diff --git a/hack/verify-flags/exceptions.txt b/hack/verify-flags/exceptions.txt index cb9306d274..8d10586343 100644 --- a/hack/verify-flags/exceptions.txt +++ b/hack/verify-flags/exceptions.txt @@ -2,7 +2,7 @@ ingress/controllers/nginx/README.md:Enables which HTTP codes should be passed fo ingress/controllers/nginx/README.md:Setting at least one code this also enables [proxy_intercept_errors](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors) (required to process error_page) ingress/controllers/nginx/nginx.tmpl: require("error_page") ingress/controllers/nginx/nginx.tmpl: error_page {{ $errCode }} = @custom_{{ $errCode }};{{ end }} -ingress/controllers/nginx/nginx/main.go: // enables which HTTP codes should be passed for processing with the error_page directive +ingress/controllers/nginx/nginx/config/config.go: // enables which HTTP codes should be passed for processing with the error_page directive mungegithub/mungers/submit-queue.go: sq.e2e = &fake_e2e.FakeE2ETester{ mungegithub/mungers/submit-queue.go: fake_e2e "k8s.io/contrib/mungegithub/mungers/e2e/fake" mungegithub/mungers/submit-queue_test.go: fake_e2e "k8s.io/contrib/mungegithub/mungers/e2e/fake" diff --git a/ingress/controllers/nginx/controller.go b/ingress/controllers/nginx/controller.go index 9a74695328..c87a868e1b 100644 --- a/ingress/controllers/nginx/controller.go +++ b/ingress/controllers/nginx/controller.go @@ -42,6 +42,7 @@ import ( "k8s.io/contrib/ingress/controllers/nginx/nginx" "k8s.io/contrib/ingress/controllers/nginx/nginx/auth" + "k8s.io/contrib/ingress/controllers/nginx/nginx/config" "k8s.io/contrib/ingress/controllers/nginx/nginx/healthcheck" "k8s.io/contrib/ingress/controllers/nginx/nginx/ratelimit" "k8s.io/contrib/ingress/controllers/nginx/nginx/rewrite" 
@@ -647,7 +648,7 @@ func (lbc *loadBalancerController) getDefaultUpstream() *nginx.Upstream {
 return upstream
 }
 
-func (lbc *loadBalancerController) getUpstreamServers(ngxCfg nginx.Configuration, data []interface{}) ([]*nginx.Upstream, []*nginx.Server) {
+func (lbc *loadBalancerController) getUpstreamServers(ngxCfg config.Configuration, data []interface{}) ([]*nginx.Upstream, []*nginx.Server) {
 upstreams := lbc.createUpstreams(ngxCfg, data)
 upstreams[defUpstreamName] = lbc.getDefaultUpstream()
 
@@ -785,7 +786,7 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg nginx.Configuration
 
 // createUpstreams creates the NGINX upstreams for each service referenced in
 // Ingress rules. The servers inside the upstream are endpoints.
-func (lbc *loadBalancerController) createUpstreams(ngxCfg nginx.Configuration, data []interface{}) map[string]*nginx.Upstream {
+func (lbc *loadBalancerController) createUpstreams(ngxCfg config.Configuration, data []interface{}) map[string]*nginx.Upstream {
 upstreams := make(map[string]*nginx.Upstream)
 
 for _, ingIf := range data {
diff --git a/ingress/controllers/nginx/nginx/command.go b/ingress/controllers/nginx/nginx/command.go
index b8da85a428..0e5ac987a5 100644
--- a/ingress/controllers/nginx/nginx/command.go
+++ b/ingress/controllers/nginx/nginx/command.go
@@ -25,6 +25,8 @@ import (
 
 "github.com/golang/glog"
 "k8s.io/kubernetes/pkg/healthz"
+
+"k8s.io/contrib/ingress/controllers/nginx/nginx/config"
 )
 
 // Start starts a nginx (master process) and waits. If the process ends
@@ -54,7 +56,7 @@ func (ngx *Manager) Start() {
 // shut down, stop accepting new connections and continue to service current requests
 // until all such requests are serviced. After that, the old worker processes exit.
 // http://nginx.org/en/docs/beginners_guide.html#control
-func (ngx *Manager) CheckAndReload(cfg Configuration, ingressCfg IngressConfig) {
+func (ngx *Manager) CheckAndReload(cfg config.Configuration, ingressCfg IngressConfig) {
 ngx.reloadRateLimiter.Accept()
 ngx.reloadLock.Lock()
 
diff --git a/ingress/controllers/nginx/nginx/config/config.go b/ingress/controllers/nginx/nginx/config/config.go
new file mode 100644
index 0000000000..83bfc9f6a0
--- /dev/null
+++ b/ingress/controllers/nginx/nginx/config/config.go
@@ -0,0 +1,280 @@ +/* +Copyright 2016 The Kubernetes Authors All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package config + +import ( + "runtime" + "strconv" + + "github.com/golang/glog" +) + +const ( + // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size + // Sets the maximum allowed size of the client request body + bodySize = "1m" + + // http://nginx.org/en/docs/ngx_core_module.html#error_log + // Configures logging level [debug | info | notice | warn | error | crit | alert | emerg] + // Log levels above are listed in the order of increasing severity + errorLevel = "notice" + + // HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header) + // that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. + // https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security + // max-age is the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS. 
+ hstsMaxAge = "15724800" + + // If UseProxyProtocol is enabled defIPCIDR defines the default the IP/network address of your external load balancer + defIPCIDR = "0.0.0.0/0" + + gzipTypes = "application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component" + + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size + // Sets the size of the buffer used for sending data. + // 4k helps NGINX to improve TLS Time To First Byte (TTTFB) + // https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ + sslBufferSize = "4k" + + // Enabled ciphers list to enabled. The ciphers are specified in the format understood by the OpenSSL library + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers + sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" + + // SSL enabled protocols to use + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols + sslProtocols = "TLSv1 TLSv1.1 TLSv1.2" + + // Time during which a client may reuse the session parameters stored in a cache. 
+ // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout + sslSessionTimeout = "10m" + + // Size of the SSL shared cache between all worker processes. + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache + sslSessionCacheSize = "10m" +) + +var ( + // SSLDirectory contains the mounted secrets with SSL certificates, keys and + SSLDirectory = "/etc/nginx-ssl" +) + +// Configuration represents the content of nginx.conf file +type Configuration struct { + // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size + // Sets the maximum allowed size of the client request body + BodySize string `structs:"body-size,omitempty"` + + // EnableStickySessions enabled sticky sessions using cookies + // https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng + // By default this is disabled + EnableStickySessions bool `structs:"enable-sticky-sessions,omitempty"` + + // EnableVtsStatus allows the replacement of the default status page with a third party module named + // nginx-module-vts - https://github.com/vozlt/nginx-module-vts + // By default this is disabled + EnableVtsStatus bool `structs:"enable-vts-status,omitempty"` + + VtsStatusZoneSize string `structs:"vts-status-zone-size,omitempty"` + + // RetryNonIdempotent since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) + // in case of an error. 
The previous behavior can be restored using the value true + RetryNonIdempotent bool `structs:"retry-non-idempotent"` + + // http://nginx.org/en/docs/ngx_core_module.html#error_log + // Configures logging level [debug | info | notice | warn | error | crit | alert | emerg] + // Log levels above are listed in the order of increasing severity + ErrorLogLevel string `structs:"error-log-level,omitempty"` + + // Enables or disables the header HSTS in servers running SSL + HSTS bool `structs:"hsts,omitempty"` + + // Enables or disables the use of HSTS in all the subdomains of the servername + // Default: true + HSTSIncludeSubdomains bool `structs:"hsts-include-subdomains,omitempty"` + + // HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header) + // that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. + // https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security + // max-age is the time, in seconds, that the browser should remember that this site is only to be + // accessed using HTTPS. + HSTSMaxAge string `structs:"hsts-max-age,omitempty"` + + // enables which HTTP codes should be passed for processing with the error_page directive + // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors + // http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page + // By default this is disabled + CustomHTTPErrors []int `structs:"custom-http-errors,-"` + + // Time during which a keep-alive client connection will stay open on the server side. 
+ // The zero value disables keep-alive client connections + // http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout + KeepAlive int `structs:"keep-alive,omitempty"` + + // Maximum number of simultaneous connections that can be opened by each worker process + // http://nginx.org/en/docs/ngx_core_module.html#worker_connections + MaxWorkerConnections int `structs:"max-worker-connections,omitempty"` + + // Defines a timeout for establishing a connection with a proxied server. + // It should be noted that this timeout cannot usually exceed 75 seconds. + // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout + ProxyConnectTimeout int `structs:"proxy-connect-timeout,omitempty"` + + // If UseProxyProtocol is enabled ProxyRealIPCIDR defines the default the IP/network address + // of your external load balancer + ProxyRealIPCIDR string `structs:"proxy-real-ip-cidr,omitempty"` + + // Timeout in seconds for reading a response from the proxied server. The timeout is set only between + // two successive read operations, not for the transmission of the whole response + // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout + ProxyReadTimeout int `structs:"proxy-read-timeout,omitempty"` + + // Timeout in seconds for transmitting a request to the proxied server. The timeout is set only between + // two successive write operations, not for the transmission of the whole request. + // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout + ProxySendTimeout int `structs:"proxy-send-timeout,omitempty"` + + // Configures name servers used to resolve names of upstream servers into addresses + // http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver + Resolver string `structs:"resolver,omitempty"` + + // Maximum size of the server names hash tables used in server names, map directive’s values, + // MIME types, names of request header strings, etcd. 
+ // http://nginx.org/en/docs/hash.html + // http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size + ServerNameHashMaxSize int `structs:"server-name-hash-max-size,omitempty"` + + // Size of the bucker for the server names hash tables + // http://nginx.org/en/docs/hash.html + // http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size + ServerNameHashBucketSize int `structs:"server-name-hash-bucket-size,omitempty"` + + // Enables or disables the redirect (301) to the HTTPS port + SSLRedirect bool `structs:"ssl-redirect,omitempty"` + + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size + // Sets the size of the buffer used for sending data. + // 4k helps NGINX to improve TLS Time To First Byte (TTTFB) + // https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ + SSLBufferSize string `structs:"ssl-buffer-size,omitempty"` + + // Enabled ciphers list to enabled. The ciphers are specified in the format understood by + // the OpenSSL library + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers + SSLCiphers string `structs:"ssl-ciphers,omitempty"` + + // Base64 string that contains Diffie-Hellman key to help with "Perfect Forward Secrecy" + // https://www.openssl.org/docs/manmaster/apps/dhparam.html + // https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam + SSLDHParam string `structs:"ssl-dh-param,omitempty"` + + // SSL enabled protocols to use + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols + SSLProtocols string `structs:"ssl-protocols,omitempty"` + + // Enables or disables the use of shared SSL cache among worker processes. + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache + SSLSessionCache bool `structs:"ssl-session-cache,omitempty"` + + // Size of the SSL shared cache between all worker processes. 
+ // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache + SSLSessionCacheSize string `structs:"ssl-session-cache-size,omitempty"` + + // Enables or disables session resumption through TLS session tickets. + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets + SSLSessionTickets bool `structs:"ssl-session-tickets,omitempty"` + + // Time during which a client may reuse the session parameters stored in a cache. + // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout + SSLSessionTimeout string `structs:"ssl-session-timeout,omitempty"` + + // Number of unsuccessful attempts to communicate with the server that should happen in the + // duration set by the fail_timeout parameter to consider the server unavailable + // http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream + // Default: 0, ie use platform liveness probe + UpstreamMaxFails int `structs:"upstream-max-fails,omitempty"` + + // Time during which the specified number of unsuccessful attempts to communicate with + // the server should happen to consider the server unavailable + // http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream + // Default: 0, ie use platform liveness probe + UpstreamFailTimeout int `structs:"upstream-fail-timeout,omitempty"` + + // Enables or disables the use of the PROXY protocol to receive client connection + // (real IP address) information passed through proxy servers and load balancers + // such as HAproxy and Amazon Elastic Load Balancer (ELB). 
+ // https://www.nginx.com/resources/admin-guide/proxy-protocol/ + UseProxyProtocol bool `structs:"use-proxy-protocol,omitempty"` + + // Enables or disables the use of the nginx module that compresses responses using the "gzip" method + // http://nginx.org/en/docs/http/ngx_http_gzip_module.html + UseGzip bool `structs:"use-gzip,omitempty"` + + // Enables or disables the HTTP/2 support in secure connections + // http://nginx.org/en/docs/http/ngx_http_v2_module.html + // Default: true + UseHTTP2 bool `structs:"use-http2,omitempty"` + + // MIME types in addition to "text/html" to compress. The special value “*” matches any MIME type. + // Responses with the “text/html” type are always compressed if UseGzip is enabled + GzipTypes string `structs:"gzip-types,omitempty"` + + // Defines the number of worker processes. By default auto means number of available CPU cores + // http://nginx.org/en/docs/ngx_core_module.html#worker_processes + WorkerProcesses string `structs:"worker-processes,omitempty"` +} + +// NewDefault returns the default configuration contained +// in the file default-conf.json +func NewDefault() Configuration { + cfg := Configuration{ + BodySize: bodySize, + ErrorLogLevel: errorLevel, + HSTS: true, + HSTSIncludeSubdomains: true, + HSTSMaxAge: hstsMaxAge, + GzipTypes: gzipTypes, + KeepAlive: 75, + MaxWorkerConnections: 16384, + ProxyConnectTimeout: 5, + ProxyRealIPCIDR: defIPCIDR, + ProxyReadTimeout: 60, + ProxySendTimeout: 60, + ServerNameHashMaxSize: 512, + ServerNameHashBucketSize: 64, + SSLRedirect: true, + SSLBufferSize: sslBufferSize, + SSLCiphers: sslCiphers, + SSLProtocols: sslProtocols, + SSLSessionCache: true, + SSLSessionCacheSize: sslSessionCacheSize, + SSLSessionTickets: true, + SSLSessionTimeout: sslSessionTimeout, + UseProxyProtocol: false, + UseGzip: true, + WorkerProcesses: strconv.Itoa(runtime.NumCPU()), + VtsStatusZoneSize: "10m", + UseHTTP2: true, + CustomHTTPErrors: make([]int, 0), + } + + if glog.V(5) { + cfg.ErrorLogLevel = "debug" 
+ } + + return cfg +} diff --git a/ingress/controllers/nginx/nginx/healthcheck/main.go b/ingress/controllers/nginx/nginx/healthcheck/main.go index dfde50a274..2bafeced40 100644 --- a/ingress/controllers/nginx/nginx/healthcheck/main.go +++ b/ingress/controllers/nginx/nginx/healthcheck/main.go @@ -22,7 +22,7 @@ import ( "k8s.io/kubernetes/pkg/apis/extensions" - "k8s.io/contrib/ingress/controllers/nginx/nginx" + "k8s.io/contrib/ingress/controllers/nginx/nginx/config" ) const ( @@ -82,7 +82,7 @@ func (a ingAnnotations) failTimeout() (int, error) { // ParseAnnotations parses the annotations contained in the ingress // rule used to configure upstream check parameters -func ParseAnnotations(cfg nginx.Configuration, ing *extensions.Ingress) *Upstream { +func ParseAnnotations(cfg config.Configuration, ing *extensions.Ingress) *Upstream { if ing.GetAnnotations() == nil { return &Upstream{cfg.UpstreamMaxFails, cfg.UpstreamFailTimeout} } diff --git a/ingress/controllers/nginx/nginx/healthcheck/main_test.go b/ingress/controllers/nginx/nginx/healthcheck/main_test.go index 0aeb0a9fa3..348df45e6e 100644 --- a/ingress/controllers/nginx/nginx/healthcheck/main_test.go +++ b/ingress/controllers/nginx/nginx/healthcheck/main_test.go @@ -23,7 +23,7 @@ import ( "k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/util/intstr" - "k8s.io/contrib/ingress/controllers/nginx/nginx" + "k8s.io/contrib/ingress/controllers/nginx/nginx/config" ) func buildIngress() *extensions.Ingress { @@ -103,7 +103,7 @@ func TestIngressHealthCheck(t *testing.T) { data[upsMaxFails] = "2" ing.SetAnnotations(data) - cfg := nginx.Configuration{} + cfg := config.Configuration{} cfg.UpstreamFailTimeout = 1 nginxHz := ParseAnnotations(cfg, ing) diff --git a/ingress/controllers/nginx/nginx/main.go b/ingress/controllers/nginx/nginx/main.go index 2b0ec99355..f7fc27dff2 100644 --- a/ingress/controllers/nginx/nginx/main.go +++ b/ingress/controllers/nginx/nginx/main.go 
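Review bot: `defIPCIDR = "0.0.0.0/0"` as the default for `ProxyRealIPCIDR` means every peer is trusted to assert the client's address once the real-IP/PROXY-protocol path is enabled, so any IP allow list or rate limit that keys on the client address can be bypassed by a spoofed header; the template that consumes this value is not in this diff, so confirm it is only emitted when `UseProxyProtocol` is true. I would carry a warning on the constant, `// WARNING: 0.0.0.0/0 trusts every peer to set the client IP; narrow this to the load balancer's CIDR before relying on client addresses`, and consider rejecting the wildcard in the caller when `UseProxyProtocol` is set. The TLS defaults also deserve a caveat comment: `sslProtocols` still enables TLSv1 and TLSv1.1, `sslCiphers` admits the non-forward-secret `AES:CAMELLIA` and the 3DES `DES-CBC3-SHA` suites, and `SSLSessionTickets: true` without a rotated `ssl_session_ticket_key` (not visible here) leaves resumed sessions protected by a single long-lived process key, so users should know these are overridable via the `ssl-protocols`, `ssl-ciphers` and `ssl-session-tickets` keys. Finally, the doc comment on `NewDefault` refers to a `default-conf.json` that nothing in this file reads; `// NewDefault returns the built-in defaults for nginx.conf (the constants above).` is accurate.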
@@ -19,8 +19,6 @@ package nginx
 import (
 "fmt"
 "os"
-"runtime"
-"strconv"
 "strings"
 "sync"
 "text/template"
@@ -33,225 +31,15 @@ import ( "k8s.io/kubernetes/pkg/api" client "k8s.io/kubernetes/pkg/client/unversioned" "k8s.io/kubernetes/pkg/util/flowcontrol" -) - -const ( - // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size - // Sets the maximum allowed size of the client request body - bodySize = "1m" - - // http://nginx.org/en/docs/ngx_core_module.html#error_log - // Configures logging level [debug | info | notice | warn | error | crit | alert | emerg] - // Log levels above are listed in the order of increasing severity - errorLevel = "notice" - - // HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header) - // that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. - // https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security - // max-age is the time, in seconds, that the browser should remember that this site is only to be accessed using HTTPS. - hstsMaxAge = "15724800" - - // If UseProxyProtocol is enabled defIPCIDR defines the default the IP/network address of your external load balancer - defIPCIDR = "0.0.0.0/0" - - gzipTypes = "application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component" - - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size - // Sets the size of the buffer used for sending data. - // 4k helps NGINX to improve TLS Time To First Byte (TTTFB) - // https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ - sslBufferSize = "4k" - // Enabled ciphers list to enabled. 
The ciphers are specified in the format understood by the OpenSSL library - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers - sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" - - // SSL enabled protocols to use - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols - sslProtocols = "TLSv1 TLSv1.1 TLSv1.2" - - // Time during which a client may reuse the session parameters stored in a cache. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout - sslSessionTimeout = "10m" - - // Size of the SSL shared cache between all worker processes. 
- // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache - sslSessionCacheSize = "10m" + "k8s.io/contrib/ingress/controllers/nginx/nginx/config" ) -var ( - // Base directory that contains the mounted secrets with SSL certificates, keys and - sslDirectory = "/etc/nginx-ssl" -) - -// Configuration represents the content of nginx.conf file -type Configuration struct { - // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size - // Sets the maximum allowed size of the client request body - BodySize string `structs:"body-size,omitempty"` - - // EnableStickySessions enabled sticky sessions using cookies - // https://bitbucket.org/nginx-goodies/nginx-sticky-module-ng - // By default this is disabled - EnableStickySessions bool `structs:"enable-sticky-sessions,omitempty"` - - // EnableVtsStatus allows the replacement of the default status page with a third party module named - // nginx-module-vts - https://github.com/vozlt/nginx-module-vts - // By default this is disabled - EnableVtsStatus bool `structs:"enable-vts-status,omitempty"` - - VtsStatusZoneSize string `structs:"vts-status-zone-size,omitempty"` - - // RetryNonIdempotent since 1.9.13 NGINX will not retry non-idempotent requests (POST, LOCK, PATCH) - // in case of an error. 
The previous behavior can be restored using the value true - RetryNonIdempotent bool `structs:"retry-non-idempotent"` - - // http://nginx.org/en/docs/ngx_core_module.html#error_log - // Configures logging level [debug | info | notice | warn | error | crit | alert | emerg] - // Log levels above are listed in the order of increasing severity - ErrorLogLevel string `structs:"error-log-level,omitempty"` - - // Enables or disables the header HSTS in servers running SSL - HSTS bool `structs:"hsts,omitempty"` - - // Enables or disables the use of HSTS in all the subdomains of the servername - // Default: true - HSTSIncludeSubdomains bool `structs:"hsts-include-subdomains,omitempty"` - - // HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature (HTTP header) - // that tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. - // https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security - // max-age is the time, in seconds, that the browser should remember that this site is only to be - // accessed using HTTPS. - HSTSMaxAge string `structs:"hsts-max-age,omitempty"` - - // enables which HTTP codes should be passed for processing with the error_page directive - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors - // http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page - // By default this is disabled - CustomHTTPErrors []int `structs:"custom-http-errors,-"` - - // Time during which a keep-alive client connection will stay open on the server side. 
- // The zero value disables keep-alive client connections - // http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout - KeepAlive int `structs:"keep-alive,omitempty"` - - // Maximum number of simultaneous connections that can be opened by each worker process - // http://nginx.org/en/docs/ngx_core_module.html#worker_connections - MaxWorkerConnections int `structs:"max-worker-connections,omitempty"` - - // Defines a timeout for establishing a connection with a proxied server. - // It should be noted that this timeout cannot usually exceed 75 seconds. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout - ProxyConnectTimeout int `structs:"proxy-connect-timeout,omitempty"` - - // If UseProxyProtocol is enabled ProxyRealIPCIDR defines the default the IP/network address - // of your external load balancer - ProxyRealIPCIDR string `structs:"proxy-real-ip-cidr,omitempty"` - - // Timeout in seconds for reading a response from the proxied server. The timeout is set only between - // two successive read operations, not for the transmission of the whole response - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout - ProxyReadTimeout int `structs:"proxy-read-timeout,omitempty"` - - // Timeout in seconds for transmitting a request to the proxied server. The timeout is set only between - // two successive write operations, not for the transmission of the whole request. - // http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout - ProxySendTimeout int `structs:"proxy-send-timeout,omitempty"` - - // Configures name servers used to resolve names of upstream servers into addresses - // http://nginx.org/en/docs/http/ngx_http_core_module.html#resolver - Resolver string `structs:"resolver,omitempty"` - - // Maximum size of the server names hash tables used in server names, map directive’s values, - // MIME types, names of request header strings, etcd. 
- // http://nginx.org/en/docs/hash.html - // http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size - ServerNameHashMaxSize int `structs:"server-name-hash-max-size,omitempty"` - - // Size of the bucker for the server names hash tables - // http://nginx.org/en/docs/hash.html - // http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size - ServerNameHashBucketSize int `structs:"server-name-hash-bucket-size,omitempty"` - - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size - // Sets the size of the buffer used for sending data. - // 4k helps NGINX to improve TLS Time To First Byte (TTTFB) - // https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/ - SSLBufferSize string `structs:"ssl-buffer-size,omitempty"` - - // Enabled ciphers list to enabled. The ciphers are specified in the format understood by - // the OpenSSL library - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers - SSLCiphers string `structs:"ssl-ciphers,omitempty"` - - // Base64 string that contains Diffie-Hellman key to help with "Perfect Forward Secrecy" - // https://www.openssl.org/docs/manmaster/apps/dhparam.html - // https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam - SSLDHParam string `structs:"ssl-dh-param,omitempty"` - - // SSL enabled protocols to use - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols - SSLProtocols string `structs:"ssl-protocols,omitempty"` - - // Enables or disables the use of shared SSL cache among worker processes. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache - SSLSessionCache bool `structs:"ssl-session-cache,omitempty"` - - // Size of the SSL shared cache between all worker processes. 
- // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache - SSLSessionCacheSize string `structs:"ssl-session-cache-size,omitempty"` - - // Enables or disables session resumption through TLS session tickets. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets - SSLSessionTickets bool `structs:"ssl-session-tickets,omitempty"` - - // Time during which a client may reuse the session parameters stored in a cache. - // http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_timeout - SSLSessionTimeout string `structs:"ssl-session-timeout,omitempty"` - - // Number of unsuccessful attempts to communicate with the server that should happen in the - // duration set by the fail_timeout parameter to consider the server unavailable - // http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream - // Default: 0, ie use platform liveness probe - UpstreamMaxFails int `structs:"upstream-max-fails,omitempty"` - - // Time during which the specified number of unsuccessful attempts to communicate with - // the server should happen to consider the server unavailable - // http://nginx.org/en/docs/http/ngx_http_upstream_module.html#upstream - // Default: 0, ie use platform liveness probe - UpstreamFailTimeout int `structs:"upstream-fail-timeout,omitempty"` - - // Enables or disables the use of the PROXY protocol to receive client connection - // (real IP address) information passed through proxy servers and load balancers - // such as HAproxy and Amazon Elastic Load Balancer (ELB). 
- // https://www.nginx.com/resources/admin-guide/proxy-protocol/ - UseProxyProtocol bool `structs:"use-proxy-protocol,omitempty"` - - // Enables or disables the use of the nginx module that compresses responses using the "gzip" method - // http://nginx.org/en/docs/http/ngx_http_gzip_module.html - UseGzip bool `structs:"use-gzip,omitempty"` - - // Enables or disables the HTTP/2 support in secure connections - // http://nginx.org/en/docs/http/ngx_http_v2_module.html - // Default: true - UseHTTP2 bool `structs:"use-http2,omitempty"` - - // MIME types in addition to "text/html" to compress. The special value “*” matches any MIME type. - // Responses with the “text/html” type are always compressed if UseGzip is enabled - GzipTypes string `structs:"gzip-types,omitempty"` - - // Defines the number of worker processes. By default auto means number of available CPU cores - // http://nginx.org/en/docs/ngx_core_module.html#worker_processes - WorkerProcesses string `structs:"worker-processes,omitempty"` -} - // Manager ... type Manager struct { ConfigFile string - defCfg Configuration + defCfg config.Configuration defResolver string 
@@ -265,59 +53,19 @@ type Manager struct {
 	reloadLock *sync.Mutex
 }
-// defaultConfiguration returns the default configuration contained
-// in the file default-conf.json
-func newDefaultNginxCfg() Configuration {
-	cfg := Configuration{
-		BodySize: bodySize,
-		ErrorLogLevel: errorLevel,
-		HSTS: true,
-		HSTSIncludeSubdomains: true,
-		HSTSMaxAge: hstsMaxAge,
-		GzipTypes: gzipTypes,
-		KeepAlive: 75,
-		MaxWorkerConnections: 16384,
-		ProxyConnectTimeout: 5,
-		ProxyRealIPCIDR: defIPCIDR,
-		ProxyReadTimeout: 60,
-		ProxySendTimeout: 60,
-		ServerNameHashMaxSize: 512,
-		ServerNameHashBucketSize: 64,
-		SSLBufferSize: sslBufferSize,
-		SSLCiphers: sslCiphers,
-		SSLProtocols: sslProtocols,
-		SSLSessionCache: true,
-		SSLSessionCacheSize: sslSessionCacheSize,
-		SSLSessionTickets: true,
-		SSLSessionTimeout: sslSessionTimeout,
-		UseProxyProtocol: false,
-		UseGzip: true,
-		WorkerProcesses: strconv.Itoa(runtime.NumCPU()),
-		VtsStatusZoneSize: "10m",
-		UseHTTP2: true,
-		CustomHTTPErrors: make([]int, 0),
-	}
-
-	if glog.V(5) {
-		cfg.ErrorLogLevel = "debug"
-	}
-
-	return cfg
-}
-
 // NewManager ...
 func NewManager(kubeClient *client.Client) *Manager {
 	ngx := &Manager{
 		ConfigFile: "/etc/nginx/nginx.conf",
-		defCfg: newDefaultNginxCfg(),
+		defCfg: config.NewDefault(),
 		defResolver: strings.Join(getDNSServers(), " "),
 		reloadLock: &sync.Mutex{},
 		reloadRateLimiter: flowcontrol.NewTokenBucketRateLimiter(0.1, 1),
 	}
-	ngx.createCertsDir(sslDirectory)
+	ngx.createCertsDir(config.SSLDirectory)
-	ngx.sslDHParam = ngx.SearchDHParamFile(sslDirectory)
+	ngx.sslDHParam = ngx.SearchDHParamFile(config.SSLDirectory)
 	ngx.loadTemplate()
@@ -342,7 +90,7 @@ func ConfigMapAsString() string {
 	cfg.Namespace = "a-valid-namespace"
 	cfg.Data = make(map[string]string)
-	data := structs.Map(newDefaultNginxCfg())
+	data := structs.Map(config.NewDefault())
 	for k, v := range data {
 		cfg.Data[k] = fmt.Sprintf("%v", v)
 	}
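Review bot: `defCfg: config.NewDefault()` replaces newDefaultNginxCfg, but the function removed in this hunk also switched `ErrorLogLevel` to "debug" when `glog.V(5)` was set, and config.NewDefault is not part of this diff, so please confirm that behaviour (and the `WorkerProcesses: strconv.Itoa(runtime.NumCPU())` default) survived the move; otherwise verbose runs silently lose nginx debug logging. ConfigMapAsString in the following hunk now depends on the same function, so any drift in the defaults also changes the generated example ConfigMap. A one-line comment on the `defCfg` field such as `// defCfg is config.NewDefault(); ConfigMap values are merged on top of it in ReadConfig` would make the relationship explicit.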
diff --git a/ingress/controllers/nginx/nginx/rewrite/main_test.go b/ingress/controllers/nginx/nginx/rewrite/main_test.go
index 57db686af4..5e16adb7b1 100644
--- a/ingress/controllers/nginx/nginx/rewrite/main_test.go
+++ b/ingress/controllers/nginx/nginx/rewrite/main_test.go
@@ -22,6 +22,8 @@ import (
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/util/intstr"
+
+	"k8s.io/contrib/ingress/controllers/nginx/nginx/config"
 )
 const (
@@ -94,7 +96,7 @@ func TestAnnotations(t *testing.T) {
 func TestWithoutAnnotations(t *testing.T) {
 	ing := buildIngress()
-	_, err := ParseAnnotations(ing)
+	_, err := ParseAnnotations(config.NewDefault(), ing)
 	if err == nil {
 		t.Error("Expected error with ingress without annotations")
 	}
@@ -107,7 +109,7 @@ func TestRedirect(t *testing.T) {
 	data[rewriteTo] = defRoute
 	ing.SetAnnotations(data)
-	redirect, err := ParseAnnotations(ing)
+	redirect, err := ParseAnnotations(config.NewDefault(), ing)
 	if err != nil {
 		t.Errorf("Uxpected error with ingress: %v", err)
 	}
diff --git a/ingress/controllers/nginx/nginx/ssl.go b/ingress/controllers/nginx/nginx/ssl.go
index dce7253502..cabcc7fd1d 100644
--- a/ingress/controllers/nginx/nginx/ssl.go
+++ b/ingress/controllers/nginx/nginx/ssl.go
@@ -26,6 +26,8 @@ import (
 	"os"
 	"github.com/golang/glog"
+
+	"k8s.io/contrib/ingress/controllers/nginx/nginx/config"
 )
 // SSLCert describes a SSL certificate to be used in NGINX
@@ -43,7 +45,7 @@ type SSLCert struct {
 // AddOrUpdateCertAndKey creates a .pem file wth the cert and the key with the specified name
 func (nginx *Manager) AddOrUpdateCertAndKey(name string, cert string, key string) (SSLCert, error) {
-	pemFileName := sslDirectory + "/" + name + ".pem"
+	pemFileName := config.SSLDirectory + "/" + name + ".pem"
 	pem, err := os.Create(pemFileName)
 	if err != nil {
diff --git a/ingress/controllers/nginx/nginx/ssl_test.go b/ingress/controllers/nginx/nginx/ssl_test.go
index 3408806743..f6ad78c1e7 100644
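Review bot: `pemFileName := config.SSLDirectory + "/" + name + ".pem"` still builds the destination of a private-key file by string concatenation, and the directory is now a package-level variable that other packages can reassign (ssl_test.go does `config.SSLDirectory = os.TempDir()`), so both inputs to the path are unvalidated. Prefer `pemFileName := filepath.Join(config.SSLDirectory, name+".pem")` and reject a `name` containing a path separator or `..` before os.Create; this diff does not show where name originates, so if it is already sanitised upstream a comment saying so on the function would suffice. Making the directory a field on Manager set in NewManager, instead of an exported var, would let the test use a temp dir without mutating shared state. The body of AddOrUpdateCertAndKey continues outside the hunk.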
--- a/ingress/controllers/nginx/nginx/ssl_test.go
+++ b/ingress/controllers/nginx/nginx/ssl_test.go
@@ -22,10 +22,12 @@ import (
 	"os"
 	"testing"
 	"time"
+
+	"k8s.io/contrib/ingress/controllers/nginx/nginx/config"
 )
 func TestAddOrUpdateCertAndKey(t *testing.T) {
-	sslDirectory = os.TempDir()
+	config.SSLDirectory = os.TempDir()
 	// openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/tls.key -out /tmp/tls.crt -subj "/CN=echoheaders/O=echoheaders"
 	tlsCrt := "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"
 	tlsKey := "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"
diff --git a/ingress/controllers/nginx/nginx/template.go b/ingress/controllers/nginx/nginx/template.go
index 60fd1b5e34..d28cd9e651 100644
--- a/ingress/controllers/nginx/nginx/template.go
+++ b/ingress/controllers/nginx/nginx/template.go
@@ -26,6 +26,8 @@ import (
 	"github.com/fatih/structs"
 	"github.com/golang/glog"
+
+	"k8s.io/contrib/ingress/controllers/nginx/nginx/config"
 )
 const (
@@ -57,7 +59,7 @@ func (ngx *Manager) loadTemplate() {
 	ngx.template = tmpl
 }
-func (ngx *Manager) writeCfg(cfg Configuration, ingressCfg IngressConfig) (bool, error) {
+func (ngx *Manager) writeCfg(cfg config.Configuration, ingressCfg IngressConfig) (bool, error) {
 	conf := make(map[string]interface{})
 	conf["upstreams"] = ingressCfg.Upstreams
 	conf["servers"] = ingressCfg.Servers
diff --git a/ingress/controllers/nginx/nginx/utils.go b/ingress/controllers/nginx/nginx/utils.go
index 2cd7546b3d..b70779391a 100644
--- a/ingress/controllers/nginx/nginx/utils.go
+++ b/ingress/controllers/nginx/nginx/utils.go
@@ -26,9 +26,10 @@ import (
 	"strings"
 	"github.com/golang/glog"
-	"github.com/mitchellh/mapstructure"
 	"k8s.io/kubernetes/pkg/api"
+
+	"k8s.io/contrib/ingress/controllers/nginx/nginx/config"
 )
 const (
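Review bot: The utils.go import hunk removes `"github.com/mitchellh/mapstructure"`, yet the ReadConfig hunk that follows still has `metadata := &mapstructure.Metadata{}` as an unchanged line, so as listed utils.go would not compile. If the import was only moved into another group and the listing lost that line, disregard this; otherwise the removal needs to be reverted. The new grouping (stdlib, third-party, then a separate k8s.io/contrib group) is consistent with the other files in this change.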
@@ -67,7 +68,7 @@ func getDNSServers() []string {
 // getConfigKeyToStructKeyMap returns a map with the ConfigMapKey as key and the StructName as value.
 func getConfigKeyToStructKeyMap() map[string]string {
 	keyMap := map[string]string{}
-	n := &Configuration{}
+	n := &config.Configuration{}
 	val := reflect.Indirect(reflect.ValueOf(n))
 	for i := 0; i < val.Type().NumField(); i++ {
 		fieldSt := val.Type().Field(i)
@@ -79,13 +80,13 @@ func getConfigKeyToStructKeyMap() map[string]string {
 }
 // ReadConfig obtains the configuration defined by the user merged with the defaults.
-func (ngx *Manager) ReadConfig(config *api.ConfigMap) Configuration {
-	if len(config.Data) == 0 {
-		return newDefaultNginxCfg()
+func (ngx *Manager) ReadConfig(conf *api.ConfigMap) config.Configuration {
+	if len(conf.Data) == 0 {
+		return config.NewDefault()
 	}
-	cfgCM := Configuration{}
-	cfgDefault := newDefaultNginxCfg()
+	cfgCM := config.Configuration{}
+	cfgDefault := config.NewDefault()
 	metadata := &mapstructure.Metadata{}
@@ -97,8 +98,8 @@ func (ngx *Manager) ReadConfig(config *api.ConfigMap) Configuration {
 	})
 	cErrors := make([]int, 0)
-	if val, ok := config.Data[customHTTPErrors]; ok {
-		delete(config.Data, customHTTPErrors)
+	if val, ok := conf.Data[customHTTPErrors]; ok {
+		delete(conf.Data, customHTTPErrors)
 		for _, i := range strings.Split(val, ",") {
 			j, err := strconv.Atoi(i)
 			if err != nil {
@@ -109,7 +110,7 @@ func (ngx *Manager) ReadConfig(config *api.ConfigMap) Configuration {
 		}
 	}
-	err = decoder.Decode(config.Data)
+	err = decoder.Decode(conf.Data)
 	if err != nil {
 		glog.Infof("%v", err)
 	}
diff --git a/ingress/controllers/nginx/nginx/utils_test.go b/ingress/controllers/nginx/nginx/utils_test.go
index b5b7057b37..1f95bf59ec 100644
--- a/ingress/controllers/nginx/nginx/utils_test.go
+++ b/ingress/controllers/nginx/nginx/utils_test.go
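Review bot: `delete(conf.Data, customHTTPErrors)` mutates the ConfigMap the caller handed in, so the custom-http-errors key vanishes from that object after the first ReadConfig call; if conf is a shared cache object (not visible here) that is a surprising side effect for other readers. Renaming the parameter from `config` to `conf` is the right call now that the package is imported, but the decode should work on a copy, e.g. `data := make(map[string]string, len(conf.Data))` followed by `for k, v := range conf.Data { data[k] = v }`, with the delete and `decoder.Decode` then applied to `data`. ReadConfig starts and ends outside this hunk.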
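Review bot: `err = decoder.Decode(conf.Data)` reports a failure only through `glog.Infof("%v", err)`, so a mistyped ConfigMap value is applied partially and the cause is visible only at info level. At minimum log it at warning level with the object it came from, `glog.Warningf("error decoding ConfigMap %v/%v: %v", conf.Namespace, conf.Name, err)`, and consider returning the error so the caller can keep the last good configuration instead of reloading nginx with a half-decoded one. ReadConfig's body continues outside the hunk.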
@@ -20,9 +20,11 @@ import (
 	"testing"
 	"k8s.io/kubernetes/pkg/api"
+
+	"k8s.io/contrib/ingress/controllers/nginx/nginx/config"
 )
-func getConfigNginxBool(data map[string]string) Configuration {
+func getConfigNginxBool(data map[string]string) config.Configuration {
 	manager := &Manager{}
 	configMap := &api.ConfigMap{
 		Data: data,