Add SnippetsPolicy support and examples to documentation

Author: fabian4

charts/nginx-gateway-fabric/README.md

@@ -246,7 +246,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginx.usage.resolver` | The nameserver used to resolve the NGINX Plus usage reporting endpoint. Used with NGINX Instance Manager. | string | `""` |
 | `nginx.usage.secretName` | The name of the Secret containing the JWT for NGINX Plus usage reporting. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"nplus-license"` |
 | `nginx.usage.skipVerify` | Disable client verification of the NGINX Plus usage reporting server certificate. | bool | `false` |
-| `nginxGateway` | The nginxGateway section contains configuration for the NGINX Gateway Fabric control plane deployment. | object | `{"affinity":{},"autoscaling":{"enable":false},"config":{"logging":{"level":"info"}},"configAnnotations":{},"extraVolumeMounts":[],"extraVolumes":[],"gatewayClassAnnotations":{},"gatewayClassName":"nginx","gatewayControllerName":"gateway.nginx.org/nginx-gateway-controller","gwAPIExperimentalFeatures":{"enable":false},"gwAPIInferenceExtension":{"enable":false,"endpointPicker":{"disableTLS":false,"skipVerify":true}},"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric","tag":"edge"},"kind":"deployment","labels":{},"leaderElection":{"enable":true,"lockName":""},"lifecycle":{},"metrics":{"enable":true,"port":9113,"secure":false},"name":"","nodeSelector":{},"podAnnotations":{},"productTelemetry":{"enable":true},"readinessProbe":{"enable":true,"initialDelaySeconds":3,"port":8081},"replicas":1,"resources":{},"service":{"annotations":{},"labels":{}},"serviceAccount":{"annotations":{},"imagePullSecret":"","imagePullSecrets":[],"name":""},"snippetsFilters":{"enable":false},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[]}` |
+| `nginxGateway` | The nginxGateway section contains configuration for the NGINX Gateway Fabric control plane deployment. | object | `{"affinity":{},"autoscaling":{"enable":false},"config":{"logging":{"level":"info"}},"configAnnotations":{},"extraVolumeMounts":[],"extraVolumes":[],"gatewayClassAnnotations":{},"gatewayClassName":"nginx","gatewayControllerName":"gateway.nginx.org/nginx-gateway-controller","gwAPIExperimentalFeatures":{"enable":false},"gwAPIInferenceExtension":{"enable":false,"endpointPicker":{"disableTLS":false,"skipVerify":true}},"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric","tag":"edge"},"kind":"deployment","labels":{},"leaderElection":{"enable":true,"lockName":""},"lifecycle":{},"metrics":{"enable":true,"port":9113,"secure":false},"name":"","nodeSelector":{},"podAnnotations":{},"productTelemetry":{"enable":true},"readinessProbe":{"enable":true,"initialDelaySeconds":3,"port":8081},"replicas":1,"resources":{},"service":{"annotations":{},"labels":{}},"serviceAccount":{"annotations":{},"imagePullSecret":"","imagePullSecrets":[],"name":""},"snippetsFilters":{"enable":false},"snippetsPolicies":{"enable":false},"terminationGracePeriodSeconds":30,"tolerations":[],"topologySpreadConstraints":[]}` |
 | `nginxGateway.affinity` | The affinity of the NGINX Gateway Fabric control plane pod. | object | `{}` |
 | `nginxGateway.autoscaling` | Autoscaling configuration for the NGINX Gateway Fabric control plane. | object | `{"enable":false}` |
 | `nginxGateway.autoscaling.enable` | Enable or disable Horizontal Pod Autoscaler for the control plane. | bool | `false` |
@@ -290,6 +290,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginxGateway.serviceAccount.imagePullSecrets` | A list of secret names containing docker registry credentials for the control plane. Secrets must exist in the same namespace as the helm release. | list | `[]` |
 | `nginxGateway.serviceAccount.name` | The name of the service account of the NGINX Gateway Fabric control plane pods. Used for RBAC. | string | Autogenerated if not set or set to "" |
 | `nginxGateway.snippetsFilters.enable` | Enable SnippetsFilters feature. SnippetsFilters allow inserting NGINX configuration into the generated NGINX config for HTTPRoute and GRPCRoute resources. | bool | `false` |
+| `nginxGateway.snippetsPolicies.enable` | Enable SnippetsPolicies feature. SnippetsPolicies allow inserting NGINX configuration into the generated NGINX config for Gateway, HTTPRoute and GRPCRoute resources. | bool | `false` |
 | `nginxGateway.terminationGracePeriodSeconds` | The termination grace period of the NGINX Gateway Fabric control plane pod. | int | `30` |
 | `nginxGateway.tolerations` | Tolerations for the NGINX Gateway Fabric control plane pod. | list | `[]` |
 | `nginxGateway.topologySpreadConstraints` | The topology spread constraints for the NGINX Gateway Fabric control plane pod. | list | `[]` |

charts/nginx-gateway-fabric/values.schema.json

@@ -1148,6 +1148,20 @@
           "title": "snippetsFilters",
           "type": "object"
         },
+        "snippetsPolicies": {
+          "properties": {
+            "enable": {
+              "default": false,
+              "description": "Enable SnippetsPolicies feature. SnippetsPolicies allow inserting NGINX configuration into the generated NGINX\nconfig for Gateway, HTTPRoute and GRPCRoute resources.",
+              "required": [],
+              "title": "enable",
+              "type": "boolean"
+            }
+          },
+          "required": [],
+          "title": "snippetsPolicies",
+          "type": "object"
+        },
         "terminationGracePeriodSeconds": {
           "default": 30,
           "description": "The termination grace period of the NGINX Gateway Fabric control plane pod.",

docs/snippets-policy.md

@@ -0,0 +1,75 @@
+# SnippetsPolicy
+
+The `SnippetsPolicy` Custom Resource Definition (CRD) allows you to inject NGINX snippets into the configuration generated by NGINX Gateway Fabric. This is useful for advanced use cases where you need to configure NGINX directives that are not exposed through the Gateway API or other NGINX Gateway Fabric policies.
+
+## Overview
+
+`SnippetsPolicy` is an Attached Policy that targets a `Gateway` resource. It allows you to define snippets for specific NGINX contexts: `main`, `http`, and `http.server`.
+
+> **Warning**: Using snippets can be dangerous. Incorrect snippets can cause NGINX to fail to reload or behave unexpectedly. Use with caution.
+
+## Configuration
+
+### SnippetsPolicy Spec
+
+The `SnippetsPolicy` spec consists of a `targetRef` and a list of `snippets`.
+
+- `targetRef`: Specifies the `Gateway` resource to attach the policy to.
+- `snippets`: A list of snippets to inject. Each snippet consists of:
+  - `context`: The NGINX context to inject the snippet into. Supported values: `main`, `http`, `http.server`.
+  - `value`: The NGINX configuration snippet string.
+
+### Validation
+
+NGINX Gateway Fabric validates the `SnippetsPolicy` to ensure:
+- Only one snippet is defined per context.
+- The context is one of the supported values.
+- The snippet size does not exceed the limit (4KB).
+
+If a snippet is invalid (e.g., contains syntax errors), NGINX might fail to reload. NGINX Gateway Fabric attempts to validate the configuration using `nginx -t` before applying it. If validation fails, the configuration is not applied, and the `SnippetsPolicy` status is updated.
+
+## Examples
+
+### Basic Usage
+
+The following example injects snippets into the `main`, `http`, and `http.server` contexts.
+
+```yaml
+apiVersion: gateway.nginx.org/v1alpha1
+kind: SnippetsPolicy
+metadata:
+  name: example-snippets-policy
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: my-gateway
+  snippets:
+  - context: main
+    value: |
+      worker_priority -5;
+  - context: http
+    value: |
+      keepalive_timeout 65;
+  - context: http.server
+    value: |
+      gzip on;
+      gzip_types text/plain application/xml;
+```
+
+### Enabling the Feature
+
+To use `SnippetsPolicy`, you must enable the `snippetsPolicies` feature flag in the NGINX Gateway Fabric configuration.
+
+If using Helm:
+
+```yaml
+nginxGateway:
+  snippetsPolicies: true
+```
+
+If using the command line:
+
+```bash
+--snippets-policies=true
+```

tests/suite/manifests/snippets-policy/cafe.yaml

@@ -0,0 +1,50 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: cafe
+spec:
+  parentRefs:
+  - name: gateway
+  hostnames:
+  - "cafe.example.com"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /coffee
+    backendRefs:
+    - name: coffee
+      port: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: coffee
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+    protocol: TCP
+    name: http
+  selector:
+    app: coffee
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: coffee
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: coffee
+  template:
+    metadata:
+      labels:
+        app: coffee
+    spec:
+      containers:
+      - name: coffee
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 80

tests/suite/manifests/snippets-policy/gateway.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: gateway
+spec:
+  gatewayClassName: nginx
+  listeners:
+  - name: http
+    port: 80
+    protocol: HTTP

tests/suite/manifests/snippets-policy/invalid-context-sp.yaml

@@ -0,0 +1,12 @@
+apiVersion: gateway.nginx.org/v1alpha1
+kind: SnippetsPolicy
+metadata:
+  name: invalid-context-sp
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: gateway
+  snippets:
+  - context: http
+    value: "worker_priority 0;"

tests/suite/manifests/snippets-policy/invalid-duplicate-sp.yaml

@@ -0,0 +1,12 @@
+apiVersion: gateway.nginx.org/v1alpha1
+kind: SnippetsPolicy
+metadata:
+  name: invalid-duplicate-sp
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: gateway
+  snippets:
+  - context: main
+    value: "worker_processes 1;"

tests/suite/manifests/snippets-policy/valid-sp.yaml

@@ -0,0 +1,16 @@
+apiVersion: gateway.nginx.org/v1alpha1
+kind: SnippetsPolicy
+metadata:
+  name: valid-sp
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: gateway
+  snippets:
+  - context: main
+    value: "worker_priority 0;"
+  - context: http
+    value: "aio off;"
+  - context: http.server
+    value: "auth_delay 0s;"