├── .codecov.yml ├── .dockerignore ├── .fossa.yml ├── .github ├── ISSUE_TEMPLATE │ ├── BUG-REPORT.yml │ ├── config.yml │ └── feature_request.md ├── PULL_REQUEST_TEMPLATE.md ├── actionlint.yaml ├── actions │ ├── certify-openshift-image │ │ └── action.yml │ └── smoke-tests │ │ └── action.yaml ├── config │ ├── config-gcr-retag │ ├── config-oss-dockerhub │ ├── config-oss-ecr │ ├── config-oss-gcr-release │ ├── config-oss-github │ ├── config-oss-quay │ ├── config-plus-azure │ ├── config-plus-ecr │ ├── config-plus-gcr-public │ ├── config-plus-gcr-release │ └── config-plus-nginx ├── data │ ├── matrix-images-nap.json │ ├── matrix-images-oss.json │ ├── matrix-images-plus.json │ ├── matrix-regression.json │ ├── matrix-smoke-nap.json │ ├── matrix-smoke-oss.json │ ├── matrix-smoke-plus.json │ ├── patch-images.json │ └── version.txt ├── dependabot.yml ├── labeler.yml ├── release.yml ├── scripts │ ├── copy-images.sh │ ├── create-release-tarballs.sh │ ├── docker-updater.sh │ ├── exclude_ci_files.txt │ ├── release-notes-update.sh │ ├── release-version-update.sh │ └── variables.sh └── workflows │ ├── build-base-images.yml │ ├── build-oss.yml │ ├── build-plus.yml │ ├── build-single-image.yml │ ├── build-test-image.yml │ ├── build-ubi-dependency.yml │ ├── cache-update.yml │ ├── certify-ubi-image.yml │ ├── cherry-pick.yml │ ├── ci.yml │ ├── codeql-analysis.yml │ ├── create-release-branch.yml │ ├── dependabot-auto-merge.yml │ ├── dependabot-hugo.yml │ ├── dependency-review.yml │ ├── dockerhub-description.yml │ ├── docs-build-push.yml │ ├── f5-cla.yml │ ├── fossa.yml │ ├── image-promotion.yml │ ├── issues.yaml │ ├── labeler.yml │ ├── lint-format.yml │ ├── mend.yml │ ├── notifications.yml │ ├── oss-release.yml │ ├── patch-image.yml │ ├── plus-release.yml │ ├── publish-helm.yml │ ├── regression.yml │ ├── release-pr.yml │ ├── release.yml │ ├── retag-images.yml │ ├── scorecards.yml │ ├── setup-smoke.yml │ ├── single-image-regression.yml │ ├── stale.yml │ ├── update-docker-images.yml │ ├── 
update-docker-sha.yml │ ├── update-kubernetes-version.yml │ ├── update-release-draft.yml │ ├── updates-notification.yml │ └── version-bump.yml ├── .gitignore ├── .golangci.yml ├── .goreleaser.yml ├── .markdownlint-cli2.yaml ├── .pre-commit-config.yaml ├── CHANGELOG.md ├── CODEOWNERS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── ISSUE_LIFECYCLE.md ├── LICENSE ├── Makefile ├── README.md ├── SECURITY.md ├── build ├── Dockerfile ├── README.md ├── dependencies │ ├── Dockerfile.ubi8 │ ├── Dockerfile.ubi9 │ └── tracking.info.default └── scripts │ ├── agent.sh │ ├── common.sh │ ├── nap-dos.sh │ ├── nap-waf.sh │ ├── ubi-clean.sh │ └── ubi-setup.sh ├── charts ├── nginx-ingress │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── chart-icon.png │ ├── crds │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── controller-configmap.yaml │ │ ├── controller-daemonset.yaml │ │ ├── controller-deployment.yaml │ │ ├── controller-globalconfiguration.yaml │ │ ├── controller-hpa.yaml │ │ ├── controller-ingress-class.yaml │ │ ├── controller-leader-election-configmap.yaml │ │ ├── controller-lease.yaml │ │ ├── controller-pdb.yaml │ │ ├── controller-prometheus-service.yaml │ │ ├── controller-role.yaml │ │ ├── controller-rolebinding.yaml │ │ ├── controller-secret.yaml │ │ ├── controller-service.yaml │ │ ├── controller-serviceaccount.yaml │ │ ├── controller-servicemonitor.yaml │ │ └── controller-wildcard-secret.yaml │ ├── values-icp.yaml │ ├── values-nsm.yaml │ ├── values-plus.yaml │ ├── values.schema.json │ └── values.yaml └── tests │ ├── __snapshots__ │ └── helmunit_test.snap │ ├── helmunit_test.go │ └── testdata │ ├── app-protect-dos.yaml │ ├── app-protect-waf-agentv2.yaml │ ├── app-protect-waf.yaml │ ├── app-protect-wafv5-agentv2.yaml │ ├── app-protect-wafv5.yaml │ ├── custom-resources.yaml │ ├── daemonset.yaml │ ├── global-configuration.yaml │ ├── ingress-class.yaml │ ├── plus-debug.yaml │ ├── 
plus-mgmt-custom-endpoint.yaml │ ├── plus-mgmt-proxy-host-auth.yaml │ ├── plus-mgmt-proxy-host.yaml │ ├── plus-mgmt.yaml │ └── plus.yaml ├── cmd └── nginx-ingress │ ├── aws.go │ ├── aws_test.go │ ├── flags.go │ ├── flags_test.go │ ├── main.go │ ├── main_test.go │ └── utils.go ├── config └── crd │ ├── app-protect-dos │ └── kustomization.yaml │ ├── app-protect-waf │ └── kustomization.yaml │ ├── bases │ ├── appprotect.f5.com_aplogconfs.yaml │ ├── appprotect.f5.com_appolicies.yaml │ ├── appprotect.f5.com_apusersigs.yaml │ ├── appprotectdos.f5.com_apdoslogconfs.yaml │ ├── appprotectdos.f5.com_apdospolicy.yaml │ ├── appprotectdos.f5.com_dosprotectedresources.yaml │ ├── externaldns.nginx.org_dnsendpoints.yaml │ ├── k8s.nginx.org_globalconfigurations.yaml │ ├── k8s.nginx.org_policies.yaml │ ├── k8s.nginx.org_transportservers.yaml │ ├── k8s.nginx.org_virtualserverroutes.yaml │ └── k8s.nginx.org_virtualservers.yaml │ └── kustomization.yaml ├── deploy ├── crds-nap-dos.yaml ├── crds-nap-waf.yaml └── crds.yaml ├── deployments ├── README.md ├── common │ ├── ingress-class.yaml │ ├── nginx-config.yaml │ ├── ns-and-sa.yaml │ └── plus-mgmt-configmap.yaml ├── daemon-set │ ├── nginx-ingress.yaml │ └── nginx-plus-ingress.yaml ├── deployment │ ├── appprotect-dos-arb.yaml │ ├── nginx-ingress.yaml │ └── nginx-plus-ingress.yaml ├── rbac │ ├── ap-rbac.yaml │ ├── apdos-rbac.yaml │ └── rbac.yaml └── service │ ├── appprotect-dos-arb-svc.yaml │ ├── loadbalancer-aws-elb.yaml │ ├── loadbalancer.yaml │ └── nodeport.yaml ├── examples ├── common-secrets │ ├── app-tls-secret-app.example.com.yaml │ ├── cafe-secret-cafe.example.com.yaml │ ├── default-server-secret-NGINXIngressController.yaml │ ├── greeter-secret-virtual-server.example.com.yaml │ ├── mongo-secret-mongo.example.com.yaml │ ├── service-insight-secret-cafe.example.com.yaml │ ├── tls-secret-webapp.example.com.yaml │ ├── tls-secret-wildcard.example.com.yaml │ └── webapp-secret-cafe.example.com.yaml ├── custom-resources │ ├── access-control │ 
│ ├── README.md │ │ ├── access-control-policy-allow.yaml │ │ ├── access-control-policy-deny.yaml │ │ ├── virtual-server.yaml │ │ └── webapp.yaml │ ├── advanced-routing │ │ ├── README.md │ │ ├── cafe-virtual-server.yaml │ │ └── cafe.yaml │ ├── api-key │ │ ├── README.md │ │ ├── api-key-policy.yaml │ │ ├── api-key-secret.yaml │ │ ├── cafe-secret.yaml │ │ ├── cafe-virtual-server.yaml │ │ └── cafe.yaml │ ├── app-protect-dos │ │ ├── README.md │ │ ├── apdos-logconf.yaml │ │ ├── apdos-policy.yaml │ │ ├── apdos-protected.yaml │ │ ├── syslog.yaml │ │ ├── syslog2.yaml │ │ ├── virtual-server.yaml │ │ └── webapp.yaml │ ├── app-protect-waf-v5 │ │ ├── README.md │ │ ├── syslog.yaml │ │ ├── virtual-server.yaml │ │ ├── waf.yaml │ │ └── webapp.yaml │ ├── app-protect-waf │ │ ├── README.md │ │ ├── ap-apple-uds.yaml │ │ ├── ap-dataguard-alarm-policy.yaml │ │ ├── ap-logconf.yaml │ │ ├── syslog.yaml │ │ ├── virtual-server.yaml │ │ ├── waf.yaml │ │ └── webapp.yaml │ ├── backup-directive │ │ ├── transport-server │ │ │ ├── README.md │ │ │ ├── app-tls-secret.yaml │ │ │ ├── backup-svc.yaml │ │ │ ├── external-secure-app.yaml │ │ │ ├── nginx-config.yaml │ │ │ ├── secure-app.yaml │ │ │ └── transport-server-passthrough.yaml │ │ └── virtual-server │ │ │ ├── README.md │ │ │ ├── backup-svc.yaml │ │ │ ├── cafe-secret.yaml │ │ │ ├── cafe-virtual-server-backup.yaml │ │ │ ├── cafe.yaml │ │ │ ├── external-cafe.yaml │ │ │ └── nginx-config.yaml │ ├── basic-auth │ │ ├── README.md │ │ ├── basic-auth-policy.yaml │ │ ├── cafe-passwd.yaml │ │ ├── cafe-secret.yaml │ │ ├── cafe-virtual-server.yaml │ │ └── cafe.yaml │ ├── basic-configuration │ │ ├── README.md │ │ ├── cafe-secret.yaml │ │ ├── cafe-virtual-server.yaml │ │ └── cafe.yaml │ ├── basic-tcp-udp │ │ ├── README.md │ │ ├── dns.yaml │ │ ├── global-configuration.yaml │ │ ├── transport-server-tcp.yaml │ │ └── transport-server-udp.yaml │ ├── certmanager │ │ ├── README.md │ │ ├── cafe-virtual-server.yaml │ │ ├── cafe.yaml │ │ └── self-signed.yaml │ ├── 
cross-namespace-configuration │ │ ├── README.md │ │ ├── cafe-secret.yaml │ │ ├── cafe-virtual-server.yaml │ │ ├── coffee-virtual-server-route.yaml │ │ ├── coffee.yaml │ │ ├── namespaces.yaml │ │ ├── tea-virtual-server-route.yaml │ │ └── tea.yaml │ ├── custom-ip-listeners │ │ ├── transportserver │ │ │ ├── README.md │ │ │ ├── dns.yaml │ │ │ ├── global-configuration.yaml │ │ │ ├── tcp-transport-server.yaml │ │ │ └── udp-transport-server.yaml │ │ └── virtualserver │ │ │ ├── README.md │ │ │ ├── cafe-secret.yaml │ │ │ ├── cafe-virtual-server.yaml │ │ │ ├── cafe.yaml │ │ │ └── global-configuration.yaml │ ├── custom-listeners │ │ ├── README.md │ │ ├── cafe-secret.yaml │ │ ├── cafe-virtual-server.yaml │ │ ├── cafe.yaml │ │ └── global-configuration.yaml │ ├── custom-templates │ │ └── README.md │ ├── egress-mtls │ │ ├── README.md │ │ ├── egress-mtls-secret.yaml │ │ ├── egress-mtls.yaml │ │ ├── egress-trusted-ca-secret.yaml │ │ ├── secure-app.yaml │ │ └── virtual-server.yaml │ ├── external-dns │ │ ├── README.md │ │ ├── cafe-secret.yaml │ │ ├── cafe-virtual-server.yaml │ │ ├── cafe.yaml │ │ └── external-dns-route53.yaml │ ├── externalname-services │ │ ├── README.md │ │ └── transport-server │ │ │ ├── README.md │ │ │ ├── app-tls-secret.yaml │ │ │ ├── externalname-svc.yaml │ │ │ ├── nginx-config.yaml │ │ │ └── secure-app-external.yaml │ ├── grpc-upstreams │ │ ├── README.md │ │ ├── greeter-app.yaml │ │ ├── greeter-secret.yaml │ │ ├── greeter-virtual-server.yaml │ │ ├── helloworld.proto │ │ └── nginx-config.yaml │ ├── health-checks │ │ └── README.md │ ├── ingress-mtls │ │ ├── README.md │ │ ├── client-cert.pem │ │ ├── client-key.pem │ │ ├── ingress-mtls-secret.yaml │ │ ├── ingress-mtls.yaml │ │ ├── tls-secret.yaml │ │ ├── virtual-server.yaml │ │ └── webapp.yaml │ ├── jwks │ │ ├── README.md │ │ ├── jwks.yaml │ │ ├── keycloak.yaml │ │ ├── nginx-config.yaml │ │ ├── tls-secret.yaml │ │ ├── virtual-server-idp.yaml │ │ ├── virtual-server.yaml │ │ └── webapp.yaml │ ├── jwt │ │ ├── README.md 
│ │ ├── jwk-secret.yaml │ │ ├── jwt.yaml │ │ ├── token.jwt │ │ ├── virtual-server.yaml │ │ └── webapp.yaml │ ├── oidc │ │ ├── README.md │ │ ├── client-secret.yaml │ │ ├── keycloak.png │ │ ├── keycloak.yaml │ │ ├── keycloak_setup.md │ │ ├── logout.png │ │ ├── nginx-config.yaml │ │ ├── oidc.yaml │ │ ├── tls-secret.yaml │ │ ├── virtual-server-idp.yaml │ │ ├── virtual-server.yaml │ │ ├── webapp.png │ │ └── webapp.yaml │ ├── rate-limit-jwt-claim │ │ ├── README.md │ │ ├── rate-limit.yaml │ │ ├── token.jwt │ │ ├── virtual-server.yaml │ │ └── webapp.yaml │ ├── rate-limit-tiered-jwt-claim │ │ ├── README.md │ │ ├── basic-token.jwt │ │ ├── cafe-secret.yaml │ │ ├── cafe-virtual-server.yaml │ │ ├── coffee.yaml │ │ ├── default-token.jwt │ │ ├── premium-token.jwt │ │ └── rate-limits.yaml │ ├── rate-limit │ │ ├── README.md │ │ ├── rate-limit.yaml │ │ ├── virtual-server.yaml │ │ └── webapp.yaml │ ├── rewrites │ │ └── README.md │ ├── security-monitoring │ │ ├── README.md │ │ ├── ap-apple-uds.yaml │ │ ├── ap-dataguard-alarm-policy.yaml │ │ ├── ap-logconf.yaml │ │ ├── virtual-server.yaml │ │ ├── waf.yaml │ │ └── webapp.yaml │ ├── service-insight │ │ ├── README.md │ │ └── service-insight-secret.yaml │ ├── session-persistence │ │ └── README.md │ ├── tls-passthrough │ │ ├── README.md │ │ ├── app-tls-secret.yaml │ │ ├── secure-app.yaml │ │ └── transport-server-passthrough.yaml │ ├── traffic-splitting │ │ ├── README.md │ │ ├── cafe-virtual-server.yaml │ │ └── cafe.yaml │ ├── transport-server-sni │ │ ├── README.md │ │ ├── cafe-secret.yaml │ │ ├── cafe-transport-server.yaml │ │ ├── mongo-secret.yaml │ │ ├── mongo-transport-server.yaml │ │ ├── mongo.yaml │ │ └── tcp-echo-server.yaml │ └── zone-sync │ │ ├── README.md │ │ └── nginx-config.yaml ├── ingress-resources │ ├── app-protect-dos │ │ ├── README.md │ │ ├── apdos-logconf.yaml │ │ ├── apdos-policy.yaml │ │ ├── apdos-protected.yaml │ │ ├── syslog.yaml │ │ ├── syslog2.yaml │ │ ├── webapp-ingress.yaml │ │ ├── webapp-secret.yaml │ │ └── 
webapp.yaml │ ├── app-protect-waf │ │ ├── README.md │ │ ├── ap-apple-uds.yaml │ │ ├── ap-dataguard-alarm-policy.yaml │ │ ├── ap-logconf.yaml │ │ ├── cafe-ingress.yaml │ │ ├── cafe-secret.yaml │ │ ├── cafe.yaml │ │ └── syslog.yaml │ ├── basic-auth │ │ ├── README.md │ │ ├── cafe-ingress.yaml │ │ ├── cafe-passwd.yaml │ │ ├── cafe-secret.yaml │ │ └── cafe.yaml │ ├── complete-example │ │ ├── README.md │ │ ├── cafe-ingress.yaml │ │ ├── cafe-secret.yaml │ │ ├── cafe.yaml │ │ └── dashboard.png │ ├── custom-annotations │ │ └── README.md │ ├── custom-templates │ │ └── README.md │ ├── customization │ │ └── README.md │ ├── daemon-set │ │ └── README.md │ ├── externalname-services │ │ └── README.md │ ├── grpc-services │ │ └── README.md │ ├── health-checks │ │ └── README.md │ ├── jwt │ │ └── README.md │ ├── mergeable-ingress-types │ │ ├── README.md │ │ ├── cafe-master.yaml │ │ ├── cafe-secret.yaml │ │ ├── cafe.yaml │ │ ├── coffee-minion.yaml │ │ └── tea-minion.yaml │ ├── path-regex │ │ └── README.md │ ├── proxy-set-headers │ │ ├── README.md │ │ ├── mergeable-ingress │ │ │ ├── cafe-master.yaml │ │ │ ├── cafe-secret.yaml │ │ │ ├── cafe.yaml │ │ │ ├── coffee-minion.yaml │ │ │ └── tea-minion.yaml │ │ └── standard-ingress │ │ │ ├── cafe-ingress.yaml │ │ │ ├── cafe-secret.yaml │ │ │ └── cafe.yaml │ ├── rate-limit │ │ ├── README.md │ │ ├── cafe-ingress.yaml │ │ ├── cafe-secret.yaml │ │ └── cafe.yaml │ ├── rewrites │ │ └── README.md │ ├── security-monitoring │ │ ├── README.md │ │ ├── ap-apple-uds.yaml │ │ ├── ap-dataguard-alarm-policy.yaml │ │ ├── ap-logconf.yaml │ │ ├── cafe-ingress.yaml │ │ ├── cafe-secret.yaml │ │ └── cafe.yaml │ ├── session-persistence │ │ ├── README.md │ │ └── cafe-ingress-with-session-persistence.yaml │ ├── ssl-services │ │ └── README.md │ ├── tcp-udp │ │ ├── README.md │ │ ├── dns.yaml │ │ ├── nginx-config.yaml │ │ └── nginx-plus-config.yaml │ └── websocket │ │ └── README.md └── shared-examples │ ├── custom-log-format │ └── README.md │ ├── custom-templates │ └── 
README.md │ ├── default-server-secret │ └── default-server-secret.yaml │ ├── nginx-plus-secret │ ├── README.md │ └── configmap.yaml │ ├── otel │ ├── README.md │ └── nginx-config.yaml │ ├── proxy-protocol │ └── README.md │ ├── rbac │ └── README.md │ ├── usage-reporting │ ├── cluster-connector.yaml │ └── scc.yaml │ └── wildcard-tls-certificate │ └── README.md ├── go.mod ├── go.sum ├── grafana ├── NGINXPlusICDashboard.json ├── README.md └── dashboard.png ├── hack ├── boilerplate.go.txt ├── changelog-template.txt ├── docker.sh ├── update-codegen.sh └── verify-codegen.sh ├── internal ├── certmanager │ ├── cm_controller.go │ ├── cm_controller_test.go │ ├── helper.go │ ├── helper_test.go │ ├── sync.go │ ├── sync_test.go │ └── test_files │ │ ├── actions.go │ │ ├── context.go │ │ ├── context_builder.go │ │ ├── reactors.go │ │ ├── recorder.go │ │ └── util.go ├── common_cluster_info │ └── common_cluster_info.go ├── configs │ ├── annotations.go │ ├── annotations_test.go │ ├── commonhelpers │ │ ├── common_template_helpers.go │ │ └── common_template_helpers_test.go │ ├── config_params.go │ ├── config_params_test.go │ ├── configmaps.go │ ├── configmaps_test.go │ ├── configurator.go │ ├── configurator_bench_test.go │ ├── configurator_test.go │ ├── dos.go │ ├── dos_test.go │ ├── ingress.go │ ├── ingress_test.go │ ├── njs │ │ └── apikey_auth.js │ ├── oidc │ │ ├── oidc.conf │ │ ├── oidc_common.conf │ │ └── openid_connect.js │ ├── parsing_helpers.go │ ├── parsing_helpers_test.go │ ├── transportserver.go │ ├── transportserver_test.go │ ├── version1 │ │ ├── __snapshots__ │ │ │ └── template_test.snap │ │ ├── config.go │ │ ├── nginx-plus.ingress.tmpl │ │ ├── nginx-plus.tmpl │ │ ├── nginx.ingress.tmpl │ │ ├── nginx.tmpl │ │ ├── template_executor.go │ │ ├── template_executor_test.go │ │ ├── template_helper.go │ │ ├── template_helper_test.go │ │ └── template_test.go │ ├── version2 │ │ ├── __snapshots__ │ │ │ └── templates_test.snap │ │ ├── http.go │ │ ├── nginx-plus.transportserver.tmpl │ │ 
├── nginx-plus.virtualserver.tmpl │ │ ├── nginx.transportserver.tmpl │ │ ├── nginx.virtualserver.tmpl │ │ ├── stream.go │ │ ├── template_executor.go │ │ ├── template_executor_test.go │ │ ├── template_helper.go │ │ ├── template_helper_test.go │ │ └── templates_test.go │ ├── virtualserver.go │ ├── virtualserver_test.go │ └── warnings.go ├── externaldns │ ├── controller.go │ ├── doc.go │ ├── handlers.go │ ├── sync.go │ └── sync_test.go ├── healthcheck │ ├── healthcheck.go │ └── healthcheck_test.go ├── k8s │ ├── appprotect │ │ ├── app_protect_configuration.go │ │ └── app_protect_configuration_test.go │ ├── appprotect_dos.go │ ├── appprotect_waf.go │ ├── appprotect_waf_test.go │ ├── appprotectcommon │ │ ├── app_protect_common_resources.go │ │ └── app_protect_common_resources_test.go │ ├── appprotectdos │ │ ├── app_protect_dos_configuration.go │ │ └── app_protect_dos_configuration_test.go │ ├── configmap.go │ ├── configuration.go │ ├── configuration_test.go │ ├── controller.go │ ├── controller_test.go │ ├── endpoint_slice.go │ ├── global_configuration.go │ ├── handlers.go │ ├── handlers_test.go │ ├── ingress_link.go │ ├── leader.go │ ├── namespace.go │ ├── policy.go │ ├── reference_checkers.go │ ├── reference_checkers_test.go │ ├── secrets │ │ ├── store.go │ │ ├── store_test.go │ │ ├── validation.go │ │ └── validation_test.go │ ├── service.go │ ├── service_test.go │ ├── status.go │ ├── status_test.go │ ├── task_queue.go │ ├── transport_server.go │ ├── utils.go │ ├── validation.go │ └── validation_test.go ├── license_reporting │ ├── license_reporting.go │ └── license_reporting_test.go ├── logger │ ├── events.go │ ├── glog │ │ ├── handler.go │ │ └── handler_test.go │ ├── levels │ │ └── levels.go │ └── logger.go ├── metadata │ ├── metadata.go │ └── metadata_test.go ├── metrics │ ├── collectors │ │ ├── collectors.go │ │ ├── controller.go │ │ ├── latency.go │ │ ├── latency_test.go │ │ ├── manager.go │ │ ├── processes.go │ │ └── workqueue.go │ ├── listener.go │ └── 
syslog_listener.go ├── nginx │ ├── fake_manager.go │ ├── manager.go │ ├── manager_test.go │ ├── utils.go │ ├── verify.go │ ├── verify_test.go │ ├── version.go │ └── version_test.go ├── telemetry │ ├── cluster.go │ ├── cluster_test.go │ ├── collector.go │ ├── collector_test.go │ ├── data.avdl │ ├── data_attributes_generated.go │ ├── exporter.go │ └── nicresourcecounts_attributes_generated.go └── validation │ ├── validation.go │ └── validation_test.go ├── perf-tests ├── .gitignore ├── README.md ├── conftest.py ├── data │ ├── appprotect-ingress.yaml │ └── non-ap-ingress.yaml └── suite │ ├── ap_request_perf.py │ ├── common.py │ ├── ing_request_perf.py │ ├── test_ap_reload_perf.py │ ├── test_ingress_perf.py │ ├── test_vs_perf.py │ └── vs_request_perf.py ├── pkg ├── apis │ ├── configuration │ │ ├── register.go │ │ ├── v1 │ │ │ ├── doc.go │ │ │ ├── register.go │ │ │ ├── types.go │ │ │ └── zz_generated.deepcopy.go │ │ └── validation │ │ │ ├── appprotect.go │ │ │ ├── appprotect_common.go │ │ │ ├── appprotect_common_test.go │ │ │ ├── appprotect_test.go │ │ │ ├── common.go │ │ │ ├── common_test.go │ │ │ ├── globalconfiguration.go │ │ │ ├── globalconfiguration_test.go │ │ │ ├── policy.go │ │ │ ├── policy_test.go │ │ │ ├── transportserver.go │ │ │ ├── transportserver_test.go │ │ │ ├── virtualserver.go │ │ │ └── virtualserver_test.go │ ├── dos │ │ ├── register.go │ │ ├── v1beta1 │ │ │ ├── doc.go │ │ │ ├── register.go │ │ │ ├── types.go │ │ │ └── zz_generated.deepcopy.go │ │ └── validation │ │ │ ├── dos.go │ │ │ └── dos_test.go │ └── externaldns │ │ ├── register.go │ │ ├── v1 │ │ ├── doc.go │ │ ├── register.go │ │ ├── types.go │ │ └── zz_generated.deepcopy.go │ │ └── validation │ │ ├── doc.go │ │ ├── externaldns.go │ │ └── externaldns_test.go └── client │ ├── clientset │ └── versioned │ │ ├── clientset.go │ │ ├── fake │ │ ├── clientset_generated.go │ │ ├── doc.go │ │ └── register.go │ │ ├── scheme │ │ ├── doc.go │ │ └── register.go │ │ └── typed │ │ ├── configuration │ │ └── v1 │ 
│ │ ├── configuration_client.go │ │ │ ├── doc.go │ │ │ ├── fake │ │ │ ├── doc.go │ │ │ ├── fake_configuration_client.go │ │ │ ├── fake_globalconfiguration.go │ │ │ ├── fake_policy.go │ │ │ ├── fake_transportserver.go │ │ │ ├── fake_virtualserver.go │ │ │ └── fake_virtualserverroute.go │ │ │ ├── generated_expansion.go │ │ │ ├── globalconfiguration.go │ │ │ ├── policy.go │ │ │ ├── transportserver.go │ │ │ ├── virtualserver.go │ │ │ └── virtualserverroute.go │ │ ├── dos │ │ └── v1beta1 │ │ │ ├── doc.go │ │ │ ├── dos_client.go │ │ │ ├── dosprotectedresource.go │ │ │ ├── fake │ │ │ ├── doc.go │ │ │ ├── fake_dos_client.go │ │ │ └── fake_dosprotectedresource.go │ │ │ └── generated_expansion.go │ │ └── externaldns │ │ └── v1 │ │ ├── dnsendpoint.go │ │ ├── doc.go │ │ ├── externaldns_client.go │ │ ├── fake │ │ ├── doc.go │ │ ├── fake_dnsendpoint.go │ │ └── fake_externaldns_client.go │ │ └── generated_expansion.go │ ├── informers │ └── externalversions │ │ ├── configuration │ │ ├── interface.go │ │ └── v1 │ │ │ ├── globalconfiguration.go │ │ │ ├── interface.go │ │ │ ├── policy.go │ │ │ ├── transportserver.go │ │ │ ├── virtualserver.go │ │ │ └── virtualserverroute.go │ │ ├── dos │ │ ├── interface.go │ │ └── v1beta1 │ │ │ ├── dosprotectedresource.go │ │ │ └── interface.go │ │ ├── externaldns │ │ ├── interface.go │ │ └── v1 │ │ │ ├── dnsendpoint.go │ │ │ └── interface.go │ │ ├── factory.go │ │ ├── generic.go │ │ └── internalinterfaces │ │ └── factory_interfaces.go │ └── listers │ ├── configuration │ └── v1 │ │ ├── expansion_generated.go │ │ ├── globalconfiguration.go │ │ ├── policy.go │ │ ├── transportserver.go │ │ ├── virtualserver.go │ │ └── virtualserverroute.go │ ├── dos │ └── v1beta1 │ │ ├── dosprotectedresource.go │ │ └── expansion_generated.go │ └── externaldns │ └── v1 │ ├── dnsendpoint.go │ └── expansion_generated.go ├── pyproject.toml ├── site ├── .hugo_build.lock ├── .markdownlint.json ├── Makefile ├── README.md ├── config │ ├── _default │ │ └── config.toml │ ├── 
development │ │ └── config.toml │ ├── docker │ │ └── config.toml │ ├── production │ │ └── config.toml │ └── staging │ │ └── config.toml ├── content │ ├── _index.md │ ├── community.md │ ├── configuration │ │ ├── _index.md │ │ ├── access-control.md │ │ ├── configuration-examples.md │ │ ├── global-configuration │ │ │ ├── _index.md │ │ │ ├── command-line-arguments.md │ │ │ ├── configmap-resource.md │ │ │ ├── custom-templates.md │ │ │ ├── globalconfiguration-resource.md │ │ │ ├── mgmt-configmap-resource.md │ │ │ └── reporting-resources-status.md │ │ ├── host-and-listener-collisions.md │ │ ├── ingress-resources │ │ │ ├── _index.md │ │ │ ├── advanced-configuration-with-annotations.md │ │ │ ├── advanced-configuration-with-snippets.md │ │ │ ├── basic-configuration.md │ │ │ ├── cross-namespace-configuration.md │ │ │ └── custom-annotations.md │ │ ├── policy-resource.md │ │ ├── security.md │ │ ├── transportserver-resource.md │ │ └── virtualserver-and-virtualserverroute-resources.md │ ├── glossary.md │ ├── includes │ │ ├── compatibility-tables │ │ │ └── nic-nap.md │ │ ├── index.md │ │ ├── installation │ │ │ ├── create-common-resources.md │ │ │ ├── create-custom-resources.md │ │ │ ├── deploy-controller.md │ │ │ ├── download-jwt.md │ │ │ ├── jwt-password-note.md │ │ │ └── manifests │ │ │ │ ├── daemonset.md │ │ │ │ ├── deployment.md │ │ │ │ └── verify-pods-are-running.md │ │ └── rbac │ │ │ └── set-up-rbac.md │ ├── installation │ │ ├── _index.md │ │ ├── build-nginx-ingress-controller.md │ │ ├── create-license-secret.md │ │ ├── ingress-nginx.md │ │ ├── installing-nic │ │ │ ├── _index.md │ │ │ ├── deploy-with-nap-using-helm.md │ │ │ ├── installation-with-helm.md │ │ │ ├── installation-with-manifests.md │ │ │ ├── installation-with-operator.md │ │ │ └── upgrade-to-v4.md │ │ ├── integrations │ │ │ ├── _index.md │ │ │ ├── app-protect-dos │ │ │ │ ├── _index.md │ │ │ │ ├── configuration.md │ │ │ │ ├── dos-protected.md │ │ │ │ ├── installation.md │ │ │ │ └── troubleshoot-app-protect-dos.md 
│ │ │ ├── app-protect-waf-v5 │ │ │ │ ├── _index.md │ │ │ │ ├── compile-waf-policies.md │ │ │ │ ├── configuration.md │ │ │ │ ├── installation.md │ │ │ │ └── troubleshoot-app-protect-waf.md │ │ │ ├── app-protect-waf │ │ │ │ ├── _index.md │ │ │ │ ├── configuration.md │ │ │ │ └── installation.md │ │ │ ├── f5-ingresslink.md │ │ │ ├── nic-n1-console.md │ │ │ └── opentracing.md │ │ ├── nic-images │ │ │ ├── _index.md │ │ │ ├── get-image-using-jwt.md │ │ │ ├── get-registry-image.md │ │ │ ├── use-aws-image.md │ │ │ └── use-gcp-image.md │ │ └── run-multiple-ingress-controllers.md │ ├── logging-and-monitoring │ │ ├── _index.md │ │ ├── logging.md │ │ ├── prometheus.md │ │ ├── service-insight.md │ │ └── status-page.md │ ├── overview │ │ ├── _index.md │ │ ├── about.md │ │ ├── controller-comparison.md │ │ ├── design.md │ │ ├── nginx-plus.md │ │ └── product-telemetry.md │ ├── releases.md │ ├── technical-specifications.md │ ├── troubleshooting │ │ ├── _index.md │ │ ├── troubleshoot-common.md │ │ ├── troubleshoot-configmap-policy.md │ │ ├── troubleshoot-ingress.md │ │ ├── troubleshoot-support.md │ │ ├── troubleshoot-transportserver.md │ │ └── troubleshoot-virtualserver.md │ ├── tutorials │ │ ├── _index.md │ │ ├── custom-listen-ports.md │ │ ├── ingress-path-regex-annotation.md │ │ ├── nginx-dynamic-module.md │ │ ├── nginx-ingress-istio.md │ │ ├── nginx-ingress-linkerd.md │ │ ├── nginx-ingress-osm.md │ │ ├── oidc-custom-configuration.md │ │ ├── security-monitoring.md │ │ └── virtual-server-with-custom-listener-ports.md │ └── usage-reporting.md ├── developer │ ├── README.md │ ├── debugging.md │ └── telemetry-schema-generation.md ├── go.mod ├── go.sum ├── hugo-entrypoint.sh ├── layouts │ └── shortcodes │ │ ├── call-out.html │ │ ├── custom-styles.html │ │ ├── nic-helm-version.html │ │ ├── nic-operator-version.html │ │ └── nic-version.html ├── md-linkcheck-config.json └── static │ └── img │ ├── control-loop.png │ ├── controller-sync.png │ ├── ecr-pull-instructions.png │ ├── 
gke-create-cluster.png │ ├── gke-creating-cluster.png │ ├── gke-existing-cluster.png │ ├── gke-ingress-controller-application.png │ ├── gke-install-to-new-cluster.png │ ├── ic-high-level.png │ ├── ic-pod.png │ ├── ic-process-components.png │ ├── ic-process.png │ ├── nginx-envoy.png │ ├── nginx_istio_small.png │ └── nginx_plain.png ├── tests ├── .flake8 ├── .gitignore ├── Dockerfile ├── Makefile ├── README.md ├── ci-files │ └── ci-kind-config.yaml ├── conftest.py ├── data │ ├── access-control │ │ ├── configmap │ │ │ └── nginx-config.yaml │ │ ├── policies │ │ │ ├── access-control-policy-allow.yaml │ │ │ ├── access-control-policy-deny.yaml │ │ │ └── access-control-policy-invalid.yaml │ │ ├── route-subroute │ │ │ ├── virtual-server-allow-route.yaml │ │ │ ├── virtual-server-deny-route.yaml │ │ │ ├── virtual-server-invalid-route.yaml │ │ │ ├── virtual-server-override-route.yaml │ │ │ ├── virtual-server-override-spec-route.yaml │ │ │ ├── virtual-server-route-allow-subroute.yaml │ │ │ ├── virtual-server-route-deny-subroute.yaml │ │ │ ├── virtual-server-route-invalid-subroute.yaml │ │ │ ├── virtual-server-route-override-subroute.yaml │ │ │ ├── virtual-server-vsr-route-override.yaml │ │ │ └── virtual-server-vsr-spec-override.yaml │ │ ├── spec │ │ │ ├── virtual-server-allow.yaml │ │ │ ├── virtual-server-deny.yaml │ │ │ ├── virtual-server-invalid.yaml │ │ │ └── virtual-server-override.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── annotations │ │ ├── configmap-with-keys.yaml │ │ ├── grpc │ │ │ └── annotations-ingress.yaml │ │ ├── mergeable │ │ │ ├── annotations-ingress.yaml │ │ │ └── minion-annotations-differ.yaml │ │ └── standard │ │ │ ├── annotations-ingress-snippets.yaml │ │ │ └── annotations-ingress.yaml │ ├── ap-waf-grpc │ │ ├── grpc-block-saygoodbye.yaml │ │ ├── grpc-block-sayhello.yaml │ │ ├── logconf.yaml │ │ ├── nginx-config.yaml │ │ ├── policies │ │ │ ├── waf-block-saygoodbye.yaml │ │ │ └── waf-block-sayhello.yaml │ │ ├── syslog.yaml │ │ ├── 
tls-secret.yaml │ │ ├── virtual-server-route-waf.yaml │ │ ├── virtual-server-waf-spec.yaml │ │ └── vsr-virtual-server-spec.yaml │ ├── ap-waf-v5 │ │ ├── policies │ │ │ └── waf.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-route-waf-subroute.yaml │ │ ├── virtual-server-waf-route.yaml │ │ ├── virtual-server-waf-spec.yaml │ │ └── wafv5.json │ ├── ap-waf │ │ ├── ap-ic-uds.yaml │ │ ├── dataguard-alarm-uds.yaml │ │ ├── logconf-esc.yaml │ │ ├── logconf.yaml │ │ ├── policies │ │ │ ├── waf-dataguard.yaml │ │ │ └── waf-default.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── syslog.yaml │ │ ├── syslog2.yaml │ │ ├── virtual-server-route-waf-subroute.yaml │ │ ├── virtual-server-waf-route.yaml │ │ ├── virtual-server-waf-spec.yaml │ │ └── webapp.yaml │ ├── apikey-auth-policy │ │ ├── policies │ │ │ ├── apikey-policy-server.yaml │ │ │ ├── apikey-policy-valid-2.yaml │ │ │ ├── apikey-policy-valid.yaml │ │ │ └── apikey-policy-vs-route.yaml │ │ ├── secret │ │ │ ├── apikey-secret-1.yaml │ │ │ ├── apikey-secret-2.yaml │ │ │ ├── apikey-secret-route.yaml │ │ │ └── apikey-secret-server.yaml │ │ └── spec │ │ │ ├── virtual-server-policy-single.yaml │ │ │ └── vsr │ │ │ ├── backend1-vsr.yaml │ │ │ ├── backend2-vsr.yaml │ │ │ └── virtual-server-with-vsr.yaml │ ├── appprotect │ │ ├── ap-ic-uds.yaml │ │ ├── ap-user-def-browser.yaml │ │ ├── appprotect-ingress.yaml │ │ ├── appprotect-secret.yaml │ │ ├── csrf.yaml │ │ ├── dataguard-alarm-uds.yaml │ │ ├── dataguard-alarm.yaml │ │ ├── file-block.yaml │ │ ├── grpc │ │ │ ├── grpc-block-saygoodbye.yaml │ │ │ ├── grpc-block-sayhello.yaml │ │ │ ├── ingress.yaml │ │ │ └── nginx-config.yaml │ │ ├── logconf.yaml │ │ ├── malformed-block.yaml │ │ ├── syslog.yaml │ │ └── syslog2.yaml │ ├── auth-basic-auth-mergeable │ │ ├── auth-basic-master-secret-updated.yaml │ │ ├── auth-basic-master-secret.yaml │ │ ├── auth-basic-minion-secret-updated.yaml │ │ ├── auth-basic-minion-secret.yaml │ │ ├── credentials │ │ │ ├── 
auth-basic-auth-master-credentials.txt │ │ │ └── auth-basic-auth-minion-credentials.txt │ │ └── mergeable │ │ │ └── auth-basic-auth-ingress.yaml │ ├── auth-basic-policy │ │ ├── credentials.txt │ │ ├── credentials2.txt │ │ ├── invalid-credentials-no-pwd.txt │ │ ├── invalid-credentials-no-user.txt │ │ ├── invalid-credentials-pwd.txt │ │ ├── invalid-credentials-user.txt │ │ ├── invalid-credentials.txt │ │ ├── policies │ │ │ ├── auth-basic-policy-invalid-secret.yaml │ │ │ ├── auth-basic-policy-invalid.yaml │ │ │ ├── auth-basic-policy-valid-multi.yaml │ │ │ └── auth-basic-policy-valid.yaml │ │ ├── route-subroute │ │ │ ├── virtual-server-override-route.yaml │ │ │ ├── virtual-server-override-spec-route-1.yaml │ │ │ ├── virtual-server-override-spec-route-2.yaml │ │ │ ├── virtual-server-route-invalid-subroute-secret.yaml │ │ │ ├── virtual-server-route-invalid-subroute.yaml │ │ │ ├── virtual-server-route-override-subroute.yaml │ │ │ ├── virtual-server-route-valid-subroute-multi.yaml │ │ │ ├── virtual-server-route-valid-subroute.yaml │ │ │ ├── virtual-server-vsr-route-override.yaml │ │ │ └── virtual-server-vsr-spec-override.yaml │ │ ├── secret │ │ │ ├── htpasswd-secret-invalid.yaml │ │ │ ├── htpasswd-secret-valid-empty.yaml │ │ │ └── htpasswd-secret-valid.yaml │ │ └── spec │ │ │ ├── virtual-server-policy-multi-1.yaml │ │ │ ├── virtual-server-policy-multi-2.yaml │ │ │ ├── virtual-server-policy-single-invalid-pol.yaml │ │ │ ├── virtual-server-policy-single-invalid-secret.yaml │ │ │ └── virtual-server-policy-single.yaml │ ├── auth-basic-secrets │ │ ├── auth-basic-secret-invalid.yaml │ │ ├── auth-basic-secret-updated.yaml │ │ ├── auth-basic-secret.yaml │ │ ├── credentials │ │ │ └── credentials.txt │ │ ├── mergeable │ │ │ └── auth-basic-secrets-ingress.yaml │ │ └── standard │ │ │ └── auth-basic-secrets-ingress.yaml │ ├── common-secrets │ │ ├── app-tls-secret-app.example.com.yaml │ │ ├── appprotect-secret-appprotect.example.com.yaml │ │ ├── cafe-secret-cafe.example.com.yaml │ │ ├── 
default-server-secret-NGINXIngressController.yaml │ │ ├── default-server-secret-cafe.example.com-gb.yaml │ │ ├── test-secret-cafe.example.com.yaml │ │ ├── tls-secret-cafe.example.com-gb.yaml │ │ ├── tls-secret-cafe.example.com.yaml │ │ ├── tls-secret-invalid-cafe.example.com.yaml │ │ ├── tls-secret-virtual-server.example.com.yaml │ │ ├── transport-server-tls-secret-cafe.example.com-gb.yaml │ │ ├── transport-server-tls-secret-kic.example.com.yaml │ │ ├── wildcard-tls-secret-example.com-gb.yaml │ │ ├── wildcard-tls-secret-example.com.yaml │ │ └── wildcard-tls-secret-invalid-example.com.yaml │ ├── common │ │ ├── app │ │ │ ├── advanced-routing │ │ │ │ └── app.yaml │ │ │ ├── dos │ │ │ │ └── app.yaml │ │ │ ├── extended │ │ │ │ └── app.yaml │ │ │ ├── grpc-vs-mixed │ │ │ │ └── app.yaml │ │ │ ├── grpc-vs │ │ │ │ └── app.yaml │ │ │ ├── grpc │ │ │ │ └── app.yaml │ │ │ ├── keycloak │ │ │ │ └── app.yaml │ │ │ ├── secure-ca │ │ │ │ └── app.yaml │ │ │ ├── secure │ │ │ │ ├── app.yaml │ │ │ │ ├── config-map │ │ │ │ │ └── secure-config.yaml │ │ │ │ ├── deployment │ │ │ │ │ └── secure-app.yaml │ │ │ │ └── secret │ │ │ │ │ └── app-tls-secret.yaml │ │ │ ├── simple │ │ │ │ └── app.yaml │ │ │ ├── split │ │ │ │ └── app.yaml │ │ │ ├── vsr │ │ │ │ └── secure │ │ │ │ │ ├── multiple.yaml │ │ │ │ │ └── single.yaml │ │ │ ├── weight-changes-dynamic-reload-vsr-many-splits │ │ │ │ └── app.yaml │ │ │ └── weight-changes-dynamic-reload-vsr │ │ │ │ └── app.yaml │ │ ├── backend1-svc.yaml │ │ ├── backend1.yaml │ │ ├── configmap-with-grpc.yaml │ │ ├── default-server-secret.yaml │ │ ├── ns-patch.yaml │ │ ├── ns.yaml │ │ └── service │ │ │ ├── loadbalancer-with-additional-ports.yaml │ │ │ └── nodeport-with-additional-ports.yaml │ ├── custom-annotations │ │ ├── mergeable │ │ │ ├── annotations-ingress.yaml │ │ │ └── nginx-config.yaml │ │ └── standard │ │ │ ├── annotations-ingress.yaml │ │ │ └── nginx-config.yaml │ ├── default-server │ │ ├── invalid-tls-secret.yaml │ │ └── new-tls-secret.yaml │ ├── dos │ │ ├── 
appprotect-dos-arb-svc.yaml │ │ ├── appprotect-dos-arb.yaml │ │ ├── arbitrator_ns.yaml │ │ ├── bad_clients_xff.sh │ │ ├── dos-accesslog.yaml │ │ ├── dos-ingress.yaml │ │ ├── dos-logconf.yaml │ │ ├── dos-policy.yaml │ │ ├── dos-protected.yaml │ │ ├── dos-syslog.yaml │ │ ├── good_clients_xff.sh │ │ ├── nginx-config-arb-dif-ns.yaml │ │ ├── nginx-config.yaml │ │ └── tls-secret.yaml │ ├── egress-mtls │ │ ├── policies │ │ │ ├── egress-mtls-invalid.yaml │ │ │ └── egress-mtls.yaml │ │ ├── route-subroute │ │ │ ├── virtual-server-mtls.yaml │ │ │ ├── virtual-server-route-mtls.yaml │ │ │ └── virtual-server-vsr.yaml │ │ ├── secret │ │ │ ├── egress-mtls-secret-crl.yaml │ │ │ ├── egress-mtls-secret.yaml │ │ │ └── tls-secret.yaml │ │ ├── spec │ │ │ ├── virtual-server-mtls-diff-host.yaml │ │ │ └── virtual-server-mtls.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── externalname-services │ │ ├── externalname-ingress.yaml │ │ ├── externalname-svc.yaml │ │ └── nginx-config.yaml │ ├── filter-secrets │ │ ├── filtered-secret-1.yaml │ │ ├── filtered-secret-2.yaml │ │ └── nginx-ingress-secret.yaml │ ├── hsts │ │ ├── mergeable-tls │ │ │ └── hsts-ingress.yaml │ │ ├── mergeable │ │ │ └── hsts-ingress.yaml │ │ ├── standard-tls │ │ │ └── hsts-ingress.yaml │ │ ├── standard │ │ │ └── hsts-ingress.yaml │ │ └── tls-no-secret │ │ │ └── hsts-ingress.yaml │ ├── ingress-class │ │ ├── custom-class-ingress.yaml │ │ ├── nginx-class-ingress.yaml │ │ ├── no-class-ingress.yaml │ │ └── resource │ │ │ └── custom-ingress-class-res.yaml │ ├── ingress-mtls │ │ ├── client-auth │ │ │ ├── crl │ │ │ │ └── webapp.crl │ │ │ ├── invalid │ │ │ │ ├── client-cert.pem │ │ │ │ └── client-key.pem │ │ │ ├── not-revoked │ │ │ │ ├── client-cert.pem │ │ │ │ └── client-key.pem │ │ │ ├── revoked │ │ │ │ ├── client-cert.pem │ │ │ │ └── client-key.pem │ │ │ └── valid │ │ │ │ ├── client-cert.pem │ │ │ │ └── client-key.pem │ │ ├── policies │ │ │ ├── ingress-mtls-crl.yaml │ │ │ ├── ingress-mtls-invalid.yaml │ │ │ └── 
ingress-mtls.yaml │ │ ├── route-subroute │ │ │ ├── virtual-server-mtls.yaml │ │ │ ├── virtual-server-route-mtls.yaml │ │ │ └── virtual-server-vsr.yaml │ │ ├── secret │ │ │ ├── ingress-mtls-secret-crl.yaml │ │ │ ├── ingress-mtls-secret.yaml │ │ │ └── tls-secret.yaml │ │ ├── spec │ │ │ └── virtual-server-mtls.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── jwt-auth-mergeable │ │ ├── jwt-master-secret-updated.yaml │ │ ├── jwt-master-secret.yaml │ │ ├── jwt-minion-secret-updated.yaml │ │ ├── jwt-minion-secret.yaml │ │ ├── mergeable │ │ │ └── jwt-auth-ingress.yaml │ │ └── tokens │ │ │ ├── jwt-auth-master-token.jwt │ │ │ └── jwt-auth-minion-token.jwt │ ├── jwt-policy-jwksuri │ │ ├── configmap │ │ │ └── nginx-config.yaml │ │ ├── policies │ │ │ ├── jwt-policy-invalid.yaml │ │ │ └── jwt-policy-valid.yaml │ │ ├── virtual-server-route │ │ │ ├── virtual-server-route-invalid-policy-subroute.yaml │ │ │ └── virtual-server-route-policy-subroute.yaml │ │ └── virtual-server │ │ │ ├── virtual-server-invalid-policy-route-subpath.yaml │ │ │ ├── virtual-server-invalid-policy-route.yaml │ │ │ ├── virtual-server-invalid-policy-spec.yaml │ │ │ ├── virtual-server-policy-route-subpath-diff-host.yaml │ │ │ ├── virtual-server-policy-route-subpath.yaml │ │ │ ├── virtual-server-policy-route.yaml │ │ │ ├── virtual-server-policy-spec-and-route.yaml │ │ │ └── virtual-server-policy-spec.yaml │ ├── jwt-policy │ │ ├── invalid-token.jwt │ │ ├── policies │ │ │ ├── jwt-policy-invalid-secret.yaml │ │ │ ├── jwt-policy-invalid.yaml │ │ │ ├── jwt-policy-valid-multi.yaml │ │ │ └── jwt-policy-valid.yaml │ │ ├── route-subroute │ │ │ ├── virtual-server-override-route.yaml │ │ │ ├── virtual-server-override-spec-route-1.yaml │ │ │ ├── virtual-server-override-spec-route-2.yaml │ │ │ ├── virtual-server-route-invalid-subroute-secret.yaml │ │ │ ├── virtual-server-route-invalid-subroute.yaml │ │ │ ├── virtual-server-route-override-subroute.yaml │ │ │ ├── virtual-server-route-valid-subroute-multi.yaml │ │ │ 
├── virtual-server-route-valid-subroute.yaml │ │ │ ├── virtual-server-vsr-route-override.yaml │ │ │ └── virtual-server-vsr-spec-override.yaml │ │ ├── secret │ │ │ ├── jwk-secret-invalid.yaml │ │ │ └── jwk-secret-valid.yaml │ │ ├── spec │ │ │ ├── virtual-server-policy-multi-1.yaml │ │ │ ├── virtual-server-policy-multi-2.yaml │ │ │ ├── virtual-server-policy-single-invalid-pol.yaml │ │ │ ├── virtual-server-policy-single-invalid-secret.yaml │ │ │ └── virtual-server-policy-single.yaml │ │ └── token.jwt │ ├── jwt-secrets │ │ ├── jwt-secret-invalid.yaml │ │ ├── jwt-secret-updated.yaml │ │ ├── jwt-secret.yaml │ │ ├── mergeable │ │ │ └── jwt-secrets-ingress.yaml │ │ ├── standard │ │ │ └── jwt-secrets-ingress.yaml │ │ └── tokens │ │ │ └── jwt-secrets-token.jwt │ ├── mgmt-configmap-keys │ │ ├── all-options.yaml │ │ ├── plus-token-name-keys.yaml │ │ ├── ssl-cert.yaml │ │ └── ssl-trusted-cert.yaml │ ├── oidc │ │ ├── client-secret.yaml │ │ ├── nginx-config-zs.yaml │ │ ├── nginx-config.yaml │ │ ├── nginx-ingress-headless.yaml │ │ ├── oidc.yaml │ │ ├── virtual-server-idp.yaml │ │ └── virtual-server.yaml │ ├── otel │ │ ├── configmap-with-all-except-endpoint.yaml │ │ ├── configmap-with-all.yaml │ │ ├── configmap-with-endpoint.yaml │ │ ├── configmap-with-header.yaml │ │ ├── configmap-with-only-header-name.yaml │ │ ├── configmap-with-only-header-value.yaml │ │ ├── configmap-with-otel-trace.yaml │ │ ├── configmap-with-service-name.yaml │ │ └── default-configmap.yaml │ ├── policy-ingress-class │ │ ├── policy-ingress-class.yaml │ │ ├── policy-other-ingress-class.yaml │ │ ├── policy.yaml │ │ ├── virtual-server-policy.yaml │ │ └── virtual-server.yaml │ ├── prometheus │ │ ├── secret.yaml │ │ └── transport-server │ │ │ ├── global-configuration.yaml │ │ │ ├── passthrough.yaml │ │ │ ├── tcp.yaml │ │ │ └── udp.yaml │ ├── rate-limit │ │ ├── ingress │ │ │ ├── mergeable-scaled │ │ │ │ └── annotations-rl-ingress.yaml │ │ │ ├── mergeable │ │ │ │ └── annotations-rl-ingress.yaml │ │ │ ├── 
standard-scaled │ │ │ │ └── annotations-rl-ingress.yaml │ │ │ └── standard │ │ │ │ └── annotations-rl-ingress.yaml │ │ ├── policies │ │ │ ├── rate-limit-invalid.yaml │ │ │ ├── rate-limit-jwt-claim-sub.yaml │ │ │ ├── rate-limit-primary-scaled.yaml │ │ │ ├── rate-limit-primary.yaml │ │ │ ├── rate-limit-secondary.yaml │ │ │ ├── rate-limit-tiered-basic-no-default-jwt-claim-sub.yaml │ │ │ ├── rate-limit-tiered-basic-with-default-jwt-claim-sub.yaml │ │ │ ├── rate-limit-tiered-bronze-with-default-jwt-claim-sub.yaml │ │ │ ├── rate-limit-tiered-gold-no-default-jwt-claim-sub.yaml │ │ │ ├── rate-limit-tiered-premium-no-default-jwt-claim-sub.yaml │ │ │ ├── rate-limit-tiered-premium-with-default-jwt-claim-sub.yaml │ │ │ └── rate-limit-tiered-silver-no-default-jwt-claim-sub.yaml │ │ ├── route-subroute │ │ │ ├── virtual-server-override-route.yaml │ │ │ ├── virtual-server-override-spec-route.yaml │ │ │ ├── virtual-server-route-invalid-subroute.yaml │ │ │ ├── virtual-server-route-jwt-claim-sub.yaml │ │ │ ├── virtual-server-route-mutliple-tiered-jwt-claim-sub.yaml │ │ │ ├── virtual-server-route-override-subroute.yaml │ │ │ ├── virtual-server-route-pri-subroute-scaled.yaml │ │ │ ├── virtual-server-route-pri-subroute.yaml │ │ │ ├── virtual-server-route-sec-subroute.yaml │ │ │ ├── virtual-server-route-tiered-basic-premium-jwt-claim-sub.yaml │ │ │ ├── virtual-server-route-tiered-bronze-silver-gold-jwt-claim-sub.yaml │ │ │ ├── virtual-server-vsr-route-override.yaml │ │ │ ├── virtual-server-vsr-spec-override.yaml │ │ │ ├── virtual-server-vsr-tiered-basic-premium-route-override.yaml │ │ │ └── virtual-server-vsr-tiered-basic-premium-spec-override.yaml │ │ ├── spec │ │ │ ├── virtual-server-invalid.yaml │ │ │ ├── virtual-server-jwt-claim-sub.yaml │ │ │ ├── virtual-server-override.yaml │ │ │ ├── virtual-server-primary-scaled.yaml │ │ │ ├── virtual-server-primary.yaml │ │ │ ├── virtual-server-route-tiered-basic-premium-jwt-claim-sub.yaml │ │ │ ├── virtual-server-secondary.yaml │ │ │ └── 
virtual-server-tiered-basic-premium-jwt-claim-sub.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── rewrites │ │ ├── hello.yaml │ │ ├── virtual-server-parent.yaml │ │ ├── virtual-server-rewrite.yaml │ │ ├── virtual-server-route-prefixes.yaml │ │ ├── virtual-server-route-regex1.yaml │ │ └── virtual-server-route-regex2.yaml │ ├── service-insight │ │ ├── app.yaml │ │ └── secret.yaml │ ├── smoke │ │ ├── implementation-specific-pathtype │ │ │ └── smoke-ingress.yaml │ │ ├── mergeable │ │ │ └── smoke-ingress.yaml │ │ ├── smoke-secret.yaml │ │ └── standard │ │ │ └── smoke-ingress.yaml │ ├── startup │ │ └── virtual-server-routes │ │ │ ├── route.yaml │ │ │ └── virtual-server.yaml │ ├── tls │ │ ├── invalid-tls-secret.yaml │ │ ├── mergeable │ │ │ └── ingress.yaml │ │ ├── new-tls-secret.yaml │ │ ├── standard │ │ │ └── ingress.yaml │ │ └── tls-secret.yaml │ ├── transport-server-backup-service │ │ ├── backup-svc.yaml │ │ ├── nginx-config.yaml │ │ ├── standard │ │ │ ├── secure-app.yaml │ │ │ └── transport-server.yaml │ │ └── transport-server-with-backup.yaml │ ├── transport-server-custom-ip-listener │ │ ├── global-configuration.yaml │ │ └── transport-server.yaml │ ├── transport-server-externalname │ │ ├── external-svc-deployment.yaml │ │ ├── externalname-svc.yaml │ │ ├── nginx-config.yaml │ │ └── standard │ │ │ ├── global-configuration.yaml │ │ │ ├── service_deployment.yaml │ │ │ └── transport-server.yaml │ ├── transport-server-status │ │ ├── rejected-invalid.yaml │ │ ├── rejected-warning.yaml │ │ └── standard │ │ │ ├── global-configuration-invalid-preceding-udp.yaml │ │ │ ├── global-configuration-invalid-tcp.yaml │ │ │ ├── global-configuration.yaml │ │ │ ├── service_deployment.yaml │ │ │ └── transport-server.yaml │ ├── transport-server-tcp-load-balance │ │ ├── failing-hc-transport-server.yaml │ │ ├── max-connections-transport-server.yaml │ │ ├── method-transport-server.yaml │ │ ├── missing-service-transport-server.yaml │ │ ├── new-tls-secret.yaml │ │ ├── 
passing-hc-transport-server.yaml │ │ ├── second-transport-server.yaml │ │ ├── standard │ │ │ ├── global-configuration.yaml │ │ │ ├── service_deployment.yaml │ │ │ └── transport-server.yaml │ │ ├── tcp-tls-secret.yaml │ │ ├── transport-server-tls.yaml │ │ └── wrong-port-transport-server.yaml │ ├── transport-server-tls-passthrough │ │ ├── nginx-config.yaml │ │ ├── standard │ │ │ ├── secure-app.yaml │ │ │ └── transport-server.yaml │ │ ├── transport-server-same-host.yaml │ │ └── virtual-server-same-host.yaml │ ├── transport-server-udp-load-balance │ │ ├── failing-hc-transport-server.yaml │ │ ├── missing-service-transport-server.yaml │ │ ├── passing-hc-transport-server.yaml │ │ ├── second-transport-server.yaml │ │ ├── standard │ │ │ ├── global-configuration.yaml │ │ │ ├── service_deployment.yaml │ │ │ └── transport-server.yaml │ │ └── wrong-port-transport-server.yaml │ ├── transport-server-with-host │ │ ├── cafe-secret.yaml │ │ └── transport-server-with-host.yaml │ ├── transport-server │ │ ├── transport-server-configurable-timeouts.yaml │ │ └── transport-server-snippets.yaml │ ├── udp-http-listeners-together │ │ ├── global-configuration.yaml │ │ ├── transport-server.yaml │ │ └── virtual-server.yaml │ ├── upgrade-test-resources │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ ├── ns.yaml │ │ ├── secret.yaml │ │ ├── service.yaml │ │ ├── tcp-deployment.yaml │ │ ├── transport-server.yaml │ │ └── virtual-server.yaml │ ├── use-cluster-ip │ │ └── ingress │ │ │ ├── mergeable │ │ │ ├── minion-ingress.yaml │ │ │ └── use-cluster-ip-ingress.yaml │ │ │ └── standard │ │ │ └── use-cluster-ip-ingress.yaml │ ├── virtual-server-advanced-routing │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-argument.yaml │ │ ├── virtual-server-complex.yaml │ │ ├── virtual-server-cookie.yaml │ │ └── virtual-server-variable.yaml │ ├── virtual-server-backup-service │ │ ├── backup-svc.yaml │ │ ├── nginx-config.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ └── 
virtual-server-backup.yaml │ ├── virtual-server-canned-responses │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-invalid-openapi.yaml │ │ ├── virtual-server-invalid.yaml │ │ └── virtual-server-updated.yaml │ ├── virtual-server-certmanager │ │ ├── ca-issuer.yaml │ │ ├── certmanager.yaml │ │ ├── self-signed.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── tls-secret.yaml │ │ ├── virtual-server-no-cm.yaml │ │ ├── virtual-server-no-secret.yaml │ │ ├── virtual-server-no-tls.yaml │ │ └── virtual-server-updated.yaml │ ├── virtual-server-configmap-keys │ │ ├── configmap-global-variables.yaml │ │ ├── configmap-invalid.yaml │ │ ├── configmap-no-validation-keys-invalid.yaml │ │ ├── configmap-no-validation-keys.yaml │ │ ├── configmap-ssl-keys-invalid.yaml │ │ ├── configmap-ssl-keys.yaml │ │ ├── configmap-valid.yaml │ │ ├── configmap-validation-keys-invalid-oss.yaml │ │ ├── configmap-validation-keys-invalid.yaml │ │ ├── configmap-validation-keys-oss.yaml │ │ ├── configmap-validation-keys.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-custom-listeners │ │ ├── global-configuration-forbidden-port-http.yaml │ │ ├── global-configuration-forbidden-port-preceding-udp.yaml │ │ ├── global-configuration-http-https-ipv4ip-http-https-ipv6ip.yaml │ │ ├── global-configuration-http-ipv4ip-https-ipv6ip.yaml │ │ ├── global-configuration-http-listener-with-ssl.yaml │ │ ├── global-configuration-https-listener-without-ssl.yaml │ │ ├── global-configuration-missing-http-https.yaml │ │ ├── global-configuration-missing-http.yaml │ │ ├── global-configuration-missing-https.yaml │ │ ├── global-configuration-repeated-http-port.yaml │ │ ├── global-configuration.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-http-https-listeners-switched.yaml │ │ ├── virtual-server-http-listener-in-https-block.yaml │ │ ├── virtual-server-https-listener-in-http-block.yaml │ │ └── virtual-server.yaml │ ├── virtual-server-dos │ │ ├── 
dos-logconf.yaml │ │ ├── dos-policy.yaml │ │ ├── dos-protected.yaml │ │ ├── syslog.yaml │ │ ├── virtual-server-block-server.yaml │ │ ├── virtual-server.yaml │ │ └── webapp.yaml │ ├── virtual-server-dynamic-configuration │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-error-pages │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-invalid-openapi.yaml │ │ ├── virtual-server-invalid.yaml │ │ ├── virtual-server-matches.yaml │ │ ├── virtual-server-splits.yaml │ │ └── virtual-server-updated.yaml │ ├── virtual-server-external-dns │ │ ├── external-dns.yaml │ │ ├── nginx-config.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-no-ed.yaml │ │ └── virtual-server-updated.yaml │ ├── virtual-server-externalname │ │ ├── externalname-svc.yaml │ │ ├── nginx-config.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-focused-canary │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-grpc-mixed │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-grpc │ │ ├── nginx-config.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── tls-secret.yaml │ │ ├── virtual-server-error-page.yaml │ │ ├── virtual-server-healthcheck-fail.yaml │ │ ├── virtual-server-healthcheck-invalid.yaml │ │ ├── virtual-server-healthcheck.yaml │ │ ├── virtual-server-invalid-type.yaml │ │ └── virtual-server-updated.yaml │ ├── virtual-server-redirects │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-invalid-openapi.yaml │ │ ├── virtual-server-invalid.yaml │ │ └── virtual-server-updated.yaml │ ├── virtual-server-route-advanced-routing │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-route-argument.yaml │ │ ├── virtual-server-route-complex.yaml │ │ ├── virtual-server-route-cookie.yaml │ │ ├── virtual-server-route-header.yaml │ │ └── virtual-server-route-variable.yaml │ ├── virtual-server-route-canned-responses │ │ ├── route-multiple-invalid-openapi.yaml │ │ ├── 
route-multiple-invalid.yaml │ │ ├── route-multiple-updated.yaml │ │ ├── route-multiple.yaml │ │ ├── route-single.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-route-dynamic-configuration │ │ ├── route-multiple.yaml │ │ ├── route-single.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-route-error-pages │ │ ├── route-multiple-invalid-openapi.yaml │ │ ├── route-multiple-invalid.yaml │ │ ├── route-multiple-matches.yaml │ │ ├── route-multiple-splits.yaml │ │ ├── route-multiple-updated.yaml │ │ ├── route-multiple.yaml │ │ ├── route-single-invalid.yaml │ │ ├── route-single.yaml │ │ └── standard │ │ │ ├── virtual-server-updated.yaml │ │ │ └── virtual-server.yaml │ ├── virtual-server-route-externalname │ │ ├── externalname-svc.yaml │ │ ├── nginx-config.yaml │ │ ├── route-single.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-route-focused-canary │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ └── virtual-server-route.yaml │ ├── virtual-server-route-grpc │ │ ├── nginx-config.yaml │ │ ├── route-invalid-type.yaml │ │ ├── route-multiple-mixed.yaml │ │ ├── route-multiple.yaml │ │ ├── route-single.yaml │ │ ├── route-updated.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ └── tls-secret.yaml │ ├── virtual-server-route-redirects │ │ ├── route-multiple-invalid-openapi.yaml │ │ ├── route-multiple-invalid.yaml │ │ ├── route-multiple-updated.yaml │ │ ├── route-multiple.yaml │ │ ├── route-single.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-route-regexp-location │ │ ├── additional-case │ │ │ ├── route-exact.yaml │ │ │ ├── route-prefix.yaml │ │ │ ├── route-regexp.yaml │ │ │ ├── virtual-server-exact-over-all.yaml │ │ │ └── virtual-server-regexp-over-prefix.yaml │ │ ├── route-multiple-invalid-multiple-regexp-subroutes.yaml │ │ ├── route-multiple.yaml │ │ ├── route-single-case-insensitive.yaml │ │ ├── route-single-case-sensitive.yaml │ │ ├── route-single-exact.yaml │ │ ├── 
route-single.yaml │ │ └── standard │ │ │ ├── virtual-server-case-insensitive.yaml │ │ │ ├── virtual-server-case-sensitive.yaml │ │ │ ├── virtual-server-exact.yaml │ │ │ ├── virtual-server-invalid-duplicate-routes.yaml │ │ │ └── virtual-server.yaml │ ├── virtual-server-route-split-traffic │ │ ├── route-multiple.yaml │ │ ├── route-single.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-route-status │ │ ├── route-multiple-invalid-prefixed-path.yaml │ │ ├── route-multiple-invalid.yaml │ │ ├── route-multiple.yaml │ │ ├── route-single-invalid-prefixed-path.yaml │ │ ├── route-single-invalid.yaml │ │ ├── route-single.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ └── virtual-server-invalid.yaml │ ├── virtual-server-route-upstream-options │ │ ├── configmap-with-keys.yaml │ │ ├── plus-route-m-invalid-keys.yaml │ │ ├── plus-route-s-invalid-keys-openapi.yaml │ │ ├── plus-route-s-invalid-keys.yaml │ │ ├── route-multiple-invalid-keys.yaml │ │ ├── route-multiple.yaml │ │ ├── route-single-invalid-keys-openapi.yaml │ │ ├── route-single-invalid-keys.yaml │ │ ├── route-single.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-route-upstream-tls │ │ ├── route-multiple.yaml │ │ ├── route-single-disable-tls.yaml │ │ ├── route-single-invalid.yaml │ │ ├── route-single.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-route-weight-changes-dynamic-reload │ │ ├── configmap │ │ │ └── nginx-config.yaml │ │ ├── standard │ │ │ ├── virtual-server-many.yaml │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-route-initial.yaml │ │ ├── virtual-server-route-many-splits-initial.yaml │ │ ├── virtual-server-route-many-splits-swap.yaml │ │ └── virtual-server-route-swap.yaml │ ├── virtual-server-route │ │ ├── route-multiple-updated.yaml │ │ ├── route-multiple.yaml │ │ ├── route-orphan.yaml │ │ ├── route-single-duplicate-path.yaml │ │ ├── route-single-invalid-host.yaml │ │ ├── route-single-invalid-openapi.yaml │ │ ├── 
route-single.yaml │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-split-traffic │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-status │ │ ├── invalid-state.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ └── warning-state.yaml │ ├── virtual-server-tls-redirect │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-default-redirect.yaml │ │ ├── virtual-server-header-redirect.yaml │ │ ├── virtual-server-invalid.yaml │ │ ├── virtual-server-no-tls-termination-redirect.yaml │ │ └── virtual-server-scheme-redirect.yaml │ ├── virtual-server-tls │ │ ├── invalid-tls-secret.yaml │ │ ├── new-tls-secret.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ └── tls-secret.yaml │ ├── virtual-server-upstream-options │ │ ├── configmap-with-keys.yaml │ │ ├── plus-virtual-server-with-invalid-keys-openapi.yaml │ │ ├── plus-virtual-server-with-invalid-keys.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-with-invalid-keys-openapi.yaml │ │ └── virtual-server-with-invalid-keys.yaml │ ├── virtual-server-upstream-tls │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-disable-tls.yaml │ │ └── virtual-server-invalid.yaml │ ├── virtual-server-use-cluster-ip │ │ └── standard │ │ │ └── virtual-server.yaml │ ├── virtual-server-validation │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ ├── virtual-server-invalid-cookie.yaml │ │ └── virtual-server-no-default-action.yaml │ ├── virtual-server-weight-changes-dynamic-reload │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ └── virtual-server-weight-swap.yaml │ ├── virtual-server-wildcard │ │ └── virtual-server-wildcard.yaml │ ├── virtual-server │ │ ├── rbac-without-vs.yaml │ │ ├── standard │ │ │ ├── virtual-server-updated.yaml │ │ │ └── virtual-server.yaml │ │ └── virtual-server-gunzip.yaml │ ├── watch-namespace │ │ ├── foreign-ns-ingress.yaml │ │ ├── foreign-ns-virtual-server.yaml │ │ ├── watched-ns-ingress.yaml │ │ ├── 
watched-ns-virtual-server.yaml │ │ ├── watched-ns2-ingress.yaml │ │ └── watched-ns2-virtual-server.yaml │ ├── watch-secret-namespace │ │ ├── route-multiple.yaml │ │ ├── route-single.yaml │ │ ├── standard │ │ │ └── virtual-server.yaml │ │ └── tls-secret.yaml │ ├── wildcard-tls-secret │ │ ├── gb-wildcard-tls-secret.yaml │ │ ├── invalid-wildcard-tls-secret.yaml │ │ ├── mergeable │ │ │ └── wildcard-secret-ingress.yaml │ │ ├── standard │ │ │ └── wildcard-secret-ingress.yaml │ │ └── wildcard-tls-secret.yaml │ └── zone-sync │ │ ├── configmap-with-zonesync-disabled-with-all-fields.yaml │ │ ├── configmap-with-zonesync-disabled.yaml │ │ ├── configmap-with-zonesync-minimal-changed-port.yaml │ │ ├── configmap-with-zonesync-minimal.yaml │ │ ├── configmap-with-zonesync-port-resolver.yaml │ │ ├── configmap-with-zonesync-resolver-valid.yaml │ │ └── default-configmap.yaml ├── requirements.txt ├── settings.py └── suite │ ├── fixtures │ ├── custom_resource_fixtures.py │ ├── fixtures.py │ └── ic_fixtures.py │ ├── grpc │ ├── README.md │ ├── helloworld.proto │ ├── helloworld_pb2.py │ └── helloworld_pb2_grpc.py │ ├── test_ac_policies.py │ ├── test_ac_policies_vsr.py │ ├── test_agent_app_protect.py │ ├── test_annotations.py │ ├── test_apikey_auth_policies.py │ ├── test_app_protect_integration.py │ ├── test_app_protect_waf_policies.py │ ├── test_app_protect_waf_policies_grpc.py │ ├── test_app_protect_wafv5_integration.py │ ├── test_app_protect_wafv5_integration_rorfs.py │ ├── test_app_protect_watch_namespace.py │ ├── test_app_protect_watch_namespace_label.py │ ├── test_auth_basic_auth_mergeable.py │ ├── test_auth_basic_policies.py │ ├── test_auth_basic_policies_vsr.py │ ├── test_auth_basic_secrets.py │ ├── test_batch_reloads.py │ ├── test_batch_startup_times.py │ ├── test_build_info.py │ ├── test_custom_annotations.py │ ├── test_default_server.py │ ├── test_disable_ipv6.py │ ├── test_dos.py │ ├── test_egress_mtls.py │ ├── test_externalname_service.py │ ├── test_filter_secrets.py │ ├── 
test_healthcheck_uri.py │ ├── test_hsts.py │ ├── test_ingress_class.py │ ├── test_ingress_mtls.py │ ├── test_jwt_auth_mergeable.py │ ├── test_jwt_policies.py │ ├── test_jwt_policies_jwksuri.py │ ├── test_jwt_policies_jwksuri_vsr.py │ ├── test_jwt_policies_vsr.py │ ├── test_jwt_secrets.py │ ├── test_mgmt_configmap_keys.py │ ├── test_multiple_ns_perf.py │ ├── test_oidc.py │ ├── test_otel.py │ ├── test_policy_ingress_class.py │ ├── test_prometheus_metrics.py │ ├── test_rewrites.py │ ├── test_rl_ingress.py │ ├── test_rl_policies.py │ ├── test_rl_policies_vsr.py │ ├── test_smoke.py │ ├── test_snippet_flag.py │ ├── test_tls.py │ ├── test_transport_server.py │ ├── test_transport_server_backup_service.py │ ├── test_transport_server_custom_ip_listener.py │ ├── test_transport_server_external_name.py │ ├── test_transport_server_service_insight.py │ ├── test_transport_server_status.py │ ├── test_transport_server_tcp_load_balance.py │ ├── test_transport_server_udp_load_balance.py │ ├── test_transport_server_with_host.py │ ├── test_ts_tls_passthrough.py │ ├── test_udp_http_listeners_together.py │ ├── test_upgrade_resources.py │ ├── test_use_cluster_ip.py │ ├── test_v_s_route.py │ ├── test_v_s_route_advanced_routing.py │ ├── test_v_s_route_api.py │ ├── test_v_s_route_canned_responses.py │ ├── test_v_s_route_error_pages.py │ ├── test_v_s_route_externalname.py │ ├── test_v_s_route_focused_canary.py │ ├── test_v_s_route_grpc.py │ ├── test_v_s_route_redirects.py │ ├── test_v_s_route_regexp_location.py │ ├── test_v_s_route_split_traffic.py │ ├── test_v_s_route_status.py │ ├── test_v_s_route_upstream_options.py │ ├── test_v_s_route_upstream_tls.py │ ├── test_v_s_route_weight_changes_dynamic_reload.py │ ├── test_v_s_route_weight_changes_dynamic_reload_many_splits.py │ ├── test_virtual_server.py │ ├── test_virtual_server_advanced_routing.py │ ├── test_virtual_server_api.py │ ├── test_virtual_server_backup_service.py │ ├── test_virtual_server_canned_responses.py │ ├── 
test_virtual_server_certmanager.py │ ├── test_virtual_server_configmap_keys.py │ ├── test_virtual_server_custom_ip_listeners.py │ ├── test_virtual_server_custom_listeners.py │ ├── test_virtual_server_dos.py │ ├── test_virtual_server_error_pages.py │ ├── test_virtual_server_external_name.py │ ├── test_virtual_server_externaldns.py │ ├── test_virtual_server_focused_canary.py │ ├── test_virtual_server_grpc.py │ ├── test_virtual_server_mixed_grpc.py │ ├── test_virtual_server_redirects.py │ ├── test_virtual_server_service_insight.py │ ├── test_virtual_server_split_traffic.py │ ├── test_virtual_server_status.py │ ├── test_virtual_server_tls.py │ ├── test_virtual_server_tls_redirect.py │ ├── test_virtual_server_upstream_options.py │ ├── test_virtual_server_upstream_tls.py │ ├── test_virtual_server_use_cluster_ip_reloads.py │ ├── test_virtual_server_validation.py │ ├── test_virtual_server_weight_changes_without_reload.py │ ├── test_virtual_server_wildcard.py │ ├── test_watch_namespace.py │ ├── test_watch_namespace_label.py │ ├── test_watch_secret_namespace.py │ ├── test_wildcard_tls_secret.py │ ├── test_zone_sync.py │ └── utils │ ├── ap_resources_utils.py │ ├── custom_assertions.py │ ├── custom_resources_utils.py │ ├── dos_utils.py │ ├── kube_config_utils.py │ ├── nginx_api_utils.py │ ├── policy_resources_utils.py │ ├── resources_utils.py │ ├── ssl_utils.py │ ├── vs_vsr_resources_utils.py │ └── yaml_utils.py └── tools.go /.codecov.yml: -------------------------------------------------------------------------------- 1 | coverage: 2 | status: 3 | project: 4 | default: 5 | informational: true 6 | target: auto 7 | threshold: 0% 8 | patch: 9 | default: 10 | informational: true 11 | target: auto 12 | threshold: 0% 13 | changes: false 14 | ignore: 15 | - "pkg/client" 16 | - "**/*generated*.go" 17 | -------------------------------------------------------------------------------- /.dockerignore: -------------------------------------------------------------------------------- 1 | 
docs* 2 | examples* 3 | grafana 4 | tests/.pytest_cache 5 | tests/__pycache__ 6 | hack 7 | .git/modules 8 | .git/rr-cache 9 | .git/logs 10 | *.md 11 | *.crt 12 | *.key 13 | -------------------------------------------------------------------------------- /.fossa.yml: -------------------------------------------------------------------------------- 1 | version: 3 2 | targets: 3 | exclude: 4 | - type: setuptools 5 | paths: 6 | exclude: 7 | - site 8 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | contact_links: 3 | - name: NGINX Ingress Controller Documentation 4 | url: https://docs.nginx.com/nginx-ingress-controller 5 | about: Check out our documentation. 6 | - name: General inquiries 7 | url: https://github.com/nginx/kubernetes-ingress/discussions 8 | about: Please use Discussions for all other questions. 9 | -------------------------------------------------------------------------------- /.github/actionlint.yaml: -------------------------------------------------------------------------------- 1 | self-hosted-runner: 2 | # Labels of self-hosted runner in array of strings. 3 | labels: 4 | - kic-plus 5 | # Configuration variables in array of strings defined in your repository or 6 | # organization. `null` means disabling configuration variables check. 7 | # Empty array means no configuration variable is allowed. 
8 | config-variables: null 9 | -------------------------------------------------------------------------------- /.github/config/config-gcr-retag: -------------------------------------------------------------------------------- 1 | export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev 2 | declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl") 3 | declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl" "-alpine-fips") 4 | declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips") 5 | declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") 6 | declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") 7 | declare -a ADDITIONAL_TAGS=() 8 | -------------------------------------------------------------------------------- /.github/config/config-oss-dockerhub: -------------------------------------------------------------------------------- 1 | export TARGET_REGISTRY=docker.io 2 | export TARGET_OSS_IMAGE_PREFIX="nginx/nginx-ingress" 3 | export PUBLISH_PLUS=false 4 | export PUBLISH_WAF=false 5 | export PUBLISH_DOS=false 6 | export PUBLISH_WAF_DOS=false 7 | -------------------------------------------------------------------------------- /.github/config/config-oss-ecr: -------------------------------------------------------------------------------- 1 | export TARGET_REGISTRY=public.ecr.aws 2 | export TARGET_OSS_IMAGE_PREFIX="nginx/nginx-ingress" 3 | export PUBLISH_PLUS=false 4 | export PUBLISH_WAF=false 5 | export PUBLISH_DOS=false 6 | export PUBLISH_WAF_DOS=false 7 | -------------------------------------------------------------------------------- /.github/config/config-oss-gcr-release: -------------------------------------------------------------------------------- 1 | export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release 2 | export PUBLISH_PLUS=false 3 | export PUBLISH_WAF=false 4 | export PUBLISH_DOS=false 5 | export PUBLISH_WAF_DOS=false 6 | 
-------------------------------------------------------------------------------- /.github/config/config-oss-github: -------------------------------------------------------------------------------- 1 | export TARGET_REGISTRY=ghcr.io 2 | export TARGET_OSS_IMAGE_PREFIX="nginx/kubernetes-ingress" 3 | export PUBLISH_PLUS=false 4 | export PUBLISH_WAF=false 5 | export PUBLISH_DOS=false 6 | export PUBLISH_WAF_DOS=false 7 | -------------------------------------------------------------------------------- /.github/config/config-oss-quay: -------------------------------------------------------------------------------- 1 | export TARGET_REGISTRY=quay.io 2 | export TARGET_OSS_IMAGE_PREFIX="nginx/nginx-ingress" 3 | export PUBLISH_PLUS=false 4 | export PUBLISH_WAF=false 5 | export PUBLISH_DOS=false 6 | export PUBLISH_WAF_DOS=false 7 | -------------------------------------------------------------------------------- /.github/data/matrix-images-oss.json: -------------------------------------------------------------------------------- 1 | { 2 | "image": [ 3 | "debian", 4 | "alpine" 5 | ], 6 | "platforms": [ 7 | "linux/arm64, linux/amd64" 8 | ], 9 | "include": [ 10 | { 11 | "image": "ubi", 12 | "platforms": "linux/arm64, linux/amd64" 13 | } 14 | ] 15 | } 16 | -------------------------------------------------------------------------------- /.github/data/version.txt: -------------------------------------------------------------------------------- 1 | IC_VERSION=5.1.0 2 | HELM_CHART_VERSION=2.2.0 3 | -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @nginx/kic 2 | /site/ @nginx/kic @nginx/nginx-docs 3 | -------------------------------------------------------------------------------- /build/README.md: -------------------------------------------------------------------------------- 1 | # NGINX Ingress Controller 2 | 3 | For instructions, read the [Build NGINX 
Ingress Controller](https://docs.nginx.com/nginx-ingress-controller/installation/build-nginx-ingress-controller/>) documentation. 4 | -------------------------------------------------------------------------------- /build/dependencies/tracking.info.default: -------------------------------------------------------------------------------- 1 | {"integration": "nic"} 2 | -------------------------------------------------------------------------------- /build/scripts/agent.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # When WAF_VERSION indicates v4: create /etc/ssl/nms and /opt/nms-nap-compiler, then symlink /opt/app_protect into the latter under a versioned name. 3 | set -e 4 | # The test below is true when WAF_VERSION contains "v4": the ##*v4* expansion strips the whole value, leaving an empty string. 5 | # NOTE(review): it is also true when WAF_VERSION is empty or unset (there is no `set -u` here) - confirm callers always set it. 6 | if [ -z "${WAF_VERSION##*v4*}" ]; then 7 | NAP_VERSION=$(cat /opt/app_protect/VERSION) 8 | # Hand both directories to UID 101 / GID 0 (101 is the uid ubi-setup.sh assigns to nginx) and give the group the owner's permissions. 9 | mkdir -p /etc/ssl/nms /opt/nms-nap-compiler 10 | chown -R 101:0 /etc/ssl/nms /opt/nms-nap-compiler 11 | chmod -R g=u /etc/ssl/nms /opt/nms-nap-compiler 12 | # The link name carries the version string read from /opt/app_protect/VERSION above. 13 | ln -s /opt/app_protect "/opt/nms-nap-compiler/app_protect-${NAP_VERSION}" 14 | fi 15 | -------------------------------------------------------------------------------- /build/scripts/nap-dos.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Create the directories listed in the mkdir below, then make four paths world-writable. 3 | set -e 4 | # NOTE(review): mode 777 lets any user in the image write to these paths; if the writers run under a known UID/GID, the chown 101:0 + chmod g=u pattern used in nap-waf.sh would be tighter - confirm which users write here. 5 | mkdir -p /root/app_protect_dos /etc/nginx/dos/policies /etc/nginx/dos/logconfs /etc/nginx/dos/allowlist /shared/cores /var/log/adm /var/run/adm 6 | chmod 777 /shared/cores /var/log/adm /var/run/adm /etc/app_protect_dos # NOTE(review): /etc/app_protect_dos is not created by the mkdir above (which creates /root/app_protect_dos); presumably it already exists at this point - confirm, because set -e aborts the script if it is missing. 7 | -------------------------------------------------------------------------------- /build/scripts/nap-waf.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # For each listed directory: create it if missing, chown it to 101:0 and give the group the owner's permissions; finally make sure the user-signature index.conf exists. 3 | set -e 4 | # NOTE(review): ${i} is unquoted in the loop; harmless for this fixed list (no spaces or glob characters), but quote it if the list ever comes from a variable. 5 | for i in /etc/nginx/waf/nac-policies /etc/nginx/waf/nac-logconfs /etc/nginx/waf/nac-usersigs /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/; do 6 | if [ ! 
-d ${i} ]; then 7 | mkdir -p ${i} 8 | fi 9 | chown -R 101:0 ${i} 10 | chmod -R g=u ${i} 11 | done 12 | # NOTE(review): this touch runs after the chown/chmod loop, so if it creates index.conf the file keeps the invoking user's ownership and default mode - confirm UID 101 can still use it. 13 | touch /etc/nginx/waf/nac-usersigs/index.conf 14 | -------------------------------------------------------------------------------- /build/scripts/ubi-clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Remove the listed packages (including the shadow-utils and subscription-manager that ubi-setup.sh installs) and clear the package-manager cache. 3 | set -e 4 | # python3-requests appears twice in the list below; the repeat is redundant. 5 | microdnf remove -y shadow-utils subscription-manager python3-requests python3-cloud-what python3-subscription-manager-rhsm python3-setuptools python3-inotify python3-requests python3-urllib3 python3-idna 6 | microdnf clean all && rm -rf /var/cache/dnf 7 | -------------------------------------------------------------------------------- /build/scripts/ubi-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Install shadow-utils and subscription-manager, create the nginx system group and user with GID/UID 101, and import the signing key at /tmp/nginx_signing.key into the rpm keyring. 3 | set -e 4 | # NOTE(review): rpm --import trusts whatever file is at /tmp/nginx_signing.key; how that file is obtained and checked (for example against a pinned fingerprint) is outside this script - confirm in the build that copies it in. 5 | microdnf --nodocs install -y shadow-utils subscription-manager 6 | groupadd --system --gid 101 nginx 7 | useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx 8 | rpm --import /tmp/nginx_signing.key 9 | -------------------------------------------------------------------------------- /charts/nginx-ingress/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | *.png 3 | -------------------------------------------------------------------------------- /charts/nginx-ingress/README.md: -------------------------------------------------------------------------------- 1 | # Helm Documentation 2 | 3 | Please refer to the [Installation with Helm](https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/installation-with-helm/) guide in the NGINX Ingress Controller documentation site. 
4 | -------------------------------------------------------------------------------- /charts/nginx-ingress/chart-icon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/charts/nginx-ingress/chart-icon.png -------------------------------------------------------------------------------- /charts/nginx-ingress/crds: -------------------------------------------------------------------------------- 1 | ../../config/crd/bases/ -------------------------------------------------------------------------------- /charts/nginx-ingress/templates/controller-globalconfiguration.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.controller.globalConfiguration.create }} 2 | apiVersion: k8s.nginx.org/v1 3 | kind: GlobalConfiguration 4 | metadata: 5 | name: {{ include "nginx-ingress.controller.fullname" . }} 6 | namespace: {{ .Release.Namespace }} 7 | labels: 8 | {{- include "nginx-ingress.labels" . 
| nindent 4 }} 9 | spec: 10 | {{ toYaml .Values.controller.globalConfiguration.spec | indent 2 }} 11 | {{- end }} 12 | -------------------------------------------------------------------------------- /charts/nginx-ingress/values-nsm.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | name: controller 3 | enableLatencyMetrics: true 4 | nginxServiceMesh: 5 | enable: true 6 | enableEgress: true 7 | -------------------------------------------------------------------------------- /charts/nginx-ingress/values-plus.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | name: controller 3 | nginxplus: true 4 | image: 5 | repository: nginx-plus-ingress 6 | tag: "5.0.0" 7 | -------------------------------------------------------------------------------- /charts/tests/testdata/app-protect-dos.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | nginxplus: true 3 | appprotectdos: 4 | ## Enable the App Protect DoS module in the Ingress Controller. 5 | enable: true 6 | ## Enable debugging for App Protect DoS. 7 | debug: true 8 | ## Max number of nginx processes to support. 9 | maxWorkers: 5 10 | ## Max number of ADMD instances. 11 | maxDaemons: 10 12 | ## RAM memory size to consume in MB. 
13 | memory: 1024 14 | -------------------------------------------------------------------------------- /charts/tests/testdata/app-protect-waf.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | nginxplus: true 3 | appprotect: 4 | enable: true 5 | -------------------------------------------------------------------------------- /charts/tests/testdata/custom-resources.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | enableCustomResources: false 3 | -------------------------------------------------------------------------------- /charts/tests/testdata/daemonset.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | kind: daemonset 3 | -------------------------------------------------------------------------------- /charts/tests/testdata/global-configuration.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | globalConfiguration: 3 | create: true 4 | spec: 5 | listeners: 6 | - name: dns-udp 7 | port: 5353 8 | protocol: UDP 9 | - name: dns-tcp 10 | port: 5353 11 | protocol: TCP 12 | -------------------------------------------------------------------------------- /charts/tests/testdata/ingress-class.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | ingressClass: 3 | name: changed 4 | create: true 5 | setAsDefaultIngress: true 6 | -------------------------------------------------------------------------------- /charts/tests/testdata/plus-debug.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | nginxplus: true 3 | debug: 4 | enable: true 5 | continue: true 6 | -------------------------------------------------------------------------------- /charts/tests/testdata/plus-mgmt-custom-endpoint.yaml: 
-------------------------------------------------------------------------------- 1 | controller: 2 | nginxplus: true 3 | mgmt: 4 | usageReport: 5 | endpoint: "11.22.33.44" 6 | -------------------------------------------------------------------------------- /charts/tests/testdata/plus-mgmt-proxy-host-auth.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | nginxplus: true 3 | mgmt: 4 | usageReport: 5 | proxyHost: "44.55.66.77:88" 6 | proxyCredentialsSecretName: "custom-credentials" 7 | -------------------------------------------------------------------------------- /charts/tests/testdata/plus-mgmt-proxy-host.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | nginxplus: true 3 | mgmt: 4 | usageReport: 5 | proxyHost: "44.55.66.77:88" 6 | -------------------------------------------------------------------------------- /charts/tests/testdata/plus.yaml: -------------------------------------------------------------------------------- 1 | controller: 2 | nginxplus: true 3 | -------------------------------------------------------------------------------- /config/crd/app-protect-dos/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../bases/appprotectdos.f5.com_apdoslogconfs.yaml 5 | - ../bases/appprotectdos.f5.com_apdospolicy.yaml 6 | - ../bases/appprotectdos.f5.com_dosprotectedresources.yaml 7 | -------------------------------------------------------------------------------- /config/crd/app-protect-waf/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../bases/appprotect.f5.com_aplogconfs.yaml 5 | - ../bases/appprotect.f5.com_appolicies.yaml 6 | - 
../bases/appprotect.f5.com_apusersigs.yaml 7 | -------------------------------------------------------------------------------- /config/crd/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - bases/externaldns.nginx.org_dnsendpoints.yaml 5 | - bases/k8s.nginx.org_globalconfigurations.yaml 6 | - bases/k8s.nginx.org_policies.yaml 7 | - bases/k8s.nginx.org_transportservers.yaml 8 | - bases/k8s.nginx.org_virtualserverroutes.yaml 9 | - bases/k8s.nginx.org_virtualservers.yaml 10 | -------------------------------------------------------------------------------- /deployments/README.md: -------------------------------------------------------------------------------- 1 | # Installation 2 | 3 | This folder includes Kubernetes manifests for installing NGINX or NGINX Plus Ingress Controller. Read [the installation 4 | instructions](https://docs.nginx.com/nginx-ingress-controller/installation/). 
5 | -------------------------------------------------------------------------------- /deployments/common/ingress-class.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: IngressClass 3 | metadata: 4 | name: nginx 5 | # annotations: 6 | # ingressclass.kubernetes.io/is-default-class: "true" 7 | spec: 8 | controller: nginx.org/ingress-controller 9 | -------------------------------------------------------------------------------- /deployments/common/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | -------------------------------------------------------------------------------- /deployments/common/ns-and-sa.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: nginx-ingress 5 | --- 6 | apiVersion: v1 7 | kind: ServiceAccount 8 | metadata: 9 | name: nginx-ingress 10 | namespace: nginx-ingress 11 | #automountServiceAccountToken: false  # NOTE(review): hardening option - when enabled, pods using this ServiceAccount get no API token unless their own spec sets automountServiceAccountToken: true; confirm the controller's Deployment/DaemonSet opts in before uncommenting. 12 | -------------------------------------------------------------------------------- /deployments/common/plus-mgmt-configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: nginx-config-mgmt 5 | namespace: nginx-ingress 6 | data: 7 | license-token-secret-name: "license-token" 8 | -------------------------------------------------------------------------------- /deployments/service/appprotect-dos-arb-svc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: svc-appprotect-dos-arb 5 | namespace: nginx-ingress 6 | spec: 7 | selector: 8 | app: appprotect-dos-arb 9 | ports: 10 | - name: arb 11 | port: 3000 12 | 
protocol: TCP 13 | targetPort: 3000 14 | clusterIP: None 15 | -------------------------------------------------------------------------------- /deployments/service/loadbalancer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: nginx-ingress 5 | namespace: nginx-ingress 6 | spec: 7 | externalTrafficPolicy: Local 8 | type: LoadBalancer 9 | ports: 10 | - port: 80 11 | targetPort: 80 12 | protocol: TCP 13 | name: http 14 | - port: 443 15 | targetPort: 443 16 | protocol: TCP 17 | name: https 18 | selector: 19 | app: nginx-ingress 20 | -------------------------------------------------------------------------------- /deployments/service/nodeport.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: nginx-ingress 5 | namespace: nginx-ingress 6 | spec: 7 | type: NodePort 8 | ports: 9 | - port: 80 10 | targetPort: 80 11 | protocol: TCP 12 | name: http 13 | - port: 443 14 | targetPort: 443 15 | protocol: TCP 16 | name: https 17 | selector: 18 | app: nginx-ingress 19 | -------------------------------------------------------------------------------- /examples/custom-resources/access-control/README.md: -------------------------------------------------------------------------------- 1 | # Deploy a Policy for access control 2 | 3 | This is the example code used in the [Deploy a Policy for access control](https://docs.nginx.com/nginx-ingress-controller/configuration/access-control/) documentation. 
4 | -------------------------------------------------------------------------------- /examples/custom-resources/access-control/access-control-policy-allow.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: webapp-policy 5 | spec: 6 | accessControl: 7 | allow: 8 | - 10.0.0.0/8 9 | -------------------------------------------------------------------------------- /examples/custom-resources/access-control/access-control-policy-deny.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: webapp-policy 5 | spec: 6 | accessControl: 7 | deny: 8 | - 10.0.0.0/8 9 | -------------------------------------------------------------------------------- /examples/custom-resources/access-control/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | policies: 8 | - name: webapp-policy 9 | upstreams: 10 | - name: webapp 11 | service: webapp-svc 12 | port: 80 13 | routes: 14 | - path: / 15 | action: 16 | pass: webapp 17 | -------------------------------------------------------------------------------- /examples/custom-resources/api-key/api-key-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: api-key-policy 5 | spec: 6 | apiKey: 7 | suppliedIn: 8 | header: 9 | - "X-header-name" 10 | query: 11 | - "queryName" 12 | clientSecret: api-key-client-secret 13 | -------------------------------------------------------------------------------- /examples/custom-resources/api-key/api-key-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 
2 | kind: Secret 3 | metadata: 4 | name: api-key-client-secret 5 | type: nginx.org/apikey 6 | data: # values under data are base64-encoded, not encrypted 7 | client1: cGFzc3dvcmQ= # base64 of "password" - sample value only; use a strong, unique key outside this example 8 | client2: YW5vdGhlci1wYXNzd29yZA== # base64 of "another-password" - sample value only 9 | -------------------------------------------------------------------------------- /examples/custom-resources/api-key/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/api-key/cafe-virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: cafe 5 | spec: 6 | host: cafe.example.com 7 | tls: 8 | secret: cafe-secret 9 | policies: 10 | - name: api-key-policy 11 | upstreams: 12 | - name: coffee 13 | service: coffee-svc 14 | port: 80 15 | routes: 16 | - path: /coffee 17 | action: 18 | pass: coffee 19 | -------------------------------------------------------------------------------- /examples/custom-resources/app-protect-dos/apdos-logconf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotectdos.f5.com/v1beta1 2 | kind: APDosLogConf 3 | metadata: 4 | name: doslogconf 5 | spec: 6 | filter: 7 | traffic-mitigation-stats: all 8 | bad-actors: top 10 9 | attack-signatures: top 10 10 | -------------------------------------------------------------------------------- /examples/custom-resources/app-protect-dos/apdos-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotectdos.f5.com/v1beta1 2 | kind: APDosPolicy 3 | metadata: 4 | name: dospolicy 5 | spec: 6 | mitigation_mode: "standard" 7 | signatures: "on" 8 | bad_actors: "on" 9 | automation_tools_detection: "on" 10 | tls_fingerprint: "on" 11 | 
-------------------------------------------------------------------------------- /examples/custom-resources/app-protect-dos/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | upstreams: 8 | - name: webapp 9 | service: webapp-svc 10 | port: 80 11 | routes: 12 | - path: / 13 | dos: dos-protected 14 | action: 15 | pass: webapp 16 | -------------------------------------------------------------------------------- /examples/custom-resources/app-protect-waf-v5/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | policies: 8 | - name: waf-policy 9 | upstreams: 10 | - name: webapp 11 | service: webapp-svc 12 | port: 80 13 | routes: 14 | - path: / 15 | action: 16 | pass: webapp 17 | -------------------------------------------------------------------------------- /examples/custom-resources/app-protect-waf-v5/waf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: waf-policy 5 | spec: 6 | waf: 7 | enable: true 8 | apBundle: ".tgz" 9 | securityLogs: 10 | - enable: true 11 | apLogBundle: ".tgz" 12 | logDest: "syslog:server=syslog-svc.default:514" 13 | -------------------------------------------------------------------------------- /examples/custom-resources/app-protect-waf/ap-logconf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotect.f5.com/v1beta1 2 | kind: APLogConf 3 | metadata: 4 | name: logconf 5 | spec: 6 | content: 7 | format: default 8 | max_message_size: 64k 9 | max_request_size: any 10 | filter: 11 | request_type: all 12 | 
-------------------------------------------------------------------------------- /examples/custom-resources/app-protect-waf/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | policies: 8 | - name: waf-policy 9 | upstreams: 10 | - name: webapp 11 | service: webapp-svc 12 | port: 80 13 | routes: 14 | - path: / 15 | action: 16 | pass: webapp 17 | -------------------------------------------------------------------------------- /examples/custom-resources/app-protect-waf/waf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: waf-policy 5 | spec: 6 | waf: 7 | enable: true 8 | apPolicy: "default/dataguard-alarm" 9 | securityLogs: 10 | - enable: true 11 | apLogConf: "default/logconf" 12 | logDest: "syslog:server=syslog-svc.default:514" 13 | -------------------------------------------------------------------------------- /examples/custom-resources/backup-directive/transport-server/app-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../../common-secrets/app-tls-secret-app.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/backup-directive/transport-server/backup-svc.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: backup-svc-ts 5 | spec: 6 | type: ExternalName 7 | externalName: secure-app-backup.external-ns.svc.cluster.local 8 | -------------------------------------------------------------------------------- /examples/custom-resources/backup-directive/transport-server/nginx-config.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | resolver-addresses: "kube-dns.kube-system.svc.cluster.local" 8 | -------------------------------------------------------------------------------- /examples/custom-resources/backup-directive/virtual-server/backup-svc.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: backup-svc 5 | spec: 6 | type: ExternalName 7 | externalName: coffee-backup-svc.external-ns.svc.cluster.local 8 | -------------------------------------------------------------------------------- /examples/custom-resources/backup-directive/virtual-server/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/backup-directive/virtual-server/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | resolver-addresses: "kube-dns.kube-system.svc.cluster.local" 8 | -------------------------------------------------------------------------------- /examples/custom-resources/basic-auth/basic-auth-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: basic-auth-policy 5 | spec: 6 | basicAuth: 7 | realm: Cafe App 8 | secret: cafe-passwd 9 | -------------------------------------------------------------------------------- /examples/custom-resources/basic-auth/cafe-passwd.yaml: 
-------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: cafe-passwd 4 | apiVersion: v1 5 | type: nginx.org/htpasswd 6 | stringData: 7 | htpasswd: | 8 | foo:$2y$10$e4CiBWaLq9JW93jV8r9CW.RE6fbsT3szmIsUhwqYuPfVlggXiBY76 9 | qux:$apr1$st218vzc$A3H7I83N9vLmczj73Byi3/ 10 | # bar 11 | # quux 12 | -------------------------------------------------------------------------------- /examples/custom-resources/basic-auth/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/basic-configuration/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/basic-tcp-udp/global-configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: nginx-configuration 5 | namespace: nginx-ingress 6 | spec: 7 | listeners: 8 | - name: dns-udp 9 | port: 5353 10 | protocol: UDP 11 | - name: dns-tcp 12 | port: 5353 13 | protocol: TCP 14 | -------------------------------------------------------------------------------- /examples/custom-resources/basic-tcp-udp/transport-server-tcp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: dns-tcp 5 | spec: 6 | listener: 7 | name: dns-tcp 8 | protocol: TCP 9 | upstreams: 10 | - name: dns-app 11 | service: coredns 12 | port: 5353 13 | action: 14 | pass: dns-app 15 | -------------------------------------------------------------------------------- 
/examples/custom-resources/basic-tcp-udp/transport-server-udp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: dns-udp 5 | spec: 6 | listener: 7 | name: dns-udp 8 | protocol: UDP 9 | upstreams: 10 | - name: dns-app 11 | service: coredns 12 | port: 5353 13 | upstreamParameters: 14 | udpRequests: 1 15 | udpResponses: 1 16 | action: 17 | pass: dns-app 18 | -------------------------------------------------------------------------------- /examples/custom-resources/cross-namespace-configuration/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/cross-namespace-configuration/cafe-virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: cafe 5 | namespace: cafe 6 | spec: 7 | host: cafe.example.com 8 | tls: 9 | secret: cafe-secret 10 | routes: 11 | - path: /tea 12 | route: tea/tea 13 | - path: /coffee 14 | route: coffee/coffee 15 | -------------------------------------------------------------------------------- /examples/custom-resources/cross-namespace-configuration/coffee-virtual-server-route.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: coffee 5 | namespace: coffee 6 | spec: 7 | host: cafe.example.com 8 | upstreams: 9 | - name: coffee 10 | service: coffee-svc 11 | port: 80 12 | subroutes: 13 | - path: /coffee 14 | action: 15 | pass: coffee 16 | -------------------------------------------------------------------------------- 
/examples/custom-resources/cross-namespace-configuration/namespaces.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: cafe 5 | --- 6 | apiVersion: v1 7 | kind: Namespace 8 | metadata: 9 | name: tea 10 | --- 11 | apiVersion: v1 12 | kind: Namespace 13 | metadata: 14 | name: coffee 15 | -------------------------------------------------------------------------------- /examples/custom-resources/cross-namespace-configuration/tea-virtual-server-route.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: tea 5 | namespace: tea 6 | spec: 7 | host: cafe.example.com 8 | upstreams: 9 | - name: tea 10 | service: tea-svc 11 | port: 80 12 | subroutes: 13 | - path: /tea 14 | action: 15 | pass: tea 16 | -------------------------------------------------------------------------------- /examples/custom-resources/custom-ip-listeners/transportserver/global-configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: my-release-nginx-ingress-controller 5 | spec: 6 | listeners: 7 | - name: tcp-ip-dns-listener 8 | port: 5353 9 | protocol: TCP 10 | ipv4: 127.0.0.1 11 | ipv6: ::1 12 | - name: udp-ip-dns-listener 13 | port: 5252 14 | protocol: UDP 15 | ipv4: 127.0.0.2 16 | ipv6: ::1 17 | -------------------------------------------------------------------------------- /examples/custom-resources/custom-ip-listeners/transportserver/tcp-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: tcp-dns 5 | spec: 6 | listener: 7 | name: tcp-ip-dns-listener 8 | protocol: TCP 9 | upstreams: 10 | - name: dns-app 11 | service: coredns 
12 | port: 5353 13 | action: 14 | pass: dns-app 15 | -------------------------------------------------------------------------------- /examples/custom-resources/custom-ip-listeners/transportserver/udp-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: dns-udp 5 | spec: 6 | listener: 7 | name: udp-ip-dns-listener 8 | protocol: UDP 9 | upstreams: 10 | - name: dns-app 11 | service: coredns 12 | port: 5353 13 | upstreamParameters: 14 | udpRequests: 1 15 | udpResponses: 1 16 | action: 17 | pass: dns-app 18 | -------------------------------------------------------------------------------- /examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/custom-listeners/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/custom-listeners/global-configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: nginx-configuration 5 | namespace: nginx-ingress 6 | spec: 7 | listeners: 8 | - name: http-8083 9 | port: 8083 10 | protocol: HTTP 11 | - name: https-8443 12 | port: 8443 13 | protocol: HTTP 14 | ssl: true 15 | -------------------------------------------------------------------------------- /examples/custom-resources/custom-templates/README.md: -------------------------------------------------------------------------------- 1 | # Custom 
Templates 2 | 3 | The Ingress Controller uses a template to generate NGINX configuration for VirtualServer resources. You can customize 4 | the template and apply it via the ConfigMap. See the [combined custom 5 | templates](../../examples/shared-examples/custom-templates/README.md) example, which shows how to customize the template 6 | for the VirtualServer resource as well as the other templates used by the Ingress Controller. 7 | -------------------------------------------------------------------------------- /examples/custom-resources/egress-mtls/egress-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: egress-mtls-policy 5 | spec: 6 | egressMTLS: 7 | tlsSecret: egress-mtls-secret # certificate and key NGINX presents to the upstream 8 | trustedCertSecret: egress-trusted-ca-secret # CA certificate the upstream's certificate is verified against 9 | verifyServer: on # turns on verification of the upstream certificate; unquoted on is a boolean only to YAML 1.1 parsers, true is the unambiguous spelling 10 | verifyDepth: 2 11 | serverName: on # passes the server name to the upstream through SNI 12 | sslName: secure-app.example.com # server name used when verifying the upstream certificate 13 | -------------------------------------------------------------------------------- /examples/custom-resources/egress-mtls/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | upstreams: 8 | - name: secure-app 9 | service: secure-app 10 | port: 8443 11 | tls: 12 | enable: true # TLS towards the upstream; the egress-mtls-policy on the route below supplies the client certificate and verification settings 13 | routes: 14 | - path: / 15 | policies: 16 | - name: egress-mtls-policy 17 | action: 18 | pass: secure-app 19 | -------------------------------------------------------------------------------- /examples/custom-resources/external-dns/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml: 
-------------------------------------------------------------------------------- 1 | ../../../common-secrets/app-tls-secret-app.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/externalname-services/transport-server/externalname-svc.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: externalname-service 5 | spec: 6 | type: ExternalName 7 | externalName: secure-app-external-backend-svc.external-ns.svc.cluster.local 8 | -------------------------------------------------------------------------------- /examples/custom-resources/externalname-services/transport-server/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | resolver-addresses: "kube-dns.kube-system.svc.cluster.local" 8 | -------------------------------------------------------------------------------- /examples/custom-resources/grpc-upstreams/greeter-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/greeter-secret-virtual-server.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/grpc-upstreams/greeter-virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: cafe 5 | spec: 6 | host: greeter.example.com 7 | tls: 8 | secret: greeter-secret 9 | upstreams: 10 | - name: grpc 11 | service: grpc-svc 12 | port: 50051 13 | type: grpc 14 | routes: 15 | - path: "/helloworld.Greeter" 16 | action: 17 | pass: grpc 18 | -------------------------------------------------------------------------------- 
/examples/custom-resources/grpc-upstreams/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | http2: "true" 8 | -------------------------------------------------------------------------------- /examples/custom-resources/ingress-mtls/ingress-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: ingress-mtls-policy 5 | spec: 6 | ingressMTLS: 7 | clientCertSecret: ingress-mtls-secret 8 | verifyClient: "on" 9 | verifyDepth: 1 10 | -------------------------------------------------------------------------------- /examples/custom-resources/ingress-mtls/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/tls-secret-webapp.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/ingress-mtls/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | tls: 8 | secret: tls-secret 9 | policies: 10 | - name: ingress-mtls-policy 11 | upstreams: 12 | - name: webapp 13 | service: webapp-svc 14 | port: 80 15 | routes: 16 | - path: / 17 | action: 18 | pass: webapp 19 | -------------------------------------------------------------------------------- /examples/custom-resources/jwks/jwks.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: jwt-policy 5 | spec: 6 | jwt: 7 | realm: MyProductAPI 8 | token: $http_token 9 | jwksURI: 
http://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs # plain-HTTP fetch of the signing keys inside the cluster: nothing authenticates the key set in transit, so prefer an https endpoint where the IdP offers one 10 | keyCache: 1h # fetched keys are cached for up to an hour, so a key rotated or withdrawn at the IdP can stay accepted that long 11 | -------------------------------------------------------------------------------- /examples/custom-resources/jwks/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | resolver-addresses: "kube-dns.kube-system.svc.cluster.local" # DNS resolver handed to NGINX; presumably needed so it can resolve the jwksURI host name 8 | -------------------------------------------------------------------------------- /examples/custom-resources/jwks/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/tls-secret-wildcard.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/jwks/virtual-server-idp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: keycloak 5 | spec: 6 | host: keycloak.example.com 7 | tls: 8 | secret: tls-secret 9 | redirect: 10 | enable: true 11 | upstreams: 12 | - name: keycloak 13 | service: keycloak 14 | port: 8080 15 | routes: 16 | - path: / 17 | action: 18 | pass: keycloak 19 | -------------------------------------------------------------------------------- /examples/custom-resources/jwks/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com # no tls section in this example, so tokens sent to this host travel over plain HTTP 7 | policies: 8 | - name: jwt-policy 9 | upstreams: 10 | - name: webapp 11 | service: webapp-svc 12 | port: 80 13 | routes: 14 | - path: / 15 | action: 16 | pass: webapp 17 | -------------------------------------------------------------------------------- /examples/custom-resources/jwt/jwk-secret.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: jwk-secret 5 | type: nginx.org/jwk 6 | data: 7 | jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJabUZ1ZEdGemRHbGphbmQwIiwKICAgICAgICAia3R5Ijoib2N0IiwKICAgICAgICAia2lkIjoiMDAwMSIKICAgIH1dCn0K # base64 of a JWK set with one symmetric (kty oct) key, kid 0001; base64 is encoding, not encryption, and this sample key is public, so generate a fresh one for real use 8 | -------------------------------------------------------------------------------- /examples/custom-resources/jwt/jwt.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: jwt-policy 5 | spec: 6 | jwt: 7 | realm: MyProductAPI 8 | secret: jwk-secret # Secret holding the keys that token signatures are checked against 9 | token: $http_token # the token is read from the request header named token 10 | -------------------------------------------------------------------------------- /examples/custom-resources/jwt/token.jwt: -------------------------------------------------------------------------------- 1 | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IjAwMDEifQ.eyJuYW1lIjoiUXVvdGF0aW9uIFN5c3RlbSIsInN1YiI6InF1b3RlcyIsImlzcyI6Ik15IEFQSSBHYXRld2F5In0.ggVOHYnVFB8GVPE-VOIo3jD71gTkLffAY0hQOGXPL2I 2 | -------------------------------------------------------------------------------- /examples/custom-resources/jwt/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com # no tls section in this example, so tokens sent to this host travel over plain HTTP 7 | policies: 8 | - name: jwt-policy 9 | upstreams: 10 | - name: webapp 11 | service: webapp-svc 12 | port: 80 13 | routes: 14 | - path: / 15 | action: 16 | pass: webapp 17 | -------------------------------------------------------------------------------- /examples/custom-resources/oidc/client-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: oidc-secret 5 | type: nginx.org/oidc 6 | data: 7 | client-secret: # empty on this page; set it to the base64-encoded client secret issued by the IdP and keep the filled-in file out of version control 8 | 
-------------------------------------------------------------------------------- /examples/custom-resources/oidc/keycloak.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/examples/custom-resources/oidc/keycloak.png -------------------------------------------------------------------------------- /examples/custom-resources/oidc/logout.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/examples/custom-resources/oidc/logout.png -------------------------------------------------------------------------------- /examples/custom-resources/oidc/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | zone-sync: "true" 8 | resolver-addresses: kube-dns.kube-system.svc.cluster.local 9 | resolver-valid: 5s 10 | -------------------------------------------------------------------------------- /examples/custom-resources/oidc/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/tls-secret-webapp.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/oidc/virtual-server-idp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: keycloak 5 | spec: 6 | host: keycloak.example.com 7 | tls: 8 | secret: tls-secret 9 | redirect: 10 | enable: true 11 | upstreams: 12 | - name: keycloak 13 | service: keycloak 14 | port: 8080 15 | routes: 16 | - path: / 17 | action: 18 | pass: keycloak 19 | 
-------------------------------------------------------------------------------- /examples/custom-resources/oidc/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | tls: 8 | secret: tls-secret 9 | redirect: 10 | enable: true # plain-HTTP requests are redirected to HTTPS 11 | upstreams: 12 | - name: webapp 13 | service: webapp-svc 14 | port: 80 15 | routes: 16 | - path: / 17 | policies: 18 | - name: oidc-policy 19 | action: 20 | pass: webapp 21 | -------------------------------------------------------------------------------- /examples/custom-resources/oidc/webapp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/examples/custom-resources/oidc/webapp.png -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit-jwt-claim/rate-limit.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: rate-limit-jwt 5 | spec: 6 | rateLimit: 7 | rate: 1r/s 8 | key: ${jwt_claim_sub} # one bucket per JWT sub claim; NGINX does not count requests whose key is empty, so requests without a usable sub claim are not limited by this policy alone. NOTE(review): confirm a jwt policy validates the token on the same routes 9 | zoneSize: 10M 10 | -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit-jwt-claim/token.jwt: -------------------------------------------------------------------------------- 1 | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IjAwMDEifQ.eyJuYW1lIjoiUXVvdGF0aW9uIFN5c3RlbSIsInN1YiI6InF1b3RlcyIsImlzcyI6Ik15IEFQSSBHYXRld2F5In0.ggVOHYnVFB8GVPE-VOIo3jD71gTkLffAY0hQOGXPL2I 2 | -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit-jwt-claim/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | policies: 8 | - name: rate-limit-jwt 9 | upstreams: 10 | - name: webapp 11 | service: webapp-svc 12 | port: 80 13 | routes: 14 | - path: / 15 | action: 16 | pass: webapp 17 | -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit-tiered-jwt-claim/basic-token.jwt: -------------------------------------------------------------------------------- 1 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjAwMDEifQ.eyJ1c2VyX2RldGFpbHMiOnsibGV2ZWwiOiJCYXNpYyJ9LCJzdWIiOiJjbGllbnQyIiwibmFtZSI6IkphbmUgRG9lIn0.Iy187N0_DQF-uQwGzsnn4fOwADNAYotNWB8nSMQaD2M -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: cafe 5 | spec: 6 | host: cafe.example.com 7 | tls: 8 | secret: cafe-secret 9 | upstreams: 10 | - name: coffee 11 | service: coffee-svc 12 | port: 80 13 | policies: 14 | - name: rate-limit-jwt-premium 15 | - name: rate-limit-jwt-basic 16 | routes: 17 | - path: /coffee 18 | action: 19 | pass: coffee 20 | -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit-tiered-jwt-claim/default-token.jwt: -------------------------------------------------------------------------------- 1 | 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjAwMDEifQ.eyJzdWIiOiJjbGllbnQzIiwibmFtZSI6IkJpbGx5IEJsb2dncyJ9.i0CScSOYEaMCkrIA8HpvElfjrdDr4pp2HEkpgnc8UVc -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit-tiered-jwt-claim/premium-token.jwt: -------------------------------------------------------------------------------- 1 | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjAwMDEifQ.eyJ1c2VyX2RldGFpbHMiOnsibGV2ZWwiOiJQcmVtaXVtIn0sInN1YiI6ImNsaWVudDUiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE1MTYyMzkwMjJ9.v2s74eW_jIkR0VKKv0JmQZ6WwQSdDDDtUTWFjAwg82c -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit/rate-limit.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: rate-limit-policy 5 | spec: 6 | rateLimit: 7 | rate: 1r/s 8 | key: ${binary_remote_addr} # one bucket per client address as NGINX sees it; behind a load balancer or proxy that is the proxy's address unless the real client IP is restored first 9 | zoneSize: 10M 10 | -------------------------------------------------------------------------------- /examples/custom-resources/rate-limit/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | policies: 8 | - name: rate-limit-policy 9 | upstreams: 10 | - name: webapp 11 | service: webapp-svc 12 | port: 80 13 | routes: 14 | - path: / 15 | action: 16 | pass: webapp 17 | -------------------------------------------------------------------------------- /examples/custom-resources/security-monitoring/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: webapp 5 | spec: 6 | host: webapp.example.com 7 | policies: 8 | - name: waf-policy 9 | upstreams: 10 | - name: webapp 11 | service: webapp-svc 12 | 
port: 80 13 | routes: 14 | - path: / 15 | action: 16 | pass: webapp 17 | -------------------------------------------------------------------------------- /examples/custom-resources/security-monitoring/waf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: waf-policy 5 | spec: 6 | waf: 7 | enable: true 8 | apPolicy: "default/dataguard-alarm" 9 | securityLogs: 10 | - enable: true 11 | apLogConf: "default/logconf" 12 | logDest: "syslog:server=127.0.0.1:1514" 13 | -------------------------------------------------------------------------------- /examples/custom-resources/service-insight/service-insight-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/service-insight-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/tls-passthrough/app-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/app-tls-secret-app.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/tls-passthrough/transport-server-passthrough.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: secure-app 5 | spec: 6 | listener: 7 | name: tls-passthrough 8 | protocol: TLS_PASSTHROUGH 9 | host: app.example.com 10 | upstreams: 11 | - name: secure-app 12 | service: secure-app 13 | port: 8443 14 | action: 15 | pass: secure-app 16 | -------------------------------------------------------------------------------- /examples/custom-resources/transport-server-sni/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | 
../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/transport-server-sni/cafe-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: cafe-ts 5 | spec: 6 | host: cafe.example.com 7 | listener: 8 | name: tcp-listener 9 | protocol: TCP 10 | tls: 11 | secret: cafe-secret 12 | upstreams: 13 | - name: tcp-echo 14 | service: tcp-echo-service 15 | port: 7000 16 | action: 17 | pass: tcp-echo 18 | -------------------------------------------------------------------------------- /examples/custom-resources/transport-server-sni/mongo-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../../examples/common-secrets/mongo-secret-mongo.example.com.yaml -------------------------------------------------------------------------------- /examples/custom-resources/transport-server-sni/mongo-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: mongo-ts 5 | spec: 6 | host: mongo.example.com 7 | tls: 8 | secret: mongo-secret 9 | listener: 10 | name: tcp-listener 11 | protocol: TCP 12 | upstreams: 13 | - name: mongo 14 | service: mongodb 15 | port: 27017 16 | action: 17 | pass: mongo 18 | -------------------------------------------------------------------------------- /examples/custom-resources/zone-sync/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | zone-sync: "true" 8 | -------------------------------------------------------------------------------- 
/examples/ingress-resources/app-protect-dos/apdos-logconf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotectdos.f5.com/v1beta1 2 | kind: APDosLogConf 3 | metadata: 4 | name: doslogconf 5 | spec: 6 | filter: 7 | traffic-mitigation-stats: all 8 | bad-actors: top 10 9 | attack-signatures: top 10 10 | -------------------------------------------------------------------------------- /examples/ingress-resources/app-protect-dos/apdos-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotectdos.f5.com/v1beta1 2 | kind: APDosPolicy 3 | metadata: 4 | name: dospolicy 5 | spec: 6 | mitigation_mode: "standard" 7 | signatures: "on" 8 | bad_actors: "on" 9 | automation_tools_detection: "on" 10 | tls_fingerprint: "on" 11 | -------------------------------------------------------------------------------- /examples/ingress-resources/app-protect-dos/webapp-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/webapp-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/ingress-resources/app-protect-waf/ap-logconf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotect.f5.com/v1beta1 2 | kind: APLogConf 3 | metadata: 4 | name: logconf 5 | spec: 6 | content: 7 | format: default 8 | max_message_size: 64k 9 | max_request_size: any 10 | filter: 11 | request_type: all 12 | -------------------------------------------------------------------------------- /examples/ingress-resources/app-protect-waf/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- 
/examples/ingress-resources/basic-auth/cafe-passwd.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: cafe-passwd 4 | apiVersion: v1 5 | type: nginx.org/htpasswd 6 | stringData: # sample login shipped with the example: a bcrypt hash (cost 10) for user foo, with the password noted on the line after it; replace the entry before any real use 7 | htpasswd: | 8 | foo:$2y$10$e4CiBWaLq9JW93jV8r9CW.RE6fbsT3szmIsUhwqYuPfVlggXiBY76 9 | # bar 10 | -------------------------------------------------------------------------------- /examples/ingress-resources/basic-auth/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/ingress-resources/complete-example/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/ingress-resources/complete-example/dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/examples/ingress-resources/complete-example/dashboard.png -------------------------------------------------------------------------------- /examples/ingress-resources/custom-templates/README.md: -------------------------------------------------------------------------------- 1 | # Custom Templates 2 | 3 | The Ingress Controller uses a template to generate NGINX configuration for Ingress resources. You can customize the 4 | template and apply it via the ConfigMap. See the [combined custom 5 | templates](../../shared-examples/custom-templates/README.md) example, which shows how to customize the template 6 | for the Ingress resource as well as the other templates used by the Ingress Controller. 
7 | -------------------------------------------------------------------------------- /examples/ingress-resources/customization/README.md: -------------------------------------------------------------------------------- 1 | # Customization of NGINX Configuration 2 | 3 | This example has been transformed into the 4 | [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) and 5 | [Annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/) 6 | doc. 7 | -------------------------------------------------------------------------------- /examples/ingress-resources/daemon-set/README.md: -------------------------------------------------------------------------------- 1 | # Deploying NGINX and NGINX Plus Controllers as a Daemon Set 2 | 3 | You can deploy the NGINX or NGINX Plus controller as a [Daemon Set](https://kubernetes.io/docs/admin/daemons/). This 4 | allows you to deploy the controller on all or select nodes of your cluster. 5 | 6 | Read [the installation instructions](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/). 
7 | -------------------------------------------------------------------------------- /examples/ingress-resources/mergeable-ingress-types/cafe-master.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: cafe-ingress-master 5 | annotations: 6 | nginx.org/mergeable-ingress-type: "master" 7 | spec: 8 | ingressClassName: nginx 9 | tls: 10 | - hosts: 11 | - cafe.example.com 12 | secretName: cafe-secret 13 | rules: 14 | - host: cafe.example.com 15 | -------------------------------------------------------------------------------- /examples/ingress-resources/mergeable-ingress-types/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-master.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: cafe-ingress-master 5 | annotations: 6 | nginx.org/mergeable-ingress-type: "master" 7 | nginx.org/proxy-set-headers: "X-Forwarded-Master" 8 | spec: 9 | ingressClassName: nginx 10 | tls: 11 | - hosts: 12 | - cafe.example.com 13 | secretName: cafe-secret 14 | rules: 15 | - host: cafe.example.com 16 | -------------------------------------------------------------------------------- /examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml: 
-------------------------------------------------------------------------------- 1 | ../../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/ingress-resources/rate-limit/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/ingress-resources/security-monitoring/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /examples/shared-examples/default-server-secret/default-server-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/default-server-secret-NGINXIngressController.yaml -------------------------------------------------------------------------------- /examples/shared-examples/nginx-plus-secret/README.md: -------------------------------------------------------------------------------- 1 | # NGINX Plus Secret 2 | 3 | Refer to the [Create License Secret](https://docs.nginx.com/nginx-ingress-controller/installation/create-license-secret/) docs to download and create a License Secret 4 | -------------------------------------------------------------------------------- /examples/shared-examples/nginx-plus-secret/configmap.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: nginx-config-mgmt 5 | namespace: nginx-ingress 6 | data: 7 | license-token-secret-name: "license-token" 8 | -------------------------------------------------------------------------------- /examples/shared-examples/otel/nginx-config.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | otel-exporter-endpoint: "otel.example.com:4317" 8 | otel-service-name: "nginx-ingress-controller:nginx" 9 | otel-exporter-header-name: "x-otel-header" 10 | otel-exporter-header-value: "otel-header-value" 11 | # otel-trace-in-http: "true" # Uncomment to enable tracing at the HTTP level 12 | -------------------------------------------------------------------------------- /examples/shared-examples/rbac/README.md: -------------------------------------------------------------------------------- 1 | # RBAC 2 | 3 | It is possible to run the Ingress Controller in a cluster with 4 | [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) enabled. 5 | Read the [installation instructions](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/). 6 | -------------------------------------------------------------------------------- /grafana/dashboard.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/grafana/dashboard.png -------------------------------------------------------------------------------- /hack/boilerplate.go.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/hack/boilerplate.go.txt -------------------------------------------------------------------------------- /internal/externaldns/doc.go: -------------------------------------------------------------------------------- 1 | // Package externaldns implements External DNS controller for Virtual Server. 
2 | package externaldns 3 | -------------------------------------------------------------------------------- /internal/metrics/collectors/collectors.go: -------------------------------------------------------------------------------- 1 | package collectors 2 | 3 | const metricsNamespace = "nginx_ingress_controller" 4 | -------------------------------------------------------------------------------- /perf-tests/.gitignore: -------------------------------------------------------------------------------- 1 | # IntelliJ project files 2 | .idea 3 | out 4 | gen 5 | 6 | # Python specific files 7 | # Byte-compiled / optimized / DLL files 8 | __pycache__ 9 | *.py[cod] 10 | .pytest_cache 11 | 12 | # Perf test outputs 13 | *.json 14 | *.csv 15 | -------------------------------------------------------------------------------- /pkg/apis/configuration/register.go: -------------------------------------------------------------------------------- 1 | package configuration 2 | 3 | const ( 4 | // GroupName is the name of the group. 5 | GroupName = "k8s.nginx.org" 6 | ) 7 | -------------------------------------------------------------------------------- /pkg/apis/configuration/v1/doc.go: -------------------------------------------------------------------------------- 1 | // +k8s:deepcopy-gen=package 2 | // +groupName=k8s.nginx.org 3 | 4 | // Package v1 is the v1 version of the API. 5 | package v1 6 | -------------------------------------------------------------------------------- /pkg/apis/dos/register.go: -------------------------------------------------------------------------------- 1 | package dos 2 | 3 | const ( 4 | // GroupName the name of the group used by kubernetes. 
5 | GroupName = "appprotectdos.f5.com" 6 | ) 7 | -------------------------------------------------------------------------------- /pkg/apis/dos/v1beta1/doc.go: -------------------------------------------------------------------------------- 1 | // +k8s:deepcopy-gen=package 2 | // +groupName=appprotectdos.f5.com 3 | 4 | // Package v1beta1 is the v1beta1 version of the API. 5 | package v1beta1 6 | -------------------------------------------------------------------------------- /pkg/apis/externaldns/register.go: -------------------------------------------------------------------------------- 1 | package externaldns 2 | 3 | const ( 4 | // GroupName the name of the group used by kubernetes. 5 | GroupName = "externaldns.nginx.org" 6 | ) 7 | -------------------------------------------------------------------------------- /pkg/apis/externaldns/v1/doc.go: -------------------------------------------------------------------------------- 1 | // +k8s:deepcopy-gen=package 2 | // +groupName=externaldns.nginx.org 3 | 4 | // Package v1 is the v1 version of the API. 5 | package v1 6 | -------------------------------------------------------------------------------- /pkg/apis/externaldns/validation/doc.go: -------------------------------------------------------------------------------- 1 | // Package validation provides validation rules for the ExternalDNS CRD. 2 | package validation 3 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/fake/doc.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 2 | 3 | // This package has the automatically generated fake clientset. 4 | package fake 5 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/scheme/doc.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 
2 | 3 | // This package contains the scheme of the automatically generated clientset. 4 | package scheme 5 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/configuration/v1/doc.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 2 | 3 | // This package has the automatically generated typed clients. 4 | package v1 5 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/configuration/v1/fake/doc.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 2 | 3 | // Package fake has the automatically generated clients. 4 | package fake 5 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/configuration/v1/generated_expansion.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 2 | 3 | package v1 4 | 5 | type GlobalConfigurationExpansion interface{} 6 | 7 | type PolicyExpansion interface{} 8 | 9 | type TransportServerExpansion interface{} 10 | 11 | type VirtualServerExpansion interface{} 12 | 13 | type VirtualServerRouteExpansion interface{} 14 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/dos/v1beta1/doc.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 2 | 3 | // This package has the automatically generated typed clients. 
4 | package v1beta1 5 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/dos/v1beta1/fake/doc.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 2 | 3 | // Package fake has the automatically generated clients. 4 | package fake 5 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/dos/v1beta1/generated_expansion.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 2 | 3 | package v1beta1 4 | 5 | type DosProtectedResourceExpansion interface{} 6 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/externaldns/v1/doc.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 2 | 3 | // This package has the automatically generated typed clients. 4 | package v1 5 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/externaldns/v1/fake/doc.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 2 | 3 | // Package fake has the automatically generated clients. 4 | package fake 5 | -------------------------------------------------------------------------------- /pkg/client/clientset/versioned/typed/externaldns/v1/generated_expansion.go: -------------------------------------------------------------------------------- 1 | // Code generated by client-gen. DO NOT EDIT. 
2 | 3 | package v1 4 | 5 | type DNSEndpointExpansion interface{} 6 | -------------------------------------------------------------------------------- /pkg/client/listers/externaldns/v1/expansion_generated.go: -------------------------------------------------------------------------------- 1 | // Code generated by lister-gen. DO NOT EDIT. 2 | 3 | package v1 4 | 5 | // DNSEndpointListerExpansion allows custom methods to be added to 6 | // DNSEndpointLister. 7 | type DNSEndpointListerExpansion interface{} 8 | 9 | // DNSEndpointNamespaceListerExpansion allows custom methods to be added to 10 | // DNSEndpointNamespaceLister. 11 | type DNSEndpointNamespaceListerExpansion interface{} 12 | -------------------------------------------------------------------------------- /site/.hugo_build.lock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/.hugo_build.lock -------------------------------------------------------------------------------- /site/.markdownlint.json: -------------------------------------------------------------------------------- 1 | { 2 | "MD009": false, 3 | "MD012": false, 4 | "MD010": false, 5 | "MD013": false, 6 | "MD004": { 7 | "style": "dash" 8 | }, 9 | "MD022": false, 10 | "MD033": false, 11 | "MD041": false, 12 | "MD003": false, 13 | "MD002": false, 14 | "MD024": { 15 | "siblings_only": true 16 | }, 17 | "MD046": false, 18 | "MD001": false, 19 | "MD049": false, 20 | "MD055": false, 21 | "MD056": false 22 | } 23 | -------------------------------------------------------------------------------- /site/config/development/config.toml: -------------------------------------------------------------------------------- 1 | baseURL = "https://docs-dev.nginx.com/nginx-ingress-controller" 2 | title = "DEV -- NGINX Ingress Controller Docs" 3 | publishDir = "public/nginx-ingress-controller" 4 | canonifyURLs = false 5 | 6 | [Params] 7 
| buildtype = "webdocs" 8 | -------------------------------------------------------------------------------- /site/config/docker/config.toml: -------------------------------------------------------------------------------- 1 | enableGitInfo = false 2 | -------------------------------------------------------------------------------- /site/config/staging/config.toml: -------------------------------------------------------------------------------- 1 | baseURL = "https://docs-staging.nginx.com/nginx-ingress-controller" 2 | title = "STAGING -- NGINX Ingress Controller Docs" 3 | publishDir = "public/nginx-ingress-controller" 4 | canonifyURLs = false 5 | -------------------------------------------------------------------------------- /site/content/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: NGINX Ingress Controller 3 | description: 4 | linkTitle: "NGINX Ingress Controller" 5 | menu: docs 6 | --- 7 | -------------------------------------------------------------------------------- /site/content/configuration/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Configuration 3 | description: 4 | weight: 1400 5 | menu: 6 | docs: 7 | parent: NGINX Ingress Controller 8 | --- 9 | -------------------------------------------------------------------------------- /site/content/configuration/global-configuration/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Global configuration 3 | description: 4 | weight: 100 5 | menu: 6 | docs: 7 | parent: NGINX Ingress Controller 8 | --- 9 | -------------------------------------------------------------------------------- /site/content/configuration/ingress-resources/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Ingress resources 3 | description: 4 | weight: 200 5 | menu: 6 | docs: 7 | parent: 
NGINX Ingress Controller 8 | --- 9 | -------------------------------------------------------------------------------- /site/content/includes/index.md: -------------------------------------------------------------------------------- 1 | --- 2 | headless: true 3 | --- 4 | -------------------------------------------------------------------------------- /site/content/includes/installation/manifests/verify-pods-are-running.md: -------------------------------------------------------------------------------- 1 | --- 2 | docs: DOCS-1466 3 | --- 4 | 5 | 6 | To confirm the NGINX Ingress Controller pods are operational, run: 7 | 8 | ```shell 9 | kubectl get pods --namespace=nginx-ingress 10 | ``` 11 | -------------------------------------------------------------------------------- /site/content/installation/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Installation 3 | description: 4 | weight: 400 5 | menu: 6 | docs: 7 | parent: NGINX Ingress Controller 8 | --- 9 | -------------------------------------------------------------------------------- /site/content/installation/installing-nic/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Install NGINX Ingress Controller 3 | description: 4 | weight: 100 5 | --- 6 | -------------------------------------------------------------------------------- /site/content/installation/integrations/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Integrations 3 | description: 4 | weight: 600 5 | --- 6 | -------------------------------------------------------------------------------- /site/content/installation/integrations/app-protect-dos/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: NGINX App Protect DoS 3 | description: Learn how to use NGINX Ingress Controller for Kubernetes with NGINX App 
Protect DoS. 4 | weight: 300 5 | menu: 6 | docs: 7 | parent: Integrations 8 | --- 9 | -------------------------------------------------------------------------------- /site/content/installation/integrations/app-protect-waf-v5/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: NGINX App Protect WAF v5 3 | description: Learn how to use NGINX Ingress Controller for Kubernetes with NGINX App Protect version 5. 4 | weight: 200 5 | menu: 6 | docs: 7 | parent: NGINX Ingress Controller 8 | --- 9 | -------------------------------------------------------------------------------- /site/content/installation/integrations/app-protect-waf/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: NGINX App Protect WAF 3 | description: Learn how to use NGINX Ingress Controller for Kubernetes with NGINX App Protect. 4 | weight: 100 5 | aliases: ["/nginx-ingress-controller/app-protect/"] 6 | menu: 7 | docs: 8 | parent: NGINX Ingress Controller 9 | --- 10 | -------------------------------------------------------------------------------- /site/content/installation/nic-images/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: NGINX Ingress Controller images 3 | weight: 200 4 | --- 5 | -------------------------------------------------------------------------------- /site/content/logging-and-monitoring/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Logging And Monitoring 3 | description: 4 | weight: 1500 5 | menu: 6 | docs: 7 | parent: NGINX Ingress Controller 8 | --- 9 | -------------------------------------------------------------------------------- /site/content/overview/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Overview 3 | description: 4 | weight: 100 5 | menu: 6 | docs: 7 | parent: 
NGINX Ingress Controller 8 | --- 9 | -------------------------------------------------------------------------------- /site/content/troubleshooting/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Troubleshooting 3 | description: 4 | weight: 1800 5 | menu: 6 | docs: 7 | parent: NGINX Ingress Controller 8 | --- 9 | -------------------------------------------------------------------------------- /site/content/troubleshooting/troubleshoot-transportserver.md: -------------------------------------------------------------------------------- 1 | --- 2 | doctypes: 3 | - '' 4 | draft: true 5 | title: Troubleshooting TransportServer Resources 6 | weight: 500 7 | --- 8 | 9 | # Troubleshooting TransportServer Resources 10 | -------------------------------------------------------------------------------- /site/content/tutorials/_index.md: -------------------------------------------------------------------------------- 1 | --- 2 | title: Tutorials 3 | description: 4 | weight: 1900 5 | menu: 6 | docs: 7 | parent: NGINX Ingress Controller 8 | --- 9 | -------------------------------------------------------------------------------- /site/developer/README.md: -------------------------------------------------------------------------------- 1 | # Guides for developing this project 2 | 3 | - [Debugging](./debugging.md) 4 | -------------------------------------------------------------------------------- /site/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/nginx/kubernetes-ingress/docs 2 | 3 | go 1.23.0 4 | 5 | require github.com/nginxinc/nginx-hugo-theme v0.41.20 // indirect 6 | -------------------------------------------------------------------------------- /site/go.sum: -------------------------------------------------------------------------------- 1 | github.com/nginxinc/nginx-hugo-theme v0.41.20 h1:6BJGRGdHW17OpkC4qbcHARo9TRrJPFrALBjFltwedf8= 2 | 
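github.com/nginxinc/nginx-hugo-theme v0.41.20/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M= 3 | -------------------------------------------------------------------------------- /site/hugo-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # Refreshes the docs theme module, then runs hugo in the "docker" environment with the caller's arguments. 3 | hugo mod get -u github.com/nginxinc/nginx-hugo-theme # NOTE(review): -u moves the theme to the newest upstream release on every run instead of the version recorded in site/go.mod and site/go.sum, so an unreviewed theme release reaches the build; drop -u to build from the pinned version 4 | hugo --environment docker "$@" # "$@" passes each argument through intact; the previous unquoted $* re-split arguments on whitespace and glob-expanded them 5 | -------------------------------------------------------------------------------- /site/layouts/shortcodes/call-out.html: -------------------------------------------------------------------------------- 1 |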
2 |
{{ .Get 1 }}
{{ .Inner | markdownify }}
3 |
4 | -------------------------------------------------------------------------------- /site/layouts/shortcodes/nic-helm-version.html: -------------------------------------------------------------------------------- 1 | 2.1.0 -------------------------------------------------------------------------------- /site/layouts/shortcodes/nic-operator-version.html: -------------------------------------------------------------------------------- 1 | 3.1.0 -------------------------------------------------------------------------------- /site/layouts/shortcodes/nic-version.html: -------------------------------------------------------------------------------- 1 | 5.0.0 -------------------------------------------------------------------------------- /site/md-linkcheck-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "replacementPatterns": [ 3 | { 4 | "pattern": "^/", 5 | "replacement": "/" 6 | } 7 | ], 8 | "ignorePatterns": [ 9 | { 10 | "pattern": "^.+localhost.+$|/.+yaml" 11 | } 12 | ] 13 | } 14 | -------------------------------------------------------------------------------- /site/static/img/control-loop.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/control-loop.png -------------------------------------------------------------------------------- /site/static/img/controller-sync.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/controller-sync.png -------------------------------------------------------------------------------- /site/static/img/ecr-pull-instructions.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/ecr-pull-instructions.png -------------------------------------------------------------------------------- /site/static/img/gke-create-cluster.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/gke-create-cluster.png -------------------------------------------------------------------------------- /site/static/img/gke-creating-cluster.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/gke-creating-cluster.png -------------------------------------------------------------------------------- /site/static/img/gke-existing-cluster.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/gke-existing-cluster.png -------------------------------------------------------------------------------- /site/static/img/gke-ingress-controller-application.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/gke-ingress-controller-application.png -------------------------------------------------------------------------------- /site/static/img/gke-install-to-new-cluster.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/gke-install-to-new-cluster.png -------------------------------------------------------------------------------- 
/site/static/img/ic-high-level.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/ic-high-level.png -------------------------------------------------------------------------------- /site/static/img/ic-pod.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/ic-pod.png -------------------------------------------------------------------------------- /site/static/img/ic-process-components.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/ic-process-components.png -------------------------------------------------------------------------------- /site/static/img/ic-process.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/ic-process.png -------------------------------------------------------------------------------- /site/static/img/nginx-envoy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/nginx-envoy.png -------------------------------------------------------------------------------- /site/static/img/nginx_istio_small.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/nginx_istio_small.png -------------------------------------------------------------------------------- 
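/site/static/img/nginx_plain.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nginx/kubernetes-ingress/b422a76de64adf103f686de04fa8e46bdaa98f76/site/static/img/nginx_plain.png -------------------------------------------------------------------------------- /tests/.flake8: -------------------------------------------------------------------------------- 1 | [flake8] 2 | format = pylint 3 | max-complexity = 10 4 | max-line-length = 120 5 | exclude = .git,__pycache__,data,.idea,.pytest_cache 6 | -------------------------------------------------------------------------------- /tests/.gitignore: -------------------------------------------------------------------------------- 1 | # IntelliJ project files 2 | .idea 3 | out 4 | gen 5 | 6 | # Junit-style report for Jenkins integration 7 | *.xml 8 | 9 | # Python specific files 10 | # Byte-compiled / optimized / DLL files 11 | __pycache__/ 12 | *.py[cod] 13 | .pytest_cache 14 | 15 | # Pytest HTML report 16 | *.html 17 | *.css 18 | 19 | # Profiling report files 20 | *.prof 21 | 22 | # json artifacts 23 | json_files/* 24 | -------------------------------------------------------------------------------- /tests/data/access-control/configmap/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | set-real-ip-from: "0.0.0.0/0,::/0" # test fixture: every IPv4 and IPv6 source is trusted to supply the client address, so accessControl allow/deny decisions are made on a value the client controls; outside tests list only the CIDRs of the proxies or load balancers in front of the controller 8 | -------------------------------------------------------------------------------- /tests/data/access-control/policies/access-control-policy-allow.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: allow-policy 5 | spec: 6 | accessControl: 7 | allow: 8 | - 10.0.0.1 9 | --------------------------------------------------------------------------------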
/tests/data/access-control/policies/access-control-policy-deny.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: deny-policy 5 | spec: 6 | accessControl: 7 | deny: 8 | - 10.0.0.1 9 | -------------------------------------------------------------------------------- /tests/data/access-control/policies/access-control-policy-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: invalid-policy 5 | spec: 6 | accessControl: 7 | deny: 8 | - 192.168.0.0/255 9 | -------------------------------------------------------------------------------- /tests/data/access-control/route-subroute/virtual-server-vsr-route-override.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | policies: 10 | - name: deny-policy 11 | route: backends 12 | - path: "/backend2" 13 | route: backend2-namespace/backend2 14 | -------------------------------------------------------------------------------- /tests/data/access-control/route-subroute/virtual-server-vsr-spec-override.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | policies: 8 | - name: deny-policy 9 | routes: 10 | - path: "/backends" 11 | route: backends 12 | - path: "/backend2" 13 | route: backend2-namespace/backend2 14 | -------------------------------------------------------------------------------- /tests/data/annotations/configmap-with-keys.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | proxy-send-timeout: "33s" 8 | hsts: "True" 9 | hsts-behind-proxy: "True" 10 | upstream-zone-size: "100k" 11 | -------------------------------------------------------------------------------- /tests/data/ap-waf-grpc/logconf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotect.f5.com/v1beta1 2 | kind: APLogConf 3 | metadata: 4 | name: logconf 5 | spec: 6 | content: 7 | format: default 8 | max_message_size: 64k 9 | max_request_size: any 10 | filter: 11 | request_type: all 12 | -------------------------------------------------------------------------------- /tests/data/ap-waf-grpc/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | http2: "true" 8 | -------------------------------------------------------------------------------- /tests/data/ap-waf-grpc/policies/waf-block-saygoodbye.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: waf-policy 5 | spec: 6 | ingressClassName: nginx 7 | waf: 8 | enable: true 9 | apPolicy: "default/grpc-block-saygoodbye" 10 | securityLog: 11 | enable: true 12 | apLogConf: "default/logconf" 13 | logDest: "syslog:server=127.0.0.1:514" 14 | -------------------------------------------------------------------------------- /tests/data/ap-waf-grpc/policies/waf-block-sayhello.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: waf-policy 5 | spec: 6 | waf: 7 | enable: true 8 | apPolicy: 
"default/grpc-block-sayhello" 9 | securityLog: 10 | enable: true 11 | apLogConf: "default/logconf" 12 | logDest: "syslog:server=127.0.0.1:514" 13 | -------------------------------------------------------------------------------- /tests/data/ap-waf-grpc/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/tls-secret-virtual-server.example.com.yaml -------------------------------------------------------------------------------- /tests/data/ap-waf-grpc/virtual-server-route-waf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: helloworld.greeter 5 | spec: 6 | host: virtual-server.example.com 7 | upstreams: 8 | - name: grpc1 9 | service: grpc1-svc 10 | port: 50051 11 | type: grpc 12 | subroutes: 13 | - path: "~* /helloworld.greeter/" 14 | action: 15 | pass: grpc1 16 | policies: 17 | - name: waf-policy 18 | -------------------------------------------------------------------------------- /tests/data/ap-waf-grpc/vsr-virtual-server-spec.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server.example.com 7 | tls: 8 | secret: tls-secret 9 | routes: 10 | - path: "~* /helloworld.greeter/" 11 | route: helloworld.greeter 12 | -------------------------------------------------------------------------------- /tests/data/ap-waf-v5/policies/waf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: waf-policy 5 | spec: 6 | waf: 7 | enable: true 8 | apBundle: "wafv5.tgz" 9 | -------------------------------------------------------------------------------- /tests/data/ap-waf/logconf.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: appprotect.f5.com/v1beta1 2 | kind: APLogConf 3 | metadata: 4 | name: logconf 5 | spec: 6 | content: 7 | format: default 8 | max_message_size: 64k 9 | max_request_size: any 10 | filter: 11 | request_type: all 12 | -------------------------------------------------------------------------------- /tests/data/ap-waf/policies/waf-dataguard.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: waf-policy 5 | spec: 6 | ingressClassName: nginx 7 | waf: 8 | enable: true 9 | apPolicy: "default/dataguard-alarm" 10 | securityLog: 11 | enable: true 12 | apLogConf: "default/logconf" 13 | logDest: "syslog:server=127.0.0.1:514" 14 | -------------------------------------------------------------------------------- /tests/data/ap-waf/policies/waf-default.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: waf-policy 5 | spec: 6 | waf: 7 | enable: true 8 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/policies/apikey-policy-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: api-key-policy-server 5 | spec: 6 | apiKey: 7 | suppliedIn: 8 | header: 9 | - "header-server-1" 10 | - "header-server-2" 11 | - "header-server-3" 12 | query: 13 | - "queryServer1" 14 | - "queryServer2" 15 | clientSecret: api-key-client-secret-server 16 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/policies/apikey-policy-valid-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 
3 | metadata: 4 | name: api-key-policy-2 5 | spec: 6 | apiKey: 7 | suppliedIn: 8 | header: 9 | - "this-is-another-header" 10 | - "and-other-one" 11 | - "some-other-header" 12 | query: 13 | - "query1" 14 | - "query2" 15 | clientSecret: api-key-client-secret-2 16 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/policies/apikey-policy-valid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: api-key-policy 5 | spec: 6 | apiKey: 7 | suppliedIn: # request locations that may carry the API key: the header names and query parameter names listed below 8 | header: 9 | - "X-header-name" 10 | - "apikey" 11 | - "some-other-header" 12 | query: # a key sent as a query parameter is part of the URL and can end up in access and proxy logs; prefer the header form outside tests 13 | - "queryName" 14 | clientSecret: api-key-client-secret-1 # same name as the nginx.org/apikey Secret in apikey-secret-1.yaml 15 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/policies/apikey-policy-vs-route.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: api-key-policy-vs-route 5 | spec: 6 | apiKey: 7 | suppliedIn: 8 | header: 9 | - "header-route-1" 10 | - "header-route-2" 11 | - "header-route-3" 12 | query: 13 | - "queryRoute1" 14 | - "queryRoute2" 15 | clientSecret: api-key-client-secret-route 16 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/secret/apikey-secret-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: api-key-client-secret-1 5 | type: nginx.org/apikey 6 | data: # one entry per client id; values are base64-encoded, not encrypted, and the trailing comments give the decoded test keys 7 | client1: cGFzc3dvcmQ= # password 8 | client2: cGFzc3dvcmQy # password2 9 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/secret/apikey-secret-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | 
kind: Secret 3 | metadata: 4 | name: api-key-client-secret-2 5 | type: nginx.org/apikey 6 | data: 7 | client3: cGFzc3dvcmQz # password3 8 | client4: cGFzc3dvcmQ0 # password4 9 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/secret/apikey-secret-route.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: api-key-client-secret-route 5 | type: nginx.org/apikey 6 | data: 7 | client1: cGFzc3dvcmQ3 # password7 8 | client2: cGFzc3dvcmQ4 # password8 9 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/secret/apikey-secret-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: api-key-client-secret-server 5 | type: nginx.org/apikey 6 | data: 7 | client1: cGFzc3dvcmQ1 # password5 8 | client2: cGFzc3dvcmQ2 # password6 9 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/spec/vsr/backend1-vsr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend1 5 | spec: 6 | host: virtual-server.example.com 7 | upstreams: 8 | - name: backend1 9 | service: backend1-svc 10 | port: 80 11 | subroutes: 12 | - path: /backend1 13 | action: 14 | pass: backend1 15 | -------------------------------------------------------------------------------- /tests/data/apikey-auth-policy/spec/vsr/backend2-vsr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 
| subroutes: 12 | - path: /backend2 13 | action: 14 | pass: backend2 15 | policies: 16 | - name: api-key-policy-vs-route 17 | -------------------------------------------------------------------------------- /tests/data/appprotect/appprotect-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/appprotect-secret-appprotect.example.com.yaml -------------------------------------------------------------------------------- /tests/data/appprotect/grpc/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | http2: "True" 8 | -------------------------------------------------------------------------------- /tests/data/appprotect/logconf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotect.f5.com/v1beta1 2 | kind: APLogConf 3 | metadata: 4 | name: logconf 5 | spec: 6 | content: 7 | format: default 8 | max_message_size: 64k 9 | max_request_size: any 10 | filter: 11 | request_types: all 12 | -------------------------------------------------------------------------------- /tests/data/auth-basic-auth-mergeable/auth-basic-master-secret-updated.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: auth-basic-master-htpasswd 5 | type: nginx.org/htpasswd 6 | stringData: 7 | htpasswd: | 8 | qux:$apr1$st218vzc$A3H7I83N9vLmczj73Byi3/ 9 | # quux 10 | -------------------------------------------------------------------------------- /tests/data/auth-basic-auth-mergeable/auth-basic-master-secret.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: auth-basic-master-htpasswd 4 | apiVersion: v1 5 | type: nginx.org/htpasswd 6 | stringData: 7 | 
htpasswd: | 8 | foo:$2y$10$mnb.J7DxTtC8/2EGRkmwsehTlNgQS0VbaryPr19aqIgI6IaukL77u 9 | # bar 10 | -------------------------------------------------------------------------------- /tests/data/auth-basic-auth-mergeable/auth-basic-minion-secret-updated.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: auth-basic-minion-htpasswd 4 | apiVersion: v1 5 | type: nginx.org/htpasswd 6 | stringData: 7 | htpasswd: | 8 | foo:$2y$10$mnb.J7DxTtC8/2EGRkmwsehTlNgQS0VbaryPr19aqIgI6IaukL77u 9 | # bar 10 | -------------------------------------------------------------------------------- /tests/data/auth-basic-auth-mergeable/auth-basic-minion-secret.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: auth-basic-minion-htpasswd 4 | apiVersion: v1 5 | type: nginx.org/htpasswd 6 | stringData: 7 | htpasswd: | 8 | qux:$apr1$st218vzc$A3H7I83N9vLmczj73Byi3/ 9 | # quux 10 | -------------------------------------------------------------------------------- /tests/data/auth-basic-auth-mergeable/credentials/auth-basic-auth-master-credentials.txt: -------------------------------------------------------------------------------- 1 | foo:bar 2 | -------------------------------------------------------------------------------- /tests/data/auth-basic-auth-mergeable/credentials/auth-basic-auth-minion-credentials.txt: -------------------------------------------------------------------------------- 1 | qux:quux 2 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/credentials.txt: -------------------------------------------------------------------------------- 1 | foo:bar 2 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/credentials2.txt: -------------------------------------------------------------------------------- 1 | qux:quux 2 | 
-------------------------------------------------------------------------------- /tests/data/auth-basic-policy/invalid-credentials-no-pwd.txt: -------------------------------------------------------------------------------- 1 | foo: 2 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/invalid-credentials-no-user.txt: -------------------------------------------------------------------------------- 1 | :bar 2 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/invalid-credentials-pwd.txt: -------------------------------------------------------------------------------- 1 | foo:baz 2 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/invalid-credentials-user.txt: -------------------------------------------------------------------------------- 1 | foobar:bar 2 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/invalid-credentials.txt: -------------------------------------------------------------------------------- 1 | foobar 2 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/policies/auth-basic-policy-invalid-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: auth-basic-policy-invalid-secret 5 | spec: 6 | basicAuth: 7 | realm: MyProductAPI 8 | secret: htpasswd-secret-invalid 9 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/policies/auth-basic-policy-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: auth-basic-policy-invalid 5 | spec: 6 | basicAuth: 7 | realm: 
MyProductAPI 8 | secret: $$htpasswd-secret-valid 9 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/policies/auth-basic-policy-valid-multi.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: auth-basic-policy-valid-multi 5 | spec: 6 | basicAuth: 7 | realm: MyProductAPI 8 | secret: htpasswd-secret-valid-empty 9 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/policies/auth-basic-policy-valid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: auth-basic-policy-valid 5 | spec: 6 | basicAuth: 7 | realm: MyProductAPI 8 | secret: htpasswd-secret-valid 9 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/route-subroute/virtual-server-vsr-route-override.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | policies: 10 | - name: auth-basic-policy-valid 11 | route: backends 12 | - path: "/backend2" 13 | route: backend2-namespace/backend2 14 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/route-subroute/virtual-server-vsr-spec-override.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | policies: 8 | - name: auth-basic-policy-valid 9 | routes: 10 | - path: "/backends" 11 | route: backends 12 | - 
path: "/backend2" 13 | route: backend2-namespace/backend2 14 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/secret/htpasswd-secret-invalid.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: htpasswd-secret-invalid 4 | apiVersion: v1 5 | type: nginx.org/htpasswd 6 | stringData: # the only key below is "invalid-htpasswd", not the "htpasswd" key used by htpasswd-secret-valid.yaml 7 | invalid-htpasswd: | 8 | foo:$2y$10$mnb.J7DxTtC8/2EGRkmwsehTlNgQS0VbaryPr19aqIgI6IaukL77u 9 | qux:$apr1$st218vzc$A3H7I83N9vLmczj73Byi3/ 10 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/secret/htpasswd-secret-valid-empty.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: htpasswd-secret-valid-empty 4 | apiVersion: v1 5 | type: nginx.org/htpasswd 6 | stringData: 7 | htpasswd: "" # expected key is present but holds no user entries 8 | -------------------------------------------------------------------------------- /tests/data/auth-basic-policy/secret/htpasswd-secret-valid.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: htpasswd-secret-valid 4 | apiVersion: v1 5 | type: nginx.org/htpasswd # entries below: foo is hashed with bcrypt ($2y$, cost 10), qux with the MD5-based apr1 scheme, which is far cheaper to brute-force; fine for a fixture, not for real accounts 6 | stringData: # the "# bar" and "# quux" lines sit inside the block scalar, so they are part of the htpasswd data; they match the passwords in credentials.txt and credentials2.txt 7 | htpasswd: | 8 | foo:$2y$10$mnb.J7DxTtC8/2EGRkmwsehTlNgQS0VbaryPr19aqIgI6IaukL77u 9 | qux:$apr1$st218vzc$A3H7I83N9vLmczj73Byi3/ 10 | # bar 11 | # quux 12 | -------------------------------------------------------------------------------- /tests/data/auth-basic-secrets/auth-basic-secret-invalid.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: auth-basic-secrets-key 4 | apiVersion: v1 5 | type: nginx.org/htpasswd 6 | stringData: # key is "invalid-htpasswd" here as well; auth-basic-secret.yaml uses "htpasswd" for the same Secret name 7 | invalid-htpasswd: | 8 | foo:$2y$10$mnb.J7DxTtC8/2EGRkmwsehTlNgQS0VbaryPr19aqIgI6IaukL77u 9 | qux:$apr1$st218vzc$A3H7I83N9vLmczj73Byi3/ 10 | 
-------------------------------------------------------------------------------- /tests/data/auth-basic-secrets/auth-basic-secret-updated.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: auth-basic-secrets-key 5 | type: nginx.org/htpasswd 6 | stringData: 7 | htpasswd: | 8 | qux:$apr1$st218vzc$A3H7I83N9vLmczj73Byi3/ 9 | # quux 10 | -------------------------------------------------------------------------------- /tests/data/auth-basic-secrets/auth-basic-secret.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: auth-basic-secrets-key 4 | apiVersion: v1 5 | type: nginx.org/htpasswd 6 | stringData: 7 | htpasswd: | 8 | foo:$2y$10$e4CiBWaLq9JW93jV8r9CW.RE6fbsT3szmIsUhwqYuPfVlggXiBY76 9 | # bar 10 | -------------------------------------------------------------------------------- /tests/data/auth-basic-secrets/credentials/credentials.txt: -------------------------------------------------------------------------------- 1 | foo:bar 2 | -------------------------------------------------------------------------------- /tests/data/common/app/secure/secret/app-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../../../common-secrets/app-tls-secret-app.example.com.yaml -------------------------------------------------------------------------------- /tests/data/common/backend1-svc.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: backend1-svc 5 | spec: 6 | ports: 7 | - port: 80 8 | targetPort: 8080 9 | protocol: TCP 10 | name: http 11 | selector: 12 | app: backend1 13 | -------------------------------------------------------------------------------- /tests/data/common/backend1.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: backend1 5 | spec: 6 | replicas: 2 7 | selector: 8 | matchLabels: 9 | app: backend1 10 | template: 11 | metadata: 12 | labels: 13 | app: backend1 # same label that backend1-svc.yaml selects on 14 | spec: 15 | containers: # no securityContext or resource limits are set here, so the container runs with image and cluster defaults 16 | - name: backend1 17 | image: nginxdemos/nginx-hello:plain-text # tag only, no digest: the tag can be re-pointed, so the image under test is not fixed between runs 18 | ports: 19 | - containerPort: 8080 # backend1-svc.yaml maps service port 80 to this port 20 | -------------------------------------------------------------------------------- /tests/data/common/configmap-with-grpc.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | http2: "true" 8 | -------------------------------------------------------------------------------- /tests/data/common/default-server-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/default-server-secret-NGINXIngressController.yaml -------------------------------------------------------------------------------- /tests/data/common/ns-patch.yaml: -------------------------------------------------------------------------------- 1 | metadata: 2 | labels: 3 | app: watch 4 | -------------------------------------------------------------------------------- /tests/data/common/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: new-name-here # placeholder name; presumably replaced by the test harness before the namespace is created 5 | -------------------------------------------------------------------------------- /tests/data/default-server/new-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/default-server-secret-cafe.example.com-gb.yaml -------------------------------------------------------------------------------- /tests/data/dos/appprotect-dos-arb-svc.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: svc-appprotect-dos-arb 5 | spec: 6 | selector: 7 | app: appprotect-dos-arb 8 | ports: 9 | - name: arb 10 | port: 3000 11 | protocol: TCP 12 | targetPort: 3000 13 | clusterIP: None 14 | -------------------------------------------------------------------------------- /tests/data/dos/arbitrator_ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: arbitrator 5 | -------------------------------------------------------------------------------- /tests/data/dos/dos-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: dos-ingress 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | spec: 8 | rules: 9 | - host: dos.example.com 10 | http: 11 | paths: 12 | - path: / 13 | pathType: Prefix 14 | backend: 15 | service: 16 | name: dos-svc 17 | port: 18 | number: 80 19 | -------------------------------------------------------------------------------- /tests/data/dos/dos-logconf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotectdos.f5.com/v1beta1 2 | kind: APDosLogConf 3 | metadata: 4 | name: doslogconf 5 | spec: 6 | filter: 7 | traffic-mitigation-stats: all 8 | bad-actors: top 10 9 | attack-signatures: top 10 10 | -------------------------------------------------------------------------------- /tests/data/dos/dos-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotectdos.f5.com/v1beta1 2 | kind: APDosPolicy 3 | metadata: 4 | name: dospolicy 5 | spec: 6 | mitigation_mode: "standard" 7 | signatures: "on" 8 | bad_actors: "on" 9 | automation_tools_detection: "on" 10 | tls_fingerprint: "on" 11 | 
-------------------------------------------------------------------------------- /tests/data/dos/nginx-config-arb-dif-ns.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | real-ip-header: "X-Forwarded-For" # the client address is taken from this request header 8 | real-ip-recursive: "True" 9 | set-real-ip-from: "0.0.0.0/0" # every IPv4 source is trusted to supply X-Forwarded-For, so any client can choose the address NGINX attributes to it; acceptable in a test cluster, otherwise list only the load balancer or proxy CIDRs 10 | worker-connections: "30000" 11 | worker-rlimit-nofile: "65535" 12 | worker-rlimit-core: "500M" # allows worker core dumps up to 500M; a core file can contain request data and key material, so restrict access to where it lands 13 | app-protect-dos-arb-fqdn: "svc-appprotect-dos-arb.arbitrator.svc.cluster.local" # the headless Service from appprotect-dos-arb-svc.yaml, addressed in the "arbitrator" namespace 14 | -------------------------------------------------------------------------------- /tests/data/dos/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | real-ip-header: "X-Forwarded-For" 8 | real-ip-recursive: "True" 9 | set-real-ip-from: "0.0.0.0/0,::/0" # all IPv4 and IPv6 sources are trusted to set X-Forwarded-For; with this value address-based decisions cannot rely on the client IP, so keep it to test clusters 10 | worker-connections: "30000" 11 | worker-rlimit-nofile: "65535" 12 | worker-rlimit-core: "500M" 13 | -------------------------------------------------------------------------------- /tests/data/dos/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/tls-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /tests/data/egress-mtls/policies/egress-mtls-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: egress-mtls-policy 5 | spec: 6 | egress_MTLS: # differs from the egressMTLS key in egress-mtls.yaml; presumably this misspelling is what makes the fixture invalid 7 | tlsSecret: egress-tls-secret 8 | trustedCertSecret: egress-mtls-secret 9 | verifyServer: on # unquoted on: a YAML 1.1 parser reads it as boolean true 10 | verifyDepth: 2 11 | serverName: on 12 | sslName: secure-app.example.com 13 | -------------------------------------------------------------------------------- 
/tests/data/egress-mtls/policies/egress-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: egress-mtls-policy 5 | spec: 6 | egressMTLS: 7 | tlsSecret: egress-tls-secret 8 | trustedCertSecret: egress-mtls-secret 9 | verifyServer: on 10 | verifyDepth: 2 11 | serverName: on 12 | sslName: secure-app.example.com 13 | -------------------------------------------------------------------------------- /tests/data/egress-mtls/route-subroute/virtual-server-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server 5 | spec: 6 | host: virtual-server.example.com 7 | upstreams: 8 | - name: secure-app 9 | service: secure-app 10 | port: 8443 11 | tls: 12 | enable: true 13 | routes: 14 | - path: "/backend1" 15 | policies: 16 | - name: egress-mtls-policy 17 | action: 18 | pass: secure-app 19 | -------------------------------------------------------------------------------- /tests/data/egress-mtls/route-subroute/virtual-server-route-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backends 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: secure-app 9 | service: secure-app 10 | port: 8443 11 | tls: 12 | enable: true 13 | subroutes: 14 | - path: "/backends/backend1" 15 | policies: 16 | - name: egress-mtls-policy 17 | action: 18 | pass: secure-app 19 | -------------------------------------------------------------------------------- /tests/data/egress-mtls/route-subroute/virtual-server-vsr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | 
host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends # implicit namespace 10 | -------------------------------------------------------------------------------- /tests/data/egress-mtls/spec/virtual-server-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server 5 | spec: 6 | host: virtual-server.example.com 7 | policies: 8 | - name: egress-mtls-policy 9 | upstreams: 10 | - name: secure-app 11 | service: secure-app 12 | port: 8443 13 | tls: 14 | enable: true 15 | routes: 16 | - path: "/backend1" 17 | action: 18 | pass: secure-app 19 | -------------------------------------------------------------------------------- /tests/data/externalname-services/externalname-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: example-ingress 5 | annotations: 6 | kubernetes.io/ingress.class: "nginx" 7 | spec: 8 | rules: 9 | - host: externalnginx.com 10 | http: 11 | paths: 12 | - path: / 13 | pathType: Prefix 14 | backend: 15 | service: 16 | name: externalname-service 17 | port: 18 | number: 80 19 | -------------------------------------------------------------------------------- /tests/data/externalname-services/externalname-svc.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: externalname-service 5 | spec: 6 | type: ExternalName 7 | externalName: external-backend-svc.external-ns.svc.cluster.local 8 | -------------------------------------------------------------------------------- /tests/data/externalname-services/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | data: 
6 | resolver-addresses: "kube-dns.kube-system.svc.cluster.local" 7 | -------------------------------------------------------------------------------- /tests/data/filter-secrets/filtered-secret-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: filtered-secret-1 5 | namespace: filtered-ns-1 6 | type: helm.sh/release.v1 7 | -------------------------------------------------------------------------------- /tests/data/filter-secrets/filtered-secret-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: filtered-secret-2 5 | namespace: filtered-ns-2 6 | type: helm.sh/release.v1 7 | -------------------------------------------------------------------------------- /tests/data/filter-secrets/nginx-ingress-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: nginx-ingress-secret 5 | namespace: nginx-ingress 6 | type: helm.sh/release.v1 7 | -------------------------------------------------------------------------------- /tests/data/ingress-class/resource/custom-ingress-class-res.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: IngressClass 3 | metadata: 4 | name: custom 5 | spec: 6 | controller: nginx.org/ingress-controller 7 | -------------------------------------------------------------------------------- /tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: ingress-mtls-policy 5 | spec: 6 | ingressMTLS: 7 | clientCertSecret: ingress-mtls-secret 8 | verifyClient: "on" 9 | verifyDepth: 1 10 | crlFileName: webapp.crl 11 | 
-------------------------------------------------------------------------------- /tests/data/ingress-mtls/policies/ingress-mtls-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: ingress-mtls-policy 5 | spec: 6 | ingress_MTLS: # invalid fixture: this key and the three below are misspelled; compare ingressMTLS, clientCertSecret, verifyClient and verifyDepth in ingress-mtls.yaml 7 | clientCertSecret_: ingress-mtls-secret 8 | verifyadClient: "on" 9 | verifyDeaerpth: 1 10 | -------------------------------------------------------------------------------- /tests/data/ingress-mtls/policies/ingress-mtls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: ingress-mtls-policy 5 | spec: 6 | ingressMTLS: 7 | clientCertSecret: ingress-mtls-secret # presumably the Secret holding the CA certificate(s) that client certificates are checked against; confirm against the Policy reference 8 | verifyClient: "on" # quoted, so a string; NOTE(review): presumably maps to NGINX ssl_verify_client, where "on" requires a valid client certificate; confirm 9 | verifyDepth: 1 # presumably the maximum client certificate chain depth; confirm 10 | -------------------------------------------------------------------------------- /tests/data/ingress-mtls/route-subroute/virtual-server-vsr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | tls: 8 | secret: tls-secret # name of the TLS Secret; tls-secret.yaml in this test directory is a relative path into common-secrets 9 | routes: 10 | - path: "/backends" 11 | route: backends # implicit namespace 12 | - path: "/backend2" 13 | route: backend2-namespace/backend2 # explicit namespace/name form 14 | -------------------------------------------------------------------------------- /tests/data/ingress-mtls/secret/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../../common-secrets/tls-secret-virtual-server.example.com.yaml -------------------------------------------------------------------------------- /tests/data/jwt-auth-mergeable/jwt-master-secret-updated.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 
3 | metadata: 4 | name: jwt-master-jwk 5 | type: nginx.org/jwk 6 | data: 7 | jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJZWGRsYzI5dFpXcDNkQSIsCiAgICAgICAgImt0eSI6Im9jdCIsCiAgICAgICAgImtpZCI6IjAwMDEiCiAgICB9XQp9 8 | -------------------------------------------------------------------------------- /tests/data/jwt-auth-mergeable/jwt-master-secret.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: jwt-master-jwk 4 | type: nginx.org/jwk 5 | apiVersion: v1 6 | data: # jwk is base64 of a JWK set with one symmetric key (kty "oct", kid "0001"); base64 is only an encoding, so anyone who can read this Secret can sign tokens that verify against it 7 | jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJabUZ1ZEdGemRHbGphbmQwIiwKICAgICAgICAia3R5Ijoib2N0IiwKICAgICAgICAia2lkIjoiMDAwMSIKICAgIH1dCn0K 8 | -------------------------------------------------------------------------------- /tests/data/jwt-auth-mergeable/jwt-minion-secret-updated.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: jwt-minion-jwk 4 | apiVersion: v1 5 | type: nginx.org/jwk 6 | data: # same jwk value as jwt-master-secret.yaml: the "updated" fixture swaps in the key the master Secret started with 7 | jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJabUZ1ZEdGemRHbGphbmQwIiwKICAgICAgICAia3R5Ijoib2N0IiwKICAgICAgICAia2lkIjoiMDAwMSIKICAgIH1dCn0K 8 | -------------------------------------------------------------------------------- /tests/data/jwt-auth-mergeable/jwt-minion-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: jwt-minion-jwk 5 | type: nginx.org/jwk 6 | data: # symmetric test key, same encoding as the master Secret; both keys carry kid "0001", so the kid alone does not tell them apart 7 | jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJZWGRsYzI5dFpXcDNkQSIsCiAgICAgICAgImt0eSI6Im9jdCIsCiAgICAgICAgImtpZCI6IjAwMDEiCiAgICB9XQp9 8 | -------------------------------------------------------------------------------- /tests/data/jwt-auth-mergeable/tokens/jwt-auth-master-token.jwt: -------------------------------------------------------------------------------- 1 | 
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IjAwMDEifQ.eyJuYW1lIjoiUXVvdGF0aW9uIFN5c3RlbSIsInN1YiI6InF1b3RlcyIsImlzcyI6Ik15IEFQSSBHYXRld2F5In0.ggVOHYnVFB8GVPE-VOIo3jD71gTkLffAY0hQOGXPL2I 2 | -------------------------------------------------------------------------------- /tests/data/jwt-auth-mergeable/tokens/jwt-auth-minion-token.jwt: -------------------------------------------------------------------------------- 1 | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IjAwMDEifQ.eyJuYW1lIjoiUXVvdGF0aW9uIFN5c3RlbSIsInN1YiI6InF1b3RlcyIsImlzcyI6Ik15IEFQSSBHYXRld2F5In0.E4Onuo44Qjz1rSNEKLqMFGCAesui2ELx3C79Aa0_XpY 2 | -------------------------------------------------------------------------------- /tests/data/jwt-policy-jwksuri/configmap/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | resolver-addresses: "kube-dns.kube-system.svc.cluster.local" # DNS resolver for NGINX; presumably needed so the jwksURI host name can be resolved at run time (confirm) 8 | -------------------------------------------------------------------------------- /tests/data/jwt-policy-jwksuri/policies/jwt-policy-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: jwt-policy-invalid 5 | spec: 6 | jwt: 7 | realm: MyProductAPI 8 | token: $$http_token # "$$" where jwt-policy-valid.yaml has "$http_token"; presumably the part that fails validation 9 | jwksURI: http://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs # plain http: the key set is fetched with no transport authentication or integrity, so whatever answers at this name supplies the keys tokens are verified against; use https outside a test cluster 10 | keyCache: 1h # presumably how long the fetched key set is cached (confirm) 11 | -------------------------------------------------------------------------------- /tests/data/jwt-policy-jwksuri/policies/jwt-policy-valid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: jwt-policy-valid 5 | spec: 6 | jwt: 7 | realm: MyProductAPI 8 | token: $http_token # the JWT is read from the request header named "token" 9 | jwksURI: 
http://keycloak.default.svc.cluster.local:8080/realms/jwks-example/protocol/openid-connect/certs 10 | keyCache: 1h 11 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/invalid-token.jwt: -------------------------------------------------------------------------------- 1 | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IjAwMDEifQ..ggVOHYnVFB8GVPE-VOIo3jD71gTkLffAY0hQOGXPL2IhjjhhHHHhhhhhkhYGIUGHiladth 2 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/policies/jwt-policy-invalid-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: jwt-policy-invalid-secret 5 | spec: 6 | jwt: 7 | realm: MyProductAPI 8 | secret: jwk-secret-invalid 9 | token: $http_token 10 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/policies/jwt-policy-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: jwt-policy-invalid 5 | spec: 6 | jwt: 7 | realm: MyProductAPI 8 | secret: jwk-secret-valid 9 | token: $$http_token 10 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/policies/jwt-policy-valid-multi.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: jwt-policy-valid-multi 5 | spec: 6 | jwt: 7 | realm: MyProductAPI 8 | secret: jwk-secret-valid 9 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/policies/jwt-policy-valid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: Policy 3 | metadata: 4 | name: 
jwt-policy-valid 5 | spec: 6 | jwt: 7 | realm: MyProductAPI 8 | secret: jwk-secret-valid 9 | token: $http_token 10 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/route-subroute/virtual-server-vsr-route-override.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | policies: 10 | - name: jwt-policy-valid 11 | route: backends 12 | - path: "/backend2" 13 | route: backend2-namespace/backend2 14 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/route-subroute/virtual-server-vsr-spec-override.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | policies: 8 | - name: jwt-policy-valid 9 | routes: 10 | - path: "/backends" 11 | route: backends 12 | - path: "/backend2" 13 | route: backend2-namespace/backend2 14 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/secret/jwk-secret-invalid.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: jwk-secret-invalid 4 | apiVersion: v1 5 | type: nginx.org/jwk 6 | data: 7 | invalid-jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJabUZ1ZEdGemRHbGphbmQwIiwKICAgICAgICAia3R5Ijoib2N0IiwKICAgICAgICAia2lkIjoiMDAwMSIKICAgIH1dCn0K 8 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/secret/jwk-secret-valid.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: 
jwk-secret-valid 4 | apiVersion: v1 5 | type: nginx.org/jwk 6 | data: 7 | jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJabUZ1ZEdGemRHbGphbmQwIiwKICAgICAgICAia3R5Ijoib2N0IiwKICAgICAgICAia2lkIjoiMDAwMSIKICAgIH1dCn0K 8 | -------------------------------------------------------------------------------- /tests/data/jwt-policy/token.jwt: -------------------------------------------------------------------------------- 1 | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IjAwMDEifQ.eyJuYW1lIjoiUXVvdGF0aW9uIFN5c3RlbSIsInN1YiI6InF1b3RlcyIsImlzcyI6Ik15IEFQSSBHYXRld2F5In0.ggVOHYnVFB8GVPE-VOIo3jD71gTkLffAY0hQOGXPL2I 2 | -------------------------------------------------------------------------------- /tests/data/jwt-secrets/jwt-secret-invalid.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: jwt-secrets-key 4 | apiVersion: v1 5 | type: nginx.org/jwk 6 | data: 7 | invalid-jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJabUZ1ZEdGemRHbGphbmQwIiwKICAgICAgICAia3R5Ijoib2N0IiwKICAgICAgICAia2lkIjoiMDAwMSIKICAgIH1dCn0K 8 | -------------------------------------------------------------------------------- /tests/data/jwt-secrets/jwt-secret-updated.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: jwt-secrets-key 5 | type: nginx.org/jwk 6 | data: 7 | jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJZWGRsYzI5dFpXcDNkQSIsCiAgICAgICAgImt0eSI6Im9jdCIsCiAgICAgICAgImtpZCI6IjAwMDEiCiAgICB9XQp9 8 | -------------------------------------------------------------------------------- /tests/data/jwt-secrets/jwt-secret.yaml: -------------------------------------------------------------------------------- 1 | kind: Secret 2 | metadata: 3 | name: jwt-secrets-key 4 | apiVersion: v1 5 | type: nginx.org/jwk 6 | data: 7 | jwk: eyJrZXlzIjoKICAgIFt7CiAgICAgICAgImsiOiJabUZ1ZEdGemRHbGphbmQwIiwKICAgICAgICAia3R5Ijoib2N0IiwKICAgICAgICAia2lkIjoiMDAwMSIKICAgIH1dCn0K 
8 |
--------------------------------------------------------------------------------
/tests/data/jwt-secrets/tokens/jwt-secrets-token.jwt:
--------------------------------------------------------------------------------
1 | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IjAwMDEifQ.eyJuYW1lIjoiUXVvdGF0aW9uIFN5c3RlbSIsInN1YiI6InF1b3RlcyIsImlzcyI6Ik15IEFQSSBHYXRld2F5In0.ggVOHYnVFB8GVPE-VOIo3jD71gTkLffAY0hQOGXPL2I
2 |
--------------------------------------------------------------------------------
/tests/data/mgmt-configmap-keys/plus-token-name-keys.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 |   name: nginx-config-mgmt
5 |   namespace: nginx-ingress
6 | data:
7 |   license-token-secret-name: "license-token-changed"  # a Secret name, not the token itself (going by the key name)
8 |
--------------------------------------------------------------------------------
/tests/data/oidc/client-secret.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Secret
3 | metadata:
4 |   name: oidc-secret
5 | type: nginx.org/oidc
6 | data:
7 |   client-secret:  # left empty in the fixture; presumably filled in by the test at run time (confirm)
8 |
--------------------------------------------------------------------------------
/tests/data/oidc/nginx-config-zs.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   zone-sync: "true"  # presumably the ConfigMap-key counterpart of the hand-written zone_sync snippet in nginx-config.yaml
8 |   resolver-addresses: kube-dns.kube-system.svc.cluster.local
9 |   resolver-valid: 5s
10 |
--------------------------------------------------------------------------------
/tests/data/oidc/nginx-config.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   stream-snippets: |  # NOTE(review): the zone_sync listener below has no ssl or allow/deny directives in this snippet
8 |     server {
9 |       listen 12345;
10 |       listen [::]:12345;
11 |       zone_sync;
12 |       zone_sync_server nginx-ingress-headless.nginx-ingress.svc.cluster.local:12345 resolve;
13 |     }
14 |   resolver-addresses: kube-dns.kube-system.svc.cluster.local
15 |   resolver-valid: 5s
16 |
--------------------------------------------------------------------------------
/tests/data/oidc/nginx-ingress-headless.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Service
3 | metadata:
4 |   name: nginx-ingress-headless
5 | spec:
6 |   clusterIP: None  # headless Service; its name is the zone_sync_server host in nginx-config.yaml
7 |   selector:
8 |     app: nginx-ingress
9 |
--------------------------------------------------------------------------------
/tests/data/oidc/virtual-server-idp.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServer
3 | metadata:
4 |   name: keycloak
5 | spec:
6 |   host: keycloak.example.com
7 |   tls:
8 |     secret: tls-secret
9 |     redirect:
10 |       enable: true
11 |   upstreams:
12 |   - name: keycloak
13 |     service: keycloak
14 |     port: 8080
15 |   routes:
16 |   - path: /
17 |     action:
18 |       pass: keycloak
19 |
--------------------------------------------------------------------------------
/tests/data/oidc/virtual-server.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServer
3 | metadata:
4 |   name: virtual-server-tls
5 | spec:
6 |   host: virtual-server-tls.example.com
7 |   tls:
8 |     secret: tls-secret
9 |   upstreams:
10 |   - name: backend1
11 |     service: backend1-svc
12 |     port: 80
13 |   routes:
14 |   - path: /
15 |     policies:
16 |     - name: oidc-policy  # the Policy object itself is not part of this listing excerpt
17 |     action:
18 |       pass: backend1
19 |
--------------------------------------------------------------------------------
/tests/data/otel/configmap-with-all-except-endpoint.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   otel-exporter-header-name: "x-otel-header"  # this variant has no otel-exporter-endpoint key
8 |   otel-exporter-header-value: "otel-header-value"
9 |   otel-service-name: "nginx-ingress-controller:nginx"
10 |   otel-trace-in-http: "true"
11 |
--------------------------------------------------------------------------------
/tests/data/otel/configmap-with-all.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   otel-exporter-endpoint: "otel.example.com:4317"
8 |   otel-exporter-header-name: "x-otel-header"
9 |   otel-exporter-header-value: "otel-header-value"  # placeholder; a real exporter header is often a credential, and ConfigMap data is stored as plain text
10 |   otel-service-name: "nginx-ingress-controller:nginx"
11 |   otel-trace-in-http: "true"
12 |
--------------------------------------------------------------------------------
/tests/data/otel/configmap-with-endpoint.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   otel-exporter-endpoint: "otel.example.com:4317"
8 |
--------------------------------------------------------------------------------
/tests/data/otel/configmap-with-header.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   otel-exporter-endpoint: "otel.example.com:4317"
8 |   otel-exporter-header-name: "x-otel-header"
9 |   otel-exporter-header-value: "otel-header-value"
10 |
--------------------------------------------------------------------------------
/tests/data/otel/configmap-with-only-header-name.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   otel-exporter-endpoint: "otel.example.com:4317"
8 |   otel-exporter-header-name: "x-otel-header"  # header name without a matching header value
9 |
--------------------------------------------------------------------------------
/tests/data/otel/configmap-with-only-header-value.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   otel-exporter-endpoint: "otel.example.com:4317"
8 |   otel-exporter-header-value: "otel-header-value"  # header value without a matching header name
9 |
--------------------------------------------------------------------------------
/tests/data/otel/configmap-with-otel-trace.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   otel-exporter-endpoint: "otel.example.com:4317"
8 |   otel-trace-in-http: "true"
9 |
--------------------------------------------------------------------------------
/tests/data/otel/configmap-with-service-name.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   otel-exporter-endpoint: "otel.example.com:4317"
8 |   otel-service-name: "nginx-ingress-controller:nginx"
9 |
--------------------------------------------------------------------------------
/tests/data/otel/default-configmap.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |
--------------------------------------------------------------------------------
/tests/data/policy-ingress-class/policy-ingress-class.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-primary
5 | spec:
6 |   ingressClasName: nginx  # NOTE(review): spelled "ingressClasName" (one "s"); policy-other-ingress-class.yaml uses "ingressClassName". If unintended, this policy carries no class at all (confirm)
7 |   rateLimit:
8 |     rate: 1r/s
9 |     key: ${binary_remote_addr}
10 |     zoneSize: 10M
11 |
--------------------------------------------------------------------------------
/tests/data/policy-ingress-class/policy-other-ingress-class.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-primary
5 | spec:
6 |   ingressClassName: other
7 |   rateLimit:
8 |     rate: 1r/s
9 |     key: ${binary_remote_addr}
10 |     zoneSize: 10M
11 |
--------------------------------------------------------------------------------
/tests/data/policy-ingress-class/policy.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-primary
5 | spec:
6 |   rateLimit:  # same policy with no ingress class field
7 |     rate: 1r/s
8 |     key: ${binary_remote_addr}
9 |     zoneSize: 10M
10 |
--------------------------------------------------------------------------------
/tests/data/prometheus/secret.yaml:
--------------------------------------------------------------------------------
1 | ../common-secrets/tls-secret-cafe.example.com.yaml
--------------------------------------------------------------------------------
/tests/data/prometheus/transport-server/global-configuration.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: GlobalConfiguration
3 | metadata:
4 |   name: nginx-configuration
5 | spec:
6 |   listeners:
7 |   - name: tcp-server
8 |     port: 3333
9 |     protocol: TCP
10 |   - name: udp-server
11 |     port: 3333
12 |     protocol: UDP
13 |
--------------------------------------------------------------------------------
/tests/data/prometheus/transport-server/passthrough.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: TransportServer
3 | metadata:
4 |   name: passthrough
5 | spec:
6 |   listener:
7 |     name: tls-passthrough
8 |     protocol: TLS_PASSTHROUGH
9 |   host: app.example.com
10 |   upstreams:
11 |   - name: secure-app
12 |     service: secure-app
13 |     port: 8443
14 |   action:
15 |     pass: secure-app
16 |
--------------------------------------------------------------------------------
/tests/data/prometheus/transport-server/tcp.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: TransportServer
3 | metadata:
4 |   name: tcp
5 | spec:
6 |   listener:
7 |     name: tcp-server  # matches the "tcp-server" listener in global-configuration.yaml of this directory
8 |     protocol: TCP
9 |   upstreams:
10 |   - name: tcp-app
11 |     service: tcp-service
12 |     port: 3333
13 |   action:
14 |     pass: tcp-app
15 |
--------------------------------------------------------------------------------
/tests/data/prometheus/transport-server/udp.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: TransportServer
3 | metadata:
4 |   name: udp
5 | spec:
6 |   listener:
7 |     name: udp-server  # matches the "udp-server" listener in global-configuration.yaml of this directory
8 |     protocol: UDP
9 |   upstreams:
10 |   - name: udp-app
11 |     service: udp-service
12 |     port: 3333
13 |   action:
14 |     pass: udp-app
15 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-invalid.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-invalid
5 | spec:
6 |   rateLimit:
7 |     rate: a1sfd/s  # malformed on purpose, going by the file name; the other fixtures use the form "1r/s"
8 |     key: ${binary_remote_addr}
9 |     zoneSize: 10M
10 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-jwt-claim-sub.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-jwt-claim-sub
5 | spec:
6 |   rateLimit:
7 |     rate: 1r/s
8 |     key: ${jwt_claim_sub}  # keyed on the JWT "sub" claim; nginx does not count requests whose key is empty, so presumably this is paired with a JWT policy on the same route (confirm)
9 |     zoneSize: 10M
10 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-primary-scaled.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-primary-scaled
5 | spec:
6 |   rateLimit:
7 |     rate: 40r/s
8 |     key: ${binary_remote_addr}
9 |     zoneSize: 10M
10 |     scale: true  # presumably divides the rate across controller replicas (confirm)
11 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-primary.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-primary
5 | spec:
6 |   rateLimit:
7 |     rate: 1r/s
8 |     key: ${binary_remote_addr}  # one bucket per client address as nginx sees it
9 |     zoneSize: 10M
10 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-secondary.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-secondary
5 | spec:
6 |   rateLimit:
7 |     rate: 5r/s
8 |     key: ${binary_remote_addr}
9 |     zoneSize: 10M
10 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-tiered-basic-no-default-jwt-claim-sub.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-jwt-claim-sub-basic
5 | spec:
6 |   rateLimit:
7 |     rate: 1r/s
8 |     key: ${jwt_claim_sub}
9 |     zoneSize: 10M
10 |     condition:
11 |       jwt:
12 |         match: Basic
13 |         claim: user_details.level  # the tier is read from the token's own claim, so it only means something once the JWT signature has been verified (JWT policy not shown in this file)
14 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-tiered-basic-with-default-jwt-claim-sub.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-jwt-claim-sub-basic  # same resource name as the no-default variant, so applying one replaces the other
5 | spec:
6 |   rateLimit:
7 |     rate: 1r/s
8 |     key: ${jwt_claim_sub}
9 |     zoneSize: 10M
10 |     condition:
11 |       jwt:
12 |         match: Basic
13 |         claim: user_details.level
14 |       default: true  # presumably the limit used when no tier condition matches (confirm)
15 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-tiered-bronze-with-default-jwt-claim-sub.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-jwt-claim-sub-bronze
5 | spec:
6 |   rateLimit:
7 |     rate: 5r/s
8 |     key: ${jwt_claim_sub}
9 |     zoneSize: 10M
10 |     condition:
11 |       jwt:
12 |         match: Bronze
13 |         claim: user_details.tier  # Bronze/Silver/Gold match on user_details.tier; Basic/Premium match on user_details.level
14 |       default: true
15 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-tiered-gold-no-default-jwt-claim-sub.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-jwt-claim-sub-gold
5 | spec:
6 |   rateLimit:
7 |     rate: 15r/s
8 |     key: ${jwt_claim_sub}
9 |     zoneSize: 10M
10 |     condition:
11 |       jwt:
12 |         match: Gold
13 |         claim: user_details.tier
14 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-tiered-premium-no-default-jwt-claim-sub.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-jwt-claim-sub-premium
5 | spec:
6 |   rateLimit:
7 |     rate: 5r/s
8 |     key: ${jwt_claim_sub}
9 |     zoneSize: 10M
10 |     condition:
11 |       jwt:
12 |         match: Premium
13 |         claim: user_details.level
14 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-tiered-premium-with-default-jwt-claim-sub.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-jwt-claim-sub-premium
5 | spec:
6 |   rateLimit:
7 |     rate: 5r/s
8 |     key: ${jwt_claim_sub}
9 |     zoneSize: 10M
10 |     condition:
11 |       jwt:
12 |         match: Premium
13 |         claim: user_details.level
14 |       default: true  # presumably the limit used when no tier condition matches (confirm)
15 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/policies/rate-limit-tiered-silver-no-default-jwt-claim-sub.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: Policy
3 | metadata:
4 |   name: rate-limit-jwt-claim-sub-silver
5 | spec:
6 |   rateLimit:
7 |     rate: 10r/s
8 |     key: ${jwt_claim_sub}
9 |     zoneSize: 10M
10 |     condition:
11 |       jwt:
12 |         match: Silver
13 |         claim: user_details.tier
14 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/route-subroute/virtual-server-vsr-route-override.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServer
3 | metadata:
4 |   name: virtual-server-route
5 | spec:
6 |   host: virtual-server-route.example.com
7 |   routes:
8 |   - path: "/backends"
9 |     policies:
10 |     - name: rate-limit-primary  # policy attached to this route only; "/backend2" below has none
11 |     route: backends
12 |   - path: "/backend2"
13 |     route: backend2-namespace/backend2
14 |
--------------------------------------------------------------------------------
/tests/data/rate-limit/route-subroute/virtual-server-vsr-spec-override.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServer
3 | metadata:
4 |   name: virtual-server-route
5 | spec:
6 |   host: virtual-server-route.example.com
7 |   policies:
8 |   - name: rate-limit-primary  # policy attached at spec level rather than per route
9 |   routes:
10 |   - path: "/backends"
11 |     route: backends
12 |   - path: "/backend2"
13 |     route: backend2-namespace/backend2
14 |
--------------------------------------------------------------------------------
/tests/data/rewrites/virtual-server-parent.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServer
3 | metadata:
4 |   name: rewrite-parent
5 | spec:
6 |   host: vsr.example.com
7 |   upstreams:
8 |   - name: hello
9 |     service: hello-svc
10 |     port: 80
11 |   routes:
12 |   - path: /
13 |     route: prefixes
14 |   - path: ~ /regex1/?(.*)
15 |     route: regex-1
16 |   - path: ~ /regex2/?(.*)
17 |     route: regex-2
18 |
--------------------------------------------------------------------------------
/tests/data/rewrites/virtual-server-route-regex1.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServerRoute
3 | metadata:
4 |   name: regex-1
5 | spec:
6 |   host: vsr.example.com
7 |   upstreams:
8 |   - name: hello
9 |     service: hello-svc
10 |     port: 80
11 |   subroutes:
12 |   - path: ~ /regex1/?(.*)
13 |     action:
14 |       proxy:
15 |         upstream: hello
16 |         rewritePath: /$1  # $1 is the (.*) capture from the path regex above
17 |
--------------------------------------------------------------------------------
/tests/data/rewrites/virtual-server-route-regex2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServerRoute
3 | metadata:
4 |   name: regex-2
5 | spec:
6 |   host: vsr.example.com
7 |   upstreams:
8 |   - name: hello
9 |     service: hello-svc
10 |     port: 80
11 |   subroutes:
12 |   - path: ~ /regex2/?(.*)
13 |     action:
14 |       proxy:
15 |         upstream: hello
16 |         rewritePath: /$1
17 |
--------------------------------------------------------------------------------
/tests/data/service-insight/app.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 |   name: backend1
5 | spec:
6 |   replicas: 5
7 |   selector:
8 |     matchLabels:
9 |       app: backend1
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: backend1
14 |     spec:
15 |       containers:
16 |       - name: backend1
17 |         image: nginxdemos/nginx-hello:plain-text  # referenced by tag, not by digest, so the image content is not pinned
18 |         ports:
19 |         - containerPort: 8080
20 |
--------------------------------------------------------------------------------
/tests/data/service-insight/secret.yaml:
--------------------------------------------------------------------------------
1 | ../common-secrets/test-secret-cafe.example.com.yaml
--------------------------------------------------------------------------------
/tests/data/smoke/smoke-secret.yaml:
--------------------------------------------------------------------------------
1 | ../common-secrets/tls-secret-cafe.example.com.yaml
--------------------------------------------------------------------------------
/tests/data/startup/virtual-server-routes/route.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServerRoute
3 | metadata:
4 |   name: route
5 | spec:
6 |   host: example.com
7 |   subroutes:
8 |   - path: "/route"
9 |     action:
10 |       return:
11 |         body: "Hello World\n"
12 |
--------------------------------------------------------------------------------
/tests/data/startup/virtual-server-routes/virtual-server.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServer
3 | metadata:
4 |   name: virtual-server
5 | spec:
6 |   host: example.com
7 |   routes:  # left empty in the fixture; presumably filled in by the test (confirm)
8 |
--------------------------------------------------------------------------------
/tests/data/tls/invalid-tls-secret.yaml:
--------------------------------------------------------------------------------
1 | ../common-secrets/tls-secret-invalid-cafe.example.com.yaml
--------------------------------------------------------------------------------
/tests/data/tls/mergeable/ingress.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   name: ingress-master
5 |   annotations:
6 |     kubernetes.io/ingress.class: "nginx"
7 |     nginx.org/mergeable-ingress-type: "master"
8 | spec:
9 |   tls:
10 |   - hosts:
11 |     - cafe.example.com
12 |     secretName: tls-secret
13 |   rules:
14 |   - host: cafe.example.com
15 |
--------------------------------------------------------------------------------
/tests/data/tls/new-tls-secret.yaml:
--------------------------------------------------------------------------------
1 | ../common-secrets/tls-secret-cafe.example.com-gb.yaml
--------------------------------------------------------------------------------
/tests/data/tls/standard/ingress.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: networking.k8s.io/v1
2 | kind: Ingress
3 | metadata:
4 |   annotations:
5 |     kubernetes.io/ingress.class: "nginx"
6 |   name: ingress
7 | spec:
8 |   tls:
9 |   - hosts:
10 |     - cafe.example.com
11 |     secretName: tls-secret
12 |   rules:
13 |   - host: cafe.example.com
14 |
--------------------------------------------------------------------------------
/tests/data/tls/tls-secret.yaml:
--------------------------------------------------------------------------------
1 | ../common-secrets/tls-secret-cafe.example.com.yaml
--------------------------------------------------------------------------------
/tests/data/transport-server-backup-service/backup-svc.yaml:
--------------------------------------------------------------------------------
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 |   name: backup-svc-ts
5 | spec:
6 |   type: ExternalName
7 |   externalName: external-backend-svc.external-ns.svc.cluster.local  # a DNS name in another namespace (external-ns); presumably resolved through the resolver set in this directory's nginx-config.yaml
8 |
--------------------------------------------------------------------------------
/tests/data/transport-server-backup-service/nginx-config.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config
5 |   namespace: nginx-ingress
6 | data:
7 |   resolver-addresses: "kube-dns.kube-system.svc.cluster.local"  # cluster DNS as the NGINX resolver; presumably needed for ExternalName upstreams
8 |
--------------------------------------------------------------------------------
/tests/data/transport-server-backup-service/standard/transport-server.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: TransportServer
3 | metadata:
4 |   name: transport-server
5 | spec:
6 |   listener:
7 |     name: tls-passthrough
8 |     protocol: TLS_PASSTHROUGH
9 |   host: app.example.com
10 |   upstreams:
11 |   - name: secure-app  # no backup service is referenced in this file; presumably the test adds it (confirm)
12 |     service: secure-app
13 |     port: 8443
14 |   action:
15 |     pass: secure-app
16 |
--------------------------------------------------------------------------------
/tests/data/transport-server-custom-ip-listener/global-configuration.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: GlobalConfiguration
3 | metadata:
4 |   name: nginx-configuration
5 |   namespace: nginx-ingress
6 | spec:
7 |   listeners:
8 |   - name: dns-tcp-ip
9 |     port: 5353
10 |     protocol: TCP
11 |     ipv4: 127.0.0.1  # loopback address: the listener is bound to localhost rather than all interfaces
12 |     ipv6: ::1  # IPv6 loopback
13 |
--------------------------------------------------------------------------------
/tests/data/transport-server-custom-ip-listener/transport-server.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: TransportServer
3 | metadata:
4 |   name: transport-server
5 | spec:
6 |   listener:
7 |     name: dns-tcp-ip  # matches the loopback-bound listener in global-configuration.yaml of this directory
8 |     protocol: TCP
9 |   upstreams:
10 |   - name: dns-app
11 |     service: coredns
12 |     port: 5353
13 |   action:
14 |     pass: dns-app
15 |
--------------------------------------------------------------------------------
/tests/data/transport-server-externalname/externalname-svc.yaml:
--------------------------------------------------------------------------------
1 | kind: Service
2 | apiVersion: v1
3 | metadata:
4 |   name: externalname-service
5 | spec:
6 |   type: ExternalName
7 |   externalName: core-dns-external-backend-svc.external-ns.svc.cluster.local  # a DNS name in another namespace (external-ns)
8 |
--------------------------------------------------------------------------------
/tests/data/transport-server-externalname/nginx-config.yaml:
--------------------------------------------------------------------------------
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 |   name: nginx-config  # no namespace set here, unlike the other nginx-config fixtures in this listing
5 | data:
6 |   resolver-addresses: "kube-dns.kube-system.svc.cluster.local"
7 |
--------------------------------------------------------------------------------
/tests/data/transport-server-externalname/standard/global-configuration.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: GlobalConfiguration
3 | metadata:
4 |   name: nginx-configuration
5 | spec:
6 |   listeners:
7 |   - name: dns-udp
8 |     port: 5353
9 |     protocol: UDP
10 |   - name: dns-tcp
11 |     port: 5353
12 |     protocol: TCP
13 |
--------------------------------------------------------------------------------
/tests/data/transport-server-externalname/standard/transport-server.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: TransportServer
3 | metadata:
4 |   name: transport-server
5 | spec:
6 |   listener:
7 |     name: dns-tcp
8 |     protocol: TCP
9 |   upstreams:
10 |   - name: dns-app
11 |     service: externalname-service  # the ExternalName Service defined in externalname-svc.yaml
12 |     port: 5353
13 |   action:
14 |     pass: dns-app
15 |
--------------------------------------------------------------------------------
/tests/data/transport-server-status/rejected-invalid.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: TransportServer
3 | metadata:
4 |   name: transport-server
5 | spec:
6 |   listener:
7 |     name: dns-tcp
8 |     # we specify an invalid protocol to generate an 'Invalid' state
9 |     protocol: invalid-protocol
10 |   upstreams:
11 |   - name: dns-app
12 |     service: coredns
13 |     port: 5353
14 |   action:
15 |     pass: dns-app
16 |
--------------------------------------------------------------------------------
/tests/data/transport-server-status/rejected-warning.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: TransportServer
3 | metadata:
4 |   name: transport-server
5 | spec:
6 |   listener:
7 |     # we specify a missing listener to generate a 'Warning' state
8 |     name: invalid-listener
9 |     protocol: TCP
10 |   upstreams:
11 |   - name: dns-app
12 |     service: coredns
13 |     port: 5353
14 |   action:
15 |     pass: dns-app
16 |
--------------------------------------------------------------------------------
/tests/data/transport-server-status/standard/global-configuration-invalid-preceding-udp.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: GlobalConfiguration
3 | metadata:
4 |   name: nginx-configuration
5 | spec:
6 |   listeners:
7 |   - name: dns-udp
8 |     port: 9113  # the only value that differs from global-configuration.yaml; presumably a port the controller reserves (9113 is its default metrics port) (confirm)
9 |     protocol: UDP
10 |   - name: dns-tcp
11 |     port: 5353
12 |     protocol: TCP
13 |
--------------------------------------------------------------------------------
/tests/data/transport-server-status/standard/global-configuration-invalid-tcp.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: k8s.nginx.org/v1
2 | kind: GlobalConfiguration
3 | metadata:
4 |   name: nginx-configuration
5 | spec:
6 |   listeners:
7 |   - name: dns-udp
8 |     port: 5353
9 |     protocol: UDP
10 |   - name: dns-tcp
11 |     port: 9113  # here the TCP listener carries the 9113 port; presumably invalid for the same reason as in the preceding-udp variant (confirm)
12 |     protocol: TCP
13 |
-------------------------------------------------------------------------------- /tests/data/transport-server-status/standard/global-configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: nginx-configuration 5 | spec: 6 | listeners: 7 | - name: dns-udp 8 | port: 5353 9 | protocol: UDP 10 | - name: dns-tcp 11 | port: 5353 12 | protocol: TCP 13 | -------------------------------------------------------------------------------- /tests/data/transport-server-status/standard/transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: dns-tcp 8 | protocol: TCP 9 | upstreams: 10 | - name: dns-app 11 | service: coredns 12 | port: 5353 13 | action: 14 | pass: dns-app 15 | -------------------------------------------------------------------------------- /tests/data/transport-server-tcp-load-balance/max-connections-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: tcp-server 8 | protocol: TCP 9 | upstreams: 10 | - name: tcp-app 11 | service: tcp-service 12 | port: 3333 13 | maxConns: 2 14 | action: 15 | pass: tcp-app 16 | -------------------------------------------------------------------------------- /tests/data/transport-server-tcp-load-balance/method-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: tcp-server 8 | protocol: TCP 9 | upstreams: 10 | - name: tcp-app 11 | service: tcp-service 12 | port: 
3333 13 | loadBalancingMethod: hash ${remote_addr} 14 | action: 15 | pass: tcp-app 16 | -------------------------------------------------------------------------------- /tests/data/transport-server-tcp-load-balance/missing-service-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: tcp-server 8 | protocol: TCP 9 | upstreams: 10 | - name: tcp-app 11 | service: missing-service 12 | port: 3333 13 | action: 14 | pass: tcp-app 15 | -------------------------------------------------------------------------------- /tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/transport-server-tls-secret-cafe.example.com-gb.yaml -------------------------------------------------------------------------------- /tests/data/transport-server-tcp-load-balance/second-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server-two 5 | spec: 6 | listener: 7 | name: tcp-server 8 | protocol: TCP 9 | upstreams: 10 | - name: tcp-app 11 | service: tcp-service 12 | port: 3333 13 | action: 14 | pass: tcp-app 15 | -------------------------------------------------------------------------------- /tests/data/transport-server-tcp-load-balance/standard/global-configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: nginx-configuration 5 | spec: 6 | listeners: 7 | - name: tcp-server 8 | port: 3333 9 | protocol: TCP 10 | -------------------------------------------------------------------------------- 
/tests/data/transport-server-tcp-load-balance/standard/transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: tcp-server 8 | protocol: TCP 9 | upstreams: 10 | - name: tcp-app 11 | service: tcp-service 12 | port: 3333 13 | action: 14 | pass: tcp-app 15 | -------------------------------------------------------------------------------- /tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/transport-server-tls-secret-kic.example.com.yaml -------------------------------------------------------------------------------- /tests/data/transport-server-tcp-load-balance/transport-server-tls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: tcp-server 8 | protocol: TCP 9 | tls: 10 | secret: transport-server-tls-secret 11 | upstreams: 12 | - name: tcp-app 13 | service: tcp-service 14 | port: 3333 15 | action: 16 | pass: tcp-app 17 | -------------------------------------------------------------------------------- /tests/data/transport-server-tcp-load-balance/wrong-port-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: tcp-server 8 | protocol: TCP 9 | upstreams: 10 | - name: tcp-app 11 | service: tcp-service 12 | port: 2222 13 | action: 14 | pass: tcp-app 15 | -------------------------------------------------------------------------------- /tests/data/transport-server-tls-passthrough/nginx-config.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | data: 6 | proxy-protocol: "True" 7 | real-ip-header: "proxy_protocol" # client address is taken from the PROXY protocol header 8 | set-real-ip-from: "0.0.0.0/0" # test fixture: trusts the PROXY protocol address from any IPv4 peer; outside tests restrict this to the load balancer's addresses, otherwise any client can supply its own source address 9 | -------------------------------------------------------------------------------- /tests/data/transport-server-tls-passthrough/standard/transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: tls-passthrough 8 | protocol: TLS_PASSTHROUGH # TLS is passed through to the upstream; this resource sets no tls.secret 9 | host: app.example.com 10 | upstreams: 11 | - name: secure-app 12 | service: secure-app 13 | port: 8443 14 | action: 15 | pass: secure-app 16 | -------------------------------------------------------------------------------- /tests/data/transport-server-tls-passthrough/transport-server-same-host.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server-2 5 | spec: 6 | listener: 7 | name: tls-passthrough 8 | protocol: TLS_PASSTHROUGH 9 | host: app.example.com # same listener and host as standard/transport-server.yaml, under a different resource name 10 | upstreams: 11 | - name: secure-app 12 | service: secure-app 13 | port: 8443 14 | action: 15 | pass: secure-app 16 | -------------------------------------------------------------------------------- /tests/data/transport-server-udp-load-balance/missing-service-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: udp-server 8 | protocol: UDP 9 | upstreams: 10 | - name: udp-app 11 | service: missing-service # presumably a Service the test never creates; confirm against the test that loads this file 12 | port: 3334 13 | action: 14 | pass: udp-app 15 | 
-------------------------------------------------------------------------------- /tests/data/transport-server-udp-load-balance/second-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server-two 5 | spec: 6 | listener: 7 | name: udp-server 8 | protocol: UDP 9 | upstreams: 10 | - name: udp-app 11 | service: udp-service 12 | port: 3334 13 | action: 14 | pass: udp-app 15 | -------------------------------------------------------------------------------- /tests/data/transport-server-udp-load-balance/standard/global-configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: nginx-configuration 5 | spec: 6 | listeners: 7 | - name: udp-server 8 | port: 3334 9 | protocol: UDP 10 | -------------------------------------------------------------------------------- /tests/data/transport-server-udp-load-balance/standard/transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: udp-server 8 | protocol: UDP 9 | upstreams: 10 | - name: udp-app 11 | service: udp-service 12 | port: 3334 13 | action: 14 | pass: udp-app 15 | -------------------------------------------------------------------------------- /tests/data/transport-server-udp-load-balance/wrong-port-transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: udp-server 8 | protocol: UDP 9 | upstreams: 10 | - name: udp-app 11 | service: udp-service 12 | port: 2222 13 | action: 14 | pass: udp-app 15 | 
-------------------------------------------------------------------------------- /tests/data/transport-server-with-host/cafe-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/cafe-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /tests/data/transport-server-with-host/transport-server-with-host.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | host: cafe.example.com 7 | listener: 8 | name: dns-tcp 9 | protocol: TCP 10 | tls: 11 | secret: cafe-secret 12 | upstreams: 13 | - name: dns-app 14 | service: coredns 15 | port: 5353 16 | action: 17 | pass: dns-app 18 | -------------------------------------------------------------------------------- /tests/data/udp-http-listeners-together/global-configuration.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: nginx-configuration 5 | namespace: nginx-ingress 6 | spec: 7 | listeners: 8 | - name: udp-listener 9 | port: 5454 10 | protocol: UDP 11 | - name: http-listener 12 | port: 5454 13 | protocol: HTTP 14 | -------------------------------------------------------------------------------- /tests/data/udp-http-listeners-together/transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: udp-listener 8 | protocol: UDP 9 | upstreams: 10 | - name: dns-app 11 | service: coredns 12 | port: 5353 13 | action: 14 | pass: dns-app 15 | -------------------------------------------------------------------------------- /tests/data/upgrade-test-resources/deployment.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: backend 5 | spec: 6 | replicas: 2 7 | selector: 8 | matchLabels: 9 | app: backend 10 | template: 11 | metadata: 12 | labels: 13 | app: backend 14 | spec: 15 | containers: 16 | - name: backend 17 | image: nginxdemos/nginx-hello:plain-text # referenced by tag, not by digest, so the image content can change between runs; this pod spec also sets no securityContext or resource limits 18 | ports: 19 | - containerPort: 8080 20 | -------------------------------------------------------------------------------- /tests/data/upgrade-test-resources/ns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: ns 5 | -------------------------------------------------------------------------------- /tests/data/upgrade-test-resources/secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/test-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /tests/data/upgrade-test-resources/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: backend-svc 5 | spec: 6 | ports: 7 | - port: 80 8 | targetPort: 8080 # same port as the backend Deployment's containerPort 9 | protocol: TCP 10 | name: http 11 | selector: 12 | app: backend 13 | -------------------------------------------------------------------------------- /tests/data/upgrade-test-resources/transport-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: TransportServer 3 | metadata: 4 | name: transport-server 5 | spec: 6 | listener: 7 | name: tcp-server 8 | protocol: TCP 9 | upstreams: 10 | - name: tcp-app 11 | service: tcp-service 12 | port: 3333 13 | action: 14 | pass: tcp-app 15 | -------------------------------------------------------------------------------- 
/tests/data/upgrade-test-resources/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: vs 5 | spec: 6 | host: vs.example.com 7 | tls: 8 | secret: secret 9 | upstreams: 10 | - name: backend 11 | service: backend-svc 12 | port: 80 13 | routes: 14 | - path: "/backend" 15 | action: 16 | pass: backend 17 | -------------------------------------------------------------------------------- /tests/data/use-cluster-ip/ingress/mergeable/use-cluster-ip-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | annotations: 5 | nginx.org/mergeable-ingress-type: "master" 6 | name: use-cluster-ip-ingress-master 7 | spec: 8 | ingressClassName: nginx 9 | rules: 10 | - host: use-cluster-ip.example.com 11 | -------------------------------------------------------------------------------- /tests/data/virtual-server-backup-service/backup-svc.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: backup-svc 5 | spec: 6 | type: ExternalName 7 | externalName: external-backend-svc.external-ns.svc.cluster.local 8 | -------------------------------------------------------------------------------- /tests/data/virtual-server-backup-service/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | resolver-addresses: "kube-dns.kube-system.svc.cluster.local" 8 | -------------------------------------------------------------------------------- /tests/data/virtual-server-canned-responses/virtual-server-invalid-openapi.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server 5 | spec: 6 | host: virtual-server.example.com 7 | routes: 8 | - path: "/canned-response" 9 | action: 10 | return: 11 | code: "301" 12 | type: 100 13 | body: True 14 | headers: "String" 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-canned-responses/virtual-server-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server 5 | spec: 6 | host: virtual-server.example.com 7 | routes: 8 | - path: "/canned-response" 9 | action: 10 | return: 11 | code: 301 12 | type: "anything will do" 13 | body: "Variables must be enclosed in curly brackets: $request_uri" 14 | -------------------------------------------------------------------------------- /tests/data/virtual-server-certmanager/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/tls-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /tests/data/virtual-server-configmap-keys/configmap-global-variables.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | variables-hash-bucket-size: "124" 8 | variables-hash-max-size: "0" 9 | -------------------------------------------------------------------------------- /tests/data/virtual-server-configmap-keys/configmap-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | proxy-buffering: "invalid" # Invalid boolean 8 | proxy-read-timeout: "60s" 9 | 
-------------------------------------------------------------------------------- /tests/data/virtual-server-configmap-keys/configmap-ssl-keys-invalid.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | proxy-protocol: "invalid" 8 | http2: "invalid" 9 | -------------------------------------------------------------------------------- /tests/data/virtual-server-configmap-keys/configmap-ssl-keys.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | proxy-protocol: "true" 8 | http2: "true" 9 | -------------------------------------------------------------------------------- /tests/data/virtual-server-configmap-keys/configmap-valid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | proxy-buffering: "on" 8 | proxy-read-timeout: "60s" 9 | -------------------------------------------------------------------------------- /tests/data/virtual-server-configmap-keys/configmap-validation-keys-invalid-oss.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | proxy-buffering: "invalid" 8 | real-ip-recursive: "invalid" 9 | server-tokens: "invalid" 10 | lb-method: "least_time header inflight" # plus only 11 | max-fails: "invalid" 12 | keepalive: "invalid" 13 | proxy-protocol: "invalid proxy" 14 | -------------------------------------------------------------------------------- /tests/data/virtual-server-configmap-keys/configmap-validation-keys-oss.yaml: 
-------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | proxy-buffering: "false" 8 | real-ip-recursive: "true" 9 | server-tokens: "false" 10 | lb-method: "ip_hash" 11 | max-fails: "3" 12 | keepalive: "32" 13 | proxy-protocol: "true" 14 | upstream-zone-size: "0" # special value 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-custom-listeners/global-configuration-missing-http-https.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: nginx-configuration 5 | namespace: nginx-ingress 6 | spec: 7 | listeners: 8 | - name: dns-udp 9 | port: 5353 10 | protocol: UDP 11 | - name: dns-tcp 12 | port: 5353 13 | protocol: TCP 14 | -------------------------------------------------------------------------------- /tests/data/virtual-server-custom-listeners/global-configuration-missing-http.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: nginx-configuration 5 | namespace: nginx-ingress 6 | spec: 7 | listeners: 8 | - name: dns-udp 9 | port: 5353 10 | protocol: UDP 11 | - name: dns-tcp 12 | port: 5353 13 | protocol: TCP 14 | - name: https-8445 15 | port: 8445 16 | protocol: HTTP 17 | ssl: true 18 | -------------------------------------------------------------------------------- /tests/data/virtual-server-custom-listeners/global-configuration-missing-https.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: GlobalConfiguration 3 | metadata: 4 | name: nginx-configuration 5 | namespace: nginx-ingress 6 | spec: 7 | listeners: 8 | - name: dns-udp 9 | port: 5353 10 | 
protocol: UDP 11 | - name: dns-tcp 12 | port: 5353 13 | protocol: TCP 14 | - name: http-8085 15 | port: 8085 16 | protocol: HTTP 17 | -------------------------------------------------------------------------------- /tests/data/virtual-server-dos/dos-logconf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotectdos.f5.com/v1beta1 2 | kind: APDosLogConf 3 | metadata: 4 | name: doslogconf 5 | spec: 6 | filter: 7 | traffic-mitigation-stats: all 8 | bad-actors: top 10 9 | attack-signatures: top 10 10 | -------------------------------------------------------------------------------- /tests/data/virtual-server-dos/dos-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: appprotectdos.f5.com/v1beta1 2 | kind: APDosPolicy 3 | metadata: 4 | name: dospolicy 5 | spec: 6 | mitigation_mode: "standard" 7 | signatures: "on" 8 | bad_actors: "on" 9 | automation_tools_detection: "on" 10 | tls_fingerprint: "on" 11 | -------------------------------------------------------------------------------- /tests/data/virtual-server-dos/virtual-server-block-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: dosapp 5 | spec: 6 | host: dos.example.com 7 | 8 | upstreams: 9 | - name: dosapp 10 | service: dos-svc 11 | port: 80 12 | dos: dos-protected 13 | routes: 14 | - path: / 15 | action: 16 | pass: dosapp 17 | -------------------------------------------------------------------------------- /tests/data/virtual-server-dos/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: dosapp 5 | spec: 6 | host: dos.example.com 7 | 8 | upstreams: 9 | - name: dosapp 10 | service: dos-svc 11 | port: 80 12 | routes: 13 | - path: / 14 | dos: 
dos-protected 15 | action: 16 | pass: dosapp 17 | -------------------------------------------------------------------------------- /tests/data/virtual-server-external-dns/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | external-status-address: "1.2.3.4" 8 | -------------------------------------------------------------------------------- /tests/data/virtual-server-externalname/externalname-svc.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: externalname-service 5 | spec: 6 | type: ExternalName 7 | externalName: external-backend-svc.external-ns.svc.cluster.local 8 | -------------------------------------------------------------------------------- /tests/data/virtual-server-externalname/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | data: 6 | resolver-addresses: "kube-dns.kube-system.svc.cluster.local" 7 | -------------------------------------------------------------------------------- /tests/data/virtual-server-grpc/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | http2: "true" 8 | log-format: '$remote_addr - $remote_user [$time_local] "$request" $status $grpc_status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"' 9 | -------------------------------------------------------------------------------- /tests/data/virtual-server-grpc/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | 
../common-secrets/tls-secret-virtual-server.example.com.yaml -------------------------------------------------------------------------------- /tests/data/virtual-server-redirects/virtual-server-invalid-openapi.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server 5 | spec: 6 | host: virtual-server.example.com 7 | routes: 8 | - path: "/custom-redirect" 9 | action: 10 | redirect: 11 | code: 304 12 | url: "http://example.com" 13 | - path: "/default-redirect" 14 | action: 15 | redirect: 16 | code: "code" 17 | url: 100 18 | -------------------------------------------------------------------------------- /tests/data/virtual-server-redirects/virtual-server-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server 5 | spec: 6 | host: virtual-server.example.com 7 | routes: 8 | - path: "/custom-redirect" 9 | action: 10 | redirect: 11 | code: 304 12 | url: "http://example.com" 13 | - path: "/default-redirect" 14 | action: 15 | redirect: 16 | code: 204 17 | url: "${nginx_version}" 18 | -------------------------------------------------------------------------------- /tests/data/virtual-server-redirects/virtual-server-updated.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server 5 | spec: 6 | host: virtual-server.example.com 7 | routes: 8 | - path: "/custom-redirect" 9 | action: 10 | redirect: 11 | url: "http://demo.nginx.com" 12 | - path: "/default-redirect" 13 | action: 14 | redirect: 15 | code: 302 16 | url: "http://demo.nginx.com" 17 | -------------------------------------------------------------------------------- 
/tests/data/virtual-server-route-advanced-routing/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends-namespace/backends 10 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-canned-responses/route-multiple-invalid-openapi.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backends 5 | spec: 6 | host: virtual-server-route.example.com 7 | subroutes: 8 | - path: "/backends/canned-response" 9 | action: 10 | return: 11 | code: "301" 12 | type: 100 13 | body: True 14 | headers: "String" 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-canned-responses/route-multiple-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backends 5 | spec: 6 | host: virtual-server-route.example.com 7 | subroutes: 8 | - path: "/backends/canned-response" 9 | action: 10 | return: 11 | code: 301 12 | type: "anything will do" 13 | body: "Variables must be inclosed in curly brackets: $request_uri" 14 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-canned-responses/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends 10 | - path: 
"/backend2" 11 | route: backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-dynamic-configuration/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends-namespace/backends 10 | - path: "/backend2" 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-error-pages/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends # implicit namespace 10 | - path: "/backend2" 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-externalname/externalname-svc.yaml: -------------------------------------------------------------------------------- 1 | kind: Service 2 | apiVersion: v1 3 | metadata: 4 | name: externalname-service 5 | spec: 6 | type: ExternalName 7 | externalName: external-backend-svc.external-ns.svc.cluster.local 8 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-externalname/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | data: 6 | resolver-addresses: "kube-dns.kube-system.svc.cluster.local" 7 | 
-------------------------------------------------------------------------------- /tests/data/virtual-server-route-externalname/route-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: externalname-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: ext-backend 9 | service: externalname-service 10 | port: 80 11 | subroutes: 12 | - path: "/external-backend" 13 | action: 14 | pass: ext-backend 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-externalname/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/external-backend" 9 | route: route-namespace/externalname-route 10 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-focused-canary/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends-namespace/backends 10 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-grpc/nginx-config.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | http2: "true" 8 | -------------------------------------------------------------------------------- 
/tests/data/virtual-server-route-grpc/route-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: grpc2 5 | spec: 6 | host: virtual-server.example.com 7 | upstreams: 8 | - name: grpc2 9 | service: grpc2-svc 10 | port: 50051 11 | type: grpc 12 | subroutes: 13 | - path: /helloworld.Greeter 14 | action: 15 | pass: grpc2 16 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-grpc/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server.example.com 7 | tls: 8 | secret: tls-secret 9 | routes: 10 | - path: "/grpcs" 11 | route: grpcs 12 | - path: "/grpc2" 13 | route: grpc2 14 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-grpc/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/tls-secret-virtual-server.example.com.yaml -------------------------------------------------------------------------------- /tests/data/virtual-server-route-redirects/route-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | subroutes: 8 | - path: "/backend2" 9 | action: 10 | redirect: 11 | code: 307 12 | url: "http://example.com" 13 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-redirects/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 
| kind: VirtualServer 3 | metadata: 4 | name: virtual-server 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends 10 | - path: "/backend2" 11 | route: backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/additional-case/route-exact.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "=/backends/match" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/additional-case/route-prefix.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend1 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend1 9 | service: backend1-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backends/match" 13 | action: 14 | pass: backend1 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/additional-case/route-regexp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend3 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend3 9 | service: backend3-svc 10 | port: 80 11 | subroutes: 12 | - path: "~ /backends/match" 13 | action: 14 | pass: backend3 15 | -------------------------------------------------------------------------------- 
/tests/data/virtual-server-route-regexp-location/additional-case/virtual-server-exact-over-all.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends/match" 9 | route: backend1 10 | - path: "=/backends/match" 11 | route: backend2 12 | - path: "~ /backends/match" 13 | route: backend3 14 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/additional-case/virtual-server-regexp-over-prefix.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends/match" 9 | route: backend1 10 | - path: "~ /backends/match" 11 | route: backend3 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/route-single-case-insensitive.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "~* /case-inSENsitiVe/match" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/route-single-case-sensitive.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: 
virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "~ /case-SENsitiVe/match" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/route-single-exact.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: '=/exact-match$request' 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/route-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backend2" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/standard/virtual-server-case-insensitive.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "~* /backends/case-inSENsitiVe/match" 9 | route: backends-namespace/backends 10 | - path: "~* /case-inSENsitiVe/match" 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- 
/tests/data/virtual-server-route-regexp-location/standard/virtual-server-case-sensitive.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "~ /backends/case-inSENsitiVe/match" 9 | route: backends-namespace/backend1 10 | - path: "~ /case-SENsitiVe/match" 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/standard/virtual-server-exact.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "=/backends/exact-match$request" 9 | route: backends-namespace/backends 10 | - path: '=/exact-match$request' 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/standard/virtual-server-invalid-duplicate-routes.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "=/exact-match$request" 9 | route: backends-namespace/backends 10 | - path: "=/exact-match$request" 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-regexp-location/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | 
name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends-namespace/backends 10 | - path: "/backend2" 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-split-traffic/route-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backend2" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-split-traffic/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends-namespace/backends 10 | - path: "/backend2" 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-status/route-single-invalid-prefixed-path.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: /backend6 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-status/route-single-invalid.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: backend2 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-status/route-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: /backend2 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-status/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: /backends 9 | route: backends-namespace/backends 10 | - path: /backend2 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-status/virtual-server-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: /backend_x 9 | route: backends-namespace/backend_x 10 | - path: /backend_y 11 | route: backend2-namespace/backend_y 12 | 
-------------------------------------------------------------------------------- /tests/data/virtual-server-route-upstream-options/route-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backend2" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-upstream-options/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends-namespace/backends 10 | - path: "/backend2" 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-upstream-tls/route-single-disable-tls.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backend2" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-upstream-tls/route-single-invalid.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: 
virtual-server-route.example.com
7 | upstreams:
8 | - name: backend2
9 | service: backend2-svc
10 | port: 80
11 | tls:
12 | enable: ""  # negative case: empty string where route-single.yaml sets a boolean
13 | subroutes:
14 | - path: "/backend2"
15 | action:
16 | pass: backend2
17 |
--------------------------------------------------------------------------------
/tests/data/virtual-server-route-upstream-tls/route-single.yaml:
--------------------------------------------------------------------------------
# VirtualServerRoute whose single upstream has tls.enable set.
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServerRoute
3 | metadata:
4 | name: backend2
5 | spec:
6 | host: virtual-server-route.example.com
7 | upstreams:
8 | - name: backend2
9 | service: backend2-svc
10 | port: 80
11 | tls:
# Switches traffic to this upstream to TLS. The port stays 80, and nothing in this file
# configures verification of the upstream certificate.
12 | enable: True
13 | subroutes:
14 | - path: "/backend2"
15 | action:
16 | pass: backend2
17 |
--------------------------------------------------------------------------------
/tests/data/virtual-server-route-upstream-tls/standard/virtual-server.yaml:
--------------------------------------------------------------------------------
# VirtualServer delegating /backends and /backend2 to routes in two different namespaces.
1 | apiVersion: k8s.nginx.org/v1
2 | kind: VirtualServer
3 | metadata:
4 | name: virtual-server-route
5 | spec:
6 | host: virtual-server-route.example.com
7 | routes:
8 | - path: "/backends"
9 | route: backends-namespace/backends
10 | - path: "/backend2"
11 | route: backend2-namespace/backend2
12 |
--------------------------------------------------------------------------------
/tests/data/virtual-server-route-weight-changes-dynamic-reload/configmap/nginx-config.yaml:
--------------------------------------------------------------------------------
# ConfigMap setting four hash-table sizes (map and variables) for the controller's NGINX.
# Presumably raised so the weight-changes test can hold many entries; confirm against the test.
1 | kind: ConfigMap
2 | apiVersion: v1
3 | metadata:
4 | name: nginx-config
5 | namespace: nginx-ingress
6 | data:
7 | map-hash-bucket-size: "512"
8 | map-hash-max-size: "8192"
9 | variables-hash-bucket-size: "256"
10 | variables-hash-max-size: "16384"
11 |
--------------------------------------------------------------------------------
/tests/data/virtual-server-route-weight-changes-dynamic-reload/standard/virtual-server-many.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route-many 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends2-namespace/backendsmany 10 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route-weight-changes-dynamic-reload/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - path: "/backends" 9 | route: backends-namespace/backends 10 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route/route-orphan.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend-orphan 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/alone-backend2" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route/route-single-duplicate-path.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backend2" 13 | action: 14 | pass: backend2 15 | - path: "/backend2" 16 | 
action: 17 | pass: backend2 18 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route/route-single-invalid-host.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: invalid-host.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backend2" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route/route-single-invalid-openapi.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backend2" 13 | action: 14 | pass: 22 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route/route-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backend2" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/virtual-server-route/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | routes: 8 | - 
path: "/backends" 9 | route: backends # implicit namespace 10 | - path: "/backend2" 11 | route: backend2-namespace/backend2 12 | -------------------------------------------------------------------------------- /tests/data/virtual-server-tls/invalid-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/tls-secret-invalid-cafe.example.com.yaml -------------------------------------------------------------------------------- /tests/data/virtual-server-tls/new-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/tls-secret-cafe.example.com-gb.yaml -------------------------------------------------------------------------------- /tests/data/virtual-server-tls/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/tls-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /tests/data/watch-secret-namespace/route-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServerRoute 3 | metadata: 4 | name: backend2 5 | spec: 6 | host: virtual-server-route.example.com 7 | upstreams: 8 | - name: backend2 9 | service: backend2-svc 10 | port: 80 11 | subroutes: 12 | - path: "/backend2" 13 | action: 14 | pass: backend2 15 | -------------------------------------------------------------------------------- /tests/data/watch-secret-namespace/standard/virtual-server.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8s.nginx.org/v1 2 | kind: VirtualServer 3 | metadata: 4 | name: virtual-server-route 5 | spec: 6 | host: virtual-server-route.example.com 7 | tls: 8 | secret: tls-secret 9 | routes: 10 | - path: "/backends" 11 | route: backends # implicit namespace 12 | - path: "/backend2" 13 | route: 
backend2-namespace/backend2 14 | -------------------------------------------------------------------------------- /tests/data/watch-secret-namespace/tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/tls-secret-cafe.example.com.yaml -------------------------------------------------------------------------------- /tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/wildcard-tls-secret-example.com-gb.yaml -------------------------------------------------------------------------------- /tests/data/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/wildcard-tls-secret-invalid-example.com.yaml -------------------------------------------------------------------------------- /tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml: -------------------------------------------------------------------------------- 1 | ../common-secrets/wildcard-tls-secret-example.com.yaml -------------------------------------------------------------------------------- /tests/data/zone-sync/configmap-with-zonesync-disabled-with-all-fields.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | zone-sync: "false" 8 | zone-sync-port: "34100" 9 | zone-sync-resolver-valid: "5s" 10 | zone-sync-resolver-ipv6: "true" 11 | zone-sync-resolver-addresses: "kube-dns.kube-system.svc.cluster.local" 12 | -------------------------------------------------------------------------------- /tests/data/zone-sync/configmap-with-zonesync-disabled.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | 
name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | zone-sync: "false" 8 | -------------------------------------------------------------------------------- /tests/data/zone-sync/configmap-with-zonesync-minimal-changed-port.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | zone-sync: "true" 8 | zone-sync-port: "34100" 9 | -------------------------------------------------------------------------------- /tests/data/zone-sync/configmap-with-zonesync-minimal.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | zone-sync: "true" 8 | -------------------------------------------------------------------------------- /tests/data/zone-sync/configmap-with-zonesync-port-resolver.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | zone-sync: "true" 8 | zone-sync-port: "34100" 9 | zone-sync-resolver-valid: "5s" 10 | zone-sync-resolver-ipv6: "true" 11 | -------------------------------------------------------------------------------- /tests/data/zone-sync/configmap-with-zonesync-resolver-valid.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | zone-sync: "true" 8 | zone-sync-resolver-valid: "10s" 9 | -------------------------------------------------------------------------------- /tests/data/zone-sync/default-configmap.yaml: -------------------------------------------------------------------------------- 1 | kind: ConfigMap 2 | apiVersion: v1 3 | metadata: 4 | name: 
nginx-config 5 | namespace: nginx-ingress 6 | data: 7 | -------------------------------------------------------------------------------- /tests/suite/grpc/README.md: -------------------------------------------------------------------------------- 1 | # How to generate the gRPC files 2 | 3 | The files here are generated from `helloworld.proto` in the grpc-go 4 | [repo](https://github.com/grpc/grpc-go/tree/master/examples/helloworld/helloworld). The link tracks `master`, so note which upstream revision the proto was copied from and review the diff of the regenerated files before committing them. 5 | 6 | To update the files, run the following command: 7 | 8 | ```console 9 | python3 -m grpc_tools.protoc --proto_path=. --python_out=. --grpc_python_out=. helloworld.proto 10 | ``` 11 | -------------------------------------------------------------------------------- /tools.go: -------------------------------------------------------------------------------- 1 | //go:build tools 2 | // +build tools 3 | 4 | // This file just exists to ensure we download the tools we need for building 5 | // See https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module 6 | 7 | package tools 8 | 9 | import ( 10 | _ "k8s.io/code-generator" 11 | _ "sigs.k8s.io/controller-tools/cmd/controller-gen" 12 | ) 13 | --------------------------------------------------------------------------------