## What this PR does / why we need it:
In https://github.com/kubernetes/ingress-nginx/issues/5651 there was a
request to throw an error when there are two ingresses defining the same
host and path, which was implemented as part of the validation webhook.
Despite of this there are clear rules on the ingress controller that
describes what the controller would do in [such situation (the oldest
rule wins)](https://github.com/kubernetes/ingress-nginx/blob/main/docs/how-it-works.md?plain=1#L27)
Some users are relying on this validation behaviour to prevent
misconfigurations, but there are use cases where allowing it, maybe
temporarily, is helpful. Those use cases includes:
- Splitting large ingresses objects in smaller ones https://github.com/kubernetes/ingress-nginx/issues/10820
- Moving ingress objects between namespaces without downtime (like when you transfer an ingress from team A that owns namespace A to team B that owns namespace B) https://github.com/kubernetes/ingress-nginx/issues/10090
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
## Types of changes
- [ ] Bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds functionality)
- [ ] CVE Report (Scanner found CVE and adding report)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] Documentation only
## Which issue/s this PR fixes
It might help with #10820
<!--- Please describe in detail how you tested your changes. -->
<!--- Include details of your testing environment, and the tests you ran to -->
<!--- see how your change affects other areas of the code, etc. -->
## How Has This Been Tested?
building an image and testing it in a local cluster, will update later
with some real life scenarios
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
## Checklist:
- [X] My change requires a change to the documentation.
- [ ] I have updated the documentation accordingly.
- [X] I've read the [CONTRIBUTION](https://github.com/kubernetes/ingress-nginx/blob/main/CONTRIBUTING.md) guide
- [X] I have added unit and/or e2e tests to cover my changes.
- [X] All new and existing tests passed.
Change-Id: I9d4124d1c36876b06d63100cd10988eaf2f41db9
* added proxy-intercept-errors config option
* fixed error when comparing locations
* fixed missing location config from annotation
added e2e test
* reversed logic for proxy-intercept-errors to disable-proxy-intercept-errors
* reversed logic to disable-proxy-intercept-errors
* reversed logic
* default has to be false
* put comment in same line as return
* run gofmt
* fixing wrong Boilerplate header
* updated code to new IngressAnnotation interface
* fixes to satisfy PR comments
* synced with upstream; fixed typo
* gofumpt disableproxyintercepterrors.go
* gofumpt
* Add validation to all annotations
* Add annotation validation for fcgi
* Fix reviews and fcgi e2e
* Add flag to disable cross namespace validation
* Add risk, flag for validation, tests
* Add missing formating
* Enable validation by default on tests
* Test validation flag
* remove ajp from list
* Finalize validation changes
* Add validations to CI
* Update helm docs
* Fix code review
* Use a better name for annotation risk
* exclude creation and exporting of socket metrics via flag
* make exclude metric naming more consistent
* fix connect time metric update
* add documentation
* e2e test
* improve creation of metric mapping
* update path type validation to be false and update e2e test scripts
Signed-off-by: James Strong <strong.james.e@gmail.com>
* update to make tests clear
Signed-off-by: James Strong <strong.james.e@gmail.com>
* update test params
Signed-off-by: James Strong <strong.james.e@gmail.com>
* Adding else per pr comments
Signed-off-by: James Strong <james.strong@chainguard.dev>
---------
Signed-off-by: James Strong <strong.james.e@gmail.com>
Signed-off-by: James Strong <james.strong@chainguard.dev>
* feat: Add support for IP Deny List
* fixed gomod
* Update package
* go mod tidy
* Revert "go mod tidy"
This reverts commit e6a837e1e7.
* update ginko version
* Updates e2e tests
* fix test typo
This adds the new annotation `nginx.ingress.kubernetes.io/session-cookie-domain`
for setting the cookie `Domain` attribute of the sticky cookie.
Signed-off-by: Matthias Neugebauer <mtneug@mailbox.org>
Signed-off-by: Matthias Neugebauer <mtneug@mailbox.org>
This commit introduces a backwards compatible command line option
--report-status-classes which will enable reporting response status classes
(2xx, 3xx..) instead of status codes in exported metrics.
* Initial work on chrooting nginx process
* More improvements in chroot
* Fix charts and some file locations
* Fix symlink on non chrooted container
* fix psp test
* Add e2e tests to chroot image
* Fix logger
* Add internal logger in controller
* Fix overlay for chrooted tests
* Fix tests
* fix boilerplates
* Fix unittest to point to the right pid
* Fix PR review
When the ingress controller loads certificates (new ones or following a
secret update), it performs a series of check to ensure its validity.
In our systems, we detected a case where, when the secret object is
compromised, for example when the certificate does not match the secret
key, different pods of the ingress controller are serving a different
version of the certificate.
This behaviour is due to the cache mechanism of the ingress controller,
keeping the last known certificate in case of corruption. When this
happens, old ingress-controller pods will keep serving the old one,
while new pods, by failing to load the corrupted certificates, would
use the default certificate, causing invalid certificates for its
clients.
This generates a random error on the client side, depending on the
actual pod instance it reaches.
In order to allow detecting occurences of those situations, add a metric
to expose, for all ingress controlller pods, detailed informations of
the currently loaded certificate.
This will, for example, allow setting an alert when there is a
certificate discrepency across all ingress controller pods using a query
similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)`
This also allows to catch other exceptions loading certificates (failing
to load the certificate from the k8s API, ...
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
