Tobias Salzmann
ce9deaa332
Add stream-snippet as a ConfigMap and Annotation option ( #8029 )
...
* stream snippet
* gofmt -s
2021-12-23 11:46:30 -08:00
Moh Basher
fea7fed6da
Disable default modsecurity_rules_file if modsecurity-snippet is specified ( #8021 )
...
* Disabled default modsecurity_rules_file if modsecurity-snippet is specified
The default modsecurity_rules_file overwrites the ModSecurity-snippet if it is specified with custom config settings like "SecRuleEngine On". This will not let Modsecurity be in blocking mode even if "SecRuleEngine On" is specified in the ModSecurity-snippet configuration
* Remove unnecessary comments
Only have the default Modsecurity conf settings in case Modsecurity configuration snippet is not present and remove unnecessary comments
* Fixed modsecurity default file only if Modsecurity snippet present
Fixed if condition Modsecurity snippet present have modsecurity default config file
* Added e2e test to disabling modsecurity conf
Added e2e in case modsecurity-snippet enabled to disable settings in default modsecurity.conf
* Validate writing to a different location
Validate also modsecurity to write to a different location instead of the default directory
* Fixed the formatting
* Fixed if empty ModsecuritySnippet
* Fixed ModsecuritySnippet condition
* Fixed the condition also in ingress controller template
* Removed the default config condition in ingress controller template
* Fixed the default config condition in ingress controller template
* Fixed pull-ingress-nginx-test
* Revert "Fixed the default config condition in ingress controller template"
This reverts commit 9d38eca40f.
* Revert template_test
* Adjusted the formatting %v
2021-12-23 03:34:38 -08:00
Yecheng Fu
5cff197bc5
add canary-weight-total annotation ( #6338 )
2021-12-07 08:40:00 -08:00
Ana Claudia Riekstin
6163231ef6
fix to really execute plugins in order ( #8018 )
2021-12-07 08:01:02 -08:00
Ansil H
a03895d91e
Add ssl_reject_handshake to default server ( #7977 )
...
* Add ssl_reject_handshake to default server
* Added SSLRejectHandshake to NewDefault
* Added documentation
2021-11-29 08:33:23 -08:00
Christopher Larivière
65b8eeddec
Support cors-allow-origin with multiple origins ( #7614 )
...
* Add Initial support for multiple cors origins in nginx
- bump cluster version for `make dev-env`
- add buildOriginRegex function in nginx.tmpl
- add e2e 4 e2e tests for cors.go
- refers to feature request #5496
* add tests + use search to identify '*' origin
* add tests + use search to identify '*' origin
Signed-off-by: Christopher Larivière <lariviere.c@gmail.com>
* fix "should enable cors test" looking at improper values
* Modify tests and add some logic for origin validation
- add origin validation in cors ingress annotations
- add extra tests to validate regex
- properly escape regex using "QuoteMeta"
- fix some copy/paste errors
* add TrimSpace and length validation before adding a new origin
* modify documentation for cors and remove dangling comment
* add support for optional port mapping on origin
* support single-level wildcard subdomains + tests
* Remove automatic `*` functionality from incorrect origins
- use []string instead of basic string to avoid reparsing in template.go
- fix typo in docs
- modify template to properly enable only if the whole block is enabled
- modify cors parsing
- test properly by validating that the value returned is the proper
origin
- update unit tests and annotation tests
* Re-add `*` when no cors origins are supplied + fix tests
- fix e2e tests to allow for `*`
- re-add `*` to cors parsing if trimmed cors-allow-origin is empty
(supplied but empty) and if it wasn't supplied at all.
* remove unnecessary logic for building cors origin + remove comments
- add some edge cases in e2e tests
- rework logic for building cors origin
there was no need for logic in template.go for buildCorsOriginRegex
if there is a `*` it will be short-circuited by first if.
if it's a wildcard domain or any domain (without a wildcard), it MUST
match the main/cors.go regex format.
if there's a star in a wildcard domain, it must be replaced with
`[A-Za-z0-9]+`
* add missing check in e2e tests
2021-11-02 12:31:42 -07:00
Rahil Patel
c8ab4dc307
add brotli-min-length configuration option ( #7854 )
...
* add `brotli-min-length` configuration option
* add e2e tests for brotli
* include check for expected content type
* fix header and format
2021-11-02 04:52:59 -07:00
Matthew Silverman
7d5452d00b
configmap: option to not trust incoming tracing spans ( #7045 )
...
* validate the sender of tracing spans
* add location-specific setting
2021-10-24 14:36:21 -07:00
Alex R
9e3c528640
Disable builtin ssl_session_cache ( #7777 )
...
Signed-off-by: Alex R <i@sepa.spb.ru>
2021-10-08 11:47:23 -07:00
Léopold Jacquot
ddbb0be0a0
add canary backend name for requests metrics ( #7696 )
2021-09-26 10:54:22 -07:00
agile6v
557a765754
fix typos. ( #7640 )
2021-09-15 11:30:12 -07:00
Vincent LE GOFF
f2e743f561
feat: add session-cookie-secure annotation ( #7399 )
2021-09-01 15:23:40 -07:00
Matthew Silverman
b591adac48
allow kb granularity for lua shared dicts ( #6750 )
...
Update internal/ingress/controller/template/configmap.go
Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
2021-08-12 11:13:50 -07:00
Tom Hayward
9a9ad47857
Fix forwarding of auth-response-headers to gRPC backends ( #7331 )
...
* add e2e test for auth-response-headers annotation
* add e2e test for grpc with auth-response-headers
* fix forwarding of auth header to GRPC backends
* add test case for proxySetHeader(nil)
2021-08-10 11:24:39 -07:00
Ricardo Katz
2d90ba14f5
Change all master reference to main ( #7369 )
2021-08-06 17:07:29 -07:00
tobiasgiese
9efea320b9
Fix cap for NET_BIND_SERVICE ( #7449 )
...
Signed-off-by: Tobias Giese <tobias.giese@daimler.com>
2021-08-06 12:45:30 -07:00
wasker
f222c752be
Enable session affinity for canaries ( #7371 )
2021-07-29 14:23:19 -07:00
Ricardo Katz
191b27a8bb
Automatically add area labels to help triaging ( #7387 )
2021-07-22 17:29:16 -07:00
Kyle Michel
12a2a6d0e0
Fix definition order of modsecurity directives for controller to match PR 5315 ( #6940 ) ( #7323 )
...
* Fix definition order of modsecurity directives for controller to match PR 5315
* Add a test
2021-07-06 19:24:43 -07:00
Kirill Trofimenkov
a064337621
Rewrite clean-nginx-conf.sh in Go to speed up admission webhook ( #7076 ) ( #7322 )
...
* Rewrite clean-nginx-conf.sh to speed up admission webhook
* Less diff with original clean-nginx-conf.sh
* Add error handling, add documentation, add unit test
* indent code
* Don't ignore Getwd() error
2021-07-06 10:50:19 -07:00
zhaogaolong
68ec350388
perf: json encoding share to each request ( #6955 )
...
* perf: json encoding share to each request
* fix: fix lint lua
2021-05-23 17:57:38 -07:00
Matt Miller
b3dfee6ada
Allow preservation of trailing slashes on TLS redirects via annotation. ( #7144 )
...
* allow retaining a trailing slash in a TLS redirect via annotation.
Signed-off-by: mamiller <mamiller@rosettastone.com>
* requested changes
* gofmt
2021-05-23 08:51:38 -07:00
Matthew Silverman
9b00a4912f
set x-forwarded-scheme like x-forwarded-proto
2021-05-13 09:26:27 -04:00
Ricardo Pchevuzinske Katz
0dceedfad7
Remove localhost calls from external names
...
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
2021-04-30 16:49:35 -03:00
Adam Renberg Tamm
9123820584
Expose Geo IP subdivision 1 as variables
2021-03-22 17:30:16 +00:00
Kubernetes Prow Robot
ff74d0ff33
Merge pull request #6726 from afrouzMashaykhi/add-body-filter-by-lua
...
add body_filter_by_lua_block lua plugin to ingress-nginx
2021-01-06 16:55:45 -08:00
Kubernetes Prow Robot
37ee5d98bf
Merge pull request #6679 from nic-6443/bug-fix
...
Bugfix: fix incomplete log
2021-01-06 15:01:45 -08:00
qianyong
b65ceee1a8
Bugfix: fix incomplete log
2021-01-06 10:51:05 +08:00
Ginger Cookie
8662144511
Update rootfs/etc/nginx/lua/plugins/README.md
...
Co-authored-by: Elvin Efendi <elvin.efendiyev@gmail.com>
2021-01-05 21:14:35 +03:30
afrouz
ed6debb194
add body_filter_by_lua_block lua plugin to ingress-nginx
2021-01-05 20:56:13 +03:30
Elvin Efendi
e0dece48f7
Add Global Rate Limiting support
2021-01-04 17:47:07 -05:00
Elvin Efendi
2cff9fa41d
generalize cidr parsing and improve lua tests
2021-01-04 15:01:55 -05:00
Kubernetes Prow Robot
b022ea8c40
Merge pull request #6639 from spacewander/use_last_for_ewma
...
Don't pick tried endpoint & count the latest in ewma balancer
2020-12-23 18:50:27 -08:00
spacewander
06b200fa4b
Update for review
2020-12-24 09:07:12 +08:00
Kubernetes Prow Robot
7732aec3c4
Merge pull request #6600 from nic-6443/backend-sync-503-fix
...
Bugfix: some requests fail with 503 when nginx reload
2020-12-23 09:02:26 -08:00
qianyong
8085304cb9
Separate the ExternalName backend from other backends in the process of synchronizing the backend, because the synchronization of the ExternalName backend requires dns resolution, so we should ensure that it does not affect the synchronization of the Non-ExternalName backend. After separation, in the init worker stage, we should immediately synchronize the Non-ExternalName backend, otherwise there will be some requests that fail with 503 because the balancer cannot be obtained in the rewrite stage.
2020-12-22 17:24:41 +08:00
spacewander
e118ebc08a
Don't pick tried endpoint & count the latest in ewma balancer
...
fixes https://github.com/kubernetes/ingress-nginx/issues/6632
2020-12-18 19:21:51 +08:00
Josh Soref
a8728f3d2c
Spelling
2020-12-15 16:10:48 -05:00
Manuel Alejandro de Brito Fontes
9c0a39636d
Refactor ingress nginx variables
2020-12-12 08:52:47 -03:00
Elvin Efendi
cc94a51cba
make sure canary attributes are reset on ewma backend sync
2020-12-11 09:38:58 -05:00
Kubernetes Prow Robot
baf2afc5de
Merge pull request #6546 from nic-6443/ewma-cananry-fix
...
bugfix: update trafficShapingPolicy not working in ewma load-balance
2020-12-11 03:29:23 -08:00
Elvin Efendi
1e9650a0f9
fix flaky lua tests
2020-12-10 22:41:41 -05:00
Matthew Tuusberg
1c6a1a0e23
feat: add support for country databases
2020-12-07 21:43:38 +03:00
Kubernetes Prow Robot
2f6f09a106
Merge pull request #6541 from Jangyooseok/Jangyooseok
...
fixed misspell
2020-12-04 15:35:25 -08:00
Jangyooseok
1ad89c8bb2
fixed misspell
...
Update rootfs/etc/nginx/lua/plugins/README.md
2020-12-04 10:13:00 +09:00
agile6v
06f53bcf05
feat: allow user to specify the maximum number of retries in stream block.
2020-12-02 14:54:14 +08:00
qianyong
8ca5450e22
bugfix: always update trafficShapingPolicy when using ewma as load-balance even if endpoints not change, otherwise update trafficShapingPolicy will not work
2020-12-01 12:10:15 +08:00
m22r
612a604fa4
Fix ErrorLogLevel in stream contexts
2020-11-27 14:29:43 +09:00
Kubernetes Prow Robot
e3a3ea8826
Merge pull request #6294 from ianbuss/auth-error-redirect-param
...
Allow customisation of redirect URL parameter in external auth redirects
2020-11-23 01:27:37 -08:00
Julien Vey
fd8af11392
Fix opentracing propagation on auth-url
...
Currently, the opentracing propagation instructions are set only if opentracing is configured globally.
This fix sets the propagation instructions if opentracing is disabled globally, but enabled per ingress
2020-11-20 01:32:20 +01:00
Manuel Alejandro de Brito Fontes
3f153add00
Refactor handling of path Prefix and Exact
2020-11-10 07:21:34 -03:00
Minji Chun
2e7967cc99
Add comment indicating server-snippet section
2020-11-04 18:59:39 +09:00
Manuel Alejandro de Brito Fontes
a6b6f03b53
Add support for k8s ingress pathtype Prefix
2020-11-02 09:56:49 -05:00
Manuel Alejandro de Brito Fontes
d74ea25df8
Add validation for wildcard server names
2020-10-26 10:51:14 -03:00
Kubernetes Prow Robot
524c3a50ea
Merge pull request #6037 from aledbf/redirect
...
Do not append a trailing slash on redirects
2020-10-08 11:51:06 -07:00
Ian Buss
41cf628bdf
Add a configurable URL redirect parameter for error URLs
2020-10-08 12:53:46 +01:00
Kubernetes Prow Robot
8d45bb39a4
Merge pull request #5348 from Antiarchitect/stream-log-annotations
...
Ability to separately disable access log in http and stream contexts
2020-09-28 11:02:53 -07:00
Manuel Alejandro de Brito Fontes
493dd6726d
Replace request_uri
2020-09-27 20:26:39 -03:00
shrpne
2948e3e109
better cors
2020-09-27 21:44:24 +03:00
Maxime LUCE
b7b85175f6
Add annotation to configure CORS Access-Control-Expose-Headers
2020-09-23 17:41:52 +02:00
wenzong
87e79da16a
Move ocsp_response_cache:delete after certificate_data:set
2020-09-19 23:16:00 +08:00
wenzong
16f970d8bb
Use was_not_called without check args match
2020-09-19 00:15:42 +08:00
wenzong
724646bd73
Delete OCSP Response cache when certificate renewed
2020-09-18 14:30:18 +08:00
Elvin Efendi
8e83d4e84a
delete redundant NGINX config about X-Forwarded-Proto
2020-09-15 13:22:26 -04:00
Manuel Alejandro de Brito Fontes
e659efbfdb
Use dynamic load of modules
2020-09-10 11:39:35 -03:00
Kubernetes Prow Robot
33cab380ba
Merge pull request #5757 from agile6v/stream
...
feat: support to define trusted addresses for proxy protocol in stream block
2020-09-01 17:29:07 -07:00
agile6v
609e1b5775
feat: support to define trusted addresses for proxy protocol in stream block
2020-08-28 14:37:16 +08:00
Manuel Alejandro de Brito Fontes
bf11584dbd
Add build_id dockerfile label
2020-08-27 10:05:07 -04:00
Manuel Alejandro de Brito Fontes
43ca5f5ef1
Add new Dockerfile label org.opencontainers.image.revision
2020-08-19 22:39:10 -04:00
Frank Gadban
e9059eef01
fixed some typos
...
Signed-off-by: Frank Gadban <frankgad@outlook.de>
2020-07-21 22:02:23 +02:00
Kubernetes Prow Robot
e825af86e1
Merge pull request #5887 from dschwar/force-use-forwarded-for
...
Add force-enable-realip-module
2020-07-17 07:17:02 -07:00
David Schwartz
d52141c2b9
Add enable-real-ip
2020-07-15 15:25:29 -04:00
Manuel Alejandro de Brito Fontes
dc3876666b
Revert "use-regex annotation should be applied to only one Location"
...
This reverts commit a8a8b5f6e9.
2020-07-15 11:20:47 -04:00
Manuel Alejandro de Brito Fontes
a8a8b5f6e9
use-regex annotation should be applied to only one Location
2020-07-06 19:29:39 -04:00
Manuel Alejandro de Brito Fontes
ec4fb05cad
Fix proxy ssl e2e test
2020-07-06 18:41:42 -04:00
Zhongcheng Lao
c0629e92c2
Add proxy-ssl-server-name to enable passing SNI
2020-07-03 14:14:32 +08:00
Kubernetes Prow Robot
baa2b2cd33
Merge pull request #5709 from agile6v/master
...
fix: remove duplicated X-Forwarded-Proto header.
2020-07-02 17:50:47 -07:00
agile6v
3402d07ff0
doc: update docs and fixed typos ( #5821 )
2020-07-01 10:02:52 -04:00
Manuel Alejandro de Brito Fontes
bcc3cfaa65
Dynamic LB sync non-external backends only when necessary
2020-06-29 18:11:51 -04:00
agile6v
e8aaa15ce8
Remove duplicated X-Forwarded-Proto header.
2020-06-25 11:11:00 +08:00
Kubernetes Prow Robot
803a76cf8a
Merge pull request #5749 from Bo0km4n/feat-configurable-max-batch-size
...
[Fix/metrics] Be configurable max batch size of metrics
2020-06-22 22:07:40 -07:00
mengqi.wmq
f232a264ab
Add default-type as a configurable for default_type
2020-06-21 11:10:51 +08:00
Bo0km4n
7ab0916c92
Resolve conflicts
2020-06-20 17:13:31 +09:00
Bo0km4n
53a6b0fd3b
Configurable metrics max batch size
2020-06-20 15:58:14 +09:00
agile6v
5b0f7d7d6e
Improve performance.
2020-06-10 17:36:56 +08:00
Manuel Alejandro de Brito Fontes
1d4c7ec65c
Fix lua lint error
2020-06-09 17:19:16 -04:00
Andreas Sommer
f27b404421
Serve correct TLS certificate for requests with uppercase host
2020-06-09 16:47:03 -04:00
Kubernetes Prow Robot
0549d9b132
Merge pull request #5672 from agile6v/master
...
feat: enable lj-releng tool to lint lua code.
2020-06-09 11:15:19 -07:00
agile6v
bafbd4cccf
Enable lj-releng tool to lint lua code.
2020-06-09 18:01:35 +08:00
Jeff Hui
7767230e6a
fix undefined variable $auth_cookie error when location is denied
...
(add) isLocationAllowed check before setting the cookie
2020-06-08 13:59:52 -04:00
agile6v
fc1c043437
Add http-access-log-path and stream-access-log-path options in configMap
2020-06-05 01:27:26 +08:00
Manuel Alejandro de Brito Fontes
ea8e711d2c
Refactor build of docker images
2020-06-02 12:16:39 -04:00
Kubernetes Prow Robot
d061375afa
Merge pull request #5571 from agile6v/dev
...
feat: support the combination of Nginx variables for annotation upstream-hash-by.
2020-06-01 15:10:14 -07:00
agile6v
c035a144f8
Support the combination of nginx variables and text value for annotation upstream-hash-by.
2020-06-01 06:37:41 +08:00
Kubernetes Prow Robot
ee02d897d5
Merge pull request #5534 from agile6v/master
...
Add annotation ssl-prefer-server-ciphers.
2020-05-29 08:35:16 -07:00
adiov
d03266d505
Add MaxMind GeoIP2 Anonymous IP support
2020-05-21 06:50:57 +03:00
Andrey Voronkov
bced1ed8b8
Ability to separately disable access log in http and stream contexts
...
Two new configuration options:
`disable-http-access-log`
`disable-stream-access-log`
Should resolve issue with enormous amount of `TCP 200` useless entries in logs
Signed-off-by: Andrey Voronkov <voronkovaa@gmail.com>
2020-05-13 21:23:37 +03:00
agile6v
41d82005ec
Add annotation ssl-prefer-server-ciphers.
2020-05-11 16:31:08 +08:00
Elvin Efendi
3b217cf766
make sure first backend sync happens in timer phase
2020-04-30 19:44:24 -04:00
Manuel Alejandro de Brito Fontes
c8eb914d8a
Remove noisy dns log
2020-04-28 18:34:51 -04:00