ingress

package
v0.0.0-...-cfb183a Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 23, 2020 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// DefaultSSLDirectory defines the location where the SSL certificates will be generated
	// This directory contains all the SSL certificates that are specified in Ingress rules.
	// The name of each file is <namespace>-<secret name>.pem. The content is the concatenated
	// certificate and key.
	DefaultSSLDirectory = "/ingress-controller/ssl"
)

Functions

This section is empty.

Types

type Backend

type Backend struct {
	// Name represents an unique apiv1.Service name formatted as <namespace>-<name>-<port>
	Name    string             `json:"name"`
	Service *apiv1.Service     `json:"service,omitempty"`
	Port    intstr.IntOrString `json:"port"`
	// SecureCACert has the filename and SHA1 of the certificate authorities used to validate
	// a secured connection to the backend
	SecureCACert resolver.AuthSSLCert `json:"secureCACert"`
	// SSLPassthrough indicates that Ingress controller will delegate TLS termination to the endpoints.
	SSLPassthrough bool `json:"sslPassthrough"`
	// Endpoints contains the list of endpoints currently running
	Endpoints []Endpoint `json:"endpoints,omitempty"`
	// StickySessionAffinitySession contains the StickyConfig object with stickyness configuration
	SessionAffinity SessionAffinityConfig `json:"sessionAffinityConfig"`
	// Consistent hashing by NGINX variable
	UpstreamHashBy string `json:"upstream-hash-by,omitempty"`
	// LB algorithm configuration per ingress
	LoadBalancing string `json:"load-balance,omitempty"`
	// Denotes if a backend has no server. The backend instead shares a server with another backend and acts as an
	// alternative backend.
	// This can be used to share multiple upstreams in the sam nginx server block.
	NoServer bool `json:"noServer"`
	// Policies to describe the characteristics of an alternative backend.
	// +optional
	TrafficShapingPolicy TrafficShapingPolicy `json:"trafficShapingPolicy,omitempty"`
	// Contains a list of backends without servers that are associated with this backend.
	// +optional
	AlternativeBackends []string `json:"alternativeBackends,omitempty"`
}

Backend describes one or more remote server/s (endpoints) associated with a service +k8s:deepcopy-gen=true

func (*Backend) DeepCopy

func (in *Backend) DeepCopy() *Backend

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Backend.

func (*Backend) DeepCopyInto

func (in *Backend) DeepCopyInto(out *Backend)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Backend) Equal

func (b1 *Backend) Equal(b2 *Backend) bool

Equal tests for equality between two Backend types

func (Backend) HashInclude

func (s Backend) HashInclude(field string, v interface{}) (bool, error)

HashInclude defines if a field should be used or not to calculate the hash

type Configuration

type Configuration struct {
	// Backends are a list of backends used by all the Ingress rules in the
	// ingress controller. This list includes the default backend
	Backends []*Backend `json:"backends,omitempty"`
	// Servers save the website config
	Servers []*Server `json:"servers,omitempty"`
	// TCPEndpoints contain endpoints for tcp streams handled by this backend
	// +optional
	TCPEndpoints []L4Service `json:"tcpEndpoints,omitempty"`
	// UDPEndpoints contain endpoints for udp streams handled by this backend
	// +optional
	UDPEndpoints []L4Service `json:"udpEndpoints,omitempty"`
	// PassthroughBackends contains the backends used for SSL passthrough.
	// It contains information about the associated Server Name Indication (SNI).
	// +optional
	PassthroughBackends []*SSLPassthroughBackend `json:"passthroughBackends,omitempty"`

	// BackendConfigChecksum contains the particular checksum of a Configuration object
	BackendConfigChecksum string `json:"BackendConfigChecksum,omitempty"`

	// ConfigurationChecksum contains the particular checksum of a Configuration object
	ConfigurationChecksum string `json:"configurationChecksum,omitempty"`
}

Configuration holds the definition of all the parts required to describe all ingresses reachable by the ingress controller (using a filter by namespace)

func (*Configuration) Equal

func (c1 *Configuration) Equal(c2 *Configuration) bool

Equal tests for equality between two Configuration types

type CookieSessionAffinity

type CookieSessionAffinity struct {
	Name      string              `json:"name"`
	Hash      string              `json:"hash"`
	Expires   string              `json:"expires,omitempty"`
	MaxAge    string              `json:"maxage,omitempty"`
	Locations map[string][]string `json:"locations,omitempty"`
	Path      string              `json:"path,omitempty"`
}

CookieSessionAffinity defines the structure used in Affinity configured by Cookies. +k8s:deepcopy-gen=true

func (*CookieSessionAffinity) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CookieSessionAffinity.

func (*CookieSessionAffinity) DeepCopyInto

func (in *CookieSessionAffinity) DeepCopyInto(out *CookieSessionAffinity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CookieSessionAffinity) Equal

Equal tests for equality between two CookieSessionAffinity types

type Endpoint

type Endpoint struct {
	// Address IP address of the endpoint
	Address string `json:"address"`
	// Port number of the TCP port
	Port string `json:"port"`
	// Target returns a reference to the object providing the endpoint
	Target *apiv1.ObjectReference `json:"target,omitempty"`
}

Endpoint describes a kubernetes endpoint in a backend +k8s:deepcopy-gen=true

func (*Endpoint) DeepCopy

func (in *Endpoint) DeepCopy() *Endpoint

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Endpoint.

func (*Endpoint) DeepCopyInto

func (in *Endpoint) DeepCopyInto(out *Endpoint)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Endpoint) Equal

func (e1 *Endpoint) Equal(e2 *Endpoint) bool

Equal checks the equality against an Endpoint

type Ingress

type Ingress struct {
	extensions.Ingress
	ParsedAnnotations *annotations.Ingress
}

Ingress holds the definition of an Ingress plus its annotations

type L4Backend

type L4Backend struct {
	Port      intstr.IntOrString `json:"port"`
	Name      string             `json:"name"`
	Namespace string             `json:"namespace"`
	Protocol  apiv1.Protocol     `json:"protocol"`
	// +optional
	ProxyProtocol ProxyProtocol `json:"proxyProtocol"`
}

L4Backend describes the kubernetes service behind L4 Ingress service

func (*L4Backend) Equal

func (l4b1 *L4Backend) Equal(l4b2 *L4Backend) bool

Equal tests for equality between two L4Backend types

type L4Service

type L4Service struct {
	// Port external port to expose
	Port int `json:"port"`
	// Backend of the service
	Backend L4Backend `json:"backend"`
	// Endpoints active endpoints of the service
	Endpoints []Endpoint `json:"endpoints,omitempty"`
}

L4Service describes a L4 Ingress service.

func (*L4Service) Equal

func (e1 *L4Service) Equal(e2 *L4Service) bool

Equal tests for equality between two L4Service types

type Location

type Location struct {
	// Path is an extended POSIX regex as defined by IEEE Std 1003.1,
	// (i.e this follows the egrep/unix syntax, not the perl syntax)
	// matched against the path of an incoming request. Currently it can
	// contain characters disallowed from the conventional "path"
	// part of a URL as defined by RFC 3986. Paths must begin with
	// a '/'. If unspecified, the path defaults to a catch all sending
	// traffic to the backend.
	Path string `json:"path"`
	// IsDefBackend indicates if service specified in the Ingress
	// contains active endpoints or not. Returning true means the location
	// uses the default backend.
	IsDefBackend bool `json:"isDefBackend"`
	// Ingress returns the ingress from which this location was generated
	Ingress *Ingress `json:"ingress"`
	// Backend describes the name of the backend to use.
	Backend string `json:"backend"`
	// Service describes the referenced services from the ingress
	Service *apiv1.Service `json:"service,omitempty"`
	// Port describes to which port from the service
	Port intstr.IntOrString `json:"port"`
	// Overwrite the Host header passed into the backend. Defaults to
	// vhost of the incoming request.
	// +optional
	UpstreamVhost string `json:"upstream-vhost"`
	// BasicDigestAuth returns authentication configuration for
	// an Ingress rule.
	// +optional
	BasicDigestAuth auth.Config `json:"basicDigestAuth,omitempty"`
	// Denied returns an error when this location cannot not be allowed
	// Requesting a denied location should return HTTP code 403.
	Denied error `json:"denied,omitempty"`
	// CorsConfig returns the Cors Configuration for the ingress rule
	// +optional
	CorsConfig cors.Config `json:"corsConfig,omitempty"`
	// ExternalAuth indicates the access to this location requires
	// authentication using an external provider
	// +optional
	ExternalAuth authreq.Config `json:"externalAuth,omitempty"`
	// RateLimit describes a limit in the number of connections per IP
	// address or connections per second.
	// The Redirect annotation precedes RateLimit
	// +optional
	RateLimit ratelimit.Config `json:"rateLimit,omitempty"`
	// Redirect describes a temporal o permanent redirection this location.
	// +optional
	Redirect redirect.Config `json:"redirect,omitempty"`
	// Rewrite describes the redirection this location.
	// +optional
	Rewrite rewrite.Config `json:"rewrite,omitempty"`
	// Whitelist indicates only connections from certain client
	// addresses or networks are allowed.
	// +optional
	Whitelist ipwhitelist.SourceRange `json:"whitelist,omitempty"`
	// Proxy contains information about timeouts and buffer sizes
	// to be used in connections against endpoints
	// +optional
	Proxy proxy.Config `json:"proxy,omitempty"`
	// UsePortInRedirects indicates if redirects must specify the port
	// +optional
	UsePortInRedirects bool `json:"usePortInRedirects"`
	// ConfigurationSnippet contains additional configuration for the backend
	// to be considered in the configuration of the location
	ConfigurationSnippet string `json:"configurationSnippet"`
	// Connection contains connection header to override the default Connection header
	// to the request.
	// +optional
	Connection connection.Config `json:"connection"`
	// ClientBodyBufferSize allows for the configuration of the client body
	// buffer size for a specific location.
	// +optional
	ClientBodyBufferSize string `json:"clientBodyBufferSize,omitempty"`
	// DefaultBackend allows the use of a custom default backend for this location.
	// +optional
	DefaultBackend *apiv1.Service `json:"defaultBackend,omitempty"`
	// XForwardedPrefix allows to add a header X-Forwarded-Prefix to the request with the
	// original location.
	// +optional
	XForwardedPrefix bool `json:"xForwardedPrefix,omitempty"`
	// Logs allows to enable or disable the nginx logs
	// By default access logs are enabled and rewrite logs are disabled
	Logs log.Config `json:"logs,omitempty"`
	// LuaRestyWAF contains parameters to configure lua-resty-waf
	LuaRestyWAF luarestywaf.Config `json:"luaRestyWAF"`
	// InfluxDB allows to monitor the incoming request by sending them to an influxdb database
	// +optional
	InfluxDB influxdb.Config `json:"influxDB,omitempty"`
	// BackendProtocol indicates which protocol should be used to communicate with the service
	// By default this is HTTP
	BackendProtocol string `json:"backend-protocol"`
	// CustomHTTPErrors specifies the error codes that should be intercepted.
	// +optional
	CustomHTTPErrors []int `json:"custom-http-errors"`
	// ModSecurity allows to enable and configure modsecurity
	// +optional
	ModSecurity modsecurity.Config `json:"modsecurity"`
}

Location describes an URI inside a server. Also contains additional information about annotations in the Ingress.

In some cases when more than one annotations is defined a particular order in the execution is required. The chain in the execution order of annotations should be: - Whitelist - RateLimit - BasicDigestAuth - ExternalAuth - Redirect

func (*Location) Equal

func (l1 *Location) Equal(l2 *Location) bool

Equal tests for equality between two Location types

type ProxyProtocol

type ProxyProtocol struct {
	Decode bool `json:"decode"`
	Encode bool `json:"encode"`
}

ProxyProtocol describes the proxy protocol configuration

type SSLCert

type SSLCert struct {
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Certificate       *x509.Certificate `json:"certificate,omitempty"`
	// CAFileName contains the path to the file with the root certificate
	CAFileName string `json:"caFileName"`
	// PemFileName contains the path to the file with the certificate and key concatenated
	PemFileName string `json:"pemFileName"`
	// FullChainPemFileName contains the path to the file with the certificate and key concatenated
	// This certificate contains the full chain (ca + intermediates + cert)
	FullChainPemFileName string `json:"fullChainPemFileName"`
	// PemSHA contains the sha1 of the pem file.
	// This is used to detect changes in the secret that contains the certificates
	PemSHA string `json:"pemSha"`
	// CN contains all the common names defined in the SSL certificate
	CN []string `json:"cn"`
	// ExpiresTime contains the expiration of this SSL certificate in timestamp format
	ExpireTime time.Time `json:"expires"`
	// Pem encoded certificate and key concatenated
	PemCertKey string `json:"pemCertKey"`
}

SSLCert describes a SSL certificate to be used in a server

func (*SSLCert) Equal

func (s1 *SSLCert) Equal(s2 *SSLCert) bool

Equal tests for equality between two SSLCert types

func (SSLCert) GetObjectKind

func (s SSLCert) GetObjectKind() schema.ObjectKind

GetObjectKind implements the ObjectKind interface as a noop

func (SSLCert) HashInclude

func (s SSLCert) HashInclude(field string, v interface{}) (bool, error)

HashInclude defines if a field should be used or not to calculate the hash

type SSLPassthroughBackend

type SSLPassthroughBackend struct {
	Service *apiv1.Service     `json:"service,omitempty"`
	Port    intstr.IntOrString `json:"port"`
	// Backend describes the endpoints to use.
	Backend string `json:"namespace,omitempty"`
	// Hostname returns the FQDN of the server
	Hostname string `json:"hostname"`
}

SSLPassthroughBackend describes a SSL upstream server configured as passthrough (no TLS termination in the ingress controller) The endpoints must provide the TLS termination exposing the required SSL certificate. The ingress controller only pipes the underlying TCP connection

func (*SSLPassthroughBackend) Equal

Equal tests for equality between two SSLPassthroughBackend types

type Server

type Server struct {
	// Hostname returns the FQDN of the server
	Hostname string `json:"hostname"`
	// SSLPassthrough indicates if the TLS termination is realized in
	// the server or in the remote endpoint
	SSLPassthrough bool `json:"sslPassthrough"`
	// SSLCert describes the certificate that will be used on the server
	SSLCert SSLCert `json:"sslCert"`
	// Locations list of URIs configured in the server.
	Locations []*Location `json:"locations,omitempty"`
	// Alias return the alias of the server name
	Alias string `json:"alias,omitempty"`
	// RedirectFromToWWW returns if a redirect to/from prefix www is required
	RedirectFromToWWW bool `json:"redirectFromToWWW,omitempty"`
	// CertificateAuth indicates the this server requires mutual authentication
	// +optional
	CertificateAuth authtls.Config `json:"certificateAuth"`
	// ServerSnippet returns the snippet of server
	// +optional
	ServerSnippet string `json:"serverSnippet"`
	// SSLCiphers returns list of ciphers to be enabled
	SSLCiphers string `json:"sslCiphers,omitempty"`
	// AuthTLSError contains the reason why the access to a server should be denied
	AuthTLSError string `json:"authTLSError,omitempty"`
}

Server describes a website

func (*Server) Equal

func (s1 *Server) Equal(s2 *Server) bool

Equal tests for equality between two Server types

type SessionAffinityConfig

type SessionAffinityConfig struct {
	AffinityType          string                `json:"name"`
	CookieSessionAffinity CookieSessionAffinity `json:"cookieSessionAffinity"`
}

SessionAffinityConfig describes different affinity configurations for new sessions. Once a session is mapped to a backend based on some affinity setting, it retains that mapping till the backend goes down, or the ingress controller restarts. Exactly one of these values will be set on the upstream, since multiple affinity values are incompatible. Once set, the backend makes no guarantees about honoring updates. +k8s:deepcopy-gen=true

func (*SessionAffinityConfig) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SessionAffinityConfig.

func (*SessionAffinityConfig) DeepCopyInto

func (in *SessionAffinityConfig) DeepCopyInto(out *SessionAffinityConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*SessionAffinityConfig) Equal

Equal tests for equality between two SessionAffinityConfig types

type TrafficShapingPolicy

type TrafficShapingPolicy struct {
	// Weight (0-100) of traffic to redirect to the backend.
	// e.g. Weight 20 means 20% of traffic will be redirected to the backend and 80% will remain
	// with the other backend. 0 weight will not send any traffic to this backend
	Weight int `json:"weight"`
	// Header on which to redirect requests to this backend
	Header string `json:"header"`
	// Cookie on which to redirect requests to this backend
	Cookie string `json:"cookie"`
}

TrafficShapingPolicy describes the policies to put in place when a backend has no server and is used as an alternative backend +k8s:deepcopy-gen=true

func (TrafficShapingPolicy) Equal

Equal checks for equality between two TrafficShapingPolicies

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL