Rewrite clean-nginx-conf.sh in Go to speed up admission webhook (#7076) (#7322)

* Rewrite clean-nginx-conf.sh to speed up admission webhook * Less diff with original clean-nginx-conf.sh * Add error handling, add documentation, add unit test * indent code * Don't ignore Getwd() error
2021-07-06 20:50:19 +03:00 · 2021-07-06 20:50:19 +03:00 · a064337621
commit a064337621
parent f5c80783bf
8 changed files with 462 additions and 60 deletions
--- a/test/data/cleanConf.expected.conf
+++ b/test/data/cleanConf.expected.conf
@ -0,0 +1,139 @@
+# Configuration checksum: 
+
+# setup custom paths that do not require root access
+pid /tmp/nginx.pid;
+
+daemon off;
+
+worker_processes 8;
+
+worker_rlimit_nofile 130048;
+
+worker_shutdown_timeout 240s ;
+
+events {
+	multi_accept        on;
+	worker_connections  16384;
+	use                 epoll;
+}
+
+http {
+	lua_package_path "/etc/nginx/lua/?.lua;;";
+	
+	lua_shared_dict balancer_ewma 10M;
+	lua_shared_dict balancer_ewma_last_touched_at 10M;
+	lua_shared_dict balancer_ewma_locks 1M;
+	lua_shared_dict certificate_data 20M;
+	lua_shared_dict certificate_servers 5M;
+	lua_shared_dict configuration_data 20M;
+	lua_shared_dict ocsp_response_cache 5M;
+	
+	init_by_lua_block {
+		collectgarbage("collect")
+		
+		-- init modules
+		local ok, res
+		
+		ok, res = pcall(require, "lua_ingress")
+		if not ok then
+		error("require failed: " .. tostring(res))
+		else
+		lua_ingress = res
+		lua_ingress.set_config({
+			use_forwarded_headers = true,
+			use_proxy_protocol = false,
+			is_ssl_passthrough_enabled = false,
+			http_redirect_code = 308,
+			listen_ports = { ssl_proxy = "442", https = "443" },
+			
+			hsts = true,
+			hsts_max_age = 15724800,
+			hsts_include_subdomains = true,
+			hsts_preload = false,
+		})
+		end
+		
+		ok, res = pcall(require, "monitor")
+		if not ok then
+		error("require failed: " .. tostring(res))
+		else
+		monitor = res
+		end
+		
+	}
+	
+	init_worker_by_lua_block {
+		lua_ingress.init_worker()
+		balancer.init_worker()
+		
+		monitor.init_worker(10000)
+		
+		plugins.run()
+	}
+	
+	map $request_uri $loggable {
+		
+		default 1;
+	}
+	
+	access_log /var/log/nginx/access.log upstreaminfo  if=$loggable;
+	
+	error_log  /var/log/nginx/error.log notice;
+	
+	resolver 169.254.25.10 valid=30s ipv6=off;
+	
+	# See https://www.nginx.com/blog/websocket-nginx
+	map $http_upgrade $connection_upgrade {
+		default          upgrade;
+		
+		# See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+		''               '';
+		
+	}
+	
+	## start server _
+	server {
+		server_name _ ;
+		
+		listen 80 default_server reuseport backlog=4096 ;
+		listen 443 default_server reuseport backlog=4096 ssl http2 ;
+		
+		set $proxy_upstream_name "-";
+		
+		ssl_certificate_by_lua_block {
+			certificate.call()
+		}
+		
+		location / {
+			
+			set $namespace      "";
+			set $ingress_name   "";
+			set $service_name   "";
+			set $service_port   "";
+			set $location_path  "";
+			
+			rewrite_by_lua_block {
+				lua_ingress.rewrite({
+					force_ssl_redirect = false,
+					ssl_redirect = false,
+					force_no_ssl_redirect = false,
+					use_port_in_redirects = false,
+				})
+				balancer.rewrite()
+				plugins.run()
+			}
+			
+			# be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
+			# other authentication method such as basic auth or external auth useless - all requests will be allowed.
+			#access_by_lua_block {
+			#}
+			
+			header_filter_by_lua_block {
+				lua_ingress.header()
+				plugins.run()
+			}
+			
+		}
+		## end server _
+		
+	}
--- a/test/data/cleanConf.src.conf
+++ b/test/data/cleanConf.src.conf
@ -0,0 +1,187 @@
+# Configuration checksum: 
+
+# setup custom paths that do not require root access
+pid /tmp/nginx.pid;
+
+
+
+
+
+
+
+
+
+
+
+
+
+daemon off;
+
+worker_processes 8;
+
+
+worker_rlimit_nofile 130048;
+
+
+
+worker_shutdown_timeout 240s ;
+
+
+
+events {
+    multi_accept        on;
+    worker_connections  16384;
+    use                 epoll;
+}
+
+http {
+    lua_package_path "/etc/nginx/lua/?.lua;;";
+
+    lua_shared_dict balancer_ewma 10M;
+lua_shared_dict balancer_ewma_last_touched_at 10M;
+lua_shared_dict balancer_ewma_locks 1M;
+lua_shared_dict certificate_data 20M;
+lua_shared_dict certificate_servers 5M;
+lua_shared_dict configuration_data 20M;
+lua_shared_dict ocsp_response_cache 5M;
+
+
+    init_by_lua_block {
+        collectgarbage("collect")
+
+        -- init modules
+        local ok, res
+
+        ok, res = pcall(require, "lua_ingress")
+        if not ok then
+          error("require failed: " .. tostring(res))
+        else
+          lua_ingress = res
+          lua_ingress.set_config({
+		use_forwarded_headers = true,
+		use_proxy_protocol = false,
+		is_ssl_passthrough_enabled = false,
+		http_redirect_code = 308,
+		listen_ports = { ssl_proxy = "442", https = "443" },
+
+		hsts = true,
+		hsts_max_age = 15724800,
+		hsts_include_subdomains = true,
+		hsts_preload = false,
+	})
+        end
+
+
+        
+        ok, res = pcall(require, "monitor")
+        if not ok then
+          error("require failed: " .. tostring(res))
+        else
+          monitor = res
+        end
+        
+
+    }
+
+    init_worker_by_lua_block {
+        lua_ingress.init_worker()
+        balancer.init_worker()
+        
+        monitor.init_worker(10000)
+        
+
+        plugins.run()
+    }
+
+    
+    
+    map $request_uri $loggable {
+        
+        default 1;
+    }
+
+    
+    
+    access_log /var/log/nginx/access.log upstreaminfo  if=$loggable;
+    
+    
+
+    
+    error_log  /var/log/nginx/error.log notice;
+    
+
+    resolver 169.254.25.10 valid=30s ipv6=off;
+
+    # See https://www.nginx.com/blog/websocket-nginx
+    map $http_upgrade $connection_upgrade {
+        default          upgrade;
+        
+        # See http://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+        ''               '';
+        
+    }
+
+
+    ## start server _
+    server {
+        server_name _ ;
+
+        
+        
+
+        
+        
+        
+
+        listen 80 default_server reuseport backlog=4096 ;
+        listen 443 default_server reuseport backlog=4096 ssl http2 ;
+
+        set $proxy_upstream_name "-";
+
+        ssl_certificate_by_lua_block {
+            certificate.call()
+        }
+
+
+
+        location / {
+            
+            set $namespace      "";
+            set $ingress_name   "";
+            set $service_name   "";
+            set $service_port   "";
+            set $location_path  "";
+
+            
+
+            
+
+            rewrite_by_lua_block {
+                lua_ingress.rewrite({
+		force_ssl_redirect = false,
+		ssl_redirect = false,
+		force_no_ssl_redirect = false,
+		use_port_in_redirects = false,
+	})
+                balancer.rewrite()
+                plugins.run()
+            }
+
+            # be careful with `access_by_lua_block` and `satisfy any` directives as satisfy any
+            # other authentication method such as basic auth or external auth useless - all requests will be allowed.
+            #access_by_lua_block {
+            #}
+
+            header_filter_by_lua_block {
+                lua_ingress.header()
+                plugins.run()
+            }
+
+
+    }
+    ## end server _
+
+    
+
+    
+}