Generalize Rewrite Block Creation and Deprecate AddBaseUrl (not backwards compatible)

[zrdaley]

What this PR does / why we need it:

When the rewrite-target annotation is used and the written path uses regex and does not end in / (ex. foo/bar/.+), rewrite does not work as expected. This provides a regex check in BuildProxyPass and uses a custom rewrite block if the use-regex annotation is true for a location.

UPDATE
In addition to the above, this PR deprecates the AddBaseUrl annotation.

Problem

An ingress is created with use-regex="true" and rewrite-target="/new" and the path /foo/bar/.+.

This results in the following rewrite blocks for that location:

rewrite (?i)/foo/bar/.+/(.*) /new/$1 break;
rewrite (?i)/foo/bar/.+$ /new break;
...

Therefore a request to /foo/bar/bar will go to /new instead of /new/bar as a user may expect.

Solution

Check if a use-regex is true for a location when building the proxy pass.

An ingress is created with use-regex="true" and rewrite-target="/new/$1" and the path /foo/bar/(.+).

This results in the following rewrite blocks for that location:

rewrite (?i)/foo/bar/(.+) /new/$1 break;
...

Now a request to /foo/bar/bar will go to /new/bar.

[aledbf]

/lgtm
/hold

[ElvinEfendi]

The way I understand this is it enforces using regexp group references explicitly in rewrite-target annotation when use-regex is true.

So given an ingress with regexp path enabled and rewrite-target is "/new/$1". And there are two paths
foo/bar/(.+)
and
foo/baz

rewrite (?i)/foo/bar/(.+) /new/$1 break;
and
rewrite (?i)/foo/baz /new/$1 break;

will be generated accordingly. This means foo/baz/anything will be rewritten to /new/, which means breaking existing expectations.

I don't know what's the best solution here, maybe we should stop trying to make the controller smart about generating the correct rewrite syntax and let the user take are of that. Because to me it seems like impossible to find a common ground. Therefore it would make sense to let user do whatever they want. That would also simplify controller logic. Nginx rewrite directive has two required arguments:

rewrite regex replacement [flag];

So given that whenever rewrite target is used we enforce regepx path matching, I'd delete all the existing logic where we try to come up with correct arguments to rewrite and let the user take care of it the way she wants.

For example the simplest case when you want to rewrite foo/bar to /new you would need to set rewrite-target to /new/$1 and configure the path as (?i)/foo/bar/(.*). Then the controller would take the path and target as is and generate

rewrite (?i)/foo/bar/(.*) /new/$1 break;

this is obviously not backward compatible, but I really dislike the complexity around the current solution, and this solution will make it simpler to reason about.

[zrdaley]

@ElvinEfendi I completely agree.

Giving the user control of whether or not to append parameters to rewritten paths in all cases makes way more sense. Defaulting to enforcing this policy, especially now that regex is enabled, seems counterintuitive.

[aledbf]

@zrdaley please squash the commits

[ElvinEfendi]

Why is this false, when there's rewrite enforceRegex is always true, no?

[ElvinEfendi]

/hold

@zrdaley please update PR title and description accordingly now that we pivoted.

--

This change is not backward compatible and it is going to break every single rewrite configuration.
We should find some way to at least not fail silently (this is what's going to happen the PR as is).

The logic at https://github.com/kubernetes/ingress-nginx/pull/3174/files#diff-652deabba49a2a87d4c5a79700dfa1e3R331 does not make much sense with regexp path support and specially after this PR. With this PR users will have to have something like (.*) in their path to do rewrite with $1, which is going to render (?<baseuri>.*) useless. IMO we should completely drop support for AddBaseURL, the app has every knowledge to make that decision.

This test https://github.com/kubernetes/ingress-nginx/pull/3174/files#diff-780db26d3e78669defcf119bfb8a9b64R43 now is not so useful. We should make sure it tests that path suffix (/something/i-am-suffix) gets added to the target path prefix (/) when proxying.

[aledbf]

@zrdaley friendly ping

[zrdaley]

@ElvinEfendi I agree with the deprecation of AddBaseURL however, I think that maybe this should be addressed in a separate PR, following this one.

Also, is there an official way to notify users of backwards compatibility issues or will the change of name above be sufficient?

I am just going to remove this test https://github.com/kubernetes/ingress-nginx/pull/3174/files#diff-780db26d3e78669defcf119bfb8a9b64R43. This test https://github.com/kubernetes/ingress-nginx/pull/3174/files?utf8=%E2%9C%93&diff=unified#diff-780db26d3e78669defcf119bfb8a9b64R257 cover's suffix appending for both the index and all other path cases since there is no longer a special case for the index path.

[RAbraham]

@dshakey could you share your code change. That would be much appreciated.

[spacecat]

How can I configure nginx.ingress.kubernetes.io/rewrite-target and spec.rules.http.paths.path to satisfy the following URI patterns?

/aa/bb-aa/coolapp
/aa/bb-aa/coolapp/cc

Legend:

• a = Any letter between a-z. Lowercase. Exactly 2 letters - no more, no less.
• b = Any letter between a-z. Lowercase. Exactly 2 letters - no more, no less.
• c = any valid URI character. Lowercase. Of variable length - think slug.

Example URI:s that should match the above pattern:

/us/en-us/coolapp
/us/en-us/coolapp/faq
/us/en-us/coolapp/privacy-policy

[Gilgames000]

@spacecat does this answer your question?

[spacecat]

@Gilgames000 Thanks. I've updated the SO post.

[anhthang]

I'm using the latest nginx-ingress with a below yml file

kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/rewrite-target: /$1
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: nginx
  labels:
    app: app_name
  name: app_name-staging
  namespace: app_name
spec:
  rules:
  - host: my_url
    http:
      paths:
      - backend:
          serviceName: app_name-staging
          servicePort: http
        path: /dev/?(.*)
  tls:
  - hosts:
    - my_url
    secretName: app_name-staging-tls
status:
  loadBalancer:
    ingress:
    - ip: 34.87.60.27

When I go to my_url/dev/path it's showing default backend - 404 and when I go to my_url/path it show success response.

I'm expecting success response when I go to my_url/dev/path. Can anyone help me check this?

[spacecat]

@buianhthang try this:
nginx.ingress.kubernetes.io/rewrite-target: /$2
path: /dev(/|$)(.*)

[anhthang]

@spacecat thank you. i haven’t try yet, but my snippet working now. I’m guessing it’s ingress-nginx-default-backend issue. But I will try your suggestions

_{Sent with GitHawk}

[scniro]

Not happy about having my app break and needing to sift through these comments, reaching the bottom and not finding a reasonable workaround.

For clarity, what is now the canonical solution? This is a bit of a head scratcher.

[scniro]

I am quite confused about the implications of this PR. Do I even have to worry about anything if I do not specify use-regex=true anywhere? I also have no regex constructs in my rewrite-targets. Should I be worried?

We use Azure AKS, and have nginx.ingress.kubernetes.io/rewrite-target: in our helm charts. We don't have use-regex=true in our chart anywhere, but this change broke our rewrite targets.

@avik-so Have you found a reasonable solution? Facing the same - dead in the water

[aledbf]

@scniro this is a change introduced more than a year ago. The example https://kubernetes.github.io/ingress-nginx/examples/rewrite/#rewrite-target is up to date.
If you have an issue using the annotation please open a new one. Thanks

[avik-so]

@scniro Only options are to use the new syntax or use version 0.21.0

[zuzzas]

One day I'll write a blog post about migrating 80+ Kubernetes clusters:

1. From old annotation format to new one;
2. From old rewrite format to new one

via a mutating admission webhook that creates almost identical copy of an Ingress resource, but with a different ingress.class, and with proper annotations and rewrite the new rewrite. Once such a webhook is in place and all Ingress resources have a working copy, we've switched Nginx Ingress Controller to use previously create Ingresses via a new ingress.class cmdline option.

That was quite a journey. :)

[elafontaine]

For folks ending up here and wondering what they could do, we solved the backward incompatible by having the anntoation be the following;

nginx.ingress.kubernetes.io/rewrite-target: /$2
and the path
path: /paas-demo(/|$)(.*$) (Notice the dollar sign in the capture group)

This made sure that the baseuri regex is not taken into consideration for the match and allowed us to move forward.

[blurpy]

Are there any solutions at all that will work both before and after this change? We don't have the option of upgrading and having requests fail until all the teams redeploy all their apps with a fixed ingress.

Most of our rewrites are simple:

nginx.ingress.kubernetes.io/rewrite-target: /
path: /something/

I've tried different combinations of the new syntax, like:

nginx.ingress.kubernetes.io/rewrite-target: /$2
path: /something(/|$)(.*$)

And:

nginx.ingress.kubernetes.io/rewrite-target: /$1
path: /something/(.*)

But the rewrite rule ends up weird in the old version of the nginx.conf:

rewrite /something/(.*)/(.*) /$1/$1 break;

[kevin-pro]

This is a bad breaking change and not backward compatible. For a frontend web app with multiple backend services, the configuration of the ingress became very weird after the upgrades. Is it possible to add a switch for a user to decide if turn on the change or not?

[avik-so]

Are there any solutions at all that will work both before and after this change? We don't have the option of upgrading and having requests fail until all the teams redeploy all their apps with a fixed ingress.

Most of our rewrites are simple:

nginx.ingress.kubernetes.io/rewrite-target: /
path: /something/

I've tried different combinations of the new syntax, like:

nginx.ingress.kubernetes.io/rewrite-target: /$2
path: /something(/|$)(.*$)

And:

nginx.ingress.kubernetes.io/rewrite-target: /$1
path: /something/(.*)

But the rewrite rule ends up weird in the old version of the nginx.conf:

rewrite /something/(.*)/(.*) /$1/$1 break;

As far as we have been able to figure out, this change requires downtime to redeploy.
An alternative is to create two services, with two different ingress configurations, and do a slow migration that way.

[ghost]

@buianhthang试试这个：
nginx.ingress.kubernetes.io/rewrite-target: /$2
path: /dev(/|$)(.*)

It solved my problem! Thank You!

[maxisam]

how do you solve this case #3770 ?

[liakouras]

I have IC version 0.20.0 and the following configuration works, but NOT with 0.30.0:

======================
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
name: test-ingress
namespace: test
labels:
Name: test
name: test-ingress
namespace: test
spec:
rules:

• host: www.test.com
  http:
  paths:
  • backend:
    serviceName: test-application-1
    servicePort: 80
    path: /test/api1
  • backend:
    serviceName: test-application-2
    servicePort: 80
    path: /test/api2

======================

I replaced the nginx.ingress.kubernetes.io/rewrite-target: / with the following but still doesn't work:

======================
annotations:
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
rewrite "(?i)/test/api1/(.)" /$1 break;
rewrite "(?i)/test/api1$" / break;
rewrite "(?i)/test/ap21/(.)" /$1 break;
rewrite "(?i)/test/ap21$" / break;
======================

can you please help?