DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Remove inline lua script from template

Browse source
This commit is contained in:
Ricardo Katz 2024-08-14 19:07:46 -03:00
parent 8b20427d02
commit 27cbb6ddb2
22 changed files with 256 additions and 155 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
.github/workflows/ci.yaml vendored
View file

@ -71,6 +71,22 @@ jobs:
- 'images/nginx-1.25/**' - 'images/nginx-1.25/**'
docs: docs:
- '**/*.md' - '**/*.md'
lua:
- '**/*.lua'
lua-lint:
runs-on: ubuntu-latest
needs: changes
if: |
(needs.changes.outputs.lua == 'true') || ${{ github.event.workflow_dispatch.run_e2e == 'true' }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Luacheck linter
uses: lunarmodules/luacheck@v1
with:
args: --codes --globals lua_ingress --globals configuration --globals balancer --globals monitor --globals certificate --globals plugins --globals tcp_udp_configuration --globals tcp_udp_balancer --no-max-comment-line-length -q rootfs/etc/nginx/lua/
test-go: test-go:
runs-on: ubuntu-latest runs-on: ubuntu-latest

10
hack/verify-lualint.sh
View file

@ -18,6 +18,14 @@ set -o errexit
set -o nounset set -o nounset
set -o pipefail set -o pipefail
luacheck --codes -q rootfs/etc/nginx/lua/ luacheck --codes --globals lua_ingress \
--globals configuration \
--globals balancer \
--globals monitor \
--globals certificate \
--globals plugins \
--globals tcp_udp_configuration \
--globals tcp_udp_balancer \
--no-max-comment-line-length -q rootfs/etc/nginx/lua/
find rootfs/etc/nginx/lua/ -name "*.lua" -not -path "*/test/*" -exec lj-releng -L -s {} + && echo "lj-releng validation is success!" find rootfs/etc/nginx/lua/ -name "*.lua" -not -path "*/test/*" -exec lj-releng -L -s {} + && echo "lj-releng validation is success!"

2
rootfs/etc/nginx/lua/nginx/ngx_conf_balancer.lua Normal file
View file

@ -0,0 +1,2 @@
local balancer = require("balancer")
balancer.balance()

2
rootfs/etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua Normal file
View file

@ -0,0 +1,2 @@
local tcp_udp_balancer = require("tcp_udp_balancer")
tcp_udp_balancer.balance()

2
rootfs/etc/nginx/lua/nginx/ngx_conf_certificate.lua Normal file
View file

@ -0,0 +1,2 @@
local certificate = require("certificate")
certificate.call()

2
rootfs/etc/nginx/lua/nginx/ngx_conf_configuration.lua Normal file
View file

@ -0,0 +1,2 @@
local configuration = require("configuration")
configuration.call()

2
rootfs/etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua Normal file
View file

@ -0,0 +1,2 @@
local tcp_udp_configuration = require("tcp_udp_configuration")
tcp_udp_configuration.call()

2
rootfs/etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua Normal file
View file

@ -0,0 +1,2 @@
local tcp_udp_balancer = require("tcp_udp_balancer")
tcp_udp_balancer.init_worker()

9
rootfs/etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua Normal file
View file

@ -0,0 +1,9 @@
local configuration = require("configuration")
local backend_data = configuration.get_backends_data()
if not backend_data then
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
return
end
ngx.say("OK")
ngx.exit(ngx.HTTP_OK)

2
rootfs/etc/nginx/lua/nginx/ngx_conf_log.lua Normal file
View file

@ -0,0 +1,2 @@
local monitor = require("monitor")
monitor.call()

14
rootfs/etc/nginx/lua/nginx/ngx_conf_log_block.lua Normal file
View file

@ -0,0 +1,14 @@
local balancer = require("balancer")
local monitor = require("monitor")
local plugins = require("plugins")
local luaconfig = ngx.shared.luaconfig
local enablemetrics = luaconfig:get("enablemetrics")
balancer.log()
if enablemetrics then
monitor.call()
end
plugins.run()

1
rootfs/etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua Normal file
View file

@ -0,0 +1 @@
ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key))

2
rootfs/etc/nginx/lua/nginx/ngx_conf_srv_body_filter.lua Normal file
View file

@ -0,0 +1,2 @@
local plugins = require("plugins")
plugins.run()

4
rootfs/etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua Normal file
View file

@ -0,0 +1,4 @@
local lua_ingress = require("lua_ingress")
local plugins = require("plugins")
lua_ingress.header()
plugins.run()

1
rootfs/etc/nginx/lua/nginx/ngx_not_found.lua Normal file
View file

@ -0,0 +1 @@
ngx.exit(ngx.HTTP_NOT_FOUND)

30
rootfs/etc/nginx/lua/nginx/ngx_srv_redirect.lua Normal file
View file

@ -0,0 +1,30 @@
local request_uri = ngx.var.request_uri
local redirect_to = ngx.arg[1]
local luaconfig = ngx.shared.luaconfig
local use_forwarded_headers = luaconfig:get("use_forwarded_headers")
local listen_https_ports = luaconfig:get("listen_https_ports")
if string.sub(request_uri, -1) == "/" then
request_uri = string.sub(request_uri, 1, -2)
end
local redirectScheme
if use_forwarded_headers then
if not ngx.var.http_x_forwarded_proto then
redirectScheme = ngx.var.scheme
else
redirectScheme = ngx.var.http_x_forwarded_proto
end
else
redirectScheme = ngx.var.scheme
end
if listen_https_ports == '443' then
return string.format("%s://%s%s", redirectScheme, redirect_to, request_uri)
else
return string.format("%s://%s:%s%s", redirectScheme,
redirect_to, listen_https_ports, request_uri)
end

57
rootfs/etc/nginx/lua/ngx_conf_init.lua Normal file
View file

@ -0,0 +1,57 @@
local function initialize_ingress(statusport, enablemetrics, ocsp, ingress)
collectgarbage("collect")
-- init modules
local ok, res
ok, res = pcall(require, "lua_ingress")
if not ok then
error("require failed: " .. tostring(res))
else
lua_ingress = res
lua_ingress.set_config(ingress)
end
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
configuration.prohibited_localhost_port = statusport
end
ok, res = pcall(require, "balancer")
if not ok then
error("require failed: " .. tostring(res))
else
balancer = res
end
if enablemetrics then
ok, res = pcall(require, "monitor")
if not ok then
error("require failed: " .. tostring(res))
else
monitor = res
end
end
ok, res = pcall(require, "certificate")
if not ok then
error("require failed: " .. tostring(res))
else
certificate = res
certificate.is_ocsp_stapling_enabled = ocsp
end
ok, res = pcall(require, "plugins")
if not ok then
error("require failed: " .. tostring(res))
else
plugins = res
end
-- TODO: Re-enable 3rd party plugins
--plugins.init({ {{ range $idx, $plugin := $cfg.Plugins }}{{ if $idx }},{{ end }}{{ $plugin | quote }}{{ end }} })
plugins.init({})
end
return { initialize_ingress = initialize_ingress }

31
rootfs/etc/nginx/lua/ngx_conf_init_stream.lua Normal file
View file

@ -0,0 +1,31 @@
local function initialize_stream(statusport)
collectgarbage("collect")
-- init modules
local ok, res
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
end
ok, res = pcall(require, "tcp_udp_configuration")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_configuration = res
tcp_udp_configuration.prohibited_localhost_port = statusport
end
ok, res = pcall(require, "tcp_udp_balancer")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_balancer = res
end
end
return { initialize_stream = initialize_stream }

14
rootfs/etc/nginx/lua/ngx_conf_init_worker.lua Normal file
View file

@ -0,0 +1,14 @@
local function initialize_worker(enablemetrics, monitorbatchsize)
local lua_ingress = require("lua_ingress")
local balancer = require("balancer")
local plugins = require("plugins")
local monitor = require("monitor")
lua_ingress.init_worker()
balancer.init_worker()
if enablemetrics then
monitor.init_worker(monitorbatchsize)
end
plugins.run()
end
return { initialize_worker = initialize_worker }

202
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -68,59 +68,22 @@ http {
{{ buildLuaSharedDictionaries $cfg $servers }} {{ buildLuaSharedDictionaries $cfg $servers }}
lua_shared_dict luaconfig 5m;
{{/* We need to keep this lua block inline, because init_worker_by_lua_file does not support using arguments */}}
init_by_lua_block { init_by_lua_block {
collectgarbage("collect") local luaconfig = ngx.shared.luaconfig
local ingresscfg = {{ configForLua $all }}
-- init modules luaconfig:set("enablemetrics", {{ $all.EnableMetrics }})
local ok, res luaconfig:set("listen_https_ports", '{{ $all.ListenPorts.HTTPS }}')
luaconfig:set("use_forwarded_headers", {{ $cfg.UseForwardedHeaders }})
ok, res = pcall(require, "lua_ingress") local ngx_conf_init = require('ngx_conf_init')
if not ok then ngx_conf_init.initialize_ingress('{{ .StatusPort }}', {{ $all.EnableMetrics }}, {{ $cfg.EnableOCSP }}, ingresscfg)
error("require failed: " .. tostring(res))
else
lua_ingress = res
lua_ingress.set_config({{ configForLua $all }})
end
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
configuration.prohibited_localhost_port = '{{ .StatusPort }}'
end
ok, res = pcall(require, "balancer")
if not ok then
error("require failed: " .. tostring(res))
else
balancer = res
end
{{ if $all.EnableMetrics }}
ok, res = pcall(require, "monitor")
if not ok then
error("require failed: " .. tostring(res))
else
monitor = res
end
{{ end }}
ok, res = pcall(require, "certificate")
if not ok then
error("require failed: " .. tostring(res))
else
certificate = res
certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }}
end
} }
init_worker_by_lua_block { init_worker_by_lua_block {
lua_ingress.init_worker() local ngx_conf_init_worker = require('ngx_conf_init_worker')
balancer.init_worker() ngx_conf_init_worker.initialize_worker({{ $all.EnableMetrics }}, {{ $all.MonitorMaxBatchSize }})
{{ if $all.EnableMetrics }}
monitor.init_worker({{ $all.MonitorMaxBatchSize }})
{{ end }}
} }
{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}} {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
@ -539,9 +502,7 @@ http {
server 0.0.0.1; # placeholder server 0.0.0.1; # placeholder
balancer_by_lua_block { balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer.lua;
balancer.balance()
}
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }} {{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
keepalive {{ $cfg.UpstreamKeepaliveConnections }}; keepalive {{ $cfg.UpstreamKeepaliveConnections }};
@ -606,9 +567,7 @@ http {
{{ buildHTTPListener $all $redirect.From }} {{ buildHTTPListener $all $redirect.From }}
{{ buildHTTPSListener $all $redirect.From }} {{ buildHTTPSListener $all $redirect.From }}
ssl_certificate_by_lua_block { ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua;
certificate.call()
}
{{ if gt (len $cfg.BlockUserAgents) 0 }} {{ if gt (len $cfg.BlockUserAgents) 0 }}
if ($block_ua) { if ($block_ua) {
@ -621,30 +580,7 @@ http {
} }
{{ end }} {{ end }}
set_by_lua_block $redirect_to { set_by_lua_file $redirect_to /etc/nginx/lua/nginx/ngx_srv_redirect.lua {{ $redirect.To }};
local request_uri = ngx.var.request_uri
if string.sub(request_uri, -1) == "/" then
request_uri = string.sub(request_uri, 1, -2)
end
{{ if $cfg.UseForwardedHeaders }}
local redirectScheme
if not ngx.var.http_x_forwarded_proto then
redirectScheme = ngx.var.scheme
else
redirectScheme = ngx.var.http_x_forwarded_proto
end
{{ else }}
local redirectScheme = ngx.var.scheme
{{ end }}
{{ if ne $all.ListenPorts.HTTPS 443 }}
{{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
return string.format("%s://%s%s%s", redirectScheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri)
{{ else }}
return string.format("%s://%s%s", redirectScheme, "{{ $redirect.To }}", request_uri)
{{ end }}
}
return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to; return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to;
} }
@ -739,17 +675,7 @@ http {
} }
location /is-dynamic-lb-initialized { location /is-dynamic-lb-initialized {
content_by_lua_block { content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua;
local configuration = require("configuration")
local backend_data = configuration.get_backends_data()
if not backend_data then
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
return
end
ngx.say("OK")
ngx.exit(ngx.HTTP_OK)
}
} }
location {{ .StatusPath }} { location {{ .StatusPath }} {
@ -761,15 +687,11 @@ http {
client_body_buffer_size {{ luaConfigurationRequestBodySize $cfg }}; client_body_buffer_size {{ luaConfigurationRequestBodySize $cfg }};
proxy_buffering off; proxy_buffering off;
content_by_lua_block { content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_configuration.lua;
configuration.call()
}
} }
location / { location / {
content_by_lua_block { content_by_lua_file /etc/nginx/lua/nginx/ngx_not_found.lua;
ngx.exit(ngx.HTTP_NOT_FOUND)
}
} }
} }
} }
@ -782,38 +704,11 @@ stream {
{{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }} {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
init_by_lua_block { init_by_lua_block {
collectgarbage("collect") local ngx_conf_init_stream = require('ngx_conf_init_stream')
ngx_conf_init_stream.initialize_stream('{{ .StatusPort }}')
-- init modules
local ok, res
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
end
ok, res = pcall(require, "tcp_udp_configuration")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_configuration = res
tcp_udp_configuration.prohibited_localhost_port = '{{ .StatusPort }}'
end
ok, res = pcall(require, "tcp_udp_balancer")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_balancer = res
end
} }
init_worker_by_lua_block { init_worker_by_lua_file /etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua;
tcp_udp_balancer.init_worker()
}
lua_add_variable $proxy_upstream_name; lua_add_variable $proxy_upstream_name;
@ -835,10 +730,7 @@ stream {
upstream upstream_balancer { upstream upstream_balancer {
server 0.0.0.1:1234; # placeholder server 0.0.0.1:1234; # placeholder
balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua;
balancer_by_lua_block {
tcp_udp_balancer.balance()
}
} }
server { server {
@ -846,9 +738,7 @@ stream {
access_log off; access_log off;
content_by_lua_block { content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua;
tcp_udp_configuration.call()
}
} }
# TCP services # TCP services
@ -948,11 +838,9 @@ stream {
rewrite (.*) / break; rewrite (.*) / break;
proxy_pass http://upstream_balancer; proxy_pass http://upstream_balancer;
log_by_lua_block { {{ if $enableMetrics }}
{{ if $enableMetrics }} log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log.lua;
monitor.call() {{ end }}
{{ end }}
}
} }
{{ end }} {{ end }}
{{ end }} {{ end }}
@ -1012,9 +900,7 @@ stream {
ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }}; ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }};
{{ end }} {{ end }}
ssl_certificate_by_lua_block { ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua;
certificate.call()
}
{{ if not (empty $server.AuthTLSError) }} {{ if not (empty $server.AuthTLSError) }}
# {{ $server.AuthTLSError }} # {{ $server.AuthTLSError }}
@ -1115,9 +1001,7 @@ stream {
set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}'; set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}';
set $cache_key ''; set $cache_key '';
rewrite_by_lua_block { rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua;
ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key))
}
proxy_cache auth_cache; proxy_cache auth_cache;
@ -1255,12 +1139,9 @@ stream {
balancer.rewrite() balancer.rewrite()
} }
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any header_filter_by_lua_file /etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua;
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
# other authentication method such as basic auth or external auth useless - all requests will be allowed.
#access_by_lua_block {
#}
<<<<<<< HEAD
header_filter_by_lua_block { header_filter_by_lua_block {
lua_ingress.header() lua_ingress.header()
} }
@ -1271,6 +1152,29 @@ stream {
monitor.call() monitor.call()
{{ end }} {{ end }}
} }
||||||| parent of b65dae6b8 (Remove inline lua script from template)
header_filter_by_lua_block {
lua_ingress.header()
plugins.run()
}
body_filter_by_lua_block {
plugins.run()
}
log_by_lua_block {
balancer.log()
{{ if $all.EnableMetrics }}
monitor.call()
{{ end }}
plugins.run()
}
=======
body_filter_by_lua_file /etc/nginx/lua/nginx/ngx_conf_srv_body_filter.lua;
log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log_block.lua;
>>>>>>> b65dae6b8 (Remove inline lua script from template)
{{ if not $location.Logs.Access }} {{ if not $location.Logs.Access }}
access_log off; access_log off;

2
test/e2e/lua/dynamic_configuration.go
View file

@ -48,7 +48,7 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() {
ginkgo.It("configures balancer Lua middleware correctly", func() { ginkgo.It("configures balancer Lua middleware correctly", func() {
f.WaitForNginxConfiguration(func(cfg string) bool { f.WaitForNginxConfiguration(func(cfg string) bool {
return strings.Contains(cfg, "balancer.init_worker()") && strings.Contains(cfg, "balancer.balance()") return strings.Contains(cfg, "balancer.init_worker()") && strings.Contains(cfg, "balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer.lua")
}) })
host := "foo.com" host := "foo.com"

4
test/e2e/settings/ocsp/ocsp.go
View file

@ -107,10 +107,6 @@ var _ = framework.DescribeSetting("OCSP", func() {
err = framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, "ocspserve", f.Namespace, 1) err = framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, "ocspserve", f.Namespace, 1)
assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready") assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready")
f.WaitForNginxConfiguration(func(cfg string) bool {
return strings.Contains(cfg, "certificate.is_ocsp_stapling_enabled = true")
})
f.WaitForNginxServer(host, f.WaitForNginxServer(host,
func(server string) bool { func(server string) bool {
return strings.Contains(server, fmt.Sprintf(`server_name %v`, host)) return strings.Contains(server, fmt.Sprintf(`server_name %v`, host))