Allow configuration of NGINX Plus API access

Add back removed comments

Adjust comment

Author: bjee19

apis/v1alpha1/nginxproxy_types.go

@@ -49,11 +49,23 @@ type NginxProxySpec struct {
 	//
 	// +optional
 	Logging *NginxLogging `json:"logging,omitempty"`
+	// NginxPlus specifies NGINX Plus additional settings.
+	//
+	// +optional
+	NginxPlus *NginxPlus `json:"nginxPlus,omitempty"`
 	// DisableHTTP2 defines if http2 should be disabled for all servers.
 	// Default is false, meaning http2 will be enabled for all servers.
+	DisableHTTP2 bool `json:"disableHTTP2,omitempty"`
+}
+
+// NginxPlus specifies NGINX Plus additional settings. These will only be applied if NGINX Plus is being used.
+type NginxPlus struct {
+	// AllowedAddresses specifies IPAddresses or CIDR blocks to the allow list for accessing the NGINX Plus API.
 	//
+	//nolint:lll
 	// +optional
-	DisableHTTP2 bool `json:"disableHTTP2,omitempty"`
+	// +kubebuilder:validation:items:XValidation:message="Address Type must be either CIDR or IPAddress",rule="(self.type=='CIDR' || self.type=='IPAddress')"
+	AllowedAddresses []Address `json:"allowedAddresses,omitempty"`
 }
 
 // Telemetry specifies the OpenTelemetry configuration.

apis/v1alpha1/zz_generated.deepcopy.go

@@ -83,6 +83,35 @@ spec:
                     - emerg
                     type: string
                 type: object
+              nginxPlus:
+                description: NginxPlus specifies NGINX Plus additional settings.
+                properties:
+                  allowedAddresses:
+                    description: AllowedAddresses specifies IPAddresses or CIDR blocks
+                      to the allow list for accessing the NGINX Plus API.
+                    items:
+                      description: Address is a struct that specifies address type
+                        and value.
+                      properties:
+                        type:
+                          description: Type specifies the type of address.
+                          enum:
+                          - CIDR
+                          - IPAddress
+                          - Hostname
+                          type: string
+                        value:
+                          description: Value specifies the address value.
+                          type: string
+                      required:
+                      - type
+                      - value
+                      type: object
+                      x-kubernetes-validations:
+                      - message: Address Type must be either CIDR or IPAddress
+                        rule: (self.type=='CIDR' || self.type=='IPAddress')
+                    type: array
+                type: object
               rewriteClientIP:
                 description: RewriteClientIP defines configuration for rewriting the
                   client IP to the original client's IP.

config/crd/bases/gateway.nginx.org_nginxproxies.yaml

@@ -668,6 +668,35 @@ spec:
                     - emerg
                     type: string
                 type: object
+              nginxPlus:
+                description: NginxPlus specifies NGINX Plus additional settings.
+                properties:
+                  allowedAddresses:
+                    description: AllowedAddresses specifies IPAddresses or CIDR blocks
+                      to the allow list for accessing the NGINX Plus API.
+                    items:
+                      description: Address is a struct that specifies address type
+                        and value.
+                      properties:
+                        type:
+                          description: Type specifies the type of address.
+                          enum:
+                          - CIDR
+                          - IPAddress
+                          - Hostname
+                          type: string
+                        value:
+                          description: Value specifies the address value.
+                          type: string
+                      required:
+                      - type
+                      - value
+                      type: object
+                      x-kubernetes-validations:
+                      - message: Address Type must be either CIDR or IPAddress
+                        rule: (self.type=='CIDR' || self.type=='IPAddress')
+                    type: array
+                type: object
               rewriteClientIP:
                 description: RewriteClientIP defines configuration for rewriting the
                   client IP to the original client's IP.

deploy/crds.yaml

@@ -27,30 +27,6 @@ http {
   tcp_nopush on;
 
   server_tokens off;
-
-  server {
-    listen 127.0.0.1:8765;
-    root /usr/share/nginx/html;
-    access_log off;
-
-    allow 127.0.0.1;
-    deny all;
-
-    location = /dashboard.html {}
-
-    location /api {
-      api write=off;
-    }
-  }
-
-  server {
-    listen unix:/var/run/nginx/nginx-plus-api.sock;
-    access_log off;
-
-    location /api {
-        api write=on;
-    }
-  }
 }
 
 stream {

internal/mode/static/nginx/conf/nginx-plus.conf

@@ -58,6 +58,9 @@ const (
 
 	// mgmtIncludesFile is the path to the file containing the NGINX Plus mgmt config.
 	mgmtIncludesFile = mainIncludesFolder + "/mgmt.conf"
+
+	// nginxPlusConfigFile is the path to the file containing the NGINX Plus API config.
+	nginxPlusConfigFile = httpFolder + "/plus-api.conf"
 )
 
 // ConfigFolders is a list of folders where NGINX configuration files are stored.
@@ -199,6 +202,7 @@ func (g GeneratorImpl) getExecuteFuncs(
 		g.executeStreamUpstreams,
 		executeStreamMaps,
 		executeVersion,
+		executePlusAPI,
 	}
 }
 

internal/mode/static/nginx/config/generator.go

@@ -132,6 +132,7 @@ func TestGenerate(t *testing.T) {
 			graph.PlusReportClientSSLCertificate: []byte("cert"),
 			graph.PlusReportClientSSLKey:         []byte("key"),
 		},
+		NginxPlus: dataplane.NginxPlus{AllowedAddresses: []string{"127.0.0.3", "25.0.0.3"}},
 	}
 	g := NewWithT(t)
 
@@ -144,7 +145,7 @@ func TestGenerate(t *testing.T) {
 
 	files := generator.Generate(conf)
 
-	g.Expect(files).To(HaveLen(17))
+	g.Expect(files).To(HaveLen(18))
 	arrange := func(i, j int) bool {
 		return files[i].Path < files[j].Path
 	}
@@ -155,6 +156,7 @@ func TestGenerate(t *testing.T) {
 		/etc/nginx/conf.d/config-version.conf
 		/etc/nginx/conf.d/http.conf
 		/etc/nginx/conf.d/matches.json
+		/etc/nginx/conf.d/plus-api.conf
 		/etc/nginx/includes/http_snippet1.conf
 		/etc/nginx/includes/http_snippet2.conf
 		/etc/nginx/includes/main_snippet1.conf
@@ -196,65 +198,76 @@ func TestGenerate(t *testing.T) {
 	g.Expect(httpCfg).To(ContainSubstring("include /etc/nginx/includes/http_snippet2.conf;"))
 
 	g.Expect(files[2].Path).To(Equal("/etc/nginx/conf.d/matches.json"))
-
 	g.Expect(files[2].Type).To(Equal(file.TypeRegular))
 	expString := "{}"
 	g.Expect(string(files[2].Content)).To(Equal(expString))
 
+	g.Expect(files[3].Path).To(Equal("/etc/nginx/conf.d/plus-api.conf"))
+	g.Expect(files[3].Type).To(Equal(file.TypeRegular))
+	httpCfg = string(files[3].Content)
+	g.Expect(httpCfg).To(ContainSubstring("listen unix:/var/run/nginx/nginx-plus-api.sock;"))
+	g.Expect(httpCfg).To(ContainSubstring("access_log off;"))
+	g.Expect(httpCfg).To(ContainSubstring("listen 8765;"))
+	g.Expect(httpCfg).To(ContainSubstring("root /usr/share/nginx/html;"))
+	g.Expect(httpCfg).To(ContainSubstring("allow 127.0.0.3;"))
+	g.Expect(httpCfg).To(ContainSubstring("allow 25.0.0.3;"))
+	g.Expect(httpCfg).To(ContainSubstring("deny all;"))
+	g.Expect(httpCfg).To(ContainSubstring("location = /dashboard.html {}"))
+
 	// snippet include files
 	// content is not checked in this test.
-	g.Expect(files[3].Path).To(Equal("/etc/nginx/includes/http_snippet1.conf"))
-	g.Expect(files[4].Path).To(Equal("/etc/nginx/includes/http_snippet2.conf"))
-	g.Expect(files[5].Path).To(Equal("/etc/nginx/includes/main_snippet1.conf"))
-	g.Expect(files[6].Path).To(Equal("/etc/nginx/includes/main_snippet2.conf"))
+	g.Expect(files[4].Path).To(Equal("/etc/nginx/includes/http_snippet1.conf"))
+	g.Expect(files[5].Path).To(Equal("/etc/nginx/includes/http_snippet2.conf"))
+	g.Expect(files[6].Path).To(Equal("/etc/nginx/includes/main_snippet1.conf"))
+	g.Expect(files[7].Path).To(Equal("/etc/nginx/includes/main_snippet2.conf"))
 
-	g.Expect(files[7].Path).To(Equal("/etc/nginx/main-includes/deployment_ctx.json"))
-	deploymentCtx := string(files[7].Content)
+	g.Expect(files[8].Path).To(Equal("/etc/nginx/main-includes/deployment_ctx.json"))
+	deploymentCtx := string(files[8].Content)
 	g.Expect(deploymentCtx).To(ContainSubstring("\"integration\":\"ngf\""))
 	g.Expect(deploymentCtx).To(ContainSubstring("\"cluster_id\":\"test-uid\""))
 	g.Expect(deploymentCtx).To(ContainSubstring("\"installation_id\":\"test-uid-replicaSet\""))
 	g.Expect(deploymentCtx).To(ContainSubstring("\"cluster_node_count\":1"))
 
-	g.Expect(files[8].Path).To(Equal("/etc/nginx/main-includes/main.conf"))
-	mainConfStr := string(files[8].Content)
+	g.Expect(files[9].Path).To(Equal("/etc/nginx/main-includes/main.conf"))
+	mainConfStr := string(files[9].Content)
 	g.Expect(mainConfStr).To(ContainSubstring("load_module modules/ngx_otel_module.so;"))
 	g.Expect(mainConfStr).To(ContainSubstring("include /etc/nginx/includes/main_snippet1.conf;"))
 	g.Expect(mainConfStr).To(ContainSubstring("include /etc/nginx/includes/main_snippet2.conf;"))
 
-	g.Expect(files[9].Path).To(Equal("/etc/nginx/main-includes/mgmt.conf"))
-	mgmtConf := string(files[9].Content)
+	g.Expect(files[10].Path).To(Equal("/etc/nginx/main-includes/mgmt.conf"))
+	mgmtConf := string(files[10].Content)
 	g.Expect(mgmtConf).To(ContainSubstring("usage_report endpoint=test-endpoint"))
 	g.Expect(mgmtConf).To(ContainSubstring("license_token /etc/nginx/secrets/license.jwt"))
 	g.Expect(mgmtConf).To(ContainSubstring("deployment_context /etc/nginx/main-includes/deployment_ctx.json"))
 	g.Expect(mgmtConf).To(ContainSubstring("ssl_trusted_certificate /etc/nginx/secrets/mgmt-ca.crt"))
 	g.Expect(mgmtConf).To(ContainSubstring("ssl_certificate /etc/nginx/secrets/mgmt-tls.crt"))
 	g.Expect(mgmtConf).To(ContainSubstring("ssl_certificate_key /etc/nginx/secrets/mgmt-tls.key"))
 
-	g.Expect(files[10].Path).To(Equal("/etc/nginx/secrets/license.jwt"))
-	g.Expect(string(files[10].Content)).To(Equal("license"))
+	g.Expect(files[11].Path).To(Equal("/etc/nginx/secrets/license.jwt"))
+	g.Expect(string(files[11].Content)).To(Equal("license"))
 
-	g.Expect(files[11].Path).To(Equal("/etc/nginx/secrets/mgmt-ca.crt"))
-	g.Expect(string(files[11].Content)).To(Equal("ca"))
+	g.Expect(files[12].Path).To(Equal("/etc/nginx/secrets/mgmt-ca.crt"))
+	g.Expect(string(files[12].Content)).To(Equal("ca"))
 
-	g.Expect(files[12].Path).To(Equal("/etc/nginx/secrets/mgmt-tls.crt"))
-	g.Expect(string(files[12].Content)).To(Equal("cert"))
+	g.Expect(files[13].Path).To(Equal("/etc/nginx/secrets/mgmt-tls.crt"))
+	g.Expect(string(files[13].Content)).To(Equal("cert"))
 
-	g.Expect(files[13].Path).To(Equal("/etc/nginx/secrets/mgmt-tls.key"))
-	g.Expect(string(files[13].Content)).To(Equal("key"))
+	g.Expect(files[14].Path).To(Equal("/etc/nginx/secrets/mgmt-tls.key"))
+	g.Expect(string(files[14].Content)).To(Equal("key"))
 
-	g.Expect(files[14].Path).To(Equal("/etc/nginx/secrets/test-certbundle.crt"))
-	certBundle := string(files[14].Content)
+	g.Expect(files[15].Path).To(Equal("/etc/nginx/secrets/test-certbundle.crt"))
+	certBundle := string(files[15].Content)
 	g.Expect(certBundle).To(Equal("test-cert"))
 
-	g.Expect(files[15]).To(Equal(file.File{
+	g.Expect(files[16]).To(Equal(file.File{
 		Type:    file.TypeSecret,
 		Path:    "/etc/nginx/secrets/test-keypair.pem",
 		Content: []byte("test-cert\ntest-key"),
 	}))
 
-	g.Expect(files[16].Path).To(Equal("/etc/nginx/stream-conf.d/stream.conf"))
-	g.Expect(files[16].Type).To(Equal(file.TypeRegular))
-	streamCfg := string(files[16].Content)
+	g.Expect(files[17].Path).To(Equal("/etc/nginx/stream-conf.d/stream.conf"))
+	g.Expect(files[17].Type).To(Equal(file.TypeRegular))
+	streamCfg := string(files[17].Content)
 	g.Expect(streamCfg).To(ContainSubstring("listen unix:/var/run/nginx/app.example.com-443.sock"))
 	g.Expect(streamCfg).To(ContainSubstring("listen 443"))
 	g.Expect(streamCfg).To(ContainSubstring("app.example.com unix:/var/run/nginx/app.example.com-443.sock"))

internal/mode/static/nginx/config/generator_test.go

@@ -0,0 +1,19 @@
+package config
+
+import (
+	gotemplate "text/template"
+
+	"github.com/nginx/nginx-gateway-fabric/internal/framework/helpers"
+	"github.com/nginx/nginx-gateway-fabric/internal/mode/static/state/dataplane"
+)
+
+var plusAPITemplate = gotemplate.Must(gotemplate.New("plusAPI").Parse(plusAPITemplateText))
+
+func executePlusAPI(conf dataplane.Configuration) []executeResult {
+	result := executeResult{
+		dest: nginxPlusConfigFile,
+		data: helpers.MustExecuteTemplate(plusAPITemplate, conf.NginxPlus),
+	}
+
+	return []executeResult{result}
+}

internal/mode/static/nginx/config/plus_api.go

@@ -0,0 +1,28 @@
+package config
+
+const plusAPITemplateText = `
+server {
+    listen unix:/var/run/nginx/nginx-plus-api.sock;
+    access_log off;
+
+    location /api {
+	    api write=on;
+    }
+}
+
+server {
+    listen 8765;
+    root /usr/share/nginx/html;
+    access_log off;
+    {{ range $address := .AllowedAddresses }}
+    allow {{ $address }};
+    {{- end }}
+    deny all;
+
+    location = /dashboard.html {}
+
+    location /api {
+      api write=off;
+    }
+}
+`

internal/mode/static/nginx/config/plus_api_template.go

@@ -0,0 +1,37 @@
+package config
+
+import (
+	"strings"
+	"testing"
+
+	. "github.com/onsi/gomega"
+
+	"github.com/nginx/nginx-gateway-fabric/internal/mode/static/state/dataplane"
+)
+
+func TestExecutePlusAPI(t *testing.T) {
+	t.Parallel()
+	conf := dataplane.Configuration{
+		NginxPlus: dataplane.NginxPlus{AllowedAddresses: []string{"127.0.0.1", "25.0.0.3"}},
+	}
+
+	g := NewWithT(t)
+	expSubStrings := map[string]int{
+		"listen unix:/var/run/nginx/nginx-plus-api.sock;": 1,
+		"access_log off;":               2,
+		"api write=on;":                 1,
+		"listen 8765;":                  1,
+		"root /usr/share/nginx/html;":   1,
+		"allow 127.0.0.1;":              1,
+		"allow 25.0.0.3;":               1,
+		"deny all;":                     1,
+		"location = /dashboard.html {}": 1,
+		"api write=off;":                1,
+	}
+
+	for expSubStr, expCount := range expSubStrings {
+		res := executePlusAPI(conf)
+		g.Expect(res).To(HaveLen(1))
+		g.Expect(expCount).To(Equal(strings.Count(string(res[0].data), expSubStr)))
+	}
+}