Fix gunzip support for VS and add python tests (#3844)

* Add gunzip support for VirtualServer
nginx · May 4, 2023 · fab521e · fab521e
1 parent 85a353a
commit fab521e
Show file tree

Hide file tree

Showing 15 changed files with 7,045 additions and 5,846 deletions.
diff --git a/deployments/common/crds/k8s.nginx.org_virtualservers.yaml b/deployments/common/crds/k8s.nginx.org_virtualservers.yaml
@@ -87,7 +87,7 @@ spec:
                     recordType:
                       type: string
                 gunzip:
-                  type: string
+                  type: boolean
                 host:
                   type: string
                 http-snippets:

diff --git a/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml b/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml
@@ -87,7 +87,7 @@ spec:
                     recordType:
                       type: string
                 gunzip:
-                  type: string
+                  type: boolean
                 host:
                   type: string
                 http-snippets:

diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md
@@ -54,7 +54,7 @@ spec:
 | ---| ---| ---| --- |
 |``host`` | The host (domain name) of the server. Must be a valid subdomain as defined in RFC 1123, such as ``my-app`` or ``hello.example.com``. When using a wildcard domain like ``*.example.com`` the domain must be contained in double quotes.  The ``host`` value needs to be unique among all Ingress and VirtualServer resources. See also [Handling Host and Listener Collisions](/nginx-ingress-controller/configuration/handling-host-and-listener-collisions). | ``string`` | Yes |
 |``tls`` | The TLS termination configuration. | [tls](#virtualservertls) | No |
-|``gunzip`` | Enables or disables [decompression](https://docs.nginx.com/nginx/admin-guide/web-server/compression/) of gzipped responses for clients. Allowed values are: "on" or "off". If the ``gunzip`` value is not set, it defaults to ``off``.   | ``string`` | No |
+|``gunzip`` | Enables or disables [decompression](https://docs.nginx.com/nginx/admin-guide/web-server/compression/) of gzipped responses for clients. Allowed values “on”/“off”, “true”/“false” or “yes”/“no”. If the ``gunzip`` value is not set, it defaults to ``off``.   | ``boolean`` | No |
 |``externalDNS`` | The externalDNS configuration for a VirtualServer. | [externalDNS](#virtualserverexternaldns) | No |
 |``dos`` | A reference to a DosProtectedResource, setting this enables DOS protection of the VirtualServer. | ``string`` | No |
 |``policies`` | A list of policies. | [[]policy](#virtualserverpolicy) | No |

diff --git a/examples/custom-resources/jwt/README.md b/examples/custom-resources/jwt/README.md
@@ -67,3 +67,21 @@ Date: 10/Sep/2020:18:20:03 +0000
 URI: /
 Request ID: db2c07ce640755ccbe9f666d16f85620
 ```
+
+> **Note**:<br>
+You can add a ``gunzip`` option to the VirtualServer spec. Adding the ``gunzip`` allows NIC to decompress responses where an item
+like a JWT token is compressed by the IdP.<br>
+If an IdP compresses a JWT token and NIC is not configured to decompress responses (``gunzip`` not set to ``on``), the error "invalid JWK set while sending to client" is generated by NIC.<br>
+When the ``gunzip`` value is set to ``on``, NIC automatically decompresses responses with “Content-Encoding: gzip” header.
+
+Example:
+```yaml
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: webapp
+spec:
+  host: webapp.example.com
+  gunzip: on
+  ...
+```
diff --git a/internal/configs/version2/http.go b/internal/configs/version2/http.go
@@ -81,7 +81,7 @@ type Server struct {
 	VSNamespace               string
 	VSName                    string
 	DisableIPV6               bool
-	Gunzip                    string
+	Gunzip                    bool
 }
 
 // SSL defines SSL configuration for a server.

diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl
@@ -63,7 +63,7 @@ proxy_cache_path /var/cache/nginx/jwks_uri_{{$s.VSName}} levels=1 keys_zone=jwks
 {{ end }}
 
 server {
-    {{ if (eq $s.Gunzip "on") }}gunzip {{ $s.Gunzip }};{{end}}
+    {{ if $s.Gunzip }}gunzip on;{{end}}
     listen 80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};
     {{ if not $s.DisableIPV6 }}listen [::]:80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }}
 

diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl
@@ -40,7 +40,7 @@ limit_req_zone {{ $z.Key }} zone={{ $z.ZoneName }}:{{ $z.ZoneSize }} rate={{ $z.
 
 {{ $s := .Server }}
 server {
-    {{ if (eq $s.Gunzip "on") }}gunzip {{ $s.Gunzip }};{{end}}
+    {{ if $s.Gunzip }}gunzip on;{{end}}
     listen 80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};
     {{ if not $s.DisableIPV6 }}listen [::]:80{{ if $s.ProxyProtocol }} proxy_protocol{{ end }};{{ end }}
 

diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go
@@ -1,6 +1,7 @@
 package version2
 
 import (
+	"bytes"
 	"testing"
 )
 
@@ -38,6 +39,9 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipOn(t *testi
 	if err != nil {
 		t.Error(err)
 	}
+	if !bytes.Contains(got, []byte("gunzip on;")) {
+		t.Error("want `gunzip on` directive, got no directive")
+	}
 	t.Log(string(got))
 }
 
@@ -51,32 +55,25 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipOff(t *test
 	if err != nil {
 		t.Error(err)
 	}
-	t.Log(string(got))
-}
-
-func TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipEmpty(t *testing.T) {
-	t.Parallel()
-	executor, err := NewTemplateExecutor(nginxPlusVirtualServerTmpl, nginxPlusTransportServerTmpl)
-	if err != nil {
-		t.Fatal(err)
-	}
-	got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfgWithEmptyGunzip)
-	if err != nil {
-		t.Error(err)
+	if bytes.Contains(got, []byte("gunzip on;")) {
+		t.Error("want no directive, got `gunzip on`")
 	}
 	t.Log(string(got))
 }
 
-func TestExecuteVirtualServerTemplate_RendersTemplateWithoutServerGunzip(t *testing.T) {
+func TestExecuteVirtualServerTemplate_RendersTemplateWithServerGunzipNotSet(t *testing.T) {
 	t.Parallel()
 	executor, err := NewTemplateExecutor(nginxPlusVirtualServerTmpl, nginxPlusTransportServerTmpl)
 	if err != nil {
 		t.Fatal(err)
 	}
-	got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfg)
+	got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfgWithGunzipNotSet)
 	if err != nil {
 		t.Error(err)
 	}
+	if bytes.Contains(got, []byte("gunzip on;")) {
+		t.Error("want no directive, got `gunzip on` directive")
+	}
 	t.Log(string(got))
 }
 
@@ -853,7 +850,7 @@ var (
 					},
 				},
 			},
-			Gunzip: "on",
+			Gunzip: true,
 		},
 	}
 
@@ -1199,11 +1196,11 @@ var (
 					},
 				},
 			},
-			Gunzip: "off",
+			Gunzip: false,
 		},
 	}
 
-	virtualServerCfgWithEmptyGunzip = VirtualServerConfig{
+	virtualServerCfgWithGunzipNotSet = VirtualServerConfig{
 		LimitReqZones: []LimitReqZone{
 			{
 				ZoneName: "pol_rl_test_test_test", Rate: "10r/s", ZoneSize: "10m", Key: "$url",
@@ -1545,7 +1542,6 @@ var (
 					},
 				},
 			},
-			Gunzip: "",
 		},
 	}
 

diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
@@ -684,6 +684,7 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
 		HTTPSnippets:  httpSnippets,
 		Server: version2.Server{
 			ServerName:                vsEx.VirtualServer.Spec.Host,
+			Gunzip:                    vsEx.VirtualServer.Spec.Gunzip,
 			StatusZone:                vsEx.VirtualServer.Spec.Host,
 			ProxyProtocol:             vsc.cfgParams.ProxyProtocol,
 			SSL:                       sslConfig,