Merge branch 'kubernetes:main' into feature/topology_zones

Tomas Hulata 2023-01-06 00:55:32 +01:00 committed by GitHub
commit 78f277f021
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
23 changed files with 400 additions and 49 deletions


@ -75,6 +75,63 @@ jobs:
# G307 TODO: Deferring unsafe method "Close"
args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ ./...
lint:
runs-on: ubuntu-latest
needs: changes
if: |
(needs.changes.outputs.go == 'true')
steps:
- name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Set up Go
id: go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: '1.19'
check-latest: true
- name: Run Lint
run: ./hack/verify-golint.sh
gofmt:
runs-on: ubuntu-latest
needs: changes
if: |
(needs.changes.outputs.go == 'true')
steps:
- name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Set up Go
id: go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: '1.19'
check-latest: true
- name: Run go-fmt
run: ./hack/verify-gofmt.sh
test-go:
runs-on: ubuntu-latest
needs: changes
if: |
(needs.changes.outputs.go == 'true')
steps:
- name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Set up Go
id: go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: '1.19'
check-latest: true
- name: Run test
run: make test
build:
name: Build
runs-on: ubuntu-latest
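Review bot: The three new jobs (`lint`, `gofmt`, `test-go`) declare no `permissions:` block, so they run with whatever token scope the workflow or repository default grants. The top of the workflow is outside this hunk, so confirm that a workflow-level `permissions:` with `contents: read` exists, or add it per job; the jobs only check out code and run local scripts, so read-only access should be enough. The checkout and setup-go steps are repeated verbatim three times, and a matrix over the command to run would keep the pinned action SHAs in one place.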


@ -1,5 +1,7 @@
# Changelog
All New change are in [Changelog](./changelog)
### 1.5.1
* Upgrade NGINX to 1.21.6


@ -141,6 +141,7 @@ test: ## Run go unit tests.
COMMIT_SHA=$(COMMIT_SHA) \
REPO_INFO=$(REPO_INFO) \
TAG=$(TAG) \
GOFLAGS="-buildvcs=false" \
test/test.sh
.PHONY: lua-test


@ -38,6 +38,7 @@ the versions listed. Ingress-Nginx versions may work on older versions but the p
| Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version |
|-----------------------|------------------------------|----------------|---------------|
| v1.5.2 | 1.26, 1.25, 1.24, 1.23 | 3.17.2 | 1.21.6 |
| v1.5.1 | 1.25, 1.24, 1.23 | 3.16.2 | 1.21.6 |
| v1.4.0 | 1.25, 1.24, 1.23, 1.22 | 3.16.2 | 1.19.10† |
| v1.3.1 | 1.24, 1.23, 1.22, 1.21, 1.20 | 3.16.2 | 1.19.10† |


@ -89,7 +89,7 @@ Promoting the images basically means that images, that were pushed to staging co
- The sha is also visible here https://console.cloud.google.com/gcr/images/k8s-staging-ingress-nginx/global/controller
- The sha is also visible [here]((https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*)), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this:
- The sha is also visible [here](https://prow.k8s.io/?repo=kubernetes%2Fingress-nginx&job=post-*), after cloud build is finished. Click on the respective job, go to `Artifacts` section in the UI, then again `artifacts` in the directory browser. In the `build.log` at the very bottom you see something like this:
```
...
@ -113,7 +113,7 @@ Promoting the images basically means that images, that were pushed to staging co
- For making it easier, you can edit your branch directly in the browser. But be careful about making any mistake.
- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before
- Insert the sha(s) & the tag(s), in a new line, in this file [Project kubernetes/k8s.io Ingress-Nginx-Controller Images](https://github.com/kubernetes/k8s.io/blob/main/k8s.gcr.io/images/k8s-staging-ingress-nginx/images.yaml) Look at this [example PR and the diff](https://github.com/kubernetes/k8s.io/pull/2536) to see how it was done before
- Save and commit

2
TAG

@ -1 +1 @@
v1.5.2
v1.5.1


@ -16,10 +16,10 @@
GO_BUILD_CMD="go build"
if [ -n "$DEBUG" ]; then
set -x
GO_BUILD_CMD="go build -v"
fi
#if [ -n "$DEBUG" ]; then
# set -x
# GO_BUILD_CMD="go build -v"
#fi
set -o errexit
set -o nounset
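Review bot: On the new side the `DEBUG` block appears to be commented out rather than deleted, which leaves dead code and silently removes the `set -x` / `go build -v` switch that callers exporting `DEBUG` may rely on; either delete the four lines or keep the conditional. The same pattern shows up in the next shell section, where the `hostname`/`uname`/`env` diagnostics are commented out. An `env` dump in CI output can expose injected credentials, so deleting those lines, or gating them behind `$DEBUG`, is safer than leaving them in a form that is trivially re-enabled. The rest of both scripts lies outside the hunks.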


@ -65,23 +65,21 @@ fi
USER=${USER:-nobody}
echo "..printing env & other vars to stdout"
echo "HOSTNAME=`hostname`"
uname -a
env
echo "DIND_ENABLED=$DOCKER_IN_DOCKER_ENABLED"
echo "done..printing env & other vars to stdout"
#echo "..printing env & other vars to stdout"
#echo "HOSTNAME=`hostname`"
#uname -a
#env
#echo "DIND_ENABLED=$DOCKER_IN_DOCKER_ENABLED"
#echo "done..printing env & other vars to stdout"
if [[ "$DOCKER_IN_DOCKER_ENABLED" == "true" ]]; then
echo "..reached DIND check TRUE block, inside run-in-docker.sh"
echo "FLAGS=$FLAGS"
go env
set -x
#go env
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo@v2.6.1
find / -type f -name ginkgo 2>/dev/null
which ginkgo
/bin/bash -c "${FLAGS}"
set +x
else
echo "Reached DIND check ELSE block, inside run-in-docker.sh"
docker run \


@ -0,0 +1,79 @@
# Changelog
### 1.5.2
Images:
* registry.k8s.io/ingress-nginx/controller:controller-v1.5.2@sha256:3870522ed937c9efb94bfa31a7eb16009831567a0d4cbe01846fc5486d622655
* registry.k8s.io/ingress-nginx/controller-chroot:controller-v1.5.2@sha256:84613555694f2c59a8b2551126d226c9aa648544ebf0cde1e0df942f7dbce42b
### All Changes:
* restart 1.5.2 release process (#9450)
* Update command line arguments documentation (#9224)
* start release 1.5.2 (#9445)
* upgrade nginx base image (#9436)
* test the new e2e test images (#9444)
* avoid builds and tests for non-code changes (#9392)
* CI updates (#9440)
* HPA: Add `controller.autoscaling.annotations` to `values.yaml`. (#9253)
* update the nginx run container for alpine:3.17.0 (#9430)
* cleanup: remove ioutil for new go version (#9427)
* start upgrade to golang 1.19.4 and alpine 3.17.0 (#9417)
* ci: remove setup-helm step (#9404)
* ci: remove setup-kind step (#9401)
* Add reporter for all tests (#9395)
* added action for issues to project (#9386)
* doc: update NEW_CONTRIBUTOR.md (#9381)
* feat(helm): Optionally use cert-manager instead admission patch (#9279)
* integrated junit-reports with ghactions (#9361)
* [user-guide configmap] fix doc for global-auth-snippet (#9372)
* update OpenTelemetry image (#9308)
* fix: missing CORS headers when auth fails (#9251)
* Fix styling in canary annotation docs. (#9259)
* resolved ginkgo deprecation message (#9365)
* Enable profiler-address to be configured (#9311)
* ModSecurity dependencies update to avoid Memory Leaks (#9330)
* fix(hpa): deprecated api version, bump to v2 (#9348)
* fix(typo): pluralize provider (#9346)
* removed deprecation messsage for ingressClass annotation (#9357)
* added ginkgo junit reports (#9350)
* Fix typos found by codespell (#9353)
* bumped ginkgo to v2.5.1 in testrunner (#9340)
* create nsswitch-conf if missing (#9339)
* remove the configmap related permissions (#9310)
* remove hardcoded datasource from grafana dashboard (#9284)
* update gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b to 3.0.0 (#9277)
* Validate ingress path fields (#9309)
* added SAN to cert create command (#9295)
* Missing controller.ingressClass (#9304)
* OpenTelemetry static linking (#9286)
* Fixed indentation in commented-out autoscaling (#9225)
* run helm release on main only and when the chart/value changes only (#9290)
* fix broken annotation yaml (#9243)
* PDB: Add `maxUnavailable`. (#9278)
* add containerSecurityContext to extraModules init containers (kubernetes#9016) (#9242)
### Dependencies updates:
* Bump golang.org/x/crypto from 0.3.0 to 0.4.0 (#9397)
* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9432)
* Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.6.1 (#9421)
* Bump github/codeql-action from 2.1.36 to 2.1.37 (#9423)
* Bump actions/checkout from 3.1.0 to 3.2.0 (#9425)
* Bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (#9426)
* Bump actions/dependency-review-action from 3.0.1 to 3.0.2 (#9424)
* Bump ossf/scorecard-action from 2.0.6 to 2.1.0 (#9422)
* Bump github.com/prometheus/common from 0.37.0 to 0.39.0 (#9416)
* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9408)
* Bump github.com/onsi/ginkgo/v2 from 2.5.1 to 2.6.0 (#9398)
* Bump github/codeql-action from 2.1.35 to 2.1.36 (#9400)
* Bump actions/setup-go from 3.3.1 to 3.4.0 (#9370)
* Bump github/codeql-action from 2.1.31 to 2.1.35 (#9369)
* Bump google.golang.org/grpc from 1.50.1 to 1.51.0 (#9316)
* Bump github.com/prometheus/client_golang from 1.13.1 to 1.14.0 (#9298)
* Bump actions/dependency-review-action from 3.0.0 to 3.0.1 (#9319)
* Bump golang.org/x/crypto from 0.1.0 to 0.3.0 (#9318)
* Bump github.com/onsi/ginkgo/v2 from 2.4.0 to 2.5.1 (#9317)
* Bump actions/dependency-review-action from 2.5.1 to 3.0.0 (#9301)
* Bump k8s.io/component-base from 0.25.3 to 0.25.4 (#9300)
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.5.1...controller-controller-v1.5.2


@ -2,7 +2,7 @@ apiVersion: v2
name: ingress-nginx
# When the version is modified, make sure the artifacthub.io/changes list is updated
# Also update CHANGELOG.md
version: 4.4.0
version: 4.4.2
appVersion: 1.5.1
home: https://github.com/kubernetes/ingress-nginx
description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer


@ -2,7 +2,7 @@
[ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer
![Version: 4.4.0](https://img.shields.io/badge/Version-4.4.0-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square)
![Version: 4.4.2](https://img.shields.io/badge/Version-4.4.2-informational?style=flat-square) ![AppVersion: 1.5.1](https://img.shields.io/badge/AppVersion-1.5.1-informational?style=flat-square)
To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources.


@ -0,0 +1,9 @@
# Changelog
This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org).
### {{ .NewHelmChartVersion }}
{{ with .HelmUpdates }}
{{ range . }}* {{ . }}
{{ end }}{{ end }}
**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-{{ .PreviousHelmChartVersion }}...helm-chart-{{ .NewHelmChartVersion }}


@ -18,10 +18,6 @@ if [ -n "$DEBUG" ]; then
set -x
fi
set -o errexit
set -o nounset
set -o pipefail
URL="https://github.com/kubernetes/ingress-nginx/tree/main/"
DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P)
@ -34,7 +30,7 @@ Do not try to edit it manually.
"
for FILE in `find $DIR/test/e2e -name "*.go"`;do
for FILE in $(find $DIR/test/e2e -name "*.go");do
# describe definition
DESCRIBE=$(cat $FILE | grep -n -oP 'Describe.*')
# line number
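Review bot: The first hunk appears to drop `set -o errexit`, `set -o nounset` and `set -o pipefail`, so a failing `cd` or `find` no longer stops the script and the generated document can be silently incomplete. If strict mode was removed because `grep` exits 1 on files without a match, it would be better to keep the three options and append `|| true` to that one pipeline. The new loop header `for FILE in $(find $DIR/test/e2e -name "*.go");do` still word-splits paths, and quoting `"$DIR"` would at least protect the root directory. The loop body continues outside the hunk.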


@ -149,7 +149,8 @@ func ValidHeader(header string) bool {
// ValidCacheDuration checks if the provided string is a valid cache duration
// spec: [code ...] [time ...];
// with: code is an http status code
// time must match the time regex and may appear multiple times, e.g. `1h 30m`
//
// time must match the time regex and may appear multiple times, e.g. `1h 30m`
func ValidCacheDuration(duration string) bool {
elements := strings.Split(duration, " ")
seenDuration := false


@ -75,8 +75,8 @@ type Template struct {
bp *BufferPool
}
//NewTemplate returns a new Template instance or an
//error if the specified template file contains errors
// NewTemplate returns a new Template instance or an
// error if the specified template file contains errors
func NewTemplate(file string) (*Template, error) {
data, err := os.ReadFile(file)
if err != nil {
@ -287,9 +287,10 @@ var (
// escapeLiteralDollar will replace the $ character with ${literal_dollar}
// which is made to work via the following configuration in the http section of
// the template:
// geo $literal_dollar {
// default "$";
// }
//
// geo $literal_dollar {
// default "$";
// }
func escapeLiteralDollar(input interface{}) string {
inputStr, ok := input.(string)
if !ok {


@ -41,7 +41,8 @@ func (m Mock) GetSecret(string) (*apiv1.Secret, error) {
// GetAuthCertificate resolves a given secret name into an SSL certificate.
// The secret must contain 3 keys named:
// ca.crt: contains the certificate chain used for authentication
//
// ca.crt: contains the certificate chain used for authentication
func (m Mock) GetAuthCertificate(string) (*AuthSSLCert, error) {
return nil, nil
}


@ -80,6 +80,7 @@ func (p *TCPProxy) Handle(conn net.Conn) {
}
hostPort := net.JoinHostPort(proxy.IP, fmt.Sprintf("%v", proxy.Port))
klog.V(4).InfoS("passing to", "hostport", hostPort)
clientConn, err := net.Dial("tcp", hostPort)
if err != nil {
klog.V(4).ErrorS(err, "error dialing proxy", "ip", proxy.IP, "port", proxy.Port, "hostname", proxy.Hostname)
@ -99,7 +100,7 @@ func (p *TCPProxy) Handle(conn net.Conn) {
}
proxyProtocolHeader := fmt.Sprintf("PROXY %s %s %s %d %d\r\n", protocol, remoteAddr.IP.String(), localAddr.IP.String(), remoteAddr.Port, localAddr.Port)
klog.V(4).InfoS("Writing Proxy Protocol", "header", proxyProtocolHeader)
_, err = fmt.Fprintf(clientConn, proxyProtocolHeader)
_, err = fmt.Fprint(clientConn, proxyProtocolHeader)
}
if err != nil {
klog.ErrorS(err, "Error writing Proxy Protocol header")
@ -126,8 +127,5 @@ func pipe(client, server net.Conn) {
go doCopy(server, client, cancel)
go doCopy(client, server, cancel)
select {
case <-cancel:
return
}
<-cancel
}
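Review bot: `net.Dial("tcp", hostPort)` in `Handle` carries no timeout, so an unresponsive backend holds the handler goroutine and the accepted client connection until the operating system's connect timeout expires. `net.DialTimeout("tcp", hostPort, <timeout>)` with a bound chosen by the project would cap that. `Handle` starts and ends outside these hunks, so a deadline may already be applied elsewhere; if it is, a one-line comment at the dial saying so would help the next reader.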


@ -33,7 +33,8 @@ import (
// NumCPU returns the number of logical CPUs usable by the current process.
// If CPU cgroups limits are configured, use cfs_quota_us / cfs_period_us
// as formula
// https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt
//
// https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt
func NumCPU() int {
cpus := runtime.NumCPU()


@ -40,7 +40,6 @@ for dir in "${writeDirs[@]}"; do
chown -R www-data.www-data ${dir};
done
mkdir -p /chroot/lib /chroot/proc /chroot/usr /chroot/bin /chroot/dev /chroot/run
cp /etc/passwd /etc/group /chroot/etc/
cp -a /usr/* /chroot/usr/


@ -85,9 +85,10 @@ func (f *Framework) NewEchoDeployment(opts ...func(*deploymentOptions)) {
}
deployment := newDeployment(options.name, options.namespace, "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:778ac6d1188c8de8ecabeddd3c37b72c8adc8c712bad2bd7a81fb23a3514934c", 80, int32(options.replicas),
nil,
nil, nil, nil,
[]corev1.VolumeMount{},
[]corev1.Volume{},
true,
)
f.EnsureDeployment(deployment)
@ -183,7 +184,7 @@ func (f *Framework) NGINXDeployment(name string, cfg string, waitendpoint bool)
assert.Nil(ginkgo.GinkgoT(), err, "creating configmap")
deployment := newDeployment(name, f.Namespace, f.GetNginxBaseImage(), 80, 1,
nil,
nil, nil, nil,
[]corev1.VolumeMount{
{
Name: name,
@ -203,7 +204,7 @@ func (f *Framework) NGINXDeployment(name string, cfg string, waitendpoint bool)
},
},
},
},
}, true,
)
f.EnsureDeployment(deployment)
@ -334,8 +335,8 @@ func (f *Framework) NewGRPCBinDeployment() {
assert.Nil(ginkgo.GinkgoT(), err, "waiting for endpoints to become ready")
}
func newDeployment(name, namespace, image string, port int32, replicas int32, command []string,
volumeMounts []corev1.VolumeMount, volumes []corev1.Volume) *appsv1.Deployment {
func newDeployment(name, namespace, image string, port int32, replicas int32, command []string, args []string, env []corev1.EnvVar,
volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) *appsv1.Deployment {
probe := &corev1.Probe{
InitialDelaySeconds: 2,
PeriodSeconds: 1,
@ -381,9 +382,7 @@ func newDeployment(name, namespace, image string, port int32, replicas int32, co
ContainerPort: port,
},
},
ReadinessProbe: probe,
LivenessProbe: probe,
VolumeMounts: volumeMounts,
VolumeMounts: volumeMounts,
},
},
Volumes: volumes,
@ -392,10 +391,20 @@ func newDeployment(name, namespace, image string, port int32, replicas int32, co
},
}
if setProbe {
d.Spec.Template.Spec.Containers[0].ReadinessProbe = probe
d.Spec.Template.Spec.Containers[0].LivenessProbe = probe
}
if len(command) > 0 {
d.Spec.Template.Spec.Containers[0].Command = command
}
if len(args) > 0 {
d.Spec.Template.Spec.Containers[0].Args = args
}
if len(env) > 0 {
d.Spec.Template.Spec.Containers[0].Env = env
}
return d
}
@ -404,9 +413,13 @@ func (f *Framework) NewHttpbinDeployment() {
f.NewDeployment(HTTPBinService, "registry.k8s.io/ingress-nginx/e2e-test-httpbin@sha256:c6372ef57a775b95f18e19d4c735a9819f2e7bb4641e5e3f27287d831dfeb7e8", 80, 1)
}
// NewDeployment creates a new deployment in a particular namespace.
func (f *Framework) NewDeployment(name, image string, port int32, replicas int32) {
deployment := newDeployment(name, f.Namespace, image, port, replicas, nil, nil, nil)
f.NewDeploymentWithOpts(name, image, port, replicas, nil, nil, nil, nil, nil, true)
}
// NewDeployment creates a new deployment in a particular namespace.
func (f *Framework) NewDeploymentWithOpts(name, image string, port int32, replicas int32, command []string, args []string, env []corev1.EnvVar, volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) {
deployment := newDeployment(name, f.Namespace, image, port, replicas, command, args, env, volumeMounts, volumes, setProbe)
f.EnsureDeployment(deployment)
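Review bot: The doc comment on `NewDeploymentWithOpts` is copied from `NewDeployment` and names the wrong function; it should read `// NewDeploymentWithOpts creates a new deployment in the framework namespace with optional command, args, env, volumes and probe control.` The signature now takes ten positional parameters, and `NewDeployment` passes five of them as `nil`, which makes call sites easy to transpose. The file already uses functional options (`opts ...func(*deploymentOptions)`) for `NewEchoDeployment`, and the same shape would fit here. `NewDeploymentWithOpts` ends outside the hunk.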


@ -17,8 +17,10 @@ limitations under the License.
package httpexpect
import (
"context"
"fmt"
"io"
"net"
"net/http"
"net/url"
"path"
@ -71,6 +73,33 @@ func (h *HTTPRequest) DoRequest(method, rpath string) *HTTPRequest {
return h
}
// ForceResolve forces the test resolver to point to a specific endpoint
func (h *HTTPRequest) ForceResolve(ip string, port uint16) *HTTPRequest {
addr := net.ParseIP(ip)
if addr == nil {
h.chain.fail(fmt.Sprintf("invalid ip address: %s", ip))
return h
}
dialer := &net.Dialer{
Timeout: h.client.Timeout,
KeepAlive: h.client.Timeout,
DualStack: true,
}
resolveAddr := fmt.Sprintf("%s:%d", ip, int(port))
oldTransport, ok := h.client.Transport.(*http.Transport)
if !ok {
h.chain.fail("invalid old transport address")
return h
}
newTransport := oldTransport.Clone()
newTransport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
return dialer.DialContext(ctx, network, resolveAddr)
}
h.client.Transport = newTransport
return h
}
// Expect executes the request and returns an HTTP response.
func (h *HTTPRequest) Expect() *HTTPResponse {
if h.query != nil {
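Review bot: `resolveAddr := fmt.Sprintf("%s:%d", ip, int(port))` in `ForceResolve` yields an address that cannot be dialed for IPv6 literals because the brackets are missing; `resolveAddr := net.JoinHostPort(addr.String(), fmt.Sprint(port))` handles both families and reuses the already-validated `addr`. `DualStack: true` is a deprecated `net.Dialer` field and can be dropped. The failure text `invalid old transport address` fires when the client transport is not an `*http.Transport`, so a message stating that would be easier to act on.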


@ -189,7 +189,7 @@ func CreateIngressClass(namespace string, c kubernetes.Interface) (string, error
return ic.Name, nil
}
//deleteIngressClass deletes an IngressClass and its related ClusterRole* objects
// deleteIngressClass deletes an IngressClass and its related ClusterRole* objects
func deleteIngressClass(c kubernetes.Interface, ingressclass string) error {
var err error
grace := int64(0)
@ -215,7 +215,7 @@ func deleteIngressClass(c kubernetes.Interface, ingressclass string) error {
return nil
}
//GetIngressClassName returns the default IngressClassName given a namespace
// GetIngressClassName returns the default IngressClassName given a namespace
func GetIngressClassName(namespace string) *string {
icname := fmt.Sprintf("ic-%s", namespace)
return &icname


@ -0,0 +1,165 @@
/*
Copyright 2022 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package settings
import (
"context"
"crypto/tls"
"fmt"
"net/http"
"strings"
"github.com/onsi/ginkgo/v2"
"github.com/stretchr/testify/assert"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/ingress-nginx/test/e2e/framework"
)
var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() {
f := framework.NewDefaultFramework("ssl-passthrough")
ginkgo.BeforeEach(func() {
err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
args := deployment.Spec.Template.Spec.Containers[0].Args
args = append(args, "--enable-ssl-passthrough")
deployment.Spec.Template.Spec.Containers[0].Args = args
_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
return err
})
assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags")
f.WaitForNginxServer("_",
func(server string) bool {
return strings.Contains(server, "listen 442")
})
})
ginkgo.Describe("With enable-ssl-passthrough enabled", func() {
ginkgo.It("should enable ssl-passthrough-proxy-port on a different port", func() {
err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error {
args := deployment.Spec.Template.Spec.Containers[0].Args
args = append(args, "--ssl-passthrough-proxy-port=1442")
deployment.Spec.Template.Spec.Containers[0].Args = args
_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(context.TODO(), deployment, metav1.UpdateOptions{})
return err
})
assert.Nil(ginkgo.GinkgoT(), err, "updating ingress controller deployment flags")
f.WaitForNginxServer("_",
func(server string) bool {
return strings.Contains(server, "listen 1442")
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", "something").
Expect().
Status(http.StatusNotFound)
})
ginkgo.It("should pass unknown traffic to default backend and handle known traffic", func() {
host := "testpassthrough.com"
echoName := "echopass"
/* Even with enable-ssl-passthrough enabled, only annotated ingresses may receive the trafic */
annotations := map[string]string{
"nginx.ingress.kubernetes.io/ssl-passthrough": "true",
}
ingressDef := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, echoName, 80, annotations)
tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
ingressDef.Spec.TLS[0].Hosts,
ingressDef.Spec.TLS[0].SecretName,
ingressDef.Namespace)
volumeMount := []corev1.VolumeMount{
{
Name: "certs",
ReadOnly: true,
MountPath: "/certs",
},
}
volume := []corev1.Volume{
{
Name: "certs",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: ingressDef.Spec.TLS[0].SecretName,
},
},
},
}
envs := []corev1.EnvVar{
{
Name: "HTTPBUN_SSL_CERT",
Value: "/certs/tls.crt",
},
{
Name: "HTTPBUN_SSL_KEY",
Value: "/certs/tls.key",
},
}
f.NewDeploymentWithOpts("echopass", "ghcr.io/sharat87/httpbun:latest", 80, 1, nil, nil, envs, volumeMount, volume, false)
f.EnsureIngress(ingressDef)
assert.Nil(ginkgo.GinkgoT(), err)
framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, "listen 442")
})
/* This one should not receive traffic as it does not contain passthrough annotation */
hostBad := "noannotationnopassthrough.com"
ingBad := f.EnsureIngress(framework.NewSingleIngressWithTLS(hostBad, "/", hostBad, []string{hostBad}, f.Namespace, echoName, 80, nil))
tlsConfigBad, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
ingBad.Spec.TLS[0].Hosts,
ingBad.Spec.TLS[0].SecretName,
ingBad.Namespace)
assert.Nil(ginkgo.GinkgoT(), err)
framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfigBad)
f.WaitForNginxServer(hostBad,
func(server string) bool {
return strings.Contains(server, "listen 442")
})
f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}).
GET("/").
WithURL(fmt.Sprintf("https://%s:443", host)).
ForceResolve(f.GetNginxIP(), 443).
Expect().
Status(http.StatusOK)
f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: hostBad, InsecureSkipVerify: true}).
GET("/").
WithURL(fmt.Sprintf("https://%s:443", hostBad)).
ForceResolve(f.GetNginxIP(), 443).
Expect().
Status(http.StatusNotFound)
})
})
})
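Review bot: `ghcr.io/sharat87/httpbun:latest` is a mutable tag on a third-party registry, while the other e2e images visible in this commit are pinned by digest. Pinning it the same way, e.g. `ghcr.io/sharat87/httpbun@sha256:<digest>`, means the test cannot start running different code without a reviewed change. The `err` returned by the first `CreateIngressTLSSecret` call is only asserted after the deployment and ingress have been created, so `assert.Nil(ginkgo.GinkgoT(), err)` should move directly after that call. Both HTTPS clients set `InsecureSkipVerify: true` although `tlsConfig` and `tlsConfigBad` are returned by the secret helper; a short comment explaining why verification is skipped in this test would help.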