Only support dynamic configuration
This commit is contained in:
Manuel Alejandro de Brito Fontes
parent
808c2be914
commit
74c2f93de6
12 changed files with 134 additions and 328 deletions
|
|
@ -20,7 +20,6 @@ import (
|
||||||
"flag"
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
"runtime"
|
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
"github.com/spf13/pflag"
|
"github.com/spf13/pflag"
|
||||||
|
|
@ -130,10 +129,6 @@ extension for this to succeed.`)
|
||||||
`Customized address to set as the load-balancer status of Ingress objects this controller satisfies.
|
`Customized address to set as the load-balancer status of Ingress objects this controller satisfies.
|
||||||
Requires the update-status parameter.`)
|
Requires the update-status parameter.`)
|
||||||
|
|
||||||
dynamicConfigurationEnabled = flags.Bool("enable-dynamic-configuration", true,
|
|
||||||
`Dynamically refresh backends on topology changes instead of reloading NGINX.
|
|
||||||
Feature backed by OpenResty Lua libraries.`)
|
|
||||||
|
|
||||||
dynamicCertificatesEnabled = flags.Bool("enable-dynamic-certificates", false,
|
dynamicCertificatesEnabled = flags.Bool("enable-dynamic-certificates", false,
|
||||||
`Dynamically update SSL certificates instead of reloading NGINX.
|
`Dynamically update SSL certificates instead of reloading NGINX.
|
||||||
Feature backed by OpenResty Lua libraries. Requires that OCSP stapling is not enabled`)
|
Feature backed by OpenResty Lua libraries. Requires that OCSP stapling is not enabled`)
|
||||||
|
|
@ -200,7 +195,7 @@ Feature backed by OpenResty Lua libraries. Requires that OCSP stapling is not en
|
||||||
glog.Warningf("SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)")
|
glog.Warningf("SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)")
|
||||||
}
|
}
|
||||||
|
|
||||||
if (*enableSSLChainCompletion || !*dynamicConfigurationEnabled) && *dynamicCertificatesEnabled {
|
if *enableSSLChainCompletion && *dynamicCertificatesEnabled {
|
||||||
return false, nil, fmt.Errorf(`SSL certificate chain completion cannot be enabled and dynamic configuration cannot be disabled when
|
return false, nil, fmt.Errorf(`SSL certificate chain completion cannot be enabled and dynamic configuration cannot be disabled when
|
||||||
dynamic certificates functionality is enabled. Please check the flags --enable-ssl-chain-completion and --enable-dynamic-configuration`)
|
dynamic certificates functionality is enabled. Please check the flags --enable-ssl-chain-completion and --enable-dynamic-configuration`)
|
||||||
}
|
}
|
||||||
|
|
@ -209,16 +204,6 @@ dynamic certificates functionality is enabled. Please check the flags --enable-s
|
||||||
return false, nil, fmt.Errorf("Flags --publish-service and --publish-status-address are mutually exclusive")
|
return false, nil, fmt.Errorf("Flags --publish-service and --publish-status-address are mutually exclusive")
|
||||||
}
|
}
|
||||||
|
|
||||||
// LuaJIT is not available on arch s390x and ppc64le
|
|
||||||
disableLua := false
|
|
||||||
if runtime.GOARCH == "s390x" || runtime.GOARCH == "ppc64le" {
|
|
||||||
disableLua = true
|
|
||||||
if *dynamicConfigurationEnabled {
|
|
||||||
*dynamicConfigurationEnabled = false
|
|
||||||
glog.Warningf("LuaJIT is not available on s390x and ppc64le architectures: disabling dynamic configuration feature.")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
config := &controller.Configuration{
|
config := &controller.Configuration{
|
||||||
APIServerHost: *apiserverHost,
|
APIServerHost: *apiserverHost,
|
||||||
KubeConfigFile: *kubeConfigFile,
|
KubeConfigFile: *kubeConfigFile,
|
||||||
|
|
@ -240,8 +225,6 @@ dynamic certificates functionality is enabled. Please check the flags --enable-s
|
||||||
SortBackends: *sortBackends,
|
SortBackends: *sortBackends,
|
||||||
UseNodeInternalIP: *useNodeInternalIP,
|
UseNodeInternalIP: *useNodeInternalIP,
|
||||||
SyncRateLimit: *syncRateLimit,
|
SyncRateLimit: *syncRateLimit,
|
||||||
DynamicConfigurationEnabled: *dynamicConfigurationEnabled,
|
|
||||||
DisableLua: disableLua,
|
|
||||||
DynamicCertificatesEnabled: *dynamicCertificatesEnabled,
|
DynamicCertificatesEnabled: *dynamicCertificatesEnabled,
|
||||||
ListenPorts: &ngx_config.ListenPorts{
|
ListenPorts: &ngx_config.ListenPorts{
|
||||||
Default: *defServerPort,
|
Default: *defServerPort,
|
||||||
|
|
|
||||||
|
|
@ -44,8 +44,7 @@ func (n *NGINXController) Check(_ *http.Request) error {
|
||||||
return fmt.Errorf("ingress controller is not healthy")
|
return fmt.Errorf("ingress controller is not healthy")
|
||||||
}
|
}
|
||||||
|
|
||||||
if n.cfg.DynamicConfigurationEnabled {
|
res, err = http.Get(fmt.Sprintf("http://127.0.0.1:%v/is-dynamic-lb-initialized", n.cfg.ListenPorts.Status))
|
||||||
res, err := http.Get(fmt.Sprintf("http://127.0.0.1:%v/is-dynamic-lb-initialized", n.cfg.ListenPorts.Status))
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
@ -53,7 +52,6 @@ func (n *NGINXController) Check(_ *http.Request) error {
|
||||||
if res.StatusCode != 200 {
|
if res.StatusCode != 200 {
|
||||||
return fmt.Errorf("dynamic load balancer not started")
|
return fmt.Errorf("dynamic load balancer not started")
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
// check the nginx master process is running
|
// check the nginx master process is running
|
||||||
fs, err := proc.NewFS("/proc")
|
fs, err := proc.NewFS("/proc")
|
||||||
|
|
|
||||||
|
|
@ -702,9 +702,7 @@ type TemplateConfig struct {
|
||||||
RedirectServers map[string]string
|
RedirectServers map[string]string
|
||||||
ListenPorts *ListenPorts
|
ListenPorts *ListenPorts
|
||||||
PublishService *apiv1.Service
|
PublishService *apiv1.Service
|
||||||
DynamicConfigurationEnabled bool
|
|
||||||
DynamicCertificatesEnabled bool
|
DynamicCertificatesEnabled bool
|
||||||
DisableLua bool
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// ListenPorts describe the ports required to run the
|
// ListenPorts describe the ports required to run the
|
||||||
|
|
|
||||||
|
|
@ -86,10 +86,6 @@ type Configuration struct {
|
||||||
|
|
||||||
SyncRateLimit float32
|
SyncRateLimit float32
|
||||||
|
|
||||||
DynamicConfigurationEnabled bool
|
|
||||||
|
|
||||||
DisableLua bool
|
|
||||||
|
|
||||||
DynamicCertificatesEnabled bool
|
DynamicCertificatesEnabled bool
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -162,9 +158,7 @@ func (n *NGINXController) syncIngress(interface{}) error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
if n.cfg.DynamicConfigurationEnabled && n.IsDynamicConfigurationEnough(pcfg) {
|
if !n.IsDynamicConfigurationEnough(pcfg) {
|
||||||
glog.Infof("Changes handled by the dynamic configuration, skipping backend reload.")
|
|
||||||
} else {
|
|
||||||
glog.Infof("Configuration changes detected, backend reload required.")
|
glog.Infof("Configuration changes detected, backend reload required.")
|
||||||
|
|
||||||
hash, _ := hashstructure.Hash(pcfg, &hashstructure.HashOptions{
|
hash, _ := hashstructure.Hash(pcfg, &hashstructure.HashOptions{
|
||||||
|
|
@ -189,7 +183,6 @@ func (n *NGINXController) syncIngress(interface{}) error {
|
||||||
n.metricCollector.SetSSLExpireTime(servers)
|
n.metricCollector.SetSSLExpireTime(servers)
|
||||||
}
|
}
|
||||||
|
|
||||||
if n.cfg.DynamicConfigurationEnabled {
|
|
||||||
isFirstSync := n.runningConfig.Equal(&ingress.Configuration{})
|
isFirstSync := n.runningConfig.Equal(&ingress.Configuration{})
|
||||||
go func(isFirstSync bool) {
|
go func(isFirstSync bool) {
|
||||||
if isFirstSync {
|
if isFirstSync {
|
||||||
|
|
@ -205,7 +198,6 @@ func (n *NGINXController) syncIngress(interface{}) error {
|
||||||
glog.Warningf("Dynamic reconfiguration failed: %v", err)
|
glog.Warningf("Dynamic reconfiguration failed: %v", err)
|
||||||
}
|
}
|
||||||
}(isFirstSync)
|
}(isFirstSync)
|
||||||
}
|
|
||||||
|
|
||||||
ri := getRemovedIngresses(n.runningConfig, pcfg)
|
ri := getRemovedIngresses(n.runningConfig, pcfg)
|
||||||
re := getRemovedHosts(n.runningConfig, pcfg)
|
re := getRemovedHosts(n.runningConfig, pcfg)
|
||||||
|
|
|
||||||
|
|
@ -588,9 +588,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
|
||||||
IsSSLPassthroughEnabled: n.cfg.EnableSSLPassthrough,
|
IsSSLPassthroughEnabled: n.cfg.EnableSSLPassthrough,
|
||||||
ListenPorts: n.cfg.ListenPorts,
|
ListenPorts: n.cfg.ListenPorts,
|
||||||
PublishService: n.GetPublishService(),
|
PublishService: n.GetPublishService(),
|
||||||
DynamicConfigurationEnabled: n.cfg.DynamicConfigurationEnabled,
|
|
||||||
DynamicCertificatesEnabled: n.cfg.DynamicCertificatesEnabled,
|
DynamicCertificatesEnabled: n.cfg.DynamicCertificatesEnabled,
|
||||||
DisableLua: n.cfg.DisableLua,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
tc.Cfg.Checksum = ingressCfg.ConfigurationChecksum
|
tc.Cfg.Checksum = ingressCfg.ConfigurationChecksum
|
||||||
|
|
|
||||||
|
|
@ -183,24 +183,20 @@ func shouldConfigureLuaRestyWAF(disableLuaRestyWAF bool, mode string) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildLuaSharedDictionaries(s interface{}, dynamicConfigurationEnabled bool, disableLuaRestyWAF bool) string {
|
func buildLuaSharedDictionaries(s interface{}, disableLuaRestyWAF bool) string {
|
||||||
servers, ok := s.([]*ingress.Server)
|
servers, ok := s.([]*ingress.Server)
|
||||||
if !ok {
|
if !ok {
|
||||||
glog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s)
|
glog.Errorf("expected an '[]*ingress.Server' type but %T was returned", s)
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
out := []string{}
|
out := []string{
|
||||||
|
|
||||||
if dynamicConfigurationEnabled {
|
|
||||||
out = append(out,
|
|
||||||
"lua_shared_dict configuration_data 5M",
|
"lua_shared_dict configuration_data 5M",
|
||||||
"lua_shared_dict certificate_data 16M",
|
"lua_shared_dict certificate_data 16M",
|
||||||
"lua_shared_dict locks 512k",
|
"lua_shared_dict locks 512k",
|
||||||
"lua_shared_dict balancer_ewma 1M",
|
"lua_shared_dict balancer_ewma 1M",
|
||||||
"lua_shared_dict balancer_ewma_last_touched_at 1M",
|
"lua_shared_dict balancer_ewma_last_touched_at 1M",
|
||||||
"lua_shared_dict sticky_sessions 1M",
|
"lua_shared_dict sticky_sessions 1M",
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if !disableLuaRestyWAF {
|
if !disableLuaRestyWAF {
|
||||||
|
|
@ -424,7 +420,7 @@ func buildLoadBalancingConfig(b interface{}, fallbackLoadBalancing string) strin
|
||||||
// (specified through the nginx.ingress.kubernetes.io/rewrite-target annotation)
|
// (specified through the nginx.ingress.kubernetes.io/rewrite-target annotation)
|
||||||
// If the annotation nginx.ingress.kubernetes.io/add-base-url:"true" is specified it will
|
// If the annotation nginx.ingress.kubernetes.io/add-base-url:"true" is specified it will
|
||||||
// add a base tag in the head of the response from the service
|
// add a base tag in the head of the response from the service
|
||||||
func buildProxyPass(host string, b interface{}, loc interface{}, dynamicConfigurationEnabled bool) string {
|
func buildProxyPass(host string, b interface{}, loc interface{}) string {
|
||||||
backends, ok := b.([]*ingress.Backend)
|
backends, ok := b.([]*ingress.Backend)
|
||||||
if !ok {
|
if !ok {
|
||||||
glog.Errorf("expected an '[]*ingress.Backend' type but %T was returned", b)
|
glog.Errorf("expected an '[]*ingress.Backend' type but %T was returned", b)
|
||||||
|
|
@ -458,10 +454,6 @@ func buildProxyPass(host string, b interface{}, loc interface{}, dynamicConfigur
|
||||||
|
|
||||||
upstreamName := "upstream_balancer"
|
upstreamName := "upstream_balancer"
|
||||||
|
|
||||||
if !dynamicConfigurationEnabled {
|
|
||||||
upstreamName = location.Backend
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, backend := range backends {
|
for _, backend := range backends {
|
||||||
if backend.Name == location.Backend {
|
if backend.Name == location.Backend {
|
||||||
if backend.SSLPassthrough {
|
if backend.SSLPassthrough {
|
||||||
|
|
@ -472,10 +464,6 @@ func buildProxyPass(host string, b interface{}, loc interface{}, dynamicConfigur
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if !dynamicConfigurationEnabled && isSticky(host, location, backend.SessionAffinity.CookieSessionAffinity.Locations) {
|
|
||||||
upstreamName = fmt.Sprintf("sticky-%v", upstreamName)
|
|
||||||
}
|
|
||||||
|
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -709,14 +697,7 @@ func buildDenyVariable(a interface{}) string {
|
||||||
return fmt.Sprintf("$deny_%v", denyPathSlugMap[l])
|
return fmt.Sprintf("$deny_%v", denyPathSlugMap[l])
|
||||||
}
|
}
|
||||||
|
|
||||||
func buildUpstreamName(host string, b interface{}, loc interface{}, dynamicConfigurationEnabled bool) string {
|
func buildUpstreamName(loc interface{}) string {
|
||||||
|
|
||||||
backends, ok := b.([]*ingress.Backend)
|
|
||||||
if !ok {
|
|
||||||
glog.Errorf("expected an '[]*ingress.Backend' type but %T was returned", b)
|
|
||||||
return ""
|
|
||||||
}
|
|
||||||
|
|
||||||
location, ok := loc.(*ingress.Location)
|
location, ok := loc.(*ingress.Location)
|
||||||
if !ok {
|
if !ok {
|
||||||
glog.Errorf("expected a '*ingress.Location' type but %T was returned", loc)
|
glog.Errorf("expected a '*ingress.Location' type but %T was returned", loc)
|
||||||
|
|
@ -725,19 +706,6 @@ func buildUpstreamName(host string, b interface{}, loc interface{}, dynamicConfi
|
||||||
|
|
||||||
upstreamName := location.Backend
|
upstreamName := location.Backend
|
||||||
|
|
||||||
if !dynamicConfigurationEnabled {
|
|
||||||
for _, backend := range backends {
|
|
||||||
if backend.Name == location.Backend {
|
|
||||||
if backend.SessionAffinity.AffinityType == "cookie" &&
|
|
||||||
isSticky(host, location, backend.SessionAffinity.CookieSessionAffinity.Locations) {
|
|
||||||
upstreamName = fmt.Sprintf("sticky-%v", upstreamName)
|
|
||||||
}
|
|
||||||
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return upstreamName
|
return upstreamName
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -48,7 +48,6 @@ var (
|
||||||
BaseURLScheme string
|
BaseURLScheme string
|
||||||
Sticky bool
|
Sticky bool
|
||||||
XForwardedPrefix bool
|
XForwardedPrefix bool
|
||||||
DynamicConfigurationEnabled bool
|
|
||||||
SecureBackend bool
|
SecureBackend bool
|
||||||
enforceRegex bool
|
enforceRegex bool
|
||||||
}{
|
}{
|
||||||
|
|
@ -56,25 +55,11 @@ var (
|
||||||
"/",
|
"/",
|
||||||
"/",
|
"/",
|
||||||
"/",
|
"/",
|
||||||
"proxy_pass https://upstream-name;",
|
"proxy_pass https://upstream_balancer;",
|
||||||
false,
|
false,
|
||||||
"",
|
"",
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
|
||||||
false,
|
|
||||||
},
|
|
||||||
"when secure backend and stickeness enabled": {
|
|
||||||
"/",
|
|
||||||
"/",
|
|
||||||
"/",
|
|
||||||
"proxy_pass https://sticky-upstream-name;",
|
|
||||||
false,
|
|
||||||
"",
|
|
||||||
true,
|
|
||||||
false,
|
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
false,
|
false,
|
||||||
},
|
},
|
||||||
|
|
@ -88,8 +73,8 @@ var (
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
true,
|
true,
|
||||||
true,
|
false,
|
||||||
false},
|
},
|
||||||
"when secure backend, stickeness and dynamic config enabled": {
|
"when secure backend, stickeness and dynamic config enabled": {
|
||||||
"/",
|
"/",
|
||||||
"/",
|
"/",
|
||||||
|
|
@ -100,7 +85,6 @@ var (
|
||||||
true,
|
true,
|
||||||
false,
|
false,
|
||||||
true,
|
true,
|
||||||
true,
|
|
||||||
false,
|
false,
|
||||||
},
|
},
|
||||||
"invalid redirect / to / with dynamic config enabled": {
|
"invalid redirect / to / with dynamic config enabled": {
|
||||||
|
|
@ -112,7 +96,6 @@ var (
|
||||||
"",
|
"",
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
true,
|
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
},
|
},
|
||||||
|
|
@ -120,14 +103,13 @@ var (
|
||||||
"/",
|
"/",
|
||||||
"/",
|
"/",
|
||||||
"/",
|
"/",
|
||||||
"proxy_pass http://upstream-name;",
|
"proxy_pass http://upstream_balancer;",
|
||||||
false,
|
false,
|
||||||
"",
|
"",
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
},
|
},
|
||||||
"redirect / to /jenkins": {
|
"redirect / to /jenkins": {
|
||||||
"/",
|
"/",
|
||||||
|
|
@ -136,14 +118,13 @@ var (
|
||||||
`
|
`
|
||||||
rewrite "(?i)/(.*)" /jenkins/$1 break;
|
rewrite "(?i)/(.*)" /jenkins/$1 break;
|
||||||
rewrite "(?i)/$" /jenkins/ break;
|
rewrite "(?i)/$" /jenkins/ break;
|
||||||
proxy_pass http://upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
`,
|
`,
|
||||||
false,
|
false,
|
||||||
"",
|
"",
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect /something to /": {
|
"redirect /something to /": {
|
||||||
|
|
@ -153,14 +134,13 @@ proxy_pass http://upstream-name;
|
||||||
`
|
`
|
||||||
rewrite "(?i)/something/(.*)" /$1 break;
|
rewrite "(?i)/something/(.*)" /$1 break;
|
||||||
rewrite "(?i)/something$" / break;
|
rewrite "(?i)/something$" / break;
|
||||||
proxy_pass http://upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
`,
|
`,
|
||||||
false,
|
false,
|
||||||
"",
|
"",
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect /end-with-slash/ to /not-root": {
|
"redirect /end-with-slash/ to /not-root": {
|
||||||
|
|
@ -170,14 +150,13 @@ proxy_pass http://upstream-name;
|
||||||
`
|
`
|
||||||
rewrite "(?i)/end-with-slash/(.*)" /not-root/$1 break;
|
rewrite "(?i)/end-with-slash/(.*)" /not-root/$1 break;
|
||||||
rewrite "(?i)/end-with-slash/$" /not-root/ break;
|
rewrite "(?i)/end-with-slash/$" /not-root/ break;
|
||||||
proxy_pass http://upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
`,
|
`,
|
||||||
false,
|
false,
|
||||||
"",
|
"",
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect /something-complex to /not-root": {
|
"redirect /something-complex to /not-root": {
|
||||||
|
|
@ -187,14 +166,13 @@ proxy_pass http://upstream-name;
|
||||||
`
|
`
|
||||||
rewrite "(?i)/something-complex/(.*)" /not-root/$1 break;
|
rewrite "(?i)/something-complex/(.*)" /not-root/$1 break;
|
||||||
rewrite "(?i)/something-complex$" /not-root/ break;
|
rewrite "(?i)/something-complex$" /not-root/ break;
|
||||||
proxy_pass http://upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
`,
|
`,
|
||||||
false,
|
false,
|
||||||
"",
|
"",
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect / to /jenkins and rewrite": {
|
"redirect / to /jenkins and rewrite": {
|
||||||
|
|
@ -204,7 +182,7 @@ proxy_pass http://upstream-name;
|
||||||
`
|
`
|
||||||
rewrite "(?i)/(.*)" /jenkins/$1 break;
|
rewrite "(?i)/(.*)" /jenkins/$1 break;
|
||||||
rewrite "(?i)/$" /jenkins/ break;
|
rewrite "(?i)/$" /jenkins/ break;
|
||||||
proxy_pass http://upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
|
|
||||||
set_escape_uri $escaped_base_uri $baseuri;
|
set_escape_uri $escaped_base_uri $baseuri;
|
||||||
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/$escaped_base_uri">' ro;
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/$escaped_base_uri">' ro;
|
||||||
|
|
@ -214,7 +192,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect /something to / and rewrite": {
|
"redirect /something to / and rewrite": {
|
||||||
|
|
@ -224,7 +201,7 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
`
|
`
|
||||||
rewrite "(?i)/something/(.*)" /$1 break;
|
rewrite "(?i)/something/(.*)" /$1 break;
|
||||||
rewrite "(?i)/something$" / break;
|
rewrite "(?i)/something$" / break;
|
||||||
proxy_pass http://upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
|
|
||||||
set_escape_uri $escaped_base_uri $baseuri;
|
set_escape_uri $escaped_base_uri $baseuri;
|
||||||
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something/$escaped_base_uri">' ro;
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something/$escaped_base_uri">' ro;
|
||||||
|
|
@ -234,7 +211,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect /end-with-slash/ to /not-root and rewrite": {
|
"redirect /end-with-slash/ to /not-root and rewrite": {
|
||||||
|
|
@ -244,7 +220,7 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
`
|
`
|
||||||
rewrite "(?i)/end-with-slash/(.*)" /not-root/$1 break;
|
rewrite "(?i)/end-with-slash/(.*)" /not-root/$1 break;
|
||||||
rewrite "(?i)/end-with-slash/$" /not-root/ break;
|
rewrite "(?i)/end-with-slash/$" /not-root/ break;
|
||||||
proxy_pass http://upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
|
|
||||||
set_escape_uri $escaped_base_uri $baseuri;
|
set_escape_uri $escaped_base_uri $baseuri;
|
||||||
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/end-with-slash/$escaped_base_uri">' ro;
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/end-with-slash/$escaped_base_uri">' ro;
|
||||||
|
|
@ -254,7 +230,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect /something-complex to /not-root and rewrite": {
|
"redirect /something-complex to /not-root and rewrite": {
|
||||||
|
|
@ -264,7 +239,7 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
`
|
`
|
||||||
rewrite "(?i)/something-complex/(.*)" /not-root/$1 break;
|
rewrite "(?i)/something-complex/(.*)" /not-root/$1 break;
|
||||||
rewrite "(?i)/something-complex$" /not-root/ break;
|
rewrite "(?i)/something-complex$" /not-root/ break;
|
||||||
proxy_pass http://upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
|
|
||||||
set_escape_uri $escaped_base_uri $baseuri;
|
set_escape_uri $escaped_base_uri $baseuri;
|
||||||
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something-complex/$escaped_base_uri">' ro;
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something-complex/$escaped_base_uri">' ro;
|
||||||
|
|
@ -274,7 +249,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect /something to / and rewrite with specific scheme": {
|
"redirect /something to / and rewrite with specific scheme": {
|
||||||
|
|
@ -284,7 +258,7 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
`
|
`
|
||||||
rewrite "(?i)/something/(.*)" /$1 break;
|
rewrite "(?i)/something/(.*)" /$1 break;
|
||||||
rewrite "(?i)/something$" / break;
|
rewrite "(?i)/something$" / break;
|
||||||
proxy_pass http://upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
|
|
||||||
set_escape_uri $escaped_base_uri $baseuri;
|
set_escape_uri $escaped_base_uri $baseuri;
|
||||||
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="http://$http_host/something/$escaped_base_uri">' ro;
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="http://$http_host/something/$escaped_base_uri">' ro;
|
||||||
|
|
@ -294,7 +268,6 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect / to /something with sticky enabled": {
|
"redirect / to /something with sticky enabled": {
|
||||||
|
|
@ -304,14 +277,13 @@ subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="
|
||||||
`
|
`
|
||||||
rewrite "(?i)/(.*)" /something/$1 break;
|
rewrite "(?i)/(.*)" /something/$1 break;
|
||||||
rewrite "(?i)/$" /something/ break;
|
rewrite "(?i)/$" /something/ break;
|
||||||
proxy_pass http://sticky-upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
`,
|
`,
|
||||||
false,
|
false,
|
||||||
"http",
|
"http",
|
||||||
true,
|
true,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"redirect / to /something with sticky and dynamic config enabled": {
|
"redirect / to /something with sticky and dynamic config enabled": {
|
||||||
|
|
@ -327,7 +299,6 @@ proxy_pass http://upstream_balancer;
|
||||||
"http",
|
"http",
|
||||||
true,
|
true,
|
||||||
false,
|
false,
|
||||||
true,
|
|
||||||
false,
|
false,
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
|
|
@ -339,27 +310,25 @@ proxy_pass http://upstream_balancer;
|
||||||
rewrite "(?i)/there/(.*)" /something/$1 break;
|
rewrite "(?i)/there/(.*)" /something/$1 break;
|
||||||
rewrite "(?i)/there$" /something/ break;
|
rewrite "(?i)/there$" /something/ break;
|
||||||
proxy_set_header X-Forwarded-Prefix "/there/";
|
proxy_set_header X-Forwarded-Prefix "/there/";
|
||||||
proxy_pass http://sticky-upstream-name;
|
proxy_pass http://upstream_balancer;
|
||||||
`,
|
`,
|
||||||
false,
|
false,
|
||||||
"http",
|
"http",
|
||||||
true,
|
true,
|
||||||
true,
|
true,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
"use ~* location modifier when ingress does not use rewrite/regex target but at least one other ingress does": {
|
"use ~* location modifier when ingress does not use rewrite/regex target but at least one other ingress does": {
|
||||||
"/something",
|
"/something",
|
||||||
"/something",
|
"/something",
|
||||||
`~* "^/something"`,
|
`~* "^/something"`,
|
||||||
"proxy_pass http://upstream-name;",
|
"proxy_pass http://upstream_balancer;",
|
||||||
false,
|
false,
|
||||||
"",
|
"",
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
false,
|
||||||
false,
|
|
||||||
true,
|
true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
@ -377,11 +346,7 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
config := buildLuaSharedDictionaries(servers, false, false)
|
config := buildLuaSharedDictionaries(servers, false)
|
||||||
if config != "" {
|
|
||||||
t.Errorf("expected to not configure any lua shared dictionary, but generated %s", config)
|
|
||||||
}
|
|
||||||
config = buildLuaSharedDictionaries(servers, true, false)
|
|
||||||
if !strings.Contains(config, "lua_shared_dict configuration_data") {
|
if !strings.Contains(config, "lua_shared_dict configuration_data") {
|
||||||
t.Errorf("expected to include 'configuration_data' but got %s", config)
|
t.Errorf("expected to include 'configuration_data' but got %s", config)
|
||||||
}
|
}
|
||||||
|
|
@ -390,19 +355,10 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
servers[1].Locations[0].LuaRestyWAF = luarestywaf.Config{Mode: "ACTIVE"}
|
servers[1].Locations[0].LuaRestyWAF = luarestywaf.Config{Mode: "ACTIVE"}
|
||||||
config = buildLuaSharedDictionaries(servers, false, false)
|
config = buildLuaSharedDictionaries(servers, false)
|
||||||
if !strings.Contains(config, "lua_shared_dict waf_storage") {
|
if !strings.Contains(config, "lua_shared_dict waf_storage") {
|
||||||
t.Errorf("expected to configure 'waf_storage', but got %s", config)
|
t.Errorf("expected to configure 'waf_storage', but got %s", config)
|
||||||
}
|
}
|
||||||
config = buildLuaSharedDictionaries(servers, true, false)
|
|
||||||
if !strings.Contains(config, "lua_shared_dict waf_storage") {
|
|
||||||
t.Errorf("expected to configure 'waf_storage', but got %s", config)
|
|
||||||
}
|
|
||||||
|
|
||||||
config = buildLuaSharedDictionaries(servers, false, true)
|
|
||||||
if config != "" {
|
|
||||||
t.Errorf("expected to not configure any lua shared dictionary, but generated %s", config)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestFormatIP(t *testing.T) {
|
func TestFormatIP(t *testing.T) {
|
||||||
|
|
@ -471,7 +427,7 @@ func TestBuildProxyPass(t *testing.T) {
|
||||||
|
|
||||||
backends := []*ingress.Backend{backend}
|
backends := []*ingress.Backend{backend}
|
||||||
|
|
||||||
pp := buildProxyPass(defaultHost, backends, loc, tc.DynamicConfigurationEnabled)
|
pp := buildProxyPass(defaultHost, backends, loc)
|
||||||
if !strings.EqualFold(tc.ProxyPass, pp) {
|
if !strings.EqualFold(tc.ProxyPass, pp) {
|
||||||
t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, tc.ProxyPass, pp)
|
t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, tc.ProxyPass, pp)
|
||||||
}
|
}
|
||||||
|
|
@ -836,10 +792,6 @@ func TestBuildUpstreamName(t *testing.T) {
|
||||||
expected := defaultBackend
|
expected := defaultBackend
|
||||||
|
|
||||||
if tc.Sticky {
|
if tc.Sticky {
|
||||||
if !tc.DynamicConfigurationEnabled {
|
|
||||||
expected = fmt.Sprintf("sticky-" + expected)
|
|
||||||
}
|
|
||||||
|
|
||||||
backend.SessionAffinity = ingress.SessionAffinityConfig{
|
backend.SessionAffinity = ingress.SessionAffinityConfig{
|
||||||
AffinityType: "cookie",
|
AffinityType: "cookie",
|
||||||
CookieSessionAffinity: ingress.CookieSessionAffinity{
|
CookieSessionAffinity: ingress.CookieSessionAffinity{
|
||||||
|
|
@ -850,9 +802,7 @@ func TestBuildUpstreamName(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
backends := []*ingress.Backend{backend}
|
pp := buildUpstreamName(loc)
|
||||||
|
|
||||||
pp := buildUpstreamName(defaultHost, backends, loc, tc.DynamicConfigurationEnabled)
|
|
||||||
if !strings.EqualFold(expected, pp) {
|
if !strings.EqualFold(expected, pp) {
|
||||||
t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, expected, pp)
|
t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, expected, pp)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -46,11 +46,10 @@ events {
|
||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
{{ if not $all.DisableLua }}
|
|
||||||
lua_package_cpath "/usr/local/lib/lua/?.so;/usr/lib/lua-platform-path/lua/5.1/?.so;;";
|
lua_package_cpath "/usr/local/lib/lua/?.so;/usr/lib/lua-platform-path/lua/5.1/?.so;;";
|
||||||
lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;/usr/local/lib/lua/?.lua;;";
|
lua_package_path "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;/usr/local/lib/lua/?.lua;;";
|
||||||
|
|
||||||
{{ buildLuaSharedDictionaries $servers $all.DynamicConfigurationEnabled $all.Cfg.DisableLuaRestyWAF }}
|
{{ buildLuaSharedDictionaries $servers $all.Cfg.DisableLuaRestyWAF }}
|
||||||
|
|
||||||
init_by_lua_block {
|
init_by_lua_block {
|
||||||
require("resty.core")
|
require("resty.core")
|
||||||
|
|
@ -59,7 +58,6 @@ http {
|
||||||
local lua_resty_waf = require("resty.waf")
|
local lua_resty_waf = require("resty.waf")
|
||||||
lua_resty_waf.init()
|
lua_resty_waf.init()
|
||||||
|
|
||||||
{{ if $all.DynamicConfigurationEnabled }}
|
|
||||||
-- init modules
|
-- init modules
|
||||||
local ok, res
|
local ok, res
|
||||||
|
|
||||||
|
|
@ -77,7 +75,6 @@ http {
|
||||||
else
|
else
|
||||||
balancer = res
|
balancer = res
|
||||||
end
|
end
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
ok, res = pcall(require, "monitor")
|
ok, res = pcall(require, "monitor")
|
||||||
if not ok then
|
if not ok then
|
||||||
|
|
@ -96,13 +93,10 @@ http {
|
||||||
{{ end }}
|
{{ end }}
|
||||||
}
|
}
|
||||||
|
|
||||||
{{ if $all.DynamicConfigurationEnabled }}
|
|
||||||
init_worker_by_lua_block {
|
init_worker_by_lua_block {
|
||||||
balancer.init_worker()
|
balancer.init_worker()
|
||||||
monitor.init_worker()
|
monitor.init_worker()
|
||||||
}
|
}
|
||||||
{{ end }}
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
|
{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
|
||||||
{{/* we use the value of the real IP for the geo_ip module */}}
|
{{/* we use the value of the real IP for the geo_ip module */}}
|
||||||
|
|
@ -407,35 +401,6 @@ http {
|
||||||
{{ $cfg.HTTPSnippet }}
|
{{ $cfg.HTTPSnippet }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
{{ if not $all.DynamicConfigurationEnabled }}
|
|
||||||
{{ range $upstream := $backends }}
|
|
||||||
{{ if eq $upstream.SessionAffinity.AffinityType "cookie" }}
|
|
||||||
upstream sticky-{{ $upstream.Name }} {
|
|
||||||
sticky hash={{ $upstream.SessionAffinity.CookieSessionAffinity.Hash }} name={{ $upstream.SessionAffinity.CookieSessionAffinity.Name }}{{if eq (len $upstream.SessionAffinity.CookieSessionAffinity.Locations) 1 }}{{ range $locationName, $locationPaths := $upstream.SessionAffinity.CookieSessionAffinity.Locations }}{{ if eq (len $locationPaths) 1 }} path={{ index $locationPaths 0 }}{{ end }}{{ end }}{{ end }} httponly;
|
|
||||||
|
|
||||||
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
|
|
||||||
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
{{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }};
|
|
||||||
{{ end }}
|
|
||||||
}
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
upstream {{ $upstream.Name }} {
|
|
||||||
{{ buildLoadBalancingConfig $upstream $cfg.LoadBalanceAlgorithm }}
|
|
||||||
|
|
||||||
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
|
|
||||||
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
{{ range $server := $upstream.Endpoints }}server {{ $server.Address | formatIP }}:{{ $server.Port }};
|
|
||||||
{{ end }}
|
|
||||||
}
|
|
||||||
{{ end }}
|
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
{{ if $all.DynamicConfigurationEnabled }}
|
|
||||||
upstream upstream_balancer {
|
upstream upstream_balancer {
|
||||||
server 0.0.0.1; # placeholder
|
server 0.0.0.1; # placeholder
|
||||||
|
|
||||||
|
|
@ -447,7 +412,6 @@ http {
|
||||||
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
|
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
|
||||||
{{ end }}
|
{{ end }}
|
||||||
}
|
}
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
{{/* build the maps that will be use to validate the Whitelist */}}
|
{{/* build the maps that will be use to validate the Whitelist */}}
|
||||||
{{ range $server := $servers }}
|
{{ range $server := $servers }}
|
||||||
|
|
@ -619,7 +583,7 @@ http {
|
||||||
access_log off;
|
access_log off;
|
||||||
return 200;
|
return 200;
|
||||||
}
|
}
|
||||||
{{ if not $all.DisableLua }}
|
|
||||||
location /is-dynamic-lb-initialized {
|
location /is-dynamic-lb-initialized {
|
||||||
{{ if $cfg.EnableOpentracing }}
|
{{ if $cfg.EnableOpentracing }}
|
||||||
opentracing off;
|
opentracing off;
|
||||||
|
|
@ -638,7 +602,7 @@ http {
|
||||||
ngx.exit(ngx.HTTP_OK)
|
ngx.exit(ngx.HTTP_OK)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
{{ end }}
|
|
||||||
location /nginx_status {
|
location /nginx_status {
|
||||||
set $proxy_upstream_name "internal";
|
set $proxy_upstream_name "internal";
|
||||||
{{ if $cfg.EnableOpentracing }}
|
{{ if $cfg.EnableOpentracing }}
|
||||||
|
|
@ -648,7 +612,7 @@ http {
|
||||||
access_log off;
|
access_log off;
|
||||||
stub_status on;
|
stub_status on;
|
||||||
}
|
}
|
||||||
{{ if $all.DynamicConfigurationEnabled }}
|
|
||||||
location /configuration {
|
location /configuration {
|
||||||
access_log off;
|
access_log off;
|
||||||
{{ if $cfg.EnableOpentracing }}
|
{{ if $cfg.EnableOpentracing }}
|
||||||
|
|
@ -669,18 +633,15 @@ http {
|
||||||
configuration.call()
|
configuration.call()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
{{ end }}
|
|
||||||
location / {
|
location / {
|
||||||
{{ if .CustomErrors }}
|
{{ if .CustomErrors }}
|
||||||
proxy_set_header X-Code 404;
|
proxy_set_header X-Code 404;
|
||||||
{{ end }}
|
{{ end }}
|
||||||
set $proxy_upstream_name "upstream-default-backend";
|
set $proxy_upstream_name "upstream-default-backend";
|
||||||
proxy_set_header Host $best_http_host;
|
proxy_set_header Host $best_http_host;
|
||||||
{{ if $all.DynamicConfigurationEnabled }}
|
|
||||||
proxy_pass http://upstream_balancer;
|
proxy_pass http://upstream_balancer;
|
||||||
{{ else }}
|
|
||||||
proxy_pass http://upstream-default-backend;
|
|
||||||
{{ end }}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
{{ template "CUSTOM_ERRORS" $all }}
|
{{ template "CUSTOM_ERRORS" $all }}
|
||||||
|
|
@ -701,9 +662,7 @@ stream {
|
||||||
|
|
||||||
{{/* definition of templates to avoid repetitions */}}
|
{{/* definition of templates to avoid repetitions */}}
|
||||||
{{ define "CUSTOM_ERRORS" }}
|
{{ define "CUSTOM_ERRORS" }}
|
||||||
{{ $dynamicConfig := .DynamicConfigurationEnabled}}
|
|
||||||
{{ $proxySetHeaders := .ProxySetHeaders }}
|
{{ $proxySetHeaders := .ProxySetHeaders }}
|
||||||
{{ $isLuaDisabled := .DisableLua }}
|
|
||||||
{{ range $errCode := .Cfg.CustomHTTPErrors }}
|
{{ range $errCode := .Cfg.CustomHTTPErrors }}
|
||||||
location @custom_{{ $errCode }} {
|
location @custom_{{ $errCode }} {
|
||||||
internal;
|
internal;
|
||||||
|
|
@ -723,16 +682,10 @@ stream {
|
||||||
|
|
||||||
rewrite (.*) / break;
|
rewrite (.*) / break;
|
||||||
|
|
||||||
{{ if $dynamicConfig }}
|
|
||||||
proxy_pass http://upstream_balancer;
|
proxy_pass http://upstream_balancer;
|
||||||
{{ else }}
|
|
||||||
proxy_pass http://upstream-default-backend;
|
|
||||||
{{ end }}
|
|
||||||
{{ if not $isLuaDisabled }}
|
|
||||||
log_by_lua_block {
|
log_by_lua_block {
|
||||||
monitor.call()
|
monitor.call()
|
||||||
}
|
}
|
||||||
{{ end }}
|
|
||||||
}
|
}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
@ -802,7 +755,7 @@ stream {
|
||||||
ssl_stapling_verify on;
|
ssl_stapling_verify on;
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
{{ if and (not $all.DisableLua) $all.DynamicCertificatesEnabled}}
|
{{ if $all.DynamicCertificatesEnabled}}
|
||||||
ssl_certificate_by_lua_block {
|
ssl_certificate_by_lua_block {
|
||||||
certificate.call()
|
certificate.call()
|
||||||
}
|
}
|
||||||
|
|
@ -851,7 +804,7 @@ stream {
|
||||||
# ngx_auth_request module overrides variables in the parent request,
|
# ngx_auth_request module overrides variables in the parent request,
|
||||||
# therefore we have to explicitly set this variable again so that when the parent request
|
# therefore we have to explicitly set this variable again so that when the parent request
|
||||||
# resumes it has the correct value set for this variable so that Lua can pick backend correctly
|
# resumes it has the correct value set for this variable so that Lua can pick backend correctly
|
||||||
set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location $all.DynamicConfigurationEnabled }}";
|
set $proxy_upstream_name "{{ buildUpstreamName $location }}";
|
||||||
|
|
||||||
proxy_pass_request_body off;
|
proxy_pass_request_body off;
|
||||||
proxy_set_header Content-Length "";
|
proxy_set_header Content-Length "";
|
||||||
|
|
@ -919,11 +872,8 @@ stream {
|
||||||
opentracing_propagate_context;
|
opentracing_propagate_context;
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
{{ if not $all.DisableLua }}
|
|
||||||
rewrite_by_lua_block {
|
rewrite_by_lua_block {
|
||||||
{{ if $all.DynamicConfigurationEnabled}}
|
|
||||||
balancer.rewrite()
|
balancer.rewrite()
|
||||||
{{ end }}
|
|
||||||
}
|
}
|
||||||
{{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }}
|
{{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }}
|
||||||
access_by_lua_block {
|
access_by_lua_block {
|
||||||
|
|
@ -964,17 +914,14 @@ stream {
|
||||||
local waf = lua_resty_waf:new()
|
local waf = lua_resty_waf:new()
|
||||||
waf:exec()
|
waf:exec()
|
||||||
}
|
}
|
||||||
{{ end }}
|
|
||||||
log_by_lua_block {
|
log_by_lua_block {
|
||||||
{{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }}
|
{{ if shouldConfigureLuaRestyWAF $all.Cfg.DisableLuaRestyWAF $location.LuaRestyWAF.Mode }}
|
||||||
local lua_resty_waf = require "resty.waf"
|
local lua_resty_waf = require "resty.waf"
|
||||||
local waf = lua_resty_waf:new()
|
local waf = lua_resty_waf:new()
|
||||||
waf:exec()
|
waf:exec()
|
||||||
{{ end }}
|
{{ end }}
|
||||||
{{ if $all.DynamicConfigurationEnabled}}
|
|
||||||
balancer.log()
|
balancer.log()
|
||||||
{{ end }}
|
|
||||||
|
|
||||||
monitor.call()
|
monitor.call()
|
||||||
}
|
}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
@ -996,7 +943,7 @@ stream {
|
||||||
|
|
||||||
port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
|
port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
|
||||||
|
|
||||||
set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location $all.DynamicConfigurationEnabled }}";
|
set $proxy_upstream_name "{{ buildUpstreamName $location }}";
|
||||||
|
|
||||||
{{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
|
{{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
|
||||||
{{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCert.PemFileName)) $location.Rewrite.SSLRedirect)) }}
|
{{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCert.PemFileName)) $location.Rewrite.SSLRedirect)) }}
|
||||||
|
|
@ -1176,7 +1123,7 @@ stream {
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
{{ if not (empty $location.Backend) }}
|
{{ if not (empty $location.Backend) }}
|
||||||
{{ buildProxyPass $server.Hostname $all.Backends $location $all.DynamicConfigurationEnabled }}
|
{{ buildProxyPass $server.Hostname $all.Backends $location }}
|
||||||
{{ if (or (eq $location.Proxy.ProxyRedirectFrom "default") (eq $location.Proxy.ProxyRedirectFrom "off")) }}
|
{{ if (or (eq $location.Proxy.ProxyRedirectFrom "default") (eq $location.Proxy.ProxyRedirectFrom "off")) }}
|
||||||
proxy_redirect {{ $location.Proxy.ProxyRedirectFrom }};
|
proxy_redirect {{ $location.Proxy.ProxyRedirectFrom }};
|
||||||
{{ else if not (eq $location.Proxy.ProxyRedirectTo "off") }}
|
{{ else if not (eq $location.Proxy.ProxyRedirectTo "off") }}
|
||||||
|
|
|
||||||
|
|
@ -16,22 +16,13 @@ limitations under the License.
|
||||||
|
|
||||||
package annotations
|
package annotations
|
||||||
|
|
||||||
|
/*
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
"net/http"
|
|
||||||
"strings"
|
|
||||||
|
|
||||||
. "github.com/onsi/ginkgo"
|
. "github.com/onsi/ginkgo"
|
||||||
. "github.com/onsi/gomega"
|
. "github.com/onsi/gomega"
|
||||||
"github.com/parnurzeal/gorequest"
|
|
||||||
|
|
||||||
v1beta1 "k8s.io/api/extensions/v1beta1"
|
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
||||||
"k8s.io/apimachinery/pkg/util/intstr"
|
|
||||||
|
|
||||||
"k8s.io/ingress-nginx/test/e2e/framework"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
// TODO(elvinefendi) merge this with Affinity tests in test/e2e/lua/dynamic_configuration.go
|
// TODO(elvinefendi) merge this with Affinity tests in test/e2e/lua/dynamic_configuration.go
|
||||||
var _ = framework.IngressNginxDescribe("Annotations - Affinity", func() {
|
var _ = framework.IngressNginxDescribe("Annotations - Affinity", func() {
|
||||||
f := framework.NewDefaultFramework("affinity")
|
f := framework.NewDefaultFramework("affinity")
|
||||||
|
|
@ -266,3 +257,4 @@ var _ = framework.IngressNginxDescribe("Annotations - Affinity", func() {
|
||||||
Expect(resp.Header.Get("Set-Cookie")).Should(ContainSubstring("Path=/;"))
|
Expect(resp.Header.Get("Set-Cookie")).Should(ContainSubstring("Path=/;"))
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
*/
|
||||||
|
|
|
||||||
|
|
@ -438,19 +438,3 @@ func newSingleIngress(name, path, host, ns, service string, port int, annotation
|
||||||
|
|
||||||
return ing
|
return ing
|
||||||
}
|
}
|
||||||
|
|
||||||
// DisableDynamicConfiguration disables dynamic configuration
|
|
||||||
func (f *Framework) DisableDynamicConfiguration() error {
|
|
||||||
return UpdateDeployment(f.KubeClientSet, f.IngressController.Namespace, "nginx-ingress-controller", 1,
|
|
||||||
func(deployment *appsv1beta1.Deployment) error {
|
|
||||||
args := deployment.Spec.Template.Spec.Containers[0].Args
|
|
||||||
args = append(args, "--enable-dynamic-configuration=false")
|
|
||||||
deployment.Spec.Template.Spec.Containers[0].Args = args
|
|
||||||
_, err := f.KubeClientSet.AppsV1beta1().Deployments(f.IngressController.Namespace).Update(deployment)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
|
||||||
})
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -110,7 +110,6 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() {
|
||||||
By("skipping Nginx reload")
|
By("skipping Nginx reload")
|
||||||
Expect(restOfLogs).ToNot(ContainSubstring(logRequireBackendReload))
|
Expect(restOfLogs).ToNot(ContainSubstring(logRequireBackendReload))
|
||||||
Expect(restOfLogs).ToNot(ContainSubstring(logBackendReloadSuccess))
|
Expect(restOfLogs).ToNot(ContainSubstring(logBackendReloadSuccess))
|
||||||
Expect(restOfLogs).To(ContainSubstring(logSkipBackendReload))
|
|
||||||
})
|
})
|
||||||
|
|
||||||
Context("given an ingress with TLS correctly configured", func() {
|
Context("given an ingress with TLS correctly configured", func() {
|
||||||
|
|
@ -181,7 +180,6 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() {
|
||||||
By("skipping Nginx reload")
|
By("skipping Nginx reload")
|
||||||
Expect(restOfLogs).ToNot(ContainSubstring(logRequireBackendReload))
|
Expect(restOfLogs).ToNot(ContainSubstring(logRequireBackendReload))
|
||||||
Expect(restOfLogs).ToNot(ContainSubstring(logBackendReloadSuccess))
|
Expect(restOfLogs).ToNot(ContainSubstring(logBackendReloadSuccess))
|
||||||
Expect(restOfLogs).To(ContainSubstring(logSkipBackendReload))
|
|
||||||
})
|
})
|
||||||
|
|
||||||
It("falls back to using default certificate when secret gets deleted without reloading", func() {
|
It("falls back to using default certificate when secret gets deleted without reloading", func() {
|
||||||
|
|
@ -217,7 +215,6 @@ var _ = framework.IngressNginxDescribe("Dynamic Certificate", func() {
|
||||||
By("skipping Nginx reload")
|
By("skipping Nginx reload")
|
||||||
Expect(restOfLogs).ToNot(ContainSubstring(logRequireBackendReload))
|
Expect(restOfLogs).ToNot(ContainSubstring(logRequireBackendReload))
|
||||||
Expect(restOfLogs).ToNot(ContainSubstring(logBackendReloadSuccess))
|
Expect(restOfLogs).ToNot(ContainSubstring(logBackendReloadSuccess))
|
||||||
Expect(restOfLogs).To(ContainSubstring(logSkipBackendReload))
|
|
||||||
})
|
})
|
||||||
|
|
||||||
It("picks up a non-certificate only change", func() {
|
It("picks up a non-certificate only change", func() {
|
||||||
|
|
|
||||||
|
|
@ -39,7 +39,6 @@ const (
|
||||||
logDynamicConfigFailure = "Dynamic reconfiguration failed"
|
logDynamicConfigFailure = "Dynamic reconfiguration failed"
|
||||||
logRequireBackendReload = "Configuration changes detected, backend reload required"
|
logRequireBackendReload = "Configuration changes detected, backend reload required"
|
||||||
logBackendReloadSuccess = "Backend successfully reloaded"
|
logBackendReloadSuccess = "Backend successfully reloaded"
|
||||||
logSkipBackendReload = "Changes handled by the dynamic configuration, skipping backend reload"
|
|
||||||
logInitialConfigSync = "Initial synchronization of the NGINX configuration"
|
logInitialConfigSync = "Initial synchronization of the NGINX configuration"
|
||||||
waitForLuaSync = 5 * time.Second
|
waitForLuaSync = 5 * time.Second
|
||||||
)
|
)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue