Add preview policies feature flag

Dean-Coakley · Dean-Coakley · commit d652a427494a · 2021-01-06T13:07:54.000Z
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
@@ -157,6 +157,9 @@ var (
 	enableCustomResources = flag.Bool("enable-custom-resources", true,
 		"Enable custom resources")
 
+	enablePreviewPolicies = flag.Bool("enable-preview-policies", false,
+		"Enable preview policies")
+
 	enableSnippets = flag.Bool("enable-snippets", false,
 		"Enable custom NGINX configuration snippets in VirtualServer and VirtualServerRoute resources.")
 
@@ -227,7 +230,7 @@ func main() {
 	}
 
 	if *enableTLSPassthrough && !*enableCustomResources {
-		glog.Fatalf("enable-tls-passthrough flag requires -enable-custom-resources")
+		glog.Fatal("enable-tls-passthrough flag requires -enable-custom-resources")
 	}
 
 	if *appProtect && !*nginxPlus {
@@ -624,6 +627,7 @@ func main() {
 		ConfigMaps:                   *nginxConfigMaps,
 		GlobalConfiguration:          *globalConfiguration,
 		AreCustomResourcesEnabled:    *enableCustomResources,
+		EnablePreviewPolicies:        *enablePreviewPolicies,
 		MetricsCollector:             controllerCollector,
 		GlobalConfigurationValidator: globalConfigurationValidator,
 		TransportServerValidator:     transportServerValidator,
diff --git a/deployments/common/crds-v1beta1/k8s.nginx.org_policies.yaml b/deployments/common/crds-v1beta1/k8s.nginx.org_policies.yaml
@@ -34,7 +34,7 @@ spec:
           type: object
           properties:
             accessControl:
-              description: AccessControl defines an access policy based on the source IP of a request.
+              description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
               type: object
               properties:
                 allow:
@@ -46,7 +46,7 @@ spec:
                   items:
                     type: string
             egressMTLS:
-              description: EgressMTLS defines an Egress MTLS policy.
+              description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
               type: object
               properties:
                 ciphers:
@@ -68,7 +68,7 @@ spec:
                 verifyServer:
                   type: boolean
             ingressMTLS:
-              description: IngressMTLS defines an Ingress MTLS policy.
+              description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
               type: object
               properties:
                 clientCertSecret:
@@ -78,7 +78,7 @@ spec:
                 verifyDepth:
                   type: integer
             jwt:
-              description: JWTAuth holds JWT authentication configuration.
+              description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
               type: object
               properties:
                 realm:
@@ -88,7 +88,7 @@ spec:
                 token:
                   type: string
             rateLimit:
-              description: RateLimit defines a rate limit policy.
+              description: 'RateLimit defines a rate limit policy. policy status: preview'
               type: object
               properties:
                 burst:
diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml
@@ -35,7 +35,7 @@ spec:
               type: object
               properties:
                 accessControl:
-                  description: AccessControl defines an access policy based on the source IP of a request.
+                  description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
                   type: object
                   properties:
                     allow:
@@ -47,7 +47,7 @@ spec:
                       items:
                         type: string
                 egressMTLS:
-                  description: EgressMTLS defines an Egress MTLS policy.
+                  description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
                   type: object
                   properties:
                     ciphers:
@@ -69,7 +69,7 @@ spec:
                     verifyServer:
                       type: boolean
                 ingressMTLS:
-                  description: IngressMTLS defines an Ingress MTLS policy.
+                  description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
                   type: object
                   properties:
                     clientCertSecret:
@@ -79,7 +79,7 @@ spec:
                     verifyDepth:
                       type: integer
                 jwt:
-                  description: JWTAuth holds JWT authentication configuration.
+                  description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
                   type: object
                   properties:
                     realm:
@@ -89,7 +89,7 @@ spec:
                     token:
                       type: string
                 rateLimit:
-                  description: RateLimit defines a rate limit policy.
+                  description: 'RateLimit defines a rate limit policy. policy status: preview'
                   type: object
                   properties:
                     burst:
diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md
@@ -170,6 +170,7 @@ Parameter | Description | Default
 `controller.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass`. Only for kubernetes versions >= 1.18. | false
 `controller.watchNamespace` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | ""
 `controller.enableCustomResources` | Enable the custom resources. | true
+`controller.enablePreviewPolicies` | Enable preview policies. | false
 `controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false
 `controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false
 `controller.globalConfiguration.spec` | The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller. | {}
diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml
@@ -34,7 +34,7 @@ spec:
           type: object
           properties:
             accessControl:
-              description: AccessControl defines an access policy based on the source IP of a request.
+              description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
               type: object
               properties:
                 allow:
@@ -46,7 +46,7 @@ spec:
                   items:
                     type: string
             egressMTLS:
-              description: EgressMTLS defines an Egress MTLS policy.
+              description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
               type: object
               properties:
                 ciphers:
@@ -68,7 +68,7 @@ spec:
                 verifyServer:
                   type: boolean
             ingressMTLS:
-              description: IngressMTLS defines an Ingress MTLS policy.
+              description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
               type: object
               properties:
                 clientCertSecret:
@@ -78,7 +78,7 @@ spec:
                 verifyDepth:
                   type: integer
             jwt:
-              description: JWTAuth holds JWT authentication configuration.
+              description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
               type: object
               properties:
                 realm:
@@ -88,7 +88,7 @@ spec:
                 token:
                   type: string
             rateLimit:
-              description: RateLimit defines a rate limit policy.
+              description: 'RateLimit defines a rate limit policy. policy status: preview'
               type: object
               properties:
                 burst:
diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml
@@ -144,6 +144,7 @@ spec:
 {{- if .Values.controller.enableCustomResources }}
           - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
           - -enable-snippets={{ .Values.controller.enableSnippets }}
+          - -enable-preview-policies={{ .Values.controller.enablePreviewPolicies }}
 {{- if .Values.controller.globalConfiguration.create }}
           - -global-configuration=$(POD_NAMESPACE)/{{ include "nginx-ingress.name" . }}
 {{- end }}
diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml
@@ -146,6 +146,9 @@ controller:
   ## Enable the custom resources.
   enableCustomResources: true
 
+  ## Enable preview policies.
+  enablePreviewPolicies: false
+
   ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources.
   enableTLSPassthrough: false
 
diff --git a/docs-web/configuration/global-configuration/command-line-arguments.md b/docs-web/configuration/global-configuration/command-line-arguments.md
@@ -33,6 +33,10 @@ Below we describe the available command-line arguments:
 
 	Enables custom resources. (default true)
 
+.. option:: -enable-preview-policies
+
+	Enables preview policies. (default false)
+
 .. option:: -enable-leader-election
 
 	Enables Leader election to avoid multiple replicas of the controller reporting the status of Ingress, VirtualServer and VirtualServerRoute resources -- only one replica will report status. (default true)
diff --git a/docs-web/configuration/policy-resource.md b/docs-web/configuration/policy-resource.md
@@ -138,7 +138,7 @@ policies:
 
 ### RateLimit
 
-> **Feature Status**: Rate-Limiting is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases.
+> **Feature Status**: Rate-Limiting is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
 
 The rate limit policy configures NGINX to limit the processing rate of requests.
 
@@ -212,7 +212,7 @@ When you reference more than one rate limit policy, the Ingress Controller will
 
 ### JWT
 
-> **Feature Status**: JWT is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases.
+> **Feature Status**: JWT is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
 
 > Note: This feature is only available in NGINX Plus.
 
@@ -279,7 +279,7 @@ In this example the Ingress Controller will use the configuration from the first
 
 ### IngressMTLS
 
-> **Feature Status**: IngressMTLS is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases.
+> **Feature Status**: IngressMTLS is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
 
 The IngressMTLS policy configures client certificate verification.
 
@@ -347,7 +347,7 @@ In this example the Ingress Controller will use the configuration from the first
 
 ### EgressMTLS
 
-> **Feature Status**: EgressMTLS is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases.
+> **Feature Status**: EgressMTLS is available as a preview feature: it is suitable for experimenting and testing; however, it must be used with caution in production environments. Additionally, while the feature is in preview status, we might introduce some backward-incompatible changes to the resource specification in the next releases. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
 
 The EgressMTLS policy configures upstreams authentication and certificate verification.
 
diff --git a/docs-web/installation/installation-with-helm.md b/docs-web/installation/installation-with-helm.md
@@ -238,6 +238,9 @@ The following tables lists the configurable parameters of the NGINX Ingress cont
    * - ``controller.enableCustomResources``
      - Enable the custom resources.
      - true
+   * - ``controller.enablePreviewPolicies``
+     - Enable preview policies.
+     - false
    * - ``controller.enableTLSPassthrough``
      - Enable TLS Passthrough on port 443. Requires ``controller.enableCustomResources``.
      - false
diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go
@@ -171,6 +171,7 @@ type LoadBalancerController struct {
 	controllerNamespace           string
 	wildcardTLSSecret             string
 	areCustomResourcesEnabled     bool
+	enablePreviewPolicies         bool
 	metricsCollector              collectors.ControllerCollector
 	globalConfigurationValidator  *validation.GlobalConfigurationValidator
 	transportServerValidator      *validation.TransportServerValidator
@@ -210,6 +211,7 @@ type NewLoadBalancerControllerInput struct {
 	ConfigMaps                   string
 	GlobalConfiguration          string
 	AreCustomResourcesEnabled    bool
+	EnablePreviewPolicies        bool
 	MetricsCollector             collectors.ControllerCollector
 	GlobalConfigurationValidator *validation.GlobalConfigurationValidator
 	TransportServerValidator     *validation.TransportServerValidator
@@ -240,6 +242,7 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
 		controllerNamespace:          input.ControllerNamespace,
 		wildcardTLSSecret:            input.WildcardTLSSecret,
 		areCustomResourcesEnabled:    input.AreCustomResourcesEnabled,
+		enablePreviewPolicies:        input.EnablePreviewPolicies,
 		metricsCollector:             input.MetricsCollector,
 		globalConfigurationValidator: input.GlobalConfigurationValidator,
 		transportServerValidator:     input.TransportServerValidator,
@@ -843,7 +846,7 @@ func (lbc *LoadBalancerController) syncPolicy(task task) {
 
 	if polExists {
 		pol := obj.(*conf_v1.Policy)
-		err := validation.ValidatePolicy(pol, lbc.isNginxPlus)
+		err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enablePreviewPolicies)
 		if err != nil {
 			lbc.recorder.Eventf(pol, api_v1.EventTypeWarning, "Rejected", "Policy %v is invalid and was rejected: %v", key, err)
 		} else {
@@ -2326,7 +2329,7 @@ func (lbc *LoadBalancerController) getAllPolicies() []*conf_v1.Policy {
 	for _, obj := range lbc.policyLister.List() {
 		pol := obj.(*conf_v1.Policy)
 
-		err := validation.ValidatePolicy(pol, lbc.isNginxPlus)
+		err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enablePreviewPolicies)
 		if err != nil {
 			glog.V(3).Infof("Skipping invalid Policy %s/%s: %v", pol.Namespace, pol.Name, err)
 			continue
@@ -2363,7 +2366,7 @@ func (lbc *LoadBalancerController) getPolicies(policies []conf_v1.PolicyReferenc
 
 		policy := policyObj.(*conf_v1.Policy)
 
-		err = validation.ValidatePolicy(policy, lbc.isNginxPlus)
+		err = validation.ValidatePolicy(policy, lbc.isNginxPlus, lbc.enablePreviewPolicies)
 		if err != nil {
 			errors = append(errors, fmt.Errorf("Policy %s is invalid: %v", policyKey, err))
 			continue
diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go
@@ -349,12 +349,14 @@ type PolicyList struct {
 }
 
 // AccessControl defines an access policy based on the source IP of a request.
+// policy status: production-ready
 type AccessControl struct {
 	Allow []string `json:"allow"`
 	Deny  []string `json:"deny"`
 }
 
 // RateLimit defines a rate limit policy.
+// policy status: preview
 type RateLimit struct {
 	Rate       string `json:"rate"`
 	Key        string `json:"key"`
@@ -368,20 +370,23 @@ type RateLimit struct {
 }
 
 // JWTAuth holds JWT authentication configuration.
+// policy status: preview
 type JWTAuth struct {
 	Realm  string `json:"realm"`
 	Secret string `json:"secret"`
 	Token  string `json:"token"`
 }
 
 // IngressMTLS defines an Ingress MTLS policy.
+// policy status: preview
 type IngressMTLS struct {
 	ClientCertSecret string `json:"clientCertSecret"`
 	VerifyClient     string `json:"verifyClient"`
 	VerifyDepth      *int   `json:"verifyDepth"`
 }
 
 // EgressMTLS defines an Egress MTLS policy.
+// policy status: preview
 type EgressMTLS struct {
 	TLSSecret         string `json:"tlsSecret"`
 	VerifyServer      bool   `json:"verifyServer"`
diff --git a/pkg/apis/configuration/validation/policy.go b/pkg/apis/configuration/validation/policy.go
@@ -13,12 +13,12 @@ import (
 )
 
 // ValidatePolicy validates a Policy.
-func ValidatePolicy(policy *v1.Policy, isPlus bool) error {
-	allErrs := validatePolicySpec(&policy.Spec, field.NewPath("spec"), isPlus)
+func ValidatePolicy(policy *v1.Policy, isPlus bool, enablePreviewPolicies bool) error {
+	allErrs := validatePolicySpec(&policy.Spec, field.NewPath("spec"), isPlus, enablePreviewPolicies)
 	return allErrs.ToAggregate()
 }
 
-func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus bool) field.ErrorList {
+func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus bool, enablePreviewPolicies bool) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	fieldCount := 0
@@ -29,11 +29,19 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus bool)
 	}
 
 	if spec.RateLimit != nil {
+		if !enablePreviewPolicies {
+			return append(allErrs, field.Forbidden(fieldPath.Child("rateLimit"),
+				"rateLimit is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
+		}
 		allErrs = append(allErrs, validateRateLimit(spec.RateLimit, fieldPath.Child("rateLimit"), isPlus)...)
 		fieldCount++
 	}
 
 	if spec.JWTAuth != nil {
+		if !enablePreviewPolicies {
+			allErrs = append(allErrs, field.Forbidden(fieldPath.Child("jwt"),
+				"jwt is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
+		}
 		if !isPlus {
 			return append(allErrs, field.Forbidden(fieldPath.Child("jwt"), "jwt secrets are only supported in NGINX Plus"))
 		}
@@ -43,11 +51,19 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus bool)
 	}
 
 	if spec.IngressMTLS != nil {
+		if !enablePreviewPolicies {
+			return append(allErrs, field.Forbidden(fieldPath.Child("ingressMTLS"),
+				"ingressMTLS is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
+		}
 		allErrs = append(allErrs, validateIngressMTLS(spec.IngressMTLS, fieldPath.Child("ingressMTLS"))...)
 		fieldCount++
 	}
 
 	if spec.EgressMTLS != nil {
+		if !enablePreviewPolicies {
+			return append(allErrs, field.Forbidden(fieldPath.Child("egressMTLS"),
+				"egressMTLS is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
+		}
 		allErrs = append(allErrs, validateEgressMTLS(spec.EgressMTLS, fieldPath.Child("egressMTLS"))...)
 		fieldCount++
 	}
diff --git a/pkg/apis/configuration/validation/policy_test.go b/pkg/apis/configuration/validation/policy_test.go
