Support customizing the nginx config with values (grafana#213)

kd7lxl · web-flow · commit 673e198a77f1 · 2021-09-10T10:51:51.000-07:00
Signed-off-by: Tom Hayward &lt;thayward@infoblox.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 * [FEATURE] Add autoscaler for queriers #190
 * [FEATURE] Add autoscaler for distributors #189
 * [FEATURE] Add autoscaler for ingesters #182
+* [ENHANCEMENT] Support customizing the nginx config with values #213
 * [ENHANCEMENT] Upgrade to Cortex v1.10.0 #204
 * [ENHANCEMENT] Populate config.querier.store_gateway_addresses automatically based on other config #201
 * [ENHANCEMENT] Graceful shutdown of ingesters #195
diff --git a/README.md b/README.md
@@ -591,6 +591,9 @@ Kubernetes: `^1.19.0-0`
 | nginx.&ZeroWidthSpace;config.&ZeroWidthSpace;basicAuthSecretName | string | `""` | (optional) Name of basic auth secret. In order to use this option, a secret with htpasswd formatted contents at the key ".htpasswd" must exist. For example:   apiVersion: v1   kind: Secret   metadata:     name: my-secret     namespace: <same as cortex installation>   stringData:     .htpasswd: |       user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0       user2:$apr1$QdR8fNLT$vbCEEzDj7LyqCMyNpSoBh/ Please note that the use of basic auth will not identify organizations the way X-Scope-OrgID does. Thus, the use of basic auth alone will not prevent one tenant from viewing the metrics of another. To ensure tenants are scoped appropriately, explicitly set the `X-Scope-OrgID` header in the nginx config. Example   setHeaders:     X-Scope-Org-Id: $remote_user |
 | nginx.&ZeroWidthSpace;config.&ZeroWidthSpace;client_max_body_size | string | `"1M"` |  |
 | nginx.&ZeroWidthSpace;config.&ZeroWidthSpace;dnsResolver | string | `"kube-dns.kube-system.svc.cluster.local"` |  |
+| nginx.&ZeroWidthSpace;config.&ZeroWidthSpace;httpSnippet | string | `""` | arbitrary snippet to inject in the http { } section of the nginx config |
+| nginx.&ZeroWidthSpace;config.&ZeroWidthSpace;mainSnippet | string | `""` | arbitrary snippet to inject in the top section of the nginx config |
+| nginx.&ZeroWidthSpace;config.&ZeroWidthSpace;serverSnippet | string | `""` | arbitrary snippet to inject in the server { } section of the nginx config |
 | nginx.&ZeroWidthSpace;config.&ZeroWidthSpace;setHeaders | object | `{}` |  |
 | nginx.&ZeroWidthSpace;containerSecurityContext.&ZeroWidthSpace;enabled | bool | `true` |  |
 | nginx.&ZeroWidthSpace;containerSecurityContext.&ZeroWidthSpace;readOnlyRootFilesystem | bool | `false` |  |
diff --git a/ci/test-values.yaml b/ci/test-values.yaml
@@ -69,6 +69,13 @@ querier:
     enabled: true
 nginx:
   replicas: 1
+  config:
+    httpSnippet: |-
+      # http snippet
+    mainSnippet: |-
+      # main snippet
+    serverSnippet: |-
+      # server snippet
 runtimeconfigmap:
   annotations:
     foo: bar
diff --git a/templates/nginx/nginx-config.yaml b/templates/nginx/nginx-config.yaml
@@ -18,6 +18,10 @@ data:
       worker_connections  4096;  ## Default: 1024
     }
 
+    {{- with .Values.nginx.config.mainSnippet }}
+    {{ tpl . $ | nindent 4 }}
+    {{- end }}
+
     http {
       default_type application/octet-stream;
       client_max_body_size {{.Values.nginx.config.client_max_body_size}};
@@ -29,6 +33,10 @@ data:
       tcp_nopush   on;
       resolver {{ default (printf "kube-dns.kube-system.svc.%s" .Values.clusterDomain ) .Values.nginx.config.dnsResolver }};
 
+      {{- with .Values.nginx.config.httpSnippet }}
+      {{ tpl . $ | nindent 6 }}
+      {{- end }}
+
       server { # simple reverse-proxy
         listen {{ .Values.nginx.http_listen_port }};
         proxy_connect_timeout 300s;
@@ -45,6 +53,10 @@ data:
         auth_basic_user_file /etc/apache2/.htpasswd;
         {{- end }}
 
+        {{- with .Values.nginx.config.serverSnippet }}
+        {{ tpl . $ | nindent 8 }}
+        {{- end }}
+
         location = /healthz {
           # auth_basic off is not set here, even when a basic auth directive is
           # included in the server block, as Nginx's NGX_HTTP_REWRITE_PHASE
diff --git a/values.yaml b/values.yaml
@@ -1162,6 +1162,12 @@ nginx:
     dnsResolver: kube-dns.kube-system.svc.cluster.local
     ## ref: http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
     client_max_body_size: 1M
+    # -- arbitrary snippet to inject in the http { } section of the nginx config
+    httpSnippet: ""
+    # -- arbitrary snippet to inject in the top section of the nginx config
+    mainSnippet: ""
+    # -- arbitrary snippet to inject in the server { } section of the nginx config
+    serverSnippet: ""
     setHeaders: {}
     # -- (optional) List of [auth tenants](https://cortexmetrics.io/docs/guides/auth/) to set in the nginx config
     auth_orgs: []
