diff --git a/docs/virtualserver-and-virtualserverroute.md b/docs/virtualserver-and-virtualserverroute.md index fb88ef7cba..bc221c7309 100644 --- a/docs/virtualserver-and-virtualserverroute.md +++ b/docs/virtualserver-and-virtualserverroute.md @@ -13,6 +13,7 @@ This document is the reference documentation for the resources. To see additiona - [Prerequisites](#prerequisites) - [VirtualServer Specification](#virtualserver-specification) - [VirtualServer.TLS](#virtualservertls) + - [VirtualServer.TLS.Redirect](#virtualservertlsredirect) - [VirtualServer.Route](#virtualserverroute) - [VirtualServerRoute Specification](#virtualserverroute-specification) - [VirtualServerRoute.Subroute](#virtualserverroutesubroute) @@ -26,8 +27,8 @@ This document is the reference documentation for the resources. To see additiona - [Header](#header) - [Action](#action) - [Split](#split) - - [Condition](#condition) - [Match](#match) + - [Condition](#condition) - [Using VirtualServer and VirtualServerRoute](#using-virtualserver-and-virtualserverroute) - [Validation](#validation) - [Customization via ConfigMap](#customization-via-configmap) 
@@ -76,12 +77,30 @@ spec: The tls field defines TLS configuration for a VirtualServer. For example: ```yaml secret: cafe-secret +redirect: + code: 302 + basedOn: x-forwarded-proto ``` | Field | Description | Type | Required | | ----- | ----------- | ---- | -------- | | `secret` | The name of a secret with a TLS certificate and key. The secret must belong to the same namespace as the VirtualServer. The secret must contain keys named `tls.crt` and `tls.key` that contain the certificate and private key as described [here](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls). If the secret doesn't exist, NGINX will break any attempt to establish a TLS connection to the host of the VirtualServer. | `string` | Yes | +| `redirect` | The redirect configuration of the TLS for a VirtualServer. | [`tls.redirect`](#VirtualServerTLSRedirect) | No | + +### VirtualServer.TLS.Redirect +The redirect field configures a TLS redirect for a VirtualServer: +```yaml +enable: true +code: 301 +basedOn: scheme +``` + +| Field | Description | Type | Required | +| ----- | ----------- | ---- | -------- | +| `enable` | Enables a TLS redirect for a VirtualServer. The default is `False`. | `boolean` | No | +| `code` | The status code of a redirect. The allowed values are: `301`, `302`, `307`, `308`. The default is `301`. | `int` | No | +| `basedOn` | The attribute of a request that NGINX will evaluate to send a redirect. The allowed values are `scheme` (the scheme of the request) or `x-forwarded-proto` (the `X-Forwarded-Proto` header of the request). The default is `scheme`. | `string` | No | ### VirtualServer.Route @@ -205,7 +224,7 @@ next-upstream-timeout: 5s next-upstream-tries: 10 client-max-body-size: 2m tls: - enable: True + enable: true ``` **Note**: The WebSocket protocol is supported without any additional configuration. 
@@ -535,3 +554,5 @@ You can customize the NGINX configuration for VirtualServer and VirtualServerRou * `hsts-max-age` * `hsts-include-subdomains` * `hsts-behind-proxy` +* `redirect-to-https` +* `ssl-redirect` diff --git a/internal/configs/version2/config.go b/internal/configs/version2/config.go index 871d6f454a..38d82132b1 100644 --- a/internal/configs/version2/config.go +++ b/internal/configs/version2/config.go @@ -32,28 +32,27 @@ type UpstreamServer struct { // Server defines a server. type Server struct { - ServerName string - StatusZone string - ProxyProtocol bool - SSL *SSL - RedirectToHTTPSBasedOnXForwarderProto bool - ServerTokens string - RealIPHeader string - SetRealIPFrom []string - RealIPRecursive bool - Snippets []string - InternalRedirectLocations []InternalRedirectLocation - Locations []Location - HealthChecks []HealthCheck + ServerName string + StatusZone string + ProxyProtocol bool + SSL *SSL + ServerTokens string + RealIPHeader string + SetRealIPFrom []string + RealIPRecursive bool + Snippets []string + InternalRedirectLocations []InternalRedirectLocation + Locations []Location + HealthChecks []HealthCheck + TLSRedirect *TLSRedirect } // SSL defines SSL configuration for a server. type SSL struct { - HTTP2 bool - Certificate string - CertificateKey string - Ciphers string - RedirectToHTTPS bool + HTTP2 bool + Certificate string + CertificateKey string + Ciphers string } // Location defines a location. @@ -99,6 +98,12 @@ type HealthCheck struct { Match string } +// TLSRedirect defines a redirect in a Server. +type TLSRedirect struct { + Code int + BasedOn string +} + // SessionCookie defines a session cookie for an upstream. type SessionCookie struct { Enable bool diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index 6b5176a68e..886b97e814 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl 
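Review bot: `TLSRedirect.BasedOn` is a free-form `string`, yet both virtualserver templates in this commit write it unquoted into `if ({{ .BasedOn }} = 'http')`, so the type should document the contract that keeps that safe. The only producer visible in this commit is `generateTLSRedirectBasedOn`, which returns one of two fixed nginx variables; a later caller that copies the spec value straight into this field would put user-controlled text into the generated config. I would add field comments: `// BasedOn is the nginx variable compared against 'http' ($scheme or $http_x_forwarded_proto); it is rendered verbatim, so never assign spec input to it directly.` and `// Code is the HTTP status used in the return directive.`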
@@ -62,17 +62,11 @@ server { {{ if $ssl.Ciphers }} ssl_ciphers {{ $ssl.Ciphers }}; {{ end }} - - {{ if $ssl.RedirectToHTTPS }} - if ($scheme = http) { - return 301 https://$host$request_uri; - } - {{ end }} {{ end }} - {{ if $s.RedirectToHTTPSBasedOnXForwarderProto }} - if ($http_x_forwarded_proto = 'http') { - return 301 https://$host$request_uri; + {{ with $s.TLSRedirect }} + if ({{ .BasedOn }} = 'http') { + return {{ .Code }} https://$host$request_uri; } {{ end }} diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl index 6f0afbef6a..442f5f2f88 100644 --- a/internal/configs/version2/nginx.virtualserver.tmpl +++ b/internal/configs/version2/nginx.virtualserver.tmpl @@ -45,17 +45,11 @@ server { {{ if $ssl.Ciphers }} ssl_ciphers {{ $ssl.Ciphers }}; {{ end }} - - {{ if $ssl.RedirectToHTTPS }} - if ($scheme = http) { - return 301 https://$host$request_uri; - } - {{ end }} {{ end }} - {{ if $s.RedirectToHTTPSBasedOnXForwarderProto }} - if ($http_x_forwarded_proto = 'http') { - return 301 https://$host$request_uri; + {{ with $s.TLSRedirect }} + if ({{ .BasedOn }} = 'http') { + return {{ .Code }} https://$host$request_uri; } {{ end }} diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go index 70059b53cc..5e0d85286f 100644 --- a/internal/configs/version2/templates_test.go +++ b/internal/configs/version2/templates_test.go 
@@ -100,18 +100,20 @@ var virtualServerCfg = VirtualServerConfig{ StatusZone: "example.com", ProxyProtocol: true, SSL: &SSL{ - HTTP2: true, - Certificate: "cafe-secret.pem", - CertificateKey: "cafe-secret.pem", - Ciphers: "NULL", - RedirectToHTTPS: true, + HTTP2: true, + Certificate: "cafe-secret.pem", + CertificateKey: "cafe-secret.pem", + Ciphers: "NULL", }, - RedirectToHTTPSBasedOnXForwarderProto: true, - ServerTokens: "off", - SetRealIPFrom: []string{"0.0.0.0/0"}, - RealIPHeader: "X-Real-IP", - RealIPRecursive: true, - Snippets: []string{"# server snippet"}, + TLSRedirect: &TLSRedirect{ + BasedOn: "$scheme", + Code: 301, + }, + ServerTokens: "off", + SetRealIPFrom: []string{"0.0.0.0/0"}, + RealIPHeader: "X-Real-IP", + RealIPRecursive: true, + Snippets: []string{"# server snippet"}, InternalRedirectLocations: []InternalRedirectLocation{ { Path: "/split", diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index b7fcb75780..ec3eba5c2a 100644 --- a/internal/configs/virtualserver.go +++ b/internal/configs/virtualserver.go @@ -162,6 +162,7 @@ func (vsc *virtualServerConfigurator) generateEndpointsForUpstream(owner runtime func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(virtualServerEx *VirtualServerEx, tlsPemFileName string) (version2.VirtualServerConfig, Warnings) { vsc.clearWarnings() ssl := generateSSLConfig(virtualServerEx.VirtualServer.Spec.TLS, tlsPemFileName, vsc.cfgParams) + tlsRedirectConfig := generateTLSRedirectConfig(virtualServerEx.VirtualServer.Spec.TLS) // crUpstreams maps an UpstreamName to its conf_v1alpha1.Upstream as they are generated // necessary for generateLocation to know what Upstream each Location references 
@@ -289,19 +290,19 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(virtualServerE Maps: maps, StatusMatches: statusMatches, Server: version2.Server{ - ServerName: virtualServerEx.VirtualServer.Spec.Host, - StatusZone: virtualServerEx.VirtualServer.Spec.Host, - ProxyProtocol: vsc.cfgParams.ProxyProtocol, - SSL: ssl, - RedirectToHTTPSBasedOnXForwarderProto: vsc.cfgParams.RedirectToHTTPS, - ServerTokens: vsc.cfgParams.ServerTokens, - SetRealIPFrom: vsc.cfgParams.SetRealIPFrom, - RealIPHeader: vsc.cfgParams.RealIPHeader, - RealIPRecursive: vsc.cfgParams.RealIPRecursive, - Snippets: vsc.cfgParams.ServerSnippets, - InternalRedirectLocations: internalRedirectLocations, - Locations: locations, - HealthChecks: healthChecks, + ServerName: virtualServerEx.VirtualServer.Spec.Host, + StatusZone: virtualServerEx.VirtualServer.Spec.Host, + ProxyProtocol: vsc.cfgParams.ProxyProtocol, + SSL: ssl, + ServerTokens: vsc.cfgParams.ServerTokens, + SetRealIPFrom: vsc.cfgParams.SetRealIPFrom, + RealIPHeader: vsc.cfgParams.RealIPHeader, + RealIPRecursive: vsc.cfgParams.RealIPRecursive, + Snippets: vsc.cfgParams.ServerSnippets, + InternalRedirectLocations: internalRedirectLocations, + Locations: locations, + HealthChecks: healthChecks, + TLSRedirect: tlsRedirectConfig, }, } 
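Review bot: With `RedirectToHTTPSBasedOnXForwarderProto: vsc.cfgParams.RedirectToHTTPS` removed here (and `RedirectToHTTPS: cfgParams.SSLRedirect` removed from `generateSSLConfig` in the next hunk), a VirtualServer whose HTTP-to-HTTPS redirect came from the ConfigMap keys stops redirecting after an upgrade unless its spec gains `tls.redirect.enable: true`. The docs hunk appears to add `redirect-to-https` and `ssl-redirect` to the keys that do not apply to VirtualServer, so this looks intentional, but nothing in the visible code tells the operator that plain-HTTP requests are now served instead of redirected. This function already returns `Warnings`, so consider recording one when either ConfigMap flag is set and `tlsRedirectConfig` is nil. At minimum leave a comment such as `// ConfigMap redirect-to-https/ssl-redirect are ignored for VirtualServer; use spec.tls.redirect.` The function body starts and ends outside this hunk.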
@@ -771,16 +772,35 @@ func generateSSLConfig(tls *conf_v1alpha1.TLS, tlsPemFileName string, cfgParams } ssl := version2.SSL{ - HTTP2: cfgParams.HTTP2, - Certificate: name, - CertificateKey: name, - Ciphers: ciphers, - RedirectToHTTPS: cfgParams.SSLRedirect, + HTTP2: cfgParams.HTTP2, + Certificate: name, + CertificateKey: name, + Ciphers: ciphers, } return &ssl } +func generateTLSRedirectConfig(tls *conf_v1alpha1.TLS) *version2.TLSRedirect { + if tls == nil || tls.Redirect == nil || !tls.Redirect.Enable { + return nil + } + + redirect := &version2.TLSRedirect{ + Code: generateIntFromPointer(tls.Redirect.Code, 301), + BasedOn: generateTLSRedirectBasedOn(tls.Redirect.BasedOn), + } + + return redirect +} + +func generateTLSRedirectBasedOn(basedOn string) string { + if basedOn == "x-forwarded-proto" { + return "$http_x_forwarded_proto" + } + return "$scheme" +} + func createEndpointsFromUpstream(upstream version2.Upstream) []string { var endpoints []string diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index 49d956ae1d..ef37ef2bbc 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -295,7 +295,6 @@ func TestGenerateVirtualServerConfig(t *testing.T) { SetRealIPFrom: []string{"0.0.0.0/0"}, RealIPHeader: "X-Real-IP", RealIPRecursive: true, - RedirectToHTTPS: true, } expected := version2.VirtualServerConfig{ 
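Review bot: `generateTLSRedirectConfig` and `generateTLSRedirectBasedOn` are added without doc comments, and the second one encodes a trust decision that should be written down. `$http_x_forwarded_proto` comes from a request header, so it reflects the original scheme only when a proxy in front of NGINX sets or overwrites it; a direct HTTP request that carries `X-Forwarded-Proto: https` is not redirected. Any value other than `x-forwarded-proto` falls back to `$scheme`, which is the safer default and worth stating. Suggested comment: `// generateTLSRedirectBasedOn maps the spec value to an nginx variable; unknown values fall back to $scheme. $http_x_forwarded_proto is client-supplied unless a trusted proxy sets it.` `generateIntFromPointer` is defined outside this hunk.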
@@ -338,15 +337,14 @@ func TestGenerateVirtualServerConfig(t *testing.T) { }, }, Server: version2.Server{ - ServerName: "cafe.example.com", - StatusZone: "cafe.example.com", - ProxyProtocol: true, - RedirectToHTTPSBasedOnXForwarderProto: true, - ServerTokens: "off", - SetRealIPFrom: []string{"0.0.0.0/0"}, - RealIPHeader: "X-Real-IP", - RealIPRecursive: true, - Snippets: []string{"# server snippet"}, + ServerName: "cafe.example.com", + StatusZone: "cafe.example.com", + ProxyProtocol: true, + ServerTokens: "off", + SetRealIPFrom: []string{"0.0.0.0/0"}, + RealIPHeader: "X-Real-IP", + RealIPRecursive: true, + Snippets: []string{"# server snippet"}, Locations: []version2.Location{ { Path: "/tea", @@ -1171,13 +1169,12 @@ func TestGenerateSSLConfig(t *testing.T) { inputTLSPemFileName: "", inputCfgParams: &ConfigParams{}, expected: &version2.SSL{ - HTTP2: false, - Certificate: pemFileNameForMissingTLSSecret, - CertificateKey: pemFileNameForMissingTLSSecret, - Ciphers: "NULL", - RedirectToHTTPS: false, + HTTP2: false, + Certificate: pemFileNameForMissingTLSSecret, + CertificateKey: pemFileNameForMissingTLSSecret, + Ciphers: "NULL", }, - msg: "secret doesn't exist in the cluster with HTTP2 and SSLRedirect disabled", + msg: "secret doesn't exist in the cluster with HTTP2", }, { inputTLS: &conf_v1alpha1.TLS{ 
@@ -1186,38 +1183,109 @@ func TestGenerateSSLConfig(t *testing.T) { inputTLSPemFileName: "secret.pem", inputCfgParams: &ConfigParams{}, expected: &version2.SSL{ - HTTP2: false, - Certificate: "secret.pem", - CertificateKey: "secret.pem", - Ciphers: "", - RedirectToHTTPS: false, + HTTP2: false, + Certificate: "secret.pem", + CertificateKey: "secret.pem", + Ciphers: "", }, - msg: "normal case with HTTP2 and SSLRedirect disabled", + msg: "normal case with HTTP2", + }, + } + + for _, test := range tests { + result := generateSSLConfig(test.inputTLS, test.inputTLSPemFileName, test.inputCfgParams) + if !reflect.DeepEqual(result, test.expected) { + t.Errorf("generateSSLConfig() returned %v but expected %v for the case of %s", result, test.expected, test.msg) + } + } +} + +func TestGenerateRedirectConfig(t *testing.T) { + tests := []struct { + inputTLS *conf_v1alpha1.TLS + expected *version2.TLSRedirect + msg string + }{ + { + inputTLS: nil, + expected: nil, + msg: "no TLS field", + }, + { + inputTLS: &conf_v1alpha1.TLS{ + Secret: "secret", + Redirect: nil, + }, + expected: nil, + msg: "no redirect field", + }, + { + inputTLS: &conf_v1alpha1.TLS{ + Secret: "secret", + Redirect: &conf_v1alpha1.TLSRedirect{Enable: false}, + }, + expected: nil, + msg: "redirect disabled", }, { inputTLS: &conf_v1alpha1.TLS{ Secret: "secret", + Redirect: &conf_v1alpha1.TLSRedirect{ + Enable: true, + }, }, - inputTLSPemFileName: "secret.pem", - inputCfgParams: &ConfigParams{ - HTTP2: true, - SSLRedirect: true, + expected: &version2.TLSRedirect{ + Code: 301, + BasedOn: "$scheme", }, - expected: &version2.SSL{ - HTTP2: true, - Certificate: "secret.pem", - CertificateKey: "secret.pem", - Ciphers: "", - RedirectToHTTPS: true, + msg: "normal case with defaults", + }, + { + inputTLS: &conf_v1alpha1.TLS{ + Secret: "secret", + Redirect: &conf_v1alpha1.TLSRedirect{ + Enable: true, + BasedOn: "x-forwarded-proto", + }, + }, + expected: &version2.TLSRedirect{ + Code: 301, + BasedOn: 
"$http_x_forwarded_proto", }, - msg: "normal case with HTTP2 and SSLRedirect enabled", + msg: "normal case with BasedOn set", }, } for _, test := range tests { - result := generateSSLConfig(test.inputTLS, test.inputTLSPemFileName, test.inputCfgParams) + result := generateTLSRedirectConfig(test.inputTLS) if !reflect.DeepEqual(result, test.expected) { - t.Errorf("generateSSLConfig() returned %v but expected %v for the case of %s", result, test.expected, test.msg) + t.Errorf("generateTLSRedirectConfig() returned %v but expected %v for the case of %s", result, test.expected, test.msg) + } + } +} + +func TestGenerateTLSRedirectBasedOn(t *testing.T) { + tests := []struct { + basedOn string + expected string + }{ + { + basedOn: "scheme", + expected: "$scheme", + }, + { + basedOn: "x-forwarded-proto", + expected: "$http_x_forwarded_proto", + }, + { + basedOn: "", + expected: "$scheme", + }, + } + for _, test := range tests { + result := generateTLSRedirectBasedOn(test.basedOn) + if result != test.expected { + t.Errorf("generateTLSRedirectBasedOn(%v) returned %v but expected %v", test.basedOn, result, test.expected) } } } diff --git a/pkg/apis/configuration/v1alpha1/types.go b/pkg/apis/configuration/v1alpha1/types.go index a996cf924f..8db6c0da59 100644 --- a/pkg/apis/configuration/v1alpha1/types.go +++ b/pkg/apis/configuration/v1alpha1/types.go @@ -134,7 +134,15 @@ type Match struct { // TLS defines TLS configuration for a VirtualServer. type TLS struct { - Secret string `json:"secret"` + Secret string `json:"secret"` + Redirect *TLSRedirect `json:"redirect"` +} + +// TLSRedirect defines a redirect for a TLS. +type TLSRedirect struct { + Enable bool `json:"enable"` + Code *int `json:"code"` + BasedOn string `json:"basedOn"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/pkg/apis/configuration/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/configuration/v1alpha1/zz_generated.deepcopy.go index ce7c32c819..997a2f548c 100644 
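Review bot: None of the `TestGenerateRedirectConfig` cases sets `Redirect.Code`, so the non-default branch of `generateIntFromPointer(tls.Redirect.Code, 301)` is never exercised through the generator. That value is what ends up in the templates' `return {{ .Code }}`. Add a case with an explicit code, so that a regression which drops or ignores the spec value is caught. A local `code := 302` avoids depending on a pointer helper that may not exist in this package.

```go
func TestGenerateRedirectConfig(t *testing.T) {
	code := 302
	tests := []struct {
		// … unchanged: field declarations and existing cases …
		{
			inputTLS: &conf_v1alpha1.TLS{
				Secret: "secret",
				Redirect: &conf_v1alpha1.TLSRedirect{
					Enable:  true,
					Code:    &code,
					BasedOn: "x-forwarded-proto",
				},
			},
			expected: &version2.TLSRedirect{
				Code:    302,
				BasedOn: "$http_x_forwarded_proto",
			},
			msg: "explicit code with BasedOn set",
		},
	// … unchanged: end of cases and the loop over tests …
```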
--- a/pkg/apis/configuration/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/configuration/v1alpha1/zz_generated.deepcopy.go @@ -190,6 +190,11 @@ func (in *Split) DeepCopy() *Split { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *TLS) DeepCopyInto(out *TLS) { *out = *in + if in.Redirect != nil { + in, out := &in.Redirect, &out.Redirect + *out = new(TLSRedirect) + (*in).DeepCopyInto(*out) + } return } @@ -203,6 +208,27 @@ func (in *TLS) DeepCopy() *TLS { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TLSRedirect) DeepCopyInto(out *TLSRedirect) { + *out = *in + if in.Code != nil { + in, out := &in.Code, &out.Code + *out = new(int) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSRedirect. +func (in *TLSRedirect) DeepCopy() *TLSRedirect { + if in == nil { + return nil + } + out := new(TLSRedirect) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Upstream) DeepCopyInto(out *Upstream) { *out = *in @@ -471,7 +497,7 @@ func (in *VirtualServerSpec) DeepCopyInto(out *VirtualServerSpec) { if in.TLS != nil { in, out := &in.TLS, &out.TLS *out = new(TLS) - **out = **in + (*in).DeepCopyInto(*out) } if in.Upstreams != nil { in, out := &in.Upstreams, &out.Upstreams diff --git a/pkg/apis/configuration/validation/validation.go b/pkg/apis/configuration/validation/validation.go index f6b0816b49..45c8e0f15b 100644 --- a/pkg/apis/configuration/validation/validation.go +++ b/pkg/apis/configuration/validation/validation.go 
@@ -50,12 +50,53 @@ func validateHost(host string, fieldPath *field.Path) field.ErrorList { } func validateTLS(tls *v1alpha1.TLS, fieldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + if tls == nil { // valid case - tls is not defined - return field.ErrorList{} + return allErrs + } + + allErrs = append(allErrs, validateSecretName(tls.Secret, fieldPath.Child("secret"))...) + + allErrs = append(allErrs, validateTLSRedirect(tls.Redirect, fieldPath.Child("redirect"))...) + + return allErrs +} + +func validateTLSRedirect(redirect *v1alpha1.TLSRedirect, fieldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + + if redirect == nil { + return allErrs } - return validateSecretName(tls.Secret, fieldPath.Child("secret")) + if redirect.Code != nil { + allErrs = append(allErrs, validateTLSRedirectStatusCode(*redirect.Code, fieldPath.Child("code"))...) + } + + if redirect.BasedOn != "scheme" && redirect.BasedOn != "x-forwarded-proto" { + allErrs = append(allErrs, field.Invalid(fieldPath.Child("basedOn"), redirect.BasedOn, "accepted values are 'scheme' or 'x-forwarded-proto'")) + } + + return allErrs +} + +var validTLSRedirectStatusCodes = map[int]bool{ + 301: true, + 302: true, + 307: true, + 308: true, +} + +func validateTLSRedirectStatusCode(code int, fieldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + + if _, ok := validTLSRedirectStatusCodes[code]; !ok { + allErrs = append(allErrs, field.Invalid(fieldPath, code, "status code out of accepted range. accepted values are '301', '302', '307', '308'")) + } + + return allErrs } func validatePositiveIntOrZero(n int, fieldPath *field.Path) field.ErrorList { diff --git a/pkg/apis/configuration/validation/validation_test.go b/pkg/apis/configuration/validation/validation_test.go index 55289b8f5f..14acab6625 100644 --- a/pkg/apis/configuration/validation/validation_test.go +++ b/pkg/apis/configuration/validation/validation_test.go 
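Review bot: `validateTLSRedirect` rejects an omitted `basedOn`, because the check `redirect.BasedOn != "scheme" && redirect.BasedOn != "x-forwarded-proto"` is also true for the empty string. The docs table in this commit marks `basedOn` as not required with default `scheme`, and `generateTLSRedirectBasedOn` is tested to map `""` to `$scheme`, so a spec with only `redirect: {enable: true}` would be reported as invalid. Allow the empty value: `if redirect.BasedOn != "" && redirect.BasedOn != "scheme" && redirect.BasedOn != "x-forwarded-proto" {`. The valid cases added to `TestValidateTLS` in validation_test.go all set `BasedOn`, so the tests do not catch this; a valid case that leaves it unset would pin the fix.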
@@ -95,6 +95,14 @@ func TestValidateTLS(t *testing.T) { { Secret: "my-secret", }, + { + Secret: "my-secret", + Redirect: &v1alpha1.TLSRedirect{ + Enable: true, + Code: createPointerFromInt(302), + BasedOn: "scheme", + }, + }, } for _, tls := range validTLSes { @@ -114,6 +122,22 @@ func TestValidateTLS(t *testing.T) { { Secret: "a/b", }, + { + Secret: "my-secret", + Redirect: &v1alpha1.TLSRedirect{ + Enable: true, + Code: createPointerFromInt(305), + BasedOn: "scheme", + }, + }, + { + Secret: "my-secret", + Redirect: &v1alpha1.TLSRedirect{ + Enable: true, + Code: createPointerFromInt(301), + BasedOn: "invalidScheme", + }, + }, } for _, tls := range invalidTLSes { @@ -2223,3 +2247,36 @@ func TestValidateSessionCookieFails(t *testing.T) { } } } + +func TestValidateTLSRedirectStatusCode(t *testing.T) { + tests := []struct { + code int + }{ + {code: 301}, + {code: 302}, + {code: 307}, + {code: 308}, + } + for _, test := range tests { + allErrs := validateTLSRedirectStatusCode(test.code, field.NewPath("code")) + if len(allErrs) != 0 { + t.Errorf("validateTLSRedirectStatusCode(%v) returned errors %v for valid input", test.code, allErrs) + } + } +} + +func TestValidateTLSRedirectStatusCodeFails(t *testing.T) { + tests := []struct { + code int + }{ + {code: 309}, + {code: 299}, + {code: 305}, + } + for _, test := range tests { + allErrs := validateTLSRedirectStatusCode(test.code, field.NewPath("code")) + if len(allErrs) == 0 { + t.Errorf("validateTLSRedirectStatusCode(%v) returned no errors for invalid input", test.code) + } + } +} diff --git a/tests/data/virtual-server-configmap-keys/configmap-ssl-keys-invalid.yaml b/tests/data/virtual-server-configmap-keys/configmap-ssl-keys-invalid.yaml index 5c9e02c76d..3b26fc0663 100644 --- a/tests/data/virtual-server-configmap-keys/configmap-ssl-keys-invalid.yaml +++ b/tests/data/virtual-server-configmap-keys/configmap-ssl-keys-invalid.yaml 
@@ -4,6 +4,5 @@ metadata: name: nginx-config namespace: nginx-ingress data: - ssl-redirect: "invalid" proxy-protocol: "invalid" http2: "invalid" \ No newline at end of file diff --git a/tests/data/virtual-server-configmap-keys/configmap-ssl-keys.yaml b/tests/data/virtual-server-configmap-keys/configmap-ssl-keys.yaml index dd4ab526e8..d16f1764ce 100644 --- a/tests/data/virtual-server-configmap-keys/configmap-ssl-keys.yaml +++ b/tests/data/virtual-server-configmap-keys/configmap-ssl-keys.yaml @@ -4,6 +4,5 @@ metadata: name: nginx-config namespace: nginx-ingress data: - ssl-redirect: "false" proxy-protocol: "true" http2: "true" \ No newline at end of file diff --git a/tests/data/virtual-server-configmap-keys/configmap-validation-keys-invalid-oss.yaml b/tests/data/virtual-server-configmap-keys/configmap-validation-keys-invalid-oss.yaml index 32ae60a40c..1dd44ff187 100644 --- a/tests/data/virtual-server-configmap-keys/configmap-validation-keys-invalid-oss.yaml +++ b/tests/data/virtual-server-configmap-keys/configmap-validation-keys-invalid-oss.yaml @@ -10,5 +10,4 @@ data: lb-method: "least_time header inflight" # plus only max-fails: "invalid" keepalive: "invalid" - proxy-protocol: "invalid proxy" - redirect-to-https: "invalid" \ No newline at end of file + proxy-protocol: "invalid proxy" \ No newline at end of file diff --git a/tests/data/virtual-server-configmap-keys/configmap-validation-keys-invalid.yaml b/tests/data/virtual-server-configmap-keys/configmap-validation-keys-invalid.yaml index d5f0324c24..7ae39d5512 100644 --- a/tests/data/virtual-server-configmap-keys/configmap-validation-keys-invalid.yaml +++ b/tests/data/virtual-server-configmap-keys/configmap-validation-keys-invalid.yaml @@ -11,6 +11,5 @@ data: max-fails: "invalid" keepalive: "invalid" proxy-protocol: "invalid proxy" - redirect-to-https: "invalid" variables-hash-bucket-size: "0" variables-hash-max-size: "-1024" \ No newline at end of file 
diff --git a/tests/data/virtual-server-configmap-keys/configmap-validation-keys-oss.yaml b/tests/data/virtual-server-configmap-keys/configmap-validation-keys-oss.yaml index 10445b74f9..3bd59c97bf 100644 --- a/tests/data/virtual-server-configmap-keys/configmap-validation-keys-oss.yaml +++ b/tests/data/virtual-server-configmap-keys/configmap-validation-keys-oss.yaml @@ -11,5 +11,4 @@ data: max-fails: "3" keepalive: "32" proxy-protocol: "true" - redirect-to-https: "true" upstream-zone-size: "0" # special value \ No newline at end of file diff --git a/tests/data/virtual-server-configmap-keys/configmap-validation-keys.yaml b/tests/data/virtual-server-configmap-keys/configmap-validation-keys.yaml index dc172070a9..75f99f24c8 100644 --- a/tests/data/virtual-server-configmap-keys/configmap-validation-keys.yaml +++ b/tests/data/virtual-server-configmap-keys/configmap-validation-keys.yaml @@ -11,7 +11,6 @@ data: max-fails: "3" keepalive: "32" proxy-protocol: "true" - redirect-to-https: "true" upstream-zone-size: "0" # special value variables-hash-bucket-size: "512" variables-hash-max-size: "2048" \ No newline at end of file diff --git a/tests/suite/test_virtual_server_configmap_keys.py b/tests/suite/test_virtual_server_configmap_keys.py index e1ab66278b..4fdb4277a9 100644 --- a/tests/suite/test_virtual_server_configmap_keys.py +++ b/tests/suite/test_virtual_server_configmap_keys.py @@ -53,7 +53,6 @@ def assert_keys_with_validation(config, expected_values): assert f"max_fails={expected_values['max-fails']}" in config assert f"keepalive {expected_values['keepalive']};" in config assert "listen 80 proxy_protocol;" in config - assert "if ($http_x_forwarded_proto = 'http') {" in config def assert_keys_with_validation_in_main_config(config, expected_values): 
@@ -84,7 +83,6 @@ def assert_defaults_of_keys_with_validation(config, unexpected_values): assert "max_fails=1" in config assert "keepalive" not in config assert "listen 80;" in config - assert "if ($http_x_forwarded_proto = 'http') {" not in config assert "server_tokens \"on\"" in config assert "random two least_conn;" in config and unexpected_values['lb-method'] not in config assert f"proxy_send_timeout 60s;" in config