Skip to content

Commit

Permalink
Merge pull request #3203 from aledbf/remove-deprecated
Browse files Browse the repository at this point in the history
Remove annotations grpc-backend and secure-backend already deprecated
  • Loading branch information
k8s-ci-robot authored Oct 9, 2018
2 parents c8f407a + 859b298 commit 77aece4
Show file tree
Hide file tree
Showing 14 changed files with 64 additions and 254 deletions.
5 changes: 2 additions & 3 deletions docs/examples/grpc/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,8 +48,7 @@ inside the cluster and arrive "insecure").

For your own application you may or may not want to do this. If you prefer to
forward encrypted traffic to your POD and terminate TLS at the gRPC server
itself, add the ingress annotation `nginx.ingress.kubernetes.io/secure-backends:
"true"`.
itself, add the ingress annotation `nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"`.

### Step 2: the kubernetes `Service`

Expand All @@ -69,7 +68,7 @@ $ kubectl create -f ingress.yaml
A few things to note:

1. We've tagged the ingress with the annotation
`nginx.ingress.kubernetes.io/grpc-backend: "true"`. This is the magic
`nginx.ingress.kubernetes.io/backend-protocol: "GRPC"`. This is the magic
ingredient that sets up the appropriate nginx configuration to route http/2
traffic to our service.
1. We're terminating TLS at the ingress and have configured an SSL certificate
Expand Down
28 changes: 0 additions & 28 deletions docs/user-guide/nginx-configuration/annotations.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,6 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
|[nginx.ingress.kubernetes.io/cors-max-age](#enable-cors)|number|
|[nginx.ingress.kubernetes.io/force-ssl-redirect](#server-side-https-enforcement-through-redirect)|"true" or "false"|
|[nginx.ingress.kubernetes.io/from-to-www-redirect](#redirect-from-to-www)|"true" or "false"|
|[nginx.ingress.kubernetes.io/grpc-backend](#grpc-backend)|"true" or "false"|
|[nginx.ingress.kubernetes.io/limit-connections](#rate-limiting)|number|
|[nginx.ingress.kubernetes.io/limit-rps](#rate-limiting)|number|
|[nginx.ingress.kubernetes.io/permanent-redirect](#permanent-redirect)|string|
Expand All @@ -58,7 +57,6 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
|[nginx.ingress.kubernetes.io/proxy-redirect-to](#proxy-redirect)|string|
|[nginx.ingress.kubernetes.io/enable-rewrite-log](#enable-rewrite-log)|"true" or "false"|
|[nginx.ingress.kubernetes.io/rewrite-target](#rewrite)|URI|
|[nginx.ingress.kubernetes.io/secure-backends](#secure-backends)|"true" or "false"|
|[nginx.ingress.kubernetes.io/secure-verify-ca-secret](#secure-backends)|string|
|[nginx.ingress.kubernetes.io/server-alias](#server-alias)|string|
|[nginx.ingress.kubernetes.io/server-snippet](#server-snippet)|string|
Expand Down Expand Up @@ -393,19 +391,6 @@ the User guide.
Because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on the layer 7 (HTTP), using SSL Passthrough
invalidates all the other annotations set on an Ingress object.

### Secure backends DEPRECATED (since 0.18.0)

Please use `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`
By default NGINX uses plain HTTP to reach the services.
Adding the annotation `nginx.ingress.kubernetes.io/secure-backends: "true"` in the Ingress rule changes the protocol to HTTPS.
If you want to validate the upstream against a specific certificate, you can create a secret with it and reference the secret with the annotation `nginx.ingress.kubernetes.io/secure-verify-ca-secret`.

!!! attention

Note that if an invalid or non-existent secret is given,
the ingress controller will ignore the `secure-backends` annotation.

### Service Upstream

By default the NGINX ingress controller uses a list of all endpoints (Pod IP/port) in the NGINX upstream configuration.
Expand Down Expand Up @@ -588,19 +573,6 @@ nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules: '[=[ { "access": [ { "act

For details on how to write WAF rules, please refer to [https://github.com/p0pr0ck5/lua-resty-waf](https://github.com/p0pr0ck5/lua-resty-waf).

### gRPC backend DEPRECATED (since 0.18.0)

Please use `nginx.ingress.kubernetes.io/backend-protocol: "GRPC"` or `nginx.ingress.kubernetes.io/backend-protocol: "GRPCS"`

Since NGINX 1.13.10 it is possible to expose [gRPC services natively](http://nginx.org/en/docs/http/ngx_http_grpc_module.html)

You only need to add the annotation `nginx.ingress.kubernetes.io/grpc-backend: "true"` to enable this feature.
Additionally, if the gRPC service requires TLS, add `nginx.ingress.kubernetes.io/secure-backends: "true"`.

!!! attention
This feature requires HTTP2 to work which means we need to expose this service using HTTPS.
Exposing a gRPC service using HTTP is not supported.

[configmap]: ./configmap.md

### InfluxDB
Expand Down
3 changes: 0 additions & 3 deletions internal/ingress/annotations/annotations.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,6 @@ import (
"k8s.io/ingress-nginx/internal/ingress/annotations/connection"
"k8s.io/ingress-nginx/internal/ingress/annotations/cors"
"k8s.io/ingress-nginx/internal/ingress/annotations/defaultbackend"
"k8s.io/ingress-nginx/internal/ingress/annotations/grpc"
"k8s.io/ingress-nginx/internal/ingress/annotations/healthcheck"
"k8s.io/ingress-nginx/internal/ingress/annotations/influxdb"
"k8s.io/ingress-nginx/internal/ingress/annotations/ipwhitelist"
Expand Down Expand Up @@ -95,7 +94,6 @@ type Ingress struct {
XForwardedPrefix bool
SSLCiphers string
Logs log.Config
GRPC bool
LuaRestyWAF luarestywaf.Config
InfluxDB influxdb.Config
}
Expand Down Expand Up @@ -136,7 +134,6 @@ func NewAnnotationExtractor(cfg resolver.Resolver) Extractor {
"XForwardedPrefix": xforwardedprefix.NewParser(cfg),
"SSLCiphers": sslcipher.NewParser(cfg),
"Logs": log.NewParser(cfg),
"GRPC": grpc.NewParser(cfg),
"LuaRestyWAF": luarestywaf.NewParser(cfg),
"InfluxDB": influxdb.NewParser(cfg),
"BackendProtocol": backendprotocol.NewParser(cfg),
Expand Down
36 changes: 6 additions & 30 deletions internal/ingress/annotations/annotations_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@ import (
)

var (
annotationSecureUpstream = parser.GetAnnotationWithPrefix("secure-backends")
annotationSecureVerifyCACert = parser.GetAnnotationWithPrefix("secure-verify-ca-secret")
annotationUpsMaxFails = parser.GetAnnotationWithPrefix("upstream-max-fails")
annotationUpsFailTimeout = parser.GetAnnotationWithPrefix("upstream-fail-timeout")
Expand All @@ -40,6 +39,7 @@ var (
annotationCorsAllowMethods = parser.GetAnnotationWithPrefix("cors-allow-methods")
annotationCorsAllowHeaders = parser.GetAnnotationWithPrefix("cors-allow-headers")
annotationCorsAllowCredentials = parser.GetAnnotationWithPrefix("cors-allow-credentials")
backendProtocol = parser.GetAnnotationWithPrefix("backend-protocol")
defaultCorsMethods = "GET, PUT, POST, DELETE, PATCH, OPTIONS"
defaultCorsHeaders = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization"
annotationAffinityCookieName = parser.GetAnnotationWithPrefix("session-cookie-name")
Expand Down Expand Up @@ -111,30 +111,6 @@ func buildIngress() *extensions.Ingress {
}
}

func TestSecureUpstream(t *testing.T) {
ec := NewAnnotationExtractor(mockCfg{})
ing := buildIngress()

fooAnns := []struct {
annotations map[string]string
er bool
}{
{map[string]string{annotationSecureUpstream: "true"}, true},
{map[string]string{annotationSecureUpstream: "false"}, false},
{map[string]string{annotationSecureUpstream + "_no": "true"}, false},
{map[string]string{}, false},
{nil, false},
}

for _, foo := range fooAnns {
ing.SetAnnotations(foo.annotations)
r := ec.Extract(ing).SecureUpstream
if r.Secure != foo.er {
t.Errorf("Returned %v but expected %v", r, foo.er)
}
}
}

func TestSecureVerifyCACert(t *testing.T) {
ec := NewAnnotationExtractor(mockCfg{
MockSecrets: map[string]*apiv1.Secret{
Expand All @@ -151,11 +127,11 @@ func TestSecureVerifyCACert(t *testing.T) {
annotations map[string]string
exists bool
}{
{1, map[string]string{annotationSecureUpstream: "true", annotationSecureVerifyCACert: "not"}, false},
{2, map[string]string{annotationSecureUpstream: "false", annotationSecureVerifyCACert: "secure-verify-ca"}, false},
{3, map[string]string{annotationSecureUpstream: "true", annotationSecureVerifyCACert: "secure-verify-ca"}, true},
{4, map[string]string{annotationSecureUpstream: "true", annotationSecureVerifyCACert + "_not": "secure-verify-ca"}, false},
{5, map[string]string{annotationSecureUpstream: "true"}, false},
{1, map[string]string{backendProtocol: "HTTPS", annotationSecureVerifyCACert: "not"}, false},
{2, map[string]string{backendProtocol: "HTTP", annotationSecureVerifyCACert: "secure-verify-ca"}, false},
{3, map[string]string{backendProtocol: "HTTPS", annotationSecureVerifyCACert: "secure-verify-ca"}, true},
{4, map[string]string{backendProtocol: "HTTPS", annotationSecureVerifyCACert + "_not": "secure-verify-ca"}, false},
{5, map[string]string{backendProtocol: "HTTPS"}, false},
{6, map[string]string{}, false},
{7, nil, false},
}
Expand Down
44 changes: 0 additions & 44 deletions internal/ingress/annotations/grpc/main.go

This file was deleted.

80 changes: 0 additions & 80 deletions internal/ingress/annotations/grpc/main_test.go

This file was deleted.

8 changes: 3 additions & 5 deletions internal/ingress/annotations/secureupstream/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@ import (

// Config describes SSL backend configuration
type Config struct {
Secure bool `json:"secure"`
CACert resolver.AuthSSLCert `json:"caCert"`
}

Expand All @@ -44,13 +43,13 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation {
// Parse parses the annotations contained in the ingress
// rule used to indicate if the upstream servers should use SSL
func (a su) Parse(ing *extensions.Ingress) (interface{}, error) {
s, _ := parser.GetBoolAnnotation("secure-backends", ing)
bp, _ := parser.GetStringAnnotation("backend-protocol", ing)
ca, _ := parser.GetStringAnnotation("secure-verify-ca-secret", ing)
secure := &Config{
Secure: s,
CACert: resolver.AuthSSLCert{},
}
if !s && ca != "" {

if (bp != "HTTPS" && bp != "GRPCS") && ca != "" {
return secure,
errors.Errorf("trying to use CA from secret %v/%v on a non secure backend", ing.Namespace, ca)
}
Expand All @@ -65,7 +64,6 @@ func (a su) Parse(ing *extensions.Ingress) (interface{}, error) {
return secure, nil
}
return &Config{
Secure: s,
CACert: *caCert,
}, nil
}
6 changes: 3 additions & 3 deletions internal/ingress/annotations/secureupstream/main_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ func (cfg mockCfg) GetAuthCertificate(secret string) (*resolver.AuthSSLCert, err
func TestAnnotations(t *testing.T) {
ing := buildIngress()
data := map[string]string{}
data[parser.GetAnnotationWithPrefix("secure-backends")] = "true"
data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS"
data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca"
ing.SetAnnotations(data)

Expand All @@ -96,7 +96,7 @@ func TestAnnotations(t *testing.T) {
func TestSecretNotFound(t *testing.T) {
ing := buildIngress()
data := map[string]string{}
data[parser.GetAnnotationWithPrefix("secure-backends")] = "true"
data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTPS"
data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca"
ing.SetAnnotations(data)
_, err := NewParser(mockCfg{}).Parse(ing)
Expand All @@ -108,7 +108,7 @@ func TestSecretNotFound(t *testing.T) {
func TestSecretOnNonSecure(t *testing.T) {
ing := buildIngress()
data := map[string]string{}
data[parser.GetAnnotationWithPrefix("secure-backends")] = "false"
data[parser.GetAnnotationWithPrefix("backend-protocol")] = "HTTP"
data[parser.GetAnnotationWithPrefix("secure-verify-ca-secret")] = "secure-verify-ca"
ing.SetAnnotations(data)
_, err := NewParser(mockCfg{
Expand Down
10 changes: 0 additions & 10 deletions internal/ingress/controller/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -348,7 +348,6 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
loc.UsePortInRedirects = anns.UsePortInRedirects
loc.Connection = anns.Connection
loc.Logs = anns.Logs
loc.GRPC = anns.GRPC
loc.LuaRestyWAF = anns.LuaRestyWAF
loc.InfluxDB = anns.InfluxDB
loc.DefaultBackend = anns.DefaultBackend
Expand Down Expand Up @@ -389,7 +388,6 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
UsePortInRedirects: anns.UsePortInRedirects,
Connection: anns.Connection,
Logs: anns.Logs,
GRPC: anns.GRPC,
LuaRestyWAF: anns.LuaRestyWAF,
InfluxDB: anns.InfluxDB,
DefaultBackend: anns.DefaultBackend,
Expand Down Expand Up @@ -523,9 +521,6 @@ func (n *NGINXController) createUpstreams(data []*extensions.Ingress, du *ingres

glog.V(3).Infof("Creating upstream %q", defBackend)
upstreams[defBackend] = newUpstream(defBackend)
if !upstreams[defBackend].Secure {
upstreams[defBackend].Secure = anns.SecureUpstream.Secure
}
if upstreams[defBackend].SecureCACert.Secret == "" {
upstreams[defBackend].SecureCACert = anns.SecureUpstream.CACert
}
Expand Down Expand Up @@ -577,10 +572,6 @@ func (n *NGINXController) createUpstreams(data []*extensions.Ingress, du *ingres
upstreams[name] = newUpstream(name)
upstreams[name].Port = path.Backend.ServicePort

if !upstreams[name].Secure {
upstreams[name].Secure = anns.SecureUpstream.Secure
}

if upstreams[name].SecureCACert.Secret == "" {
upstreams[name].SecureCACert = anns.SecureUpstream.CACert
}
Expand Down Expand Up @@ -835,7 +826,6 @@ func (n *NGINXController) createServers(data []*extensions.Ingress,
defLoc.UpstreamVhost = anns.UpstreamVhost
defLoc.Whitelist = anns.Whitelist
defLoc.Denied = anns.Denied
defLoc.GRPC = anns.GRPC
defLoc.LuaRestyWAF = anns.LuaRestyWAF
defLoc.InfluxDB = anns.InfluxDB
} else {
Expand Down
Loading

0 comments on commit 77aece4

Please sign in to comment.