Merge pull request #3198 from aledbf/only-dynamic

Only support dynamic configuration
k8s-ci-robot 2018-10-10 05:07:34 -07:00 committed by GitHub
commit 3edf11b85f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 134 additions and 328 deletions


@ -20,7 +20,6 @@ import (
"flag"
"fmt"
"os"
"runtime"
"github.com/golang/glog"
"github.com/spf13/pflag"
@ -130,10 +129,6 @@ extension for this to succeed.`)
`Customized address to set as the load-balancer status of Ingress objects this controller satisfies.
Requires the update-status parameter.`)
dynamicConfigurationEnabled = flags.Bool("enable-dynamic-configuration", true,
`Dynamically refresh backends on topology changes instead of reloading NGINX.
Feature backed by OpenResty Lua libraries.`)
dynamicCertificatesEnabled = flags.Bool("enable-dynamic-certificates", false,
`Dynamically update SSL certificates instead of reloading NGINX.
Feature backed by OpenResty Lua libraries. Requires that OCSP stapling is not enabled`)
@ -200,7 +195,7 @@ Feature backed by OpenResty Lua libraries. Requires that OCSP stapling is not en
glog.Warningf("SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)")
}
if (*enableSSLChainCompletion || !*dynamicConfigurationEnabled) && *dynamicCertificatesEnabled {
if *enableSSLChainCompletion && *dynamicCertificatesEnabled {
return false, nil, fmt.Errorf(`SSL certificate chain completion cannot be enabled and dynamic configuration cannot be disabled when
dynamic certificates functionality is enabled. Please check the flags --enable-ssl-chain-completion and --enable-dynamic-configuration`)
}
@ -209,16 +204,6 @@ dynamic certificates functionality is enabled. Please check the flags --enable-s
return false, nil, fmt.Errorf("Flags --publish-service and --publish-status-address are mutually exclusive")
}
// LuaJIT is not available on arch s390x and ppc64le
disableLua := false
if runtime.GOARCH == "s390x" || runtime.GOARCH == "ppc64le" {
disableLua = true
if *dynamicConfigurationEnabled {
*dynamicConfigurationEnabled = false
glog.Warningf("LuaJIT is not available on s390x and ppc64le architectures: disabling dynamic configuration feature.")
}
}
config := &controller.Configuration{
APIServerHost: *apiserverHost,
KubeConfigFile: *kubeConfigFile,
@ -240,8 +225,6 @@ dynamic certificates functionality is enabled. Please check the flags --enable-s
SortBackends: *sortBackends,
UseNodeInternalIP: *useNodeInternalIP,
SyncRateLimit: *syncRateLimit,
DynamicConfigurationEnabled: *dynamicConfigurationEnabled,
DisableLua: disableLua,
DynamicCertificatesEnabled: *dynamicCertificatesEnabled,
ListenPorts: &ngx_config.ListenPorts{
Default: *defServerPort,
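Review bot: The error returned under `if *enableSSLChainCompletion && *dynamicCertificatesEnabled` still says that dynamic configuration cannot be disabled and points the operator at `--enable-dynamic-configuration`, a flag whose definition this commit removes in the second hunk. The message should describe only the remaining conflict, for example `return false, nil, fmt.Errorf("SSL certificate chain completion cannot be enabled when dynamic certificates functionality is enabled. Please check the flag --enable-ssl-chain-completion")`. Because the flag is no longer registered, deployments that still pass `--enable-dynamic-configuration=...` will presumably be rejected at flag parsing, which deserves a release note. The enclosing function starts and ends outside these hunks.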


@ -44,8 +44,7 @@ func (n *NGINXController) Check(_ *http.Request) error {
return fmt.Errorf("ingress controller is not healthy")
}
if n.cfg.DynamicConfigurationEnabled {
res, err := http.Get(fmt.Sprintf("http://127.0.0.1:%v/is-dynamic-lb-initialized", n.cfg.ListenPorts.Status))
res, err = http.Get(fmt.Sprintf("http://127.0.0.1:%v/is-dynamic-lb-initialized", n.cfg.ListenPorts.Status))
if err != nil {
return err
}
@ -53,7 +52,6 @@ func (n *NGINXController) Check(_ *http.Request) error {
if res.StatusCode != 200 {
return fmt.Errorf("dynamic load balancer not started")
}
}
// check the nginx master process is running
fs, err := proc.NewFS("/proc")
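Review bot: The probe request `res, err = http.Get(...)` in Check goes through the default HTTP client, which has no timeout, and after this change it runs on every health check instead of only when dynamic configuration is enabled. A stalled status listener would then hang the health endpoint rather than fail it; a bounded client keeps the check predictable, e.g. `client := http.Client{Timeout: probeTimeout}` followed by `res, err = client.Get(...)`, where `probeTimeout` is a value you choose below the kubelet probe timeout. The lines between the error check and the status-code test are outside the hunk, so confirm there that `res.Body` is closed on every path.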


@ -702,9 +702,7 @@ type TemplateConfig struct {
RedirectServers map[string]string
ListenPorts *ListenPorts
PublishService *apiv1.Service
DynamicConfigurationEnabled bool
DynamicCertificatesEnabled bool
DisableLua bool
}
// ListenPorts describe the ports required to run the


@ -86,10 +86,6 @@ type Configuration struct {
SyncRateLimit float32
DynamicConfigurationEnabled bool
DisableLua bool
DynamicCertificatesEnabled bool
}
@ -162,9 +158,7 @@ func (n *NGINXController) syncIngress(interface{}) error {
return nil
}
if n.cfg.DynamicConfigurationEnabled && n.IsDynamicConfigurationEnough(pcfg) {
glog.Infof("Changes handled by the dynamic configuration, skipping backend reload.")
} else {
if !n.IsDynamicConfigurationEnough(pcfg) {
glog.Infof("Configuration changes detected, backend reload required.")
hash, _ := hashstructure.Hash(pcfg, &hashstructure.HashOptions{
@ -189,7 +183,6 @@ func (n *NGINXController) syncIngress(interface{}) error {
n.metricCollector.SetSSLExpireTime(servers)
}
if n.cfg.DynamicConfigurationEnabled {
isFirstSync := n.runningConfig.Equal(&ingress.Configuration{})
go func(isFirstSync bool) {
if isFirstSync {
@ -205,7 +198,6 @@ func (n *NGINXController) syncIngress(interface{}) error {
glog.Warningf("Dynamic reconfiguration failed: %v", err)
}
}(isFirstSync)
}
ri := getRemovedIngresses(n.runningConfig, pcfg)
re := getRemovedHosts(n.runningConfig, pcfg)
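Review bot: With the `n.cfg.DynamicConfigurationEnabled` guard gone, the goroutine started by `go func(isFirstSync bool)` is the only path that delivers endpoint changes whenever `IsDynamicConfigurationEnough` returns true, yet its failure is still reported only through `glog.Warningf("Dynamic reconfiguration failed: %v", err)`. As far as these hunks show, nothing else signals that NGINX may keep routing to backends that no longer exist, so the failure path should be documented and ideally surfaced as a metric or retried. Suggested comment above the warning: `// When no reload was triggered this is the only update path: on failure the Lua balancer keeps its previous backends until a later sync succeeds.` The bodies of syncIngress and of the goroutine continue outside the hunks.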


@ -588,9 +588,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
IsSSLPassthroughEnabled: n.cfg.EnableSSLPassthrough,
ListenPorts: n.cfg.ListenPorts,
PublishService: n.GetPublishService(),
DynamicConfigurationEnabled: n.cfg.DynamicConfigurationEnabled,
DynamicCertificatesEnabled: n.cfg.DynamicCertificatesEnabled,
DisableLua: n.cfg.DisableLua,
}
tc.Cfg.Checksum = ingressCfg.ConfigurationChecksum


@ -198,24 +198,20 @@ func shouldConfigureLuaRestyWAF(disableLuaRestyWAF bool, mode string) bool {
return false
}
func buildLuaSharedDictionaries(s interface{}, dynamicConfigurationEnabled bool, disableLuaRestyWAF bool) string {
func buildLuaSharedDictionaries(s interface{}, disableLuaRestyWAF bool) string {
servers, ok := s.([]*ingress.Server)
if !ok {
glog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s)
return ""
}
out := []string{}
if dynamicConfigurationEnabled {
out = append(out,
out := []string{
"lua_shared_dict configuration_data 5M",
"lua_shared_dict certificate_data 16M",
"lua_shared_dict locks 512k",
"lua_shared_dict balancer_ewma 1M",
"lua_shared_dict balancer_ewma_last_touched_at 1M",
"lua_shared_dict sticky_sessions 1M",
)
}
if !disableLuaRestyWAF {
@ -439,7 +435,7 @@ func buildLoadBalancingConfig(b interface{}, fallbackLoadBalancing string) strin
// (specified through the nginx.ingress.kubernetes.io/rewrite-target annotation)
// If the annotation nginx.ingress.kubernetes.io/add-base-url:"true" is specified it will
// add a base tag in the head of the response from the service
func buildProxyPass(host string, b interface{}, loc interface{}, dynamicConfigurationEnabled bool) string {
func buildProxyPass(host string, b interface{}, loc interface{}) string {
backends, ok := b.([]*ingress.Backend)
if !ok {
glog.Errorf("expected an '[]*ingress.Backend' type but %T was returned", b)
@ -473,10 +469,6 @@ func buildProxyPass(host string, b interface{}, loc interface{}, dynamicConfigur
upstreamName := "upstream_balancer"
if !dynamicConfigurationEnabled {
upstreamName = location.Backend
}
for _, backend := range backends {
if backend.Name == location.Backend {
if backend.SSLPassthrough {
@ -487,10 +479,6 @@ func buildProxyPass(host string, b interface{}, loc interface{}, dynamicConfigur
}
}
if !dynamicConfigurationEnabled && isSticky(host, location, backend.SessionAffinity.CookieSessionAffinity.Locations) {
upstreamName = fmt.Sprintf("sticky-%v", upstreamName)
}
break
}
}
@ -724,14 +712,7 @@ func buildDenyVariable(a interface{}) string {
return fmt.Sprintf("$deny_%v", denyPathSlugMap[l])
}
func buildUpstreamName(host string, b interface{}, loc interface{}, dynamicConfigurationEnabled bool) string {
backends, ok := b.([]*ingress.Backend)
if !ok {
glog.Errorf("expected an '[]*ingress.Backend' type but %T was returned", b)
return ""
}
func buildUpstreamName(loc interface{}) string {
location, ok := loc.(*ingress.Location)
if !ok {
glog.Errorf("expected a '*ingress.Location' type but %T was returned", loc)
@ -740,19 +721,6 @@ func buildUpstreamName(host string, b interface{}, loc interface{}, dynamicConfi
upstreamName := location.Backend
if !dynamicConfigurationEnabled {
for _, backend := range backends {
if backend.Name == location.Backend {
if backend.SessionAffinity.AffinityType == "cookie" &&
isSticky(host, location, backend.SessionAffinity.CookieSessionAffinity.Locations) {
upstreamName = fmt.Sprintf("sticky-%v", upstreamName)
}
break
}
}
}
return upstreamName
}
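Review bot: `buildProxyPass` keeps its `host string` parameter, but the only use of `host` visible in these hunks was the removed `isSticky(host, ...)` call, so the argument looks dead now. If nothing outside the hunks reads it, drop it the same way `buildUpstreamName` was trimmed, `func buildProxyPass(b interface{}, loc interface{}) string`, and update the template call to match. The function body continues outside the hunks, so this needs checking against the full file. Separately, the reduced `buildUpstreamName` would benefit from a doc comment such as `// buildUpstreamName returns the backend name of the location; the template stores it in $proxy_upstream_name.`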


@ -48,7 +48,6 @@ var (
BaseURLScheme string
Sticky bool
XForwardedPrefix bool
DynamicConfigurationEnabled bool
SecureBackend bool
enforceRegex bool
}{
@ -56,25 +55,11 @@ var (
"/",
"/",
"/",
"proxy_pass https://upstream-name;",
"proxy_pass https://upstream_balancer;",
false,
"",
false,
false,
false,
true,
false,
},
"when secure backend and stickeness enabled": {
"/",
"/",
"/",
"proxy_pass https://sticky-upstream-name;",
false,
"",
true,
false,
false,
true,
false,
},
@ -88,8 +73,8 @@ var (
false,
false,
true,
true,
false},
false,
},
"when secure backend, stickeness and dynamic config enabled": {
"/",
"/",
@ -100,7 +85,6 @@ var (
true,
false,
true,
true,
false,
},
"invalid redirect / to / with dynamic config enabled": {
@ -112,7 +96,6 @@ var (
"",
false,
false,
true,
false,
false,
},
@ -120,14 +103,13 @@ var (
"/",
"/",
"/",
"proxy_pass http://upstream-name;",
"proxy_pass http://upstream_balancer;",
false,
"",
false,
false,
false,
false,
false,
},
"redirect / to /jenkins": {
"/",
@ -136,14 +118,13 @@ var (
`
rewrite "(?i)/(.*)" /jenkins/$1 break;
rewrite "(?i)/$" /jenkins/ break;
proxy_pass http://upstream-name;
proxy_pass http://upstream_balancer;
`,
false,
"",
false,
false,
false,
false,
true,
},
"redirect /something to /": {
@ -153,14 +134,13 @@ proxy_pass http://upstream-name;
`
rewrite "(?i)/something/(.*)" /$1 break;
rewrite "(?i)/something$" / break;
proxy_pass http://upstream-name;
proxy_pass http://upstream_balancer;
`,
false,
"",
false,
false,
false,
false,
true,
},
"redirect /end-with-slash/ to /not-root": {
@ -170,14 +150,13 @@ proxy_pass http://upstream-name;
`
rewrite "(?i)/end-with-slash/(.*)" /not-root/$1 break;
rewrite "(?i)/end-with-slash/$" /not-root/ break;
proxy_pass http://upstream-name;
proxy_pass http://upstream_balancer;
`,
false,
"",
false,
false,
false,
false,
true,
},
"redirect /something-complex to /not-root": {
@ -187,14 +166,13 @@ proxy_pass http://upstream-name;
`
rewrite "(?i)/something-complex/(.*)" /not-root/$1 break;
rewrite "(?i)/something-complex$" /not-root/ break;
proxy_pass http://upstream-name;
proxy_pass http://upstream_balancer;
`,
false,
"",
false,
false,
false,
false,
true,
},
"redirect / to /jenkins and rewrite": {
@ -204,7 +182,7 @@ proxy_pass http://upstream-name;
`
rewrite "(?i)/(.*)" /jenkins/$1 break;
rewrite "(?i)/$" /jenkins/ break;
proxy_pass http://upstream-name;
proxy_pass http://upstream_balancer;
set_escape_uri $escaped_base_uri $baseuri;
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/$escaped_base_uri">' ro;
@ -214,7 +192,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
false,
false,
false,
false,
true,
},
"redirect /something to / and rewrite": {
@ -224,7 +201,7 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
`
rewrite "(?i)/something/(.*)" /$1 break;
rewrite "(?i)/something$" / break;
proxy_pass http://upstream-name;
proxy_pass http://upstream_balancer;
set_escape_uri $escaped_base_uri $baseuri;
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something/$escaped_base_uri">' ro;
@ -234,7 +211,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
false,
false,
false,
false,
true,
},
"redirect /end-with-slash/ to /not-root and rewrite": {
@ -244,7 +220,7 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
`
rewrite "(?i)/end-with-slash/(.*)" /not-root/$1 break;
rewrite "(?i)/end-with-slash/$" /not-root/ break;
proxy_pass http://upstream-name;
proxy_pass http://upstream_balancer;
set_escape_uri $escaped_base_uri $baseuri;
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/end-with-slash/$escaped_base_uri">' ro;
@ -254,7 +230,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
false,
false,
false,
false,
true,
},
"redirect /something-complex to /not-root and rewrite": {
@ -264,7 +239,7 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
`
rewrite "(?i)/something-complex/(.*)" /not-root/$1 break;
rewrite "(?i)/something-complex$" /not-root/ break;
proxy_pass http://upstream-name;
proxy_pass http://upstream_balancer;
set_escape_uri $escaped_base_uri $baseuri;
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something-complex/$escaped_base_uri">' ro;
@ -274,7 +249,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
false,
false,
false,
false,
true,
},
"redirect /something to / and rewrite with specific scheme": {
@ -284,7 +258,7 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
`
rewrite "(?i)/something/(.*)" /$1 break;
rewrite "(?i)/something$" / break;
proxy_pass http://upstream-name;
proxy_pass http://upstream_balancer;
set_escape_uri $escaped_base_uri $baseuri;
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="http://$http_host/something/$escaped_base_uri">' ro;
@ -294,7 +268,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
false,
false,
false,
false,
true,
},
"redirect / to /something with sticky enabled": {
@ -304,14 +277,13 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
`
rewrite "(?i)/(.*)" /something/$1 break;
rewrite "(?i)/$" /something/ break;
proxy_pass http://sticky-upstream-name;
proxy_pass http://upstream_balancer;
`,
false,
"http",
true,
false,
false,
false,
true,
},
"redirect / to /something with sticky and dynamic config enabled": {
@ -327,7 +299,6 @@ proxy_pass http://upstream_balancer;
"http",
true,
false,
true,
false,
true,
},
@ -339,27 +310,25 @@ proxy_pass http://upstream_balancer;
rewrite "(?i)/there/(.*)" /something/$1 break;
rewrite "(?i)/there$" /something/ break;
proxy_set_header X-Forwarded-Prefix "/there/";
proxy_pass http://sticky-upstream-name;
proxy_pass http://upstream_balancer;
`,
false,
"http",
true,
true,
false,
false,
true,
},
"use ~* location modifier when ingress does not use rewrite/regex target but at least one other ingress does": {
"/something",
"/something",
`~* "^/something"`,
"proxy_pass http://upstream-name;",
"proxy_pass http://upstream_balancer;",
false,
"",
false,
false,
false,
false,
true,
},
}
@ -377,11 +346,7 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
},
}
config := buildLuaSharedDictionaries(servers, false, false)
if config != "" {
t.Errorf("expected to not configure any lua shared dictionary, but generated %s", config)
}
config = buildLuaSharedDictionaries(servers, true, false)
config := buildLuaSharedDictionaries(servers, false)
if !strings.Contains(config, "lua_shared_dict configuration_data") {
t.Errorf("expected to include 'configuration_data' but got %s", config)
}
@ -390,19 +355,10 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
}
servers[1].Locations[0].LuaRestyWAF = luarestywaf.Config{Mode: "ACTIVE"}
config = buildLuaSharedDictionaries(servers, false, false)
config = buildLuaSharedDictionaries(servers, false)
if !strings.Contains(config, "lua_shared_dict waf_storage") {
t.Errorf("expected to configure 'waf_storage', but got %s", config)
}
config = buildLuaSharedDictionaries(servers, true, false)
if !strings.Contains(config, "lua_shared_dict waf_storage") {
t.Errorf("expected to configure 'waf_storage', but got %s", config)
}
config = buildLuaSharedDictionaries(servers, false, true)
if config != "" {
t.Errorf("expected to not configure any lua shared dictionary, but generated %s", config)
}
}
func TestFormatIP(t *testing.T) {
@ -471,7 +427,7 @@ func TestBuildProxyPass(t *testing.T) {
backends := []*ingress.Backend{backend}
pp := buildProxyPass(defaultHost, backends, loc, tc.DynamicConfigurationEnabled)
pp := buildProxyPass(defaultHost, backends, loc)
if !strings.EqualFold(tc.ProxyPass, pp) {
t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, tc.ProxyPass, pp)
}
@ -836,10 +792,6 @@ func TestBuildUpstreamName(t *testing.T) {
expected := defaultBackend
if tc.Sticky {
if !tc.DynamicConfigurationEnabled {
expected = fmt.Sprintf("sticky-" + expected)
}
backend.SessionAffinity = ingress.SessionAffinityConfig{
AffinityType: "cookie",
CookieSessionAffinity: ingress.CookieSessionAffinity{
@ -850,9 +802,7 @@ func TestBuildUpstreamName(t *testing.T) {
}
}
backends := []*ingress.Backend{backend}
pp := buildUpstreamName(defaultHost, backends, loc, tc.DynamicConfigurationEnabled)
pp := buildUpstreamName(loc)
if !strings.EqualFold(expected, pp) {
t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, expected, pp)
}
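Review bot: TestBuildLuaSharedDictionaries no longer exercises `disableLuaRestyWAF=true`: the removed `buildLuaSharedDictionaries(servers, false, true)` call was the only one that set it, and both remaining calls pass `false`. With a location already switched to `Mode: "ACTIVE"`, add the negative check `config = buildLuaSharedDictionaries(servers, true)` followed by `if strings.Contains(config, "lua_shared_dict waf_storage") { t.Errorf("expected 'waf_storage' to be omitted, but got %s", config) }`, assuming the `if !disableLuaRestyWAF` branch is what emits that dictionary. In the table above, the cases whose names end in "dynamic config enabled" now appear to differ from their neighbours only by name and could be merged or renamed.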


@ -46,11 +46,10 @@ events {
}
http {
{{ if not $all.DisableLua }}
lua_package_cpath "/usr/local/lib/lua/?.so;/usr/lib/lua-platform-path/lua/5.1/?.so;;";
lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;/usr/local/lib/lua/?.lua;;";
{{ buildLuaSharedDictionaries $servers $all.DynamicConfigurationEnabled $all.Cfg.DisableLuaRestyWAF }}
{{ buildLuaSharedDictionaries $servers $all.Cfg.DisableLuaRestyWAF }}
init_by_lua_block {
require("resty.core")
@ -59,7 +58,6 @@ http {
local lua_resty_waf = require("resty.waf")
lua_resty_waf.init()
{{ if $all.DynamicConfigurationEnabled }}
-- init modules
local ok, res
@ -77,7 +75,6 @@ http {
else
balancer = res
end
{{ end }}
ok, res = pcall(require, "monitor")
if not ok then
@ -96,13 +93,10 @@ http {
{{ end }}
}
{{ if $all.DynamicConfigurationEnabled }}
init_worker_by_lua_block {
balancer.init_worker()
monitor.init_worker()
}
{{ end }}
{{ end }}
{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
{{/* we use the value of the real IP for the geo_ip module */}}
@ -413,35 +407,6 @@ http {
{{ $cfg.HTTPSnippet }}
{{ end }}
{{ if not $all.DynamicConfigurationEnabled }}
{{ range $upstream := $backends }}
{{ if eq $upstream.SessionAffinity.AffinityType "cookie" }}
upstream sticky-{{ $upstream.Name }} {
sticky hash={{ $upstream.SessionAffinity.CookieSessionAffinity.Hash }} name={{ $upstream.SessionAffinity.CookieSessionAffinity.Name }}{{if eq (len $upstream.SessionAffinity.CookieSessionAffinity.Locations) 1 }}{{ range $locationName, $locationPaths := $upstream.SessionAffinity.CookieSessionAffinity.Locations }}{{ if eq (len $locationPaths) 1 }} path={{ index $locationPaths 0 }}{{ end }}{{ end }}{{ end }} httponly;
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
{{ end }}
{{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }};
{{ end }}
}
{{ end }}
upstream {{ $upstream.Name }} {
{{ buildLoadBalancingConfig $upstream $cfg.LoadBalanceAlgorithm }}
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
{{ end }}
{{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }};
{{ end }}
}
{{ end }}
{{ end }}
{{ if $all.DynamicConfigurationEnabled }}
upstream upstream_balancer {
server 0.0.0.1; # placeholder
@ -453,7 +418,6 @@ http {
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
{{ end }}
}
{{ end }}
{{/* build the maps that will be use to validate the Whitelist */}}
{{ range $server := $servers }}
@ -625,7 +589,7 @@ http {
access_log off;
return 200;
}
{{ if not $all.DisableLua }}
location /is-dynamic-lb-initialized {
{{ if $cfg.EnableOpentracing }}
opentracing off;
@ -644,7 +608,7 @@ http {
ngx.exit(ngx.HTTP_OK)
}
}
{{ end }}
location /nginx_status {
set $proxy_upstream_name "internal";
{{ if $cfg.EnableOpentracing }}
@ -654,7 +618,7 @@ http {
access_log off;
stub_status on;
}
{{ if $all.DynamicConfigurationEnabled }}
location /configuration {
access_log off;
{{ if $cfg.EnableOpentracing }}
@ -675,18 +639,15 @@ http {
configuration.call()
}
}
{{ end }}
location / {
{{ if .CustomErrors }}
proxy_set_header X-Code 404;
{{ end }}
set $proxy_upstream_name "upstream-default-backend";
proxy_set_header Host $best_http_host;
{{ if $all.DynamicConfigurationEnabled }}
proxy_pass http://upstream_balancer;
{{ else }}
proxy_pass http://upstream-default-backend;
{{ end }}
}
{{ template "CUSTOM_ERRORS" $all }}
@ -707,9 +668,7 @@ stream {
{{/* definition of templates to avoid repetitions */}}
{{ define "CUSTOM_ERRORS" }}
{{ $dynamicConfig := .DynamicConfigurationEnabled}}
{{ $proxySetHeaders := .ProxySetHeaders }}
{{ $isLuaDisabled := .DisableLua }}
{{ range $errCode := .Cfg.CustomHTTPErrors }}
location @custom_{{ $errCode }} {
internal;
@ -729,16 +688,10 @@ stream {
rewrite (.*) / break;
{{ if $dynamicConfig }}
proxy_pass http://upstream_balancer;
{{ else }}
proxy_pass http://upstream-default-backend;
{{ end }}
{{ if not $isLuaDisabled }}
log_by_lua_block {
monitor.call()
}
{{ end }}
}
{{ end }}
{{ end }}
@ -808,7 +761,7 @@ stream {
ssl_stapling_verify on;
{{ end }}
{{ if and (not $all.DisableLua) $all.DynamicCertificatesEnabled}}
{{ if $all.DynamicCertificatesEnabled}}
ssl_certificate_by_lua_block {
certificate.call()
}
@ -857,7 +810,7 @@ stream {
# ngx_auth_request module overrides variables in the parent request,
# therefore we have to explicitly set this variable again so that when the parent request
# resumes it has the correct value set for this variable so that Lua can pick backend correctly
set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location $all.DynamicConfigurationEnabled }}";
set $proxy_upstream_name "{{ buildUpstreamName $location }}";
proxy_pass_request_body off;
proxy_set_header Content-Length "";
@ -925,11 +878,8 @@ stream {
opentracing_propagate_context;
{{ end }}
{{ if not $all.DisableLua }}
rewrite_by_lua_block {
{{ if $all.DynamicConfigurationEnabled}}
balancer.rewrite()
{{ end }}
}
{{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }}
access_by_lua_block {
@ -970,17 +920,14 @@ stream {
local waf = lua_resty_waf:new()
waf:exec()
}
{{ end }}
log_by_lua_block {
{{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }}
local lua_resty_waf = require "resty.waf"
local waf = lua_resty_waf:new()
waf:exec()
{{ end }}
{{ if $all.DynamicConfigurationEnabled}}
balancer.log()
{{ end }}
monitor.call()
}
{{ end }}
@ -1002,7 +949,7 @@ stream {
port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location $all.DynamicConfigurationEnabled }}";
set $proxy_upstream_name "{{ buildUpstreamName $location }}";
{{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
{{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCert.PemFileName)) $location.Rewrite.SSLRedirect)) }}
@ -1182,7 +1129,7 @@ stream {
{{ end }}
{{ if not (empty $location.Backend) }}
{{ buildProxyPass $server.Hostname $all.Backends $location $all.DynamicConfigurationEnabled }}
{{ buildProxyPass $server.Hostname $all.Backends $location }}
{{ if (or (eq $location.Proxy.ProxyRedirectFrom "default") (eq $location.Proxy.ProxyRedirectFrom "off")) }}
proxy_redirect {{ $location.Proxy.ProxyRedirectFrom }};
{{ else if not (eq $location.Proxy.ProxyRedirectTo "off") }}
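Review bot: `location /configuration` and `location /is-dynamic-lb-initialized` are now rendered unconditionally, and `/configuration` ends in `configuration.call()`, which presumably accepts the backend data the controller pushes. The access-control directives of that location fall between the hunks, so confirm against the full template that it only admits loopback clients and is not reachable from other pods through the status port. A template comment above the location would record the requirement: `{{/* /configuration changes live routing data; keep it limited to loopback clients */}}`. The same review applies to every architecture the image is built for, since the removed flags.go comment states that LuaJIT is not available on s390x and ppc64le while the Lua directives are no longer guarded by `DisableLua`.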


@ -16,22 +16,13 @@ limitations under the License.
package annotations
/*
import (
"fmt"
"net/http"
"strings"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/parnurzeal/gorequest"
v1beta1 "k8s.io/api/extensions/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/ingress-nginx/test/e2e/framework"
)
// TODO(elvinefendi) merge this with Affinity tests in test/e2e/lua/dynamic_configuration.go
var _ = framework.IngressNginxDescribe("Annotations - Affinity", func() {
f := framework.NewDefaultFramework("affinity")
@ -196,3 +187,4 @@ var _ = framework.IngressNginxDescribe("Annotations - Affinity", func() {
Expect(resp.Header.Get("Set-Cookie")).Should(ContainSubstring("Path=/;"))
})
})
*/
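Review bot: The whole Affinity suite appears to be disabled by wrapping the file body in `/* ... */`, which drops cookie checks such as `Expect(resp.Header.Get("Set-Cookie")).Should(ContainSubstring("Path=/;"))` from CI and also stops the compiler from checking the code as the framework evolves. Until the merge named in the TODO happens, keeping the file compiled and skipping at run time is safer, for example `BeforeEach(func() { Skip("pending merge into test/e2e/lua/dynamic_configuration.go") })` inside the describe block. If the specs are obsolete rather than pending, deleting them and tracking the gap in an issue is clearer than leaving commented-out code.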


@ -438,19 +438,3 @@ func newSingleIngress(name, path, host, ns, service string, port int, annotation
return ing
}
// DisableDynamicConfiguration disables dynamic configuration
func (f *Framework) DisableDynamicConfiguration() error {
return UpdateDeployment(f.KubeClientSet, f.IngressController.Namespace, "nginx-ingress-controller", 1,
func(deployment *appsv1beta1.Deployment) error {
args := deployment.Spec.Template.Spec.Containers[0].Args
args = append(args, "--enable-dynamic-configuration=false")
deployment.Spec.Template.Spec.Containers[0].Args = args
_, err := f.KubeClientSet.AppsV1beta1().Deployments(f.IngressController.Namespace).Update(deployment)
if err != nil {
return err
}
return nil
})
}


@ -110,7 +110,6 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() {
By("skipping Nginx reload")
Expect(restOfLogs).ToNot(ContainSubstring(logRequireBackendReload))
Expect(restOfLogs).ToNot(ContainSubstring(logBackendReloadSuccess))
Expect(restOfLogs).To(ContainSubstring(logSkipBackendReload))
})
Context("given an ingress with TLS correctly configured", func() {
@ -181,7 +180,6 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() {
By("skipping Nginx reload")
Expect(restOfLogs).ToNot(ContainSubstring(logRequireBackendReload))
Expect(restOfLogs).ToNot(ContainSubstring(logBackendReloadSuccess))
Expect(restOfLogs).To(ContainSubstring(logSkipBackendReload))
})
It("falls back to using default certificate when secret gets deleted without reloading", func() {
@ -217,7 +215,6 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() {
By("skipping Nginx reload")
Expect(restOfLogs).ToNot(ContainSubstring(logRequireBackendReload))
Expect(restOfLogs).ToNot(ContainSubstring(logBackendReloadSuccess))
Expect(restOfLogs).To(ContainSubstring(logSkipBackendReload))
})
It("picks up a non-certificate only change", func() {


@ -39,7 +39,6 @@ const (
logDynamicConfigFailure = "Dynamic reconfiguration failed"
logRequireBackendReload = "Configuration changes detected, backend reload required"
logBackendReloadSuccess = "Backend successfully reloaded"
logSkipBackendReload = "Changes handled by the dynamic configuration, skipping backend reload"
logInitialConfigSync = "Initial synchronization of the NGINX configuration"
waitForLuaSync = 5 * time.Second
)