19 changes: 5 additions & 14 deletions build/Dockerfile
Expand Up @@ -114,14 +114,12 @@ ENV NGINX_VERSION=${NGINX_PLUS_VERSION}

RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
--mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
--mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
--mount=type=bind,from=nginx-files,src=user_agent,target=/tmp/user_agent \
--mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \
export $(cat /tmp/user_agent) \
&& printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
&& apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap libcurl \
&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check libcap libcurl \
&& mkdir -p /etc/nginx/reporting/ && cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
&& ldconfig /usr/local/lib/ \
&& sed -i -e '/nginx.com/d' /etc/apk/repositories
Expand Down Expand Up @@ -154,7 +152,6 @@ ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \
--mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
--mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
--mount=type=bind,from=nginx-files,src=app-protect-security-updates.rsa.pub,target=/etc/apk/keys/app-protect-security-updates.rsa.pub \
--mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
--mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
Expand All @@ -164,13 +161,12 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \
&& printf "%s\n" "https://${PACKAGE_REPO}/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
&& printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
&& printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
&& apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check \
&& apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \
&& if [ "${NGINX_AGENT}" = "true" ]; then apk add --no-cache nginx-agent; fi \
&& mkdir -p /usr/ssl \
&& cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \
&& cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \
&& cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf \
&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& mkdir -p /etc/nginx/reporting/ \
&& cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
&& ldconfig /usr/local/lib/ \
Expand All @@ -194,21 +190,19 @@ ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \
--mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
--mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
--mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
--mount=type=bind,from=nginx-files,src=agent.sh,target=/usr/local/bin/agent.sh \
--mount=type=bind,from=nginx-files,src=nap-waf.sh,target=/usr/local/bin/nap-waf.sh \
--mount=type=bind,from=nginx-files,src=tracking.info,target=/tmp/nginx/reporting/tracking.info \
printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
&& printf "%s\n" "https://${PACKAGE_REPO}/app-protect-x-plus/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
&& printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
&& apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check \
&& apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \
&& if [ "${NGINX_AGENT}" = "true" ]; then apk add --no-cache nginx-agent; fi \
&& mkdir -p /usr/ssl \
&& cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \
&& cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \
&& cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf \
&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& mkdir -p /etc/nginx/reporting/ \
&& cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
&& ldconfig /usr/local/lib/ \
Expand All @@ -229,7 +223,6 @@ ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
--mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
--mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
--mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \
--mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \
Expand All @@ -243,9 +236,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
&& gpg --dearmor -o /usr/share/keyrings/app-protect-archive-keyring.gpg /tmp/app-protect-security-updates.key \
&& cp /tmp/nginx-plus.sources /etc/apt/sources.list.d/nginx-plus.sources \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check \
&& apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \
&& apt-get purge --auto-remove -y gpg \
&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
&& mkdir -p /etc/nginx/reporting/ \
&& cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
&& ldconfig \
Expand All @@ -262,7 +254,6 @@ ENV NGINX_VERSION=${NGINX_PLUS_VERSION}

RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \
--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
--mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
--mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \
--mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \
--mount=type=bind,from=nginx-files,src=nap-waf-12.sources,target=/tmp/app-protect.sources \
Expand Down Expand Up @@ -321,7 +312,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
&& apt-get update \
&& if [ "${NGINX_AGENT}" = "true" ]; then apt-get install --no-install-recommends --no-install-suggests -y nginx-agent; fi \
&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
apt-get install --no-install-recommends --no-install-suggests -y app-protect-module-plus=33+5.264* nginx-plus-module-appprotect=33+5.264*; \
apt-get install --no-install-recommends --no-install-suggests -y app-protect-module-plus=33+5.264* nginx-plus-module-appprotect=33+5.264* app-protect-plugin=6.9.0*; \
rm -f /etc/apt/sources.list.d/app-protect.sources; \
nap-waf.sh; \
fi \
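Review bot: The `&& ldconfig /usr/local/lib/ \` step at the end of each of the three Alpine RUN instructions now outlives the only `cp -av /tmp/ot/usr/local/lib/...` line that ever populated `/usr/local/lib`, so it is dead work and should go with the rest of the OpenTracing plumbing; the `alpine-opentracing-lib` and `opentracing-lib` build stages these mounts referenced should likewise be deleted if they are still defined above these hunks, otherwise they keep building (and pulling) code nothing consumes. The bare `ldconfig` in the Debian RUN can stay, since apt relies on it regardless. On the changed `apt-get install` line, `app-protect-plugin=6.9.0*` follows the neighbouring glob pins, which is consistent, but note that a glob still admits any later `6.9.0-` rebuild from the repo, so image reproducibility rests on the package repository rather than on this file. Every RUN instruction here continues with `\` past the hunk boundary, so trailing steps are not visible.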
20 changes: 15 additions & 5 deletions internal/configs/configmaps.go
Expand Up @@ -538,7 +538,7 @@ func ParseConfigMap(ctx context.Context, cfgm *v1.ConfigMap, nginxPlus bool, has
cfgParams.MainOpenTracingTracerConfig = openTracingTracerConfig
}

if cfgParams.MainOpenTracingTracer != "" || cfgParams.MainOpenTracingTracerConfig != "" {
if cfgParams.MainOpenTracingTracer != "" && cfgParams.MainOpenTracingTracerConfig != "" {
cfgParams.MainOpenTracingLoadModule = true
}

Expand All @@ -547,11 +547,14 @@ func ParseConfigMap(ctx context.Context, cfgm *v1.ConfigMap, nginxPlus bool, has
nl.Error(l, err)
eventLog.Event(cfgm, v1.EventTypeWarning, nl.EventReasonInvalidValue, err.Error())
configOk = false
} else if openTracing && nginxPlus {
errorText := fmt.Sprintf("ConfigMap %s/%s key %s is not compatible with NGINX Plus", cfgm.Namespace, cfgm.Name, "opentracing")
nl.Warn(l, errorText)
eventLog.Event(cfgm, v1.EventTypeWarning, nl.EventReasonInvalidValue, errorText)
configOk = false
clearOpenTracingParams(cfgParams)
} else if !openTracing {
cfgParams.MainOpenTracingEnabled = false
cfgParams.MainOpenTracingLoadModule = false
cfgParams.MainOpenTracingTracer = ""
cfgParams.MainOpenTracingTracerConfig = ""
clearOpenTracingParams(cfgParams)
} else {
if cfgParams.MainOpenTracingLoadModule {
cfgParams.MainOpenTracingEnabled = openTracing
Expand Down Expand Up @@ -674,6 +677,13 @@ func ParseConfigMap(ctx context.Context, cfgm *v1.ConfigMap, nginxPlus bool, has
return cfgParams, configOk
}

func clearOpenTracingParams(cfgParams *ConfigParams) {
cfgParams.MainOpenTracingEnabled = false
cfgParams.MainOpenTracingLoadModule = false
cfgParams.MainOpenTracingTracer = ""
cfgParams.MainOpenTracingTracerConfig = ""
}

//nolint:gocyclo
func parseConfigMapZoneSync(l *slog.Logger, cfgm *v1.ConfigMap, cfgParams *ConfigParams, eventLog record.EventRecorder, nginxPlus bool) (*ZoneSync, error) {
if zoneSync, exists, err := GetMapKeyAsBool(cfgm.Data, "zone-sync", cfgm); exists {
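Review bot: The new `else if openTracing && nginxPlus` guard only runs when the `opentracing` key is present, but `cfgParams.MainOpenTracingLoadModule = true` a few lines earlier is set unconditionally whenever both tracer keys are present, so a Plus ConfigMap carrying `opentracing-tracer` and `opentracing-tracer-config` without `opentracing` still leaves LoadModule true even though the Plus images in this same PR no longer install `nginx-plus-module-opentracing`; if the template emits `load_module` from that flag, nginx would refuse to start. Gating the assignment on the edition closes the gap: `if !nginxPlus && cfgParams.MainOpenTracingTracer != "" && cfgParams.MainOpenTracingTracerConfig != "" {`. The enclosing `if ...; exists {` that wraps these branches starts above the hunk, so confirm that the key-absent path really does skip the guard before relying on it. A one-line doc comment on the new helper would also help, e.g. `// clearOpenTracingParams resets every OpenTracing field so a rejected or disabled config never leaks a half-populated tracer into the rendered config.`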
175 changes: 142 additions & 33 deletions internal/configs/configmaps_test.go
Expand Up @@ -1170,12 +1170,14 @@ func makeEventLogger() record.EventRecorder {
func TestOpenTracingConfiguration(t *testing.T) {
t.Parallel()
tests := []struct {
configMap *v1.ConfigMap
enabled bool
loadModule bool
tracer string
tracerConfig string
msg string
configMap *v1.ConfigMap
isPlus bool
expectedOpenTracingEnabled bool
expectedLoadModule bool
expectedTracer string
expectedTracerConfig string
expectedConfigOk bool
msg string
}{
{
configMap: &v1.ConfigMap{
Expand All @@ -1185,11 +1187,42 @@ func TestOpenTracingConfiguration(t *testing.T) {
"opentracing-tracer-config": "/etc/nginx/opentracing.json",
},
},
enabled: true,
loadModule: true,
tracer: "/usr/local/lib/libjaegertracing.so",
tracerConfig: "/etc/nginx/opentracing.json",
msg: "opentracing enabled",
isPlus: false,
expectedOpenTracingEnabled: true,
expectedLoadModule: true,
expectedTracer: "/usr/local/lib/libjaegertracing.so",
expectedTracerConfig: "/etc/nginx/opentracing.json",
expectedConfigOk: true,
msg: "oss: opentracing enabled (valid)",
},
{
configMap: &v1.ConfigMap{
Data: map[string]string{
"opentracing": "true",
"opentracing-tracer": "/usr/local/lib/libjaegertracing.so",
},
},
isPlus: false,
expectedOpenTracingEnabled: false,
expectedLoadModule: false,
expectedTracer: "/usr/local/lib/libjaegertracing.so",
expectedTracerConfig: "",
expectedConfigOk: false,
msg: "oss: opentracing enabled, tracer-config not set (invalid)",
},
{
configMap: &v1.ConfigMap{
Data: map[string]string{
"opentracing": "true",
},
},
isPlus: false,
expectedOpenTracingEnabled: false,
expectedLoadModule: false,
expectedTracer: "",
expectedTracerConfig: "",
expectedConfigOk: false,
msg: "oss: opentracing enabled, tracer and tracer-config not set (invalid)",
},
{
configMap: &v1.ConfigMap{
Expand All @@ -1199,56 +1232,132 @@ func TestOpenTracingConfiguration(t *testing.T) {
"opentracing-tracer-config": "/etc/nginx/opentracing.json",
},
},
enabled: false,
loadModule: false,
tracer: "",
tracerConfig: "",
msg: "opentracing disabled",
isPlus: false,
expectedOpenTracingEnabled: false,
expectedLoadModule: false,
expectedTracer: "",
expectedTracerConfig: "",
expectedConfigOk: true,
msg: "oss: opentracing disabled, tracer and tracer-config set (valid)",
},
{
configMap: &v1.ConfigMap{
Data: map[string]string{
"opentracing": "false",
},
},
enabled: false,
loadModule: false,
tracer: "",
tracerConfig: "",
msg: "opentracing disabled",
isPlus: false,
expectedOpenTracingEnabled: false,
expectedLoadModule: false,
expectedTracer: "",
expectedTracerConfig: "",
expectedConfigOk: true,
msg: "oss: opentracing disabled (valid)",
},
{
configMap: &v1.ConfigMap{
Data: map[string]string{
"opentracing": "false",
},
},
isPlus: true,
expectedOpenTracingEnabled: false,
expectedLoadModule: false,
expectedTracer: "",
expectedTracerConfig: "",
expectedConfigOk: true,
msg: "plus: opentracing explicitly disabled (valid)",
},
{
configMap: &v1.ConfigMap{
Data: map[string]string{},
},
isPlus: true,
expectedOpenTracingEnabled: false,
expectedLoadModule: false,
expectedTracer: "",
expectedTracerConfig: "",
expectedConfigOk: true,
msg: "plus: no opentracing keys set (valid)",
},
{
configMap: &v1.ConfigMap{
Data: map[string]string{
"opentracing": "false",
"opentracing-tracer": "/usr/local/lib/libjaegertracing.so",
"opentracing-tracer-config": "/etc/nginx/opentracing.json",
},
},
isPlus: true,
expectedOpenTracingEnabled: false,
expectedLoadModule: false,
expectedTracer: "",
expectedTracerConfig: "",
expectedConfigOk: true,
msg: "plus: opentracing disabled, tracer and tracer-config set (valid)",
},
{
configMap: &v1.ConfigMap{
Data: map[string]string{
"opentracing": "true",
},
},
isPlus: true,
expectedOpenTracingEnabled: false,
expectedLoadModule: false,
expectedTracer: "",
expectedTracerConfig: "",
expectedConfigOk: false,
msg: "plus: opentracing enabled (invalid)",
},
{
configMap: &v1.ConfigMap{
Data: map[string]string{
"opentracing": "true",
"opentracing-tracer": "/usr/local/lib/libjaegertracing.so",
"opentracing-tracer-config": "/etc/nginx/opentracing.json",
},
},
isPlus: true,
expectedOpenTracingEnabled: false,
expectedLoadModule: false,
expectedTracer: "",
expectedTracerConfig: "",
expectedConfigOk: false,
msg: "plus: opentracing enabled, tracer and tracer-config set (invalid)",
},
}
nginxPlus := false

hasAppProtect := false
hasAppProtectDos := false
hasTLSPassthrough := false

for _, test := range tests {
t.Run(test.msg, func(t *testing.T) {
result, configOk := ParseConfigMap(context.Background(), test.configMap, nginxPlus,
result, configOk := ParseConfigMap(context.Background(), test.configMap, test.isPlus,
hasAppProtect, hasAppProtectDos, hasTLSPassthrough, makeEventLogger())

if !configOk {
t.Errorf("Expected valid config, got invalid")
if configOk != test.expectedConfigOk {
t.Errorf("configOk: want %v, got %v", test.expectedConfigOk, configOk)
}
if result.MainOpenTracingEnabled != test.enabled {
if result.MainOpenTracingEnabled != test.expectedOpenTracingEnabled {
t.Errorf("MainOpenTracingEnabled: want %v, got %v",
test.enabled, result.MainOpenTracingEnabled)
test.expectedOpenTracingEnabled, result.MainOpenTracingEnabled)
}

if result.MainOpenTracingLoadModule != test.loadModule {
if result.MainOpenTracingLoadModule != test.expectedLoadModule {
t.Errorf("MainOpenTracingLoadModule: want %v, got %v",
test.loadModule, result.MainOpenTracingLoadModule)
test.expectedLoadModule, result.MainOpenTracingLoadModule)
}

if result.MainOpenTracingTracer != test.tracer {
if result.MainOpenTracingTracer != test.expectedTracer {
t.Errorf("MainOpenTracingTracer: want %q, got %q",
test.tracer, result.MainOpenTracingTracer)
test.expectedTracer, result.MainOpenTracingTracer)
}

if result.MainOpenTracingTracerConfig != test.tracerConfig {
if result.MainOpenTracingTracerConfig != test.expectedTracerConfig {
t.Errorf("MainOpenTracingTracerConfig: want %q, got %q",
test.tracerConfig, result.MainOpenTracingTracerConfig)
test.expectedTracerConfig, result.MainOpenTracingTracerConfig)
}
})
}
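Review bot: The table has no case for a Plus ConfigMap that sets `opentracing-tracer` and `opentracing-tracer-config` but omits the `opentracing` key, which is the one combination that bypasses the new `openTracing && nginxPlus` guard in `ParseConfigMap` and, going by the visible lines there, still sets `MainOpenTracingLoadModule`. Add an entry with `isPlus: true`, those two keys only, `expectedLoadModule: false`, the `expectedConfigOk` the intended contract calls for, and `msg: "plus: tracer and tracer-config set, opentracing key absent"`, so the gap is pinned whichever way it is fixed. Separately, the `oss: opentracing enabled, tracer-config not set (invalid)` case pins `expectedTracer` to the jaeger path while `expectedConfigOk` is false, which codifies a rejected config leaking a half-populated tracer to callers; if that is not intentional, expect `""` there and clear the params in the corresponding branch (the `else` arm that runs past the hunk in `configmaps.go`).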