Update nginx #4150

Merged
merged 2 commits into from
Jun 4, 2019

aledbf
Member

@aledbf aledbf commented Jun 4, 2019

What this PR does / why we need it:

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 4, 2019
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 4, 2019
@aledbf aledbf force-pushed the update-nginx branch 3 times, most recently from d0f6e46 to 86bf112 Compare June 4, 2019 15:37
@aledbf aledbf merged commit 14a394f into kubernetes:master Jun 4, 2019
@aledbf aledbf deleted the update-nginx branch June 4, 2019 16:18
morganwu277 added a commit to morganwu277/ingress-nginx that referenced this pull request Jun 20, 2019
* update GKE header to match link in contents

* extract common logic into a helper

* do not repeat cert verification against root ca

* clean up certificate processing

* adjust unit tests

* bugfix: when secret includes ca.crt store it on disk even in dynamic cert mode

* fix function comment

* Allow the use of a secret located in a different namespace

* Refactor status update

* Fix status tests

* Add Prometheus metric about leader election status

* Use full election leader ID

* Fix documentation

* Remove useless nodeip call and deprecate --force-namespace-isolation

* Improve text, error level, tests...

* Only the leader updates metrics for SSL certificate expiration

* Force travis rebuild

* Improve kubectl plugin

* Separate out annotation assignment logic

* Make sure cli-arguments doc is in alphabetical order

* Remove sort-backends flag from cli docs

* Correctly format ipv6 resolver config for lua

Fixes kubernetes#3881

* enable dynamic SSL mode by default

* Improve "Sticky sessions" documentation page

* Remove unnecessary copy of GeoIP databases

* Update nginx image

* Migrate e2e cluster to kind

* Add support for IPV6 resolvers

* Set `X-Request-ID` for the `default-backend`, too.

* Aligned to `golint`

* Add lint subcommand

* Update apiVersion to apps/v1, drop duplicate line

* Update nginx to 1.15.10

* Update nginx image

* Fix dynamic SSL certificate for aliases and redirect-from-to-www

* Update dependencies client-go to release-11.0 and kubernetes-1.14.0

* Update go dependencies

* fix typo: delete '`'

fix typo: delete '`'

* Adds a log warning when falling back to default fake cert

* Simplify x-forwarded-prefix annotation

* Fix e2e-tests

* Add plugin lint for this change

* replace some of the Nginx configuration to Lua code

* properly parse x-forwarded-host

* Fix load-balance configmap value

* Plugin select deployment using replicaset name

* Fix segfault on reference to nonexistent configmap

* Refactor equals

* lua plugin system

* Proper use of quotes for running the command

$1 on a shell has a special meaning and inside of double quotes (") it will be expanded to an empty string. Using single quotes fixes the issue.

* Update nginx image (kubernetes#3968)

* Update nginx image to 0.84 (kubernetes#3969)

* Release 0.24.0

* Update yaml files to 0.24.0 [skip-ci] (kubernetes#3975)

* Fix CA certificate example docs

* Refactor isIterable

* Add missing PR in changelog [skip ci] (kubernetes#3981)

* Add kubectl plugin docs

* Link to kubectl plugin docs in nav

* fix custom default backend test title

* regression test for dynamic cert related default-certificate issue

* fix dynamic cert bug

* Update README.md

* Remove valgrind

* better logging in certificate.lua

* properly handle default and custom default certs in dynamic ssl mode

* handle default certificate correctly in Lua

* better certificate lua unit tests

* adjust default ssl cert e2e test

* fix luacheck warning

* do not create empty access_by_lua_block

* make sure unit test create fakecertificate

* Release 0.24.1

* refactor GetFakeSSLCert

* Switch to go modules

* Support proxy_next_upstream_timeout

* Add homepage and .exe to plugin

* Update nginx to 1.15.12

* Update nginx image and Go to 1.12.4 (kubernetes#4010)

* add e2e coverage for multi auth

* Implement a validation webhook

In case some ingress has a syntax error in the snippet configuration,
the freshly generated configuration will not be reloaded, to prevent tearing down existing rules.
However, once inserted, this configuration prevents any other valid configuration from being inserted, as it remains in the ingresses of the cluster.
To solve this problem, implement an optional validation webhook that simulates the addition of the ingress to be added together with the rest of the ingresses.
In case the generated configuration is not validated by nginx, deny the insertion of the ingress.

In case certificates are mounted using kubernetes secrets, when those
change, keys are automatically updated in the container volume, and the
controller reloads them using the filewatcher.

Related changes:

- Update vendors
- Extract useful functions to check configuration with an additional ingress
- Update documentation for validating webhook
- Add validating webhook examples
- Add a metric for each syntax check success and errors
- Add more certificate generation examples

* 🔧 fix navigation error in file baremetal.md

Signed-off-by: William Zhang <[email protected]>

* Docs have incorrect command in baremetal.md

The output shown is for `kubectl get node` and not `kubectl describe node`.

I've updated the docs to use the correct command.

* [doc] fixing regex in example of rewrite

avoids /somethingfoo to be matched by regex

Signed-off-by: Marcos Estevez <[email protected]>

* Fix default Content-Type for custom-error-pages example

This should fix issue [4039](kubernetes#4039). This default backend fails to send the correct `Content-Type` header when it fails to decode the `Accept` request header.

This patch simply forces `text/html` in that specific scenario.

* Release custom error pages image v0.4 [skip-ci] (kubernetes#4042)

* Added Global External Authentication settings to configmap parameters incl. addons

* Fixed typos

* Update go to 1.12.5, kubectl to 1.14.1 and kind to 0.2.1 (kubernetes#4064)

* Trim spaces from annotations that can contain multiple lines

* fix e2e-test make target

- explicitly wait for api token
- only use posix shell conditionals

* fix typo: deployement->deployment

* Don't try to create e2e runner rbac resources twice

* load modsecurity.conf on ModSecurity.Enable

* Explain references in custom-headers documentation

Augment description of custom-headers behavior. Explain the purpose of the two configmaps, making explicit that one cites the other by `namespace/name`. Link the two example yaml files, so they're more easily navigated to from a browser looking at https://kubernetes.github.io/ingress-nginx/examples/customization/custom-headers/

Campfire: grammar, standard installation is in the `ingress-nginx` namespace.

* Add image for prow jobs

* Run tests with only one worker

* Add option to run scripts in debug mode

* Refactor scripts to run e2e tests

* Update generated code

* Add dependencies for code generator

* Docs: configmap: use-gzip

Move the "gzip-types" value default from the "use-gzip" to the "gzip-types"
heading, and link to it from use-gzip.

Document that the "use-gzip" default is "true", matching the style of other
configmap items.

* Cleanup

* Add binaries required by kubernetes-sigs/testing_frameworks

* Allow to use a custom k8s version in e2e tests

* Update configmap about adding custom locations

* Remove stop controller endpoint

* Docs - Update capture group `placeholder`

The current ingress example uses the `$2` capture group placeholder, however the description refers to the `$1` placeholder (this was previously correct, but was not updated when the ingress example changed from $1 to $2).

* reduce memory footprint and cpu usage when modsecurity and owasp rules are enabled globally

* Rearrange deployment files into kustomizations

* UPT: Add variable to define custom sampler host and port, add commituser

* UPT: Modify configmap to include jaeger sampler host and jaeger sampler port

* UPT: Opentracing configmap documentation

* Clear up some inconsistent / unclear wording

IPv6 enabled/disabled working was confusing or contradicting itself. This updates the wording to what is expected, based on the default values in the table above, and the behaviour that I could find in code.

* Refactor ListIngresses to add filters

* Use a real apiserver to test the store

* Update go dependencies

* Add retry to LookupHost used to check the content of ExternalName

* Update e2e images (kubernetes#4110)

* Force GOOS to linux

* log info when endpoints change for a balancer

* updated nginx and some other modules

* Update nginx image to 0.86

* use nkeys for counting lua table elements

* Refactor whitelist from map to standard allow directives

* Added support for annotation `session-cookie-change-on-failure`

1. Session cookie is updated on previous attempt failure when `session-cookie-change-on-failure = true` (default value is `false`).
2. Added tests to check both cases.
3. Updated docs.

Co-Authored-By: Vladimir Grishin <[email protected]>

* Refactor e2e test

* feature(collectors): Added services to collectorLabels and requests Countervec to capture the name of the kubernetes service used to serve the client request.

* Update README.md for external-auth Test 4

Title for Test 4 should be `secure service with valid auth header`. The current one is the same as Test 3.

* Use apps/v1 api group in e2e tests

* Run PodSecurityPolicy E2E test in parallel

Previously, this test modified a ClusterRole used by _every_ test.  It had to be run serially, with a special teardown function that restored the state of the ClusterRole for any other serial tests.

Now every test gets its own cluster role, which means this test can be safely run in parallel with all the others, without any special teardown.

* update modsecurity to latest, libmodsecurity to v3.0.3 and owasp-scrs to v3.1.0 (kubernetes#4140)

* Update nginx (kubernetes#4150)

* Update nginx image
* Fix IPV6 test issues in Prow

* Add clarification on how to enable path matching

The fact that you need to explicitly add the annotation is easy to miss.
This makes this more explicit, while leaving the finer details to the
linked annotations document.

* Partially revert usage of kustomize for installation (kubernetes#4159)

* SSL expiration metrics cannot be tied to dynamic updates

* fix source file mods

* Session Affinity ChangeOnFailure should be boolean

* Add "text/javascript" to compressible MIME types

Based on the HTML Standard, https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages, servers _should_ use `text/javascript`.

* simplify sticky balancer

* bugfix: check all previously failing upstreams, not just the last one

* Add unit test case for balancer.route_to_alternative_balancer()

* Add unit test case for canary by weight

* Add unit test case for canary by cookie

* Add unit test case for canary by header

* Only load modsecurity_module when ModSec is active

* increase lua_shared_dict config data

* Fix: fillout missing health check timeout on health check.

* Migrate to new networking.k8s.io/v1beta1 package

* Update go dependencies

* Add e2e test for service type=ExternalName