Watch SnippetsFilters when feature is enabled and add to graph (#2519)

Problem: SnippetsFilters need to be in graph before we can write status to them.

Solution: Register controller for SnippetsFilter when the flag --snippets-filter is set. Add SnippetsFilter to graph so we can write its status. Validate SnippetsFilter.

Author: kate-osborn

apis/v1alpha1/snippetsfilter_types.go

@@ -38,6 +38,10 @@ type SnippetsFilterSpec struct {
 	// Snippets is a list of NGINX configuration snippets.
 	// There can only be one snippet per context.
 	// Allowed contexts: main, http, http.server, http.server.location.
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:MaxItems=4
+	// +kubebuilder:validation:XValidation:message="Only one snippet allowed per context",rule="self.all(s1, self.exists_one(s2, s1.context == s2.context))"
+	//nolint:lll
 	Snippets []Snippet `json:"snippets"`
 }
 
@@ -47,6 +51,7 @@ type Snippet struct {
 	Context NginxContext `json:"context"`
 
 	// Value is the NGINX configuration snippet.
+	// +kubebuilder:validation:MinLength=1
 	Value string `json:"value"`
 }
 
@@ -104,7 +109,7 @@ const (
 	// the condition is true.
 	SnippetsFilterConditionReasonAccepted SnippetsFilterConditionReason = "Accepted"
 
-	// SnippetsFilterConditionTypeInvalid is used with the Accepted condition type when
+	// SnippetsFilterConditionReasonInvalid is used with the Accepted condition type when
 	// SnippetsFilter is invalid.
-	SnippetsFilterConditionTypeInvalid SnippetsFilterConditionType = "Invalid"
+	SnippetsFilterConditionReasonInvalid SnippetsFilterConditionReason = "Invalid"
 )

charts/nginx-gateway-fabric/README.md

@@ -294,6 +294,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginxGateway.replicaCount` | The number of replicas of the NGINX Gateway Fabric Deployment. | int | `1` |
 | `nginxGateway.resources` | The resource requests and/or limits of the nginx-gateway container. | object | `{}` |
 | `nginxGateway.securityContext.allowPrivilegeEscalation` | Some environments may need this set to true in order for the control plane to successfully reload NGINX. | bool | `false` |
+| `nginxGateway.snippetsFilters.enable` | Enable SnippetsFilters feature. SnippetsFilters allow inserting NGINX configuration into the generated NGINX config for HTTPRoute and GRPCRoute resources. | bool | `false` |
 | `nodeSelector` | The nodeSelector of the NGINX Gateway Fabric pod. | object | `{}` |
 | `service.annotations` | The annotations of the NGINX Gateway Fabric service. | object | `{}` |
 | `service.create` | Creates a service to expose the NGINX Gateway Fabric pods. | bool | `true` |

charts/nginx-gateway-fabric/templates/clusterrole.yaml

@@ -104,6 +104,9 @@ rules:
   - nginxproxies
   - clientsettingspolicies
   - observabilitypolicies
+  {{- if .Values.nginxGateway.snippetsFilters.enable }}
+  - snippetsfilters
+  {{- end }}
   verbs:
   - list
   - watch
@@ -113,6 +116,9 @@ rules:
   - nginxgateways/status
   - clientsettingspolicies/status
   - observabilitypolicies/status
+  {{- if .Values.nginxGateway.snippetsFilters.enable }}
+  - snippetsfilters/status
+  {{- end }}
   verbs:
   - update
 {{- if .Values.nginxGateway.leaderElection.enable }}

charts/nginx-gateway-fabric/templates/deployment.yaml

@@ -102,6 +102,9 @@ spec:
         {{- if .Values.nginx.usage.insecureSkipVerify }}
         - --usage-report-skip-verify
         {{- end }}
+        {{- if .Values.nginxGateway.snippetsFilters.enable }}
+        - --snippets-filters
+        {{- end }}
         env:
         - name: POD_IP
           valueFrom:

charts/nginx-gateway-fabric/values.yaml

@@ -113,6 +113,11 @@ nginxGateway:
     # APIs installed from the experimental channel.
     enable: false
 
+  snippetsFilters:
+    # -- Enable SnippetsFilters feature. SnippetsFilters allow inserting NGINX configuration into the generated NGINX
+    # config for HTTPRoute and GRPCRoute resources.
+    enable: false
+
 nginx:
   image:
     # -- The NGINX image to use.

cmd/gateway/commands.go

@@ -67,6 +67,7 @@ func createStaticModeCommand() *cobra.Command {
 		usageReportServerURLFlag    = "usage-report-server-url"
 		usageReportSkipVerifyFlag   = "usage-report-skip-verify"
 		usageReportClusterNameFlag  = "usage-report-cluster-name"
+		snippetsFiltersFlag         = "snippets-filters"
 	)
 
 	// flag values
@@ -118,6 +119,8 @@ func createStaticModeCommand() *cobra.Command {
 		usageReportServerURL  = stringValidatingValue{
 			validator: validateURL,
 		}
+
+		snippetsFilters bool
 	)
 
 	cmd := &cobra.Command{
@@ -243,6 +246,7 @@ func createStaticModeCommand() *cobra.Command {
 					Names:  flagKeys,
 					Values: flagValues,
 				},
+				SnippetsFilters: snippetsFilters,
 			}
 
 			if err := static.StartManager(conf); err != nil {
@@ -398,6 +402,14 @@ func createStaticModeCommand() *cobra.Command {
 		"Disable client verification of the NGINX Plus usage reporting server certificate.",
 	)
 
+	cmd.Flags().BoolVar(
+		&snippetsFilters,
+		snippetsFiltersFlag,
+		false,
+		"Enable SnippetsFilters feature. SnippetsFilters allow inserting NGINX configuration into the "+
+			"generated NGINX config for HTTPRoute and GRPCRoute resources.",
+	)
+
 	return cmd
 }
 

cmd/gateway/commands_test.go

@@ -151,6 +151,7 @@ func TestStaticModeCmdFlagValidation(t *testing.T) {
 				"--usage-report-secret=default/my-secret",
 				"--usage-report-server-url=https://my-api.com",
 				"--usage-report-cluster-name=my-cluster",
+				"--snippets-filters",
 			},
 			wantErr: false,
 		},
@@ -366,6 +367,15 @@ func TestStaticModeCmdFlagValidation(t *testing.T) {
 			wantErr:           true,
 			expectedErrPrefix: `invalid argument "$invalid*(#)" for "--usage-report-cluster-name" flag: invalid format`,
 		},
+		{
+			name: "snippets-filters is not a bool",
+			expectedErrPrefix: `invalid argument "not-a-bool" for "--snippets-filters" flag: strconv.ParseBool:` +
+				` parsing "not-a-bool": invalid syntax`,
+			args: []string{
+				"--snippets-filters=not-a-bool",
+			},
+			wantErr: true,
+		},
 	}
 
 	// common flags validation is tested separately

config/crd/bases/gateway.nginx.org_snippetsfilters.yaml

@@ -68,12 +68,18 @@ spec:
                       type: string
                     value:
                       description: Value is the NGINX configuration snippet.
+                      minLength: 1
                       type: string
                   required:
                   - context
                   - value
                   type: object
+                maxItems: 4
+                minItems: 1
                 type: array
+                x-kubernetes-validations:
+                - message: Only one snippet allowed per context
+                  rule: self.all(s1, self.exists_one(s2, s1.context == s2.context))
             required:
             - snippets
             type: object