diff --git a/charts/nginx-ingress/templates/_helpers.tpl b/charts/nginx-ingress/templates/_helpers.tpl
index 5372053b0c..8008dc350f 100644
--- a/charts/nginx-ingress/templates/_helpers.tpl
+++ b/charts/nginx-ingress/templates/_helpers.tpl
@@ -133,3 +133,93 @@ Expand image name. {{- define "nginx-ingress.prometheus.serviceName" -}} {{- printf "%s-%s" (include "nginx-ingress.fullname" .) "prometheus-service" -}} {{- end -}} + +{{/* +Build the args for the service binary. +*/}} +{{- define "nginx-ingress.args" -}} +- -nginx-plus={{ .Values.controller.nginxplus }} +- -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} +- -enable-app-protect={{ .Values.controller.appprotect.enable }} +{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} +- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} +{{ end }} +- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} +{{- if .Values.controller.appprotectdos.enable }} +- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} +- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} +- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} +- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} +{{ end }} +- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} +{{- if .Values.controller.defaultTLS.secret }} +- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} +{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} +- -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . 
}} +{{- end }} +- -ingress-class={{ .Values.controller.ingressClass.name }} +{{- if .Values.controller.watchNamespace }} +- -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchNamespaceLabel }} +- -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} +- -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} +{{- end }} +- -health-status={{ .Values.controller.healthStatus }} +- -health-status-uri={{ .Values.controller.healthStatusURI }} +- -nginx-debug={{ .Values.controller.nginxDebug }} +- -v={{ .Values.controller.logLevel }} +- -nginx-status={{ .Values.controller.nginxStatus.enable }} +{{- if .Values.controller.nginxStatus.enable }} +- -nginx-status-port={{ .Values.controller.nginxStatus.port }} +- -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} +{{- end }} +{{- if .Values.controller.reportIngressStatus.enable }} +- -report-ingress-status +{{- if .Values.controller.reportIngressStatus.ingressLink }} +- -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} +{{- else if .Values.controller.reportIngressStatus.externalService }} +- -external-service={{ .Values.controller.reportIngressStatus.externalService }} +{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} +- -external-service={{ include "nginx-ingress.controller.service.name" . }} +{{- end }} +{{- end }} +- -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} +{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} +- -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . 
}} +{{- end }} +{{- if .Values.controller.wildcardTLS.secret }} +- -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} +{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} +- -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} +{{- end }} +- -enable-prometheus-metrics={{ .Values.prometheus.create }} +- -prometheus-metrics-listen-port={{ .Values.prometheus.port }} +- -prometheus-tls-secret={{ .Values.prometheus.secret }} +- -enable-service-insight={{ .Values.serviceInsight.create }} +- -service-insight-listen-port={{ .Values.serviceInsight.port }} +- -service-insight-tls-secret={{ .Values.serviceInsight.secret }} +- -enable-custom-resources={{ .Values.controller.enableCustomResources }} +- -enable-snippets={{ .Values.controller.enableSnippets }} +- -include-year={{ .Values.controller.includeYear }} +- -disable-ipv6={{ .Values.controller.disableIPV6 }} +{{- if .Values.controller.enableCustomResources }} +- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} +{{- if .Values.controller.enableTLSPassthrough }} +- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} +{{- end }} +- -enable-cert-manager={{ .Values.controller.enableCertManager }} +- -enable-oidc={{ .Values.controller.enableOIDC }} +- -enable-external-dns={{ .Values.controller.enableExternalDNS }} +- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} +- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} +{{- if .Values.controller.globalConfiguration.create }} +- -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} +{{- end }} +{{- end }} +- -ready-status={{ .Values.controller.readyStatus.enable }} +- -ready-status-port={{ .Values.controller.readyStatus.port }} +- -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +{{- end -}} 
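Review bot: The `nginx-ingress.args` helper emits its list items at column 0, so it only renders valid YAML when the caller pipes it through `nindent 10`, and the comment `Build the args for the service binary.` does not say so. I would extend the comment to state that the output is a YAML sequence meant to be included directly under `args:` with `nindent`, and that both the DaemonSet and the Deployment consume it. This one template now decides security-relevant flags such as `-enable-snippets`, `-nginx-status-allow-cidrs` and the TLS secret references for both workloads. Comparing `helm template` output before and after for each workload would confirm that the whitespace-trim changes (for example `{{- if .Values.controller.enableTLSPassthrough }}`, previously `{{ if`) did not drop or merge an argument.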
diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml
index 2d5acfe509..b2459c927c 100644
--- a/charts/nginx-ingress/templates/controller-daemonset.yaml
+++ b/charts/nginx-ingress/templates/controller-daemonset.yaml
@@ -164,90 +164,7 @@ spec: resources: {{ toYaml .Values.controller.resources | indent 10 }} args: - - -nginx-plus={{ .Values.controller.nginxplus }} - - -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} - - -enable-app-protect={{ .Values.controller.appprotect.enable }} -{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} - - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} -{{ end }} - - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} - {{- if .Values.controller.appprotectdos.enable }} - - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} - - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} - - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} - - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} - {{ end }} - - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} -{{- if .Values.controller.defaultTLS.secret }} - - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} -{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} - - -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . 
}} -{{- end }} - - -ingress-class={{ .Values.controller.ingressClass.name }} -{{- if .Values.controller.watchNamespace }} - - -watch-namespace={{ .Values.controller.watchNamespace }} -{{- end }} -{{- if .Values.controller.watchNamespaceLabel }} - - -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} -{{- end }} -{{- if .Values.controller.watchSecretNamespace }} - - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} -{{- end }} - - -health-status={{ .Values.controller.healthStatus }} - - -health-status-uri={{ .Values.controller.healthStatusURI }} - - -nginx-debug={{ .Values.controller.nginxDebug }} - - -v={{ .Values.controller.logLevel }} - - -nginx-status={{ .Values.controller.nginxStatus.enable }} -{{- if .Values.controller.nginxStatus.enable }} - - -nginx-status-port={{ .Values.controller.nginxStatus.port }} - - -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} -{{- end }} -{{- if .Values.controller.reportIngressStatus.enable }} - - -report-ingress-status -{{- if .Values.controller.reportIngressStatus.ingressLink }} - - -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} -{{- else if .Values.controller.reportIngressStatus.externalService }} - - -external-service={{ .Values.controller.reportIngressStatus.externalService }} -{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} - - -external-service={{ include "nginx-ingress.controller.service.name" . }} -{{- end }} -{{- end }} - - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} -{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} - - -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . 
}} -{{- end }} -{{- if .Values.controller.wildcardTLS.secret }} - - -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} -{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} - - -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} -{{- end }} - - -enable-prometheus-metrics={{ .Values.prometheus.create }} - - -prometheus-metrics-listen-port={{ .Values.prometheus.port }} - - -prometheus-tls-secret={{ .Values.prometheus.secret }} - - -enable-service-insight={{ .Values.serviceInsight.create }} - - -service-insight-listen-port={{ .Values.serviceInsight.port }} - - -service-insight-tls-secret={{ .Values.serviceInsight.secret }} - - -enable-custom-resources={{ .Values.controller.enableCustomResources }} - - -enable-snippets={{ .Values.controller.enableSnippets }} - - -include-year={{ .Values.controller.includeYear }} - - -disable-ipv6={{ .Values.controller.disableIPV6 }} -{{- if .Values.controller.enableCustomResources }} - - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} -{{ if .Values.controller.enableTLSPassthrough }} - - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} -{{ end }} - - -enable-cert-manager={{ .Values.controller.enableCertManager }} - - -enable-oidc={{ .Values.controller.enableOIDC }} - - -enable-external-dns={{ .Values.controller.enableExternalDNS }} - - -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} - - -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} -{{- if .Values.controller.globalConfiguration.create }} - - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} -{{- end }} -{{- end }} - - -ready-status={{ .Values.controller.readyStatus.enable }} - - -ready-status-port={{ .Values.controller.readyStatus.port }} - - -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +{{- include "nginx-ingress.args" . 
| nindent 10 }} {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index 96532d8f54..1f291ff4cd 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml 
@@ -171,90 +171,7 @@ spec: fieldPath: spec.serviceAccountName {{- end }} args: - - -nginx-plus={{ .Values.controller.nginxplus }} - - -nginx-reload-timeout={{ .Values.controller.nginxReloadTimeout }} - - -enable-app-protect={{ .Values.controller.appprotect.enable }} -{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }} - - -app-protect-log-level={{ .Values.controller.appprotect.logLevel }} -{{ end }} - - -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }} -{{- if .Values.controller.appprotectdos.enable }} - - -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }} - - -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }} - - -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }} - - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }} -{{ end }} - - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }} -{{- if .Values.controller.defaultTLS.secret }} - - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }} -{{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }} - - -default-server-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.defaultTLSName" . 
}} -{{- end }} - - -ingress-class={{ .Values.controller.ingressClass.name }} -{{- if .Values.controller.watchNamespace }} - - -watch-namespace={{ .Values.controller.watchNamespace }} -{{- end }} -{{- if .Values.controller.watchNamespaceLabel }} - - -watch-namespace-label={{ .Values.controller.watchNamespaceLabel }} -{{- end }} -{{- if .Values.controller.watchSecretNamespace }} - - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} -{{- end }} - - -health-status={{ .Values.controller.healthStatus }} - - -health-status-uri={{ .Values.controller.healthStatusURI }} - - -nginx-debug={{ .Values.controller.nginxDebug }} - - -v={{ .Values.controller.logLevel }} - - -nginx-status={{ .Values.controller.nginxStatus.enable }} -{{- if .Values.controller.nginxStatus.enable }} - - -nginx-status-port={{ .Values.controller.nginxStatus.port }} - - -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }} -{{- end }} -{{- if .Values.controller.reportIngressStatus.enable }} - - -report-ingress-status -{{- if .Values.controller.reportIngressStatus.ingressLink }} - - -ingresslink={{ .Values.controller.reportIngressStatus.ingressLink }} -{{- else if .Values.controller.reportIngressStatus.externalService }} - - -external-service={{ .Values.controller.reportIngressStatus.externalService }} -{{- else if and (.Values.controller.service.create) (eq .Values.controller.service.type "LoadBalancer") }} - - -external-service={{ include "nginx-ingress.controller.service.name" . }} -{{- end }} -{{- end }} - - -enable-leader-election={{ .Values.controller.reportIngressStatus.enableLeaderElection }} -{{- if .Values.controller.reportIngressStatus.enableLeaderElection }} - - -leader-election-lock-name={{ include "nginx-ingress.leaderElectionName" . 
}} -{{- end }} -{{- if .Values.controller.wildcardTLS.secret }} - - -wildcard-tls-secret={{ .Values.controller.wildcardTLS.secret }} -{{- else if and .Values.controller.wildcardTLS.cert .Values.controller.wildcardTLS.key }} - - -wildcard-tls-secret=$(POD_NAMESPACE)/{{ include "nginx-ingress.wildcardTLSName" . }} -{{- end }} - - -enable-prometheus-metrics={{ .Values.prometheus.create }} - - -prometheus-metrics-listen-port={{ .Values.prometheus.port }} - - -prometheus-tls-secret={{ .Values.prometheus.secret }} - - -enable-service-insight={{ .Values.serviceInsight.create }} - - -service-insight-listen-port={{ .Values.serviceInsight.port }} - - -service-insight-tls-secret={{ .Values.serviceInsight.secret }} - - -enable-custom-resources={{ .Values.controller.enableCustomResources }} - - -enable-snippets={{ .Values.controller.enableSnippets }} - - -include-year={{ .Values.controller.includeYear }} - - -disable-ipv6={{ .Values.controller.disableIPV6 }} -{{- if .Values.controller.enableCustomResources }} - - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} -{{ if .Values.controller.enableTLSPassthrough }} - - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }} -{{ end }} - - -enable-cert-manager={{ .Values.controller.enableCertManager }} - - -enable-oidc={{ .Values.controller.enableOIDC }} - - -enable-external-dns={{ .Values.controller.enableExternalDNS }} - - -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} - - -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} -{{- if .Values.controller.globalConfiguration.create }} - - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} -{{- end }} -{{- end }} - - -ready-status={{ .Values.controller.readyStatus.enable }} - - -ready-status-port={{ .Values.controller.readyStatus.port }} - - -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }} +{{- include "nginx-ingress.args" . 
| nindent 10 }} {{- if .Values.controller.extraContainers }} {{ toYaml .Values.controller.extraContainers | nindent 6 }} {{- end }} diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 32a826331d..d9373c5ae7 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -123,9 +123,20 @@ func main() { plusClient := createPlusClient(*nginxPlus, useFakeNginxManager, nginxManager) plusCollector, syslogListener, latencyCollector := createPlusAndLatencyCollectors(registry, constLabels, kubeClient, plusClient, staticCfgParams.NginxServiceMesh) + cnf := configs.NewConfigurator(configs.ConfiguratorParams{ + NginxManager: nginxManager, + StaticCfgParams: staticCfgParams, + Config: cfgParams, + TemplateExecutor: templateExecutor, + TemplateExecutorV2: templateExecutorV2, + LatencyCollector: latencyCollector, + LabelUpdater: plusCollector, + IsPlus: *nginxPlus, + IsWildcardEnabled: isWildcardEnabled, + IsPrometheusEnabled: *enablePrometheusMetrics, + IsLatencyMetricsEnabled: *enableLatencyMetrics, + }) - cnf := configs.NewConfigurator(nginxManager, staticCfgParams, cfgParams, templateExecutor, - templateExecutorV2, *nginxPlus, isWildcardEnabled, plusCollector, *enablePrometheusMetrics, latencyCollector, *enableLatencyMetrics) controllerNamespace := os.Getenv("POD_NAMESPACE") transportServerValidator := cr_validation.NewTransportServerValidator(*enableTLSPassthrough, *enableSnippets, *nginxPlus) diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go index d1b397ee92..007efd4808 100644 --- a/internal/configs/configurator.go +++ b/internal/configs/configurator.go 
@@ -129,11 +129,24 @@ type Configurator struct { isReloadsEnabled bool } +// ConfiguratorParams is a collection of parameters used for the +// NewConfigurator() function +type ConfiguratorParams struct { + NginxManager nginx.Manager + StaticCfgParams *StaticConfigParams + Config *ConfigParams + TemplateExecutor *version1.TemplateExecutor + TemplateExecutorV2 *version2.TemplateExecutor + LabelUpdater collector.LabelUpdater + LatencyCollector latCollector.LatencyCollector + IsPlus bool + IsPrometheusEnabled bool + IsWildcardEnabled bool + IsLatencyMetricsEnabled bool +} + // NewConfigurator creates a new Configurator. -func NewConfigurator(nginxManager nginx.Manager, staticCfgParams *StaticConfigParams, config *ConfigParams, - templateExecutor *version1.TemplateExecutor, templateExecutorV2 *version2.TemplateExecutor, isPlus bool, isWildcardEnabled bool, - labelUpdater collector.LabelUpdater, isPrometheusEnabled bool, latencyCollector latCollector.LatencyCollector, isLatencyMetricsEnabled bool, -) *Configurator { +func NewConfigurator(p ConfiguratorParams) *Configurator { metricLabelsIndex := &metricLabelsIndex{ ingressUpstreams: make(map[string][]string), virtualServerUpstreams: make(map[string][]string), 
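Review bot: `NewConfigurator(p ConfiguratorParams)` no longer makes the compiler demand every dependency, so a call site that omits `NginxManager`, `Config` or `TemplateExecutor` builds a Configurator holding nil. The failure would then only show up on first use, for instance at `cnf.templateExecutor.ExecuteIngressConfigTemplate(&nginxCfg)` further down in this diff. The doc comment on `ConfiguratorParams` should say which fields are required, e.g. `// NginxManager, StaticCfgParams, Config, TemplateExecutor and TemplateExecutorV2 must be set; LabelUpdater and LatencyCollector may be nil.` The tests in this commit pass nil for the last two, which is why I read them as optional. The same applies to the field assignments in the following hunk (`p.NginxManager`, `p.TemplateExecutor`, …); the body of NewConfigurator continues outside this hunk.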
@@ -147,23 +160,23 @@ func NewConfigurator(nginxManager nginx.Manager, staticCfgParams *StaticConfigPa } cnf := Configurator{ - nginxManager: nginxManager, - staticCfgParams: staticCfgParams, - cfgParams: config, + nginxManager: p.NginxManager, + staticCfgParams: p.StaticCfgParams, + cfgParams: p.Config, ingresses: make(map[string]*IngressEx), virtualServers: make(map[string]*VirtualServerEx), transportServers: make(map[string]*TransportServerEx), - templateExecutor: templateExecutor, - templateExecutorV2: templateExecutorV2, + templateExecutor: p.TemplateExecutor, + templateExecutorV2: p.TemplateExecutorV2, minions: make(map[string]map[string]bool), tlsPassthroughPairs: make(map[string]tlsPassthroughPair), - isPlus: isPlus, - isWildcardEnabled: isWildcardEnabled, - labelUpdater: labelUpdater, + isPlus: p.IsPlus, + isWildcardEnabled: p.IsWildcardEnabled, + labelUpdater: p.LabelUpdater, metricLabelsIndex: metricLabelsIndex, - isPrometheusEnabled: isPrometheusEnabled, - latencyCollector: latencyCollector, - isLatencyMetricsEnabled: isLatencyMetricsEnabled, + isPrometheusEnabled: p.IsPrometheusEnabled, + latencyCollector: p.LatencyCollector, + isLatencyMetricsEnabled: p.IsLatencyMetricsEnabled, isReloadsEnabled: false, } return &cnf 
@@ -361,8 +374,18 @@ func (cnf *Configurator) addOrUpdateIngress(ingEx *IngressEx) (Warnings, error) } isMinion := false - nginxCfg, warnings := generateNginxCfg(ingEx, apResources, dosResource, isMinion, cnf.cfgParams, cnf.isPlus, cnf.IsResolverConfigured(), - cnf.staticCfgParams, cnf.isWildcardEnabled) + nginxCfg, warnings := generateNginxCfg(NginxCfgParams{ + staticParams: cnf.staticCfgParams, + ingEx: ingEx, + apResources: apResources, + dosResource: dosResource, + isMinion: isMinion, + isPlus: cnf.isPlus, + baseCfgParams: cnf.cfgParams, + isResolverConfigured: cnf.IsResolverConfigured(), + isWildcardEnabled: cnf.isWildcardEnabled, + }) + name := objectMetaToFileName(&ingEx.Ingress.ObjectMeta) content, err := cnf.templateExecutor.ExecuteIngressConfigTemplate(&nginxCfg) if err != nil { @@ -414,8 +437,16 @@ func (cnf *Configurator) addOrUpdateMergeableIngress(mergeableIngs *MergeableIng } } - nginxCfg, warnings := generateNginxCfgForMergeableIngresses(mergeableIngs, apResources, dosResource, cnf.cfgParams, cnf.isPlus, - cnf.IsResolverConfigured(), cnf.staticCfgParams, cnf.isWildcardEnabled) + nginxCfg, warnings := generateNginxCfgForMergeableIngresses(NginxCfgParams{ + mergeableIngs: mergeableIngs, + apResources: apResources, + dosResource: dosResource, + baseCfgParams: cnf.cfgParams, + isPlus: cnf.isPlus, + isResolverConfigured: cnf.IsResolverConfigured(), + staticParams: cnf.staticCfgParams, + isWildcardEnabled: cnf.isWildcardEnabled, + }) name := objectMetaToFileName(&mergeableIngs.Master.Ingress.ObjectMeta) content, err := cnf.templateExecutor.ExecuteIngressConfigTemplate(&nginxCfg) diff --git a/internal/configs/configurator_test.go b/internal/configs/configurator_test.go index c8f9d6c912..565605e6ce 100644 --- a/internal/configs/configurator_test.go +++ b/internal/configs/configurator_test.go 
@@ -41,10 +41,19 @@ func createTestConfigurator(t *testing.T) *Configurator { } manager := nginx.NewFakeManager("/etc/nginx") - cnf, err := NewConfigurator(manager, createTestStaticConfigParams(), NewDefaultConfigParams(false), templateExecutor, templateExecutorV2, false, false, nil, false, nil, false), nil - if err != nil { - t.Fatal(err) - } + cnf := NewConfigurator(ConfiguratorParams{ + NginxManager: manager, + StaticCfgParams: createTestStaticConfigParams(), + Config: NewDefaultConfigParams(false), + TemplateExecutor: templateExecutor, + TemplateExecutorV2: templateExecutorV2, + LatencyCollector: nil, + LabelUpdater: nil, + IsPlus: false, + IsWildcardEnabled: false, + IsPrometheusEnabled: false, + IsLatencyMetricsEnabled: false, + }) cnf.isReloadsEnabled = true return cnf } @@ -62,10 +71,19 @@ func createTestConfiguratorInvalidIngressTemplate(t *testing.T) *Configurator { } manager := nginx.NewFakeManager("/etc/nginx") - cnf, err := NewConfigurator(manager, createTestStaticConfigParams(), NewDefaultConfigParams(false), templateExecutor, &version2.TemplateExecutor{}, false, false, nil, false, nil, false), nil - if err != nil { - t.Fatal(err) - } + cnf := NewConfigurator(ConfiguratorParams{ + NginxManager: manager, + StaticCfgParams: createTestStaticConfigParams(), + Config: NewDefaultConfigParams(false), + TemplateExecutor: templateExecutor, + TemplateExecutorV2: &version2.TemplateExecutor{}, + LatencyCollector: nil, + LabelUpdater: nil, + IsPlus: false, + IsWildcardEnabled: false, + IsPrometheusEnabled: false, + IsLatencyMetricsEnabled: false, + }) cnf.isReloadsEnabled = true return cnf } diff --git a/internal/configs/ingress.go b/internal/configs/ingress.go index f92700ed88..c7eb24e203 100644 --- a/internal/configs/ingress.go +++ b/internal/configs/ingress.go 
@@ -75,37 +75,51 @@ type MergeableIngresses struct { Minions []*IngressEx } -func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosResource *appProtectDosResource, isMinion bool, - baseCfgParams *ConfigParams, isPlus bool, isResolverConfigured bool, staticParams *StaticConfigParams, isWildcardEnabled bool, -) (version1.IngressNginxConfig, Warnings) { - hasAppProtect := staticParams.MainAppProtectLoadModule - hasAppProtectDos := staticParams.MainAppProtectDosLoadModule +// NginxCfgParams is a collection of parameters +// used by generateNginxCfg() and generateNginxCfgForMergeableIngresses() +type NginxCfgParams struct { + staticParams *StaticConfigParams + ingEx *IngressEx + mergeableIngs *MergeableIngresses + apResources *AppProtectResources + dosResource *appProtectDosResource + baseCfgParams *ConfigParams + isMinion bool + isPlus bool + isResolverConfigured bool + isWildcardEnabled bool +} + +//nolint:gocyclo +func generateNginxCfg(p NginxCfgParams) (version1.IngressNginxConfig, Warnings) { + hasAppProtect := p.staticParams.MainAppProtectLoadModule + hasAppProtectDos := p.staticParams.MainAppProtectDosLoadModule - cfgParams := parseAnnotations(ingEx, baseCfgParams, isPlus, hasAppProtect, hasAppProtectDos, staticParams.EnableInternalRoutes) + cfgParams := parseAnnotations(p.ingEx, p.baseCfgParams, p.isPlus, hasAppProtect, hasAppProtectDos, p.staticParams.EnableInternalRoutes) - wsServices := getWebsocketServices(ingEx) - spServices := getSessionPersistenceServices(ingEx) - rewrites := getRewrites(ingEx) - sslServices := getSSLServices(ingEx) - grpcServices := getGrpcServices(ingEx) + wsServices := getWebsocketServices(p.ingEx) + spServices := getSessionPersistenceServices(p.ingEx) + rewrites := getRewrites(p.ingEx) + sslServices := getSSLServices(p.ingEx) + grpcServices := getGrpcServices(p.ingEx) upstreams := make(map[string]version1.Upstream) healthChecks := make(map[string]version1.HealthCheck) // HTTP2 is required for gRPC to function if 
len(grpcServices) > 0 && !cfgParams.HTTP2 { - glog.Errorf("Ingress %s/%s: annotation nginx.org/grpc-services requires HTTP2, ignoring", ingEx.Ingress.Namespace, ingEx.Ingress.Name) + glog.Errorf("Ingress %s/%s: annotation nginx.org/grpc-services requires HTTP2, ignoring", p.ingEx.Ingress.Namespace, p.ingEx.Ingress.Name) grpcServices = make(map[string]bool) } - if ingEx.Ingress.Spec.DefaultBackend != nil { - name := getNameForUpstream(ingEx.Ingress, emptyHost, ingEx.Ingress.Spec.DefaultBackend) - upstream := createUpstream(ingEx, name, ingEx.Ingress.Spec.DefaultBackend, spServices[ingEx.Ingress.Spec.DefaultBackend.Service.Name], &cfgParams, - isPlus, isResolverConfigured, staticParams.EnableLatencyMetrics) + if p.ingEx.Ingress.Spec.DefaultBackend != nil { + name := getNameForUpstream(p.ingEx.Ingress, emptyHost, p.ingEx.Ingress.Spec.DefaultBackend) + upstream := createUpstream(p.ingEx, name, p.ingEx.Ingress.Spec.DefaultBackend, spServices[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name], &cfgParams, + p.isPlus, p.isResolverConfigured, p.staticParams.EnableLatencyMetrics) upstreams[name] = upstream if cfgParams.HealthCheckEnabled { - if hc, exists := ingEx.HealthChecks[ingEx.Ingress.Spec.DefaultBackend.Service.Name+GetBackendPortAsString(ingEx.Ingress.Spec.DefaultBackend.Service.Port)]; exists { + if hc, exists := p.ingEx.HealthChecks[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name+GetBackendPortAsString(p.ingEx.Ingress.Spec.DefaultBackend.Service.Port)]; exists { healthChecks[name] = createHealthCheck(hc, name, &cfgParams) } } @@ -115,9 +129,9 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes var servers []version1.Server - for _, rule := range ingEx.Ingress.Spec.Rules { + for _, rule := range p.ingEx.Ingress.Spec.Rules { // skipping invalid hosts - if !ingEx.ValidHosts[rule.Host] { + if !p.ingEx.ValidHosts[rule.Host] { continue } 
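Review bot: `NginxCfgParams` carries both `ingEx` and `mergeableIngs`, but the struct comment does not say which function reads which. `generateNginxCfg` dereferences `p.staticParams` on its first line and `p.ingEx` throughout, so a caller that fills in the wrong one of the two, or leaves `staticParams` unset, compiles and panics while generating config. I would annotate the fields, e.g. `ingEx *IngressEx // read by generateNginxCfg; must be non-nil there` and `mergeableIngs *MergeableIngresses // read by generateNginxCfgForMergeableIngresses only`. The added `//nolint:gocyclo` also deserves a reason on the same line, e.g. `//nolint:gocyclo // server and location generation not yet split out`, so the suppression is not copied blindly. The function body continues in the later hunks.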
@@ -152,35 +166,35 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes ServerSnippets: cfgParams.ServerSnippets, Ports: cfgParams.Ports, SSLPorts: cfgParams.SSLPorts, - TLSPassthrough: staticParams.TLSPassthrough, + TLSPassthrough: p.staticParams.TLSPassthrough, AppProtectEnable: cfgParams.AppProtectEnable, AppProtectLogEnable: cfgParams.AppProtectLogEnable, SpiffeCerts: cfgParams.SpiffeServerCerts, - DisableIPV6: staticParams.DisableIPV6, + DisableIPV6: p.staticParams.DisableIPV6, } - warnings := addSSLConfig(&server, ingEx.Ingress, rule.Host, ingEx.Ingress.Spec.TLS, ingEx.SecretRefs, isWildcardEnabled) + warnings := addSSLConfig(&server, p.ingEx.Ingress, rule.Host, p.ingEx.Ingress.Spec.TLS, p.ingEx.SecretRefs, p.isWildcardEnabled) allWarnings.Add(warnings) if hasAppProtect { - server.AppProtectPolicy = apResources.AppProtectPolicy - server.AppProtectLogConfs = apResources.AppProtectLogconfs + server.AppProtectPolicy = p.apResources.AppProtectPolicy + server.AppProtectLogConfs = p.apResources.AppProtectLogconfs } - if hasAppProtectDos && dosResource != nil { - server.AppProtectDosEnable = dosResource.AppProtectDosEnable - server.AppProtectDosLogEnable = dosResource.AppProtectDosLogEnable - server.AppProtectDosMonitorURI = dosResource.AppProtectDosMonitorURI - server.AppProtectDosMonitorProtocol = dosResource.AppProtectDosMonitorProtocol - server.AppProtectDosMonitorTimeout = dosResource.AppProtectDosMonitorTimeout - server.AppProtectDosName = dosResource.AppProtectDosName - server.AppProtectDosAccessLogDst = dosResource.AppProtectDosAccessLogDst - server.AppProtectDosPolicyFile = dosResource.AppProtectDosPolicyFile - server.AppProtectDosLogConfFile = dosResource.AppProtectDosLogConfFile + if hasAppProtectDos && p.dosResource != nil { + server.AppProtectDosEnable = p.dosResource.AppProtectDosEnable + server.AppProtectDosLogEnable = p.dosResource.AppProtectDosLogEnable + server.AppProtectDosMonitorURI = 
p.dosResource.AppProtectDosMonitorURI + server.AppProtectDosMonitorProtocol = p.dosResource.AppProtectDosMonitorProtocol + server.AppProtectDosMonitorTimeout = p.dosResource.AppProtectDosMonitorTimeout + server.AppProtectDosName = p.dosResource.AppProtectDosName + server.AppProtectDosAccessLogDst = p.dosResource.AppProtectDosAccessLogDst + server.AppProtectDosPolicyFile = p.dosResource.AppProtectDosPolicyFile + server.AppProtectDosLogConfFile = p.dosResource.AppProtectDosLogConfFile } - if !isMinion && cfgParams.JWTKey != "" { - jwtAuth, redirectLoc, warnings := generateJWTConfig(ingEx.Ingress, ingEx.SecretRefs, &cfgParams, getNameForRedirectLocation(ingEx.Ingress)) + if !p.isMinion && cfgParams.JWTKey != "" { + jwtAuth, redirectLoc, warnings := generateJWTConfig(p.ingEx.Ingress, p.ingEx.SecretRefs, &cfgParams, getNameForRedirectLocation(p.ingEx.Ingress)) server.JWTAuth = jwtAuth if redirectLoc != nil { server.JWTRedirectLocations = append(server.JWTRedirectLocations, *redirectLoc) @@ -188,8 +202,8 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes allWarnings.Add(warnings) } - if !isMinion && cfgParams.BasicAuthSecret != "" { - basicAuth, warnings := generateBasicAuthConfig(ingEx.Ingress, ingEx.SecretRefs, &cfgParams) + if !p.isMinion && cfgParams.BasicAuthSecret != "" { + basicAuth, warnings := generateBasicAuthConfig(p.ingEx.Ingress, p.ingEx.SecretRefs, &cfgParams) server.BasicAuth = basicAuth allWarnings.Add(warnings) } 
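Review bot: `p.apResources` is dereferenced under `if hasAppProtect` without a nil check, while the DoS branch directly below guards with `p.dosResource != nil`. Now that the arguments arrive in a struct whose fields can be left unset, an omitted `apResources` compiles and would panic here whenever the App Protect module is loaded. Whether nil can actually reach this point is not visible in the hunk. If callers guarantee a non-nil value, a comment such as `// apResources is always non-nil when MainAppProtectLoadModule is set` would record that. If they do not, the nil case should add a warning to `allWarnings` rather than silently render a server without its policy.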
@@ -211,32 +225,33 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes
 grpcOnly = false
 }
- for _, path := range httpIngressRuleValue.Paths {
+ for i := range httpIngressRuleValue.Paths {
+ path := httpIngressRuleValue.Paths[i]
 // skip invalid paths for minions
- if isMinion && !ingEx.ValidMinionPaths[path.Path] {
+ if p.isMinion && !p.ingEx.ValidMinionPaths[path.Path] {
 continue
 }
- upsName := getNameForUpstream(ingEx.Ingress, rule.Host, &path.Backend)
+ upsName := getNameForUpstream(p.ingEx.Ingress, rule.Host, &path.Backend)
 if cfgParams.HealthCheckEnabled {
- if hc, exists := ingEx.HealthChecks[path.Backend.Service.Name+GetBackendPortAsString(path.Backend.Service.Port)]; exists {
+ if hc, exists := p.ingEx.HealthChecks[path.Backend.Service.Name+GetBackendPortAsString(path.Backend.Service.Port)]; exists {
 healthChecks[upsName] = createHealthCheck(hc, upsName, &cfgParams)
 }
 }
 if _, exists := upstreams[upsName]; !exists {
- upstream := createUpstream(ingEx, upsName, &path.Backend, spServices[path.Backend.Service.Name], &cfgParams, isPlus, isResolverConfigured, staticParams.EnableLatencyMetrics)
+ upstream := createUpstream(p.ingEx, upsName, &path.Backend, spServices[path.Backend.Service.Name], &cfgParams, p.isPlus, p.isResolverConfigured, p.staticParams.EnableLatencyMetrics)
 upstreams[upsName] = upstream
 }
- ssl := isSSLEnabled(sslServices[path.Backend.Service.Name], cfgParams, staticParams)
- proxySSLName := generateProxySSLName(path.Backend.Service.Name, ingEx.Ingress.Namespace)
+ ssl := isSSLEnabled(sslServices[path.Backend.Service.Name], cfgParams, p.staticParams)
+ proxySSLName := generateProxySSLName(path.Backend.Service.Name, p.ingEx.Ingress.Namespace)
 loc := createLocation(pathOrDefault(path.Path), upstreams[upsName], &cfgParams, wsServices[path.Backend.Service.Name], rewrites[path.Backend.Service.Name], ssl, grpcServices[path.Backend.Service.Name], proxySSLName, path.PathType, path.Backend.Service.Name)
- if isMinion && cfgParams.JWTKey != "" {
- jwtAuth, redirectLoc, warnings := generateJWTConfig(ingEx.Ingress, ingEx.SecretRefs, &cfgParams, getNameForRedirectLocation(ingEx.Ingress))
+ if p.isMinion && cfgParams.JWTKey != "" {
+ jwtAuth, redirectLoc, warnings := generateJWTConfig(p.ingEx.Ingress, p.ingEx.SecretRefs, &cfgParams, getNameForRedirectLocation(p.ingEx.Ingress))
 loc.JWTAuth = jwtAuth
 if redirectLoc != nil {
 server.JWTRedirectLocations = append(server.JWTRedirectLocations, *redirectLoc)
@@ -244,8 +259,8 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes
 allWarnings.Add(warnings)
 }
- if isMinion && cfgParams.BasicAuthSecret != "" {
- basicAuth, warnings := generateBasicAuthConfig(ingEx.Ingress, ingEx.SecretRefs, &cfgParams)
+ if p.isMinion && cfgParams.BasicAuthSecret != "" {
+ basicAuth, warnings := generateBasicAuthConfig(p.ingEx.Ingress, p.ingEx.SecretRefs, &cfgParams)
 loc.BasicAuth = basicAuth
 allWarnings.Add(warnings)
 }
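Review bot: The new loop header `for i := range httpIngressRuleValue.Paths` followed by `path := httpIngressRuleValue.Paths[i]` still copies each element, so if the rewrite was meant to avoid the per-iteration copy (or to quiet a range-copy linter) it does not achieve that. Taking a pointer instead, `path := &httpIngressRuleValue.Paths[i]`, avoids the copy and leaves `path.Path`, `path.PathType` and `&path.Backend` below compiling unchanged. `&path.Backend` would then point into the Ingress spec rather than at a loop-local copy, so confirm that nothing downstream writes through it before switching. If the copy is intentional, a one-line comment saying so would help; the loop body continues past the end of this hunk.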
@@ -257,23 +272,23 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes
 }
 }
- if !rootLocation && ingEx.Ingress.Spec.DefaultBackend != nil {
- upsName := getNameForUpstream(ingEx.Ingress, emptyHost, ingEx.Ingress.Spec.DefaultBackend)
- ssl := isSSLEnabled(sslServices[ingEx.Ingress.Spec.DefaultBackend.Service.Name], cfgParams, staticParams)
- proxySSLName := generateProxySSLName(ingEx.Ingress.Spec.DefaultBackend.Service.Name, ingEx.Ingress.Namespace)
+ if !rootLocation && p.ingEx.Ingress.Spec.DefaultBackend != nil {
+ upsName := getNameForUpstream(p.ingEx.Ingress, emptyHost, p.ingEx.Ingress.Spec.DefaultBackend)
+ ssl := isSSLEnabled(sslServices[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name], cfgParams, p.staticParams)
+ proxySSLName := generateProxySSLName(p.ingEx.Ingress.Spec.DefaultBackend.Service.Name, p.ingEx.Ingress.Namespace)
 pathtype := networking.PathTypePrefix
- loc := createLocation(pathOrDefault("/"), upstreams[upsName], &cfgParams, wsServices[ingEx.Ingress.Spec.DefaultBackend.Service.Name], rewrites[ingEx.Ingress.Spec.DefaultBackend.Service.Name],
- ssl, grpcServices[ingEx.Ingress.Spec.DefaultBackend.Service.Name], proxySSLName, &pathtype, ingEx.Ingress.Spec.DefaultBackend.Service.Name)
+ loc := createLocation(pathOrDefault("/"), upstreams[upsName], &cfgParams, wsServices[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name], rewrites[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name],
+ ssl, grpcServices[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name], proxySSLName, &pathtype, p.ingEx.Ingress.Spec.DefaultBackend.Service.Name)
 locations = append(locations, loc)
 if cfgParams.HealthCheckEnabled {
- if hc, exists := ingEx.HealthChecks[ingEx.Ingress.Spec.DefaultBackend.Service.Name+GetBackendPortAsString(ingEx.Ingress.Spec.DefaultBackend.Service.Port)]; exists {
+ if hc, exists := p.ingEx.HealthChecks[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name+GetBackendPortAsString(p.ingEx.Ingress.Spec.DefaultBackend.Service.Port)]; exists {
 healthChecks[upsName] = createHealthCheck(hc, upsName, &cfgParams)
 }
 }
- if _, exists := grpcServices[ingEx.Ingress.Spec.DefaultBackend.Service.Name]; !exists {
+ if _, exists := grpcServices[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name]; !exists {
 grpcOnly = false
 }
 }
@@ -295,11 +310,11 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes
 Servers: servers,
 Keepalive: keepalive,
 Ingress: version1.Ingress{
- Name: ingEx.Ingress.Name,
- Namespace: ingEx.Ingress.Namespace,
- Annotations: ingEx.Ingress.Annotations,
+ Name: p.ingEx.Ingress.Name,
+ Namespace: p.ingEx.Ingress.Namespace,
+ Annotations: p.ingEx.Ingress.Annotations,
 },
- SpiffeClientCerts: staticParams.NginxServiceMesh && !cfgParams.SpiffeServerCerts,
+ SpiffeClientCerts: p.staticParams.NginxServiceMesh && !cfgParams.SpiffeServerCerts,
 }, allWarnings
 }
@@ -571,10 +586,7 @@ func upstreamMapToSlice(upstreams map[string]version1.Upstream) []version1.Upstr
 return result
 }
-func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, apResources *AppProtectResources,
- dosResource *appProtectDosResource, baseCfgParams *ConfigParams, isPlus bool, isResolverConfigured bool,
- staticParams *StaticConfigParams, isWildcardEnabled bool,
-) (version1.IngressNginxConfig, Warnings) {
+func generateNginxCfgForMergeableIngresses(p NginxCfgParams) (version1.IngressNginxConfig, Warnings) {
 var masterServer version1.Server
 var locations []version1.Location
 var upstreams []version1.Upstream
@@ -582,23 +594,33 @@ func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, ap
 var keepalive string
 // replace master with a deepcopy because we will modify it
- originalMaster := mergeableIngs.Master.Ingress
- mergeableIngs.Master.Ingress = mergeableIngs.Master.Ingress.DeepCopy()
+ originalMaster := p.mergeableIngs.Master.Ingress
+ p.mergeableIngs.Master.Ingress = p.mergeableIngs.Master.Ingress.DeepCopy()
- removedAnnotations := filterMasterAnnotations(mergeableIngs.Master.Ingress.Annotations)
+ removedAnnotations := filterMasterAnnotations(p.mergeableIngs.Master.Ingress.Annotations)
 if len(removedAnnotations) != 0 {
 glog.Errorf("Ingress Resource %v/%v with the annotation 'nginx.org/mergeable-ingress-type' set to 'master' cannot contain the '%v' annotation(s). They will be ignored",
- mergeableIngs.Master.Ingress.Namespace, mergeableIngs.Master.Ingress.Name, strings.Join(removedAnnotations, ","))
+ p.mergeableIngs.Master.Ingress.Namespace, p.mergeableIngs.Master.Ingress.Name, strings.Join(removedAnnotations, ","))
 }
 isMinion := false
- masterNginxCfg, warnings := generateNginxCfg(mergeableIngs.Master, apResources, dosResource, isMinion, baseCfgParams, isPlus, isResolverConfigured, staticParams, isWildcardEnabled)
-
- // because mergeableIngs.Master.Ingress is a deepcopy of the original master
+ masterNginxCfg, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: p.staticParams,
+ ingEx: p.mergeableIngs.Master,
+ apResources: p.apResources,
+ dosResource: p.dosResource,
+ isMinion: isMinion,
+ isPlus: p.isPlus,
+ baseCfgParams: p.baseCfgParams,
+ isResolverConfigured: p.isResolverConfigured,
+ isWildcardEnabled: p.isWildcardEnabled,
+ })
+
+ // because p.mergeableIngs.Master.Ingress is a deepcopy of the original master
 // we need to change the key in the warnings to the original master
- if _, exists := warnings[mergeableIngs.Master.Ingress]; exists {
- warnings[originalMaster] = warnings[mergeableIngs.Master.Ingress]
- delete(warnings, mergeableIngs.Master.Ingress)
+ if _, exists := warnings[p.mergeableIngs.Master.Ingress]; exists {
+ warnings[originalMaster] = warnings[p.mergeableIngs.Master.Ingress]
+ delete(warnings, p.mergeableIngs.Master.Ingress)
 }
 masterServer = masterNginxCfg.Servers[0]
@@ -610,7 +632,7 @@ func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, ap
 keepalive = masterNginxCfg.Keepalive
 }
- minions := mergeableIngs.Minions
+ minions := p.mergeableIngs.Minions
 for _, minion := range minions {
 // replace minion with a deepcopy because we will modify it
 originalMinion := minion.Ingress
@@ -620,7 +642,7 @@ func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, ap
 minion.Ingress.Spec.DefaultBackend = nil
 // Add acceptable master annotations to minion
- mergeMasterAnnotationsIntoMinion(minion.Ingress.Annotations, mergeableIngs.Master.Ingress.Annotations)
+ mergeMasterAnnotationsIntoMinion(minion.Ingress.Annotations, p.mergeableIngs.Master.Ingress.Annotations)
 removedAnnotations = filterMinionAnnotations(minion.Ingress.Annotations)
 if len(removedAnnotations) != 0 {
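Review bot: `p.mergeableIngs.Master.Ingress` is dereferenced in the first statement after the declarations (`originalMaster := p.mergeableIngs.Master.Ingress`) without checking that `p.mergeableIngs` is set. The old signature made `mergeableIngs` a required positional argument, whereas `NginxCfgParams` carries both `ingEx` and `mergeableIngs`, so a caller that fills in the wrong one or omits it still compiles and panics here. Either guard at the top of the function or give the mergeable path its own parameter type. A doc comment on the function should also state which fields it reads, along the lines of `// generateNginxCfgForMergeableIngresses requires p.mergeableIngs; p.ingEx and p.isMinion are set per call to generateNginxCfg.` The function starts in the previous hunk and continues past this one, so that wording is based only on the hunks shown.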
@@ -632,7 +654,17 @@ func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, ap
 // App Protect Resources not allowed in minions - pass empty struct
 dummyApResources := &AppProtectResources{}
 dummyDosResource := &appProtectDosResource{}
- nginxCfg, minionWarnings := generateNginxCfg(minion, dummyApResources, dummyDosResource, isMinion, baseCfgParams, isPlus, isResolverConfigured, staticParams, isWildcardEnabled)
+ nginxCfg, minionWarnings := generateNginxCfg(NginxCfgParams{
+ staticParams: p.staticParams,
+ ingEx: minion,
+ apResources: dummyApResources,
+ dosResource: dummyDosResource,
+ isMinion: isMinion,
+ isPlus: p.isPlus,
+ baseCfgParams: p.baseCfgParams,
+ isResolverConfigured: p.isResolverConfigured,
+ isWildcardEnabled: p.isWildcardEnabled,
+ })
 warnings.Add(minionWarnings)
 // because minion.Ingress is a deepcopy of the original minion
@@ -664,7 +696,7 @@ func generateNginxCfgForMergeableIngresses(mergeableIngs *MergeableIngresses, ap
 Upstreams: upstreams,
 Keepalive: keepalive,
 Ingress: masterNginxCfg.Ingress,
- SpiffeClientCerts: staticParams.NginxServiceMesh && !baseCfgParams.SpiffeServerCerts,
+ SpiffeClientCerts: p.staticParams.NginxServiceMesh && !p.baseCfgParams.SpiffeServerCerts,
 }, warnings
 }
diff --git a/internal/configs/ingress_test.go b/internal/configs/ingress_test.go
index 0da7f9ac25..29911e0977 100644
--- a/internal/configs/ingress_test.go
+++ b/internal/configs/ingress_test.go
@@ -22,8 +22,17 @@ func TestGenerateNginxCfg(t *testing.T) {
 configParams := NewDefaultConfigParams(isPlus)
 expected := createExpectedConfigForCafeIngressEx(isPlus)
-
- result, warnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, isPlus, false, &StaticConfigParams{}, false)
+ result, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: &StaticConfigParams{},
+ ingEx: &cafeIngressEx,
+ apResources: nil,
+ dosResource: nil,
+ isMinion: false,
+ isPlus: isPlus,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: false,
+ })
 if diff := cmp.Diff(expected, result); diff != "" {
 t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", diff)
@@ -64,7 +73,17 @@ func TestGenerateNginxCfgForJWT(t *testing.T) {
 },
 }
- result, warnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, true, false, &StaticConfigParams{}, false)
+ result, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: &StaticConfigParams{},
+ ingEx: &cafeIngressEx,
+ apResources: nil,
+ dosResource: nil,
+ isMinion: false,
+ isPlus: true,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: false,
+ })
 if !reflect.DeepEqual(result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth) {
 t.Errorf("generateNginxCfg returned \n%v, but expected \n%v", result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth)
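Review bot: The nine-field `NginxCfgParams{...}` literal added in TestGenerateNginxCfg is repeated nearly verbatim in the other generateNginxCfg test hunks of this file, differing only in `staticParams`, `isPlus`, `isWildcardEnabled` and the App Protect fields. Entries such as `apResources: nil`, `dosResource: nil` and `isMinion: false` are zero values and can be dropped, or the tests could share a small helper that returns default parameters for `cafeIngressEx` and lets each test override only what it exercises. None of the test hunks shown here covers a parameter struct with `ingEx` or `mergeableIngs` left unset, which is a case the struct-based signature now allows to compile.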
@@ -98,7 +117,17 @@ func TestGenerateNginxCfgForBasicAuth(t *testing.T) {
 Realm: "Cafe App",
 }
- result, warnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, true, false, &StaticConfigParams{}, false)
+ result, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: &StaticConfigParams{},
+ ingEx: &cafeIngressEx,
+ apResources: nil,
+ dosResource: nil,
+ isMinion: false,
+ isPlus: true,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: false,
+ })
 if !reflect.DeepEqual(result.Servers[0].BasicAuth, expected.Servers[0].BasicAuth) {
 t.Errorf("generateNginxCfg returned \n%v, but expected \n%v", result.Servers[0].BasicAuth, expected.Servers[0].BasicAuth)
@@ -114,7 +143,17 @@ func TestGenerateNginxCfgWithMissingTLSSecret(t *testing.T) {
 cafeIngressEx.SecretRefs["cafe-secret"].Error = errors.New("secret doesn't exist")
 configParams := NewDefaultConfigParams(false)
- result, resultWarnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, false, false, &StaticConfigParams{}, false)
+ result, resultWarnings := generateNginxCfg(NginxCfgParams{
+ staticParams: &StaticConfigParams{},
+ ingEx: &cafeIngressEx,
+ apResources: nil,
+ dosResource: nil,
+ isMinion: false,
+ isPlus: false,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: false,
+ })
 expectedSSLRejectHandshake := true
 expectedWarnings := Warnings{
@@ -138,7 +177,17 @@ func TestGenerateNginxCfgWithWildcardTLSSecret(t *testing.T) {
 cafeIngressEx.Ingress.Spec.TLS[0].SecretName = ""
 configParams := NewDefaultConfigParams(false)
- result, warnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, false, false, &StaticConfigParams{}, true)
+ result, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: &StaticConfigParams{},
+ ingEx: &cafeIngressEx,
+ apResources: nil,
+ dosResource: nil,
+ isMinion: false,
+ isPlus: false,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: true,
+ })
 resultServer := result.Servers[0]
 if !reflect.DeepEqual(resultServer.SSLCertificate, pemFileNameForWildcardTLSSecret) {
@@ -161,7 +210,17 @@ func TestGenerateNginxCfgWithIPV6Disabled(t *testing.T) {
 expected := createExpectedConfigForCafeIngressEx(isPlus)
 expected.Servers[0].DisableIPV6 = true
- result, warnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, isPlus, false, &StaticConfigParams{DisableIPV6: true}, false)
+ result, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: &StaticConfigParams{DisableIPV6: true},
+ ingEx: &cafeIngressEx,
+ apResources: nil,
+ dosResource: nil,
+ isMinion: false,
+ isPlus: isPlus,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: false,
+ })
 if !cmp.Equal(expected, result) {
 t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", cmp.Diff(expected, result))
@@ -414,7 +473,16 @@ func TestGenerateNginxCfgForMergeableIngresses(t *testing.T) {
 configParams := NewDefaultConfigParams(isPlus)
- result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, nil, nil, configParams, false, false, &StaticConfigParams{}, false)
+ result, warnings := generateNginxCfgForMergeableIngresses(NginxCfgParams{
+ mergeableIngs: mergeableIngresses,
+ apResources: nil,
+ dosResource: nil,
+ baseCfgParams: configParams,
+ isPlus: false,
+ isResolverConfigured: false,
+ staticParams: &StaticConfigParams{},
+ isWildcardEnabled: false,
+ })
 if diff := cmp.Diff(expected, result); diff != "" {
 t.Errorf("generateNginxCfgForMergeableIngresses() returned unexpected result (-want +got):\n%s", diff)
@@ -439,7 +507,16 @@ func TestGenerateNginxConfigForCrossNamespaceMergeableIngresses(t *testing.T) {
 expected := createExpectedConfigForCrossNamespaceMergeableCafeIngress()
 configParams := NewDefaultConfigParams(false)
- result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, nil, nil, configParams, false, false, &StaticConfigParams{}, false)
+ result, warnings := generateNginxCfgForMergeableIngresses(NginxCfgParams{
+ mergeableIngs: mergeableIngresses,
+ apResources: nil,
+ dosResource: nil,
+ baseCfgParams: configParams,
+ isPlus: false,
+ isResolverConfigured: false,
+ staticParams: &StaticConfigParams{},
+ isWildcardEnabled: false,
+ })
 if diff := cmp.Diff(expected, result); diff != "" {
 t.Errorf("generateNginxCfgForMergeableIngresses() returned unexpected result (-want +got):\n%s", diff)
@@ -504,7 +581,16 @@ func TestGenerateNginxCfgForMergeableIngressesForJWT(t *testing.T) {
 minionJwtKeyFileNames[objectMetaToFileName(&mergeableIngresses.Minions[0].Ingress.ObjectMeta)] = "/etc/nginx/secrets/default-coffee-jwk"
 configParams := NewDefaultConfigParams(isPlus)
- result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, nil, nil, configParams, isPlus, false, &StaticConfigParams{}, false)
+ result, warnings := generateNginxCfgForMergeableIngresses(NginxCfgParams{
+ mergeableIngs: mergeableIngresses,
+ apResources: nil,
+ dosResource: nil,
+ baseCfgParams: configParams,
+ isPlus: isPlus,
+ isResolverConfigured: false,
+ staticParams: &StaticConfigParams{},
+ isWildcardEnabled: false,
+ })
 if !reflect.DeepEqual(result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth) {
 t.Errorf("generateNginxCfgForMergeableIngresses returned \n%v, but expected \n%v", result.Servers[0].JWTAuth, expected.Servers[0].JWTAuth)
@@ -555,7 +641,16 @@ func TestGenerateNginxCfgForMergeableIngressesForBasicAuth(t *testing.T) {
 configParams := NewDefaultConfigParams(isPlus)
- result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, nil, nil, configParams, isPlus, false, &StaticConfigParams{}, false)
+ result, warnings := generateNginxCfgForMergeableIngresses(NginxCfgParams{
+ mergeableIngs: mergeableIngresses,
+ apResources: nil,
+ dosResource: nil,
+ baseCfgParams: configParams,
+ isPlus: isPlus,
+ isResolverConfigured: false,
+ staticParams: &StaticConfigParams{},
+ isWildcardEnabled: false,
+ })
 if !reflect.DeepEqual(result.Servers[0].BasicAuth, expected.Servers[0].BasicAuth) {
 t.Errorf("generateNginxCfgForMergeableIngresses returned \n%v, but expected \n%v", result.Servers[0].BasicAuth, expected.Servers[0].BasicAuth)
@@ -956,8 +1051,17 @@ func TestGenerateNginxCfgForSpiffe(t *testing.T) {
 expected.Servers[0].Locations[i].SSL = true
 }
- result, warnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, false, false,
- &StaticConfigParams{NginxServiceMesh: true}, false)
+ result, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: &StaticConfigParams{NginxServiceMesh: true},
+ ingEx: &cafeIngressEx,
+ apResources: nil,
+ dosResource: nil,
+ isMinion: false,
+ isPlus: false,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: false,
+ })
 if diff := cmp.Diff(expected, result); diff != "" {
 t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", diff)
@@ -979,8 +1083,17 @@ func TestGenerateNginxCfgForInternalRoute(t *testing.T) {
 expected.Servers[0].SpiffeCerts = true
 expected.Ingress.Annotations[internalRouteAnnotation] = "true"
- result, warnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, false, false,
- &StaticConfigParams{NginxServiceMesh: true, EnableInternalRoutes: true}, false)
+ result, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: &StaticConfigParams{NginxServiceMesh: true, EnableInternalRoutes: true},
+ ingEx: &cafeIngressEx,
+ apResources: nil,
+ dosResource: nil,
+ isMinion: false,
+ isPlus: false,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: false,
+ })
 if diff := cmp.Diff(expected, result); diff != "" {
 t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", diff)
@@ -1463,7 +1576,17 @@ func TestGenerateNginxCfgForAppProtect(t *testing.T) {
 expected.Servers[0].AppProtectLogEnable = "on"
 expected.Ingress.Annotations = cafeIngressEx.Ingress.Annotations
- result, warnings := generateNginxCfg(&cafeIngressEx, apResources, nil, false, configParams, isPlus, false, staticCfgParams, false)
+ result, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: staticCfgParams,
+ ingEx: &cafeIngressEx,
+ apResources: apResources,
+ dosResource: nil,
+ isMinion: false,
+ isPlus: isPlus,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: false,
+ })
 if diff := cmp.Diff(expected, result); diff != "" {
 t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", diff)
 }
@@ -1515,7 +1638,16 @@ func TestGenerateNginxCfgForMergeableIngressesForAppProtect(t *testing.T) {
 expected.Servers[0].AppProtectLogEnable = "on"
 expected.Ingress.Annotations = mergeableIngresses.Master.Ingress.Annotations
- result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, apResources, nil, configParams, isPlus, false, staticCfgParams, false)
+ result, warnings := generateNginxCfgForMergeableIngresses(NginxCfgParams{
+ mergeableIngs: mergeableIngresses,
+ apResources: apResources,
+ dosResource: nil,
+ baseCfgParams: configParams,
+ isPlus: isPlus,
+ isResolverConfigured: false,
+ staticParams: staticCfgParams,
+ isWildcardEnabled: false,
+ })
 if diff := cmp.Diff(expected, result); diff != "" {
 t.Errorf("generateNginxCfgForMergeableIngresses() returned unexpected result (-want +got):\n%s", diff)
 }
@@ -1554,7 +1686,17 @@ func TestGenerateNginxCfgForAppProtectDos(t *testing.T) {
 expected.Servers[0].AppProtectDosAccessLogDst = "access-log-dest"
 expected.Ingress.Annotations = cafeIngressEx.Ingress.Annotations
- result, warnings := generateNginxCfg(&cafeIngressEx, nil, dosResource, false, configParams, isPlus, false, staticCfgParams, false)
+ result, warnings := generateNginxCfg(NginxCfgParams{
+ staticParams: staticCfgParams,
+ ingEx: &cafeIngressEx,
+ apResources: nil,
+ dosResource: dosResource,
+ isMinion: false,
+ isPlus: isPlus,
+ baseCfgParams: configParams,
+ isResolverConfigured: false,
+ isWildcardEnabled: false,
+ })
 if diff := cmp.Diff(expected, result); diff != "" {
 t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", diff)
 }
@@ -1588,7 +1730,7 @@ func TestGenerateNginxCfgForMergeableIngressesForAppProtectDos(t *testing.T) {
 isPlus := true
 configParams := NewDefaultConfigParams(isPlus)
- apRes := &appProtectDosResource{
+ dosResource := &appProtectDosResource{
 AppProtectDosEnable: "on",
 AppProtectDosName: "dos.example.com",
 AppProtectDosMonitorURI: "monitor-name",
@@ -1611,7 +1753,16 @@ func TestGenerateNginxCfgForMergeableIngressesForAppProtectDos(t *testing.T) {
 expected.Servers[0].AppProtectDosAccessLogDst = "access-log-dest"
 expected.Ingress.Annotations = mergeableIngresses.Master.Ingress.Annotations
- result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, nil, apRes, configParams, isPlus, false, staticCfgParams, false)
+ result, warnings := generateNginxCfgForMergeableIngresses(NginxCfgParams{
+ mergeableIngs: mergeableIngresses,
+ apResources: nil,
+ dosResource: dosResource,
+ baseCfgParams: configParams,
+ isPlus: isPlus,
+ isResolverConfigured: false,
+ staticParams: staticCfgParams,
+ isWildcardEnabled: false,
+ })
 if diff := cmp.Diff(expected, result); diff != "" {
 t.Errorf("generateNginxCfgForMergeableIngresses() returned unexpected result (-want +got):\n%s", diff)
 }
diff --git a/internal/k8s/controller_test.go b/internal/k8s/controller_test.go
index 7a7331f428..4987336e3e 100644
--- a/internal/k8s/controller_test.go
+++ b/internal/k8s/controller_test.go
@@ -419,7 +419,20 @@ func TestFindProbeForPods(t *testing.T) {
 func TestGetServicePortForIngressPort(t *testing.T) {
 t.Parallel()
 fakeClient := fake.NewSimpleClientset()
- cnf := configs.NewConfigurator(&nginx.LocalManager{}, &configs.StaticConfigParams{}, &configs.ConfigParams{}, &version1.TemplateExecutor{}, &version2.TemplateExecutor{}, false, false, nil, false, nil, false)
+
+ cnf := configs.NewConfigurator(configs.ConfiguratorParams{
+ NginxManager: &nginx.LocalManager{},
+ StaticCfgParams: &configs.StaticConfigParams{},
+ Config: &configs.ConfigParams{},
+ TemplateExecutor: &version1.TemplateExecutor{},
+ TemplateExecutorV2: &version2.TemplateExecutor{},
+ LatencyCollector: nil,
+ LabelUpdater: nil,
+ IsPlus: false,
+ IsWildcardEnabled: false,
+ IsPrometheusEnabled: false,
+ IsLatencyMetricsEnabled: false,
+ })
 lbc := LoadBalancerController{
 client: fakeClient,
 ingressClass: "nginx",