From e12d63bd01bc6f17c12144136b95c0279f66dd8c Mon Sep 17 00:00:00 2001 From: Hans Feldt <2808287+hafe@users.noreply.github.com> Date: Tue, 18 Oct 2022 20:08:43 +0200 Subject: [PATCH 1/3] Watch subset of namespaces for secrets Add new command line option "watch-secret-namespace" that can be used to configure namespaces watched for secrets. Closes #3154 --- cmd/nginx-ingress/flags.go | 20 +++++++++++++++++++ cmd/nginx-ingress/main.go | 9 ++++++--- deployments/helm-chart/README.md | 1 + .../templates/controller-daemonset.yaml | 3 +++ .../templates/controller-deployment.yaml | 3 +++ deployments/helm-chart/values.yaml | 3 +++ .../installation/installation-with-helm.md | 1 + internal/k8s/controller.go | 5 ++++- 8 files changed, 41 insertions(+), 4 deletions(-) diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go index 239aae2624..bbeaaff1c5 100644 --- a/cmd/nginx-ingress/flags.go +++ b/cmd/nginx-ingress/flags.go @@ -40,6 +40,11 @@ var ( watchNamespaces []string + watchSecretNamespace = flag.String("watch-secret-namespace", "", + `Comma separated list of namespaces the Ingress Controller should watch for secrets. By default the Ingress Controller watches all namespaces`) + + watchSecretNamespaces []string + nginxConfigMaps = flag.String("nginx-configmaps", "", `A ConfigMap resource for customizing NGINX configuration. If a ConfigMap is set, but the Ingress Controller is not able to fetch it from Kubernetes API, the Ingress Controller will fail to start. @@ -200,6 +205,16 @@ func parseFlags(versionInfo string, binaryInfo string) { glog.Info(binaryInfo) watchNamespaces = strings.Split(*watchNamespace, ",") + glog.Infof("Namespaces watched: %v", watchNamespaces) + + if len(*watchSecretNamespace) > 0 { + watchSecretNamespaces = strings.Split(*watchSecretNamespace, ",") + } else { + // empty => default to watched namespaces + watchSecretNamespaces = watchNamespaces + } + + glog.Infof("Namespaces watched for secrets: %v", watchSecretNamespaces) validationChecks() @@ -314,6 +329,11 @@ func validationChecks() { glog.Fatalf("Invalid values for namespaces: %v", namespacesNameValidationError) } + namespacesNameValidationError = validateNamespaceNames(watchSecretNamespaces) + if namespacesNameValidationError != nil { + glog.Fatalf("Invalid values for secret namespaces: %v", namespacesNameValidationError) + } + statusPortValidationError := validatePort(*nginxStatusPort) if statusPortValidationError != nil { glog.Fatalf("Invalid value for nginx-status-port: %v", statusPortValidationError) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 83a68f7b04..0d1b90e9ad 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -47,7 +47,9 @@ func main() { validateIngressClass(kubeClient) - checkNamespaceExists(kubeClient) + checkNamespaceExists(kubeClient, watchNamespaces) + + checkNamespaceExists(kubeClient, watchSecretNamespaces) dynClient, confClient := createCustomClients(config) @@ -121,6 +123,7 @@ func main() { RestConfig: config, ResyncPeriod: 30 * time.Second, Namespace: watchNamespaces, + SecretNamespace: watchSecretNamespaces, NginxConfigurator: cnf, DefaultServerSecret: *defaultServerSecret, AppProtectEnabled: *appProtect, @@ -234,8 +237,8 @@ func validateIngressClass(kubeClient kubernetes.Interface) { } } -func checkNamespaceExists(kubeClient kubernetes.Interface) { - for _, ns := range watchNamespaces { +func checkNamespaceExists(kubeClient kubernetes.Interface, namespaces []string) { + for _, ns := range namespaces { if ns != "" { _, err := kubeClient.CoreV1().Namespaces().Get(context.TODO(), ns, meta_v1.GetOptions{}) if err != nil { diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index bbac839578..4117149ee5 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md @@ -187,6 +187,7 @@ Parameter | Description | Default `controller.ingressClass` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of kubernetes. | nginx `controller.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass`. | false `controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" +`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" `controller.enableCustomResources` | Enable the custom resources. | true `controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false `controller.enableOIDC` | Enable OIDC policies. | false diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml index 6a109bfe1c..7b311fa2d8 100644 --- a/deployments/helm-chart/templates/controller-daemonset.yaml +++ b/deployments/helm-chart/templates/controller-daemonset.yaml @@ -163,6 +163,9 @@ spec: - -ingress-class={{ .Values.controller.ingressClass }} {{- if .Values.controller.watchNamespace }} - -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} + - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} {{- end }} - -health-status={{ .Values.controller.healthStatus }} - -health-status-uri={{ .Values.controller.healthStatusURI }} diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml index ba1cb22ce2..9ec53bf972 100644 --- a/deployments/helm-chart/templates/controller-deployment.yaml +++ b/deployments/helm-chart/templates/controller-deployment.yaml @@ -166,6 +166,9 @@ spec: - -ingress-class={{ .Values.controller.ingressClass }} {{- if .Values.controller.watchNamespace }} - -watch-namespace={{ .Values.controller.watchNamespace }} +{{- end }} +{{- if .Values.controller.watchSecretNamespace }} + - -watch-secret-namespace={{ .Values.controller.watchSecretNamespace }} {{- end }} - -health-status={{ .Values.controller.healthStatus }} - -health-status-uri={{ .Values.controller.healthStatusURI }} diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index 984e2da311..85788bd8b8 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -186,6 +186,9 @@ controller: ## Comma separated list of namespaces to watch for Ingress resources. By default the Ingress Controller watches all namespaces. watchNamespace: "" + ## Comma separated list of namespaces to watch for Secret resources. By default the Ingress Controller watches all namespaces. + watchSecretNamespace: "" + ## Enable the custom resources. enableCustomResources: true diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index 204565bb0a..1e01471f25 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md @@ -185,6 +185,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |``controller.ingressClass`` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of kubernetes. | nginx | |``controller.setAsDefaultIngress`` | New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. | false | |``controller.watchNamespace`` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. ``--set controller.watchNamespace="default\,nginx-ingress"``. | "" | +|``controller.watchSecretNamespace`` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. ``--set controller.watchSecretNamespace="default\,nginx-ingress"``. | "" | |``controller.enableCustomResources`` | Enable the custom resources. | true | |``controller.enablePreviewPolicies`` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use ``controller.enableOIDC`` instead. | false | |``controller.enableOIDC`` | Enable OIDC policies. | false | diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index cf5a9d4e5b..64822d1d62 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -150,6 +150,7 @@ type LoadBalancerController struct { leaderElectionLockName string resync time.Duration namespaceList []string + secretNamespaceList []string controllerNamespace string wildcardTLSSecret string areCustomResourcesEnabled bool @@ -184,6 +185,7 @@ type NewLoadBalancerControllerInput struct { RestConfig *rest.Config ResyncPeriod time.Duration Namespace []string + SecretNamespace []string NginxConfigurator *configs.Configurator DefaultServerSecret string AppProtectEnabled bool @@ -234,6 +236,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc leaderElectionLockName: input.LeaderElectionLockName, resync: input.ResyncPeriod, namespaceList: input.Namespace, + secretNamespaceList: input.SecretNamespace, controllerNamespace: input.ControllerNamespace, wildcardTLSSecret: input.WildcardTLSSecret, areCustomResourcesEnabled: input.AreCustomResourcesEnabled, @@ -297,7 +300,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc } // Creating a separate informer for secrets. - for _, ns := range lbc.namespaceList { + for _, ns := range lbc.secretNamespaceList { lbc.secretInformerFactory = append(lbc.secretInformerFactory, informers.NewSharedInformerFactoryWithOptions(lbc.client, input.ResyncPeriod, informers.WithNamespace(ns), informers.WithTweakListOptions(secretsTweakListOptionsFunc))) } From 52b97a6a40f2f575ca32a0ecb0c3a6de5e1d6839 Mon Sep 17 00:00:00 2001 From: Hans Feldt <2808287+hafe@users.noreply.github.com> Date: Tue, 8 Nov 2022 19:08:29 +0100 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- cmd/nginx-ingress/flags.go | 2 +- deployments/helm-chart/README.md | 2 +- docs/content/installation/installation-with-helm.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go index bbeaaff1c5..a57b827c3c 100644 --- a/cmd/nginx-ingress/flags.go +++ b/cmd/nginx-ingress/flags.go @@ -41,7 +41,7 @@ var ( watchNamespaces []string watchSecretNamespace = flag.String("watch-secret-namespace", "", - `Comma separated list of namespaces the Ingress Controller should watch for secrets. By default the Ingress Controller watches all namespaces`) + `Comma separated list of namespaces the Ingress Controller should watch for secrets. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `watch-namespace`. `) watchSecretNamespaces []string diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index 4117149ee5..65a402e799 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md @@ -187,7 +187,7 @@ Parameter | Description | Default `controller.ingressClass` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of kubernetes. | nginx `controller.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass`. | false `controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" -`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" +`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `watch-namespace`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" `controller.enableCustomResources` | Enable the custom resources. | true `controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false `controller.enableOIDC` | Enable OIDC policies. | false diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index 1e01471f25..646b4a749e 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md @@ -185,7 +185,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |``controller.ingressClass`` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of kubernetes. | nginx | |``controller.setAsDefaultIngress`` | New Ingresses without an ingressClassName field specified will be assigned the class specified in `controller.ingressClass`. | false | |``controller.watchNamespace`` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. ``--set controller.watchNamespace="default\,nginx-ingress"``. | "" | -|``controller.watchSecretNamespace`` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. By default the Ingress Controller watches all namespaces. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. ``--set controller.watchSecretNamespace="default\,nginx-ingress"``. | "" | +|``controller.watchSecretNamespace`` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `watch-namespace`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. ``--set controller.watchSecretNamespace="default\,nginx-ingress"``. | "" | |``controller.enableCustomResources`` | Enable the custom resources. | true | |``controller.enablePreviewPolicies`` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use ``controller.enableOIDC`` instead. | false | |``controller.enableOIDC`` | Enable OIDC policies. | false | From 1963c28e5e1a38d12ddb93df878a2bf7178b6a96 Mon Sep 17 00:00:00 2001 From: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> Date: Tue, 8 Nov 2022 21:26:42 +0000 Subject: [PATCH 3/3] Update cmd/nginx-ingress/flags.go --- cmd/nginx-ingress/flags.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go index a57b827c3c..c8dd7ac3d1 100644 --- a/cmd/nginx-ingress/flags.go +++ b/cmd/nginx-ingress/flags.go @@ -41,7 +41,7 @@ var ( watchNamespaces []string watchSecretNamespace = flag.String("watch-secret-namespace", "", - `Comma separated list of namespaces the Ingress Controller should watch for secrets. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `watch-namespace`. `) + `Comma separated list of namespaces the Ingress Controller should watch for secrets. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See "watch-namespace". `) watchSecretNamespaces []string