Merge branch 'upstream' into nginx/extauth_headers
This commit is contained in:
rsafronov
commit
6d07d32003
63 changed files with 1075 additions and 218 deletions
|
|
@ -1,5 +1,74 @@
|
|||
Changelog
|
||||
|
||||
### 0.9-beta.3
|
||||
|
||||
**Image:** `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.3`
|
||||
|
||||
*New Features:*
|
||||
|
||||
- Custom log formats using `log-format-upstream` directive in the configuration configmap.
|
||||
- Force redirect to SSL using the annotation `ingress.kubernetes.io/force-ssl-redirect`
|
||||
- Prometheus metric for VTS status module (transparent, just enable vts stats)
|
||||
- Improved external authentication adding `ingress.kubernetes.io/auth-signin` annotation. Please check this [example](https://github.com/kubernetes/ingress/tree/master/examples/external-auth/nginx)
|
||||
|
||||
|
||||
*Breaking changes:*
|
||||
|
||||
- `ssl-dh-param` configuration in configmap is now the name of a secret that contains the Diffie-Hellman key
|
||||
|
||||
*Changes:*
|
||||
|
||||
- [X] [#433](https://github.com/kubernetes/ingress/pull/433) close over the ingress variable or the last assignment will be used
|
||||
- [X] [#424](https://github.com/kubernetes/ingress/pull/424) Manually sync secrets from certificate authentication annotations
|
||||
- [X] [#423](https://github.com/kubernetes/ingress/pull/423) Scrap json metrics from nginx vts module when enabled
|
||||
- [X] [#418](https://github.com/kubernetes/ingress/pull/418) Only update Ingress status for the configured class
|
||||
- [X] [#415](https://github.com/kubernetes/ingress/pull/415) Improve external authentication docs
|
||||
- [X] [#410](https://github.com/kubernetes/ingress/pull/410) Add support for "signin url"
|
||||
- [X] [#409](https://github.com/kubernetes/ingress/pull/409) Allow custom http2 header sizes
|
||||
- [X] [#408](https://github.com/kubernetes/ingress/pull/408) Review docs
|
||||
- [X] [#406](https://github.com/kubernetes/ingress/pull/406) Add debug info and fix spelling
|
||||
- [X] [#402](https://github.com/kubernetes/ingress/pull/402) allow specifying custom dh param
|
||||
- [X] [#397](https://github.com/kubernetes/ingress/pull/397) Fix external auth
|
||||
- [X] [#394](https://github.com/kubernetes/ingress/pull/394) Update README.md
|
||||
- [X] [#392](https://github.com/kubernetes/ingress/pull/392) Fix http2 header size
|
||||
- [X] [#391](https://github.com/kubernetes/ingress/pull/391) remove tmp nginx-diff files
|
||||
- [X] [#390](https://github.com/kubernetes/ingress/pull/390) Fix RateLimit comment
|
||||
- [X] [#385](https://github.com/kubernetes/ingress/pull/385) add Copyright
|
||||
- [X] [#382](https://github.com/kubernetes/ingress/pull/382) Ingress Fake Certificate generation
|
||||
- [X] [#380](https://github.com/kubernetes/ingress/pull/380) Fix custom log format
|
||||
- [X] [#373](https://github.com/kubernetes/ingress/pull/373) Cleanup
|
||||
- [X] [#371](https://github.com/kubernetes/ingress/pull/371) add configuration to disable listening on ipv6
|
||||
- [X] [#370](https://github.com/kubernetes/ingress/pull/270) Add documentation for ingress.kubernetes.io/force-ssl-redirect
|
||||
- [X] [#369](https://github.com/kubernetes/ingress/pull/369) Minor text fix for "ApiServer"
|
||||
- [X] [#367](https://github.com/kubernetes/ingress/pull/367) BuildLogFormatUpstream was always using the default log-format
|
||||
- [X] [#366](https://github.com/kubernetes/ingress/pull/366) add_judgment
|
||||
- [X] [#365](https://github.com/kubernetes/ingress/pull/365) add ForceSSLRedirect ingress annotation
|
||||
- [X] [#364](https://github.com/kubernetes/ingress/pull/364) Fix error caused by increasing proxy_buffer_size (#363)
|
||||
- [X] [#362](https://github.com/kubernetes/ingress/pull/362) Fix ingress class
|
||||
- [X] [#360](https://github.com/kubernetes/ingress/pull/360) add example of 'run multiple nginx ingress controllers as a deployment'
|
||||
- [X] [#358](https://github.com/kubernetes/ingress/pull/358) Checks if the TLS secret contains a valid keypair structure
|
||||
- [X] [#356](https://github.com/kubernetes/ingress/pull/356) Disable listen only on ipv6 and fix proxy_protocol
|
||||
- [X] [#354](https://github.com/kubernetes/ingress/pull/354) add judgment
|
||||
- [X] [#352](https://github.com/kubernetes/ingress/pull/352) Add ability to customize upstream and stream log format
|
||||
- [X] [#351](https://github.com/kubernetes/ingress/pull/351) Enable custom election id for status sync.
|
||||
- [X] [#347](https://github.com/kubernetes/ingress/pull/347) Fix client source IP address
|
||||
- [X] [#345](https://github.com/kubernetes/ingress/pull/345) Fix lint error
|
||||
- [X] [#344](https://github.com/kubernetes/ingress/pull/344) Refactoring of TCP and UDP services
|
||||
- [X] [#343](https://github.com/kubernetes/ingress/pull/343) Fix node lister when --watch-namespace is used
|
||||
- [X] [#341](https://github.com/kubernetes/ingress/pull/341) Do not run coverage check in the default target.
|
||||
- [X] [#340](https://github.com/kubernetes/ingress/pull/340) Add support for specify proxy cookie path/domain
|
||||
- [X] [#337](https://github.com/kubernetes/ingress/pull/337) Fix for formatting error introduced in #304
|
||||
- [X] [#335](https://github.com/kubernetes/ingress/pull/335) Fix for vet complaints:
|
||||
- [X] [#332](https://github.com/kubernetes/ingress/pull/332) Add annotation to customize nginx configuration
|
||||
- [X] [#331](https://github.com/kubernetes/ingress/pull/331) Correct spelling mistake
|
||||
- [X] [#328](https://github.com/kubernetes/ingress/pull/328) fix misspell "affinity" in main.go
|
||||
- [X] [#326](https://github.com/kubernetes/ingress/pull/326) add nginx daemonset example
|
||||
- [X] [#311](https://github.com/kubernetes/ingress/pull/311) Sort stream service ports to avoid extra reloads
|
||||
- [X] [#307](https://github.com/kubernetes/ingress/pull/307) Add docs for body-size annotation
|
||||
- [X] [#306](https://github.com/kubernetes/ingress/pull/306) modify nginx readme
|
||||
- [X] [#304](https://github.com/kubernetes/ingress/pull/304) change 'buildSSPassthrouthUpstreams' to 'buildSSLPassthroughUpstreams'
|
||||
|
||||
|
||||
### 0.9-beta.2
|
||||
|
||||
**Image:** `gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.2`
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ all: push
|
|||
BUILDTAGS=
|
||||
|
||||
# Use the 0.0 tag for testing, it shouldn't clobber any release builds
|
||||
RELEASE?=0.9.0-beta.2
|
||||
RELEASE?=0.9.0-beta.3
|
||||
PREFIX?=gcr.io/google_containers/nginx-ingress-controller
|
||||
GOOS?=linux
|
||||
DOCKER?=gcloud docker --
|
||||
|
|
@ -21,7 +21,7 @@ build: clean
|
|||
-ldflags "-s -w -X ${PKG}/pkg/version.RELEASE=${RELEASE} -X ${PKG}/pkg/version.COMMIT=${COMMIT} -X ${PKG}/pkg/version.REPO=${REPO_INFO}" \
|
||||
-o rootfs/nginx-ingress-controller ${PKG}/pkg/cmd/controller
|
||||
|
||||
container:
|
||||
container: build
|
||||
$(DOCKER) build --pull -t $(PREFIX):$(RELEASE) rootfs
|
||||
|
||||
push: container
|
||||
|
|
@ -50,4 +50,4 @@ vet:
|
|||
@go vet $(shell go list ${PKG}/... | grep -v vendor)
|
||||
|
||||
clean:
|
||||
rm -f nginx-ingress-controller
|
||||
rm -f rootfs/nginx-ingress-controller
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@ The following annotations are supported:
|
|||
|Name |type|
|
||||
|---------------------------|------|
|
||||
|[ingress.kubernetes.io/add-base-url](#rewrite)|true or false|
|
||||
|[ingress.kubernetes.io/app-root](#rewrite)|string|
|
||||
|[ingress.kubernetes.io/affinity](#session-affinity)|true or false|
|
||||
|[ingress.kubernetes.io/auth-realm](#authentication)|string|
|
||||
|[ingress.kubernetes.io/auth-secret](#authentication)|string|
|
||||
|
|
@ -174,7 +175,9 @@ Set the annotation `ingress.kubernetes.io/rewrite-target` to the path expected b
|
|||
|
||||
If the application contains relative links it is possible to add an additional annotation `ingress.kubernetes.io/add-base-url` that will prepend a [`base` tag](https://developer.mozilla.org/en/docs/Web/HTML/Element/base) in the header of the returned HTML from the backend.
|
||||
|
||||
Please check the [rewrite](examples/rewrite/README.md) example.
|
||||
If the Application Root is exposed in a different path and needs to be redirected, the annotation `ingress.kubernetes.io/app-root` might be used.
|
||||
|
||||
Please check the [rewrite](/examples/rewrite/README.md) example.
|
||||
|
||||
|
||||
### Rate limiting
|
||||
|
|
|
|||
|
|
@ -441,7 +441,7 @@ func (n NGINXController) Check(_ *http.Request) error {
|
|||
}
|
||||
defer res.Body.Close()
|
||||
if res.StatusCode != 200 {
|
||||
return fmt.Errorf("Ingress controller is not healthy")
|
||||
return fmt.Errorf("ingress controller is not healthy")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,7 +47,7 @@ const (
|
|||
|
||||
gzipTypes = "application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component"
|
||||
|
||||
logFormatUpstream = `%v - [$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status"`
|
||||
logFormatUpstream = `%v - [$proxy_add_x_forwarded_for] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`
|
||||
|
||||
logFormatStream = `[$time_local] $protocol [$ssl_preread_server_name] [$stream_upstream] $status $bytes_sent $bytes_received $session_time`
|
||||
|
||||
|
|
|
|||
|
|
@ -138,7 +138,7 @@ func (bit BoolToFloat64) UnmarshalJSON(data []byte) error {
|
|||
} else if asString == "0" || asString == "false" {
|
||||
bit = 0
|
||||
} else {
|
||||
return fmt.Errorf(fmt.Sprintf("Boolean unmarshal error: invalid input %s", asString))
|
||||
return fmt.Errorf(fmt.Sprintf("boolean unmarshal error: invalid input %s", asString))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -203,10 +203,16 @@ func buildLocation(input interface{}) string {
|
|||
|
||||
path := location.Path
|
||||
if len(location.Redirect.Target) > 0 && location.Redirect.Target != path {
|
||||
if path == "/" {
|
||||
if path == slash {
|
||||
return fmt.Sprintf("~* %s", path)
|
||||
}
|
||||
return fmt.Sprintf("~* ^%s", path)
|
||||
// baseuri regex will parse basename from the given location
|
||||
baseuri := `(?<baseuri>.*)`
|
||||
if !strings.HasSuffix(path, slash) {
|
||||
// Not treat the slash after "location path" as a part of baseuri
|
||||
baseuri = fmt.Sprintf(`\/?%s`, baseuri)
|
||||
}
|
||||
return fmt.Sprintf(`~* ^%s%s`, path, baseuri)
|
||||
}
|
||||
|
||||
return path
|
||||
|
|
@ -294,13 +300,10 @@ func buildProxyPass(b interface{}, loc interface{}) string {
|
|||
if len(location.Redirect.Target) > 0 {
|
||||
abu := ""
|
||||
if location.Redirect.AddBaseURL {
|
||||
bPath := location.Redirect.Target
|
||||
if !strings.HasSuffix(bPath, slash) {
|
||||
bPath = fmt.Sprintf("%s/", bPath)
|
||||
}
|
||||
|
||||
abu = fmt.Sprintf(`subs_filter '<head(.*)>' '<head$1><base href="$scheme://$server_name%v">' r;
|
||||
subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$server_name%v">' r;
|
||||
// path has a slash suffix, so that it can be connected with baseuri directly
|
||||
bPath := fmt.Sprintf("%s%s", path, "$baseuri")
|
||||
abu = fmt.Sprintf(`subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host%v">' r;
|
||||
subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host%v">' r;
|
||||
`, bPath, bPath)
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -47,33 +47,43 @@ var (
|
|||
rewrite /(.*) /jenkins/$1 break;
|
||||
proxy_pass http://upstream-name;
|
||||
`, false},
|
||||
"redirect /something to /": {"/something", "/", "~* ^/something", `
|
||||
"redirect /something to /": {"/something", "/", `~* ^/something\/?(?<baseuri>.*)`, `
|
||||
rewrite /something/(.*) /$1 break;
|
||||
rewrite /something / break;
|
||||
proxy_pass http://upstream-name;
|
||||
`, false},
|
||||
"redirect /something-complex to /not-root": {"/something-complex", "/not-root", "~* ^/something-complex", `
|
||||
"redirect /end-with-slash/ to /not-root": {"/end-with-slash/", "/not-root", "~* ^/end-with-slash/(?<baseuri>.*)", `
|
||||
rewrite /end-with-slash/(.*) /not-root/$1 break;
|
||||
proxy_pass http://upstream-name;
|
||||
`, false},
|
||||
"redirect /something-complex to /not-root": {"/something-complex", "/not-root", `~* ^/something-complex\/?(?<baseuri>.*)`, `
|
||||
rewrite /something-complex/(.*) /not-root/$1 break;
|
||||
proxy_pass http://upstream-name;
|
||||
`, false},
|
||||
"redirect / to /jenkins and rewrite": {"/", "/jenkins", "~* /", `
|
||||
rewrite /(.*) /jenkins/$1 break;
|
||||
proxy_pass http://upstream-name;
|
||||
subs_filter '<head(.*)>' '<head$1><base href="$scheme://$server_name/jenkins/">' r;
|
||||
subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$server_name/jenkins/">' r;
|
||||
subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/$baseuri">' r;
|
||||
subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/$baseuri">' r;
|
||||
`, true},
|
||||
"redirect /something to / and rewrite": {"/something", "/", "~* ^/something", `
|
||||
"redirect /something to / and rewrite": {"/something", "/", `~* ^/something\/?(?<baseuri>.*)`, `
|
||||
rewrite /something/(.*) /$1 break;
|
||||
rewrite /something / break;
|
||||
proxy_pass http://upstream-name;
|
||||
subs_filter '<head(.*)>' '<head$1><base href="$scheme://$server_name/">' r;
|
||||
subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$server_name/">' r;
|
||||
subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/something/$baseuri">' r;
|
||||
subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/something/$baseuri">' r;
|
||||
`, true},
|
||||
"redirect /something-complex to /not-root and rewrite": {"/something-complex", "/not-root", "~* ^/something-complex", `
|
||||
"redirect /end-with-slash/ to /not-root and rewrite": {"/end-with-slash/", "/not-root", `~* ^/end-with-slash/(?<baseuri>.*)`, `
|
||||
rewrite /end-with-slash/(.*) /not-root/$1 break;
|
||||
proxy_pass http://upstream-name;
|
||||
subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/end-with-slash/$baseuri">' r;
|
||||
subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/end-with-slash/$baseuri">' r;
|
||||
`, true},
|
||||
"redirect /something-complex to /not-root and rewrite": {"/something-complex", "/not-root", `~* ^/something-complex\/?(?<baseuri>.*)`, `
|
||||
rewrite /something-complex/(.*) /not-root/$1 break;
|
||||
proxy_pass http://upstream-name;
|
||||
subs_filter '<head(.*)>' '<head$1><base href="$scheme://$server_name/not-root/">' r;
|
||||
subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$server_name/not-root/">' r;
|
||||
subs_filter '<head(.*)>' '<head$1><base href="$scheme://$http_host/something-complex/$baseuri">' r;
|
||||
subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$http_host/something-complex/$baseuri">' r;
|
||||
`, true},
|
||||
}
|
||||
)
|
||||
|
|
|
|||
|
|
@ -16,10 +16,8 @@ FROM gcr.io/google_containers/nginx-slim:0.14
|
|||
|
||||
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
|
||||
diffutils \
|
||||
ssl-cert \
|
||||
--no-install-recommends \
|
||||
&& rm -rf /var/lib/apt/lists/* \
|
||||
&& make-ssl-cert generate-default-snakeoil --force-overwrite
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY . /
|
||||
|
||||
|
|
|
|||
|
|
@ -236,7 +236,19 @@ http {
|
|||
ssl_verify_client on;
|
||||
ssl_verify_depth {{ $location.CertificateAuth.ValidationDepth }};
|
||||
{{ end }}
|
||||
|
||||
{{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }}
|
||||
# enforce ssl on server side
|
||||
if ($pass_access_scheme = http) {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
{{ if not (empty $location.Redirect.AppRoot)}}
|
||||
if ($uri = /) {
|
||||
return 302 {{ $location.Redirect.AppRoot }};
|
||||
}
|
||||
{{ end }}
|
||||
{{ if not (empty $authPath) }}
|
||||
location = {{ $authPath }} {
|
||||
internal;
|
||||
|
|
@ -282,12 +294,7 @@ http {
|
|||
error_page 401 = {{ $location.ExternalAuth.SigninURL }};
|
||||
{{ end }}
|
||||
|
||||
{{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }}
|
||||
# enforce ssl on server side
|
||||
if ($pass_access_scheme = http) {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
{{/* if the location contains a rate limit annotation, create one */}}
|
||||
{{ $limits := buildRateLimit $location }}
|
||||
{{ range $limit := $limits }}
|
||||
|
|
@ -493,7 +500,7 @@ stream {
|
|||
|
||||
# TCP services
|
||||
{{ range $i, $tcpServer := .TCPBackends }}
|
||||
upstream {{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }} {
|
||||
upstream tcp-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }} {
|
||||
{{ range $j, $endpoint := $tcpServer.Endpoints }}
|
||||
server {{ $endpoint.Address }}:{{ $endpoint.Port }};
|
||||
{{ end }}
|
||||
|
|
@ -501,22 +508,22 @@ stream {
|
|||
|
||||
server {
|
||||
listen {{ $tcpServer.Port }};
|
||||
proxy_pass {{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }};
|
||||
proxy_pass tcp-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }};
|
||||
}
|
||||
{{ end }}
|
||||
|
||||
# UDP services
|
||||
{{ range $i, $udpServer := .UDPBackends }}
|
||||
upstream {{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }} {
|
||||
upstream udp-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }} {
|
||||
{{ range $j, $endpoint := $udpServer.Endpoints }}
|
||||
server {{ $endpoint.Address }}:{{ $endpoint.Port }};
|
||||
{{ end }}
|
||||
}
|
||||
|
||||
server {
|
||||
listen {{ $udpServer.Port }};
|
||||
listen {{ $udpServer.Port }} udp;
|
||||
proxy_responses 1;
|
||||
proxy_pass {{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }};
|
||||
proxy_pass udp-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }};
|
||||
}
|
||||
{{ end }}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue