Implement ClientSettingsPolicy Attachment

Author: Kate Osborn

apis/v1alpha1/clientsettingspolicy_types.go

@@ -95,7 +95,11 @@ type ClientKeepAlive struct {
 
 	// Timeout defines the keep-alive timeouts for clients.
 	//
+	// +kubebuilder:validation:XValidation:message="header can only be specified if server is specified",rule="!(has(self.header) && !has(self.server))"
+	//
+	//
 	// +optional
+	//nolint:lll
 	Timeout *ClientKeepAliveTimeout `json:"timeout,omitempty"`
 }
 

apis/v1alpha1/policy_methods.go

@@ -0,0 +1,21 @@
+package v1alpha1
+
+import (
+	"sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+// FIXME(kate-osborn): https://github.com/nginxinc/nginx-gateway-fabric/issues/1939.
+// Figure out a way to generate these methods for all our policies.
+// These methods implement the policies.Policy interface which extends client.Object to add the following methods.
+
+func (p *ClientSettingsPolicy) GetTargetRef() v1alpha2.PolicyTargetReference {
+	return p.Spec.TargetRef
+}
+
+func (p *ClientSettingsPolicy) GetPolicyStatus() v1alpha2.PolicyStatus {
+	return p.Status
+}
+
+func (p *ClientSettingsPolicy) SetPolicyStatus(status v1alpha2.PolicyStatus) {
+	p.Status = status
+}

charts/nginx-gateway-fabric/templates/deployment.yaml

@@ -124,6 +124,8 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
         {{- with .Values.nginxGateway.extraVolumeMounts -}}
         {{ toYaml . | nindent 8 }}
         {{- end }}
@@ -161,6 +163,8 @@ spec:
           mountPath: /var/cache/nginx
         - name: nginx-lib
           mountPath: /var/lib/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
         {{- with .Values.nginx.extraVolumeMounts -}}
         {{ toYaml . | nindent 8 }}
         {{- end }}
@@ -195,6 +199,8 @@ spec:
         emptyDir: {}
       - name: nginx-lib
         emptyDir: {}
+      - name: nginx-includes
+        emptyDir: {}
       {{- with .Values.extraVolumes -}}
       {{ toYaml . | nindent 6 }}
       {{- end }}

charts/nginx-gateway-fabric/templates/rbac.yaml

@@ -113,6 +113,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways
+  - clientsettingspolicies
   verbs:
   - get
   - list
@@ -128,6 +129,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways/status
+  - clientsettingspolicies/status
   verbs:
   - update
 {{- if .Values.nginxGateway.leaderElection.enable }}

config/crd/bases/gateway.nginx.org_clientsettingspolicies.yaml

@@ -108,6 +108,9 @@ spec:
                         pattern: ^\d{1,4}(ms|s)?$
                         type: string
                     type: object
+                    x-kubernetes-validations:
+                    - message: header can only be specified if server is specified
+                      rule: '!(has(self.header) && !has(self.server))'
                 type: object
               targetRef:
                 description: |-

conformance/provisioner/static-deployment.yaml

@@ -76,6 +76,8 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
@@ -106,6 +108,8 @@ spec:
           mountPath: /var/cache/nginx
         - name: nginx-lib
           mountPath: /var/lib/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       terminationGracePeriodSeconds: 30
       serviceAccountName: nginx-gateway
       shareProcessNamespace: true
@@ -125,3 +129,5 @@ spec:
         emptyDir: {}
       - name: nginx-lib
         emptyDir: {}
+      - name: nginx-includes
+        emptyDir: {}

deploy/manifests/nginx-gateway-experimental.yaml

@@ -95,6 +95,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways
+  - clientsettingspolicies
   verbs:
   - get
   - list
@@ -110,6 +111,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways/status
+  - clientsettingspolicies/status
   verbs:
   - update
 - apiGroups:
@@ -228,6 +230,8 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
@@ -258,6 +262,8 @@ spec:
           mountPath: /var/cache/nginx
         - name: nginx-lib
           mountPath: /var/lib/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       terminationGracePeriodSeconds: 30
       serviceAccountName: nginx-gateway
       shareProcessNamespace: true
@@ -277,6 +283,8 @@ spec:
         emptyDir: {}
       - name: nginx-lib
         emptyDir: {}
+      - name: nginx-includes
+        emptyDir: {}
 ---
 # Source: nginx-gateway-fabric/templates/gatewayclass.yaml
 apiVersion: gateway.networking.k8s.io/v1

deploy/manifests/nginx-gateway.yaml

@@ -90,6 +90,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways
+  - clientsettingspolicies
   verbs:
   - get
   - list
@@ -105,6 +106,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways/status
+  - clientsettingspolicies/status
   verbs:
   - update
 - apiGroups:
@@ -222,6 +224,8 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
         imagePullPolicy: Always
         name: nginx
@@ -252,6 +256,8 @@ spec:
           mountPath: /var/cache/nginx
         - name: nginx-lib
           mountPath: /var/lib/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       terminationGracePeriodSeconds: 30
       serviceAccountName: nginx-gateway
       shareProcessNamespace: true
@@ -271,6 +277,8 @@ spec:
         emptyDir: {}
       - name: nginx-lib
         emptyDir: {}
+      - name: nginx-includes
+        emptyDir: {}
 ---
 # Source: nginx-gateway-fabric/templates/gatewayclass.yaml
 apiVersion: gateway.networking.k8s.io/v1

deploy/manifests/nginx-plus-gateway-experimental.yaml

@@ -101,6 +101,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways
+  - clientsettingspolicies
   verbs:
   - get
   - list
@@ -116,6 +117,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways/status
+  - clientsettingspolicies/status
   verbs:
   - update
 - apiGroups:
@@ -235,6 +237,8 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       - image: nginx-gateway-fabric/nginx-plus:edge
         imagePullPolicy: Always
         name: nginx
@@ -265,6 +269,8 @@ spec:
           mountPath: /var/cache/nginx
         - name: nginx-lib
           mountPath: /var/lib/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       terminationGracePeriodSeconds: 30
       serviceAccountName: nginx-gateway
       shareProcessNamespace: true
@@ -284,6 +290,8 @@ spec:
         emptyDir: {}
       - name: nginx-lib
         emptyDir: {}
+      - name: nginx-includes
+        emptyDir: {}
 ---
 # Source: nginx-gateway-fabric/templates/gatewayclass.yaml
 apiVersion: gateway.networking.k8s.io/v1

deploy/manifests/nginx-plus-gateway.yaml

@@ -96,6 +96,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways
+  - clientsettingspolicies
   verbs:
   - get
   - list
@@ -111,6 +112,7 @@ rules:
   - gateway.nginx.org
   resources:
   - nginxgateways/status
+  - clientsettingspolicies/status
   verbs:
   - update
 - apiGroups:
@@ -229,6 +231,8 @@ spec:
           mountPath: /etc/nginx/secrets
         - name: nginx-run
           mountPath: /var/run/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       - image: nginx-gateway-fabric/nginx-plus:edge
         imagePullPolicy: Always
         name: nginx
@@ -259,6 +263,8 @@ spec:
           mountPath: /var/cache/nginx
         - name: nginx-lib
           mountPath: /var/lib/nginx
+        - name: nginx-includes
+          mountPath: /etc/nginx/includes
       terminationGracePeriodSeconds: 30
       serviceAccountName: nginx-gateway
       shareProcessNamespace: true
@@ -278,6 +284,8 @@ spec:
         emptyDir: {}
       - name: nginx-lib
         emptyDir: {}
+      - name: nginx-includes
+        emptyDir: {}
 ---
 # Source: nginx-gateway-fabric/templates/gatewayclass.yaml
 apiVersion: gateway.networking.k8s.io/v1

examples/client-settings-policy/README.md

@@ -0,0 +1,5 @@
+TODO(kate-osborn): remove before merging to main
+
+# Client Settings Policy
+
+This contains examples for testing Client Settings Policy.

examples/client-settings-policy/cafe-routes.yaml

@@ -0,0 +1,43 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: coffee
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  - name: gateway
+    sectionName: http2
+  hostnames:
+  - "cafe.example.com"
+  - "cafe.example.org"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /coffee
+    backendRefs:
+    - name: coffee
+      port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: tea
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  - name: gateway
+    sectionName: http2
+  hostnames:
+  - "cafe.example.com"
+  - "cafe.example.org"
+  rules:
+  - matches:
+    - path:
+        type: Exact
+        value: /tea
+    backendRefs:
+    - name: tea
+      port: 80

examples/client-settings-policy/cafe.yaml

@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coffee
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: coffee
+  template:
+    metadata:
+      labels:
+        app: coffee
+    spec:
+      containers:
+      - name: coffee
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coffee
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: coffee
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tea
+  template:
+    metadata:
+      labels:
+        app: tea
+    spec:
+      containers:
+      - name: tea
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tea
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: tea