Lazy loading OSS (#4788) · nginx/kubernetes-ingress@6fee254
Commit 6fee254

authored
Lazy loading OSS (#4788)
remove plus requirement for lazy loading
1 parent c3e9ae0 commit 6fee254

11 files changed

+45
-41
lines changed

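--- a/charts/nginx-ingress/README.md
+++ b/charts/nginx-ingress/README.md
@@ -458,7 +458,7 @@
 |`controller.defaultHTTPListenerPort` | Sets the port for the HTTP `default_server` listener. | 80 |
 |`controller.defaultHTTPSListenerPort` | Sets the port for the HTTPS `default_server` listener. | 443 |
 |`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false |
-|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates for NGINX Plus. | true |
+|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates. | true |
 |`rbac.create` | Configures RBAC. | true |
 |`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
 |`prometheus.port` | Configures the port to scrape the metrics. | 9113 |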

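--- a/cmd/nginx-ingress/flags.go
+++ b/cmd/nginx-ingress/flags.go
@@ -199,7 +199,7 @@ var (
 
 defaultHTTPSListenerPort = flag.Int("default-https-listener-port", 443, "Sets a custom port for the HTTPS `default_server`. [1024 - 65535]")
 
-enableDynamicSSLReload = flag.Bool(dynamicSSLReloadParam, true, "Enable reloading of SSL Certificates without restarting the NGINX process. Requires -nginx-plus")
+enableDynamicSSLReload = flag.Bool(dynamicSSLReloadParam, true, "Enable reloading of SSL Certificates without restarting the NGINX process.")
 
 startupCheckFn func() error
 )
@@ -275,11 +275,6 @@ func parseFlags() {
 if *ingressLink != "" && *externalService != "" {
 glog.Fatal("ingresslink and external-service cannot both be set")
 }
-
-if *enableDynamicSSLReload && !*nginxPlus {
-glog.V(3).Infof("%s flag requires -nginx-plus and will not be enabled", dynamicSSLReloadParam)
-*enableDynamicSSLReload = false
-}
 }
 
 func initialChecks() {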
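Review bot: Dropping the `-nginx-plus` guard in parseFlags() makes variable-based `ssl_certificate` paths the default for OSS as well, but nothing replaces it with a check that the bundled nginx supports variables in those directives (per the nginx module docs, `ssl_certificate` since 1.15.9, `proxy_ssl_certificate`/`grpc_ssl_certificate` since 1.21.0), so on an older binary the rendered config fails at `nginx -t` rather than with a clear message. The help string on the changed line is also silent about the operational consequence: with a variable in the file name nginx re-reads and parses the certificate and key on every TLS handshake and can no longer validate those files at config load, so a missing or worker-unreadable secret shows up as handshake failures instead of a rejected config. I would at least say so in the flag help, e.g. `"Enable reloading of SSL Certificates without restarting the NGINX process. Certificates are read on every TLS handshake and are not validated at config load; requires NGINX 1.21.0+ for OSS."`. The rest of parseFlags() lies outside the hunk.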

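--- a/docs/content/configuration/global-configuration/command-line-arguments.md
+++ b/docs/content/configuration/global-configuration/command-line-arguments.md
@@ -530,8 +530,8 @@ Default `443`.
 
 ### -ssl-dynamic-reload
 
-Used to activate or deactivate lazy loading for SSL Certificates for NGINX Plus.
+Used to activate or deactivate lazy loading for SSL Certificates.
 
-The default value is `true` when using NGINX Plus.
+The default value is `true`.
 
 <a name="cmdoption-ssl-dynamic-reload"></a>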

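--- a/docs/content/installation/installing-nic/installation-with-helm.md
+++ b/docs/content/installation/installing-nic/installation-with-helm.md
@@ -418,6 +418,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.strategy** | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} |
 | **controller.disableIPV6** | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
 | **controller.readOnlyRootFilesystem** | Configure root filesystem as read-only and add volumes for temporary data. | false |
+| **controller.enableSSLDynamicReload** | Enable lazy loading for SSL Certificates. | true |
 | **rbac.create** | Configures RBAC. | true |
 | **prometheus.create** | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
 | **prometheus.port** | Configures the port to scrape the metrics. | 9113 |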

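--- a/internal/configs/version1/nginx.ingress.tmpl
+++ b/internal/configs/version1/nginx.ingress.tmpl
@@ -15,8 +15,8 @@ server {
 {{- if $server.SpiffeCerts}}
 listen 443 ssl;
 {{- if not $server.DisableIPV6}}listen [::]:443 ssl;{{end}}
-ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
-ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+ssl_certificate {{ makeSecretPath "/etc/nginx/secrets/spiffe_cert.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+ssl_certificate_key {{ makeSecretPath "/etc/nginx/secrets/spiffe_key.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 {{- else}}
 {{- if not $server.GRPCOnly}}
 {{- range $port := $server.Ports}}
@@ -42,8 +42,8 @@ server {
 {{- if $server.SSLRejectHandshake}}
 ssl_reject_handshake on;
 {{- else}}
-ssl_certificate {{$server.SSLCertificate}};
-ssl_certificate_key {{$server.SSLCertificateKey}};
+ssl_certificate {{ makeSecretPath $server.SSLCertificate $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+ssl_certificate_key {{ makeSecretPath $server.SSLCertificateKey $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 {{- end}}
 {{- end}}
 {{- end}}
@@ -155,8 +155,8 @@ server {
 grpc_buffer_size {{$location.ProxyBufferSize}};
 {{- end}}
 {{- if $.SpiffeClientCerts}}
-grpc_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
-grpc_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+grpc_ssl_certificate {{ makeSecretPath "/etc/nginx/secrets/spiffe_cert.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+grpc_ssl_certificate_key {{ makeSecretPath "/etc/nginx/secrets/spiffe_key.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 grpc_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
 grpc_ssl_server_name on;
 grpc_ssl_verify on;
@@ -209,8 +209,8 @@ server {
 proxy_max_temp_file_size {{$location.ProxyMaxTempFileSize}};
 {{- end}}
 {{- if $.SpiffeClientCerts}}
-proxy_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
-proxy_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+proxy_ssl_certificate {{ makeSecretPath "/etc/nginx/secrets/spiffe_cert.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+proxy_ssl_certificate_key {{ makeSecretPath "/etc/nginx/secrets/spiffe_key.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
 proxy_ssl_server_name on;
 proxy_ssl_verify on;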
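Review bot: In the two SPIFFE client-cert hunks the leaf cert and key now go through makeSecretPath, but `grpc_ssl_trusted_certificate` and `proxy_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem` stay literal, so the bundle used to verify upstreams is still loaded once at config time (those directives do not accept variables, as far as I know) while the cert and key are read per handshake. That asymmetry is correct for nginx but deserves a comment, because if the controller's reload-skipping logic treats every SPIFFE file alike, a rotated root CA keeps being verified against the stale bundle until the next reload; I cannot see that logic from here. Suggested comment beside each trusted_certificate line: `# not variable-capable: a rotated SPIFFE root CA still requires an nginx reload`.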

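--- a/internal/configs/version1/nginx.tmpl
+++ b/internal/configs/version1/nginx.tmpl
@@ -49,6 +49,11 @@ http {
 '' $sent_http_grpc_status;
 }
 
+{{- if .DynamicSSLReloadEnabled }}
+map $nginx_version $secret_dir_path {
+default "{{ .StaticSSLPath }}";
+}
+{{- end }}
 {{- if .AccessLogOff}}
 access_log off;
 {{- else}}
@@ -125,8 +130,8 @@ http {
 {{- if .SSLRejectHandshake}}
 ssl_reject_handshake on;
 {{- else}}
-ssl_certificate /etc/nginx/secrets/default;
-ssl_certificate_key /etc/nginx/secrets/default;
+ssl_certificate {{ makeSecretPath "/etc/nginx/secrets/default" .StaticSSLPath "$secret_dir_path" .DynamicSSLReloadEnabled }};
+ssl_certificate_key {{ makeSecretPath "/etc/nginx/secrets/default" .StaticSSLPath "$secret_dir_path" .DynamicSSLReloadEnabled }};
 {{- end}}
 
 {{- range $setRealIPFrom := .SetRealIPFrom}}
@@ -219,8 +224,8 @@ http {
 listen 443 ssl;
 {{if not .DisableIPV6}}listen [::]:443 ssl;{{end}}
 server_name {{.InternalRouteServerName}};
-ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
-ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+ssl_certificate {{ makeSecretPath "/etc/nginx/secrets/spiffe_cert.pem" .StaticSSLPath "$secret_dir_path" .DynamicSSLReloadEnabled }};
+ssl_certificate_key {{ makeSecretPath "/etc/nginx/secrets/spiffe_key.pem" .StaticSSLPath "$secret_dir_path" .DynamicSSLReloadEnabled }};
 ssl_client_certificate /etc/nginx/secrets/spiffe_rootca.pem;
 ssl_verify_client on;
 ssl_verify_depth 25;
@@ -248,6 +253,12 @@ stream {
 map_hash_max_size {{.MapHashMaxSize}};
 {{if .MapHashBucketSize}}map_hash_bucket_size {{.MapHashBucketSize}};{{end}}
 
+{{- if .DynamicSSLReloadEnabled }}
+map $nginx_version $secret_dir_path {
+default "{{ .StaticSSLPath }}";
+}
+{{- end }}
+
 {{- if .TLSPassthrough}}
 map $ssl_preread_server_name $dest_internal_passthrough {
 default unix:/var/lib/nginx/passthrough-https.sock;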
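Review bot: The `map $nginx_version $secret_dir_path` blocks added to the http and stream contexts carry no comment on why a constant is routed through a map, and the trick is not obvious: as far as I can tell its only purpose is to turn `$secret_dir_path` into a variable so that nginx resolves `ssl_certificate` at handshake time and picks up a rotated secret without a reload. Without that note the next maintainer is likely to "simplify" it back to a literal and silently reintroduce the reload dependency. I would add above each block: `# Deliberately a variable: a variable in ssl_certificate makes nginx re-read the file on every handshake, so rotated secrets take effect without a reload (at a per-handshake I/O cost).`. Note also that the default server's `/etc/nginx/secrets/default` now goes through the same variable path, so an absent or unreadable default secret is presumably no longer caught by config validation and would surface only as failed handshakes.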

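--- a/internal/configs/version2/nginx.transportserver.tmpl
+++ b/internal/configs/version2/nginx.transportserver.tmpl
@@ -29,8 +29,8 @@ server {
 {{- end }}
 
 {{- if $ssl.Enabled }}
-ssl_certificate {{ $ssl.Certificate }};
-ssl_certificate_key {{ $ssl.CertificateKey }};
+ssl_certificate {{ makeSecretPath $ssl.Certificate $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+ssl_certificate_key {{ makeSecretPath $ssl.CertificateKey $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 {{- end }}
 {{- end }}
 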

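--- a/internal/configs/version2/nginx.virtualserver.tmpl
+++ b/internal/configs/version2/nginx.virtualserver.tmpl
@@ -65,18 +65,18 @@ server {
 {{- if $ssl.RejectHandshake }}
 ssl_reject_handshake on;
 {{- else if $.SpiffeCerts }}
-ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
-ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+ssl_certificate {{ makeSecretPath "/etc/nginx/secrets/spiffe_cert.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+ssl_certificate_key {{ makeSecretPath "/etc/nginx/secrets/spiffe_key.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 {{- else }}
-ssl_certificate {{ $ssl.Certificate }};
-ssl_certificate_key {{ $ssl.CertificateKey }};
+ssl_certificate {{ makeSecretPath $ssl.Certificate $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+ssl_certificate_key {{ makeSecretPath $ssl.CertificateKey $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 {{- end }}
 {{- else }}
 {{- if $.SpiffeCerts }}
 listen 443 ssl;
 {{if not $s.DisableIPV6}}listen [::]:443 ssl;{{end}}
-ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
-ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+ssl_certificate {{ makeSecretPath "/etc/nginx/secrets/spiffe_cert.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+ssl_certificate_key {{ makeSecretPath "/etc/nginx/secrets/spiffe_key.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 {{- end }}
 {{- end }}
 
@@ -149,8 +149,8 @@ server {
 
 {{- with $s.EgressMTLS }}
 {{- if .Certificate }}
-proxy_ssl_certificate {{ .Certificate }};
-proxy_ssl_certificate_key {{ .CertificateKey }};
+proxy_ssl_certificate {{ makeSecretPath .Certificate $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+proxy_ssl_certificate_key {{ makeSecretPath .CertificateKey $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 {{- end }}
 {{- if .TrustedCert }}
 proxy_ssl_trusted_certificate {{ .TrustedCert }};
@@ -255,8 +255,8 @@ server {
 
 {{- with $l.EgressMTLS }}
 {{- if .Certificate }}
-{{ $proxyOrGRPC }}_ssl_certificate {{ .Certificate }};
-{{ $proxyOrGRPC }}_ssl_certificate_key {{ .CertificateKey }};
+{{ $proxyOrGRPC }}_ssl_certificate {{ makeSecretPath .Certificate $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+{{ $proxyOrGRPC }}_ssl_certificate_key {{ makeSecretPath .CertificateKey $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 {{- end }}
 {{ if .TrustedCert }}
 {{ $proxyOrGRPC }}_ssl_trusted_certificate {{ .TrustedCert }};
@@ -371,8 +371,8 @@ server {
 add_header {{ $h.Name }} "{{ $h.Value }}" {{ if $h.Always }}always{{ end }};
 {{- end }}
 {{- if $.SpiffeClientCerts }}
-{{ $proxyOrGRPC }}_ssl_certificate /etc/nginx/secrets/spiffe_cert.pem;
-{{ $proxyOrGRPC }}_ssl_certificate_key /etc/nginx/secrets/spiffe_key.pem;
+{{ $proxyOrGRPC }}_ssl_certificate {{ makeSecretPath "/etc/nginx/secrets/spiffe_cert.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
+{{ $proxyOrGRPC }}_ssl_certificate_key {{ makeSecretPath "/etc/nginx/secrets/spiffe_key.pem" $.StaticSSLPath "$secret_dir_path" $.DynamicSSLReloadEnabled }};
 {{ $proxyOrGRPC }}_ssl_trusted_certificate /etc/nginx/secrets/spiffe_rootca.pem;
 {{ $proxyOrGRPC }}_ssl_server_name on;
 {{ $proxyOrGRPC }}_ssl_verify on;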
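Review bot: The EgressMTLS hunks now feed a variable into `proxy_ssl_certificate` and `{{ $proxyOrGRPC }}_ssl_certificate`, and per the nginx module docs variables in those upstream-side directives only arrived in 1.21.0, later than the 1.15.9 needed for the server-side `ssl_certificate` in the first hunk; with the flag now defaulting on for OSS, that is the effective minimum OSS version and it is recorded nowhere a template consumer can see it. The `TrustedCert` lines in the same hunks stay literal, so a rotated CA bundle for egress mTLS still depends on a reload while the client cert does not. A short comment above each EgressMTLS block would capture both, e.g. `# a variable in proxy_ssl_certificate needs nginx >= 1.21.0; proxy_ssl_trusted_certificate cannot take one and only changes on reload`.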

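--- a/tests/suite/test_tls.py
+++ b/tests/suite/test_tls.py
@@ -138,7 +138,7 @@ def test_tls_termination(self, kube_apis, ingress_controller_endpoint, test_name
 wait_before_test(1)
 assert_us_subject(ingress_controller_endpoint, tls_setup.ingress_host)
 
-# for OSS and and 31D0 Plus with -ssl-dynamic-reload=false, we expect
+# with -ssl-dynamic-reload=false, we expect
 # replacing a secret to trigger a reload
 count_before_replace = get_reload_count(tls_setup.metrics_url)
 
@@ -153,7 +153,6 @@ def test_tls_termination(self, kube_apis, ingress_controller_endpoint, test_name
 assert reloads == expected_reloads, f"expected {expected_reloads} reloads, got {reloads}"
 
 
-@pytest.mark.skip_for_nginx_oss
 @pytest.mark.ingresses
 @pytest.mark.parametrize(
 "ingress_controller, tls_setup",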

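--- a/tests/suite/test_transport_server_tcp_load_balance.py
+++ b/tests/suite/test_transport_server_tcp_load_balance.py
@@ -623,7 +623,7 @@ def test_secure_tcp_request_load_balanced(
 endpoint = response.decode()
 print(f"Connected securely to: {endpoint}")
 
-# for OSS and and Plus with -ssl-dynamic-reload=false, we expect
+# with -ssl-dynamic-reload=false, we expect
 # replacing a secret to trigger a reload
 count_before_replace = get_reload_count(transport_server_setup.metrics_url)
 print(f"replacing: {sec_name} in {transport_server_setup.namespace}")
@@ -639,7 +639,6 @@ def test_secure_tcp_request_load_balanced(
 delete_items_from_yaml(kube_apis, src_sec_yaml, transport_server_setup.namespace)
 
 
-@pytest.mark.skip_for_nginx_oss
 @pytest.mark.ts
 @pytest.mark.skip_for_loadbalancer
 @pytest.mark.parametrize(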
