From 40979b31346a33b275b952f1bd1231ff32738b0d Mon Sep 17 00:00:00 2001
From: oseoin
Date: Sat, 25 Nov 2023 09:59:52 +0000
Subject: [PATCH] Remove redundant newlines in generated v1 configuration (#4699)

---
 .../configs/version1/nginx-plus.ingress.tmpl | 137 +++---
 internal/configs/version1/nginx-plus.tmpl | 88 ++--
 internal/configs/version1/nginx.ingress.tmpl | 124 +++---
 internal/configs/version1/nginx.tmpl | 76 ++--
 .../version2/nginx-plus.transportserver.tmpl | 48 +-
 .../version2/nginx-plus.virtualserver.tmpl | 408 +++++++++---------
 .../version2/nginx.transportserver.tmpl | 48 +-
 .../configs/version2/nginx.virtualserver.tmpl | 311 +++++++------
 8 files changed, 619 insertions(+), 621 deletions(-)

diff --git a/internal/configs/version1/nginx-plus.ingress.tmpl b/internal/configs/version1/nginx-plus.ingress.tmpl
index e4b11629e8..14343e65d0 100644
--- a/internal/configs/version1/nginx-plus.ingress.tmpl
+++ b/internal/configs/version1/nginx-plus.ingress.tmpl
@@ -1,16 +1,16 @@ {{- /*gotype: github.com/nginxinc/kubernetes-ingress/internal/configs/version1.IngressNginxConfig*/ -}} # configuration for {{.Ingress.Namespace}}/{{.Ingress.Name}} -{{range $upstream := .Upstreams}} +{{- range $upstream := .Upstreams}} upstream {{$upstream.Name}} { zone {{$upstream.Name}} {{if ne $upstream.UpstreamZoneSize "0"}}{{$upstream.UpstreamZoneSize}}{{else}}512k{{end}}; - {{if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}} - {{range $server := $upstream.UpstreamServers}} + {{- if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}} + {{- range $server := $upstream.UpstreamServers}} server {{$server.Address}} max_fails={{$server.MaxFails}} fail_timeout={{$server.FailTimeout}} max_conns={{$server.MaxConns}} {{- if $server.SlowStart}} slow_start={{$server.SlowStart}}{{end}}{{if $server.Resolve}} resolve{{end}};{{end}} - {{if $upstream.StickyCookie}} + {{- if $upstream.StickyCookie}} sticky cookie {{$upstream.StickyCookie}}; - {{end}} - {{if $.Keepalive}}keepalive {{$.Keepalive}};{{end}} + {{- end}} + {{- if $.Keepalive}}keepalive {{$.Keepalive}};{{end}} {{- if $upstream.UpstreamServers -}} {{- if $upstream.Queue}} queue {{$upstream.Queue}} timeout={{$upstream.QueueTimeout}}s; 
@@ -21,46 +21,46 @@ upstream {{$upstream.Name}} { {{range $server := .Servers}} server { - {{if $server.SpiffeCerts}} + {{- if $server.SpiffeCerts}} listen 443 ssl; - {{if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}} + {{- if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}} ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; - {{else}} - {{if not $server.GRPCOnly}} - {{range $port := $server.Ports}} + {{- else}} + {{- if not $server.GRPCOnly}} + {{- range $port := $server.Ports}} listen {{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}}; - {{if not $server.DisableIPV6}}listen [::]:{{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{- if not $server.DisableIPV6}}listen [::]:{{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{- end}} {{- end}} - {{end}} - {{if $server.SSL}} - {{if $server.TLSPassthrough}} + {{- if $server.SSL}} + {{- if $server.TLSPassthrough}} listen unix:/var/lib/nginx/passthrough-https.sock ssl proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; - {{else}} + {{- else}} {{- range $port := $server.SSLPorts}} listen {{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}}; - {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{- if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} {{- end}} - {{end}} - {{if $server.HTTP2}} + {{- end}} + {{- if $server.HTTP2}} http2 on; - {{end}} - {{if $server.SSLRejectHandshake}} + {{- end}} + {{- if $server.SSLRejectHandshake}} ssl_reject_handshake on; - {{else}} + {{- else}} ssl_certificate {{$server.SSLCertificate}}; ssl_certificate_key {{$server.SSLCertificateKey}}; - {{end}} - {{end}} - {{end}} + {{- end}} + {{- end}} + {{- end}} - {{range $setRealIPFrom := $server.SetRealIPFrom}} + {{- range $setRealIPFrom := $server.SetRealIPFrom}} set_real_ip_from 
{{$setRealIPFrom}};{{end}} - {{if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}} - {{if $server.RealIPRecursive}}real_ip_recursive on;{{end}} + {{- if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}} + {{- if $server.RealIPRecursive}}real_ip_recursive on;{{end}} server_tokens "{{$server.ServerTokens}}"; @@ -104,34 +104,34 @@ server { {{- end}} {{if not $server.GRPCOnly}} - {{range $proxyHideHeader := $server.ProxyHideHeaders}} + {{- range $proxyHideHeader := $server.ProxyHideHeaders}} proxy_hide_header {{$proxyHideHeader}};{{end}} - {{range $proxyPassHeader := $server.ProxyPassHeaders}} + {{- range $proxyPassHeader := $server.ProxyPassHeaders}} proxy_pass_header {{$proxyPassHeader}};{{end}} - {{end}} + {{- end}} {{- if and $server.HSTS (or $server.SSL $server.HSTSBehindProxy)}} set $hsts_header_val ""; proxy_hide_header Strict-Transport-Security; {{- if $server.HSTSBehindProxy}} if ($http_x_forwarded_proto = 'https') { - {{else}} + {{- else}} if ($https = on) { {{- end}} set $hsts_header_val "max-age={{$server.HSTSMaxAge}}; {{if $server.HSTSIncludeSubdomains}}includeSubDomains; {{end}}preload"; } add_header Strict-Transport-Security "$hsts_header_val" always; - {{end}} + {{- end}} - {{if $server.SSL}} - {{if not $server.GRPCOnly}} + {{- if $server.SSL}} + {{- if not $server.GRPCOnly}} {{- if $server.SSLRedirect}} if ($scheme = http) { return 301 https://$host:{{index $server.SSLPorts 0}}$request_uri; } {{- end}} - {{end}} + {{- end}} {{- end}} {{- if $server.RedirectToHTTPS}} @@ -152,10 +152,10 @@ server { {{- if $jwt.RedirectLocationName}} error_page 401 {{$jwt.RedirectLocationName}}; {{end}} - {{end}} + {{- end}} {{- if $server.ServerSnippets}} - {{range $value := $server.ServerSnippets}} + {{- range $value := $server.ServerSnippets}} {{$value}}{{end}} {{- end}} 
@@ -184,13 +184,13 @@ server { location {{ makeLocationPath $location $.Ingress.Annotations | printf }} { set $service "{{$location.ServiceName}}"; status_zone "{{ $location.ServiceName }}"; - {{with $location.MinionIngress}} + {{- with $location.MinionIngress}} # location for minion {{$location.MinionIngress.Namespace}}/{{$location.MinionIngress.Name}} set $resource_name "{{$location.MinionIngress.Name}}"; set $resource_namespace "{{$location.MinionIngress.Namespace}}"; - {{end}} - {{if $location.GRPC}} - {{if not $server.GRPCOnly}} + {{- end}} + {{- if $location.GRPC}} + {{- if not $server.GRPCOnly}} error_page 400 @grpcerror400; error_page 401 @grpcerror401; error_page 403 @grpcerror403; @@ -204,17 +204,17 @@ server { error_page 502 @grpcerror502; error_page 503 @grpcerror503; error_page 504 @grpcerror504; - {{end}} + {{- end}} {{- if $location.LocationSnippets}} - {{range $value := $location.LocationSnippets}} + {{- range $value := $location.LocationSnippets}} {{$value}}{{end}} {{- end}} - {{with $jwt := $location.JWTAuth}} + {{- with $jwt := $location.JWTAuth}} auth_jwt_key_file {{$jwt.Key}}; auth_jwt "{{.Realm}}"{{if $jwt.Token}} token={{$jwt.Token}}{{end}}; - {{end}} + {{- end}} {{- with $location.BasicAuth }} auth_basic {{ printf "%q" .Realm }}; @@ -234,7 +234,7 @@ server { {{- if $location.ProxyBufferSize}} grpc_buffer_size {{$location.ProxyBufferSize}}; {{- end}} - {{if $.SpiffeClientCerts}} + {{- if $.SpiffeClientCerts}} grpc_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; grpc_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; grpc_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem; 
@@ -242,15 +242,15 @@ server { grpc_ssl_verify on; grpc_ssl_verify_depth 25; grpc_ssl_name {{$location.ProxySSLName}}; - {{end}} - {{if $location.SSL}} + {{- end}} + {{- if $location.SSL}} grpc_pass grpcs://{{$location.Upstream.Name}}; - {{else}} + {{- else}} grpc_pass grpc://{{$location.Upstream.Name}}; - {{end}} - {{else}} + {{- end}} + {{- else}} proxy_http_version 1.1; - {{if $location.Websocket}} + {{- if $location.Websocket}} proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; {{- else}} @@ -262,13 +262,13 @@ server { {{$value}}{{end}} {{- end}} - {{ with $jwt := $location.JWTAuth }} + {{- with $jwt := $location.JWTAuth }} auth_jwt_key_file {{$jwt.Key}}; auth_jwt "{{.Realm}}"{{if $jwt.Token}} token={{$jwt.Token}}{{end}}; - {{if $jwt.RedirectLocationName}} + {{- if $jwt.RedirectLocationName}} error_page 401 {{$jwt.RedirectLocationName}}; - {{end}} - {{end}} + {{- end}} + {{- end}} {{- with $location.BasicAuth }} auth_basic {{ printf "%q" .Realm }}; @@ -295,7 +295,7 @@ server { {{- if $location.ProxyMaxTempFileSize}} proxy_max_temp_file_size {{$location.ProxyMaxTempFileSize}}; {{- end}} - {{if $.SpiffeClientCerts}} + {{- if $.SpiffeClientCerts}} proxy_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; proxy_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem; @@ -303,15 +303,16 @@ server { proxy_ssl_verify on; proxy_ssl_verify_depth 25; proxy_ssl_name {{$location.ProxySSLName}}; - {{end}} - {{if $location.SSL}} + {{- end}} + {{- if $location.SSL}} proxy_pass https://{{$location.Upstream.Name}}{{$location.Rewrite}}; - {{else}} + {{- else}} proxy_pass http://{{$location.Upstream.Name}}{{$location.Rewrite}}; - {{end}} - {{end}} - }{{end}} - {{if $server.GRPCOnly}} + {{- end}} + {{- end}} + } + {{end -}} + {{- if $server.GRPCOnly}} error_page 400 @grpcerror400; error_page 401 @grpcerror401; error_page 403 @grpcerror403; 
@@ -325,8 +326,8 @@ server { error_page 502 @grpcerror502; error_page 503 @grpcerror503; error_page 504 @grpcerror504; - {{end}} - {{if $server.HTTP2}} + {{- end}} + {{- if $server.HTTP2}} location @grpcerror400 { default_type application/grpc; return 400 "\n"; } location @grpcerror401 { default_type application/grpc; return 401 "\n"; } location @grpcerror403 { default_type application/grpc; return 403 "\n"; } @@ -340,5 +341,5 @@ server { location @grpcerror502 { default_type application/grpc; return 502 "\n"; } location @grpcerror503 { default_type application/grpc; return 503 "\n"; } location @grpcerror504 { default_type application/grpc; return 504 "\n"; } - {{end}} + {{- end}} }{{end}} diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index 07273db3b1..0675c97308 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -77,16 +77,16 @@ http { {{- end}} {{- end}} - {{if .AccessLogOff}} + {{- if .AccessLogOff}} access_log off; - {{else}} + {{- else}} access_log /dev/stdout main; - {{end}} + {{- end}} - {{if .LatencyMetrics}} + {{- if .LatencyMetrics}} log_format response_time '{"upstreamAddress":"$upstream_addr", "upstreamResponseTime":"$upstream_response_time", "proxyHost":"$proxy_host", "upstreamStatus": "$upstream_status"}'; access_log syslog:server=unix:/var/lib/nginx/nginx-syslog.sock,nohostname,tag=nginx response_time; - {{end}} + {{- end}} {{- if .AppProtectLoadModule}} {{if .AppProtectFailureModeAction}}app_protect_failure_mode_action {{.AppProtectFailureModeAction}};{{end}} 
@@ -124,24 +124,24 @@ http { default upgrade; '' $default_connection_header; } - {{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}} - {{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}} - {{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}} - {{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}} + {{- if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}} + {{- if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}} + {{- if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}} + {{- if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}} - {{if .OpenTracingEnabled}} + {{- if .OpenTracingEnabled}} opentracing on; - {{end}} - {{if .OpenTracingLoadModule}} + {{- end}} + {{- if .OpenTracingLoadModule}} opentracing_load_tracer {{ .OpenTracingTracer }} /var/lib/nginx/tracer-config.json; - {{end}} + {{- end}} - {{if .ResolverAddresses}} + {{- if .ResolverAddresses}} resolver {{range $resolver := .ResolverAddresses}}{{$resolver}}{{end}}{{if .ResolverValid}} valid={{.ResolverValid}}{{end}}{{if not .ResolverIPV6}} ipv6=off{{end}}; - {{if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}} - {{end}} + {{- if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}} + {{- end}} - {{if .OIDC}} + {{- if .OIDC}} include oidc/oidc_common.conf; {{- end}} 
@@ -154,44 +154,44 @@ http { set $service ""; listen {{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{- if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} - {{if .TLSPassthrough}} + {{- if .TLSPassthrough}} listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; - {{else}} + {{- else}} listen {{ .DefaultHTTPSListenerPort }} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort }} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} - {{end}} + {{- end}} - {{if .HTTP2}} + {{- if .HTTP2}} http2 on; - {{end}} + {{- end}} - {{if .SSLRejectHandshake}} + {{- if .SSLRejectHandshake}} ssl_reject_handshake on; - {{else}} + {{- else}} ssl_certificate /etc/nginx/secrets/default; ssl_certificate_key /etc/nginx/secrets/default; - {{end}} + {{- end}} - {{range $setRealIPFrom := .SetRealIPFrom}} + {{- range $setRealIPFrom := .SetRealIPFrom}} set_real_ip_from {{$setRealIPFrom}};{{end}} - {{if .RealIPHeader}}real_ip_header {{.RealIPHeader}};{{end}} - {{if .RealIPRecursive}}real_ip_recursive on;{{end}} + {{- if .RealIPHeader}}real_ip_header {{.RealIPHeader}};{{end}} + {{- if .RealIPRecursive}}real_ip_recursive on;{{end}} server_name _; server_tokens "{{.ServerTokens}}"; - {{if .DefaultServerAccessLogOff}} + {{- if .DefaultServerAccessLogOff}} access_log off; - {{end}} + {{end -}} - {{if .OpenTracingEnabled}} + {{- if .OpenTracingEnabled}} opentracing off; - {{end}} + {{- end}} - {{if .HealthStatus}} + {{- if .HealthStatus}} location {{.HealthStatusURI}} { default_type text/plain; return 200 "healthy\n"; 
@@ -241,9 +241,9 @@ http { listen unix:/var/lib/nginx/nginx-plus-api.sock; access_log off; - {{if .OpenTracingEnabled}} + {{- if .OpenTracingEnabled}} opentracing off; - {{end}} + {{- end}} # $config_version_mismatch is defined in /etc/nginx/config-version.conf location /configVersionCheck { @@ -265,13 +265,13 @@ http { listen unix:/var/lib/nginx/nginx-418-server.sock; access_log off; - {{if .OpenTracingEnabled}} + {{- if .OpenTracingEnabled}} opentracing off; - {{end}} + {{- end -}} return 418; } - {{if .InternalRouteServer}} + {{- if .InternalRouteServer}} server { listen 443 ssl; {{if not .DisableIPV6}}listen [::]:443 ssl;{{end}} @@ -282,7 +282,7 @@ http { ssl_verify_client on; ssl_verify_depth 25; } - {{end}} + {{- end}} } stream { @@ -299,18 +299,18 @@ stream { access_log /dev/stdout stream-main; - {{range $value := .StreamSnippets}} + {{- range $value := .StreamSnippets}} {{$value}}{{end}} - {{if .ResolverAddresses}} + {{- if .ResolverAddresses}} resolver {{range $resolver := .ResolverAddresses}}{{$resolver}}{{end}}{{if .ResolverValid}} valid={{.ResolverValid}}{{end}}{{if not .ResolverIPV6}} ipv6=off{{end}}; {{if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}} - {{end}} + {{- end}} map_hash_max_size {{.MapHashMaxSize}}; {{if .MapHashBucketSize}}map_hash_bucket_size {{.MapHashBucketSize}};{{end}} - {{if .TLSPassthrough}} + {{- if .TLSPassthrough}} map $ssl_preread_server_name $dest_internal_passthrough { default unix:/var/lib/nginx/passthrough-https.sock; include /etc/nginx/tls-passthrough-hosts.conf; diff --git a/internal/configs/version1/nginx.ingress.tmpl b/internal/configs/version1/nginx.ingress.tmpl index 670ad48f06..c5d110548c 100644 --- a/internal/configs/version1/nginx.ingress.tmpl +++ b/internal/configs/version1/nginx.ingress.tmpl 
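Review bot: In the `@@ -265,13 +265,13 @@` hunk, `{{- end -}}` trims whitespace on both sides, so the blank line and indentation ahead of `return 418;` are consumed and the rendered server block reads `access_log off;return 418;` (or `opentracing off;return 418;` when OpenTracingEnabled is set). nginx accepts it because `;` terminates each directive, but it works against the readable-output aim of this change. `{{- end}}`, as the other `if .OpenTracingEnabled` blocks in this file use, is enough here. The `@@ -208,13 +208,13 @@` hunk of internal/configs/version1/nginx.tmpl makes the same change and needs the same fix.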
@@ -1,56 +1,57 @@ {{- /*gotype: github.com/nginxinc/kubernetes-ingress/internal/configs/version1.IngressNginxConfig*/ -}} # configuration for {{.Ingress.Namespace}}/{{.Ingress.Name}} -{{range $upstream := .Upstreams}} +{{- range $upstream := .Upstreams}} upstream {{$upstream.Name}} { - {{if ne $upstream.UpstreamZoneSize "0"}}zone {{$upstream.Name}} {{$upstream.UpstreamZoneSize}};{{end}} - {{if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}} - {{range $server := $upstream.UpstreamServers}} + {{- if ne $upstream.UpstreamZoneSize "0"}}zone {{$upstream.Name}} {{$upstream.UpstreamZoneSize}};{{end}} + {{- if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}} + {{- range $server := $upstream.UpstreamServers}} server {{$server.Address}} max_fails={{$server.MaxFails}} fail_timeout={{$server.FailTimeout}} max_conns={{$server.MaxConns}};{{end}} - {{if $.Keepalive}}keepalive {{$.Keepalive}};{{end}} -}{{end}} + {{- if $.Keepalive}}keepalive {{$.Keepalive}};{{end}} +} +{{end -}} {{range $server := .Servers}} server { - {{if $server.SpiffeCerts}} + {{- if $server.SpiffeCerts}} listen 443 ssl; - {{if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}} + {{- if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}} ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; - {{else}} - {{if not $server.GRPCOnly}} - {{range $port := $server.Ports}} + {{- else}} + {{- if not $server.GRPCOnly}} + {{- range $port := $server.Ports}} listen {{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}}; - {{if not $server.DisableIPV6}}listen [::]:{{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{- if not $server.DisableIPV6}}listen [::]:{{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{- end}} {{- end}} - {{end}} - {{if $server.SSL}} - {{if $server.TLSPassthrough}} + {{- if $server.SSL}} + {{- if $server.TLSPassthrough}} listen unix:/var/lib/nginx/passthrough-https.sock ssl proxy_protocol; 
set_real_ip_from unix:; real_ip_header proxy_protocol; - {{else}} + {{- else}} {{- range $port := $server.SSLPorts}} listen {{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}}; - {{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{- if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{- end}} {{- end}} - {{end}} - {{if $server.HTTP2}} + {{- if $server.HTTP2}} http2 on; - {{end}} - {{if $server.SSLRejectHandshake}} + {{- end}} + {{- if $server.SSLRejectHandshake}} ssl_reject_handshake on; - {{else}} + {{- else}} ssl_certificate {{$server.SSLCertificate}}; ssl_certificate_key {{$server.SSLCertificateKey}}; - {{end}} - {{end}} - {{end}} + {{- end}} + {{- end}} + {{- end}} - {{range $setRealIPFrom := $server.SetRealIPFrom}} + {{- range $setRealIPFrom := $server.SetRealIPFrom}} set_real_ip_from {{$setRealIPFrom}};{{end}} - {{if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}} - {{if $server.RealIPRecursive}}real_ip_recursive on;{{end}} + {{- if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}} + {{- if $server.RealIPRecursive}}real_ip_recursive on;{{end}} server_tokens {{$server.ServerTokens}}; @@ -60,9 +61,9 @@ server { set $resource_name "{{$.Ingress.Name}}"; set $resource_namespace "{{$.Ingress.Namespace}}"; - {{range $proxyHideHeader := $server.ProxyHideHeaders}} + {{- range $proxyHideHeader := $server.ProxyHideHeaders}} proxy_hide_header {{$proxyHideHeader}};{{end}} - {{range $proxyPassHeader := $server.ProxyPassHeaders}} + {{- range $proxyPassHeader := $server.ProxyPassHeaders}} proxy_pass_header {{$proxyPassHeader}};{{end}} {{- if and $server.HSTS (or $server.SSL $server.HSTSBehindProxy)}} 
@@ -70,23 +71,23 @@ server { proxy_hide_header Strict-Transport-Security; {{- if $server.HSTSBehindProxy}} if ($http_x_forwarded_proto = 'https') { - {{else}} + {{- else}} if ($https = on) { {{- end}} set $hsts_header_val "max-age={{$server.HSTSMaxAge}}; {{if $server.HSTSIncludeSubdomains}}includeSubDomains; {{end}}preload"; } add_header Strict-Transport-Security "$hsts_header_val" always; - {{end}} + {{- end}} - {{if $server.SSL}} - {{if not $server.GRPCOnly}} + {{- if $server.SSL}} + {{- if not $server.GRPCOnly}} {{- if $server.SSLRedirect}} if ($scheme = http) { return 301 https://$host:{{index $server.SSLPorts 0}}$request_uri; } {{- end}} - {{end}} + {{- end}} {{- end}} {{- if $server.RedirectToHTTPS}} @@ -101,20 +102,20 @@ server { {{- end }} {{- if $server.ServerSnippets}} - {{range $value := $server.ServerSnippets}} + {{- range $value := $server.ServerSnippets}} {{$value}}{{end}} {{- end}} - {{range $location := $server.Locations}} + {{- range $location := $server.Locations}} location {{ makeLocationPath $location $.Ingress.Annotations | printf }} { set $service "{{$location.ServiceName}}"; - {{with $location.MinionIngress}} + {{- with $location.MinionIngress}} # location for minion {{$location.MinionIngress.Namespace}}/{{$location.MinionIngress.Name}} set $resource_name "{{$location.MinionIngress.Name}}"; set $resource_namespace "{{$location.MinionIngress.Namespace}}"; - {{end}} - {{if $location.GRPC}} - {{if not $server.GRPCOnly}} + {{- end}} + {{- if $location.GRPC}} + {{- if not $server.GRPCOnly}} error_page 400 @grpcerror400; error_page 401 @grpcerror401; error_page 403 @grpcerror403; @@ -128,10 +129,10 @@ server { error_page 502 @grpcerror502; error_page 503 @grpcerror503; error_page 504 @grpcerror504; - {{end}} + {{- end}} {{- if $location.LocationSnippets}} - {{range $value := $location.LocationSnippets}} + {{- range $value := $location.LocationSnippets}} {{$value}}{{end}} {{- end}} 
@@ -153,7 +154,7 @@ server { {{- if $location.ProxyBufferSize}} grpc_buffer_size {{$location.ProxyBufferSize}}; {{- end}} - {{if $.SpiffeClientCerts}} + {{- if $.SpiffeClientCerts}} grpc_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; grpc_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; grpc_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem; @@ -161,15 +162,15 @@ server { grpc_ssl_verify on; grpc_ssl_verify_depth 25; grpc_ssl_name {{$location.ProxySSLName}}; - {{end}} - {{if $location.SSL}} + {{- end}} + {{- if $location.SSL}} grpc_pass grpcs://{{$location.Upstream.Name}}{{$location.Rewrite}}; - {{else}} + {{- else}} grpc_pass grpc://{{$location.Upstream.Name}}{{$location.Rewrite}}; - {{end}} - {{else}} + {{- end}} + {{- else}} proxy_http_version 1.1; - {{if $location.Websocket}} + {{- if $location.Websocket}} proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; {{- else}} @@ -207,7 +208,7 @@ server { {{- if $location.ProxyMaxTempFileSize}} proxy_max_temp_file_size {{$location.ProxyMaxTempFileSize}}; {{- end}} - {{if $.SpiffeClientCerts}} + {{- if $.SpiffeClientCerts}} proxy_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; proxy_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem; @@ -215,15 +216,16 @@ server { proxy_ssl_verify on; proxy_ssl_verify_depth 25; proxy_ssl_name {{$location.ProxySSLName}}; - {{end}} - {{if $location.SSL}} + {{- end}} + {{- if $location.SSL}} proxy_pass https://{{$location.Upstream.Name}}{{$location.Rewrite}}; - {{else}} + {{- else}} proxy_pass http://{{$location.Upstream.Name}}{{$location.Rewrite}}; - {{end}} - {{end}} - }{{end}} - {{if $server.GRPCOnly}} + {{- end}} + {{- end}} + } + {{end -}} + {{- if $server.GRPCOnly}} error_page 400 @grpcerror400; error_page 401 @grpcerror401; error_page 403 @grpcerror403; 
@@ -237,8 +239,8 @@ server { error_page 502 @grpcerror502; error_page 503 @grpcerror503; error_page 504 @grpcerror504; - {{end}} - {{if $server.HTTP2}} + {{- end}} + {{- if $server.HTTP2}} location @grpcerror400 { default_type application/grpc; return 400 "\n"; } location @grpcerror401 { default_type application/grpc; return 401 "\n"; } location @grpcerror403 { default_type application/grpc; return 403 "\n"; } @@ -252,5 +254,5 @@ server { location @grpcerror502 { default_type application/grpc; return 502 "\n"; } location @grpcerror503 { default_type application/grpc; return 503 "\n"; } location @grpcerror504 { default_type application/grpc; return 504 "\n"; } - {{end}} + {{- end}} }{{end}} diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl index b765eec6a0..7a57c72803 100644 --- a/internal/configs/version1/nginx.tmpl +++ b/internal/configs/version1/nginx.tmpl @@ -49,16 +49,16 @@ http { '' $sent_http_grpc_status; } - {{if .AccessLogOff}} + {{- if .AccessLogOff}} access_log off; - {{else}} + {{- else}} access_log /dev/stdout main; - {{end}} + {{- end}} - {{if .LatencyMetrics}} + {{- if .LatencyMetrics}} log_format response_time '{"upstreamAddress":"$upstream_addr", "upstreamResponseTime":"$upstream_response_time", "proxyHost":"$proxy_host", "upstreamStatus": "$upstream_status"}'; access_log syslog:server=unix:/var/lib/nginx/nginx-syslog.sock,nohostname,tag=nginx response_time; - {{end}} + {{- end}} sendfile on; #tcp_nopush on; 
@@ -86,17 +86,17 @@ http { default upgrade; '' $default_connection_header; } - {{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}} - {{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}} - {{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}} - {{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}} + {{- if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}} + {{- if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}} + {{- if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}} + {{- if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}} - {{if .OpenTracingEnabled}} + {{- if .OpenTracingEnabled}} opentracing on; - {{end}} - {{if .OpenTracingLoadModule}} + {{- end}} + {{- if .OpenTracingLoadModule}} opentracing_load_tracer {{ .OpenTracingTracer }} /var/lib/nginx/tracer-config.json; - {{end}} + {{- end}} server { # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes 
@@ -107,44 +107,44 @@ http { set $service ""; listen {{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + {{- if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} - {{if .TLSPassthrough}} + {{- if .TLSPassthrough}} listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; - {{else}} + {{- else}} listen {{ .DefaultHTTPSListenerPort}} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort}} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} - {{end}} + {{- end}} - {{if .HTTP2}} + {{- if .HTTP2}} http2 on; - {{end}} + {{- end}} - {{if .SSLRejectHandshake}} + {{- if .SSLRejectHandshake}} ssl_reject_handshake on; - {{else}} + {{- else}} ssl_certificate /etc/nginx/secrets/default; ssl_certificate_key /etc/nginx/secrets/default; - {{end}} + {{- end}} - {{range $setRealIPFrom := .SetRealIPFrom}} + {{- range $setRealIPFrom := .SetRealIPFrom}} set_real_ip_from {{$setRealIPFrom}};{{end}} - {{if .RealIPHeader}}real_ip_header {{.RealIPHeader}};{{end}} - {{if .RealIPRecursive}}real_ip_recursive on;{{end}} + {{- if .RealIPHeader}}real_ip_header {{.RealIPHeader}};{{end}} + {{- if .RealIPRecursive}}real_ip_recursive on;{{end}} server_name _; server_tokens "{{.ServerTokens}}"; - {{if .DefaultServerAccessLogOff}} + {{- if .DefaultServerAccessLogOff}} access_log off; - {{end}} + {{end -}} - {{if .OpenTracingEnabled}} + {{- if .OpenTracingEnabled}} opentracing off; - {{end}} + {{- end}} - {{if .HealthStatus}} + {{- if .HealthStatus}} location {{.HealthStatusURI}} { default_type text/plain; return 200 "healthy\n"; 
@@ -180,9 +180,9 @@ http { listen unix:/var/lib/nginx/nginx-status.sock; access_log off; - {{if .OpenTracingEnabled}} + {{- if .OpenTracingEnabled}} opentracing off; - {{end}} + {{- end}} location /stub_status { stub_status; @@ -208,13 +208,13 @@ http { listen unix:/var/lib/nginx/nginx-418-server.sock; access_log off; - {{if .OpenTracingEnabled}} + {{- if .OpenTracingEnabled}} opentracing off; - {{end}} + {{- end -}} return 418; } - {{if .InternalRouteServer}} + {{- if .InternalRouteServer}} server { listen 443 ssl; {{if not .DisableIPV6}}listen [::]:443 ssl;{{end}} @@ -225,7 +225,7 @@ http { ssl_verify_client on; ssl_verify_depth 25; } - {{end}} + {{- end}} } stream { @@ -242,13 +242,13 @@ stream { access_log /dev/stdout stream-main; - {{range $value := .StreamSnippets}} + {{- range $value := .StreamSnippets}} {{$value}}{{end}} map_hash_max_size {{.MapHashMaxSize}}; {{if .MapHashBucketSize}}map_hash_bucket_size {{.MapHashBucketSize}};{{end}} - {{if .TLSPassthrough}} + {{- if .TLSPassthrough}} map $ssl_preread_server_name $dest_internal_passthrough { default unix:/var/lib/nginx/passthrough-https.sock; include /etc/nginx/tls-passthrough-hosts.conf; diff --git a/internal/configs/version2/nginx-plus.transportserver.tmpl b/internal/configs/version2/nginx-plus.transportserver.tmpl index a970cdd845..4f45a91e5f 100644 --- a/internal/configs/version2/nginx-plus.transportserver.tmpl +++ b/internal/configs/version2/nginx-plus.transportserver.tmpl 
@@ -1,19 +1,19 @@ {{- /*gotype: github.com/nginxinc/kubernetes-ingress/internal/configs/version2.TransportServerConfig*/ -}} -{{ range $u := .Upstreams }} +{{- range $u := .Upstreams }} upstream {{ $u.Name }} { zone {{ $u.Name }} 256k; - {{ if $u.LoadBalancingMethod }} + {{- if $u.LoadBalancingMethod }} {{ $u.LoadBalancingMethod }}; - {{ end }} + {{- end }} - {{ range $s := $u.Servers }} + {{- range $s := $u.Servers }} server {{ $s.Address }} max_fails={{ $s.MaxFails }} fail_timeout={{ $s.FailTimeout }} max_conns={{ $s.MaxConnections }}{{ if $u.Resolve }} resolve{{ end }}; - {{ end }} + {{- end }} } -{{ end }} +{{- end }} -{{ range $snippet := .StreamSnippets }} +{{- range $snippet := .StreamSnippets }} {{- $snippet }} {{ end }} @@ -27,37 +27,37 @@ match {{ $m.Name }} { expect {{ $m.ExpectRegexModifier }} "{{ $m.Expect }}"; {{ end }} } -{{ end }} +{{- end }} -{{ $s := .Server }} +{{- $s := .Server }} server { - {{ with $ssl := $s.SSL }} - {{ if $s.TLSPassthrough }} + {{- with $ssl := $s.SSL }} + {{- if $s.TLSPassthrough }} listen {{ $s.UnixSocket }} proxy_protocol; set_real_ip_from unix:; - {{ else }} + {{- else }} listen {{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }}; {{if not $s.DisableIPV6}}listen [::]:{{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }};{{end}} - {{ end }} + {{- end }} - {{ if $ssl.Enabled }} + {{- if $ssl.Enabled }} ssl_certificate {{ $ssl.Certificate }}; ssl_certificate_key {{ $ssl.CertificateKey }}; - {{ end }} - {{ end }} + {{- end }} + {{- end }} status_zone {{ $s.StatusZone }}; - {{ if $s.ProxyRequests }} + {{- if $s.ProxyRequests }} proxy_requests {{ $s.ProxyRequests }}; - {{ end }} - {{ if $s.ProxyResponses }} + {{- end }} + {{- if $s.ProxyResponses }} proxy_responses {{ $s.ProxyResponses }}; - {{ end }} + {{- end }} - {{ range $snippet := $s.ServerSnippets }} + {{- range $snippet := $s.ServerSnippets }} {{- $snippet }} - {{ end }} + {{- end }} proxy_pass {{ $s.ProxyPass }}; 
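Review bot: In the `@@ -27,37 +27,37 @@` hunk the ServerSnippets loop becomes `{{- range $snippet := $s.ServerSnippets }}` / `{{- $snippet }}` / `{{- end }}`; with every newline in the body trimmed, each iteration emits only the snippet text, so consecutive entries land on one rendered line with no separator unless the elements already carry their own newlines, and an entry that is a `#` comment would then swallow the entry after it. The `@@ -1,19 +1,19 @@` hunk has the milder form: `{{- range $snippet := .StreamSnippets }}` followed by the untouched `{{- $snippet }}` drops the newline that separated the first snippet from the `}` closing the last upstream block. Dropping the inner left-trim in both loops, `{{ $snippet }}`, keeps the trimmed surroundings while giving each entry its own line.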
@@ -70,9 +70,9 @@ server { proxy_timeout {{ $s.ProxyTimeout }}; proxy_connect_timeout {{ $s.ProxyConnectTimeout }}; - {{ if $s.ProxyNextUpstream }} + {{- if $s.ProxyNextUpstream }} proxy_next_upstream on; proxy_next_upstream_timeout {{ $s.ProxyNextUpstreamTimeout }}; proxy_next_upstream_tries {{ $s.ProxyNextUpstreamTries }}; - {{ end }} + {{- end }} } diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index c1e62f019c..c17d27d84a 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl 
@@ -3,77 +3,77 @@ upstream {{ $u.Name }} { zone {{ $u.Name }} {{ if ne $u.UpstreamZoneSize "0" }}{{ $u.UpstreamZoneSize }}{{ else }}512k{{ end }}; - {{ if $u.LBMethod }}{{ $u.LBMethod }};{{ end }} + {{- if $u.LBMethod }}{{ $u.LBMethod }};{{ end }} - {{ range $s := $u.Servers }} + {{- range $s := $u.Servers }} server {{ $s.Address }} max_fails={{ $u.MaxFails }} fail_timeout={{ $u.FailTimeout }}{{ if $u.SlowStart }} slow_start={{ $u.SlowStart }}{{ end }} max_conns={{ $u.MaxConns }}{{ if $u.Resolve }} resolve{{ end }}; - {{ end }} + {{- end }} - {{ if $u.Keepalive }} + {{- if $u.Keepalive }} keepalive {{ $u.Keepalive }}; - {{ end }} + {{- end }} - {{ if $u.Queue }} + {{- if $u.Queue }} queue {{ $u.Queue.Size }} timeout={{ $u.Queue.Timeout }}; - {{ end }} + {{- end }} - {{ with $u.SessionCookie }} - {{ if .Enable }} + {{- with $u.SessionCookie }} + {{- if .Enable }} sticky cookie {{ .Name }}{{ if .Expires }} expires={{ .Expires }}{{ end }}{{ if .Domain }} domain={{ .Domain }}{{ end }}{{ if .HTTPOnly }} httponly{{ end }}{{ if .SameSite}} samesite={{.SameSite | toLower }}{{ end }}{{ if .Secure }} secure{{ end }}{{ if .Path }} path={{ .Path }}{{ end }}; - {{ end }} - {{ end }} + {{- end }} + {{- end }} {{ if $u.NTLM }}ntlm;{{ end }} } {{ end }} -{{ range $sc := .SplitClients }} +{{- range $sc := .SplitClients }} split_clients {{ $sc.Source }} {{ $sc.Variable }} { - {{ range $d := $sc.Distributions }} + {{- range $d := $sc.Distributions }} {{ $d.Weight }} {{ $d.Value }}; - {{ end }} + {{- end }} } -{{ end }} +{{- end }} -{{ range $m := .Maps }} +{{- range $m := .Maps }} map {{ $m.Source }} {{ $m.Variable }} { - {{ range $p := $m.Parameters }} + {{- range $p := $m.Parameters }} {{ $p.Value }} {{ $p.Result }}; - {{ end }} + {{- end }} } -{{ end }} +{{- end }} -{{ range $snippet := .HTTPSnippets }} +{{- range $snippet := .HTTPSnippets }} {{- $snippet }} -{{ end }} +{{- end }} -{{ range $z := .LimitReqZones }} +{{- range $z := .LimitReqZones }} limit_req_zone {{ $z.Key }} 
zone={{ $z.ZoneName }}:{{ $z.ZoneSize }} rate={{ $z.Rate }}; -{{ end }} +{{- end }} -{{ range $m := .StatusMatches }} +{{- range $m := .StatusMatches }} match {{ $m.Name }} { status {{ $m.Code }}; } -{{ end }} +{{- end }} -{{ $s := .Server }} +{{- $s := .Server }} -{{ with $s.JWKSAuthEnabled }} +{{- with $s.JWKSAuthEnabled }} proxy_cache_path /var/cache/nginx/jwks_uri_{{$s.VSName}} levels=1 keys_zone=jwks_uri_{{$s.VSName}}:1m max_size=10m; -{{ end }} +{{- end }} server { - {{ if $s.Gunzip }}gunzip on;{{end}} - {{ if not $s.CustomListeners }} + {{- if $s.Gunzip }}gunzip on;{{end}} + {{- if not $s.CustomListeners }} listen 80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; {{ if not $s.DisableIPV6 }}listen [::]:80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} - {{ else }} - {{ if (gt $s.HTTPPort 0) }} + {{- else }} + {{- if (gt $s.HTTPPort 0) }} listen {{ $s.HTTPPort }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPPort }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} - {{ end }} - {{ end }} + {{- end }} + {{- end }} server_name {{ $s.ServerName }}; status_zone {{ $s.StatusZone }}; @@ -81,7 +81,7 @@ server { set $resource_name "{{$s.VSName}}"; set $resource_namespace "{{$s.VSNamespace}}"; - {{ with $oidc := $s.OIDC }} + {{- with $oidc := $s.OIDC }} include oidc/oidc.conf; set $oidc_pkce_enable 0; 
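Review bot: In the `-3,77` hunk `{{- if $u.LBMethod }}{{ $u.LBMethod }};{{ end }}` trims the newline and indent in front of a directive that is emitted on the same line as the `if`, so the rendered upstream reads `zone … 512k;least_conn;`, and `{{- if $s.Gunzip }}gunzip on;{{end}}` later in the hunk yields `server {gunzip on;`. nginx does not require a newline between directives, so the config still loads, but these are the only trimmed actions in the change that are followed by output on the same line; every other `{{-` sits on a line of its own and emits nothing, which is what makes the trim harmless there. For these one-line conditionals the `if` should stay untrimmed (`{{ if $u.LBMethod }}{{ $u.LBMethod }};{{ end }}`, `{{ if $s.Gunzip }}gunzip on;{{end}}`), or the directive moved onto its own line inside the block. The same one-line pattern is introduced in nginx.virtualserver.tmpl (`-1,56`: the `zone`, `LBMethod` and `gunzip` lines).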
@@ -97,150 +97,149 @@ server { set $oidc_client "{{ $oidc.ClientID }}"; set $oidc_client_secret "{{ $oidc.ClientSecret }}"; set $redir_location "{{ $oidc.RedirectURI }}"; - {{ end }} + {{- end }} - {{ with $ssl := $s.SSL }} - {{ if $s.TLSPassthrough }} + {{- with $ssl := $s.SSL }} + {{- if $s.TLSPassthrough }} listen unix:/var/lib/nginx/passthrough-https.sock proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; - {{ else }} - {{ if not $s.CustomListeners }} + {{- else }} + {{- if not $s.CustomListeners }} listen 443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} - {{ else }} - {{ if (gt $s.HTTPSPort 0) }} + {{- if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + {{- else }} + {{- if (gt $s.HTTPSPort 0) }} listen {{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} - {{ end }} - {{ end }} - {{ end }} + {{- if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + {{- end }} + {{- end }} + {{- end }} - {{ if $ssl.HTTP2 }} + {{- if $ssl.HTTP2 }} http2 on; - {{ end }} + {{- end }} + - {{ if $ssl.RejectHandshake }} + {{- if $ssl.RejectHandshake }} ssl_reject_handshake on; - {{ else if $.SpiffeCerts }} + {{- else if $.SpiffeCerts }} ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; - {{ else }} + {{- else }} ssl_certificate {{ $ssl.Certificate }}; ssl_certificate_key {{ $ssl.CertificateKey }}; - {{ end }} - {{ else }} - {{ if $.SpiffeCerts }} + {{- end }} + {{- else }} + {{- if $.SpiffeCerts }} listen 443 ssl; {{if not $s.DisableIPV6}}listen [::]:443 ssl;{{end}} ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; 
ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; - {{ end }} - {{ end }} + {{- end }} + {{- end }} - {{ with $s.IngressMTLS }} + {{- with $s.IngressMTLS }} ssl_client_certificate {{ .ClientCert }}; - {{ if .ClientCrl }} + {{- if .ClientCrl }} ssl_crl {{ .ClientCrl }}; - {{ end }} + {{- end }} ssl_verify_client {{ .VerifyClient }}; ssl_verify_depth {{ .VerifyDepth }}; - {{ end }} + {{- end }} - {{ with $s.TLSRedirect }} + {{- with $s.TLSRedirect }} if ({{ .BasedOn }} = 'http') { return {{ .Code }} https://$host$request_uri; } - {{ end }} + {{- end }} server_tokens "{{ $s.ServerTokens }}"; - {{ range $setRealIPFrom := $s.SetRealIPFrom }} + {{- range $setRealIPFrom := $s.SetRealIPFrom }} set_real_ip_from {{ $setRealIPFrom }}; - {{ end }} - {{ if $s.RealIPHeader }} + {{- end }} + {{- if $s.RealIPHeader }} real_ip_header {{ $s.RealIPHeader }}; - {{ end }} - {{ if $s.RealIPRecursive }} + {{- end }} + {{- if $s.RealIPRecursive }} real_ip_recursive on; - {{ end }} + {{- end }} - {{ with $s.PoliciesErrorReturn }} + {{- with $s.PoliciesErrorReturn }} return {{ .Code }}; - {{ end }} + {{- end }} - {{ range $allow := $s.Allow }} + {{- range $allow := $s.Allow }} allow {{ $allow }}; - {{ end }} - {{ if gt (len $s.Allow) 0 }} + {{- end }} + {{- if gt (len $s.Allow) 0 }} deny all; - {{ end }} + {{- end }} - {{ range $deny := $s.Deny }} + {{- range $deny := $s.Deny }} deny {{ $deny }}; - {{ end }} - {{ if gt (len $s.Deny) 0 }} + {{- end }} + {{- if gt (len $s.Deny) 0 }} allow all; - {{ end }} + {{- end }} - {{ if $s.LimitReqOptions.DryRun }} + {{- if $s.LimitReqOptions.DryRun }} limit_req_dry_run on; - {{ end }} + {{- end }} - {{ with $level := $s.LimitReqOptions.LogLevel }} + {{- with $level := $s.LimitReqOptions.LogLevel }} limit_req_log_level {{ $level }}; - {{ end }} + {{- end }} - {{ with $code := $s.LimitReqOptions.RejectCode }} + {{- with $code := $s.LimitReqOptions.RejectCode }} limit_req_status {{ $code }}; - {{ end }} + {{- end }} - {{ range $rl := $s.LimitReqs }} 
+ {{- range $rl := $s.LimitReqs }} limit_req zone={{ $rl.ZoneName }}{{ if $rl.Burst }} burst={{ $rl.Burst }}{{ end }} {{ if $rl.Delay }} delay={{ $rl.Delay }}{{ end }}{{ if $rl.NoDelay }} nodelay{{ end }}; - {{ end }} + {{- end }} - {{ with $s.JWTAuth }} + {{- with $s.JWTAuth }} auth_jwt "{{ .Realm }}"{{ if .Token }} token={{ .Token }}{{ end }}; {{ if .Secret}}auth_jwt_key_file {{ .Secret }};{{ end }} - {{ if .JwksURI.JwksHost }} + {{- if .JwksURI.JwksHost }} {{ if .KeyCache }}auth_jwt_key_cache {{ .KeyCache }};{{ end }} auth_jwt_key_request /_jwks_uri_server_{{ .Key }}; + {{- end }} + {{- end }} - {{ end }} - {{ end }} - - {{ range $index, $element := $s.JWTAuthList }} + {{- range $index, $element := $s.JWTAuthList }} location = /_jwks_uri_server_{{ .Key }} { internal; proxy_method GET; proxy_set_header Content-Length ""; - {{ if .KeyCache }} + {{- if .KeyCache }} proxy_cache jwks_uri_{{ $s.VSName }}; proxy_cache_valid 200 12h; - {{ end }} - {{ with .JwksURI }} + {{- end }} + {{- with .JwksURI }} proxy_set_header Host {{ .JwksHost }}; set $idp_backend {{ .JwksHost }}; proxy_pass {{ .JwksScheme}}://$idp_backend{{ if .JwksPort }}:{{ .JwksPort }}{{ end }}{{ .JwksPath }}; - {{ end }} + {{- end }} } + {{- end }} - {{ end }} - - {{ with $s.BasicAuth }} + {{- with $s.BasicAuth }} auth_basic {{ printf "%q" .Realm }}; auth_basic_user_file {{ .Secret }}; - {{ end }} + {{- end }} - {{ with $s.EgressMTLS }} - {{ if .Certificate }} + {{- with $s.EgressMTLS }} + {{- if .Certificate }} proxy_ssl_certificate {{ .Certificate }}; proxy_ssl_certificate_key {{ .CertificateKey }}; - {{ end }} - {{ if .TrustedCert }} + {{- end }} + {{- if .TrustedCert }} proxy_ssl_trusted_certificate {{ .TrustedCert }}; - {{ end }} + {{- end }} proxy_ssl_verify {{ if .VerifyServer }}on{{else}}off{{end}}; proxy_ssl_verify_depth {{ .VerifyDepth }}; 
@@ -249,9 +248,9 @@ server { proxy_ssl_session_reuse {{ if .SessionReuse }}on{{else}}off{{end}}; proxy_ssl_server_name {{ if .ServerName }}on{{else}}off{{end}}; proxy_ssl_name {{ .SSLName }}; - {{ end }} + {{- end }} - {{ with $s.WAF }} + {{- with $s.WAF }} app_protect_enable {{ .Enable }}; {{ if .ApPolicy }} app_protect_policy_file {{ .ApPolicy }}; 
@@ -300,39 +299,39 @@ server { {{- end }} - {{ range $snippet := $s.Snippets }} + {{- range $snippet := $s.Snippets }} {{- $snippet }} - {{ end }} + {{- end }} - {{ range $l := $s.InternalRedirectLocations }} + {{- range $l := $s.InternalRedirectLocations }} location {{ $l.Path }} { rewrite ^ {{ $l.Destination }} last; } - {{ end }} + {{- end }} - {{ range $hc := $s.HealthChecks }} + {{- range $hc := $s.HealthChecks }} location @hc-{{ $hc.Name }} { {{ $proxyOrGRPC := "proxy" }}{{ if $hc.GRPCPass }}{{ $proxyOrGRPC = "grpc" }}{{ end }} - {{ range $n, $v := $hc.Headers }} + {{- range $n, $v := $hc.Headers }} {{ $proxyOrGRPC }}_set_header {{ $n }} "{{ $v }}"; - {{ end }} + {{- end }} {{ $proxyOrGRPC }}_connect_timeout {{ $hc.ProxyConnectTimeout }}; {{ $proxyOrGRPC }}_read_timeout {{ $hc.ProxyReadTimeout }}; {{ $proxyOrGRPC }}_send_timeout {{ $hc.ProxySendTimeout }}; - {{ if $hc.GRPCPass }} + {{- if $hc.GRPCPass }} grpc_pass {{ $hc.GRPCPass }}; - {{ else }} + {{- else }} proxy_pass {{ $hc.ProxyPass }}; - {{ end }} + {{- end }} health_check {{ if $hc.URI }}uri={{ $hc.URI }} {{ end }}{{ if $hc.Port }}port={{ $hc.Port }} {{ end }}interval={{ $hc.Interval }} jitter={{ $hc.Jitter }} fails={{ $hc.Fails }} passes={{ $hc.Passes }}{{ if $hc.Match }} match={{ $hc.Match }}{{ end }} {{ if $hc.Mandatory }} mandatory{{ if $hc.Persistent }} persistent{{ end }}{{ end }} {{ if $hc.GRPCPass }} type=grpc{{ if $hc.GRPCStatus }} grpc_status={{ $hc.GRPCStatus }}{{ end }} {{ if $hc.GRPCService }} grpc_service={{ $hc.GRPCService }}{{ end }}{{ end }} keepalive_time={{ $hc.KeepaliveTime }}; } - {{ end }} + {{- end }} - {{ range $e := $s.ErrorPageLocations }} + {{- range $e := $s.ErrorPageLocations }} location {{ $e.Name }} { {{ if $e.DefaultType }} default_type "{{ $e.DefaultType }}"; 
@@ -357,79 +356,77 @@ server { location {{ $l.Path }} { set $service "{{ $l.ServiceName }}"; status_zone "{{ $l.ServiceName }}"; - {{ if $l.IsVSR }} + {{- if $l.IsVSR }} set $resource_type "virtualserverroute"; set $resource_name "{{ $l.VSRName }}"; set $resource_namespace "{{ $l.VSRNamespace }}"; - {{ end }} - - {{ if $l.Internal }} + {{- end }} + {{- if $l.Internal }} internal; - {{ end }} - {{ range $snippet := $l.Snippets }} + {{- end }} + {{- range $snippet := $l.Snippets }} {{- $snippet }} - {{ end }} + {{- end }} - {{ with $l.PoliciesErrorReturn }} + {{- with $l.PoliciesErrorReturn }} return {{ .Code }}; - {{ end }} + {{- end }} - {{ range $allow := $l.Allow }} + {{- range $allow := $l.Allow }} allow {{ $allow }}; - {{ end }} - {{ if gt (len $l.Allow) 0 }} + {{- end }} + {{- if gt (len $l.Allow) 0 }} deny all; - {{ end }} + {{- end }} - {{ range $deny := $l.Deny }} + {{- range $deny := $l.Deny }} deny {{ $deny }}; - {{ end }} - {{ if gt (len $l.Deny) 0 }} + {{- end }} + {{- if gt (len $l.Deny) 0 }} allow all; - {{ end }} + {{- end }} - {{ if $l.LimitReqOptions.DryRun }} + {{- if $l.LimitReqOptions.DryRun }} limit_req_dry_run on; - {{ end }} + {{- end }} - {{ with $level := $l.LimitReqOptions.LogLevel }} + {{- with $level := $l.LimitReqOptions.LogLevel }} limit_req_log_level {{ $level }}; - {{ end }} + {{- end }} - {{ with $code := $l.LimitReqOptions.RejectCode }} + {{- with $code := $l.LimitReqOptions.RejectCode }} limit_req_status {{ $code }}; - {{ end }} + {{- end }} - {{ range $rl := $l.LimitReqs }} + {{- range $rl := $l.LimitReqs }} limit_req zone={{ $rl.ZoneName }}{{ if $rl.Burst }} burst={{ $rl.Burst }}{{ end }} {{ if $rl.Delay }} delay={{ $rl.Delay }}{{ end }}{{ if $rl.NoDelay }} nodelay{{ end }}; - {{ end }} + {{- end }} - {{ with $l.JWTAuth }} + {{- with $l.JWTAuth }} auth_jwt "{{ .Realm }}"{{ if .Token }} token={{ .Token }}{{ end }}; {{ if .Secret}}auth_jwt_key_file {{ .Secret }};{{ end }} - {{ if .JwksURI.JwksHost }} + {{- if .JwksURI.JwksHost }} 
{{ if .KeyCache }}auth_jwt_key_cache {{ .KeyCache }};{{ end }} auth_jwt_key_request /_jwks_uri_server_{{ .Key }}; - {{ end }} - {{ end }} + {{- end }} + {{- end }} - {{ with $l.BasicAuth }} + {{- with $l.BasicAuth }} auth_basic {{ printf "%q" .Realm }}; auth_basic_user_file {{ .Secret }}; - {{ end }} + {{- end }} {{ $proxyOrGRPC := "proxy" }}{{ if $l.GRPCPass }}{{ $proxyOrGRPC = "grpc" }}{{ end }} - {{ with $l.EgressMTLS }} - {{ if .Certificate }} + {{- with $l.EgressMTLS }} + {{- if .Certificate }} {{ $proxyOrGRPC }}_ssl_certificate {{ .Certificate }}; {{ $proxyOrGRPC }}_ssl_certificate_key {{ .CertificateKey }}; - {{ end }} + {{- end }} {{ if .TrustedCert }} {{ $proxyOrGRPC }}_ssl_trusted_certificate {{ .TrustedCert }}; - {{ end }} - + {{- end }} {{ $proxyOrGRPC }}_ssl_verify {{ if .VerifyServer }}on{{else}}off{{end}}; {{ $proxyOrGRPC }}_ssl_verify_depth {{ .VerifyDepth }}; {{ $proxyOrGRPC }}_ssl_protocols {{ .Protocols }}; 
@@ -437,37 +434,37 @@ server { {{ $proxyOrGRPC }}_ssl_session_reuse {{ if .SessionReuse }}on{{else}}off{{end}}; {{ $proxyOrGRPC }}_ssl_server_name {{ if .ServerName }}on{{else}}off{{end}}; {{ $proxyOrGRPC }}_ssl_name {{ .SSLName }}; - {{ end }} + {{- end }} - {{ if $l.OIDC }} + {{- if $l.OIDC }} auth_jwt "" token=$session_jwt; error_page 401 = @do_oidc_flow; auth_jwt_key_request /_jwks_uri; - {{ $proxyOrGRPC }}_set_header username $jwt_claim_sub; + {{- $proxyOrGRPC }}_set_header username $jwt_claim_sub; {{- if $s.OIDC.AccessTokenEnable }} {{ $proxyOrGRPC }}_set_header Authorization "Bearer $access_token"; {{- end }} - {{ end }} + {{- end }} - {{ with $l.WAF }} + {{- with $l.WAF }} app_protect_enable {{ .Enable }}; - {{ if .ApPolicy }} + {{- if .ApPolicy }} app_protect_policy_file {{ .ApPolicy }}; - {{ end }} + {{- end }} - {{ if .ApBundle }} + {{- if .ApBundle }} app_protect_policy_file {{ .ApBundle }}; - {{ end }} + {{- end }} - {{ if .ApSecurityLogEnable }} + {{- if .ApSecurityLogEnable }} app_protect_security_log_enable on; - {{ range $logconf := .ApLogConf }} + {{- range $logconf := .ApLogConf }} app_protect_security_log {{ $logconf }}; - {{ end }} - {{ end }} - {{ end }} + {{- end }} + {{- end }} + {{- end }} - {{ if $l.GRPCPass }} + {{- if $l.GRPCPass }} error_page 400 = @grpc_internal; error_page 401 = @grpc_unauthenticated; error_page 403 = @grpc_permission_denied; @@ -487,7 +484,7 @@ server { error_page 497 = @grpc_internal; error_page 500 = @grpc_internal; error_page 501 = @grpc_internal; - {{ end }} + {{- end }} {{- with $l.Dos }} app_protect_dos_enable {{ .Enable }}; 
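Review bot: `{{- $proxyOrGRPC }}_set_header username $jwt_claim_sub;` in the `-437,37` hunk is the one place this change puts the trim marker on an action that prints text rather than on a control action: it eats the newline and indent before `proxy_set_header`, so the rendered OIDC block becomes `auth_jwt_key_request /_jwks_uri;proxy_set_header username $jwt_claim_sub;` on a single line. nginx accepts `;`-separated directives, so it loads, but it is inconsistent with the untrimmed `{{ $proxyOrGRPC }}_set_header Authorization …` line two lines below, and a `grep` for the directive at line start no longer finds it. Restoring `{{ $proxyOrGRPC }}_set_header username $jwt_claim_sub;` keeps the trim on the surrounding `{{- if $l.OIDC }}` / `{{- end }}` only. The enclosing location block starts and ends outside this hunk.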
@@ -519,46 +516,45 @@ server { {{- end}} {{- end }} - {{ range $e := $l.ErrorPages }} + {{- range $e := $l.ErrorPages }} error_page {{ $e.Codes }} {{ if ne 0 $e.ResponseCode }}={{ $e.ResponseCode }}{{ end }} "{{ $e.Name }}"; - {{ end }} + {{- end }} - {{ if $l.ProxyInterceptErrors }} + {{- if $l.ProxyInterceptErrors }} {{ $proxyOrGRPC }}_intercept_errors on; - {{ end }} + {{- end }} - {{ if $l.InternalProxyPass }} + {{- if $l.InternalProxyPass }} proxy_pass {{ $l.InternalProxyPass }}; - {{ end }} + {{- end }} - {{ if or $l.ProxyPass $l.GRPCPass }} - {{ range $r := $l.Rewrites }} + {{- if or $l.ProxyPass $l.GRPCPass }} + {{- range $r := $l.Rewrites }} rewrite {{ $r }}; - {{ end }} + {{- end }} {{ $proxyOrGRPC }}_connect_timeout {{ $l.ProxyConnectTimeout }}; {{ $proxyOrGRPC }}_read_timeout {{ $l.ProxyReadTimeout }}; {{ $proxyOrGRPC }}_send_timeout {{ $l.ProxySendTimeout }}; client_max_body_size {{ $l.ClientMaxBodySize }}; - {{ if $l.ProxyMaxTempFileSize }} + {{- if $l.ProxyMaxTempFileSize }} proxy_max_temp_file_size {{ $l.ProxyMaxTempFileSize }}; - {{ end }} + {{- end }} proxy_buffering {{ if $l.ProxyBuffering }}on{{ else }}off{{ end }}; - {{ if $l.ProxyBuffers }} + {{- if $l.ProxyBuffers }} proxy_buffers {{ $l.ProxyBuffers }}; - {{ end }} - {{ if $l.ProxyBufferSize }} + {{- end }} + {{- if $l.ProxyBufferSize }} {{ $proxyOrGRPC }}_buffer_size {{ $l.ProxyBufferSize }}; - {{ end }} - - {{ if not $l.GRPCPass }} + {{- end }} + {{- if not $l.GRPCPass }} proxy_http_version 1.1; set $default_connection_header {{ if $l.HasKeepalive }}""{{ else }}close{{ end }}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $vs_connection_header; proxy_pass_request_headers {{ if $l.ProxyPassRequestHeaders }}on{{ else }}off{{ end }}; - {{ end }} + {{- end }} {{- $custom_headers := $l.ProxySetHeaders | headerListToCIMap }} 
@@ -586,19 +582,19 @@ server { {{ $proxyOrGRPC }}_set_header {{ $h.Name }} "{{ $h.Value }}"; {{- end }} - {{ range $h := $l.ProxyHideHeaders }} + {{- range $h := $l.ProxyHideHeaders }} {{ $proxyOrGRPC }}_hide_header {{ $h }}; - {{ end }} - {{ range $h := $l.ProxyPassHeaders }} + {{- end }} + {{- range $h := $l.ProxyPassHeaders }} {{ $proxyOrGRPC }}_pass_header {{ $h }}; - {{ end }} - {{ with $l.ProxyIgnoreHeaders }} + {{- end }} + {{- with $l.ProxyIgnoreHeaders }} {{ $proxyOrGRPC }}_ignore_headers {{ $l.ProxyIgnoreHeaders }}; - {{ end }} - {{ range $h := $l.AddHeaders }} + {{- end }} + {{- range $h := $l.AddHeaders }} add_header {{ $h.Name }} "{{ $h.Value }}" {{ if $h.Always }}always{{ end }}; - {{ end }} - {{ if $.SpiffeClientCerts }} + {{- end }} + {{- if $.SpiffeClientCerts }} {{ $proxyOrGRPC }}_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; {{ $proxyOrGRPC }}_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; {{ $proxyOrGRPC }}_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
@@ -606,20 +602,20 @@ server { {{ $proxyOrGRPC }}_ssl_verify on; {{ $proxyOrGRPC }}_ssl_verify_depth 25; {{ $proxyOrGRPC }}_ssl_name {{ $l.ProxySSLName }}; - {{ end }} - {{if $l.GRPCPass}} + {{- end }} + {{- if $l.GRPCPass }} grpc_pass {{ $l.GRPCPass }}; - {{ else }} + {{- else }} proxy_pass {{ $l.ProxyPass }}{{ $l.ProxyPassRewrite }}; - {{ end }} + {{- end }} {{ $proxyOrGRPC }}_next_upstream {{ $l.ProxyNextUpstream }}; {{ $proxyOrGRPC }}_next_upstream_timeout {{ $l.ProxyNextUpstreamTimeout }}; {{ $proxyOrGRPC }}_next_upstream_tries {{ $l.ProxyNextUpstreamTries }}; - {{ end }} + {{- end }} } - {{ end }} + {{- end }} - {{ with $ssl := $s.SSL }} + {{- with $ssl := $s.SSL }} {{ if $ssl.HTTP2 }} location @grpc_deadline_exceeded { default_type application/grpc;
diff --git a/internal/configs/version2/nginx.transportserver.tmpl b/internal/configs/version2/nginx.transportserver.tmpl
index 7cb8d8dffe..bd5afde5c5 100644
--- a/internal/configs/version2/nginx.transportserver.tmpl
+++ b/internal/configs/version2/nginx.transportserver.tmpl 
@@ -1,58 +1,58 @@ {{- /*gotype: github.com/nginxinc/kubernetes-ingress/internal/configs/version2.TransportServerConfig*/ -}} -{{ range $u := .Upstreams }} +{{- range $u := .Upstreams }} upstream {{ $u.Name }} { zone {{ $u.Name }} 256k; - {{ if $u.LoadBalancingMethod }} + {{- if $u.LoadBalancingMethod }} {{ $u.LoadBalancingMethod }}; - {{ end }} + {{- end }} - {{ range $s := $u.Servers }} + {{- range $s := $u.Servers }} server {{ $s.Address }} max_fails={{ $s.MaxFails }} fail_timeout={{ $s.FailTimeout }} max_conns={{ $s.MaxConnections }}; - {{ end }} + {{- end }} } -{{ end }} +{{- end }} -{{ range $snippet := .StreamSnippets }} +{{- range $snippet := .StreamSnippets }} {{- $snippet }} -{{ end }} +{{- end }} -{{ $s := .Server }} +{{- $s := .Server }} server { - {{ with $ssl := $s.SSL }} - {{ if $s.TLSPassthrough }} + {{- with $ssl := $s.SSL }} + {{- if $s.TLSPassthrough }} listen {{ $s.UnixSocket }} proxy_protocol; set_real_ip_from unix:; - {{ else }} + {{- else }} listen {{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }}; {{if not $s.DisableIPV6}}listen [::]:{{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }};{{end}} - {{ end }} + {{- end }} - {{ if $ssl.Enabled }} + {{- if $ssl.Enabled }} ssl_certificate {{ $ssl.Certificate }}; ssl_certificate_key {{ $ssl.CertificateKey }}; - {{ end }} - {{ end }} + {{- end }} + {{- end }} - {{ if $s.ProxyRequests }} + {{- if $s.ProxyRequests }} proxy_requests {{ $s.ProxyRequests }}; - {{ end }} - {{ if $s.ProxyResponses }} + {{- end }} + {{- if $s.ProxyResponses }} proxy_responses {{ $s.ProxyResponses }}; - {{ end }} + {{- end }} - {{ range $snippet := $s.ServerSnippets }} + {{- range $snippet := $s.ServerSnippets }} {{- $snippet }} - {{ end }} + {{- end }} proxy_pass {{ $s.ProxyPass }}; proxy_timeout {{ $s.ProxyTimeout }}; proxy_connect_timeout {{ $s.ProxyConnectTimeout }}; - {{ if $s.ProxyNextUpstream }} + {{- if $s.ProxyNextUpstream }} proxy_next_upstream on; 
proxy_next_upstream_timeout {{ $s.ProxyNextUpstreamTimeout }}; proxy_next_upstream_tries {{ $s.ProxyNextUpstreamTries }}; - {{ end }} + {{- end }} }
diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl
index fee0066a24..8a0db0d376 100644
--- a/internal/configs/version2/nginx.virtualserver.tmpl
+++ b/internal/configs/version2/nginx.virtualserver.tmpl
@@ -1,56 +1,56 @@ {{- /*gotype: github.com/nginxinc/kubernetes-ingress/internal/configs/version2.VirtualServerConfig*/ -}} {{ range $u := .Upstreams }} upstream {{ $u.Name }} { - {{ if ne $u.UpstreamZoneSize "0" }}zone {{ $u.Name }} {{ $u.UpstreamZoneSize }};{{ end }} + {{- if ne $u.UpstreamZoneSize "0" }}zone {{ $u.Name }} {{ $u.UpstreamZoneSize }};{{ end }} - {{ if $u.LBMethod }}{{ $u.LBMethod }};{{ end }} + {{- if $u.LBMethod }}{{ $u.LBMethod }};{{ end }} - {{ range $s := $u.Servers }} + {{- range $s := $u.Servers }} server {{ $s.Address }} max_fails={{ $u.MaxFails }} fail_timeout={{ $u.FailTimeout }} max_conns={{ $u.MaxConns }}; - {{ end }} + {{- end }} - {{ if $u.Keepalive }} + {{- if $u.Keepalive }} keepalive {{ $u.Keepalive }}; - {{ end }} + {{- end }} } {{ end }} -{{ range $sc := .SplitClients }} +{{- range $sc := .SplitClients }} split_clients {{ $sc.Source }} {{ $sc.Variable }} { - {{ range $d := $sc.Distributions }} + {{- range $d := $sc.Distributions }} {{ $d.Weight }} {{ $d.Value }}; - {{ end }} + {{- end }} } -{{ end }} +{{- end }} -{{ range $m := .Maps }} +{{- range $m := .Maps }} map {{ $m.Source }} {{ $m.Variable }} { - {{ range $p := $m.Parameters }} + {{- range $p := $m.Parameters }} {{ $p.Value }} {{ $p.Result }}; - {{ end }} + {{- end }} } -{{ end }} +{{- end }} -{{ range $snippet := .HTTPSnippets }} +{{- range $snippet := .HTTPSnippets }} {{- $snippet }} -{{ end }} +{{- end }} -{{ range $z := .LimitReqZones }} +{{- range $z := .LimitReqZones }} limit_req_zone {{ $z.Key }} zone={{ $z.ZoneName }}:{{ $z.ZoneSize }} rate={{ $z.Rate }}; -{{ end }} +{{- end }} -{{ $s := .Server }} +{{- $s := .Server }} server { - {{ if $s.Gunzip }}gunzip on;{{end}} - {{ if not $s.CustomListeners }} + {{- if $s.Gunzip }}gunzip on;{{end}} + {{- if not $s.CustomListeners }} listen 80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; {{ if not $s.DisableIPV6 }}listen [::]:80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} - {{ else }} - {{ if (gt $s.HTTPPort 
0) }} + {{- else }} + {{- if (gt $s.HTTPPort 0) }} listen {{ $s.HTTPPort }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPPort }}{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} - {{ end }} - {{ end }} + {{- end }} + {{- end }} server_name {{ $s.ServerName }}; 
@@ -59,121 +59,121 @@ server { set $resource_namespace "{{$s.VSNamespace}}"; - {{ with $ssl := $s.SSL }} - {{ if $s.TLSPassthrough }} + {{- with $ssl := $s.SSL }} + {{- if $s.TLSPassthrough }} listen unix:/var/lib/nginx/passthrough-https.sock proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; - {{ else }} - {{ if not $s.CustomListeners }} + {{- else }} + {{- if not $s.CustomListeners }} listen 443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} - {{ else }} - {{ if (gt $s.HTTPSPort 0) }} + {{- if not $s.DisableIPV6 }}listen [::]:443 ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + {{- else }} + {{- if (gt $s.HTTPSPort 0) }} listen {{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }}; - {{ if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} - {{ end }} - {{ end }} - {{ end }} + {{- if not $s.DisableIPV6 }}listen [::]:{{ $s.HTTPSPort }} ssl{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }} + {{- end }} + {{- end }} + {{- end }} - {{ if $ssl.HTTP2 }} + {{- if $ssl.HTTP2 }} http2 on; - {{ end }} + {{- end }} - {{ if $ssl.RejectHandshake }} + {{- if $ssl.RejectHandshake }} ssl_reject_handshake on; - {{ else if $.SpiffeCerts }} + {{- else if $.SpiffeCerts }} ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; - {{ else }} + {{- else }} ssl_certificate {{ $ssl.Certificate }}; ssl_certificate_key {{ $ssl.CertificateKey }}; - {{ end }} - {{ else }} - {{ if $.SpiffeCerts }} + {{- end }} + {{- else }} + {{- if $.SpiffeCerts }} listen 443 ssl; {{if not $s.DisableIPV6}}listen [::]:443 ssl;{{end}} ssl_certificate /etc/nginx/secrets/spiffe_cert.pem; ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem; - {{ end }} - {{ end }} + {{- end }} + {{- end }} - {{ with $s.IngressMTLS }} + {{- 
with $s.IngressMTLS }} ssl_client_certificate {{ .ClientCert }}; - {{ if .ClientCrl }} + {{- if .ClientCrl }} ssl_crl {{ .ClientCrl }}; - {{ end }} + {{- end }} ssl_verify_client {{ .VerifyClient }}; ssl_verify_depth {{ .VerifyDepth }}; - {{ end }} + {{- end }} - {{ with $s.TLSRedirect }} + {{- with $s.TLSRedirect }} if ({{ .BasedOn }} = 'http') { return {{ .Code }} https://$host$request_uri; } - {{ end }} + {{- end }} server_tokens "{{ $s.ServerTokens }}"; - {{ range $setRealIPFrom := $s.SetRealIPFrom }} + {{- range $setRealIPFrom := $s.SetRealIPFrom }} set_real_ip_from {{ $setRealIPFrom }}; - {{ end }} - {{ if $s.RealIPHeader }} + {{- end }} + {{- if $s.RealIPHeader }} real_ip_header {{ $s.RealIPHeader }}; - {{ end }} - {{ if $s.RealIPRecursive }} + {{- end }} + {{- if $s.RealIPRecursive }} real_ip_recursive on; - {{ end }} + {{- end }} - {{ with $s.PoliciesErrorReturn }} + {{- with $s.PoliciesErrorReturn }} return {{ .Code }}; - {{ end }} + {{- end }} - {{ range $allow := $s.Allow }} + {{- range $allow := $s.Allow }} allow {{ $allow }}; - {{ end }} - {{ if gt (len $s.Allow) 0 }} + {{- end }} + {{- if gt (len $s.Allow) 0 }} deny all; - {{ end }} + {{- end }} - {{ range $deny := $s.Deny }} + {{- range $deny := $s.Deny }} deny {{ $deny }}; - {{ end }} - {{ if gt (len $s.Deny) 0 }} + {{- end }} + {{- if gt (len $s.Deny) 0 }} allow all; - {{ end }} + {{- end }} - {{ if $s.LimitReqOptions.DryRun }} + {{- if $s.LimitReqOptions.DryRun }} limit_req_dry_run on; - {{ end }} + {{- end }} - {{ with $level := $s.LimitReqOptions.LogLevel }} + {{- with $level := $s.LimitReqOptions.LogLevel }} limit_req_log_level {{ $level }}; - {{ end }} + {{- end }} - {{ with $code := $s.LimitReqOptions.RejectCode }} + {{- with $code := $s.LimitReqOptions.RejectCode }} limit_req_status {{ $code }}; - {{ end }} + {{- end }} - {{ range $rl := $s.LimitReqs }} + {{- range $rl := $s.LimitReqs }} limit_req zone={{ $rl.ZoneName }}{{ if $rl.Burst }} burst={{ $rl.Burst }}{{ end }} {{ if $rl.Delay }} 
delay={{ $rl.Delay }}{{ end }}{{ if $rl.NoDelay }} nodelay{{ end }}; - {{ end }} + {{- end }} - {{ with $s.BasicAuth }} + {{- with $s.BasicAuth }} auth_basic {{ printf "%q" .Realm }}; auth_basic_user_file {{ .Secret }}; - {{ end }} + {{- end }} - {{ with $s.EgressMTLS }} - {{ if .Certificate }} + {{- with $s.EgressMTLS }} + {{- if .Certificate }} proxy_ssl_certificate {{ .Certificate }}; proxy_ssl_certificate_key {{ .CertificateKey }}; - {{ end }} - {{ if .TrustedCert }} + {{- end }} + {{- if .TrustedCert }} proxy_ssl_trusted_certificate {{ .TrustedCert }}; - {{ end }} + {{- end }} proxy_ssl_verify {{ if .VerifyServer }}on{{else}}off{{end}}; proxy_ssl_verify_depth {{ .VerifyDepth }}; @@ -182,19 +182,19 @@ server { proxy_ssl_session_reuse {{ if .SessionReuse }}on{{else}}off{{end}}; proxy_ssl_server_name {{ if .ServerName }}on{{else}}off{{end}}; proxy_ssl_name {{ .SSLName }}; - {{ end }} + {{- end }} - {{ range $snippet := $s.Snippets }} + {{- range $snippet := $s.Snippets }} {{- $snippet }} - {{ end }} + {{- end }} - {{ range $l := $s.InternalRedirectLocations }} + {{- range $l := $s.InternalRedirectLocations }} location {{ $l.Path }} { rewrite ^ {{ $l.Destination }} last; } - {{ end }} + {{- end }} - {{ range $e := $s.ErrorPageLocations }} + {{- range $e := $s.ErrorPageLocations }} location {{ $e.Name }} { {{ if $e.DefaultType }} default_type "{{ $e.DefaultType }}"; 
@@ -218,69 +218,68 @@ server { {{ range $l := $s.Locations }} location {{ $l.Path }} { set $service "{{ $l.ServiceName }}"; - {{ if $l.IsVSR }} + {{- if $l.IsVSR }} set $resource_type "virtualserverroute"; set $resource_name "{{ $l.VSRName }}"; set $resource_namespace "{{ $l.VSRNamespace }}"; - {{ end }} - {{ if $l.Internal }} + {{- end }} + {{- if $l.Internal }} internal; - {{ end }} - {{ range $snippet := $l.Snippets }} + {{- end }} + {{- range $snippet := $l.Snippets }} {{- $snippet }} - {{ end }} + {{- end }} - {{ with $l.PoliciesErrorReturn }} + {{- with $l.PoliciesErrorReturn }} return {{ .Code }}; - {{ end }} + {{- end }} - {{ range $allow := $l.Allow }} + {{- range $allow := $l.Allow }} allow {{ $allow }}; - {{ end }} - {{ if gt (len $l.Allow) 0 }} + {{- end }} + {{- if gt (len $l.Allow) 0 }} deny all; - {{ end }} + {{- end }} - {{ range $deny := $l.Deny }} + {{- range $deny := $l.Deny }} deny {{ $deny }}; - {{ end }} - {{ if gt (len $l.Deny) 0 }} + {{- end }} + {{- if gt (len $l.Deny) 0 }} allow all; - {{ end }} + {{- end }} - {{ if $l.LimitReqOptions.DryRun }} + {{- if $l.LimitReqOptions.DryRun }} limit_req_dry_run on; - {{ end }} + {{- end }} - {{ with $level := $l.LimitReqOptions.LogLevel }} + {{- with $level := $l.LimitReqOptions.LogLevel }} limit_req_log_level {{ $level }}; - {{ end }} + {{- end }} - {{ with $code := $l.LimitReqOptions.RejectCode }} + {{- with $code := $l.LimitReqOptions.RejectCode }} limit_req_status {{ $code }}; - {{ end }} + {{- end }} - {{ range $rl := $l.LimitReqs }} + {{- range $rl := $l.LimitReqs }} limit_req zone={{ $rl.ZoneName }}{{ if $rl.Burst }} burst={{ $rl.Burst }}{{ end }} {{ if $rl.Delay }} delay={{ $rl.Delay }}{{ end }}{{ if $rl.NoDelay }} nodelay{{ end }}; - {{ end }} + {{- end }} - {{ with $l.BasicAuth }} + {{- with $l.BasicAuth }} auth_basic {{ printf "%q" .Realm }}; auth_basic_user_file {{ .Secret }}; - {{ end }} + {{- end }} {{ $proxyOrGRPC := "proxy" }}{{ if $l.GRPCPass }}{{ $proxyOrGRPC = "grpc" }}{{ end }} - 
{{ with $l.EgressMTLS }} - {{ if .Certificate }} + {{- with $l.EgressMTLS }} + {{- if .Certificate }} {{ $proxyOrGRPC }}_ssl_certificate {{ .Certificate }}; {{ $proxyOrGRPC }}_ssl_certificate_key {{ .CertificateKey }}; - {{ end }} + {{- end }} {{ if .TrustedCert }} {{ $proxyOrGRPC }}_ssl_trusted_certificate {{ .TrustedCert }}; - {{ end }} - + {{- end }} {{ $proxyOrGRPC }}_ssl_verify {{ if .VerifyServer }}on{{else}}off{{end}}; {{ $proxyOrGRPC }}_ssl_verify_depth {{ .VerifyDepth }}; {{ $proxyOrGRPC }}_ssl_protocols {{ .Protocols }}; @@ -288,9 +287,9 @@ server { {{ $proxyOrGRPC }}_ssl_session_reuse {{ if .SessionReuse }}on{{else}}off{{end}}; {{ $proxyOrGRPC }}_ssl_server_name {{ if .ServerName }}on{{else}}off{{end}}; {{ $proxyOrGRPC }}_ssl_name {{ .SSLName }}; - {{ end }} + {{- end }} - {{ if $l.GRPCPass }} + {{- if $l.GRPCPass }} error_page 400 = @grpc_internal; error_page 401 = @grpc_unauthenticated; error_page 403 = @grpc_permission_denied; 
@@ -310,47 +309,47 @@ server {
 error_page 497 = @grpc_internal;
 error_page 500 = @grpc_internal;
 error_page 501 = @grpc_internal;
- {{ end }}
+ {{- end }}
- {{ range $e := $l.ErrorPages }}
+ {{- range $e := $l.ErrorPages }}
 error_page {{ $e.Codes }} {{ if ne 0 $e.ResponseCode }}={{ $e.ResponseCode }}{{ end }} "{{ $e.Name }}";
- {{ end }}
+ {{- end }}
- {{ if $l.ProxyInterceptErrors }}
+ {{- if $l.ProxyInterceptErrors }}
 {{ $proxyOrGRPC }}_intercept_errors on;
- {{ end }}
+ {{- end }}
- {{ if $l.InternalProxyPass }}
+ {{- if $l.InternalProxyPass }}
 proxy_pass {{ $l.InternalProxyPass }};
- {{ end }}
+ {{- end }}
- {{ if or $l.ProxyPass $l.GRPCPass}}
- {{ range $r := $l.Rewrites }}
+ {{- if or $l.ProxyPass $l.GRPCPass }}
+ {{- range $r := $l.Rewrites }}
 rewrite {{ $r }};
- {{ end }}
+ {{- end }}
 {{ $proxyOrGRPC }}_connect_timeout {{ $l.ProxyConnectTimeout }};
 {{ $proxyOrGRPC }}_read_timeout {{ $l.ProxyReadTimeout }};
 {{ $proxyOrGRPC }}_send_timeout {{ $l.ProxySendTimeout }};
 client_max_body_size {{ $l.ClientMaxBodySize }};
- {{ if $l.ProxyMaxTempFileSize }}
+ {{- if $l.ProxyMaxTempFileSize }}
 proxy_max_temp_file_size {{ $l.ProxyMaxTempFileSize }};
- {{ end }}
+ {{- end }}
 proxy_buffering {{ if $l.ProxyBuffering }}on{{ else }}off{{ end }};
- {{ if $l.ProxyBuffers }}
+ {{- if $l.ProxyBuffers }}
 proxy_buffers {{ $l.ProxyBuffers }};
- {{ end }}
- {{ if $l.ProxyBufferSize }}
+ {{- end }}
+ {{- if $l.ProxyBufferSize }}
 {{ $proxyOrGRPC }}_buffer_size {{ $l.ProxyBufferSize }};
- {{ end }}
- {{ if not $l.GRPCPass }}
+ {{- end }}
+ {{- if not $l.GRPCPass }}
 proxy_http_version 1.1;
 set $default_connection_header {{ if $l.HasKeepalive }}""{{ else }}close{{ end }};
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection $vs_connection_header;
 proxy_pass_request_headers {{ if $l.ProxyPassRequestHeaders }}on{{ else }}off{{ end }};
- {{ end }}
+ {{- end }}
 {{- $custom_headers := $l.ProxySetHeaders | headerListToCIMap }}
@@ -378,19 +377,19 @@ server {
 {{ $proxyOrGRPC }}_set_header {{ $h.Name }} "{{ $h.Value }}";
 {{- end }}
- {{ range $h := $l.ProxyHideHeaders }}
+ {{- range $h := $l.ProxyHideHeaders }}
 {{ $proxyOrGRPC }}_hide_header {{ $h }};
- {{ end }}
- {{ range $h := $l.ProxyPassHeaders }}
+ {{- end }}
+ {{- range $h := $l.ProxyPassHeaders }}
 {{ $proxyOrGRPC }}_pass_header {{ $h }};
- {{ end }}
- {{ with $l.ProxyIgnoreHeaders }}
+ {{- end }}
+ {{- with $l.ProxyIgnoreHeaders }}
 {{ $proxyOrGRPC }}_ignore_headers {{ $l.ProxyIgnoreHeaders }};
- {{ end }}
- {{ range $h := $l.AddHeaders }}
+ {{- end }}
+ {{- range $h := $l.AddHeaders }}
 add_header {{ $h.Name }} "{{ $h.Value }}" {{ if $h.Always }}always{{ end }};
- {{ end }}
- {{ if $.SpiffeClientCerts }}
+ {{- end }}
+ {{- if $.SpiffeClientCerts }}
 {{ $proxyOrGRPC }}_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
 {{ $proxyOrGRPC }}_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
 {{ $proxyOrGRPC }}_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
@@ -398,20 +397,20 @@ server {
 {{ $proxyOrGRPC }}_ssl_verify on;
 {{ $proxyOrGRPC }}_ssl_verify_depth 25;
 {{ $proxyOrGRPC }}_ssl_name {{ $l.ProxySSLName }};
- {{ end }}
- {{if $l.GRPCPass}}
+ {{- end }}
+ {{- if $l.GRPCPass }}
 grpc_pass {{ $l.GRPCPass }};
- {{ else }}
+ {{- else }}
 proxy_pass {{ $l.ProxyPass }}{{ $l.ProxyPassRewrite }};
- {{ end }}
+ {{- end }}
 {{ $proxyOrGRPC }}_next_upstream {{ $l.ProxyNextUpstream }};
 {{ $proxyOrGRPC }}_next_upstream_timeout {{ $l.ProxyNextUpstreamTimeout }};
 {{ $proxyOrGRPC }}_next_upstream_tries {{ $l.ProxyNextUpstreamTries }};
- {{ end }}
+ {{- end }}
 }
- {{ end }}
+ {{- end }}
- {{ with $ssl := $s.SSL }}
+ {{- with $ssl := $s.SSL }}
 {{ if $ssl.HTTP2 }}
 location @grpc_deadline_exceeded {
 default_type application/grpc;
