From 09427b8f05f0ac2946abfcca5c332e46df6a9a5a Mon Sep 17 00:00:00 2001
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Date: Wed, 23 Mar 2022 14:01:32 +0000
Subject: [PATCH 1/7] Remove requirement of preview flag for policy
---
 pkg/apis/configuration/validation/policy.go | 24 +--
 .../configuration/validation/policy_test.go | 140 +++++++++---------
 2 files changed, 72 insertions(+), 92 deletions(-)
diff --git a/pkg/apis/configuration/validation/policy.go b/pkg/apis/configuration/validation/policy.go
index af6d6a6508..5ec6a1065f 100644
--- a/pkg/apis/configuration/validation/policy.go
+++ b/pkg/apis/configuration/validation/policy.go
@@ -15,11 +15,11 @@ import (
 // ValidatePolicy validates a Policy.
 func ValidatePolicy(policy *v1.Policy, isPlus, enablePreviewPolicies, enableAppProtect bool) error {
- allErrs := validatePolicySpec(&policy.Spec, field.NewPath("spec"), isPlus, enablePreviewPolicies, enableAppProtect)
+ allErrs := validatePolicySpec(&policy.Spec, field.NewPath("spec"), isPlus, enableAppProtect)
 return allErrs.ToAggregate()
 }
-func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enablePreviewPolicies, enableAppProtect bool) field.ErrorList {
+func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enableAppProtect bool) field.ErrorList {
 allErrs := field.ErrorList{}
 fieldCount := 0
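Review bot: `enablePreviewPolicies` stays in the exported `ValidatePolicy` signature but is no longer forwarded to `validatePolicySpec`, so after this hunk it is a dead parameter that every caller, including the `enablePreviewPolicies` field of the test table in the policy_test.go hunks of this patch, keeps setting with no effect. If it is retained on purpose for call-site compatibility, say so where the signature is read, e.g. `// ValidatePolicy validates a Policy. enablePreviewPolicies is currently ignored and is kept only so existing call sites keep compiling.`; otherwise remove it from the signature and its callers in the same commit so the flag cannot be mistaken for a live gate. The body of validatePolicySpec continues past the end of the hunk.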
@@ -30,19 +30,11 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab
 }
 if spec.RateLimit != nil {
- if !enablePreviewPolicies {
- return append(allErrs, field.Forbidden(fieldPath.Child("rateLimit"),
- "rateLimit is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
- }
 allErrs = append(allErrs, validateRateLimit(spec.RateLimit, fieldPath.Child("rateLimit"), isPlus)...)
 fieldCount++
 }
 if spec.JWTAuth != nil {
- if !enablePreviewPolicies {
- allErrs = append(allErrs, field.Forbidden(fieldPath.Child("jwt"),
- "jwt is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
- }
 if !isPlus {
 return append(allErrs, field.Forbidden(fieldPath.Child("jwt"), "jwt secrets are only supported in NGINX Plus"))
 }
@@ -52,28 +44,16 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab
 }
 if spec.IngressMTLS != nil {
- if !enablePreviewPolicies {
- return append(allErrs, field.Forbidden(fieldPath.Child("ingressMTLS"),
- "ingressMTLS is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
- }
 allErrs = append(allErrs, validateIngressMTLS(spec.IngressMTLS, fieldPath.Child("ingressMTLS"))...)
 fieldCount++
 }
 if spec.EgressMTLS != nil {
- if !enablePreviewPolicies {
- return append(allErrs, field.Forbidden(fieldPath.Child("egressMTLS"),
- "egressMTLS is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
- }
 allErrs = append(allErrs, validateEgressMTLS(spec.EgressMTLS, fieldPath.Child("egressMTLS"))...)
 fieldCount++
 }
 if spec.OIDC != nil {
- if !enablePreviewPolicies {
- allErrs = append(allErrs, field.Forbidden(fieldPath.Child("oidc"),
- "oidc is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
- }
 if !isPlus {
 return append(allErrs, field.Forbidden(fieldPath.Child("oidc"), "OIDC is only supported in NGINX Plus"))
 }
diff --git a/pkg/apis/configuration/validation/policy_test.go b/pkg/apis/configuration/validation/policy_test.go
index 1e47c7a718..c46c809cee 100644
--- a/pkg/apis/configuration/validation/policy_test.go
+++ b/pkg/apis/configuration/validation/policy_test.go
@@ -85,50 +85,20 @@ func TestValidatePolicy(t *testing.T) { enableAppProtect: true, msg: "WAF policy with preview policies disabled", }, - } - for _, test := range tests { - err := ValidatePolicy(test.policy, test.isPlus, test.enablePreviewPolicies, test.enableAppProtect) - if err != nil { - t.Errorf("ValidatePolicy() returned error %v for valid input for the case of %v", err, test.msg) - } - } -} - -func TestValidatePolicyFails(t *testing.T) { - t.Parallel() - tests := []struct { - policy *v1.Policy - isPlus bool - enablePreviewPolicies bool - enableAppProtect bool - msg string - }{ - { - policy: &v1.Policy{ - Spec: v1.PolicySpec{}, - }, - isPlus: false, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "empty policy spec", - }, { policy: &v1.Policy{ Spec: v1.PolicySpec{ - AccessControl: &v1.AccessControl{ - Allow: []string{"127.0.0.1"}, - }, RateLimit: &v1.RateLimit{ - Key: "${uri}", - ZoneSize: "10M", Rate: "10r/s", + ZoneSize: "10M", + Key: "${request_uri}", }, }, }, - isPlus: true, - enablePreviewPolicies: true, + isPlus: false, + enablePreviewPolicies: false, enableAppProtect: false, - msg: "multiple policies in spec", + msg: "rateLimit policy with preview policies disabled", }, { policy: &v1.Policy{ 
@@ -139,95 +109,125 @@ func TestValidatePolicyFails(t *testing.T) { }, }, }, - isPlus: false, - enablePreviewPolicies: true, + isPlus: true, + enablePreviewPolicies: false, enableAppProtect: false, - msg: "jwt(plus only) policy on OSS", + msg: "jwt policy with preview policies disabled", }, { policy: &v1.Policy{ Spec: v1.PolicySpec{ - WAF: &v1.WAF{ - Enable: true, + IngressMTLS: &v1.IngressMTLS{ + ClientCertSecret: "mtls-secret", }, }, }, isPlus: false, - enablePreviewPolicies: true, + enablePreviewPolicies: false, enableAppProtect: false, - msg: "WAF(plus only) policy on OSS", + msg: "ingressMTLS policy with preview policies disabled", }, { policy: &v1.Policy{ Spec: v1.PolicySpec{ - RateLimit: &v1.RateLimit{ - Rate: "10r/s", - ZoneSize: "10M", - Key: "${request_uri}", + EgressMTLS: &v1.EgressMTLS{ + TLSSecret: "mtls-secret", }, }, }, isPlus: false, enablePreviewPolicies: false, enableAppProtect: false, - msg: "rateLimit policy with preview policies disabled", + msg: "egressMTLS policy with preview policies disabled", }, { policy: &v1.Policy{ Spec: v1.PolicySpec{ - JWTAuth: &v1.JWTAuth{ - Realm: "My Product API", - Secret: "my-jwk", + OIDC: &v1.OIDC{ + AuthEndpoint: "https://foo.bar/auth", + TokenEndpoint: "https://foo.bar/token", + JWKSURI: "https://foo.bar/certs", + ClientID: "random-string", + ClientSecret: "random-secret", + Scope: "openid", }, }, }, isPlus: true, enablePreviewPolicies: false, + msg: "OIDC policy with preview policies disabled", + }, + } + for _, test := range tests { + err := ValidatePolicy(test.policy, test.isPlus, test.enablePreviewPolicies, test.enableAppProtect) + if err != nil { + t.Errorf("ValidatePolicy() returned error %v for valid input for the case of %v", err, test.msg) + } + } +} + +func TestValidatePolicyFails(t *testing.T) { + t.Parallel() + tests := []struct { + policy *v1.Policy + isPlus bool + enablePreviewPolicies bool + enableAppProtect bool + msg string + }{ + { + policy: &v1.Policy{ + Spec: v1.PolicySpec{}, + }, + isPlus: 
false, + enablePreviewPolicies: false, enableAppProtect: false, - msg: "jwt policy with preview policies disabled", + msg: "empty policy spec", }, { policy: &v1.Policy{ Spec: v1.PolicySpec{ - IngressMTLS: &v1.IngressMTLS{ - ClientCertSecret: "mtls-secret", + AccessControl: &v1.AccessControl{ + Allow: []string{"127.0.0.1"}, + }, + RateLimit: &v1.RateLimit{ + Key: "${uri}", + ZoneSize: "10M", + Rate: "10r/s", }, }, }, - isPlus: false, - enablePreviewPolicies: false, + isPlus: true, + enablePreviewPolicies: true, enableAppProtect: false, - msg: "ingressMTLS policy with preview policies disabled", + msg: "multiple policies in spec", }, { policy: &v1.Policy{ Spec: v1.PolicySpec{ - EgressMTLS: &v1.EgressMTLS{ - TLSSecret: "mtls-secret", + JWTAuth: &v1.JWTAuth{ + Realm: "My Product API", + Secret: "my-jwk", }, }, }, isPlus: false, - enablePreviewPolicies: false, + enablePreviewPolicies: true, enableAppProtect: false, - msg: "egressMTLS policy with preview policies disabled", + msg: "jwt(plus only) policy on OSS", }, { policy: &v1.Policy{ Spec: v1.PolicySpec{ - OIDC: &v1.OIDC{ - AuthEndpoint: "https://foo.bar/auth", - TokenEndpoint: "https://foo.bar/token", - JWKSURI: "https://foo.bar/certs", - ClientID: "random-string", - ClientSecret: "random-secret", - Scope: "openid", + WAF: &v1.WAF{ + Enable: true, }, }, }, - isPlus: true, - enablePreviewPolicies: false, - msg: "OIDC policy with preview policies disabled", + isPlus: false, + enablePreviewPolicies: true, + enableAppProtect: false, + msg: "WAF(plus only) policy on OSS", }, { policy: &v1.Policy{ From 375470fa4f9b1ea8627f83a1490f159ef072a4a7 Mon Sep 17 00:00:00 2001 
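Review bot: The new valid-case entry "OIDC policy with preview policies disabled" in the `@@ -139,95 +109,125 @@` hunk sets `isPlus` and `enablePreviewPolicies` but omits `enableAppProtect`, unlike every other entry in the table; the zero value is false so the outcome is unchanged, but the table no longer reads uniformly and a reader has to know the struct's zero value to see which flag combination is being exercised. Add `enableAppProtect: false,` after `enablePreviewPolicies: false,` in that entry. The same omission reappears when the entry is moved into TestValidatePolicyFails in patch 5 (the `@@ -225,10 +209,27 @@` hunk of policy_test.go).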
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Tue, 29 Mar 2022 15:45:47 +0100 Subject: [PATCH 2/7] Update automated tests --- pkg/apis/configuration/v1/types.go | 4 ---- tests/suite/test_ingress_mtls.py | 2 -- tests/suite/test_jwt_policies.py | 1 - tests/suite/test_jwt_policies_vsr.py | 1 - tests/suite/test_policy_ingress_class.py | 1 - tests/suite/test_rl_policies.py | 1 - tests/suite/test_rl_policies_vsr.py | 1 - 7 files changed, 11 deletions(-) diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 390fb06225..12512611a5 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -381,7 +381,6 @@ type AccessControl struct { } // RateLimit defines a rate limit policy. -// policy status: preview type RateLimit struct { Rate string `json:"rate"` Key string `json:"key"` @@ -395,7 +394,6 @@ type RateLimit struct { } // JWTAuth holds JWT authentication configuration. -// policy status: preview type JWTAuth struct { Realm string `json:"realm"` Secret string `json:"secret"` @@ -403,7 +401,6 @@ type JWTAuth struct { } // IngressMTLS defines an Ingress MTLS policy. -// policy status: preview type IngressMTLS struct { ClientCertSecret string `json:"clientCertSecret"` VerifyClient string `json:"verifyClient"` @@ -411,7 +408,6 @@ type IngressMTLS struct { } // EgressMTLS defines an Egress MTLS policy. -// policy status: preview type EgressMTLS struct { TLSSecret string `json:"tlsSecret"` VerifyServer bool `json:"verifyServer"` diff --git a/tests/suite/test_ingress_mtls.py b/tests/suite/test_ingress_mtls.py index 0ae45a8153..64fa56e1cc 100644 --- a/tests/suite/test_ingress_mtls.py +++ b/tests/suite/test_ingress_mtls.py @@ -69,7 +69,6 @@ def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret "type": "complete", "extra_args": [ f"-enable-leader-election=false", - f"-enable-preview-policies", ], }, { 
@@ -246,7 +245,6 @@ def test_ingress_mtls_policy_cert( "type": "complete", "extra_args": [ f"-enable-leader-election=false", - f"-enable-preview-policies", ], }, {"example": "virtual-server-route"}, diff --git a/tests/suite/test_jwt_policies.py b/tests/suite/test_jwt_policies.py index 95d5153843..91d43bd00d 100644 --- a/tests/suite/test_jwt_policies.py +++ b/tests/suite/test_jwt_policies.py @@ -59,7 +59,6 @@ "type": "complete", "extra_args": [ f"-enable-custom-resources", - f"-enable-preview-policies", f"-enable-leader-election=false", ], }, diff --git a/tests/suite/test_jwt_policies_vsr.py b/tests/suite/test_jwt_policies_vsr.py index c8526e133b..50d147b690 100644 --- a/tests/suite/test_jwt_policies_vsr.py +++ b/tests/suite/test_jwt_policies_vsr.py @@ -65,7 +65,6 @@ "type": "complete", "extra_args": [ f"-enable-custom-resources", - f"-enable-preview-policies", f"-enable-leader-election=false", ], }, diff --git a/tests/suite/test_policy_ingress_class.py b/tests/suite/test_policy_ingress_class.py index 95e750229f..3d4715c153 100644 --- a/tests/suite/test_policy_ingress_class.py +++ b/tests/suite/test_policy_ingress_class.py @@ -36,7 +36,6 @@ "type": "complete", "extra_args": [ f"-enable-custom-resources", - f"-enable-preview-policies", f"-enable-leader-election=false", ], }, diff --git a/tests/suite/test_rl_policies.py b/tests/suite/test_rl_policies.py index 20d920219d..950305d3a1 100644 --- a/tests/suite/test_rl_policies.py +++ b/tests/suite/test_rl_policies.py @@ -39,7 +39,6 @@ "type": "complete", "extra_args": [ f"-enable-custom-resources", - f"-enable-preview-policies", f"-enable-leader-election=false", ], }, diff --git a/tests/suite/test_rl_policies_vsr.py b/tests/suite/test_rl_policies_vsr.py index b4687ed433..aa130db89d 100644 --- a/tests/suite/test_rl_policies_vsr.py +++ b/tests/suite/test_rl_policies_vsr.py @@ -46,7 +46,6 @@ "type": "complete", "extra_args": [ f"-enable-custom-resources", - f"-enable-preview-policies", f"-enable-leader-election=false", ], }, 
From e5fee41e4b1a9ae599f5a837e12374e49705bf92 Mon Sep 17 00:00:00 2001 From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Wed, 30 Mar 2022 10:37:17 +0100 Subject: [PATCH 3/7] Remove preview policy requirement --- internal/configs/version1/nginx-plus.tmpl | 4 ---- 1 file changed, 4 deletions(-) diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index 87967d6c9b..c1e26364d5 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -26,9 +26,7 @@ load_module modules/ngx_http_app_protect_dos_module.so; {{$value}}{{end}} {{- end}} -{{if .PreviewPolicies}} load_module modules/ngx_http_js_module.so; -{{- end}} events { worker_connections {{.WorkerConnections}}; @@ -137,9 +135,7 @@ http { {{if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}} {{end}} - {{if .PreviewPolicies}} include oidc/oidc_common.conf; - {{- end}} server { # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes From 0aee8ec261353e8908ce4f4dc929974c874b4324 Mon Sep 17 00:00:00 2001 From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Wed, 30 Mar 2022 19:18:29 +0100 Subject: [PATCH 4/7] Update documentation and descriptions in crd --- deployments/common/crds/k8s.nginx.org_policies.yaml | 12 ++++++------ .../helm-chart/crds/k8s.nginx.org_policies.yaml | 12 ++++++------ docs/content/configuration/policy-resource.md | 13 +++++++------ .../installation/installation-with-manifests.md | 4 ++-- pkg/apis/configuration/v1/types.go | 2 -- tests/suite/test_app_protect_waf_policies_grpc.py | 2 -- 6 files changed, 21 insertions(+), 24 deletions(-) diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml index 00ff87b1b6..05587bd0a3 100644 --- a/deployments/common/crds/k8s.nginx.org_policies.yaml +++ b/deployments/common/crds/k8s.nginx.org_policies.yaml 
@@ -43,7 +43,7 @@ spec: type: object properties: accessControl: - description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready' + description: AccessControl defines an access policy based on the source IP of a request. type: object properties: allow: @@ -55,7 +55,7 @@ spec: items: type: string egressMTLS: - description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview' + description: EgressMTLS defines an Egress MTLS policy. type: object properties: ciphers: @@ -79,7 +79,7 @@ spec: ingressClassName: type: string ingressMTLS: - description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview' + description: IngressMTLS defines an Ingress MTLS policy. type: object properties: clientCertSecret: @@ -89,7 +89,7 @@ spec: verifyDepth: type: integer jwt: - description: 'JWTAuth holds JWT authentication configuration. policy status: preview' + description: JWTAuth holds JWT authentication configuration. type: object properties: realm: @@ -117,7 +117,7 @@ spec: tokenEndpoint: type: string rateLimit: - description: 'RateLimit defines a rate limit policy. policy status: preview' + description: RateLimit defines a rate limit policy. type: object properties: burst: @@ -139,7 +139,7 @@ spec: zoneSize: type: string waf: - description: 'WAF defines an WAF policy. policy status: preview' + description: WAF defines an WAF policy. type: object properties: apPolicy: diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml index 00ff87b1b6..05587bd0a3 100644 --- a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml 
@@ -43,7 +43,7 @@ spec: type: object properties: accessControl: - description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready' + description: AccessControl defines an access policy based on the source IP of a request. type: object properties: allow: @@ -55,7 +55,7 @@ spec: items: type: string egressMTLS: - description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview' + description: EgressMTLS defines an Egress MTLS policy. type: object properties: ciphers: @@ -79,7 +79,7 @@ spec: ingressClassName: type: string ingressMTLS: - description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview' + description: IngressMTLS defines an Ingress MTLS policy. type: object properties: clientCertSecret: @@ -89,7 +89,7 @@ spec: verifyDepth: type: integer jwt: - description: 'JWTAuth holds JWT authentication configuration. policy status: preview' + description: JWTAuth holds JWT authentication configuration. type: object properties: realm: @@ -117,7 +117,7 @@ spec: tokenEndpoint: type: string rateLimit: - description: 'RateLimit defines a rate limit policy. policy status: preview' + description: RateLimit defines a rate limit policy. type: object properties: burst: @@ -139,7 +139,7 @@ spec: zoneSize: type: string waf: - description: 'WAF defines an WAF policy. policy status: preview' + description: WAF defines an WAF policy. type: object properties: apPolicy: diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index 76c4b71e7e..f4db67a72c 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md 
@@ -94,7 +94,7 @@ policies: ### RateLimit -> **Feature Status**: Rate-Limiting is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. +> **Feature Status**: Rate-Limiting is in preview status until release 2.1.2.[^1] The rate limit policy configures NGINX to limit the processing rate of requests. @@ -136,7 +136,7 @@ When you reference more than one rate limit policy, the Ingress Controller will ### JWT -> **Feature Status**: JWT is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. +> **Feature Status**: JWT is in preview status until release 2.1.2.[^1] > Note: This feature is only available in NGINX Plus. @@ -189,7 +189,7 @@ In this example the Ingress Controller will use the configuration from the first ### IngressMTLS -> **Feature Status**: IngressMTLS is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. +> **Feature Status**: IngressMTLS is in preview status until release 2.1.2.[^1] The IngressMTLS policy configures client certificate verification. 
@@ -243,7 +243,7 @@ In this example the Ingress Controller will use the configuration from the first ### EgressMTLS -> **Feature Status**: EgressMTLS is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. +> **Feature Status**: EgressMTLS is in preview status until release 2.1.2.[^1] The EgressMTLS policy configures upstreams authentication and certificate verification. @@ -284,7 +284,7 @@ In this example the Ingress Controller will use the configuration from the first ### OIDC -> **Feature Status**: OIDC is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. +> **Feature Status**: OIDC is in preview status until release 2.1.2.[^1] The OIDC policy configures NGINX Plus as a relying party for OpenID Connect authentication. @@ -543,4 +543,5 @@ Status: ## Footnotes -[^1]: Capabilities labeled in preview status are fully supported. +[^1]: Capabilities labeled in preview status are fully supported. The preview status is used in releases up to 2.1.2 and is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. From release 2.2.0, the capabilities are no longer in preview status and do not require the command-line argument. + 
diff --git a/docs/content/installation/installation-with-manifests.md b/docs/content/installation/installation-with-manifests.md index 59740c6877..5da4b5cccd 100644 --- a/docs/content/installation/installation-with-manifests.md +++ b/docs/content/installation/installation-with-manifests.md @@ -90,7 +90,7 @@ If you would like to use the TCP and UDP load balancing features of the Ingress $ kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml ``` -> **Feature Status**: The TransportServer, GlobalConfiguration and Policy resources are available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. +> **Feature Status**: The Policy resources are in preview status until release 2.1.2.[^1] ### Resources for NGINX App Protect @@ -260,4 +260,4 @@ $ kubectl get pods --namespace=nginx-ingress ## Footnotes -[^1]: Capabilities labeled in preview status are fully supported. +[^1]: Capabilities labeled in preview status are fully supported. The preview status is used in releases up to 2.1.2 and is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. From release 2.2.0, the capabilities are no longer in preview status and do not require the command-line argument. diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 12512611a5..eddc8c4ae1 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -374,7 +374,6 @@ type PolicyList struct { } // AccessControl defines an access policy based on the source IP of a request. -// policy status: production-ready type AccessControl struct { Allow []string `json:"allow"` Deny []string `json:"deny"` 
@@ -432,7 +431,6 @@ type OIDC struct { } // WAF defines an WAF policy. -// policy status: preview type WAF struct { Enable bool `json:"enable"` ApPolicy string `json:"apPolicy"` diff --git a/tests/suite/test_app_protect_waf_policies_grpc.py b/tests/suite/test_app_protect_waf_policies_grpc.py index 263318a1e8..14147f5bf4 100644 --- a/tests/suite/test_app_protect_waf_policies_grpc.py +++ b/tests/suite/test_app_protect_waf_policies_grpc.py @@ -223,7 +223,6 @@ def grpc_waf_allow(kube_apis, test_namespace, public_ip, vs_host, port_ssl): f"-enable-custom-resources", f"-enable-leader-election=false", f"-enable-app-protect", - f"-enable-preview-policies", ], }, ], @@ -287,7 +286,6 @@ def test_responses_grpc_allow( f"-enable-custom-resources", f"-enable-leader-election=false", f"-enable-app-protect", - f"-enable-preview-policies", ], }, ], From 51c03d5cc9138d11db45a2a423c78dfe129bca90 Mon Sep 17 00:00:00 2001 From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Tue, 5 Apr 2022 11:37:53 +0100 Subject: [PATCH 5/7] Add preview policy requirement to OIDC --- .../common/crds/k8s.nginx.org_policies.yaml | 2 +- .../crds/k8s.nginx.org_policies.yaml | 2 +- docs/content/configuration/policy-resource.md | 13 +----- internal/configs/version1/nginx-plus.tmpl | 4 ++ pkg/apis/configuration/v1/types.go | 1 + pkg/apis/configuration/validation/policy.go | 8 +++- .../configuration/validation/policy_test.go | 45 ++++++++++--------- 7 files changed, 38 insertions(+), 37 deletions(-) diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml index 05587bd0a3..e9bbcd7fc1 100644 --- a/deployments/common/crds/k8s.nginx.org_policies.yaml +++ b/deployments/common/crds/k8s.nginx.org_policies.yaml @@ -99,7 +99,7 @@ spec: token: type: string oidc: - description: OIDC defines an Open ID Connect policy. + description: 'OIDC defines an Open ID Connect policy. policy status: preview' type: object properties: authEndpoint: 
diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml index 05587bd0a3..e9bbcd7fc1 100644 --- a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml @@ -99,7 +99,7 @@ spec: token: type: string oidc: - description: OIDC defines an Open ID Connect policy. + description: 'OIDC defines an Open ID Connect policy. policy status: preview' type: object properties: authEndpoint: diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index f4db67a72c..cab154e016 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md @@ -94,8 +94,6 @@ policies: ### RateLimit -> **Feature Status**: Rate-Limiting is in preview status until release 2.1.2.[^1] - The rate limit policy configures NGINX to limit the processing rate of requests. For example, the following policy will limit all subsequent requests coming from a single IP address once a rate of 10 requests per second is exceeded: @@ -136,8 +134,6 @@ When you reference more than one rate limit policy, the Ingress Controller will ### JWT -> **Feature Status**: JWT is in preview status until release 2.1.2.[^1] - > Note: This feature is only available in NGINX Plus. The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens. @@ -189,8 +185,6 @@ In this example the Ingress Controller will use the configuration from the first ### IngressMTLS -> **Feature Status**: IngressMTLS is in preview status until release 2.1.2.[^1] - The IngressMTLS policy configures client certificate verification. For example, the following policy will verify a client certificate using the CA certificate specified in the `ingress-mtls-secret`: 
@@ -243,8 +237,6 @@ In this example the Ingress Controller will use the configuration from the first ### EgressMTLS -> **Feature Status**: EgressMTLS is in preview status until release 2.1.2.[^1] - The EgressMTLS policy configures upstreams authentication and certificate verification. For example, the following policy will use `egress-mtls-secret` to authenticate with the upstream application and `egress-trusted-ca-secret` to verify the certificate of the application: @@ -284,7 +276,7 @@ In this example the Ingress Controller will use the configuration from the first ### OIDC -> **Feature Status**: OIDC is in preview status until release 2.1.2.[^1] +> **Feature Status**: OIDC is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. The OIDC policy configures NGINX Plus as a relying party for OpenID Connect authentication. @@ -543,5 +535,4 @@ Status: ## Footnotes -[^1]: Capabilities labeled in preview status are fully supported. The preview status is used in releases up to 2.1.2 and is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. From release 2.2.0, the capabilities are no longer in preview status and do not require the command-line argument. - +[^1]: Capabilities labeled in preview status are fully supported. diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index c1e26364d5..87967d6c9b 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl 
@@ -26,7 +26,9 @@ load_module modules/ngx_http_app_protect_dos_module.so; {{$value}}{{end}} {{- end}} +{{if .PreviewPolicies}} load_module modules/ngx_http_js_module.so; +{{- end}} events { worker_connections {{.WorkerConnections}}; @@ -135,7 +137,9 @@ http { {{if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}} {{end}} + {{if .PreviewPolicies}} include oidc/oidc_common.conf; + {{- end}} server { # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index eddc8c4ae1..d0ef60e8c4 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -420,6 +420,7 @@ type EgressMTLS struct { } // OIDC defines an Open ID Connect policy. +// policy status: preview type OIDC struct { AuthEndpoint string `json:"authEndpoint"` TokenEndpoint string `json:"tokenEndpoint"` diff --git a/pkg/apis/configuration/validation/policy.go b/pkg/apis/configuration/validation/policy.go index 5ec6a1065f..4bb1e97b71 100644 --- a/pkg/apis/configuration/validation/policy.go +++ b/pkg/apis/configuration/validation/policy.go @@ -15,11 +15,11 @@ import ( // ValidatePolicy validates a Policy. func ValidatePolicy(policy *v1.Policy, isPlus, enablePreviewPolicies, enableAppProtect bool) error { - allErrs := validatePolicySpec(&policy.Spec, field.NewPath("spec"), isPlus, enableAppProtect) + allErrs := validatePolicySpec(&policy.Spec, field.NewPath("spec"), isPlus, enablePreviewPolicies, enableAppProtect) return allErrs.ToAggregate() } -func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enableAppProtect bool) field.ErrorList { +func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enablePreviewPolicies, enableAppProtect bool) field.ErrorList { allErrs := field.ErrorList{} fieldCount := 0 
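Review bot: The doc comment `// ValidatePolicy validates a Policy.` on the exported function in the `@@ -15,11 +15,11 @@` policy.go hunk does not say what the three boolean gates mean, and after this patch `enablePreviewPolicies` gates exactly one policy type, which a reader can only discover by walking the rest of validatePolicySpec. Suggest `// ValidatePolicy validates a Policy. isPlus gates policy types that need NGINX Plus; enablePreviewPolicies gates policy types still marked preview (currently only oidc).`, and describe `enableAppProtect` in the same sentence once its gate is confirmed (the test hunk's "use WAF(plus only) policy" case suggests it guards the WAF policy, but that check is outside this hunk). The bodies of both functions continue past the hunk.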
@@ -54,6 +54,10 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab } if spec.OIDC != nil { + if !enablePreviewPolicies { + allErrs = append(allErrs, field.Forbidden(fieldPath.Child("oidc"), + "oidc is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies")) + } if !isPlus { return append(allErrs, field.Forbidden(fieldPath.Child("oidc"), "OIDC is only supported in NGINX Plus")) } diff --git a/pkg/apis/configuration/validation/policy_test.go b/pkg/apis/configuration/validation/policy_test.go index c46c809cee..45306f011d 100644 --- a/pkg/apis/configuration/validation/policy_test.go +++ b/pkg/apis/configuration/validation/policy_test.go @@ -38,7 +38,7 @@ func TestValidatePolicy(t *testing.T) { }, }, isPlus: true, - enablePreviewPolicies: true, + enablePreviewPolicies: false, enableAppProtect: false, msg: "use jwt(plus only) policy", }, @@ -68,7 +68,7 @@ func TestValidatePolicy(t *testing.T) { }, }, isPlus: true, - enablePreviewPolicies: true, + enablePreviewPolicies: false, enableAppProtect: true, msg: "use WAF(plus only) policy", }, @@ -100,6 +100,7 @@ func TestValidatePolicy(t *testing.T) { enableAppProtect: false, msg: "rateLimit policy with preview policies disabled", }, + { policy: &v1.Policy{ Spec: v1.PolicySpec{ @@ -140,23 +141,6 @@ func TestValidatePolicy(t *testing.T) { enableAppProtect: false, msg: "egressMTLS policy with preview policies disabled", }, - { - policy: &v1.Policy{ - Spec: v1.PolicySpec{ - OIDC: &v1.OIDC{ - AuthEndpoint: "https://foo.bar/auth", - TokenEndpoint: "https://foo.bar/token", - JWKSURI: "https://foo.bar/certs", - ClientID: "random-string", - ClientSecret: "random-secret", - Scope: "openid", - }, - }, - }, - isPlus: true, - enablePreviewPolicies: false, - msg: "OIDC policy with preview policies disabled", - }, } for _, test := range tests { err := ValidatePolicy(test.policy, test.isPlus, test.enablePreviewPolicies, test.enableAppProtect) 
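Review bot: The re-added oidc preview gate appends its Forbidden error and falls through, while the `!isPlus` check directly below it returns, so a spec with the flag off is reported for the missing flag and then again by every later oidc check (and on OSS both Forbidden errors stack). If the gate is meant to short-circuit like the Plus check, change it to `return append(allErrs, field.Forbidden(fieldPath.Child("oidc"),` with the message on the next line; if the stacking is intended so the user sees the remaining problems in one round, a one-line comment saying so would stop the next reader from "fixing" it. The rest of validatePolicySpec, including whatever follows the `!isPlus` check, is outside the hunk.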
@@ -198,7 +182,7 @@ func TestValidatePolicyFails(t *testing.T) {
 },
 },
 isPlus: true,
- enablePreviewPolicies: true,
+ enablePreviewPolicies: false,
 enableAppProtect: false,
 msg: "multiple policies in spec",
 },
@@ -212,7 +196,7 @@ func TestValidatePolicyFails(t *testing.T) {
 },
 },
 isPlus: false,
- enablePreviewPolicies: true,
+ enablePreviewPolicies: false,
 enableAppProtect: false,
 msg: "jwt(plus only) policy on OSS",
 },
@@ -225,10 +209,27 @@ func TestValidatePolicyFails(t *testing.T) {
 },
 },
 isPlus: false,
- enablePreviewPolicies: true,
+ enablePreviewPolicies: false,
 enableAppProtect: false,
 msg: "WAF(plus only) policy on OSS",
 },
+ {
+ policy: &v1.Policy{
+ Spec: v1.PolicySpec{
+ OIDC: &v1.OIDC{
+ AuthEndpoint: "https://foo.bar/auth",
+ TokenEndpoint: "https://foo.bar/token",
+ JWKSURI: "https://foo.bar/certs",
+ ClientID: "random-string",
+ ClientSecret: "random-secret",
+ Scope: "openid",
+ },
+ },
+ },
+ isPlus: true,
+ enablePreviewPolicies: false,
+ msg: "OIDC policy with preview policies disabled",
+ },
 {
 policy: &v1.Policy{
 Spec: v1.PolicySpec{
From 706aea7269a8564906dbe24c418d8c259cc05deb Mon Sep 17 00:00:00 2001
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Date: Tue, 5 Apr 2022 11:45:08 +0100
Subject: [PATCH 6/7] Update documentation
---
 docs/content/installation/installation-with-manifests.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/content/installation/installation-with-manifests.md b/docs/content/installation/installation-with-manifests.md
index 5da4b5cccd..b2e7b2e23d 100644
--- a/docs/content/installation/installation-with-manifests.md
+++ b/docs/content/installation/installation-with-manifests.md
@@ -90,7 +90,7 @@ If you would like to use the TCP and UDP load balancing features of the Ingress
 $ kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml
 ```
-> **Feature Status**: The Policy resources are in preview status until release 2.1.2.[^1]
+> **Feature Status**: The Policy resources are available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default.
 ### Resources for NGINX App Protect
@@ -260,4 +260,4 @@ $ kubectl get pods --namespace=nginx-ingress
 ## Footnotes
-[^1]: Capabilities labeled in preview status are fully supported. The preview status is used in releases up to 2.1.2 and is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. From release 2.2.0, the capabilities are no longer in preview status and do not require the command-line argument.
+[^1]: Capabilities labeled in preview status are fully supported.
From 8e6f52fdc2687c7b1c350d8725755a608a1b9ed9 Mon Sep 17 00:00:00 2001
From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Date: Tue, 5 Apr 2022 11:49:48 +0100
Subject: [PATCH 7/7] linting
---
 pkg/apis/configuration/validation/policy_test.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/pkg/apis/configuration/validation/policy_test.go b/pkg/apis/configuration/validation/policy_test.go
index 45306f011d..e175220aac 100644
--- a/pkg/apis/configuration/validation/policy_test.go
+++ b/pkg/apis/configuration/validation/policy_test.go
@@ -100,7 +100,6 @@ func TestValidatePolicy(t *testing.T) {
 enableAppProtect: false,
 msg: "rateLimit policy with preview policies disabled",
 },
-
 {
 policy: &v1.Policy{
 Spec: v1.PolicySpec{
