeta + metav1.ObjectMeta +} + // GetIngressPod load the ingress-nginx pod func GetIngressPod(kubeClient clientset.Interface) error { podName := os.Getenv("POD_NAME") @@ -108,6 +116,18 @@ func GetIngressPod(kubeClient clientset.Interface) error { pod.ObjectMeta.DeepCopyInto(&IngressPodDetails.ObjectMeta) IngressPodDetails.SetLabels(pod.GetLabels()) + IngressNodeDetails = &NodeInfo{ + TypeMeta: metav1.TypeMeta{APIVersion: "v1", Kind: "Node"}, + } + // Try to get node info/labels to determine topology zone where pod is running + node, err := kubeClient.CoreV1().Nodes().Get(context.TODO(), pod.Spec.NodeName, metav1.GetOptions{}) + if err != nil { + klog.Warningf("Unable to get NODE information: %v", err) + } else { + node.ObjectMeta.DeepCopyInto(&IngressNodeDetails.ObjectMeta) + IngressNodeDetails.SetLabels(node.GetLabels()) + } + return nil } @@ -128,7 +148,10 @@ const IngressNGINXController = "k8s.io/ingress-nginx" // NetworkingIngressAvailable checks if the package "k8s.io/api/networking/v1" // is available or not and if Ingress V1 is supported (k8s >= v1.19.0) func NetworkingIngressAvailable(client clientset.Interface) bool { - version119, _ := version.ParseGeneric("v1.19.0") + version119, err := version.ParseGeneric("v1.19.0") + if err != nil { + return false + } serverVersion, err := client.Discovery().ServerVersion() if err != nil { diff --git a/internal/k8s/main_test.go b/internal/k8s/main_test.go index f3f8b652e..1721c1fb2 100644 --- a/internal/k8s/main_test.go +++ b/internal/k8s/main_test.go @@ -17,7 +17,6 @@ limitations under the License. package k8s import ( - "os" "testing" apiv1 "k8s.io/api/core/v1" @@ -203,7 +202,8 @@ func TestGetNodeIP(t *testing.T) { }, }, }}}), - "demo", "10.0.0.2", true}, + "demo", "10.0.0.2", true, + }, } for _, fk := range fKNodes { @@ -216,32 +216,32 @@ func TestGetNodeIP(t *testing.T) { func TestGetIngressPod(t *testing.T) { // POD_NAME & POD_NAMESPACE not exist - os.Setenv("POD_NAME", "") - os.Setenv("POD_NAMESPACE", "") + t.Setenv("POD_NAME", "") + t.Setenv("POD_NAMESPACE", "") err := GetIngressPod(testclient.NewSimpleClientset()) if err == nil { t.Errorf("expected an error but returned nil") } // POD_NAME not exist - os.Setenv("POD_NAME", "") - os.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) + t.Setenv("POD_NAME", "") + t.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) err = GetIngressPod(testclient.NewSimpleClientset()) if err == nil { t.Errorf("expected an error but returned nil") } // POD_NAMESPACE not exist - os.Setenv("POD_NAME", "testpod") - os.Setenv("POD_NAMESPACE", "") + t.Setenv("POD_NAME", "testpod") + t.Setenv("POD_NAMESPACE", "") err = GetIngressPod(testclient.NewSimpleClientset()) if err == nil { t.Errorf("expected an error but returned nil") } // POD not exist - os.Setenv("POD_NAME", "testpod") - os.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) + t.Setenv("POD_NAME", "testpod") + t.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) err = GetIngressPod(testclient.NewSimpleClientset()) if err == nil { t.Errorf("expected an error but returned nil") diff --git a/internal/net/dns/dns.go b/internal/net/dns/dns.go index 7dfbbd177..6b250e8cb 100644 --- a/internal/net/dns/dns.go +++ b/internal/net/dns/dns.go @@ -38,7 +38,7 @@ func GetSystemNameServers() ([]net.IP, error) { lines := strings.Split(string(file), "\n") for l := range lines { trimmed := strings.TrimSpace(lines[l]) - if len(trimmed) == 0 || trimmed[0] == '#' || trimmed[0] == ';' { + if trimmed == "" || trimmed[0] == '#' || trimmed[0] == ';' { continue } fields := strings.Fields(trimmed) diff --git a/internal/net/dns/dns_test.go b/internal/net/dns/dns_test.go index 708e3c6df..7e030e17a 100644 --- a/internal/net/dns/dns_test.go +++ b/internal/net/dns/dns_test.go @@ -40,13 +40,16 @@ func TestGetDNSServers(t *testing.T) { defer f.Close() defer os.Remove(f.Name()) - os.WriteFile(f.Name(), []byte(` + err = os.WriteFile(f.Name(), []byte(` # comment ; comment nameserver 2001:4860:4860::8844 nameserver 2001:4860:4860::8888 nameserver 8.8.8.8 `), file.ReadWriteByUser) + if err != nil { + t.Errorf("unexpected error: %v", err) + } defResolvConf = f.Name() s, err = GetSystemNameServers() diff --git a/internal/net/ipnet_test.go b/internal/net/ipnet_test.go index 95e6b9c32..8e460aae9 100644 --- a/internal/net/ipnet_test.go +++ b/internal/net/ipnet_test.go @@ -36,13 +36,17 @@ func TestNewIPSet(t *testing.T) { } func TestParseCIDRs(t *testing.T) { - cidr, _ := ParseCIDRs("invalid.com") + cidr, err := ParseCIDRs("invalid.com") + if err == nil { + t.Errorf("expected error but got nil") + } + if cidr != nil { t.Errorf("expected %v but got %v", nil, cidr) } expected := []string{"192.0.0.1", "192.0.1.0/24"} - cidr, err := ParseCIDRs("192.0.0.1, 192.0.1.0/24") + cidr, err = ParseCIDRs("192.0.0.1, 192.0.1.0/24") if err != nil { t.Errorf("unexpected error %v", err) } diff --git a/internal/net/net.go b/internal/net/net.go index 712262f3a..b0952d9cc 100644 --- a/internal/net/net.go +++ b/internal/net/net.go @@ -30,11 +30,12 @@ func IsIPV6(ip _net.IP) bool { // IsPortAvailable checks if a TCP port is available or not func IsPortAvailable(p int) bool { ln, err := _net.Listen("tcp", fmt.Sprintf(":%v", p)) - if err != nil { - return false - } - defer ln.Close() - return true + defer func() { + if ln != nil { + ln.Close() + } + }() + return err == nil } // IsIPv6Enabled checks if IPV6 is enabled or not and we have @@ -51,7 +52,10 @@ func IsIPv6Enabled() bool { } for _, addr := range addrs { - ip, _, _ := _net.ParseCIDR(addr.String()) + ip, _, err := _net.ParseCIDR(addr.String()) + if err != nil { + return false + } if IsIPV6(ip) { return true } diff --git a/internal/net/net_test.go b/internal/net/net_test.go index f2f37a838..f7a4f52e1 100644 --- a/internal/net/net_test.go +++ b/internal/net/net_test.go @@ -47,7 +47,7 @@ func TestIsPortAvailable(t *testing.T) { t.Fatal("expected port 0 to be available (random port) but returned false") } - ln, err := net.Listen("tcp", ":0") + ln, err := net.Listen("tcp", ":0") //nolint:gosec // Ignore the gosec error in testing if err != nil { t.Fatalf("unexpected error: %v", err) } diff --git a/internal/net/ssl/ssl.go b/internal/net/ssl/ssl.go index 05ec10bc5..26fd706e1 100644 --- a/internal/net/ssl/ssl.go +++ b/internal/net/ssl/ssl.go @@ -52,17 +52,15 @@ import ( // certificate generated by the ingress controller var FakeSSLCertificateUID = "00000000-0000-0000-0000-000000000000" -var ( - oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17} -) +var oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17} const ( - fakeCertificateName = "default-fake-certificate" + fakeCertificateName = "default-fake-certificate" //#nosec G101 ) // getPemFileName returns absolute file path and file name of pem cert related to given fullSecretName -func getPemFileName(fullSecretName string) (string, string) { - pemName := fmt.Sprintf("%v.pem", fullSecretName) +func getPemFileName(fullSecretName string) (filePath, pemName string) { + pemName = fmt.Sprintf("%v.pem", fullSecretName) return fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, pemName), pemName } @@ -81,7 +79,7 @@ func CreateSSLCert(cert, key []byte, uid string) (*ingress.SSLCert, error) { } } - pemCertBuffer.Write([]byte("\n")) + pemCertBuffer.WriteString("\n") pemCertBuffer.Write(key) pemBlock, _ := pem.Decode(pemCertBuffer.Bytes()) @@ -192,15 +190,15 @@ func StoreSSLCertOnDisk(name string, sslCert *ingress.SSLCert) (string, error) { // ConfigureCACertWithCertAndKey appends ca into existing PEM file consisting of cert and key // and sets relevant fields in sslCert object -func ConfigureCACertWithCertAndKey(name string, ca []byte, sslCert *ingress.SSLCert) error { +func ConfigureCACertWithCertAndKey(_ string, ca []byte, sslCert *ingress.SSLCert) error { var buffer bytes.Buffer - _, err := buffer.Write([]byte(sslCert.PemCertKey)) + _, err := buffer.WriteString(sslCert.PemCertKey) if err != nil { return fmt.Errorf("could not append newline to cert file %v: %v", sslCert.CAFileName, err) } - _, err = buffer.Write([]byte("\n")) + _, err = buffer.WriteString("\n") if err != nil { return fmt.Errorf("could not append newline to cert file %v: %v", sslCert.CAFileName, err) } @@ -210,12 +208,12 @@ func ConfigureCACertWithCertAndKey(name string, ca []byte, sslCert *ingress.SSLC return fmt.Errorf("could not write ca data to cert file %v: %v", sslCert.CAFileName, err) } - return os.WriteFile(sslCert.CAFileName, buffer.Bytes(), 0644) + //nolint:gosec // Not change permission to avoid possible issues + return os.WriteFile(sslCert.CAFileName, buffer.Bytes(), 0o644) } // ConfigureCRL creates a CRL file and append it into the SSLCert func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error { - crlName := fmt.Sprintf("crl-%v.pem", name) crlFileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, crlName) @@ -228,12 +226,13 @@ func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error { return fmt.Errorf("CRL file %v contains invalid data, and must be created only with PEM formatted certificates", name) } - _, err := x509.ParseCRL(pemCRLBlock.Bytes) + _, err := x509.ParseRevocationList(pemCRLBlock.Bytes) if err != nil { - return fmt.Errorf(err.Error()) + return err } - err = os.WriteFile(crlFileName, crl, 0644) + //nolint:gosec // Not change permission to avoid possible issues + err = os.WriteFile(crlFileName, crl, 0o644) if err != nil { return fmt.Errorf("could not write CRL file %v: %v", crlFileName, err) } @@ -242,7 +241,6 @@ func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error { sslCert.CRLSHA = file.SHA1(crlFileName) return nil - } // ConfigureCACert is similar to ConfigureCACertWithCertAndKey but it creates a separate file @@ -251,7 +249,8 @@ func ConfigureCACert(name string, ca []byte, sslCert *ingress.SSLCert) error { caName := fmt.Sprintf("ca-%v.pem", name) fileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, caName) - err := os.WriteFile(fileName, ca, 0644) + //nolint:gosec // Not change permission to avoid possible issues + err := os.WriteFile(fileName, ca, 0o644) if err != nil { return fmt.Errorf("could not write CA file %v: %v", fileName, err) } @@ -293,14 +292,14 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre var seq asn1.RawValue var rest []byte if rest, err = asn1.Unmarshal(value, &seq); err != nil { - return + return dnsNames, emailAddresses, ipAddresses, err } else if len(rest) != 0 { err = errors.New("x509: trailing data after X.509 extension") - return + return dnsNames, emailAddresses, ipAddresses, err } if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 { err = asn1.StructuralError{Msg: "bad SAN sequence"} - return + return dnsNames, emailAddresses, ipAddresses, err } rest = seq.Bytes @@ -308,7 +307,7 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre var v asn1.RawValue rest, err = asn1.Unmarshal(rest, &v) if err != nil { - return + return dnsNames, emailAddresses, ipAddresses, err } switch v.Tag { case 1: @@ -321,12 +320,12 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre ipAddresses = append(ipAddresses, v.Bytes) default: err = errors.New("x509: certificate contained IP address of length " + strconv.Itoa(len(v.Bytes))) - return + return dnsNames, emailAddresses, ipAddresses, err } } } - return + return dnsNames, emailAddresses, ipAddresses, err } // AddOrUpdateDHParam creates a dh parameters file with the specified name @@ -396,7 +395,7 @@ func GetFakeSSLCert() *ingress.SSLCert { return sslCert } -func getFakeHostSSLCert(host string) ([]byte, []byte) { +func getFakeHostSSLCert(host string) (cert, key []byte) { var priv interface{} var err error @@ -412,7 +411,6 @@ func getFakeHostSSLCert(host string) ([]byte, []byte) { serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) - if err != nil { klog.Fatalf("failed to generate fake serial number: %v", err) } @@ -436,9 +434,9 @@ func getFakeHostSSLCert(host string) ([]byte, []byte) { klog.Fatalf("Failed to create fake certificate: %v", err) } - cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) + cert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) - key := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))}) + key = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))}) return cert, key } @@ -508,9 +506,14 @@ func NewTLSListener(certificate, key string) *TLSListener { l.load() - _, _ = file.NewFileWatcher(certificate, l.load) - _, _ = file.NewFileWatcher(key, l.load) - + _, err := file.NewFileWatcher(certificate, l.load) + if err != nil { + klog.Errorf("unexpected error: %v", err) + } + _, err = file.NewFileWatcher(key, l.load) + if err != nil { + klog.Errorf("unexpected error: %v", err) + } return &l } diff --git a/internal/net/ssl/ssl_test.go b/internal/net/ssl/ssl_test.go index e251d01d1..9f8c5eeae 100644 --- a/internal/net/ssl/ssl_test.go +++ b/internal/net/ssl/ssl_test.go @@ -20,7 +20,6 @@ import ( "bytes" "crypto" "crypto/rand" - cryptorand "crypto/rand" "crypto/rsa" "crypto/tls" "crypto/x509" @@ -43,7 +42,7 @@ import ( ) // generateRSACerts generates a self signed certificate using a self generated ca -func generateRSACerts(host string) (*keyPair, *keyPair, error) { +func generateRSACerts(host string) (newCert, newCa *keyPair, err error) { ca, err := newCA("self-sign-ca") if err != nil { return nil, nil, err @@ -58,7 +57,7 @@ func generateRSACerts(host string) (*keyPair, *keyPair, error) { CommonName: host, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, } - cert, err := newSignedCert(config, key, ca.Cert, ca.Key) + cert, err := newSignedCert(&config, key, ca.Cert, ca.Key) if err != nil { return nil, nil, fmt.Errorf("unable to sign the server certificate: %v", err) } @@ -140,11 +139,11 @@ func TestCACert(t *testing.T) { func TestGetFakeSSLCert(t *testing.T) { sslCert := GetFakeSSLCert() - if len(sslCert.PemCertKey) == 0 { + if sslCert.PemCertKey == "" { t.Fatalf("expected PemCertKey to not be empty") } - if len(sslCert.PemFileName) == 0 { + if sslCert.PemFileName == "" { t.Fatalf("expected PemFileName to not be empty") } @@ -196,7 +195,7 @@ func TestConfigureCRL(t *testing.T) { // Demo CRL from https://csrc.nist.gov/projects/pki-testing/sample-certificates-and-crls // Converted to PEM to be tested // SHA: ef21f9c97ec2ef84ba3b2ab007c858a6f760d813 - var crl = []byte(`-----BEGIN X509 CRL----- + crl := []byte(`-----BEGIN X509 CRL----- MIIBYDCBygIBATANBgkqhkiG9w0BAQUFADBDMRMwEQYKCZImiZPyLGQBGRYDY29t MRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTETMBEGA1UEAxMKRXhhbXBsZSBDQRcN MDUwMjA1MTIwMDAwWhcNMDUwMjA2MTIwMDAwWjAiMCACARIXDTA0MTExOTE1NTcw @@ -238,6 +237,7 @@ fUNCdMGmr8FVF6IzTNYGmCuk/C4= t.Fatalf("the expected CRL SHA wasn't found") } } + func TestCreateSSLCert(t *testing.T) { cert, _, err := generateRSACerts("echoheaders") if err != nil { @@ -336,16 +336,16 @@ const ( // newPrivateKey creates an RSA private key func newPrivateKey() (*rsa.PrivateKey, error) { - return rsa.GenerateKey(cryptorand.Reader, rsaKeySize) + return rsa.GenerateKey(rand.Reader, rsaKeySize) } // newSignedCert creates a signed certificate using the given CA certificate and key -func newSignedCert(cfg certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) { +func newSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) { serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64)) if err != nil { return nil, err } - if len(cfg.CommonName) == 0 { + if cfg.CommonName == "" { return nil, errors.New("must specify a CommonName") } if len(cfg.Usages) == 0 { @@ -365,7 +365,7 @@ func newSignedCert(cfg certutil.Config, key crypto.Signer, caCert *x509.Certific KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, ExtKeyUsage: cfg.Usages, } - certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &certTmpl, caCert, key.Public(), caKey) + certDERBytes, err := x509.CreateCertificate(rand.Reader, &certTmpl, caCert, key.Public(), caKey) if err != nil { return nil, err } @@ -390,7 +390,7 @@ func encodeCertPEM(cert *x509.Certificate) []byte { return pem.EncodeToMemory(&block) } -func newFakeCertificate(t *testing.T) ([]byte, string, string) { +func newFakeCertificate(t *testing.T) (sslCert []byte, certFileName, keyFileName string) { cert, key := getFakeHostSSLCert("localhost") certFile, err := os.CreateTemp("", "crt-") @@ -398,7 +398,9 @@ func newFakeCertificate(t *testing.T) ([]byte, string, string) { t.Errorf("failed to write test key: %v", err) } - certFile.Write(cert) + if _, err := certFile.Write(cert); err != nil { + t.Errorf("failed to write cert: %v", err) + } defer certFile.Close() keyFile, err := os.CreateTemp("", "key-") @@ -406,7 +408,9 @@ func newFakeCertificate(t *testing.T) ([]byte, string, string) { t.Errorf("failed to write test key: %v", err) } - keyFile.Write(key) + if _, err := keyFile.Write(key); err != nil { + t.Errorf("failed to write key: %v", err) + } defer keyFile.Close() return cert, certFile.Name(), keyFile.Name() @@ -420,10 +424,9 @@ func dialTestServer(port string, rootCertificates ...[]byte) error { return fmt.Errorf("failed to add root certificate") } } - resp, err := tls.Dial("tcp", "localhost:"+port, &tls.Config{ + resp, err := tls.Dial("tcp", "localhost:"+port, &tls.Config{ //nolint:gosec // Ignore the gosec error in testing RootCAs: roots, }) - if err != nil { return err } @@ -470,15 +473,14 @@ func TestTLSKeyReloader(t *testing.T) { } }) - //TODO: fix - /* - // simulate watch.NewFileWatcher to call the load function - watcher.load() - t.Run("when the certificate is reloaded", func(t *testing.T) { - if err := dialTestServer(port, cert); err != nil { - t.Errorf("TLS dial should succeed, got error: %v", err) - } - }) + /*TODO: fix + // simulate watch.NewFileWatcher to call the load function + watcher.load() + t.Run("when the certificate is reloaded", func(t *testing.T) { + if err := dialTestServer(port, cert); err != nil { + t.Errorf("TLS dial should succeed, got error: %v", err) + } + }) */ }) } diff --git a/internal/nginx/main.go b/internal/nginx/main.go index ae319fe1f..fc586e9e8 100644 --- a/internal/nginx/main.go +++ b/internal/nginx/main.go @@ -62,7 +62,7 @@ var StatusPath = "/nginx_status" var StreamPort = 10247 // NewGetStatusRequest creates a new GET request to the internal NGINX status server -func NewGetStatusRequest(path string) (int, []byte, error) { +func NewGetStatusRequest(path string) (statusCode int, data []byte, err error) { url := fmt.Sprintf("http://127.0.0.1:%v%v", StatusPort, path) client := http.Client{} @@ -72,7 +72,7 @@ func NewGetStatusRequest(path string) (int, []byte, error) { } defer res.Body.Close() - data, err := io.ReadAll(res.Body) + data, err = io.ReadAll(res.Body) if err != nil { return 0, nil, err } @@ -81,7 +81,7 @@ func NewGetStatusRequest(path string) (int, []byte, error) { } // NewPostStatusRequest creates a new POST request to the internal NGINX status server -func NewPostStatusRequest(path, contentType string, data interface{}) (int, []byte, error) { +func NewPostStatusRequest(path, contentType string, data interface{}) (statusCode int, body []byte, err error) { url := fmt.Sprintf("http://127.0.0.1:%v%v", StatusPort, path) buf, err := json.Marshal(data) @@ -96,7 +96,7 @@ func NewPostStatusRequest(path, contentType string, data interface{}) (int, []by } defer res.Body.Close() - body, err := io.ReadAll(res.Body) + body, err = io.ReadAll(res.Body) if err != nil { return 0, nil, err } @@ -105,7 +105,7 @@ func NewPostStatusRequest(path, contentType string, data interface{}) (int, []by } // GetServerBlock takes an nginx.conf file and a host and tries to find the server block for that host -func GetServerBlock(conf string, host string) (string, error) { +func GetServerBlock(conf, host string) (string, error) { startMsg := fmt.Sprintf("## start server %v\n", host) endMsg := fmt.Sprintf("## end server %v", host) @@ -113,7 +113,7 @@ func GetServerBlock(conf string, host string) (string, error) { if blockStart < 0 { return "", fmt.Errorf("host %v was not found in the controller's nginx.conf", host) } - blockStart = blockStart + len(startMsg) + blockStart += len(startMsg) blockEnd := strings.Index(conf, endMsg) if blockEnd < 0 { @@ -163,7 +163,10 @@ func Version() string { // IsRunning returns true if a process with the name 'nginx' is found func IsRunning() bool { - processes, _ := ps.Processes() + processes, err := ps.Processes() + if err != nil { + klog.ErrorS(err, "unexpected error obtaining process list") + } for _, p := range processes { if p.Executable() == "nginx" { return true diff --git a/internal/nginx/maxmind.go b/internal/nginx/maxmind.go index df9fd2231..1dc2f4d4e 100644 --- a/internal/nginx/maxmind.go +++ b/internal/nginx/maxmind.go @@ -56,7 +56,7 @@ var MaxmindRetriesTimeout = time.Second * 0 const minimumRetriesCount = 1 const ( - geoIPPath = "/etc/nginx/geoip" + geoIPPath = "/etc/ingress-controller/geoip" dbExtension = ".mmdb" maxmindURL = "https://download.maxmind.com/app/geoip_download?license_key=%v&edition_id=%v&suffix=tar.gz" @@ -101,7 +101,7 @@ func DownloadGeoLite2DB(attempts int, period time.Duration) error { var lastErr error retries := 0 - _ = wait.ExponentialBackoff(defaultRetry, func() (bool, error) { + lastErr = wait.ExponentialBackoff(defaultRetry, func() (bool, error) { var dlError error for _, dbName := range strings.Split(MaxmindEditionIDs, ",") { dlError = downloadDatabase(dbName) @@ -139,8 +139,8 @@ func createURL(mirror, licenseKey, dbName string) string { } func downloadDatabase(dbName string) error { - url := createURL(MaxmindMirror, MaxmindLicenseKey, dbName) - req, err := http.NewRequest(http.MethodGet, url, nil) + newURL := createURL(MaxmindMirror, MaxmindLicenseKey, dbName) + req, err := http.NewRequest(http.MethodGet, newURL, http.NoBody) if err != nil { return err } @@ -165,7 +165,7 @@ func downloadDatabase(dbName string) error { mmdbFile := dbName + dbExtension tarReader := tar.NewReader(archive) - for true { + for { header, err := tarReader.Next() if err == io.EOF { break @@ -175,24 +175,23 @@ func downloadDatabase(dbName string) error { return err } - switch header.Typeflag { - case tar.TypeReg: + if header.Typeflag == tar.TypeReg { if !strings.HasSuffix(header.Name, mmdbFile) { continue } + return func() error { + outFile, err := os.Create(path.Join(geoIPPath, mmdbFile)) + if err != nil { + return err + } - outFile, err := os.Create(path.Join(geoIPPath, mmdbFile)) - if err != nil { - return err - } + defer outFile.Close() - defer outFile.Close() - - if _, err := io.CopyN(outFile, tarReader, header.Size); err != nil { - return err - } - - return nil + if _, err := io.CopyN(outFile, tarReader, header.Size); err != nil { + return err + } + return nil + }() } } diff --git a/internal/task/queue.go b/internal/task/queue.go index ff6b20f62..f92f2a501 100644 --- a/internal/task/queue.go +++ b/internal/task/queue.go @@ -28,9 +28,7 @@ import ( "k8s.io/client-go/util/workqueue" ) -var ( - keyFunc = cache.DeletionHandlingMetaNamespaceKeyFunc -) +var keyFunc = cache.DeletionHandlingMetaNamespaceKeyFunc // Queue manages a time work queue through an independent worker that invokes the // given sync function for every work item inserted. @@ -117,7 +115,10 @@ func (t *Queue) worker() { } ts := time.Now().UnixNano() - item := key.(Element) + item, ok := key.(Element) + if !ok { + klog.ErrorS(nil, "invalid item type", "key", key) + } if item.Timestamp != 0 && t.lastSync > item.Timestamp { klog.V(3).InfoS("skipping sync", "key", item.Key, "last", t.lastSync, "now", item.Timestamp) t.queue.Forget(key) @@ -168,7 +169,7 @@ func NewTaskQueue(syncFn func(interface{}) error) *Queue { return NewCustomTaskQueue(syncFn, nil) } -// NewCustomTaskQueue ... +// NewCustomTaskQueue creates a new custom task queue with the given sync function. func NewCustomTaskQueue(syncFn func(interface{}) error, fn func(interface{}) (interface{}, error)) *Queue { q := &Queue{ queue: workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()), diff --git a/magefiles/exec.go b/magefiles/exec.go new file mode 100644 index 000000000..0acd557c6 --- /dev/null +++ b/magefiles/exec.go @@ -0,0 +1,27 @@ +//go:build ignore + +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + "os" + + "github.com/magefile/mage/mage" +) + +func main() { os.Exit(mage.Main()) } diff --git a/magefiles/go.mod b/magefiles/go.mod new file mode 100644 index 000000000..25610b647 --- /dev/null +++ b/magefiles/go.mod @@ -0,0 +1,38 @@ +module k8s.io/ingress-nginx/magefiles + +go 1.21 + +require ( + github.com/blang/semver/v4 v4.0.0 + github.com/google/go-github/v48 v48.2.0 + github.com/helm/helm v2.17.0+incompatible + github.com/magefile/mage v1.15.0 + github.com/vmware-labs/yaml-jsonpath v0.3.2 + golang.org/x/oauth2 v0.12.0 + gopkg.in/yaml.v3 v3.0.1 +) + +require ( + github.com/BurntSushi/toml v1.3.2 // indirect + github.com/Masterminds/semver v1.5.0 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect + github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 // indirect + github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/ghodss/yaml v1.0.0 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/golang/protobuf v1.5.3 // indirect + github.com/google/go-querystring v1.1.0 // indirect + github.com/kr/pretty v0.3.1 // indirect + github.com/onsi/ginkgo v1.16.5 // indirect + github.com/onsi/gomega v1.27.10 // indirect + github.com/rogpeppe/go-internal v1.11.0 // indirect + github.com/stretchr/testify v1.8.4 // indirect + golang.org/x/crypto v0.17.0 // indirect + golang.org/x/net v0.17.0 // indirect + google.golang.org/appengine v1.6.7 // indirect + google.golang.org/protobuf v1.31.0 // indirect + gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + k8s.io/apimachinery v0.27.6 // indirect + k8s.io/helm v2.17.0+incompatible // indirect +) diff --git a/magefiles/go.sum b/magefiles/go.sum new file mode 100644 index 000000000..f9b01b2ef --- /dev/null +++ b/magefiles/go.sum @@ -0,0 +1,162 @@ +github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= +github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= +github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 h1:aRd8M7HJVZOqn/vhOzrGcQH0lNAMkqMn+pXUYkatmcA= +github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960/go.mod h1:9HQzr9D/0PGwMEbC3d5AB7oi67+h4TsQqItC1GVYG58= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-github/v48 v48.2.0 h1:68puzySE6WqUY9KWmpOsDEQfDZsso98rT6pZcz9HqcE= +github.com/google/go-github/v48 v48.2.0/go.mod h1:dDlehKBDo850ZPvCTK0sEqTCVWcrGl2LcDiajkYi89Y= +github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= +github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU= +github.com/helm/helm v2.17.0+incompatible h1:0iy95yMXrfWpwaoOA9XRP+cTvitTrq+LcJV9DvR5n1Y= +github.com/helm/helm v2.17.0+incompatible/go.mod h1:ahXhuvluW4YnSL6W6hDVetZsVK8Pv4BP8OwKli7aMqo= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg= +github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= +github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= +github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/vmware-labs/yaml-jsonpath v0.3.2 h1:/5QKeCBGdsInyDCyVNLbXyilb61MXGi9NP674f9Hobk= +github.com/vmware-labs/yaml-jsonpath v0.3.2/go.mod h1:U6whw1z03QyqgWdgXxvVnQ90zN1BWz5V+51Ewf8k+rQ= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= +golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= +golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= +golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= +google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20191026110619-0b21df46bc1d/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +k8s.io/apimachinery v0.27.6 h1:mGU8jmBq5o8mWBov+mLjdTBcU+etTE19waies4AQ6NE= +k8s.io/apimachinery v0.27.6/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= +k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao= +k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= diff --git a/magefiles/mage.go b/magefiles/mage.go new file mode 100644 index 000000000..1dfaa4dbd --- /dev/null +++ b/magefiles/mage.go @@ -0,0 +1,24 @@ +//go:build mage + +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package main + +import ( + //mage:import + _ "k8s.io/ingress-nginx/magefiles/steps" +) diff --git a/magefiles/steps/helm.go b/magefiles/steps/helm.go new file mode 100644 index 000000000..b53283f78 --- /dev/null +++ b/magefiles/steps/helm.go @@ -0,0 +1,188 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package steps + +import ( + "bytes" + "fmt" + "os" + "strings" + + semver "github.com/blang/semver/v4" + "github.com/helm/helm/pkg/chartutil" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + yamlpath "github.com/vmware-labs/yaml-jsonpath/pkg/yamlpath" + "gopkg.in/yaml.v3" + + utils "k8s.io/ingress-nginx/magefiles/utils" +) + +const ( + HelmChartPath = "charts/ingress-nginx/Chart.yaml" + HelmChartValues = "charts/ingress-nginx/values.yaml" +) + +type Helm mg.Namespace + +// UpdateVersion Update Helm Version of the Chart +func (Helm) UpdateVersion(version string) { + updateVersion(version) +} + +func currentChartVersion() string { + chart, err := chartutil.LoadChartfile(HelmChartPath) + utils.CheckIfError(err, "HELM Could not Load Chart") + return chart.Version +} + +func updateVersion(version string) { + utils.Info("HELM Reading File %v", HelmChartPath) + + chart, err := chartutil.LoadChartfile(HelmChartPath) + utils.CheckIfError(err, "HELM Could not Load Chart") + + // Get the current tag + // appVersionV, err := getIngressNGINXVersion() + // utils.CheckIfError(err, "HELM Issue Retrieving the Current Ingress Nginx Version") + + // remove the v from TAG + appVersion := version + + utils.Info("HELM Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) + if appVersion == chart.AppVersion { + utils.Warning("HELM Ingress NGINX Version didnt change Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) + return + } + + controllerSemVer, err := semver.Parse(version) + utils.CheckIfError(err, "error parsing semver of new app") + isPreRelease := len(controllerSemVer.Pre) > 0 + oldControllerSemVer, err := semver.Parse(chart.AppVersion) + utils.CheckIfError(err, "error parsing semver of old chart") + isBreakingChange := controllerSemVer.Major > oldControllerSemVer.Major || controllerSemVer.Minor > oldControllerSemVer.Minor + + // Update the helm chart + chart.AppVersion = appVersion + cTag, err := semver.Make(chart.Version) + utils.CheckIfError(err, "HELM Creating Chart Version: %v", err) + + incrFunc := cTag.IncrementPatch + if isBreakingChange { + cTag.Patch = 0 + incrFunc = cTag.IncrementMinor + + } + + if isPreRelease { + chart.Annotations["artifacthub.io/prerelease"] = "true" + cTag.Pre = controllerSemVer.Pre + } + + if err = incrFunc(); err != nil { + utils.ErrorF("HELM Incrementing Chart Version: %v", err) + os.Exit(1) + } + chart.Version = cTag.String() + utils.Debug("HELM Updated Chart Version: %v", chart.Version) + + err = chartutil.SaveChartfile(HelmChartPath, chart) + utils.CheckIfError(err, "HELM Saving new Chart") +} + +func updateChartReleaseNotes(releasesNotes []string) { + utils.Info("HELM Updating the Chart Release notes") + chart, err := chartutil.LoadChartfile(HelmChartPath) + utils.CheckIfError(err, "HELM Could not Load Chart to update release notes %s", HelmChartPath) + for i := range releasesNotes { + releasesNotes[i] = fmt.Sprintf("- %q", releasesNotes[i]) + } + releaseNoteString := strings.Join(releasesNotes, "\n") + utils.Info("HELM Release note string %s", releaseNoteString) + chart.Annotations["artifacthub.io/changes"] = releaseNoteString + err = chartutil.SaveChartfile(HelmChartPath, chart) + utils.CheckIfError(err, "HELM Saving updated release notes for Chart") +} + +// UpdateChartValue Updates the Helm ChartValue +func (Helm) UpdateChartValue(key, value string) { + updateChartValue(key, value) +} + +func updateChartValue(key, value string) { + utils.Info("HELM Updating Chart %s %s:%s", HelmChartValues, key, value) + + // read current values.yaml + data, err := os.ReadFile(HelmChartValues) + utils.CheckIfError(err, "HELM Could not Load Helm Chart Values files %s", HelmChartValues) + + // var valuesStruct IngressChartValue + var n yaml.Node + utils.CheckIfError(yaml.Unmarshal(data, &n), "HELM Could not Unmarshal %s", HelmChartValues) + + // update value + // keyParse := parsePath(key) + p, err := yamlpath.NewPath(key) + utils.CheckIfError(err, "HELM cannot create path") + + q, err := p.Find(&n) + utils.CheckIfError(err, "HELM unexpected error finding path") + + for _, i := range q { + utils.Info("HELM Found %s at %s", i.Value, key) + i.Value = value + utils.Info("HELM Updated %s at %s", i.Value, key) + } + + //// write to file + var b bytes.Buffer + yamlEncoder := yaml.NewEncoder(&b) + yamlEncoder.SetIndent(2) + err = yamlEncoder.Encode(&n) + utils.CheckIfError(err, "HELM Could not Marshal new Values file") + err = os.WriteFile(HelmChartValues, b.Bytes(), 0o644) + utils.CheckIfError(err, "HELM Could not write new Values file to %s", HelmChartValues) + + utils.Info("HELM Ingress Nginx Helm Chart update %s %s", key, value) +} + +func (Helm) Helmdocs() error { + return runHelmDocs() +} + +func runHelmDocs() error { + err := installHelmDocs() + if err != nil { + return err + } + err = sh.RunV("helm-docs", "--chart-search-root=${PWD}/charts") + if err != nil { + return err + } + return nil +} + +func installHelmDocs() error { + utils.Info("HELM Install HelmDocs") + g0 := sh.RunCmd("go") + + err := g0("install", "github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0") + if err != nil { + return err + } + return nil +} diff --git a/magefiles/steps/release.go b/magefiles/steps/release.go new file mode 100644 index 000000000..1ed09850f --- /dev/null +++ b/magefiles/steps/release.go @@ -0,0 +1,396 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package steps + +import ( + "context" + "errors" + "fmt" + "os" + "regexp" + "strings" + + "github.com/google/go-github/v48/github" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + "golang.org/x/oauth2" + "gopkg.in/yaml.v3" + + utils "k8s.io/ingress-nginx/magefiles/utils" +) + +type Release mg.Namespace + +var ( + INGRESS_ORG = "kubernetes" // the owner so we can test from forks + INGRESS_REPO = "ingress-nginx" // the repo to pull from + RELEASE_BRANCH = "main" // we only release from main + GITHUB_TOKEN string // the Google/gogithub lib needs an PAT to access the GitHub API + K8S_IO_ORG = "kubernetes" // the owner or organization for the k8s.io repo + K8S_IO_REPO = "k8s.io" // the repo that holds the images yaml for production promotion + INGRESS_REGISTRY = "registry.k8s.io" // Container registry for storage Ingress-nginx images + KUSTOMIZE_INSTALL_VERSION = "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4" // static deploys needs kustomize to generate the template +) + +// ingress-nginx releases start with a TAG then a cloudbuild, then a promotion through a PR, this the location of that PR +var ( + IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml" + ctx = context.Background() // Context used for GitHub Client +) + +const ( + INDEX_DOCS = "docs/deploy/index.md" // index.md has a version of the controller and needs to updated + CHANGELOG = "Changelog.md" // Name of the changelog +) + +// init will set the GitHub token from the committers/releasers env var +func init() { + GITHUB_TOKEN = os.Getenv("GITHUB_TOKEN") +} + +// Release Create a new release of ingress nginx controller +func (Release) NewRelease(version string) { + newRelease(version, "") +} + +func (Release) NewReleaseFromOld(version, oldversion string) { + newRelease(version, oldversion) +} + +func (Release) E2EDocs() { + e2edocs, err := utils.GenerateE2EDocs() + utils.CheckIfError(err, "error on template") + err = os.WriteFile("docs/e2e-tests.md", []byte(e2edocs), 644) + utils.CheckIfError(err, "Could not write new e2e test file ") +} + +func newRelease(version, oldversion string) { + // newRelease := Release{} + + // update ingress-nginx version + // This is the step that kicks all the release process + // it is already done, so it kicks off the gcloud build of the controller images + // mg.Deps(mg.F(Tag.BumpNginx, version)) + + tag, err := getIngressNGINXVersion() + utils.CheckIfError(err, "RELEASE Retrieving the current Ingress Nginx Version") + + utils.Info("RELEASE Checking Current Version %s to New Version %s", tag, version) + // if the version were upgrading does not match the TAG file, lets update the TAG file + if tag[1:] != version { + utils.Warning("RELEASE Ingress Nginx TAG %s and new version %s do not match", tag, version) + mg.Deps(mg.F(Tag.BumpNginx, fmt.Sprintf("v%s", version))) + } + + // update git controller tag controller-v$version + mg.Deps(mg.F(Tag.NewControllerTag, version)) + + // make release notes + releaseNotes, err := makeReleaseNotes(version, oldversion) + utils.CheckIfError(err, "RELEASE Creating Release Notes for version %s", version) + utils.Info("RELEASE Release Notes %s completed", releaseNotes.Version) + + // update chart values.yaml new controller tag and image digest + releaseNotes.PreviousHelmChartVersion = currentChartVersion() + + // controller tag + updateChartValue("controller.image.tag", fmt.Sprintf("v%s", releaseNotes.Version)) + utils.Debug("releaseNotes.ControllerImages[0].Name %s", releaseNotes.ControllerImages[0].Name) + utils.Debug("releaseNotes.ControllerImages[1].Name %s", releaseNotes.ControllerImages[1].Name) + // controller digest + if releaseNotes.ControllerImages[0].Name == "ingress-nginx/controller" { + utils.Debug("Updating Chart Value %s with %s", "controller.image.digest", releaseNotes.ControllerImages[0].Digest) + updateChartValue("controller.image.digest", releaseNotes.ControllerImages[0].Digest) + } + // controller chroot digest + if releaseNotes.ControllerImages[1].Name == "ingress-nginx/controller-chroot" { + utils.Debug("Updating Chart Value %s with %s", "controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) + updateChartValue("controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) + } + + // update helm chart app version + mg.Deps(mg.F(Helm.UpdateVersion, version)) + + releaseNotes.NewHelmChartVersion = currentChartVersion() + + // update helm chart release notes + updateChartReleaseNotes(releaseNotes.HelmUpdates) + + // Run helm docs update + utils.CheckIfError(runHelmDocs(), "Error Updating Helm Docs ") + + releaseNotes.HelmTemplate() + + // update static manifest + utils.CheckIfError(updateStaticManifest(), "Error Updating Static manifests") + + ////update e2e docs + mg.Deps(mg.F(Release.E2EDocs)) + + // update documentation with ingress-nginx version + utils.CheckIfError(updateIndexMD(releaseNotes.PreviousControllerVersion, releaseNotes.NewControllerVersion), "Error Updating %s", INDEX_DOCS) + + // keeping these manual for now + // git commit TODO + // make Pull Request TODO + // make release TODO + // mg.Deps(mg.F(Release.CreateRelease, version)) +} + +// the index.md doc needs the controller version updated +func updateIndexMD(old, new string) error { + utils.Info("Updating Deploy docs with new version") + data, err := os.ReadFile(INDEX_DOCS) + utils.CheckIfError(err, "Could not read INDEX_DOCS file %s", INDEX_DOCS) + datString := string(data) + datString = strings.Replace(datString, old, new, -1) + err = os.WriteFile(INDEX_DOCS, []byte(datString), 644) + if err != nil { + utils.ErrorF("Could not write new %s %s", INDEX_DOCS, err) + return err + } + return nil +} + +// The static deploy scripts use kustomize to generate them, this function ensures kustomize is installed +func installKustomize() error { + utils.Info("Install Kustomize") + g0 := sh.RunCmd("go") + // somewhere in your main code + err := g0("install", KUSTOMIZE_INSTALL_VERSION) + if err != nil { + return err + } + return nil +} + +func updateStaticManifest() error { + utils.CheckIfError(installKustomize(), "error installing kustomize") + // hack/generate-deploy-scripts.sh + err := sh.RunV("./hack/generate-deploy-scripts.sh") + if err != nil { + return err + } + return nil +} + +//// CreateRelease Creates a new GitHub Release +//func (Release) CreateRelease(name string) { +// releaser, err := gh_release.NewReleaser(INGRESS_ORG, INGRESS_REPO, GITHUB_TOKEN) +// utils.CheckIfError(err, "GitHub Release Client error") +// newRelease, err := releaser.Create(fmt.Sprintf("controller-%s", name)) +// utils.CheckIfError(err, "Create release error") +// utils.Info("New Release: Tag %v, ID: %v", newRelease.TagName, newRelease.ID) +//} + +// Returns a GitHub client ready for use +func githubClient() *github.Client { + ts := oauth2.StaticTokenSource( + &oauth2.Token{AccessToken: GITHUB_TOKEN}, + ) + oauthClient := oauth2.NewClient(ctx, ts) + return github.NewClient(oauthClient) +} + +// LatestCommitLogs Retrieves the commit log between the latest two controller versions. +func (Release) LatestCommitLogs() { + commitLog := commitsBetweenTags("", "") + for i, s := range commitLog { + utils.Info("#%v Version %v", i, s) + } +} + +func commitsBetweenTags(newversion, oldversion string) []string { + + var newTag, oldTag string + tags := getAllControllerTags() + newTag, oldTag = tags[0], tags[1] + if newversion != "" { + newTag = newversion + } + if oldversion != "" { + oldTag = oldversion + } + + utils.Info("Getting Commits between %v and %v", newTag, oldTag) + commitLog, err := git("log", "--full-history", "--pretty", "--oneline", fmt.Sprintf("%v..%v", oldTag, newTag)) + + if commitLog == "" { + utils.Warning("All Controller Tags is empty") + } + utils.CheckIfError(err, "Retrieving Commit log") + return strings.Split(commitLog, "\n") +} + +// Generate Release Notes +func (Release) ReleaseNotes(newVersion string) error { + notes, err := makeReleaseNotes(newVersion, "") + utils.CheckIfError(err, "Creating Release Notes for version %s", newVersion) + utils.Info("Release Notes %s completed", notes.Version) + return nil +} + +func makeReleaseNotes(newVersion, oldVersion string) (*utils.ReleaseNote, error) { + newReleaseNotes := utils.ReleaseNote{} + + newReleaseNotes.Version = newVersion + allControllerTags := getAllControllerTags() + + // new version + newReleaseNotes.NewControllerVersion = allControllerTags[0] + newControllerVersion := fmt.Sprintf("controller-v%s", newVersion) + + // the newControllerVersion should match the latest tag + if newControllerVersion != allControllerTags[0] { + return nil, errors.New(fmt.Sprintf("Generating release new version %s didnt match the current latest tag %s", newControllerVersion, allControllerTags[0])) + } + // previous version + newReleaseNotes.PreviousControllerVersion = allControllerTags[1] + if oldVersion != "" { + newReleaseNotes.PreviousControllerVersion = oldVersion + } + + utils.Info("New Version: %s Old Version: %s", newReleaseNotes.NewControllerVersion, newReleaseNotes.PreviousControllerVersion) + + commits := commitsBetweenTags(newReleaseNotes.NewControllerVersion, newReleaseNotes.PreviousControllerVersion) + + // dependency_updates + // all_updates + var allUpdates []string + var depUpdates []string + var helmUpdates []string + prRegex := regexp.MustCompile("\\(#\\d+\\)") + depBot := regexp.MustCompile("^(\\w){1,10} Bump ") + helmRegex := regexp.MustCompile("helm|chart") + for i, s := range commits { + // matches on PR + if prRegex.Match([]byte(s)) { + // matches a dependant bot update + if depBot.Match([]byte(s)) { // + utils.Debug("#%v DEPENDABOT %v", i, s) + u := strings.SplitN(s, " ", 2) + depUpdates = append(depUpdates, u[1]) + } else { // add it to the all updates slice + utils.Debug("#%v ALL UPDATES %v", i, s) + u := strings.SplitN(s, " ", 2) + allUpdates = append(allUpdates, u[1]) + + // helm chart updates + if helmRegex.Match([]byte(s)) { + u := strings.SplitN(s, " ", 2) + helmUpdates = append(helmUpdates, u[1]) + } + } + } + } + helmUpdates = append(helmUpdates, fmt.Sprintf("Update Ingress-Nginx version %s", newReleaseNotes.NewControllerVersion)) + + newReleaseNotes.Updates = allUpdates + newReleaseNotes.DepUpdates = depUpdates + newReleaseNotes.HelmUpdates = helmUpdates + + // controller_image_digests + imagesYaml, err := utils.DownloadFile(IMAGES_YAML) + if err != nil { + utils.ErrorF("Could not download file %s : %s", IMAGES_YAML, err) + return nil, err + } + utils.Debug("%s", imagesYaml) + + data := utils.ImageYamls{} + + err = yaml.Unmarshal([]byte(imagesYaml), &data) + if err != nil { + utils.ErrorF("Could not unmarshal images yaml %s", err) + return nil, err + } + + // controller + controllerDigest := utils.FindImageDigest(data, "controller", newVersion) + if len(controllerDigest) == 0 { + utils.ErrorF("Controller Digest could not be found") + return nil, errors.New("Controller digest could not be found") + } + + controllerChrootDigest := utils.FindImageDigest(data, "controller-chroot", newVersion) + if len(controllerChrootDigest) == 0 { + utils.ErrorF("Controller Chroot Digest could not be found") + return nil, errors.New("Controller Chroot digest could not be found") + } + + utils.Debug("Latest Controller Digest %v", controllerDigest) + utils.Debug("Latest Controller Chroot Digest %v", controllerChrootDigest) + c1 := utils.ControllerImage{ + Digest: controllerDigest, + Registry: INGRESS_REGISTRY, + Name: "ingress-nginx/controller", + Tag: fmt.Sprintf("v%s", newReleaseNotes.Version), + } + + c2 := utils.ControllerImage{ + Digest: controllerChrootDigest, + Registry: INGRESS_REGISTRY, + Name: "ingress-nginx/controller-chroot", + Tag: fmt.Sprintf("v%s", newReleaseNotes.Version), + } + + newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c1) + newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c2) + utils.Debug("New Release Controller Images %s %s", newReleaseNotes.ControllerImages[0].Digest, newReleaseNotes.ControllerImages[1].Digest) + + if utils.DEBUG { + newReleaseNotes.PrintRelease() + } + + // write it all out to the changelog file + newReleaseNotes.Template() + + return &newReleaseNotes, nil +} + +// Latest returns latest Github Release +func (Release) Latest() error { + r, _, err := latestRelease() + if err != nil { + utils.ErrorF("Latest Release error %s", err) + return err + } + utils.Info("Latest Release %v", r.String()) + return nil +} + +func (Release) ReleaseByTag(tag string) error { + r, _, err := releaseByTag(tag) + if err != nil { + utils.ErrorF("Release retrieve tag %s error %s", tag, err) + return err + } + + utils.Info("Latest Release %v", r.String()) + + return nil +} + +func releaseByTag(tag string) (*github.RepositoryRelease, *github.Response, error) { + ghClient := githubClient() + return ghClient.Repositories.GetReleaseByTag(ctx, INGRESS_ORG, INGRESS_REPO, tag) +} + +func latestRelease() (*github.RepositoryRelease, *github.Response, error) { + ghClient := githubClient() + return ghClient.Repositories.GetLatestRelease(ctx, INGRESS_ORG, INGRESS_REPO) +} diff --git a/magefiles/steps/tags.go b/magefiles/steps/tags.go new file mode 100644 index 000000000..e3c811f8c --- /dev/null +++ b/magefiles/steps/tags.go @@ -0,0 +1,147 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package steps + +import ( + "fmt" + "os" + "strings" + + semver "github.com/blang/semver/v4" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + + utils "k8s.io/ingress-nginx/magefiles/utils" +) + +type Tag mg.Namespace + +var git = sh.OutCmd("git") + +// Nginx returns the ingress-nginx current version +func (Tag) Nginx() { + tag, err := getIngressNGINXVersion() + utils.CheckIfError(err, "") + fmt.Printf("%v", tag) +} + +func getIngressNGINXVersion() (string, error) { + dat, err := os.ReadFile("TAG") + utils.CheckIfError(err, "Could not read TAG file") + datString := string(dat) + // remove newline + datString = strings.Replace(datString, "\n", "", -1) + return datString, nil +} + +func checkSemVer(currentVersion, newVersion string) bool { + utils.Info("Checking Sem Ver between current %s and new %s", currentVersion, newVersion) + cVersion, err := semver.Make(currentVersion[1:]) + if err != nil { + utils.ErrorF("TAG Error Current Tag %v Making Semver : %v", currentVersion[1:], err) + return false + } + nVersion, err := semver.Make(newVersion) + if err != nil { + utils.ErrorF("TAG %v Error Making Semver %v \n", newVersion, err) + return false + } + + err = nVersion.Validate() + if err != nil { + utils.ErrorF("TAG %v not a valid Semver %v \n", newVersion, err) + return false + } + + //The result will be + //0 if newVersion == currentVersion + //-1 if newVersion < currentVersion + //+1 if newVersion > currentVersion. + utils.Info("TAG Comparing Old %s to New %s", cVersion.String(), nVersion.String()) + comp := nVersion.Compare(cVersion) + if comp <= 0 { + utils.Warning("SemVer:%v is not an update\n", newVersion) + return false + } + return true +} + +// BumpNginx will update the nginx TAG +func (Tag) BumpNginx(newTag string) { + utils.Info("TAG BumpNginx version %v", newTag) + currentTag, err := getIngressNGINXVersion() + utils.CheckIfError(err, "Getting Ingress-nginx Version") + bump(currentTag, newTag) +} + +func bump(currentTag, newTag string) { + // check if semver is valid + if !checkSemVer(currentTag, newTag) { + utils.ErrorF("ERROR: Semver is not valid %v", newTag) + os.Exit(1) + } + + utils.Info("Updating Tag %v to %v", currentTag, newTag) + err := os.WriteFile("TAG", []byte(newTag), 0o666) + utils.CheckIfError(err, "Error Writing New Tag File") +} + +// Git Returns the latest git tag +func (Tag) Git() { + tag, err := getGitTag() + utils.CheckIfError(err, "Retrieving Git Tag") + utils.Info("Git tag: %v", tag) +} + +func getGitTag() (string, error) { + return git("describe", "--tags", "--match", "controller-v*", "--abbrev=0") +} + +// ControllerTag Creates a new Git Tag for the ingress controller +func (Tag) NewControllerTag(version string) { + utils.Info("Create Ingress Nginx Controller Tag v%s", version) + tag, err := controllerTag(version) + utils.CheckIfError(err, "Creating git tag") + utils.Debug("Git Tag: %s", tag) +} + +func controllerTag(version string) (string, error) { + return git("tag", "-a", "-m", fmt.Sprintf("-m \"Automated Controller release %v\"", version), fmt.Sprintf("controller-v%s", version)) +} + +func (Tag) AllControllerTags() { + tags := getAllControllerTags() + for i, s := range tags { + utils.Info("#%v Version %v", i, s) + } +} + +func getAllControllerTags() []string { + allControllerTags, err := git("tag", "-l", "--sort=-v:refname", "controller-v*") + utils.CheckIfError(err, "Retrieving git tags") + if !sh.CmdRan(err) { + utils.Warning("Issue Running Command") + } + if allControllerTags == "" { + utils.Warning("All Controller Tags is empty") + } + utils.Debug("Controller Tags: %v", allControllerTags) + + temp := strings.Split(allControllerTags, "\n") + utils.Debug("There are %v controller tags", len(temp)) + return temp +} diff --git a/magefiles/utils/common.go b/magefiles/utils/common.go new file mode 100644 index 000000000..19cad7bba --- /dev/null +++ b/magefiles/utils/common.go @@ -0,0 +1,113 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package utils + +import ( + "errors" + "fmt" + "io" + "net" + "net/http" + "os" + "strings" + "time" +) + +var DEBUG bool + +func init() { + DEBUG = false + debugENV := os.Getenv("MAGE_DEBUG") + if debugENV == "true" { + DEBUG = true + } +} + +// CheckArgs should be used to ensure the right command line arguments are +// passed before executing an example. +func CheckArgs(arg ...string) { + if len(os.Args) < len(arg)+1 { + ErrorF("Usage: %s %s", os.Args[0], strings.Join(arg, " ")) + os.Exit(1) + } +} + +// CheckIfError should be used to naively panics if an error is not nil. +func CheckIfError(err error, format string, args ...interface{}) { + if err == nil { + return + } + + fmt.Printf("\x1b[31;1m%s ERROR %s %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...), err) + os.Exit(1) +} + +// Info should be used to describe the example commands that are about to run. +func Info(format string, args ...interface{}) { + fmt.Printf("\x1b[34;1m%s INFO: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) +} + +func timeStamp() string { + t := time.Now() + return t.Format(time.RFC3339) +} + +// Warning should be used to display a warning +func Warning(format string, args ...interface{}) { + fmt.Printf("\x1b[36;1m%s WARNING: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) +} + +// Info should be used to describe the example commands that are about to run. +func Debug(format string, args ...interface{}) { + if DEBUG { + fmt.Printf("\x1b[34;1m%s DEBUG: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) + } +} + +// Info should be used to describe the example commands that are about to run. +func ErrorF(format string, args ...interface{}) { + fmt.Printf("\x1b[31;1m%s ERROR: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) +} + +func DownloadFile(url string) (string, error) { + client := &http.Client{ + Transport: &http.Transport{ + DialContext: (&net.Dialer{ + Timeout: 5 * time.Second, + KeepAlive: 5 * time.Second, + }).DialContext, + TLSHandshakeTimeout: 5 * time.Second, + ResponseHeaderTimeout: 5 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + MaxIdleConnsPerHost: -1, + }, + } + resp, err := client.Get(url) + if err != nil { + return "", nil + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return "", errors.New(fmt.Sprintf("could not retrieve file, response from server %d for file %s", resp.StatusCode, url)) + } + bodyBytes, err := io.ReadAll(resp.Body) + if err != nil { + return "", nil + } + return string(bodyBytes), nil +} diff --git a/magefiles/utils/controller.go b/magefiles/utils/controller.go new file mode 100644 index 000000000..c8e250a36 --- /dev/null +++ b/magefiles/utils/controller.go @@ -0,0 +1,68 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package utils + +import ( + "fmt" + + "github.com/google/go-github/v48/github" +) + +// ControllerImage - struct with info about controllers +type ControllerImage struct { + Tag string + Digest string + Registry string + Name string +} + +// IngressRelease All the information about an ingress-nginx release that gets updated +type IngressRelease struct { + ControllerVersion string + ControllerImage ControllerImage + ReleaseNote ReleaseNote + Release *github.RepositoryRelease +} + +// IMAGES_YAML returns this data structure +type ImageYamls []ImageElement + +// ImageElement - a specific image and it's data structure the dmap is a list of shas and container versions +type ImageElement struct { + Name string `json:"name"` + Dmap map[string][]string `json:"dmap"` +} + +func (i ControllerImage) print() string { + return fmt.Sprintf("%s/%s:%s@%s", i.Registry, i.Name, i.Tag, i.Digest) +} + +func FindImageDigest(yaml ImageYamls, image, version string) string { + version = fmt.Sprintf("v%s", version) + Info("Searching Digest for %s:%s", image, version) + for i := range yaml { + if yaml[i].Name == image { + for k, v := range yaml[i].Dmap { + if v[0] == version { + return k + } + } + return "" + } + } + return "" +} diff --git a/magefiles/utils/e2edocs.go b/magefiles/utils/e2edocs.go new file mode 100644 index 000000000..2edc2ca40 --- /dev/null +++ b/magefiles/utils/e2edocs.go @@ -0,0 +1,140 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package utils + +import ( + "bufio" + "bytes" + "embed" + "fmt" + "io/fs" + "os" + "path/filepath" + "regexp" + "strings" + "text/template" + + "slices" +) + +//go:embed templates/e2edocs.tpl +var tplContent embed.FS + +var ( + skipFiles = []string{ + "test/e2e/framework/framework.go", + "test/e2e/e2e.go", + "test/e2e/e2e_test.go", + } +) + +const ( + testDir = "test/e2e" + describe = "Describe" + URL = "https://github.com/kubernetes/ingress-nginx/tree/main/" +) + +var ( + betweenquotes = regexp.MustCompile(`("|\')(?P.*)("|\')`) +) + +type E2ETemplate struct { + URL string + Tests []string +} + +func getDescription(linetext, path, url string, lineN int, isDescription bool) string { + var descriptionLine string + prefix := "-" + if isDescription { + prefix = "###" + } + + matches := betweenquotes.FindStringSubmatch(linetext) + contentIndex := betweenquotes.SubexpIndex("TestDescription") + if len(matches) < 2 || contentIndex == -1 { + return "" + } + + fileName := fmt.Sprintf("%s/%s", url, path) + descriptionLine = fmt.Sprintf("%s [%s](%s#L%d)", prefix, matches[contentIndex], fileName, lineN) + + return descriptionLine +} + +func containsGinkgoTest(line string) bool { + if !strings.Contains(line, describe) && !strings.Contains(line, "It") { + return false + } + return strings.Contains(line, "func() {") +} + +func (t *E2ETemplate) walkE2eDir(path string, d fs.DirEntry, errAggregated error) error { + if errAggregated != nil { + return errAggregated + } + // Remove ignored files or non .go files + if d.IsDir() || slices.Contains(skipFiles, path) || !strings.HasSuffix(path, ".go") { + return nil + } + + content, err := os.ReadFile(path) + if err != nil { + return err + } + + fileScanner := bufio.NewScanner(bytes.NewReader(content)) + + fileScanner.Split(bufio.ScanLines) + + tests := make([]string, 0) + var lineN = 0 + for fileScanner.Scan() { + lineN = lineN + 1 + if !containsGinkgoTest(fileScanner.Text()) { + continue + } + + line := getDescription(fileScanner.Text(), path, t.URL, lineN, strings.Contains(fileScanner.Text(), describe)) + if line != "" { + tests = append(tests, line) + } + } + t.Tests = append(t.Tests, tests...) + return nil +} + +func GenerateE2EDocs() (string, error) { + e2etpl := &E2ETemplate{URL: URL} + err := filepath.WalkDir(testDir, e2etpl.walkE2eDir) + if err != nil { + return "", err + } + + tmpl, err := template.New("e2edocs.tpl").ParseFS(tplContent, "templates/e2edocs.tpl") + if err != nil { + return "", fmt.Errorf("error parsing the template file: %s", err) + } + + tplBuff := new(bytes.Buffer) + err = tmpl.Execute(tplBuff, e2etpl) + if err != nil { + return "", err + } + return tplBuff.String(), nil + +} diff --git a/magefiles/utils/helm.go b/magefiles/utils/helm.go new file mode 100644 index 000000000..dea68caab --- /dev/null +++ b/magefiles/utils/helm.go @@ -0,0 +1,405 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package utils + +type IngressChartValue struct { + CommonLabels struct{} `yaml:"commonLabels"` + Controller struct { + Name string `yaml:"name"` + Image struct { + Chroot bool `yaml:"chroot"` + Registry string `yaml:"registry"` + Image string `yaml:"image"` + Tag string `yaml:"tag"` + Digest string `yaml:"digest"` + DigestChroot string `yaml:"digestChroot"` + PullPolicy string `yaml:"pullPolicy"` + RunAsUser int `yaml:"runAsUser"` + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"image"` + ExistingPsp string `yaml:"existingPsp"` + ContainerName string `yaml:"containerName"` + ContainerPort struct { + HTTP int `yaml:"http"` + HTTPS int `yaml:"https"` + } `yaml:"containerPort"` + Config struct{} `yaml:"config"` + ConfigAnnotations struct{} `yaml:"configAnnotations"` + ProxySetHeaders struct{} `yaml:"proxySetHeaders"` + AddHeaders struct{} `yaml:"addHeaders"` + DNSConfig struct{} `yaml:"dnsConfig"` + Hostname struct{} `yaml:"hostname"` + DNSPolicy string `yaml:"dnsPolicy"` + ReportNodeInternalIP bool `yaml:"reportNodeInternalIp"` + WatchIngressWithoutClass bool `yaml:"watchIngressWithoutClass"` + IngressClassByName bool `yaml:"ingressClassByName"` + AllowSnippetAnnotations bool `yaml:"allowSnippetAnnotations"` + HostNetwork bool `yaml:"hostNetwork"` + HostPort struct { + Enabled bool `yaml:"enabled"` + Ports struct { + HTTP int `yaml:"http"` + HTTPS int `yaml:"https"` + } `yaml:"ports"` + } `yaml:"hostPort"` + ElectionID string `yaml:"electionID"` + IngressClassResource struct { + Name string `yaml:"name"` + Enabled bool `yaml:"enabled"` + Default bool `yaml:"default"` + ControllerValue string `yaml:"controllerValue"` + Parameters struct{} `yaml:"parameters"` + } `yaml:"ingressClassResource"` + IngressClass string `yaml:"ingressClass"` + PodLabels struct{} `yaml:"podLabels"` + PodSecurityContext struct{} `yaml:"podSecurityContext"` + Sysctls struct{} `yaml:"sysctls"` + PublishService struct { + Enabled bool `yaml:"enabled"` + PathOverride string `yaml:"pathOverride"` + } `yaml:"publishService"` + Scope struct { + Enabled bool `yaml:"enabled"` + Namespace string `yaml:"namespace"` + NamespaceSelector string `yaml:"namespaceSelector"` + } `yaml:"scope"` + ConfigMapNamespace string `yaml:"configMapNamespace"` + TCP struct { + ConfigMapNamespace string `yaml:"configMapNamespace"` + Annotations struct{} `yaml:"annotations"` + } `yaml:"tcp"` + UDP struct { + ConfigMapNamespace string `yaml:"configMapNamespace"` + Annotations struct{} `yaml:"annotations"` + } `yaml:"udp"` + MaxmindLicenseKey string `yaml:"maxmindLicenseKey"` + ExtraArgs struct{} `yaml:"extraArgs"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + Kind string `yaml:"kind"` + Annotations struct{} `yaml:"annotations"` + Labels struct{} `yaml:"labels"` + UpdateStrategy struct{} `yaml:"updateStrategy"` + MinReadySeconds int `yaml:"minReadySeconds"` + Tolerations []interface{} `yaml:"tolerations"` + Affinity struct{} `yaml:"affinity"` + TopologySpreadConstraints []interface{} `yaml:"topologySpreadConstraints"` + TerminationGracePeriodSeconds int `yaml:"terminationGracePeriodSeconds"` + NodeSelector struct { + KubernetesIoOs string `yaml:"kubernetes.io/os"` + } `yaml:"nodeSelector"` + LivenessProbe struct { + HTTPGet struct { + Path string `yaml:"path"` + Port int `yaml:"port"` + Scheme string `yaml:"scheme"` + } `yaml:"httpGet"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + FailureThreshold int `yaml:"failureThreshold"` + } `yaml:"livenessProbe"` + ReadinessProbe struct { + HTTPGet struct { + Path string `yaml:"path"` + Port int `yaml:"port"` + Scheme string `yaml:"scheme"` + } `yaml:"httpGet"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + FailureThreshold int `yaml:"failureThreshold"` + } `yaml:"readinessProbe"` + HealthCheckPath string `yaml:"healthCheckPath"` + HealthCheckHost string `yaml:"healthCheckHost"` + PodAnnotations struct{} `yaml:"podAnnotations"` + ReplicaCount int `yaml:"replicaCount"` + MinAvailable int `yaml:"minAvailable"` + Resources struct { + Requests struct { + CPU string `yaml:"cpu"` + Memory string `yaml:"memory"` + } `yaml:"requests"` + } `yaml:"resources"` + Autoscaling struct { + APIVersion string `yaml:"apiVersion"` + Enabled bool `yaml:"enabled"` + Annotations struct{} `yaml:"annotations"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` + Behavior struct{} `yaml:"behavior"` + } `yaml:"autoscaling"` + AutoscalingTemplate []interface{} `yaml:"autoscalingTemplate"` + Keda struct { + APIVersion string `yaml:"apiVersion"` + Enabled bool `yaml:"enabled"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + PollingInterval int `yaml:"pollingInterval"` + CooldownPeriod int `yaml:"cooldownPeriod"` + RestoreToOriginalReplicaCount bool `yaml:"restoreToOriginalReplicaCount"` + ScaledObject struct { + Annotations struct{} `yaml:"annotations"` + } `yaml:"scaledObject"` + Triggers []interface{} `yaml:"triggers"` + Behavior struct{} `yaml:"behavior"` + } `yaml:"keda"` + EnableMimalloc bool `yaml:"enableMimalloc"` + CustomTemplate struct { + ConfigMapName string `yaml:"configMapName"` + ConfigMapKey string `yaml:"configMapKey"` + } `yaml:"customTemplate"` + Service struct { + Enabled bool `yaml:"enabled"` + AppProtocol bool `yaml:"appProtocol"` + Annotations struct{} `yaml:"annotations"` + Labels struct{} `yaml:"labels"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerIP string `yaml:"loadBalancerIP"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + EnableHTTP bool `yaml:"enableHttp"` + EnableHTTPS bool `yaml:"enableHttps"` + IPFamilyPolicy string `yaml:"ipFamilyPolicy"` + IPFamilies []string `yaml:"ipFamilies"` + Ports struct { + HTTP int `yaml:"http"` + HTTPS int `yaml:"https"` + } `yaml:"ports"` + TargetPorts struct { + HTTP string `yaml:"http"` + HTTPS string `yaml:"https"` + } `yaml:"targetPorts"` + Type string `yaml:"type"` + NodePorts struct { + HTTP string `yaml:"http"` + HTTPS string `yaml:"https"` + TCP struct{} `yaml:"tcp"` + UDP struct{} `yaml:"udp"` + } `yaml:"nodePorts"` + External struct { + Enabled bool `yaml:"enabled"` + } `yaml:"external"` + Internal struct { + Enabled bool `yaml:"enabled"` + Annotations struct{} `yaml:"annotations"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + } `yaml:"internal"` + } `yaml:"service"` + ShareProcessNamespace bool `yaml:"shareProcessNamespace"` + ExtraContainers []interface{} `yaml:"extraContainers"` + ExtraVolumeMounts []interface{} `yaml:"extraVolumeMounts"` + ExtraVolumes []interface{} `yaml:"extraVolumes"` + ExtraInitContainers []interface{} `yaml:"extraInitContainers"` + ExtraModules []interface{} `yaml:"extraModules"` + Opentelemetry struct { + Enabled bool `yaml:"enabled"` + Image string `yaml:"image"` + ContainerSecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"containerSecurityContext"` + } `yaml:"opentelemetry"` + AdmissionWebhooks struct { + Annotations struct{} `yaml:"annotations"` + Enabled bool `yaml:"enabled"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + FailurePolicy string `yaml:"failurePolicy"` + Port int `yaml:"port"` + Certificate string `yaml:"certificate"` + Key string `yaml:"key"` + NamespaceSelector struct{} `yaml:"namespaceSelector"` + ObjectSelector struct{} `yaml:"objectSelector"` + Labels struct{} `yaml:"labels"` + ExistingPsp string `yaml:"existingPsp"` + NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"` + Service struct { + Annotations struct{} `yaml:"annotations"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + ServicePort int `yaml:"servicePort"` + Type string `yaml:"type"` + } `yaml:"service"` + CreateSecretJob struct { + SecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"securityContext"` + Resources struct{} `yaml:"resources"` + } `yaml:"createSecretJob"` + PatchWebhookJob struct { + SecurityContext struct { + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"securityContext"` + Resources struct{} `yaml:"resources"` + } `yaml:"patchWebhookJob"` + Patch struct { + Enabled bool `yaml:"enabled"` + Image struct { + Registry string `yaml:"registry"` + Image string `yaml:"image"` + Tag string `yaml:"tag"` + Digest string `yaml:"digest"` + PullPolicy string `yaml:"pullPolicy"` + } `yaml:"image"` + PriorityClassName string `yaml:"priorityClassName"` + PodAnnotations struct{} `yaml:"podAnnotations"` + NodeSelector struct { + KubernetesIoOs string `yaml:"kubernetes.io/os"` + } `yaml:"nodeSelector"` + Tolerations []interface{} `yaml:"tolerations"` + Labels struct{} `yaml:"labels"` + SecurityContext struct { + RunAsNonRoot bool `yaml:"runAsNonRoot"` + RunAsUser int `yaml:"runAsUser"` + FsGroup int `yaml:"fsGroup"` + } `yaml:"securityContext"` + } `yaml:"patch"` + CertManager struct { + Enabled bool `yaml:"enabled"` + RootCert struct { + Duration string `yaml:"duration"` + } `yaml:"rootCert"` + AdmissionCert struct { + Duration string `yaml:"duration"` + } `yaml:"admissionCert"` + } `yaml:"certManager"` + } `yaml:"admissionWebhooks"` + Metrics struct { + Port int `yaml:"port"` + PortName string `yaml:"portName"` + Enabled bool `yaml:"enabled"` + Service struct { + Annotations struct{} `yaml:"annotations"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + ServicePort int `yaml:"servicePort"` + Type string `yaml:"type"` + } `yaml:"service"` + ServiceMonitor struct { + Enabled bool `yaml:"enabled"` + AdditionalLabels struct{} `yaml:"additionalLabels"` + Namespace string `yaml:"namespace"` + NamespaceSelector struct{} `yaml:"namespaceSelector"` + ScrapeInterval string `yaml:"scrapeInterval"` + TargetLabels []interface{} `yaml:"targetLabels"` + Relabelings []interface{} `yaml:"relabelings"` + MetricRelabelings []interface{} `yaml:"metricRelabelings"` + } `yaml:"serviceMonitor"` + PrometheusRule struct { + Enabled bool `yaml:"enabled"` + AdditionalLabels struct{} `yaml:"additionalLabels"` + Rules []interface{} `yaml:"rules"` + } `yaml:"prometheusRule"` + } `yaml:"metrics"` + Lifecycle struct { + PreStop struct { + Exec struct { + Command []string `yaml:"command"` + } `yaml:"exec"` + } `yaml:"preStop"` + } `yaml:"lifecycle"` + PriorityClassName string `yaml:"priorityClassName"` + } `yaml:"controller"` + RevisionHistoryLimit int `yaml:"revisionHistoryLimit"` + DefaultBackend struct { + Enabled bool `yaml:"enabled"` + Name string `yaml:"name"` + Image struct { + Registry string `yaml:"registry"` + Image string `yaml:"image"` + Tag string `yaml:"tag"` + PullPolicy string `yaml:"pullPolicy"` + RunAsUser int `yaml:"runAsUser"` + RunAsNonRoot bool `yaml:"runAsNonRoot"` + ReadOnlyRootFilesystem bool `yaml:"readOnlyRootFilesystem"` + AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` + } `yaml:"image"` + ExistingPsp string `yaml:"existingPsp"` + ExtraArgs struct{} `yaml:"extraArgs"` + ServiceAccount struct { + Create bool `yaml:"create"` + Name string `yaml:"name"` + AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` + } `yaml:"serviceAccount"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + Port int `yaml:"port"` + LivenessProbe struct { + FailureThreshold int `yaml:"failureThreshold"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + } `yaml:"livenessProbe"` + ReadinessProbe struct { + FailureThreshold int `yaml:"failureThreshold"` + InitialDelaySeconds int `yaml:"initialDelaySeconds"` + PeriodSeconds int `yaml:"periodSeconds"` + SuccessThreshold int `yaml:"successThreshold"` + TimeoutSeconds int `yaml:"timeoutSeconds"` + } `yaml:"readinessProbe"` + Tolerations []interface{} `yaml:"tolerations"` + Affinity struct{} `yaml:"affinity"` + PodSecurityContext struct{} `yaml:"podSecurityContext"` + ContainerSecurityContext struct{} `yaml:"containerSecurityContext"` + PodLabels struct{} `yaml:"podLabels"` + NodeSelector struct { + KubernetesIoOs string `yaml:"kubernetes.io/os"` + } `yaml:"nodeSelector"` + PodAnnotations struct{} `yaml:"podAnnotations"` + ReplicaCount int `yaml:"replicaCount"` + MinAvailable int `yaml:"minAvailable"` + Resources struct{} `yaml:"resources"` + ExtraVolumeMounts []interface{} `yaml:"extraVolumeMounts"` + ExtraVolumes []interface{} `yaml:"extraVolumes"` + Autoscaling struct { + Annotations struct{} `yaml:"annotations"` + Enabled bool `yaml:"enabled"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` + } `yaml:"autoscaling"` + Service struct { + Annotations struct{} `yaml:"annotations"` + ExternalIPs []interface{} `yaml:"externalIPs"` + LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` + ServicePort int `yaml:"servicePort"` + Type string `yaml:"type"` + } `yaml:"service"` + PriorityClassName string `yaml:"priorityClassName"` + Labels struct{} `yaml:"labels"` + } `yaml:"defaultBackend"` + Rbac struct { + Create bool `yaml:"create"` + Scope bool `yaml:"scope"` + } `yaml:"rbac"` + PodSecurityPolicy struct { + Enabled bool `yaml:"enabled"` + } `yaml:"podSecurityPolicy"` + ServiceAccount struct { + Create bool `yaml:"create"` + Name string `yaml:"name"` + AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` + Annotations struct{} `yaml:"annotations"` + } `yaml:"serviceAccount"` + ImagePullSecrets []interface{} `yaml:"imagePullSecrets"` + TCP struct{} `yaml:"tcp"` + UDP struct{} `yaml:"udp"` + PortNamePrefix string `yaml:"portNamePrefix"` + DhParam interface{} `yaml:"dhParam"` +} diff --git a/magefiles/utils/releasenote.go b/magefiles/utils/releasenote.go new file mode 100644 index 000000000..341595444 --- /dev/null +++ b/magefiles/utils/releasenote.go @@ -0,0 +1,91 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package utils + +import ( + "fmt" + "os" + "text/template" +) + +// ReleaseNote - All the pieces of information/documents that get updated during a release +type ReleaseNote struct { + Version string + NewControllerVersion string + PreviousControllerVersion string + ControllerImages []ControllerImage + DepUpdates []string + Updates []string + HelmUpdates []string + NewHelmChartVersion string + PreviousHelmChartVersion string +} + +func (r ReleaseNote) Template() { + // Files are provided as a slice of strings. + changelogTemplate, err := os.ReadFile("changelog/controller.md.gotmpl") + if err != nil { + ErrorF("Could not read changelog template file %s", err) + } + Debug("ChangeLog Templates %s", string(changelogTemplate)) + t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) + // create a new file + file, err := os.Create(fmt.Sprintf("changelog/controller-%s.md", r.Version)) + if err != nil { + ErrorF("Could not create changelog file %s", err) + } + defer file.Close() + + err = t.Execute(file, r) + if err != nil { + ErrorF("executing template: %s", err) + } +} + +func (r ReleaseNote) HelmTemplate() { + // Files are provided as a slice of strings. + changelogTemplate, err := os.ReadFile("charts/ingress-nginx/changelog/helm-chart.md.gotmpl") + if err != nil { + ErrorF("Could not read changelog template file %s", err) + } + Debug("ChangeLog Templates %s", string(changelogTemplate)) + t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) + // create a new file + file, err := os.Create(fmt.Sprintf("charts/ingress-nginx/changelog/helm-chart-%s.md", r.NewHelmChartVersion)) + if err != nil { + ErrorF("Could not create changelog file %s", err) + } + defer file.Close() + + err = t.Execute(file, r) + if err != nil { + ErrorF("executing template: %s", err) + } +} + +func (r ReleaseNote) PrintRelease() { + Info("Release Version: %v", r.NewControllerVersion) + Info("Previous Version: %v", r.PreviousControllerVersion) + Info("Controller Image: %v", r.ControllerImages[0].print()) + Info("Controller Chroot Image: %v", r.ControllerImages[1].print()) + for i := range r.Updates { + Info("Update #%v - %v", i, r.Updates[i]) + } + for j := range r.DepUpdates { + Info("Dependabot Update #%v - %v", j, r.DepUpdates[j]) + } +} diff --git a/magefiles/utils/templates/e2edocs.tpl b/magefiles/utils/templates/e2edocs.tpl new file mode 100644 index 000000000..8757c10bd --- /dev/null +++ b/magefiles/utils/templates/e2edocs.tpl @@ -0,0 +1,10 @@ + + +# e2e test suite for [Ingress NGINX Controller]({{.URL}}) + +{{ range $test := .Tests }} +{{ $test }} +{{- end }} \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index c76a640f6..cbc2988ce 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,4 +1,4 @@ -site_name: NGINX Ingress Controller +site_name: Ingress-Nginx Controller repo_name: "kubernetes/ingress-nginx" repo_url: https://github.com/kubernetes/ingress-nginx site_url: https://kubernetes.github.io/ingress-nginx @@ -65,7 +65,6 @@ plugins: extra_css: [extra.css] -google_analytics: ["UA-118407822-1", "kubernetes.github.io"] nav: - Welcome: @@ -79,7 +78,7 @@ nav: - Role Based Access Control (RBAC): "deploy/rbac.md" - Upgrade: "deploy/upgrade.md" - Hardening guide: "deploy/hardening-guide.md" - - User guide: + - User Guide: - NGINX Configuration: - Introduction: "user-guide/nginx-configuration/index.md" - Basic usage: "user-guide/basic-usage.md" @@ -100,7 +99,7 @@ nav: - TLS/HTTPS: "user-guide/tls.md" - Third party addons: - ModSecurity Web Application Firewall: "user-guide/third-party-addons/modsecurity.md" - - OpenTracing: "user-guide/third-party-addons/opentracing.md" + - OpenTelemetry: "user-guide/third-party-addons/opentelemetry.md" - Examples: - Introduction: "examples/index.md" - Prerequisites: "examples/PREREQUISITES.md" @@ -125,6 +124,9 @@ nav: - Static IPs: "examples/static-ip/README.md" - TLS termination: "examples/tls-termination/README.md" - Pod Security Policy (PSP): "examples/psp/README.md" + - Open Policy Agent rules: "examples/openpolicyagent/README.md" + - Canary Deployments: "examples/canary/README.md" - Developer Guide: - Getting Started: "developer-guide/getting-started.md" - Code Overview: "developer-guide/code-overview.md" + - FAQ: "faq.md" diff --git a/netlify.toml b/netlify.toml new file mode 100644 index 000000000..dc4b0d1ca --- /dev/null +++ b/netlify.toml @@ -0,0 +1,11 @@ +# netlify configuration +[build] +publish = "site" +command = "make build-docs" +ignore = "git diff --quiet $CACHED_COMMIT_REF $COMMIT_REF ./docs" +# available here https://github.com/netlify/build-image/blob/focal/included_software.md#languages +environment = { PYTHON_VERSION = "3.8" } + +[context.deploy-preview] + publish = "site/" + command = "make build-docs" diff --git a/pkg/apis/ingress/sslcert.go b/pkg/apis/ingress/sslcert.go index 7dee3880d..b340b2d9a 100644 --- a/pkg/apis/ingress/sslcert.go +++ b/pkg/apis/ingress/sslcert.go @@ -66,12 +66,12 @@ type SSLCert struct { } // GetObjectKind implements the ObjectKind interface as a noop -func (s SSLCert) GetObjectKind() schema.ObjectKind { +func (s *SSLCert) GetObjectKind() schema.ObjectKind { return schema.EmptyObjectKind } // Identifier returns a the couple issuer / serial number if they both exist, an empty string otherwise -func (s SSLCert) Identifier() string { +func (s *SSLCert) Identifier() string { if s.Certificate != nil { if s.Certificate.SerialNumber != nil { return fmt.Sprintf("%s-%s", s.Certificate.Issuer.SerialNumber, s.Certificate.SerialNumber.String()) @@ -81,7 +81,7 @@ func (s SSLCert) Identifier() string { } // HashInclude defines if a field should be used or not to calculate the hash -func (s SSLCert) HashInclude(field string, v interface{}) (bool, error) { +func (s *SSLCert) HashInclude(field string, _ interface{}) (bool, error) { switch field { case "PemSHA", "CASHA", "ExpireTime": return true, nil diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index 7c1c825b7..2ad17ec3d 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -29,12 +29,12 @@ import ( "k8s.io/ingress-nginx/internal/ingress/annotations/cors" "k8s.io/ingress-nginx/internal/ingress/annotations/fastcgi" "k8s.io/ingress-nginx/internal/ingress/annotations/globalratelimit" - "k8s.io/ingress-nginx/internal/ingress/annotations/influxdb" - "k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipallowlist" + "k8s.io/ingress-nginx/internal/ingress/annotations/ipdenylist" "k8s.io/ingress-nginx/internal/ingress/annotations/log" "k8s.io/ingress-nginx/internal/ingress/annotations/mirror" "k8s.io/ingress-nginx/internal/ingress/annotations/modsecurity" - "k8s.io/ingress-nginx/internal/ingress/annotations/opentracing" + "k8s.io/ingress-nginx/internal/ingress/annotations/opentelemetry" "k8s.io/ingress-nginx/internal/ingress/annotations/proxy" "k8s.io/ingress-nginx/internal/ingress/annotations/proxyssl" "k8s.io/ingress-nginx/internal/ingress/annotations/ratelimit" @@ -72,7 +72,7 @@ type Configuration struct { DefaultSSLCertificate *SSLCert `json:"-"` - StreamSnippets []string + StreamSnippets []string `json:"StreamSnippets"` } // Backend describes one or more remote server/s (endpoints) associated with a service @@ -128,7 +128,7 @@ type TrafficShapingPolicy struct { } // HashInclude defines if a field should be used or not to calculate the hash -func (s Backend) HashInclude(field string, v interface{}) (bool, error) { +func (b *Backend) HashInclude(field string, _ interface{}) (bool, error) { switch field { case "Endpoints": return false, nil @@ -222,7 +222,8 @@ type Server struct { // In some cases when more than one annotations is defined a particular order in the execution // is required. // The chain in the execution order of annotations should be: -// - Whitelist +// - Denylist +// - Allowlist // - RateLimit // - BasicDigestAuth // - ExternalAuth @@ -292,10 +293,14 @@ type Location struct { // Rewrite describes the redirection this location. // +optional Rewrite rewrite.Config `json:"rewrite,omitempty"` - // Whitelist indicates only connections from certain client + // Denylist indicates only connections from certain client // addresses or networks are allowed. // +optional - Whitelist ipwhitelist.SourceRange `json:"whitelist,omitempty"` + Denylist ipdenylist.SourceRange `json:"denylist,omitempty"` + // Allowlist indicates only connections from certain client + // addresses or networks are allowed. + // +optional + Allowlist ipallowlist.SourceRange `json:"allowlist,omitempty"` // Proxy contains information about timeouts and buffer sizes // to be used in connections against endpoints // +optional @@ -331,9 +336,6 @@ type Location struct { // Logs allows to enable or disable the nginx logs // By default access logs are enabled and rewrite logs are disabled Logs log.Config `json:"logs,omitempty"` - // InfluxDB allows to monitor the incoming request by sending them to an influxdb database - // +optional - InfluxDB influxdb.Config `json:"influxDB,omitempty"` // BackendProtocol indicates which protocol should be used to communicate with the service // By default this is HTTP BackendProtocol string `json:"backend-protocol"` @@ -343,6 +345,11 @@ type Location struct { // CustomHTTPErrors specifies the error codes that should be intercepted. // +optional CustomHTTPErrors []int `json:"custom-http-errors"` + // ProxyInterceptErrors disables error intecepting when using CustomHTTPErrors + // e.g. custom 404 and 503 when service-a does not exist or is not available + // but service-a can return 404 and 503 error codes without intercept + // +optional + DisableProxyInterceptErrors bool `json:"disable-proxy-intercept-errors"` // ModSecurity allows to enable and configure modsecurity // +optional ModSecurity modsecurity.Config `json:"modsecurity"` @@ -351,9 +358,9 @@ type Location struct { // Mirror allows you to mirror traffic to a "test" backend // +optional Mirror mirror.Config `json:"mirror,omitempty"` - // Opentracing allows the global opentracing setting to be overridden for a location + // Opentelemetry allows the global opentelemetry setting to be overridden for a location // +optional - Opentracing opentracing.Config `json:"opentracing"` + Opentelemetry opentelemetry.Config `json:"opentelemetry"` } // SSLPassthroughBackend describes a SSL upstream server configured @@ -404,5 +411,4 @@ type Ingress struct { } // GeneralConfig holds the definition of lua general configuration data -type GeneralConfig struct { -} +type GeneralConfig struct{} diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index a954a253b..eeed9a06e 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -76,66 +76,62 @@ func (c1 *Configuration) Equal(c2 *Configuration) bool { } } - if c1.BackendConfigChecksum != c2.BackendConfigChecksum { - return false - } - - return true + return c1.BackendConfigChecksum == c2.BackendConfigChecksum } // Equal tests for equality between two Backend types -func (b1 *Backend) Equal(b2 *Backend) bool { - if b1 == b2 { +func (b *Backend) Equal(newB *Backend) bool { + if b == newB { return true } - if b1 == nil || b2 == nil { + if b == nil || newB == nil { return false } - if b1.Name != b2.Name { + if b.Name != newB.Name { return false } - if b1.NoServer != b2.NoServer { + if b.NoServer != newB.NoServer { return false } - if b1.Service != b2.Service { - if b1.Service == nil || b2.Service == nil { + if b.Service != newB.Service { + if b.Service == nil || newB.Service == nil { return false } - if b1.Service.GetNamespace() != b2.Service.GetNamespace() { + if b.Service.GetNamespace() != newB.Service.GetNamespace() { return false } - if b1.Service.GetName() != b2.Service.GetName() { + if b.Service.GetName() != newB.Service.GetName() { return false } } - if b1.Port != b2.Port { + if b.Port != newB.Port { return false } - if b1.SSLPassthrough != b2.SSLPassthrough { + if b.SSLPassthrough != newB.SSLPassthrough { return false } - if !(&b1.SessionAffinity).Equal(&b2.SessionAffinity) { + if !(&b.SessionAffinity).Equal(&newB.SessionAffinity) { return false } - if b1.UpstreamHashBy != b2.UpstreamHashBy { + if b.UpstreamHashBy != newB.UpstreamHashBy { return false } - if b1.LoadBalancing != b2.LoadBalancing { + if b.LoadBalancing != newB.LoadBalancing { return false } - match := compareEndpoints(b1.Endpoints, b2.Endpoints) + match := compareEndpoints(b.Endpoints, newB.Endpoints) if !match { return false } - if !b1.TrafficShapingPolicy.Equal(b2.TrafficShapingPolicy) { + if !b.TrafficShapingPolicy.Equal(&newB.TrafficShapingPolicy) { return false } - return sets.StringElementsMatch(b1.AlternativeBackends, b2.AlternativeBackends) + return sets.StringElementsMatch(b.AlternativeBackends, newB.AlternativeBackends) } // Equal tests for equality between two SessionAffinityConfig types @@ -247,7 +243,7 @@ func (e1 *Endpoint) Equal(e2 *Endpoint) bool { } // Equal checks for equality between two TrafficShapingPolicies -func (tsp1 TrafficShapingPolicy) Equal(tsp2 TrafficShapingPolicy) bool { +func (tsp1 *TrafficShapingPolicy) Equal(tsp2 *TrafficShapingPolicy) bool { if tsp1.Weight != tsp2.Weight { return false } @@ -339,6 +335,8 @@ func (s1 *Server) Equal(s2 *Server) bool { } // Equal tests for equality between two Location types +// +//nolint:gocyclo // Ignore function complexity error func (l1 *Location) Equal(l2 *Location) bool { if l1 == l2 { return true @@ -401,7 +399,10 @@ func (l1 *Location) Equal(l2 *Location) bool { if !(&l1.Rewrite).Equal(&l2.Rewrite) { return false } - if !(&l1.Whitelist).Equal(&l2.Whitelist) { + if !(&l1.Denylist).Equal(&l2.Denylist) { + return false + } + if !(&l1.Allowlist).Equal(&l2.Allowlist) { return false } if !(&l1.Proxy).Equal(&l2.Proxy) { @@ -432,10 +433,6 @@ func (l1 *Location) Equal(l2 *Location) bool { return false } - if !(&l1.InfluxDB).Equal(&l2.InfluxDB) { - return false - } - if l1.BackendProtocol != l2.BackendProtocol { return false } @@ -461,7 +458,7 @@ func (l1 *Location) Equal(l2 *Location) bool { return false } - if !l1.Opentracing.Equal(&l2.Opentracing) { + if !l1.Opentelemetry.Equal(&l2.Opentelemetry) { return false } @@ -469,6 +466,10 @@ func (l1 *Location) Equal(l2 *Location) bool { return false } + if l1.DisableProxyInterceptErrors != l2.DisableProxyInterceptErrors { + return false + } + return true } @@ -551,39 +552,39 @@ func (l4b1 *L4Backend) Equal(l4b2 *L4Backend) bool { } // Equal tests for equality between two SSLCert types -func (s1 *SSLCert) Equal(s2 *SSLCert) bool { - if s1 == s2 { +func (s *SSLCert) Equal(newS *SSLCert) bool { + if s == newS { return true } - if s1 == nil || s2 == nil { + if s == nil || newS == nil { return false } - if s1.CASHA != s2.CASHA { + if s.CASHA != newS.CASHA { return false } - if s1.CRLSHA != s2.CRLSHA { + if s.CRLSHA != newS.CRLSHA { return false } - if s1.PemSHA != s2.PemSHA { + if s.PemSHA != newS.PemSHA { return false } - if s1.CAFileName != s2.CAFileName { + if s.CAFileName != newS.CAFileName { return false } - if s1.CRLFileName != s2.CRLFileName { + if s.CRLFileName != newS.CRLFileName { return false } - if !s1.ExpireTime.Equal(s2.ExpireTime) { + if !s.ExpireTime.Equal(newS.ExpireTime) { return false } - if s1.PemCertKey != s2.PemCertKey { + if s.PemCertKey != newS.PemCertKey { return false } - if s1.UID != s2.UID { + if s.UID != newS.UID { return false } - return sets.StringElementsMatch(s1.CN, s2.CN) + return sets.StringElementsMatch(s.CN, newS.CN) } var compareEndpointsFunc = func(e1, e2 interface{}) bool { diff --git a/pkg/apis/ingress/types_equals_test.go b/pkg/apis/ingress/types_equals_test.go index 78d29d46c..53643f912 100644 --- a/pkg/apis/ingress/types_equals_test.go +++ b/pkg/apis/ingress/types_equals_test.go @@ -25,19 +25,29 @@ import ( ) func TestEqualConfiguration(t *testing.T) { - ap, _ := filepath.Abs("../../../test/manifests/configuration-a.json") + ap, err := filepath.Abs("../../../test/manifests/configuration-a.json") + if err != nil { + t.Errorf("unexpected error: %v", err) + } a, err := readJSON(ap) if err != nil { t.Errorf("unexpected error reading JSON file: %v", err) } - bp, _ := filepath.Abs("../../../test/manifests/configuration-b.json") + bp, err := filepath.Abs("../../../test/manifests/configuration-b.json") + if err != nil { + t.Errorf("unexpected error: %v", err) + } + b, err := readJSON(bp) if err != nil { t.Errorf("unexpected error reading JSON file: %v", err) } - cp, _ := filepath.Abs("../../../test/manifests/configuration-c.json") + cp, err := filepath.Abs("../../../test/manifests/configuration-c.json") + if err != nil { + t.Errorf("unexpected error: %v", err) + } c, err := readJSON(cp) if err != nil { t.Errorf("unexpected error reading JSON file: %v", err) @@ -84,15 +94,18 @@ func TestL4ServiceElementsMatch(t *testing.T) { {[]L4Service{{Port: 80}}, []L4Service{{Port: 80}}, true}, { []L4Service{ - {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.1"}}}}, + {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.1"}}}, + }, []L4Service{{Port: 80}}, false, }, { []L4Service{ - {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.1"}, {Address: "1.1.1.2"}}}}, + {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.1"}, {Address: "1.1.1.2"}}}, + }, []L4Service{ - {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.2"}, {Address: "1.1.1.1"}}}}, + {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.2"}, {Address: "1.1.1.1"}}}, + }, true, }, { diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 65b5fbcdc..d3bc4ee86 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -152,6 +152,9 @@ Requires the update-status parameter.`) annotationsPrefix = flags.String("annotations-prefix", parser.DefaultAnnotationsPrefix, `Prefix of the Ingress annotations specific to the NGINX controller.`) + enableAnnotationValidation = flags.Bool("enable-annotation-validation", false, + `If true, will enable the annotation validation feature. This value will be defaulted to true on a future release`) + enableSSLChainCompletion = flags.Bool("enable-ssl-chain-completion", false, `Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 @@ -171,10 +174,11 @@ Requires the update-status parameter.`) reportStatusClasses = flags.Bool("report-status-classes", false, `Use status classes (2xx, 3xx, 4xx and 5xx) instead of status codes in metrics.`) - timeBuckets = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime.") - lengthBuckets = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength.") - sizeBuckets = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent.") - monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics.") + timeBuckets = flags.Float64Slice("time-buckets", prometheus.DefBuckets, "Set of buckets which will be used for prometheus histogram metrics such as RequestTime, ResponseTime.") + lengthBuckets = flags.Float64Slice("length-buckets", prometheus.LinearBuckets(10, 10, 10), "Set of buckets which will be used for prometheus histogram metrics such as RequestLength, ResponseLength.") + sizeBuckets = flags.Float64Slice("size-buckets", prometheus.ExponentialBuckets(10, 10, 7), "Set of buckets which will be used for prometheus histogram metrics such as BytesSent.") + excludeSocketMetrics = flags.StringSlice("exclude-socket-metrics", []string{}, "et of socket request metrics to exclude which won't be exported nor being calculated. E.g. 'nginx_ingress_controller_success,nginx_ingress_controller_header_duration_seconds'.") + monitorMaxBatchSize = flags.Int("monitor-max-batch-size", 10000, "Max batch size of NGINX metrics.") httpPort = flags.Int("http-port", 80, `Port to use for servicing HTTP traffic.`) httpsPort = flags.Int("https-port", 443, `Port to use for servicing HTTPS traffic.`) @@ -214,6 +218,10 @@ Takes the form ":port". If not provided, no admission controller is starte deepInspector = flags.Bool("deep-inspect", true, "Enables ingress object security deep inspector") dynamicConfigurationRetries = flags.Int("dynamic-configuration-retries", 15, "Number of times to retry failed dynamic configuration before failing to sync an ingress.") + + disableSyncEvents = flags.Bool("disable-sync-events", false, "Disables the creation of 'Sync' event resources") + + enableTopologyAwareRouting = flags.Bool("enable-topology-aware-routing", false, "Enable topology aware routing feature, needs service object annotation service.kubernetes.io/topology-mode sets to auto.") ) flags.StringVar(&nginx.MaxmindMirror, "maxmind-mirror", "", `Maxmind mirror url (example: http://geoip.local/databases.`) @@ -223,14 +231,10 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g flags.IntVar(&nginx.MaxmindRetriesCount, "maxmind-retries-count", 1, "Number of attempts to download the GeoIP DB.") flags.DurationVar(&nginx.MaxmindRetriesTimeout, "maxmind-retries-timeout", time.Second*0, "Maxmind downloading delay between 1st and 2nd attempt, 0s - do not retry to download if something went wrong.") - flag.Set("logtostderr", "true") - flags.AddGoFlagSet(flag.CommandLine) - flags.Parse(os.Args) - - // Workaround for this issue: - // https://github.com/kubernetes/kubernetes/issues/17162 - flag.CommandLine.Parse([]string{}) + if err := flags.Parse(os.Args); err != nil { + return false, nil, err + } pflag.VisitAll(func(flag *pflag.Flag) { klog.V(2).InfoS("FLAG", flag.Name, flag.Value) @@ -248,6 +252,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g } parser.AnnotationsPrefix = *annotationsPrefix + parser.EnableAnnotationValidation = *enableAnnotationValidation // check port collisions if !ing_net.IsPortAvailable(*httpPort) { @@ -293,12 +298,12 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g nginx.HealthCheckTimeout = time.Duration(*defHealthCheckTimeout) * time.Second } - if len(*watchNamespace) != 0 && len(*watchNamespaceSelector) != 0 { + if *watchNamespace != "" && *watchNamespaceSelector != "" { return false, nil, fmt.Errorf("flags --watch-namespace and --watch-namespace-selector are mutually exclusive") } var namespaceSelector labels.Selector - if len(*watchNamespaceSelector) != 0 { + if *watchNamespaceSelector != "" { var err error namespaceSelector, err = labels.Parse(*watchNamespaceSelector) if err != nil { @@ -306,7 +311,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g } } - var histogramBuckets = &collectors.HistogramBuckets{ + histogramBuckets := &collectors.HistogramBuckets{ TimeBuckets: *timeBuckets, LengthBuckets: *lengthBuckets, SizeBuckets: *sizeBuckets, @@ -324,6 +329,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g MetricsPerHost: *metricsPerHost, MetricsBuckets: histogramBuckets, ReportStatusClasses: *reportStatusClasses, + ExcludeSocketMetrics: *excludeSocketMetrics, MonitorMaxBatchSize: *monitorMaxBatchSize, DisableServiceExternalName: *disableServiceExternalName, EnableSSLPassthrough: *enableSSLPassthrough, @@ -346,6 +352,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g SyncRateLimit: *syncRateLimit, HealthCheckHost: *healthzHost, DynamicConfigurationRetries: *dynamicConfigurationRetries, + EnableTopologyAwareRouting: *enableTopologyAwareRouting, ListenPorts: &ngx_config.ListenPorts{ Default: *defServerPort, Health: *healthzPort, @@ -353,7 +360,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g HTTPS: *httpsPort, SSLProxy: *sslProxyPort, }, - IngressClassConfiguration: &ingressclass.IngressClassConfiguration{ + IngressClassConfiguration: &ingressclass.Configuration{ Controller: *ingressClassController, AnnotationValue: *ingressClassAnnotation, WatchWithoutClass: *watchWithoutClass, @@ -364,6 +371,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g ValidationWebhookCertPath: *validationWebhookCert, ValidationWebhookKeyPath: *validationWebhookKey, InternalLoggerAddress: *internalLoggerAddress, + DisableSyncEvents: *disableSyncEvents, } if *apiserverHost != "" { @@ -372,7 +380,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g var err error if nginx.MaxmindEditionIDs != "" { - if err = nginx.ValidateGeoLite2DBEditions(); err != nil { + if err := nginx.ValidateGeoLite2DBEditions(); err != nil { return false, nil, err } if nginx.MaxmindLicenseKey != "" || nginx.MaxmindMirror != "" { diff --git a/pkg/flags/flags_test.go b/pkg/flags/flags_test.go index 2a33d73dd..bffe2b16d 100644 --- a/pkg/flags/flags_test.go +++ b/pkg/flags/flags_test.go @@ -33,7 +33,8 @@ func TestDefaults(t *testing.T) { oldArgs := os.Args defer func() { os.Args = oldArgs }() - os.Args = []string{"cmd", + os.Args = []string{ + "cmd", "--default-backend-service", "namespace/test", "--http-port", "0", "--https-port", "0", @@ -53,8 +54,8 @@ func TestDefaults(t *testing.T) { } } -func TestSetupSSLProxy(t *testing.T) { - // TODO +func TestSetupSSLProxy(_ *testing.T) { + // TODO TestSetupSSLProxy } func TestFlagConflict(t *testing.T) { diff --git a/pkg/metrics/handler.go b/pkg/metrics/handler.go index c37c1760c..73c7d328f 100644 --- a/pkg/metrics/handler.go +++ b/pkg/metrics/handler.go @@ -29,7 +29,6 @@ import ( ) func RegisterHealthz(healthPath string, mux *http.ServeMux, checks ...healthz.HealthChecker) { - healthCheck := []healthz.HealthChecker{healthz.PingHealthz} if len(checks) > 0 { healthCheck = append(healthCheck, checks...) @@ -67,7 +66,7 @@ func RegisterProfiler(host string, port int) { server := &http.Server{ Addr: fmt.Sprintf("%s:%d", host, port), - //G112 (CWE-400): Potential Slowloris Attack + // G112 (CWE-400): Potential Slowloris Attack ReadHeaderTimeout: 10 * time.Second, Handler: mux, } diff --git a/pkg/tcpproxy/tcp.go b/pkg/tcpproxy/tcp.go index 4c34e1f7b..fba4d21be 100644 --- a/pkg/tcpproxy/tcp.go +++ b/pkg/tcpproxy/tcp.go @@ -59,16 +59,17 @@ func (p *TCPProxy) Get(host string) *TCPServer { // and open a connection to the passthrough server. func (p *TCPProxy) Handle(conn net.Conn) { defer conn.Close() - data := make([]byte, 4096) + // See: https://www.ibm.com/docs/en/ztpf/1.1.0.15?topic=sessions-ssl-record-format + data := make([]byte, 16384) length, err := conn.Read(data) if err != nil { - klog.V(4).ErrorS(err, "Error reading the first 4k of the connection") + klog.V(4).ErrorS(err, "Error reading data from the connection") return } proxy := p.Default - hostname, err := parser.GetHostname(data[:]) + hostname, err := parser.GetHostname(data) if err == nil { klog.V(4).InfoS("TLS Client Hello", "host", hostname) proxy = p.Get(hostname) @@ -90,8 +91,14 @@ func (p *TCPProxy) Handle(conn net.Conn) { if proxy.ProxyProtocol { // write out the Proxy Protocol header - localAddr := conn.LocalAddr().(*net.TCPAddr) - remoteAddr := conn.RemoteAddr().(*net.TCPAddr) + localAddr, ok := conn.LocalAddr().(*net.TCPAddr) + if !ok { + klog.Errorf("unexpected type: %T", conn.LocalAddr()) + } + remoteAddr, ok := conn.RemoteAddr().(*net.TCPAddr) + if !ok { + klog.Errorf("unexpected type: %T", conn.RemoteAddr()) + } protocol := "UNKNOWN" if remoteAddr.IP.To4() != nil { protocol = "TCP4" @@ -118,6 +125,7 @@ func (p *TCPProxy) Handle(conn net.Conn) { func pipe(client, server net.Conn) { doCopy := func(s, c net.Conn, cancel chan<- bool) { + //nolint:errcheck // No need to catch these errors io.Copy(s, c) cancel <- true } diff --git a/pkg/util/file/file_test.go b/pkg/util/file/file_test.go index 93ec39cf9..9a43946b3 100644 --- a/pkg/util/file/file_test.go +++ b/pkg/util/file/file_test.go @@ -35,8 +35,12 @@ func TestSHA1(t *testing.T) { if err != nil { t.Fatal(err) } - f.Write(test.content) - f.Sync() + if _, err := f.Write(test.content); err != nil { + t.Error(err) + } + if err := f.Sync(); err != nil { + t.Error(err) + } sha := SHA1(f.Name()) f.Close() diff --git a/pkg/util/file/file_watcher.go b/pkg/util/file/file_watcher.go index eeb7b5721..3899e41f8 100644 --- a/pkg/util/file/file_watcher.go +++ b/pkg/util/file/file_watcher.go @@ -26,8 +26,8 @@ import ( "github.com/fsnotify/fsnotify" ) -// FileWatcher is an interface we use to watch changes in files -type FileWatcher interface { +// Watcher is an interface we use to watch changes in files +type Watcher interface { Close() error } @@ -40,7 +40,7 @@ type OSFileWatcher struct { } // NewFileWatcher creates a new FileWatcher -func NewFileWatcher(file string, onEvent func()) (FileWatcher, error) { +func NewFileWatcher(file string, onEvent func()) (Watcher, error) { fw := OSFileWatcher{ file: file, onEvent: onEvent, @@ -72,8 +72,8 @@ func (f *OSFileWatcher) watch() error { for { select { case event := <-watcher.Events: - if event.Op&fsnotify.Create == fsnotify.Create || - event.Op&fsnotify.Write == fsnotify.Write { + if event.Has(fsnotify.Create) || + event.Has(fsnotify.Write) { if finfo, err := os.Lstat(event.Name); err != nil { log.Printf("can not lstat file: %v\n", err) } else if finfo.Mode()&os.ModeSymlink != 0 { diff --git a/pkg/util/file/file_watcher_test.go b/pkg/util/file/file_watcher_test.go index 316cb6f1e..dd2755812 100644 --- a/pkg/util/file/file_watcher_test.go +++ b/pkg/util/file/file_watcher_test.go @@ -59,7 +59,9 @@ func TestFileWatcher(t *testing.T) { t.Fatalf("expected no events before writing a file") case <-timeoutChan: } - os.WriteFile(f.Name(), []byte{}, ReadWriteByUser) + if err := os.WriteFile(f.Name(), []byte{}, ReadWriteByUser); err != nil { + t.Errorf("unexpected error: %v", err) + } select { case <-events: case <-timeoutChan: diff --git a/pkg/util/file/filesystem.go b/pkg/util/file/filesystem.go index 7c0db9f12..ccb93ed06 100644 --- a/pkg/util/file/filesystem.go +++ b/pkg/util/file/filesystem.go @@ -17,4 +17,4 @@ limitations under the License. package file // ReadWriteByUser defines linux permission to read and write files for the owner user -const ReadWriteByUser = 0700 +const ReadWriteByUser = 0o700 diff --git a/pkg/util/file/structure.go b/pkg/util/file/structure.go index d109e8c03..7d4f26da9 100644 --- a/pkg/util/file/structure.go +++ b/pkg/util/file/structure.go @@ -33,12 +33,10 @@ const ( DefaultSSLDirectory = "/etc/ingress-controller/ssl" ) -var ( - directories = []string{ - DefaultSSLDirectory, - AuthDirectory, - } -) +var directories = []string{ + DefaultSSLDirectory, + AuthDirectory, +} // CreateRequiredDirectories verifies if the required directories to // start the ingress controller exist and creates the missing ones. diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index 5fb3ee7b9..881d5a001 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -18,30 +18,15 @@ package ingress import ( "fmt" - "regexp" "strings" - networkingv1 "k8s.io/api/networking/v1" "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/internal/k8s" "k8s.io/ingress-nginx/internal/net/ssl" "k8s.io/ingress-nginx/pkg/apis/ingress" "k8s.io/klog/v2" ) -const ( - alphaNumericChars = `\-\.\_\~a-zA-Z0-9/` - regexEnabledChars = `\^\$\[\]\(\)\{\}\*\+` -) - -var ( - // pathAlphaNumeric is a regex validation of something like "^/[a-zA-Z]+$" on path - pathAlphaNumeric = regexp.MustCompile("^/[" + alphaNumericChars + "]*$").MatchString - // pathRegexEnabled is a regex validation of paths that may contain regex. - pathRegexEnabled = regexp.MustCompile("^/[" + alphaNumericChars + regexEnabledChars + "]*$").MatchString -) - func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string { oldSet := sets.NewString() newSet := sets.NewString() @@ -61,7 +46,7 @@ func GetRemovedHosts(rucfg, newcfg *ingress.Configuration) []string { return oldSet.Difference(newSet).List() } -// GetRemovedCertificateSerialNumber extracts the difference of certificates between two configurations +// GetRemovedCertificateSerialNumbers extracts the difference of certificates between two configurations func GetRemovedCertificateSerialNumbers(rucfg, newcfg *ingress.Configuration) []string { oldCertificates := sets.NewString() newCertificates := sets.NewString() @@ -129,7 +114,7 @@ func GetRemovedIngresses(rucfg, newcfg *ingress.Configuration) []string { // IsDynamicConfigurationEnough returns whether a Configuration can be // dynamically applied, without reloading the backend. -func IsDynamicConfigurationEnough(newcfg *ingress.Configuration, oldcfg *ingress.Configuration) bool { +func IsDynamicConfigurationEnough(newcfg, oldcfg *ingress.Configuration) bool { copyOfRunningConfig := *oldcfg copyOfPcfg := *newcfg @@ -148,21 +133,21 @@ func IsDynamicConfigurationEnough(newcfg *ingress.Configuration, oldcfg *ingress // clearL4serviceEndpoints is a helper function to clear endpoints from the ingress configuration since they should be ignored when // checking if the new configuration changes can be applied dynamically. func clearL4serviceEndpoints(config *ingress.Configuration) { - var clearedTCPL4Services []ingress.L4Service - var clearedUDPL4Services []ingress.L4Service - for _, service := range config.TCPEndpoints { + clearedTCPL4Services := make([]ingress.L4Service, 0, len(config.TCPEndpoints)) + clearedUDPL4Services := make([]ingress.L4Service, 0, len(config.UDPEndpoints)) + for i := range config.TCPEndpoints { copyofService := ingress.L4Service{ - Port: service.Port, - Backend: service.Backend, + Port: config.TCPEndpoints[i].Port, + Backend: config.TCPEndpoints[i].Backend, Endpoints: []ingress.Endpoint{}, Service: nil, } clearedTCPL4Services = append(clearedTCPL4Services, copyofService) } - for _, service := range config.UDPEndpoints { + for i := range config.UDPEndpoints { copyofService := ingress.L4Service{ - Port: service.Port, - Backend: service.Backend, + Port: config.UDPEndpoints[i].Port, + Backend: config.UDPEndpoints[i].Backend, Endpoints: []ingress.Endpoint{}, Service: nil, } @@ -175,7 +160,7 @@ func clearL4serviceEndpoints(config *ingress.Configuration) { // clearCertificates is a helper function to clear Certificates from the ingress configuration since they should be ignored when // checking if the new configuration changes can be applied dynamically if dynamic certificates is on func clearCertificates(config *ingress.Configuration) { - var clearedServers []*ingress.Server + clearedServers := make([]*ingress.Server, 0, len(config.Servers)) for _, server := range config.Servers { copyOfServer := *server copyOfServer.SSLCert = nil @@ -184,16 +169,16 @@ func clearCertificates(config *ingress.Configuration) { config.Servers = clearedServers } -type redirect struct { +type Redirect struct { From string To string SSLCert *ingress.SSLCert } // BuildRedirects build the redirects of servers based on configurations and certificates -func BuildRedirects(servers []*ingress.Server) []*redirect { - names := sets.String{} - redirectServers := make([]*redirect, 0) +func BuildRedirects(servers []*ingress.Server) []*Redirect { + names := sets.Set[string]{} + redirectServers := make([]*Redirect, 0) for _, srv := range servers { if !srv.RedirectFromToWWW { @@ -227,7 +212,7 @@ func BuildRedirects(servers []*ingress.Server) []*redirect { continue } - r := &redirect{ + r := &Redirect{ From: from, To: to, } @@ -246,13 +231,3 @@ func BuildRedirects(servers []*ingress.Server) []*redirect { return redirectServers } - -// IsSafePath verifies if the path used in ingress object contains only valid characters. -// It will behave differently if regex is enabled or not -func IsSafePath(copyIng *networkingv1.Ingress, path string) bool { - isRegex, _ := parser.GetBoolAnnotation("use-regex", copyIng) - if isRegex { - return pathRegexEnabled(path) - } - return pathAlphaNumeric(path) -} diff --git a/pkg/util/ingress/ingress_test.go b/pkg/util/ingress/ingress_test.go index d829a57f1..24597fb6e 100644 --- a/pkg/util/ingress/ingress_test.go +++ b/pkg/util/ingress/ingress_test.go @@ -17,13 +17,8 @@ limitations under the License. package ingress import ( - "fmt" "testing" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - networkingv1 "k8s.io/api/networking/v1" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" "k8s.io/ingress-nginx/pkg/apis/ingress" ) @@ -135,83 +130,3 @@ func TestIsDynamicConfigurationEnough(t *testing.T) { t.Errorf("Expected new config to not change") } } - -func generateDumbIngressforPathTest(regexEnabled bool) *networkingv1.Ingress { - var annotations = make(map[string]string) - regexAnnotation := fmt.Sprintf("%s/use-regex", parser.AnnotationsPrefix) - if regexEnabled { - annotations[regexAnnotation] = "true" - } - return &networkingv1.Ingress{ - ObjectMeta: metav1.ObjectMeta{ - Name: "dumb", - Namespace: "default", - Annotations: annotations, - }, - } -} - -func TestIsSafePath(t *testing.T) { - tests := []struct { - name string - copyIng *networkingv1.Ingress - path string - want bool - }{ - { - name: "should accept valid path with regex disabled", - want: true, - copyIng: generateDumbIngressforPathTest(false), - path: "/xpto/~user/t-e_st.exe", - }, - { - name: "should accept valid path / with regex disabled", - want: true, - copyIng: generateDumbIngressforPathTest(false), - path: "/", - }, - { - name: "should reject invalid path with invalid chars", - want: false, - copyIng: generateDumbIngressforPathTest(false), - path: "/foo/bar/;xpto", - }, - { - name: "should reject regex path when regex is disabled", - want: false, - copyIng: generateDumbIngressforPathTest(false), - path: "/foo/bar/(.+)", - }, - { - name: "should accept valid path / with regex enabled", - want: true, - copyIng: generateDumbIngressforPathTest(true), - path: "/", - }, - { - name: "should accept regex path when regex is enabled", - want: true, - copyIng: generateDumbIngressforPathTest(true), - path: "/foo/bar/(.+)", - }, - { - name: "should reject regex path when regex is enabled but the path is invalid", - want: false, - copyIng: generateDumbIngressforPathTest(true), - path: "/foo/bar/;xpto", - }, - { - name: "should reject regex path when regex is enabled but the path is invalid", - want: false, - copyIng: generateDumbIngressforPathTest(true), - path: ";xpto", - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := IsSafePath(tt.copyIng, tt.path); got != tt.want { - t.Errorf("IsSafePath() = %v, want %v", got, tt.want) - } - }) - } -} diff --git a/pkg/util/process/controller.go b/pkg/util/process/controller.go index ae9bc9356..a73e81934 100644 --- a/pkg/util/process/controller.go +++ b/pkg/util/process/controller.go @@ -16,9 +16,9 @@ limitations under the License. package process -// ProcessController defines a common interface for a process to be controlled, +// Controller defines a common interface for a process to be controlled, // like the configurer, the webhook or the proper ingress controller -type ProcessController interface { +type Controller interface { Start() Stop() error } diff --git a/pkg/util/process/sigterm.go b/pkg/util/process/sigterm.go index 77c0ad58c..1c0d729c1 100644 --- a/pkg/util/process/sigterm.go +++ b/pkg/util/process/sigterm.go @@ -29,7 +29,7 @@ type exiter func(code int) // HandleSigterm receives a ProcessController interface and deals with // the graceful shutdown -func HandleSigterm(ngx ProcessController, delay int, exit exiter) { +func HandleSigterm(ngx Controller, delay int, exit exiter) { signalChan := make(chan os.Signal, 1) signal.Notify(signalChan, syscall.SIGTERM) <-signalChan diff --git a/pkg/util/process/sigterm_test.go b/pkg/util/process/sigterm_test.go index 2c2a6ee91..08c8275c3 100644 --- a/pkg/util/process/sigterm_test.go +++ b/pkg/util/process/sigterm_test.go @@ -42,9 +42,9 @@ func (f *FakeProcess) exiterFunc(code int) { f.exitCode = code } -func sendDelayedSignal(delay time.Duration) { - time.Sleep(delay * time.Second) - syscall.Kill(syscall.Getpid(), syscall.SIGTERM) +func sendDelayedSignal(delay time.Duration) error { + time.Sleep(delay) + return syscall.Kill(syscall.Getpid(), syscall.SIGTERM) } func TestHandleSigterm(t *testing.T) { @@ -66,7 +66,12 @@ func TestHandleSigterm(t *testing.T) { for _, tt := range tests { process := &FakeProcess{shouldError: tt.shouldError} t.Run(tt.name, func(t *testing.T) { - go sendDelayedSignal(2) // Send a signal after 2 seconds + go func() { + err := sendDelayedSignal(2 * time.Second) // Send a signal after 2 seconds + if err != nil { + t.Errorf("error sending delayed signal: %v", err) + } + }() HandleSigterm(process, tt.delay, process.exiterFunc) }) if tt.shouldError && process.exitCode != 1 { diff --git a/pkg/util/runtime/cpu_notlinux.go b/pkg/util/runtime/cpu_notlinux.go index 2a1b48252..97c72cd5a 100644 --- a/pkg/util/runtime/cpu_notlinux.go +++ b/pkg/util/runtime/cpu_notlinux.go @@ -23,7 +23,7 @@ import ( "runtime" ) -// NumCPU ... +// NumCPU returns the number of logical CPUs usable by the current process. func NumCPU() int { return runtime.NumCPU() } diff --git a/pkg/util/sets/match_test.go b/pkg/util/sets/match_test.go index e2366d2c7..a65c5a05f 100644 --- a/pkg/util/sets/match_test.go +++ b/pkg/util/sets/match_test.go @@ -20,23 +20,20 @@ import ( "testing" ) -var ( - testCasesElementMatch = []struct { - listA []string - listB []string - expected bool - }{ - {nil, nil, true}, - {[]string{"1"}, nil, false}, - {[]string{"1"}, []string{"1"}, true}, - {[]string{"1", "2", "1"}, []string{"1", "1", "2"}, true}, - {[]string{"1", "3", "1"}, []string{"1", "1", "2"}, false}, - {[]string{"1", "1"}, []string{"1", "2"}, false}, - } -) +var testCasesElementMatch = []struct { + listA []string + listB []string + expected bool +}{ + {nil, nil, true}, + {[]string{"1"}, nil, false}, + {[]string{"1"}, []string{"1"}, true}, + {[]string{"1", "2", "1"}, []string{"1", "1", "2"}, true}, + {[]string{"1", "3", "1"}, []string{"1", "1", "2"}, false}, + {[]string{"1", "1"}, []string{"1", "2"}, false}, +} func TestElementsMatch(t *testing.T) { - for _, testCase := range testCasesElementMatch { result := StringElementsMatch(testCase.listA, testCase.listB) if result != testCase.expected { diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile index 75cf3fc65..a04cfe3de 100644 --- a/rootfs/Dockerfile +++ b/rootfs/Dockerfile @@ -49,9 +49,10 @@ COPY --chown=www-data:www-data bin/${TARGETARCH}/wait-shutdown / # with volumes (custom templates) RUN bash -xeu -c ' \ writeDirs=( \ - /etc/ingress-controller \ /etc/ingress-controller/ssl \ /etc/ingress-controller/auth \ + /etc/ingress-controller/geoip \ + /etc/ingress-controller/telemetry \ /var/log \ /var/log/nginx \ /tmp/nginx \ @@ -83,5 +84,4 @@ RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log ENTRYPOINT ["/usr/bin/dumb-init", "--"] - CMD ["/nginx-ingress-controller"] diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index bdb9be60b..98f078261 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -23,7 +23,7 @@ RUN apk update \ && apk upgrade \ && /chroot.sh -FROM alpine:3.17.0 +FROM alpine:3.19.1 ARG TARGETARCH ARG VERSION @@ -49,7 +49,6 @@ RUN apk update \ && apk upgrade \ && apk add -U --no-cache \ bash \ - curl \ openssl \ ca-certificates \ dumb-init \ @@ -120,7 +119,6 @@ RUN mkdir -p /chroot/modules_mount \ USER www-data EXPOSE 80 443 - ENTRYPOINT ["/usr/bin/dumb-init", "--"] CMD ["/nginx-ingress-controller"] diff --git a/rootfs/chroot.sh b/rootfs/chroot.sh index 9f3cbd804..38547b69c 100755 --- a/rootfs/chroot.sh +++ b/rootfs/chroot.sh @@ -21,6 +21,8 @@ writeDirs=( \ /chroot/etc/ingress-controller \ /chroot/etc/ingress-controller/ssl \ /chroot/etc/ingress-controller/auth \ + /chroot/etc/ingress-controller/telemetry \ + /chroot/etc/ingress-controller/geoip \ /chroot/opt/modsecurity/var/log \ /chroot/opt/modsecurity/var/upload \ /chroot/opt/modsecurity/var/audit \ @@ -41,7 +43,8 @@ for dir in "${writeDirs[@]}"; do done mkdir -p /chroot/lib /chroot/proc /chroot/usr /chroot/bin /chroot/dev /chroot/run -cp /etc/passwd /etc/group /chroot/etc/ +cp /etc/passwd /etc/group /etc/hosts /chroot/etc/ cp -a /usr/* /chroot/usr/ cp -a /etc/nginx/* /chroot/etc/nginx/ +cp -a /etc/ingress-controller/* /chroot/etc/ingress-controller/ cp /lib/ld-musl-* /lib/libcrypto* /lib/libssl* /lib/libz* /chroot/lib/ diff --git a/rootfs/etc/nginx/lua/tcp_udp_configuration.lua b/rootfs/etc/nginx/lua/tcp_udp_configuration.lua index 85864b45b..f191454fa 100644 --- a/rootfs/etc/nginx/lua/tcp_udp_configuration.lua +++ b/rootfs/etc/nginx/lua/tcp_udp_configuration.lua @@ -1,5 +1,6 @@ local ngx = ngx local tostring = tostring +local cjson = require("cjson.safe") -- this is the Lua representation of TCP/UDP Configuration local tcp_udp_configuration_data = ngx.shared.tcp_udp_configuration_data @@ -37,6 +38,14 @@ function _M.call() return end + local _, backends_err = cjson.decode(backends) + + if backends_err then + ngx.log(ngx.ERR, "could not parse backends data: ", backends_err) + return + end + + local success, err_conf = tcp_udp_configuration_data:set("backends", backends) if not success then ngx.log(ngx.ERR, "dynamic-configuration: error updating configuration: " .. tostring(err_conf)) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl old mode 100755 new mode 100644 index 3ace12bc3..d58be2880 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -21,10 +21,6 @@ load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so; load_module /etc/nginx/modules/ngx_http_brotli_static_module.so; {{ end }} -{{ if (shouldLoadInfluxDBModule $servers) }} -load_module /etc/nginx/modules/ngx_http_influxdb_module.so; -{{ end }} - {{ if (shouldLoadAuthDigestModule $servers) }} load_module /etc/nginx/modules/ngx_http_auth_digest_module.so; {{ end }} @@ -33,8 +29,8 @@ load_module /etc/nginx/modules/ngx_http_auth_digest_module.so; load_module /etc/nginx/modules/ngx_http_modsecurity_module.so; {{ end }} -{{ if (shouldLoadOpentracingModule $cfg $servers) }} -load_module /etc/nginx/modules/ngx_http_opentracing_module.so; +{{ if (shouldLoadOpentelemetryModule $cfg $servers) }} +load_module /etc/nginx/modules/otel_ngx_module.so; {{ end }} daemon off; @@ -64,6 +60,10 @@ events { } http { + {{ if (shouldLoadOpentelemetryModule $cfg $servers) }} + opentelemetry_config {{ $cfg.OpentelemetryConfig }}; + {{ end }} + lua_package_path "/etc/nginx/lua/?.lua;;"; {{ buildLuaSharedDictionaries $cfg $servers }} @@ -136,7 +136,7 @@ http { {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}} {{/* we use the value of the real IP for the geo_ip module */}} - {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIp }} + {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }} {{ if $cfg.UseProxyProtocol }} real_ip_header proxy_protocol; {{ else }} @@ -166,43 +166,39 @@ http { {{ end }} - {{ if $cfg.UseGeoIP }} - {{/* databases used to determine the country depending on the client IP address */}} - {{/* http://nginx.org/en/docs/http/ngx_http_geoip_module.html */}} - {{/* this is require to calculate traffic for individual country using GeoIP in the status page */}} - geoip_country /etc/nginx/geoip/GeoIP.dat; - geoip_city /etc/nginx/geoip/GeoLiteCity.dat; - geoip_org /etc/nginx/geoip/GeoIPASNum.dat; - geoip_proxy_recursive on; - {{ end }} - {{ if $cfg.UseGeoIP2 }} # https://github.com/leev/ngx_http_geoip2_module#example-usage {{ range $index, $file := $all.MaxmindEditionFiles }} {{ if eq $file "GeoLite2-Country.mmdb" }} - geoip2 /etc/nginx/geoip/GeoLite2-Country.mmdb { + geoip2 /etc/ingress-controller/geoip/GeoLite2-Country.mmdb { $geoip2_country_code source=$remote_addr country iso_code; $geoip2_country_name source=$remote_addr country names en; + $geoip2_country_geoname_id source=$remote_addr country geoname_id; $geoip2_continent_code source=$remote_addr continent code; $geoip2_continent_name source=$remote_addr continent names en; + $geoip2_continent_geoname_id source=$remote_addr continent geoname_id; } {{ end }} {{ if eq $file "GeoIP2-Country.mmdb" }} - geoip2 /etc/nginx/geoip/GeoIP2-Country.mmdb { + geoip2 /etc/ingress-controller/geoip/GeoIP2-Country.mmdb { $geoip2_country_code source=$remote_addr country iso_code; $geoip2_country_name source=$remote_addr country names en; + $geoip2_country_geoname_id source=$remote_addr country geoname_id; $geoip2_continent_code source=$remote_addr continent code; $geoip2_continent_name source=$remote_addr continent names en; + $geoip2_continent_geoname_id source=$remote_addr continent geoname_id; } {{ end }} {{ if eq $file "GeoLite2-City.mmdb" }} - geoip2 /etc/nginx/geoip/GeoLite2-City.mmdb { + geoip2 /etc/ingress-controller/geoip/GeoLite2-City.mmdb { $geoip2_city_country_code source=$remote_addr country iso_code; $geoip2_city_country_name source=$remote_addr country names en; + $geoip2_city_country_geoname_id source=$remote_addr country geoname_id; $geoip2_city source=$remote_addr city names en; + $geoip2_city_geoname_id source=$remote_addr city geoname_id; $geoip2_postal_code source=$remote_addr postal code; $geoip2_dma_code source=$remote_addr location metro_code; $geoip2_latitude source=$remote_addr location latitude; @@ -210,16 +206,22 @@ http { $geoip2_time_zone source=$remote_addr location time_zone; $geoip2_region_code source=$remote_addr subdivisions 0 iso_code; $geoip2_region_name source=$remote_addr subdivisions 0 names en; + $geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id; $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code; $geoip2_subregion_name source=$remote_addr subdivisions 1 names en; + $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id; + $geoip2_city_continent_code source=$remote_addr continent code; + $geoip2_city_continent_name source=$remote_addr continent names en; } {{ end }} {{ if eq $file "GeoIP2-City.mmdb" }} - geoip2 /etc/nginx/geoip/GeoIP2-City.mmdb { + geoip2 /etc/ingress-controller/geoip/GeoIP2-City.mmdb { $geoip2_city_country_code source=$remote_addr country iso_code; $geoip2_city_country_name source=$remote_addr country names en; + $geoip2_city_country_geoname_id source=$remote_addr country geoname_id; $geoip2_city source=$remote_addr city names en; + $geoip2_city_geoname_id source=$remote_addr city geoname_id; $geoip2_postal_code source=$remote_addr postal code; $geoip2_dma_code source=$remote_addr location metro_code; $geoip2_latitude source=$remote_addr location latitude; @@ -227,27 +229,31 @@ http { $geoip2_time_zone source=$remote_addr location time_zone; $geoip2_region_code source=$remote_addr subdivisions 0 iso_code; $geoip2_region_name source=$remote_addr subdivisions 0 names en; + $geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id; $geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code; $geoip2_subregion_name source=$remote_addr subdivisions 1 names en; + $geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id; + $geoip2_city_continent_code source=$remote_addr continent code; + $geoip2_city_continent_name source=$remote_addr continent names en; } {{ end }} {{ if eq $file "GeoLite2-ASN.mmdb" }} - geoip2 /etc/nginx/geoip/GeoLite2-ASN.mmdb { + geoip2 /etc/ingress-controller/geoip/GeoLite2-ASN.mmdb { $geoip2_asn source=$remote_addr autonomous_system_number; $geoip2_org source=$remote_addr autonomous_system_organization; } {{ end }} {{ if eq $file "GeoIP2-ASN.mmdb" }} - geoip2 /etc/nginx/geoip/GeoIP2-ASN.mmdb { + geoip2 /etc/ingress-controller/geoip/GeoIP2-ASN.mmdb { $geoip2_asn source=$remote_addr autonomous_system_number; $geoip2_org source=$remote_addr autonomous_system_organization; } {{ end }} {{ if eq $file "GeoIP2-ISP.mmdb" }} - geoip2 /etc/nginx/geoip/GeoIP2-ISP.mmdb { + geoip2 /etc/ingress-controller/geoip/GeoIP2-ISP.mmdb { $geoip2_isp source=$remote_addr isp; $geoip2_isp_org source=$remote_addr organization; $geoip2_asn source=$remote_addr default=0 autonomous_system_number; @@ -255,13 +261,13 @@ http { {{ end }} {{ if eq $file "GeoIP2-Connection-Type.mmdb" }} - geoip2 /etc/nginx/geoip/GeoIP2-Connection-Type.mmdb { + geoip2 /etc/ingress-controller/geoip/GeoIP2-Connection-Type.mmdb { $geoip2_connection_type connection_type; } {{ end }} {{ if eq $file "GeoIP2-Anonymous-IP.mmdb" }} - geoip2 /etc/nginx/geoip/GeoIP2-Anonymous-IP.mmdb { + geoip2 /etc/ingress-controller/geoip/GeoIP2-Anonymous-IP.mmdb { $geoip2_is_anon source=$remote_addr is_anonymous; $geoip2_is_anonymous source=$remote_addr default=0 is_anonymous; $geoip2_is_anonymous_vpn source=$remote_addr default=0 is_anonymous_vpn; @@ -276,7 +282,10 @@ http { {{ end }} aio threads; + + {{ if $cfg.EnableAioWrite }} aio_write on; + {{ end }} tcp_nopush on; tcp_nodelay on; @@ -291,7 +300,6 @@ http { client_body_temp_path /tmp/nginx/client-body; fastcgi_temp_path /tmp/nginx/fastcgi-temp; proxy_temp_path /tmp/nginx/proxy-temp; - ajp_temp_path /tmp/nginx/ajp-temp; client_header_buffer_size {{ $cfg.ClientHeaderBufferSize }}; client_header_timeout {{ $cfg.ClientHeaderTimeout }}s; @@ -299,9 +307,15 @@ http { client_body_buffer_size {{ $cfg.ClientBodyBufferSize }}; client_body_timeout {{ $cfg.ClientBodyTimeout }}s; + {{ if and (ne $cfg.HTTP2MaxHeaderSize "") (ne $cfg.HTTP2MaxFieldSize "") }} http2_max_field_size {{ $cfg.HTTP2MaxFieldSize }}; http2_max_header_size {{ $cfg.HTTP2MaxHeaderSize }}; + {{ end }} + + {{ if (gt $cfg.HTTP2MaxRequests 0) }} http2_max_requests {{ $cfg.HTTP2MaxRequests }}; + {{ end }} + http2_max_concurrent_streams {{ $cfg.HTTP2MaxConcurrentStreams }}; types_hash_max_size 2048; @@ -321,7 +335,7 @@ http { limit_req_status {{ $cfg.LimitReqStatusCode }}; limit_conn_status {{ $cfg.LimitConnStatusCode }}; - {{ buildOpentracing $cfg $servers }} + {{ buildOpentelemetry $cfg $servers }} include /etc/nginx/mime.types; default_type {{ $cfg.DefaultType }}; @@ -336,6 +350,9 @@ http { {{ if $cfg.UseGzip }} gzip on; gzip_comp_level {{ $cfg.GzipLevel }}; + {{- if $cfg.GzipDisable }} + gzip_disable "{{ $cfg.GzipDisable }}"; + {{- end }} gzip_http_version 1.1; gzip_min_length {{ $cfg.GzipMinLength}}; gzip_types {{ $cfg.GzipTypes }}; @@ -377,7 +394,7 @@ http { {{ if $cfg.EnableSyslog }} access_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} upstreaminfo if=$loggable; {{ else }} - access_log {{ or $cfg.HttpAccessLogPath $cfg.AccessLogPath }} upstreaminfo {{ $cfg.AccessLogParams }} if=$loggable; + access_log {{ or $cfg.HTTPAccessLogPath $cfg.AccessLogPath }} upstreaminfo {{ $cfg.AccessLogParams }} if=$loggable; {{ end }} {{ end }} @@ -447,7 +464,7 @@ http { ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }}; {{ if not (empty $cfg.SSLSessionTicketKey ) }} - ssl_session_ticket_key /etc/nginx/tickets.key; + ssl_session_ticket_key /etc/ingress-controller/tickets.key; {{ end }} # slightly reduce the time-to-first-byte @@ -470,7 +487,7 @@ http { ssl_certificate {{ $cfg.DefaultSSLCertificate.PemFileName }}; ssl_certificate_key {{ $cfg.DefaultSSLCertificate.PemFileName }}; - {{ if gt (len $cfg.CustomHTTPErrors) 0 }} + {{ if and $cfg.CustomHTTPErrors (not $cfg.DisableProxyInterceptErrors) }} proxy_intercept_errors on; {{ end }} @@ -519,14 +536,14 @@ http { {{ range $rl := (filterRateLimits $servers ) }} # Ratelimit {{ $rl.Name }} - geo $remote_addr $whitelist_{{ $rl.ID }} { + geo $remote_addr $allowlist_{{ $rl.ID }} { default 0; - {{ range $ip := $rl.Whitelist }} + {{ range $ip := $rl.Allowlist }} {{ $ip }} 1;{{ end }} } # Ratelimit {{ $rl.Name }} - map $whitelist_{{ $rl.ID }} $limit_{{ $rl.ID }} { + map $allowlist_{{ $rl.ID }} $limit_{{ $rl.ID }} { 0 {{ $cfg.LimitConnZoneVariable }}; 1 ""; } @@ -641,6 +658,10 @@ http { server { server_name {{ buildServerName $server.Hostname }} {{range $server.Aliases }}{{ . }} {{ end }}; + {{ if $cfg.UseHTTP2 }} + http2 on; + {{ end }} + {{ if gt (len $cfg.BlockUserAgents) 0 }} if ($block_ua) { return 403; @@ -680,6 +701,11 @@ http { # default server, used for NGINX healthcheck and access to nginx stats server { + # Ensure that modsecurity will not run on an internal location as this is not accessible from outside + {{ if $all.Cfg.EnableModsecurity }} + modsecurity off; + {{ end }} + listen 127.0.0.1:{{ .StatusPort }}; set $proxy_upstream_name "internal"; @@ -688,10 +714,9 @@ http { access_log off; - {{ if $cfg.EnableOpentracing }} - opentracing off; + {{ if $cfg.EnableOpentelemetry }} + opentelemetry off; {{ end }} - location {{ $healthzURI }} { return 200; } @@ -736,6 +761,8 @@ stream { lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;"; lua_shared_dict tcp_udp_configuration_data 5M; + + {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }} init_by_lua_block { collectgarbage("collect") @@ -783,7 +810,7 @@ stream { error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }}; - {{ if $cfg.EnableRealIp }} + {{ if $cfg.EnableRealIP }} {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }} set_real_ip_from {{ $trusted_ip }}; {{ end }} @@ -1053,9 +1080,13 @@ stream { location = {{ $authPath }} { internal; - {{ if (or $all.Cfg.EnableOpentracing $location.Opentracing.Enabled) }} - opentracing on; - opentracing_propagate_context; + {{ if (or $all.Cfg.EnableOpentelemetry $location.Opentelemetry.Enabled) }} + opentelemetry on; + opentelemetry_propagate; + {{ end }} + + {{ if not $all.Cfg.EnableAuthAccessLog }} + access_log off; {{ end }} # Ensure that modsecurity will not run on an internal location as this is not accessible from outside @@ -1173,6 +1204,10 @@ stream { add_header Set-Cookie $auth_cookie; + {{ if $location.CorsConfig.CorsEnabled }} + {{ template "CORS" $location }} + {{ end }} + # Ensure that modsecurity will not run on an internal location as this is not accessible from outside {{ if $all.Cfg.EnableModsecurity }} modsecurity off; @@ -1192,7 +1227,7 @@ stream { set $location_path {{ $ing.Path | escapeLiteralDollar | quote }}; set $global_rate_limit_exceeding n; - {{ buildOpentracingForLocation $all.Cfg.EnableOpentracing $all.Cfg.OpentracingTrustIncomingSpan $location }} + {{ buildOpentelemetryForLocation $all.Cfg.EnableOpentelemetry $all.Cfg.OpentelemetryTrustIncomingSpan $location }} {{ if $location.Mirror.Source }} mirror {{ $location.Mirror.Source }}; @@ -1262,8 +1297,12 @@ stream { {{ buildModSecurityForLocation $all.Cfg $location }} {{ if isLocationAllowed $location }} - {{ if gt (len $location.Whitelist.CIDR) 0 }} - {{ range $ip := $location.Whitelist.CIDR }} + {{ if gt (len $location.Denylist.CIDR) 0 }} + {{ range $ip := $location.Denylist.CIDR }} + deny {{ $ip }};{{ end }} + {{ end }} + {{ if gt (len $location.Allowlist.CIDR) 0 }} + {{ range $ip := $location.Allowlist.CIDR }} allow {{ $ip }};{{ end }} deny all; {{ end }} @@ -1284,7 +1323,7 @@ stream { # `auth_request` module does not support HTTP keepalives in upstream block: # https://trac.nginx.org/nginx/ticket/1579 access_by_lua_block { - local res = ngx.location.capture('{{ $authPath }}', { method = ngx.HTTP_GET, body = '' }) + local res = ngx.location.capture('{{ $authPath }}', { method = ngx.HTTP_GET, body = '', share_all_vars = {{ $externalAuth.KeepaliveShareVars }} }) if res.status == ngx.HTTP_OK then ngx.var.auth_cookie = res.header['Set-Cookie'] {{- range $line := buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }} @@ -1333,8 +1372,6 @@ stream { {{ range $limit := $limits }} {{ $limit }}{{ end }} - {{ buildInfluxDB $location.InfluxDB }} - {{ if isValidByteSize $location.Proxy.BodySize true }} client_max_body_size {{ $location.Proxy.BodySize }}; {{ end }} @@ -1343,13 +1380,11 @@ stream { {{ end }} {{/* By default use vhost as Host to upstream, but allow overrides */}} - {{ if not (eq $proxySetHeader "grpc_set_header") }} {{ if not (empty $location.UpstreamVhost) }} {{ $proxySetHeader }} Host {{ $location.UpstreamVhost | quote }}; {{ else }} {{ $proxySetHeader }} Host $best_http_host; {{ end }} - {{ end }} # Pass the extracted client certificate to the backend {{ if not (empty $server.CertificateAuth.CAFileName) }} @@ -1442,7 +1477,7 @@ stream { {{ end }} {{/* if a location-specific error override is set, add the proxy_intercept here */}} - {{ if $location.CustomHTTPErrors }} + {{ if and $location.CustomHTTPErrors (not $location.DisableProxyInterceptErrors) }} # Custom error pages per ingress proxy_intercept_errors on; {{ end }} @@ -1501,8 +1536,9 @@ stream { {{ if eq $server.Hostname "_" }} # health checks in cloud providers require the use of port {{ $all.ListenPorts.HTTP }} location {{ $all.HealthzURI }} { - {{ if $all.Cfg.EnableOpentracing }} - opentracing off; + + {{ if $all.Cfg.EnableOpentelemetry }} + opentelemetry off; {{ end }} access_log off; @@ -1512,8 +1548,9 @@ stream { # this is required to avoid error if nginx is being monitored # with an external software (like sysdig) location /nginx_status { - {{ if $all.Cfg.EnableOpentracing }} - opentracing off; + + {{ if $all.Cfg.EnableOpentelemetry }} + opentelemetry off; {{ end }} {{ range $v := $all.NginxStatusIpv4Whitelist }} diff --git a/test/data/cleanConf.expected.conf b/test/data/cleanConf.expected.conf index 1666c19f6..7c4a16824 100644 --- a/test/data/cleanConf.expected.conf +++ b/test/data/cleanConf.expected.conf @@ -47,7 +47,7 @@ http { listen_ports = { ssl_proxy = "442", https = "443" }, hsts = true, - hsts_max_age = 15724800, + hsts_max_age = 31536000, hsts_include_subdomains = true, hsts_preload = false, }) diff --git a/test/data/cleanConf.src.conf b/test/data/cleanConf.src.conf index 0e572faa5..89954cf0d 100644 --- a/test/data/cleanConf.src.conf +++ b/test/data/cleanConf.src.conf @@ -65,7 +65,7 @@ lua_shared_dict ocsp_response_cache 5M; listen_ports = { ssl_proxy = "442", https = "443" }, hsts = true, - hsts_max_age = 15724800, + hsts_max_age = 31536000, hsts_include_subdomains = true, hsts_preload = false, }) diff --git a/test/data/config.json b/test/data/config.json index b506399bd..d64cfe0d2 100644 --- a/test/data/config.json +++ b/test/data/config.json @@ -25,7 +25,7 @@ "gzipTypes": "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/javascript text/plain text/x-component", "hsts": true, "hstsIncludeSubdomains": true, - "hstsMaxAge": "15724800", + "hstsMaxAge": "31536000", "keepAlive": 75, "mapHashBucketSize": 64, "maxWorkerConnections": 16384, @@ -100,6 +100,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": ["1.1.1.1"] + }, "whitelist": { "cidr": ["1.1.1.1"] }, @@ -150,6 +153,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": ["1.1.1.1"] + }, "whitelist": { "cidr": ["1.1.1.1"] }, @@ -206,6 +212,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -256,6 +265,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -306,6 +318,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": null + }, "whitelist": { "cidr": null }, @@ -362,6 +377,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": null + }, "whitelist": { "cidr": null }, @@ -395,7 +413,7 @@ "secured": false }, "externalAuth": { - "url": "https://httpbin.org/basic-auth/user/passwd", + "url": "https://httpbun.com/basic-auth/user/passwd", "method": "", "sendBody": false }, @@ -418,6 +436,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -474,6 +495,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -530,6 +554,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -586,6 +613,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -642,6 +672,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -698,6 +731,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -754,6 +790,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -810,6 +849,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -866,6 +908,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -922,6 +967,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -978,6 +1026,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1034,6 +1085,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1090,6 +1144,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1146,6 +1203,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1202,6 +1262,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1258,6 +1321,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1314,6 +1380,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1370,6 +1439,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1426,6 +1498,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1482,6 +1557,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1538,6 +1616,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1594,6 +1675,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1650,6 +1734,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1706,6 +1793,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1762,6 +1852,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1818,6 +1911,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1874,6 +1970,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1930,6 +2029,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -1986,6 +2088,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2042,6 +2147,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2098,6 +2206,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2154,6 +2265,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2210,6 +2324,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2266,6 +2383,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2322,6 +2442,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2378,6 +2501,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2434,6 +2560,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2490,6 +2619,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2546,6 +2678,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2602,6 +2737,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2658,6 +2796,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2714,6 +2855,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2770,6 +2914,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2826,6 +2973,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2882,6 +3032,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2938,6 +3091,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -2994,6 +3150,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3050,6 +3209,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3106,6 +3268,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3162,6 +3327,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3218,6 +3386,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3274,6 +3445,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3330,6 +3504,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3386,6 +3563,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3442,6 +3622,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3498,6 +3681,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3554,6 +3740,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3610,6 +3799,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3666,6 +3858,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3722,6 +3917,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3778,6 +3976,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3834,6 +4035,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3890,6 +4094,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -3946,6 +4153,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4002,6 +4212,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4058,6 +4271,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4114,6 +4330,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4170,6 +4389,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4226,6 +4448,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4282,6 +4507,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4338,6 +4566,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4394,6 +4625,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4450,6 +4684,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4506,6 +4743,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4562,6 +4802,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4618,6 +4861,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4674,6 +4920,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4730,6 +4979,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4786,6 +5038,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4842,6 +5097,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4898,6 +5156,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -4954,6 +5215,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5010,6 +5274,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5066,6 +5333,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5122,6 +5392,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5178,6 +5451,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5234,6 +5510,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5290,6 +5569,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5346,6 +5628,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5402,6 +5687,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5458,6 +5746,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5514,6 +5805,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5570,6 +5864,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5626,6 +5923,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5682,6 +5982,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5738,6 +6041,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5794,6 +6100,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5850,6 +6159,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5906,6 +6218,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -5962,6 +6277,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6018,6 +6336,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6074,6 +6395,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6130,6 +6454,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6186,6 +6513,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6242,6 +6572,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6298,6 +6631,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6354,6 +6690,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6410,6 +6749,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6466,6 +6808,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6522,6 +6867,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6578,6 +6926,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6634,6 +6985,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6690,6 +7044,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6746,6 +7103,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6802,6 +7162,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6858,6 +7221,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6914,6 +7280,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -6970,6 +7339,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7026,6 +7398,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7082,6 +7457,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7138,6 +7516,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7194,6 +7575,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7250,6 +7634,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7306,6 +7693,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7362,6 +7752,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7418,6 +7811,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7474,6 +7870,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7530,6 +7929,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7586,6 +7988,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7642,6 +8047,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7698,6 +8106,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7754,6 +8165,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7810,6 +8224,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7866,6 +8283,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7922,6 +8342,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -7978,6 +8401,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8034,6 +8460,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8090,6 +8519,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8146,6 +8578,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8202,6 +8637,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8258,6 +8696,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8314,6 +8755,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8370,6 +8814,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8426,6 +8873,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8482,6 +8932,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8538,6 +8991,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8594,6 +9050,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8650,6 +9109,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8706,6 +9168,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8762,6 +9227,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8818,6 +9286,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8874,6 +9345,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8930,6 +9404,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -8986,6 +9463,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9042,6 +9522,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9098,6 +9581,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9154,6 +9640,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9210,6 +9699,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9266,6 +9758,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9322,6 +9817,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9378,6 +9876,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9434,6 +9935,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9490,6 +9994,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9546,6 +10053,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9602,6 +10112,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9658,6 +10171,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9714,6 +10230,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9770,6 +10289,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9826,6 +10348,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9882,6 +10407,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9938,6 +10466,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -9994,6 +10525,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10050,6 +10584,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10106,6 +10643,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10162,6 +10702,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10218,6 +10761,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10274,6 +10820,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10330,6 +10879,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10386,6 +10938,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10442,6 +10997,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10498,6 +11056,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10554,6 +11115,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10610,6 +11174,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10666,6 +11233,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10722,6 +11292,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10778,6 +11351,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10834,6 +11410,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10890,6 +11469,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -10946,6 +11528,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11002,6 +11587,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11058,6 +11646,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11114,6 +11705,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11170,6 +11764,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11226,6 +11823,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11282,6 +11882,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11338,6 +11941,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11394,6 +12000,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11450,6 +12059,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11506,6 +12118,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11562,6 +12177,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11618,6 +12236,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11674,6 +12295,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11730,6 +12354,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11786,6 +12413,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11842,6 +12472,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11898,6 +12531,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -11954,6 +12590,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12010,6 +12649,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12066,6 +12708,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12122,6 +12767,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12178,6 +12826,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12234,6 +12885,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12290,6 +12944,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12346,6 +13003,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12402,6 +13062,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12458,6 +13121,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12514,6 +13180,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12570,6 +13239,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12626,6 +13298,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12682,6 +13357,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12738,6 +13416,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12794,6 +13475,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12850,6 +13534,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12906,6 +13593,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -12962,6 +13652,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13018,6 +13711,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13074,6 +13770,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13130,6 +13829,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13186,6 +13888,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13242,6 +13947,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13298,6 +14006,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13354,6 +14065,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13410,6 +14124,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13466,6 +14183,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13522,6 +14242,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13578,6 +14301,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13634,6 +14360,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13690,6 +14419,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13746,6 +14478,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13802,6 +14537,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13858,6 +14596,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13914,6 +14655,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -13970,6 +14714,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14026,6 +14773,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14082,6 +14832,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14138,6 +14891,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14194,6 +14950,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14250,6 +15009,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14306,6 +15068,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14362,6 +15127,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14418,6 +15186,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14474,6 +15245,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14530,6 +15304,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14586,6 +15363,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14642,6 +15422,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14698,6 +15481,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14754,6 +15540,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14810,6 +15599,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14866,6 +15658,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14922,6 +15717,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -14978,6 +15776,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15034,6 +15835,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15090,6 +15894,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15146,6 +15953,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15202,6 +16012,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15258,6 +16071,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15314,6 +16130,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15370,6 +16189,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15426,6 +16248,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15482,6 +16307,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15538,6 +16366,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15594,6 +16425,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15650,6 +16484,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15706,6 +16543,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15762,6 +16602,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15818,6 +16661,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15874,6 +16720,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15930,6 +16779,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -15986,6 +16838,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16042,6 +16897,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16098,6 +16956,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16154,6 +17015,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16210,6 +17074,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16266,6 +17133,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16322,6 +17192,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16378,6 +17251,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16434,6 +17310,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16490,6 +17369,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16546,6 +17428,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16602,6 +17487,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16658,6 +17546,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16714,6 +17605,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16770,6 +17664,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16826,6 +17723,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16882,6 +17782,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16938,6 +17841,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -16994,6 +17900,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17050,6 +17959,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17106,6 +18018,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17162,6 +18077,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17218,6 +18136,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17274,6 +18195,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17330,6 +18254,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17386,6 +18313,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17442,6 +18372,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17498,6 +18431,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17554,6 +18490,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17610,6 +18549,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17666,6 +18608,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17722,6 +18667,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17778,6 +18726,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17834,6 +18785,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17890,6 +18844,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -17946,6 +18903,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18002,6 +18962,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18058,6 +19021,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18114,6 +19080,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18170,6 +19139,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18226,6 +19198,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18282,6 +19257,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18338,6 +19316,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18394,6 +19375,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18450,6 +19434,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18506,6 +19493,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18562,6 +19552,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18618,6 +19611,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18674,6 +19670,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18730,6 +19729,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18786,6 +19788,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18842,6 +19847,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18898,6 +19906,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -18954,6 +19965,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19010,6 +20024,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19066,6 +20083,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19122,6 +20142,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19178,6 +20201,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19234,6 +20260,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19290,6 +20319,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19346,6 +20378,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19402,6 +20437,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19458,6 +20496,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19514,6 +20555,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19570,6 +20614,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19626,6 +20673,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19682,6 +20732,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19738,6 +20791,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19794,6 +20850,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19850,6 +20909,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19906,6 +20968,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -19962,6 +21027,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20018,6 +21086,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20074,6 +21145,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20130,6 +21204,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20186,6 +21263,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20242,6 +21322,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20298,6 +21381,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20354,6 +21440,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20410,6 +21499,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20466,6 +21558,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20522,6 +21617,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20578,6 +21676,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20634,6 +21735,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20690,6 +21794,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20746,6 +21853,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20802,6 +21912,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20858,6 +21971,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20914,6 +22030,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -20970,6 +22089,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21026,6 +22148,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21082,6 +22207,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21138,6 +22266,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21194,6 +22325,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21250,6 +22384,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21306,6 +22443,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21362,6 +22502,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21418,6 +22561,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21474,6 +22620,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21530,6 +22679,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21586,6 +22738,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21642,6 +22797,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21698,6 +22856,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21754,6 +22915,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21810,6 +22974,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21866,6 +23033,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21922,6 +23092,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -21978,6 +23151,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22034,6 +23210,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22090,6 +23269,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22146,6 +23328,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22202,6 +23387,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22258,6 +23446,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22314,6 +23505,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22370,6 +23564,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22426,6 +23623,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22482,6 +23682,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22538,6 +23741,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22594,6 +23800,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22650,6 +23859,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22706,6 +23918,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22762,6 +23977,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22818,6 +24036,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22874,6 +24095,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22930,6 +24154,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -22986,6 +24213,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23042,6 +24272,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23098,6 +24331,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23154,6 +24390,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23210,6 +24449,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23266,6 +24508,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23322,6 +24567,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23378,6 +24626,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23434,6 +24685,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23490,6 +24744,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23546,6 +24803,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23602,6 +24862,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23658,6 +24921,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23714,6 +24980,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23770,6 +25039,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23826,6 +25098,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23882,6 +25157,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23938,6 +25216,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -23994,6 +25275,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24050,6 +25334,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24106,6 +25393,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24162,6 +25452,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24218,6 +25511,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24274,6 +25570,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24330,6 +25629,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24386,6 +25688,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24442,6 +25747,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24498,6 +25806,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24554,6 +25865,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24610,6 +25924,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24666,6 +25983,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24722,6 +26042,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24778,6 +26101,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24834,6 +26160,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24890,6 +26219,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -24946,6 +26278,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25002,6 +26337,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25058,6 +26396,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25114,6 +26455,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25170,6 +26514,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25226,6 +26573,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25282,6 +26632,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25338,6 +26691,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25394,6 +26750,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25450,6 +26809,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25506,6 +26868,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25562,6 +26927,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25618,6 +26986,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25674,6 +27045,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25730,6 +27104,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25786,6 +27163,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25842,6 +27222,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25898,6 +27281,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -25954,6 +27340,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26010,6 +27399,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26066,6 +27458,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26122,6 +27517,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26178,6 +27576,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26234,6 +27635,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26290,6 +27694,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26346,6 +27753,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26402,6 +27812,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26458,6 +27871,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26514,6 +27930,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26570,6 +27989,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26626,6 +28048,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26682,6 +28107,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26738,6 +28166,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26794,6 +28225,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26850,6 +28284,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26906,6 +28343,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -26962,6 +28402,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27018,6 +28461,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27074,6 +28520,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27130,6 +28579,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27186,6 +28638,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27242,6 +28697,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27298,6 +28756,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27354,6 +28815,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27410,6 +28874,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27466,6 +28933,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27522,6 +28992,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27578,6 +29051,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27634,6 +29110,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27690,6 +29169,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27746,6 +29228,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27802,6 +29287,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27858,6 +29346,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27914,6 +29405,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -27970,6 +29464,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28026,6 +29523,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28082,6 +29582,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28138,6 +29641,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28194,6 +29700,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28250,6 +29759,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28306,6 +29818,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28362,6 +29877,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28418,6 +29936,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28474,6 +29995,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28530,6 +30054,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28586,6 +30113,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28642,6 +30172,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28698,6 +30231,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28754,6 +30290,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28810,6 +30349,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28866,6 +30408,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28922,6 +30467,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -28978,6 +30526,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29034,6 +30585,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29090,6 +30644,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29146,6 +30703,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29202,6 +30762,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29258,6 +30821,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29314,6 +30880,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29370,6 +30939,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29426,6 +30998,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29482,6 +31057,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29538,6 +31116,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29594,6 +31175,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29650,6 +31234,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29706,6 +31293,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29762,6 +31352,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29818,6 +31411,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29874,6 +31470,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29930,6 +31529,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -29986,6 +31588,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30042,6 +31647,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30098,6 +31706,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30154,6 +31765,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30210,6 +31824,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30266,6 +31883,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30322,6 +31942,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30378,6 +32001,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30434,6 +32060,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30490,6 +32119,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30546,6 +32178,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30602,6 +32237,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30658,6 +32296,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30714,6 +32355,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30770,6 +32414,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30826,6 +32473,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30882,6 +32532,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30938,6 +32591,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -30994,6 +32650,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31050,6 +32709,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31106,6 +32768,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31162,6 +32827,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31218,6 +32886,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31274,6 +32945,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31330,6 +33004,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31386,6 +33063,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31442,6 +33122,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31498,6 +33181,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31554,6 +33240,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31610,6 +33299,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31666,6 +33358,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31722,6 +33417,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31778,6 +33476,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31834,6 +33535,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31890,6 +33594,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -31946,6 +33653,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32002,6 +33712,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32058,6 +33771,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32114,6 +33830,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32170,6 +33889,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32226,6 +33948,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32282,6 +34007,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32338,6 +34066,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32394,6 +34125,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32450,6 +34184,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32506,6 +34243,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32562,6 +34302,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32618,6 +34361,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32674,6 +34420,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32730,6 +34479,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32786,6 +34538,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32842,6 +34597,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32898,6 +34656,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -32954,6 +34715,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33010,6 +34774,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33066,6 +34833,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33122,6 +34892,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33178,6 +34951,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33234,6 +35010,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33290,6 +35069,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33346,6 +35128,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33402,6 +35187,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33458,6 +35246,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33514,6 +35305,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33570,6 +35364,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33626,6 +35423,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33682,6 +35482,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33738,6 +35541,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33794,6 +35600,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33850,6 +35659,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33906,6 +35718,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -33962,6 +35777,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34018,6 +35836,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34074,6 +35895,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34130,6 +35954,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34186,6 +36013,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34242,6 +36072,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34298,6 +36131,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34354,6 +36190,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34410,6 +36249,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34466,6 +36308,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34522,6 +36367,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34578,6 +36426,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34634,6 +36485,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34690,6 +36544,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34746,6 +36603,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34802,6 +36662,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34858,6 +36721,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34914,6 +36780,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -34970,6 +36839,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35026,6 +36898,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35082,6 +36957,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35138,6 +37016,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35194,6 +37075,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35250,6 +37134,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35306,6 +37193,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35362,6 +37252,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35418,6 +37311,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35474,6 +37370,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35530,6 +37429,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35586,6 +37488,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35642,6 +37547,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35698,6 +37606,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35754,6 +37665,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35810,6 +37724,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35866,6 +37783,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35922,6 +37842,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -35978,6 +37901,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36034,6 +37960,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36090,6 +38019,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36146,6 +38078,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36202,6 +38137,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36258,6 +38196,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36314,6 +38255,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36370,6 +38314,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36426,6 +38373,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36482,6 +38432,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36538,6 +38491,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36594,6 +38550,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36650,6 +38609,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36706,6 +38668,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36762,6 +38727,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36818,6 +38786,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36874,6 +38845,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36930,6 +38904,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -36986,6 +38963,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37042,6 +39022,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37098,6 +39081,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37154,6 +39140,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37210,6 +39199,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37266,6 +39258,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37322,6 +39317,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37378,6 +39376,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37434,6 +39435,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37490,6 +39494,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37546,6 +39553,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37602,6 +39612,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37658,6 +39671,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37714,6 +39730,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37770,6 +39789,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37826,6 +39848,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37882,6 +39907,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37938,6 +39966,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -37994,6 +40025,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38050,6 +40084,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38106,6 +40143,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38162,6 +40202,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38218,6 +40261,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38274,6 +40320,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38330,6 +40379,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38386,6 +40438,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38442,6 +40497,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38498,6 +40556,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38554,6 +40615,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38610,6 +40674,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38666,6 +40733,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38722,6 +40792,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38778,6 +40851,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38834,6 +40910,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38890,6 +40969,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -38946,6 +41028,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39002,6 +41087,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39058,6 +41146,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39114,6 +41205,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39170,6 +41264,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39226,6 +41323,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39282,6 +41382,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39338,6 +41441,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39394,6 +41500,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39450,6 +41559,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39506,6 +41618,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39562,6 +41677,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39618,6 +41736,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39674,6 +41795,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39730,6 +41854,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39786,6 +41913,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39842,6 +41972,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39898,6 +42031,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -39954,6 +42090,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40010,6 +42149,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40066,6 +42208,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40122,6 +42267,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40178,6 +42326,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40234,6 +42385,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40290,6 +42444,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40346,6 +42503,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40402,6 +42562,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40458,6 +42621,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40514,6 +42680,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40570,6 +42739,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40626,6 +42798,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40682,6 +42857,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40738,6 +42916,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40794,6 +42975,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40850,6 +43034,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40906,6 +43093,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -40962,6 +43152,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41018,6 +43211,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41074,6 +43270,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41130,6 +43329,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41186,6 +43388,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41242,6 +43447,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41298,6 +43506,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41354,6 +43565,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41410,6 +43624,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41466,6 +43683,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41522,6 +43742,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41578,6 +43801,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41634,6 +43860,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41690,6 +43919,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41746,6 +43978,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41802,6 +44037,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41858,6 +44096,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41914,6 +44155,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -41970,6 +44214,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42026,6 +44273,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42082,6 +44332,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42138,6 +44391,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42194,6 +44450,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42250,6 +44509,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42306,6 +44568,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42362,6 +44627,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42418,6 +44686,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42474,6 +44745,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42530,6 +44804,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42586,6 +44863,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42642,6 +44922,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42698,6 +44981,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42754,6 +45040,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42810,6 +45099,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42866,6 +45158,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42922,6 +45217,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -42978,6 +45276,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43034,6 +45335,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43090,6 +45394,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43146,6 +45453,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43202,6 +45512,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43258,6 +45571,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43314,6 +45630,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43370,6 +45689,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43426,6 +45748,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43482,6 +45807,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43538,6 +45866,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43594,6 +45925,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43650,6 +45984,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43706,6 +46043,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43762,6 +46102,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43818,6 +46161,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43874,6 +46220,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43930,6 +46279,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -43986,6 +46338,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44042,6 +46397,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44098,6 +46456,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44154,6 +46515,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44210,6 +46574,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44266,6 +46633,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44322,6 +46692,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44378,6 +46751,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44434,6 +46810,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44490,6 +46869,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44546,6 +46928,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44602,6 +46987,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44658,6 +47046,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44714,6 +47105,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44770,6 +47164,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44826,6 +47223,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44882,6 +47282,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44938,6 +47341,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -44994,6 +47400,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45050,6 +47459,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45106,6 +47518,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45162,6 +47577,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45218,6 +47636,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45274,6 +47695,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45330,6 +47754,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45386,6 +47813,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45442,6 +47872,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45498,6 +47931,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45554,6 +47990,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45610,6 +48049,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45666,6 +48108,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45722,6 +48167,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45778,6 +48226,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45834,6 +48285,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45890,6 +48344,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -45946,6 +48403,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46002,6 +48462,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46058,6 +48521,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46114,6 +48580,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46170,6 +48639,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46226,6 +48698,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46282,6 +48757,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46338,6 +48816,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46394,6 +48875,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46450,6 +48934,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46506,6 +48993,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46562,6 +49052,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46618,6 +49111,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46674,6 +49170,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46730,6 +49229,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46786,6 +49288,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46842,6 +49347,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46898,6 +49406,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -46954,6 +49465,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47010,6 +49524,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47066,6 +49583,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47122,6 +49642,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47178,6 +49701,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47234,6 +49760,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47290,6 +49819,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47346,6 +49878,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47402,6 +49937,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47458,6 +49996,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47514,6 +50055,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47570,6 +50114,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47626,6 +50173,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47682,6 +50232,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47738,6 +50291,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47794,6 +50350,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47850,6 +50409,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47906,6 +50468,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -47962,6 +50527,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48018,6 +50586,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48074,6 +50645,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48130,6 +50704,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48186,6 +50763,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48242,6 +50822,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48298,6 +50881,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48354,6 +50940,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48410,6 +50999,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48466,6 +51058,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48522,6 +51117,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48578,6 +51176,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48634,6 +51235,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48690,6 +51294,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48746,6 +51353,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48802,6 +51412,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48858,6 +51471,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48914,6 +51530,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -48970,6 +51589,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49026,6 +51648,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49082,6 +51707,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49138,6 +51766,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49194,6 +51825,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49250,6 +51884,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49306,6 +51943,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49362,6 +52002,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49418,6 +52061,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49474,6 +52120,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49530,6 +52179,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49586,6 +52238,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49642,6 +52297,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49698,6 +52356,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49754,6 +52415,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49810,6 +52474,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49866,6 +52533,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49922,6 +52592,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -49978,6 +52651,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50034,6 +52710,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50090,6 +52769,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50146,6 +52828,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50202,6 +52887,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50258,6 +52946,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50314,6 +53005,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50370,6 +53064,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50426,6 +53123,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50482,6 +53182,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50538,6 +53241,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50594,6 +53300,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50650,6 +53359,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50706,6 +53418,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50762,6 +53477,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50818,6 +53536,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50874,6 +53595,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50930,6 +53654,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -50986,6 +53713,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51042,6 +53772,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51098,6 +53831,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51154,6 +53890,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51210,6 +53949,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51266,6 +54008,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51322,6 +54067,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51378,6 +54126,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51434,6 +54185,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51490,6 +54244,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51546,6 +54303,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51602,6 +54362,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51658,6 +54421,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51714,6 +54480,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51770,6 +54539,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51826,6 +54598,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51882,6 +54657,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51938,6 +54716,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -51994,6 +54775,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52050,6 +54834,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52106,6 +54893,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52162,6 +54952,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52218,6 +55011,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52274,6 +55070,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52330,6 +55129,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52386,6 +55188,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52442,6 +55247,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52498,6 +55306,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52554,6 +55365,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52610,6 +55424,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52666,6 +55483,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52722,6 +55542,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52778,6 +55601,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52834,6 +55660,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52890,6 +55719,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -52946,6 +55778,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53002,6 +55837,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53058,6 +55896,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53114,6 +55955,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53170,6 +56014,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53226,6 +56073,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53282,6 +56132,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53338,6 +56191,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53394,6 +56250,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53450,6 +56309,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53506,6 +56368,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53562,6 +56427,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53618,6 +56486,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53674,6 +56545,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53730,6 +56604,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53786,6 +56663,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53842,6 +56722,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53898,6 +56781,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -53954,6 +56840,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54010,6 +56899,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54066,6 +56958,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54122,6 +57017,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54178,6 +57076,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54234,6 +57135,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54290,6 +57194,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54346,6 +57253,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54402,6 +57312,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54458,6 +57371,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54514,6 +57430,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54570,6 +57489,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54626,6 +57548,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54682,6 +57607,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54738,6 +57666,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54794,6 +57725,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54850,6 +57784,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54906,6 +57843,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -54962,6 +57902,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55018,6 +57961,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55074,6 +58020,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55130,6 +58079,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55186,6 +58138,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55242,6 +58197,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55298,6 +58256,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55354,6 +58315,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55410,6 +58374,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55466,6 +58433,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55522,6 +58492,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55578,6 +58551,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55634,6 +58610,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55690,6 +58669,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55746,6 +58728,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55802,6 +58787,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55858,6 +58846,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55914,6 +58905,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -55970,6 +58964,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56026,6 +59023,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56082,6 +59082,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56138,6 +59141,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56194,6 +59200,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56250,6 +59259,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56306,6 +59318,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56339,7 +59354,7 @@ "secured": false }, "externalAuth": { - "url": "https://httpbin.org/basic-auth/user/passwd", + "url": "https://httpbun.com/basic-auth/user/passwd", "method": "", "sendBody": false }, @@ -56362,6 +59377,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56418,6 +59436,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56468,6 +59489,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56524,6 +59548,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56580,6 +59607,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56636,6 +59666,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56692,6 +59725,9 @@ "addBaseUrl": true, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56742,6 +59778,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": null }, @@ -56798,6 +59837,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56854,6 +59896,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -56904,6 +59949,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": null }, @@ -56960,6 +60008,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -57010,6 +60061,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": null }, @@ -57066,6 +60120,9 @@ "addBaseUrl": false, "sslRedirect": true }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -57122,6 +60179,9 @@ "addBaseUrl": false, "sslRedirect": false }, + "denylist": { + "cidr": [] + }, "whitelist": { "cidr": [] }, @@ -57212,4 +60272,4 @@ "failTimeout": 0 }] }] -} \ No newline at end of file +} diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index ab4ba5026..6c1fbefc6 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile @@ -1,12 +1,12 @@ ARG E2E_BASE_IMAGE FROM ${E2E_BASE_IMAGE} AS BASE -FROM alpine:3.16.2 +FROM alpine:3.19.1 -RUN apk add -U --no-cache \ +RUN apk update \ + && apk upgrade && apk add -U --no-cache \ ca-certificates \ bash \ - curl \ tzdata \ libc6-compat \ openssl diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index f89bf6bf2..9f43c4691 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE="registry.k8s.io/ingress-nginx/e2e-test-runner:v20221221-controller-v1.5.1-62-g6ffaef32a@sha256:8f025472964cd15ae2d379503aba150565a8d78eb36b41ddfc5f1e3b1ca81a8e" +E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20240126-760bf8eb@sha256:5e676bf2e5d5d035adfc6e093abee040af08327011e72fef640fa20da73cea2e" image: echo "..entered Makefile in /test/e2e-image" diff --git a/test/e2e-image/e2e.sh b/test/e2e-image/e2e.sh index 7b4d56f10..f8ecd5337 100755 --- a/test/e2e-image/e2e.sh +++ b/test/e2e-image/e2e.sh @@ -14,60 +14,39 @@ # See the License for the specific language governing permissions and # limitations under the License. -set -e +set -eu NC='\e[0m' BGREEN='\e[32m' -#SLOW_E2E_THRESHOLD=${SLOW_E2E_THRESHOLD:-"5s"} -FOCUS=${FOCUS:-.*} E2E_NODES=${E2E_NODES:-5} E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-""} +reportFile="report-e2e-test-suite.xml" ginkgo_args=( - "-randomize-all" - "-flake-attempts=2" - "-fail-fast" - "--show-node-events" + "--fail-fast" + "--flake-attempts=2" + "--junit-report=${reportFile}" + "--nodes=${E2E_NODES}" "--poll-progress-after=180s" -# "-slow-spec-threshold=${SLOW_E2E_THRESHOLD}" - "-succinct" - "-timeout=75m" + "--randomize-all" + "--show-node-events" + "--succinct" + "--timeout=75m" ) -# Variable for the prefix of report filenames -reportFileNamePrefix="report-e2e-test-suite" - -echo -e "${BGREEN}Running e2e test suite (FOCUS=${FOCUS})...${NC}" -ginkgo "${ginkgo_args[@]}" \ - -focus="${FOCUS}" \ - -skip="\[Serial\]|\[MemoryLeak\]" \ - -nodes="${E2E_NODES}" \ - --junit-report=$reportFileNamePrefix.xml \ - /e2e.test -# Create configMap out of a compressed report file for extraction later - -echo -e "${BGREEN}Running e2e test suite with tests that require serial execution...${NC}" -ginkgo "${ginkgo_args[@]}" \ - -focus="\[Serial\]" \ - -skip="\[MemoryLeak\]" \ - --junit-report=$reportFileNamePrefix-serial.xml \ - /e2e.test -# Create configMap out of a compressed report file for extraction later - -if [[ ${E2E_CHECK_LEAKS} != "" ]]; then - echo -e "${BGREEN}Running e2e test suite with tests that check for memory leaks...${NC}" - ginkgo "${ginkgo_args[@]}" \ - -focus="\[MemoryLeak\]" \ - -skip="\[Serial\]" \ - --junit-report=$reportFileNamePrefix-memleak.xml \ - /e2e.test -# Create configMap out of a compressed report file for extraction later +if [ -n "${FOCUS}" ]; then + ginkgo_args+=("--focus=${FOCUS}") fi -for rFile in `ls $reportFileNamePrefix*` -do - gzip -k $rFile - kubectl create cm $rFile.gz --from-file $rFile.gz - kubectl label cm $rFile.gz junitreport=true -done +if [ -z "${E2E_CHECK_LEAKS}" ]; then + ginkgo_args+=("--skip=\[Memory Leak\]") +fi + +echo -e "${BGREEN}Running e2e test suite...${NC}" +(set -x; ginkgo "${ginkgo_args[@]}" /e2e.test) + +# Create configMap out of a compressed report file for extraction later +gzip -k ${reportFile} +kubectl create cm ${reportFile}.gz --from-file ${reportFile}.gz +kubectl label cm ${reportFile}.gz junitreport=true diff --git a/test/e2e-image/namespace-overlays/topology/values.yaml b/test/e2e-image/namespace-overlays/topology/values.yaml new file mode 100644 index 000000000..5e27f7902 --- /dev/null +++ b/test/e2e-image/namespace-overlays/topology/values.yaml @@ -0,0 +1,34 @@ +# TODO: remove the need to use fullnameOverride +fullnameOverride: nginx-ingress +controller: + image: + repository: ingress-controller/controller + chroot: true + tag: 1.0.0-dev + digest: + digestChroot: + scope: + # Necessary to allow the ingress controller to get the topology information from the nodes + enabled: false + config: + worker-processes: "1" + readinessProbe: + initialDelaySeconds: 3 + periodSeconds: 1 + livenessProbe: + initialDelaySeconds: 3 + periodSeconds: 1 + service: + type: NodePort + extraArgs: + # e2e tests do not require information about ingress status + update-status: "false" + terminationGracePeriodSeconds: 1 + admissionWebhooks: + enabled: false + + enableTopologyAwareRouting: true + +rbac: + create: true + scope: false diff --git a/test/e2e-image/namespace-overlays/validations/values.yaml b/test/e2e-image/namespace-overlays/validations/values.yaml new file mode 100644 index 000000000..d423217db --- /dev/null +++ b/test/e2e-image/namespace-overlays/validations/values.yaml @@ -0,0 +1,38 @@ +# TODO: remove the need to use fullnameOverride +fullnameOverride: nginx-ingress +controller: + image: + repository: ingress-controller/controller + chroot: true + tag: 1.0.0-dev + digest: + digestChroot: + containerPort: + http: "1080" + https: "1443" + + extraArgs: + http-port: "1080" + https-port: "1443" + # e2e tests do not require information about ingress status + update-status: "false" + + scope: + enabled: true + + config: + worker-processes: "1" + service: + type: NodePort + + admissionWebhooks: + enabled: true + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + +defaultBackend: + enabled: false + +rbac: + create: true + scope: true diff --git a/test/e2e/HTTPBUN_IMAGE b/test/e2e/HTTPBUN_IMAGE new file mode 100644 index 000000000..7e83b49fe --- /dev/null +++ b/test/e2e/HTTPBUN_IMAGE @@ -0,0 +1 @@ +registry.k8s.io/ingress-nginx/e2e-test-httpbun:v20231011-8b53cabe0 diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index bde98fddf..c41105e2d 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -30,9 +30,13 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" + + networking "k8s.io/api/networking/v1" ) -var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { +const admissionTestHost = "admission-test" + +var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", func() { f := framework.NewDefaultFramework("admission") ginkgo.BeforeEach(func() { @@ -40,13 +44,8 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { f.NewSlowEchoDeployment() }) - ginkgo.AfterEach(func() { - err := uninstallChart(f) - assert.Nil(ginkgo.GinkgoT(), err, "uninstalling helm chart") - }) - ginkgo.It("reject ingress with global-rate-limit annotations when memcached is not configured", func() { - host := "admission-test" + host := admissionTestHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/global-rate-limit": "100", @@ -73,7 +72,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { }) ginkgo.It("should not allow overlaps of host and paths without canary annotations", func() { - host := "admission-test" + host := admissionTestHost firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, nil) _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) @@ -90,7 +89,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { }) ginkgo.It("should allow overlaps of host and paths with canary annotation", func() { - host := "admission-test" + host := admissionTestHost firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, nil) _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) @@ -128,7 +127,16 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { }) ginkgo.It("should return an error if there is an error validating the ingress definition", func() { - host := "admission-test" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := admissionTestHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": "something invalid", @@ -139,7 +147,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { }) ginkgo.It("should return an error if there is an invalid value in some annotation", func() { - host := "admission-test" + host := admissionTestHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/connection-proxy-header": "a;}", @@ -153,7 +161,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { }) ginkgo.It("should return an error if there is a forbidden value in some annotation", func() { - host := "admission-test" + host := admissionTestHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/connection-proxy-header": "set_by_lua", @@ -166,6 +174,40 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error") }) + ginkgo.It("should return an error if there is an invalid path and wrong pathType is set", func() { + host := "path-validation" + var ( + exactPathType = networking.PathTypeExact + prefixPathType = networking.PathTypePrefix + implSpecific = networking.PathTypeImplementationSpecific + ) + + f.UpdateNginxConfigMapData("strict-validate-path-type", "true") + + invalidPath := framework.NewSingleIngress("first-ingress", "/foo/bar/[a-z]{3}", host, f.Namespace, framework.EchoService, 80, nil) + invalidPath.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &exactPathType + + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), invalidPath, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid path value should return an error") + + invalidPath.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &prefixPathType + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), invalidPath, metav1.CreateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid path value should return an error") + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/use-regex": "true", + "nginx.ingress.kubernetes.io/rewrite-target": "/new/backend", + } + pathSpecific := framework.NewSingleIngress("pathspec-ingress", "/foo/bar/[a-z]{3}", host, f.Namespace, framework.EchoService, 80, annotations) + pathSpecific.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &implSpecific + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), pathSpecific, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with arbitrary path and implSpecific value should not return an error") + + validPath := framework.NewSingleIngress("second-ingress", "/bloblo", host, f.Namespace, framework.EchoService, 80, nil) + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), validPath, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with valid path should not return an error") + }) + ginkgo.It("should not return an error if the Ingress V1 definition is valid with Ingress Class", func() { out, err := createIngress(f.Namespace, validV1Ingress) assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions created\n", out) @@ -199,6 +241,15 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { }) ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + out, err := createIngress(f.Namespace, invalidV1Ingress) assert.Empty(ginkgo.GinkgoT(), out) assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl") @@ -210,22 +261,20 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() { }) ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass) assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out) assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl") }) }) -func uninstallChart(f *framework.Framework) error { - cmd := exec.Command("helm", "uninstall", "--namespace", f.Namespace, "nginx-ingress") - _, err := cmd.CombinedOutput() - if err != nil { - return fmt.Errorf("unexpected error uninstalling ingress-nginx release: %v", err) - } - - return nil -} - const ( validV1Ingress = ` apiVersion: networking.k8s.io/v1 @@ -324,7 +373,7 @@ func createIngress(namespace, ingressDefinition string) (string, error) { execOut bytes.Buffer execErr bytes.Buffer ) - + //nolint:gosec // Ignore G204 error cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%v --warnings-as-errors=false apply --namespace %s -f -", framework.KubectlPath, namespace)) cmd.Stdin = strings.NewReader(ingressDefinition) cmd.Stdout = &execOut diff --git a/test/e2e/annotations/affinity.go b/test/e2e/annotations/affinity.go index 3e1e9e969..b64581ef6 100644 --- a/test/e2e/annotations/affinity.go +++ b/test/e2e/annotations/affinity.go @@ -32,6 +32,14 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + affinityAnnotation = "cookie" + cookieName = "SERVERID" + enableAnnotation = "true" + disableAnnotation = "false" + defaultHost = "foo.com" +) + var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f := framework.NewDefaultFramework("affinity") @@ -42,8 +50,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set sticky cookie SERVERID", func() { host := "sticky.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -64,8 +72,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should change cookie name on ingress definition change", func() { host := "change.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -80,7 +88,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { WithHeader("Host", host). Expect(). Status(http.StatusOK). - Header("Set-Cookie").Contains("SERVERID") + Header("Set-Cookie").Contains(cookieName) ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "OTHERCOOKIENAME" @@ -99,8 +107,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set the path to /something on the generated cookie", func() { host := "path.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName ing := framework.NewSingleIngress(host, "/something", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -122,8 +130,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { pathtype := networking.PathTypePrefix host := "morethanonerule.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName f.EnsureIngress(&networking.Ingress{ ObjectMeta: metav1.ObjectMeta{ @@ -194,7 +202,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set cookie with expires", func() { host := "cookieexpires.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "ExpiresCookie" annotations["nginx.ingress.kubernetes.io/session-cookie-expires"] = "172800" annotations["nginx.ingress.kubernetes.io/session-cookie-max-age"] = "259200" @@ -211,7 +219,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { assert.Nil(ginkgo.GinkgoT(), err, "loading GMT location") assert.NotNil(ginkgo.GinkgoT(), local, "expected a location but none returned") - duration, _ := time.ParseDuration("48h") + duration, err := time.ParseDuration("48h") + assert.Nil(ginkgo.GinkgoT(), err, "parsing duration") expected := time.Now().In(local).Add(duration).Format("Mon, 02-Jan-06 15:04") f.HTTPTestClient(). @@ -225,7 +234,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set cookie with domain", func() { host := "cookiedomain.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "DomainCookie" annotations["nginx.ingress.kubernetes.io/session-cookie-domain"] = "foo.bar" @@ -248,7 +257,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should not set cookie without domain annotation", func() { host := "cookienodomain.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "NoDomainCookie" ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) @@ -270,9 +279,9 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should work with use-regex annotation and session-cookie-path", func() { host := "useregex.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/use-regex"] = "true" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/use-regex"] = enableAnnotation annotations["nginx.ingress.kubernetes.io/session-cookie-path"] = "/foo/bar" ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations) @@ -294,9 +303,9 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should warn user when use-regex is true and session-cookie-path is not set", func() { host := "useregexwarn.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/use-regex"] = "true" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/use-regex"] = enableAnnotation ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -321,7 +330,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { host := "separate.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation ing1 := framework.NewSingleIngress("ingress1", "/foo/bar", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing1) @@ -351,8 +360,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set sticky cookie without host", func() { annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName ing := framework.NewSingleIngress("default-no-host", "/", "", f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -370,12 +379,12 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { }) ginkgo.It("should work with server-alias annotation", func() { - host := "foo.com" + host := defaultHost alias1 := "a1.foo.com" alias2 := "a2.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName annotations["nginx.ingress.kubernetes.io/server-alias"] = fmt.Sprintf("%s,%s", alias1, alias2) ing := framework.NewSingleIngress(host, "/bar", host, f.Namespace, framework.EchoService, 80, annotations) @@ -383,7 +392,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - //server alias sort by sort.Strings(), see: internal/ingress/annotations/alias/main.go:60 + // server alias sort by sort.Strings(), see: internal/ingress/annotations/alias/main.go:60 return strings.Contains(server, fmt.Sprintf("server_name %s %s %s ;", host, alias1, alias2)) }) @@ -410,11 +419,11 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { }) ginkgo.It("should set secure in cookie with provided true annotation on http", func() { - host := "foo.com" + host := defaultHost annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = "true" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = enableAnnotation ing := framework.NewSingleIngress(host, "/bar", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -433,11 +442,11 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { }) ginkgo.It("should not set secure in cookie with provided false annotation on http", func() { - host := "foo.com" + host := defaultHost annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = "false" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = disableAnnotation ing := framework.NewSingleIngress(host, "/bar", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -456,11 +465,11 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { }) ginkgo.It("should set secure in cookie with provided false annotation on https", func() { - host := "foo.com" + host := defaultHost annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = "false" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = disableAnnotation f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations)) @@ -470,6 +479,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { strings.Contains(server, "listen 443") }) + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). WithURL(f.GetURL(framework.HTTPS)). diff --git a/test/e2e/annotations/affinitymode.go b/test/e2e/annotations/affinitymode.go index cce2b004d..e6253b6ff 100644 --- a/test/e2e/annotations/affinitymode.go +++ b/test/e2e/annotations/affinitymode.go @@ -28,6 +28,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const sslRedirectValue = "false" + var _ = framework.DescribeAnnotation("affinitymode", func() { f := framework.NewDefaultFramework("affinity") @@ -45,7 +47,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "hello-cookie" annotations["nginx.ingress.kubernetes.io/session-cookie-expires"] = "172800" annotations["nginx.ingress.kubernetes.io/session-cookie-max-age"] = "172800" - annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = "false" + annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = sslRedirectValue annotations["nginx.ingress.kubernetes.io/affinity-mode"] = "balanced" annotations["nginx.ingress.kubernetes.io/session-cookie-hash"] = "sha1" @@ -78,7 +80,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "hello-cookie" annotations["nginx.ingress.kubernetes.io/session-cookie-expires"] = "172800" annotations["nginx.ingress.kubernetes.io/session-cookie-max-age"] = "172800" - annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = "false" + annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = sslRedirectValue annotations["nginx.ingress.kubernetes.io/affinity-mode"] = "persistent" annotations["nginx.ingress.kubernetes.io/session-cookie-hash"] = "sha1" @@ -106,7 +108,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { // Send new requests and add new backends. Check which backend responded to the sent request cookies := getCookiesFromHeader(response.Header("Set-Cookie").Raw()) for sendRequestNumber := 0; sendRequestNumber < 10; sendRequestNumber++ { - replicas = replicas + 1 + replicas++ err := framework.UpdateDeployment(f.KubeClientSet, f.Namespace, deploymentName, replicas, nil) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() @@ -125,7 +127,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { framework.Sleep() // validate, there is no backend to serve the request - response = request.WithCookies(cookies).Expect().Status(http.StatusServiceUnavailable) + request.WithCookies(cookies).Expect().Status(http.StatusServiceUnavailable) // create brand new backends replicas = 2 diff --git a/test/e2e/annotations/alias.go b/test/e2e/annotations/alias.go index de829507d..ca4fe9c31 100644 --- a/test/e2e/annotations/alias.go +++ b/test/e2e/annotations/alias.go @@ -26,6 +26,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const fooHost = "foo" + var _ = framework.DescribeAnnotation("server-alias", func() { f := framework.NewDefaultFramework("alias") @@ -34,7 +36,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { }) ginkgo.It("should return status code 200 for host 'foo' and 404 for 'bar'", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -60,7 +62,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { }) ginkgo.It("should return status code 200 for host 'foo' and 'bar'", func() { - host := "foo" + host := fooHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-alias": "bar", } @@ -73,7 +75,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { return strings.Contains(server, fmt.Sprintf("server_name %v", host)) }) - hosts := []string{"foo", "bar"} + hosts := []string{fooHost, "bar"} for _, host := range hosts { f.HTTPTestClient(). GET("/"). @@ -85,7 +87,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { }) ginkgo.It("should return status code 200 for hosts defined in two ingresses, different path with one alias", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngress("app-a", "/app-a", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -101,7 +103,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { return strings.Contains(server, fmt.Sprintf("server_name %v bar", host)) }) - hosts := []string{"foo", "bar"} + hosts := []string{fooHost, "bar"} for _, host := range hosts { f.HTTPTestClient(). GET("/app-a"). diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index 1f0f4c3b2..ea33fdf32 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -21,10 +21,10 @@ import ( "fmt" "net/http" "net/url" - "os/exec" "regexp" "strings" - "time" + + "golang.org/x/crypto/bcrypt" "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" @@ -36,15 +36,21 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + differentHost = "different" + authHost = "auth" + authURL = "http://foo.bar.baz:5000/path" +) + var _ = framework.DescribeAnnotation("auth-*", func() { - f := framework.NewDefaultFramework("auth") + f := framework.NewDefaultFramework("auth", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { f.NewEchoDeployment() }) ginkgo.It("should return status code 200 when no authentication is configured", func() { - host := "auth" + host := authHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -63,7 +69,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 503 when authentication is configured with an invalid secret", func() { - host := "auth" + host := authHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", "nginx.ingress.kubernetes.io/auth-secret": "something", @@ -87,9 +93,9 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 401 when authentication is configured but Authorization header is not configured", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -114,9 +120,9 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -142,9 +148,9 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -170,9 +176,9 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 200 when authentication is configured and Authorization header is sent", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -191,15 +197,15 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.HTTPTestClient(). GET("/"). WithHeader("Host", host). - WithBasicAuth("foo", "bar"). + WithBasicAuth(fooHost, "bar"). Expect(). Status(http.StatusOK) }) ginkgo.It("should return status code 200 when authentication is configured with a map and Authorization header is sent", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildMapSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildMapSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -219,13 +225,13 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.HTTPTestClient(). GET("/"). WithHeader("Host", host). - WithBasicAuth("foo", "bar"). + WithBasicAuth(fooHost, "bar"). Expect(). Status(http.StatusOK) }) ginkgo.It("should return status code 401 when authentication is configured with invalid content and Authorization header is sent", func() { - host := "auth" + host := authHost s := f.EnsureSecret( &corev1.Secret{ @@ -258,19 +264,27 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.HTTPTestClient(). GET("/"). WithHeader("Host", host). - WithBasicAuth("foo", "bar"). + WithBasicAuth(fooHost, "bar"). Expect(). Status(http.StatusUnauthorized) }) ginkgo.It(`should set snippet "proxy_set_header My-Custom-Header 42;" when external auth is configured`, func() { - host := "auth" + host := authHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password", "nginx.ingress.kubernetes.io/auth-snippet": ` proxy_set_header My-Custom-Header 42;`, } + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -282,7 +296,16 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It(`should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured`, func() { - host := "auth" + host := authHost + + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-snippet": ` @@ -299,7 +322,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It(`should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set`, func() { - host := "auth" + host := authHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password", @@ -320,11 +343,11 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It(`should set cache_key when external auth cache is configured`, func() { - host := "auth" + host := authHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password", - "nginx.ingress.kubernetes.io/auth-cache-key": "foo", + "nginx.ingress.kubernetes.io/auth-cache-key": fooHost, "nginx.ingress.kubernetes.io/auth-cache-duration": "200 202 401 30m", } @@ -337,7 +360,6 @@ var _ = framework.DescribeAnnotation("auth-*", func() { func(server string) bool { return cacheRegex.MatchString(server) && strings.Contains(server, `proxy_cache_valid 200 202 401 30m;`) - }) }) @@ -389,10 +411,10 @@ http { assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbinIP := e.Subsets[0].Addresses[0].IP + nginxIP := e.Subsets[0].Addresses[0].IP annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/cookies/set/alma/armud", nginxIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } @@ -403,9 +425,9 @@ http { f.EnsureIngress(ing2) f.WaitForNginxServer(host, func(server string) bool { + //nolint:goconst //server_name is a constant return strings.Contains(server, "server_name "+host) }) - }) ginkgo.It("user retains cookie by default", func() { @@ -431,7 +453,7 @@ http { }) ginkgo.It("user with annotated ingress retains cookie if upstream returns error status code", func() { - annotations["nginx.ingress.kubernetes.io/auth-always-set-cookie"] = "true" + annotations["nginx.ingress.kubernetes.io/auth-always-set-cookie"] = enableAnnotation f.UpdateIngress(ing1) f.UpdateIngress(ing2) @@ -451,26 +473,13 @@ http { }) ginkgo.Context("when external authentication is configured", func() { - host := "auth" + host := authHost var annotations map[string]string var ing *networking.Ingress ginkgo.BeforeEach(func() { - f.NewHttpbinDeployment() - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - - httpbinIP := e.Subsets[0].Addresses[0].IP - annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } @@ -508,7 +517,7 @@ http { annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth" f.UpdateIngress(ing) - anotherHost := "different" + anotherHost := differentHost anotherAnnotations := map[string]string{} anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations) @@ -557,12 +566,12 @@ http { // Sleep a while just to guarantee that the configmap is applied framework.Sleep() - annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path" + annotations["nginx.ingress.kubernetes.io/auth-url"] = authURL f.UpdateIngress(ing) f.WaitForNginxServer("", func(server string) bool { - return strings.Contains(server, "http://foo.bar.baz:5000/path") && + return strings.Contains(server, authURL) && !strings.Contains(server, `upstream auth-external-auth`) }) }) @@ -595,19 +604,19 @@ http { // Sleep a while just to guarantee that the configmap is applied framework.Sleep() - annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path" + annotations["nginx.ingress.kubernetes.io/auth-url"] = authURL annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "-1" f.UpdateIngress(ing) f.WaitForNginxServer("", func(server string) bool { - return strings.Contains(server, "http://foo.bar.baz:5000/path") && + return strings.Contains(server, authURL) && !strings.Contains(server, `upstream auth-external-auth`) }) }) ginkgo.It(`should not create additional upstream block when auth-keepalive is set with HTTP/2`, func() { - annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path" + annotations["nginx.ingress.kubernetes.io/auth-url"] = authURL annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "123" annotations["nginx.ingress.kubernetes.io/auth-keepalive-requests"] = "456" annotations["nginx.ingress.kubernetes.io/auth-keepalive-timeout"] = "789" @@ -615,7 +624,7 @@ http { f.WaitForNginxServer("", func(server string) bool { - return strings.Contains(server, "http://foo.bar.baz:5000/path") && + return strings.Contains(server, authURL) && !strings.Contains(server, `upstream auth-external-auth`) }) }) @@ -641,28 +650,55 @@ http { strings.Contains(server, `keepalive_timeout 789s;`) }) }) + + ginkgo.It(`should disable set_all_vars when auth-keepalive-share-vars is not set`, func() { + f.UpdateNginxConfigMapData("use-http2", "false") + defer func() { + f.UpdateNginxConfigMapData("use-http2", "true") + }() + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "10" + f.UpdateIngress(ing) + + f.WaitForNginxServer("", + func(server string) bool { + return strings.Contains(server, `upstream auth-external-auth`) && + strings.Contains(server, `keepalive 10;`) && + strings.Contains(server, `share_all_vars = false`) + }) + }) + + ginkgo.It(`should enable set_all_vars when auth-keepalive-share-vars is true`, func() { + f.UpdateNginxConfigMapData("use-http2", "false") + defer func() { + f.UpdateNginxConfigMapData("use-http2", "true") + }() + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "10" + annotations["nginx.ingress.kubernetes.io/auth-keepalive-share-vars"] = enableAnnotation + f.UpdateIngress(ing) + + f.WaitForNginxServer("", + func(server string) bool { + return strings.Contains(server, `upstream auth-external-auth`) && + strings.Contains(server, `keepalive 10;`) && + strings.Contains(server, `share_all_vars = true`) + }) + }) }) ginkgo.Context("when external authentication is configured with a custom redirect param", func() { - host := "auth" + host := authHost var annotations map[string]string var ing *networking.Ingress ginkgo.BeforeEach(func() { - f.NewHttpbinDeployment() - - var httpbinIP string - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - httpbinIP = e.Subsets[0].Addresses[0].IP - annotations = map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", "nginx.ingress.kubernetes.io/auth-signin-redirect-param": "orig", } @@ -701,7 +737,7 @@ http { annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth" f.UpdateIngress(ing) - anotherHost := "different" + anotherHost := differentHost anotherAnnotations := map[string]string{} anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations) @@ -721,30 +757,15 @@ http { }) ginkgo.Context("when external authentication with caching is configured", func() { - thisHost := "auth" - thatHost := "different" + thisHost := authHost + thatHost := differentHost fooPath := "/foo" barPath := "/bar" ginkgo.BeforeEach(func() { - f.NewHttpbinDeployment() - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - framework.Sleep(1 * time.Second) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - - httpbinIP := e.Subsets[0].Addresses[0].IP - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", "nginx.ingress.kubernetes.io/auth-cache-key": "fixed", "nginx.ingress.kubernetes.io/auth-cache-duration": "200 201 401 30m", @@ -777,7 +798,7 @@ http { Expect(). Status(http.StatusOK) - err := f.DeleteDeployment(framework.HTTPBinService) + err := f.DeleteDeployment(framework.HTTPBunService) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() @@ -797,7 +818,7 @@ http { Expect(). Status(http.StatusOK) - err := f.DeleteDeployment(framework.HTTPBinService) + err := f.DeleteDeployment(framework.HTTPBunService) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() @@ -826,7 +847,7 @@ http { Expect(). Status(http.StatusOK) - err := f.DeleteDeployment(framework.HTTPBinService) + err := f.DeleteDeployment(framework.HTTPBunService) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() @@ -859,7 +880,7 @@ http { }) ginkgo.Context("with invalid auth-url should deny whole location", func() { - host := "auth" + host := authHost var annotations map[string]string var ing *networking.Ingress @@ -899,7 +920,7 @@ http { // Auth error func buildSecret(username, password, name, namespace string) *corev1.Secret { - out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() + out, err := bcrypt.GenerateFromPassword([]byte(password), 14) encpass := fmt.Sprintf("%v:%s\n", username, out) assert.Nil(ginkgo.GinkgoT(), err) @@ -917,7 +938,7 @@ func buildSecret(username, password, name, namespace string) *corev1.Secret { } func buildMapSecret(username, password, name, namespace string) *corev1.Secret { - out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() + out, err := bcrypt.GenerateFromPassword([]byte(password), 14) assert.Nil(ginkgo.GinkgoT(), err) return &corev1.Secret{ @@ -927,7 +948,7 @@ func buildMapSecret(username, password, name, namespace string) *corev1.Secret { DeletionGracePeriodSeconds: framework.NewInt64(1), }, Data: map[string][]byte{ - username: []byte(out), + username: out, }, Type: corev1.SecretTypeOpaque, } diff --git a/test/e2e/annotations/authtls.go b/test/e2e/annotations/authtls.go index e96835aa0..c7a05c053 100644 --- a/test/e2e/annotations/authtls.go +++ b/test/e2e/annotations/authtls.go @@ -26,6 +26,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const authTLSFooHost = "authtls.foo.com" + var _ = framework.DescribeAnnotation("auth-tls-*", func() { f := framework.NewDefaultFramework("authtls") @@ -34,7 +36,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -82,7 +84,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace _, err := framework.CreateIngressMASecret( @@ -112,7 +114,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should 302 redirect to error page instead of 400 when auth-tls-error-page is set", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace errorPath := "/error" @@ -159,7 +161,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should pass URL-encoded certificate to upstream", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -204,7 +206,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should validate auth-tls-verify-client", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -260,11 +262,10 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { WithHeader("Host", host). Expect(). Status(http.StatusOK) - }) ginkgo.It("should return 403 using auth-tls-match-cn with no matching CN from client", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -293,7 +294,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should return 200 using auth-tls-match-cn with matching CN from client", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -322,7 +323,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -351,7 +352,8 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) }) -func assertSslClientCertificateConfig(f *framework.Framework, host string, verifyClient string, verifyDepth string) { +//nolint:unparam // Ignore the invariant param: host +func assertSslClientCertificateConfig(f *framework.Framework, host, verifyClient, verifyDepth string) { sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", f.Namespace, host) sslVerify := fmt.Sprintf("ssl_verify_client %s;", verifyClient) sslVerifyDepth := fmt.Sprintf("ssl_verify_depth %s;", verifyDepth) diff --git a/test/e2e/annotations/backendprotocol.go b/test/e2e/annotations/backendprotocol.go index bccb03afb..0a181d3c7 100644 --- a/test/e2e/annotations/backendprotocol.go +++ b/test/e2e/annotations/backendprotocol.go @@ -24,6 +24,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const backendProtocolHost = "backendprotocol.foo.com" + var _ = framework.DescribeAnnotation("backend-protocol", func() { f := framework.NewDefaultFramework("backendprotocol") @@ -32,7 +34,7 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) ginkgo.It("should set backend protocol to https:// and use proxy_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS", } @@ -46,8 +48,23 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) }) + ginkgo.It("should set backend protocol to https:// and use proxy_pass with lowercase annotation", func() { + host := backendProtocolHost + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/backend-protocol": "https", + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "proxy_pass https://upstream_balancer;") + }) + }) + ginkgo.It("should set backend protocol to $scheme:// and use proxy_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "AUTO_HTTP", } @@ -62,7 +79,7 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) ginkgo.It("should set backend protocol to grpc:// and use grpc_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "GRPC", } @@ -77,7 +94,7 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) ginkgo.It("should set backend protocol to grpcs:// and use grpc_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "GRPCS", } @@ -92,7 +109,7 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) ginkgo.It("should set backend protocol to '' and use fastcgi_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", } @@ -105,19 +122,4 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { return strings.Contains(server, "fastcgi_pass upstream_balancer;") }) }) - - ginkgo.It("should set backend protocol to '' and use ajp_pass", func() { - host := "backendprotocol.foo.com" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/backend-protocol": "AJP", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "ajp_pass upstream_balancer;") - }) - }) }) diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go index 893a4dc8b..ea733dbf4 100644 --- a/test/e2e/annotations/canary.go +++ b/test/e2e/annotations/canary.go @@ -30,28 +30,30 @@ import ( ) const ( - canaryService = "echo-canary" + canaryService = "httpbun-canary" ) var _ = framework.DescribeAnnotation("canary-*", func() { - f := framework.NewDefaultFramework("canary") + f := framework.NewDefaultFramework("canary", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { - // Deployment for main backend - f.NewEchoDeployment() - // Deployment for canary backend - f.NewEchoDeployment(framework.WithDeploymentName(canaryService)) + f.NewHttpbunDeployment(framework.WithDeploymentName(canaryService)) }) ginkgo.Context("when canary is created", func() { ginkgo.It("should response with a 200 status from the mainline upstream when requests are made to the mainline ingress", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -65,20 +67,27 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) }) ginkgo.It("should return 404 status for requests to the canary if no matching ingress is found", func() { - host := "foo" + host := fooHost canaryAnnotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", @@ -87,13 +96,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). @@ -105,10 +118,10 @@ var _ = framework.DescribeAnnotation("canary-*", func() { TODO: This test needs improvements made to the e2e framework so that deployment updates work in order to successfully run It("should return the correct status codes when endpoints are unavailable", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + ing := framework.NewSingleIngress(host, "/info", host, f.Namespace, framework.HTTPBunService, 80, annotations) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -123,7 +136,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, f.Namespace, canaryService, + canaryIng := framework.NewSingleIngress(canaryIngName, "/info", host, f.Namespace, canaryService, 80, canaryAnnotations) f.EnsureIngress(canaryIng) @@ -159,12 +172,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { */ ginkgo.It("should route requests to the correct upstream if mainline ingress is created before the canary ingress", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -178,33 +196,41 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests destined for the mainline ingress to the maineline upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests destined for the canary ingress to the canary upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) }) ginkgo.It("should route requests to the correct upstream if mainline ingress is created after the canary ingress", func() { - host := "foo" + host := fooHost canaryAnnotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", @@ -213,15 +239,25 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -230,30 +266,38 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests destined for the mainline ingress to the mainelin upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests destined for the canary ingress to the canary upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) }) ginkgo.It("should route requests to the correct upstream if the mainline ingress is modified", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -267,18 +311,27 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) modAnnotations := map[string]string{ - "foo": "bar", + fooHost: "bar", } - modIng := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, modAnnotations) - - f.UpdateIngress(modIng) + f.UpdateIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + modAnnotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -287,30 +340,38 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests destined fro the mainline ingress to the mainline upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests destined for the canary ingress to the canary upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) }) ginkgo.It("should route requests to the correct upstream if the canary ingress is modified", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -324,9 +385,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -338,10 +404,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-by-header": "CanaryByHeader2", } - modIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, newAnnotations) - - f.UpdateIngress(modIng) + f.UpdateIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + newAnnotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -350,31 +420,39 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests destined for the mainline ingress to the mainline upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader2", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests destined for the canary ingress to the canary upstream") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader2", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) }) }) ginkgo.Context("when canaried by header with no value", func() { ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, nil) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + nil)) f.WaitForNginxServer(host, func(server string) bool { @@ -388,48 +466,62 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when header is set to 'always'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to 'never'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). Body(). - Contains(framework.EchoService).NotContains(canaryService) + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to anything else") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "badheadervalue"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) }) }) ginkgo.Context("when canaried by header with value", func() { ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -444,55 +536,73 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when header is set to 'DoCanary'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "DoCanary"). Expect(). Status(http.StatusOK). - Body().Contains(canaryService) + Body(). + Contains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to 'always'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "always"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to 'never'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) ginkgo.By("routing requests to the mainline upstream when header is set to anything else") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "otherheadervalue"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body(). + Contains(framework.HTTPBunService). + NotContains(canaryService) }) }) ginkgo.Context("when canaried by header with value and pattern", func() { ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -507,13 +617,18 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, f.Namespace, canaryService, - 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when header pattern is matched") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "DoCanary"). Expect(). @@ -522,19 +637,25 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests to the mainline upstream when header failed to match header value") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "Docanary"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) }) ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -550,25 +671,36 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, f.Namespace, canaryService, - 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the mainline upstream when header is set to 'DoCananry' and header-value is 'DoCanary'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "DoCananry"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) }) ginkgo.It("should routes to mainline upstream when the given Regex causes error", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -584,30 +716,40 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, f.Namespace, canaryService, - 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the mainline upstream when the given Regex causes error") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "DoCanary"). WithCookie("CanaryByCookie", "always"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) }) }) ginkgo.Context("when canaried by header with value and cookie", func() { ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -623,13 +765,18 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when header value does not match and cookie is set to 'always'") f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("CanaryByHeader", "otherheadervalue"). WithCookie("CanaryByCookie", "always"). @@ -641,12 +788,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("when canaried by cookie", func() { ginkgo.It("respects always and never values", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -660,14 +812,19 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryIngName := fmt.Sprintf("%v-canary", host) - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) ginkgo.By("routing requests to the canary upstream when cookie is set to 'always'") for i := 0; i < 50; i++ { f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie("Canary-By-Cookie", "always"). Expect(). @@ -678,12 +835,12 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.By("routing requests to the mainline upstream when cookie is set to 'never'") for i := 0; i < 50; i++ { f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie("Canary-By-Cookie", "never"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) } ginkgo.By("routing requests to the mainline upstream when cookie is set to anything else") @@ -691,24 +848,29 @@ var _ = framework.DescribeAnnotation("canary-*", func() { // This test relies on canary cookie not parsing into the valid // affinity data and canary weight not being specified at all. f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie("Canary-By-Cookie", "badcookievalue"). Expect(). Status(http.StatusOK). - Body().Contains(framework.EchoService).NotContains(canaryService) + Body().Contains(framework.HTTPBunService).NotContains(canaryService) } }) }) ginkgo.Context("when canaried by weight", func() { ginkgo.It("should route requests only to mainline if canary weight is 0", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -721,9 +883,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight": "0", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -731,22 +898,27 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK). Body(). - Contains(framework.EchoService). + Contains(framework.HTTPBunService). NotContains(canaryService) }) ginkgo.It("should route requests only to canary if canary weight is 100", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -759,12 +931,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight": "100", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK). @@ -773,12 +950,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should route requests only to canary if canary weight is equal to canary weight total", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -792,12 +974,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight-total": "1000", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK). @@ -806,12 +993,17 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should route requests split between mainline and canary if canary weight is 50", func() { - host := "foo" + host := fooHost annotations := map[string]string{} - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -824,9 +1016,51 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight": "50", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) + + TestMainlineCanaryDistribution(f, host) + }) + + ginkgo.It("should route requests split between mainline and canary if canary weight is 100 and weight total is 200", func() { + host := fooHost + annotations := map[string]string{} + + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "server_name foo") + }) + + canaryIngName := fmt.Sprintf("%v-canary", host) + canaryAnnotations := map[string]string{ + "nginx.ingress.kubernetes.io/canary": "true", + "nginx.ingress.kubernetes.io/canary-weight": "100", + "nginx.ingress.kubernetes.io/canary-weight-total": "200", + } + + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) TestMainlineCanaryDistribution(f, host) }) @@ -834,24 +1068,30 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("Single canary Ingress", func() { ginkgo.It("should not use canary as a catch-all server", func() { - host := "foo" + host := fooHost canaryIngName := fmt.Sprintf("%v-canary", host) annotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", "nginx.ingress.kubernetes.io/canary-by-header": "CanaryByHeader", } - ing := framework.NewSingleCatchAllIngress(canaryIngName, - f.Namespace, canaryService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleCatchAllIngress( + canaryIngName, + f.Namespace, + canaryService, + 80, + annotations)) - ing = framework.NewSingleCatchAllIngress(host, f.Namespace, - framework.EchoService, 80, nil) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleCatchAllIngress( + host, + f.Namespace, + framework.HTTPBunService, + 80, + nil)) f.WaitForNginxServer("_", func(server string) bool { - upstreamName := fmt.Sprintf(`set $proxy_upstream_name "%s-%s-%s";`, f.Namespace, framework.EchoService, "80") + upstreamName := fmt.Sprintf(`set $proxy_upstream_name "%s-%s-%s";`, f.Namespace, framework.HTTPBunService, "80") canaryUpstreamName := fmt.Sprintf(`set $proxy_upstream_name "%s-%s-%s";`, f.Namespace, canaryService, "80") return strings.Contains(server, fmt.Sprintf(`set $ingress_name "%v";`, host)) && @@ -862,21 +1102,31 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should not use canary with domain as a server", func() { - host := "foo" + host := fooHost canaryIngName := fmt.Sprintf("%v-canary", host) annotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", "nginx.ingress.kubernetes.io/canary-by-header": "CanaryByHeader", } - ing := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + annotations)) otherHost := "bar" - ing = framework.NewSingleIngress(otherHost, "/", otherHost, - f.Namespace, framework.EchoService, 80, nil) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + otherHost, + "/info", + otherHost, + f.Namespace, + framework.HTTPBunService, + 80, + nil)) f.WaitForNginxConfiguration(func(cfg string) bool { return strings.Contains(cfg, "server_name "+otherHost) && @@ -886,7 +1136,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("does not crash when canary ingress has multiple paths to the same non-matching backend", func() { - host := "foo" + host := fooHost canaryIngName := fmt.Sprintf("%v-canary", host) annotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", @@ -894,13 +1144,22 @@ var _ = framework.DescribeAnnotation("canary-*", func() { } paths := []string{"/foo", "/bar"} - ing := framework.NewSingleIngressWithMultiplePaths(canaryIngName, paths, host, - f.Namespace, "httpy-svc-canary", 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngressWithMultiplePaths( + canaryIngName, + paths, + host, + f.Namespace, + "httpy-svc-canary", + 80, + annotations)) - ing = framework.NewSingleIngress(host, "/", host, f.Namespace, - framework.EchoService, 80, nil) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, f.Namespace, + framework.HTTPBunService, + 80, + nil)) f.WaitForNginxServer(host, func(server string) bool { @@ -909,7 +1168,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.Context("canary affinity behavior", func() { - host := "foo" + host := fooHost affinityCookieName := "aff" canaryIngName := fmt.Sprintf("%v-canary", host) @@ -919,9 +1178,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/session-cookie-name": affinityCookieName, } - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -937,14 +1201,19 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/canary-weight": "1", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) // This request will produce affinity cookie coming from the canary // backend. forcedRequestToCanary := f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("ForceCanary", "yes"). Expect(). @@ -961,7 +1230,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { // routed to a specific backend. for i := 0; i < 50; i++ { f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie(affinityCookieName, affinityCookie.Raw().Value). Expect(). @@ -976,9 +1245,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/session-cookie-name": affinityCookieName, } - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -995,14 +1269,19 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/affinity-canary-behavior": "sticky", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) // This request will produce affinity cookie coming from the canary // backend. forcedRequestToCanary := f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("ForceCanary", "yes"). Expect(). @@ -1019,7 +1298,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { // routed to a specific backend. for i := 0; i < 50; i++ { f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithCookie(affinityCookieName, affinityCookie.Raw().Value). Expect(). @@ -1034,9 +1313,14 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/session-cookie-name": affinityCookieName, } - ing := framework.NewSingleIngress(host, "/", host, - f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/info", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -1053,14 +1337,19 @@ var _ = framework.DescribeAnnotation("canary-*", func() { "nginx.ingress.kubernetes.io/affinity-canary-behavior": "legacy", } - canaryIng := framework.NewSingleIngress(canaryIngName, "/", host, - f.Namespace, canaryService, 80, canaryAnnotations) - f.EnsureIngress(canaryIng) + f.EnsureIngress(framework.NewSingleIngress( + canaryIngName, + "/info", + host, + f.Namespace, + canaryService, + 80, + canaryAnnotations)) // This request will produce affinity cookie coming from the canary // backend. forcedRequestToCanary := f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). WithHeader("ForceCanary", "yes"). Expect(). @@ -1081,12 +1370,11 @@ var _ = framework.DescribeAnnotation("canary-*", func() { TestMainlineCanaryDistribution(f, host) }) }) - }) // This method assumes canary weight being configured at 50%. func TestMainlineCanaryDistribution(f *framework.Framework, host string) { - re := regexp.MustCompile(fmt.Sprintf(`%s.*`, framework.EchoService)) + re := regexp.MustCompile(fmt.Sprintf(`%s.*`, framework.HTTPBunService)) replicaRequestCount := map[string]int{} // The implementation of choice by weight doesn't guarantee exact @@ -1097,7 +1385,7 @@ func TestMainlineCanaryDistribution(f *framework.Framework, host string) { for i := 0; i < requestsToGet; i++ { body := f.HTTPTestClient(). - GET("/"). + GET("/info"). WithHeader("Host", host). Expect(). Status(http.StatusOK).Body().Raw() @@ -1116,6 +1404,14 @@ func TestMainlineCanaryDistribution(f *framework.Framework, host string) { assert.Equal(ginkgo.GinkgoT(), 2, len(keys)) - assert.GreaterOrEqual(ginkgo.GinkgoT(), int(replicaRequestCount[keys[0].String()]), requestsNumberToTest) - assert.GreaterOrEqual(ginkgo.GinkgoT(), int(replicaRequestCount[keys[1].String()]), requestsNumberToTest) + assert.GreaterOrEqual( + ginkgo.GinkgoT(), + replicaRequestCount[keys[0].String()], + requestsNumberToTest, + ) + assert.GreaterOrEqual( + ginkgo.GinkgoT(), + replicaRequestCount[keys[1].String()], + requestsNumberToTest, + ) } diff --git a/test/e2e/annotations/clientbodybuffersize.go b/test/e2e/annotations/clientbodybuffersize.go index 4ea1943bd..15a3530f3 100644 --- a/test/e2e/annotations/clientbodybuffersize.go +++ b/test/e2e/annotations/clientbodybuffersize.go @@ -25,6 +25,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const clientBodyBufferSizeHost = "client-body-buffer-size.com" + var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { f := framework.NewDefaultFramework("clientbodybuffersize") @@ -33,7 +35,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1000", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1000" annotations := make(map[string]string) @@ -55,7 +57,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1K", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1K" annotations := make(map[string]string) @@ -77,7 +79,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1k", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1k" annotations := make(map[string]string) @@ -99,7 +101,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1m", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1m" annotations := make(map[string]string) @@ -121,7 +123,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1M", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1M" annotations := make(map[string]string) @@ -143,7 +145,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should not set client_body_buffer_size to invalid 1b", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1b" annotations := make(map[string]string) diff --git a/test/e2e/annotations/connection.go b/test/e2e/annotations/connection.go index 9cfcbacd0..428d85876 100644 --- a/test/e2e/annotations/connection.go +++ b/test/e2e/annotations/connection.go @@ -17,7 +17,6 @@ limitations under the License. package annotations import ( - "fmt" "net/http" "strings" @@ -52,6 +51,6 @@ var _ = framework.DescribeAnnotation("connection-proxy-header", func() { WithHeader("Host", host). Expect(). Status(http.StatusOK). - Body().Contains(fmt.Sprintf("connection=keep-alive")) + Body().Contains("connection=keep-alive") }) }) diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go index f53bd8e9e..a14a5761f 100644 --- a/test/e2e/annotations/cors.go +++ b/test/e2e/annotations/cors.go @@ -25,6 +25,11 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + originHost = "http://origin.com:8080" + corsHost = "cors.foo.com" +) + var _ = framework.DescribeAnnotation("cors-*", func() { f := framework.NewDefaultFramework("cors") @@ -33,7 +38,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should enable cors", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", } @@ -60,7 +65,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should set cors methods to only allow POST, GET", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-methods": "POST, GET", @@ -76,7 +81,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should set cors max-age", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-max-age": "200", @@ -92,7 +97,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should disable cors allow credentials", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-credentials": "false", @@ -108,7 +113,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow origin for cors", func() { - host := "cors.foo.com" + host := corsHost origin := "https://origin.cors.com:8080" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -135,7 +140,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow headers for cors", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-headers": "DNT, User-Agent", @@ -151,7 +156,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should expose headers for cors", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-expose-headers": "X-CustomResponseHeader, X-CustomSecondHeader", @@ -167,7 +172,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - single origin for multiple cors values", func() { - host := "cors.foo.com" + host := corsHost origin := "https://origin.cors.com:8080" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -194,7 +199,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - single origin for multiple cors values", func() { - host := "cors.foo.com" + host := corsHost origin := "http://no.origin.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -214,7 +219,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow correct origins - single origin for multiple cors values", func() { - host := "cors.foo.com" + host := corsHost badOrigin := "origin.cors.com:8080" origin1 := "https://origin2.cors.com" origin2 := "https://origin.com" @@ -265,7 +270,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not break functionality", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-origin": "*", @@ -289,7 +294,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not break functionality - without `*`", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", } @@ -312,7 +317,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not break functionality with extra domain", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-origin": "*, foo.bar.com", @@ -336,7 +341,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not match", func() { - host := "cors.foo.com" + host := corsHost origin := "https://fooxbar.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -356,8 +361,8 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - single origin with required port", func() { - host := "cors.foo.com" - origin := "http://origin.com:8080" + host := corsHost + origin := originHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://origin.com:8080", @@ -384,8 +389,8 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - single origin with port and origin without port", func() { - host := "cors.foo.com" - origin := "http://origin.com:8080" + host := corsHost + origin := originHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin2.cors.com, http://origin.com", @@ -403,7 +408,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - single origin without port and origin with required port", func() { - host := "cors.foo.com" + host := corsHost origin := "http://origin.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -423,7 +428,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - matching origin with wildcard origin (2 subdomains)", func() { - host := "cors.foo.com" + host := corsHost origin := "http://foo.origin.cors.com" origin2 := "http://bar-foo.origin.cors.com" annotations := map[string]string{ @@ -466,7 +471,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - unmatching origin with wildcard origin (2 subdomains)", func() { - host := "cors.foo.com" + host := corsHost origin := "http://bar.foo.origin.cors.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -486,7 +491,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - matching origin+port with wildcard origin", func() { - host := "cors.foo.com" + host := corsHost origin := "http://abc.origin.com:8080" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -513,7 +518,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - portless origin with wildcard origin", func() { - host := "cors.foo.com" + host := corsHost origin := "http://abc.origin.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -533,8 +538,8 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow correct origins - missing subdomain + origin with wildcard origin and correct origin", func() { - host := "cors.foo.com" - badOrigin := "http://origin.com:8080" + host := corsHost + badOrigin := originHost origin := "http://bar.origin.com:8080" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -569,7 +574,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - missing origins (should allow all origins)", func() { - host := "cors.foo.com" + host := corsHost origin := "http://origin.com" origin2 := "http://book.origin.com" origin3 := "test.origin.com" @@ -627,4 +632,41 @@ var _ = framework.DescribeAnnotation("cors-*", func() { Status(http.StatusOK).Headers(). ValueEqual("Access-Control-Allow-Origin", []string{"*"}) }) + + ginkgo.It("should allow correct origin but not others - cors allow origin annotations contain trailing comma", func() { + host := corsHost + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/enable-cors": "true", + "nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin-123.cors.com:8080, ,https://origin-321.cors.com:8080,", + } + + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + origin1 := "https://origin-123.cors.com:8080" + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("Origin", origin1). + Expect(). + Headers().ContainsKey("Access-Control-Allow-Origin") + + origin2 := "https://origin-321.cors.com:8080" + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("Origin", origin2). + Expect(). + Status(http.StatusOK).Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{origin2}) + + origin3 := "https://unknown.cors.com:8080" + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("Origin", origin3). + Expect(). + Headers(). + NotContainsKey("Access-Control-Allow-Origin") + }) }) diff --git a/test/e2e/annotations/customhttperrors.go b/test/e2e/annotations/customhttperrors.go index 3862f817b..37a3e9695 100644 --- a/test/e2e/annotations/customhttperrors.go +++ b/test/e2e/annotations/customhttperrors.go @@ -27,7 +27,7 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -func errorBlockName(upstreamName string, errorCode string) string { +func errorBlockName(upstreamName, errorCode string) string { return fmt.Sprintf("@custom_%s_%s", upstreamName, errorCode) } diff --git a/test/e2e/annotations/default_backend.go b/test/e2e/annotations/default_backend.go index 53c98a307..72ca303b5 100644 --- a/test/e2e/annotations/default_backend.go +++ b/test/e2e/annotations/default_backend.go @@ -48,18 +48,18 @@ var _ = framework.DescribeAnnotation("default-backend", func() { return strings.Contains(server, fmt.Sprintf("server_name %v", host)) }) - requestId := "something-unique" + requestID := "something-unique" f.HTTPTestClient(). GET("/alma/armud"). WithHeader("Host", host). - WithHeader("x-request-id", requestId). + WithHeader("x-request-id", requestID). Expect(). Status(http.StatusOK). Body().Contains("x-code=503"). Contains(fmt.Sprintf("x-ingress-name=%s", host)). Contains("x-service-name=invalid"). - Contains(fmt.Sprintf("x-request-id=%s", requestId)) + Contains(fmt.Sprintf("x-request-id=%s", requestID)) }) }) }) diff --git a/test/e2e/annotations/disableproxyintercepterrors.go b/test/e2e/annotations/disableproxyintercepterrors.go new file mode 100644 index 000000000..17efa4588 --- /dev/null +++ b/test/e2e/annotations/disableproxyintercepterrors.go @@ -0,0 +1,100 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package annotations + +import ( + "fmt" + "net/http" + "strings" + + networking "k8s.io/api/networking/v1" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeAnnotation("disable-proxy-intercept-errors", func() { + f := framework.NewDefaultFramework("disable-proxy-intercept-errors") + + ginkgo.BeforeEach(func() { + f.NewHttpbunDeployment() + f.NewEchoDeployment() + }) + + ginkgo.It("configures Nginx correctly", func() { + host := "pie.foo.com" + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/custom-http-errors": "404", + "nginx.ingress.kubernetes.io/disable-proxy-intercept-errors": "true", + "nginx.ingress.kubernetes.io/default-backend": framework.EchoService, + } + + ingHTTPBunService := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, annotations) + f.EnsureIngress(ingHTTPBunService) + + var serverConfig string + f.WaitForNginxServer(host, func(sc string) bool { + serverConfig = sc + return strings.Contains(serverConfig, fmt.Sprintf("server_name %s", host)) + }) + + ginkgo.By("turning off proxy_intercept_errors directive") + assert.NotContains(ginkgo.GinkgoT(), serverConfig, "proxy_intercept_errors on;") + + // the plan for client side testing + // create ingress where we disable intercept for code 404 - that error should get to the client + // the same ingress should intercept any other error (>300 and not 404) where we will get intercepted error + ginkgo.By("client test to check response - with intercept disabled") + requestID := "proxy_intercept_errors" + + f.HTTPTestClient(). + GET("/status/404"). + WithHeader("Host", host). + WithHeader("x-request-id", requestID). + Expect(). + Status(http.StatusNotFound). + Body().Empty() + + ginkgo.By("client test to check response - with intercept enabled") + err := framework.UpdateIngress(f.KubeClientSet, f.Namespace, host, func(ingress *networking.Ingress) error { + ingress.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/disable-proxy-intercept-errors"] = "false" + return nil + }) + assert.Nil(ginkgo.GinkgoT(), err) + + f.WaitForNginxServer(host, func(sc string) bool { + if serverConfig != sc { + serverConfig = sc + return true + } + return false + }) + + f.HTTPTestClient(). + GET("/status/404"). + WithHeader("Host", host). + WithHeader("x-request-id", requestID). + Expect(). + Status(http.StatusOK). + Body().Contains("x-code=404"). + Contains(fmt.Sprintf("x-ingress-name=%s", host)). + Contains(fmt.Sprintf("x-service-name=%s", framework.HTTPBunService)). + Contains(fmt.Sprintf("x-request-id=%s", requestID)) + }) +}) diff --git a/test/e2e/annotations/fastcgi.go b/test/e2e/annotations/fastcgi.go index 0dc6ae4a4..bcf1c3487 100644 --- a/test/e2e/annotations/fastcgi.go +++ b/test/e2e/annotations/fastcgi.go @@ -21,7 +21,6 @@ import ( "strings" "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -76,16 +75,14 @@ var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() { Namespace: f.Namespace, }, Data: map[string]string{ - "SCRIPT_FILENAME": "/home/www/scripts/php$fastcgi_script_name", + "SCRIPT_FILENAME": "$fastcgi_script_name", "REDIRECT_STATUS": "200", }, } - cm, err := f.EnsureConfigMap(configuration) - assert.Nil(ginkgo.GinkgoT(), err, "creating configmap") - assert.NotNil(ginkgo.GinkgoT(), cm, "expected a configmap but none returned") + f.EnsureConfigMap(configuration) - host := "fastcgi-params-configmap" + host := "fastcgi-params-configmap" //#nosec G101 annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", @@ -97,7 +94,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() { f.WaitForNginxServer(host, func(server string) bool { - return strings.Contains(server, "fastcgi_param SCRIPT_FILENAME \"/home/www/scripts/php$fastcgi_script_name\";") && + return strings.Contains(server, "fastcgi_param SCRIPT_FILENAME \"$fastcgi_script_name\";") && strings.Contains(server, "fastcgi_param REDIRECT_STATUS \"200\";") }) }) diff --git a/test/e2e/annotations/fromtowwwredirect.go b/test/e2e/annotations/fromtowwwredirect.go index 9201bedb7..b69cce93e 100644 --- a/test/e2e/annotations/fromtowwwredirect.go +++ b/test/e2e/annotations/fromtowwwredirect.go @@ -62,6 +62,15 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { }) ginkgo.It("should redirect from www HTTPS to HTTPS", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + ginkgo.By("setting up server for redirect from www") fromHost := fmt.Sprintf("%s.nip.io", f.GetNginxIP()) @@ -90,7 +99,7 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { ginkgo.By("sending request to www should redirect to domain") f.HTTPTestClientWithTLSConfig(&tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing ServerName: toHost, }). GET("/"). @@ -102,7 +111,7 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { ginkgo.By("sending request to domain should not redirect to www") f.HTTPTestClientWithTLSConfig(&tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing ServerName: fromHost, }). GET("/"). diff --git a/test/e2e/annotations/globalratelimit.go b/test/e2e/annotations/globalratelimit.go index 2efcc3558..96be467fe 100644 --- a/test/e2e/annotations/globalratelimit.go +++ b/test/e2e/annotations/globalratelimit.go @@ -47,7 +47,7 @@ var _ = framework.DescribeAnnotation("annotation-global-rate-limit", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing = f.EnsureIngress(ing) - namespace := strings.Replace(string(ing.UID), "-", "", -1) + namespace := strings.ReplaceAll(string(ing.UID), "-", "") serverConfig := "" f.WaitForNginxServer(host, func(server string) bool { diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go index 39349e701..b3be82c2a 100644 --- a/test/e2e/annotations/grpc.go +++ b/test/e2e/annotations/grpc.go @@ -17,19 +17,17 @@ limitations under the License. package annotations import ( + "context" "crypto/tls" "fmt" "strings" - "context" - pb "github.com/moul/pb/grpcbin/go-grpc" "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" "google.golang.org/grpc" "google.golang.org/grpc/credentials" "google.golang.org/grpc/metadata" - core "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" @@ -37,8 +35,10 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const echoHost = "echo" + var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { - f := framework.NewDefaultFramework("grpc") + f := framework.NewDefaultFramework("grpc", framework.WithHTTPBunEnabled()) ginkgo.It("should use grpc_pass in the configuration file", func() { f.NewGRPCFortuneTellerDeployment() @@ -68,9 +68,9 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { ginkgo.It("should return OK for service with backend protocol GRPC", func() { f.NewGRPCBinDeployment() - host := "echo" + host := echoHost - svc := &core.Service{ + svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: "grpcbin-test", Namespace: f.Namespace, @@ -103,14 +103,16 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { return strings.Contains(server, "grpc_pass grpc://upstream_balancer;") }) - conn, _ := grpc.Dial(f.GetNginxIP()+":443", + //nolint:goconst //string interpolation + conn, err := grpc.Dial(f.GetNginxIP()+":443", grpc.WithTransportCredentials( credentials.NewTLS(&tls.Config{ - ServerName: "echo", - InsecureSkipVerify: true, + ServerName: echoHost, + InsecureSkipVerify: true, //nolint:gosec // Ignore certificate validation in testing }), ), ) + assert.Nil(ginkgo.GinkgoT(), err, "error creating a connection") defer conn.Close() client := pb.NewGRPCBinClient(conn) @@ -121,15 +123,14 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { metadata := res.GetMetadata() assert.Equal(ginkgo.GinkgoT(), metadata["content-type"].Values[0], "application/grpc") + assert.Equal(ginkgo.GinkgoT(), metadata[":authority"].Values[0], host) }) ginkgo.It("authorization metadata should be overwritten by external auth response headers", func() { f.NewGRPCBinDeployment() - f.NewHttpbinDeployment() + host := echoHost - host := "echo" - - svc := &core.Service{ + svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: "grpcbin-test", Namespace: f.Namespace, @@ -149,19 +150,8 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { } f.EnsureService(svc) - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - - httpbinIP := e.Subsets[0].Addresses[0].IP - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/response-headers?authorization=foo", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/response-headers?authorization=foo", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-response-headers": "Authorization", "nginx.ingress.kubernetes.io/backend-protocol": "GRPC", } @@ -175,14 +165,15 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { return strings.Contains(server, "grpc_pass grpc://upstream_balancer;") }) - conn, _ := grpc.Dial(f.GetNginxIP()+":443", + conn, err := grpc.Dial(f.GetNginxIP()+":443", grpc.WithTransportCredentials( credentials.NewTLS(&tls.Config{ - ServerName: "echo", - InsecureSkipVerify: true, + ServerName: echoHost, + InsecureSkipVerify: true, //nolint:gosec // Ignore certificate validation in testing }), ), ) + assert.Nil(ginkgo.GinkgoT(), err) defer conn.Close() client := pb.NewGRPCBinClient(conn) @@ -193,15 +184,24 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { assert.Nil(ginkgo.GinkgoT(), err) metadata := res.GetMetadata() - assert.Equal(ginkgo.GinkgoT(), "foo", metadata["authorization"].Values[0]) + assert.Equal(ginkgo.GinkgoT(), fooHost, metadata["authorization"].Values[0]) }) ginkgo.It("should return OK for service with backend protocol GRPCS", func() { f.NewGRPCBinDeployment() - host := "echo" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() - svc := &core.Service{ + host := echoHost + + svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: "grpcbin-test", Namespace: f.Namespace, @@ -239,14 +239,15 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { return strings.Contains(server, "grpc_pass grpcs://upstream_balancer;") }) - conn, _ := grpc.Dial(f.GetNginxIP()+":443", + conn, err := grpc.Dial(f.GetNginxIP()+":443", grpc.WithTransportCredentials( credentials.NewTLS(&tls.Config{ - ServerName: "echo", - InsecureSkipVerify: true, + ServerName: echoHost, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing }), ), ) + assert.Nil(ginkgo.GinkgoT(), err) defer conn.Close() client := pb.NewGRPCBinClient(conn) diff --git a/test/e2e/annotations/influxdb.go b/test/e2e/annotations/influxdb.go deleted file mode 100644 index 7a52730cf..000000000 --- a/test/e2e/annotations/influxdb.go +++ /dev/null @@ -1,186 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package annotations - -import ( - "bytes" - "context" - "fmt" - "net/http" - "os/exec" - "strings" - "time" - - jsoniter "github.com/json-iterator/go" - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/apimachinery/pkg/util/wait" - - "k8s.io/ingress-nginx/test/e2e/framework" -) - -var _ = framework.DescribeAnnotation("influxdb-*", func() { - f := framework.NewDefaultFramework("influxdb") - - ginkgo.BeforeEach(func() { - f.NewInfluxDBDeployment() - f.NewEchoDeployment() - }) - - ginkgo.Context("when influxdb is enabled", func() { - ginkgo.It("should send the request metric to the influxdb server", func() { - ifs := createInfluxDBService(f) - - // Ingress configured with InfluxDB annotations - host := "influxdb.e2e.local" - createInfluxDBIngress( - f, - host, - framework.EchoService, - 80, - map[string]string{ - "nginx.ingress.kubernetes.io/enable-influxdb": "true", - "nginx.ingress.kubernetes.io/influxdb-host": ifs.Spec.ClusterIP, - "nginx.ingress.kubernetes.io/influxdb-port": "8089", - "nginx.ingress.kubernetes.io/influxdb-measurement": "requests", - "nginx.ingress.kubernetes.io/influxdb-servername": "e2e-nginx-srv", - }, - ) - - // Do a request to the echo server ingress that sends metrics - // to the InfluxDB backend. - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK) - - framework.Sleep(10 * time.Second) - - var measurements string - var err error - - err = wait.Poll(time.Second, time.Minute, func() (bool, error) { - measurements, err = extractInfluxDBMeasurements(f) - if err != nil { - return false, nil - } - return true, nil - }) - assert.Nil(ginkgo.GinkgoT(), err) - - var results map[string][]map[string]interface{} - _ = jsoniter.ConfigCompatibleWithStandardLibrary.Unmarshal([]byte(measurements), &results) - - assert.NotEqual(ginkgo.GinkgoT(), len(measurements), 0) - for _, elem := range results["results"] { - assert.NotEqual(ginkgo.GinkgoT(), len(elem), 0) - } - }) - }) -}) - -func createInfluxDBService(f *framework.Framework) *corev1.Service { - service := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: "influxdb", - Namespace: f.Namespace, - }, - Spec: corev1.ServiceSpec{Ports: []corev1.ServicePort{ - { - Name: "udp", - Port: 8089, - TargetPort: intstr.FromInt(8089), - Protocol: "UDP", - }, - }, - Selector: map[string]string{ - "app": "influxdb", - }, - }, - } - - return f.EnsureService(service) -} - -func createInfluxDBIngress(f *framework.Framework, host, service string, port int, annotations map[string]string) { - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, service, port, annotations) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %v", host)) - }) -} - -func extractInfluxDBMeasurements(f *framework.Framework) (string, error) { - l, err := f.KubeClientSet.CoreV1().Pods(f.Namespace).List(context.TODO(), metav1.ListOptions{ - LabelSelector: "app=influxdb", - }) - if err != nil { - return "", err - } - - if len(l.Items) == 0 { - return "", err - } - - cmd := "influx -database 'nginx' -execute 'select * from requests' -format 'json' -pretty" - - var pod *corev1.Pod - for _, p := range l.Items { - pod = &p - break - } - - if pod == nil { - return "", fmt.Errorf("no influxdb pods found") - } - - o, err := execInfluxDBCommand(pod, cmd) - if err != nil { - return "", err - } - - return o, nil -} - -func execInfluxDBCommand(pod *corev1.Pod, command string) (string, error) { - var ( - execOut bytes.Buffer - execErr bytes.Buffer - ) - - cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%v exec --namespace %s %s -- %s", framework.KubectlPath, pod.Namespace, pod.Name, command)) - cmd.Stdout = &execOut - cmd.Stderr = &execErr - - err := cmd.Run() - - if execErr.Len() > 0 { - return "", fmt.Errorf("stderr: %v", execErr.String()) - } - - if err != nil { - return "", fmt.Errorf("could not execute '%s %s': %v", cmd.Path, cmd.Args, err) - } - - return execOut.String(), nil -} diff --git a/test/e2e/annotations/ipwhitelist.go b/test/e2e/annotations/ipallowlist.go similarity index 81% rename from test/e2e/annotations/ipwhitelist.go rename to test/e2e/annotations/ipallowlist.go index 71f026c7f..79c77b4d0 100644 --- a/test/e2e/annotations/ipwhitelist.go +++ b/test/e2e/annotations/ipallowlist.go @@ -24,19 +24,19 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -var _ = framework.DescribeAnnotation("whitelist-source-range", func() { - f := framework.NewDefaultFramework("ipwhitelist") +var _ = framework.DescribeAnnotation("allowlist-source-range", func() { + f := framework.NewDefaultFramework("ipallowlist") ginkgo.BeforeEach(func() { f.NewEchoDeployment() }) - ginkgo.It("should set valid ip whitelist range", func() { - host := "ipwhitelist.foo.com" + ginkgo.It("should set valid ip allowlist range", func() { + host := "ipallowlist.foo.com" nameSpace := f.Namespace annotations := map[string]string{ - "nginx.ingress.kubernetes.io/whitelist-source-range": "18.0.0.0/8, 56.0.0.0/8", + "nginx.ingress.kubernetes.io/allowlist-source-range": "18.0.0.0/8, 56.0.0.0/8", } ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations) diff --git a/test/e2e/annotations/ipdenylist.go b/test/e2e/annotations/ipdenylist.go new file mode 100644 index 000000000..9c1d45cf5 --- /dev/null +++ b/test/e2e/annotations/ipdenylist.go @@ -0,0 +1,147 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package annotations + +import ( + "net/http" + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeAnnotation("denylist-source-range", func() { + f := framework.NewDefaultFramework("ipdenylist") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.It("only deny explicitly denied IPs, allow all others", func() { + host := "ipdenylist.foo.com" + namespace := f.Namespace + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/denylist-source-range": "18.0.0.0/8, 56.0.0.1", + } + + ing := framework.NewSingleIngress(host, "/", host, namespace, framework.EchoService, 80, annotations) + + // Temporarily trust forwarded headers so we can test IP based access control + f.UpdateNginxConfigMapData("use-forwarded-headers", "true") + defer func() { + // Return to the original value + f.UpdateNginxConfigMapData("use-forwarded-headers", "false") + }() + + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "deny 18.0.0.0/8;") && + strings.Contains(server, "deny 56.0.0.1;") && + !strings.Contains(server, "deny all;") + }) + + ginkgo.By("sending request from an explicitly denied IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "18.0.0.1"). + Expect(). + Status(http.StatusForbidden) + + ginkgo.By("sending request from an explicitly denied IP address") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "56.0.0.1"). + Expect(). + Status(http.StatusForbidden) + + ginkgo.By("sending request from an implicitly allowed IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "56.0.0.2"). + Expect(). + Status(http.StatusOK) + }) + + ginkgo.It("only allow explicitly allowed IPs, deny all others", func() { + host := "ipdenylist.foo.com" + namespace := f.Namespace + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/denylist-source-range": "18.1.0.0/16, 56.0.0.0/8", + "nginx.ingress.kubernetes.io/whitelist-source-range": "18.0.0.0/8, 55.0.0.0/8", + } + + ing := framework.NewSingleIngress(host, "/", host, namespace, framework.EchoService, 80, annotations) + + // Temporarily trust forwarded headers so we can test IP based access control + f.UpdateNginxConfigMapData("use-forwarded-headers", "true") + defer func() { + // Return to the original value + f.UpdateNginxConfigMapData("use-forwarded-headers", "false") + }() + + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "deny 18.1.0.0/16;") && + strings.Contains(server, "deny 56.0.0.0/8;") && + strings.Contains(server, "allow 18.0.0.0/8;") && + strings.Contains(server, "allow 55.0.0.0/8;") && + strings.Contains(server, "deny all;") + }) + + ginkgo.By("sending request from an explicitly denied IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "18.1.0.1"). + Expect(). + Status(http.StatusForbidden) + + ginkgo.By("sending request from an implicitly denied IP") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "10.10.10.10"). + Expect(). + Status(http.StatusForbidden) + + ginkgo.By("sending request from an explicitly allowed IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "18.4.0.1"). + Expect(). + Status(http.StatusOK) + + ginkgo.By("sending request from an explicitly allowed IP range") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithHeader("X-Forwarded-For", "55.55.55.55"). + Expect(). + Status(http.StatusOK) + }) +}) diff --git a/test/e2e/annotations/mirror.go b/test/e2e/annotations/mirror.go index ad178a947..787cbfa3b 100644 --- a/test/e2e/annotations/mirror.go +++ b/test/e2e/annotations/mirror.go @@ -60,7 +60,7 @@ var _ = framework.DescribeAnnotation("mirror-*", func() { func(server string) bool { return strings.Contains(server, fmt.Sprintf("mirror /_mirror-%v;", ing.UID)) && strings.Contains(server, "mirror_request_body on;") && - strings.Contains(server, "proxy_pass https://test.env.com/$request_uri;") + strings.Contains(server, `proxy_pass "https://test.env.com/$request_uri";`) }) }) diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go index 62c9bc843..a3e7d80ba 100644 --- a/test/e2e/annotations/modsecurity/modsecurity.go +++ b/test/e2e/annotations/modsecurity/modsecurity.go @@ -25,6 +25,17 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + modSecurityFooHost = "modsecurity.foo.com" + defaultSnippet = `SecRuleEngine On + SecRequestBodyAccess On + SecAuditEngine RelevantOnly + SecAuditLogParts ABIJDEFHZ + SecAuditLog /dev/stdout + SecAuditLogType Serial + SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"` +) + var _ = framework.DescribeAnnotation("modsecurity owasp", func() { f := framework.NewDefaultFramework("modsecuritylocation") @@ -33,7 +44,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -51,7 +62,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with transaction ID and OWASP rules", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -72,7 +83,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should disable modsecurity", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -89,7 +100,16 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -109,10 +129,11 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { ginkgo.It("should enable modsecurity without using 'modsecurity on;'", func() { f.SetNginxConfigMapData(map[string]string{ - "enable-modsecurity": "true"}, + "enable-modsecurity": "true", + }, ) - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -131,10 +152,11 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { ginkgo.It("should disable modsecurity using 'modsecurity off;'", func() { f.SetNginxConfigMapData(map[string]string{ - "enable-modsecurity": "true"}, + "enable-modsecurity": "true", + }, ) - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -151,16 +173,19 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet and block requests", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := modSecurityFooHost nameSpace := f.Namespace - snippet := `SecRuleEngine On - SecRequestBodyAccess On - SecAuditEngine RelevantOnly - SecAuditLogParts ABIJDEFHZ - SecAuditLog /dev/stdout - SecAuditLogType Serial - SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"` + snippet := defaultSnippet annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-modsecurity": "true", @@ -187,16 +212,19 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity globally and with modsecurity-snippet block requests", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := modSecurityFooHost nameSpace := f.Namespace - snippet := `SecRuleEngine On - SecRequestBodyAccess On - SecAuditEngine RelevantOnly - SecAuditLogParts ABIJDEFHZ - SecAuditLog /dev/stdout - SecAuditLogType Serial - SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"` + snippet := defaultSnippet annotations := map[string]string{ "nginx.ingress.kubernetes.io/modsecurity-snippet": snippet, @@ -223,16 +251,21 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + "enable-modsecurity": "true", + "enable-owasp-modsecurity-crs": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := modSecurityFooHost nameSpace := f.Namespace - snippet := `SecRuleEngine On - SecRequestBodyAccess On - SecAuditEngine RelevantOnly - SecAuditLogParts ABIJDEFHZ - SecAuditLog /dev/stdout - SecAuditLogType Serial - SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"` + snippet := defaultSnippet annotations := map[string]string{ "nginx.ingress.kubernetes.io/modsecurity-snippet": snippet, @@ -243,11 +276,6 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) - f.SetNginxConfigMapData(map[string]string{ - "enable-modsecurity": "true", - "enable-owasp-modsecurity-crs": "true", - }) - f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, "SecRuleEngine On") @@ -262,7 +290,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity through the config map", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace snippet := `SecRequestBodyAccess On @@ -282,12 +310,17 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { f.EnsureIngress(ing) expectedComment := "SecRuleEngine On" - f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", "enable-modsecurity": "true", "enable-owasp-modsecurity-crs": "true", "modsecurity-snippet": expectedComment, }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() f.WaitForNginxServer(host, func(server string) bool { @@ -303,7 +336,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity through the config map but ignore snippet as disabled by admin", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace snippet := `SecRequestBodyAccess On @@ -345,7 +378,15 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := modSecurityFooHost nameSpace := f.Namespace snippet := `SecRuleEngine On diff --git a/test/e2e/annotations/proxy.go b/test/e2e/annotations/proxy.go index c0c89eb43..235b828e7 100644 --- a/test/e2e/annotations/proxy.go +++ b/test/e2e/annotations/proxy.go @@ -25,6 +25,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const proxyRedirectToHost = "goodbye.com" + var _ = framework.DescribeAnnotation("proxy-*", func() { f := framework.NewDefaultFramework("proxy") host := "proxy.foo.com" @@ -38,7 +40,7 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-redirect-from"] = proxyRedirectFrom - annotations["nginx.ingress.kubernetes.io/proxy-redirect-to"] = "goodbye.com" + annotations["nginx.ingress.kubernetes.io/proxy-redirect-to"] = proxyRedirectToHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -54,7 +56,7 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-redirect-from"] = proxyRedirectFrom - annotations["nginx.ingress.kubernetes.io/proxy-redirect-to"] = "goodbye.com" + annotations["nginx.ingress.kubernetes.io/proxy-redirect-to"] = proxyRedirectToHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -67,7 +69,7 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { ginkgo.It("should set proxy_redirect to hello.com goodbye.com", func() { proxyRedirectFrom := "hello.com" - proxyRedirectTo := "goodbye.com" + proxyRedirectTo := proxyRedirectToHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-redirect-from"] = proxyRedirectFrom @@ -244,5 +246,4 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { return strings.Contains(server, fmt.Sprintf("proxy_http_version %s;", proxyHTTPVersion)) }) }) - }) diff --git a/test/e2e/annotations/proxyssl.go b/test/e2e/annotations/proxyssl.go index 7f14c3393..989d681c1 100644 --- a/test/e2e/annotations/proxyssl.go +++ b/test/e2e/annotations/proxyssl.go @@ -27,6 +27,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const proxySSLHost = "proxyssl.foo.com" + var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { f := framework.NewDefaultFramework("proxyssl") @@ -35,7 +37,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { }) ginkgo.It("should set valid proxy-ssl-secret", func() { - host := "proxyssl.foo.com" + host := proxySSLHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + host @@ -62,7 +64,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { }) ginkgo.It("should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on", func() { - host := "proxyssl.foo.com" + host := proxySSLHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + host annotations["nginx.ingress.kubernetes.io/proxy-ssl-verify"] = "on" @@ -90,9 +92,9 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { Expect(). Status(http.StatusOK) }) - + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES", func() { - host := "proxyssl.foo.com" + host := proxySSLHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + host annotations["nginx.ingress.kubernetes.io/proxy-ssl-ciphers"] = "HIGH:!AES" @@ -118,9 +120,9 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { Expect(). Status(http.StatusOK) }) - + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should set valid proxy-ssl-secret, proxy-ssl-protocols", func() { - host := "proxyssl.foo.com" + host := proxySSLHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + host annotations["nginx.ingress.kubernetes.io/proxy-ssl-protocols"] = "TLSv1.2 TLSv1.3" @@ -195,7 +197,6 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { strings.Contains(server, "proxy_ssl_certificate_key")) }) }) - }) func assertProxySSL(f *framework.Framework, host, sslName, ciphers, protocols, verify string, depth int, proxySSLServerName string) { diff --git a/test/e2e/annotations/rewrite.go b/test/e2e/annotations/rewrite.go index 79738b984..173df29f0 100644 --- a/test/e2e/annotations/rewrite.go +++ b/test/e2e/annotations/rewrite.go @@ -27,6 +27,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const rewriteHost = "rewrite.bar.com" + var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-log", func() { f := framework.NewDefaultFramework("rewrite") @@ -37,7 +39,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo ginkgo.It("should write rewrite logs", func() { ginkgo.By("setting enable-rewrite-log annotation") - host := "rewrite.bar.com" + host := rewriteHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/rewrite-target": "/", "nginx.ingress.kubernetes.io/enable-rewrite-log": "true", @@ -64,7 +66,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo }) ginkgo.It("should use correct longest path match", func() { - host := "rewrite.bar.com" + host := rewriteHost ginkgo.By("creating a regular ingress definition") ing := framework.NewSingleIngress("kube-lego", "/.well-known/acme/challenge", host, f.Namespace, framework.EchoService, 80, nil) @@ -109,10 +111,10 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo }) ginkgo.It("should use ~* location modifier if regex annotation is present", func() { - host := "rewrite.bar.com" + host := rewriteHost ginkgo.By("creating a regular ingress definition") - ing := framework.NewSingleIngress("foo", "/foo", host, f.Namespace, framework.EchoService, 80, nil) + ing := framework.NewSingleIngress(fooHost, "/foo", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -156,10 +158,10 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo }) ginkgo.It("should fail to use longest match for documented warning", func() { - host := "rewrite.bar.com" + host := rewriteHost ginkgo.By("creating a regular ingress definition") - ing := framework.NewSingleIngress("foo", "/foo/bar/bar", host, f.Namespace, framework.EchoService, 80, nil) + ing := framework.NewSingleIngress(fooHost, "/foo/bar/bar", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) ginkgo.By(`creating an ingress definition with the use-regex annotation`) @@ -188,7 +190,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo }) ginkgo.It("should allow for custom rewrite parameters", func() { - host := "rewrite.bar.com" + host := rewriteHost ginkgo.By(`creating an ingress definition with the use-regex annotation`) annotations := map[string]string{ diff --git a/test/e2e/annotations/satisfy.go b/test/e2e/annotations/satisfy.go index e75464a9d..6ba6db33e 100644 --- a/test/e2e/annotations/satisfy.go +++ b/test/e2e/annotations/satisfy.go @@ -17,7 +17,6 @@ limitations under the License. package annotations import ( - "context" "fmt" "net/http" "net/url" @@ -27,13 +26,12 @@ import ( "github.com/stretchr/testify/assert" networking "k8s.io/api/networking/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" ) var _ = framework.DescribeAnnotation("satisfy", func() { - f := framework.NewDefaultFramework("satisfy") + f := framework.NewDefaultFramework("satisfy", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { f.NewEchoDeployment() @@ -84,17 +82,6 @@ var _ = framework.DescribeAnnotation("satisfy", func() { ginkgo.It("should allow multiple auth with satisfy any", func() { host := "auth" - // setup external auth - f.NewHttpbinDeployment() - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - httpbinIP := e.Subsets[0].Addresses[0].IP - // create basic auth secret at ingress s := f.EnsureSecret(buildSecret("uname", "pwd", "basic-secret", f.Namespace)) @@ -105,7 +92,7 @@ var _ = framework.DescribeAnnotation("satisfy", func() { "nginx.ingress.kubernetes.io/auth-realm": "test basic auth", // annotations for external auth - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", // set satisfy any diff --git a/test/e2e/annotations/serversnippet.go b/test/e2e/annotations/serversnippet.go index df1383bdb..1195b728a 100644 --- a/test/e2e/annotations/serversnippet.go +++ b/test/e2e/annotations/serversnippet.go @@ -33,6 +33,15 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`add valid directives to server via server snippet`, func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "serversnippet.foo.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-snippet": ` @@ -59,6 +68,15 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`drops server snippet if disabled by the administrator`, func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "noserversnippet.foo.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-snippet": ` @@ -89,6 +107,5 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { Status(http.StatusOK).Headers(). NotContainsKey("Foo"). NotContainsKey("Xpto") - }) }) diff --git a/test/e2e/annotations/serviceupstream.go b/test/e2e/annotations/serviceupstream.go index 94ad6d346..1d80f304a 100644 --- a/test/e2e/annotations/serviceupstream.go +++ b/test/e2e/annotations/serviceupstream.go @@ -25,10 +25,10 @@ import ( "github.com/stretchr/testify/assert" "k8s.io/ingress-nginx/test/e2e/framework" - - "k8s.io/ingress-nginx/internal/nginx" ) +const dbgCmd = "/dbg backends all" + var _ = framework.DescribeAnnotation("service-upstream", func() { f := framework.NewDefaultFramework("serviceupstream") host := "serviceupstream" @@ -59,10 +59,9 @@ var _ = framework.DescribeAnnotation("service-upstream", func() { ginkgo.By("checking if the Service Cluster IP and Port are used") s := f.GetService(f.Namespace, framework.EchoService) - curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) - output, err := f.ExecIngressPod(curlCmd) + output, err := f.ExecIngressPod(dbgCmd) assert.Nil(ginkgo.GinkgoT(), err) - assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`{"address":"%s"`, s.Spec.ClusterIP)) + assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`"address": %q`, s.Spec.ClusterIP)) }) }) @@ -88,10 +87,9 @@ var _ = framework.DescribeAnnotation("service-upstream", func() { ginkgo.By("checking if the Service Cluster IP and Port are used") s := f.GetService(f.Namespace, framework.EchoService) - curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) - output, err := f.ExecIngressPod(curlCmd) + output, err := f.ExecIngressPod(dbgCmd) assert.Nil(ginkgo.GinkgoT(), err) - assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`{"address":"%s"`, s.Spec.ClusterIP)) + assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`"address": %q`, s.Spec.ClusterIP)) }) }) @@ -119,10 +117,9 @@ var _ = framework.DescribeAnnotation("service-upstream", func() { ginkgo.By("checking if the Service Cluster IP and Port are not used") s := f.GetService(f.Namespace, framework.EchoService) - curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) - output, err := f.ExecIngressPod(curlCmd) + output, err := f.ExecIngressPod(dbgCmd) assert.Nil(ginkgo.GinkgoT(), err) - assert.NotContains(ginkgo.GinkgoT(), output, fmt.Sprintf(`{"address":"%s"`, s.Spec.ClusterIP)) + assert.NotContains(ginkgo.GinkgoT(), output, fmt.Sprintf(`"address": %q`, s.Spec.ClusterIP)) }) }) }) diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go index 367708302..0c6148a4f 100644 --- a/test/e2e/annotations/snippet.go +++ b/test/e2e/annotations/snippet.go @@ -26,21 +26,35 @@ import ( ) var _ = framework.DescribeAnnotation("configuration-snippet", func() { - f := framework.NewDefaultFramework("configurationsnippet") + f := framework.NewDefaultFramework( + "configurationsnippet", + framework.WithHTTPBunEnabled(), + ) - ginkgo.BeforeEach(func() { - f.NewEchoDeployment() - }) - - ginkgo.It(`set snippet "more_set_headers "Foo1: Bar1";" in all locations"`, func() { + ginkgo.It("set snippet more_set_headers in all locations", func() { host := "configurationsnippet.foo.com" + + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + annotations := map[string]string{ - "nginx.ingress.kubernetes.io/configuration-snippet": ` - more_set_headers "Foo1: Bar1";`, + "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) + f.EnsureIngress(framework.NewSingleIngress( + host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations)) f.WaitForNginxServer(host, func(server string) bool { @@ -51,23 +65,28 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { GET("/"). WithHeader("Host", host). Expect(). - Status(http.StatusOK).Headers(). + Status(http.StatusOK). + Headers(). ValueEqual("Foo1", []string{"Bar1"}) }) - ginkgo.It(`drops snippet "more_set_headers "Foo1: Bar1";" in all locations if disabled by admin"`, func() { + ginkgo.It("drops snippet more_set_header in all locations if disabled by admin", func() { host := "noconfigurationsnippet.foo.com" annotations := map[string]string{ - "nginx.ingress.kubernetes.io/configuration-snippet": ` - more_set_headers "Foo1: Bar1";`, + "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + ing := framework.NewSingleIngress( + host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) + f.UpdateNginxConfigMapData("allow-snippet-annotations", "false") - defer func() { - // Return to the original value - f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") - }() + // Sleep a while just to guarantee that the configmap is applied framework.Sleep() f.EnsureIngress(ing) @@ -81,7 +100,8 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { GET("/"). WithHeader("Host", host). Expect(). - Status(http.StatusOK).Headers(). + Status(http.StatusOK). + Headers(). NotContainsKey("Foo1") }) }) diff --git a/test/e2e/annotations/sslciphers.go b/test/e2e/annotations/sslciphers.go index 58010421d..aece7fc41 100644 --- a/test/e2e/annotations/sslciphers.go +++ b/test/e2e/annotations/sslciphers.go @@ -54,4 +54,27 @@ var _ = framework.DescribeAnnotation("ssl-ciphers", func() { Expect(). Status(http.StatusOK) }) + + ginkgo.It("should keep ssl ciphers", func() { + host := "ciphers.foo.com" + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/ssl-ciphers": "ALL:!aNULL:!EXPORT56:RC4+RSA@STRENGTH:+HIGH@SECLEVEL=0:+MEDIUM:+LOW:+SSLv2:+EXP", + "nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers": "true", + } + + ing := framework.NewSingleIngress(host, "/something", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA@STRENGTH:+HIGH@SECLEVEL=0:+MEDIUM:+LOW:+SSLv2:+EXP;") && + strings.Contains(server, "ssl_prefer_server_ciphers on;") + }) + f.HTTPTestClient(). + GET("/something"). + WithURL(f.GetURL(framework.HTTPS)). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + }) }) diff --git a/test/e2e/annotations/streamsnippet.go b/test/e2e/annotations/streamsnippet.go index b5df50975..432537b4a 100644 --- a/test/e2e/annotations/streamsnippet.go +++ b/test/e2e/annotations/streamsnippet.go @@ -39,6 +39,15 @@ var _ = framework.DescribeSetting("stream-snippet", func() { }) ginkgo.It("should add value of stream-snippet to nginx config", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "foo.com" snippet := `server {listen 8000; proxy_pass 127.0.0.1:80;}` diff --git a/test/e2e/annotations/upstreamhashby.go b/test/e2e/annotations/upstreamhashby.go index 023a094aa..1b8106662 100644 --- a/test/e2e/annotations/upstreamhashby.go +++ b/test/e2e/annotations/upstreamhashby.go @@ -39,12 +39,13 @@ func startIngress(f *framework.Framework, annotations map[string]string) map[str return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) }) + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(framework.Poll, framework.DefaultTimeout, func() (bool, error) { - resp := f.HTTPTestClient(). GET("/"). WithHeader("Host", host). Expect().Raw() + defer resp.Body.Close() if resp.StatusCode == http.StatusOK { return true, nil @@ -55,7 +56,9 @@ func startIngress(f *framework.Framework, annotations map[string]string) map[str assert.Nil(ginkgo.GinkgoT(), err) - re, _ := regexp.Compile(fmt.Sprintf(`Hostname: %v.*`, framework.EchoService)) + re, err := regexp.Compile(fmt.Sprintf(`Hostname: %v.*`, framework.EchoService)) + assert.Nil(ginkgo.GinkgoT(), err, "error compiling regex") + podMap := map[string]bool{} for i := 0; i < 100; i++ { diff --git a/test/e2e/dbg/main.go b/test/e2e/dbg/main.go index 2df57469d..6c0a22f69 100644 --- a/test/e2e/dbg/main.go +++ b/test/e2e/dbg/main.go @@ -49,7 +49,7 @@ var _ = framework.IngressNginxDescribe("Debug CLI", func() { assert.Nil(ginkgo.GinkgoT(), err) // Should be 2: the default and the echo deployment - numUpstreams := len(strings.Split(strings.Trim(string(output), "\n"), "\n")) + numUpstreams := len(strings.Split(strings.Trim(output, "\n"), "\n")) assert.Equal(ginkgo.GinkgoT(), numUpstreams, 2) }) @@ -67,7 +67,7 @@ var _ = framework.IngressNginxDescribe("Debug CLI", func() { output, err := f.ExecIngressPod(cmd) assert.Nil(ginkgo.GinkgoT(), err) - backends := strings.Split(string(output), "\n") + backends := strings.Split(output, "\n") assert.Greater(ginkgo.GinkgoT(), len(backends), 0) getCmd := "/dbg backends get " + backends[0] diff --git a/test/e2e/defaultbackend/default_backend.go b/test/e2e/defaultbackend/default_backend.go index e589024b4..936878000 100644 --- a/test/e2e/defaultbackend/default_backend.go +++ b/test/e2e/defaultbackend/default_backend.go @@ -49,15 +49,15 @@ var _ = framework.IngressNginxDescribe("[Default Backend]", func() { {"basic HTTPS POST request without host to path / should return 404", "", framework.HTTPS, "POST", "/", http.StatusNotFound}, {"basic HTTPS POST request without host to path /demo should return 404", "", framework.HTTPS, "POST", "/demo", http.StatusNotFound}, - {"basic HTTP GET request to host foo.bar.com and path / should return 404", " foo.bar.com", framework.HTTP, "GET", "/", http.StatusNotFound}, - {"basic HTTP GET request to host foo.bar.com and path /demo should return 404", " foo.bar.com", framework.HTTP, "GET", "/demo", http.StatusNotFound}, - {"basic HTTPS GET request to host foo.bar.com and path / should return 404", " foo.bar.com", framework.HTTPS, "GET", "/", http.StatusNotFound}, - {"basic HTTPS GET request to host foo.bar.com and path /demo should return 404", " foo.bar.com", framework.HTTPS, "GET", "/demo", http.StatusNotFound}, + {"basic HTTP GET request to host foo.bar.com and path / should return 404", "foo.bar.com", framework.HTTP, "GET", "/", http.StatusNotFound}, + {"basic HTTP GET request to host foo.bar.com and path /demo should return 404", "foo.bar.com", framework.HTTP, "GET", "/demo", http.StatusNotFound}, + {"basic HTTPS GET request to host foo.bar.com and path / should return 404", "foo.bar.com", framework.HTTPS, "GET", "/", http.StatusNotFound}, + {"basic HTTPS GET request to host foo.bar.com and path /demo should return 404", "foo.bar.com", framework.HTTPS, "GET", "/demo", http.StatusNotFound}, - {"basic HTTP POST request to host foo.bar.com and path / should return 404", " foo.bar.com", framework.HTTP, "POST", "/", http.StatusNotFound}, - {"basic HTTP POST request to host foo.bar.com and path /demo should return 404", " foo.bar.com", framework.HTTP, "POST", "/demo", http.StatusNotFound}, - {"basic HTTPS POST request to host foo.bar.com and path / should return 404", " foo.bar.com", framework.HTTPS, "POST", "/", http.StatusNotFound}, - {"basic HTTPS POST request to host foo.bar.com and path /demo should return 404", " foo.bar.com", framework.HTTPS, "POST", "/demo", http.StatusNotFound}, + {"basic HTTP POST request to host foo.bar.com and path / should return 404", "foo.bar.com", framework.HTTP, "POST", "/", http.StatusNotFound}, + {"basic HTTP POST request to host foo.bar.com and path /demo should return 404", "foo.bar.com", framework.HTTP, "POST", "/demo", http.StatusNotFound}, + {"basic HTTPS POST request to host foo.bar.com and path / should return 404", "foo.bar.com", framework.HTTPS, "POST", "/", http.StatusNotFound}, + {"basic HTTPS POST request to host foo.bar.com and path /demo should return 404", "foo.bar.com", framework.HTTPS, "POST", "/demo", http.StatusNotFound}, } framework.Sleep() diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index 57b047230..25d714f88 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go @@ -40,12 +40,14 @@ import ( _ "k8s.io/ingress-nginx/test/e2e/leaks" _ "k8s.io/ingress-nginx/test/e2e/loadbalance" _ "k8s.io/ingress-nginx/test/e2e/lua" + _ "k8s.io/ingress-nginx/test/e2e/metrics" _ "k8s.io/ingress-nginx/test/e2e/nginx" _ "k8s.io/ingress-nginx/test/e2e/security" _ "k8s.io/ingress-nginx/test/e2e/servicebackend" _ "k8s.io/ingress-nginx/test/e2e/settings" _ "k8s.io/ingress-nginx/test/e2e/settings/modsecurity" _ "k8s.io/ingress-nginx/test/e2e/settings/ocsp" + _ "k8s.io/ingress-nginx/test/e2e/settings/validations" _ "k8s.io/ingress-nginx/test/e2e/ssl" _ "k8s.io/ingress-nginx/test/e2e/status" _ "k8s.io/ingress-nginx/test/e2e/tcpudp" diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index 4a7a48d92..2e556cf6d 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -26,6 +26,7 @@ func init() { testing.Init() framework.RegisterParseFlags() } + func TestE2E(t *testing.T) { RunE2ETests(t) } diff --git a/test/e2e/endpointslices/longname.go b/test/e2e/endpointslices/longname.go index 0adb66767..b2242daac 100644 --- a/test/e2e/endpointslices/longname.go +++ b/test/e2e/endpointslices/longname.go @@ -36,7 +36,6 @@ var _ = framework.IngressNginxDescribe("[Endpointslices] long service name", fun }) ginkgo.It("should return 200 when service name has max allowed number of characters 63", func() { - annotations := make(map[string]string) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, name, 80, annotations) f.EnsureIngress(ing) diff --git a/test/e2e/endpointslices/topology.go b/test/e2e/endpointslices/topology.go new file mode 100644 index 000000000..38c5f8b76 --- /dev/null +++ b/test/e2e/endpointslices/topology.go @@ -0,0 +1,94 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package endpointslices + +import ( + "context" + "encoding/json" + "fmt" + "net/http" + "strings" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.IngressNginxDescribeSerial("[TopologyHints] topology aware routing", func() { + f := framework.NewDefaultFramework("topology") + host := "topology-svc.foo.com" + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment(framework.WithDeploymentReplicas(2), framework.WithSvcTopologyAnnotations()) + }) + + ginkgo.It("should return 200 when service has topology hints", func() { + annotations := make(map[string]string) + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s", host)) + }) + + ginkgo.By("checking if the service is reached") + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + + slices, err := f.KubeClientSet.DiscoveryV1().EndpointSlices(f.Namespace).List(context.TODO(), metav1.ListOptions{ + LabelSelector: "kubernetes.io/service-name=echo", + Limit: 1, + }) + assert.Nil(ginkgo.GinkgoT(), err) + + // check if we have hints, really depends on k8s endpoint slice controller + gotHints := true + for _, ep := range slices.Items[0].Endpoints { + if ep.Hints == nil || len(ep.Hints.ForZones) == 0 { + gotHints = false + break + } + } + + dbgCmd := "/dbg backends all" + status, err := f.ExecIngressPod(dbgCmd) + assert.Nil(ginkgo.GinkgoT(), err) + var backends []map[string]interface{} + err = json.Unmarshal([]byte(status), &backends) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error unmarshalling backends") + gotBackends := 0 + for _, bck := range backends { + if strings.Contains(bck["name"].(string), "topology") { + gotBackends = len(bck["endpoints"].([]interface{})) + } + } + + if gotHints { + // we have 2 replics, if there is just one backend it means that we are routing according slices hints to same zone as controller is + assert.Equal(ginkgo.GinkgoT(), 1, gotBackends) + } else { + // two replicas should have two endpoints without topology hints + assert.Equal(ginkgo.GinkgoT(), 2, gotBackends) + } + }) +}) diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index 3cfe8f360..08a5353b2 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -19,6 +19,7 @@ package framework import ( "context" "errors" + "fmt" "os" "time" @@ -36,14 +37,27 @@ const EchoService = "echo" // SlowEchoService name of the deployment for the echo app const SlowEchoService = "slow-echo" -// HTTPBinService name of the deployment for the httpbin app -const HTTPBinService = "httpbin" +// HTTPBunService name of the deployment for the httpbun app +const HTTPBunService = "httpbun" +// NipService name of external service using nip.io +const NIPService = "external-nip" + +// HTTPBunImage is the default image that is used to deploy HTTPBun with the framwork +var HTTPBunImage = os.Getenv("HTTPBUN_IMAGE") + +// EchoImage is the default image to be used by the echo service +const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a" //#nosec G101 + +// TODO: change all Deployment functions to use these options +// in order to reduce complexity and have a unified API across the +// framework type deploymentOptions struct { - namespace string - name string - replicas int - image string + name string + namespace string + image string + replicas int + svcAnnotations map[string]string } // WithDeploymentNamespace allows configuring the deployment's namespace @@ -53,6 +67,15 @@ func WithDeploymentNamespace(n string) func(*deploymentOptions) { } } +// WithSvcTopologyAnnotations create svc with topology mode sets to auto +func WithSvcTopologyAnnotations() func(*deploymentOptions) { + return func(o *deploymentOptions) { + o.svcAnnotations = map[string]string{ + corev1.AnnotationTopologyMode: "auto", + } + } +} + // WithDeploymentName allows configuring the deployment's names func WithDeploymentName(n string) func(*deploymentOptions) { return func(o *deploymentOptions) { @@ -73,30 +96,42 @@ func WithName(n string) func(*deploymentOptions) { } } +// WithImage allows configuring the image for the deployments +func WithImage(i string) func(*deploymentOptions) { + return func(o *deploymentOptions) { + o.image = i + } +} + // NewEchoDeployment creates a new single replica deployment of the echo server image in a particular namespace func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { options := &deploymentOptions{ namespace: f.Namespace, name: EchoService, replicas: 1, + image: EchoImage, } for _, o := range opts { o(options) } - deployment := newDeployment(options.name, options.namespace, "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:778ac6d1188c8de8ecabeddd3c37b72c8adc8c712bad2bd7a81fb23a3514934c", 80, int32(options.replicas), + f.EnsureDeployment(newDeployment( + options.name, + options.namespace, + options.image, + 80, + int32(options.replicas), nil, nil, nil, []corev1.VolumeMount{}, []corev1.Volume{}, true, - ) + )) - f.EnsureDeployment(deployment) - - service := &corev1.Service{ + f.EnsureService(&corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: options.name, - Namespace: options.namespace, + Name: options.name, + Namespace: options.namespace, + Annotations: options.svcAnnotations, }, Spec: corev1.ServiceSpec{ Ports: []corev1.ServicePort{ @@ -111,12 +146,125 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) { "app": options.name, }, }, + }) + + err := WaitForEndpoints( + f.KubeClientSet, + DefaultTimeout, + options.name, + options.namespace, + options.replicas, + ) + assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") +} + +// BuildNipHost used to generate a nip host for DNS resolving +func BuildNIPHost(ip string) string { + return fmt.Sprintf("%s.nip.io", ip) +} + +// GetNipHost used to generate a nip host for external DNS resolving +// for the instance deployed by the framework +func (f *Framework) GetNIPHost() string { + return BuildNIPHost(f.HTTPBunIP) +} + +// BuildNIPExternalNameService used to generate a service pointing to nip.io to +// help resolve to an IP address +func BuildNIPExternalNameService(f *Framework, ip, portName string) *corev1.Service { + return &corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: NIPService, + Namespace: f.Namespace, + }, + Spec: corev1.ServiceSpec{ + ExternalName: BuildNIPHost(ip), + Type: corev1.ServiceTypeExternalName, + Ports: []corev1.ServicePort{ + { + Name: portName, + Port: 80, + TargetPort: intstr.FromInt(80), + Protocol: "TCP", + }, + }, + }, + } +} + +// NewHttpbunDeployment creates a new single replica deployment of the httpbun +// server image in a particular namespace we return the ip for testing purposes +func (f *Framework) NewHttpbunDeployment(opts ...func(*deploymentOptions)) string { + options := &deploymentOptions{ + namespace: f.Namespace, + name: HTTPBunService, + replicas: 1, + image: HTTPBunImage, + } + for _, o := range opts { + o(options) } - f.EnsureService(service) + // Create the HTTPBun Deployment + f.EnsureDeployment(newDeployment( + options.name, + options.namespace, + options.image, + 80, + int32(options.replicas), + nil, nil, + // Required to get hostname information + []corev1.EnvVar{ + { + Name: "HTTPBUN_INFO_ENABLED", + Value: "1", + }, + }, + []corev1.VolumeMount{}, + []corev1.Volume{}, + true, + )) - err := WaitForEndpoints(f.KubeClientSet, DefaultTimeout, options.name, options.namespace, options.replicas) + // Create a service pointing to deployment + f.EnsureService(&corev1.Service{ + ObjectMeta: metav1.ObjectMeta{ + Name: options.name, + Namespace: options.namespace, + Annotations: options.svcAnnotations, + }, + Spec: corev1.ServiceSpec{ + Ports: []corev1.ServicePort{ + { + Name: "http", + Port: 80, + TargetPort: intstr.FromInt(80), + Protocol: corev1.ProtocolTCP, + }, + }, + Selector: map[string]string{ + "app": options.name, + }, + }, + }) + + // Wait for deployment to become available + err := WaitForEndpoints( + f.KubeClientSet, + DefaultTimeout, + options.name, + options.namespace, + options.replicas, + ) assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") + + // Get cluster ip for HTTPBun to be used in tests + e, err := f.KubeClientSet. + CoreV1(). + Endpoints(f.Namespace). + Get(context.TODO(), HTTPBunService, metav1.GetOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "failed to get httpbun endpoint") + + return e.Subsets[0].Addresses[0].IP } // NewSlowEchoDeployment creates a new deployment of the slow echo server image in a particular namespace. @@ -169,18 +317,21 @@ func (f *Framework) GetNginxBaseImage() string { // NGINXDeployment creates a new simple NGINX Deployment using NGINX base image // and passing the desired configuration -func (f *Framework) NGINXDeployment(name string, cfg string, waitendpoint bool) { +func (f *Framework) NGINXDeployment(name, cfg string, waitendpoint bool) { cfgMap := map[string]string{ "nginx.conf": cfg, } - _, err := f.KubeClientSet.CoreV1().ConfigMaps(f.Namespace).Create(context.TODO(), &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: f.Namespace, - }, - Data: cfgMap, - }, metav1.CreateOptions{}) + _, err := f.KubeClientSet. + CoreV1(). + ConfigMaps(f.Namespace). + Create(context.TODO(), &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: f.Namespace, + }, + Data: cfgMap, + }, metav1.CreateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "creating configmap") deployment := newDeployment(name, f.Namespace, f.GetNginxBaseImage(), 80, 1, @@ -238,7 +389,7 @@ func (f *Framework) NGINXDeployment(name string, cfg string, waitendpoint bool) } // NGINXWithConfigDeployment creates an NGINX deployment using a configmap containing the nginx.conf configuration -func (f *Framework) NGINXWithConfigDeployment(name string, cfg string) { +func (f *Framework) NGINXWithConfigDeployment(name, cfg string) { f.NGINXDeployment(name, cfg, true) } @@ -336,7 +487,8 @@ func (f *Framework) NewGRPCBinDeployment() { } func newDeployment(name, namespace, image string, port int32, replicas int32, command []string, args []string, env []corev1.EnvVar, - volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) *appsv1.Deployment { + volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool, +) *appsv1.Deployment { probe := &corev1.Probe{ InitialDelaySeconds: 2, PeriodSeconds: 1, @@ -408,17 +560,12 @@ func newDeployment(name, namespace, image string, port int32, replicas int32, co return d } -// NewHttpbinDeployment creates a new single replica deployment of the httpbin image in a particular namespace. -func (f *Framework) NewHttpbinDeployment() { - f.NewDeployment(HTTPBinService, "registry.k8s.io/ingress-nginx/e2e-test-httpbin@sha256:c6372ef57a775b95f18e19d4c735a9819f2e7bb4641e5e3f27287d831dfeb7e8", 80, 1) -} - -func (f *Framework) NewDeployment(name, image string, port int32, replicas int32) { +func (f *Framework) NewDeployment(name, image string, port, replicas int32) { f.NewDeploymentWithOpts(name, image, port, replicas, nil, nil, nil, nil, nil, true) } // NewDeployment creates a new deployment in a particular namespace. -func (f *Framework) NewDeploymentWithOpts(name, image string, port int32, replicas int32, command []string, args []string, env []corev1.EnvVar, volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) { +func (f *Framework) NewDeploymentWithOpts(name, image string, port, replicas int32, command, args []string, env []corev1.EnvVar, volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) { deployment := newDeployment(name, f.Namespace, image, port, replicas, command, args, env, volumeMounts, volumes, setProbe) f.EnsureDeployment(deployment) @@ -460,7 +607,7 @@ func (f *Framework) DeleteDeployment(name string) error { }) assert.Nil(ginkgo.GinkgoT(), err, "deleting deployment") - return waitForPodsDeleted(f.KubeClientSet, 2*time.Minute, f.Namespace, metav1.ListOptions{ + return waitForPodsDeleted(f.KubeClientSet, 2*time.Minute, f.Namespace, &metav1.ListOptions{ LabelSelector: labelSelectorToString(d.Spec.Selector.MatchLabels), }) } diff --git a/test/e2e/framework/exec.go b/test/e2e/framework/exec.go index 8c8c7ddb0..9e4b55122 100644 --- a/test/e2e/framework/exec.go +++ b/test/e2e/framework/exec.go @@ -21,6 +21,7 @@ import ( "encoding/json" "fmt" "io" + "os" "os/exec" "regexp" "strconv" @@ -65,6 +66,7 @@ func (f *Framework) ExecCommand(pod *corev1.Pod, command string) (string, error) execErr bytes.Buffer ) + //nolint:gosec // Ignore G204 error cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%v exec --namespace %s %s --container controller -- %s", KubectlPath, pod.Namespace, pod.Name, command)) cmd.Stdout = &execOut cmd.Stderr = &execErr @@ -72,7 +74,6 @@ func (f *Framework) ExecCommand(pod *corev1.Pod, command string) (string, error) err := cmd.Run() if err != nil { return "", fmt.Errorf("could not execute '%s %s': %v", cmd.Path, cmd.Args, err) - } if execErr.Len() > 0 { @@ -90,6 +91,7 @@ func (f *Framework) NamespaceContent() (string, error) { execErr bytes.Buffer ) + //nolint:gosec // Ignore G204 error cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%v get pods,services,endpoints,deployments --namespace %s", KubectlPath, f.Namespace)) cmd.Stdout = &execOut cmd.Stderr = &execErr @@ -97,7 +99,6 @@ func (f *Framework) NamespaceContent() (string, error) { err := cmd.Run() if err != nil { return "", fmt.Errorf("could not execute '%s %s': %v", cmd.Path, cmd.Args, err) - } eout := strings.TrimSpace(execErr.String()) @@ -109,9 +110,18 @@ func (f *Framework) NamespaceContent() (string, error) { } // newIngressController deploys a new NGINX Ingress controller in a namespace -func (f *Framework) newIngressController(namespace string, namespaceOverlay string) error { +func (f *Framework) newIngressController(namespace, namespaceOverlay string) error { // Creates an nginx deployment - cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay) + isChroot, ok := os.LookupEnv("IS_CHROOT") + if !ok { + isChroot = "false" + } + + enableAnnotationValidations, ok := os.LookupEnv("ENABLE_VALIDATIONS") + if !ok { + enableAnnotationValidations = "false" + } + cmd := exec.Command("./wait-for-nginx.sh", namespace, namespaceOverlay, isChroot, enableAnnotationValidations) out, err := cmd.CombinedOutput() if err != nil { return fmt.Errorf("unexpected error waiting for ingress controller deployment: %v.\nLogs:\n%v", err, string(out)) @@ -120,12 +130,11 @@ func (f *Framework) newIngressController(namespace string, namespaceOverlay stri return nil } -var ( - proxyRegexp = regexp.MustCompile("Starting to serve on .*:([0-9]+)") -) +var proxyRegexp = regexp.MustCompile(`Starting to serve on .*:(\d+)`) // KubectlProxy creates a proxy to kubernetes apiserver func (f *Framework) KubectlProxy(port int) (int, *exec.Cmd, error) { + //nolint:gosec // Ignore G204 error cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%s proxy --accept-hosts=.* --address=0.0.0.0 --port=%d", KubectlPath, port)) stdout, stderr, err := startCmdAndStreamOutput(cmd) if err != nil { @@ -152,6 +161,17 @@ func (f *Framework) KubectlProxy(port int) (int, *exec.Cmd, error) { return -1, cmd, fmt.Errorf("failed to parse port from proxy stdout: %s", output) } +func (f *Framework) UninstallChart() error { + //nolint:gosec //Ignore G204 error + cmd := exec.Command("helm", "uninstall", "--namespace", f.Namespace, "nginx-ingress") + _, err := cmd.CombinedOutput() + if err != nil { + return fmt.Errorf("unexpected error uninstalling ingress-nginx release: %v", err) + } + + return nil +} + func startCmdAndStreamOutput(cmd *exec.Cmd) (stdout, stderr io.ReadCloser, err error) { stdout, err = cmd.StdoutPipe() if err != nil { diff --git a/test/e2e/framework/fastcgi_helloserver.go b/test/e2e/framework/fastcgi_helloserver.go index c3e89c7f5..73f9ef340 100644 --- a/test/e2e/framework/fastcgi_helloserver.go +++ b/test/e2e/framework/fastcgi_helloserver.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package framework import ( @@ -58,7 +59,7 @@ func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int3 Containers: []corev1.Container{ { Name: "fastcgi-helloserver", - Image: "registry.k8s.io/ingress-nginx/e2e-test-fastcgi-helloserver@sha256:723b8187e1768d199b93fd939c37c1ce9427dcbca72ec6415f4d890bca637fcc", + Image: "registry.k8s.io/ingress-nginx/e2e-test-fastcgi-helloserver@sha256:0e08c836cc58f1ea862578de99b13bc4264fe071e816f96dc1d79857bfba7473", Env: []corev1.EnvVar{}, Ports: []corev1.ContainerPort{ { @@ -75,7 +76,7 @@ func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int3 d := f.EnsureDeployment(deployment) - err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, metav1.ListOptions{ + err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, &metav1.ListOptions{ LabelSelector: fields.SelectorFromSet(fields.Set(d.Spec.Template.ObjectMeta.Labels)).String(), }) assert.Nil(ginkgo.GinkgoT(), err, "failed to wait for to become ready") diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index 662cd0879..b62ad691c 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -27,7 +27,6 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" apiextcs "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" @@ -38,7 +37,6 @@ import ( "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/scheme" "k8s.io/client-go/rest" - restclient "k8s.io/client-go/rest" "k8s.io/klog/v2" ) @@ -51,10 +49,8 @@ const ( HTTPS RequestScheme = "https" ) -var ( - // KubectlPath defines the full path of the kubectl binary - KubectlPath = "/usr/local/bin/kubectl" -) +// KubectlPath defines the full path of the kubectl binary +var KubectlPath = "/usr/local/bin/kubectl" // Framework supports common operations used by e2e tests; it will keep a client & a namespace for you. type Framework struct { @@ -62,23 +58,39 @@ type Framework struct { // A Kubernetes and Service Catalog client KubeClientSet kubernetes.Interface - KubeConfig *restclient.Config + KubeConfig *rest.Config APIExtensionsClientSet apiextcs.Interface Namespace string IngressClass string - pod *corev1.Pod + pod *v1.Pod + // We use httpbun as a service that we route to in our tests through + // the ingress controller. We add it as part of the framework as it + // is used extensively + HTTPBunIP string + HTTPBunEnabled bool +} + +// WithHTTPBunEnabled deploys an instance of HTTPBun for the specific test +func WithHTTPBunEnabled() func(*Framework) { + return func(f *Framework) { + f.HTTPBunEnabled = true + } } // NewDefaultFramework makes a new framework and sets up a BeforeEach/AfterEach for // you (you can write additional before/after each functions). -func NewDefaultFramework(baseName string) *Framework { +func NewDefaultFramework(baseName string, opts ...func(*Framework)) *Framework { defer ginkgo.GinkgoRecover() f := &Framework{ BaseName: baseName, } + // set framework options + for _, o := range opts { + o(f) + } ginkgo.BeforeEach(f.BeforeEach) ginkgo.AfterEach(f.AfterEach) @@ -88,12 +100,16 @@ func NewDefaultFramework(baseName string) *Framework { // NewSimpleFramework makes a new framework that allows the usage of a namespace // for arbitraty tests. -func NewSimpleFramework(baseName string) *Framework { +func NewSimpleFramework(baseName string, opts ...func(*Framework)) *Framework { defer ginkgo.GinkgoRecover() f := &Framework{ BaseName: baseName, } + // set framework options + for _, o := range opts { + o(f) + } ginkgo.BeforeEach(f.CreateEnvironment) ginkgo.AfterEach(f.DestroyEnvironment) @@ -113,7 +129,6 @@ func (f *Framework) CreateEnvironment() { f.KubeClientSet, err = kubernetes.NewForConfig(f.KubeConfig) assert.Nil(ginkgo.GinkgoT(), err, "creating a kubernetes client") - } f.Namespace, err = CreateKubeNamespace(f.BaseName, f.KubeClientSet) @@ -142,6 +157,11 @@ func (f *Framework) BeforeEach() { assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller pod information") f.WaitForNginxListening(80) + + // If HTTPBun is enabled deploy an instance to the namespace + if f.HTTPBunEnabled { + f.HTTPBunIP = f.NewHttpbunDeployment() + } } // AfterEach deletes the namespace, after reading its events. @@ -150,7 +170,11 @@ func (f *Framework) AfterEach() { defer func(kubeClient kubernetes.Interface, ingressclass string) { defer ginkgo.GinkgoRecover() - err := deleteIngressClass(kubeClient, ingressclass) + + err := f.UninstallChart() + assert.Nil(ginkgo.GinkgoT(), err, "uninstalling helm chart") + + err = deleteIngressClass(kubeClient, ingressclass) assert.Nil(ginkgo.GinkgoT(), err, "deleting IngressClass") }(f.KubeClientSet, f.IngressClass) @@ -158,7 +182,7 @@ func (f *Framework) AfterEach() { return } - cmd := fmt.Sprintf("cat /etc/nginx/nginx.conf") + cmd := "cat /etc/nginx/nginx.conf" o, err := f.ExecCommand(f.pod, cmd) if err != nil { Logf("Unexpected error obtaining nginx.conf file: %v", err) @@ -192,6 +216,11 @@ func IngressNginxDescribe(text string, body func()) bool { return ginkgo.Describe(text, body) } +// IngressNginxDescribeSerial wrapper function for ginkgo describe. Adds namespacing. +func IngressNginxDescribeSerial(text string, body func()) bool { + return ginkgo.Describe(text, ginkgo.Serial, body) +} + // DescribeAnnotation wrapper function for ginkgo describe. Adds namespacing. func DescribeAnnotation(text string, body func()) bool { return ginkgo.Describe("[Annotations] "+text, body) @@ -202,11 +231,6 @@ func DescribeSetting(text string, body func()) bool { return ginkgo.Describe("[Setting] "+text, body) } -// MemoryLeakIt is wrapper function for ginkgo It. Adds "[MemoryLeak]" tag and makes static analysis easier. -func MemoryLeakIt(text string, body interface{}) bool { - return ginkgo.It(text+" [MemoryLeak]", body) -} - // GetNginxIP returns the number of TCP port where NGINX is running func (f *Framework) GetNginxIP() string { s, err := f.KubeClientSet. @@ -223,13 +247,13 @@ func (f *Framework) GetNginxPodIP() string { } // GetURL returns the URL should be used to make a request to NGINX -func (f *Framework) GetURL(scheme RequestScheme) string { +func (f *Framework) GetURL(requestScheme RequestScheme) string { ip := f.GetNginxIP() - return fmt.Sprintf("%v://%v", scheme, ip) + return fmt.Sprintf("%v://%v", requestScheme, ip) } // GetIngressNGINXPod returns the ingress controller running pod -func (f *Framework) GetIngressNGINXPod() *corev1.Pod { +func (f *Framework) GetIngressNGINXPod() *v1.Pod { return f.pod } @@ -243,6 +267,7 @@ func (f *Framework) updateIngressNGINXPod() error { // WaitForNginxServer waits until the nginx configuration contains a particular server section. // `cfg` passed to matcher is normalized by replacing all tabs and spaces with single space. func (f *Framework) WaitForNginxServer(name string, matcher func(cfg string) bool) { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(Poll, DefaultTimeout, f.matchNginxConditions(name, matcher)) assert.Nil(ginkgo.GinkgoT(), err, "waiting for nginx server condition/s") Sleep(1 * time.Second) @@ -251,13 +276,15 @@ func (f *Framework) WaitForNginxServer(name string, matcher func(cfg string) boo // WaitForNginxConfiguration waits until the nginx configuration contains a particular configuration // `cfg` passed to matcher is normalized by replacing all tabs and spaces with single space. func (f *Framework) WaitForNginxConfiguration(matcher func(cfg string) bool) { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(Poll, DefaultTimeout, f.matchNginxConditions("", matcher)) assert.Nil(ginkgo.GinkgoT(), err, "waiting for nginx server condition/s") Sleep(1 * time.Second) } // WaitForNginxCustomConfiguration waits until the nginx configuration given part (from, to) contains a particular configuration -func (f *Framework) WaitForNginxCustomConfiguration(from string, to string, matcher func(cfg string) bool) { +func (f *Framework) WaitForNginxCustomConfiguration(from, to string, matcher func(cfg string) bool) { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(Poll, DefaultTimeout, f.matchNginxCustomConditions(from, to, matcher)) assert.Nil(ginkgo.GinkgoT(), err, "waiting for nginx server condition/s") } @@ -275,7 +302,7 @@ func (f *Framework) matchNginxConditions(name string, matcher func(cfg string) b return func() (bool, error) { var cmd string if name == "" { - cmd = fmt.Sprintf("cat /etc/nginx/nginx.conf") + cmd = "cat /etc/nginx/nginx.conf" } else { cmd = fmt.Sprintf("cat /etc/nginx/nginx.conf | awk '/## start server %v/,/## end server %v/'", name, name) } @@ -298,7 +325,7 @@ func (f *Framework) matchNginxConditions(name string, matcher func(cfg string) b } } -func (f *Framework) matchNginxCustomConditions(from string, to string, matcher func(cfg string) bool) wait.ConditionFunc { +func (f *Framework) matchNginxCustomConditions(from, to string, matcher func(cfg string) bool) wait.ConditionFunc { return func() (bool, error) { cmd := fmt.Sprintf("cat /etc/nginx/nginx.conf| awk '/%v/,/%v/'", from, to) @@ -368,7 +395,7 @@ func (f *Framework) CreateConfigMap(name string, data map[string]string) { } // UpdateNginxConfigMapData updates single field in ingress-nginx's nginx-ingress-controller map data -func (f *Framework) UpdateNginxConfigMapData(key string, value string) { +func (f *Framework) UpdateNginxConfigMapData(key, value string) { config, err := f.getConfigMap("nginx-ingress-controller") assert.Nil(ginkgo.GinkgoT(), err) assert.NotNil(ginkgo.GinkgoT(), config, "expected a configmap but none returned") @@ -387,13 +414,14 @@ func (f *Framework) UpdateNginxConfigMapData(key string, value string) { } // WaitForReload calls the passed function and -// asser it has caused at least 1 reload. +// asserts it has caused at least 1 reload. func (f *Framework) WaitForReload(fn func()) { initialReloadCount := getReloadCount(f.pod, f.Namespace, f.KubeClientSet) fn() count := 0 + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(1*time.Second, DefaultTimeout, func() (bool, error) { reloads := getReloadCount(f.pod, f.Namespace, f.KubeClientSet) // most of the cases reload the ingress controller @@ -409,13 +437,13 @@ func (f *Framework) WaitForReload(fn func()) { assert.Nil(ginkgo.GinkgoT(), err, "while waiting for ingress controller reload") } -func getReloadCount(pod *corev1.Pod, namespace string, client kubernetes.Interface) int { +func getReloadCount(pod *v1.Pod, namespace string, client kubernetes.Interface) int { events, err := client.CoreV1().Events(namespace).Search(scheme.Scheme, pod) assert.Nil(ginkgo.GinkgoT(), err, "obtaining NGINX Pod") reloadCount := 0 - for _, e := range events.Items { - if e.Reason == "RELOAD" && e.Type == corev1.EventTypeNormal { + for i := range events.Items { + if events.Items[i].Reason == "RELOAD" && events.Items[i].Type == v1.EventTypeNormal { reloadCount++ } } @@ -430,7 +458,7 @@ func (f *Framework) DeleteNGINXPod(grace int64) { err := f.KubeClientSet.CoreV1().Pods(ns).Delete(context.TODO(), f.pod.GetName(), *metav1.NewDeleteOptions(grace)) assert.Nil(ginkgo.GinkgoT(), err, "deleting ingress nginx pod") - + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err = wait.Poll(Poll, DefaultTimeout, func() (bool, error) { err := f.updateIngressNGINXPod() if err != nil || f.pod == nil { @@ -460,7 +488,7 @@ func (f *Framework) HTTPTestClientWithTLSConfig(config *tls.Config) *httpexpect. func (f *Framework) newHTTPTestClient(config *tls.Config, setIngressURL bool) *httpexpect.HTTPRequest { if config == nil { config = &tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing } } var baseURL string @@ -480,12 +508,13 @@ func (f *Framework) newHTTPTestClient(config *tls.Config, setIngressURL bool) *h // WaitForNginxListening waits until NGINX starts accepting connections on a port func (f *Framework) WaitForNginxListening(port int) { - err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, 1, f.Namespace, metav1.ListOptions{ + err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, 1, f.Namespace, &metav1.ListOptions{ LabelSelector: "app.kubernetes.io/name=ingress-nginx", }) assert.Nil(ginkgo.GinkgoT(), err, "waiting for ingress pods to be ready") podIP := f.GetNginxIP() + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err = wait.Poll(500*time.Millisecond, DefaultTimeout, func() (bool, error) { hostPort := net.JoinHostPort(podIP, fmt.Sprintf("%v", port)) conn, err := net.Dial("tcp", hostPort) @@ -502,7 +531,7 @@ func (f *Framework) WaitForNginxListening(port int) { // WaitForPod waits for a specific Pod to be ready, using a label selector func (f *Framework) WaitForPod(selector string, timeout time.Duration, shouldFail bool) { - err := waitForPodsReady(f.KubeClientSet, timeout, 1, f.Namespace, metav1.ListOptions{ + err := waitForPodsReady(f.KubeClientSet, timeout, 1, f.Namespace, &metav1.ListOptions{ LabelSelector: selector, }) @@ -514,7 +543,7 @@ func (f *Framework) WaitForPod(selector string, timeout time.Duration, shouldFai } // UpdateDeployment runs the given updateFunc on the deployment and waits for it to be updated -func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace string, name string, replicas int, updateFunc func(d *appsv1.Deployment) error) error { +func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace, name string, replicas int, updateFunc func(d *appsv1.Deployment) error) error { deployment, err := kubeClientSet.AppsV1().Deployments(namespace).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return err @@ -544,7 +573,7 @@ func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace string, name } } - err = waitForPodsReady(kubeClientSet, DefaultTimeout, replicas, namespace, metav1.ListOptions{ + err = waitForPodsReady(kubeClientSet, DefaultTimeout, replicas, namespace, &metav1.ListOptions{ LabelSelector: fields.SelectorFromSet(fields.Set(deployment.Spec.Template.ObjectMeta.Labels)).String(), }) if err != nil { @@ -555,6 +584,7 @@ func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace string, name } func waitForDeploymentRollout(kubeClientSet kubernetes.Interface, resource *appsv1.Deployment) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, 5*time.Minute, func() (bool, error) { d, err := kubeClientSet.AppsV1().Deployments(resource.Namespace).Get(context.TODO(), resource.Name, metav1.GetOptions{}) if apierrors.IsNotFound(err) { @@ -578,7 +608,7 @@ func waitForDeploymentRollout(kubeClientSet kubernetes.Interface, resource *apps } // UpdateIngress runs the given updateFunc on the ingress -func UpdateIngress(kubeClientSet kubernetes.Interface, namespace string, name string, updateFunc func(d *networking.Ingress) error) error { +func UpdateIngress(kubeClientSet kubernetes.Interface, namespace, name string, updateFunc func(d *networking.Ingress) error) error { ingress, err := kubeClientSet.NetworkingV1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return err @@ -789,7 +819,7 @@ func Sleep(duration ...time.Duration) { time.Sleep(sleepFor) } -func loadConfig() (*restclient.Config, error) { +func loadConfig() (*rest.Config, error) { config, err := rest.InClusterConfig() if err != nil { return nil, err diff --git a/test/e2e/framework/grpc_fortune_teller.go b/test/e2e/framework/grpc_fortune_teller.go index 02ff3aae2..a7be46327 100644 --- a/test/e2e/framework/grpc_fortune_teller.go +++ b/test/e2e/framework/grpc_fortune_teller.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package framework import ( @@ -75,7 +76,7 @@ func (f *Framework) NewNewGRPCFortuneTellerDeploymentWithReplicas(replicas int32 d := f.EnsureDeployment(deployment) - err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, metav1.ListOptions{ + err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, &metav1.ListOptions{ LabelSelector: fields.SelectorFromSet(fields.Set(d.Spec.Template.ObjectMeta.Labels)).String(), }) assert.Nil(ginkgo.GinkgoT(), err, "failed to wait for to become ready") diff --git a/test/e2e/framework/healthz.go b/test/e2e/framework/healthz.go index bef093355..3ee297b27 100644 --- a/test/e2e/framework/healthz.go +++ b/test/e2e/framework/healthz.go @@ -26,7 +26,7 @@ func (f *Framework) VerifyHealthz(ip string, statusCode int) error { url := fmt.Sprintf("http://%v:10254/healthz", ip) client := &http.Client{} - req, err := http.NewRequest("GET", url, nil) + req, err := http.NewRequest(http.MethodGet, url, http.NoBody) if err != nil { return fmt.Errorf("creating GET request for URL %q failed: %v", url, err) } diff --git a/test/e2e/framework/httpexpect/chain.go b/test/e2e/framework/httpexpect/chain.go index 79956fb33..33c4d15b7 100644 --- a/test/e2e/framework/httpexpect/chain.go +++ b/test/e2e/framework/httpexpect/chain.go @@ -36,19 +36,3 @@ func (c *chain) fail(message string, args ...interface{}) { c.failbit = true c.reporter.Errorf(message, args...) } - -func (c *chain) reset() { - c.failbit = false -} - -func (c *chain) assertFailed(r Reporter) { - if !c.failbit { - r.Errorf("expected chain is failed, but it's ok") - } -} - -func (c *chain) assertOK(r Reporter) { - if c.failbit { - r.Errorf("expected chain is ok, but it's failed") - } -} diff --git a/test/e2e/framework/httpexpect/match.go b/test/e2e/framework/httpexpect/match.go index b031510c4..aad10b02e 100644 --- a/test/e2e/framework/httpexpect/match.go +++ b/test/e2e/framework/httpexpect/match.go @@ -23,7 +23,7 @@ type Match struct { names map[string]int } -func makeMatch(chain chain, submatches []string, names []string) *Match { +func makeMatch(chain chain, submatches, names []string) *Match { if submatches == nil { submatches = []string{} } diff --git a/test/e2e/framework/httpexpect/object.go b/test/e2e/framework/httpexpect/object.go index f7c27faaf..49dcf5659 100644 --- a/test/e2e/framework/httpexpect/object.go +++ b/test/e2e/framework/httpexpect/object.go @@ -23,6 +23,8 @@ import ( "github.com/yudai/gojsondiff/formatter" ) +const unavailableMsg = " (unavailable)" + // Object provides methods to inspect attached map[string]interface{} object // (Go representation of JSON object). type Object struct { @@ -81,20 +83,21 @@ func diffValues(expected, actual interface{}) string { var diff gojsondiff.Diff - if ve, ok := expected.(map[string]interface{}); ok { + switch ve := expected.(type) { + case map[string]interface{}: if va, ok := actual.(map[string]interface{}); ok { diff = differ.CompareObjects(ve, va) } else { - return " (unavailable)" + return unavailableMsg } - } else if ve, ok := expected.([]interface{}); ok { + case []interface{}: if va, ok := actual.([]interface{}); ok { diff = differ.CompareArrays(ve, va) } else { - return " (unavailable)" + return unavailableMsg } - } else { - return " (unavailable)" + default: + return unavailableMsg } config := formatter.AsciiFormatterConfig{ @@ -104,7 +107,7 @@ func diffValues(expected, actual interface{}) string { str, err := f.Format(diff) if err != nil { - return " (unavailable)" + return unavailableMsg } return "--- expected\n+++ actual\n" + str diff --git a/test/e2e/framework/httpexpect/request.go b/test/e2e/framework/httpexpect/request.go index d8edb42ce..0ae85dd79 100644 --- a/test/e2e/framework/httpexpect/request.go +++ b/test/e2e/framework/httpexpect/request.go @@ -65,7 +65,7 @@ func (h *HTTPRequest) DoRequest(method, rpath string) *HTTPRequest { var request *http.Request uri.Path = path.Join(uri.Path, rpath) - if request, err = http.NewRequest(method, uri.String(), nil); err != nil { + if request, err = http.NewRequest(method, uri.String(), http.NoBody); err != nil { h.chain.fail(err.Error()) } @@ -110,6 +110,7 @@ func (h *HTTPRequest) Expect() *HTTPResponse { if err != nil { h.chain.fail(err.Error()) } + defer response.Body.Close() h.HTTPResponse.Response = response // set the HTTP response diff --git a/test/e2e/framework/httpexpect/response.go b/test/e2e/framework/httpexpect/response.go index 1c7624752..e324e94ff 100644 --- a/test/e2e/framework/httpexpect/response.go +++ b/test/e2e/framework/httpexpect/response.go @@ -234,6 +234,7 @@ func (r *HTTPResponse) checkContentType(expectedType string, expectedCharset ... } if mediaType != expectedType { + //nolint:goconst //string interpolation r.chain.fail("\nexpected \"Content-Type\" header with %q media type,"+ "\nbut got %q", expectedType, mediaType) return false diff --git a/test/e2e/framework/influxdb.go b/test/e2e/framework/influxdb.go deleted file mode 100644 index c3c0e3421..000000000 --- a/test/e2e/framework/influxdb.go +++ /dev/null @@ -1,143 +0,0 @@ -/* -Copyright 2018 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package framework - -import ( - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/fields" -) - -const influxConfig = ` -reporting-disabled = true -bind-address = "0.0.0.0:8088" - -[meta] - dir = "/var/lib/influxdb/meta" - retention-autocreate = true - logging-enabled = true - -[data] - dir = "/var/lib/influxdb/data" - index-version = "inmem" - wal-dir = "/var/lib/influxdb/wal" - wal-fsync-delay = "0s" - query-log-enabled = true - cache-max-memory-size = 1073741824 - cache-snapshot-memory-size = 26214400 - cache-snapshot-write-cold-duration = "10m0s" - compact-full-write-cold-duration = "4h0m0s" - max-series-per-database = 1000000 - max-values-per-tag = 100000 - max-concurrent-compactions = 0 - trace-logging-enabled = false - -[[udp]] - enabled = true - bind-address = ":8089" - database = "nginx" -` - -// NewInfluxDBDeployment creates an InfluxDB server configured to reply -// on 8086/tcp and 8089/udp -func (f *Framework) NewInfluxDBDeployment() { - configuration := &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{ - Name: "influxdb-config", - Namespace: f.Namespace, - }, - Data: map[string]string{ - "influxd.conf": influxConfig, - }, - } - - cm, err := f.EnsureConfigMap(configuration) - assert.Nil(ginkgo.GinkgoT(), err, "creating an Influxdb deployment") - assert.NotNil(ginkgo.GinkgoT(), cm, "expected a configmap but none returned") - - deployment := &appsv1.Deployment{ - ObjectMeta: metav1.ObjectMeta{ - Name: "influxdb", - Namespace: f.Namespace, - }, - Spec: appsv1.DeploymentSpec{ - Replicas: NewInt32(1), - Selector: &metav1.LabelSelector{ - MatchLabels: map[string]string{ - "app": "influxdb", - }, - }, - Template: corev1.PodTemplateSpec{ - ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{ - "app": "influxdb", - }, - }, - Spec: corev1.PodSpec{ - TerminationGracePeriodSeconds: NewInt64(0), - Volumes: []corev1.Volume{ - { - Name: "influxdb-config", - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "influxdb-config", - }, - }, - }, - }, - }, - Containers: []corev1.Container{ - { - Name: "influxdb", - Image: "docker.io/influxdb:1.5", - Env: []corev1.EnvVar{}, - Command: []string{"influxd", "-config", "/influxdb-config/influxd.conf"}, - VolumeMounts: []corev1.VolumeMount{ - { - Name: "influxdb-config", - ReadOnly: true, - MountPath: "/influxdb-config", - }, - }, - Ports: []corev1.ContainerPort{ - { - Name: "http", - ContainerPort: 8086, - }, - { - Name: "udp", - ContainerPort: 8089, - }, - }, - }, - }, - }, - }, - }, - } - - d := f.EnsureDeployment(deployment) - - err = waitForPodsReady(f.KubeClientSet, DefaultTimeout, 1, f.Namespace, metav1.ListOptions{ - LabelSelector: fields.SelectorFromSet(fields.Set(d.Spec.Template.ObjectMeta.Labels)).String(), - }) - assert.Nil(ginkgo.GinkgoT(), err, "waiting for influxdb pod to become ready") -} diff --git a/test/e2e/framework/k8s.go b/test/e2e/framework/k8s.go index ef9c522d6..7c067421d 100644 --- a/test/e2e/framework/k8s.go +++ b/test/e2e/framework/k8s.go @@ -25,9 +25,7 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" - api "k8s.io/api/core/v1" core "k8s.io/api/core/v1" - v1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" k8sErrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -36,8 +34,8 @@ import ( "k8s.io/client-go/kubernetes" ) -// EnsureSecret creates a Secret object or returns it if it already exists. -func (f *Framework) EnsureSecret(secret *api.Secret) *api.Secret { +// EnsureSecret creates a Secret object or returns it. +func (f *Framework) EnsureSecret(secret *core.Secret) *core.Secret { err := createSecretWithRetries(f.KubeClientSet, secret.Namespace, secret) assert.Nil(ginkgo.GinkgoT(), err, "creating secret") @@ -48,21 +46,34 @@ func (f *Framework) EnsureSecret(secret *api.Secret) *api.Secret { return s } -// EnsureConfigMap creates a ConfigMap object or returns it if it already exists. -func (f *Framework) EnsureConfigMap(configMap *api.ConfigMap) (*api.ConfigMap, error) { - cm, err := f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Create(context.TODO(), configMap, metav1.CreateOptions{}) - if err != nil { - if k8sErrors.IsAlreadyExists(err) { - return f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Update(context.TODO(), configMap, metav1.UpdateOptions{}) - } - return nil, err +// GetConfigMap gets a ConfigMap object from the given namespace, name and returns it, throws error if it does not exist. +func (f *Framework) GetConfigMap(namespace, name string) *core.ConfigMap { + cm, err := f.KubeClientSet.CoreV1().ConfigMaps(namespace).Get(context.TODO(), name, metav1.GetOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "getting configmap") + assert.NotNil(ginkgo.GinkgoT(), cm, "expected a configmap but none returned") + return cm +} + +// EnsureConfigMap creates or updates an existing ConfigMap object or returns it. +func (f *Framework) EnsureConfigMap(configMap *core.ConfigMap) *core.ConfigMap { + cm := configMap.DeepCopy() + // Clean out ResourceVersion field if present + if cm.ObjectMeta.ResourceVersion != "" { + cm.ObjectMeta.ResourceVersion = "" } - return cm, nil + res, err := f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Create(context.TODO(), cm, metav1.CreateOptions{}) + if k8sErrors.IsAlreadyExists(err) { + res, err = f.KubeClientSet.CoreV1().ConfigMaps(configMap.Namespace).Update(context.TODO(), cm, metav1.UpdateOptions{}) + } + assert.Nil(ginkgo.GinkgoT(), err, "updating configmap") + assert.NotNil(ginkgo.GinkgoT(), res, "updating configmap") + + return res } // GetIngress gets an Ingress object from the given namespace, name and returns it, throws error if it does not exists. -func (f *Framework) GetIngress(namespace string, name string) *networking.Ingress { +func (f *Framework) GetIngress(namespace, name string) *networking.Ingress { ing, err := f.KubeClientSet.NetworkingV1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "getting ingress") assert.NotNil(ginkgo.GinkgoT(), ing, "expected an ingress but none returned") @@ -103,7 +114,7 @@ func (f *Framework) UpdateIngress(ingress *networking.Ingress) *networking.Ingre } // GetService gets a Service object from the given namespace, name and returns it, throws error if it does not exist. -func (f *Framework) GetService(namespace string, name string) *core.Service { +func (f *Framework) GetService(namespace, name string) *core.Service { s, err := f.KubeClientSet.CoreV1().Services(namespace).Get(context.TODO(), name, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "getting service") assert.NotNil(ginkgo.GinkgoT(), s, "expected a service but none returned") @@ -132,16 +143,21 @@ func (f *Framework) EnsureDeployment(deployment *appsv1.Deployment) *appsv1.Depl } // waitForPodsReady waits for a given amount of time until a group of Pods is running in the given namespace. -func waitForPodsReady(kubeClientSet kubernetes.Interface, timeout time.Duration, expectedReplicas int, namespace string, opts metav1.ListOptions) error { +func waitForPodsReady(kubeClientSet kubernetes.Interface, timeout time.Duration, expectedReplicas int, namespace string, opts *metav1.ListOptions) error { + //nolint:staticcheck // TODO: will replace it since wait.PollImmediate is deprecated return wait.PollImmediate(1*time.Second, timeout, func() (bool, error) { - pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), opts) + pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), *opts) if err != nil { return false, nil } r := 0 - for _, p := range pl.Items { - if isRunning, _ := podRunningReady(&p); isRunning { + for i := range pl.Items { + isRunning, err := podRunningReady(&pl.Items[i]) + if err != nil { + Logf("error checking if pod is running : %v", err) + } + if isRunning { r++ } } @@ -155,9 +171,10 @@ func waitForPodsReady(kubeClientSet kubernetes.Interface, timeout time.Duration, } // waitForPodsDeleted waits for a given amount of time until a group of Pods are deleted in the given namespace. -func waitForPodsDeleted(kubeClientSet kubernetes.Interface, timeout time.Duration, namespace string, opts metav1.ListOptions) error { +func waitForPodsDeleted(kubeClientSet kubernetes.Interface, timeout time.Duration, namespace string, opts *metav1.ListOptions) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, timeout, func() (bool, error) { - pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), opts) + pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), *opts) if err != nil { return false, nil } @@ -175,7 +192,7 @@ func WaitForEndpoints(kubeClientSet kubernetes.Interface, timeout time.Duration, if expectedEndpoints == 0 { return nil } - + //nolint:staticcheck // TODO: will replace it since wait.PollImmediate is deprecated return wait.PollImmediate(Poll, timeout, func() (bool, error) { endpoint, err := kubeClientSet.CoreV1().Endpoints(ns).Get(context.TODO(), name, metav1.GetOptions{}) if k8sErrors.IsNotFound(err) { @@ -237,6 +254,7 @@ func isPodReady(p *core.Pod) bool { // getIngressNGINXPod returns the ingress controller running pod func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Pod, error) { var pod *core.Pod + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(1*time.Second, DefaultTimeout, func() (bool, error) { l, err := kubeClientSet.CoreV1().Pods(ns).List(context.TODO(), metav1.ListOptions{ LabelSelector: "app.kubernetes.io/name=ingress-nginx", @@ -245,15 +263,16 @@ func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Po return false, nil } - for _, p := range l.Items { + for i := range l.Items { + p := &l.Items[i] if strings.HasPrefix(p.GetName(), "nginx-ingress-controller") { - isRunning, err := podRunningReady(&p) + isRunning, err := podRunningReady(p) if err != nil { continue } if isRunning { - pod = &p + pod = p return true, nil } } @@ -262,6 +281,7 @@ func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Po return false, nil }) if err != nil { + //nolint:staticcheck // TODO: will replace it since wait.ErrWaitTimeout is deprecated if err == wait.ErrWaitTimeout { return nil, fmt.Errorf("timeout waiting at least one ingress-nginx pod running in namespace %v", ns) } @@ -274,7 +294,7 @@ func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Po func createDeploymentWithRetries(c kubernetes.Interface, namespace string, obj *appsv1.Deployment) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } createFunc := func() (bool, error) { _, err := c.AppsV1().Deployments(namespace).Create(context.TODO(), obj, metav1.CreateOptions{}) @@ -287,15 +307,15 @@ func createDeploymentWithRetries(c kubernetes.Interface, namespace string, obj * if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to create object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to create object with non-retriable error: %v", err) } return retryWithExponentialBackOff(createFunc) } -func createSecretWithRetries(c kubernetes.Interface, namespace string, obj *v1.Secret) error { +func createSecretWithRetries(c kubernetes.Interface, namespace string, obj *core.Secret) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } createFunc := func() (bool, error) { _, err := c.CoreV1().Secrets(namespace).Create(context.TODO(), obj, metav1.CreateOptions{}) @@ -308,14 +328,14 @@ func createSecretWithRetries(c kubernetes.Interface, namespace string, obj *v1.S if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to create object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to create object with non-retriable error: %v", err) } return retryWithExponentialBackOff(createFunc) } -func createServiceWithRetries(c kubernetes.Interface, namespace string, obj *v1.Service) error { +func createServiceWithRetries(c kubernetes.Interface, namespace string, obj *core.Service) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } createFunc := func() (bool, error) { _, err := c.CoreV1().Services(namespace).Create(context.TODO(), obj, metav1.CreateOptions{}) @@ -328,7 +348,7 @@ func createServiceWithRetries(c kubernetes.Interface, namespace string, obj *v1. if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to create object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to create object with non-retriable error: %v", err) } return retryWithExponentialBackOff(createFunc) @@ -336,7 +356,7 @@ func createServiceWithRetries(c kubernetes.Interface, namespace string, obj *v1. func createIngressWithRetries(c kubernetes.Interface, namespace string, obj *networking.Ingress) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } createFunc := func() (bool, error) { _, err := c.NetworkingV1().Ingresses(namespace).Create(context.TODO(), obj, metav1.CreateOptions{}) @@ -349,7 +369,7 @@ func createIngressWithRetries(c kubernetes.Interface, namespace string, obj *net if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to create object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to create object with non-retriable error: %v", err) } return retryWithExponentialBackOff(createFunc) @@ -357,7 +377,7 @@ func createIngressWithRetries(c kubernetes.Interface, namespace string, obj *net func updateIngressWithRetries(c kubernetes.Interface, namespace string, obj *networking.Ingress) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } updateFunc := func() (bool, error) { _, err := c.NetworkingV1().Ingresses(namespace).Update(context.TODO(), obj, metav1.UpdateOptions{}) @@ -367,7 +387,7 @@ func updateIngressWithRetries(c kubernetes.Interface, namespace string, obj *net if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to update object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to update object with non-retriable error: %v", err) } return retryWithExponentialBackOff(updateFunc) diff --git a/test/e2e/framework/metrics.go b/test/e2e/framework/metrics.go index 349eb4dc3..774f1bd7e 100644 --- a/test/e2e/framework/metrics.go +++ b/test/e2e/framework/metrics.go @@ -29,7 +29,7 @@ func (f *Framework) GetMetric(metricName, ip string) (*dto.MetricFamily, error) url := fmt.Sprintf("http://%v:10254/metrics", ip) client := &http.Client{} - req, err := http.NewRequest("GET", url, nil) + req, err := http.NewRequest(http.MethodGet, url, http.NoBody) if err != nil { return nil, fmt.Errorf("creating GET request for URL %q failed: %v", url, err) } @@ -44,7 +44,6 @@ func (f *Framework) GetMetric(metricName, ip string) (*dto.MetricFamily, error) var parser expfmt.TextParser metrics, err := parser.TextToMetricFamilies(resp.Body) - if err != nil { return nil, fmt.Errorf("reading text format failed: %v", err) } diff --git a/test/e2e/framework/ssl.go b/test/e2e/framework/ssl.go index 52ceffc57..d6252fe47 100644 --- a/test/e2e/framework/ssl.go +++ b/test/e2e/framework/ssl.go @@ -93,8 +93,8 @@ func CreateIngressTLSSecret(client kubernetes.Interface, hosts []string, secretN // CreateIngressMASecret creates or updates a Secret containing a Mutual Auth // certificate-chain for the given Ingress and returns a TLS configuration suitable // for HTTP clients to use against that particular Ingress. -func CreateIngressMASecret(client kubernetes.Interface, host string, secretName, namespace string) (*tls.Config, error) { - if len(host) == 0 { +func CreateIngressMASecret(client kubernetes.Interface, host, secretName, namespace string) (*tls.Config, error) { + if host == "" { return nil, fmt.Errorf("requires a non-empty host") } @@ -138,12 +138,13 @@ func CreateIngressMASecret(client kubernetes.Interface, host string, secretName, return &tls.Config{ ServerName: host, Certificates: []tls.Certificate{clientPair}, - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing }, nil } // WaitForTLS waits until the TLS handshake with a given server completes successfully. func WaitForTLS(url string, tlsConfig *tls.Config) { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(Poll, DefaultTimeout, matchTLSServerName(url, tlsConfig)) assert.Nil(ginkgo.GinkgoT(), err, "waiting for TLS configuration in URL %s", url) } @@ -160,7 +161,6 @@ func generateRSACert(host string, isCA bool, keyOut, certOut io.Writer) error { serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) - if err != nil { return fmt.Errorf("failed to generate serial number: %s", err) } @@ -329,7 +329,7 @@ func tlsConfig(serverName string, pemCA []byte) (*tls.Config, error) { if !rootCAPool.AppendCertsFromPEM(pemCA) { return nil, fmt.Errorf("error creating CA certificate pool (%s)", serverName) } - return &tls.Config{ + return &tls.Config{ //nolint:gosec // Ignore the gosec error in testing ServerName: serverName, RootCAs: rootCAPool, }, nil diff --git a/test/e2e/framework/test_context.go b/test/e2e/framework/test_context.go index be4cd6e5e..961357885 100644 --- a/test/e2e/framework/test_context.go +++ b/test/e2e/framework/test_context.go @@ -23,7 +23,7 @@ import ( // TestContextType describes the client context to use in communications with the Kubernetes API. type TestContextType struct { KubeHost string - //KubeConfig string + // KubeConfig string KubeContext string } @@ -33,7 +33,6 @@ var TestContext TestContextType // registerCommonFlags registers flags common to all e2e test suites. func registerCommonFlags() { flag.StringVar(&TestContext.KubeHost, "kubernetes-host", "http://127.0.0.1:8080", "The kubernetes host, or apiserver, to connect to") - //flag.StringVar(&TestContext.KubeConfig, "kubernetes-config", os.Getenv(clientcmd.RecommendedConfigPathEnvVar), "Path to config containing embedded authinfo for kubernetes. Default value is from environment variable "+clientcmd.RecommendedConfigPathEnvVar) flag.StringVar(&TestContext.KubeContext, "kubernetes-context", "", "config context to use for kubernetes. If unset, will use value from 'current-context'") } diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go index 90f15eb1b..abdb168e1 100644 --- a/test/e2e/framework/util.go +++ b/test/e2e/framework/util.go @@ -49,24 +49,24 @@ func nowStamp() string { return time.Now().Format(time.StampMilli) } -func log(level string, format string, args ...interface{}) { +func logf(level, format string, args ...interface{}) { fmt.Fprintf(ginkgo.GinkgoWriter, nowStamp()+": "+level+": "+format+"\n", args...) } // Logf logs to the INFO logs. func Logf(format string, args ...interface{}) { - log("INFO", format, args...) + logf("INFO", format, args...) } // Failf logs to the INFO logs and fails the test. func Failf(format string, args ...interface{}) { msg := fmt.Sprintf(format, args...) - log("INFO", msg) + logf("INFO", msg) ginkgo.Fail(nowStamp()+": "+msg, 1) } // RestclientConfig deserializes the contents of a kubeconfig file into a Config object. -func RestclientConfig(config, context string) (*api.Config, error) { +func RestclientConfig(config, newContext string) (*api.Config, error) { Logf(">>> config: %s\n", config) if config == "" { return nil, fmt.Errorf("config file must be specified to load client config") @@ -75,9 +75,9 @@ func RestclientConfig(config, context string) (*api.Config, error) { if err != nil { return nil, fmt.Errorf("error loading config: %v", err.Error()) } - if context != "" { - Logf(">>> context: %s\n", context) - c.CurrentContext = context + if newContext != "" { + Logf(">>> context: %s\n", newContext) + c.CurrentContext = newContext } return c, nil } @@ -98,6 +98,7 @@ func createNamespace(baseName string, labels map[string]string, c kubernetes.Int var got *corev1.Namespace var err error + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err = wait.Poll(Poll, DefaultTimeout, func() (bool, error) { got, err = c.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{}) if err != nil { @@ -114,13 +115,11 @@ func createNamespace(baseName string, labels map[string]string, c kubernetes.Int // CreateKubeNamespace creates a new namespace in the cluster func CreateKubeNamespace(baseName string, c kubernetes.Interface) (string, error) { - return createNamespace(baseName, nil, c) } // CreateKubeNamespaceWithLabel creates a new namespace with given labels in the cluster func CreateKubeNamespaceWithLabel(baseName string, labels map[string]string, c kubernetes.Interface) (string, error) { - return createNamespace(baseName, labels, c) } @@ -150,7 +149,7 @@ func CreateIngressClass(namespace string, c kubernetes.Interface) (string, error }, }, metav1.CreateOptions{}) if err != nil { - return "", fmt.Errorf("Unexpected error creating IngressClass %s: %v", icname, err) + return "", fmt.Errorf("unexpected error creating IngressClass %s: %v", icname, err) } _, err = c.RbacV1().ClusterRoles().Create(context.TODO(), &rbacv1.ClusterRole{ @@ -162,7 +161,7 @@ func CreateIngressClass(namespace string, c kubernetes.Interface) (string, error }}, }, metav1.CreateOptions{}) if err != nil { - return "", fmt.Errorf("Unexpected error creating IngressClass ClusterRole %s: %v", icname, err) + return "", fmt.Errorf("unexpected error creating IngressClass ClusterRole %s: %v", icname, err) } _, err = c.RbacV1().ClusterRoleBindings().Create(context.TODO(), &rbacv1.ClusterRoleBinding{ @@ -184,7 +183,7 @@ func CreateIngressClass(namespace string, c kubernetes.Interface) (string, error }, }, metav1.CreateOptions{}) if err != nil { - return "", fmt.Errorf("Unexpected error creating IngressClass ClusterRoleBinding %s: %v", icname, err) + return "", fmt.Errorf("unexpected error creating IngressClass ClusterRoleBinding %s: %v", icname, err) } return ic.Name, nil } @@ -200,16 +199,16 @@ func deleteIngressClass(c kubernetes.Interface, ingressclass string) error { } err = c.NetworkingV1().IngressClasses().Delete(context.TODO(), ingressclass, deleteOptions) if err != nil { - return fmt.Errorf("Unexpected error deleting IngressClass %s: %v", ingressclass, err) + return fmt.Errorf("unexpected error deleting IngressClass %s: %v", ingressclass, err) } err = c.RbacV1().ClusterRoleBindings().Delete(context.TODO(), ingressclass, deleteOptions) if err != nil { - return fmt.Errorf("Unexpected error deleting IngressClass ClusterRoleBinding %s: %v", ingressclass, err) + return fmt.Errorf("unexpected error deleting IngressClass ClusterRoleBinding %s: %v", ingressclass, err) } err = c.RbacV1().ClusterRoles().Delete(context.TODO(), ingressclass, deleteOptions) if err != nil { - return fmt.Errorf("Unexpected error deleting IngressClass ClusterRole %s: %v", ingressclass, err) + return fmt.Errorf("unexpected error deleting IngressClass ClusterRole %s: %v", ingressclass, err) } return nil @@ -223,6 +222,7 @@ func GetIngressClassName(namespace string) *string { // WaitForKubeNamespaceNotExist waits until a namespaces is not present in the cluster func WaitForKubeNamespaceNotExist(c kubernetes.Interface, namespace string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, namespaceNotExist(c, namespace)) } @@ -241,6 +241,7 @@ func namespaceNotExist(c kubernetes.Interface, namespace string) wait.ConditionF // WaitForNoPodsInNamespace waits until there are no pods running in a namespace func WaitForNoPodsInNamespace(c kubernetes.Interface, namespace string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, noPodsInNamespace(c, namespace)) } @@ -267,15 +268,17 @@ func WaitForPodRunningInNamespace(c kubernetes.Interface, pod *corev1.Pod) error if pod.Status.Phase == corev1.PodRunning { return nil } - return waitTimeoutForPodRunningInNamespace(c, pod.Name, pod.Namespace, DefaultTimeout) + return waitTimeoutForPodRunningInNamespace(c, pod.Name, pod.Namespace) } -func waitTimeoutForPodRunningInNamespace(c kubernetes.Interface, podName, namespace string, timeout time.Duration) error { +func waitTimeoutForPodRunningInNamespace(c kubernetes.Interface, podName, namespace string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, podRunning(c, podName, namespace)) } // WaitForSecretInNamespace waits a default amount of time for the specified secret is present in a particular namespace func WaitForSecretInNamespace(c kubernetes.Interface, namespace, name string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, secretInNamespace(c, namespace, name)) } @@ -298,6 +301,7 @@ func secretInNamespace(c kubernetes.Interface, namespace, name string) wait.Cond // WaitForFileInFS waits a default amount of time for the specified file is present in the filesystem func WaitForFileInFS(file string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, fileInFS(file)) } @@ -322,6 +326,7 @@ func fileInFS(file string) wait.ConditionFunc { // WaitForNoIngressInNamespace waits until there is no ingress object in a particular namespace func WaitForNoIngressInNamespace(c kubernetes.Interface, namespace, name string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, noIngressInNamespace(c, namespace, name)) } @@ -344,6 +349,7 @@ func noIngressInNamespace(c kubernetes.Interface, namespace, name string) wait.C // WaitForIngressInNamespace waits until a particular ingress object exists namespace func WaitForIngressInNamespace(c kubernetes.Interface, namespace, name string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, ingressInNamespace(c, namespace, name)) } diff --git a/test/e2e/gracefulshutdown/grace_period.go b/test/e2e/gracefulshutdown/grace_period.go index 12e2f3d67..123892f3a 100644 --- a/test/e2e/gracefulshutdown/grace_period.go +++ b/test/e2e/gracefulshutdown/grace_period.go @@ -33,7 +33,6 @@ var _ = framework.IngressNginxDescribe("[Shutdown] Grace period shutdown", func( f := framework.NewDefaultFramework("shutdown-grace-period") ginkgo.It("/healthz should return status code 500 during shutdown grace period", func() { - f.NewSlowEchoDeployment() err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { @@ -83,6 +82,5 @@ var _ = framework.IngressNginxDescribe("[Shutdown] Grace period shutdown", func( for _, err := range <-result { assert.Nil(ginkgo.GinkgoT(), err) } - }) }) diff --git a/test/e2e/ingress/multiple_rules.go b/test/e2e/ingress/multiple_rules.go index c08f36374..f44b2f8dd 100644 --- a/test/e2e/ingress/multiple_rules.go +++ b/test/e2e/ingress/multiple_rules.go @@ -36,6 +36,15 @@ var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func() }) ginkgo.It("should set the correct $service_name NGINX variable", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "service-name: $service_name";`, } diff --git a/test/e2e/ingress/pathtype_exact.go b/test/e2e/ingress/pathtype_exact.go index ae2902e9f..d0564cbf6 100644 --- a/test/e2e/ingress/pathtype_exact.go +++ b/test/e2e/ingress/pathtype_exact.go @@ -35,6 +35,14 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() { }) ginkgo.It("should choose exact location for /exact", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "exact.path" @@ -42,7 +50,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() { "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";`, } - var exactPathType = networking.PathTypeExact + exactPathType := networking.PathTypeExact ing := framework.NewSingleIngress("exact", "/exact", host, f.Namespace, framework.EchoService, 80, annotations) ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &exactPathType f.EnsureIngress(ing) diff --git a/test/e2e/ingress/pathtype_mixed.go b/test/e2e/ingress/pathtype_mixed.go index dd183bbb4..e7bf2532e 100644 --- a/test/e2e/ingress/pathtype_mixed.go +++ b/test/e2e/ingress/pathtype_mixed.go @@ -34,9 +34,17 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi f.NewEchoDeployment() }) - var exactPathType = networking.PathTypeExact + exactPathType := networking.PathTypeExact ginkgo.It("should choose the correct location", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "mixed.path" diff --git a/test/e2e/kind.yaml b/test/e2e/kind.yaml index 97dc7082d..07a56dae8 100644 --- a/test/e2e/kind.yaml +++ b/test/e2e/kind.yaml @@ -2,8 +2,14 @@ kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane + labels: + topology.kubernetes.io/zone: zone-1 - role: worker + labels: + topology.kubernetes.io/zone: zone-1 - role: worker + labels: + topology.kubernetes.io/zone: zone-2 kubeadmConfigPatches: - | kind: ClusterConfiguration diff --git a/test/e2e/leaks/lua_ssl.go b/test/e2e/leaks/lua_ssl.go index 8ebd05ccb..88285ba4b 100644 --- a/test/e2e/leaks/lua_ssl.go +++ b/test/e2e/leaks/lua_ssl.go @@ -39,7 +39,7 @@ var _ = framework.IngressNginxDescribe("[Memory Leak] Dynamic Certificates", fun f.NewEchoDeployment() }) - framework.MemoryLeakIt("should not leak memory from ingress SSL certificates or configuration updates", func() { + ginkgo.It("should not leak memory from ingress SSL certificates or configuration updates", func() { hostCount := 1000 iterations := 10 @@ -87,14 +87,14 @@ func provisionIngress(hostname string, f *framework.Framework) { func checkIngress(hostname string, f *framework.Framework) { resp := f.HTTPTestClientWithTLSConfig(&tls.Config{ ServerName: hostname, - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing }). GET("/"). WithURL(f.GetURL(framework.HTTPS)). WithHeader("Host", hostname). Expect(). Raw() - + defer resp.Body.Close() assert.Equal(ginkgo.GinkgoT(), resp.StatusCode, http.StatusOK) // check the returned secret is not the fake one diff --git a/test/e2e/loadbalance/configmap.go b/test/e2e/loadbalance/configmap.go index 8cd47286b..737cd06dd 100644 --- a/test/e2e/loadbalance/configmap.go +++ b/test/e2e/loadbalance/configmap.go @@ -25,6 +25,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const loadBalanceHost = "load-balance.com" + var _ = framework.DescribeSetting("[Load Balancer] load-balance", func() { f := framework.NewDefaultFramework("lb-configmap") @@ -33,7 +35,7 @@ var _ = framework.DescribeSetting("[Load Balancer] load-balance", func() { }) ginkgo.It("should apply the configmap load-balance setting", func() { - host := "load-balance.com" + host := loadBalanceHost f.UpdateNginxConfigMapData("load-balance", "ewma") diff --git a/test/e2e/loadbalance/ewma.go b/test/e2e/loadbalance/ewma.go index e2750a09a..f457e6357 100644 --- a/test/e2e/loadbalance/ewma.go +++ b/test/e2e/loadbalance/ewma.go @@ -35,12 +35,13 @@ var _ = framework.DescribeSetting("[Load Balancer] EWMA", func() { f.NewEchoDeployment(framework.WithDeploymentReplicas(3)) f.SetNginxConfigMapData(map[string]string{ "worker-processes": "2", - "load-balance": "ewma"}, + "load-balance": "ewma", + }, ) }) ginkgo.It("does not fail requests", func() { - host := "load-balance.com" + host := loadBalanceHost f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxServer(host, @@ -52,7 +53,9 @@ var _ = framework.DescribeSetting("[Load Balancer] EWMA", func() { assert.Nil(ginkgo.GinkgoT(), err) assert.Equal(ginkgo.GinkgoT(), algorithm, "ewma") - re, _ := regexp.Compile(fmt.Sprintf(`%v.*`, framework.EchoService)) + re, err := regexp.Compile(fmt.Sprintf(`%v.*`, framework.EchoService)) + assert.Nil(ginkgo.GinkgoT(), err, "error compiling regex") + replicaRequestCount := map[string]int{} for i := 0; i < 30; i++ { diff --git a/test/e2e/loadbalance/round_robin.go b/test/e2e/loadbalance/round_robin.go index 2d0582e9a..5f6667143 100644 --- a/test/e2e/loadbalance/round_robin.go +++ b/test/e2e/loadbalance/round_robin.go @@ -37,7 +37,7 @@ var _ = framework.DescribeSetting("[Load Balancer] round-robin", func() { }) ginkgo.It("should evenly distribute requests with round-robin (default algorithm)", func() { - host := "load-balance.com" + host := loadBalanceHost f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxServer(host, @@ -45,7 +45,9 @@ var _ = framework.DescribeSetting("[Load Balancer] round-robin", func() { return strings.Contains(server, "server_name load-balance.com") }) - re, _ := regexp.Compile(fmt.Sprintf(`%v.*`, framework.EchoService)) + re, err := regexp.Compile(fmt.Sprintf(`%v.*`, framework.EchoService)) + assert.Nil(ginkgo.GinkgoT(), err, "error compiling regex") + replicaRequestCount := map[string]int{} for i := 0; i < 600; i++ { diff --git a/test/e2e/lua/dynamic_certificates.go b/test/e2e/lua/dynamic_certificates.go index 0160cc9e7..8c9df5e71 100644 --- a/test/e2e/lua/dynamic_certificates.go +++ b/test/e2e/lua/dynamic_certificates.go @@ -245,7 +245,6 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic certificates", func() { WithHeader("Host", host). Expect(). Status(http.StatusOK) - }) }) }) @@ -254,7 +253,6 @@ func extractReloadCount(mf *dto.MetricFamily) (float64, error) { vec, err := expfmt.ExtractSamples(&expfmt.DecodeOptions{ Timestamp: model.Now(), }, mf) - if err != nil { return 0, err } diff --git a/test/e2e/lua/dynamic_configuration.go b/test/e2e/lua/dynamic_configuration.go index 8e9804545..8ec1ef839 100644 --- a/test/e2e/lua/dynamic_configuration.go +++ b/test/e2e/lua/dynamic_configuration.go @@ -26,7 +26,6 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" - networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" @@ -199,20 +198,18 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() { }) }) -func ensureIngress(f *framework.Framework, host string, deploymentName string) *networking.Ingress { - ing := createIngress(f, host, deploymentName) +func ensureIngress(f *framework.Framework, host, deploymentName string) { + createIngress(f, host, deploymentName) f.HTTPTestClient(). GET("/"). WithHeader("Host", host). Expect(). Status(http.StatusOK) - - return ing } -func createIngress(f *framework.Framework, host string, deploymentName string) *networking.Ingress { - ing := f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, deploymentName, 80, +func createIngress(f *framework.Framework, host, deploymentName string) { + f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, deploymentName, 80, map[string]string{ "nginx.ingress.kubernetes.io/load-balance": "ewma", }, @@ -223,21 +220,19 @@ func createIngress(f *framework.Framework, host string, deploymentName string) * return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) && strings.Contains(server, "proxy_pass http://upstream_balancer;") }) - - return ing } -func ensureHTTPSRequest(f *framework.Framework, url string, host string, expectedDNSName string) { +func ensureHTTPSRequest(f *framework.Framework, url, host, expectedDNSName string) { resp := f.HTTPTestClientWithTLSConfig(&tls.Config{ ServerName: host, - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing }). GET("/"). WithURL(url). WithHeader("Host", host). Expect(). Raw() - + defer resp.Body.Close() assert.Equal(ginkgo.GinkgoT(), resp.StatusCode, http.StatusOK) assert.Equal(ginkgo.GinkgoT(), len(resp.TLS.PeerCertificates), 1) assert.Equal(ginkgo.GinkgoT(), resp.TLS.PeerCertificates[0].DNSNames[0], expectedDNSName) diff --git a/test/e2e/metrics/metrics.go b/test/e2e/metrics/metrics.go new file mode 100644 index 000000000..907b53732 --- /dev/null +++ b/test/e2e/metrics/metrics.go @@ -0,0 +1,94 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package defaultbackend + +import ( + "context" + "fmt" + "net/http" + "strings" + "time" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + appsv1 "k8s.io/api/apps/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +const waitForMetrics = 2 * time.Second + +var _ = framework.IngressNginxDescribe("[metrics] exported prometheus metrics", func() { + f := framework.NewDefaultFramework("metrics") + host := "foo.com" + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) && + strings.Contains(server, "proxy_pass http://upstream_balancer;") + }) + }) + + ginkgo.It("exclude socket request metrics are absent", func() { + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--exclude-socket-metrics=nginx_ingress_controller_request_size,nginx_ingress_controller_header_duration_seconds") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating deployment") + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + time.Sleep(waitForMetrics) + + ip := f.GetNginxPodIP() + mf, err := f.GetMetric("nginx_ingress_controller_request_size", ip) + assert.ErrorContains(ginkgo.GinkgoT(), err, "nginx_ingress_controller_request_size") + assert.Nil(ginkgo.GinkgoT(), mf) + }) + ginkgo.It("exclude socket request metrics are present", func() { + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--exclude-socket-metrics=non_existing_metric_does_not_affect_existing_metrics") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating deployment") + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK) + time.Sleep(waitForMetrics) + + ip := f.GetNginxPodIP() + mf, err := f.GetMetric("nginx_ingress_controller_request_size", ip) + assert.Nil(ginkgo.GinkgoT(), err) + assert.NotNil(ginkgo.GinkgoT(), mf) + }) +}) diff --git a/test/e2e/nginx/nginx.go b/test/e2e/nginx/nginx.go index cd14a931c..7e572a976 100644 --- a/test/e2e/nginx/nginx.go +++ b/test/e2e/nginx/nginx.go @@ -100,7 +100,6 @@ var _ = framework.DescribeSetting("nginx-configuration", func() { f := framework.NewSimpleFramework("nginxconfiguration") ginkgo.It("start nginx with default configuration", func() { - f.NGINXWithConfigDeployment("default-nginx", cfgOK) f.WaitForPod("app=default-nginx", 60*time.Second, false) framework.Sleep(5 * time.Second) @@ -113,20 +112,16 @@ var _ = framework.DescribeSetting("nginx-configuration", func() { }) ginkgo.It("fails when using alias directive", func() { - f.NGINXDeployment("alias-nginx", cfgAlias, false) // This should fail with a crashloopback because our NGINX does not have // alias directive! f.WaitForPod("app=alias-nginx", 60*time.Second, true) - }) ginkgo.It("fails when using root directive", func() { - f.NGINXDeployment("root-nginx", cfgRoot, false) // This should fail with a crashloopback because our NGINX does not have // root directive! f.WaitForPod("app=root-nginx", 60*time.Second, true) - }) }) diff --git a/test/e2e/run-chart-test.sh b/test/e2e/run-chart-test.sh index e501ca6fe..05f199cb2 100755 --- a/test/e2e/run-chart-test.sh +++ b/test/e2e/run-chart-test.sh @@ -62,7 +62,7 @@ export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then echo "[dev-env] creating Kubernetes cluster with kind" - export K8S_VERSION=${K8S_VERSION:-v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6} + export K8S_VERSION=${K8S_VERSION:-v1.26.3@sha256:61b92f38dff6ccc29969e7aa154d34e38b89443af1a2c14e6cfbd2df6419c66f} kind create cluster \ --verbosity=${KIND_LOG_LEVEL} \ @@ -78,7 +78,7 @@ fi if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 + go install github.com/onsi/ginkgo/v2/ginkgo@v2.15.0 fi echo "[dev-env] building image" make -C ${DIR}/../../ clean-image build image @@ -91,19 +91,25 @@ echo "[dev-env] copying docker images to cluster..." kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} ${REGISTRY}/controller:${TAG} if [ "${SKIP_CERT_MANAGER_CREATION:-false}" = "false" ]; then + curl -fsSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.11.1/cmctl-linux-amd64.tar.gz + tar xzf cmctl.tar.gz + chmod +x cmctl + ./cmctl help echo "[dev-env] apply cert-manager ..." - kubectl apply --wait -f https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml - sleep 10 + kubectl apply --wait -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml + kubectl wait --timeout=30s --for=condition=available deployment/cert-manager -n cert-manager + kubectl get validatingwebhookconfigurations cert-manager-webhook -ojson | jq '.webhooks[].clientConfig' + kubectl get endpoints -n cert-manager cert-manager-webhook + ./cmctl check api --wait=2m fi echo "[dev-env] running helm chart e2e tests..." -# Uses a custom chart-testing image to avoid timeouts waiting for namespace deletion. -# The changes can be found here: https://github.com/aledbf/chart-testing/commit/41fe0ae0733d0c9a538099fb3cec522e888e3d82 docker run --rm --interactive --network host \ --name ct \ --volume $KUBECONFIG:/root/.kube/config \ --volume "${DIR}/../../":/workdir \ --workdir /workdir \ - aledbf/chart-testing:v3.3.1-next ct install \ + registry.k8s.io/ingress-nginx/e2e-test-runner:v20240126-760bf8eb@sha256:5e676bf2e5d5d035adfc6e093abee040af08327011e72fef640fa20da73cea2e \ + ct install \ --charts charts/ingress-nginx \ --helm-extra-args "--timeout 60s" diff --git a/build/run-e2e-suite.sh b/test/e2e/run-e2e-suite.sh similarity index 54% rename from build/run-e2e-suite.sh rename to test/e2e/run-e2e-suite.sh index ae38b5fcc..9333ee61f 100755 --- a/build/run-e2e-suite.sh +++ b/test/e2e/run-e2e-suite.sh @@ -14,10 +14,16 @@ # See the License for the specific language governing permissions and # limitations under the License. -if ! [ -z "$DEBUG" ]; then +if [ -n "$DEBUG" ]; then set -x +else + trap cleanup EXIT fi +function cleanup { + kubectl delete pod e2e 2>/dev/null || true +} + set -o errexit set -o nounset set -o pipefail @@ -43,19 +49,9 @@ if [ "$missing" = true ]; then exit 1 fi -function cleanup { - kubectl delete pod e2e 2>/dev/null || true -} -trap cleanup EXIT - -E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS:-} -FOCUS=${FOCUS:-.*} - BASEDIR=$(dirname "$0") -NGINX_BASE_IMAGE=$(cat $BASEDIR/../NGINX_BASE) - -export E2E_CHECK_LEAKS -export FOCUS +NGINX_BASE_IMAGE=$(cat $BASEDIR/../../NGINX_BASE) +HTTPBUN_IMAGE=$(cat $BASEDIR/HTTPBUN_IMAGE) echo -e "${BGREEN}Granting permissions to ingress-nginx e2e service account...${NC}" kubectl create serviceaccount ingress-nginx-e2e || true @@ -65,7 +61,6 @@ kubectl create clusterrolebinding permissive-binding \ --user=kubelet \ --serviceaccount=default:ingress-nginx-e2e || true - VER=$(kubectl version --client=false -o json |jq '.serverVersion.minor |tonumber') if [ $VER -lt 24 ]; then echo -e "${BGREEN}Waiting service account...${NC}"; \ @@ -75,7 +70,6 @@ if [ $VER -lt 24 ]; then done fi - echo -e "Starting the e2e test pod" kubectl run --rm \ @@ -83,44 +77,20 @@ kubectl run --rm \ --restart=Never \ --env="E2E_NODES=${E2E_NODES}" \ --env="FOCUS=${FOCUS}" \ + --env="IS_CHROOT=${IS_CHROOT:-false}"\ + --env="ENABLE_VALIDATIONS=${ENABLE_VALIDATIONS:-false}"\ + --env="SKIP_OPENTELEMETRY_TESTS=${SKIP_OPENTELEMETRY_TESTS:-false}"\ --env="E2E_CHECK_LEAKS=${E2E_CHECK_LEAKS}" \ --env="NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE}" \ + --env="HTTPBUN_IMAGE=${HTTPBUN_IMAGE}" \ --overrides='{ "apiVersion": "v1", "spec":{"serviceAccountName": "ingress-nginx-e2e"}}' \ e2e --image=nginx-ingress-controller:e2e # Get the junit-reports stored in the configMaps created during e2etests -echo "Getting the report files out now.." +echo "Getting the report file out now.." reportsDir="test/junitreports" -reportFileName="report-e2e-test-suite" -[ ! -e ${reportsDir} ] && mkdir $reportsDir +reportFile="report-e2e-test-suite.xml.gz" +mkdir -p $reportsDir cd $reportsDir - -# TODO: Seeking Rikatz help here to extract in a loop. Tried things like below without success -#for cmName in `k get cm -l junitreport=true -o json | jq '.items[].binaryData | keys[]' | tr '\"' ' '` -#do -# -# -# kubectl get cm -l junitreport=true -o json | jq -r '[.items[].binaryData | to_entries[] | {"key": .key, "value": .value }] | from_entries' -# - -# Below lines successfully extract the report but they are one line per report. -# We only have 3 ginkgo reports so its ok for now -# But still, ideally this should be a loop as talked about in comments a few lines above -kubectl get cm $reportFileName.xml.gz -o "jsonpath={.binaryData['report-e2e-test-suite\.xml\.gz']}" > $reportFileName.xml.gz.base64 -kubectl get cm $reportFileName-serial.xml.gz -o "jsonpath={.binaryData['report-e2e-test-suite-serial\.xml\.gz']}" > $reportFileName-serial.xml.gz.base64 - -cat $reportFileName.xml.gz.base64 | base64 -d > $reportFileName.xml.gz -cat $reportFileName-serial.xml.gz.base64 | base64 -d > $reportFileName-serial.xml.gz - -gzip -d $reportFileName.xml.gz -gzip -d $reportFileName-serial.xml.gz - -rm *.base64 -cd ../.. - -# TODO Temporary: if condition to check if the memleak cm exists and only then try the extract for the memleak report -# -#kubectl get cm $reportFileName-serial -o "jsonpath={.data['report-e2e-test-suite-memleak\.xml\.gz']}" > $reportFileName-memleak.base64 -#cat $reportFileName-memleak.base64 | base64 -d > $reportFileName-memleak.xml.gz -#gzip -d $reportFileName-memleak.xml.gz -echo "done getting the reports files out.." +kubectl get cm $reportFile -o "jsonpath={.binaryData['${reportFile//\./\\.}']}" | base64 -d | gunzip > ${reportFile%\.gz} +echo "done getting the report file out.." diff --git a/test/e2e/run.sh b/test/e2e/run-kind-e2e.sh similarity index 56% rename from test/e2e/run.sh rename to test/e2e/run-kind-e2e.sh index 17dad6c39..5e4afb57d 100755 --- a/test/e2e/run.sh +++ b/test/e2e/run-kind-e2e.sh @@ -14,13 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. -KIND_LOG_LEVEL="1" - -if ! [ -z $DEBUG ]; then - set -x - KIND_LOG_LEVEL="6" -fi - set -o errexit set -o nounset set -o pipefail @@ -31,45 +24,57 @@ cleanup() { fi kind delete cluster \ - --verbosity=${KIND_LOG_LEVEL} \ - --name ${KIND_CLUSTER_NAME} + --verbosity="${KIND_LOG_LEVEL}" \ + --name "${KIND_CLUSTER_NAME}" } -trap cleanup EXIT +DEBUG=${DEBUG:=false} +if [ "${DEBUG}" = "true" ]; then + set -x + KIND_LOG_LEVEL="6" +else + trap cleanup EXIT +fi + +KIND_LOG_LEVEL="1" +IS_CHROOT="${IS_CHROOT:-false}" +ENABLE_VALIDATIONS="${ENABLE_VALIDATIONS:-false}" export KIND_CLUSTER_NAME=${KIND_CLUSTER_NAME:-ingress-nginx-dev} +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +# Use 1.0.0-dev to make sure we use the latest configuration in the helm template +export TAG=1.0.0-dev +export ARCH=${ARCH:-amd64} +export REGISTRY=ingress-controller +NGINX_BASE_IMAGE=${NGINX_BASE_IMAGE:-$(cat "$DIR"/../../NGINX_BASE)} +export NGINX_BASE_IMAGE=$NGINX_BASE_IMAGE +export DOCKER_CLI_EXPERIMENTAL=enabled +export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" +SKIP_INGRESS_IMAGE_CREATION="${SKIP_INGRESS_IMAGE_CREATION:-false}" +SKIP_E2E_IMAGE_CREATION="${SKIP_E2E_IMAGE_CREATION:=false}" +SKIP_CLUSTER_CREATION="${SKIP_CLUSTER_CREATION:-false}" if ! command -v kind --version &> /dev/null; then echo "kind is not installed. Use the package manager or visit the official site https://kind.sigs.k8s.io/" exit 1 fi -DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -# Use 1.0.0-dev to make sure we use the latest configuration in the helm template -export TAG=1.0.0-dev -export ARCH=${ARCH:-amd64} -export REGISTRY=ingress-controller - -NGINX_BASE_IMAGE=$(cat $DIR/../../NGINX_BASE) - echo "Running e2e with nginx base image ${NGINX_BASE_IMAGE}" -export NGINX_BASE_IMAGE=$NGINX_BASE_IMAGE - -export DOCKER_CLI_EXPERIMENTAL=enabled - -export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/kind-config-$KIND_CLUSTER_NAME}" - -if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then +if [ "${SKIP_CLUSTER_CREATION}" = "false" ]; then echo "[dev-env] creating Kubernetes cluster with kind" - export K8S_VERSION=${K8S_VERSION:-v1.25.2@sha256:9be91e9e9cdf116809841fc77ebdb8845443c4c72fe5218f3ae9eb57fdb4bace} + export K8S_VERSION=${K8S_VERSION:-v1.26.3@sha256:61b92f38dff6ccc29969e7aa154d34e38b89443af1a2c14e6cfbd2df6419c66f} + + # delete the cluster if it exists + if kind get clusters | grep "${KIND_CLUSTER_NAME}"; then + kind delete cluster --name "${KIND_CLUSTER_NAME}" + fi kind create cluster \ - --verbosity=${KIND_LOG_LEVEL} \ - --name ${KIND_CLUSTER_NAME} \ - --config ${DIR}/kind.yaml \ + --verbosity="${KIND_LOG_LEVEL}" \ + --name "${KIND_CLUSTER_NAME}" \ + --config "${DIR}"/kind.yaml \ --retain \ --image "kindest/node:${K8S_VERSION}" @@ -77,16 +82,26 @@ if [ "${SKIP_CLUSTER_CREATION:-false}" = "false" ]; then kubectl get nodes -o wide fi -if [ "${SKIP_IMAGE_CREATION:-false}" = "false" ]; then - if ! command -v ginkgo &> /dev/null; then - go get github.com/onsi/ginkgo/v2/ginkgo@v2.6.1 +if [ "${SKIP_INGRESS_IMAGE_CREATION}" = "false" ]; then + echo "[dev-env] building image" + if [ "${IS_CHROOT}" = "true" ]; then + make BASE_IMAGE="${NGINX_BASE_IMAGE}" -C "${DIR}"/../../ clean-image build image-chroot + docker tag ${REGISTRY}/controller-chroot:${TAG} ${REGISTRY}/controller:${TAG} + else + make BASE_IMAGE="${NGINX_BASE_IMAGE}" -C "${DIR}"/../../ clean-image build image + fi + + echo "[dev-env] .. done building controller images" +fi + +if [ "${SKIP_E2E_IMAGE_CREATION}" = "false" ]; then + if ! command -v ginkgo &> /dev/null; then + go install github.com/onsi/ginkgo/v2/ginkgo@v2.15.0 fi - echo "[dev-env] building image" - make -C ${DIR}/../../ clean-image build image image-chroot echo "[dev-env] .. done building controller images" echo "[dev-env] now building e2e-image.." - make -C ${DIR}/../e2e-image image + make -C "${DIR}"/../e2e-image image echo "[dev-env] ..done building e2e-image" fi @@ -95,13 +110,7 @@ KIND_WORKERS=$(kind get nodes --name="${KIND_CLUSTER_NAME}" | grep worker | awk echo "[dev-env] copying docker images to cluster..." -kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} nginx-ingress-controller:e2e - -if [ "${IS_CHROOT:-false}" = "true" ]; then - docker tag ${REGISTRY}/controller-chroot:${TAG} ${REGISTRY}/controller:${TAG} -fi - -kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes=${KIND_WORKERS} ${REGISTRY}/controller:${TAG} - +kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes="${KIND_WORKERS}" nginx-ingress-controller:e2e +kind load docker-image --name="${KIND_CLUSTER_NAME}" --nodes="${KIND_WORKERS}" "${REGISTRY}"/controller:"${TAG}" echo "[dev-env] running e2e tests..." -make -C ${DIR}/../../ e2e-test +make -C "${DIR}"/../../ e2e-test diff --git a/test/e2e/security/invalid_paths.go b/test/e2e/security/invalid_paths.go deleted file mode 100644 index d75aefc2c..000000000 --- a/test/e2e/security/invalid_paths.go +++ /dev/null @@ -1,134 +0,0 @@ -/* -Copyright 2022 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package security - -import ( - "fmt" - "net/http" - "strings" - - "github.com/onsi/ginkgo/v2" - - "k8s.io/ingress-nginx/test/e2e/framework" -) - -const ( - validPath = "/xpto/~user/t-e_st.exe" - invalidPath = "/foo/bar/;xpto" - regexPath = "/foo/bar/(.+)" - host = "securitytest.com" -) - -var ( - annotationRegex = map[string]string{ - "nginx.ingress.kubernetes.io/use-regex": "true", - } -) - -var _ = framework.IngressNginxDescribe("[Security] validate path fields", func() { - f := framework.NewDefaultFramework("validate-path") - - ginkgo.BeforeEach(func() { - f.NewEchoDeployment() - }) - - ginkgo.It("should accept an ingress with valid path", func() { - - ing := framework.NewSingleIngress(host, validPath, host, f.Namespace, framework.EchoService, 80, nil) - - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET(validPath). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK) - }) - - ginkgo.It("should drop an ingress with invalid path", func() { - - ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, nil) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET(invalidPath). - WithHeader("Host", host). - Expect(). - Status(http.StatusNotFound) - }) - - ginkgo.It("should drop an ingress with regex path and regex disabled", func() { - - ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, nil) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET("/foo/bar/lalala"). - WithHeader("Host", host). - Expect(). - Status(http.StatusNotFound) - }) - - ginkgo.It("should accept an ingress with regex path and regex enabled", func() { - - ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET("/foo/bar/lalala"). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK) - }) - - ginkgo.It("should reject an ingress with invalid path and regex enabled", func() { - - ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, annotationRegex) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET(invalidPath). - WithHeader("Host", host). - Expect(). - Status(http.StatusNotFound) - }) -}) diff --git a/test/e2e/security/request_smuggling.go b/test/e2e/security/request_smuggling.go index 9891480dc..5ede02d4b 100644 --- a/test/e2e/security/request_smuggling.go +++ b/test/e2e/security/request_smuggling.go @@ -50,9 +50,12 @@ server { f.UpdateNginxConfigMapData("http-snippet", snippet) + // TODO: currently using a self hosted HTTPBun instance results in a 499, we + // should move away from using httpbun.com once we have the httpbun + // deployment as part of the framework ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, map[string]string{ - "nginx.ingress.kubernetes.io/auth-signin": "https://httpbin.org/uuid", - "nginx.ingress.kubernetes.io/auth-url": "https://httpbin.org/basic-auth/user/passwd", + "nginx.ingress.kubernetes.io/auth-signin": "https://httpbun.com/bearer/d4bcba7a-0def-4a31-91a7-47e420adf44b", + "nginx.ingress.kubernetes.io/auth-url": "https://httpbun.com/basic-auth/user/passwd", }) f.EnsureIngress(ing) @@ -76,7 +79,9 @@ func smugglingRequest(host, addr string, port int) (string, error) { defer conn.Close() - conn.SetDeadline(time.Now().Add(time.Second * 10)) + if err := conn.SetDeadline(time.Now().Add(time.Second * 10)); err != nil { + return "", err + } _, err = fmt.Fprintf(conn, "GET /echo HTTP/1.1\r\nHost: %v\r\nContent-Length: 56\r\n\r\nGET /_hidden/index.html HTTP/1.1\r\nHost: notlocalhost\r\n\r\n", host) if err != nil { @@ -86,7 +91,7 @@ func smugglingRequest(host, addr string, port int) (string, error) { // wait for /_hidden/index.html response framework.Sleep() - var buf = make([]byte, 1024) + buf := make([]byte, 1024) r := bufio.NewReader(conn) _, err = r.Read(buf) if err != nil { diff --git a/test/e2e/servicebackend/service_backend.go b/test/e2e/servicebackend/service_backend.go index 44f3d36a5..6ab2f8ad1 100644 --- a/test/e2e/servicebackend/service_backend.go +++ b/test/e2e/servicebackend/service_backend.go @@ -29,48 +29,50 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -var pathtype = networking.PathTypePrefix -var _ = framework.IngressNginxDescribe("[Service] backend status code 503", func() { - f := framework.NewDefaultFramework("service-backend") +var ( + pathtype = networking.PathTypePrefix + _ = framework.IngressNginxDescribe("[Service] backend status code 503", func() { + f := framework.NewDefaultFramework("service-backend") - ginkgo.It("should return 503 when backend service does not exist", func() { - host := "nonexistent.svc.com" + ginkgo.It("should return 503 when backend service does not exist", func() { + host := "nonexistent.svc.com" - bi := buildIngressWithNonexistentService(host, f.Namespace, "/") - f.EnsureIngress(bi) + bi := buildIngressWithNonexistentService(host, f.Namespace, "/") + f.EnsureIngress(bi) - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "proxy_pass http://upstream_balancer;") - }) + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "proxy_pass http://upstream_balancer;") + }) - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusServiceUnavailable) + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusServiceUnavailable) + }) + + ginkgo.It("should return 503 when all backend service endpoints are unavailable", func() { + host := "unavailable.svc.com" + + bi, bs := buildIngressWithUnavailableServiceEndpoints(host, f.Namespace, "/") + + f.EnsureService(bs) + f.EnsureIngress(bi) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "proxy_pass http://upstream_balancer;") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusServiceUnavailable) + }) }) - - ginkgo.It("should return 503 when all backend service endpoints are unavailable", func() { - host := "unavailable.svc.com" - - bi, bs := buildIngressWithUnavailableServiceEndpoints(host, f.Namespace, "/") - - f.EnsureService(bs) - f.EnsureIngress(bi) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "proxy_pass http://upstream_balancer;") - }) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusServiceUnavailable) - }) -}) +) func buildIngressWithNonexistentService(host, namespace, path string) *networking.Ingress { backendService := "nonexistent-svc" @@ -146,14 +148,15 @@ func buildIngressWithUnavailableServiceEndpoints(host, namespace, path string) ( Name: backendService, Namespace: namespace, }, - Spec: corev1.ServiceSpec{Ports: []corev1.ServicePort{ - { - Name: "tcp", - Port: 80, - TargetPort: intstr.FromInt(80), - Protocol: "TCP", + Spec: corev1.ServiceSpec{ + Ports: []corev1.ServicePort{ + { + Name: "tcp", + Port: 80, + TargetPort: intstr.FromInt(80), + Protocol: "TCP", + }, }, - }, Selector: map[string]string{ "app": backendService, }, diff --git a/test/e2e/servicebackend/service_externalname.go b/test/e2e/servicebackend/service_externalname.go index 0d121c671..fccd1cd19 100644 --- a/test/e2e/servicebackend/service_externalname.go +++ b/test/e2e/servicebackend/service_externalname.go @@ -29,44 +29,22 @@ import ( corev1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/intstr" - "k8s.io/ingress-nginx/internal/nginx" "k8s.io/ingress-nginx/test/e2e/framework" ) -func buildHTTPBinExternalNameService(f *framework.Framework, portName string) *corev1.Service { - return &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, - Namespace: f.Namespace, - }, - Spec: corev1.ServiceSpec{ - ExternalName: "httpbin.org", - Type: corev1.ServiceTypeExternalName, - Ports: []corev1.ServicePort{ - { - Name: portName, - Port: 80, - TargetPort: intstr.FromInt(80), - Protocol: "TCP", - }, - }, - }, - } -} +const echoHost = "echo" var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { - f := framework.NewDefaultFramework("type-externalname") + f := framework.NewDefaultFramework("type-externalname", framework.WithHTTPBunEnabled()) ginkgo.It("works with external name set to incomplete fqdn", func() { f.NewEchoDeployment() - - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ @@ -74,10 +52,15 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Type: corev1.ServiceTypeExternalName, }, } - f.EnsureService(svc) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.NIPService, + 80, + nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -93,25 +76,31 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName without a port defined", func() { - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ - ExternalName: "httpbin.org", + ExternalName: f.GetNIPHost(), Type: corev1.ServiceTypeExternalName, }, } - f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org", + "nginx.ingress.kubernetes.io/upstream-vhost": f.GetNIPHost(), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations) + + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -127,15 +116,21 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName with a port defined", func() { - host := "echo" + host := echoHost - svc := buildHTTPBinExternalNameService(f, host) + svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org", + "nginx.ingress.kubernetes.io/upstream-vhost": f.GetNIPHost(), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -151,11 +146,11 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return status 502 for service type=ExternalName with an invalid host", func() { - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ @@ -163,10 +158,15 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Type: corev1.ServiceTypeExternalName, }, } - f.EnsureService(svc) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.NIPService, + 80, + nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -182,23 +182,31 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName using a port name", func() { - host := "echo" + host := echoHost - svc := buildHTTPBinExternalNameService(f, host) + svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org", + "nginx.ingress.kubernetes.io/upstream-vhost": f.GetNIPHost(), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) + namedBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Port: networking.ServiceBackendPort{ Name: host, }, }, } + ing.Spec.Rules[0].HTTP.Paths[0].Backend = namedBackend f.EnsureIngress(ing) @@ -215,22 +223,27 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName using FQDN with trailing dot", func() { - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ - ExternalName: "httpbin.org.", + ExternalName: f.GetNIPHost(), Type: corev1.ServiceTypeExternalName, }, } - f.EnsureService(svc) - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -246,18 +259,26 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should update the external name after a service update", func() { - host := "echo" + host := echoHost - svc := buildHTTPBinExternalNameService(f, host) + svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) annotations := map[string]string{ - "nginx.ingress.kubernetes.io/upstream-vhost": "httpbin.org", + "nginx.ingress.kubernetes.io/upstream-vhost": f.GetNIPHost(), } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, annotations) + + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.HTTPBunService, + 80, + annotations) + namedBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ - Name: framework.HTTPBinService, + Name: framework.NIPService, Port: networking.ServiceBackendPort{ Name: host, }, @@ -281,13 +302,21 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { assert.Contains(ginkgo.GinkgoT(), body, `"X-Forwarded-Host": "echo"`) - svc, err := f.KubeClientSet.CoreV1().Services(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining httpbin service") + svc, err := f.KubeClientSet. + CoreV1(). + Services(f.Namespace). + Get(context.TODO(), framework.NIPService, metav1.GetOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining external service") - svc.Spec.ExternalName = "eu.httpbin.org" + // Deploy a new instance to switch routing to + ip := f.NewHttpbunDeployment(framework.WithDeploymentName("eu-server")) + svc.Spec.ExternalName = framework.BuildNIPHost(ip) - _, err = f.KubeClientSet.CoreV1().Services(f.Namespace).Update(context.Background(), svc, metav1.UpdateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating httpbin service") + _, err = f.KubeClientSet. + CoreV1(). + Services(f.Namespace). + Update(context.Background(), svc, metav1.UpdateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating external service") framework.Sleep() @@ -301,18 +330,28 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { assert.Contains(ginkgo.GinkgoT(), body, `"X-Forwarded-Host": "echo"`) - ginkgo.By("checking the service is updated to use eu.httpbin.org") - curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) - output, err := f.ExecIngressPod(curlCmd) + ginkgo.By("checking the service is updated to use new host") + dbgCmd := "/dbg backends all" + output, err := f.ExecIngressPod(dbgCmd) assert.Nil(ginkgo.GinkgoT(), err) - assert.Contains(ginkgo.GinkgoT(), output, `{"address":"eu.httpbin.org"`) + assert.Contains( + ginkgo.GinkgoT(), + output, + fmt.Sprintf(`"address": %q`, framework.BuildNIPHost(ip)), + ) }) ginkgo.It("should sync ingress on external name service addition/deletion", func() { - host := "echo" + host := echoHost // Create the Ingress first - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil) + ing := framework.NewSingleIngress(host, + "/", + host, + f.Namespace, + framework.NIPService, + 80, + nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -328,7 +367,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Status(http.StatusServiceUnavailable) // Now create the service - svc := buildHTTPBinExternalNameService(f, host) + svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) framework.Sleep() @@ -341,9 +380,11 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Status(http.StatusOK) // And back to 503 after deleting the service - - err := f.KubeClientSet.CoreV1().Services(f.Namespace).Delete(context.TODO(), framework.HTTPBinService, metav1.DeleteOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error deleting httpbin service") + err := f.KubeClientSet. + CoreV1(). + Services(f.Namespace). + Delete(context.TODO(), framework.NIPService, metav1.DeleteOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error deleting external service") framework.Sleep() diff --git a/test/e2e/servicebackend/service_nil_backend.go b/test/e2e/servicebackend/service_nil_backend.go index c44601c88..9b5b4c7e6 100644 --- a/test/e2e/servicebackend/service_nil_backend.go +++ b/test/e2e/servicebackend/service_nil_backend.go @@ -64,7 +64,6 @@ var _ = framework.IngressNginxDescribe("[Service] Nil Service Backend", func() { WithHeader("Host", invalidHost). Expect(). Status(http.StatusNotFound) - }) }) diff --git a/test/e2e/settings/access_log.go b/test/e2e/settings/access_log.go index 7c7e2b9e3..65b9dfda4 100644 --- a/test/e2e/settings/access_log.go +++ b/test/e2e/settings/access_log.go @@ -28,7 +28,6 @@ var _ = framework.DescribeSetting("access-log", func() { f := framework.NewDefaultFramework("access-log") ginkgo.Context("access-log-path", func() { - ginkgo.It("use the default configuration", func() { f.WaitForNginxConfiguration( func(cfg string) bool { @@ -50,7 +49,6 @@ var _ = framework.DescribeSetting("access-log", func() { }) ginkgo.Context("http-access-log-path", func() { - ginkgo.It("use the specified configuration", func() { f.UpdateNginxConfigMapData("http-access-log-path", "/tmp/nginx/http-access.log") f.WaitForNginxConfiguration( @@ -63,7 +61,6 @@ var _ = framework.DescribeSetting("access-log", func() { }) ginkgo.Context("stream-access-log-path", func() { - ginkgo.It("use the specified configuration", func() { f.UpdateNginxConfigMapData("stream-access-log-path", "/tmp/nginx/stream-access.log") f.WaitForNginxConfiguration( @@ -76,7 +73,6 @@ var _ = framework.DescribeSetting("access-log", func() { }) ginkgo.Context("http-access-log-path & stream-access-log-path", func() { - ginkgo.It("use the specified configuration", func() { f.SetNginxConfigMapData(map[string]string{ "http-access-log-path": "/tmp/nginx/http-access.log", diff --git a/test/e2e/settings/aio_write.go b/test/e2e/settings/aio_write.go new file mode 100644 index 000000000..bcfe2a4de --- /dev/null +++ b/test/e2e/settings/aio_write.go @@ -0,0 +1,54 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeSetting("aio-write", func() { + f := framework.NewDefaultFramework("aio-write") + + ginkgo.It("should be enabled by default", func() { + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "aio_write on") + }) + }) + + ginkgo.It("should be enabled when setting is true", func() { + f.UpdateNginxConfigMapData("enable-aio-write", "true") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "aio_write on") + }) + }) + + ginkgo.It("should be disabled when setting is false", func() { + f.UpdateNginxConfigMapData("enable-aio-write", "false") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return !strings.Contains(cfg, "aio_write on") + }) + }) +}) diff --git a/test/e2e/settings/badannotationvalues.go b/test/e2e/settings/badannotationvalues.go index b4b6def4a..f61b5bada 100644 --- a/test/e2e/settings/badannotationvalues.go +++ b/test/e2e/settings/badannotationvalues.go @@ -34,6 +34,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "invalid-value-test" annotations := map[string]string{ @@ -65,6 +73,15 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "forbidden-value-test" annotations := map[string]string{ @@ -100,7 +117,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() { - + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() hostValid := "custom-allowed-value-test" annotationsValid := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": ` @@ -131,6 +155,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "custom-forbidden-value-test" annotations := map[string]string{ @@ -159,6 +191,5 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { WithHeader("Host", host). Expect(). Status(http.StatusNotFound) - }) }) diff --git a/test/e2e/settings/brotli.go b/test/e2e/settings/brotli.go index a07eb6c09..aacaddec5 100644 --- a/test/e2e/settings/brotli.go +++ b/test/e2e/settings/brotli.go @@ -28,14 +28,13 @@ import ( ) var _ = framework.IngressNginxDescribe("brotli", func() { - f := framework.NewDefaultFramework("brotli") + f := framework.NewDefaultFramework( + "brotli", + framework.WithHTTPBunEnabled(), + ) host := "brotli" - ginkgo.BeforeEach(func() { - f.NewHttpbinDeployment() - }) - ginkgo.It("should only compress responses that meet the `brotli-min-length` condition", func() { brotliMinLength := 24 contentEncoding := "application/octet-stream" @@ -43,7 +42,7 @@ var _ = framework.IngressNginxDescribe("brotli", func() { f.UpdateNginxConfigMapData("brotli-types", contentEncoding) f.UpdateNginxConfigMapData("brotli-min-length", strconv.Itoa(brotliMinLength)) - f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBinService, 80, nil)) + f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.HTTPBunService, 80, nil)) f.WaitForNginxConfiguration( func(server string) bool { diff --git a/test/e2e/settings/configmap_change.go b/test/e2e/settings/configmap_change.go index be3ab0b11..3e37b62cd 100644 --- a/test/e2e/settings/configmap_change.go +++ b/test/e2e/settings/configmap_change.go @@ -73,5 +73,9 @@ var _ = framework.DescribeSetting("Configmap change", func() { return strings.ContainsAny(cfg, "error_log /var/log/nginx/error.log debug;") }) assert.NotEqual(ginkgo.GinkgoT(), checksum, newChecksum) + + logs, err := f.NginxLogs() + assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") + assert.Contains(ginkgo.GinkgoT(), logs, "Backend successfully reloaded") }) }) diff --git a/test/e2e/settings/default_ssl_certificate.go b/test/e2e/settings/default_ssl_certificate.go index ea97d4895..c48a1e87f 100644 --- a/test/e2e/settings/default_ssl_certificate.go +++ b/test/e2e/settings/default_ssl_certificate.go @@ -30,10 +30,12 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const fooHost = "foo" + var _ = framework.IngressNginxDescribe("[SSL] [Flag] default-ssl-certificate", func() { f := framework.NewDefaultFramework("default-ssl-certificate") var tlsConfig *tls.Config - secretName := "my-custom-cert" + secretName := "my-custom-cert" //nolint:gosec // Ignore the gosec error in testing service := framework.EchoService port := 80 @@ -78,7 +80,7 @@ var _ = framework.IngressNginxDescribe("[SSL] [Flag] default-ssl-certificate", f }) ginkgo.It("uses default ssl certificate for host based ingress when configured certificate does not match host", func() { - host := "foo" + host := fooHost ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, service, port, nil)) _, err := framework.CreateIngressTLSSecret(f.KubeClientSet, diff --git a/test/e2e/settings/disable_catch_all.go b/test/e2e/settings/disable_catch_all.go index 0d1a14493..4e7a16f4d 100644 --- a/test/e2e/settings/disable_catch_all.go +++ b/test/e2e/settings/disable_catch_all.go @@ -48,7 +48,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { }) ginkgo.It("should ignore catch all Ingress with backend", func() { - host := "foo" + host := fooHost ing := framework.NewSingleCatchAllIngress("catch-all", f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -67,7 +67,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { }) ginkgo.It("should ignore catch all Ingress with backend and rules", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngressWithBackendAndRules(host, "/", host, f.Namespace, framework.EchoService, 80, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -79,7 +79,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { }) ginkgo.It("should delete Ingress updated to catch-all", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -121,7 +121,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { }) ginkgo.It("should allow Ingress with rules", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngress("not-catch-all", "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) diff --git a/test/e2e/settings/disable_service_external_name.go b/test/e2e/settings/disable_service_external_name.go index a24cfebde..602828089 100644 --- a/test/e2e/settings/disable_service_external_name.go +++ b/test/e2e/settings/disable_service_external_name.go @@ -33,7 +33,10 @@ import ( ) var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", func() { - f := framework.NewDefaultFramework("disabled-service-external-name") + f := framework.NewDefaultFramework( + "disabled-service-external-name", + framework.WithHTTPBunEnabled(), + ) ginkgo.BeforeEach(func() { f.NewEchoDeployment(framework.WithDeploymentReplicas(2)) @@ -50,21 +53,22 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", f }) ginkgo.It("should ignore services of external-name type", func() { - nonexternalhost := "echo-svc.com" externalhost := "echo-external-svc.com" - svcexternal := &corev1.Service{ + + f.EnsureService(framework.BuildNIPExternalNameService(f, f.HTTPBunIP, "echo")) + + f.EnsureService(&corev1.Service{ ObjectMeta: metav1.ObjectMeta{ Name: "external", Namespace: f.Namespace, }, Spec: corev1.ServiceSpec{ - ExternalName: "httpbin.org", + ExternalName: f.GetNIPHost(), Type: corev1.ServiceTypeExternalName, }, - } - f.EnsureService(svcexternal) + }) ingexternal := framework.NewSingleIngress(externalhost, "/", externalhost, f.Namespace, "external", 80, nil) f.EnsureIngress(ingexternal) @@ -91,6 +95,5 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", f WithHeader("Host", externalhost). Expect(). StatusRange(httpexpect.Status5xx) - }) }) diff --git a/test/e2e/settings/disable_sync_events.go b/test/e2e/settings/disable_sync_events.go new file mode 100644 index 000000000..0d55c96e4 --- /dev/null +++ b/test/e2e/settings/disable_sync_events.go @@ -0,0 +1,109 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "context" + "fmt" + "strings" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + appsv1 "k8s.io/api/apps/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.IngressNginxDescribe("[Flag] disable-sync-events", func() { + f := framework.NewDefaultFramework("disable-sync-events") + + ginkgo.It("should create sync events (default)", func() { + host := "sync-events-default" + f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) + + ing := framework.NewSingleIngressWithIngressClass(host, "/", host, f.Namespace, framework.EchoService, f.IngressClass, 80, nil) + ing = f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + }) + + //nolint:goconst //string interpolation + events, err := f.KubeClientSet.CoreV1().Events(ing.Namespace).List(context.TODO(), metav1.ListOptions{FieldSelector: "reason=Sync,involvedObject.name=" + host}) + assert.Nil(ginkgo.GinkgoT(), err, "listing events") + + assert.NotEmpty(ginkgo.GinkgoT(), events.Items, "got events") + }) + + //nolint:dupl // Ignore dupl errors for similar test case + ginkgo.It("should create sync events", func() { + host := "disable-sync-events-false" + f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) + + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--disable-sync-events=false") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags") + + ing := framework.NewSingleIngressWithIngressClass(host, "/", host, f.Namespace, framework.EchoService, f.IngressClass, 80, nil) + ing = f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + }) + + events, err := f.KubeClientSet.CoreV1().Events(ing.Namespace).List(context.TODO(), metav1.ListOptions{FieldSelector: "reason=Sync,involvedObject.name=" + host}) + assert.Nil(ginkgo.GinkgoT(), err, "listing events") + + assert.NotEmpty(ginkgo.GinkgoT(), events.Items, "got events") + }) + + //nolint:dupl // Ignore dupl errors for similar test case + ginkgo.It("should not create sync events", func() { + host := "disable-sync-events-true" + f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) + + err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { + args := deployment.Spec.Template.Spec.Containers[0].Args + args = append(args, "--disable-sync-events=true") + deployment.Spec.Template.Spec.Containers[0].Args = args + _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{}) + return err + }) + assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags") + + ing := framework.NewSingleIngressWithIngressClass(host, "/", host, f.Namespace, framework.EchoService, f.IngressClass, 80, nil) + ing = f.EnsureIngress(ing) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, fmt.Sprintf("server_name %v", host)) + }) + + events, err := f.KubeClientSet.CoreV1().Events(ing.Namespace).List(context.TODO(), metav1.ListOptions{FieldSelector: "reason=Sync,involvedObject.name=" + host}) + assert.Nil(ginkgo.GinkgoT(), err, "listing events") + + assert.Empty(ginkgo.GinkgoT(), events.Items, "got events") + }) +}) diff --git a/test/e2e/settings/enable_real_ip.go b/test/e2e/settings/enable_real_ip.go index 9be2e52d9..bf16e1ea0 100644 --- a/test/e2e/settings/enable_real_ip.go +++ b/test/e2e/settings/enable_real_ip.go @@ -47,6 +47,7 @@ var _ = framework.DescribeSetting("enable-real-ip", func() { f.WaitForNginxServer(host, func(server string) bool { + //nolint:goconst //already a const return strings.Contains(server, "server_name "+host) && !strings.Contains(server, "proxy_set_header X-Forwarded-Proto $full_x_forwarded_proto;") }) @@ -64,15 +65,15 @@ var _ = framework.DescribeSetting("enable-real-ip", func() { Body(). Raw() - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=myproto")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) + assert.NotContains(ginkgo.GinkgoT(), body, "host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-proto=myproto") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%s", host)) assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=%s", host)) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=80")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=1.2.3.4")) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=80") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=1.2.3.4") }) ginkgo.It("should not trust X-Forwarded-For header when setting is false", func() { @@ -101,13 +102,13 @@ var _ = framework.DescribeSetting("enable-real-ip", func() { Raw() assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%s", host)) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=80")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-original-forwarded-for=1.2.3.4")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=myproto")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=1.2.3.4")) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=80") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-original-forwarded-for=1.2.3.4") + assert.NotContains(ginkgo.GinkgoT(), body, "host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-proto=myproto") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-for=1.2.3.4") }) }) diff --git a/test/e2e/settings/forwarded_headers.go b/test/e2e/settings/forwarded_headers.go index b929e683b..44460aca6 100644 --- a/test/e2e/settings/forwarded_headers.go +++ b/test/e2e/settings/forwarded_headers.go @@ -17,7 +17,6 @@ limitations under the License. package settings import ( - "fmt" "net/http" "strings" @@ -27,6 +26,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const forwardedHeadersHost = "forwarded-headers" + var _ = framework.DescribeSetting("use-forwarded-headers", func() { f := framework.NewDefaultFramework("forwarded-headers") @@ -38,7 +39,7 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { }) ginkgo.It("should trust X-Forwarded headers when setting is true", func() { - host := "forwarded-headers" + host := forwardedHeadersHost f.UpdateNginxConfigMapData(setting, "true") @@ -65,12 +66,12 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { Body(). Raw() - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=myproto")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-scheme=myproto")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=1.2.3.4")) + assert.Contains(ginkgo.GinkgoT(), body, "host=myhost") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=myproto") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-scheme=myproto") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=1.2.3.4") ginkgo.By("ensuring that first entry in X-Forwarded-Host is used as the best host") body = f.HTTPTestClient(). @@ -85,12 +86,12 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { Body(). Raw() - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost.com")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost.com")) + assert.Contains(ginkgo.GinkgoT(), body, "host=myhost.com") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost.com") }) ginkgo.It("should not trust X-Forwarded headers when setting is false", func() { - host := "forwarded-headers" + host := forwardedHeadersHost f.UpdateNginxConfigMapData(setting, "false") @@ -115,16 +116,16 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { Body(). Raw() - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=forwarded-headers")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=80")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-scheme=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-original-forwarded-for=1.2.3.4")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-host=myhost")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=myproto")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-scheme=myproto")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.NotContains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=1.2.3.4")) + assert.Contains(ginkgo.GinkgoT(), body, "host=forwarded-headers") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=80") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-scheme=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-original-forwarded-for=1.2.3.4") + assert.NotContains(ginkgo.GinkgoT(), body, "host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-host=myhost") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-proto=myproto") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-scheme=myproto") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.NotContains(ginkgo.GinkgoT(), body, "x-forwarded-for=1.2.3.4") }) }) diff --git a/test/e2e/settings/geoip2.go b/test/e2e/settings/geoip2.go index 9b2ca8624..7da26d810 100644 --- a/test/e2e/settings/geoip2.go +++ b/test/e2e/settings/geoip2.go @@ -19,11 +19,10 @@ package settings import ( "context" "fmt" + "net/http" "path/filepath" "strings" - "net/http" - "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" @@ -55,7 +54,7 @@ var _ = framework.DescribeSetting("Geoip2", func() { }) assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags") - filename := fmt.Sprintf("/etc/nginx/geoip/%s.mmdb", edition) + filename := fmt.Sprintf("/etc/ingress-controller/geoip/%s.mmdb", edition) exec, err := f.ExecIngressPod(fmt.Sprintf(`sh -c "mkdir -p '%s' && wget -O '%s' '%s' 2>&1"`, filepath.Dir(filename), filename, testdataURL)) framework.Logf(exec) assert.Nil(ginkgo.GinkgoT(), err, fmt.Sprintln("error downloading test geoip2 db", filename)) @@ -70,10 +69,17 @@ var _ = framework.DescribeSetting("Geoip2", func() { ginkgo.It("should only allow requests from specific countries", func() { ginkgo.Skip("GeoIP test are temporarily disabled") - f.UpdateNginxConfigMapData("use-geoip2", "true") + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + "use-geoip2": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() - httpSnippetAllowingOnlyAustralia := - `map $geoip2_city_country_code $blocked_country { + httpSnippetAllowingOnlyAustralia := `map $geoip2_city_country_code $blocked_country { default 1; AU 0; }` @@ -85,8 +91,7 @@ var _ = framework.DescribeSetting("Geoip2", func() { return strings.Contains(cfg, "map $geoip2_city_country_code $blocked_country") }) - configSnippet := - `if ($blocked_country) { + configSnippet := `if ($blocked_country) { return 403; }` diff --git a/test/e2e/settings/global_external_auth.go b/test/e2e/settings/global_external_auth.go index c70b5a9b1..741e6f955 100644 --- a/test/e2e/settings/global_external_auth.go +++ b/test/e2e/settings/global_external_auth.go @@ -31,8 +31,16 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + disable = "false" + noAuthLocaltionSetting = "no-auth-locations" +) + var _ = framework.DescribeSetting("[Security] global-auth-url", func() { - f := framework.NewDefaultFramework("global-external-auth") + f := framework.NewDefaultFramework( + "global-external-auth", + framework.WithHTTPBunEnabled(), + ) host := "global-external-auth" @@ -43,20 +51,18 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { fooPath := "/foo" barPath := "/bar" - noAuthSetting := "no-auth-locations" + noAuthSetting := noAuthLocaltionSetting noAuthLocations := barPath enableGlobalExternalAuthAnnotation := "nginx.ingress.kubernetes.io/enable-global-auth" ginkgo.BeforeEach(func() { f.NewEchoDeployment() - f.NewHttpbinDeployment() }) ginkgo.Context("when global external authentication is configured", func() { - ginkgo.BeforeEach(func() { - globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/401", framework.HTTPBinService, f.Namespace) + globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/401", framework.HTTPBunService, f.Namespace) ginkgo.By("Adding an ingress rule for /foo") fooIng := framework.NewSingleIngress("foo-ingress", fooPath, host, f.Namespace, echoServiceName, 80, nil) @@ -83,7 +89,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It("should return status code 401 when request any protected service", func() { - ginkgo.By("Sending a request to protected service /foo") f.HTTPTestClient(). GET(fooPath). @@ -100,7 +105,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It("should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service", func() { - ginkgo.By("Adding a no-auth-locations for /bar to configMap") f.UpdateNginxConfigMapData(noAuthSetting, noAuthLocations) f.WaitForNginxServer(host, @@ -124,10 +128,9 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It("should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service", func() { - ginkgo.By("Adding an ingress rule for /bar with annotation enable-global-auth = false") err := framework.UpdateIngress(f.KubeClientSet, f.Namespace, "bar-ingress", func(ingress *networking.Ingress) error { - ingress.ObjectMeta.Annotations[enableGlobalExternalAuthAnnotation] = "false" + ingress.ObjectMeta.Annotations[enableGlobalExternalAuthAnnotation] = disable return nil }) assert.Nil(ginkgo.GinkgoT(), err) @@ -153,12 +156,11 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It("should still return status code 200 after auth backend is deleted using cache", func() { - globalExternalAuthCacheKeySetting := "global-auth-cache-key" - globalExternalAuthCacheKey := "foo" + globalExternalAuthCacheKey := fooHost globalExternalAuthCacheDurationSetting := "global-auth-cache-duration" globalExternalAuthCacheDuration := "200 201 401 30m" - globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/200", framework.HTTPBinService, f.Namespace) + globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/200", framework.HTTPBunService, f.Namespace) ginkgo.By("Adding a global-auth-cache-key to configMap") f.SetNginxConfigMapData(map[string]string{ @@ -182,7 +184,7 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { Expect(). Status(http.StatusOK) - err := f.DeleteDeployment(framework.HTTPBinService) + err := f.DeleteDeployment(framework.HTTPBunService) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() @@ -195,7 +197,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It(`should proxy_method method when global-auth-method is configured`, func() { - globalExternalAuthMethodSetting := "global-auth-method" globalExternalAuthMethod := "GET" @@ -208,7 +209,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It(`should add custom error page when global-auth-signin url is configured`, func() { - globalExternalAuthSigninSetting := "global-auth-signin" globalExternalAuthSignin := "http://foo.com/global-error-page" @@ -221,7 +221,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It(`should add auth headers when global-auth-response-headers is configured`, func() { - globalExternalAuthResponseHeadersSetting := "global-auth-response-headers" globalExternalAuthResponseHeaders := "Foo, Bar" @@ -235,7 +234,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It(`should set request-redirect when global-auth-request-redirect is configured`, func() { - globalExternalAuthRequestRedirectSetting := "global-auth-request-redirect" globalExternalAuthRequestRedirect := "Foo-Redirect" @@ -258,7 +256,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { return strings.Contains(server, globalExternalAuthSnippet) }) }) - }) ginkgo.Context("cookie set by external authentication server", func() { @@ -307,9 +304,9 @@ http { assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - httpbinIP := e.Subsets[0].Addresses[0].IP + nginxIP := e.Subsets[0].Addresses[0].IP - f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbinIP)) + f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, fmt.Sprintf("http://%s/cookies/set/alma/armud", nginxIP)) ing1 = framework.NewSingleIngress(host, "/", host, f.Namespace, "http-cookie-with-error", 80, nil) f.EnsureIngress(ing1) @@ -320,7 +317,6 @@ http { f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, "server_name "+host) }) - }) ginkgo.It("user retains cookie by default", func() { diff --git a/test/e2e/settings/global_options.go b/test/e2e/settings/global_options.go index 117860d59..1f84ef5d7 100644 --- a/test/e2e/settings/global_options.go +++ b/test/e2e/settings/global_options.go @@ -31,7 +31,6 @@ var _ = framework.IngressNginxDescribe("global-options", func() { ginkgo.It("should have worker_rlimit_nofile option", func() { f.WaitForNginxConfiguration(func(server string) bool { return strings.Contains(server, fmt.Sprintf("worker_rlimit_nofile %d;", rlimitMaxNumFiles()-1024)) - }) }) diff --git a/test/e2e/settings/gzip.go b/test/e2e/settings/gzip.go new file mode 100644 index 000000000..68e80d3a0 --- /dev/null +++ b/test/e2e/settings/gzip.go @@ -0,0 +1,99 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "fmt" + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/internal/ingress/controller/config" + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeSetting("gzip", func() { + f := framework.NewDefaultFramework("gzip") + + ginkgo.It("should be disabled by default", func() { + f.WaitForNginxConfiguration( + func(cfg string) bool { + return !strings.Contains(cfg, "gzip on;") + }) + }) + + ginkgo.It("should be enabled with default settings", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + defaultCfg := config.NewDefault() + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, fmt.Sprintf("gzip_comp_level %d;", defaultCfg.GzipLevel)) && + !strings.Contains(cfg, "gzip_disable") && + strings.Contains(cfg, "gzip_http_version 1.1;") && + strings.Contains(cfg, fmt.Sprintf("gzip_min_length %d;", defaultCfg.GzipMinLength)) && + strings.Contains(cfg, fmt.Sprintf("gzip_types %s;", defaultCfg.GzipTypes)) && + strings.Contains(cfg, "gzip_proxied any;") && + strings.Contains(cfg, "gzip_vary on;") + }) + }) + + ginkgo.It("should set gzip_comp_level to 4", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + f.UpdateNginxConfigMapData("gzip-level", "4") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, "gzip_comp_level 4;") + }) + }) + + ginkgo.It("should set gzip_disable to msie6", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + f.UpdateNginxConfigMapData("gzip-disable", "msie6") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, `gzip_disable "msie6";`) + }) + }) + + ginkgo.It("should set gzip_min_length to 100", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + f.UpdateNginxConfigMapData("gzip-min-length", "100") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, "gzip_min_length 100;") + }) + }) + + ginkgo.It("should set gzip_types to application/javascript", func() { + f.UpdateNginxConfigMapData("use-gzip", "true") + f.UpdateNginxConfigMapData("gzip-types", "application/javascript") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "gzip on;") && + strings.Contains(cfg, "gzip_types application/javascript;") + }) + }) +}) diff --git a/test/e2e/settings/hash-size.go b/test/e2e/settings/hash-size.go index 6e3e0480c..5aa5f7c95 100644 --- a/test/e2e/settings/hash-size.go +++ b/test/e2e/settings/hash-size.go @@ -36,7 +36,6 @@ var _ = framework.DescribeSetting("hash size", func() { }) ginkgo.Context("Check server names hash size", func() { - ginkgo.It("should set server_names_hash_bucket_size", func() { f.UpdateNginxConfigMapData("server-name-hash-bucket-size", "512") @@ -52,11 +51,9 @@ var _ = framework.DescribeSetting("hash size", func() { return strings.Contains(server, "server_names_hash_max_size 4096;") }) }) - }) ginkgo.Context("Check proxy header hash size", func() { - ginkgo.It("should set proxy-headers-hash-bucket-size", func() { f.UpdateNginxConfigMapData("proxy-headers-hash-bucket-size", "512") @@ -72,11 +69,9 @@ var _ = framework.DescribeSetting("hash size", func() { return strings.Contains(server, "proxy_headers_hash_max_size 4096;") }) }) - }) ginkgo.Context("Check the variable hash size", func() { - ginkgo.It("should set variables-hash-bucket-size", func() { f.UpdateNginxConfigMapData("variables-hash-bucket-size", "512") @@ -92,11 +87,9 @@ var _ = framework.DescribeSetting("hash size", func() { return strings.Contains(server, "variables_hash_max_size 512;") }) }) - }) ginkgo.Context("Check the map hash size", func() { - ginkgo.It("should set vmap-hash-bucket-size", func() { f.UpdateNginxConfigMapData("map-hash-bucket-size", "512") @@ -104,7 +97,5 @@ var _ = framework.DescribeSetting("hash size", func() { return strings.Contains(server, "map_hash_bucket_size 512;") }) }) - }) - }) diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go index 232045f3a..80c09f80c 100644 --- a/test/e2e/settings/ingress_class.go +++ b/test/e2e/settings/ingress_class.go @@ -36,6 +36,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const barHost = "bar" + var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f := framework.NewDefaultFramework("ingress-class") @@ -66,7 +68,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { ginkgo.Context("With default ingress class config", func() { ginkgo.It("should ignore Ingress with a different class annotation", func() { - invalidHost := "foo" + invalidHost := fooHost annotations := map[string]string{ ingressclass.IngressKey: "testclass", } @@ -75,7 +77,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { ing.Spec.IngressClassName = nil f.EnsureIngress(ing) - validHost := "bar" + validHost := barHost annotationClass := map[string]string{ ingressclass.IngressKey: ingressclass.DefaultAnnotationValue, } @@ -385,7 +387,6 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusOK) }) - }) ginkgo.Context("With specific ingress-class flags", func() { @@ -411,13 +412,13 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { }) ginkgo.It("should ignore Ingress with no class and accept the correctly configured Ingresses", func() { - invalidHost := "bar" + invalidHost := barHost ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil) ing.Spec.IngressClassName = nil f.EnsureIngress(ing) - validHost := "foo" + validHost := fooHost annotations := map[string]string{ ingressclass.IngressKey: "testclass", } @@ -455,7 +456,6 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusNotFound) }) - }) ginkgo.Context("With watch-ingress-without-class flag", func() { @@ -480,13 +480,13 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { }) ginkgo.It("should watch Ingress with no class and ignore ingress with a different class", func() { - validHost := "bar" + validHost := barHost ing := framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, nil) ing.Spec.IngressClassName = nil f.EnsureIngress(ing) - invalidHost := "foo" + invalidHost := fooHost annotations := map[string]string{ ingressclass.IngressKey: "testclass123", } @@ -511,7 +511,6 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusNotFound) }) - }) ginkgo.Context("With ingress-class-by-name flag", func() { @@ -579,11 +578,9 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusNotFound) }) - }) ginkgo.Context("Without IngressClass Cluster scoped Permission", func() { - ginkgo.BeforeEach(func() { icname := fmt.Sprintf("ic-%s", f.Namespace) @@ -629,8 +626,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { }) ginkgo.It("should watch Ingress with correct annotation", func() { - - validHost := "foo" + validHost := fooHost annotations := map[string]string{ ingressclass.IngressKey: "testclass", } @@ -650,7 +646,6 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { }) ginkgo.It("should ignore Ingress with only IngressClassName", func() { - invalidHost := "noclassforyou" ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil) @@ -666,6 +661,5 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusNotFound) }) - }) }) diff --git a/test/e2e/settings/keep-alive.go b/test/e2e/settings/keep-alive.go index 510a90125..167f5ac18 100644 --- a/test/e2e/settings/keep-alive.go +++ b/test/e2e/settings/keep-alive.go @@ -17,11 +17,11 @@ limitations under the License. package settings import ( - "fmt" "regexp" "strings" "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" "k8s.io/ingress-nginx/test/e2e/framework" ) @@ -41,7 +41,7 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("keep-alive", "140") f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`keepalive_timeout 140s;`)) + return strings.Contains(server, `keepalive_timeout 140s;`) }) }) @@ -49,9 +49,8 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("keep-alive-requests", "200") f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`keepalive_requests 200;`)) + return strings.Contains(server, `keepalive_requests 200;`) }) - }) }) @@ -60,7 +59,8 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("upstream-keepalive-connections", "128") f.WaitForNginxConfiguration(func(server string) bool { - match, _ := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive 128;`, server) + match, err := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive 128;`, server) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error matching the upstream keepalive time") return match }) }) @@ -69,7 +69,8 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("upstream-keepalive-timeout", "120") f.WaitForNginxConfiguration(func(server string) bool { - match, _ := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_timeout\s*120s;`, server) + match, err := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_timeout\s*120s;`, server) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error matching the upstream keepalive time") return match }) }) @@ -78,7 +79,8 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("upstream-keepalive-time", "75s") f.WaitForNginxConfiguration(func(server string) bool { - match, _ := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_time\s*75s;`, server) + match, err := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_time\s*75s;`, server) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error matching the upstream keepalive time") return match }) }) @@ -87,7 +89,8 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("upstream-keepalive-requests", "200") f.WaitForNginxConfiguration(func(server string) bool { - match, _ := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_requests\s*200;`, server) + match, err := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_requests\s*200;`, server) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error matching the upstream keepalive time") return match }) }) diff --git a/test/e2e/settings/listen_nondefault_ports.go b/test/e2e/settings/listen_nondefault_ports.go index 61a128040..9d3952227 100644 --- a/test/e2e/settings/listen_nondefault_ports.go +++ b/test/e2e/settings/listen_nondefault_ports.go @@ -17,23 +17,20 @@ limitations under the License. package settings import ( - "context" "fmt" "net/http" "strings" "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" ) var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", func() { - host := "forwarded-headers" - f := framework.NewDefaultFramework("forwarded-port-headers") + f := framework.NewDefaultFramework("forwarded-port-headers", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { f.NewEchoDeployment() @@ -46,7 +43,6 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun ginkgo.Context("with a plain HTTP ingress", func() { ginkgo.It("should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port", func() { - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -66,9 +62,7 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun }) ginkgo.Context("with a TLS enabled ingress", func() { - ginkgo.It("should set X-Forwarded-Port header to 443", func() { - ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -92,27 +86,13 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun Expect(). Status(http.StatusOK). Body(). - Contains(fmt.Sprintf("x-forwarded-port=443")) + Contains("x-forwarded-port=443") }) ginkgo.Context("when external authentication is configured", func() { - ginkgo.It("should set the X-Forwarded-Port header to 443", func() { - f.NewHttpbinDeployment() - - err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) - assert.Nil(ginkgo.GinkgoT(), err) - - e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err) - - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint") - assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint") - - httpbinIP := e.Subsets[0].Addresses[0].IP - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } @@ -141,7 +121,7 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun Expect(). Status(http.StatusOK). Body(). - Contains(fmt.Sprintf("x-forwarded-port=443")) + Contains("x-forwarded-port=443") }) }) }) diff --git a/test/e2e/settings/log-format.go b/test/e2e/settings/log-format.go index 24877818d..18835cb66 100644 --- a/test/e2e/settings/log-format.go +++ b/test/e2e/settings/log-format.go @@ -36,7 +36,6 @@ var _ = framework.DescribeSetting("log-format-*", func() { }) ginkgo.Context("Check log-format-escape-json and log-format-escape-none", func() { - ginkgo.It("should not configure log-format escape by default", func() { f.WaitForNginxConfiguration( func(cfg string) bool { @@ -78,7 +77,6 @@ var _ = framework.DescribeSetting("log-format-*", func() { }) ginkgo.Context("Check log-format-upstream with log-format-escape-json and log-format-escape-none", func() { - ginkgo.It("log-format-escape-json enabled", func() { f.SetNginxConfigMapData(map[string]string{ "log-format-escape-json": "true", diff --git a/test/e2e/settings/namespace_selector.go b/test/e2e/settings/namespace_selector.go index a23514dca..1da62ee86 100644 --- a/test/e2e/settings/namespace_selector.go +++ b/test/e2e/settings/namespace_selector.go @@ -27,14 +27,14 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() { +var _ = framework.IngressNginxDescribeSerial("[Flag] watch namespace selector", func() { f := framework.NewDefaultFramework("namespace-selector") - notMatchedHost, matchedHost := "bar", "foo" + notMatchedHost, matchedHost := barHost, fooHost var notMatchedNs string var matchedNs string // create a test namespace, under which create an ingress and backend deployment - prepareTestIngress := func(baseName string, host string, labels map[string]string) string { + prepareTestIngress := func(host string, labels map[string]string) string { ns, err := framework.CreateKubeNamespaceWithLabel(f.BaseName, labels, f.KubeClientSet) assert.Nil(ginkgo.GinkgoT(), err, "creating test namespace") f.NewEchoDeployment(framework.WithDeploymentNamespace(ns)) @@ -45,30 +45,21 @@ var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() cleanupNamespace := func(ns string) { err := framework.DeleteKubeNamespace(f.KubeClientSet, ns) - assert.Nil(ginkgo.GinkgoT(), err, "deleting temporarily crated namespace") + assert.Nil(ginkgo.GinkgoT(), err, "deleting temporarily created namespace") } ginkgo.BeforeEach(func() { - notMatchedNs = prepareTestIngress(notMatchedHost, notMatchedHost, nil) // create namespace without label "foo=bar" - matchedNs = prepareTestIngress(matchedHost, matchedHost, map[string]string{"foo": "bar"}) + notMatchedNs = prepareTestIngress(notMatchedHost, nil) // create namespace without label "foo=bar" + matchedNs = prepareTestIngress(matchedHost, map[string]string{fooHost: barHost}) }) ginkgo.AfterEach(func() { cleanupNamespace(notMatchedNs) cleanupNamespace(matchedNs) - - // cleanup clusterrole/clusterrolebinding created by installing chart with controller.scope.enabled=false - err := f.KubeClientSet.RbacV1().ClusterRoles().Delete(context.TODO(), "nginx-ingress", metav1.DeleteOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "deleting clusterrole nginx-ingress") - - err = f.KubeClientSet.RbacV1().ClusterRoleBindings().Delete(context.TODO(), "nginx-ingress", metav1.DeleteOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "deleting clusterrolebinging nginx-ingress") }) ginkgo.Context("With specific watch-namespace-selector flags", func() { - - ginkgo.It("should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar", func() { - + ginkgo.It("should ignore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar", func() { f.WaitForNginxConfiguration(func(cfg string) bool { return !strings.Contains(cfg, "server_name bar") && strings.Contains(cfg, "server_name foo") @@ -93,7 +84,7 @@ var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() if ns.Labels == nil { ns.Labels = make(map[string]string) } - ns.Labels["foo"] = "bar" + ns.Labels[fooHost] = barHost _, err = f.KubeClientSet.CoreV1().Namespaces().Update(context.TODO(), ns, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "labeling not matched namespace") @@ -104,7 +95,7 @@ var _ = framework.IngressNginxDescribe("[Flag] watch namespace selector", func() if ing.Labels == nil { ing.Labels = make(map[string]string) } - ing.Labels["foo"] = "bar" + ing.Labels[fooHost] = barHost _, err = f.KubeClientSet.NetworkingV1().Ingresses(notMatchedNs).Update(context.TODO(), ing, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "updating ingress") diff --git a/test/e2e/settings/no_auth_locations.go b/test/e2e/settings/no_auth_locations.go index 70ec3be8f..103c057d7 100644 --- a/test/e2e/settings/no_auth_locations.go +++ b/test/e2e/settings/no_auth_locations.go @@ -19,11 +19,11 @@ package settings import ( "fmt" "net/http" - "os/exec" "strings" "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" + "golang.org/x/crypto/bcrypt" corev1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -34,7 +34,7 @@ var _ = framework.DescribeSetting("[Security] no-auth-locations", func() { f := framework.NewDefaultFramework("no-auth-locations") setting := "no-auth-locations" - username := "foo" + username := fooHost password := "bar" secretName := "test-secret" host := "no-auth-locations" @@ -100,7 +100,8 @@ func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName s ObjectMeta: metav1.ObjectMeta{ Name: host, Namespace: namespace, - Annotations: map[string]string{"nginx.ingress.kubernetes.io/auth-type": "basic", + Annotations: map[string]string{ + "nginx.ingress.kubernetes.io/auth-type": "basic", "nginx.ingress.kubernetes.io/auth-secret": secretName, "nginx.ingress.kubernetes.io/auth-realm": "test auth", }, @@ -147,7 +148,7 @@ func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName s } func buildSecret(username, password, name, namespace string) *corev1.Secret { - out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() + out, err := bcrypt.GenerateFromPassword([]byte(password), 14) assert.Nil(ginkgo.GinkgoT(), err, "creating password") encpass := fmt.Sprintf("%v:%s\n", username, out) diff --git a/test/e2e/settings/no_tls_redirect_locations.go b/test/e2e/settings/no_tls_redirect_locations.go index 2fca545ff..8339eb23e 100644 --- a/test/e2e/settings/no_tls_redirect_locations.go +++ b/test/e2e/settings/no_tls_redirect_locations.go @@ -17,7 +17,6 @@ limitations under the License. package settings import ( - "fmt" "strings" "github.com/onsi/ginkgo/v2" @@ -34,7 +33,7 @@ var _ = framework.DescribeSetting("Add no tls redirect locations", func() { f.EnsureIngress(ing) f.WaitForNginxConfiguration(func(server string) bool { - return !strings.Contains(server, fmt.Sprintf("force_no_ssl_redirect = true,")) + return !strings.Contains(server, "force_no_ssl_redirect = true,") }) wlKey := "no-tls-redirect-locations" @@ -43,8 +42,7 @@ var _ = framework.DescribeSetting("Add no tls redirect locations", func() { f.UpdateNginxConfigMapData(wlKey, wlValue) f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf("force_no_ssl_redirect = true,")) + return strings.Contains(server, "force_no_ssl_redirect = true,") }) - }) }) diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go index ea137aeb1..f6f106b06 100644 --- a/test/e2e/settings/ocsp/ocsp.go +++ b/test/e2e/settings/ocsp/ocsp.go @@ -47,6 +47,7 @@ var _ = framework.DescribeSetting("OCSP", func() { }) ginkgo.It("should enable OCSP and contain stapling information in the connection", func() { + ginkgo.Skip("Skipped due to a bug with cfssl and Alpine") host := "www.example.com" f.UpdateNginxConfigMapData("enable-ocsp", "true") @@ -68,7 +69,7 @@ var _ = framework.DescribeSetting("OCSP", func() { var pemCertBuffer bytes.Buffer pemCertBuffer.Write(leafCert) - pemCertBuffer.Write([]byte("\n")) + pemCertBuffer.WriteString("\n") pemCertBuffer.Write(intermediateCa) f.EnsureSecret(&corev1.Secret{ @@ -85,7 +86,7 @@ var _ = framework.DescribeSetting("OCSP", func() { cfsslDB, err := os.ReadFile("empty.db") assert.Nil(ginkgo.GinkgoT(), err) - cmap, err := f.EnsureConfigMap(&corev1.ConfigMap{ + f.EnsureConfigMap(&corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: "ocspserve", Namespace: f.Namespace, @@ -95,8 +96,6 @@ var _ = framework.DescribeSetting("OCSP", func() { "db-config.json": []byte(`{"driver":"sqlite3","data_source":"/data/empty.db"}`), }, }) - assert.Nil(ginkgo.GinkgoT(), err) - assert.NotNil(ginkgo.GinkgoT(), cmap) d, s := ocspserveDeployment(f.Namespace) f.EnsureDeployment(d) @@ -114,7 +113,7 @@ var _ = framework.DescribeSetting("OCSP", func() { return strings.Contains(server, fmt.Sprintf(`server_name %v`, host)) }) - tlsConfig := &tls.Config{ServerName: host, InsecureSkipVerify: true} + tlsConfig := &tls.Config{ServerName: host, InsecureSkipVerify: true} //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(tlsConfig). GET("/"). WithURL(f.GetURL(framework.HTTPS)). @@ -197,7 +196,8 @@ const configTemplate = ` func prepareCertificates(namespace string) error { config := fmt.Sprintf(configTemplate, namespace) - err := os.WriteFile("cfssl_config.json", []byte(config), 0644) + //nolint:gosec // Not change permission to avoid possible issues + err := os.WriteFile("cfssl_config.json", []byte(config), 0o644) if err != nil { return fmt.Errorf("creating cfssl_config.json file: %v", err) } @@ -292,7 +292,7 @@ func ocspserveDeployment(namespace string) (*appsv1.Deployment, *corev1.Service) Containers: []corev1.Container{ { Name: name, - Image: "registry.k8s.io/ingress-nginx/e2e-test-cfssl@sha256:c1b273763048944dd7d22d37adfc65be4fa6a5f6068204292573c6cdc5ea3457", + Image: "registry.k8s.io/ingress-nginx/e2e-test-cfssl@sha256:48869cf72b0ceb1d8c82029f85961e423daf3ff8a04f4a455150000f90a90606", Command: []string{ "/bin/bash", "-c", diff --git a/test/e2e/settings/opentelemetry.go b/test/e2e/settings/opentelemetry.go new file mode 100644 index 000000000..b5fc6ff4e --- /dev/null +++ b/test/e2e/settings/opentelemetry.go @@ -0,0 +1,120 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +const ( + enableOpentelemetry = "enable-opentelemetry" + opentelemetryTrustIncomingSpan = "opentelemetry-trust-incoming-span" + + opentelemetryOperationName = "opentelemetry-operation-name" + opentelemetryLocationOperationName = "opentelemetry-location-operation-name" + opentelemetryConfig = "opentelemetry-config" + opentelemetryConfigPath = "/etc/ingress-controller/telemetry/opentelemetry.toml" + + enable = "true" +) + +var _ = framework.IngressNginxDescribe("Configure Opentelemetry", func() { + f := framework.NewDefaultFramework("enable-opentelemetry") + + ginkgo.BeforeEach(func() { + f.NewEchoDeployment() + }) + + ginkgo.AfterEach(func() { + }) + + ginkgo.It("should not exists opentelemetry directive", func() { + config := map[string]string{} + config[enableOpentelemetry] = disable + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return !strings.Contains(cfg, "opentelemetry on") + }) + }) + + ginkgo.It("should exists opentelemetry directive when is enabled", func() { + config := map[string]string{} + config[enableOpentelemetry] = enable + config[opentelemetryConfig] = opentelemetryConfigPath + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "opentelemetry on") + }) + }) + + ginkgo.It("should include opentelemetry_trust_incoming_spans on directive when enabled", func() { + config := map[string]string{} + config[enableOpentelemetry] = enable + config[opentelemetryConfig] = opentelemetryConfigPath + config[opentelemetryTrustIncomingSpan] = enable + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "opentelemetry_trust_incoming_spans on") + }) + }) + + ginkgo.It("should not exists opentelemetry_operation_name directive when is empty", func() { + config := map[string]string{} + config[enableOpentelemetry] = enable + config[opentelemetryConfig] = opentelemetryConfigPath + config[opentelemetryOperationName] = "" + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return !strings.Contains(cfg, "opentelemetry_operation_name") + }) + }) + + ginkgo.It("should exists opentelemetry_operation_name directive when is configured", func() { + config := map[string]string{} + config[enableOpentelemetry] = enable + config[opentelemetryConfig] = opentelemetryConfigPath + config[opentelemetryOperationName] = "HTTP $request_method $uri" + f.SetNginxConfigMapData(config) + + f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, `opentelemetry_operation_name "HTTP $request_method $uri"`) + }) + }) +}) diff --git a/test/e2e/settings/opentracing.go b/test/e2e/settings/opentracing.go deleted file mode 100644 index aee01ea60..000000000 --- a/test/e2e/settings/opentracing.go +++ /dev/null @@ -1,252 +0,0 @@ -/* -Copyright 2020 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package settings - -import ( - "fmt" - "net/http" - "strings" - "time" - - "github.com/onsi/ginkgo/v2" - "github.com/stretchr/testify/assert" - - "k8s.io/ingress-nginx/test/e2e/framework" -) - -const ( - enableOpentracing = "enable-opentracing" - opentracingTrustIncomingSpan = "opentracing-trust-incoming-span" - - zipkinCollectorHost = "zipkin-collector-host" - - jaegerCollectorHost = "jaeger-collector-host" - jaegerSamplerHost = "jaeger-sampler-host" - jaegerPropagationFormat = "jaeger-propagation-format" - // jaegerEndpoint = "jaeger-endpoint" - - datadogCollectorHost = "datadog-collector-host" - - opentracingOperationName = "opentracing-operation-name" - opentracingLocationOperationName = "opentracing-location-operation-name" -) - -var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { - f := framework.NewDefaultFramework("enable-opentracing") - - ginkgo.BeforeEach(func() { - f.NewEchoDeployment() - }) - - ginkgo.AfterEach(func() { - }) - - ginkgo.It("should not exists opentracing directive", func() { - config := map[string]string{} - config[enableOpentracing] = "false" - f.SetNginxConfigMapData(config) - - f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) - - f.WaitForNginxConfiguration( - func(cfg string) bool { - return !strings.Contains(cfg, "opentracing on") - }) - }) - - ginkgo.It("should exists opentracing directive when is enabled", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" - f.SetNginxConfigMapData(config) - - f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) - - f.WaitForNginxConfiguration( - func(cfg string) bool { - return strings.Contains(cfg, "opentracing on") - }) - }) - - ginkgo.It("should include opentracing_trust_incoming_span off directive when disabled", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[opentracingTrustIncomingSpan] = "false" - config[zipkinCollectorHost] = "127.0.0.1" - f.SetNginxConfigMapData(config) - - f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) - - f.WaitForNginxConfiguration( - func(cfg string) bool { - return strings.Contains(cfg, "opentracing_trust_incoming_span off") - }) - }) - - ginkgo.It("should not exists opentracing_operation_name directive when is empty", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" - config[opentracingOperationName] = "" - f.SetNginxConfigMapData(config) - - f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) - - f.WaitForNginxConfiguration( - func(cfg string) bool { - return !strings.Contains(cfg, "opentracing_operation_name") - }) - }) - - ginkgo.It("should exists opentracing_operation_name directive when is configured", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" - config[opentracingOperationName] = "HTTP $request_method $uri" - f.SetNginxConfigMapData(config) - - f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) - - f.WaitForNginxConfiguration( - func(cfg string) bool { - return strings.Contains(cfg, `opentracing_operation_name "HTTP $request_method $uri"`) - }) - }) - - ginkgo.It("should not exists opentracing_location_operation_name directive when is empty", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" - config[opentracingLocationOperationName] = "" - f.SetNginxConfigMapData(config) - - f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) - - f.WaitForNginxConfiguration( - func(cfg string) bool { - return !strings.Contains(cfg, "opentracing_location_operation_name") - }) - }) - - ginkgo.It("should exists opentracing_location_operation_name directive when is configured", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" - config[opentracingLocationOperationName] = "HTTP $request_method $uri" - f.SetNginxConfigMapData(config) - - f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) - - f.WaitForNginxConfiguration( - func(cfg string) bool { - return strings.Contains(cfg, "opentracing_location_operation_name \"HTTP $request_method $uri\"") - }) - }) - - ginkgo.It("should enable opentracing using zipkin", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" - f.SetNginxConfigMapData(config) - - framework.Sleep(10 * time.Second) - log, err := f.NginxLogs() - assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") - assert.NotContains(ginkgo.GinkgoT(), log, "Unexpected failure reloading the backend", "reloading nginx after a configmap change") - }) - - ginkgo.It("should enable opentracing using jaeger", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[jaegerCollectorHost] = "127.0.0.1" - f.SetNginxConfigMapData(config) - - framework.Sleep(10 * time.Second) - log, err := f.NginxLogs() - assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") - assert.NotContains(ginkgo.GinkgoT(), log, "Unexpected failure reloading the backend", "reloading nginx after a configmap change") - }) - - ginkgo.It("should enable opentracing using jaeger with sampler host", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[jaegerCollectorHost] = "127.0.0.1" - config[jaegerSamplerHost] = "127.0.0.1" - f.SetNginxConfigMapData(config) - - framework.Sleep(10 * time.Second) - log, err := f.NginxLogs() - assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") - assert.NotContains(ginkgo.GinkgoT(), log, "Unexpected failure reloading the backend", "reloading nginx after a configmap change") - }) - - ginkgo.It("should propagate the w3c header when configured with jaeger", func() { - host := "jaeger-w3c" - config := map[string]string{} - config[enableOpentracing] = "true" - config[jaegerCollectorHost] = "127.0.0.1" - config[jaegerPropagationFormat] = "w3c" - f.SetNginxConfigMapData(config) - - framework.Sleep(10 * time.Second) - log, err := f.NginxLogs() - assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") - assert.NotContains(ginkgo.GinkgoT(), log, "Unexpected failure reloading the backend", "reloading nginx after a configmap change") - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) - f.EnsureIngress(ing) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) - }) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK). - Body(). - Match("traceparent=[0-9a-f]{2}-[0-9a-f]{32}-[0-9a-f]{16}-[0-9a-f]{2}") - }) - - /* - ginkgo.It("should enable opentracing using jaeger with an HTTP endpoint", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[jaegerEndpoint] = "http://127.0.0.1/api/traces" - f.SetNginxConfigMapData(config) - - framework.Sleep(10 * time.Second) - log, err := f.NginxLogs() - assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") - assert.NotContains(ginkgo.GinkgoT(), log, "Unexpected failure reloading the backend", "reloading nginx after a configmap change") - }) - */ - - ginkgo.It("should enable opentracing using datadog", func() { - config := map[string]string{} - config[enableOpentracing] = "true" - config[datadogCollectorHost] = "http://127.0.0.1" - f.SetNginxConfigMapData(config) - - framework.Sleep(10 * time.Second) - log, err := f.NginxLogs() - assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") - assert.NotContains(ginkgo.GinkgoT(), log, "Unexpected failure reloading the backend", "reloading nginx after a configmap change") - }) -}) diff --git a/test/e2e/settings/pod_security_policy_volumes.go b/test/e2e/settings/pod_security_policy_volumes.go index dd4df3bd9..f8fc58300 100644 --- a/test/e2e/settings/pod_security_policy_volumes.go +++ b/test/e2e/settings/pod_security_policy_volumes.go @@ -38,7 +38,6 @@ var _ = framework.IngressNginxDescribe("[Security] Pod Security Policies with vo f := framework.NewDefaultFramework("pod-security-policies-volumes") ginkgo.It("should be running with a Pod Security Policy", func() { - k8sversion, err := f.KubeClientSet.Discovery().ServerVersion() if err != nil { assert.Nil(ginkgo.GinkgoT(), err, "getting version") diff --git a/test/e2e/settings/proxy_connect_timeout.go b/test/e2e/settings/proxy_connect_timeout.go index 1290775a5..185ac1dd1 100644 --- a/test/e2e/settings/proxy_connect_timeout.go +++ b/test/e2e/settings/proxy_connect_timeout.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package settings import ( @@ -64,5 +65,4 @@ var _ = framework.DescribeSetting("proxy-connect-timeout", func() { return !strings.Contains(server, fmt.Sprintf("proxy_connect_timeout %ss;", proxyConnectTimeout)) }) }) - }) diff --git a/test/e2e/settings/proxy_host.go b/test/e2e/settings/proxy_host.go index 8f564414a..35aafc53d 100644 --- a/test/e2e/settings/proxy_host.go +++ b/test/e2e/settings/proxy_host.go @@ -34,6 +34,14 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { }) ginkgo.It("should exist a proxy_host", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService) annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Custom-Header: $proxy_host"`, @@ -55,6 +63,15 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { }) ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService) upstreamVHost := "different.host" annotations := map[string]string{ @@ -66,7 +83,7 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { f.WaitForNginxConfiguration( func(server string) bool { return strings.Contains(server, fmt.Sprintf("server_name %v", test)) && - strings.Contains(server, fmt.Sprintf("set $proxy_host $proxy_upstream_name")) + strings.Contains(server, "set $proxy_host $proxy_upstream_name") }) f.HTTPTestClient(). diff --git a/test/e2e/settings/proxy_protocol.go b/test/e2e/settings/proxy_protocol.go index 8b0e56fe4..cfce68bf8 100644 --- a/test/e2e/settings/proxy_protocol.go +++ b/test/e2e/settings/proxy_protocol.go @@ -33,8 +33,10 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const proxyProtocol = "proxy-protocol" + var _ = framework.DescribeSetting("use-proxy-protocol", func() { - f := framework.NewDefaultFramework("proxy-protocol") + f := framework.NewDefaultFramework(proxyProtocol) setting := "use-proxy-protocol" @@ -42,9 +44,9 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { f.NewEchoDeployment() f.UpdateNginxConfigMapData(setting, "false") }) - + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should respect port passed by the PROXY Protocol", func() { - host := "proxy-protocol" + host := proxyProtocol f.UpdateNginxConfigMapData(setting, "true") @@ -63,21 +65,25 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { defer conn.Close() header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 1234\r\n" - conn.Write([]byte(header)) - conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + _, err = conn.Write([]byte(header)) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") + + _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") data, err := io.ReadAll(conn) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") body := string(data) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=http")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=192.168.0.1")) + assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", proxyProtocol)) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=http") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=192.168.0.1") }) + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should respect proto passed by the PROXY Protocol server port", func() { - host := "proxy-protocol" + host := proxyProtocol f.UpdateNginxConfigMapData(setting, "true") @@ -96,21 +102,24 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { defer conn.Close() header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 443\r\n" - conn.Write([]byte(header)) - conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + _, err = conn.Write([]byte(header)) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") + + _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") data, err := io.ReadAll(conn) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") body := string(data) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=443")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=https")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=192.168.0.1")) + assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", proxyProtocol)) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=443") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=https") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=192.168.0.1") }) ginkgo.It("should enable PROXY Protocol for HTTPS", func() { - host := "proxy-protocol" + host := proxyProtocol f.UpdateNginxConfigMapData(setting, "true") @@ -145,11 +154,11 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") body := string(data) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-port=1234")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-proto=https")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-scheme=https")) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("x-forwarded-for=192.168.0.1")) + assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", proxyProtocol)) + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=https") + assert.Contains(ginkgo.GinkgoT(), body, "x-scheme=https") + assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=192.168.0.1") }) ginkgo.It("should enable PROXY Protocol for TCP", func() { @@ -205,8 +214,11 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { defer conn.Close() header := "PROXY TCP4 192.168.0.1 192.168.0.11 56324 8080\r\n" - conn.Write([]byte(header)) - conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + _, err = conn.Write([]byte(header)) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing header") + + _, err = conn.Write([]byte("GET / HTTP/1.1\r\nHost: proxy-protocol\r\n\r\n")) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error writing request") _, err = io.ReadAll(conn) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") diff --git a/test/e2e/settings/proxy_read_timeout.go b/test/e2e/settings/proxy_read_timeout.go index c84956cc9..484b44f24 100644 --- a/test/e2e/settings/proxy_read_timeout.go +++ b/test/e2e/settings/proxy_read_timeout.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package settings import ( @@ -64,5 +65,4 @@ var _ = framework.DescribeSetting("proxy-read-timeout", func() { return !strings.Contains(server, fmt.Sprintf("proxy_read_timeout %ss;", proxyReadtimeout)) }) }) - }) diff --git a/test/e2e/settings/proxy_send_timeout.go b/test/e2e/settings/proxy_send_timeout.go index 886642bc0..bdcd46f0f 100644 --- a/test/e2e/settings/proxy_send_timeout.go +++ b/test/e2e/settings/proxy_send_timeout.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package settings import ( @@ -64,5 +65,4 @@ var _ = framework.DescribeSetting("proxy-send-timeout", func() { return !strings.Contains(server, fmt.Sprintf("proxy_send_timeout %ss;", proxySendTimeout)) }) }) - }) diff --git a/test/e2e/settings/server_snippet.go b/test/e2e/settings/server_snippet.go index 1577c927c..8ddf10fd9 100644 --- a/test/e2e/settings/server_snippet.go +++ b/test/e2e/settings/server_snippet.go @@ -37,10 +37,16 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { hostAnnots := "serverannotssnippet1.foo.com" f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", "server-snippet": ` more_set_headers "Globalfoo: Foooo";`, }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-snippet": ` more_set_headers "Foo: Bar"; @@ -99,6 +105,11 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { more_set_headers "Globalfoo: Foooo";`, }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-snippet": ` more_set_headers "Foo: Bar"; diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index 77a3c990e..b10511bde 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -19,7 +19,7 @@ package settings import ( "context" "crypto/tls" - "fmt" + "net" "net/http" "strings" @@ -34,7 +34,7 @@ import ( ) var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { - f := framework.NewDefaultFramework("ssl-passthrough") + f := framework.NewDefaultFramework("ssl-passthrough", framework.WithHTTPBunEnabled()) ginkgo.BeforeEach(func() { err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { @@ -54,7 +54,6 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { ginkgo.Describe("With enable-ssl-passthrough enabled", func() { ginkgo.It("should enable ssl-passthrough-proxy-port on a different port", func() { - err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { args := deployment.Spec.Template.Spec.Containers[0].Args args = append(args, "--ssl-passthrough-proxy-port=1442") @@ -77,16 +76,22 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { }) ginkgo.It("should pass unknown traffic to default backend and handle known traffic", func() { - host := "testpassthrough.com" echoName := "echopass" - /* Even with enable-ssl-passthrough enabled, only annotated ingresses may receive the trafic */ + /* Even with enable-ssl-passthrough enabled, only annotated ingresses may receive the traffic */ annotations := map[string]string{ "nginx.ingress.kubernetes.io/ssl-passthrough": "true", } - ingressDef := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, echoName, 80, annotations) + ingressDef := framework.NewSingleIngressWithTLS(host, + "/", + host, + []string{host}, + f.Namespace, + echoName, + 80, + annotations) tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet, ingressDef.Spec.TLS[0].Hosts, ingressDef.Spec.TLS[0].SecretName, @@ -119,7 +124,17 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { Value: "/certs/tls.key", }, } - f.NewDeploymentWithOpts("echopass", "ghcr.io/sharat87/httpbun:latest", 80, 1, nil, nil, envs, volumeMount, volume, false) + + f.NewDeploymentWithOpts("echopass", + framework.HTTPBunImage, + 80, + 1, + nil, + nil, + envs, + volumeMount, + volume, + false) f.EnsureIngress(ingressDef) @@ -133,7 +148,14 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { /* This one should not receive traffic as it does not contain passthrough annotation */ hostBad := "noannotationnopassthrough.com" - ingBad := f.EnsureIngress(framework.NewSingleIngressWithTLS(hostBad, "/", hostBad, []string{hostBad}, f.Namespace, echoName, 80, nil)) + ingBad := f.EnsureIngress(framework.NewSingleIngressWithTLS(hostBad, + "/", + hostBad, + []string{hostBad}, + f.Namespace, + echoName, + 80, + nil)) tlsConfigBad, err := framework.CreateIngressTLSSecret(f.KubeClientSet, ingBad.Spec.TLS[0].Hosts, ingBad.Spec.TLS[0].SecretName, @@ -146,20 +168,21 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { return strings.Contains(server, "listen 442") }) + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). - WithURL(fmt.Sprintf("https://%s:443", host)). + WithURL("https://"+net.JoinHostPort(host, "443")). ForceResolve(f.GetNginxIP(), 443). Expect(). Status(http.StatusOK) + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: hostBad, InsecureSkipVerify: true}). GET("/"). - WithURL(fmt.Sprintf("https://%s:443", hostBad)). + WithURL("https://"+net.JoinHostPort(hostBad, "443")). ForceResolve(f.GetNginxIP(), 443). Expect(). Status(http.StatusNotFound) - }) }) }) diff --git a/test/e2e/settings/tls.go b/test/e2e/settings/tls.go index a249f8bad..51f760df8 100644 --- a/test/e2e/settings/tls.go +++ b/test/e2e/settings/tls.go @@ -87,9 +87,7 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f }) ginkgo.Context("should configure HSTS policy header", func() { - var ( - tlsConfig *tls.Config - ) + var tlsConfig *tls.Config const ( hstsMaxAge = "hsts-max-age" @@ -112,7 +110,7 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f f.UpdateNginxConfigMapData(hstsMaxAge, "86400") f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`hsts_max_age = 86400,`)) + return strings.Contains(server, `hsts_max_age = 86400,`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -131,7 +129,7 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f }) f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`hsts_include_subdomains = false,`)) + return strings.Contains(server, `hsts_include_subdomains = false,`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -151,7 +149,7 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f }) f.WaitForNginxConfiguration(func(server string) bool { - return strings.Contains(server, fmt.Sprintf(`hsts_preload = true,`)) + return strings.Contains(server, `hsts_preload = true,`) }) f.HTTPTestClientWithTLSConfig(tlsConfig). @@ -170,17 +168,18 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f hstsIncludeSubdomains: "false", }) - // we can not use gorequest here because it flattens the duplicate headers - // and specifically in case of Strict-Transport-Security it ignore extra headers - // intead of concatenating, rightfully. And I don't know of any API it provides for getting raw headers. - curlCmd := fmt.Sprintf("curl -I -k --fail --silent --resolve settings-tls:443:127.0.0.1 https://settings-tls%v", "?hsts=true") - output, err := f.ExecIngressPod(curlCmd) - assert.Nil(ginkgo.GinkgoT(), err) - assert.Contains(ginkgo.GinkgoT(), output, "strict-transport-security: max-age=86400; preload") - // this is what the upstream sets - assert.NotContains(ginkgo.GinkgoT(), output, "strict-transport-security: max-age=3600; preload") - }) + expectResponse := f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL(f.GetURL(framework.HTTPS)). + WithHeader("Host", host). + WithQuery("hsts", "true"). + Expect() + expectResponse.Header("Strict-Transport-Security").Equal("max-age=86400; preload") + header := expectResponse.Raw().Header + got := header["Strict-Transport-Security"] + assert.Equal(ginkgo.GinkgoT(), 1, len(got)) + }) }) ginkgo.Context("ports or X-Forwarded-Host check during HTTP tp HTTPS redirection", func() { diff --git a/test/e2e/settings/validations/validations.go b/test/e2e/settings/validations/validations.go new file mode 100644 index 000000000..ac95a453a --- /dev/null +++ b/test/e2e/settings/validations/validations.go @@ -0,0 +1,101 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package annotations + +import ( + "context" + + "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { + f := framework.NewDefaultFramework("validations") + //nolint:dupl // Ignore dupl errors for similar test case + ginkgo.It("should allow ingress based on their risk on webhooks", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := "annotation-validations" + + // Low and Medium Risk annotations should be allowed, the rest should be denied + f.UpdateNginxConfigMapData("annotations-risk-level", "Medium") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + } + + ginkgo.By("allow ingress with low/medium risk annotations") + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating ingress with allowed annotations should not trigger an error") + + ginkgo.By("block ingress with risky annotations") + annotations["nginx.ingress.kubernetes.io/modsecurity-transaction-id"] = "bla123" // High should be blocked + annotations["nginx.ingress.kubernetes.io/modsecurity-snippet"] = "some random stuff;" // High should be blocked + ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating ingress with risky annotations should trigger an error") + }) + //nolint:dupl // Ignore dupl errors for similar test case + ginkgo.It("should allow ingress based on their risk on webhooks", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "annotation-validations" + + // Low and Medium Risk annotations should be allowed, the rest should be denied + f.UpdateNginxConfigMapData("annotations-risk-level", "Medium") + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + annotations := map[string]string{ + "nginx.ingress.kubernetes.io/default-backend": "default/bla", // low risk + "nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk + } + + ginkgo.By("allow ingress with low/medium risk annotations") + ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "creating ingress with allowed annotations should not trigger an error") + + ginkgo.By("block ingress with risky annotations") + annotations["nginx.ingress.kubernetes.io/modsecurity-transaction-id"] = "bla123" // High should be blocked + annotations["nginx.ingress.kubernetes.io/modsecurity-snippet"] = "some random stuff;" // High should be blocked + ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{}) + assert.NotNil(ginkgo.GinkgoT(), err, "creating ingress with risky annotations should trigger an error") + }) +}) diff --git a/test/e2e/ssl/secret_update.go b/test/e2e/ssl/secret_update.go index 77e64c6b2..8e81f09f9 100644 --- a/test/e2e/ssl/secret_update.go +++ b/test/e2e/ssl/secret_update.go @@ -73,7 +73,8 @@ var _ = framework.IngressNginxDescribe("[SSL] secret update", func() { dummySecret.Data["some-key"] = []byte("some value") - f.KubeClientSet.CoreV1().Secrets(f.Namespace).Update(context.TODO(), dummySecret, metav1.UpdateOptions{}) + _, err = f.KubeClientSet.CoreV1().Secrets(f.Namespace).Update(context.TODO(), dummySecret, metav1.UpdateOptions{}) + assert.Nil(ginkgo.GinkgoT(), err, "updating secret") assert.NotContains(ginkgo.GinkgoT(), log, fmt.Sprintf("starting syncing of secret %v/dummy", f.Namespace)) assert.NotContains(ginkgo.GinkgoT(), log, fmt.Sprintf("error obtaining PEM from secret %v/dummy", f.Namespace)) @@ -97,7 +98,7 @@ var _ = framework.IngressNginxDescribe("[SSL] secret update", func() { return strings.Contains(server, "server_name invalid-ssl") && strings.Contains(server, "listen 443") }) - + //nolint:gosec // Ignore certificate validation in testing resp := f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). WithURL(f.GetURL(framework.HTTPS)). diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go index c9c6ef333..c3c48f8d2 100644 --- a/test/e2e/status/update.go +++ b/test/e2e/status/update.go @@ -28,7 +28,7 @@ import ( "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" - apiv1 "k8s.io/api/core/v1" + v1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/wait" @@ -71,7 +71,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { f.NewEchoDeployment() - ing := f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) + f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxConfiguration( func(cfg string) bool { @@ -84,10 +84,10 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { err = cmd.Process.Kill() assert.Nil(ginkgo.GinkgoT(), err, "unexpected error terminating kubectl proxy") - ing, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{}) + ing, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error getting %s/%v Ingress", f.Namespace, host) - ing.Status.LoadBalancer.Ingress = []apiv1.LoadBalancerIngress{} + ing.Status.LoadBalancer.Ingress = []v1.IngressLoadBalancerIngress{} _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).UpdateStatus(context.TODO(), ing, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error cleaning Ingress status") framework.Sleep(10 * time.Second) @@ -108,6 +108,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { } }() + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err = wait.Poll(5*time.Second, 4*time.Minute, func() (done bool, err error) { ing, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{}) if err != nil { @@ -121,9 +122,9 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { return true, nil }) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error waiting for ingress status") - assert.Equal(ginkgo.GinkgoT(), ing.Status.LoadBalancer.Ingress, ([]apiv1.LoadBalancerIngress{ + assert.Equal(ginkgo.GinkgoT(), ing.Status.LoadBalancer.Ingress, []v1.IngressLoadBalancerIngress{ {IP: "1.1.0.0"}, - })) + }) }) }) @@ -134,7 +135,8 @@ func getHostIP() net.IP { } defer conn.Close() - localAddr := conn.LocalAddr().(*net.UDPAddr) + localAddr, ok := conn.LocalAddr().(*net.UDPAddr) + assert.True(ginkgo.GinkgoT(), ok, "unexpected type: %T", conn.LocalAddr()) return localAddr.IP } diff --git a/test/e2e/tcpudp/tcp.go b/test/e2e/tcpudp/tcp.go index b62134a03..f06d6c9a3 100644 --- a/test/e2e/tcpudp/tcp.go +++ b/test/e2e/tcpudp/tcp.go @@ -21,6 +21,7 @@ import ( "fmt" "net" "net/http" + "regexp" "strings" "time" @@ -36,58 +37,39 @@ import ( var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { f := framework.NewDefaultFramework("tcp") + var ip string + + ginkgo.BeforeEach(func() { + ip = f.GetNginxIP() + }) ginkgo.It("should expose a TCP service", func() { f.NewEchoDeployment() - config, err := f.KubeClientSet. - CoreV1(). - ConfigMaps(f.Namespace). - Get(context.TODO(), "tcp-services", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining tcp-services configmap") - assert.NotNil(ginkgo.GinkgoT(), config, "expected a configmap but none returned") - - if config.Data == nil { - config.Data = map[string]string{} + cm := f.GetConfigMap(f.Namespace, "tcp-services") + cm.Data = map[string]string{ + "8080": fmt.Sprintf("%v/%v:80", f.Namespace, framework.EchoService), } + f.EnsureConfigMap(cm) - config.Data["8080"] = fmt.Sprintf("%v/%v:80", f.Namespace, framework.EchoService) - - _, err = f.KubeClientSet. - CoreV1(). - ConfigMaps(f.Namespace). - Update(context.TODO(), config, metav1.UpdateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating configmap") - - svc, err := f.KubeClientSet. - CoreV1(). - Services(f.Namespace). - Get(context.TODO(), "nginx-ingress-controller", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining ingress-nginx service") - assert.NotNil(ginkgo.GinkgoT(), svc, "expected a service but none returned") - + svc := f.GetService(f.Namespace, "nginx-ingress-controller") svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{ Name: framework.EchoService, Port: 8080, TargetPort: intstr.FromInt(8080), }) - _, err = f.KubeClientSet. + _, err := f.KubeClientSet. CoreV1(). Services(f.Namespace). Update(context.TODO(), svc, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating service") - // wait for update and nginx reload and new endpoint is available - framework.Sleep() - f.WaitForNginxConfiguration( func(cfg string) bool { return strings.Contains(cfg, fmt.Sprintf(`ngx.var.proxy_upstream_name="tcp-%v-%v-80"`, f.Namespace, framework.EchoService)) }) - ip := f.GetNginxIP() - f.HTTPTestClient(). GET("/"). WithURL(fmt.Sprintf("http://%v:8080", ip)). @@ -122,44 +104,25 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { } f.EnsureService(externalService) - // Expose the `external name` port on the `ingress-nginx` service - svc, err := f.KubeClientSet. - CoreV1(). - Services(f.Namespace). - Get(context.TODO(), "nginx-ingress-controller", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining ingress-nginx service") - assert.NotNil(ginkgo.GinkgoT(), svc, "expected a service but none returned") - + // Expose the `external name` port on the `ingress-nginx-controller` service + svc := f.GetService(f.Namespace, "nginx-ingress-controller") svc.Spec.Ports = append(svc.Spec.Ports, corev1.ServicePort{ Name: "dns-svc", Port: 5353, TargetPort: intstr.FromInt(5353), }) - _, err = f.KubeClientSet. + _, err := f.KubeClientSet. CoreV1(). Services(f.Namespace). Update(context.TODO(), svc, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating service") // Update the TCP configmap to link port 5353 to the DNS external name service - config, err := f.KubeClientSet. - CoreV1(). - ConfigMaps(f.Namespace). - Get(context.TODO(), "tcp-services", metav1.GetOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining tcp-services configmap") - assert.NotNil(ginkgo.GinkgoT(), config, "expected a configmap but none returned") - - if config.Data == nil { - config.Data = map[string]string{} + config := f.GetConfigMap(f.Namespace, "tcp-services") + config.Data = map[string]string{ + "5353": fmt.Sprintf("%v/dns-external-name-svc:5353", f.Namespace), } - - config.Data["5353"] = fmt.Sprintf("%v/dns-external-name-svc:5353", f.Namespace) - - _, err = f.KubeClientSet. - CoreV1(). - ConfigMaps(f.Namespace). - Update(context.TODO(), config, metav1.UpdateOptions{}) - assert.Nil(ginkgo.GinkgoT(), err, "unexpected error updating configmap") + f.EnsureConfigMap(config) // Validate that the generated nginx config contains the expected `proxy_upstream_name` value f.WaitForNginxConfiguration( @@ -168,7 +131,6 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { }) // Execute the test. Use the `external name` service to resolve a domain name. - ip := f.GetNginxIP() resolver := net.Resolver{ PreferGo: true, Dial: func(ctx context.Context, network, address string) (net.Conn, error) { @@ -186,21 +148,72 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { } var ips []string - var retryErr error + var errRetry error err = wait.ExponentialBackoff(retry, func() (bool, error) { - ips, retryErr = resolver.LookupHost(context.Background(), "google-public-dns-b.google.com") - if retryErr == nil { + ips, errRetry = resolver.LookupHost(context.Background(), "google-public-dns-b.google.com") + if errRetry == nil { return true, nil } return false, nil }) - + //nolint:staticcheck // TODO: will replace it since wait.ErrWaitTimeout is deprecated if err == wait.ErrWaitTimeout { - err = retryErr + err = errRetry } assert.Nil(ginkgo.GinkgoT(), err, "unexpected error from DNS resolver") assert.Contains(ginkgo.GinkgoT(), ips, "8.8.4.4") }) + + ginkgo.It("should reload after an update in the configuration", func() { + ginkgo.By("setting up a first deployment") + f.NewEchoDeployment(framework.WithDeploymentName("first-service")) + + cm := f.GetConfigMap(f.Namespace, "tcp-services") + cm.Data = map[string]string{ + "8080": fmt.Sprintf("%v/first-service:80", f.Namespace), + } + f.EnsureConfigMap(cm) + + checksumRegex := regexp.MustCompile(`Configuration checksum:\s+(\d+)`) + checksum := "" + + f.WaitForNginxConfiguration( + func(cfg string) bool { + // before returning, extract the current checksum + match := checksumRegex.FindStringSubmatch(cfg) + if len(match) > 0 { + checksum = match[1] + } + + return strings.Contains(cfg, fmt.Sprintf(`ngx.var.proxy_upstream_name="tcp-%v-first-service-80"`, + f.Namespace)) + }) + assert.NotEmpty(ginkgo.GinkgoT(), checksum) + + ginkgo.By("updating the tcp service to a second deployment") + f.NewEchoDeployment(framework.WithDeploymentName("second-service")) + + cm = f.GetConfigMap(f.Namespace, "tcp-services") + cm.Data["8080"] = fmt.Sprintf("%v/second-service:80", f.Namespace) + f.EnsureConfigMap(cm) + + newChecksum := "" + f.WaitForNginxConfiguration( + func(cfg string) bool { + match := checksumRegex.FindStringSubmatch(cfg) + if len(match) > 0 { + newChecksum = match[1] + } + + return strings.Contains(cfg, fmt.Sprintf(`ngx.var.proxy_upstream_name="tcp-%v-second-service-80"`, + f.Namespace)) + }) + assert.NotEqual(ginkgo.GinkgoT(), checksum, newChecksum) + + logs, err := f.NginxLogs() + assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") + assert.Contains(ginkgo.GinkgoT(), logs, "Backend successfully reloaded") + }) }) diff --git a/test/e2e/wait-for-nginx.sh b/test/e2e/wait-for-nginx.sh index 190f71e6d..d2529e348 100755 --- a/test/e2e/wait-for-nginx.sh +++ b/test/e2e/wait-for-nginx.sh @@ -23,6 +23,8 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" export NAMESPACE=$1 export NAMESPACE_OVERLAY=$2 +export IS_CHROOT=$3 +export ENABLE_VALIDATIONS=$4 echo "deploying NGINX Ingress controller in namespace $NAMESPACE" @@ -57,9 +59,10 @@ else # TODO: remove the need to use fullnameOverride fullnameOverride: nginx-ingress controller: + enableAnnotationValidations: ${ENABLE_VALIDATIONS} image: repository: ingress-controller/controller - chroot: true + chroot: ${IS_CHROOT} tag: 1.0.0-dev digest: digestChroot: @@ -100,6 +103,8 @@ controller: hostPath: path: /tmp/coredump +${OTEL_MODULE} + rbac: create: true scope: true diff --git a/test/k6/smoketest.js b/test/k6/smoketest.js index b5ab577a9..8fe9e950a 100644 --- a/test/k6/smoketest.js +++ b/test/k6/smoketest.js @@ -27,7 +27,7 @@ export default function () { const params = { headers: {'host': 'test.ingress-nginx-controller.ga'}, }; - // httpbin.org documents these requests + // httpbun.com documents these requests const req1 = { method: 'GET', url: 'http://test.ingress-nginx-controller.ga/ip', diff --git a/test/test-lua.sh b/test/test-lua.sh index 3b00cf35a..fc60023f8 100755 --- a/test/test-lua.sh +++ b/test/test-lua.sh @@ -25,14 +25,23 @@ set -o pipefail BUSTED_ARGS="-v --pattern=_test" -resty \ - -I ./rootfs/etc/nginx/lua \ - --shdict "configuration_data 5M" \ - --shdict "certificate_data 16M" \ - --shdict "certificate_servers 1M" \ - --shdict "ocsp_response_cache 1M" \ - --shdict "balancer_ewma 1M" \ - --shdict "balancer_ewma_last_touched_at 1M" \ - --shdict "balancer_ewma_locks 512k" \ - --shdict "global_throttle_cache 5M" \ - ./rootfs/etc/nginx/lua/test/run.lua ${BUSTED_ARGS} ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test +SHDICT_ARGS=( + "-I" "./rootfs/etc/nginx/lua" + "--shdict" "configuration_data 5M" + "--shdict" "certificate_data 16M" + "--shdict" "certificate_servers 1M" + "--shdict" "ocsp_response_cache 1M" + "--shdict" "balancer_ewma 1M" + "--shdict" "quota_tracker 1M" + "--shdict" "high_throughput_tracker 1M" + "--shdict" "balancer_ewma_last_touched_at 1M" + "--shdict" "balancer_ewma_locks 512k" + "--shdict" "global_throttle_cache 5M" + "./rootfs/etc/nginx/lua/test/run.lua" +) + +if [ $# -eq 0 ]; then + resty "${SHDICT_ARGS[@]}" ./rootfs/etc/nginx/lua/test/ ./rootfs/etc/nginx/lua/plugins/**/test ${BUSTED_ARGS} +else + resty "${SHDICT_ARGS[@]}" $@ ${BUSTED_ARGS} +fi