Add support for NGINX GRPC directives (#56)

Author: alessfg

.github/workflows/galaxy.yml

@@ -2,6 +2,8 @@
 name: Ansible Galaxy import
 on:
   release:
+    types:
+      - published
 jobs:
   galaxy:
     name: Galaxy

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.3.3 (Unreleased)
+
+ENHANCEMENTS:
+
+*   Add support for NGINX GRPC directives.
+*   Only run GitHub actions Galaxy CI/CD workflow when a new release is published.
+*   Update list of supported platforms.
+
 ## 0.3.2 (January 11, 2021)
 
 ENHANCEMENTS:

README.md

@@ -40,19 +40,16 @@ The NGINX config Ansible role supports all platforms supported by [NGINX Open So
 
 ```yaml
 Alpine:
-  - 3.9
   - 3.10
   - 3.11
   - 3.12
 CentOS:
-  - 6
   - 7.4+
   - 8
 Debian:
   - stretch
   - buster
 RedHat:
-  - 6
   - 7.4+
   - 8
 SUSE/SLES:
@@ -61,36 +58,33 @@ SUSE/SLES:
 Ubuntu:
   - xenial
   - bionic
-  - eoan
   - focal
+  - groovy
 ```
 
 ### NGINX Plus
 
 ```yaml
 Alpine:
-  - 3.9
   - 3.10
   - 3.11
+  - 3.12
 Amazon Linux:
   - 2018.03
 Amazon Linux 2:
   - any
 CentOS:
-  - 6.5+
   - 7.4+
   - 8
 Debian:
   - stretch
   - buster
 FreeBSD:
   - 11.2+
-  - 12
+  - 12.1+
 Oracle Linux:
-  - 6.5+
   - 7.4+
 RedHat:
-  - 6.5+
   - 7.4+
   - 8
 SUSE/SLES:
@@ -99,7 +93,6 @@ SUSE/SLES:
 Ubuntu:
   - xenial
   - bionic
-  - eoan
   - focal
 ```
 

defaults/main/template.yml

@@ -34,11 +34,50 @@ nginx_config_main_template:
     #   cpu_thresholds:  # Optional
     #     high: 100  # Required
     #     low: 100  # Required
-    #   failure_mode_action: pass  # Optional -- `pass` or `drop`
+    #   failure_mode_action: pass  # Optional -- 'pass' or 'drop'
     #   cookie_seed: encryptionseed  # Optional
-    #   compressed_requests_action: drop  # Optional -- `pass` or `drop`
-    #   request_buffer_overflow_action: pass  # Optional -- `pass` or `drop`
+    #   compressed_requests_action: drop  # Optional -- 'pass' or 'drop'
+    #   request_buffer_overflow_action: pass  # Optional -- 'pass' or 'drop'
     #   user_defined_signatures: []  # Optional list
+    # app_protect:  # Optional -- Configure NGINX App Protect
+    #   enable: false  # Optional
+    #   policy_file: path  # Optional
+    #   security_log_enable: false  # Optional
+    #   security_log:  # Optional
+    #     path: path  # Required
+    #     destination: dest  # Required
+    # grpc_global:  # Optional -- Configure GRPC
+    #   bind:  # Optional -- Set to 'false' and remove/comment nested variables to disable grpc_bind
+    #     address: $remote_addr  # Required
+    #     transparent: true  # Optional
+    #   buffer_size: 4k  # Optional
+    #   connect_timeout: 60s  # Optional
+    #   hide_header: []  # Optional list
+    #   ignore_headers: []  # Optional list -- 'X-Accel-Redirect' or 'X-Accel-Charset'
+    #   intercept_errors: false  # Optional
+    #   next_upstream: []  # Optional list
+    #   next_upstream_timeout: 0  # Optional
+    #   next_upstream_tries: 0  # Optional
+    #   pass_header: []  # Optional list
+    #   read_timeout: 60s  # Optional
+    #   send_timeout: 60s  # Optional
+    #   set_header:  # Optional
+    #     - field: Accept-Encoding  # Required
+    #       value: '""'  # Required
+    #   socket_keepalive: false  # Optional
+    #   ssl_certificate: fileLocation  # Optional
+    #   ssl_certificate_key: fileLocation  # Optional
+    #   ssl_ciphers: DEFAULT  # Optional
+    #   ssl_conf_command: command  # Optional
+    #   ssl_crl: fileLocation  # Optional
+    #   ssl_name: serverName  # Optional
+    #   ssl_password_file: fileLocation  # Optional
+    #   ssl_protocols: []  # Optional list
+    #   ssl_server_name: false  # Optional
+    #   ssl_session_reuse: true  # Optional
+    #   ssl_trusted_certificate: fileLocation  # Optional
+    #   ssl_verify: false  # Optional
+    #   ssl_verify_depth: 1  # Optional
     access_log_format:
       - name: main
         format: |-
@@ -96,6 +135,38 @@ nginx_config_http_template:
         #   security_log:  # Optional
         #     path: path  # Required
         #     destination: dest  # Required
+        # grpc_global:  # Optional -- Configure GRPC
+        #   bind:  # Optional -- Set to 'false' and remove/comment nested variables to disable grpc_bind
+        #     address: $remote_addr  # Required
+        #     transparent: true  # Optional
+        #   buffer_size: 4k  # Optional
+        #   connect_timeout: 60s  # Optional
+        #   hide_header: []  # Optional list
+        #   ignore_headers: []  # Optional list -- 'X-Accel-Redirect' or 'X-Accel-Charset'
+        #   intercept_errors: false  # Optional
+        #   next_upstream: []  # Optional list
+        #   next_upstream_timeout: 0  # Optional
+        #   next_upstream_tries: 0  # Optional
+        #   pass_header: []  # Optional list
+        #   read_timeout: 60s  # Optional
+        #   send_timeout: 60s  # Optional
+        #   set_header:  # Optional
+        #     - field: Accept-Encoding  # Required
+        #       value: '""'  # Required
+        #   socket_keepalive: false  # Optional
+        #   ssl_certificate: fileLocation  # Optional
+        #   ssl_certificate_key: fileLocation  # Optional
+        #   ssl_ciphers: DEFAULT  # Optional
+        #   ssl_conf_command: command  # Optional
+        #   ssl_crl: fileLocation  # Optional
+        #   ssl_name: serverName  # Optional
+        #   ssl_password_file: fileLocation  # Optional
+        #   ssl_protocols: []  # Optional list
+        #   ssl_server_name: false  # Optional
+        #   ssl_session_reuse: true  # Optional
+        #   ssl_trusted_certificate: fileLocation  # Optional
+        #   ssl_verify: false  # Optional
+        #   ssl_verify_depth: 1  # Optional
         ssl:
           cert: /etc/ssl/certs/default.crt
           key: /etc/ssl/private/default.key
@@ -161,6 +232,40 @@ nginx_config_http_template:
               #   security_log:  # Optional
               #     path: path  # Required
               #     destination: dest  # Required
+              # grpc_global:  # Optional -- Configure GRPC
+              #   bind:  # Optional -- Set to 'false' and remove/comment nested variables to disable grpc_bind
+              #     address: $remote_addr  # Required
+              #     transparent: true  # Optional
+              #   buffer_size: 4k  # Optional
+              #   connect_timeout: 60s  # Optional
+              #   hide_header: []  # Optional list
+              #   ignore_headers: []  # Optional list -- 'X-Accel-Redirect' or 'X-Accel-Charset'
+              #   intercept_errors: false  # Optional
+              #   next_upstream: []  # Optional list
+              #   next_upstream_timeout: 0  # Optional
+              #   next_upstream_tries: 0  # Optional
+              #   pass_header: []  # Optional list
+              #   read_timeout: 60s  # Optional
+              #   send_timeout: 60s  # Optional
+              #   set_header:  # Optional
+              #     - field: Accept-Encoding  # Required
+              #       value: '""'  # Required
+              #   socket_keepalive: false  # Optional
+              #   ssl_certificate: fileLocation  # Optional
+              #   ssl_certificate_key: fileLocation  # Optional
+              #   ssl_ciphers: DEFAULT  # Optional
+              #   ssl_conf_command: command  # Optional
+              #   ssl_crl: fileLocation  # Optional
+              #   ssl_name: serverName  # Optional
+              #   ssl_password_file: fileLocation  # Optional
+              #   ssl_protocols: []  # Optional list
+              #   ssl_server_name: false  # Optional
+              #   ssl_session_reuse: true  # Optional
+              #   ssl_trusted_certificate: fileLocation  # Optional
+              #   ssl_verify: false  # Optional
+              #   ssl_verify_depth: 1  # Optional
+              # grpc:  # Optional -- Configure GRPC
+              #   pass: localhost:9000  # Optional
               include_files: []
               proxy_hide_headers: []  # A list of headers which shouldn't be passed to the application
               add_headers:
@@ -361,7 +466,7 @@ nginx_config_status_enable: false
 nginx_config_status_template_file: http/status.conf.j2
 nginx_config_status_file_location: /etc/nginx/conf.d/status.conf
 nginx_config_status_port: 8080  # Optional -- Defaults to 8080
-nginx_config_status_access_log:  # Optional -- Set to 'false' to disable access log
+nginx_config_status_access_log:  # Optional -- Set to 'false' and remove/comment nested variables to disable access log
   location: /var/log/nginx/access.log  # Required
   name: main  # Required
 nginx_config_status_allow:  # Optional
@@ -377,7 +482,7 @@ nginx_config_rest_api_template_file: http/api.conf.j2
 nginx_config_rest_api_file_location: /etc/nginx/conf.d/api.conf
 nginx_config_rest_api_port: 8080  # Optional-- Defaults to 8080
 nginx_config_rest_api_write: false  # Optional
-nginx_config_rest_api_access_log:  # Optional -- Set to 'false' to disable access log
+nginx_config_rest_api_access_log:  # Optional -- Set to 'false' and remove/comment nested variables to disable access log
   location: /var/log/nginx/access.log  # Required
   name: main  # Required
 nginx_config_rest_api_allow:  # Optional

meta/main.yml

@@ -30,12 +30,13 @@ galaxy_info:
     - name: FreeBSD
       versions:
         - 11.2
-        - 12.0
+        - 12.1
     - name: Ubuntu
       versions:
         - xenial
         - bionic
         - focal
+        - groovy
     - name: SLES
       versions:
         - 12

molecule/common/playbooks/oss_requirements.yml

@@ -1,4 +1,4 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.18.1
+    version: 0.19.1

molecule/common/playbooks/plus_requirements.yml

@@ -1,6 +1,6 @@
 ---
 roles:
   - name: nginxinc.nginx
-    version: 0.18.1
+    version: 0.19.1
   - name: nginxinc.nginx_app_protect
-    version: 0.4.1
+    version: 0.4.2

molecule/default/converge.yml

@@ -28,6 +28,29 @@
           worker_connections: 1024
           http_enable: true
           http_settings:
+            grpc_global:
+              bind:
+                address: $remote_addr
+                transparent: false
+              buffer_size: 4k
+              connect_timeout: 60s
+              hide_header:
+                - X-Accel-Redirect
+              ignore_headers:
+                - X-Accel-Redirect
+              intercept_errors: false
+              next_upstream:
+                - timeout
+              next_upstream_timeout: 0
+              next_upstream_tries: 0
+              pass_header:
+                - X-Accel-Charset
+              read_timeout: 60s
+              send_timeout: 60s
+              set_header:
+                - field: Accept-Encoding
+                  value: '""'
+              socket_keepalive: false
             default_type: application/octet-stream
             access_log_format:
               - name: main
@@ -116,6 +139,8 @@
                   locations:
                     frontend:
                       location: /
+                      grpc:
+                        pass: localhost:9000
                       proxy_hide_headers:
                         - X-Powered-By
                       add_headers:

templates/http/default.conf.j2

@@ -85,10 +85,16 @@ server {
     server_name {{ item.value.servers[server].server_name | default('localhost') }};
 {% if item.value.servers[server].app_protect is defined %}
 {% from 'app_protect.j2' import app_protect_local with context %}
-{% filter indent(8) %}
+{% filter indent(4) %}
     {{ app_protect_local(item.value.servers[server].app_protect) }}
 {% endfilter %}
 {% endif %}
+{% if item.value.servers[server].grpc_global is defined %}
+{% from 'http/grpc.j2' import grpc_global with context %}
+{% filter indent(4) %}
+    {{ grpc_global(item.value.servers[server].grpc_global) }}
+{% endfilter %}
+{% endif %}
 {% if item.value.servers[server].ssl is defined and item.value.servers[server].ssl %}
     ssl_certificate {{ item.value.servers[server].ssl.cert }};
     ssl_certificate_key {{ item.value.servers[server].ssl.key }};
@@ -199,8 +205,20 @@ server {
 {% endif %}
 {% if item.value.servers[server].reverse_proxy.locations[location].app_protect is defined %}
 {% from 'app_protect.j2' import app_protect_local with context %}
-{% filter indent(12) %}
-    {{ app_protect_local(item.value.servers[server].reverse_proxy.locations[location].app_protect) }}
+{% filter indent(8) %}
+        {{ app_protect_local(item.value.servers[server].reverse_proxy.locations[location].app_protect) }}
+{% endfilter %}
+{% endif %}
+{% if item.value.servers[server].reverse_proxy.locations[location].grpc_global is defined %}
+{% from 'http/grpc.j2' import grpc_global with context %}
+{% filter indent(8) %}
+        {{ grpc_global(item.value.servers[server].reverse_proxy.locations[location].grpc_global) }}
+{% endfilter %}
+{% endif %}
+{% if item.value.servers[server].reverse_proxy.locations[location].grpc is defined %}
+{% from 'http/grpc.j2' import grpc_local with context %}
+{% filter indent(8) %}
+        {{ grpc_local(item.value.servers[server].reverse_proxy.locations[location].grpc) }}
 {% endfilter %}
 {% endif %}
 {% if item.value.servers[server].reverse_proxy.locations[location].include_files is defined and item.value.servers[server].reverse_proxy.locations[location].include_files | length %}