Merge branch 'release-2.4' into chore/add-CODEOWNERS-2.4

nginxinc · Oct 19, 2022 · be219b5 · be219b5
2 parents 47c32a3 + 1bc1a21
commit be219b5
Show file tree

Hide file tree

Showing 6 changed files with 121 additions and 10 deletions.
diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md
@@ -631,7 +631,7 @@ The ResponseHeaders field modifies the headers of the response to the client.
 {{% table %}}
 |Field | Description | Type | Required |
 | ---| ---| ---| --- |
-|``hide`` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the [proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directive for more information. | ``bool`` | No |
+|``hide`` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the [proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directive for more information. | ``[]string`` | No |
 |``pass`` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the [proxy_pass_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directive for more information. | ``[]string`` | No |
 |``ignore`` | Disables processing of certain headers** to the client from a proxied upstream server. See the [proxy_ignore_headers](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ignore_headers) directive for more information. | ``[]string`` | No |
 |``add`` | Adds headers to the response to the client. | [[]addHeader](#addheader) | No |

diff --git a/internal/configs/ingress.go b/internal/configs/ingress.go
@@ -156,6 +156,7 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes
 			AppProtectEnable:      cfgParams.AppProtectEnable,
 			AppProtectLogEnable:   cfgParams.AppProtectLogEnable,
 			SpiffeCerts:           cfgParams.SpiffeServerCerts,
+			DisableIPV6:           staticParams.DisableIPV6,
 		}
 
 		warnings := addSSLConfig(&server, ingEx.Ingress, rule.Host, ingEx.Ingress.Spec.TLS, ingEx.SecretRefs, isWildcardEnabled)

diff --git a/internal/configs/ingress_test.go b/internal/configs/ingress_test.go
@@ -152,6 +152,25 @@ func TestGenerateNginxCfgWithWildcardTLSSecret(t *testing.T) {
 	}
 }
 
+func TestGenerateNginxCfgWithIPV6Disabled(t *testing.T) {
+	t.Parallel()
+	cafeIngressEx := createCafeIngressEx()
+	isPlus := false
+	configParams := NewDefaultConfigParams(isPlus)
+
+	expected := createExpectedConfigForCafeIngressEx(isPlus)
+	expected.Servers[0].DisableIPV6 = true
+
+	result, warnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, isPlus, false, &StaticConfigParams{DisableIPV6: true}, false)
+
+	if !cmp.Equal(expected, result) {
+		t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", cmp.Diff(expected, result))
+	}
+	if len(warnings) != 0 {
+		t.Errorf("generateNginxCfg() returned warnings: %v", warnings)
+	}
+}
+
 func TestPathOrDefaultReturnDefault(t *testing.T) {
 	t.Parallel()
 	path := ""

diff --git a/internal/configs/version1/config.go b/internal/configs/version1/config.go
@@ -15,7 +15,6 @@ type IngressNginxConfig struct {
 	Keepalive         string
 	Ingress           Ingress
 	SpiffeClientCerts bool
-	DisableIPV6       bool
 }
 
 // Ingress holds information about an Ingress resource.

diff --git a/tests/suite/resources_utils.py b/tests/suite/resources_utils.py
@@ -239,7 +239,7 @@ def scale_deployment(v1: CoreV1Api, apps_v1_api: AppsV1Api, name, namespace, val
         now = time.time()
         wait_until_all_pods_are_ready(v1, namespace)
         later = time.time()
-        print(f"All pods came up in {int(later-now)} seconds")
+        print(f"All pods came up in {int(later - now)} seconds")
 
     elif value == 0:
         replica_num = (apps_v1_api.read_namespaced_deployment_scale(name, namespace)).spec.replicas
@@ -933,14 +933,16 @@ def clear_file_contents(v1: CoreV1Api, file_path, pod_name, pod_namespace):
     )
 
 
-def get_nginx_template_conf(v1: CoreV1Api, ingress_namespace) -> str:
+def get_nginx_template_conf(v1: CoreV1Api, ingress_namespace, ic_pod_name=None) -> str:
     """
     Get contents of /etc/nginx/nginx.conf in the pod
     :param v1: CoreV1Api
-    :param ingress_namespace:
+    :param ingress_namespace: str
+    :param ic_pod_name: str
     :return: str
     """
-    ic_pod_name = get_first_pod_name(v1, ingress_namespace)
+    if ic_pod_name is None:
+        ic_pod_name = get_first_pod_name(v1, ingress_namespace)
     file_path = "/etc/nginx/nginx.conf"
     return get_file_contents(v1, file_path, ic_pod_name, ingress_namespace)
 
@@ -1117,7 +1119,7 @@ def create_ingress_controller(v1: CoreV1Api, apps_v1_api: AppsV1Api, cli_argumen
     before = time.time()
     wait_until_all_pods_are_ready(v1, namespace)
     after = time.time()
-    print(f"All pods came up in {int(after-before)} seconds")
+    print(f"All pods came up in {int(after - before)} seconds")
     print(f"Ingress Controller was created with name '{name}'")
     return name
 
@@ -1160,7 +1162,7 @@ def create_dos_arbitrator(
     before = time.time()
     wait_until_all_pods_are_ready(v1, namespace)
     after = time.time()
-    print(f"All pods came up in {int(after-before)} seconds")
+    print(f"All pods came up in {int(after - before)} seconds")
     print(f"Dos arbitrator was created with name '{name}'")
 
     print("create dos svc")

diff --git a/tests/suite/test_disable_ipv6.py b/tests/suite/test_disable_ipv6.py
@@ -1,14 +1,26 @@
 import pytest
+from settings import TEST_DATA
 from suite.resources_utils import (
+    create_example_app,
+    create_items_from_yaml,
+    create_secret_from_yaml,
+    delete_common_app,
+    delete_items_from_yaml,
+    delete_secret,
+    ensure_connection_to_public_endpoint,
     get_first_pod_name,
+    get_ingress_nginx_template_conf,
     get_nginx_template_conf,
     get_ts_nginx_template_conf,
     wait_before_test,
+    wait_until_all_pods_are_ready,
 )
 from suite.vs_vsr_resources_utils import get_vs_nginx_template_conf
+from suite.yaml_utils import get_name_from_yaml
 
 
 @pytest.mark.vs
+@pytest.mark.ts
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup, transport_server_setup",
     [
@@ -27,8 +39,8 @@
     ],
     indirect=True,
 )
-class TestDisableIpv6:
-    def test_ipv6_is_disabled(
+class TestDisableIpv6VsTs:
+    def test_ipv6_listeners_not_in_config(
         self,
         kube_apis,
         ingress_controller_prerequisites,
@@ -56,3 +68,81 @@ def test_ipv6_is_disabled(
         assert "listen [::]:" not in nginx_config
         assert "listen [::]:" not in vs_config
         assert "listen [::]:" not in ts_config
+
+
+class IngressSetup:
+    """
+    Encapsulate the ingress_setup details.
+
+    Attributes:
+        ingress_name (str):
+        ingress_pod_name (str):
+        namespace (str):
+    """
+
+    def __init__(self, ingress_name, ingress_pod_name, namespace):
+        self.ingress_name = ingress_name
+        self.ingress_pod_name = ingress_pod_name
+        self.namespace = namespace
+
+
+@pytest.fixture(scope="class")
+def ingress_setup(
+    request,
+    kube_apis,
+    ingress_controller_prerequisites,
+    ingress_controller_endpoint,
+    ingress_controller,
+    test_namespace,
+) -> IngressSetup:
+    print("------------------------- Deploy Disable IPV6 Example -----------------------------------")
+    secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
+    create_items_from_yaml(kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace)
+    ingress_name = get_name_from_yaml(f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml")
+    create_example_app(kube_apis, "simple", test_namespace)
+    wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
+
+    ensure_connection_to_public_endpoint(
+        ingress_controller_endpoint.public_ip,
+        ingress_controller_endpoint.port,
+        ingress_controller_endpoint.port_ssl,
+    )
+    ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
+
+    def fin():
+        print("Clean up the Disable IPV6 Application:")
+        delete_common_app(kube_apis, "simple", test_namespace)
+        delete_items_from_yaml(kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace)
+        delete_secret(kube_apis.v1, secret_name, test_namespace)
+
+    request.addfinalizer(fin)
+
+    return IngressSetup(ingress_name, ic_pod_name, test_namespace)
+
+
+@pytest.mark.ingresses
+@pytest.mark.parametrize(
+    "ingress_controller",
+    [
+        pytest.param({"extra_args": ["-disable-ipv6=true"]}),
+    ],
+    indirect=True,
+)
+class TestDisableIPV6Ingress:
+    def test_ipv6_listeners_not_in_config(
+        self,
+        kube_apis,
+        ingress_setup,
+        ingress_controller_prerequisites,
+    ):
+        wait_before_test()
+        nginx_config = get_nginx_template_conf(kube_apis.v1, ingress_controller_prerequisites.namespace)
+        upstream_conf = get_ingress_nginx_template_conf(
+            kube_apis.v1,
+            ingress_setup.namespace,
+            ingress_setup.ingress_name,
+            ingress_setup.ingress_pod_name,
+            ingress_controller_prerequisites.namespace,
+        )
+        assert "listen [::]:" not in nginx_config
+        assert "listen [::]:" not in upstream_conf