Add SnippetsPolicies support to NGINX configuration

Author: fabian4

charts/nginx-gateway-fabric/templates/clusterrole.yaml

@@ -132,6 +132,9 @@ rules:
   {{- if .Values.nginxGateway.snippetsFilters.enable }}
   - snippetsfilters
   {{- end }}
+  {{- if .Values.nginxGateway.snippetsPolicies.enable }}
+  - snippetspolicies
+  {{- end }}
   verbs:
   - list
   - watch
@@ -145,6 +148,9 @@ rules:
   {{- if .Values.nginxGateway.snippetsFilters.enable }}
   - snippetsfilters/status
   {{- end }}
+  {{- if .Values.nginxGateway.snippetsPolicies.enable }}
+  - snippetspolicies/status
+  {{- end }}
   verbs:
   - update
 {{- if .Values.nginxGateway.gwAPIInferenceExtension.enable }}

charts/nginx-gateway-fabric/templates/deployment.yaml

@@ -110,6 +110,9 @@ spec:
         {{- if .Values.nginxGateway.snippetsFilters.enable }}
         - --snippets-filters
         {{- end }}
+        {{- if .Values.nginxGateway.snippetsPolicies.enable }}
+        - --snippets-policies
+        {{- end }}
         {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
         - --nginx-scc={{ include "nginx-gateway.scc-name" . }}-nginx
         {{- end}}

charts/nginx-gateway-fabric/values.yaml

@@ -232,6 +232,11 @@ nginxGateway:
     # config for HTTPRoute and GRPCRoute resources.
     enable: false
 
+  snippetsPolicies:
+    # -- Enable SnippetsPolicies feature. SnippetsPolicies allow inserting NGINX configuration into the generated NGINX
+    # config for Gateway, HTTPRoute and GRPCRoute resources.
+    enable: false
+
 # -- The nginx section contains the configuration for all NGINX data plane deployments
 # installed by the NGINX Gateway Fabric control plane.
 nginx:

cmd/gateway/commands.go

@@ -95,6 +95,7 @@ func createControllerCommand() *cobra.Command {
 		usageReportCASecretFlag             = "usage-report-ca-secret"         //nolint:gosec // not credentials
 		usageReportEnforceInitialReportFlag = "usage-report-enforce-initial-report"
 		snippetsFiltersFlag                 = "snippets-filters"
+		snippetsPoliciesFlag                = "snippets-policies"
 		nginxSCCFlag                        = "nginx-scc"
 	)
 
@@ -156,7 +157,8 @@ func createControllerCommand() *cobra.Command {
 
 		disableProductTelemetry bool
 
-		snippetsFilters bool
+		snippetsFilters  bool
+		snippetsPolicies bool
 
 		plus               bool
 		nginxDockerSecrets = stringSliceValidatingValue{
@@ -282,6 +284,7 @@ func createControllerCommand() *cobra.Command {
 					Values: flagValues,
 				},
 				SnippetsFilters:        snippetsFilters,
+				SnippetsPolicies:       snippetsPolicies,
 				NginxDockerSecretNames: nginxDockerSecrets.values,
 				AgentTLSSecretName:     agentTLSSecretName.value,
 				NGINXSCCName:           nginxSCCName.value,
@@ -512,6 +515,14 @@ func createControllerCommand() *cobra.Command {
 			"generated NGINX config for HTTPRoute and GRPCRoute resources.",
 	)
 
+	cmd.Flags().BoolVar(
+		&snippetsPolicies,
+		snippetsPoliciesFlag,
+		false,
+		"Enable SnippetsPolicies feature. SnippetsPolicies allow inserting NGINX configuration into the "+
+			"generated NGINX config for Gateway, HTTPRoute and GRPCRoute resources.",
+	)
+
 	cmd.Flags().Var(
 		&nginxSCCName,
 		nginxSCCFlag,

cmd/gateway/commands_test.go

@@ -163,6 +163,7 @@ func TestControllerCmdFlagValidation(t *testing.T) {
 				"--nginx-one-tls-skip-verify",
 				"--endpoint-picker-disable-tls",
 				"--endpoint-picker-tls-skip-verify",
+				"--snippets-policies",
 			},
 			wantErr: false,
 		},
@@ -417,6 +418,15 @@ func TestControllerCmdFlagValidation(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "snippets-policies is not a bool",
+			expectedErrPrefix: `invalid argument "not-a-bool" for "--snippets-policies" flag: strconv.ParseBool:` +
+				` parsing "not-a-bool": invalid syntax`,
+			args: []string{
+				"--snippets-policies=not-a-bool",
+			},
+			wantErr: true,
+		},
 		{
 			name: "nginx-scc is set to empty string",
 			args: []string{

internal/controller/config/config.go

@@ -52,6 +52,8 @@ type Config struct {
 	InferenceExtension bool
 	// SnippetsFilters indicates if SnippetsFilters are enabled.
 	SnippetsFilters bool
+	// SnippetsPolicies indicates if SnippetsPolicies are enabled.
+	SnippetsPolicies bool
 	// EndpointPickerDisableTLS indicates if TLS is disabled for EndpointPicker communication.
 	EndpointPickerDisableTLS bool
 	// EndpointPickerTLSSkipVerify indicates if secure verification is skipped for EndpointPicker communication.

internal/controller/manager.go

@@ -49,6 +49,7 @@ import (
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/nginx/config/policies"
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/nginx/config/policies/clientsettings"
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/nginx/config/policies/observability"
+	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/nginx/config/policies/snippetspolicy"
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/nginx/config/policies/upstreamsettings"
 	ngxvalidation "github.com/nginx/nginx-gateway-fabric/v2/internal/controller/nginx/config/validation"
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/provisioner"
@@ -124,7 +125,7 @@ func StartManager(cfg config.Config) error {
 	mustExtractGVK := kinds.NewMustExtractGKV(scheme)
 
 	genericValidator := ngxvalidation.GenericValidator{}
-	policyManager := createPolicyManager(mustExtractGVK, genericValidator)
+	policyManager := createPolicyManager(cfg, mustExtractGVK, genericValidator)
 
 	plusSecrets, err := createPlusSecretMetadata(cfg, mgr.GetAPIReader())
 	if err != nil {
@@ -321,6 +322,7 @@ func StartManager(cfg config.Config) error {
 }
 
 func createPolicyManager(
+	cfg config.Config,
 	mustExtractGVK kinds.MustExtractGVK,
 	validator validation.GenericValidator,
 ) *policies.CompositeValidator {
@@ -339,6 +341,13 @@ func createPolicyManager(
 		},
 	}
 
+	if cfg.SnippetsPolicies {
+		cfgs = append(cfgs, policies.ManagerConfig{
+			GVK:       mustExtractGVK(&ngfAPIv1alpha1.SnippetsPolicy{}),
+			Validator: snippetspolicy.NewValidator(),
+		})
+	}
+
 	return policies.NewManager(mustExtractGVK, cfgs...)
 }
 
@@ -586,6 +595,17 @@ func registerControllers(
 		)
 	}
 
+	if cfg.SnippetsPolicies {
+		controllerRegCfgs = append(controllerRegCfgs,
+			ctlrCfg{
+				objectType: &ngfAPIv1alpha1.SnippetsPolicy{},
+				options: []controller.Option{
+					controller.WithK8sPredicate(k8spredicate.GenerationChangedPredicate{}),
+				},
+			},
+		)
+	}
+
 	for _, regCfg := range controllerRegCfgs {
 		name := regCfg.objectType.GetObjectKind().GroupVersionKind().Kind
 		if regCfg.name != "" {
@@ -791,6 +811,13 @@ func prepareFirstEventBatchPreparerArgs(cfg config.Config) ([]client.Object, []c
 		)
 	}
 
+	if cfg.SnippetsPolicies {
+		objectLists = append(
+			objectLists,
+			&ngfAPIv1alpha1.SnippetsPolicyList{},
+		)
+	}
+
 	objectLists = append(objectLists, &gatewayv1.GatewayList{})
 
 	return objects, objectLists

internal/controller/manager_test.go

@@ -154,6 +154,34 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
 			},
 		},
+		{
+			name: "snippets policies enabled",
+			cfg: config.Config{
+				GatewayClassName: gcName,
+				SnippetsPolicies: true,
+			},
+			expectedObjects: []client.Object{
+				&gatewayv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "nginx"}},
+			},
+			expectedObjectLists: []client.ObjectList{
+				&apiv1.ServiceList{},
+				&apiv1.SecretList{},
+				&apiv1.NamespaceList{},
+				&discoveryV1.EndpointSliceList{},
+				&gatewayv1.HTTPRouteList{},
+				&gatewayv1.BackendTLSPolicyList{},
+				&apiv1.ConfigMapList{},
+				&gatewayv1.GatewayList{},
+				&gatewayv1beta1.ReferenceGrantList{},
+				&ngfAPIv1alpha2.NginxProxyList{},
+				partialObjectMetadataList,
+				&gatewayv1.GRPCRouteList{},
+				&ngfAPIv1alpha1.ClientSettingsPolicyList{},
+				&ngfAPIv1alpha2.ObservabilityPolicyList{},
+				&ngfAPIv1alpha1.SnippetsPolicyList{},
+				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+			},
+		},
 		{
 			name: "experimental, inference, and snippets filters enabled",
 			cfg: config.Config{
@@ -186,6 +214,40 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
 			},
 		},
+		{
+			name: "all features enabled",
+			cfg: config.Config{
+				GatewayClassName:     gcName,
+				ExperimentalFeatures: true,
+				InferenceExtension:   true,
+				SnippetsFilters:      true,
+				SnippetsPolicies:     true,
+			},
+			expectedObjects: []client.Object{
+				&gatewayv1.GatewayClass{ObjectMeta: metav1.ObjectMeta{Name: "nginx"}},
+			},
+			expectedObjectLists: []client.ObjectList{
+				&apiv1.ServiceList{},
+				&apiv1.SecretList{},
+				&apiv1.NamespaceList{},
+				&apiv1.ConfigMapList{},
+				&discoveryV1.EndpointSliceList{},
+				&gatewayv1.HTTPRouteList{},
+				&gatewayv1.GatewayList{},
+				&gatewayv1beta1.ReferenceGrantList{},
+				&ngfAPIv1alpha2.NginxProxyList{},
+				partialObjectMetadataList,
+				&inference.InferencePoolList{},
+				&gatewayv1.BackendTLSPolicyList{},
+				&gatewayv1alpha2.TLSRouteList{},
+				&gatewayv1.GRPCRouteList{},
+				&ngfAPIv1alpha1.ClientSettingsPolicyList{},
+				&ngfAPIv1alpha2.ObservabilityPolicyList{},
+				&ngfAPIv1alpha1.SnippetsFilterList{},
+				&ngfAPIv1alpha1.SnippetsPolicyList{},
+				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+			},
+		},
 	}
 
 	for _, test := range tests {