Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ingress: Add force-https annotation support #30616

Merged
merged 1 commit into from
Feb 15, 2024
Merged

ingress: Add force-https annotation support #30616

merged 1 commit into from
Feb 15, 2024

Conversation

youngnick
Copy link
Contributor

This change adds support for the new ingress.cilium.io/force-https annotation. This annotation changes generated model.Listeners such that, if a TLS Listener is present, any config for that secure listener is copied to an insecure listener, with redirects to the secure listener for routing instead of direct routing.

The annotation itself can be set to enabled, disabled, or any truthy or false-y value (as understood by Go's strconv.ParseBool() function).

The annotation overrides the exsiting "enforce-https" config, which does the same thing.

That is, if both ingress.cilium.io/force-https and enforce-https are set, the annotation's value will override the value of enforce-https.

When the annotation is unset, enforce-https produces similar functionality.

Tests for all cases have been added.

Implementation details:

  • model.Listener now has a ForceHTTPtoHTTPSRedirect field that controls if the redirect behavior will be used.
  • The value of enforceHTTPS is no longer passed into Translators. Ingress ingestion now handles folding the possible values of enforceHTTPS into the model.Listener, so the Translators now don't need to know.

Updates: #22887

Support `ingress.cilium.io/force-https` annotation (functionally equivalent to `nginx.ingress.kubernetes.io/force-ssl-redirect`)

@youngnick youngnick requested review from a team as code owners February 4, 2024 11:40
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 4, 2024
@youngnick youngnick added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Feb 4, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 4, 2024
@youngnick youngnick force-pushed the force-https-annotation branch from d23f7b3 to 9499019 Compare February 4, 2024 11:43
@youngnick
Copy link
Contributor Author

/test

@sayboras sayboras changed the title Add force-https annotation support ingress: Add force-https annotation support Feb 4, 2024
@sayboras sayboras added area/servicemesh GH issues or PRs regarding servicemesh feature/k8s-ingress labels Feb 4, 2024
lambdanis
lambdanis approved these changes Feb 5, 2024
View reviewed changes
Copy link
Contributor

@lambdanis lambdanis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small non-blocking suggestion for docs

Documentation/network/servicemesh/ingress.rst Outdated Show resolved Hide resolved
@youngnick youngnick force-pushed the force-https-annotation branch 3 times, most recently from 221e34b to c968dba Compare February 7, 2024 15:23
@youngnick
Copy link
Contributor Author

/test

@youngnick youngnick force-pushed the force-https-annotation branch from c968dba to 3ea4f63 Compare February 9, 2024 08:53
@youngnick
Copy link
Contributor Author

/test

@youngnick youngnick force-pushed the force-https-annotation branch from 3ea4f63 to 055edd6 Compare February 13, 2024 00:46
@youngnick
Copy link
Contributor Author

/test

mhofstetter
mhofstetter reviewed Feb 13, 2024
View reviewed changes
Copy link
Member

@mhofstetter mhofstetter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice - thanks Nick! 🎉 Some small comments and improvements inline.

Documentation/network/servicemesh/ingress.rst Outdated Show resolved Hide resolved
operator/pkg/ingress/annotations/annotations.go Outdated Show resolved Hide resolved
operator/pkg/ingress/annotations/annotations.go Outdated Show resolved Hide resolved
operator/pkg/ingress/annotations/annotations.go Show resolved Hide resolved
operator/pkg/model/ingestion/ingress.go Outdated Show resolved Hide resolved
operator/pkg/model/ingestion/ingress_test.go Outdated Show resolved Hide resolved
operator/pkg/model/ingestion/ingress.go Outdated Show resolved Hide resolved
@youngnick youngnick force-pushed the force-https-annotation branch 2 times, most recently from 7c00575 to a8eb9f2 Compare February 14, 2024 03:38
@youngnick youngnick removed the request for review from meyskens February 14, 2024 03:51
@youngnick
Copy link
Contributor Author

/test

@youngnick youngnick force-pushed the force-https-annotation branch from a8eb9f2 to 2276144 Compare February 14, 2024 04:05
@youngnick
Copy link
Contributor Author

/test

1 similar comment
@youngnick
Copy link
Contributor Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 14, 2024
@mhofstetter mhofstetter removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 14, 2024
@youngnick youngnick force-pushed the force-https-annotation branch from 2276144 to 704f872 Compare February 14, 2024 09:00
@youngnick
Copy link
Contributor Author

/test

mhofstetter
mhofstetter requested changes Feb 14, 2024
View reviewed changes
operator/pkg/ingress/annotations/annotations.go Outdated Show resolved Hide resolved
Documentation/network/servicemesh/ingress.rst Outdated Show resolved Hide resolved
operator/pkg/ingress/annotations/annotations.go Outdated Show resolved Hide resolved
operator/pkg/ingress/annotations/annotations.go Outdated Show resolved Hide resolved
operator/pkg/ingress/annotations/annotations_test.go Outdated Show resolved Hide resolved
@youngnick youngnick force-pushed the force-https-annotation branch 2 times, most recently from 240386e to 31756af Compare February 14, 2024 22:58
@youngnick
Add force-https annotation support
2dbe133 
This change adds support for the new `ingress.cilium.io/force-https` annotation.
This annotation changes generated model.Listeners such that, if a TLS Listener
is present, any config for that secure listener is copied to an insecure listener,
with redirects to the secure listener for routing instead of direct routing.

The annotation itself can be set to `enabled`, `disabled`, or any truthy or false-y
value (as understood by Go's `strconv.ParseBool()` function).

The annotation _overrides_ the exsiting "enforce-https" config, which does the same
thing.

That is, if both `ingress.cilium.io/force-https` and `enforce-https` are set, the
annotation's value will override the value of `enforce-https`.

When the annotation is unset, `enforce-https` produces similar functionality.

Tests for all cases have been added.

Implementation details:
- `model.Listener` now has a `ForceHTTPtoHTTPSRedirect` field that controls if the
  redirect behavior will be used.
- The value of `enforceHTTPS` is no longer passed into Translators. Ingress ingestion
  now handles folding the possible values of `enforceHTTPS` into the `model.Listener`,
  so the Translators now don't need to know.

Signed-off-by: Nick Young <[email protected]>
@youngnick youngnick force-pushed the force-https-annotation branch from 31756af to 2dbe133 Compare February 14, 2024 23:21
@youngnick
Copy link
Contributor Author

/test

mhofstetter
mhofstetter approved these changes Feb 15, 2024
View reviewed changes
Copy link
Member

@mhofstetter mhofstetter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - thanks Nick!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 15, 2024
@youngnick youngnick added this pull request to the merge queue Feb 15, 2024
Merged via the queue into cilium:main with commit 7b0948c Feb 15, 2024
62 checks passed
@youngnick youngnick deleted the force-https-annotation branch February 15, 2024 21:43
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Feb 16, 2024
@mhofstetter
ingress: pass enforcedHttps from config (cell) to reconciler
3f08763 
Currently, the config property `enforce-ingress-https` doesn't have any effect
as its value isn't propagated to the ingresscontroller reconciler. Hence,
Ingress HTTPS is never enforced globally (only via annotation).

This commit fixes this by passing the config value to the reconciler.

Fixes: cilium#30616

Signed-off-by: Marco Hofstetter <[email protected]>
@mhofstetter mhofstetter mentioned this pull request Feb 16, 2024
Merged
mhofstetter
mhofstetter reviewed Feb 16, 2024
View reviewed changes
operator/pkg/ingress/ingress.go
@@ -38,6 +38,7 @@ type ingressReconciler struct {
defaultLoadbalancerMode string
defaultSecretNamespace string
defaultSecretName string
enforcedHTTPS bool
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@youngnick looks enforcedHTTPS isn't handled in newIngressReconciler - hence it's always false. We should pass the corresponding config value from the cell.

I opened #30804

github-merge-queue bot pushed a commit that referenced this pull request Feb 16, 2024
@mhofstetter @youngnick
ingress: pass enforcedHttps from config (cell) to reconciler
9ff8d31 
Currently, the config property `enforce-ingress-https` doesn't have any effect
as its value isn't propagated to the ingresscontroller reconciler. Hence,
Ingress HTTPS is never enforced globally (only via annotation).

This commit fixes this by passing the config value to the reconciler.

Fixes: #30616

Signed-off-by: Marco Hofstetter <[email protected]>
aanm pushed a commit to aanm/cilium that referenced this pull request Feb 19, 2024
@mhofstetter @aanm
ingress: pass enforcedHttps from config (cell) to reconciler
c934696 
Currently, the config property `enforce-ingress-https` doesn't have any effect
as its value isn't propagated to the ingresscontroller reconciler. Hence,
Ingress HTTPS is never enforced globally (only via annotation).

This commit fixes this by passing the config value to the reconciler.

Fixes: cilium#30616

Signed-off-by: Marco Hofstetter <[email protected]>
@mhofstetter mhofstetter mentioned this pull request Feb 22, 2024
Merged
@aanm aanm added the affects/v1.15 This issue affects v1.15 branch label Apr 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mhofstetter mhofstetter mhofstetter approved these changes

@lambdanis lambdanis lambdanis approved these changes

Assignees
No one assigned
Labels
affects/v1.15 This issue affects v1.15 branch area/servicemesh GH issues or PRs regarding servicemesh feature/k8s-ingress ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@youngnick @lambdanis @mhofstetter @aanm @sayboras