diff --git a/build/kic_crds/k8s.nginx.org_policies.yaml b/build/kic_crds/k8s.nginx.org_policies.yaml index 5325dcb6..c4125a1a 100644 --- a/build/kic_crds/k8s.nginx.org_policies.yaml +++ b/build/kic_crds/k8s.nginx.org_policies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.4.1 creationTimestamp: null name: policies.k8s.nginx.org spec: 
@@ -12,114 +12,124 @@ spec: listKind: PolicyList plural: policies shortNames: - - pol + - pol singular: policy scope: Namespaced versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Policy defines a Policy for VirtualServer and VirtualServerRoute - resources. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: PolicySpec is the spec of the Policy resource. The spec includes - multiple fields, where each field represents a different policy. Only - one policy (field) is allowed. - type: object - properties: - accessControl: - description: AccessControl defines an access policy based on the source - IP of a request. - type: object - properties: - allow: - type: array - items: - type: string - deny: - type: array - items: - type: string - egressMTLS: - description: EgressMTLS defines an Egress MTLS policy. - type: object - properties: - ciphers: - type: string - protocols: - type: string - serverName: - type: boolean - sessionReuse: - type: boolean - sslName: - type: string - tlsSecret: - type: string - trustedCertSecret: - type: string - verifyDepth: - type: integer - verifyServer: - type: boolean - ingressMTLS: - description: IngressMTLS defines an Ingress MTLS policy. 
- type: object - properties: - clientCertSecret: - type: string - verifyClient: - type: string - verifyDepth: - type: integer - jwt: - description: JWTAuth holds JWT authentication configuration. - type: object - properties: - realm: - type: string - secret: - type: string - token: - type: string - rateLimit: - description: RateLimit defines a rate limit policy. - type: object - properties: - burst: - type: integer - delay: - type: integer - dryRun: - type: boolean - key: - type: string - logLevel: - type: string - noDelay: - type: boolean - rate: - type: string - rejectCode: - type: integer - zoneSize: - type: string - served: true - storage: true + - name: v1 + schema: + openAPIV3Schema: + description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed. + type: object + properties: + accessControl: + description: 'AccessControl defines an access policy based on the source IP of a request. 
policy status: production-ready' + type: object + properties: + allow: + type: array + items: + type: string + deny: + type: array + items: + type: string + egressMTLS: + description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview' + type: object + properties: + ciphers: + type: string + protocols: + type: string + serverName: + type: boolean + sessionReuse: + type: boolean + sslName: + type: string + tlsSecret: + type: string + trustedCertSecret: + type: string + verifyDepth: + type: integer + verifyServer: + type: boolean + ingressMTLS: + description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview' + type: object + properties: + clientCertSecret: + type: string + verifyClient: + type: string + verifyDepth: + type: integer + jwt: + description: 'JWTAuth holds JWT authentication configuration. policy status: preview' + type: object + properties: + realm: + type: string + secret: + type: string + token: + type: string + oidc: + description: OIDC defines an Open ID Connect policy. + type: object + properties: + authEndpoint: + type: string + clientID: + type: string + clientSecret: + type: string + jwksURI: + type: string + redirectURI: + type: string + scope: + type: string + tokenEndpoint: + type: string + rateLimit: + description: 'RateLimit defines a rate limit policy. policy status: preview' + type: object + properties: + burst: + type: integer + delay: + type: integer + dryRun: + type: boolean + key: + type: string + logLevel: + type: string + noDelay: + type: boolean + rate: + type: string + rejectCode: + type: integer + zoneSize: + type: string + served: true + storage: true status: acceptedNames: kind: "" diff --git a/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml b/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml index 11cfd3b8..83427bb9 100644 --- a/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml +++ b/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml 
@@ -73,6 +73,9 @@ spec: controller reporting the status of Ingress resources – only one replica will report status. type: boolean + enablePreviewPolicies: + description: Enables preview policies. Requires enableCRDs set to true. + type: boolean enableSnippets: description: Enable custom NGINX configuration snippets in VirtualServer and VirtualServerRoute resources. Requires enableCRDs set to true. diff --git a/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go b/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go index 5a8c7e2a..3194bb0c 100644 --- a/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go +++ b/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go @@ -40,6 +40,11 @@ type NginxIngressControllerSpec struct { // +kubebuilder:validation:Optional // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true EnableSnippets bool `json:"enableSnippets"` + // Enables preview policies. + // Requires enableCRDs set to true. + // +kubebuilder:validation:Optional + // +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true + EnablePreviewPolicies bool `json:"enablePreviewPolicies"` // +kubebuilder:validation:Optional // A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its // class (in other words, have the annotation “kubernetes.io/ingress.class”). diff --git a/pkg/controller/nginxingresscontroller/utils.go b/pkg/controller/nginxingresscontroller/utils.go index 9d516463..adb428ae 100644 --- a/pkg/controller/nginxingresscontroller/utils.go +++ b/pkg/controller/nginxingresscontroller/utils.go @@ -125,6 +125,10 @@ func generatePodArgs(instance *k8sv1alpha1.NginxIngressController) []string { if instance.Spec.EnableSnippets { args = append(args, "-enable-snippets") } + + if instance.Spec.EnablePreviewPolicies { + args = append(args, "-enable-preview-policies") + } } if instance.Spec.NginxReloadTimeout != 0 { 
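Review bot: The doc comment on the new `EnablePreviewPolicies` field says only "Enables preview policies", which tells an operator author neither which policies are gated nor what happens when the precondition is not met. The policies CRD in this same diff labels egressMTLS, ingressMTLS, jwt and rateLimit as `policy status: preview`, and the utils.go hunk appears to pass the flag only when `EnableCRDs` is also set, so both facts belong on the field since the CRD description is generated from this comment. I would write `// Enables preview policies (the Policy types marked "policy status: preview" in the policies CRD, e.g. egressMTLS, ingressMTLS, jwt, rateLimit).` followed by `// Requires enableCRDs set to true; without it the flag is not passed to the controller.` The `NginxIngressControllerSpec` struct starts and ends outside the hunk.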
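Review bot: When `EnablePreviewPolicies` is true but `EnableCRDs` is false, the new `-enable-preview-policies` flag is silently dropped, because the added `if` sits inside the `EnableCRDs` branch (inferred from the closing brace that follows it and from the test case on the next page that sets exactly that combination). Several of the gated policies are authentication controls — ingressMTLS and jwt per the policies CRD in this diff — so a user who enables them this way gets no enforcement and no signal that the setting was ignored. The doc string says "Requires enableCRDs set to true", but nothing checks it; I would at least log a warning (or emit an event) from the reconciler when the two fields disagree, and add `// preview policies are only meaningful when CRDs are enabled; the flag is intentionally omitted otherwise` above the new `if` so the dependency is visible here too. `generatePodArgs` begins before the hunk and continues after it.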
diff --git a/pkg/controller/nginxingresscontroller/utils_test.go b/pkg/controller/nginxingresscontroller/utils_test.go index 60a74355..f8d8069c 100644 --- a/pkg/controller/nginxingresscontroller/utils_test.go +++ b/pkg/controller/nginxingresscontroller/utils_test.go @@ -5,6 +5,7 @@ import ( "reflect" "testing" + "github.com/google/go-cmp/cmp" k8sv1alpha1 "github.com/nginxinc/nginx-ingress-operator/pkg/apis/k8s/v1alpha1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -130,10 +131,11 @@ func TestGeneratePodArgs(t *testing.T) { Namespace: namespace, }, Spec: k8sv1alpha1.NginxIngressControllerSpec{ - EnableCRDs: true, - EnableSnippets: true, - EnableTLSPassthrough: true, - GlobalConfiguration: "my-nginx-ingress/globalconfiguration", + EnableCRDs: true, + EnableSnippets: true, + EnablePreviewPolicies: true, + EnableTLSPassthrough: true, + GlobalConfiguration: "my-nginx-ingress/globalconfiguration", }, }, expected: []string{ @@ -142,6 +144,7 @@ func TestGeneratePodArgs(t *testing.T) { "-enable-tls-passthrough", "-global-configuration=my-nginx-ingress/globalconfiguration", "-enable-snippets", + "-enable-preview-policies", }, }, { @@ -153,7 +156,6 @@ func TestGeneratePodArgs(t *testing.T) { Spec: k8sv1alpha1.NginxIngressControllerSpec{ NginxPlus: true, DefaultSecret: "my-nginx-ingress/my-secret", - EnableCRDs: false, IngressClass: "ingressClass", UseIngressClassOnly: true, WatchNamespace: "default", @@ -180,12 +182,14 @@ func TestGeneratePodArgs(t *testing.T) { }, EnableLatencyMetrics: true, GlobalConfiguration: "my-nginx-ingress/globalconfiguration", - EnableSnippets: true, EnableTLSPassthrough: true, AppProtect: &k8sv1alpha1.AppProtect{ Enable: true, }, - NginxReloadTimeout: 5000, + NginxReloadTimeout: 5000, + EnableCRDs: false, + EnableSnippets: true, + EnablePreviewPolicies: true, }, }, expected: []string{ 
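Review bot: The first hunk introduces `github.com/google/go-cmp/cmp` as a direct test import, but no `go.mod`/`go.sum` change is visible in this diff. If go-cmp is currently only an indirect requirement (it commonly is via the k8s libraries), the build will still pass but `go mod tidy` will rewrite `go.mod` on the next run; if it is not required at all, `go test` fails to resolve the import. Worth confirming the module files are updated in the same commit so the dependency is pinned and reviewable rather than picked up implicitly.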
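Review bot: The last hunk moves `EnableCRDs: false` next to `EnableSnippets: true` and `EnablePreviewPolicies: true`, which reads as the regression guard for "these flags are ignored without CRDs", but nothing in the hunk states that intent and the `expected` slice that would prove it lies outside the hunk. A one-line comment on the grouped fields, e.g. `// enableCRDs=false: snippets and preview policies must not produce flags`, would keep the next editor from "fixing" the case by adding the flags to `expected`. This is presumably the only case that exercises the negative path, so it is worth making that explicit.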
@@ -218,8 +222,8 @@ func TestGeneratePodArgs(t *testing.T) { for _, test := range tests { result := generatePodArgs(test.instance) - if !reflect.DeepEqual(result, test.expected) { - t.Errorf("generatePodArgs(%+v) returned \n %v but expected \n %v", test.instance, result, test.expected) + if diff := cmp.Diff(test.expected, result); diff != "" { + t.Errorf("generatePodArgs(%+v) mismatch (-want +got):\n%s", test.instance, diff) } } }
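Review bot: The new failure message still formats `test.instance` with `%+v`, which dumps the entire `NginxIngressController` struct ahead of the diff that `cmp.Diff` already provides, making the useful part hard to find. Since the test cases visible on the previous page carry no name field, I would add a `name string` to the case struct and run each case under `t.Run(test.name, ...)` so the message can be just `t.Errorf("generatePodArgs() mismatch (-want +got):\n%s", diff)`. The `(-want +got)` convention is correct for `cmp.Diff(test.expected, result)`, so that part reads fine.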