feat: Add NGINX Agent config template

Author: alessfg

CHANGELOG.md

@@ -10,6 +10,7 @@ BREAKING CHANGES:
 
 FEATURES:
 
+- Add support for templating the entire NGINX Agent configuration file.
 - Add support for installing NGINX Open Source on Alpine Linux 3.20.
 - Add support for installing NGINX Agent on Ubuntu noble.
 - Add validation tasks to check the Ansible version, the Jinja2 version, and whether the required Ansible collections for this role are installed.

defaults/main/agent.yml

@@ -1,19 +1,86 @@
 ---
-# Install NGINX Agent.
+# Install the NGINX Agent.
 # Requires access to either the NGINX stub_status or the NGINX Plus REST API.
 nginx_agent_enable: false
 
-# Specify the NGINX Agent data plane key/token.
-# This is required to authenticate the NGINX Agent with the NGINX One SaaS control plane available in F5 Distributed Cloud.
-# Default is null.
-nginx_agent_data_plane_key: null
+# Configure the NGINX Agent.
+nginx_agent_configure: false
 
-# Specify the control plane server host and port.
+#######################################################################################################################
+# The following parameters let you configure NGINX Agent.                                                             #
+# By default, the config produced is as close a match to the default config provided by NGINX Agent upon installation.#
+#######################################################################################################################
+
+# Specify the NGINX Agent API host and port. Optionally, specify the path to the cert and key.
+# Default is not enabled.
+# nginx_agent_api:
+#   host: 127.0.0.1
+#   port: 8081
+#   cert: /path/to/cert
+#   key: /path/to/key
+
+# Specify the control plane server host, port, and data plane key/token.
+# The data plane key is required to authenticate NGINX Agent with the NGINX One SaaS control plane available in F5 Distributed Cloud.
 # Default is the NGINX One SaaS control plane available in F5 Distributed Cloud.
-nginx_agent_server_host: agent.connect.nginx.com
-nginx_agent_server_port: 443
+# nginx_agent_server:
+#   host: agent.connect.nginx.com
+#   port: 443
+#   data_plane_key: ''
+
+# Enable TLS communication between data plane and control plane.
+# Optionally, specify the path to the TLS certificate, key, and CA certificate to enable mTLS.
+# nginx_agent_tls:
+#   enable: true
+#   skip_verify: false
+#   cert: /path/to/cert
+#   key: /path/to/key
+#   ca: /path/to/ca
+
+# Specify the log level and path.
+# Default is info for the log level and /var/log/nginx-agent/ for the log path.
+nginx_agent_log:
+  level: info
+  path: /var/log/nginx-agent/
+
+# Specify NGINX specific options within NGINX Agent.
+# Default is to not exclude any logs, to use the default socket path and to not treat warnings as errors.
+nginx_agent_nginx:
+  exclude_logs: '""'
+  socket: '"unix:/var/run/nginx-agent/nginx.sock"'
+  # treat_warnings_as_errors: false
+
+# Specify how often NGINX Agent polls the dataplane.
+# Default is 30s for poll interval and 24h for report interval.
+nginx_agent_dataplane_status:
+  poll_interval: 30s
+  report_interval: 24h
+
+# Specify how often NGINX Agent reports metrics to the control plane.
+# Default is 20 for the buffer/bulk size, 1m for report interval, 15s for collection interval and aggregated for mode.
+nginx_agent_metrics:
+  bulk_size: 20
+  report_interval: 1m
+  collection_interval: 15s
+  mode: aggregated
+
+# NGINX Open Source default config paths.
+# Default can be seen below.
+# nginx_agent_config_dirs: '"/etc/nginx:/usr/local/etc/nginx:/usr/share/nginx/modules"'
+
+# Internal NGINX Agent queue size.
+# Default is 100.
+# nginx_agent_queue_size: 100
+
+# NGINX Agent features.
+# Default is an empty list. See https://docs.nginx.com/nginx-agent/configuration/configuration-overview/ for more details.
+# nginx_agent_features: []
+
+# NGINX Agent extensions.
+# Default is an empty list. To enable NGINX App Protect reporting within NGINX Agent, use the 'nginx-app-protect' extension as below.
+# nginx_agent_extensions: ['nginx-app-protect']
 
-# Enable TLS communication between data plane and control plane
-# Default is true.
-nginx_agent_tls_enable: true
-nginx_agent_tls_skip_verify: false
+# NGINX Agent NGINX App Protect settings.
+# Default is not enabled.
+# nginx_agent_app_protect:
+#   report_interval: 15s
+#   precompiled_publication: true

handlers/main.yml

@@ -46,7 +46,7 @@
 - name: (Handler) Start NGINX Agent
   ansible.builtin.service:
     name: nginx-agent
-    state: started
+    state: restarted
     enabled: true
 
 - name: (Handler) Start logrotate

molecule/agent/converge.yml

@@ -7,4 +7,21 @@
         name: ansible-role-nginx
       vars:
         nginx_agent_enable: true
-        nginx_agent_data_plane_key: "{{ lookup('env', 'AGENT_DATA_PLANE_KEY') }}"
+        nginx_agent_configure: true
+        nginx_agent_server:
+          host: agent.connect.nginx.com
+          port: 443
+          data_plane_key: "{{ lookup('env', 'AGENT_DATA_PLANE_KEY') }}"
+        nginx_agent_tls:
+          enable: true
+          skip_verify: false
+        nginx_agent_nginx:
+          exclude_logs: '""'
+          socket: '"unix:/var/run/nginx-agent/nginx.sock"'
+          treat_warnings_as_errors: false
+        nginx_agent_config_dirs: '"/etc/nginx:/usr/local/etc/nginx:/usr/share/nginx/modules"'
+        nginx_agent_queue_size: 100
+        nginx_agent_extensions: ['metrics']
+        nginx_agent_api:
+          host: 127.0.0.1
+          port: 8081

tasks/agent/install-agent.yml

@@ -9,17 +9,10 @@
     state: present
 
 - name: Configure NGINX Agent
-  ansible.builtin.blockinfile:
-    backup: true
+  ansible.builtin.template:
+    src: nginx-agent/nginx-agent.conf.j2
+    dest: /etc/nginx-agent/nginx-agent.conf
     mode: "0644"
-    path: /etc/nginx-agent/nginx-agent.conf
-    block: |
-      server:
-        {{ ("token: " + nginx_agent_data_plane_key) if nginx_agent_data_plane_key is defined and nginx_agent_data_plane_key | length > 0 }}
-        host: {{ nginx_agent_server_host }}
-        grpcPort: {{ nginx_agent_server_port }}
-
-      tls:
-        enable: {{ nginx_agent_tls_enable }}
-        skip_verify: {{ nginx_agent_tls_skip_verify }}
+    backup: true
+  when: nginx_agent_configure | bool
   notify: (Handler) Start NGINX Agent

templates/nginx-agent/nginx-agent.conf.j2

@@ -0,0 +1,123 @@
+{{ ansible_managed | comment }}
+
+{% if nginx_agent_server is defined and nginx_agent_server is mapping %}
+server:
+{% if nginx_agent_server['data_plane_key'] is defined %}
+  token: {{ nginx_agent_server['data_plane_key'] }}
+{% endif %}
+  host: {{ nginx_agent_server['host'] }}
+  grpcPort: {{ nginx_agent_server['port'] }}
+{% endif %}
+
+{% if nginx_agent_tls is defined and nginx_agent_tls is mapping %}
+tls:
+  enable: {{ nginx_agent_tls['enable'] | bool }}
+  skip_verify: {{ nginx_agent_tls['skip_verify'] | bool }}
+{% if nginx_agent_tls['cert'] is defined %}
+  cert: {{ nginx_agent_tls['cert'] }}
+{% endif %}
+{% if nginx_agent_tls['key'] is defined %}
+  key: {{ nginx_agent_tls['key'] }}
+{% endif %}
+{% if nginx_agent_tls['ca'] is defined %}
+  ca: {{ nginx_agent_tls['ca'] }}
+{% endif %}
+{% endif %}
+
+{% if nginx_agent_log is defined and nginx_agent_log is mapping %}
+log:
+{% if nginx_agent_log['level'] is defined %}
+  level: {{ nginx_agent_log['level'] }}
+{% endif %}
+{% if nginx_agent_log['path'] is defined %}
+  path: {{ nginx_agent_log['path'] }}
+{% endif %}
+{% endif %}
+
+{% if nginx_agent_nginx is defined and nginx_agent_nginx is mapping %}
+nginx:
+{% if nginx_agent_nginx['exclude_logs'] is defined %}
+  exclude_logs: {{ nginx_agent_nginx['exclude_logs'] }}
+{% endif %}
+{% if nginx_agent_nginx['socket'] is defined %}
+  socket: {{ nginx_agent_nginx['socket'] }}
+{% endif %}
+{% if nginx_agent_nginx['treat_warnings_as_errors'] is defined and nginx_agent_nginx['treat_warnings_as_errors'] is boolean %}
+  treat_warnings_as_errors: {{ nginx_agent_nginx['treat_warnings_as_errors'] | ternary('true', 'false') }}
+{% endif %}
+{% endif %}
+
+{% if nginx_agent_dataplane_status is defined and nginx_agent_dataplane_status is mapping %}
+dataplane:
+  status:
+{% if nginx_agent_dataplane_status['poll_interval'] is defined %}
+    poll_interval: {{ nginx_agent_dataplane_status['poll_interval'] }}
+{% endif %}
+{% if nginx_agent_dataplane_status['report_interval'] is defined %}
+    report_interval: {{ nginx_agent_dataplane_status['report_interval'] }}
+{% endif %}
+{% endif %}
+
+{% if nginx_agent_metrics is defined and nginx_agent_metrics is mapping %}
+metrics:
+{% if nginx_agent_metrics['bulk_size'] is defined and nginx_agent_metrics['bulk_size'] is number %}
+  bulk_size: {{ nginx_agent_metrics['bulk_size'] }}
+{% endif %}
+{% if nginx_agent_metrics['report_interval'] is defined %}
+  report_interval: {{ nginx_agent_metrics['report_interval'] }}
+{% endif %}
+{% if nginx_agent_metrics['collection_interval'] is defined %}
+  collection_interval: {{ nginx_agent_metrics['collection_interval'] }}
+{% endif %}
+{% if nginx_agent_metrics['mode'] is defined %}
+  mode: {{ nginx_agent_metrics['mode'] }}
+{% endif %}
+{% endif %}
+
+{% if nginx_agent_config_dirs is defined %}
+config_dirs: {{ nginx_agent_config_dirs }}
+{% endif %}
+
+{% if nginx_agent_queue_size is defined and nginx_agent_queue_size is number %}
+queue_size: {{ nginx_agent_queue_size }}
+{% endif %}
+
+{% if nginx_agent_features is defined and nginx_agent_features is not mapping and nginx_agent_features is not string and nginx_agent_features | length > 0 %}
+features:
+{% for feature in nginx_agent_features %}
+  {{ "- " + feature }}
+{% endfor %}
+{% endif %}
+
+{% if nginx_agent_extensions is defined and nginx_agent_extensions is not mapping and nginx_agent_extensions is not string  and nginx_agent_extensions | length > 0 %}
+extensions:
+{% for extension in nginx_agent_extensions %}
+  {{ "- " + extension }}
+{% endfor %}
+{% endif %}
+
+{% if nginx_agent_app_protect is defined and nginx_agent_app_protect is mapping %}
+nginx_app_protect:
+{% if nginx_agent_app_protect['report_interval'] is defined %}
+  report_interval: {{ nginx_agent_app_protect['report_interval'] }}
+{% endif %}
+{% if nginx_agent_app_protect['precompiled_publication'] is defined and nginx_agent_app_protect['precompiled_publication'] is boolean %}
+  precompiled_publication: {{ nginx_agent_app_protect['precompiled_publication'] | ternary('true', 'false') }}
+{% endif %}
+{% endif %}
+
+{% if nginx_agent_api is defined and nginx_agent_api is mapping %}
+api:
+{% if nginx_agent_api['host'] is defined %}
+  host: {{ nginx_agent_api['host'] }}
+{% endif %}
+{% if nginx_agent_api['port'] is defined %}
+  port: {{ nginx_agent_api['port'] }}
+{% endif %}
+{% if nginx_agent_api['cert'] is defined %}
+  cert: {{ nginx_agent_api['cert'] }}
+{% endif %}
+{% if nginx_agent_api['key'] is defined %}
+  key: {{ nginx_agent_api['key'] }}
+{% endif %}
+{% endif %}