From 44bdc7eb59a28a4ec1ca8588271b0d5aa2addbae Mon Sep 17 00:00:00 2001 From: Manuel Alejandro de Brito Fontes Date: Sun, 7 Oct 2018 10:53:37 -0300 Subject: [PATCH 1/2] Remove support for TCP and UDP services --- cmd/nginx/flags.go | 15 -- internal/ingress/controller/config/config.go | 2 - internal/ingress/controller/controller.go | 138 ------------------ internal/ingress/controller/nginx.go | 4 - internal/ingress/controller/store/store.go | 6 +- .../ingress/controller/store/store_test.go | 11 +- internal/ingress/types.go | 6 - internal/ingress/types_equals.go | 38 ----- rootfs/etc/nginx/template/nginx.tmpl | 57 -------- 9 files changed, 4 insertions(+), 273 deletions(-) diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go index f2fcd2012c..450b00e175 100644 --- a/cmd/nginx/flags.go +++ b/cmd/nginx/flags.go @@ -65,19 +65,6 @@ Takes the form "namespace/name". When used together with update-status, the controller mirrors the address of this service's endpoints to the load-balancer status of all Ingress objects it satisfies.`) - tcpConfigMapName = flags.String("tcp-services-configmap", "", - `Name of the ConfigMap containing the definition of the TCP services to expose. -The key in the map indicates the external port to be used. The value is a -reference to a Service in the form "namespace/name:port", where "port" can -either be a port number or name. TCP ports 80 and 443 are reserved by the -controller for servicing HTTP traffic.`) - - udpConfigMapName = flags.String("udp-services-configmap", "", - `Name of the ConfigMap containing the definition of the UDP services to expose. -The key in the map indicates the external port to be used. The value is a -reference to a Service in the form "namespace/name:port", where "port" can -either be a port name or number.`) - resyncPeriod = flags.Duration("sync-period", 0, `Period at which the controller forces the repopulation of its local object stores. Disabled by default.`) 
@@ -240,8 +227,6 @@ dynamic certificates functionality is enabled. Please check the flags --enable-s DefaultService: *defaultSvc, Namespace: *watchNamespace, ConfigMapName: *configMap, - TCPConfigMapName: *tcpConfigMapName, - UDPConfigMapName: *udpConfigMapName, DefaultSSLCertificate: *defSSLCertificate, DefaultHealthzURL: *defHealthzURL, PublishService: *publishSvc, diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 41e9e38332..5a0d8b332e 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -692,8 +692,6 @@ type TemplateConfig struct { Backends []*ingress.Backend PassthroughBackends []*ingress.SSLPassthroughBackend Servers []*ingress.Server - TCPBackends []ingress.L4Service - UDPBackends []ingress.L4Service HealthzURI string CustomErrors bool Cfg Configuration diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 02d8b23a37..d9afb87b95 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -21,7 +21,6 @@ import ( "math/rand" "sort" "strconv" - "strings" "time" "github.com/golang/glog" @@ -61,11 +60,6 @@ type Configuration struct { ForceNamespaceIsolation bool - // +optional - TCPConfigMapName string - // +optional - UDPConfigMapName string - DefaultHealthzURL string DefaultSSLCertificate string @@ -160,8 +154,6 @@ func (n *NGINXController) syncIngress(interface{}) error { pcfg := &ingress.Configuration{ Backends: upstreams, Servers: servers, - TCPEndpoints: n.getStreamServices(n.cfg.TCPConfigMapName, apiv1.ProtocolTCP), - UDPEndpoints: n.getStreamServices(n.cfg.UDPConfigMapName, apiv1.ProtocolUDP), PassthroughBackends: passUpstreams, BackendConfigChecksum: n.store.GetBackendConfiguration().Checksum, } 
@@ -225,136 +217,6 @@ func (n *NGINXController) syncIngress(interface{}) error { return nil } -func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Protocol) []ingress.L4Service { - if configmapName == "" { - return []ingress.L4Service{} - } - glog.V(3).Infof("Obtaining information about %v stream services from ConfigMap %q", proto, configmapName) - - _, _, err := k8s.ParseNameNS(configmapName) - if err != nil { - glog.Errorf("Error parsing ConfigMap reference %q: %v", configmapName, err) - return []ingress.L4Service{} - } - - configmap, err := n.store.GetConfigMap(configmapName) - if err != nil { - glog.Errorf("Error getting ConfigMap %q: %v", configmapName, err) - return []ingress.L4Service{} - } - - var svcs []ingress.L4Service - var svcProxyProtocol ingress.ProxyProtocol - - rp := []int{ - n.cfg.ListenPorts.HTTP, - n.cfg.ListenPorts.HTTPS, - n.cfg.ListenPorts.SSLProxy, - n.cfg.ListenPorts.Status, - n.cfg.ListenPorts.Health, - n.cfg.ListenPorts.Default, - } - reserverdPorts := sets.NewInt(rp...) - - // svcRef format: <(str)namespace>/<(str)service>:<(intstr)port>[:<("PROXY")decode>:<("PROXY")encode>] - for port, svcRef := range configmap.Data { - externalPort, err := strconv.Atoi(port) - if err != nil { - glog.Warningf("%q is not a valid %v port number", port, proto) - continue - } - - if reserverdPorts.Has(externalPort) { - glog.Warningf("Port %d cannot be used for %v stream services. 
It is reserved for the Ingress controller.", externalPort, proto) - continue - } - - nsSvcPort := strings.Split(svcRef, ":") - if len(nsSvcPort) < 2 { - glog.Warningf("Invalid Service reference %q for %v port %d", svcRef, proto, externalPort) - continue - } - - nsName := nsSvcPort[0] - svcPort := nsSvcPort[1] - svcProxyProtocol.Decode = false - svcProxyProtocol.Encode = false - - // Proxy Protocol is only compatible with TCP Services - if len(nsSvcPort) >= 3 && proto == apiv1.ProtocolTCP { - if len(nsSvcPort) >= 3 && strings.ToUpper(nsSvcPort[2]) == "PROXY" { - svcProxyProtocol.Decode = true - } - if len(nsSvcPort) == 4 && strings.ToUpper(nsSvcPort[3]) == "PROXY" { - svcProxyProtocol.Encode = true - } - } - - svcNs, svcName, err := k8s.ParseNameNS(nsName) - if err != nil { - glog.Warningf("%v", err) - continue - } - - svc, err := n.store.GetService(nsName) - if err != nil { - glog.Warningf("Error getting Service %q: %v", nsName, err) - continue - } - - var endps []ingress.Endpoint - targetPort, err := strconv.Atoi(svcPort) - if err != nil { - // not a port number, fall back to using port name - glog.V(3).Infof("Searching Endpoints with %v port name %q for Service %q", proto, svcPort, nsName) - for _, sp := range svc.Spec.Ports { - if sp.Name == svcPort { - if sp.Protocol == proto { - endps = getEndpoints(svc, &sp, proto, &healthcheck.Config{}, n.store.GetServiceEndpoints) - break - } - } - } - } else { - glog.V(3).Infof("Searching Endpoints with %v port number %d for Service %q", proto, targetPort, nsName) - for _, sp := range svc.Spec.Ports { - if sp.Port == int32(targetPort) { - if sp.Protocol == proto { - endps = getEndpoints(svc, &sp, proto, &healthcheck.Config{}, n.store.GetServiceEndpoints) - break - } - } - } - } - - // stream services cannot contain empty upstreams and there is - // no default backend equivalent - if len(endps) == 0 { - glog.Warningf("Service %q does not have any active Endpoint for %v port %v", nsName, proto, svcPort) - continue - } - - 
svcs = append(svcs, ingress.L4Service{ - Port: externalPort, - Backend: ingress.L4Backend{ - Name: svcName, - Namespace: svcNs, - Port: intstr.FromString(svcPort), - Protocol: proto, - ProxyProtocol: svcProxyProtocol, - }, - Endpoints: endps, - }) - } - - // Keep upstream order sorted to reduce unnecessary nginx config reloads. - sort.SliceStable(svcs, func(i, j int) bool { - return svcs[i].Port < svcs[j].Port - }) - - return svcs -} - // getDefaultUpstream returns the upstream associated with the default backend. // Configures the upstream to return HTTP code 503 in case of error. func (n *NGINXController) getDefaultUpstream() *ingress.Backend { diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go index 65c685bb9e..aa4ccf86a4 100644 --- a/internal/ingress/controller/nginx.go +++ b/internal/ingress/controller/nginx.go @@ -112,8 +112,6 @@ func NewNGINXController(config *Configuration, mc metric.Collector, fs file.File config.EnableSSLChainCompletion, config.Namespace, config.ConfigMapName, - config.TCPConfigMapName, - config.UDPConfigMapName, config.DefaultSSLCertificate, config.ResyncPeriod, config.Client, @@ -580,8 +578,6 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error { Backends: ingressCfg.Backends, PassthroughBackends: ingressCfg.PassthroughBackends, Servers: ingressCfg.Servers, - TCPBackends: ingressCfg.TCPEndpoints, - UDPBackends: ingressCfg.UDPEndpoints, HealthzURI: ngxHealthPath, CustomErrors: len(cfg.CustomHTTPErrors) > 0, Cfg: cfg, diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go index 751246c01d..547d5ff44c 100644 --- a/internal/ingress/controller/store/store.go +++ b/internal/ingress/controller/store/store.go 
@@ -218,7 +218,7 @@ type k8sStore struct { // New creates a new object store to be used in the ingress controller func New(checkOCSP bool, - namespace, configmap, tcp, udp, defaultSSLCertificate string, + namespace, configmap, defaultSSLCertificate string, resyncPeriod time.Duration, client clientset.Interface, fs file.Filesystem, @@ -473,7 +473,7 @@ func New(checkOCSP bool, cm := obj.(*corev1.ConfigMap) key := k8s.MetaNamespaceKey(cm) // updates to configuration configmaps can trigger an update - if key == configmap || key == tcp || key == udp { + if key == configmap { recorder.Eventf(cm, corev1.EventTypeNormal, "CREATE", fmt.Sprintf("ConfigMap %v", key)) if key == configmap { store.setConfig(cm) @@ -489,7 +489,7 @@ func New(checkOCSP bool, cm := cur.(*corev1.ConfigMap) key := k8s.MetaNamespaceKey(cm) // updates to configuration configmaps can trigger an update - if key == configmap || key == tcp || key == udp { + if key == configmap { recorder.Eventf(cm, corev1.EventTypeNormal, "UPDATE", fmt.Sprintf("ConfigMap %v", key)) if key == configmap { store.setConfig(cm) diff --git a/internal/ingress/controller/store/store_test.go b/internal/ingress/controller/store/store_test.go index 8bb6f8f660..860ebe651d 100644 --- a/internal/ingress/controller/store/store_test.go +++ b/internal/ingress/controller/store/store_test.go @@ -32,6 +32,7 @@ import ( "encoding/base64" "io/ioutil" + "k8s.io/api/core/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/kubernetes/fake" @@ -62,8 +63,6 @@ func TestStore(t *testing.T) { storer := New(true, ns, fmt.Sprintf("%v/config", ns), - fmt.Sprintf("%v/tcp", ns), - fmt.Sprintf("%v/udp", ns), "", 10*time.Minute, clientSet, @@ -150,8 +149,6 @@ func TestStore(t *testing.T) { storer := New(true, ns, fmt.Sprintf("%v/config", ns), - fmt.Sprintf("%v/tcp", ns), - fmt.Sprintf("%v/udp", ns), "", 10*time.Minute, clientSet, 
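Review bot: The inner `if key == configmap { store.setConfig(cm) }` in both the CREATE and UPDATE ConfigMap handlers is now always true, because the enclosing condition was narrowed to `if key == configmap {` once the tcp/udp keys were dropped, so the nested check reads as if other ConfigMaps could still reach that branch. Collapse the two levels into one `if key == configmap {` that emits the event and calls `store.setConfig(cm)` directly, and state the intent with a comment such as `// only the main configuration ConfigMap can trigger a reload now that the TCP/UDP service maps are gone`. Both handlers live inside New, whose body starts before and continues after the hunk.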
@@ -298,8 +295,6 @@ func TestStore(t *testing.T) { storer := New(true, ns, fmt.Sprintf("%v/config", ns), - fmt.Sprintf("%v/tcp", ns), - fmt.Sprintf("%v/udp", ns), "", 10*time.Minute, clientSet, @@ -387,8 +382,6 @@ func TestStore(t *testing.T) { storer := New(true, ns, fmt.Sprintf("%v/config", ns), - fmt.Sprintf("%v/tcp", ns), - fmt.Sprintf("%v/udp", ns), "", 10*time.Minute, clientSet, @@ -499,8 +492,6 @@ func TestStore(t *testing.T) { storer := New(true, ns, fmt.Sprintf("%v/config", ns), - fmt.Sprintf("%v/tcp", ns), - fmt.Sprintf("%v/udp", ns), "", 10*time.Minute, clientSet, diff --git a/internal/ingress/types.go b/internal/ingress/types.go index 57f9ac6b02..60d1315f13 100644 --- a/internal/ingress/types.go +++ b/internal/ingress/types.go @@ -53,12 +53,6 @@ type Configuration struct { Backends []*Backend `json:"backends,omitempty"` // Servers Servers []*Server `json:"servers,omitempty"` - // TCPEndpoints contain endpoints for tcp streams handled by this backend - // +optional - TCPEndpoints []L4Service `json:"tcpEndpoints,omitempty"` - // UDPEndpoints contain endpoints for udp streams handled by this backend - // +optional - UDPEndpoints []L4Service `json:"udpEndpoints,omitempty"` // PassthroughBackend contains the backends used for SSL passthrough. // It contains information about the associated Server Name Indication (SNI). // +optional diff --git a/internal/ingress/types_equals.go b/internal/ingress/types_equals.go index 0c1b64beb6..5b957787e7 100644 --- a/internal/ingress/types_equals.go +++ b/internal/ingress/types_equals.go 
@@ -53,44 +53,6 @@ func (c1 *Configuration) Equal(c2 *Configuration) bool { } } - if len(c1.TCPEndpoints) != len(c2.TCPEndpoints) { - return false - } - - for _, tcp1 := range c1.TCPEndpoints { - found := false - for _, tcp2 := range c2.TCPEndpoints { - if (&tcp1).Equal(&tcp2) { - found = true - break - } - } - if !found { - return false - } - } - - if len(c1.UDPEndpoints) != len(c2.UDPEndpoints) { - return false - } - - for _, udp1 := range c1.UDPEndpoints { - found := false - for _, udp2 := range c2.UDPEndpoints { - if (&udp1).Equal(&udp2) { - found = true - break - } - } - if !found { - return false - } - } - - if len(c1.PassthroughBackends) != len(c2.PassthroughBackends) { - return false - } - for _, ptb1 := range c1.PassthroughBackends { found := false for _, ptb2 := range c2.PassthroughBackends { diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 39b8b130b8..9bdd018d17 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl 
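Review bot: The deletion also takes out the `if len(c1.PassthroughBackends) != len(c2.PassthroughBackends) { return false }` guard that preceded the PassthroughBackends loop (the last removed lines of the hunk, after the UDP block), not only the TCP/UDP comparisons. Without it, Equal returns true whenever every c1 passthrough backend is found in c2 even if c2 carries additional SSL-passthrough (SNI) entries, so one direction of change to the passthrough set is judged "unchanged" and never applied; which direction depends on which side the caller passes as the running configuration, which is not visible here. Restore the guard before the loop: `if len(c1.PassthroughBackends) != len(c2.PassthroughBackends) { return false }`. Equal begins before this hunk and the passthrough loop continues past it.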
@@ -697,63 +697,6 @@ stream { {{ end }} error_log {{ $cfg.ErrorLogPath }}; - - # TCP services - {{ range $tcpServer := .TCPBackends }} - upstream tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }} { - {{ range $endpoint := $tcpServer.Endpoints }} - server {{ $endpoint.Address | formatIP }}:{{ $endpoint.Port }}; - {{ end }} - } - server { - {{ range $address := $all.Cfg.BindAddressIpv4 }} - listen {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }}; - {{ else }} - listen {{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }}; - {{ end }} - {{ if $IsIPV6Enabled }} - {{ range $address := $all.Cfg.BindAddressIpv6 }} - listen {{ $address }}:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }}; - {{ else }} - listen [::]:{{ $tcpServer.Port }}{{ if $tcpServer.Backend.ProxyProtocol.Decode }} proxy_protocol{{ end }}; - {{ end }} - {{ end }} - proxy_timeout {{ $cfg.ProxyStreamTimeout }}; - proxy_pass tcp-{{ $tcpServer.Port }}-{{ $tcpServer.Backend.Namespace }}-{{ $tcpServer.Backend.Name }}-{{ $tcpServer.Backend.Port }}; - {{ if $tcpServer.Backend.ProxyProtocol.Encode }} - proxy_protocol on; - {{ end }} - } - - {{ end }} - - # UDP services - {{ range $udpServer := .UDPBackends }} - upstream udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }} { - {{ range $endpoint := $udpServer.Endpoints }} - server {{ $endpoint.Address | formatIP }}:{{ $endpoint.Port }}; - {{ end }} - } - - server { - {{ range $address := $all.Cfg.BindAddressIpv4 }} - listen {{ $address }}:{{ $udpServer.Port }} udp; - {{ else }} - listen {{ $udpServer.Port }} udp; - {{ end }} - {{ if $IsIPV6Enabled }} - {{ range $address := $all.Cfg.BindAddressIpv6 }} - listen {{ $address }}:{{ $udpServer.Port }} udp; - {{ else }} - listen [::]:{{ 
$udpServer.Port }} udp; - {{ end }} - {{ end }} - proxy_responses {{ $cfg.ProxyStreamResponses }}; - proxy_timeout {{ $cfg.ProxyStreamTimeout }}; - proxy_pass udp-{{ $udpServer.Port }}-{{ $udpServer.Backend.Namespace }}-{{ $udpServer.Backend.Name }}-{{ $udpServer.Backend.Port }}; - } - - {{ end }} } {{/* definition of templates to avoid repetitions */}} From f3625e24f3d3b3ea53e2661d237916c7ce713230 Mon Sep 17 00:00:00 2001 From: Manuel Alejandro de Brito Fontes Date: Sun, 7 Oct 2018 11:27:44 -0300 Subject: [PATCH 2/2] Remove flags --- .../ingress-controller/mandatory.yaml | 58 ++++++++----------- 1 file changed, 23 insertions(+), 35 deletions(-) diff --git a/test/manifests/ingress-controller/mandatory.yaml b/test/manifests/ingress-controller/mandatory.yaml index 3c84ba722a..c960bb0ff4 100644 --- a/test/manifests/ingress-controller/mandatory.yaml +++ b/test/manifests/ingress-controller/mandatory.yaml @@ -1,5 +1,3 @@ ---- - kind: ConfigMap apiVersion: v1 metadata: @@ -8,7 +6,6 @@ metadata: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx --- - kind: ConfigMap apiVersion: v1 metadata: @@ -17,7 +14,6 @@ metadata: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx --- - kind: ConfigMap apiVersion: v1 metadata: @@ -26,7 +22,6 @@ metadata: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx --- - apiVersion: v1 kind: ServiceAccount metadata: @@ -35,7 +30,6 @@ metadata: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx --- - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: @@ -80,10 +74,10 @@ rules: - apiGroups: - "" resources: - - events + - events verbs: - - create - - patch + - create + - patch - apiGroups: - "extensions" resources: @@ -92,7 +86,6 @@ rules: - update --- - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: 
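Review bot: After this hunk the `stream` block no longer references `$cfg.ProxyStreamTimeout` or `$cfg.ProxyStreamResponses`; if nothing else in the template uses them (the rest of the file is outside the hunk), the `proxy-stream-timeout` and `proxy-stream-responses` ConfigMap keys become silent no-ops that operators will keep setting believing they bound stream proxying. Mark the corresponding Configuration fields deprecated in their doc comments, e.g. `// Deprecated: no longer rendered since TCP/UDP stream services were removed.`, or drop the fields in the same change. The `stream {` block opens above the hunk, so whether anything besides `error_log` remains inside it cannot be confirmed from here.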
@@ -137,7 +130,6 @@ rules: - get --- - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: @@ -155,7 +147,6 @@ subjects: namespace: ${NAMESPACE} --- - apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: @@ -171,9 +162,8 @@ subjects: - kind: ServiceAccount name: nginx-ingress-serviceaccount namespace: ${NAMESPACE} - ---- +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: @@ -193,39 +183,37 @@ spec: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx annotations: - prometheus.io/port: '10254' - prometheus.io/scrape: 'true' + prometheus.io/port: "10254" + prometheus.io/scrape: "true" spec: terminationGracePeriodSeconds: 0 serviceAccountName: nginx-ingress-serviceaccount initContainers: - - name: enable-coredump - image: busybox - command: - - /bin/sh - - -c - - | - ulimit -c unlimited - echo "/tmp/core.%e.%p" > /proc/sys/kernel/core_pattern - sysctl -w fs.suid_dumpable=2 - securityContext: - privileged: true + - name: enable-coredump + image: busybox + command: + - /bin/sh + - -c + - | + ulimit -c unlimited + echo "/tmp/core.%e.%p" > /proc/sys/kernel/core_pattern + sysctl -w fs.suid_dumpable=2 + securityContext: + privileged: true containers: - name: nginx-ingress-controller image: ingress-controller/nginx-ingress-controller:dev args: - /nginx-ingress-controller - --configmap=$(POD_NAMESPACE)/nginx-configuration - - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - --publish-service=$(POD_NAMESPACE)/ingress-nginx - --annotations-prefix=nginx.ingress.kubernetes.io - --watch-namespace=${NAMESPACE} securityContext: capabilities: - drop: + drop: - ALL - add: + add: - NET_BIND_SERVICE # www-data -> 33 runAsUser: 33 
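Review bot: The removed `--tcp-services-configmap` and `--udp-services-configmap` arguments pointed at ConfigMaps named `tcp-services` and `udp-services` in the pod namespace, and this manifest still declares three ConfigMaps at the top of the file whose names lie outside the hunks; if two of them are those maps they are now orphaned and should be deleted so nobody assumes their keys are still honoured. The `enable-coredump` init container re-indented here runs with `privileged: true` and writes `/proc/sys/kernel/core_pattern` and `fs.suid_dumpable`, which are node-wide kernel settings rather than pod-scoped ones; a comment such as `# test-only: sets node-wide sysctls via a privileged container, do not copy into production manifests` above the initContainers list would make that explicit. The Deployment spec continues past the end of the hunk.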
@@ -239,10 +227,10 @@ spec: fieldRef: fieldPath: metadata.namespace ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 + - name: http + containerPort: 80 + - name: https + containerPort: 443 livenessProbe: failureThreshold: 3 httpGet: