initial commit for rewrite-target annotation

Author: vepatel

internal/configs/annotations.go

@@ -18,6 +18,9 @@ const BasicAuthSecretAnnotation = "nginx.org/basic-auth-secret" // #nosec G101
 // PathRegexAnnotation is the annotation where the regex location (path) modifier is specified.
 const PathRegexAnnotation = "nginx.org/path-regex"
 
+// RewriteTargetAnnotation is the annotation where the regex-based rewrite target is specified.
+const RewriteTargetAnnotation = "nginx.org/rewrite-target"
+
 // SSLCiphersAnnotation is the annotation where SSL ciphers are specified.
 const SSLCiphersAnnotation = "nginx.org/ssl-ciphers"
 
@@ -590,6 +593,26 @@ func getRewrites(ctx context.Context, ingEx *IngressEx) map[string]string {
 	return nil
 }
 
+func getRewriteTarget(ctx context.Context, ingEx *IngressEx) (string, Warnings) {
+	l := nl.LoggerFromContext(ctx)
+	warnings := newWarnings()
+	
+	// Check for mutual exclusivity
+	if _, hasRewrites := ingEx.Ingress.Annotations["nginx.org/rewrites"]; hasRewrites {
+		if _, hasRewriteTarget := ingEx.Ingress.Annotations[RewriteTargetAnnotation]; hasRewriteTarget {
+			warningMsg := "nginx.org/rewrites and nginx.org/rewrite-target annotations are mutually exclusive; nginx.org/rewrites will take precedence"
+			nl.Errorf(l, "Ingress %s/%s: %s", ingEx.Ingress.Namespace, ingEx.Ingress.Name, warningMsg)
+			warnings.AddWarning(ingEx.Ingress, warningMsg)
+			return "", warnings
+		}
+	}
+	
+	if value, exists := ingEx.Ingress.Annotations[RewriteTargetAnnotation]; exists {
+		return value, warnings
+	}
+	return "", warnings
+}
+
 func getSSLServices(ingEx *IngressEx) map[string]bool {
 	if value, exists := ingEx.Ingress.Annotations["nginx.org/ssl-services"]; exists {
 		return ParseServiceList(value)

internal/configs/ingress.go

@@ -103,6 +103,7 @@ func generateNginxCfg(p NginxCfgParams) (version1.IngressNginxConfig, Warnings)
 	wsServices := getWebsocketServices(p.ingEx)
 	spServices := getSessionPersistenceServices(p.BaseCfgParams.Context, p.ingEx)
 	rewrites := getRewrites(p.BaseCfgParams.Context, p.ingEx)
+	rewriteTarget, rewriteTargetWarnings := getRewriteTarget(p.BaseCfgParams.Context, p.ingEx)
 	sslServices := getSSLServices(p.ingEx)
 	grpcServices := getGrpcServices(p.ingEx)
 
@@ -129,6 +130,7 @@ func generateNginxCfg(p NginxCfgParams) (version1.IngressNginxConfig, Warnings)
 	}
 
 	allWarnings := newWarnings()
+	allWarnings.Add(rewriteTargetWarnings)
 
 	var servers []version1.Server
 	var limitReqZones []version1.LimitReqZone
@@ -255,7 +257,7 @@ func generateNginxCfg(p NginxCfgParams) (version1.IngressNginxConfig, Warnings)
 			ssl := isSSLEnabled(sslServices[path.Backend.Service.Name], cfgParams, p.staticParams)
 			proxySSLName := generateProxySSLName(path.Backend.Service.Name, p.ingEx.Ingress.Namespace)
 			loc := createLocation(pathOrDefault(path.Path), upstreams[upsName], &cfgParams, wsServices[path.Backend.Service.Name], rewrites[path.Backend.Service.Name],
-				ssl, grpcServices[path.Backend.Service.Name], proxySSLName, path.PathType, path.Backend.Service.Name)
+				ssl, grpcServices[path.Backend.Service.Name], proxySSLName, path.PathType, path.Backend.Service.Name, rewriteTarget, path.Path)
 
 			if p.isMinion && cfgParams.JWTKey != "" {
 				jwtAuth, redirectLoc, warnings := generateJWTConfig(p.ingEx.Ingress, p.ingEx.SecretRefs, &cfgParams, getNameForRedirectLocation(p.ingEx.Ingress))
@@ -320,7 +322,7 @@ func generateNginxCfg(p NginxCfgParams) (version1.IngressNginxConfig, Warnings)
 			pathtype := networking.PathTypePrefix
 
 			loc := createLocation(pathOrDefault("/"), upstreams[upsName], &cfgParams, wsServices[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name], rewrites[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name],
-				ssl, grpcServices[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name], proxySSLName, &pathtype, p.ingEx.Ingress.Spec.DefaultBackend.Service.Name)
+				ssl, grpcServices[p.ingEx.Ingress.Spec.DefaultBackend.Service.Name], proxySSLName, &pathtype, p.ingEx.Ingress.Spec.DefaultBackend.Service.Name, rewriteTarget, "/")
 			locations = append(locations, loc)
 
 			if cfgParams.HealthCheckEnabled {
@@ -487,9 +489,10 @@ func generateIngressPath(path string, pathType *networking.PathType) string {
 	return path
 }
 
-func createLocation(path string, upstream version1.Upstream, cfg *ConfigParams, websocket bool, rewrite string, ssl bool, grpc bool, proxySSLName string, pathType *networking.PathType, serviceName string) version1.Location {
+func createLocation(path string, upstream version1.Upstream, cfg *ConfigParams, websocket bool, rewrite string, ssl bool, grpc bool, proxySSLName string, pathType *networking.PathType, serviceName string, rewriteTarget string, originalPath string) version1.Location {
 	loc := version1.Location{
 		Path:                 generateIngressPath(path, pathType),
+		OriginalPath:         originalPath,
 		Upstream:             upstream,
 		ProxyConnectTimeout:  cfg.ProxyConnectTimeout,
 		ProxyReadTimeout:     cfg.ProxyReadTimeout,
@@ -498,6 +501,7 @@ func createLocation(path string, upstream version1.Upstream, cfg *ConfigParams,
 		ClientMaxBodySize:    cfg.ClientMaxBodySize,
 		Websocket:            websocket,
 		Rewrite:              rewrite,
+		RewriteTarget:        rewriteTarget,
 		SSL:                  ssl,
 		GRPC:                 grpc,
 		ProxyBuffering:       cfg.ProxyBuffering,

internal/configs/version1/config.go

@@ -169,6 +169,7 @@ type LimitReq struct {
 type Location struct {
 	LocationSnippets     []string
 	Path                 string
+	OriginalPath         string
 	Upstream             Upstream
 	ProxyConnectTimeout  string
 	ProxyReadTimeout     string
@@ -177,6 +178,7 @@ type Location struct {
 	ClientMaxBodySize    string
 	Websocket            bool
 	Rewrite              string
+	RewriteTarget        string
 	SSL                  bool
 	GRPC                 bool
 	ProxyBuffering       bool

internal/configs/version1/nginx-plus.ingress.tmpl

@@ -202,6 +202,9 @@ server {
 		set $resource_name "{{$location.MinionIngress.Name}}";
 		set $resource_namespace "{{$location.MinionIngress.Namespace}}";
 		{{- end}}
+		{{- if $location.RewriteTarget}}
+		rewrite {{ makeRewritePattern $location $.Ingress.Annotations }} {{$location.RewriteTarget}} break;
+		{{- end}}
 		{{- if $location.GRPC}}
 		{{- if not $server.GRPCOnly}}
 		error_page 400 @grpcerror400;

internal/configs/version1/nginx.ingress.tmpl

@@ -124,6 +124,9 @@ server {
 		set $resource_name "{{$location.MinionIngress.Name}}";
 		set $resource_namespace "{{$location.MinionIngress.Namespace}}";
 		{{- end}}
+		{{- if $location.RewriteTarget}}
+		rewrite {{ makeRewritePattern $location $.Ingress.Annotations }} {{$location.RewriteTarget}} break;
+		{{- end}}
 		{{- if $location.GRPC}}
 		{{- if not $server.GRPCOnly}}
 		error_page 400 @grpcerror400;

internal/configs/version1/template_helper.go

@@ -202,6 +202,44 @@ func makeResolver(resolverAddresses []string, resolverValid string, resolverIPV6
 	return builder.String()
 }
 
+// makeRewritePattern takes a location and Ingress annotations and returns
+// a rewrite pattern that matches the location pattern used.
+// This ensures the rewrite regex matches the same requests as the location.
+func makeRewritePattern(loc *Location, ingressAnnotations map[string]string) string {
+	var regexType string
+	var hasRegex bool
+
+	// Check for path-regex annotation (same logic as makeLocationPath)
+	if loc.MinionIngress != nil {
+		ingressType, isMergeable := loc.MinionIngress.Annotations["nginx.org/mergeable-ingress-type"]
+		regexType, hasRegex = loc.MinionIngress.Annotations["nginx.org/path-regex"]
+		if !(isMergeable && ingressType == "minion" && hasRegex) {
+			hasRegex = false
+		}
+	}
+
+	if !hasRegex {
+		regexType, hasRegex = ingressAnnotations["nginx.org/path-regex"]
+	}
+
+	// If no path-regex annotation, return original path
+	if !hasRegex {
+		return loc.OriginalPath
+	}
+
+	// Generate rewrite pattern based on regex type
+	switch regexType {
+	case "case_sensitive":
+		return fmt.Sprintf("^%s", loc.OriginalPath)
+	case "case_insensitive":
+		return fmt.Sprintf("(?i)^%s", loc.OriginalPath)
+	case "exact":
+		return loc.OriginalPath // exact matches don't need anchors in rewrite
+	default:
+		return loc.OriginalPath
+	}
+}
+
 var helperFunctions = template.FuncMap{
 	"split":                   split,
 	"trim":                    trim,
@@ -212,6 +250,7 @@ var helperFunctions = template.FuncMap{
 	"toUpper":                 strings.ToUpper,
 	"replaceAll":              strings.ReplaceAll,
 	"makeLocationPath":        makeLocationPath,
+	"makeRewritePattern":      makeRewritePattern,
 	"makeSecretPath":          commonhelpers.MakeSecretPath,
 	"makeOnOffFromBool":       commonhelpers.MakeOnOffFromBool,
 	"generateProxySetHeaders": generateProxySetHeaders,