Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unbind policy from preview policies #2566

Merged
merged 8 commits into from
Apr 6, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions deployments/common/crds/k8s.nginx.org_policies.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ spec:
type: object
properties:
accessControl:
description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
description: AccessControl defines an access policy based on the source IP of a request.
type: object
properties:
allow:
Expand All @@ -55,7 +55,7 @@ spec:
items:
type: string
egressMTLS:
description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
description: EgressMTLS defines an Egress MTLS policy.
type: object
properties:
ciphers:
Expand All @@ -79,7 +79,7 @@ spec:
ingressClassName:
type: string
ingressMTLS:
description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
description: IngressMTLS defines an Ingress MTLS policy.
type: object
properties:
clientCertSecret:
Expand All @@ -89,7 +89,7 @@ spec:
verifyDepth:
type: integer
jwt:
description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
description: JWTAuth holds JWT authentication configuration.
type: object
properties:
realm:
Expand All @@ -99,7 +99,7 @@ spec:
token:
type: string
oidc:
description: OIDC defines an Open ID Connect policy.
description: 'OIDC defines an Open ID Connect policy. policy status: preview'
type: object
properties:
authEndpoint:
Expand All @@ -117,7 +117,7 @@ spec:
tokenEndpoint:
type: string
rateLimit:
description: 'RateLimit defines a rate limit policy. policy status: preview'
description: RateLimit defines a rate limit policy.
type: object
properties:
burst:
Expand All @@ -139,7 +139,7 @@ spec:
zoneSize:
type: string
waf:
description: 'WAF defines an WAF policy. policy status: preview'
description: WAF defines an WAF policy.
type: object
properties:
apPolicy:
Expand Down
14 changes: 7 additions & 7 deletions deployments/helm-chart/crds/k8s.nginx.org_policies.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ spec:
type: object
properties:
accessControl:
description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
description: AccessControl defines an access policy based on the source IP of a request.
type: object
properties:
allow:
Expand All @@ -55,7 +55,7 @@ spec:
items:
type: string
egressMTLS:
description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
description: EgressMTLS defines an Egress MTLS policy.
type: object
properties:
ciphers:
Expand All @@ -79,7 +79,7 @@ spec:
ingressClassName:
type: string
ingressMTLS:
description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
description: IngressMTLS defines an Ingress MTLS policy.
type: object
properties:
clientCertSecret:
Expand All @@ -89,7 +89,7 @@ spec:
verifyDepth:
type: integer
jwt:
description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
description: JWTAuth holds JWT authentication configuration.
type: object
properties:
realm:
Expand All @@ -99,7 +99,7 @@ spec:
token:
type: string
oidc:
description: OIDC defines an Open ID Connect policy.
description: 'OIDC defines an Open ID Connect policy. policy status: preview'
type: object
properties:
authEndpoint:
Expand All @@ -117,7 +117,7 @@ spec:
tokenEndpoint:
type: string
rateLimit:
description: 'RateLimit defines a rate limit policy. policy status: preview'
description: RateLimit defines a rate limit policy.
type: object
properties:
burst:
Expand All @@ -139,7 +139,7 @@ spec:
zoneSize:
type: string
waf:
description: 'WAF defines an WAF policy. policy status: preview'
description: WAF defines an WAF policy.
type: object
properties:
apPolicy:
Expand Down
8 changes: 0 additions & 8 deletions docs/content/configuration/policy-resource.md
Original file line number Diff line number Diff line change
Expand Up @@ -94,8 +94,6 @@ policies:

### RateLimit

> **Feature Status**: Rate-Limiting is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.

The rate limit policy configures NGINX to limit the processing rate of requests.

For example, the following policy will limit all subsequent requests coming from a single IP address once a rate of 10 requests per second is exceeded:
Expand Down Expand Up @@ -136,8 +134,6 @@ When you reference more than one rate limit policy, the Ingress Controller will

### JWT

> **Feature Status**: JWT is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.

> Note: This feature is only available in NGINX Plus.

The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens.
Expand Down Expand Up @@ -189,8 +185,6 @@ In this example the Ingress Controller will use the configuration from the first

### IngressMTLS

> **Feature Status**: IngressMTLS is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.

The IngressMTLS policy configures client certificate verification.

For example, the following policy will verify a client certificate using the CA certificate specified in the `ingress-mtls-secret`:
Expand Down Expand Up @@ -243,8 +237,6 @@ In this example the Ingress Controller will use the configuration from the first

### EgressMTLS

> **Feature Status**: EgressMTLS is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.

The EgressMTLS policy configures upstreams authentication and certificate verification.

For example, the following policy will use `egress-mtls-secret` to authenticate with the upstream application and `egress-trusted-ca-secret` to verify the certificate of the application:
Expand Down
2 changes: 1 addition & 1 deletion docs/content/installation/installation-with-manifests.md
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ If you would like to use the TCP and UDP load balancing features of the Ingress
$ kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml
```

> **Feature Status**: The TransportServer, GlobalConfiguration and Policy resources are available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default.
> **Feature Status**: The Policy resources are available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default.

### Resources for NGINX App Protect

Expand Down
7 changes: 1 addition & 6 deletions pkg/apis/configuration/v1/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -374,14 +374,12 @@ type PolicyList struct {
}

// AccessControl defines an access policy based on the source IP of a request.
// policy status: production-ready
type AccessControl struct {
Allow []string `json:"allow"`
Deny []string `json:"deny"`
}

// RateLimit defines a rate limit policy.
// policy status: preview
type RateLimit struct {
Rate string `json:"rate"`
Key string `json:"key"`
Expand All @@ -395,23 +393,20 @@ type RateLimit struct {
}

// JWTAuth holds JWT authentication configuration.
// policy status: preview
type JWTAuth struct {
Realm string `json:"realm"`
Secret string `json:"secret"`
Token string `json:"token"`
}

// IngressMTLS defines an Ingress MTLS policy.
// policy status: preview
type IngressMTLS struct {
ClientCertSecret string `json:"clientCertSecret"`
VerifyClient string `json:"verifyClient"`
VerifyDepth *int `json:"verifyDepth"`
}

// EgressMTLS defines an Egress MTLS policy.
// policy status: preview
type EgressMTLS struct {
TLSSecret string `json:"tlsSecret"`
VerifyServer bool `json:"verifyServer"`
Expand All @@ -425,6 +420,7 @@ type EgressMTLS struct {
}

// OIDC defines an Open ID Connect policy.
// policy status: preview
type OIDC struct {
AuthEndpoint string `json:"authEndpoint"`
TokenEndpoint string `json:"tokenEndpoint"`
Expand All @@ -436,7 +432,6 @@ type OIDC struct {
}

// WAF defines an WAF policy.
// policy status: preview
type WAF struct {
Enable bool `json:"enable"`
ApPolicy string `json:"apPolicy"`
Expand Down
16 changes: 0 additions & 16 deletions pkg/apis/configuration/validation/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,19 +30,11 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab
}

if spec.RateLimit != nil {
if !enablePreviewPolicies {
return append(allErrs, field.Forbidden(fieldPath.Child("rateLimit"),
"rateLimit is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
}
allErrs = append(allErrs, validateRateLimit(spec.RateLimit, fieldPath.Child("rateLimit"), isPlus)...)
fieldCount++
}

if spec.JWTAuth != nil {
if !enablePreviewPolicies {
allErrs = append(allErrs, field.Forbidden(fieldPath.Child("jwt"),
"jwt is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
}
if !isPlus {
return append(allErrs, field.Forbidden(fieldPath.Child("jwt"), "jwt secrets are only supported in NGINX Plus"))
}
Expand All @@ -52,19 +44,11 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab
}

if spec.IngressMTLS != nil {
if !enablePreviewPolicies {
return append(allErrs, field.Forbidden(fieldPath.Child("ingressMTLS"),
"ingressMTLS is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
}
allErrs = append(allErrs, validateIngressMTLS(spec.IngressMTLS, fieldPath.Child("ingressMTLS"))...)
fieldCount++
}

if spec.EgressMTLS != nil {
if !enablePreviewPolicies {
return append(allErrs, field.Forbidden(fieldPath.Child("egressMTLS"),
"egressMTLS is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
}
allErrs = append(allErrs, validateEgressMTLS(spec.EgressMTLS, fieldPath.Child("egressMTLS"))...)
fieldCount++
}
Expand Down
Loading