DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
7758 commits 4 branches 217 tags 166 MiB
Commit graph

709 commits

Author SHA1 Message Date
Manuel Alejandro de Brito Fontes
07b70f68bd
Redirect for app-root should preserve current scheme (#5266) 2020-03-19 15:49:18 -03:00
Maxim Pogozhiy
78576a9bbc Add Maxmind Editions support 2020-03-19 19:36:10 +07:00
Kubernetes Prow Robot
d5d1e9bfbd
Merge pull request #4958 from niedbalski/fix-forwarded-proto 
Add a forwarded protocol map for included x-forwarded-proto.
 2020-03-11 02:35:36 -07:00
Jorge Niedbalski
1d1b857cb7 Add a forwarded protocol map for included x-forwarded-proto. 
This change adds a new map for including the passed x-forwarded-proto
header in case is provided as an extra header.

Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
 2020-03-10 18:26:28 -03:00
Lisheng Zheng
f2e5d6f8a5 Migrate the backends handler logic to function 2020-02-27 09:31:04 +08:00
Laszlo Janosi
2de30bf451 Add proxy-ssl-name to location level 2020-02-25 13:52:34 +01:00
schaefec
141ea59b7f Allows overriding the server name used to verify the certificate of the proxied HTTPS server 2020-02-25 13:32:14 +01:00
Kubernetes Prow Robot
35264d6e8f
Merge pull request #5114 from whalecold/match 
Feat: add header-pattern annotation.
 2020-02-24 17:07:36 -08:00
Manuel Alejandro de Brito Fontes
351307280e Clean template 2020-02-21 16:14:49 -03:00
Lisheng Zheng
0b33650bb8 Feat: canary supports using specific match strategy to match header value. 2020-02-21 10:02:20 +08:00
Karl Stoney
5c64c52a60 Ensured that opentracing on auth request is only enabled for people that have opentracing 2020-02-20 14:12:54 +00:00
Karl Stoney
08471b527b Fixes https://github.com/kubernetes/ingress-nginx/issues/5120 2020-02-20 14:03:09 +00:00
Elvin Efendi
ad78425852 also expose pem cert uid in certificate.call function 2020-02-19 13:41:50 -05:00
Elvin Efendi
4bb9106be2 refactor ssl handling in preperation of OCSP stapling 2020-02-19 13:14:35 -05:00
briankopp
b2beeeab25 Add case for when user agent is nil 
Add test for nil user agent
 2020-02-16 21:07:45 -06:00
Manuel Alejandro de Brito Fontes
4b5c39e97b
Fox docker opencontainers version label (#5087) 2020-02-16 11:55:12 -03:00
Manuel Alejandro de Brito Fontes
12314aa1ac
Cleanup docker build (#5084) 2020-02-15 13:59:56 -03:00
Daniel Arifin
d48d5a61ae Add gzip-min-length as a configurable 2020-02-14 13:29:51 +07:00
Manuel Alejandro de Brito Fontes
71e35c9100
Make sure set-cookie is retained from external auth endpoint (#5067) 2020-02-14 01:41:11 -03:00
Kubernetes Prow Robot
5e54f66ab2
Merge pull request #5040 from BrianKopp/samesite-followup 
Update documentation and remove hack fixed by upstream cookie library
 2020-02-10 10:25:53 -08:00
Ilya Nemakov
46a3e0a6fd Fix X-Forwarded-Proto based on proxy-protocol server port 2020-02-10 18:08:34 +03:00
BrianKopp
7c7a1b9c8b Update samesite tests 2020-02-08 12:58:52 -07:00
BrianKopp
34b194c770 Update documentation and remove hack fixed by upstream cookie library 2020-02-08 11:54:52 -07:00
Manuel Alejandro de Brito Fontes
b3146354d4 Refactor mirror feature 2020-02-05 10:39:55 -03:00
Manuel Alejandro de Brito Fontes
b9e944a8a6
Move mod-security logic from template to go code (#5009) 2020-02-04 14:04:11 -03:00
Manuel Alejandro de Brito Fontes
ee5595f5be
Cleanup main makefile and remove the need of sed (#4995) 2020-01-31 22:56:55 -03:00
Brian Kopp
1b523390bb Add SameSite=None support and conditionally omit SameSite=None for backwards compatibility 2020-01-29 14:30:00 -07:00
Manuel Alejandro de Brito Fontes
5d05e19cc3
Fix enable opentracing per location (#4983) 2020-01-29 12:20:05 -03:00
Kubernetes Prow Robot
2f8cbeb8fa
Merge pull request #4956 from djboris9/proxy-protocol-port 
Fix proxy protocol support for X-Forwarded-Port
 2020-01-26 12:27:02 -08:00
Manuel Alejandro de Brito Fontes
7ff49b25d6
Move opentracing configuration for location to go (#4965) 2020-01-25 21:39:20 -03:00
Boris Djurdjevic
665f924e9e Add proxy protocol support for X-Forwarded-Port 
Fixes https://github.com/kubernetes/ingress-nginx/issues/4951
 2020-01-24 13:50:35 +01:00
Manuel Alejandro de Brito Fontes
c8015c7734
Update nginx image, use docker buildx and remove qemu (#4923) 
* Update nginx image, use docker buildx and remove qemu

* Update e2e image
 2020-01-14 20:52:57 -03:00
Manuel Alejandro de Brito Fontes
a8c2c9c6bc
Remove todo from lua test (#4894) 2020-01-08 19:46:52 -03:00
Manuel Alejandro de Brito Fontes
5ce93d98c2 Fix lua test 2020-01-05 16:00:54 -03:00
Manuel Alejandro de Brito Fontes
025d4eaceb Migrate to alpine linux 2020-01-04 13:23:16 -03:00
Manuel Alejandro de Brito Fontes
fbdd924a45 Update nginx image 2020-01-04 13:23:16 -03:00
Manuel Alejandro de Brito Fontes
6c92c80073 Fix sticky session for ingress without host 2020-01-02 16:52:49 -03:00
Manuel Alejandro de Brito Fontes
a0523c3c8a
Use a named location for authSignURL (#4859) 2019-12-24 22:50:25 -03:00
Elvin Efendi
54918c0ff2 fix duplicate hsts bug 2019-12-12 13:49:13 -05:00
MMeent
75e8d37d71
Fix issue in logic of modsec template 
according to go templates: `(and ((not false) false))` == `true`

the only way to remove the owasp rules from every location is to disable modsec on that location, or to enable owasp globally, both not-so-great choices.

This commit fixes the logic issue by fixing the and-clause in the if-statement. As a result this reduces global resource usages when modsecurity is configured globally, but not on every location.
 2019-11-28 14:56:41 +01:00
Kubernetes Prow Robot
a85d5ed93a
Merge pull request #4779 from aledbf/update-image 
Remove lua-resty-waf feature
 2019-11-27 11:45:05 -08:00
Kubernetes Prow Robot
b286c2a336
Merge pull request #4732 from willthames/enable-opentracing-annotation 
Allow enabling/disabling opentracing for ingresses
 2019-11-26 17:31:21 -08:00
Will Thames
0ae463a5f3 Provide annotation to control opentracing 
By default you might want opentracing off, but on for a particular
ingress.

Similarly, you might want opentracing globally on, but disabled for
a specific endpoint. To achieve this, `opentracing_propagate_context`
cannot be set when combined with `opentracing off`

A new annotation, `enable-opentracing` allows more fine grained control
of opentracing for specific ingresses.
 2019-11-27 11:07:26 +10:00
Manuel Alejandro de Brito Fontes
61d902db14 Remove Lua resty waf feature 2019-11-26 10:37:43 -03:00
Kubernetes Prow Robot
62518b60b4
Merge pull request #4689 from janosi/upstream_ssl 
Server-only authentication of backends and per-location SSL config
 2019-11-18 19:49:43 -08:00
Michael Frister
dea9c405e5 Docker image: Add more opencontainers labels (incl. version) 2019-11-18 10:20:20 +01:00
Michael Frister
be5349c05a Docker image: Add source code reference label 
This allows tools that automate component updates (in our case Renovate Bot [1])
to automatically find the source repository for the Docker image and extract
release notes from there. Renovate Bot can include the relevant release notes
automatically in a merge request changing the component version.

In [2], Renovate added the label for their own Docker image.

[1] https://github.com/renovatebot/renovate
[2] https://github.com/renovatebot/renovate/pull/3753
 2019-11-12 11:40:37 +01:00
Kubernetes Prow Robot
0d244e1c41
Merge pull request #4730 from stamm/master 
add configuration for http2_max_concurrent_streams
 2019-11-08 07:12:29 -08:00
Rustam Zagirov
d9cfad1894 add configuration for http2_max_concurrent_streams 2019-10-31 15:13:38 +03:00
Laszlo Janosi
cc84bd4ab6 Server level proxy_ssl parameters are applied again, following the comments received. 
Also writing tls.crt and tls.key to disk is according to the original code.
 2019-10-26 20:20:18 +02:00
Laszlo Janosi
31227d61c2 Removing secure-verify-ca-secret support and writing an error log if that annotation is used in an Ingress definition 2019-10-18 10:58:57 +02:00
Laszlo Janosi
37fe9c9876 Enabling per-location proxy-ssl parameters, so locations of the same server but with own unique Ingress definitions can have different SSL configs 2019-10-17 10:15:53 +02:00
Thomas Jackson
7fc442c7f1 update test cases 2019-10-14 08:14:35 -07:00
Thomas Jackson
b698699fdd More helpful DNS failure message 
Previously if dns.lua failed to resolve a name you'd see the following in your logs:
```
2019/10/12 23:39:34 [error] 41#41: *6474 [lua] dns.lua:121: dns_lookup(): failed to query the DNS server:
server returned error code: 3: name error
server returned error code: 3: name error, context: ngx.timer
```

Unfortunately this doesn't tell you what name is failing (so you have to start guessing). To alleviate the pain this simply adds the host name we are attempting to resolve to the log line so users don't have to guess.
 2019-10-14 08:14:35 -07:00
Kubernetes Prow Robot
69880ac9ad
Merge pull request #4650 from DaveAurionix/master 
Expose GeoIP2 Organization as variable $geoip2_org
 2019-10-12 15:34:36 -07:00
Sergei Turchanov
0476715022 Need to quote expansion of $cfg.LogFormatStream in log_stream access log 
format in nginx.tmpl otherwise individual variables are just glued together
without separating spaces so that you would get these in access logs:

[10/Oct/2019:05:03:30 +0000]TCP200000.003
[10/Oct/2019:05:03:30 +0000]TCP200000.000
[10/Oct/2019:05:05:04 +0000]TCP200000.000

which supposed to be someting like these:
[10/Oct/2019:05:03:30 +0000] TCP 200 0 0 0.003
[10/Oct/2019:05:03:30 +0000] TCP 200 0 0 0.000
[10/Oct/2019:05:05:04 +0000] TCP 200 0 0 0.000
 2019-10-10 17:27:15 +10:00
Dave Thompson
8e926b21d1 Expose GeoIP2 Organization as variable $geoip2_org 2019-10-09 09:47:48 +01:00
Kubernetes Prow Robot
8fd17045e6
Merge pull request #4603 from membphis/code-style 
optimize: local cache global variable and reduce string object creation.
 2019-10-08 07:51:15 -07:00
MRoci
72c4ffa8b5
add modsecurity-snippet key 2019-09-28 09:54:07 +02:00
Yuansheng
e4571fdeef optimize: local cache global variable and reduce string object creation. 
and some code style.
 2019-09-25 09:43:11 -04:00
Elvin Efendi
73e659f5fc improve certificate configuration detection per request 2019-09-24 21:17:22 -04:00
Elvin Efendi
c5a8357f1d handle hsts header injection in lua 2019-09-24 21:17:22 -04:00
Elvin Efendi
c93d384fb1 delete redundant config 2019-09-24 18:51:35 -04:00
Elvin Efendi
8c64b12a96 refactor force ssl redirect logic 2019-09-24 14:57:52 -04:00
Elvin Efendi
e392c8a8af cleanup unused certificates 2019-09-24 14:16:03 -04:00
Kubernetes Prow Robot
1dc4d184a0
Merge pull request #4550 from Shopify/upstream-auth-proxy-set-headers 
Add support for configmap of headers for auth-url per ingress
 2019-09-24 09:33:27 -07:00
Kubernetes Prow Robot
0f378154a0
Merge pull request #4591 from membphis/change/lua-code-style 
optimize: local cache global variable and avoid single lines over 80
 2019-09-24 07:55:29 -07:00
A Gardner
786a3b6862 Add support for configmap of headers to be sent to external auth service 2019-09-24 10:53:23 -04:00
Yuansheng
1ce68c8723 optimize: local cache global variable and avoid single lines over 80 
characters.
 2019-09-24 10:08:45 -04:00
Kubernetes Prow Robot
f6c2f5fb97
Merge pull request #4514 from alexmaret/4475-stickyness-mode 
Added new affinity mode for maximum session stickyness.
 2019-09-24 05:09:27 -07:00
Alexander Maret-Huskinson
c26ab315b8 Fixed LUA lint findings. 2019-09-24 10:56:11 +02:00
Alexander Maret-Huskinson
f1839ddb42 Fixed review findings. 2019-09-24 10:46:02 +02:00
Manuel Alejandro de Brito Fontes
4b4176c830
Fix log format after #4557 2019-09-18 12:52:09 -03:00
Manuel Alejandro de Brito Fontes
9af574a234
Remove the_real_ip variable 2019-09-12 20:01:33 -03:00
Elvin Efendi
bbcf3dc625 regression test for the issue fixed in #4543 2019-09-10 10:00:21 -04:00
Manuel Alejandro de Brito Fontes
ce3e3d51c3
WIP Remove nginx unix sockets (#4531) 
* Remove nginx unix sockets
* Use an emptyDir volume for /tmp in PSP e2e tests
 2019-09-08 18:14:54 -03:00
Thomas Jackson
28a42686a5 Correctly format ipv6 resolver config for lua 
It seems that when support was added for parsing resolv_conf directly a regression was introduced which effectively breaks anyone with ipv6 resolvers.

Regression of #3895
 2019-09-06 21:18:07 -07:00
Ricardo Katz
9c51676f17 Add support to CRL (#3164) 
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>

Add support to CRL

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>
 2019-09-03 16:47:28 -04:00
Manuel Alejandro de Brito Fontes
c2935ca35c
Refactor health checks and wait until NGINX process ends 2019-09-01 15:31:27 -04:00
Manuel Alejandro de Brito Fontes
c7d2444cf4
Fix nginx variable service_port (nginx) (#4500) 2019-08-31 11:24:01 -04:00
Alexander Maret-Huskinson
880b3dc5f1 Fixed test findings. 2019-08-30 19:08:03 +02:00
Alexander Maret-Huskinson
881e352d68 Converted sticky session balancers into separate classes. 2019-08-30 18:07:24 +02:00
Alexander Maret-Huskinson
9170591185 Added new affinity mode for maximum session stickyness. Fixes kubernetes/ingress-nginx#4475 2019-08-30 11:40:29 +02:00
Kubernetes Prow Robot
8740c1b661
Merge pull request #4478 from zikhan/AddWildcardAffinity 
Re-add Support for Wildcard Hosts with Sticky Sessions
 2019-08-27 10:52:07 -07:00
Elvin Efendi
06f03a2af6 point users to kubectl ingress-nginx plugin 2019-08-27 07:42:42 -04:00
Zovin Khanmohammed
76c2063be8
Code Review changes. Remove duplicate tests. 2019-08-26 14:00:59 -05:00
Zovin Khanmohammed
1f8ab60e40
Adds Wilcard check for hostname. Adds wildcard hostname tests. 2019-08-26 14:00:44 -05:00
Elvin Efendi
57db904c92 fix lua certificate handling tests 2019-08-26 13:05:05 -04:00
Manuel Alejandro de Brito Fontes
8def5ef7ca
Add support for multiple alias and remove duplication of SSL certificates (#4472) 2019-08-26 10:58:44 -04:00
Kubernetes Prow Robot
f0e71cf688
Merge pull request #4463 from zerda/fix-add-headers 
Always set headers with add-headers option
 2019-08-25 09:16:21 -07:00
SilverFox
a44b5cf3f3 Always set headers with add-headers option 
It should work regardless of the response code or add_header directive in location.
 2019-08-18 14:28:43 +08:00
Gabor Lekeny
4624b5bc77 Change PemSHA to CASHA 2019-08-16 06:31:15 +02:00
Gabor Lekeny
65b9e2c574 Merge branch 'master' of https://github.com/kubernetes/ingress-nginx into proxyssl 2019-08-16 06:21:53 +02:00
Kubernetes Prow Robot
b5fecd0dc8
Merge pull request #4450 from Shopify/proxy-max-temp-file-size 
Add nginx proxy_max_temp_file_size configuration option
 2019-08-15 12:40:33 -07:00
Maxime Ginters
d8bd8c5619 Add nginx proxy_max_temp_file_size configuration option 2019-08-15 13:47:42 -04:00
Elvin Efendi
30b64df10a ewma improvements 2019-08-15 13:13:43 -04:00
Kubernetes Prow Robot
0b375989f3
Merge pull request #4412 from Shopify/ssl-early-data 
Add nginx ssl_early_data option support
 2019-08-15 10:08:35 -07:00
Elvin Efendi
6a293c7e11 set /configuration client body size dynamically 2019-08-14 22:10:56 -04:00
Kubernetes Prow Robot
dd0fe4b458
Merge pull request #4422 from ElvinEfendi/lua-resolv-conf-search 
teach lua about search and ndots settings in resolv.conf
 2019-08-14 17:36:33 -07:00
Kubernetes Prow Robot
0d690fba1a
Merge pull request #4356 from aledbf/only-dynamic-mode 
Only support SSL dynamic mode
 2019-08-14 17:08:35 -07:00
Elvin Efendi
7b4655bb39 teach lua about search and ndots settings in resolv.conf 2019-08-14 18:03:30 -04:00
Kubernetes Prow Robot
adef152db8
Merge pull request #4379 from diazjf/mirror 
Allow Requests to be Mirrored to different backends
 2019-08-13 17:52:24 -07:00
Elvin Efendi
d46b4148fa Lua /etc/resolv.conf parser and some refactoring 2019-08-13 18:34:54 -04:00
Manuel Alejandro de Brito Fontes
80bd481abb
Only support SSL dynamic mode 2019-08-13 17:33:34 -04:00
Manuel Alejandro de Brito Fontes
2ed75b3362
Move listen logic to go 2019-08-13 14:52:25 -04:00
Mathieu Naouache
4d97240d88
Add timezone value into $geoip2_time_zone variable 2019-08-11 14:26:48 +02:00
Pierrick Charron
f459515d0d Add quote function in template 
Co-authored-by: Charle Demers <charle.demers@gmail.com>
 2019-08-09 15:47:29 -04:00
Kubernetes Prow Robot
8c472190d1
Merge pull request #4086 from jeroen92/issue-4038 
Resolve #4038, move X-Forwarded-Port variable to the location context
 2019-08-09 08:07:25 -07:00
Manuel Alejandro de Brito Fontes
4a9b02bc03
Remove dynamic TLS records 2019-08-08 15:52:56 -04:00
tals
a2e667c082 lua shared dict from cm 
lua shared dict teml test and update func sign

lua shared dict cm test

lua shared dict integration test

lua shared dict add cm parsing

lua shared dict change test header
 2019-08-08 12:44:11 +03:00
Maxime Ginters
7219130da4 Add nginx ssl_early_data option support 2019-08-07 16:04:09 -04:00
Jeroen Schutrup
8dd912114e
Move X-Forwarded-Port variable to the location context 
Resolves issue #4038 where the X-Forwarded-Port header would be set to the value of the https listening port if all of the following settings were satisfied:
- The ingress controller was started with a non-default HTTPS port set with the `--https-port` argument
- An ingress is created having:
  - the `nginx.ingress.kubernetes.io/auth-url` annotation set
  - TLS enabled

This commit solves this issue by moving the setting of the `pass_server_port` variable from the server, one level down to the location context.
 2019-08-06 17:00:58 +02:00
Fernando Diaz
386486e969 Allow Requests to be Mirrored to different backends 
Add a feature which allows traffic to be mirrored to
additional backends. This is useful for testing how
requests will behave on different "test" backends.

See https://nginx.org/en/docs/http/ngx_http_mirror_module.html
 2019-08-01 11:53:58 -05:00
Kubernetes Prow Robot
c8a3710fb8
Merge pull request #4344 from Nuglif/fastcgi-backend-support 
Add FastCGI backend support (#2982)
 2019-07-31 11:20:14 -07:00
Charle Demers
72271e9313
FastCGI backend support (#2982) 
Co-authored-by: Pierrick Charron <pierrick@adoy.net>
 2019-07-31 10:39:21 -04:00
Elvin Efendi
8f5fa78e1a regression test 2019-07-26 10:18:31 -04:00
Elvin Efendi
6f7b66fc7d memoize balancer for a request 2019-07-26 09:35:58 -04:00
Gabor Lekeny
def13fc06c Add proxy_ssl_* directives 
Add support for backends which require client certificate (eg. NiFi)
authentication. The `proxy-ssl-secret` k8s annotation references a
secret which is used to authenticate to the backend server. All other
directives fine tune the backend communication.

The following annotations are supported:
* proxy-ssl-secret
* proxy-ssl-ciphers
* proxy-ssl-protocol
* proxy-ssl-verify
* proxy-ssl-verify-depth
 2019-07-18 03:21:52 +02:00
Kubernetes Prow Robot
589c9a20f9
Merge pull request #4278 from moolen/feat/auth-req-cache 
feat: auth-req caching
 2019-07-17 12:06:12 -07:00
Moritz Johner
23504db770 feat: auth-req caching 
add a way to configure the `proxy_cache_*` [1] directive for external-auth.
The user-defined cache_key may contain sensitive information
(e.g. Authorization header).
We want to store *only* a hash of that key, not the key itself on disk.

[1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
 2019-07-17 18:39:04 +02:00
Elvin Efendi
b424ad2681 avoid warning during lua unit test 2019-07-11 18:24:13 -04:00
Kubernetes Prow Robot
fe6c086580
Merge pull request #4288 from eshicks4/proxy-http-version-annotation 
added proxy-http-version annotation to override the HTTP/1.1 default …
 2019-07-11 11:43:07 -07:00
Manuel Alejandro de Brito Fontes
1e07cc6933
Disable access log in stream section for configuration socket 2019-07-10 13:42:13 -04:00
E. Stuart Hicks
3b0c523e49 added proxy-http-version annotation to override the HTTP/1.1 default connection type to reverse proxy backends 2019-07-08 14:32:00 -04:00
Elvin Efendi
97d3a0ddab fix lua lints 2019-07-08 13:51:24 -04:00
Kubernetes Prow Robot
7c297e001a
Merge pull request #4246 from ElvinEfendi/proxy-alternative-upstream-name 
introduce proxy_alternative_upstream_name Nginx var
 2019-07-04 19:20:35 -07:00
Elvin Efendi
8b208cac93 introduce proxy_alternative_upstream_name Nginx var to differentiate canary requests 2019-07-04 19:43:20 -04:00
Kubernetes Prow Robot
930e37a0b5
Merge pull request #4273 from aledbf/ssh-chain-dynamic 
Check and complete intermediate SSL certificates
 2019-07-04 16:32:36 -07:00
Manuel Alejandro de Brito Fontes
8807db9748
Check and complete intermediate SSL certificates 2019-07-04 19:13:21 -04:00
Elvin Efendi
0e5913310d dynamic cert mode should understand domain with trailing dot 2019-07-04 17:30:41 -04:00
Elvin Efendi
27df697dde introduce ngx.var.balancer_ewma_score 2019-07-03 16:50:22 -04:00
Kubernetes Prow Robot
c01effb076
Merge pull request #4232 from ElvinEfendi/fix-dynamic-cert-bug 
override least recently used entries when certificate_data dict is full
 2019-07-01 08:03:22 -07:00
Elvin Efendi
b66f9e329d override least recently used entries when certificate_data dictionary is full 2019-07-01 10:18:40 -04:00
Manuel Alejandro de Brito Fontes
591887089f
Add e2e test suite to detect memory leaks in lua 2019-06-27 22:05:52 -04:00
Manuel Alejandro de Brito Fontes
ddffa2a173
Enable arm again 2019-06-26 23:00:58 -04:00
Elvin Efendi
2b46c3a056 fix monitor test after move to openresty 2019-06-24 14:21:19 -04:00
Kubernetes Prow Robot
5dfc7e211f
Merge pull request #4221 from aledbf/upgrade-nginx-image 
Switch to openresty image
 2019-06-24 09:45:57 -07:00
Manuel Alejandro de Brito Fontes
991f95f6bf
Migrate to openresty 2019-06-23 22:29:11 -04:00
Manuel Alejandro de Brito Fontes
d7b213d979
Do not set Host header when backend protocol is grpc 2019-06-18 23:44:10 -04:00
Kubernetes Prow Robot
57a0542fa3
Merge pull request #4187 from s-shirayama/add_unit_test_case_for_balancer_lua_module 
Add unit test cases for balancer lua module
 2019-06-13 09:02:20 -07:00
Sebastiaan Tammer
c11583dc5f Only load modsecurity_module when ModSec is active 2019-06-11 16:39:52 +02:00
s-shirayama
6f0d6b38b8 Add unit test case for canary by header 2019-06-11 22:34:33 +09:00
s-shirayama
0ff679baa7 Add unit test case for canary by cookie 2019-06-11 22:34:30 +09:00
s-shirayama
e9f4c0bb0e Add unit test case for canary by weight 2019-06-11 22:34:24 +09:00
s-shirayama
7a15f52cf1 Add unit test case for balancer.route_to_alternative_balancer() 2019-06-11 22:34:05 +09:00
Elvin Efendi
e2c6202324 bugfix: check all previously failing upstreams, not just the last one 2019-06-07 10:00:31 -04:00
Elvin Efendi
b9b1ffb1d5 simplify sticky balancer 2019-06-06 16:32:33 -04:00
Elvin Efendi
83f2acbe38 Session Affinity ChangeOnFailure should be boolean 2019-06-06 11:22:05 -04:00
Kubernetes Prow Robot
286ff13af2
Merge pull request #4048 from fedunineyu/change-upstream-on-error-with-sticky-session 
Change upstream on error when sticky session balancer is used
 2019-06-06 07:22:17 -07:00
Eugene Fedunin
254629cf16 Added support for annotation session-cookie-change-on-failure 
1. Session cookie is updated on previous attempt failure when `session-cookie-change-on-failure = true` (default value is `false`).
2. Added tests to check both cases.
3. Updated docs.

Co-Authored-By: Vladimir Grishin <yadolov@users.noreply.github.com>
 2019-05-27 13:00:07 +03:00
Manuel Alejandro de Brito Fontes
c4597522bf
Refactor whitelist from map to standard allow directives 2019-05-27 04:55:38 -04:00
Elvin Efendi
0e9e40a60b use nkeys for counting lua table elements 2019-05-26 18:15:15 -04:00
Elvin Efendi
dc7fa885a2 log info when endpoints change for a balancer 2019-05-25 23:50:18 -04:00
weltschraet
abca32ba8e reduce memory footprint and cpu usage when modsecurity and owasp rules are enabled globally 2019-05-18 19:08:30 +02:00
MRoci
8b7f069b56
load modsecurity.conf on ModSecurity.Enable 2019-05-13 17:39:06 +02:00
okryvoshapka-connyun
8cc9afe8ee Added Global External Authentication settings to configmap parameters incl. addons 2019-05-03 12:08:16 +02:00
Kubernetes Prow Robot
34734edc6e
Merge pull request #4005 from Shopify/proxy-next-upstream-timeout 
Support proxy_next_upstream_timeout
 2019-04-15 09:10:09 -07:00
Alex Kursell
ffeb1fe348 Support proxy_next_upstream_timeout 2019-04-15 11:08:57 -04:00
Kubernetes Prow Robot
6b6610dabe
Merge pull request #4000 from ElvinEfendi/dynamic-ssl-improvements 
Dynamic ssl improvements
 2019-04-13 14:38:00 -07:00
Elvin Efendi
2f3cf1a6c0 do not create empty access_by_lua_block 2019-04-13 16:11:46 -04:00
Elvin Efendi
93f00b2143 fix luacheck warning 2019-04-13 15:26:48 -04:00
Elvin Efendi
45add6cb7d better certificate lua unit tests 2019-04-13 14:01:44 -04:00
Elvin Efendi
42c207c548 handle default certificate correctly in Lua 2019-04-13 12:32:06 -04:00
Elvin Efendi
f067712824 better logging in certificate.lua 2019-04-13 12:32:06 -04:00
Elvin Efendi
8f81538b0d lua plugin system 2019-04-04 09:25:22 -04:00
Elvin Efendi
87e962682f properly parse x-forwarded-host 2019-03-31 15:10:45 -04:00
Elvin Efendi
496ff07bf1 replace some of the Nginx configuration to Lua code 2019-03-31 12:04:52 -04:00
Gregor Noczinski
1bef3e75b2 Set X-Request-ID for the default-backend, too. 2019-03-22 11:33:11 +01:00
Manuel Alejandro de Brito Fontes
6c1a7f1efd
Add support for IPV6 resolvers 2019-03-21 11:23:47 -03:00
Alejandro Pedraza
a3c87cf9cb Properly set ing.Service when there are multiple rules with different hosts using the same path 
Fixes #3611

Signed-off-by: Alejandro Pedraza <alejandro.pedraza@gmail.com>
 2019-03-07 06:06:24 -05:00
Alex Kursell
d3ac73be79 Remove session-cookie-hash annotation 2019-03-04 10:34:48 -05:00
Mikhail Marchenko
8b3702c829 Enable access log for default backend 
disable log on default_server
 2019-02-26 11:14:31 +03:00
Alex Kursell
c96eae3015 Add /dbg certs command 2019-02-25 11:38:07 -05:00
jasongwartz
3865e30a00 Changes CustomHTTPErrors annotation to use custom default backend 
Updates e2e test

Removes focus from e2e test

Fixes renamed function

Adds tests for new template funcs

Addresses gofmt

Updates e2e test, fixes custom-default-backend test by creating service

Updates docs
 2019-02-24 22:48:56 +01:00
Kubernetes Prow Robot
7b2495047f
Merge pull request #3781 from zoumo/proxy-buffer-number 
feat: configurable proxy buffers number
 2019-02-22 12:11:46 -08:00
Jim Zhang
dc63e5d185 fix: rename proxy-buffer-number to proxy-buffers-number 2019-02-22 10:21:17 +08:00
Manuel Alejandro de Brito Fontes
8b6e4d4697
Use UsePortInRedirects only if enabled 2019-02-21 17:48:45 -03:00
Jim Zhang
c92d29d462 feat: configurable proxy buffer number 2019-02-20 18:05:09 +08:00
Kubernetes Prow Robot
15d5ef95ef
Merge pull request #3740 from Shopify/session-annotation-reload 
Fix ingress updating for session-cookie-* annotation changes
 2019-02-19 15:14:21 -08:00
Alex Kursell
c180a0998b Fix session-cookie-* annotation reloading 2019-02-19 17:27:08 -05:00
Anthony Ho
ec04852526 Create custom annotation for satisfy "value" 2019-02-19 15:58:35 -05:00
Kubernetes Prow Robot
201718ec0f
Merge pull request #3775 from kppullin/fix-l4-dns-resolve-failures 
Fix DNS lookup failures in L4 services
 2019-02-19 11:11:48 -08:00
Kevin Pullin
f6aded2c51 Fix DNS failures in L4 services 2019-02-17 14:12:10 -08:00
Kubernetes Prow Robot
908a2ae506
Merge pull request #3764 from ElvinEfendi/cleanup-confusing-attribute 
delete confusing CustomErrors attribute to make things more explicit
 2019-02-14 03:26:21 -08:00
Elvin Efendi
adc128711b delete confusing CustomErrors attribute to make things more explicit 2019-02-13 22:41:02 -05:00
Kubernetes Prow Robot
c8d30755a9
Merge pull request #3748 from aledbf/update-image 
Update nginx image
 2019-02-13 15:14:08 -08:00
Kubernetes Prow Robot
d9845c79c5
Merge pull request #3671 from moonming/randomseed-bugfix 
bugfix: fixed duplicated seeds.
 2019-02-10 11:33:42 -08:00
Manuel Alejandro de Brito Fontes
7dc17a603d Update nginx image 2019-02-09 18:53:31 -03:00
Kubernetes Prow Robot
17e788b8e1
Merge pull request #3684 from aledbf/health 
Replace Status port using a socket
 2019-02-06 13:49:08 -08:00
Manuel Alejandro de Brito Fontes
34b0580225
Replace Status port using a socket 2019-02-06 18:00:10 -03:00
Tim Reddehase
018a1e4d94 respond with 503 when there are no endpoints 
* related to:
  * https://github.com/kubernetes/ingress-nginx/issues/3070
  * https://github.com/kubernetes/ingress-nginx/issues/3335
* add a 503 test
  * test a service that starts out empty
    (a.k.a. ingress-nginx controller (re-)start)
  * test scaling up (should route traffic accordingly)
  * test scaling down to empty service
  * use custom deployments for scaling test.
* provide a fix by updating the lua table (cache) of the configured backends
  to unset the backend if there are no endpoints available.
 2019-02-03 11:43:47 +01:00
Kubernetes Prow Robot
d4d25f6fb4
Merge pull request #3619 from minherz/add-canary-header-by-value 
add header-value annotation
 2019-02-01 14:45:54 -08:00
minherz
57440c9464 fix issue with failing e2e tests 2019-02-01 22:11:09 +02:00
Kubernetes Prow Robot
eddbcc7f3a
Merge pull request #3673 from moonming/table-new 
used table functions of LuaJIT for better performance.
 2019-02-01 08:40:34 -08:00
minherz
de2a1ece6d add header-value annotation 
add new annotation (header-value)
parse it and propogate to lua script
alter balancer rule to include it into the canary routing logic
add e2e test to validate fallback for canary-by-header-value
add description of canary-by-header-value to documentation
 2019-01-30 23:23:44 +02:00
Rustam Zagirov
5dee6af957 add params for access log 2019-01-26 21:42:11 +03:00
WenMing
8ea7501d8b added more error info and keep test cases. 2019-01-21 17:32:18 +08:00
WenMing
a36961f9f9 used table functions of LuaJIT for better performance. 2019-01-19 11:16:31 +08:00
WenMing
1d37e83a18 used cjson.safe instead of pcall. 2019-01-18 23:12:22 +08:00
WenMing
c782f22c5d fixed test case for math.randomseed. 2019-01-18 10:08:33 +08:00
WenMing
011062967a bugfix: fixed duplicated seeds. 
ngx.time() + ngx.worker.pid() maybe get duplicated seeds. get from /dev/urandom first.
 2019-01-18 00:21:25 +08:00
Kubernetes Prow Robot
1db9c91af4
Merge pull request #3363 from skeeey/master 
Document for cookie expires annotation
 2019-01-14 07:52:28 -08:00
Maximilian Gaß
39dd0c50da Remove stickyness cookie domain from Lua balancer to match old behavior (#3648) 2019-01-11 22:24:45 -03:00
liuwei
7aa5834948 add cookie expires document and fix a flaw for session-cookie-expires 2019-01-11 15:35:39 +08:00
Kubernetes Prow Robot
61bca89d13
Merge pull request #3637 from aledbf/fix-redirect 
Add support for redirect https to https (from-to-www-redirect)
 2019-01-10 19:58:35 -08:00
Manuel Alejandro de Brito Fontes
a3bcbeb3d2
Add support for redirect https to https when from-to-www-redirect is defined 2019-01-10 20:59:49 -03:00
Manuel Alejandro de Brito Fontes
916b6a06d2 Empty access_by_lua_block breaks satisfy any 2019-01-10 10:27:23 -03:00
Shai Katz
edd87fbae3 add limit connection status code 
add default conn status code

add missing colon

add limit connection status code
 2019-01-09 19:31:10 +02:00
Elvin Efendi
ba7b542d78 canary by cookie should support hypen in cookie name 2019-01-08 13:15:02 -05:00
Diego Woitasen
60b983503b Consistent hashing to a subset of nodes. It works like consistent hash, 
but instead of mapping to a single node, we map to a subset of nodes.
 2019-01-03 01:32:52 -03:00
Kubernetes Prow Robot
71cc6df74f
Merge pull request #3174 from Shopify/rewrite-regex 
Generalize Rewrite Block Creation and Deprecate AddBaseUrl (not backwards compatible)
 2019-01-02 12:30:18 -08:00
Manuel Alejandro de Brito Fontes
a73dac2c0b
Fix proxy_host variable configuration 2019-01-02 15:31:27 -03:00
ramnes
bf7b5ebd81 Add an option to automatically set worker_connections based on worker_rlimit_nofile 2018-12-27 18:36:19 +01:00
Anish Ramasekar
382049a0bf Adds support for HTTP2 Push Preload annotation 
update test for backendprotocols

Adds support for HTTP2 Push Preload annotation

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>

Adds support for HTTP2 Push Preload annotation

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>

Adds support for HTTP2 Push Preload annotation

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>

Adds support for HTTP2 Push Preload annotation

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@serpro.gov.br>

Adds support for HTTP2 Push Preload annotation

Adds support for HTTP2 Push Preload annotation
 2018-12-24 17:13:25 -02:00
Elvin Efendi
4896b064ca lua randomseed per worker 2018-12-20 17:09:29 +04:00
Kubernetes Prow Robot
ee3a8fe581
Merge pull request #3505 from Shopify/watch-pod-lua 
Update lua configuration_data when number of controller pod change
 2018-12-17 00:10:30 -08:00
Maxime Ginters
f90881b367 Update lua configuration_data when number of controller pod change 2018-12-14 13:34:54 -05:00
Zenara Daley
67654a6fd5 Generalize Rewrite Block Creation 2018-12-13 13:02:05 -05:00
Maxime Ginters
ff8bfb6a86 Fix --enable-dynamic-certificates for nested subdomain 2018-12-12 09:16:39 -05:00
Manuel Alejandro de Brito Fontes
41700044ad Replace dockerfile entrypoint 2018-12-07 14:00:55 -03:00
Kubernetes Prow Robot
da32401c66
Merge pull request #3509 from fabiant7t/master 
[1759] Ingress affinity session cookie with Secure flag for HTTPS
 2018-12-06 01:18:24 -08:00
Fabian Topfstedt
f03c8a8544 testing that a secure cookie gets set when being in ssl mode 
Signed-off-by: Fabian Topfstedt <topfstedt@schneevonmorgen.com>
 2018-12-06 09:08:25 +01:00
Fabian Topfstedt
6c46adf2b7 reverted changing $https globally in the unit tests 
Signed-off-by: Fabian Topfstedt <topfstedt@schneevonmorgen.com>
 2018-12-06 09:01:08 +01:00
Manuel Alejandro de Brito Fontes
06d33c16b5
Allow to disable NGINX metrics 2018-12-05 10:14:35 -03:00
Fabian Topfstedt
1e31767b51 [1759] Ingress affinity session cookie with Secure flag for HTTPS 
Signed-off-by: Fabian Topfstedt <topfstedt@schneevonmorgen.com>
 2018-12-04 10:51:52 +01:00
Elvin Efendi
a4bad90f1f fix an ewma unit test 2018-12-03 15:56:58 +04:00
Elvin Efendi
4eabd535f9 be consistent with what Nginx supports 2018-12-02 22:20:56 +04:00
Andre Marianiello
b80b19902a Use opentracing_grpc_propagate_context when necessary 2018-12-01 16:31:10 -05:00
Elvin Efendi
7ae2583ff9 dynamic certificate mode should support widlcard hosts 2018-11-29 15:41:34 +04:00
Manuel Alejandro de Brito Fontes
c4d6e8f55d Fix nginx directory permissions 2018-11-27 23:05:18 -03:00
Elvin Efendi
c03ac375ef test for ewma:after_balance function 2018-11-26 17:20:26 +04:00
Elvin Efendi
f81f06151d store ewma stats per backend 2018-11-26 16:59:26 +04:00
k8s-ci-robot
8aac340203
Merge pull request #3453 from Shopify/monitor-fixes 
Monitor fixes
 2018-11-21 09:28:24 -08:00
Elvin Efendi
d8b928f501 remove already unused endpoint metric 2018-11-21 20:05:44 +04:00
Elvin Efendi
068d633e81 fix Status key conflic, fixes https://github.com/kubernetes/ingress-nginx/issues/3451 2018-11-21 20:03:15 +04:00
Manuel Alejandro de Brito Fontes
35b8023dc8 Match body buffer to max upload size 2018-11-20 15:06:03 -03:00
Zenara Daley
2b109b360b Only set cookies on paths that enable session affinity 2018-11-19 11:42:12 -05:00
k8s-ci-robot
82721e575d
Merge pull request #3372 from Shopify/session-cookie-path 
Add annotation for session affinity path
 2018-11-19 07:25:32 -08:00
Zenara Daley
50b29feb4a Add annotation for session affinity path 2018-11-19 09:15:24 -05:00
k8s-ci-robot
bf7ad0daca
Merge pull request #3374 from aledbf/restore-tcp-udp 
Revert removal of support for TCP and UDP services
 2018-11-18 08:33:29 -08:00
Manuel Alejandro de Brito Fontes
af2dce901d
Fix tests 2018-11-18 08:17:18 -03:00
k8s-ci-robot
34598e71e0
Merge pull request #3428 from aledbf/set-variables 
Set proxy_host variable to avoid using default value from proxy_pass
 2018-11-18 02:17:49 -08:00
k8s-ci-robot
442b01e5e8
Merge pull request #3400 from diazjf/more-modsecurity 
Add Snippet for ModSecurity
 2018-11-17 03:35:53 -08:00
Manuel Alejandro de Brito Fontes
654eceda46
Add tcp e2e test 2018-11-16 21:07:52 -03:00
Manuel Alejandro de Brito Fontes
a2d50c2cd6
Set proxy_host variable to avoid using default value from proxy_pass 2018-11-16 14:55:53 -03:00
Manuel Alejandro de Brito Fontes
168f30d1ec Revert removal of support for TCP and UDP services 2018-11-16 13:48:47 -03:00
Fernando Diaz
95b3042b6e Add a Snippet for ModSecurity 
Allows for the configuration of Mod Security rules via
a Snippet.
 2018-11-14 23:31:27 -06:00
Maxime Ginters
20b095f444 Fix X-Forwarded-Proto typo 2018-11-14 10:19:31 -05:00
k8s-ci-robot
a22c656f30
Merge pull request #3409 from Shopify/client-max-body-size 
Convert isValidClientBodyBufferSize to something more generic
 2018-11-13 08:36:06 -08:00
Maxime Ginters
0f3e2b9bf0 Convert isValidClientBodyBufferSize to something more generic and use it for client_max_body_size 2018-11-13 10:11:40 -05:00