Merged!

Author: Nico Schieder

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+### 0.6.0
+
+* [75](https://github.com/nginxinc/kubernetes-ingress/pull/75): Add the HSTS settings in the configmap and annotations. Thanks to [Nico Schieder](https://github.com/thetechnick).
+* [74](https://github.com/nginxinc/kubernetes-ingress/pull/74): Fix the issue of the `kubernetes.io/ingress.class` annotation handling. Thanks to [Tang Le](https://github.com/tangle329).
+* [70](https://github.com/nginxinc/kubernetes-ingress/pull/70): Add support for the alpine-based image for the NGINX controller.
+* [68](https://github.com/nginxinc/kubernetes-ingress/pull/68): Support for proxy-buffering settings in the configmap and annotations. Thanks to [Mark Daniel Reidel](https://github.com/df-mreidel).
+* [66](https://github.com/nginxinc/kubernetes-ingress/pull/66): Support for custom log-format in the configmap. Thanks to [Mark Daniel Reidel](https://github.com/df-mreidel).
+* [65](https://github.com/nginxinc/kubernetes-ingress/pull/65): Add HTTP/2 as an option in the configmap and annotations. Thanks to [Nico Schieder](https://github.com/thetechnick).
+* The NGINX Plus controller image is now based on Ubuntu Xenial.
+
 ### 0.5.0
 
 * Update NGINX version to 1.11.5.

examples/complete-example/nginx-ingress-rc.yaml

@@ -14,7 +14,7 @@ spec:
         app: nginx-ingress
     spec:
       containers:
-      - image: nginxdemos/nginx-ingress:0.5.0
+      - image: nginxdemos/nginx-ingress:0.6.0
         imagePullPolicy: Always
         name: nginx-ingress
         ports:

examples/complete-example/nginx-plus-ingress-rc.yaml

@@ -14,7 +14,7 @@ spec:
         app: nginx-plus-ingress
     spec:
       containers:
-      - image: nginx-plus-ingress:0.5.0
+      - image: nginx-plus-ingress:0.6.0
         imagePullPolicy: Always
         name: nginx-plus-ingress
         ports:

examples/customization/README.md

@@ -1,12 +1,25 @@
 # Customization of NGINX Configuration
 
-You can customize the NGINX configuration using ConfigMaps or Annotations. For now, you can set the values of the following
-NGINX directives:
-* [proxy_connect_timeout](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout)
-* [proxy_read_timeout](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout)
-* [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size)
-* [server_names_hash_max_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) via ConfigMaps only
-* [server_names_hash_bucket_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size) via ConfigMaps only
+You can customize the NGINX configuration using ConfigMaps or Annotations.
+
+The table below summarizes some of the options. More options (extensions) are available, refer to the [examples](..) folder.
+
+| Annotation | ConfigMaps Key | Description | Default |
+| ---------- | -------------- | ----------- | ------- |
+| `nginx.org/proxy-read-timeout` | `proxy-read-timeout` | Sets the value of the [proxy_connect_timeout](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout) directive. | `60s` |
+| `nginx.org/proxy-read-timeout` | `proxy-read-timeout` | Sets the value of the [proxy_read_timeout](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) directive. | `60s` |
+| `nginx.org/client-max-body-size` | `client-max-body-size` | Sets the value of the [client_max_body_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) directive. | `1m` |
+| `nginx.org/proxy-buffering` | `proxy-buffering` | Enables or disables [buffering of responses](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering) from the proxied server. | `True` |
+| `nginx.org/proxy-buffers` | `proxy-buffers` | Sets the value of the [proxy_buffers](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers) directive. | Depends on the platform. |
+| `nginx.org/proxy-buffer-size` | `proxy-buffer-size` | Sets the value of the [proxy_buffer_size](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) directive | Depends on the platform. |
+| `nginx.org/proxy-max-temp-file-size` | `proxy-max-temp-file-size` | Sets the value of the  [proxy_max_temp_file_size](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size) directive. | `1024m` |
+| N/A | `server-names-hash-bucket-size` | Sets the value of the [server_names_hash_max_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) directive. | Depends on the size of the processor’s cache line. |
+| N/A | `server-names-hash-max-size` | Sets the value of the [server_names_hash_bucket_size](http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size) directive. | `512` |
+| `nginx.org/http2` | `http2` | Enables HTTP/2 in servers with SSL enabled. To support HTTP/2 for Chrome users, use the provided controller image based on the alpine Linux. It includes OpenSSL with ALPN support, [necessary for Chrome users](https://www.nginx.com/blog/supporting-http2-google-chrome-users/). | `False` |
+| N/A | `log-format` | Sets the custom [log format](http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format).  | See the [template file](../../nginx-controller/nginx/nginx.conf.tmpl). |  
+| `nginx.org/hsts` | `hsts` | Enables [HTTP Strict Transport Security (HSTS)](https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/): the HSTS header is added to the responses from backends. The `preload` directive is included in the header. | `False` |
+| `nginx.org/hsts-max-age` | `hsts-max-age` | Sets the value of the `max-age` directive of the HSTS header. | `2592000` (1 month) |
+| `nginx.org/hsts-include-subdomains` | `hsts-include-subdomains` | Adds the `includeSubDomains` directive to the HSTS header. | `False`|
 
 ## Using ConfigMaps
 

examples/customization/nginx-config.yaml

@@ -8,4 +8,13 @@ data:
   client-max-body-size: "2m" # default is "1m". See http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
   server-names-hash-bucket-size: "64" # default value depends on the size of the processor’s cache line. See http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_bucket_size
   server-names-hash-max-size: "1024" # default is "512". See http://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size
-  http2: 'True' # default is "False". Enables http2 in servers with SSL enabled. See https://nginx.org/en/docs/http/ngx_http_v2_module.html
+  http2: "True" # default is "False". Enables HTTP/2 in servers with SSL enabled. See https://nginx.org/en/docs/http/ngx_http_v2_module.html
+  proxy-buffering: "False" # default is "True". Enables or disables buffering of responses from the proxied server. See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering
+  proxy-buffers: "16 8k" # default value depends on the platform. See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers
+  proxy-buffer-size: "2k" # default value depends on the platform. See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+  proxy-max-temp-file-size: "0" # default is "1024m". See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size
+  log-format: '{ "@timestamp": "$time_iso8601", "@version": "1", "clientip": "$remote_addr", "tag": "ingress", "remote_user": "$remote_user", "bytes": $bytes_sent, "duration": $request_time, "status": $status, "request": "$request_uri", "urlpath": "$uri", "urlquery": "$args", "method": "$request_method", "referer": "$http_referer", "useragent": "$http_user_agent", "software": "nginx", "version": "$nginx_version", "host": "$host", "upstream": "$upstream_addr", "upstream-status": "$upstream_status" }'
+  # log-format default is set in the nginx.conf.tmpl file. Also see http://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
+  hsts: "True" # default is "False". Enables HTTP Strict Transport Security (HSTS): the HSTS header is added to the responses from backends. See https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+  hsts-max-age: "31536000" # default is 2592000 (1 month).
+  hsts-include-subdomains: "True" # default is "False".

examples/daemon-set/nginx-ingress.yaml

@@ -11,7 +11,7 @@ spec:
       # nodeSelector:
       #   role: nginx-ingress
       containers:
-      - image: nginxdemos/nginx-ingress:0.5.0
+      - image: nginxdemos/nginx-ingress:0.6.0
         imagePullPolicy: Always
         name: nginx-ingress
         ports:

examples/daemon-set/nginx-plus-ingress.yaml

@@ -11,7 +11,7 @@ spec:
       # nodeSelector:
       #   role: nginx-ingress
       containers:
-      - image: nginx-plus-ingress:0.5.0
+      - image: nginx-plus-ingress:0.6.0
         imagePullPolicy: Always
         name: nginx-plus-ingress
         ports:

nginx-controller/Makefile

@@ -1,6 +1,6 @@
 all: push
 
-VERSION = 0.5.0
+VERSION = 0.6.0
 TAG = $(VERSION)
 PREFIX = nginxdemos/nginx-ingress
 

nginx-controller/controller/controller.go

@@ -19,7 +19,6 @@ package controller
 import (
 	"fmt"
 	"reflect"
-	"strconv"
 	"strings"
 	"time"
 
@@ -285,6 +284,9 @@ func (lbc *LoadBalancerController) syncEndp(key string) {
 		ings := lbc.getIngressForEndpoints(obj)
 
 		for _, ing := range ings {
+			if !isNginxIngress(&ing) {
+				continue
+			}
 			ingEx, err := lbc.createIngress(&ing)
 			if err != nil {
 				lbc.ingQueue.requeueAfter(key, err, 5*time.Second)
@@ -326,21 +328,54 @@ func (lbc *LoadBalancerController) syncCfgm(key string) {
 		if serverNamesHashMaxSize, exists := cfgm.Data["server-names-hash-max-size"]; exists {
 			cfg.MainServerNamesHashMaxSize = serverNamesHashMaxSize
 		}
-		if HTTP2Str, exists := cfgm.Data["http2"]; exists {
-			if HTTP2, err := strconv.ParseBool(HTTP2Str); err == nil {
+		if HTTP2, exists, err := nginx.GetMapKeyAsBool(cfgm.Data, "http2", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
+			} else {
 				cfg.HTTP2 = HTTP2
+			}
+		}
+
+		// HSTS block
+		if hsts, exists, err := nginx.GetMapKeyAsBool(cfgm.Data, "hsts", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
 			} else {
-				glog.Errorf("In configmap %v/%v 'http2' contains invalid declaration: %v, ignoring", cfgm.Namespace, cfgm.Name, err)
+				parsingErrors := false
+
+				hstsMaxAge, existsMA, err := nginx.GetMapKeyAsInt(cfgm.Data, "hsts-max-age", cfgm)
+				if existsMA && err != nil {
+					glog.Error(err)
+					parsingErrors = true
+				}
+				hstsIncludeSubdomains, existsIS, err := nginx.GetMapKeyAsBool(cfgm.Data, "hsts-include-subdomains", cfgm)
+				if existsIS && err != nil {
+					glog.Error(err)
+					parsingErrors = true
+				}
+
+				if parsingErrors {
+					glog.Errorf("Configmap %s/%s: There are configuration issues with hsts annotations, skipping options for all hsts settings", cfgm.GetNamespace(), cfgm.GetName())
+				} else {
+					cfg.HSTS = hsts
+					if existsMA {
+						cfg.HSTSMaxAge = hstsMaxAge
+					}
+					if existsIS {
+						cfg.HSTSIncludeSubdomains = hstsIncludeSubdomains
+					}
+				}
 			}
 		}
+
 		if logFormat, exists := cfgm.Data["log-format"]; exists {
 			cfg.MainLogFormat = logFormat
 		}
-		if proxyBufferingStr, exists := cfgm.Data["proxy-buffering"]; exists {
-			if ProxyBuffering, err := strconv.ParseBool(proxyBufferingStr); err == nil {
-				cfg.ProxyBuffering = ProxyBuffering
+		if proxyBuffering, exists, err := nginx.GetMapKeyAsBool(cfgm.Data, "proxy-buffering", cfgm); exists {
+			if err != nil {
+				glog.Error(err)
 			} else {
-				glog.Errorf("In configmap %v/%v 'proxy-buffering' contains invalid declaration: %v, ignoring", cfgm.Namespace, cfgm.Name, err)
+				cfg.ProxyBuffering = proxyBuffering
 			}
 		}
 		if proxyBuffers, exists := cfgm.Data["proxy-buffers"]; exists {
@@ -357,6 +392,9 @@ func (lbc *LoadBalancerController) syncCfgm(key string) {
 
 	ings, _ := lbc.ingLister.List()
 	for _, ing := range ings.Items {
+		if !isNginxIngress(&ing) {
+			continue
+		}
 		lbc.ingQueue.enqueue(&ing)
 	}
 }
@@ -393,6 +431,9 @@ func (lbc *LoadBalancerController) enqueueIngressForService(obj interface{}) {
 	svc := obj.(*api.Service)
 	ings := lbc.getIngressesForService(svc)
 	for _, ing := range ings {
+		if !isNginxIngress(&ing) {
+			continue
+		}
 		lbc.ingQueue.enqueue(&ing)
 	}
 }

nginx-controller/nginx/config.go

@@ -13,6 +13,9 @@ type Config struct {
 	ProxyBuffers                  string
 	ProxyBufferSize               string
 	ProxyMaxTempFileSize          string
+	HSTS                          bool
+	HSTSMaxAge                    int64
+	HSTSIncludeSubdomains         bool
 }
 
 // NewDefaultConfig creates a Config with default values
@@ -23,5 +26,6 @@ func NewDefaultConfig() *Config {
 		ClientMaxBodySize:          "1m",
 		MainServerNamesHashMaxSize: "512",
 		ProxyBuffering:             true,
+		HSTSMaxAge:                 2592000,
 	}
 }