From 91866767636e9df9fd3f6f4be728e68cf7db5d44 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Wed, 6 Apr 2022 12:25:06 +0100 Subject: [PATCH 1/9] Add new cli flag --- cmd/nginx-ingress/main.go | 9 ++++++++- deployments/helm-chart/README.md | 1 + .../helm-chart/templates/controller-daemonset.yaml | 1 + .../helm-chart/templates/controller-deployment.yaml | 1 + deployments/helm-chart/values.yaml | 3 +++ .../global-configuration/command-line-arguments.md | 10 +++++++++- docs/content/configuration/policy-resource.md | 6 +----- 7 files changed, 24 insertions(+), 7 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index b6342c990d..0893025b9e 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -163,7 +163,10 @@ var ( "Enable custom resources") enablePreviewPolicies = flag.Bool("enable-preview-policies", false, - "Enable preview policies") + "Enable preview policies. This flag is deprecated in favour of enable-oidc.") + + enableOIDC = flag.Bool("enable-oidc", false, + "Enable OIDC Policies.") enableSnippets = flag.Bool("enable-snippets", false, "Enable custom NGINX configuration snippets in Ingress, VirtualServer, VirtualServerRoute and TransportServer resources.") @@ -250,6 +253,10 @@ func main() { glog.Fatal("enable-tls-passthrough flag requires -enable-custom-resources") } + if *enableOIDC && !*enablePreviewPolicies { + enablePreviewPolicies = enableOIDC + } + if *appProtect && !*nginxPlus { glog.Fatal("NGINX App Protect support is for NGINX Plus only") } diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index f0dfe2edf0..c8d1033bc6 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md 
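Review bot: `enablePreviewPolicies = enableOIDC` in the block added after the tls-passthrough check rebinds the flag pointer instead of copying the value, so both flag variables alias a single bool from then on; `*enablePreviewPolicies = true` states the intent and keeps the two flags independent. The same block adds no guard for the dependency the docs in this patch state (`-enable-oidc` "Requires -enable-custom-resources"), although the neighbouring checks fatal on exactly that pattern; `if *enableOIDC && !*enableCustomResources { glog.Fatal("enable-oidc flag requires -enable-custom-resources") }` would match them. The rewrites of this block in PATCH 3/9 and PATCH 6/9 keep that omission. main() begins and ends outside the hunk.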
@@ -183,6 +183,7 @@ Parameter | Description | Default `controller.watchNamespace` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | "" `controller.enableCustomResources` | Enable the custom resources. | true `controller.enablePreviewPolicies` | Enable preview policies. | false +`controller.enableOIDC` | Enable OIDC policies. | false `controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false `controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false `controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml index 140b084bf8..6c8a87c0ff 100644 --- a/deployments/helm-chart/templates/controller-daemonset.yaml +++ b/deployments/helm-chart/templates/controller-daemonset.yaml @@ -182,6 +182,7 @@ spec: - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }} - -enable-cert-manager={{ .Values.controller.enableCertManager }} + - -enable-oidc={{ .Values.controller.enableOIDC }} {{- if .Values.controller.globalConfiguration.create }} - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.name" . }} {{- end }} diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml index 021f7198b2..7990b04642 100644 --- a/deployments/helm-chart/templates/controller-deployment.yaml +++ b/deployments/helm-chart/templates/controller-deployment.yaml 
@@ -180,6 +180,7 @@ spec: - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }} - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }} - -enable-cert-manager={{ .Values.controller.enableCertManager }} + - -enable-oidc={{ .Values.controller.enableOIDC }} {{- if .Values.controller.globalConfiguration.create }} - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.name" . }} {{- end }} diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index b37471d0e1..439ed87fa1 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -165,6 +165,9 @@ controller: ## Enable preview policies. enablePreviewPolicies: false + ## Enable OIDC policies. + enableOIDC: false + ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources. enableTLSPassthrough: false diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md index 3812eb2df5..2a2e5e3249 100644 --- a/docs/content/configuration/global-configuration/command-line-arguments.md +++ b/docs/content/configuration/global-configuration/command-line-arguments.md @@ -59,7 +59,15 @@ Default `true`. ### -enable-preview-policies -Enables preview policies. +Enables preview policies. Deprecated in favour of [-enable-oidc](#cmdoption-enable-oidc). + +Default `false`. +  + + +### -enable-oidc + +Enables OIDC policies. Requires [-enable-custom-resources](#cmdoption-enable-custom-resources) Default `false`.   diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index cab154e016..81a0e2d497 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md 
@@ -276,7 +276,7 @@ In this example the Ingress Controller will use the configuration from the first ### OIDC -> **Feature Status**: OIDC is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller. +> **Feature Status**: This feature is disabled by default. To enable it, set the [enable-oidc](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-oidc) command-line argument of the Ingress Controller. The OIDC policy configures NGINX Plus as a relying party for OpenID Connect authentication. @@ -532,7 +532,3 @@ Status: ``` **Note**: If you make an existing resource invalid, the Ingress Controller will reject it. - -## Footnotes - -[^1]: Capabilities labeled in preview status are fully supported. From 19638135f8e84166839111f3b9de6b63a475756f Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Wed, 6 Apr 2022 12:46:55 +0100 Subject: [PATCH 2/9] Remove preview from description --- deployments/common/crds/k8s.nginx.org_policies.yaml | 2 +- deployments/helm-chart/crds/k8s.nginx.org_policies.yaml | 2 +- pkg/apis/configuration/v1/types.go | 1 - 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml index e9bbcd7fc1..05587bd0a3 100644 --- a/deployments/common/crds/k8s.nginx.org_policies.yaml +++ b/deployments/common/crds/k8s.nginx.org_policies.yaml @@ -99,7 +99,7 @@ spec: token: type: string oidc: - description: 'OIDC defines an Open ID Connect policy. policy status: preview' + description: OIDC defines an Open ID Connect policy. type: object properties: authEndpoint: 
diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml index e9bbcd7fc1..05587bd0a3 100644 --- a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml @@ -99,7 +99,7 @@ spec: token: type: string oidc: - description: 'OIDC defines an Open ID Connect policy. policy status: preview' + description: OIDC defines an Open ID Connect policy. type: object properties: authEndpoint: diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 9729cbc212..26137e808e 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -433,7 +433,6 @@ type EgressMTLS struct { } // OIDC defines an Open ID Connect policy. -// policy status: preview type OIDC struct { AuthEndpoint string `json:"authEndpoint"` TokenEndpoint string `json:"tokenEndpoint"` From 109ba562baa9203bbfad31331fc5978b87f1e612 Mon Sep 17 00:00:00 2001 From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Wed, 6 Apr 2022 16:19:49 +0100 Subject: [PATCH 3/9] update flag --- cmd/nginx-ingress/main.go | 7 ++++--- docs/content/installation/installation-with-manifests.md | 2 +- pkg/apis/configuration/validation/policy.go | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 0893025b9e..79bc04efff 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -164,7 +164,7 @@ var ( enablePreviewPolicies = flag.Bool("enable-preview-policies", false, "Enable preview policies. This flag is deprecated in favour of enable-oidc.") - + enableOIDC = flag.Bool("enable-oidc", false, "Enable OIDC Policies.") 
@@ -253,9 +253,10 @@ func main() { glog.Fatal("enable-tls-passthrough flag requires -enable-custom-resources") } - if *enableOIDC && !*enablePreviewPolicies { - enablePreviewPolicies = enableOIDC + if *enablePreviewPolicies { + glog.Warning("enable-preview-policies is deprecated. Please use -enable-oidc instead.") } + *enablePreviewPolicies = *enablePreviewPolicies || *enableOIDC if *appProtect && !*nginxPlus { glog.Fatal("NGINX App Protect support is for NGINX Plus only") diff --git a/docs/content/installation/installation-with-manifests.md b/docs/content/installation/installation-with-manifests.md index b2e7b2e23d..659d1e183e 100644 --- a/docs/content/installation/installation-with-manifests.md +++ b/docs/content/installation/installation-with-manifests.md @@ -90,7 +90,7 @@ If you would like to use the TCP and UDP load balancing features of the Ingress $ kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml ``` -> **Feature Status**: The Policy resources are available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. +> **Feature Status**: The OIDC Policy is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. ### Resources for NGINX App Protect diff --git a/pkg/apis/configuration/validation/policy.go b/pkg/apis/configuration/validation/policy.go index 4bb1e97b71..572ca8780e 100644 --- a/pkg/apis/configuration/validation/policy.go +++ b/pkg/apis/configuration/validation/policy.go 
@@ -56,7 +56,7 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab if spec.OIDC != nil { if !enablePreviewPolicies { allErrs = append(allErrs, field.Forbidden(fieldPath.Child("oidc"), - "oidc is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies")) + "OIDC policy must be enabled to use via cli argument -enable-oidc")) } if !isPlus { return append(allErrs, field.Forbidden(fieldPath.Child("oidc"), "OIDC is only supported in NGINX Plus")) From ed0e2a2aca1e60b262ad363304f53b58aaf16411 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Wed, 6 Apr 2022 17:42:36 +0100 Subject: [PATCH 4/9] Fix linting --- cmd/nginx-ingress/main.go | 2 +- .../global-configuration/command-line-arguments.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 79bc04efff..b05ad3c3f8 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -163,7 +163,7 @@ var ( "Enable custom resources") enablePreviewPolicies = flag.Bool("enable-preview-policies", false, - "Enable preview policies. This flag is deprecated in favour of enable-oidc.") + "Enable preview policies. This flag is deprecated in favor of enable-oidc.") enableOIDC = flag.Bool("enable-oidc", false, "Enable OIDC Policies.") diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md index 2a2e5e3249..63a92cf183 100644 --- a/docs/content/configuration/global-configuration/command-line-arguments.md +++ b/docs/content/configuration/global-configuration/command-line-arguments.md @@ -59,7 +59,7 @@ Default `true`. ### -enable-preview-policies -Enables preview policies. Deprecated in favour of [-enable-oidc](#cmdoption-enable-oidc). +Enables preview policies. Deprecated in favor of [-enable-oidc](#cmdoption-enable-oidc). Default `false`.   
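Review bot: The replacement Forbidden message `"OIDC policy must be enabled to use via cli argument -enable-oidc"` reads awkwardly ("must be enabled to use via"); a phrasing in the style of the NGINX Plus message two lines below, e.g. `"OIDC policies are disabled; enable them with the -enable-oidc command-line argument"`, says the same thing more plainly. The parameter gating this branch is still named `enablePreviewPolicies` at this commit, which works here only because main() folds `-enable-oidc` into it in the same patch, so the rename in PATCH 6/9 is what makes the message and the code agree. validatePolicySpec begins and ends outside the hunk.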
From a24576a93d5898688c6f3abf4bd7a4480f7bd804 Mon Sep 17 00:00:00 2001 From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Thu, 7 Apr 2022 11:21:01 +0100 Subject: [PATCH 5/9] Update documentation --- cmd/nginx-ingress/main.go | 4 +- deployments/helm-chart/README.md | 48 +++++++++---------- deployments/helm-chart/values.yaml | 2 +- .../installation/installation-with-helm.md | 3 +- .../installation-with-manifests.md | 8 +--- 5 files changed, 30 insertions(+), 35 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index b05ad3c3f8..2722d084d4 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -163,7 +163,7 @@ var ( "Enable custom resources") enablePreviewPolicies = flag.Bool("enable-preview-policies", false, - "Enable preview policies. This flag is deprecated in favor of enable-oidc.") + "Enable preview policies. This flag is deprecated. To enable OIDC Policies please use -enable-oidc instead.") enableOIDC = flag.Bool("enable-oidc", false, "Enable OIDC Policies.") @@ -254,7 +254,7 @@ func main() { } if *enablePreviewPolicies { - glog.Warning("enable-preview-policies is deprecated. Please use -enable-oidc instead.") + glog.Warning("enable-preview-policies is universally deprecated. To enable OIDC Policies please use -enable-oidc instead.") } *enablePreviewPolicies = *enablePreviewPolicies || *enableOIDC diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index c8d1033bc6..d767100a41 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md 
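Review bot: `"enable-preview-policies is universally deprecated. …"` in the glog.Warning adds "universally", which has no meaning for a single flag and does not appear in the matching help text rewritten in the first hunk of this file; `glog.Warning("enable-preview-policies is deprecated. To enable OIDC Policies please use -enable-oidc instead.")` keeps the two user-facing messages consistent. main() begins and ends outside the hunk.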
@@ -182,7 +182,7 @@ Parameter | Description | Default `controller.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass`. | false `controller.watchNamespace` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | "" `controller.enableCustomResources` | Enable the custom resources. | true -`controller.enablePreviewPolicies` | Enable preview policies. | false +`controller.enablePreviewPolicies` | Enable preview policies. This field is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false `controller.enableOIDC` | Enable OIDC policies. | false `controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false `controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false 
@@ -216,29 +216,29 @@ Parameter | Description | Default `controller.serviceAccount.name` | The name of the service account of the Ingress controller pods. Used for RBAC. | Autogenerated `controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" `controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true -`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated -`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" -`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. 
`controller.reportIngressStatus.enable` must be set to `true`. | true -`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated -`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} -`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} -`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} -`controller.appprotect.enable` | Enables the App Protect module in the Ingress Controller. | false -`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false -`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false -`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 -`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine -`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller -`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true -`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 -`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false -`rbac.create` | Configures RBAC. | true -`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | false -`prometheus.port` | Configures the port to scrape the metrics. 
| 9113 -`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http -`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" -`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false -`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false +`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated +`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" +`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. 
| true +`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated +`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} +`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} +`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} +`controller.appprotect.enable` | Enables the App Protect module in the Ingress Controller. | false +`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false +`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false +`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 +`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine +`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller +`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true +`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 +`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false +`rbac.create` | Configures RBAC. | true +`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | false +`prometheus.port` | Configures the port to scrape the metrics. | 9113 +`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. 
| http +`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" +`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false +`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false ## Notes * The values-icp.yaml file is used for deploying the Ingress controller on IBM Cloud Private. See the [blog post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index 439ed87fa1..c7fb7f085c 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -162,7 +162,7 @@ controller: ## Enable the custom resources. enableCustomResources: true - ## Enable preview policies. + ## Enable preview policies. This field is deprecated. To enable OIDC Policies please use controller.enableOIDC instead. enablePreviewPolicies: false ## Enable OIDC policies. diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index 6784676dea..5c2239d963 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md 
@@ -185,7 +185,8 @@ The following tables lists the configurable parameters of the NGINX Ingress cont |``controller.setAsDefaultIngress`` | New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. | false | |``controller.watchNamespace`` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | "" | |``controller.enableCustomResources`` | Enable the custom resources. | true | -|``controller.enablePreviewPolicies`` | Enable preview policies. | false | +|``controller.enablePreviewPolicies`` | Enable preview policies. This field is deprecated. To enable OIDC Policies please use ``controller.enableOIDC`` instead. | false | +|``controller.enableOIDC`` | Enable OIDC policies. | false | |``controller.enableTLSPassthrough`` | Enable TLS Passthrough on port 443. Requires ``controller.enableCustomResources``. | false | |``controller.globalConfiguration.create`` | Creates the GlobalConfiguration custom resource. Requires ``controller.enableCustomResources``. | false | |``controller.globalConfiguration.spec`` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {} | diff --git a/docs/content/installation/installation-with-manifests.md b/docs/content/installation/installation-with-manifests.md index 659d1e183e..4d1542addd 100644 --- a/docs/content/installation/installation-with-manifests.md +++ b/docs/content/installation/installation-with-manifests.md 
@@ -90,8 +90,6 @@ If you would like to use the TCP and UDP load balancing features of the Ingress $ kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml ``` -> **Feature Status**: The OIDC Policy is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. - ### Resources for NGINX App Protect If you would like to use the App Protect module, create the following additional resources: @@ -256,8 +254,4 @@ $ kubectl get pods --namespace=nginx-ingress ``` $ kubectl delete -f common/crds/ - ``` - -## Footnotes - -[^1]: Capabilities labeled in preview status are fully supported. + ``` \ No newline at end of file From 95c90022f8a1659c896576182aa9aeb1190c07b3 Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Thu, 7 Apr 2022 11:32:39 +0100 Subject: [PATCH 6/9] Remove all preview references from codebase. --- cmd/nginx-ingress/main.go | 6 +- internal/configs/config_params.go | 2 +- internal/configs/configmaps.go | 2 +- internal/configs/version1/config.go | 2 +- internal/configs/version1/nginx-plus.tmpl | 4 +- internal/k8s/controller.go | 14 +- pkg/apis/configuration/validation/policy.go | 10 +- .../configuration/validation/policy_test.go | 172 ++++++------------ 8 files changed, 72 insertions(+), 140 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 2722d084d4..5830441cbb 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -256,7 +256,7 @@ func main() { if *enablePreviewPolicies { glog.Warning("enable-preview-policies is universally deprecated. To enable OIDC Policies please use -enable-oidc instead.") } - *enablePreviewPolicies = *enablePreviewPolicies || *enableOIDC + *enableOIDC = *enablePreviewPolicies || *enableOIDC if *appProtect && !*nginxPlus { glog.Fatal("NGINX App Protect support is for NGINX Plus only") 
@@ -588,7 +588,7 @@ func main() { MainAppProtectLoadModule: *appProtect, MainAppProtectDosLoadModule: *appProtectDos, EnableLatencyMetrics: *enableLatencyMetrics, - EnablePreviewPolicies: *enablePreviewPolicies, + EnableOIDC: *enableOIDC, SSLRejectHandshake: sslRejectHandshake, EnableCertManager: *enableCertManager, } @@ -698,7 +698,7 @@ func main() { ConfigMaps: *nginxConfigMaps, GlobalConfiguration: *globalConfiguration, AreCustomResourcesEnabled: *enableCustomResources, - EnablePreviewPolicies: *enablePreviewPolicies, + EnableOIDC: *enableOIDC, MetricsCollector: controllerCollector, GlobalConfigurationValidator: globalConfigurationValidator, TransportServerValidator: transportServerValidator, diff --git a/internal/configs/config_params.go b/internal/configs/config_params.go index 1513384e19..ec3a81aff5 100644 --- a/internal/configs/config_params.go +++ b/internal/configs/config_params.go @@ -121,7 +121,7 @@ type StaticConfigParams struct { MainAppProtectDosLoadModule bool PodName string EnableLatencyMetrics bool - EnablePreviewPolicies bool + EnableOIDC bool SSLRejectHandshake bool EnableCertManager bool } diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go index f752f5d57f..a9d8b9ee64 100644 --- a/internal/configs/configmaps.go +++ b/internal/configs/configmaps.go @@ -593,7 +593,7 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config InternalRouteServer: staticCfgParams.EnableInternalRoutes, InternalRouteServerName: staticCfgParams.PodName, LatencyMetrics: staticCfgParams.EnableLatencyMetrics, - PreviewPolicies: staticCfgParams.EnablePreviewPolicies, + OIDC: staticCfgParams.EnableOIDC, } return nginxCfg } diff --git a/internal/configs/version1/config.go b/internal/configs/version1/config.go index f950f62c2c..cb6a63b182 100644 --- a/internal/configs/version1/config.go +++ b/internal/configs/version1/config.go 
@@ -212,7 +212,7 @@ type MainConfig struct { InternalRouteServer bool InternalRouteServerName string LatencyMetrics bool - PreviewPolicies bool + OIDC bool } // NewUpstreamWithDefaultServer creates an upstream with the default server. diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index 884a14ad20..3fc0686382 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -26,7 +26,7 @@ load_module modules/ngx_http_app_protect_dos_module.so; {{$value}}{{end}} {{- end}} -{{if .PreviewPolicies}} +{{if .OIDC}} load_module modules/ngx_http_js_module.so; {{- end}} @@ -137,7 +137,7 @@ http { {{if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}} {{end}} - {{if .PreviewPolicies}} + {{if .OIDC}} include oidc/oidc_common.conf; {{- end}} diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index d5062a8b5e..ed8762e3a5 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -148,7 +148,7 @@ type LoadBalancerController struct { controllerNamespace string wildcardTLSSecret string areCustomResourcesEnabled bool - enablePreviewPolicies bool + enableOIDC bool metricsCollector collectors.ControllerCollector globalConfigurationValidator *validation.GlobalConfigurationValidator transportServerValidator *validation.TransportServerValidator @@ -192,7 +192,7 @@ type NewLoadBalancerControllerInput struct { ConfigMaps string GlobalConfiguration string AreCustomResourcesEnabled bool - EnablePreviewPolicies bool + EnableOIDC bool MetricsCollector collectors.ControllerCollector GlobalConfigurationValidator *validation.GlobalConfigurationValidator TransportServerValidator *validation.TransportServerValidator 
@@ -227,7 +227,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc controllerNamespace: input.ControllerNamespace, wildcardTLSSecret: input.WildcardTLSSecret, areCustomResourcesEnabled: input.AreCustomResourcesEnabled, - enablePreviewPolicies: input.EnablePreviewPolicies, + enableOIDC: input.EnableOIDC, metricsCollector: input.MetricsCollector, globalConfigurationValidator: input.GlobalConfigurationValidator, transportServerValidator: input.TransportServerValidator, @@ -893,7 +893,7 @@ func (lbc *LoadBalancerController) syncPolicy(task task) { if polExists && lbc.HasCorrectIngressClass(obj) { pol := obj.(*conf_v1.Policy) - err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enablePreviewPolicies, lbc.appProtectEnabled) + err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enableOIDC, lbc.appProtectEnabled) if err != nil { msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err) lbc.recorder.Eventf(pol, api_v1.EventTypeWarning, "Rejected", msg) @@ -2093,7 +2093,7 @@ func (lbc *LoadBalancerController) updatePoliciesStatus() error { for _, obj := range lbc.policyLister.List() { pol := obj.(*conf_v1.Policy) - err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enablePreviewPolicies, lbc.appProtectEnabled) + err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enableOIDC, lbc.appProtectEnabled) if err != nil { msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err) err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateInvalid, "Rejected", msg) 
@@ -2641,7 +2641,7 @@ func (lbc *LoadBalancerController) getAllPolicies() []*conf_v1.Policy { for _, obj := range lbc.policyLister.List() { pol := obj.(*conf_v1.Policy) - err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enablePreviewPolicies, lbc.appProtectEnabled) + err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enableOIDC, lbc.appProtectEnabled) if err != nil { glog.V(3).Infof("Skipping invalid Policy %s/%s: %v", pol.Namespace, pol.Name, err) continue @@ -2683,7 +2683,7 @@ func (lbc *LoadBalancerController) getPolicies(policies []conf_v1.PolicyReferenc continue } - err = validation.ValidatePolicy(policy, lbc.isNginxPlus, lbc.enablePreviewPolicies, lbc.appProtectEnabled) + err = validation.ValidatePolicy(policy, lbc.isNginxPlus, lbc.enableOIDC, lbc.appProtectEnabled) if err != nil { errors = append(errors, fmt.Errorf("Policy %s is invalid: %w", policyKey, err)) continue diff --git a/pkg/apis/configuration/validation/policy.go b/pkg/apis/configuration/validation/policy.go index 572ca8780e..6bb834ff21 100644 --- a/pkg/apis/configuration/validation/policy.go +++ b/pkg/apis/configuration/validation/policy.go @@ -14,12 +14,12 @@ import ( ) // ValidatePolicy validates a Policy. -func ValidatePolicy(policy *v1.Policy, isPlus, enablePreviewPolicies, enableAppProtect bool) error { - allErrs := validatePolicySpec(&policy.Spec, field.NewPath("spec"), isPlus, enablePreviewPolicies, enableAppProtect) +func ValidatePolicy(policy *v1.Policy, isPlus, enableOIDC, enableAppProtect bool) error { + allErrs := validatePolicySpec(&policy.Spec, field.NewPath("spec"), isPlus, enableOIDC, enableAppProtect) return allErrs.ToAggregate() } -func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enablePreviewPolicies, enableAppProtect bool) field.ErrorList { +func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enableOIDC, enableAppProtect bool) field.ErrorList { allErrs := field.ErrorList{} fieldCount := 0 
@@ -54,9 +54,9 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab } if spec.OIDC != nil { - if !enablePreviewPolicies { + if !enableOIDC { allErrs = append(allErrs, field.Forbidden(fieldPath.Child("oidc"), - "OIDC policy must be enabled to use via cli argument -enable-oidc")) + "OIDC must be enabled via cli argument -enable-oidc to use OIDC policy")) } if !isPlus { return append(allErrs, field.Forbidden(fieldPath.Child("oidc"), "OIDC is only supported in NGINX Plus")) diff --git a/pkg/apis/configuration/validation/policy_test.go b/pkg/apis/configuration/validation/policy_test.go index e175220aac..073ca8a47f 100644 --- a/pkg/apis/configuration/validation/policy_test.go +++ b/pkg/apis/configuration/validation/policy_test.go @@ -10,11 +10,11 @@ import ( func TestValidatePolicy(t *testing.T) { t.Parallel() tests := []struct { - policy *v1.Policy - isPlus bool - enablePreviewPolicies bool - enableAppProtect bool - msg string + policy *v1.Policy + isPlus bool + enableOIDC bool + enableAppProtect bool + msg string }{ { policy: &v1.Policy{ @@ -24,9 +24,9 @@ func TestValidatePolicy(t *testing.T) { }, }, }, - isPlus: false, - enablePreviewPolicies: false, - enableAppProtect: false, + isPlus: false, + enableOIDC: false, + enableAppProtect: false, }, { policy: &v1.Policy{ @@ -37,10 +37,10 @@ func TestValidatePolicy(t *testing.T) { }, }, }, - isPlus: true, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "use jwt(plus only) policy", + isPlus: true, + enableOIDC: false, + enableAppProtect: false, + msg: "use jwt(plus only) policy", }, { policy: &v1.Policy{ @@ -55,9 +55,9 @@ func TestValidatePolicy(t *testing.T) { }, }, }, - isPlus: true, - enablePreviewPolicies: true, - msg: "use OIDC (plus only)", + isPlus: true, + enableOIDC: true, + msg: "use OIDC (plus only)", }, { policy: &v1.Policy{ 
@@ -67,82 +67,14 @@ func TestValidatePolicy(t *testing.T) { }, }, }, - isPlus: true, - enablePreviewPolicies: false, - enableAppProtect: true, - msg: "use WAF(plus only) policy", - }, - { - policy: &v1.Policy{ - Spec: v1.PolicySpec{ - WAF: &v1.WAF{ - Enable: true, - }, - }, - }, - isPlus: true, - enablePreviewPolicies: false, - enableAppProtect: true, - msg: "WAF policy with preview policies disabled", - }, - { - policy: &v1.Policy{ - Spec: v1.PolicySpec{ - RateLimit: &v1.RateLimit{ - Rate: "10r/s", - ZoneSize: "10M", - Key: "${request_uri}", - }, - }, - }, - isPlus: false, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "rateLimit policy with preview policies disabled", - }, - { - policy: &v1.Policy{ - Spec: v1.PolicySpec{ - JWTAuth: &v1.JWTAuth{ - Realm: "My Product API", - Secret: "my-jwk", - }, - }, - }, - isPlus: true, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "jwt policy with preview policies disabled", - }, - { - policy: &v1.Policy{ - Spec: v1.PolicySpec{ - IngressMTLS: &v1.IngressMTLS{ - ClientCertSecret: "mtls-secret", - }, - }, - }, - isPlus: false, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "ingressMTLS policy with preview policies disabled", - }, - { - policy: &v1.Policy{ - Spec: v1.PolicySpec{ - EgressMTLS: &v1.EgressMTLS{ - TLSSecret: "mtls-secret", - }, - }, - }, - isPlus: false, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "egressMTLS policy with preview policies disabled", + isPlus: true, + enableOIDC: false, + enableAppProtect: true, + msg: "use WAF(plus only) policy", }, } for _, test := range tests { - err := ValidatePolicy(test.policy, test.isPlus, test.enablePreviewPolicies, test.enableAppProtect) + err := ValidatePolicy(test.policy, test.isPlus, test.enableOIDC, test.enableAppProtect) if err != nil { t.Errorf("ValidatePolicy() returned error %v for valid input for the case of %v", err, test.msg) } 
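Review bot: Deleting the rateLimit, ingressMTLS and egressMTLS cases leaves TestValidatePolicy with no positive case for those three spec fields, so the top-level dispatch in validatePolicySpec (the single-field count and the plus-only checks) is no longer exercised for them on the OSS, flag-off path. Those cases were named after the preview flag, but what they actually pinned was that a non-OIDC policy validates with the flag off, which is still a meaningful property under `enableOIDC`. Keeping one case per field with `enableOIDC: false` and a message such as `"rateLimit policy with OIDC disabled"` costs nothing and preserves that coverage. If per-field tests such as a TestValidateRateLimit exist elsewhere in this file they cover the field validators, not the spec-level gating. The test table starts and ends outside the hunk.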
@@ -152,20 +84,20 @@ func TestValidatePolicy(t *testing.T) { func TestValidatePolicyFails(t *testing.T) { t.Parallel() tests := []struct { - policy *v1.Policy - isPlus bool - enablePreviewPolicies bool - enableAppProtect bool - msg string + policy *v1.Policy + isPlus bool + enableOIDC bool + enableAppProtect bool + msg string }{ { policy: &v1.Policy{ Spec: v1.PolicySpec{}, }, - isPlus: false, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "empty policy spec", + isPlus: false, + enableOIDC: false, + enableAppProtect: false, + msg: "empty policy spec", }, { policy: &v1.Policy{ @@ -180,10 +112,10 @@ func TestValidatePolicyFails(t *testing.T) { }, }, }, - isPlus: true, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "multiple policies in spec", + isPlus: true, + enableOIDC: false, + enableAppProtect: false, + msg: "multiple policies in spec", }, { policy: &v1.Policy{ @@ -194,10 +126,10 @@ func TestValidatePolicyFails(t *testing.T) { }, }, }, - isPlus: false, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "jwt(plus only) policy on OSS", + isPlus: false, + enableOIDC: false, + enableAppProtect: false, + msg: "jwt(plus only) policy on OSS", }, { policy: &v1.Policy{ @@ -207,10 +139,10 @@ func TestValidatePolicyFails(t *testing.T) { }, }, }, - isPlus: false, - enablePreviewPolicies: false, - enableAppProtect: false, - msg: "WAF(plus only) policy on OSS", + isPlus: false, + enableOIDC: false, + enableAppProtect: false, + msg: "WAF(plus only) policy on OSS", }, { policy: &v1.Policy{ @@ -225,9 +157,9 @@ func TestValidatePolicyFails(t *testing.T) { }, }, }, - isPlus: true, - enablePreviewPolicies: false, - msg: "OIDC policy with preview policies disabled", + isPlus: true, + enableOIDC: false, + msg: "OIDC policy with enable OIDC flag disabled", }, { policy: &v1.Policy{ 
@@ -242,9 +174,9 @@ func TestValidatePolicyFails(t *testing.T) { }, }, }, - isPlus: false, - enablePreviewPolicies: true, - msg: "OIDC policy in OSS", + isPlus: false, + enableOIDC: true, + msg: "OIDC policy in OSS", }, { policy: &v1.Policy{ @@ -254,14 +186,14 @@ func TestValidatePolicyFails(t *testing.T) { }, }, }, - isPlus: true, - enablePreviewPolicies: true, - enableAppProtect: false, - msg: "WAF policy with AP disabled", + isPlus: true, + enableOIDC: false, + enableAppProtect: false, + msg: "WAF policy with AP disabled", }, } for _, test := range tests { - err := ValidatePolicy(test.policy, test.isPlus, test.enablePreviewPolicies, test.enableAppProtect) + err := ValidatePolicy(test.policy, test.isPlus, test.enableOIDC, test.enableAppProtect) if err == nil { t.Errorf("ValidatePolicy() returned no error for invalid input") } From 6cd72a6d9d19de330ba8bea19a71b341a0de561c Mon Sep 17 00:00:00 2001 From: Ciara Stacke Date: Thu, 7 Apr 2022 15:34:20 +0100 Subject: [PATCH 7/9] Revert the whitespace changes to the Helm README --- deployments/helm-chart/README.md | 46 +++++++++---------- .../installation-with-manifests.md | 2 +- 2 files changed, 24 insertions(+), 24 deletions(-) diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index d767100a41..a871b93c35 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md 
@@ -216,29 +216,29 @@ Parameter | Description | Default `controller.serviceAccount.name` | The name of the service account of the Ingress controller pods. Used for RBAC. | Autogenerated `controller.serviceAccount.imagePullSecretName` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. | "" `controller.reportIngressStatus.enable` | Updates the address field in the status of Ingress resources with an external address of the Ingress controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService`, `controller.reportIngressStatus.ingressLink` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence over the others. | true -`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated -`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" -`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. 
`controller.reportIngressStatus.enable` must be set to `true`. | true -`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated -`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} -`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} -`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} -`controller.appprotect.enable` | Enables the App Protect module in the Ingress Controller. | false -`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false -`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false -`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 -`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine -`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller -`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true -`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 -`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false -`rbac.create` | Configures RBAC. | true -`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | false -`prometheus.port` | Configures the port to scrape the metrics. 
| 9113 -`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http -`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" -`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false -`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false +`controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress controller is exposed externally. The external address of the service is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. The default is autogenerated and enabled when `controller.service.create` is set to `true` and `controller.service.type` is set to `LoadBalancer`. | Autogenerated +`controller.reportIngressStatus.ingressLink` | Specifies the name of the IngressLink resource, which exposes the Ingress Controller pods via a BIG-IP system. The IP of the BIG-IP system is used when reporting the status of Ingress, VirtualServer and VirtualServerRoute resources. `controller.reportIngressStatus.enable` must be set to `true`. | "" +`controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. 
| true +`controller.reportIngressStatus.leaderElectionLockName` | Specifies the name of the ConfigMap, within the same namespace as the controller, used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. | Autogenerated +`controller.reportIngressStatus.annotations` | The annotations of the leader election configmap. | {} +`controller.pod.annotations` | The annotations of the Ingress Controller pod. | {} +`controller.pod.extraLabels` | The additional extra labels of the Ingress Controller pod. | {} +`controller.appprotect.enable` | Enables the App Protect module in the Ingress Controller. | false +`controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false +`controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false +`controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 +`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine +`controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller +`controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true +`controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 +`controller.enableLatencyMetrics` | Enable collection of latency metrics for upstreams. Requires `prometheus.create`. | false +`rbac.create` | Configures RBAC. | true +`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | false +`prometheus.port` | Configures the port to scrape the metrics. | 9113 +`prometheus.scheme` | Configures the HTTP scheme to use for connections to the Prometheus endpoint. 
| http +`prometheus.secret` | The namespace / name of a Kubernetes TLS Secret. If specified, this secret is used to secure the Prometheus endpoint with TLS connections. | "" +`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false +`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false ## Notes * The values-icp.yaml file is used for deploying the Ingress controller on IBM Cloud Private. See the [blog post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. diff --git a/docs/content/installation/installation-with-manifests.md b/docs/content/installation/installation-with-manifests.md index 4d1542addd..553db50eb0 100644 --- a/docs/content/installation/installation-with-manifests.md +++ b/docs/content/installation/installation-with-manifests.md @@ -254,4 +254,4 @@ $ kubectl get pods --namespace=nginx-ingress ``` $ kubectl delete -f common/crds/ - ``` \ No newline at end of file + ``` From 480df7b6670c8d448da47d499154da704a6233a4 Mon Sep 17 00:00:00 2001 From: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> Date: Thu, 7 Apr 2022 17:47:59 +0100 Subject: [PATCH 8/9] Update deployments/helm-chart/README.md Co-authored-by: Luca Comellini --- deployments/helm-chart/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index a871b93c35..5efb5a5505 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md 
@@ -227,7 +227,7 @@ Parameter | Description | Default `controller.appprotectdos.enable` | Enables the App Protect DoS module in the Ingress Controller. | false `controller.appprotectdos.debug` | Enable debugging for App Protect DoS. | false `controller.appprotectdos.maxDaemons` | Max number of ADMD instances. | 1 -`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine +`controller.appprotectdos.maxWorkers` | Max number of nginx processes to support. | Number of CPU cores in the machine `controller.appprotectdos.memory` | RAM memory size to consume in MB. | 50% of free RAM in the container or 80MB, the smaller `controller.readyStatus.enable` | Enables the readiness endpoint `"/nginx-ready"`. The endpoint returns a success code when NGINX has loaded all the config after the startup. This also configures a readiness probe for the Ingress Controller pods that uses the readiness endpoint. | true `controller.readyStatus.port` | The HTTP port for the readiness endpoint. | 8081 From d883a063327c535668064d5529bff2bdf42c32f8 Mon Sep 17 00:00:00 2001 From: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> Date: Fri, 8 Apr 2022 07:27:06 +0100 Subject: [PATCH 9/9] Apply suggestions from code review Co-authored-by: Michael Pleshakov --- deployments/helm-chart/README.md | 2 +- deployments/helm-chart/values.yaml | 2 +- .../global-configuration/command-line-arguments.md | 4 ++-- docs/content/installation/installation-with-helm.md | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index 5efb5a5505..9cc6bdd6cd 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md 
@@ -182,7 +182,7 @@ Parameter | Description | Default `controller.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass`. | false `controller.watchNamespace` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | "" `controller.enableCustomResources` | Enable the custom resources. | true -`controller.enablePreviewPolicies` | Enable preview policies. This field is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false +`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false `controller.enableOIDC` | Enable OIDC policies. | false `controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false `controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index c7fb7f085c..542aa81b2a 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -162,7 +162,7 @@ controller: ## Enable the custom resources. enableCustomResources: true - ## Enable preview policies. This field is deprecated. To enable OIDC Policies please use controller.enableOIDC instead. + ## Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use controller.enableOIDC instead. enablePreviewPolicies: false ## Enable OIDC policies. diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md index 63a92cf183..03bd7f3624 100644 
--- a/docs/content/configuration/global-configuration/command-line-arguments.md +++ b/docs/content/configuration/global-configuration/command-line-arguments.md @@ -59,7 +59,7 @@ Default `true`. ### -enable-preview-policies -Enables preview policies. Deprecated in favor of [-enable-oidc](#cmdoption-enable-oidc). +Enables preview policies. This flag is deprecated. To enable OIDC Policies please[-enable-oidc](#cmdoption-enable-oidc) instead. Default `false`.   @@ -67,7 +67,7 @@ Default `false`. ### -enable-oidc -Enables OIDC policies. Requires [-enable-custom-resources](#cmdoption-enable-custom-resources) +Enables OIDC policies. Default `false`.   diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index 5c2239d963..197ee76c1e 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md 
@@ -185,7 +185,7 @@ The following tables lists the configurable parameters of the NGINX Ingress cont |``controller.setAsDefaultIngress`` | New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. | false | |``controller.watchNamespace`` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | "" | |``controller.enableCustomResources`` | Enable the custom resources. | true | -|``controller.enablePreviewPolicies`` | Enable preview policies. This field is deprecated. To enable OIDC Policies please use ``controller.enableOIDC`` instead. | false | +|``controller.enablePreviewPolicies`` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use ``controller.enableOIDC`` instead. | false | |``controller.enableOIDC`` | Enable OIDC policies. | false | |``controller.enableTLSPassthrough`` | Enable TLS Passthrough on port 443. Requires ``controller.enableCustomResources``. | false | |``controller.globalConfiguration.create`` | Creates the GlobalConfiguration custom resource. Requires ``controller.enableCustomResources``. | false |