Allow default_server listeners to be customised (#4464)

shaun-nx · web-flow · commit aad4fc9ced4d · 2023-10-12T11:21:34.000+01:00
diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md
@@ -452,6 +452,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.podDisruptionBudget.maxUnavailable` | The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable". | 0 |
 |`controller.strategy` | Specifies the strategy used to replace old Pods with new ones. Docs for [Deployment update strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) and [Daemonset update strategy](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy) | {} |
 |`controller.disableIPV6` | Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack. | false |
+|`controller.defaultHTTPListenerPort`  | Sets the port for the HTTP `default_server` listener. | 80 |
+|`controller.defaultHTTPSListenerPort`  | Sets the port for the HTTPS `default_server` listener. | 443 |
 |`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false |
 |`rbac.create` | Configures RBAC. | true |
 |`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
diff --git a/charts/nginx-ingress/templates/controller-daemonset.yaml b/charts/nginx-ingress/templates/controller-daemonset.yaml
@@ -237,6 +237,8 @@ spec:
           - -enable-cert-manager={{ .Values.controller.enableCertManager }}
           - -enable-oidc={{ .Values.controller.enableOIDC }}
           - -enable-external-dns={{ .Values.controller.enableExternalDNS }}
+          - -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}}
+          - -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}}
 {{- if .Values.controller.globalConfiguration.create }}
           - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }}
 {{- end }}
diff --git a/charts/nginx-ingress/templates/controller-deployment.yaml b/charts/nginx-ingress/templates/controller-deployment.yaml
@@ -244,6 +244,8 @@ spec:
           - -enable-cert-manager={{ .Values.controller.enableCertManager }}
           - -enable-oidc={{ .Values.controller.enableOIDC }}
           - -enable-external-dns={{ .Values.controller.enableExternalDNS }}
+          - -default-http-listener-port={{ .Values.controller.defaultHTTPListenerPort}}
+          - -default-https-listener-port={{ .Values.controller.defaultHTTPSListenerPort}}
 {{- if .Values.controller.globalConfiguration.create }}
           - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.controller.fullname" . }}
 {{- end }}
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
@@ -1262,6 +1262,22 @@
             false
           ]
         },
+        "defaultHTTPListenerPort": {
+          "type": "integer",
+          "default": 80,
+          "title": "The defaultHTTPListenerPort",
+          "examples": [
+            80
+          ]
+        },
+        "defaultHTTPSListenerPort": {
+          "type": "integer",
+          "default": 443,
+          "title": "The defaultHTTPSListenerPort",
+          "examples": [
+            443
+          ]
+        },
         "readOnlyRootFilesystem": {
           "type": "boolean",
           "default": false,
@@ -1411,6 +1427,8 @@
           },
           "enableLatencyMetrics": false,
           "disableIPV6": false,
+          "defaultHTTPListenerPort": 80,
+          "defaultHTTPSListenerPort": 443,
           "readOnlyRootFilesystem": false
         }
       ]
@@ -1776,6 +1794,8 @@
         },
         "enableLatencyMetrics": false,
         "disableIPV6": false,
+        "defaultHTTPListenerPort": 80,
+        "defaultHTTPSListenerPort": 443,
         "readOnlyRootFilesystem": false
       },
       "rbac": {
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
@@ -443,6 +443,12 @@ controller:
   ## Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack.
   disableIPV6: false
 
+  ## Sets the port for the HTTP `default_server` listener.
+  defaultHTTPListenerPort: 80
+
+  ## Sets the port for the HTTPS `default_server` listener.
+  defaultHTTPSListenerPort: 443
+
   ## Configure root filesystem as read-only and add volumes for temporary data.
   readOnlyRootFilesystem: false
 
diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go
@@ -194,6 +194,10 @@ var (
 	disableIPV6 = flag.Bool("disable-ipv6", false,
 		`Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack`)
 
+	defaultHTTPListenerPort = flag.Int("default-http-listener-port", 80, "Sets a custom port for the HTTP NGINX `default_server`. [1024 - 65535]")
+
+	defaultHTTPSListenerPort = flag.Int("default-https-listener-port", 443, "Sets a custom port for the HTTPS `default_server`. [1024 - 65535]")
+
 	startupCheckFn func() error
 )
 
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
@@ -90,6 +90,8 @@ func main() {
 
 	staticCfgParams := &configs.StaticConfigParams{
 		DisableIPV6:                    *disableIPV6,
+		DefaultHTTPListenerPort:        *defaultHTTPListenerPort,
+		DefaultHTTPSListenerPort:       *defaultHTTPSListenerPort,
 		HealthStatus:                   *healthStatus,
 		HealthStatusURI:                *healthStatusURI,
 		NginxStatus:                    *nginxStatus,
diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md
@@ -508,3 +508,19 @@ Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack.
 Default `false`.
 &nbsp;
 <a name="cmdoption-disable-ipv6"></a>
+
+### -default-http-listener-port
+
+Sets the port for the HTTP `default_server` listener.
+
+Default `80`.
+&nbsp;
+<a name="cmdoption-default-http-listener-port"></a>
+
+### -default-https-listener-port
+
+Sets the port for the HTTPS `default_server` listener.
+
+Default `443`.
+&nbsp;
+<a name="cmdoption-default-https-listener-port"></a>
diff --git a/internal/configs/config_params.go b/internal/configs/config_params.go
@@ -114,6 +114,8 @@ type ConfigParams struct {
 // StaticConfigParams holds immutable NGINX configuration parameters that affect the main NGINX config.
 type StaticConfigParams struct {
 	DisableIPV6                    bool
+	DefaultHTTPListenerPort        int
+	DefaultHTTPSListenerPort       int
 	HealthStatus                   bool
 	HealthStatusURI                string
 	NginxStatus                    bool
diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go
@@ -514,6 +514,8 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 		DefaultServerAccessLogOff:          config.DefaultServerAccessLogOff,
 		DefaultServerReturn:                config.DefaultServerReturn,
 		DisableIPV6:                        staticCfgParams.DisableIPV6,
+		DefaultHTTPListenerPort:            staticCfgParams.DefaultHTTPListenerPort,
+		DefaultHTTPSListenerPort:           staticCfgParams.DefaultHTTPSListenerPort,
 		ErrorLogLevel:                      config.MainErrorLogLevel,
 		HealthStatus:                       staticCfgParams.HealthStatus,
 		HealthStatusURI:                    staticCfgParams.HealthStatusURI,
diff --git a/internal/configs/version1/config.go b/internal/configs/version1/config.go
@@ -165,6 +165,8 @@ type MainConfig struct {
 	DefaultServerAccessLogOff          bool
 	DefaultServerReturn                string
 	DisableIPV6                        bool
+	DefaultHTTPListenerPort            int
+	DefaultHTTPSListenerPort           int
 	ErrorLogLevel                      string
 	HealthStatus                       bool
 	HealthStatusURI                    string
diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl
@@ -153,16 +153,16 @@ http {
         set $resource_namespace "";
         set $service "";
 
-        listen 80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
-        {{if not .DisableIPV6}}listen [::]:80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+        listen {{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
+        {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort }} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
 
         {{if .TLSPassthrough}}
         listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol;
         set_real_ip_from unix:;
         real_ip_header proxy_protocol;
         {{else}}
-        listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
-        {{if not .DisableIPV6}}listen [::]:443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+        listen {{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+        {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort }} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
         {{end}}
 
         {{if .SSLRejectHandshake}}
diff --git a/internal/configs/version1/nginx.tmpl b/internal/configs/version1/nginx.tmpl
@@ -106,16 +106,16 @@ http {
         set $resource_namespace "";
         set $service "";
 
-        listen 80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
-        {{if not .DisableIPV6}}listen [::]:80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+        listen {{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
+        {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPListenerPort}} default_server{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
 
         {{if .TLSPassthrough}}
         listen unix:/var/lib/nginx/passthrough-https.sock ssl default_server{{if .HTTP2}} http2{{end}} proxy_protocol;
         set_real_ip_from unix:;
         real_ip_header proxy_protocol;
         {{else}}
-        listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
-        {{if not .DisableIPV6}}listen [::]:443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
+        listen {{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+        {{if not .DisableIPV6}}listen [::]:{{ .DefaultHTTPSListenerPort}} ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};{{end}}
         {{end}}
 
         {{if .SSLRejectHandshake}}
diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go
diff --git a/tests/suite/test_default_server.py b/tests/suite/test_default_server.py

Original file line number	Diff line number	Diff line change
`@@ -194,6 +194,10 @@ var (`
`194`	`194`	`disableIPV6 = flag.Bool("disable-ipv6", false,`
`195`	`195`	`Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack`)
`196`	`196`
	`197`	+ defaultHTTPListenerPort = flag.Int("default-http-listener-port", 80, "Sets a custom port for the HTTP NGINX `default_server`. [1024 - 65535]")
	`198`	`+`
	`199`	+ defaultHTTPSListenerPort = flag.Int("default-https-listener-port", 443, "Sets a custom port for the HTTPS `default_server`. [1024 - 65535]")
	`200`	`+`
`197`	`201`	`startupCheckFn func() error`
`198`	`202`	`)`
`199`	`203`