Add keepalive support for auth requests (#8219)

* Add keepalive support for auth requests

* Fix typo

* Address PR comments

* Log warning when auth-url contains variable in its host:port
* Generate upstream name without replacing dots to underscores in server name
* Add comment in the nginx template when the keepalive upstream block is referenced

* Workaround for auth_request module ignores keepalive in upstream block

* The `auth_request` module does not support HTTP keepalives in upstream block:
  https://trac.nginx.org/nginx/ticket/1579
* As a workaround we use ngx.location.capture but unfortunately it does not
  support HTTP/2 so `use-http2` configuration parameter is needed.

* Handle PR comments

* Address PR comments

* Handle invalid values for int parameters

* Handle PR comments

* Fix e2e test
Gabor Lekeny 2022-04-09 05:22:04 +02:00 committed by GitHub
parent 5e322f79a1
commit 83ce21b4dd
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 570 additions and 12 deletions


@ -31,6 +31,9 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
|[nginx.ingress.kubernetes.io/auth-url](#external-authentication)|string|
|[nginx.ingress.kubernetes.io/auth-cache-key](#external-authentication)|string|
|[nginx.ingress.kubernetes.io/auth-cache-duration](#external-authentication)|string|
|[nginx.ingress.kubernetes.io/auth-keepalive](#external-authentication)|number|
|[nginx.ingress.kubernetes.io/auth-keepalive-requests](#external-authentication)|number|
|[nginx.ingress.kubernetes.io/auth-keepalive-timeout](#external-authentication)|number|
|[nginx.ingress.kubernetes.io/auth-proxy-set-headers](#external-authentication)|string|
|[nginx.ingress.kubernetes.io/auth-snippet](#external-authentication)|string|
|[nginx.ingress.kubernetes.io/enable-global-auth](#external-authentication)|"true" or "false"|
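Review bot: the three new rows (`auth-keepalive`, `auth-keepalive-requests`, `auth-keepalive-timeout`) give the type as `number`, which leaves out that these are integer counts and, for the timeout, a value in seconds. The commit message mentions handling invalid values for the int parameters, so the accepted range is worth stating where users look first; consider a more precise type here, or at least make sure the linked section says what a negative or non-numeric value results in.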
@ -453,6 +456,19 @@ nginx.ingress.kubernetes.io/auth-url: "URL to the authentication service"
Additionally it is possible to set:
* `nginx.ingress.kubernetes.io/auth-keepalive`:
`<Connections>` to specify the maximum number of keepalive connections to `auth-url`. Only takes effect
when no variables are used in the host part of the URL. Defaults to `0` (keepalive disabled).
> Note: does not work with HTTP/2 listener because of a limitation in Lua [subrequests](https://github.com/openresty/lua-nginx-module#spdy-mode-not-fully-supported).
> [UseHTTP2](./configmap.md#use-http2) configuration should be disabled!
* `nginx.ingress.kubernetes.io/auth-keepalive-requests`:
`<Requests>` to specify the maximum number of requests that can be served through one keepalive connection.
Defaults to `1000` and only applied if `auth-keepalive` is set to higher than `0`.
* `nginx.ingress.kubernetes.io/auth-keepalive-timeout`:
`<Timeout>` to specify a duration in seconds which an idle keepalive connection to an upstream server will stay open.
Defaults to `60` and only applied if `auth-keepalive` is set to higher than `0`.
* `nginx.ingress.kubernetes.io/auth-method`:
`<Method>` to specify the HTTP method to use.
* `nginx.ingress.kubernetes.io/auth-signin`:
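Review bot: the note under `auth-keepalive` says "[UseHTTP2](./configmap.md#use-http2) configuration should be disabled!" but does not say what happens when `auth-keepalive` is set above `0` while HTTP/2 is still enabled. Because this sits on the authentication path, the text should state whether the annotation is ignored in that case or whether auth subrequests fail, so operators know if a misconfiguration fails open or closed. It is also worth spelling out that `use-http2` is a ConfigMap setting, so enabling keepalive for one Ingress means turning HTTP/2 off for the whole controller. Smaller point: "Only takes effect when no variables are used in the host part of the URL" could mention the warning that the commit message says is logged in that case, so users know where to look when keepalive is silently not applied.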