Merge pull request #3197 from aledbf/remove-tcp-udp

Remove support for TCP and UDP services
2018-10-08 07:19:39 -07:00 · 2018-10-08 07:19:39 -07:00 · 3cf00b2fd8
commit 3cf00b2fd8
parent 182767b06b f3625e24f3
10 changed files with 27 additions and 308 deletions
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@ -65,19 +65,6 @@ Takes the form "namespace/name". When used together with update-status, the
 controller mirrors the address of this service's endpoints to the load-balancer
 status of all Ingress objects it satisfies.`)

-		tcpConfigMapName = flags.String("tcp-services-configmap", "",
-			`Name of the ConfigMap containing the definition of the TCP services to expose.
-The key in the map indicates the external port to be used. The value is a
-reference to a Service in the form "namespace/name:port", where "port" can
-either be a port number or name. TCP ports 80 and 443 are reserved by the
-controller for servicing HTTP traffic.`)
-
-		udpConfigMapName = flags.String("udp-services-configmap", "",
-			`Name of the ConfigMap containing the definition of the UDP services to expose.
-The key in the map indicates the external port to be used. The value is a
-reference to a Service in the form "namespace/name:port", where "port" can
-either be a port name or number.`)
-
 		resyncPeriod = flags.Duration("sync-period", 0,
 			`Period at which the controller forces the repopulation of its local object stores. Disabled by default.`)

@ -240,8 +227,6 @@ dynamic certificates functionality is enabled. Please check the flags --enable-s
 		DefaultService:              *defaultSvc,
 		Namespace:                   *watchNamespace,
 		ConfigMapName:               *configMap,
-		TCPConfigMapName:            *tcpConfigMapName,
-		UDPConfigMapName:            *udpConfigMapName,
 		DefaultSSLCertificate:       *defSSLCertificate,
 		DefaultHealthzURL:           *defHealthzURL,
 		PublishService:              *publishSvc,
--- a/internal/ingress/controller/config/config.go
+++ b/internal/ingress/controller/config/config.go
@ -692,8 +692,6 @@ type TemplateConfig struct {
 	Backends                    []*ingress.Backend
 	PassthroughBackends         []*ingress.SSLPassthroughBackend
 	Servers                     []*ingress.Server
-	TCPBackends                 []ingress.L4Service
-	UDPBackends                 []ingress.L4Service
 	HealthzURI                  string
 	CustomErrors                bool
 	Cfg                         Configuration
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@ -21,7 +21,6 @@ import (
 	"math/rand"
 	"sort"
 	"strconv"
-	"strings"
 	"time"

 	"github.com/golang/glog"
@ -61,11 +60,6 @@ type Configuration struct {

 	ForceNamespaceIsolation bool

-	// +optional
-	TCPConfigMapName string
-	// +optional
-	UDPConfigMapName string
-
 	DefaultHealthzURL     string
 	DefaultSSLCertificate string

@ -160,8 +154,6 @@ func (n *NGINXController) syncIngress(interface{}) error {
 	pcfg := &ingress.Configuration{
 		Backends:              upstreams,
 		Servers:               servers,
-		TCPEndpoints:          n.getStreamServices(n.cfg.TCPConfigMapName, apiv1.ProtocolTCP),
-		UDPEndpoints:          n.getStreamServices(n.cfg.UDPConfigMapName, apiv1.ProtocolUDP),
 		PassthroughBackends:   passUpstreams,
 		BackendConfigChecksum: n.store.GetBackendConfiguration().Checksum,
 	}
@ -225,136 +217,6 @@ func (n *NGINXController) syncIngress(interface{}) error {
 	return nil
 }

-func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Protocol) []ingress.L4Service {
-	if configmapName == "" {
-		return []ingress.L4Service{}
-	}
-	glog.V(3).Infof("Obtaining information about %v stream services from ConfigMap %q", proto, configmapName)
-
-	_, _, err := k8s.ParseNameNS(configmapName)
-	if err != nil {
-		glog.Errorf("Error parsing ConfigMap reference %q: %v", configmapName, err)
-		return []ingress.L4Service{}
-	}
-
-	configmap, err := n.store.GetConfigMap(configmapName)
-	if err != nil {
-		glog.Errorf("Error getting ConfigMap %q: %v", configmapName, err)
-		return []ingress.L4Service{}
-	}
-
-	var svcs []ingress.L4Service
-	var svcProxyProtocol ingress.ProxyProtocol
-
-	rp := []int{
-		n.cfg.ListenPorts.HTTP,
-		n.cfg.ListenPorts.HTTPS,
-		n.cfg.ListenPorts.SSLProxy,
-		n.cfg.ListenPorts.Status,
-		n.cfg.ListenPorts.Health,
-		n.cfg.ListenPorts.Default,
-	}
-	reserverdPorts := sets.NewInt(rp...)
-
-	// svcRef format: <(str)namespace>/<(str)service>:<(intstr)port>[:<("PROXY")decode>:<("PROXY")encode>]
-	for port, svcRef := range configmap.Data {
-		externalPort, err := strconv.Atoi(port)
-		if err != nil {
-			glog.Warningf("%q is not a valid %v port number", port, proto)
-			continue
-		}
-
-		if reserverdPorts.Has(externalPort) {
-			glog.Warningf("Port %d cannot be used for %v stream services. It is reserved for the Ingress controller.", externalPort, proto)
-			continue
-		}
-
-		nsSvcPort := strings.Split(svcRef, ":")
-		if len(nsSvcPort) < 2 {
-			glog.Warningf("Invalid Service reference %q for %v port %d", svcRef, proto, externalPort)
-			continue
-		}
-
-		nsName := nsSvcPort[0]
-		svcPort := nsSvcPort[1]
-		svcProxyProtocol.Decode = false
-		svcProxyProtocol.Encode = false
-
-		// Proxy Protocol is only compatible with TCP Services
-		if len(nsSvcPort) >= 3 && proto == apiv1.ProtocolTCP {
-			if len(nsSvcPort) >= 3 && strings.ToUpper(nsSvcPort[2]) == "PROXY" {
-				svcProxyProtocol.Decode = true
-			}
-			if len(nsSvcPort) == 4 && strings.ToUpper(nsSvcPort[3]) == "PROXY" {
-				svcProxyProtocol.Encode = true
-			}
-		}
-
-		svcNs, svcName, err := k8s.ParseNameNS(nsName)
-		if err != nil {
-			glog.Warningf("%v", err)
-			continue
-		}
-
-		svc, err := n.store.GetService(nsName)
-		if err != nil {
-			glog.Warningf("Error getting Service %q: %v", nsName, err)
-			continue
-		}
-
-		var endps []ingress.Endpoint
-		targetPort, err := strconv.Atoi(svcPort)
-		if err != nil {
-			// not a port number, fall back to using port name
-			glog.V(3).Infof("Searching Endpoints with %v port name %q for Service %q", proto, svcPort, nsName)
-			for _, sp := range svc.Spec.Ports {
-				if sp.Name == svcPort {
-					if sp.Protocol == proto {
-						endps = getEndpoints(svc, &sp, proto, &healthcheck.Config{}, n.store.GetServiceEndpoints)
-						break
-					}
-				}
-			}
-		} else {
-			glog.V(3).Infof("Searching Endpoints with %v port number %d for Service %q", proto, targetPort, nsName)
-			for _, sp := range svc.Spec.Ports {
-				if sp.Port == int32(targetPort) {
-					if sp.Protocol == proto {
-						endps = getEndpoints(svc, &sp, proto, &healthcheck.Config{}, n.store.GetServiceEndpoints)
-						break
-					}
-				}
-			}
-		}
-
-		// stream services cannot contain empty upstreams and there is
-		// no default backend equivalent
-		if len(endps) == 0 {
-			glog.Warningf("Service %q does not have any active Endpoint for %v port %v", nsName, proto, svcPort)
-			continue
-		}
-
-		svcs = append(svcs, ingress.L4Service{
-			Port: externalPort,
-			Backend: ingress.L4Backend{
-				Name:          svcName,
-				Namespace:     svcNs,
-				Port:          intstr.FromString(svcPort),
-				Protocol:      proto,
-				ProxyProtocol: svcProxyProtocol,
-			},
-			Endpoints: endps,
-		})
-	}
-
-	// Keep upstream order sorted to reduce unnecessary nginx config reloads.
-	sort.SliceStable(svcs, func(i, j int) bool {
-		return svcs[i].Port < svcs[j].Port
-	})
-
-	return svcs
-}
-
 // getDefaultUpstream returns the upstream associated with the default backend.
 // Configures the upstream to return HTTP code 503 in case of error.
 func (n *NGINXController) getDefaultUpstream() *ingress.Backend {
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@ -112,8 +112,6 @@ func NewNGINXController(config *Configuration, mc metric.Collector, fs file.File
 		config.EnableSSLChainCompletion,
 		config.Namespace,
 		config.ConfigMapName,
-		config.TCPConfigMapName,
-		config.UDPConfigMapName,
 		config.DefaultSSLCertificate,
 		config.ResyncPeriod,
 		config.Client,
@ -580,8 +578,6 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 		Backends:                    ingressCfg.Backends,
 		PassthroughBackends:         ingressCfg.PassthroughBackends,
 		Servers:                     ingressCfg.Servers,
-		TCPBackends:                 ingressCfg.TCPEndpoints,
-		UDPBackends:                 ingressCfg.UDPEndpoints,
 		HealthzURI:                  ngxHealthPath,
 		CustomErrors:                len(cfg.CustomHTTPErrors) > 0,
 		Cfg:                         cfg,
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@ -218,7 +218,7 @@ type k8sStore struct {

 // New creates a new object store to be used in the ingress controller
 func New(checkOCSP bool,
-	namespace, configmap, tcp, udp, defaultSSLCertificate string,
+	namespace, configmap, defaultSSLCertificate string,
 	resyncPeriod time.Duration,
 	client clientset.Interface,
 	fs file.Filesystem,
@ -473,7 +473,7 @@ func New(checkOCSP bool,
 			cm := obj.(*corev1.ConfigMap)
 			key := k8s.MetaNamespaceKey(cm)
 			// updates to configuration configmaps can trigger an update
-			if key == configmap || key == tcp || key == udp {
+			if key == configmap {
 				recorder.Eventf(cm, corev1.EventTypeNormal, "CREATE", fmt.Sprintf("ConfigMap %v", key))
 				if key == configmap {
 					store.setConfig(cm)
@ -489,7 +489,7 @@ func New(checkOCSP bool,
 				cm := cur.(*corev1.ConfigMap)
 				key := k8s.MetaNamespaceKey(cm)
 				// updates to configuration configmaps can trigger an update
-				if key == configmap || key == tcp || key == udp {
+				if key == configmap {
 					recorder.Eventf(cm, corev1.EventTypeNormal, "UPDATE", fmt.Sprintf("ConfigMap %v", key))
 					if key == configmap {
 						store.setConfig(cm)
--- a/internal/ingress/controller/store/store_test.go
+++ b/internal/ingress/controller/store/store_test.go
@ -32,6 +32,7 @@ import (

 	"encoding/base64"
 	"io/ioutil"
+
 	"k8s.io/api/core/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
@ -62,8 +63,6 @@ func TestStore(t *testing.T) {
 		storer := New(true,
 			ns,
 			fmt.Sprintf("%v/config", ns),
-			fmt.Sprintf("%v/tcp", ns),
-			fmt.Sprintf("%v/udp", ns),
 			"",
 			10*time.Minute,
 			clientSet,
@ -150,8 +149,6 @@ func TestStore(t *testing.T) {
 		storer := New(true,
 			ns,
 			fmt.Sprintf("%v/config", ns),
-			fmt.Sprintf("%v/tcp", ns),
-			fmt.Sprintf("%v/udp", ns),
 			"",
 			10*time.Minute,
 			clientSet,
@ -298,8 +295,6 @@ func TestStore(t *testing.T) {
 		storer := New(true,
 			ns,
 			fmt.Sprintf("%v/config", ns),
-			fmt.Sprintf("%v/tcp", ns),
-			fmt.Sprintf("%v/udp", ns),
 			"",
 			10*time.Minute,
 			clientSet,
@ -387,8 +382,6 @@ func TestStore(t *testing.T) {
 		storer := New(true,
 			ns,
 			fmt.Sprintf("%v/config", ns),
-			fmt.Sprintf("%v/tcp", ns),
-			fmt.Sprintf("%v/udp", ns),
 			"",
 			10*time.Minute,
 			clientSet,
@ -499,8 +492,6 @@ func TestStore(t *testing.T) {
 		storer := New(true,
 			ns,
 			fmt.Sprintf("%v/config", ns),
-			fmt.Sprintf("%v/tcp", ns),
-			fmt.Sprintf("%v/udp", ns),
 			"",
 			10*time.Minute,
 			clientSet,
--- a/internal/ingress/types.go
+++ b/internal/ingress/types.go
@ -53,12 +53,6 @@ type Configuration struct {
 	Backends []*Backend `json:"backends,omitempty"`
 	// Servers
 	Servers []*Server `json:"servers,omitempty"`
-	// TCPEndpoints contain endpoints for tcp streams handled by this backend
-	// +optional
-	TCPEndpoints []L4Service `json:"tcpEndpoints,omitempty"`
-	// UDPEndpoints contain endpoints for udp streams handled by this backend
-	// +optional
-	UDPEndpoints []L4Service `json:"udpEndpoints,omitempty"`
 	// PassthroughBackend contains the backends used for SSL passthrough.
 	// It contains information about the associated Server Name Indication (SNI).
 	// +optional
--- a/internal/ingress/types_equals.go
+++ b/internal/ingress/types_equals.go
@ -53,44 +53,6 @@ func (c1 *Configuration) Equal(c2 *Configuration) bool {
 		}
 	}

-	if len(c1.TCPEndpoints) != len(c2.TCPEndpoints) {
-		return false
-	}
-
-	for _, tcp1 := range c1.TCPEndpoints {
-		found := false
-		for _, tcp2 := range c2.TCPEndpoints {
-			if (&tcp1).Equal(&tcp2) {
-				found = true
-				break
-			}
-		}
-		if !found {
-			return false
-		}
-	}
-
-	if len(c1.UDPEndpoints) != len(c2.UDPEndpoints) {
-		return false
-	}
-
-	for _, udp1 := range c1.UDPEndpoints {
-		found := false
-		for _, udp2 := range c2.UDPEndpoints {
-			if (&udp1).Equal(&udp2) {
-				found = true
-				break
-			}
-		}
-		if !found {
-			return false
-		}
-	}
-
-	if len(c1.PassthroughBackends) != len(c2.PassthroughBackends) {
-		return false
-	}
-
 	for _, ptb1 := range c1.PassthroughBackends {
 		found := false
 		for _, ptb2 := range c2.PassthroughBackends {
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -697,63 +697,6 @@ stream {
    {{ end }}

    error_log  {{ $cfg.ErrorLogPath }};
-
-    # TCP services
-    {{ range $tcpServer := .TCPBackends }}
-    upstream tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }} {
-    {{ range $endpoint := $tcpServer.Endpoints }}
-        server                  {{ $endpoint.Address | formatIP }}:{{ $endpoint.Port }};
-    {{ end }}
-    }
-    server {
-        {{ range $address := $all.Cfg.BindAddressIpv4 }}
-        listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-        {{ else }}
-        listen                  {{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-        {{ end }}
-        {{ if $IsIPV6Enabled }}
-        {{ range $address := $all.Cfg.BindAddressIpv6 }}
-        listen                  {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-        {{ else }}
-        listen                  [::]:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
-        {{ end }}
-        {{ end }}
-        proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
-        proxy_pass              tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }};
-        {{ if $tcpServer.Backend.ProxyProtocol.Encode }}
-        proxy_protocol          on;
-        {{ end }}
-    }
-
-    {{ end }}
-
-    # UDP services
-    {{ range $udpServer := .UDPBackends }}
-    upstream udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }} {
-    {{ range $endpoint := $udpServer.Endpoints }}
-        server                  {{ $endpoint.Address | formatIP }}:{{ $endpoint.Port }};
-    {{ end }}
-    }
-
-    server {
-        {{ range $address := $all.Cfg.BindAddressIpv4 }}
-        listen                  {{ $address }}:{{ $udpServer.Port }} udp;
-        {{ else }}
-        listen                  {{ $udpServer.Port }} udp;
-        {{ end }}
-        {{ if $IsIPV6Enabled }}
-        {{ range $address := $all.Cfg.BindAddressIpv6 }}
-        listen                  {{ $address }}:{{ $udpServer.Port }} udp;
-        {{ else }}
-        listen                  [::]:{{ $udpServer.Port }} udp;
-        {{ end }}
-        {{ end }}
-        proxy_responses         {{ $cfg.ProxyStreamResponses }};
-        proxy_timeout           {{ $cfg.ProxyStreamTimeout }};
-        proxy_pass              udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }};
-    }
-
-    {{ end }}
 }

 {{/* definition of templates to avoid repetitions */}}
--- a/test/manifests/ingress-controller/mandatory.yaml
+++ b/test/manifests/ingress-controller/mandatory.yaml
@ -1,5 +1,3 @@
---
-
 kind: ConfigMap
 apiVersion: v1
 metadata:
@ -8,7 +6,6 @@ metadata:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 ---
-
 kind: ConfigMap
 apiVersion: v1
 metadata:
@ -17,7 +14,6 @@ metadata:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 ---
-
 kind: ConfigMap
 apiVersion: v1
 metadata:
@ -26,7 +22,6 @@ metadata:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 ---
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@ -35,7 +30,6 @@ metadata:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
@ -80,10 +74,10 @@ rules:
  - apiGroups:
      - ""
    resources:
-        - events
+      - events
    verbs:
-        - create
-        - patch
+      - create
+      - patch
  - apiGroups:
      - "extensions"
    resources:
@ -92,7 +86,6 @@ rules:
      - update

 ---
-
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
@ -137,7 +130,6 @@ rules:
      - get

 ---
-
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
@ -155,7 +147,6 @@ subjects:
    namespace: ${NAMESPACE}

 ---
-
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@ -171,9 +162,8 @@ subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ${NAMESPACE}
-    
---

+---
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@ -193,39 +183,37 @@ spec:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
-        prometheus.io/port: '10254'
-        prometheus.io/scrape: 'true'
+        prometheus.io/port: "10254"
+        prometheus.io/scrape: "true"
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: nginx-ingress-serviceaccount
      initContainers:
-      - name: enable-coredump
-        image: busybox
-        command:
-        - /bin/sh
-        - -c
-        - |
-          ulimit -c unlimited
-          echo "/tmp/core.%e.%p" > /proc/sys/kernel/core_pattern
-          sysctl -w fs.suid_dumpable=2
-        securityContext:
-          privileged: true
+        - name: enable-coredump
+          image: busybox
+          command:
+            - /bin/sh
+            - -c
+            - |
+              ulimit -c unlimited
+              echo "/tmp/core.%e.%p" > /proc/sys/kernel/core_pattern
+              sysctl -w fs.suid_dumpable=2
+          securityContext:
+            privileged: true
      containers:
        - name: nginx-ingress-controller
          image: ingress-controller/nginx-ingress-controller:dev
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
-            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
-            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
            - --watch-namespace=${NAMESPACE}
          securityContext:
            capabilities:
-                drop:
+              drop:
                - ALL
-                add:
+              add:
                - NET_BIND_SERVICE
            # www-data -> 33
            runAsUser: 33
@ -239,10 +227,10 @@ spec:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
-          - name: http
-            containerPort: 80
-          - name: https
-            containerPort: 443
+            - name: http
+              containerPort: 80
+            - name: https
+              containerPort: 443
          livenessProbe:
            failureThreshold: 3
            httpGet: