* exclude creation and exporting of socket metrics via flag
* make exclude metric naming more consistent
* fix connect time metric update
* add documentation
* e2e test
* improve creation of metric mapping
* Rework Ginkgo usage
Currently Ginkgo is launched multiple times with different options to
accomodate various use-cases. In particular, some specs needs to be run
sequentially because non-namespaced objects are created that conflicts
with concurent Helm deployments.
However Ginkgo is able to handle such cases natively, in particular
specs that needs to be run sequentially are supported (Serial spec).
This commit marks the specs that needs to be run sequentially as Serial
specs and runs the whole test suite from a single Ginkgo invocation. As
a result, a single JUnit report is now generated.
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* Fix controller error in test
Error getting ConfigMap "$NAMESPACE/tcp-services": no object matching key "$NAMESPACE/tcp-services" in local store
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* Replace "go get" invocations by "go install"
Executing "go get" changes the go.mod & go.sum files which is not the
case of "go install".
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* Always clean out the Helm deployment
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* Add E2E test to verify that changes to one or more configmap trigger an update
Signed-off-by: Hervé Werner <dud225@hotmail.com>
---------
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* update path type validation to be false and update e2e test scripts
Signed-off-by: James Strong <strong.james.e@gmail.com>
* update to make tests clear
Signed-off-by: James Strong <strong.james.e@gmail.com>
* update test params
Signed-off-by: James Strong <strong.james.e@gmail.com>
* Adding else per pr comments
Signed-off-by: James Strong <james.strong@chainguard.dev>
---------
Signed-off-by: James Strong <strong.james.e@gmail.com>
Signed-off-by: James Strong <james.strong@chainguard.dev>
* feat: Add support for IP Deny List
* fixed gomod
* Update package
* go mod tidy
* Revert "go mod tidy"
This reverts commit e6a837e1e7.
* update ginko version
* Updates e2e tests
* fix test typo
* Support none keyword in log-format escape
## What this PR does / why we need it:
ingress-nginx does not support disabling escaping of special characters in the nginx log. This PR exposes the setting to support that functionality.
## Types of changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Documentation only
## Which issue/s this PR fixes
<!--
(optional, in `fixes #<issue number>` format, will close that issue when PR gets merged):
fixes #
-->
## How Has This Been Tested?
Followed the [getting-started](96b6228a6b/docs/developer-guide/getting-started.md) guide. Used ppa:longsleep/golang-backports on WSL Ubuntu to establish a golang-1.18 environment with latest docker and recommended kind. Built the dev-env successfully; had issues with make test, but they are entirely unrelated to anything I touched. Ultimate test was
```
FOCUS=log-format make kind-e2e-test
...
Ginkgo ran 1 suite in 6m29.7437865s
Test Suite Passed
```
## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] My change requires a change to the documentation.
- [x] I have updated the documentation accordingly.
- [x] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide
- [x] I have added tests to cover my changes.
- [x] All new and existing tests passed.
I did not update docs/e2e-tests.md.
* gofmt -s ./internal/ingress/controller/config/config.go
This adds the new annotation `nginx.ingress.kubernetes.io/session-cookie-domain`
for setting the cookie `Domain` attribute of the sticky cookie.
Signed-off-by: Matthias Neugebauer <mtneug@mailbox.org>
Signed-off-by: Matthias Neugebauer <mtneug@mailbox.org>
We removed the use of configmap as an election lock, so we will use the
Lease API to complete the election.
Before this, we used `MultiLock` to facilitate smooth migration of
existing users of ingress-nginx from configmap to LeaseLock.
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
This commit introduces a backwards compatible command line option
--report-status-classes which will enable reporting response status classes
(2xx, 3xx..) instead of status codes in exported metrics.
* disable modsecurity on error page
* fix modsecurity error pages test
* fix variable in nginx template
* disable modsecurity on all internal locations
* fix pipeline checks for gofmt
Signed-off-by: Florian Michel <florianmichel@hotmail.de>
* nginx 1.19.10 keepalive_time parameter
* nginx v1.19.10 base image
* keepalive_time documentation
* base image
* restore base image
* e2e test
* replace default value in test
* Initial work on chrooting nginx process
* More improvements in chroot
* Fix charts and some file locations
* Fix symlink on non chrooted container
* fix psp test
* Add e2e tests to chroot image
* Fix logger
* Add internal logger in controller
* Fix overlay for chrooted tests
* Fix tests
* fix boilerplates
* Fix unittest to point to the right pid
* Fix PR review
* Add keepalive support for auth requests
* Fix typo
* Address PR comments
* Log warning when auth-url contains variable in its host:port
* Generate upstream name without replacing dots to underscores in server name
* Add comment in the nginx template when the keepalive upstream block is referenced
* Workaround for auth_request module ignores keepalive in upstream block
* The `auth_request` module does not support HTTP keepalives in upstream block:
https://trac.nginx.org/nginx/ticket/1579
* As a workaround we use ngx.location.capture but unfortunately it does not
support HTTP/2 so `use-http2` configuration parameter is needed.
* Handle PR comments
* Address PR comments
* Handle invalid values for int parameters
* Handle PR comments
* Fix e2e test
When the ingress controller loads certificates (new ones or following a
secret update), it performs a series of check to ensure its validity.
In our systems, we detected a case where, when the secret object is
compromised, for example when the certificate does not match the secret
key, different pods of the ingress controller are serving a different
version of the certificate.
This behaviour is due to the cache mechanism of the ingress controller,
keeping the last known certificate in case of corruption. When this
happens, old ingress-controller pods will keep serving the old one,
while new pods, by failing to load the corrupted certificates, would
use the default certificate, causing invalid certificates for its
clients.
This generates a random error on the client side, depending on the
actual pod instance it reaches.
In order to allow detecting occurences of those situations, add a metric
to expose, for all ingress controlller pods, detailed informations of
the currently loaded certificate.
This will, for example, allow setting an alert when there is a
certificate discrepency across all ingress controller pods using a query
similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)`
This also allows to catch other exceptions loading certificates (failing
to load the certificate from the k8s API, ...
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
