Agent management and helm configuration

build/Dockerfile

@@ -366,8 +366,9 @@ RUN --mount=type=bind,target=/tmp mkdir -p /var/lib/nginx /etc/nginx/secrets /et
 	&& setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx 'cap_net_bind_service=+eip' /usr/sbin/nginx-debug \
 	&& [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \
 	/tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
-	&& chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl \
-	&& chmod -R g=u /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl \
+	&& mkdir -p /etc/ssl/nms \
+	&& chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl /etc/ssl/nms \
+	&& chmod -R g=u /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl /etc/ssl/nms \
 	&& rm -f /etc/nginx/conf.d/*
 
 # Uncomment the line below if you would like to add the default.pem to the image

charts/nginx-ingress/README.md

@@ -489,6 +489,19 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`serviceNameOverride` | Used to prevent cloud load balancers from being replaced due to service name change during helm upgrades. | "" |
 |`nginxServiceMesh.enable` | Enable integration with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. Requires `controller.nginxplus`. | false |
 |`nginxServiceMesh.enableEgress` | Enable NGINX Service Mesh workloads to route egress traffic through the Ingress Controller. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/#enabling-egress) for more details. Requires `nginxServiceMesh.enable`. | false |
+|`nginxAgent.enable` | Enable NGINX Agent to enable Security Monitoring integration with App Protect WAF module. Requires `controller.appprotect.enable`. | false |
+|`nginxAgent.instanceGroup` | Set a custom Instance Group name which the deployment will be shown as when connected to NGINX Instance Manager. `nginx-ingress.controller.fullname` will be used if not set. | "" |
+|`nginxAgent.logLevel` | Log level for NGINX Agent. | "error |
+|`nginxAgent.instanceManager.host` | FQDN or IP for connecting to Ingress Controller. Required when `nginxAgent.enable` is set to `true` | "" |
+|`nginxAgent.instanceManager.grpcPort` | Port for connecting to Ingress Controller. | 443 |
+|`nginxAgent.instanceManager.sni` | Server Name Indication for Instance Manager. See the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" |
+|`nginxAgent.instanceManager.tls.enable` | Enable TLS for Instance Manager connection. | true |
+|`nginxAgent.instanceManager.tls.skipVerify` | Skip certification verification for Instance Manager connection. | false |
+|`nginxAgent.instanceManager.tls.caSecret` | Name of `nginx.org/ca` secret used for verification of Instance Manager TLS. | "" |
+|`nginxAgent.instanceManager.tls.secret` | Name of `kubernetes.io/tls` secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager. See the NGINX Instance Manager [docs](https://docs.nginx.com/nginx-management-suite/admin-guides/configuration/secure-traffic/#mutual-client-certificate-auth-setup-mtls) and the NGINX Agent [docs](https://docs.nginx.com/nginx-agent/configuration/encrypt-communication/) for more details. | "" |
+|`nginxAgent.syslog.host` | Address for NGINX Agent to run syslog listener. | 127.0.0.1 |
+|`nginxAgent.syslog.port` | Port for NGINX Agent to run syslog listener. | 1514 |
+|`nginxAgent.customConfigMap` | The name of a custom ConfigMap to use instead of the one provided by default. | "" |
 
 ## Notes
 

charts/nginx-ingress/templates/_helpers.tpl

@@ -70,6 +70,9 @@ nsm.nginx.com/enable-ingress: "true"
 nsm.nginx.com/enable-egress: "{{ .Values.nginxServiceMesh.enableEgress }}"
 nsm.nginx.com/{{ .Values.controller.kind }}: {{ include "nginx-ingress.controller.fullname" . }}
 {{- end }}
+{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }}
+agent-configuration-revision-hash: {{ include "nginx-ingress.agentConfiguration" . | sha1sum | trunc 8 | quote }}
+{{- end }}
 {{- if .Values.controller.pod.extraLabels }}
 {{ toYaml .Values.controller.pod.extraLabels }}
 {{- end }}
@@ -98,6 +101,17 @@ Expand the name of the configmap.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Expand the name of the configmap used for NGINX Agent.
+*/}}
+{{- define "nginx-ingress.agentConfigName" -}}
+{{- if ne (.Values.nginxAgent.customConfigMap | default "") "" -}}
+{{ .Values.nginxAgent.customConfigMap }}
+{{- else -}}
+{{- printf "%s-agent-config"  (include "nginx-ingress.fullname" . | trunc 49 | trimSuffix "-") -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Expand leader election lock name.
 */}}
@@ -264,15 +278,29 @@ Build the args for the service binary.
 - -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }}
 - -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }}
 - -enable-telemetry-reporting={{ .Values.controller.enableTelemetryReporting}}
+{{- if .Values.nginxAgent.enable }}
+- -agent=true
+- -agent-instance-group={{ default (include "nginx-ingress.controller.fullname" .) .Values.nginxAgent.instanceGroup }}
+{{- end }}
 {{- end -}}
 
 {{/*
 Volumes for controller.
 */}}
 {{- define "nginx-ingress.volumes" -}}
-{{- if or (eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumes }}
+{{- $volumesSet := "false" }}
 volumes:
-{{- end }}
+{{- if eq (include "nginx-ingress.volumeEntries" .) "" -}}
+{{ toYaml list | printf " %s" }}
+{{- else }}
+{{ include "nginx-ingress.volumeEntries" . }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+List of volumes for controller.
+*/}}
+{{- define "nginx-ingress.volumeEntries" -}}
 {{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
 - name: nginx-etc
   emptyDir: {}
@@ -286,15 +314,42 @@ volumes:
 {{- if .Values.controller.volumes }}
 {{ toYaml .Values.controller.volumes }}
 {{- end }}
+{{- if .Values.nginxAgent.enable }}
+- name: agent-conf
+  configMap:
+    name: {{ include "nginx-ingress.agentConfigName" . }}
+- name: agent-dynamic
+  emptyDir: {}
+{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }}
+- name: nginx-agent-tls
+  projected:
+    sources:
+{{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }}
+      - secret:
+          name: {{ .Values.nginxAgent.instanceManager.tls.secret }}
+{{- end }}
+{{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }}
+      - secret:
+          name: {{ .Values.nginxAgent.instanceManager.tls.caSecret }}
+{{- end }}
+{{- end }}
+{{- end -}}
 {{- end -}}
 
 {{/*
 Volume mounts for controller.
 */}}
 {{- define "nginx-ingress.volumeMounts" -}}
-{{- if or ( eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" ) .Values.controller.volumeMounts }}
+{{- $volumesSet := "false" }}
 volumeMounts:
-{{- end }}
+{{- if eq (include "nginx-ingress.volumeMountEntries" .) "" -}}
+{{ toYaml list | printf " %s" }}
+{{- else }}
+{{ include "nginx-ingress.volumeMountEntries" . }}
+{{- end -}}
+{{- end -}}
+
+{{- define "nginx-ingress.volumeMountEntries" -}}
 {{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
 - mountPath: /etc/nginx
   name: nginx-etc
@@ -305,7 +360,61 @@ volumeMounts:
 - mountPath: /var/log/nginx
   name: nginx-log
 {{- end }}
-{{- if .Values.controller.volumeMounts}}
+{{- if .Values.controller.volumeMounts }}
 {{ toYaml .Values.controller.volumeMounts }}
 {{- end }}
+{{- if .Values.nginxAgent.enable }}
+- name: agent-conf
+  mountPath: /etc/nginx-agent/nginx-agent.conf
+  subPath: nginx-agent.conf
+- name: agent-dynamic
+  mountPath: /var/lib/nginx-agent
+{{- if and .Values.nginxAgent.instanceManager.tls (or (ne (.Values.nginxAgent.instanceManager.tls.secret | default "") "") (ne (.Values.nginxAgent.instanceManager.tls.caSecret | default "") "")) }}
+- name: nginx-agent-tls
+  mountPath: /etc/ssl/nms
+  readOnly: true
+{{- end }}
 {{- end -}}
+{{- end -}}
+
+{{- define "nginx-ingress.agentConfiguration" -}}
+log:
+  level: {{ .Values.nginxAgent.logLevel }}
+  path: ""
+server:
+  host: {{ required ".Values.nginxAgent.instanceManager.host is required when setting .Values.nginxAgent.enable to true" .Values.nginxAgent.instanceManager.host }}
+  grpcPort: {{ .Values.nginxAgent.instanceManager.grpcPort }}
+{{- if ne (.Values.nginxAgent.instanceManager.sni | default "") ""  }}
+  metrics: {{ .Values.nginxAgent.instanceManager.sni }}
+  command: {{ .Values.nginxAgent.instanceManager.sni }}
+{{- end }}
+{{- if .Values.nginxAgent.instanceManager.tls  }}
+tls:
+  enable: {{ .Values.nginxAgent.instanceManager.tls.enable | default false }}
+  skip_verify: {{ .Values.nginxAgent.instanceManager.tls.skipVerify | default false }}
+  {{- if ne .Values.nginxAgent.instanceManager.tls.caSecret "" }}
+  ca: "/etc/ssl/nms/ca.crt"
+  {{- end }}
+  {{- if ne .Values.nginxAgent.instanceManager.tls.secret "" }}
+  cert: "/etc/ssl/nms/tls.crt"
+  key: "/etc/ssl/nms/tls.key"
+  {{- end }}
+{{- end }}
+features:
+  - registration
+  - nginx-counting
+  - metrics-sender
+  - dataplane-status
+extensions:
+  - nginx-app-protect
+  - nap-monitoring
+nginx_app_protect:
+  report_interval: 15s
+  precompiled_publication: true
+nap_monitoring:
+  collector_buffer_size: 50000
+  processor_buffer_size: 50000
+  syslog_ip: "127.0.0.1"
+  syslog_port: 1514
+
+{{ end -}}

charts/nginx-ingress/templates/controller-configmap.yaml

@@ -11,7 +11,22 @@ metadata:
 {{ toYaml .Values.controller.config.annotations | indent 4 }}
 {{- end }}
 data:
-{{- if .Values.controller.config.entries }}
-{{ toYaml .Values.controller.config.entries | indent 2 }}
+{{ toYaml (default dict .Values.controller.config.entries) | indent 2 }}
 {{- end }}
+---
+{{- if and .Values.nginxAgent.enable (eq (.Values.nginxAgent.customConfigMap | default "") "") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "nginx-ingress.agentConfigName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "nginx-ingress.labels" . | nindent 4 }}
+{{- if .Values.controller.config.annotations }}
+  annotations:
+{{ toYaml .Values.controller.config.annotations | indent 4 }}
+{{- end }}
+data:
+  nginx-agent.conf: |-
+{{ include "nginx-ingress.agentConfiguration" . | indent 4 }}
 {{- end }}

charts/nginx-ingress/values.schema.json

@@ -1803,6 +1803,137 @@
           "enableEgress": false
         }
       ]
+    },
+    "nginxAgent": {
+      "type": "object",
+      "default": {
+        "enable": false
+      },
+      "title": "Configuration for NGINX Agent.",
+      "required": [
+        "enable"
+      ],
+      "properties": {
+        "enable": {
+          "type": "boolean",
+          "default": false,
+          "title": "Enable NGINX Agent",
+          "examples": [
+            false
+          ]
+        },
+        "instanceGroup": {
+          "type": "string",
+          "default": "",
+          "title": "Set the --instance-group argument for NGINX Agent",
+          "examples": [
+            "my-instance-group"
+          ]
+        },
+        "logLevel": {
+          "type": "string",
+          "default": "error",
+          "title": "Log level for NGINX Agent",
+          "examples": [
+            "error"
+          ]
+        },
+        "instanceManager": {
+          "type": "object",
+          "default": {},
+          "title": "Configuration for the connection to NGINX Instance Manager",
+          "examples": [],
+          "required": [
+            "host"
+          ],
+          "properties": {
+            "host": {
+              "type": "string",
+              "title": "FQDN or IP for connecting to Ingress Controller",
+              "examples": [
+                "nim.example.com"
+              ]
+            },
+            "grpcPort": {
+              "type": "integer",
+              "title": "Port for connecting to Ingress Controller",
+              "default": 443,
+              "examples": [
+                443
+              ]
+            },
+            "sni": {
+              "type": "string",
+              "title": "Server Name Indication for Instance Manager",
+              "default": "",
+              "examples": [
+                "nim.example.com"
+              ]
+            },
+            "tls": {
+              "type": "object",
+              "default": {},
+              "title": "TLS configuration for connection between NGINX Agent and Instance Manager",
+              "properties": {
+                "enable": {
+                  "type": "boolean",
+                  "default": "true",
+                  "title": "enable TLS for Instance Manager connection"
+                },
+                "secret": {
+                  "type": "string",
+                  "default": "",
+                  "title": "kubernetes.io/tls secret with a TLS certificate and key for using mTLS between NGINX Agent and Instance Manager"
+                },
+                "caSecret": {
+                  "type": "string",
+                  "default": "",
+                  "title": "nginx.org/ca secret for verification of Instance Manager TLS"
+                },
+                "skipVerify": {
+                  "type": "boolean",
+                  "default": "false",
+                  "title": "skip certificate verification"
+                }
+              }
+            }
+          }
+        },
+        "syslog": {
+          "type": "object",
+          "default": {
+            "host": "127.0.0.1",
+            "port": 1514
+          },
+          "title": "Syslog listener which NGINX Agent uses to accept messages from App Protect WAF",
+          "properties": {
+            "host": {
+              "type": "string",
+              "title": "Address for NGINX Agent to run syslog listener",
+              "default": "127.0.0.1",
+              "examples": [
+                "127.0.0.1"
+              ]
+            },
+            "port": {
+              "type": "integer",
+              "title": "Port for NGINX Agent to run syslog listener",
+              "default": 1514,
+              "examples": [
+                1514
+              ]
+            }
+          }
+        },
+        "customConfigMap": {
+          "type": "string",
+          "title": "The name of a custom ConfigMap to use instead of the one provided by default",
+          "default": "",
+          "examples": [
+            "my-custom-configmap"
+          ]
+        }
+      }
     }
   },
   "examples": [