feat: add annotation to allow to add custom response headers #9742

Merged on Apr 9, 2024 (16 commits)
17 changes: 17 additions & 0 deletions docs/user-guide/nginx-configuration/annotations.md
Expand Up @@ -50,6 +50,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
|[nginx.ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
|[nginx.ingress.kubernetes.io/configuration-snippet](#configuration-snippet)|string|
|[nginx.ingress.kubernetes.io/custom-http-errors](#custom-http-errors)|[]int|
|[nginx.ingress.kubernetes.io/custom-headers](#custom-headers)|string|
|[nginx.ingress.kubernetes.io/default-backend](#default-backend)|string|
|[nginx.ingress.kubernetes.io/enable-cors](#enable-cors)|"true" or "false"|
|[nginx.ingress.kubernetes.io/cors-allow-origin](#enable-cors)|string|
Expand Down Expand Up @@ -338,6 +339,22 @@ Example usage:
nginx.ingress.kubernetes.io/custom-http-errors: "404,415"
```

### Custom Headers
This annotation is of the form `nginx.ingress.kubernetes.io/custom-headers: custom-headers-configmap` to specify a configmap name that contains custom headers. This annotation uses `more_set_headers` nginx directive.

Example configmap:
```yaml
apiVersion: v1
data:
Content-Type: application/json
kind: ConfigMap
metadata:
name: custom-headers-configmap
```

!!! attention
First define the allowed response headers in [global-allowed-response-headers](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#global-allowed-response-headers).
Comment on lines +355 to +356

Could this be made optional?
Many shops will run admission controllers that can achieve the same thing. It would be very inconvenient if we had to force users to now configure allowed headers in two places (admission controller rules and nginx ingress).


### Default Backend

This annotation is of the form `nginx.ingress.kubernetes.io/default-backend: <svc name>` to specify a custom default backend. This `<svc name>` is a reference to a service inside of the same namespace in which you are applying this annotation. This annotation overrides the global default backend. In case the service has [multiple ports](https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services), the first one is the one which will receive the backend traffic.
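Review bot: The new "Custom Headers" section says the annotation takes "a configmap name" but does not say in which namespace that ConfigMap is looked up, nor what the controller does when the ConfigMap contains a header that is not listed in `global-allowed-response-headers` (reject the Ingress, skip only that header, or ignore the annotation). Both deserve a sentence here, because the annotation uses `more_set_headers` and so lets whoever can edit the Ingress or the referenced ConfigMap set response headers for that location. The example would also be safer to copy with a header other than `Content-Type`, since a ConfigMap taken verbatim from the docs would change the content type of the responses it applies to.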
5 changes: 5 additions & 0 deletions docs/user-guide/nginx-configuration/configmap.md
Expand Up @@ -209,6 +209,7 @@ The following table shows a configuration option's name, type, and the default v
|[syslog-host](#syslog-host)| string | "" ||
|[syslog-port](#syslog-port)| int | 514 ||
|[no-tls-redirect-locations](#no-tls-redirect-locations)| string | "/.well-known/acme-challenge" ||
|[global-allowed-response-headers](#global-allowed-response-headers)|string|""||
|[global-auth-url](#global-auth-url)| string | "" ||
|[global-auth-method](#global-auth-method)| string | "" ||
|[global-auth-signin](#global-auth-signin)| string | "" ||
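Review bot: The new `global-allowed-response-headers` row is written as `|string|""||` while the neighbouring rows pad their cells (`| string | "" ||`); matching that padding keeps the table source consistent.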
Expand Down Expand Up @@ -1285,6 +1286,10 @@ Sets the port of syslog server. _**default:**_ 514
A comma-separated list of locations on which http requests will never get redirected to their https counterpart.
_**default:**_ "/.well-known/acme-challenge"

## global-allowed-response-headers

A comma-separated list of allowed response headers inside the [custom headers annotations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#custom-headers)
Comment on lines +1289 to +1291

Would it be possible to document how to allow any arbitrary headers (for example for an isolated "dev" environment)?

@cgroschupp (Contributor, Author) commented on Jun 13, 2023

There are several possible solutions to achieve this:

  • Allow regex/glob inside the list
  • empty list = allow all
  • or add a special bool to enable the function.

Which solution do you like, or do you have other ideas?

Contributor Author


@rikatz do you have a preference?

Member


> or add a special bool to enable the function.

I like this. Its behavior is controlled by clear switches.
Allowing arbitrary headers is a dangerous action.


## global-auth-url

A url to an existing service that provides authentication for all the locations.
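Review bot: The `global-allowed-response-headers` section does not say what the default empty value means, and unlike the `no-tls-redirect-locations` entry just above it there is no `_**default:**_` line. Since the options table gives the default as `""`, state explicitly whether an empty list allows no custom headers or all of them, and whether header names are compared case-insensitively with whitespace around the commas trimmed. The sentence is also missing its closing period.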
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -26,6 +26,7 @@ require (
github.com/yudai/gojsondiff v1.0.0
github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30
golang.org/x/crypto v0.22.0
golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
google.golang.org/grpc v1.63.2
google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab
gopkg.in/go-playground/pool.v3 v3.1.1
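Review bot: `golang.org/x/exp` is added to the direct `require` block at a pseudo-version dated 2022-07-22, noticeably older than the neighbouring pins in this hunk. The `x/exp` module carries no compatibility guarantee, so the PR description should say what is imported from it; if it is only the `slices` or `maps` helpers, the standard-library packages of the same name (Go 1.21 and later) would avoid the extra dependency, and otherwise a current pseudo-version is preferable.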