alibaba / tengine-ingress Goto Github PK

Tengine Ingress Controller for Kubernetes

License: Apache License 2.0

Makefile 1.13% Shell 5.93% Dockerfile 1.47% HCL 0.50% Go 82.53% Smarty 0.20% Python 0.35% HTML 0.01% Starlark 0.25% Lua 7.60% Awk 0.04%

ingress tengine ingress-controller kubernetes http3 quic

tengine-ingress's Introduction

Tengine-Ingress

Visit tengine.taobao.org for the full documentation, examples and guides.

Overview

Tengine-Ingress is an Ingress controller for Kubernetes using Tengine as a reverse proxy and load balancer. Tengine-Ingress supports the standard Ingress specification based on kubernetes/ingress-nginx repo.

Features

Ingress specification support.
Dynamically configure the servers, locations and upstreams for Ingress, Secret, Service and Endpoint changes, without reloading or restarting worker processes.
HTTP/3 support (QUIC v1 and draft-29).
Dynamically configure different TLS protocols for different ingress.
Dynamically configure multiple default TLS certificates for client-hello without SNI.
Support for hybrid ECC and RSA certificates for the same ingress/path.
Dynamically configure certificates and keys.
Dynamically configure canary routing based on multiple values of a specific header, cookie or query parameter.
Dynamically configure canary routing based on multiple upstream according to weight.
Dynamically configure canary routing based on modulo operation for a specific header, cookie or query parameter.
Dynamically configure timeout setting, SSL Redirects, CORS and enabling/disabling robots for the ingress/path.
Dynamically configure canary routing to add/append custom headers or add query parameter to the HTTP request.
Dynamically configure canary routing to add custom headers to the HTTP response.
Supports watching Ingress and Secrets in a dedicated storage k8s cluster via kubeconfig.
Watch changes in Ingress and Secrets and do rolling upgrades for associated StatefulSet of Tengine-Ingress, without tengine reload.
New CRD IngressCheckSum and SecretCheckSum to verify the integrity of Ingress and Secret in the cluster.

Installation

Docker images

Supported linux distributions:

Supported tags:

1.1.0 : based on image Anolis
1.1.0-alpine : based on image Alpine

Supported architectures:

AMD64, ARM64

Pull image command:

docker pull tengine-ingress-registry.cn-hangzhou.cr.aliyuncs.com/tengine/tengine-ingress:1.1.0

Building from source

The tengine-ingress image is based on the tengine image.

Supported Linux distributions:

Anolis : build arg BASE_IMAGE="docker.io/openanolis/anolisos:latest", LINUX_RELEASE="anolisos"
Alpine : build arg BASE_IMAGE="alpine:latest", LINUX_RELEASE="alpine"

Build image command:

# First: build tengine image
docker build --no-cache --build-arg BASE_IMAGE="docker.io/openanolis/anolisos:latest" --build-arg LINUX_RELEASE="anolisos" -t tengine:3.1.0 images/tengine/rootfs/

# Second: build tengine-ingress image
docker build --no-cache --build-arg BASE_IMAGE="tengine:3.1.0" --build-arg VERSION="1.1.0" -f build/Dockerfile -t tengine-ingress:1.1.0 .

Changelog

See the list of releases to find out about feature changes. For detailed changes for each release; please check the Changelog.tengine.md file.

Supported Versions table

	Tengine-Ingress Version	Tengine Version	K8s Supported Version	Anolis Linux Version	Alpine Linux Version	Helm Chart Version
🔄	v1.1.0	v3.1.0	1.28,1.27,1.26,1.25 1.24,1.23,1.22,1.21 1.20	8.6	3.18.4
🔄	v1.0.0	v3.0.0	1.27,1.26,1.25,1.24 1.23,1.22,1.21,1.20	8.6	3.18.2

Documentation

The homepage of Tengine-Ingress is at https://tengine.taobao.org.

Contact

https://github.com/alibaba/tengine-ingress/issues

Dingtalk user group: 23394285

License

Apache License 2.0

tengine-ingress's People

Contributors

Stargazers

Watchers

Forkers

lianglli tengine-opensource drawing frank-zsy alanjiang guoyhang eailoo lemon9921010 ahh0623 ignatius-n shengwang52005 gotogin styluxlive charygao ryanbekabe

tengine-ingress's Issues

Supports multi-ssl protocols for different ingress (domain)

Supports appending HTTP headers of the user request to upstream based on canary routing of header, cookie or query

请帮忙给出https双向认证的配置写法，以及指定nginx.conf server位置的写法哈。或者指定配置前端html指定目录也行

ingress配置如下双向认证无效了。还有 ingress指定配置 nginx.ingress.kubernetes.io/server-snippet: 也无效了。例如：

kind: Ingress
metadata:
name: log
namespace: default
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
====
nginx.ingress.kubernetes.io/server-snippet: |
add_header nginxingress 888;
gzip_static on;
gzip_proxied expired no-cache no-store private auth;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.0;
gzip_comp_level 9;
gzip_types text/plain application/javascript text/css application/xml text/javascript application/json font/woff image/jpeg image/gif image/png;
gzip_vary on;

@drawing 请帮忙给出https双向认证的配置写法，以及指定nginx.conf server位置的写法哈。或者指定配置前端html指定目录也行
.另外configmap 加入 tengine-reload: 'true' ，tengine-static-service-cfg: 'true' 后容器日志显示 duplicate location "/robots.txt"

Error: exit status 1
2023/08/06 18:56:19 [warn] 857#857: protocol options redefined for 0.0.0.0:443 in /tmp/nginx-cfg2360560639:2760
nginx: [warn] protocol options redefined for 0.0.0.0:443 in /tmp/nginx-cfg2360560639:2760
2023/08/06 18:56:19 [warn] 857#857: protocol options redefined for [::]:443 in /tmp/nginx-cfg2360560639:2761
nginx: [warn] protocol options redefined for [::]:443 in /tmp/nginx-cfg2360560639:2761
2023/08/06 18:56:19 [emerg] 857#857: duplicate location "/robots.txt" in /tmp/nginx-cfg2360560639:894
nginx: [emerg] duplicate location "/robots.txt" in /tmp/nginx-cfg2360560639:894
nginx: configuration file /tmp/nginx-cfg2360560639 test failed

Supports routing priority of multi canary ingresses for the ingress and path

nginx.ingress.kubernetes.io/canary-priority-list

Supports canary routing of modulo operation (mod) based on value of header

nginx.ingress.kubernetes.io/canary-mod-divisor

nginx.ingress.kubernetes.io/canary-mod-relational-operator

nginx.ingress.kubernetes.io/canary-mod-remainder

Supports ingressclass

Supports canary routing with multiple values for one cookie

nginx.ingress.kubernetes.io/canary-by-cookie-value

Supports different ingress and canary ingress with the same backend

Configmap add a config for user (root / admin) of Tengine worker processes

If the user of Tengine work process is root, the xquic lib will be listen on 443 (< 1024) for HTTP/3.

Supports canary routing with multiple values for one query param

Supports multi canary ingress with same upstream for one host

Supports canary routing with multiple values for one header

nginx.ingress.kubernetes.io/canary-by-header-value

Watch changes in Ingress and Secrets and do rolling upgrades in one time

Supports adding HTTP query parameter of the user request to upstream based on canary routing of header, cookie or query

nginx.ingress.kubernetes.io/canary-request-add-query

config "use-ingress-storage-cluster" of configmap is not working

Do not wait for informers to read the configmap configuration

Tengine-Ingress should read configmap firstly.

Use config in configmap for watching ingress and secret to a Kubernetes cluster as a dedicated storage cluster during startup.

Supports multiple origins for CORS

Supports appending HTTP headers of the user response to client based on canary routing of header, cookie or query

nginx.ingress.kubernetes.io/canary-response-append-header

duplicate location "/robots.txt" when ingress has multipath

when ingress config multipath and open tengine-reload, Ingress-Controller will generate locations where there are multiple robots.txt in the configuration.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
spec:
  rules:
  - host: echo.w1.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: echo-service
            port:
              number: 80
      - path: /abc
        pathType: Prefix
        backend:
          service:
            name: echo-service-2
            port:
              number: 80
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tengine-ingress-configuration
  namespace: default
data:
  tengine-reload: 'true'
  tengine-static-service-cfg: 'true'

HTTP Route: multiple canary ingress can be use the same upstream

Supports multiple default SSL certificates

CORS is not working with lua

Remove unnecessary locations

Remove unnecessary paths

default server

        # health checks in cloud providers require the use of port 80
        location /healthz {

                access_log off;
                return 200;
        }

        # this is required to avoid error if nginx is being monitored
        # with an external software (like sysdig)
        location /nginx_status {

                allow 127.0.0.1;

                allow ::1;

                deny all;

                sysguard   off;
                access_log off;
                stub_status on;
        }

        location /traffic_status {

                allow 127.0.0.1;

                allow ::1;

                deny all;

                sysguard   off;
                access_log off;
                req_status_show;
        }

        location /deny_reload_data {

                sysguard   off;
                access_log off;
                content_by_lua_file /etc/nginx/lua/load_deny.lua;
        }

listen 10246 server

location /deny_reload_data {
        content_by_lua_file /etc/nginx/lua/load_deny.lua;
}

Environment

Images: tengine-ingress-registry.cn-hangzhou.cr.aliyuncs.com/tengine/tengine-ingress:1.0.0

How to reproduce

Add secret for domain:

kubectl create secret tls https-server-1 --key certs/server_1_no.key --cert certs/server_1.crt

Add Ingress Config:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: minimal-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - host: echo.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: echo-service
            port:
              number: 80
  tls:
  - hosts:
    - echo.test-taobao.com
    secretName: https-server-1

A certificate is configured for domain name echo.test.com, But only http2 protocol can be matched normally, and http3 protocol certificate cannot be used.

apiVersion: v1
data:
  access-log-path: |-
    "pipe:rollback /home/admin/tengine-ingress/logs/tengine-access.log
     baknum=10 maxsize=5G interval=1d adjust=600"
  error-log-path: |-
    "pipe:rollback /home/admin/tengine-ingress/logs/tengine-error.log
     baknum=10 maxsize=2G interval=1d adjust=600"
  https-allow-http: "true"
  log-format-upstream: $request_time|$status|$upstream_status|$remote_addr|$upstream_addr|$upstream_response_time|$time_local|$request_method|$scheme|$host|$server_port|$request_uri|$body_bytes_sent|$http_referer|$http_user_agent|$proxy_add_x_forwarded_for|$http_x_forwarded_for|$http_ns_client_ip|$http_accept_language|$connection_requests|$ssl_protocol|$ssl_cipher|$ssl_session_reused|$host|$request_length|$bytes_sent|$metadata_ssl_protocols|$ingress_route_target|$http_open|
kind: ConfigMap
metadata:
  creationTimestamp: "2023-11-01T08:20:16Z"
  name: tengine-ingress-configmap-anolis-configuration
  namespace: default
  resourceVersion: "28532685"
  uid: 7d53db52-7af0-4626-a3c7-cdd7ba87e85a

listen 443 default_server reuseport backlog=4096 ssl http2 https_allow_http ;

        ## start server _
        server {
                server_name _ ;

                listen 80 default_server reuseport backlog=4096 ;
                listen [::]:80 default_server reuseport backlog=4096 ;
                listen 443 default_server reuseport backlog=4096 ssl http2 https_allow_http ;
                listen [::]:443 default_server reuseport backlog=4096 ssl http2 https_allow_http ;
                listen 443 default_server reuseport backlog=4096 xquic ;
                listen [::]:443 default_server reuseport backlog=4096 xquic ;

                ingress_gateway shm_service_cfg;
                ingress_gateway_metadata "ssl-protocols" $metadata_ssl_protocols;

                # set log host
                set $log_host $host;

                set $proxy_upstream_name "-";

                ssl_certificate_by_lua_block {
                        certificate.call()
                }

                location = /status.tengine {
                if ($host !~* "^\d{1,3}(\.\d{1,3}){3}|^status\.tengine\.com$") {
                        return 404;
                        break;
                }
                sysguard off;
                access_log off;
                root /etc/nginx/htdocs;
        }

sh-4.4# curl -i http://127.0.0.1:80/status.tengine
HTTP/1.1 200 OK
Server: Tengine/3.1.0
Date: Thu, 02 Nov 2023 03:34:31 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Thu, 02 Nov 2023 03:31:20 GMT
Connection: keep-alive
ETag: "65431808-0"
Accept-Ranges: bytes

sh-4.4# curl -i http://127.0.0.1:443/status.tengine
HTTP/1.1 200 OK
Server: Tengine/3.1.0
Date: Thu, 02 Nov 2023 03:34:35 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Thu, 02 Nov 2023 03:31:20 GMT
Connection: keep-alive
ETag: "65431808-0"
Accept-Ranges: bytes