Added configmap option to disable IPv6 in nginx DNS resolver (#1992)

Luke Jolly 2018-02-02 14:53:28 -05:00 committed by Manuel Alejandro de Brito Fontes
parent ad2238ca94
commit 42076e8ed0
7 changed files with 46 additions and 17 deletions


@ -37,11 +37,12 @@ The following table shows a configuration option's name, type, and the default v
|[client‑header‑timeout](#client-header-timeout)|int|60| |[client‑header‑timeout](#client-header-timeout)|int|60|
|[client‑body‑buffer‑size](#client-body-buffer-size)|string|"8k"| |[client‑body‑buffer‑size](#client-body-buffer-size)|string|"8k"|
|[client‑body‑timeout](#client-body-timeout)|int|60| |[client‑body‑timeout](#client-body-timeout)|int|60|
|[disable‑access‑log](#disable-access-log)|bool|"false"| |[disable‑access‑log](#disable-access-log)|bool|false|
|[disable‑ipv6](#disable-ipv6)|bool|"false"| |[disable‑ipv6](#disable-ipv6)|bool|false|
|[enable‑underscores‑in‑headers](#enable-underscores-in-headers)|bool|"false"| |[disable‑ipv6‑dns](#disable-ipv6-dns)|bool|false|
|[ignore‑invalid‑headers](#ignore-invalid-headers)|bool|"true"| |[enable‑underscores‑in‑headers](#enable-underscores-in-headers)|bool|false|
|[enable‑vts‑status](#enable-vts-status)|bool|"false"| |[ignore‑invalid‑headers](#ignore-invalid-headers)|bool|true|
|[enable‑vts‑status](#enable-vts-status)|bool|false|
|[vts‑status‑zone‑size](#vts-status-zone-size)|string|"10m"| |[vts‑status‑zone‑size](#vts-status-zone-size)|string|"10m"|
|[vts‑default‑filter‑key](#vts-default-filter-key)|string|"$geoip_country_code country::*"| |[vts‑default‑filter‑key](#vts-default-filter-key)|string|"$geoip_country_code country::*"|
|[retry‑non‑idempotent](#retry-non-idempotent)|bool|"false"| |[retry‑non‑idempotent](#retry-non-idempotent)|bool|"false"|
@ -211,6 +212,10 @@ _References:_
Disable listening on IPV6. By default this is disabled. Disable listening on IPV6. By default this is disabled.
## disable-ipv6-dns
Disable IPV6 for nginx DNS reslover. By default this is disabled.
## enable-underscores-in-headers ## enable-underscores-in-headers
Enables underscores in header names. By default this is disabled. Enables underscores in header names. By default this is disabled.
@ -707,4 +712,4 @@ Enables or disables [buffering of responses from the proxied server](http://ngin
## limit-request-status-code ## limit-request-status-code
Sets the [status code to return in response to rejected requests](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status).Default: 503 Sets the [status code to return in response to rejected requests](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status).Default: 503

File diff suppressed because one or more lines are too long


@ -140,6 +140,9 @@ type Configuration struct {
//http://nginx.org/en/docs/http/ngx_http_log_module.html //http://nginx.org/en/docs/http/ngx_http_log_module.html
DisableAccessLog bool `json:"disable-access-log,omitempty"` DisableAccessLog bool `json:"disable-access-log,omitempty"`
// DisableIpv6DNS disables IPv6 for nginx resolver
DisableIpv6DNS bool `json:"disable-ipv6-dns"`
// DisableIpv6 disable listening on ipv6 address // DisableIpv6 disable listening on ipv6 address
DisableIpv6 bool `json:"disable-ipv6,omitempty"` DisableIpv6 bool `json:"disable-ipv6,omitempty"`
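Review bot: The new `DisableIpv6DNS` field's tag omits `omitempty`, while both neighbouring fields (`DisableAccessLog`, `DisableIpv6`) carry it, so the tag should read `json:"disable-ipv6-dns,omitempty"` for consistency. If the struct is serialized anywhere, the new key would otherwise always be emitted, even when false. The field comment could also say that the value is applied to the nginx `resolver` directive as `ipv6=off`, since the name alone does not separate it from `DisableIpv6`, which controls listening. The Configuration struct starts and ends outside this hunk.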


@ -144,6 +144,7 @@ func ReadConfig(src map[string]string) config.Configuration {
to.HideHeaders = hideHeaderslist to.HideHeaders = hideHeaderslist
to.HTTPRedirectCode = redirectCode to.HTTPRedirectCode = redirectCode
to.ProxyStreamResponses = streamResponses to.ProxyStreamResponses = streamResponses
to.DisableIpv6DNS = !ing_net.IsIPv6Enabled()
config := &mapstructure.DecoderConfig{ config := &mapstructure.DecoderConfig{
Metadata: nil, Metadata: nil,
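Review bot: The default assigned by `to.DisableIpv6DNS = !ing_net.IsIPv6Enabled()` depends on the host, but the documentation table and the new `disable-ipv6-dns` section in this commit both give the default as false/disabled. On a node without IPv6 the option would start out true, which contradicts the docs. A comment on the line would record the intent, for example `// default follows host IPv6 support; an explicit disable-ipv6-dns value in the ConfigMap overrides it`, and the docs should state the same. ReadConfig begins and ends outside the hunk, so the override by the later mapstructure decode is presumed here and should be confirmed.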


@ -163,11 +163,16 @@ func formatIP(input string) string {
} }
// buildResolvers returns the resolvers reading the /etc/resolv.conf file // buildResolvers returns the resolvers reading the /etc/resolv.conf file
func buildResolvers(input interface{}) string { func buildResolvers(res interface{}, disableIpv6 interface{}) string {
// NGINX need IPV6 addresses to be surrounded by brackets // NGINX need IPV6 addresses to be surrounded by brackets
nss, ok := input.([]net.IP) nss, ok := res.([]net.IP)
if !ok { if !ok {
glog.Errorf("expected a '[]net.IP' type but %T was returned", input) glog.Errorf("expected a '[]net.IP' type but %T was returned", res)
return ""
}
no6, ok := disableIpv6.(bool)
if !ok {
glog.Errorf("expected a 'bool' type but %T was returned", disableIpv6)
return "" return ""
} }
@ -178,14 +183,21 @@ func buildResolvers(input interface{}) string {
r := []string{"resolver"} r := []string{"resolver"}
for _, ns := range nss { for _, ns := range nss {
if ing_net.IsIPV6(ns) { if ing_net.IsIPV6(ns) {
if no6 {
continue
}
r = append(r, fmt.Sprintf("[%v]", ns)) r = append(r, fmt.Sprintf("[%v]", ns))
} else { } else {
r = append(r, fmt.Sprintf("%v", ns)) r = append(r, fmt.Sprintf("%v", ns))
} }
} }
r = append(r, "valid=30s;") r = append(r, "valid=30s")
return strings.Join(r, " ") if no6 {
r = append(r, "ipv6=off")
}
return strings.Join(r, " ") + ";"
} }
// buildLocation produces the location string, if the ingress has redirects // buildLocation produces the location string, if the ingress has redirects
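Review bot: When `disableIpv6` is true and the resolver list holds only IPv6 addresses, the loop skips every entry and the function returns `resolver valid=30s ipv6=off;`. That directive has no server address, and nginx is expected to reject it when loading the configuration. Any empty-list guard in the lines between the two hunks (not shown here) would run before the filtering and so would not cover this case. After the loop I would add `if len(r) == 1 { return "" }`, preferably with a `glog.Warningf` noting that every resolver was filtered out. The doc comment above the function should also mention the new `disableIpv6` argument.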


@ -28,6 +28,7 @@ import (
"encoding/base64" "encoding/base64"
"fmt" "fmt"
"k8s.io/ingress-nginx/internal/file" "k8s.io/ingress-nginx/internal/file"
"k8s.io/ingress-nginx/internal/ingress" "k8s.io/ingress-nginx/internal/ingress"
"k8s.io/ingress-nginx/internal/ingress/annotations/authreq" "k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
@ -352,7 +353,14 @@ func TestBuildResolvers(t *testing.T) {
ipList := []net.IP{ipOne, ipTwo} ipList := []net.IP{ipOne, ipTwo}
validResolver := "resolver 192.0.0.1 [2001:db8:1234::] valid=30s;" validResolver := "resolver 192.0.0.1 [2001:db8:1234::] valid=30s;"
resolver := buildResolvers(ipList) resolver := buildResolvers(ipList, false)
if resolver != validResolver {
t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
}
validResolver = "resolver 192.0.0.1 valid=30s ipv6=off;"
resolver = buildResolvers(ipList, true)
if resolver != validResolver { if resolver != validResolver {
t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver) t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
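Review bot: The added assertions only exercise a mixed IPv4/IPv6 list with a real bool, so the new `disableIpv6.(bool)` failure branch in buildResolvers is never reached. One more case would pin that the template helper fails closed on a wrongly typed argument: `if r := buildResolvers(ipList, "true"); r != "" { t.Errorf("Expected empty string but returned '%v'", r) }`. TestBuildResolvers starts and ends outside this hunk, so such a case may already exist elsewhere in the function.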


@ -172,7 +172,7 @@ http {
{{ end }} {{ end }}
error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }}; error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
{{ buildResolvers $cfg.Resolver }} {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
{{/* Whenever nginx proxies a request without a "Connection" header, the "Connection" header is set to "close" */}} {{/* Whenever nginx proxies a request without a "Connection" header, the "Connection" header is set to "close" */}}
{{/* when making the target request. This means that you cannot simply use */}} {{/* when making the target request. This means that you cannot simply use */}}