E586 Egress via Ingress VirtualServer Resource (#3491) (#3847) · nginx/kubernetes-ingress@5dcba0f · GitHub


Commit 5dcba0f

Egress via Ingress VirtualServer Resource (#3491) (#3847)
* Add ability for nginx service mesh to egress through a virtualserver resource - added internalRoute field to the virtualserver CRD - added templates for internal routes in virtualserver templates for n+ and oss - added unit test to validate virtualserver internal routes - added enableInternalRoutes boolean to virtualServerConfigurator type - updated virtualserver configuration items to include internRoute docs * Add a description for the InternalRoute field in the VS CRD * Add test case for nsmEgress being true in TestIsTLSEnabled * Update the isTLSEnabled function for clarity * Reverse function params for isTLSEnabled * Add virtual server internal route validation and warning - Add warning to catch cases where a virtual server internal route should not be created - Switch variable names to match ingress naming scheme * Add refactored VS templates to avoid duplicate listen blocks * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Add conditional to prevent SpiffeClientCerts being set for internal routes * Fix unit tests --------- Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: Tomás Ó hAodha <86358393+tomasohaodha@users.noreply.github.com> Co-authored-by: Venktesh Shivam Patel <ve.patel@f5.com> (cherry picked from commit 36ac2ef) Co-authored-by: Chase Kiefer <112438922+chase-kiefer@users.noreply.github.com>
1 parent 6b9da03 commit 5dcba0f


9 files changed

+303
-19
lines changed


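--- a/deployments/common/crds/k8s.nginx.org_virtualservers.yaml
+++ b/deployments/common/crds/k8s.nginx.org_virtualservers.yaml
@@ -93,6 +93,9 @@ spec:
 type: string
 ingressClassName:
 type: string
+internalRoute:
+description: InternalRoute allows for the configuration of internal routing.
+type: boolean
 policies:
 type: array
 items: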
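Review bot: The `description` for the new `internalRoute` property says only that it "allows for the configuration of internal routing", which tells an operator nothing about the security effect of the flag or that the controller ignores it unless it was started with the `enable-internal-routes` flag (the configurator emits a warning in that case). Since `kubectl explain` is often the only documentation a cluster user reads, suggest `description: InternalRoute marks the VirtualServer as an NGINX Service Mesh internal route that is served with the SPIFFE certificate instead of the VirtualServer's own TLS secret. Only honoured when the controller runs with the enable-internal-routes flag.` The same wording should be mirrored in the Helm chart copy of this CRD so the two schemas do not drift.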

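--- a/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml
+++ b/deployments/helm-chart/crds/k8s.nginx.org_virtualservers.yaml
@@ -93,6 +93,9 @@ spec:
 type: string
 ingressClassName:
 type: string
+internalRoute:
+description: InternalRoute allows for the configuration of internal routing.
+type: boolean
 policies:
 type: array
 items: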
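Review bot: The `description` for `internalRoute` in the Helm chart CRD is as vague as in the common CRD and does not mention that the field is only honoured when the controller runs with the `enable-internal-routes` flag, nor that it changes which certificate the server presents. Suggest `description: InternalRoute marks the VirtualServer as an NGINX Service Mesh internal route that is served with the SPIFFE certificate instead of the VirtualServer's own TLS secret. Only honoured when the controller runs with the enable-internal-routes flag.` Whatever text is chosen must be kept identical between deployments/common and deployments/helm-chart, since both are copies of the same schema.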

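--- a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md
+++ b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md
@@ -59,6 +59,7 @@ spec:
 |``upstreams`` | A list of upstreams. | [[]upstream](#upstream) | No |
 |``routes`` | A list of routes. | [[]route](#virtualserverroute) | No |
 |``ingressClassName`` | Specifies which Ingress Controller must handle the VirtualServer resource. | ``string`` | No |
+|``internalRoute`` | Specifies if the VirtualServer resource is an internal route or not. | ``boolean`` | No |
 |``http-snippets`` | Sets a custom snippet in the http context. | ``string`` | No |
 |``server-snippets`` | Sets a custom snippet in server context. Overrides the ``server-snippets`` ConfigMap key. | ``string`` | No |
 {{% /table %}}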

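--- a/internal/configs/version2/http.go
+++ b/internal/configs/version2/http.go
@@ -12,14 +12,15 @@ type UpstreamLabels struct {
 
 // VirtualServerConfig holds NGINX configuration for a VirtualServer.
 type VirtualServerConfig struct {
-HTTPSnippets []string
-LimitReqZones []LimitReqZone
-Maps []Map
-Server Server
-SpiffeCerts bool
-SplitClients []SplitClient
-StatusMatches []StatusMatch
-Upstreams []Upstream
+HTTPSnippets []string
+LimitReqZones []LimitReqZone
+Maps []Map
+Server Server
+SpiffeCerts bool
+SpiffeClientCerts bool
+SplitClients []SplitClient
+StatusMatches []StatusMatch
+Upstreams []Upstream
 }
 
 // Upstream defines an upstream.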
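Review bot: `SpiffeCerts` and the new `SpiffeClientCerts` field carry no doc comments, and this commit changes what `SpiffeCerts` means: the configurator now sets it from the internal-route decision while the location-level `proxy_ssl_*`/`grpc_ssl_*` directives moved to `SpiffeClientCerts`, so a reader of this struct cannot tell the two apart. Suggest `// SpiffeCerts makes the server block present the SPIFFE certificate (used for internal routes).` and `// SpiffeClientCerts emits the SPIFFE client-certificate directives in locations (service mesh enabled and not an internal route).` The struct is fully within the hunk.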

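--- a/internal/configs/version2/nginx-plus.virtualserver.tmpl
+++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl
@@ -107,11 +107,21 @@ server {
 
 {{ if $ssl.RejectHandshake }}
 ssl_reject_handshake on;
+{{ else if $.SpiffeCerts }}
+ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
 {{ else }}
 ssl_certificate {{ $ssl.Certificate }};
 ssl_certificate_key {{ $ssl.CertificateKey }};
 {{ end }}
-{{ end }}
+{{ else }}
+{{ if $.SpiffeCerts }}
+listen 443 ssl;
+{{if not $s.DisableIPV6}}listen [::]:443 ssl;{{end}}
+ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+{{ end }}
+{{ end }}
 
 {{ with $s.IngressMTLS }}
 ssl_client_certificate {{ .ClientCert }};
@@ -584,7 +594,7 @@ server {
 {{ range $h := $l.AddHeaders }}
 add_header {{ $h.Name }} "{{ $h.Value }}" {{ if $h.Always }}always{{ end }};
 {{ end }}
-{{ if $.SpiffeCerts }}
+{{ if $.SpiffeClientCerts }}
 {{ $proxyOrGRPC }}_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
 {{ $proxyOrGRPC }}_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
 {{ $proxyOrGRPC }}_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;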
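Review bot: The new `{{ else }}` branch makes the server listen on 443 with the SPIFFE certificate, but nothing in the hunk verifies the client: `ssl_client_certificate` only appears in the following `{{ with $s.IngressMTLS }}` block, which is tied to an IngressMTLS policy rather than to the internal-route case. Unless verification is applied elsewhere in the template, an internal route accepts any TLS client, so the SPIFFE identity proves the controller to the caller but not the caller to the controller, and the egress path is usable by anything that can reach port 443 on the controller. If mesh-only access is intended, the branch should also pin the mesh CA, e.g. `ssl_client_certificate /etc/nginx/secrets/spiffe_rootca.pem;` and `ssl_verify_client on;` (the same rootca path is already used for the client side at the bottom of this file), or the feature docs should state explicitly that callers are authenticated elsewhere. The enclosing `server` block starts before and ends after these hunks.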

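--- a/internal/configs/version2/nginx.virtualserver.tmpl
+++ b/internal/configs/version2/nginx.virtualserver.tmpl
@@ -62,10 +62,20 @@ server {
 
 {{ if $ssl.RejectHandshake }}
 ssl_reject_handshake on;
+{{ else if $.SpiffeCerts }}
+ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
 {{ else }}
 ssl_certificate {{ $ssl.Certificate }};
 ssl_certificate_key {{ $ssl.CertificateKey }};
 {{ end }}
+{{ else }}
+{{ if $.SpiffeCerts }}
+listen 443 ssl;
+{{if not $s.DisableIPV6}}listen [::]:443 ssl;{{end}}
+ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
+ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+{{ end }}
 {{ end }}
 
 {{ with $s.IngressMTLS }}
@@ -313,7 +323,6 @@ server {
 {{ if $l.ProxyBufferSize }}
 {{ $proxyOrGRPC }}_buffer_size {{ $l.ProxyBufferSize }};
 {{ end }}
-
 {{ if not $l.GRPCPass }}
 proxy_http_version 1.1;
 set $default_connection_header {{ if $l.HasKeepalive }}""{{ else }}close{{ end }};
@@ -360,7 +369,7 @@ server {
 {{ range $h := $l.AddHeaders }}
 add_header {{ $h.Name }} "{{ $h.Value }}" {{ if $h.Always }}always{{ end }};
 {{ end }}
-{{ if $.SpiffeCerts }}
+{{ if $.SpiffeClientCerts }}
 {{ $proxyOrGRPC }}_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
 {{ $proxyOrGRPC }}_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
 {{ $proxyOrGRPC }}_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;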
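Review bot: In the `$ssl` path, the added `{{ else if $.SpiffeCerts }}` branch takes precedence over the VirtualServer's own `$ssl.Certificate`/`$ssl.CertificateKey`, so a resource that sets both `internalRoute: true` and a `tls.secret` silently serves the SPIFFE certificate instead of the one the author configured, and nothing in the configurator hunks warns about that combination. If the override is intended, the ordering deserves a comment in the template, e.g. `{{/* internal routes always present the SPIFFE identity; a tls.secret on the VirtualServer is ignored */}}`, and the configurator should add a warning when `InternalRoute` is set together with a TLS secret. As in the Plus template, the new `listen 443 ssl` branch presents a server certificate without any `ssl_verify_client`, so it appears to accept unauthenticated TLS clients unless that is configured outside the hunk. The enclosing `server` block starts before and ends after these hunks.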

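--- a/internal/configs/virtualserver.go
+++ b/internal/configs/virtualserver.go
@@ -232,6 +232,7 @@ type virtualServerConfigurator struct {
 enableSnippets bool
 warnings Warnings
 spiffeCerts bool
+enableInternalRoutes bool
 oidcPolCfg *oidcPolicyCfg
 isIPV6Disabled bool
 }
@@ -272,6 +273,7 @@ func newVirtualServerConfigurator(
 enableSnippets: staticParams.EnableSnippets,
 warnings: make(map[runtime.Object][]string),
 spiffeCerts: staticParams.NginxServiceMesh,
+enableInternalRoutes: staticParams.EnableInternalRoutes,
 oidcPolCfg: &oidcPolicyCfg{},
 isIPV6Disabled: staticParams.DisableIPV6,
 }
@@ -327,6 +329,13 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
 
 dosCfg := generateDosCfg(dosResources[""])
 
+// enabledInternalRoutes controls if a virtual server is configured as an internal route.
+enabledInternalRoutes := vsEx.VirtualServer.Spec.InternalRoute
+if vsEx.VirtualServer.Spec.InternalRoute && !vsc.enableInternalRoutes {
+vsc.addWarningf(vsEx.VirtualServer, "Internal Route cannot be configured for virtual server %s. Internal Routes can be enabled by setting the enable-internal-routes flag", vsEx.VirtualServer.Name)
+enabledInternalRoutes = false
+}
+
 // crUpstreams maps an UpstreamName to its conf_v1.Upstream as they are generated
 // necessary for generateLocation to know what Upstream each Location references
 crUpstreams := make(map[string]conf_v1.Upstream)
@@ -355,7 +364,7 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
 ups := vsc.generateUpstream(vsEx.VirtualServer, upstreamName, u, isExternalNameSvc, endpoints)
 upstreams = append(upstreams, ups)
 
-u.TLS.Enable = isTLSEnabled(u, vsc.spiffeCerts)
+u.TLS.Enable = isTLSEnabled(u, vsc.spiffeCerts, vsEx.VirtualServer.Spec.InternalRoute)
 crUpstreams[upstreamName] = u
 
 if hc := generateHealthCheck(u, upstreamName, vsc.cfgParams); hc != nil {
@@ -384,7 +393,7 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
 _, isExternalNameSvc := vsEx.ExternalNameSvcs[GenerateExternalNameSvcKey(upstreamNamespace, u.Service)]
 ups := vsc.generateUpstream(vsr, upstreamName, u, isExternalNameSvc, endpoints)
 upstreams = append(upstreams, ups)
-u.TLS.Enable = isTLSEnabled(u, vsc.spiffeCerts)
+u.TLS.Enable = isTLSEnabled(u, vsc.spiffeCerts, vsEx.VirtualServer.Spec.InternalRoute)
 crUpstreams[upstreamName] = u
 
 if hc := generateHealthCheck(u, upstreamName, vsc.cfgParams); hc != nil {
@@ -676,7 +685,8 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig(
 VSName: vsEx.VirtualServer.Name,
 DisableIPV6: vsc.isIPV6Disabled,
 },
-SpiffeCerts: vsc.spiffeCerts,
+SpiffeCerts: enabledInternalRoutes,
+SpiffeClientCerts: vsc.spiffeCerts && !enabledInternalRoutes,
 }
 
 return vsCfg, vsc.warnings
@@ -2474,8 +2484,16 @@ func generateProxySSLName(svcName, ns string) string {
 return fmt.Sprintf("%s.%s.svc", svcName, ns)
 }
 
-func isTLSEnabled(u conf_v1.Upstream, spiffeCerts bool) bool {
-return u.TLS.Enable || spiffeCerts
+// isTLSEnabled checks whether TLS is enabled for the given upstream, taking into account the configuration
+// of the NGINX Service Mesh and the presence of SPIFFE certificates.
+func isTLSEnabled(upstream conf_v1.Upstream, hasSpiffeCerts, isInternalRoute bool) bool {
+if isInternalRoute {
+// Internal routes in the NGINX Service Mesh do not require TLS.
+return false
+}
+
+// TLS is enabled if explicitly configured for the upstream or if SPIFFE certificates are present.
+return upstream.TLS.Enable || hasSpiffeCerts
 }
 
 func isGRPC(protocolType string) bool {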
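Review bot: The two `u.TLS.Enable = isTLSEnabled(u, vsc.spiffeCerts, vsEx.VirtualServer.Spec.InternalRoute)` calls use the raw spec field rather than the `enabledInternalRoutes` value that the new block earlier in the function forces to false when `enable-internal-routes` is off, so a VirtualServer with `internalRoute: true` on a controller without the flag is warned and denied the SPIFFE listener yet still has TLS to every upstream switched off. In a service-mesh deployment that leaves `SpiffeClientCerts` true (the location still emits `proxy_ssl_*` directives) while the upstream is marked non-TLS, which is at least an inconsistent config and looks like exactly the plaintext downgrade the flag was meant to gate. Both calls should pass the gated value: `u.TLS.Enable = isTLSEnabled(u, vsc.spiffeCerts, enabledInternalRoutes)`. Separately, the new `isTLSEnabled` returns false for internal routes even when the upstream explicitly sets `tls.enable: true`; if that override is intended it deserves a warning rather than silence, otherwise `return upstream.TLS.Enable` in that branch keeps the user's setting while still skipping the mesh-implied TLS. GenerateVirtualServerConfig starts and ends outside these hunks.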
