Continue go crossplane (#11964)

This commit is contained in:
Ricardo Katz 2024-09-10 20:20:56 -03:00 committed by Ricardo Katz
parent 1ef5295ffe
commit 6c45750174
13 changed files with 1960 additions and 280 deletions

go.mod

@ -50,8 +50,8 @@ require (
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/jstemmer/go-junit-report v1.0.0 // indirect
github.com/klauspost/compress v1.17.9 // indirect
github.com/maxbrunsfeld/counterfeiter/v6 v6.10.0 // indirect
github.com/moby/sys/userns v0.1.0 // indirect
github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1 // indirect
github.com/x448/float16 v0.8.4 // indirect
go.opentelemetry.io/otel v1.31.0 // indirect
go.opentelemetry.io/otel/trace v1.31.0 // indirect

go.sum

@ -129,8 +129,8 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1 h1:NicmruxkeqHjDv03SfSxqmaLuisddudfP3h5wdXFbhM=
github.com/maxbrunsfeld/counterfeiter/v6 v6.8.1/go.mod h1:eyp4DdUJAKkr9tvxR3jWhw2mDK7CWABMG5r9uyaKC7I=
github.com/maxbrunsfeld/counterfeiter/v6 v6.10.0 h1:9WsegDYiSKtZXru+NcOB4z7iqb00n4atjmQlyy5TRXI=
github.com/maxbrunsfeld/counterfeiter/v6 v6.10.0/go.mod h1:TeVdzh+5QB5IpWDJAU/uviXA6kOg9yXzLrrjeLKJXqY=
github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=


@ -25,6 +25,7 @@ github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1Ig
github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM=
github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
@ -82,6 +83,7 @@ github.com/nwaples/rardecode v1.1.3/go.mod h1:5DzqNKiOdpKKBH87u8VlvAnPZMXcGRhxWk
github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
github.com/onsi/ginkgo/v2 v2.22.1/go.mod h1:S6aTpoRsSq2cZOd+pssHAlKW/Q/jZt6cPrPlnj4a1xM=
github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc=
github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
@ -160,5 +162,6 @@ google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojt
gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
k8s.io/apimachinery v0.31.2/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
k8s.io/kms v0.32.0/go.mod h1:Bk2evz/Yvk0oVrvm4MvZbgq8BD34Ksxs2SRHn4/UiOM=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=


@ -14,7 +14,7 @@ require (
require (
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/emicklei/go-restful/v3 v3.11.3 // indirect
github.com/emicklei/go-restful/v3 v3.12.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect


@ -3,8 +3,7 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/emicklei/go-restful/v3 v3.11.3 h1:yagOQz/38xJmcNeZJtrUcKjkHRltIaIFXKWeG1SkWGE=
github.com/emicklei/go-restful/v3 v3.11.3/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk=
github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=


@ -44,5 +44,19 @@ func (c *Template) buildConfig() {
)
}
if shouldLoadAuthDigestModule(c.tplConfig.Servers) {
config.Parsed = append(config.Parsed, buildDirective("load_module", "/etc/nginx/modules/ngx_http_auth_digest_module.so"))
}
if c.tplConfig.Cfg.EnableOpentelemetry || shouldLoadOpentelemetryModule(c.tplConfig.Servers) {
config.Parsed = append(config.Parsed, buildDirective("load_module", "/etc/nginx/modules/otel_ngx_module.so"))
}
if c.tplConfig.Cfg.UseGeoIP2 {
config.Parsed = append(config.Parsed,
buildDirective("load_module", "/etc/nginx/modules/ngx_http_geoip2_module.so"),
)
}
c.config = config
}
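Review bot: The gate `c.tplConfig.Cfg.EnableOpentelemetry || shouldLoadOpentelemetryModule(c.tplConfig.Servers)` on the otel `load_module` line is repeated verbatim in buildHTTP, where it guards the `opentelemetry_config` directive; if the two expressions ever drift, nginx either sees an unknown directive or loads a module that is never configured, and both fail the config load, so it belongs in one method such as `func (c *Template) opentelemetryEnabled() bool { return c.tplConfig.Cfg.EnableOpentelemetry || shouldLoadOpentelemetryModule(c.tplConfig.Servers) }` called from both places. The template touched by this same commit still emits `load_module /etc/nginx/modules/ngx_http_modsecurity_module.so` under `shouldLoadModSecurityModule`, and no equivalent appears in this hunk; if it is not handled above the hunk, configurations with ModSecurity enabled will not load once the Go path replaces the template. As a point of style, the geoip2 append is spread over three lines while the two appends just above it are single-line; `config.Parsed = append(config.Parsed, buildDirective("load_module", "/etc/nginx/modules/ngx_http_geoip2_module.so"))` would read consistently. buildConfig starts outside the hunk.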


@ -53,7 +53,7 @@ func TestCrossplaneTemplate(t *testing.T) {
IgnoreDirectives: []string{"more_clear_headers", "more_set_headers"}, // TODO: Add more_set_headers
DirectiveSources: []ngx_crossplane.MatchFunc{
ngx_crossplane.DefaultDirectivesMatchFunc,
ngx_crossplane.LuaDirectivesMatchFn,
ngx_crossplane.MatchLuaLatest,
extramodules.BrotliMatchFn,
},
LexOptions: ngx_crossplane.LexOptions{


@ -28,9 +28,11 @@ func (c *Template) initHTTPDirectives() ngx_crossplane.Directives {
cfg := c.tplConfig.Cfg
httpBlock := ngx_crossplane.Directives{
buildDirective("lua_package_path", "/etc/nginx/lua/?.lua;;"),
buildDirective("lua_shared_dict", "luaconfig", "5m"),
buildDirective("init_by_lua_file", "/etc/nginx/lua/ngx_conf_init.lua"),
buildDirective("init_worker_by_lua_file", "/etc/nginx/lua/ngx_conf_init_worker.lua"),
buildDirective("include", c.mimeFile),
buildDirective("default_type", cfg.DefaultType),
buildDirective("real_ip_recursive", "on"),
buildDirective("aio", "threads"),
buildDirective("aio_write", cfg.EnableAioWrite),
buildDirective("server_tokens", cfg.ShowServerTokens),
@ -85,8 +87,11 @@ func (c *Template) initHTTPDirectives() ngx_crossplane.Directives {
func (c *Template) buildHTTP() {
cfg := c.tplConfig.Cfg
httpBlock := c.initHTTPDirectives()
httpBlock = append(httpBlock, buildLuaSharedDictionaries(&c.tplConfig.Cfg)...)
httpBlock = append(httpBlock, buildLuaSharedDictionaries(&cfg)...)
if c.tplConfig.Cfg.EnableOpentelemetry || shouldLoadOpentelemetryModule(c.tplConfig.Servers) {
httpBlock = append(httpBlock, buildDirective("opentelemetry_config", cfg.OpentelemetryConfig))
}
// Real IP dealing
if (cfg.UseForwardedHeaders || cfg.UseProxyProtocol) || cfg.EnableRealIP {
if cfg.UseProxyProtocol {
@ -94,7 +99,7 @@ func (c *Template) buildHTTP() {
} else {
httpBlock = append(httpBlock, buildDirective("real_ip_header", cfg.ForwardedForHeader))
}
httpBlock = append(httpBlock, buildDirective("real_ip_recursive", "on"))
for k := range cfg.ProxyRealIPCIDR {
httpBlock = append(httpBlock, buildDirective("set_real_ip_from", cfg.ProxyRealIPCIDR[k]))
}
@ -128,10 +133,25 @@ func (c *Template) buildHTTP() {
}
}
if cfg.EnableBrotli {
httpBlock = append(httpBlock, buildDirective("brotli", "on"))
httpBlock = append(httpBlock, buildDirective("brotli_comp_level", cfg.BrotliLevel))
httpBlock = append(httpBlock, buildDirective("brotli_min_length", cfg.BrotliMinLength))
httpBlock = append(httpBlock, buildDirective("brotli_types", cfg.BrotliTypes))
}
if !cfg.ShowServerTokens {
httpBlock = append(httpBlock, buildDirective("more_clear_headers", "Server"))
}
httpBlock = append(httpBlock, buildBlockDirective(
"geo",
[]string{"$literal_dollar"},
ngx_crossplane.Directives{
buildDirective("default", "$"),
},
))
if len(c.tplConfig.AddHeaders) > 0 {
additionalHeaders := make([]string, 0)
for headerName, headerValue := range c.tplConfig.AddHeaders {
@ -206,6 +226,8 @@ func (c *Template) buildHTTP() {
httpUpgradeMap := ngx_crossplane.Directives{buildDirective("default", "upgrade")}
if cfg.UpstreamKeepaliveConnections < 1 {
httpUpgradeMap = append(httpUpgradeMap, buildDirective("", "close"))
} else {
httpUpgradeMap = append(httpUpgradeMap, buildDirective("", ""))
}
httpBlock = append(httpBlock, buildMapDirective("$http_upgrade", "$connection_upgrade", httpUpgradeMap))
@ -220,7 +242,7 @@ func (c *Template) buildHTTP() {
if cfg.UseProxyProtocol {
forwardForMap = append(forwardForMap,
buildDirective("default", "$http_x_forwarded_for, $proxy_protocol_addr"),
buildDirective("", "$http_x_forwarded_for, $proxy_protocol_addr"),
buildDirective("", "$proxy_protocol_addr"),
)
} else {
forwardForMap = append(forwardForMap,
@ -244,15 +266,13 @@ func (c *Template) buildHTTP() {
)
}
if len(cfg.HideHeaders) > 0 {
for k := range cfg.HideHeaders {
httpBlock = append(httpBlock, buildDirective("proxy_hide_header", cfg.HideHeaders[k]))
}
}
blockUpstreamDirectives := ngx_crossplane.Directives{
buildDirective("server", "0.0.0.1"),
buildBlockDirective("balancer_by_lua_block", nil, ngx_crossplane.Directives{buildDirective("balancer.balance()")}),
buildDirective("balancer_by_lua_file", "/etc/nginx/lua/nginx/ngx_conf_balancer.lua"),
}
if c.tplConfig.Cfg.UpstreamKeepaliveConnections > 0 {
blockUpstreamDirectives = append(blockUpstreamDirectives,
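Review bot: In the UseProxyProtocol branch of the forwardForMap hunk, the first entry appears to change from `buildDirective("default", "$http_x_forwarded_for, $proxy_protocol_addr")` to `buildDirective("", "$http_x_forwarded_for, $proxy_protocol_addr")`, which leaves two entries keyed on the empty string; nginx reports a repeated key in a `map` block as a conflicting parameter and refuses the configuration, so unless `buildDirective` renders an empty name as `default` (not visible here) the proxy-protocol configuration will not load, and the first entry should keep `default` as the template does. Separately, `real_ip_recursive on` moved from inside the real-IP conditional into initHTTPDirectives, so it is now emitted even when no `set_real_ip_from` is configured; harmless for nginx, but it is a silent divergence from the template output that the comparison test may flag. The new `more_clear_headers Server` line (emitted when ShowServerTokens is false) is listed under the test's IgnoreDirectives, so the template comparison cannot catch a regression on the one directive that hides the server version; it deserves a dedicated assertion. buildHTTP starts and ends outside these hunks.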


@ -7,11 +7,16 @@
{{ $proxyHeaders := .ProxySetHeaders }}
{{ $addHeaders := .AddHeaders }}
# MIGRATED
pid {{ .PID }};
# Configuration checksum: {{ $all.Cfg.Checksum }}
# MODULES ARE NOT MIGRATED YET!
{{ if $cfg.EnableBrotli }}
# setup custom paths that do not require root access
pid {{ .PID }}; # OK
{{ if $cfg.UseGeoIP2 }} #OK
load_module /etc/nginx/modules/ngx_http_geoip2_module.so;
{{ end }}
{{ if $cfg.EnableBrotli }} #OK
load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
{{ end }}
@ -20,114 +25,56 @@ load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
load_module /etc/nginx/modules/ngx_http_auth_digest_module.so;
{{ end }}
{{ if (shouldLoadModSecurityModule $cfg $servers) }}
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
{{ end }}
{{ if (shouldLoadOpentelemetryModule $cfg $servers) }}
load_module /etc/nginx/modules/otel_ngx_module.so;
{{ end }}
# MIGRATED 1
daemon off;
daemon off; # OK
worker_processes {{ $cfg.WorkerProcesses }};
{{ if gt (len $cfg.WorkerCPUAffinity) 0 }}
worker_processes {{ $cfg.WorkerProcesses }}; # OK
{{ if gt (len $cfg.WorkerCPUAffinity) 0 }} # OK
worker_cpu_affinity {{ $cfg.WorkerCPUAffinity }};
{{ end }}
worker_rlimit_nofile {{ $cfg.MaxWorkerOpenFiles }};
worker_rlimit_nofile {{ $cfg.MaxWorkerOpenFiles }}; # OK
{{/* http://nginx.org/en/docs/ngx_core_module.html#worker_shutdown_timeout */}}
{{/* avoid waiting too long during a reload */}}
worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ;
worker_shutdown_timeout {{ $cfg.WorkerShutdownTimeout }} ; # OK
# REMOVED
# {{ if not (empty $cfg.MainSnippet) }}
# {{ $cfg.MainSnippet }}
# {{ end }}
events {
multi_accept {{ if $cfg.EnableMultiAccept }}on{{ else }}off{{ end }};
worker_connections {{ $cfg.MaxWorkerConnections }};
use epoll;
{{ range $index , $v := $cfg.DebugConnections }}
debug_connection {{ $v }};
multi_accept {{ if $cfg.EnableMultiAccept }}on{{ else }}off{{ end }}; # OK
worker_connections {{ $cfg.MaxWorkerConnections }}; # OK
use epoll; # OK
{{ range $index , $v := $cfg.DebugConnections }} # OK
debug_connection {{ $v }}; # OK
{{ end }}
}
# END MIGRATED 1
http {
{{ if (shouldLoadOpentelemetryModule $cfg $servers) }}
opentelemetry_config {{ $cfg.OpentelemetryConfig }};
{{ end }}
# MIGRATED
lua_package_path "/etc/nginx/lua/?.lua;;";
lua_package_path "/etc/nginx/lua/?.lua;;"; # OK
# MIGRATED
{{ buildLuaSharedDictionaries $cfg $servers }}
{{ buildLuaSharedDictionaries $cfg $servers }} # OK
# NOT MIGRATED
init_by_lua_block {
collectgarbage("collect")
lua_shared_dict luaconfig 5m; # OK
-- init modules
local ok, res
init_by_lua_file /etc/nginx/lua/ngx_conf_init.lua; # OK
ok, res = pcall(require, "lua_ingress")
if not ok then
error("require failed: " .. tostring(res))
else
lua_ingress = res
lua_ingress.set_config({{ configForLua $all }})
end
init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua; # OK
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
configuration.prohibited_localhost_port = '{{ .StatusPort }}'
end
ok, res = pcall(require, "balancer")
if not ok then
error("require failed: " .. tostring(res))
else
balancer = res
end
{{ if $all.EnableMetrics }}
ok, res = pcall(require, "monitor")
if not ok then
error("require failed: " .. tostring(res))
else
monitor = res
end
{{ end }}
ok, res = pcall(require, "certificate")
if not ok then
error("require failed: " .. tostring(res))
else
certificate = res
certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }}
end
ok, res = pcall(require, "plugins")
if not ok then
error("require failed: " .. tostring(res))
else
plugins = res
end
-- load all plugins that'll be used here
plugins.init({ {{ range $idx, $plugin := $cfg.Plugins }}{{ if $idx }},{{ end }}{{ $plugin | quote }}{{ end }} })
}
init_worker_by_lua_block {
lua_ingress.init_worker()
balancer.init_worker()
{{ if $all.EnableMetrics }}
monitor.init_worker({{ $all.MonitorMaxBatchSize }})
{{ end }}
plugins.run()
}
# MIGRATED VARIOUS 1
{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
{{/* we use the value of the real IP for the geo_ip module */}}
{{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }}
@ -143,6 +90,162 @@ http {
{{ end }}
{{ end }}
{{ if $all.Cfg.EnableModsecurity }}
modsecurity on;
{{ if (not (empty $all.Cfg.ModsecuritySnippet)) }}
modsecurity_rules '
{{ $all.Cfg.ModsecuritySnippet }}
';
{{ else }}
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
{{ end }}
{{ if $all.Cfg.EnableOWASPCoreRules }}
modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
{{ end }}
{{ end }}
{{ if $cfg.UseGeoIP2 }}
# https://github.com/leev/ngx_http_geoip2_module#example-usage
{{ range $index, $file := $all.MaxmindEditionFiles }}
{{ if eq $file "GeoLite2-Country.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoLite2-Country.mmdb {
{{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
{{ end }}
$geoip2_country_code source=$remote_addr country iso_code;
$geoip2_country_name source=$remote_addr country names en;
$geoip2_country_geoname_id source=$remote_addr country geoname_id;
$geoip2_continent_code source=$remote_addr continent code;
$geoip2_continent_name source=$remote_addr continent names en;
$geoip2_continent_geoname_id source=$remote_addr continent geoname_id;
}
{{ end }}
{{ if eq $file "GeoIP2-Country.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-Country.mmdb {
{{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
{{ end }}
$geoip2_country_code source=$remote_addr country iso_code;
$geoip2_country_name source=$remote_addr country names en;
$geoip2_country_geoname_id source=$remote_addr country geoname_id;
$geoip2_continent_code source=$remote_addr continent code;
$geoip2_continent_name source=$remote_addr continent names en;
$geoip2_continent_geoname_id source=$remote_addr continent geoname_id;
}
{{ end }}
{{ if eq $file "GeoLite2-City.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoLite2-City.mmdb {
{{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
{{ end }}
$geoip2_city_country_code source=$remote_addr country iso_code;
$geoip2_city_country_name source=$remote_addr country names en;
$geoip2_city_country_geoname_id source=$remote_addr country geoname_id;
$geoip2_city source=$remote_addr city names en;
$geoip2_city_geoname_id source=$remote_addr city geoname_id;
$geoip2_postal_code source=$remote_addr postal code;
$geoip2_dma_code source=$remote_addr location metro_code;
$geoip2_latitude source=$remote_addr location latitude;
$geoip2_longitude source=$remote_addr location longitude;
$geoip2_time_zone source=$remote_addr location time_zone;
$geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
$geoip2_region_name source=$remote_addr subdivisions 0 names en;
$geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id;
$geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
$geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
$geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id;
$geoip2_city_continent_code source=$remote_addr continent code;
$geoip2_city_continent_name source=$remote_addr continent names en;
}
{{ end }}
{{ if eq $file "GeoIP2-City.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-City.mmdb {
{{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
{{ end }}
$geoip2_city_country_code source=$remote_addr country iso_code;
$geoip2_city_country_name source=$remote_addr country names en;
$geoip2_city_country_geoname_id source=$remote_addr country geoname_id;
$geoip2_city source=$remote_addr city names en;
$geoip2_city_geoname_id source=$remote_addr city geoname_id;
$geoip2_postal_code source=$remote_addr postal code;
$geoip2_dma_code source=$remote_addr location metro_code;
$geoip2_latitude source=$remote_addr location latitude;
$geoip2_longitude source=$remote_addr location longitude;
$geoip2_time_zone source=$remote_addr location time_zone;
$geoip2_region_code source=$remote_addr subdivisions 0 iso_code;
$geoip2_region_name source=$remote_addr subdivisions 0 names en;
$geoip2_region_geoname_id source=$remote_addr subdivisions 0 geoname_id;
$geoip2_subregion_code source=$remote_addr subdivisions 1 iso_code;
$geoip2_subregion_name source=$remote_addr subdivisions 1 names en;
$geoip2_subregion_geoname_id source=$remote_addr subdivisions 1 geoname_id;
$geoip2_city_continent_code source=$remote_addr continent code;
$geoip2_city_continent_name source=$remote_addr continent names en;
}
{{ end }}
{{ if eq $file "GeoLite2-ASN.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoLite2-ASN.mmdb {
{{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
{{ end }}
$geoip2_asn source=$remote_addr autonomous_system_number;
$geoip2_org source=$remote_addr autonomous_system_organization;
}
{{ end }}
{{ if eq $file "GeoIP2-ASN.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-ASN.mmdb {
{{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
{{ end }}
$geoip2_asn source=$remote_addr autonomous_system_number;
$geoip2_org source=$remote_addr autonomous_system_organization;
}
{{ end }}
{{ if eq $file "GeoIP2-ISP.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-ISP.mmdb {
{{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
{{ end }}
$geoip2_isp source=$remote_addr isp;
$geoip2_isp_org source=$remote_addr organization;
$geoip2_asn source=$remote_addr default=0 autonomous_system_number;
}
{{ end }}
{{ if eq $file "GeoIP2-Connection-Type.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-Connection-Type.mmdb {
$geoip2_connection_type connection_type;
}
{{ end }}
{{ if eq $file "GeoIP2-Anonymous-IP.mmdb" }}
geoip2 /etc/ingress-controller/geoip/GeoIP2-Anonymous-IP.mmdb {
{{ if (gt $cfg.GeoIP2AutoReloadMinutes 0) }}
auto_reload {{ $cfg.GeoIP2AutoReloadMinutes }}m;
{{ end }}
$geoip2_is_anon source=$remote_addr is_anonymous;
$geoip2_is_anonymous source=$remote_addr default=0 is_anonymous;
$geoip2_is_anonymous_vpn source=$remote_addr default=0 is_anonymous_vpn;
$geoip2_is_hosting_provider source=$remote_addr default=0 is_hosting_provider;
$geoip2_is_public_proxy source=$remote_addr default=0 is_public_proxy;
$geoip2_is_tor_exit_node source=$remote_addr default=0 is_tor_exit_node;
}
{{ end }}
{{ end }}
{{ end }}
aio threads;
{{ if $cfg.EnableAioWrite }}
@ -201,9 +304,18 @@ http {
limit_req_status {{ $cfg.LimitReqStatusCode }};
limit_conn_status {{ $cfg.LimitConnStatusCode }};
{{ buildOpentelemetry $cfg $servers }}
include /etc/nginx/mime.types;
default_type {{ $cfg.DefaultType }};
{{ if $cfg.EnableBrotli }}
brotli on;
brotli_comp_level {{ $cfg.BrotliLevel }};
brotli_min_length {{ $cfg.BrotliMinLength }};
brotli_types {{ $cfg.BrotliTypes }};
{{ end }}
{{ if $cfg.UseGzip }}
gzip on;
gzip_comp_level {{ $cfg.GzipLevel }};
@ -263,26 +375,6 @@ http {
{{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
server_name_in_redirect off;
port_in_redirect off;
ssl_protocols {{ $cfg.SSLProtocols }};
ssl_early_data {{ if $cfg.SSLEarlyData }}on{{ else }}off{{ end }};
# allow configuring ssl session tickets
ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
# slightly reduce the time-to-first-byte
ssl_buffer_size {{ $cfg.SSLBufferSize }};
ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};
# PEM sha: {{ $cfg.DefaultSSLCertificate.PemSHA }}
ssl_certificate {{ $cfg.DefaultSSLCertificate.PemFileName }};
ssl_certificate_key {{ $cfg.DefaultSSLCertificate.PemFileName }};
proxy_ssl_session_reuse on;
# See https://www.nginx.com/blog/websocket-nginx
map $http_upgrade $connection_upgrade {
default upgrade;
@ -303,9 +395,6 @@ http {
{{ end }}
}
# Cache for internal auth checks
proxy_cache_path /tmp/nginx/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;
{{ if and $cfg.UseForwardedHeaders $cfg.ComputeFullForwardedFor }}
# We can't use $proxy_add_x_forwarded_for because the realip module
# replaces the remote_addr too soon
@ -321,16 +410,35 @@ http {
{{ end }}
# Create a variable that contains the literal $ character.
# This works because the geo module will not resolve variables.
geo $literal_dollar {
default "$";
}
server_name_in_redirect off;
port_in_redirect off;
ssl_protocols {{ $cfg.SSLProtocols }};
ssl_early_data {{ if $cfg.SSLEarlyData }}on{{ else }}off{{ end }};
# turn on session caching to drastically improve performance
{{ if $cfg.SSLSessionCache }}
ssl_session_cache shared:SSL:{{ $cfg.SSLSessionCacheSize }};
ssl_session_timeout {{ $cfg.SSLSessionTimeout }};
{{ end }}
# allow configuring ssl session tickets
ssl_session_tickets {{ if $cfg.SSLSessionTickets }}on{{ else }}off{{ end }};
{{ if not (empty $cfg.SSLSessionTicketKey ) }}
ssl_session_ticket_key /etc/ingress-controller/tickets.key;
{{ end }}
# slightly reduce the time-to-first-byte
ssl_buffer_size {{ $cfg.SSLBufferSize }};
{{ if not (empty $cfg.SSLCiphers) }}
# allow configuring custom ssl ciphers
ssl_ciphers '{{ $cfg.SSLCiphers }}';
@ -342,16 +450,20 @@ http {
ssl_dhparam {{ $cfg.SSLDHParam }};
{{ end }}
ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};
# PEM sha: {{ $cfg.DefaultSSLCertificate.PemSHA }}
ssl_certificate {{ $cfg.DefaultSSLCertificate.PemFileName }};
ssl_certificate_key {{ $cfg.DefaultSSLCertificate.PemFileName }};
{{ if and $cfg.CustomHTTPErrors (not $cfg.DisableProxyInterceptErrors) }}
proxy_intercept_errors on;
{{ end }}
{{ if $cfg.EnableBrotli }}
brotli on;
brotli_comp_level {{ $cfg.BrotliLevel }};
brotli_min_length {{ $cfg.BrotliMinLength }};
brotli_types {{ $cfg.BrotliTypes }};
{{ end }}
{{ range $errCode := $cfg.CustomHTTPErrors }}
error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
proxy_ssl_session_reuse on;
{{ if $cfg.AllowBackendServerHeader }}
proxy_pass_header Server;
@ -360,6 +472,59 @@ http {
{{ range $header := $cfg.HideHeaders }}proxy_hide_header {{ $header }};
{{ end }}
{{ if not (empty $cfg.HTTPSnippet) }}
# Custom code snippet configured in the configuration configmap
{{ $cfg.HTTPSnippet }}
{{ end }}
upstream upstream_balancer {
### Attention!!!
#
# We no longer create "upstream" section for every backend.
# Backends are handled dynamically using Lua. If you would like to debug
# and see what backends ingress-nginx has in its memory you can
# install our kubectl plugin https://kubernetes.github.io/ingress-nginx/kubectl-plugin.
# Once you have the plugin you can use "kubectl ingress-nginx backends" command to
# inspect current backends.
#
###
server 0.0.0.1; # placeholder
balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer.lua;
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
keepalive_time {{ $cfg.UpstreamKeepaliveTime }};
keepalive_timeout {{ $cfg.UpstreamKeepaliveTimeout }}s;
keepalive_requests {{ $cfg.UpstreamKeepaliveRequests }};
{{ end }}
}
{{ range $rl := (filterRateLimits $servers ) }}
# Ratelimit {{ $rl.Name }}
geo $remote_addr $allowlist_{{ $rl.ID }} {
default 0;
{{ range $ip := $rl.Allowlist }}
{{ $ip }} 1;{{ end }}
}
# Ratelimit {{ $rl.Name }}
map $allowlist_{{ $rl.ID }} $limit_{{ $rl.ID }} {
0 {{ $cfg.LimitConnZoneVariable }};
1 "";
}
{{ end }}
{{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
{{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
{{ range $zone := (buildRateLimitZones $servers) }}
{{ $zone }}
{{ end }}
# Cache for internal auth checks
proxy_cache_path /tmp/nginx/nginx-cache-auth levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;
# Global filters
{{ range $ip := $cfg.BlockCIDRs }}deny {{ trimSpace $ip }};
{{ end }}
@ -382,57 +547,6 @@ http {
}
{{ end }}
upstream upstream_balancer {
server 0.0.0.1; # placeholder
balancer_by_lua_block {
balancer.balance()
}
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
keepalive_time {{ $cfg.UpstreamKeepaliveTime }};
keepalive_timeout {{ $cfg.UpstreamKeepaliveTimeout }}s;
keepalive_requests {{ $cfg.UpstreamKeepaliveRequests }};
{{ end }}
}
# END MIGRATED VARIOUS 1
{{ buildOpentelemetry $cfg $servers }}
# Create a variable that contains the literal $ character.
# This works because the geo module will not resolve variables.
geo $literal_dollar {
default "$";
}
# MIGRATED
{{ range $errCode := $cfg.CustomHTTPErrors }}
error_page {{ $errCode }} = @custom_upstream-default-backend_{{ $errCode }};{{ end }}
{{ range $rl := (filterRateLimits $servers ) }}
# Ratelimit {{ $rl.Name }}
geo $remote_addr $allowlist_{{ $rl.ID }} {
default 0;
{{ range $ip := $rl.Allowlist }}
{{ $ip }} 1;{{ end }}
}
# Ratelimit {{ $rl.Name }}
map $allowlist_{{ $rl.ID }} $limit_{{ $rl.ID }} {
0 {{ $cfg.LimitConnZoneVariable }};
1 "";
}
{{ end }}
{{/* build all the required rate limit zones. Each annotation requires a dedicated zone */}}
{{/* 1MB -> 16 thousand 64-byte states or about 8 thousand 128-byte states */}}
{{ range $zone := (buildRateLimitZones $servers) }}
{{ $zone }}
{{ end }}
{{/* Build server redirects (from/to www) */}}
{{ range $redirect := .RedirectServers }}
## start server {{ $redirect.From }}
@ -442,9 +556,7 @@ http {
{{ buildHTTPListener $all $redirect.From }}
{{ buildHTTPSListener $all $redirect.From }}
ssl_certificate_by_lua_block {
certificate.call()
}
ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua;
{{ if gt (len $cfg.BlockUserAgents) 0 }}
if ($block_ua) {
@ -457,30 +569,7 @@ http {
}
{{ end }}
set_by_lua_block $redirect_to {
local request_uri = ngx.var.request_uri
if string.sub(request_uri, -1) == "/" then
request_uri = string.sub(request_uri, 1, -2)
end
{{ if $cfg.UseForwardedHeaders }}
local redirectScheme
if not ngx.var.http_x_forwarded_proto then
redirectScheme = ngx.var.scheme
else
redirectScheme = ngx.var.http_x_forwarded_proto
end
{{ else }}
local redirectScheme = ngx.var.scheme
{{ end }}
{{ if ne $all.ListenPorts.HTTPS 443 }}
{{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
return string.format("%s://%s%s%s", redirectScheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri)
{{ else }}
return string.format("%s://%s%s", redirectScheme, "{{ $redirect.To }}", request_uri)
{{ end }}
}
set_by_lua_file $redirect_to /etc/nginx/lua/nginx/ngx_srv_redirect.lua {{ $redirect.To }};
return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to;
}
@ -528,7 +617,12 @@ http {
{{ template "SERVER" serverConfig $all $server }}
{{ template "CUSTOM_ERRORS" (buildCustomErrorDeps "upstream-default-backend" $cfg.CustomHTTPErrors $all.EnableMetrics) }}
{{ if not (empty $cfg.ServerSnippet) }}
# Custom code snippet configured in the configuration configmap
{{ $cfg.ServerSnippet }}
{{ end }}
{{ template "CUSTOM_ERRORS" (buildCustomErrorDeps "upstream-default-backend" $cfg.CustomHTTPErrors $all.EnableMetrics $cfg.EnableModsecurity) }}
}
## end server {{ $server.Hostname }}
@ -549,6 +643,11 @@ http {
# default server, used for NGINX healthcheck and access to nginx stats
server {
# Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $all.Cfg.EnableModsecurity }}
modsecurity off;
{{ end }}
listen 127.0.0.1:{{ .StatusPort }};
set $proxy_upstream_name "internal";
@ -565,17 +664,7 @@ http {
}
location /is-dynamic-lb-initialized {
content_by_lua_block {
local configuration = require("configuration")
local backend_data = configuration.get_backends_data()
if not backend_data then
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
return
end
ngx.say("OK")
ngx.exit(ngx.HTTP_OK)
}
content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua;
}
location {{ .StatusPath }} {
@ -587,27 +676,136 @@ http {
client_body_buffer_size {{ luaConfigurationRequestBodySize $cfg }};
proxy_buffering off;
content_by_lua_block {
configuration.call()
}
content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_configuration.lua;
}
location / {
content_by_lua_block {
ngx.exit(ngx.HTTP_NOT_FOUND)
return 404;
}
}
}
stream {
lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;";
lua_shared_dict tcp_udp_configuration_data 5M;
{{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
init_by_lua_file /etc/nginx/lua/ngx_conf_init_stream.lua;
init_worker_by_lua_file /etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua;
lua_add_variable $proxy_upstream_name;
log_format log_stream '{{ $cfg.LogFormatStream }}';
{{ if or $cfg.DisableAccessLog $cfg.DisableStreamAccessLog }}
access_log off;
{{ else }}
access_log {{ or $cfg.StreamAccessLogPath $cfg.AccessLogPath }} log_stream {{ $cfg.AccessLogParams }};
{{ end }}
error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
{{ if $cfg.EnableRealIP }}
{{ range $trusted_ip := $cfg.ProxyRealIPCIDR }}
set_real_ip_from {{ $trusted_ip }};
{{ end }}
{{ end }}
upstream upstream_balancer {
server 0.0.0.1:1234; # placeholder
balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua;
}
server {
listen 127.0.0.1:{{ .StreamPort }};
access_log off;
content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua;
}
# TCP services
{{ range $tcpServer := .TCPBackends }}
server {
preread_by_lua_block {
ngx.var.proxy_upstream_name="tcp-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }}";
}
{{ range $address := $all.Cfg.BindAddressIpv4 }}
listen {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
{{ else }}
listen {{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
{{ end }}
{{ if $IsIPV6Enabled }}
{{ range $address := $all.Cfg.BindAddressIpv6 }}
listen {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
{{ else }}
listen [::]:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }};
{{ end }}
{{ end }}
proxy_timeout {{ $cfg.ProxyStreamTimeout }};
proxy_next_upstream {{ if $cfg.ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
proxy_next_upstream_timeout {{ $cfg.ProxyStreamNextUpstreamTimeout }};
proxy_next_upstream_tries {{ $cfg.ProxyStreamNextUpstreamTries }};
proxy_pass upstream_balancer;
{{ if $tcpServer.Backend.ProxyProtocol.Encode }}
proxy_protocol on;
{{ end }}
}
{{ end }}
# UDP services
{{ range $udpServer := .UDPBackends }}
server {
preread_by_lua_block {
ngx.var.proxy_upstream_name="udp-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }}";
}
{{ range $address := $all.Cfg.BindAddressIpv4 }}
listen {{ $address }}:{{ $udpServer.Port }} udp;
{{ else }}
listen {{ $udpServer.Port }} udp;
{{ end }}
{{ if $IsIPV6Enabled }}
{{ range $address := $all.Cfg.BindAddressIpv6 }}
listen {{ $address }}:{{ $udpServer.Port }} udp;
{{ else }}
listen [::]:{{ $udpServer.Port }} udp;
{{ end }}
{{ end }}
proxy_responses {{ $cfg.ProxyStreamResponses }};
proxy_timeout {{ $cfg.ProxyStreamTimeout }};
proxy_next_upstream {{ if $cfg.ProxyStreamNextUpstream }}on{{ else }}off{{ end }};
proxy_next_upstream_timeout {{ $cfg.ProxyStreamNextUpstreamTimeout }};
proxy_next_upstream_tries {{ $cfg.ProxyStreamNextUpstreamTries }};
proxy_pass upstream_balancer;
}
{{ end }}
# Stream Snippets
{{ range $snippet := .StreamSnippets }}
{{ $snippet }}
{{ end }}
}
{{/* definition of templates to avoid repetitions */}}
{{ define "CUSTOM_ERRORS" }}
{{ $enableMetrics := .EnableMetrics }}
{{ $modsecurityEnabled := .ModsecurityEnabled }}
{{ $upstreamName := .UpstreamName }}
{{ range $errCode := .ErrorCodes }}
location @custom_{{ $upstreamName }}_{{ $errCode }} {
internal;
# Ensure that modsecurity will not run on custom error pages or they might be blocked
{{ if $modsecurityEnabled }}
modsecurity off;
{{ end }}
proxy_intercept_errors off;
proxy_set_header X-Code {{ $errCode }};
@ -626,12 +824,10 @@ http {
rewrite (.*) / break;
proxy_pass http://upstream_balancer;
log_by_lua_block {
{{ if $enableMetrics }}
monitor.call()
log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log.lua;
{{ end }}
}
}
{{ end }}
{{ end }}
@ -690,9 +886,7 @@ http {
ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }};
{{ end }}
ssl_certificate_by_lua_block {
certificate.call()
}
ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua;
{{ if not (empty $server.AuthTLSError) }}
# {{ $server.AuthTLSError }}
@ -741,8 +935,13 @@ http {
ssl_prefer_server_ciphers {{ $server.SSLPreferServerCiphers }};
{{ end }}
{{ if not (empty $server.ServerSnippet) }}
# Custom code snippet configured for host {{ $server.Hostname }}
{{ $server.ServerSnippet }}
{{ end }}
{{ range $errorLocation := (buildCustomErrorLocationsPerServer $server) }}
{{ template "CUSTOM_ERRORS" (buildCustomErrorDeps $errorLocation.UpstreamName $errorLocation.Codes $all.EnableMetrics) }}
{{ template "CUSTOM_ERRORS" (buildCustomErrorDeps $errorLocation.UpstreamName $errorLocation.Codes $all.EnableMetrics $all.Cfg.EnableModsecurity) }}
{{ end }}
{{ buildMirrorLocations $server.Locations }}
@ -779,13 +978,16 @@ http {
access_log off;
{{ end }}
# Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $all.Cfg.EnableModsecurity }}
modsecurity off;
{{ end }}
{{ if $externalAuth.AuthCacheKey }}
set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}';
set $cache_key '';
rewrite_by_lua_block {
ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key))
}
rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua;
proxy_cache auth_cache;
@ -861,6 +1063,10 @@ http {
{{ $line }}
{{- end }}
{{ if not (empty $externalAuth.AuthSnippet) }}
{{ $externalAuth.AuthSnippet }}
{{ end }}
{{ if and (eq $applyAuthUpstream true) (eq $applyGlobalAuth false) }}
{{ $authUpstreamName := buildAuthUpstreamName $location $server.Hostname }}
# The target is an upstream with HTTP keepalive, that is why the
@ -889,6 +1095,11 @@ http {
{{ template "CORS" $location }}
{{ end }}
# Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $all.Cfg.EnableModsecurity }}
modsecurity off;
{{ end }}
return 302 {{ buildAuthSignURL $externalAuth.SigninURL $externalAuth.SigninURLRedirectParam }};
}
{{ end }}
@ -901,7 +1112,6 @@ http {
set $service_name {{ $ing.Service | quote }};
set $service_port {{ $ing.ServicePort | quote }};
set $location_path {{ $ing.Path | escapeLiteralDollar | quote }};
set $global_rate_limit_exceeding n;
{{ buildOpentelemetryForLocation $all.Cfg.EnableOpentelemetry $all.Cfg.OpentelemetryTrustIncomingSpan $location }}
@ -910,35 +1120,13 @@ http {
mirror_request_body {{ $location.Mirror.RequestBody }};
{{ end }}
rewrite_by_lua_block {
lua_ingress.rewrite({{ locationConfigForLua $location $all }})
balancer.rewrite()
plugins.run()
}
{{ locationConfigForLua $location $all }}
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
# other authentication method such as basic auth or external auth useless - all requests will be allowed.
#access_by_lua_block {
#}
rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_rewrite.lua;
header_filter_by_lua_block {
lua_ingress.header()
plugins.run()
}
header_filter_by_lua_file /etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua;
body_filter_by_lua_block {
plugins.run()
}
log_by_lua_block {
balancer.log()
{{ if $all.EnableMetrics }}
monitor.call()
{{ end }}
plugins.run()
}
log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log_block.lua;
{{ if not $location.Logs.Access }}
access_log off;
@ -970,6 +1158,8 @@ http {
set $proxy_alternative_upstream_name "";
{{ buildModSecurityForLocation $all.Cfg $location }}
{{ if isLocationAllowed $location }}
{{ if gt (len $location.Denylist.CIDR) 0 }}
{{ range $ip := $location.Denylist.CIDR }}
@ -1134,6 +1324,14 @@ http {
grpc_read_timeout {{ $location.Proxy.ReadTimeout }}s;
{{ end }}
{{/* Add any additional configuration defined */}}
{{ $location.ConfigurationSnippet }}
{{ if not (empty $all.Cfg.LocationSnippet) }}
# Custom code snippet configured in the configuration configmap
{{ $all.Cfg.LocationSnippet }}
{{ end }}
{{ if $location.CustomHeaders }}
# Custom Response Headers
{{ range $k, $v := $location.CustomHeaders.Headers }}


@ -25,6 +25,7 @@ import (
"k8s.io/ingress-nginx/internal/ingress/controller/config"
ing_net "k8s.io/ingress-nginx/internal/net"
"k8s.io/ingress-nginx/pkg/apis/ingress"
)
type seconds int
@ -112,3 +113,31 @@ func dictKbToStr(size int) string {
}
return fmt.Sprintf("%dK", size)
}
func shouldLoadAuthDigestModule(servers []*ingress.Server) bool {
for _, server := range servers {
for _, location := range server.Locations {
if !location.BasicDigestAuth.Secured {
continue
}
if location.BasicDigestAuth.Type == "digest" {
return true
}
}
}
return false
}
// shouldLoadOpentelemetryModule determines whether or not the Opentelemetry module needs to be loaded.
// It checks if `enable-opentelemetry` is set in the ConfigMap.
func shouldLoadOpentelemetryModule(servers []*ingress.Server) bool {
for _, server := range servers {
for _, location := range server.Locations {
if location.Opentelemetry.Enabled {
return true
}
}
}
return false
}
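Review bot: shouldLoadAuthDigestModule is added without a doc comment while its sibling shouldLoadOpentelemetryModule immediately below gets one; proposed: `// shouldLoadAuthDigestModule reports whether any secured location is configured with digest auth, so the auth digest module is only loaded when at least one location needs it.` The `"digest"` literal compared in that loop is a bare string; if the config or annotation package already exposes a constant for the auth type, comparing against it would keep this check and the annotation parser from drifting apart. The comment on shouldLoadOpentelemetryModule says it checks `enable-opentelemetry` in the ConfigMap, but the body inspects `location.Opentelemetry.Enabled` per location; if that field can also be set per Ingress, the comment understates the trigger and reads more accurately as "It returns true when any location has OpenTelemetry enabled."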


@ -8,23 +8,23 @@ require (
github.com/helm/helm v2.17.0+incompatible
github.com/magefile/mage v1.15.0
github.com/vmware-labs/yaml-jsonpath v0.3.2
golang.org/x/oauth2 v0.22.0
golang.org/x/oauth2 v0.23.0
gopkg.in/yaml.v3 v3.0.1
)
require (
github.com/BurntSushi/toml v1.3.2 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
github.com/cyphar/filepath-securejoin v0.3.4 // indirect
github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/fsnotify/fsnotify v1.8.0 // indirect
github.com/ghodss/yaml v1.0.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/go-querystring v1.1.0 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/onsi/ginkgo v1.16.5 // indirect
github.com/onsi/gomega v1.34.1 // indirect
github.com/onsi/gomega v1.34.2 // indirect
github.com/sergi/go-diff v1.3.1 // indirect
github.com/stretchr/testify v1.9.0 // indirect
golang.org/x/crypto v0.31.0 // indirect
@ -32,6 +32,6 @@ require (
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/apimachinery v0.31.0 // indirect
k8s.io/apimachinery v0.31.2 // indirect
k8s.io/helm v2.17.0+incompatible // indirect
)


@ -5,8 +5,7 @@ github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF0
github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@ -14,8 +13,7 @@ github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 h1:aRd8M7HJVZOqn/v
github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960/go.mod h1:9HQzr9D/0PGwMEbC3d5AB7oi67+h4TsQqItC1GVYG58=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
@ -64,7 +62,7 @@ github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042
github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
@ -91,8 +89,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -149,6 +147,6 @@ gopkg.in/yaml.v3 v3.0.0-20191026110619-0b21df46bc1d/go.mod h1:K4uyk7z7BCEPqu6E+C
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc=
k8s.io/apimachinery v0.31.2 h1:i4vUt2hPK56W6mlT7Ry+AO8eEsyxMD1U44NR22CLTYw=
k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao=
k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI=