Add configurable data plane log level (#2603)

Add Nginx error log level to NginxProxy.

Problem: Users would like to assign a log level for the data plane.

Solution: Add Nginx error log level to NginxProxy which allows users to set the error log level for Nginx.

Testing: Unit tests and manual testing.

Author: bjee19

Diff for: apis/v1alpha1/nginxproxy_types.go

@@ -45,6 +45,10 @@ type NginxProxySpec struct {
 	// +optional
 	//nolint:lll
 	RewriteClientIP *RewriteClientIP `json:"rewriteClientIP,omitempty"`
+	// Logging defines logging related settings for NGINX.
+	//
+	// +optional
+	Logging *NginxLogging `json:"logging,omitempty"`
 	// DisableHTTP2 defines if http2 should be disabled for all servers.
 	// Default is false, meaning http2 will be enabled for all servers.
 	//
@@ -202,3 +206,46 @@ const (
 	// HostnameAddressType specifies that the address is a Hostname.
 	HostnameAddressType AddressType = "Hostname"
 )
+
+// NginxLogging defines logging related settings for NGINX.
+type NginxLogging struct {
+	// ErrorLevel defines the error log level. Possible log levels listed in order of increasing severity are
+	// debug, info, notice, warn, error, crit, alert, and emerg. Setting a certain log level will cause all messages
+	// of the specified and more severe log levels to be logged. For example, the log level 'error' will cause error,
+	// crit, alert, and emerg messages to be logged. https://nginx.org/en/docs/ngx_core_module.html#error_log
+	//
+	// +optional
+	// +kubebuilder:default=info
+	ErrorLevel *NginxErrorLogLevel `json:"errorLevel,omitempty"`
+}
+
+// NginxErrorLogLevel type defines the log level of error logs for NGINX.
+//
+// +kubebuilder:validation:Enum=debug;info;notice;warn;error;crit;alert;emerg
+type NginxErrorLogLevel string
+
+const (
+	// NginxLogLevelDebug is the debug level for NGINX error logs.
+	NginxLogLevelDebug NginxErrorLogLevel = "debug"
+
+	// NginxLogLevelInfo is the info level for NGINX error logs.
+	NginxLogLevelInfo NginxErrorLogLevel = "info"
+
+	// NginxLogLevelNotice is the notice level for NGINX error logs.
+	NginxLogLevelNotice NginxErrorLogLevel = "notice"
+
+	// NginxLogLevelWarn is the warn level for NGINX error logs.
+	NginxLogLevelWarn NginxErrorLogLevel = "warn"
+
+	// NginxLogLevelError is the error level for NGINX error logs.
+	NginxLogLevelError NginxErrorLogLevel = "error"
+
+	// NginxLogLevelCrit is the crit level for NGINX error logs.
+	NginxLogLevelCrit NginxErrorLogLevel = "crit"
+
+	// NginxLogLevelAlert is the alert level for NGINX error logs.
+	NginxLogLevelAlert NginxErrorLogLevel = "alert"
+
+	// NginxLogLevelEmerg is the emerg level for NGINX error logs.
+	NginxLogLevelEmerg NginxErrorLogLevel = "emerg"
+)

Diff for: apis/v1alpha1/zz_generated.deepcopy.go

@@ -7,8 +7,10 @@ ARG BUILD_AGENT
 
 RUN apk add --no-cache libcap \
     && mkdir -p /var/lib/nginx /usr/lib/nginx/modules \
-    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+	&& setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
+    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
     && apk del libcap
 
 COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js
@@ -22,4 +24,4 @@ LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}"
 
 USER 101:1001
 
-CMD ["sh", "-c", "rm -rf /var/run/nginx/*.sock && /docker-entrypoint.sh nginx -g 'daemon off;'"]
+CMD ["sh", "-c", "rm -rf /var/run/nginx/*.sock && nginx -g 'daemon off;'"]

Diff for: build/Dockerfile.nginx

@@ -20,8 +20,10 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
     && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
     && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel libcap \
     && mkdir -p /var/lib/nginx /usr/lib/nginx/modules \
-    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+	&& setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
+    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
     && apk del libcap \
     # forward request and error logs to docker log collector
     && ln -sf /dev/stdout /var/log/nginx/access.log \

Diff for: build/Dockerfile.nginxplus

@@ -261,6 +261,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `metrics.port` | Set the port where the Prometheus metrics are exposed. | int | `9113` |
 | `metrics.secure` | Enable serving metrics via https. By default metrics are served via http. Please note that this endpoint will be secured with a self-signed certificate. | bool | `false` |
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. | object | `{}` |
+| `nginx.debug` | Enable debugging for NGINX. Uses the nginx-debug binary. The NGINX error log level should be set to debug in the NginxProxy resource. | bool | `false` |
 | `nginx.extraVolumeMounts` | extraVolumeMounts are the additional volume mounts for the nginx container. | list | `[]` |
 | `nginx.image.pullPolicy` |  | string | `"Always"` |
 | `nginx.image.repository` | The NGINX image to use. | string | `"ghcr.io/nginxinc/nginx-gateway-fabric/nginx"` |

Diff for: charts/nginx-gateway-fabric/README.md

@@ -131,8 +131,8 @@ spec:
           mountPath: /etc/nginx/conf.d
         - name: nginx-stream-conf
           mountPath: /etc/nginx/stream-conf.d
-        - name: module-includes
-          mountPath: /etc/nginx/module-includes
+        - name: nginx-main-includes
+          mountPath: /etc/nginx/main-includes
         - name: nginx-secrets
           mountPath: /etc/nginx/secrets
         - name: nginx-run
@@ -170,8 +170,8 @@ spec:
           mountPath: /etc/nginx/conf.d
         - name: nginx-stream-conf
           mountPath: /etc/nginx/stream-conf.d
-        - name: module-includes
-          mountPath: /etc/nginx/module-includes
+        - name: nginx-main-includes
+          mountPath: /etc/nginx/main-includes
         - name: nginx-secrets
           mountPath: /etc/nginx/secrets
         - name: nginx-run
@@ -183,6 +183,13 @@ spec:
         {{- with .Values.nginx.extraVolumeMounts -}}
         {{ toYaml . | nindent 8 }}
         {{- end }}
+        {{- if .Values.nginx.debug }}
+        command:
+          - "/bin/sh"
+        args:
+          - "-c"
+          - "rm -rf /var/run/nginx/*.sock && nginx-debug -g 'daemon off;'"
+        {{- end }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       {{- if .Values.affinity }}
       affinity:
@@ -206,7 +213,7 @@ spec:
         emptyDir: {}
       - name: nginx-stream-conf
         emptyDir: {}
-      - name: module-includes
+      - name: nginx-main-includes
         emptyDir: {}
       - name: nginx-secrets
         emptyDir: {}

Diff for: charts/nginx-gateway-fabric/templates/deployment.yaml

@@ -72,6 +72,27 @@
               "required": [],
               "type": "string"
             },
+            "logging": {
+              "description": "Logging defines logging related settings for NGINX.",
+              "properties": {
+                "errorLevel": {
+                  "enum": [
+                    "debug",
+                    "info",
+                    "notice",
+                    "warn",
+                    "error",
+                    "crit",
+                    "alert",
+                    "emerg"
+                  ],
+                  "required": [],
+                  "type": "string"
+                }
+              },
+              "required": [],
+              "type": "object"
+            },
             "rewriteClientIP": {
               "description": "RewriteClientIP defines configuration for rewriting the client IP to the original client's IP.",
               "properties": {
@@ -179,6 +200,13 @@
           "title": "config",
           "type": "object"
         },
+        "debug": {
+          "default": false,
+          "description": "Enable debugging for NGINX. Uses the nginx-debug binary. The NGINX error log level should be set to debug in the NginxProxy resource.",
+          "required": [],
+          "title": "debug",
+          "type": "boolean"
+        },
         "extraVolumeMounts": {
           "description": "extraVolumeMounts are the additional volume mounts for the nginx container.",
           "items": {

Diff for: charts/nginx-gateway-fabric/values.schema.json

@@ -201,10 +201,28 @@ nginx:
   #               pattern: ^([^"$\\]|\\[^$])*$
   #               minLength: 1
   #               maxLength: 255
+  #   logging:
+  #     type: object
+  #     description: Logging defines logging related settings for NGINX.
+  #     properties:
+  #       errorLevel:
+  #         type: string
+  #         enum:
+  #           - debug
+  #           - info
+  #           - notice
+  #           - warn
+  #           - error
+  #           - crit
+  #           - alert
+  #           - emerg
   # @schema
   # -- The configuration for the data plane that is contained in the NginxProxy resource.
   config: {}
 
+  # -- Enable debugging for NGINX. Uses the nginx-debug binary. The NGINX error log level should be set to debug in the NginxProxy resource.
+  debug: false
+
   # Configuration for NGINX Plus usage reporting.
   usage:
     # -- The namespace/name of the Secret containing the credentials for NGINX Plus usage reporting.

Diff for: charts/nginx-gateway-fabric/values.yaml

@@ -62,6 +62,27 @@ spec:
                 - ipv4
                 - ipv6
                 type: string
+              logging:
+                description: Logging defines logging related settings for NGINX.
+                properties:
+                  errorLevel:
+                    default: info
+                    description: |-
+                      ErrorLevel defines the error log level. Possible log levels listed in order of increasing severity are
+                      debug, info, notice, warn, error, crit, alert, and emerg. Setting a certain log level will cause all messages
+                      of the specified and more severe log levels to be logged. For example, the log level 'error' will cause error,
+                      crit, alert, and emerg messages to be logged. https://nginx.org/en/docs/ngx_core_module.html#error_log
+                    enum:
+                    - debug
+                    - info
+                    - notice
+                    - warn
+                    - error
+                    - crit
+                    - alert
+                    - emerg
+                    type: string
+                type: object
               rewriteClientIP:
                 description: RewriteClientIP defines configuration for rewriting the
                   client IP to the original client's IP.

Diff for: config/crd/bases/gateway.nginx.org_nginxproxies.yaml

@@ -74,8 +74,8 @@ spec:
           mountPath: /etc/nginx/conf.d
         - name: nginx-stream-conf
           mountPath: /etc/nginx/stream-conf.d
-        - name: module-includes
-          mountPath: /etc/nginx/module-includes
+        - name: nginx-main-includes
+          mountPath: /etc/nginx/main-includes
         - name: nginx-secrets
           mountPath: /etc/nginx/secrets
         - name: nginx-run
@@ -106,8 +106,8 @@ spec:
           mountPath: /etc/nginx/conf.d
         - name: nginx-stream-conf
           mountPath: /etc/nginx/stream-conf.d
-        - name: module-includes
-          mountPath: /etc/nginx/module-includes
+        - name: nginx-main-includes
+          mountPath: /etc/nginx/main-includes
         - name: nginx-secrets
           mountPath: /etc/nginx/secrets
         - name: nginx-run
@@ -127,7 +127,7 @@ spec:
         emptyDir: {}
       - name: nginx-stream-conf
         emptyDir: {}
-      - name: module-includes
+      - name: nginx-main-includes
         emptyDir: {}
       - name: nginx-secrets
         emptyDir: {}

Diff for: config/tests/static-deployment.yaml

@@ -248,8 +248,8 @@ spec:
           name: nginx-conf
         - mountPath: /etc/nginx/stream-conf.d
           name: nginx-stream-conf
-        - mountPath: /etc/nginx/module-includes
-          name: module-includes
+        - mountPath: /etc/nginx/main-includes
+          name: nginx-main-includes
         - mountPath: /etc/nginx/secrets
           name: nginx-secrets
         - mountPath: /var/run/nginx
@@ -280,8 +280,8 @@ spec:
           name: nginx-conf
         - mountPath: /etc/nginx/stream-conf.d
           name: nginx-stream-conf
-        - mountPath: /etc/nginx/module-includes
-          name: module-includes
+        - mountPath: /etc/nginx/main-includes
+          name: nginx-main-includes
         - mountPath: /etc/nginx/secrets
           name: nginx-secrets
         - mountPath: /var/run/nginx
@@ -302,7 +302,7 @@ spec:
       - emptyDir: {}
         name: nginx-stream-conf
       - emptyDir: {}
-        name: module-includes
+        name: nginx-main-includes
       - emptyDir: {}
         name: nginx-secrets
       - emptyDir: {}

Diff for: deploy/aws-nlb/deploy.yaml

@@ -245,8 +245,8 @@ spec:
           name: nginx-conf
         - mountPath: /etc/nginx/stream-conf.d
           name: nginx-stream-conf
-        - mountPath: /etc/nginx/module-includes
-          name: module-includes
+        - mountPath: /etc/nginx/main-includes
+          name: nginx-main-includes
         - mountPath: /etc/nginx/secrets
           name: nginx-secrets
         - mountPath: /var/run/nginx
@@ -277,8 +277,8 @@ spec:
           name: nginx-conf
         - mountPath: /etc/nginx/stream-conf.d
           name: nginx-stream-conf
-        - mountPath: /etc/nginx/module-includes
-          name: module-includes
+        - mountPath: /etc/nginx/main-includes
+          name: nginx-main-includes
         - mountPath: /etc/nginx/secrets
           name: nginx-secrets
         - mountPath: /var/run/nginx
@@ -301,7 +301,7 @@ spec:
       - emptyDir: {}
         name: nginx-stream-conf
       - emptyDir: {}
-        name: module-includes
+        name: nginx-main-includes
       - emptyDir: {}
         name: nginx-secrets
       - emptyDir: {}