NGINX: Remove inline Lua from template. (#11806)

Ricardo Katz 2024-09-08 18:48:12 -03:00 committed by GitHub
parent ee61440780
commit 6510535ae0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
30 changed files with 361 additions and 233 deletions


@ -1,4 +1,5 @@
local ngx_re_split = require("ngx.re").split
local string_to_bool = require("util").string_to_bool
local certificate_configured_for_current_request =
require("certificate").configured_for_current_request
@ -108,7 +109,16 @@ end
-- rewrite gets called in every location context.
-- This is where we do variable assignments to be used in subsequent
-- phases or redirection
function _M.rewrite(location_config)
function _M.rewrite()
local location_config = {
force_ssl_redirect = string_to_bool(ngx.var.force_ssl_redirect),
ssl_redirect = string_to_bool(ngx.var.ssl_redirect),
force_no_ssl_redirect = string_to_bool(ngx.var.force_no_ssl_redirect),
preserve_trailing_slash = string_to_bool(ngx.var.preserve_trailing_slash),
use_port_in_redirects = string_to_bool(ngx.var.use_port_in_redirects),
}
ngx.var.pass_access_scheme = ngx.var.scheme
ngx.var.best_http_host = ngx.var.http_host or ngx.var.host
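Review bot: `string_to_bool` returns false for nil, so in the new `location_config` table any of the five `ngx.var.*` reads that comes back unset silently turns that option off; for `force_ssl_redirect` and `ssl_redirect` the HTTPS redirect would then be skipped with no log line. This presumably relies on the template emitting a `set` for every one of these variables in each location, which is not visible in this hunk, so a custom template or a location that misses one would fail open. Consider logging the unset case, e.g. `if ngx.var.ssl_redirect == nil then ngx.log(ngx.WARN, "ssl_redirect is not set for this location") end`, and adding a comment above the table that says where the variables are defined. The body of `rewrite` continues past the end of the hunk.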


@ -0,0 +1,2 @@
local balancer = require("balancer")
balancer.balance()


@ -0,0 +1,2 @@
local tcp_udp_balancer = require("tcp_udp_balancer")
tcp_udp_balancer.balance()


@ -0,0 +1,2 @@
local certificate = require("certificate")
certificate.call()


@ -0,0 +1,2 @@
local configuration = require("configuration")
configuration.call()


@ -0,0 +1,2 @@
local tcp_udp_configuration = require("tcp_udp_configuration")
tcp_udp_configuration.call()


@ -0,0 +1,2 @@
local tcp_udp_balancer = require("tcp_udp_balancer")
tcp_udp_balancer.init_worker()


@ -0,0 +1,9 @@
local configuration = require("configuration")
local backend_data = configuration.get_backends_data()
if not backend_data then
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
return
end
ngx.say("OK")
ngx.exit(ngx.HTTP_OK)


@ -0,0 +1,2 @@
local monitor = require("monitor")
monitor.call()


@ -0,0 +1,11 @@
local balancer = require("balancer")
local monitor = require("monitor")
local luaconfig = ngx.shared.luaconfig
local enablemetrics = luaconfig:get("enablemetrics")
balancer.log()
if enablemetrics then
monitor.call()
end


@ -0,0 +1 @@
ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key))


@ -0,0 +1,2 @@
local lua_ingress = require("lua_ingress")
lua_ingress.header()


@ -0,0 +1,5 @@
local lua_ingress = require("lua_ingress")
local balancer = require("balancer")
lua_ingress.rewrite()
balancer.rewrite()


@ -0,0 +1,24 @@
local request_uri = ngx.var.request_uri
local redirect_to = ngx.arg[1]
local luaconfig = ngx.shared.luaconfig
local use_forwarded_headers = luaconfig:get("use_forwarded_headers")
if string.sub(request_uri, -1) == "/" then
request_uri = string.sub(request_uri, 1, -2)
end
local redirectScheme = ngx.var.scheme
local redirectPort = ngx.var.server_port
if use_forwarded_headers then
if ngx.var.http_x_forwarded_proto then
redirectScheme = ngx.var.http_x_forwarded_proto
end
if ngx.var.http_x_forwarded_port then
redirectPort = ngx.var.http_x_forwarded_port
end
end
return string.format("%s://%s:%s%s", redirectScheme,
redirect_to, redirectPort, request_uri)
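Review bot: When `use_forwarded_headers` is on, the `X-Forwarded-Proto` and `X-Forwarded-Port` request headers are copied into `redirectScheme` and `redirectPort` and formatted straight into the redirect target without any check on their shape. Since the result becomes the `Location` value, the scheme should be limited to `http`/`https` and the port to digits, falling back to `ngx.var.scheme` and `ngx.var.server_port` otherwise, as sketched below. Separately, the port is now always appended and defaults to `ngx.var.server_port`, whereas the removed template block added a port only when the configured HTTPS listen port was not 443; if that change is intended, a comment at the top of the file should say so.

```lua
-- … unchanged: request_uri trimming, redirectScheme/redirectPort defaults …
if use_forwarded_headers then
  local fwd_proto = ngx.var.http_x_forwarded_proto
  if fwd_proto == "http" or fwd_proto == "https" then
    redirectScheme = fwd_proto
  end
  local fwd_port = ngx.var.http_x_forwarded_port
  if fwd_port and string.find(fwd_port, "^%d+$") then
    redirectPort = fwd_port
  end
end
-- … unchanged: return string.format(...) …
```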


@ -0,0 +1,53 @@
local cjson = require("cjson.safe")
collectgarbage("collect")
local f = io.open("/etc/nginx/lua/cfg.json", "r")
local content = f:read("*a")
f:close()
local configfile = cjson.decode(content)
local luaconfig = ngx.shared.luaconfig
luaconfig:set("enablemetrics", configfile.enable_metrics)
luaconfig:set("use_forwarded_headers", configfile.use_forwarded_headers)
-- init modules
local ok, res
ok, res = pcall(require, "lua_ingress")
if not ok then
error("require failed: " .. tostring(res))
else
lua_ingress = res
lua_ingress.set_config(configfile)
end
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
if not configfile.listen_ports.status_port then
error("required status port not found")
end
configuration.prohibited_localhost_port = configfile.listen_ports.status_port
end
ok, res = pcall(require, "balancer")
if not ok then
error("require failed: " .. tostring(res))
else
balancer = res
end
if configfile.enable_metrics then
ok, res = pcall(require, "monitor")
if not ok then
error("require failed: " .. tostring(res))
else
monitor = res
end
end
ok, res = pcall(require, "certificate")
if not ok then
error("require failed: " .. tostring(res))
else
certificate = res
if configfile.enable_ocsp then
certificate.is_ocsp_stapling_enabled = configfile.enable_ocsp
end
end
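Review bot: Neither the `io.open` result nor the `cjson.decode` result is checked, so a missing or malformed /etc/nginx/lua/cfg.json surfaces as an "attempt to index a nil value" error instead of a message naming the file; `cjson.safe` returns nil plus an error string rather than raising. Writing `local f = assert(io.open("/etc/nginx/lua/cfg.json", "r"))` and `local configfile = assert(cjson.decode(content))` keeps startup failing closed with a usable message. The same pattern appears in the stream init file and the worker init file. Also, the removed template assigned `prohibited_localhost_port` as a quoted string, while here it takes whatever type cfg.json holds for `listen_ports.status_port`. If that is a number, any string comparison against it elsewhere would stop matching, which is worth confirming because the name suggests it guards the status port.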


@ -0,0 +1,30 @@
local cjson = require("cjson.safe")
collectgarbage("collect")
local f = io.open("/etc/nginx/lua/cfg.json", "r")
local content = f:read("*a")
f:close()
local configfile = cjson.decode(content)
-- init modules
local ok, res
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
end
ok, res = pcall(require, "tcp_udp_configuration")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_configuration = res
if not configfile.listen_ports.status_port then
error("required status port not found")
end
tcp_udp_configuration.prohibited_localhost_port = configfile.listen_ports.status_port
end
ok, res = pcall(require, "tcp_udp_balancer")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_balancer = res
end


@ -0,0 +1,15 @@
local cjson = require("cjson.safe")
local f = io.open("/etc/nginx/lua/cfg.json", "r")
local content = f:read("*a")
f:close()
local configfile = cjson.decode(content)
local lua_ingress = require("lua_ingress")
local balancer = require("balancer")
local monitor = require("monitor")
lua_ingress.init_worker()
balancer.init_worker()
if configfile.enable_metrics and configfile.monitor_batch_max_size then
monitor.init_worker(configfile.monitor_batch_max_size)
end


@ -146,6 +146,10 @@ function _M.is_blank(str)
return str == nil or string_len(str) == 0
end
function _M.string_to_bool(str)
return str == "true"
end
-- this implementation is taken from:
-- https://github.com/luafun/luafun/blob/master/fun.lua#L33
-- SHA: 04c99f9c393e54a604adde4b25b794f48104e0d0


@ -68,60 +68,11 @@ http {
{{ buildLuaSharedDictionaries $cfg $servers }}
init_by_lua_block {
collectgarbage("collect")
lua_shared_dict luaconfig 5m;
-- init modules
local ok, res
init_by_lua_file /etc/nginx/lua/ngx_conf_init.lua;
ok, res = pcall(require, "lua_ingress")
if not ok then
error("require failed: " .. tostring(res))
else
lua_ingress = res
lua_ingress.set_config({{ configForLua $all }})
end
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
configuration.prohibited_localhost_port = '{{ .StatusPort }}'
end
ok, res = pcall(require, "balancer")
if not ok then
error("require failed: " .. tostring(res))
else
balancer = res
end
{{ if $all.EnableMetrics }}
ok, res = pcall(require, "monitor")
if not ok then
error("require failed: " .. tostring(res))
else
monitor = res
end
{{ end }}
ok, res = pcall(require, "certificate")
if not ok then
error("require failed: " .. tostring(res))
else
certificate = res
certificate.is_ocsp_stapling_enabled = {{ $cfg.EnableOCSP }}
end
}
init_worker_by_lua_block {
lua_ingress.init_worker()
balancer.init_worker()
{{ if $all.EnableMetrics }}
monitor.init_worker({{ $all.MonitorMaxBatchSize }})
{{ end }}
}
init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua;
{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
{{/* we use the value of the real IP for the geo_ip module */}}
@ -539,9 +490,7 @@ http {
server 0.0.0.1; # placeholder
balancer_by_lua_block {
balancer.balance()
}
balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer.lua;
{{ if (gt $cfg.UpstreamKeepaliveConnections 0) }}
keepalive {{ $cfg.UpstreamKeepaliveConnections }};
@ -606,9 +555,7 @@ http {
{{ buildHTTPListener $all $redirect.From }}
{{ buildHTTPSListener $all $redirect.From }}
ssl_certificate_by_lua_block {
certificate.call()
}
ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua;
{{ if gt (len $cfg.BlockUserAgents) 0 }}
if ($block_ua) {
@ -621,30 +568,7 @@ http {
}
{{ end }}
set_by_lua_block $redirect_to {
local request_uri = ngx.var.request_uri
if string.sub(request_uri, -1) == "/" then
request_uri = string.sub(request_uri, 1, -2)
end
{{ if $cfg.UseForwardedHeaders }}
local redirectScheme
if not ngx.var.http_x_forwarded_proto then
redirectScheme = ngx.var.scheme
else
redirectScheme = ngx.var.http_x_forwarded_proto
end
{{ else }}
local redirectScheme = ngx.var.scheme
{{ end }}
{{ if ne $all.ListenPorts.HTTPS 443 }}
{{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
return string.format("%s://%s%s%s", redirectScheme, "{{ $redirect.To }}", "{{ $redirect_port }}", request_uri)
{{ else }}
return string.format("%s://%s%s", redirectScheme, "{{ $redirect.To }}", request_uri)
{{ end }}
}
set_by_lua_file $redirect_to /etc/nginx/lua/nginx/ngx_srv_redirect.lua {{ $redirect.To }};
return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to;
}
@ -739,17 +663,7 @@ http {
}
location /is-dynamic-lb-initialized {
content_by_lua_block {
local configuration = require("configuration")
local backend_data = configuration.get_backends_data()
if not backend_data then
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
return
end
ngx.say("OK")
ngx.exit(ngx.HTTP_OK)
}
content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_is_dynamic_lb_initialized.lua;
}
location {{ .StatusPath }} {
@ -761,15 +675,11 @@ http {
client_body_buffer_size {{ luaConfigurationRequestBodySize $cfg }};
proxy_buffering off;
content_by_lua_block {
configuration.call()
}
content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_configuration.lua;
}
location / {
content_by_lua_block {
ngx.exit(ngx.HTTP_NOT_FOUND)
}
return 404;
}
}
}
@ -781,39 +691,9 @@ stream {
{{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
init_by_lua_block {
collectgarbage("collect")
init_by_lua_file /etc/nginx/lua/ngx_conf_init_stream.lua;
-- init modules
local ok, res
ok, res = pcall(require, "configuration")
if not ok then
error("require failed: " .. tostring(res))
else
configuration = res
end
ok, res = pcall(require, "tcp_udp_configuration")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_configuration = res
tcp_udp_configuration.prohibited_localhost_port = '{{ .StatusPort }}'
end
ok, res = pcall(require, "tcp_udp_balancer")
if not ok then
error("require failed: " .. tostring(res))
else
tcp_udp_balancer = res
end
}
init_worker_by_lua_block {
tcp_udp_balancer.init_worker()
}
init_worker_by_lua_file /etc/nginx/lua/nginx/ngx_conf_init_tcp_udp.lua;
lua_add_variable $proxy_upstream_name;
@ -835,10 +715,7 @@ stream {
upstream upstream_balancer {
server 0.0.0.1:1234; # placeholder
balancer_by_lua_block {
tcp_udp_balancer.balance()
}
balancer_by_lua_file /etc/nginx/lua/nginx/ngx_conf_balancer_tcp_udp.lua;
}
server {
@ -846,9 +723,7 @@ stream {
access_log off;
content_by_lua_block {
tcp_udp_configuration.call()
}
content_by_lua_file /etc/nginx/lua/nginx/ngx_conf_content_tcp_udp.lua;
}
# TCP services
@ -948,11 +823,9 @@ stream {
rewrite (.*) / break;
proxy_pass http://upstream_balancer;
log_by_lua_block {
{{ if $enableMetrics }}
monitor.call()
{{ end }}
}
{{ if $enableMetrics }}
log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log.lua;
{{ end }}
}
{{ end }}
{{ end }}
@ -1012,9 +885,7 @@ stream {
ssl_reject_handshake {{ if $all.Cfg.SSLRejectHandshake }}on{{ else }}off{{ end }};
{{ end }}
ssl_certificate_by_lua_block {
certificate.call()
}
ssl_certificate_by_lua_file /etc/nginx/lua/nginx/ngx_conf_certificate.lua;
{{ if not (empty $server.AuthTLSError) }}
# {{ $server.AuthTLSError }}
@ -1115,9 +986,7 @@ stream {
set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}';
set $cache_key '';
rewrite_by_lua_block {
ngx.var.cache_key = ngx.encode_base64(ngx.sha1_bin(ngx.var.tmp_cache_key))
}
rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_conf_rewrite_auth.lua;
proxy_cache auth_cache;
@ -1250,27 +1119,13 @@ stream {
mirror_request_body {{ $location.Mirror.RequestBody }};
{{ end }}
rewrite_by_lua_block {
lua_ingress.rewrite({{ locationConfigForLua $location $all }})
balancer.rewrite()
}
{{ locationConfigForLua $location $all }}
# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
# will always succeed when there's `access_by_lua_block` that does not have any lua code doing `ngx.exit(ngx.DECLINED)`
# other authentication method such as basic auth or external auth useless - all requests will be allowed.
#access_by_lua_block {
#}
rewrite_by_lua_file /etc/nginx/lua/nginx/ngx_rewrite.lua;
header_filter_by_lua_block {
lua_ingress.header()
}
header_filter_by_lua_file /etc/nginx/lua/nginx/ngx_conf_srv_hdr_filter.lua;
log_by_lua_block {
balancer.log()
{{ if $all.EnableMetrics }}
monitor.call()
{{ end }}
}
log_by_lua_file /etc/nginx/lua/nginx/ngx_conf_log_block.lua;
{{ if not $location.Logs.Access }}
access_log off;