HTTP/3 support

build/kind.yaml

@@ -16,3 +16,6 @@ nodes:
       - containerPort: 443
         hostPort: 443
         protocol: TCP
+      - containerPort: 443
+        hostPort: 443
+        protocol: UDP

charts/ingress-nginx/README.md

@@ -316,8 +316,9 @@ metadata:
 | controller.configAnnotations | object | `{}` | Annotations to be added to the controller config configuration configmap. |
 | controller.configMapNamespace | string | `""` | Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE) |
 | controller.containerName | string | `"controller"` | Configures the controller container name |
-| controller.containerPort | object | `{"http":80,"https":443}` | Configures the ports that the nginx-controller listens on |
+| controller.containerPort | object | `{"http":80,"https":443}` | Configures the TCP ports that the nginx-controller listens on |
 | controller.containerSecurityContext | object | `{}` | Security context for controller containers |
+| controller.containerUdpPort | list | `[]` | Configures the UDP ports that the nginx-controller listens on |
 | controller.customTemplate.configMapKey | string | `""` |  |
 | controller.customTemplate.configMapName | string | `""` |  |
 | controller.disableLeaderElection | bool | `false` | This configuration disable Nginx Controller Leader Election |
@@ -342,6 +343,7 @@ metadata:
 | controller.hostPort.enabled | bool | `false` | Enable 'hostPort' or not |
 | controller.hostPort.ports.http | int | `80` | 'hostPort' http port |
 | controller.hostPort.ports.https | int | `443` | 'hostPort' https port |
+| controller.hostPort.ports.quic | int | `443` | 'hostPort' quic port |
 | controller.hostname | object | `{}` | Optionally customize the pod hostname. |
 | controller.image.allowPrivilegeEscalation | bool | `false` |  |
 | controller.image.chroot | bool | `false` |  |
@@ -451,6 +453,7 @@ metadata:
 | controller.service.clusterIPs | list | `[]` | Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services. This value is immutable. Set once, it can not be changed without deleting and re-creating the service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address |
 | controller.service.enableHttp | bool | `true` | Enable the HTTP listener on both controller services or not. |
 | controller.service.enableHttps | bool | `true` | Enable the HTTPS listener on both controller services or not. |
+| controller.service.enableQuic | bool | `false` | Enable the QUIC listener on both controller services or not. |
 | controller.service.enabled | bool | `true` | Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service. |
 | controller.service.external.enabled | bool | `true` | Enable the external controller service or not. Useful for internal-only deployments. |
 | controller.service.external.labels | object | `{}` | Labels to be added to the external controller service. |
@@ -471,6 +474,7 @@ metadata:
 | controller.service.internal.loadBalancerSourceRanges | list | `[]` | Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default. |
 | controller.service.internal.nodePorts.http | string | `""` | Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
 | controller.service.internal.nodePorts.https | string | `""` | Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.internal.nodePorts.quic | string | `""` | Node port allocated for the internal QUIC listener. If left empty, the service controller allocates one from the configured node port range. |
 | controller.service.internal.nodePorts.tcp | object | `{}` | Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp:   8080: 30080 |
 | controller.service.internal.nodePorts.udp | object | `{}` | Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp:   53: 30053 |
 | controller.service.internal.ports | object | `{}` |  |
@@ -486,13 +490,16 @@ metadata:
 | controller.service.loadBalancerSourceRanges | list | `[]` | Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default. |
 | controller.service.nodePorts.http | string | `""` | Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range. |
 | controller.service.nodePorts.https | string | `""` | Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range. |
+| controller.service.nodePorts.quic | string | `""` | Node port allocated for the external QUIC listener. If left empty, the service controller allocates one from the configured node port range. |
 | controller.service.nodePorts.tcp | object | `{}` | Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range. Example: tcp:   8080: 30080 |
 | controller.service.nodePorts.udp | object | `{}` | Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range. Example: udp:   53: 30053 |
 | controller.service.ports.http | int | `80` | Port the external HTTP listener is published with. |
 | controller.service.ports.https | int | `443` | Port the external HTTPS listener is published with. |
+| controller.service.ports.quic | int | `443` | Port the external QUIC listener is published with. |
 | controller.service.sessionAffinity | string | `""` | Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None". Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity |
 | controller.service.targetPorts.http | string | `"http"` | Port of the ingress controller the external HTTP listener is mapped to. |
 | controller.service.targetPorts.https | string | `"https"` | Port of the ingress controller the external HTTPS listener is mapped to. |
+| controller.service.targetPorts.quic | string | `"quic"` | Port of the ingress controller the external QUIC listener is mapped to. |
 | controller.service.trafficDistribution | string | `""` | Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution |
 | controller.service.type | string | `"LoadBalancer"` | Type of the external controller service. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
 | controller.shareProcessNamespace | bool | `false` |  |

charts/ingress-nginx/templates/controller-daemonset.yaml

@@ -121,6 +121,14 @@ spec:
               hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }}
               {{- end }}
           {{- end }}
+          {{- range $key, $value := .Values.controller.containerUdpPort }}
+            - name: {{ $key }}
+              containerPort: {{ $value }}
+              protocol: UDP
+              {{- if $.Values.controller.hostPort.enabled }}
+              hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }}
+              {{- end }}
+          {{- end }}
           {{- if .Values.controller.metrics.enabled }}
             - name: {{ .Values.controller.metrics.portName }}
               containerPort: {{ .Values.controller.metrics.port }}

charts/ingress-nginx/templates/controller-deployment.yaml

@@ -127,6 +127,14 @@ spec:
               hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }}
               {{- end }}
           {{- end }}
+          {{- range $key, $value := .Values.controller.containerUdpPort }}
+            - name: {{ $key }}
+              containerPort: {{ $value }}
+              protocol: UDP
+              {{- if $.Values.controller.hostPort.enabled }}
+              hostPort: {{ index $.Values.controller.hostPort.ports $key | default $value }}
+              {{- end }}
+          {{- end }}
           {{- if .Values.controller.metrics.enabled }}
             - name: {{ .Values.controller.metrics.portName }}
               containerPort: {{ .Values.controller.metrics.port }}

charts/ingress-nginx/templates/controller-networkpolicy.yaml

@@ -24,6 +24,10 @@ spec:
         - protocol: TCP
           port: {{ $value }}
       {{- end }}
+      {{- range $key, $value := .Values.controller.containerUdpPort }}
+        - protocol: UDP
+          port: {{ $value }}
+      {{- end }}
       {{- if .Values.controller.metrics.enabled }}
         - protocol: TCP
           port: {{ .Values.controller.metrics.port }}

charts/ingress-nginx/templates/controller-service-internal.yaml

@@ -88,6 +88,18 @@ spec:
       nodePort: {{ .Values.controller.service.internal.nodePorts.https }}
     {{- end }}
   {{- end }}
+  {{- if .Values.controller.service.enableQuic }}
+    - name: quic
+      port: {{ .Values.controller.service.internal.ports.quic | default .Values.controller.service.ports.quic }}
+      protocol: UDP
+      targetPort: {{ .Values.controller.service.internal.targetPorts.quic | default .Values.controller.service.targetPorts.quic }}
+    {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.internal.appProtocol) }}
+      appProtocol: https
+    {{- end }}
+    {{- if (and $setNodePorts (not (empty .Values.controller.service.internal.nodePorts.quic))) }}
+      nodePort: {{ .Values.controller.service.internal.nodePorts.quic }}
+    {{- end }}
+  {{- end }}
   {{- range $key, $value := .Values.tcp }}
     - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
       port: {{ $key }}

charts/ingress-nginx/templates/controller-service.yaml

@@ -88,6 +88,18 @@ spec:
       nodePort: {{ .Values.controller.service.nodePorts.https }}
     {{- end }}
   {{- end }}
+  {{- if .Values.controller.service.enableQuic }}
+    - name: quic
+      port: {{ .Values.controller.service.ports.quic }}
+      protocol: UDP
+      targetPort: {{ .Values.controller.service.targetPorts.quic }}
+    {{- if and (semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version) (.Values.controller.service.appProtocol) }}
+      appProtocol: https
+    {{- end }}
+    {{- if (and $setNodePorts (not (empty .Values.controller.service.nodePorts.quic))) }}
+      nodePort: {{ .Values.controller.service.nodePorts.quic }}
+    {{- end }}
+  {{- end }}
   {{- range $key, $value := .Values.tcp }}
     - name: {{ if $.Values.portNamePrefix }}{{ $.Values.portNamePrefix }}-{{ end }}{{ $key }}-tcp
       port: {{ $key }}

charts/ingress-nginx/tests/controller-daemonset_test.yaml

@@ -208,3 +208,14 @@ tests:
       - equal:
           path: spec.template.spec.runtimeClassName
           value: myClass
+  - it: should create a DaemonSet with a custom UDP container port if `controller.containerUdpPort.quic` is set
+    set:
+      controller.kind: DaemonSet
+      controller.containerUdpPort.quic: 1234
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].ports
+          content:
+            name: quic
+            containerPort: 1234
+            protocol: UDP

charts/ingress-nginx/tests/controller-deployment_test.yaml

@@ -231,3 +231,14 @@ tests:
       - equal:
           path: spec.template.spec.runtimeClassName
           value: myClass
+
+  - it: should create a Deployment with a custom UDP container port if `controller.containerUdpPort.quic` is set
+    set:
+      controller.containerUdpPort.quic: 1234
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].ports
+          content:
+            name: quic
+            containerPort: 1234
+            protocol: UDP

charts/ingress-nginx/tests/controller-networkpolicy_test.yaml

@@ -21,3 +21,14 @@ tests:
       - equal:
           path: metadata.name
           value: RELEASE-NAME-ingress-nginx-controller
+
+  - it: should create a NetworkPolicy with a custom UDP port if `controller.containerUdpPort.quic` is set
+    set:
+      controller.networkPolicy.enabled: true
+      controller.containerUdpPort.quic: 1234
+    asserts:
+      - contains:
+          path: spec.ingress[0].ports
+          content:
+            protocol: UDP
+            port: 1234

charts/ingress-nginx/tests/controller-service-internal_test.yaml

@@ -73,3 +73,57 @@ tests:
       - equal:
           path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"]
           value: internal.example.com
+
+  - it: should create a Service with a default UDP port if `controller.service.enableQuic` is set
+    set:
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+      controller.service.enableQuic: true
+    asserts:
+      - contains:
+          path: spec.ports
+          content:
+            name: quic
+            port: 443
+            protocol: UDP
+            targetPort: quic
+            appProtocol: https
+
+  - it: should create a Service with a custom internal UDP port if `controller.service.enableQuic` is set
+    set:
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+      controller.service.enableQuic: true
+      controller.service.ports.quic: 1234
+      controller.service.targetPorts.quic: 5678
+      controller.service.internal.ports.quic: 4321
+      controller.service.internal.targetPorts.quic: 8765
+    asserts:
+      - contains:
+          path: spec.ports
+          content:
+            name: quic
+            port: 4321
+            protocol: UDP
+            targetPort: 8765
+            appProtocol: https
+
+  - it: should create a Service with a custom service UDP port if `controller.service.enableQuic` is set
+    set:
+      controller.service.internal.enabled: true
+      controller.service.internal.annotations:
+        test.annotation: "true"
+      controller.service.enableQuic: true
+      controller.service.ports.quic: 1234
+      controller.service.targetPorts.quic: 5678
+    asserts:
+      - contains:
+          path: spec.ports
+          content:
+            name: quic
+            port: 1234
+            protocol: UDP
+            targetPort: 5678
+            appProtocol: https

charts/ingress-nginx/tests/controller-service_test.yaml

@@ -72,3 +72,31 @@ tests:
       - equal:
           path: metadata.labels["external-dns.alpha.kubernetes.io/hostname"]
           value: external.example.com
+
+  - it: should create a Service with a default UDP port if `controller.service.enableQuic` is set
+    set:
+      controller.service.enableQuic: true
+    asserts:
+      - contains:
+          path: spec.ports
+          content:
+            name: quic
+            port: 443
+            protocol: UDP
+            targetPort: quic
+            appProtocol: https
+
+  - it: should create a Service with a custom UDP port if `controller.service.enableQuic` is set
+    set:
+      controller.service.enableQuic: true
+      controller.service.ports.quic: 1234
+      controller.service.targetPorts.quic: 5678
+    asserts:
+      - contains:
+          path: spec.ports
+          content:
+            name: quic
+            port: 1234
+            protocol: UDP
+            targetPort: 5678
+            appProtocol: https

charts/ingress-nginx/values.yaml

@@ -47,10 +47,13 @@ controller:
     readOnlyRootFilesystem: false
   # -- Configures the controller container name
   containerName: controller
-  # -- Configures the ports that the nginx-controller listens on
+  # -- Configures the TCP ports that the nginx-controller listens on
   containerPort:
     http: 80
     https: 443
+  # -- Configures the UDP ports that the nginx-controller listens on
+  containerUdpPort: []
+  # quic: 443
   # -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates.
   # Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
   config: {}
@@ -115,6 +118,8 @@ controller:
       http: 80
       # -- 'hostPort' https port
       https: 443
+      # -- 'hostPort' quic port
+      quic: 443
   # NetworkPolicy for controller component.
   networkPolicy:
     # -- Enable 'networkPolicy' or not
@@ -546,16 +551,22 @@ controller:
     enableHttp: true
     # -- Enable the HTTPS listener on both controller services or not.
     enableHttps: true
+    # -- Enable the QUIC listener on both controller services or not.
+    enableQuic: false
     ports:
       # -- Port the external HTTP listener is published with.
       http: 80
       # -- Port the external HTTPS listener is published with.
       https: 443
+      # -- Port the external QUIC listener is published with.
+      quic: 443
     targetPorts:
       # -- Port of the ingress controller the external HTTP listener is mapped to.
       http: http
       # -- Port of the ingress controller the external HTTPS listener is mapped to.
       https: https
+      # -- Port of the ingress controller the external QUIC listener is mapped to.
+      quic: quic
     # -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
     # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
     appProtocol: true
@@ -564,6 +575,8 @@ controller:
       http: ""
       # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
       https: ""
+      # -- Node port allocated for the external QUIC listener. If left empty, the service controller allocates one from the configured node port range.
+      quic: ""
       # -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range.
       # Example:
       # tcp:
@@ -638,6 +651,9 @@ controller:
       # -- Port the internal HTTPS listener is published with.
       # Defaults to the value of `controller.service.ports.https`.
       # https: 443
+      # -- Port the internal QUIC listener is published with.
+      # Defaults to the value of `controller.service.ports.quic`.
+      # quic: 443
 
       targetPorts: {}
       # -- Port of the ingress controller the internal HTTP listener is mapped to.
@@ -646,6 +662,9 @@ controller:
       # -- Port of the ingress controller the internal HTTPS listener is mapped to.
       # Defaults to the value of `controller.service.targetPorts.https`.
       # https: https
+      # -- Port of the ingress controller the internal QUIC listener is mapped to.
+      # Defaults to the value of `controller.service.targetPorts.quic`.
+      # quic: quic
 
       # -- Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
       # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
@@ -655,6 +674,8 @@ controller:
         http: ""
         # -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
         https: ""
+        # -- Node port allocated for the internal QUIC listener. If left empty, the service controller allocates one from the configured node port range.
+        quic: ""
         # -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range.
         # Example:
         # tcp:

cmd/nginx/main_test.go

@@ -98,7 +98,7 @@ func TestHandleSigterm(t *testing.T) {
 		os.Args = oldArgs
 	}()
 
-	os.Args = []string{"cmd", "--default-backend-service", "ingress-nginx/default-backend-http", "--http-port", "0", "--https-port", "0"}
+	os.Args = []string{"cmd", "--default-backend-service", "ingress-nginx/default-backend-http", "--http-port", "0", "--https-port", "0", "--quic-port", "0"}
 	_, conf, err := ingressflags.ParseFlags()
 	if err != nil {
 		t.Errorf("Unexpected error creating NGINX controller: %v", err)