From cdd28169d3794749e7975b6e89238ef1d8008cae Mon Sep 17 00:00:00 2001
From: blasko03 <60181060+blasko03@users.noreply.github.com>
Date: Tue, 17 Feb 2026 12:30:07 +0100
Subject: [PATCH] Support NGINX buffering annotations
---
.golangci.yml | 1 +
.../configuration-options.md | 6 +
.../kubernetes/kubernetes-ingress-nginx.md | 67 +-
.../kubernetes/ingress-nginx.md | 37 +-
go.mod | 6 +-
go.sum | 16 +-
pkg/config/dynamic/middlewares.go | 4 +
pkg/middlewares/buffering/buffering.go | 16 +-
.../traefikio/v1alpha1/buffering.go | 83 +++
.../traefikio/v1alpha1/middlewarespec.go | 6 +-
.../crd/generated/applyconfiguration/utils.go | 2 +
pkg/provider/kubernetes/crd/kubernetes.go | 16 +-
.../crd/traefikio/v1alpha1/middleware.go | 28 +-
.../v1alpha1/zz_generated.deepcopy.go | 18 +-
.../kubernetes/ingress-nginx/annotations.go | 31 +-
.../ingress-nginx/annotations_test.go | 50 +-
.../ingress-with-client-body-buffer-size.yml | 23 +
...-body-size-and-client-body-buffer-size.yml | 24 +
.../ingress-with-proxy-body-size.yml | 23 +
...ress-with-proxy-buffer-size-and-number.yml | 24 +
.../ingress-with-proxy-buffer-size.yml | 23 +
.../ingress-with-proxy-buffers-number.yml | 23 +
.../ingress-with-proxy-max-temp-file-size.yml | 23 +
.../kubernetes/ingress-nginx/kubernetes.go | 140 +++-
.../ingress-nginx/kubernetes_test.go | 659 +++++++++++++++---
25 files changed, 1160 insertions(+), 189 deletions(-)
create mode 100644 pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/buffering.go
create mode 100644 pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-client-body-buffer-size.yml
create mode 100644 pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-body-size-and-client-body-buffer-size.yml
create mode 100644 pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-body-size.yml
create mode 100644 pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffer-size-and-number.yml
create mode 100644 pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffer-size.yml
create mode 100644 pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffers-number.yml
create mode 100644 pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-max-temp-file-size.yml
diff --git a/.golangci.yml b/.golangci.yml
index fa489d956a..46ff9f60d5 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -90,6 +90,7 @@ linters:
- github.com/mailgun/multibuf
- github.com/jaguilar/vt100
- github.com/cucumber/godog
+ - github.com/vulcand/oxy/v2
govet:
enable-all: true
disable:
diff --git a/docs/content/reference/install-configuration/configuration-options.md b/docs/content/reference/install-configuration/configuration-options.md
index f799629382..4f3db1473d 100644
--- a/docs/content/reference/install-configuration/configuration-options.md
+++ b/docs/content/reference/install-configuration/configuration-options.md
@@ -393,13 +393,19 @@ THIS FILE MUST NOT BE EDITED BY HAND
| providers.kubernetesingress.token | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
| providers.kubernetesingressnginx | Enables Kubernetes Ingress NGINX provider. | false |
| providers.kubernetesingressnginx.certauthfilepath | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| providers.kubernetesingressnginx.clientbodybuffersize | Default buffer size for reading client request body. | 16384 |
| providers.kubernetesingressnginx.controllerclass | Ingress Class Controller value this controller satisfies. | k8s.io/ingress-nginx |
| providers.kubernetesingressnginx.defaultbackendservice | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | |
| providers.kubernetesingressnginx.disablesvcexternalname | Disable support for Services of type ExternalName. | false |
| providers.kubernetesingressnginx.endpoint | Kubernetes server endpoint (required for external cluster client). | |
| providers.kubernetesingressnginx.ingressclass | Name of the ingress class this controller satisfies. | nginx |
| providers.kubernetesingressnginx.ingressclassbyname | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false |
+| providers.kubernetesingressnginx.proxybodysize | Default maximum size of a client request body in bytes. | 1048576 |
+| providers.kubernetesingressnginx.proxybuffering | Defines whether to enable response buffering. | false |
+| providers.kubernetesingressnginx.proxybuffersize | Default buffer size for reading the response body. | 8192 |
+| providers.kubernetesingressnginx.proxybuffersnumber | Default number of buffers for reading a response. | 4 |
| providers.kubernetesingressnginx.proxyconnecttimeout | Amount of time to wait until a connection to a server can be established. Timeout value is unitless and in seconds. | 60 |
+| providers.kubernetesingressnginx.proxyrequestbuffering | Defines whether to enable request buffering. | false |
| providers.kubernetesingressnginx.publishservice | Service fronting the Ingress controller. Takes the form 'namespace/name'. | |
| providers.kubernetesingressnginx.publishstatusaddress | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | |
| providers.kubernetesingressnginx.throttleduration | Ingress refresh throttle duration. | 0 |
diff --git a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
index 0524f4d2bc..902bdd5612 100644
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md
@@ -19,8 +19,8 @@ It also supports many of the [ingress-nginx](https://kubernetes.github.io/ingres
## Requirements
-When you install Traefik without using the Helm Chart,
-ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik Kubernetes Ingress NGINX provider.
+When you install Traefik without using the Helm Chart,
+ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik Kubernetes Ingress NGINX provider.
!!! note "Additional RBAC for Namespace Selector"
@@ -59,6 +59,13 @@ providers:
controllerClass: "k8s.io/ingress-nginx"
watchIngressWithoutClass: false
ingressClassByName: false
+ proxyConnectTimeout: 60
+ proxyRequestBuffering: false
+ clientBodyBufferSize: "16384" # 16k
+ proxyBuffering: false
+ proxyBodySize: "1048576" # 1m
+ proxyBufferSize: "8192" # 8k
+ proxyBuffersNumber: 8
```
```toml tab="File (TOML)"
@@ -73,6 +80,13 @@ providers:
controllerClass = "k8s.io/ingress-nginx"
watchIngressWithoutClass = false
ingressClassByName = false
+ proxyConnectTimeout = 60
+ proxyRequestBuffering = false
+ clientBodyBufferSize = "16384" # 16k
+ proxyBuffering = false
+ proxyBodySize = "1048576" # 1m
+ proxyBufferSize = "8192" # 8k
+ proxyBuffersNumber = 8
```
```bash tab="CLI"
@@ -82,6 +96,13 @@ providers:
--providers.kubernetesingressnginx.controllerclass=k8s.io/ingress-nginx
--providers.kubernetesingressnginx.watchingresswithoutclass=false
--providers.kubernetesingressnginx.ingressclassbyname=false
+--providers.kubernetesingressnginx.proxyconnecttimeout=60
+--providers.kubernetesingressnginx.proxyrequestbuffering=false
+--providers.kubernetesingressnginx.clientbodybuffersize=16384 # 16k
+--providers.kubernetesingressnginx.proxybuffering=false
+--providers.kubernetesingressnginx.proxybodysize=1048576 # 1m
+--providers.kubernetesingressnginx.proxybuffersize=8192 # 8k
+--providers.kubernetesingressnginx.proxybuffersnumber=8
```
```yaml tab="Helm Chart Values"
@@ -114,24 +135,30 @@ This provider watches for incoming Ingress events and automatically translates N
## Configuration Options
-| Field | Description | Default | Required |
-|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| `providers.providers`
`ThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.
If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.
**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
-| `providers.`
`kubernetesIngressNGINX.`
`endpoint` | Server endpoint URL.
More information [here](#endpoint). | "" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`token` | Bearer token used for the Kubernetes client configuration. | "" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`certAuthFilePath` | Path to the certificate authority file.
Used for the Kubernetes client configuration. | "" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.
This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
If empty, every event is caught. | 0s | No |
-| `providers.`
`kubernetesIngressNGINX.`
`watchNamespace` | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | "" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`watchNamespaceSelector` | Selector selects namespaces the controller watches for updates to Kubernetes objects. | "" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`ingressClass` | Name of the ingress class this controller satisfies. | "nginx" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`controllerClass` | Ingress Class Controller value this controller satisfies. | "" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`watchIngressWithoutClass` | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false | No |
-| `providers.`
`kubernetesIngressNGINX.`
`ingressClassByName` | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false | No |
-| `providers.`
`kubernetesIngressNGINX.`
`publishService` | Service fronting the Ingress controller. Takes the form `namespace/name`. | "" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`publishStatusAddress` | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | "" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`defaultBackendService` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | "" | No |
-| `providers.`
`kubernetesIngressNGINX.`
`disableSvcExternalName` | Disable support for Services of type ExternalName. | false | No |
-| `providers.`
`kubernetesIngressNGINX.`
`proxyConnectTimeout` | Amount of time to wait until a connection to a server can be established. The value is unitless and in seconds. This is used as the global connection timeout when no ingress-specific timeout is configured. An ingress-specific timeout can be configured using [`nginx.ingress.kubernetes.io/proxy-connect-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout) annotation. | 60 | No |
+| Field | Description | Default | Required |
+|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| `providers.providers`
`ThrottleDuration` | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.
If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.
**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s | No |
+| `providers.`
`kubernetesIngressNGINX.`
`endpoint` | Server endpoint URL.
More information [here](#endpoint). | "" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`token` | Bearer token used for the Kubernetes client configuration. | "" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`certAuthFilePath` | Path to the certificate authority file.
Used for the Kubernetes client configuration. | "" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.
This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
If empty, every event is caught. | 0s | No |
+| `providers.`
`kubernetesIngressNGINX.`
`watchNamespace` | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | "" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`watchNamespaceSelector` | Selector selects namespaces the controller watches for updates to Kubernetes objects. | "" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`ingressClass` | Name of the ingress class this controller satisfies. | "nginx" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`controllerClass` | Ingress Class Controller value this controller satisfies. | "" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`watchIngressWithoutClass` | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false | No |
+| `providers.`
`kubernetesIngressNGINX.`
`ingressClassByName` | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false | No |
+| `providers.`
`kubernetesIngressNGINX.`
`publishService` | Service fronting the Ingress controller. Takes the form `namespace/name`. | "" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`publishStatusAddress` | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | "" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`defaultBackendService` | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | "" | No |
+| `providers.`
`kubernetesIngressNGINX.`
`disableSvcExternalName` | Disable support for Services of type ExternalName. | false | No |
+| `providers.`
`kubernetesIngressNGINX.`
`proxyConnectTimeout` | Amount of time to wait until a connection to a server can be established. The value is unitless and in seconds. This is used as the global connection timeout when no ingress-specific timeout is configured. An ingress-specific timeout can be configured using [`nginx.ingress.kubernetes.io/proxy-connect-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout) annotation. | 60 | No |
+| `providers.`
`kubernetesIngressNGINX.`
`proxyrequestbuffering` | Defines whether request buffering is enabled by default for all ingresses. | false | No |
+| `providers.`
`kubernetesIngressNGINX.`
`clientBodyBufferSize` | Default buffer size for reading client request body in bytes. | 16384 | No |
+| `providers.`
`kubernetesIngressNGINX.`
`proxybuffering` | Defines whether response buffering is enabled by default for all ingresses. | false | No |
+| `providers.`
`kubernetesIngressNGINX.`
`proxyBodySize` | Default maximum size of a client request body in bytes. | 1048576 | No |
+| `providers.`
`kubernetesIngressNGINX.`
`proxyBufferSize` | Default buffer size for reading the response body in bytes. | 8192 | No |
+| `providers.`
`kubernetesIngressNGINX.`
`proxyBuffersNumber` | Default number of buffers for reading a response. | 8 | No |
diff --git a/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md b/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
index b53d6d7dd2..fc69d61213 100644
--- a/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
+++ b/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
@@ -19,7 +19,8 @@ Enable seamless migration from NGINX Ingress Controller to Traefik with NGINX an
## Ingress Discovery
-This provider discovers all Ingresses in the cluster by default, which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.
+This provider discovers all Ingresses in the cluster by default,
+which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.
**Best Practices:**
@@ -29,7 +30,21 @@ This provider discovers all Ingresses in the cluster by default, which may lead
## Routing Configuration
-This provider watches for incoming Ingress events and automatically translates NGINX annotations into Traefik's dynamic configuration, creating the corresponding routers, services, middlewares, and other components needed to handle your traffic.
+This provider watches for incoming Ingress events and automatically translates NGINX annotations into Traefik's dynamic configuration,
+creating the corresponding routers, services, middlewares, and other components needed to handle your traffic.
+
+!!! warning "ConfigMap Configuration and Default Behaviors"
+
+ Routing annotations take precedence over provider-level defaults,
+ but they don't control all behaviors that NGINX Ingress Controller's ConfigMap configuration would handle globally.
+
+ Important differences in default behaviors:
+
+ - **Request buffering**: NGINX enables `proxy-request-buffering` by default, while Traefik requires explicit opt-in via the provider's `proxyRequestBuffering` option.
+
+ To ensure consistent behavior during migration,
+ review and configure Traefik's provider-level options to match your current NGINX ConfigMap settings.
+ See the [provider configuration options](../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md) for available settings.
## Configuration Example
@@ -335,6 +350,18 @@ The following annotations are organized by category for easier navigation.
| `nginx.ingress.kubernetes.io/whitelist-source-range` | |
| `nginx.ingress.kubernetes.io/allowlist-source-range` | |
+### Buffering
+
+| Annotation | Limitations / Notes |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|
+| `nginx.ingress.kubernetes.io/proxy-request-buffering` | |
+| `nginx.ingress.kubernetes.io/proxy-body-size` | |
+| `nginx.ingress.kubernetes.io/client-body-buffer-size` | |
+| `nginx.ingress.kubernetes.io/proxy-buffering` | |
+| `nginx.ingress.kubernetes.io/proxy-buffer-size` | |
+| `nginx.ingress.kubernetes.io/proxy-buffers-number` | With Traefik, `proxy-buffer-numbers` is actually used to compute the size of a single buffer (size * number). |
+| `nginx.ingress.kubernetes.io/proxy-max-temp-file-size` | |
+
### Timeout
| Annotation | Limitations / Notes |
@@ -388,7 +415,6 @@ The following annotations are organized by category for easier navigation.
| `nginx.ingress.kubernetes.io/canary-by-cookie` | |
| `nginx.ingress.kubernetes.io/canary-weight` | |
| `nginx.ingress.kubernetes.io/canary-weight-total` | |
-| `nginx.ingress.kubernetes.io/client-body-buffer-size` | |
| `nginx.ingress.kubernetes.io/configuration-snippet` | |
| `nginx.ingress.kubernetes.io/custom-http-errors` | |
| `nginx.ingress.kubernetes.io/disable-proxy-intercept-errors` | |
@@ -412,7 +438,6 @@ The following annotations are organized by category for easier navigation.
| `nginx.ingress.kubernetes.io/proxy-next-upstream` | |
| `nginx.ingress.kubernetes.io/proxy-next-upstream-timeout` | |
| `nginx.ingress.kubernetes.io/proxy-next-upstream-tries` | |
-| `nginx.ingress.kubernetes.io/proxy-request-buffering` | |
| `nginx.ingress.kubernetes.io/proxy-redirect-from` | |
| `nginx.ingress.kubernetes.io/proxy-redirect-to` | |
| `nginx.ingress.kubernetes.io/proxy-http-version` | |
@@ -443,10 +468,6 @@ The following annotations are organized by category for easier navigation.
| `nginx.ingress.kubernetes.io/x-forwarded-prefix` | |
| `nginx.ingress.kubernetes.io/upstream-hash-by` | |
| `nginx.ingress.kubernetes.io/denylist-source-range` | |
-| `nginx.ingress.kubernetes.io/proxy-buffering` | |
-| `nginx.ingress.kubernetes.io/proxy-buffers-number` | |
-| `nginx.ingress.kubernetes.io/proxy-buffer-size` | |
-| `nginx.ingress.kubernetes.io/proxy-max-temp-file-size` | |
| `nginx.ingress.kubernetes.io/stream-snippet` | |
### Global Configuration
diff --git a/go.mod b/go.mod
index b017d66db2..0e1daea86d 100644
--- a/go.mod
+++ b/go.mod
@@ -78,7 +78,7 @@ require (
github.com/unrolled/secure v1.0.9
github.com/valyala/fasthttp v1.58.0
github.com/vulcand/oxy/v2 v2.0.3
- github.com/vulcand/predicate v1.2.0
+ github.com/vulcand/predicate v1.3.0
github.com/yuin/gopher-lua v1.1.1
go.opentelemetry.io/collector/pdata v1.41.0
go.opentelemetry.io/contrib/bridges/otellogrus v0.13.0
@@ -244,7 +244,7 @@ require (
github.com/googleapis/gax-go/v2 v2.16.0 // indirect
github.com/gophercloud/gophercloud v1.14.1 // indirect
github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
- github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf // indirect
+ github.com/gravitational/trace v1.5.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
github.com/hashicorp/cronexpr v1.1.2 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -260,7 +260,6 @@ require (
github.com/imdario/mergo v0.3.16 // indirect
github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 // indirect
github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
- github.com/jonboulle/clockwork v0.5.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
@@ -420,6 +419,7 @@ replace (
github.com/abbot/go-http-auth => github.com/containous/go-http-auth v0.4.1-0.20200324110947-a37a7636d23e
github.com/gorilla/mux => github.com/containous/mux v0.0.0-20250523120546-41b6ec3aed59
github.com/mailgun/minheap => github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595
+ github.com/vulcand/oxy/v2 => github.com/traefik/oxy/v2 v2.0.0-20260126093803-fb11d60e0fdf
)
// ambiguous import: found package github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/http in multiple modules
diff --git a/go.sum b/go.sum
index 57d3e30a68..f3687035f4 100644
--- a/go.sum
+++ b/go.sum
@@ -645,8 +645,8 @@ github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
-github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf h1:C1GPyPJrOlJlIrcaBBiBpDsqZena2Ks8spa5xZqr1XQ=
-github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf/go.mod h1:zXqxTI6jXDdKnlf8s+nT+3c8LrwUEy3yNpO4XJL90lA=
+github.com/gravitational/trace v1.5.0 h1:JbeL2HDGyzgy7G72Z2hP2gExEyA6Y2p7fCiSjyZwCJw=
+github.com/gravitational/trace v1.5.0/go.mod h1:dxezSkKm880IIDx+czWG8fq+pLnXjETBewMgN3jOBlg=
github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
@@ -763,9 +763,6 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfC
github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
-github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
-github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
-github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
@@ -1287,6 +1284,8 @@ github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XV
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/traefik/grpc-web v0.16.0 h1:eeUWZaFg6ZU0I9dWOYE2D5qkNzRBmXzzuRlxdltascY=
github.com/traefik/grpc-web v0.16.0/go.mod h1:2ttniSv7pTgBWIU2HZLokxRfFX3SA60c/DTmQQgVml4=
+github.com/traefik/oxy/v2 v2.0.0-20260126093803-fb11d60e0fdf h1:qOjmGqgXvycy0+tda6rWhTPulgQxnImwRrM1AROIvJ4=
+github.com/traefik/oxy/v2 v2.0.0-20260126093803-fb11d60e0fdf/go.mod h1:as06A23Znc9S/ilJpKqJ/UhO3Zu5JztlxVwQuKl+iZs=
github.com/traefik/paerser v0.2.2 h1:cpzW/ZrQrBh3mdwD/jnp6aXASiUFKOVr6ldP+keJTcQ=
github.com/traefik/paerser v0.2.2/go.mod h1:7BBDd4FANoVgaTZG+yh26jI6CA2nds7D/4VTEdIsh24=
github.com/traefik/yaegi v0.16.1 h1:f1De3DVJqIDKmnasUF6MwmWv1dSEEat0wcpXhD2On3E=
@@ -1322,10 +1321,8 @@ github.com/vinyldns/go-vinyldns v0.9.17 h1:hfPZfCaxcRBX6Gsgl42rLCeoal58/BH8kkvJS
github.com/vinyldns/go-vinyldns v0.9.17/go.mod h1:pwWhE9K/leGDOIduVhRGvQ3ecVMHWRfEnKYUTEU3gB4=
github.com/volcengine/volc-sdk-golang v1.0.233 h1:Hh2pzwu/Wq19rsZgNo3HdpjQB28D/F0+m6EjLVggmhM=
github.com/volcengine/volc-sdk-golang v1.0.233/go.mod h1:zHJlaqiMbIB+0mcrsZPTwOb3FB7S/0MCfqlnO8R7hlM=
-github.com/vulcand/oxy/v2 v2.0.3 h1:CPWVPfW4hVZXzwwiQzpFidbnJKpahjPHezM+7TkZRNw=
-github.com/vulcand/oxy/v2 v2.0.3/go.mod h1:k3t+xjyqmXVh88FdFDbYmUKMEvNpaejvBW14es6H70A=
-github.com/vulcand/predicate v1.2.0 h1:uFsW1gcnnR7R+QTID+FVcs0sSYlIGntoGOTb3rQJt50=
-github.com/vulcand/predicate v1.2.0/go.mod h1:VipoNYXny6c8N381zGUWkjuuNHiRbeAZhE7Qm9c+2GA=
+github.com/vulcand/predicate v1.3.0 h1:jtNe4PHbLJ649dR7Gl+MSAzUhLGtLspAkWlSjoOiXg8=
+github.com/vulcand/predicate v1.3.0/go.mod h1:opzv9MetRuMNnuoPeTSWtwzjcXsxQC00/fuWzkPTn4s=
github.com/vultr/govultr/v3 v3.26.1 h1:G/M0rMQKwVSmL+gb0UgETbW5mcQi0Vf/o/ZSGdBCxJw=
github.com/vultr/govultr/v3 v3.26.1/go.mod h1:9WwnWGCKnwDlNjHjtt+j+nP+0QWq6hQXzaHgddqrLWY=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -1594,7 +1591,6 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R
golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
diff --git a/pkg/config/dynamic/middlewares.go b/pkg/config/dynamic/middlewares.go
index 198fad628b..66da932991 100644
--- a/pkg/config/dynamic/middlewares.go
+++ b/pkg/config/dynamic/middlewares.go
@@ -134,6 +134,10 @@ type Buffering struct {
// It is a logical combination of functions with operators AND (&&) and OR (||).
// More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#retryexpression
RetryExpression string `json:"retryExpression,omitempty" toml:"retryExpression,omitempty" yaml:"retryExpression,omitempty" export:"true"`
+
+ // Only configurable via code, not via configuration files.
+ DisableRequestBuffer bool `json:"disableRequestBuffer,omitempty" toml:"-" yaml:"-" label:"-" file:"-" kv:"-" export:"true"`
+ DisableResponseBuffer bool `json:"disableResponseBuffer,omitempty" toml:"-" yaml:"-" label:"-" file:"-" kv:"-" export:"true"`
}
// +k8s:deepcopy-gen=true
diff --git a/pkg/middlewares/buffering/buffering.go b/pkg/middlewares/buffering/buffering.go
index 753436add4..fd503086ca 100644
--- a/pkg/middlewares/buffering/buffering.go
+++ b/pkg/middlewares/buffering/buffering.go
@@ -27,8 +27,7 @@ func New(ctx context.Context, next http.Handler, config dynamic.Buffering, name
logger.Debug().Msgf("Setting up buffering: request limits: %d (mem), %d (max), response limits: %d (mem), %d (max) with retry: '%s'",
config.MemRequestBodyBytes, config.MaxRequestBodyBytes, config.MemResponseBodyBytes, config.MaxResponseBodyBytes, config.RetryExpression)
- oxyBuffer, err := oxybuffer.New(
- next,
+ options := []oxybuffer.Option{
oxybuffer.MemRequestBodyBytes(config.MemRequestBodyBytes),
oxybuffer.MaxRequestBodyBytes(config.MaxRequestBodyBytes),
oxybuffer.MemResponseBodyBytes(config.MemResponseBodyBytes),
@@ -36,6 +35,19 @@ func New(ctx context.Context, next http.Handler, config dynamic.Buffering, name
oxybuffer.Logger(logs.NewOxyWrapper(*logger)),
oxybuffer.Verbose(logger.GetLevel() == zerolog.TraceLevel),
oxybuffer.Cond(len(config.RetryExpression) > 0, oxybuffer.Retry(config.RetryExpression)),
+ }
+
+ if config.DisableRequestBuffer {
+ options = append(options, oxybuffer.DisableRequestBuffer())
+ }
+
+ if config.DisableResponseBuffer {
+ options = append(options, oxybuffer.DisableResponseBuffer())
+ }
+
+ oxyBuffer, err := oxybuffer.New(
+ next,
+ options...,
)
if err != nil {
return nil, err
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/buffering.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/buffering.go
new file mode 100644
index 0000000000..47ed405d8a
--- /dev/null
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/buffering.go
@@ -0,0 +1,83 @@
+/*
+The MIT License (MIT)
+
+Copyright (c) 2016-2020 Containous SAS; 2020-2026 Traefik Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// BufferingApplyConfiguration represents a declarative configuration of the Buffering type for use
+// with apply.
+type BufferingApplyConfiguration struct {
+ MaxRequestBodyBytes *int64 `json:"maxRequestBodyBytes,omitempty"`
+ MemRequestBodyBytes *int64 `json:"memRequestBodyBytes,omitempty"`
+ MaxResponseBodyBytes *int64 `json:"maxResponseBodyBytes,omitempty"`
+ MemResponseBodyBytes *int64 `json:"memResponseBodyBytes,omitempty"`
+ RetryExpression *string `json:"retryExpression,omitempty"`
+}
+
+// BufferingApplyConfiguration constructs a declarative configuration of the Buffering type for use with
+// apply.
+func Buffering() *BufferingApplyConfiguration {
+ return &BufferingApplyConfiguration{}
+}
+
+// WithMaxRequestBodyBytes sets the MaxRequestBodyBytes field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MaxRequestBodyBytes field is set to the value of the last call.
+func (b *BufferingApplyConfiguration) WithMaxRequestBodyBytes(value int64) *BufferingApplyConfiguration {
+ b.MaxRequestBodyBytes = &value
+ return b
+}
+
+// WithMemRequestBodyBytes sets the MemRequestBodyBytes field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MemRequestBodyBytes field is set to the value of the last call.
+func (b *BufferingApplyConfiguration) WithMemRequestBodyBytes(value int64) *BufferingApplyConfiguration {
+ b.MemRequestBodyBytes = &value
+ return b
+}
+
+// WithMaxResponseBodyBytes sets the MaxResponseBodyBytes field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MaxResponseBodyBytes field is set to the value of the last call.
+func (b *BufferingApplyConfiguration) WithMaxResponseBodyBytes(value int64) *BufferingApplyConfiguration {
+ b.MaxResponseBodyBytes = &value
+ return b
+}
+
+// WithMemResponseBodyBytes sets the MemResponseBodyBytes field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the MemResponseBodyBytes field is set to the value of the last call.
+func (b *BufferingApplyConfiguration) WithMemResponseBodyBytes(value int64) *BufferingApplyConfiguration {
+ b.MemResponseBodyBytes = &value
+ return b
+}
+
+// WithRetryExpression sets the RetryExpression field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the RetryExpression field is set to the value of the last call.
+func (b *BufferingApplyConfiguration) WithRetryExpression(value string) *BufferingApplyConfiguration {
+ b.RetryExpression = &value
+ return b
+}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewarespec.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewarespec.go
index 48ace65fb0..138aecb490 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewarespec.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/traefikio/v1alpha1/middlewarespec.go
@@ -52,7 +52,7 @@ type MiddlewareSpecApplyConfiguration struct {
DigestAuth *DigestAuthApplyConfiguration `json:"digestAuth,omitempty"`
ForwardAuth *ForwardAuthApplyConfiguration `json:"forwardAuth,omitempty"`
InFlightReq *dynamic.InFlightReq `json:"inFlightReq,omitempty"`
- Buffering *dynamic.Buffering `json:"buffering,omitempty"`
+ Buffering *BufferingApplyConfiguration `json:"buffering,omitempty"`
CircuitBreaker *CircuitBreakerApplyConfiguration `json:"circuitBreaker,omitempty"`
Compress *CompressApplyConfiguration `json:"compress,omitempty"`
PassTLSClientCert *dynamic.PassTLSClientCert `json:"passTLSClientCert,omitempty"`
@@ -215,8 +215,8 @@ func (b *MiddlewareSpecApplyConfiguration) WithInFlightReq(value dynamic.InFligh
// WithBuffering sets the Buffering field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the Buffering field is set to the value of the last call.
-func (b *MiddlewareSpecApplyConfiguration) WithBuffering(value dynamic.Buffering) *MiddlewareSpecApplyConfiguration {
- b.Buffering = &value
+func (b *MiddlewareSpecApplyConfiguration) WithBuffering(value *BufferingApplyConfiguration) *MiddlewareSpecApplyConfiguration {
+ b.Buffering = value
return b
}
diff --git a/pkg/provider/kubernetes/crd/generated/applyconfiguration/utils.go b/pkg/provider/kubernetes/crd/generated/applyconfiguration/utils.go
index aa7141accd..62333ea430 100644
--- a/pkg/provider/kubernetes/crd/generated/applyconfiguration/utils.go
+++ b/pkg/provider/kubernetes/crd/generated/applyconfiguration/utils.go
@@ -42,6 +42,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
// Group=traefik.io, Version=v1alpha1
case v1alpha1.SchemeGroupVersion.WithKind("BasicAuth"):
return &traefikiov1alpha1.BasicAuthApplyConfiguration{}
+ case v1alpha1.SchemeGroupVersion.WithKind("Buffering"):
+ return &traefikiov1alpha1.BufferingApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("Certificate"):
return &traefikiov1alpha1.CertificateApplyConfiguration{}
case v1alpha1.SchemeGroupVersion.WithKind("Chain"):
diff --git a/pkg/provider/kubernetes/crd/kubernetes.go b/pkg/provider/kubernetes/crd/kubernetes.go
index b26d9925cd..74a7024c7a 100644
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@@ -321,7 +321,7 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
DigestAuth: digestAuth,
ForwardAuth: forwardAuth,
InFlightReq: middleware.Spec.InFlightReq,
- Buffering: middleware.Spec.Buffering,
+ Buffering: createBufferingMiddleware(middleware.Spec.Buffering),
CircuitBreaker: circuitBreaker,
Compress: createCompressMiddleware(middleware.Spec.Compress),
PassTLSClientCert: middleware.Spec.PassTLSClientCert,
@@ -1196,6 +1196,20 @@ func createDigestAuthMiddleware(client Client, namespace string, digestAuth *tra
}, nil
}
+func createBufferingMiddleware(buffering *traefikv1alpha1.Buffering) *dynamic.Buffering {
+ if buffering == nil {
+ return nil
+ }
+
+ return &dynamic.Buffering{
+ MemRequestBodyBytes: buffering.MemRequestBodyBytes,
+ MaxRequestBodyBytes: buffering.MaxRequestBodyBytes,
+ MemResponseBodyBytes: buffering.MemResponseBodyBytes,
+ MaxResponseBodyBytes: buffering.MaxResponseBodyBytes,
+ RetryExpression: buffering.RetryExpression,
+ }
+}
+
func loadBasicAuthCredentials(secret *corev1.Secret) ([]string, error) {
username, usernameExists := secret.Data["username"]
password, passwordExists := secret.Data["password"]
diff --git a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go
index 4f30d35fe6..adde0b5192 100644
--- a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go
+++ b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go
@@ -45,7 +45,7 @@ type MiddlewareSpec struct {
DigestAuth *DigestAuth `json:"digestAuth,omitempty"`
ForwardAuth *ForwardAuth `json:"forwardAuth,omitempty"`
InFlightReq *dynamic.InFlightReq `json:"inFlightReq,omitempty"`
- Buffering *dynamic.Buffering `json:"buffering,omitempty"`
+ Buffering *Buffering `json:"buffering,omitempty"`
CircuitBreaker *CircuitBreaker `json:"circuitBreaker,omitempty"`
Compress *Compress `json:"compress,omitempty"`
PassTLSClientCert *dynamic.PassTLSClientCert `json:"passTLSClientCert,omitempty"`
@@ -59,6 +59,32 @@ type MiddlewareSpec struct {
// +k8s:deepcopy-gen=true
+// Buffering holds the buffering middleware configuration.
+// This middleware retries or limits the size of requests that can be forwarded to backends.
+// More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#maxrequestbodybytes
+type Buffering struct {
+ // MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).
+ // If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.
+ // Default: 0 (no maximum).
+ MaxRequestBodyBytes int64 `json:"maxRequestBodyBytes,omitempty" toml:"maxRequestBodyBytes,omitempty" yaml:"maxRequestBodyBytes,omitempty" export:"true"`
+ // MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory.
+ // Default: 1048576 (1Mi).
+ MemRequestBodyBytes int64 `json:"memRequestBodyBytes,omitempty" toml:"memRequestBodyBytes,omitempty" yaml:"memRequestBodyBytes,omitempty" export:"true"`
+ // MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes).
+ // If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead.
+ // Default: 0 (no maximum).
+ MaxResponseBodyBytes int64 `json:"maxResponseBodyBytes,omitempty" toml:"maxResponseBodyBytes,omitempty" yaml:"maxResponseBodyBytes,omitempty" export:"true"`
+ // MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory.
+ // Default: 1048576 (1Mi).
+ MemResponseBodyBytes int64 `json:"memResponseBodyBytes,omitempty" toml:"memResponseBodyBytes,omitempty" yaml:"memResponseBodyBytes,omitempty" export:"true"`
+ // RetryExpression defines the retry conditions.
+ // It is a logical combination of functions with operators AND (&&) and OR (||).
+ // More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#retryexpression
+ RetryExpression string `json:"retryExpression,omitempty" toml:"retryExpression,omitempty" yaml:"retryExpression,omitempty" export:"true"`
+}
+
+// +k8s:deepcopy-gen=true
+
// ErrorPage holds the custom error middleware configuration.
// This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
// More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/errorpages/
diff --git a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/zz_generated.deepcopy.go b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/zz_generated.deepcopy.go
index c50c122302..6ee9c972da 100644
--- a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/zz_generated.deepcopy.go
@@ -54,6 +54,22 @@ func (in *BasicAuth) DeepCopy() *BasicAuth {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Buffering) DeepCopyInto(out *Buffering) {
+ *out = *in
+ return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Buffering.
+func (in *Buffering) DeepCopy() *Buffering {
+ if in == nil {
+ return nil
+ }
+ out := new(Buffering)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Certificate) DeepCopyInto(out *Certificate) {
*out = *in
@@ -910,7 +926,7 @@ func (in *MiddlewareSpec) DeepCopyInto(out *MiddlewareSpec) {
}
if in.Buffering != nil {
in, out := &in.Buffering, &out.Buffering
- *out = new(dynamic.Buffering)
+ *out = new(Buffering)
**out = **in
}
if in.CircuitBreaker != nil {
diff --git a/pkg/provider/kubernetes/ingress-nginx/annotations.go b/pkg/provider/kubernetes/ingress-nginx/annotations.go
index f1677ea562..70467c87a4 100644
--- a/pkg/provider/kubernetes/ingress-nginx/annotations.go
+++ b/pkg/provider/kubernetes/ingress-nginx/annotations.go
@@ -1,7 +1,6 @@
package ingressnginx
import (
- "errors"
"reflect"
"strconv"
"strings"
@@ -70,10 +69,26 @@ type ingressConfig struct {
CustomHeaders *string `annotation:"nginx.ingress.kubernetes.io/custom-headers"`
UpstreamVhost *string `annotation:"nginx.ingress.kubernetes.io/upstream-vhost"`
+
+ // ProxyRequestBuffering controls whether request buffering is enabled.
+ ProxyRequestBuffering *string `annotation:"nginx.ingress.kubernetes.io/proxy-request-buffering"`
+ // ClientBodyBufferSize sets the size of the buffer used for reading request body.
+ ClientBodyBufferSize *string `annotation:"nginx.ingress.kubernetes.io/client-body-buffer-size"`
+ // ProxyBodySize sets the maximum allowed size of the client request body.
+ ProxyBodySize *string `annotation:"nginx.ingress.kubernetes.io/proxy-body-size"`
+
+ // ProxyBuffering controls whether response buffering is enabled.
+ ProxyBuffering *string `annotation:"nginx.ingress.kubernetes.io/proxy-buffering"`
+ // ProxyBufferSize sets the size of the memory buffer used for reading the response.
+ ProxyBufferSize *string `annotation:"nginx.ingress.kubernetes.io/proxy-buffer-size"`
+ // ProxyBuffersNumber sets the number of memory buffers used for reading the response.
+ ProxyBuffersNumber *int `annotation:"nginx.ingress.kubernetes.io/proxy-buffers-number"`
+ // ProxyMaxTempFileSize sets the maximum size of a temporary file used to buffer responses.
+ ProxyMaxTempFileSize *string `annotation:"nginx.ingress.kubernetes.io/proxy-max-temp-file-size"`
}
// parseIngressConfig parses the annotations from an Ingress object into an ingressConfig struct.
-func parseIngressConfig(ing *netv1.Ingress) (ingressConfig, error) {
+func parseIngressConfig(ing *netv1.Ingress) ingressConfig {
cfg := ingressConfig{}
cfgType := reflect.TypeFor[ingressConfig]()
cfgValue := reflect.ValueOf(&cfg).Elem()
@@ -94,10 +109,8 @@ func parseIngressConfig(ing *netv1.Ingress) (ingressConfig, error) {
case reflect.String:
cfgValue.Field(i).Set(reflect.ValueOf(&val))
case reflect.Bool:
- parsed, err := strconv.ParseBool(val)
- if err == nil {
- cfgValue.Field(i).Set(reflect.ValueOf(&parsed))
- }
+ b := strings.EqualFold(val, "true")
+ cfgValue.Field(i).Set(reflect.ValueOf(&b))
case reflect.Int:
parsed, err := strconv.Atoi(val)
if err == nil {
@@ -111,15 +124,13 @@ func parseIngressConfig(ing *netv1.Ingress) (ingressConfig, error) {
slice = append(slice, strings.TrimSpace(elt))
}
cfgValue.Field(i).Set(reflect.ValueOf(&slice))
- } else {
- return cfg, errors.New("unsupported slice type in annotations")
}
default:
- return cfg, errors.New("unsupported kind")
+ continue
}
}
- return cfg, nil
+ return cfg
}
// parseBackendProtocol parses the backend protocol annotation and returns the corresponding protocol string.
diff --git a/pkg/provider/kubernetes/ingress-nginx/annotations_test.go b/pkg/provider/kubernetes/ingress-nginx/annotations_test.go
index 64ccb03a83..22b225c53e 100644
--- a/pkg/provider/kubernetes/ingress-nginx/annotations_test.go
+++ b/pkg/provider/kubernetes/ingress-nginx/annotations_test.go
@@ -4,7 +4,6 @@ import (
"testing"
"github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
netv1 "k8s.io/api/networking/v1"
"k8s.io/utils/ptr"
)
@@ -18,19 +17,26 @@ func Test_parseIngressConfig(t *testing.T) {
{
desc: "all fields set",
annotations: map[string]string{
- "nginx.ingress.kubernetes.io/ssl-passthrough": "true",
- "nginx.ingress.kubernetes.io/affinity": "cookie",
- "nginx.ingress.kubernetes.io/session-cookie-name": "mycookie",
- "nginx.ingress.kubernetes.io/session-cookie-secure": "true",
- "nginx.ingress.kubernetes.io/session-cookie-path": "/foo",
- "nginx.ingress.kubernetes.io/session-cookie-domain": "example.com",
- "nginx.ingress.kubernetes.io/session-cookie-samesite": "Strict",
- "nginx.ingress.kubernetes.io/session-cookie-max-age": "3600",
- "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
- "nginx.ingress.kubernetes.io/cors-expose-headers": "foo, bar",
- "nginx.ingress.kubernetes.io/auth-url": "http://auth.example.com/verify",
- "nginx.ingress.kubernetes.io/auth-signin": "https://auth.example.com/oauth2/start?rd=foo",
- "nginx.ingress.kubernetes.io/proxy-connect-timeout": "30",
+ "nginx.ingress.kubernetes.io/ssl-passthrough": "true",
+ "nginx.ingress.kubernetes.io/affinity": "cookie",
+ "nginx.ingress.kubernetes.io/session-cookie-name": "mycookie",
+ "nginx.ingress.kubernetes.io/session-cookie-secure": "true",
+ "nginx.ingress.kubernetes.io/session-cookie-path": "/foo",
+ "nginx.ingress.kubernetes.io/session-cookie-domain": "example.com",
+ "nginx.ingress.kubernetes.io/session-cookie-samesite": "Strict",
+ "nginx.ingress.kubernetes.io/session-cookie-max-age": "3600",
+ "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
+ "nginx.ingress.kubernetes.io/cors-expose-headers": "foo, bar",
+ "nginx.ingress.kubernetes.io/auth-url": "http://auth.example.com/verify",
+ "nginx.ingress.kubernetes.io/auth-signin": "https://auth.example.com/oauth2/start?rd=foo",
+ "nginx.ingress.kubernetes.io/proxy-connect-timeout": "30",
+ "nginx.ingress.kubernetes.io/proxy-request-buffering": "on",
+ "nginx.ingress.kubernetes.io/client-body-buffer-size": "16k",
+ "nginx.ingress.kubernetes.io/proxy-body-size": "16k",
+ "nginx.ingress.kubernetes.io/proxy-buffering": "on",
+ "nginx.ingress.kubernetes.io/proxy-buffer-size": "16k",
+ "nginx.ingress.kubernetes.io/proxy-buffers-number": "8",
+ "nginx.ingress.kubernetes.io/proxy-max-temp-file-size": "100m",
},
expected: ingressConfig{
SSLPassthrough: ptr.To(true),
@@ -46,6 +52,13 @@ func Test_parseIngressConfig(t *testing.T) {
AuthURL: ptr.To("http://auth.example.com/verify"),
AuthSignin: ptr.To("https://auth.example.com/oauth2/start?rd=foo"),
ProxyConnectTimeout: ptr.To(30),
+ ProxyRequestBuffering: ptr.To("on"),
+ ClientBodyBufferSize: ptr.To("16k"),
+ ProxyBodySize: ptr.To("16k"),
+ ProxyBuffering: ptr.To("on"),
+ ProxyBufferSize: ptr.To("16k"),
+ ProxyBuffersNumber: ptr.To(8),
+ ProxyMaxTempFileSize: ptr.To("100m"),
},
},
{
@@ -62,7 +75,9 @@ func Test_parseIngressConfig(t *testing.T) {
annotations: map[string]string{
"nginx.ingress.kubernetes.io/ssl-passthrough": "notabool",
"nginx.ingress.kubernetes.io/session-cookie-max-age (in seconds)": "notanint",
- "nginx.ingress.kubernetes.io/proxy-connect-timeout": "notanint",
+ },
+ expected: ingressConfig{
+ SSLPassthrough: ptr.To(false),
},
},
}
@@ -74,10 +89,7 @@ func Test_parseIngressConfig(t *testing.T) {
var ing netv1.Ingress
ing.SetAnnotations(test.annotations)
- cfg, err := parseIngressConfig(&ing)
- require.NoError(t, err)
-
- assert.Equal(t, test.expected, cfg)
+ assert.Equal(t, test.expected, parseIngressConfig(&ing))
})
}
}
diff --git a/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-client-body-buffer-size.yml b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-client-body-buffer-size.yml
new file mode 100644
index 0000000000..09082d1eba
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-client-body-buffer-size.yml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-with-client-body-buffer-size
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
+ nginx.ingress.kubernetes.io/client-body-buffer-size: "10M"
+
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: hostname.localhost
+ http:
+ paths:
+ - path: /
+ pathType: Exact
+ backend:
+ service:
+ name: whoami
+ port:
+ number: 80
diff --git a/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-body-size-and-client-body-buffer-size.yml b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-body-size-and-client-body-buffer-size.yml
new file mode 100644
index 0000000000..9aa88ece09
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-body-size-and-client-body-buffer-size.yml
@@ -0,0 +1,24 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-with-proxy-body-size-and-client-body-buffer-size
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
+ nginx.ingress.kubernetes.io/proxy-body-size: "10M"
+ nginx.ingress.kubernetes.io/client-body-buffer-size: "10K"
+
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: hostname.localhost
+ http:
+ paths:
+ - path: /
+ pathType: Exact
+ backend:
+ service:
+ name: whoami
+ port:
+ number: 80
diff --git a/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-body-size.yml b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-body-size.yml
new file mode 100644
index 0000000000..4aa71fccc6
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-body-size.yml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-with-proxy-body-size
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
+ nginx.ingress.kubernetes.io/proxy-body-size: "10M"
+
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: hostname.localhost
+ http:
+ paths:
+ - path: /
+ pathType: Exact
+ backend:
+ service:
+ name: whoami
+ port:
+ number: 80
diff --git a/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffer-size-and-number.yml b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffer-size-and-number.yml
new file mode 100644
index 0000000000..6447903caf
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffer-size-and-number.yml
@@ -0,0 +1,24 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-with-proxy-buffer-size-and-number
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffering: "on"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+ nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
+
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: hostname.localhost
+ http:
+ paths:
+ - path: /
+ pathType: Exact
+ backend:
+ service:
+ name: whoami
+ port:
+ number: 80
diff --git a/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffer-size.yml b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffer-size.yml
new file mode 100644
index 0000000000..6ed4978db7
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffer-size.yml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-with-proxy-buffer-size
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffering: "on"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: hostname.localhost
+ http:
+ paths:
+ - path: /
+ pathType: Exact
+ backend:
+ service:
+ name: whoami
+ port:
+ number: 80
diff --git a/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffers-number.yml b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffers-number.yml
new file mode 100644
index 0000000000..b1d93964b6
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-buffers-number.yml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-with-proxy-buffers-number
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffering: "on"
+ nginx.ingress.kubernetes.io/proxy-buffers-number: "8"
+
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: hostname.localhost
+ http:
+ paths:
+ - path: /
+ pathType: Exact
+ backend:
+ service:
+ name: whoami
+ port:
+ number: 80
diff --git a/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-max-temp-file-size.yml b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-max-temp-file-size.yml
new file mode 100644
index 0000000000..6c4187e57b
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/ingress-with-proxy-max-temp-file-size.yml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-with-proxy-max-temp-file-size
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-buffering: "on"
+ nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "100m"
+
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: hostname.localhost
+ http:
+ paths:
+ - path: /
+ pathType: Exact
+ backend:
+ service:
+ name: whoami
+ port:
+ number: 80
diff --git a/pkg/provider/kubernetes/ingress-nginx/kubernetes.go b/pkg/provider/kubernetes/ingress-nginx/kubernetes.go
index 5d6e87d5ea..2a6372cb01 100644
--- a/pkg/provider/kubernetes/ingress-nginx/kubernetes.go
+++ b/pkg/provider/kubernetes/ingress-nginx/kubernetes.go
@@ -34,6 +34,7 @@ import (
const (
providerName = "kubernetesingressnginx"
+ // NGINX default values.
annotationIngressClass = "kubernetes.io/ingress.class"
defaultControllerName = "k8s.io/ingress-nginx"
@@ -43,8 +44,20 @@ const (
defaultBackendTLSName = "default-backend-tls"
defaultProxyConnectTimeout = 60
+ // https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
+ defaultProxyBodySize = int64(1024 * 1024) // 1MB
+ // https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_buffer_size
+ defaultClientBodyBufferSize = int64(16 * 1024) // 16KB
+ // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+ defaultProxyBufferSize = int64(8 * 1024) // 8KB
+ // https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#proxy-buffers-number
+ defaultProxyBuffersNumber = 4
+ // https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size
+ defaultProxyMaxTempFileSize = int64(1024 * 1024 * 1024) // 1GB
)
+var nginxSizeRegexp = regexp.MustCompile(`^(?i)\s*([0-9]+)\s*([bkmg]?)\s*$`)
+
type backendAddress struct {
Address string
Fenced bool
@@ -84,6 +97,14 @@ type Provider struct {
ProxyConnectTimeout int `description:"Amount of time to wait until a connection to a server can be established. Timeout value is unitless and in seconds." json:"proxyConnectTimeout,omitempty" toml:"proxyConnectTimeout,omitempty" yaml:"proxyConnectTimeout,omitempty" export:"true"`
+ // Configuration options available within the NGINX Ingress Controller ConfigMap.
+ ProxyRequestBuffering bool `description:"Defines whether to enable request buffering." json:"proxyRequestBuffering,omitempty" toml:"proxyRequestBuffering,omitempty" yaml:"proxyRequestBuffering,omitempty" export:"true"`
+ ClientBodyBufferSize int64 `description:"Default buffer size for reading client request body." json:"clientBodyBufferSize,omitempty" toml:"clientBodyBufferSize,omitempty" yaml:"clientBodyBufferSize,omitempty" export:"true"`
+ ProxyBodySize int64 `description:"Default maximum size of a client request body in bytes." json:"proxyBodySize,omitempty" toml:"proxyBodySize,omitempty" yaml:"proxyBodySize,omitempty" export:"true"`
+ ProxyBuffering bool `description:"Defines whether to enable response buffering." json:"proxyBuffering,omitempty" toml:"proxyBuffering,omitempty" yaml:"proxyBuffering,omitempty" export:"true"`
+ ProxyBufferSize int64 `description:"Default buffer size for reading the response body." json:"proxyBufferSize,omitempty" toml:"proxyBufferSize,omitempty" yaml:"proxyBufferSize,omitempty" export:"true"`
+ ProxyBuffersNumber int `description:"Default number of buffers for reading a response." json:"proxyBuffersNumber,omitempty" toml:"proxyBuffersNumber,omitempty" yaml:"proxyBuffersNumber,omitempty" export:"true"`
+
// NonTLSEntryPoints contains the names of entrypoints that are configured without TLS.
NonTLSEntryPoints []string `json:"-" toml:"-" yaml:"-" label:"-" file:"-"`
@@ -98,6 +119,10 @@ func (p *Provider) SetDefaults() {
p.IngressClass = defaultAnnotationValue
p.ControllerClass = defaultControllerName
p.ProxyConnectTimeout = defaultProxyConnectTimeout
+ p.ClientBodyBufferSize = defaultClientBodyBufferSize
+ p.ProxyBodySize = defaultProxyBodySize
+ p.ProxyBufferSize = defaultProxyBufferSize
+ p.ProxyBuffersNumber = defaultProxyBuffersNumber
}
// Init the provider.
@@ -289,12 +314,6 @@ func (p *Provider) loadConfiguration(ctx context.Context) *dynamic.Configuration
continue
}
- ingressConfig, err := parseIngressConfig(ingress)
- if err != nil {
- logger.Error().Err(err).Msg("Error parsing ingress configuration")
- continue
- }
-
if err := p.updateIngressStatus(ingress); err != nil {
logger.Error().Err(err).Msg("Error while updating ingress status")
}
@@ -308,6 +327,8 @@ func (p *Provider) loadConfiguration(ctx context.Context) *dynamic.Configuration
}
}
+ ingressConfig := parseIngressConfig(ingress)
+
var clientAuthTLSOptionName string
if ingressConfig.AuthTLSSecret != nil {
tlsOptName := provider.Normalize(ingress.Namespace + "-" + ingress.Name + "-" + *ingressConfig.AuthTLSSecret)
@@ -543,7 +564,10 @@ func (p *Provider) loadConfiguration(ctx context.Context) *dynamic.Configuration
conf.TLS = &dynamic.TLSConfiguration{
Certificates: slices.Collect(maps.Values(uniqCerts)),
- Options: tlsOptions,
+ }
+
+ if len(tlsOptions) > 0 {
+ conf.TLS.Options = tlsOptions
}
return conf
@@ -856,6 +880,10 @@ func (p *Provider) applyMiddlewares(namespace, routerKey, rulePath, ruleHost str
return fmt.Errorf("applying basic auth configuration: %w", err)
}
+ if err := p.applyBufferingConfiguration(routerKey, ingressConfig, rt, conf); err != nil {
+ return fmt.Errorf("applying buffering: %w", err)
+ }
+
if err := applyForwardAuthConfiguration(routerKey, ingressConfig, rt, conf); err != nil {
return fmt.Errorf("applying forward auth configuration: %w", err)
}
@@ -1189,6 +1217,83 @@ func applyAllowedSourceRangeConfiguration(routerName string, ingressConfig ingre
rt.Middlewares = append(rt.Middlewares, allowedSourceRangeMiddlewareName)
}
+func (p *Provider) applyBufferingConfiguration(routerName string, ingressConfig ingressConfig, rt *dynamic.Router, conf *dynamic.Configuration) error {
+ disableRequestBuffering := !p.ProxyRequestBuffering
+ if ingressConfig.ProxyRequestBuffering != nil {
+ // Without value validation, lean on disabling by checking for "on", which is more likely to satisfy user input.
+ disableRequestBuffering = *ingressConfig.ProxyRequestBuffering != "on"
+ }
+
+ disableResponseBuffering := !p.ProxyBuffering
+ if ingressConfig.ProxyBuffering != nil {
+ // Without value validation, lean on disabling by checking for "on", which is more likely to satisfy user input.
+ disableResponseBuffering = *ingressConfig.ProxyBuffering != "on"
+ }
+
+ if disableRequestBuffering && disableResponseBuffering {
+ return nil
+ }
+
+ buffering := &dynamic.Buffering{
+ DisableRequestBuffer: disableRequestBuffering,
+ DisableResponseBuffer: disableResponseBuffering,
+ MemRequestBodyBytes: p.ClientBodyBufferSize,
+ MaxRequestBodyBytes: p.ProxyBodySize,
+ MemResponseBodyBytes: p.ProxyBufferSize * int64(p.ProxyBuffersNumber),
+ }
+
+ if !disableRequestBuffering {
+ if clientBodyBufferSize := ptr.Deref(ingressConfig.ClientBodyBufferSize, ""); clientBodyBufferSize != "" {
+ memRequestBodySize, err := nginxSizeToBytes(clientBodyBufferSize)
+ if err != nil {
+ return fmt.Errorf("client-body-buffer-size annotation has invalid value: %w", err)
+ }
+ buffering.MemRequestBodyBytes = memRequestBodySize
+ }
+
+ if proxyBodySize := ptr.Deref(ingressConfig.ProxyBodySize, ""); proxyBodySize != "" {
+ maxRequestBody, err := nginxSizeToBytes(proxyBodySize)
+ if err != nil {
+ return fmt.Errorf("proxy-body-size annotation has invalid value: %w", err)
+ }
+
+ buffering.MaxRequestBodyBytes = maxRequestBody
+ }
+ }
+
+ if !disableResponseBuffering {
+ if ingressConfig.ProxyBufferSize != nil || ingressConfig.ProxyBuffersNumber != nil {
+ bufferSize := p.ProxyBufferSize
+ if proxyBufferSize := ptr.Deref(ingressConfig.ProxyBufferSize, ""); proxyBufferSize != "" {
+ var err error
+ if bufferSize, err = nginxSizeToBytes(proxyBufferSize); err != nil {
+ return fmt.Errorf("proxy-buffer-size annotation has invalid value: %w", err)
+ }
+ }
+
+ buffering.MemResponseBodyBytes = bufferSize * int64(ptr.Deref(ingressConfig.ProxyBuffersNumber, p.ProxyBuffersNumber))
+ }
+
+ proxyMaxTempFileSize := defaultProxyMaxTempFileSize
+ if ingressConfig.ProxyMaxTempFileSize != nil {
+ var err error
+ if proxyMaxTempFileSize, err = nginxSizeToBytes(*ingressConfig.ProxyMaxTempFileSize); err != nil {
+ return fmt.Errorf("proxy-max-temp-file-size annotation has invalid value: %w", err)
+ }
+ }
+
+ buffering.MaxResponseBodyBytes = buffering.MemResponseBodyBytes + proxyMaxTempFileSize
+ }
+
+ bufferingMiddlewareName := routerName + "-buffering"
+ conf.HTTP.Middlewares[bufferingMiddlewareName] = &dynamic.Middleware{
+ Buffering: buffering,
+ }
+ rt.Middlewares = append(rt.Middlewares, bufferingMiddlewareName)
+
+ return nil
+}
+
func (p *Provider) applySSLRedirectConfiguration(routerName string, ingressConfig ingressConfig, hasTLS bool, rt *dynamic.Router, conf *dynamic.Configuration) {
var forceSSLRedirect bool
if ingressConfig.ForceSSLRedirect != nil {
@@ -1443,3 +1548,24 @@ func (p *Provider) buildClientAuthTLSOption(ingressNamespace string, config ingr
return tlsOpt, nil
}
+
+// nginxSizeToBytes convert nginx size to memory bytes as defined in https://nginx.org/en/docs/syntax.html.
+func nginxSizeToBytes(nginxSize string) (int64, error) {
+ units := map[string]int64{
+ "g": 1024 * 1024 * 1024,
+ "m": 1024 * 1024,
+ "k": 1024,
+ "b": 1,
+ "": 1,
+ }
+
+ if !nginxSizeRegexp.MatchString(nginxSize) {
+ return 0, fmt.Errorf("unable to parse number %s", nginxSize)
+ }
+ size := nginxSizeRegexp.FindStringSubmatch(nginxSize)
+ bytes, err := strconv.ParseInt(size[1], 10, 64)
+ if err != nil {
+ return 0, err
+ }
+ return bytes * units[strings.ToLower(size[2])], nil
+}
diff --git a/pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go b/pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go
index c790340740..efc87c3388 100644
--- a/pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go
+++ b/pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go
@@ -1,6 +1,7 @@
package ingressnginx
import (
+ "errors"
"math"
"net/http"
"os"
@@ -47,9 +48,7 @@ func TestLoadIngresses(t *testing.T) {
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -108,9 +107,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -187,7 +184,6 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- Options: map[string]tls.Options{},
},
},
},
@@ -250,9 +246,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -314,9 +308,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -463,7 +455,6 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- Options: map[string]tls.Options{},
},
},
},
@@ -508,9 +499,7 @@ func TestLoadIngresses(t *testing.T) {
Services: map[string]*dynamic.Service{},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -575,9 +564,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -633,9 +620,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -699,9 +684,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -750,9 +733,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -811,9 +792,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -865,9 +844,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -927,9 +904,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -989,9 +964,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1043,9 +1016,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1111,9 +1082,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1179,9 +1148,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1261,9 +1228,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1316,9 +1281,7 @@ func TestLoadIngresses(t *testing.T) {
},
ServersTransports: map[string]*dynamic.ServersTransport{},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1377,9 +1340,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1438,9 +1399,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1499,9 +1458,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1554,9 +1511,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1609,9 +1564,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1670,9 +1623,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1731,9 +1682,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1792,9 +1741,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1855,9 +1802,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1918,9 +1863,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -1981,9 +1924,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -2044,9 +1985,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -2107,9 +2046,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -2170,9 +2107,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -2233,9 +2168,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -2283,9 +2216,7 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
- TLS: &dynamic.TLSConfiguration{
- Options: map[string]tls.Options{},
- },
+ TLS: &dynamic.TLSConfiguration{},
},
},
{
@@ -2495,6 +2426,444 @@ func TestLoadIngresses(t *testing.T) {
},
},
},
+ {
+ desc: "Buffering with proxy body size of 10MB",
+ paths: []string{
+ "services.yml",
+ "ingressclasses.yml",
+ "ingresses/ingress-with-proxy-body-size.yml",
+ },
+ expected: &dynamic.Configuration{
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{},
+ Services: map[string]*dynamic.TCPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{
+ "default-ingress-with-proxy-body-size-rule-0-path-0": {
+ Rule: "Host(`hostname.localhost`) && Path(`/`)",
+ RuleSyntax: "default",
+ Middlewares: []string{"default-ingress-with-proxy-body-size-rule-0-path-0-buffering"},
+ Service: "default-ingress-with-proxy-body-size-whoami-80",
+ },
+ },
+ Middlewares: map[string]*dynamic.Middleware{
+ "default-ingress-with-proxy-body-size-rule-0-path-0-buffering": {
+ Buffering: &dynamic.Buffering{
+ MaxRequestBodyBytes: 10 * 1024 * 1024,
+ MemRequestBodyBytes: defaultClientBodyBufferSize,
+ MemResponseBodyBytes: defaultProxyBufferSize * int64(defaultProxyBuffersNumber),
+ DisableResponseBuffer: true,
+ },
+ },
+ },
+ Services: map[string]*dynamic.Service{
+ "default-ingress-with-proxy-body-size-whoami-80": {
+ LoadBalancer: &dynamic.ServersLoadBalancer{
+ Servers: []dynamic.Server{
+ {
+ URL: "http://10.10.0.1:80",
+ },
+ {
+ URL: "http://10.10.0.2:80",
+ },
+ },
+ Strategy: "wrr",
+ PassHostHeader: ptr.To(true),
+ ResponseForwarding: &dynamic.ResponseForwarding{
+ FlushInterval: dynamic.DefaultFlushInterval,
+ },
+ ServersTransport: "default-ingress-with-proxy-body-size",
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.ServersTransport{
+ "default-ingress-with-proxy-body-size": {
+ ForwardingTimeouts: &dynamic.ForwardingTimeouts{
+ DialTimeout: ptypes.Duration(60 * time.Second),
+ },
+ },
+ },
+ },
+ TLS: &dynamic.TLSConfiguration{},
+ },
+ },
+ {
+ desc: "Buffering with client body buffer size of 10MB",
+ paths: []string{
+ "services.yml",
+ "ingressclasses.yml",
+ "ingresses/ingress-with-client-body-buffer-size.yml",
+ },
+ expected: &dynamic.Configuration{
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{},
+ Services: map[string]*dynamic.TCPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{
+ "default-ingress-with-client-body-buffer-size-rule-0-path-0": {
+ Rule: "Host(`hostname.localhost`) && Path(`/`)",
+ RuleSyntax: "default",
+ Middlewares: []string{"default-ingress-with-client-body-buffer-size-rule-0-path-0-buffering"},
+ Service: "default-ingress-with-client-body-buffer-size-whoami-80",
+ },
+ },
+ Middlewares: map[string]*dynamic.Middleware{
+ "default-ingress-with-client-body-buffer-size-rule-0-path-0-buffering": {
+ Buffering: &dynamic.Buffering{
+ MemRequestBodyBytes: 10 * 1024 * 1024,
+ MaxRequestBodyBytes: defaultProxyBodySize,
+ MemResponseBodyBytes: defaultProxyBufferSize * int64(defaultProxyBuffersNumber),
+ DisableResponseBuffer: true,
+ },
+ },
+ },
+ Services: map[string]*dynamic.Service{
+ "default-ingress-with-client-body-buffer-size-whoami-80": {
+ LoadBalancer: &dynamic.ServersLoadBalancer{
+ Servers: []dynamic.Server{
+ {
+ URL: "http://10.10.0.1:80",
+ },
+ {
+ URL: "http://10.10.0.2:80",
+ },
+ },
+ Strategy: "wrr",
+ PassHostHeader: ptr.To(true),
+ ResponseForwarding: &dynamic.ResponseForwarding{
+ FlushInterval: dynamic.DefaultFlushInterval,
+ },
+ ServersTransport: "default-ingress-with-client-body-buffer-size",
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.ServersTransport{
+ "default-ingress-with-client-body-buffer-size": {
+ ForwardingTimeouts: &dynamic.ForwardingTimeouts{
+ DialTimeout: ptypes.Duration(60 * time.Second),
+ },
+ },
+ },
+ },
+ TLS: &dynamic.TLSConfiguration{},
+ },
+ },
+ {
+ desc: "Buffering with proxy body size and client body buffer",
+ paths: []string{
+ "services.yml",
+ "ingressclasses.yml",
+ "ingresses/ingress-with-proxy-body-size-and-client-body-buffer-size.yml",
+ },
+ expected: &dynamic.Configuration{
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{},
+ Services: map[string]*dynamic.TCPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{
+ "default-ingress-with-proxy-body-size-and-client-body-buffer-size-rule-0-path-0": {
+ Rule: "Host(`hostname.localhost`) && Path(`/`)",
+ RuleSyntax: "default",
+ Middlewares: []string{"default-ingress-with-proxy-body-size-and-client-body-buffer-size-rule-0-path-0-buffering"},
+ Service: "default-ingress-with-proxy-body-size-and-client-body-buffer-size-whoami-80",
+ },
+ },
+ Middlewares: map[string]*dynamic.Middleware{
+ "default-ingress-with-proxy-body-size-and-client-body-buffer-size-rule-0-path-0-buffering": {
+ Buffering: &dynamic.Buffering{
+ MaxRequestBodyBytes: 10 * 1024 * 1024,
+ MemRequestBodyBytes: 10 * 1024,
+ MemResponseBodyBytes: defaultProxyBufferSize * int64(defaultProxyBuffersNumber),
+ DisableResponseBuffer: true,
+ },
+ },
+ },
+ Services: map[string]*dynamic.Service{
+ "default-ingress-with-proxy-body-size-and-client-body-buffer-size-whoami-80": {
+ LoadBalancer: &dynamic.ServersLoadBalancer{
+ Servers: []dynamic.Server{
+ {
+ URL: "http://10.10.0.1:80",
+ },
+ {
+ URL: "http://10.10.0.2:80",
+ },
+ },
+ Strategy: "wrr",
+ PassHostHeader: ptr.To(true),
+ ResponseForwarding: &dynamic.ResponseForwarding{
+ FlushInterval: dynamic.DefaultFlushInterval,
+ },
+ ServersTransport: "default-ingress-with-proxy-body-size-and-client-body-buffer-size",
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.ServersTransport{
+ "default-ingress-with-proxy-body-size-and-client-body-buffer-size": {
+ ForwardingTimeouts: &dynamic.ForwardingTimeouts{
+ DialTimeout: ptypes.Duration(60 * time.Second),
+ },
+ },
+ },
+ },
+ TLS: &dynamic.TLSConfiguration{},
+ },
+ },
+ {
+ desc: "Buffering with proxy buffer size",
+ paths: []string{
+ "services.yml",
+ "ingressclasses.yml",
+ "ingresses/ingress-with-proxy-buffer-size.yml",
+ },
+ expected: &dynamic.Configuration{
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{},
+ Services: map[string]*dynamic.TCPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{
+ "default-ingress-with-proxy-buffer-size-rule-0-path-0": {
+ Rule: "Host(`hostname.localhost`) && Path(`/`)",
+ RuleSyntax: "default",
+ Middlewares: []string{"default-ingress-with-proxy-buffer-size-rule-0-path-0-buffering"},
+ Service: "default-ingress-with-proxy-buffer-size-whoami-80",
+ },
+ },
+ Middlewares: map[string]*dynamic.Middleware{
+ "default-ingress-with-proxy-buffer-size-rule-0-path-0-buffering": {
+ Buffering: &dynamic.Buffering{
+ DisableRequestBuffer: true,
+ MaxRequestBodyBytes: defaultProxyBodySize,
+ MemRequestBodyBytes: defaultClientBodyBufferSize,
+ MemResponseBodyBytes: 16 * 1024 * int64(defaultProxyBuffersNumber),
+ MaxResponseBodyBytes: defaultProxyMaxTempFileSize + (defaultProxyBufferSize * 8),
+ },
+ },
+ },
+ Services: map[string]*dynamic.Service{
+ "default-ingress-with-proxy-buffer-size-whoami-80": {
+ LoadBalancer: &dynamic.ServersLoadBalancer{
+ Servers: []dynamic.Server{
+ {
+ URL: "http://10.10.0.1:80",
+ },
+ {
+ URL: "http://10.10.0.2:80",
+ },
+ },
+ Strategy: "wrr",
+ PassHostHeader: ptr.To(true),
+ ResponseForwarding: &dynamic.ResponseForwarding{
+ FlushInterval: dynamic.DefaultFlushInterval,
+ },
+ ServersTransport: "default-ingress-with-proxy-buffer-size",
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.ServersTransport{
+ "default-ingress-with-proxy-buffer-size": {
+ ForwardingTimeouts: &dynamic.ForwardingTimeouts{
+ DialTimeout: ptypes.Duration(60 * time.Second),
+ },
+ },
+ },
+ },
+ TLS: &dynamic.TLSConfiguration{},
+ },
+ },
+ {
+ desc: "Buffering with proxy buffers number",
+ paths: []string{
+ "services.yml",
+ "ingressclasses.yml",
+ "ingresses/ingress-with-proxy-buffers-number.yml",
+ },
+ expected: &dynamic.Configuration{
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{},
+ Services: map[string]*dynamic.TCPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{
+ "default-ingress-with-proxy-buffers-number-rule-0-path-0": {
+ Rule: "Host(`hostname.localhost`) && Path(`/`)",
+ RuleSyntax: "default",
+ Middlewares: []string{"default-ingress-with-proxy-buffers-number-rule-0-path-0-buffering"},
+ Service: "default-ingress-with-proxy-buffers-number-whoami-80",
+ },
+ },
+ Middlewares: map[string]*dynamic.Middleware{
+ "default-ingress-with-proxy-buffers-number-rule-0-path-0-buffering": {
+ Buffering: &dynamic.Buffering{
+ DisableRequestBuffer: true,
+ MaxRequestBodyBytes: defaultProxyBodySize,
+ MemRequestBodyBytes: defaultClientBodyBufferSize,
+ MemResponseBodyBytes: defaultProxyBufferSize * 8,
+ MaxResponseBodyBytes: defaultProxyMaxTempFileSize + (defaultProxyBufferSize * 8),
+ },
+ },
+ },
+ Services: map[string]*dynamic.Service{
+ "default-ingress-with-proxy-buffers-number-whoami-80": {
+ LoadBalancer: &dynamic.ServersLoadBalancer{
+ Servers: []dynamic.Server{
+ {
+ URL: "http://10.10.0.1:80",
+ },
+ {
+ URL: "http://10.10.0.2:80",
+ },
+ },
+ Strategy: "wrr",
+ PassHostHeader: ptr.To(true),
+ ResponseForwarding: &dynamic.ResponseForwarding{
+ FlushInterval: dynamic.DefaultFlushInterval,
+ },
+ ServersTransport: "default-ingress-with-proxy-buffers-number",
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.ServersTransport{
+ "default-ingress-with-proxy-buffers-number": {
+ ForwardingTimeouts: &dynamic.ForwardingTimeouts{
+ DialTimeout: ptypes.Duration(60 * time.Second),
+ },
+ },
+ },
+ },
+ TLS: &dynamic.TLSConfiguration{},
+ },
+ },
+ {
+ desc: "Buffering with proxy buffer size and proxy buffers number",
+ paths: []string{
+ "services.yml",
+ "ingressclasses.yml",
+ "ingresses/ingress-with-proxy-buffer-size-and-number.yml",
+ },
+ expected: &dynamic.Configuration{
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{},
+ Services: map[string]*dynamic.TCPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{
+ "default-ingress-with-proxy-buffer-size-and-number-rule-0-path-0": {
+ Rule: "Host(`hostname.localhost`) && Path(`/`)",
+ RuleSyntax: "default",
+ Middlewares: []string{"default-ingress-with-proxy-buffer-size-and-number-rule-0-path-0-buffering"},
+ Service: "default-ingress-with-proxy-buffer-size-and-number-whoami-80",
+ },
+ },
+ Middlewares: map[string]*dynamic.Middleware{
+ "default-ingress-with-proxy-buffer-size-and-number-rule-0-path-0-buffering": {
+ Buffering: &dynamic.Buffering{
+ DisableRequestBuffer: true,
+ MaxRequestBodyBytes: defaultProxyBodySize,
+ MemRequestBodyBytes: defaultClientBodyBufferSize,
+ MemResponseBodyBytes: 16 * 1024 * 8,
+ MaxResponseBodyBytes: defaultProxyMaxTempFileSize + (16 * 1024 * 8),
+ },
+ },
+ },
+ Services: map[string]*dynamic.Service{
+ "default-ingress-with-proxy-buffer-size-and-number-whoami-80": {
+ LoadBalancer: &dynamic.ServersLoadBalancer{
+ Servers: []dynamic.Server{
+ {
+ URL: "http://10.10.0.1:80",
+ },
+ {
+ URL: "http://10.10.0.2:80",
+ },
+ },
+ Strategy: "wrr",
+ PassHostHeader: ptr.To(true),
+ ResponseForwarding: &dynamic.ResponseForwarding{
+ FlushInterval: dynamic.DefaultFlushInterval,
+ },
+ ServersTransport: "default-ingress-with-proxy-buffer-size-and-number",
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.ServersTransport{
+ "default-ingress-with-proxy-buffer-size-and-number": {
+ ForwardingTimeouts: &dynamic.ForwardingTimeouts{
+ DialTimeout: ptypes.Duration(60 * time.Second),
+ },
+ },
+ },
+ },
+ TLS: &dynamic.TLSConfiguration{},
+ },
+ },
+ {
+ desc: "Buffering with proxy max temp file size",
+ paths: []string{
+ "services.yml",
+ "ingressclasses.yml",
+ "ingresses/ingress-with-proxy-max-temp-file-size.yml",
+ },
+ expected: &dynamic.Configuration{
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{},
+ Services: map[string]*dynamic.TCPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{
+ "default-ingress-with-proxy-max-temp-file-size-rule-0-path-0": {
+ Rule: "Host(`hostname.localhost`) && Path(`/`)",
+ RuleSyntax: "default",
+ Middlewares: []string{"default-ingress-with-proxy-max-temp-file-size-rule-0-path-0-buffering"},
+ Service: "default-ingress-with-proxy-max-temp-file-size-whoami-80",
+ },
+ },
+ Middlewares: map[string]*dynamic.Middleware{
+ "default-ingress-with-proxy-max-temp-file-size-rule-0-path-0-buffering": {
+ Buffering: &dynamic.Buffering{
+ DisableRequestBuffer: true,
+ MaxRequestBodyBytes: defaultProxyBodySize,
+ MemRequestBodyBytes: defaultClientBodyBufferSize,
+ MemResponseBodyBytes: defaultProxyBufferSize * int64(defaultProxyBuffersNumber),
+ MaxResponseBodyBytes: (defaultProxyBufferSize * int64(defaultProxyBuffersNumber)) + (100 * 1024 * 1024),
+ },
+ },
+ },
+ Services: map[string]*dynamic.Service{
+ "default-ingress-with-proxy-max-temp-file-size-whoami-80": {
+ LoadBalancer: &dynamic.ServersLoadBalancer{
+ Servers: []dynamic.Server{
+ {
+ URL: "http://10.10.0.1:80",
+ },
+ {
+ URL: "http://10.10.0.2:80",
+ },
+ },
+ Strategy: "wrr",
+ PassHostHeader: ptr.To(true),
+ ResponseForwarding: &dynamic.ResponseForwarding{
+ FlushInterval: dynamic.DefaultFlushInterval,
+ },
+ ServersTransport: "default-ingress-with-proxy-max-temp-file-size",
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.ServersTransport{
+ "default-ingress-with-proxy-max-temp-file-size": {
+ ForwardingTimeouts: &dynamic.ForwardingTimeouts{
+ DialTimeout: ptypes.Duration(60 * time.Second),
+ },
+ },
+ },
+ },
+ TLS: &dynamic.TLSConfiguration{},
+ },
+ },
}
for _, test := range testCases {
@@ -2527,6 +2896,88 @@ func TestLoadIngresses(t *testing.T) {
}
}
+func TestNginxSizeToBytes(t *testing.T) {
+ testCases := []struct {
+ desc string
+ value string
+ err error
+ expected int64
+ }{
+ {
+ desc: "Testing no unit",
+ expected: 100,
+ value: "100",
+ },
+ {
+ desc: "Testing unit b",
+ expected: 100,
+ value: "100b",
+ },
+ {
+ desc: "Testing unit B",
+ expected: 100,
+ value: "100B",
+ },
+ {
+ desc: "Testing unit KB",
+ expected: 100 * 1024,
+ value: "100k",
+ },
+ {
+ desc: "Testing unit MB",
+ expected: 100 * 1024 * 1024,
+ value: "100m",
+ },
+ {
+ desc: "Testing unit GB",
+ expected: 100 * 1024 * 1024 * 1024,
+ value: "100g",
+ },
+ {
+ desc: "Testing unit GB with whitespaces",
+ expected: 100 * 1024 * 1024 * 1024,
+ value: " 100 g ",
+ },
+ {
+ desc: "Testing unit KB uppercase",
+ expected: 100 * 1024,
+ value: "100K",
+ },
+ {
+ desc: "Testing unit MB uppercase",
+ expected: 100 * 1024 * 1024,
+ value: "100M",
+ },
+ {
+ desc: "Testing unit GB uppercase",
+ expected: 100 * 1024 * 1024 * 1024,
+ value: "100G",
+ },
+ {
+ desc: "Testing invalid input",
+ expected: 0,
+ value: "100A",
+ err: errors.New("unable to parse number 100A"),
+ },
+ {
+ desc: "Testing pipe character is invalid",
+ expected: 0,
+ value: "100|",
+ err: errors.New("unable to parse number 100|"),
+ },
+ }
+
+ for _, test := range testCases {
+ t.Run(test.desc, func(t *testing.T) {
+ t.Parallel()
+
+ size, err := nginxSizeToBytes(test.value)
+ assert.Equal(t, test.err, err)
+ assert.Equal(t, test.expected, size)
+ })
+ }
+}
+
func readResources(t *testing.T, paths []string) []runtime.Object {
t.Helper()