From 1bc1a21499e2f8050486e86a8388206d1620e846 Mon Sep 17 00:00:00 2001 From: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> Date: Wed, 19 Oct 2022 15:44:17 +0100 Subject: [PATCH] Chery Pick #3139 #3157 (#3180) * Remove all IPV6 listeners in ingress resources with -disable-ipv6 command line (#3139) * Remove ipv6 listeners in ingress upstream with command line argument Co-authored-by: Venktesh (cherry picked from commit 4e6caf02b9ffa2718fc0d5f34a7de98760b5c944) * Fix typo in Action.Proxy.ResponseHeaders (#3157) Corrected bool to []string in Action.Proxy.ResponseHeaders section (cherry picked from commit 4824823c706e72411316accbda97a2553649bcbf) Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> Co-authored-by: tomasohaodha <86358393+tomasohaodha@users.noreply.github.com> --- ...server-and-virtualserverroute-resources.md | 2 +- internal/configs/ingress.go | 1 + internal/configs/ingress_test.go | 19 ++++ internal/configs/version1/config.go | 1 - tests/suite/resources_utils.py | 14 +-- tests/suite/test_disable_ipv6.py | 94 ++++++++++++++++++- 6 files changed, 121 insertions(+), 10 deletions(-) diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md index 41c02f28a6..16bb2742da 100644 --- a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md +++ b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md @@ -631,7 +631,7 @@ The ResponseHeaders field modifies the headers of the response to the client. {{% table %}} |Field | Description | Type | Required | | ---| ---| ---| --- | -|``hide`` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the [proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directive for more information. | ``bool`` | No | +|``hide`` | The headers that will not be passed* in the response to the client from a proxied upstream server. See the [proxy_hide_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directive for more information. | ``[]string`` | No | |``pass`` | Allows passing the hidden header fields* to the client from a proxied upstream server. See the [proxy_pass_header](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directive for more information. | ``[]string`` | No | |``ignore`` | Disables processing of certain headers** to the client from a proxied upstream server. See the [proxy_ignore_headers](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ignore_headers) directive for more information. | ``[]string`` | No | |``add`` | Adds headers to the response to the client. | [[]addHeader](#addheader) | No | diff --git a/internal/configs/ingress.go b/internal/configs/ingress.go index 303f2e5040..f92700ed88 100644 --- a/internal/configs/ingress.go +++ b/internal/configs/ingress.go @@ -156,6 +156,7 @@ func generateNginxCfg(ingEx *IngressEx, apResources *AppProtectResources, dosRes AppProtectEnable: cfgParams.AppProtectEnable, AppProtectLogEnable: cfgParams.AppProtectLogEnable, SpiffeCerts: cfgParams.SpiffeServerCerts, + DisableIPV6: staticParams.DisableIPV6, } warnings := addSSLConfig(&server, ingEx.Ingress, rule.Host, ingEx.Ingress.Spec.TLS, ingEx.SecretRefs, isWildcardEnabled) diff --git a/internal/configs/ingress_test.go b/internal/configs/ingress_test.go index 1e3aab9eb0..0da7f9ac25 100644 --- a/internal/configs/ingress_test.go +++ b/internal/configs/ingress_test.go @@ -152,6 +152,25 @@ func TestGenerateNginxCfgWithWildcardTLSSecret(t *testing.T) { } } +func TestGenerateNginxCfgWithIPV6Disabled(t *testing.T) { + t.Parallel() + cafeIngressEx := createCafeIngressEx() + isPlus := false + configParams := NewDefaultConfigParams(isPlus) + + expected := createExpectedConfigForCafeIngressEx(isPlus) + expected.Servers[0].DisableIPV6 = true + + result, warnings := generateNginxCfg(&cafeIngressEx, nil, nil, false, configParams, isPlus, false, &StaticConfigParams{DisableIPV6: true}, false) + + if !cmp.Equal(expected, result) { + t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", cmp.Diff(expected, result)) + } + if len(warnings) != 0 { + t.Errorf("generateNginxCfg() returned warnings: %v", warnings) + } +} + func TestPathOrDefaultReturnDefault(t *testing.T) { t.Parallel() path := "" diff --git a/internal/configs/version1/config.go b/internal/configs/version1/config.go index fb7bfdd6d6..1f3496e82f 100644 --- a/internal/configs/version1/config.go +++ b/internal/configs/version1/config.go @@ -15,7 +15,6 @@ type IngressNginxConfig struct { Keepalive string Ingress Ingress SpiffeClientCerts bool - DisableIPV6 bool } // Ingress holds information about an Ingress resource. diff --git a/tests/suite/resources_utils.py b/tests/suite/resources_utils.py index 75f3616750..3c0adfb585 100644 --- a/tests/suite/resources_utils.py +++ b/tests/suite/resources_utils.py @@ -239,7 +239,7 @@ def scale_deployment(v1: CoreV1Api, apps_v1_api: AppsV1Api, name, namespace, val now = time.time() wait_until_all_pods_are_ready(v1, namespace) later = time.time() - print(f"All pods came up in {int(later-now)} seconds") + print(f"All pods came up in {int(later - now)} seconds") elif value == 0: replica_num = (apps_v1_api.read_namespaced_deployment_scale(name, namespace)).spec.replicas @@ -933,14 +933,16 @@ def clear_file_contents(v1: CoreV1Api, file_path, pod_name, pod_namespace): ) -def get_nginx_template_conf(v1: CoreV1Api, ingress_namespace) -> str: +def get_nginx_template_conf(v1: CoreV1Api, ingress_namespace, ic_pod_name=None) -> str: """ Get contents of /etc/nginx/nginx.conf in the pod :param v1: CoreV1Api - :param ingress_namespace: + :param ingress_namespace: str + :param ic_pod_name: str :return: str """ - ic_pod_name = get_first_pod_name(v1, ingress_namespace) + if ic_pod_name is None: + ic_pod_name = get_first_pod_name(v1, ingress_namespace) file_path = "/etc/nginx/nginx.conf" return get_file_contents(v1, file_path, ic_pod_name, ingress_namespace) @@ -1117,7 +1119,7 @@ def create_ingress_controller(v1: CoreV1Api, apps_v1_api: AppsV1Api, cli_argumen before = time.time() wait_until_all_pods_are_ready(v1, namespace) after = time.time() - print(f"All pods came up in {int(after-before)} seconds") + print(f"All pods came up in {int(after - before)} seconds") print(f"Ingress Controller was created with name '{name}'") return name @@ -1160,7 +1162,7 @@ def create_dos_arbitrator( before = time.time() wait_until_all_pods_are_ready(v1, namespace) after = time.time() - print(f"All pods came up in {int(after-before)} seconds") + print(f"All pods came up in {int(after - before)} seconds") print(f"Dos arbitrator was created with name '{name}'") print("create dos svc") diff --git a/tests/suite/test_disable_ipv6.py b/tests/suite/test_disable_ipv6.py index 31d83bb0c9..2102921123 100644 --- a/tests/suite/test_disable_ipv6.py +++ b/tests/suite/test_disable_ipv6.py @@ -1,14 +1,26 @@ import pytest +from settings import TEST_DATA from suite.resources_utils import ( + create_example_app, + create_items_from_yaml, + create_secret_from_yaml, + delete_common_app, + delete_items_from_yaml, + delete_secret, + ensure_connection_to_public_endpoint, get_first_pod_name, + get_ingress_nginx_template_conf, get_nginx_template_conf, get_ts_nginx_template_conf, wait_before_test, + wait_until_all_pods_are_ready, ) from suite.vs_vsr_resources_utils import get_vs_nginx_template_conf +from suite.yaml_utils import get_name_from_yaml @pytest.mark.vs +@pytest.mark.ts @pytest.mark.parametrize( "crd_ingress_controller, virtual_server_setup, transport_server_setup", [ @@ -27,8 +39,8 @@ ], indirect=True, ) -class TestDisableIpv6: - def test_ipv6_is_disabled( +class TestDisableIpv6VsTs: + def test_ipv6_listeners_not_in_config( self, kube_apis, ingress_controller_prerequisites, @@ -56,3 +68,81 @@ def test_ipv6_is_disabled( assert "listen [::]:" not in nginx_config assert "listen [::]:" not in vs_config assert "listen [::]:" not in ts_config + + +class IngressSetup: + """ + Encapsulate the ingress_setup details. + + Attributes: + ingress_name (str): + ingress_pod_name (str): + namespace (str): + """ + + def __init__(self, ingress_name, ingress_pod_name, namespace): + self.ingress_name = ingress_name + self.ingress_pod_name = ingress_pod_name + self.namespace = namespace + + +@pytest.fixture(scope="class") +def ingress_setup( + request, + kube_apis, + ingress_controller_prerequisites, + ingress_controller_endpoint, + ingress_controller, + test_namespace, +) -> IngressSetup: + print("------------------------- Deploy Disable IPV6 Example -----------------------------------") + secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml") + create_items_from_yaml(kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace) + ingress_name = get_name_from_yaml(f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml") + create_example_app(kube_apis, "simple", test_namespace) + wait_until_all_pods_are_ready(kube_apis.v1, test_namespace) + + ensure_connection_to_public_endpoint( + ingress_controller_endpoint.public_ip, + ingress_controller_endpoint.port, + ingress_controller_endpoint.port_ssl, + ) + ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace) + + def fin(): + print("Clean up the Disable IPV6 Application:") + delete_common_app(kube_apis, "simple", test_namespace) + delete_items_from_yaml(kube_apis, f"{TEST_DATA}/smoke/standard/smoke-ingress.yaml", test_namespace) + delete_secret(kube_apis.v1, secret_name, test_namespace) + + request.addfinalizer(fin) + + return IngressSetup(ingress_name, ic_pod_name, test_namespace) + + +@pytest.mark.ingresses +@pytest.mark.parametrize( + "ingress_controller", + [ + pytest.param({"extra_args": ["-disable-ipv6=true"]}), + ], + indirect=True, +) +class TestDisableIPV6Ingress: + def test_ipv6_listeners_not_in_config( + self, + kube_apis, + ingress_setup, + ingress_controller_prerequisites, + ): + wait_before_test() + nginx_config = get_nginx_template_conf(kube_apis.v1, ingress_controller_prerequisites.namespace) + upstream_conf = get_ingress_nginx_template_conf( + kube_apis.v1, + ingress_setup.namespace, + ingress_setup.ingress_name, + ingress_setup.ingress_pod_name, + ingress_controller_prerequisites.namespace, + ) + assert "listen [::]:" not in nginx_config + assert "listen [::]:" not in upstream_conf