feat: add annotation to allow to add custom response headers (#9742)

* add custom headers Signed-off-by: Christian Groschupp <[email protected]> * add tests Signed-off-by: Christian Groschupp <[email protected]> * add docs * update copyright * change comments * add e2e test customheaders * add custom headers validation * remove escapeLiteralDollar filter * validate value in custom headers * add regex for header value * fix annotation test * Revert "remove escapeLiteralDollar filter" This reverts commit ab48392b60dee4ce146a4c17e046849f9633c7fb. * add annotationConfig * fix test * fix golangci-lint findings * fix: add missung exp module --------- Signed-off-by: Christian Groschupp <[email protected]>
kubernetes · Apr 9, 2024 · 1f4ee0e · 1f4ee0e
1 parent d56aacd
commit 1f4ee0e
Show file tree

Hide file tree

Showing 15 changed files with 537 additions and 4 deletions.
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
@@ -50,6 +50,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz
 |[nginx.ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
 |[nginx.ingress.kubernetes.io/configuration-snippet](#configuration-snippet)|string|
 |[nginx.ingress.kubernetes.io/custom-http-errors](#custom-http-errors)|[]int|
+|[nginx.ingress.kubernetes.io/custom-headers](#custom-headers)|string|
 |[nginx.ingress.kubernetes.io/default-backend](#default-backend)|string|
 |[nginx.ingress.kubernetes.io/enable-cors](#enable-cors)|"true" or "false"|
 |[nginx.ingress.kubernetes.io/cors-allow-origin](#enable-cors)|string|
@@ -338,6 +339,22 @@ Example usage:
 nginx.ingress.kubernetes.io/custom-http-errors: "404,415"
 ```
 
+### Custom Headers
+This annotation is of the form `nginx.ingress.kubernetes.io/custom-headers: custom-headers-configmap` to specify a configmap name that contains custom headers. This annotation uses `more_set_headers` nginx directive.
+
+Example configmap:
+```yaml
+apiVersion: v1
+data:
+  Content-Type: application/json
+kind: ConfigMap
+metadata:
+  name: custom-headers-configmap
+```
+
+!!! attention
+  First define the allowed response headers in [global-allowed-response-headers](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/configmap.md#global-allowed-response-headers).
+
 ### Default Backend
 
 This annotation is of the form `nginx.ingress.kubernetes.io/default-backend: <svc name>` to specify a custom default backend.  This `<svc name>` is a reference to a service inside of the same namespace in which you are applying this annotation. This annotation overrides the global default backend. In case the service has [multiple ports](https://kubernetes.io/docs/concepts/services-networking/service/#multi-port-services), the first one is the one which will receive the backend traffic. 

diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md
@@ -209,6 +209,7 @@ The following table shows a configuration option's name, type, and the default v
 |[syslog-host](#syslog-host)| string       | ""                                                                                                                                                                                                                                                                                                                                                           ||
 |[syslog-port](#syslog-port)| int          | 514                                                                                                                                                                                                                                                                                                                                                          ||
 |[no-tls-redirect-locations](#no-tls-redirect-locations)| string       | "/.well-known/acme-challenge"                                                                                                                                                                                                                                                                                                                                ||
+|[global-allowed-response-headers](#global-allowed-response-headers)|string|""||
 |[global-auth-url](#global-auth-url)| string       | ""                                                                                                                                                                                                                                                                                                                                                           ||
 |[global-auth-method](#global-auth-method)| string       | ""                                                                                                                                                                                                                                                                                                                                                           ||
 |[global-auth-signin](#global-auth-signin)| string       | ""                                                                                                                                                                                                                                                                                                                                                           ||
@@ -1285,6 +1286,10 @@ Sets the port of syslog server. _**default:**_ 514
 A comma-separated list of locations on which http requests will never get redirected to their https counterpart.
 _**default:**_ "/.well-known/acme-challenge"
 
+## global-allowed-response-headers
+
+A comma-separated list of allowed response headers inside the [custom headers annotations](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#custom-headers)
+
 ## global-auth-url
 
 A url to an existing service that provides authentication for all the locations.

diff --git a/go.mod b/go.mod
@@ -26,6 +26,7 @@ require (
 	github.com/yudai/gojsondiff v1.0.0
 	github.com/zakjan/cert-chain-resolver v0.0.0-20221221105603-fcedb00c5b30
 	golang.org/x/crypto v0.22.0
+	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
 	google.golang.org/grpc v1.63.2
 	google.golang.org/grpc/examples v0.0.0-20240223204917-5ccf176a08ab
 	gopkg.in/go-playground/pool.v3 v3.1.1