Separate third party NGINX configuration (#10470)

* Document container separation

* Separate configurations

Author: rikatz

docs/enhancements/20231001-split-containers.md

@@ -0,0 +1,110 @@
+# Proposal to split containers
+
+* All the NGINX files should live on one container
+  * No file other than NGINX files should exist on this container
+  * This includes not mounting the service account
+* All the controller files should live on a different container
+  * Controller container should have bare minimum to work (just go program)
+  * ServiceAccount should be mounted just on controller
+
+* Inside nginx container, there should be a really small http listener just able 
+to start, stop and reload NGINX
+
+## Roadmap (what needs to be done)
+* Map what needs to be done to mount the SA just on controller container
+* Map all the required files for NGINX to work
+* Map all the required network calls between controller and NGINX
+  * eg.: Dynamic lua reconfiguration
+* Map problematic features that will need attention
+  * SSLPassthrough today happens on controller process and needs to happen on NGINX
+
+### Ports and endpoints on NGINX container
+* Public HTTP/HTTPs port - 80 and 443
+* Lua configuration port - 10246 (HTTP) and 10247 (Stream)
+* 3333 (temp) - Dataplane controller http server
+  * /reload - (POST) Reloads the configuration.
+    * "config" argument is the location of temporary file that should be used / moved to nginx.conf
+  * /test - (POST) Test the configuration of a given file location
+    * "config" argument is the location of temporary file that should be tested
+
+### Mounting empty SA on controller container
+
+```yaml
+kind: Pod
+apiVersion: v1
+metadata:
+  name: test
+spec:
+  containers:
+  - name: nginx
+    image: nginx:latest
+    ports:
+    - containerPort: 80
+  - name: othernginx
+    image: alpine:latest
+    command: ["/bin/sh"]
+    args: ["-c", "while true; do date; sleep 3; done"]
+    volumeMounts:
+    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+      name: emptysecret
+  volumes:
+  - name: emptysecret
+    emptyDir:
+      sizeLimit: 1Mi
+```
+
+### Mapped folders on NGINX configuration
+**WARNING** We need to be aware of inter mount containers and inode problems. If we 
+mount a file instead of a directory, it may take time to reflect the file value on 
+the target container
+
+*  "/etc/nginx/lua/?.lua;/etc/nginx/lua/vendor/?.lua;;"; - Lua scripts
+* "/var/log/nginx" - NGINX logs
+* "/tmp/nginx (nginx.pid)" - NGINX pid directory / file, fcgi socket, etc
+* " /etc/nginx/geoip" - GeoIP database directory - OK - /etc/ingress-controller/geoip
+* /etc/nginx/mime.types - Mime types
+* /etc/ingress-controller/ssl - SSL directory (fake cert, auth cert)
+* /etc/ingress-controller/auth - Authentication files
+* /etc/nginx/modsecurity - Modsecurity configuration
+* /etc/nginx/owasp-modsecurity-crs - Modsecurity rules
+* /etc/nginx/tickets.key - SSL tickets - OK - /etc/ingress-controller/tickets.key
+* /etc/nginx/opentelemetry.toml - OTEL config - OK - /etc/ingress-controller/telemetry
+* /etc/nginx/opentracing.json - Opentracing config - OK - /etc/ingress-controller/telemetry
+* /etc/nginx/modules - NGINX modules
+* /etc/nginx/fastcgi_params (maybe) - fcgi params
+* /etc/nginx/template - Template, may be used by controller only
+
+##### List of modules
+```
+ngx_http_auth_digest_module.so    ngx_http_modsecurity_module.so
+ngx_http_brotli_filter_module.so  ngx_http_opentracing_module.so
+ngx_http_brotli_static_module.so  ngx_stream_geoip2_module.so
+ngx_http_geoip2_module.so
+```
+
+##### List of files that may be removed
+```
+-rw-r--r--    1 www-data www-data      1077 Jun 23 19:44 fastcgi.conf
+-rw-r--r--    1 www-data www-data      1077 Jun 23 19:44 fastcgi.conf.default
+-rw-r--r--    1 www-data www-data      1007 Jun 23 19:44 fastcgi_params
+-rw-r--r--    1 www-data www-data      1007 Jun 23 19:44 fastcgi_params.default
+drwxr-xr-x    2 www-data www-data      4096 Jun 23 19:34 geoip
+-rw-r--r--    1 www-data www-data      2837 Jun 23 19:44 koi-utf
+-rw-r--r--    1 www-data www-data      2223 Jun 23 19:44 koi-win
+drwxr-xr-x    6 www-data www-data      4096 Sep 19 14:13 lua
+-rw-r--r--    1 www-data www-data      5349 Jun 23 19:44 mime.types
+-rw-r--r--    1 www-data www-data      5349 Jun 23 19:44 mime.types.default
+drwxr-xr-x    2 www-data www-data      4096 Jun 23 19:44 modsecurity
+drwxr-xr-x    2 www-data www-data      4096 Jun 23 19:44 modules
+-rw-r--r--    1 www-data www-data     18275 Oct  1 21:28 nginx.conf
+-rw-r--r--    1 www-data www-data      2656 Jun 23 19:44 nginx.conf.default
+-rwx------    1 www-data www-data       420 Oct  1 21:28 opentelemetry.toml
+-rw-r--r--    1 www-data www-data         2 Oct  1 21:28 opentracing.json
+drwxr-xr-x    7 www-data www-data      4096 Jun 23 19:44 owasp-modsecurity-crs
+-rw-r--r--    1 www-data www-data       636 Jun 23 19:44 scgi_params
+-rw-r--r--    1 www-data www-data       636 Jun 23 19:44 scgi_params.default
+drwxr-xr-x    2 www-data www-data      4096 Sep 19 14:13 template
+-rw-r--r--    1 www-data www-data       664 Jun 23 19:44 uwsgi_params
+-rw-r--r--    1 www-data www-data       664 Jun 23 19:44 uwsgi_params.default
+-rw-r--r--    1 www-data www-data      3610 Jun 23 19:44 win-utf
+```

docs/user-guide/nginx-configuration/configmap.md

@@ -164,7 +164,7 @@ The following table shows a configuration option's name, type, and the default v
 |[enable-opentelemetry](#enable-opentelemetry)|bool|"false"||
 |[opentelemetry-trust-incoming-span](#opentelemetry-trust-incoming-span)|bool|"true"||
 |[opentelemetry-operation-name](#opentelemetry-operation-name)|string|""||
-|[opentelemetry-config](#/etc/nginx/opentelemetry.toml)|string|"/etc/nginx/opentelemetry.toml"||
+|[opentelemetry-config](#/etc/ingress-controller/telemetry/opentelemetry.toml)|string|"/etc/ingress-controller/telemetry/opentelemetry.toml"||
 |[otlp-collector-host](#otlp-collector-host)|string|""||
 |[otlp-collector-port](#otlp-collector-port)|int|4317||
 |[otel-max-queuesize](#otel-max-queuesize)|int|||

docs/user-guide/third-party-addons/opentelemetry.md

@@ -165,7 +165,7 @@ To install the example and collectors run:
       kind: ConfigMap
       data:
         enable-opentelemetry: "true"
-        opentelemetry-config: "/etc/nginx/opentelemetry.toml"
+        opentelemetry-config: "/etc/ingress-controller/telemetry/opentelemetry.toml"
         opentelemetry-operation-name: "HTTP $request_method $service_name $uri"
         opentelemetry-trust-incoming-span: "true"
         otlp-collector-host: "otel-coll-collector.otel.svc"

go.work.sum

@@ -186,6 +186,7 @@ github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
 github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
 github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
@@ -199,6 +200,7 @@ github.com/onsi/gomega v1.27.4/go.mod h1:riYq/GJKh8hhoM01HN6Vmuy93AarCXCBGpvFDK3
 github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
 github.com/orisano/pixelmatch v0.0.0-20220722002657-fb0b55479cde/go.mod h1:nZgzbfBr3hhjoZnS66nKrHmduYNpc34ny7RK4z5/HM0=
 github.com/pierrec/lz4/v4 v4.1.15/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
+github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
@@ -254,6 +256,7 @@ golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -284,6 +287,7 @@ google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:xZnkP7mR
 google.golang.org/genproto v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:O9kGHb51iE/nOGvQaDUuadVYqovW56s5emA88lQnj6Y=
 google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g=
 google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0=
+google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d h1:VBu5YqKPv6XiJ199exd8Br+Aetz+o08F+PLMnwJQHAY=
 google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:vHYtlOoi6TsQ3Uk2yxR7NI5z8uoV+3pZtR4jmHIkRig=
 google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130/go.mod h1:mPBs5jNgx2GuQGvFwUvVKqtn6HsUw9nP64BedgvqEsQ=
 google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=

images/kube-webhook-certgen/rootfs/go.mod

@@ -26,7 +26,7 @@ require (
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
-	github.com/google/uuid v1.3.0 // indirect
+	github.com/google/uuid v1.3.1 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect

images/kube-webhook-certgen/rootfs/go.sum

@@ -202,8 +202,8 @@ github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98/go.mod h1:czg5+yv1E0Z
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
+github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=

internal/ingress/controller/config/config.go

@@ -987,7 +987,7 @@ func NewDefault() Configuration {
 		BindAddressIpv6:                        defBindAddress,
 		OpentracingTrustIncomingSpan:           true,
 		OpentelemetryTrustIncomingSpan:         true,
-		OpentelemetryConfig:                    "/etc/nginx/opentelemetry.toml",
+		OpentelemetryConfig:                    "/etc/ingress-controller/telemetry/opentelemetry.toml",
 		OtlpCollectorPort:                      "4317",
 		OtelServiceName:                        "nginx",
 		OtelSampler:                            "AlwaysOn",

internal/ingress/controller/nginx.go

@@ -22,6 +22,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io/fs"
 	"net"
 	"net/http"
 	"os"
@@ -180,7 +181,11 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro
 	}
 
 	filesToWatch := []string{}
-	err = filepath.Walk("/etc/nginx/geoip/", func(path string, info os.FileInfo, err error) error {
+
+	if err := os.Mkdir("/etc/ingress-controller/geoip/", 0o755); err != nil && !os.IsExist(err) {
+		klog.Fatalf("Error creating geoip dir: %v", err)
+	}
+	err = filepath.WalkDir("/etc/ingress-controller/geoip/", func(path string, info fs.DirEntry, err error) error {
 		if err != nil {
 			return err
 		}
@@ -1107,7 +1112,7 @@ func createOpentracingCfg(cfg *ngx_config.Configuration) error {
 	// Expand possible environment variables before writing the configuration to file.
 	expanded := os.ExpandEnv(configData)
 
-	return os.WriteFile("/etc/nginx/opentracing.json", []byte(expanded), file.ReadWriteByUser)
+	return os.WriteFile("/etc/ingress-controller/telemetry/opentracing.json", []byte(expanded), file.ReadWriteByUser)
 }
 
 func createOpentelemetryCfg(cfg *ngx_config.Configuration) error {

internal/ingress/controller/store/store.go

@@ -1215,7 +1215,7 @@ func (s *k8sStore) setConfig(cmap *corev1.ConfigMap) {
 		s.backendConfig.UseGeoIP2 = false
 	}
 
-	s.writeSSLSessionTicketKey(cmap, "/etc/nginx/tickets.key")
+	s.writeSSLSessionTicketKey(cmap, "/etc/ingress-controller/tickets.key")
 }
 
 // Run initiates the synchronization of the informers and the initial

internal/ingress/controller/template/template.go

@@ -1230,11 +1230,11 @@ func buildOpentracing(c, s interface{}) string {
 
 	//nolint:gocritic // rewriting if-else to switch statement is not more readable
 	if cfg.DatadogCollectorHost != "" {
-		buf.WriteString("opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/nginx/opentracing.json;")
+		buf.WriteString("opentracing_load_tracer /usr/local/lib/libdd_opentracing.so /etc/ingress-controller/telemetry/opentracing.json;")
 	} else if cfg.ZipkinCollectorHost != "" {
-		buf.WriteString("opentracing_load_tracer /usr/local/lib/libzipkin_opentracing_plugin.so /etc/nginx/opentracing.json;")
+		buf.WriteString("opentracing_load_tracer /usr/local/lib/libzipkin_opentracing_plugin.so /etc/ingress-controller/telemetry/opentracing.json;")
 	} else if cfg.JaegerCollectorHost != "" || cfg.JaegerEndpoint != "" {
-		buf.WriteString("opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/nginx/opentracing.json;")
+		buf.WriteString("opentracing_load_tracer /usr/local/lib/libjaegertracing_plugin.so /etc/ingress-controller/telemetry/opentracing.json;")
 	}
 
 	buf.WriteString("\r\n")