Add Safe Proxy Buffer Configuration Adjustments (#8133)

Signed-off-by: AlexFenlon <[email protected]>
Co-authored-by: Alex Fenlon <[email protected]>

Author: javorszky

charts/nginx-ingress/templates/_helpers.tpl

@@ -338,6 +338,9 @@ Build the args for the service binary.
 - -enable-custom-resources={{ .Values.controller.enableCustomResources }}
 - -enable-snippets={{ .Values.controller.enableSnippets }}
 - -disable-ipv6={{ .Values.controller.disableIPV6 }}
+{{- if .Values.controller.directiveAutoAdjust }}
+- -enable-directive-autoadjust={{ .Values.controller.directiveAutoAdjust }}
+{{- end }}
 {{- if .Values.controller.enableCustomResources }}
 - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
 {{- if .Values.controller.enableTLSPassthrough }}

charts/nginx-ingress/values.schema.json

@@ -657,6 +657,15 @@
             "json"
           ]
         },
+        "directiveAutoAdjust": {
+          "type": "boolean",
+          "default": false,
+          "title": "Enables automatic adjustment of the NGINX buffers directives",
+          "examples": [
+            false,
+            true
+          ]
+        },
         "customPorts": {
           "type": "array",
           "default": [],

charts/nginx-ingress/values.yaml

@@ -164,6 +164,10 @@ controller:
   ## Sets the log format of Ingress Controller. Options include: glog, json, text
   logFormat: glog
 
+  ## Enables auto adjusting some of the NGINX directives to help with safe configuration and prevent NGINX misconfigurations.
+  ## See https://docs.nginx.com/nginx-ingress-controller/configuration/proxy-buffers-configuration/  for more details of which configuration options are affected
+  directiveAutoAdjust: false
+
   ## Cache configuration options
   cache:
     ## Enables shared cache across multiple pods using an external persistent volume

cmd/nginx-ingress/flags.go

@@ -225,6 +225,8 @@ var (
 
 	enableDynamicWeightChangesReload = flag.Bool(dynamicWeightChangesParam, false, "Enable changing weights of split clients without reloading NGINX. Requires -nginx-plus")
 
+	enableDirectiveAutoadjust = flag.Bool("enable-directive-autoadjust", false, "Enable automatic adjustment of NGINX directives to avoid conflicting NGINX configuration. Results may vary and might not be ideal in all cases.")
+
 	startupCheckFn func() error
 )
 

cmd/nginx-ingress/main.go

@@ -221,6 +221,7 @@ func main() {
 		EnableCertManager:              *enableCertManager,
 		DynamicSSLReload:               *enableDynamicSSLReload,
 		DynamicWeightChangesReload:     *enableDynamicWeightChangesReload,
+		IsDirectiveAutoadjustEnabled:   *enableDirectiveAutoadjust,
 		StaticSSLPath:                  staticSSLPath,
 		NginxVersion:                   nginxVersion,
 		AppProtectBundlePath:           appProtectBundlePath,
@@ -274,6 +275,7 @@ func main() {
 		cr_validation.IsDosEnabled(*appProtectDos),
 		cr_validation.IsCertManagerEnabled(*enableCertManager),
 		cr_validation.IsExternalDNSEnabled(*enableExternalDNS),
+		cr_validation.IsDirectiveAutoadjustEnabled(*enableDirectiveAutoadjust),
 	)
 
 	if *enableServiceInsight {
@@ -324,6 +326,7 @@ func main() {
 		CertManagerEnabled:           *enableCertManager,
 		ExternalDNSEnabled:           *enableExternalDNS,
 		IsIPV6Disabled:               *disableIPV6,
+		IsDirectiveAutoadjustEnabled: *enableDirectiveAutoadjust,
 		WatchNamespaceLabel:          *watchNamespaceLabel,
 		EnableTelemetryReporting:     *enableTelemetryReporting,
 		TelemetryReportingEndpoint:   telemetryEndpoint,
@@ -996,7 +999,7 @@ func processConfigMaps(kubeClient *kubernetes.Clientset, cfgParams *configs.Conf
 		if err != nil {
 			nl.Fatalf(l, "Error when getting %v: %v", *nginxConfigMaps, err)
 		}
-		cfgParams, _ = configs.ParseConfigMap(cfgParams.Context, cfm, *nginxPlus, *appProtect, *appProtectDos, *enableTLSPassthrough, eventLog)
+		cfgParams, _ = configs.ParseConfigMap(cfgParams.Context, cfm, *nginxPlus, *appProtect, *appProtectDos, *enableTLSPassthrough, *enableDirectiveAutoadjust, eventLog)
 		if cfgParams.MainServerSSLDHParamFileContent != nil {
 			fileName, err := nginxManager.CreateDHParam(*cfgParams.MainServerSSLDHParamFileContent)
 			if err != nil {

config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml

@@ -872,6 +872,12 @@ spec:
                             is set in the proxy-buffers ConfigMap key.
                           type: string
                       type: object
+                    busy-buffers-size:
+                      description: Sets the size of the buffers used for reading a
+                        response from the upstream server when the proxy_buffering
+                        is enabled. The default is set in the proxy-busy-buffers-size
+                        ConfigMap key.'
+                      type: string
                     client-max-body-size:
                       description: Sets the maximum allowed size of the client request
                         body. The default is set in the client-max-body-size ConfigMap

config/crd/bases/k8s.nginx.org_virtualservers.yaml

@@ -1061,6 +1061,12 @@ spec:
                             is set in the proxy-buffers ConfigMap key.
                           type: string
                       type: object
+                    busy-buffers-size:
+                      description: Sets the size of the buffers used for reading a
+                        response from the upstream server when the proxy_buffering
+                        is enabled. The default is set in the proxy-busy-buffers-size
+                        ConfigMap key.'
+                      type: string
                     client-max-body-size:
                       description: Sets the maximum allowed size of the client request
                         body. The default is set in the client-max-body-size ConfigMap

deploy/crds.yaml

@@ -1891,6 +1891,12 @@ spec:
                             is set in the proxy-buffers ConfigMap key.
                           type: string
                       type: object
+                    busy-buffers-size:
+                      description: Sets the size of the buffers used for reading a
+                        response from the upstream server when the proxy_buffering
+                        is enabled. The default is set in the proxy-busy-buffers-size
+                        ConfigMap key.'
+                      type: string
                     client-max-body-size:
                       description: Sets the maximum allowed size of the client request
                         body. The default is set in the client-max-body-size ConfigMap
@@ -3303,6 +3309,12 @@ spec:
                             is set in the proxy-buffers ConfigMap key.
                           type: string
                       type: object
+                    busy-buffers-size:
+                      description: Sets the size of the buffers used for reading a
+                        response from the upstream server when the proxy_buffering
+                        is enabled. The default is set in the proxy-busy-buffers-size
+                        ConfigMap key.'
+                      type: string
                     client-max-body-size:
                       description: Sets the maximum allowed size of the client request
                         body. The default is set in the client-max-body-size ConfigMap

docs/crd/k8s.nginx.org_virtualserverroutes.md

@@ -168,6 +168,7 @@ The `.spec` object supports the following fields:
 | `upstreams[].buffers` | `object` | Configures the buffers used for reading a response from the upstream server for a single connection. |
 | `upstreams[].buffers.number` | `integer` | Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. |
 | `upstreams[].buffers.size` | `string` | Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. |
+| `upstreams[].busy-buffers-size` | `string` | Sets the size of the buffers used for reading a response from the upstream server when the proxy_buffering is enabled. The default is set in the proxy-busy-buffers-size ConfigMap key.' |
 | `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. The default is set in the client-max-body-size ConfigMap key. |
 | `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. The default is specified in the proxy-connect-timeout ConfigMap key. |
 | `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. The default is set in the fail-timeout ConfigMap key. |

docs/crd/k8s.nginx.org_virtualservers.md

@@ -203,6 +203,7 @@ The `.spec` object supports the following fields:
 | `upstreams[].buffers` | `object` | Configures the buffers used for reading a response from the upstream server for a single connection. |
 | `upstreams[].buffers.number` | `integer` | Configures the number of buffers. The default is set in the proxy-buffers ConfigMap key. |
 | `upstreams[].buffers.size` | `string` | Configures the size of a buffer. The default is set in the proxy-buffers ConfigMap key. |
+| `upstreams[].busy-buffers-size` | `string` | Sets the size of the buffers used for reading a response from the upstream server when the proxy_buffering is enabled. The default is set in the proxy-busy-buffers-size ConfigMap key.' |
 | `upstreams[].client-max-body-size` | `string` | Sets the maximum allowed size of the client request body. The default is set in the client-max-body-size ConfigMap key. |
 | `upstreams[].connect-timeout` | `string` | The timeout for establishing a connection with an upstream server. The default is specified in the proxy-connect-timeout ConfigMap key. |
 | `upstreams[].fail-timeout` | `string` | The time during which the specified number of unsuccessful attempts to communicate with an upstream server should happen to consider the server unavailable. The default is set in the fail-timeout ConfigMap key. |