Merge branch 'main' into mo/uaf

ngrok · Dec 13, 2023 · 59b4bfd · 59b4bfd
2 parents 2be01b2 + 84534fe
commit 59b4bfd
Show file tree

Hide file tree

Showing 49 changed files with 1,596 additions and 188 deletions.
diff --git a/.github/ISSUE_TEMPLATE/controller_bug_report.yaml b/.github/ISSUE_TEMPLATE/controller_bug_report.yaml
@@ -10,6 +10,40 @@ body:
 
       Note, you do not need to create an issue if you have a change ready to submit.
       You can open a [pull request](https://github.com/ngrok/kubernetes-ingress-controller/pulls) immediately instead.
+- type: input
+  attributes:
+    label: Kubernetes Version
+    description: Which Kubernetes Version do you use?
+  validations:
+    required: true
+- type: input
+  attributes:
+    label: Helm Chart Version
+    description: Which version of the Helm chart do you use?
+  validations:
+    required: true
+- type: input
+  attributes:
+    label: Ingress Controller Version
+    description: Which version of the Ingress controller do you use?
+  validations:
+    required: true
+- type: textarea
+  attributes:
+    label: System Info
+    description: We want to know your OS, architecture etc.
+    placeholder: >
+      Run `uname -a` or `systeminfo` and copy the output here.
+  validations:
+    required: true
+- type: textarea
+  attributes:
+    label: Helm Chart configuration
+    description: Additional description of your Helm Chart configuration.
+    placeholder: >
+      Enter any relevant details of your Helm Chart configuration. Maybe you can
+      paste your `values.yaml` or important parts of it here? Make sure to surround the code
+      you paste with ``` ```.
 - type: textarea
   attributes:
     label: What happened

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,14 +5,53 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.10.1
+
+### Fixed
+
+- IPPolicy controller wasn't applying the attached rules, leaving the IP policy in its current state [#315](https://github.com/ngrok/kubernetes-ingress-controller/pull/315)
+
+## 0.10.0
+
+### Added
+
+- TLSEdge CRD, see the [TCP and TLS Edges Guide](https://github.com/ngrok/kubernetes-ingress-controller/blob/main/docs/user-guide/tcp-tls-edges.md) for more details.
+
+### Fixed
+
+- Added support for TLS Renegotiation for backends that use it [#314](https://github.com/ngrok/kubernetes-ingress-controller/pull/314)
+
+## 0.9.1
+
+### Fixed
+
+- Send FQDN in SNI when using backend https [#304](https://github.com/ngrok/kubernetes-ingress-controller/pull/304)
+
+## 0.9.0
+
+### Changed
+
+- Update ngrok-go to 1.4.0 [#298](https://github.com/ngrok/kubernetes-ingress-controller/pull/298)
+- Tunnels are now unique in their respective namespace, not across the cluster [#281](https://github.com/ngrok/kubernetes-ingress-controller/pull/281)
+- The CRs that ingress controller creates are uniquely marked and managed by it. Other CRs created manually are no longer deleted when the ingress controller is not using them [#267](https://github.com/ngrok/kubernetes-ingress-controller/issues/267); fixed for tunnel in [#285](https://github.com/ngrok/kubernetes-ingress-controller/pull/285) and for https edges in [#286](https://github.com/ngrok/kubernetes-ingress-controller/pull/286)
+- Better error handling and retry, specifically for the case where we try to create an https edge for a domain which is not created yet [#283](https://github.com/ngrok/kubernetes-ingress-controller/issues/283); fixed in [#288](https://github.com/ngrok/kubernetes-ingress-controller/pull/288)
+- Watch and apply ngrok module set CR changes [#287](https://github.com/ngrok/kubernetes-ingress-controller/issues/287); fixed in [#290](https://github.com/ngrok/kubernetes-ingress-controller/pull/290)
+- Label https edges and tunnels with service UID to make them more unique within ngrok [#291](https://github.com/ngrok/kubernetes-ingress-controller/issues/291); fixed in [#293](https://github.com/ngrok/kubernetes-ingress-controller/pull/293) and [#302](https://github.com/ngrok/kubernetes-ingress-controller/pull/302)
+
+### Fixed
+
+- The controller stopping at the first resource create [#270](https://github.com/ngrok/kubernetes-ingress-controller/pull/270)
+- Using `make deploy` now requires `NGROK_AUTHTOKEN` and `NGROK_API_KEY` to be set [#292](https://github.com/ngrok/kubernetes-ingress-controller/pull/292)
+
+
 ## 0.8.1
+
 ### Fixed
 - Handle special case for changing auth types that causes an error during state transition [#259](https://github.com/ngrok/kubernetes-ingress-controller/pull/259)
 - Handle IP Policy CRD state transitions in a safer way [#260](https://github.com/ngrok/kubernetes-ingress-controller/pull/260)
 - Better handling when changing pathType between 'Exact' and 'Prefix' [#262](https://github.com/ngrok/kubernetes-ingress-controller/pull/262)
 
 ## 0.8.0
-
 ### Changed
 - tunneldriver: plumb the version through ngrok-go [#228](https://github.com/ngrok/kubernetes-ingress-controller/pull/228)
 - Support HTTPS backends via service annotation [#238](https://github.com/ngrok/kubernetes-ingress-controller/pull/238)
@@ -35,6 +74,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added e2e config init script [#234](https://github.com/ngrok/kubernetes-ingress-controller/pull/234)
 - Some updates to handle different cases for e2e run [#226](https://github.com/ngrok/kubernetes-ingress-controller/pull/226).
 
+
 ## 0.7.0
 
 ### Changed
@@ -46,6 +86,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 ## 0.6.0
+
 ### Changed
 - Added Ingress controller version to user-agent [#198](https://github.com/ngrok/kubernetes-ingress-controller/pull/198).
 - Don't default to development mode for logging [#199](https://github.com/ngrok/kubernetes-ingress-controller/pull/199).
@@ -55,6 +96,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 
 ## 0.5.0
+
 ### Changed
 - Bumped go version to 1.20 [#167](https://github.com/ngrok/kubernetes-ingress-controller/pull/167)
 - Refactored Route Module Updates to be lazy [#168](https://github.com/ngrok/kubernetes-ingress-controller/pull/168)
@@ -67,7 +109,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added support for OIDC route module [#173](https://github.com/ngrok/kubernetes-ingress-controller/pull/173)
 - Added support for SAML route module [#186](https://github.com/ngrok/kubernetes-ingress-controller/pull/186)
 - Added support for OAuth route module [#192](https://github.com/ngrok/kubernetes-ingress-controller/pull/192)
+
+
 ## 0.4.0
+
 ### Changed
 - When no region override is passed to helm, the controller now does not default to the US and instead uses the closes geographic edge servers [#160](https://github.com/ngrok/kubernetes-ingress-controller/pull/160)
 - Ingress Class has Default set to false [#109](https://github.com/ngrok/kubernetes-ingress-controller/pull/109)
@@ -89,6 +134,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Remove routes from remote API when they are removed from the ingress object [#124](https://github.com/ngrok/kubernetes-ingress-controller/pull/124)
 
 ## 0.3.0
+
 ### Changed
 - Renamed docker image from `ngrok/ngrok-ingress-controller` to `ngrok/kubernetes-ingress-controller`.
 - Added new controllers for `domains`, `tcpedges`, and `httpsedges`.
@@ -98,11 +144,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Created `serverAddr` flag and plumbed it through to `ngrok-go`
 - Read environment variable `NGROK_API_ADDR` for an override to the ngrok API address.
 
+
 ## 0.2.0
+
 ### Changed
 
 - Moved from calling ngrok-agent sidecar to using the ngrok-go library in process.
 
+
 ## 0.1.X
 
 ### Initial Alpha Releases

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.8.1
+0.10.1
diff --git a/api/v1alpha1/ngrok_common.go b/api/v1alpha1/ngrok_common.go
@@ -63,6 +63,22 @@ type EndpointHeaders struct {
 	Response *EndpointResponseHeaders `json:"response,omitempty"`
 }
 
+type EndpointMutualTLS struct {
+	// List of CA IDs that will be used to validate incoming connections to the
+	// edge.
+	CertificateAuthorities []string `json:"certificateAuthorities,omitempty"`
+}
+
+type EndpointTLSTermination struct {
+	// TerminateAt determines where the TLS connection should be terminated.
+	// "edge" if the ngrok edge should terminate TLS traffic, "upstream" if TLS
+	// traffic should be passed through to the upstream ngrok agent /
+	// application server for termination.
+	TerminateAt string `json:"terminateAt,omitempty"`
+	// MinVersion is the minimum TLS version to allow for connections to the edge
+	MinVersion *string `json:"minVersion,omitempty"`
+}
+
 type EndpointTLSTerminationAtEdge struct {
 	// MinVersion is the minimum TLS version to allow for connections to the edge
 	MinVersion string `json:"minVersion,omitempty"`
@@ -78,7 +94,7 @@ type SecretKeyRef struct {
 type EndpointWebhookVerification struct {
 	// a string indicating which webhook provider will be sending webhooks to this
 	// endpoint. Value must be one of the supported providers defined at
-	// https://ngrok.com/docs/cloud-edge#webhook-verification
+	// https://ngrok.com/docs/http/webhook-verification/#supported-providers
 	Provider string `json:"provider,omitempty"`
 	// SecretRef is a reference to a secret containing the secret used to validate
 	// requests from the given provider. All providers except AWS SNS require a secret

diff --git a/api/v1alpha1/tcpedge_types.go b/api/v1alpha1/tcpedge_types.go
@@ -31,13 +31,6 @@ import (
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
-type TunnelGroupBackend struct {
-	ngrokAPICommon `json:",inline"`
-
-	// Labels to watch for tunnels on this backend
-	Labels map[string]string `json:"labels,omitempty"`
-}
-
 // TCPEdgeSpec defines the desired state of TCPEdge
 type TCPEdgeSpec struct {
 	ngrokAPICommon `json:",inline"`
@@ -47,15 +40,10 @@ type TCPEdgeSpec struct {
 	// +kubebuilder:validation:Required
 	Backend TunnelGroupBackend `json:"backend,omitempty"`
 
-	// IPRestriction is an IPRestriction to apply to this route
+	// IPRestriction is an IPRestriction to apply to this edge
 	IPRestriction *EndpointIPPolicy `json:"ipRestriction,omitempty"`
 }
 
-type TunnelGroupBackendStatus struct {
-	// ID is the unique identifier for this backend
-	ID string `json:"id,omitempty"`
-}
-
 // TCPEdgeStatus defines the observed state of TCPEdge
 type TCPEdgeStatus struct {
 	// ID is the unique identifier for this edge

diff --git a/api/v1alpha1/tlsedge_types.go b/api/v1alpha1/tlsedge_types.go
@@ -0,0 +1,98 @@
+/*
+MIT License
+
+Copyright (c) 2022 ngrok, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// TLSEdgeSpec defines the desired state of TLSEdge
+type TLSEdgeSpec struct {
+	ngrokAPICommon `json:",inline"`
+
+	// Backend is the definition for the tunnel group backend
+	// that serves traffic for this edge
+	// +kubebuilder:validation:Required
+	Backend TunnelGroupBackend `json:"backend,omitempty"`
+
+	// Hostports is a list of hostports served by this edge
+	// +kubebuilder:validation:Required
+	Hostports []string `json:"hostports,omitempty"`
+
+	// IPRestriction is an IPRestriction to apply to this edge
+	IPRestriction *EndpointIPPolicy `json:"ipRestriction,omitempty"`
+
+	TLSTermination *EndpointTLSTermination `json:"tlsTermination,omitempty"`
+
+	MutualTLS *EndpointMutualTLS `json:"mutualTls,omitempty"`
+}
+
+// TLSEdgeStatus defines the observed state of TLSEdge
+type TLSEdgeStatus struct {
+	// ID is the unique identifier for this edge
+	ID string `json:"id,omitempty"`
+
+	// URI is the URI of the edge
+	URI string `json:"uri,omitempty"`
+
+	// Hostports served by this edge
+	Hostports []string `json:"hostports,omitempty"`
+
+	// Backend stores the status of the tunnel group backend,
+	// mainly the ID of the backend
+	Backend TunnelGroupBackendStatus `json:"backend,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+//+kubebuilder:printcolumn:name="ID",type=string,JSONPath=`.status.id`,description="Domain ID"
+//+kubebuilder:printcolumn:name="Hostports",type=string,JSONPath=`.status.hostports`,description="Hostports"
+//+kubebuilder:printcolumn:name="Backend ID",type=string,JSONPath=`.status.backend.id`,description="Tunnel Group Backend ID"
+//+kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`,description="Age"
+
+// TLSEdge is the Schema for the tlsedges API
+type TLSEdge struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   TLSEdgeSpec   `json:"spec,omitempty"`
+	Status TLSEdgeStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// TLSEdgeList contains a list of TLSEdge
+type TLSEdgeList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []TLSEdge `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&TLSEdge{}, &TLSEdgeList{})
+}
diff --git a/api/v1alpha1/tunnel_types.go b/api/v1alpha1/tunnel_types.go
@@ -45,6 +45,9 @@ type TunnelSpec struct {
 
 	// The configuration for backend connections to services
 	BackendConfig *BackendConfig `json:"backend,omitempty"`
+
+	// The appProtocol for the backend. Currently only supports `http2`
+	AppProtocol string `json:"appProtocol,omitempty"`
 }
 
 // BackendConfig defines the configuration for backend connections to services.
@@ -82,6 +85,18 @@ type TunnelList struct {
 	Items           []Tunnel `json:"items"`
 }
 
+type TunnelGroupBackend struct {
+	ngrokAPICommon `json:",inline"`
+
+	// Labels to watch for tunnels on this backend
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
+type TunnelGroupBackendStatus struct {
+	// ID is the unique identifier for this backend
+	ID string `json:"id,omitempty"`
+}
+
 func init() {
 	SchemeBuilder.Register(&Tunnel{}, &TunnelList{})
 }