Merge pull request #106 from nginxinc/plus-controller

Add new features to Plus controller

Author: pleshakov

nginx-plus-controller/controller/controller.go

@@ -335,10 +335,14 @@ func (lbc *LoadBalancerController) syncEndp(key string) {
 			if !isNginxIngress(&ing) {
 				continue
 			}
-			ingEx := lbc.createIngress(&ing)
+			ingEx, err := lbc.createIngress(&ing)
+			if err != nil {
+				glog.Warningf("Error updating endpoints for %v/%v: %v, skipping", ing.Namespace, ing.Name, err)
+				continue
+			}
 			glog.V(3).Infof("Updating Endpoints for %v/%v", ing.Name, ing.Namespace)
 			name := ing.Namespace + "-" + ing.Name
-			lbc.cnf.UpdateEndpoints(name, &ingEx)
+			lbc.cnf.UpdateEndpoints(name, ingEx)
 		}
 	}
 
@@ -363,6 +367,20 @@ func (lbc *LoadBalancerController) syncCfgm(key string) {
 		if proxyReadTimeout, exists := cfgm.Data["proxy-read-timeout"]; exists {
 			cfg.ProxyReadTimeout = proxyReadTimeout
 		}
+		if proxyHideHeaders, exists, err := nginx.GetMapKeyAsStringSlice(cfgm.Data, "proxy-hide-headers", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
+			} else {
+				cfg.ProxyHideHeaders = proxyHideHeaders
+			}
+		}
+		if proxyPassHeaders, exists, err := nginx.GetMapKeyAsStringSlice(cfgm.Data, "proxy-pass-headers", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
+			} else {
+				cfg.ProxyPassHeaders = proxyPassHeaders
+			}
+		}
 		if clientMaxBodySize, exists := cfgm.Data["client-max-body-size"]; exists {
 			cfg.ClientMaxBodySize = clientMaxBodySize
 		}
@@ -412,6 +430,57 @@ func (lbc *LoadBalancerController) syncCfgm(key string) {
 			}
 		}
 
+		if proxyProtocol, exists, err := nginx.GetMapKeyAsBool(cfgm.Data, "proxy-protocol", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
+			} else {
+				cfg.ProxyProtocol = proxyProtocol
+			}
+		}
+
+		// ngx_http_realip_module
+		if realIPHeader, exists := cfgm.Data["real-ip-header"]; exists {
+			cfg.RealIPHeader = realIPHeader
+		}
+		if setRealIPFrom, exists, err := nginx.GetMapKeyAsStringSlice(cfgm.Data, "set-real-ip-from", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
+			} else {
+				cfg.SetRealIPFrom = setRealIPFrom
+			}
+		}
+		if realIPRecursive, exists, err := nginx.GetMapKeyAsBool(cfgm.Data, "real-ip-recursive", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
+			} else {
+				cfg.RealIPRecursive = realIPRecursive
+			}
+		}
+
+		// SSL block
+		if sslProtocols, exists := cfgm.Data["ssl-protocols"]; exists {
+			cfg.MainServerSSLProtocols = sslProtocols
+		}
+		if sslPreferServerCiphers, exists, err := nginx.GetMapKeyAsBool(cfgm.Data, "ssl-prefer-server-ciphers", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
+			} else {
+				cfg.MainServerSSLPreferServerCiphers = sslPreferServerCiphers
+			}
+		}
+		if sslCiphers, exists := cfgm.Data["ssl-ciphers"]; exists {
+			cfg.MainServerSSLCiphers = strings.Trim(sslCiphers, "\n")
+		}
+		if sslDHParamFile, exists := cfgm.Data["ssl-dhparam-file"]; exists {
+			sslDHParamFile = strings.Trim(sslDHParamFile, "\n")
+			fileName, err := lbc.cnf.AddOrUpdateDHParam(sslDHParamFile)
+			if err != nil {
+				glog.Errorf("Configmap %s/%s: Could not update dhparams: %v", cfgm.GetNamespace(), cfgm.GetName(), err)
+			} else {
+				cfg.MainServerSSLDHParam = fileName
+			}
+		}
+
 		if logFormat, exists := cfgm.Data["log-format"]; exists {
 			cfg.MainLogFormat = logFormat
 		}
@@ -462,8 +531,12 @@ func (lbc *LoadBalancerController) syncIng(key string) {
 		glog.V(2).Infof("Adding or Updating Ingress: %v\n", key)
 
 		ing := obj.(*extensions.Ingress)
-		ingEx := lbc.createIngress(ing)
-		lbc.cnf.AddOrUpdateIngress(name, &ingEx)
+		ingEx, err := lbc.createIngress(ing)
+		if err != nil {
+			lbc.ingQueue.requeueAfter(key, err, 5*time.Second)
+			return
+		}
+		lbc.cnf.AddOrUpdateIngress(name, ingEx)
 	}
 }
 
@@ -501,8 +574,8 @@ func (lbc *LoadBalancerController) getIngressForEndpoints(obj interface{}) []ext
 	return ings
 }
 
-func (lbc *LoadBalancerController) createIngress(ing *extensions.Ingress) nginx.IngressEx {
-	ingEx := nginx.IngressEx{
+func (lbc *LoadBalancerController) createIngress(ing *extensions.Ingress) (*nginx.IngressEx, error) {
+	ingEx := &nginx.IngressEx{
 		Ingress: ing,
 	}
 
@@ -511,8 +584,7 @@ func (lbc *LoadBalancerController) createIngress(ing *extensions.Ingress) nginx.
 		secretName := tls.SecretName
 		secret, err := lbc.client.Secrets(ing.Namespace).Get(secretName)
 		if err != nil {
-			glog.Warningf("Error retrieving secret %v for Ingress %v: %v", secretName, ing.Name, err)
-			continue
+			return nil, fmt.Errorf("Error retrieving secret %v for Ingress %v: %v", secretName, ing.Name, err)
 		}
 		ingEx.Secrets[secretName] = secret
 	}
@@ -542,7 +614,7 @@ func (lbc *LoadBalancerController) createIngress(ing *extensions.Ingress) nginx.
 		}
 	}
 
-	return ingEx
+	return ingEx, nil
 }
 
 func (lbc *LoadBalancerController) getEndpointsForIngressBackend(backend *extensions.IngressBackend, namespace string) ([]string, error) {

nginx-plus-controller/controller/utils.go

@@ -59,6 +59,14 @@ func (t *taskQueue) requeue(key string, err error) {
 	t.queue.Add(key)
 }
 
+func (t *taskQueue) requeueAfter(key string, err error, after time.Duration) {
+	glog.Errorf("Requeuing %v after %s, err %v", key, after.String(), err)
+	go func(key string, after time.Duration) {
+		time.Sleep(after)
+		t.queue.Add(key)
+	}(key, after)
+}
+
 // worker processes work in the queue through sync.
 func (t *taskQueue) worker() {
 	for {

nginx-plus-controller/nginx/config.go

@@ -13,9 +13,23 @@ type Config struct {
 	ProxyBuffers                  string
 	ProxyBufferSize               string
 	ProxyMaxTempFileSize          string
+	ProxyProtocol                 bool
+	ProxyHideHeaders              []string
+	ProxyPassHeaders              []string
 	HSTS                          bool
 	HSTSMaxAge                    int64
 	HSTSIncludeSubdomains         bool
+
+	// http://nginx.org/en/docs/http/ngx_http_realip_module.html
+	RealIPHeader    string
+	SetRealIPFrom   []string
+	RealIPRecursive bool
+
+	// http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+	MainServerSSLProtocols           string
+	MainServerSSLPreferServerCiphers bool
+	MainServerSSLCiphers             string
+	MainServerSSLDHParam             string
 }
 
 // NewDefaultConfig creates a Config with default values

nginx-plus-controller/nginx/configurator.go

@@ -32,6 +32,10 @@ func NewConfigurator(nginx *NginxController, config *Config, nginxAPI *NginxAPIC
 	return &cnf
 }
 
+func (cnf *Configurator) AddOrUpdateDHParam(content string) (string, error) {
+	return cnf.nginx.AddOrUpdateDHParam(content)
+}
+
 // AddOrUpdateIngress adds or updates NGINX configuration for an Ingress resource
 func (cnf *Configurator) AddOrUpdateIngress(name string, ingEx *IngressEx) {
 	cnf.lock.Lock()
@@ -115,10 +119,16 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 		server := Server{
 			Name:                  serverName,
 			HTTP2:                 ingCfg.HTTP2,
+			ProxyProtocol:         ingCfg.ProxyProtocol,
 			HSTS:                  ingCfg.HSTS,
 			HSTSMaxAge:            ingCfg.HSTSMaxAge,
 			HSTSIncludeSubdomains: ingCfg.HSTSIncludeSubdomains,
 			StatusZone:            statuzZone,
+			RealIPHeader:          ingCfg.RealIPHeader,
+			SetRealIPFrom:         ingCfg.SetRealIPFrom,
+			RealIPRecursive:       ingCfg.RealIPRecursive,
+			ProxyHideHeaders:      ingCfg.ProxyHideHeaders,
+			ProxyPassHeaders:      ingCfg.ProxyPassHeaders,
 		}
 
 		if pemFile, ok := pems[serverName]; ok {
@@ -164,10 +174,16 @@ func (cnf *Configurator) generateNginxCfg(ingEx *IngressEx, pems map[string]stri
 		server := Server{
 			Name:                  serverName,
 			HTTP2:                 ingCfg.HTTP2,
+			ProxyProtocol:         ingCfg.ProxyProtocol,
 			HSTS:                  ingCfg.HSTS,
 			HSTSMaxAge:            ingCfg.HSTSMaxAge,
 			HSTSIncludeSubdomains: ingCfg.HSTSIncludeSubdomains,
 			StatusZone:            statuzZone,
+			RealIPHeader:          ingCfg.RealIPHeader,
+			SetRealIPFrom:         ingCfg.SetRealIPFrom,
+			RealIPRecursive:       ingCfg.RealIPRecursive,
+			ProxyHideHeaders:      ingCfg.ProxyHideHeaders,
+			ProxyPassHeaders:      ingCfg.ProxyPassHeaders,
 		}
 
 		if pemFile, ok := pems[emptyHost]; ok {
@@ -198,6 +214,20 @@ func (cnf *Configurator) createConfig(ingEx *IngressEx) Config {
 	if proxyReadTimeout, exists := ingEx.Ingress.Annotations["nginx.org/proxy-read-timeout"]; exists {
 		ingCfg.ProxyReadTimeout = proxyReadTimeout
 	}
+	if proxyHideHeaders, exists, err := GetMapKeyAsStringSlice(ingEx.Ingress.Annotations, "nginx.org/proxy-hide-headers", ingEx.Ingress); exists {
+		if err != nil {
+			glog.Error(err)
+		} else {
+			ingCfg.ProxyHideHeaders = proxyHideHeaders
+		}
+	}
+	if proxyPassHeaders, exists, err := GetMapKeyAsStringSlice(ingEx.Ingress.Annotations, "nginx.org/proxy-pass-headers", ingEx.Ingress); exists {
+		if err != nil {
+			glog.Error(err)
+		} else {
+			ingCfg.ProxyPassHeaders = proxyPassHeaders
+		}
+	}
 	if clientMaxBodySize, exists := ingEx.Ingress.Annotations["nginx.org/client-max-body-size"]; exists {
 		ingCfg.ClientMaxBodySize = clientMaxBodySize
 	}
@@ -451,6 +481,10 @@ func (cnf *Configurator) UpdateConfig(config *Config) {
 		ServerNamesHashBucketSize: config.MainServerNamesHashBucketSize,
 		ServerNamesHashMaxSize:    config.MainServerNamesHashMaxSize,
 		LogFormat:                 config.MainLogFormat,
+		SSLProtocols:              config.MainServerSSLProtocols,
+		SSLCiphers:                config.MainServerSSLCiphers,
+		SSLDHParam:                config.MainServerSSLDHParam,
+		SSLPreferServerCiphers:    config.MainServerSSLPreferServerCiphers,
 	}
 
 	cnf.nginx.UpdateMainConfigFile(mainCfg)

nginx-plus-controller/nginx/convert.go

@@ -3,6 +3,7 @@ package nginx
 import (
 	"fmt"
 	"strconv"
+	"strings"
 
 	"k8s.io/kubernetes/pkg/api/meta"
 	"k8s.io/kubernetes/pkg/runtime"
@@ -38,3 +39,12 @@ func GetMapKeyAsInt(m map[string]string, key string, context apiObject) (int64,
 	}
 	return 0, false, nil
 }
+
+// GetMapKeyAsStringSlice tries to find and parse a key in the map as string slice splitting it on ','
+func GetMapKeyAsStringSlice(m map[string]string, key string, context apiObject) ([]string, bool, error) {
+	if str, exists := m[key]; exists {
+		slice := strings.Split(str, ",")
+		return slice, exists, nil
+	}
+	return nil, false, nil
+}

nginx-plus-controller/nginx/convert_test.go

@@ -1,6 +1,7 @@
 package nginx
 
 import (
+	"reflect"
 	"testing"
 
 	"k8s.io/kubernetes/pkg/api"
@@ -153,3 +154,36 @@ func TestGetMapKeyAsIntErrorMessage(t *testing.T) {
 		t.Errorf("The error message does not match expectations:\nGot: %v\nExpected: %v", err, expected)
 	}
 }
+
+//
+// GetMapKeyAsStringSlice
+//
+func TestGetMapKeyAsStringSlice(t *testing.T) {
+	configMap := configMap
+	configMap.Data = map[string]string{
+		"key": "1.String,2.String,3.String",
+	}
+
+	slice, exists, err := GetMapKeyAsStringSlice(configMap.Data, "key", &configMap)
+	if err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+	if !exists {
+		t.Errorf("The key 'key' must exist in the configMap")
+	}
+	expected := []string{"1.String", "2.String", "3.String"}
+	t.Log(expected)
+	if !reflect.DeepEqual(expected, slice) {
+		t.Errorf("Unexpected return value:\nGot: %#v\nExpected: %#v", slice, expected)
+	}
+}
+
+func TestGetMapKeyAsStringSliceNotFound(t *testing.T) {
+	configMap := configMap
+	configMap.Data = map[string]string{}
+
+	_, exists, _ := GetMapKeyAsStringSlice(configMap.Data, "key", &configMap)
+	if exists {
+		t.Errorf("The key 'key' must not exist in the configMap")
+	}
+}

nginx-plus-controller/nginx/ingress.tmpl

@@ -9,19 +9,28 @@ upstream {{$upstream.Name}} {
 
 {{range $server := .Servers}}
 server {
-	listen 80;
+	listen 80{{if $server.ProxyProtocol}} proxy_protocol{{end}};
 	{{if $server.SSL}}
-	listen 443 ssl{{if $server.HTTP2}} http2{{end}};
+	listen 443 ssl{{if $server.HTTP2}} http2{{end}}{{if $server.ProxyProtocol}} proxy_protocol{{end}};
 	ssl_certificate {{$server.SSLCertificate}};
 	ssl_certificate_key {{$server.SSLCertificateKey}};
 	{{end}}
+	{{range $setRealIPFrom := $server.SetRealIPFrom}}
+	set_real_ip_from {{$setRealIPFrom}};{{end}}
+	{{if $server.RealIPHeader}}real_ip_header {{$server.RealIPHeader}};{{end}}
+	{{if $server.RealIPRecursive}}real_ip_recursive on;{{end}}
 
 	{{if $server.Name}}
 	server_name {{$server.Name}};
 	{{end}}
 
 	status_zone {{$server.StatusZone}};
 
+	{{range $proxyHideHeader := $server.ProxyHideHeaders}}
+	proxy_hide_header {{$proxyHideHeader}};{{end}}
+	{{range $proxyPassHeader := $server.ProxyPassHeaders}}
+	proxy_pass_header {{$proxyPassHeader}};{{end}}
+
 	{{if $server.SSL}}
 	if ($scheme = http) {
 		return 301 https://$host$request_uri;

nginx-plus-controller/nginx/nginx.conf.tmpl

@@ -39,6 +39,11 @@ http {
         ''      close;
     }
 
+    {{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}
+    {{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}
+    {{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}
+    {{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}
+
     {{if .HealthStatus}}
     server {
         listen 80 default_server;