From aad4fc9ced4d118e19d480f151e22a1d536044db Mon Sep 17 00:00:00 2001 From: Shaun Date: Thu, 12 Oct 2023 11:21:34 +0100 Subject: [PATCH] Allow `default_server` listeners to be customised (#4464) --- charts/nginx-ingress/README.md | 2 + .../templates/controller-daemonset.yaml | 2 + .../templates/controller-deployment.yaml | 2 + charts/nginx-ingress/values.schema.json | 20 ++ charts/nginx-ingress/values.yaml | 6 + cmd/nginx-ingress/flags.go | 4 + cmd/nginx-ingress/main.go | 2 + .../command-line-arguments.md | 16 + internal/configs/config_params.go | 2 + internal/configs/configmaps.go | 2 + internal/configs/version1/config.go | 2 + internal/configs/version1/nginx-plus.tmpl | 8 +- internal/configs/version1/nginx.tmpl | 8 +- internal/configs/version1/template_test.go | 340 +++++++++++++++++- tests/suite/test_default_server.py | 50 +++ 15 files changed, 450 insertions(+), 16 deletions(-) diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md index da6e2a1418..846ac2d12a 100644 --- a/charts/nginx-ingress/README.md +++ b/charts/nginx-ingress/README.md 
@@ -452,6 +452,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 | |`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} | |`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false | +|`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 | +|`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 | |`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false | |`rbac.create` | Configures RBAC. | true | |`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true | diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml index d6012c3a3b..fafc597da3 100644 --- a/charts/nginx-ingress/templates/controller-daemonset.yaml +++ b/charts/nginx-ingress/templates/controller-daemonset.yaml 
@@ -237,6 +237,8 @@ spec: - -enable-cert-manager={{ .Values.controller.enableCertManager }} - -enable-oidc={{ .Values.controller.enableOIDC }} - -enable-external-dns={{ .Values.controller.enableExternalDNS }} + - -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} + - -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} {{- if .Values.controller.globalConfiguration.create }} - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} {{- end }} diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml index f23f515ef3..0658cba140 100644 --- a/charts/nginx-ingress/templates/controller-deployment.yaml +++ b/charts/nginx-ingress/templates/controller-deployment.yaml @@ -244,6 +244,8 @@ spec: - -enable-cert-manager={{ .Values.controller.enableCertManager }} - -enable-oidc={{ .Values.controller.enableOIDC }} - -enable-external-dns={{ .Values.controller.enableExternalDNS }} + - -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}} + - -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}} {{- if .Values.controller.globalConfiguration.create }} - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }} {{- end }} diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 39f65da624..b6a1bc98f9 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -1262,6 +1262,22 @@ false ] }, + "defaultHTTPListenerPort": { + "type": "integer", + "default": 80, + "title": "The defaultHTTPListenerPort", + "examples": [ + 80 + ] + }, + "defaultHTTPSListenerPort": { + "type": "integer", + "default": 443, + "title": "The defaultHTTPSListenerPort", + "examples": [ + 443 + ] + }, "readOnlyRootFilesystem": { "type": "boolean", "default": false, 
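Review bot: The two args added to controller-daemonset.yaml, `-default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}}` and the HTTPS one, drop the space before `}}` while every neighbouring `{{ .Values.controller.… }}` action in the hunk has it; the identical two lines are added to controller-deployment.yaml in the next hunk. Helm renders both forms the same way, so this is purely a consistency point: `- -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort }}` and `- -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort }}` in both files. Because the args are now passed unconditionally, any value a chart user puts in `values.yaml` reaches the controller as-is, so the range check belongs in the chart schema or in the flag parsing rather than being left for NGINX to report at startup.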
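Review bot: The new `defaultHTTPListenerPort` and `defaultHTTPSListenerPort` properties in values.schema.json declare only `"type": "integer"`, so `helm lint`/`helm install` accept 0, a negative number or 70000 and the mistake only surfaces when NGINX rejects the generated `listen` directive. Adding `"minimum": 1,` and `"maximum": 65535,` to both properties rejects out-of-range ports at chart validation time, before a pod is rolled out with an unloadable config. The `"title": "The defaultHTTPListenerPort"` strings copy the pattern of the surrounding properties but carry no information; a `"description": "Port for the HTTP default_server listener."` (and the HTTPS equivalent) would tell schema readers what the value controls.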
@@ -1411,6 +1427,8 @@ }, "enableLatencyMetrics": false, "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, "readOnlyRootFilesystem": false } ] @@ -1776,6 +1794,8 @@ }, "enableLatencyMetrics": false, "disableIPV6": false, + "defaultHTTPListenerPort": 80, + "defaultHTTPSListenerPort": 443, "readOnlyRootFilesystem": false }, "rbac": { diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 9dd9a9a021..b3e8ed1682 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -443,6 +443,12 @@ controller: ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. disableIPV6: false + ## Sets the port for the HTTP `default_server` listener. + defaultHTTPListenerPort: 80 + + ## Sets the port for the HTTPS `default_server` listener. + defaultHTTPSListenerPort: 443 + ## Configure root filesystem as read-only and add volumes for temporary data. readOnlyRootFilesystem: false diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go index 19799d362f..83515d58a0 100644 --- a/cmd/nginx-ingress/flags.go +++ b/cmd/nginx-ingress/flags.go @@ -194,6 +194,10 @@ var ( disableIPV6 = flag.Bool("disable-ipv6", false, `Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack`) + defaultHTTPListenerPort = flag.Int("default-http-listener-port", 80, "Sets a custom port for the HTTP NGINX `default_server`. [1024 - 65535]") + + defaultHTTPSListenerPort = flag.Int("default-https-listener-port", 443, "Sets a custom port for the HTTPS `default_server`. [1024 - 65535]") + startupCheckFn func() error ) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 93caaa3a31..32a826331d 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go 
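Review bot: The two new flags in flags.go advertise a `[1024 - 65535]` range in their help text, yet their own defaults (80 and 443) lie outside it and nothing in this commit validates the parsed value before main.go copies it into `StaticConfigParams` and configmaps.go into `MainConfig`. A value of 0, a negative number or anything above 65535 is written verbatim into `listen {{ .DefaultHTTPListenerPort }}` and NGINX refuses the config, and a value equal to another listener (the TLS passthrough port, for example) would presumably fail at reload with a duplicate-listen error; either way the controller is left without a loadable config. If the existing port validation in flags.go enforces 1024–65535 it cannot be reused unchanged for these defaults, so either add a 1–65535 check for each flag, e.g. `if *defaultHTTPListenerPort < 1 || *defaultHTTPListenerPort > 65535 { … exit as the other flag checks do … }`, or correct the help text to the range that is actually enforced. A check that the two ports differ from each other, done at startup, would also give a clearer error than the NGINX one.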
@@ -90,6 +90,8 @@ func main() { staticCfgParams := &configs.StaticConfigParams{ DisableIPV6: *disableIPV6, + DefaultHTTPListenerPort: *defaultHTTPListenerPort, + DefaultHTTPSListenerPort: *defaultHTTPSListenerPort, HealthStatus: *healthStatus, HealthStatusURI: *healthStatusURI, NginxStatus: *nginxStatus, diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md index 56172fb3a3..ac5378dc1d 100644 --- a/docs/content/configuration/global-configuration/command-line-arguments.md +++ b/docs/content/configuration/global-configuration/command-line-arguments.md @@ -508,3 +508,19 @@ Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. Default `false`.   + +### -default-http-listener-port + +Sets the port for the HTTP `default_server` listener. + +Default `80`. +  + + +### -default-https-listener-port + +Sets the port for the HTTPS `default_server` listener. + +Default `443`. +  + diff --git a/internal/configs/config_params.go b/internal/configs/config_params.go index ba4be02d86..9e8b4a9479 100644 --- a/internal/configs/config_params.go +++ b/internal/configs/config_params.go @@ -114,6 +114,8 @@ type ConfigParams struct { // StaticConfigParams holds immutable NGINX configuration parameters that affect the main NGINX config. type StaticConfigParams struct { DisableIPV6 bool + DefaultHTTPListenerPort int + DefaultHTTPSListenerPort int HealthStatus bool HealthStatusURI string NginxStatus bool diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go index 675fc7e443..006f70c74c 100644 --- a/internal/configs/configmaps.go +++ b/internal/configs/configmaps.go 
@@ -514,6 +514,8 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config DefaultServerAccessLogOff: config.DefaultServerAccessLogOff, DefaultServerReturn: config.DefaultServerReturn, DisableIPV6: staticCfgParams.DisableIPV6, + DefaultHTTPListenerPort: staticCfgParams.DefaultHTTPListenerPort, + DefaultHTTPSListenerPort: staticCfgParams.DefaultHTTPSListenerPort, ErrorLogLevel: config.MainErrorLogLevel, HealthStatus: staticCfgParams.HealthStatus, HealthStatusURI: staticCfgParams.HealthStatusURI, diff --git a/internal/configs/version1/config.go b/internal/configs/version1/config.go index 4afb16796b..eda5ffebbd 100644 --- a/internal/configs/version1/config.go +++ b/internal/configs/version1/config.go @@ -165,6 +165,8 @@ type MainConfig struct { DefaultServerAccessLogOff bool DefaultServerReturn string DisableIPV6 bool + DefaultHTTPListenerPort int + DefaultHTTPSListenerPort int ErrorLogLevel string HealthStatus bool HealthStatusURI string diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index 851ecb4125..cc8cf394dd 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl 
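Review bot: `DefaultHTTPListenerPort` and `DefaultHTTPSListenerPort` are added to `MainConfig` in config.go (and to `StaticConfigParams` in config_params.go) without a comment, and as plain `int` fields their zero value becomes `listen 0 default_server;` whenever a caller forgets to set them — the templates substitute the value with no fallback. A one-line comment on each field would state the contract, e.g. `DefaultHTTPListenerPort int // port of the HTTP default_server listener; must be 1-65535, the templates have no fallback for 0` and the same wording for the HTTPS field. The `MainConfig` struct definition begins and ends outside the hunk.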
@@ -153,16 +153,16 @@ http { set $resource_namespace ""; set $service ""; - listen 80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; + {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} {{if .TLSPassthrough}} listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} - listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}}; + {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} {{end}} {{if .SSLRejectHandshake}} diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl index 5f50e6bfed..c1d4ec590c 100644 --- a/internal/configs/version1/nginx.tmpl +++ b/internal/configs/version1/nginx.tmpl 
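Review bot: The replaced `listen` lines in nginx-plus.tmpl write `{{ .DefaultHTTPListenerPort }}` with a space on both sides, while the same four lines in nginx.tmpl (next hunk) write `{{ .DefaultHTTPListenerPort}}` without the closing space; the two templates are otherwise kept line-for-line in sync, so both should use `listen {{ .DefaultHTTPListenerPort }} default_server…` and `listen {{ .DefaultHTTPSListenerPort }} ssl default_server…`. In the `{{if .TLSPassthrough}}` branch the HTTPS default server stays on the unix socket, so `.DefaultHTTPSListenerPort` is only consumed in the `{{else}}` branch, whereas the HTTP port is bound unconditionally and a value equal to `.TLSPassthroughPort` would presumably yield two listeners on one port. The template has no guard for a zero or out-of-range value, so that check has to live in the flag parsing; a short comment above the first `listen` saying so, e.g. `{{/* ports are validated by the controller flags; 0 is never expected here */}}`, would stop a later editor from adding a template-side default. The enclosing `server` block begins and ends outside the hunk.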
@@ -106,16 +106,16 @@ http { set $resource_namespace ""; set $service ""; - listen 80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}}; + {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} {{if .TLSPassthrough}} listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol; set_real_ip_from unix:; real_ip_header proxy_protocol; {{else}} - listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}}; - {{if not .DisableIPV6}}listen [::]:443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} + listen {{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}}; + {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}} {{end}} {{if .SSLRejectHandshake}} diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go index 3f77862145..4ef7b96737 100644 --- a/internal/configs/version1/template_test.go +++ b/internal/configs/version1/template_test.go @@ -343,7 +343,7 @@ func TestExecuteTemplate_ForMainForNGINXWithoutCustomTLSPassthroughPort(t *testi tmpl := newNGINXMainTmpl(t) buf := &bytes.Buffer{} - err := tmpl.Execute(buf, mainCfg) + err := tmpl.Execute(buf, mainCfgDefaultTLSPassthroughPort) t.Log(buf.String()) if err != nil { t.Fatalf("Failed to write template %v", err) 
@@ -369,7 +369,7 @@ func TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomTLSPassthroughPort(t *t tmpl := newNGINXPlusMainTmpl(t) buf := &bytes.Buffer{} - err := tmpl.Execute(buf, mainCfg) + err := tmpl.Execute(buf, mainCfgDefaultTLSPassthroughPort) t.Log(buf.String()) if err != nil { t.Fatalf("Failed to write template %v", err) 
@@ -441,6 +441,230 @@ func TestExecuteTemplate_ForMainForNGINXPlusTLSPassthroughPortDisabled(t *testin } } +func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) { + t.Parallel() + + tmpl := newNGINXMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPAndHTTPSListenerPorts) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 8083 default_server;", + "listen [::]:8083 default_server;", + "listen 8443 ssl default_server;", + "listen [::]:8443 ssl default_server;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPAndHTTPSListenerPorts) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 8083 default_server;", + "listen [::]:8083 default_server;", + "listen 8443 ssl default_server;", + "listen [::]:8443 ssl default_server;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXWithoutCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) { + t.Parallel() + + tmpl := newNGINXMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfg) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 80 default_server;", + "listen [::]:80 default_server;", + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", + } + 
+ mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXPlusWithoutCustomDefaultHTTPAndHTTPSListenerPorts(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfg) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 80 default_server;", + "listen [::]:80 default_server;", + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPListenerPort(t *testing.T) { + t.Parallel() + + tmpl := newNGINXMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPListenerPort) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 8083 default_server;", + "listen [::]:8083 default_server;", + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXWithCustomDefaultHTTPSListenerPort(t *testing.T) { + t.Parallel() + + tmpl := newNGINXMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPSListenerPort) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 80 default_server;", + "listen [::]:80 default_server;", + "listen 8443 ssl default_server;", + "listen [::]:8443 ssl 
default_server;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPListenerPort(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPListenerPort) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 8083 default_server;", + "listen [::]:8083 default_server;", + "listen 443 ssl default_server;", + "listen [::]:443 ssl default_server;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + +func TestExecuteTemplate_ForMainForNGINXPlusWithCustomDefaultHTTPSListenerPort(t *testing.T) { + t.Parallel() + + tmpl := newNGINXPlusMainTmpl(t) + buf := &bytes.Buffer{} + + err := tmpl.Execute(buf, mainCfgCustomDefaultHTTPSListenerPort) + t.Log(buf.String()) + + if err != nil { + t.Fatalf("Failed to write template %v", err) + } + + wantDirectives := []string{ + "listen 80 default_server;", + "listen [::]:80 default_server;", + "listen 8443 ssl default_server;", + "listen [::]:8443 ssl default_server;", + } + + mainConf := buf.String() + for _, want := range wantDirectives { + if !strings.Contains(mainConf, want) { + t.Errorf("want %q in generated config", want) + } + } +} + func newNGINXPlusIngressTmpl(t *testing.T) *template.Template { t.Helper() tmpl, err := template.New("nginx-plus.ingress.tmpl").Funcs(helperFunctions).ParseFiles("nginx-plus.ingress.tmpl") 
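Review bot: The eight new test functions in the `@@ -441` hunk are copy-pasted bodies that differ only in template constructor, fixture and the four expected `listen` strings, so the intent is hard to scan and any change to the assertion is eight edits. A table-driven test over `{fixture, want}` rows, run once per template constructor, keeps every case visible in one place and is sketched below. The assertion also uses `strings.Contains` on the whole rendered config, which cannot catch a duplicated `listen` line; if the rendered config is known to contain each directive exactly once, `strings.Count(mainConf, want) != 1` would pin that down. `newNGINXPlusIngressTmpl` at the end of the hunk is untouched pre-existing code.

```go
func TestExecuteTemplate_ForMainDefaultListenerPorts(t *testing.T) {
	t.Parallel()

	tests := []struct {
		name string
		cfg  MainConfig
		want []string
	}{
		{
			name: "custom HTTP and HTTPS ports",
			cfg:  mainCfgCustomDefaultHTTPAndHTTPSListenerPorts,
			want: []string{
				"listen 8083 default_server;",
				"listen [::]:8083 default_server;",
				"listen 8443 ssl default_server;",
				"listen [::]:8443 ssl default_server;",
			},
		},
		{
			name: "default ports",
			cfg:  mainCfg,
			want: []string{
				"listen 80 default_server;",
				"listen [::]:80 default_server;",
				"listen 443 ssl default_server;",
				"listen [::]:443 ssl default_server;",
			},
		},
		// … rows for mainCfgCustomDefaultHTTPListenerPort and mainCfgCustomDefaultHTTPSListenerPort …
	}

	templates := map[string]func(*testing.T) *template.Template{
		"nginx":      newNGINXMainTmpl,
		"nginx-plus": newNGINXPlusMainTmpl,
	}

	for tmplName, newTmpl := range templates {
		for _, tc := range tests {
			tc := tc
			t.Run(tmplName+"/"+tc.name, func(t *testing.T) {
				t.Parallel()
				buf := &bytes.Buffer{}
				if err := newTmpl(t).Execute(buf, tc.cfg); err != nil {
					t.Fatalf("Failed to write template %v", err)
				}
				mainConf := buf.String()
				for _, want := range tc.want {
					if !strings.Contains(mainConf, want) {
						t.Errorf("want %q in generated config", want)
					}
				}
			})
		}
	}
}
```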
@@ -753,6 +977,31 @@ var ( } mainCfg = MainConfig{ + DefaultHTTPListenerPort: 80, + DefaultHTTPSListenerPort: 443, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + } + + mainCfgCustomTLSPassthroughPort = MainConfig{ ServerNamesHashMaxSize: "512", ServerTokens: "off", WorkerProcesses: "auto", @@ -774,10 +1023,10 @@ var ( VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, TLSPassthrough: true, - TLSPassthroughPort: 443, + TLSPassthroughPort: 8443, } - mainCfgCustomTLSPassthroughPort = MainConfig{ + mainCfgWithoutTLSPassthrough = MainConfig{ ServerNamesHashMaxSize: "512", ServerTokens: "off", WorkerProcesses: "auto", @@ -798,11 +1047,11 @@ var ( KeepaliveRequests: 100, VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, - TLSPassthrough: true, + TLSPassthrough: false, TLSPassthroughPort: 8443, } - mainCfgWithoutTLSPassthrough = MainConfig{ + mainCfgDefaultTLSPassthroughPort = MainConfig{ ServerNamesHashMaxSize: "512", ServerTokens: "off", WorkerProcesses: "auto", 
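Review bot: The fixture that starts at the end of this hunk, `mainCfgCustomTLSPassthroughPort`, and the `mainCfgWithoutTLSPassthrough` and `mainCfgDefaultTLSPassthroughPort` fixtures in the `@@ -774`, `@@ -798` and `@@ -823` hunks do not set `DefaultHTTPListenerPort`/`DefaultHTTPSListenerPort` (unless they do so on lines outside the hunks), so the TLS-passthrough tests now render `listen 0 default_server;` and pass only because they never assert on those lines. Adding `DefaultHTTPListenerPort: 80,` and `DefaultHTTPSListenerPort: 443,` to each of them keeps the fixtures realistic and lets a future whole-config comparison work. The hunk also reads as a rotation — the old `mainCfg` body keeps its name only for the new literal, while each passthrough variant takes the previous name and flips `TLSPassthrough`/`TLSPassthroughPort` in a separate one-line change — so a reviewer has to reconstruct which fixture ends with which values; a one-line comment above each fixture naming its purpose, e.g. `// TLS passthrough enabled on the default port 443`, would make that explicit. The `var (` block begins and ends outside the hunk.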
@@ -823,8 +1072,83 @@ var ( KeepaliveRequests: 100, VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, - TLSPassthrough: false, - TLSPassthroughPort: 8443, + TLSPassthrough: true, + TLSPassthroughPort: 443, + } + + mainCfgCustomDefaultHTTPAndHTTPSListenerPorts = MainConfig{ + DefaultHTTPListenerPort: 8083, + DefaultHTTPSListenerPort: 8443, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + } + + mainCfgCustomDefaultHTTPListenerPort = MainConfig{ + DefaultHTTPListenerPort: 8083, + DefaultHTTPSListenerPort: 443, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + } + + mainCfgCustomDefaultHTTPSListenerPort = MainConfig{ + DefaultHTTPListenerPort: 80, + DefaultHTTPSListenerPort: 8443, + ServerNamesHashMaxSize: "512", + ServerTokens: 
"off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, } // Vars for Mergable Ingress Master - Minion tests diff --git a/tests/suite/test_default_server.py b/tests/suite/test_default_server.py index 5539079aa0..31e5da5814 100644 --- a/tests/suite/test_default_server.py +++ b/tests/suite/test_default_server.py @@ -1,6 +1,8 @@ from ssl import SSLError import pytest +import requests +from requests.exceptions import ConnectionError from settings import BASEDIR, DEPLOYMENTS, TEST_DATA from suite.utils.resources_utils import ( create_secret_from_yaml, @@ -42,6 +44,12 @@ def default_server_setup(ingress_controller_endpoint, ingress_controller): ensure_connection(f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/") +@pytest.fixture(scope="class") +def default_server_setup_custom_port(ingress_controller_endpoint, ingress_controller): + ensure_connection(f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.custom_http}/") + ensure_connection(f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.custom_https}/") + + @pytest.fixture(scope="class") def secret_setup(request, kube_apis): def fin(): 
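Review bot: `from requests.exceptions import ConnectionError` in the new import block shadows the builtin `ConnectionError` for the whole module, so a reader of `pytest.raises(ConnectionError, …)` further down cannot tell without scrolling which exception is meant. Since `import requests` is on the line above, `pytest.raises(requests.exceptions.ConnectionError, …)` needs no extra import, or alias it: `from requests.exceptions import ConnectionError as RequestsConnectionError`. The `default_server_setup_custom_port` fixture in the next hunk reads `custom_http`/`custom_https` from the endpoint object, which has to agree with the `8085`/`8445` hard-coded in the parametrized `extra_args` of the last hunk; building the `extra_args` from the same attributes would remove that hidden coupling.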
@@ -95,3 +103,45 @@ def test_with_default_tls_secret(self, kube_apis, ingress_controller_endpoint, s def test_without_default_tls_secret(self, ingress_controller_endpoint, default_server_setup): print("Ensure connection to HTTPS cannot be established") assert_unrecognized_name_error(ingress_controller_endpoint) + + @pytest.mark.parametrize( + "ingress_controller", + [ + pytest.param( + {"extra_args": [f"-default-http-listener-port=8085", f"-default-https-listener-port=8445"]}, + ), + ], + indirect=True, + ) + def test_disable_default_listeners_true(self, ingress_controller_endpoint, ingress_controller): + print("Ensure ports 80 and 443 return result in an ERR_CONNECTION_REFUSED") + request_url_80 = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port}/" + with pytest.raises(ConnectionError, match="Connection refused") as e: + requests.get(request_url_80, headers={}) + + request_url_443 = f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.port_ssl}/" + with pytest.raises(ConnectionError, match="Connection refused") as e: + requests.get(request_url_443, headers={}, verify=False) + + @pytest.mark.parametrize( + "ingress_controller", + [ + pytest.param( + {"extra_args": [f"-default-http-listener-port=8085", f"-default-https-listener-port=8445"]}, + ), + ], + indirect=True, + ) + def test_custom_default_listeners( + self, kube_apis, ingress_controller_endpoint, ingress_controller, default_server_setup_custom_port + ): + print("Ensure custom ports for default listeners return 404") + request_url_http = f"http://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.custom_http}/" + resp = requests.get(request_url_http, headers={}) + assert resp.status_code == 404 + + request_url_https = ( + f"https://{ingress_controller_endpoint.public_ip}:{ingress_controller_endpoint.custom_https}/" + ) + resp = requests.get(request_url_https, headers={}, verify=False) + assert resp.status_code == 404
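Review bot: `test_disable_default_listeners_true` does not exercise a disable switch; it asserts that `port`/`port_ssl` refuse connections once `-default-http-listener-port=8085`/`-default-https-listener-port=8445` move the default listeners, so a name such as `test_default_ports_closed_with_custom_listeners` would say what the two `pytest.raises` blocks check. Both `with pytest.raises(ConnectionError, match="Connection refused") as e:` bind `e` without using it, the `extra_args` strings carry an `f` prefix with no placeholders, and `headers={}` is a no-op; `with pytest.raises(ConnectionError, match="Connection refused"):` and plain `"-default-http-listener-port=8085"` read cleaner. The identical `@pytest.mark.parametrize("ingress_controller", …)` block is repeated on both methods and could be one module-level constant applied to both. `match="Connection refused"` presumably matches the OS error text embedded in the exception message, which differs between platforms; matching on the exception type alone is less brittle.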