Commit graph

236 commits

Author SHA1 Message Date
Nathan Baulch
4f23049374
Fix minor typos (#11935) 2024-09-06 15:59:43 +01:00
Ricardo Katz
21cd966d1c
Remove global-rate-limit feature (#11851) 2024-08-25 21:03:29 +01:00
Ricardo Katz
3bec99ecfc
Remove 3rd party lua plugin support (#11821) 2024-08-21 14:54:29 +01:00
Marco Ebert
bf3fa53167
Owners: Promote Gacko to ingress-nginx-maintainers & ingress-nginx-reviewers. (#11165)
* Owners: Sort `ingress-nginx-maintainers` & `ingress-nginx-reviewers`.

* Owners: Update URL in aliases.

* Images: Remove owners as it's identical to global owners.

* Images: Remove global owners from `kube-webhook-certgen` owners.

* Owners: Remove members from aliases covered by other aliases.

ingress-nginx-helm-maintainers:
- cpanato: Covered by ingress-nginx-maintainers
- strongjz: Covered by ingress-nginx-maintainers

ingress-nginx-helm-reviewers:
- cpanato: Covered by ingress-nginx-reviewers
- strongjz: Covered by ingress-nginx-reviewers

ingress-nginx-docs-maintainers:
- tao12345666333: Covered by ingress-nginx-maintainers

* Owners: Promote myself to `ingress-nginx-maintainers` & `ingress-nginx-reviewers`.
2024-04-04 08:01:10 -07:00
Artur Juraszek
3a887f28e8
Properly support a TLS-wrapped OCSP responder (#10164)
Current implementation of OCSP stapling makes use of the DNS caching machinery[^1],
which results in resty.http not seeing the actual host name of the OCSP responder.
On HTTP level, this is already mitigated via overriding the Host header, but
if a given responder operates on an HTTPS endpoint (a setup which, admittedly, isn't
very popular due to its chicken-and-egg caveats involved but is nonetheless legal[^2])
the connection will fail to be established. A relevant (and a bit redacted) excerpt from logs:

  2023/07/02 18:13:23 [info] 112#112: *29039 [lua] dns.lua:32: cache_set(): cache set for 'my.ocsp.responder' with value of [10.1.2.3, 10.4.5.6, 10.7.8.9] and ttl of 30., context: ngx.timer, client: 127.0.0.1, server: 0.0.0.0:442
  2023/07/02 18:13:23 [error] 112#112: *29039 lua ssl certificate does not match host "10.1.2.3", context: ngx.timer, client: 127.0.0.1, server: 0.0.0.0:442
  2023/07/02 18:13:23 [error] 112#112: *29039 [lua] certificate.lua:143: fetch_and_cache_ocsp_response(): could not get OCSP response: certificate host mismatch, context: ngx.timer, client: 127.0.0.1, server: 0.0.0.0:442

[^1]: https://github.com/kubernetes/ingress-nginx/blob/ebb6314/rootfs/etc/nginx/lua/certificate.lua#L81
[^2]: https://datatracker.ietf.org/doc/html/rfc2560#appendix-A.1.1
2024-02-27 05:56:40 -08:00
lijie
0cd1f16c47
Scanning port 10247 lead to tcp connection 502 error (#9815)
* fix tcp 502 error

* fix tcp 502 error for parse tcp backend data

* fix tcp 502 error for parse tcp backend data
2023-07-16 13:45:06 -07:00
Matthias Neugebauer
26fe69cb47
Add annotation for setting sticky cookie domain (#9088)
This adds the new annotation `nginx.ingress.kubernetes.io/session-cookie-domain`
for setting the cookie `Domain` attribute of the sticky cookie.

Signed-off-by: Matthias Neugebauer <mtneug@mailbox.org>
2022-09-28 07:28:37 -07:00
Kir Shatrov
0f5bf530ae
Add missing space to error message (#9069) 2022-09-20 04:03:21 -07:00
Christian
fe09f6d096
Don't error log when no OCSP responder URL exists (#8881) 2022-08-22 15:38:09 -07:00
Dmitry Bashkatov
f85c3866d8
add new summary metric: ingress_header_seconds (#8726) 2022-06-22 12:59:43 -07:00
Ricardo Katz
3def835a6a
Jail/chroot nginx process inside controller container (#8337)
* Initial work on chrooting nginx process

* More improvements in chroot

* Fix charts and some file locations

* Fix symlink on non chrooted container

* fix psp test

* Add e2e tests to chroot image

* Fix logger

* Add internal logger in controller

* Fix overlay for chrooted tests

* Fix tests

* fix boilerplates

* Fix unittest to point to the right pid

* Fix PR review
2022-04-08 21:48:04 -07:00
Josh Soref
c6a8ad9a65
Darwin arm64 (#8399)
* Use sed instead of gnu find flags

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Support building linux/amd64 on darwin/arm64

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Upgrade awesome_bot to dkhamsing/awesome_bot:1.20.0

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Favor find -prune for vendor

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Skip golang modcache folder

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Favor find -prune for changelog

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Ignore Changelogs of any case

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Fix service-l7 link

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Fix route53-mapper link

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Update rootfs contents description

The auxiliary scripts were removed after:
ab8349008a/rootfs/ingress-controller

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Update paths for modsecurity

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Update paths for modsecurity_snippet

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Update toc for 20190815-zone-aware-routing.md

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Use Internet Archive for datapath.io blog entry

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Use Internet Archive for cloudflare.com help center entry

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

* Use https for nginx.org

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
2022-04-06 13:46:26 -07:00
Wei Wu
e625c2507a
Fix chashsubset backend with canary (#7235)
* Fix chashsubset backend with canary

* use floor for buckets calculation to remove hot spot

* Remove testing code
2021-12-29 16:14:50 -08:00
ZxYuan
362c97bd09
Remove force sync / 30s for non-external backends (#7958) 2021-12-23 12:08:30 -08:00
Yecheng Fu
5cff197bc5
add canary-weight-total annotation (#6338) 2021-12-07 08:40:00 -08:00
Ana Claudia Riekstin
6163231ef6
fix to really execute plugins in order (#8018) 2021-12-07 08:01:02 -08:00
Léopold Jacquot
ddbb0be0a0
add canary backend name for requests metrics (#7696) 2021-09-26 10:54:22 -07:00
agile6v
557a765754
fix typos. (#7640) 2021-09-15 11:30:12 -07:00
Vincent LE GOFF
f2e743f561
feat: add session-cookie-secure annotation (#7399) 2021-09-01 15:23:40 -07:00
Ricardo Katz
2d90ba14f5
Change all master reference to main (#7369) 2021-08-06 17:07:29 -07:00
wasker
f222c752be
Enable session affinity for canaries (#7371) 2021-07-29 14:23:19 -07:00
Ricardo Katz
191b27a8bb
Automatically add area labels to help triaging (#7387) 2021-07-22 17:29:16 -07:00
zhaogaolong
68ec350388
perf: json encoding share to each request (#6955)
* perf: json encoding share to each request

* fix: fix lint lua
2021-05-23 17:57:38 -07:00
Matt Miller
b3dfee6ada
Allow preservation of trailing slashes on TLS redirects via annotation. (#7144)
* allow retaining a trailing slash in a TLS redirect via annotation.

Signed-off-by: mamiller <mamiller@rosettastone.com>

* requested changes

* gofmt
2021-05-23 08:51:38 -07:00
Ricardo Pchevuzinske Katz
0dceedfad7 Remove localhost calls from external names
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
2021-04-30 16:49:35 -03:00
Kubernetes Prow Robot
ff74d0ff33
Merge pull request #6726 from afrouzMashaykhi/add-body-filter-by-lua
add body_filter_by_lua_block lua plugin to ingress-nginx
2021-01-06 16:55:45 -08:00
Kubernetes Prow Robot
37ee5d98bf
Merge pull request #6679 from nic-6443/bug-fix
Bugfix: fix incomplete log
2021-01-06 15:01:45 -08:00
qianyong
b65ceee1a8 Bugfix: fix incomplete log 2021-01-06 10:51:05 +08:00
Ginger Cookie
8662144511
Update rootfs/etc/nginx/lua/plugins/README.md
Co-authored-by: Elvin Efendi <elvin.efendiyev@gmail.com>
2021-01-05 21:14:35 +03:30
afrouz
ed6debb194 add body_filter_by_lua_block lua plugin to ingress-nginx 2021-01-05 20:56:13 +03:30
Elvin Efendi
e0dece48f7 Add Global Rate Limiting support 2021-01-04 17:47:07 -05:00
Elvin Efendi
2cff9fa41d generalize cidr parsing and improve lua tests 2021-01-04 15:01:55 -05:00
Kubernetes Prow Robot
b022ea8c40
Merge pull request #6639 from spacewander/use_last_for_ewma
Don't pick tried endpoint & count the latest in ewma balancer
2020-12-23 18:50:27 -08:00
spacewander
06b200fa4b Update for review 2020-12-24 09:07:12 +08:00
Kubernetes Prow Robot
7732aec3c4
Merge pull request #6600 from nic-6443/backend-sync-503-fix
Bugfix: some requests fail with 503 when nginx reload
2020-12-23 09:02:26 -08:00
qianyong
8085304cb9 Separate the ExternalName backend from other backends in the process of synchronizing the backend, because the synchronization of the ExternalName backend requires dns resolution, so we should ensure that it does not affect the synchronization of the Non-ExternalName backend. After separation, in the init worker stage, we should immediately synchronize the Non-ExternalName backend, otherwise there will be some requests that fail with 503 because the balancer cannot be obtained in the rewrite stage. 2020-12-22 17:24:41 +08:00
spacewander
e118ebc08a Don't pick tried endpoint & count the latest in ewma balancer
fixes https://github.com/kubernetes/ingress-nginx/issues/6632
2020-12-18 19:21:51 +08:00
Josh Soref
a8728f3d2c Spelling 2020-12-15 16:10:48 -05:00
Elvin Efendi
cc94a51cba make sure canary attributes are reset on ewma backend sync 2020-12-11 09:38:58 -05:00
Kubernetes Prow Robot
baf2afc5de
Merge pull request #6546 from nic-6443/ewma-cananry-fix
bugfix: update trafficShapingPolicy not working in ewma load-balance
2020-12-11 03:29:23 -08:00
Elvin Efendi
1e9650a0f9 fix flaky lua tests 2020-12-10 22:41:41 -05:00
Jangyooseok
1ad89c8bb2 fixed misspell
Update rootfs/etc/nginx/lua/plugins/README.md
2020-12-04 10:13:00 +09:00
qianyong
8ca5450e22 bugfix: always update trafficShapingPolicy when using ewma as load-balance even if endpoints do not change, otherwise update trafficShapingPolicy will not work 2020-12-01 12:10:15 +08:00
Manuel Alejandro de Brito Fontes
3f153add00 Refactor handling of path Prefix and Exact 2020-11-10 07:21:34 -03:00
Manuel Alejandro de Brito Fontes
a6b6f03b53 Add support for k8s ingress pathtype Prefix 2020-11-02 09:56:49 -05:00
Manuel Alejandro de Brito Fontes
493dd6726d
Replace request_uri 2020-09-27 20:26:39 -03:00
wenzong
87e79da16a Move ocsp_response_cache:delete after certificate_data:set 2020-09-19 23:16:00 +08:00
wenzong
16f970d8bb Use was_not_called without check args match 2020-09-19 00:15:42 +08:00
wenzong
724646bd73 Delete OCSP Response cache when certificate renewed 2020-09-18 14:30:18 +08:00
Frank Gadban
e9059eef01 fixed some typos
Signed-off-by: Frank Gadban <frankgad@outlook.de>
2020-07-21 22:02:23 +02:00