Merge branch 'master' into nginx/extauth_headers

2017-02-27 16:28:11 -05:00 · 2017-02-27 16:28:11 -05:00 · c8eda8f17f
commit c8eda8f17f
parent 4c2b2512f5 fb8e2d7373
89 changed files with 3309 additions and 379 deletions
--- a/controllers/nginx/pkg/cmd/controller/nginx.go
+++ b/controllers/nginx/pkg/cmd/controller/nginx.go
@ -30,6 +30,7 @@ import (

 	"github.com/golang/glog"
 	"github.com/mitchellh/mapstructure"
+	"github.com/spf13/pflag"

 	"k8s.io/kubernetes/pkg/api"

@ -101,6 +102,8 @@ type NGINXController struct {

 	configmap *api.ConfigMap

+	storeLister ingress.StoreLister
+
 	binary string
 }

@ -251,6 +254,11 @@ func (n NGINXController) Info() *ingress.BackendInfo {
 	}
 }

+// OverrideFlags customize NGINX controller flags
+func (n NGINXController) OverrideFlags(flags *pflag.FlagSet) {
+	flags.Set("ingress-class", "nginx")
+}
+
 // testTemplate checks if the NGINX configuration inside the byte array is valid
 // running the command "nginx -t" using a temporal file.
 func (n NGINXController) testTemplate(cfg []byte) error {
@ -276,11 +284,16 @@ Error: %v
 	return nil
 }

-// SetConfig ...
+// SetConfig sets the configured configmap
 func (n *NGINXController) SetConfig(cmap *api.ConfigMap) {
 	n.configmap = cmap
 }

+// SetListers sets the configured store listers in the generic ingress controller
+func (n *NGINXController) SetListers(lister ingress.StoreLister) {
+	n.storeLister = lister
+}
+
 // OnUpdate is called by syncQueue in https://github.com/aledbf/ingress-controller/blob/master/pkg/ingress/controller/controller.go#L82
 // periodically to keep the configuration in sync.
 //
@ -324,7 +337,20 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) ([]byte, er
 	// and we leave some room to avoid consuming all the FDs available
 	maxOpenFiles := (sysctlFSFileMax() / cfg.WorkerProcesses) - 1024

-	return n.t.Write(config.TemplateConfig{
+	setHeaders := map[string]string{}
+	if cfg.ProxySetHeaders != "" {
+		cmap, exists, err := n.storeLister.ConfigMap.GetByKey(cfg.ProxySetHeaders)
+		if err != nil {
+			glog.Warningf("unexpected error reading configmap %v: %v", cfg.ProxySetHeaders, err)
+		}
+
+		if exists {
+			setHeaders = cmap.(*api.ConfigMap).Data
+		}
+	}
+
+	content, err := n.t.Write(config.TemplateConfig{
+		ProxySetHeaders:     setHeaders,
 		MaxOpenFiles:        maxOpenFiles,
 		BacklogSize:         sysctlSomaxconn(),
 		Backends:            ingressCfg.Backends,
@ -335,7 +361,16 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) ([]byte, er
 		HealthzURI:          ngxHealthPath,
 		CustomErrors:        len(cfg.CustomHTTPErrors) > 0,
 		Cfg:                 cfg,
-	}, n.testTemplate)
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	if err := n.testTemplate(content); err != nil {
+		return nil, err
+	}
+
+	return content, nil
 }

 // Name returns the healthcheck name
--- a/controllers/nginx/pkg/config/config.go
+++ b/controllers/nginx/pkg/config/config.go
@ -88,6 +88,10 @@ type Configuration struct {
 	// http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
 	ClientHeaderBufferSize string `json:"client-header-buffer-size"`

+	// DisableAccessLog disables the Access Log globally from NGINX ingress controller
+	//http://nginx.org/en/docs/http/ngx_http_log_module.html
+	DisableAccessLog bool `json:"disable-access-log,omitempty"`
+
 	// EnableSPDY enables spdy and use ALPN and NPN to advertise the availability of the two protocols
 	// https://blog.cloudflare.com/open-sourcing-our-nginx-http-2-spdy-code
 	// By default this is enabled
@ -152,6 +156,9 @@ type Configuration struct {
 	// of your external load balancer
 	ProxyRealIPCIDR string `json:"proxy-real-ip-cidr,omitempty"`

+	// Sets the name of the configmap that contains the headers to pass to the backend
+	ProxySetHeaders string `json:"proxy-set-headers,omitempty"`
+
 	// Maximum size of the server names hash tables used in server names, map directive’s values,
 	// MIME types, names of request header strings, etcd.
 	// http://nginx.org/en/docs/hash.html
@ -233,6 +240,7 @@ type Configuration struct {
 func NewDefault() Configuration {
 	cfg := Configuration{
 		ClientHeaderBufferSize:  "1k",
+		DisableAccessLog:        false,
 		EnableDynamicTLSRecords: true,
 		EnableSPDY:              false,
 		ErrorLogLevel:           errorLevel,
@ -266,6 +274,8 @@ func NewDefault() Configuration {
 			ProxyReadTimeout:     60,
 			ProxySendTimeout:     60,
 			ProxyBufferSize:      "4k",
+			ProxyCookieDomain:    "off",
+			ProxyCookiePath:      "off",
 			SSLRedirect:          true,
 			CustomHTTPErrors:     []int{},
 			WhitelistSourceRange: []string{},
@ -283,13 +293,14 @@ func NewDefault() Configuration {

 // TemplateConfig contains the nginx configuration to render the file nginx.conf
 type TemplateConfig struct {
+	ProxySetHeaders     map[string]string
 	MaxOpenFiles        int
 	BacklogSize         int
 	Backends            []*ingress.Backend
 	PassthroughBackends []*ingress.SSLPassthroughBackend
 	Servers             []*ingress.Server
-	TCPBackends         []*ingress.Location
-	UDPBackends         []*ingress.Location
+	TCPBackends         []ingress.L4Service
+	UDPBackends         []ingress.L4Service
 	HealthzURI          string
 	CustomErrors        bool
 	Cfg                 Configuration
--- a/controllers/nginx/pkg/template/configmap_test.go
+++ b/controllers/nginx/pkg/template/configmap_test.go
@ -39,12 +39,14 @@ func TestMergeConfigMapToStruct(t *testing.T) {
 		"proxy-send-timeout":         "2",
 		"skip-access-log-urls":       "/log,/demo,/test",
 		"use-proxy-protocol":         "true",
+		"disable-access-log":         "true",
 		"use-gzip":                   "true",
 		"enable-dynamic-tls-records": "false",
 		"gzip-types":                 "text/html",
 	}
 	def := config.NewDefault()
 	def.CustomHTTPErrors = []int{300, 400}
+	def.DisableAccessLog = true
 	def.SkipAccessLogURLs = []string{"/log", "/demo", "/test"}
 	def.ProxyReadTimeout = 1
 	def.ProxySendTimeout = 2
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@ -78,7 +78,7 @@ func (t *Template) Close() {

 // Write populates a buffer using a template with NGINX configuration
 // and the servers and upstreams created by Ingress rules
-func (t *Template) Write(conf config.TemplateConfig, isValidTemplate func([]byte) error) ([]byte, error) {
+func (t *Template) Write(conf config.TemplateConfig) ([]byte, error) {
 	defer t.tmplBuf.Reset()
 	defer t.outCmdBuf.Reset()

@ -114,13 +114,7 @@ func (t *Template) Write(conf config.TemplateConfig, isValidTemplate func([]byte
 		return t.tmplBuf.Bytes(), nil
 	}

-	content := t.outCmdBuf.Bytes()
-	err = isValidTemplate(content)
-	if err != nil {
-		return nil, err
-	}
-
-	return content, nil
+	return t.outCmdBuf.Bytes(), nil
 }

 var (
@ -132,16 +126,15 @@ var (
 			}
 			return true
 		},
-		"buildLocation":               buildLocation,
-		"buildAuthLocation":           buildAuthLocation,
-		"buildAuthResponseHeaders":    buildAuthResponseHeaders,
-		"buildProxyPass":              buildProxyPass,
-		"buildRateLimitZones":         buildRateLimitZones,
-		"buildRateLimit":              buildRateLimit,
-		"buildSSPassthroughUpstreams": buildSSPassthroughUpstreams,
-		"buildResolvers":              buildResolvers,
-		"isLocationAllowed":           isLocationAllowed,
-		"buildStreamUpstreams":        buildStreamUpstreams,
+		"buildLocation":                buildLocation,
+		"buildAuthLocation":            buildAuthLocation,
+    "buildAuthResponseHeaders":     buildAuthResponseHeaders,
+    "buildProxyPass":               buildProxyPass,
+		"buildRateLimitZones":          buildRateLimitZones,
+		"buildRateLimit":               buildRateLimit,
+		"buildSSLPassthroughUpstreams": buildSSLPassthroughUpstreams,
+		"buildResolvers":               buildResolvers,
+		"isLocationAllowed":            isLocationAllowed,

 		"contains":  strings.Contains,
 		"hasPrefix": strings.HasPrefix,
@ -172,7 +165,7 @@ func buildResolvers(a interface{}) string {
 	return strings.Join(r, " ")
 }

-func buildSSPassthroughUpstreams(b interface{}, sslb interface{}) string {
+func buildSSLPassthroughUpstreams(b interface{}, sslb interface{}) string {
 	backends := b.([]*ingress.Backend)
 	sslBackends := sslb.([]*ingress.SSLPassthroughBackend)
 	buf := bytes.NewBuffer(make([]byte, 0, 10))
@ -200,34 +193,6 @@ func buildSSPassthroughUpstreams(b interface{}, sslb interface{}) string {
 	return buf.String()
 }

-func buildStreamUpstreams(proto string, b interface{}, s interface{}) string {
-	backends := b.([]*ingress.Backend)
-	streams := s.([]*ingress.Location)
-	buf := bytes.NewBuffer(make([]byte, 0, 10))
-	// multiple services can use the same upstream.
-	// avoid duplications using a map[name]=true
-	u := make(map[string]bool)
-	for _, stream := range streams {
-		if u[stream.Backend] {
-			continue
-		}
-		u[stream.Backend] = true
-		fmt.Fprintf(buf, "upstream %v-%v {\n", proto, stream.Backend)
-		// TODO: find a better way to avoid empty stream upstreams
-		fmt.Fprintf(buf, "\t\tserver 127.0.0.1:8181 down;\n")
-		for _, backend := range backends {
-			if backend.Name == stream.Backend {
-				for _, server := range backend.Endpoints {
-					fmt.Fprintf(buf, "\t\tserver %v:%v;\n", server.Address, server.Port)
-				}
-				break
-			}
-		}
-		fmt.Fprint(buf, "\t}\n\n")
-	}
-	return buf.String()
-}
-
 // buildLocation produces the location string, if the ingress has redirects
 // (specified through the ingress.kubernetes.io/rewrite-to annotation)
 func buildLocation(input interface{}) string {
@ -238,7 +203,10 @@ func buildLocation(input interface{}) string {

 	path := location.Path
 	if len(location.Redirect.Target) > 0 && location.Redirect.Target != path {
-		return fmt.Sprintf("~* %s", path)
+		if path == "/" {
+			return fmt.Sprintf("~* %s", path)
+		}
+		return fmt.Sprintf("~* ^%s", path)
 	}

 	return path
--- a/controllers/nginx/pkg/template/template_test.go
+++ b/controllers/nginx/pkg/template/template_test.go
@ -47,12 +47,12 @@ var (
 	rewrite /(.*) /jenkins/$1 break;
 	proxy_pass http://upstream-name;
 	`, false},
-		"redirect /something to /": {"/something", "/", "~* /something", `
+		"redirect /something to /": {"/something", "/", "~* ^/something", `
 	rewrite /something/(.*) /$1 break;
 	rewrite /something / break;
 	proxy_pass http://upstream-name;
 	`, false},
-		"redirect /something-complex to /not-root": {"/something-complex", "/not-root", "~* /something-complex", `
+		"redirect /something-complex to /not-root": {"/something-complex", "/not-root", "~* ^/something-complex", `
 	rewrite /something-complex/(.*) /not-root/$1 break;
 	proxy_pass http://upstream-name;
 	`, false},
@ -62,14 +62,14 @@ var (
 	subs_filter '<head(.*)>' '<head$1><base href="$scheme://$server_name/jenkins/">' r;
 	subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$server_name/jenkins/">' r;
 	`, true},
-		"redirect /something to / and rewrite": {"/something", "/", "~* /something", `
+		"redirect /something to / and rewrite": {"/something", "/", "~* ^/something", `
 	rewrite /something/(.*) /$1 break;
 	rewrite /something / break;
 	proxy_pass http://upstream-name;
 	subs_filter '<head(.*)>' '<head$1><base href="$scheme://$server_name/">' r;
 	subs_filter '<HEAD(.*)>' '<HEAD$1><base href="$scheme://$server_name/">' r;
 	`, true},
-		"redirect /something-complex to /not-root and rewrite": {"/something-complex", "/not-root", "~* /something-complex", `
+		"redirect /something-complex to /not-root and rewrite": {"/something-complex", "/not-root", "~* ^/something-complex", `
 	rewrite /something-complex/(.*) /not-root/$1 break;
 	proxy_pass http://upstream-name;
 	subs_filter '<head(.*)>' '<head$1><base href="$scheme://$server_name/not-root/">' r;
@ -151,7 +151,7 @@ func TestTemplateWithData(t *testing.T) {
 		t.Errorf("invalid NGINX template: %v", err)
 	}

-	_, err = ngxTpl.Write(dat, func(b []byte) error { return nil })
+	_, err = ngxTpl.Write(dat)
 	if err != nil {
 		t.Errorf("invalid NGINX template: %v", err)
 	}
@ -185,6 +185,6 @@ func BenchmarkTemplateWithData(b *testing.B) {
 	}

 	for i := 0; i < b.N; i++ {
-		ngxTpl.Write(dat, func(b []byte) error { return nil })
+		ngxTpl.Write(dat)
 	}
 }