Dynamic reload of SSL certificates for NGINX Plus (#4764)

ssl certificate lazy loading for nginx plus
nginx · Dec 12, 2023 · bd29988 · bd29988
1 parent a122d11
commit bd29988
Show file tree

Hide file tree

Showing 41 changed files with 1,077 additions and 354 deletions.
diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md
@@ -458,6 +458,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.defaultHTTPListenerPort`  | Sets the port for the HTTP `default_server` listener. | 80 |
 |`controller.defaultHTTPSListenerPort`  | Sets the port for the HTTPS `default_server` listener. | 443 |
 |`controller.readOnlyRootFilesystem` | Configure root filesystem as read-only and add volumes for temporary data. | false |
+|`controller.enableSSLDynamicReload` | Enable lazy loading for SSL Certificates for NGINX Plus. | true |
 |`rbac.create` | Configures RBAC. | true |
 |`prometheus.create` | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
 |`prometheus.port` | Configures the port to scrape the metrics. | 9113 |

diff --git a/charts/nginx-ingress/templates/_helpers.tpl b/charts/nginx-ingress/templates/_helpers.tpl
@@ -222,4 +222,5 @@ Build the args for the service binary.
 - -ready-status={{ .Values.controller.readyStatus.enable }}
 - -ready-status-port={{ .Values.controller.readyStatus.port }}
 - -enable-latency-metrics={{ .Values.controller.enableLatencyMetrics }}
+- -ssl-dynamic-reload={{ .Values.controller.enableSSLDynamicReload }}
 {{- end -}}
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
@@ -1359,6 +1359,14 @@
           "examples": [
             false
           ]
+        },
+        "enableSSLDynamicReload": {
+          "type": "boolean",
+          "default": true,
+          "title": "Enable dynamic certificate reloads for NGINX Plus",
+          "examples": [
+            true
+          ]
         }
       },
       "examples": [

diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
@@ -463,6 +463,9 @@ controller:
   ## Configure root filesystem as read-only and add volumes for temporary data.
   readOnlyRootFilesystem: false
 
+  ## Enable dynamic reloading of certificates for NGINX Plus
+  enableSSLDynamicReload: true
+
 rbac:
   ## Configures RBAC.
   create: true

diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go
@@ -15,6 +15,10 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation"
 )
 
+const (
+	dynamicSSLReloadParam = "ssl-dynamic-reload"
+)
+
 var (
 	healthStatus = flag.Bool("health-status", false,
 		`Add a location based on the value of health-status-uri to the default server. The location responds with the 200 status code for any request.
@@ -195,6 +199,8 @@ var (
 
 	defaultHTTPSListenerPort = flag.Int("default-https-listener-port", 443, "Sets a custom port for the HTTPS `default_server`. [1024 - 65535]")
 
+	enableDynamicSSLReload = flag.Bool(dynamicSSLReloadParam, true, "Enable reloading of SSL Certificates without restarting the NGINX process. Requires -nginx-plus")
+
 	startupCheckFn func() error
 )
 
@@ -269,6 +275,11 @@ func parseFlags() {
 	if *ingressLink != "" && *externalService != "" {
 		glog.Fatal("ingresslink and external-service cannot both be set")
 	}
+
+	if *enableDynamicSSLReload && !*nginxPlus {
+		glog.V(3).Infof("%s flag requires -nginx-plus and will not be enabled", dynamicSSLReloadParam)
+		*enableDynamicSSLReload = false
+	}
 }
 
 func initialChecks() {

diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
@@ -116,6 +116,8 @@ func main() {
 		EnableOIDC:                     *enableOIDC,
 		SSLRejectHandshake:             sslRejectHandshake,
 		EnableCertManager:              *enableCertManager,
+		DynamicSSLReload:               *enableDynamicSSLReload,
+		StaticSSLPath:                  nginxManager.GetSecretsDir(),
 	}
 
 	processNginxConfig(staticCfgParams, cfgParams, templateExecutor, nginxManager)
@@ -132,17 +134,18 @@ func main() {
 
 	plusCollector, syslogListener, latencyCollector := createPlusAndLatencyCollectors(registry, constLabels, kubeClient, plusClient, staticCfgParams.NginxServiceMesh)
 	cnf := configs.NewConfigurator(configs.ConfiguratorParams{
-		NginxManager:            nginxManager,
-		StaticCfgParams:         staticCfgParams,
-		Config:                  cfgParams,
-		TemplateExecutor:        templateExecutor,
-		TemplateExecutorV2:      templateExecutorV2,
-		LatencyCollector:        latencyCollector,
-		LabelUpdater:            plusCollector,
-		IsPlus:                  *nginxPlus,
-		IsWildcardEnabled:       isWildcardEnabled,
-		IsPrometheusEnabled:     *enablePrometheusMetrics,
-		IsLatencyMetricsEnabled: *enableLatencyMetrics,
+		NginxManager:              nginxManager,
+		StaticCfgParams:           staticCfgParams,
+		Config:                    cfgParams,
+		TemplateExecutor:          templateExecutor,
+		TemplateExecutorV2:        templateExecutorV2,
+		LatencyCollector:          latencyCollector,
+		LabelUpdater:              plusCollector,
+		IsPlus:                    *nginxPlus,
+		IsWildcardEnabled:         isWildcardEnabled,
+		IsPrometheusEnabled:       *enablePrometheusMetrics,
+		IsLatencyMetricsEnabled:   *enableLatencyMetrics,
+		IsDynamicSSLReloadEnabled: *enableDynamicSSLReload,
 	})
 
 	controllerNamespace := os.Getenv("POD_NAMESPACE")

diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md
@@ -527,3 +527,11 @@ Sets the port for the HTTPS `default_server` listener.
 Default `443`.
 
 <a name="cmdoption-default-https-listener-port"></a>
+
+### -ssl-dynamic-reload
+
+Used to activate or deactivate lazy loading for SSL Certificates for NGINX Plus.
+
+The default value is `true` when using NGINX Plus.
+
+<a name="cmdoption-ssl-dynamic-reload"></a>
diff --git a/internal/configs/commonhelpers/common_template_helpers.go b/internal/configs/commonhelpers/common_template_helpers.go
@@ -0,0 +1,15 @@
+// Package commonhelpers contains template helpers used in v1 and v2
+package commonhelpers
+
+import (
+	"strings"
+)
+
+// MakeSecretPath will return the path to the secret with the base secrets
+// path replaced with the given variable
+func MakeSecretPath(path, defaultPath, variable string, useVariable bool) string {
+	if useVariable {
+		return strings.Replace(path, defaultPath, variable, 1)
+	}
+	return path
+}
diff --git a/internal/configs/commonhelpers/common_template_helpers_test.go b/internal/configs/commonhelpers/common_template_helpers_test.go
@@ -0,0 +1,63 @@
+package commonhelpers
+
+import (
+	"bytes"
+	"html/template"
+	"testing"
+)
+
+var helperFunctions = template.FuncMap{
+	"makeSecretPath": MakeSecretPath,
+}
+
+func TestMakeSecretPath(t *testing.T) {
+	t.Parallel()
+
+	tmpl := newMakeSecretPathTemplate(t)
+	testCases := []struct {
+		Secret   string
+		Path     string
+		Variable string
+		Enabled  bool
+		expected string
+	}{
+		{
+			Secret:   "/etc/nginx/secret/thing.crt",
+			Path:     "/etc/nginx/secret",
+			Variable: "$secrets_path",
+			Enabled:  true,
+			expected: "$secrets_path/thing.crt",
+		},
+		{
+			Secret:   "/etc/nginx/secret/thing.crt",
+			Path:     "/etc/nginx/secret",
+			Variable: "$secrets_path",
+			Enabled:  false,
+			expected: "/etc/nginx/secret/thing.crt",
+		},
+		{
+			Secret:   "/etc/nginx/secret/thing.crt",
+			expected: "/etc/nginx/secret/thing.crt",
+		},
+	}
+
+	for _, tc := range testCases {
+		var buf bytes.Buffer
+		err := tmpl.Execute(&buf, tc)
+		if err != nil {
+			t.Fatalf("Failed to execute the template %v", err)
+		}
+		if buf.String() != tc.expected {
+			t.Errorf("Template generated wrong config, got '%v' but expected '%v'.", buf.String(), tc.expected)
+		}
+	}
+}
+
+func newMakeSecretPathTemplate(t *testing.T) *template.Template {
+	t.Helper()
+	tmpl, err := template.New("testTemplate").Funcs(helperFunctions).Parse(`{{makeSecretPath .Secret .Path .Variable .Enabled}}`)
+	if err != nil {
+		t.Fatalf("Failed to parse template: %v", err)
+	}
+	return tmpl
+}
diff --git a/internal/configs/config_params.go b/internal/configs/config_params.go
@@ -134,6 +134,8 @@ type StaticConfigParams struct {
 	EnableOIDC                     bool
 	SSLRejectHandshake             bool
 	EnableCertManager              bool
+	DynamicSSLReload               bool
+	StaticSSLPath                  string
 }
 
 // GlobalConfigParams holds global configuration parameters. For now, it only holds listeners.

diff --git a/internal/configs/configmaps.go b/internal/configs/configmaps.go
@@ -579,6 +579,8 @@ func GenerateNginxMainConfig(staticCfgParams *StaticConfigParams, config *Config
 		InternalRouteServerName:            staticCfgParams.InternalRouteServerName,
 		LatencyMetrics:                     staticCfgParams.EnableLatencyMetrics,
 		OIDC:                               staticCfgParams.EnableOIDC,
+		DynamicSSLReloadEnabled:            staticCfgParams.DynamicSSLReload,
+		StaticSSLPath:                      staticCfgParams.StaticSSLPath,
 	}
 	return nginxCfg
 }