Configure Agent

Makefile

@@ -12,7 +12,7 @@ OUT_DIR=$(shell pwd)/build/.out
 
 .DEFAULT_GOAL := help
 
-AGENT_VERSION ?= 2.22.1
+AGENT_VERSION ?= 2.24.1
 ALPINE_VERSION ?= 3.16
 NGINX_WITH_AGENT_PREFIX ?= nginx-with-agent
 

build/Dockerfile

@@ -1,44 +1,27 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1.5
 FROM golang:1.20 as builder
 ARG VERSION
 ARG GIT_COMMIT
 ARG DATE
 
 WORKDIR /go/src/github.com/nginxinc/nginx-kubernetes-gateway/cmd/gateway
 
-COPY go.mod go.sum /go/src/github.com/nginxinc/nginx-kubernetes-gateway
+COPY go.mod go.sum /go/src/github.com/nginxinc/nginx-kubernetes-gateway/
 RUN go mod download
 
 COPY cmd /go/src/github.com/nginxinc/nginx-kubernetes-gateway/cmd
 COPY internal /go/src/github.com/nginxinc/nginx-kubernetes-gateway/internal
-COPY pkg /go/src/github.com/nginxinc/nginx-kubernetes-gateway/pkg
 RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -a -ldflags "-s -w -X main.version=${VERSION} -X main.commit=${GIT_COMMIT} -X main.date=${DATE}" -o gateway .
 
-FROM alpine:3.17 as capabilizer
-RUN apk add --no-cache libcap
-
-FROM capabilizer as local-capabilizer
-COPY ./build/.out/gateway /usr/bin/
-RUN setcap 'cap_kill=+ep' /usr/bin/gateway
-
-FROM capabilizer as container-capabilizer
-COPY --from=builder /go/src/github.com/nginxinc/nginx-kubernetes-gateway/cmd/gateway/gateway /usr/bin/
-RUN setcap 'cap_kill=+ep' /usr/bin/gateway
-
-FROM capabilizer as goreleaser-capabilizer
-ARG TARGETARCH
-COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/
-RUN setcap 'cap_kill=+ep' /usr/bin/gateway
-
 FROM scratch as common
 USER 1001:1001
 ENTRYPOINT [ "/usr/bin/gateway" ]
 
 FROM common as container
-COPY --from=container-capabilizer /usr/bin/gateway /usr/bin/
+COPY --from=builder /go/src/github.com/nginxinc/nginx-kubernetes-gateway/cmd/gateway/gateway /usr/bin/
 
 FROM common as local
-COPY --from=local-capabilizer /usr/bin/gateway /usr/bin/
+COPY ./build/.out/gateway /usr/bin/
 
 FROM common as goreleaser
-COPY --from=goreleaser-capabilizer /usr/bin/gateway /usr/bin/
+COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/

build/nginx-with-agent/nginx-agent.conf

@@ -31,10 +31,10 @@ metrics:
 
 # OSS NGINX default config path
 # path to aux file dirs can also be added
-config_dirs: "/etc/nginx"
+config_dirs: "/etc/nginx:/etc/nginx/conf.d:/etc/nginx/secrets"
 
 server:
-  host: 127.0.0.1 # change to nginx-gateway.nginx-gateway if testing agent in separate deployment
+  host: nginx-gateway.nginx-gateway
   grpcPort: 54789
 
 # TLS is temporarily disabled. Once we fully separate the data plane from the control plane TLS will be enabled.

deploy/manifests/nginx-gateway.yaml

@@ -84,71 +84,30 @@ spec:
       labels:
         app: nginx-gateway
     spec:
-      shareProcessNamespace: true
       serviceAccountName: nginx-gateway
-      securityContext:
-        sysctls:
-        - name: "net.ipv4.ip_unprivileged_port_start"
-          value: "0"
-      volumes:
-      - name: nginx-config
-        emptyDir: { }
-      - name: var-lib-nginx
-        emptyDir: { }
-      - name: njs-modules
-        configMap:
-          name: njs-modules
-      initContainers:
-      - image: busybox:1.34 # FIXME(pleshakov): use gateway container to init the Config with proper main config
-        name: nginx-config-initializer
-        command: [ 'sh', '-c', 'echo "load_module /usr/lib/nginx/modules/ngx_http_js_module.so; events {}  pid /etc/nginx/nginx.pid; error_log stderr debug; http { include /etc/nginx/conf.d/*.conf; js_import /usr/lib/nginx/modules/njs/httpmatches.js; }" > /etc/nginx/nginx.conf && mkdir /etc/nginx/conf.d /etc/nginx/secrets && chown 1001:0 /etc/nginx/conf.d /etc/nginx/secrets' ]
-        volumeMounts:
-        - name: nginx-config
-          mountPath: /etc/nginx
       containers:
-      - image: docker.io/nginx-kubernetes-gateway:edge # FIXME(kate-osborn): change back to ghcr before merging to main
+      - image: docker.io/library/nginx-kubernetes-gateway:edge # FIXME(kate-osborn): change back to ghcr before merging to main
         imagePullPolicy: IfNotPresent # FIXME(kate-osborn): change back to Always before merging to main
         name: nginx-gateway
         ports:
         - name: grpc
           containerPort: 54789
-        volumeMounts:
-        - name: nginx-config
-          mountPath: /etc/nginx
         securityContext:
-          runAsUser: 1001
-          # FIXME(pleshakov) - figure out which capabilities are required
-          # dropping ALL and adding only CAP_KILL doesn't work
-          # Note: CAP_KILL is needed for sending HUP signal to NGINX main process
+          runAsUser: 1001 #FIXME(kate-osborn): figure out what securityContext we need.
         args:
         - --gateway-ctlr-name=k8s-gateway.nginx.org/nginx-gateway-controller
         - --gatewayclass=nginx
-      - image: nginx:1.23 # I will remove the nginx container once the control plane can push config to nginx-with-agent.
-        imagePullPolicy: IfNotPresent
-        name: nginx
-        ports:
-        - name: http
-          containerPort: 80
-        - name: https
-          containerPort: 443
-        volumeMounts:
-        - name: nginx-config
-          mountPath: /etc/nginx
-        - name: var-lib-nginx
-          mountPath: /var/lib/nginx
-        - name: njs-modules
-          mountPath: /usr/lib/nginx/modules/njs
-      - name: nginx-with-agent
-        image: docker.io/nginx-kubernetes-gateway/nginx-with-agent:edge
-        imagePullPolicy: IfNotPresent
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: 101 #nginx
-          capabilities:
-            drop:
-            - ALL
-        ports:
-        - name: http
-          containerPort: 80
-        - name: https
-          containerPort: 443
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-gateway
+  namespace: nginx-gateway
+spec:
+  ports:
+  - port: 54789
+    targetPort: 54789
+    protocol: TCP
+    name: grpc
+  selector:
+    app: nginx-gateway

build/nginx-with-agent/nginx-with-agent.yaml → deploy/manifests/nginx-with-agent.yaml

@@ -3,6 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: nginx-with-agent
+  namespace: nginx-gateway
 spec:
   replicas: 1
   selector:

deploy/manifests/service/loadbalancer-aws-nlb.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: nginx-gateway
+  name: nginx-with-agent
   namespace: nginx-gateway
   annotations:
     service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
@@ -13,4 +13,4 @@ spec:
     protocol: TCP
     name: http
   selector:
-    app: nginx-gateway
+    app: nginx-with-agent

deploy/manifests/service/loadbalancer.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: nginx-gateway
+  name: nginx-with-agent
   namespace: nginx-gateway
 spec:
   externalTrafficPolicy: Local
@@ -16,4 +16,4 @@ spec:
     protocol: TCP
     name: https
   selector:
-    app: nginx-gateway
+    app: nginx-with-agent

deploy/manifests/service/nodeport.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: nginx-gateway
+  name: nginx-with-agent
   namespace: nginx-gateway
 spec:
   type: NodePort 
@@ -11,4 +11,4 @@ spec:
     protocol: TCP
     name: http
   selector:
-    app: nginx-gateway
+    app: nginx-with-agent

examples/many-updates/1-cafe-routes.yaml

@@ -0,0 +1,37 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: coffee
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /coffee
+    backendRefs:
+    - name: coffee
+      port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: tea
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /tea
+    backendRefs:
+    - name: tea
+      port: 80

examples/many-updates/2-cafe-routes.yaml

@@ -0,0 +1,37 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: coffee
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /coffee-v2
+    backendRefs:
+    - name: coffee
+      port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: tea
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /tea-v2
+    backendRefs:
+    - name: tea
+      port: 80

examples/many-updates/3-cafe-routes.yaml

@@ -0,0 +1,37 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: coffee
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /coffee-v3
+    backendRefs:
+    - name: coffee
+      port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: tea
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /tea-v3
+    backendRefs:
+    - name: tea
+      port: 80

examples/many-updates/4-cafe-routes.yaml

@@ -0,0 +1,37 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: coffee
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /coffee-v4
+    backendRefs:
+    - name: coffee
+      port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: tea
+spec:
+  parentRefs:
+  - name: gateway
+    sectionName: http
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /tea-v4
+    backendRefs:
+    - name: tea
+      port: 80