* Add a flag to enable or disable aio_write
Signed-off-by: z1cheng <imchench@gmail.com>
* Fix e2e test for aio_write
Signed-off-by: z1cheng <imchench@gmail.com>
* Remove redundant spaces to fix the 2e test
Signed-off-by: z1cheng <imchench@gmail.com>
---------
Signed-off-by: z1cheng <imchench@gmail.com>
* Add validation to all annotations
* Add annotation validation for fcgi
* Fix reviews and fcgi e2e
* Add flag to disable cross namespace validation
* Add risk, flag for validation, tests
* Add missing formating
* Enable validation by default on tests
* Test validation flag
* remove ajp from list
* Finalize validation changes
* Add validations to CI
* Update helm docs
* Fix code review
* Use a better name for annotation risk
* datadog: sample_rate omitted by default
* config: use *float32 with nil instead of float32 with sentinel value
* change some names
* gofmt -s -w internal/ingress/controller/nginx.go
* Remove variables with $ before feeding into url.Parse
Signed-off-by: Gerald Pape <gerald@giantswarm.io>
* Do not render invalid request mirroring config
Signed-off-by: Gerald Pape <gerald@giantswarm.io>
* Remove additional note from docs again
Signed-off-by: Gerald Pape <gerald@giantswarm.io>
* Include quotes in e2e test for mirror proxy_pass
---------
Signed-off-by: Gerald Pape <gerald@giantswarm.io>
We can use alternative functions to avoid unnecessary byte/string
conversion calls and reduce allocations.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* exclude creation and exporting of socket metrics via flag
* make exclude metric naming more consistent
* fix connect time metric update
* add documentation
* e2e test
* improve creation of metric mapping
* Rework Ginkgo usage
Currently Ginkgo is launched multiple times with different options to
accomodate various use-cases. In particular, some specs needs to be run
sequentially because non-namespaced objects are created that conflicts
with concurent Helm deployments.
However Ginkgo is able to handle such cases natively, in particular
specs that needs to be run sequentially are supported (Serial spec).
This commit marks the specs that needs to be run sequentially as Serial
specs and runs the whole test suite from a single Ginkgo invocation. As
a result, a single JUnit report is now generated.
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* Fix controller error in test
Error getting ConfigMap "$NAMESPACE/tcp-services": no object matching key "$NAMESPACE/tcp-services" in local store
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* Replace "go get" invocations by "go install"
Executing "go get" changes the go.mod & go.sum files which is not the
case of "go install".
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* Always clean out the Helm deployment
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* Add E2E test to verify that changes to one or more configmap trigger an update
Signed-off-by: Hervé Werner <dud225@hotmail.com>
---------
Signed-off-by: Hervé Werner <dud225@hotmail.com>
* update path type validation to be false and update e2e test scripts
Signed-off-by: James Strong <strong.james.e@gmail.com>
* update to make tests clear
Signed-off-by: James Strong <strong.james.e@gmail.com>
* update test params
Signed-off-by: James Strong <strong.james.e@gmail.com>
* Adding else per pr comments
Signed-off-by: James Strong <james.strong@chainguard.dev>
---------
Signed-off-by: James Strong <strong.james.e@gmail.com>
Signed-off-by: James Strong <james.strong@chainguard.dev>
* deps: bump k8s dependencies to remove go-autorest
* fix: update use of apiv1.LoadBalancerIngress
Due to changes in the Kubernetes API, we needed to switch to using
v1.IngressLoadBalancerIngress instead of apiv1.LoadBalancerIngress. The
struct is otherwise identical despite the name change.
* fix ingress status test cases
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
Signed-off-by: Ismayil Mirzali <ismayilmirzeli@gmail.com>
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
Signed-off-by: Ismayil Mirzali <ismayilmirzeli@gmail.com>
Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com>
* feat: Add support for IP Deny List
* fixed gomod
* Update package
* go mod tidy
* Revert "go mod tidy"
This reverts commit e6a837e1e7.
* update ginko version
* Updates e2e tests
* fix test typo
* clean prometheus metrics
- add new histogram metrics with consistent names
- deprecate summary metrics with inconsistent names
* update prometheus metrics tests
* remove ingress_upstream_header_seconds metric
It hasn't been released so it is safe. Use header_duration_seconds metric.
* add documentation on prometheus metrics
* Support none keyword in log-format escape
## What this PR does / why we need it:
ingress-nginx does not support disabling escaping of special characters in the nginx log. This PR exposes the setting to support that functionality.
## Types of changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Documentation only
## Which issue/s this PR fixes
<!--
(optional, in `fixes #<issue number>` format, will close that issue when PR gets merged):
fixes #
-->
## How Has This Been Tested?
Followed the [getting-started](96b6228a6b/docs/developer-guide/getting-started.md) guide. Used ppa:longsleep/golang-backports on WSL Ubuntu to establish a golang-1.18 environment with latest docker and recommended kind. Built the dev-env successfully; had issues with make test, but they are entirely unrelated to anything I touched. Ultimate test was
```
FOCUS=log-format make kind-e2e-test
...
Ginkgo ran 1 suite in 6m29.7437865s
Test Suite Passed
```
## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] My change requires a change to the documentation.
- [x] I have updated the documentation accordingly.
- [x] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide
- [x] I have added tests to cover my changes.
- [x] All new and existing tests passed.
I did not update docs/e2e-tests.md.
* gofmt -s ./internal/ingress/controller/config/config.go
This adds the new annotation `nginx.ingress.kubernetes.io/session-cookie-domain`
for setting the cookie `Domain` attribute of the sticky cookie.
Signed-off-by: Matthias Neugebauer <mtneug@mailbox.org>
Signed-off-by: Matthias Neugebauer <mtneug@mailbox.org>
We removed the use of configmap as an election lock, so we will use the
Lease API to complete the election.
Before this, we used `MultiLock` to facilitate smooth migration of
existing users of ingress-nginx from configmap to LeaseLock.
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
* Improve path rule
* Add nginx configuration tests
* Revert framework changes
* Add test to patched directives
* Fix root conf test
* Add comment in new function
When creating several ingresses at the same time a race condition can
happen by modifying a variable deep in another object. When this race
condition is triggered the generated nginx configuration is broken:
```
nginx: [emerg] invalid parameter "8.8.8.8/32,8" in /tmp/nginx-cfg4027854160:671
nginx: configuration file /tmp/nginx-cfg4027854160 test failed
```
Once it happens, the controller won't ever be able to generate the
configuration again. Thus the only option is to restart the process.
There is not really a good way to reproduce this issue. It happens quite
sporadically every 2 or 3 days. However, after this fix has been
applied, we haven't seen it happen after about 4 weeks.
Co-authored-by: Ruud van der Weijde <ruudvanderweijde@gmail.com>
This commit introduces a backwards compatible command line option
--report-status-classes which will enable reporting response status classes
(2xx, 3xx..) instead of status codes in exported metrics.
* disable modsecurity on error page
* fix modsecurity error pages test
* fix variable in nginx template
* disable modsecurity on all internal locations
* fix pipeline checks for gofmt
Signed-off-by: Florian Michel <florianmichel@hotmail.de>
X-CustomHeader looks more like an example than a header we would want to
accept in production. Added Range as a useful header that enables
operations on resources that can be fetched in chunks.
* nginx 1.19.10 keepalive_time parameter
* nginx v1.19.10 base image
* keepalive_time documentation
* base image
* restore base image
* e2e test
* replace default value in test
* Initial work on chrooting nginx process
* More improvements in chroot
* Fix charts and some file locations
* Fix symlink on non chrooted container
* fix psp test
* Add e2e tests to chroot image
* Fix logger
* Add internal logger in controller
* Fix overlay for chrooted tests
* Fix tests
* fix boilerplates
* Fix unittest to point to the right pid
* Fix PR review
* Add keepalive support for auth requests
* Fix typo
* Address PR comments
* Log warning when auth-url contains variable in its host:port
* Generate upstream name without replacing dots to underscores in server name
* Add comment in the nginx template when the keepalive upstream block is referenced
* Workaround for auth_request module ignores keepalive in upstream block
* The `auth_request` module does not support HTTP keepalives in upstream block:
https://trac.nginx.org/nginx/ticket/1579
* As a workaround we use ngx.location.capture but unfortunately it does not
support HTTP/2 so `use-http2` configuration parameter is needed.
* Handle PR comments
* Address PR comments
* Handle invalid values for int parameters
* Handle PR comments
* Fix e2e test
When the ingress controller loads certificates (new ones or following a
secret update), it performs a series of check to ensure its validity.
In our systems, we detected a case where, when the secret object is
compromised, for example when the certificate does not match the secret
key, different pods of the ingress controller are serving a different
version of the certificate.
This behaviour is due to the cache mechanism of the ingress controller,
keeping the last known certificate in case of corruption. When this
happens, old ingress-controller pods will keep serving the old one,
while new pods, by failing to load the corrupted certificates, would
use the default certificate, causing invalid certificates for its
clients.
This generates a random error on the client side, depending on the
actual pod instance it reaches.
In order to allow detecting occurences of those situations, add a metric
to expose, for all ingress controlller pods, detailed informations of
the currently loaded certificate.
This will, for example, allow setting an alert when there is a
certificate discrepency across all ingress controller pods using a query
similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)`
This also allows to catch other exceptions loading certificates (failing
to load the certificate from the k8s API, ...
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
* fix inconsistent-label-cardinality
for prometheus metrics: nginx_ingress_controller_requests
* add host to collectorLabels only if metricsPerHost is true
