Merge pull request #159 from Shopify/sync-upstream

Sync upstream

Makefile

@@ -61,7 +61,7 @@ IMAGE = $(REGISTRY)/$(IMGNAME)
 MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)
 
 # Set default base image dynamically for each arch
-BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):0.69
+BASEIMAGE?=quay.io/kubernetes-ingress-controller/nginx-$(ARCH):0.70
 
 ifeq ($(ARCH),arm)
 	QEMUARCH=arm

build/go-in-docker.sh

@@ -40,7 +40,7 @@ if [ "$missing" = true ];then
   exit 1
 fi
 
-E2E_IMAGE=quay.io/kubernetes-ingress-controller/e2e:v11122018-14fe4898a
+E2E_IMAGE=quay.io/kubernetes-ingress-controller/e2e:v11162018-ef7143f5a
 
 DOCKER_OPTS=${DOCKER_OPTS:-""}
 

cmd/nginx/flags.go

@@ -64,6 +64,18 @@ Takes the form "namespace/name". When used together with update-status, the
 controller mirrors the address of this service's endpoints to the load-balancer
 status of all Ingress objects it satisfies.`)
 
+		tcpConfigMapName = flags.String("tcp-services-configmap", "",
+			`Name of the ConfigMap containing the definition of the TCP services to expose.
+The key in the map indicates the external port to be used. The value is a
+reference to a Service in the form "namespace/name:port", where "port" can
+either be a port number or name. TCP ports 80 and 443 are reserved by the
+controller for servicing HTTP traffic.`)
+		udpConfigMapName = flags.String("udp-services-configmap", "",
+			`Name of the ConfigMap containing the definition of the UDP services to expose.
+The key in the map indicates the external port to be used. The value is a
+reference to a Service in the form "namespace/name:port", where "port" can
+either be a port name or number.`)
+
 		resyncPeriod = flags.Duration("sync-period", 0,
 			`Period at which the controller forces the repopulation of its local object stores. Disabled by default.`)
 
@@ -217,6 +229,8 @@ Feature backed by OpenResty Lua libraries. Requires that OCSP stapling is not en
 		DefaultService:             *defaultSvc,
 		Namespace:                  *watchNamespace,
 		ConfigMapName:              *configMap,
+		TCPConfigMapName:           *tcpConfigMapName,
+		UDPConfigMapName:           *udpConfigMapName,
 		DefaultSSLCertificate:      *defSSLCertificate,
 		DefaultHealthzURL:          *defHealthzURL,
 		HealthCheckTimeout:         *healthCheckTimeout,

deploy/configmap.yaml

@@ -8,4 +8,21 @@ metadata:
     app.kubernetes.io/part-of: ingress-nginx
 
 ---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: tcp-services
+  namespace: ingress-nginx
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
 
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: udp-services
+  namespace: ingress-nginx
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx

deploy/mandatory.yaml

@@ -4,7 +4,6 @@ metadata:
   name: ingress-nginx
 
 ---
-
 kind: ConfigMap
 apiVersion: v1
 metadata:
@@ -15,7 +14,6 @@ metadata:
     app.kubernetes.io/part-of: ingress-nginx
 
 ---
-
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -162,7 +160,6 @@ subjects:
     namespace: ingress-nginx
 
 ---
-
 apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
@@ -193,6 +190,8 @@ spec:
           args:
             - /nginx-ingress-controller
             - --configmap=$(POD_NAMESPACE)/nginx-configuration
+            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
+            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx
             - --annotations-prefix=nginx.ingress.kubernetes.io
           securityContext:
@@ -238,3 +237,4 @@ spec:
             timeoutSeconds: 1
 
 ---
+

deploy/with-rbac.yaml

@@ -28,6 +28,8 @@ spec:
           args:
             - /nginx-ingress-controller
             - --configmap=$(POD_NAMESPACE)/nginx-configuration
+            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
+            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
             - --publish-service=$(POD_NAMESPACE)/ingress-nginx
             - --annotations-prefix=nginx.ingress.kubernetes.io
           securityContext:

docs/deploy/index.md

@@ -158,7 +158,7 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/mast
 ```
 
 !!! tip
-    For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](./baremetal.md/).
+    For extended notes regarding deployments on bare-metal, see [Bare-metal considerations](./baremetal.md).
 
 ### Verify installation
 

docs/examples/customization/configuration-snippets/README.md

@@ -2,7 +2,7 @@
 
 ## Ingress
 
-The Ingress in this example adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at [this example](/examples/customization/custom-headers/README).
+The Ingress in this example adds a custom header to Nginx configuration that only applies to that specific Ingress. If you want to add headers that apply globally to all Ingresses, please have a look at [this example](../custom-headers/README.md).
 
 ```console
 $ kubectl apply -f ingress.yaml

docs/user-guide/cli-arguments.md

@@ -38,6 +38,8 @@ They are set in the container spec of the `nginx-ingress-controller` Deployment
 | `--stderrthreshold severity`      | logs at or above this threshold go to stderr (default 2) |
 | `--sync-period duration`          | Period at which the controller forces the repopulation of its local object stores. Disabled by default. |
 | `--sync-rate-limit float32`       | Define the sync frequency upper limit (default 0.3) |
+| `--tcp-services-configmap string` | Name of the ConfigMap containing the definition of the TCP services to expose. The key in the map indicates the external port to be used. The value is a reference to a Service in the form "namespace/name:port", where "port" can either be a port number or name. TCP ports 80 and 443 are reserved by the controller for servicing HTTP traffic. |
+| `--udp-services-configmap string` | Name of the ConfigMap containing the definition of the UDP services to expose. The key in the map indicates the external port to be used. The value is a reference to a Service in the form "namespace/name:port", where "port" can either be a port name or number. |
 | `--update-status`                 | Update the load-balancer status of Ingress objects this controller satisfies. Requires setting the publish-service parameter to a valid Service reference. (default true) |
 | `--update-status-on-shutdown`     | Update the load-balancer status of Ingress objects when the controller shuts down. Requires the update-status parameter. (default true) |
 | `-v`, `--v Level`                 | log level for V logs |

docs/user-guide/exposing-tcp-udp-services.md

@@ -0,0 +1,63 @@
+# Exposing TCP and UDP services
+
+Ingress does not support TCP or UDP services. For this reason this Ingress controller uses the flags `--tcp-services-configmap` and `--udp-services-configmap` to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format:
+`<namespace/service name>:<service port>:[PROXY]:[PROXY]`
+
+It is also possible to use a number or the name of the port. The two last fields are optional.
+Adding `PROXY` in either or both of the two last fields we can use Proxy Protocol decoding (listen) and/or encoding (proxy_pass) in a TCP service https://www.nginx.com/resources/admin-guide/proxy-protocol
+
+The next example shows how to expose the service `example-go` running in the namespace `default` in the port `8080` using the port `9000`
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tcp-services
+  namespace: ingress-nginx
+data:
+  9000: "default/example-go:8080"
+```
+
+Since 1.9.13 NGINX provides [UDP Load Balancing](https://www.nginx.com/blog/announcing-udp-load-balancing/).
+The next example shows how to expose the service `kube-dns` running in the namespace `kube-system` in the port `53` using the port `53`
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: udp-services
+  namespace: ingress-nginx
+data:
+  53: "kube-system/kube-dns:53"
+```
+
+If TCP/UDP proxy support is used, then those ports need to be exposed in the Service defined for the Ingress.
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-nginx
+  namespace: ingress-nginx
+  labels:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+spec:
+  type: LoadBalancer
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+      protocol: TCP
+    - name: https
+      port: 443
+      targetPort: 443
+      protocol: TCP
+    - name: proxied-tcp-9000
+      port: 9000
+      targetPort: 9000
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/part-of: ingress-nginx
+```

docs/user-guide/nginx-configuration/annotations.md

@@ -70,6 +70,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/service-upstream](#service-upstream)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/session-cookie-name](#cookie-affinity)|string|
 |[nginx.ingress.kubernetes.io/session-cookie-hash](#cookie-affinity)|string|
+|[nginx.ingress.kubernetes.io/session-cookie-path](#cookie-affinity)|string|
 |[nginx.ingress.kubernetes.io/ssl-redirect](#server-side-https-enforcement-through-redirect)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/ssl-passthrough](#ssl-passthrough)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/upstream-hash-by](#custom-nginx-upstream-hashing)|string|
@@ -98,7 +99,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/enable-modsecurity](#modsecurity)|bool|
 |[nginx.ingress.kubernetes.io/enable-owasp-core-rules](#modsecurity)|bool|
 |[nginx.ingress.kubernetes.io/modsecurity-transaction-id](#modsecurity)|string|
-
+|[nginx.ingress.kubernetes.io/modsecurity-snippet](#modsecurity)|string|
 
 ### Canary
 
@@ -136,6 +137,9 @@ If the Application Root is exposed in a different path and needs to be redirecte
 The annotation `nginx.ingress.kubernetes.io/affinity` enables and sets the affinity type in all Upstreams of an Ingress. This way, a request will always be directed to the same upstream server.
 The only affinity type available for NGINX is `cookie`.
 
+!!! attention
+    If more than one Ingress is defined for a host and at least one Ingress uses `nginx.ingress.kubernetes.io/affinity: cookie`, then only paths on the Ingress using `nginx.ingress.kubernetes.io/affinity` will use session cookie affinity. All paths defined on other Ingresses for the host will be load balanced through the random selection of a backend server. 
+
 !!! example
     Please check the [affinity](../../examples/affinity/cookie/README.md) example.
 
@@ -145,6 +149,8 @@ If you use the ``cookie`` affinity type you can also specify the name of the coo
 
 In case of NGINX the annotation `nginx.ingress.kubernetes.io/session-cookie-hash` defines which algorithm will be used to hash the used upstream. Default value is `md5` and possible values are `md5`, `sha1` and `index`.
 
+The NGINX annotation `nginx.ingress.kubernetes.io/session-cookie-path` defines the path that will be set on the cookie. This is optional unless the annotation `nginx.ingress.kubernetes.io/use-regex` is set to true; Session cookie paths do not support regex.  
+
 !!! attention
     The `index` option is not an actual hash; an in-memory index is used instead, which has less overhead.
     However, with `index`, matching against a changing upstream server list is inconsistent.
@@ -649,6 +655,7 @@ It can be enabled using the following annotation:
 ```yaml
 nginx.ingress.kubernetes.io/enable-modsecurity: "true"
 ```
+ModSecurity will run in "Detection-Only" mode using the [recommended configuration](https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended).
 
 You can enable the [OWASP Core Rule Set](https://www.modsecurity.org/CRS/Documentation/) by
 setting the following annotation:
@@ -661,6 +668,23 @@ You can pass transactionIDs from nginx by setting up the following:
 nginx.ingress.kubernetes.io/modsecurity-transaction-id: "$request_id"
 ```
 
+You can also add your own set of modsecurity rules via a snippet:
+```yaml
+nginx.ingress.kubernetes.io/modsecurity-snippet: |
+SecRuleEngine On
+SecDebugLog /tmp/modsec_debug.log
+```
+
+Note: If you use both `enable-owasp-core-rules` and `modsecurity-snippet` annotations together, only the
+`modsecurity-snippet` will take effect. If you wish to include the [OWASP Core Rule Set](https://www.modsecurity.org/CRS/Documentation/) or 
+[recommended configuration](https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended) simply use the include
+statement:
+```yaml
+nginx.ingress.kubernetes.io/modsecurity-snippet: |
+Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
+Include /etc/nginx/modsecurity/modsecurity.conf
+```
+
 ### InfluxDB
 
 Using `influxdb-*` annotations we can monitor requests passing through a Location by sending them to an InfluxDB backend exposing the UDP socket
@@ -699,6 +723,9 @@ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 
 ### Use Regex
 
+!!! attention
+When using this annotation with the NGINX annotation `nginx.ingress.kubernetes.io/affinity` of type `cookie`,  `nginx.ingress.kubernetes.io/session-cookie-path` must be also set; Session cookie paths do not support regex.  
+
 Using the `nginx.ingress.kubernetes.io/use-regex` annotation will indicate whether or not the paths defined on an Ingress use regular expressions.  The default value is `false`.
 
 The following will indicate that regular expression paths are being used:

docs/user-guide/nginx-configuration/configmap.md

@@ -57,7 +57,7 @@ The following table shows a configuration option's name, type, and the default v
 |[keep-alive-requests](#keep-alive-requests)|int|100|
 |[large-client-header-buffers](#large-client-header-buffers)|string|"4 8k"|
 |[log-format-escape-json](#log-format-escape-json)|bool|"false"|
-|[log-format-upstream](#log-format-upstream)|string|`%v - [$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status`|
+|[log-format-upstream](#log-format-upstream)|string|`%v - [$the_real_ip] - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_length $request_time [$proxy_upstream_name] $upstream_addr $upstream_response_length $upstream_response_time $upstream_status $req_id`|
 |[log-format-stream](#log-format-stream)|string|`[$time_local] $protocol $status $bytes_sent $bytes_received $session_time`|
 |[enable-multi-accept](#enable-multi-accept)|bool|"true"|
 |[max-worker-connections](#max-worker-connections)|int|16384|

docs/user-guide/nginx-configuration/log-format.md

@@ -8,7 +8,7 @@ log_format upstreaminfo
     '[$the_real_ip] - $remote_user [$time_local] "$request" '
     '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
     '$request_length $request_time [$proxy_upstream_name] $upstream_addr '
-    '$upstream_response_length $upstream_response_time $upstream_status';
+    '$upstream_response_length $upstream_response_time $upstream_status $req_id';
 ```
 
 | Placeholder | Description |
@@ -30,6 +30,7 @@ log_format upstreaminfo
 | `$upstream_response_length` | the length of the response obtained from the upstream server |
 | `$upstream_response_time` | time spent on receiving the response from the upstream server as seconds with millisecond resolution |
 | `$upstream_status` | status code of the response obtained from the upstream server |
+| `$req_id` | the randomly generated ID of the request  |
 
 Additional available variables: