Allow configuration of NGINX Plus API access (#3066)

Allow configuration of NGINX Plus API access.

Problem: We want the ability to configure access to the NGINX Plus dashboard.

Solution: Add a field AllowedAddresses in the NginxProxy API to allow the user to configure access to the NGINX Plus dashboard.

Testing: Unit tests. Manually configured an NginxProxy resource, set up a Kind cluster with a Nodeport following our Get started guide, and confirmed that I could access the dashboard without needing to port-forward. Verified nginx plus template code is present when running on nginx plus and not present when running on nginx oss.

Author: bjee19

apis/v1alpha1/nginxproxy_types.go

@@ -49,11 +49,21 @@ type NginxProxySpec struct {
 	//
 	// +optional
 	Logging *NginxLogging `json:"logging,omitempty"`
+	// NginxPlus specifies NGINX Plus additional settings.
+	//
+	// +optional
+	NginxPlus *NginxPlus `json:"nginxPlus,omitempty"`
 	// DisableHTTP2 defines if http2 should be disabled for all servers.
 	// Default is false, meaning http2 will be enabled for all servers.
+	DisableHTTP2 bool `json:"disableHTTP2,omitempty"`
+}
+
+// NginxPlus specifies NGINX Plus additional settings. These will only be applied if NGINX Plus is being used.
+type NginxPlus struct {
+	// AllowedAddresses specifies IPAddresses or CIDR blocks to the allow list for accessing the NGINX Plus API.
 	//
 	// +optional
-	DisableHTTP2 bool `json:"disableHTTP2,omitempty"`
+	AllowedAddresses []NginxPlusAllowAddress `json:"allowedAddresses,omitempty"`
 }
 
 // Telemetry specifies the OpenTelemetry configuration.
@@ -149,7 +159,7 @@ type RewriteClientIP struct {
 	// +listType=map
 	// +listMapKey=type
 	// +kubebuilder:validation:MaxItems=16
-	TrustedAddresses []Address `json:"trustedAddresses,omitempty"`
+	TrustedAddresses []RewriteClientIPAddress `json:"trustedAddresses,omitempty"`
 }
 
 // RewriteClientIPModeType defines how NGINX Gateway Fabric will determine the client's original IP address.
@@ -183,28 +193,49 @@ const (
 	IPv6 IPFamilyType = "ipv6"
 )
 
-// Address is a struct that specifies address type and value.
-type Address struct {
+// RewriteClientIPAddress specifies the address type and value for a RewriteClientIP address.
+type RewriteClientIPAddress struct {
 	// Type specifies the type of address.
-	Type AddressType `json:"type"`
+	Type RewriteClientIPAddressType `json:"type"`
 
 	// Value specifies the address value.
 	Value string `json:"value"`
 }
 
-// AddressType specifies the type of address.
+// RewriteClientIPAddressType specifies the type of address.
 // +kubebuilder:validation:Enum=CIDR;IPAddress;Hostname
-type AddressType string
+type RewriteClientIPAddressType string
 
 const (
-	// CIDRAddressType specifies that the address is a CIDR block.
-	CIDRAddressType AddressType = "CIDR"
+	// RewriteClientIPCIDRAddressType specifies that the address is a CIDR block.
+	RewriteClientIPCIDRAddressType RewriteClientIPAddressType = "CIDR"
+
+	// RewriteClientIPIPAddressType specifies that the address is an IP address.
+	RewriteClientIPIPAddressType RewriteClientIPAddressType = "IPAddress"
+
+	// RewriteClientIPHostnameAddressType specifies that the address is a Hostname.
+	RewriteClientIPHostnameAddressType RewriteClientIPAddressType = "Hostname"
+)
 
-	// IPAddressType specifies that the address is an IP address.
-	IPAddressType AddressType = "IPAddress"
+// NginxPlusAllowAddress specifies the address type and value for an NginxPlus allow address.
+type NginxPlusAllowAddress struct {
+	// Type specifies the type of address.
+	Type NginxPlusAllowAddressType `json:"type"`
+
+	// Value specifies the address value.
+	Value string `json:"value"`
+}
+
+// NginxPlusAllowAddressType specifies the type of address.
+// +kubebuilder:validation:Enum=CIDR;IPAddress
+type NginxPlusAllowAddressType string
+
+const (
+	// NginxPlusAllowCIDRAddressType specifies that the address is a CIDR block.
+	NginxPlusAllowCIDRAddressType NginxPlusAllowAddressType = "CIDR"
 
-	// HostnameAddressType specifies that the address is a Hostname.
-	HostnameAddressType AddressType = "Hostname"
+	// NginxPlusAllowIPAddressType specifies that the address is an IP address.
+	NginxPlusAllowIPAddressType NginxPlusAllowAddressType = "IPAddress"
 )
 
 // NginxLogging defines logging related settings for NGINX.

apis/v1alpha1/zz_generated.deepcopy.go

@@ -93,6 +93,34 @@
               "required": [],
               "type": "object"
             },
+            "nginxPlus": {
+              "description": "NginxPlus specifies NGINX Plus additional settings.",
+              "properties": {
+                "allowedAddresses": {
+                  "items": {
+                    "properties": {
+                      "type": {
+                        "enum": [
+                          "CIDR",
+                          "IPAddress"
+                        ],
+                        "required": [],
+                        "type": "string"
+                      },
+                      "value": {
+                        "required": [],
+                        "type": "string"
+                      }
+                    },
+                    "required": []
+                  },
+                  "required": [],
+                  "type": "array"
+                }
+              },
+              "required": [],
+              "type": "object"
+            },
             "rewriteClientIP": {
               "description": "RewriteClientIP defines configuration for rewriting the client IP to the original client's IP.",
               "properties": {

charts/nginx-gateway-fabric/values.schema.json

@@ -244,6 +244,21 @@ nginx:
   #           - crit
   #           - alert
   #           - emerg
+  #   nginxPlus:
+  #     type: object
+  #     description: NginxPlus specifies NGINX Plus additional settings.
+  #     properties:
+  #       allowedAddresses:
+  #         type: array
+  #         items:
+  #           properties:
+  #             type:
+  #               type: string
+  #               enum:
+  #                 - CIDR
+  #                 - IPAddress
+  #             value:
+  #               type: string
   # @schema
   # -- The configuration for the data plane that is contained in the NginxProxy resource.
   config: {}

charts/nginx-gateway-fabric/values.yaml

@@ -83,6 +83,31 @@ spec:
                     - emerg
                     type: string
                 type: object
+              nginxPlus:
+                description: NginxPlus specifies NGINX Plus additional settings.
+                properties:
+                  allowedAddresses:
+                    description: AllowedAddresses specifies IPAddresses or CIDR blocks
+                      to the allow list for accessing the NGINX Plus API.
+                    items:
+                      description: NginxPlusAllowAddress specifies the address type
+                        and value for an NginxPlus allow address.
+                      properties:
+                        type:
+                          description: Type specifies the type of address.
+                          enum:
+                          - CIDR
+                          - IPAddress
+                          type: string
+                        value:
+                          description: Value specifies the address value.
+                          type: string
+                      required:
+                      - type
+                      - value
+                      type: object
+                    type: array
+                type: object
               rewriteClientIP:
                 description: RewriteClientIP defines configuration for rewriting the
                   client IP to the original client's IP.
@@ -122,8 +147,8 @@ spec:
                       Sets NGINX directive set_real_ip_from: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
                       This field is required if mode is set.
                     items:
-                      description: Address is a struct that specifies address type
-                        and value.
+                      description: RewriteClientIPAddress specifies the address type
+                        and value for a RewriteClientIP address.
                       properties:
                         type:
                           description: Type specifies the type of address.

config/crd/bases/gateway.nginx.org_nginxproxies.yaml

@@ -668,6 +668,31 @@ spec:
                     - emerg
                     type: string
                 type: object
+              nginxPlus:
+                description: NginxPlus specifies NGINX Plus additional settings.
+                properties:
+                  allowedAddresses:
+                    description: AllowedAddresses specifies IPAddresses or CIDR blocks
+                      to the allow list for accessing the NGINX Plus API.
+                    items:
+                      description: NginxPlusAllowAddress specifies the address type
+                        and value for an NginxPlus allow address.
+                      properties:
+                        type:
+                          description: Type specifies the type of address.
+                          enum:
+                          - CIDR
+                          - IPAddress
+                          type: string
+                        value:
+                          description: Value specifies the address value.
+                          type: string
+                      required:
+                      - type
+                      - value
+                      type: object
+                    type: array
+                type: object
               rewriteClientIP:
                 description: RewriteClientIP defines configuration for rewriting the
                   client IP to the original client's IP.
@@ -707,8 +732,8 @@ spec:
                       Sets NGINX directive set_real_ip_from: https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
                       This field is required if mode is set.
                     items:
-                      description: Address is a struct that specifies address type
-                        and value.
+                      description: RewriteClientIPAddress specifies the address type
+                        and value for a RewriteClientIP address.
                       properties:
                         type:
                           description: Type specifies the type of address.

deploy/crds.yaml

@@ -174,7 +174,7 @@ func (h *eventHandlerImpl) HandleEventBatch(ctx context.Context, logger logr.Log
 		return
 	case state.EndpointsOnlyChange:
 		h.version++
-		cfg := dataplane.BuildConfiguration(ctx, gr, h.cfg.serviceResolver, h.version)
+		cfg := dataplane.BuildConfiguration(ctx, gr, h.cfg.serviceResolver, h.version, h.cfg.plus)
 		depCtx, getErr := h.getDeploymentContext(ctx)
 		if getErr != nil {
 			logger.Error(getErr, "error getting deployment context for usage reporting")
@@ -190,7 +190,7 @@ func (h *eventHandlerImpl) HandleEventBatch(ctx context.Context, logger logr.Log
 		}
 	case state.ClusterStateChange:
 		h.version++
-		cfg := dataplane.BuildConfiguration(ctx, gr, h.cfg.serviceResolver, h.version)
+		cfg := dataplane.BuildConfiguration(ctx, gr, h.cfg.serviceResolver, h.version, h.cfg.plus)
 		depCtx, getErr := h.getDeploymentContext(ctx)
 		if getErr != nil {
 			logger.Error(getErr, "error getting deployment context for usage reporting")

internal/mode/static/handler.go

@@ -442,6 +442,7 @@ var _ = Describe("eventHandler", func() {
 				handler.HandleEventBatch(context.Background(), ctlrZap.New(), batch)
 
 				dcfg := dataplane.GetDefaultConfiguration(&graph.Graph{}, 1)
+				dcfg.NginxPlus = dataplane.NginxPlus{AllowedAddresses: []string{"127.0.0.1"}}
 				Expect(helpers.Diff(handler.GetLatestConfiguration(), &dcfg)).To(BeEmpty())
 
 				Expect(fakeGenerator.GenerateCallCount()).To(Equal(0))

internal/mode/static/handler_test.go

@@ -27,30 +27,6 @@ http {
   tcp_nopush on;
 
   server_tokens off;
-
-  server {
-    listen 127.0.0.1:8765;
-    root /usr/share/nginx/html;
-    access_log off;
-
-    allow 127.0.0.1;
-    deny all;
-
-    location = /dashboard.html {}
-
-    location /api {
-      api write=off;
-    }
-  }
-
-  server {
-    listen unix:/var/run/nginx/nginx-plus-api.sock;
-    access_log off;
-
-    location /api {
-        api write=on;
-    }
-  }
 }
 
 stream {