Merge pull request #296 from zlabjp/unified-nghttpx-secret
Unified nghttpx secret
tatsuhiro-t authored Feb 2, 2024
2 parents c917f31 + 9d01f45 commit 8f9ad55
Showing 9 changed files with 322 additions and 165 deletions.
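--- a/README.md
+++ b/README.md
@@ -188,23 +188,17 @@ Pod. The controller maintains the secret as a whole, and it should
 not be altered by an external tool or user. nghttpx listens on UDP
 port specified by `--nghttpx-https-port` flag.
 
-HTTP/3 requires writing Secret and extra capabilities to load eBPF
-program. For writing Secret, you might need to add the following
-entry to ClusterRole:
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-...
-rules:
-- apiGroups: [""]
-resources: ["secrets"]
-verbs: ["create", "update", "patch"]
-...
-```
-
-Add the following capabilities to the nghttpx-ingress-controller
-container:
+> [!WARNING]
+> As of v0.66.0, Secret is integrated to the one specified by
+> `--nghttpx-secret` flag, and `--quic-keying-materials-secret` flag
+> has been removed. The default value is also changed. Previously,
+> it is `nghttpx-quic-km` but now `nghttpx-km`. To migrate from the
+> previous release, before upgrading nghttpx-ingress-controller to
+> v0.66.0, copy Secret `nghttpx-quic-km` to `nghttpx-km`, and upgrade
+> nghttpx-ingress-controller.
+
+HTTP/3 requires the extra capabilities to load eBPF program. Add the
+following capabilities to the nghttpx-ingress-controller container:
 
 ```yaml
 apiVersion: apps/v1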
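--- a/cmd/nghttpx-ingress-controller/main.go
+++ b/cmd/nghttpx-ingress-controller/main.go
@@ -62,37 +62,37 @@ var (
 gitRepo = ""
 
 // Command-line flags
-defaultSvc string
-ngxConfigMap string
-kubeconfig string
-watchNamespace = metav1.NamespaceAll
-healthzPort = int32(11249)
-nghttpxHealthPort = int32(10901)
-nghttpxAPIPort = int32(10902)
-profiling = true
-allowInternalIP = false
-defaultTLSSecret string
-ingressClass = "nghttpx"
-ingressClassController = "zlab.co.jp/nghttpx"
-nghttpxConfDir = "/etc/nghttpx"
-nghttpxExecPath = "/usr/local/bin/nghttpx"
-nghttpxHTTPPort = int32(80)
-nghttpxHTTPSPort = int32(443)
-fetchOCSPRespFromSecret = false
-proxyProto = false
-ocspRespKey = "tls.ocsp-resp"
-publishSvc string
-endpointSlices = true
-reloadRate = 1.0
-reloadBurst = 1
-noDefaultBackendOverride = false
-deferredShutdownPeriod time.Duration
-configOverrides clientcmd.ConfigOverrides
-internalDefaultBackend = false
-http3 = false
-quicKeyingMaterialsSecret = "nghttpx-quic-km"
-reconcileTimeout = 10 * time.Minute
-leaderElectionConfig = componentbaseconfig.LeaderElectionConfiguration{
+defaultSvc string
+ngxConfigMap string
+kubeconfig string
+watchNamespace = metav1.NamespaceAll
+healthzPort = int32(11249)
+nghttpxHealthPort = int32(10901)
+nghttpxAPIPort = int32(10902)
+profiling = true
+allowInternalIP = false
+defaultTLSSecret string
+ingressClass = "nghttpx"
+ingressClassController = "zlab.co.jp/nghttpx"
+nghttpxConfDir = "/etc/nghttpx"
+nghttpxExecPath = "/usr/local/bin/nghttpx"
+nghttpxHTTPPort = int32(80)
+nghttpxHTTPSPort = int32(443)
+fetchOCSPRespFromSecret = false
+proxyProto = false
+ocspRespKey = "tls.ocsp-resp"
+publishSvc string
+endpointSlices = true
+reloadRate = 1.0
+reloadBurst = 1
+noDefaultBackendOverride = false
+deferredShutdownPeriod time.Duration
+configOverrides clientcmd.ConfigOverrides
+internalDefaultBackend = false
+http3 = false
+nghttpxSecret = "nghttpx-km"
+reconcileTimeout = 10 * time.Minute
+leaderElectionConfig = componentbaseconfig.LeaderElectionConfiguration{
 LeaseDuration: metav1.Duration{Duration: 15 * time.Second},
 RenewDeadline: metav1.Duration{Duration: 10 * time.Second},
 RetryPeriod: metav1.Duration{Duration: 2 * time.Second},
@@ -189,7 +189,7 @@ func main() {
 
 rootCmd.Flags().BoolVar(&http3, "http3", http3, `Enable HTTP/3. This makes nghttpx listen to UDP port specified by nghttpx-https-port for HTTP/3 traffic.`)
 
-rootCmd.Flags().StringVar(&quicKeyingMaterialsSecret, "quic-keying-materials-secret", quicKeyingMaterialsSecret, `The name of Secret resource which contains QUIC keying materials for nghttpx. The resource must belong to the same namespace as the controller Pod.`)
+rootCmd.Flags().StringVar(&nghttpxSecret, "nghttpx-secret", nghttpxSecret, `The name of Secret resource which contains the keying materials for nghttpx. The resource must belong to the same namespace as the controller Pod. If it is not found, the controller will create new one.`)
 
 rootCmd.Flags().DurationVar(&reconcileTimeout, "reconcile-timeout", reconcileTimeout,
 `A timeout for a single reconciliation. It is a safe guard to prevent a reconciliation from getting stuck indefinitely.`)
@@ -369,6 +369,7 @@ func run(ctx context.Context, _ *cobra.Command, _ []string) {
 NghttpxWorkers: nghttpxWorkers,
 NghttpxWorkerProcessGraceShutdownPeriod: nghttpxWorkerProcessGraceShutdownPeriod,
 NghttpxMaxWorkerProcesses: nghttpxMaxWorkerProcesses,
+NghttpxSecret: types.NamespacedName{Name: nghttpxSecret, Namespace: thisPod.Namespace},
 DefaultTLSSecret: defaultTLSSecretKey,
 IngressClassController: ingressClassController,
 AllowInternalIP: allowInternalIP,
@@ -384,7 +385,6 @@ func run(ctx context.Context, _ *cobra.Command, _ []string) {
 HealthzPort: healthzPort,
 InternalDefaultBackend: internalDefaultBackend,
 HTTP3: http3,
-QUICKeyingMaterialsSecret: &types.NamespacedName{Name: quicKeyingMaterialsSecret, Namespace: thisPod.Namespace},
 ReconcileTimeout: reconcileTimeout,
 LeaderElectionConfig: leaderElectionConfig,
 RequireIngressClass: requireIngressClass,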
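Review bot: The `quic-keying-materials-secret` flag is removed outright at the `rootCmd.Flags().StringVar(&nghttpxSecret, "nghttpx-secret", ...)` line, so a deployment that still passes the old flag will fail at startup (cobra/pflag reject unknown flags by default) with nothing in the binary pointing at the replacement; only the README warning covers the migration. Consider keeping the old name for one release as a deprecated alias bound to the same variable: `rootCmd.Flags().StringVar(&nghttpxSecret, "quic-keying-materials-secret", nghttpxSecret, "Deprecated: use --nghttpx-secret.")` followed by `_ = rootCmd.Flags().MarkDeprecated("quic-keying-materials-secret", "use --nghttpx-secret instead")`. Because the default also changed from `nghttpx-quic-km` to `nghttpx-km`, an operator who passes neither flag presumably gets a freshly created Secret rather than the one they had, so the new help text could say so explicitly, e.g. append `Note that the default name changed from nghttpx-quic-km in v0.66.0; see README for migration.` to the usage string. Both `main` and `run` begin and end outside these hunks.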
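--- a/examples/default/service-account.yaml
+++ b/examples/default/service-account.yaml
@@ -21,22 +21,46 @@ rules:
 - apiGroups: ["discovery.k8s.io"]
 resources: ["endpointslices"]
 verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: ingress
+subjects:
+- kind: ServiceAccount
+name: ingress
+namespace: kube-system
+roleRef:
+kind: ClusterRole
+name: ingress
+apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: ingress
+namespace: kube-system
+rules:
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["create", "update", "patch"]
 - apiGroups: ["events.k8s.io"]
 resources: ["events"]
 verbs: ["create", "patch"]
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: ingress
+namespace: kube-system
 subjects:
 - kind: ServiceAccount
 name: ingress
 namespace: kube-system
 roleRef:
-kind: ClusterRole
+kind: Role
 name: ingress
 apiGroup: rbac.authorization.k8s.io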
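Review bot: The new Role's `- apiGroups: [""]` / `resources: ["secrets"]` rule grants `create`, `update` and `patch` on every Secret in kube-system, while the controller only needs to write the one named by `--nghttpx-secret` (default `nghttpx-km`); with this grant, a compromised controller Pod can overwrite any other Secret in the namespace. `update` and `patch` can be pinned with `resourceNames`, and since RBAC cannot restrict `create` by name, that verb has to stay in a separate rule without `resourceNames`. The same unrestricted rule shape is added in examples/proxyproto/02-nghttpx-rbac.yaml, whose `rules:` block starts outside its hunks so it is not visible whether it lands in a Role or a ClusterRole. Operators who override `--nghttpx-secret` must change `resourceNames` to match, which is worth a one-line comment in the manifest.
```yaml
# … unchanged: Role header, events.k8s.io and coordination.k8s.io rules …
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  # Must match the value of --nghttpx-secret.
  resourceNames: ["nghttpx-km"]
  verbs: ["update", "patch"]
```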
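--- a/examples/proxyproto/02-nghttpx-rbac.yaml
+++ b/examples/proxyproto/02-nghttpx-rbac.yaml
@@ -43,13 +43,6 @@ rules:
 - get
 - list
 - watch
-- apiGroups:
-- "events.k8s.io"
-resources:
-- events
-verbs:
-- create
-- patch
 - apiGroups:
 - "networking.k8s.io"
 resources:
@@ -107,6 +100,21 @@ rules:
 - get
 - create
 - update
+- apiGroups:
+- ""
+resources:
+- secrets
+verbs:
+- create
+- update
+- patch
+- apiGroups:
+- "events.k8s.io"
+resources:
+- events
+verbs:
+- create
+- patch
 - apiGroups:
 - "coordination.k8s.io"
 resources: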