Unbind policy from preview policies (#2566)

Policy settings are no longer gated through the use of -enable-preview-policies: - RateLimit - JWT - IngressMTLS - EgressMTLS
nginx · Apr 6, 2022 · 069ca8e · 069ca8e
1 parent 89a49b7
commit 069ca8e
Show file tree

Hide file tree

Showing 14 changed files with 74 additions and 112 deletions.
diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml
@@ -43,7 +43,7 @@ spec:
               type: object
               properties:
                 accessControl:
-                  description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
+                  description: AccessControl defines an access policy based on the source IP of a request.
                   type: object
                   properties:
                     allow:
@@ -55,7 +55,7 @@ spec:
                       items:
                         type: string
                 egressMTLS:
-                  description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
+                  description: EgressMTLS defines an Egress MTLS policy.
                   type: object
                   properties:
                     ciphers:
@@ -79,7 +79,7 @@ spec:
                 ingressClassName:
                   type: string
                 ingressMTLS:
-                  description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
+                  description: IngressMTLS defines an Ingress MTLS policy.
                   type: object
                   properties:
                     clientCertSecret:
@@ -89,7 +89,7 @@ spec:
                     verifyDepth:
                       type: integer
                 jwt:
-                  description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
+                  description: JWTAuth holds JWT authentication configuration.
                   type: object
                   properties:
                     realm:
@@ -99,7 +99,7 @@ spec:
                     token:
                       type: string
                 oidc:
-                  description: OIDC defines an Open ID Connect policy.
+                  description: 'OIDC defines an Open ID Connect policy. policy status: preview'
                   type: object
                   properties:
                     authEndpoint:
@@ -117,7 +117,7 @@ spec:
                     tokenEndpoint:
                       type: string
                 rateLimit:
-                  description: 'RateLimit defines a rate limit policy. policy status: preview'
+                  description: RateLimit defines a rate limit policy.
                   type: object
                   properties:
                     burst:
@@ -139,7 +139,7 @@ spec:
                     zoneSize:
                       type: string
                 waf:
-                  description: 'WAF defines an WAF policy. policy status: preview'
+                  description: WAF defines an WAF policy.
                   type: object
                   properties:
                     apPolicy:

diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml
@@ -43,7 +43,7 @@ spec:
               type: object
               properties:
                 accessControl:
-                  description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
+                  description: AccessControl defines an access policy based on the source IP of a request.
                   type: object
                   properties:
                     allow:
@@ -55,7 +55,7 @@ spec:
                       items:
                         type: string
                 egressMTLS:
-                  description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
+                  description: EgressMTLS defines an Egress MTLS policy.
                   type: object
                   properties:
                     ciphers:
@@ -79,7 +79,7 @@ spec:
                 ingressClassName:
                   type: string
                 ingressMTLS:
-                  description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
+                  description: IngressMTLS defines an Ingress MTLS policy.
                   type: object
                   properties:
                     clientCertSecret:
@@ -89,7 +89,7 @@ spec:
                     verifyDepth:
                       type: integer
                 jwt:
-                  description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
+                  description: JWTAuth holds JWT authentication configuration.
                   type: object
                   properties:
                     realm:
@@ -99,7 +99,7 @@ spec:
                     token:
                       type: string
                 oidc:
-                  description: OIDC defines an Open ID Connect policy.
+                  description: 'OIDC defines an Open ID Connect policy. policy status: preview'
                   type: object
                   properties:
                     authEndpoint:
@@ -117,7 +117,7 @@ spec:
                     tokenEndpoint:
                       type: string
                 rateLimit:
-                  description: 'RateLimit defines a rate limit policy. policy status: preview'
+                  description: RateLimit defines a rate limit policy.
                   type: object
                   properties:
                     burst:
@@ -139,7 +139,7 @@ spec:
                     zoneSize:
                       type: string
                 waf:
-                  description: 'WAF defines an WAF policy. policy status: preview'
+                  description: WAF defines an WAF policy.
                   type: object
                   properties:
                     apPolicy:

diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md
@@ -94,8 +94,6 @@ policies:
 
 ### RateLimit
 
-> **Feature Status**: Rate-Limiting is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
-
 The rate limit policy configures NGINX to limit the processing rate of requests.
 
 For example, the following policy will limit all subsequent requests coming from a single IP address once a rate of 10 requests per second is exceeded:
@@ -136,8 +134,6 @@ When you reference more than one rate limit policy, the Ingress Controller will
 
 ### JWT
 
-> **Feature Status**: JWT is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
-
 > Note: This feature is only available in NGINX Plus.
 
 The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens.
@@ -189,8 +185,6 @@ In this example the Ingress Controller will use the configuration from the first
 
 ### IngressMTLS
 
-> **Feature Status**: IngressMTLS is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
-
 The IngressMTLS policy configures client certificate verification.
 
 For example, the following policy will verify a client certificate using the CA certificate specified in the `ingress-mtls-secret`:
@@ -243,8 +237,6 @@ In this example the Ingress Controller will use the configuration from the first
 
 ### EgressMTLS
 
-> **Feature Status**: EgressMTLS is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
-
 The EgressMTLS policy configures upstreams authentication and certificate verification.
 
 For example, the following policy will use `egress-mtls-secret` to authenticate with the upstream application and `egress-trusted-ca-secret` to verify the certificate of the application:

diff --git a/docs/content/installation/installation-with-manifests.md b/docs/content/installation/installation-with-manifests.md
@@ -90,7 +90,7 @@ If you would like to use the TCP and UDP load balancing features of the Ingress
     $ kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml
     ```
 
-> **Feature Status**: The TransportServer, GlobalConfiguration and Policy resources are available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default.
+> **Feature Status**: The Policy resources are available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default.
 
 ### Resources for NGINX App Protect
 

diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go
@@ -374,14 +374,12 @@ type PolicyList struct {
 }
 
 // AccessControl defines an access policy based on the source IP of a request.
-// policy status: production-ready
 type AccessControl struct {
 	Allow []string `json:"allow"`
 	Deny  []string `json:"deny"`
 }
 
 // RateLimit defines a rate limit policy.
-// policy status: preview
 type RateLimit struct {
 	Rate       string `json:"rate"`
 	Key        string `json:"key"`
@@ -395,23 +393,20 @@ type RateLimit struct {
 }
 
 // JWTAuth holds JWT authentication configuration.
-// policy status: preview
 type JWTAuth struct {
 	Realm  string `json:"realm"`
 	Secret string `json:"secret"`
 	Token  string `json:"token"`
 }
 
 // IngressMTLS defines an Ingress MTLS policy.
-// policy status: preview
 type IngressMTLS struct {
 	ClientCertSecret string `json:"clientCertSecret"`
 	VerifyClient     string `json:"verifyClient"`
 	VerifyDepth      *int   `json:"verifyDepth"`
 }
 
 // EgressMTLS defines an Egress MTLS policy.
-// policy status: preview
 type EgressMTLS struct {
 	TLSSecret         string `json:"tlsSecret"`
 	VerifyServer      bool   `json:"verifyServer"`
@@ -425,6 +420,7 @@ type EgressMTLS struct {
 }
 
 // OIDC defines an Open ID Connect policy.
+// policy status: preview
 type OIDC struct {
 	AuthEndpoint  string `json:"authEndpoint"`
 	TokenEndpoint string `json:"tokenEndpoint"`
@@ -436,7 +432,6 @@ type OIDC struct {
 }
 
 // WAF defines an WAF policy.
-// policy status: preview
 type WAF struct {
 	Enable      bool         `json:"enable"`
 	ApPolicy    string       `json:"apPolicy"`

diff --git a/pkg/apis/configuration/validation/policy.go b/pkg/apis/configuration/validation/policy.go
@@ -30,19 +30,11 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab
 	}
 
 	if spec.RateLimit != nil {
-		if !enablePreviewPolicies {
-			return append(allErrs, field.Forbidden(fieldPath.Child("rateLimit"),
-				"rateLimit is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
-		}
 		allErrs = append(allErrs, validateRateLimit(spec.RateLimit, fieldPath.Child("rateLimit"), isPlus)...)
 		fieldCount++
 	}
 
 	if spec.JWTAuth != nil {
-		if !enablePreviewPolicies {
-			allErrs = append(allErrs, field.Forbidden(fieldPath.Child("jwt"),
-				"jwt is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
-		}
 		if !isPlus {
 			return append(allErrs, field.Forbidden(fieldPath.Child("jwt"), "jwt secrets are only supported in NGINX Plus"))
 		}
@@ -52,19 +44,11 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab
 	}
 
 	if spec.IngressMTLS != nil {
-		if !enablePreviewPolicies {
-			return append(allErrs, field.Forbidden(fieldPath.Child("ingressMTLS"),
-				"ingressMTLS is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
-		}
 		allErrs = append(allErrs, validateIngressMTLS(spec.IngressMTLS, fieldPath.Child("ingressMTLS"))...)
 		fieldCount++
 	}
 
 	if spec.EgressMTLS != nil {
-		if !enablePreviewPolicies {
-			return append(allErrs, field.Forbidden(fieldPath.Child("egressMTLS"),
-				"egressMTLS is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
-		}
 		allErrs = append(allErrs, validateEgressMTLS(spec.EgressMTLS, fieldPath.Child("egressMTLS"))...)
 		fieldCount++
 	}