DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

WIP Remove nginx unix sockets (#4531)

Browse source 
* Remove nginx unix sockets
* Use an emptyDir volume for /tmp in PSP e2e tests
This commit is contained in:
Manuel Alejandro de Brito Fontes 2019-09-08 18:14:54 -03:00 committed by GitHub
parent 76e2a5d731
commit ce3e3d51c3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 32 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
internal/ingress/controller/config/config.go
View file

@ -798,7 +798,7 @@ type TemplateConfig struct {
PID string PID string
StatusPath string StatusPath string
StatusPort int StatusPort int
StreamSocket string StreamPort int
} }
// ListenPorts describe the ports required to run the // ListenPorts describe the ports required to run the

14
internal/ingress/controller/nginx.go
View file

@ -607,7 +607,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC
PID: nginx.PID, PID: nginx.PID,
StatusPath: nginx.StatusPath, StatusPath: nginx.StatusPath,
StatusPort: nginx.StatusPort, StatusPort: nginx.StatusPort,
StreamSocket: nginx.StreamSocket, StreamPort: nginx.StreamPort,
} }
tc.Cfg.Checksum = ingressCfg.ConfigurationChecksum tc.Cfg.Checksum = ingressCfg.ConfigurationChecksum
@ -923,17 +923,17 @@ func updateStreamConfiguration(TCPEndpoints []ingress.L4Service, UDPEndpoints []
}) })
} }
conn, err := net.Dial("unix", nginx.StreamSocket)
if err != nil {
return err
}
defer conn.Close()
buf, err := json.Marshal(streams) buf, err := json.Marshal(streams)
if err != nil { if err != nil {
return err return err
} }
conn, err := net.Dial("tcp", fmt.Sprintf("127.0.0.1:%v", nginx.StreamPort))
if err != nil {
return err
}
defer conn.Close()
_, err = conn.Write(buf) _, err = conn.Write(buf)
if err != nil { if err != nil {
return err return err

14
internal/ingress/controller/nginx_test.go
View file

@ -151,16 +151,15 @@ func TestIsDynamicConfigurationEnough(t *testing.T) {
func TestConfigureDynamically(t *testing.T) { func TestConfigureDynamically(t *testing.T) {
listener, err := net.Listen("tcp", fmt.Sprintf(":%v", nginx.StatusPort)) listener, err := net.Listen("tcp", fmt.Sprintf(":%v", nginx.StatusPort))
if err != nil { if err != nil {
t.Fatalf("crating unix listener: %s", err) t.Fatalf("crating tcp listener: %s", err)
} }
defer listener.Close() defer listener.Close()
streamListener, err := net.Listen("unix", nginx.StreamSocket) streamListener, err := net.Listen("tcp", fmt.Sprintf(":%v", nginx.StreamPort))
if err != nil { if err != nil {
t.Fatalf("crating unix listener: %s", err) t.Fatalf("crating tcp listener: %s", err)
} }
defer streamListener.Close() defer streamListener.Close()
defer os.Remove(nginx.StreamSocket)
endpointStats := map[string]int{"/configuration/backends": 0, "/configuration/general": 0, "/configuration/servers": 0} endpointStats := map[string]int{"/configuration/backends": 0, "/configuration/general": 0, "/configuration/servers": 0}
resetEndpointStats := func() { resetEndpointStats := func() {
@ -321,16 +320,15 @@ func TestConfigureDynamically(t *testing.T) {
func TestConfigureCertificates(t *testing.T) { func TestConfigureCertificates(t *testing.T) {
listener, err := net.Listen("tcp", fmt.Sprintf(":%v", nginx.StatusPort)) listener, err := net.Listen("tcp", fmt.Sprintf(":%v", nginx.StatusPort))
if err != nil { if err != nil {
t.Fatalf("crating unix listener: %s", err) t.Fatalf("crating tcp listener: %s", err)
} }
defer listener.Close() defer listener.Close()
streamListener, err := net.Listen("unix", nginx.StreamSocket) streamListener, err := net.Listen("tcp", fmt.Sprintf(":%v", nginx.StreamPort))
if err != nil { if err != nil {
t.Fatalf("crating unix listener: %s", err) t.Fatalf("crating tcp listener: %s", err)
} }
defer streamListener.Close() defer streamListener.Close()
defer os.Remove(nginx.StreamSocket)
servers := []*ingress.Server{{ servers := []*ingress.Server{{
Hostname: "myapp.fake", Hostname: "myapp.fake",

6
internal/nginx/main.go
View file

@ -50,10 +50,8 @@ var HealthCheckTimeout = 10 * time.Second
// http://nginx.org/en/docs/http/ngx_http_stub_status_module.html // http://nginx.org/en/docs/http/ngx_http_stub_status_module.html
var StatusPath = "/nginx_status" var StatusPath = "/nginx_status"
// StreamSocket defines the location of the unix socket used by NGINX for the NGINX stream configuration socket // StreamPort defines the port used by NGINX for the NGINX stream configuration socket
var StreamSocket = "/tmp/ingress-stream.sock" var StreamPort = 10257
var statusLocation = "nginx-status"
// NewGetStatusRequest creates a new GET request to the internal NGINX status server // NewGetStatusRequest creates a new GET request to the internal NGINX status server
func NewGetStatusRequest(path string) (int, []byte, error) { func NewGetStatusRequest(path string) (int, []byte, error) {

2
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -669,7 +669,7 @@ stream {
} }
server { server {
listen unix:{{ .StreamSocket }}; listen 127.0.0.1:{{ .StreamPort }};
access_log off; access_log off;

8
test/e2e/settings/pod_security_policy_volumes.go
View file

@ -71,6 +71,11 @@ var _ = framework.IngressNginxDescribe("Pod Security Policies with volumes", fun
EmptyDir: &corev1.EmptyDirVolumeSource{}, EmptyDir: &corev1.EmptyDirVolumeSource{},
}, },
}, },
{
Name: "tmp", VolumeSource: corev1.VolumeSource{
EmptyDir: &corev1.EmptyDirVolumeSource{},
},
},
} }
fsGroup := int64(33) fsGroup := int64(33)
@ -82,6 +87,9 @@ var _ = framework.IngressNginxDescribe("Pod Security Policies with volumes", fun
{ {
Name: "ssl", MountPath: "/etc/ingress-controller", Name: "ssl", MountPath: "/etc/ingress-controller",
}, },
{
Name: "tmp", MountPath: "/tmp",
},
} }
_, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(deployment) _, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Update(deployment)