nginxinc · Dean-Coakley · Feb 11, 2021 · Feb 4, 2021 · Feb 4, 2021 · Feb 9, 2021
diff --git a/build/kic_crds/k8s.nginx.org_policies.yaml b/build/kic_crds/k8s.nginx.org_policies.yaml
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.4.0
+    controller-gen.kubebuilder.io/version: v0.4.1
   creationTimestamp: null
   name: policies.k8s.nginx.org
 spec:
@@ -12,114 +12,124 @@ spec:
     listKind: PolicyList
     plural: policies
     shortNames:
-    - pol
+      - pol
     singular: policy
   scope: Namespaced
   versions:
-  - name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: Policy defines a Policy for VirtualServer and VirtualServerRoute
-          resources.
-        type: object
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: PolicySpec is the spec of the Policy resource. The spec includes
-              multiple fields, where each field represents a different policy. Only
-              one policy (field) is allowed.
-            type: object
-            properties:
-              accessControl:
-                description: AccessControl defines an access policy based on the source
-                  IP of a request.
-                type: object
-                properties:
-                  allow:
-                    type: array
-                    items:
-                      type: string
-                  deny:
-                    type: array
-                    items:
-                      type: string
-              egressMTLS:
-                description: EgressMTLS defines an Egress MTLS policy.
-                type: object
-                properties:
-                  ciphers:
-                    type: string
-                  protocols:
-                    type: string
-                  serverName:
-                    type: boolean
-                  sessionReuse:
-                    type: boolean
-                  sslName:
-                    type: string
-                  tlsSecret:
-                    type: string
-                  trustedCertSecret:
-                    type: string
-                  verifyDepth:
-                    type: integer
-                  verifyServer:
-                    type: boolean
-              ingressMTLS:
-                description: IngressMTLS defines an Ingress MTLS policy.
-                type: object
-                properties:
-                  clientCertSecret:
-                    type: string
-                  verifyClient:
-                    type: string
-                  verifyDepth:
-                    type: integer
-              jwt:
-                description: JWTAuth holds JWT authentication configuration.
-                type: object
-                properties:
-                  realm:
-                    type: string
-                  secret:
-                    type: string
-                  token:
-                    type: string
-              rateLimit:
-                description: RateLimit defines a rate limit policy.
-                type: object
-                properties:
-                  burst:
-                    type: integer
-                  delay:
-                    type: integer
-                  dryRun:
-                    type: boolean
-                  key:
-                    type: string
-                  logLevel:
-                    type: string
-                  noDelay:
-                    type: boolean
-                  rate:
-                    type: string
-                  rejectCode:
-                    type: integer
-                  zoneSize:
-                    type: string
-    served: true
-    storage: true
+    - name: v1
+      schema:
+        openAPIV3Schema:
+          description: Policy defines a Policy for VirtualServer and VirtualServerRoute resources.
+          type: object
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: PolicySpec is the spec of the Policy resource. The spec includes multiple fields, where each field represents a different policy. Only one policy (field) is allowed.
+              type: object
+              properties:
+                accessControl:
+                  description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
+                  type: object
+                  properties:
+                    allow:
+                      type: array
+                      items:
+                        type: string
+                    deny:
+                      type: array
+                      items:
+                        type: string
+                egressMTLS:
+                  description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
+                  type: object
+                  properties:
+                    ciphers:
+                      type: string
+                    protocols:
+                      type: string
+                    serverName:
+                      type: boolean
+                    sessionReuse:
+                      type: boolean
+                    sslName:
+                      type: string
+                    tlsSecret:
+                      type: string
+                    trustedCertSecret:
+                      type: string
+                    verifyDepth:
+                      type: integer
+                    verifyServer:
+                      type: boolean
+                ingressMTLS:
+                  description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
+                  type: object
+                  properties:
+                    clientCertSecret:
+                      type: string
+                    verifyClient:
+                      type: string
+                    verifyDepth:
+                      type: integer
+                jwt:
+                  description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
+                  type: object
+                  properties:
+                    realm:
+                      type: string
+                    secret:
+                      type: string
+                    token:
+                      type: string
+                oidc:
+                  description: OIDC defines an Open ID Connect policy.
+                  type: object
+                  properties:
+                    authEndpoint:
+                      type: string
+                    clientID:
+                      type: string
+                    clientSecret:
+                      type: string
+                    jwksURI:
+                      type: string
+                    redirectURI:
+                      type: string
+                    scope:
+                      type: string
+                    tokenEndpoint:
+                      type: string
+                rateLimit:
+                  description: 'RateLimit defines a rate limit policy. policy status: preview'
+                  type: object
+                  properties:
+                    burst:
+                      type: integer
+                    delay:
+                      type: integer
+                    dryRun:
+                      type: boolean
+                    key:
+                      type: string
+                    logLevel:
+                      type: string
+                    noDelay:
+                      type: boolean
+                    rate:
+                      type: string
+                    rejectCode:
+                      type: integer
+                    zoneSize:
+                      type: string
+      served: true
+      storage: true
 status:
   acceptedNames:
     kind: ""

diff --git a/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml b/deploy/crds/k8s.nginx.org_nginxingresscontrollers_crd.yaml
@@ -73,6 +73,9 @@ spec:
                 controller reporting the status of Ingress resources – only one replica
                 will report status.
               type: boolean
+            enablePreviewPolicies:
+              description: Enables preview policies. Requires enableCRDs set to true.
+              type: boolean
             enableSnippets:
               description: Enable custom NGINX configuration snippets in VirtualServer
                 and VirtualServerRoute resources. Requires enableCRDs set to true.

diff --git a/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go b/pkg/apis/k8s/v1alpha1/nginxingresscontroller_types.go
@@ -40,6 +40,11 @@ type NginxIngressControllerSpec struct {
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
 	EnableSnippets bool `json:"enableSnippets"`
+	// Enables preview policies.
+	// Requires enableCRDs set to true.
+	// +kubebuilder:validation:Optional
+	// +operator-sdk:gen-csv:customresourcedefinitions.specDescriptors=true
+	EnablePreviewPolicies bool `json:"enablePreviewPolicies"`
 	// +kubebuilder:validation:Optional
 	// A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its
 	// class (in other words, have the annotation “kubernetes.io/ingress.class”).

diff --git a/pkg/controller/nginxingresscontroller/utils.go b/pkg/controller/nginxingresscontroller/utils.go
@@ -125,6 +125,10 @@ func generatePodArgs(instance *k8sv1alpha1.NginxIngressController) []string {
 		if instance.Spec.EnableSnippets {
 			args = append(args, "-enable-snippets")
 		}
+
+		if instance.Spec.EnablePreviewPolicies {
+			args = append(args, "-enable-preview-policies")
+		}
 	}
 
 	if instance.Spec.NginxReloadTimeout != 0 {

diff --git a/pkg/controller/nginxingresscontroller/utils_test.go b/pkg/controller/nginxingresscontroller/utils_test.go
@@ -5,6 +5,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
 	k8sv1alpha1 "github.com/nginxinc/nginx-ingress-operator/pkg/apis/k8s/v1alpha1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -130,10 +131,11 @@ func TestGeneratePodArgs(t *testing.T) {
 					Namespace: namespace,
 				},
 				Spec: k8sv1alpha1.NginxIngressControllerSpec{
-					EnableCRDs:           true,
-					EnableSnippets:       true,
-					EnableTLSPassthrough: true,
-					GlobalConfiguration:  "my-nginx-ingress/globalconfiguration",
+					EnableCRDs:            true,
+					EnableSnippets:        true,
+					EnablePreviewPolicies: true,
+					EnableTLSPassthrough:  true,
+					GlobalConfiguration:   "my-nginx-ingress/globalconfiguration",
 				},
 			},
 			expected: []string{
@@ -142,6 +144,7 @@ func TestGeneratePodArgs(t *testing.T) {
 				"-enable-tls-passthrough",
 				"-global-configuration=my-nginx-ingress/globalconfiguration",
 				"-enable-snippets",
+				"-enable-preview-policies",
 			},
 		},
 		{
@@ -153,7 +156,6 @@ func TestGeneratePodArgs(t *testing.T) {
 				Spec: k8sv1alpha1.NginxIngressControllerSpec{
 					NginxPlus:           true,
 					DefaultSecret:       "my-nginx-ingress/my-secret",
-					EnableCRDs:          false,
 					IngressClass:        "ingressClass",
 					UseIngressClassOnly: true,
 					WatchNamespace:      "default",
@@ -180,12 +182,14 @@ func TestGeneratePodArgs(t *testing.T) {
 					},
 					EnableLatencyMetrics: true,
 					GlobalConfiguration:  "my-nginx-ingress/globalconfiguration",
-					EnableSnippets:       true,
 					EnableTLSPassthrough: true,
 					AppProtect: &k8sv1alpha1.AppProtect{
 						Enable: true,
 					},
-					NginxReloadTimeout: 5000,
+					NginxReloadTimeout:    5000,
+					EnableCRDs:            false,
+					EnableSnippets:        true,
+					EnablePreviewPolicies: true,
 				},
 			},
 			expected: []string{
@@ -218,8 +222,8 @@ func TestGeneratePodArgs(t *testing.T) {
 
 	for _, test := range tests {
 		result := generatePodArgs(test.instance)
-		if !reflect.DeepEqual(result, test.expected) {
-			t.Errorf("generatePodArgs(%+v) returned \n %v but expected \n %v", test.instance, result, test.expected)
+		if diff := cmp.Diff(test.expected, result); diff != "" {
+			t.Errorf("generatePodArgs(%+v) mismatch (-want +got):\n%s", test.instance, diff)
 		}
 	}
 }