nginxinc · lucacome · Nov 7, 2022 · Nov 4, 2022
@@ -1,6 +1,6 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
-exclude: docs/_vendor/
+exclude: (^docs/_vendor/|.*pb2.*)
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v4.3.0
@@ -9,13 +9,23 @@ repos:
       - id: end-of-file-fixer
       - id: check-yaml
         args: [--allow-multiple-documents]
+        exclude: ^(deployments/helm-chart.*/templates|deployments/helm-chart/crds)
       - id: check-ast
       - id: check-added-large-files
       - id: check-merge-conflict
       - id: check-shebang-scripts-are-executable
+      - id: check-executables-have-shebangs
+      - id: check-symlinks
+      - id: check-case-conflict
+      - id: check-vcs-permalinks
+      - id: check-json
+      - id: pretty-format-json
+        args: [--autofix, --no-sort-keys, --no-ensure-ascii]
       - id: mixed-line-ending
         args: [--fix=lf]
       - id: name-tests-test
+        args: [--pytest-test-first]
+        exclude: ^(tests/suite/utils|tests/suite/fixtures|tests/suite/grpc|tests/settings.py)
       - id: no-commit-to-branch
       - id: requirements-txt-fixer
       - id: fix-byte-order-marker

@@ -1,5 +1,5 @@
 #!/bin/bash
 
 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout default.key -out default.crt -subj "/CN=NGINXIngressController"
-cat default.key default.crt > default.pem 
-rm default.key default.crt
+cat default.key default.crt > default.pem
+rm default.key default.crt
@@ -1,10 +1,10 @@
 {
-    "filter": {
-        "request_type": "all"
-    },
-    "content": {
-        "format": "default",
-        "max_request_size": "any",
-        "max_message_size": "5k"
-    }
+  "filter": {
+    "request_type": "all"
+  },
+  "content": {
+    "format": "default",
+    "max_request_size": "any",
+    "max_message_size": "5k"
+  }
 }
@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: nginx-ingress 
+  name: nginx-ingress
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: nginx-ingress 
+  name: nginx-ingress
   namespace: nginx-ingress
-#automountServiceAccountToken: false
+#automountServiceAccountToken: false
@@ -15,4 +15,4 @@ app.kubernetes.io/name: {{ include "arbitrator.name" . }}
 helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end -}}
+{{- end -}}
@@ -1,6 +1,6 @@
 arbitrator:
   ## The resources of the Arbitrator pods.
-  resources: 
+  resources:
     limits:
       cpu: 500m
       memory: 128Mi

@@ -1 +1 @@
-The NGINX Ingress Controller has been installed.
+The NGINX Ingress Controller has been installed.
@@ -7,14 +7,14 @@ metadata:
     {{- include "nginx-ingress.labels" . | nindent 4 }}
 rules:
 {{- if .Values.controller.appprotect.enable }}
-- apiGroups: 
+- apiGroups:
   - appprotect.f5.com
-  resources: 
+  resources:
   - appolicies
   - aplogconfs
   - apusersigs
-  verbs: 
-  - get 
+  verbs:
+  - get
   - watch
   - list
 {{- end }}

@@ -3,15 +3,15 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: nginx-ingress-app-protect
 rules:
-- apiGroups: 
+- apiGroups:
   - appprotect.f5.com
-  resources: 
+  resources:
   - appolicies
   - aplogconfs
   - apusersigs
-  verbs: 
-  - "get" 
-  - "watch" 
+  verbs:
+  - "get"
+  - "watch"
   - "list"
 ---
 kind: ClusterRoleBinding

@@ -11,4 +11,4 @@ spec:
       port: 3000
       protocol: TCP
       targetPort: 3000
-  clusterIP: None
+  clusterIP: None
@@ -4,7 +4,7 @@ metadata:
   name: nginx-ingress
   namespace: nginx-ingress
 spec:
-  type: NodePort 
+  type: NodePort
   ports:
   - port: 80
     targetPort: 80

@@ -22,7 +22,7 @@ hugo-mod:
 
 build-production:
 	hugo --gc -e production
-	
+
 build-staging:
 	hugo --gc -e staging
 
@@ -37,4 +37,4 @@ netlify:
 	netlify deploy -d public
 
 replace-theme:
-	go mod edit -replace "$(THEME_MODULE)"="$(THEME_PATH)"
+	go mod edit -replace "$(THEME_MODULE)"="$(THEME_PATH)"
@@ -1,6 +1,6 @@
 ---
 title: NGINX Ingress Controller
-description: 
+description:
 linkTitle: "NGINX Ingress Controller"
 menu: docs
 ---
@@ -17,10 +17,10 @@ The NGINX Ingress Controller has a set of global configuration parameters that a
 
 ## Enabling App Protect
 
-You can enable and configure NGINX App Protect WAF on the Custom Resources (VirtualServer, VirtualServerRoute) or on the Ingress-resource basis. 
-	
+You can enable and configure NGINX App Protect WAF on the Custom Resources (VirtualServer, VirtualServerRoute) or on the Ingress-resource basis.
+
 To configure NGINX App Protect WAF on a VirtualServer resource, you would create a Policy Custom Resource referencing the APPolicy Custom Resource, and add this to the VirtualServer definition. See the documentation on the [App Protect WAF Policy](/nginx-ingress-controller/configuration/policy-resource/#waf).
-	
+
 To configure NGINX App Protect WAF on an Ingress resource, you would apply the [App Protect annotations](/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/#app-protect) to each desired resource.
 
 
@@ -211,15 +211,15 @@ spec:
 
 ## OpenAPI Specification in NGINX Ingress Controller
 
-The OpenAPI Specification defines the spec file format needed to describe RESTful APIs. The spec file can be written either in JSON or YAML. Using a spec file simplifies the work of implementing API protection. Refer to the [OpenAPI Specification](#https://github.com/OAI/OpenAPI-Specification) (formerly called Swagger) for details. 
+The OpenAPI Specification defines the spec file format needed to describe RESTful APIs. The spec file can be written either in JSON or YAML. Using a spec file simplifies the work of implementing API protection. Refer to the [OpenAPI Specification](#https://github.com/OAI/OpenAPI-Specification) (formerly called Swagger) for details.
 
 NGINX Ingress Controller supports OpenAPI Specification versions 2.0 and 3.0.
 
 The simplest way to create an API protection policy is using an OpenAPI Specification file to import the details of the APIs. If you use an OpenAPI Specification file, NGINX App Protect WAF will automatically create a policy for the following properties (depending on what's included in the spec file):
 * Methods
 * URLs
 * Parameters
-* JSON profiles 
+* JSON profiles
 
 An OpenAPI-ready policy template is provided with the NGINX App Protect WAF packages and is located in: `/etc/app_protect/conf/NginxApiSecurityPolicy.json`
 
@@ -359,7 +359,7 @@ paths:
           required: false
           allowEmptyValue: true
           schema:
-            type: string           
+            type: string
       responses:
         200:
           description: OK
@@ -398,7 +398,7 @@ In this example we deploy the NGINX Plus Ingress Controller with NGINX App Prote
     $ IC_HTTP_PORT=<port number>
     ```
 
-### Step 1. Deploy a Web Application 
+### Step 1. Deploy a Web Application
 
 Create the application deployment and service:
   ```
@@ -423,7 +423,7 @@ Create the application deployment and service:
 ### Step 3 - Deploy the WAF Policy
 
 Create the WAF policy
- ``` 
+ ```
   $ kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v2.4.1/examples/custom-resources/waf/waf.yaml
   ```
   Note the App Protect configuration settings in the Policy resource. They enable WAF protection by configuring App Protect with the policy and log configuration created in the previous step.
@@ -486,4 +486,4 @@ spec:
   - path: /
     action:
       pass: webapp
-```
+```
@@ -1,6 +1,6 @@
 ---
 title: Configuration
-description: 
+description:
 weight: 1400
 menu:
   docs:

@@ -1,6 +1,6 @@
 ---
 title: Global Configuration
-description: 
+description:
 weight: 1400
 menu:
   docs:

@@ -466,4 +466,4 @@ Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack.
 
 Default `false`.
 &nbsp;
-<a name="cmdoption-disable-ipv6"></a>
+<a name="cmdoption-disable-ipv6"></a>
@@ -22,7 +22,7 @@ When [installing](/nginx-ingress-controller/installation/installation-with-manif
 The GlobalConfiguration resource defines the global configuration parameters of the Ingress Controller. Below is an example:
 ```yaml
 apiVersion: k8s.nginx.org/v1alpha1
-kind: GlobalConfiguration 
+kind: GlobalConfiguration
 metadata:
   name: nginx-configuration
   namespace: nginx-ingress
@@ -34,13 +34,13 @@ spec:
   - name: dns-tcp
     port: 5353
     protocol: TCP
-``` 
+```
 
-{{% table %}} 
-|Field | Description | Type | Required | 
-| ---| ---| ---| --- | 
-|``listeners`` | A list of listeners. | [[]listener](#listener) | No | 
-{{% /table %}} 
+{{% table %}}
+|Field | Description | Type | Required |
+| ---| ---| ---| --- |
+|``listeners`` | A list of listeners. | [[]listener](#listener) | No |
+{{% /table %}}
 
 ### Listener
 
@@ -51,15 +51,15 @@ port: 5353
 protocol: TCP
 ```
 
-{{% table %}} 
-|Field | Description | Type | Required | 
-| ---| ---| ---| --- | 
-|``name`` | The name of the listener. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``listener-123`` are valid. The name must be unique among all listeners. The name ``tls-passthrough`` is reserved for the built-in TLS Passthrough listener and cannot be used. | ``string`` | Yes | 
-|``port`` | The port of the listener. The port must fall into the range ``1..65535`` with the following exceptions: ``80``, ``443``, the [status port](/nginx-ingress-controller/logging-and-monitoring/status-page), the [Prometheus metrics port](/nginx-ingress-controller/logging-and-monitoring/prometheus). Among all listeners, only a single combination of a port-protocol is allowed. | ``int`` | Yes | 
-|``protocol`` | The protocol of the listener. Supported values: ``TCP`` and ``UDP``. | ``string`` | Yes | 
-{{% /table %}} 
+{{% table %}}
+|Field | Description | Type | Required |
+| ---| ---| ---| --- |
+|``name`` | The name of the listener. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``listener-123`` are valid. The name must be unique among all listeners. The name ``tls-passthrough`` is reserved for the built-in TLS Passthrough listener and cannot be used. | ``string`` | Yes |
+|``port`` | The port of the listener. The port must fall into the range ``1..65535`` with the following exceptions: ``80``, ``443``, the [status port](/nginx-ingress-controller/logging-and-monitoring/status-page), the [Prometheus metrics port](/nginx-ingress-controller/logging-and-monitoring/prometheus). Among all listeners, only a single combination of a port-protocol is allowed. | ``int`` | Yes |
+|``protocol`` | The protocol of the listener. Supported values: ``TCP`` and ``UDP``. | ``string`` | Yes |
+{{% /table %}}
 
-## Using GlobalConfiguration 
+## Using GlobalConfiguration
 
 You can use the usual `kubectl` commands to work with a GlobalConfiguration resource.
 
@@ -107,7 +107,7 @@ If a resource is not rejected (it doesn't violate the structural schema), the In
 
 The Ingress Controller validates the fields of a GlobalConfiguration resource. If a resource is invalid, the Ingress Controller will not use it. Consider the following two cases:
 1. When the Ingress Controller pod starts, if the GlobalConfiguration resource is invalid, the Ingress Controller will fail to start and exit with an error.
-1. When the Ingress Controller is running, if the GlobalConfiguration resource becomes invalid, the Ingress Controller will ignore the new version. It will report an error and continue to use the previous version. When the resource becomes valid again, the Ingress Controller will start using it. 
+1. When the Ingress Controller is running, if the GlobalConfiguration resource becomes invalid, the Ingress Controller will ignore the new version. It will report an error and continue to use the previous version. When the resource becomes valid again, the Ingress Controller will start using it.
 
 **Note**: If a GlobalConfiguration is deleted while the Ingress Controller is running, the controller will keep using the previous version of the resource.
 

@@ -47,7 +47,7 @@ $ kubectl get virtualservers
 To see an external hostname address associated with a VirtualServer resource, use the `-o wide` option:
 
 ```
-$ kubectl get virtualservers -o wide 
+$ kubectl get virtualservers -o wide
   NAME   STATE   HOST               IP    EXTERNALHOSTNAME                                                         PORTS      AGE
   cafe   Valid   cafe.example.com         ae430f41a1a0042908655abcdefghijkl-12345678.eu-west-2.elb.amazonaws.com   [80,443]   106s
 ```

@@ -1,6 +1,6 @@
 ---
 title: Ingress Resources
-description: 
+description:
 weight: 1500
 menu:
   docs:

@@ -1,6 +1,6 @@
 ---
 title: Installation
-description: 
+description:
 weight: 1300
 menu:
   docs:

@@ -86,9 +86,9 @@ In this section, we create resources common for most of the Ingress Controller i
 2. If you would like to use the TCP and UDP load balancing features of the Ingress Controller, create the following additional resources:
 
 Create a custom resource definition for [GlobalConfiguration](/nginx-ingress-controller/configuration/global-configuration/globalconfiguration-resource) resource:
-  
+
     $ kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml
-    
+
 3. If you would like to use the App Protect WAF module, create the following additional resources:
 
 Create a custom resource definition for `APPolicy`, `APLogConf` and `APUserSig`:

@@ -1,6 +1,6 @@
 ---
 title: Intro
-description: 
+description:
 weight: 1200
 menu:
   docs:

@@ -266,7 +266,7 @@ Reloading NGINX is necessary to apply the new configuration and involves the fol
 1. The administrator sends a HUP (hangup) signal to the NGINX master process to trigger a reload.
 1. The master process brings down the worker processes with the old configuration and starts worker processes with the new configuration.
 1. The administrator verifies the reload has successfully finished.
-  
+
 > Refer to the [NGINX documentation](https://nginx.org/en/docs/control.html#reconfiguration) for more details about reloading. See also [this blog post](https://www.nginx.com/blog/inside-nginx-how-we-designed-for-performance-scale/) for an overview of the NGINX architecture.
 
 #### How to Reload
@@ -298,13 +298,13 @@ Since both the old and new NGINX worker processes coexist during a reload, reloa
 
 ### Reloading in the IC
 
-The Ingress Controller reloads NGINX to apply configuration changes. 
+The Ingress Controller reloads NGINX to apply configuration changes.
 
-To facilitate reloading, the Ingress Controller configures a server listening on the Unix socket `unix:/var/lib/nginx/nginx-config-version.sock` that responds with the config version for `/configVersion` URI. The Ingress Controller writes the config to  `/etc/nginx/config-version.conf`. 
+To facilitate reloading, the Ingress Controller configures a server listening on the Unix socket `unix:/var/lib/nginx/nginx-config-version.sock` that responds with the config version for `/configVersion` URI. The Ingress Controller writes the config to  `/etc/nginx/config-version.conf`.
 
 A reload involves multiple steps:
 1. The Ingress Controller updates generated configuration files, including any secrets.
-1. The Ingress Controller updates the config version in `/etc/nginx/config-version.conf`. 
+1. The Ingress Controller updates the config version in `/etc/nginx/config-version.conf`.
 1. The Ingress Controller runs `nginx -s reload`. If the command fails, the Ingress Controller logs the error and considers the reload failed.
 2. Assuming the command succeeds, the Ingress Controller periodically checks for the config version by sending an HTTP request to the config version server on  `unix:/var/lib/nginx/nginx-config-version.sock`.
 3. Once the Ingress Controller sees the correct config version returned by NGINX, it considers the reload successful. If it doesn't see the correct config version after the configurable timeout (see `-nginx-reload-timeout` [cli argument](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments), the Ingress Controller considers the reload failed.