Unified nghttpx secret
This commit introduces a new nghttpx Secret.  The Secret previously
specified by the quic-keying-materials-secret flag is integrated into
this new Secret.  The name of the new Secret defaults to nghttpx-secret
and can be configured by the nghttpx-secret flag.  The
quic-keying-materials-secret flag has been removed.

Refer to the HTTP/3 section of README.md for the migration from the
previous release.
tatsuhiro-t committed Feb 2, 2024
1 parent c917f31 commit ce5614e
Showing 6 changed files with 253 additions and 132 deletions.
9 changes: 9 additions & 0 deletions README.md
Expand Up @@ -188,6 +188,15 @@ Pod. The controller maintains the secret as a whole, and it should
not be altered by an external tool or user. nghttpx listens on UDP
port specified by `--nghttpx-https-port` flag.

> [!WARNING]
> As of v0.66.0, Secret is integrated to the one specified by
> `--nghttpx-secret` flag, and `--quic-keying-materials-secret` flag
> has been removed. The default value is also changed. Previously,
> it is `nghttpx-quic-km` but now `nghttpx-km`. To migrate from the
> previous release, before upgrading nghttpx-ingress-controller to
> v0.66.0, copy Secret `nghttpx-quic-km` to `nghttpx-km`, and upgrade
> nghttpx-ingress-controller.

HTTP/3 requires writing Secret and extra capabilities to load eBPF
program. For writing Secret, you might need to add the following
entry to ClusterRole:
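Review bot: the migration steps in the warning (copy `nghttpx-quic-km` to `nghttpx-km` before upgrading to v0.66.0) are actionable, but the opening sentence "Secret is integrated to the one specified by `--nghttpx-secret` flag" never names which Secret is being integrated; say explicitly that it is the QUIC keying materials Secret, and use past tense for the old default ("Previously it was `nghttpx-quic-km`"). The surrounding text still frames Secret write access as an HTTP/3-only requirement, yet the new `--nghttpx-secret` flag help in main.go says the controller creates the Secret when it is not found; if that now happens whether or not `--http3` is set, the ClusterRole note that follows should no longer be scoped to HTTP/3.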
66 changes: 33 additions & 33 deletions cmd/nghttpx-ingress-controller/main.go
Expand Up @@ -62,37 +62,37 @@ var (
gitRepo = ""

// Command-line flags
defaultSvc string
ngxConfigMap string
kubeconfig string
watchNamespace = metav1.NamespaceAll
healthzPort = int32(11249)
nghttpxHealthPort = int32(10901)
nghttpxAPIPort = int32(10902)
profiling = true
allowInternalIP = false
defaultTLSSecret string
ingressClass = "nghttpx"
ingressClassController = "zlab.co.jp/nghttpx"
nghttpxConfDir = "/etc/nghttpx"
nghttpxExecPath = "/usr/local/bin/nghttpx"
nghttpxHTTPPort = int32(80)
nghttpxHTTPSPort = int32(443)
fetchOCSPRespFromSecret = false
proxyProto = false
ocspRespKey = "tls.ocsp-resp"
publishSvc string
endpointSlices = true
reloadRate = 1.0
reloadBurst = 1
noDefaultBackendOverride = false
deferredShutdownPeriod time.Duration
configOverrides clientcmd.ConfigOverrides
internalDefaultBackend = false
http3 = false
quicKeyingMaterialsSecret = "nghttpx-quic-km"
reconcileTimeout = 10 * time.Minute
leaderElectionConfig = componentbaseconfig.LeaderElectionConfiguration{
defaultSvc string
ngxConfigMap string
kubeconfig string
watchNamespace = metav1.NamespaceAll
healthzPort = int32(11249)
nghttpxHealthPort = int32(10901)
nghttpxAPIPort = int32(10902)
profiling = true
allowInternalIP = false
defaultTLSSecret string
ingressClass = "nghttpx"
ingressClassController = "zlab.co.jp/nghttpx"
nghttpxConfDir = "/etc/nghttpx"
nghttpxExecPath = "/usr/local/bin/nghttpx"
nghttpxHTTPPort = int32(80)
nghttpxHTTPSPort = int32(443)
fetchOCSPRespFromSecret = false
proxyProto = false
ocspRespKey = "tls.ocsp-resp"
publishSvc string
endpointSlices = true
reloadRate = 1.0
reloadBurst = 1
noDefaultBackendOverride = false
deferredShutdownPeriod time.Duration
configOverrides clientcmd.ConfigOverrides
internalDefaultBackend = false
http3 = false
nghttpxSecret = "nghttpx-km"
reconcileTimeout = 10 * time.Minute
leaderElectionConfig = componentbaseconfig.LeaderElectionConfiguration{
LeaseDuration: metav1.Duration{Duration: 15 * time.Second},
RenewDeadline: metav1.Duration{Duration: 10 * time.Second},
RetryPeriod: metav1.Duration{Duration: 2 * time.Second},
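Review bot: the default set in this var block, `nghttpxSecret = "nghttpx-km"`, contradicts the commit message, which says the new Secret defaults to `nghttpx-secret`; the README warning agrees with the code, so the commit message is the one that needs correcting before this lands. The rest of the hunk is a gofmt re-alignment with no semantic change (the shorter identifier narrows the column width), which is why every line of the `var` block shows as removed and re-added; the only substantive edit is the rename plus the default changing from `nghttpx-quic-km` to `nghttpx-km`.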
Expand Down Expand Up @@ -189,7 +189,7 @@ func main() {

rootCmd.Flags().BoolVar(&http3, "http3", http3, `Enable HTTP/3. This makes nghttpx listen to UDP port specified by nghttpx-https-port for HTTP/3 traffic.`)

rootCmd.Flags().StringVar(&quicKeyingMaterialsSecret, "quic-keying-materials-secret", quicKeyingMaterialsSecret, `The name of Secret resource which contains QUIC keying materials for nghttpx. The resource must belong to the same namespace as the controller Pod.`)
rootCmd.Flags().StringVar(&nghttpxSecret, "nghttpx-secret", nghttpxSecret, `The name of Secret resource which contains the keying materials for nghttpx. The resource must belong to the same namespace as the controller Pod. If it is not found, the controller will create new one.`)

rootCmd.Flags().DurationVar(&reconcileTimeout, "reconcile-timeout", reconcileTimeout,
`A timeout for a single reconciliation. It is a safe guard to prevent a reconciliation from getting stuck indefinitely.`)
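Review bot: `--quic-keying-materials-secret` is removed outright rather than deprecated, so any existing deployment that still passes it will fail flag parsing at startup with no hint about the replacement; consider keeping it for one release as a hidden alias that writes into `nghttpxSecret` and marking it with pflag's `MarkDeprecated` so users see the new flag name, or at minimum state the hard break in the `--nghttpx-secret` help text. Minor wording in the new help string: "will create new one" should read "will create a new one".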
Expand Down Expand Up @@ -369,6 +369,7 @@ func run(ctx context.Context, _ *cobra.Command, _ []string) {
NghttpxWorkers: nghttpxWorkers,
NghttpxWorkerProcessGraceShutdownPeriod: nghttpxWorkerProcessGraceShutdownPeriod,
NghttpxMaxWorkerProcesses: nghttpxMaxWorkerProcesses,
NghttpxSecret: types.NamespacedName{Name: nghttpxSecret, Namespace: thisPod.Namespace},
DefaultTLSSecret: defaultTLSSecretKey,
IngressClassController: ingressClassController,
AllowInternalIP: allowInternalIP,
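Review bot: `NghttpxSecret` is passed as a `types.NamespacedName` value, whereas the field it replaces was a pointer (`&types.NamespacedName{...}` in the next hunk), so a nil value can no longer signal "no Secret configured"; that is acceptable only if the controller rejects an empty `Name`, because an empty `--nghttpx-secret` would otherwise yield a reference with an empty name in `thisPod.Namespace` and the "create it if not found" path in the flag help would attempt to create a nameless Secret. Add a startup validation that the flag value is non-empty.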
Expand All @@ -384,7 +385,6 @@ func run(ctx context.Context, _ *cobra.Command, _ []string) {
HealthzPort: healthzPort,
InternalDefaultBackend: internalDefaultBackend,
HTTP3: http3,
QUICKeyingMaterialsSecret: &types.NamespacedName{Name: quicKeyingMaterialsSecret, Namespace: thisPod.Namespace},
ReconcileTimeout: reconcileTimeout,
LeaderElectionConfig: leaderElectionConfig,
RequireIngressClass: requireIngressClass,
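Review bot: dropping `QUICKeyingMaterialsSecret` from this struct literal must be paired with deleting the field from the controller's config type and every code path that read it; only two of the six changed files are shown on this page, so confirm the remaining files remove the field rather than leaving a pointer that is now never populated, since any surviving dereference of it would panic at runtime once HTTP/3 is enabled.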