From 08a740e839733288ba1b2b60655ccdb4c94bc065 Mon Sep 17 00:00:00 2001 
From: Saylor Berman Date: Thu, 26 Dec 2024 09:42:31 -0700 Subject: [PATCH 1/2] Add agent/nginx container and deployment Updating the nginx docker containers to build and include agent. Once agent is officially released, we can use the published binary instead of building. Added a temporary nginx deployment to the helm chart to deploy a standalone nginx pod. Added the basic gRPC server and agent API implementation to allow for the agent pod to connect to the control plane without errors. --- .yamllint.yaml | 3 +- build/Dockerfile.nginx | 30 ++- build/Dockerfile.nginxplus | 16 +- build/entrypoint.sh | 53 +++++ .../templates/deployment.yaml | 2 + .../templates/service.yaml | 4 +- .../templates/tmp-nginx-agent-conf.yaml | 19 ++ .../templates/tmp-nginx-deployment.yaml | 186 ++++++++++++++++++ .../templates/tmp-nginx-service.yaml | 36 ++++ .../tmp/tmp-nginx-deployment.yaml | 169 ---------------- .../tmp/tmp-nginx-service.yaml | 35 ---- config/tests/static-deployment.yaml | 2 + deploy/aws-nlb/deploy.yaml | 172 +++++++++++++++- deploy/azure/deploy.yaml | 171 +++++++++++++++- deploy/default/deploy.yaml | 169 +++++++++++++++- deploy/experimental-nginx-plus/deploy.yaml | 182 ++++++++++++++++- deploy/experimental/deploy.yaml | 169 +++++++++++++++- deploy/nginx-plus/deploy.yaml | 182 ++++++++++++++++- deploy/nodeport/deploy.yaml | 169 +++++++++++++++- deploy/openshift/deploy.yaml | 169 +++++++++++++++- .../snippets-filters-nginx-plus/deploy.yaml | 182 ++++++++++++++++- deploy/snippets-filters/deploy.yaml | 169 +++++++++++++++- go.mod | 12 +- go.sum | 30 ++- internal/mode/static/manager.go | 23 ++- internal/mode/static/nginx/agent/agent.go | 15 +- internal/mode/static/nginx/agent/command.go | 89 +++++++++ internal/mode/static/nginx/agent/file.go | 62 ++++++ internal/mode/static/nginx/agent/grpc.go | 54 +++++ tests/go.mod | 8 +- tests/go.sum | 30 ++- 31 files changed, 2345 insertions(+), 267 deletions(-) create mode 100755 build/entrypoint.sh create mode 100644 
charts/nginx-gateway-fabric/templates/tmp-nginx-agent-conf.yaml create mode 100644 charts/nginx-gateway-fabric/templates/tmp-nginx-deployment.yaml create mode 100644 charts/nginx-gateway-fabric/templates/tmp-nginx-service.yaml delete mode 100644 charts/nginx-gateway-fabric/tmp/tmp-nginx-deployment.yaml delete mode 100644 charts/nginx-gateway-fabric/tmp/tmp-nginx-service.yaml create mode 100644 internal/mode/static/nginx/agent/command.go create mode 100644 internal/mode/static/nginx/agent/file.go create mode 100644 internal/mode/static/nginx/agent/grpc.go diff --git a/.yamllint.yaml b/.yamllint.yaml index b2d07c848f..83713689aa 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml @@ -2,8 +2,7 @@ ignore: - charts/nginx-gateway-fabric/templates - config/crd/bases/ - - deploy/crds.yaml - - deploy/*nginx-plus + - deploy - site/static rules: diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx index a857aee989..f3236a4312 100644 --- a/build/Dockerfile.nginx +++ b/build/Dockerfile.nginx 
@@ -1,18 +1,40 @@ # syntax=docker/dockerfile:1.12 +# FROM scratch AS nginx-files + +# # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 +# ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub + +FROM golang:alpine AS builder + +WORKDIR /tmp + +RUN apk add --no-cache git make \ + && git clone https://github.com/nginx/agent.git \ + && cd agent \ + && git checkout v3 \ + && make build + FROM nginx:1.27.3-alpine-otel ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -RUN apk add --no-cache libcap \ +# RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ +# printf "%s\n" "http://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ +# && apk add --no-cache nginx-agent + +RUN apk add --no-cache libcap bash \ && mkdir -p /usr/lib/nginx/modules \ - && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ - && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \ + && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ + && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \ && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \ && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \ && apk del libcap +COPY --from=builder /tmp/agent/build/nginx-agent /usr/bin/nginx-agent + +COPY build/entrypoint.sh /agent/entrypoint.sh COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf @@ -24,4 +46,4 @@ LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}" USER 101:1001 -CMD ["sh", "-c", "rm -rf /var/run/nginx/*.sock && nginx -g 'daemon off;'"] +ENTRYPOINT ["/agent/entrypoint.sh"] diff --git a/build/Dockerfile.nginxplus b/build/Dockerfile.nginxplus index 7005e22fe0..ef1051139b 100644 
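Review bot: The builder stage clones github.com/nginx/agent and runs `git checkout v3`, which is a moving branch rather than a tag or commit, so each image build takes whatever that branch holds at the moment and the nginx-agent binary copied into the runtime image is neither reproducible nor traceable to a known revision; the commented-out apk path right above it at least carried a signing key, this path verifies nothing. Pin the checkout to a full commit SHA recorded next to it, `git checkout <commit-sha>`, and pin `golang:alpine` to a specific version the way the runtime stage pins `nginx:1.27.3-alpine-otel`. The commit message says this is interim until the agent is published; a `# TODO: replace with the published nginx-agent package once released` on the builder stage would keep that visible to whoever touches the Dockerfile next.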
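Review bot: Container `args` now go to nginx-agent rather than nginx, because the exec-form `ENTRYPOINT ["/agent/entrypoint.sh"]` forwards them via `"$@"` inside the script, and any pod-level `command:` override skips the script entirely — the chart's `nginx.debug` branch does exactly that with `/bin/sh -c 'rm -rf /var/run/nginx/*.sock && nginx-debug -g ...'`, so a debug pod starts without the agent. That is a behaviour change from the previous `CMD` that is easy to miss; add a comment on the ENTRYPOINT line such as `# args are passed through to nginx-agent; overriding the command bypasses agent startup` and consider routing the debug case through the same script (an env var the script honours for the nginx binary name) so both modes behave alike.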
--- a/build/Dockerfile.nginxplus +++ b/build/Dockerfile.nginxplus @@ -4,6 +4,15 @@ FROM scratch AS nginx-files # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub +FROM golang:alpine AS builder + +WORKDIR /tmp + +RUN apk add --no-cache git make \ + && git clone https://github.com/nginx/agent.git \ + && cd agent \ + && git checkout v3 \ + && make build FROM alpine:3.20 @@ -18,7 +27,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ addgroup -g 1001 -S nginx \ && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel libcap \ + && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel libcap bash \ && mkdir -p /usr/lib/nginx/modules \ && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \ && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \ @@ -29,6 +38,9 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log +COPY --from=builder /tmp/agent/build/nginx-agent /usr/bin/nginx-agent + +COPY build/entrypoint.sh /agent/entrypoint.sh COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js COPY ${NGINX_CONF_DIR}/nginx-plus.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf @@ -40,4 +52,4 @@ USER 101:1001 LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}" -CMD ["sh", "-c", "rm -rf /var/run/nginx/*.sock && nginx -g 'daemon off;'"] +ENTRYPOINT ["/agent/entrypoint.sh"] 
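Review bot: The Plus image has the same unpinned `git checkout v3` of github.com/nginx/agent in its builder stage, so the binary that lands in /usr/bin/nginx-agent is whatever the branch head was at build time, with no checksum or signature — in contrast to the runtime stage in the same file, which mounts nginx-repo.crt and fetches the nginx signing key for the packages it installs. Pin to a commit SHA, `git checkout <commit-sha>`, and pin `golang:alpine` to a version. Until the agent ships as a package, recording that SHA in a LABEL next to `org.nginx.ngf.image.build.agent` would let the agent revision be audited from the image itself.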
diff --git a/build/entrypoint.sh b/build/entrypoint.sh new file mode 100755 index 0000000000..1095831c57 --- /dev/null +++ b/build/entrypoint.sh @@ -0,0 +1,53 @@ +#!/bin/bash + +set -euxo pipefail + +handle_term() { + echo "received TERM signal" + echo "stopping nginx-agent ..." + kill -TERM "${agent_pid}" 2>/dev/null + echo "stopping nginx ..." + kill -TERM "${nginx_pid}" 2>/dev/null +} + +trap 'handle_term' TERM + +rm -rf /var/run/nginx/*.sock + +# Launch nginx +echo "starting nginx ..." +/usr/sbin/nginx -g "daemon off;" & + +nginx_pid=$! + +SECONDS=0 + +while ! ps -ef | grep "nginx: master process" | grep -v grep; do + if ((SECONDS > 5)); then + echo "couldn't find nginx master process" + exit 1 + fi +done + +# start nginx-agent, pass args +echo "starting nginx-agent ..." +nginx-agent "$@" & + +agent_pid=$! + +if [ $? != 0 ]; then + echo "couldn't start the agent, please check the log file" + exit 1 +fi + +wait_term() { + wait ${agent_pid} + trap - TERM + kill -QUIT "${nginx_pid}" 2>/dev/null + echo "waiting for nginx to stop..." + wait ${nginx_pid} +} + +wait_term + +echo "nginx-agent process has stopped, exiting." diff --git a/charts/nginx-gateway-fabric/templates/deployment.yaml b/charts/nginx-gateway-fabric/templates/deployment.yaml index 00fef5f7f2..35468e682b 100644 --- a/charts/nginx-gateway-fabric/templates/deployment.yaml +++ b/charts/nginx-gateway-fabric/templates/deployment.yaml @@ -117,6 +117,8 @@ spec: {{- toYaml .Values.nginxGateway.resources | nindent 10 }} {{- end }} ports: + - name: agent-grpc + containerPort: 8443 {{- if .Values.metrics.enable }} - name: metrics containerPort: {{ .Values.metrics.port }} diff --git a/charts/nginx-gateway-fabric/templates/service.yaml b/charts/nginx-gateway-fabric/templates/service.yaml index 7324f04723..6a0ed7cfef 100644 --- a/charts/nginx-gateway-fabric/templates/service.yaml +++ b/charts/nginx-gateway-fabric/templates/service.yaml 
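Review bot: The `if [ $? != 0 ]` after `agent_pid=$!` tests the exit status of the variable assignment, which is always 0, so the "couldn't start the agent" branch is dead code; a backgrounded job's start failure does not surface through `$?` at all, and the real signal is the `wait` in wait_term. Separately, handle_term sends `kill -TERM` to nginx (fast shutdown) while the normal exit path in wait_term uses `kill -QUIT` (graceful), so a pod termination cuts in-flight connections rather than draining them — the handler should use QUIT too. The `while ! ps -ef | grep ...` poll has no sleep, so it spins a CPU for up to 5s, and busybox `ps` on Alpine may not honour `-ef` (worth confirming on the actual image). Also note `set -x` echoes every command including `nginx-agent "$@"` to the log, so if an argument ever carries a token it will be logged; nothing here passes one today, but dropping `-x` or documenting the caveat is cheap.
```bash
handle_term() {
  echo "received TERM signal"
  echo "stopping nginx-agent ..."
  kill -TERM "${agent_pid}" 2>/dev/null
  echo "stopping nginx ..."
  # QUIT = graceful shutdown, matching wait_term below
  kill -QUIT "${nginx_pid}" 2>/dev/null
}
# … unchanged: trap, sock cleanup, nginx launch …
while ! ps -ef | grep "nginx: master process" | grep -v grep >/dev/null; do
  if ((SECONDS > 5)); then
    echo "couldn't find nginx master process"
    exit 1
  fi
  sleep 0.2
done

echo "starting nginx-agent ..."
nginx-agent "$@" &
agent_pid=$!

# $! never "fails"; check that the job is actually alive instead
if ! kill -0 "${agent_pid}" 2>/dev/null; then
  echo "couldn't start the agent, please check the log file"
  exit 1
fi
# … unchanged: wait_term and final echo …
```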
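Review bot: Port 8443 is opened on the control-plane container as `agent-grpc`, but nothing in this diff shows how a connection on it is authenticated — the agent ConfigMap carries only host and port, and the server side (internal/mode/static/nginx/agent/grpc.go) is in the diffstat but not in this chunk; given the commit message calls it a "basic gRPC server", it is presumably unauthenticated at this stage. Any pod that can reach the service could then present itself as a data-plane agent and, once config push is wired up, receive or influence the nginx configuration for the whole gateway. Before the server grows past a scaffold, gate it with mTLS (or at minimum a NetworkPolicy limiting ingress to the nginx pods), and add a comment on the port entry, `# agent gRPC; authentication/mTLS not yet implemented`, so the gap stays visible.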
@@ -14,7 +14,7 @@ spec: selector: {{- include "nginx-gateway.selectorLabels" . | nindent 4 }} ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 diff --git a/charts/nginx-gateway-fabric/templates/tmp-nginx-agent-conf.yaml b/charts/nginx-gateway-fabric/templates/tmp-nginx-agent-conf.yaml new file mode 100644 index 0000000000..80aba1c868 --- /dev/null +++ b/charts/nginx-gateway-fabric/templates/tmp-nginx-agent-conf.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: {{ .Release.Namespace }} +data: + nginx-agent.conf: |- + command: + server: + host: {{ include "nginx-gateway.fullname" . }}.{{ .Release.Namespace }}.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug diff --git a/charts/nginx-gateway-fabric/templates/tmp-nginx-deployment.yaml b/charts/nginx-gateway-fabric/templates/tmp-nginx-deployment.yaml new file mode 100644 index 0000000000..55c9ee5970 --- /dev/null +++ b/charts/nginx-gateway-fabric/templates/tmp-nginx-deployment.yaml 
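Review bot: The shipped agent config sets `log: level: debug` and a `command.server` stanza with only `host` and `port: 443` — no `tls` block — so unless the v3 agent defaults to TLS (not visible here) the control channel is plaintext gRPC across the cluster network while the port number suggests otherwise. Debug logging from the agent in a default install is also noisy and is likely to echo more of the pushed configuration than an operator wants in shared logs. Suggest `level: info`, a `tls:` section as soon as the server supports it, and, if plaintext is the intended interim state, a comment in the ConfigMap such as `# TODO: plaintext until mTLS is added to the control-plane gRPC server` so port 443 is not read as an assurance.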
@@ -0,0 +1,186 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: tmp-nginx-deployment + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: tmp-nginx-deployment + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + initContainers: + - name: sleep # wait for a bit for control plane to be ready + image: {{ .Values.nginxGateway.image.repository }}:{{ default .Chart.AppVersion .Values.nginxGateway.image.tag }} + imagePullPolicy: {{ .Values.nginxGateway.image.pullPolicy }} + command: + - /usr/bin/gateway + - sleep + - --duration=15s + - name: init + image: {{ .Values.nginxGateway.image.repository }}:{{ default .Chart.AppVersion .Values.nginxGateway.image.tag }} + imagePullPolicy: {{ .Values.nginxGateway.image.pullPolicy }} + command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + {{- if .Values.nginx.plus }} + - --source + - /includes/mgmt.conf + - --nginx-plus + {{- end }} + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + securityContext: + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 102 + runAsGroup: 1001 + volumeMounts: + - name: nginx-includes-bootstrap + mountPath: /includes + - name: nginx-main-includes + mountPath: /etc/nginx/main-includes + containers: + - image: {{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + name: nginx + {{- if .Values.nginx.lifecycle }} + lifecycle: + {{- toYaml .Values.nginx.lifecycle | nindent 10 }} + {{- end }} + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: 
{{ .Values.nginx.securityContext.allowPrivilegeEscalation }} + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsUser: 101 + runAsGroup: 1001 + volumeMounts: + - name: nginx-agent + mountPath: /etc/nginx-agent + - name: nginx-conf + mountPath: /etc/nginx/conf.d + - name: nginx-stream-conf + mountPath: /etc/nginx/stream-conf.d + - name: nginx-main-includes + mountPath: /etc/nginx/main-includes + - name: nginx-secrets + mountPath: /etc/nginx/secrets + - name: nginx-run + mountPath: /var/run/nginx + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-includes + mountPath: /etc/nginx/includes + {{- if .Values.nginx.plus }} + - name: nginx-lib + mountPath: /var/lib/nginx/state + {{- if .Values.nginx.usage.secretName }} + - name: nginx-plus-license + mountPath: /etc/nginx/license.jwt + subPath: license.jwt + {{- end }} + {{- if or .Values.nginx.usage.caSecretName .Values.nginx.usage.clientSSLSecretName }} + - name: nginx-plus-usage-certs + mountPath: /etc/nginx/certs-bootstrap/ + {{- end }} + {{- end }} + {{- with .Values.nginx.extraVolumeMounts -}} + {{ toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.nginx.debug }} + command: + - "/bin/sh" + args: + - "-c" + - "rm -rf /var/run/nginx/*.sock && nginx-debug -g 'daemon off;'" + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "nginx-gateway.serviceAccountName" . 
}} + securityContext: + fsGroup: 1001 + runAsNonRoot: true + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 6 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + volumes: + - name: nginx-agent + configMap: + name: nginx-agent-config + - name: nginx-conf + emptyDir: {} + - name: nginx-stream-conf + emptyDir: {} + - name: nginx-main-includes + emptyDir: {} + - name: nginx-secrets + emptyDir: {} + - name: nginx-run + emptyDir: {} + - name: nginx-cache + emptyDir: {} + - name: nginx-includes + emptyDir: {} + - name: nginx-includes-bootstrap + configMap: + name: nginx-includes-bootstrap + {{- if .Values.nginx.plus }} + - name: nginx-lib + emptyDir: {} + {{- if .Values.nginx.usage.secretName }} + - name: nginx-plus-license + secret: + secretName: {{ .Values.nginx.usage.secretName }} + {{- end }} + {{- if or .Values.nginx.usage.caSecretName .Values.nginx.usage.clientSSLSecretName }} + - name: nginx-plus-usage-certs + projected: + sources: + {{- if .Values.nginx.usage.caSecretName }} + - secret: + name: {{ .Values.nginx.usage.caSecretName }} + {{- end }} + {{- if .Values.nginx.usage.clientSSLSecretName }} + - secret: + name: {{ .Values.nginx.usage.clientSSLSecretName }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.extraVolumes -}} + {{ toYaml . | nindent 6 }} + {{- end }} diff --git a/charts/nginx-gateway-fabric/templates/tmp-nginx-service.yaml b/charts/nginx-gateway-fabric/templates/tmp-nginx-service.yaml new file mode 100644 index 0000000000..6b82fd1e78 --- /dev/null +++ b/charts/nginx-gateway-fabric/templates/tmp-nginx-service.yaml 
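Review bot: The nginx pod runs under `serviceAccountName: {{ include "nginx-gateway.serviceAccountName" . }}`, the control plane's service account, so the data-plane container — which terminates client traffic and now also runs nginx-agent — carries whatever RBAC the control plane's ClusterRole grants (not shown here) and has that token mounted. Nothing in this pod appears to need the Kubernetes API (the init containers work from files and `POD_UID`), so give it a dedicated permission-less ServiceAccount and set `automountServiceAccountToken: false` on the pod spec; that keeps an nginx or agent compromise from becoming cluster access. Two smaller points: the `sleep` init container has no securityContext at all, unlike `init` right below it which drops all capabilities and sets runAsUser, and the `nginx.debug` branch overrides `command` with `/bin/sh -c '... nginx-debug ...'`, which bypasses /agent/entrypoint.sh so debug pods run without the agent.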
@@ -0,0 +1,36 @@ +{{- if .Values.service.create }} +apiVersion: v1 +kind: Service +metadata: + name: tmp-nginx-deployment + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-gateway.labels" . | nindent 4 }} +{{- if .Values.service.annotations }} + annotations: +{{ toYaml .Values.service.annotations | indent 4 }} +{{- end }} +spec: +{{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + {{- if .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} + {{- end }} +{{- end }} + type: {{ .Values.service.type }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{ toYaml .Values.service.loadBalancerSourceRanges | nindent 2 }} + {{- end }} +{{- end}} + selector: + app.kubernetes.io/name: tmp-nginx-deployment + app.kubernetes.io/instance: {{ .Release.Name }} + ports: # Update the following ports to match your Gateway Listener ports +{{- if .Values.service.ports }} +{{ toYaml .Values.service.ports | indent 2 }} +{{ end }} +{{- end }} diff --git a/charts/nginx-gateway-fabric/tmp/tmp-nginx-deployment.yaml b/charts/nginx-gateway-fabric/tmp/tmp-nginx-deployment.yaml deleted file mode 100644 index 9ddaea89f1..0000000000 --- a/charts/nginx-gateway-fabric/tmp/tmp-nginx-deployment.yaml +++ /dev/null 
@@ -1,169 +0,0 @@ -# apiVersion: apps/v1 -# kind: Deployment -# metadata: -# name: tmp-nginx-deployment -# namespace: {{ .Release.Namespace }} -# spec: -# template: -# spec: -# initContainers: -# - name: init -# image: {{ .Values.nginxGateway.image.repository }}:{{ default .Chart.AppVersion .Values.nginxGateway.image.tag }} -# imagePullPolicy: {{ .Values.nginxGateway.image.pullPolicy }} -# command: -# - /usr/bin/gateway -# - initialize -# - --source -# - /includes/main.conf -# {{- if .Values.nginx.plus }} -# - --source -# - /includes/mgmt.conf -# - --nginx-plus -# {{- end }} -# - --destination -# - /etc/nginx/main-includes -# env: -# - name: POD_UID -# valueFrom: -# fieldRef: -# fieldPath: metadata.uid -# securityContext: -# seccompProfile: -# type: RuntimeDefault -# capabilities: -# add: -# - KILL # Set because the binary has CAP_KILL for the main controller process. Not used by init. -# drop: -# - ALL -# readOnlyRootFilesystem: true -# runAsUser: 102 -# runAsGroup: 1001 -# volumeMounts: -# - name: nginx-includes-bootstrap -# mountPath: /includes -# - name: nginx-main-includes -# mountPath: /etc/nginx/main-includes -# containers: -# - image: {{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag | default .Chart.AppVersion }} -# imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} -# name: nginx -# {{- if .Values.nginx.lifecycle }} -# lifecycle: -# {{- toYaml .Values.nginx.lifecycle | nindent 10 }} -# {{- end }} -# ports: -# - containerPort: 80 -# name: http -# - containerPort: 443 -# name: https -# securityContext: -# seccompProfile: -# type: RuntimeDefault -# allowPrivilegeEscalation: {{ .Values.nginx.securityContext.allowPrivilegeEscalation }} -# capabilities: -# add: -# - NET_BIND_SERVICE -# drop: -# - ALL -# readOnlyRootFilesystem: true -# runAsUser: 101 -# runAsGroup: 1001 -# volumeMounts: -# - name: nginx-conf -# mountPath: /etc/nginx/conf.d -# - name: nginx-stream-conf -# mountPath: /etc/nginx/stream-conf.d -# - name: nginx-main-includes -# 
mountPath: /etc/nginx/main-includes -# - name: nginx-secrets -# mountPath: /etc/nginx/secrets -# - name: nginx-run -# mountPath: /var/run/nginx -# - name: nginx-cache -# mountPath: /var/cache/nginx -# - name: nginx-includes -# mountPath: /etc/nginx/includes -# {{- if .Values.nginx.plus }} -# - name: nginx-lib -# mountPath: /var/lib/nginx/state -# {{- if .Values.nginx.usage.secretName }} -# - name: nginx-plus-license -# mountPath: /etc/nginx/license.jwt -# subPath: license.jwt -# {{- end }} -# {{- if or .Values.nginx.usage.caSecretName .Values.nginx.usage.clientSSLSecretName }} -# - name: nginx-plus-usage-certs -# mountPath: /etc/nginx/certs-bootstrap/ -# {{- end }} -# {{- end }} -# {{- with .Values.nginx.extraVolumeMounts -}} -# {{ toYaml . | nindent 8 }} -# {{- end }} -# {{- if .Values.nginx.debug }} -# command: -# - "/bin/sh" -# args: -# - "-c" -# - "rm -rf /var/run/nginx/*.sock && nginx-debug -g 'daemon off;'" -# {{- end }} -# terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} -# {{- if .Values.affinity }} -# affinity: -# {{- toYaml .Values.affinity | nindent 8 }} -# {{- end }} -# serviceAccountName: {{ include "nginx-gateway.serviceAccountName" . 
}} -# shareProcessNamespace: true -# securityContext: -# fsGroup: 1001 -# runAsNonRoot: true -# {{- if .Values.tolerations }} -# tolerations: -# {{- toYaml .Values.tolerations | nindent 6 }} -# {{- end }} -# {{- if .Values.nodeSelector }} -# nodeSelector: -# {{- toYaml .Values.nodeSelector | nindent 8 }} -# {{- end }} -# volumes: -# - name: nginx-conf -# emptyDir: {} -# - name: nginx-stream-conf -# emptyDir: {} -# - name: nginx-main-includes -# emptyDir: {} -# - name: nginx-secrets -# emptyDir: {} -# - name: nginx-run -# emptyDir: {} -# - name: nginx-cache -# emptyDir: {} -# - name: nginx-includes -# emptyDir: {} -# - name: nginx-includes-bootstrap -# configMap: -# name: nginx-includes-bootstrap -# {{- if .Values.nginx.plus }} -# - name: nginx-lib -# emptyDir: {} -# {{- if .Values.nginx.usage.secretName }} -# - name: nginx-plus-license -# secret: -# secretName: {{ .Values.nginx.usage.secretName }} -# {{- end }} -# {{- if or .Values.nginx.usage.caSecretName .Values.nginx.usage.clientSSLSecretName }} -# - name: nginx-plus-usage-certs -# projected: -# sources: -# {{- if .Values.nginx.usage.caSecretName }} -# - secret: -# name: {{ .Values.nginx.usage.caSecretName }} -# {{- end }} -# {{- if .Values.nginx.usage.clientSSLSecretName }} -# - secret: -# name: {{ .Values.nginx.usage.clientSSLSecretName }} -# {{- end }} -# {{- end }} -# {{- end }} -# {{- with .Values.extraVolumes -}} -# {{ toYaml . | nindent 6 }} -# {{- end }} diff --git a/charts/nginx-gateway-fabric/tmp/tmp-nginx-service.yaml b/charts/nginx-gateway-fabric/tmp/tmp-nginx-service.yaml deleted file mode 100644 index 30901bfb6a..0000000000 --- a/charts/nginx-gateway-fabric/tmp/tmp-nginx-service.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# {{- if .Values.service.create }} -# apiVersion: v1 -# kind: Service -# metadata: -# name: {{ include "nginx-gateway.fullname" . }} -# namespace: {{ .Release.Namespace }} -# labels: -# {{- include "nginx-gateway.labels" . | nindent 4 }} -# {{- if .Values.service.annotations }} -# annotations: -# {{ toYaml .Values.service.annotations | indent 4 }} -# {{- end }} -# spec: -# {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} -# {{- if .Values.service.externalTrafficPolicy }} -# externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} -# {{- end }} -# {{- end }} -# type: {{ .Values.service.type }} -# {{- if eq .Values.service.type "LoadBalancer" }} -# {{- if .Values.service.loadBalancerIP }} -# loadBalancerIP: {{ .Values.service.loadBalancerIP }} -# {{- end }} -# {{- if .Values.service.loadBalancerSourceRanges }} -# loadBalancerSourceRanges: -# {{ toYaml .Values.service.loadBalancerSourceRanges | nindent 2 }} -# {{- end }} -# {{- end}} -# selector: -# {{- include "nginx-gateway.selectorLabels" . | nindent 4 }} -# ports: # Update the following ports to match your Gateway Listener ports -# {{- if .Values.service.ports }} -# {{ toYaml .Values.service.ports | indent 2 }} -# {{ end }} -# {{- end }} diff --git a/config/tests/static-deployment.yaml b/config/tests/static-deployment.yaml index 0997a8e2cb..8e581ff569 100644 --- a/config/tests/static-deployment.yaml +++ b/config/tests/static-deployment.yaml @@ -53,6 +53,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - name: agent-grpc + containerPort: 8443 - name: health containerPort: 8081 readinessProbe: diff --git a/deploy/aws-nlb/deploy.yaml b/deploy/aws-nlb/deploy.yaml index 4f815d2520..295cb42d07 100644 --- a/deploy/aws-nlb/deploy.yaml +++ b/deploy/aws-nlb/deploy.yaml 
@@ -145,6 +145,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; @@ -168,15 +188,43 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip + service.beta.kubernetes.io/aws-load-balancer-type: external + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: LoadBalancer +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -232,6 +280,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
@@ -257,6 +307,124 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - 
mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml index 2250415ec0..45121bf502 100644 --- a/deploy/azure/deploy.yaml +++ b/deploy/azure/deploy.yaml @@ -145,6 +145,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; 
@@ -168,15 +188,40 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: LoadBalancer +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -232,6 +277,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
@@ -259,6 +306,126 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - 
mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + nodeSelector: + kubernetes.io/os: linux + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml index 4f815d2520..2e1a53f3e1 100644 --- a/deploy/default/deploy.yaml +++ b/deploy/default/deploy.yaml @@ -145,6 +145,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; 
@@ -168,15 +188,40 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: LoadBalancer +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -232,6 +277,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
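Review bot: The new `tmp-nginx-deployment` Service is labelled `app.kubernetes.io/name: nginx-gateway` while its selector is `app.kubernetes.io/name: tmp-nginx-deployment`, so anything that selects Services by the control-plane label (a ServiceMonitor, for example) would presumably also pick up this public `LoadBalancer`; the label should read `app.kubernetes.io/name: tmp-nginx-deployment`. The rename of the control-plane port to `agent-grpc` with `targetPort: 8443` does match the `containerPort: 8443` added in the next hunk, so that side is consistent. The same Service block recurs in every other deploy variant in this patch (with `type: NodePort` in the nodeport one).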
@@ -257,6 +304,124 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - 
mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml index b4965aed6f..f846d0ca76 100644 --- a/deploy/experimental-nginx-plus/deploy.yaml +++ b/deploy/experimental-nginx-plus/deploy.yaml @@ -158,6 +158,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; 
@@ -186,15 +206,40 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: LoadBalancer +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -253,6 +298,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
@@ -278,6 +325,137 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + - mountPath: /var/lib/nginx/state + name: nginx-lib + - mountPath: /etc/nginx/license.jwt + name: nginx-plus-license + subPath: license.jwt + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --source + - /includes/mgmt.conf + - --nginx-plus + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + 
imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap + - emptyDir: {} + name: nginx-lib + - name: nginx-plus-license + secret: + secretName: nplus-license +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml index 3f5ce9f10f..68bd273be1 100644 --- a/deploy/experimental/deploy.yaml +++ b/deploy/experimental/deploy.yaml @@ -150,6 +150,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; 
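Review bot: The license is mounted with `subPath: license.jwt` from Secret `nplus-license`, and Kubernetes does not propagate Secret updates into subPath mounts, so a renewed license will not reach `/etc/nginx/license.jwt` until the pod is recreated. If that is acceptable for this temporary deployment, a one-line comment in the chart template saying so (`# subPath mount: license renewals require a pod restart`) will save the next reader a debugging session; otherwise mount the Secret as a directory and reference the file inside it. The same mount appears in the nginx-plus and snippets-filters-nginx-plus variants later in this patch.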
@@ -173,15 +193,40 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: LoadBalancer +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -238,6 +283,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
@@ -263,6 +310,124 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - 
mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml index 95586af37c..adb6593de8 100644 --- a/deploy/nginx-plus/deploy.yaml +++ b/deploy/nginx-plus/deploy.yaml @@ -153,6 +153,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; 
@@ -181,15 +201,40 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: LoadBalancer +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -247,6 +292,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
@@ -272,6 +319,137 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + - mountPath: /var/lib/nginx/state + name: nginx-lib + - mountPath: /etc/nginx/license.jwt + name: nginx-plus-license + subPath: license.jwt + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --source + - /includes/mgmt.conf + - --nginx-plus + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + 
imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap + - emptyDir: {} + name: nginx-lib + - name: nginx-plus-license + secret: + secretName: nplus-license +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml index 4f815d2520..af66c8fafc 100644 --- a/deploy/nodeport/deploy.yaml +++ b/deploy/nodeport/deploy.yaml @@ -145,6 +145,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; 
@@ -168,15 +188,40 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: NodePort +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -232,6 +277,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
@@ -257,6 +304,124 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - 
mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml index ede56b948b..a3bc1b01e9 100644 --- a/deploy/openshift/deploy.yaml +++ b/deploy/openshift/deploy.yaml @@ -153,6 +153,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; 
@@ -176,15 +196,40 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: LoadBalancer +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -240,6 +285,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
@@ -265,6 +312,124 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - 
mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml index 49bac6d55f..6278c799f2 100644 --- a/deploy/snippets-filters-nginx-plus/deploy.yaml +++ b/deploy/snippets-filters-nginx-plus/deploy.yaml @@ -155,6 +155,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; 
@@ -183,15 +203,40 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: LoadBalancer +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -250,6 +295,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
@@ -275,6 +322,137 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + - mountPath: /var/lib/nginx/state + name: nginx-lib + - mountPath: /etc/nginx/license.jwt + name: nginx-plus-license + subPath: license.jwt + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --source + - /includes/mgmt.conf + - --nginx-plus + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + 
imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap + - emptyDir: {} + name: nginx-lib + - name: nginx-plus-license + secret: + secretName: nplus-license +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml index 45f8802d2a..b4d01ca6f6 100644 --- a/deploy/snippets-filters/deploy.yaml +++ b/deploy/snippets-filters/deploy.yaml @@ -147,6 +147,26 @@ subjects: namespace: nginx-gateway --- apiVersion: v1 +data: + nginx-agent.conf: |- + command: + server: + host: nginx-gateway.nginx-gateway.svc + port: 443 + allowed_directories: + - /etc/nginx + - /usr/share/nginx + - /var/run/nginx + features: + - connection + log: + level: debug +kind: ConfigMap +metadata: + name: nginx-agent-config + namespace: nginx-gateway +--- +apiVersion: v1 data: main.conf: | error_log stderr info; 
@@ -170,15 +190,40 @@ metadata: namespace: nginx-gateway spec: ports: - - name: grpc + - name: agent-grpc port: 443 protocol: TCP - targetPort: 443 + targetPort: 8443 selector: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway type: ClusterIP --- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: nginx-gateway + app.kubernetes.io/version: edge + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + externalTrafficPolicy: Local + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + selector: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + type: LoadBalancer +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -235,6 +280,8 @@ spec: imagePullPolicy: Always name: nginx-gateway ports: + - containerPort: 8443 + name: agent-grpc - containerPort: 9113 name: metrics - containerPort: 8081 
@@ -260,6 +307,124 @@ spec: serviceAccountName: nginx-gateway terminationGracePeriodSeconds: 30 --- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tmp-nginx-deployment + namespace: nginx-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + template: + metadata: + labels: + app.kubernetes.io/instance: nginx-gateway + app.kubernetes.io/name: tmp-nginx-deployment + spec: + containers: + - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge + imagePullPolicy: Always + name: nginx + ports: + - containerPort: 80 + name: http + - containerPort: 443 + name: https + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/nginx-agent + name: nginx-agent + - mountPath: /etc/nginx/conf.d + name: nginx-conf + - mountPath: /etc/nginx/stream-conf.d + name: nginx-stream-conf + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + - mountPath: /etc/nginx/secrets + name: nginx-secrets + - mountPath: /var/run/nginx + name: nginx-run + - mountPath: /var/cache/nginx + name: nginx-cache + - mountPath: /etc/nginx/includes + name: nginx-includes + initContainers: + - command: + - /usr/bin/gateway + - sleep + - --duration=15s + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: sleep + - command: + - /usr/bin/gateway + - initialize + - --source + - /includes/main.conf + - --destination + - /etc/nginx/main-includes + env: + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + image: ghcr.io/nginxinc/nginx-gateway-fabric:edge + imagePullPolicy: Always + name: init + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsUser: 102 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - 
mountPath: /includes + name: nginx-includes-bootstrap + - mountPath: /etc/nginx/main-includes + name: nginx-main-includes + securityContext: + fsGroup: 1001 + runAsNonRoot: true + serviceAccountName: nginx-gateway + terminationGracePeriodSeconds: 30 + volumes: + - configMap: + name: nginx-agent-config + name: nginx-agent + - emptyDir: {} + name: nginx-conf + - emptyDir: {} + name: nginx-stream-conf + - emptyDir: {} + name: nginx-main-includes + - emptyDir: {} + name: nginx-secrets + - emptyDir: {} + name: nginx-run + - emptyDir: {} + name: nginx-cache + - emptyDir: {} + name: nginx-includes + - configMap: + name: nginx-includes-bootstrap + name: nginx-includes-bootstrap +--- apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: diff --git a/go.mod b/go.mod index df195fe1b5..01b9604df8 100644 --- a/go.mod +++ b/go.mod @@ -7,6 +7,7 @@ require ( github.com/go-logr/logr v1.4.2 github.com/google/go-cmp v0.6.0 github.com/maxbrunsfeld/counterfeiter/v6 v6.11.2 + github.com/nginx/agent/v3 v3.0.0-20241220140549-28adb688a8b4 github.com/nginxinc/telemetry-exporter v0.1.2 github.com/onsi/ginkgo/v2 v2.22.1 github.com/onsi/gomega v1.36.1 @@ -17,6 +18,7 @@ require ( go.opentelemetry.io/otel v1.33.0 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 go.uber.org/zap v1.27.0 + google.golang.org/grpc v1.69.2 k8s.io/api v0.32.0 k8s.io/apiextensions-apiserver v0.32.0 k8s.io/apimachinery v0.32.0 @@ -27,6 +29,7 @@ require ( ) require ( + buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.33.0-20240401165935-b983156c5e99.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect 
@@ -34,7 +37,7 @@ require ( github.com/emicklei/go-restful/v3 v3.12.0 // indirect github.com/evanphx/json-patch/v5 v5.9.0 // indirect github.com/fxamacker/cbor/v2 v2.7.0 // indirect - github.com/go-logfmt/logfmt v0.5.1 // indirect + github.com/go-logfmt/logfmt v0.6.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.21.0 // indirect @@ -51,7 +54,7 @@ require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.9 // indirect + github.com/klauspost/compress v1.17.11 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect @@ -67,9 +70,9 @@ require ( go.opentelemetry.io/otel/trace v1.33.0 // indirect go.opentelemetry.io/proto/otlp v1.4.0 // indirect go.uber.org/multierr v1.11.0 // indirect - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect + golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // indirect golang.org/x/mod v0.22.0 // indirect - golang.org/x/net v0.32.0 // indirect + golang.org/x/net v0.33.0 // indirect golang.org/x/oauth2 v0.24.0 // indirect golang.org/x/sync v0.10.0 // indirect golang.org/x/sys v0.28.0 // indirect @@ -80,7 +83,6 @@ require ( gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect - google.golang.org/grpc v1.68.1 // indirect google.golang.org/protobuf v1.35.2 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index f8357426c4..b88cbe43f8 100644 --- a/go.sum +++ b/go.sum 
@@ -1,3 +1,5 @@ +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.33.0-20240401165935-b983156c5e99.1 h1:2IGhRovxlsOIQgx2ekZWo4wTPAYpck41+18ICxs37is= +buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.33.0-20240401165935-b983156c5e99.1/go.mod h1:Tgn5bgL220vkFOI0KPStlcClPeOJzAv4uT+V8JXGUnw= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= @@ -19,8 +21,8 @@ github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU= github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0= -github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA= -github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= +github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4= +github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 
@@ -38,10 +40,12 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -62,8 +66,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= -github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -81,6 +85,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/nginx/agent/v3 v3.0.0-20241220140549-28adb688a8b4 h1:Tn0SOlxq9uaJuqc6DUGZGYszrtHAHOaLnhbBWMzK1Bs= +github.com/nginx/agent/v3 v3.0.0-20241220140549-28adb688a8b4/go.mod h1:HDi/Je5AKCe5by/hWs2jbzUqi3BN4K32hMD2/hWN5G8= github.com/nginxinc/telemetry-exporter v0.1.2 h1:97vUGhQYgQ2KEsXKCBmr5gqfuujJCKPHwdg5HKoANUs= github.com/nginxinc/telemetry-exporter v0.1.2/go.mod h1:eKa/Ceh9irmyZ1xV2QxBIxduIyVC5RlmtiWwcTlHuMg= github.com/onsi/ginkgo/v2 v2.22.1 h1:QW7tbJAUDyVDVOM5dFa7qaybo+CRfR7bemlQUN6Z8aM= 
@@ -129,6 +135,8 @@ go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5W go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M= go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM= go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM= +go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU= +go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ= go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s= go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg= @@ -142,8 +150,8 @@ go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk= +golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= 
@@ -152,8 +160,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI= -golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE= golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -190,8 +198,10 @@ google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1: google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08= google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= -google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= -google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= +google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU= +google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/internal/mode/static/manager.go b/internal/mode/static/manager.go index fc2ced95f2..0c72745345 100644 --- a/internal/mode/static/manager.go +++ b/internal/mode/static/manager.go @@ -9,6 +9,7 @@ import ( tel "github.com/nginxinc/telemetry-exporter/pkg/telemetry" "github.com/prometheus/client_golang/prometheus" "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc" + "google.golang.org/grpc" appsv1 "k8s.io/api/apps/v1" apiv1 "k8s.io/api/core/v1" discoveryV1 "k8s.io/api/discovery/v1" @@ -70,6 +71,7 @@ const ( plusCAField = "ca.crt" plusClientCertField = "tls.crt" plusClientKeyField = "tls.key" + grpcServerPort = 8443 ) var scheme = runtime.NewScheme() 
@@ -176,11 +178,24 @@ func StartManager(cfg config.Config) error { Logger: cfg.Logger.WithName("deployCtxCollector"), }) - eventHandler := newEventHandlerImpl(eventHandlerConfig{ - nginxUpdater: &agent.NginxUpdaterImpl{ - Logger: cfg.Logger.WithName("nginxUpdater"), - Plus: cfg.Plus, + nginxUpdater := agent.NewNginxUpdater(cfg.Logger.WithName("nginxUpdater"), cfg.Plus) + + grpcServer := &agent.GRPCServer{ + Logger: cfg.Logger.WithName("agentGRPCServer"), + RegisterServices: []func(*grpc.Server){ + nginxUpdater.CommandService.Register, + nginxUpdater.FileService.Register, }, + Port: grpcServerPort, + } + + if err = mgr.Add(&runnables.LeaderOrNonLeader{Runnable: grpcServer}); err != nil { + return fmt.Errorf("cannot register grpc server: %w", err) + } + + // TODO(sberman): event handler loop should wait on a channel until the grpc server has started + eventHandler := newEventHandlerImpl(eventHandlerConfig{ + nginxUpdater: nginxUpdater, metricsCollector: handlerCollector, statusUpdater: groupStatusUpdater, processor: processor, diff --git a/internal/mode/static/nginx/agent/agent.go b/internal/mode/static/nginx/agent/agent.go index 93777628f2..c6955040cb 100644 --- a/internal/mode/static/nginx/agent/agent.go +++ b/internal/mode/static/nginx/agent/agent.go @@ -16,8 +16,19 @@ type NginxUpdater interface { // NginxUpdaterImpl implements the NginxUpdater interface. type NginxUpdaterImpl struct { - Logger logr.Logger - Plus bool + CommandService *commandService + FileService *fileService + Logger logr.Logger + Plus bool +} + +func NewNginxUpdater(logger logr.Logger, plus bool) *NginxUpdaterImpl { + return &NginxUpdaterImpl{ + Logger: logger, + Plus: plus, + CommandService: newCommandService(), + FileService: newFileService(), + } } // UpdateConfig sends the nginx configuration to the agent. diff --git a/internal/mode/static/nginx/agent/command.go b/internal/mode/static/nginx/agent/command.go new file mode 100644 index 0000000000..3cdf6ce101 --- /dev/null 
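Review bot: `grpcServerPort = 8443` is a bare constant while the same value is pinned independently in the deploy manifests in this PR (the Service's `targetPort: 8443`, the `containerPort: 8443` added to the nginx-gateway container) and, via the Service's port 443, in the agent ConfigMap; nothing ties the three together. Add to the constant in the const hunk above: `// grpcServerPort is the agent gRPC listener port; it must match the agent-grpc containerPort in the control plane Deployment and the Service targetPort.` The server is wrapped in runnables.LeaderOrNonLeader, so every replica listens, which is presumably intended since the Service selects all control-plane pods. The TODO already records that the event handler may start before the listener is bound; StartManager continues outside the hunk.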
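Review bot: NewNginxUpdater is exported but has no doc comment, and the two new CommandService and FileService fields on NginxUpdaterImpl are likewise undocumented. Suggested comment on the constructor: `// NewNginxUpdater returns an NginxUpdaterImpl whose CommandService and FileService are initialized; their Register methods are what the caller passes to GRPCServer.RegisterServices.` A one-line comment on each new field stating that it is the control-plane implementation of the corresponding agent gRPC service would complete it. The struct's use in UpdateConfig continues outside the hunk.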
+++ b/internal/mode/static/nginx/agent/command.go 
@@ -0,0 +1,89 @@
+package agent
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "time"
+
+ pb "github.com/nginx/agent/v3/api/grpc/mpi/v1"
+ "google.golang.org/grpc"
+)
+
+// commandService handles the connection and subscription to the agent.
+type commandService struct {
+ pb.CommandServiceServer
+}
+
+func newCommandService() *commandService {
+ return &commandService{}
+}
+
+func (cs *commandService) Register(server *grpc.Server) {
+ pb.RegisterCommandServiceServer(server, cs)
+}
+
+func (cs *commandService) CreateConnection(
+ _ context.Context,
+ req *pb.CreateConnectionRequest,
+) (*pb.CreateConnectionResponse, error) {
+ if req == nil {
+ return nil, errors.New("empty connection request")
+ }
+
+ fmt.Printf("Creating connection for nginx pod: %s\n", req.GetResource().GetContainerInfo().GetHostname())
+
+ return &pb.CreateConnectionResponse{
+ Response: &pb.CommandResponse{
+ Status: pb.CommandResponse_COMMAND_STATUS_OK,
+ },
+ }, nil
+}
+
+func (cs *commandService) Subscribe(in pb.CommandService_SubscribeServer) error {
+ fmt.Println("Received subscribe request")
+
+ ctx := in.Context()
+
+ for {
+ select {
+ case <-ctx.Done():
+ return ctx.Err()
+ case <-time.After(1 * time.Minute):
+ dummyRequest := &pb.ManagementPlaneRequest{
+ Request: &pb.ManagementPlaneRequest_StatusRequest{
+ StatusRequest: &pb.StatusRequest{},
+ },
+ }
+ if err := in.Send(dummyRequest); err != nil { // will likely need retry logic
+ fmt.Printf("ERROR: %v\n", err)
+ }
+ }
+ }
+}
+
+func (cs *commandService) UpdateDataPlaneStatus(
+ _ context.Context,
+ req *pb.UpdateDataPlaneStatusRequest,
+) (*pb.UpdateDataPlaneStatusResponse, error) {
+ fmt.Println("Updating data plane status")
+
+ if req == nil {
+ return nil, errors.New("empty update data plane status request")
+ }
+
+ return &pb.UpdateDataPlaneStatusResponse{}, nil
+}
+
+func (cs *commandService) UpdateDataPlaneHealth(
+ _ context.Context,
+ req *pb.UpdateDataPlaneHealthRequest,
+) (*pb.UpdateDataPlaneHealthResponse, error) {
+ fmt.Println("Updating data plane health")
+
+ if req == nil {
+ return nil, errors.New("empty update dataplane health request")
+ }
+
+ return &pb.UpdateDataPlaneHealthResponse{}, nil
+}
diff --git a/internal/mode/static/nginx/agent/file.go b/internal/mode/static/nginx/agent/file.go
new file mode 100644
index 0000000000..9a3df38c4e
--- /dev/null
+++ b/internal/mode/static/nginx/agent/file.go
@@ -0,0 +1,62 @@
+package agent
+
+import (
+ "context"
+ "fmt"
+
+ pb "github.com/nginx/agent/v3/api/grpc/mpi/v1"
+ "google.golang.org/grpc"
+)
+
+// fileService handles file management between the control plane and the agent.
+type fileService struct {
+ pb.FileServiceServer
+}
+
+func newFileService() *fileService {
+ return &fileService{}
+}
+
+func (fs *fileService) Register(server *grpc.Server) {
+ pb.RegisterFileServiceServer(server, fs)
+}
+
+func (fs *fileService) GetOverview(
+ _ context.Context,
+ _ *pb.GetOverviewRequest,
+) (*pb.GetOverviewResponse, error) {
+ fmt.Println("Get overview request")
+
+ return &pb.GetOverviewResponse{
+ Overview: &pb.FileOverview{},
+ }, nil
+}
+
+func (fs *fileService) UpdateOverview(
+ _ context.Context,
+ _ *pb.UpdateOverviewRequest,
+) (*pb.UpdateOverviewResponse, error) {
+ fmt.Println("Update overview request")
+
+ return &pb.UpdateOverviewResponse{}, nil
+}
+
+func (fs *fileService) GetFile(
+ _ context.Context,
+ req *pb.GetFileRequest,
+) (*pb.GetFileResponse, error) {
+ filename := req.GetFileMeta().GetName()
+ hash := req.GetFileMeta().GetHash()
+ fmt.Printf("Getting file: %s, %s\n", filename, hash)
+
+ return &pb.GetFileResponse{}, nil
+}
+
+func (fs *fileService) UpdateFile(
+ _ context.Context,
+ req *pb.UpdateFileRequest,
+) (*pb.UpdateFileResponse, error) {
+ fmt.Println("Update file request for: ", req.GetFile().GetFileMeta().GetName())
+
+ return &pb.UpdateFileResponse{}, nil
+}
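Review bot: commandService embeds the `pb.CommandServiceServer` interface itself, so any method of that interface not defined on commandService is dispatched through a nil interface value and panics inside the gRPC handler; grpc.go registers no recovery interceptor, so such a panic would take the control plane process down, and it becomes reachable from any client on the listener as soon as the agent's service definition gains a method this file lacks. Embed the generated forward-compatible stub instead, `pb.UnimplementedCommandServiceServer`, which answers codes.Unimplemented for anything not overridden; fileService in file.go has the same `pb.FileServiceServer` embedding and should move to `pb.UnimplementedFileServiceServer`. CreateConnection also returns COMMAND_STATUS_OK for every non-nil request without recording anything about the caller beyond a hostname printed with fmt.Printf, and every RPC here logs through fmt rather than the logr logger the rest of the manager uses; give the service a Logger field (GRPCServer in grpc.go already carries one) so connection and status events land in the structured log where they can be reviewed. In Subscribe, `time.After` inside the for/select creates a new timer every minute; a `time.NewTicker(1 * time.Minute)` stopped with defer is the usual shape.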
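Review bot: `fmt.Println("Update file request for: ", ...)` in UpdateFile inserts its own separator between operands, so the message prints with a doubled space after the colon; `fmt.Printf("Update file request for: %s\n", req.GetFile().GetFileMeta().GetName())` matches the Printf form GetFile uses just above. GetFile and UpdateFile read req only through the generated getters, which tolerate a nil request, whereas command.go guards with explicit nil checks; the two files should settle on one convention so a reader does not wonder whether the omission here is deliberate.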
diff --git a/internal/mode/static/nginx/agent/grpc.go b/internal/mode/static/nginx/agent/grpc.go
new file mode 100644
index 0000000000..ef52b72e18
--- /dev/null
+++ b/internal/mode/static/nginx/agent/grpc.go
@@ -0,0 +1,54 @@
+package agent
+
+import (
+ "context"
+ "fmt"
+ "net"
+ "time"
+
+ "github.com/go-logr/logr"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/keepalive"
+ "sigs.k8s.io/controller-runtime/pkg/manager"
+)
+
+// GRPCServer is a gRPC server for communicating with the nginx agent.
+type GRPCServer struct {
+ Logger logr.Logger
+ // RegisterServices is a list of functions to register gRPC services to the gRPC server.
+ RegisterServices []func(*grpc.Server)
+ // Port is the port that the server is listening on.
+ // Must be exposed in the control plane deployment/service.
+ Port int
+}
+
+// Start is a runnable that starts the gRPC server for communicating with the nginx agent.
+func (g *GRPCServer) Start(ctx context.Context) error {
+ listener, err := net.Listen("tcp", fmt.Sprintf(":%d", g.Port))
+ if err != nil {
+ return err
+ }
+
+ server := grpc.NewServer(
+ grpc.KeepaliveParams(
+ keepalive.ServerParameters{
+ Time: 1 * time.Minute,
+ Timeout: 15 * time.Second,
+ },
+ ),
+ )
+
+ for _, registerSvc := range g.RegisterServices {
+ registerSvc(server)
+ }
+
+ go func() {
+ <-ctx.Done()
+ g.Logger.Info("Shutting down GRPC Server")
+ server.GracefulStop()
+ }()
+
+ return server.Serve(listener)
+}
+
+var _ manager.Runnable = &GRPCServer{}
diff --git a/tests/go.mod b/tests/go.mod
index f48aed64fe..2ca50a5bc7 100644
--- a/tests/go.mod
+++ b/tests/go.mod
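Review bot: `grpc.NewServer` in Start is configured with keepalive options only, so the listener bound on `:%d` accepts plaintext, unauthenticated connections from anything that can reach port 8443 and every such client passes CreateConnection; pass `grpc.Creds(...)` with TLS server credentials (mutual TLS if the agent is to be identified) before this leaves the prototype stage, noting that the agent ConfigMap in this PR configures no TLS on its side either. Separately, the shutdown goroutine calls `server.GracefulStop()` unconditionally; GracefulStop waits for in-flight handlers and, as far as I can tell, does not cancel their contexts, while the Subscribe stream in command.go only returns when its own stream context ends, so with an agent connected the stop can block past the control-plane pod's 30s terminationGracePeriodSeconds and end in SIGKILL. Bound it with a timer and fall back to `server.Stop()`, as below; the `net.Listen` error should also carry the port, `return fmt.Errorf("listening on port %d: %w", g.Port, err)`.
```go
	go func() {
		<-ctx.Done()
		g.Logger.Info("Shutting down GRPC Server")
		stopped := make(chan struct{})
		go func() {
			server.GracefulStop()
			close(stopped)
		}()
		select {
		case <-stopped:
		case <-time.After(gracefulStopTimeout): // new package const; a constructed value such as 10 * time.Second, below the pod grace period
			g.Logger.Info("GRPC Server did not stop gracefully in time; forcing stop")
			server.Stop()
		}
	}()
	// … unchanged: return server.Serve(listener) …
```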
@@ -43,7 +43,7 @@ require ( github.com/influxdata/tdigest v0.0.1 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.9 // indirect + github.com/klauspost/compress v1.17.11 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/miekg/dns v1.1.62 // indirect github.com/moby/spdystream v0.5.0 // indirect @@ -59,9 +59,9 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/stretchr/testify v1.9.0 // indirect github.com/x448/float16 v0.8.4 // indirect - golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect + golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e // indirect golang.org/x/mod v0.22.0 // indirect - golang.org/x/net v0.32.0 // indirect + golang.org/x/net v0.33.0 // indirect golang.org/x/oauth2 v0.24.0 // indirect golang.org/x/sync v0.10.0 // indirect golang.org/x/sys v0.28.0 // indirect @@ -71,7 +71,7 @@ require ( golang.org/x/tools v0.28.0 // indirect gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect - google.golang.org/grpc v1.68.1 // indirect + google.golang.org/grpc v1.69.2 // indirect google.golang.org/protobuf v1.35.2 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/tests/go.sum b/tests/go.sum index 0eb57c31c4..8418d36ab2 100644 --- a/tests/go.sum +++ b/tests/go.sum 
@@ -22,6 +22,8 @@ github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= @@ -61,8 +63,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= -github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= +github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -121,6 +123,18 @@ github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= +go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= +go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw= +go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I= +go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ= +go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M= +go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM= +go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM= +go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc= +go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8= +go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s= +go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= 
@@ -131,8 +145,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= -golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e h1:I88y4caeGeuDQxgdoFPUq097j7kNfw6uvuiNxUBfcBk= +golang.org/x/exp v0.0.0-20240904232852-e7e105dedf7e/go.mod h1:akd2r19cwCdwSwWeIdzYQGa/EZZyqcOdwWiwj5L5eKQ= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= 
@@ -141,8 +155,8 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI= -golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE= golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -181,8 +195,8 @@ gonum.org/v1/gonum v0.0.0-20181121035319-3f7ecaa7e8ca/go.mod h1:Y+Yx5eoAFn32cQvJ gonum.org/v1/netlib v0.0.0-20181029234149-ec6d1f5cefe6/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY= google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU= -google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= -google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= +google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU= +google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4= google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 57cb436ad16cecc11181fa666176f274beed6e1b Mon Sep 17 00:00:00 2001 From: Saylor Berman Date: Thu, 2 Jan 2025 09:57:06 -0700 Subject: [PATCH 2/2] Code review --- build/Dockerfile.nginx | 1 + internal/mode/static/nginx/agent/grpc.go | 9 +++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx index f3236a4312..27576c0fc1 100644 --- a/build/Dockerfile.nginx +++ b/build/Dockerfile.nginx @@ -1,4 +1,5 @@ # syntax=docker/dockerfile:1.12 +# TODO(sberman): the commented out lines are for when we use the published agent release # FROM scratch AS nginx-files # # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 diff --git a/internal/mode/static/nginx/agent/grpc.go b/internal/mode/static/nginx/agent/grpc.go index ef52b72e18..6c558da2f3 100644 --- a/internal/mode/static/nginx/agent/grpc.go 
+++ b/internal/mode/static/nginx/agent/grpc.go @@ -12,6 +12,11 @@ import ( "sigs.k8s.io/controller-runtime/pkg/manager" ) +const ( + keepAliveTime = 1 * time.Minute + keepAliveTimeout = 15 * time.Second +) + // GRPCServer is a gRPC server for communicating with the nginx agent. type GRPCServer struct { Logger logr.Logger @@ -32,8 +37,8 @@ func (g *GRPCServer) Start(ctx context.Context) error { server := grpc.NewServer( grpc.KeepaliveParams( keepalive.ServerParameters{ - Time: 1 * time.Minute, - Timeout: 15 * time.Second, + Time: keepAliveTime, + Timeout: keepAliveTimeout, }, ), )