Added configmap option to disable IPv6 in nginx DNS resolver (#1992)

docs/user-guide/configmap.md

@@ -37,11 +37,12 @@ The following table shows a configuration option's name, type, and the default v
 |[client‑header‑timeout](#client-header-timeout)|int|60|
 |[client‑body‑buffer‑size](#client-body-buffer-size)|string|"8k"|
 |[client‑body‑timeout](#client-body-timeout)|int|60|
-|[disable‑access‑log](#disable-access-log)|bool|"false"|
-|[disable‑ipv6](#disable-ipv6)|bool|"false"|
-|[enable‑underscores‑in‑headers](#enable-underscores-in-headers)|bool|"false"|
-|[ignore‑invalid‑headers](#ignore-invalid-headers)|bool|"true"|
-|[enable‑vts‑status](#enable-vts-status)|bool|"false"|
+|[disable‑access‑log](#disable-access-log)|bool|false|
+|[disable‑ipv6](#disable-ipv6)|bool|false|
+|[disable‑ipv6‑dns](#disable-ipv6-dns)|bool|false|
+|[enable‑underscores‑in‑headers](#enable-underscores-in-headers)|bool|false|
+|[ignore‑invalid‑headers](#ignore-invalid-headers)|bool|true|
+|[enable‑vts‑status](#enable-vts-status)|bool|false|
 |[vts‑status‑zone‑size](#vts-status-zone-size)|string|"10m"|
 |[vts‑default‑filter‑key](#vts-default-filter-key)|string|"$geoip_country_code country::*"|
 |[retry‑non‑idempotent](#retry-non-idempotent)|bool|"false"|
@@ -211,6 +212,10 @@ _References:_
 
 Disable listening on IPV6. By default this is disabled.
 
+## disable-ipv6-dns
+
+Disable IPV6 for nginx DNS reslover. By default this is disabled.
+
 ## enable-underscores-in-headers
 
 Enables underscores in header names. By default this is disabled.
@@ -707,4 +712,4 @@ Enables or disables [buffering of responses from the proxied server](http://ngin
 
 ## limit-request-status-code
 
-Sets the [status code to return in response to rejected requests](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status).Default: 503
+Sets the [status code to return in response to rejected requests](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_status).Default: 503

internal/ingress/controller/config/config.go

@@ -140,6 +140,9 @@ type Configuration struct {
 	//http://nginx.org/en/docs/http/ngx_http_log_module.html
 	DisableAccessLog bool `json:"disable-access-log,omitempty"`
 
+	// DisableIpv6DNS disables IPv6 for nginx resolver
+	DisableIpv6DNS bool `json:"disable-ipv6-dns"`
+
 	// DisableIpv6 disable listening on ipv6 address
 	DisableIpv6 bool `json:"disable-ipv6,omitempty"`
 

internal/ingress/controller/template/configmap.go

@@ -144,6 +144,7 @@ func ReadConfig(src map[string]string) config.Configuration {
 	to.HideHeaders = hideHeaderslist
 	to.HTTPRedirectCode = redirectCode
 	to.ProxyStreamResponses = streamResponses
+	to.DisableIpv6DNS = !ing_net.IsIPv6Enabled()
 
 	config := &mapstructure.DecoderConfig{
 		Metadata:         nil,

internal/ingress/controller/template/template.go

@@ -163,11 +163,16 @@ func formatIP(input string) string {
 }
 
 // buildResolvers returns the resolvers reading the /etc/resolv.conf file
-func buildResolvers(input interface{}) string {
+func buildResolvers(res interface{}, disableIpv6 interface{}) string {
 	// NGINX need IPV6 addresses to be surrounded by brackets
-	nss, ok := input.([]net.IP)
+	nss, ok := res.([]net.IP)
 	if !ok {
-		glog.Errorf("expected a '[]net.IP' type but %T was returned", input)
+		glog.Errorf("expected a '[]net.IP' type but %T was returned", res)
+		return ""
+	}
+	no6, ok := disableIpv6.(bool)
+	if !ok {
+		glog.Errorf("expected a 'bool' type but %T was returned", disableIpv6)
 		return ""
 	}
 
@@ -178,14 +183,21 @@ func buildResolvers(input interface{}) string {
 	r := []string{"resolver"}
 	for _, ns := range nss {
 		if ing_net.IsIPV6(ns) {
+			if no6 {
+				continue
+			}
 			r = append(r, fmt.Sprintf("[%v]", ns))
 		} else {
 			r = append(r, fmt.Sprintf("%v", ns))
 		}
 	}
-	r = append(r, "valid=30s;")
+	r = append(r, "valid=30s")
+
+	if no6 {
+		r = append(r, "ipv6=off")
+	}
 
-	return strings.Join(r, " ")
+	return strings.Join(r, " ") + ";"
 }
 
 // buildLocation produces the location string, if the ingress has redirects

internal/ingress/controller/template/template_test.go

@@ -28,6 +28,7 @@ import (
 
 	"encoding/base64"
 	"fmt"
+
 	"k8s.io/ingress-nginx/internal/file"
 	"k8s.io/ingress-nginx/internal/ingress"
 	"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
@@ -352,7 +353,14 @@ func TestBuildResolvers(t *testing.T) {
 	ipList := []net.IP{ipOne, ipTwo}
 
 	validResolver := "resolver 192.0.0.1 [2001:db8:1234::] valid=30s;"
-	resolver := buildResolvers(ipList)
+	resolver := buildResolvers(ipList, false)
+
+	if resolver != validResolver {
+		t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
+	}
+
+	validResolver = "resolver 192.0.0.1 valid=30s ipv6=off;"
+	resolver = buildResolvers(ipList, true)
 
 	if resolver != validResolver {
 		t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)

rootfs/etc/nginx/template/nginx.tmpl

@@ -172,7 +172,7 @@ http {
     {{ end }}
     error_log  {{ $cfg.ErrorLogPath }} {{ $cfg.ErrorLogLevel }};
 
-    {{ buildResolvers $cfg.Resolver }}
+    {{ buildResolvers $cfg.Resolver $cfg.DisableIpv6DNS }}
 
     {{/* Whenever nginx proxies a request without a "Connection" header, the "Connection" header is set to "close" */}}
     {{/* when making the target request.  This means that you cannot simply use */}}