diff --git a/cluster/kube/lib/nginx.libsonnet b/cluster/kube/lib/nginx.libsonnet
index 02422dc7..8e8673a8 100644
--- a/cluster/kube/lib/nginx.libsonnet
+++ b/cluster/kube/lib/nginx.libsonnet
@@ -41,7 +41,46 @@ local policies = import "../../../kube/policies.libsonnet";
 make(name):: kube.ConfigMap(name) {
 metadata+: env.metadata,
 },
- configuration: env.maps.make("nginx-configuration"),
+ configuration: env.maps.make("nginx-configuration") {
+ data: {
+ "proxy-set-headers": "%s/nginx-custom-headers" % [cfg.namespace],
+ },
+ },
+ customHeaders: env.maps.make("nginx-custom-headers") {
+ data: {
+ # RFC6648 deprecates X-prefixed headers as a convention in
+ # multiple application protocols, including HTTP. It
+ # recommends that any new headers should just start off
+ # with a final standardized name, ie. suggests to use
+ # Toaster-ID instead of X-Toaster-ID.
+ #
+ # However, it also acknowledges that headers likely to
+ # never be standardized can still be prefixed with OrgName-
+ # or other constructs. And since we're not even attempting
+ # to standardize anything here, this is what we use to
+ # prefix hscloud-specific headers.
+ #
+ # Hscloud == hscloud, this repository.
+ # Nic == nginx-ingress-controller, this ingress controller.
+
+ # Set source port/addr. Source-IP duplicates
+ # X-Forwarded-For, but is added for consistency with
+ # Source-Port.
+ #
+ # Source-IP is an IP address in two possible formats:
+ # IPv4: "1.2.3.4"
+ # IPv6: "2a0d:1234::42"
+ # Any other format received by services should be
+ # considered invalid, and the service should assume a
+ # misconfiguration of the N-I-C.
+ "Hscloud-Nic-Source-IP": "${remote_addr}",
+ # Source-Port is a stringified TCP port, encoding a port
+ # number from 1 to 65535. Any other value received by
+ # services should be considered invalid, and the service
+ # should assume a misconfiguration of the N-I-C.
+ "Hscloud-Nic-Source-Port": "${remote_port}",
+ },
+ },
 tcp: env.maps.make("tcp-services") {
 data: {
 "22": "gerrit/gerrit:22",
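Review bot: The comments tell services that Hscloud-Nic-Source-IP is the client's address and that anything else signals an N-I-C misconfiguration, but `${remote_addr}` and `${remote_port}` describe only the controller's immediate TCP peer; if traffic reaches the controller through an L4 load balancer or another proxy (nothing in this hunk shows proxy-protocol or real-IP handling), both headers will carry that intermediary's address and port while still looking perfectly well-formed to the consumer. That assumption deserves to be stated next to the header, e.g. `# Assumes the N-I-C terminates the client TCP connection directly; behind an L4 LB without proxy protocol this is the LB's address/port.` "Source-IP duplicates X-Forwarded-For" is also not quite accurate, since X-Forwarded-For can contain client-supplied hops whereas this value is taken from the connection itself — which is exactly why a service may prefer it, and the comment could say so. Lastly, the ConfigMap name `nginx-custom-headers` is spelled twice (in the `proxy-set-headers` reference and the `customHeaders` definition); hoisting it into a `local` keeps a future rename from silently leaving the reference dangling.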