Remove redundant newlines in generated v1 configuration #4699

Merged
merged 7 commits into from
Nov 25, 2023
137 changes: 69 additions & 68 deletions internal/configs/version1/nginx-plus.ingress.tmpl
@@ -1,16 +1,16 @@
{{- /*gotype: github.com/nginxinc/kubernetes-ingress/internal/configs/version1.IngressNginxConfig*/ -}}
# configuration for {{.Ingress.Namespace}}/{{.Ingress.Name}}
{{range $upstream := .Upstreams}}
{{- range $upstream := .Upstreams}}
upstream {{$upstream.Name}} {
zone {{$upstream.Name}} {{if ne $upstream.UpstreamZoneSize "0"}}{{$upstream.UpstreamZoneSize}}{{else}}512k{{end}};
{{if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}}
{{range $server := $upstream.UpstreamServers}}
{{- if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}}
{{- range $server := $upstream.UpstreamServers}}
server {{$server.Address}} max_fails={{$server.MaxFails}} fail_timeout={{$server.FailTimeout}} max_conns={{$server.MaxConns}}
{{- if $server.SlowStart}} slow_start={{$server.SlowStart}}{{end}}{{if $server.Resolve}} resolve{{end}};{{end}}
{{if $upstream.StickyCookie}}
{{- if $upstream.StickyCookie}}
sticky cookie {{$upstream.StickyCookie}};
{{end}}
{{if $.Keepalive}}keepalive {{$.Keepalive}};{{end}}
{{- end}}
{{- if $.Keepalive}}keepalive {{$.Keepalive}};{{end}}
{{- if $upstream.UpstreamServers -}}
{{- if $upstream.Queue}}
queue {{$upstream.Queue}} timeout={{$upstream.QueueTimeout}}s;
@@ -21,46 +21,46 @@ upstream {{$upstream.Name}} {

{{range $server := .Servers}}
server {
{{if $server.SpiffeCerts}}
{{- if $server.SpiffeCerts}}
listen 443 ssl;
{{if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}}
{{- if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}}
ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
{{else}}
{{if not $server.GRPCOnly}}
{{range $port := $server.Ports}}
{{- else}}
{{- if not $server.GRPCOnly}}
{{- range $port := $server.Ports}}
listen {{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};
{{if not $server.DisableIPV6}}listen [::]:{{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- if not $server.DisableIPV6}}listen [::]:{{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- end}}
{{- end}}
{{end}}

{{if $server.SSL}}
{{if $server.TLSPassthrough}}
{{- if $server.SSL}}
{{- if $server.TLSPassthrough}}
listen unix:/var/lib/nginx/passthrough-https.sock ssl proxy_protocol;
set_real_ip_from unix:;
real_ip_header proxy_protocol;
{{else}}
{{- else}}
{{- range $port := $server.SSLPorts}}
listen {{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};
{{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- end}}
{{end}}
{{if $server.HTTP2}}
{{- end}}
{{- if $server.HTTP2}}
http2 on;
{{end}}
{{if $server.SSLRejectHandshake}}
{{- end}}
{{- if $server.SSLRejectHandshake}}
ssl_reject_handshake on;
{{else}}
{{- else}}
ssl_certificate {{$server.SSLCertificate}};
ssl_certificate_key {{$server.SSLCertificateKey}};
{{end}}
{{end}}
{{end}}
{{- end}}
{{- end}}
{{- end}}

{{range $setRealIPFrom := $server.SetRealIPFrom}}
{{- range $setRealIPFrom := $server.SetRealIPFrom}}
set_real_ip_from {{$setRealIPFrom}};{{end}}
{{if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}}
{{if $server.RealIPRecursive}}real_ip_recursive on;{{end}}
{{- if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}}
{{- if $server.RealIPRecursive}}real_ip_recursive on;{{end}}

server_tokens "{{$server.ServerTokens}}";

@@ -104,34 +104,34 @@ server {
{{- end}}

{{if not $server.GRPCOnly}}
{{range $proxyHideHeader := $server.ProxyHideHeaders}}
{{- range $proxyHideHeader := $server.ProxyHideHeaders}}
proxy_hide_header {{$proxyHideHeader}};{{end}}
{{range $proxyPassHeader := $server.ProxyPassHeaders}}
{{- range $proxyPassHeader := $server.ProxyPassHeaders}}
proxy_pass_header {{$proxyPassHeader}};{{end}}
{{end}}
{{- end}}

{{- if and $server.HSTS (or $server.SSL $server.HSTSBehindProxy)}}
set $hsts_header_val "";
proxy_hide_header Strict-Transport-Security;
{{- if $server.HSTSBehindProxy}}
if ($http_x_forwarded_proto = 'https') {
{{else}}
{{- else}}
if ($https = on) {
{{- end}}
set $hsts_header_val "max-age={{$server.HSTSMaxAge}}; {{if $server.HSTSIncludeSubdomains}}includeSubDomains; {{end}}preload";
}

add_header Strict-Transport-Security "$hsts_header_val" always;
{{end}}
{{- end}}

{{if $server.SSL}}
{{if not $server.GRPCOnly}}
{{- if $server.SSL}}
{{- if not $server.GRPCOnly}}
{{- if $server.SSLRedirect}}
if ($scheme = http) {
return 301 https://$host:{{index $server.SSLPorts 0}}$request_uri;
}
{{- end}}
{{end}}
{{- end}}
{{- end}}

{{- if $server.RedirectToHTTPS}}
@@ -152,10 +152,10 @@ server {
{{- if $jwt.RedirectLocationName}}
error_page 401 {{$jwt.RedirectLocationName}};
{{end}}
{{end}}
{{- end}}

{{- if $server.ServerSnippets}}
{{range $value := $server.ServerSnippets}}
{{- range $value := $server.ServerSnippets}}
{{$value}}{{end}}
{{- end}}

@@ -184,13 +184,13 @@ server {
location {{ makeLocationPath $location $.Ingress.Annotations | printf }} {
set $service "{{$location.ServiceName}}";
status_zone "{{ $location.ServiceName }}";
{{with $location.MinionIngress}}
{{- with $location.MinionIngress}}
# location for minion {{$location.MinionIngress.Namespace}}/{{$location.MinionIngress.Name}}
set $resource_name "{{$location.MinionIngress.Name}}";
set $resource_namespace "{{$location.MinionIngress.Namespace}}";
{{end}}
{{if $location.GRPC}}
{{if not $server.GRPCOnly}}
{{- end}}
{{- if $location.GRPC}}
{{- if not $server.GRPCOnly}}
error_page 400 @grpcerror400;
error_page 401 @grpcerror401;
error_page 403 @grpcerror403;
@@ -204,17 +204,17 @@ server {
error_page 502 @grpcerror502;
error_page 503 @grpcerror503;
error_page 504 @grpcerror504;
{{end}}
{{- end}}

{{- if $location.LocationSnippets}}
{{range $value := $location.LocationSnippets}}
{{- range $value := $location.LocationSnippets}}
{{$value}}{{end}}
{{- end}}

{{with $jwt := $location.JWTAuth}}
{{- with $jwt := $location.JWTAuth}}
auth_jwt_key_file {{$jwt.Key}};
auth_jwt "{{.Realm}}"{{if $jwt.Token}} token={{$jwt.Token}}{{end}};
{{end}}
{{- end}}

{{- with $location.BasicAuth }}
auth_basic {{ printf "%q" .Realm }};
@@ -234,23 +234,23 @@ server {
{{- if $location.ProxyBufferSize}}
grpc_buffer_size {{$location.ProxyBufferSize}};
{{- end}}
{{if $.SpiffeClientCerts}}
{{- if $.SpiffeClientCerts}}
grpc_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
grpc_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
grpc_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
grpc_ssl_server_name on;
grpc_ssl_verify on;
grpc_ssl_verify_depth 25;
grpc_ssl_name {{$location.ProxySSLName}};
{{end}}
{{if $location.SSL}}
{{- end}}
{{- if $location.SSL}}
grpc_pass grpcs://{{$location.Upstream.Name}};
{{else}}
{{- else}}
grpc_pass grpc://{{$location.Upstream.Name}};
{{end}}
{{else}}
{{- end}}
{{- else}}
proxy_http_version 1.1;
{{if $location.Websocket}}
{{- if $location.Websocket}}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{{- else}}
@@ -262,13 +262,13 @@ server {
{{$value}}{{end}}
{{- end}}

{{ with $jwt := $location.JWTAuth }}
{{- with $jwt := $location.JWTAuth }}
auth_jwt_key_file {{$jwt.Key}};
auth_jwt "{{.Realm}}"{{if $jwt.Token}} token={{$jwt.Token}}{{end}};
{{if $jwt.RedirectLocationName}}
{{- if $jwt.RedirectLocationName}}
error_page 401 {{$jwt.RedirectLocationName}};
{{end}}
{{end}}
{{- end}}
{{- end}}

{{- with $location.BasicAuth }}
auth_basic {{ printf "%q" .Realm }};
@@ -295,23 +295,24 @@ server {
{{- if $location.ProxyMaxTempFileSize}}
proxy_max_temp_file_size {{$location.ProxyMaxTempFileSize}};
{{- end}}
{{if $.SpiffeClientCerts}}
{{- if $.SpiffeClientCerts}}
proxy_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
proxy_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
proxy_ssl_server_name on;
proxy_ssl_verify on;
proxy_ssl_verify_depth 25;
proxy_ssl_name {{$location.ProxySSLName}};
{{end}}
{{if $location.SSL}}
{{- end}}
{{- if $location.SSL}}
proxy_pass https://{{$location.Upstream.Name}}{{$location.Rewrite}};
{{else}}
{{- else}}
proxy_pass http://{{$location.Upstream.Name}}{{$location.Rewrite}};
{{end}}
{{end}}
}{{end}}
{{if $server.GRPCOnly}}
{{- end}}
{{- end}}
}
{{end -}}
{{- if $server.GRPCOnly}}
error_page 400 @grpcerror400;
error_page 401 @grpcerror401;
error_page 403 @grpcerror403;
@@ -325,8 +326,8 @@ server {
error_page 502 @grpcerror502;
error_page 503 @grpcerror503;
error_page 504 @grpcerror504;
{{end}}
{{if $server.HTTP2}}
{{- end}}
{{- if $server.HTTP2}}
location @grpcerror400 { default_type application/grpc; return 400 "\n"; }
location @grpcerror401 { default_type application/grpc; return 401 "\n"; }
location @grpcerror403 { default_type application/grpc; return 403 "\n"; }
@@ -340,5 +341,5 @@ server {
location @grpcerror502 { default_type application/grpc; return 502 "\n"; }
location @grpcerror503 { default_type application/grpc; return 503 "\n"; }
location @grpcerror504 { default_type application/grpc; return 504 "\n"; }
{{end}}
{{- end}}
}{{end}}
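Review bot: Where the left trim marker sits on a one-line action that also carries the directive, the directive is now glued to the end of the previous output line rather than only losing a blank line. Here `{{- if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}}` follows the `set_real_ip_from` loop, so the rendered config reads `set_real_ip_from …;real_ip_header …;real_ip_recursive on;` on one line, and each `listen [::]:…` joins its IPv4 `listen` the same way. nginx should still accept this, but the trusted-proxy and listener settings become harder to audit and diff, and config error messages will point at a shared line number. Writing these as a block keeps one directive per line: `{{- if $server.RealIPHeader}}` / `real_ip_header {{$server.RealIPHeader}};` / `{{- end}}`. The same pattern appears on the `ssl_protocols`, `ssl_ciphers` and `ssl_dhparam` lines of nginx-plus.tmpl and nginx.tmpl, and throughout nginx.ingress.tmpl.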
88 changes: 44 additions & 44 deletions internal/configs/version1/nginx-plus.tmpl
@@ -77,16 +77,16 @@ http {
{{- end}}
{{- end}}

{{if .AccessLogOff}}
{{- if .AccessLogOff}}
access_log off;
{{else}}
{{- else}}
access_log /dev/stdout main;
{{end}}
{{- end}}

{{if .LatencyMetrics}}
{{- if .LatencyMetrics}}
log_format response_time '{"upstreamAddress":"$upstream_addr", "upstreamResponseTime":"$upstream_response_time", "proxyHost":"$proxy_host", "upstreamStatus": "$upstream_status"}';
access_log syslog:server=unix:/var/lib/nginx/nginx-syslog.sock,nohostname,tag=nginx response_time;
{{end}}
{{- end}}

{{- if .AppProtectLoadModule}}
{{if .AppProtectFailureModeAction}}app_protect_failure_mode_action {{.AppProtectFailureModeAction}};{{end}}
@@ -124,24 +124,24 @@ http {
default upgrade;
'' $default_connection_header;
}
{{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}
{{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}
{{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}
{{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}
{{- if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}
{{- if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}
{{- if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}
{{- if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}

{{if .OpenTracingEnabled}}
{{- if .OpenTracingEnabled}}
opentracing on;
{{end}}
{{if .OpenTracingLoadModule}}
{{- end}}
{{- if .OpenTracingLoadModule}}
opentracing_load_tracer {{ .OpenTracingTracer }} /var/lib/nginx/tracer-config.json;
{{end}}
{{- end}}

{{if .ResolverAddresses}}
{{- if .ResolverAddresses}}
resolver {{range $resolver := .ResolverAddresses}}{{$resolver}}{{end}}{{if .ResolverValid}} valid={{.ResolverValid}}{{end}}{{if not .ResolverIPV6}} ipv6=off{{end}};
{{if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}}
{{end}}
{{- if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}}
{{- end}}

{{if .OIDC}}
{{- if .OIDC}}
include oidc/oidc_common.conf;
{{- end}}

@@ -154,44 +154,44 @@ http {
set $service "";

listen {{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
{{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}

{{if .TLSPassthrough}}
{{- if .TLSPassthrough}}
listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol;
set_real_ip_from unix:;
real_ip_header proxy_protocol;
{{else}}
{{- else}}
listen {{ .DefaultHTTPSListenerPort }} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
{{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort }} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{end}}
{{- end}}

{{if .HTTP2}}
{{- if .HTTP2}}
http2 on;
{{end}}
{{- end}}

{{if .SSLRejectHandshake}}
{{- if .SSLRejectHandshake}}
ssl_reject_handshake on;
{{else}}
{{- else}}
ssl_certificate /etc/nginx/secrets/default;
ssl_certificate_key /etc/nginx/secrets/default;
{{end}}
{{- end}}

{{range $setRealIPFrom := .SetRealIPFrom}}
{{- range $setRealIPFrom := .SetRealIPFrom}}
set_real_ip_from {{$setRealIPFrom}};{{end}}
{{if .RealIPHeader}}real_ip_header {{.RealIPHeader}};{{end}}
{{if .RealIPRecursive}}real_ip_recursive on;{{end}}
{{- if .RealIPHeader}}real_ip_header {{.RealIPHeader}};{{end}}
{{- if .RealIPRecursive}}real_ip_recursive on;{{end}}

server_name _;
server_tokens "{{.ServerTokens}}";
{{if .DefaultServerAccessLogOff}}
{{- if .DefaultServerAccessLogOff}}
access_log off;
{{end}}
{{end -}}

{{if .OpenTracingEnabled}}
{{- if .OpenTracingEnabled}}
opentracing off;
{{end}}
{{- end}}

{{if .HealthStatus}}
{{- if .HealthStatus}}
location {{.HealthStatusURI}} {
default_type text/plain;
return 200 "healthy\n";
@@ -241,9 +241,9 @@ http {
listen unix:/var/lib/nginx/nginx-plus-api.sock;
access_log off;

{{if .OpenTracingEnabled}}
{{- if .OpenTracingEnabled}}
opentracing off;
{{end}}
{{- end}}

# $config_version_mismatch is defined in /etc/nginx/config-version.conf
location /configVersionCheck {
@@ -265,13 +265,13 @@ http {
listen unix:/var/lib/nginx/nginx-418-server.sock;
access_log off;

{{if .OpenTracingEnabled}}
{{- if .OpenTracingEnabled}}
opentracing off;
{{end}}
{{- end -}}

return 418;
}
{{if .InternalRouteServer}}
{{- if .InternalRouteServer}}
server {
listen 443 ssl;
{{if not .DisableIPV6}}listen [::]:443 ssl;{{end}}
@@ -282,7 +282,7 @@ http {
ssl_verify_client on;
ssl_verify_depth 25;
}
{{end}}
{{- end}}
}

stream {
@@ -299,18 +299,18 @@ stream {

access_log /dev/stdout stream-main;

{{range $value := .StreamSnippets}}
{{- range $value := .StreamSnippets}}
{{$value}}{{end}}

{{if .ResolverAddresses}}
{{- if .ResolverAddresses}}
resolver {{range $resolver := .ResolverAddresses}}{{$resolver}}{{end}}{{if .ResolverValid}} valid={{.ResolverValid}}{{end}}{{if not .ResolverIPV6}} ipv6=off{{end}};
{{if .ResolverTimeout}}resolver_timeout {{.ResolverTimeout}};{{end}}
{{end}}
{{- end}}

map_hash_max_size {{.MapHashMaxSize}};
{{if .MapHashBucketSize}}map_hash_bucket_size {{.MapHashBucketSize}};{{end}}

{{if .TLSPassthrough}}
{{- if .TLSPassthrough}}
map $ssl_preread_server_name $dest_internal_passthrough {
default unix:/var/lib/nginx/passthrough-https.sock;
include /etc/nginx/tls-passthrough-hosts.conf;
124 changes: 63 additions & 61 deletions internal/configs/version1/nginx.ingress.tmpl
@@ -1,56 +1,57 @@
{{- /*gotype: github.com/nginxinc/kubernetes-ingress/internal/configs/version1.IngressNginxConfig*/ -}}
# configuration for {{.Ingress.Namespace}}/{{.Ingress.Name}}
{{range $upstream := .Upstreams}}
{{- range $upstream := .Upstreams}}
upstream {{$upstream.Name}} {
{{if ne $upstream.UpstreamZoneSize "0"}}zone {{$upstream.Name}} {{$upstream.UpstreamZoneSize}};{{end}}
{{if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}}
{{range $server := $upstream.UpstreamServers}}
{{- if ne $upstream.UpstreamZoneSize "0"}}zone {{$upstream.Name}} {{$upstream.UpstreamZoneSize}};{{end}}
{{- if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}}
{{- range $server := $upstream.UpstreamServers}}
server {{$server.Address}} max_fails={{$server.MaxFails}} fail_timeout={{$server.FailTimeout}} max_conns={{$server.MaxConns}};{{end}}
{{if $.Keepalive}}keepalive {{$.Keepalive}};{{end}}
}{{end}}
{{- if $.Keepalive}}keepalive {{$.Keepalive}};{{end}}
}
{{end -}}

{{range $server := .Servers}}
server {
{{if $server.SpiffeCerts}}
{{- if $server.SpiffeCerts}}
listen 443 ssl;
{{if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}}
{{- if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}}
ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
{{else}}
{{if not $server.GRPCOnly}}
{{range $port := $server.Ports}}
{{- else}}
{{- if not $server.GRPCOnly}}
{{- range $port := $server.Ports}}
listen {{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};
{{if not $server.DisableIPV6}}listen [::]:{{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- if not $server.DisableIPV6}}listen [::]:{{$port}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- end}}
{{- end}}
{{end}}

{{if $server.SSL}}
{{if $server.TLSPassthrough}}
{{- if $server.SSL}}
{{- if $server.TLSPassthrough}}
listen unix:/var/lib/nginx/passthrough-https.sock ssl proxy_protocol;
set_real_ip_from unix:;
real_ip_header proxy_protocol;
{{else}}
{{- else}}
{{- range $port := $server.SSLPorts}}
listen {{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};
{{if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- if not $server.DisableIPV6}}listen [::]:{{$port}} ssl{{if $server.ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- end}}
{{- end}}
{{end}}
{{if $server.HTTP2}}
{{- if $server.HTTP2}}
http2 on;
{{end}}
{{if $server.SSLRejectHandshake}}
{{- end}}
{{- if $server.SSLRejectHandshake}}
ssl_reject_handshake on;
{{else}}
{{- else}}
ssl_certificate {{$server.SSLCertificate}};
ssl_certificate_key {{$server.SSLCertificateKey}};
{{end}}
{{end}}
{{end}}
{{- end}}
{{- end}}
{{- end}}

{{range $setRealIPFrom := $server.SetRealIPFrom}}
{{- range $setRealIPFrom := $server.SetRealIPFrom}}
set_real_ip_from {{$setRealIPFrom}};{{end}}
{{if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}}
{{if $server.RealIPRecursive}}real_ip_recursive on;{{end}}
{{- if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}}
{{- if $server.RealIPRecursive}}real_ip_recursive on;{{end}}

server_tokens {{$server.ServerTokens}};

@@ -60,33 +61,33 @@ server {
set $resource_name "{{$.Ingress.Name}}";
set $resource_namespace "{{$.Ingress.Namespace}}";

{{range $proxyHideHeader := $server.ProxyHideHeaders}}
{{- range $proxyHideHeader := $server.ProxyHideHeaders}}
proxy_hide_header {{$proxyHideHeader}};{{end}}
{{range $proxyPassHeader := $server.ProxyPassHeaders}}
{{- range $proxyPassHeader := $server.ProxyPassHeaders}}
proxy_pass_header {{$proxyPassHeader}};{{end}}

{{- if and $server.HSTS (or $server.SSL $server.HSTSBehindProxy)}}
set $hsts_header_val "";
proxy_hide_header Strict-Transport-Security;
{{- if $server.HSTSBehindProxy}}
if ($http_x_forwarded_proto = 'https') {
{{else}}
{{- else}}
if ($https = on) {
{{- end}}
set $hsts_header_val "max-age={{$server.HSTSMaxAge}}; {{if $server.HSTSIncludeSubdomains}}includeSubDomains; {{end}}preload";
}

add_header Strict-Transport-Security "$hsts_header_val" always;
{{end}}
{{- end}}

{{if $server.SSL}}
{{if not $server.GRPCOnly}}
{{- if $server.SSL}}
{{- if not $server.GRPCOnly}}
{{- if $server.SSLRedirect}}
if ($scheme = http) {
return 301 https://$host:{{index $server.SSLPorts 0}}$request_uri;
}
{{- end}}
{{end}}
{{- end}}
{{- end}}

{{- if $server.RedirectToHTTPS}}
@@ -101,20 +102,20 @@ server {
{{- end }}

{{- if $server.ServerSnippets}}
{{range $value := $server.ServerSnippets}}
{{- range $value := $server.ServerSnippets}}
{{$value}}{{end}}
{{- end}}

{{range $location := $server.Locations}}
{{- range $location := $server.Locations}}
location {{ makeLocationPath $location $.Ingress.Annotations | printf }} {
set $service "{{$location.ServiceName}}";
{{with $location.MinionIngress}}
{{- with $location.MinionIngress}}
# location for minion {{$location.MinionIngress.Namespace}}/{{$location.MinionIngress.Name}}
set $resource_name "{{$location.MinionIngress.Name}}";
set $resource_namespace "{{$location.MinionIngress.Namespace}}";
{{end}}
{{if $location.GRPC}}
{{if not $server.GRPCOnly}}
{{- end}}
{{- if $location.GRPC}}
{{- if not $server.GRPCOnly}}
error_page 400 @grpcerror400;
error_page 401 @grpcerror401;
error_page 403 @grpcerror403;
@@ -128,10 +129,10 @@ server {
error_page 502 @grpcerror502;
error_page 503 @grpcerror503;
error_page 504 @grpcerror504;
{{end}}
{{- end}}

{{- if $location.LocationSnippets}}
{{range $value := $location.LocationSnippets}}
{{- range $value := $location.LocationSnippets}}
{{$value}}{{end}}
{{- end}}

@@ -153,23 +154,23 @@ server {
{{- if $location.ProxyBufferSize}}
grpc_buffer_size {{$location.ProxyBufferSize}};
{{- end}}
{{if $.SpiffeClientCerts}}
{{- if $.SpiffeClientCerts}}
grpc_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
grpc_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
grpc_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
grpc_ssl_server_name on;
grpc_ssl_verify on;
grpc_ssl_verify_depth 25;
grpc_ssl_name {{$location.ProxySSLName}};
{{end}}
{{if $location.SSL}}
{{- end}}
{{- if $location.SSL}}
grpc_pass grpcs://{{$location.Upstream.Name}}{{$location.Rewrite}};
{{else}}
{{- else}}
grpc_pass grpc://{{$location.Upstream.Name}}{{$location.Rewrite}};
{{end}}
{{else}}
{{- end}}
{{- else}}
proxy_http_version 1.1;
{{if $location.Websocket}}
{{- if $location.Websocket}}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{{- else}}
@@ -207,23 +208,24 @@ server {
{{- if $location.ProxyMaxTempFileSize}}
proxy_max_temp_file_size {{$location.ProxyMaxTempFileSize}};
{{- end}}
{{if $.SpiffeClientCerts}}
{{- if $.SpiffeClientCerts}}
proxy_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
proxy_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
proxy_ssl_server_name on;
proxy_ssl_verify on;
proxy_ssl_verify_depth 25;
proxy_ssl_name {{$location.ProxySSLName}};
{{end}}
{{if $location.SSL}}
{{- end}}
{{- if $location.SSL}}
proxy_pass https://{{$location.Upstream.Name}}{{$location.Rewrite}};
{{else}}
{{- else}}
proxy_pass http://{{$location.Upstream.Name}}{{$location.Rewrite}};
{{end}}
{{end}}
}{{end}}
{{if $server.GRPCOnly}}
{{- end}}
{{- end}}
}
{{end -}}
{{- if $server.GRPCOnly}}
error_page 400 @grpcerror400;
error_page 401 @grpcerror401;
error_page 403 @grpcerror403;
@@ -237,8 +239,8 @@ server {
error_page 502 @grpcerror502;
error_page 503 @grpcerror503;
error_page 504 @grpcerror504;
{{end}}
{{if $server.HTTP2}}
{{- end}}
{{- if $server.HTTP2}}
location @grpcerror400 { default_type application/grpc; return 400 "\n"; }
location @grpcerror401 { default_type application/grpc; return 401 "\n"; }
location @grpcerror403 { default_type application/grpc; return 403 "\n"; }
@@ -252,5 +254,5 @@ server {
location @grpcerror502 { default_type application/grpc; return 502 "\n"; }
location @grpcerror503 { default_type application/grpc; return 503 "\n"; }
location @grpcerror504 { default_type application/grpc; return 504 "\n"; }
{{end}}
{{- end}}
}{{end}}
76 changes: 38 additions & 38 deletions internal/configs/version1/nginx.tmpl
@@ -49,16 +49,16 @@ http {
'' $sent_http_grpc_status;
}

{{if .AccessLogOff}}
{{- if .AccessLogOff}}
access_log off;
{{else}}
{{- else}}
access_log /dev/stdout main;
{{end}}
{{- end}}

{{if .LatencyMetrics}}
{{- if .LatencyMetrics}}
log_format response_time '{"upstreamAddress":"$upstream_addr", "upstreamResponseTime":"$upstream_response_time", "proxyHost":"$proxy_host", "upstreamStatus": "$upstream_status"}';
access_log syslog:server=unix:/var/lib/nginx/nginx-syslog.sock,nohostname,tag=nginx response_time;
{{end}}
{{- end}}

sendfile on;
#tcp_nopush on;
@@ -86,17 +86,17 @@ http {
default upgrade;
'' $default_connection_header;
}
{{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}
{{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}
{{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}
{{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}
{{- if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}
{{- if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}
{{- if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}
{{- if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}

{{if .OpenTracingEnabled}}
{{- if .OpenTracingEnabled}}
opentracing on;
{{end}}
{{if .OpenTracingLoadModule}}
{{- end}}
{{- if .OpenTracingLoadModule}}
opentracing_load_tracer {{ .OpenTracingTracer }} /var/lib/nginx/tracer-config.json;
{{end}}
{{- end}}

server {
# required to support the Websocket protocol in VirtualServer/VirtualServerRoutes
@@ -107,44 +107,44 @@ http {
set $service "";

listen {{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
{{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{- if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}

{{if .TLSPassthrough}}
{{- if .TLSPassthrough}}
listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server proxy_protocol;
set_real_ip_from unix:;
real_ip_header proxy_protocol;
{{else}}
{{- else}}
listen {{ .DefaultHTTPSListenerPort}} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
{{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort}} ssl default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
{{end}}
{{- end}}

{{if .HTTP2}}
{{- if .HTTP2}}
http2 on;
{{end}}
{{- end}}

{{if .SSLRejectHandshake}}
{{- if .SSLRejectHandshake}}
ssl_reject_handshake on;
{{else}}
{{- else}}
ssl_certificate /etc/nginx/secrets/default;
ssl_certificate_key /etc/nginx/secrets/default;
{{end}}
{{- end}}

{{range $setRealIPFrom := .SetRealIPFrom}}
{{- range $setRealIPFrom := .SetRealIPFrom}}
set_real_ip_from {{$setRealIPFrom}};{{end}}
{{if .RealIPHeader}}real_ip_header {{.RealIPHeader}};{{end}}
{{if .RealIPRecursive}}real_ip_recursive on;{{end}}
{{- if .RealIPHeader}}real_ip_header {{.RealIPHeader}};{{end}}
{{- if .RealIPRecursive}}real_ip_recursive on;{{end}}

server_name _;
server_tokens "{{.ServerTokens}}";
{{if .DefaultServerAccessLogOff}}
{{- if .DefaultServerAccessLogOff}}
access_log off;
{{end}}
{{end -}}

{{if .OpenTracingEnabled}}
{{- if .OpenTracingEnabled}}
opentracing off;
{{end}}
{{- end}}

{{if .HealthStatus}}
{{- if .HealthStatus}}
location {{.HealthStatusURI}} {
default_type text/plain;
return 200 "healthy\n";
@@ -180,9 +180,9 @@ http {
listen unix:/var/lib/nginx/nginx-status.sock;
access_log off;

{{if .OpenTracingEnabled}}
{{- if .OpenTracingEnabled}}
opentracing off;
{{end}}
{{- end}}

location /stub_status {
stub_status;
@@ -208,13 +208,13 @@ http {
listen unix:/var/lib/nginx/nginx-418-server.sock;
access_log off;

{{if .OpenTracingEnabled}}
{{- if .OpenTracingEnabled}}
opentracing off;
{{end}}
{{- end -}}

return 418;
}
{{if .InternalRouteServer}}
{{- if .InternalRouteServer}}
server {
listen 443 ssl;
{{if not .DisableIPV6}}listen [::]:443 ssl;{{end}}
@@ -225,7 +225,7 @@ http {
ssl_verify_client on;
ssl_verify_depth 25;
}
{{end}}
{{- end}}
}

stream {
@@ -242,13 +242,13 @@ stream {

access_log /dev/stdout stream-main;

{{range $value := .StreamSnippets}}
{{- range $value := .StreamSnippets}}
{{$value}}{{end}}

map_hash_max_size {{.MapHashMaxSize}};
{{if .MapHashBucketSize}}map_hash_bucket_size {{.MapHashBucketSize}};{{end}}

{{if .TLSPassthrough}}
{{- if .TLSPassthrough}}
map $ssl_preread_server_name $dest_internal_passthrough {
default unix:/var/lib/nginx/passthrough-https.sock;
include /etc/nginx/tls-passthrough-hosts.conf;
48 changes: 24 additions & 24 deletions internal/configs/version2/nginx-plus.transportserver.tmpl
@@ -1,19 +1,19 @@
{{- /*gotype: github.com/nginxinc/kubernetes-ingress/internal/configs/version2.TransportServerConfig*/ -}}
{{ range $u := .Upstreams }}
{{- range $u := .Upstreams }}
upstream {{ $u.Name }} {
zone {{ $u.Name }} 256k;

{{ if $u.LoadBalancingMethod }}
{{- if $u.LoadBalancingMethod }}
{{ $u.LoadBalancingMethod }};
{{ end }}
{{- end }}

{{ range $s := $u.Servers }}
{{- range $s := $u.Servers }}
server {{ $s.Address }} max_fails={{ $s.MaxFails }} fail_timeout={{ $s.FailTimeout }} max_conns={{ $s.MaxConnections }}{{ if $u.Resolve }} resolve{{ end }};
{{ end }}
{{- end }}
}
{{ end }}
{{- end }}

{{ range $snippet := .StreamSnippets }}
{{- range $snippet := .StreamSnippets }}
{{- $snippet }}
{{ end }}

@@ -27,37 +27,37 @@ match {{ $m.Name }} {
expect {{ $m.ExpectRegexModifier }} "{{ $m.Expect }}";
{{ end }}
}
{{ end }}
{{- end }}

{{ $s := .Server }}
{{- $s := .Server }}
server {
{{ with $ssl := $s.SSL }}
{{ if $s.TLSPassthrough }}
{{- with $ssl := $s.SSL }}
{{- if $s.TLSPassthrough }}
listen {{ $s.UnixSocket }} proxy_protocol;
set_real_ip_from unix:;
{{ else }}
{{- else }}
listen {{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }};
{{if not $s.DisableIPV6}}listen [::]:{{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }};{{end}}
{{ end }}
{{- end }}

{{ if $ssl.Enabled }}
{{- if $ssl.Enabled }}
ssl_certificate {{ $ssl.Certificate }};
ssl_certificate_key {{ $ssl.CertificateKey }};
{{ end }}
{{ end }}
{{- end }}
{{- end }}

status_zone {{ $s.StatusZone }};

{{ if $s.ProxyRequests }}
{{- if $s.ProxyRequests }}
proxy_requests {{ $s.ProxyRequests }};
{{ end }}
{{ if $s.ProxyResponses }}
{{- end }}
{{- if $s.ProxyResponses }}
proxy_responses {{ $s.ProxyResponses }};
{{ end }}
{{- end }}

{{ range $snippet := $s.ServerSnippets }}
{{- range $snippet := $s.ServerSnippets }}
{{- $snippet }}
{{ end }}
{{- end }}

proxy_pass {{ $s.ProxyPass }};

@@ -70,9 +70,9 @@ server {
proxy_timeout {{ $s.ProxyTimeout }};
proxy_connect_timeout {{ $s.ProxyConnectTimeout }};

{{ if $s.ProxyNextUpstream }}
{{- if $s.ProxyNextUpstream }}
proxy_next_upstream on;
proxy_next_upstream_timeout {{ $s.ProxyNextUpstreamTimeout }};
proxy_next_upstream_tries {{ $s.ProxyNextUpstreamTries }};
{{ end }}
{{- end }}
}
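Review bot: In the `ServerSnippets` loop, `{{- $snippet }}` followed by the new `{{- end }}` trims the whitespace on both sides of every element, so snippet entries are written back to back with no newline between them and directly after the preceding directive. Before this change the untrimmed `{{ end }}` left a line break after each entry. If an entry is a `#` comment or does not end in `;`, the next entry is absorbed into it, which could silently drop a directive an operator added for access control or limits; how the slice is filled is not visible here, so this needs confirming against the caller. Keeping the closing action as `{{ end }}` on snippet loops, as the `StreamSnippets` loop in this file still does, preserves the separator. nginx.transportserver.tmpl has the same change on both its `StreamSnippets` and `ServerSnippets` loops, and a render test with a two-entry snippet list would pin the expected output.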
408 changes: 202 additions & 206 deletions internal/configs/version2/nginx-plus.virtualserver.tmpl

Large diffs are not rendered by default.

48 changes: 24 additions & 24 deletions internal/configs/version2/nginx.transportserver.tmpl
@@ -1,58 +1,58 @@
{{- /*gotype: github.com/nginxinc/kubernetes-ingress/internal/configs/version2.TransportServerConfig*/ -}}
{{ range $u := .Upstreams }}
{{- range $u := .Upstreams }}
upstream {{ $u.Name }} {
zone {{ $u.Name }} 256k;

{{ if $u.LoadBalancingMethod }}
{{- if $u.LoadBalancingMethod }}
{{ $u.LoadBalancingMethod }};
{{ end }}
{{- end }}

{{ range $s := $u.Servers }}
{{- range $s := $u.Servers }}
server {{ $s.Address }} max_fails={{ $s.MaxFails }} fail_timeout={{ $s.FailTimeout }} max_conns={{ $s.MaxConnections }};
{{ end }}
{{- end }}
}
{{ end }}
{{- end }}

{{ range $snippet := .StreamSnippets }}
{{- range $snippet := .StreamSnippets }}
{{- $snippet }}
{{ end }}
{{- end }}

{{ $s := .Server }}
{{- $s := .Server }}
server {
{{ with $ssl := $s.SSL }}
{{ if $s.TLSPassthrough }}
{{- with $ssl := $s.SSL }}
{{- if $s.TLSPassthrough }}
listen {{ $s.UnixSocket }} proxy_protocol;
set_real_ip_from unix:;
{{ else }}
{{- else }}
listen {{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }};
{{if not $s.DisableIPV6}}listen [::]:{{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }};{{end}}
{{ end }}
{{- end }}

{{ if $ssl.Enabled }}
{{- if $ssl.Enabled }}
ssl_certificate {{ $ssl.Certificate }};
ssl_certificate_key {{ $ssl.CertificateKey }};
{{ end }}
{{ end }}
{{- end }}
{{- end }}

{{ if $s.ProxyRequests }}
{{- if $s.ProxyRequests }}
proxy_requests {{ $s.ProxyRequests }};
{{ end }}
{{ if $s.ProxyResponses }}
{{- end }}
{{- if $s.ProxyResponses }}
proxy_responses {{ $s.ProxyResponses }};
{{ end }}
{{- end }}

{{ range $snippet := $s.ServerSnippets }}
{{- range $snippet := $s.ServerSnippets }}
{{- $snippet }}
{{ end }}
{{- end }}

proxy_pass {{ $s.ProxyPass }};

proxy_timeout {{ $s.ProxyTimeout }};
proxy_connect_timeout {{ $s.ProxyConnectTimeout }};

{{ if $s.ProxyNextUpstream }}
{{- if $s.ProxyNextUpstream }}
proxy_next_upstream on;
proxy_next_upstream_timeout {{ $s.ProxyNextUpstreamTimeout }};
proxy_next_upstream_tries {{ $s.ProxyNextUpstreamTries }};
{{ end }}
{{- end }}
}
311 changes: 155 additions & 156 deletions internal/configs/version2/nginx.virtualserver.tmpl

Large diffs are not rendered by default.