cluster/kube: nginx: add Hscloud-Nic-Source-* headers

These can be used by production jobs to get the source port of the client connecting over HTTP. A followup CR implements just that. Change-Id: Ic8e29eaf806bb196d8cfcfb604ff66ae4d0d166a
2021-05-22 19:10:30 +00:00 · 2021-05-22 19:10:30 +00:00 · e17f7edde0
parent ba28a04c65
commit e17f7edde0
1 changed files with 40 additions and 1 deletions
--- a/cluster/kube/lib/nginx.libsonnet
+++ b/cluster/kube/lib/nginx.libsonnet
@ -41,7 +41,46 @@ local policies = import "../../../kube/policies.libsonnet";
            make(name):: kube.ConfigMap(name) {
                metadata+: env.metadata,
            },
-            configuration: env.maps.make("nginx-configuration"),
+            configuration: env.maps.make("nginx-configuration") {
+                data: {
+                    "proxy-set-headers": "%s/nginx-custom-headers" % [cfg.namespace],
+                },
+            },
+            customHeaders: env.maps.make("nginx-custom-headers") {
+                data: {
+                    # RFC6648 deprecates X-prefixed headers as a convention in
+                    # multiple application protocols, including HTTP. It
+                    # recommends that any new headers should just start off
+                    # with a final standardized name, ie. suggests to use
+                    # Toaster-ID instead of X-Toaster-ID.
+                    #
+                    # However, it also acknowledges that headers likely to
+                    # never be standardized can still be prefixed with OrgName-
+                    # or other constructs. And since we're not even attempting
+                    # to standardize anything here, this is what we use to
+                    # prefix hscloud-specific headers.
+                    #
+                    # Hscloud == hscloud, this repository.
+                    # Nic == nginx-ingress-controller, this ingress controller.
+
+                    # Set source port/addr. Source-IP duplicates
+                    # X-Forwarded-For, but is added for consistency with
+                    # Source-Port.
+                    #
+                    # Source-IP is an IP address in two possible formats:
+                    #   IPv4: "1.2.3.4"
+                    #   IPv6: "2a0d:1234::42"
+                    # Any other format received by services should be
+                    # considered invalid, and the service should assume a
+                    # misconfiguration of the N-I-C.
+                    "Hscloud-Nic-Source-IP": "${remote_addr}",
+                    # Source-Port is a stringified TCP port, encoding a port
+                    # number from 1 to 65535. Any other value received by
+                    # services should be considered invalid, and the service
+                    # should assume a misconfiguration of the N-I-C.
+                    "Hscloud-Nic-Source-Port": "${remote_port}",
+                },
+            },
            tcp: env.maps.make("tcp-services") {
                data: {
                    "22": "gerrit/gerrit:22",