diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 757aec41b6..1700f2035f 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -476,7 +476,7 @@ func main() { } } - cfgParams := configs.NewDefaultConfigParams() + cfgParams := configs.NewDefaultConfigParams(*nginxPlus) if *nginxConfigMaps != "" { ns, name, err := k8s.ParseNamespaceName(*nginxConfigMaps) diff --git a/docs/content/configuration/global-configuration/configmap-resource.md b/docs/content/configuration/global-configuration/configmap-resource.md index eaf87c7e47..714aa3ff49 100644 --- a/docs/content/configuration/global-configuration/configmap-resource.md +++ b/docs/content/configuration/global-configuration/configmap-resource.md 
@@ -151,7 +151,7 @@ See the doc about [VirtualServer and VirtualServerRoute resources](/nginx-ingres | ---| ---| ---| --- | |``lb-method`` | Sets the [load balancing method](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#choosing-a-load-balancing-method). To use the round-robin method, specify ``"round_robin"``. | ``"random two least_conn"`` | | |``max-fails`` | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the ``server`` directive. | ``1`` | | -|``upstream-zone-size`` | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. | ``256K`` | | +|``upstream-zone-size`` | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. | ``256k`` for NGINX, ``512k`` for NGINX Plus | | |``fail-timeout`` | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the ``server`` directive. | ``10s`` | | |``keepalive`` | Sets the value of the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. Note that ``proxy_set_header Connection "";`` is added to the generated configuration when the value > 0. | ``0`` | | {{% /table %}} diff --git a/internal/configs/config_params.go b/internal/configs/config_params.go index 33b2c4df78..37d00698fe 100644 --- a/internal/configs/config_params.go +++ b/internal/configs/config_params.go 
@@ -133,7 +133,12 @@ type Listener struct { } // NewDefaultConfigParams creates a ConfigParams with default values. -func NewDefaultConfigParams() *ConfigParams { +func NewDefaultConfigParams(isPlus bool) *ConfigParams { + upstreamZoneSize := "256k" + if isPlus { + upstreamZoneSize = "512k" + } + return &ConfigParams{ DefaultServerReturn: "404", ServerTokens: "on", @@ -152,7 +157,7 @@ func NewDefaultConfigParams() *ConfigParams { SSLPorts: []int{443}, MaxFails: 1, MaxConns: 0, - UpstreamZoneSize: "256k", + UpstreamZoneSize: upstreamZoneSize, FailTimeout: "10s", LBMethod: "random two least_conn", MainErrorLogLevel: "notice", diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go index 7305192be9..7d4e219624 100644 --- a/internal/configs/configmaps.go +++ b/internal/configs/configmaps.go @@ -11,7 +11,7 @@ import ( // ParseConfigMap parses ConfigMap into ConfigParams. func ParseConfigMap(cfgm *v1.ConfigMap, nginxPlus bool, hasAppProtect bool) *ConfigParams { - cfgParams := NewDefaultConfigParams() + cfgParams := NewDefaultConfigParams(nginxPlus) if serverTokens, exists, err := GetMapKeyAsBool(cfgm.Data, "server-tokens", cfgm); exists { if err != nil { diff --git a/internal/configs/configurator_test.go b/internal/configs/configurator_test.go index 70562ec9e6..75e37f700b 100644 --- a/internal/configs/configurator_test.go +++ b/internal/configs/configurator_test.go @@ -41,7 +41,7 @@ func createTestConfigurator() (*Configurator, error) { manager := nginx.NewFakeManager("/etc/nginx") - cnf, err := NewConfigurator(manager, createTestStaticConfigParams(), NewDefaultConfigParams(), templateExecutor, templateExecutorV2, false, false, nil, false, nil, false), nil + cnf, err := NewConfigurator(manager, createTestStaticConfigParams(), NewDefaultConfigParams(false), templateExecutor, templateExecutorV2, false, false, nil, false, nil, false), nil if err != nil { return nil, err } 
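Review bot: The doc comment on NewDefaultConfigParams in internal/configs/config_params.go still reads "creates a ConfigParams with default values" and does not say what the new isPlus parameter selects. Callers such as ParseConfigMap and updateAllConfigs now have to pass the right flavour, so the comment should state it, for example `// NewDefaultConfigParams creates a ConfigParams with default values; isPlus selects the NGINX Plus defaults (UpstreamZoneSize "512k" instead of "256k").` The two size literals would also read better as named package constants, since the same values recur in the templates and tests. The struct literal continues in the next hunk and beyond it.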
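Review bot: On the changed line in createTestConfigurator (internal/configs/configurator_test.go), `cnf, err := NewConfigurator(...), nil` assigns the literal `nil` to `err`, so the `if err != nil` check that follows can never fire. The same pattern sits on the changed line in createTestConfiguratorInvalidIngressTemplate in the next hunk. If NewConfigurator returns a single value, as the trailing `, nil` suggests, write `cnf := NewConfigurator(...)` and drop the dead check so a reader does not assume construction errors are being handled. Both functions start and end outside their hunks.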
@@ -64,7 +64,7 @@ func createTestConfiguratorInvalidIngressTemplate() (*Configurator, error) { manager := nginx.NewFakeManager("/etc/nginx") - cnf, err := NewConfigurator(manager, createTestStaticConfigParams(), NewDefaultConfigParams(), templateExecutor, &version2.TemplateExecutor{}, false, false, nil, false, nil, false), nil + cnf, err := NewConfigurator(manager, createTestStaticConfigParams(), NewDefaultConfigParams(false), templateExecutor, &version2.TemplateExecutor{}, false, false, nil, false, nil, false), nil if err != nil { return nil, err } diff --git a/internal/configs/ingress_test.go b/internal/configs/ingress_test.go index cf3d3d633b..7c9c147b03 100644 --- a/internal/configs/ingress_test.go +++ b/internal/configs/ingress_test.go @@ -17,13 +17,13 @@ import ( func TestGenerateNginxCfg(t *testing.T) { cafeIngressEx := createCafeIngressEx() - configParams := NewDefaultConfigParams() - isPlus := false + configParams := NewDefaultConfigParams(isPlus) + expected := createExpectedConfigForCafeIngressEx(isPlus) apRes := AppProtectResources{} - result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, false, false, &StaticConfigParams{}, false) + result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, isPlus, false, &StaticConfigParams{}, false) if diff := cmp.Diff(expected, result); diff != "" { t.Errorf("generateNginxCfg() returned unexpected result (-want +got):\n%s", diff) @@ -46,9 +46,8 @@ func TestGenerateNginxCfgForJWT(t *testing.T) { Path: "/etc/nginx/secrets/default-cafe-jwk", } - configParams := NewDefaultConfigParams() - isPlus := true + configParams := NewDefaultConfigParams(isPlus) expected := createExpectedConfigForCafeIngressEx(isPlus) expected.Servers[0].JWTAuth = &version1.JWTAuth{ 
@@ -81,7 +80,7 @@ func TestGenerateNginxCfgForJWT(t *testing.T) { func TestGenerateNginxCfgWithMissingTLSSecret(t *testing.T) { cafeIngressEx := createCafeIngressEx() cafeIngressEx.SecretRefs["cafe-secret"].Error = errors.New("secret doesn't exist") - configParams := NewDefaultConfigParams() + configParams := NewDefaultConfigParams(false) apRes := AppProtectResources{} result, resultWarnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, false, false, &StaticConfigParams{}, false) @@ -105,7 +104,7 @@ func TestGenerateNginxCfgWithMissingTLSSecret(t *testing.T) { func TestGenerateNginxCfgWithWildcardTLSSecret(t *testing.T) { cafeIngressEx := createCafeIngressEx() cafeIngressEx.Ingress.Spec.TLS[0].SecretName = "" - configParams := NewDefaultConfigParams() + configParams := NewDefaultConfigParams(false) apRes := AppProtectResources{} result, warnings := generateNginxCfg(&cafeIngressEx, apRes, false, configParams, false, false, &StaticConfigParams{}, true) @@ -176,10 +175,15 @@ func TestGenerateIngressPath(t *testing.T) { } func createExpectedConfigForCafeIngressEx(isPlus bool) version1.IngressNginxConfig { + upstreamZoneSize := "256k" + if isPlus { + upstreamZoneSize = "512k" + } + coffeeUpstream := version1.Upstream{ Name: "default-cafe-ingress-cafe.example.com-coffee-svc-80", LBMethod: "random two least_conn", - UpstreamZoneSize: "256k", + UpstreamZoneSize: upstreamZoneSize, UpstreamServers: []version1.UpstreamServer{ { Address: "10.0.0.1", @@ -202,7 +206,7 @@ func createExpectedConfigForCafeIngressEx(isPlus bool) version1.IngressNginxConf teaUpstream := version1.Upstream{ Name: "default-cafe-ingress-cafe.example.com-tea-svc-80", LBMethod: "random two least_conn", - UpstreamZoneSize: "256k", + UpstreamZoneSize: upstreamZoneSize, UpstreamServers: []version1.UpstreamServer{ { Address: "10.0.0.2", 
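Review bot: The `upstreamZoneSize` branch added at the top of createExpectedConfigForCafeIngressEx (internal/configs/ingress_test.go) is repeated verbatim in createExpectedConfigForMergeableCafeIngress further down, and both copy the branching in NewDefaultConfigParams. A small test helper keeps the expected default in one place, so a future change to the default is made once in the tests rather than in every fixture builder. Both fixture builders continue outside their hunks.

```go
// expectedUpstreamZoneSize returns the default zone size the generator is expected to emit.
func expectedUpstreamZoneSize(isPlus bool) string {
	if isPlus {
		return "512k"
	}
	return "256k"
}

func createExpectedConfigForCafeIngressEx(isPlus bool) version1.IngressNginxConfig {
	upstreamZoneSize := expectedUpstreamZoneSize(isPlus)
	// … unchanged: coffeeUpstream and teaUpstream literals using upstreamZoneSize …
```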
@@ -356,7 +360,7 @@ func TestGenerateNginxCfgForMergeableIngresses(t *testing.T) { isPlus := false expected := createExpectedConfigForMergeableCafeIngress(isPlus) - configParams := NewDefaultConfigParams() + configParams := NewDefaultConfigParams(isPlus) masterApRes := AppProtectResources{} result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, masterApRes, configParams, false, false, &StaticConfigParams{}, false) @@ -381,7 +385,7 @@ func TestGenerateNginxConfigForCrossNamespaceMergeableIngresses(t *testing.T) { } expected := createExpectedConfigForCrossNamespaceMergeableCafeIngress() - configParams := NewDefaultConfigParams() + configParams := NewDefaultConfigParams(false) emptyApResources := AppProtectResources{} result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, emptyApResources, configParams, false, false, &StaticConfigParams{}, false) @@ -446,7 +450,7 @@ func TestGenerateNginxCfgForMergeableIngressesForJWT(t *testing.T) { minionJwtKeyFileNames := make(map[string]string) minionJwtKeyFileNames[objectMetaToFileName(&mergeableIngresses.Minions[0].Ingress.ObjectMeta)] = "/etc/nginx/secrets/default-coffee-jwk" - configParams := NewDefaultConfigParams() + configParams := NewDefaultConfigParams(isPlus) masterApRes := AppProtectResources{} result, warnings := generateNginxCfgForMergeableIngresses(mergeableIngresses, masterApRes, configParams, isPlus, false, &StaticConfigParams{}, false) @@ -619,10 +623,15 @@ func createMergeableCafeIngress() *MergeableIngresses { } func createExpectedConfigForMergeableCafeIngress(isPlus bool) version1.IngressNginxConfig { + upstreamZoneSize := "256k" + if isPlus { + upstreamZoneSize = "512k" + } + coffeeUpstream := version1.Upstream{ Name: "default-cafe-ingress-coffee-minion-cafe.example.com-coffee-svc-80", LBMethod: "random two least_conn", - UpstreamZoneSize: "256k", + UpstreamZoneSize: upstreamZoneSize, UpstreamServers: []version1.UpstreamServer{ { Address: "10.0.0.1", 
@@ -645,7 +654,7 @@ func createExpectedConfigForMergeableCafeIngress(isPlus bool) version1.IngressNg teaUpstream := version1.Upstream{ Name: "default-cafe-ingress-tea-minion-cafe.example.com-tea-svc-80", LBMethod: "random two least_conn", - UpstreamZoneSize: "256k", + UpstreamZoneSize: upstreamZoneSize, UpstreamServers: []version1.UpstreamServer{ { Address: "10.0.0.2", @@ -842,9 +851,8 @@ func createExpectedConfigForCrossNamespaceMergeableCafeIngress() version1.Ingres func TestGenerateNginxCfgForSpiffe(t *testing.T) { cafeIngressEx := createCafeIngressEx() - configParams := NewDefaultConfigParams() - isPlus := false + configParams := NewDefaultConfigParams(isPlus) expected := createExpectedConfigForCafeIngressEx(isPlus) expected.SpiffeClientCerts = true @@ -868,9 +876,8 @@ func TestGenerateNginxCfgForInternalRoute(t *testing.T) { internalRouteAnnotation := "nsm.nginx.com/internal-route" cafeIngressEx := createCafeIngressEx() cafeIngressEx.Ingress.Annotations[internalRouteAnnotation] = "true" - configParams := NewDefaultConfigParams() - isPlus := false + configParams := NewDefaultConfigParams(isPlus) expected := createExpectedConfigForCafeIngressEx(isPlus) expected.Servers[0].SpiffeCerts = true @@ -1339,7 +1346,9 @@ func TestGenerateNginxCfgForAppProtect(t *testing.T) { }, } - configParams := NewDefaultConfigParams() + isPlus := true + + configParams := NewDefaultConfigParams(isPlus) apRes := AppProtectResources{ AppProtectPolicy: "/etc/nginx/waf/nac-policies/default_dataguard-alarm", AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"}, @@ -1348,8 +1357,6 @@ func TestGenerateNginxCfgForAppProtect(t *testing.T) { MainAppProtectLoadModule: true, } - isPlus := true - expected := createExpectedConfigForCafeIngressEx(isPlus) expected.Servers[0].AppProtectEnable = "on" expected.Servers[0].AppProtectPolicy = "/etc/nginx/waf/nac-policies/default_dataguard-alarm" 
@@ -1391,7 +1398,8 @@ func TestGenerateNginxCfgForMergeableIngressesForAppProtect(t *testing.T) { }, } - configParams := NewDefaultConfigParams() + isPlus := true + configParams := NewDefaultConfigParams(isPlus) apRes := AppProtectResources{ AppProtectPolicy: "/etc/nginx/waf/nac-policies/default_dataguard-alarm", AppProtectLogconfs: []string{"/etc/nginx/waf/nac-logconfs/default_logconf syslog:server=127.0.0.1:514"}, @@ -1400,8 +1408,6 @@ func TestGenerateNginxCfgForMergeableIngressesForAppProtect(t *testing.T) { MainAppProtectLoadModule: true, } - isPlus := true - expected := createExpectedConfigForMergeableCafeIngress(isPlus) expected.Servers[0].AppProtectEnable = "on" expected.Servers[0].AppProtectPolicy = "/etc/nginx/waf/nac-policies/default_dataguard-alarm" diff --git a/internal/configs/version1/nginx-plus.ingress.tmpl b/internal/configs/version1/nginx-plus.ingress.tmpl index 69d2ad8a17..0fb18c5962 100644 --- a/internal/configs/version1/nginx-plus.ingress.tmpl +++ b/internal/configs/version1/nginx-plus.ingress.tmpl @@ -1,7 +1,7 @@ # configuration for {{.Ingress.Namespace}}/{{.Ingress.Name}} {{range $upstream := .Upstreams}} upstream {{$upstream.Name}} { - zone {{$upstream.Name}} {{if ne $upstream.UpstreamZoneSize "0"}}{{$upstream.UpstreamZoneSize}}{{else}}256k{{end}}; + zone {{$upstream.Name}} {{if ne $upstream.UpstreamZoneSize "0"}}{{$upstream.UpstreamZoneSize}}{{else}}512k{{end}}; {{if $upstream.LBMethod }}{{$upstream.LBMethod}};{{end}} {{range $server := $upstream.UpstreamServers}} server {{$server.Address}}:{{$server.Port}} max_fails={{$server.MaxFails}} fail_timeout={{$server.FailTimeout}} max_conns={{$server.MaxConns}} diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index b8efae7d2f..c4c76c74f2 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl 
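Review bot: The `512k` fallback on the `zone` line of internal/configs/version1/nginx-plus.ingress.tmpl repeats the NGINX Plus default that NewDefaultConfigParams now sets in Go, and the same literal is in version2/nginx-plus.virtualserver.tmpl, so the value lives in three places. If the default changes again and one template is missed, an `upstream-zone-size` of `0` would silently render a size that differs from the documented default. Consider resolving `0` to the default in Go before rendering, or at least mark the literal with a template comment such as `{{/* keep in sync with the NGINX Plus default in NewDefaultConfigParams */}}`.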
@@ -1,6 +1,6 @@ {{ range $u := .Upstreams }} upstream {{ $u.Name }} { - zone {{ $u.Name }} {{ if ne $u.UpstreamZoneSize "0" }}{{ $u.UpstreamZoneSize }}{{ else }}256k{{ end }}; + zone {{ $u.Name }} {{ if ne $u.UpstreamZoneSize "0" }}{{ $u.UpstreamZoneSize }}{{ else }}512k{{ end }}; {{ if $u.LBMethod }}{{ $u.LBMethod }};{{ end }} diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 107b63dd27..b4ba04146c 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -635,7 +635,7 @@ func (lbc *LoadBalancerController) syncConfigMap(task task) { } func (lbc *LoadBalancerController) updateAllConfigs() { - cfgParams := configs.NewDefaultConfigParams() + cfgParams := configs.NewDefaultConfigParams(lbc.isNginxPlus) if lbc.configMap != nil { cfgParams = configs.ParseConfigMap(lbc.configMap, lbc.isNginxPlus, lbc.appProtectEnabled) diff --git a/tests/suite/test_annotations.py b/tests/suite/test_annotations.py index 06d097d12b..a2acd0fc74 100644 --- a/tests/suite/test_annotations.py +++ b/tests/suite/test_annotations.py @@ -165,7 +165,7 @@ def fin(): @pytest.mark.ingresses @pytest.mark.parametrize('annotations_setup', ["standard", "mergeable"], indirect=True) class TestAnnotations: - def test_nginx_config_defaults(self, kube_apis, annotations_setup, ingress_controller_prerequisites): + def test_nginx_config_defaults(self, kube_apis, annotations_setup, ingress_controller_prerequisites, cli_arguments): print("Case 1: no ConfigMap keys, no annotations in Ingress") result_conf = get_ingress_nginx_template_conf(kube_apis.v1, annotations_setup.namespace, 
@@ -178,8 +178,12 @@ def test_nginx_config_defaults(self, kube_apis, annotations_setup, ingress_contr assert "Strict-Transport-Security" not in result_conf + expected_zone_size = "256k" + if cli_arguments["ic-type"] == "nginx-plus-ingress": + expected_zone_size = "512k" + for upstream in annotations_setup.upstream_names: - assert f"zone {upstream} 256k;" in result_conf + assert f"zone {upstream} {expected_zone_size};" in result_conf @pytest.mark.parametrize('annotations, expected_strings, unexpected_strings', [ ({"nginx.org/proxy-send-timeout": "10s", "nginx.org/max-conns": "1024", @@ -318,7 +322,7 @@ def test_upstream_zone_size_0(self, cli_arguments, kube_apis, if cli_arguments["ic-type"] == "nginx-plus-ingress": print("Run assertions for Nginx Plus case") assert "zone " in result_conf - assert " 256k;" in result_conf + assert " 512k;" in result_conf elif cli_arguments["ic-type"] == "nginx-ingress": print("Run assertions for Nginx OSS case") assert "zone " not in result_conf diff --git a/tests/suite/test_externalname_service.py b/tests/suite/test_externalname_service.py index 38f4c85dbf..c5662107de 100644 --- a/tests/suite/test_externalname_service.py +++ b/tests/suite/test_externalname_service.py @@ -93,7 +93,7 @@ def test_ic_template_config_upstream_zone(self, kube_apis, ingress_controller_pr ingress_controller_prerequisites.namespace) line = f"zone {external_name_setup.namespace}-" \ f"{external_name_setup.ingress_name}-" \ - f"{external_name_setup.ingress_host}-{external_name_setup.service}-80 256k;" + f"{external_name_setup.ingress_host}-{external_name_setup.service}-80 512k;" assert line in result_conf def test_ic_template_config_upstream_rule(self, kube_apis, ingress_controller_prerequisites, diff --git a/tests/suite/test_v_s_route_externalname.py b/tests/suite/test_v_s_route_externalname.py index 25c5d72394..1ef7cb14c7 100644 --- a/tests/suite/test_v_s_route_externalname.py +++ b/tests/suite/test_v_s_route_externalname.py 
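Review bot: `assert " 512k;" in result_conf` in test_upstream_zone_size_0 (tests/suite/test_annotations.py) is satisfied by any directive whose value ends in 512k, and pairing it with `assert "zone " in result_conf` still does not tie the size to the zone line. The same loose pair is used in assert_specific_keys_for_nginx_plus and in the new assert_defaults_of_keys_with_validation_for_nginx_plus / _for_nginx_oss helpers in test_virtual_server_configmap_keys.py. Matching the whole directive is stricter, for example `assert re.search(r"zone \S+ 512k;", result_conf)` (with `import re`). The test body continues outside the hunk.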
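Review bot: The expected line in test_ic_template_config_upstream_zone (tests/suite/test_externalname_service.py) now hard-codes `512k`, which only holds for an NGINX Plus controller, and nothing in the hunk shows the test being restricted to Plus. The same applies to the changed lines in test_v_s_route_externalname.py and test_virtual_server_external_name.py. If these suites are Plus-only, which the `resolve` server parameter asserted in the VirtualServerRoute variant suggests, a short comment such as `# ExternalName tests run on NGINX Plus only, hence the Plus default zone size` would record that. Otherwise derive the size from `cli_arguments["ic-type"]` as test_nginx_config_defaults does in this commit.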
@@ -123,7 +123,7 @@ def test_template_config(self, kube_apis, ingress_controller_prerequisites.namespace) line = f"zone vs_{vsr_externalname_setup.namespace}_{vsr_externalname_setup.vs_name}" \ - f"_vsr_{vsr_externalname_setup.route.namespace}_{vsr_externalname_setup.route.name}_ext-backend 256k;" + f"_vsr_{vsr_externalname_setup.route.namespace}_{vsr_externalname_setup.route.name}_ext-backend 512k;" assert line in initial_config assert "random two least_conn;" in initial_config assert f"server {vsr_externalname_setup.external_host}:80 max_fails=1 fail_timeout=10s max_conns=0 resolve;"\ diff --git a/tests/suite/test_virtual_server_configmap_keys.py b/tests/suite/test_virtual_server_configmap_keys.py index e418f72c39..1a725d2ec5 100644 --- a/tests/suite/test_virtual_server_configmap_keys.py +++ b/tests/suite/test_virtual_server_configmap_keys.py @@ -69,7 +69,7 @@ def assert_specific_keys_for_nginx_plus(config, expected_values): assert f"server_tokens \"{expected_values['server-tokens']}\";" in config assert "random two least_conn;" not in config \ and expected_values['lb-method'] in config - assert "zone " in config and " 256k;" in config + assert "zone " in config and " 512k;" in config def assert_specific_keys_for_nginx_oss(config, expected_values): 
@@ -79,8 +79,15 @@ def assert_specific_keys_for_nginx_oss(config, expected_values): and expected_values['lb-method'] in config assert "zone " not in config and " 256k;" not in config +def assert_defaults_of_keys_with_validation_for_nginx_plus(config, unexpected_values): + assert_common_defaults_of_keys_with_validation(config, unexpected_values) + assert "zone " in config and " 512k;" in config + +def assert_defaults_of_keys_with_validation_for_nginx_oss(config, unexpected_values): + assert_common_defaults_of_keys_with_validation(config, unexpected_values) + assert "zone " in config and " 256k;" in config -def assert_defaults_of_keys_with_validation(config, unexpected_values): +def assert_common_defaults_of_keys_with_validation(config, unexpected_values): assert "proxy_buffering on;" in config assert "real_ip_recursive" not in config assert "max_fails=1" in config @@ -89,7 +96,6 @@ def assert_defaults_of_keys_with_validation(config, unexpected_values): assert "server_tokens \"on\"" in config assert "random two least_conn;" in config and unexpected_values['lb-method'] not in config assert f"proxy_send_timeout 60s;" in config - assert "zone " in config and " 256k;" in config def assert_defaults_of_keys_with_validation_in_main_config(config, unexpected_values): 
@@ -222,7 +228,10 @@ def test_keys(self, cli_arguments, kube_apis, ingress_controller_prerequisites, ingress_controller_prerequisites.namespace) step_4_events = get_events(kube_apis.v1, virtual_server_setup.namespace) assert_update_event_count_increased(virtual_server_setup, step_4_events, step_3_events) - assert_defaults_of_keys_with_validation(step_4_config, expected_values) + if cli_arguments['ic-type'] == "nginx-ingress": + assert_defaults_of_keys_with_validation_for_nginx_oss(step_4_config, expected_values) + else: + assert_defaults_of_keys_with_validation_for_nginx_plus(step_4_config, expected_values) def test_keys_in_main_config(self, cli_arguments, kube_apis, ingress_controller_prerequisites, crd_ingress_controller, virtual_server_setup, clean_up): diff --git a/tests/suite/test_virtual_server_external_name.py b/tests/suite/test_virtual_server_external_name.py index 5799ca6ae9..f9d3f7c288 100644 --- a/tests/suite/test_virtual_server_external_name.py +++ b/tests/suite/test_virtual_server_external_name.py @@ -78,7 +78,7 @@ def test_template_config(self, kube_apis, ingress_controller_prerequisites, virtual_server_setup.vs_name, vs_externalname_setup.ic_pod_name, ingress_controller_prerequisites.namespace) - line = f"zone vs_{virtual_server_setup.namespace}_{virtual_server_setup.vs_name}_backend1 256k;" + line = f"zone vs_{virtual_server_setup.namespace}_{virtual_server_setup.vs_name}_backend1 512k;" assert line in result_conf assert "random two least_conn;" in result_conf assert f"server {vs_externalname_setup.external_host}:80 max_fails=1 fail_timeout=10s max_conns=0 resolve;"\