Add support for backends which require client certificate (eg. NiFi)
authentication. The `proxy-ssl-secret` k8s annotation references a
secret which is used to authenticate to the backend server. All other
directives fine tune the backend communication.
The following annotations are supported:
* proxy-ssl-secret
* proxy-ssl-ciphers
* proxy-ssl-protocol
* proxy-ssl-verify
* proxy-ssl-verify-depth
add a way to configure the `proxy_cache_*` [1] directive for external-auth.
The user-defined cache_key may contain sensitive information
(e.g. Authorization header).
We want to store *only* a hash of that key, not the key itself on disk.
[1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key
Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
The fact that you need to explicitly add the annotation is easy to miss.
This makes this more explicit, while leaving the finer details to the
linked annotations document.
1. Session cookie is updated on previous attempt failure when `session-cookie-change-on-failure = true` (default value is `false`).
2. Added tests to check both cases.
3. Updated docs.
Co-Authored-By: Vladimir Grishin <yadolov@users.noreply.github.com>
IPv6 enabled/disabled working was confusing or contradicting itself. This updates the wording to what is expected, based on the default values in the table above, and the behaviour that I could find in code.
Move the "gzip-types" value default from the "use-gzip" to the "gzip-types"
heading, and link to it from use-gzip.
Document that the "use-gzip" default is "true", matching the style of other
configmap items.
In case some ingress have a syntax error in the snippet configuration,
the freshly generated configuration will not be reloaded to prevent tearing down existing rules.
Although, once inserted, this configuration is preventing from any other valid configuration to be inserted as it remains in the ingresses of the cluster.
To solve this problem, implement an optional validation webhook that simulates the addition of the ingress to be added together with the rest of ingresses.
In case the generated configuration is not validated by nginx, deny the insertion of the ingress.
In case certificates are mounted using kubernetes secrets, when those
changes, keys are automatically updated in the container volume, and the
controller reloads it using the filewatcher.
Related changes:
- Update vendors
- Extract useful functions to check configuration with an additional ingress
- Update documentation for validating webhook
- Add validating webhook examples
- Add a metric for each syntax check success and errors
- Add more certificate generation examples
Updates e2e test
Removes focus from e2e test
Fixes renamed function
Adds tests for new template funcs
Addresses gofmt
Updates e2e test, fixes custom-default-backend test by creating service
Updates docs
add new annotation (header-value)
parse it and propogate to lua script
alter balancer rule to include it into the canary routing logic
add e2e test to validate fallback for canary-by-header-value
add description of canary-by-header-value to documentation
update test for backendprotocols
Adds support for HTTP2 Push Preload annotation
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
Adds support for HTTP2 Push Preload annotation
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
Adds support for HTTP2 Push Preload annotation
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
Adds support for HTTP2 Push Preload annotation
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
Adds support for HTTP2 Push Preload annotation
Adds support for HTTP2 Push Preload annotation
Adds the ability to create alternative backends. Alternative backends enable
traffic shaping by sharing a single location but routing to different
backends depending on the TrafficShapingPolicy defined by AlternativeBackends.
When the list of upstreams and servers are retrieved, we then call
mergeAlternativeBackends which iterates through the paths of every ingress
and checks if the backend supporting the path is a AlternativeBackend. If
so, we then iterate through the map of servers and find the real backend
that the AlternativeBackend should fall under. Once found, the
AlternativeBackend is embedded in the list of VirtualBackends for the real
backend.
If no matching real backend for a AlternativeBackend is found, then the
AlternativeBackend is deleted as it cannot be backed by any server.
Adds per-server/location error-catch functionality to nginx template
Adds documentation
Reduces template duplication with helper function for CUSTOM_ERRORS data
Updates documentation
Adds e2e test for customerrors
Removes AllCustomHTTPErrors, replaces with template function with deduplication and adds e2e test of deduplication
Fixes copy-paste error in test, adds additional test cases
Reverts noop change in controller.go (unused now)
add test for new auth-snippet annotation
document auth-snippet annotation
add e2e test for auth-snippet annotation
add log warning and update documentation
