Merge branch 'main' into chore/helm-values-gc-comment

nginx · Aug 25, 2023 · 550ba66 · 550ba66
2 parents 61883cc + 05ba01b
commit 550ba66
Show file tree

Hide file tree

Showing 25 changed files with 3,043 additions and 62 deletions.
diff --git a/deployments/common/crds/k8s.nginx.org_globalconfigurations.yaml b/deployments/common/crds/k8s.nginx.org_globalconfigurations.yaml
@@ -45,5 +45,7 @@ spec:
                         type: integer
                       protocol:
                         type: string
+                      ssl:
+                        type: boolean
       served: true
       storage: true
diff --git a/deployments/common/crds/k8s.nginx.org_virtualservers.yaml b/deployments/common/crds/k8s.nginx.org_virtualservers.yaml
@@ -97,6 +97,14 @@ spec:
                 internalRoute:
                   description: InternalRoute allows for the configuration of internal routing.
                   type: boolean
+                listener:
+                  description: Listener references a custom http and/or https listener defined in GlobalConfiguration.
+                  type: object
+                  properties:
+                    http:
+                      type: string
+                    https:
+                      type: string
                 policies:
                   type: array
                   items:

diff --git a/deployments/helm-chart/crds/k8s.nginx.org_globalconfigurations.yaml b/deployments/helm-chart/crds/k8s.nginx.org_globalconfigurations.yaml
@@ -45,5 +45,7 @@ spec:
                         type: integer
                       protocol:
                         type: string
+                      ssl:
+                        type: boolean
       served: true
       storage: true
diff --git a/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml b/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml
@@ -97,6 +97,14 @@ spec:
                 internalRoute:
                   description: InternalRoute allows for the configuration of internal routing.
                   type: boolean
+                listener:
+                  description: Listener references a custom http and/or https listener defined in GlobalConfiguration.
+                  type: object
+                  properties:
+                    http:
+                      type: string
+                    https:
+                      type: string
                 policies:
                   type: array
                   items:

diff --git a/examples/custom-resources/custom-listeners/README.md b/examples/custom-resources/custom-listeners/README.md
@@ -0,0 +1,181 @@
+# Custom HTTP Listeners
+
+In this example, we will configure a VirtualServer resource with custom HTTP listeners.
+This will allow HTTP and/or HTTPs based requests to be made on non-default ports.
+
+## Prerequisites
+
+1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/)
+   instructions to deploy the Ingress Controller with custom resources enabled.
+2. Ensure the Ingress Controller is configured with the `-global-configuration` argument:
+   ```console
+   args:
+      - -global-configuration=$(POD_NAMESPACE)/nginx-configuration
+   ```
+
+3. Save the public IP address of the Ingress Controller into a shell variable:
+   ```console
+   IC_IP=XXX.YYY.ZZZ.III
+   ```
+
+4. If you have a NodePort or Loadbalancer service deployed, ensure they are updated to include the custom listener ports.
+Example YAML for a LoadBalancer:
+   ```yaml
+   apiVersion: v1
+   kind: Service
+   metadata:
+     name: nginx-ingress
+     namespace: nginx-ingress
+   spec:
+     type: LoadBalancer
+     ports:
+     - port: 8083
+       targetPort: 8083
+       protocol: TCP
+       name: http-8083
+     - port: 8443
+       targetPort: 8443
+       protocol: TCP
+       name: https-8443
+     selector:
+       app: nginx-ingress
+   ```
+## Step 1 - Deploy the GlobalConfiguration resource
+Similar to how listeners are configured in our [basic-tcp-udp](../../examples/custom-resource/basic-tcp-udp) examples,
+here we deploy a GlobalConfiguration resource with the listeners we want to use in our VirtualServer.
+   ```yaml
+   apiVersion: k8s.nginx.org/v1alpha1
+   kind: GlobalConfiguration
+   metadata:
+     name: nginx-configuration
+     namespace: nginx-ingress
+   spec:
+     listeners:
+     - name: http-8083
+       port: 8083
+       protocol: HTTP
+     - name: https-8443
+       port: 8443
+       protocol: HTTP
+       ssl: true
+   ```
+
+   ```console
+   kubectl create -f global-configuration.yaml
+   ```
+
+## Step 2 - Save the custom port numbers
+Save the custom HTTP and/or HTTPS ports into a shell variables for later:
+
+   ```console
+   IC_HTTP_PORT=8083
+   IC_HTTPS_PORT=8443
+   ```
+
+## Step 3 - Deploy the Cafe Application
+
+Create the coffee and the tea deployments and services:
+
+   ```console
+   kubectl create -f cafe.yaml
+   ```
+
+## Step 4 - Deploy the VirtualServer with custom listeners
+The VirtualServer in this example is set to use the listeners defined in the GlobalConfiguration resource
+that was deployed in Step 1. Below is the yaml of this example VirtualServer:
+
+   ```yaml
+   apiVersion: k8s.nginx.org/v1
+   kind: VirtualServer
+   metadata:
+     name: cafe
+   spec:
+     listener:
+       http: http-8083
+       https: https-8443
+     host: cafe.example.com
+     tls:
+       secret: cafe-secret
+     upstreams:
+     - name: tea
+       service: tea-svc
+       port: 80
+     - name: coffee
+       service: coffee-svc
+       port: 80
+     routes:
+     - path: /tea
+       action:
+         pass: tea
+     - path: /coffee
+       action:
+         pass: coffee
+   ```
+
+1. Create the secret with the TLS certificate and key:
+
+    ```console
+    kubectl create -f cafe-secret.yaml
+    ```
+
+2. Create the VirtualServer resource:
+
+    ```console
+    kubectl create -f cafe-virtual-server.yaml
+    ```
+
+## Step 5 - Test the Configuration
+
+1. Check that the configuration has been successfully applied by inspecting the events of the VirtualServer:
+
+    ```console
+    kubectl describe virtualserver cafe
+    ```
+
+   Below you will see the events as well as the new `Listeners` field
+    ```console
+   . . .
+   Spec:
+      Host:  cafe.example.com
+      Listener:
+         Http:   http-8083
+         Https:  https-8443
+   . . .
+   Routes:
+    . . .
+    Events:
+      Type    Reason          Age   From                      Message
+      ----    ------          ----  ----                      -------
+      Normal  AddedOrUpdated  7s    nginx-ingress-controller  Configuration for default/cafe was added or updated
+    ```
+
+2. Since the deployed VirtualServer is using ports `8083` and 8443` in this example. you must explicitly specify these ports
+when sending requests to the endpoints of this VirtualServer:
+
+    For `/coffee` on `8443`:
+
+    ```console
+    curl -k https://cafe.example.com:8443/coffee
+    ```
+
+    ```text
+    Server address: 10.32.0.40:8080
+    Server name: coffee-7dd75bc79b-qmhmv
+    ...
+    URI: /coffee
+    ...
+    ```
+
+    For `/coffee` on `8083`:
+
+    ```console
+    curl -k https://cafe.example.com:8083/coffee
+    ```
+
+    ```text
+    Server address: 10.32.0.40:8080
+    Server name: coffee-7dd75bc79b-qmhmv
+    ...
+    URI: /coffee
+    ...
+    ```
diff --git a/examples/custom-resources/custom-listeners/cafe-secret.yaml b/examples/custom-resources/custom-listeners/cafe-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cafe-secret
+type: kubernetes.io/tls
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURMakNDQWhZQ0NRREFPRjl0THNhWFdqQU5CZ2txaGtpRzl3MEJBUXNGQURCYU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhJVEFmQmdOVkJBb01HRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MApaREViTUJrR0ExVUVBd3dTWTJGbVpTNWxlR0Z0Y0d4bExtTnZiU0FnTUI0WERURTRNRGt4TWpFMk1UVXpOVm9YCkRUSXpNRGt4TVRFMk1UVXpOVm93V0RFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ01Ba05CTVNFd0h3WUQKVlFRS0RCaEpiblJsY201bGRDQlhhV1JuYVhSeklGQjBlU0JNZEdReEdUQVhCZ05WQkFNTUVHTmhabVV1WlhoaApiWEJzWlM1amIyMHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDcDZLbjdzeTgxCnAwanVKL2N5ayt2Q0FtbHNmanRGTTJtdVpOSzBLdGVjcUcyZmpXUWI1NXhRMVlGQTJYT1N3SEFZdlNkd0kyaloKcnVXOHFYWENMMnJiNENaQ0Z4d3BWRUNyY3hkam0zdGVWaVJYVnNZSW1tSkhQUFN5UWdwaW9iczl4N0RsTGM2SQpCQTBaalVPeWwwUHFHOVNKZXhNVjczV0lJYTVyRFZTRjJyNGtTa2JBajREY2o3TFhlRmxWWEgySTVYd1hDcHRDCm42N0pDZzQyZitrOHdnemNSVnA4WFprWldaVmp3cTlSVUtEWG1GQjJZeU4xWEVXZFowZXdSdUtZVUpsc202OTIKc2tPcktRajB2a29QbjQxRUUvK1RhVkVwcUxUUm9VWTNyemc3RGtkemZkQml6Rk8yZHNQTkZ4MkNXMGpYa05MdgpLbzI1Q1pyT2hYQUhBZ01CQUFFd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFLSEZDY3lPalp2b0hzd1VCTWRMClJkSEliMzgzcFdGeW5acS9MdVVvdnNWQTU4QjBDZzdCRWZ5NXZXVlZycTVSSWt2NGxaODFOMjl4MjFkMUpINnIKalNuUXgrRFhDTy9USkVWNWxTQ1VwSUd6RVVZYVVQZ1J5anNNL05VZENKOHVIVmhaSitTNkZBK0NuT0Q5cm4yaQpaQmVQQ0k1ckh3RVh3bm5sOHl3aWozdnZRNXpISXV5QmdsV3IvUXl1aTlmalBwd1dVdlVtNG52NVNNRzl6Q1Y3ClBwdXd2dWF0cWpPMTIwOEJqZkUvY1pISWc4SHc5bXZXOXg5QytJUU1JTURFN2IvZzZPY0s3TEdUTHdsRnh2QTgKN1dqRWVxdW5heUlwaE1oS1JYVmYxTjM0OWVOOThFejM4Zk9USFRQYmRKakZBL1BjQytHeW1lK2lHdDVPUWRGaAp5UkU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcWVpcCs3TXZOYWRJN2lmM01wUHJ3Z0pwYkg0N1JUTnBybVRTdENyWG5LaHRuNDFrCkcrZWNVTldCUU5semtzQndHTDBuY0NObzJhN2x2S2wxd2k5cTIrQW1RaGNjS1ZSQXEzTVhZNXQ3WGxZa1YxYkcKQ0pwaVJ6ejBza0lLWXFHN1BjZXc1UzNPaUFRTkdZMURzcGRENmh2VWlYc1RGZTkxaUNHdWF3MVVoZHErSkVwRwp3SStBM0kreTEzaFpWVng5aU9WOEZ3cWJRcCt1eVFvT05uL3BQTUlNM0VWYWZGMlpHVm1WWThLdlVWQ2cxNWhRCmRtTWpkVnhGbldkSHNFYmltRkNaYkp1dmRySkRxeWtJOUw1S0Q1K05SQlAvazJsUkthaTAwYUZHTjY4NE93NUgKYzMzUVlzeFR0bmJEelJjZGdsdEkxNURTN3lxTnVRbWF6b1Z3QndJREFRQUJBb0lCQVFDUFNkU1luUXRTUHlxbApGZlZGcFRPc29PWVJoZjhzSStpYkZ4SU91UmF1V2VoaEp4ZG01Uk9ScEF6bUNMeUw1VmhqdEptZTIyM2dMcncyCk45OUVqVUtiL1ZPbVp1RHNCYzZvQ0Y2UU5SNThkejhjbk9SVGV3Y290c0pSMXBuMWhobG5SNUhxSkpCSmFzazEKWkVuVVFmY1hackw5NGxvOUpIM0UrVXFqbzFGRnM4eHhFOHdvUEJxalpzVjdwUlVaZ0MzTGh4bndMU0V4eUZvNApjeGI5U09HNU9tQUpvelN0Rm9RMkdKT2VzOHJKNXFmZHZ5dGdnOXhiTGFRTC94MGtwUTYyQm9GTUJEZHFPZVBXCktmUDV6WjYvMDcvdnBqNDh5QTFRMzJQem9idWJzQkxkM0tjbjMyamZtMUU3cHJ0V2wrSmVPRmlPem5CUUZKYk4KNHFQVlJ6NWhBb0dCQU50V3l4aE5DU0x1NFArWGdLeWNrbGpKNkY1NjY4Zk5qNUN6Z0ZScUowOXpuMFRsc05ybwpGVExaY3hEcW5SM0hQWU00MkpFUmgySi9xREZaeW5SUW8zY2czb2VpdlVkQlZHWTgrRkkxVzBxZHViL0w5K3l1CmVkT1pUUTVYbUdHcDZyNmpleHltY0ppbS9Pc0IzWm5ZT3BPcmxEN1NQbUJ2ek5MazRNRjZneGJYQW9HQkFNWk8KMHA2SGJCbWNQMHRqRlhmY0tFNzdJbUxtMHNBRzR1SG9VeDBlUGovMnFyblRuT0JCTkU0TXZnRHVUSnp5K2NhVQprOFJxbWRIQ2JIelRlNmZ6WXEvOWl0OHNaNzdLVk4xcWtiSWN1YytSVHhBOW5OaDFUanNSbmU3NFowajFGQ0xrCmhIY3FIMHJpN1BZU0tIVEU4RnZGQ3haWWRidUI4NENtWmlodnhicFJBb0dBSWJqcWFNWVBUWXVrbENkYTVTNzkKWVNGSjFKelplMUtqYS8vdER3MXpGY2dWQ0thMzFqQXdjaXowZi9sU1JxM0hTMUdHR21lemhQVlRpcUxmZVpxYwpSMGlLYmhnYk9jVlZrSkozSzB5QXlLd1BUdW14S0haNnpJbVpTMGMwYW0rUlk5WUdxNVQ3WXJ6cHpjZnZwaU9VCmZmZTNSeUZUN2NmQ21mb09oREN0enVrQ2dZQjMwb0xDMVJMRk9ycW40M3ZDUzUxemM1em9ZNDR1QnpzcHd3WU4KVHd2UC9FeFdNZjNWSnJEakJDSCtULzZzeXNlUGJKRUltbHpNK0l3eXRGcEFOZmlJWEV0LzQ4WGY2ME54OGdXTQp1SHl4Wlp4L05LdER3MFY4dlgxUE9ucTJBNWVpS2ErOGpSQVJZS0pMWU5kZkR1d29seHZHNmJaaGtQaS80RXRUCjNZMThzUUtCZ0h0S2JrKzdsTkpWZXN3WEU1Y1VHNkVEVXNEZS8yVWE3ZlhwN0ZjanFCRW9hcDFMU3crNlRYcDAKWmdybUtFOEFSek00NytFSkhVdmlpcS9udXBFMTVnMGtKVzNzeWhwVTl6WkxPN2x0QjBLSWtPOVpSY21Vam84UQpjcExsSE1BcWJMSjhXWUdKQ2toaVd4eWFsNmhZVHlXWTRjVmtDMHh0VGwvaFVFOUllTktvCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
diff --git a/examples/custom-resources/custom-listeners/cafe-virtual-server.yaml b/examples/custom-resources/custom-listeners/cafe-virtual-server.yaml
@@ -0,0 +1,25 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: cafe
+spec:
+  listener:
+    http: http-8083
+    https: https-8443
+  host: cafe.example.com
+  tls:
+    secret: cafe-secret
+  upstreams:
+  - name: tea
+    service: tea-svc
+    port: 80
+  - name: coffee
+    service: coffee-svc
+    port: 80
+  routes:
+  - path: /tea
+    action:
+      pass: tea
+  - path: /coffee
+    action:
+      pass: coffee
diff --git a/examples/custom-resources/custom-listeners/cafe.yaml b/examples/custom-resources/custom-listeners/cafe.yaml
@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coffee
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: coffee
+  template:
+    metadata:
+      labels:
+        app: coffee
+    spec:
+      containers:
+      - name: coffee
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coffee-svc
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: coffee
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tea
+  template:
+    metadata:
+      labels:
+        app: tea
+    spec:
+      containers:
+      - name: tea
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tea-svc
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: tea
diff --git a/examples/custom-resources/custom-listeners/global-configuration.yaml b/examples/custom-resources/custom-listeners/global-configuration.yaml
@@ -0,0 +1,14 @@
+apiVersion: k8s.nginx.org/v1alpha1
+kind: GlobalConfiguration
+metadata:
+  name: nginx-configuration
+  namespace: nginx-ingress
+spec:
+  listeners:
+  - name: http-8083
+    port: 8083
+    protocol: HTTP
+  - name: https-8443
+    port: 8443
+    protocol: HTTP
+    ssl: true
diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go
@@ -1241,6 +1241,30 @@ func (cnf *Configurator) UpdateConfig(cfgParams *ConfigParams, resources Extende
 	return allWarnings, nil
 }
 
+// UpdateVirtualServers updates VirtualServers.
+func (cnf *Configurator) UpdateVirtualServers(updatedVSExes []*VirtualServerEx, deletedKeys []string) []error {
+	var errList []error
+	for _, vsEx := range updatedVSExes {
+		_, err := cnf.addOrUpdateVirtualServer(vsEx)
+		if err != nil {
+			errList = append(errList, fmt.Errorf("error adding or updating VirtualServer %v/%v: %w", vsEx.VirtualServer.Namespace, vsEx.VirtualServer.Name, err))
+		}
+	}
+
+	for _, key := range deletedKeys {
+		err := cnf.DeleteVirtualServer(key, true)
+		if err != nil {
+			errList = append(errList, fmt.Errorf("error when removing VirtualServer %v: %w", key, err))
+		}
+	}
+
+	if err := cnf.reload(nginx.ReloadForOtherUpdate); err != nil {
+		errList = append(errList, fmt.Errorf("error when updating VirtualServer: %w", err))
+	}
+
+	return errList
+}
+
 // UpdateTransportServers updates TransportServers.
 func (cnf *Configurator) UpdateTransportServers(updatedTSExes []*TransportServerEx, deletedKeys []string) []error {
 	var errList []error

diff --git a/internal/configs/version2/http.go b/internal/configs/version2/http.go
@@ -50,6 +50,9 @@ type UpstreamServer struct {
 type Server struct {
 	ServerName                string
 	StatusZone                string
+	CustomListeners           bool
+	HTTPPort                  int
+	HTTPSPort                 int
 	ProxyProtocol             bool
 	SSL                       *SSL
 	ServerTokens              string