diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 453775379..efed2ba46 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -42,7 +42,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -62,60 +62,6 @@ jobs: - 'charts/ingress-nginx/**/*' - 'NGINX_BASE' - - security: - runs-on: ubuntu-latest - steps: - - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Run Gosec Security Scanner - uses: securego/gosec@c5ea1b7bdd9efc3792e513258853552b0ae31e06 # v2.16.0 - with: - # G601 for zz_generated.deepcopy.go - # G306 TODO: Expect WriteFile permissions to be 0600 or less - # G307 TODO: Deferring unsafe method "Close" - args: -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ ./... - - lint: - runs-on: ubuntu-latest - needs: changes - if: | - (needs.changes.outputs.go == 'true') - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Set up Go - id: go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version: '1.20' - check-latest: true - - - name: Run Lint - run: ./hack/verify-golint.sh - - gofmt: - runs-on: ubuntu-latest - needs: changes - if: | - (needs.changes.outputs.go == 'true') - steps: - - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - - name: Set up Go - id: go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 - with: - go-version: '1.20' - check-latest: true - - - name: Run go-fmt - run: ./hack/verify-gofmt.sh - test-go: runs-on: ubuntu-latest needs: changes @@ -123,13 +69,13 @@ jobs: (needs.changes.outputs.go == 'true') steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Set up Go id: go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: '1.20' + go-version: '1.21.1' check-latest: true - name: Run test @@ -144,21 +90,21 @@ jobs: steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Set up Go id: go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: '1.20' + go-version: '1.21.1' check-latest: true - name: Set up QEMU - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0 + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 with: version: latest @@ -167,9 +113,7 @@ jobs: - name: Prepare Host run: | - sudo apt-get -qq update || true - sudo apt-get install -y pigz - curl -LO https://dl.k8s.io/release/v1.25.5/bin/linux/amd64/kubectl + curl -LO https://dl.k8s.io/release/v1.27.3/bin/linux/amd64/kubectl chmod +x ./kubectl sudo mv ./kubectl /usr/local/bin/kubectl @@ -188,10 +132,10 @@ jobs: nginx-ingress-controller:e2e \ ingress-controller/controller:1.0.0-dev \ ingress-controller/controller-chroot:1.0.0-dev \ - | pigz > docker.tar.gz + | gzip > docker.tar.gz - name: cache - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: docker.tar.gz path: docker.tar.gz @@ -207,16 +151,16 @@ jobs: strategy: matrix: - k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] + k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0] steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Setup Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: '1.20' + go-version: '1.21.1' check-latest: true - name: cache @@ -260,7 +204,7 @@ jobs: - name: Load images from cache run: | echo "loading docker images..." - pigz -dc docker.tar.gz | docker load + gzip -dc docker.tar.gz | docker load - name: Test env: @@ -282,11 +226,11 @@ jobs: strategy: matrix: - k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] + k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0] steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -301,7 +245,7 @@ jobs: - name: Load images from cache run: | echo "loading docker images..." - pigz -dc docker.tar.gz | docker load + gzip -dc docker.tar.gz | docker load - name: Run e2e tests env: @@ -313,7 +257,7 @@ jobs: make kind-e2e-test - name: Upload e2e junit-reports - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 if: success() || failure() with: name: e2e-test-reports-${{ matrix.k8s }} @@ -330,11 +274,11 @@ jobs: strategy: matrix: - k8s: [v1.27.1] + k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0] steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -349,7 +293,7 @@ jobs: - name: Load images from cache run: | echo "loading docker images..." - pigz -dc docker.tar.gz | docker load + gzip -dc docker.tar.gz | docker load - name: Run e2e tests env: @@ -362,7 +306,7 @@ jobs: make kind-e2e-test - name: Upload e2e junit-reports - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 if: success() || failure() with: name: e2e-test-reports-${{ matrix.k8s }} @@ -380,12 +324,12 @@ jobs: strategy: matrix: - k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] + k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0] steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: cache uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 @@ -400,7 +344,7 @@ jobs: - name: Load images from cache run: | echo "loading docker images..." - pigz -dc docker.tar.gz | docker load + gzip -dc docker.tar.gz | docker load - name: Run e2e tests env: @@ -413,7 +357,7 @@ jobs: make kind-e2e-test - name: Upload e2e junit-reports - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 if: success() || failure() with: name: e2e-test-reports-chroot-${{ matrix.k8s }} @@ -429,7 +373,7 @@ jobs: PLATFORMS: linux/amd64,linux/arm64 steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images @@ -498,11 +442,11 @@ jobs: strategy: matrix: - k8s: [v1.24.12, v1.25.8, v1.26.3,v1.27.1] + k8s: [v1.25.11, v1.26.6, v1.27.3, v1.28.0] steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter-images @@ -521,9 +465,9 @@ jobs: - name: Set up Go id: go if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: '1.20' + go-version: '1.21.1' check-latest: true - name: kube-webhook-certgen image build diff --git a/.github/workflows/depreview.yaml b/.github/workflows/depreview.yaml index 625c2f461..57874e9da 100644 --- a/.github/workflows/depreview.yaml +++ b/.github/workflows/depreview.yaml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: 'Dependency Review' - uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6 + uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0 diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index f7aee6610..4f1279731 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1 id: filter @@ -47,7 +47,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Deploy uses: ./.github/actions/mkdocs diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml new file mode 100644 index 000000000..c32f8e729 --- /dev/null +++ b/.github/workflows/golangci-lint.yml @@ -0,0 +1,34 @@ +name: golangci-lint + +on: + pull_request: + push: + branches: + - main + paths-ignore: + - 'docs/**' + - 'deploy/**' + - '**.md' + +permissions: + contents: read + +jobs: + golangci: + name: lint + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + + - name: Set up Go + id: go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: '1.21.1' + check-latest: true + + - name: golangci-lint + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 + with: + version: v1.53 diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml index 6303b6a27..e855566de 100644 --- a/.github/workflows/helm.yaml +++ b/.github/workflows/helm.yaml @@ -23,7 +23,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Run Artifact Hub lint run: | @@ -61,7 +61,7 @@ jobs: steps: - name: Checkout master - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 fetch-depth: 0 @@ -75,7 +75,7 @@ jobs: - name: Helm Chart Releaser uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0 env: - CR_SKIP_EXISTING: "false" + CR_SKIP_EXISTING: true CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}" with: diff --git a/.github/workflows/perftest.yaml b/.github/workflows/perftest.yaml index 36f1f1ede..2e031361b 100644 --- a/.github/workflows/perftest.yaml +++ b/.github/workflows/perftest.yaml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Install K6 run: | diff --git a/.github/workflows/plugin.yaml b/.github/workflows/plugin.yaml index d8769f439..f0c29f02f 100644 --- a/.github/workflows/plugin.yaml +++ b/.github/workflows/plugin.yaml @@ -4,10 +4,8 @@ on: push: branches: - "main" - paths: - - "cmd/plugin/**" tags: - - "v*" + - 'v*.*.*\+plugin' permissions: contents: write # for goreleaser/goreleaser-action @@ -17,21 +15,21 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: fetch-depth: 0 - name: Set up Go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: 1.20 + go-version: '1.21.1' check-latest: true - name: Run GoReleaser - uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0 + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest - args: release --rm-dist + args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 2e276a3f6..268914f2c 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -27,7 +27,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: persist-credentials: false @@ -51,7 +51,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/vulnerability-scans.yaml b/.github/workflows/vulnerability-scans.yaml index af7d8bda1..1b8ea4160 100644 --- a/.github/workflows/vulnerability-scans.yaml +++ b/.github/workflows/vulnerability-scans.yaml @@ -22,7 +22,7 @@ jobs: versions: ${{ steps.version.outputs.TAGS }} steps: - name: Checkout code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: fetch-depth: 0 @@ -52,7 +52,7 @@ jobs: versions: ${{ fromJSON(needs.version.outputs.versions) }} steps: - name: Checkout code - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - shell: bash id: test @@ -60,7 +60,7 @@ jobs: - name: Scan image with AquaSec/Trivy id: scan - uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2 + uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0 with: image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} format: 'sarif' diff --git a/.gitignore b/.gitignore index 2c0accad7..60bf6a304 100644 --- a/.gitignore +++ b/.gitignore @@ -60,3 +60,4 @@ cmd/plugin/release/ingress-nginx.yaml cmd/plugin/release/*.tar.gz cmd/plugin/release/LICENSE tmp/ +test/junitreports/ diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 000000000..5da8f0399 --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,241 @@ +run: + timeout: 10m + allow-parallel-runners: true + + # Maximum issues count per one linter. Set to 0 to disable. Default is 50. + max-issues-per-linter: 0 + + # Maximum count of issues with the same text. Set to 0 to disable. Default is 3. + max-same-issues: 0 +linters: + disable-all: true + enable: + - asasalint + - asciicheck + - bidichk + - bodyclose + - contextcheck + - decorder + - dogsled + - dupl + - durationcheck + - errcheck + - errchkjson + - errname + - execinquery + - ginkgolinter + - gocheckcompilerdirectives + - goconst + - gocritic + - gocyclo + - godox + - gofmt + - gofumpt + - goheader + - goimports + - gomoddirectives + - gomodguard + - goprintffuncname + - gosec + - gosimple + - govet + - grouper + - importas + - ineffassign + - loggercheck + - makezero + - misspell + - musttag + - nakedret + - nolintlint + - nosprintfhostport + - prealloc + - predeclared + - promlinter + - reassign + - revive + - rowserrcheck + - sqlclosecheck + - staticcheck + - stylecheck + - tenv + - testableexamples + - typecheck + - unconvert + - unparam + - unused + - usestdlibvars + - whitespace + # - containedctx + # - cyclop + # - dupword + # - errorlint + # - exhaustive + # - exhaustruct + # - exportloopref + # - forbidigo + # - forcetypeassert + # - funlen + # - gci + # - gochecknoglobals + # - gochecknoinits + # - gocognit + # - godot + # - goerr113 + # - gomnd + # - interfacebloat + # - ireturn + # - lll + # - maintidx + # - nestif + # - nilerr + # - nilnil + # - nlreturn + # - noctx + # - nonamedreturns + # - paralleltest + # - tagliatelle + # - testpackage + # - thelper + # - tparallel + # - varnamelen + # - wastedassign + # - wrapcheck + # - wsl +linters-settings: + gocyclo: + min-complexity: 40 + godox: + keywords: + - BUG + - FIXME + - HACK + errcheck: + check-type-assertions: true + check-blank: true + gocritic: + enabled-checks: + # Diagnostic + - appendAssign + - argOrder + - badCall + - badCond + - badLock + - badRegexp + - badSorting + - builtinShadowDecl + - caseOrder + - codegenComment + - commentedOutCode + - deferInLoop + - deprecatedComment + - dupArg + - dupBranchBody + - dupCase + - dupSubExpr + - dynamicFmtString + - emptyDecl + - evalOrder + - exitAfterDefer + - externalErrorReassign + - filepathJoin + - flagDeref + - flagName + - mapKey + - nilValReturn + - offBy1 + - regexpPattern + - returnAfterHttpError + - sloppyReassign + - sloppyTypeAssert + - sortSlice + - sprintfQuotedString + - sqlQuery + - syncMapLoadAndDelete + - truncateCmp + - unnecessaryDefer + - weakCond + + # Performance + - appendCombine + - equalFold + - hugeParam + - indexAlloc + - preferDecodeRune + - preferFprint + - preferStringWriter + - preferWriteByte + - rangeExprCopy + - rangeValCopy + - sliceClear + - stringXbytes + + # Style + - assignOp + - boolExprSimplify + - captLocal + - commentFormatting + - commentedOutImport + - defaultCaseOrder + - deferUnlambda + - docStub + - dupImport + - elseif + - emptyFallthrough + - emptyStringTest + - exposedSyncMutex + - hexLiteral + - httpNoBody + - ifElseChain + - methodExprCall + - newDeref + - octalLiteral + - preferFilepathJoin + - redundantSprint + - regexpMust + - regexpSimplify + - ruleguard + - singleCaseSwitch + - sloppyLen + - stringConcatSimplify + - stringsCompare + - switchTrue + - timeCmpSimplify + - timeExprSimplify + - todoCommentWithoutDetail + - tooManyResultsChecker + - typeAssertChain + - typeDefFirst + - typeSwitchVar + - underef + - unlabelStmt + - unlambda + - unslice + - valSwap + - whyNoLint + - wrapperFunc + - yodaStyleExpr + + # Opinionated + - builtinShadow + - importShadow + - initClause + - nestingReduce + - paramTypeCombine + - ptrToRefParam + - typeUnparen + - unnamedResult + - unnecessaryBlock + nolintlint: + # Enable to ensure that nolint directives are all used. Default is true. + allow-unused: false + # Disable to ensure that nolint directives don't have a leading space. Default is true. + # TODO(lint): Enforce machine-readable `nolint` directives + allow-leading-space: true + # Exclude following linters from requiring an explanation. Default is []. + allow-no-explanation: [] + # Enable to require an explanation of nonzero length after each nolint directive. Default is false. + # TODO(lint): Enforce explanations for `nolint` directives + require-explanation: false + # Enable to require nolint directives to mention the specific linter being suppressed. Default is false. + require-specific: true diff --git a/Makefile b/Makefile index 7b413141a..792cd56a7 100644 --- a/Makefile +++ b/Makefile @@ -128,6 +128,12 @@ static-check: ## Run verification script for boilerplate, codegen, gofmt, golint MAC_OS=$(MAC_OS) \ hack/verify-all.sh +.PHONY: golint-check +golint-check: + @build/run-in-docker.sh \ + MAC_OS=$(MAC_OS) \ + hack/verify-golint.sh + ############################### # Tests for ingress-nginx ############################### diff --git a/README.md b/README.md index 812ddacb6..b6e2dafe7 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ the versions listed. Ingress-Nginx versions may work on older versions but the p | | Ingress-NGINX version | k8s supported version | Alpine Version | Nginx Version | Helm Chart Version | |:--:|-----------------------|------------------------------|----------------|---------------|--------------------| +| ๐Ÿ”„ | **v1.8.2** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* | | ๐Ÿ”„ | **v1.8.1** | 1.27,1.26, 1.25, 1.24 | 3.18.2 | 1.21.6 | 4.7.* | | ๐Ÿ”„ | **v1.8.0** | 1.27,1.26, 1.25, 1.24 | 3.18.0 | 1.21.6 | 4.7.* | | ๐Ÿ”„ | **v1.7.1** | 1.27,1.26, 1.25, 1.24 | 3.17.2 | 1.21.6 | 4.6.* | diff --git a/TAG b/TAG index 804a616da..57f52717b 100644 --- a/TAG +++ b/TAG @@ -1 +1 @@ -v1.8.0 +v1.8.2 diff --git a/build/dev-env.sh b/build/dev-env.sh index 3d21b7e15..93ed3de40 100755 --- a/build/dev-env.sh +++ b/build/dev-env.sh @@ -45,14 +45,16 @@ if ! command -v helm &> /dev/null; then exit 1 fi +function ver { printf "%d%03d%03d" $(echo "$1" | tr '.' ' '); } + HELM_VERSION=$(helm version 2>&1 | cut -f1 -d"," | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') || true echo $HELM_VERSION -if [[ ${HELM_VERSION} -lt 3.10.0 ]]; then +if [[ $(ver $HELM_VERSION) -lt $(ver "3.10.0") ]]; then echo "Please upgrade helm to v3.10.0 or higher" exit 1 fi -KUBE_CLIENT_VERSION=$(kubectl version --client --short 2>/dev/null | grep Client | awk '{print $3}' | cut -d. -f2) || true +KUBE_CLIENT_VERSION=$(kubectl version --client -oyaml 2>/dev/null | grep "minor:" | awk '{print $2}' | tr -d '"') || true if [[ ${KUBE_CLIENT_VERSION} -lt 24 ]]; then echo "Please update kubectl to 1.24.2 or higher" exit 1 diff --git a/build/run-in-docker.sh b/build/run-in-docker.sh index 86e0e443f..7e7974f0f 100755 --- a/build/run-in-docker.sh +++ b/build/run-in-docker.sh @@ -44,7 +44,7 @@ function cleanup { } trap cleanup EXIT -E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230623-d50c7193b@sha256:e5c68dc56934c273850bfb75c0348a2819756669baf59fcdce9e16771537b247} +E2E_IMAGE=${E2E_IMAGE:-registry.k8s.io/ingress-nginx/e2e-test-runner:v20230907-5bb82dcb7@sha256:421cda0f65a949b8b67b5e62a45071702d19ed458a3e2ba753171b0e66943210} if [[ "$RUNTIME" == podman ]]; then # Podman does not support both tag and digest diff --git a/changelog/Changelog-1.8.2.md b/changelog/Changelog-1.8.2.md new file mode 100644 index 000000000..12a273af2 --- /dev/null +++ b/changelog/Changelog-1.8.2.md @@ -0,0 +1,19 @@ +# Changelog + +### 1.8.2 +Images: + + * registry.k8s.io/ingress-nginx/controller:v1.8.2@sha256:74834d3d25b336b62cabeb8bf7f1d788706e2cf1cfd64022de4137ade8881ff2 + * registry.k8s.io/ingress-nginx/controller-chroot:v1.8.2@sha256:1317a563219f755a6094d990057c78e5c4dcea5e31f4ce1db8641e732a7d6133 + +### All Changes: + +* Release v1.8.2 and Update Go to v1.21.1 (#10379) +* Making auth access logs optional (#10380) +* [release-1.8] Disable Modsecurity from internal processing which affects large ingresses (#10375) +* promote distroless otel init image (#10270) +* [release-1.8] Update images tags after adding git data in gcloud (#10233) +* [release-1.8] Golang 1.20.6 for test runner (#10231) + +### Dependencies updates: +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-controller-v1.8.1...controller-controller-v1.8.2 diff --git a/changelog/Changelog-1.9.0-beta.0.md b/changelog/Changelog-1.9.0-beta.0.md new file mode 100644 index 000000000..d1ffe148f --- /dev/null +++ b/changelog/Changelog-1.9.0-beta.0.md @@ -0,0 +1,93 @@ +# Changelog + +### 1.9.0-beta.0 +Images: + + * registry.k8s.io/ingress-nginx/controller:v1.9.0-beta.0@sha256:531377e4cc9dc62af40d742402222603259673f5a755a64d74122f256dfad8f9 + * registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0-beta.0@sha256:60b4c95349ce2a81a3b2a76423ee483b847b89d3fa8cb148468434f606f3fa0c + +### All Changes: + +* Rework mage (#10418) +* Start release of v1.9.0 beta0 (#10407) +* Update k8s versions on CI (#10406) +* Add a flag to enable or disable aio_write (#10394) +* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372) +* Fix e2e test suite doc (#10396) +* Disable user snippets per default (#10393) +* Deployment/DaemonSet: Fix templating & value. (#10240) +* Fix deferInLoop error (#10387) +* Remove gofmt (#10385) +* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259) +* release notes 1.8.2 (#10389) +* fix: remove curl on base container #9716 (#10306) +* Fix http default backend test (#10382) +* Add golangci github action and replace the deprecated golint (#10187) +* BUGFIX incorrect indentation (#10254) +* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352) +* fix: path with sepecial characters warning #10281 #10308 (#10330) +* Fix golangci-lint errors (#10196) +* chore(build): Fix Run make dev-env syntax error (#10294) +* Add firewall configuration to quick start documentation (#10357) +* Making auth access logs optional (#10335) +* Fix โ€œdev-envโ€ Makefile target to work with kubectl 1.28+ (#10350) +* fix: update action file to auto release plugin #10197 (#10321) +* Use gzip instead of pigz in CI (#10348) +* Disable Modsecurity from internal processing which affects large ingresses (#10316) +* fix: add /etc/mime.types #10309 (#10310) +* Remove curl dependencies in e2e tests #9716 (#10296) +* docs: swap explanation to match example (#10220) +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* Updated index.md - Fix typos (#10256) +* Handle request_id variable correctly in auth requests (#9219) +* test kind updates (#10272) +* promote distroless otel init image (#10257) +* [helm] configure allow to configure hostAliases (#10180) +* Add rolling update strategy to each static deployment file (#10129) +* Implement annotation validation (#9673) +* Golang 1.20.6 for test runner (#10230) +* [helm] pass service annotations through helm tpl engine (#10084) +* Ignore deployment template's replicas if KEDA is enabled (#9534) +* chore: bump OpenResty to v1.21.4.2 (#10219) +* Scanning port 10247 lead to tcp connection 502 error (#9815) +* revise Datadog trace sampling configuration (#10151) +* Clarify TCP/UDP service docs (#10146) +* Exposed continent data as variable in the case of Maxmind city files (#10157) +* Cleanup errcheck code (#10166) +* Fix golang-ci linter errors (#10128) +* Deprecate and remove AJP support (#10158) +* release notes 1.8.1 (#10161) + +### Dependencies updates: +* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355) +* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399) +* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403) +* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402) +* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404) +* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400) +* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398) +* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401) +* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373) +* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374) +* Bump Go version to 1.21.1 (#10377) +* Bump Go version to 1.21.1 on testrunner (#10378) +* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365) +* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353) +* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354) +* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333) +* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313) +* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332) +* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314) +* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298) +* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282) +* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258) +* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280) +* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244) +* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193) +* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207) +* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192) +* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191) +* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0-beta.0 diff --git a/changelog/Changelog-1.9.0.md b/changelog/Changelog-1.9.0.md new file mode 100644 index 000000000..cd5396f05 --- /dev/null +++ b/changelog/Changelog-1.9.0.md @@ -0,0 +1,93 @@ +# Changelog + +### 1.9.0 +Images: + + * registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 + * registry.k8s.io/ingress-nginx/controller-chroot:v1.9.0@sha256:d9fa7a136de2104fb2ecfcf1666978bfab927f4a125b75c0fb471e6104366ab5 + +### All Changes: + +* Rework mage (#10418) +* Start release of v1.9.0 beta0 (#10407) +* Update k8s versions on CI (#10406) +* Add a flag to enable or disable aio_write (#10394) +* Update external-articles.md - advanced setup with GKE/Cloud Armor/IAP (#10372) +* Fix e2e test suite doc (#10396) +* Disable user snippets per default (#10393) +* Deployment/DaemonSet: Fix templating & value. (#10240) +* Fix deferInLoop error (#10387) +* Remove gofmt (#10385) +* Deployment/DaemonSet: Template `topologySpreadConstraints`. (#10259) +* release notes 1.8.2 (#10389) +* fix: remove curl on base container #9716 (#10306) +* Fix http default backend test (#10382) +* Add golangci github action and replace the deprecated golint (#10187) +* BUGFIX incorrect indentation (#10254) +* Upgrade OpenTelemetry to v1.11.0 and gRPC to v1.57.0 (#10352) +* fix: path with sepecial characters warning #10281 #10308 (#10330) +* Fix golangci-lint errors (#10196) +* chore(build): Fix Run make dev-env syntax error (#10294) +* Add firewall configuration to quick start documentation (#10357) +* Making auth access logs optional (#10335) +* Fix โ€œdev-envโ€ Makefile target to work with kubectl 1.28+ (#10350) +* fix: update action file to auto release plugin #10197 (#10321) +* Use gzip instead of pigz in CI (#10348) +* Disable Modsecurity from internal processing which affects large ingresses (#10316) +* fix: add /etc/mime.types #10309 (#10310) +* Remove curl dependencies in e2e tests #9716 (#10296) +* docs: swap explanation to match example (#10220) +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* Updated index.md - Fix typos (#10256) +* Handle request_id variable correctly in auth requests (#9219) +* test kind updates (#10272) +* promote distroless otel init image (#10257) +* [helm] configure allow to configure hostAliases (#10180) +* Add rolling update strategy to each static deployment file (#10129) +* Implement annotation validation (#9673) +* Golang 1.20.6 for test runner (#10230) +* [helm] pass service annotations through helm tpl engine (#10084) +* Ignore deployment template's replicas if KEDA is enabled (#9534) +* chore: bump OpenResty to v1.21.4.2 (#10219) +* Scanning port 10247 lead to tcp connection 502 error (#9815) +* revise Datadog trace sampling configuration (#10151) +* Clarify TCP/UDP service docs (#10146) +* Exposed continent data as variable in the case of Maxmind city files (#10157) +* Cleanup errcheck code (#10166) +* Fix golang-ci linter errors (#10128) +* Deprecate and remove AJP support (#10158) +* release notes 1.8.1 (#10161) + +### Dependencies updates: +* Bump github.com/onsi/ginkgo/v2 from 2.9.5 to 2.12.0 (#10355) +* Bump golang.org/x/crypto from 0.12.0 to 0.13.0 (#10399) +* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10403) +* Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#10402) +* Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#10404) +* Bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#10400) +* Bump google.golang.org/grpc from 1.57.0 to 1.58.0 (#10398) +* Bump actions/dependency-review-action from 3.0.8 to 3.1.0 (#10401) +* Bump github.com/cyphar/filepath-securejoin from 0.2.3 to 0.2.4 (#10373) +* Bump github.com/cyphar/filepath-securejoin in /magefiles (#10374) +* Bump Go version to 1.21.1 (#10377) +* Bump Go version to 1.21.1 on testrunner (#10378) +* Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#10365) +* Bump docker/setup-buildx-action from 2.9.1 to 2.10.0 (#10353) +* Bump actions/checkout from 3.5.3 to 3.6.0 (#10354) +* Bump actions/dependency-review-action from 3.0.6 to 3.0.8 (#10333) +* Bump actions/setup-go from 4.0.1 to 4.1.0 (#10313) +* Bump securego/gosec from 2.16.0 to 2.17.0 (#10332) +* Bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (#10314) +* Bump github.com/opencontainers/runc from 1.1.8 to 1.1.9 (#10298) +* Bump k8s.io/component-base from 0.26.4 to 0.27.4 (Replace Topology Aware Hints with Topology Aware Routing) (#10282) +* Bump google.golang.org/grpc from 1.56.2 to 1.57.0 (#10258) +* Bump golang.org/x/crypto from 0.11.0 to 0.12.0 (#10280) +* Bump github.com/opencontainers/runc from 1.1.7 to 1.1.8 (#10244) +* Bump google.golang.org/grpc from 1.56.1 to 1.56.2 (#10193) +* Bump docker/setup-buildx-action from 2.9.0 to 2.9.1 (#10207) +* Bump golang.org/x/crypto from 0.10.0 to 0.11.0 (#10192) +* Bump docker/setup-buildx-action from 2.8.0 to 2.9.0 (#10191) +* Bump docker/setup-buildx-action from 2.7.0 to 2.8.0 (#10165) + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/controller-release-1.8...controller-controller-v1.9.0 diff --git a/charts/ingress-nginx/Chart.yaml b/charts/ingress-nginx/Chart.yaml index de5fe4df0..058e4c862 100644 --- a/charts/ingress-nginx/Chart.yaml +++ b/charts/ingress-nginx/Chart.yaml @@ -1,15 +1,15 @@ annotations: artifacthub.io/changes: | - - "Added a doc line to the missing helm value service.internal.loadBalancerIP (#9406)" - - "feat(helm): Add loadBalancerClass (#9562)" - - "added helmshowvalues example (#10019)" - - "Update Ingress-Nginx version controller-v1.8.1" + - "ci(helm): fix Helm Chart release action 422 error (#10237)" + - "helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249)" + - "[helm] configure allow to configure hostAliases (#10180)" + - "[helm] pass service annotations through helm tpl engine (#10084)" + - "Update Ingress-Nginx version controller-v1.9.0" artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.8.1 +appVersion: 1.9.0 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -engine: gotpl home: https://github.com/kubernetes/ingress-nginx icon: https://upload.wikimedia.org/wikipedia/commons/thumb/c/c5/Nginx_logo.svg/500px-Nginx_logo.svg.png keywords: @@ -23,4 +23,4 @@ maintainers: name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.7.1 +version: 4.8.0 diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 6288da3e3..40ee83137 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.7.1](https://img.shields.io/badge/Version-4.7.1-informational?style=flat-square) ![AppVersion: 1.8.1](https://img.shields.io/badge/AppVersion-1.8.1-informational?style=flat-square) +![Version: 4.8.0](https://img.shields.io/badge/Version-4.8.0-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -249,7 +249,6 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.key | string | `"/usr/local/certificates/key"` | | | controller.admissionWebhooks.labels | object | `{}` | Labels to be added to admission webhooks | | controller.admissionWebhooks.namespaceSelector | object | `{}` | | -| controller.admissionWebhooks.networkPolicyEnabled | bool | `false` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | | controller.admissionWebhooks.patch.image.digest | string | `"sha256:543c40fd093964bc9ab509d3e791f9989963021f1e9e4c9c7b6700b02bfb227b"` | | @@ -274,7 +273,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.service.servicePort | int | `443` | | | controller.admissionWebhooks.service.type | string | `"ClusterIP"` | | | controller.affinity | object | `{}` | Affinity and anti-affinity rules for server scheduling to nodes # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity # | -| controller.allowSnippetAnnotations | bool | `true` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | +| controller.allowSnippetAnnotations | bool | `false` | This configuration defines if Ingress Controller should allow users to set their own *-snippet annotations, otherwise this is forbidden / dropped when users add those annotations. Global snippets in ConfigMap are still respected | | controller.annotations | object | `{}` | Annotations to be added to the controller Deployment or DaemonSet # | | controller.autoscaling.annotations | object | `{}` | | | controller.autoscaling.behavior | object | `{}` | | @@ -296,7 +295,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.electionID | string | `""` | Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' | | controller.enableAnnotationValidations | bool | `false` | | | controller.enableMimalloc | bool | `true` | Enable mimalloc as a drop-in replacement for malloc. # ref: https://github.com/microsoft/mimalloc # | -| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" Defaults to false | +| controller.enableTopologyAwareRouting | bool | `false` | This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" Defaults to false | | controller.existingPsp | string | `""` | Use an existing PSP instead of creating one | | controller.extraArgs | object | `{}` | Additional command line arguments to pass to Ingress-Nginx Controller E.g. to specify the default SSL certificate you can use | | controller.extraContainers | list | `[]` | Additional containers to be added to the controller pod. See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. | @@ -307,7 +306,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.extraVolumes | list | `[]` | Additional volumes to the controller pod. | | controller.healthCheckHost | string | `""` | Address to bind the health check endpoint. It is better to set this option to the internal node address if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode. | | controller.healthCheckPath | string | `"/healthz"` | Path of the health check endpoint. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. | -| controller.hostAliases | object | `{}` | Optionally customize the pod hostAliases. | +| controller.hostAliases | list | `[]` | Optionally customize the pod hostAliases. | | controller.hostNetwork | bool | `false` | Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 is merged | | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not | | controller.hostPort.ports.http | int | `80` | 'hostPort' http port | @@ -315,13 +314,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `true` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd"` | | -| controller.image.digestChroot | string | `"sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627"` | | +| controller.image.digest | string | `"sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60"` | | +| controller.image.digestChroot | string | `"sha256:d9fa7a136de2104fb2ecfcf1666978bfab927f4a125b75c0fb471e6104366ab5"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.registry | string | `"registry.k8s.io"` | | | controller.image.runAsUser | int | `101` | | -| controller.image.tag | string | `"v1.8.1"` | | +| controller.image.tag | string | `"v1.9.0"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource.controllerValue | string | `"k8s.io/ingress-nginx"` | Controller-value of the controller that is processing this ingressClass | @@ -374,10 +373,12 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. Define either 'minAvailable' or 'maxUnavailable', never both. | | controller.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | controller.name | string | `"controller"` | | +| controller.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for controller pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | controller.opentelemetry.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0"` | | +| controller.opentelemetry.image | string | `"registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | +| controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | | controller.podLabels | object | `{}` | Labels to add to the pod container metadata | | controller.podSecurityContext | object | `{}` | Security Context policies for controller pods | @@ -471,6 +472,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.minAvailable | int | `1` | | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | +| defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | defaultBackend.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for default backend pod assignment # Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ # | | defaultBackend.podAnnotations | object | `{}` | Annotations to be added to default backend pods # | | defaultBackend.podLabels | object | `{}` | Labels to add to the pod container metadata | diff --git a/charts/ingress-nginx/changelog/Changelog-4.7.2.md b/charts/ingress-nginx/changelog/Changelog-4.7.2.md new file mode 100644 index 000000000..57b17b982 --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-4.7.2.md @@ -0,0 +1,9 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.7.2 + +* Update Ingress-Nginx version controller-v1.8.2 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.1...helm-chart-4.7.2 diff --git a/charts/ingress-nginx/changelog/Changelog-4.8.0-beta.0.md b/charts/ingress-nginx/changelog/Changelog-4.8.0-beta.0.md new file mode 100644 index 000000000..9072a75b4 --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-4.8.0-beta.0.md @@ -0,0 +1,13 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.0-beta.0 + +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* [helm] configure allow to configure hostAliases (#10180) +* [helm] pass service annotations through helm tpl engine (#10084) +* Update Ingress-Nginx version controller-v1.9.0-beta.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0-beta.0 diff --git a/charts/ingress-nginx/changelog/Changelog-4.8.0.md b/charts/ingress-nginx/changelog/Changelog-4.8.0.md new file mode 100644 index 000000000..af8f1241f --- /dev/null +++ b/charts/ingress-nginx/changelog/Changelog-4.8.0.md @@ -0,0 +1,13 @@ +# Changelog + +This file documents all notable changes to [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Helm Chart. The release numbering uses [semantic versioning](http://semver.org). + +### 4.8.0 + +* ci(helm): fix Helm Chart release action 422 error (#10237) +* helm: Use .Release.Namespace as default for ServiceMonitor namespace (#10249) +* [helm] configure allow to configure hostAliases (#10180) +* [helm] pass service annotations through helm tpl engine (#10084) +* Update Ingress-Nginx version controller-v1.9.0 + +**Full Changelog**: https://github.com/kubernetes/ingress-nginx/compare/helm-chart-4.7.2...helm-chart-4.8.0 diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 548e8cf12..bd268cfb2 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -198,7 +198,6 @@ IngressClass parameters. Extra modules. */}} {{- define "extraModules" -}} - - name: {{ .name }} image: {{ .image }} {{- if .distroless | default false }} @@ -209,8 +208,10 @@ Extra modules. {{- if .containerSecurityContext }} securityContext: {{ .containerSecurityContext | toYaml | nindent 4 }} {{- end }} + {{- if .resources }} + resources: {{ .resources | toYaml | nindent 4 }} + {{- end }} volumeMounts: - name: {{ toYaml "modules"}} mountPath: {{ toYaml "/modules_mount"}} - {{- end -}} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml index 08b32257c..d59da7c9c 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/networkpolicy.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.networkPolicyEnabled }} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -16,11 +16,11 @@ metadata: spec: podSelector: matchLabels: - {{- include "ingress-nginx.labels" . | nindent 6 }} + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: admission-webhook policyTypes: - - Ingress - - Egress + - Ingress + - Egress egress: - - {} + - {} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index 82abe7564..b55db1761 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -45,6 +45,9 @@ spec: {{- if .Values.controller.dnsConfig }} dnsConfig: {{ toYaml .Values.controller.dnsConfig | nindent 8 }} {{- end }} + {{- if .Values.controller.hostAliases }} + hostAliases: {{ tpl (toYaml .Values.controller.hostAliases) $ | nindent 8 }} + {{- end }} {{- if .Values.controller.hostname }} hostname: {{ toYaml .Values.controller.hostname | nindent 8 }} {{- end }} @@ -180,13 +183,14 @@ spec: {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} - {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} -{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }} {{- end }} {{- end }} {{- if .Values.controller.opentelemetry.enabled}} - {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext) | nindent 8}} + {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }} + {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}} {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} @@ -202,7 +206,7 @@ spec: affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} {{- end }} {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index 537c3feef..df597076a 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml @@ -24,8 +24,7 @@ spec: {{- end }} revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} {{- if .Values.controller.updateStrategy }} - strategy: - {{ toYaml .Values.controller.updateStrategy | nindent 4 }} + strategy: {{ toYaml .Values.controller.updateStrategy | nindent 4 }} {{- end }} minReadySeconds: {{ .Values.controller.minReadySeconds }} template: @@ -187,13 +186,14 @@ spec: {{- end }} {{- if .Values.controller.extraModules }} {{- range .Values.controller.extraModules }} - {{ $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} -{{ include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | indent 8 }} + {{- $containerSecurityContext := .containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{- include "extraModules" (dict "name" .name "image" .image "containerSecurityContext" $containerSecurityContext) | nindent 8 }} {{- end }} {{- end }} {{- if .Values.controller.opentelemetry.enabled}} - {{ $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} - {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" false) | nindent 8}} + {{- $otelContainerSecurityContext := $.Values.controller.opentelemetry.containerSecurityContext | default $.Values.controller.containerSecurityContext }} + {{ $otelResources := $.Values.controller.opentelemetry.resources | default dict }} + {{- include "extraModules" (dict "name" "opentelemetry" "image" .Values.controller.opentelemetry.image "containerSecurityContext" $otelContainerSecurityContext "distroless" true "resources" $otelResources) | nindent 8}} {{- end}} {{- end }} {{- if .Values.controller.hostNetwork }} @@ -209,7 +209,7 @@ spec: affinity: {{ toYaml .Values.controller.affinity | nindent 8 }} {{- end }} {{- if .Values.controller.topologySpreadConstraints }} - topologySpreadConstraints: {{ toYaml .Values.controller.topologySpreadConstraints | nindent 8 }} + topologySpreadConstraints: {{ tpl (toYaml .Values.controller.topologySpreadConstraints) $ | nindent 8 }} {{- end }} serviceAccountName: {{ template "ingress-nginx.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} diff --git a/charts/ingress-nginx/templates/controller-networkpolicy.yaml b/charts/ingress-nginx/templates/controller-networkpolicy.yaml new file mode 100644 index 000000000..15d6012f7 --- /dev/null +++ b/charts/ingress-nginx/templates/controller-networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if .Values.controller.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.controller.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.controller.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: controller + policyTypes: + - Ingress + - Egress + ingress: + - ports: + {{- range $key, $value := .Values.controller.containerPort }} + - protocol: TCP + port: {{ $value }} + {{- end }} + {{- if .Values.controller.metrics.enabled }} + - protocol: TCP + port: {{ .Values.controller.metrics.port }} + {{- end }} + {{- if .Values.controller.admissionWebhooks.enabled }} + - protocol: TCP + port: {{ .Values.controller.admissionWebhooks.port }} + {{- end }} + {{- range $key, $value := .Values.tcp }} + - protocol: TCP + port: {{ $key }} + {{- end }} + {{- range $key, $value := .Values.udp }} + - protocol: UDP + port: {{ $key }} + {{- end }} + egress: + - {} +{{- end }} diff --git a/charts/ingress-nginx/templates/controller-serviceaccount.yaml b/charts/ingress-nginx/templates/controller-serviceaccount.yaml index e6e776d09..e9e9f32ef 100644 --- a/charts/ingress-nginx/templates/controller-serviceaccount.yaml +++ b/charts/ingress-nginx/templates/controller-serviceaccount.yaml @@ -11,8 +11,7 @@ metadata: name: {{ template "ingress-nginx.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- if .Values.serviceAccount.annotations }} - annotations: - {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} + annotations: {{ toYaml .Values.serviceAccount.annotations | nindent 4 }} {{- end }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 8ab16f0b2..482fe7f3c 100644 --- a/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/charts/ingress-nginx/templates/controller-servicemonitor.yaml @@ -5,6 +5,8 @@ metadata: name: {{ include "ingress-nginx.controller.fullname" . }} {{- if .Values.controller.metrics.serviceMonitor.namespace }} namespace: {{ .Values.controller.metrics.serviceMonitor.namespace | quote }} +{{- else }} + namespace: {{ .Release.Namespace }} {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} diff --git a/charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml b/charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml deleted file mode 100644 index f74c2fbf3..000000000 --- a/charts/ingress-nginx/templates/controller-webhooks-networkpolicy.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.controller.admissionWebhooks.enabled }} -{{- if .Values.controller.admissionWebhooks.networkPolicyEnabled }} - -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "ingress-nginx.fullname" . }}-webhooks-allow - namespace: {{ .Release.Namespace }} -spec: - ingress: - - {} - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "ingress-nginx.name" . }} - policyTypes: - - Ingress - -{{- end }} -{{- end }} diff --git a/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml b/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml new file mode 100644 index 000000000..f3a012657 --- /dev/null +++ b/charts/ingress-nginx/templates/default-backend-networkpolicy.yaml @@ -0,0 +1,25 @@ +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + labels: + {{- include "ingress-nginx.labels" . | nindent 4 }} + app.kubernetes.io/component: default-backend + {{- with .Values.defaultBackend.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "ingress-nginx.defaultBackend.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: default-backend + policyTypes: + - Ingress + - Egress + ingress: + - ports: + - protocol: TCP + port: {{ .Values.defaultBackend.port }} +{{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 8205b3506..2541f268d 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -24,9 +24,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.8.1" - digest: sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd - digestChroot: sha256:e0d4121e3c5e39de9122e55e331a32d5ebf8d4d257227cb93ab54a1b912a7627 + tag: "v1.9.0" + digest: sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 + digestChroot: sha256:d9fa7a136de2104fb2ecfcf1666978bfab927f4a125b75c0fb471e6104366ab5 pullPolicy: IfNotPresent # www-data -> uid 101 runAsUser: 101 @@ -50,7 +50,15 @@ controller: # -- Optionally customize the pod dnsConfig. dnsConfig: {} # -- Optionally customize the pod hostAliases. - hostAliases: {} + hostAliases: [] + # - ip: 127.0.0.1 + # hostnames: + # - foo.local + # - bar.local + # - ip: 10.1.2.3 + # hostnames: + # - foo.remote + # - bar.remote # -- Optionally customize the pod hostname. hostname: {} # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. @@ -66,14 +74,14 @@ controller: watchIngressWithoutClass: false # -- Process IngressClass per name (additionally as per spec.controller). ingressClassByName: false - # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-aware-hints="auto" + # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto" # Defaults to false enableTopologyAwareRouting: false # -- This configuration defines if Ingress Controller should allow users to set # their own *-snippet annotations, otherwise this is forbidden / dropped # when users add those annotations. # Global snippets in ConfigMap are still respected - allowSnippetAnnotations: true + allowSnippetAnnotations: false # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 # is merged @@ -88,6 +96,10 @@ controller: http: 80 # -- 'hostPort' https port https: 443 + # NetworkPolicy for controller component. + networkPolicy: + # -- Enable 'networkPolicy' or not + enabled: false # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader' electionID: "" ## This section refers to the creation of the IngressClass resource @@ -248,12 +260,22 @@ controller: ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - # labelSelector: + # - labelSelector: # matchLabels: - # app.kubernetes.io/instance: ingress-nginx-internal + # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' + # app.kubernetes.io/instance: '{{ .Release.Name }}' + # app.kubernetes.io/component: controller + # topologyKey: topology.kubernetes.io/zone + # maxSkew: 1 + # whenUnsatisfiable: ScheduleAnyway + # - labelSelector: + # matchLabels: + # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' + # app.kubernetes.io/instance: '{{ .Release.Name }}' + # app.kubernetes.io/component: controller + # topologyKey: kubernetes.io/hostname + # maxSkew: 1 + # whenUnsatisfiable: ScheduleAnyway # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready ## wait up to five minutes for the drain of connections @@ -556,9 +578,10 @@ controller: opentelemetry: enabled: false - image: registry.k8s.io/ingress-nginx/opentelemetry:v20230527@sha256:fd7ec835f31b7b37187238eb4fdad4438806e69f413a203796263131f4f02ed0 + image: registry.k8s.io/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 containerSecurityContext: allowPrivilegeEscalation: false + resources: {} admissionWebhooks: annotations: {} # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem". @@ -587,7 +610,6 @@ controller: labels: {} # -- Use an existing PSP instead of creating one existingPsp: "" - networkPolicyEnabled: false service: annotations: {} # clusterIP: "" @@ -853,6 +875,12 @@ defaultBackend: maxReplicas: 2 targetCPUUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50 + + # NetworkPolicy for default backend component. + networkPolicy: + # -- Enable 'networkPolicy' or not + enabled: false + service: annotations: {} # clusterIP: "" diff --git a/cmd/dataplane/main.go b/cmd/dataplane/main.go index a1c4cbcc6..65f898df6 100644 --- a/cmd/dataplane/main.go +++ b/cmd/dataplane/main.go @@ -18,11 +18,12 @@ package main import ( "fmt" - "github.com/prometheus/client_golang/prometheus" - "github.com/prometheus/client_golang/prometheus/collectors" "net/http" "os" + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/collectors" + "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/controller" diff --git a/cmd/dbg/main.go b/cmd/dbg/main.go index 41a3c2772..b63bcf5fe 100644 --- a/cmd/dbg/main.go +++ b/cmd/dbg/main.go @@ -114,7 +114,6 @@ func main() { fmt.Println(err) os.Exit(1) } - } func backendsAll() { @@ -155,10 +154,16 @@ func backendsList() { fmt.Println(unmarshalErr) return } - backends := f.([]interface{}) + backends, ok := f.([]interface{}) + if !ok { + fmt.Printf("unexpected type: %T", f) + } for _, backendi := range backends { - backend := backendi.(map[string]interface{}) + backend, ok := backendi.(map[string]interface{}) + if !ok { + fmt.Printf("unexpected type: %T", backendi) + } fmt.Println(backend["name"].(string)) } } @@ -180,12 +185,22 @@ func backendsGet(name string) { fmt.Println(unmarshalErr) return } - backends := f.([]interface{}) + backends, ok := f.([]interface{}) + if !ok { + fmt.Printf("unexpected type: %T", f) + } for _, backendi := range backends { - backend := backendi.(map[string]interface{}) + backend, ok := backendi.(map[string]interface{}) + if !ok { + fmt.Printf("unexpected type: %T", backendi) + } if backend["name"].(string) == name { - printed, _ := json.MarshalIndent(backend, "", " ") + printed, err := json.MarshalIndent(backend, "", " ") + if err != nil { + fmt.Println(err) + return + } fmt.Println(string(printed)) return } @@ -213,18 +228,7 @@ func certGet(host string) { } func general() { - //TODO: refactor to obtain ingress-nginx pod count from the api server - /* - statusCode, body, requestErr := nginx.NewGetStatusRequest(generalPath) - if requestErr != nil { - fmt.Println(requestErr) - return - } - if statusCode != 200 { - fmt.Printf("Nginx returned code %v\n", statusCode) - return - } - */ + // TODO: refactor to obtain ingress-nginx pod count from the api server var prettyBuffer bytes.Buffer indentErr := json.Indent(&prettyBuffer, []byte("{}"), "", " ") diff --git a/cmd/nginx/logger.go b/cmd/nginx/logger.go index 13ec095fa..323085c83 100644 --- a/cmd/nginx/logger.go +++ b/cmd/nginx/logger.go @@ -47,5 +47,4 @@ func logger(address string) { server.Wait() klog.Infof("Stopping logger") - } diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index 508e940e1..1d30091ef 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -153,7 +153,6 @@ func main() { if errExists == nil { conf.IsChroot = true go logger(conf.InternalLoggerAddress) - } go metrics.StartHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux) @@ -282,10 +281,10 @@ func checkService(key string, kubeClient *kubernetes.Clientset) error { } if errors.IsNotFound(err) { - return fmt.Errorf("No service with name %v found in namespace %v: %v", name, ns, err) + return fmt.Errorf("no service with name %v found in namespace %v: %v", name, ns, err) } - return fmt.Errorf("Unexpected error searching service with name %v in namespace %v: %v", name, ns, err) + return fmt.Errorf("unexpected error searching service with name %v in namespace %v: %v", name, ns, err) } return nil diff --git a/cmd/nginx/main_test.go b/cmd/nginx/main_test.go index f57c02c5e..13f1e9eec 100644 --- a/cmd/nginx/main_test.go +++ b/cmd/nginx/main_test.go @@ -47,7 +47,7 @@ func TestCreateApiserverClient(t *testing.T) { func init() { // the default value of nginx.TemplatePath assumes the template exists in // the root filesystem and not in the rootfs directory - path, err := filepath.Abs(filepath.Join("../../rootfs/", nginx.TemplatePath)) + path, err := filepath.Abs(filepath.Join("..", "..", "rootfs", nginx.TemplatePath)) if err == nil { nginx.TemplatePath = path } @@ -87,14 +87,14 @@ func TestHandleSigterm(t *testing.T) { ingressflags.ResetForTesting(func() { t.Fatal("bad parse") }) - os.Setenv("POD_NAME", podName) - os.Setenv("POD_NAMESPACE", namespace) + t.Setenv("POD_NAME", podName) + t.Setenv("POD_NAMESPACE", namespace) oldArgs := os.Args defer func() { - os.Setenv("POD_NAME", "") - os.Setenv("POD_NAMESPACE", "") + t.Setenv("POD_NAME", "") + t.Setenv("POD_NAMESPACE", "") os.Args = oldArgs }() diff --git a/cmd/plugin/commands/backends/backends.go b/cmd/plugin/commands/backends/backends.go index afc98e4d6..ff44fd9c2 100644 --- a/cmd/plugin/commands/backends/backends.go +++ b/cmd/plugin/commands/backends/backends.go @@ -63,13 +63,14 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return cmd } -func backends(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, backend string, onlyList bool) error { +func backends(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container, backend string, onlyList bool) error { var command []string - if onlyList { + switch { + case onlyList: command = []string{"/dbg", "backends", "list"} - } else if backend != "" { + case backend != "": command = []string{"/dbg", "backends", "get", backend} - } else { + default: command = []string{"/dbg", "backends", "all"} } diff --git a/cmd/plugin/commands/certs/certs.go b/cmd/plugin/commands/certs/certs.go index 1f08b5216..ee27cf1b1 100644 --- a/cmd/plugin/commands/certs/certs.go +++ b/cmd/plugin/commands/certs/certs.go @@ -59,7 +59,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return cmd } -func certs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, host string) error { +func certs(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container, host string) error { command := []string{"/dbg", "certs", "get", host} pod, err := request.ChoosePod(flags, podName, deployment, selector) diff --git a/cmd/plugin/commands/conf/conf.go b/cmd/plugin/commands/conf/conf.go index a7f03a062..090fb40bb 100644 --- a/cmd/plugin/commands/conf/conf.go +++ b/cmd/plugin/commands/conf/conf.go @@ -55,7 +55,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return cmd } -func conf(flags *genericclioptions.ConfigFlags, host string, podName string, deployment string, selector string, container string) error { +func conf(flags *genericclioptions.ConfigFlags, host, podName, deployment, selector, container string) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err diff --git a/cmd/plugin/commands/exec/exec.go b/cmd/plugin/commands/exec/exec.go index f06aaeb23..8e853c534 100644 --- a/cmd/plugin/commands/exec/exec.go +++ b/cmd/plugin/commands/exec/exec.go @@ -55,7 +55,7 @@ type execFlags struct { Stdin bool } -func exec(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, cmd []string, opts execFlags) error { +func exec(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string, cmd []string, opts execFlags) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err diff --git a/cmd/plugin/commands/general/general.go b/cmd/plugin/commands/general/general.go index fa6c1301f..cea403562 100644 --- a/cmd/plugin/commands/general/general.go +++ b/cmd/plugin/commands/general/general.go @@ -47,7 +47,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return cmd } -func general(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string) error { +func general(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err diff --git a/cmd/plugin/commands/ingresses/ingresses.go b/cmd/plugin/commands/ingresses/ingresses.go index dff967103..8a25418db 100644 --- a/cmd/plugin/commands/ingresses/ingresses.go +++ b/cmd/plugin/commands/ingresses/ingresses.go @@ -74,9 +74,9 @@ func ingresses(flags *genericclioptions.ConfigFlags, host string, allNamespaces if host != "" { rowsWithHost := make([]ingressRow, 0) - for _, row := range rows { - if row.Host == host { - rowsWithHost = append(rowsWithHost, row) + for i := range rows { + if rows[i].Host == host { + rowsWithHost = append(rowsWithHost, rows[i]) } } rows = rowsWithHost @@ -91,7 +91,8 @@ func ingresses(flags *genericclioptions.ConfigFlags, host string, allNamespaces fmt.Fprintln(printer, "INGRESS NAME\tHOST+PATH\tADDRESSES\tTLS\tSERVICE\tSERVICE PORT\tENDPOINTS") } - for _, row := range rows { + for i := range rows { + row := &rows[i] var tlsMsg string if row.TLS { tlsMsg = "YES" @@ -134,8 +135,8 @@ type ingressRow struct { func getIngressRows(ingresses *[]networking.Ingress) []ingressRow { rows := make([]ingressRow, 0) - for _, ing := range *ingresses { - + for i := range *ingresses { + ing := &(*ingresses)[i] address := "" for _, lbIng := range ing.Status.LoadBalancer.Ingress { if len(lbIng.IP) > 0 { @@ -182,7 +183,7 @@ func getIngressRows(ingresses *[]networking.Ingress) []ingressRow { for _, rule := range ing.Spec.Rules { _, hasTLS := tlsHosts[rule.Host] - //Handle ingress with no paths + // Handle ingress with no paths if rule.HTTP == nil { row := ingressRow{ Namespace: ing.Namespace, diff --git a/cmd/plugin/commands/ingresses/ingresses_test.go b/cmd/plugin/commands/ingresses/ingresses_test.go index 6a8d8837f..7a90efe46 100644 --- a/cmd/plugin/commands/ingresses/ingresses_test.go +++ b/cmd/plugin/commands/ingresses/ingresses_test.go @@ -24,7 +24,6 @@ import ( ) func TestGetIngressInformation(t *testing.T) { - testcases := map[string]struct { ServiceBackend *networking.IngressServiceBackend wantName string diff --git a/cmd/plugin/commands/lint/main.go b/cmd/plugin/commands/lint/main.go index 2daf8eb87..847fe86c9 100644 --- a/cmd/plugin/commands/lint/main.go +++ b/cmd/plugin/commands/lint/main.go @@ -111,11 +111,13 @@ type lintOptions struct { } func (opts *lintOptions) Validate() error { + //nolint:dogsled // Ignore 3 blank identifiers _, _, _, err := util.ParseVersionString(opts.versionFrom) if err != nil { return err } + //nolint:dogsled // Ignore 3 blank identifiers _, _, _, err = util.ParseVersionString(opts.versionTo) if err != nil { return err @@ -131,9 +133,9 @@ type lint interface { Version() string } -func checkObjectArray(lints []lint, objects []kmeta.Object, opts lintOptions) { +func checkObjectArray(allLints []lint, objects []kmeta.Object, opts lintOptions) { usedLints := make([]lint, 0) - for _, lint := range lints { + for _, lint := range allLints { lintVersion := lint.Version() if lint.Version() == "" { lintVersion = "0.0.0" @@ -189,7 +191,7 @@ func ingresses(opts lintOptions) error { return err } - var iLints []lints.IngressLint = lints.GetIngressLints() + iLints := lints.GetIngressLints() genericLints := make([]lint, len(iLints)) for i := range iLints { genericLints[i] = iLints[i] @@ -216,7 +218,7 @@ func deployments(opts lintOptions) error { return err } - var iLints []lints.DeploymentLint = lints.GetDeploymentLints() + iLints := lints.GetDeploymentLints() genericLints := make([]lint, len(iLints)) for i := range iLints { genericLints[i] = iLints[i] diff --git a/cmd/plugin/commands/logs/logs.go b/cmd/plugin/commands/logs/logs.go index 56f4fc640..22068d469 100644 --- a/cmd/plugin/commands/logs/logs.go +++ b/cmd/plugin/commands/logs/logs.go @@ -95,7 +95,7 @@ func (o *logsFlags) toStrings() []string { return r } -func logs(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string, opts logsFlags) error { +func logs(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string, opts logsFlags) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err diff --git a/cmd/plugin/commands/ssh/ssh.go b/cmd/plugin/commands/ssh/ssh.go index fe1b3e9fe..a4762d781 100644 --- a/cmd/plugin/commands/ssh/ssh.go +++ b/cmd/plugin/commands/ssh/ssh.go @@ -45,7 +45,7 @@ func CreateCommand(flags *genericclioptions.ConfigFlags) *cobra.Command { return cmd } -func ssh(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string, container string) error { +func ssh(flags *genericclioptions.ConfigFlags, podName, deployment, selector, container string) error { pod, err := request.ChoosePod(flags, podName, deployment, selector) if err != nil { return err diff --git a/cmd/plugin/kubectl/kubectl.go b/cmd/plugin/kubectl/kubectl.go index 1171e9218..cb33243fc 100644 --- a/cmd/plugin/kubectl/kubectl.go +++ b/cmd/plugin/kubectl/kubectl.go @@ -38,11 +38,11 @@ func PodExecString(flags *genericclioptions.ConfigFlags, pod *apiv1.Pod, contain // ExecToString runs a kubectl subcommand and returns stdout as a string func ExecToString(flags *genericclioptions.ConfigFlags, args []string) (string, error) { - kArgs := getKubectlConfigFlags(flags) - kArgs = append(kArgs, args...) + kubectlArgs := getKubectlConfigFlags(flags) + kubectlArgs = append(kubectlArgs, args...) buf := bytes.NewBuffer(make([]byte, 0)) - err := execToWriter(append([]string{"kubectl"}, kArgs...), buf) + err := execToWriter(append([]string{"kubectl"}, kubectlArgs...), buf) if err != nil { return "", err } @@ -51,9 +51,9 @@ func ExecToString(flags *genericclioptions.ConfigFlags, args []string) (string, // Exec replaces the current process with a kubectl invocation func Exec(flags *genericclioptions.ConfigFlags, args []string) error { - kArgs := getKubectlConfigFlags(flags) - kArgs = append(kArgs, args...) - return execCommand(append([]string{"kubectl"}, kArgs...)) + kubectlArgs := getKubectlConfigFlags(flags) + kubectlArgs = append(kubectlArgs, args...) + return execCommand(append([]string{"kubectl"}, kubectlArgs...)) } // Replaces the currently running process with the given command @@ -70,6 +70,7 @@ func execCommand(args []string) error { // Runs a command and returns stdout func execToWriter(args []string, writer io.Writer) error { + //nolint:gosec // Ignore G204 error cmd := exec.Command(args[0], args[1:]...) op, err := cmd.StdoutPipe() @@ -78,7 +79,7 @@ func execToWriter(args []string, writer io.Writer) error { } go func() { - io.Copy(writer, op) //nolint:errcheck + io.Copy(writer, op) //nolint:errcheck // Ignore the error }() err = cmd.Run() if err != nil { @@ -106,7 +107,6 @@ func getKubectlConfigFlags(flags *genericclioptions.ConfigFlags) []string { appendStringFlag(o, flags.Password, "password") appendStringFlag(o, flags.ClusterName, "cluster") appendStringFlag(o, flags.AuthInfoName, "user") - //appendStringFlag(o, flags.Namespace, "namespace") appendStringFlag(o, flags.Context, "context") appendStringFlag(o, flags.APIServer, "server") appendBoolFlag(o, flags.Insecure, "insecure-skip-tls-verify") @@ -128,7 +128,7 @@ func appendBoolFlag(out *[]string, in *bool, flag string) { } } -func appendStringArrayFlag(out *[]string, in *[]string, flag string) { +func appendStringArrayFlag(out, in *[]string, flag string) { if in != nil && len(*in) > 0 { *out = append(*out, fmt.Sprintf("--%v=%v'", flag, strings.Join(*in, ","))) } diff --git a/cmd/plugin/lints/deployment.go b/cmd/plugin/lints/deployment.go index a1c473f1e..ce1712284 100644 --- a/cmd/plugin/lints/deployment.go +++ b/cmd/plugin/lints/deployment.go @@ -35,7 +35,10 @@ type DeploymentLint struct { // Check returns true if the lint detects an issue func (lint DeploymentLint) Check(obj kmeta.Object) bool { - cmp := obj.(*v1.Deployment) + cmp, ok := obj.(*v1.Deployment) + if !ok { + util.PrintError(fmt.Errorf("unexpected type: %T", obj)) + } return lint.f(*cmp) } @@ -72,11 +75,11 @@ func removedFlag(flag string, issueNumber int, version string) DeploymentLint { issue: issueNumber, version: version, f: func(dep v1.Deployment) bool { - if !isIngressNginxDeployment(dep) { + if !isIngressNginxDeployment(&dep) { return false } - args := getNginxArgs(dep) + args := getNginxArgs(&dep) for _, arg := range args { if strings.HasPrefix(arg, fmt.Sprintf("--%v", flag)) { return true @@ -88,8 +91,9 @@ func removedFlag(flag string, issueNumber int, version string) DeploymentLint { } } -func getNginxArgs(dep v1.Deployment) []string { - for _, container := range dep.Spec.Template.Spec.Containers { +func getNginxArgs(dep *v1.Deployment) []string { + for i := range dep.Spec.Template.Spec.Containers { + container := &dep.Spec.Template.Spec.Containers[i] if len(container.Args) > 0 && container.Args[0] == "/nginx-ingress-controller" { return container.Args } @@ -97,10 +101,10 @@ func getNginxArgs(dep v1.Deployment) []string { return make([]string, 0) } -func isIngressNginxDeployment(dep v1.Deployment) bool { +func isIngressNginxDeployment(dep *v1.Deployment) bool { containers := dep.Spec.Template.Spec.Containers - for _, container := range containers { - if len(container.Args) > 0 && container.Args[0] == "/nginx-ingress-controller" { + for i := range containers { + if len(containers[i].Args) > 0 && containers[i].Args[0] == "/nginx-ingress-controller" { return true } } diff --git a/cmd/plugin/lints/ingress.go b/cmd/plugin/lints/ingress.go index ea08bfd8b..d5ad42e2c 100644 --- a/cmd/plugin/lints/ingress.go +++ b/cmd/plugin/lints/ingress.go @@ -30,13 +30,16 @@ type IngressLint struct { message string issue int version string - f func(ing networking.Ingress) bool + f func(ing *networking.Ingress) bool } // Check returns true if the lint detects an issue func (lint IngressLint) Check(obj kmeta.Object) bool { - ing := obj.(*networking.Ingress) - return lint.f(*ing) + ing, ok := obj.(*networking.Ingress) + if !ok { + util.PrintError(fmt.Errorf("unexpected type: %T", obj)) + } + return lint.f(ing) } // Message is a description of the lint @@ -94,7 +97,7 @@ func GetIngressLints() []IngressLint { } } -func xForwardedPrefixIsBool(ing networking.Ingress) bool { +func xForwardedPrefixIsBool(ing *networking.Ingress) bool { for name, val := range ing.Annotations { if strings.HasSuffix(name, "/x-forwarded-prefix") && (val == "true" || val == "false") { return true @@ -103,7 +106,7 @@ func xForwardedPrefixIsBool(ing networking.Ingress) bool { return false } -func annotationPrefixIsNginxCom(ing networking.Ingress) bool { +func annotationPrefixIsNginxCom(ing *networking.Ingress) bool { for name := range ing.Annotations { if strings.HasPrefix(name, "nginx.com/") { return true @@ -112,7 +115,7 @@ func annotationPrefixIsNginxCom(ing networking.Ingress) bool { return false } -func annotationPrefixIsNginxOrg(ing networking.Ingress) bool { +func annotationPrefixIsNginxOrg(ing *networking.Ingress) bool { for name := range ing.Annotations { if strings.HasPrefix(name, "nginx.org/") { return true @@ -121,7 +124,7 @@ func annotationPrefixIsNginxOrg(ing networking.Ingress) bool { return false } -func rewriteTargetWithoutCaptureGroup(ing networking.Ingress) bool { +func rewriteTargetWithoutCaptureGroup(ing *networking.Ingress) bool { for name, val := range ing.Annotations { if strings.HasSuffix(name, "/rewrite-target") && !strings.Contains(val, "$1") { return true @@ -135,7 +138,7 @@ func removedAnnotation(annotationName string, issueNumber int, version string) I message: fmt.Sprintf("Contains the removed %v annotation.", annotationName), issue: issueNumber, version: version, - f: func(ing networking.Ingress) bool { + f: func(ing *networking.Ingress) bool { for annotation := range ing.Annotations { if strings.HasSuffix(annotation, "/"+annotationName) { return true @@ -146,7 +149,7 @@ func removedAnnotation(annotationName string, issueNumber int, version string) I } } -func satisfyDirective(ing networking.Ingress) bool { +func satisfyDirective(ing *networking.Ingress) bool { for name, val := range ing.Annotations { if strings.HasSuffix(name, "/configuration-snippet") { return strings.Contains(val, "satisfy") diff --git a/cmd/plugin/main.go b/cmd/plugin/main.go index f3a809715..e9a8ea59a 100644 --- a/cmd/plugin/main.go +++ b/cmd/plugin/main.go @@ -24,7 +24,7 @@ import ( "k8s.io/cli-runtime/pkg/genericclioptions" - //Just importing this is supposed to allow cloud authentication + // Just importing this is supposed to allow cloud authentication // eg GCP, AWS, Azure ... _ "k8s.io/client-go/plugin/pkg/client/auth" diff --git a/cmd/plugin/request/request.go b/cmd/plugin/request/request.go index d6ee6bead..280be8d9f 100644 --- a/cmd/plugin/request/request.go +++ b/cmd/plugin/request/request.go @@ -32,7 +32,7 @@ import ( ) // ChoosePod finds a pod either by deployment or by name -func ChoosePod(flags *genericclioptions.ConfigFlags, podName string, deployment string, selector string) (apiv1.Pod, error) { +func ChoosePod(flags *genericclioptions.ConfigFlags, podName, deployment, selector string) (apiv1.Pod, error) { if podName != "" { return GetNamedPod(flags, podName) } @@ -51,9 +51,9 @@ func GetNamedPod(flags *genericclioptions.ConfigFlags, name string) (apiv1.Pod, return apiv1.Pod{}, err } - for _, pod := range allPods { - if pod.Name == name { - return pod, nil + for i := range allPods { + if allPods[i].Name == name { + return allPods[i], nil } } @@ -111,7 +111,7 @@ func GetIngressDefinitions(flags *genericclioptions.ConfigFlags, namespace strin } // GetNumEndpoints counts the number of endpointslices adresses for the service with the given name -func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace string, serviceName string) (*int, error) { +func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace, serviceName string) (*int, error) { epss, err := GetEndpointSlicesByName(flags, namespace, serviceName) if err != nil { return nil, err @@ -122,25 +122,26 @@ func GetNumEndpoints(flags *genericclioptions.ConfigFlags, namespace string, ser } ret := 0 - for _, eps := range epss { - for _, ep := range eps.Endpoints { - ret += len(ep.Addresses) + for i := range epss { + eps := &epss[i] + for j := range eps.Endpoints { + ret += len(eps.Endpoints[j].Addresses) } } return &ret, nil } // GetEndpointSlicesByName returns the endpointSlices for the service with the given name -func GetEndpointSlicesByName(flags *genericclioptions.ConfigFlags, namespace string, name string) ([]discoveryv1.EndpointSlice, error) { +func GetEndpointSlicesByName(flags *genericclioptions.ConfigFlags, namespace, name string) ([]discoveryv1.EndpointSlice, error) { allEndpointsSlices, err := getEndpointSlices(flags, namespace) if err != nil { return nil, err } var eps []discoveryv1.EndpointSlice - for _, slice := range allEndpointsSlices { - if svcName, ok := slice.ObjectMeta.GetLabels()[discoveryv1.LabelServiceName]; ok { + for i := range allEndpointsSlices { + if svcName, ok := allEndpointsSlices[i].ObjectMeta.GetLabels()[discoveryv1.LabelServiceName]; ok { if svcName == name { - eps = append(eps, slice) + eps = append(eps, allEndpointsSlices[i]) } } } @@ -161,7 +162,7 @@ func getEndpointSlices(flags *genericclioptions.ConfigFlags, namespace string) ( tryAllNamespacesEndpointSlicesCache(flags) } - cachedEndpointSlices = tryFilteringEndpointSlicesFromAllNamespacesCache(flags, namespace) + cachedEndpointSlices = tryFilteringEndpointSlicesFromAllNamespacesCache(namespace) if cachedEndpointSlices != nil { return *cachedEndpointSlices, nil @@ -188,13 +189,13 @@ func tryAllNamespacesEndpointSlicesCache(flags *genericclioptions.ConfigFlags) { } } -func tryFilteringEndpointSlicesFromAllNamespacesCache(flags *genericclioptions.ConfigFlags, namespace string) *[]discoveryv1.EndpointSlice { +func tryFilteringEndpointSlicesFromAllNamespacesCache(namespace string) *[]discoveryv1.EndpointSlice { allEndpointSlices := endpointSlicesCache[""] if allEndpointSlices != nil { endpointSlices := make([]discoveryv1.EndpointSlice, 0) - for _, slice := range *allEndpointSlices { - if slice.Namespace == namespace { - endpointSlices = append(endpointSlices, slice) + for i := range *allEndpointSlices { + if (*allEndpointSlices)[i].Namespace == namespace { + endpointSlices = append(endpointSlices, (*allEndpointSlices)[i]) } } endpointSlicesCache[namespace] = &endpointSlices @@ -213,9 +214,9 @@ func GetServiceByName(flags *genericclioptions.ConfigFlags, name string, service services = &servicesArray } - for _, svc := range *services { - if svc.Name == name { - return svc, nil + for i := range *services { + if (*services)[i].Name == name { + return (*services)[i], nil } } @@ -239,7 +240,6 @@ func getLabeledPods(flags *genericclioptions.ConfigFlags, label string) ([]apiv1 pods, err := client.CoreV1().Pods(namespace).List(context.TODO(), metav1.ListOptions{ LabelSelector: label, }) - if err != nil { return make([]apiv1.Pod, 0), err } @@ -254,9 +254,9 @@ func getDeploymentPods(flags *genericclioptions.ConfigFlags, deployment string) } ingressPods := make([]apiv1.Pod, 0) - for _, pod := range pods { - if util.PodInDeployment(pod, deployment) { - ingressPods = append(ingressPods, pod) + for i := range pods { + if util.PodInDeployment(&pods[i], deployment) { + ingressPods = append(ingressPods, pods[i]) } } @@ -272,5 +272,4 @@ func getServices(flags *genericclioptions.ConfigFlags) ([]apiv1.Service, error) } return services.Items, nil - } diff --git a/cmd/plugin/util/util.go b/cmd/plugin/util/util.go index e1910140d..7457b8c53 100644 --- a/cmd/plugin/util/util.go +++ b/cmd/plugin/util/util.go @@ -29,8 +29,8 @@ import ( // The default deployment and service names for ingress-nginx const ( - DefaultIngressDeploymentName = "ingress-nginx-controller" - DefaultIngressServiceName = "ingress-nginx-controller" + DefaultIngressDeploymentName = "ingress-nginx-controller" //#nosec G101 + DefaultIngressServiceName = "ingress-nginx-controller" //#nosec G101 DefaultIngressContainerName = "controller" ) @@ -47,17 +47,25 @@ func PrintError(e error) { } // ParseVersionString returns the major, minor, and patch numbers of a version string -func ParseVersionString(v string) (int, int, int, error) { +func ParseVersionString(v string) (major, minor, patch int, err error) { parts := versionRegex.FindStringSubmatch(v) if len(parts) != 4 { return 0, 0, 0, fmt.Errorf("could not parse %v as a version string (like 0.20.3)", v) } - major, _ := strconv.Atoi(parts[1]) - minor, _ := strconv.Atoi(parts[2]) - patch, _ := strconv.Atoi(parts[3]) - + major, err = strconv.Atoi(parts[1]) + if err != nil { + return 0, 0, 0, err + } + minor, err = strconv.Atoi(parts[2]) + if err != nil { + return 0, 0, 0, err + } + patch, err = strconv.Atoi(parts[3]) + if err != nil { + return 0, 0, 0, err + } return major, minor, patch, nil } @@ -90,7 +98,7 @@ func isVersionLessThan(a, b string) bool { // PodInDeployment returns whether a pod is part of a deployment with the given name // a pod is considered to be in {deployment} if it is owned by a replicaset with a name of format {deployment}-otherchars -func PodInDeployment(pod apiv1.Pod, deployment string) bool { +func PodInDeployment(pod *apiv1.Pod, deployment string) bool { for _, owner := range pod.OwnerReferences { if owner.Controller == nil || !*owner.Controller || owner.Kind != "ReplicaSet" { continue @@ -138,7 +146,7 @@ func AddContainerFlag(cmd *cobra.Command) *string { // GetNamespace takes a set of kubectl flag values and returns the namespace we should be operating in func GetNamespace(flags *genericclioptions.ConfigFlags) string { namespace, _, err := flags.ToRawKubeConfigLoader().Namespace() - if err != nil || len(namespace) == 0 { + if err != nil || namespace == "" { namespace = apiv1.NamespaceDefault } return namespace diff --git a/deploy/static/provider/aws/deploy.yaml b/deploy/static/provider/aws/deploy.yaml index 2c785fab2..854d50e37 100644 --- a/deploy/static/provider/aws/deploy.yaml +++ b/deploy/static/provider/aws/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,7 +422,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 spec: containers: - args: @@ -446,7 +446,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -518,7 +518,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -529,7 +529,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create spec: containers: @@ -565,7 +565,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -576,7 +576,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch spec: containers: @@ -614,7 +614,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -627,7 +627,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml index 7eb2a4c12..28dbe82a5 100644 --- a/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml +++ b/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" http-snippet: | server { listen 2443; @@ -335,7 +335,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -353,7 +353,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -386,7 +386,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -409,7 +409,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -431,7 +431,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 spec: containers: - args: @@ -455,7 +455,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -530,7 +530,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -541,7 +541,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create spec: containers: @@ -577,7 +577,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -588,7 +588,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch spec: containers: @@ -626,7 +626,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -639,7 +639,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/baremetal/deploy.yaml b/deploy/static/provider/baremetal/deploy.yaml index ba5b71838..a757ff71e 100644 --- a/deploy/static/provider/baremetal/deploy.yaml +++ b/deploy/static/provider/baremetal/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 spec: containers: - args: @@ -440,7 +440,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -512,7 +512,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -523,7 +523,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create spec: containers: @@ -559,7 +559,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -570,7 +570,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch spec: containers: @@ -608,7 +608,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -621,7 +621,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/cloud/deploy.yaml b/deploy/static/provider/cloud/deploy.yaml index 0bb95331f..9c55fb0de 100644 --- a/deploy/static/provider/cloud/deploy.yaml +++ b/deploy/static/provider/cloud/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -373,7 +373,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -396,7 +396,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -418,7 +418,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -514,7 +514,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -525,7 +525,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create spec: containers: @@ -561,7 +561,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -572,7 +572,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch spec: containers: @@ -610,7 +610,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -623,7 +623,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/do/deploy.yaml b/deploy/static/provider/do/deploy.yaml index 9ef7f86ee..c44569512 100644 --- a/deploy/static/provider/do/deploy.yaml +++ b/deploy/static/provider/do/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" use-proxy-protocol: "true" kind: ConfigMap metadata: @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -421,7 +421,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 spec: containers: - args: @@ -445,7 +445,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -517,7 +517,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -528,7 +528,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create spec: containers: @@ -564,7 +564,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -575,7 +575,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch spec: containers: @@ -613,7 +613,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -626,7 +626,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/exoscale/deploy.yaml b/deploy/static/provider/exoscale/deploy.yaml index d09c9bbb4..5ddda1a2f 100644 --- a/deploy/static/provider/exoscale/deploy.yaml +++ b/deploy/static/provider/exoscale/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -349,7 +349,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -382,7 +382,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -405,7 +405,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -423,7 +423,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 spec: containers: - args: @@ -447,7 +447,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -523,7 +523,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -534,7 +534,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create spec: containers: @@ -570,7 +570,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -581,7 +581,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch spec: containers: @@ -619,7 +619,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -632,7 +632,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/kind/deploy.yaml b/deploy/static/provider/kind/deploy.yaml index f9965d0fe..e26cdc070 100644 --- a/deploy/static/provider/kind/deploy.yaml +++ b/deploy/static/provider/kind/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -340,7 +340,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -372,7 +372,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -395,7 +395,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -417,7 +417,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 spec: containers: - args: @@ -442,7 +442,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -524,7 +524,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -535,7 +535,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create spec: containers: @@ -571,7 +571,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -582,7 +582,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch spec: containers: @@ -620,7 +620,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -633,7 +633,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/oracle/deploy.yaml b/deploy/static/provider/oracle/deploy.yaml index 4c93acfb2..8733ee83b 100644 --- a/deploy/static/provider/oracle/deploy.yaml +++ b/deploy/static/provider/oracle/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" kind: ConfigMap metadata: labels: @@ -328,7 +328,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -344,7 +344,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -377,7 +377,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -400,7 +400,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -422,7 +422,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 spec: containers: - args: @@ -446,7 +446,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -518,7 +518,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -529,7 +529,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create spec: containers: @@ -565,7 +565,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -576,7 +576,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch spec: containers: @@ -614,7 +614,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -627,7 +627,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/deploy/static/provider/scw/deploy.yaml b/deploy/static/provider/scw/deploy.yaml index a57ef5ded..fceda01a7 100644 --- a/deploy/static/provider/scw/deploy.yaml +++ b/deploy/static/provider/scw/deploy.yaml @@ -15,7 +15,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx --- @@ -27,7 +27,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx --- @@ -39,7 +39,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx rules: @@ -129,7 +129,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx rules: @@ -148,7 +148,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx rules: - apiGroups: @@ -230,7 +230,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission rules: - apiGroups: @@ -249,7 +249,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx namespace: ingress-nginx roleRef: @@ -269,7 +269,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission namespace: ingress-nginx roleRef: @@ -288,7 +288,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io @@ -307,7 +307,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission roleRef: apiGroup: rbac.authorization.k8s.io @@ -320,7 +320,7 @@ subjects: --- apiVersion: v1 data: - allow-snippet-annotations: "true" + allow-snippet-annotations: "false" use-proxy-protocol: "true" kind: ConfigMap metadata: @@ -329,7 +329,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx --- @@ -343,7 +343,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -376,7 +376,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller-admission namespace: ingress-nginx spec: @@ -399,7 +399,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-controller namespace: ingress-nginx spec: @@ -421,7 +421,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 spec: containers: - args: @@ -445,7 +445,7 @@ spec: fieldPath: metadata.namespace - name: LD_PRELOAD value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.8.1@sha256:e5c4824e7375fcf2a393e1c03c293b69759af37a9ca6abdb91b13d78a93da8bd + image: registry.k8s.io/ingress-nginx/controller:v1.9.0@sha256:c15d1a617858d90fb8f8a2dd60b0676f2bb85c54e3ed11511794b86ec30c8c60 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -517,7 +517,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create namespace: ingress-nginx spec: @@ -528,7 +528,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-create spec: containers: @@ -564,7 +564,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch namespace: ingress-nginx spec: @@ -575,7 +575,7 @@ spec: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission-patch spec: containers: @@ -613,7 +613,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: nginx spec: controller: k8s.io/ingress-nginx @@ -626,7 +626,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.8.1 + app.kubernetes.io/version: 1.9.0 name: ingress-nginx-admission webhooks: - admissionReviewVersions: diff --git a/docs/deploy/index.md b/docs/deploy/index.md index d719d4a57..ae28c2502 100644 --- a/docs/deploy/index.md +++ b/docs/deploy/index.md @@ -68,7 +68,7 @@ helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx **If you don't have Helm** or if you prefer to use a YAML manifest, you can run the following command instead: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` !!! info @@ -80,6 +80,12 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont Because of api deprecations, the default manifest may not work on your cluster. Specific manifests for supported Kubernetes versions are available within a sub-folder of each provider. +### Firewall configuration + +To check which ports are used by your installation of ingress-nginx, look at the output of `kubectl -n ingress-nginx get pod -o yaml`. In general, you need: +- Port 8443 open between all hosts on which the kubernetes nodes are running. This is used for the ingress-nginx [admission controller](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). +- Port 80 (for HTTP) and/or 443 (for HTTPS) open to the public on the kubernetes nodes to which the DNS of your apps are pointing. + ### Pre-flight check A few pods should start in the `ingress-nginx` namespace: @@ -243,7 +249,7 @@ In AWS, we use a Network load balancer (NLB) to expose the Ingress-Nginx Control ##### Network Load Balancer (NLB) ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/aws/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/aws/deploy.yaml ``` ##### TLS termination in AWS Load Balancer (NLB) @@ -251,10 +257,10 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont By default, TLS is terminated in the ingress controller. But it is also possible to terminate TLS in the Load Balancer. This section explains how to do that on AWS using an NLB. -1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template +1. Download the [deploy.yaml](https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml) template ```console - wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml + wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml ``` 2. Edit the file and change the VPC CIDR in use for the Kubernetes cluster: @@ -300,7 +306,7 @@ Then, the ingress controller can be installed like this: ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` !!! warning @@ -317,7 +323,7 @@ Proxy-protocol is supported in GCE check the [Official Documentations on how to #### Azure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` More information with regard to Azure annotations for ingress controller can be found in the [official AKS documentation](https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip#create-an-ingress-controller). @@ -325,7 +331,7 @@ More information with regard to Azure annotations for ingress controller can be #### Digital Ocean ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/do/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/do/deploy.yaml ``` - By default the service object of the ingress-nginx-controller for Digital-Ocean, only configures one annotation. Its this one `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"`. While this makes the service functional, it was reported that the Digital-Ocean LoadBalancer graphs shows `no data`, unless a few other annotations are also configured. Some of these other annotations require values that can not be generic and hence not forced in a out-of-the-box installation. These annotations and a discussion on them is well documented in [this issue](https://github.com/kubernetes/ingress-nginx/issues/8965). Please refer to the issue to add annotations, with values specific to user, to get graphs of the DO-LB populated with data. @@ -333,7 +339,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/cont #### Scaleway ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/scw/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/scw/deploy.yaml ``` #### Exoscale @@ -348,7 +354,7 @@ The full list of annotations supported by Exoscale is available in the Exoscale #### Oracle Cloud Infrastructure ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/cloud/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/cloud/deploy.yaml ``` A @@ -375,7 +381,7 @@ For quick testing, you can use a This should work on almost every cluster, but it will typically use a port in the range 30000-32767. ```console -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.1/deploy/static/provider/baremetal/deploy.yaml +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/baremetal/deploy.yaml ``` For more information about bare metal deployments (and how to use port 80 instead of a random port in the 30000-32767 range), diff --git a/docs/e2e-tests.md b/docs/e2e-tests.md index c45b1e72c..bd3936801 100644 --- a/docs/e2e-tests.md +++ b/docs/e2e-tests.md @@ -6,901 +6,552 @@ Do not try to edit it manually. # e2e test suite for [Ingress NGINX Controller](https://github.com/kubernetes/ingress-nginx/tree/main/) - -### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L37) - -- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L45) -- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L72) -- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L89) -- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L110) -- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L127) -- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L138) -- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L152) -- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L166) -- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L201) -- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L217) -- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L233) -- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/admission/admission.go#L244) - -### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L35) - -- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L42) -- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L64) -- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L99) -- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L121) -- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L194) -- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L225) -- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L248) -- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L270) -- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L294) -- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L320) -- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L352) -- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L372) -- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L412) -- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L435) -- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinity.go#L458) - -### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L31) - -- [Balanced affinity mode should balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L34) -- [Check persistent affinity mode](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/affinitymode.go#L67) - -### [server-alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L29) - -- [should return status code 200 for host 'foo' and 404 for 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L36) -- [should return status code 200 for host 'foo' and 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L62) -- [should return status code 200 for hosts defined in two ingresses, different path with one alias](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/alias.go#L87) - -### [app-root](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L28) - -- [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/approot.go#L35) - -### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L29) - -- [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L36) -- [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L84) -- [should 302 redirect to error page instead of 400 when auth-tls-error-page is set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L114) -- [should pass URL-encoded certificate to upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L161) -- [should validate auth-tls-verify-client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L206) -- [should return 403 using auth-tls-match-cn with no matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L266) -- [should return 200 using auth-tls-match-cn with matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L295) -- [should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/authtls.go#L324) - -### [backend-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L27) - -- [should set backend protocol to https:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L34) -- [should set backend protocol to $scheme:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L49) -- [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L64) -- [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L79) -- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/backendprotocol.go#L94) - -### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L28) - -- [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L35) -- [should set client_body_buffer_size to 1K](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L57) -- [should set client_body_buffer_size to 1k](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L79) -- [should set client_body_buffer_size to 1m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L101) -- [should set client_body_buffer_size to 1M](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L123) -- [should not set client_body_buffer_size to invalid 1b](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/clientbodybuffersize.go#L145) - -### [cors-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L28) - -- [should enable cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L35) -- [should set cors methods to only allow POST, GET](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L62) -- [should set cors max-age](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L78) -- [should disable cors allow credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L94) -- [should allow origin for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L110) -- [should allow headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L137) -- [should expose headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L153) -- [should allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L169) -- [should not allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L196) -- [should allow correct origins - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L216) -- [should not break functionality](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L267) -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L291) -- [should not break functionality with extra domain](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L314) -- [should not match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L338) -- [should allow - single origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L358) -- [should not allow - single origin with port and origin without port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L386) -- [should not allow - single origin without port and origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L405) -- [should allow - matching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L425) -- [should not allow - unmatching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L468) -- [should allow - matching origin+port with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L488) -- [should not allow - portless origin with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L515) -- [should allow correct origins - missing subdomain + origin with wildcard origin and correct origin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L535) -- [should allow - missing origins (should allow all origins)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/cors.go#L571) - -### [custom-http-errors](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L34) - -- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/customhttperrors.go#L41) - -### [default-backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L29) - -- [should use a custom default backend as upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/default_backend.go#L37) - -### [disable-access-log disable-http-access-log disable-stream-access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L28) - -- [disable-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L35) -- [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L53) -- [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/disableaccesslog.go#L71) - -### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L30) - -- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L37) -- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L54) -- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L71) -- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fastcgi.go#L102) - -### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L27) - -- [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/forcesslredirect.go#L34) - -### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L31) - -- [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L38) -- [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/fromtowwwredirect.go#L64) - -### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L30) - -- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/globalratelimit.go#L38) - -### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L27) - -- [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/http2pushpreload.go#L34) - -### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L28) - -- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L35) -- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipdenylist.go#L86) - -### [whitelist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L27) - -- [should set valid ip whitelist range](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/ipwhitelist.go#L34) - -### [Annotation - limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L31) - -- [should limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitconnections.go#L38) - -### [limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L29) - -- [Check limit-rate annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/limitrate.go#L37) - -### [enable-access-log enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L27) - -- [set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L34) -- [set rewrite_log on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/log.go#L49) - -### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L28) - -- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L35) -- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L53) -- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L74) -- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L91) -- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L110) -- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L132) -- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L153) -- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L189) -- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L225) -- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L264) -- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L305) -- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/modsecurity/modsecurity.go#L347) - -### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L27) - -- [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/preservetrailingslash.go#L34) - -### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L28) - -- [should set proxy_redirect to off](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L36) -- [should set proxy_redirect to default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L52) -- [should set proxy_redirect to hello.com goodbye.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L68) -- [should set proxy client-max-body-size to 8m](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L85) -- [should not set proxy client-max-body-size to incorrect value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L100) -- [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L115) -- [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L136) -- [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L157) -- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L179) -- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L194) -- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L215) -- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxy.go#L233) - -### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L30) - -- [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L37) -- [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L64) -- [should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L94) -- [should set valid proxy-ssl-secret, proxy-ssl-protocols](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L122) -- [proxy-ssl-location-only flag should change the nginx config server part](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/proxyssl.go#L150) - -### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L30) - -- [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L33) -- [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/redirect.go#L61) - -### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L30) - -- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L37) -- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L66) -- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L111) -- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L158) -- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/rewrite.go#L190) - -### [server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L28) - -- [add valid directives to server via server snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L35) -- [drops server snippet if disabled by the administrator](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serversnippet.go#L61) - -### [service-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L32) - -- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L41) -- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L70) -- [should not use the Service Cluster IP and Port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/serviceupstream.go#L99) - -### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L28) - -- [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/sslciphers.go#L35) - -### [stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L34) - -- [should add value of stream-snippet to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L41) -- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/streamsnippet.go#L85) - -### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L76) - -- [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L83) -- [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamhashby.go#L92) - -### [upstream-vhost](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L27) - -- [set host to upstreamvhost.bar.com](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/upstreamvhost.go#L34) - -### [x-forwarded-prefix](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L28) - -- [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L35) -- [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/xforwardedprefix.go#L57) - -### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L39) - -- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L46) -- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L65) -- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L89) -- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L116) -- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L144) -- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L172) -- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L199) -- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L227) -- [ when external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L266) -- [ when external auth is not configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L284) -- [ when auth-headers are set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L301) -- [should set cache_key when external auth cache is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L322) -- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L411) -- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L422) -- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L433) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L472) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L481) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L492) -- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L516) -- [should not create additional upstream block when auth-keepalive is not set](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L539) -- [should not create additional upstream block when host part of auth-url contains a variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L557) -- [should not create additional upstream block when auth-keepalive is negative](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L577) -- [should not create additional upstream block when auth-keepalive is set with HTTP/2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L596) -- [should create additional upstream block when auth-keepalive is set with HTTP/1.x](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L610) -- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L653) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L662) -- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L673) -- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L732) -- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L752) -- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L780) -- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L809) -- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L839) -- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/auth.go#L847) - -### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L36) - -- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L45) -- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L89) -- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L120) -- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L174) -- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L232) -- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L289) -- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L363) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L445) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L513) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L594) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L647) -- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L692) -- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L741) -- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L790) -- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L862) -- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L910) -- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L952) -- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L995) -- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1031) -- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1070) -- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1104) -- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1138) -- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1175) -- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1242) -- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/canary.go#L1310) - -### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L28) - -- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/connection.go#L35) - -### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L28) - -- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L36) -- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L51) -- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/mirror.go#L67) - -### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L33) - -- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L40) -- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/satisfy.go#L82) - -### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L28) - -- [set snippet more_set_headers in all locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L34) -- [drops snippet more_set_header in all locations if disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/snippet.go#L63) - -### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L39) - -- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L42) -- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L67) -- [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L126) -- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/annotations/grpc.go#L186) - -### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L29) - -- [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L37) -- [should get information for a specific backend server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L56) -- [should produce valid JSON for /dbg general](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/dbg/main.go#L85) - -### [[Default Backend] custom service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L33) - -- [uses custom default backend that returns 200 as status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/custom_default_backend.go#L36) - -### [[Default Backend]](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L30) - -- [should return 404 sending requests when only a default backend is running](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L33) -- [enables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L88) -- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/default_backend.go#L105) - -### [[Default Backend] SSL](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L26) - -- [should return a self generated SSL certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/ssl.go#L29) - -### [[Default Backend] change default settings](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L30) - -- [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/defaultbackend/with_hosts.go#L38) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/e2e_test.go#L) - -### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L29) - -- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/longname.go#L38) - -### [[TopologyHints] topology aware routing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L35) - -- [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/endpointslices/topology.go#L43) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/exec.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/fastcgi_helloserver.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/grpc_fortune_teller.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/healthz.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/array.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/chain.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/chain.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/cookie.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/cookie.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/match.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/match.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/object.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/object.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/reporter.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/reporter.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/request.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/response.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/string.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/string.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/value.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/httpexpect/value.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/k8s.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/logs.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/metrics.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/ssl.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/test_context.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/util.go#L) - -### [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/deployment.go#L) - -### [[Setting] ](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L217) - -- [](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/framework/framework.go#L) - -### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L32) - -- [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/grace_period.go#L35) - -### [[Shutdown] ingress controller](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L30) - -- [should shutdown in less than 60 secons without pending connections](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L40) -- [should shutdown after waiting 60 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L61) -- [should shutdown after waiting 150 seconds for pending connections to be closed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/shutdown.go#L106) - -### [[Shutdown] Graceful shutdown with pending request](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L25) - -- [should let slow requests finish before shutting down](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/gracefulshutdown/slow_requests.go#L33) - -### [[Ingress] DeepInspection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/deep_inspection.go#L27) - -- [should drop whole ingress if one path matches invalid regex](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/deep_inspection.go#L34) - -### [single ingress - multiple hosts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L30) - -- [should set the correct $service_name NGINX variable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/multiple_rules.go#L38) - -### [[Ingress] [PathType] exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L30) - -- [should choose exact location for /exact](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_exact.go#L37) - -### [[Ingress] [PathType] mix Exact and Prefix paths](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L30) - -- [should choose the correct location](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_mixed.go#L39) - -### [[Ingress] [PathType] prefix checks](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L28) - -- [should return 404 when prefix /aaa does not match request /aaaccc](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/pathtype_prefix.go#L35) - -### [[Ingress] definition without host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L31) - -- [should set ingress details variables for ingresses without a host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L34) -- [should set ingress details variables for ingresses with host without IngressRuleValue, only Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ingress/without_host.go#L55) - -### [[Memory Leak] Dynamic Certificates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L35) - -- [should not leak memory from ingress SSL certificates or configuration updates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/leaks/lua_ssl.go#L42) - -### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L28) - -- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/configmap.go#L35) - -### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L31) - -- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/ewma.go#L42) - -### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L31) - -- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/loadbalance/round_robin.go#L39) - -### [[Lua] dynamic certificates](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L37) - -- [picks up the certificate when we add TLS spec to existing ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L45) -- [picks up the previously missing secret for a given ingress without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L70) -- [supports requests with domain with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L145) -- [picks up the updated certificate without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L149) -- [falls back to using default certificate when secret gets deleted without reloading](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L185) -- [picks up a non-certificate only change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L218) -- [removes HTTPS configuration when we delete TLS spec](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_certificates.go#L233) - -### [[Lua] dynamic configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L42) - -- [configures balancer Lua middleware correctly](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L50) -- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L62) -- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L87) -- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L125) -- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/lua/dynamic_configuration.go#L171) - -### [[metrics] exported prometheus metrics](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L36) - -- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L50) -- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/metrics/metrics.go#L72) - -### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L99) - -- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L102) -- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L115) -- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/nginx/nginx.go#L124) - -### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L32) - -- [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/security/request_smuggling.go#L39) - -### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L33) - -- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L36) -- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_backend.go#L54) - -### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L31) - -- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_nil_backend.go#L38) - -### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L37) - -- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L40) -- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L77) -- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L117) -- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L147) -- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L183) -- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L224) -- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L260) -- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/servicebackend/service_externalname.go#L347) - -### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L27) - -- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L32) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L42) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L54) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L67) -- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/access_log.go#L80) - -### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L29) - -- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L36) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L67) -- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L102) -- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/badannotationvalues.go#L133) - -### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L29) - -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/configmap_change.go#L36) - -### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L30) - -- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L40) -- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/custom_header.go#L65) - -### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L33) - -- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L64) -- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/default_ssl_certificate.go#L80) - -### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L33) - -- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L50) -- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L69) -- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L81) -- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_catch_all.go#L123) - -### [[Flag] disable-sync-events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L32) - -- [should create sync events (default)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L35) -- [should create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L53) -- [should not create sync events](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_sync_events.go#L80) - -### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L37) - -- [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L46) -- [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/geoip2.go#L70) - -### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L28) - -- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L38) -- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L55) -- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_access_block.go#L88) - -### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L28) - -- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L31) -- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_options.go#L38) - -### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L30) - -- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/globalratelimit.go#L38) - -### [gzip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L29) - -- [should be disabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L32) -- [should be enabled with default settings](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L39) -- [should set gzip_comp_level to 4](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L56) -- [should set gzip_disable to msie6](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L67) -- [should set gzip_min_length to 100](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L78) -- [should set gzip_types to application/javascript](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/gzip.go#L89) - -### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L27) - -- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L40) -- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L48) -- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L60) -- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L68) -- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L80) -- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L88) -- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/hash-size.go#L100) - -### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L39) - -- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L68) -- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L104) -- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L132) -- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L164) -- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L192) -- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L257) -- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L323) -- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L413) -- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L482) -- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L539) -- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L631) -- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ingress_class.go#L652) - -### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L28) - -- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/limit_rate.go#L36) - -### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L28) - -- [should not configure log-format escape by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L40) -- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L47) -- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L55) -- [should enable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L63) -- [should disable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L71) -- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L82) -- [log-format default escape](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L105) -- [log-format-escape-none enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/log-format.go#L128) - -### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L26) - -- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/lua_shared_dicts.go#L29) - -### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L27) - -- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/main_snippet.go#L31) - -### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) - -- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) - -### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L27) - -- [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L31) -- [should be enabled when set to true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L39) -- [should be disabled when set to false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/multi_accept.go#L49) - -### [[Flag] watch namespace selector](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L30) - -- [should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/namespace_selector.go#L63) - -### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L33) - -- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L54) -- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L68) -- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_auth_locations.go#L82) - -### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L42) - -- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ocsp/ocsp.go#L49) - -### [Configure Opentelemetry](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L37) - -- [should not exists opentelemetry directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L47) -- [should exists opentelemetry directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L60) -- [should include opentelemetry_trust_incoming_spans on directive when enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L74) -- [should not exists opentelemetry_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L89) -- [should exists opentelemetry_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentelemetry.go#L104) - -### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L48) - -- [should not exists opentracing directive](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L58) -- [should exists opentracing directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L71) -- [should include opentracing_trust_incoming_span off directive when disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L85) -- [should not exists opentracing_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L100) -- [should exists opentracing_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L115) -- [should not exists opentracing_location_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L130) -- [should exists opentracing_location_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L145) -- [should enable opentracing using zipkin](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L160) -- [should enable opentracing using jaeger](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L172) -- [should enable opentracing using jaeger with sampler host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L184) -- [should propagate the w3c header when configured with jaeger](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L197) -- [should enable opentracing using jaeger with an HTTP endpoint](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L228) -- [should enable opentracing using datadog](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/opentracing.go#L241) - -### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L28) - -- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/plugins.go#L35) - -### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L41) - -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy.go#L44) - -### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L37) - -- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/pod_security_policy_volumes.go#L40) - -### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L28) - -- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L36) -- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_connect_timeout.go#L52) - -### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L28) - -- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_next_upstream.go#L36) - -### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L28) - -- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L36) -- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_read_timeout.go#L52) - -### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L28) - -- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L36) -- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_send_timeout.go#L52) - -### [reuse-port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L27) - -- [reuse port should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L38) -- [reuse port should be disabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L44) -- [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/reuse-port.go#L52) - -### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L28) - -- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L35) -- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_snippet.go#L92) - -### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L29) - -- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L38) -- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/server_tokens.go#L50) - -### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L28) - -- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_ciphers.go#L31) - -### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L35) - -- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/stream_snippet.go#L42) - -### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L30) - -- [ condition](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/brotli.go#L38) - -### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L35) - -- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/disable_service_external_name.go#L55) - -### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L30) - -- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L40) -- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/enable_real_ip.go#L78) - -### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L29) - -- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L39) -- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/forwarded_headers.go#L91) - -### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L34) - -- [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L87) -- [should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L104) -- [should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L128) -- [should still return status code 200 after auth backend is deleted using cache](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L157) -- [should proxy_method method when global-auth-method is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L199) -- [should add custom error page when global-auth-signin url is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L212) -- [should add auth headers when global-auth-response-headers is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L225) -- [should set request-redirect when global-auth-request-redirect is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L239) -- [should set snippet when global external auth is configured](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L252) -- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L328) -- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L339) -- [user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/global_external_auth.go#L350) - -### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L27) - -- [should set keepalive_timeout](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L39) -- [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L47) -- [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L58) -- [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L67) -- [should set keepalive time to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L76) -- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/keep-alive.go#L85) - -### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L30) - -- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L46) -- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L68) -- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/listen_nondefault_ports.go#L98) - -### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L27) - -- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/no_tls_redirect_locations.go#L30) - -### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L28) - -- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L36) -- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_host.go#L57) - -### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L36) - -- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L46) -- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L79) -- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L112) -- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/proxy_protocol.go#L155) - -### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L36) - -- [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L56) -- [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/ssl_passthrough.go#L79) - -### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L31) - -- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L65) -- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L111) -- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L127) -- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L146) -- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L166) -- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L187) -- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/settings/tls.go#L205) - -### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L29) - -- [should redirect from HTTP to HTTPS when secret is missing](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/http_redirect.go#L36) - -### [[SSL] secret update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L33) - -- [should not appear references to secret updates not used in ingress rules](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L40) -- [should return the fake SSL certificate if the secret is invalid](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/ssl/secret_update.go#L82) - -### [[Status] status update](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L38) - -- [should update status field after client-go reconnection](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/status/update.go#L43) - -### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L38) - -- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L46) -- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L80) -- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main/test/e2e/tcpudp/tcp.go#L169) \ No newline at end of file +### [[Admission] admission controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L39) +- [reject ingress with global-rate-limit annotations when memcached is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L47) +- [should not allow overlaps of host and paths without canary annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L74) +- [should allow overlaps of host and paths with canary annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L91) +- [should block ingress with invalid path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L112) +- [should return an error if there is an error validating the ingress definition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L129) +- [should return an error if there is an invalid value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L149) +- [should return an error if there is a forbidden value in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L163) +- [should return an error if there is an invalid path and wrong pathType is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L177) +- [should not return an error if the Ingress V1 definition is valid with Ingress Class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L211) +- [should not return an error if the Ingress V1 definition is valid with IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L227) +- [should return an error if the Ingress V1 definition contains invalid annotations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L243) +- [should not return an error for an invalid Ingress when it has unknown class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/admission/admission.go#L263) +### [affinity session-cookie-name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L43) +- [should set sticky cookie SERVERID](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L50) +- [should change cookie name on ingress definition change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L72) +- [should set the path to /something on the generated cookie](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L107) +- [does not set the path to / on the generated cookie if there's more than one rule referring to the same backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L129) +- [should set cookie with expires](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L202) +- [should set cookie with domain](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L234) +- [should not set cookie without domain annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L257) +- [should work with use-regex annotation and session-cookie-path](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L279) +- [should warn user when use-regex is true and session-cookie-path is not set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L303) +- [should not set affinity across all server locations when using separate ingresses](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L329) +- [should set sticky cookie without host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L361) +- [should work with server-alias annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L381) +- [should set secure in cookie with provided true annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L421) +- [should not set secure in cookie with provided false annotation on http](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L444) +- [should set secure in cookie with provided false annotation on https](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinity.go#L467) +### [affinitymode](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinitymode.go#L33) +- [Balanced affinity mode should balance](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinitymode.go#L36) +- [Check persistent affinity mode](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/affinitymode.go#L69) +### [server-alias](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/alias.go#L31) +- [should return status code 200 for host 'foo' and 404 for 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/alias.go#L38) +- [should return status code 200 for host 'foo' and 'bar'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/alias.go#L64) +- [should return status code 200 for hosts defined in two ingresses, different path with one alias](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/alias.go#L89) +### [app-root](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/approot.go#L28) +- [should redirect to /foo](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/approot.go#L35) +### [auth-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L45) +- [should return status code 200 when no authentication is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L52) +- [should return status code 503 when authentication is configured with an invalid secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L71) +- [should return status code 401 when authentication is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L95) +- [should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L122) +- [should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L150) +- [should return status code 200 when authentication is configured and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L178) +- [should return status code 200 when authentication is configured with a map and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L205) +- [should return status code 401 when authentication is configured with invalid content and Authorization header is sent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L233) +- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L272) +- [proxy_set_header My-Custom-Header 42;](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L298) +- [proxy_set_header 'My-Custom-Header' '42';](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L324) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L432) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L443) +- [user with annotated ingress retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L454) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L493) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L502) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L513) +- [should overwrite Foo header with auth response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L537) +- [should return status code 200 when signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L713) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L722) +- [keeps processing new ingresses even if one of the existing ingresses is misconfigured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L733) +- [should return status code 200 when signed in after auth backend is deleted ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L792) +- [should deny login for different location on same server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L812) +- [should deny login for different servers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L840) +- [should redirect to signin url when not signed in](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L869) +- [should return 503 (location was denied)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L899) +- [should add error to the config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/auth.go#L907) +### [auth-tls-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L31) +- [should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L38) +- [should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L86) +- [should 302 redirect to error page instead of 400 when auth-tls-error-page is set](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L116) +- [should pass URL-encoded certificate to upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L163) +- [should validate auth-tls-verify-client](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L208) +- [should return 403 using auth-tls-match-cn with no matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L267) +- [should return 200 using auth-tls-match-cn with matching CN from client](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L296) +- [should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/authtls.go#L325) +### [backend-protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L29) +- [should set backend protocol to https:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L36) +- [should set backend protocol to $scheme:// and use proxy_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L51) +- [should set backend protocol to grpc:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L66) +- [should set backend protocol to grpcs:// and use grpc_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L81) +- [should set backend protocol to '' and use fastcgi_pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/backendprotocol.go#L96) +### [canary-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L36) +- [should response with a 200 status from the mainline upstream when requests are made to the mainline ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L45) +- [should return 404 status for requests to the canary if no matching ingress is found](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L89) +- [should return the correct status codes when endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L120) +- [should route requests to the correct upstream if mainline ingress is created before the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L174) +- [should route requests to the correct upstream if mainline ingress is created after the canary ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L232) +- [should route requests to the correct upstream if the mainline ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L289) +- [should route requests to the correct upstream if the canary ingress is modified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L363) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L445) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L513) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L594) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L647) +- [should routes to mainline upstream when the given Regex causes error](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L692) +- [should route requests to the correct upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L741) +- [respects always and never values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L790) +- [should route requests only to mainline if canary weight is 0](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L862) +- [should route requests only to canary if canary weight is 100](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L910) +- [should route requests only to canary if canary weight is equal to canary weight total](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L952) +- [should route requests split between mainline and canary if canary weight is 50](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L995) +- [should route requests split between mainline and canary if canary weight is 100 and weight total is 200](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1031) +- [should not use canary as a catch-all server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1070) +- [should not use canary with domain as a server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1104) +- [does not crash when canary ingress has multiple paths to the same non-matching backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1138) +- [always routes traffic to canary if first request was affinitized to canary (default behavior)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1175) +- [always routes traffic to canary if first request was affinitized to canary (explicit sticky behavior)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1242) +- [routes traffic to either mainline or canary backend (legacy behavior)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/canary.go#L1310) +### [client-body-buffer-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L30) +- [should set client_body_buffer_size to 1000](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L37) +- [should set client_body_buffer_size to 1K](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L59) +- [should set client_body_buffer_size to 1k](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L81) +- [should set client_body_buffer_size to 1m](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L103) +- [should set client_body_buffer_size to 1M](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L125) +- [should not set client_body_buffer_size to invalid 1b](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/clientbodybuffersize.go#L147) +### [connection-proxy-header](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/connection.go#L28) +- [set connection header to keep-alive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/connection.go#L35) +### [cors-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L33) +- [should enable cors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L40) +- [should set cors methods to only allow POST, GET](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L67) +- [should set cors max-age](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L83) +- [should disable cors allow credentials](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L99) +- [should allow origin for cors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L115) +- [should allow headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L142) +- [should expose headers for cors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L158) +- [should allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L174) +- [should not allow - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L201) +- [should allow correct origins - single origin for multiple cors values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L221) +- [should not break functionality](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L272) +- [should not break functionality - without `*`](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L296) +- [should not break functionality with extra domain](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L319) +- [should not match](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L343) +- [should allow - single origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L363) +- [should not allow - single origin with port and origin without port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L391) +- [should not allow - single origin without port and origin with required port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L410) +- [should allow - matching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L430) +- [should not allow - unmatching origin with wildcard origin (2 subdomains)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L473) +- [should allow - matching origin+port with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L493) +- [should not allow - portless origin with wildcard origin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L520) +- [should allow correct origins - missing subdomain + origin with wildcard origin and correct origin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L540) +- [should allow - missing origins (should allow all origins)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/cors.go#L576) +### [custom-http-errors](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customhttperrors.go#L34) +- [configures Nginx correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/customhttperrors.go#L41) +### [default-backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/default_backend.go#L29) +- [should use a custom default backend as upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/default_backend.go#L37) +### [disable-access-log disable-http-access-log disable-stream-access-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/disableaccesslog.go#L28) +- [disable-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/disableaccesslog.go#L35) +- [disable-http-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/disableaccesslog.go#L53) +- [disable-stream-access-log set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/disableaccesslog.go#L71) +### [backend-protocol - FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L30) +- [should use fastcgi_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L37) +- [should add fastcgi_index in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L54) +- [should add fastcgi_param in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L71) +- [should return OK for service with backend protocol FastCGI](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fastcgi.go#L102) +### [force-ssl-redirect](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/forcesslredirect.go#L27) +- [should redirect to https](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/forcesslredirect.go#L34) +### [from-to-www-redirect](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L31) +- [should redirect from www HTTP to HTTP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L38) +- [should redirect from www HTTPS to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/fromtowwwredirect.go#L64) +### [annotation-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L30) +- [generates correct configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/globalratelimit.go#L38) +### [backend-protocol - GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L40) +- [should use grpc_pass in the configuration file](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L43) +- [should return OK for service with backend protocol GRPC](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L68) +- [authorization metadata should be overwritten by external auth response headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L128) +- [should return OK for service with backend protocol GRPCS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/grpc.go#L189) +### [http2-push-preload](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/http2pushpreload.go#L27) +- [enable the http2-push-preload directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/http2pushpreload.go#L34) +### [allowlist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipallowlist.go#L27) +- [should set valid ip allowlist range](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipallowlist.go#L34) +### [denylist-source-range](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipdenylist.go#L28) +- [only deny explicitly denied IPs, allow all others](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipdenylist.go#L35) +- [only allow explicitly allowed IPs, deny all others](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/ipdenylist.go#L86) +### [Annotation - limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/limitconnections.go#L31) +- [should limit-connections](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/limitconnections.go#L38) +### [limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/limitrate.go#L29) +- [Check limit-rate annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/limitrate.go#L37) +### [enable-access-log enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/log.go#L27) +- [set access_log off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/log.go#L34) +- [set rewrite_log on](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/log.go#L49) +### [mirror-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/mirror.go#L28) +- [should set mirror-target to http://localhost/mirror](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/mirror.go#L36) +- [should set mirror-target to https://test.env.com/$request_uri](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/mirror.go#L51) +- [should disable mirror-request-body](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/mirror.go#L67) +### [modsecurity owasp](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L39) +- [should enable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L46) +- [should enable modsecurity with transaction ID and OWASP rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L64) +- [should disable modsecurity](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L85) +- [should enable modsecurity with snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L102) +- [should enable modsecurity without using 'modsecurity on;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L130) +- [should disable modsecurity using 'modsecurity off;'](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L153) +- [should enable modsecurity with snippet and block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L175) +- [should enable modsecurity globally and with modsecurity-snippet block requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L214) +- [should enable modsecurity when enable-owasp-modsecurity-crs is set to true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L253) +- [should enable modsecurity through the config map](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L292) +- [should enable modsecurity through the config map but ignore snippet as disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L338) +- [should disable default modsecurity conf setting when modsecurity-snippet is specified](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/modsecurity/modsecurity.go#L380) +### [preserve-trailing-slash](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/preservetrailingslash.go#L27) +- [should allow preservation of trailing slashes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/preservetrailingslash.go#L34) +### [proxy-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L30) +- [should set proxy_redirect to off](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L38) +- [should set proxy_redirect to default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L54) +- [should set proxy_redirect to hello.com goodbye.com](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L70) +- [should set proxy client-max-body-size to 8m](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L87) +- [should not set proxy client-max-body-size to incorrect value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L102) +- [should set valid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L117) +- [should not set invalid proxy timeouts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L138) +- [should turn on proxy-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L159) +- [should turn off proxy-request-buffering](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L181) +- [should build proxy next upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L196) +- [should setup proxy cookies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L217) +- [should change the default proxy HTTP version](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxy.go#L235) +### [proxy-ssl-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L32) +- [should set valid proxy-ssl-secret](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L39) +- [should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L66) +- [should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L96) +- [should set valid proxy-ssl-secret, proxy-ssl-protocols](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L124) +- [proxy-ssl-location-only flag should change the nginx config server part](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/proxyssl.go#L152) +### [permanent-redirect permanent-redirect-code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L30) +- [should respond with a standard redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L33) +- [should respond with a custom redirect code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/redirect.go#L61) +### [rewrite-target use-regex enable-rewrite-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L32) +- [should write rewrite logs](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L39) +- [should use correct longest path match](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L68) +- [should use ~* location modifier if regex annotation is present](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L113) +- [should fail to use longest match for documented warning](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L160) +- [should allow for custom rewrite parameters](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/rewrite.go#L192) +### [satisfy](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/satisfy.go#L33) +- [should configure satisfy directive correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/satisfy.go#L40) +- [should allow multiple auth with satisfy any](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/satisfy.go#L82) +### [server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serversnippet.go#L28) +### [service-upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L32) +- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L41) +- [should use the Service Cluster IP and Port ](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L69) +- [should not use the Service Cluster IP and Port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/serviceupstream.go#L97) +### [configuration-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L28) +- [set snippet more_set_headers in all locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L34) +- [drops snippet more_set_header in all locations if disabled by admin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/snippet.go#L73) +### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L28) +- [should change ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/sslciphers.go#L35) +### [stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L34) +- [should add value of stream-snippet to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L41) +- [should add stream-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/streamsnippet.go#L94) +### [upstream-hash-by-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L79) +- [should connect to the same pod](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L86) +- [should connect to the same subset of pods](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamhashby.go#L95) +### [upstream-vhost](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamvhost.go#L27) +- [set host to upstreamvhost.bar.com](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/upstreamvhost.go#L34) +### [x-forwarded-prefix](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/xforwardedprefix.go#L28) +- [should set the X-Forwarded-Prefix to the annotation value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/xforwardedprefix.go#L35) +- [should not add X-Forwarded-Prefix if the annotation value is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/annotations/xforwardedprefix.go#L57) +### [Debug CLI](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L29) +- [should list the backend servers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L37) +- [should get information for a specific backend server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L56) +- [should produce valid JSON for /dbg general](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/dbg/main.go#L85) +### [[Default Backend] custom service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/custom_default_backend.go#L33) +- [uses custom default backend that returns 200 as status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/custom_default_backend.go#L36) +### [[Default Backend]](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L30) +- [should return 404 sending requests when only a default backend is running](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L33) +- [enables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L88) +- [disables access logging for default backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/default_backend.go#L105) +### [[Default Backend] SSL](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/ssl.go#L26) +- [should return a self generated SSL certificate](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/ssl.go#L29) +### [[Default Backend] change default settings](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/with_hosts.go#L30) +- [should apply the annotation to the default backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/defaultbackend/with_hosts.go#L38) +### [[Endpointslices] long service name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/endpointslices/longname.go#L29) +- [should return 200 when service name has max allowed number of characters 63](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/endpointslices/longname.go#L38) +### [[TopologyHints] topology aware routing](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/endpointslices/topology.go#L34) +- [should return 200 when service has topology hints](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/endpointslices/topology.go#L42) +### [[Shutdown] Grace period shutdown](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/grace_period.go#L32) +- [/healthz should return status code 500 during shutdown grace period](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/grace_period.go#L35) +### [[Shutdown] ingress controller](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/shutdown.go#L30) +- [should shutdown in less than 60 secons without pending connections](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/shutdown.go#L40) +### [[Shutdown] Graceful shutdown with pending request](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/slow_requests.go#L25) +- [should let slow requests finish before shutting down](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/gracefulshutdown/slow_requests.go#L33) +### [[Ingress] DeepInspection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/deep_inspection.go#L27) +- [should drop whole ingress if one path matches invalid regex](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/deep_inspection.go#L34) +### [single ingress - multiple hosts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/multiple_rules.go#L30) +- [should set the correct $service_name NGINX variable](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/multiple_rules.go#L38) +### [[Ingress] [PathType] exact](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_exact.go#L30) +- [should choose exact location for /exact](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_exact.go#L37) +### [[Ingress] [PathType] mix Exact and Prefix paths](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_mixed.go#L30) +- [should choose the correct location](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_mixed.go#L39) +### [[Ingress] [PathType] prefix checks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_prefix.go#L28) +- [should return 404 when prefix /aaa does not match request /aaaccc](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/pathtype_prefix.go#L35) +### [[Ingress] definition without host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/without_host.go#L31) +- [should set ingress details variables for ingresses without a host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/without_host.go#L34) +- [should set ingress details variables for ingresses with host without IngressRuleValue, only Backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ingress/without_host.go#L55) +### [[Memory Leak] Dynamic Certificates](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/leaks/lua_ssl.go#L35) +- [should not leak memory from ingress SSL certificates or configuration updates](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/leaks/lua_ssl.go#L42) +### [[Load Balancer] load-balance](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/configmap.go#L30) +- [should apply the configmap load-balance setting](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/configmap.go#L37) +### [[Load Balancer] EWMA](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/ewma.go#L31) +- [does not fail requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/ewma.go#L43) +### [[Load Balancer] round-robin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/round_robin.go#L31) +- [should evenly distribute requests with round-robin (default algorithm)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/loadbalance/round_robin.go#L39) +### [[Lua] dynamic certificates](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L37) +- [picks up the certificate when we add TLS spec to existing ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L45) +- [picks up the previously missing secret for a given ingress without reloading](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L70) +- [supports requests with domain with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L145) +- [picks up the updated certificate without reloading](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L149) +- [falls back to using default certificate when secret gets deleted without reloading](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L185) +- [picks up a non-certificate only change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L218) +- [removes HTTPS configuration when we delete TLS spec](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_certificates.go#L233) +### [[Lua] dynamic configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L41) +- [configures balancer Lua middleware correctly](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L49) +- [handles endpoints only changes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L61) +- [handles endpoints only changes (down scaling of replicas)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L86) +- [handles endpoints only changes consistently (down scaling of replicas vs. empty service)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L124) +- [handles an annotation change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/lua/dynamic_configuration.go#L170) +### [[metrics] exported prometheus metrics](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L36) +- [exclude socket request metrics are absent](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L50) +- [exclude socket request metrics are present](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/metrics/metrics.go#L72) +### [nginx-configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L99) +- [start nginx with default configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L102) +- [fails when using alias directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L114) +- [fails when using root directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/nginx/nginx.go#L121) +### [[Security] request smuggling](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/security/request_smuggling.go#L32) +- [should not return body content from error_page](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/security/request_smuggling.go#L39) +### [[Service] backend status code 503](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_backend.go#L34) +- [should return 503 when backend service does not exist](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_backend.go#L37) +- [should return 503 when all backend service endpoints are unavailable](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_backend.go#L55) +### [[Service] Type ExternalName](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L38) +- [works with external name set to incomplete fqdn](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L41) +- [should return 200 for service type=ExternalName without a port defined](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L78) +- [should return 200 for service type=ExternalName with a port defined](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L118) +- [should return status 502 for service type=ExternalName with an invalid host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L148) +- [should return 200 for service type=ExternalName using a port name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L184) +- [should return 200 for service type=ExternalName using FQDN with trailing dot](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L225) +- [should update the external name after a service update](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L261) +- [should sync ingress on external name service addition/deletion](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_externalname.go#L344) +### [[Service] Nil Service Backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_nil_backend.go#L31) +- [should return 404 when backend service is nil](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/servicebackend/service_nil_backend.go#L38) +### [access-log](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L27) +- [use the default configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L31) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L41) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L52) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L64) +- [use the specified configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/access_log.go#L76) +### [aio-write](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L27) +- [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L30) +- [should be enabled when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L37) +- [should be disabled when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/aio_write.go#L46) +### [Bad annotation values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L29) +- [[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L36) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L75) +- [[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L119) +- [[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/badannotationvalues.go#L157) +### [brotli](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/brotli.go#L30) +- [should only compress responses that meet the `brotli-min-length` condition](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/brotli.go#L38) +### [Configmap change](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/configmap_change.go#L29) +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/configmap_change.go#L36) +### [add-headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/custom_header.go#L30) +- [Add a custom header](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/custom_header.go#L40) +- [Add multiple custom headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/custom_header.go#L65) +### [[SSL] [Flag] default-ssl-certificate](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/default_ssl_certificate.go#L35) +- [uses default ssl certificate for catch-all ingress](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/default_ssl_certificate.go#L66) +- [uses default ssl certificate for host based ingress when configured certificate does not match host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/default_ssl_certificate.go#L82) +### [[Flag] disable-catch-all](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L33) +- [should ignore catch all Ingress with backend](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L50) +- [should ignore catch all Ingress with backend and rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L69) +- [should delete Ingress updated to catch-all](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L81) +- [should allow Ingress with rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_catch_all.go#L123) +### [[Flag] disable-service-external-name](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_service_external_name.go#L35) +- [should ignore services of external-name type](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_service_external_name.go#L55) +### [[Flag] disable-sync-events](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_sync_events.go#L32) +- [should create sync events (default)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_sync_events.go#L35) +- [should create sync events](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_sync_events.go#L54) +- [should not create sync events](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/disable_sync_events.go#L82) +### [enable-real-ip](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L30) +- [trusts X-Forwarded-For header only when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L40) +- [should not trust X-Forwarded-For header when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/enable_real_ip.go#L78) +### [use-forwarded-headers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L31) +- [should trust X-Forwarded headers when setting is true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L41) +- [should not trust X-Forwarded headers when setting is false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/forwarded_headers.go#L93) +### [Geoip2](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L36) +- [should include geoip2 line in config when enabled and db file exists](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L45) +- [should only allow requests from specific countries](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/geoip2.go#L69) +### [[Security] block-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L28) +- [should block CIDRs defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L38) +- [should block User-Agents defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L55) +- [should block Referers defined in the ConfigMap](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_access_block.go#L88) +### [[Security] global-auth-url](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L39) +- [should return status code 401 when request any protected service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L91) +- [should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L107) +- [should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L130) +- [should still return status code 200 after auth backend is deleted using cache](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L158) +- [user retains cookie by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L322) +- [user does not retain cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L333) +- [user with global-auth-always-set-cookie key in configmap retains cookie if upstream returns error status code](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_external_auth.go#L344) +### [global-options](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L28) +- [should have worker_rlimit_nofile option](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L31) +- [should have worker_rlimit_nofile option and be independent on amount of worker processes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/global_options.go#L37) +### [settings-global-rate-limit](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L30) +- [generates correct NGINX configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/globalratelimit.go#L38) +### [gzip](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L29) +- [should be disabled by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L32) +- [should be enabled with default settings](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L39) +- [should set gzip_comp_level to 4](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L56) +- [should set gzip_disable to msie6](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L67) +- [should set gzip_min_length to 100](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L78) +- [should set gzip_types to application/javascript](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/gzip.go#L89) +### [hash size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L27) +- [should set server_names_hash_bucket_size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L39) +- [should set server_names_hash_max_size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L47) +- [should set proxy-headers-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L57) +- [should set proxy-headers-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L65) +- [should set variables-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L75) +- [should set variables-hash-max-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L83) +- [should set vmap-hash-bucket-size](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/hash-size.go#L93) +### [[Flag] ingress-class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L41) +- [should ignore Ingress with a different class annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L70) +- [should ignore Ingress with different controller class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L106) +- [should accept both Ingresses with default IngressClassName and IngressClass annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L134) +- [should ignore Ingress without IngressClass configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L166) +- [should delete Ingress when class is removed](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L194) +- [should serve Ingress when class is added](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L259) +- [should serve Ingress when class is updated between annotation and ingressClassName](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L325) +- [should ignore Ingress with no class and accept the correctly configured Ingresses](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L414) +- [should watch Ingress with no class and ignore ingress with a different class](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L482) +- [should watch Ingress that uses the class name even if spec is different](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L538) +- [should watch Ingress with correct annotation](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L628) +- [should ignore Ingress with only IngressClassName](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ingress_class.go#L648) +### [keep-alive keep-alive-requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L28) +- [should set keepalive_timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L40) +- [should set keepalive_requests](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L48) +- [should set keepalive connection to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L58) +- [should set keep alive connection timeout to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L68) +- [should set keepalive time to upstream server](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L78) +- [should set the request count to upstream server through one keep alive connection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/keep-alive.go#L88) +### [Configmap - limit-rate](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/limit_rate.go#L28) +- [Check limit-rate config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/limit_rate.go#L36) +### [[Flag] custom HTTP and HTTPS ports](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/listen_nondefault_ports.go#L30) +- [should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/listen_nondefault_ports.go#L45) +- [should set X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/listen_nondefault_ports.go#L65) +- [should set the X-Forwarded-Port header to 443](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/listen_nondefault_ports.go#L93) +### [log-format-*](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L28) +- [should not configure log-format escape by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L39) +- [should enable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L46) +- [should disable the log-format-escape-json](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L54) +- [should enable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L62) +- [should disable the log-format-escape-none](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L70) +- [log-format-escape-json enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L80) +- [log-format default escape](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L103) +- [log-format-escape-none enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/log-format.go#L126) +### [[Lua] lua-shared-dicts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/lua_shared_dicts.go#L26) +- [configures lua shared dicts](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/lua_shared_dicts.go#L29) +### [main-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/main_snippet.go#L27) +- [should add value of main-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/main_snippet.go#L31) +### [[Security] modsecurity-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/modsecurity/modsecurity_snippet.go#L27) +- [should add value of modsecurity-snippet setting to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/modsecurity/modsecurity_snippet.go#L30) +### [enable-multi-accept](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/multi_accept.go#L27) +- [should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/multi_accept.go#L31) +- [should be enabled when set to true](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/multi_accept.go#L39) +- [should be disabled when set to false](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/multi_accept.go#L49) +### [[Flag] watch namespace selector](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/namespace_selector.go#L30) +- [should ignore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/namespace_selector.go#L62) +### [[Security] no-auth-locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L33) +- [should return status code 401 when accessing '/' unauthentication](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L54) +- [should return status code 200 when accessing '/' authentication](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L68) +- [should return status code 200 when accessing '/noauth' unauthenticated](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_auth_locations.go#L82) +### [Add no tls redirect locations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_tls_redirect_locations.go#L27) +- [Check no tls redirect locations config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/no_tls_redirect_locations.go#L30) +### [OCSP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L42) +- [should enable OCSP and contain stapling information in the connection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ocsp/ocsp.go#L49) +### [Configure Opentelemetry](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L39) +- [should not exists opentelemetry directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L49) +- [should exists opentelemetry directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L62) +- [should include opentelemetry_trust_incoming_spans on directive when enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L76) +- [should not exists opentelemetry_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L91) +- [should exists opentelemetry_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentelemetry.go#L106) +### [Configure OpenTracing](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L52) +- [should not exists opentracing directive](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L62) +- [should exists opentracing directive when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L75) +- [should include opentracing_trust_incoming_span off directive when disabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L89) +- [should not exists opentracing_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L104) +- [should exists opentracing_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L119) +- [should not exists opentracing_location_operation_name directive when is empty](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L134) +- [should exists opentracing_location_operation_name directive when is configured](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L149) +- [should enable opentracing using zipkin](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L164) +- [should enable opentracing using jaeger](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L176) +- [should enable opentracing using jaeger with sampler host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L188) +- [should propagate the w3c header when configured with jaeger](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L201) +- [should enable opentracing using jaeger with an HTTP endpoint](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L232) +- [should enable opentracing using datadog](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/opentracing.go#L245) +### [plugins](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L28) +- [should exist a x-hello-world header](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/plugins.go#L35) +### [[Security] Pod Security Policies](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/pod_security_policy.go#L41) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/pod_security_policy.go#L44) +### [[Security] Pod Security Policies with volumes](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/pod_security_policy_volumes.go#L37) +- [should be running with a Pod Security Policy](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/pod_security_policy_volumes.go#L40) +### [proxy-connect-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L29) +- [should set valid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L37) +- [should not set invalid proxy timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_connect_timeout.go#L53) +### [Dynamic $proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L28) +- [should exist a proxy_host](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L36) +- [should exist a proxy_host using the upstream-vhost annotation value](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_host.go#L65) +### [proxy-next-upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L28) +- [should build proxy next upstream using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_next_upstream.go#L36) +### [use-proxy-protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L38) +- [should respect port passed by the PROXY Protocol](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L48) +- [should respect proto passed by the PROXY Protocol server port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L85) +- [should enable PROXY Protocol for HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L121) +- [should enable PROXY Protocol for TCP](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_protocol.go#L164) +### [proxy-read-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_read_timeout.go#L29) +- [should set valid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_read_timeout.go#L37) +- [should not set invalid proxy read timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_read_timeout.go#L53) +### [proxy-send-timeout](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_send_timeout.go#L29) +- [should set valid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_send_timeout.go#L37) +- [should not set invalid proxy send timeouts using configmap values](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/proxy_send_timeout.go#L53) +### [reuse-port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L27) +- [reuse port should be enabled by default](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L38) +- [reuse port should be disabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L44) +- [reuse port should be enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/reuse-port.go#L52) +### [configmap server-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L28) +- [should add value of server-snippet setting to all ingress config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L35) +- [should add global server-snippet and drop annotations per admin config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_snippet.go#L98) +### [server-tokens](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L29) +- [should not exists Server header in the response](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L38) +- [should exists Server header in the response when is enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/server_tokens.go#L50) +### [ssl-ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_ciphers.go#L28) +- [Add ssl ciphers](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_ciphers.go#L31) +### [[Flag] enable-ssl-passthrough](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L36) +### [With enable-ssl-passthrough enabled](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L55) +- [should enable ssl-passthrough-proxy-port on a different port](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L56) +- [should pass unknown traffic to default backend and handle known traffic](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/ssl_passthrough.go#L78) +### [configmap stream-snippet](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L35) +- [should add value of stream-snippet via config map to nginx config](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/stream_snippet.go#L42) +### [[SSL] TLS protocols, ciphers and headers)](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L31) +- [setting cipher suite](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L65) +- [setting max-age parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L109) +- [setting includeSubDomains parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L125) +- [setting preload parameter](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L144) +- [overriding what's set from the upstream](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L164) +- [should not use ports during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L186) +- [should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/tls.go#L204) +### [annotation validations](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L30) +- [should allow ingress based on their risk on webhooks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L33) +- [should allow ingress based on their risk on webhooks](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/settings/validations/validations.go#L68) +### [[SSL] redirect to HTTPS](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/http_redirect.go#L29) +- [should redirect from HTTP to HTTPS when secret is missing](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/http_redirect.go#L36) +### [[SSL] secret update](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/secret_update.go#L33) +- [should not appear references to secret updates not used in ingress rules](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/secret_update.go#L40) +- [should return the fake SSL certificate if the secret is invalid](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/ssl/secret_update.go#L83) +### [[Status] status update](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/status/update.go#L38) +- [should update status field after client-go reconnection](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/status/update.go#L43) +### [[TCP] tcp-services](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L38) +- [should expose a TCP service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L46) +- [should expose an ExternalName TCP service](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L80) +- [should reload after an update in the configuration](https://github.com/kubernetes/ingress-nginx/tree/main//test/e2e/tcpudp/tcp.go#L169) \ No newline at end of file diff --git a/docs/examples/index.md b/docs/examples/index.md index 3af4266ff..59745e014 100644 --- a/docs/examples/index.md +++ b/docs/examples/index.md @@ -23,7 +23,7 @@ Customization | [External authentication with response header propagation](custo Customization | [Sysctl tuning](customization/sysctl/README.md) | TODO | TODO Features | [Rewrite](rewrite/README.md) | TODO | TODO Features | [Session stickiness](affinity/cookie/README.md) | route requests consistently to the same endpoint | Advanced -Features | [Canary Deployments](canary/README.md) | weigthed canary routing to a seperate deployment | Intermediate +Features | [Canary Deployments](canary/README.md) | weighted canary routing to a seperate deployment | Intermediate Scaling | [Static IP](static-ip/README.md) | a single ingress gets a single static IP | Intermediate TLS | [Multi TLS certificate termination](multi-tls/README.md) | TODO | TODO TLS | [TLS termination](tls-termination/README.md) | TODO | TODO diff --git a/docs/examples/rewrite/README.md b/docs/examples/rewrite/README.md index 5b42e1fc7..16889e0bc 100644 --- a/docs/examples/rewrite/README.md +++ b/docs/examples/rewrite/README.md @@ -30,6 +30,9 @@ Rewriting can be controlled using the following annotations: !!! note [Captured groups](https://www.regular-expressions.info/refcapture.html) are saved in numbered placeholders, chronologically, in the form `$1`, `$2` ... `$n`. These placeholders can be used as parameters in the `rewrite-target` annotation. +!!! note + Please see the [FAQ](../../faq.md#validation-of-path) for Validation Of __`path`__ + Create an Ingress rule with a rewrite annotation: ```console @@ -49,7 +52,7 @@ spec: http: paths: - path: /something(/|$)(.*) - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: http-svc diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index be6e1dd50..07a17a271 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md @@ -25,7 +25,7 @@ They are set in the container spec of the `ingress-nginx-controller` Deployment | `--enable-metrics` | Enables the collection of NGINX metrics. (default true) | | `--enable-ssl-chain-completion` | Autocomplete SSL certificate chains with missing intermediate CA certificates. Certificates uploaded to Kubernetes must have the "Authority Information Access" X.509 v3 extension for this to succeed. (default false)| | `--enable-ssl-passthrough` | Enable SSL Passthrough. (default false) | -| `--enable-topology-aware-routing` | Enable topology aware hints feature, needs service object annotation service.kubernetes.io/topology-aware-hints sets to auto. (default false) | +| `--enable-topology-aware-routing` | Enable topology aware routing feature, needs service object annotation service.kubernetes.io/topology-mode sets to auto. (default false) | | `--exclude-socket-metrics` | Set of socket request metrics to exclude which won't be exported nor being calculated. The possible socket request metrics to exclude are documented in the monitoring guide e.g. 'nginx_ingress_controller_request_duration_seconds,nginx_ingress_controller_response_size'| | `--health-check-path` | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") | | `--health-check-timeout` | Time limit, in seconds, for a probe to health-check-path to succeed. (default 10) | diff --git a/docs/user-guide/exposing-tcp-udp-services.md b/docs/user-guide/exposing-tcp-udp-services.md index 089511ff9..dbc143ff1 100644 --- a/docs/user-guide/exposing-tcp-udp-services.md +++ b/docs/user-guide/exposing-tcp-udp-services.md @@ -3,7 +3,7 @@ While the Kubernetes Ingress resource only officially supports routing external HTTP(s) traffic to services, ingress-nginx can be configured to receive external TCP/UDP traffic from non-HTTP protocols and route them to internal services using TCP/UDP port mappings that are specified within a ConfigMap. To support this, the `--tcp-services-configmap` and `--udp-services-configmap` flags can be used to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format: -`::[PROXY]:[PROXY]` +`::[PROXY]:[PROXY]` It is also possible to use a number or the name of the port. The two last fields are optional. Adding `PROXY` in either or both of the two last fields we can use [Proxy Protocol](https://www.nginx.com/resources/admin-guide/proxy-protocol) decoding (listen) and/or encoding (proxy_pass) in a TCP service. diff --git a/docs/user-guide/external-articles.md b/docs/user-guide/external-articles.md index 27a3f4447..8a60ad567 100644 --- a/docs/user-guide/external-articles.md +++ b/docs/user-guide/external-articles.md @@ -4,3 +4,4 @@ - [Accessing Kubernetes Pods from Outside of the Cluster](http://alesnosek.com/blog/2017/02/14/accessing-kubernetes-pods-from-outside-of-the-cluster) - [Kubernetes - Redirect HTTP to HTTPS with ELB and the Ingress-Nginx Controller](https://dev.to/tomhoule/kubernetes---redirect-http-to-https-with-elb-and-the-nginx-ingress-controller) - [Configure Nginx Ingress Controller for TLS termination on Kubernetes on Azure](https://blogs.technet.microsoft.com/livedevopsinjapan/2017/02/28/configure-nginx-ingress-controller-for-tls-termination-on-kubernetes-on-azure-2/) +- [Secure your Nginx Ingress controller behind Google Cloud Armor or Identity-Aware Proxy (IAP)](https://medium.com/google-cloud/secure-your-nginx-ingress-controller-behind-cloud-armor-805d6109af86?sk=f64029bb5624b4ad5cd2828f4c358af3) diff --git a/docs/user-guide/ingress-path-matching.md b/docs/user-guide/ingress-path-matching.md index 321ddfa8e..dd618e08b 100644 --- a/docs/user-guide/ingress-path-matching.md +++ b/docs/user-guide/ingress-path-matching.md @@ -5,6 +5,9 @@ !!! important Regular expressions and wild cards are not supported in the `spec.rules.host` field. Full hostnames must be used. +!!! note + Please see the [FAQ](../faq.md#validation-of-path) for Validation Of __`path`__ + The ingress controller supports **case insensitive** regular expressions in the `spec.rules.http.paths.path` field. This can be enabled by setting the `nginx.ingress.kubernetes.io/use-regex` annotation to `true` (the default is false). @@ -28,7 +31,7 @@ spec: http: paths: - path: /foo/.* - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: test @@ -95,7 +98,7 @@ spec: http: paths: - path: /foo/bar/(.+) - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: service3 @@ -160,7 +163,7 @@ spec: port: number: 80 - path: /foo/bar/[A-Z0-9]{3} - pathType: Prefix + pathType: ImplementationSpecific backend: service: name: test diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md index 0916b4df5..877654d12 100755 --- a/docs/user-guide/nginx-configuration/annotations.md +++ b/docs/user-guide/nginx-configuration/annotations.md @@ -33,6 +33,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz |[nginx.ingress.kubernetes.io/auth-cache-key](#external-authentication)|string| |[nginx.ingress.kubernetes.io/auth-cache-duration](#external-authentication)|string| |[nginx.ingress.kubernetes.io/auth-keepalive](#external-authentication)|number| +|[nginx.ingress.kubernetes.io/auth-keepalive-share-vars](#external-authentication)|"true" or "false"| |[nginx.ingress.kubernetes.io/auth-keepalive-requests](#external-authentication)|number| |[nginx.ingress.kubernetes.io/auth-keepalive-timeout](#external-authentication)|number| |[nginx.ingress.kubernetes.io/auth-proxy-set-headers](#external-authentication)|string| @@ -467,6 +468,9 @@ Additionally it is possible to set: > Note: does not work with HTTP/2 listener because of a limitation in Lua [subrequests](https://github.com/openresty/lua-nginx-module#spdy-mode-not-fully-supported). > [UseHTTP2](./configmap.md#use-http2) configuration should be disabled! +* `nginx.ingress.kubernetes.io/auth-keepalive-share-vars`: + Whether to share Nginx variables among the current request and the auth request. Example use case is to track requests: when set to "true" X-Request-ID HTTP header will be the same for the backend and the auth request. + Defaults to "false". * `nginx.ingress.kubernetes.io/auth-keepalive-requests`: `` to specify the maximum number of requests that can be served through one keepalive connection. Defaults to `1000` and only applied if `auth-keepalive` is set to higher than `0`. diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 0a7e44dce..1bb205ad3 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -30,7 +30,7 @@ The following table shows a configuration option's name, type, and the default v |[add-headers](#add-headers)|string|""|| |[allow-backend-server-header](#allow-backend-server-header)|bool|"false"|| |[allow-cross-namespace-resources](#allow-cross-namespace-resources)|bool|"true"|| -|[allow-snippet-annotations](#allow-snippet-annotations)|bool|true|| +|[allow-snippet-annotations](#allow-snippet-annotations)|bool|false|| |[annotations-risk-level](#annotations-risk-level)|string|Critical|| |[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""|| |[hide-headers](#hide-headers)|string array|empty|| @@ -97,6 +97,7 @@ The following table shows a configuration option's name, type, and the default v |[ssl-buffer-size](#ssl-buffer-size)|string|"4k"|| |[use-proxy-protocol](#use-proxy-protocol)|bool|"false"|| |[proxy-protocol-header-timeout](#proxy-protocol-header-timeout)|string|"5s"|| +|[enable-aio-write](#enable-aio-write)|bool|"true"|| |[use-gzip](#use-gzip)|bool|"false"|| |[use-geoip](#use-geoip)|bool|"true"|| |[use-geoip2](#use-geoip2)|bool|"false"|| @@ -257,7 +258,7 @@ Enables users to consume cross namespace resource on annotations, when was previ ## allow-snippet-annotations -Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `true` +Enables Ingress to parse and add *-snippet annotations/directives created by the user. _**default:**_ `false` Warning: We recommend enabling this option only if you TRUST users with permission to create Ingress objects, as this may allow a user to add restricted configurations to the final nginx.conf file @@ -709,6 +710,10 @@ Enables or disables the [PROXY protocol](https://www.nginx.com/resources/admin-g Sets the timeout value for receiving the proxy-protocol headers. The default of 5 seconds prevents the TLS passthrough handler from waiting indefinitely on a dropped connection. _**default:**_ 5s +## enable-aio-write + +Enables or disables the directive [aio_write](https://nginx.org/en/docs/http/ngx_http_core_module.html#aio_write) that writes files asynchronously. _**default:**_ true + ## use-gzip Enables or disables compression of HTTP responses using the ["gzip" module](https://nginx.org/en/docs/http/ngx_http_gzip_module.html). MIME types to compress are controlled by [gzip-types](#gzip-types). _**default:**_ false diff --git a/go.mod b/go.mod index 13d0fcf04..63228c8ae 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module k8s.io/ingress-nginx -go 1.20 +go 1.21.1 require ( github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a @@ -14,8 +14,8 @@ require ( github.com/mitchellh/mapstructure v1.5.0 github.com/moul/pb v0.0.0-20220425114252-bca18df4138c github.com/ncabatoff/process-exporter v0.7.10 - github.com/onsi/ginkgo/v2 v2.9.5 - github.com/opencontainers/runc v1.1.8 + github.com/onsi/ginkgo/v2 v2.12.0 + github.com/opencontainers/runc v1.1.9 github.com/pmezard/go-difflib v1.0.0 github.com/prometheus/client_golang v1.16.0 github.com/prometheus/client_model v0.4.0 @@ -25,19 +25,19 @@ require ( github.com/stretchr/testify v1.8.4 github.com/yudai/gojsondiff v1.0.0 github.com/zakjan/cert-chain-resolver v0.0.0-20211122211144-c6b0b792af9a - golang.org/x/crypto v0.11.0 - google.golang.org/grpc v1.56.2 + golang.org/x/crypto v0.13.0 + google.golang.org/grpc v1.58.1 google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 gopkg.in/go-playground/pool.v3 v3.1.1 gopkg.in/mcuadros/go-syslog.v2 v2.3.0 - k8s.io/api v0.26.4 + k8s.io/api v0.27.4 k8s.io/apiextensions-apiserver v0.26.4 - k8s.io/apimachinery v0.26.4 + k8s.io/apimachinery v0.27.4 k8s.io/apiserver v0.26.4 k8s.io/cli-runtime v0.26.4 - k8s.io/client-go v0.26.4 + k8s.io/client-go v0.27.4 k8s.io/code-generator v0.26.4 - k8s.io/component-base v0.26.4 + k8s.io/component-base v0.27.4 k8s.io/klog/v2 v2.100.1 pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 sigs.k8s.io/controller-runtime v0.14.6 @@ -50,7 +50,7 @@ require ( github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/coreos/go-systemd/v22 v22.3.2 // indirect - github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/eapache/queue v1.1.0 // indirect github.com/emicklei/go-restful/v3 v3.10.2 // indirect @@ -59,9 +59,9 @@ require ( github.com/fullsailor/pkcs7 v0.0.0-20160414161337-2585af45975b // indirect github.com/go-errors/errors v1.0.1 // indirect github.com/go-logr/logr v1.2.4 // indirect - github.com/go-openapi/jsonpointer v0.19.5 // indirect - github.com/go-openapi/jsonreference v0.20.0 // indirect - github.com/go-openapi/swag v0.19.14 // indirect + github.com/go-openapi/jsonpointer v0.19.6 // indirect + github.com/go-openapi/jsonreference v0.20.1 // indirect + github.com/go-openapi/swag v0.22.3 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/gogo/protobuf v1.3.2 // indirect @@ -72,14 +72,14 @@ require ( github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.1.0 // indirect - github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect + github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.3.0 // indirect github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect - github.com/mailru/easyjson v0.7.6 // indirect + github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/mmarkdown/mmark v2.0.40+incompatible // indirect @@ -100,25 +100,25 @@ require ( github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82 // indirect github.com/yudai/pp v2.0.1+incompatible // indirect go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect - golang.org/x/mod v0.10.0 // indirect - golang.org/x/net v0.10.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect - golang.org/x/sys v0.10.0 // indirect - golang.org/x/term v0.10.0 // indirect - golang.org/x/text v0.11.0 // indirect + golang.org/x/mod v0.12.0 // indirect + golang.org/x/net v0.14.0 // indirect + golang.org/x/oauth2 v0.10.0 // indirect + golang.org/x/sys v0.12.0 // indirect + golang.org/x/term v0.12.0 // indirect + golang.org/x/text v0.13.0 // indirect golang.org/x/time v0.3.0 // indirect - golang.org/x/tools v0.9.1 // indirect + golang.org/x/tools v0.12.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/go-playground/assert.v1 v1.2.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect - k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect - k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 // indirect - sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect + k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect + k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect + sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/kustomize/api v0.12.1 // indirect sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect diff --git a/go.sum b/go.sum index 6e1495776..c5be5c64d 100644 --- a/go.sum +++ b/go.sum @@ -61,8 +61,8 @@ github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzA github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -103,14 +103,13 @@ github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbV github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA= -github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.14 h1:gm3vOOXfiuw5i9p5N9xJvfjvuofpyvLA9Wr6QfK5Fng= -github.com/go-openapi/swag v0.19.14/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ= +github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4= +github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= +github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= +github.com/go-openapi/jsonreference v0.20.1 h1:FBLnyygC4/IZZr893oiomc9XaghoveYTrLC1F86HID8= +github.com/go-openapi/jsonreference v0.20.1/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= +github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= @@ -184,8 +183,8 @@ github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= -github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE= -github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= @@ -227,6 +226,7 @@ github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfn github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -235,10 +235,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA= -github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= +github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= +github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= @@ -276,7 +274,6 @@ github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833 h1:t4WWQ9I797y7QU github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833/go.mod h1:0CznHmXSjMEqs5Tezj/w2emQoM41wzYM9KpDKUHPYag= github.com/ncabatoff/process-exporter v0.7.10 h1:+Ere7+3se6QqP54gg7aBRagWcL8bq3u5zNi/GRSWeKQ= github.com/ncabatoff/process-exporter v0.7.10/go.mod h1:DHZRZjqxw9LCOpLlX0DjBuyn6d5plh41Jv6Tmttj7Ek= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= @@ -284,13 +281,14 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q= -github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k= +github.com/onsi/ginkgo/v2 v2.12.0 h1:UIVDowFPwpg6yMUpPjGkYvf06K3RAiJXUhCxEwQVHRI= +github.com/onsi/ginkgo/v2 v2.12.0/go.mod h1:ZNEzXISYlqpb8S36iN71ifqLi3vVD1rVJGvWRCJOUpQ= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= -github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= -github.com/opencontainers/runc v1.1.8 h1:zICRlc+C1XzivLc3nzE+cbJV4LIi8tib6YG0MqC6OqA= -github.com/opencontainers/runc v1.1.8/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= +github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= +github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= +github.com/opencontainers/runc v1.1.9 h1:XR0VIHTGce5eWPkaPesqTBrhW2yAcaraWfsEalNwQLM= +github.com/opencontainers/runc v1.1.9/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc= github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= @@ -331,7 +329,8 @@ github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPH github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= @@ -347,7 +346,9 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.1.3/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= @@ -355,6 +356,9 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/urfave/cli v1.17.1-0.20160602030128-01a33823596e/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= @@ -380,8 +384,11 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 h1:+FNtrFTmVw0YZGpBGX56XDee331t6JAXeK2bcyhLOOc= go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5/go.mod h1:nmDLcffg48OtT/PSW0Hg7FvpRQsQh5OSqIylirxKC7o= go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw= +go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= +go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= +go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= golang.org/dl v0.0.0-20190829154251-82a15e2f2ead/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= @@ -390,8 +397,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= -golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -422,8 +429,8 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= -golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc= +golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -457,16 +464,16 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= -golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14= +golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= +golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -524,19 +531,19 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= -golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= -golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= +golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU= +golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= -golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -586,13 +593,14 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo= -golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss= +golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= +gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= @@ -647,8 +655,8 @@ google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A= -google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -661,8 +669,8 @@ google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKa google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI= -google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc v1.58.1 h1:OL+Vz23DTtrrldqHK49FUOPHyY75rvFqJfXC84NYW58= +google.golang.org/grpc v1.58.1/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7 h1:pPsdyuBif+uoyUoL19yuj/TCfUPsmpJHJZhWQ98JGLU= google.golang.org/grpc/examples v0.0.0-20221220003428-4f16fbe410f7/go.mod h1:8pQa1yxxkh+EsxUK8/455D5MSbv3vgmEJqKCH3y17mI= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= @@ -677,13 +685,12 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= @@ -717,31 +724,31 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.26.4 h1:qSG2PmtcD23BkYiWfoYAcak870eF/hE7NNYBYavTT94= -k8s.io/api v0.26.4/go.mod h1:WwKEXU3R1rgCZ77AYa7DFksd9/BAIKyOmRlbVxgvjCk= +k8s.io/api v0.27.4 h1:0pCo/AN9hONazBKlNUdhQymmnfLRbSZjd5H5H3f0bSs= +k8s.io/api v0.27.4/go.mod h1:O3smaaX15NfxjzILfiln1D8Z3+gEYpjEpiNA/1EVK1Y= k8s.io/apiextensions-apiserver v0.26.4 h1:9D2RTxYGxrG5uYg6D7QZRcykXvavBvcA59j5kTaedQI= k8s.io/apiextensions-apiserver v0.26.4/go.mod h1:cd4uGFGIgzEqUghWpRsr9KE8j2KNTjY8Ji8pnMMazyw= -k8s.io/apimachinery v0.26.4 h1:rZccKdBLg9vP6J09JD+z8Yr99Ce8gk3Lbi9TCx05Jzs= -k8s.io/apimachinery v0.26.4/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= +k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs= +k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= k8s.io/apiserver v0.26.4 h1:3Oq4mnJv0mzVX7BR/Nod+8KjlELf/3Ljvu9ZWDyLUoA= k8s.io/apiserver v0.26.4/go.mod h1:yAY3O1vBM4/0OIGAGeWcdfzQvgdwJ188VirLcuSAVnw= k8s.io/cli-runtime v0.26.4 h1:MgSU871KDzBDX7V9GtuqS6Ai9lhQCHgRzkurnXOWtZ0= k8s.io/cli-runtime v0.26.4/go.mod h1:MjJ2DXMChw2zcG0/agzm17xwKpfVxOfuoCdfY9iOCOE= -k8s.io/client-go v0.26.4 h1:/7P/IbGBuT73A+G97trf44NTPSNqvuBREpOfdLbHvD4= -k8s.io/client-go v0.26.4/go.mod h1:6qOItWm3EwxJdl/8p5t7FWtWUOwyMdA8N9ekbW4idpI= +k8s.io/client-go v0.27.4 h1:vj2YTtSJ6J4KxaC88P4pMPEQECWMY8gqPqsTgUKzvjk= +k8s.io/client-go v0.27.4/go.mod h1:ragcly7lUlN0SRPk5/ZkGnDjPknzb37TICq07WhI6Xc= k8s.io/code-generator v0.26.4 h1:zgDD0qX13p/jtrAoYRRiYeQ5ibnriwmo2cMkMZAtJxc= k8s.io/code-generator v0.26.4/go.mod h1:ryaiIKwfxEJEaywEzx3dhWOydpVctKYbqLajJf0O8dI= -k8s.io/component-base v0.26.4 h1:Bg2xzyXNKL3eAuiTEu3XE198d6z22ENgFgGQv2GGOUk= -k8s.io/component-base v0.26.4/go.mod h1:lTuWL1Xz/a4e80gmIC3YZG2JCO4xNwtKWHJWeJmsq20= +k8s.io/component-base v0.27.4 h1:Wqc0jMKEDGjKXdae8hBXeskRP//vu1m6ypC+gwErj4c= +k8s.io/component-base v0.27.4/go.mod h1:hoiEETnLc0ioLv6WPeDt8vD34DDeB35MfQnxCARq3kY= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= -k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= -k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y= -k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= +k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= +k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= +k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732 h1:SAElp8THCfmBdM+4lmWX5gebiSSkEr7PAYDVF91qpfg= pault.ag/go/sniff v0.0.0-20200207005214-cf7e4d167732/go.mod h1:lpvCfhqEHNJSSpG5R5A2EgsVzG8RTt4RfPoQuRAcDmg= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= @@ -749,8 +756,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k= -sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= +sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/kustomize/api v0.12.1 h1:7YM7gW3kYBwtKvoY216ZzY+8hM+lV53LUayghNRJ0vM= sigs.k8s.io/kustomize/api v0.12.1/go.mod h1:y3JUhimkZkR6sbLNwfJHxvo1TCLwuwm14sCYnkH6S1s= sigs.k8s.io/kustomize/kyaml v0.13.9 h1:Qz53EAaFFANyNgyOEJbT/yoIHygK40/ZcvU3rgry2Tk= diff --git a/go.work b/go.work new file mode 100644 index 000000000..84cc6ca96 --- /dev/null +++ b/go.work @@ -0,0 +1,6 @@ +go 1.21.1 + +use ( + . + ./magefiles +) diff --git a/go.work.sum b/go.work.sum new file mode 100644 index 000000000..7eb8379b8 --- /dev/null +++ b/go.work.sum @@ -0,0 +1,253 @@ +cloud.google.com/go v0.110.2/go.mod h1:k04UEeEtb6ZBRTv3dZz4CeJC3jKGxyhl0sAiVVquxiw= +cloud.google.com/go v0.110.4/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI= +cloud.google.com/go/accessapproval v1.7.1/go.mod h1:JYczztsHRMK7NTXb6Xw+dwbs/WnOJxbo/2mTI+Kgg68= +cloud.google.com/go/accesscontextmanager v1.8.1/go.mod h1:JFJHfvuaTC+++1iL1coPiG1eu5D24db2wXCDWDjIrxo= +cloud.google.com/go/aiplatform v1.45.0/go.mod h1:Iu2Q7sC7QGhXUeOhAj/oCK9a+ULz1O4AotZiqjQ8MYA= +cloud.google.com/go/analytics v0.21.2/go.mod h1:U8dcUtmDmjrmUTnnnRnI4m6zKn/yaA5N9RlEkYFHpQo= +cloud.google.com/go/apigateway v1.6.1/go.mod h1:ufAS3wpbRjqfZrzpvLC2oh0MFlpRJm2E/ts25yyqmXA= +cloud.google.com/go/apigeeconnect v1.6.1/go.mod h1:C4awq7x0JpLtrlQCr8AzVIzAaYgngRqWf9S5Uhg+wWs= +cloud.google.com/go/apigeeregistry v0.7.1/go.mod h1:1XgyjZye4Mqtw7T9TsY4NW10U7BojBvG4RMD+vRDrIw= +cloud.google.com/go/appengine v1.8.1/go.mod h1:6NJXGLVhZCN9aQ/AEDvmfzKEfoYBlfB80/BHiKVputY= +cloud.google.com/go/area120 v0.8.1/go.mod h1:BVfZpGpB7KFVNxPiQBuHkX6Ed0rS51xIgmGyjrAfzsg= +cloud.google.com/go/artifactregistry v1.14.1/go.mod h1:nxVdG19jTaSTu7yA7+VbWL346r3rIdkZ142BSQqhn5E= +cloud.google.com/go/asset v1.14.1/go.mod h1:4bEJ3dnHCqWCDbWJ/6Vn7GVI9LerSi7Rfdi03hd+WTQ= +cloud.google.com/go/assuredworkloads v1.11.1/go.mod h1:+F04I52Pgn5nmPG36CWFtxmav6+7Q+c5QyJoL18Lry0= +cloud.google.com/go/automl v1.13.1/go.mod h1:1aowgAHWYZU27MybSCFiukPO7xnyawv7pt3zK4bheQE= +cloud.google.com/go/baremetalsolution v0.5.0/go.mod h1:dXGxEkmR9BMwxhzBhV0AioD0ULBmuLZI8CdwalUxuss= +cloud.google.com/go/batch v0.7.0/go.mod h1:vLZN95s6teRUqRQ4s3RLDsH8PvboqBK+rn1oevL159g= +cloud.google.com/go/beyondcorp v0.6.1/go.mod h1:YhxDWw946SCbmcWo3fAhw3V4XZMSpQ/VYfcKGAEU8/4= +cloud.google.com/go/bigquery v1.52.0/go.mod h1:3b/iXjRQGU4nKa87cXeg6/gogLjO8C6PmuM8i5Bi/u4= +cloud.google.com/go/billing v1.16.0/go.mod h1:y8vx09JSSJG02k5QxbycNRrN7FGZB6F3CAcgum7jvGA= +cloud.google.com/go/binaryauthorization v1.6.1/go.mod h1:TKt4pa8xhowwffiBmbrbcxijJRZED4zrqnwZ1lKH51U= +cloud.google.com/go/certificatemanager v1.7.1/go.mod h1:iW8J3nG6SaRYImIa+wXQ0g8IgoofDFRp5UMzaNk1UqI= +cloud.google.com/go/channel v1.16.0/go.mod h1:eN/q1PFSl5gyu0dYdmxNXscY/4Fi7ABmeHCJNf/oHmc= +cloud.google.com/go/cloudbuild v1.10.1/go.mod h1:lyJg7v97SUIPq4RC2sGsz/9tNczhyv2AjML/ci4ulzU= +cloud.google.com/go/clouddms v1.6.1/go.mod h1:Ygo1vL52Ov4TBZQquhz5fiw2CQ58gvu+PlS6PVXCpZI= +cloud.google.com/go/cloudtasks v1.11.1/go.mod h1:a9udmnou9KO2iulGscKR0qBYjreuX8oHwpmFsKspEvM= +cloud.google.com/go/compute v1.19.3/go.mod h1:qxvISKp/gYnXkSAD1ppcSOveRAmzxicEv/JlizULFrI= +cloud.google.com/go/compute v1.20.1/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute v1.21.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM= +cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= +cloud.google.com/go/contactcenterinsights v1.9.1/go.mod h1:bsg/R7zGLYMVxFFzfh9ooLTruLRCG9fnzhH9KznHhbM= +cloud.google.com/go/container v1.22.1/go.mod h1:lTNExE2R7f+DLbAN+rJiKTisauFCaoDq6NURZ83eVH4= +cloud.google.com/go/containeranalysis v0.10.1/go.mod h1:Ya2jiILITMY68ZLPaogjmOMNkwsDrWBSTyBubGXO7j0= +cloud.google.com/go/datacatalog v1.14.1/go.mod h1:d2CevwTG4yedZilwe+v3E3ZBDRMobQfSG/a6cCCN5R4= +cloud.google.com/go/dataflow v0.9.1/go.mod h1:Wp7s32QjYuQDWqJPFFlnBKhkAtiFpMTdg00qGbnIHVw= +cloud.google.com/go/dataform v0.8.1/go.mod h1:3BhPSiw8xmppbgzeBbmDvmSWlwouuJkXsXsb8UBih9M= +cloud.google.com/go/datafusion v1.7.1/go.mod h1:KpoTBbFmoToDExJUso/fcCiguGDk7MEzOWXUsJo0wsI= +cloud.google.com/go/datalabeling v0.8.1/go.mod h1:XS62LBSVPbYR54GfYQsPXZjTW8UxCK2fkDciSrpRFdY= +cloud.google.com/go/dataplex v1.8.1/go.mod h1:7TyrDT6BCdI8/38Uvp0/ZxBslOslP2X2MPDucliyvSE= +cloud.google.com/go/dataproc v1.12.0/go.mod h1:zrF3aX0uV3ikkMz6z4uBbIKyhRITnxvr4i3IjKsKrw4= +cloud.google.com/go/dataqna v0.8.1/go.mod h1:zxZM0Bl6liMePWsHA8RMGAfmTG34vJMapbHAxQ5+WA8= +cloud.google.com/go/datastore v1.12.1/go.mod h1:KjdB88W897MRITkvWWJrg2OUtrR5XVj1EoLgSp6/N70= +cloud.google.com/go/datastream v1.9.1/go.mod h1:hqnmr8kdUBmrnk65k5wNRoHSCYksvpdZIcZIEl8h43Q= +cloud.google.com/go/deploy v1.11.0/go.mod h1:tKuSUV5pXbn67KiubiUNUejqLs4f5cxxiCNCeyl0F2g= +cloud.google.com/go/dialogflow v1.38.0/go.mod h1:L7jnH+JL2mtmdChzAIcXQHXMvQkE3U4hTaNltEuxXn4= +cloud.google.com/go/dlp v1.10.1/go.mod h1:IM8BWz1iJd8njcNcG0+Kyd9OPnqnRNkDV8j42VT5KOI= +cloud.google.com/go/documentai v1.20.0/go.mod h1:yJkInoMcK0qNAEdRnqY/D5asy73tnPe88I1YTZT+a8E= +cloud.google.com/go/domains v0.9.1/go.mod h1:aOp1c0MbejQQ2Pjf1iJvnVyT+z6R6s8pX66KaCSDYfE= +cloud.google.com/go/edgecontainer v1.1.1/go.mod h1:O5bYcS//7MELQZs3+7mabRqoWQhXCzenBu0R8bz2rwk= +cloud.google.com/go/errorreporting v0.3.0/go.mod h1:xsP2yaAp+OAW4OIm60An2bbLpqIhKXdWR/tawvl7QzU= +cloud.google.com/go/essentialcontacts v1.6.2/go.mod h1:T2tB6tX+TRak7i88Fb2N9Ok3PvY3UNbUsMag9/BARh4= +cloud.google.com/go/eventarc v1.12.1/go.mod h1:mAFCW6lukH5+IZjkvrEss+jmt2kOdYlN8aMx3sRJiAI= +cloud.google.com/go/filestore v1.7.1/go.mod h1:y10jsorq40JJnjR/lQ8AfFbbcGlw3g+Dp8oN7i7FjV4= +cloud.google.com/go/firestore v1.11.0/go.mod h1:b38dKhgzlmNNGTNZZwe7ZRFEuRab1Hay3/DBsIGKKy4= +cloud.google.com/go/functions v1.15.1/go.mod h1:P5yNWUTkyU+LvW/S9O6V+V423VZooALQlqoXdoPz5AE= +cloud.google.com/go/gkebackup v0.4.0/go.mod h1:byAyBGUwYGEEww7xsbnUTBHIYcOPy/PgUWUtOeRm9Vg= +cloud.google.com/go/gkeconnect v0.8.1/go.mod h1:KWiK1g9sDLZqhxB2xEuPV8V9NYzrqTUmQR9shJHpOZw= +cloud.google.com/go/gkehub v0.14.1/go.mod h1:VEXKIJZ2avzrbd7u+zeMtW00Y8ddk/4V9511C9CQGTY= +cloud.google.com/go/gkemulticloud v0.6.1/go.mod h1:kbZ3HKyTsiwqKX7Yw56+wUGwwNZViRnxWK2DVknXWfw= +cloud.google.com/go/gsuiteaddons v1.6.1/go.mod h1:CodrdOqRZcLp5WOwejHWYBjZvfY0kOphkAKpF/3qdZY= +cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0= +cloud.google.com/go/iam v1.1.1/go.mod h1:A5avdyVL2tCppe4unb0951eI9jreack+RJ0/d+KUZOU= +cloud.google.com/go/iap v1.8.1/go.mod h1:sJCbeqg3mvWLqjZNsI6dfAtbbV1DL2Rl7e1mTyXYREQ= +cloud.google.com/go/ids v1.4.1/go.mod h1:np41ed8YMU8zOgv53MMMoCntLTn2lF+SUzlM+O3u/jw= +cloud.google.com/go/iot v1.7.1/go.mod h1:46Mgw7ev1k9KqK1ao0ayW9h0lI+3hxeanz+L1zmbbbk= +cloud.google.com/go/kms v1.12.1/go.mod h1:c9J991h5DTl+kg7gi3MYomh12YEENGrf48ee/N/2CDM= +cloud.google.com/go/language v1.10.1/go.mod h1:CPp94nsdVNiQEt1CNjF5WkTcisLiHPyIbMhvR8H2AW0= +cloud.google.com/go/lifesciences v0.9.1/go.mod h1:hACAOd1fFbCGLr/+weUKRAJas82Y4vrL3O5326N//Wc= +cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M= +cloud.google.com/go/longrunning v0.5.0/go.mod h1:0JNuqRShmscVAhIACGtskSAWtqtOoPkwP0YF1oVEchc= +cloud.google.com/go/longrunning v0.5.1/go.mod h1:spvimkwdz6SPWKEt/XBij79E9fiTkHSQl/fRUUQJYJc= +cloud.google.com/go/managedidentities v1.6.1/go.mod h1:h/irGhTN2SkZ64F43tfGPMbHnypMbu4RB3yl8YcuEak= +cloud.google.com/go/maps v0.7.0/go.mod h1:3GnvVl3cqeSvgMcpRlQidXsPYuDGQ8naBis7MVzpXsY= +cloud.google.com/go/mediatranslation v0.8.1/go.mod h1:L/7hBdEYbYHQJhX2sldtTO5SZZ1C1vkapubj0T2aGig= +cloud.google.com/go/memcache v1.10.1/go.mod h1:47YRQIarv4I3QS5+hoETgKO40InqzLP6kpNLvyXuyaA= +cloud.google.com/go/metastore v1.11.1/go.mod h1:uZuSo80U3Wd4zi6C22ZZliOUJ3XeM/MlYi/z5OAOWRA= +cloud.google.com/go/monitoring v1.15.1/go.mod h1:lADlSAlFdbqQuwwpaImhsJXu1QSdd3ojypXrFSMr2rM= +cloud.google.com/go/networkconnectivity v1.12.1/go.mod h1:PelxSWYM7Sh9/guf8CFhi6vIqf19Ir/sbfZRUwXh92E= +cloud.google.com/go/networkmanagement v1.8.0/go.mod h1:Ho/BUGmtyEqrttTgWEe7m+8vDdK74ibQc+Be0q7Fof0= +cloud.google.com/go/networksecurity v0.9.1/go.mod h1:MCMdxOKQ30wsBI1eI659f9kEp4wuuAueoC9AJKSPWZQ= +cloud.google.com/go/notebooks v1.9.1/go.mod h1:zqG9/gk05JrzgBt4ghLzEepPHNwE5jgPcHZRKhlC1A8= +cloud.google.com/go/optimization v1.4.1/go.mod h1:j64vZQP7h9bO49m2rVaTVoNM0vEBEN5eKPUPbZyXOrk= +cloud.google.com/go/orchestration v1.8.1/go.mod h1:4sluRF3wgbYVRqz7zJ1/EUNc90TTprliq9477fGobD8= +cloud.google.com/go/orgpolicy v1.11.1/go.mod h1:8+E3jQcpZJQliP+zaFfayC2Pg5bmhuLK755wKhIIUCE= +cloud.google.com/go/osconfig v1.12.1/go.mod h1:4CjBxND0gswz2gfYRCUoUzCm9zCABp91EeTtWXyz0tE= +cloud.google.com/go/oslogin v1.10.1/go.mod h1:x692z7yAue5nE7CsSnoG0aaMbNoRJRXO4sn73R+ZqAs= +cloud.google.com/go/phishingprotection v0.8.1/go.mod h1:AxonW7GovcA8qdEk13NfHq9hNx5KPtfxXNeUxTDxB6I= +cloud.google.com/go/policytroubleshooter v1.7.1/go.mod h1:0NaT5v3Ag1M7U5r0GfDCpUFkWd9YqpubBWsQlhanRv0= +cloud.google.com/go/privatecatalog v0.9.1/go.mod h1:0XlDXW2unJXdf9zFz968Hp35gl/bhF4twwpXZAW50JA= +cloud.google.com/go/pubsub v1.32.0/go.mod h1:f+w71I33OMyxf9VpMVcZbnG5KSUkCOUHYpFd5U1GdRc= +cloud.google.com/go/pubsublite v1.8.1/go.mod h1:fOLdU4f5xldK4RGJrBMm+J7zMWNj/k4PxwEZXy39QS0= +cloud.google.com/go/recaptchaenterprise/v2 v2.7.2/go.mod h1:kR0KjsJS7Jt1YSyWFkseQ756D45kaYNTlDPPaRAvDBU= +cloud.google.com/go/recommendationengine v0.8.1/go.mod h1:MrZihWwtFYWDzE6Hz5nKcNz3gLizXVIDI/o3G1DLcrE= +cloud.google.com/go/recommender v1.10.1/go.mod h1:XFvrE4Suqn5Cq0Lf+mCP6oBHD/yRMA8XxP5sb7Q7gpA= +cloud.google.com/go/redis v1.13.1/go.mod h1:VP7DGLpE91M6bcsDdMuyCm2hIpB6Vp2hI090Mfd1tcg= +cloud.google.com/go/resourcemanager v1.9.1/go.mod h1:dVCuosgrh1tINZ/RwBufr8lULmWGOkPS8gL5gqyjdT8= +cloud.google.com/go/resourcesettings v1.6.1/go.mod h1:M7mk9PIZrC5Fgsu1kZJci6mpgN8o0IUzVx3eJU3y4Jw= +cloud.google.com/go/retail v1.14.1/go.mod h1:y3Wv3Vr2k54dLNIrCzenyKG8g8dhvhncT2NcNjb/6gE= +cloud.google.com/go/run v0.9.0/go.mod h1:Wwu+/vvg8Y+JUApMwEDfVfhetv30hCG4ZwDR/IXl2Qg= +cloud.google.com/go/scheduler v1.10.1/go.mod h1:R63Ldltd47Bs4gnhQkmNDse5w8gBRrhObZ54PxgR2Oo= +cloud.google.com/go/secretmanager v1.11.1/go.mod h1:znq9JlXgTNdBeQk9TBW/FnR/W4uChEKGeqQWAJ8SXFw= +cloud.google.com/go/security v1.15.1/go.mod h1:MvTnnbsWnehoizHi09zoiZob0iCHVcL4AUBj76h9fXA= +cloud.google.com/go/securitycenter v1.23.0/go.mod h1:8pwQ4n+Y9WCWM278R8W3nF65QtY172h4S8aXyI9/hsQ= +cloud.google.com/go/servicedirectory v1.10.1/go.mod h1:Xv0YVH8s4pVOwfM/1eMTl0XJ6bzIOSLDt8f8eLaGOxQ= +cloud.google.com/go/shell v1.7.1/go.mod h1:u1RaM+huXFaTojTbW4g9P5emOrrmLE69KrxqQahKn4g= +cloud.google.com/go/spanner v1.47.0/go.mod h1:IXsJwVW2j4UKs0eYDqodab6HgGuA1bViSqW4uH9lfUI= +cloud.google.com/go/speech v1.17.1/go.mod h1:8rVNzU43tQvxDaGvqOhpDqgkJTFowBpDvCJ14kGlJYo= +cloud.google.com/go/storage v1.30.1/go.mod h1:NfxhC0UJE1aXSx7CIIbCf7y9HKT7BiccwkR7+P7gN8E= +cloud.google.com/go/storagetransfer v1.10.0/go.mod h1:DM4sTlSmGiNczmV6iZyceIh2dbs+7z2Ayg6YAiQlYfA= +cloud.google.com/go/talent v1.6.2/go.mod h1:CbGvmKCG61mkdjcqTcLOkb2ZN1SrQI8MDyma2l7VD24= +cloud.google.com/go/texttospeech v1.7.1/go.mod h1:m7QfG5IXxeneGqTapXNxv2ItxP/FS0hCZBwXYqucgSk= +cloud.google.com/go/tpu v1.6.1/go.mod h1:sOdcHVIgDEEOKuqUoi6Fq53MKHJAtOwtz0GuKsWSH3E= +cloud.google.com/go/trace v1.10.1/go.mod h1:gbtL94KE5AJLH3y+WVpfWILmqgc6dXcqgNXdOPAQTYk= +cloud.google.com/go/translate v1.8.1/go.mod h1:d1ZH5aaOA0CNhWeXeC8ujd4tdCFw8XoNWRljklu5RHs= +cloud.google.com/go/video v1.17.1/go.mod h1:9qmqPqw/Ib2tLqaeHgtakU+l5TcJxCJbhFXM7UJjVzU= +cloud.google.com/go/videointelligence v1.11.1/go.mod h1:76xn/8InyQHarjTWsBR058SmlPCwQjgcvoW0aZykOvo= +cloud.google.com/go/vision/v2 v2.7.2/go.mod h1:jKa8oSYBWhYiXarHPvP4USxYANYUEdEsQrloLjrSwJU= +cloud.google.com/go/vmmigration v1.7.1/go.mod h1:WD+5z7a/IpZ5bKK//YmT9E047AD+rjycCAvyMxGJbro= +cloud.google.com/go/vmwareengine v0.4.1/go.mod h1:Px64x+BvjPZwWuc4HdmVhoygcXqEkGHXoa7uyfTgSI0= +cloud.google.com/go/vpcaccess v1.7.1/go.mod h1:FogoD46/ZU+JUBX9D606X21EnxiszYi2tArQwLY4SXs= +cloud.google.com/go/webrisk v1.9.1/go.mod h1:4GCmXKcOa2BZcZPn6DCEvE7HypmEJcJkr4mtM+sqYPc= +cloud.google.com/go/websecurityscanner v1.6.1/go.mod h1:Njgaw3rttgRHXzwCB8kgCYqv5/rGpFCsBOvPbYgszpg= +cloud.google.com/go/workflows v1.11.1/go.mod h1:Z+t10G1wF7h8LgdY/EmRcQY8ptBD/nvofaL6FqlET6g= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/NYTimes/gziphandler v1.1.1/go.mod h1:n/CVRwUEOgIxrgPvAQhUUr9oeUtvrhMomdKFjzJNB0c= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= +github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/udpa/go v0.0.0-20220112060539-c52dc94e7fbe/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= +github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= +github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= +github.com/envoyproxy/go-control-plane v0.11.1/go.mod h1:uhMcXKCQMEJHiAb0w+YGefQLaTEw+YhGluxZkrTmD0g= +github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= +github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k= +github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= +github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= +github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= +github.com/googleapis/gax-go/v2 v2.11.0/go.mod h1:DxmR61SGKkGLa2xigwuZIQpkCI2S5iydzRfb3peWZJI= +github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47RKZmLU= +github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM= +github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= +github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0= +golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6 h1:QE6XYQK6naiK1EPAe1g/ILLxN5RBoH5xkJk3CqlMI/Y= +golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= +golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc= +golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= +google.golang.org/api v0.126.0/go.mod h1:mBwVAtz+87bEN6CbA1GtZPDOqY2R5ONPqJeIlvyo4Aw= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mREFX5MORlOPEzLMr+90PPZQ2QWzrVTWfAq64= +google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y= +google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g= +google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0= +google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig= +google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ= +google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:8mL13HKkDa+IuJ8yruA3ci0q+0vsUz4m//+ottjwS5o= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= +google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= +google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ= +google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= +google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= +k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= +k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= +k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= diff --git a/hack/generate-e2e-suite-doc.sh b/hack/generate-e2e-suite-doc.sh deleted file mode 100755 index a4ccc8fc2..000000000 --- a/hack/generate-e2e-suite-doc.sh +++ /dev/null @@ -1,53 +0,0 @@ -#!/bin/bash - -# Copyright 2020 The Kubernetes Authors. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if [ -n "$DEBUG" ]; then - set -x -fi - -URL="https://github.com/kubernetes/ingress-nginx/tree/main/" -DIR=$(cd $(dirname "${BASH_SOURCE}")/.. && pwd -P) - -echo " - -# e2e test suite for [Ingress NGINX Controller]($URL) - -" - -for FILE in $(find $DIR/test/e2e -name "*.go");do - # describe definition - DESCRIBE=$(cat $FILE | grep -n -oP 'Describe.*') - # line number - DESCRIBE_LINE=$(echo $DESCRIBE | cut -f1 -d ':') - # clean describe, extracting the string - DESCRIBE=$(echo $DESCRIBE | sed -En 's/.*("|`)(.*)("|`).*/\2/p') - - FILE_URL=$(echo $FILE | sed "s|${DIR}/|${URL}|g") - echo " -### [$DESCRIBE]($FILE_URL#L$DESCRIBE_LINE) -" - - # extract Tests - ITS=$(cat $FILE | grep -n -oP 'It\(.*') - while IFS= read -r line; do - IT_LINE=$(echo $line | cut -f1 -d ':') - IT=$(echo $line | sed -En 's/.*("|`)(.*)("|`).*/\2/p') - echo "- [$IT]($FILE_URL#L$IT_LINE)" - done <<< "$ITS" -done diff --git a/hack/verify-golint.sh b/hack/verify-golint.sh index 7c9284880..17bcedd9f 100755 --- a/hack/verify-golint.sh +++ b/hack/verify-golint.sh @@ -22,19 +22,13 @@ KUBE_ROOT=$(dirname "${BASH_SOURCE}")/.. cd "${KUBE_ROOT}" -GOLINT=${GOLINT:-"golint"} -PACKAGES=($(go list ./internal/... | grep -v /vendor/)) -bad_files=() -for package in "${PACKAGES[@]}"; do - out=$("${GOLINT}" -min_confidence=0.9 "${package}" | grep -v -E '(should not use dot imports|internal/file/bindata.go)' || :) - if [[ -n "${out}" ]]; then - bad_files+=("${out}") - fi -done -if [[ "${#bad_files[@]}" -ne 0 ]]; then - echo "!!! '$GOLINT' problems: " - echo "${bad_files[@]}" - exit 1 +LINT=${LINT:-golangci-lint} + +if [[ -z "$(command -v ${LINT})" ]]; then + echo "${LINT} is missing. Installing it now." + # See: https://golangci-lint.run/usage/install/#local-installation + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.53.3 + LINT=$(go env GOPATH)/bin/golangci-lint fi -# ex: ts=2 sw=2 et filetype=sh +${LINT} run diff --git a/images/custom-error-pages/rootfs/Dockerfile b/images/custom-error-pages/rootfs/Dockerfile index 04bcb8e08..8ae42317d 100755 --- a/images/custom-error-pages/rootfs/Dockerfile +++ b/images/custom-error-pages/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20.5-alpine3.18 as builder +FROM golang:1.21.1-alpine3.18 as builder RUN apk update \ && apk upgrade && apk add git @@ -32,6 +32,7 @@ FROM gcr.io/distroless/static:nonroot COPY --from=builder /go/src/k8s.io/ingress-nginx/images/custom-error-pages/nginx-errors / COPY --from=builder /go/src/k8s.io/ingress-nginx/images/custom-error-pages/www /www +COPY --from=builder /go/src/k8s.io/ingress-nginx/images/custom-error-pages/etc /etc USER nonroot:nonroot CMD ["/nginx-errors"] diff --git a/images/custom-error-pages/rootfs/go.mod b/images/custom-error-pages/rootfs/go.mod index 89e47a4b5..1fc8f9939 100644 --- a/images/custom-error-pages/rootfs/go.mod +++ b/images/custom-error-pages/rootfs/go.mod @@ -1,6 +1,6 @@ module k8s.io/ingress-nginx/custom-error-pages -go 1.20 +go 1.21.1 require github.com/prometheus/client_golang v1.11.1 diff --git a/images/ext-auth-example-authsvc/rootfs/Dockerfile b/images/ext-auth-example-authsvc/rootfs/Dockerfile index 02d92d773..f0b51374b 100644 --- a/images/ext-auth-example-authsvc/rootfs/Dockerfile +++ b/images/ext-auth-example-authsvc/rootfs/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20.5-alpine3.18 as builder +FROM golang:1.21.1-alpine3.18 as builder RUN mkdir /authsvc WORKDIR /authsvc COPY . ./ diff --git a/images/ext-auth-example-authsvc/rootfs/go.mod b/images/ext-auth-example-authsvc/rootfs/go.mod index cc5124072..df99c08b0 100644 --- a/images/ext-auth-example-authsvc/rootfs/go.mod +++ b/images/ext-auth-example-authsvc/rootfs/go.mod @@ -1,6 +1,6 @@ module example.com/authsvc -go 1.20 +go 1.21.1 require k8s.io/apimachinery v0.23.1 diff --git a/images/fastcgi-helloserver/rootfs/Dockerfile b/images/fastcgi-helloserver/rootfs/Dockerfile index 096d31abb..d4ed8305f 100755 --- a/images/fastcgi-helloserver/rootfs/Dockerfile +++ b/images/fastcgi-helloserver/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20.5-alpine3.18 as builder +FROM golang:1.21.1-alpine3.18 as builder WORKDIR /go/src/k8s.io/ingress-nginx/images/fastcgi diff --git a/images/fastcgi-helloserver/rootfs/main.go b/images/fastcgi-helloserver/rootfs/main.go index a42c9a487..710f90f2c 100644 --- a/images/fastcgi-helloserver/rootfs/main.go +++ b/images/fastcgi-helloserver/rootfs/main.go @@ -16,13 +16,13 @@ func hello(w http.ResponseWriter, r *http.Request) { } key := keys[0] - fmt.Fprintf(w, "Hello "+string(key)+"!") + fmt.Fprintf(w, "Hello "+key+"!") } func main() { http.HandleFunc("/hello", hello) - l, err := net.Listen("tcp", "0.0.0.0:9000") + l, err := net.Listen("tcp", "0.0.0.0:9000") //nolint:gosec // Ignore the gosec error since it's a hello server if err != nil { panic(err) } diff --git a/images/go-grpc-greeter-server/rootfs/Dockerfile b/images/go-grpc-greeter-server/rootfs/Dockerfile index 46f916fb4..6460ce154 100644 --- a/images/go-grpc-greeter-server/rootfs/Dockerfile +++ b/images/go-grpc-greeter-server/rootfs/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20.5-alpine3.18 as build +FROM golang:1.21.1-alpine3.18 as build WORKDIR /go/src/greeter-server diff --git a/images/go-grpc-greeter-server/rootfs/main.go b/images/go-grpc-greeter-server/rootfs/main.go index 569273dfd..d7fc36208 100644 --- a/images/go-grpc-greeter-server/rootfs/main.go +++ b/images/go-grpc-greeter-server/rootfs/main.go @@ -41,7 +41,7 @@ type hwServer struct { } // SayHello implements helloworld.GreeterServer -func (s *hwServer) SayHello(ctx context.Context, in *hwpb.HelloRequest) (*hwpb.HelloReply, error) { +func (s *hwServer) SayHello(_ context.Context, in *hwpb.HelloRequest) (*hwpb.HelloReply, error) { return &hwpb.HelloReply{Message: "Hello " + in.Name}, nil } @@ -49,7 +49,7 @@ type ecServer struct { ecpb.UnimplementedEchoServer } -func (s *ecServer) UnaryEcho(ctx context.Context, req *ecpb.EchoRequest) (*ecpb.EchoResponse, error) { +func (s *ecServer) UnaryEcho(_ context.Context, req *ecpb.EchoRequest) (*ecpb.EchoResponse, error) { return &ecpb.EchoResponse{Message: req.Message}, nil } diff --git a/images/httpbun/rootfs/Dockerfile b/images/httpbun/rootfs/Dockerfile index e88716bb8..dd2d04502 100644 --- a/images/httpbun/rootfs/Dockerfile +++ b/images/httpbun/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20.5 AS builder +FROM golang:1.21.1 AS builder ENV LC_ALL=C.UTF-8 ENV LANG=C.UTF-8 diff --git a/images/kube-webhook-certgen/rootfs/Dockerfile b/images/kube-webhook-certgen/rootfs/Dockerfile index 13226dbe2..4a7e32ced 100644 --- a/images/kube-webhook-certgen/rootfs/Dockerfile +++ b/images/kube-webhook-certgen/rootfs/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM golang:1.20.5 as builder +FROM --platform=$BUILDPLATFORM golang:1.21.1 as builder ARG BUILDPLATFORM ARG TARGETARCH diff --git a/images/kube-webhook-certgen/rootfs/go.mod b/images/kube-webhook-certgen/rootfs/go.mod index 49f95828f..b2870f840 100644 --- a/images/kube-webhook-certgen/rootfs/go.mod +++ b/images/kube-webhook-certgen/rootfs/go.mod @@ -1,6 +1,6 @@ module github.com/jet/kube-webhook-certgen -go 1.20 +go 1.21.1 require ( github.com/onrik/logrus v0.9.0 diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile index 7627870ba..d5cd8c143 100644 --- a/images/nginx/rootfs/Dockerfile +++ b/images/nginx/rootfs/Dockerfile @@ -40,7 +40,6 @@ RUN apk update \ pcre \ zlib \ geoip \ - curl \ ca-certificates \ patch \ yajl \ diff --git a/images/nginx/rootfs/build.sh b/images/nginx/rootfs/build.sh index db1eebfb8..e35fde7f4 100755 --- a/images/nginx/rootfs/build.sh +++ b/images/nginx/rootfs/build.sh @@ -63,7 +63,7 @@ export MODSECURITY_VERSION=1.0.3 export MODSECURITY_LIB_VERSION=e9a7ba4a60be48f761e0328c6dfcc668d70e35a0 # Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.2...v3.3/master -export OWASP_MODSECURITY_CRS_VERSION=v3.3.4 +export OWASP_MODSECURITY_CRS_VERSION=v3.3.5 # Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/v0.10.25...master export LUA_NGX_VERSION=0.10.25 diff --git a/images/opentelemetry/rootfs/CMakeLists.txt b/images/opentelemetry/rootfs/CMakeLists.txt index ef90b5805..2a816ebf7 100644 --- a/images/opentelemetry/rootfs/CMakeLists.txt +++ b/images/opentelemetry/rootfs/CMakeLists.txt @@ -25,6 +25,7 @@ set(CMAKE_CXX_STANDARD 17) set(CMAKE_CXX_EXTENSIONS OFF) set(CMAKE_CXX_STANDARD_REQUIRED ON) set(CMAKE_CXX_FLAGS "-O2") +set(CMAKE_VERBOSE_MAKEFILE ON CACHE BOOL "ON" FORCE) set(CMAKE_BUILD_TYPE Release @@ -82,12 +83,18 @@ ExternalProject_Add( -DgRPC_BUILD_TESTS=OFF -DBUILD_SHARED_LIBS=OFF -DgRPC_INSTALL=ON + -DgRPC_BUILD_GRPC_NODE_PLUGIN=OFF + -DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN=OFF + -DgRPC_BUILD_GRPC_PHP_PLUGIN=OFF + -DgRPC_BUILD_GRPC_PYTHON_PLUGIN=OFF + -DgRPC_BUILD_GRPC_RUBY_PLUGIN=OFF CMAKE_CACHE_ARGS -DCMAKE_CXX_FLAGS:STRING=${CMAKE_CXX_FLAGS} - TEST_AFTER_INSTALL 0 - DOWNLOAD_NO_PROGRESS 1 - LOG_CONFIGURE 1 - LOG_BUILD 0 - LOG_INSTALL 1) + TEST_AFTER_INSTALL FALSE + USES_TERMINAL_BUILD TRUE + DOWNLOAD_NO_PROGRESS TRUE + LOG_CONFIGURE TRUE + LOG_BUILD TRUE + LOG_INSTALL TRUE) install( DIRECTORY ${STAGED_INSTALL_PREFIX}/ diff --git a/images/opentelemetry/rootfs/Dockerfile b/images/opentelemetry/rootfs/Dockerfile index f3628b1f3..819c0d42c 100644 --- a/images/opentelemetry/rootfs/Dockerfile +++ b/images/opentelemetry/rootfs/Dockerfile @@ -21,19 +21,24 @@ COPY . /opt/third_party/ # install build tools RUN apk update \ && apk upgrade \ - && apk add -U bash cmake ninja \ + && apk add -U bash \ && bash /opt/third_party/build.sh -p -ENV NINJA_STATUS "[%p/%f/%t]" +ENV NINJA_STATUS "[%p/%f/%t] " # install gRPC FROM base as grpc -RUN bash /opt/third_party/build.sh -g v1.49.2 +RUN bash /opt/third_party/build.sh -g v1.57.0 + +# install abseil-cpp +FROM base as absl-cpp +RUN bash /opt/third_party/build.sh -a 20230802.0 # install OpenTelemetry-cpp FROM base as otel-cpp COPY --from=grpc /opt/third_party/install/ /usr -RUN bash /opt/third_party/build.sh -o v1.8.1 +COPY --from=absl-cpp /opt/third_party/install/ /usr +RUN bash /opt/third_party/build.sh -o v1.11.0 # install otel_ngx_module.so FROM base as nginx @@ -52,6 +57,5 @@ RUN CGO_ENABLED=0 go build -o /go/bin/init_module FROM cgr.dev/chainguard/static as final COPY --from=build-init /go/bin/init_module / COPY --from=nginx /etc/nginx/modules /etc/nginx/modules -COPY --from=nginx /opt/third_party/install/lib /etc/nginx/modules CMD ["/init_module"] diff --git a/images/opentelemetry/rootfs/build.sh b/images/opentelemetry/rootfs/build.sh index 30faad304..ebf95e219 100755 --- a/images/opentelemetry/rootfs/build.sh +++ b/images/opentelemetry/rootfs/build.sh @@ -21,6 +21,7 @@ set -o pipefail export GRPC_GIT_TAG=${GRPC_GIT_TAG:="v1.43.2"} # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp/compare/v1.2.0...main export OPENTELEMETRY_CPP_VERSION=${OPENTELEMETRY_CPP_VERSION:="1.2.0"} +export ABSL_CPP_VERSION=${ABSL_CPP_VERSION:="20230802.0"} export INSTAL_DIR=/opt/third_party/install # improve compilation times CORES=$(($(grep -c ^processor /proc/cpuinfo) - 1)) @@ -54,6 +55,8 @@ prepare() { apk add \ linux-headers \ + cmake \ + ninja \ openssl \ curl-dev \ openssl-dev \ @@ -71,14 +74,32 @@ install_grpc() cd ${BUILD_PATH}/grpc cmake -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ -G Ninja \ - -DGRPC_GIT_TAG=${GRPC_GIT_TAG} /opt/third_party \ - -DgRPC_BUILD_GRPC_NODE_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_PHP_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_PHP_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_PYTHON_PLUGIN=OFF \ - -DgRPC_BUILD_GRPC_RUBY_PLUGIN=OFF - cmake --build . -j ${CORES} --target all install + -DGRPC_GIT_TAG=${GRPC_GIT_TAG} /opt/third_party + + cmake --build . -j ${CORES} --target all install --verbose +} + +install_absl() +{ + cd ${BUILD_PATH} + export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+LD_LIBRARY_PATH:}${INSTAL_DIR}/lib:/usr/local" + export PATH="${PATH}:${INSTAL_DIR}/bin" + git clone --recurse-submodules -j ${CORES} --depth=1 -b \ + ${ABSL_CPP_VERSION} https://github.com/abseil/abseil-cpp.git abseil-cpp-${ABSL_CPP_VERSION} + cd "abseil-cpp-${ABSL_CPP_VERSION}" + mkdir -p .build + cd .build + + cmake -DCMAKE_BUILD_TYPE=Release \ + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ + -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE \ + -DBUILD_TESTING=OFF \ + -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ + -DABSL_PROPAGATE_CXX_STD=ON \ + -DBUILD_SHARED_LIBS=OFF \ + .. + cmake --build . -j ${CORES} --target install } install_otel() @@ -94,17 +115,19 @@ install_otel() cmake -DCMAKE_BUILD_TYPE=Release \ -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ -DCMAKE_POSITION_INDEPENDENT_CODE=TRUE \ -DWITH_ZIPKIN=OFF \ - -DWITH_JAEGER=OFF \ -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ -DBUILD_TESTING=OFF \ + -DWITH_BENCHMARK=OFF \ + -DWITH_FUNC_TESTS=OFF \ -DBUILD_SHARED_LIBS=OFF \ - -DWITH_OTLP=ON \ -DWITH_OTLP_GRPC=ON \ -DWITH_OTLP_HTTP=OFF \ - -DWITH_ABSEIL=OFF \ + -DWITH_ABSEIL=ON \ -DWITH_EXAMPLES=OFF \ + -DWITH_NO_DEPRECATED_CODE=ON \ .. cmake --build . -j ${CORES} --target install } @@ -128,7 +151,7 @@ install_nginx() export NGINX_VERSION=1.21.6 # Check for recent changes: https://github.com/open-telemetry/opentelemetry-cpp-contrib/compare/2656a4...main - export OPENTELEMETRY_CONTRIB_COMMIT=1ec94c82095bab61f06c7393b6f3272469d285af + export OPENTELEMETRY_CONTRIB_COMMIT=aaa51e2297bcb34297f3c7aa44fa790497d2f7f3 mkdir -p /etc/nginx cd "$BUILD_PATH" @@ -145,20 +168,19 @@ install_nginx() mkdir -p build cd build cmake -DCMAKE_BUILD_TYPE=Release \ - -G Ninja \ - -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ - -DBUILD_SHARED_LIBS=ON \ - -DNGINX_VERSION=${NGINX_VERSION} \ - .. + -G Ninja \ + -DCMAKE_CXX_STANDARD=17 \ + -DCMAKE_INSTALL_PREFIX=${INSTAL_DIR} \ + -DBUILD_SHARED_LIBS=ON \ + -DNGINX_VERSION=${NGINX_VERSION} \ + .. cmake --build . -j ${CORES} --target install mkdir -p /etc/nginx/modules cp ${INSTAL_DIR}/otel_ngx_module.so /etc/nginx/modules/otel_ngx_module.so - - mkdir -p ${INSTAL_DIR}/lib } -while getopts ":hpng:o:" option; do +while getopts ":pha:g:o:n" option; do case $option in h) # display Help Help @@ -177,6 +199,10 @@ while getopts ":hpng:o:" option; do n) # install nginx install_nginx exit;; + a) # install abseil + ABSL_CPP_VERSION=${OPTARG} + install_absl + exit;; \?) Help exit;; diff --git a/images/opentelemetry/rootfs/go.mod b/images/opentelemetry/rootfs/go.mod index f636c81b7..2ca85f584 100644 --- a/images/opentelemetry/rootfs/go.mod +++ b/images/opentelemetry/rootfs/go.mod @@ -1,3 +1,3 @@ -module init-otel - -go 1.20 +module init-otel + +go 1.21.1 diff --git a/images/test-runner/Makefile b/images/test-runner/Makefile index 3cd378937..dc83dd4a2 100644 --- a/images/test-runner/Makefile +++ b/images/test-runner/Makefile @@ -43,7 +43,7 @@ image: --pull \ --push \ --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ - --build-arg GOLANG_VERSION=1.20.6 \ + --build-arg GOLANG_VERSION=1.21.1 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ @@ -64,7 +64,7 @@ build: ensure-buildx --progress=${PROGRESS} \ --pull \ --build-arg BASE_IMAGE=${NGINX_BASE_IMAGE} \ - --build-arg GOLANG_VERSION=1.20.6 \ + --build-arg GOLANG_VERSION=1.21.1 \ --build-arg ETCD_VERSION=3.4.3-0 \ --build-arg K8S_RELEASE=v1.26.0 \ --build-arg RESTY_CLI_VERSION=0.27 \ diff --git a/images/test-runner/rootfs/Dockerfile b/images/test-runner/rootfs/Dockerfile index 40017f775..161b6caf4 100644 --- a/images/test-runner/rootfs/Dockerfile +++ b/images/test-runner/rootfs/Dockerfile @@ -65,7 +65,6 @@ RUN apk update && apk upgrade && apk add --no-cache \ unzip \ openssl \ cfssl@testing \ - curl \ tzdata \ libc6-compat diff --git a/internal/admission/controller/main.go b/internal/admission/controller/main.go index f59bf2091..888818c89 100644 --- a/internal/admission/controller/main.go +++ b/internal/admission/controller/main.go @@ -42,19 +42,16 @@ type IngressAdmission struct { Checker Checker } -var ( - ingressResource = metav1.GroupVersionKind{ - Group: networking.GroupName, - Version: "v1", - Kind: "Ingress", - } -) +var ingressResource = metav1.GroupVersionKind{ + Group: networking.GroupName, + Version: "v1", + Kind: "Ingress", +} // HandleAdmission populates the admission Response // with Allowed=false if the Object is an ingress that would prevent nginx to reload the configuration // with Allowed=true otherwise func (ia *IngressAdmission) HandleAdmission(obj runtime.Object) (runtime.Object, error) { - review, isV1 := obj.(*admissionv1.AdmissionReview) if !isV1 { return nil, fmt.Errorf("request is not of type AdmissionReview v1 or v1beta1") diff --git a/internal/admission/controller/main_test.go b/internal/admission/controller/main_test.go index 8c42f87ef..1d223cc9e 100644 --- a/internal/admission/controller/main_test.go +++ b/internal/admission/controller/main_test.go @@ -33,12 +33,12 @@ type failTestChecker struct { t *testing.T } -func (ftc failTestChecker) CheckIngress(ing *networking.Ingress) error { +func (ftc failTestChecker) CheckIngress(_ *networking.Ingress) error { ftc.t.Error("checker should not be called") return nil } -func (ftc failTestChecker) CheckWarning(ing *networking.Ingress) ([]string, error) { +func (ftc failTestChecker) CheckWarning(_ *networking.Ingress) ([]string, error) { ftc.t.Error("checker should not be called") return nil, nil } diff --git a/internal/admission/controller/server.go b/internal/admission/controller/server.go index 3fa70971f..7fc61bcbb 100644 --- a/internal/admission/controller/server.go +++ b/internal/admission/controller/server.go @@ -26,9 +26,7 @@ import ( "k8s.io/klog/v2" ) -var ( - scheme = runtime.NewScheme() -) +var scheme = runtime.NewScheme() func init() { if err := admissionv1.AddToScheme(scheme); err != nil { diff --git a/internal/ingress/annotations/alias/main.go b/internal/ingress/annotations/alias/main.go index 4a5e6f188..7a33e648e 100644 --- a/internal/ingress/annotations/alias/main.go +++ b/internal/ingress/annotations/alias/main.go @@ -72,7 +72,7 @@ func (a alias) Parse(ing *networking.Ingress) (interface{}, error) { aliases := sets.NewString() for _, alias := range strings.Split(val, ",") { alias = strings.TrimSpace(alias) - if len(alias) == 0 { + if alias == "" { continue } diff --git a/internal/ingress/annotations/alias/main_test.go b/internal/ingress/annotations/alias/main_test.go index 1965f2630..f1d68c1f7 100644 --- a/internal/ingress/annotations/alias/main_test.go +++ b/internal/ingress/annotations/alias/main_test.go @@ -65,9 +65,9 @@ func TestParse(t *testing.T) { if testCase.skipValidation { parser.EnableAnnotationValidation = false } - defer func() { + t.Cleanup(func() { parser.EnableAnnotationValidation = true - }() + }) result, err := ap.Parse(ing) if (err != nil) != testCase.wantErr { t.Errorf("ParseAliasAnnotation() annotation: %s, error = %v, wantErr %v", testCase.annotations, err, testCase.wantErr) diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go index 5371e6eb7..38843c2db 100644 --- a/internal/ingress/annotations/annotations.go +++ b/internal/ingress/annotations/annotations.go @@ -86,37 +86,36 @@ type Ingress struct { CorsConfig cors.Config CustomHTTPErrors []int DefaultBackend *apiv1.Service - //TODO: Change this back into an error when https://github.com/imdario/mergo/issues/100 is resolved - FastCGI fastcgi.Config - Denied *string - ExternalAuth authreq.Config - EnableGlobalAuth bool - HTTP2PushPreload bool - Opentracing opentracing.Config - Opentelemetry opentelemetry.Config - Proxy proxy.Config - ProxySSL proxyssl.Config - RateLimit ratelimit.Config - GlobalRateLimit globalratelimit.Config - Redirect redirect.Config - Rewrite rewrite.Config - Satisfy string - ServerSnippet string - ServiceUpstream bool - SessionAffinity sessionaffinity.Config - SSLPassthrough bool - UsePortInRedirects bool - UpstreamHashBy upstreamhashby.Config - LoadBalancing string - UpstreamVhost string - Denylist ipdenylist.SourceRange - XForwardedPrefix string - SSLCipher sslcipher.Config - Logs log.Config - ModSecurity modsecurity.Config - Mirror mirror.Config - StreamSnippet string - Allowlist ipallowlist.SourceRange + FastCGI fastcgi.Config + Denied *string + ExternalAuth authreq.Config + EnableGlobalAuth bool + HTTP2PushPreload bool + Opentracing opentracing.Config + Opentelemetry opentelemetry.Config + Proxy proxy.Config + ProxySSL proxyssl.Config + RateLimit ratelimit.Config + GlobalRateLimit globalratelimit.Config + Redirect redirect.Config + Rewrite rewrite.Config + Satisfy string + ServerSnippet string + ServiceUpstream bool + SessionAffinity sessionaffinity.Config + SSLPassthrough bool + UsePortInRedirects bool + UpstreamHashBy upstreamhashby.Config + LoadBalancing string + UpstreamVhost string + Denylist ipdenylist.SourceRange + XForwardedPrefix string + SSLCipher sslcipher.Config + Logs log.Config + ModSecurity modsecurity.Config + Mirror mirror.Config + StreamSnippet string + Allowlist ipallowlist.SourceRange } // Extractor defines the annotation parsers to be used in the extraction of annotations diff --git a/internal/ingress/annotations/annotations_test.go b/internal/ingress/annotations/annotations_test.go index 2b2a64268..5f8128e0d 100644 --- a/internal/ingress/annotations/annotations_test.go +++ b/internal/ingress/annotations/annotations_test.go @@ -64,7 +64,11 @@ func (m mockCfg) GetService(name string) (*apiv1.Service, error) { } func (m mockCfg) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error) { - if secret, _ := m.GetSecret(name); secret != nil { + secret, err := m.GetSecret(name) + if err != nil { + return nil, err + } + if secret != nil { return &resolver.AuthSSLCert{ Secret: name, CAFileName: "/opt/ca.pem", @@ -270,9 +274,9 @@ func TestCors(t *testing.T) { if r.CorsAllowCredentials != foo.credentials { t.Errorf("Returned %v but expected %v for Cors Credentials", r.CorsAllowCredentials, foo.credentials) } - } } + func TestCustomHTTPErrors(t *testing.T) { ec := NewAnnotationExtractor(mockCfg{}) ing := buildIngress() diff --git a/internal/ingress/annotations/auth/main.go b/internal/ingress/annotations/auth/main.go index beecebdb1..7c7fde7b8 100644 --- a/internal/ingress/annotations/auth/main.go +++ b/internal/ingress/annotations/auth/main.go @@ -50,7 +50,7 @@ var ( ) var AuthSecretConfig = parser.AnnotationConfig{ - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars Documentation: `This annotation defines the name of the Secret that contains the usernames and passwords which are granted access to the paths defined in the Ingress rules. `, @@ -61,20 +61,20 @@ var authSecretAnnotations = parser.Annotation{ Annotations: parser.AnnotationFields{ AuthSecretAnnotation: AuthSecretConfig, authSecretTypeAnnotation: { - Validator: parser.ValidateRegex(*authSecretTypeRegex, true), + Validator: parser.ValidateRegex(authSecretTypeRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, Documentation: `This annotation what is the format of auth-secret value. Can be "auth-file" that defines the content of an htpasswd file, or "auth-map" where each key is a user and each value is the password.`, }, authRealmAnnotation: { - Validator: parser.ValidateRegex(*parser.CharsWithSpace, false), + Validator: parser.ValidateRegex(parser.CharsWithSpace, false), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars Documentation: `This annotation defines the realm (message) that should be shown to user when authentication is requested.`, }, authTypeAnnotation: { - Validator: parser.ValidateRegex(*authTypeRegex, true), + Validator: parser.ValidateRegex(authTypeRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, Documentation: `This annotation defines the basic authentication type. Should be "basic" or "digest"`, @@ -167,14 +167,14 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { s, err := parser.GetStringAnnotation(AuthSecretAnnotation, ing, a.annotationConfig.Annotations) if err != nil { - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("error reading secret name from annotation: %w", err), } } sns, sname, err := cache.SplitMetaNamespaceKey(s) if err != nil { - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("error reading secret name from annotation: %w", err), } } @@ -185,7 +185,7 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { secCfg := a.r.GetSecurityConfiguration() // We don't accept different namespaces for secrets. if !secCfg.AllowCrossNamespaceResources && sns != ing.Namespace { - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("cross namespace usage of secrets is not allowed"), } } @@ -193,7 +193,7 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { name := fmt.Sprintf("%v/%v", sns, sname) secret, err := a.r.GetSecret(name) if err != nil { - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("unexpected error reading secret %s: %w", name, err), } } @@ -217,7 +217,7 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { return nil, err } default: - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("invalid auth-secret-type in annotation, must be 'auth-file' or 'auth-map': %w", err), } } @@ -238,14 +238,14 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) { func dumpSecretAuthFile(filename string, secret *api.Secret) error { val, ok := secret.Data["auth"] if !ok { - return ing_errors.LocationDenied{ + return ing_errors.LocationDeniedError{ Reason: fmt.Errorf("the secret %s does not contain a key with value auth", secret.Name), } } err := os.WriteFile(filename, val, file.ReadWriteByUser) if err != nil { - return ing_errors.LocationDenied{ + return ing_errors.LocationDeniedError{ Reason: fmt.Errorf("unexpected error creating password file: %w", err), } } @@ -264,7 +264,7 @@ func dumpSecretAuthMap(filename string, secret *api.Secret) error { err := os.WriteFile(filename, []byte(builder.String()), file.ReadWriteByUser) if err != nil { - return ing_errors.LocationDenied{ + return ing_errors.LocationDeniedError{ Reason: fmt.Errorf("unexpected error creating password file: %w", err), } } diff --git a/internal/ingress/annotations/auth/main_test.go b/internal/ingress/annotations/auth/main_test.go index 2a9dc7c72..868f31a05 100644 --- a/internal/ingress/annotations/auth/main_test.go +++ b/internal/ingress/annotations/auth/main_test.go @@ -32,6 +32,15 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +//nolint:gosec // Ignore hardcoded credentials error in testing +const ( + authType = "basic" + authRealm = "-realm-" + defaultDemoSecret = "default/demo-secret" + othernsDemoSecret = "otherns/demo-secret" + demoSecret = "demo-secret" +) + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -80,7 +89,7 @@ type mockSecret struct { } func (m mockSecret) GetSecret(name string) (*api.Secret, error) { - if name != "default/demo-secret" && name != "otherns/demo-secret" { + if name != defaultDemoSecret && name != othernsDemoSecret { return nil, fmt.Errorf("there is no secret with name %v", name) } @@ -92,7 +101,7 @@ func (m mockSecret) GetSecret(name string) (*api.Secret, error) { return &api.Secret{ ObjectMeta: meta_v1.ObjectMeta{ Namespace: ns, - Name: "demo-secret", + Name: demoSecret, }, Data: map[string][]byte{"auth": []byte("foo:$apr1$OFG3Xybp$ckL0FHDAkoXYIlH9.cysT0")}, }, nil @@ -129,9 +138,9 @@ func TestIngressInvalidRealm(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = "something weird ; location trying to { break }" - data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "demo-secret" + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = demoSecret ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -148,14 +157,14 @@ func TestIngressInvalidDifferentNamespace(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" - data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "otherns/demo-secret" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = othernsDemoSecret ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) defer os.RemoveAll(dir) - expected := ing_errors.LocationDenied{ + expected := ing_errors.LocationDeniedError{ Reason: errors.New("cross namespace usage of secrets is not allowed"), } _, err := NewParser(dir, &mockSecret{}).Parse(ing) @@ -168,8 +177,8 @@ func TestIngressInvalidDifferentNamespaceAllowed(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" - data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "otherns/demo-secret" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = othernsDemoSecret ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -187,14 +196,14 @@ func TestIngressInvalidSecretName(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "demo-secret;xpto" ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) defer os.RemoveAll(dir) - expected := ing_errors.LocationDenied{ + expected := ing_errors.LocationDeniedError{ Reason: errors.New("error reading secret name from annotation: annotation nginx.ingress.kubernetes.io/auth-secret contains invalid value"), } _, err := NewParser(dir, &mockSecret{}).Parse(ing) @@ -207,13 +216,13 @@ func TestInvalidIngressAuthNoSecret(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) defer os.RemoveAll(dir) - expected := ing_errors.LocationDenied{ + expected := ing_errors.LocationDeniedError{ Reason: errors.New("error reading secret name from annotation: ingress rule without annotations"), } _, err := NewParser(dir, &mockSecret{}).Parse(ing) @@ -226,9 +235,9 @@ func TestIngressAuth(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" - data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "demo-secret" - data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = "-realm-" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = demoSecret + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = authRealm ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -242,10 +251,10 @@ func TestIngressAuth(t *testing.T) { if !ok { t.Errorf("expected a BasicDigest type") } - if auth.Type != "basic" { + if auth.Type != authType { t.Errorf("Expected basic as auth type but returned %s", auth.Type) } - if auth.Realm != "-realm-" { + if auth.Realm != authRealm { t.Errorf("Expected -realm- as realm but returned %s", auth.Realm) } if !auth.Secured { @@ -257,9 +266,9 @@ func TestIngressAuthWithoutSecret(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "invalid-secret" - data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = "-realm-" + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = authRealm ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -275,10 +284,10 @@ func TestIngressAuthInvalidSecretKey(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = "basic" - data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = "demo-secret" + data[parser.GetAnnotationWithPrefix(authTypeAnnotation)] = authType + data[parser.GetAnnotationWithPrefix(AuthSecretAnnotation)] = demoSecret data[parser.GetAnnotationWithPrefix(authSecretTypeAnnotation)] = "invalid-type" - data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = "-realm-" + data[parser.GetAnnotationWithPrefix(authRealmAnnotation)] = authRealm ing.SetAnnotations(data) _, dir, _ := dummySecretContent(t) @@ -290,7 +299,7 @@ func TestIngressAuthInvalidSecretKey(t *testing.T) { } } -func dummySecretContent(t *testing.T) (string, string, *api.Secret) { +func dummySecretContent(t *testing.T) (fileName, dir string, s *api.Secret) { dir, err := os.MkdirTemp("", fmt.Sprintf("%v", time.Now().Unix())) if err != nil { t.Error(err) @@ -301,7 +310,10 @@ func dummySecretContent(t *testing.T) (string, string, *api.Secret) { t.Error(err) } defer tmpfile.Close() - s, _ := mockSecret{}.GetSecret("default/demo-secret") + s, err = mockSecret{}.GetSecret(defaultDemoSecret) + if err != nil { + t.Errorf("unexpected error: %v", err) + } return tmpfile.Name(), dir, s } diff --git a/internal/ingress/annotations/authreq/main.go b/internal/ingress/annotations/authreq/main.go index 2ab98ace0..c66b0ed47 100644 --- a/internal/ingress/annotations/authreq/main.go +++ b/internal/ingress/annotations/authreq/main.go @@ -33,20 +33,21 @@ import ( ) const ( - authReqURLAnnotation = "auth-url" - authReqMethodAnnotation = "auth-method" - authReqSigninAnnotation = "auth-signin" - authReqSigninRedirParamAnnotation = "auth-signin-redirect-param" - authReqSnippetAnnotation = "auth-snippet" - authReqCacheKeyAnnotation = "auth-cache-key" - authReqKeepaliveAnnotation = "auth-keepalive" - authReqKeepaliveRequestsAnnotation = "auth-keepalive-requests" - authReqKeepaliveTimeout = "auth-keepalive-timeout" - authReqCacheDuration = "auth-cache-duration" - authReqResponseHeadersAnnotation = "auth-response-headers" - authReqProxySetHeadersAnnotation = "auth-proxy-set-headers" - authReqRequestRedirectAnnotation = "auth-request-redirect" - authReqAlwaysSetCookieAnnotation = "auth-always-set-cookie" + authReqURLAnnotation = "auth-url" + authReqMethodAnnotation = "auth-method" + authReqSigninAnnotation = "auth-signin" + authReqSigninRedirParamAnnotation = "auth-signin-redirect-param" + authReqSnippetAnnotation = "auth-snippet" + authReqCacheKeyAnnotation = "auth-cache-key" + authReqKeepaliveAnnotation = "auth-keepalive" + authReqKeepaliveShareVarsAnnotation = "auth-keepalive-share-vars" + authReqKeepaliveRequestsAnnotation = "auth-keepalive-requests" + authReqKeepaliveTimeout = "auth-keepalive-timeout" + authReqCacheDuration = "auth-cache-duration" + authReqResponseHeadersAnnotation = "auth-response-headers" + authReqProxySetHeadersAnnotation = "auth-proxy-set-headers" + authReqRequestRedirectAnnotation = "auth-request-redirect" + authReqAlwaysSetCookieAnnotation = "auth-always-set-cookie" // This should be exported as it is imported by other packages AuthSecretAnnotation = "auth-secret" @@ -56,25 +57,25 @@ var authReqAnnotations = parser.Annotation{ Group: "authentication", Annotations: parser.AnnotationFields{ authReqURLAnnotation: { - Validator: parser.ValidateRegex(*parser.URLWithNginxVariableRegex, true), + Validator: parser.ValidateRegex(parser.URLWithNginxVariableRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskHigh, Documentation: `This annotation allows to indicate the URL where the HTTP request should be sent`, }, authReqMethodAnnotation: { - Validator: parser.ValidateRegex(*methodsRegex, true), + Validator: parser.ValidateRegex(methodsRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, Documentation: `This annotation allows to specify the HTTP method to use`, }, authReqSigninAnnotation: { - Validator: parser.ValidateRegex(*parser.URLWithNginxVariableRegex, true), + Validator: parser.ValidateRegex(parser.URLWithNginxVariableRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskHigh, Documentation: `This annotation allows to specify the location of the error page`, }, authReqSigninRedirParamAnnotation: { - Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation allows to specify the URL parameter in the error page which should contain the original URL for a failed signin request`, @@ -86,7 +87,7 @@ var authReqAnnotations = parser.Annotation{ Documentation: `This annotation allows to specify a custom snippet to use with external authentication`, }, authReqCacheKeyAnnotation: { - Validator: parser.ValidateRegex(*parser.NGINXVariable, true), + Validator: parser.ValidateRegex(parser.NGINXVariable, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation enables caching for auth requests.`, @@ -97,6 +98,12 @@ var authReqAnnotations = parser.Annotation{ Risk: parser.AnnotationRiskLow, Documentation: `This annotation specifies the maximum number of keepalive connections to auth-url. Only takes effect when no variables are used in the host part of the URL`, }, + authReqKeepaliveShareVarsAnnotation: { + Validator: parser.ValidateBool, + Scope: parser.AnnotationScopeLocation, + Risk: parser.AnnotationRiskLow, + Documentation: `This annotation specifies whether to share Nginx variables among the current request and the auth request`, + }, authReqKeepaliveRequestsAnnotation: { Validator: parser.ValidateInt, Scope: parser.AnnotationScopeLocation, @@ -110,26 +117,26 @@ var authReqAnnotations = parser.Annotation{ Documentation: `This annotation specifies a duration in seconds which an idle keepalive connection to an upstream server will stay open`, }, authReqCacheDuration: { - Validator: parser.ValidateRegex(*parser.ExtendedCharsRegex, false), + Validator: parser.ValidateRegex(parser.ExtendedCharsRegex, false), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation allows to specify a caching time for auth responses based on their response codes, e.g. 200 202 30m`, }, authReqResponseHeadersAnnotation: { - Validator: parser.ValidateRegex(*parser.HeadersVariable, true), + Validator: parser.ValidateRegex(parser.HeadersVariable, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation sets the headers to pass to backend once authentication request completes. They should be separated by comma.`, }, authReqProxySetHeadersAnnotation: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation sets the name of a ConfigMap that specifies headers to pass to the authentication service. Only ConfigMaps on the same namespace are allowed`, }, authReqRequestRedirectAnnotation: { - Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation allows to specify the X-Auth-Request-Redirect header value`, @@ -158,6 +165,7 @@ type Config struct { AuthCacheKey string `json:"authCacheKey"` AuthCacheDuration []string `json:"authCacheDuration"` KeepaliveConnections int `json:"keepaliveConnections"` + KeepaliveShareVars bool `json:"keepaliveShareVars"` KeepaliveRequests int `json:"keepaliveRequests"` KeepaliveTimeout int `json:"keepaliveTimeout"` ProxySetHeaders map[string]string `json:"proxySetHeaders,omitempty"` @@ -170,6 +178,7 @@ const DefaultCacheDuration = "200 202 401 5m" // fallback values when no keepalive parameters are set const ( defaultKeepaliveConnections = 0 + defaultKeepaliveShareVars = false defaultKeepaliveRequests = 1000 defaultKeepaliveTimeout = 60 ) @@ -218,6 +227,10 @@ func (e1 *Config) Equal(e2 *Config) bool { return false } + if e1.KeepaliveShareVars != e2.KeepaliveShareVars { + return false + } + if e1.KeepaliveRequests != e2.KeepaliveRequests { return false } @@ -236,8 +249,8 @@ func (e1 *Config) Equal(e2 *Config) bool { var ( methodsRegex = regexp.MustCompile("(GET|HEAD|POST|PUT|PATCH|DELETE|CONNECT|OPTIONS|TRACE)") headerRegexp = regexp.MustCompile(`^[a-zA-Z\d\-_]+$`) - statusCodeRegex = regexp.MustCompile(`^[\d]{3}$`) - durationRegex = regexp.MustCompile(`^[\d]+(ms|s|m|h|d|w|M|y)$`) // see http://nginx.org/en/docs/syntax.html + statusCodeRegex = regexp.MustCompile(`^\d{3}$`) + durationRegex = regexp.MustCompile(`^\d+(ms|s|m|h|d|w|M|y)$`) // see http://nginx.org/en/docs/syntax.html ) // ValidMethod checks is the provided string a valid HTTP method @@ -260,7 +273,7 @@ func ValidCacheDuration(duration string) bool { seenDuration := false for _, element := range elements { - if len(element) == 0 { + if element == "" { continue } if statusCodeRegex.MatchString(element) { @@ -291,6 +304,8 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { // ParseAnnotations parses the annotations contained in the ingress // rule used to use an Config URL as source for authentication +// +//nolint:gocyclo // Ignore function complexity error func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { // Required Parameters urlString, err := parser.GetStringAnnotation(authReqURLAnnotation, ing, a.annotationConfig.Annotations) @@ -300,7 +315,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { authURL, err := parser.StringToURL(urlString) if err != nil { - return nil, ing_errors.LocationDenied{Reason: fmt.Errorf("could not parse auth-url annotation: %v", err)} + return nil, ing_errors.LocationDeniedError{Reason: fmt.Errorf("could not parse auth-url annotation: %v", err)} } authMethod, err := parser.GetStringAnnotation(authReqMethodAnnotation, ing, a.annotationConfig.Annotations) @@ -357,6 +372,12 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { } } + keepaliveShareVars, err := parser.GetBoolAnnotation(authReqKeepaliveShareVarsAnnotation, ing, a.annotationConfig.Annotations) + if err != nil { + klog.V(3).InfoS("auth-keepalive-share-vars annotation is undefined and will be set to its default value") + keepaliveShareVars = defaultKeepaliveShareVars + } + keepaliveRequests, err := parser.GetIntAnnotation(authReqKeepaliveRequestsAnnotation, ing, a.annotationConfig.Annotations) if err != nil { klog.V(3).InfoS("auth-keepalive-requests annotation is undefined or invalid and will be set to its default value") @@ -391,7 +412,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { if err != nil && ing_errors.IsValidationError(err) { return nil, ing_errors.NewLocationDenied("validation error") } - if len(hstr) != 0 { + if hstr != "" { harr := strings.Split(hstr, ",") for _, header := range harr { header = strings.TrimSpace(header) @@ -411,7 +432,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { cns, _, err := cache.SplitMetaNamespaceKey(proxySetHeaderMap) if err != nil { - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("error reading configmap name %s from annotation: %w", proxySetHeaderMap, err), } } @@ -423,7 +444,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { secCfg := a.r.GetSecurityConfiguration() // We don't accept different namespaces for secrets. if !secCfg.AllowCrossNamespaceResources && cns != ing.Namespace { - return nil, ing_errors.LocationDenied{ + return nil, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("cross namespace usage of secrets is not allowed"), } } @@ -467,6 +488,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { AuthCacheKey: authCacheKey, AuthCacheDuration: authCacheDuration, KeepaliveConnections: keepaliveConnections, + KeepaliveShareVars: keepaliveShareVars, KeepaliveRequests: keepaliveRequests, KeepaliveTimeout: keepaliveTimeout, ProxySetHeaders: proxySetHeaders, @@ -479,7 +501,7 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) { // It will always return at least one duration (the default duration) func ParseStringToCacheDurations(input string) ([]string, error) { authCacheDuration := []string{} - if len(input) != 0 { + if input != "" { arr := strings.Split(input, ",") for _, duration := range arr { duration = strings.TrimSpace(duration) diff --git a/internal/ingress/annotations/authreq/main_test.go b/internal/ingress/annotations/authreq/main_test.go index 833bebe78..3e6df3d3b 100644 --- a/internal/ingress/annotations/authreq/main_test.go +++ b/internal/ingress/annotations/authreq/main_test.go @@ -17,7 +17,6 @@ limitations under the License. package authreq import ( - "fmt" "reflect" "testing" @@ -113,7 +112,7 @@ func TestAnnotations(t *testing.T) { data[parser.GetAnnotationWithPrefix("auth-url")] = test.url data[parser.GetAnnotationWithPrefix("auth-signin")] = test.signinURL data[parser.GetAnnotationWithPrefix("auth-signin-redirect-param")] = test.signinURLRedirectParam - data[parser.GetAnnotationWithPrefix("auth-method")] = fmt.Sprintf("%v", test.method) + data[parser.GetAnnotationWithPrefix("auth-method")] = test.method data[parser.GetAnnotationWithPrefix("auth-request-redirect")] = test.requestRedirect data[parser.GetAnnotationWithPrefix("auth-snippet")] = test.authSnippet data[parser.GetAnnotationWithPrefix("auth-cache-key")] = test.authCacheKey @@ -268,28 +267,31 @@ func TestKeepaliveAnnotations(t *testing.T) { title string url string keepaliveConnections string + keepaliveShareVars string keepaliveRequests string keepaliveTimeout string expectedConnections int + expectedShareVars bool expectedRequests int expectedTimeout int }{ - {"all set", "http://goog.url", "5", "500", "50", 5, 500, 50}, - {"no annotation", "http://goog.url", "", "", "", defaultKeepaliveConnections, defaultKeepaliveRequests, defaultKeepaliveTimeout}, - {"default for connections", "http://goog.url", "x", "500", "50", defaultKeepaliveConnections, 500, 50}, - {"default for requests", "http://goog.url", "5", "x", "50", 5, defaultKeepaliveRequests, 50}, - {"default for invalid timeout", "http://goog.url", "5", "500", "x", 5, 500, defaultKeepaliveTimeout}, - {"variable in host", "http://$host:5000/a/b", "5", "", "", 0, defaultKeepaliveRequests, defaultKeepaliveTimeout}, - {"variable in path", "http://goog.url:5000/$path", "5", "", "", 5, defaultKeepaliveRequests, defaultKeepaliveTimeout}, - {"negative connections", "http://goog.url", "-2", "", "", 0, defaultKeepaliveRequests, defaultKeepaliveTimeout}, - {"negative requests", "http://goog.url", "5", "-1", "", 0, -1, defaultKeepaliveTimeout}, - {"negative timeout", "http://goog.url", "5", "", "-1", 0, defaultKeepaliveRequests, -1}, - {"negative request and timeout", "http://goog.url", "5", "-2", "-3", 0, -2, -3}, + {"all set", "http://goog.url", "5", "false", "500", "50", 5, false, 500, 50}, + {"no annotation", "http://goog.url", "", "", "", "", defaultKeepaliveConnections, defaultKeepaliveShareVars, defaultKeepaliveRequests, defaultKeepaliveTimeout}, + {"default for connections", "http://goog.url", "x", "true", "500", "50", defaultKeepaliveConnections, true, 500, 50}, + {"default for requests", "http://goog.url", "5", "x", "dummy", "50", 5, defaultKeepaliveShareVars, defaultKeepaliveRequests, 50}, + {"default for invalid timeout", "http://goog.url", "5", "t", "500", "x", 5, true, 500, defaultKeepaliveTimeout}, + {"variable in host", "http://$host:5000/a/b", "5", "1", "", "", 0, true, defaultKeepaliveRequests, defaultKeepaliveTimeout}, + {"variable in path", "http://goog.url:5000/$path", "5", "t", "", "", 5, true, defaultKeepaliveRequests, defaultKeepaliveTimeout}, + {"negative connections", "http://goog.url", "-2", "f", "", "", 0, false, defaultKeepaliveRequests, defaultKeepaliveTimeout}, + {"negative requests", "http://goog.url", "5", "True", "-1", "", 0, true, -1, defaultKeepaliveTimeout}, + {"negative timeout", "http://goog.url", "5", "0", "", "-1", 0, false, defaultKeepaliveRequests, -1}, + {"negative request and timeout", "http://goog.url", "5", "False", "-2", "-3", 0, false, -2, -3}, } for _, test := range tests { data[parser.GetAnnotationWithPrefix("auth-url")] = test.url data[parser.GetAnnotationWithPrefix("auth-keepalive")] = test.keepaliveConnections + data[parser.GetAnnotationWithPrefix("auth-keepalive-share-vars")] = test.keepaliveShareVars data[parser.GetAnnotationWithPrefix("auth-keepalive-timeout")] = test.keepaliveTimeout data[parser.GetAnnotationWithPrefix("auth-keepalive-requests")] = test.keepaliveRequests @@ -313,6 +315,10 @@ func TestKeepaliveAnnotations(t *testing.T) { t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.expectedConnections, u.KeepaliveConnections) } + if u.KeepaliveShareVars != test.expectedShareVars { + t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.expectedShareVars, u.KeepaliveShareVars) + } + if u.KeepaliveRequests != test.expectedRequests { t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.expectedRequests, u.KeepaliveRequests) } @@ -324,7 +330,6 @@ func TestKeepaliveAnnotations(t *testing.T) { } func TestParseStringToCacheDurations(t *testing.T) { - tests := []struct { title string duration string @@ -339,7 +344,6 @@ func TestParseStringToCacheDurations(t *testing.T) { } for _, test := range tests { - dur, err := ParseStringToCacheDurations(test.duration) if test.expErr { if err == nil { diff --git a/internal/ingress/annotations/authreqglobal/main.go b/internal/ingress/annotations/authreqglobal/main.go index a1641e085..e8a259047 100644 --- a/internal/ingress/annotations/authreqglobal/main.go +++ b/internal/ingress/annotations/authreqglobal/main.go @@ -55,7 +55,6 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { // ParseAnnotations parses the annotations contained in the ingress // rule used to enable or disable global external authentication func (a authReqGlobal) Parse(ing *networking.Ingress) (interface{}, error) { - enableGlobalAuth, err := parser.GetBoolAnnotation(enableGlobalAuthAnnotation, ing, a.annotationConfig.Annotations) if err != nil { enableGlobalAuth = true diff --git a/internal/ingress/annotations/authreqglobal/main_test.go b/internal/ingress/annotations/authreqglobal/main_test.go index 0313edcf5..734f97c0f 100644 --- a/internal/ingress/annotations/authreqglobal/main_test.go +++ b/internal/ingress/annotations/authreqglobal/main_test.go @@ -77,7 +77,10 @@ func TestAnnotation(t *testing.T) { data[parser.GetAnnotationWithPrefix("enable-global-auth")] = "false" ing.SetAnnotations(data) - i, _ := NewParser(&resolver.Mock{}).Parse(ing) + i, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } u, ok := i.(bool) if !ok { t.Errorf("expected a Config type") diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go index 5d6763e8b..adedb084a 100644 --- a/internal/ingress/annotations/authtls/main.go +++ b/internal/ingress/annotations/authtls/main.go @@ -18,11 +18,10 @@ package authtls import ( "fmt" + "regexp" networking "k8s.io/api/networking/v1" - "regexp" - "k8s.io/ingress-nginx/internal/ingress/annotations/parser" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" @@ -45,20 +44,20 @@ var ( regexChars = regexp.QuoteMeta(`()|=`) authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`) commonNameRegex = regexp.MustCompile(`^CN=[/\-.\_\~a-zA-Z0-9` + regexChars + `]*$`) - redirectRegex = regexp.MustCompile(`^((https?://)?[A-Za-z0-9\-\.]*(:[0-9]+)?/[A-Za-z0-9\-\.]*)?$`) + redirectRegex = regexp.MustCompile(`^((https?://)?[A-Za-z0-9\-.]*(:\d+)?/[A-Za-z0-9\-.]*)?$`) ) var authTLSAnnotations = parser.Annotation{ Group: "authentication", Annotations: parser.AnnotationFields{ annotationAuthTLSSecret: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars Documentation: `This annotation defines the secret that contains the certificate chain of allowed certs`, }, annotationAuthTLSVerifyClient: { - Validator: parser.ValidateRegex(*authVerifyClientRegex, true), + Validator: parser.ValidateRegex(authVerifyClientRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, // Medium as it allows a subset of chars Documentation: `This annotation enables verification of client certificates. Can be "on", "off", "optional" or "optional_no_ca"`, @@ -70,7 +69,7 @@ var authTLSAnnotations = parser.Annotation{ Documentation: `This annotation defines validation depth between the provided client certificate and the Certification Authority chain.`, }, annotationAuthTLSErrorPage: { - Validator: parser.ValidateRegex(*redirectRegex, true), + Validator: parser.ValidateRegex(redirectRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskHigh, Documentation: `This annotation defines the URL/Page that user should be redirected in case of a Certificate Authentication Error`, @@ -82,7 +81,7 @@ var authTLSAnnotations = parser.Annotation{ Documentation: `This annotation defines if the received certificates should be passed or not to the upstream server in the header "ssl-client-cert"`, }, annotationAuthTLSMatchCN: { - Validator: parser.ValidateRegex(*commonNameRegex, true), + Validator: parser.ValidateRegex(commonNameRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskHigh, Documentation: `This annotation adds a sanity check for the CN of the client certificate that is sent over using a string / regex starting with "CN="`, @@ -130,9 +129,9 @@ func (assl1 *Config) Equal(assl2 *Config) bool { } // NewParser creates a new TLS authentication annotation parser -func NewParser(resolver resolver.Resolver) parser.IngressAnnotation { +func NewParser(r resolver.Resolver) parser.IngressAnnotation { return authTLS{ - r: resolver, + r: r, annotationConfig: authTLSAnnotations, } } @@ -169,7 +168,7 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) { authCert, err := a.r.GetAuthCertificate(tlsauthsecret) if err != nil { e := fmt.Errorf("error obtaining certificate: %w", err) - return &Config{}, ing_errors.LocationDenied{Reason: e} + return &Config{}, ing_errors.LocationDeniedError{Reason: e} } config.AuthSSLCert = *authCert diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go index a1f3f0f92..0dd442e4f 100644 --- a/internal/ingress/annotations/authtls/main_test.go +++ b/internal/ingress/annotations/authtls/main_test.go @@ -27,6 +27,11 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + defaultDemoSecret = "default/demo-secret" + off = "off" +) + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -77,23 +82,22 @@ type mockSecret struct { // GetAuthCertificate from mockSecret mocks the GetAuthCertificate for authTLS func (m mockSecret) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error) { - if name != "default/demo-secret" { + if name != defaultDemoSecret { return nil, errors.Errorf("there is no secret with name %v", name) } return &resolver.AuthSSLCert{ - Secret: "default/demo-secret", + Secret: defaultDemoSecret, CAFileName: "/ssl/ca.crt", CASHA: "abc", }, nil - } func TestAnnotations(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = "default/demo-secret" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSSecret)] = defaultDemoSecret ing.SetAnnotations(data) @@ -108,7 +112,7 @@ func TestAnnotations(t *testing.T) { t.Errorf("expected *Config but got %v", u) } - secret, err := fakeSecret.GetAuthCertificate("default/demo-secret") + secret, err := fakeSecret.GetAuthCertificate(defaultDemoSecret) if err != nil { t.Errorf("unexpected error getting secret %v", err) } @@ -132,7 +136,7 @@ func TestAnnotations(t *testing.T) { t.Errorf("expected empty string, but got %v", u.MatchCN) } - data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyClient)] = "off" + data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyClient)] = off data[parser.GetAnnotationWithPrefix(annotationAuthTLSVerifyDepth)] = "2" data[parser.GetAnnotationWithPrefix(annotationAuthTLSErrorPage)] = "ok.com/error" data[parser.GetAnnotationWithPrefix(annotationAuthTLSPassCertToUpstream)] = "true" @@ -153,8 +157,8 @@ func TestAnnotations(t *testing.T) { if u.AuthSSLCert.Secret != secret.Secret { t.Errorf("expected %v but got %v", secret.Secret, u.AuthSSLCert.Secret) } - if u.VerifyClient != "off" { - t.Errorf("expected %v but got %v", "off", u.VerifyClient) + if u.VerifyClient != off { + t.Errorf("expected %v but got %v", off, u.VerifyClient) } if u.ValidationDepth != 2 { t.Errorf("expected %v but got %v", 2, u.ValidationDepth) @@ -262,28 +266,21 @@ func TestInvalidAnnotations(t *testing.T) { if u.MatchCN != "" { t.Errorf("expected empty string but got %v", u.MatchCN) } - } func TestEquals(t *testing.T) { cfg1 := &Config{} cfg2 := &Config{} - // Same config - result := cfg1.Equal(cfg1) - if result != true { - t.Errorf("Expected true") - } - // compare nil - result = cfg1.Equal(nil) + result := cfg1.Equal(nil) if result != false { t.Errorf("Expected false") } // Different Certs sslCert1 := resolver.AuthSSLCert{ - Secret: "default/demo-secret", + Secret: defaultDemoSecret, CAFileName: "/ssl/ca.crt", CASHA: "abc", } @@ -302,7 +299,7 @@ func TestEquals(t *testing.T) { // Different Verify Client cfg1.VerifyClient = "on" - cfg2.VerifyClient = "off" + cfg2.VerifyClient = off result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") diff --git a/internal/ingress/annotations/backendprotocol/main.go b/internal/ingress/annotations/backendprotocol/main.go index 2704ce9f6..62674c4e5 100644 --- a/internal/ingress/annotations/backendprotocol/main.go +++ b/internal/ingress/annotations/backendprotocol/main.go @@ -25,9 +25,7 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -var ( - validProtocols = []string{"auto_http", "http", "https", "grpc", "grpcs", "fcgi"} -) +var validProtocols = []string{"auto_http", "http", "https", "grpc", "grpcs", "fcgi"} const ( http = "HTTP" diff --git a/internal/ingress/annotations/backendprotocol/main_test.go b/internal/ingress/annotations/backendprotocol/main_test.go index 490be447b..cb1ec779f 100644 --- a/internal/ingress/annotations/backendprotocol/main_test.go +++ b/internal/ingress/annotations/backendprotocol/main_test.go @@ -44,6 +44,7 @@ func buildIngress() *networking.Ingress { }, } } + func TestParseInvalidAnnotations(t *testing.T) { ing := buildIngress() @@ -56,7 +57,7 @@ func TestParseInvalidAnnotations(t *testing.T) { if !ok { t.Errorf("expected a string type") } - if val != "HTTP" { + if val != http { t.Errorf("expected HTTPS but %v returned", val) } @@ -72,7 +73,7 @@ func TestParseInvalidAnnotations(t *testing.T) { if !ok { t.Errorf("expected a string type") } - if val != "HTTP" { + if val != http { t.Errorf("expected HTTPS but %v returned", val) } @@ -88,7 +89,7 @@ func TestParseInvalidAnnotations(t *testing.T) { if !ok { t.Errorf("expected a string type") } - if val != "HTTP" { + if val != http { t.Errorf("expected HTTPS but %v returned", val) } } diff --git a/internal/ingress/annotations/canary/main.go b/internal/ingress/annotations/canary/main.go index 119f09181..be5761675 100644 --- a/internal/ingress/annotations/canary/main.go +++ b/internal/ingress/annotations/canary/main.go @@ -57,7 +57,7 @@ var CanaryAnnotations = parser.Annotation{ Documentation: `This annotation The total weight of traffic. If unspecified, it defaults to 100`, }, canaryByHeaderAnnotation: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation defines the header that should be used for notifying the Ingress to route the request to the service specified in the Canary Ingress. @@ -65,7 +65,7 @@ var CanaryAnnotations = parser.Annotation{ For any other value, the header will be ignored and the request compared against the other canary rules by precedence`, }, canaryByHeaderValueAnnotation: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation defines the header value to match for notifying the Ingress to route the request to the service specified in the Canary Ingress. @@ -74,7 +74,7 @@ var CanaryAnnotations = parser.Annotation{ It doesn't have any effect if the 'canary-by-header' annotation is not defined`, }, canaryByHeaderPatternAnnotation: { - Validator: parser.ValidateRegex(*parser.IsValidRegex, false), + Validator: parser.ValidateRegex(parser.IsValidRegex, false), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation works the same way as canary-by-header-value except it does PCRE Regex matching. @@ -82,7 +82,7 @@ var CanaryAnnotations = parser.Annotation{ When the given Regex causes error during request processing, the request will be considered as not matching.`, }, canaryByCookieAnnotation: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation defines the cookie that should be used for notifying the Ingress to route the request to the service specified in the Canary Ingress. @@ -189,7 +189,7 @@ func (c canary) GetDocumentation() parser.AnnotationFields { return c.annotationConfig.Annotations } -func (a canary) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (c canary) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(c.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, CanaryAnnotations.Annotations) } diff --git a/internal/ingress/annotations/canary/main_test.go b/internal/ingress/annotations/canary/main_test.go index ddfc0a9c4..1787ddb85 100644 --- a/internal/ingress/annotations/canary/main_test.go +++ b/internal/ingress/annotations/canary/main_test.go @@ -17,6 +17,7 @@ limitations under the License. package canary import ( + "strconv" "testing" api "k8s.io/api/core/v1" @@ -24,8 +25,6 @@ import ( metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "strconv" - "k8s.io/ingress-nginx/internal/ingress/resolver" ) @@ -93,7 +92,6 @@ func TestCanaryInvalid(t *testing.T) { if val.Weight != 0 { t.Errorf("Expected %v but got %v", 0, val.Weight) } - } func TestAnnotations(t *testing.T) { @@ -133,10 +131,9 @@ func TestAnnotations(t *testing.T) { } continue - } else { - if err != nil { - t.Errorf("%v: expected nil but returned error %v", test.title, err) - } + } + if err != nil { + t.Errorf("%v: expected nil but returned error %v", test.title, err) } canaryConfig, ok := i.(*Config) diff --git a/internal/ingress/annotations/clientbodybuffersize/main.go b/internal/ingress/annotations/clientbodybuffersize/main.go index aa1485df2..c0fa79713 100644 --- a/internal/ingress/annotations/clientbodybuffersize/main.go +++ b/internal/ingress/annotations/clientbodybuffersize/main.go @@ -31,7 +31,7 @@ var clientBodyBufferSizeConfig = parser.Annotation{ Group: "backend", Annotations: parser.AnnotationFields{ clientBodyBufferSizeAnnotation: { - Validator: parser.ValidateRegex(*parser.SizeRegex, true), + Validator: parser.ValidateRegex(parser.SizeRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, // Low, as it allows just a set of options Documentation: `Sets buffer size for reading client request body per location. @@ -65,7 +65,7 @@ func (cbbs clientBodyBufferSize) Parse(ing *networking.Ingress) (interface{}, er return parser.GetStringAnnotation(clientBodyBufferSizeAnnotation, ing, cbbs.annotationConfig.Annotations) } -func (a clientBodyBufferSize) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (cbbs clientBodyBufferSize) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(cbbs.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, clientBodyBufferSizeConfig.Annotations) } diff --git a/internal/ingress/annotations/clientbodybuffersize/main_test.go b/internal/ingress/annotations/clientbodybuffersize/main_test.go index 0f2c8474a..62257aeb9 100644 --- a/internal/ingress/annotations/clientbodybuffersize/main_test.go +++ b/internal/ingress/annotations/clientbodybuffersize/main_test.go @@ -57,6 +57,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/connection/main.go b/internal/ingress/annotations/connection/main.go index 9e96b6ab1..b0242ac23 100644 --- a/internal/ingress/annotations/connection/main.go +++ b/internal/ingress/annotations/connection/main.go @@ -29,15 +29,13 @@ const ( connectionProxyHeaderAnnotation = "connection-proxy-header" ) -var ( - validConnectionHeaderValue = regexp.MustCompile(`^(close|keep-alive)$`) -) +var validConnectionHeaderValue = regexp.MustCompile(`^(close|keep-alive)$`) var connectionHeadersAnnotations = parser.Annotation{ Group: "backend", Annotations: parser.AnnotationFields{ connectionProxyHeaderAnnotation: { - Validator: parser.ValidateRegex(*validConnectionHeaderValue, true), + Validator: parser.ValidateRegex(validConnectionHeaderValue, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, Documentation: `This annotation allows setting a specific value for "proxy_set_header Connection" directive. Right now it is restricted to "close" or "keep-alive"`, diff --git a/internal/ingress/annotations/connection/main_test.go b/internal/ingress/annotations/connection/main_test.go index a95288385..1b9361f31 100644 --- a/internal/ingress/annotations/connection/main_test.go +++ b/internal/ingress/annotations/connection/main_test.go @@ -66,6 +66,5 @@ func TestParse(t *testing.T) { if !p.Equal(testCase.expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, p, testCase.annotations) } - } } diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go index cc30b8405..39e02f21b 100644 --- a/internal/ingress/annotations/cors/main.go +++ b/internal/ingress/annotations/cors/main.go @@ -43,9 +43,9 @@ var ( // * Sets a group that can be (https?://)?*?.something.com:port? // * Allows this to be repeated as much as possible, and separated by comma // Otherwise it should be '*' - corsOriginRegexValidator = regexp.MustCompile(`^((((https?://)?(\*\.)?[A-Za-z0-9\-\.]*(:[0-9]+)?,?)+)|\*)?$`) + corsOriginRegexValidator = regexp.MustCompile(`^((((https?://)?(\*\.)?[A-Za-z0-9\-.]*(:\d+)?,?)+)|\*)?$`) // corsOriginRegex defines the regex for validation inside Parse - corsOriginRegex = regexp.MustCompile(`^(https?://(\*\.)?[A-Za-z0-9\-\.]*(:[0-9]+)?|\*)?$`) + corsOriginRegex = regexp.MustCompile(`^(https?://(\*\.)?[A-Za-z0-9\-.]*(:\d+)?|\*)?$`) // Method must contain valid methods list (PUT, GET, POST, BLA) // May contain or not spaces between each verb corsMethodsRegex = regexp.MustCompile(`^([A-Za-z]+,?\s?)+$`) @@ -74,7 +74,7 @@ var corsAnnotation = parser.Annotation{ Documentation: `This annotation enables Cross-Origin Resource Sharing (CORS) in an Ingress rule`, }, corsAllowOriginAnnotation: { - Validator: parser.ValidateRegex(*corsOriginRegexValidator, true), + Validator: parser.ValidateRegex(corsOriginRegexValidator, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation controls what's the accepted Origin for CORS. @@ -82,14 +82,14 @@ var corsAnnotation = parser.Annotation{ It also supports single level wildcard subdomains and follows this format: http(s)://*.foo.bar, http(s)://*.bar.foo:8080 or http(s)://*.abc.bar.foo:9000`, }, corsAllowHeadersAnnotation: { - Validator: parser.ValidateRegex(*parser.HeadersVariable, true), + Validator: parser.ValidateRegex(parser.HeadersVariable, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation controls which headers are accepted. This is a multi-valued field, separated by ',' and accepts letters, numbers, _ and -`, }, corsAllowMethodsAnnotation: { - Validator: parser.ValidateRegex(*corsMethodsRegex, true), + Validator: parser.ValidateRegex(corsMethodsRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation controls which methods are accepted. @@ -102,7 +102,7 @@ var corsAnnotation = parser.Annotation{ Documentation: `This annotation controls if credentials can be passed during CORS operations.`, }, corsExposeHeadersAnnotation: { - Validator: parser.ValidateRegex(*corsExposeHeadersRegex, true), + Validator: parser.ValidateRegex(corsExposeHeadersRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation controls which headers are exposed to response. @@ -260,7 +260,7 @@ func (c cors) GetDocumentation() parser.AnnotationFields { return c.annotationConfig.Annotations } -func (a cors) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (c cors) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(c.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, corsAnnotation.Annotations) } diff --git a/internal/ingress/annotations/customhttperrors/main.go b/internal/ingress/annotations/customhttperrors/main.go index c3c9b5be3..f3c72a22f 100644 --- a/internal/ingress/annotations/customhttperrors/main.go +++ b/internal/ingress/annotations/customhttperrors/main.go @@ -31,16 +31,14 @@ const ( customHTTPErrorsAnnotation = "custom-http-errors" ) -var ( - // We accept anything between 400 and 599, on a comma separated. - arrayOfHTTPErrors = regexp.MustCompile(`^(?:[4,5][0-9][0-9],?)*$`) -) +// We accept anything between 400 and 599, on a comma separated. +var arrayOfHTTPErrors = regexp.MustCompile(`^(?:[4,5]\d{2},?)*$`) var customHTTPErrorsAnnotations = parser.Annotation{ Group: "backend", Annotations: parser.AnnotationFields{ customHTTPErrorsAnnotation: { - Validator: parser.ValidateRegex(*arrayOfHTTPErrors, true), + Validator: parser.ValidateRegex(arrayOfHTTPErrors, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, Documentation: `If a default backend annotation is specified on the ingress, the errors code specified on this annotation @@ -72,7 +70,7 @@ func (e customhttperrors) Parse(ing *networking.Ingress) (interface{}, error) { } cSplit := strings.Split(c, ",") - var codes []int + codes := make([]int, 0, len(cSplit)) for _, i := range cSplit { num, err := strconv.Atoi(i) if err != nil { @@ -88,7 +86,7 @@ func (e customhttperrors) GetDocumentation() parser.AnnotationFields { return e.annotationConfig.Annotations } -func (a customhttperrors) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (e customhttperrors) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(e.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, customHTTPErrorsAnnotations.Annotations) } diff --git a/internal/ingress/annotations/defaultbackend/main.go b/internal/ingress/annotations/defaultbackend/main.go index f3ca004dd..9ae44f052 100644 --- a/internal/ingress/annotations/defaultbackend/main.go +++ b/internal/ingress/annotations/defaultbackend/main.go @@ -57,14 +57,14 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { // Parse parses the annotations contained in the ingress to use // a custom default backend -func (db backend) Parse(ing *networking.Ingress) (interface{}, error) { - s, err := parser.GetStringAnnotation(defaultBackendAnnotation, ing, db.annotationConfig.Annotations) +func (b backend) Parse(ing *networking.Ingress) (interface{}, error) { + s, err := parser.GetStringAnnotation(defaultBackendAnnotation, ing, b.annotationConfig.Annotations) if err != nil { return nil, err } name := fmt.Sprintf("%v/%v", ing.Namespace, s) - svc, err := db.r.GetService(name) + svc, err := b.r.GetService(name) if err != nil { return nil, fmt.Errorf("unexpected error reading service %s: %w", name, err) } @@ -72,11 +72,11 @@ func (db backend) Parse(ing *networking.Ingress) (interface{}, error) { return svc, nil } -func (db backend) GetDocumentation() parser.AnnotationFields { - return db.annotationConfig.Annotations +func (b backend) GetDocumentation() parser.AnnotationFields { + return b.annotationConfig.Annotations } -func (a backend) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (b backend) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(b.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, defaultBackendAnnotations.Annotations) } diff --git a/internal/ingress/annotations/fastcgi/main.go b/internal/ingress/annotations/fastcgi/main.go index 96dbc7159..52384a969 100644 --- a/internal/ingress/annotations/fastcgi/main.go +++ b/internal/ingress/annotations/fastcgi/main.go @@ -32,25 +32,23 @@ import ( const ( fastCGIIndexAnnotation = "fastcgi-index" - fastCGIParamsAnnotation = "fastcgi-params-configmap" + fastCGIParamsAnnotation = "fastcgi-params-configmap" //#nosec G101 ) -var ( - // fast-cgi valid parameters is just a single file name (like index.php) - regexValidIndexAnnotationAndKey = regexp.MustCompile(`^[A-Za-z0-9\.\-\_]+$`) -) +// fast-cgi valid parameters is just a single file name (like index.php) +var regexValidIndexAnnotationAndKey = regexp.MustCompile(`^[A-Za-z0-9.\-\_]+$`) var fastCGIAnnotations = parser.Annotation{ Group: "fastcgi", Annotations: parser.AnnotationFields{ fastCGIIndexAnnotation: { - Validator: parser.ValidateRegex(*regexValidIndexAnnotationAndKey, true), + Validator: parser.ValidateRegex(regexValidIndexAnnotationAndKey, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation can be used to specify an index file`, }, fastCGIParamsAnnotation: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation can be used to specify a ConfigMap containing the fastcgi parameters as a key/value. @@ -98,7 +96,6 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { // ParseAnnotations parses the annotations contained in the ingress // rule used to indicate the fastcgiConfig. func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { - fcgiConfig := Config{} if ing.GetAnnotations() == nil { @@ -125,7 +122,7 @@ func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { cmns, cmn, err := cache.SplitMetaNamespaceKey(cm) if err != nil { - return fcgiConfig, ing_errors.LocationDenied{ + return fcgiConfig, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("error reading configmap name from annotation: %w", err), } } @@ -139,7 +136,7 @@ func (a fastcgi) Parse(ing *networking.Ingress) (interface{}, error) { cm = fmt.Sprintf("%v/%v", ing.Namespace, cmn) cmap, err := a.r.GetConfigMap(cm) if err != nil { - return fcgiConfig, ing_errors.LocationDenied{ + return fcgiConfig, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("unexpected error reading configmap %s: %w", cm, err), } } diff --git a/internal/ingress/annotations/fastcgi/main_test.go b/internal/ingress/annotations/fastcgi/main_test.go index 3296ded65..bc5e2755f 100644 --- a/internal/ingress/annotations/fastcgi/main_test.go +++ b/internal/ingress/annotations/fastcgi/main_test.go @@ -155,7 +155,6 @@ func TestParseFastCGIInvalidParamsConfigMapAnnotation(t *testing.T) { invalidConfigMapList := []string{"unknown/configMap", "unknown/config/map"} for _, configmap := range invalidConfigMapList { - data := map[string]string{} data[parser.GetAnnotationWithPrefix("fastcgi-params-configmap")] = configmap ing.SetAnnotations(data) @@ -239,11 +238,9 @@ func TestParseFastCGIParamsConfigMapAnnotationWithDifferentNS(t *testing.T) { if err == nil { t.Errorf("Different namespace configmap should return an error") } - } func TestConfigEquality(t *testing.T) { - var nilConfig *Config config := Config{ @@ -297,7 +294,6 @@ func TestConfigEquality(t *testing.T) { } func Test_fastcgi_Parse(t *testing.T) { - tests := []struct { name string index string @@ -378,7 +374,6 @@ func Test_fastcgi_Parse(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - ing := buildIngress() data := map[string]string{} diff --git a/internal/ingress/annotations/globalratelimit/main.go b/internal/ingress/annotations/globalratelimit/main.go index 41f58fd57..0aec29f66 100644 --- a/internal/ingress/annotations/globalratelimit/main.go +++ b/internal/ingress/annotations/globalratelimit/main.go @@ -25,7 +25,6 @@ import ( "k8s.io/klog/v2" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/errors" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/net" @@ -57,7 +56,7 @@ var globalRateLimitAnnotationConfig = parser.Annotation{ Documentation: `Configures a time window (i.e 1m) that the limit is applied`, }, globalRateLimitKeyAnnotation: { - Validator: parser.ValidateRegex(*parser.NGINXVariable, true), + Validator: parser.ValidateRegex(parser.NGINXVariable, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskHigh, Documentation: `This annotation Configures a key for counting the samples. Defaults to $remote_addr. @@ -123,23 +122,23 @@ func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { config := &Config{} limit, err := parser.GetIntAnnotation(globalRateLimitAnnotation, ing, a.annotationConfig.Annotations) - if err != nil && errors.IsInvalidContent(err) { + if err != nil && ing_errors.IsInvalidContent(err) { return nil, err } rawWindowSize, err := parser.GetStringAnnotation(globalRateLimitWindowAnnotation, ing, a.annotationConfig.Annotations) - if err != nil && errors.IsValidationError(err) { - return config, ing_errors.LocationDenied{ + if err != nil && ing_errors.IsValidationError(err) { + return config, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err), } } - if limit == 0 || len(rawWindowSize) == 0 { + if limit == 0 || rawWindowSize == "" { return config, nil } windowSize, err := time.ParseDuration(rawWindowSize) if err != nil { - return config, ing_errors.LocationDenied{ + return config, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("failed to parse 'global-rate-limit-window' value: %w", err), } } @@ -148,12 +147,12 @@ func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { if err != nil { klog.Warningf("invalid %s, defaulting to %s", globalRateLimitKeyAnnotation, defaultKey) } - if len(key) == 0 { + if key == "" { key = defaultKey } rawIgnoredCIDRs, err := parser.GetStringAnnotation(globalRateLimitIgnoredCidrsAnnotation, ing, a.annotationConfig.Annotations) - if err != nil && errors.IsInvalidContent(err) { + if err != nil && ing_errors.IsInvalidContent(err) { return nil, err } ignoredCIDRs, err := net.ParseCIDRs(rawIgnoredCIDRs) @@ -161,7 +160,7 @@ func (a globalratelimit) Parse(ing *networking.Ingress) (interface{}, error) { return nil, err } - config.Namespace = strings.Replace(string(ing.UID), "-", "", -1) + config.Namespace = strings.ReplaceAll(string(ing.UID), "-", "") config.Limit = limit config.WindowSize = int(windowSize.Seconds()) config.Key = key diff --git a/internal/ingress/annotations/globalratelimit/main_test.go b/internal/ingress/annotations/globalratelimit/main_test.go index 5d7922666..b1a7ab71b 100644 --- a/internal/ingress/annotations/globalratelimit/main_test.go +++ b/internal/ingress/annotations/globalratelimit/main_test.go @@ -30,8 +30,10 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) -const UID = "31285d47-b150-4dcf-bd6f-12c46d769f6e" -const expectedUID = "31285d47b1504dcfbd6f12c46d769f6e" +const ( + UID = "31285d47-b150-4dcf-bd6f-12c46d769f6e" + expectedUID = "31285d47b1504dcfbd6f12c46d769f6e" +) func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ @@ -190,10 +192,19 @@ func TestGlobalRateLimiting(t *testing.T) { t.Errorf("expected error '%v' but got '%v'", testCase.expectedErr, actualErr) } - actualConfig := i.(*Config) + actualConfig, ok := i.(*Config) + if !ok { + t.Errorf("expected Config type but got %T", i) + } if !testCase.expectedConfig.Equal(actualConfig) { - expectedJSON, _ := json.Marshal(testCase.expectedConfig) - actualJSON, _ := json.Marshal(actualConfig) + expectedJSON, err := json.Marshal(testCase.expectedConfig) + if err != nil { + t.Errorf("failed to marshal expected config: %v", err) + } + actualJSON, err := json.Marshal(actualConfig) + if err != nil { + t.Errorf("failed to marshal actual config: %v", err) + } t.Errorf("%v: expected config '%s' but got '%s'", testCase.title, expectedJSON, actualJSON) } } diff --git a/internal/ingress/annotations/http2pushpreload/main.go b/internal/ingress/annotations/http2pushpreload/main.go index af9f90aa9..123940d9d 100644 --- a/internal/ingress/annotations/http2pushpreload/main.go +++ b/internal/ingress/annotations/http2pushpreload/main.go @@ -62,7 +62,7 @@ func (h2pp http2PushPreload) GetDocumentation() parser.AnnotationFields { return h2pp.annotationConfig.Annotations } -func (a http2PushPreload) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (h2pp http2PushPreload) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(h2pp.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, http2PushPreloadAnnotations.Annotations) } diff --git a/internal/ingress/annotations/ipallowlist/main.go b/internal/ingress/annotations/ipallowlist/main.go index d9d454c97..23a3bd9e7 100644 --- a/internal/ingress/annotations/ipallowlist/main.go +++ b/internal/ingress/annotations/ipallowlist/main.go @@ -96,16 +96,15 @@ func (a ipallowlist) Parse(ing *networking.Ingress) (interface{}, error) { return &SourceRange{CIDR: defaultAllowlistSourceRange}, nil } - return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDenied{ + return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDeniedError{ Reason: err, } - } values := strings.Split(val, ",") ipnets, ips, err := net.ParseIPNets(values...) if err != nil && len(ips) == 0 { - return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDenied{ + return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("the annotation does not contain a valid IP address or network: %w", err), } } diff --git a/internal/ingress/annotations/ipdenylist/main.go b/internal/ingress/annotations/ipdenylist/main.go index f17ce079a..e8f02fe50 100644 --- a/internal/ingress/annotations/ipdenylist/main.go +++ b/internal/ingress/annotations/ipdenylist/main.go @@ -93,16 +93,15 @@ func (a ipdenylist) Parse(ing *networking.Ingress) (interface{}, error) { return &SourceRange{CIDR: defaultDenylistSourceRange}, nil } - return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDenied{ + return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDeniedError{ Reason: err, } - } values := strings.Split(val, ",") ipnets, ips, err := net.ParseIPNets(values...) if err != nil && len(ips) == 0 { - return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDenied{ + return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDeniedError{ Reason: fmt.Errorf("the annotation does not contain a valid IP address or network: %w", err), } } diff --git a/internal/ingress/annotations/loadbalancing/main_test.go b/internal/ingress/annotations/loadbalancing/main_test.go index b0442c37f..a5205e523 100644 --- a/internal/ingress/annotations/loadbalancing/main_test.go +++ b/internal/ingress/annotations/loadbalancing/main_test.go @@ -54,6 +54,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/log/main.go b/internal/ingress/annotations/log/main.go index ec08292a9..82d50bac3 100644 --- a/internal/ingress/annotations/log/main.go +++ b/internal/ingress/annotations/log/main.go @@ -101,7 +101,7 @@ func (l log) GetDocumentation() parser.AnnotationFields { return l.annotationConfig.Annotations } -func (a log) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (l log) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(l.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, logAnnotations.Annotations) } diff --git a/internal/ingress/annotations/log/main_test.go b/internal/ingress/annotations/log/main_test.go index df97c2e5b..950612b5b 100644 --- a/internal/ingress/annotations/log/main_test.go +++ b/internal/ingress/annotations/log/main_test.go @@ -76,7 +76,10 @@ func TestIngressAccessLogConfig(t *testing.T) { data[parser.GetAnnotationWithPrefix(enableAccessLogAnnotation)] = "false" ing.SetAnnotations(data) - log, _ := NewParser(&resolver.Mock{}).Parse(ing) + log, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } nginxLogs, ok := log.(*Config) if !ok { t.Errorf("expected a Config type") @@ -94,7 +97,10 @@ func TestIngressRewriteLogConfig(t *testing.T) { data[parser.GetAnnotationWithPrefix(enableRewriteLogAnnotation)] = "true" ing.SetAnnotations(data) - log, _ := NewParser(&resolver.Mock{}).Parse(ing) + log, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing annotations %v", err) + } nginxLogs, ok := log.(*Config) if !ok { t.Errorf("expected a Config type") @@ -112,7 +118,10 @@ func TestInvalidBoolConfig(t *testing.T) { data[parser.GetAnnotationWithPrefix(enableRewriteLogAnnotation)] = "blo" ing.SetAnnotations(data) - log, _ := NewParser(&resolver.Mock{}).Parse(ing) + log, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } nginxLogs, ok := log.(*Config) if !ok { t.Errorf("expected a Config type") diff --git a/internal/ingress/annotations/mirror/main.go b/internal/ingress/annotations/mirror/main.go index 2d417dece..d51bdd27c 100644 --- a/internal/ingress/annotations/mirror/main.go +++ b/internal/ingress/annotations/mirror/main.go @@ -34,15 +34,13 @@ const ( mirrorHostAnnotation = "mirror-host" ) -var ( - OnOffRegex = regexp.MustCompile(`^(on|off)$`) -) +var OnOffRegex = regexp.MustCompile(`^(on|off)$`) var mirrorAnnotation = parser.Annotation{ Group: "mirror", Annotations: parser.AnnotationFields{ mirrorRequestBodyAnnotation: { - Validator: parser.ValidateRegex(*OnOffRegex, true), + Validator: parser.ValidateRegex(OnOffRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskLow, Documentation: `This annotation defines if the request-body should be sent to the mirror backend. Can be 'on' or 'off'`, diff --git a/internal/ingress/annotations/modsecurity/main.go b/internal/ingress/annotations/modsecurity/main.go index 5a9aaa729..80ae78937 100644 --- a/internal/ingress/annotations/modsecurity/main.go +++ b/internal/ingress/annotations/modsecurity/main.go @@ -27,7 +27,7 @@ import ( const ( modsecEnableAnnotation = "enable-modsecurity" modsecEnableOwaspCoreAnnotation = "enable-owasp-core-rules" - modesecTransactionIdAnnotation = "modsecurity-transaction-id" + modesecTransactionIDAnnotation = "modsecurity-transaction-id" modsecSnippetAnnotation = "modsecurity-snippet" ) @@ -46,8 +46,8 @@ var modsecurityAnnotation = parser.Annotation{ Risk: parser.AnnotationRiskLow, Documentation: `This annotation enables the OWASP Core Rule Set`, }, - modesecTransactionIdAnnotation: { - Validator: parser.ValidateRegex(*parser.NGINXVariable, true), + modesecTransactionIDAnnotation: { + Validator: parser.ValidateRegex(parser.NGINXVariable, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskHigh, Documentation: `This annotation enables passing an NGINX variable to ModSecurity.`, @@ -98,9 +98,9 @@ func (modsec1 *Config) Equal(modsec2 *Config) bool { } // NewParser creates a new ModSecurity annotation parser -func NewParser(resolver resolver.Resolver) parser.IngressAnnotation { +func NewParser(r resolver.Resolver) parser.IngressAnnotation { return modSecurity{ - r: resolver, + r: r, annotationConfig: modsecurityAnnotation, } } @@ -134,10 +134,10 @@ func (a modSecurity) Parse(ing *networking.Ingress) (interface{}, error) { config.OWASPRules = false } - config.TransactionID, err = parser.GetStringAnnotation(modesecTransactionIdAnnotation, ing, a.annotationConfig.Annotations) + config.TransactionID, err = parser.GetStringAnnotation(modesecTransactionIDAnnotation, ing, a.annotationConfig.Annotations) if err != nil { if errors.IsInvalidContent(err) { - klog.Warningf("annotation %s contains invalid directive, defaulting", modesecTransactionIdAnnotation) + klog.Warningf("annotation %s contains invalid directive, defaulting", modesecTransactionIDAnnotation) } config.TransactionID = "" } diff --git a/internal/ingress/annotations/modsecurity/main_test.go b/internal/ingress/annotations/modsecurity/main_test.go index 2ddbdf7e3..5cb05f201 100644 --- a/internal/ingress/annotations/modsecurity/main_test.go +++ b/internal/ingress/annotations/modsecurity/main_test.go @@ -67,11 +67,17 @@ func TestParse(t *testing.T) { Spec: networking.IngressSpec{}, } - for _, testCase := range testCases { + for i, testCase := range testCases { ing.SetAnnotations(testCase.annotations) - result, _ := ap.Parse(ing) - config := result.(*Config) - if !config.Equal(&testCase.expected) { + result, err := ap.Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + config, ok := result.(*Config) + if !ok { + t.Errorf("unexpected type: %T", result) + } + if !config.Equal(&testCases[i].expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) } } diff --git a/internal/ingress/annotations/opentelemetry/main.go b/internal/ingress/annotations/opentelemetry/main.go index a029087da..ca9108548 100644 --- a/internal/ingress/annotations/opentelemetry/main.go +++ b/internal/ingress/annotations/opentelemetry/main.go @@ -51,7 +51,7 @@ var otelAnnotations = parser.Annotation{ Documentation: `This annotation enables or disables using spans from incoming requests as parent for created ones`, }, otelOperationNameAnnotation: { - Validator: parser.ValidateRegex(*regexOperationName, true), + Validator: parser.ValidateRegex(regexOperationName, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation defines what operation name should be added to the span`, @@ -75,7 +75,6 @@ type Config struct { // Equal tests for equality between two Config types func (bd1 *Config) Equal(bd2 *Config) bool { - if bd1.Set != bd2.Set { return false } @@ -150,7 +149,7 @@ func (c opentelemetry) GetDocumentation() parser.AnnotationFields { return c.annotationConfig.Annotations } -func (a opentelemetry) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (c opentelemetry) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(c.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, otelAnnotations.Annotations) } diff --git a/internal/ingress/annotations/opentelemetry/main_test.go b/internal/ingress/annotations/opentelemetry/main_test.go index c78ebc8b3..e5c1de0b3 100644 --- a/internal/ingress/annotations/opentelemetry/main_test.go +++ b/internal/ingress/annotations/opentelemetry/main_test.go @@ -26,6 +26,8 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const enableAnnotation = "true" + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -73,10 +75,13 @@ func TestIngressAnnotationOpentelemetrySetTrue(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = enableAnnotation ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } openTelemetry, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") @@ -103,7 +108,10 @@ func TestIngressAnnotationOpentelemetrySetFalse(t *testing.T) { data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = "false" ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } openTelemetry, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") @@ -123,8 +131,8 @@ func TestIngressAnnotationOpentelemetryTrustSetTrue(t *testing.T) { data := map[string]string{} opName := "foo-op" - data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = "true" - data[parser.GetAnnotationWithPrefix(otelTrustSpanAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = enableAnnotation + data[parser.GetAnnotationWithPrefix(otelTrustSpanAnnotation)] = enableAnnotation data[parser.GetAnnotationWithPrefix(otelOperationNameAnnotation)] = opName ing.SetAnnotations(data) @@ -163,7 +171,7 @@ func TestIngressAnnotationOpentelemetryWithBadOpName(t *testing.T) { data := map[string]string{} opName := "fooxpto_123$la;" - data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(enableOpenTelemetryAnnotation)] = enableAnnotation data[parser.GetAnnotationWithPrefix(otelOperationNameAnnotation)] = opName ing.SetAnnotations(data) @@ -180,7 +188,10 @@ func TestIngressAnnotationOpentelemetryUnset(t *testing.T) { data := map[string]string{} ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } _, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") diff --git a/internal/ingress/annotations/opentracing/main.go b/internal/ingress/annotations/opentracing/main.go index 7c8671f9d..9d7995a8a 100644 --- a/internal/ingress/annotations/opentracing/main.go +++ b/internal/ingress/annotations/opentracing/main.go @@ -89,13 +89,13 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { } } -func (s opentracing) Parse(ing *networking.Ingress) (interface{}, error) { - enabled, err := parser.GetBoolAnnotation(enableOpentracingAnnotation, ing, s.annotationConfig.Annotations) +func (o opentracing) Parse(ing *networking.Ingress) (interface{}, error) { + enabled, err := parser.GetBoolAnnotation(enableOpentracingAnnotation, ing, o.annotationConfig.Annotations) if err != nil { return &Config{}, nil } - trustSpan, err := parser.GetBoolAnnotation(opentracingTrustSpanAnnotation, ing, s.annotationConfig.Annotations) + trustSpan, err := parser.GetBoolAnnotation(opentracingTrustSpanAnnotation, ing, o.annotationConfig.Annotations) if err != nil { return &Config{Set: true, Enabled: enabled}, nil } @@ -103,11 +103,11 @@ func (s opentracing) Parse(ing *networking.Ingress) (interface{}, error) { return &Config{Set: true, Enabled: enabled, TrustSet: true, TrustEnabled: trustSpan}, nil } -func (s opentracing) GetDocumentation() parser.AnnotationFields { - return s.annotationConfig.Annotations +func (o opentracing) GetDocumentation() parser.AnnotationFields { + return o.annotationConfig.Annotations } -func (a opentracing) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (o opentracing) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(o.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, opentracingAnnotations.Annotations) } diff --git a/internal/ingress/annotations/opentracing/main_test.go b/internal/ingress/annotations/opentracing/main_test.go index b7b62ac9d..f59e60438 100644 --- a/internal/ingress/annotations/opentracing/main_test.go +++ b/internal/ingress/annotations/opentracing/main_test.go @@ -26,6 +26,8 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const enableAnnotation = "true" + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -73,10 +75,13 @@ func TestIngressAnnotationOpentracingSetTrue(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = enableAnnotation ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error %v", err) + } openTracing, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") @@ -95,7 +100,10 @@ func TestIngressAnnotationOpentracingSetFalse(t *testing.T) { data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "false" ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error %v", err) + } openTracing, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") @@ -110,11 +118,14 @@ func TestIngressAnnotationOpentracingTrustSetTrue(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = "true" - data[parser.GetAnnotationWithPrefix(opentracingTrustSpanAnnotation)] = "true" + data[parser.GetAnnotationWithPrefix(enableOpentracingAnnotation)] = enableAnnotation + data[parser.GetAnnotationWithPrefix(opentracingTrustSpanAnnotation)] = enableAnnotation ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error %v", err) + } openTracing, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") @@ -136,7 +147,11 @@ func TestIngressAnnotationOpentracingUnset(t *testing.T) { data := map[string]string{} ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } + _, ok := val.(*Config) if !ok { t.Errorf("expected a Config type") diff --git a/internal/ingress/annotations/parser/main.go b/internal/ingress/annotations/parser/main.go index 951970e27..554ad9dde 100644 --- a/internal/ingress/annotations/parser/main.go +++ b/internal/ingress/annotations/parser/main.go @@ -118,7 +118,7 @@ func (a ingAnnotations) parseString(name string) (string, error) { val, ok := a[name] if ok { s := normalizeString(val) - if len(s) == 0 { + if s == "" { return "", errors.NewInvalidAnnotationContent(name, val) } @@ -248,13 +248,14 @@ func StringToURL(input string) (*url.URL, error) { return nil, fmt.Errorf("%v is not a valid URL: %v", input, err) } - if parsedURL.Scheme == "" { + switch { + case parsedURL.Scheme == "": return nil, fmt.Errorf("url scheme is empty") - } else if parsedURL.Host == "" { + case parsedURL.Host == "": return nil, fmt.Errorf("url host is empty") - } else if strings.Contains(parsedURL.Host, "..") { + case strings.Contains(parsedURL.Host, ".."): return nil, fmt.Errorf("invalid url host") + default: + return parsedURL, nil } - - return parsedURL, nil } diff --git a/internal/ingress/annotations/parser/main_test.go b/internal/ingress/annotations/parser/main_test.go index beca49370..0f7ecb459 100644 --- a/internal/ingress/annotations/parser/main_test.go +++ b/internal/ingress/annotations/parser/main_test.go @@ -93,14 +93,16 @@ func TestGetStringAnnotation(t *testing.T) { {"valid - A", "string", "A ", "A", false}, {"valid - B", "string", " B", "B", false}, {"empty", "string", " ", "", true}, - {"valid multiline", "string", ` + { + "valid multiline", "string", ` rewrite (?i)/arcgis/rest/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/rest/services/Utilities/Geometry/GeometryServer$1 break; rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/services/Utilities/Geometry/GeometryServer$1 break; `, ` rewrite (?i)/arcgis/rest/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/rest/services/Utilities/Geometry/GeometryServer$1 break; rewrite (?i)/arcgis/services/Utilities/Geometry/GeometryServer(.*)$ /arcgis/services/Utilities/Geometry/GeometryServer$1 break; `, - false}, + false, + }, } data := map[string]string{} @@ -213,8 +215,10 @@ func TestGetIntAnnotation(t *testing.T) { func TestStringToURL(t *testing.T) { validURL := "http://bar.foo.com/external-auth" - validParsedURL, _ := url.Parse(validURL) - + validParsedURL, err := url.Parse(validURL) + if err != nil { + t.Errorf("unexpected error: %v", err) + } tests := []struct { title string url string diff --git a/internal/ingress/annotations/parser/validators.go b/internal/ingress/annotations/parser/validators.go index e14b486eb..ab9b4799f 100644 --- a/internal/ingress/annotations/parser/validators.go +++ b/internal/ingress/annotations/parser/validators.go @@ -52,7 +52,7 @@ var ( var IsValidRegex = regexp.MustCompile("^[/" + alphaNumericChars + regexEnabledChars + "]*$") // SizeRegex validates sizes understood by NGINX, like 1000, 100k, 1000M -var SizeRegex = regexp.MustCompile("^(?i)[0-9]+[bkmg]?$") +var SizeRegex = regexp.MustCompile(`^(?i)\d+[bkmg]?$`) // URLRegex is used to validate a URL but with only a specific set of characters: // It is alphanumericChar + ":", "?", "&" @@ -103,7 +103,7 @@ func ValidateServerName(value string) error { // ValidateRegex receives a regex as an argument and uses it to validate // the value of the field. // Annotation can define if the spaces should be trimmed before validating the value -func ValidateRegex(regex regexp.Regexp, removeSpace bool) AnnotationValidator { +func ValidateRegex(regex *regexp.Regexp, removeSpace bool) AnnotationValidator { return func(s string) error { if removeSpace { s = strings.ReplaceAll(s, " ", "") @@ -117,7 +117,7 @@ func ValidateRegex(regex regexp.Regexp, removeSpace bool) AnnotationValidator { // ValidateOptions receives an array of valid options that can be the value of annotation. // If no valid option is found, it will return an error -func ValidateOptions(options []string, caseSensitive bool, trimSpace bool) AnnotationValidator { +func ValidateOptions(options []string, caseSensitive, trimSpace bool) AnnotationValidator { return func(s string) error { if trimSpace { s = strings.TrimSpace(s) @@ -161,7 +161,7 @@ func ValidateDuration(value string) error { // ValidateNull always return null values and should not be widely used. // It is used on the "snippet" annotations, as it is up to the admin to allow its // usage, knowing it can be critical! -func ValidateNull(value string) error { +func ValidateNull(_ string) error { return nil } diff --git a/internal/ingress/annotations/parser/validators_test.go b/internal/ingress/annotations/parser/validators_test.go index 2aa6cec37..e7aeb15ca 100644 --- a/internal/ingress/annotations/parser/validators_test.go +++ b/internal/ingress/annotations/parser/validators_test.go @@ -223,7 +223,6 @@ func Test_checkAnnotation(t *testing.T) { } func TestCheckAnnotationRisk(t *testing.T) { - tests := []struct { name string annotations map[string]string diff --git a/internal/ingress/annotations/proxy/main.go b/internal/ingress/annotations/proxy/main.go index a2d10ca90..9d2646261 100644 --- a/internal/ingress/annotations/proxy/main.go +++ b/internal/ingress/annotations/proxy/main.go @@ -42,12 +42,10 @@ const ( proxyRedirectToAnnotation = "proxy-redirect-to" proxyBufferingAnnotation = "proxy-buffering" proxyHTTPVersionAnnotation = "proxy-http-version" - proxyMaxTempFileSizeAnnotation = "proxy-max-temp-file-size" + proxyMaxTempFileSizeAnnotation = "proxy-max-temp-file-size" //#nosec G101 ) -var ( - validUpstreamAnnotation = regexp.MustCompile(`^((error|timeout|invalid_header|http_500|http_502|http_503|http_504|http_403|http_404|http_429|non_idempotent|off)\s?)+$`) -) +var validUpstreamAnnotation = regexp.MustCompile(`^((error|timeout|invalid_header|http_500|http_502|http_503|http_504|http_403|http_404|http_429|non_idempotent|off)\s?)+$`) var proxyAnnotations = parser.Annotation{ Group: "backend", @@ -78,32 +76,32 @@ var proxyAnnotations = parser.Annotation{ By default proxy buffers number is set as 4`, }, proxyBufferSizeAnnotation: { - Validator: parser.ValidateRegex(*parser.SizeRegex, true), + Validator: parser.ValidateRegex(parser.SizeRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, Documentation: `This annotation sets the size of the buffer proxy_buffer_size used for reading the first part of the response received from the proxied server. By default proxy buffer size is set as "4k".`, }, proxyCookiePathAnnotation: { - Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation sets a text that should be changed in the path attribute of the "Set-Cookie" header fields of a proxied server response.`, }, proxyCookieDomainAnnotation: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation ets a text that should be changed in the domain attribute of the "Set-Cookie" header fields of a proxied server response.`, }, proxyBodySizeAnnotation: { - Validator: parser.ValidateRegex(*parser.SizeRegex, true), + Validator: parser.ValidateRegex(parser.SizeRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation allows setting the maximum allowed size of a client request body.`, }, proxyNextUpstreamAnnotation: { - Validator: parser.ValidateRegex(*validUpstreamAnnotation, false), + Validator: parser.ValidateRegex(validUpstreamAnnotation, false), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation defines when the next upstream should be used. @@ -129,13 +127,13 @@ var proxyAnnotations = parser.Annotation{ Documentation: `This annotation enables or disables buffering of a client request body.`, }, proxyRedirectFromAnnotation: { - Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `The annotations proxy-redirect-from and proxy-redirect-to will set the first and second parameters of NGINX's proxy_redirect directive respectively`, }, proxyRedirectToAnnotation: { - Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `The annotations proxy-redirect-from and proxy-redirect-to will set the first and second parameters of NGINX's proxy_redirect directive respectively`, @@ -153,7 +151,7 @@ var proxyAnnotations = parser.Annotation{ Documentation: `This annotations sets the HTTP protocol version for proxying. Can be "1.0" or "1.1".`, }, proxyMaxTempFileSizeAnnotation: { - Validator: parser.ValidateRegex(*parser.SizeRegex, true), + Validator: parser.ValidateRegex(parser.SizeRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, Documentation: `This annotation defines the maximum size of a temporary file when buffering responses.`, @@ -253,7 +251,8 @@ type proxy struct { // NewParser creates a new reverse proxy configuration annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return proxy{r: r, + return proxy{ + r: r, annotationConfig: proxyAnnotations, } } diff --git a/internal/ingress/annotations/proxy/main_test.go b/internal/ingress/annotations/proxy/main_test.go index fa185551b..9446ae970 100644 --- a/internal/ingress/annotations/proxy/main_test.go +++ b/internal/ingress/annotations/proxy/main_test.go @@ -28,6 +28,12 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + off = "off" + proxyHTTPVersion = "1.0" + proxyMaxTempFileSize = "128k" +) + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -87,7 +93,7 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { ProxyNextUpstreamTimeout: 0, ProxyNextUpstreamTries: 3, ProxyRequestBuffering: "on", - ProxyBuffering: "off", + ProxyBuffering: off, ProxyHTTPVersion: "1.1", ProxyMaxTempFileSize: "1024m", } @@ -103,13 +109,13 @@ func TestProxy(t *testing.T) { data[parser.GetAnnotationWithPrefix("proxy-buffers-number")] = "8" data[parser.GetAnnotationWithPrefix("proxy-buffer-size")] = "1k" data[parser.GetAnnotationWithPrefix("proxy-body-size")] = "2k" - data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = "off" + data[parser.GetAnnotationWithPrefix("proxy-next-upstream")] = off data[parser.GetAnnotationWithPrefix("proxy-next-upstream-timeout")] = "5" data[parser.GetAnnotationWithPrefix("proxy-next-upstream-tries")] = "3" - data[parser.GetAnnotationWithPrefix("proxy-request-buffering")] = "off" + data[parser.GetAnnotationWithPrefix("proxy-request-buffering")] = off data[parser.GetAnnotationWithPrefix("proxy-buffering")] = "on" - data[parser.GetAnnotationWithPrefix("proxy-http-version")] = "1.0" - data[parser.GetAnnotationWithPrefix("proxy-max-temp-file-size")] = "128k" + data[parser.GetAnnotationWithPrefix("proxy-http-version")] = proxyHTTPVersion + data[parser.GetAnnotationWithPrefix("proxy-max-temp-file-size")] = proxyMaxTempFileSize ing.SetAnnotations(data) i, err := NewParser(mockBackend{}).Parse(ing) @@ -138,7 +144,7 @@ func TestProxy(t *testing.T) { if p.BodySize != "2k" { t.Errorf("expected 2k as body-size but returned %v", p.BodySize) } - if p.NextUpstream != "off" { + if p.NextUpstream != off { t.Errorf("expected off as next-upstream but returned %v", p.NextUpstream) } if p.NextUpstreamTimeout != 5 { @@ -147,16 +153,16 @@ func TestProxy(t *testing.T) { if p.NextUpstreamTries != 3 { t.Errorf("expected 3 as next-upstream-tries but returned %v", p.NextUpstreamTries) } - if p.RequestBuffering != "off" { + if p.RequestBuffering != off { t.Errorf("expected off as request-buffering but returned %v", p.RequestBuffering) } if p.ProxyBuffering != "on" { t.Errorf("expected on as proxy-buffering but returned %v", p.ProxyBuffering) } - if p.ProxyHTTPVersion != "1.0" { + if p.ProxyHTTPVersion != proxyHTTPVersion { t.Errorf("expected 1.0 as proxy-http-version but returned %v", p.ProxyHTTPVersion) } - if p.ProxyMaxTempFileSize != "128k" { + if p.ProxyMaxTempFileSize != proxyMaxTempFileSize { t.Errorf("expected 128k as proxy-max-temp-file-size but returned %v", p.ProxyMaxTempFileSize) } } @@ -176,8 +182,8 @@ func TestProxyComplex(t *testing.T) { data[parser.GetAnnotationWithPrefix("proxy-next-upstream-tries")] = "3" data[parser.GetAnnotationWithPrefix("proxy-request-buffering")] = "off" data[parser.GetAnnotationWithPrefix("proxy-buffering")] = "on" - data[parser.GetAnnotationWithPrefix("proxy-http-version")] = "1.0" - data[parser.GetAnnotationWithPrefix("proxy-max-temp-file-size")] = "128k" + data[parser.GetAnnotationWithPrefix("proxy-http-version")] = proxyHTTPVersion + data[parser.GetAnnotationWithPrefix("proxy-max-temp-file-size")] = proxyMaxTempFileSize ing.SetAnnotations(data) i, err := NewParser(mockBackend{}).Parse(ing) @@ -221,10 +227,10 @@ func TestProxyComplex(t *testing.T) { if p.ProxyBuffering != "on" { t.Errorf("expected on as proxy-buffering but returned %v", p.ProxyBuffering) } - if p.ProxyHTTPVersion != "1.0" { + if p.ProxyHTTPVersion != proxyHTTPVersion { t.Errorf("expected 1.0 as proxy-http-version but returned %v", p.ProxyHTTPVersion) } - if p.ProxyMaxTempFileSize != "128k" { + if p.ProxyMaxTempFileSize != proxyMaxTempFileSize { t.Errorf("expected 128k as proxy-max-temp-file-size but returned %v", p.ProxyMaxTempFileSize) } } diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go index 40ee18aa0..0e854cd21 100644 --- a/internal/ingress/annotations/proxyssl/main.go +++ b/internal/ingress/annotations/proxyssl/main.go @@ -24,7 +24,6 @@ import ( networking "k8s.io/api/networking/v1" "k8s.io/ingress-nginx/internal/ingress/annotations/parser" - "k8s.io/ingress-nginx/internal/ingress/errors" ing_errors "k8s.io/ingress-nginx/internal/ingress/errors" "k8s.io/ingress-nginx/internal/ingress/resolver" "k8s.io/ingress-nginx/internal/k8s" @@ -42,7 +41,7 @@ const ( var ( proxySSLOnOffRegex = regexp.MustCompile(`^(on|off)$`) proxySSLProtocolRegex = regexp.MustCompile(`^(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2|TLSv1\.3| )*$`) - proxySSLCiphersRegex = regexp.MustCompile(`^[A-Za-z0-9\+\:\_\-\!]*$`) + proxySSLCiphersRegex = regexp.MustCompile(`^[A-Za-z0-9\+:\_\-!]*$`) ) const ( @@ -59,7 +58,7 @@ var proxySSLAnnotation = parser.Annotation{ Group: "proxy", Annotations: parser.AnnotationFields{ proxySSLSecretAnnotation: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation specifies a Secret with the certificate tls.crt, key tls.key in PEM format used for authentication to a proxied HTTPS server. @@ -68,14 +67,14 @@ var proxySSLAnnotation = parser.Annotation{ Just secrets on the same namespace of the ingress can be used.`, }, proxySSLCiphersAnnotation: { - Validator: parser.ValidateRegex(*proxySSLCiphersRegex, true), + Validator: parser.ValidateRegex(proxySSLCiphersRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation Specifies the enabled ciphers for requests to a proxied HTTPS server. The ciphers are specified in the format understood by the OpenSSL library.`, }, proxySSLProtocolsAnnotation: { - Validator: parser.ValidateRegex(*proxySSLProtocolRegex, true), + Validator: parser.ValidateRegex(proxySSLProtocolRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskLow, Documentation: `This annotation enables the specified protocols for requests to a proxied HTTPS server.`, @@ -88,7 +87,7 @@ var proxySSLAnnotation = parser.Annotation{ This value is also passed through SNI when a connection is established to the proxied HTTPS server.`, }, proxySSLVerifyAnnotation: { - Validator: parser.ValidateRegex(*proxySSLOnOffRegex, true), + Validator: parser.ValidateRegex(proxySSLOnOffRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskLow, Documentation: `This annotation enables or disables verification of the proxied HTTPS server certificate. (default: off)`, @@ -100,7 +99,7 @@ var proxySSLAnnotation = parser.Annotation{ Documentation: `This annotation Sets the verification depth in the proxied HTTPS server certificates chain. (default: 1).`, }, proxySSLServerNameAnnotation: { - Validator: parser.ValidateRegex(*proxySSLOnOffRegex, true), + Validator: parser.ValidateRegex(proxySSLOnOffRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskLow, Documentation: `This annotation enables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied HTTPS server.`, @@ -150,10 +149,11 @@ func (pssl1 *Config) Equal(pssl2 *Config) bool { } // NewParser creates a new TLS authentication annotation parser -func NewParser(resolver resolver.Resolver) parser.IngressAnnotation { +func NewParser(r resolver.Resolver) parser.IngressAnnotation { return proxySSL{ - r: resolver, - annotationConfig: proxySSLAnnotation} + r: r, + annotationConfig: proxySSLAnnotation, + } } type proxySSL struct { @@ -208,13 +208,13 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) { proxyCert, err := p.r.GetAuthCertificate(proxysslsecret) if err != nil { e := fmt.Errorf("error obtaining certificate: %w", err) - return &Config{}, ing_errors.LocationDenied{Reason: e} + return &Config{}, ing_errors.LocationDeniedError{Reason: e} } config.AuthSSLCert = *proxyCert config.Ciphers, err = parser.GetStringAnnotation(proxySSLCiphersAnnotation, ing, p.annotationConfig.Annotations) if err != nil { - if errors.IsValidationError(err) { + if ing_errors.IsValidationError(err) { klog.Warningf("invalid value passed to proxy-ssl-ciphers, defaulting to %s", defaultProxySSLCiphers) } config.Ciphers = defaultProxySSLCiphers @@ -222,7 +222,7 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) { config.Protocols, err = parser.GetStringAnnotation(proxySSLProtocolsAnnotation, ing, p.annotationConfig.Annotations) if err != nil { - if errors.IsValidationError(err) { + if ing_errors.IsValidationError(err) { klog.Warningf("invalid value passed to proxy-ssl-protocols, defaulting to %s", defaultProxySSLProtocols) } config.Protocols = defaultProxySSLProtocols @@ -232,7 +232,7 @@ func (p proxySSL) Parse(ing *networking.Ingress) (interface{}, error) { config.ProxySSLName, err = parser.GetStringAnnotation(proxySSLNameAnnotation, ing, p.annotationConfig.Annotations) if err != nil { - if errors.IsValidationError(err) { + if ing_errors.IsValidationError(err) { klog.Warningf("invalid value passed to proxy-ssl-name, defaulting to empty") } config.ProxySSLName = "" @@ -260,7 +260,7 @@ func (p proxySSL) GetDocumentation() parser.AnnotationFields { return p.annotationConfig.Annotations } -func (a proxySSL) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (p proxySSL) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(p.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, proxySSLAnnotation.Annotations) } diff --git a/internal/ingress/annotations/proxyssl/main_test.go b/internal/ingress/annotations/proxyssl/main_test.go index edd65343e..a20c6813d 100644 --- a/internal/ingress/annotations/proxyssl/main_test.go +++ b/internal/ingress/annotations/proxyssl/main_test.go @@ -27,6 +27,14 @@ import ( "k8s.io/ingress-nginx/internal/ingress/resolver" ) +const ( + defaultDemoSecret = "default/demo-secret" + proxySslCiphers = "HIGH:-SHA" + off = "off" + sslServerName = "w00t" + defaultProtocol = "SSLv2 TLSv1 TLSv1.2 TLSv1.3" +) + func buildIngress() *networking.Ingress { defaultBackend := networking.IngressBackend{ Service: &networking.IngressServiceBackend{ @@ -77,28 +85,27 @@ type mockSecret struct { // GetAuthCertificate from mockSecret mocks the GetAuthCertificate for backend certificate authentication func (m mockSecret) GetAuthCertificate(name string) (*resolver.AuthSSLCert, error) { - if name != "default/demo-secret" { + if name != defaultDemoSecret { return nil, errors.Errorf("there is no secret with name %v", name) } return &resolver.AuthSSLCert{ - Secret: "default/demo-secret", + Secret: defaultDemoSecret, CAFileName: "/ssl/ca.crt", CASHA: "abc", }, nil - } func TestAnnotations(t *testing.T) { ing := buildIngress() data := map[string]string{} - data[parser.GetAnnotationWithPrefix(proxySSLSecretAnnotation)] = "default/demo-secret" - data[parser.GetAnnotationWithPrefix("proxy-ssl-ciphers")] = "HIGH:-SHA" + data[parser.GetAnnotationWithPrefix(proxySSLSecretAnnotation)] = defaultDemoSecret + data[parser.GetAnnotationWithPrefix("proxy-ssl-ciphers")] = proxySslCiphers data[parser.GetAnnotationWithPrefix("proxy-ssl-name")] = "$host" data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv1.3 SSLv2 TLSv1 TLSv1.2" data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = "on" - data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = "off" + data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = off data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = "on" data[parser.GetAnnotationWithPrefix("proxy-ssl-verify-depth")] = "3" @@ -115,7 +122,7 @@ func TestAnnotations(t *testing.T) { t.Errorf("expected *Config but got %v", u) } - secret, err := fakeSecret.GetAuthCertificate("default/demo-secret") + secret, err := fakeSecret.GetAuthCertificate(defaultDemoSecret) if err != nil { t.Errorf("unexpected error getting secret %v", err) } @@ -123,11 +130,11 @@ func TestAnnotations(t *testing.T) { if u.AuthSSLCert.Secret != secret.Secret { t.Errorf("expected %v but got %v", secret.Secret, u.AuthSSLCert.Secret) } - if u.Ciphers != "HIGH:-SHA" { - t.Errorf("expected %v but got %v", "HIGH:-SHA", u.Ciphers) + if u.Ciphers != proxySslCiphers { + t.Errorf("expected %v but got %v", proxySslCiphers, u.Ciphers) } - if u.Protocols != "SSLv2 TLSv1 TLSv1.2 TLSv1.3" { - t.Errorf("expected %v but got %v", "SSLv2 TLSv1 TLSv1.2 TLSv1.3", u.Protocols) + if u.Protocols != defaultProtocol { + t.Errorf("expected %v but got %v", defaultProtocol, u.Protocols) } if u.Verify != "on" { t.Errorf("expected %v but got %v", "on", u.Verify) @@ -141,7 +148,6 @@ func TestAnnotations(t *testing.T) { if u.ProxySSLServerName != "on" { t.Errorf("expected %v but got %v", "on", u.ProxySSLServerName) } - } func TestInvalidAnnotations(t *testing.T) { @@ -172,11 +178,11 @@ func TestInvalidAnnotations(t *testing.T) { } // Invalid optional Annotations - data[parser.GetAnnotationWithPrefix("proxy-ssl-secret")] = "default/demo-secret" + data[parser.GetAnnotationWithPrefix("proxy-ssl-secret")] = defaultDemoSecret data[parser.GetAnnotationWithPrefix("proxy-ssl-protocols")] = "TLSv111 SSLv1" - data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = "w00t" - data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = "w00t" - data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = "w00t" + data[parser.GetAnnotationWithPrefix("proxy-ssl-server-name")] = sslServerName + data[parser.GetAnnotationWithPrefix("proxy-ssl-session-reuse")] = sslServerName + data[parser.GetAnnotationWithPrefix("proxy-ssl-verify")] = sslServerName data[parser.GetAnnotationWithPrefix("proxy-ssl-verify-depth")] = "abcd" ing.SetAnnotations(data) @@ -207,21 +213,15 @@ func TestEquals(t *testing.T) { cfg1 := &Config{} cfg2 := &Config{} - // Same config - result := cfg1.Equal(cfg1) - if result != true { - t.Errorf("Expected true") - } - // compare nil - result = cfg1.Equal(nil) + result := cfg1.Equal(nil) if result != false { t.Errorf("Expected false") } // Different Certs sslCert1 := resolver.AuthSSLCert{ - Secret: "default/demo-secret", + Secret: defaultDemoSecret, CAFileName: "/ssl/ca.crt", CASHA: "abc", } @@ -240,7 +240,7 @@ func TestEquals(t *testing.T) { // Different Ciphers cfg1.Ciphers = "DEFAULT" - cfg2.Ciphers = "HIGH:-SHA" + cfg2.Ciphers = proxySslCiphers result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") @@ -248,22 +248,22 @@ func TestEquals(t *testing.T) { cfg2.Ciphers = "DEFAULT" // Different Protocols - cfg1.Protocols = "SSLv2 TLSv1 TLSv1.2 TLSv1.3" + cfg1.Protocols = defaultProtocol cfg2.Protocols = "SSLv3 TLSv1 TLSv1.2 TLSv1.3" result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") } - cfg2.Protocols = "SSLv2 TLSv1 TLSv1.2 TLSv1.3" + cfg2.Protocols = defaultProtocol // Different Verify - cfg1.Verify = "off" + cfg1.Verify = off cfg2.Verify = "on" result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") } - cfg2.Verify = "off" + cfg2.Verify = off // Different VerifyDepth cfg1.VerifyDepth = 1 @@ -275,13 +275,13 @@ func TestEquals(t *testing.T) { cfg2.VerifyDepth = 1 // Different ProxySSLServerName - cfg1.ProxySSLServerName = "off" + cfg1.ProxySSLServerName = off cfg2.ProxySSLServerName = "on" result = cfg1.Equal(cfg2) if result != false { t.Errorf("Expected false") } - cfg2.ProxySSLServerName = "off" + cfg2.ProxySSLServerName = off // Equal Configs result = cfg1.Equal(cfg2) diff --git a/internal/ingress/annotations/ratelimit/main.go b/internal/ingress/annotations/ratelimit/main.go index 39161a2c0..e79c698bf 100644 --- a/internal/ingress/annotations/ratelimit/main.go +++ b/internal/ingress/annotations/ratelimit/main.go @@ -288,7 +288,7 @@ func (a ratelimit) Parse(ing *networking.Ingress) (interface{}, error) { func encode(s string) string { str := base64.URLEncoding.EncodeToString([]byte(s)) - return strings.Replace(str, "=", "", -1) + return strings.ReplaceAll(str, "=", "") } func (a ratelimit) GetDocumentation() parser.AnnotationFields { diff --git a/internal/ingress/annotations/redirect/redirect.go b/internal/ingress/annotations/redirect/redirect.go index 89513c83c..b58e35171 100644 --- a/internal/ingress/annotations/redirect/redirect.go +++ b/internal/ingress/annotations/redirect/redirect.go @@ -54,14 +54,14 @@ var redirectAnnotations = parser.Annotation{ Documentation: `In some scenarios is required to redirect from www.domain.com to domain.com or vice versa. To enable this feature use this annotation.`, }, temporalRedirectAnnotation: { - Validator: parser.ValidateRegex(*parser.URLIsValidRegex, false), + Validator: parser.ValidateRegex(parser.URLIsValidRegex, false), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, // Medium, as it allows arbitrary URLs that needs to be validated Documentation: `This annotation allows you to return a temporal redirect (Return Code 302) instead of sending data to the upstream. For example setting this annotation to https://www.google.com would redirect everything to Google with a Return Code of 302 (Moved Temporarily).`, }, permanentRedirectAnnotation: { - Validator: parser.ValidateRegex(*parser.URLIsValidRegex, false), + Validator: parser.ValidateRegex(parser.URLIsValidRegex, false), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, // Medium, as it allows arbitrary URLs that needs to be validated Documentation: `This annotation allows to return a permanent redirect (Return Code 301) instead of sending data to the upstream. @@ -174,11 +174,11 @@ func isValidURL(s string) error { return nil } -func (a redirect) GetDocumentation() parser.AnnotationFields { - return a.annotationConfig.Annotations +func (r redirect) GetDocumentation() parser.AnnotationFields { + return r.annotationConfig.Annotations } -func (a redirect) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (r redirect) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(r.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, redirectAnnotations.Annotations) } diff --git a/internal/ingress/annotations/redirect/redirect_test.go b/internal/ingress/annotations/redirect/redirect_test.go index 5a61f364d..bd2f98211 100644 --- a/internal/ingress/annotations/redirect/redirect_test.go +++ b/internal/ingress/annotations/redirect/redirect_test.go @@ -136,7 +136,6 @@ func TestTemporalRedirect(t *testing.T) { } func TestIsValidURL(t *testing.T) { - invalid := "ok.com" urlParse, err := url.Parse(invalid) if err != nil { diff --git a/internal/ingress/annotations/rewrite/main.go b/internal/ingress/annotations/rewrite/main.go index 84dc93bf0..cd9ed3993 100644 --- a/internal/ingress/annotations/rewrite/main.go +++ b/internal/ingress/annotations/rewrite/main.go @@ -40,7 +40,7 @@ var rewriteAnnotations = parser.Annotation{ Group: "rewrite", Annotations: parser.AnnotationFields{ rewriteTargetAnnotation: { - Validator: parser.ValidateRegex(*parser.RegexPathWithCapture, false), + Validator: parser.ValidateRegex(parser.RegexPathWithCapture, false), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation allows to specify the target URI where the traffic must be redirected. It can contain regular characters and captured @@ -72,7 +72,7 @@ var rewriteAnnotations = parser.Annotation{ the pathType should also be defined as 'ImplementationSpecific'.`, }, appRootAnnotation: { - Validator: parser.ValidateRegex(*parser.RegexPathWithCapture, false), + Validator: parser.ValidateRegex(parser.RegexPathWithCapture, false), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation defines the Application Root that the Controller must redirect if it's in / context`, diff --git a/internal/ingress/annotations/rewrite/main_test.go b/internal/ingress/annotations/rewrite/main_test.go index 6b97d2e01..b68b901b4 100644 --- a/internal/ingress/annotations/rewrite/main_test.go +++ b/internal/ingress/annotations/rewrite/main_test.go @@ -120,7 +120,10 @@ func TestSSLRedirect(t *testing.T) { data[parser.GetAnnotationWithPrefix("rewrite-target")] = defRoute ing.SetAnnotations(data) - i, _ := NewParser(mockBackend{redirect: true}).Parse(ing) + i, err := NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok := i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -132,7 +135,10 @@ func TestSSLRedirect(t *testing.T) { data[parser.GetAnnotationWithPrefix("rewrite-target")] = "/xpto/$1/abc/$2" ing.SetAnnotations(data) - i, _ = NewParser(mockBackend{redirect: true}).Parse(ing) + i, err = NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok = i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -144,7 +150,10 @@ func TestSSLRedirect(t *testing.T) { data[parser.GetAnnotationWithPrefix("rewrite-target")] = "/xpto/xas{445}" ing.SetAnnotations(data) - i, _ = NewParser(mockBackend{redirect: true}).Parse(ing) + i, err = NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok = i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -156,7 +165,10 @@ func TestSSLRedirect(t *testing.T) { data[parser.GetAnnotationWithPrefix("ssl-redirect")] = "false" ing.SetAnnotations(data) - i, _ = NewParser(mockBackend{redirect: false}).Parse(ing) + i, err = NewParser(mockBackend{redirect: false}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok = i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -173,7 +185,10 @@ func TestForceSSLRedirect(t *testing.T) { data[parser.GetAnnotationWithPrefix("rewrite-target")] = defRoute ing.SetAnnotations(data) - i, _ := NewParser(mockBackend{redirect: true}).Parse(ing) + i, err := NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok := i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -185,7 +200,10 @@ func TestForceSSLRedirect(t *testing.T) { data[parser.GetAnnotationWithPrefix("force-ssl-redirect")] = "true" ing.SetAnnotations(data) - i, _ = NewParser(mockBackend{redirect: false}).Parse(ing) + i, err = NewParser(mockBackend{redirect: false}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok = i.(*Config) if !ok { t.Errorf("expected a Redirect type") @@ -194,6 +212,7 @@ func TestForceSSLRedirect(t *testing.T) { t.Errorf("Expected true but returned false") } } + func TestAppRoot(t *testing.T) { ap := NewParser(mockBackend{redirect: true}) @@ -241,7 +260,10 @@ func TestUseRegex(t *testing.T) { data[parser.GetAnnotationWithPrefix("use-regex")] = "true" ing.SetAnnotations(data) - i, _ := NewParser(mockBackend{redirect: true}).Parse(ing) + i, err := NewParser(mockBackend{redirect: true}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } redirect, ok := i.(*Config) if !ok { t.Errorf("expected a App Context") diff --git a/internal/ingress/annotations/satisfy/main.go b/internal/ingress/annotations/satisfy/main.go index 45187fe5c..13a4532c1 100644 --- a/internal/ingress/annotations/satisfy/main.go +++ b/internal/ingress/annotations/satisfy/main.go @@ -69,7 +69,7 @@ func (s satisfy) GetDocumentation() parser.AnnotationFields { return s.annotationConfig.Annotations } -func (a satisfy) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (s satisfy) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(s.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, satisfyAnnotations.Annotations) } diff --git a/internal/ingress/annotations/serversnippet/main_test.go b/internal/ingress/annotations/serversnippet/main_test.go index 601e11a42..72e757dc1 100644 --- a/internal/ingress/annotations/serversnippet/main_test.go +++ b/internal/ingress/annotations/serversnippet/main_test.go @@ -54,6 +54,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/serviceupstream/main.go b/internal/ingress/annotations/serviceupstream/main.go index e662f73c3..d1851bc7b 100644 --- a/internal/ingress/annotations/serviceupstream/main.go +++ b/internal/ingress/annotations/serviceupstream/main.go @@ -69,7 +69,7 @@ func (s serviceUpstream) GetDocumentation() parser.AnnotationFields { return s.annotationConfig.Annotations } -func (a serviceUpstream) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (s serviceUpstream) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(s.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, serviceUpstreamAnnotations.Annotations) } diff --git a/internal/ingress/annotations/serviceupstream/main_test.go b/internal/ingress/annotations/serviceupstream/main_test.go index 2751208ec..e6216ee5a 100644 --- a/internal/ingress/annotations/serviceupstream/main_test.go +++ b/internal/ingress/annotations/serviceupstream/main_test.go @@ -77,7 +77,10 @@ func TestIngressAnnotationServiceUpstreamEnabled(t *testing.T) { data[parser.GetAnnotationWithPrefix(serviceUpstreamAnnotation)] = "true" ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok := val.(bool) if !ok { t.Errorf("expected a bool type") @@ -96,7 +99,10 @@ func TestIngressAnnotationServiceUpstreamSetFalse(t *testing.T) { data[parser.GetAnnotationWithPrefix(serviceUpstreamAnnotation)] = "false" ing.SetAnnotations(data) - val, _ := NewParser(&resolver.Mock{}).Parse(ing) + val, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok := val.(bool) if !ok { t.Errorf("expected a bool type") @@ -110,7 +116,10 @@ func TestIngressAnnotationServiceUpstreamSetFalse(t *testing.T) { data = map[string]string{} ing.SetAnnotations(data) - val, _ = NewParser(&resolver.Mock{}).Parse(ing) + val, err = NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok = val.(bool) if !ok { t.Errorf("expected a bool type") @@ -137,7 +146,10 @@ func (m mockBackend) GetDefaultBackend() defaults.Backend { func TestParseAnnotationsWithDefaultConfig(t *testing.T) { ing := buildIngress() - val, _ := NewParser(mockBackend{}).Parse(ing) + val, err := NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok := val.(bool) if !ok { @@ -158,7 +170,10 @@ func TestParseAnnotationsOverridesDefaultConfig(t *testing.T) { data[parser.GetAnnotationWithPrefix(serviceUpstreamAnnotation)] = "false" ing.SetAnnotations(data) - val, _ := NewParser(mockBackend{}).Parse(ing) + val, err := NewParser(mockBackend{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error: %v", err) + } enabled, ok := val.(bool) if !ok { diff --git a/internal/ingress/annotations/sessionaffinity/main.go b/internal/ingress/annotations/sessionaffinity/main.go index 0a4a59dbc..cc2095de4 100644 --- a/internal/ingress/annotations/sessionaffinity/main.go +++ b/internal/ingress/annotations/sessionaffinity/main.go @@ -63,13 +63,15 @@ const ( // This is used to control the cookie change after request failure annotationAffinityCookieChangeOnFailure = "session-cookie-change-on-failure" + + cookieAffinity = "cookie" ) var sessionAffinityAnnotations = parser.Annotation{ Group: "affinity", Annotations: parser.AnnotationFields{ annotationAffinityType: { - Validator: parser.ValidateOptions([]string{"cookie"}, true, true), + Validator: parser.ValidateOptions([]string{cookieAffinity}, true, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskLow, Documentation: `This annotation enables and sets the affinity type in all Upstreams of an Ingress. This way, a request will always be directed to the same upstream server. The only affinity type available for NGINX is cookie`, @@ -91,7 +93,7 @@ var sessionAffinityAnnotations = parser.Annotation{ Setting this to legacy will restore original canary behavior, when session affinity was ignored.`, }, annotationAffinityCookieName: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation allows to specify the name of the cookie that will be used to route the requests`, @@ -103,25 +105,25 @@ var sessionAffinityAnnotations = parser.Annotation{ Documentation: `This annotation set the cookie as secure regardless the protocol of the incoming request`, }, annotationAffinityCookieExpires: { - Validator: parser.ValidateRegex(*affinityCookieExpiresRegex, true), + Validator: parser.ValidateRegex(affinityCookieExpiresRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation is a legacy version of "session-cookie-max-age" for compatibility with older browsers, generates an "Expires" cookie directive by adding the seconds to the current date`, }, annotationAffinityCookieMaxAge: { - Validator: parser.ValidateRegex(*affinityCookieExpiresRegex, false), + Validator: parser.ValidateRegex(affinityCookieExpiresRegex, false), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation sets the time until the cookie expires`, }, annotationAffinityCookiePath: { - Validator: parser.ValidateRegex(*parser.URLIsValidRegex, true), + Validator: parser.ValidateRegex(parser.URLIsValidRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation defines the Path that will be set on the cookie (required if your Ingress paths use regular expressions)`, }, annotationAffinityCookieDomain: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskMedium, Documentation: `This annotation defines the Domain attribute of the sticky cookie.`, @@ -149,9 +151,7 @@ var sessionAffinityAnnotations = parser.Annotation{ }, } -var ( - affinityCookieExpiresRegex = regexp.MustCompile(`(^0|-?[1-9]\d*$)`) -) +var affinityCookieExpiresRegex = regexp.MustCompile(`(^0|-?[1-9]\d*$)`) // Config describes the per ingress session affinity config type Config struct { @@ -186,6 +186,11 @@ type Cookie struct { ConditionalSameSiteNone bool `json:"conditional-samesite-none"` } +type affinity struct { + r resolver.Resolver + annotationConfig parser.Annotation +} + // cookieAffinityParse gets the annotation values related to Cookie Affinity // It also sets default values when no value or incorrect value is found func (a affinity) cookieAffinityParse(ing *networking.Ingress) *Cookie { @@ -252,11 +257,6 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { } } -type affinity struct { - r resolver.Resolver - annotationConfig parser.Annotation -} - // ParseAnnotations parses the annotations contained in the ingress // rule used to configure the affinity directives func (a affinity) Parse(ing *networking.Ingress) (interface{}, error) { @@ -279,11 +279,10 @@ func (a affinity) Parse(ing *networking.Ingress) (interface{}, error) { } switch at { - case "cookie": + case cookieAffinity: cookie = a.cookieAffinityParse(ing) default: klog.V(3).InfoS("No default affinity found", "ingress", ing.Name) - } return &Config{ diff --git a/internal/ingress/annotations/sessionaffinity/main_test.go b/internal/ingress/annotations/sessionaffinity/main_test.go index cffe57fec..cecf8cf8f 100644 --- a/internal/ingress/annotations/sessionaffinity/main_test.go +++ b/internal/ingress/annotations/sessionaffinity/main_test.go @@ -83,7 +83,11 @@ func TestIngressAffinityCookieConfig(t *testing.T) { data[parser.GetAnnotationWithPrefix(annotationAffinityCookieSecure)] = "true" ing.SetAnnotations(data) - affin, _ := NewParser(&resolver.Mock{}).Parse(ing) + affin, err := NewParser(&resolver.Mock{}).Parse(ing) + if err != nil { + t.Errorf("unexpected error parsing annotations: %v", err) + } + nginxAffinity, ok := affin.(*Config) if !ok { t.Errorf("expected a Config type") diff --git a/internal/ingress/annotations/snippet/main_test.go b/internal/ingress/annotations/snippet/main_test.go index 921afeea8..b29b2950d 100644 --- a/internal/ingress/annotations/snippet/main_test.go +++ b/internal/ingress/annotations/snippet/main_test.go @@ -54,6 +54,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/sslcipher/main.go b/internal/ingress/annotations/sslcipher/main.go index c30f12424..685ef90bf 100644 --- a/internal/ingress/annotations/sslcipher/main.go +++ b/internal/ingress/annotations/sslcipher/main.go @@ -31,10 +31,8 @@ const ( sslCipherAnnotation = "ssl-ciphers" ) -var ( - // Should cover something like "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" - regexValidSSLCipher = regexp.MustCompile(`^[A-Za-z0-9!:+\-]*$`) -) +// Should cover something like "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP" +var regexValidSSLCipher = regexp.MustCompile(`^[A-Za-z0-9!:+\-]*$`) var sslCipherAnnotations = parser.Annotation{ Group: "backend", @@ -47,7 +45,7 @@ var sslCipherAnnotations = parser.Annotation{ This configuration specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.`, }, sslCipherAnnotation: { - Validator: parser.ValidateRegex(*regexValidSSLCipher, true), + Validator: parser.ValidateRegex(regexValidSSLCipher, true), Scope: parser.AnnotationScopeIngress, Risk: parser.AnnotationRiskLow, Documentation: `Using this annotation will set the ssl_ciphers directive at the server level. This configuration is active for all the paths in the host.`, @@ -104,7 +102,7 @@ func (sc sslCipher) GetDocumentation() parser.AnnotationFields { return sc.annotationConfig.Annotations } -func (a sslCipher) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (sc sslCipher) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(sc.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, sslCipherAnnotations.Annotations) } diff --git a/internal/ingress/annotations/sslcipher/main_test.go b/internal/ingress/annotations/sslcipher/main_test.go index ac6808e06..20cb4d7af 100644 --- a/internal/ingress/annotations/sslcipher/main_test.go +++ b/internal/ingress/annotations/sslcipher/main_test.go @@ -42,8 +42,11 @@ func TestParse(t *testing.T) { expectErr bool }{ {map[string]string{annotationSSLCiphers: "ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"}, Config{"ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP", ""}, false}, - {map[string]string{annotationSSLCiphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}, - Config{"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", ""}, false}, + { + map[string]string{annotationSSLCiphers: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"}, + Config{"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256", ""}, + false, + }, {map[string]string{annotationSSLCiphers: ""}, Config{"", ""}, false}, {map[string]string{annotationSSLPreferServerCiphers: "true"}, Config{"", "on"}, false}, {map[string]string{annotationSSLPreferServerCiphers: "false"}, Config{"", "off"}, false}, @@ -61,13 +64,13 @@ func TestParse(t *testing.T) { Spec: networking.IngressSpec{}, } - for _, testCase := range testCases { + for i, testCase := range testCases { ing.SetAnnotations(testCase.annotations) result, err := ap.Parse(ing) if (err != nil) != testCase.expectErr { t.Fatalf("expected error: %t got error: %t err value: %s. %+v", testCase.expectErr, err != nil, err, testCase.annotations) } - if !reflect.DeepEqual(result, &testCase.expected) { + if !reflect.DeepEqual(result, &testCases[i].expected) { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) } } diff --git a/internal/ingress/annotations/sslpassthrough/main.go b/internal/ingress/annotations/sslpassthrough/main.go index 1557d4243..c06db8715 100644 --- a/internal/ingress/annotations/sslpassthrough/main.go +++ b/internal/ingress/annotations/sslpassthrough/main.go @@ -47,7 +47,8 @@ type sslpt struct { // NewParser creates a new SSL passthrough annotation parser func NewParser(r resolver.Resolver) parser.IngressAnnotation { - return sslpt{r: r, + return sslpt{ + r: r, annotationConfig: sslPassthroughAnnotations, } } diff --git a/internal/ingress/annotations/streamsnippet/main_test.go b/internal/ingress/annotations/streamsnippet/main_test.go index 997b7be70..e8a1ff8d0 100644 --- a/internal/ingress/annotations/streamsnippet/main_test.go +++ b/internal/ingress/annotations/streamsnippet/main_test.go @@ -38,7 +38,8 @@ func TestParse(t *testing.T) { annotations map[string]string expected string }{ - {map[string]string{annotation: "server { listen: 8000; proxy_pass 127.0.0.1:80}"}, + { + map[string]string{annotation: "server { listen: 8000; proxy_pass 127.0.0.1:80}"}, "server { listen: 8000; proxy_pass 127.0.0.1:80}", }, {map[string]string{annotation: "false"}, "false"}, @@ -56,6 +57,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/annotations/upstreamhashby/main.go b/internal/ingress/annotations/upstreamhashby/main.go index bc07f70fb..25cc88b8e 100644 --- a/internal/ingress/annotations/upstreamhashby/main.go +++ b/internal/ingress/annotations/upstreamhashby/main.go @@ -41,7 +41,7 @@ var upstreamHashByAnnotations = parser.Annotation{ Group: "backend", Annotations: parser.AnnotationFields{ upstreamHashByAnnotation: { - Validator: parser.ValidateRegex(*hashByRegex, true), + Validator: parser.ValidateRegex(hashByRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskHigh, // High, this annotation allows accessing NGINX variables Documentation: `This annotation defines the nginx variable, text value or any combination thereof to use for consistent hashing. diff --git a/internal/ingress/annotations/xforwardedprefix/main.go b/internal/ingress/annotations/xforwardedprefix/main.go index fc4d5798d..530afbb01 100644 --- a/internal/ingress/annotations/xforwardedprefix/main.go +++ b/internal/ingress/annotations/xforwardedprefix/main.go @@ -31,7 +31,7 @@ var xForwardedForAnnotations = parser.Annotation{ Group: "backend", Annotations: parser.AnnotationFields{ xForwardedForPrefixAnnotation: { - Validator: parser.ValidateRegex(*parser.BasicCharsRegex, true), + Validator: parser.ValidateRegex(parser.BasicCharsRegex, true), Scope: parser.AnnotationScopeLocation, Risk: parser.AnnotationRiskLow, // Low, as it allows regexes but on a very limited set Documentation: `This annotation can be used to add the non-standard X-Forwarded-Prefix header to the upstream request with a string value`, @@ -54,15 +54,15 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation { // Parse parses the annotations contained in the ingress rule // used to add an x-forwarded-prefix header to the request -func (cbbs xforwardedprefix) Parse(ing *networking.Ingress) (interface{}, error) { - return parser.GetStringAnnotation(xForwardedForPrefixAnnotation, ing, cbbs.annotationConfig.Annotations) +func (x xforwardedprefix) Parse(ing *networking.Ingress) (interface{}, error) { + return parser.GetStringAnnotation(xForwardedForPrefixAnnotation, ing, x.annotationConfig.Annotations) } -func (cbbs xforwardedprefix) GetDocumentation() parser.AnnotationFields { - return cbbs.annotationConfig.Annotations +func (x xforwardedprefix) GetDocumentation() parser.AnnotationFields { + return x.annotationConfig.Annotations } -func (a xforwardedprefix) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) +func (x xforwardedprefix) Validate(anns map[string]string) error { + maxrisk := parser.StringRiskToRisk(x.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, xForwardedForAnnotations.Annotations) } diff --git a/internal/ingress/annotations/xforwardedprefix/main_test.go b/internal/ingress/annotations/xforwardedprefix/main_test.go index d873a4412..f28b6b10e 100644 --- a/internal/ingress/annotations/xforwardedprefix/main_test.go +++ b/internal/ingress/annotations/xforwardedprefix/main_test.go @@ -54,6 +54,7 @@ func TestParse(t *testing.T) { for _, testCase := range testCases { ing.SetAnnotations(testCase.annotations) + //nolint:errcheck // Ignore the error since invalid cases will be checked with expected results result, _ := ap.Parse(ing) if result != testCase.expected { t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations) diff --git a/internal/ingress/controller/certificate.go b/internal/ingress/controller/certificate.go index e8707c716..76aafec3c 100644 --- a/internal/ingress/controller/certificate.go +++ b/internal/ingress/controller/certificate.go @@ -100,7 +100,7 @@ func matchHostnames(pattern, host string) bool { host = strings.TrimSuffix(host, ".") pattern = strings.TrimSuffix(pattern, ".") - if len(pattern) == 0 || len(host) == 0 { + if pattern == "" || host == "" { return false } diff --git a/internal/ingress/controller/checker.go b/internal/ingress/controller/checker.go index 3229778bb..d1bf19ddf 100644 --- a/internal/ingress/controller/checker.go +++ b/internal/ingress/controller/checker.go @@ -29,7 +29,7 @@ import ( ) // Name returns the healthcheck name -func (n NGINXController) Name() string { +func (n *NGINXController) Name() string { return "nginx-ingress-controller" } diff --git a/internal/ingress/controller/checker_test.go b/internal/ingress/controller/checker_test.go index 2d63efc09..5fb6b09fd 100644 --- a/internal/ingress/controller/checker_test.go +++ b/internal/ingress/controller/checker_test.go @@ -32,7 +32,7 @@ import ( ) func TestNginxCheck(t *testing.T) { - var tests = []struct { + tests := []struct { healthzPath string }{ {"/healthz"}, @@ -42,7 +42,6 @@ func TestNginxCheck(t *testing.T) { for _, tt := range tests { testName := fmt.Sprintf("health path: %s", tt.healthzPath) t.Run(testName, func(t *testing.T) { - mux := http.NewServeMux() listener, err := tryListen("tcp", fmt.Sprintf(":%v", nginx.StatusPort)) @@ -50,7 +49,7 @@ func TestNginxCheck(t *testing.T) { t.Fatalf("creating tcp listener: %s", err) } defer listener.Close() - + //nolint:gosec // Ignore not configured ReadHeaderTimeout in testing server := &httptest.Server{ Listener: listener, Config: &http.Server{ @@ -103,10 +102,10 @@ func TestNginxCheck(t *testing.T) { } }() go func() { - cmd.Wait() //nolint:errcheck + cmd.Wait() //nolint:errcheck // Ignore the error }() - if _, err := pidFile.Write([]byte(fmt.Sprintf("%v", pid))); err != nil { + if _, err := fmt.Fprintf(pidFile, "%v", pid); err != nil { t.Errorf("unexpected error writing the pid file: %v", err) } @@ -121,7 +120,7 @@ func TestNginxCheck(t *testing.T) { }) // pollute pid file - pidFile.Write([]byte("999999")) //nolint:errcheck + pidFile.WriteString("999999") //nolint:errcheck // Ignore the error pidFile.Close() t.Run("bad pid", func(t *testing.T) { @@ -134,7 +133,7 @@ func TestNginxCheck(t *testing.T) { } func callHealthz(expErr bool, healthzPath string, mux *http.ServeMux) error { - req, err := http.NewRequest(http.MethodGet, healthzPath, nil) + req, err := http.NewRequest(http.MethodGet, healthzPath, http.NoBody) if err != nil { return fmt.Errorf("healthz error: %v", err) } diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 6e78964ed..56fd2699f 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -29,10 +29,8 @@ import ( "k8s.io/ingress-nginx/pkg/util/runtime" ) -var ( - // EnableSSLChainCompletion Autocomplete SSL certificate chains with missing intermediate CA certificates. - EnableSSLChainCompletion = false -) +// EnableSSLChainCompletion Autocomplete SSL certificate chains with missing intermediate CA certificates. +var EnableSSLChainCompletion = false const ( // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size @@ -91,7 +89,7 @@ const ( // Configuration represents the content of nginx.conf file type Configuration struct { - defaults.Backend `json:",squash"` //nolint:staticcheck + defaults.Backend `json:",squash"` //nolint:staticcheck // Ignore unknown JSON option "squash" error // AllowSnippetAnnotations enable users to add their own snippets via ingress annotation. // If disabled, only snippets added via ConfigMap are added to ingress. @@ -131,15 +129,19 @@ type Configuration struct { // By default this is disabled EnableAccessLogForDefaultBackend bool `json:"enable-access-log-for-default-backend"` + // EnableAuthAccessLog enable auth access log + // By default this is disabled + EnableAuthAccessLog bool `json:"enable-auth-access-log"` + // AccessLogPath sets the path of the access logs for both http and stream contexts if enabled // http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log // http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log // By default access logs go to /var/log/nginx/access.log AccessLogPath string `json:"access-log-path,omitempty"` - // HttpAccessLogPath sets the path of the access logs for http context globally if enabled + // HTTPAccessLogPath sets the path of the access logs for http context globally if enabled // http://nginx.org/en/docs/http/ngx_http_log_module.html#access_log - HttpAccessLogPath string `json:"http-access-log-path,omitempty"` + HTTPAccessLogPath string `json:"http-access-log-path,omitempty"` // StreamAccessLogPath sets the path of the access logs for stream context globally if enabled // http://nginx.org/en/docs/stream/ngx_stream_log_module.html#access_log @@ -226,19 +228,19 @@ type Configuration struct { // https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_field_size // HTTP2MaxFieldSize Limits the maximum size of an HPACK-compressed request header field - // NOTE: Deprecated + // Deprecated: HTTP2MaxFieldSize is deprecated. HTTP2MaxFieldSize string `json:"http2-max-field-size,omitempty"` // https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_header_size // HTTP2MaxHeaderSize Limits the maximum size of the entire request header list after HPACK decompression - // NOTE: Deprecated + // Deprecated: HTTP2MaxHeaderSize is deprecated. HTTP2MaxHeaderSize string `json:"http2-max-header-size,omitempty"` // http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_requests // HTTP2MaxRequests Sets the maximum number of requests (including push requests) that can be served // through one HTTP/2 connection, after which the next client request will lead to connection closing // and the need of establishing a new connection. - // NOTE: Deprecated + // Deprecated: HTTP2MaxRequests is deprecated. HTTP2MaxRequests int `json:"http2-max-requests,omitempty"` // http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_concurrent_streams @@ -422,6 +424,10 @@ type Configuration struct { // Example '60s' ProxyProtocolHeaderTimeout time.Duration `json:"proxy-protocol-header-timeout,omitempty"` + // Enables or disables the directive aio_write that writes files files asynchronously + // https://nginx.org/en/docs/http/ngx_http_core_module.html#aio_write + EnableAioWrite bool `json:"enable-aio-write,omitempty"` + // Enables or disables the use of the nginx module that compresses responses using the "gzip" method // http://nginx.org/en/docs/http/ngx_http_gzip_module.html UseGzip bool `json:"use-gzip,omitempty"` @@ -548,7 +554,7 @@ type Configuration struct { UseForwardedHeaders bool `json:"use-forwarded-headers"` // Sets whether to enable the real ip module - EnableRealIp bool `json:"enable-real-ip"` + EnableRealIP bool `json:"enable-real-ip"` // Sets the header field for identifying the originating IP address of a client // Default is X-Forwarded-For @@ -617,7 +623,7 @@ type Configuration struct { // Default: 0.01 OtelSamplerRatio float32 `json:"otel-sampler-ratio"` - //OtelSamplerParentBased specifies the parent based sampler to be use for any traces created + // OtelSamplerParentBased specifies the parent based sampler to be use for any traces created // Default: true OtelSamplerParentBased bool `json:"otel-sampler-parent-based"` @@ -863,7 +869,7 @@ func NewDefault() Configuration { defGlobalExternalAuth := GlobalExternalAuth{"", "", "", "", "", append(defResponseHeaders, ""), "", "", "", []string{}, map[string]string{}, false} cfg := Configuration{ - AllowSnippetAnnotations: true, + AllowSnippetAnnotations: false, AllowCrossNamespaceResources: true, AllowBackendServerHeader: false, AnnotationValueWordBlocklist: "", @@ -871,6 +877,7 @@ func NewDefault() Configuration { AccessLogPath: "/var/log/nginx/access.log", AccessLogParams: "", EnableAccessLogForDefaultBackend: false, + EnableAuthAccessLog: false, WorkerCPUAffinity: "", ErrorLogPath: "/var/log/nginx/error.log", BlockCIDRs: defBlockEntity, @@ -886,7 +893,7 @@ func NewDefault() Configuration { EnableUnderscoresInHeaders: false, ErrorLogLevel: errorLevel, UseForwardedHeaders: false, - EnableRealIp: false, + EnableRealIP: false, ForwardedForHeader: "X-Forwarded-For", ComputeFullForwardedFor: false, ProxyAddOriginalURIHeader: false, @@ -935,6 +942,7 @@ func NewDefault() Configuration { SSLSessionTickets: false, SSLSessionTimeout: sslSessionTimeout, EnableBrotli: false, + EnableAioWrite: true, UseGzip: false, UseGeoIP: true, UseGeoIP2: false, @@ -1034,41 +1042,41 @@ func NewDefault() Configuration { // TemplateConfig contains the nginx configuration to render the file nginx.conf type TemplateConfig struct { - ProxySetHeaders map[string]string - AddHeaders map[string]string - BacklogSize int - Backends []*ingress.Backend - PassthroughBackends []*ingress.SSLPassthroughBackend - Servers []*ingress.Server - TCPBackends []ingress.L4Service - UDPBackends []ingress.L4Service - HealthzURI string - Cfg Configuration - IsIPV6Enabled bool - IsSSLPassthroughEnabled bool - NginxStatusIpv4Whitelist []string - NginxStatusIpv6Whitelist []string - RedirectServers interface{} - ListenPorts *ListenPorts - PublishService *apiv1.Service - EnableMetrics bool - MaxmindEditionFiles *[]string - MonitorMaxBatchSize int - PID string - StatusPath string - StatusPort int - StreamPort int - StreamSnippets []string + ProxySetHeaders map[string]string `json:"ProxySetHeaders"` + AddHeaders map[string]string `json:"AddHeaders"` + BacklogSize int `json:"BacklogSize"` + Backends []*ingress.Backend `json:"Backends"` + PassthroughBackends []*ingress.SSLPassthroughBackend `json:"PassthroughBackends"` + Servers []*ingress.Server `json:"Servers"` + TCPBackends []ingress.L4Service `json:"TCPBackends"` + UDPBackends []ingress.L4Service `json:"UDPBackends"` + HealthzURI string `json:"HealthzURI"` + Cfg Configuration `json:"Cfg"` + IsIPV6Enabled bool `json:"IsIPV6Enabled"` + IsSSLPassthroughEnabled bool `json:"IsSSLPassthroughEnabled"` + NginxStatusIpv4Whitelist []string `json:"NginxStatusIpv4Whitelist"` + NginxStatusIpv6Whitelist []string `json:"NginxStatusIpv6Whitelist"` + RedirectServers interface{} `json:"RedirectServers"` + ListenPorts *ListenPorts `json:"ListenPorts"` + PublishService *apiv1.Service `json:"PublishService"` + EnableMetrics bool `json:"EnableMetrics"` + MaxmindEditionFiles *[]string `json:"MaxmindEditionFiles"` + MonitorMaxBatchSize int `json:"MonitorMaxBatchSize"` + PID string `json:"PID"` + StatusPath string `json:"StatusPath"` + StatusPort int `json:"StatusPort"` + StreamPort int `json:"StreamPort"` + StreamSnippets []string `json:"StreamSnippets"` } // ListenPorts describe the ports required to run the // NGINX Ingress controller type ListenPorts struct { - HTTP int - HTTPS int - Health int - Default int - SSLProxy int + HTTP int `json:"HTTP"` + HTTPS int `json:"HTTPS"` + Health int `json:"Health"` + Default int `json:"Default"` + SSLProxy int `json:"SSLProxy"` } // GlobalExternalAuth describe external authentication configuration for the diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 7dc1a5292..bbcde1d4f 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -114,7 +114,7 @@ type Configuration struct { DisableCatchAll bool - IngressClassConfiguration *ingressclass.IngressClassConfiguration + IngressClassConfiguration *ingressclass.Configuration ValidationWebhook string ValidationWebhookCertPath string @@ -142,8 +142,8 @@ type Configuration struct { func getIngressPodZone(svc *apiv1.Service) string { svcKey := k8s.MetaNamespaceKey(svc) - if svcZoneAnnotation, ok := svc.ObjectMeta.GetAnnotations()[apiv1.AnnotationTopologyAwareHints]; ok { - if strings.ToLower(svcZoneAnnotation) == "auto" { + if svcZoneAnnotation, ok := svc.ObjectMeta.GetAnnotations()[apiv1.AnnotationTopologyMode]; ok { + if strings.EqualFold(svcZoneAnnotation, "auto") { if foundZone, ok := k8s.IngressNodeDetails.GetLabels()[apiv1.LabelTopologyZone]; ok { klog.V(3).Infof("Svc has topology aware annotation enabled, try to use zone %q where controller pod is running for Service %q ", foundZone, svcKey) return foundZone @@ -154,7 +154,7 @@ func getIngressPodZone(svc *apiv1.Service) string { } // GetPublishService returns the Service used to set the load-balancer status of Ingresses. -func (n NGINXController) GetPublishService() *apiv1.Service { +func (n *NGINXController) GetPublishService() *apiv1.Service { s, err := n.store.GetService(n.cfg.PublishService) if err != nil { return nil @@ -189,13 +189,16 @@ func (n *NGINXController) syncIngress(interface{}) error { if !utilingress.IsDynamicConfigurationEnough(pcfg, n.runningConfig) { klog.InfoS("Configuration changes detected, backend reload required") - hash, _ := hashstructure.Hash(pcfg, hashstructure.FormatV1, &hashstructure.HashOptions{ + hash, err := hashstructure.Hash(pcfg, hashstructure.FormatV1, &hashstructure.HashOptions{ TagName: "json", }) + if err != nil { + klog.Errorf("unexpected error hashing configuration: %v", err) + } pcfg.ConfigurationChecksum = fmt.Sprintf("%v", hash) - err := n.OnUpdate(*pcfg) + err = n.OnUpdate(*pcfg) if err != nil { n.metricCollector.IncReloadErrorCount() n.metricCollector.ConfigSuccess(hash, false) @@ -263,7 +266,7 @@ func (n *NGINXController) syncIngress(interface{}) error { func (n *NGINXController) CheckWarning(ing *networking.Ingress) ([]string, error) { warnings := make([]string, 0) - var deprecatedAnnotations = sets.NewString() + deprecatedAnnotations := sets.NewString() deprecatedAnnotations.Insert( "enable-influxdb", "influxdb-measurement", @@ -335,7 +338,7 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { } if n.cfg.DisableCatchAll && ing.Spec.DefaultBackend != nil { - return fmt.Errorf("This deployment is trying to create a catch-all ingress while DisableCatchAll flag is set to true. Remove '.spec.defaultBackend' or set DisableCatchAll flag to false.") + return fmt.Errorf("this deployment is trying to create a catch-all ingress while DisableCatchAll flag is set to true. Remove '.spec.defaultBackend' or set DisableCatchAll flag to false") } startRender := time.Now().UnixNano() / 1000000 cfg := n.store.GetBackendConfiguration() @@ -355,10 +358,9 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { } for key, value := range ing.ObjectMeta.GetAnnotations() { - if parser.AnnotationsPrefix != parser.DefaultAnnotationsPrefix { if strings.HasPrefix(key, fmt.Sprintf("%s/", parser.DefaultAnnotationsPrefix)) { - return fmt.Errorf("This deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix) + return fmt.Errorf("this deployment has a custom annotation prefix defined. Use '%s' instead of '%s'", parser.AnnotationsPrefix, parser.DefaultAnnotationsPrefix) } } @@ -374,10 +376,9 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { return fmt.Errorf("%s annotation cannot be used. Snippet directives are disabled by the Ingress administrator", key) } - if len(cfg.GlobalRateLimitMemcachedHost) == 0 && strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) { + if cfg.GlobalRateLimitMemcachedHost == "" && strings.HasPrefix(key, fmt.Sprintf("%s/%s", parser.AnnotationsPrefix, "global-rate-limit")) { return fmt.Errorf("'global-rate-limit*' annotations require 'global-rate-limit-memcached-host' settings configured in the global configmap") } - } k8s.SetDefaultNGINXPathType(ing) @@ -401,7 +402,7 @@ func (n *NGINXController) CheckIngress(ing *networking.Ingress) error { startTest := time.Now().UnixNano() / 1000000 _, servers, pcfg := n.getConfiguration(ings) - err = checkOverlap(ing, allIngresses, servers) + err = checkOverlap(ing, servers) if err != nil { n.metricCollector.IncCheckErrorCount(ing.ObjectMeta.Namespace, ing.Name) return err @@ -452,7 +453,7 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr return []ingress.L4Service{} } - var svcs []ingress.L4Service + svcs := make([]ingress.L4Service, 0, len(configmap.Data)) var svcProxyProtocol ingress.ProxyProtocol rp := []int{ @@ -489,10 +490,10 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr svcProxyProtocol.Encode = false // Proxy Protocol is only compatible with TCP Services if len(nsSvcPort) >= 3 && proto == apiv1.ProtocolTCP { - if len(nsSvcPort) >= 3 && strings.ToUpper(nsSvcPort[2]) == "PROXY" { + if len(nsSvcPort) >= 3 && strings.EqualFold(nsSvcPort[2], "PROXY") { svcProxyProtocol.Decode = true } - if len(nsSvcPort) == 4 && strings.ToUpper(nsSvcPort[3]) == "PROXY" { + if len(nsSvcPort) == 4 && strings.EqualFold(nsSvcPort[3], "PROXY") { svcProxyProtocol.Encode = true } } @@ -532,6 +533,7 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr klog.V(3).Infof("Searching Endpoints with %v port number %d for Service %q", proto, targetPort, nsName) for i := range svc.Spec.Ports { sp := svc.Spec.Ports[i] + //nolint:gosec // Ignore G109 error if sp.Port == int32(targetPort) { if sp.Protocol == proto { endps = getEndpointsFromSlices(svc, &sp, proto, zone, n.store.GetServiceEndpointsSlices) @@ -574,7 +576,7 @@ func (n *NGINXController) getDefaultUpstream() *ingress.Backend { } svcKey := n.cfg.DefaultService - if len(svcKey) == 0 { + if svcKey == "" { upstream.Endpoints = append(upstream.Endpoints, n.DefaultEndpoint()) return upstream } @@ -690,13 +692,14 @@ func dropSnippetDirectives(anns *annotations.Ingress, ingKey string) { klog.V(3).Infof("Ingress %q tried to use stream-snippet and the annotation is disabled by the admin. Removing the annotation", ingKey) anns.StreamSnippet = "" } - } } // getBackendServers returns a list of Upstream and Server to be used by the // backend. An upstream can be used in multiple servers if the namespace, // service name and port are the same. +// +//nolint:gocyclo // Ignore function complexity error func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*ingress.Backend, []*ingress.Server) { du := n.getDefaultUpstream() upstreams := n.createUpstreams(ingresses, du) @@ -1030,7 +1033,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B // configure traffic shaping for canary if anns.Canary.Enabled { upstreams[defBackend].NoServer = true - upstreams[defBackend].TrafficShapingPolicy = newTrafficShapingPolicy(anns.Canary) + upstreams[defBackend].TrafficShapingPolicy = newTrafficShapingPolicy(&anns.Canary) } if len(upstreams[defBackend].Endpoints) == 0 { @@ -1054,7 +1057,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B continue } - for _, path := range rule.HTTP.Paths { + for i, path := range rule.HTTP.Paths { if path.Backend.Service == nil { // skip non-service backends klog.V(3).Infof("Ingress %q and path %q does not contain a service backend, using default backend", ingKey, path.Path) @@ -1084,7 +1087,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B // add the service ClusterIP as a single Endpoint instead of individual Endpoints if anns.ServiceUpstream { - endpoint, err := n.getServiceClusterEndpoint(svcKey, &path.Backend) + endpoint, err := n.getServiceClusterEndpoint(svcKey, &rule.HTTP.Paths[i].Backend) if err != nil { klog.Errorf("Failed to determine a suitable ClusterIP Endpoint for Service %q: %v", svcKey, err) } else { @@ -1095,7 +1098,7 @@ func (n *NGINXController) createUpstreams(data []*ingress.Ingress, du *ingress.B // configure traffic shaping for canary if anns.Canary.Enabled { upstreams[name].NoServer = true - upstreams[name].TrafficShapingPolicy = newTrafficShapingPolicy(anns.Canary) + upstreams[name].TrafficShapingPolicy = newTrafficShapingPolicy(&anns.Canary) } if len(upstreams[name].Endpoints) == 0 { @@ -1206,7 +1209,6 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres if strconv.Itoa(int(servicePort.Port)) == backendPort || servicePort.TargetPort.String() == backendPort || servicePort.Name == backendPort { - endps := getEndpointsFromSlices(svc, &servicePort, apiv1.ProtocolTCP, zone, n.store.GetServiceEndpointsSlices) if len(endps) == 0 { klog.Warningf("Service %q does not have any active Endpoint.", svcKey) @@ -1239,8 +1241,8 @@ func (n *NGINXController) getDefaultSSLCertificate() *ingress.SSLCert { // one root location, which uses a default backend if left unspecified. func (n *NGINXController) createServers(data []*ingress.Ingress, upstreams map[string]*ingress.Backend, - du *ingress.Backend) map[string]*ingress.Server { - + du *ingress.Backend, +) map[string]*ingress.Server { servers := make(map[string]*ingress.Server, len(data)) allAliases := make(map[string][]string, len(data)) @@ -1282,7 +1284,8 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, Rewrite: false, }, }, - }} + }, + } // initialize all other servers for _, ing := range data { @@ -1532,7 +1535,7 @@ func locationApplyAnnotations(loc *ingress.Location, anns *annotations.Ingress) } // OK to merge canary ingresses iff there exists one or more ingresses to potentially merge into -func nonCanaryIngressExists(ingresses []*ingress.Ingress, canaryIngresses []*ingress.Ingress) bool { +func nonCanaryIngressExists(ingresses, canaryIngresses []*ingress.Ingress) bool { return len(ingresses)-len(canaryIngresses) > 0 } @@ -1540,12 +1543,12 @@ func nonCanaryIngressExists(ingresses []*ingress.Ingress, canaryIngresses []*ing // 1) names of backends do not match and canary doesn't merge into itself // 2) primary name is not the default upstream // 3) the primary has a server -func canMergeBackend(primary *ingress.Backend, alternative *ingress.Backend) bool { +func canMergeBackend(primary, alternative *ingress.Backend) bool { return alternative != nil && primary.Name != alternative.Name && primary.Name != defUpstreamName && !primary.NoServer } // Performs the merge action and checks to ensure that one two alternative backends do not merge into each other -func mergeAlternativeBackend(ing *ingress.Ingress, priUps *ingress.Backend, altUps *ingress.Backend) bool { +func mergeAlternativeBackend(ing *ingress.Ingress, priUps, altUps *ingress.Backend) bool { if priUps.NoServer { klog.Warningf("unable to merge alternative backend %v into primary backend %v because %v is a primary backend", altUps.Name, priUps.Name, priUps.Name) @@ -1563,8 +1566,7 @@ func mergeAlternativeBackend(ing *ingress.Ingress, priUps *ingress.Backend, altU priUps.SessionAffinity.DeepCopyInto(&altUps.SessionAffinity) } - priUps.AlternativeBackends = - append(priUps.AlternativeBackends, altUps.Name) + priUps.AlternativeBackends = append(priUps.AlternativeBackends, altUps.Name) return true } @@ -1574,8 +1576,8 @@ func mergeAlternativeBackend(ing *ingress.Ingress, priUps *ingress.Backend, altU // to a backend's alternative list. // If no match is found, then the serverless backend is deleted. func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingress.Backend, - servers map[string]*ingress.Server) { - + servers map[string]*ingress.Server, +) { // merge catch-all alternative backends if ing.Spec.DefaultBackend != nil { upsName := upstreamName(ing.Namespace, ing.Spec.DefaultBackend.Service) @@ -1585,7 +1587,6 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres if altUps == nil { klog.Warningf("alternative backend %s has already been removed", upsName) } else { - merged := false altEqualsPri := false @@ -1676,8 +1677,8 @@ func mergeAlternativeBackends(ing *ingress.Ingress, upstreams map[string]*ingres // extractTLSSecretName returns the name of the Secret containing a SSL // certificate for the given host name, or an empty string. func extractTLSSecretName(host string, ing *ingress.Ingress, - getLocalSSLCert func(string) (*ingress.SSLCert, error)) string { - + getLocalSSLCert func(string) (*ingress.SSLCert, error), +) string { if ing == nil { return "" } @@ -1694,7 +1695,6 @@ func extractTLSSecretName(host string, ing *ingress.Ingress, // no TLS host matching host name, try each TLS host for matching SAN or CN for _, tls := range ing.Spec.TLS { - if tls.SecretName == "" { // There's no secretName specified, so it will never be available continue @@ -1753,6 +1753,7 @@ func externalNamePorts(name string, svc *apiv1.Service) *apiv1.ServicePort { } for _, svcPort := range svc.Spec.Ports { + //nolint:gosec // Ignore G109 error if svcPort.Port != int32(port) { continue } @@ -1771,13 +1772,14 @@ func externalNamePorts(name string, svc *apiv1.Service) *apiv1.ServicePort { // ExternalName without port return &apiv1.ServicePort{ - Protocol: "TCP", + Protocol: "TCP", + //nolint:gosec // Ignore G109 error Port: int32(port), TargetPort: intstr.FromInt(port), } } -func checkOverlap(ing *networking.Ingress, ingresses []*ingress.Ingress, servers []*ingress.Server) error { +func checkOverlap(ing *networking.Ingress, servers []*ingress.Server) error { for _, rule := range ing.Spec.Rules { if rule.HTTP == nil { continue @@ -1842,7 +1844,7 @@ func ingressForHostPath(hostname, path string, servers []*ingress.Server) []*net continue } - for _, location := range server.Locations { + for i, location := range server.Locations { if location.Path != path { continue } @@ -1851,7 +1853,7 @@ func ingressForHostPath(hostname, path string, servers []*ingress.Server) []*net continue } - ingresses = append(ingresses, &location.Ingress.Ingress) + ingresses = append(ingresses, &server.Locations[i].Ingress.Ingress) } } @@ -1870,7 +1872,7 @@ func (n *NGINXController) getStreamSnippets(ingresses []*ingress.Ingress) []stri } // newTrafficShapingPolicy creates new ingress.TrafficShapingPolicy instance using canary configuration -func newTrafficShapingPolicy(cfg canary.Config) ingress.TrafficShapingPolicy { +func newTrafficShapingPolicy(cfg *canary.Config) ingress.TrafficShapingPolicy { return ingress.TrafficShapingPolicy{ Weight: cfg.Weight, WeightTotal: cfg.WeightTotal, diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index c353d1b5e..c07fcfadf 100644 --- a/internal/ingress/controller/controller_test.go +++ b/internal/ingress/controller/controller_test.go @@ -60,51 +60,56 @@ import ( "k8s.io/ingress-nginx/pkg/util/file" ) +const ( + exampleBackend = "example-http-svc-1-80" + TRUE = "true" +) + type fakeIngressStore struct { ingresses []*ingress.Ingress configuration ngx_config.Configuration } -func (fakeIngressStore) GetIngressClass(ing *networking.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) { +func (fakeIngressStore) GetIngressClass(_ *networking.Ingress, _ *ingressclass.Configuration) (string, error) { return "nginx", nil } -func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration { +func (fis *fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration { return fis.configuration } -func (fis fakeIngressStore) GetSecurityConfiguration() defaults.SecurityConfiguration { +func (fis *fakeIngressStore) GetSecurityConfiguration() defaults.SecurityConfiguration { return defaults.SecurityConfiguration{ AnnotationsRiskLevel: fis.configuration.AnnotationsRiskLevel, AllowCrossNamespaceResources: fis.configuration.AllowCrossNamespaceResources, } } -func (fakeIngressStore) GetConfigMap(key string) (*corev1.ConfigMap, error) { +func (fakeIngressStore) GetConfigMap(_ string) (*corev1.ConfigMap, error) { return nil, fmt.Errorf("test error") } -func (fakeIngressStore) GetSecret(key string) (*corev1.Secret, error) { +func (fakeIngressStore) GetSecret(_ string) (*corev1.Secret, error) { return nil, fmt.Errorf("test error") } -func (fakeIngressStore) GetService(key string) (*corev1.Service, error) { +func (fakeIngressStore) GetService(_ string) (*corev1.Service, error) { return nil, fmt.Errorf("test error") } -func (fakeIngressStore) GetServiceEndpointsSlices(key string) ([]*discoveryv1.EndpointSlice, error) { +func (fakeIngressStore) GetServiceEndpointsSlices(_ string) ([]*discoveryv1.EndpointSlice, error) { return nil, fmt.Errorf("test error") } -func (fis fakeIngressStore) ListIngresses() []*ingress.Ingress { +func (fis *fakeIngressStore) ListIngresses() []*ingress.Ingress { return fis.ingresses } -func (fis fakeIngressStore) FilterIngresses(ingresses []*ingress.Ingress, filterFunc store.IngressFilterFunc) []*ingress.Ingress { +func (fis *fakeIngressStore) FilterIngresses(ingresses []*ingress.Ingress, _ store.IngressFilterFunc) []*ingress.Ingress { return ingresses } -func (fakeIngressStore) GetLocalSSLCert(name string) (*ingress.SSLCert, error) { +func (fakeIngressStore) GetLocalSSLCert(_ string) (*ingress.SSLCert, error) { return nil, fmt.Errorf("test error") } @@ -120,7 +125,7 @@ func (fakeIngressStore) GetDefaultBackend() defaults.Backend { return defaults.Backend{} } -func (fakeIngressStore) Run(stopCh chan struct{}) {} +func (fakeIngressStore) Run(_ chan struct{}) {} type testNginxTestCommand struct { t *testing.T @@ -129,7 +134,7 @@ type testNginxTestCommand struct { err error } -func (ntc testNginxTestCommand) ExecCommand(args ...string) *exec.Cmd { +func (ntc testNginxTestCommand) ExecCommand(_ ...string) *exec.Cmd { return nil } @@ -152,7 +157,7 @@ func (ntc testNginxTestCommand) Test(cfg string) ([]byte, error) { type fakeTemplate struct{} -func (fakeTemplate) Write(conf ngx_config.TemplateConfig) ([]byte, error) { +func (fakeTemplate) Write(conf *ngx_config.TemplateConfig) ([]byte, error) { r := []byte{} for _, s := range conf.Servers { if len(r) > 0 { @@ -196,7 +201,7 @@ func TestCheckIngress(t *testing.T) { nginx.metricCollector = metric.DummyCollector{} nginx.t = fakeTemplate{} - nginx.store = fakeIngressStore{ + nginx.store = &fakeIngressStore{ ingresses: []*ingress.Ingress{}, } @@ -226,7 +231,7 @@ func TestCheckIngress(t *testing.T) { } t.Run("When the hostname is updated", func(t *testing.T) { - nginx.store = fakeIngressStore{ + nginx.store = &fakeIngressStore{ ingresses: []*ingress.Ingress{ { Ingress: *ing, @@ -273,7 +278,7 @@ func TestCheckIngress(t *testing.T) { }) t.Run("When snippets are disabled and user tries to use snippet annotation", func(t *testing.T) { - nginx.store = fakeIngressStore{ + nginx.store = &fakeIngressStore{ ingresses: []*ingress.Ingress{}, configuration: ngx_config.Configuration{ AllowSnippetAnnotations: false, @@ -290,7 +295,7 @@ func TestCheckIngress(t *testing.T) { }) t.Run("When invalid directives are used in annotation values", func(t *testing.T) { - nginx.store = fakeIngressStore{ + nginx.store = &fakeIngressStore{ ingresses: []*ingress.Ingress{}, configuration: ngx_config.Configuration{ AnnotationValueWordBlocklist: "invalid_directive, another_directive", @@ -366,12 +371,11 @@ func TestCheckIngress(t *testing.T) { } func TestCheckWarning(t *testing.T) { - // Ensure no panic with wrong arguments - var nginx = &NGINXController{} + nginx := &NGINXController{} nginx.t = fakeTemplate{} - nginx.store = fakeIngressStore{ + nginx.store = &fakeIngressStore{ ingresses: []*ingress.Ingress{}, } @@ -390,7 +394,7 @@ func TestCheckWarning(t *testing.T) { }, } t.Run("when a deprecated annotation is used a warning should be returned", func(t *testing.T) { - ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("enable-influxdb")] = "true" + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("enable-influxdb")] = TRUE defer func() { ing.ObjectMeta.Annotations = map[string]string{} }() @@ -407,7 +411,6 @@ func TestCheckWarning(t *testing.T) { }) t.Run("When an invalid pathType is used, a warning should be returned", func(t *testing.T) { - rules := ing.Spec.DeepCopy().Rules ing.Spec.Rules = []networking.IngressRule{ { @@ -443,8 +446,8 @@ func TestCheckWarning(t *testing.T) { } t.Run("adding invalid annotations increases the warning count", func(t *testing.T) { - ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("enable-influxdb")] = "true" - ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "true" + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("enable-influxdb")] = TRUE + ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = TRUE ing.ObjectMeta.Annotations[parser.GetAnnotationWithPrefix("influxdb-host")] = "blabla" defer func() { ing.ObjectMeta.Annotations = map[string]string{} @@ -472,6 +475,7 @@ func TestCheckWarning(t *testing.T) { }) } +//nolint:dupl // Ignore dupl errors for similar test case func TestMergeAlternativeBackends(t *testing.T) { testCases := map[string]struct { ingress *ingress.Ingress @@ -1537,8 +1541,8 @@ func TestExtractTLSSecretName(t *testing.T) { } } +//nolint:gocyclo // Ignore function complexity error func TestGetBackendServers(t *testing.T) { - testCases := []struct { Ingresses []*ingress.Ingress Validate func(ingresses []*ingress.Ingress, upstreams []*ingress.Backend, servers []*ingress.Server) @@ -2078,7 +2082,7 @@ func TestGetBackendServers(t *testing.T) { t.Errorf("server hostname should be 'example.com', got '%s'", s.Hostname) } - if s.Locations[0].Backend != "example-http-svc-1-80" || s.Locations[1].Backend != "example-http-svc-1-80" || s.Locations[2].Backend != "example-http-svc-1-80" { + if s.Locations[0].Backend != exampleBackend || s.Locations[1].Backend != exampleBackend || s.Locations[2].Backend != exampleBackend { t.Errorf("all location backend should be 'example-http-svc-1-80'") } @@ -2087,7 +2091,7 @@ func TestGetBackendServers(t *testing.T) { return } - if upstreams[0].Name != "example-http-svc-1-80" { + if upstreams[0].Name != exampleBackend { t.Errorf("example-http-svc-1-80 should be first upstream, got %s", upstreams[0].Name) return } @@ -2101,6 +2105,7 @@ func TestGetBackendServers(t *testing.T) { SetConfigMap: testConfigMap, }, { + //nolint:dupl // Ignore dupl errors for similar test case Ingresses: []*ingress.Ingress{ { Ingress: networking.Ingress{ @@ -2208,6 +2213,7 @@ func TestGetBackendServers(t *testing.T) { SetConfigMap: testConfigMap, }, { + //nolint:dupl // Ignore dupl errors for similar test case Ingresses: []*ingress.Ingress{ { Ingress: networking.Ingress{ @@ -2319,7 +2325,7 @@ func TestGetBackendServers(t *testing.T) { SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), }, Data: map[string]string{ - "proxy-ssl-location-only": "true", + "proxy-ssl-location-only": TRUE, }, } }, @@ -2380,7 +2386,7 @@ func TestGetBackendServers(t *testing.T) { SelfLink: fmt.Sprintf("/api/v1/namespaces/%s/configmaps/config", ns), }, Data: map[string]string{ - "proxy-ssl-location-only": "true", + "proxy-ssl-location-only": TRUE, }, } }, @@ -2449,7 +2455,6 @@ func TestGetBackendServers(t *testing.T) { if len(s.Locations[0].Allowlist.CIDR) != 1 || s.Locations[0].Allowlist.CIDR[0] != "10.0.0.0/24" { t.Errorf("allow list was incorrectly dropped, len should be 1 and contain 10.0.0.0/24") } - }, SetConfigMap: func(ns string) *corev1.ConfigMap { return &corev1.ConfigMap{ @@ -2520,7 +2525,7 @@ func newNGINXController(t *testing.T) *NGINXController { channels.NewRingChannel(10), false, true, - &ingressclass.IngressClassConfiguration{ + &ingressclass.Configuration{ Controller: "k8s.io/ingress-nginx", AnnotationValue: "nginx", }, @@ -2586,7 +2591,7 @@ func newDynamicNginxController(t *testing.T, setConfigMap func(string) *corev1.C channels.NewRingChannel(10), false, true, - &ingressclass.IngressClassConfiguration{ + &ingressclass.Configuration{ Controller: "k8s.io/ingress-nginx", AnnotationValue: "nginx", }, diff --git a/internal/ingress/controller/endpointslices.go b/internal/ingress/controller/endpointslices.go index ca6e595c8..4f98e3ce7 100644 --- a/internal/ingress/controller/endpointslices.go +++ b/internal/ingress/controller/endpointslices.go @@ -36,8 +36,8 @@ import ( // getEndpointsFromSlices returns a list of Endpoint structs for a given service/target port combination. func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto corev1.Protocol, zoneForHints string, - getServiceEndpointsSlices func(string) ([]*discoveryv1.EndpointSlice, error)) []ingress.Endpoint { - + getServiceEndpointsSlices func(string) ([]*discoveryv1.EndpointSlice, error), +) []ingress.Endpoint { upsServers := []ingress.Endpoint{} if s == nil || port == nil { @@ -94,7 +94,7 @@ func getEndpointsFromSlices(s *corev1.Service, port *corev1.ServicePort, proto c if !reflect.DeepEqual(*epPort.Protocol, proto) { continue } - var targetPort int32 = 0 + var targetPort int32 if port.Name == "" { // port.Name is optional if there is only one port targetPort = *epPort.Port diff --git a/internal/ingress/controller/endpointslices_test.go b/internal/ingress/controller/endpointslices_test.go index b61e9a4f3..69ef3ef1b 100644 --- a/internal/ingress/controller/endpointslices_test.go +++ b/internal/ingress/controller/endpointslices_test.go @@ -27,6 +27,7 @@ import ( "k8s.io/ingress-nginx/pkg/apis/ingress" ) +//nolint:dupl // Ignore dupl errors for similar test case func TestGetEndpointsFromSlices(t *testing.T) { tests := []struct { name string diff --git a/internal/ingress/controller/ingressclass/ingressclass.go b/internal/ingress/controller/ingressclass/ingressclass.go index 95bd98d0f..90c6a4d67 100644 --- a/internal/ingress/controller/ingressclass/ingressclass.go +++ b/internal/ingress/controller/ingressclass/ingressclass.go @@ -29,9 +29,9 @@ const ( DefaultAnnotationValue = "nginx" ) -// IngressClassConfiguration defines the various aspects of IngressClass parsing +// Configuration defines the various aspects of IngressClass parsing // and how the controller should behave in each case -type IngressClassConfiguration struct { +type Configuration struct { // Controller defines the controller value this daemon watch to. // Defaults to "k8s.io/ingress-nginx" defined in flags Controller string @@ -45,7 +45,7 @@ type IngressClassConfiguration struct { // IgnoreIngressClass defines if Controller should ignore the IngressClass Object if no permissions are // granted on IngressClass IgnoreIngressClass bool - //IngressClassByName defines if the Controller should watch for Ingress Classes by + // IngressClassByName defines if the Controller should watch for Ingress Classes by // .metadata.name together with .spec.Controller IngressClassByName bool } diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index 6c25aa34f..30f785586 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -113,7 +113,7 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro if n.cfg.ValidationWebhook != "" { n.validationWebhookServer = &http.Server{ Addr: config.ValidationWebhook, - //G112 (CWE-400): Potential Slowloris Attack + // G112 (CWE-400): Potential Slowloris Attack ReadHeaderTimeout: 10 * time.Second, Handler: adm_controller.NewAdmissionControllerServer(&adm_controller.IngressAdmission{Checker: n}), TLSConfig: ssl.NewTLSListener(n.cfg.ValidationWebhookCertPath, n.cfg.ValidationWebhookKeyPath).TLSConfig(), @@ -429,7 +429,7 @@ func (n *NGINXController) start(cmd *exec.Cmd) { } // DefaultEndpoint returns the default endpoint to be use as default server that returns 404. -func (n NGINXController) DefaultEndpoint() ingress.Endpoint { +func (n *NGINXController) DefaultEndpoint() ingress.Endpoint { return ingress.Endpoint{ Address: "127.0.0.1", Port: fmt.Sprintf("%v", n.cfg.ListenPorts.Default), @@ -438,8 +438,9 @@ func (n NGINXController) DefaultEndpoint() ingress.Endpoint { } // generateTemplate returns the nginx configuration file content -func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressCfg ingress.Configuration) ([]byte, error) { - +// +//nolint:gocritic // the cfg shouldn't be changed, and shouldn't be mutated by other processes while being rendered. +func (n *NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressCfg ingress.Configuration) ([]byte, error) { if n.cfg.EnableSSLPassthrough { servers := []*tcpproxy.TCPServer{} for _, pb := range ingressCfg.PassthroughBackends { @@ -458,6 +459,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC } } else { for _, sp := range svc.Spec.Ports { + //nolint:gosec // Ignore G109 error if sp.Port == int32(port) { port = int(sp.Port) break @@ -563,7 +565,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC if err != nil { klog.Warningf("Error reading Secret %q from local store: %v", secretName, err) } else { - nsSecName := strings.Replace(secretName, "/", "-", -1) + nsSecName := strings.ReplaceAll(secretName, "/", "-") dh, ok := secret.Data["dhparam.pem"] if ok { pemFileName, err := ssl.AddOrUpdateDHParam(nsSecName, dh) @@ -589,7 +591,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC } } - tc := ngx_config.TemplateConfig{ + tc := &ngx_config.TemplateConfig{ ProxySetHeaders: setHeaders, AddHeaders: addHeaders, BacklogSize: sysctlSomaxconn(), @@ -623,7 +625,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC // testTemplate checks if the NGINX configuration inside the byte array is valid // running the command "nginx -t" using a temporal file. -func (n NGINXController) testTemplate(cfg []byte) error { +func (n *NGINXController) testTemplate(cfg []byte) error { if len(cfg) == 0 { return fmt.Errorf("invalid NGINX configuration (empty)") } @@ -658,6 +660,8 @@ Error: %v // changes were detected. The received backend Configuration is merged with the // configuration ConfigMap before generating the final configuration file. // Returns nil in case the backend was successfully reloaded. +// +//nolint:gocritic // the cfg shouldn't be changed, and shouldn't be mutated by other processes while being rendered. func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { cfg := n.store.GetBackendConfiguration() cfg.Resolver = n.resolver @@ -667,12 +671,12 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { return err } - err = createOpentracingCfg(cfg) + err = createOpentracingCfg(&cfg) if err != nil { return err } - err = createOpentelemetryCfg(cfg) + err = createOpentelemetryCfg(&cfg) if err != nil { return err } @@ -683,7 +687,10 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { } if klog.V(2).Enabled() { - src, _ := os.ReadFile(cfgPath) + src, err := os.ReadFile(cfgPath) + if err != nil { + return err + } if !bytes.Equal(src, content) { tmpfile, err := os.CreateTemp("", "new-nginx-cfg") if err != nil { @@ -694,11 +701,14 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { if err != nil { return err } - + //nolint:gosec //Ignore G204 error diffOutput, err := exec.Command("diff", "-I", "'# Configuration.*'", "-u", cfgPath, tmpfile.Name()).CombinedOutput() if err != nil { if exitError, ok := err.(*exec.ExitError); ok { - ws := exitError.Sys().(syscall.WaitStatus) + ws, ok := exitError.Sys().(syscall.WaitStatus) + if !ok { + klog.Errorf("unexpected type: %T", exitError.Sys()) + } if ws.ExitStatus() == 2 { klog.Warningf("Failed to executing diff command: %v", err) } @@ -828,9 +838,10 @@ func (n *NGINXController) configureDynamically(pcfg *ingress.Configuration) erro return nil } -func updateStreamConfiguration(TCPEndpoints []ingress.L4Service, UDPEndpoints []ingress.L4Service) error { +func updateStreamConfiguration(tcpEndpoints, udpEndpoints []ingress.L4Service) error { streams := make([]ingress.Backend, 0) - for _, ep := range TCPEndpoints { + for i := range tcpEndpoints { + ep := &tcpEndpoints[i] var service *apiv1.Service if ep.Service != nil { service = &apiv1.Service{Spec: ep.Service.Spec} @@ -844,7 +855,8 @@ func updateStreamConfiguration(TCPEndpoints []ingress.L4Service, UDPEndpoints [] Service: service, }) } - for _, ep := range UDPEndpoints { + for i := range udpEndpoints { + ep := &udpEndpoints[i] var service *apiv1.Service if ep.Service != nil { service = &apiv1.Service{Spec: ep.Service.Spec} @@ -1034,7 +1046,7 @@ ratio = {{ .OtelSamplerRatio }} parent_based = {{ .OtelSamplerParentBased }} ` -func datadogOpentracingCfg(cfg ngx_config.Configuration) (string, error) { +func datadogOpentracingCfg(cfg *ngx_config.Configuration) (string, error) { m := map[string]interface{}{ "service": cfg.DatadogServiceName, "agent_host": cfg.DatadogCollectorHost, @@ -1058,7 +1070,7 @@ func datadogOpentracingCfg(cfg ngx_config.Configuration) (string, error) { return string(buf), nil } -func opentracingCfgFromTemplate(cfg ngx_config.Configuration, tmplName string, tmplText string) (string, error) { +func opentracingCfgFromTemplate(cfg *ngx_config.Configuration, tmplName, tmplText string) (string, error) { tmpl, err := template.New(tmplName).Parse(tmplText) if err != nil { return "", err @@ -1073,17 +1085,18 @@ func opentracingCfgFromTemplate(cfg ngx_config.Configuration, tmplName string, t return tmplBuf.String(), nil } -func createOpentracingCfg(cfg ngx_config.Configuration) error { +func createOpentracingCfg(cfg *ngx_config.Configuration) error { var configData string var err error - if cfg.ZipkinCollectorHost != "" { + switch { + case cfg.ZipkinCollectorHost != "": configData, err = opentracingCfgFromTemplate(cfg, "zipkin", zipkinTmpl) - } else if cfg.JaegerCollectorHost != "" || cfg.JaegerEndpoint != "" { + case cfg.JaegerCollectorHost != "" || cfg.JaegerEndpoint != "": configData, err = opentracingCfgFromTemplate(cfg, "jaeger", jaegerTmpl) - } else if cfg.DatadogCollectorHost != "" { + case cfg.DatadogCollectorHost != "": configData, err = datadogOpentracingCfg(cfg) - } else { + default: configData = "{}" } @@ -1097,8 +1110,7 @@ func createOpentracingCfg(cfg ngx_config.Configuration) error { return os.WriteFile("/etc/nginx/opentracing.json", []byte(expanded), file.ReadWriteByUser) } -func createOpentelemetryCfg(cfg ngx_config.Configuration) error { - +func createOpentelemetryCfg(cfg *ngx_config.Configuration) error { tmpl, err := template.New("otel").Parse(otelTmpl) if err != nil { return err @@ -1123,7 +1135,10 @@ func cleanTempNginxCfg() error { return filepath.SkipDir } - dur, _ := time.ParseDuration("-5m") + dur, err := time.ParseDuration("-5m") + if err != nil { + return err + } fiveMinutesAgo := time.Now().Add(dur) if strings.HasPrefix(info.Name(), tempNginxPattern) && info.ModTime().Before(fiveMinutesAgo) { files = append(files, path) diff --git a/internal/ingress/controller/nginx_test.go b/internal/ingress/controller/nginx_test.go index 56eb0f324..c68b0b188 100644 --- a/internal/ingress/controller/nginx_test.go +++ b/internal/ingress/controller/nginx_test.go @@ -58,6 +58,7 @@ func TestConfigureDynamically(t *testing.T) { server := &httptest.Server{ Listener: listener, + //nolint:gosec // Ignore not configured ReadHeaderTimeout in testing Config: &http.Server{ Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusCreated) @@ -76,23 +77,17 @@ func TestConfigureDynamically(t *testing.T) { switch r.URL.Path { case "/configuration/backends": - { - if strings.Contains(body, "target") { - t.Errorf("unexpected target reference in JSON content: %v", body) - } + if strings.Contains(body, "target") { + t.Errorf("unexpected target reference in JSON content: %v", body) + } - if !strings.Contains(body, "service") { - t.Errorf("service reference should be present in JSON content: %v", body) - } + if !strings.Contains(body, "service") { + t.Errorf("service reference should be present in JSON content: %v", body) } case "/configuration/general": - { - } case "/configuration/servers": - { - if !strings.Contains(body, `{"certificates":{},"servers":{"myapp.fake":"-1"}}`) { - t.Errorf("should be present in JSON content: %v", body) - } + if !strings.Contains(body, `{"certificates":{},"servers":{"myapp.fake":"-1"}}`) { + t.Errorf("should be present in JSON content: %v", body) } default: t.Errorf("unknown request to %s", r.URL.Path) @@ -218,6 +213,7 @@ func TestConfigureCertificates(t *testing.T) { server := &httptest.Server{ Listener: listener, + //nolint:gosec // Ignore not configured ReadHeaderTimeout in testing Config: &http.Server{ Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusCreated) @@ -414,6 +410,7 @@ func TestCleanTempNginxCfg(t *testing.T) { } } +//nolint:unparam // Ingnore `network` always receives `"tcp"` error func tryListen(network, address string) (l net.Listener, err error) { condFunc := func() (bool, error) { l, err = net.Listen(network, address) diff --git a/internal/ingress/controller/process/nginx.go b/internal/ingress/controller/process/nginx.go index 70227ac2e..fdf501616 100644 --- a/internal/ingress/controller/process/nginx.go +++ b/internal/ingress/controller/process/nginx.go @@ -30,7 +30,10 @@ func IsRespawnIfRequired(err error) bool { return false } - waitStatus := exitError.Sys().(syscall.WaitStatus) + waitStatus, ok := exitError.Sys().(syscall.WaitStatus) + if !ok { + return false + } klog.Warningf(` ------------------------------------------------------------------------------- NGINX master process died (%v): %v diff --git a/internal/ingress/controller/status.go b/internal/ingress/controller/status.go index 3b0a41ab8..e061b2cb7 100644 --- a/internal/ingress/controller/status.go +++ b/internal/ingress/controller/status.go @@ -50,7 +50,7 @@ func setupLeaderElection(config *leaderElectionConfig) { var cancelContext context.CancelFunc - var newLeaderCtx = func(ctx context.Context) context.CancelFunc { + newLeaderCtx := func(ctx context.Context) context.CancelFunc { // allow to cancel the context in case we stop being the leader leaderCtx, cancel := context.WithCancel(ctx) go elector.Run(leaderCtx) @@ -86,8 +86,10 @@ func setupLeaderElection(config *leaderElectionConfig) { } broadcaster := record.NewBroadcaster() - hostname, _ := os.Hostname() - + hostname, err := os.Hostname() + if err != nil { + klog.Errorf("unexpected error getting hostname: %v", err) + } recorder := broadcaster.NewRecorder(scheme.Scheme, apiv1.EventSource{ Component: "ingress-leader-elector", Host: hostname, @@ -107,7 +109,7 @@ func setupLeaderElection(config *leaderElectionConfig) { ttl := 30 * time.Second - elector, err := leaderelection.NewLeaderElector(leaderelection.LeaderElectionConfig{ + elector, err = leaderelection.NewLeaderElector(leaderelection.LeaderElectionConfig{ Lock: lock, LeaseDuration: ttl, RenewDeadline: ttl / 2, diff --git a/internal/ingress/controller/store/backend_ssl.go b/internal/ingress/controller/store/backend_ssl.go index 6f0fcf189..81b508cd2 100644 --- a/internal/ingress/controller/store/backend_ssl.go +++ b/internal/ingress/controller/store/backend_ssl.go @@ -88,10 +88,11 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error auth := secret.Data["auth"] // namespace/secretName -> namespace-secretName - nsSecName := strings.Replace(secretName, "/", "-", -1) + nsSecName := strings.ReplaceAll(secretName, "/", "-") var sslCert *ingress.SSLCert - if okcert && okkey { + switch { + case okcert && okkey: if cert == nil { return nil, fmt.Errorf("key 'tls.crt' missing from Secret %q", secretName) } @@ -144,7 +145,7 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error } klog.V(3).InfoS(msg) - } else if len(ca) > 0 { + case len(ca) > 0: sslCert, err = ssl.CreateCACert(ca) if err != nil { return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err) @@ -166,7 +167,7 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error // makes this secret in 'syncSecret' to be used for Certificate Authentication // this does not enable Certificate Authentication klog.V(3).InfoS("Configuring Secret for TLS authentication", "secret", secretName) - } else { + default: if auth != nil { return nil, ErrSecretForAuth } diff --git a/internal/ingress/controller/store/endpointslice.go b/internal/ingress/controller/store/endpointslice.go index 78d088695..61bc63ae7 100644 --- a/internal/ingress/controller/store/endpointslice.go +++ b/internal/ingress/controller/store/endpointslice.go @@ -38,7 +38,7 @@ func (s *EndpointSliceLister) MatchByKey(key string) ([]*discoveryv1.EndpointSli keyNsLen = 0 } else { // count '/' char - keyNsLen += 1 + keyNsLen++ } // filter endpointSlices owned by svc for _, listKey := range s.ListKeys() { diff --git a/internal/ingress/controller/store/endpointslice_test.go b/internal/ingress/controller/store/endpointslice_test.go index 1342575ae..5d423a3a6 100644 --- a/internal/ingress/controller/store/endpointslice_test.go +++ b/internal/ingress/controller/store/endpointslice_test.go @@ -87,7 +87,6 @@ func TestEndpointSliceLister(t *testing.T) { t.Errorf("unexpected error %v", err) } eps, err := el.MatchByKey(key) - if err != nil { t.Errorf("unexpeted error %v", err) } diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index c11e35d76..918dfd41a 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go @@ -105,7 +105,7 @@ type Storer interface { Run(stopCh chan struct{}) // GetIngressClass validates given ingress against ingress class configuration and returns the ingress class. - GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) + GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.Configuration) (string, error) } // EventType type of event associated with an informer @@ -242,7 +242,9 @@ type k8sStore struct { defaultSSLCertificate string } -// New creates a new object store to be used in the ingress controller +// New creates a new object store to be used in the ingress controller. +// +//nolint:gocyclo // Ignore function complexity error. func New( namespace string, namespaceSelector labels.Selector, @@ -252,9 +254,9 @@ func New( updateCh *channels.RingChannel, disableCatchAll bool, deepInspector bool, - icConfig *ingressclass.IngressClassConfiguration, - disableSyncEvents bool) Storer { - + icConfig *ingressclass.Configuration, + disableSyncEvents bool, +) Storer { store := &k8sStore{ informers: &Informer{}, listers: &Lister{}, @@ -474,7 +476,8 @@ func New( _, errOld = store.GetIngressClass(oldIng, icConfig) classCur, errCur = store.GetIngressClass(curIng, icConfig) } - if errOld != nil && errCur == nil { + switch { + case errOld != nil && errCur == nil: if hasCatchAllIngressRule(curIng.Spec) && disableCatchAll { klog.InfoS("ignoring update for catch-all ingress because of --disable-catch-all", "ingress", klog.KObj(curIng)) return @@ -482,11 +485,11 @@ func New( klog.InfoS("creating ingress", "ingress", klog.KObj(curIng), "ingressclass", classCur) recorder.Eventf(curIng, corev1.EventTypeNormal, "Sync", "Scheduled for sync") - } else if errOld == nil && errCur != nil { + case errOld == nil && errCur != nil: klog.InfoS("removing ingress because of unknown ingressclass", "ingress", klog.KObj(curIng)) ingDeleteHandler(old) return - } else if errCur == nil && !reflect.DeepEqual(old, cur) { + case errCur == nil && !reflect.DeepEqual(old, cur): if hasCatchAllIngressRule(curIng.Spec) && disableCatchAll { klog.InfoS("ignoring update for catch-all ingress and delete old one because of --disable-catch-all", "ingress", klog.KObj(curIng)) ingDeleteHandler(old) @@ -494,7 +497,7 @@ func New( } recorder.Eventf(curIng, corev1.EventTypeNormal, "Sync", "Scheduled for sync") - } else { + default: klog.V(3).InfoS("No changes on ingress. Skipping update", "ingress", klog.KObj(curIng)) return } @@ -519,7 +522,10 @@ func New( ingressClassEventHandler := cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { - ingressclass := obj.(*networkingv1.IngressClass) + ingressclass, ok := obj.(*networkingv1.IngressClass) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } foundClassByName := false if icConfig.IngressClassByName && ingressclass.Name == icConfig.AnnotationValue { klog.InfoS("adding ingressclass as ingress-class-by-name is configured", "ingressclass", klog.KObj(ingressclass)) @@ -541,7 +547,10 @@ func New( } }, DeleteFunc: func(obj interface{}) { - ingressclass := obj.(*networkingv1.IngressClass) + ingressclass, ok := obj.(*networkingv1.IngressClass) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } if ingressclass.Spec.Controller != icConfig.Controller { klog.InfoS("ignoring ingressclass as the spec.controller is not the same of this ingress", "ingressclass", klog.KObj(ingressclass)) return @@ -557,8 +566,14 @@ func New( } }, UpdateFunc: func(old, cur interface{}) { - oic := old.(*networkingv1.IngressClass) - cic := cur.(*networkingv1.IngressClass) + oic, ok := old.(*networkingv1.IngressClass) + if !ok { + klog.Errorf("unexpected type: %T", old) + } + cic, ok := cur.(*networkingv1.IngressClass) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } if cic.Spec.Controller != icConfig.Controller { klog.InfoS("ignoring ingressclass as the spec.controller is not the same of this ingress", "ingressclass", klog.KObj(cic)) return @@ -581,7 +596,10 @@ func New( secrEventHandler := cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { - sec := obj.(*corev1.Secret) + sec, ok := obj.(*corev1.Secret) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } key := k8s.MetaNamespaceKey(sec) if store.defaultSSLCertificate == key { @@ -608,7 +626,10 @@ func New( }, UpdateFunc: func(old, cur interface{}) { if !reflect.DeepEqual(old, cur) { - sec := cur.(*corev1.Secret) + sec, ok := cur.(*corev1.Secret) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } key := k8s.MetaNamespaceKey(sec) if !watchedNamespace(sec.Namespace) { @@ -695,8 +716,14 @@ func New( } }, UpdateFunc: func(old, cur interface{}) { - oeps := old.(*discoveryv1.EndpointSlice) - ceps := cur.(*discoveryv1.EndpointSlice) + oeps, ok := old.(*discoveryv1.EndpointSlice) + if !ok { + klog.Errorf("unexpected type: %T", old) + } + ceps, ok := cur.(*discoveryv1.EndpointSlice) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } if !reflect.DeepEqual(ceps.Endpoints, oeps.Endpoints) { updateCh.In() <- Event{ Type: UpdateEvent, @@ -750,7 +777,10 @@ func New( cmEventHandler := cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { - cfgMap := obj.(*corev1.ConfigMap) + cfgMap, ok := obj.(*corev1.ConfigMap) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } key := k8s.MetaNamespaceKey(cfgMap) handleCfgMapEvent(key, cfgMap, "CREATE") }, @@ -759,7 +789,10 @@ func New( return } - cfgMap := cur.(*corev1.ConfigMap) + cfgMap, ok := cur.(*corev1.ConfigMap) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } key := k8s.MetaNamespaceKey(cfgMap) handleCfgMapEvent(key, cfgMap, "UPDATE") }, @@ -767,7 +800,10 @@ func New( serviceHandler := cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { - svc := obj.(*corev1.Service) + svc, ok := obj.(*corev1.Service) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } if svc.Spec.Type == corev1.ServiceTypeExternalName { updateCh.In() <- Event{ Type: CreateEvent, @@ -776,7 +812,10 @@ func New( } }, DeleteFunc: func(obj interface{}) { - svc := obj.(*corev1.Service) + svc, ok := obj.(*corev1.Service) + if !ok { + klog.Errorf("unexpected type: %T", obj) + } if svc.Spec.Type == corev1.ServiceTypeExternalName { updateCh.In() <- Event{ Type: DeleteEvent, @@ -785,8 +824,14 @@ func New( } }, UpdateFunc: func(old, cur interface{}) { - oldSvc := old.(*corev1.Service) - curSvc := cur.(*corev1.Service) + oldSvc, ok := old.(*corev1.Service) + if !ok { + klog.Errorf("unexpected type: %T", old) + } + curSvc, ok := cur.(*corev1.Service) + if !ok { + klog.Errorf("unexpected type: %T", cur) + } if reflect.DeepEqual(oldSvc, curSvc) { return @@ -821,7 +866,10 @@ func New( } // do not wait for informers to read the configmap configuration - ns, name, _ := k8s.ParseNameNS(configmap) + ns, name, err := k8s.ParseNameNS(configmap) + if err != nil { + klog.Errorf("unexpected error parsing name and ns: %v", err) + } cm, err := client.CoreV1().ConfigMaps(ns).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { klog.Warningf("Unexpected error reading configuration configmap: %v", err) @@ -837,10 +885,10 @@ func hasCatchAllIngressRule(spec networkingv1.IngressSpec) bool { return spec.DefaultBackend != nil } -func checkBadAnnotationValue(annotations map[string]string, badwords string) error { +func checkBadAnnotationValue(annotationMap map[string]string, badwords string) error { arraybadWords := strings.Split(strings.TrimSpace(badwords), ",") - for annotation, value := range annotations { + for annotation, value := range annotationMap { if strings.HasPrefix(annotation, fmt.Sprintf("%s/", parser.AnnotationsPrefix)) { for _, forbiddenvalue := range arraybadWords { if strings.Contains(value, forbiddenvalue) { @@ -999,7 +1047,7 @@ func (s *k8sStore) GetService(key string) (*corev1.Service, error) { return s.listers.Service.ByKey(key) } -func (s *k8sStore) GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.IngressClassConfiguration) (string, error) { +func (s *k8sStore) GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressclass.Configuration) (string, error) { // First we try ingressClassName if !icConfig.IgnoreIngressClass && ing.Spec.IngressClassName != nil { iclass, err := s.listers.IngressClass.ByKey(*ing.Spec.IngressClassName) @@ -1010,11 +1058,11 @@ func (s *k8sStore) GetIngressClass(ing *networkingv1.Ingress, icConfig *ingressc } // Then we try annotation - if ingressclass, ok := ing.GetAnnotations()[ingressclass.IngressKey]; ok { - if ingressclass != icConfig.AnnotationValue { + if class, ok := ing.GetAnnotations()[ingressclass.IngressKey]; ok { + if class != icConfig.AnnotationValue { return "", fmt.Errorf("ingress class annotation is not equal to the expected by Ingress Controller") } - return ingressclass, nil + return class, nil } // Then we accept if the WithoutClass is enabled @@ -1055,7 +1103,10 @@ func (s *k8sStore) ListIngresses() []*ingress.Ingress { // filter ingress rules ingresses := make([]*ingress.Ingress, 0) for _, item := range s.listers.IngressWithAnnotation.List() { - ing := item.(*ingress.Ingress) + ing, ok := item.(*ingress.Ingress) + if !ok { + klog.Errorf("unexpected type: %T", item) + } ingresses = append(ingresses, ing) } diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go index 774a45676..317c0f36c 100644 --- a/internal/ingress/controller/store/store_test.go +++ b/internal/ingress/controller/store/store_test.go @@ -44,29 +44,27 @@ import ( var pathPrefix networking.PathType = networking.PathTypePrefix -var DefaultClassConfig = &ingressclass.IngressClassConfiguration{ +var DefaultClassConfig = &ingressclass.Configuration{ Controller: ingressclass.DefaultControllerName, AnnotationValue: ingressclass.DefaultAnnotationValue, WatchWithoutClass: false, } -var ( - commonIngressSpec = networking.IngressSpec{ - Rules: []networking.IngressRule{ - { - Host: "dummy", - IngressRuleValue: networking.IngressRuleValue{ - HTTP: &networking.HTTPIngressRuleValue{ - Paths: []networking.HTTPIngressPath{ - { - Path: "/", - PathType: &pathPrefix, - Backend: networking.IngressBackend{ - Service: &networking.IngressServiceBackend{ - Name: "http-svc", - Port: networking.ServiceBackendPort{ - Number: 80, - }, +var commonIngressSpec = networking.IngressSpec{ + Rules: []networking.IngressRule{ + { + Host: "dummy", + IngressRuleValue: networking.IngressRuleValue{ + HTTP: &networking.HTTPIngressRuleValue{ + Paths: []networking.HTTPIngressPath{ + { + Path: "/", + PathType: &pathPrefix, + Backend: networking.IngressBackend{ + Service: &networking.IngressServiceBackend{ + Name: "http-svc", + Port: networking.ServiceBackendPort{ + Number: 80, }, }, }, @@ -75,12 +73,15 @@ var ( }, }, }, - } -) + }, +} +const updateDummyHost = "update-dummy" + +//nolint:gocyclo // Ignore function complexity error func TestStore(t *testing.T) { - //TODO: move env definition to docker image? - os.Setenv("KUBEBUILDER_ASSETS", "/usr/local/bin") + // TODO: move env definition to docker image? + t.Setenv("KUBEBUILDER_ASSETS", "/usr/local/bin") pathPrefix = networking.PathTypePrefix @@ -90,9 +91,12 @@ func TestStore(t *testing.T) { t.Fatalf("error: %v", err) } - emptySelector, _ := labels.Parse("") + emptySelector, err := labels.Parse("") + if err != nil { + t.Fatalf("unexpected error: %v", err) + } - defer te.Stop() //nolint:errcheck + defer te.Stop() //nolint:errcheck // Ignore the error clientSet, err := kubernetes.NewForConfig(cfg) if err != nil { @@ -176,7 +180,11 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } + if e.Obj == nil { continue } @@ -230,7 +238,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) ni := ing.DeepCopy() - ni.Spec.Rules[0].Host = "update-dummy" + ni.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(ni, clientSet, t) if err != nil { t.Errorf("error creating ingress: %v", err) @@ -281,7 +289,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -343,7 +354,7 @@ func TestStore(t *testing.T) { defer deleteIngress(invalidIngress, clientSet, t) ni := ing.DeepCopy() - ni.Spec.Rules[0].Host = "update-dummy" + ni.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(ni, clientSet, t) if err != nil { t.Errorf("error creating ingress: %v", err) @@ -392,7 +403,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -411,7 +425,7 @@ func TestStore(t *testing.T) { } }(updateCh) - ingressClassconfig := &ingressclass.IngressClassConfiguration{ + ingressClassconfig := &ingressclass.Configuration{ Controller: ingressclass.DefaultControllerName, AnnotationValue: ingressclass.DefaultAnnotationValue, WatchWithoutClass: true, @@ -463,7 +477,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) validIngressUpdated := validIngress1.DeepCopy() - validIngressUpdated.Spec.Rules[0].Host = "update-dummy" + validIngressUpdated.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(validIngressUpdated, clientSet, t) if err != nil { t.Errorf("error updating ingress: %v", err) @@ -523,7 +537,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -542,7 +559,7 @@ func TestStore(t *testing.T) { } }(updateCh) - ingressClassconfig := &ingressclass.IngressClassConfiguration{ + ingressClassconfig := &ingressclass.Configuration{ Controller: ingressclass.DefaultControllerName, AnnotationValue: ic, IngressClassByName: true, @@ -581,7 +598,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) ingressUpdated := ing.DeepCopy() - ingressUpdated.Spec.Rules[0].Host = "update-dummy" + ingressUpdated.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(ingressUpdated, clientSet, t) if err != nil { t.Errorf("error updating ingress: %v", err) @@ -630,7 +647,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -684,7 +704,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) invalidIngressUpdated := invalidIngress.DeepCopy() - invalidIngressUpdated.Spec.Rules[0].Host = "update-dummy" + invalidIngressUpdated.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(invalidIngressUpdated, clientSet, t) if err != nil { t.Errorf("error creating ingress: %v", err) @@ -725,7 +745,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -778,7 +801,7 @@ func TestStore(t *testing.T) { time.Sleep(1 * time.Second) invalidIngressUpdated := invalidIngress.DeepCopy() - invalidIngressUpdated.Spec.Rules[0].Host = "update-dummy" + invalidIngressUpdated.Spec.Rules[0].Host = updateDummyHost _ = ensureIngress(invalidIngressUpdated, clientSet, t) if err != nil { t.Errorf("error creating ingress: %v", err) @@ -816,7 +839,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -908,7 +934,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -1008,7 +1037,6 @@ func TestStore(t *testing.T) { if atomic.LoadUint64(&del) != 1 { t.Errorf("expected 1 events of type Delete but %v occurred", del) } - }) t.Run("should create an ingress with a secret which does not exist", func(t *testing.T) { @@ -1032,7 +1060,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -1159,7 +1190,10 @@ func TestStore(t *testing.T) { return } - e := evt.(Event) + e, ok := evt.(Event) + if !ok { + return + } if e.Obj == nil { continue } @@ -1174,7 +1208,10 @@ func TestStore(t *testing.T) { } }(updateCh) - namesapceSelector, _ := labels.Parse("foo=bar") + namesapceSelector, err := labels.Parse("foo=bar") + if err != nil { + t.Errorf("unexpected error: %v", err) + } storer := New( ns, namesapceSelector, @@ -1236,7 +1273,6 @@ func TestStore(t *testing.T) { if atomic.LoadUint64(&del) != 0 { t.Errorf("expected 0 events of type Delete but %v occurred", del) } - }) // test add ingress with secret it doesn't exists and then add secret // check secret is generated on fs @@ -1274,16 +1310,16 @@ func deleteNamespace(ns string, clientSet kubernetes.Interface, t *testing.T) { func createIngressClass(clientSet kubernetes.Interface, t *testing.T, controller string) string { t.Helper() - ingressclass := &networking.IngressClass{ + class := &networking.IngressClass{ ObjectMeta: metav1.ObjectMeta{ Name: fmt.Sprintf("ingress-nginx-%v", time.Now().Unix()), - //Namespace: "xpto" // TODO: We don't support namespaced ingress-class yet + // Namespace: "xpto" // TODO: We don't support namespaced ingress-class yet }, Spec: networking.IngressClassSpec{ Controller: controller, }, } - ic, err := clientSet.NetworkingV1().IngressClasses().Create(context.TODO(), ingressclass, metav1.CreateOptions{}) + ic, err := clientSet.NetworkingV1().IngressClasses().Create(context.TODO(), class, metav1.CreateOptions{}) if err != nil { t.Errorf("error creating ingress class: %v", err) } @@ -1299,7 +1335,7 @@ func deleteIngressClass(ic string, clientSet kubernetes.Interface, t *testing.T) } } -func createConfigMap(clientSet kubernetes.Interface, ns string, t *testing.T) string { +func createConfigMap(clientSet kubernetes.Interface, ns string, t *testing.T) { t.Helper() configMap := &v1.ConfigMap{ @@ -1308,51 +1344,47 @@ func createConfigMap(clientSet kubernetes.Interface, ns string, t *testing.T) st }, } - cm, err := clientSet.CoreV1().ConfigMaps(ns).Create(context.TODO(), configMap, metav1.CreateOptions{}) + _, err := clientSet.CoreV1().ConfigMaps(ns).Create(context.TODO(), configMap, metav1.CreateOptions{}) if err != nil { t.Errorf("error creating the configuration map: %v", err) } - - return cm.Name } -func ensureIngress(ingress *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) *networking.Ingress { +func ensureIngress(ing *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) *networking.Ingress { t.Helper() - ing, err := clientSet.NetworkingV1().Ingresses(ingress.Namespace).Update(context.TODO(), ingress, metav1.UpdateOptions{}) - + newIngress, err := clientSet.NetworkingV1().Ingresses(ing.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{}) if err != nil { if k8sErrors.IsNotFound(err) { - t.Logf("Ingress %v not found, creating", ingress) + t.Logf("Ingress %v not found, creating", ing) - ing, err = clientSet.NetworkingV1().Ingresses(ingress.Namespace).Create(context.TODO(), ingress, metav1.CreateOptions{}) + newIngress, err = clientSet.NetworkingV1().Ingresses(ing.Namespace).Create(context.TODO(), ing, metav1.CreateOptions{}) if err != nil { - t.Fatalf("error creating ingress %+v: %v", ingress, err) + t.Fatalf("error creating ingress %+v: %v", ing, err) } - t.Logf("Ingress %+v created", ingress) - return ing + t.Logf("Ingress %+v created", ing) + return newIngress } - t.Fatalf("error updating ingress %+v: %v", ingress, err) + t.Fatalf("error updating ingress %+v: %v", ing, err) } - return ing + return newIngress } -func deleteIngress(ingress *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) { +func deleteIngress(ing *networking.Ingress, clientSet kubernetes.Interface, t *testing.T) { t.Helper() - err := clientSet.NetworkingV1().Ingresses(ingress.Namespace).Delete(context.TODO(), ingress.Name, metav1.DeleteOptions{}) - + err := clientSet.NetworkingV1().Ingresses(ing.Namespace).Delete(context.TODO(), ing.Name, metav1.DeleteOptions{}) if err != nil { - t.Errorf("failed to delete ingress %+v: %v", ingress, err) + t.Errorf("failed to delete ingress %+v: %v", ing, err) } - t.Logf("Ingress %+v deleted", ingress) + t.Logf("Ingress %+v deleted", ing) } // newStore creates a new mock object store for tests which do not require the // use of Informers. -func newStore(t *testing.T) *k8sStore { +func newStore() *k8sStore { return &k8sStore{ listers: &Lister{ // add more listers if needed @@ -1369,7 +1401,7 @@ func newStore(t *testing.T) *k8sStore { } func TestUpdateSecretIngressMap(t *testing.T) { - s := newStore(t) + s := newStore() ingTpl := &networking.Ingress{ ObjectMeta: metav1.ObjectMeta{ @@ -1431,7 +1463,9 @@ func TestUpdateSecretIngressMap(t *testing.T) { ing.ObjectMeta.SetAnnotations(map[string]string{ parser.GetAnnotationWithPrefix("auth-secret"): "anotherns/auth", }) - s.listers.Ingress.Update(ing) + if err := s.listers.Ingress.Update(ing); err != nil { + t.Errorf("error updating the Ingress: %v", err) + } s.updateSecretIngressMap(ing) if l := s.secretIngressMap.Len(); l != 0 { @@ -1456,7 +1490,7 @@ func TestUpdateSecretIngressMap(t *testing.T) { } func TestListIngresses(t *testing.T) { - s := newStore(t) + s := newStore() invalidIngressClass := "something" validIngressClass := ingressclass.DefaultControllerName @@ -1586,7 +1620,7 @@ func TestWriteSSLSessionTicketKey(t *testing.T) { } for _, test := range tests { - s := newStore(t) + s := newStore() cmap := &v1.ConfigMap{ Data: map[string]string{ diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go index c73f3b6c0..9dc019bcc 100644 --- a/internal/ingress/controller/template/configmap.go +++ b/internal/ingress/controller/template/configmap.go @@ -91,6 +91,8 @@ const ( ) // ReadConfig obtains the configuration defined by the user merged with the defaults. +// +//nolint:gocyclo // Ignore function complexity error func ReadConfig(src map[string]string) config.Configuration { conf := map[string]string{} // we need to copy the configmap data because the content is altered @@ -116,12 +118,12 @@ func ReadConfig(src map[string]string) config.Configuration { luaSharedDicts := make(map[string]int) debugConnectionsList := make([]string, 0) - //parse lua shared dict values + // parse lua shared dict values if val, ok := conf[luaSharedDictsKey]; ok { delete(conf, luaSharedDictsKey) lsd := splitAndTrimSpace(val, ",") for _, v := range lsd { - v = strings.Replace(v, " ", "", -1) + v = strings.ReplaceAll(v, " ", "") results := strings.SplitN(v, ":", 2) dictName := results[0] size := dictStrToKb(results[1]) @@ -196,7 +198,7 @@ func ReadConfig(src map[string]string) config.Configuration { if ing_net.IsIPV6(ns) { bindAddressIpv6List = append(bindAddressIpv6List, fmt.Sprintf("[%v]", ns)) } else { - bindAddressIpv4List = append(bindAddressIpv4List, fmt.Sprintf("%v", ns)) + bindAddressIpv4List = append(bindAddressIpv4List, ns.String()) } } else { klog.Warningf("%v is not a valid textual representation of an IP address", i) @@ -250,7 +252,7 @@ func ReadConfig(src map[string]string) config.Configuration { if val, ok := conf[globalAuthMethod]; ok { delete(conf, globalAuthMethod) - if len(val) != 0 && !authreq.ValidMethod(val) { + if val != "" && !authreq.ValidMethod(val) { klog.Warningf("Global auth location denied - %v.", "invalid HTTP method") } else { to.GlobalExternalAuth.Method = val @@ -261,7 +263,10 @@ func ReadConfig(src map[string]string) config.Configuration { if val, ok := conf[globalAuthSignin]; ok { delete(conf, globalAuthSignin) - signinURL, _ := parser.StringToURL(val) + signinURL, err := parser.StringToURL(val) + if err != nil { + klog.Errorf("string to URL conversion failed: %v", err) + } if signinURL == nil { klog.Warningf("Global auth location denied - %v.", "global-auth-signin setting is undefined and will not be set") } else { @@ -274,7 +279,10 @@ func ReadConfig(src map[string]string) config.Configuration { delete(conf, globalAuthSigninRedirectParam) redirectParam := strings.TrimSpace(val) - dummySigninURL, _ := parser.StringToURL(fmt.Sprintf("%s?%s=dummy", to.GlobalExternalAuth.SigninURL, redirectParam)) + dummySigninURL, err := parser.StringToURL(fmt.Sprintf("%s?%s=dummy", to.GlobalExternalAuth.SigninURL, redirectParam)) + if err != nil { + klog.Errorf("string to URL conversion failed: %v", err) + } if dummySigninURL == nil { klog.Warningf("Global auth redirect parameter denied - %v.", "global-auth-signin-redirect-param setting is invalid and will not be set") } else { @@ -286,7 +294,7 @@ func ReadConfig(src map[string]string) config.Configuration { if val, ok := conf[globalAuthResponseHeaders]; ok { delete(conf, globalAuthResponseHeaders) - if len(val) != 0 { + if val != "" { harr := splitAndTrimSpace(val, ",") for _, header := range harr { if !authreq.ValidHeader(header) { @@ -385,8 +393,8 @@ func ReadConfig(src map[string]string) config.Configuration { if val, ok := conf[debugConnections]; ok { delete(conf, debugConnections) for _, i := range splitAndTrimSpace(val, ",") { - validIp := net.ParseIP(i) - if validIp != nil { + validIP := net.ParseIP(i) + if validIP != nil { debugConnectionsList = append(debugConnectionsList, i) } else { _, _, err := net.ParseCIDR(i) @@ -415,14 +423,14 @@ func ReadConfig(src map[string]string) config.Configuration { to.DisableIpv6DNS = !ing_net.IsIPv6Enabled() to.LuaSharedDicts = luaSharedDicts - config := &mapstructure.DecoderConfig{ + decoderConfig := &mapstructure.DecoderConfig{ Metadata: nil, WeaklyTypedInput: true, Result: &to, TagName: "json", } - decoder, err := mapstructure.NewDecoder(config) + decoder, err := mapstructure.NewDecoder(decoderConfig) if err != nil { klog.Warningf("unexpected error merging defaults: %v", err) } @@ -456,6 +464,7 @@ func filterErrors(codes []int) []int { return fa } +//nolint:unparam // Ignore `sep` always receives `,` error func splitAndTrimSpace(s, sep string) []string { f := func(c rune) bool { return strings.EqualFold(string(c), sep) @@ -474,8 +483,11 @@ func dictStrToKb(sizeStr string) int { if sizeMatch == nil { return -1 } - size, _ := strconv.Atoi(sizeMatch[1]) // validated already with regex - if sizeMatch[2] == "" || strings.ToLower(sizeMatch[2]) == "m" { + size, err := strconv.Atoi(sizeMatch[1]) // validated already with regex + if err != nil { + klog.Errorf("unexpected error converting size string %s to int: %v", sizeStr, err) + } + if sizeMatch[2] == "" || strings.EqualFold(sizeMatch[2], "m") { size *= 1024 } return size diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 147455771..4e51ac665 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -52,6 +52,12 @@ const ( nonIdempotent = "non_idempotent" defBufferSize = 65535 writeIndentOnEmptyLines = true // backward-compatibility + httpProtocol = "HTTP" + autoHTTPProtocol = "AUTO_HTTP" + httpsProtocol = "HTTPS" + grpcProtocol = "GRPC" + grpcsProtocol = "GRPCS" + fcgiProtocol = "FCGI" ) const ( @@ -64,13 +70,13 @@ type Writer interface { // Write renders the template. // NOTE: Implementors must ensure that the content of the returned slice is not modified by the implementation // after the return of this function. - Write(conf config.TemplateConfig) ([]byte, error) + Write(conf *config.TemplateConfig) ([]byte, error) } -// Template ... +// Template ingress template type Template struct { tmpl *text_template.Template - //fw watch.FileWatcher + bp *BufferPool } @@ -97,7 +103,7 @@ func NewTemplate(file string) (*Template, error) { // 2. Collapses multiple empty lines to single one // 3. Re-indent // (ATW: always returns nil) -func cleanConf(in *bytes.Buffer, out *bytes.Buffer) error { +func cleanConf(in, out *bytes.Buffer) error { depth := 0 lineStarted := false emptyLineWritten := false @@ -176,7 +182,7 @@ func cleanConf(in *bytes.Buffer, out *bytes.Buffer) error { // Write populates a buffer using a template with NGINX configuration // and the servers and upstreams created by Ingress rules -func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) { +func (t *Template) Write(conf *config.TemplateConfig) ([]byte, error) { tmplBuf := t.bp.Get() defer t.bp.Put(tmplBuf) @@ -184,14 +190,14 @@ func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) { defer t.bp.Put(outCmdBuf) if klog.V(3).Enabled() { - b, err := json.Marshal(conf) + b, err := json.Marshal(*conf) if err != nil { klog.Errorf("unexpected error: %v", err) } klog.InfoS("NGINX", "configuration", string(b)) } - err := t.tmpl.Execute(tmplBuf, conf) + err := t.tmpl.Execute(tmplBuf, *conf) if err != nil { return nil, err } @@ -211,78 +217,76 @@ func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) { return res, nil } -var ( - funcMap = text_template.FuncMap{ - "empty": func(input interface{}) bool { - check, ok := input.(string) - if ok { - return len(check) == 0 - } - return true - }, - "escapeLiteralDollar": escapeLiteralDollar, - "buildLuaSharedDictionaries": buildLuaSharedDictionaries, - "luaConfigurationRequestBodySize": luaConfigurationRequestBodySize, - "buildLocation": buildLocation, - "buildAuthLocation": buildAuthLocation, - "shouldApplyGlobalAuth": shouldApplyGlobalAuth, - "buildAuthResponseHeaders": buildAuthResponseHeaders, - "buildAuthUpstreamLuaHeaders": buildAuthUpstreamLuaHeaders, - "buildAuthProxySetHeaders": buildAuthProxySetHeaders, - "buildAuthUpstreamName": buildAuthUpstreamName, - "shouldApplyAuthUpstream": shouldApplyAuthUpstream, - "extractHostPort": extractHostPort, - "changeHostPort": changeHostPort, - "buildProxyPass": buildProxyPass, - "filterRateLimits": filterRateLimits, - "buildRateLimitZones": buildRateLimitZones, - "buildRateLimit": buildRateLimit, - "configForLua": configForLua, - "locationConfigForLua": locationConfigForLua, - "buildResolvers": buildResolvers, - "buildUpstreamName": buildUpstreamName, - "isLocationInLocationList": isLocationInLocationList, - "isLocationAllowed": isLocationAllowed, - "buildDenyVariable": buildDenyVariable, - "getenv": os.Getenv, - "contains": strings.Contains, - "split": strings.Split, - "hasPrefix": strings.HasPrefix, - "hasSuffix": strings.HasSuffix, - "trimSpace": strings.TrimSpace, - "toUpper": strings.ToUpper, - "toLower": strings.ToLower, - "formatIP": formatIP, - "quote": quote, - "buildNextUpstream": buildNextUpstream, - "getIngressInformation": getIngressInformation, - "serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} { - return struct{ First, Second interface{} }{all, server} - }, - "isValidByteSize": isValidByteSize, - "buildForwardedFor": buildForwardedFor, - "buildAuthSignURL": buildAuthSignURL, - "buildAuthSignURLLocation": buildAuthSignURLLocation, - "buildOpentracing": buildOpentracing, - "buildOpentelemetry": buildOpentelemetry, - "proxySetHeader": proxySetHeader, - "enforceRegexModifier": enforceRegexModifier, - "buildCustomErrorDeps": buildCustomErrorDeps, - "buildCustomErrorLocationsPerServer": buildCustomErrorLocationsPerServer, - "shouldLoadModSecurityModule": shouldLoadModSecurityModule, - "buildHTTPListener": buildHTTPListener, - "buildHTTPSListener": buildHTTPSListener, - "buildOpentracingForLocation": buildOpentracingForLocation, - "buildOpentelemetryForLocation": buildOpentelemetryForLocation, - "shouldLoadOpentracingModule": shouldLoadOpentracingModule, - "shouldLoadOpentelemetryModule": shouldLoadOpentelemetryModule, - "buildModSecurityForLocation": buildModSecurityForLocation, - "buildMirrorLocations": buildMirrorLocations, - "shouldLoadAuthDigestModule": shouldLoadAuthDigestModule, - "buildServerName": buildServerName, - "buildCorsOriginRegex": buildCorsOriginRegex, - } -) +var funcMap = text_template.FuncMap{ + "empty": func(input interface{}) bool { + check, ok := input.(string) + if ok { + return check == "" + } + return true + }, + "escapeLiteralDollar": escapeLiteralDollar, + "buildLuaSharedDictionaries": buildLuaSharedDictionaries, + "luaConfigurationRequestBodySize": luaConfigurationRequestBodySize, + "buildLocation": buildLocation, + "buildAuthLocation": buildAuthLocation, + "shouldApplyGlobalAuth": shouldApplyGlobalAuth, + "buildAuthResponseHeaders": buildAuthResponseHeaders, + "buildAuthUpstreamLuaHeaders": buildAuthUpstreamLuaHeaders, + "buildAuthProxySetHeaders": buildAuthProxySetHeaders, + "buildAuthUpstreamName": buildAuthUpstreamName, + "shouldApplyAuthUpstream": shouldApplyAuthUpstream, + "extractHostPort": extractHostPort, + "changeHostPort": changeHostPort, + "buildProxyPass": buildProxyPass, + "filterRateLimits": filterRateLimits, + "buildRateLimitZones": buildRateLimitZones, + "buildRateLimit": buildRateLimit, + "configForLua": configForLua, + "locationConfigForLua": locationConfigForLua, + "buildResolvers": buildResolvers, + "buildUpstreamName": buildUpstreamName, + "isLocationInLocationList": isLocationInLocationList, + "isLocationAllowed": isLocationAllowed, + "buildDenyVariable": buildDenyVariable, + "getenv": os.Getenv, + "contains": strings.Contains, + "split": strings.Split, + "hasPrefix": strings.HasPrefix, + "hasSuffix": strings.HasSuffix, + "trimSpace": strings.TrimSpace, + "toUpper": strings.ToUpper, + "toLower": strings.ToLower, + "formatIP": formatIP, + "quote": quote, + "buildNextUpstream": buildNextUpstream, + "getIngressInformation": getIngressInformation, + "serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} { + return struct{ First, Second interface{} }{all, server} + }, + "isValidByteSize": isValidByteSize, + "buildForwardedFor": buildForwardedFor, + "buildAuthSignURL": buildAuthSignURL, + "buildAuthSignURLLocation": buildAuthSignURLLocation, + "buildOpentracing": buildOpentracing, + "buildOpentelemetry": buildOpentelemetry, + "proxySetHeader": proxySetHeader, + "enforceRegexModifier": enforceRegexModifier, + "buildCustomErrorDeps": buildCustomErrorDeps, + "buildCustomErrorLocationsPerServer": buildCustomErrorLocationsPerServer, + "shouldLoadModSecurityModule": shouldLoadModSecurityModule, + "buildHTTPListener": buildHTTPListener, + "buildHTTPSListener": buildHTTPSListener, + "buildOpentracingForLocation": buildOpentracingForLocation, + "buildOpentelemetryForLocation": buildOpentelemetryForLocation, + "shouldLoadOpentracingModule": shouldLoadOpentracingModule, + "shouldLoadOpentelemetryModule": shouldLoadOpentelemetryModule, + "buildModSecurityForLocation": buildModSecurityForLocation, + "buildMirrorLocations": buildMirrorLocations, + "shouldLoadAuthDigestModule": shouldLoadAuthDigestModule, + "buildServerName": buildServerName, + "buildCorsOriginRegex": buildCorsOriginRegex, +} // escapeLiteralDollar will replace the $ character with ${literal_dollar} // which is made to work via the following configuration in the http section of @@ -296,7 +300,7 @@ func escapeLiteralDollar(input interface{}) string { if !ok { return "" } - return strings.Replace(inputStr, `$`, `${literal_dollar}`, -1) + return strings.ReplaceAll(inputStr, `$`, `${literal_dollar}`) } // formatIP will wrap IPv6 addresses in [] and return IPv4 addresses @@ -328,9 +332,7 @@ func quote(input interface{}) string { return fmt.Sprintf("%q", inputStr) } -func buildLuaSharedDictionaries(c interface{}, s interface{}) string { - var out []string - +func buildLuaSharedDictionaries(c, s interface{}) string { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -343,6 +345,7 @@ func buildLuaSharedDictionaries(c interface{}, s interface{}) string { return "" } + out := make([]string, 0, len(cfg.LuaSharedDicts)) for name, size := range cfg.LuaSharedDicts { sizeStr := dictKbToStr(size) out = append(out, fmt.Sprintf("lua_shared_dict %s %s", name, sizeStr)) @@ -364,7 +367,7 @@ func luaConfigurationRequestBodySize(c interface{}) string { if size < cfg.LuaSharedDicts["certificate_data"] { size = cfg.LuaSharedDicts["certificate_data"] } - size = size + 1024 + size += 1024 return dictKbToStr(size) } @@ -418,7 +421,7 @@ func configForLua(input interface{}) string { } // locationConfigForLua formats some location specific configuration into Lua table represented as string -func locationConfigForLua(l interface{}, a interface{}) string { +func locationConfigForLua(l, a interface{}) string { location, ok := l.(*ingress.Location) if !ok { klog.Errorf("expected an '*ingress.Location' type but %T was given", l) @@ -459,7 +462,7 @@ func locationConfigForLua(l interface{}, a interface{}) string { } // buildResolvers returns the resolvers reading the /etc/resolv.conf file -func buildResolvers(res interface{}, disableIpv6 interface{}) string { +func buildResolvers(res, disableIpv6 interface{}) string { // NGINX need IPV6 addresses to be surrounded by brackets nss, ok := res.([]net.IP) if !ok { @@ -484,7 +487,7 @@ func buildResolvers(res interface{}, disableIpv6 interface{}) string { } r = append(r, fmt.Sprintf("[%v]", ns)) } else { - r = append(r, fmt.Sprintf("%v", ns)) + r = append(r, ns.String()) } } r = append(r, "valid=30s") @@ -554,7 +557,7 @@ func buildAuthLocation(input interface{}, globalExternalAuthURL string) string { str := base64.URLEncoding.EncodeToString([]byte(location.Path)) // removes "=" after encoding - str = strings.Replace(str, "=", "", -1) + str = strings.ReplaceAll(str, "=", "") pathType := "default" if location.PathType != nil { @@ -644,7 +647,7 @@ func buildAuthUpstreamName(input interface{}, host string) string { // shouldApplyAuthUpstream returns true only in case when ExternalAuth.URL and // ExternalAuth.KeepaliveConnections are all set -func shouldApplyAuthUpstream(l interface{}, c interface{}) bool { +func shouldApplyAuthUpstream(l, c interface{}) bool { location, ok := l.(*ingress.Location) if !ok { klog.Errorf("expected an '*ingress.Location' type but %T was returned", l) @@ -672,14 +675,14 @@ func shouldApplyAuthUpstream(l interface{}, c interface{}) bool { } // extractHostPort will extract the host:port part from the URL specified by url -func extractHostPort(url string) string { - if url == "" { +func extractHostPort(newURL string) string { + if newURL == "" { return "" } - authURL, err := parser.StringToURL(url) + authURL, err := parser.StringToURL(newURL) if err != nil { - klog.Errorf("expected a valid URL but %s was returned", url) + klog.Errorf("expected a valid URL but %s was returned", newURL) return "" } @@ -687,14 +690,14 @@ func extractHostPort(url string) string { } // changeHostPort will change the host:port part of the url to value -func changeHostPort(url string, value string) string { - if url == "" { +func changeHostPort(newURL, value string) string { + if newURL == "" { return "" } - authURL, err := parser.StringToURL(url) + authURL, err := parser.StringToURL(newURL) if err != nil { - klog.Errorf("expected a valid URL but %s was returned", url) + klog.Errorf("expected a valid URL but %s was returned", newURL) return "" } @@ -707,7 +710,7 @@ func changeHostPort(url string, value string) string { // (specified through the nginx.ingress.kubernetes.io/rewrite-target annotation) // If the annotation nginx.ingress.kubernetes.io/add-base-url:"true" is specified it will // add a base tag in the head of the response from the service -func buildProxyPass(host string, b interface{}, loc interface{}) string { +func buildProxyPass(_ string, b, loc interface{}) string { backends, ok := b.([]*ingress.Backend) if !ok { klog.Errorf("expected an '[]*ingress.Backend' type but %T was returned", b) @@ -726,17 +729,17 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { proxyPass := "proxy_pass" switch location.BackendProtocol { - case "AUTO_HTTP": + case autoHTTPProtocol: proto = "$scheme://" - case "HTTPS": + case httpsProtocol: proto = "https://" - case "GRPC": + case grpcProtocol: proto = "grpc://" proxyPass = "grpc_pass" - case "GRPCS": + case grpcsProtocol: proto = "grpcs://" proxyPass = "grpc_pass" - case "FCGI": + case fcgiProtocol: proto = "" proxyPass = "fastcgi_pass" } @@ -748,7 +751,7 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { if backend.SSLPassthrough { proto = "https://" - if location.BackendProtocol == "GRPCS" { + if location.BackendProtocol == grpcsProtocol { proto = "grpcs://" } } @@ -775,7 +778,7 @@ func buildProxyPass(host string, b interface{}, loc interface{}) string { var xForwardedPrefix string if len(location.XForwardedPrefix) > 0 { - xForwardedPrefix = fmt.Sprintf("%s X-Forwarded-Prefix \"%s\";\n", proxySetHeader(location), location.XForwardedPrefix) + xForwardedPrefix = fmt.Sprintf("%s X-Forwarded-Prefix %q;\n", proxySetHeader(location), location.XForwardedPrefix) } return fmt.Sprintf(` @@ -935,9 +938,7 @@ func isLocationAllowed(input interface{}) bool { return loc.Denied == nil } -var ( - denyPathSlugMap = map[string]string{} -) +var denyPathSlugMap = map[string]string{} // buildDenyVariable returns a nginx variable for a location in a // server to be used in the whitelist check @@ -977,7 +978,11 @@ func buildNextUpstream(i, r interface{}) string { return "" } - retryNonIdempotent := r.(bool) + retryNonIdempotent, ok := r.(bool) + if !ok { + klog.Errorf("expected a 'bool' type but %T was returned", i) + return "" + } parts := strings.Split(nextUpstream, " ") @@ -1002,8 +1007,10 @@ func buildNextUpstream(i, r interface{}) string { // refer to http://nginx.org/en/docs/syntax.html // Nginx differentiates between size and offset // offset directives support gigabytes in addition -var nginxSizeRegex = regexp.MustCompile("^[0-9]+[kKmM]{0,1}$") -var nginxOffsetRegex = regexp.MustCompile("^[0-9]+[kKmMgG]{0,1}$") +var ( + nginxSizeRegex = regexp.MustCompile(`^\d+[kKmM]?$`) + nginxOffsetRegex = regexp.MustCompile(`^\d+[kKmMgG]?$`) +) // isValidByteSize validates size units valid in nginx // http://nginx.org/en/docs/syntax.html @@ -1153,13 +1160,17 @@ func buildForwardedFor(input interface{}) string { return "" } - ffh := strings.Replace(s, "-", "_", -1) + ffh := strings.ReplaceAll(s, "-", "_") ffh = strings.ToLower(ffh) return fmt.Sprintf("$http_%v", ffh) } func buildAuthSignURL(authSignURL, authRedirectParam string) string { - u, _ := url.Parse(authSignURL) + u, err := url.Parse(authSignURL) + if err != nil { + klog.Errorf("error parsing authSignURL: %v", err) + return "" + } q := u.Query() if authRedirectParam == "" { authRedirectParam = defaultGlobalAuthRedirectParam @@ -1198,7 +1209,7 @@ func randomString() string { return string(b) } -func buildOpentracing(c interface{}, s interface{}) string { +func buildOpentracing(c, s interface{}) string { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -1217,6 +1228,7 @@ func buildOpentracing(c interface{}, s interface{}) string { buf := bytes.NewBufferString("") + //nolint:gocritic // rewriting if-else to switch statement is not more readable if cfg.DatadogCollectorHost != "" { buf.WriteString("opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;") } else if cfg.ZipkinCollectorHost != "" { @@ -1228,16 +1240,16 @@ func buildOpentracing(c interface{}, s interface{}) string { buf.WriteString("\r\n") if cfg.OpentracingOperationName != "" { - buf.WriteString(fmt.Sprintf("opentracing_operation_name \"%s\";\n", cfg.OpentracingOperationName)) + fmt.Fprintf(buf, "opentracing_operation_name \"%s\";\n", cfg.OpentracingOperationName) } if cfg.OpentracingLocationOperationName != "" { - buf.WriteString(fmt.Sprintf("opentracing_location_operation_name \"%s\";\n", cfg.OpentracingLocationOperationName)) + fmt.Fprintf(buf, "opentracing_location_operation_name \"%s\";\n", cfg.OpentracingLocationOperationName) } return buf.String() } -func buildOpentelemetry(c interface{}, s interface{}) string { +func buildOpentelemetry(c, s interface{}) string { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -1259,7 +1271,7 @@ func buildOpentelemetry(c interface{}, s interface{}) string { buf.WriteString("\r\n") if cfg.OpentelemetryOperationName != "" { - buf.WriteString(fmt.Sprintf("opentelemetry_operation_name \"%s\";\n", cfg.OpentelemetryOperationName)) + fmt.Fprintf(buf, "opentelemetry_operation_name \"%s\";\n", cfg.OpentelemetryOperationName) } return buf.String() } @@ -1271,7 +1283,7 @@ func proxySetHeader(loc interface{}) string { return "proxy_set_header" } - if location.BackendProtocol == "GRPC" || location.BackendProtocol == "GRPCS" { + if location.BackendProtocol == grpcProtocol || location.BackendProtocol == grpcsProtocol { return "grpc_set_header" } @@ -1280,7 +1292,7 @@ func proxySetHeader(loc interface{}) string { // buildCustomErrorDeps is a utility function returning a struct wrapper with // the data required to build the 'CUSTOM_ERRORS' template -func buildCustomErrorDeps(upstreamName string, errorCodes []int, enableMetrics bool, modsecurityEnabled bool) interface{} { +func buildCustomErrorDeps(upstreamName string, errorCodes []int, enableMetrics, modsecurityEnabled bool) interface{} { return struct { UpstreamName string ErrorCodes []int @@ -1355,7 +1367,7 @@ func opentracingPropagateContext(location *ingress.Location) string { return "" } - if location.BackendProtocol == "GRPC" || location.BackendProtocol == "GRPCS" { + if location.BackendProtocol == grpcProtocol || location.BackendProtocol == grpcsProtocol { return "opentracing_grpc_propagate_context;" } @@ -1372,7 +1384,7 @@ func opentelemetryPropagateContext(location *ingress.Location) string { // shouldLoadModSecurityModule determines whether or not the ModSecurity module needs to be loaded. // First, it checks if `enable-modsecurity` is set in the ConfigMap. If it is not, it iterates over all locations to // check if ModSecurity is enabled by the annotation `nginx.ingress.kubernetes.io/enable-modsecurity`. -func shouldLoadModSecurityModule(c interface{}, s interface{}) bool { +func shouldLoadModSecurityModule(c, s interface{}) bool { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -1403,7 +1415,7 @@ func shouldLoadModSecurityModule(c interface{}, s interface{}) bool { return false } -func buildHTTPListener(t interface{}, s interface{}) string { +func buildHTTPListener(t, s interface{}) string { var out []string tc, ok := t.(config.TemplateConfig) @@ -1423,9 +1435,9 @@ func buildHTTPListener(t interface{}, s interface{}) string { addrV4 = tc.Cfg.BindAddressIpv4 } - co := commonListenOptions(tc, hostname) + co := commonListenOptions(&tc, hostname) - out = append(out, httpListener(addrV4, co, tc)...) + out = append(out, httpListener(addrV4, co, &tc)...) if !tc.IsIPV6Enabled { return strings.Join(out, "\n") @@ -1436,12 +1448,12 @@ func buildHTTPListener(t interface{}, s interface{}) string { addrV6 = tc.Cfg.BindAddressIpv6 } - out = append(out, httpListener(addrV6, co, tc)...) + out = append(out, httpListener(addrV6, co, &tc)...) return strings.Join(out, "\n") } -func buildHTTPSListener(t interface{}, s interface{}) string { +func buildHTTPSListener(t, s interface{}) string { var out []string tc, ok := t.(config.TemplateConfig) @@ -1456,14 +1468,14 @@ func buildHTTPSListener(t interface{}, s interface{}) string { return "" } - co := commonListenOptions(tc, hostname) + co := commonListenOptions(&tc, hostname) addrV4 := []string{""} if len(tc.Cfg.BindAddressIpv4) > 0 { addrV4 = tc.Cfg.BindAddressIpv4 } - out = append(out, httpsListener(addrV4, co, tc)...) + out = append(out, httpsListener(addrV4, co, &tc)...) if !tc.IsIPV6Enabled { return strings.Join(out, "\n") @@ -1474,12 +1486,12 @@ func buildHTTPSListener(t interface{}, s interface{}) string { addrV6 = tc.Cfg.BindAddressIpv6 } - out = append(out, httpsListener(addrV6, co, tc)...) + out = append(out, httpsListener(addrV6, co, &tc)...) return strings.Join(out, "\n") } -func commonListenOptions(template config.TemplateConfig, hostname string) string { +func commonListenOptions(template *config.TemplateConfig, hostname string) string { var out []string if template.Cfg.UseProxyProtocol { @@ -1503,7 +1515,7 @@ func commonListenOptions(template config.TemplateConfig, hostname string) string return strings.Join(out, " ") } -func httpListener(addresses []string, co string, tc config.TemplateConfig) []string { +func httpListener(addresses []string, co string, tc *config.TemplateConfig) []string { out := make([]string, 0) for _, address := range addresses { lo := []string{"listen"} @@ -1514,15 +1526,14 @@ func httpListener(addresses []string, co string, tc config.TemplateConfig) []str lo = append(lo, fmt.Sprintf("%v:%v", address, tc.ListenPorts.HTTP)) } - lo = append(lo, co) - lo = append(lo, ";") + lo = append(lo, co, ";") out = append(out, strings.Join(lo, " ")) } return out } -func httpsListener(addresses []string, co string, tc config.TemplateConfig) []string { +func httpsListener(addresses []string, co string, tc *config.TemplateConfig) []string { out := make([]string, 0) for _, address := range addresses { lo := []string{"listen"} @@ -1545,8 +1556,7 @@ func httpsListener(addresses []string, co string, tc config.TemplateConfig) []st } } - lo = append(lo, co) - lo = append(lo, "ssl") + lo = append(lo, co, "ssl") if tc.Cfg.UseHTTP2 { lo = append(lo, "http2") @@ -1559,7 +1569,7 @@ func httpsListener(addresses []string, co string, tc config.TemplateConfig) []st return out } -func buildOpentracingForLocation(isOTEnabled bool, isOTTrustSet bool, location *ingress.Location) string { +func buildOpentracingForLocation(isOTEnabled, isOTTrustSet bool, location *ingress.Location) string { isOTEnabledInLoc := location.Opentracing.Enabled isOTSetInLoc := location.Opentracing.Set @@ -1578,13 +1588,13 @@ func buildOpentracingForLocation(isOTEnabled bool, isOTTrustSet bool, location * if (!isOTTrustSet && !location.Opentracing.TrustSet) || (location.Opentracing.TrustSet && !location.Opentracing.TrustEnabled) { - opc = opc + "\nopentracing_trust_incoming_span off;" + opc += "\nopentracing_trust_incoming_span off;" } return opc } -func buildOpentelemetryForLocation(isOTEnabled bool, isOTTrustSet bool, location *ingress.Location) string { +func buildOpentelemetryForLocation(isOTEnabled, isOTTrustSet bool, location *ingress.Location) string { isOTEnabledInLoc := location.Opentelemetry.Enabled isOTSetInLoc := location.Opentelemetry.Set @@ -1602,14 +1612,14 @@ func buildOpentelemetryForLocation(isOTEnabled bool, isOTTrustSet bool, location } if location.Opentelemetry.OperationName != "" { - opc = opc + "\nopentelemetry_operation_name " + location.Opentelemetry.OperationName + ";" + opc += "\nopentelemetry_operation_name " + location.Opentelemetry.OperationName + ";" } if (!isOTTrustSet && !location.Opentelemetry.TrustSet) || (location.Opentelemetry.TrustSet && !location.Opentelemetry.TrustEnabled) { - opc = opc + "\nopentelemetry_trust_incoming_spans off;" + opc += "\nopentelemetry_trust_incoming_spans off;" } else { - opc = opc + "\nopentelemetry_trust_incoming_spans on;" + opc += "\nopentelemetry_trust_incoming_spans on;" } return opc } @@ -1617,7 +1627,7 @@ func buildOpentelemetryForLocation(isOTEnabled bool, isOTTrustSet bool, location // shouldLoadOpentracingModule determines whether or not the Opentracing module needs to be loaded. // First, it checks if `enable-opentracing` is set in the ConfigMap. If it is not, it iterates over all locations to // check if Opentracing is enabled by the annotation `nginx.ingress.kubernetes.io/enable-opentracing`. -func shouldLoadOpentracingModule(c interface{}, s interface{}) bool { +func shouldLoadOpentracingModule(c, s interface{}) bool { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -1647,7 +1657,7 @@ func shouldLoadOpentracingModule(c interface{}, s interface{}) bool { // shouldLoadOpentelemetryModule determines whether or not the Opentelemetry module needs to be loaded. // It checks if `enable-opentelemetry` is set in the ConfigMap. -func shouldLoadOpentelemetryModule(c interface{}, s interface{}) bool { +func shouldLoadOpentelemetryModule(c, s interface{}) bool { cfg, ok := c.(config.Configuration) if !ok { klog.Errorf("expected a 'config.Configuration' type but %T was returned", c) @@ -1674,6 +1684,7 @@ func shouldLoadOpentelemetryModule(c interface{}, s interface{}) bool { return false } +//nolint:gocritic // Ignore passing cfg by pointer error func buildModSecurityForLocation(cfg config.Configuration, location *ingress.Location) string { isMSEnabledInLoc := location.ModSecurity.Enable isMSEnableSetInLoc := location.ModSecurity.EnableSet @@ -1807,7 +1818,7 @@ func convertGoSliceIntoLuaTable(goSliceInterface interface{}, emptyStringAsNil b switch kind { case reflect.String: - if emptyStringAsNil && len(goSlice.Interface().(string)) == 0 { + if emptyStringAsNil && goSlice.Interface().(string) == "" { return "nil", nil } return fmt.Sprintf(`"%v"`, goSlice.Interface()), nil @@ -1840,17 +1851,17 @@ func buildCorsOriginRegex(corsOrigins []string) string { return "set $http_origin *;\nset $cors 'true';" } - var originsRegex string = "if ($http_origin ~* (" + originsRegex := "if ($http_origin ~* (" for i, origin := range corsOrigins { originTrimmed := strings.TrimSpace(origin) if len(originTrimmed) > 0 { builtOrigin := buildOriginRegex(originTrimmed) originsRegex += builtOrigin if i != len(corsOrigins)-1 { - originsRegex = originsRegex + "|" + originsRegex += "|" } } } - originsRegex = originsRegex + ")$ ) { set $cors 'true'; }" + originsRegex += ")$ ) { set $cors 'true'; }" return originsRegex } diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index a2c3b8299..110967711 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -48,9 +48,9 @@ import ( func init() { // the default value of nginx.TemplatePath assumes the template exists in // the root filesystem and not in the rootfs directory - path, err := filepath.Abs(filepath.Join("../../../../rootfs/", nginx.TemplatePath)) + absPath, err := filepath.Abs(filepath.Join("..", "..", "..", "..", "rootfs", nginx.TemplatePath)) if err == nil { - nginx.TemplatePath = path + nginx.TemplatePath = absPath } } @@ -63,7 +63,7 @@ var ( Target string Location string ProxyPass string - AutoHttpProxyPass string + AutoHTTPProxyPass string Sticky bool XForwardedPrefix string SecureBackend bool @@ -200,6 +200,12 @@ proxy_pass $scheme://upstream_balancer;`, } ) +const ( + defaultBackend = "upstream-name" + defaultHost = "example.com" + fooAuthHost = "foo.com/auth" +) + func getTestDataDir() (string, error) { pwd, err := os.Getwd() if err != nil { @@ -326,9 +332,6 @@ func TestBuildLocation(t *testing.T) { } func TestBuildProxyPass(t *testing.T) { - defaultBackend := "upstream-name" - defaultHost := "example.com" - for k, tc := range tmplFuncTestcases { loc := &ingress.Location{ Path: tc.Path, @@ -339,7 +342,7 @@ func TestBuildProxyPass(t *testing.T) { } if tc.SecureBackend { - loc.BackendProtocol = "HTTPS" + loc.BackendProtocol = httpsProtocol } backend := &ingress.Backend{ @@ -367,9 +370,6 @@ func TestBuildProxyPass(t *testing.T) { } func TestBuildProxyPassAutoHttp(t *testing.T) { - defaultBackend := "upstream-name" - defaultHost := "example.com" - for k, tc := range tmplFuncTestcases { loc := &ingress.Location{ Path: tc.Path, @@ -379,9 +379,9 @@ func TestBuildProxyPassAutoHttp(t *testing.T) { } if tc.SecureBackend { - loc.BackendProtocol = "HTTPS" + loc.BackendProtocol = httpsProtocol } else { - loc.BackendProtocol = "AUTO_HTTP" + loc.BackendProtocol = autoHTTPProtocol } backend := &ingress.Backend{ @@ -402,7 +402,7 @@ func TestBuildProxyPassAutoHttp(t *testing.T) { backends := []*ingress.Backend{backend} pp := buildProxyPass(defaultHost, backends, loc) - if !strings.EqualFold(tc.AutoHttpProxyPass, pp) { + if !strings.EqualFold(tc.AutoHTTPProxyPass, pp) { t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, tc.ProxyPass, pp) } } @@ -417,7 +417,7 @@ func TestBuildAuthLocation(t *testing.T) { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } - authURL := "foo.com/auth" + authURL := fooAuthHost globalAuthURL := "foo.com/global-auth" loc := &ingress.Location{ @@ -428,7 +428,7 @@ func TestBuildAuthLocation(t *testing.T) { EnableGlobalAuth: true, } - encodedAuthURL := strings.Replace(base64.URLEncoding.EncodeToString([]byte(loc.Path)), "=", "", -1) + encodedAuthURL := strings.ReplaceAll(base64.URLEncoding.EncodeToString([]byte(loc.Path)), "=", "") externalAuthPath := fmt.Sprintf("/_external-auth-%v-default", encodedAuthURL) testCases := []struct { @@ -460,8 +460,7 @@ func TestBuildAuthLocation(t *testing.T) { } func TestShouldApplyGlobalAuth(t *testing.T) { - - authURL := "foo.com/auth" + authURL := fooAuthHost globalAuthURL := "foo.com/global-auth" loc := &ingress.Location{ @@ -579,12 +578,12 @@ func TestBuildAuthUpstreamName(t *testing.T) { loc := &ingress.Location{ ExternalAuth: authreq.Config{ - URL: "foo.com/auth", + URL: fooAuthHost, }, Path: "/cat", } - encodedAuthURL := strings.Replace(base64.URLEncoding.EncodeToString([]byte(loc.Path)), "=", "", -1) + encodedAuthURL := strings.ReplaceAll(base64.URLEncoding.EncodeToString([]byte(loc.Path)), "=", "") externalAuthPath := fmt.Sprintf("external-auth-%v-default", encodedAuthURL) testCases := []struct { @@ -606,7 +605,7 @@ func TestBuildAuthUpstreamName(t *testing.T) { } func TestShouldApplyAuthUpstream(t *testing.T) { - authURL := "foo.com/auth" + authURL := fooAuthHost loc := &ingress.Location{ ExternalAuth: authreq.Config{ @@ -702,7 +701,10 @@ func TestChangeHostPort(t *testing.T) { } func TestTemplateWithData(t *testing.T) { - pwd, _ := os.Getwd() + pwd, err := os.Getwd() + if err != nil { + t.Errorf("unexpected error: %v", err) + } f, err := os.Open(path.Join(pwd, "../../../../test/data/config.json")) if err != nil { t.Errorf("unexpected error reading json file: %v", err) @@ -727,7 +729,7 @@ func TestTemplateWithData(t *testing.T) { dat.Cfg.DefaultSSLCertificate = &ingress.SSLCert{} - rt, err := ngxTpl.Write(dat) + rt, err := ngxTpl.Write(&dat) if err != nil { t.Errorf("invalid NGINX template: %v", err) } @@ -746,7 +748,10 @@ func TestTemplateWithData(t *testing.T) { } func BenchmarkTemplateWithData(b *testing.B) { - pwd, _ := os.Getwd() + pwd, err := os.Getwd() + if err != nil { + b.Errorf("unexpected error: %v", err) + } f, err := os.Open(path.Join(pwd, "../../../../test/data/config.json")) if err != nil { b.Errorf("unexpected error reading json file: %v", err) @@ -767,7 +772,7 @@ func BenchmarkTemplateWithData(b *testing.B) { } for i := 0; i < b.N; i++ { - if _, err := ngxTpl.Write(dat); err != nil { + if _, err := ngxTpl.Write(&dat); err != nil { b.Errorf("unexpected error writing template: %v", err) } } @@ -1066,9 +1071,6 @@ func TestBuildUpstreamName(t *testing.T) { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } - defaultBackend := "upstream-name" - defaultHost := "example.com" - for k, tc := range tmplFuncTestcases { loc := &ingress.Location{ Path: tc.Path, @@ -1079,7 +1081,7 @@ func TestBuildUpstreamName(t *testing.T) { } if tc.SecureBackend { - loc.BackendProtocol = "HTTPS" + loc.BackendProtocol = httpsProtocol } backend := &ingress.Backend{ @@ -1134,13 +1136,13 @@ func TestEscapeLiteralDollar(t *testing.T) { func TestOpentracingPropagateContext(t *testing.T) { tests := map[*ingress.Location]string{ - {BackendProtocol: "HTTP"}: "opentracing_propagate_context;", - {BackendProtocol: "HTTPS"}: "opentracing_propagate_context;", - {BackendProtocol: "AUTO_HTTP"}: "opentracing_propagate_context;", - {BackendProtocol: "GRPC"}: "opentracing_grpc_propagate_context;", - {BackendProtocol: "GRPCS"}: "opentracing_grpc_propagate_context;", - {BackendProtocol: "FCGI"}: "opentracing_propagate_context;", - nil: "", + {BackendProtocol: httpProtocol}: "opentracing_propagate_context;", + {BackendProtocol: httpsProtocol}: "opentracing_propagate_context;", + {BackendProtocol: autoHTTPProtocol}: "opentracing_propagate_context;", + {BackendProtocol: grpcProtocol}: "opentracing_grpc_propagate_context;", + {BackendProtocol: grpcsProtocol}: "opentracing_grpc_propagate_context;", + {BackendProtocol: fcgiProtocol}: "opentracing_propagate_context;", + nil: "", } for loc, expectedDirective := range tests { @@ -1153,13 +1155,13 @@ func TestOpentracingPropagateContext(t *testing.T) { func TestOpentelemetryPropagateContext(t *testing.T) { tests := map[*ingress.Location]string{ - {BackendProtocol: "HTTP"}: "opentelemetry_propagate;", - {BackendProtocol: "HTTPS"}: "opentelemetry_propagate;", - {BackendProtocol: "AUTO_HTTP"}: "opentelemetry_propagate;", - {BackendProtocol: "GRPC"}: "opentelemetry_propagate;", - {BackendProtocol: "GRPCS"}: "opentelemetry_propagate;", - {BackendProtocol: "FCGI"}: "opentelemetry_propagate;", - nil: "", + {BackendProtocol: httpProtocol}: "opentelemetry_propagate;", + {BackendProtocol: httpsProtocol}: "opentelemetry_propagate;", + {BackendProtocol: autoHTTPProtocol}: "opentelemetry_propagate;", + {BackendProtocol: grpcProtocol}: "opentelemetry_propagate;", + {BackendProtocol: grpcsProtocol}: "opentelemetry_propagate;", + {BackendProtocol: fcgiProtocol}: "opentelemetry_propagate;", + nil: "", } for loc, expectedDirective := range tests { @@ -1171,7 +1173,6 @@ func TestOpentelemetryPropagateContext(t *testing.T) { } func TestGetIngressInformation(t *testing.T) { - testcases := map[string]struct { Ingress interface{} Host string @@ -1625,7 +1626,7 @@ func TestProxySetHeader(t *testing.T) { { name: "gRPC backend", loc: &ingress.Location{ - BackendProtocol: "GRPC", + BackendProtocol: grpcProtocol, }, expected: "grpc_set_header", }, @@ -1716,7 +1717,6 @@ func TestBuildOpenTracing(t *testing.T) { if expected != actual { t.Errorf("Expected '%v' but returned '%v'", expected, actual) } - } func TestBuildOpenTelemetry(t *testing.T) { @@ -1777,6 +1777,7 @@ func TestEnforceRegexModifier(t *testing.T) { } } +//nolint:dupl // Ignore dupl errors for similar test case func TestShouldLoadModSecurityModule(t *testing.T) { // ### Invalid argument type tests ### // The first tests should return false. @@ -1877,6 +1878,7 @@ opentracing_trust_incoming_span off;` } } +//nolint:dupl // Ignore dupl errors for similar test case func TestShouldLoadOpentracingModule(t *testing.T) { // ### Invalid argument type tests ### // The first tests should return false. @@ -1978,6 +1980,7 @@ opentelemetry_trust_incoming_spans off;` } } +//nolint:dupl // Ignore dupl errors for similar test case func TestShouldLoadOpentelemetryModule(t *testing.T) { // ### Invalid argument type tests ### // The first tests should return false. @@ -2104,7 +2107,6 @@ func TestModSecurityForLocation(t *testing.T) { } func TestBuildServerName(t *testing.T) { - testCases := []struct { title string hostname string diff --git a/internal/ingress/controller/util.go b/internal/ingress/controller/util.go index 6562dd17c..8851f323f 100644 --- a/internal/ingress/controller/util.go +++ b/internal/ingress/controller/util.go @@ -135,11 +135,13 @@ func (nc NginxCommand) ExecCommand(args ...string) *exec.Cmd { cmdArgs = append(cmdArgs, "-c", cfgPath) cmdArgs = append(cmdArgs, args...) + //nolint:gosec // Ignore G204 error return exec.Command(nc.Binary, cmdArgs...) } // Test checks if config file is a syntax valid nginx configuration func (nc NginxCommand) Test(cfg string) ([]byte, error) { + //nolint:gosec // Ignore G204 error return exec.Command(nc.Binary, "-c", cfg, "-t").CombinedOutput() } diff --git a/internal/ingress/defaults/main.go b/internal/ingress/defaults/main.go index 8cd0e8ba5..0526d443e 100644 --- a/internal/ingress/defaults/main.go +++ b/internal/ingress/defaults/main.go @@ -100,7 +100,7 @@ type Backend struct { // Name server/s used to resolve names of upstream servers into IP addresses. // The file /etc/resolv.conf is used as DNS resolution configuration. - Resolver []net.IP + Resolver []net.IP `json:"Resolver"` // SkipAccessLogURLs sets a list of URLs that should not appear in the NGINX access log // This is useful with urls like `/health` or `health-check` that make "complex" reading the logs diff --git a/internal/ingress/errors/errors.go b/internal/ingress/errors/errors.go index e6f7fb52c..d70218334 100644 --- a/internal/ingress/errors/errors.go +++ b/internal/ingress/errors/errors.go @@ -33,57 +33,57 @@ var ( // NewInvalidAnnotationConfiguration returns a new InvalidConfiguration error for use when // annotations are not correctly configured -func NewInvalidAnnotationConfiguration(name string, reason string) error { - return InvalidConfiguration{ +func NewInvalidAnnotationConfiguration(name, reason string) error { + return InvalidConfigurationError{ Name: fmt.Sprintf("the annotation %v does not contain a valid configuration: %v", name, reason), } } // NewInvalidAnnotationContent returns a new InvalidContent error func NewInvalidAnnotationContent(name string, val interface{}) error { - return InvalidContent{ + return InvalidContentError{ Name: fmt.Sprintf("the annotation %v does not contain a valid value (%v)", name, val), } } // NewLocationDenied returns a new LocationDenied error func NewLocationDenied(reason string) error { - return LocationDenied{ - Reason: fmt.Errorf("Location denied, reason: %v", reason), + return LocationDeniedError{ + Reason: fmt.Errorf("location denied, reason: %v", reason), } } -// InvalidConfiguration Error -type InvalidConfiguration struct { +// InvalidConfigurationError +type InvalidConfigurationError struct { Name string } -func (e InvalidConfiguration) Error() string { +func (e InvalidConfigurationError) Error() string { return e.Name } -// InvalidContent error -type InvalidContent struct { +// InvalidContentError +type InvalidContentError struct { Name string } -func (e InvalidContent) Error() string { +func (e InvalidContentError) Error() string { return e.Name } -// LocationDenied error -type LocationDenied struct { +// LocationDeniedError +type LocationDeniedError struct { Reason error } -func (e LocationDenied) Error() string { +func (e LocationDeniedError) Error() string { return e.Reason.Error() } // IsLocationDenied checks if the err is an error which // indicates a location should return HTTP code 503 func IsLocationDenied(e error) bool { - _, ok := e.(LocationDenied) + _, ok := e.(LocationDeniedError) return ok } @@ -96,7 +96,7 @@ func IsMissingAnnotations(e error) bool { // IsInvalidContent checks if the err is an error which // indicates an annotations value is not valid func IsInvalidContent(e error) bool { - _, ok := e.(InvalidContent) + _, ok := e.(InvalidContentError) return ok } diff --git a/internal/ingress/inspector/ingress_test.go b/internal/ingress/inspector/ingress_test.go index bfd9f6b93..52ad8d431 100644 --- a/internal/ingress/inspector/ingress_test.go +++ b/internal/ingress/inspector/ingress_test.go @@ -24,7 +24,6 @@ import ( ) func makeSimpleIngress(hostname string, paths ...string) *networking.Ingress { - newIngress := networking.Ingress{ ObjectMeta: v1.ObjectMeta{ Name: "test1", diff --git a/internal/ingress/inspector/inspector.go b/internal/ingress/inspector/inspector.go index 23b57e538..b41e18d9e 100644 --- a/internal/ingress/inspector/inspector.go +++ b/internal/ingress/inspector/inspector.go @@ -40,9 +40,7 @@ func DeepInspect(obj interface{}) error { } } -var ( - implSpecific = networking.PathTypeImplementationSpecific -) +var implSpecific = networking.PathTypeImplementationSpecific func ValidatePathType(ing *networking.Ingress) error { if ing == nil { diff --git a/internal/ingress/inspector/rules.go b/internal/ingress/inspector/rules.go index c9714e680..8388efdd5 100644 --- a/internal/ingress/inspector/rules.go +++ b/internal/ingress/inspector/rules.go @@ -34,7 +34,7 @@ var ( // the group [[:alnum:]\_\-\/]* says that any amount of characters (A-Za-z0-9), _, - and / // are accepted until the end of the line // Nothing else is accepted. - validPathType = regexp.MustCompile(`(?i)^/[[:alnum:]\_\-\/]*$`) + validPathType = regexp.MustCompile(`(?i)^/[[:alnum:]\_\-/]*$`) invalidRegex = []regexp.Regexp{} ) @@ -52,8 +52,8 @@ func init() { // CheckRegex receives a value/configuration and validates if it matches with one of the // forbidden regexes. func CheckRegex(value string) error { - for _, regex := range invalidRegex { - if regex.MatchString(value) { + for i := range invalidRegex { + if invalidRegex[i].MatchString(value) { return fmt.Errorf("invalid value found: %s", value) } } diff --git a/internal/ingress/inspector/rules_test.go b/internal/ingress/inspector/rules_test.go index 6ed6dbe87..3945a3bd4 100644 --- a/internal/ingress/inspector/rules_test.go +++ b/internal/ingress/inspector/rules_test.go @@ -19,7 +19,6 @@ package inspector import "testing" func TestCheckRegex(t *testing.T) { - tests := []struct { name string value string diff --git a/internal/ingress/inspector/service.go b/internal/ingress/inspector/service.go index 27ed27a8c..8be08490b 100644 --- a/internal/ingress/inspector/service.go +++ b/internal/ingress/inspector/service.go @@ -21,6 +21,6 @@ import ( ) // InspectService will be used to inspect service objects for possible invalid configurations -func InspectService(svc *corev1.Service) error { +func InspectService(_ *corev1.Service) error { return nil } diff --git a/internal/ingress/metric/collectors/admission.go b/internal/ingress/metric/collectors/admission.go index cf42fbaa1..7b84325c0 100644 --- a/internal/ingress/metric/collectors/admission.go +++ b/internal/ingress/metric/collectors/admission.go @@ -104,7 +104,7 @@ func NewAdmissionCollector(pod, namespace, class string) *AdmissionCollector { } // Describe implements prometheus.Collector -func (am AdmissionCollector) Describe(ch chan<- *prometheus.Desc) { +func (am *AdmissionCollector) Describe(ch chan<- *prometheus.Desc) { am.testedIngressLength.Describe(ch) am.testedIngressTime.Describe(ch) am.renderingIngressLength.Describe(ch) @@ -114,7 +114,7 @@ func (am AdmissionCollector) Describe(ch chan<- *prometheus.Desc) { } // Collect implements the prometheus.Collector interface. -func (am AdmissionCollector) Collect(ch chan<- prometheus.Metric) { +func (am *AdmissionCollector) Collect(ch chan<- prometheus.Metric) { am.testedIngressLength.Collect(ch) am.testedIngressTime.Collect(ch) am.renderingIngressLength.Collect(ch) @@ -139,7 +139,7 @@ func ByteFormat(bytes int64) string { } // SetAdmissionMetrics sets the values for AdmissionMetrics that can be called externally -func (am *AdmissionCollector) SetAdmissionMetrics(testedIngressLength float64, testedIngressTime float64, renderingIngressLength float64, renderingIngressTime float64, testedConfigurationSize float64, admissionTime float64) { +func (am *AdmissionCollector) SetAdmissionMetrics(testedIngressLength, testedIngressTime, renderingIngressLength, renderingIngressTime, testedConfigurationSize, admissionTime float64) { am.testedIngressLength.Set(testedIngressLength) am.testedIngressTime.Set(testedIngressTime) am.renderingIngressLength.Set(renderingIngressLength) diff --git a/internal/ingress/metric/collectors/controller.go b/internal/ingress/metric/collectors/controller.go index 3a65a1a99..e1d6789bb 100644 --- a/internal/ingress/metric/collectors/controller.go +++ b/internal/ingress/metric/collectors/controller.go @@ -226,7 +226,7 @@ func (cm *Controller) IncCheckErrorCount(namespace, name string) { } // IncOrphanIngress sets the the orphaned ingress gauge to one -func (cm *Controller) IncOrphanIngress(namespace string, name string, orphanityType string) { +func (cm *Controller) IncOrphanIngress(namespace, name, orphanityType string) { labels := prometheus.Labels{ "namespace": namespace, "ingress": name, @@ -236,7 +236,7 @@ func (cm *Controller) IncOrphanIngress(namespace string, name string, orphanityT } // DecOrphanIngress sets the the orphaned ingress gauge to zero (all services has their endpoints) -func (cm *Controller) DecOrphanIngress(namespace string, name string, orphanityType string) { +func (cm *Controller) DecOrphanIngress(namespace, name, orphanityType string) { labels := prometheus.Labels{ "namespace": namespace, "ingress": name, @@ -261,7 +261,7 @@ func (cm *Controller) ConfigSuccess(hash uint64, success bool) { } // Describe implements prometheus.Collector -func (cm Controller) Describe(ch chan<- *prometheus.Desc) { +func (cm *Controller) Describe(ch chan<- *prometheus.Desc) { cm.configHash.Describe(ch) cm.configSuccess.Describe(ch) cm.configSuccessTime.Describe(ch) @@ -277,7 +277,7 @@ func (cm Controller) Describe(ch chan<- *prometheus.Desc) { } // Collect implements the prometheus.Collector interface. -func (cm Controller) Collect(ch chan<- prometheus.Metric) { +func (cm *Controller) Collect(ch chan<- prometheus.Metric) { cm.configHash.Collect(ch) cm.configSuccess.Collect(ch) cm.configSuccessTime.Collect(ch) @@ -295,41 +295,45 @@ func (cm Controller) Collect(ch chan<- prometheus.Metric) { // SetSSLExpireTime sets the expiration time of SSL Certificates func (cm *Controller) SetSSLExpireTime(servers []*ingress.Server) { for _, s := range servers { - if s.Hostname != "" && s.SSLCert != nil && s.SSLCert.ExpireTime.Unix() > 0 { - labels := make(prometheus.Labels, len(cm.labels)+1) - for k, v := range cm.labels { - labels[k] = v - } - labels["host"] = s.Hostname - labels["secret_name"] = s.SSLCert.Name - - cm.sslExpireTime.With(labels).Set(float64(s.SSLCert.ExpireTime.Unix())) + if !(s.Hostname != "" && s.SSLCert != nil && s.SSLCert.ExpireTime.Unix() > 0) { + continue } + + labels := make(prometheus.Labels, len(cm.labels)+1) + for k, v := range cm.labels { + labels[k] = v + } + labels["host"] = s.Hostname + labels["secret_name"] = s.SSLCert.Name + + cm.sslExpireTime.With(labels).Set(float64(s.SSLCert.ExpireTime.Unix())) } } // SetSSLInfo creates a metric with all certificates informations func (cm *Controller) SetSSLInfo(servers []*ingress.Server) { for _, s := range servers { - if s.SSLCert != nil && s.SSLCert.Certificate != nil && s.SSLCert.Certificate.SerialNumber != nil { - labels := make(prometheus.Labels, len(cm.labels)+1) - for k, v := range cm.labels { - labels[k] = v - } - labels["identifier"] = s.SSLCert.Identifier() - labels["host"] = s.Hostname - labels["secret_name"] = s.SSLCert.Name - labels["namespace"] = s.SSLCert.Namespace - labels["issuer_common_name"] = s.SSLCert.Certificate.Issuer.CommonName - labels["issuer_organization"] = "" - if len(s.SSLCert.Certificate.Issuer.Organization) > 0 { - labels["issuer_organization"] = s.SSLCert.Certificate.Issuer.Organization[0] - } - labels["serial_number"] = s.SSLCert.Certificate.SerialNumber.String() - labels["public_key_algorithm"] = s.SSLCert.Certificate.PublicKeyAlgorithm.String() - - cm.sslInfo.With(labels).Set(1) + if s.SSLCert == nil || s.SSLCert.Certificate == nil || s.SSLCert.Certificate.SerialNumber == nil { + continue } + + labels := make(prometheus.Labels, len(cm.labels)+1) + for k, v := range cm.labels { + labels[k] = v + } + labels["identifier"] = s.SSLCert.Identifier() + labels["host"] = s.Hostname + labels["secret_name"] = s.SSLCert.Name + labels["namespace"] = s.SSLCert.Namespace + labels["issuer_common_name"] = s.SSLCert.Certificate.Issuer.CommonName + labels["issuer_organization"] = "" + if len(s.SSLCert.Certificate.Issuer.Organization) > 0 { + labels["issuer_organization"] = s.SSLCert.Certificate.Issuer.Organization[0] + } + labels["serial_number"] = s.SSLCert.Certificate.SerialNumber.String() + labels["public_key_algorithm"] = s.SSLCert.Certificate.PublicKeyAlgorithm.String() + + cm.sslInfo.With(labels).Set(1) } } diff --git a/internal/ingress/metric/collectors/controller_test.go b/internal/ingress/metric/collectors/controller_test.go index ef80bc96a..15735df42 100644 --- a/internal/ingress/metric/collectors/controller_test.go +++ b/internal/ingress/metric/collectors/controller_test.go @@ -76,9 +76,12 @@ func TestControllerCounters(t *testing.T) { { name: "should set SSL certificates metrics", test: func(cm *Controller) { - t1, _ := time.Parse( + t1, err := time.Parse( time.RFC3339, "2012-11-01T22:08:41+00:00") + if err != nil { + t.Errorf("unexpected error: %v", err) + } servers := []*ingress.Server{ { @@ -106,7 +109,6 @@ func TestControllerCounters(t *testing.T) { { name: "should set SSL certificates infos metrics", test: func(cm *Controller) { - servers := []*ingress.Server{ { Hostname: "demo", @@ -143,7 +145,6 @@ func TestControllerCounters(t *testing.T) { { name: "should ignore certificates without serial number", test: func(cm *Controller) { - servers := []*ingress.Server{ { Hostname: "demo", @@ -168,7 +169,6 @@ func TestControllerCounters(t *testing.T) { { name: "should ignore certificates with nil x509 pointer", test: func(cm *Controller) { - servers := []*ingress.Server{ { Hostname: "demo", @@ -193,7 +193,6 @@ func TestControllerCounters(t *testing.T) { { name: "should ignore servers without certificates", test: func(cm *Controller) { - servers := []*ingress.Server{ { Hostname: "demo", @@ -232,9 +231,12 @@ func TestRemoveMetrics(t *testing.T) { t.Errorf("registering collector failed: %s", err) } - t1, _ := time.Parse( + t1, err := time.Parse( time.RFC3339, "2012-11-01T22:08:41+00:00") + if err != nil { + t.Errorf("Unexpected error: %v", err) + } servers := []*ingress.Server{ { @@ -279,10 +281,12 @@ func TestRemoveAllSSLMetrics(t *testing.T) { t.Errorf("registering collector failed: %s", err) } - t1, _ := time.Parse( + t1, err := time.Parse( time.RFC3339, "2012-11-01T22:08:41+00:00") - + if err != nil { + t.Errorf("unexpected error: %v", err) + } servers := []*ingress.Server{ { Hostname: "demo", diff --git a/internal/ingress/metric/collectors/main.go b/internal/ingress/metric/collectors/main.go index 2c57ad774..b2479929b 100644 --- a/internal/ingress/metric/collectors/main.go +++ b/internal/ingress/metric/collectors/main.go @@ -17,4 +17,4 @@ limitations under the License. package collectors // PrometheusNamespace default metric namespace -var PrometheusNamespace = "nginx_ingress_controller" +var PrometheusNamespace = "nginx_ingress_controller" //#nosec G101 diff --git a/internal/ingress/metric/collectors/nginx_status.go b/internal/ingress/metric/collectors/nginx_status.go index 5aaa787de..f3afdc334 100644 --- a/internal/ingress/metric/collectors/nginx_status.go +++ b/internal/ingress/metric/collectors/nginx_status.go @@ -75,7 +75,6 @@ type NGINXStatusCollector interface { // NewNGINXStatus returns a new prometheus collector the default nginx status module func NewNGINXStatus(podName, namespace, ingressClass string) (NGINXStatusCollector, error) { - p := nginxStatusCollector{ scrapeChan: make(chan scrapeRequest), } diff --git a/internal/ingress/metric/collectors/nginx_status_test.go b/internal/ingress/metric/collectors/nginx_status_test.go index 4dc67c425..ec535745d 100644 --- a/internal/ingress/metric/collectors/nginx_status_test.go +++ b/internal/ingress/metric/collectors/nginx_status_test.go @@ -106,7 +106,7 @@ func TestStatusCollector(t *testing.T) { server := &httptest.Server{ Listener: listener, - Config: &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + Config: &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { //nolint:gosec // Ignore the gosec error in testing w.WriteHeader(http.StatusOK) if r.URL.Path == "/nginx_status" { diff --git a/internal/ingress/metric/collectors/process.go b/internal/ingress/metric/collectors/process.go index 23f533876..3803a47ae 100644 --- a/internal/ingress/metric/collectors/process.go +++ b/internal/ingress/metric/collectors/process.go @@ -53,6 +53,8 @@ type BinaryNameMatcher struct { // MatchAndName returns false if the match failed, otherwise // true and the resulting name. +// +//nolint:gocritic // nacl param cannot be a pointer since it's to implement common.MatchNamer interface func (em BinaryNameMatcher) MatchAndName(nacl common.ProcAttributes) (bool, string) { if len(nacl.Cmdline) == 0 { return false, "" @@ -94,8 +96,10 @@ type NGINXProcessCollector interface { Stop() } -var name = "nginx" -var binary = "/usr/bin/nginx" +var ( + name = "nginx" + binary = "/usr/bin/nginx" +) // NewNGINXProcess returns a new prometheus collector for the nginx process func NewNGINXProcess(pod, namespace, ingressClass string) (NGINXProcessCollector, error) { @@ -106,7 +110,7 @@ func NewNGINXProcess(pod, namespace, ingressClass string) (NGINXProcessCollector nm := newBinaryNameMatcher(name, binary) - p := namedProcess{ + p := &namedProcess{ scrapeChan: make(chan scrapeRequest), Grouper: proc.NewGrouper(nm, true, false, false, false), fs: fs, @@ -164,7 +168,7 @@ func NewNGINXProcess(pod, namespace, ingressClass string) (NGINXProcessCollector } // Describe implements prometheus.Collector. -func (p namedProcess) Describe(ch chan<- *prometheus.Desc) { +func (p *namedProcess) Describe(ch chan<- *prometheus.Desc) { ch <- p.data.cpuSecs ch <- p.data.numProcs ch <- p.data.readBytes @@ -175,13 +179,13 @@ func (p namedProcess) Describe(ch chan<- *prometheus.Desc) { } // Collect implements prometheus.Collector. -func (p namedProcess) Collect(ch chan<- prometheus.Metric) { +func (p *namedProcess) Collect(ch chan<- prometheus.Metric) { req := scrapeRequest{results: ch, done: make(chan struct{})} p.scrapeChan <- req <-req.done } -func (p namedProcess) Start() { +func (p *namedProcess) Start() { for req := range p.scrapeChan { ch := req.results p.scrape(ch) @@ -189,18 +193,19 @@ func (p namedProcess) Start() { } } -func (p namedProcess) Stop() { +func (p *namedProcess) Stop() { close(p.scrapeChan) } -func (p namedProcess) scrape(ch chan<- prometheus.Metric) { +func (p *namedProcess) scrape(ch chan<- prometheus.Metric) { _, groups, err := p.Update(p.fs.AllProcs()) if err != nil { klog.Warningf("unexpected error obtaining nginx process info: %v", err) return } - for _, gcounts := range groups { + for i := range groups { + gcounts := groups[i] ch <- prometheus.MustNewConstMetric(p.data.numProcs, prometheus.GaugeValue, float64(gcounts.Procs)) ch <- prometheus.MustNewConstMetric(p.data.memResidentbytes, diff --git a/internal/ingress/metric/collectors/process_test.go b/internal/ingress/metric/collectors/process_test.go index b21d95496..588cbafef 100644 --- a/internal/ingress/metric/collectors/process_test.go +++ b/internal/ingress/metric/collectors/process_test.go @@ -48,8 +48,11 @@ func TestProcessCollector(t *testing.T) { done := make(chan struct{}) go func() { - cmd.Wait() //nolint:errcheck - status := cmd.ProcessState.Sys().(syscall.WaitStatus) + cmd.Wait() //nolint:errcheck // Ignore the error + status, ok := cmd.ProcessState.Sys().(syscall.WaitStatus) + if !ok { + t.Errorf("unexpected type: %T", cmd.ProcessState.Sys()) + } if status.Signaled() { t.Logf("Signal: %v", status.Signal()) } else { @@ -69,7 +72,7 @@ func TestProcessCollector(t *testing.T) { defer func() { cm.Stop() - cmd.Process.Kill() //nolint:errcheck + cmd.Process.Kill() //nolint:errcheck // Ignore the error <-done close(done) }() diff --git a/internal/ingress/metric/collectors/socket.go b/internal/ingress/metric/collectors/socket.go index 508cc6bc8..a70024c57 100644 --- a/internal/ingress/metric/collectors/socket.go +++ b/internal/ingress/metric/collectors/socket.go @@ -44,14 +44,11 @@ type socketData struct { Latency float64 `json:"upstreamLatency"` HeaderTime float64 `json:"upstreamHeaderTime"` ResponseTime float64 `json:"upstreamResponseTime"` - //ResponseLength float64 `json:"upstreamResponseLength"` - //Status string `json:"upstreamStatus"` - - Namespace string `json:"namespace"` - Ingress string `json:"ingress"` - Service string `json:"service"` - Canary string `json:"canary"` - Path string `json:"path"` + Namespace string `json:"namespace"` + Ingress string `json:"ingress"` + Service string `json:"service"` + Canary string `json:"canary"` + Path string `json:"path"` } // HistogramBuckets allow customizing prometheus histogram buckets values @@ -89,19 +86,17 @@ type SocketCollector struct { reportStatusClasses bool } -var ( - requestTags = []string{ - "status", +var requestTags = []string{ + "status", - "method", - "path", + "method", + "path", - "namespace", - "ingress", - "service", - "canary", - } -) + "namespace", + "ingress", + "service", + "canary", +} // DefObjectives was removed in https://github.com/prometheus/client_golang/pull/262 // updating the library to latest version changed the output of the metrics @@ -112,6 +107,7 @@ var defObjectives = map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001} func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStatusClasses bool, buckets HistogramBuckets, excludeMetrics []string) (*SocketCollector, error) { socket := "/tmp/nginx/prometheus-nginx.socket" // unix sockets must be unlink()ed before being used + //nolint:errcheck // Ignore unlink error _ = syscall.Unlink(socket) listener, err := net.Listen("unix", socket) @@ -119,7 +115,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat return nil, err } - err = os.Chmod(socket, 0777) // #nosec + err = os.Chmod(socket, 0o777) // #nosec if err != nil { return nil, err } @@ -152,7 +148,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat reportStatusClasses: reportStatusClasses, connectTime: histogramMetric( - prometheus.HistogramOpts{ + &prometheus.HistogramOpts{ Name: "connect_duration_seconds", Help: "The time spent on establishing a connection with the upstream server", Namespace: PrometheusNamespace, @@ -165,7 +161,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ), headerTime: histogramMetric( - prometheus.HistogramOpts{ + &prometheus.HistogramOpts{ Name: "header_duration_seconds", Help: "The time spent on receiving first header from the upstream server", Namespace: PrometheusNamespace, @@ -177,7 +173,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat mm, ), responseTime: histogramMetric( - prometheus.HistogramOpts{ + &prometheus.HistogramOpts{ Name: "response_duration_seconds", Help: "The time spent on receiving the response from the upstream server", Namespace: PrometheusNamespace, @@ -190,7 +186,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ), requestTime: histogramMetric( - prometheus.HistogramOpts{ + &prometheus.HistogramOpts{ Name: "request_duration_seconds", Help: "The request processing time in milliseconds", Namespace: PrometheusNamespace, @@ -203,7 +199,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ), responseLength: histogramMetric( - prometheus.HistogramOpts{ + &prometheus.HistogramOpts{ Name: "response_size", Help: "The response length (including request line, header, and request body)", Namespace: PrometheusNamespace, @@ -216,7 +212,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ), requestLength: histogramMetric( - prometheus.HistogramOpts{ + &prometheus.HistogramOpts{ Name: "request_size", Help: "The request length (including request line, header, and request body)", Namespace: PrometheusNamespace, @@ -229,7 +225,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ), requests: counterMetric( - prometheus.CounterOpts{ + &prometheus.CounterOpts{ Name: "requests", Help: "The total number of client requests", Namespace: PrometheusNamespace, @@ -241,7 +237,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ), bytesSent: histogramMetric( - prometheus.HistogramOpts{ + &prometheus.HistogramOpts{ Name: "bytes_sent", Help: "DEPRECATED The number of bytes sent to a client", Namespace: PrometheusNamespace, @@ -254,7 +250,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost, reportStat ), upstreamLatency: summaryMetric( - prometheus.SummaryOpts{ + &prometheus.SummaryOpts{ Name: "ingress_upstream_latency_seconds", Help: "DEPRECATED Upstream service latency per Ingress", Namespace: PrometheusNamespace, @@ -279,36 +275,36 @@ func containsMetric(excludeMetrics map[string]struct{}, name string) bool { return false } -func summaryMetric(opts prometheus.SummaryOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.SummaryVec { +func summaryMetric(opts *prometheus.SummaryOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.SummaryVec { if containsMetric(excludeMetrics, opts.Name) { return nil } m := prometheus.NewSummaryVec( - opts, + *opts, requestTags, ) metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m return m } -func counterMetric(opts prometheus.CounterOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.CounterVec { +func counterMetric(opts *prometheus.CounterOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.CounterVec { if containsMetric(excludeMetrics, opts.Name) { return nil } m := prometheus.NewCounterVec( - opts, + *opts, requestTags, ) metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m return m } -func histogramMetric(opts prometheus.HistogramOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.HistogramVec { +func histogramMetric(opts *prometheus.HistogramOpts, requestTags []string, excludeMetrics map[string]struct{}, metricMapping metricMapping) *prometheus.HistogramVec { if containsMetric(excludeMetrics, opts.Name) { return nil } m := prometheus.NewHistogramVec( - opts, + *opts, requestTags, ) metricMapping[prometheus.BuildFQName(PrometheusNamespace, "", opts.Name)] = m @@ -326,7 +322,8 @@ func (sc *SocketCollector) handleMessage(msg []byte) { return } - for _, stats := range statsBatch { + for i := range statsBatch { + stats := &statsBatch[i] if sc.metricsPerHost && !sc.hosts.Has(stats.Host) { klog.V(3).InfoS("Skipping metric for host not being served", "host", stats.Host) continue @@ -543,14 +540,14 @@ func (sc *SocketCollector) RemoveMetrics(ingresses []string, registry prometheus } // Describe implements prometheus.Collector -func (sc SocketCollector) Describe(ch chan<- *prometheus.Desc) { +func (sc *SocketCollector) Describe(ch chan<- *prometheus.Desc) { for _, metric := range sc.metricMapping { metric.Describe(ch) } } // Collect implements the prometheus.Collector interface. -func (sc SocketCollector) Collect(ch chan<- prometheus.Metric) { +func (sc *SocketCollector) Collect(ch chan<- prometheus.Metric) { for _, metric := range sc.metricMapping { metric.Collect(ch) } diff --git a/internal/ingress/metric/collectors/socket_test.go b/internal/ingress/metric/collectors/socket_test.go index 6000f2685..71e9097c9 100644 --- a/internal/ingress/metric/collectors/socket_test.go +++ b/internal/ingress/metric/collectors/socket_test.go @@ -30,6 +30,7 @@ import ( func TestNewUDPLogListener(t *testing.T) { var count uint64 + //nolint:unparam // Unused `message` param is required by the handleMessages function fn := func(message []byte) { atomic.AddUint64(&count, 1) } @@ -57,7 +58,10 @@ func TestNewUDPLogListener(t *testing.T) { } }() - conn, _ := net.Dial("unix", tmpFile) + conn, err := net.Dial("unix", tmpFile) + if err != nil { + t.Errorf("unexpected error connecting to unix socket: %v", err) + } if _, err := conn.Write([]byte("message")); err != nil { t.Errorf("unexpected error writing to unix socket: %v", err) } @@ -70,7 +74,6 @@ func TestNewUDPLogListener(t *testing.T) { } func TestCollector(t *testing.T) { - buckets := struct { TimeBuckets []float64 LengthBuckets []float64 diff --git a/internal/ingress/metric/collectors/testutils.go b/internal/ingress/metric/collectors/testutils.go index 8c5c27b62..669e89e17 100644 --- a/internal/ingress/metric/collectors/testutils.go +++ b/internal/ingress/metric/collectors/testutils.go @@ -31,7 +31,7 @@ import ( // GatherAndCompare retrieves all metrics exposed by a collector and compares it // to an expected output in the Prometheus text exposition format. // metricNames allows only comparing the given metrics. All are compared if it's nil. -func GatherAndCompare(c prometheus.Collector, expected string, metricNames []string, reg prometheus.Gatherer) error { +func GatherAndCompare(_ prometheus.Collector, expected string, metricNames []string, reg prometheus.Gatherer) error { expected = removeUnusedWhitespace(expected) metrics, err := reg.Gather() @@ -77,9 +77,7 @@ metric output does not match expectation; want: got: -'%s' - -`, buf2.String(), buf1.String()) +'%s'`, buf2.String(), buf1.String()) } return nil } diff --git a/internal/ingress/metric/dummy.go b/internal/ingress/metric/dummy.go index d8ae0155a..a619ccbd8 100644 --- a/internal/ingress/metric/dummy.go +++ b/internal/ingress/metric/dummy.go @@ -29,50 +29,50 @@ func NewDummyCollector() Collector { // DummyCollector dummy implementation for mocks in tests type DummyCollector struct{} -// ConfigSuccess ... +// ConfigSuccess dummy implementation func (dc DummyCollector) ConfigSuccess(uint64, bool) {} -// SetAdmissionMetrics ... +// SetAdmissionMetrics dummy implementation func (dc DummyCollector) SetAdmissionMetrics(float64, float64, float64, float64, float64, float64) {} -// IncReloadCount ... +// IncReloadCount dummy implementation func (dc DummyCollector) IncReloadCount() {} -// IncReloadErrorCount ... +// IncReloadErrorCount dummy implementation func (dc DummyCollector) IncReloadErrorCount() {} -// IncOrphanIngress ... +// IncOrphanIngress dummy implementation func (dc DummyCollector) IncOrphanIngress(string, string, string) {} -// DecOrphanIngress ... +// DecOrphanIngress dummy implementation func (dc DummyCollector) DecOrphanIngress(string, string, string) {} -// IncCheckCount ... +// IncCheckCount dummy implementation func (dc DummyCollector) IncCheckCount(string, string) {} -// IncCheckErrorCount ... +// IncCheckErrorCount dummy implementation func (dc DummyCollector) IncCheckErrorCount(string, string) {} -// RemoveMetrics ... -func (dc DummyCollector) RemoveMetrics(ingresses, endpoints, certificates []string) {} +// RemoveMetrics dummy implementation +func (dc DummyCollector) RemoveMetrics(_, _, _ []string) {} -// Start ... -func (dc DummyCollector) Start(admissionStatus string) {} +// Start dummy implementation +func (dc DummyCollector) Start(_ string) {} -// Stop ... -func (dc DummyCollector) Stop(admissionStatus string) {} +// Stop dummy implementation +func (dc DummyCollector) Stop(_ string) {} -// SetSSLInfo ... +// SetSSLInfo dummy implementation func (dc DummyCollector) SetSSLInfo([]*ingress.Server) {} -// SetSSLExpireTime ... +// SetSSLExpireTime dummy implementation func (dc DummyCollector) SetSSLExpireTime([]*ingress.Server) {} -// SetHosts ... -func (dc DummyCollector) SetHosts(hosts sets.Set[string]) {} +// SetHosts dummy implementation +func (dc DummyCollector) SetHosts(_ sets.Set[string]) {} // OnStartedLeading indicates the pod is not the current leader -func (dc DummyCollector) OnStartedLeading(electionID string) {} +func (dc DummyCollector) OnStartedLeading(_ string) {} // OnStoppedLeading indicates the pod is not the current leader -func (dc DummyCollector) OnStoppedLeading(electionID string) {} +func (dc DummyCollector) OnStoppedLeading(_ string) {} diff --git a/internal/ingress/metric/main.go b/internal/ingress/metric/main.go index b2f721f62..aa35a5c51 100644 --- a/internal/ingress/metric/main.go +++ b/internal/ingress/metric/main.go @@ -115,11 +115,11 @@ func (c *collector) ConfigSuccess(hash uint64, success bool) { c.ingressController.ConfigSuccess(hash, success) } -func (c *collector) IncCheckCount(namespace string, name string) { +func (c *collector) IncCheckCount(namespace, name string) { c.ingressController.IncCheckCount(namespace, name) } -func (c *collector) IncCheckErrorCount(namespace string, name string) { +func (c *collector) IncCheckErrorCount(namespace, name string) { c.ingressController.IncCheckErrorCount(namespace, name) } @@ -183,11 +183,11 @@ func (c *collector) SetSSLInfo(servers []*ingress.Server) { c.ingressController.SetSSLInfo(servers) } -func (c *collector) IncOrphanIngress(namespace string, name string, orphanityType string) { +func (c *collector) IncOrphanIngress(namespace, name, orphanityType string) { c.ingressController.IncOrphanIngress(namespace, name, orphanityType) } -func (c *collector) DecOrphanIngress(namespace string, name string, orphanityType string) { +func (c *collector) DecOrphanIngress(namespace, name, orphanityType string) { c.ingressController.DecOrphanIngress(namespace, name, orphanityType) } @@ -195,7 +195,7 @@ func (c *collector) SetHosts(hosts sets.Set[string]) { c.socket.SetHosts(hosts) } -func (c *collector) SetAdmissionMetrics(testedIngressLength float64, testedIngressTime float64, renderingIngressLength float64, renderingIngressTime float64, testedConfigurationSize float64, admissionTime float64) { +func (c *collector) SetAdmissionMetrics(testedIngressLength, testedIngressTime, renderingIngressLength, renderingIngressTime, testedConfigurationSize, admissionTime float64) { c.admissionController.SetAdmissionMetrics( testedIngressLength, testedIngressTime, @@ -219,9 +219,7 @@ func (c *collector) OnStoppedLeading(electionID string) { c.ingressController.RemoveAllSSLMetrics(c.registry) } -var ( - currentLeader uint32 -) +var currentLeader uint32 func setLeader(leader bool) { var i uint32 diff --git a/internal/ingress/status/status.go b/internal/ingress/status/status.go index 62b88da16..81fb9044a 100644 --- a/internal/ingress/status/status.go +++ b/internal/ingress/status/status.go @@ -44,7 +44,7 @@ import ( // which the status should check if an update is required. var UpdateInterval = 60 -// Syncer ... +// Syncer is an interface that implements syncer type Syncer interface { Run(chan struct{}) @@ -56,7 +56,7 @@ type ingressLister interface { ListIngresses() []*ingress.Ingress } -// Config ... +// Config is a structure that implements Client interfaces type Config struct { Client clientset.Interface @@ -87,7 +87,7 @@ type statusSync struct { } // Start starts the loop to keep the status in sync -func (s statusSync) Run(stopCh chan struct{}) { +func (s *statusSync) Run(stopCh chan struct{}) { go s.syncQueue.Run(time.Second, stopCh) // trigger initial sync @@ -95,6 +95,7 @@ func (s statusSync) Run(stopCh chan struct{}) { // when this instance is the leader we need to enqueue // an item to trigger the update of the Ingress status. + //nolint:staticcheck // TODO: will replace it since wait.PollUntil is deprecated err := wait.PollUntil(time.Duration(UpdateInterval)*time.Second, func() (bool, error) { s.syncQueue.EnqueueTask(task.GetDummyObject("sync status")) return false, nil @@ -106,7 +107,7 @@ func (s statusSync) Run(stopCh chan struct{}) { // Shutdown stops the sync. In case the instance is the leader it will remove the current IP // if there is no other instances running. -func (s statusSync) Shutdown() { +func (s *statusSync) Shutdown() { go s.syncQueue.Shutdown() if !s.UpdateStatusOnShutdown { @@ -135,7 +136,7 @@ func (s statusSync) Shutdown() { s.updateStatus([]v1.IngressLoadBalancerIngress{}) } -func (s *statusSync) sync(key interface{}) error { +func (s *statusSync) sync(_ interface{}) error { if s.syncQueue.IsShuttingDown() { klog.V(2).InfoS("skipping Ingress status update (shutting down in progress)") return nil @@ -150,13 +151,13 @@ func (s *statusSync) sync(key interface{}) error { return nil } -func (s statusSync) keyfunc(input interface{}) (interface{}, error) { +func (s *statusSync) keyfunc(input interface{}) (interface{}, error) { return input, nil } // NewStatusSyncer returns a new Syncer instance func NewStatusSyncer(config Config) Syncer { - st := statusSync{ + st := &statusSync{ Config: config, } st.syncQueue = task.NewCustomTaskQueue(st.sync, st.keyfunc) @@ -229,7 +230,6 @@ func (s *statusSync) runningAddresses() ([]v1.IngressLoadBalancerIngress, error) } func (s *statusSync) isRunningMultiplePods() bool { - // As a standard, app.kubernetes.io are "reserved well-known" labels. // In our case, we add those labels as identifiers of the Ingress // deployment in this namespace, so we can select it as a set of Ingress instances. @@ -288,7 +288,8 @@ func (s *statusSync) updateStatus(newIngressPoint []v1.IngressLoadBalancerIngres } func runUpdate(ing *ingress.Ingress, status []v1.IngressLoadBalancerIngress, - client clientset.Interface) pool.WorkFunc { + client clientset.Interface, +) pool.WorkFunc { return func(wu pool.WorkUnit) (interface{}, error) { if wu.IsCancelled() { return nil, nil @@ -341,7 +342,10 @@ func ingressSliceEqual(lhs, rhs []v1.IngressLoadBalancerIngress) bool { } func statusAddressFromService(service string, kubeClient clientset.Interface) ([]v1.IngressLoadBalancerIngress, error) { - ns, name, _ := k8s.ParseNameNS(service) + ns, name, err := k8s.ParseNameNS(service) + if err != nil { + return nil, err + } svc, err := kubeClient.CoreV1().Services(ns).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return nil, err @@ -362,15 +366,15 @@ func statusAddressFromService(service string, kubeClient clientset.Interface) ([ IP: svc.Spec.ClusterIP, }}, nil } - addrs := make([]v1.IngressLoadBalancerIngress, len(svc.Spec.ExternalIPs)) - for i, ip := range svc.Spec.ExternalIPs { - addrs[i] = v1.IngressLoadBalancerIngress{IP: ip} + addrs := make([]v1.IngressLoadBalancerIngress, 0, len(svc.Spec.ExternalIPs)) + for _, ip := range svc.Spec.ExternalIPs { + addrs = append(addrs, v1.IngressLoadBalancerIngress{IP: ip}) } return addrs, nil case apiv1.ServiceTypeLoadBalancer: - addrs := make([]v1.IngressLoadBalancerIngress, len(svc.Status.LoadBalancer.Ingress)) + addrs := make([]v1.IngressLoadBalancerIngress, 0, len(svc.Status.LoadBalancer.Ingress)) for i, ingress := range svc.Status.LoadBalancer.Ingress { - addrs[i] = v1.IngressLoadBalancerIngress{} + addrs = append(addrs, v1.IngressLoadBalancerIngress{}) if ingress.Hostname != "" { addrs[i].Hostname = ingress.Hostname } diff --git a/internal/ingress/status/status_test.go b/internal/ingress/status/status_test.go index ce6b6a0bf..01419708b 100644 --- a/internal/ingress/status/status_test.go +++ b/internal/ingress/status/status_test.go @@ -18,7 +18,6 @@ package status import ( "context" - "os" "reflect" "testing" "time" @@ -34,6 +33,8 @@ import ( "k8s.io/ingress-nginx/pkg/apis/ingress" ) +const localhost = "127.0.0.1" + func buildLoadBalancerIngressByIP() []networking.IngressLoadBalancerIngress { return []networking.IngressLoadBalancerIngress{ { @@ -126,17 +127,6 @@ func buildSimpleClientSet() *testclient.Clientset { // This is commented out as the ServiceStatus.LoadBalancer field expects a LoadBalancerStatus object // which is incompatible with the current Ingress struct which expects a IngressLoadBalancerStatus object // TODO: update this service when the ServiceStatus struct gets updated - //{ - // ObjectMeta: metav1.ObjectMeta{ - // Name: "foo", - // Namespace: apiv1.NamespaceDefault, - // }, - // Status: apiv1.ServiceStatus{ - // LoadBalancer: apiv1.LoadBalancerStatus{ - // Ingress: buildLoadBalancerIngressByIP(), - // }, - // }, - //}, { ObjectMeta: metav1.ObjectMeta{ Name: "foo_non_exist", @@ -185,7 +175,8 @@ func buildSimpleClientSet() *testclient.Clientset { Name: "ingress-controller-leader", Namespace: apiv1.NamespaceDefault, }, - }}}, + }, + }}, &networking.IngressList{Items: buildExtensionsIngresses()}, ) } @@ -245,30 +236,33 @@ func buildExtensionsIngresses() []networking.Ingress { } } -type testIngressLister struct { -} +type testIngressLister struct{} func (til *testIngressLister) ListIngresses() []*ingress.Ingress { var ingresses []*ingress.Ingress - ingresses = append(ingresses, &ingress.Ingress{ - Ingress: networking.Ingress{ - ObjectMeta: metav1.ObjectMeta{ - Name: "foo_ingress_non_01", - Namespace: apiv1.NamespaceDefault, - }}}) - - ingresses = append(ingresses, &ingress.Ingress{ - Ingress: networking.Ingress{ - ObjectMeta: metav1.ObjectMeta{ - Name: "foo_ingress_1", - Namespace: apiv1.NamespaceDefault, - }, - Status: networking.IngressStatus{ - LoadBalancer: networking.IngressLoadBalancerStatus{ - Ingress: buildLoadBalancerIngressByIP(), + ingresses = append(ingresses, + &ingress.Ingress{ + Ingress: networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo_ingress_non_01", + Namespace: apiv1.NamespaceDefault, }, }, - }}) + }, + &ingress.Ingress{ + Ingress: networking.Ingress{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo_ingress_1", + Namespace: apiv1.NamespaceDefault, + }, + Status: networking.IngressStatus{ + LoadBalancer: networking.IngressLoadBalancerStatus{ + Ingress: buildLoadBalancerIngressByIP(), + }, + }, + }, + }, + ) return ingresses } @@ -290,8 +284,8 @@ func buildStatusSync() statusSync { func TestStatusActions(t *testing.T) { // make sure election can be created - os.Setenv("POD_NAME", "foo1") - os.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) + t.Setenv("POD_NAME", "foo1") + t.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) c := Config{ Client: buildSimpleClientSet(), PublishService: "", @@ -315,7 +309,10 @@ func TestStatusActions(t *testing.T) { t.Fatalf("expected a valid Sync") } - fk := fkSync.(statusSync) + fk, ok := fkSync.(*statusSync) + if !ok { + t.Errorf("unexpected type: %T", fkSync) + } // start it and wait for the election and syn actions stopCh := make(chan struct{}) @@ -366,7 +363,7 @@ func TestStatusActions(t *testing.T) { } } -func TestCallback(t *testing.T) { +func TestCallback(_ *testing.T) { buildStatusSync() } @@ -375,7 +372,6 @@ func TestKeyfunc(t *testing.T) { i := "foo_base_pod" r, err := fk.keyfunc(i) - if err != nil { t.Fatalf("unexpected error") } @@ -392,34 +388,36 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }{ "service type ClusterIP": { testclient.NewSimpleClientset( - &apiv1.PodList{Items: []apiv1.Pod{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.PodSpec{ - NodeName: "foo_node", - }, - Status: apiv1.PodStatus{ - Phase: apiv1.PodRunning, + &apiv1.PodList{ + Items: []apiv1.Pod{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.PodSpec{ + NodeName: "foo_node", + }, + Status: apiv1.PodStatus{ + Phase: apiv1.PodRunning, + }, }, }, }, - }, - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeClusterIP, - ClusterIP: "1.1.1.1", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeClusterIP, + ClusterIP: "1.1.1.1", + }, }, }, }, - }, ), []networking.IngressLoadBalancerIngress{ {IP: "1.1.1.1"}, @@ -428,19 +426,20 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, "service type NodePort": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeNodePort, - ClusterIP: "1.1.1.1", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeNodePort, + ClusterIP: "1.1.1.1", + }, }, }, }, - }, ), []networking.IngressLoadBalancerIngress{ {IP: "1.1.1.1"}, @@ -449,19 +448,20 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, "service type ExternalName": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeExternalName, - ExternalName: "foo.bar", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeExternalName, + ExternalName: "foo.bar", + }, }, }, }, - }, ), []networking.IngressLoadBalancerIngress{ {Hostname: "foo.bar"}, @@ -470,35 +470,36 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, "service type LoadBalancer": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeLoadBalancer, - }, - Status: apiv1.ServiceStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ - { - IP: "10.0.0.1", - }, - { - IP: "", - Hostname: "foo", - }, - { - IP: "10.0.0.2", - Hostname: "10-0-0-2.cloudprovider.example.net", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeLoadBalancer, + }, + Status: apiv1.ServiceStatus{ + LoadBalancer: apiv1.LoadBalancerStatus{ + Ingress: []apiv1.LoadBalancerIngress{ + { + IP: "10.0.0.1", + }, + { + IP: "", + Hostname: "foo", + }, + { + IP: "10.0.0.2", + Hostname: "10-0-0-2.cloudprovider.example.net", + }, }, }, }, }, }, }, - }, ), []networking.IngressLoadBalancerIngress{ {IP: "10.0.0.1"}, @@ -512,28 +513,29 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, "service type LoadBalancer with same externalIP and ingress IP": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, - }, - Spec: apiv1.ServiceSpec{ - Type: apiv1.ServiceTypeLoadBalancer, - ExternalIPs: []string{"10.0.0.1"}, - }, - Status: apiv1.ServiceStatus{ - LoadBalancer: apiv1.LoadBalancerStatus{ - Ingress: []apiv1.LoadBalancerIngress{ - { - IP: "10.0.0.1", + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, + Spec: apiv1.ServiceSpec{ + Type: apiv1.ServiceTypeLoadBalancer, + ExternalIPs: []string{"10.0.0.1"}, + }, + Status: apiv1.ServiceStatus{ + LoadBalancer: apiv1.LoadBalancerStatus{ + Ingress: []apiv1.LoadBalancerIngress{ + { + IP: "10.0.0.1", + }, }, }, }, }, }, }, - }, ), []networking.IngressLoadBalancerIngress{ {IP: "10.0.0.1"}, @@ -542,15 +544,16 @@ func TestRunningAddressesWithPublishService(t *testing.T) { }, "invalid service type": { testclient.NewSimpleClientset( - &apiv1.ServiceList{Items: []apiv1.Service{ - { - ObjectMeta: metav1.ObjectMeta{ - Name: "foo", - Namespace: apiv1.NamespaceDefault, + &apiv1.ServiceList{ + Items: []apiv1.Service{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "foo", + Namespace: apiv1.NamespaceDefault, + }, }, }, }, - }, ), nil, true, @@ -559,7 +562,6 @@ func TestRunningAddressesWithPublishService(t *testing.T) { for title, tc := range testCases { t.Run(title, func(t *testing.T) { - fk := buildStatusSync() fk.Config.Client = tc.fakeClient @@ -587,7 +589,11 @@ func TestRunningAddressesWithPods(t *testing.T) { fk := buildStatusSync() fk.PublishService = "" - r, _ := fk.runningAddresses() + r, err := fk.runningAddresses() + if err != nil { + t.Errorf("unexpected error: %v", err) + } + if r == nil { t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } @@ -603,9 +609,12 @@ func TestRunningAddressesWithPods(t *testing.T) { func TestRunningAddressesWithPublishStatusAddress(t *testing.T) { fk := buildStatusSync() - fk.PublishStatusAddress = "127.0.0.1" + fk.PublishStatusAddress = localhost - ra, _ := fk.runningAddresses() + ra, err := fk.runningAddresses() + if err != nil { + t.Errorf("unexpected error: %v", err) + } if ra == nil { t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } @@ -614,8 +623,8 @@ func TestRunningAddressesWithPublishStatusAddress(t *testing.T) { t.Errorf("returned %v but expected %v", rl, 1) } rv := ra[0] - if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "127.0.0.1"}) + if rv.IP != localhost { + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: localhost}) } } @@ -623,7 +632,10 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) { fk := buildStatusSync() fk.PublishStatusAddress = "127.0.0.1,1.1.1.1" - ra, _ := fk.runningAddresses() + ra, err := fk.runningAddresses() + if err != nil { + t.Errorf("unexpected error: %v", err) + } if ra == nil { t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngress") } @@ -633,8 +645,8 @@ func TestRunningAddressesWithPublishStatusAddresses(t *testing.T) { } rv := ra[0] rv2 := ra[1] - if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "127.0.0.1"}) + if rv.IP != localhost { + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: localhost}) } if rv2.IP != "1.1.1.1" { t.Errorf("returned %v but expected %v", rv2, networking.IngressLoadBalancerIngress{IP: "1.1.1.1"}) @@ -645,7 +657,10 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) { fk := buildStatusSync() fk.PublishStatusAddress = "127.0.0.1, 1.1.1.1" - ra, _ := fk.runningAddresses() + ra, err := fk.runningAddresses() + if err != nil { + t.Errorf("unexpected error: %v", err) + } if ra == nil { t.Fatalf("returned nil but expected valid []networking.IngressLoadBalancerIngresst") } @@ -655,8 +670,8 @@ func TestRunningAddressesWithPublishStatusAddressesAndSpaces(t *testing.T) { } rv := ra[0] rv2 := ra[1] - if rv.IP != "127.0.0.1" { - t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: "127.0.0.1"}) + if rv.IP != localhost { + t.Errorf("returned %v but expected %v", rv, networking.IngressLoadBalancerIngress{IP: localhost}) } if rv2.IP != "1.1.1.1" { t.Errorf("returned %v but expected %v", rv2, networking.IngressLoadBalancerIngress{IP: "1.1.1.1"}) diff --git a/internal/k8s/main.go b/internal/k8s/main.go index d61013a9f..5e93e560d 100644 --- a/internal/k8s/main.go +++ b/internal/k8s/main.go @@ -33,7 +33,7 @@ import ( ) // ParseNameNS parses a string searching a namespace and name -func ParseNameNS(input string) (string, string, error) { +func ParseNameNS(input string) (ns, name string, err error) { nsName := strings.Split(input, "/") if len(nsName) != 2 { return "", "", fmt.Errorf("invalid format (namespace/name) found in '%v'", input) @@ -148,7 +148,10 @@ const IngressNGINXController = "k8s.io/ingress-nginx" // NetworkingIngressAvailable checks if the package "k8s.io/api/networking/v1" // is available or not and if Ingress V1 is supported (k8s >= v1.19.0) func NetworkingIngressAvailable(client clientset.Interface) bool { - version119, _ := version.ParseGeneric("v1.19.0") + version119, err := version.ParseGeneric("v1.19.0") + if err != nil { + return false + } serverVersion, err := client.Discovery().ServerVersion() if err != nil { diff --git a/internal/k8s/main_test.go b/internal/k8s/main_test.go index f3f8b652e..1721c1fb2 100644 --- a/internal/k8s/main_test.go +++ b/internal/k8s/main_test.go @@ -17,7 +17,6 @@ limitations under the License. package k8s import ( - "os" "testing" apiv1 "k8s.io/api/core/v1" @@ -203,7 +202,8 @@ func TestGetNodeIP(t *testing.T) { }, }, }}}), - "demo", "10.0.0.2", true}, + "demo", "10.0.0.2", true, + }, } for _, fk := range fKNodes { @@ -216,32 +216,32 @@ func TestGetNodeIP(t *testing.T) { func TestGetIngressPod(t *testing.T) { // POD_NAME & POD_NAMESPACE not exist - os.Setenv("POD_NAME", "") - os.Setenv("POD_NAMESPACE", "") + t.Setenv("POD_NAME", "") + t.Setenv("POD_NAMESPACE", "") err := GetIngressPod(testclient.NewSimpleClientset()) if err == nil { t.Errorf("expected an error but returned nil") } // POD_NAME not exist - os.Setenv("POD_NAME", "") - os.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) + t.Setenv("POD_NAME", "") + t.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) err = GetIngressPod(testclient.NewSimpleClientset()) if err == nil { t.Errorf("expected an error but returned nil") } // POD_NAMESPACE not exist - os.Setenv("POD_NAME", "testpod") - os.Setenv("POD_NAMESPACE", "") + t.Setenv("POD_NAME", "testpod") + t.Setenv("POD_NAMESPACE", "") err = GetIngressPod(testclient.NewSimpleClientset()) if err == nil { t.Errorf("expected an error but returned nil") } // POD not exist - os.Setenv("POD_NAME", "testpod") - os.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) + t.Setenv("POD_NAME", "testpod") + t.Setenv("POD_NAMESPACE", apiv1.NamespaceDefault) err = GetIngressPod(testclient.NewSimpleClientset()) if err == nil { t.Errorf("expected an error but returned nil") diff --git a/internal/net/dns/dns.go b/internal/net/dns/dns.go index 7dfbbd177..6b250e8cb 100644 --- a/internal/net/dns/dns.go +++ b/internal/net/dns/dns.go @@ -38,7 +38,7 @@ func GetSystemNameServers() ([]net.IP, error) { lines := strings.Split(string(file), "\n") for l := range lines { trimmed := strings.TrimSpace(lines[l]) - if len(trimmed) == 0 || trimmed[0] == '#' || trimmed[0] == ';' { + if trimmed == "" || trimmed[0] == '#' || trimmed[0] == ';' { continue } fields := strings.Fields(trimmed) diff --git a/internal/net/ipnet_test.go b/internal/net/ipnet_test.go index 95e6b9c32..8e460aae9 100644 --- a/internal/net/ipnet_test.go +++ b/internal/net/ipnet_test.go @@ -36,13 +36,17 @@ func TestNewIPSet(t *testing.T) { } func TestParseCIDRs(t *testing.T) { - cidr, _ := ParseCIDRs("invalid.com") + cidr, err := ParseCIDRs("invalid.com") + if err == nil { + t.Errorf("expected error but got nil") + } + if cidr != nil { t.Errorf("expected %v but got %v", nil, cidr) } expected := []string{"192.0.0.1", "192.0.1.0/24"} - cidr, err := ParseCIDRs("192.0.0.1, 192.0.1.0/24") + cidr, err = ParseCIDRs("192.0.0.1, 192.0.1.0/24") if err != nil { t.Errorf("unexpected error %v", err) } diff --git a/internal/net/net.go b/internal/net/net.go index 712262f3a..b0952d9cc 100644 --- a/internal/net/net.go +++ b/internal/net/net.go @@ -30,11 +30,12 @@ func IsIPV6(ip _net.IP) bool { // IsPortAvailable checks if a TCP port is available or not func IsPortAvailable(p int) bool { ln, err := _net.Listen("tcp", fmt.Sprintf(":%v", p)) - if err != nil { - return false - } - defer ln.Close() - return true + defer func() { + if ln != nil { + ln.Close() + } + }() + return err == nil } // IsIPv6Enabled checks if IPV6 is enabled or not and we have @@ -51,7 +52,10 @@ func IsIPv6Enabled() bool { } for _, addr := range addrs { - ip, _, _ := _net.ParseCIDR(addr.String()) + ip, _, err := _net.ParseCIDR(addr.String()) + if err != nil { + return false + } if IsIPV6(ip) { return true } diff --git a/internal/net/net_test.go b/internal/net/net_test.go index f2f37a838..f7a4f52e1 100644 --- a/internal/net/net_test.go +++ b/internal/net/net_test.go @@ -47,7 +47,7 @@ func TestIsPortAvailable(t *testing.T) { t.Fatal("expected port 0 to be available (random port) but returned false") } - ln, err := net.Listen("tcp", ":0") + ln, err := net.Listen("tcp", ":0") //nolint:gosec // Ignore the gosec error in testing if err != nil { t.Fatalf("unexpected error: %v", err) } diff --git a/internal/net/ssl/ssl.go b/internal/net/ssl/ssl.go index c74537fe9..26fd706e1 100644 --- a/internal/net/ssl/ssl.go +++ b/internal/net/ssl/ssl.go @@ -52,17 +52,15 @@ import ( // certificate generated by the ingress controller var FakeSSLCertificateUID = "00000000-0000-0000-0000-000000000000" -var ( - oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17} -) +var oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17} const ( - fakeCertificateName = "default-fake-certificate" + fakeCertificateName = "default-fake-certificate" //#nosec G101 ) // getPemFileName returns absolute file path and file name of pem cert related to given fullSecretName -func getPemFileName(fullSecretName string) (string, string) { - pemName := fmt.Sprintf("%v.pem", fullSecretName) +func getPemFileName(fullSecretName string) (filePath, pemName string) { + pemName = fmt.Sprintf("%v.pem", fullSecretName) return fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, pemName), pemName } @@ -192,7 +190,7 @@ func StoreSSLCertOnDisk(name string, sslCert *ingress.SSLCert) (string, error) { // ConfigureCACertWithCertAndKey appends ca into existing PEM file consisting of cert and key // and sets relevant fields in sslCert object -func ConfigureCACertWithCertAndKey(name string, ca []byte, sslCert *ingress.SSLCert) error { +func ConfigureCACertWithCertAndKey(_ string, ca []byte, sslCert *ingress.SSLCert) error { var buffer bytes.Buffer _, err := buffer.WriteString(sslCert.PemCertKey) @@ -210,12 +208,12 @@ func ConfigureCACertWithCertAndKey(name string, ca []byte, sslCert *ingress.SSLC return fmt.Errorf("could not write ca data to cert file %v: %v", sslCert.CAFileName, err) } - return os.WriteFile(sslCert.CAFileName, buffer.Bytes(), 0644) + //nolint:gosec // Not change permission to avoid possible issues + return os.WriteFile(sslCert.CAFileName, buffer.Bytes(), 0o644) } // ConfigureCRL creates a CRL file and append it into the SSLCert func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error { - crlName := fmt.Sprintf("crl-%v.pem", name) crlFileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, crlName) @@ -230,10 +228,11 @@ func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error { _, err := x509.ParseRevocationList(pemCRLBlock.Bytes) if err != nil { - return fmt.Errorf(err.Error()) + return err } - err = os.WriteFile(crlFileName, crl, 0644) + //nolint:gosec // Not change permission to avoid possible issues + err = os.WriteFile(crlFileName, crl, 0o644) if err != nil { return fmt.Errorf("could not write CRL file %v: %v", crlFileName, err) } @@ -242,7 +241,6 @@ func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error { sslCert.CRLSHA = file.SHA1(crlFileName) return nil - } // ConfigureCACert is similar to ConfigureCACertWithCertAndKey but it creates a separate file @@ -251,7 +249,8 @@ func ConfigureCACert(name string, ca []byte, sslCert *ingress.SSLCert) error { caName := fmt.Sprintf("ca-%v.pem", name) fileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, caName) - err := os.WriteFile(fileName, ca, 0644) + //nolint:gosec // Not change permission to avoid possible issues + err := os.WriteFile(fileName, ca, 0o644) if err != nil { return fmt.Errorf("could not write CA file %v: %v", fileName, err) } @@ -293,14 +292,14 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre var seq asn1.RawValue var rest []byte if rest, err = asn1.Unmarshal(value, &seq); err != nil { - return + return dnsNames, emailAddresses, ipAddresses, err } else if len(rest) != 0 { err = errors.New("x509: trailing data after X.509 extension") - return + return dnsNames, emailAddresses, ipAddresses, err } if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 { err = asn1.StructuralError{Msg: "bad SAN sequence"} - return + return dnsNames, emailAddresses, ipAddresses, err } rest = seq.Bytes @@ -308,7 +307,7 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre var v asn1.RawValue rest, err = asn1.Unmarshal(rest, &v) if err != nil { - return + return dnsNames, emailAddresses, ipAddresses, err } switch v.Tag { case 1: @@ -321,12 +320,12 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre ipAddresses = append(ipAddresses, v.Bytes) default: err = errors.New("x509: certificate contained IP address of length " + strconv.Itoa(len(v.Bytes))) - return + return dnsNames, emailAddresses, ipAddresses, err } } } - return + return dnsNames, emailAddresses, ipAddresses, err } // AddOrUpdateDHParam creates a dh parameters file with the specified name @@ -396,7 +395,7 @@ func GetFakeSSLCert() *ingress.SSLCert { return sslCert } -func getFakeHostSSLCert(host string) ([]byte, []byte) { +func getFakeHostSSLCert(host string) (cert, key []byte) { var priv interface{} var err error @@ -412,7 +411,6 @@ func getFakeHostSSLCert(host string) ([]byte, []byte) { serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) - if err != nil { klog.Fatalf("failed to generate fake serial number: %v", err) } @@ -436,9 +434,9 @@ func getFakeHostSSLCert(host string) ([]byte, []byte) { klog.Fatalf("Failed to create fake certificate: %v", err) } - cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) + cert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) - key := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))}) + key = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))}) return cert, key } @@ -508,9 +506,14 @@ func NewTLSListener(certificate, key string) *TLSListener { l.load() - _, _ = file.NewFileWatcher(certificate, l.load) - _, _ = file.NewFileWatcher(key, l.load) - + _, err := file.NewFileWatcher(certificate, l.load) + if err != nil { + klog.Errorf("unexpected error: %v", err) + } + _, err = file.NewFileWatcher(key, l.load) + if err != nil { + klog.Errorf("unexpected error: %v", err) + } return &l } diff --git a/internal/net/ssl/ssl_test.go b/internal/net/ssl/ssl_test.go index a86ecb87a..9f8c5eeae 100644 --- a/internal/net/ssl/ssl_test.go +++ b/internal/net/ssl/ssl_test.go @@ -42,7 +42,7 @@ import ( ) // generateRSACerts generates a self signed certificate using a self generated ca -func generateRSACerts(host string) (*keyPair, *keyPair, error) { +func generateRSACerts(host string) (newCert, newCa *keyPair, err error) { ca, err := newCA("self-sign-ca") if err != nil { return nil, nil, err @@ -57,7 +57,7 @@ func generateRSACerts(host string) (*keyPair, *keyPair, error) { CommonName: host, Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, } - cert, err := newSignedCert(config, key, ca.Cert, ca.Key) + cert, err := newSignedCert(&config, key, ca.Cert, ca.Key) if err != nil { return nil, nil, fmt.Errorf("unable to sign the server certificate: %v", err) } @@ -139,11 +139,11 @@ func TestCACert(t *testing.T) { func TestGetFakeSSLCert(t *testing.T) { sslCert := GetFakeSSLCert() - if len(sslCert.PemCertKey) == 0 { + if sslCert.PemCertKey == "" { t.Fatalf("expected PemCertKey to not be empty") } - if len(sslCert.PemFileName) == 0 { + if sslCert.PemFileName == "" { t.Fatalf("expected PemFileName to not be empty") } @@ -195,7 +195,7 @@ func TestConfigureCRL(t *testing.T) { // Demo CRL from https://csrc.nist.gov/projects/pki-testing/sample-certificates-and-crls // Converted to PEM to be tested // SHA: ef21f9c97ec2ef84ba3b2ab007c858a6f760d813 - var crl = []byte(`-----BEGIN X509 CRL----- + crl := []byte(`-----BEGIN X509 CRL----- MIIBYDCBygIBATANBgkqhkiG9w0BAQUFADBDMRMwEQYKCZImiZPyLGQBGRYDY29t MRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTETMBEGA1UEAxMKRXhhbXBsZSBDQRcN MDUwMjA1MTIwMDAwWhcNMDUwMjA2MTIwMDAwWjAiMCACARIXDTA0MTExOTE1NTcw @@ -237,6 +237,7 @@ fUNCdMGmr8FVF6IzTNYGmCuk/C4= t.Fatalf("the expected CRL SHA wasn't found") } } + func TestCreateSSLCert(t *testing.T) { cert, _, err := generateRSACerts("echoheaders") if err != nil { @@ -339,12 +340,12 @@ func newPrivateKey() (*rsa.PrivateKey, error) { } // newSignedCert creates a signed certificate using the given CA certificate and key -func newSignedCert(cfg certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) { +func newSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) { serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64)) if err != nil { return nil, err } - if len(cfg.CommonName) == 0 { + if cfg.CommonName == "" { return nil, errors.New("must specify a CommonName") } if len(cfg.Usages) == 0 { @@ -389,7 +390,7 @@ func encodeCertPEM(cert *x509.Certificate) []byte { return pem.EncodeToMemory(&block) } -func newFakeCertificate(t *testing.T) ([]byte, string, string) { +func newFakeCertificate(t *testing.T) (sslCert []byte, certFileName, keyFileName string) { cert, key := getFakeHostSSLCert("localhost") certFile, err := os.CreateTemp("", "crt-") @@ -423,10 +424,9 @@ func dialTestServer(port string, rootCertificates ...[]byte) error { return fmt.Errorf("failed to add root certificate") } } - resp, err := tls.Dial("tcp", "localhost:"+port, &tls.Config{ + resp, err := tls.Dial("tcp", "localhost:"+port, &tls.Config{ //nolint:gosec // Ignore the gosec error in testing RootCAs: roots, }) - if err != nil { return err } @@ -473,15 +473,14 @@ func TestTLSKeyReloader(t *testing.T) { } }) - //TODO: fix - /* - // simulate watch.NewFileWatcher to call the load function - watcher.load() - t.Run("when the certificate is reloaded", func(t *testing.T) { - if err := dialTestServer(port, cert); err != nil { - t.Errorf("TLS dial should succeed, got error: %v", err) - } - }) + /*TODO: fix + // simulate watch.NewFileWatcher to call the load function + watcher.load() + t.Run("when the certificate is reloaded", func(t *testing.T) { + if err := dialTestServer(port, cert); err != nil { + t.Errorf("TLS dial should succeed, got error: %v", err) + } + }) */ }) } diff --git a/internal/nginx/main.go b/internal/nginx/main.go index ae319fe1f..fc586e9e8 100644 --- a/internal/nginx/main.go +++ b/internal/nginx/main.go @@ -62,7 +62,7 @@ var StatusPath = "/nginx_status" var StreamPort = 10247 // NewGetStatusRequest creates a new GET request to the internal NGINX status server -func NewGetStatusRequest(path string) (int, []byte, error) { +func NewGetStatusRequest(path string) (statusCode int, data []byte, err error) { url := fmt.Sprintf("http://127.0.0.1:%v%v", StatusPort, path) client := http.Client{} @@ -72,7 +72,7 @@ func NewGetStatusRequest(path string) (int, []byte, error) { } defer res.Body.Close() - data, err := io.ReadAll(res.Body) + data, err = io.ReadAll(res.Body) if err != nil { return 0, nil, err } @@ -81,7 +81,7 @@ func NewGetStatusRequest(path string) (int, []byte, error) { } // NewPostStatusRequest creates a new POST request to the internal NGINX status server -func NewPostStatusRequest(path, contentType string, data interface{}) (int, []byte, error) { +func NewPostStatusRequest(path, contentType string, data interface{}) (statusCode int, body []byte, err error) { url := fmt.Sprintf("http://127.0.0.1:%v%v", StatusPort, path) buf, err := json.Marshal(data) @@ -96,7 +96,7 @@ func NewPostStatusRequest(path, contentType string, data interface{}) (int, []by } defer res.Body.Close() - body, err := io.ReadAll(res.Body) + body, err = io.ReadAll(res.Body) if err != nil { return 0, nil, err } @@ -105,7 +105,7 @@ func NewPostStatusRequest(path, contentType string, data interface{}) (int, []by } // GetServerBlock takes an nginx.conf file and a host and tries to find the server block for that host -func GetServerBlock(conf string, host string) (string, error) { +func GetServerBlock(conf, host string) (string, error) { startMsg := fmt.Sprintf("## start server %v\n", host) endMsg := fmt.Sprintf("## end server %v", host) @@ -113,7 +113,7 @@ func GetServerBlock(conf string, host string) (string, error) { if blockStart < 0 { return "", fmt.Errorf("host %v was not found in the controller's nginx.conf", host) } - blockStart = blockStart + len(startMsg) + blockStart += len(startMsg) blockEnd := strings.Index(conf, endMsg) if blockEnd < 0 { @@ -163,7 +163,10 @@ func Version() string { // IsRunning returns true if a process with the name 'nginx' is found func IsRunning() bool { - processes, _ := ps.Processes() + processes, err := ps.Processes() + if err != nil { + klog.ErrorS(err, "unexpected error obtaining process list") + } for _, p := range processes { if p.Executable() == "nginx" { return true diff --git a/internal/nginx/maxmind.go b/internal/nginx/maxmind.go index 5aee414cd..4719a22c1 100644 --- a/internal/nginx/maxmind.go +++ b/internal/nginx/maxmind.go @@ -101,7 +101,7 @@ func DownloadGeoLite2DB(attempts int, period time.Duration) error { var lastErr error retries := 0 - _ = wait.ExponentialBackoff(defaultRetry, func() (bool, error) { + lastErr = wait.ExponentialBackoff(defaultRetry, func() (bool, error) { var dlError error for _, dbName := range strings.Split(MaxmindEditionIDs, ",") { dlError = downloadDatabase(dbName) @@ -139,8 +139,8 @@ func createURL(mirror, licenseKey, dbName string) string { } func downloadDatabase(dbName string) error { - url := createURL(MaxmindMirror, MaxmindLicenseKey, dbName) - req, err := http.NewRequest(http.MethodGet, url, nil) + newURL := createURL(MaxmindMirror, MaxmindLicenseKey, dbName) + req, err := http.NewRequest(http.MethodGet, newURL, http.NoBody) if err != nil { return err } @@ -175,24 +175,23 @@ func downloadDatabase(dbName string) error { return err } - switch header.Typeflag { - case tar.TypeReg: + if header.Typeflag == tar.TypeReg { if !strings.HasSuffix(header.Name, mmdbFile) { continue } + return func() error { + outFile, err := os.Create(path.Join(geoIPPath, mmdbFile)) + if err != nil { + return err + } - outFile, err := os.Create(path.Join(geoIPPath, mmdbFile)) - if err != nil { - return err - } + defer outFile.Close() - defer outFile.Close() - - if _, err := io.CopyN(outFile, tarReader, header.Size); err != nil { - return err - } - - return nil + if _, err := io.CopyN(outFile, tarReader, header.Size); err != nil { + return err + } + return nil + }() } } diff --git a/internal/task/queue.go b/internal/task/queue.go index ff6b20f62..f92f2a501 100644 --- a/internal/task/queue.go +++ b/internal/task/queue.go @@ -28,9 +28,7 @@ import ( "k8s.io/client-go/util/workqueue" ) -var ( - keyFunc = cache.DeletionHandlingMetaNamespaceKeyFunc -) +var keyFunc = cache.DeletionHandlingMetaNamespaceKeyFunc // Queue manages a time work queue through an independent worker that invokes the // given sync function for every work item inserted. @@ -117,7 +115,10 @@ func (t *Queue) worker() { } ts := time.Now().UnixNano() - item := key.(Element) + item, ok := key.(Element) + if !ok { + klog.ErrorS(nil, "invalid item type", "key", key) + } if item.Timestamp != 0 && t.lastSync > item.Timestamp { klog.V(3).InfoS("skipping sync", "key", item.Key, "last", t.lastSync, "now", item.Timestamp) t.queue.Forget(key) @@ -168,7 +169,7 @@ func NewTaskQueue(syncFn func(interface{}) error) *Queue { return NewCustomTaskQueue(syncFn, nil) } -// NewCustomTaskQueue ... +// NewCustomTaskQueue creates a new custom task queue with the given sync function. func NewCustomTaskQueue(syncFn func(interface{}) error, fn func(interface{}) (interface{}, error)) *Queue { q := &Queue{ queue: workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()), diff --git a/magefiles/docker.go b/magefiles/docker.go deleted file mode 100644 index d7c7f588e..000000000 --- a/magefiles/docker.go +++ /dev/null @@ -1,19 +0,0 @@ -//go:build mage - -/* -Copyright 2023 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main diff --git a/magefiles/yaml.go b/magefiles/exec.go similarity index 84% rename from magefiles/yaml.go rename to magefiles/exec.go index d7c7f588e..0acd557c6 100644 --- a/magefiles/yaml.go +++ b/magefiles/exec.go @@ -1,4 +1,4 @@ -//go:build mage +//go:build ignore /* Copyright 2023 The Kubernetes Authors. @@ -17,3 +17,11 @@ limitations under the License. */ package main + +import ( + "os" + + "github.com/magefile/mage/mage" +) + +func main() { os.Exit(mage.Main()) } diff --git a/magefiles/go.go b/magefiles/go.go deleted file mode 100644 index 2385b089e..000000000 --- a/magefiles/go.go +++ /dev/null @@ -1,31 +0,0 @@ -//go:build mage - -/* -Copyright 2023 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -//import ( -// "github.com/magefile/mage/mg" -// "github.com/mysteriumnetwork/go-ci/commands" -//) -// -//type Go mg.Namespace -// -//// Checks for issues with go imports -//func (Go) CheckGoImports() error { -// return commands.GoImports("./...") -//} diff --git a/magefiles/go.mod b/magefiles/go.mod index 40b909600..ac05f6b89 100644 --- a/magefiles/go.mod +++ b/magefiles/go.mod @@ -1,32 +1,32 @@ -module github.com/kubernetes/ingress-nginx/magefiles +module k8s.io/ingress-nginx/magefiles -go 1.20 +go 1.21.1 require ( github.com/blang/semver/v4 v4.0.0 github.com/google/go-github/v48 v48.2.0 github.com/helm/helm v2.17.0+incompatible - github.com/magefile/mage v1.14.0 + github.com/magefile/mage v1.15.0 github.com/vmware-labs/yaml-jsonpath v0.3.2 - golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be + golang.org/x/oauth2 v0.12.0 gopkg.in/yaml.v3 v3.0.1 ) require ( - github.com/BurntSushi/toml v1.2.1 // indirect + github.com/BurntSushi/toml v1.3.2 // indirect github.com/Masterminds/semver v1.5.0 // indirect - github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960 // indirect github.com/ghodss/yaml v1.0.0 // indirect github.com/gobwas/glob v0.2.3 // indirect - github.com/golang/protobuf v1.5.2 // indirect + github.com/golang/protobuf v1.5.3 // indirect github.com/google/go-querystring v1.1.0 // indirect - github.com/stretchr/testify v1.8.1 // indirect - golang.org/x/crypto v0.1.0 // indirect - golang.org/x/net v0.7.0 // indirect + github.com/rogpeppe/go-internal v1.11.0 // indirect + golang.org/x/crypto v0.13.0 // indirect + golang.org/x/net v0.15.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.28.0 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - k8s.io/apimachinery v0.25.4 // indirect + k8s.io/apimachinery v0.27.4 // indirect k8s.io/helm v2.17.0+incompatible // indirect ) diff --git a/magefiles/go.sum b/magefiles/go.sum index 9c0c8ee7f..8cd8c9420 100644 --- a/magefiles/go.sum +++ b/magefiles/go.sum @@ -1,11 +1,11 @@ -github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= -github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= +github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -19,11 +19,12 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= -github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-github/v48 v48.2.0 h1:68puzySE6WqUY9KWmpOsDEQfDZsso98rT6pZcz9HqcE= github.com/google/go-github/v48 v48.2.0/go.mod h1:dDlehKBDo850ZPvCTK0sEqTCVWcrGl2LcDiajkYi89Y= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= @@ -33,59 +34,61 @@ github.com/helm/helm v2.17.0+incompatible/go.mod h1:ahXhuvluW4YnSL6W6hDVetZsVK8P github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= +github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= -github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= -github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= +github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg= +github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/ginkgo v1.10.2 h1:uqH7bpe+ERSiDa34FDOF7RikN6RzXgduUF8yarlZp94= github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= +github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E= +github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3q3fQ= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/vmware-labs/yaml-jsonpath v0.3.2 h1:/5QKeCBGdsInyDCyVNLbXyilb61MXGi9NP674f9Hobk= github.com/vmware-labs/yaml-jsonpath v0.3.2/go.mod h1:U6whw1z03QyqgWdgXxvVnQ90zN1BWz5V+51Ewf8k+rQ= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU= -golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= +golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck= +golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be h1:vEDujvNQGv4jgYKudGeI/+DAX4Jffq6hpD55MmoEvKs= -golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8= +golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= +golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= +golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= +golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o= +golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= @@ -99,7 +102,7 @@ gopkg.in/yaml.v3 v3.0.0-20191026110619-0b21df46bc1d/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc= -k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo= +k8s.io/apimachinery v0.27.4 h1:CdxflD4AF61yewuid0fLl6bM4a3q04jWel0IlP+aYjs= +k8s.io/apimachinery v0.27.4/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao= k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= diff --git a/magefiles/mage.go b/magefiles/mage.go index 605d687a9..1dfaa4dbd 100644 --- a/magefiles/mage.go +++ b/magefiles/mage.go @@ -1,8 +1,7 @@ -//go:build ignore -// +build ignore +//go:build mage /* -Copyright 2021 The Kubernetes Authors. +Copyright 2023 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. @@ -20,10 +19,6 @@ limitations under the License. package main import ( - "github.com/magefile/mage/mage" - "os" + //mage:import + _ "k8s.io/ingress-nginx/magefiles/steps" ) - -func main() { - os.Exit(mage.Main()) -} diff --git a/magefiles/release.go b/magefiles/release.go deleted file mode 100644 index 6e5efb490..000000000 --- a/magefiles/release.go +++ /dev/null @@ -1,551 +0,0 @@ -//go:build mage - -/* -Copyright 2023 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package main - -import ( - "context" - "errors" - "fmt" - "github.com/google/go-github/v48/github" - "github.com/magefile/mage/mg" - "github.com/magefile/mage/sh" - "golang.org/x/oauth2" - "gopkg.in/yaml.v3" - "io" - "net" - "net/http" - "os" - "text/template" - - "regexp" - "strings" - "time" -) - -type Release mg.Namespace - -var INGRESS_ORG = "kubernetes" // the owner so we can test from forks -var INGRESS_REPO = "ingress-nginx" // the repo to pull from -var RELEASE_BRANCH = "main" //we only release from main -var GITHUB_TOKEN string // the Google/gogithub lib needs an PAT to access the GitHub API -var K8S_IO_ORG = "kubernetes" //the owner or organization for the k8s.io repo -var K8S_IO_REPO = "k8s.io" //the repo that holds the images yaml for production promotion -var INGRESS_REGISTRY = "registry.k8s.io" //Container registry for storage Ingress-nginx images -var KUSTOMIZE_INSTALL_VERSION = "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4" //static deploys needs kustomize to generate the template - -// ingress-nginx releases start with a TAG then a cloudbuild, then a promotion through a PR, this the location of that PR -var IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml" -var ctx = context.Background() // Context used for GitHub Client - -const INDEX_DOCS = "docs/deploy/index.md" //index.md has a version of the controller and needs to updated -const CHANGELOG = "Changelog.md" //Name of the changelog - -// ControllerImage - struct with info about controllers -type ControllerImage struct { - Tag string - Digest string - Registry string - Name string -} - -// IngressRelease All the information about an ingress-nginx release that gets updated -type IngressRelease struct { - ControllerVersion string - ControllerImage ControllerImage - ReleaseNote ReleaseNote - Release *github.RepositoryRelease -} - -// ReleaseNote - All the pieces of information/documents that get updated during a release -type ReleaseNote struct { - Version string - NewControllerVersion string - PreviousControllerVersion string - ControllerImages []ControllerImage - DepUpdates []string - Updates []string - HelmUpdates []string - NewHelmChartVersion string - PreviousHelmChartVersion string -} - -// IMAGES_YAML returns this data structure -type ImageYamls []ImageElement - -// ImageElement - a specific image and it's data structure the dmap is a list of shas and container versions -type ImageElement struct { - Name string `json:"name"` - Dmap map[string][]string `json:"dmap"` -} - -// init will set the GitHub token from the committers/releasers env var -func init() { - GITHUB_TOKEN = os.Getenv("GITHUB_TOKEN") -} - -// PromoteImage Creates PR into the k8s.io repo for promotion of ingress from staging to production -func (Release) PromoteImage(version, sha string) { - -} - -// Release Create a new release of ingress nginx controller -func (Release) NewRelease(version string) { - //newRelease := Release{} - - //update ingress-nginx version - //This is the step that kicks all the release process - //it is already done, so it kicks off the gcloud build of the controller images - //mg.Deps(mg.F(Tag.BumpNginx, version)) - - tag, err := getIngressNGINXVersion() - CheckIfError(err, "RELEASE Retrieving the current Ingress Nginx Version") - - Info("RELEASE Checking Current Version %s to New Version %s", tag, version) - //if the version were upgrading does not match the TAG file, lets update the TAG file - if tag[1:] != version { - Warning("RELEASE Ingress Nginx TAG %s and new version %s do not match", tag, version) - mg.Deps(mg.F(Tag.BumpNginx, fmt.Sprintf("v%s", version))) - } - - //update git controller tag controller-v$version - mg.Deps(mg.F(Tag.NewControllerTag, version)) - - //make release notes - releaseNotes, err := makeReleaseNotes(version) - CheckIfError(err, "RELEASE Creating Release Notes for version %s", version) - Info("RELEASE Release Notes %s completed", releaseNotes.Version) - - //update chart values.yaml new controller tag and image digest - releaseNotes.PreviousHelmChartVersion = currentChartVersion() - - //controller tag - updateChartValue("controller.image.tag", fmt.Sprintf("v%s", releaseNotes.Version)) - Debug("releaseNotes.ControllerImages[0].Name %s", releaseNotes.ControllerImages[0].Name) - Debug("releaseNotes.ControllerImages[1].Name %s", releaseNotes.ControllerImages[1].Name) - //controller digest - if releaseNotes.ControllerImages[0].Name == "ingress-nginx/controller" { - Debug("Updating Chart Value %s with %s", "controller.image.digest", releaseNotes.ControllerImages[0].Digest) - updateChartValue("controller.image.digest", releaseNotes.ControllerImages[0].Digest) - } - //controller chroot digest - if releaseNotes.ControllerImages[1].Name == "ingress-nginx/controller-chroot" { - Debug("Updating Chart Value %s with %s", "controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) - updateChartValue("controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) - } - - //update helm chart app version - mg.Deps(mg.F(Helm.UpdateVersion, version)) - - releaseNotes.NewHelmChartVersion = currentChartVersion() - - //update helm chart release notes - updateChartReleaseNotes(releaseNotes.HelmUpdates) - - //Run helm docs update - CheckIfError(runHelmDocs(), "Error Updating Helm Docs ") - - releaseNotes.helmTemplate() - - //update static manifest - CheckIfError(updateStaticManifest(), "Error Updating Static manifests") - - ////update e2e docs - updateE2EDocs() - - //update documentation with ingress-nginx version - CheckIfError(updateIndexMD(releaseNotes.PreviousControllerVersion, releaseNotes.NewControllerVersion), "Error Updating %s", INDEX_DOCS) - - //keeping these manual for now - //git commit TODO - //make Pull Request TODO - //make release TODO - //mg.Deps(mg.F(Release.CreateRelease, version)) -} - -// the index.md doc needs the controller version updated -func updateIndexMD(old, new string) error { - Info("Updating Deploy docs with new version") - data, err := os.ReadFile(INDEX_DOCS) - CheckIfError(err, "Could not read INDEX_DOCS file %s", INDEX_DOCS) - datString := string(data) - datString = strings.Replace(datString, old, new, -1) - err = os.WriteFile(INDEX_DOCS, []byte(datString), 644) - if err != nil { - ErrorF("Could not write new %s %s", INDEX_DOCS, err) - return err - } - return nil -} - -// runs the hack/generate-deploy-scripts.sh -func updateE2EDocs() { - updates, err := sh.Output("./hack/generate-e2e-suite-doc.sh") - CheckIfError(err, "Could not run update hack script") - err = os.WriteFile("docs/e2e-tests.md", []byte(updates), 644) - CheckIfError(err, "Could not write new e2e test file ") -} - -// The static deploy scripts use kustomize to generate them, this function ensures kustomize is installed -func installKustomize() error { - Info("Install Kustomize") - var g0 = sh.RunCmd("go") - // somewhere in your main code - err := g0("install", KUSTOMIZE_INSTALL_VERSION) - if err != nil { - return err - } - return nil -} - -func updateStaticManifest() error { - CheckIfError(installKustomize(), "error installing kustomize") - //hack/generate-deploy-scripts.sh - err := sh.RunV("./hack/generate-deploy-scripts.sh") - if err != nil { - return err - } - return nil -} - -//// CreateRelease Creates a new GitHub Release -//func (Release) CreateRelease(name string) { -// releaser, err := gh_release.NewReleaser(INGRESS_ORG, INGRESS_REPO, GITHUB_TOKEN) -// CheckIfError(err, "GitHub Release Client error") -// newRelease, err := releaser.Create(fmt.Sprintf("controller-%s", name)) -// CheckIfError(err, "Create release error") -// Info("New Release: Tag %v, ID: %v", newRelease.TagName, newRelease.ID) -//} - -// Returns a GitHub client ready for use -func githubClient() *github.Client { - ts := oauth2.StaticTokenSource( - &oauth2.Token{AccessToken: GITHUB_TOKEN}, - ) - oauthClient := oauth2.NewClient(ctx, ts) - return github.NewClient(oauthClient) -} - -// LatestCommitLogs Retrieves the commit log between the latest two controller versions. -func (Release) LatestCommitLogs() { - commitLog := commitsBetweenTags() - for i, s := range commitLog { - Info("#%v Version %v", i, s) - } -} - -func commitsBetweenTags() []string { - tags := getAllControllerTags() - Info("Getting Commits between %v and %v", tags[0], tags[1]) - commitLog, err := git("log", "--full-history", "--pretty", "--oneline", fmt.Sprintf("%v..%v", tags[1], tags[0])) - - if commitLog == "" { - Warning("All Controller Tags is empty") - } - CheckIfError(err, "Retrieving Commit log") - return strings.Split(commitLog, "\n") -} - -// Generate Release Notes -func (Release) ReleaseNotes(newVersion string) error { - notes, err := makeReleaseNotes(newVersion) - CheckIfError(err, "Creating Release Notes for version %s", newVersion) - Info("Release Notes %s completed", notes.Version) - return nil -} - -func makeReleaseNotes(newVersion string) (*ReleaseNote, error) { - var newReleaseNotes = ReleaseNote{} - - newReleaseNotes.Version = newVersion - allControllerTags := getAllControllerTags() - - //new version - newReleaseNotes.NewControllerVersion = allControllerTags[0] - newControllerVersion := fmt.Sprintf("controller-v%s", newVersion) - - //the newControllerVersion should match the latest tag - if newControllerVersion != allControllerTags[0] { - return nil, errors.New(fmt.Sprintf("Generating release new version %s didnt match the current latest tag %s", newControllerVersion, allControllerTags[0])) - } - //previous version - newReleaseNotes.PreviousControllerVersion = allControllerTags[1] - - Info("New Version: %s Old Version: %s", newReleaseNotes.NewControllerVersion, newReleaseNotes.PreviousControllerVersion) - - commits := commitsBetweenTags() - - //dependency_updates - //all_updates - var allUpdates []string - var depUpdates []string - var helmUpdates []string - prRegex := regexp.MustCompile("\\(#\\d+\\)") - depBot := regexp.MustCompile("^(\\w){1,10} Bump ") - helmRegex := regexp.MustCompile("helm|chart") - for i, s := range commits { - //matches on PR - if prRegex.Match([]byte(s)) { - //matches a dependant bot update - if depBot.Match([]byte(s)) { // - Debug("#%v DEPENDABOT %v", i, s) - u := strings.SplitN(s, " ", 2) - depUpdates = append(depUpdates, u[1]) - } else { // add it to the all updates slice - Debug("#%v ALL UPDATES %v", i, s) - u := strings.SplitN(s, " ", 2) - allUpdates = append(allUpdates, u[1]) - - //helm chart updates - if helmRegex.Match([]byte(s)) { - u := strings.SplitN(s, " ", 2) - helmUpdates = append(helmUpdates, u[1]) - } - } - - } - } - helmUpdates = append(helmUpdates, fmt.Sprintf("Update Ingress-Nginx version %s", newReleaseNotes.NewControllerVersion)) - - newReleaseNotes.Updates = allUpdates - newReleaseNotes.DepUpdates = depUpdates - newReleaseNotes.HelmUpdates = helmUpdates - - //controller_image_digests - imagesYaml, err := downloadFile(IMAGES_YAML) - if err != nil { - ErrorF("Could not download file %s : %s", IMAGES_YAML, err) - return nil, err - } - Debug("%s", imagesYaml) - - data := ImageYamls{} - - err = yaml.Unmarshal([]byte(imagesYaml), &data) - if err != nil { - ErrorF("Could not unmarshal images yaml %s", err) - return nil, err - } - - //controller - controllerDigest := findImageDigest(data, "controller", newVersion) - if len(controllerDigest) == 0 { - ErrorF("Controller Digest could not be found") - return nil, errors.New("Controller digest could not be found") - } - - controllerChrootDigest := findImageDigest(data, "controller-chroot", newVersion) - if len(controllerChrootDigest) == 0 { - ErrorF("Controller Chroot Digest could not be found") - return nil, errors.New("Controller Chroot digest could not be found") - } - - Debug("Latest Controller Digest %v", controllerDigest) - Debug("Latest Controller Chroot Digest %v", controllerChrootDigest) - c1 := ControllerImage{ - Digest: controllerDigest, - Registry: INGRESS_REGISTRY, - Name: "ingress-nginx/controller", - Tag: fmt.Sprintf("v%s", newReleaseNotes.Version), - } - - c2 := ControllerImage{ - Digest: controllerChrootDigest, - Registry: INGRESS_REGISTRY, - Name: "ingress-nginx/controller-chroot", - Tag: fmt.Sprintf("v%s", newReleaseNotes.Version), - } - - newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c1) - newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c2) - Debug("New Release Controller Images %s %s", newReleaseNotes.ControllerImages[0].Digest, newReleaseNotes.ControllerImages[1].Digest) - - if DEBUG { - newReleaseNotes.printRelease() - } - - //write it all out to the changelog file - newReleaseNotes.template() - - return &newReleaseNotes, nil -} - -func (i ControllerImage) print() string { - return fmt.Sprintf("%s/%s:%s@%s", i.Registry, i.Name, i.Tag, i.Digest) -} - -func (r ReleaseNote) template() { - // Files are provided as a slice of strings. - changelogTemplate, err := os.ReadFile("Changelog.md.gotmpl") - if err != nil { - ErrorF("Could not read changelog template file %s", err) - } - Debug("ChangeLog Templates %s", string(changelogTemplate)) - t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) - // create a new file - file, err := os.Create(fmt.Sprintf("changelog/Changelog-%s.md", r.Version)) - if err != nil { - ErrorF("Could not create changelog file %s", err) - } - defer file.Close() - - err = t.Execute(file, r) - if err != nil { - ErrorF("executing template:", err) - } -} - -func (r ReleaseNote) helmTemplate() { - // Files are provided as a slice of strings. - changelogTemplate, err := os.ReadFile("charts/ingress-nginx/changelog.md.gotmpl") - if err != nil { - ErrorF("Could not read changelog template file %s", err) - } - Debug("ChangeLog Templates %s", string(changelogTemplate)) - t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) - // create a new file - file, err := os.Create(fmt.Sprintf("charts/ingress-nginx/changelog/Changelog-%s.md", r.NewHelmChartVersion)) - if err != nil { - ErrorF("Could not create changelog file %s", err) - } - defer file.Close() - - err = t.Execute(file, r) - if err != nil { - ErrorF("executing template:", err) - } -} - -func (r ReleaseNote) printRelease() { - Info("Release Version: %v", r.NewControllerVersion) - Info("Previous Version: %v", r.PreviousControllerVersion) - Info("Controller Image: %v", r.ControllerImages[0].print()) - Info("Controller Chroot Image: %v", r.ControllerImages[1].print()) - for i := range r.Updates { - Info("Update #%v - %v", i, r.Updates[i]) - } - for j := range r.DepUpdates { - Info("Dependabot Update #%v - %v", j, r.DepUpdates[j]) - } -} - -func findImageDigest(yaml ImageYamls, image, version string) string { - version = fmt.Sprintf("v%s", version) - Info("Searching Digest for %s:%s", image, version) - for i := range yaml { - if yaml[i].Name == image { - for k, v := range yaml[i].Dmap { - if v[0] == version { - return k - } - } - return "" - } - } - return "" -} - -func downloadFile(url string) (string, error) { - client := &http.Client{ - Transport: &http.Transport{ - DialContext: (&net.Dialer{ - Timeout: 5 * time.Second, - KeepAlive: 5 * time.Second, - }).DialContext, - TLSHandshakeTimeout: 5 * time.Second, - ResponseHeaderTimeout: 5 * time.Second, - ExpectContinueTimeout: 1 * time.Second, - MaxIdleConnsPerHost: -1, - }, - } - resp, err := client.Get(url) - if err != nil { - return "", nil - } - defer resp.Body.Close() - - if resp.StatusCode != http.StatusOK { - return "", errors.New(fmt.Sprintf("Could not retrieve file, response from server %s for file %s", resp.StatusCode, url)) - } - bodyBytes, err := io.ReadAll(resp.Body) - if err != nil { - return "", nil - } - return string(bodyBytes), nil -} - -// Latest returns latest Github Release -func (Release) Latest() error { - r, _, err := latestRelease() - if err != nil { - ErrorF("Latest Release error %s", err) - return err - } - Info("Latest Release %v", r.String()) - return nil -} - -func (Release) ReleaseByTag(tag string) error { - r, _, err := releaseByTag(tag) - if err != nil { - ErrorF("Release retrieve tag error %s", tag, err) - return err - } - - Info("Latest Release %v", r.String()) - - return nil -} - -func releaseByTag(tag string) (*github.RepositoryRelease, *github.Response, error) { - ghClient := githubClient() - return ghClient.Repositories.GetReleaseByTag(ctx, INGRESS_ORG, INGRESS_REPO, tag) -} - -func latestRelease() (*github.RepositoryRelease, *github.Response, error) { - ghClient := githubClient() - return ghClient.Repositories.GetLatestRelease(ctx, INGRESS_ORG, INGRESS_REPO) -} - -// Copy Test function to copy a release -func (Release) Copy() error { - ghClient := githubClient() - kRelease, _, err := ghClient.Repositories.GetLatestRelease(ctx, "kubernetes", "ingress-nginx") - if err != nil { - ErrorF("Get Release from kubernetes %s", err) - return err - } - - sRelease := &github.RepositoryRelease{ - TagName: kRelease.TagName, - Name: kRelease.Name, - Body: kRelease.Body, - Draft: kRelease.Draft, - Prerelease: kRelease.GenerateReleaseNotes, - DiscussionCategoryName: kRelease.DiscussionCategoryName, - GenerateReleaseNotes: kRelease.GenerateReleaseNotes, - } - - sRelease, _, err = ghClient.Repositories.CreateRelease(ctx, "strongjz", "ingress-nginx", sRelease) - if err != nil { - ErrorF("Creating Strongjz release %s", err) - return err - } - Info("Copied over Kubernetes Release %v to Strongjz %v", &kRelease.Name, &sRelease.Name) - return nil -} diff --git a/magefiles/steps/helm.go b/magefiles/steps/helm.go new file mode 100644 index 000000000..b53283f78 --- /dev/null +++ b/magefiles/steps/helm.go @@ -0,0 +1,188 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package steps + +import ( + "bytes" + "fmt" + "os" + "strings" + + semver "github.com/blang/semver/v4" + "github.com/helm/helm/pkg/chartutil" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + yamlpath "github.com/vmware-labs/yaml-jsonpath/pkg/yamlpath" + "gopkg.in/yaml.v3" + + utils "k8s.io/ingress-nginx/magefiles/utils" +) + +const ( + HelmChartPath = "charts/ingress-nginx/Chart.yaml" + HelmChartValues = "charts/ingress-nginx/values.yaml" +) + +type Helm mg.Namespace + +// UpdateVersion Update Helm Version of the Chart +func (Helm) UpdateVersion(version string) { + updateVersion(version) +} + +func currentChartVersion() string { + chart, err := chartutil.LoadChartfile(HelmChartPath) + utils.CheckIfError(err, "HELM Could not Load Chart") + return chart.Version +} + +func updateVersion(version string) { + utils.Info("HELM Reading File %v", HelmChartPath) + + chart, err := chartutil.LoadChartfile(HelmChartPath) + utils.CheckIfError(err, "HELM Could not Load Chart") + + // Get the current tag + // appVersionV, err := getIngressNGINXVersion() + // utils.CheckIfError(err, "HELM Issue Retrieving the Current Ingress Nginx Version") + + // remove the v from TAG + appVersion := version + + utils.Info("HELM Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) + if appVersion == chart.AppVersion { + utils.Warning("HELM Ingress NGINX Version didnt change Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) + return + } + + controllerSemVer, err := semver.Parse(version) + utils.CheckIfError(err, "error parsing semver of new app") + isPreRelease := len(controllerSemVer.Pre) > 0 + oldControllerSemVer, err := semver.Parse(chart.AppVersion) + utils.CheckIfError(err, "error parsing semver of old chart") + isBreakingChange := controllerSemVer.Major > oldControllerSemVer.Major || controllerSemVer.Minor > oldControllerSemVer.Minor + + // Update the helm chart + chart.AppVersion = appVersion + cTag, err := semver.Make(chart.Version) + utils.CheckIfError(err, "HELM Creating Chart Version: %v", err) + + incrFunc := cTag.IncrementPatch + if isBreakingChange { + cTag.Patch = 0 + incrFunc = cTag.IncrementMinor + + } + + if isPreRelease { + chart.Annotations["artifacthub.io/prerelease"] = "true" + cTag.Pre = controllerSemVer.Pre + } + + if err = incrFunc(); err != nil { + utils.ErrorF("HELM Incrementing Chart Version: %v", err) + os.Exit(1) + } + chart.Version = cTag.String() + utils.Debug("HELM Updated Chart Version: %v", chart.Version) + + err = chartutil.SaveChartfile(HelmChartPath, chart) + utils.CheckIfError(err, "HELM Saving new Chart") +} + +func updateChartReleaseNotes(releasesNotes []string) { + utils.Info("HELM Updating the Chart Release notes") + chart, err := chartutil.LoadChartfile(HelmChartPath) + utils.CheckIfError(err, "HELM Could not Load Chart to update release notes %s", HelmChartPath) + for i := range releasesNotes { + releasesNotes[i] = fmt.Sprintf("- %q", releasesNotes[i]) + } + releaseNoteString := strings.Join(releasesNotes, "\n") + utils.Info("HELM Release note string %s", releaseNoteString) + chart.Annotations["artifacthub.io/changes"] = releaseNoteString + err = chartutil.SaveChartfile(HelmChartPath, chart) + utils.CheckIfError(err, "HELM Saving updated release notes for Chart") +} + +// UpdateChartValue Updates the Helm ChartValue +func (Helm) UpdateChartValue(key, value string) { + updateChartValue(key, value) +} + +func updateChartValue(key, value string) { + utils.Info("HELM Updating Chart %s %s:%s", HelmChartValues, key, value) + + // read current values.yaml + data, err := os.ReadFile(HelmChartValues) + utils.CheckIfError(err, "HELM Could not Load Helm Chart Values files %s", HelmChartValues) + + // var valuesStruct IngressChartValue + var n yaml.Node + utils.CheckIfError(yaml.Unmarshal(data, &n), "HELM Could not Unmarshal %s", HelmChartValues) + + // update value + // keyParse := parsePath(key) + p, err := yamlpath.NewPath(key) + utils.CheckIfError(err, "HELM cannot create path") + + q, err := p.Find(&n) + utils.CheckIfError(err, "HELM unexpected error finding path") + + for _, i := range q { + utils.Info("HELM Found %s at %s", i.Value, key) + i.Value = value + utils.Info("HELM Updated %s at %s", i.Value, key) + } + + //// write to file + var b bytes.Buffer + yamlEncoder := yaml.NewEncoder(&b) + yamlEncoder.SetIndent(2) + err = yamlEncoder.Encode(&n) + utils.CheckIfError(err, "HELM Could not Marshal new Values file") + err = os.WriteFile(HelmChartValues, b.Bytes(), 0o644) + utils.CheckIfError(err, "HELM Could not write new Values file to %s", HelmChartValues) + + utils.Info("HELM Ingress Nginx Helm Chart update %s %s", key, value) +} + +func (Helm) Helmdocs() error { + return runHelmDocs() +} + +func runHelmDocs() error { + err := installHelmDocs() + if err != nil { + return err + } + err = sh.RunV("helm-docs", "--chart-search-root=${PWD}/charts") + if err != nil { + return err + } + return nil +} + +func installHelmDocs() error { + utils.Info("HELM Install HelmDocs") + g0 := sh.RunCmd("go") + + err := g0("install", "github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0") + if err != nil { + return err + } + return nil +} diff --git a/magefiles/steps/release.go b/magefiles/steps/release.go new file mode 100644 index 000000000..1ed09850f --- /dev/null +++ b/magefiles/steps/release.go @@ -0,0 +1,396 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package steps + +import ( + "context" + "errors" + "fmt" + "os" + "regexp" + "strings" + + "github.com/google/go-github/v48/github" + "github.com/magefile/mage/mg" + "github.com/magefile/mage/sh" + "golang.org/x/oauth2" + "gopkg.in/yaml.v3" + + utils "k8s.io/ingress-nginx/magefiles/utils" +) + +type Release mg.Namespace + +var ( + INGRESS_ORG = "kubernetes" // the owner so we can test from forks + INGRESS_REPO = "ingress-nginx" // the repo to pull from + RELEASE_BRANCH = "main" // we only release from main + GITHUB_TOKEN string // the Google/gogithub lib needs an PAT to access the GitHub API + K8S_IO_ORG = "kubernetes" // the owner or organization for the k8s.io repo + K8S_IO_REPO = "k8s.io" // the repo that holds the images yaml for production promotion + INGRESS_REGISTRY = "registry.k8s.io" // Container registry for storage Ingress-nginx images + KUSTOMIZE_INSTALL_VERSION = "sigs.k8s.io/kustomize/kustomize/v4@v4.5.4" // static deploys needs kustomize to generate the template +) + +// ingress-nginx releases start with a TAG then a cloudbuild, then a promotion through a PR, this the location of that PR +var ( + IMAGES_YAML = "https://raw.githubusercontent.com/kubernetes/k8s.io/main/registry.k8s.io/images/k8s-staging-ingress-nginx/images.yaml" + ctx = context.Background() // Context used for GitHub Client +) + +const ( + INDEX_DOCS = "docs/deploy/index.md" // index.md has a version of the controller and needs to updated + CHANGELOG = "Changelog.md" // Name of the changelog +) + +// init will set the GitHub token from the committers/releasers env var +func init() { + GITHUB_TOKEN = os.Getenv("GITHUB_TOKEN") +} + +// Release Create a new release of ingress nginx controller +func (Release) NewRelease(version string) { + newRelease(version, "") +} + +func (Release) NewReleaseFromOld(version, oldversion string) { + newRelease(version, oldversion) +} + +func (Release) E2EDocs() { + e2edocs, err := utils.GenerateE2EDocs() + utils.CheckIfError(err, "error on template") + err = os.WriteFile("docs/e2e-tests.md", []byte(e2edocs), 644) + utils.CheckIfError(err, "Could not write new e2e test file ") +} + +func newRelease(version, oldversion string) { + // newRelease := Release{} + + // update ingress-nginx version + // This is the step that kicks all the release process + // it is already done, so it kicks off the gcloud build of the controller images + // mg.Deps(mg.F(Tag.BumpNginx, version)) + + tag, err := getIngressNGINXVersion() + utils.CheckIfError(err, "RELEASE Retrieving the current Ingress Nginx Version") + + utils.Info("RELEASE Checking Current Version %s to New Version %s", tag, version) + // if the version were upgrading does not match the TAG file, lets update the TAG file + if tag[1:] != version { + utils.Warning("RELEASE Ingress Nginx TAG %s and new version %s do not match", tag, version) + mg.Deps(mg.F(Tag.BumpNginx, fmt.Sprintf("v%s", version))) + } + + // update git controller tag controller-v$version + mg.Deps(mg.F(Tag.NewControllerTag, version)) + + // make release notes + releaseNotes, err := makeReleaseNotes(version, oldversion) + utils.CheckIfError(err, "RELEASE Creating Release Notes for version %s", version) + utils.Info("RELEASE Release Notes %s completed", releaseNotes.Version) + + // update chart values.yaml new controller tag and image digest + releaseNotes.PreviousHelmChartVersion = currentChartVersion() + + // controller tag + updateChartValue("controller.image.tag", fmt.Sprintf("v%s", releaseNotes.Version)) + utils.Debug("releaseNotes.ControllerImages[0].Name %s", releaseNotes.ControllerImages[0].Name) + utils.Debug("releaseNotes.ControllerImages[1].Name %s", releaseNotes.ControllerImages[1].Name) + // controller digest + if releaseNotes.ControllerImages[0].Name == "ingress-nginx/controller" { + utils.Debug("Updating Chart Value %s with %s", "controller.image.digest", releaseNotes.ControllerImages[0].Digest) + updateChartValue("controller.image.digest", releaseNotes.ControllerImages[0].Digest) + } + // controller chroot digest + if releaseNotes.ControllerImages[1].Name == "ingress-nginx/controller-chroot" { + utils.Debug("Updating Chart Value %s with %s", "controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) + updateChartValue("controller.image.digestChroot", releaseNotes.ControllerImages[1].Digest) + } + + // update helm chart app version + mg.Deps(mg.F(Helm.UpdateVersion, version)) + + releaseNotes.NewHelmChartVersion = currentChartVersion() + + // update helm chart release notes + updateChartReleaseNotes(releaseNotes.HelmUpdates) + + // Run helm docs update + utils.CheckIfError(runHelmDocs(), "Error Updating Helm Docs ") + + releaseNotes.HelmTemplate() + + // update static manifest + utils.CheckIfError(updateStaticManifest(), "Error Updating Static manifests") + + ////update e2e docs + mg.Deps(mg.F(Release.E2EDocs)) + + // update documentation with ingress-nginx version + utils.CheckIfError(updateIndexMD(releaseNotes.PreviousControllerVersion, releaseNotes.NewControllerVersion), "Error Updating %s", INDEX_DOCS) + + // keeping these manual for now + // git commit TODO + // make Pull Request TODO + // make release TODO + // mg.Deps(mg.F(Release.CreateRelease, version)) +} + +// the index.md doc needs the controller version updated +func updateIndexMD(old, new string) error { + utils.Info("Updating Deploy docs with new version") + data, err := os.ReadFile(INDEX_DOCS) + utils.CheckIfError(err, "Could not read INDEX_DOCS file %s", INDEX_DOCS) + datString := string(data) + datString = strings.Replace(datString, old, new, -1) + err = os.WriteFile(INDEX_DOCS, []byte(datString), 644) + if err != nil { + utils.ErrorF("Could not write new %s %s", INDEX_DOCS, err) + return err + } + return nil +} + +// The static deploy scripts use kustomize to generate them, this function ensures kustomize is installed +func installKustomize() error { + utils.Info("Install Kustomize") + g0 := sh.RunCmd("go") + // somewhere in your main code + err := g0("install", KUSTOMIZE_INSTALL_VERSION) + if err != nil { + return err + } + return nil +} + +func updateStaticManifest() error { + utils.CheckIfError(installKustomize(), "error installing kustomize") + // hack/generate-deploy-scripts.sh + err := sh.RunV("./hack/generate-deploy-scripts.sh") + if err != nil { + return err + } + return nil +} + +//// CreateRelease Creates a new GitHub Release +//func (Release) CreateRelease(name string) { +// releaser, err := gh_release.NewReleaser(INGRESS_ORG, INGRESS_REPO, GITHUB_TOKEN) +// utils.CheckIfError(err, "GitHub Release Client error") +// newRelease, err := releaser.Create(fmt.Sprintf("controller-%s", name)) +// utils.CheckIfError(err, "Create release error") +// utils.Info("New Release: Tag %v, ID: %v", newRelease.TagName, newRelease.ID) +//} + +// Returns a GitHub client ready for use +func githubClient() *github.Client { + ts := oauth2.StaticTokenSource( + &oauth2.Token{AccessToken: GITHUB_TOKEN}, + ) + oauthClient := oauth2.NewClient(ctx, ts) + return github.NewClient(oauthClient) +} + +// LatestCommitLogs Retrieves the commit log between the latest two controller versions. +func (Release) LatestCommitLogs() { + commitLog := commitsBetweenTags("", "") + for i, s := range commitLog { + utils.Info("#%v Version %v", i, s) + } +} + +func commitsBetweenTags(newversion, oldversion string) []string { + + var newTag, oldTag string + tags := getAllControllerTags() + newTag, oldTag = tags[0], tags[1] + if newversion != "" { + newTag = newversion + } + if oldversion != "" { + oldTag = oldversion + } + + utils.Info("Getting Commits between %v and %v", newTag, oldTag) + commitLog, err := git("log", "--full-history", "--pretty", "--oneline", fmt.Sprintf("%v..%v", oldTag, newTag)) + + if commitLog == "" { + utils.Warning("All Controller Tags is empty") + } + utils.CheckIfError(err, "Retrieving Commit log") + return strings.Split(commitLog, "\n") +} + +// Generate Release Notes +func (Release) ReleaseNotes(newVersion string) error { + notes, err := makeReleaseNotes(newVersion, "") + utils.CheckIfError(err, "Creating Release Notes for version %s", newVersion) + utils.Info("Release Notes %s completed", notes.Version) + return nil +} + +func makeReleaseNotes(newVersion, oldVersion string) (*utils.ReleaseNote, error) { + newReleaseNotes := utils.ReleaseNote{} + + newReleaseNotes.Version = newVersion + allControllerTags := getAllControllerTags() + + // new version + newReleaseNotes.NewControllerVersion = allControllerTags[0] + newControllerVersion := fmt.Sprintf("controller-v%s", newVersion) + + // the newControllerVersion should match the latest tag + if newControllerVersion != allControllerTags[0] { + return nil, errors.New(fmt.Sprintf("Generating release new version %s didnt match the current latest tag %s", newControllerVersion, allControllerTags[0])) + } + // previous version + newReleaseNotes.PreviousControllerVersion = allControllerTags[1] + if oldVersion != "" { + newReleaseNotes.PreviousControllerVersion = oldVersion + } + + utils.Info("New Version: %s Old Version: %s", newReleaseNotes.NewControllerVersion, newReleaseNotes.PreviousControllerVersion) + + commits := commitsBetweenTags(newReleaseNotes.NewControllerVersion, newReleaseNotes.PreviousControllerVersion) + + // dependency_updates + // all_updates + var allUpdates []string + var depUpdates []string + var helmUpdates []string + prRegex := regexp.MustCompile("\\(#\\d+\\)") + depBot := regexp.MustCompile("^(\\w){1,10} Bump ") + helmRegex := regexp.MustCompile("helm|chart") + for i, s := range commits { + // matches on PR + if prRegex.Match([]byte(s)) { + // matches a dependant bot update + if depBot.Match([]byte(s)) { // + utils.Debug("#%v DEPENDABOT %v", i, s) + u := strings.SplitN(s, " ", 2) + depUpdates = append(depUpdates, u[1]) + } else { // add it to the all updates slice + utils.Debug("#%v ALL UPDATES %v", i, s) + u := strings.SplitN(s, " ", 2) + allUpdates = append(allUpdates, u[1]) + + // helm chart updates + if helmRegex.Match([]byte(s)) { + u := strings.SplitN(s, " ", 2) + helmUpdates = append(helmUpdates, u[1]) + } + } + } + } + helmUpdates = append(helmUpdates, fmt.Sprintf("Update Ingress-Nginx version %s", newReleaseNotes.NewControllerVersion)) + + newReleaseNotes.Updates = allUpdates + newReleaseNotes.DepUpdates = depUpdates + newReleaseNotes.HelmUpdates = helmUpdates + + // controller_image_digests + imagesYaml, err := utils.DownloadFile(IMAGES_YAML) + if err != nil { + utils.ErrorF("Could not download file %s : %s", IMAGES_YAML, err) + return nil, err + } + utils.Debug("%s", imagesYaml) + + data := utils.ImageYamls{} + + err = yaml.Unmarshal([]byte(imagesYaml), &data) + if err != nil { + utils.ErrorF("Could not unmarshal images yaml %s", err) + return nil, err + } + + // controller + controllerDigest := utils.FindImageDigest(data, "controller", newVersion) + if len(controllerDigest) == 0 { + utils.ErrorF("Controller Digest could not be found") + return nil, errors.New("Controller digest could not be found") + } + + controllerChrootDigest := utils.FindImageDigest(data, "controller-chroot", newVersion) + if len(controllerChrootDigest) == 0 { + utils.ErrorF("Controller Chroot Digest could not be found") + return nil, errors.New("Controller Chroot digest could not be found") + } + + utils.Debug("Latest Controller Digest %v", controllerDigest) + utils.Debug("Latest Controller Chroot Digest %v", controllerChrootDigest) + c1 := utils.ControllerImage{ + Digest: controllerDigest, + Registry: INGRESS_REGISTRY, + Name: "ingress-nginx/controller", + Tag: fmt.Sprintf("v%s", newReleaseNotes.Version), + } + + c2 := utils.ControllerImage{ + Digest: controllerChrootDigest, + Registry: INGRESS_REGISTRY, + Name: "ingress-nginx/controller-chroot", + Tag: fmt.Sprintf("v%s", newReleaseNotes.Version), + } + + newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c1) + newReleaseNotes.ControllerImages = append(newReleaseNotes.ControllerImages, c2) + utils.Debug("New Release Controller Images %s %s", newReleaseNotes.ControllerImages[0].Digest, newReleaseNotes.ControllerImages[1].Digest) + + if utils.DEBUG { + newReleaseNotes.PrintRelease() + } + + // write it all out to the changelog file + newReleaseNotes.Template() + + return &newReleaseNotes, nil +} + +// Latest returns latest Github Release +func (Release) Latest() error { + r, _, err := latestRelease() + if err != nil { + utils.ErrorF("Latest Release error %s", err) + return err + } + utils.Info("Latest Release %v", r.String()) + return nil +} + +func (Release) ReleaseByTag(tag string) error { + r, _, err := releaseByTag(tag) + if err != nil { + utils.ErrorF("Release retrieve tag %s error %s", tag, err) + return err + } + + utils.Info("Latest Release %v", r.String()) + + return nil +} + +func releaseByTag(tag string) (*github.RepositoryRelease, *github.Response, error) { + ghClient := githubClient() + return ghClient.Repositories.GetReleaseByTag(ctx, INGRESS_ORG, INGRESS_REPO, tag) +} + +func latestRelease() (*github.RepositoryRelease, *github.Response, error) { + ghClient := githubClient() + return ghClient.Repositories.GetLatestRelease(ctx, INGRESS_ORG, INGRESS_REPO) +} diff --git a/magefiles/tags.go b/magefiles/steps/tags.go similarity index 64% rename from magefiles/tags.go rename to magefiles/steps/tags.go index 02bbbcb37..e3c811f8c 100644 --- a/magefiles/tags.go +++ b/magefiles/steps/tags.go @@ -1,5 +1,3 @@ -//go:build mage - /* Copyright 2023 The Kubernetes Authors. @@ -16,15 +14,18 @@ See the License for the specific language governing permissions and limitations under the License. */ -package main +package steps import ( "fmt" + "os" + "strings" + semver "github.com/blang/semver/v4" "github.com/magefile/mage/mg" "github.com/magefile/mage/sh" - "os" - "strings" + + utils "k8s.io/ingress-nginx/magefiles/utils" ) type Tag mg.Namespace @@ -34,35 +35,35 @@ var git = sh.OutCmd("git") // Nginx returns the ingress-nginx current version func (Tag) Nginx() { tag, err := getIngressNGINXVersion() - CheckIfError(err, "") + utils.CheckIfError(err, "") fmt.Printf("%v", tag) } func getIngressNGINXVersion() (string, error) { dat, err := os.ReadFile("TAG") - CheckIfError(err, "Could not read TAG file") + utils.CheckIfError(err, "Could not read TAG file") datString := string(dat) - //remove newline + // remove newline datString = strings.Replace(datString, "\n", "", -1) return datString, nil } func checkSemVer(currentVersion, newVersion string) bool { - Info("Checking Sem Ver between current %s and new %s", currentVersion, newVersion) + utils.Info("Checking Sem Ver between current %s and new %s", currentVersion, newVersion) cVersion, err := semver.Make(currentVersion[1:]) if err != nil { - ErrorF("TAG Error Current Tag %v Making Semver : %v", currentVersion[1:], err) + utils.ErrorF("TAG Error Current Tag %v Making Semver : %v", currentVersion[1:], err) return false } nVersion, err := semver.Make(newVersion) if err != nil { - ErrorF("TAG %v Error Making Semver %v \n", newVersion, err) + utils.ErrorF("TAG %v Error Making Semver %v \n", newVersion, err) return false } err = nVersion.Validate() if err != nil { - ErrorF("TAG %v not a valid Semver %v \n", newVersion, err) + utils.ErrorF("TAG %v not a valid Semver %v \n", newVersion, err) return false } @@ -70,10 +71,10 @@ func checkSemVer(currentVersion, newVersion string) bool { //0 if newVersion == currentVersion //-1 if newVersion < currentVersion //+1 if newVersion > currentVersion. - Info("TAG Comparing Old %s to New %s", cVersion.String(), nVersion.String()) + utils.Info("TAG Comparing Old %s to New %s", cVersion.String(), nVersion.String()) comp := nVersion.Compare(cVersion) if comp <= 0 { - Warning("SemVer:%v is not an update\n", newVersion) + utils.Warning("SemVer:%v is not an update\n", newVersion) return false } return true @@ -81,29 +82,29 @@ func checkSemVer(currentVersion, newVersion string) bool { // BumpNginx will update the nginx TAG func (Tag) BumpNginx(newTag string) { - Info("TAG BumpNginx version %v", newTag) + utils.Info("TAG BumpNginx version %v", newTag) currentTag, err := getIngressNGINXVersion() - CheckIfError(err, "Getting Ingress-nginx Version") + utils.CheckIfError(err, "Getting Ingress-nginx Version") bump(currentTag, newTag) } func bump(currentTag, newTag string) { - //check if semver is valid + // check if semver is valid if !checkSemVer(currentTag, newTag) { - ErrorF("ERROR: Semver is not valid %v", newTag) + utils.ErrorF("ERROR: Semver is not valid %v", newTag) os.Exit(1) } - Info("Updating Tag %v to %v", currentTag, newTag) - err := os.WriteFile("TAG", []byte(newTag), 0666) - CheckIfError(err, "Error Writing New Tag File") + utils.Info("Updating Tag %v to %v", currentTag, newTag) + err := os.WriteFile("TAG", []byte(newTag), 0o666) + utils.CheckIfError(err, "Error Writing New Tag File") } // Git Returns the latest git tag func (Tag) Git() { tag, err := getGitTag() - CheckIfError(err, "Retrieving Git Tag") - Info("Git tag: %v", tag) + utils.CheckIfError(err, "Retrieving Git Tag") + utils.Info("Git tag: %v", tag) } func getGitTag() (string, error) { @@ -112,10 +113,10 @@ func getGitTag() (string, error) { // ControllerTag Creates a new Git Tag for the ingress controller func (Tag) NewControllerTag(version string) { - Info("Create Ingress Nginx Controller Tag v%s", version) + utils.Info("Create Ingress Nginx Controller Tag v%s", version) tag, err := controllerTag(version) - CheckIfError(err, "Creating git tag") - Debug("Git Tag: %s", tag) + utils.CheckIfError(err, "Creating git tag") + utils.Debug("Git Tag: %s", tag) } func controllerTag(version string) (string, error) { @@ -125,22 +126,22 @@ func controllerTag(version string) (string, error) { func (Tag) AllControllerTags() { tags := getAllControllerTags() for i, s := range tags { - Info("#%v Version %v", i, s) + utils.Info("#%v Version %v", i, s) } } func getAllControllerTags() []string { allControllerTags, err := git("tag", "-l", "--sort=-v:refname", "controller-v*") - CheckIfError(err, "Retrieving git tags") + utils.CheckIfError(err, "Retrieving git tags") if !sh.CmdRan(err) { - Warning("Issue Running Command") + utils.Warning("Issue Running Command") } if allControllerTags == "" { - Warning("All Controller Tags is empty") + utils.Warning("All Controller Tags is empty") } - Debug("Controller Tags: %v", allControllerTags) + utils.Debug("Controller Tags: %v", allControllerTags) temp := strings.Split(allControllerTags, "\n") - Debug("There are %v controller tags", len(temp)) + utils.Debug("There are %v controller tags", len(temp)) return temp } diff --git a/magefiles/common.go b/magefiles/utils/common.go similarity index 73% rename from magefiles/common.go rename to magefiles/utils/common.go index c5c33f989..19cad7bba 100644 --- a/magefiles/common.go +++ b/magefiles/utils/common.go @@ -1,5 +1,3 @@ -//go:build mage - /* Copyright 2023 The Kubernetes Authors. @@ -16,10 +14,14 @@ See the License for the specific language governing permissions and limitations under the License. */ -package main +package utils import ( + "errors" "fmt" + "io" + "net" + "net/http" "os" "strings" "time" @@ -80,3 +82,32 @@ func Debug(format string, args ...interface{}) { func ErrorF(format string, args ...interface{}) { fmt.Printf("\x1b[31;1m%s ERROR: %s\x1b[0m\n", timeStamp(), fmt.Sprintf(format, args...)) } + +func DownloadFile(url string) (string, error) { + client := &http.Client{ + Transport: &http.Transport{ + DialContext: (&net.Dialer{ + Timeout: 5 * time.Second, + KeepAlive: 5 * time.Second, + }).DialContext, + TLSHandshakeTimeout: 5 * time.Second, + ResponseHeaderTimeout: 5 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + MaxIdleConnsPerHost: -1, + }, + } + resp, err := client.Get(url) + if err != nil { + return "", nil + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return "", errors.New(fmt.Sprintf("could not retrieve file, response from server %d for file %s", resp.StatusCode, url)) + } + bodyBytes, err := io.ReadAll(resp.Body) + if err != nil { + return "", nil + } + return string(bodyBytes), nil +} diff --git a/magefiles/utils/controller.go b/magefiles/utils/controller.go new file mode 100644 index 000000000..c8e250a36 --- /dev/null +++ b/magefiles/utils/controller.go @@ -0,0 +1,68 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package utils + +import ( + "fmt" + + "github.com/google/go-github/v48/github" +) + +// ControllerImage - struct with info about controllers +type ControllerImage struct { + Tag string + Digest string + Registry string + Name string +} + +// IngressRelease All the information about an ingress-nginx release that gets updated +type IngressRelease struct { + ControllerVersion string + ControllerImage ControllerImage + ReleaseNote ReleaseNote + Release *github.RepositoryRelease +} + +// IMAGES_YAML returns this data structure +type ImageYamls []ImageElement + +// ImageElement - a specific image and it's data structure the dmap is a list of shas and container versions +type ImageElement struct { + Name string `json:"name"` + Dmap map[string][]string `json:"dmap"` +} + +func (i ControllerImage) print() string { + return fmt.Sprintf("%s/%s:%s@%s", i.Registry, i.Name, i.Tag, i.Digest) +} + +func FindImageDigest(yaml ImageYamls, image, version string) string { + version = fmt.Sprintf("v%s", version) + Info("Searching Digest for %s:%s", image, version) + for i := range yaml { + if yaml[i].Name == image { + for k, v := range yaml[i].Dmap { + if v[0] == version { + return k + } + } + return "" + } + } + return "" +} diff --git a/magefiles/utils/e2edocs.go b/magefiles/utils/e2edocs.go new file mode 100644 index 000000000..2edc2ca40 --- /dev/null +++ b/magefiles/utils/e2edocs.go @@ -0,0 +1,140 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package utils + +import ( + "bufio" + "bytes" + "embed" + "fmt" + "io/fs" + "os" + "path/filepath" + "regexp" + "strings" + "text/template" + + "slices" +) + +//go:embed templates/e2edocs.tpl +var tplContent embed.FS + +var ( + skipFiles = []string{ + "test/e2e/framework/framework.go", + "test/e2e/e2e.go", + "test/e2e/e2e_test.go", + } +) + +const ( + testDir = "test/e2e" + describe = "Describe" + URL = "https://github.com/kubernetes/ingress-nginx/tree/main/" +) + +var ( + betweenquotes = regexp.MustCompile(`("|\')(?P.*)("|\')`) +) + +type E2ETemplate struct { + URL string + Tests []string +} + +func getDescription(linetext, path, url string, lineN int, isDescription bool) string { + var descriptionLine string + prefix := "-" + if isDescription { + prefix = "###" + } + + matches := betweenquotes.FindStringSubmatch(linetext) + contentIndex := betweenquotes.SubexpIndex("TestDescription") + if len(matches) < 2 || contentIndex == -1 { + return "" + } + + fileName := fmt.Sprintf("%s/%s", url, path) + descriptionLine = fmt.Sprintf("%s [%s](%s#L%d)", prefix, matches[contentIndex], fileName, lineN) + + return descriptionLine +} + +func containsGinkgoTest(line string) bool { + if !strings.Contains(line, describe) && !strings.Contains(line, "It") { + return false + } + return strings.Contains(line, "func() {") +} + +func (t *E2ETemplate) walkE2eDir(path string, d fs.DirEntry, errAggregated error) error { + if errAggregated != nil { + return errAggregated + } + // Remove ignored files or non .go files + if d.IsDir() || slices.Contains(skipFiles, path) || !strings.HasSuffix(path, ".go") { + return nil + } + + content, err := os.ReadFile(path) + if err != nil { + return err + } + + fileScanner := bufio.NewScanner(bytes.NewReader(content)) + + fileScanner.Split(bufio.ScanLines) + + tests := make([]string, 0) + var lineN = 0 + for fileScanner.Scan() { + lineN = lineN + 1 + if !containsGinkgoTest(fileScanner.Text()) { + continue + } + + line := getDescription(fileScanner.Text(), path, t.URL, lineN, strings.Contains(fileScanner.Text(), describe)) + if line != "" { + tests = append(tests, line) + } + } + t.Tests = append(t.Tests, tests...) + return nil +} + +func GenerateE2EDocs() (string, error) { + e2etpl := &E2ETemplate{URL: URL} + err := filepath.WalkDir(testDir, e2etpl.walkE2eDir) + if err != nil { + return "", err + } + + tmpl, err := template.New("e2edocs.tpl").ParseFS(tplContent, "templates/e2edocs.tpl") + if err != nil { + return "", fmt.Errorf("error parsing the template file: %s", err) + } + + tplBuff := new(bytes.Buffer) + err = tmpl.Execute(tplBuff, e2etpl) + if err != nil { + return "", err + } + return tplBuff.String(), nil + +} diff --git a/magefiles/helm.go b/magefiles/utils/helm.go similarity index 50% rename from magefiles/helm.go rename to magefiles/utils/helm.go index 585a93413..dea68caab 100644 --- a/magefiles/helm.go +++ b/magefiles/utils/helm.go @@ -1,5 +1,3 @@ -//go:build mage - /* Copyright 2023 The Kubernetes Authors. @@ -16,183 +14,11 @@ See the License for the specific language governing permissions and limitations under the License. */ -package main - -import ( - "bytes" - "fmt" - "os" - "strings" - - semver "github.com/blang/semver/v4" - "github.com/helm/helm/pkg/chartutil" - "github.com/magefile/mage/mg" - "github.com/magefile/mage/sh" - yamlpath "github.com/vmware-labs/yaml-jsonpath/pkg/yamlpath" - "gopkg.in/yaml.v3" -) - -const HelmChartPath = "charts/ingress-nginx/Chart.yaml" -const HelmChartValues = "charts/ingress-nginx/values.yaml" - -type Helm mg.Namespace - -// UpdateAppVersion Updates the Helm App Version of Ingress Nginx Controller -func (Helm) UpdateAppVersion() { - updateAppVersion() -} - -func updateAppVersion() { - -} - -// UpdateVersion Update Helm Version of the Chart -func (Helm) UpdateVersion(version string) { - updateVersion(version) -} - -func currentChartVersion() string { - chart, err := chartutil.LoadChartfile(HelmChartPath) - CheckIfError(err, "HELM Could not Load Chart") - return chart.Version -} - -func currentChartAppVersion() string { - chart, err := chartutil.LoadChartfile(HelmChartPath) - CheckIfError(err, "HELM Could not Load Chart") - return chart.AppVersion -} - -func updateVersion(version string) { - Info("HELM Reading File %v", HelmChartPath) - - chart, err := chartutil.LoadChartfile(HelmChartPath) - CheckIfError(err, "HELM Could not Load Chart") - - //Get the current tag - //appVersionV, err := getIngressNGINXVersion() - //CheckIfError(err, "HELM Issue Retrieving the Current Ingress Nginx Version") - - //remove the v from TAG - appVersion := version - - Info("HELM Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) - if appVersion == chart.AppVersion { - Warning("HELM Ingress NGINX Version didnt change Ingress-Nginx App Version: %s Chart AppVersion: %s", appVersion, chart.AppVersion) - return - } - - //Update the helm chart - chart.AppVersion = appVersion - cTag, err := semver.Make(chart.Version) - CheckIfError(err, "HELM Creating Chart Version: %v", err) - - if err = cTag.IncrementPatch(); err != nil { - ErrorF("HELM Incrementing Chart Version: %v", err) - os.Exit(1) - } - chart.Version = cTag.String() - Debug("HELM Updated Chart Version: %v", chart.Version) - - err = chartutil.SaveChartfile(HelmChartPath, chart) - CheckIfError(err, "HELM Saving new Chart") -} - -func updateChartReleaseNotes(releasesNotes []string) { - Info("HELM Updating the Chart Release notes") - chart, err := chartutil.LoadChartfile(HelmChartPath) - CheckIfError(err, "HELM Could not Load Chart to update release notes %s", HelmChartPath) - var releaseNoteString string - for i := range releasesNotes { - releaseNoteString = fmt.Sprintf("%s - \"%s\"\n", releaseNoteString, releasesNotes[i]) - } - Info("HELM Release note string %s", releaseNoteString) - chart.Annotations["artifacthub.io/changes"] = releaseNoteString - err = chartutil.SaveChartfile(HelmChartPath, chart) - CheckIfError(err, "HELM Saving updated release notes for Chart") -} - -func UpdateChartChangelog() { - -} - -// UpdateChartValue Updates the Helm ChartValue -func (Helm) UpdateChartValue(key, value string) { - updateChartValue(key, value) -} - -func updateChartValue(key, value string) { - Info("HELM Updating Chart %s %s:%s", HelmChartValues, key, value) - - //read current values.yaml - data, err := os.ReadFile(HelmChartValues) - CheckIfError(err, "HELM Could not Load Helm Chart Values files %s", HelmChartValues) - - //var valuesStruct IngressChartValue - var n yaml.Node - CheckIfError(yaml.Unmarshal(data, &n), "HELM Could not Unmarshal %s", HelmChartValues) - - //update value - //keyParse := parsePath(key) - p, err := yamlpath.NewPath(key) - CheckIfError(err, "HELM cannot create path") - - q, err := p.Find(&n) - CheckIfError(err, "HELM unexpected error finding path") - - for _, i := range q { - Info("HELM Found %s at %s", i.Value, key) - i.Value = value - Info("HELM Updated %s at %s", i.Value, key) - } - - //// write to file - var b bytes.Buffer - yamlEncoder := yaml.NewEncoder(&b) - yamlEncoder.SetIndent(2) - err = yamlEncoder.Encode(&n) - CheckIfError(err, "HELM Could not Marshal new Values file") - err = os.WriteFile(HelmChartValues, b.Bytes(), 0644) - CheckIfError(err, "HELM Could not write new Values file to %s", HelmChartValues) - - Info("HELM Ingress Nginx Helm Chart update %s %s", key, value) -} - -func (Helm) Helmdocs() error { - return runHelmDocs() -} -func runHelmDocs() error { - err := installHelmDocs() - if err != nil { - return err - } - err = sh.RunV("helm-docs", "--chart-search-root=${PWD}/charts") - if err != nil { - return err - } - return nil -} - -func installHelmDocs() error { - Info("HELM Install HelmDocs") - var g0 = sh.RunCmd("go") - - err := g0("install", "github.com/norwoodj/helm-docs/cmd/helm-docs@v1.11.0") - if err != nil { - return err - } - return nil -} -func parsePath(key string) []string { return strings.Split(key, ".") } - -func updateHelmDocs() { - -} +package utils type IngressChartValue struct { - CommonLabels struct { - } `yaml:"commonLabels"` - Controller struct { + CommonLabels struct{} `yaml:"commonLabels"` + Controller struct { Name string `yaml:"name"` Image struct { Chroot bool `yaml:"chroot"` @@ -211,24 +37,18 @@ type IngressChartValue struct { HTTP int `yaml:"http"` HTTPS int `yaml:"https"` } `yaml:"containerPort"` - Config struct { - } `yaml:"config"` - ConfigAnnotations struct { - } `yaml:"configAnnotations"` - ProxySetHeaders struct { - } `yaml:"proxySetHeaders"` - AddHeaders struct { - } `yaml:"addHeaders"` - DNSConfig struct { - } `yaml:"dnsConfig"` - Hostname struct { - } `yaml:"hostname"` - DNSPolicy string `yaml:"dnsPolicy"` - ReportNodeInternalIP bool `yaml:"reportNodeInternalIp"` - WatchIngressWithoutClass bool `yaml:"watchIngressWithoutClass"` - IngressClassByName bool `yaml:"ingressClassByName"` - AllowSnippetAnnotations bool `yaml:"allowSnippetAnnotations"` - HostNetwork bool `yaml:"hostNetwork"` + Config struct{} `yaml:"config"` + ConfigAnnotations struct{} `yaml:"configAnnotations"` + ProxySetHeaders struct{} `yaml:"proxySetHeaders"` + AddHeaders struct{} `yaml:"addHeaders"` + DNSConfig struct{} `yaml:"dnsConfig"` + Hostname struct{} `yaml:"hostname"` + DNSPolicy string `yaml:"dnsPolicy"` + ReportNodeInternalIP bool `yaml:"reportNodeInternalIp"` + WatchIngressWithoutClass bool `yaml:"watchIngressWithoutClass"` + IngressClassByName bool `yaml:"ingressClassByName"` + AllowSnippetAnnotations bool `yaml:"allowSnippetAnnotations"` + HostNetwork bool `yaml:"hostNetwork"` HostPort struct { Enabled bool `yaml:"enabled"` Ports struct { @@ -238,21 +58,17 @@ type IngressChartValue struct { } `yaml:"hostPort"` ElectionID string `yaml:"electionID"` IngressClassResource struct { - Name string `yaml:"name"` - Enabled bool `yaml:"enabled"` - Default bool `yaml:"default"` - ControllerValue string `yaml:"controllerValue"` - Parameters struct { - } `yaml:"parameters"` + Name string `yaml:"name"` + Enabled bool `yaml:"enabled"` + Default bool `yaml:"default"` + ControllerValue string `yaml:"controllerValue"` + Parameters struct{} `yaml:"parameters"` } `yaml:"ingressClassResource"` - IngressClass string `yaml:"ingressClass"` - PodLabels struct { - } `yaml:"podLabels"` - PodSecurityContext struct { - } `yaml:"podSecurityContext"` - Sysctls struct { - } `yaml:"sysctls"` - PublishService struct { + IngressClass string `yaml:"ingressClass"` + PodLabels struct{} `yaml:"podLabels"` + PodSecurityContext struct{} `yaml:"podSecurityContext"` + Sysctls struct{} `yaml:"sysctls"` + PublishService struct { Enabled bool `yaml:"enabled"` PathOverride string `yaml:"pathOverride"` } `yaml:"publishService"` @@ -263,30 +79,23 @@ type IngressChartValue struct { } `yaml:"scope"` ConfigMapNamespace string `yaml:"configMapNamespace"` TCP struct { - ConfigMapNamespace string `yaml:"configMapNamespace"` - Annotations struct { - } `yaml:"annotations"` + ConfigMapNamespace string `yaml:"configMapNamespace"` + Annotations struct{} `yaml:"annotations"` } `yaml:"tcp"` UDP struct { - ConfigMapNamespace string `yaml:"configMapNamespace"` - Annotations struct { - } `yaml:"annotations"` + ConfigMapNamespace string `yaml:"configMapNamespace"` + Annotations struct{} `yaml:"annotations"` } `yaml:"udp"` - MaxmindLicenseKey string `yaml:"maxmindLicenseKey"` - ExtraArgs struct { - } `yaml:"extraArgs"` - ExtraEnvs []interface{} `yaml:"extraEnvs"` - Kind string `yaml:"kind"` - Annotations struct { - } `yaml:"annotations"` - Labels struct { - } `yaml:"labels"` - UpdateStrategy struct { - } `yaml:"updateStrategy"` - MinReadySeconds int `yaml:"minReadySeconds"` - Tolerations []interface{} `yaml:"tolerations"` - Affinity struct { - } `yaml:"affinity"` + MaxmindLicenseKey string `yaml:"maxmindLicenseKey"` + ExtraArgs struct{} `yaml:"extraArgs"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + Kind string `yaml:"kind"` + Annotations struct{} `yaml:"annotations"` + Labels struct{} `yaml:"labels"` + UpdateStrategy struct{} `yaml:"updateStrategy"` + MinReadySeconds int `yaml:"minReadySeconds"` + Tolerations []interface{} `yaml:"tolerations"` + Affinity struct{} `yaml:"affinity"` TopologySpreadConstraints []interface{} `yaml:"topologySpreadConstraints"` TerminationGracePeriodSeconds int `yaml:"terminationGracePeriodSeconds"` NodeSelector struct { @@ -316,29 +125,26 @@ type IngressChartValue struct { SuccessThreshold int `yaml:"successThreshold"` FailureThreshold int `yaml:"failureThreshold"` } `yaml:"readinessProbe"` - HealthCheckPath string `yaml:"healthCheckPath"` - HealthCheckHost string `yaml:"healthCheckHost"` - PodAnnotations struct { - } `yaml:"podAnnotations"` - ReplicaCount int `yaml:"replicaCount"` - MinAvailable int `yaml:"minAvailable"` - Resources struct { + HealthCheckPath string `yaml:"healthCheckPath"` + HealthCheckHost string `yaml:"healthCheckHost"` + PodAnnotations struct{} `yaml:"podAnnotations"` + ReplicaCount int `yaml:"replicaCount"` + MinAvailable int `yaml:"minAvailable"` + Resources struct { Requests struct { CPU string `yaml:"cpu"` Memory string `yaml:"memory"` } `yaml:"requests"` } `yaml:"resources"` Autoscaling struct { - APIVersion string `yaml:"apiVersion"` - Enabled bool `yaml:"enabled"` - Annotations struct { - } `yaml:"annotations"` - MinReplicas int `yaml:"minReplicas"` - MaxReplicas int `yaml:"maxReplicas"` - TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` - TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` - Behavior struct { - } `yaml:"behavior"` + APIVersion string `yaml:"apiVersion"` + Enabled bool `yaml:"enabled"` + Annotations struct{} `yaml:"annotations"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` + Behavior struct{} `yaml:"behavior"` } `yaml:"autoscaling"` AutoscalingTemplate []interface{} `yaml:"autoscalingTemplate"` Keda struct { @@ -350,12 +156,10 @@ type IngressChartValue struct { CooldownPeriod int `yaml:"cooldownPeriod"` RestoreToOriginalReplicaCount bool `yaml:"restoreToOriginalReplicaCount"` ScaledObject struct { - Annotations struct { - } `yaml:"annotations"` + Annotations struct{} `yaml:"annotations"` } `yaml:"scaledObject"` Triggers []interface{} `yaml:"triggers"` - Behavior struct { - } `yaml:"behavior"` + Behavior struct{} `yaml:"behavior"` } `yaml:"keda"` EnableMimalloc bool `yaml:"enableMimalloc"` CustomTemplate struct { @@ -363,12 +167,10 @@ type IngressChartValue struct { ConfigMapKey string `yaml:"configMapKey"` } `yaml:"customTemplate"` Service struct { - Enabled bool `yaml:"enabled"` - AppProtocol bool `yaml:"appProtocol"` - Annotations struct { - } `yaml:"annotations"` - Labels struct { - } `yaml:"labels"` + Enabled bool `yaml:"enabled"` + AppProtocol bool `yaml:"appProtocol"` + Annotations struct{} `yaml:"annotations"` + Labels struct{} `yaml:"labels"` ExternalIPs []interface{} `yaml:"externalIPs"` LoadBalancerIP string `yaml:"loadBalancerIP"` LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` @@ -386,20 +188,17 @@ type IngressChartValue struct { } `yaml:"targetPorts"` Type string `yaml:"type"` NodePorts struct { - HTTP string `yaml:"http"` - HTTPS string `yaml:"https"` - TCP struct { - } `yaml:"tcp"` - UDP struct { - } `yaml:"udp"` + HTTP string `yaml:"http"` + HTTPS string `yaml:"https"` + TCP struct{} `yaml:"tcp"` + UDP struct{} `yaml:"udp"` } `yaml:"nodePorts"` External struct { Enabled bool `yaml:"enabled"` } `yaml:"external"` Internal struct { - Enabled bool `yaml:"enabled"` - Annotations struct { - } `yaml:"annotations"` + Enabled bool `yaml:"enabled"` + Annotations struct{} `yaml:"annotations"` LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` } `yaml:"internal"` } `yaml:"service"` @@ -417,25 +216,20 @@ type IngressChartValue struct { } `yaml:"containerSecurityContext"` } `yaml:"opentelemetry"` AdmissionWebhooks struct { - Annotations struct { - } `yaml:"annotations"` - Enabled bool `yaml:"enabled"` - ExtraEnvs []interface{} `yaml:"extraEnvs"` - FailurePolicy string `yaml:"failurePolicy"` - Port int `yaml:"port"` - Certificate string `yaml:"certificate"` - Key string `yaml:"key"` - NamespaceSelector struct { - } `yaml:"namespaceSelector"` - ObjectSelector struct { - } `yaml:"objectSelector"` - Labels struct { - } `yaml:"labels"` - ExistingPsp string `yaml:"existingPsp"` - NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"` + Annotations struct{} `yaml:"annotations"` + Enabled bool `yaml:"enabled"` + ExtraEnvs []interface{} `yaml:"extraEnvs"` + FailurePolicy string `yaml:"failurePolicy"` + Port int `yaml:"port"` + Certificate string `yaml:"certificate"` + Key string `yaml:"key"` + NamespaceSelector struct{} `yaml:"namespaceSelector"` + ObjectSelector struct{} `yaml:"objectSelector"` + Labels struct{} `yaml:"labels"` + ExistingPsp string `yaml:"existingPsp"` + NetworkPolicyEnabled bool `yaml:"networkPolicyEnabled"` Service struct { - Annotations struct { - } `yaml:"annotations"` + Annotations struct{} `yaml:"annotations"` ExternalIPs []interface{} `yaml:"externalIPs"` LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` ServicePort int `yaml:"servicePort"` @@ -445,15 +239,13 @@ type IngressChartValue struct { SecurityContext struct { AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` } `yaml:"securityContext"` - Resources struct { - } `yaml:"resources"` + Resources struct{} `yaml:"resources"` } `yaml:"createSecretJob"` PatchWebhookJob struct { SecurityContext struct { AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` } `yaml:"securityContext"` - Resources struct { - } `yaml:"resources"` + Resources struct{} `yaml:"resources"` } `yaml:"patchWebhookJob"` Patch struct { Enabled bool `yaml:"enabled"` @@ -464,15 +256,13 @@ type IngressChartValue struct { Digest string `yaml:"digest"` PullPolicy string `yaml:"pullPolicy"` } `yaml:"image"` - PriorityClassName string `yaml:"priorityClassName"` - PodAnnotations struct { - } `yaml:"podAnnotations"` - NodeSelector struct { + PriorityClassName string `yaml:"priorityClassName"` + PodAnnotations struct{} `yaml:"podAnnotations"` + NodeSelector struct { KubernetesIoOs string `yaml:"kubernetes.io/os"` } `yaml:"nodeSelector"` - Tolerations []interface{} `yaml:"tolerations"` - Labels struct { - } `yaml:"labels"` + Tolerations []interface{} `yaml:"tolerations"` + Labels struct{} `yaml:"labels"` SecurityContext struct { RunAsNonRoot bool `yaml:"runAsNonRoot"` RunAsUser int `yaml:"runAsUser"` @@ -494,30 +284,26 @@ type IngressChartValue struct { PortName string `yaml:"portName"` Enabled bool `yaml:"enabled"` Service struct { - Annotations struct { - } `yaml:"annotations"` + Annotations struct{} `yaml:"annotations"` ExternalIPs []interface{} `yaml:"externalIPs"` LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` ServicePort int `yaml:"servicePort"` Type string `yaml:"type"` } `yaml:"service"` ServiceMonitor struct { - Enabled bool `yaml:"enabled"` - AdditionalLabels struct { - } `yaml:"additionalLabels"` - Namespace string `yaml:"namespace"` - NamespaceSelector struct { - } `yaml:"namespaceSelector"` + Enabled bool `yaml:"enabled"` + AdditionalLabels struct{} `yaml:"additionalLabels"` + Namespace string `yaml:"namespace"` + NamespaceSelector struct{} `yaml:"namespaceSelector"` ScrapeInterval string `yaml:"scrapeInterval"` TargetLabels []interface{} `yaml:"targetLabels"` Relabelings []interface{} `yaml:"relabelings"` MetricRelabelings []interface{} `yaml:"metricRelabelings"` } `yaml:"serviceMonitor"` PrometheusRule struct { - Enabled bool `yaml:"enabled"` - AdditionalLabels struct { - } `yaml:"additionalLabels"` - Rules []interface{} `yaml:"rules"` + Enabled bool `yaml:"enabled"` + AdditionalLabels struct{} `yaml:"additionalLabels"` + Rules []interface{} `yaml:"rules"` } `yaml:"prometheusRule"` } `yaml:"metrics"` Lifecycle struct { @@ -543,9 +329,8 @@ type IngressChartValue struct { ReadOnlyRootFilesystem bool `yaml:"readOnlyRootFilesystem"` AllowPrivilegeEscalation bool `yaml:"allowPrivilegeEscalation"` } `yaml:"image"` - ExistingPsp string `yaml:"existingPsp"` - ExtraArgs struct { - } `yaml:"extraArgs"` + ExistingPsp string `yaml:"existingPsp"` + ExtraArgs struct{} `yaml:"extraArgs"` ServiceAccount struct { Create bool `yaml:"create"` Name string `yaml:"name"` @@ -567,46 +352,37 @@ type IngressChartValue struct { SuccessThreshold int `yaml:"successThreshold"` TimeoutSeconds int `yaml:"timeoutSeconds"` } `yaml:"readinessProbe"` - Tolerations []interface{} `yaml:"tolerations"` - Affinity struct { - } `yaml:"affinity"` - PodSecurityContext struct { - } `yaml:"podSecurityContext"` - ContainerSecurityContext struct { - } `yaml:"containerSecurityContext"` - PodLabels struct { - } `yaml:"podLabels"` - NodeSelector struct { + Tolerations []interface{} `yaml:"tolerations"` + Affinity struct{} `yaml:"affinity"` + PodSecurityContext struct{} `yaml:"podSecurityContext"` + ContainerSecurityContext struct{} `yaml:"containerSecurityContext"` + PodLabels struct{} `yaml:"podLabels"` + NodeSelector struct { KubernetesIoOs string `yaml:"kubernetes.io/os"` } `yaml:"nodeSelector"` - PodAnnotations struct { - } `yaml:"podAnnotations"` - ReplicaCount int `yaml:"replicaCount"` - MinAvailable int `yaml:"minAvailable"` - Resources struct { - } `yaml:"resources"` + PodAnnotations struct{} `yaml:"podAnnotations"` + ReplicaCount int `yaml:"replicaCount"` + MinAvailable int `yaml:"minAvailable"` + Resources struct{} `yaml:"resources"` ExtraVolumeMounts []interface{} `yaml:"extraVolumeMounts"` ExtraVolumes []interface{} `yaml:"extraVolumes"` Autoscaling struct { - Annotations struct { - } `yaml:"annotations"` - Enabled bool `yaml:"enabled"` - MinReplicas int `yaml:"minReplicas"` - MaxReplicas int `yaml:"maxReplicas"` - TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` - TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` + Annotations struct{} `yaml:"annotations"` + Enabled bool `yaml:"enabled"` + MinReplicas int `yaml:"minReplicas"` + MaxReplicas int `yaml:"maxReplicas"` + TargetCPUUtilizationPercentage int `yaml:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage int `yaml:"targetMemoryUtilizationPercentage"` } `yaml:"autoscaling"` Service struct { - Annotations struct { - } `yaml:"annotations"` + Annotations struct{} `yaml:"annotations"` ExternalIPs []interface{} `yaml:"externalIPs"` LoadBalancerSourceRanges []interface{} `yaml:"loadBalancerSourceRanges"` ServicePort int `yaml:"servicePort"` Type string `yaml:"type"` } `yaml:"service"` - PriorityClassName string `yaml:"priorityClassName"` - Labels struct { - } `yaml:"labels"` + PriorityClassName string `yaml:"priorityClassName"` + Labels struct{} `yaml:"labels"` } `yaml:"defaultBackend"` Rbac struct { Create bool `yaml:"create"` @@ -616,17 +392,14 @@ type IngressChartValue struct { Enabled bool `yaml:"enabled"` } `yaml:"podSecurityPolicy"` ServiceAccount struct { - Create bool `yaml:"create"` - Name string `yaml:"name"` - AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` - Annotations struct { - } `yaml:"annotations"` + Create bool `yaml:"create"` + Name string `yaml:"name"` + AutomountServiceAccountToken bool `yaml:"automountServiceAccountToken"` + Annotations struct{} `yaml:"annotations"` } `yaml:"serviceAccount"` ImagePullSecrets []interface{} `yaml:"imagePullSecrets"` - TCP struct { - } `yaml:"tcp"` - UDP struct { - } `yaml:"udp"` - PortNamePrefix string `yaml:"portNamePrefix"` - DhParam interface{} `yaml:"dhParam"` + TCP struct{} `yaml:"tcp"` + UDP struct{} `yaml:"udp"` + PortNamePrefix string `yaml:"portNamePrefix"` + DhParam interface{} `yaml:"dhParam"` } diff --git a/magefiles/utils/releasenote.go b/magefiles/utils/releasenote.go new file mode 100644 index 000000000..fa883104f --- /dev/null +++ b/magefiles/utils/releasenote.go @@ -0,0 +1,91 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package utils + +import ( + "fmt" + "os" + "text/template" +) + +// ReleaseNote - All the pieces of information/documents that get updated during a release +type ReleaseNote struct { + Version string + NewControllerVersion string + PreviousControllerVersion string + ControllerImages []ControllerImage + DepUpdates []string + Updates []string + HelmUpdates []string + NewHelmChartVersion string + PreviousHelmChartVersion string +} + +func (r ReleaseNote) Template() { + // Files are provided as a slice of strings. + changelogTemplate, err := os.ReadFile("Changelog.md.gotmpl") + if err != nil { + ErrorF("Could not read changelog template file %s", err) + } + Debug("ChangeLog Templates %s", string(changelogTemplate)) + t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) + // create a new file + file, err := os.Create(fmt.Sprintf("changelog/Changelog-%s.md", r.Version)) + if err != nil { + ErrorF("Could not create changelog file %s", err) + } + defer file.Close() + + err = t.Execute(file, r) + if err != nil { + ErrorF("executing template: %s", err) + } +} + +func (r ReleaseNote) HelmTemplate() { + // Files are provided as a slice of strings. + changelogTemplate, err := os.ReadFile("charts/ingress-nginx/changelog.md.gotmpl") + if err != nil { + ErrorF("Could not read changelog template file %s", err) + } + Debug("ChangeLog Templates %s", string(changelogTemplate)) + t := template.Must(template.New("changelog").Parse(string(changelogTemplate))) + // create a new file + file, err := os.Create(fmt.Sprintf("charts/ingress-nginx/changelog/Changelog-%s.md", r.NewHelmChartVersion)) + if err != nil { + ErrorF("Could not create changelog file %s", err) + } + defer file.Close() + + err = t.Execute(file, r) + if err != nil { + ErrorF("executing template: %s", err) + } +} + +func (r ReleaseNote) PrintRelease() { + Info("Release Version: %v", r.NewControllerVersion) + Info("Previous Version: %v", r.PreviousControllerVersion) + Info("Controller Image: %v", r.ControllerImages[0].print()) + Info("Controller Chroot Image: %v", r.ControllerImages[1].print()) + for i := range r.Updates { + Info("Update #%v - %v", i, r.Updates[i]) + } + for j := range r.DepUpdates { + Info("Dependabot Update #%v - %v", j, r.DepUpdates[j]) + } +} diff --git a/magefiles/utils/templates/e2edocs.tpl b/magefiles/utils/templates/e2edocs.tpl new file mode 100644 index 000000000..8757c10bd --- /dev/null +++ b/magefiles/utils/templates/e2edocs.tpl @@ -0,0 +1,10 @@ + + +# e2e test suite for [Ingress NGINX Controller]({{.URL}}) + +{{ range $test := .Tests }} +{{ $test }} +{{- end }} \ No newline at end of file diff --git a/pkg/apis/ingress/sslcert.go b/pkg/apis/ingress/sslcert.go index 7dee3880d..b340b2d9a 100644 --- a/pkg/apis/ingress/sslcert.go +++ b/pkg/apis/ingress/sslcert.go @@ -66,12 +66,12 @@ type SSLCert struct { } // GetObjectKind implements the ObjectKind interface as a noop -func (s SSLCert) GetObjectKind() schema.ObjectKind { +func (s *SSLCert) GetObjectKind() schema.ObjectKind { return schema.EmptyObjectKind } // Identifier returns a the couple issuer / serial number if they both exist, an empty string otherwise -func (s SSLCert) Identifier() string { +func (s *SSLCert) Identifier() string { if s.Certificate != nil { if s.Certificate.SerialNumber != nil { return fmt.Sprintf("%s-%s", s.Certificate.Issuer.SerialNumber, s.Certificate.SerialNumber.String()) @@ -81,7 +81,7 @@ func (s SSLCert) Identifier() string { } // HashInclude defines if a field should be used or not to calculate the hash -func (s SSLCert) HashInclude(field string, v interface{}) (bool, error) { +func (s *SSLCert) HashInclude(field string, _ interface{}) (bool, error) { switch field { case "PemSHA", "CASHA", "ExpireTime": return true, nil diff --git a/pkg/apis/ingress/types.go b/pkg/apis/ingress/types.go index 284e9b427..0742e9f3b 100644 --- a/pkg/apis/ingress/types.go +++ b/pkg/apis/ingress/types.go @@ -73,7 +73,7 @@ type Configuration struct { DefaultSSLCertificate *SSLCert `json:"-"` - StreamSnippets []string + StreamSnippets []string `json:"StreamSnippets"` } // Backend describes one or more remote server/s (endpoints) associated with a service @@ -129,7 +129,7 @@ type TrafficShapingPolicy struct { } // HashInclude defines if a field should be used or not to calculate the hash -func (s Backend) HashInclude(field string, v interface{}) (bool, error) { +func (b *Backend) HashInclude(field string, _ interface{}) (bool, error) { switch field { case "Endpoints": return false, nil @@ -410,5 +410,4 @@ type Ingress struct { } // GeneralConfig holds the definition of lua general configuration data -type GeneralConfig struct { -} +type GeneralConfig struct{} diff --git a/pkg/apis/ingress/types_equals.go b/pkg/apis/ingress/types_equals.go index c87f5ba3e..45f0eedba 100644 --- a/pkg/apis/ingress/types_equals.go +++ b/pkg/apis/ingress/types_equals.go @@ -80,58 +80,58 @@ func (c1 *Configuration) Equal(c2 *Configuration) bool { } // Equal tests for equality between two Backend types -func (b1 *Backend) Equal(b2 *Backend) bool { - if b1 == b2 { +func (b *Backend) Equal(newB *Backend) bool { + if b == newB { return true } - if b1 == nil || b2 == nil { + if b == nil || newB == nil { return false } - if b1.Name != b2.Name { + if b.Name != newB.Name { return false } - if b1.NoServer != b2.NoServer { + if b.NoServer != newB.NoServer { return false } - if b1.Service != b2.Service { - if b1.Service == nil || b2.Service == nil { + if b.Service != newB.Service { + if b.Service == nil || newB.Service == nil { return false } - if b1.Service.GetNamespace() != b2.Service.GetNamespace() { + if b.Service.GetNamespace() != newB.Service.GetNamespace() { return false } - if b1.Service.GetName() != b2.Service.GetName() { + if b.Service.GetName() != newB.Service.GetName() { return false } } - if b1.Port != b2.Port { + if b.Port != newB.Port { return false } - if b1.SSLPassthrough != b2.SSLPassthrough { + if b.SSLPassthrough != newB.SSLPassthrough { return false } - if !(&b1.SessionAffinity).Equal(&b2.SessionAffinity) { + if !(&b.SessionAffinity).Equal(&newB.SessionAffinity) { return false } - if b1.UpstreamHashBy != b2.UpstreamHashBy { + if b.UpstreamHashBy != newB.UpstreamHashBy { return false } - if b1.LoadBalancing != b2.LoadBalancing { + if b.LoadBalancing != newB.LoadBalancing { return false } - match := compareEndpoints(b1.Endpoints, b2.Endpoints) + match := compareEndpoints(b.Endpoints, newB.Endpoints) if !match { return false } - if !b1.TrafficShapingPolicy.Equal(b2.TrafficShapingPolicy) { + if !b.TrafficShapingPolicy.Equal(&newB.TrafficShapingPolicy) { return false } - return sets.StringElementsMatch(b1.AlternativeBackends, b2.AlternativeBackends) + return sets.StringElementsMatch(b.AlternativeBackends, newB.AlternativeBackends) } // Equal tests for equality between two SessionAffinityConfig types @@ -243,7 +243,7 @@ func (e1 *Endpoint) Equal(e2 *Endpoint) bool { } // Equal checks for equality between two TrafficShapingPolicies -func (tsp1 TrafficShapingPolicy) Equal(tsp2 TrafficShapingPolicy) bool { +func (tsp1 *TrafficShapingPolicy) Equal(tsp2 *TrafficShapingPolicy) bool { if tsp1.Weight != tsp2.Weight { return false } @@ -335,6 +335,8 @@ func (s1 *Server) Equal(s2 *Server) bool { } // Equal tests for equality between two Location types +// +//nolint:gocyclo // Ignore function complexity error func (l1 *Location) Equal(l2 *Location) bool { if l1 == l2 { return true @@ -550,39 +552,39 @@ func (l4b1 *L4Backend) Equal(l4b2 *L4Backend) bool { } // Equal tests for equality between two SSLCert types -func (s1 *SSLCert) Equal(s2 *SSLCert) bool { - if s1 == s2 { +func (s *SSLCert) Equal(newS *SSLCert) bool { + if s == newS { return true } - if s1 == nil || s2 == nil { + if s == nil || newS == nil { return false } - if s1.CASHA != s2.CASHA { + if s.CASHA != newS.CASHA { return false } - if s1.CRLSHA != s2.CRLSHA { + if s.CRLSHA != newS.CRLSHA { return false } - if s1.PemSHA != s2.PemSHA { + if s.PemSHA != newS.PemSHA { return false } - if s1.CAFileName != s2.CAFileName { + if s.CAFileName != newS.CAFileName { return false } - if s1.CRLFileName != s2.CRLFileName { + if s.CRLFileName != newS.CRLFileName { return false } - if !s1.ExpireTime.Equal(s2.ExpireTime) { + if !s.ExpireTime.Equal(newS.ExpireTime) { return false } - if s1.PemCertKey != s2.PemCertKey { + if s.PemCertKey != newS.PemCertKey { return false } - if s1.UID != s2.UID { + if s.UID != newS.UID { return false } - return sets.StringElementsMatch(s1.CN, s2.CN) + return sets.StringElementsMatch(s.CN, newS.CN) } var compareEndpointsFunc = func(e1, e2 interface{}) bool { diff --git a/pkg/apis/ingress/types_equals_test.go b/pkg/apis/ingress/types_equals_test.go index 78d29d46c..53643f912 100644 --- a/pkg/apis/ingress/types_equals_test.go +++ b/pkg/apis/ingress/types_equals_test.go @@ -25,19 +25,29 @@ import ( ) func TestEqualConfiguration(t *testing.T) { - ap, _ := filepath.Abs("../../../test/manifests/configuration-a.json") + ap, err := filepath.Abs("../../../test/manifests/configuration-a.json") + if err != nil { + t.Errorf("unexpected error: %v", err) + } a, err := readJSON(ap) if err != nil { t.Errorf("unexpected error reading JSON file: %v", err) } - bp, _ := filepath.Abs("../../../test/manifests/configuration-b.json") + bp, err := filepath.Abs("../../../test/manifests/configuration-b.json") + if err != nil { + t.Errorf("unexpected error: %v", err) + } + b, err := readJSON(bp) if err != nil { t.Errorf("unexpected error reading JSON file: %v", err) } - cp, _ := filepath.Abs("../../../test/manifests/configuration-c.json") + cp, err := filepath.Abs("../../../test/manifests/configuration-c.json") + if err != nil { + t.Errorf("unexpected error: %v", err) + } c, err := readJSON(cp) if err != nil { t.Errorf("unexpected error reading JSON file: %v", err) @@ -84,15 +94,18 @@ func TestL4ServiceElementsMatch(t *testing.T) { {[]L4Service{{Port: 80}}, []L4Service{{Port: 80}}, true}, { []L4Service{ - {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.1"}}}}, + {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.1"}}}, + }, []L4Service{{Port: 80}}, false, }, { []L4Service{ - {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.1"}, {Address: "1.1.1.2"}}}}, + {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.1"}, {Address: "1.1.1.2"}}}, + }, []L4Service{ - {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.2"}, {Address: "1.1.1.1"}}}}, + {Port: 80, Endpoints: []Endpoint{{Address: "1.1.1.2"}, {Address: "1.1.1.1"}}}, + }, true, }, { diff --git a/pkg/flags/flags.go b/pkg/flags/flags.go index 2c926a35f..d3bc4ee86 100644 --- a/pkg/flags/flags.go +++ b/pkg/flags/flags.go @@ -221,7 +221,7 @@ Takes the form ":port". If not provided, no admission controller is starte disableSyncEvents = flags.Bool("disable-sync-events", false, "Disables the creation of 'Sync' event resources") - enableTopologyAwareRouting = flags.Bool("enable-topology-aware-routing", false, "Enable topology aware hints feature, needs service object annotation service.kubernetes.io/topology-aware-hints sets to auto.") + enableTopologyAwareRouting = flags.Bool("enable-topology-aware-routing", false, "Enable topology aware routing feature, needs service object annotation service.kubernetes.io/topology-mode sets to auto.") ) flags.StringVar(&nginx.MaxmindMirror, "maxmind-mirror", "", `Maxmind mirror url (example: http://geoip.local/databases.`) @@ -298,12 +298,12 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g nginx.HealthCheckTimeout = time.Duration(*defHealthCheckTimeout) * time.Second } - if len(*watchNamespace) != 0 && len(*watchNamespaceSelector) != 0 { + if *watchNamespace != "" && *watchNamespaceSelector != "" { return false, nil, fmt.Errorf("flags --watch-namespace and --watch-namespace-selector are mutually exclusive") } var namespaceSelector labels.Selector - if len(*watchNamespaceSelector) != 0 { + if *watchNamespaceSelector != "" { var err error namespaceSelector, err = labels.Parse(*watchNamespaceSelector) if err != nil { @@ -311,7 +311,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g } } - var histogramBuckets = &collectors.HistogramBuckets{ + histogramBuckets := &collectors.HistogramBuckets{ TimeBuckets: *timeBuckets, LengthBuckets: *lengthBuckets, SizeBuckets: *sizeBuckets, @@ -360,7 +360,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g HTTPS: *httpsPort, SSLProxy: *sslProxyPort, }, - IngressClassConfiguration: &ingressclass.IngressClassConfiguration{ + IngressClassConfiguration: &ingressclass.Configuration{ Controller: *ingressClassController, AnnotationValue: *ingressClassAnnotation, WatchWithoutClass: *watchWithoutClass, @@ -380,7 +380,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g var err error if nginx.MaxmindEditionIDs != "" { - if err = nginx.ValidateGeoLite2DBEditions(); err != nil { + if err := nginx.ValidateGeoLite2DBEditions(); err != nil { return false, nil, err } if nginx.MaxmindLicenseKey != "" || nginx.MaxmindMirror != "" { diff --git a/pkg/flags/flags_test.go b/pkg/flags/flags_test.go index 2a33d73dd..bffe2b16d 100644 --- a/pkg/flags/flags_test.go +++ b/pkg/flags/flags_test.go @@ -33,7 +33,8 @@ func TestDefaults(t *testing.T) { oldArgs := os.Args defer func() { os.Args = oldArgs }() - os.Args = []string{"cmd", + os.Args = []string{ + "cmd", "--default-backend-service", "namespace/test", "--http-port", "0", "--https-port", "0", @@ -53,8 +54,8 @@ func TestDefaults(t *testing.T) { } } -func TestSetupSSLProxy(t *testing.T) { - // TODO +func TestSetupSSLProxy(_ *testing.T) { + // TODO TestSetupSSLProxy } func TestFlagConflict(t *testing.T) { diff --git a/pkg/metrics/handler.go b/pkg/metrics/handler.go index c37c1760c..73c7d328f 100644 --- a/pkg/metrics/handler.go +++ b/pkg/metrics/handler.go @@ -29,7 +29,6 @@ import ( ) func RegisterHealthz(healthPath string, mux *http.ServeMux, checks ...healthz.HealthChecker) { - healthCheck := []healthz.HealthChecker{healthz.PingHealthz} if len(checks) > 0 { healthCheck = append(healthCheck, checks...) @@ -67,7 +66,7 @@ func RegisterProfiler(host string, port int) { server := &http.Server{ Addr: fmt.Sprintf("%s:%d", host, port), - //G112 (CWE-400): Potential Slowloris Attack + // G112 (CWE-400): Potential Slowloris Attack ReadHeaderTimeout: 10 * time.Second, Handler: mux, } diff --git a/pkg/tcpproxy/tcp.go b/pkg/tcpproxy/tcp.go index 25cc39ee4..eda4a2746 100644 --- a/pkg/tcpproxy/tcp.go +++ b/pkg/tcpproxy/tcp.go @@ -69,7 +69,7 @@ func (p *TCPProxy) Handle(conn net.Conn) { } proxy := p.Default - hostname, err := parser.GetHostname(data[:]) + hostname, err := parser.GetHostname(data) if err == nil { klog.V(4).InfoS("TLS Client Hello", "host", hostname) proxy = p.Get(hostname) @@ -91,8 +91,14 @@ func (p *TCPProxy) Handle(conn net.Conn) { if proxy.ProxyProtocol { // write out the Proxy Protocol header - localAddr := conn.LocalAddr().(*net.TCPAddr) - remoteAddr := conn.RemoteAddr().(*net.TCPAddr) + localAddr, ok := conn.LocalAddr().(*net.TCPAddr) + if !ok { + klog.Errorf("unexpected type: %T", conn.LocalAddr()) + } + remoteAddr, ok := conn.RemoteAddr().(*net.TCPAddr) + if !ok { + klog.Errorf("unexpected type: %T", conn.RemoteAddr()) + } protocol := "UNKNOWN" if remoteAddr.IP.To4() != nil { protocol = "TCP4" diff --git a/pkg/util/file/file_watcher.go b/pkg/util/file/file_watcher.go index daf955e52..3899e41f8 100644 --- a/pkg/util/file/file_watcher.go +++ b/pkg/util/file/file_watcher.go @@ -26,8 +26,8 @@ import ( "github.com/fsnotify/fsnotify" ) -// FileWatcher is an interface we use to watch changes in files -type FileWatcher interface { +// Watcher is an interface we use to watch changes in files +type Watcher interface { Close() error } @@ -40,7 +40,7 @@ type OSFileWatcher struct { } // NewFileWatcher creates a new FileWatcher -func NewFileWatcher(file string, onEvent func()) (FileWatcher, error) { +func NewFileWatcher(file string, onEvent func()) (Watcher, error) { fw := OSFileWatcher{ file: file, onEvent: onEvent, diff --git a/pkg/util/file/filesystem.go b/pkg/util/file/filesystem.go index 7c0db9f12..ccb93ed06 100644 --- a/pkg/util/file/filesystem.go +++ b/pkg/util/file/filesystem.go @@ -17,4 +17,4 @@ limitations under the License. package file // ReadWriteByUser defines linux permission to read and write files for the owner user -const ReadWriteByUser = 0700 +const ReadWriteByUser = 0o700 diff --git a/pkg/util/file/structure.go b/pkg/util/file/structure.go index d109e8c03..7d4f26da9 100644 --- a/pkg/util/file/structure.go +++ b/pkg/util/file/structure.go @@ -33,12 +33,10 @@ const ( DefaultSSLDirectory = "/etc/ingress-controller/ssl" ) -var ( - directories = []string{ - DefaultSSLDirectory, - AuthDirectory, - } -) +var directories = []string{ + DefaultSSLDirectory, + AuthDirectory, +} // CreateRequiredDirectories verifies if the required directories to // start the ingress controller exist and creates the missing ones. diff --git a/pkg/util/ingress/ingress.go b/pkg/util/ingress/ingress.go index e69ca7b29..881d5a001 100644 --- a/pkg/util/ingress/ingress.go +++ b/pkg/util/ingress/ingress.go @@ -114,7 +114,7 @@ func GetRemovedIngresses(rucfg, newcfg *ingress.Configuration) []string { // IsDynamicConfigurationEnough returns whether a Configuration can be // dynamically applied, without reloading the backend. -func IsDynamicConfigurationEnough(newcfg *ingress.Configuration, oldcfg *ingress.Configuration) bool { +func IsDynamicConfigurationEnough(newcfg, oldcfg *ingress.Configuration) bool { copyOfRunningConfig := *oldcfg copyOfPcfg := *newcfg @@ -133,21 +133,21 @@ func IsDynamicConfigurationEnough(newcfg *ingress.Configuration, oldcfg *ingress // clearL4serviceEndpoints is a helper function to clear endpoints from the ingress configuration since they should be ignored when // checking if the new configuration changes can be applied dynamically. func clearL4serviceEndpoints(config *ingress.Configuration) { - var clearedTCPL4Services []ingress.L4Service - var clearedUDPL4Services []ingress.L4Service - for _, service := range config.TCPEndpoints { + clearedTCPL4Services := make([]ingress.L4Service, 0, len(config.TCPEndpoints)) + clearedUDPL4Services := make([]ingress.L4Service, 0, len(config.UDPEndpoints)) + for i := range config.TCPEndpoints { copyofService := ingress.L4Service{ - Port: service.Port, - Backend: service.Backend, + Port: config.TCPEndpoints[i].Port, + Backend: config.TCPEndpoints[i].Backend, Endpoints: []ingress.Endpoint{}, Service: nil, } clearedTCPL4Services = append(clearedTCPL4Services, copyofService) } - for _, service := range config.UDPEndpoints { + for i := range config.UDPEndpoints { copyofService := ingress.L4Service{ - Port: service.Port, - Backend: service.Backend, + Port: config.UDPEndpoints[i].Port, + Backend: config.UDPEndpoints[i].Backend, Endpoints: []ingress.Endpoint{}, Service: nil, } @@ -160,7 +160,7 @@ func clearL4serviceEndpoints(config *ingress.Configuration) { // clearCertificates is a helper function to clear Certificates from the ingress configuration since they should be ignored when // checking if the new configuration changes can be applied dynamically if dynamic certificates is on func clearCertificates(config *ingress.Configuration) { - var clearedServers []*ingress.Server + clearedServers := make([]*ingress.Server, 0, len(config.Servers)) for _, server := range config.Servers { copyOfServer := *server copyOfServer.SSLCert = nil @@ -169,16 +169,16 @@ func clearCertificates(config *ingress.Configuration) { config.Servers = clearedServers } -type redirect struct { +type Redirect struct { From string To string SSLCert *ingress.SSLCert } // BuildRedirects build the redirects of servers based on configurations and certificates -func BuildRedirects(servers []*ingress.Server) []*redirect { +func BuildRedirects(servers []*ingress.Server) []*Redirect { names := sets.Set[string]{} - redirectServers := make([]*redirect, 0) + redirectServers := make([]*Redirect, 0) for _, srv := range servers { if !srv.RedirectFromToWWW { @@ -212,7 +212,7 @@ func BuildRedirects(servers []*ingress.Server) []*redirect { continue } - r := &redirect{ + r := &Redirect{ From: from, To: to, } diff --git a/pkg/util/process/controller.go b/pkg/util/process/controller.go index ae9bc9356..a73e81934 100644 --- a/pkg/util/process/controller.go +++ b/pkg/util/process/controller.go @@ -16,9 +16,9 @@ limitations under the License. package process -// ProcessController defines a common interface for a process to be controlled, +// Controller defines a common interface for a process to be controlled, // like the configurer, the webhook or the proper ingress controller -type ProcessController interface { +type Controller interface { Start() Stop() error } diff --git a/pkg/util/process/sigterm.go b/pkg/util/process/sigterm.go index 77c0ad58c..1c0d729c1 100644 --- a/pkg/util/process/sigterm.go +++ b/pkg/util/process/sigterm.go @@ -29,7 +29,7 @@ type exiter func(code int) // HandleSigterm receives a ProcessController interface and deals with // the graceful shutdown -func HandleSigterm(ngx ProcessController, delay int, exit exiter) { +func HandleSigterm(ngx Controller, delay int, exit exiter) { signalChan := make(chan os.Signal, 1) signal.Notify(signalChan, syscall.SIGTERM) <-signalChan diff --git a/pkg/util/process/sigterm_test.go b/pkg/util/process/sigterm_test.go index b7413bed4..08c8275c3 100644 --- a/pkg/util/process/sigterm_test.go +++ b/pkg/util/process/sigterm_test.go @@ -43,7 +43,7 @@ func (f *FakeProcess) exiterFunc(code int) { } func sendDelayedSignal(delay time.Duration) error { - time.Sleep(delay * time.Second) + time.Sleep(delay) return syscall.Kill(syscall.Getpid(), syscall.SIGTERM) } @@ -67,7 +67,7 @@ func TestHandleSigterm(t *testing.T) { process := &FakeProcess{shouldError: tt.shouldError} t.Run(tt.name, func(t *testing.T) { go func() { - err := sendDelayedSignal(2) // Send a signal after 2 seconds + err := sendDelayedSignal(2 * time.Second) // Send a signal after 2 seconds if err != nil { t.Errorf("error sending delayed signal: %v", err) } diff --git a/pkg/util/runtime/cpu_notlinux.go b/pkg/util/runtime/cpu_notlinux.go index 2a1b48252..97c72cd5a 100644 --- a/pkg/util/runtime/cpu_notlinux.go +++ b/pkg/util/runtime/cpu_notlinux.go @@ -23,7 +23,7 @@ import ( "runtime" ) -// NumCPU ... +// NumCPU returns the number of logical CPUs usable by the current process. func NumCPU() int { return runtime.NumCPU() } diff --git a/pkg/util/sets/match_test.go b/pkg/util/sets/match_test.go index e2366d2c7..a65c5a05f 100644 --- a/pkg/util/sets/match_test.go +++ b/pkg/util/sets/match_test.go @@ -20,23 +20,20 @@ import ( "testing" ) -var ( - testCasesElementMatch = []struct { - listA []string - listB []string - expected bool - }{ - {nil, nil, true}, - {[]string{"1"}, nil, false}, - {[]string{"1"}, []string{"1"}, true}, - {[]string{"1", "2", "1"}, []string{"1", "1", "2"}, true}, - {[]string{"1", "3", "1"}, []string{"1", "1", "2"}, false}, - {[]string{"1", "1"}, []string{"1", "2"}, false}, - } -) +var testCasesElementMatch = []struct { + listA []string + listB []string + expected bool +}{ + {nil, nil, true}, + {[]string{"1"}, nil, false}, + {[]string{"1"}, []string{"1"}, true}, + {[]string{"1", "2", "1"}, []string{"1", "1", "2"}, true}, + {[]string{"1", "3", "1"}, []string{"1", "1", "2"}, false}, + {[]string{"1", "1"}, []string{"1", "2"}, false}, +} func TestElementsMatch(t *testing.T) { - for _, testCase := range testCasesElementMatch { result := StringElementsMatch(testCase.listA, testCase.listB) if result != testCase.expected { diff --git a/rootfs/Dockerfile-chroot b/rootfs/Dockerfile-chroot index 48facd44f..945304ad2 100644 --- a/rootfs/Dockerfile-chroot +++ b/rootfs/Dockerfile-chroot @@ -50,7 +50,6 @@ RUN apk update \ && apk add -U --no-cache \ bash \ openssl \ - curl \ ca-certificates \ dumb-init \ tzdata \ diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 02b5309cd..e3145e6a5 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -140,7 +140,7 @@ http { {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}} {{/* we use the value of the real IP for the geo_ip module */}} - {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIp }} + {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }} {{ if $cfg.UseProxyProtocol }} real_ip_header proxy_protocol; {{ else }} @@ -296,7 +296,10 @@ http { {{ end }} aio threads; + + {{ if $cfg.EnableAioWrite }} aio_write on; + {{ end }} tcp_nopush on; tcp_nodelay on; @@ -406,7 +409,7 @@ http { {{ if $cfg.EnableSyslog }} access_log syslog:server={{ $cfg.SyslogHost }}:{{ $cfg.SyslogPort }} upstreaminfo if=$loggable; {{ else }} - access_log {{ or $cfg.HttpAccessLogPath $cfg.AccessLogPath }} upstreaminfo {{ $cfg.AccessLogParams }} if=$loggable; + access_log {{ or $cfg.HTTPAccessLogPath $cfg.AccessLogPath }} upstreaminfo {{ $cfg.AccessLogParams }} if=$loggable; {{ end }} {{ end }} @@ -709,6 +712,11 @@ http { # default server, used for NGINX healthcheck and access to nginx stats server { + # Ensure that modsecurity will not run on an internal location as this is not accessible from outside + {{ if $all.Cfg.EnableModsecurity }} + modsecurity off; + {{ end }} + listen 127.0.0.1:{{ .StatusPort }}; set $proxy_upstream_name "internal"; @@ -817,7 +825,7 @@ stream { error_log {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }}; - {{ if $cfg.EnableRealIp }} + {{ if $cfg.EnableRealIP }} {{ range $trusted_ip := $cfg.ProxyRealIPCIDR }} set_real_ip_from {{ $trusted_ip }}; {{ end }} @@ -1097,7 +1105,9 @@ stream { opentelemetry_propagate; {{ end }} + {{ if not $all.Cfg.EnableAuthAccessLog }} access_log off; + {{ end }} # Ensure that modsecurity will not run on an internal location as this is not accessible from outside {{ if $all.Cfg.EnableModsecurity }} @@ -1334,7 +1344,7 @@ stream { # `auth_request` module does not support HTTP keepalives in upstream block: # https://trac.nginx.org/nginx/ticket/1579 access_by_lua_block { - local res = ngx.location.capture('{{ $authPath }}', { method = ngx.HTTP_GET, body = '' }) + local res = ngx.location.capture('{{ $authPath }}', { method = ngx.HTTP_GET, body = '', share_all_vars = {{ $externalAuth.KeepaliveShareVars }} }) if res.status == ngx.HTTP_OK then ngx.var.auth_cookie = res.header['Set-Cookie'] {{- range $line := buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }} diff --git a/test/e2e-image/Dockerfile b/test/e2e-image/Dockerfile index 2ee5716ed..28609d23d 100644 --- a/test/e2e-image/Dockerfile +++ b/test/e2e-image/Dockerfile @@ -7,7 +7,6 @@ RUN apk update \ && apk upgrade && apk add -U --no-cache \ ca-certificates \ bash \ - curl \ tzdata \ libc6-compat \ openssl diff --git a/test/e2e-image/Makefile b/test/e2e-image/Makefile index f68d6ea6e..bd3453253 100644 --- a/test/e2e-image/Makefile +++ b/test/e2e-image/Makefile @@ -1,6 +1,6 @@ DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST)))) -E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230623-d50c7193b@sha256:e5c68dc56934c273850bfb75c0348a2819756669baf59fcdce9e16771537b247" +E2E_BASE_IMAGE ?= "registry.k8s.io/ingress-nginx/e2e-test-runner:v20230907-5bb82dcb7@sha256:421cda0f65a949b8b67b5e62a45071702d19ed458a3e2ba753171b0e66943210" image: echo "..entered Makefile in /test/e2e-image" diff --git a/test/e2e/admission/admission.go b/test/e2e/admission/admission.go index 0ee8248b0..c41105e2d 100644 --- a/test/e2e/admission/admission.go +++ b/test/e2e/admission/admission.go @@ -34,6 +34,8 @@ import ( networking "k8s.io/api/networking/v1" ) +const admissionTestHost = "admission-test" + var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", func() { f := framework.NewDefaultFramework("admission") @@ -43,7 +45,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("reject ingress with global-rate-limit annotations when memcached is not configured", func() { - host := "admission-test" + host := admissionTestHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/global-rate-limit": "100", @@ -70,7 +72,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should not allow overlaps of host and paths without canary annotations", func() { - host := "admission-test" + host := admissionTestHost firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, nil) _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) @@ -87,7 +89,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should allow overlaps of host and paths with canary annotation", func() { - host := "admission-test" + host := admissionTestHost firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, nil) _, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{}) @@ -125,7 +127,16 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if there is an error validating the ingress definition", func() { - host := "admission-test" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := admissionTestHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": "something invalid", @@ -136,7 +147,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if there is an invalid value in some annotation", func() { - host := "admission-test" + host := admissionTestHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/connection-proxy-header": "a;}", @@ -150,7 +161,7 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if there is a forbidden value in some annotation", func() { - host := "admission-test" + host := admissionTestHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/connection-proxy-header": "set_by_lua", @@ -195,7 +206,6 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", validPath := framework.NewSingleIngress("second-ingress", "/bloblo", host, f.Namespace, framework.EchoService, 80, nil) _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), validPath, metav1.CreateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with valid path should not return an error") - }) ginkgo.It("should not return an error if the Ingress V1 definition is valid with Ingress Class", func() { @@ -231,6 +241,15 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + out, err := createIngress(f.Namespace, invalidV1Ingress) assert.Empty(ginkgo.GinkgoT(), out) assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl") @@ -242,6 +261,14 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller", }) ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass) assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out) assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl") @@ -346,7 +373,7 @@ func createIngress(namespace, ingressDefinition string) (string, error) { execOut bytes.Buffer execErr bytes.Buffer ) - + //nolint:gosec // Ignore G204 error cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%v --warnings-as-errors=false apply --namespace %s -f -", framework.KubectlPath, namespace)) cmd.Stdin = strings.NewReader(ingressDefinition) cmd.Stdout = &execOut diff --git a/test/e2e/annotations/affinity.go b/test/e2e/annotations/affinity.go index 3e1e9e969..b64581ef6 100644 --- a/test/e2e/annotations/affinity.go +++ b/test/e2e/annotations/affinity.go @@ -32,6 +32,14 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + affinityAnnotation = "cookie" + cookieName = "SERVERID" + enableAnnotation = "true" + disableAnnotation = "false" + defaultHost = "foo.com" +) + var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f := framework.NewDefaultFramework("affinity") @@ -42,8 +50,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set sticky cookie SERVERID", func() { host := "sticky.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -64,8 +72,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should change cookie name on ingress definition change", func() { host := "change.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -80,7 +88,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { WithHeader("Host", host). Expect(). Status(http.StatusOK). - Header("Set-Cookie").Contains("SERVERID") + Header("Set-Cookie").Contains(cookieName) ing.ObjectMeta.Annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "OTHERCOOKIENAME" @@ -99,8 +107,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set the path to /something on the generated cookie", func() { host := "path.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName ing := framework.NewSingleIngress(host, "/something", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -122,8 +130,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { pathtype := networking.PathTypePrefix host := "morethanonerule.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName f.EnsureIngress(&networking.Ingress{ ObjectMeta: metav1.ObjectMeta{ @@ -194,7 +202,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set cookie with expires", func() { host := "cookieexpires.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "ExpiresCookie" annotations["nginx.ingress.kubernetes.io/session-cookie-expires"] = "172800" annotations["nginx.ingress.kubernetes.io/session-cookie-max-age"] = "259200" @@ -211,7 +219,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { assert.Nil(ginkgo.GinkgoT(), err, "loading GMT location") assert.NotNil(ginkgo.GinkgoT(), local, "expected a location but none returned") - duration, _ := time.ParseDuration("48h") + duration, err := time.ParseDuration("48h") + assert.Nil(ginkgo.GinkgoT(), err, "parsing duration") expected := time.Now().In(local).Add(duration).Format("Mon, 02-Jan-06 15:04") f.HTTPTestClient(). @@ -225,7 +234,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set cookie with domain", func() { host := "cookiedomain.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "DomainCookie" annotations["nginx.ingress.kubernetes.io/session-cookie-domain"] = "foo.bar" @@ -248,7 +257,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should not set cookie without domain annotation", func() { host := "cookienodomain.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "NoDomainCookie" ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) @@ -270,9 +279,9 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should work with use-regex annotation and session-cookie-path", func() { host := "useregex.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/use-regex"] = "true" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/use-regex"] = enableAnnotation annotations["nginx.ingress.kubernetes.io/session-cookie-path"] = "/foo/bar" ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations) @@ -294,9 +303,9 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should warn user when use-regex is true and session-cookie-path is not set", func() { host := "useregexwarn.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/use-regex"] = "true" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/use-regex"] = enableAnnotation ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -321,7 +330,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { host := "separate.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation ing1 := framework.NewSingleIngress("ingress1", "/foo/bar", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing1) @@ -351,8 +360,8 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { ginkgo.It("should set sticky cookie without host", func() { annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName ing := framework.NewSingleIngress("default-no-host", "/", "", f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -370,12 +379,12 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { }) ginkgo.It("should work with server-alias annotation", func() { - host := "foo.com" + host := defaultHost alias1 := "a1.foo.com" alias2 := "a2.foo.com" annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName annotations["nginx.ingress.kubernetes.io/server-alias"] = fmt.Sprintf("%s,%s", alias1, alias2) ing := framework.NewSingleIngress(host, "/bar", host, f.Namespace, framework.EchoService, 80, annotations) @@ -383,7 +392,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { f.WaitForNginxServer(host, func(server string) bool { - //server alias sort by sort.Strings(), see: internal/ingress/annotations/alias/main.go:60 + // server alias sort by sort.Strings(), see: internal/ingress/annotations/alias/main.go:60 return strings.Contains(server, fmt.Sprintf("server_name %s %s %s ;", host, alias1, alias2)) }) @@ -410,11 +419,11 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { }) ginkgo.It("should set secure in cookie with provided true annotation on http", func() { - host := "foo.com" + host := defaultHost annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = "true" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = enableAnnotation ing := framework.NewSingleIngress(host, "/bar", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -433,11 +442,11 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { }) ginkgo.It("should not set secure in cookie with provided false annotation on http", func() { - host := "foo.com" + host := defaultHost annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = "false" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = disableAnnotation ing := framework.NewSingleIngress(host, "/bar", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -456,11 +465,11 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { }) ginkgo.It("should set secure in cookie with provided false annotation on https", func() { - host := "foo.com" + host := defaultHost annotations := make(map[string]string) - annotations["nginx.ingress.kubernetes.io/affinity"] = "cookie" - annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "SERVERID" - annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = "false" + annotations["nginx.ingress.kubernetes.io/affinity"] = affinityAnnotation + annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = cookieName + annotations["nginx.ingress.kubernetes.io/session-cookie-secure"] = disableAnnotation f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, annotations)) @@ -470,6 +479,7 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() { strings.Contains(server, "listen 443") }) + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). WithURL(f.GetURL(framework.HTTPS)). diff --git a/test/e2e/annotations/affinitymode.go b/test/e2e/annotations/affinitymode.go index ad210cfa5..e6253b6ff 100644 --- a/test/e2e/annotations/affinitymode.go +++ b/test/e2e/annotations/affinitymode.go @@ -28,6 +28,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const sslRedirectValue = "false" + var _ = framework.DescribeAnnotation("affinitymode", func() { f := framework.NewDefaultFramework("affinity") @@ -45,7 +47,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "hello-cookie" annotations["nginx.ingress.kubernetes.io/session-cookie-expires"] = "172800" annotations["nginx.ingress.kubernetes.io/session-cookie-max-age"] = "172800" - annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = "false" + annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = sslRedirectValue annotations["nginx.ingress.kubernetes.io/affinity-mode"] = "balanced" annotations["nginx.ingress.kubernetes.io/session-cookie-hash"] = "sha1" @@ -78,7 +80,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { annotations["nginx.ingress.kubernetes.io/session-cookie-name"] = "hello-cookie" annotations["nginx.ingress.kubernetes.io/session-cookie-expires"] = "172800" annotations["nginx.ingress.kubernetes.io/session-cookie-max-age"] = "172800" - annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = "false" + annotations["nginx.ingress.kubernetes.io/ssl-redirect"] = sslRedirectValue annotations["nginx.ingress.kubernetes.io/affinity-mode"] = "persistent" annotations["nginx.ingress.kubernetes.io/session-cookie-hash"] = "sha1" @@ -106,7 +108,7 @@ var _ = framework.DescribeAnnotation("affinitymode", func() { // Send new requests and add new backends. Check which backend responded to the sent request cookies := getCookiesFromHeader(response.Header("Set-Cookie").Raw()) for sendRequestNumber := 0; sendRequestNumber < 10; sendRequestNumber++ { - replicas = replicas + 1 + replicas++ err := framework.UpdateDeployment(f.KubeClientSet, f.Namespace, deploymentName, replicas, nil) assert.Nil(ginkgo.GinkgoT(), err) framework.Sleep() diff --git a/test/e2e/annotations/alias.go b/test/e2e/annotations/alias.go index de829507d..ca4fe9c31 100644 --- a/test/e2e/annotations/alias.go +++ b/test/e2e/annotations/alias.go @@ -26,6 +26,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const fooHost = "foo" + var _ = framework.DescribeAnnotation("server-alias", func() { f := framework.NewDefaultFramework("alias") @@ -34,7 +36,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { }) ginkgo.It("should return status code 200 for host 'foo' and 404 for 'bar'", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -60,7 +62,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { }) ginkgo.It("should return status code 200 for host 'foo' and 'bar'", func() { - host := "foo" + host := fooHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-alias": "bar", } @@ -73,7 +75,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { return strings.Contains(server, fmt.Sprintf("server_name %v", host)) }) - hosts := []string{"foo", "bar"} + hosts := []string{fooHost, "bar"} for _, host := range hosts { f.HTTPTestClient(). GET("/"). @@ -85,7 +87,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { }) ginkgo.It("should return status code 200 for hosts defined in two ingresses, different path with one alias", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngress("app-a", "/app-a", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -101,7 +103,7 @@ var _ = framework.DescribeAnnotation("server-alias", func() { return strings.Contains(server, fmt.Sprintf("server_name %v bar", host)) }) - hosts := []string{"foo", "bar"} + hosts := []string{fooHost, "bar"} for _, host := range hosts { f.HTTPTestClient(). GET("/app-a"). diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index 8011186a1..415ffd951 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -36,6 +36,12 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + differentHost = "different" + authHost = "auth" + authURL = "http://foo.bar.baz:5000/path" +) + var _ = framework.DescribeAnnotation("auth-*", func() { f := framework.NewDefaultFramework("auth", framework.WithHTTPBunEnabled()) @@ -44,7 +50,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 200 when no authentication is configured", func() { - host := "auth" + host := authHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -63,7 +69,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 503 when authentication is configured with an invalid secret", func() { - host := "auth" + host := authHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", "nginx.ingress.kubernetes.io/auth-secret": "something", @@ -87,9 +93,9 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 401 when authentication is configured but Authorization header is not configured", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -114,9 +120,9 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -142,9 +148,9 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -170,9 +176,9 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It("should return status code 200 when authentication is configured and Authorization header is sent", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -191,15 +197,15 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.HTTPTestClient(). GET("/"). WithHeader("Host", host). - WithBasicAuth("foo", "bar"). + WithBasicAuth(fooHost, "bar"). Expect(). Status(http.StatusOK) }) ginkgo.It("should return status code 200 when authentication is configured with a map and Authorization header is sent", func() { - host := "auth" + host := authHost - s := f.EnsureSecret(buildMapSecret("foo", "bar", "test", f.Namespace)) + s := f.EnsureSecret(buildMapSecret(fooHost, "bar", "test", f.Namespace)) annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-type": "basic", @@ -219,13 +225,13 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.HTTPTestClient(). GET("/"). WithHeader("Host", host). - WithBasicAuth("foo", "bar"). + WithBasicAuth(fooHost, "bar"). Expect(). Status(http.StatusOK) }) ginkgo.It("should return status code 401 when authentication is configured with invalid content and Authorization header is sent", func() { - host := "auth" + host := authHost s := f.EnsureSecret( &corev1.Secret{ @@ -258,19 +264,27 @@ var _ = framework.DescribeAnnotation("auth-*", func() { f.HTTPTestClient(). GET("/"). WithHeader("Host", host). - WithBasicAuth("foo", "bar"). + WithBasicAuth(fooHost, "bar"). Expect(). Status(http.StatusUnauthorized) }) ginkgo.It(`should set snippet "proxy_set_header My-Custom-Header 42;" when external auth is configured`, func() { - host := "auth" + host := authHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password", "nginx.ingress.kubernetes.io/auth-snippet": ` proxy_set_header My-Custom-Header 42;`, } + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -282,7 +296,16 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It(`should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured`, func() { - host := "auth" + host := authHost + + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-snippet": ` @@ -299,7 +322,7 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It(`should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set`, func() { - host := "auth" + host := authHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password", @@ -320,11 +343,11 @@ var _ = framework.DescribeAnnotation("auth-*", func() { }) ginkgo.It(`should set cache_key when external auth cache is configured`, func() { - host := "auth" + host := authHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password", - "nginx.ingress.kubernetes.io/auth-cache-key": "foo", + "nginx.ingress.kubernetes.io/auth-cache-key": fooHost, "nginx.ingress.kubernetes.io/auth-cache-duration": "200 202 401 30m", } @@ -337,7 +360,6 @@ var _ = framework.DescribeAnnotation("auth-*", func() { func(server string) bool { return cacheRegex.MatchString(server) && strings.Contains(server, `proxy_cache_valid 200 202 401 30m;`) - }) }) @@ -405,7 +427,6 @@ http { f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, "server_name "+host) }) - }) ginkgo.It("user retains cookie by default", func() { @@ -431,7 +452,7 @@ http { }) ginkgo.It("user with annotated ingress retains cookie if upstream returns error status code", func() { - annotations["nginx.ingress.kubernetes.io/auth-always-set-cookie"] = "true" + annotations["nginx.ingress.kubernetes.io/auth-always-set-cookie"] = enableAnnotation f.UpdateIngress(ing1) f.UpdateIngress(ing2) @@ -451,7 +472,7 @@ http { }) ginkgo.Context("when external authentication is configured", func() { - host := "auth" + host := authHost var annotations map[string]string var ing *networking.Ingress @@ -495,7 +516,7 @@ http { annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth" f.UpdateIngress(ing) - anotherHost := "different" + anotherHost := differentHost anotherAnnotations := map[string]string{} anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations) @@ -544,12 +565,12 @@ http { // Sleep a while just to guarantee that the configmap is applied framework.Sleep() - annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path" + annotations["nginx.ingress.kubernetes.io/auth-url"] = authURL f.UpdateIngress(ing) f.WaitForNginxServer("", func(server string) bool { - return strings.Contains(server, "http://foo.bar.baz:5000/path") && + return strings.Contains(server, authURL) && !strings.Contains(server, `upstream auth-external-auth`) }) }) @@ -582,19 +603,19 @@ http { // Sleep a while just to guarantee that the configmap is applied framework.Sleep() - annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path" + annotations["nginx.ingress.kubernetes.io/auth-url"] = authURL annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "-1" f.UpdateIngress(ing) f.WaitForNginxServer("", func(server string) bool { - return strings.Contains(server, "http://foo.bar.baz:5000/path") && + return strings.Contains(server, authURL) && !strings.Contains(server, `upstream auth-external-auth`) }) }) ginkgo.It(`should not create additional upstream block when auth-keepalive is set with HTTP/2`, func() { - annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path" + annotations["nginx.ingress.kubernetes.io/auth-url"] = authURL annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "123" annotations["nginx.ingress.kubernetes.io/auth-keepalive-requests"] = "456" annotations["nginx.ingress.kubernetes.io/auth-keepalive-timeout"] = "789" @@ -602,7 +623,7 @@ http { f.WaitForNginxServer("", func(server string) bool { - return strings.Contains(server, "http://foo.bar.baz:5000/path") && + return strings.Contains(server, authURL) && !strings.Contains(server, `upstream auth-external-auth`) }) }) @@ -628,10 +649,49 @@ http { strings.Contains(server, `keepalive_timeout 789s;`) }) }) + + ginkgo.It(`should disable set_all_vars when auth-keepalive-share-vars is not set`, func() { + f.UpdateNginxConfigMapData("use-http2", "false") + defer func() { + f.UpdateNginxConfigMapData("use-http2", "true") + }() + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "10" + f.UpdateIngress(ing) + + f.WaitForNginxServer("", + func(server string) bool { + return strings.Contains(server, `upstream auth-external-auth`) && + strings.Contains(server, `keepalive 10;`) && + strings.Contains(server, `share_all_vars = false`) + }) + }) + + ginkgo.It(`should enable set_all_vars when auth-keepalive-share-vars is true`, func() { + f.UpdateNginxConfigMapData("use-http2", "false") + defer func() { + f.UpdateNginxConfigMapData("use-http2", "true") + }() + // Sleep a while just to guarantee that the configmap is applied + framework.Sleep() + + annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "10" + annotations["nginx.ingress.kubernetes.io/auth-keepalive-share-vars"] = enableAnnotation + f.UpdateIngress(ing) + + f.WaitForNginxServer("", + func(server string) bool { + return strings.Contains(server, `upstream auth-external-auth`) && + strings.Contains(server, `keepalive 10;`) && + strings.Contains(server, `share_all_vars = true`) + }) + }) }) ginkgo.Context("when external authentication is configured with a custom redirect param", func() { - host := "auth" + host := authHost var annotations map[string]string var ing *networking.Ingress @@ -676,7 +736,7 @@ http { annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth" f.UpdateIngress(ing) - anotherHost := "different" + anotherHost := differentHost anotherAnnotations := map[string]string{} anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations) @@ -696,8 +756,8 @@ http { }) ginkgo.Context("when external authentication with caching is configured", func() { - thisHost := "auth" - thatHost := "different" + thisHost := authHost + thatHost := differentHost fooPath := "/foo" barPath := "/bar" @@ -819,7 +879,7 @@ http { }) ginkgo.Context("with invalid auth-url should deny whole location", func() { - host := "auth" + host := authHost var annotations map[string]string var ing *networking.Ingress @@ -859,7 +919,6 @@ http { // Auth error func buildSecret(username, password, name, namespace string) *corev1.Secret { - //out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() out, err := bcrypt.GenerateFromPassword([]byte(password), 14) encpass := fmt.Sprintf("%v:%s\n", username, out) assert.Nil(ginkgo.GinkgoT(), err) @@ -878,7 +937,6 @@ func buildSecret(username, password, name, namespace string) *corev1.Secret { } func buildMapSecret(username, password, name, namespace string) *corev1.Secret { - //out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() out, err := bcrypt.GenerateFromPassword([]byte(password), 14) assert.Nil(ginkgo.GinkgoT(), err) @@ -889,7 +947,7 @@ func buildMapSecret(username, password, name, namespace string) *corev1.Secret { DeletionGracePeriodSeconds: framework.NewInt64(1), }, Data: map[string][]byte{ - username: []byte(out), + username: out, }, Type: corev1.SecretTypeOpaque, } diff --git a/test/e2e/annotations/authtls.go b/test/e2e/annotations/authtls.go index e96835aa0..c7a05c053 100644 --- a/test/e2e/annotations/authtls.go +++ b/test/e2e/annotations/authtls.go @@ -26,6 +26,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const authTLSFooHost = "authtls.foo.com" + var _ = framework.DescribeAnnotation("auth-tls-*", func() { f := framework.NewDefaultFramework("authtls") @@ -34,7 +36,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should set sslClientCertificate, sslVerifyClient and sslVerifyDepth with auth-tls-secret", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -82,7 +84,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should set valid auth-tls-secret, sslVerify to off, and sslVerifyDepth to 2", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace _, err := framework.CreateIngressMASecret( @@ -112,7 +114,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should 302 redirect to error page instead of 400 when auth-tls-error-page is set", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace errorPath := "/error" @@ -159,7 +161,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should pass URL-encoded certificate to upstream", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -204,7 +206,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should validate auth-tls-verify-client", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -260,11 +262,10 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { WithHeader("Host", host). Expect(). Status(http.StatusOK) - }) ginkgo.It("should return 403 using auth-tls-match-cn with no matching CN from client", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -293,7 +294,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should return 200 using auth-tls-match-cn with matching CN from client", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -322,7 +323,7 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) ginkgo.It("should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client", func() { - host := "authtls.foo.com" + host := authTLSFooHost nameSpace := f.Namespace clientConfig, err := framework.CreateIngressMASecret( @@ -351,7 +352,8 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() { }) }) -func assertSslClientCertificateConfig(f *framework.Framework, host string, verifyClient string, verifyDepth string) { +//nolint:unparam // Ignore the invariant param: host +func assertSslClientCertificateConfig(f *framework.Framework, host, verifyClient, verifyDepth string) { sslClientCertDirective := fmt.Sprintf("ssl_client_certificate /etc/ingress-controller/ssl/%s-%s.pem;", f.Namespace, host) sslVerify := fmt.Sprintf("ssl_verify_client %s;", verifyClient) sslVerifyDepth := fmt.Sprintf("ssl_verify_depth %s;", verifyDepth) diff --git a/test/e2e/annotations/backendprotocol.go b/test/e2e/annotations/backendprotocol.go index 566a6921e..d0a08c767 100644 --- a/test/e2e/annotations/backendprotocol.go +++ b/test/e2e/annotations/backendprotocol.go @@ -24,6 +24,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const backendProtocolHost = "backendprotocol.foo.com" + var _ = framework.DescribeAnnotation("backend-protocol", func() { f := framework.NewDefaultFramework("backendprotocol") @@ -32,7 +34,7 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) ginkgo.It("should set backend protocol to https:// and use proxy_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS", } @@ -47,7 +49,7 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) ginkgo.It("should set backend protocol to $scheme:// and use proxy_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "AUTO_HTTP", } @@ -62,7 +64,7 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) ginkgo.It("should set backend protocol to grpc:// and use grpc_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "GRPC", } @@ -77,7 +79,7 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) ginkgo.It("should set backend protocol to grpcs:// and use grpc_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "GRPCS", } @@ -92,7 +94,7 @@ var _ = framework.DescribeAnnotation("backend-protocol", func() { }) ginkgo.It("should set backend protocol to '' and use fastcgi_pass", func() { - host := "backendprotocol.foo.com" + host := backendProtocolHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", } diff --git a/test/e2e/annotations/canary.go b/test/e2e/annotations/canary.go index 15cbeffa7..ea733dbf4 100644 --- a/test/e2e/annotations/canary.go +++ b/test/e2e/annotations/canary.go @@ -43,7 +43,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("when canary is created", func() { ginkgo.It("should response with a 200 status from the mainline upstream when requests are made to the mainline ingress", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -87,7 +87,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should return 404 status for requests to the canary if no matching ingress is found", func() { - host := "foo" + host := fooHost canaryAnnotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", @@ -118,7 +118,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { TODO: This test needs improvements made to the e2e framework so that deployment updates work in order to successfully run It("should return the correct status codes when endpoints are unavailable", func() { - host := "foo" + host := fooHost annotations := map[string]string{} ing := framework.NewSingleIngress(host, "/info", host, f.Namespace, framework.HTTPBunService, 80, annotations) @@ -172,7 +172,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { */ ginkgo.It("should route requests to the correct upstream if mainline ingress is created before the canary ingress", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -230,7 +230,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should route requests to the correct upstream if mainline ingress is created after the canary ingress", func() { - host := "foo" + host := fooHost canaryAnnotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", @@ -287,7 +287,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should route requests to the correct upstream if the mainline ingress is modified", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -321,7 +321,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { canaryAnnotations)) modAnnotations := map[string]string{ - "foo": "bar", + fooHost: "bar", } f.UpdateIngress(framework.NewSingleIngress( @@ -361,7 +361,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should route requests to the correct upstream if the canary ingress is modified", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -443,7 +443,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("when canaried by header with no value", func() { ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost f.EnsureIngress(framework.NewSingleIngress( host, @@ -511,7 +511,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("when canaried by header with value", func() { ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -592,7 +592,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("when canaried by header with value and pattern", func() { ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -645,7 +645,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { Body().Contains(framework.HTTPBunService).NotContains(canaryService) }) ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -690,7 +690,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { Body().Contains(framework.HTTPBunService).NotContains(canaryService) }) ginkgo.It("should routes to mainline upstream when the given Regex causes error", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -739,7 +739,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("when canaried by header with value and cookie", func() { ginkgo.It("should route requests to the correct upstream", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -788,7 +788,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("when canaried by cookie", func() { ginkgo.It("respects always and never values", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -860,7 +860,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("when canaried by weight", func() { ginkgo.It("should route requests only to mainline if canary weight is 0", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -908,7 +908,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should route requests only to canary if canary weight is 100", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -950,7 +950,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should route requests only to canary if canary weight is equal to canary weight total", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -993,7 +993,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should route requests split between mainline and canary if canary weight is 50", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -1029,7 +1029,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should route requests split between mainline and canary if canary weight is 100 and weight total is 200", func() { - host := "foo" + host := fooHost annotations := map[string]string{} f.EnsureIngress(framework.NewSingleIngress( @@ -1068,7 +1068,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { ginkgo.Context("Single canary Ingress", func() { ginkgo.It("should not use canary as a catch-all server", func() { - host := "foo" + host := fooHost canaryIngName := fmt.Sprintf("%v-canary", host) annotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", @@ -1102,7 +1102,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("should not use canary with domain as a server", func() { - host := "foo" + host := fooHost canaryIngName := fmt.Sprintf("%v-canary", host) annotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", @@ -1136,7 +1136,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.It("does not crash when canary ingress has multiple paths to the same non-matching backend", func() { - host := "foo" + host := fooHost canaryIngName := fmt.Sprintf("%v-canary", host) annotations := map[string]string{ "nginx.ingress.kubernetes.io/canary": "true", @@ -1168,7 +1168,7 @@ var _ = framework.DescribeAnnotation("canary-*", func() { }) ginkgo.Context("canary affinity behavior", func() { - host := "foo" + host := fooHost affinityCookieName := "aff" canaryIngName := fmt.Sprintf("%v-canary", host) @@ -1370,7 +1370,6 @@ var _ = framework.DescribeAnnotation("canary-*", func() { TestMainlineCanaryDistribution(f, host) }) }) - }) // This method assumes canary weight being configured at 50%. @@ -1407,12 +1406,12 @@ func TestMainlineCanaryDistribution(f *framework.Framework, host string) { assert.GreaterOrEqual( ginkgo.GinkgoT(), - int(replicaRequestCount[keys[0].String()]), + replicaRequestCount[keys[0].String()], requestsNumberToTest, ) assert.GreaterOrEqual( ginkgo.GinkgoT(), - int(replicaRequestCount[keys[1].String()]), + replicaRequestCount[keys[1].String()], requestsNumberToTest, ) } diff --git a/test/e2e/annotations/clientbodybuffersize.go b/test/e2e/annotations/clientbodybuffersize.go index 4ea1943bd..15a3530f3 100644 --- a/test/e2e/annotations/clientbodybuffersize.go +++ b/test/e2e/annotations/clientbodybuffersize.go @@ -25,6 +25,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const clientBodyBufferSizeHost = "client-body-buffer-size.com" + var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { f := framework.NewDefaultFramework("clientbodybuffersize") @@ -33,7 +35,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1000", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1000" annotations := make(map[string]string) @@ -55,7 +57,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1K", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1K" annotations := make(map[string]string) @@ -77,7 +79,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1k", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1k" annotations := make(map[string]string) @@ -99,7 +101,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1m", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1m" annotations := make(map[string]string) @@ -121,7 +123,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should set client_body_buffer_size to 1M", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1M" annotations := make(map[string]string) @@ -143,7 +145,7 @@ var _ = framework.DescribeAnnotation("client-body-buffer-size", func() { }) ginkgo.It("should not set client_body_buffer_size to invalid 1b", func() { - host := "client-body-buffer-size.com" + host := clientBodyBufferSizeHost clientBodyBufferSize := "1b" annotations := make(map[string]string) diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go index f53bd8e9e..dd28f5dd4 100644 --- a/test/e2e/annotations/cors.go +++ b/test/e2e/annotations/cors.go @@ -25,6 +25,11 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + originHost = "http://origin.com:8080" + corsHost = "cors.foo.com" +) + var _ = framework.DescribeAnnotation("cors-*", func() { f := framework.NewDefaultFramework("cors") @@ -33,7 +38,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should enable cors", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", } @@ -60,7 +65,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should set cors methods to only allow POST, GET", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-methods": "POST, GET", @@ -76,7 +81,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should set cors max-age", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-max-age": "200", @@ -92,7 +97,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should disable cors allow credentials", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-credentials": "false", @@ -108,7 +113,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow origin for cors", func() { - host := "cors.foo.com" + host := corsHost origin := "https://origin.cors.com:8080" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -135,7 +140,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow headers for cors", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-headers": "DNT, User-Agent", @@ -151,7 +156,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should expose headers for cors", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-expose-headers": "X-CustomResponseHeader, X-CustomSecondHeader", @@ -167,7 +172,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - single origin for multiple cors values", func() { - host := "cors.foo.com" + host := corsHost origin := "https://origin.cors.com:8080" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -194,7 +199,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - single origin for multiple cors values", func() { - host := "cors.foo.com" + host := corsHost origin := "http://no.origin.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -214,7 +219,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow correct origins - single origin for multiple cors values", func() { - host := "cors.foo.com" + host := corsHost badOrigin := "origin.cors.com:8080" origin1 := "https://origin2.cors.com" origin2 := "https://origin.com" @@ -265,7 +270,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not break functionality", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-origin": "*", @@ -289,7 +294,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not break functionality - without `*`", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", } @@ -312,7 +317,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not break functionality with extra domain", func() { - host := "cors.foo.com" + host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-origin": "*, foo.bar.com", @@ -336,7 +341,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not match", func() { - host := "cors.foo.com" + host := corsHost origin := "https://fooxbar.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -356,8 +361,8 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - single origin with required port", func() { - host := "cors.foo.com" - origin := "http://origin.com:8080" + host := corsHost + origin := originHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://origin.com:8080", @@ -384,8 +389,8 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - single origin with port and origin without port", func() { - host := "cors.foo.com" - origin := "http://origin.com:8080" + host := corsHost + origin := originHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin2.cors.com, http://origin.com", @@ -403,7 +408,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - single origin without port and origin with required port", func() { - host := "cors.foo.com" + host := corsHost origin := "http://origin.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -423,7 +428,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - matching origin with wildcard origin (2 subdomains)", func() { - host := "cors.foo.com" + host := corsHost origin := "http://foo.origin.cors.com" origin2 := "http://bar-foo.origin.cors.com" annotations := map[string]string{ @@ -466,7 +471,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - unmatching origin with wildcard origin (2 subdomains)", func() { - host := "cors.foo.com" + host := corsHost origin := "http://bar.foo.origin.cors.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -486,7 +491,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - matching origin+port with wildcard origin", func() { - host := "cors.foo.com" + host := corsHost origin := "http://abc.origin.com:8080" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -513,7 +518,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should not allow - portless origin with wildcard origin", func() { - host := "cors.foo.com" + host := corsHost origin := "http://abc.origin.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -533,8 +538,8 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow correct origins - missing subdomain + origin with wildcard origin and correct origin", func() { - host := "cors.foo.com" - badOrigin := "http://origin.com:8080" + host := corsHost + badOrigin := originHost origin := "http://bar.origin.com:8080" annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -569,7 +574,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() { }) ginkgo.It("should allow - missing origins (should allow all origins)", func() { - host := "cors.foo.com" + host := corsHost origin := "http://origin.com" origin2 := "http://book.origin.com" origin3 := "test.origin.com" diff --git a/test/e2e/annotations/customhttperrors.go b/test/e2e/annotations/customhttperrors.go index 3862f817b..37a3e9695 100644 --- a/test/e2e/annotations/customhttperrors.go +++ b/test/e2e/annotations/customhttperrors.go @@ -27,7 +27,7 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -func errorBlockName(upstreamName string, errorCode string) string { +func errorBlockName(upstreamName, errorCode string) string { return fmt.Sprintf("@custom_%s_%s", upstreamName, errorCode) } diff --git a/test/e2e/annotations/default_backend.go b/test/e2e/annotations/default_backend.go index 53c98a307..72ca303b5 100644 --- a/test/e2e/annotations/default_backend.go +++ b/test/e2e/annotations/default_backend.go @@ -48,18 +48,18 @@ var _ = framework.DescribeAnnotation("default-backend", func() { return strings.Contains(server, fmt.Sprintf("server_name %v", host)) }) - requestId := "something-unique" + requestID := "something-unique" f.HTTPTestClient(). GET("/alma/armud"). WithHeader("Host", host). - WithHeader("x-request-id", requestId). + WithHeader("x-request-id", requestID). Expect(). Status(http.StatusOK). Body().Contains("x-code=503"). Contains(fmt.Sprintf("x-ingress-name=%s", host)). Contains("x-service-name=invalid"). - Contains(fmt.Sprintf("x-request-id=%s", requestId)) + Contains(fmt.Sprintf("x-request-id=%s", requestID)) }) }) }) diff --git a/test/e2e/annotations/fastcgi.go b/test/e2e/annotations/fastcgi.go index 7ed35cb76..bcf1c3487 100644 --- a/test/e2e/annotations/fastcgi.go +++ b/test/e2e/annotations/fastcgi.go @@ -82,7 +82,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() { f.EnsureConfigMap(configuration) - host := "fastcgi-params-configmap" + host := "fastcgi-params-configmap" //#nosec G101 annotations := map[string]string{ "nginx.ingress.kubernetes.io/backend-protocol": "FCGI", diff --git a/test/e2e/annotations/fromtowwwredirect.go b/test/e2e/annotations/fromtowwwredirect.go index 9201bedb7..b69cce93e 100644 --- a/test/e2e/annotations/fromtowwwredirect.go +++ b/test/e2e/annotations/fromtowwwredirect.go @@ -62,6 +62,15 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { }) ginkgo.It("should redirect from www HTTPS to HTTPS", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + ginkgo.By("setting up server for redirect from www") fromHost := fmt.Sprintf("%s.nip.io", f.GetNginxIP()) @@ -90,7 +99,7 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { ginkgo.By("sending request to www should redirect to domain") f.HTTPTestClientWithTLSConfig(&tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing ServerName: toHost, }). GET("/"). @@ -102,7 +111,7 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() { ginkgo.By("sending request to domain should not redirect to www") f.HTTPTestClientWithTLSConfig(&tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing ServerName: fromHost, }). GET("/"). diff --git a/test/e2e/annotations/globalratelimit.go b/test/e2e/annotations/globalratelimit.go index 2efcc3558..96be467fe 100644 --- a/test/e2e/annotations/globalratelimit.go +++ b/test/e2e/annotations/globalratelimit.go @@ -47,7 +47,7 @@ var _ = framework.DescribeAnnotation("annotation-global-rate-limit", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing = f.EnsureIngress(ing) - namespace := strings.Replace(string(ing.UID), "-", "", -1) + namespace := strings.ReplaceAll(string(ing.UID), "-", "") serverConfig := "" f.WaitForNginxServer(host, func(server string) bool { diff --git a/test/e2e/annotations/grpc.go b/test/e2e/annotations/grpc.go index 243307df4..b256b8ae4 100644 --- a/test/e2e/annotations/grpc.go +++ b/test/e2e/annotations/grpc.go @@ -17,12 +17,11 @@ limitations under the License. package annotations import ( + "context" "crypto/tls" "fmt" "strings" - "context" - pb "github.com/moul/pb/grpcbin/go-grpc" "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" @@ -36,6 +35,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const echoHost = "echo" + var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { f := framework.NewDefaultFramework("grpc", framework.WithHTTPBunEnabled()) @@ -67,7 +68,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { ginkgo.It("should return OK for service with backend protocol GRPC", func() { f.NewGRPCBinDeployment() - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -102,14 +103,15 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { return strings.Contains(server, "grpc_pass grpc://upstream_balancer;") }) - conn, _ := grpc.Dial(f.GetNginxIP()+":443", + conn, err := grpc.Dial(f.GetNginxIP()+":443", grpc.WithTransportCredentials( credentials.NewTLS(&tls.Config{ - ServerName: "echo", - InsecureSkipVerify: true, + ServerName: echoHost, + InsecureSkipVerify: true, //nolint:gosec // Ignore certificate validation in testing }), ), ) + assert.Nil(ginkgo.GinkgoT(), err, "error creating a connection") defer conn.Close() client := pb.NewGRPCBinClient(conn) @@ -125,7 +127,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { ginkgo.It("authorization metadata should be overwritten by external auth response headers", func() { f.NewGRPCBinDeployment() - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -162,14 +164,15 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { return strings.Contains(server, "grpc_pass grpc://upstream_balancer;") }) - conn, _ := grpc.Dial(f.GetNginxIP()+":443", + conn, err := grpc.Dial(f.GetNginxIP()+":443", grpc.WithTransportCredentials( credentials.NewTLS(&tls.Config{ - ServerName: "echo", - InsecureSkipVerify: true, + ServerName: echoHost, + InsecureSkipVerify: true, //nolint:gosec // Ignore certificate validation in testing }), ), ) + assert.Nil(ginkgo.GinkgoT(), err) defer conn.Close() client := pb.NewGRPCBinClient(conn) @@ -180,13 +183,22 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { assert.Nil(ginkgo.GinkgoT(), err) metadata := res.GetMetadata() - assert.Equal(ginkgo.GinkgoT(), "foo", metadata["authorization"].Values[0]) + assert.Equal(ginkgo.GinkgoT(), fooHost, metadata["authorization"].Values[0]) }) ginkgo.It("should return OK for service with backend protocol GRPCS", func() { f.NewGRPCBinDeployment() - host := "echo" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -226,14 +238,15 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() { return strings.Contains(server, "grpc_pass grpcs://upstream_balancer;") }) - conn, _ := grpc.Dial(f.GetNginxIP()+":443", + conn, err := grpc.Dial(f.GetNginxIP()+":443", grpc.WithTransportCredentials( credentials.NewTLS(&tls.Config{ - ServerName: "echo", - InsecureSkipVerify: true, + ServerName: echoHost, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing }), ), ) + assert.Nil(ginkgo.GinkgoT(), err) defer conn.Close() client := pb.NewGRPCBinClient(conn) diff --git a/test/e2e/annotations/modsecurity/modsecurity.go b/test/e2e/annotations/modsecurity/modsecurity.go index 62c9bc843..a3e7d80ba 100644 --- a/test/e2e/annotations/modsecurity/modsecurity.go +++ b/test/e2e/annotations/modsecurity/modsecurity.go @@ -25,6 +25,17 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + modSecurityFooHost = "modsecurity.foo.com" + defaultSnippet = `SecRuleEngine On + SecRequestBodyAccess On + SecAuditEngine RelevantOnly + SecAuditLogParts ABIJDEFHZ + SecAuditLog /dev/stdout + SecAuditLogType Serial + SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"` +) + var _ = framework.DescribeAnnotation("modsecurity owasp", func() { f := framework.NewDefaultFramework("modsecuritylocation") @@ -33,7 +44,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -51,7 +62,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with transaction ID and OWASP rules", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -72,7 +83,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should disable modsecurity", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -89,7 +100,16 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -109,10 +129,11 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { ginkgo.It("should enable modsecurity without using 'modsecurity on;'", func() { f.SetNginxConfigMapData(map[string]string{ - "enable-modsecurity": "true"}, + "enable-modsecurity": "true", + }, ) - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -131,10 +152,11 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { ginkgo.It("should disable modsecurity using 'modsecurity off;'", func() { f.SetNginxConfigMapData(map[string]string{ - "enable-modsecurity": "true"}, + "enable-modsecurity": "true", + }, ) - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace annotations := map[string]string{ @@ -151,16 +173,19 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity with snippet and block requests", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := modSecurityFooHost nameSpace := f.Namespace - snippet := `SecRuleEngine On - SecRequestBodyAccess On - SecAuditEngine RelevantOnly - SecAuditLogParts ABIJDEFHZ - SecAuditLog /dev/stdout - SecAuditLogType Serial - SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"` + snippet := defaultSnippet annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-modsecurity": "true", @@ -187,16 +212,19 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity globally and with modsecurity-snippet block requests", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := modSecurityFooHost nameSpace := f.Namespace - snippet := `SecRuleEngine On - SecRequestBodyAccess On - SecAuditEngine RelevantOnly - SecAuditLogParts ABIJDEFHZ - SecAuditLog /dev/stdout - SecAuditLogType Serial - SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"` + snippet := defaultSnippet annotations := map[string]string{ "nginx.ingress.kubernetes.io/modsecurity-snippet": snippet, @@ -223,16 +251,21 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + "enable-modsecurity": "true", + "enable-owasp-modsecurity-crs": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + + host := modSecurityFooHost nameSpace := f.Namespace - snippet := `SecRuleEngine On - SecRequestBodyAccess On - SecAuditEngine RelevantOnly - SecAuditLogParts ABIJDEFHZ - SecAuditLog /dev/stdout - SecAuditLogType Serial - SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"` + snippet := defaultSnippet annotations := map[string]string{ "nginx.ingress.kubernetes.io/modsecurity-snippet": snippet, @@ -243,11 +276,6 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) - f.SetNginxConfigMapData(map[string]string{ - "enable-modsecurity": "true", - "enable-owasp-modsecurity-crs": "true", - }) - f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, "SecRuleEngine On") @@ -262,7 +290,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity through the config map", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace snippet := `SecRequestBodyAccess On @@ -282,12 +310,17 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { f.EnsureIngress(ing) expectedComment := "SecRuleEngine On" - f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", "enable-modsecurity": "true", "enable-owasp-modsecurity-crs": "true", "modsecurity-snippet": expectedComment, }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() f.WaitForNginxServer(host, func(server string) bool { @@ -303,7 +336,7 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should enable modsecurity through the config map but ignore snippet as disabled by admin", func() { - host := "modsecurity.foo.com" + host := modSecurityFooHost nameSpace := f.Namespace snippet := `SecRequestBodyAccess On @@ -345,7 +378,15 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() { }) ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() { - host := "modsecurity.foo.com" + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := modSecurityFooHost nameSpace := f.Namespace snippet := `SecRuleEngine On diff --git a/test/e2e/annotations/proxy.go b/test/e2e/annotations/proxy.go index c0c89eb43..235b828e7 100644 --- a/test/e2e/annotations/proxy.go +++ b/test/e2e/annotations/proxy.go @@ -25,6 +25,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const proxyRedirectToHost = "goodbye.com" + var _ = framework.DescribeAnnotation("proxy-*", func() { f := framework.NewDefaultFramework("proxy") host := "proxy.foo.com" @@ -38,7 +40,7 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-redirect-from"] = proxyRedirectFrom - annotations["nginx.ingress.kubernetes.io/proxy-redirect-to"] = "goodbye.com" + annotations["nginx.ingress.kubernetes.io/proxy-redirect-to"] = proxyRedirectToHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -54,7 +56,7 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-redirect-from"] = proxyRedirectFrom - annotations["nginx.ingress.kubernetes.io/proxy-redirect-to"] = "goodbye.com" + annotations["nginx.ingress.kubernetes.io/proxy-redirect-to"] = proxyRedirectToHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -67,7 +69,7 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { ginkgo.It("should set proxy_redirect to hello.com goodbye.com", func() { proxyRedirectFrom := "hello.com" - proxyRedirectTo := "goodbye.com" + proxyRedirectTo := proxyRedirectToHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-redirect-from"] = proxyRedirectFrom @@ -244,5 +246,4 @@ var _ = framework.DescribeAnnotation("proxy-*", func() { return strings.Contains(server, fmt.Sprintf("proxy_http_version %s;", proxyHTTPVersion)) }) }) - }) diff --git a/test/e2e/annotations/proxyssl.go b/test/e2e/annotations/proxyssl.go index 7f14c3393..989d681c1 100644 --- a/test/e2e/annotations/proxyssl.go +++ b/test/e2e/annotations/proxyssl.go @@ -27,6 +27,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const proxySSLHost = "proxyssl.foo.com" + var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { f := framework.NewDefaultFramework("proxyssl") @@ -35,7 +37,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { }) ginkgo.It("should set valid proxy-ssl-secret", func() { - host := "proxyssl.foo.com" + host := proxySSLHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + host @@ -62,7 +64,7 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { }) ginkgo.It("should set valid proxy-ssl-secret, proxy-ssl-verify to on, proxy-ssl-verify-depth to 2, and proxy-ssl-server-name to on", func() { - host := "proxyssl.foo.com" + host := proxySSLHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + host annotations["nginx.ingress.kubernetes.io/proxy-ssl-verify"] = "on" @@ -90,9 +92,9 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { Expect(). Status(http.StatusOK) }) - + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should set valid proxy-ssl-secret, proxy-ssl-ciphers to HIGH:!AES", func() { - host := "proxyssl.foo.com" + host := proxySSLHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + host annotations["nginx.ingress.kubernetes.io/proxy-ssl-ciphers"] = "HIGH:!AES" @@ -118,9 +120,9 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { Expect(). Status(http.StatusOK) }) - + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should set valid proxy-ssl-secret, proxy-ssl-protocols", func() { - host := "proxyssl.foo.com" + host := proxySSLHost annotations := make(map[string]string) annotations["nginx.ingress.kubernetes.io/proxy-ssl-secret"] = f.Namespace + "/" + host annotations["nginx.ingress.kubernetes.io/proxy-ssl-protocols"] = "TLSv1.2 TLSv1.3" @@ -195,7 +197,6 @@ var _ = framework.DescribeAnnotation("proxy-ssl-*", func() { strings.Contains(server, "proxy_ssl_certificate_key")) }) }) - }) func assertProxySSL(f *framework.Framework, host, sslName, ciphers, protocols, verify string, depth int, proxySSLServerName string) { diff --git a/test/e2e/annotations/rewrite.go b/test/e2e/annotations/rewrite.go index 79738b984..173df29f0 100644 --- a/test/e2e/annotations/rewrite.go +++ b/test/e2e/annotations/rewrite.go @@ -27,6 +27,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const rewriteHost = "rewrite.bar.com" + var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-log", func() { f := framework.NewDefaultFramework("rewrite") @@ -37,7 +39,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo ginkgo.It("should write rewrite logs", func() { ginkgo.By("setting enable-rewrite-log annotation") - host := "rewrite.bar.com" + host := rewriteHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/rewrite-target": "/", "nginx.ingress.kubernetes.io/enable-rewrite-log": "true", @@ -64,7 +66,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo }) ginkgo.It("should use correct longest path match", func() { - host := "rewrite.bar.com" + host := rewriteHost ginkgo.By("creating a regular ingress definition") ing := framework.NewSingleIngress("kube-lego", "/.well-known/acme/challenge", host, f.Namespace, framework.EchoService, 80, nil) @@ -109,10 +111,10 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo }) ginkgo.It("should use ~* location modifier if regex annotation is present", func() { - host := "rewrite.bar.com" + host := rewriteHost ginkgo.By("creating a regular ingress definition") - ing := framework.NewSingleIngress("foo", "/foo", host, f.Namespace, framework.EchoService, 80, nil) + ing := framework.NewSingleIngress(fooHost, "/foo", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) f.WaitForNginxServer(host, @@ -156,10 +158,10 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo }) ginkgo.It("should fail to use longest match for documented warning", func() { - host := "rewrite.bar.com" + host := rewriteHost ginkgo.By("creating a regular ingress definition") - ing := framework.NewSingleIngress("foo", "/foo/bar/bar", host, f.Namespace, framework.EchoService, 80, nil) + ing := framework.NewSingleIngress(fooHost, "/foo/bar/bar", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) ginkgo.By(`creating an ingress definition with the use-regex annotation`) @@ -188,7 +190,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo }) ginkgo.It("should allow for custom rewrite parameters", func() { - host := "rewrite.bar.com" + host := rewriteHost ginkgo.By(`creating an ingress definition with the use-regex annotation`) annotations := map[string]string{ diff --git a/test/e2e/annotations/serversnippet.go b/test/e2e/annotations/serversnippet.go index df1383bdb..1195b728a 100644 --- a/test/e2e/annotations/serversnippet.go +++ b/test/e2e/annotations/serversnippet.go @@ -33,6 +33,15 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`add valid directives to server via server snippet`, func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "serversnippet.foo.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-snippet": ` @@ -59,6 +68,15 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { }) ginkgo.It(`drops server snippet if disabled by the administrator`, func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "noserversnippet.foo.com" annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-snippet": ` @@ -89,6 +107,5 @@ var _ = framework.DescribeAnnotation("server-snippet", func() { Status(http.StatusOK).Headers(). NotContainsKey("Foo"). NotContainsKey("Xpto") - }) }) diff --git a/test/e2e/annotations/serviceupstream.go b/test/e2e/annotations/serviceupstream.go index 94ad6d346..1d80f304a 100644 --- a/test/e2e/annotations/serviceupstream.go +++ b/test/e2e/annotations/serviceupstream.go @@ -25,10 +25,10 @@ import ( "github.com/stretchr/testify/assert" "k8s.io/ingress-nginx/test/e2e/framework" - - "k8s.io/ingress-nginx/internal/nginx" ) +const dbgCmd = "/dbg backends all" + var _ = framework.DescribeAnnotation("service-upstream", func() { f := framework.NewDefaultFramework("serviceupstream") host := "serviceupstream" @@ -59,10 +59,9 @@ var _ = framework.DescribeAnnotation("service-upstream", func() { ginkgo.By("checking if the Service Cluster IP and Port are used") s := f.GetService(f.Namespace, framework.EchoService) - curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) - output, err := f.ExecIngressPod(curlCmd) + output, err := f.ExecIngressPod(dbgCmd) assert.Nil(ginkgo.GinkgoT(), err) - assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`{"address":"%s"`, s.Spec.ClusterIP)) + assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`"address": %q`, s.Spec.ClusterIP)) }) }) @@ -88,10 +87,9 @@ var _ = framework.DescribeAnnotation("service-upstream", func() { ginkgo.By("checking if the Service Cluster IP and Port are used") s := f.GetService(f.Namespace, framework.EchoService) - curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) - output, err := f.ExecIngressPod(curlCmd) + output, err := f.ExecIngressPod(dbgCmd) assert.Nil(ginkgo.GinkgoT(), err) - assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`{"address":"%s"`, s.Spec.ClusterIP)) + assert.Contains(ginkgo.GinkgoT(), output, fmt.Sprintf(`"address": %q`, s.Spec.ClusterIP)) }) }) @@ -119,10 +117,9 @@ var _ = framework.DescribeAnnotation("service-upstream", func() { ginkgo.By("checking if the Service Cluster IP and Port are not used") s := f.GetService(f.Namespace, framework.EchoService) - curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) - output, err := f.ExecIngressPod(curlCmd) + output, err := f.ExecIngressPod(dbgCmd) assert.Nil(ginkgo.GinkgoT(), err) - assert.NotContains(ginkgo.GinkgoT(), output, fmt.Sprintf(`{"address":"%s"`, s.Spec.ClusterIP)) + assert.NotContains(ginkgo.GinkgoT(), output, fmt.Sprintf(`"address": %q`, s.Spec.ClusterIP)) }) }) }) diff --git a/test/e2e/annotations/snippet.go b/test/e2e/annotations/snippet.go index 2bbd3e33a..0c6148a4f 100644 --- a/test/e2e/annotations/snippet.go +++ b/test/e2e/annotations/snippet.go @@ -33,6 +33,16 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { ginkgo.It("set snippet more_set_headers in all locations", func() { host := "configurationsnippet.foo.com" + + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`, } @@ -76,10 +86,6 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() { annotations) f.UpdateNginxConfigMapData("allow-snippet-annotations", "false") - defer func() { - // Return to the original value - f.UpdateNginxConfigMapData("allow-snippet-annotations", "true") - }() // Sleep a while just to guarantee that the configmap is applied framework.Sleep() diff --git a/test/e2e/annotations/streamsnippet.go b/test/e2e/annotations/streamsnippet.go index b5df50975..432537b4a 100644 --- a/test/e2e/annotations/streamsnippet.go +++ b/test/e2e/annotations/streamsnippet.go @@ -39,6 +39,15 @@ var _ = framework.DescribeSetting("stream-snippet", func() { }) ginkgo.It("should add value of stream-snippet to nginx config", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "foo.com" snippet := `server {listen 8000; proxy_pass 127.0.0.1:80;}` diff --git a/test/e2e/annotations/upstreamhashby.go b/test/e2e/annotations/upstreamhashby.go index 023a094aa..1b8106662 100644 --- a/test/e2e/annotations/upstreamhashby.go +++ b/test/e2e/annotations/upstreamhashby.go @@ -39,12 +39,13 @@ func startIngress(f *framework.Framework, annotations map[string]string) map[str return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) }) + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(framework.Poll, framework.DefaultTimeout, func() (bool, error) { - resp := f.HTTPTestClient(). GET("/"). WithHeader("Host", host). Expect().Raw() + defer resp.Body.Close() if resp.StatusCode == http.StatusOK { return true, nil @@ -55,7 +56,9 @@ func startIngress(f *framework.Framework, annotations map[string]string) map[str assert.Nil(ginkgo.GinkgoT(), err) - re, _ := regexp.Compile(fmt.Sprintf(`Hostname: %v.*`, framework.EchoService)) + re, err := regexp.Compile(fmt.Sprintf(`Hostname: %v.*`, framework.EchoService)) + assert.Nil(ginkgo.GinkgoT(), err, "error compiling regex") + podMap := map[string]bool{} for i := 0; i < 100; i++ { diff --git a/test/e2e/dbg/main.go b/test/e2e/dbg/main.go index 2df57469d..6c0a22f69 100644 --- a/test/e2e/dbg/main.go +++ b/test/e2e/dbg/main.go @@ -49,7 +49,7 @@ var _ = framework.IngressNginxDescribe("Debug CLI", func() { assert.Nil(ginkgo.GinkgoT(), err) // Should be 2: the default and the echo deployment - numUpstreams := len(strings.Split(strings.Trim(string(output), "\n"), "\n")) + numUpstreams := len(strings.Split(strings.Trim(output, "\n"), "\n")) assert.Equal(ginkgo.GinkgoT(), numUpstreams, 2) }) @@ -67,7 +67,7 @@ var _ = framework.IngressNginxDescribe("Debug CLI", func() { output, err := f.ExecIngressPod(cmd) assert.Nil(ginkgo.GinkgoT(), err) - backends := strings.Split(string(output), "\n") + backends := strings.Split(output, "\n") assert.Greater(ginkgo.GinkgoT(), len(backends), 0) getCmd := "/dbg backends get " + backends[0] diff --git a/test/e2e/defaultbackend/default_backend.go b/test/e2e/defaultbackend/default_backend.go index e589024b4..936878000 100644 --- a/test/e2e/defaultbackend/default_backend.go +++ b/test/e2e/defaultbackend/default_backend.go @@ -49,15 +49,15 @@ var _ = framework.IngressNginxDescribe("[Default Backend]", func() { {"basic HTTPS POST request without host to path / should return 404", "", framework.HTTPS, "POST", "/", http.StatusNotFound}, {"basic HTTPS POST request without host to path /demo should return 404", "", framework.HTTPS, "POST", "/demo", http.StatusNotFound}, - {"basic HTTP GET request to host foo.bar.com and path / should return 404", " foo.bar.com", framework.HTTP, "GET", "/", http.StatusNotFound}, - {"basic HTTP GET request to host foo.bar.com and path /demo should return 404", " foo.bar.com", framework.HTTP, "GET", "/demo", http.StatusNotFound}, - {"basic HTTPS GET request to host foo.bar.com and path / should return 404", " foo.bar.com", framework.HTTPS, "GET", "/", http.StatusNotFound}, - {"basic HTTPS GET request to host foo.bar.com and path /demo should return 404", " foo.bar.com", framework.HTTPS, "GET", "/demo", http.StatusNotFound}, + {"basic HTTP GET request to host foo.bar.com and path / should return 404", "foo.bar.com", framework.HTTP, "GET", "/", http.StatusNotFound}, + {"basic HTTP GET request to host foo.bar.com and path /demo should return 404", "foo.bar.com", framework.HTTP, "GET", "/demo", http.StatusNotFound}, + {"basic HTTPS GET request to host foo.bar.com and path / should return 404", "foo.bar.com", framework.HTTPS, "GET", "/", http.StatusNotFound}, + {"basic HTTPS GET request to host foo.bar.com and path /demo should return 404", "foo.bar.com", framework.HTTPS, "GET", "/demo", http.StatusNotFound}, - {"basic HTTP POST request to host foo.bar.com and path / should return 404", " foo.bar.com", framework.HTTP, "POST", "/", http.StatusNotFound}, - {"basic HTTP POST request to host foo.bar.com and path /demo should return 404", " foo.bar.com", framework.HTTP, "POST", "/demo", http.StatusNotFound}, - {"basic HTTPS POST request to host foo.bar.com and path / should return 404", " foo.bar.com", framework.HTTPS, "POST", "/", http.StatusNotFound}, - {"basic HTTPS POST request to host foo.bar.com and path /demo should return 404", " foo.bar.com", framework.HTTPS, "POST", "/demo", http.StatusNotFound}, + {"basic HTTP POST request to host foo.bar.com and path / should return 404", "foo.bar.com", framework.HTTP, "POST", "/", http.StatusNotFound}, + {"basic HTTP POST request to host foo.bar.com and path /demo should return 404", "foo.bar.com", framework.HTTP, "POST", "/demo", http.StatusNotFound}, + {"basic HTTPS POST request to host foo.bar.com and path / should return 404", "foo.bar.com", framework.HTTPS, "POST", "/", http.StatusNotFound}, + {"basic HTTPS POST request to host foo.bar.com and path /demo should return 404", "foo.bar.com", framework.HTTPS, "POST", "/demo", http.StatusNotFound}, } framework.Sleep() diff --git a/test/e2e/e2e.go b/test/e2e/e2e.go index 28adf297d..25d714f88 100644 --- a/test/e2e/e2e.go +++ b/test/e2e/e2e.go @@ -48,7 +48,6 @@ import ( _ "k8s.io/ingress-nginx/test/e2e/settings/modsecurity" _ "k8s.io/ingress-nginx/test/e2e/settings/ocsp" _ "k8s.io/ingress-nginx/test/e2e/settings/validations" - _ "k8s.io/ingress-nginx/test/e2e/ssl" _ "k8s.io/ingress-nginx/test/e2e/status" _ "k8s.io/ingress-nginx/test/e2e/tcpudp" diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go index 4a7a48d92..2e556cf6d 100644 --- a/test/e2e/e2e_test.go +++ b/test/e2e/e2e_test.go @@ -26,6 +26,7 @@ func init() { testing.Init() framework.RegisterParseFlags() } + func TestE2E(t *testing.T) { RunE2ETests(t) } diff --git a/test/e2e/endpointslices/longname.go b/test/e2e/endpointslices/longname.go index 0adb66767..b2242daac 100644 --- a/test/e2e/endpointslices/longname.go +++ b/test/e2e/endpointslices/longname.go @@ -36,7 +36,6 @@ var _ = framework.IngressNginxDescribe("[Endpointslices] long service name", fun }) ginkgo.It("should return 200 when service name has max allowed number of characters 63", func() { - annotations := make(map[string]string) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, name, 80, annotations) f.EnsureIngress(ing) diff --git a/test/e2e/endpointslices/topology.go b/test/e2e/endpointslices/topology.go index ff66f2ad1..38c5f8b76 100644 --- a/test/e2e/endpointslices/topology.go +++ b/test/e2e/endpointslices/topology.go @@ -28,7 +28,6 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" - "k8s.io/ingress-nginx/internal/nginx" "k8s.io/ingress-nginx/test/e2e/framework" ) @@ -41,7 +40,6 @@ var _ = framework.IngressNginxDescribeSerial("[TopologyHints] topology aware rou }) ginkgo.It("should return 200 when service has topology hints", func() { - annotations := make(map[string]string) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) @@ -72,8 +70,8 @@ var _ = framework.IngressNginxDescribeSerial("[TopologyHints] topology aware rou } } - curlCmd := fmt.Sprintf("curl --fail --silent http://localhost:%v/configuration/backends", nginx.StatusPort) - status, err := f.ExecIngressPod(curlCmd) + dbgCmd := "/dbg backends all" + status, err := f.ExecIngressPod(dbgCmd) assert.Nil(ginkgo.GinkgoT(), err) var backends []map[string]interface{} err = json.Unmarshal([]byte(status), &backends) @@ -86,7 +84,7 @@ var _ = framework.IngressNginxDescribeSerial("[TopologyHints] topology aware rou } if gotHints { - //we have 2 replics, if there is just one backend it means that we are routing according slices hints to same zone as controller is + // we have 2 replics, if there is just one backend it means that we are routing according slices hints to same zone as controller is assert.Equal(ginkgo.GinkgoT(), 1, gotBackends) } else { // two replicas should have two endpoints without topology hints diff --git a/test/e2e/framework/deployment.go b/test/e2e/framework/deployment.go index bcb1d3960..08a5353b2 100644 --- a/test/e2e/framework/deployment.go +++ b/test/e2e/framework/deployment.go @@ -47,10 +47,10 @@ const NIPService = "external-nip" var HTTPBunImage = os.Getenv("HTTPBUN_IMAGE") // EchoImage is the default image to be used by the echo service -const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a" +const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a" //#nosec G101 // TODO: change all Deployment functions to use these options -// in order to reduce complexity and have a unified API accross the +// in order to reduce complexity and have a unified API across the // framework type deploymentOptions struct { name string @@ -67,11 +67,11 @@ func WithDeploymentNamespace(n string) func(*deploymentOptions) { } } -// WithSvcTopologyAnnotations create svc with topology aware hints sets to auto +// WithSvcTopologyAnnotations create svc with topology mode sets to auto func WithSvcTopologyAnnotations() func(*deploymentOptions) { return func(o *deploymentOptions) { o.svcAnnotations = map[string]string{ - "service.kubernetes.io/topology-aware-hints": "auto", + corev1.AnnotationTopologyMode: "auto", } } } @@ -213,7 +213,7 @@ func (f *Framework) NewHttpbunDeployment(opts ...func(*deploymentOptions)) strin 80, int32(options.replicas), nil, nil, - //Required to get hostname information + // Required to get hostname information []corev1.EnvVar{ { Name: "HTTPBUN_INFO_ENABLED", @@ -317,7 +317,7 @@ func (f *Framework) GetNginxBaseImage() string { // NGINXDeployment creates a new simple NGINX Deployment using NGINX base image // and passing the desired configuration -func (f *Framework) NGINXDeployment(name string, cfg string, waitendpoint bool) { +func (f *Framework) NGINXDeployment(name, cfg string, waitendpoint bool) { cfgMap := map[string]string{ "nginx.conf": cfg, } @@ -389,7 +389,7 @@ func (f *Framework) NGINXDeployment(name string, cfg string, waitendpoint bool) } // NGINXWithConfigDeployment creates an NGINX deployment using a configmap containing the nginx.conf configuration -func (f *Framework) NGINXWithConfigDeployment(name string, cfg string) { +func (f *Framework) NGINXWithConfigDeployment(name, cfg string) { f.NGINXDeployment(name, cfg, true) } @@ -487,7 +487,8 @@ func (f *Framework) NewGRPCBinDeployment() { } func newDeployment(name, namespace, image string, port int32, replicas int32, command []string, args []string, env []corev1.EnvVar, - volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) *appsv1.Deployment { + volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool, +) *appsv1.Deployment { probe := &corev1.Probe{ InitialDelaySeconds: 2, PeriodSeconds: 1, @@ -559,12 +560,12 @@ func newDeployment(name, namespace, image string, port int32, replicas int32, co return d } -func (f *Framework) NewDeployment(name, image string, port int32, replicas int32) { +func (f *Framework) NewDeployment(name, image string, port, replicas int32) { f.NewDeploymentWithOpts(name, image, port, replicas, nil, nil, nil, nil, nil, true) } // NewDeployment creates a new deployment in a particular namespace. -func (f *Framework) NewDeploymentWithOpts(name, image string, port int32, replicas int32, command []string, args []string, env []corev1.EnvVar, volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) { +func (f *Framework) NewDeploymentWithOpts(name, image string, port, replicas int32, command, args []string, env []corev1.EnvVar, volumeMounts []corev1.VolumeMount, volumes []corev1.Volume, setProbe bool) { deployment := newDeployment(name, f.Namespace, image, port, replicas, command, args, env, volumeMounts, volumes, setProbe) f.EnsureDeployment(deployment) @@ -606,7 +607,7 @@ func (f *Framework) DeleteDeployment(name string) error { }) assert.Nil(ginkgo.GinkgoT(), err, "deleting deployment") - return waitForPodsDeleted(f.KubeClientSet, 2*time.Minute, f.Namespace, metav1.ListOptions{ + return waitForPodsDeleted(f.KubeClientSet, 2*time.Minute, f.Namespace, &metav1.ListOptions{ LabelSelector: labelSelectorToString(d.Spec.Selector.MatchLabels), }) } diff --git a/test/e2e/framework/exec.go b/test/e2e/framework/exec.go index 07bf09be8..9e4b55122 100644 --- a/test/e2e/framework/exec.go +++ b/test/e2e/framework/exec.go @@ -66,6 +66,7 @@ func (f *Framework) ExecCommand(pod *corev1.Pod, command string) (string, error) execErr bytes.Buffer ) + //nolint:gosec // Ignore G204 error cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%v exec --namespace %s %s --container controller -- %s", KubectlPath, pod.Namespace, pod.Name, command)) cmd.Stdout = &execOut cmd.Stderr = &execErr @@ -73,7 +74,6 @@ func (f *Framework) ExecCommand(pod *corev1.Pod, command string) (string, error) err := cmd.Run() if err != nil { return "", fmt.Errorf("could not execute '%s %s': %v", cmd.Path, cmd.Args, err) - } if execErr.Len() > 0 { @@ -91,6 +91,7 @@ func (f *Framework) NamespaceContent() (string, error) { execErr bytes.Buffer ) + //nolint:gosec // Ignore G204 error cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%v get pods,services,endpoints,deployments --namespace %s", KubectlPath, f.Namespace)) cmd.Stdout = &execOut cmd.Stderr = &execErr @@ -98,7 +99,6 @@ func (f *Framework) NamespaceContent() (string, error) { err := cmd.Run() if err != nil { return "", fmt.Errorf("could not execute '%s %s': %v", cmd.Path, cmd.Args, err) - } eout := strings.TrimSpace(execErr.String()) @@ -110,7 +110,7 @@ func (f *Framework) NamespaceContent() (string, error) { } // newIngressController deploys a new NGINX Ingress controller in a namespace -func (f *Framework) newIngressController(namespace string, namespaceOverlay string) error { +func (f *Framework) newIngressController(namespace, namespaceOverlay string) error { // Creates an nginx deployment isChroot, ok := os.LookupEnv("IS_CHROOT") if !ok { @@ -130,12 +130,11 @@ func (f *Framework) newIngressController(namespace string, namespaceOverlay stri return nil } -var ( - proxyRegexp = regexp.MustCompile("Starting to serve on .*:([0-9]+)") -) +var proxyRegexp = regexp.MustCompile(`Starting to serve on .*:(\d+)`) // KubectlProxy creates a proxy to kubernetes apiserver func (f *Framework) KubectlProxy(port int) (int, *exec.Cmd, error) { + //nolint:gosec // Ignore G204 error cmd := exec.Command("/bin/bash", "-c", fmt.Sprintf("%s proxy --accept-hosts=.* --address=0.0.0.0 --port=%d", KubectlPath, port)) stdout, stderr, err := startCmdAndStreamOutput(cmd) if err != nil { @@ -163,6 +162,7 @@ func (f *Framework) KubectlProxy(port int) (int, *exec.Cmd, error) { } func (f *Framework) UninstallChart() error { + //nolint:gosec //Ignore G204 error cmd := exec.Command("helm", "uninstall", "--namespace", f.Namespace, "nginx-ingress") _, err := cmd.CombinedOutput() if err != nil { diff --git a/test/e2e/framework/fastcgi_helloserver.go b/test/e2e/framework/fastcgi_helloserver.go index 719048c06..73f9ef340 100644 --- a/test/e2e/framework/fastcgi_helloserver.go +++ b/test/e2e/framework/fastcgi_helloserver.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package framework import ( @@ -75,7 +76,7 @@ func (f *Framework) NewNewFastCGIHelloServerDeploymentWithReplicas(replicas int3 d := f.EnsureDeployment(deployment) - err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, metav1.ListOptions{ + err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, &metav1.ListOptions{ LabelSelector: fields.SelectorFromSet(fields.Set(d.Spec.Template.ObjectMeta.Labels)).String(), }) assert.Nil(ginkgo.GinkgoT(), err, "failed to wait for to become ready") diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go index 69f6dae78..b62ad691c 100644 --- a/test/e2e/framework/framework.go +++ b/test/e2e/framework/framework.go @@ -49,10 +49,8 @@ const ( HTTPS RequestScheme = "https" ) -var ( - // KubectlPath defines the full path of the kubectl binary - KubectlPath = "/usr/local/bin/kubectl" -) +// KubectlPath defines the full path of the kubectl binary +var KubectlPath = "/usr/local/bin/kubectl" // Framework supports common operations used by e2e tests; it will keep a client & a namespace for you. type Framework struct { @@ -131,7 +129,6 @@ func (f *Framework) CreateEnvironment() { f.KubeClientSet, err = kubernetes.NewForConfig(f.KubeConfig) assert.Nil(ginkgo.GinkgoT(), err, "creating a kubernetes client") - } f.Namespace, err = CreateKubeNamespace(f.BaseName, f.KubeClientSet) @@ -250,9 +247,9 @@ func (f *Framework) GetNginxPodIP() string { } // GetURL returns the URL should be used to make a request to NGINX -func (f *Framework) GetURL(scheme RequestScheme) string { +func (f *Framework) GetURL(requestScheme RequestScheme) string { ip := f.GetNginxIP() - return fmt.Sprintf("%v://%v", scheme, ip) + return fmt.Sprintf("%v://%v", requestScheme, ip) } // GetIngressNGINXPod returns the ingress controller running pod @@ -270,6 +267,7 @@ func (f *Framework) updateIngressNGINXPod() error { // WaitForNginxServer waits until the nginx configuration contains a particular server section. // `cfg` passed to matcher is normalized by replacing all tabs and spaces with single space. func (f *Framework) WaitForNginxServer(name string, matcher func(cfg string) bool) { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(Poll, DefaultTimeout, f.matchNginxConditions(name, matcher)) assert.Nil(ginkgo.GinkgoT(), err, "waiting for nginx server condition/s") Sleep(1 * time.Second) @@ -278,13 +276,15 @@ func (f *Framework) WaitForNginxServer(name string, matcher func(cfg string) boo // WaitForNginxConfiguration waits until the nginx configuration contains a particular configuration // `cfg` passed to matcher is normalized by replacing all tabs and spaces with single space. func (f *Framework) WaitForNginxConfiguration(matcher func(cfg string) bool) { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(Poll, DefaultTimeout, f.matchNginxConditions("", matcher)) assert.Nil(ginkgo.GinkgoT(), err, "waiting for nginx server condition/s") Sleep(1 * time.Second) } // WaitForNginxCustomConfiguration waits until the nginx configuration given part (from, to) contains a particular configuration -func (f *Framework) WaitForNginxCustomConfiguration(from string, to string, matcher func(cfg string) bool) { +func (f *Framework) WaitForNginxCustomConfiguration(from, to string, matcher func(cfg string) bool) { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(Poll, DefaultTimeout, f.matchNginxCustomConditions(from, to, matcher)) assert.Nil(ginkgo.GinkgoT(), err, "waiting for nginx server condition/s") } @@ -325,7 +325,7 @@ func (f *Framework) matchNginxConditions(name string, matcher func(cfg string) b } } -func (f *Framework) matchNginxCustomConditions(from string, to string, matcher func(cfg string) bool) wait.ConditionFunc { +func (f *Framework) matchNginxCustomConditions(from, to string, matcher func(cfg string) bool) wait.ConditionFunc { return func() (bool, error) { cmd := fmt.Sprintf("cat /etc/nginx/nginx.conf| awk '/%v/,/%v/'", from, to) @@ -395,7 +395,7 @@ func (f *Framework) CreateConfigMap(name string, data map[string]string) { } // UpdateNginxConfigMapData updates single field in ingress-nginx's nginx-ingress-controller map data -func (f *Framework) UpdateNginxConfigMapData(key string, value string) { +func (f *Framework) UpdateNginxConfigMapData(key, value string) { config, err := f.getConfigMap("nginx-ingress-controller") assert.Nil(ginkgo.GinkgoT(), err) assert.NotNil(ginkgo.GinkgoT(), config, "expected a configmap but none returned") @@ -421,6 +421,7 @@ func (f *Framework) WaitForReload(fn func()) { fn() count := 0 + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(1*time.Second, DefaultTimeout, func() (bool, error) { reloads := getReloadCount(f.pod, f.Namespace, f.KubeClientSet) // most of the cases reload the ingress controller @@ -441,8 +442,8 @@ func getReloadCount(pod *v1.Pod, namespace string, client kubernetes.Interface) assert.Nil(ginkgo.GinkgoT(), err, "obtaining NGINX Pod") reloadCount := 0 - for _, e := range events.Items { - if e.Reason == "RELOAD" && e.Type == v1.EventTypeNormal { + for i := range events.Items { + if events.Items[i].Reason == "RELOAD" && events.Items[i].Type == v1.EventTypeNormal { reloadCount++ } } @@ -457,7 +458,7 @@ func (f *Framework) DeleteNGINXPod(grace int64) { err := f.KubeClientSet.CoreV1().Pods(ns).Delete(context.TODO(), f.pod.GetName(), *metav1.NewDeleteOptions(grace)) assert.Nil(ginkgo.GinkgoT(), err, "deleting ingress nginx pod") - + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err = wait.Poll(Poll, DefaultTimeout, func() (bool, error) { err := f.updateIngressNGINXPod() if err != nil || f.pod == nil { @@ -487,7 +488,7 @@ func (f *Framework) HTTPTestClientWithTLSConfig(config *tls.Config) *httpexpect. func (f *Framework) newHTTPTestClient(config *tls.Config, setIngressURL bool) *httpexpect.HTTPRequest { if config == nil { config = &tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing } } var baseURL string @@ -507,12 +508,13 @@ func (f *Framework) newHTTPTestClient(config *tls.Config, setIngressURL bool) *h // WaitForNginxListening waits until NGINX starts accepting connections on a port func (f *Framework) WaitForNginxListening(port int) { - err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, 1, f.Namespace, metav1.ListOptions{ + err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, 1, f.Namespace, &metav1.ListOptions{ LabelSelector: "app.kubernetes.io/name=ingress-nginx", }) assert.Nil(ginkgo.GinkgoT(), err, "waiting for ingress pods to be ready") podIP := f.GetNginxIP() + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err = wait.Poll(500*time.Millisecond, DefaultTimeout, func() (bool, error) { hostPort := net.JoinHostPort(podIP, fmt.Sprintf("%v", port)) conn, err := net.Dial("tcp", hostPort) @@ -529,7 +531,7 @@ func (f *Framework) WaitForNginxListening(port int) { // WaitForPod waits for a specific Pod to be ready, using a label selector func (f *Framework) WaitForPod(selector string, timeout time.Duration, shouldFail bool) { - err := waitForPodsReady(f.KubeClientSet, timeout, 1, f.Namespace, metav1.ListOptions{ + err := waitForPodsReady(f.KubeClientSet, timeout, 1, f.Namespace, &metav1.ListOptions{ LabelSelector: selector, }) @@ -541,7 +543,7 @@ func (f *Framework) WaitForPod(selector string, timeout time.Duration, shouldFai } // UpdateDeployment runs the given updateFunc on the deployment and waits for it to be updated -func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace string, name string, replicas int, updateFunc func(d *appsv1.Deployment) error) error { +func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace, name string, replicas int, updateFunc func(d *appsv1.Deployment) error) error { deployment, err := kubeClientSet.AppsV1().Deployments(namespace).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return err @@ -571,7 +573,7 @@ func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace string, name } } - err = waitForPodsReady(kubeClientSet, DefaultTimeout, replicas, namespace, metav1.ListOptions{ + err = waitForPodsReady(kubeClientSet, DefaultTimeout, replicas, namespace, &metav1.ListOptions{ LabelSelector: fields.SelectorFromSet(fields.Set(deployment.Spec.Template.ObjectMeta.Labels)).String(), }) if err != nil { @@ -582,6 +584,7 @@ func UpdateDeployment(kubeClientSet kubernetes.Interface, namespace string, name } func waitForDeploymentRollout(kubeClientSet kubernetes.Interface, resource *appsv1.Deployment) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, 5*time.Minute, func() (bool, error) { d, err := kubeClientSet.AppsV1().Deployments(resource.Namespace).Get(context.TODO(), resource.Name, metav1.GetOptions{}) if apierrors.IsNotFound(err) { @@ -605,7 +608,7 @@ func waitForDeploymentRollout(kubeClientSet kubernetes.Interface, resource *apps } // UpdateIngress runs the given updateFunc on the ingress -func UpdateIngress(kubeClientSet kubernetes.Interface, namespace string, name string, updateFunc func(d *networking.Ingress) error) error { +func UpdateIngress(kubeClientSet kubernetes.Interface, namespace, name string, updateFunc func(d *networking.Ingress) error) error { ingress, err := kubeClientSet.NetworkingV1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{}) if err != nil { return err diff --git a/test/e2e/framework/grpc_fortune_teller.go b/test/e2e/framework/grpc_fortune_teller.go index 02ff3aae2..a7be46327 100644 --- a/test/e2e/framework/grpc_fortune_teller.go +++ b/test/e2e/framework/grpc_fortune_teller.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package framework import ( @@ -75,7 +76,7 @@ func (f *Framework) NewNewGRPCFortuneTellerDeploymentWithReplicas(replicas int32 d := f.EnsureDeployment(deployment) - err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, metav1.ListOptions{ + err := waitForPodsReady(f.KubeClientSet, DefaultTimeout, int(replicas), f.Namespace, &metav1.ListOptions{ LabelSelector: fields.SelectorFromSet(fields.Set(d.Spec.Template.ObjectMeta.Labels)).String(), }) assert.Nil(ginkgo.GinkgoT(), err, "failed to wait for to become ready") diff --git a/test/e2e/framework/healthz.go b/test/e2e/framework/healthz.go index b52c3ffde..3ee297b27 100644 --- a/test/e2e/framework/healthz.go +++ b/test/e2e/framework/healthz.go @@ -26,7 +26,7 @@ func (f *Framework) VerifyHealthz(ip string, statusCode int) error { url := fmt.Sprintf("http://%v:10254/healthz", ip) client := &http.Client{} - req, err := http.NewRequest(http.MethodGet, url, nil) + req, err := http.NewRequest(http.MethodGet, url, http.NoBody) if err != nil { return fmt.Errorf("creating GET request for URL %q failed: %v", url, err) } diff --git a/test/e2e/framework/httpexpect/match.go b/test/e2e/framework/httpexpect/match.go index b031510c4..aad10b02e 100644 --- a/test/e2e/framework/httpexpect/match.go +++ b/test/e2e/framework/httpexpect/match.go @@ -23,7 +23,7 @@ type Match struct { names map[string]int } -func makeMatch(chain chain, submatches []string, names []string) *Match { +func makeMatch(chain chain, submatches, names []string) *Match { if submatches == nil { submatches = []string{} } diff --git a/test/e2e/framework/httpexpect/object.go b/test/e2e/framework/httpexpect/object.go index f7c27faaf..49dcf5659 100644 --- a/test/e2e/framework/httpexpect/object.go +++ b/test/e2e/framework/httpexpect/object.go @@ -23,6 +23,8 @@ import ( "github.com/yudai/gojsondiff/formatter" ) +const unavailableMsg = " (unavailable)" + // Object provides methods to inspect attached map[string]interface{} object // (Go representation of JSON object). type Object struct { @@ -81,20 +83,21 @@ func diffValues(expected, actual interface{}) string { var diff gojsondiff.Diff - if ve, ok := expected.(map[string]interface{}); ok { + switch ve := expected.(type) { + case map[string]interface{}: if va, ok := actual.(map[string]interface{}); ok { diff = differ.CompareObjects(ve, va) } else { - return " (unavailable)" + return unavailableMsg } - } else if ve, ok := expected.([]interface{}); ok { + case []interface{}: if va, ok := actual.([]interface{}); ok { diff = differ.CompareArrays(ve, va) } else { - return " (unavailable)" + return unavailableMsg } - } else { - return " (unavailable)" + default: + return unavailableMsg } config := formatter.AsciiFormatterConfig{ @@ -104,7 +107,7 @@ func diffValues(expected, actual interface{}) string { str, err := f.Format(diff) if err != nil { - return " (unavailable)" + return unavailableMsg } return "--- expected\n+++ actual\n" + str diff --git a/test/e2e/framework/httpexpect/request.go b/test/e2e/framework/httpexpect/request.go index d8edb42ce..0ae85dd79 100644 --- a/test/e2e/framework/httpexpect/request.go +++ b/test/e2e/framework/httpexpect/request.go @@ -65,7 +65,7 @@ func (h *HTTPRequest) DoRequest(method, rpath string) *HTTPRequest { var request *http.Request uri.Path = path.Join(uri.Path, rpath) - if request, err = http.NewRequest(method, uri.String(), nil); err != nil { + if request, err = http.NewRequest(method, uri.String(), http.NoBody); err != nil { h.chain.fail(err.Error()) } @@ -110,6 +110,7 @@ func (h *HTTPRequest) Expect() *HTTPResponse { if err != nil { h.chain.fail(err.Error()) } + defer response.Body.Close() h.HTTPResponse.Response = response // set the HTTP response diff --git a/test/e2e/framework/k8s.go b/test/e2e/framework/k8s.go index fc3e59b08..7c067421d 100644 --- a/test/e2e/framework/k8s.go +++ b/test/e2e/framework/k8s.go @@ -47,7 +47,7 @@ func (f *Framework) EnsureSecret(secret *core.Secret) *core.Secret { } // GetConfigMap gets a ConfigMap object from the given namespace, name and returns it, throws error if it does not exist. -func (f *Framework) GetConfigMap(namespace string, name string) *core.ConfigMap { +func (f *Framework) GetConfigMap(namespace, name string) *core.ConfigMap { cm, err := f.KubeClientSet.CoreV1().ConfigMaps(namespace).Get(context.TODO(), name, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "getting configmap") assert.NotNil(ginkgo.GinkgoT(), cm, "expected a configmap but none returned") @@ -73,7 +73,7 @@ func (f *Framework) EnsureConfigMap(configMap *core.ConfigMap) *core.ConfigMap { } // GetIngress gets an Ingress object from the given namespace, name and returns it, throws error if it does not exists. -func (f *Framework) GetIngress(namespace string, name string) *networking.Ingress { +func (f *Framework) GetIngress(namespace, name string) *networking.Ingress { ing, err := f.KubeClientSet.NetworkingV1().Ingresses(namespace).Get(context.TODO(), name, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "getting ingress") assert.NotNil(ginkgo.GinkgoT(), ing, "expected an ingress but none returned") @@ -114,7 +114,7 @@ func (f *Framework) UpdateIngress(ingress *networking.Ingress) *networking.Ingre } // GetService gets a Service object from the given namespace, name and returns it, throws error if it does not exist. -func (f *Framework) GetService(namespace string, name string) *core.Service { +func (f *Framework) GetService(namespace, name string) *core.Service { s, err := f.KubeClientSet.CoreV1().Services(namespace).Get(context.TODO(), name, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "getting service") assert.NotNil(ginkgo.GinkgoT(), s, "expected a service but none returned") @@ -143,16 +143,21 @@ func (f *Framework) EnsureDeployment(deployment *appsv1.Deployment) *appsv1.Depl } // waitForPodsReady waits for a given amount of time until a group of Pods is running in the given namespace. -func waitForPodsReady(kubeClientSet kubernetes.Interface, timeout time.Duration, expectedReplicas int, namespace string, opts metav1.ListOptions) error { +func waitForPodsReady(kubeClientSet kubernetes.Interface, timeout time.Duration, expectedReplicas int, namespace string, opts *metav1.ListOptions) error { + //nolint:staticcheck // TODO: will replace it since wait.PollImmediate is deprecated return wait.PollImmediate(1*time.Second, timeout, func() (bool, error) { - pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), opts) + pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), *opts) if err != nil { return false, nil } r := 0 - for _, p := range pl.Items { - if isRunning, _ := podRunningReady(&p); isRunning { + for i := range pl.Items { + isRunning, err := podRunningReady(&pl.Items[i]) + if err != nil { + Logf("error checking if pod is running : %v", err) + } + if isRunning { r++ } } @@ -166,9 +171,10 @@ func waitForPodsReady(kubeClientSet kubernetes.Interface, timeout time.Duration, } // waitForPodsDeleted waits for a given amount of time until a group of Pods are deleted in the given namespace. -func waitForPodsDeleted(kubeClientSet kubernetes.Interface, timeout time.Duration, namespace string, opts metav1.ListOptions) error { +func waitForPodsDeleted(kubeClientSet kubernetes.Interface, timeout time.Duration, namespace string, opts *metav1.ListOptions) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, timeout, func() (bool, error) { - pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), opts) + pl, err := kubeClientSet.CoreV1().Pods(namespace).List(context.TODO(), *opts) if err != nil { return false, nil } @@ -186,7 +192,7 @@ func WaitForEndpoints(kubeClientSet kubernetes.Interface, timeout time.Duration, if expectedEndpoints == 0 { return nil } - + //nolint:staticcheck // TODO: will replace it since wait.PollImmediate is deprecated return wait.PollImmediate(Poll, timeout, func() (bool, error) { endpoint, err := kubeClientSet.CoreV1().Endpoints(ns).Get(context.TODO(), name, metav1.GetOptions{}) if k8sErrors.IsNotFound(err) { @@ -248,6 +254,7 @@ func isPodReady(p *core.Pod) bool { // getIngressNGINXPod returns the ingress controller running pod func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Pod, error) { var pod *core.Pod + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(1*time.Second, DefaultTimeout, func() (bool, error) { l, err := kubeClientSet.CoreV1().Pods(ns).List(context.TODO(), metav1.ListOptions{ LabelSelector: "app.kubernetes.io/name=ingress-nginx", @@ -256,15 +263,16 @@ func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Po return false, nil } - for _, p := range l.Items { + for i := range l.Items { + p := &l.Items[i] if strings.HasPrefix(p.GetName(), "nginx-ingress-controller") { - isRunning, err := podRunningReady(&p) + isRunning, err := podRunningReady(p) if err != nil { continue } if isRunning { - pod = &p + pod = p return true, nil } } @@ -273,6 +281,7 @@ func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Po return false, nil }) if err != nil { + //nolint:staticcheck // TODO: will replace it since wait.ErrWaitTimeout is deprecated if err == wait.ErrWaitTimeout { return nil, fmt.Errorf("timeout waiting at least one ingress-nginx pod running in namespace %v", ns) } @@ -285,7 +294,7 @@ func getIngressNGINXPod(ns string, kubeClientSet kubernetes.Interface) (*core.Po func createDeploymentWithRetries(c kubernetes.Interface, namespace string, obj *appsv1.Deployment) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } createFunc := func() (bool, error) { _, err := c.AppsV1().Deployments(namespace).Create(context.TODO(), obj, metav1.CreateOptions{}) @@ -298,7 +307,7 @@ func createDeploymentWithRetries(c kubernetes.Interface, namespace string, obj * if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to create object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to create object with non-retriable error: %v", err) } return retryWithExponentialBackOff(createFunc) @@ -306,7 +315,7 @@ func createDeploymentWithRetries(c kubernetes.Interface, namespace string, obj * func createSecretWithRetries(c kubernetes.Interface, namespace string, obj *core.Secret) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } createFunc := func() (bool, error) { _, err := c.CoreV1().Secrets(namespace).Create(context.TODO(), obj, metav1.CreateOptions{}) @@ -319,14 +328,14 @@ func createSecretWithRetries(c kubernetes.Interface, namespace string, obj *core if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to create object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to create object with non-retriable error: %v", err) } return retryWithExponentialBackOff(createFunc) } func createServiceWithRetries(c kubernetes.Interface, namespace string, obj *core.Service) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } createFunc := func() (bool, error) { _, err := c.CoreV1().Services(namespace).Create(context.TODO(), obj, metav1.CreateOptions{}) @@ -339,7 +348,7 @@ func createServiceWithRetries(c kubernetes.Interface, namespace string, obj *cor if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to create object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to create object with non-retriable error: %v", err) } return retryWithExponentialBackOff(createFunc) @@ -347,7 +356,7 @@ func createServiceWithRetries(c kubernetes.Interface, namespace string, obj *cor func createIngressWithRetries(c kubernetes.Interface, namespace string, obj *networking.Ingress) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } createFunc := func() (bool, error) { _, err := c.NetworkingV1().Ingresses(namespace).Create(context.TODO(), obj, metav1.CreateOptions{}) @@ -360,7 +369,7 @@ func createIngressWithRetries(c kubernetes.Interface, namespace string, obj *net if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to create object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to create object with non-retriable error: %v", err) } return retryWithExponentialBackOff(createFunc) @@ -368,7 +377,7 @@ func createIngressWithRetries(c kubernetes.Interface, namespace string, obj *net func updateIngressWithRetries(c kubernetes.Interface, namespace string, obj *networking.Ingress) error { if obj == nil { - return fmt.Errorf("Object provided to create is empty") + return fmt.Errorf("object provided to create is empty") } updateFunc := func() (bool, error) { _, err := c.NetworkingV1().Ingresses(namespace).Update(context.TODO(), obj, metav1.UpdateOptions{}) @@ -378,7 +387,7 @@ func updateIngressWithRetries(c kubernetes.Interface, namespace string, obj *net if isRetryableAPIError(err) { return false, nil } - return false, fmt.Errorf("Failed to update object with non-retriable error: %v", err) + return false, fmt.Errorf("failed to update object with non-retriable error: %v", err) } return retryWithExponentialBackOff(updateFunc) diff --git a/test/e2e/framework/metrics.go b/test/e2e/framework/metrics.go index 830237540..774f1bd7e 100644 --- a/test/e2e/framework/metrics.go +++ b/test/e2e/framework/metrics.go @@ -29,7 +29,7 @@ func (f *Framework) GetMetric(metricName, ip string) (*dto.MetricFamily, error) url := fmt.Sprintf("http://%v:10254/metrics", ip) client := &http.Client{} - req, err := http.NewRequest(http.MethodGet, url, nil) + req, err := http.NewRequest(http.MethodGet, url, http.NoBody) if err != nil { return nil, fmt.Errorf("creating GET request for URL %q failed: %v", url, err) } @@ -44,7 +44,6 @@ func (f *Framework) GetMetric(metricName, ip string) (*dto.MetricFamily, error) var parser expfmt.TextParser metrics, err := parser.TextToMetricFamilies(resp.Body) - if err != nil { return nil, fmt.Errorf("reading text format failed: %v", err) } diff --git a/test/e2e/framework/ssl.go b/test/e2e/framework/ssl.go index 52ceffc57..d6252fe47 100644 --- a/test/e2e/framework/ssl.go +++ b/test/e2e/framework/ssl.go @@ -93,8 +93,8 @@ func CreateIngressTLSSecret(client kubernetes.Interface, hosts []string, secretN // CreateIngressMASecret creates or updates a Secret containing a Mutual Auth // certificate-chain for the given Ingress and returns a TLS configuration suitable // for HTTP clients to use against that particular Ingress. -func CreateIngressMASecret(client kubernetes.Interface, host string, secretName, namespace string) (*tls.Config, error) { - if len(host) == 0 { +func CreateIngressMASecret(client kubernetes.Interface, host, secretName, namespace string) (*tls.Config, error) { + if host == "" { return nil, fmt.Errorf("requires a non-empty host") } @@ -138,12 +138,13 @@ func CreateIngressMASecret(client kubernetes.Interface, host string, secretName, return &tls.Config{ ServerName: host, Certificates: []tls.Certificate{clientPair}, - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing }, nil } // WaitForTLS waits until the TLS handshake with a given server completes successfully. func WaitForTLS(url string, tlsConfig *tls.Config) { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err := wait.Poll(Poll, DefaultTimeout, matchTLSServerName(url, tlsConfig)) assert.Nil(ginkgo.GinkgoT(), err, "waiting for TLS configuration in URL %s", url) } @@ -160,7 +161,6 @@ func generateRSACert(host string, isCA bool, keyOut, certOut io.Writer) error { serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) - if err != nil { return fmt.Errorf("failed to generate serial number: %s", err) } @@ -329,7 +329,7 @@ func tlsConfig(serverName string, pemCA []byte) (*tls.Config, error) { if !rootCAPool.AppendCertsFromPEM(pemCA) { return nil, fmt.Errorf("error creating CA certificate pool (%s)", serverName) } - return &tls.Config{ + return &tls.Config{ //nolint:gosec // Ignore the gosec error in testing ServerName: serverName, RootCAs: rootCAPool, }, nil diff --git a/test/e2e/framework/test_context.go b/test/e2e/framework/test_context.go index be4cd6e5e..961357885 100644 --- a/test/e2e/framework/test_context.go +++ b/test/e2e/framework/test_context.go @@ -23,7 +23,7 @@ import ( // TestContextType describes the client context to use in communications with the Kubernetes API. type TestContextType struct { KubeHost string - //KubeConfig string + // KubeConfig string KubeContext string } @@ -33,7 +33,6 @@ var TestContext TestContextType // registerCommonFlags registers flags common to all e2e test suites. func registerCommonFlags() { flag.StringVar(&TestContext.KubeHost, "kubernetes-host", "http://127.0.0.1:8080", "The kubernetes host, or apiserver, to connect to") - //flag.StringVar(&TestContext.KubeConfig, "kubernetes-config", os.Getenv(clientcmd.RecommendedConfigPathEnvVar), "Path to config containing embedded authinfo for kubernetes. Default value is from environment variable "+clientcmd.RecommendedConfigPathEnvVar) flag.StringVar(&TestContext.KubeContext, "kubernetes-context", "", "config context to use for kubernetes. If unset, will use value from 'current-context'") } diff --git a/test/e2e/framework/util.go b/test/e2e/framework/util.go index 90f15eb1b..abdb168e1 100644 --- a/test/e2e/framework/util.go +++ b/test/e2e/framework/util.go @@ -49,24 +49,24 @@ func nowStamp() string { return time.Now().Format(time.StampMilli) } -func log(level string, format string, args ...interface{}) { +func logf(level, format string, args ...interface{}) { fmt.Fprintf(ginkgo.GinkgoWriter, nowStamp()+": "+level+": "+format+"\n", args...) } // Logf logs to the INFO logs. func Logf(format string, args ...interface{}) { - log("INFO", format, args...) + logf("INFO", format, args...) } // Failf logs to the INFO logs and fails the test. func Failf(format string, args ...interface{}) { msg := fmt.Sprintf(format, args...) - log("INFO", msg) + logf("INFO", msg) ginkgo.Fail(nowStamp()+": "+msg, 1) } // RestclientConfig deserializes the contents of a kubeconfig file into a Config object. -func RestclientConfig(config, context string) (*api.Config, error) { +func RestclientConfig(config, newContext string) (*api.Config, error) { Logf(">>> config: %s\n", config) if config == "" { return nil, fmt.Errorf("config file must be specified to load client config") @@ -75,9 +75,9 @@ func RestclientConfig(config, context string) (*api.Config, error) { if err != nil { return nil, fmt.Errorf("error loading config: %v", err.Error()) } - if context != "" { - Logf(">>> context: %s\n", context) - c.CurrentContext = context + if newContext != "" { + Logf(">>> context: %s\n", newContext) + c.CurrentContext = newContext } return c, nil } @@ -98,6 +98,7 @@ func createNamespace(baseName string, labels map[string]string, c kubernetes.Int var got *corev1.Namespace var err error + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err = wait.Poll(Poll, DefaultTimeout, func() (bool, error) { got, err = c.CoreV1().Namespaces().Create(context.TODO(), ns, metav1.CreateOptions{}) if err != nil { @@ -114,13 +115,11 @@ func createNamespace(baseName string, labels map[string]string, c kubernetes.Int // CreateKubeNamespace creates a new namespace in the cluster func CreateKubeNamespace(baseName string, c kubernetes.Interface) (string, error) { - return createNamespace(baseName, nil, c) } // CreateKubeNamespaceWithLabel creates a new namespace with given labels in the cluster func CreateKubeNamespaceWithLabel(baseName string, labels map[string]string, c kubernetes.Interface) (string, error) { - return createNamespace(baseName, labels, c) } @@ -150,7 +149,7 @@ func CreateIngressClass(namespace string, c kubernetes.Interface) (string, error }, }, metav1.CreateOptions{}) if err != nil { - return "", fmt.Errorf("Unexpected error creating IngressClass %s: %v", icname, err) + return "", fmt.Errorf("unexpected error creating IngressClass %s: %v", icname, err) } _, err = c.RbacV1().ClusterRoles().Create(context.TODO(), &rbacv1.ClusterRole{ @@ -162,7 +161,7 @@ func CreateIngressClass(namespace string, c kubernetes.Interface) (string, error }}, }, metav1.CreateOptions{}) if err != nil { - return "", fmt.Errorf("Unexpected error creating IngressClass ClusterRole %s: %v", icname, err) + return "", fmt.Errorf("unexpected error creating IngressClass ClusterRole %s: %v", icname, err) } _, err = c.RbacV1().ClusterRoleBindings().Create(context.TODO(), &rbacv1.ClusterRoleBinding{ @@ -184,7 +183,7 @@ func CreateIngressClass(namespace string, c kubernetes.Interface) (string, error }, }, metav1.CreateOptions{}) if err != nil { - return "", fmt.Errorf("Unexpected error creating IngressClass ClusterRoleBinding %s: %v", icname, err) + return "", fmt.Errorf("unexpected error creating IngressClass ClusterRoleBinding %s: %v", icname, err) } return ic.Name, nil } @@ -200,16 +199,16 @@ func deleteIngressClass(c kubernetes.Interface, ingressclass string) error { } err = c.NetworkingV1().IngressClasses().Delete(context.TODO(), ingressclass, deleteOptions) if err != nil { - return fmt.Errorf("Unexpected error deleting IngressClass %s: %v", ingressclass, err) + return fmt.Errorf("unexpected error deleting IngressClass %s: %v", ingressclass, err) } err = c.RbacV1().ClusterRoleBindings().Delete(context.TODO(), ingressclass, deleteOptions) if err != nil { - return fmt.Errorf("Unexpected error deleting IngressClass ClusterRoleBinding %s: %v", ingressclass, err) + return fmt.Errorf("unexpected error deleting IngressClass ClusterRoleBinding %s: %v", ingressclass, err) } err = c.RbacV1().ClusterRoles().Delete(context.TODO(), ingressclass, deleteOptions) if err != nil { - return fmt.Errorf("Unexpected error deleting IngressClass ClusterRole %s: %v", ingressclass, err) + return fmt.Errorf("unexpected error deleting IngressClass ClusterRole %s: %v", ingressclass, err) } return nil @@ -223,6 +222,7 @@ func GetIngressClassName(namespace string) *string { // WaitForKubeNamespaceNotExist waits until a namespaces is not present in the cluster func WaitForKubeNamespaceNotExist(c kubernetes.Interface, namespace string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, namespaceNotExist(c, namespace)) } @@ -241,6 +241,7 @@ func namespaceNotExist(c kubernetes.Interface, namespace string) wait.ConditionF // WaitForNoPodsInNamespace waits until there are no pods running in a namespace func WaitForNoPodsInNamespace(c kubernetes.Interface, namespace string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, noPodsInNamespace(c, namespace)) } @@ -267,15 +268,17 @@ func WaitForPodRunningInNamespace(c kubernetes.Interface, pod *corev1.Pod) error if pod.Status.Phase == corev1.PodRunning { return nil } - return waitTimeoutForPodRunningInNamespace(c, pod.Name, pod.Namespace, DefaultTimeout) + return waitTimeoutForPodRunningInNamespace(c, pod.Name, pod.Namespace) } -func waitTimeoutForPodRunningInNamespace(c kubernetes.Interface, podName, namespace string, timeout time.Duration) error { +func waitTimeoutForPodRunningInNamespace(c kubernetes.Interface, podName, namespace string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, podRunning(c, podName, namespace)) } // WaitForSecretInNamespace waits a default amount of time for the specified secret is present in a particular namespace func WaitForSecretInNamespace(c kubernetes.Interface, namespace, name string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, secretInNamespace(c, namespace, name)) } @@ -298,6 +301,7 @@ func secretInNamespace(c kubernetes.Interface, namespace, name string) wait.Cond // WaitForFileInFS waits a default amount of time for the specified file is present in the filesystem func WaitForFileInFS(file string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, fileInFS(file)) } @@ -322,6 +326,7 @@ func fileInFS(file string) wait.ConditionFunc { // WaitForNoIngressInNamespace waits until there is no ingress object in a particular namespace func WaitForNoIngressInNamespace(c kubernetes.Interface, namespace, name string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, noIngressInNamespace(c, namespace, name)) } @@ -344,6 +349,7 @@ func noIngressInNamespace(c kubernetes.Interface, namespace, name string) wait.C // WaitForIngressInNamespace waits until a particular ingress object exists namespace func WaitForIngressInNamespace(c kubernetes.Interface, namespace, name string) error { + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated return wait.Poll(Poll, DefaultTimeout, ingressInNamespace(c, namespace, name)) } diff --git a/test/e2e/gracefulshutdown/grace_period.go b/test/e2e/gracefulshutdown/grace_period.go index 12e2f3d67..123892f3a 100644 --- a/test/e2e/gracefulshutdown/grace_period.go +++ b/test/e2e/gracefulshutdown/grace_period.go @@ -33,7 +33,6 @@ var _ = framework.IngressNginxDescribe("[Shutdown] Grace period shutdown", func( f := framework.NewDefaultFramework("shutdown-grace-period") ginkgo.It("/healthz should return status code 500 during shutdown grace period", func() { - f.NewSlowEchoDeployment() err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { @@ -83,6 +82,5 @@ var _ = framework.IngressNginxDescribe("[Shutdown] Grace period shutdown", func( for _, err := range <-result { assert.Nil(ginkgo.GinkgoT(), err) } - }) }) diff --git a/test/e2e/ingress/multiple_rules.go b/test/e2e/ingress/multiple_rules.go index c08f36374..f44b2f8dd 100644 --- a/test/e2e/ingress/multiple_rules.go +++ b/test/e2e/ingress/multiple_rules.go @@ -36,6 +36,15 @@ var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func() }) ginkgo.It("should set the correct $service_name NGINX variable", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "service-name: $service_name";`, } diff --git a/test/e2e/ingress/pathtype_exact.go b/test/e2e/ingress/pathtype_exact.go index ae2902e9f..d0564cbf6 100644 --- a/test/e2e/ingress/pathtype_exact.go +++ b/test/e2e/ingress/pathtype_exact.go @@ -35,6 +35,14 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() { }) ginkgo.It("should choose exact location for /exact", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "exact.path" @@ -42,7 +50,7 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() { "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "pathType: exact";`, } - var exactPathType = networking.PathTypeExact + exactPathType := networking.PathTypeExact ing := framework.NewSingleIngress("exact", "/exact", host, f.Namespace, framework.EchoService, 80, annotations) ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &exactPathType f.EnsureIngress(ing) diff --git a/test/e2e/ingress/pathtype_mixed.go b/test/e2e/ingress/pathtype_mixed.go index dd183bbb4..e7bf2532e 100644 --- a/test/e2e/ingress/pathtype_mixed.go +++ b/test/e2e/ingress/pathtype_mixed.go @@ -34,9 +34,17 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi f.NewEchoDeployment() }) - var exactPathType = networking.PathTypeExact + exactPathType := networking.PathTypeExact ginkgo.It("should choose the correct location", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "mixed.path" diff --git a/test/e2e/leaks/lua_ssl.go b/test/e2e/leaks/lua_ssl.go index e63a1e353..88285ba4b 100644 --- a/test/e2e/leaks/lua_ssl.go +++ b/test/e2e/leaks/lua_ssl.go @@ -87,14 +87,14 @@ func provisionIngress(hostname string, f *framework.Framework) { func checkIngress(hostname string, f *framework.Framework) { resp := f.HTTPTestClientWithTLSConfig(&tls.Config{ ServerName: hostname, - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing }). GET("/"). WithURL(f.GetURL(framework.HTTPS)). WithHeader("Host", hostname). Expect(). Raw() - + defer resp.Body.Close() assert.Equal(ginkgo.GinkgoT(), resp.StatusCode, http.StatusOK) // check the returned secret is not the fake one diff --git a/test/e2e/loadbalance/configmap.go b/test/e2e/loadbalance/configmap.go index 8cd47286b..737cd06dd 100644 --- a/test/e2e/loadbalance/configmap.go +++ b/test/e2e/loadbalance/configmap.go @@ -25,6 +25,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const loadBalanceHost = "load-balance.com" + var _ = framework.DescribeSetting("[Load Balancer] load-balance", func() { f := framework.NewDefaultFramework("lb-configmap") @@ -33,7 +35,7 @@ var _ = framework.DescribeSetting("[Load Balancer] load-balance", func() { }) ginkgo.It("should apply the configmap load-balance setting", func() { - host := "load-balance.com" + host := loadBalanceHost f.UpdateNginxConfigMapData("load-balance", "ewma") diff --git a/test/e2e/loadbalance/ewma.go b/test/e2e/loadbalance/ewma.go index e2750a09a..f457e6357 100644 --- a/test/e2e/loadbalance/ewma.go +++ b/test/e2e/loadbalance/ewma.go @@ -35,12 +35,13 @@ var _ = framework.DescribeSetting("[Load Balancer] EWMA", func() { f.NewEchoDeployment(framework.WithDeploymentReplicas(3)) f.SetNginxConfigMapData(map[string]string{ "worker-processes": "2", - "load-balance": "ewma"}, + "load-balance": "ewma", + }, ) }) ginkgo.It("does not fail requests", func() { - host := "load-balance.com" + host := loadBalanceHost f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxServer(host, @@ -52,7 +53,9 @@ var _ = framework.DescribeSetting("[Load Balancer] EWMA", func() { assert.Nil(ginkgo.GinkgoT(), err) assert.Equal(ginkgo.GinkgoT(), algorithm, "ewma") - re, _ := regexp.Compile(fmt.Sprintf(`%v.*`, framework.EchoService)) + re, err := regexp.Compile(fmt.Sprintf(`%v.*`, framework.EchoService)) + assert.Nil(ginkgo.GinkgoT(), err, "error compiling regex") + replicaRequestCount := map[string]int{} for i := 0; i < 30; i++ { diff --git a/test/e2e/loadbalance/round_robin.go b/test/e2e/loadbalance/round_robin.go index 2d0582e9a..5f6667143 100644 --- a/test/e2e/loadbalance/round_robin.go +++ b/test/e2e/loadbalance/round_robin.go @@ -37,7 +37,7 @@ var _ = framework.DescribeSetting("[Load Balancer] round-robin", func() { }) ginkgo.It("should evenly distribute requests with round-robin (default algorithm)", func() { - host := "load-balance.com" + host := loadBalanceHost f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)) f.WaitForNginxServer(host, @@ -45,7 +45,9 @@ var _ = framework.DescribeSetting("[Load Balancer] round-robin", func() { return strings.Contains(server, "server_name load-balance.com") }) - re, _ := regexp.Compile(fmt.Sprintf(`%v.*`, framework.EchoService)) + re, err := regexp.Compile(fmt.Sprintf(`%v.*`, framework.EchoService)) + assert.Nil(ginkgo.GinkgoT(), err, "error compiling regex") + replicaRequestCount := map[string]int{} for i := 0; i < 600; i++ { diff --git a/test/e2e/lua/dynamic_certificates.go b/test/e2e/lua/dynamic_certificates.go index 0160cc9e7..8c9df5e71 100644 --- a/test/e2e/lua/dynamic_certificates.go +++ b/test/e2e/lua/dynamic_certificates.go @@ -245,7 +245,6 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic certificates", func() { WithHeader("Host", host). Expect(). Status(http.StatusOK) - }) }) }) @@ -254,7 +253,6 @@ func extractReloadCount(mf *dto.MetricFamily) (float64, error) { vec, err := expfmt.ExtractSamples(&expfmt.DecodeOptions{ Timestamp: model.Now(), }, mf) - if err != nil { return 0, err } diff --git a/test/e2e/lua/dynamic_configuration.go b/test/e2e/lua/dynamic_configuration.go index 8e9804545..8ec1ef839 100644 --- a/test/e2e/lua/dynamic_configuration.go +++ b/test/e2e/lua/dynamic_configuration.go @@ -26,7 +26,6 @@ import ( "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" - networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" @@ -199,20 +198,18 @@ var _ = framework.IngressNginxDescribe("[Lua] dynamic configuration", func() { }) }) -func ensureIngress(f *framework.Framework, host string, deploymentName string) *networking.Ingress { - ing := createIngress(f, host, deploymentName) +func ensureIngress(f *framework.Framework, host, deploymentName string) { + createIngress(f, host, deploymentName) f.HTTPTestClient(). GET("/"). WithHeader("Host", host). Expect(). Status(http.StatusOK) - - return ing } -func createIngress(f *framework.Framework, host string, deploymentName string) *networking.Ingress { - ing := f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, deploymentName, 80, +func createIngress(f *framework.Framework, host, deploymentName string) { + f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, deploymentName, 80, map[string]string{ "nginx.ingress.kubernetes.io/load-balance": "ewma", }, @@ -223,21 +220,19 @@ func createIngress(f *framework.Framework, host string, deploymentName string) * return strings.Contains(server, fmt.Sprintf("server_name %s ;", host)) && strings.Contains(server, "proxy_pass http://upstream_balancer;") }) - - return ing } -func ensureHTTPSRequest(f *framework.Framework, url string, host string, expectedDNSName string) { +func ensureHTTPSRequest(f *framework.Framework, url, host, expectedDNSName string) { resp := f.HTTPTestClientWithTLSConfig(&tls.Config{ ServerName: host, - InsecureSkipVerify: true, + InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing }). GET("/"). WithURL(url). WithHeader("Host", host). Expect(). Raw() - + defer resp.Body.Close() assert.Equal(ginkgo.GinkgoT(), resp.StatusCode, http.StatusOK) assert.Equal(ginkgo.GinkgoT(), len(resp.TLS.PeerCertificates), 1) assert.Equal(ginkgo.GinkgoT(), resp.TLS.PeerCertificates[0].DNSNames[0], expectedDNSName) diff --git a/test/e2e/nginx/nginx.go b/test/e2e/nginx/nginx.go index cd14a931c..7e572a976 100644 --- a/test/e2e/nginx/nginx.go +++ b/test/e2e/nginx/nginx.go @@ -100,7 +100,6 @@ var _ = framework.DescribeSetting("nginx-configuration", func() { f := framework.NewSimpleFramework("nginxconfiguration") ginkgo.It("start nginx with default configuration", func() { - f.NGINXWithConfigDeployment("default-nginx", cfgOK) f.WaitForPod("app=default-nginx", 60*time.Second, false) framework.Sleep(5 * time.Second) @@ -113,20 +112,16 @@ var _ = framework.DescribeSetting("nginx-configuration", func() { }) ginkgo.It("fails when using alias directive", func() { - f.NGINXDeployment("alias-nginx", cfgAlias, false) // This should fail with a crashloopback because our NGINX does not have // alias directive! f.WaitForPod("app=alias-nginx", 60*time.Second, true) - }) ginkgo.It("fails when using root directive", func() { - f.NGINXDeployment("root-nginx", cfgRoot, false) // This should fail with a crashloopback because our NGINX does not have // root directive! f.WaitForPod("app=root-nginx", 60*time.Second, true) - }) }) diff --git a/test/e2e/security/request_smuggling.go b/test/e2e/security/request_smuggling.go index 58b17c4d8..5ede02d4b 100644 --- a/test/e2e/security/request_smuggling.go +++ b/test/e2e/security/request_smuggling.go @@ -50,9 +50,9 @@ server { f.UpdateNginxConfigMapData("http-snippet", snippet) - //TODO: currently using a self hosted HTTPBun instance results in a 499, we - //should move away from using httpbun.com once we have the httpbun - //deployment as part of the framework + // TODO: currently using a self hosted HTTPBun instance results in a 499, we + // should move away from using httpbun.com once we have the httpbun + // deployment as part of the framework ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, map[string]string{ "nginx.ingress.kubernetes.io/auth-signin": "https://httpbun.com/bearer/d4bcba7a-0def-4a31-91a7-47e420adf44b", "nginx.ingress.kubernetes.io/auth-url": "https://httpbun.com/basic-auth/user/passwd", @@ -91,7 +91,7 @@ func smugglingRequest(host, addr string, port int) (string, error) { // wait for /_hidden/index.html response framework.Sleep() - var buf = make([]byte, 1024) + buf := make([]byte, 1024) r := bufio.NewReader(conn) _, err = r.Read(buf) if err != nil { diff --git a/test/e2e/servicebackend/service_backend.go b/test/e2e/servicebackend/service_backend.go index 44f3d36a5..6ab2f8ad1 100644 --- a/test/e2e/servicebackend/service_backend.go +++ b/test/e2e/servicebackend/service_backend.go @@ -29,48 +29,50 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) -var pathtype = networking.PathTypePrefix -var _ = framework.IngressNginxDescribe("[Service] backend status code 503", func() { - f := framework.NewDefaultFramework("service-backend") +var ( + pathtype = networking.PathTypePrefix + _ = framework.IngressNginxDescribe("[Service] backend status code 503", func() { + f := framework.NewDefaultFramework("service-backend") - ginkgo.It("should return 503 when backend service does not exist", func() { - host := "nonexistent.svc.com" + ginkgo.It("should return 503 when backend service does not exist", func() { + host := "nonexistent.svc.com" - bi := buildIngressWithNonexistentService(host, f.Namespace, "/") - f.EnsureIngress(bi) + bi := buildIngressWithNonexistentService(host, f.Namespace, "/") + f.EnsureIngress(bi) - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "proxy_pass http://upstream_balancer;") - }) + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "proxy_pass http://upstream_balancer;") + }) - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusServiceUnavailable) + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusServiceUnavailable) + }) + + ginkgo.It("should return 503 when all backend service endpoints are unavailable", func() { + host := "unavailable.svc.com" + + bi, bs := buildIngressWithUnavailableServiceEndpoints(host, f.Namespace, "/") + + f.EnsureService(bs) + f.EnsureIngress(bi) + + f.WaitForNginxServer(host, + func(server string) bool { + return strings.Contains(server, "proxy_pass http://upstream_balancer;") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusServiceUnavailable) + }) }) - - ginkgo.It("should return 503 when all backend service endpoints are unavailable", func() { - host := "unavailable.svc.com" - - bi, bs := buildIngressWithUnavailableServiceEndpoints(host, f.Namespace, "/") - - f.EnsureService(bs) - f.EnsureIngress(bi) - - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "proxy_pass http://upstream_balancer;") - }) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusServiceUnavailable) - }) -}) +) func buildIngressWithNonexistentService(host, namespace, path string) *networking.Ingress { backendService := "nonexistent-svc" @@ -146,14 +148,15 @@ func buildIngressWithUnavailableServiceEndpoints(host, namespace, path string) ( Name: backendService, Namespace: namespace, }, - Spec: corev1.ServiceSpec{Ports: []corev1.ServicePort{ - { - Name: "tcp", - Port: 80, - TargetPort: intstr.FromInt(80), - Protocol: "TCP", + Spec: corev1.ServiceSpec{ + Ports: []corev1.ServicePort{ + { + Name: "tcp", + Port: 80, + TargetPort: intstr.FromInt(80), + Protocol: "TCP", + }, }, - }, Selector: map[string]string{ "app": backendService, }, diff --git a/test/e2e/servicebackend/service_externalname.go b/test/e2e/servicebackend/service_externalname.go index 89ae77b10..fccd1cd19 100644 --- a/test/e2e/servicebackend/service_externalname.go +++ b/test/e2e/servicebackend/service_externalname.go @@ -30,16 +30,17 @@ import ( networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/ingress-nginx/internal/nginx" "k8s.io/ingress-nginx/test/e2e/framework" ) +const echoHost = "echo" + var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { f := framework.NewDefaultFramework("type-externalname", framework.WithHTTPBunEnabled()) ginkgo.It("works with external name set to incomplete fqdn", func() { f.NewEchoDeployment() - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -75,7 +76,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName without a port defined", func() { - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -115,7 +116,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName with a port defined", func() { - host := "echo" + host := echoHost svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) @@ -145,7 +146,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return status 502 for service type=ExternalName with an invalid host", func() { - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -181,7 +182,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName using a port name", func() { - host := "echo" + host := echoHost svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) @@ -222,7 +223,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should return 200 for service type=ExternalName using FQDN with trailing dot", func() { - host := "echo" + host := echoHost svc := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ @@ -258,7 +259,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { }) ginkgo.It("should update the external name after a service update", func() { - host := "echo" + host := echoHost svc := framework.BuildNIPExternalNameService(f, f.HTTPBunIP, host) f.EnsureService(svc) @@ -307,7 +308,7 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { Get(context.TODO(), framework.NIPService, metav1.GetOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "unexpected error obtaining external service") - //Deploy a new instance to switch routing to + // Deploy a new instance to switch routing to ip := f.NewHttpbunDeployment(framework.WithDeploymentName("eu-server")) svc.Spec.ExternalName = framework.BuildNIPHost(ip) @@ -330,22 +331,18 @@ var _ = framework.IngressNginxDescribe("[Service] Type ExternalName", func() { assert.Contains(ginkgo.GinkgoT(), body, `"X-Forwarded-Host": "echo"`) ginkgo.By("checking the service is updated to use new host") - curlCmd := fmt.Sprintf( - "curl --fail --silent http://localhost:%v/configuration/backends", - nginx.StatusPort, - ) - - output, err := f.ExecIngressPod(curlCmd) + dbgCmd := "/dbg backends all" + output, err := f.ExecIngressPod(dbgCmd) assert.Nil(ginkgo.GinkgoT(), err) assert.Contains( ginkgo.GinkgoT(), output, - fmt.Sprintf("{\"address\":\"%s\"", framework.BuildNIPHost(ip)), + fmt.Sprintf(`"address": %q`, framework.BuildNIPHost(ip)), ) }) ginkgo.It("should sync ingress on external name service addition/deletion", func() { - host := "echo" + host := echoHost // Create the Ingress first ing := framework.NewSingleIngress(host, diff --git a/test/e2e/servicebackend/service_nil_backend.go b/test/e2e/servicebackend/service_nil_backend.go index c44601c88..9b5b4c7e6 100644 --- a/test/e2e/servicebackend/service_nil_backend.go +++ b/test/e2e/servicebackend/service_nil_backend.go @@ -64,7 +64,6 @@ var _ = framework.IngressNginxDescribe("[Service] Nil Service Backend", func() { WithHeader("Host", invalidHost). Expect(). Status(http.StatusNotFound) - }) }) diff --git a/test/e2e/settings/access_log.go b/test/e2e/settings/access_log.go index 7c7e2b9e3..65b9dfda4 100644 --- a/test/e2e/settings/access_log.go +++ b/test/e2e/settings/access_log.go @@ -28,7 +28,6 @@ var _ = framework.DescribeSetting("access-log", func() { f := framework.NewDefaultFramework("access-log") ginkgo.Context("access-log-path", func() { - ginkgo.It("use the default configuration", func() { f.WaitForNginxConfiguration( func(cfg string) bool { @@ -50,7 +49,6 @@ var _ = framework.DescribeSetting("access-log", func() { }) ginkgo.Context("http-access-log-path", func() { - ginkgo.It("use the specified configuration", func() { f.UpdateNginxConfigMapData("http-access-log-path", "/tmp/nginx/http-access.log") f.WaitForNginxConfiguration( @@ -63,7 +61,6 @@ var _ = framework.DescribeSetting("access-log", func() { }) ginkgo.Context("stream-access-log-path", func() { - ginkgo.It("use the specified configuration", func() { f.UpdateNginxConfigMapData("stream-access-log-path", "/tmp/nginx/stream-access.log") f.WaitForNginxConfiguration( @@ -76,7 +73,6 @@ var _ = framework.DescribeSetting("access-log", func() { }) ginkgo.Context("http-access-log-path & stream-access-log-path", func() { - ginkgo.It("use the specified configuration", func() { f.SetNginxConfigMapData(map[string]string{ "http-access-log-path": "/tmp/nginx/http-access.log", diff --git a/test/e2e/settings/aio_write.go b/test/e2e/settings/aio_write.go new file mode 100644 index 000000000..bcfe2a4de --- /dev/null +++ b/test/e2e/settings/aio_write.go @@ -0,0 +1,54 @@ +/* +Copyright 2023 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package settings + +import ( + "strings" + + "github.com/onsi/ginkgo/v2" + + "k8s.io/ingress-nginx/test/e2e/framework" +) + +var _ = framework.DescribeSetting("aio-write", func() { + f := framework.NewDefaultFramework("aio-write") + + ginkgo.It("should be enabled by default", func() { + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "aio_write on") + }) + }) + + ginkgo.It("should be enabled when setting is true", func() { + f.UpdateNginxConfigMapData("enable-aio-write", "true") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return strings.Contains(cfg, "aio_write on") + }) + }) + + ginkgo.It("should be disabled when setting is false", func() { + f.UpdateNginxConfigMapData("enable-aio-write", "false") + + f.WaitForNginxConfiguration( + func(cfg string) bool { + return !strings.Contains(cfg, "aio_write on") + }) + }) +}) diff --git a/test/e2e/settings/badannotationvalues.go b/test/e2e/settings/badannotationvalues.go index b4b6def4a..f61b5bada 100644 --- a/test/e2e/settings/badannotationvalues.go +++ b/test/e2e/settings/badannotationvalues.go @@ -34,6 +34,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "invalid-value-test" annotations := map[string]string{ @@ -65,6 +73,15 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "forbidden-value-test" annotations := map[string]string{ @@ -100,7 +117,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() { - + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() hostValid := "custom-allowed-value-test" annotationsValid := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": ` @@ -131,6 +155,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { }) ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "custom-forbidden-value-test" annotations := map[string]string{ @@ -159,6 +191,5 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() { WithHeader("Host", host). Expect(). Status(http.StatusNotFound) - }) }) diff --git a/test/e2e/settings/default_ssl_certificate.go b/test/e2e/settings/default_ssl_certificate.go index ea97d4895..c48a1e87f 100644 --- a/test/e2e/settings/default_ssl_certificate.go +++ b/test/e2e/settings/default_ssl_certificate.go @@ -30,10 +30,12 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const fooHost = "foo" + var _ = framework.IngressNginxDescribe("[SSL] [Flag] default-ssl-certificate", func() { f := framework.NewDefaultFramework("default-ssl-certificate") var tlsConfig *tls.Config - secretName := "my-custom-cert" + secretName := "my-custom-cert" //nolint:gosec // Ignore the gosec error in testing service := framework.EchoService port := 80 @@ -78,7 +80,7 @@ var _ = framework.IngressNginxDescribe("[SSL] [Flag] default-ssl-certificate", f }) ginkgo.It("uses default ssl certificate for host based ingress when configured certificate does not match host", func() { - host := "foo" + host := fooHost ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, service, port, nil)) _, err := framework.CreateIngressTLSSecret(f.KubeClientSet, diff --git a/test/e2e/settings/disable_catch_all.go b/test/e2e/settings/disable_catch_all.go index 0d1a14493..4e7a16f4d 100644 --- a/test/e2e/settings/disable_catch_all.go +++ b/test/e2e/settings/disable_catch_all.go @@ -48,7 +48,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { }) ginkgo.It("should ignore catch all Ingress with backend", func() { - host := "foo" + host := fooHost ing := framework.NewSingleCatchAllIngress("catch-all", f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -67,7 +67,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { }) ginkgo.It("should ignore catch all Ingress with backend and rules", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngressWithBackendAndRules(host, "/", host, f.Namespace, framework.EchoService, 80, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -79,7 +79,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { }) ginkgo.It("should delete Ingress updated to catch-all", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -121,7 +121,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-catch-all", func() { }) ginkgo.It("should allow Ingress with rules", func() { - host := "foo" + host := fooHost ing := framework.NewSingleIngress("not-catch-all", "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) diff --git a/test/e2e/settings/disable_service_external_name.go b/test/e2e/settings/disable_service_external_name.go index 4ecf69e81..602828089 100644 --- a/test/e2e/settings/disable_service_external_name.go +++ b/test/e2e/settings/disable_service_external_name.go @@ -95,6 +95,5 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-service-external-name", f WithHeader("Host", externalhost). Expect(). StatusRange(httpexpect.Status5xx) - }) }) diff --git a/test/e2e/settings/disable_sync_events.go b/test/e2e/settings/disable_sync_events.go index 7d1298087..033fd9194 100644 --- a/test/e2e/settings/disable_sync_events.go +++ b/test/e2e/settings/disable_sync_events.go @@ -50,6 +50,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-sync-events", func() { assert.NotEmpty(ginkgo.GinkgoT(), events.Items, "got events") }) + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should create sync events", func() { host := "disable-sync-events-false" f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) @@ -77,6 +78,7 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-sync-events", func() { assert.NotEmpty(ginkgo.GinkgoT(), events.Items, "got events") }) + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should not create sync events", func() { host := "disable-sync-events-true" f.NewEchoDeployment(framework.WithDeploymentReplicas(1)) @@ -103,5 +105,4 @@ var _ = framework.IngressNginxDescribe("[Flag] disable-sync-events", func() { assert.Empty(ginkgo.GinkgoT(), events.Items, "got events") }) - }) diff --git a/test/e2e/settings/forwarded_headers.go b/test/e2e/settings/forwarded_headers.go index d4ffee545..44460aca6 100644 --- a/test/e2e/settings/forwarded_headers.go +++ b/test/e2e/settings/forwarded_headers.go @@ -26,6 +26,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const forwardedHeadersHost = "forwarded-headers" + var _ = framework.DescribeSetting("use-forwarded-headers", func() { f := framework.NewDefaultFramework("forwarded-headers") @@ -37,7 +39,7 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { }) ginkgo.It("should trust X-Forwarded headers when setting is true", func() { - host := "forwarded-headers" + host := forwardedHeadersHost f.UpdateNginxConfigMapData(setting, "true") @@ -89,7 +91,7 @@ var _ = framework.DescribeSetting("use-forwarded-headers", func() { }) ginkgo.It("should not trust X-Forwarded headers when setting is false", func() { - host := "forwarded-headers" + host := forwardedHeadersHost f.UpdateNginxConfigMapData(setting, "false") diff --git a/test/e2e/settings/geoip2.go b/test/e2e/settings/geoip2.go index 9b2ca8624..e37286d5c 100644 --- a/test/e2e/settings/geoip2.go +++ b/test/e2e/settings/geoip2.go @@ -19,11 +19,10 @@ package settings import ( "context" "fmt" + "net/http" "path/filepath" "strings" - "net/http" - "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" @@ -70,10 +69,17 @@ var _ = framework.DescribeSetting("Geoip2", func() { ginkgo.It("should only allow requests from specific countries", func() { ginkgo.Skip("GeoIP test are temporarily disabled") - f.UpdateNginxConfigMapData("use-geoip2", "true") + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + "use-geoip2": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() - httpSnippetAllowingOnlyAustralia := - `map $geoip2_city_country_code $blocked_country { + httpSnippetAllowingOnlyAustralia := `map $geoip2_city_country_code $blocked_country { default 1; AU 0; }` @@ -85,8 +91,7 @@ var _ = framework.DescribeSetting("Geoip2", func() { return strings.Contains(cfg, "map $geoip2_city_country_code $blocked_country") }) - configSnippet := - `if ($blocked_country) { + configSnippet := `if ($blocked_country) { return 403; }` diff --git a/test/e2e/settings/global_external_auth.go b/test/e2e/settings/global_external_auth.go index cc98099ae..741e6f955 100644 --- a/test/e2e/settings/global_external_auth.go +++ b/test/e2e/settings/global_external_auth.go @@ -31,6 +31,11 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const ( + disable = "false" + noAuthLocaltionSetting = "no-auth-locations" +) + var _ = framework.DescribeSetting("[Security] global-auth-url", func() { f := framework.NewDefaultFramework( "global-external-auth", @@ -46,7 +51,7 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { fooPath := "/foo" barPath := "/bar" - noAuthSetting := "no-auth-locations" + noAuthSetting := noAuthLocaltionSetting noAuthLocations := barPath enableGlobalExternalAuthAnnotation := "nginx.ingress.kubernetes.io/enable-global-auth" @@ -56,7 +61,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.Context("when global external authentication is configured", func() { - ginkgo.BeforeEach(func() { globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/401", framework.HTTPBunService, f.Namespace) @@ -85,7 +89,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It("should return status code 401 when request any protected service", func() { - ginkgo.By("Sending a request to protected service /foo") f.HTTPTestClient(). GET(fooPath). @@ -102,7 +105,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It("should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service", func() { - ginkgo.By("Adding a no-auth-locations for /bar to configMap") f.UpdateNginxConfigMapData(noAuthSetting, noAuthLocations) f.WaitForNginxServer(host, @@ -126,10 +128,9 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It("should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service", func() { - ginkgo.By("Adding an ingress rule for /bar with annotation enable-global-auth = false") err := framework.UpdateIngress(f.KubeClientSet, f.Namespace, "bar-ingress", func(ingress *networking.Ingress) error { - ingress.ObjectMeta.Annotations[enableGlobalExternalAuthAnnotation] = "false" + ingress.ObjectMeta.Annotations[enableGlobalExternalAuthAnnotation] = disable return nil }) assert.Nil(ginkgo.GinkgoT(), err) @@ -155,9 +156,8 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It("should still return status code 200 after auth backend is deleted using cache", func() { - globalExternalAuthCacheKeySetting := "global-auth-cache-key" - globalExternalAuthCacheKey := "foo" + globalExternalAuthCacheKey := fooHost globalExternalAuthCacheDurationSetting := "global-auth-cache-duration" globalExternalAuthCacheDuration := "200 201 401 30m" globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/200", framework.HTTPBunService, f.Namespace) @@ -197,7 +197,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It(`should proxy_method method when global-auth-method is configured`, func() { - globalExternalAuthMethodSetting := "global-auth-method" globalExternalAuthMethod := "GET" @@ -210,7 +209,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It(`should add custom error page when global-auth-signin url is configured`, func() { - globalExternalAuthSigninSetting := "global-auth-signin" globalExternalAuthSignin := "http://foo.com/global-error-page" @@ -223,7 +221,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It(`should add auth headers when global-auth-response-headers is configured`, func() { - globalExternalAuthResponseHeadersSetting := "global-auth-response-headers" globalExternalAuthResponseHeaders := "Foo, Bar" @@ -237,7 +234,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { }) ginkgo.It(`should set request-redirect when global-auth-request-redirect is configured`, func() { - globalExternalAuthRequestRedirectSetting := "global-auth-request-redirect" globalExternalAuthRequestRedirect := "Foo-Redirect" @@ -260,7 +256,6 @@ var _ = framework.DescribeSetting("[Security] global-auth-url", func() { return strings.Contains(server, globalExternalAuthSnippet) }) }) - }) ginkgo.Context("cookie set by external authentication server", func() { @@ -322,7 +317,6 @@ http { f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, "server_name "+host) }) - }) ginkgo.It("user retains cookie by default", func() { diff --git a/test/e2e/settings/global_options.go b/test/e2e/settings/global_options.go index 117860d59..1f84ef5d7 100644 --- a/test/e2e/settings/global_options.go +++ b/test/e2e/settings/global_options.go @@ -31,7 +31,6 @@ var _ = framework.IngressNginxDescribe("global-options", func() { ginkgo.It("should have worker_rlimit_nofile option", func() { f.WaitForNginxConfiguration(func(server string) bool { return strings.Contains(server, fmt.Sprintf("worker_rlimit_nofile %d;", rlimitMaxNumFiles()-1024)) - }) }) diff --git a/test/e2e/settings/hash-size.go b/test/e2e/settings/hash-size.go index 6e3e0480c..5aa5f7c95 100644 --- a/test/e2e/settings/hash-size.go +++ b/test/e2e/settings/hash-size.go @@ -36,7 +36,6 @@ var _ = framework.DescribeSetting("hash size", func() { }) ginkgo.Context("Check server names hash size", func() { - ginkgo.It("should set server_names_hash_bucket_size", func() { f.UpdateNginxConfigMapData("server-name-hash-bucket-size", "512") @@ -52,11 +51,9 @@ var _ = framework.DescribeSetting("hash size", func() { return strings.Contains(server, "server_names_hash_max_size 4096;") }) }) - }) ginkgo.Context("Check proxy header hash size", func() { - ginkgo.It("should set proxy-headers-hash-bucket-size", func() { f.UpdateNginxConfigMapData("proxy-headers-hash-bucket-size", "512") @@ -72,11 +69,9 @@ var _ = framework.DescribeSetting("hash size", func() { return strings.Contains(server, "proxy_headers_hash_max_size 4096;") }) }) - }) ginkgo.Context("Check the variable hash size", func() { - ginkgo.It("should set variables-hash-bucket-size", func() { f.UpdateNginxConfigMapData("variables-hash-bucket-size", "512") @@ -92,11 +87,9 @@ var _ = framework.DescribeSetting("hash size", func() { return strings.Contains(server, "variables_hash_max_size 512;") }) }) - }) ginkgo.Context("Check the map hash size", func() { - ginkgo.It("should set vmap-hash-bucket-size", func() { f.UpdateNginxConfigMapData("map-hash-bucket-size", "512") @@ -104,7 +97,5 @@ var _ = framework.DescribeSetting("hash size", func() { return strings.Contains(server, "map_hash_bucket_size 512;") }) }) - }) - }) diff --git a/test/e2e/settings/ingress_class.go b/test/e2e/settings/ingress_class.go index 232045f3a..80c09f80c 100644 --- a/test/e2e/settings/ingress_class.go +++ b/test/e2e/settings/ingress_class.go @@ -36,6 +36,8 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const barHost = "bar" + var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { f := framework.NewDefaultFramework("ingress-class") @@ -66,7 +68,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { ginkgo.Context("With default ingress class config", func() { ginkgo.It("should ignore Ingress with a different class annotation", func() { - invalidHost := "foo" + invalidHost := fooHost annotations := map[string]string{ ingressclass.IngressKey: "testclass", } @@ -75,7 +77,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { ing.Spec.IngressClassName = nil f.EnsureIngress(ing) - validHost := "bar" + validHost := barHost annotationClass := map[string]string{ ingressclass.IngressKey: ingressclass.DefaultAnnotationValue, } @@ -385,7 +387,6 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusOK) }) - }) ginkgo.Context("With specific ingress-class flags", func() { @@ -411,13 +412,13 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { }) ginkgo.It("should ignore Ingress with no class and accept the correctly configured Ingresses", func() { - invalidHost := "bar" + invalidHost := barHost ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil) ing.Spec.IngressClassName = nil f.EnsureIngress(ing) - validHost := "foo" + validHost := fooHost annotations := map[string]string{ ingressclass.IngressKey: "testclass", } @@ -455,7 +456,6 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusNotFound) }) - }) ginkgo.Context("With watch-ingress-without-class flag", func() { @@ -480,13 +480,13 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { }) ginkgo.It("should watch Ingress with no class and ignore ingress with a different class", func() { - validHost := "bar" + validHost := barHost ing := framework.NewSingleIngress(validHost, "/", validHost, f.Namespace, framework.EchoService, 80, nil) ing.Spec.IngressClassName = nil f.EnsureIngress(ing) - invalidHost := "foo" + invalidHost := fooHost annotations := map[string]string{ ingressclass.IngressKey: "testclass123", } @@ -511,7 +511,6 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusNotFound) }) - }) ginkgo.Context("With ingress-class-by-name flag", func() { @@ -579,11 +578,9 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusNotFound) }) - }) ginkgo.Context("Without IngressClass Cluster scoped Permission", func() { - ginkgo.BeforeEach(func() { icname := fmt.Sprintf("ic-%s", f.Namespace) @@ -629,8 +626,7 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { }) ginkgo.It("should watch Ingress with correct annotation", func() { - - validHost := "foo" + validHost := fooHost annotations := map[string]string{ ingressclass.IngressKey: "testclass", } @@ -650,7 +646,6 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { }) ginkgo.It("should ignore Ingress with only IngressClassName", func() { - invalidHost := "noclassforyou" ing := framework.NewSingleIngress(invalidHost, "/", invalidHost, f.Namespace, framework.EchoService, 80, nil) @@ -666,6 +661,5 @@ var _ = framework.IngressNginxDescribe("[Flag] ingress-class", func() { Expect(). Status(http.StatusNotFound) }) - }) }) diff --git a/test/e2e/settings/keep-alive.go b/test/e2e/settings/keep-alive.go index d139f61c0..167f5ac18 100644 --- a/test/e2e/settings/keep-alive.go +++ b/test/e2e/settings/keep-alive.go @@ -21,6 +21,7 @@ import ( "strings" "github.com/onsi/ginkgo/v2" + "github.com/stretchr/testify/assert" "k8s.io/ingress-nginx/test/e2e/framework" ) @@ -50,7 +51,6 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.WaitForNginxConfiguration(func(server string) bool { return strings.Contains(server, `keepalive_requests 200;`) }) - }) }) @@ -59,7 +59,8 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("upstream-keepalive-connections", "128") f.WaitForNginxConfiguration(func(server string) bool { - match, _ := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive 128;`, server) + match, err := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive 128;`, server) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error matching the upstream keepalive time") return match }) }) @@ -68,7 +69,8 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("upstream-keepalive-timeout", "120") f.WaitForNginxConfiguration(func(server string) bool { - match, _ := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_timeout\s*120s;`, server) + match, err := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_timeout\s*120s;`, server) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error matching the upstream keepalive time") return match }) }) @@ -77,7 +79,8 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("upstream-keepalive-time", "75s") f.WaitForNginxConfiguration(func(server string) bool { - match, _ := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_time\s*75s;`, server) + match, err := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_time\s*75s;`, server) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error matching the upstream keepalive time") return match }) }) @@ -86,7 +89,8 @@ var _ = framework.DescribeSetting("keep-alive keep-alive-requests", func() { f.UpdateNginxConfigMapData("upstream-keepalive-requests", "200") f.WaitForNginxConfiguration(func(server string) bool { - match, _ := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_requests\s*200;`, server) + match, err := regexp.MatchString(`upstream\supstream_balancer\s\{[\s\S]*keepalive_requests\s*200;`, server) + assert.Nil(ginkgo.GinkgoT(), err, "unexpected error matching the upstream keepalive time") return match }) }) diff --git a/test/e2e/settings/listen_nondefault_ports.go b/test/e2e/settings/listen_nondefault_ports.go index 7e3b11b21..9d3952227 100644 --- a/test/e2e/settings/listen_nondefault_ports.go +++ b/test/e2e/settings/listen_nondefault_ports.go @@ -28,7 +28,6 @@ import ( ) var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", func() { - host := "forwarded-headers" f := framework.NewDefaultFramework("forwarded-port-headers", framework.WithHTTPBunEnabled()) @@ -44,7 +43,6 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun ginkgo.Context("with a plain HTTP ingress", func() { ginkgo.It("should set X-Forwarded-Port headers accordingly when listening on a non-default HTTP port", func() { - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -64,9 +62,7 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun }) ginkgo.Context("with a TLS enabled ingress", func() { - ginkgo.It("should set X-Forwarded-Port header to 443", func() { - ing := framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil) f.EnsureIngress(ing) @@ -94,7 +90,6 @@ var _ = framework.IngressNginxDescribe("[Flag] custom HTTP and HTTPS ports", fun }) ginkgo.Context("when external authentication is configured", func() { - ginkgo.It("should set the X-Forwarded-Port header to 443", func() { annotations := map[string]string{ "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", f.HTTPBunIP), diff --git a/test/e2e/settings/log-format.go b/test/e2e/settings/log-format.go index 24877818d..18835cb66 100644 --- a/test/e2e/settings/log-format.go +++ b/test/e2e/settings/log-format.go @@ -36,7 +36,6 @@ var _ = framework.DescribeSetting("log-format-*", func() { }) ginkgo.Context("Check log-format-escape-json and log-format-escape-none", func() { - ginkgo.It("should not configure log-format escape by default", func() { f.WaitForNginxConfiguration( func(cfg string) bool { @@ -78,7 +77,6 @@ var _ = framework.DescribeSetting("log-format-*", func() { }) ginkgo.Context("Check log-format-upstream with log-format-escape-json and log-format-escape-none", func() { - ginkgo.It("log-format-escape-json enabled", func() { f.SetNginxConfigMapData(map[string]string{ "log-format-escape-json": "true", diff --git a/test/e2e/settings/namespace_selector.go b/test/e2e/settings/namespace_selector.go index 3bf856566..1da62ee86 100644 --- a/test/e2e/settings/namespace_selector.go +++ b/test/e2e/settings/namespace_selector.go @@ -29,12 +29,12 @@ import ( var _ = framework.IngressNginxDescribeSerial("[Flag] watch namespace selector", func() { f := framework.NewDefaultFramework("namespace-selector") - notMatchedHost, matchedHost := "bar", "foo" + notMatchedHost, matchedHost := barHost, fooHost var notMatchedNs string var matchedNs string // create a test namespace, under which create an ingress and backend deployment - prepareTestIngress := func(baseName string, host string, labels map[string]string) string { + prepareTestIngress := func(host string, labels map[string]string) string { ns, err := framework.CreateKubeNamespaceWithLabel(f.BaseName, labels, f.KubeClientSet) assert.Nil(ginkgo.GinkgoT(), err, "creating test namespace") f.NewEchoDeployment(framework.WithDeploymentNamespace(ns)) @@ -49,8 +49,8 @@ var _ = framework.IngressNginxDescribeSerial("[Flag] watch namespace selector", } ginkgo.BeforeEach(func() { - notMatchedNs = prepareTestIngress(notMatchedHost, notMatchedHost, nil) // create namespace without label "foo=bar" - matchedNs = prepareTestIngress(matchedHost, matchedHost, map[string]string{"foo": "bar"}) + notMatchedNs = prepareTestIngress(notMatchedHost, nil) // create namespace without label "foo=bar" + matchedNs = prepareTestIngress(matchedHost, map[string]string{fooHost: barHost}) }) ginkgo.AfterEach(func() { @@ -59,9 +59,7 @@ var _ = framework.IngressNginxDescribeSerial("[Flag] watch namespace selector", }) ginkgo.Context("With specific watch-namespace-selector flags", func() { - - ginkgo.It("should ingore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar", func() { - + ginkgo.It("should ignore Ingress of namespace without label foo=bar and accept those of namespace with label foo=bar", func() { f.WaitForNginxConfiguration(func(cfg string) bool { return !strings.Contains(cfg, "server_name bar") && strings.Contains(cfg, "server_name foo") @@ -86,7 +84,7 @@ var _ = framework.IngressNginxDescribeSerial("[Flag] watch namespace selector", if ns.Labels == nil { ns.Labels = make(map[string]string) } - ns.Labels["foo"] = "bar" + ns.Labels[fooHost] = barHost _, err = f.KubeClientSet.CoreV1().Namespaces().Update(context.TODO(), ns, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "labeling not matched namespace") @@ -97,7 +95,7 @@ var _ = framework.IngressNginxDescribeSerial("[Flag] watch namespace selector", if ing.Labels == nil { ing.Labels = make(map[string]string) } - ing.Labels["foo"] = "bar" + ing.Labels[fooHost] = barHost _, err = f.KubeClientSet.NetworkingV1().Ingresses(notMatchedNs).Update(context.TODO(), ing, metav1.UpdateOptions{}) assert.Nil(ginkgo.GinkgoT(), err, "updating ingress") diff --git a/test/e2e/settings/no_auth_locations.go b/test/e2e/settings/no_auth_locations.go index 2fc4b6455..103c057d7 100644 --- a/test/e2e/settings/no_auth_locations.go +++ b/test/e2e/settings/no_auth_locations.go @@ -18,12 +18,12 @@ package settings import ( "fmt" - "golang.org/x/crypto/bcrypt" "net/http" "strings" "github.com/onsi/ginkgo/v2" "github.com/stretchr/testify/assert" + "golang.org/x/crypto/bcrypt" corev1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -34,7 +34,7 @@ var _ = framework.DescribeSetting("[Security] no-auth-locations", func() { f := framework.NewDefaultFramework("no-auth-locations") setting := "no-auth-locations" - username := "foo" + username := fooHost password := "bar" secretName := "test-secret" host := "no-auth-locations" @@ -100,7 +100,8 @@ func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName s ObjectMeta: metav1.ObjectMeta{ Name: host, Namespace: namespace, - Annotations: map[string]string{"nginx.ingress.kubernetes.io/auth-type": "basic", + Annotations: map[string]string{ + "nginx.ingress.kubernetes.io/auth-type": "basic", "nginx.ingress.kubernetes.io/auth-secret": secretName, "nginx.ingress.kubernetes.io/auth-realm": "test auth", }, @@ -147,7 +148,6 @@ func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName s } func buildSecret(username, password, name, namespace string) *corev1.Secret { - //out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput() out, err := bcrypt.GenerateFromPassword([]byte(password), 14) assert.Nil(ginkgo.GinkgoT(), err, "creating password") diff --git a/test/e2e/settings/no_tls_redirect_locations.go b/test/e2e/settings/no_tls_redirect_locations.go index 332d764d6..8339eb23e 100644 --- a/test/e2e/settings/no_tls_redirect_locations.go +++ b/test/e2e/settings/no_tls_redirect_locations.go @@ -44,6 +44,5 @@ var _ = framework.DescribeSetting("Add no tls redirect locations", func() { f.WaitForNginxConfiguration(func(server string) bool { return strings.Contains(server, "force_no_ssl_redirect = true,") }) - }) }) diff --git a/test/e2e/settings/ocsp/ocsp.go b/test/e2e/settings/ocsp/ocsp.go index 0173f41ac..4d419c5d0 100644 --- a/test/e2e/settings/ocsp/ocsp.go +++ b/test/e2e/settings/ocsp/ocsp.go @@ -47,6 +47,7 @@ var _ = framework.DescribeSetting("OCSP", func() { }) ginkgo.It("should enable OCSP and contain stapling information in the connection", func() { + ginkgo.Skip("Skipped due to a bug with cfssl and Alpine") host := "www.example.com" f.UpdateNginxConfigMapData("enable-ocsp", "true") @@ -112,7 +113,7 @@ var _ = framework.DescribeSetting("OCSP", func() { return strings.Contains(server, fmt.Sprintf(`server_name %v`, host)) }) - tlsConfig := &tls.Config{ServerName: host, InsecureSkipVerify: true} + tlsConfig := &tls.Config{ServerName: host, InsecureSkipVerify: true} //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(tlsConfig). GET("/"). WithURL(f.GetURL(framework.HTTPS)). @@ -195,7 +196,8 @@ const configTemplate = ` func prepareCertificates(namespace string) error { config := fmt.Sprintf(configTemplate, namespace) - err := os.WriteFile("cfssl_config.json", []byte(config), 0644) + //nolint:gosec // Not change permission to avoid possible issues + err := os.WriteFile("cfssl_config.json", []byte(config), 0o644) if err != nil { return fmt.Errorf("creating cfssl_config.json file: %v", err) } diff --git a/test/e2e/settings/opentelemetry.go b/test/e2e/settings/opentelemetry.go index 92d202cb3..15b5d165e 100644 --- a/test/e2e/settings/opentelemetry.go +++ b/test/e2e/settings/opentelemetry.go @@ -32,6 +32,8 @@ const ( opentelemetryLocationOperationName = "opentelemetry-location-operation-name" opentelemetryConfig = "opentelemetry-config" opentelemetryConfigPath = "/etc/nginx/opentelemetry.toml" + + enable = "true" ) var _ = framework.IngressNginxDescribe("Configure Opentelemetry", func() { @@ -46,7 +48,7 @@ var _ = framework.IngressNginxDescribe("Configure Opentelemetry", func() { ginkgo.It("should not exists opentelemetry directive", func() { config := map[string]string{} - config[enableOpentelemetry] = "false" + config[enableOpentelemetry] = disable f.SetNginxConfigMapData(config) f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) @@ -59,7 +61,7 @@ var _ = framework.IngressNginxDescribe("Configure Opentelemetry", func() { ginkgo.It("should exists opentelemetry directive when is enabled", func() { config := map[string]string{} - config[enableOpentelemetry] = "true" + config[enableOpentelemetry] = enable config[opentelemetryConfig] = opentelemetryConfigPath f.SetNginxConfigMapData(config) @@ -73,9 +75,9 @@ var _ = framework.IngressNginxDescribe("Configure Opentelemetry", func() { ginkgo.It("should include opentelemetry_trust_incoming_spans on directive when enabled", func() { config := map[string]string{} - config[enableOpentelemetry] = "true" + config[enableOpentelemetry] = enable config[opentelemetryConfig] = opentelemetryConfigPath - config[opentelemetryTrustIncomingSpan] = "true" + config[opentelemetryTrustIncomingSpan] = enable f.SetNginxConfigMapData(config) f.EnsureIngress(framework.NewSingleIngress(enableOpentelemetry, "/", enableOpentelemetry, f.Namespace, "http-svc", 80, nil)) @@ -88,7 +90,7 @@ var _ = framework.IngressNginxDescribe("Configure Opentelemetry", func() { ginkgo.It("should not exists opentelemetry_operation_name directive when is empty", func() { config := map[string]string{} - config[enableOpentelemetry] = "true" + config[enableOpentelemetry] = enable config[opentelemetryConfig] = opentelemetryConfigPath config[opentelemetryOperationName] = "" f.SetNginxConfigMapData(config) @@ -103,7 +105,7 @@ var _ = framework.IngressNginxDescribe("Configure Opentelemetry", func() { ginkgo.It("should exists opentelemetry_operation_name directive when is configured", func() { config := map[string]string{} - config[enableOpentelemetry] = "true" + config[enableOpentelemetry] = enable config[opentelemetryConfig] = opentelemetryConfigPath config[opentelemetryOperationName] = "HTTP $request_method $uri" f.SetNginxConfigMapData(config) @@ -115,5 +117,4 @@ var _ = framework.IngressNginxDescribe("Configure Opentelemetry", func() { return strings.Contains(cfg, `opentelemetry_operation_name "HTTP $request_method $uri"`) }) }) - }) diff --git a/test/e2e/settings/opentracing.go b/test/e2e/settings/opentracing.go index aee01ea60..76d96498d 100644 --- a/test/e2e/settings/opentracing.go +++ b/test/e2e/settings/opentracing.go @@ -41,8 +41,12 @@ const ( datadogCollectorHost = "datadog-collector-host" - opentracingOperationName = "opentracing-operation-name" + opentracingOperationName = "opentracing-operation-name" + opentracingOperationValue = "HTTP $request_method $uri" + opentracingLocationOperationName = "opentracing-location-operation-name" + + localhost = "127.0.0.1" ) var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { @@ -57,7 +61,7 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should not exists opentracing directive", func() { config := map[string]string{} - config[enableOpentracing] = "false" + config[enableOpentracing] = disable f.SetNginxConfigMapData(config) f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) @@ -70,8 +74,8 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should exists opentracing directive when is enabled", func() { config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" + config[enableOpentracing] = enable + config[zipkinCollectorHost] = localhost f.SetNginxConfigMapData(config) f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) @@ -84,9 +88,9 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should include opentracing_trust_incoming_span off directive when disabled", func() { config := map[string]string{} - config[enableOpentracing] = "true" - config[opentracingTrustIncomingSpan] = "false" - config[zipkinCollectorHost] = "127.0.0.1" + config[enableOpentracing] = enable + config[opentracingTrustIncomingSpan] = disable + config[zipkinCollectorHost] = localhost f.SetNginxConfigMapData(config) f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) @@ -99,8 +103,8 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should not exists opentracing_operation_name directive when is empty", func() { config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" + config[enableOpentracing] = enable + config[zipkinCollectorHost] = localhost config[opentracingOperationName] = "" f.SetNginxConfigMapData(config) @@ -114,9 +118,9 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should exists opentracing_operation_name directive when is configured", func() { config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" - config[opentracingOperationName] = "HTTP $request_method $uri" + config[enableOpentracing] = enable + config[zipkinCollectorHost] = localhost + config[opentracingOperationName] = opentracingOperationValue f.SetNginxConfigMapData(config) f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) @@ -129,8 +133,8 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should not exists opentracing_location_operation_name directive when is empty", func() { config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" + config[enableOpentracing] = enable + config[zipkinCollectorHost] = localhost config[opentracingLocationOperationName] = "" f.SetNginxConfigMapData(config) @@ -144,9 +148,9 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should exists opentracing_location_operation_name directive when is configured", func() { config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" - config[opentracingLocationOperationName] = "HTTP $request_method $uri" + config[enableOpentracing] = enable + config[zipkinCollectorHost] = localhost + config[opentracingLocationOperationName] = opentracingOperationValue f.SetNginxConfigMapData(config) f.EnsureIngress(framework.NewSingleIngress(enableOpentracing, "/", enableOpentracing, f.Namespace, "http-svc", 80, nil)) @@ -159,8 +163,8 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should enable opentracing using zipkin", func() { config := map[string]string{} - config[enableOpentracing] = "true" - config[zipkinCollectorHost] = "127.0.0.1" + config[enableOpentracing] = enable + config[zipkinCollectorHost] = localhost f.SetNginxConfigMapData(config) framework.Sleep(10 * time.Second) @@ -171,8 +175,8 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should enable opentracing using jaeger", func() { config := map[string]string{} - config[enableOpentracing] = "true" - config[jaegerCollectorHost] = "127.0.0.1" + config[enableOpentracing] = enable + config[jaegerCollectorHost] = localhost f.SetNginxConfigMapData(config) framework.Sleep(10 * time.Second) @@ -183,9 +187,9 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should enable opentracing using jaeger with sampler host", func() { config := map[string]string{} - config[enableOpentracing] = "true" - config[jaegerCollectorHost] = "127.0.0.1" - config[jaegerSamplerHost] = "127.0.0.1" + config[enableOpentracing] = enable + config[jaegerCollectorHost] = localhost + config[jaegerSamplerHost] = localhost f.SetNginxConfigMapData(config) framework.Sleep(10 * time.Second) @@ -197,8 +201,8 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should propagate the w3c header when configured with jaeger", func() { host := "jaeger-w3c" config := map[string]string{} - config[enableOpentracing] = "true" - config[jaegerCollectorHost] = "127.0.0.1" + config[enableOpentracing] = enable + config[jaegerCollectorHost] = localhost config[jaegerPropagationFormat] = "w3c" f.SetNginxConfigMapData(config) @@ -227,7 +231,7 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { /* ginkgo.It("should enable opentracing using jaeger with an HTTP endpoint", func() { config := map[string]string{} - config[enableOpentracing] = "true" + config[enableOpentracing] = TRUE config[jaegerEndpoint] = "http://127.0.0.1/api/traces" f.SetNginxConfigMapData(config) @@ -240,7 +244,7 @@ var _ = framework.IngressNginxDescribe("Configure OpenTracing", func() { ginkgo.It("should enable opentracing using datadog", func() { config := map[string]string{} - config[enableOpentracing] = "true" + config[enableOpentracing] = enable config[datadogCollectorHost] = "http://127.0.0.1" f.SetNginxConfigMapData(config) diff --git a/test/e2e/settings/pod_security_policy_volumes.go b/test/e2e/settings/pod_security_policy_volumes.go index dd4df3bd9..f8fc58300 100644 --- a/test/e2e/settings/pod_security_policy_volumes.go +++ b/test/e2e/settings/pod_security_policy_volumes.go @@ -38,7 +38,6 @@ var _ = framework.IngressNginxDescribe("[Security] Pod Security Policies with vo f := framework.NewDefaultFramework("pod-security-policies-volumes") ginkgo.It("should be running with a Pod Security Policy", func() { - k8sversion, err := f.KubeClientSet.Discovery().ServerVersion() if err != nil { assert.Nil(ginkgo.GinkgoT(), err, "getting version") diff --git a/test/e2e/settings/proxy_connect_timeout.go b/test/e2e/settings/proxy_connect_timeout.go index 1290775a5..185ac1dd1 100644 --- a/test/e2e/settings/proxy_connect_timeout.go +++ b/test/e2e/settings/proxy_connect_timeout.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package settings import ( @@ -64,5 +65,4 @@ var _ = framework.DescribeSetting("proxy-connect-timeout", func() { return !strings.Contains(server, fmt.Sprintf("proxy_connect_timeout %ss;", proxyConnectTimeout)) }) }) - }) diff --git a/test/e2e/settings/proxy_host.go b/test/e2e/settings/proxy_host.go index efc254e45..35aafc53d 100644 --- a/test/e2e/settings/proxy_host.go +++ b/test/e2e/settings/proxy_host.go @@ -34,6 +34,14 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { }) ginkgo.It("should exist a proxy_host", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService) annotations := map[string]string{ "nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Custom-Header: $proxy_host"`, @@ -55,6 +63,15 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() { }) ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService) upstreamVHost := "different.host" annotations := map[string]string{ diff --git a/test/e2e/settings/proxy_protocol.go b/test/e2e/settings/proxy_protocol.go index 9939cad9e..cfce68bf8 100644 --- a/test/e2e/settings/proxy_protocol.go +++ b/test/e2e/settings/proxy_protocol.go @@ -33,8 +33,10 @@ import ( "k8s.io/ingress-nginx/test/e2e/framework" ) +const proxyProtocol = "proxy-protocol" + var _ = framework.DescribeSetting("use-proxy-protocol", func() { - f := framework.NewDefaultFramework("proxy-protocol") + f := framework.NewDefaultFramework(proxyProtocol) setting := "use-proxy-protocol" @@ -42,9 +44,9 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { f.NewEchoDeployment() f.UpdateNginxConfigMapData(setting, "false") }) - + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should respect port passed by the PROXY Protocol", func() { - host := "proxy-protocol" + host := proxyProtocol f.UpdateNginxConfigMapData(setting, "true") @@ -73,14 +75,15 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") body := string(data) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol")) + assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", proxyProtocol)) assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=http") assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=192.168.0.1") }) + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should respect proto passed by the PROXY Protocol server port", func() { - host := "proxy-protocol" + host := proxyProtocol f.UpdateNginxConfigMapData(setting, "true") @@ -109,14 +112,14 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") body := string(data) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol")) + assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", proxyProtocol)) assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=443") assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=https") assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-for=192.168.0.1") }) ginkgo.It("should enable PROXY Protocol for HTTPS", func() { - host := "proxy-protocol" + host := proxyProtocol f.UpdateNginxConfigMapData(setting, "true") @@ -151,7 +154,7 @@ var _ = framework.DescribeSetting("use-proxy-protocol", func() { assert.Nil(ginkgo.GinkgoT(), err, "unexpected error reading connection data") body := string(data) - assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", "proxy-protocol")) + assert.Contains(ginkgo.GinkgoT(), body, fmt.Sprintf("host=%v", proxyProtocol)) assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-port=1234") assert.Contains(ginkgo.GinkgoT(), body, "x-forwarded-proto=https") assert.Contains(ginkgo.GinkgoT(), body, "x-scheme=https") diff --git a/test/e2e/settings/proxy_read_timeout.go b/test/e2e/settings/proxy_read_timeout.go index c84956cc9..484b44f24 100644 --- a/test/e2e/settings/proxy_read_timeout.go +++ b/test/e2e/settings/proxy_read_timeout.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package settings import ( @@ -64,5 +65,4 @@ var _ = framework.DescribeSetting("proxy-read-timeout", func() { return !strings.Contains(server, fmt.Sprintf("proxy_read_timeout %ss;", proxyReadtimeout)) }) }) - }) diff --git a/test/e2e/settings/proxy_send_timeout.go b/test/e2e/settings/proxy_send_timeout.go index 886642bc0..bdcd46f0f 100644 --- a/test/e2e/settings/proxy_send_timeout.go +++ b/test/e2e/settings/proxy_send_timeout.go @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +//nolint:dupl // Ignore dupl errors for similar test case package settings import ( @@ -64,5 +65,4 @@ var _ = framework.DescribeSetting("proxy-send-timeout", func() { return !strings.Contains(server, fmt.Sprintf("proxy_send_timeout %ss;", proxySendTimeout)) }) }) - }) diff --git a/test/e2e/settings/server_snippet.go b/test/e2e/settings/server_snippet.go index 1577c927c..8ddf10fd9 100644 --- a/test/e2e/settings/server_snippet.go +++ b/test/e2e/settings/server_snippet.go @@ -37,10 +37,16 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { hostAnnots := "serverannotssnippet1.foo.com" f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", "server-snippet": ` more_set_headers "Globalfoo: Foooo";`, }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-snippet": ` more_set_headers "Foo: Bar"; @@ -99,6 +105,11 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() { more_set_headers "Globalfoo: Foooo";`, }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() annotations := map[string]string{ "nginx.ingress.kubernetes.io/server-snippet": ` more_set_headers "Foo: Bar"; diff --git a/test/e2e/settings/ssl_passthrough.go b/test/e2e/settings/ssl_passthrough.go index f0859f878..b10511bde 100644 --- a/test/e2e/settings/ssl_passthrough.go +++ b/test/e2e/settings/ssl_passthrough.go @@ -19,7 +19,7 @@ package settings import ( "context" "crypto/tls" - "fmt" + "net" "net/http" "strings" @@ -54,7 +54,6 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { ginkgo.Describe("With enable-ssl-passthrough enabled", func() { ginkgo.It("should enable ssl-passthrough-proxy-port on a different port", func() { - err := f.UpdateIngressControllerDeployment(func(deployment *appsv1.Deployment) error { args := deployment.Spec.Template.Spec.Containers[0].Args args = append(args, "--ssl-passthrough-proxy-port=1442") @@ -77,7 +76,6 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { }) ginkgo.It("should pass unknown traffic to default backend and handle known traffic", func() { - host := "testpassthrough.com" echoName := "echopass" @@ -170,20 +168,21 @@ var _ = framework.IngressNginxDescribe("[Flag] enable-ssl-passthrough", func() { return strings.Contains(server, "listen 442") }) + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). - WithURL(fmt.Sprintf("https://%s:443", host)). + WithURL("https://"+net.JoinHostPort(host, "443")). ForceResolve(f.GetNginxIP(), 443). Expect(). Status(http.StatusOK) + //nolint:gosec // Ignore the gosec error in testing f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: hostBad, InsecureSkipVerify: true}). GET("/"). - WithURL(fmt.Sprintf("https://%s:443", hostBad)). + WithURL("https://"+net.JoinHostPort(hostBad, "443")). ForceResolve(f.GetNginxIP(), 443). Expect(). Status(http.StatusNotFound) - }) }) }) diff --git a/test/e2e/settings/tls.go b/test/e2e/settings/tls.go index a820e41dd..51f760df8 100644 --- a/test/e2e/settings/tls.go +++ b/test/e2e/settings/tls.go @@ -87,9 +87,7 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f }) ginkgo.Context("should configure HSTS policy header", func() { - var ( - tlsConfig *tls.Config - ) + var tlsConfig *tls.Config const ( hstsMaxAge = "hsts-max-age" @@ -170,17 +168,18 @@ var _ = framework.DescribeSetting("[SSL] TLS protocols, ciphers and headers)", f hstsIncludeSubdomains: "false", }) - // we can not use gorequest here because it flattens the duplicate headers - // and specifically in case of Strict-Transport-Security it ignore extra headers - // intead of concatenating, rightfully. And I don't know of any API it provides for getting raw headers. - curlCmd := fmt.Sprintf("curl -I -k --fail --silent --resolve settings-tls:443:127.0.0.1 https://settings-tls%v", "?hsts=true") - output, err := f.ExecIngressPod(curlCmd) - assert.Nil(ginkgo.GinkgoT(), err) - assert.Contains(ginkgo.GinkgoT(), output, "strict-transport-security: max-age=86400; preload") - // this is what the upstream sets - assert.NotContains(ginkgo.GinkgoT(), output, "strict-transport-security: max-age=3600; preload") - }) + expectResponse := f.HTTPTestClientWithTLSConfig(tlsConfig). + GET("/"). + WithURL(f.GetURL(framework.HTTPS)). + WithHeader("Host", host). + WithQuery("hsts", "true"). + Expect() + expectResponse.Header("Strict-Transport-Security").Equal("max-age=86400; preload") + header := expectResponse.Raw().Header + got := header["Strict-Transport-Security"] + assert.Equal(ginkgo.GinkgoT(), 1, len(got)) + }) }) ginkgo.Context("ports or X-Forwarded-Host check during HTTP tp HTTPS redirection", func() { diff --git a/test/e2e/settings/validations/validations.go b/test/e2e/settings/validations/validations.go index 6f1715ada..ac95a453a 100644 --- a/test/e2e/settings/validations/validations.go +++ b/test/e2e/settings/validations/validations.go @@ -29,8 +29,17 @@ import ( var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { f := framework.NewDefaultFramework("validations") - + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should allow ingress based on their risk on webhooks", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() + host := "annotation-validations" // Low and Medium Risk annotations should be allowed, the rest should be denied @@ -54,10 +63,17 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{}) assert.NotNil(ginkgo.GinkgoT(), err, "creating ingress with risky annotations should trigger an error") - }) - + //nolint:dupl // Ignore dupl errors for similar test case ginkgo.It("should allow ingress based on their risk on webhooks", func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "true", + }) + defer func() { + f.SetNginxConfigMapData(map[string]string{ + "allow-snippet-annotations": "false", + }) + }() host := "annotation-validations" // Low and Medium Risk annotations should be allowed, the rest should be denied @@ -81,6 +97,5 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() { ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) _, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Update(context.TODO(), ing, metav1.UpdateOptions{}) assert.NotNil(ginkgo.GinkgoT(), err, "creating ingress with risky annotations should trigger an error") - }) }) diff --git a/test/e2e/ssl/secret_update.go b/test/e2e/ssl/secret_update.go index fe7bfca0c..8e81f09f9 100644 --- a/test/e2e/ssl/secret_update.go +++ b/test/e2e/ssl/secret_update.go @@ -98,7 +98,7 @@ var _ = framework.IngressNginxDescribe("[SSL] secret update", func() { return strings.Contains(server, "server_name invalid-ssl") && strings.Contains(server, "listen 443") }) - + //nolint:gosec // Ignore certificate validation in testing resp := f.HTTPTestClientWithTLSConfig(&tls.Config{ServerName: host, InsecureSkipVerify: true}). GET("/"). WithURL(f.GetURL(framework.HTTPS)). diff --git a/test/e2e/status/update.go b/test/e2e/status/update.go index 046752d2b..c3c48f8d2 100644 --- a/test/e2e/status/update.go +++ b/test/e2e/status/update.go @@ -108,6 +108,7 @@ var _ = framework.IngressNginxDescribe("[Status] status update", func() { } }() + //nolint:staticcheck // TODO: will replace it since wait.Poll is deprecated err = wait.Poll(5*time.Second, 4*time.Minute, func() (done bool, err error) { ing, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Get(context.TODO(), host, metav1.GetOptions{}) if err != nil { @@ -134,7 +135,8 @@ func getHostIP() net.IP { } defer conn.Close() - localAddr := conn.LocalAddr().(*net.UDPAddr) + localAddr, ok := conn.LocalAddr().(*net.UDPAddr) + assert.True(ginkgo.GinkgoT(), ok, "unexpected type: %T", conn.LocalAddr()) return localAddr.IP } diff --git a/test/e2e/tcpudp/tcp.go b/test/e2e/tcpudp/tcp.go index 16a633b63..f06d6c9a3 100644 --- a/test/e2e/tcpudp/tcp.go +++ b/test/e2e/tcpudp/tcp.go @@ -148,18 +148,18 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { } var ips []string - var retryErr error + var errRetry error err = wait.ExponentialBackoff(retry, func() (bool, error) { - ips, retryErr = resolver.LookupHost(context.Background(), "google-public-dns-b.google.com") - if retryErr == nil { + ips, errRetry = resolver.LookupHost(context.Background(), "google-public-dns-b.google.com") + if errRetry == nil { return true, nil } return false, nil }) - + //nolint:staticcheck // TODO: will replace it since wait.ErrWaitTimeout is deprecated if err == wait.ErrWaitTimeout { - err = retryErr + err = errRetry } assert.Nil(ginkgo.GinkgoT(), err, "unexpected error from DNS resolver") @@ -167,7 +167,6 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { }) ginkgo.It("should reload after an update in the configuration", func() { - ginkgo.By("setting up a first deployment") f.NewEchoDeployment(framework.WithDeploymentName("first-service")) @@ -217,5 +216,4 @@ var _ = framework.IngressNginxDescribe("[TCP] tcp-services", func() { assert.Nil(ginkgo.GinkgoT(), err, "obtaining nginx logs") assert.Contains(ginkgo.GinkgoT(), logs, "Backend successfully reloaded") }) - })