ingress-nginx icon indicating copy to clipboard operation
ingress-nginx copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

allow proxy-ssl-* annotations without proxy-ssl-secret

Open rittneje opened this issue 4 years ago • 18 comments

Allow the various proxy-ssl-* directives to be set independently.

What this PR does / why we need it:

Currently they are only applied if proxy-ssl-secret is set. However, not all proxy backends require mTLS, so making such a secret in this cases does not make any sense.

Types of changes

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)

Which issue/s this PR fixes

fixes #6728

How Has This Been Tested?

Checklist:

  • [x] My change requires a change to the documentation.
  • [ ] I have updated the documentation accordingly.
  • [x] I've read the CONTRIBUTION guide
  • [x] I have added tests to cover my changes.
  • [ ] All new and existing tests passed.

rittneje avatar Apr 28 '21 01:04 rittneje

Welcome @rittneje!

It looks like this is your first PR to kubernetes/ingress-nginx 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/ingress-nginx has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. :smiley:

k8s-ci-robot avatar Apr 28 '21 01:04 k8s-ci-robot

Hi @rittneje. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Apr 28 '21 01:04 k8s-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rittneje To complete the pull request process, please assign elvinefendi after the PR has been reviewed. You can assign the PR to them by writing /assign @elvinefendi in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Apr 28 '21 01:04 k8s-ci-robot

Hi,

Is this intended to be a draft?

rikatz avatar Jun 21 '21 12:06 rikatz

@rikatz To be honest, I don't remember why I did that. Let me open it up for review.

rittneje avatar Jun 21 '21 15:06 rittneje

/ok-to-test

rikatz avatar Jun 21 '21 16:06 rikatz

@rikatz Is there something I need to do at this point?

rittneje avatar Jun 30 '21 00:06 rittneje

@rittneje nothing to do at this point, I still need to review this. It's on my queue, I've been focused on fixing some bug fixes to make the v1 release together with k8s v1.22, and will come back to PR queue as soon as that one is released

rikatz avatar Jul 28 '21 03:07 rikatz

Also, so far I've already missed some e2e tests in https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e/annotations/proxyssl.go as well :)

rikatz avatar Jul 28 '21 03:07 rikatz

@rittneje Reminder for adding some e2e tests

iamNoah1 avatar Aug 03 '21 15:08 iamNoah1

@rikatz @iamNoah1 Can you clarify what exactly those tests are doing? It seems like they just validate the nginx config file, is that correct?

I'm assuming you are looking for the following test cases:

  1. proxy-ssl-verify=off
  2. proxy-ssl-verify=on, proxy-ssl-secret set
  3. proxy-ssl-verify=on, proxy-ssl-verify-depth set
  4. proxy-ssl-ciphers set
  5. protoxy-ssl-protocols set

rittneje avatar Aug 03 '21 15:08 rittneje

So what we expect with tests are:

  1. That no new configuration in template breaks the proxy (aka panics Nginx or places any wrong configuration in nginx.conf)
  2. That the desired configuration actually works

For the first step, we need to verify that ingress nginx is up, running and the configuration exists in the correct location. You can see some example in:

https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e/annotations/affinity.go#L51-L54

For the second one, we need to CALL nginx and receive the right answer:

https://github.com/kubernetes/ingress-nginx/blob/main/test/e2e/annotations/affinity.go#L56-L60

Both are examples, but we need those tests for all the scenarios :)

rikatz avatar Aug 03 '21 16:08 rikatz

@rittneje friendly ping

rikatz avatar Oct 24 '21 22:10 rikatz

@rittneje: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 10 '22 10:01 k8s-ci-robot

This is an important fix, because the workaround of specifying proxy-ssl-secret isn't easy to use with large CA bundles that don't fit into a k8s secret, such as a system CA bundle (~200KB).

EronWright avatar Apr 05 '22 21:04 EronWright

Friendly ping @rittneje. Also @EronWright we are super happy for any contribution, in case you want to follow up on the rittnejes work :)

iamNoah1 avatar Jun 14 '22 15:06 iamNoah1

Someone else will have to complete this.

rittneje avatar Jun 14 '22 23:06 rittneje

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Sep 13 '22 00:09 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Oct 13 '22 00:10 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Reopen this PR with /reopen
  • Mark this PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-triage-robot avatar Nov 12 '22 01:11 k8s-triage-robot

@k8s-triage-robot: Closed this PR.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Reopen this PR with /reopen
  • Mark this PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Nov 12 '22 01:11 k8s-ci-robot