Add command line argument for custom TLS Passthrough port (#4108)

* Allow custom port for TLS Passthrough
* update helm chart and add automated tests
---------

Signed-off-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Venktesh Shivam Patel <ve.patel@f5.com>

cmd/nginx-ingress/flags.go

@@ -164,7 +164,9 @@ var (
 		`The namespace/name of the GlobalConfiguration resource for global configuration of the Ingress Controller. Requires -enable-custom-resources. Format: <namespace>/<name>`)
 
 	enableTLSPassthrough = flag.Bool("enable-tls-passthrough", false,
-		"Enable TLS Passthrough on port 443. Requires -enable-custom-resources")
+		"Enable TLS Passthrough on default port 443. Requires -enable-custom-resources")
+
+	tlsPassthroughPort = flag.Int("tls-passthrough-port", 443, "Set custom port for TLS Passthrough. [1024 - 65535]")
 
 	spireAgentAddress = flag.String("spire-agent-address", "",
 		`Specifies the address of the running Spire agent. Requires -nginx-plus and is for use with NGINX Service Mesh only. If the flag is set,

cmd/nginx-ingress/main.go

@@ -97,6 +97,7 @@ func main() {
 		NginxStatusPort:                *nginxStatusPort,
 		StubStatusOverUnixSocketForOSS: *enablePrometheusMetrics,
 		TLSPassthrough:                 *enableTLSPassthrough,
+		TLSPassthroughPort:             *tlsPassthroughPort,
 		EnableSnippets:                 *enableSnippets,
 		NginxServiceMesh:               *spireAgentAddress != "",
 		MainAppProtectLoadModule:       *appProtect,
@@ -166,6 +167,7 @@ func main() {
 		IsPrometheusEnabled:          *enablePrometheusMetrics,
 		IsLatencyMetricsEnabled:      *enableLatencyMetrics,
 		IsTLSPassthroughEnabled:      *enableTLSPassthrough,
+		TLSPassthroughPort:           *tlsPassthroughPort,
 		SnippetsEnabled:              *enableSnippets,
 		CertManagerEnabled:           *enableCertManager,
 		ExternalDNSEnabled:           *enableExternalDNS,
@@ -459,6 +461,10 @@ func createGlobalConfigurationValidator() *cr_validation.GlobalConfigurationVali
 		forbiddenListenerPorts[*serviceInsightListenPort] = true
 	}
 
+	if *enableTLSPassthrough {
+		forbiddenListenerPorts[*tlsPassthroughPort] = true
+	}
+
 	return cr_validation.NewGlobalConfigurationValidator(forbiddenListenerPorts)
 }
 

deployments/helm-chart/README.md

@@ -251,7 +251,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.enableCustomResources` | Enable the custom resources. | true |
 |`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false |
 |`controller.enableOIDC` | Enable OIDC policies. | false |
-|`controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false |
+|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false |
+|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`.  | 443 |
 |`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false |
 |`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false |
 |`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false |

deployments/helm-chart/templates/controller-daemonset.yaml

@@ -228,6 +228,9 @@ spec:
           - -disable-ipv6={{ .Values.controller.disableIPV6 }}
 {{- if .Values.controller.enableCustomResources }}
           - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
+{{ if .Values.controller.enableTLSPassthrough }}
+          - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }}
+{{ end }}
           - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
           - -enable-cert-manager={{ .Values.controller.enableCertManager }}
           - -enable-oidc={{ .Values.controller.enableOIDC }}

deployments/helm-chart/templates/controller-deployment.yaml

@@ -233,6 +233,9 @@ spec:
           - -disable-ipv6={{ .Values.controller.disableIPV6 }}
 {{- if .Values.controller.enableCustomResources }}
           - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
+{{ if .Values.controller.enableTLSPassthrough }}
+          - -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }}
+{{ end }}
           - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
           - -enable-cert-manager={{ .Values.controller.enableCertManager }}
           - -enable-oidc={{ .Values.controller.enableOIDC }}

deployments/helm-chart/values.schema.json

@@ -619,6 +619,14 @@
             false
           ]
         },
+        "tlsPassthroughPort": {
+          "type": "integer",
+          "default": 443,
+          "title": "The tlsPassthroughPort",
+          "examples": [
+            443
+          ]
+        },
         "enableCertManager": {
           "type": "boolean",
           "default": false,
@@ -1332,6 +1340,7 @@
           "enableOIDC": false,
           "includeYear": false,
           "enableTLSPassthrough": false,
+          "tlsPassthroughPort": 443,
           "enableCertManager": false,
           "enableExternalDNS": false,
           "globalConfiguration": {

deployments/helm-chart/values.yaml

@@ -239,6 +239,9 @@ controller:
   ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources.
   enableTLSPassthrough: false
 
+  ## Set the port for TLS Passthrough. Requires controller.enableCustomResources and controller.enableTLSPassthrough.
+  tlsPassthroughPort: 443
+
   ## Enable cert manager for Virtual Server resources. Requires controller.enableCustomResources.
   enableCertManager: false
 

docs/content/configuration/global-configuration/command-line-arguments.md

@@ -94,6 +94,15 @@ See [-report-ingress-status](#cmdoption-report-ingress-status) flag.
 
 Enable TLS Passthrough on port 443.
 
+Requires [-enable-custom-resources](#cmdoption-enable-custom-resources).
+ 
+<a name="cmdoption-tls-passthrough-port"></a>
+
+### -tls-passthrough-port `<int>`
+
+Set the port for TLS Passthrough.
+Format: `[1024 - 65535]` (default `443`)
+
 Requires [-enable-custom-resources](#cmdoption-enable-custom-resources).
 &nbsp;
 <a name="cmdoption-enable-cert-manager"></a>

docs/content/installation/installation-with-helm.md

@@ -228,7 +228,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.enableCustomResources` | Enable the custom resources. | true |
 |`controller.enablePreviewPolicies` | Enable preview policies. This parameter is deprecated. To enable OIDC Policies please use `controller.enableOIDC` instead. | false |
 |`controller.enableOIDC` | Enable OIDC policies. | false |
-|`controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false |
+|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false |
+|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`.  | 443 |
 |`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false |
 |`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false |
 |`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false |

examples/custom-resources/tls-passthrough/README.md

@@ -34,12 +34,21 @@ You can see how the Secure App is implemented in the `secure-app.yaml` file.
       and
       [`-enable-tls-passthrough`](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-tls-passthrough)
       command-line arguments of the Ingress Controller to enable the TLS Passthrough feature.
+    - If you would like to use any other port than 443 for TLS Passthrough, set
+      the [`-tls-passthrough-port`](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-tls-passthrough-port)
+      command-line argument of the Ingress Controller, and configure the load balancer to forward traffic to that port.
+
 1. Save the public IP address of the Ingress Controller into a shell variable:
 
     ```console
     IC_IP=XXX.YYY.ZZZ.III
     ```
 
+1. Save the HTTPS port of the Ingress Controller where TLS Passthrough is enabled into a shell variable:
+
+    ```console
+    $ IC_HTTPS_PORT=<port number>
+
 1. Save the HTTPS port of the Ingress Controller into a shell variable:
 
     ```console

internal/configs/config_params.go

@@ -121,6 +121,7 @@ type StaticConfigParams struct {
 	NginxStatusPort                int
 	StubStatusOverUnixSocketForOSS bool
 	TLSPassthrough                 bool
+	TLSPassthroughPort             int
 	EnableSnippets                 bool
 	NginxServiceMesh               bool
 	EnableInternalRoutes           bool

internal/configs/configmaps.go

@@ -550,6 +550,7 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 		SSLProtocols:                       config.MainServerSSLProtocols,
 		SSLRejectHandshake:                 staticCfgParams.SSLRejectHandshake,
 		TLSPassthrough:                     staticCfgParams.TLSPassthrough,
+		TLSPassthroughPort:                 staticCfgParams.TLSPassthroughPort,
 		StreamLogFormat:                    config.MainStreamLogFormat,
 		StreamLogFormatEscaping:            config.MainStreamLogFormatEscaping,
 		StreamSnippets:                     config.MainStreamSnippets,

internal/configs/version1/config.go

@@ -205,6 +205,7 @@ type MainConfig struct {
 	StreamSnippets                     []string
 	StubStatusOverUnixSocketForOSS     bool
 	TLSPassthrough                     bool
+	TLSPassthroughPort                 int
 	VariablesHashBucketSize            uint64
 	VariablesHashMaxSize               uint64
 	WorkerConnections                  string

internal/configs/version1/nginx-plus.tmpl

@@ -313,8 +313,8 @@ stream {
     }
 
     server {
-        listen 443{{if .ProxyProtocol}} proxy_protocol{{end}};
-        {{if not .DisableIPV6}}listen [::]:443{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+        listen {{.TLSPassthroughPort}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+        {{if not .DisableIPV6}}listen [::]:{{.TLSPassthroughPort}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
 
         {{if .ProxyProtocol}}
         {{range $setRealIPFrom := .SetRealIPFrom}}

internal/configs/version1/nginx.tmpl

@@ -251,8 +251,8 @@ stream {
     }
 
     server {
-        listen 443{{if .ProxyProtocol}} proxy_protocol{{end}};
-        {{if not .DisableIPV6}}listen [::]:443{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+        listen {{.TLSPassthroughPort}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+        {{if not .DisableIPV6}}listen [::]:{{.TLSPassthroughPort}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
 
 
         {{if .ProxyProtocol}}