nginx
diff --git a/‎charts/nginx-gateway-fabric/README.md‎
Lines changed: 2 additions & 1 deletion b/‎charts/nginx-gateway-fabric/README.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎charts/nginx-gateway-fabric/templates/certs-job.yaml‎
Lines changed: 2 additions & 0 deletions b/‎charts/nginx-gateway-fabric/templates/certs-job.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎charts/nginx-gateway-fabric/values.schema.json‎
Lines changed: 7 additions & 0 deletions b/‎charts/nginx-gateway-fabric/values.schema.json‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎charts/nginx-gateway-fabric/values.yaml‎
Lines changed: 2 additions & 0 deletions b/‎charts/nginx-gateway-fabric/values.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎internal/controller/handler.go‎
Lines changed: 15 additions & 2 deletions b/‎internal/controller/handler.go‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎internal/controller/handler_test.go‎
Lines changed: 100 additions & 1 deletion b/‎internal/controller/handler_test.go‎
Lines changed: 100 additions & 1 deletion
diff --git a/‎internal/controller/nginx/agent/agent.go‎
Lines changed: 4 additions & 2 deletions b/‎internal/controller/nginx/agent/agent.go‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎internal/controller/nginx/agent/agent_test.go‎
Lines changed: 5 additions & 4 deletions b/‎internal/controller/nginx/agent/agent_test.go‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎internal/controller/nginx/agent/agentfakes/fake_nginx_updater.go‎
Lines changed: 16 additions & 8 deletions b/‎internal/controller/nginx/agent/agentfakes/fake_nginx_updater.go‎
Lines changed: 16 additions & 8 deletions
diff --git a/‎internal/controller/nginx/agent/command_test.go‎
Lines changed: 2 additions & 2 deletions b/‎internal/controller/nginx/agent/command_test.go‎
Lines changed: 2 additions & 2 deletions
@@ -195,10 +195,11 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 
 | Key | Description | Type | Default |
 |-----|-------------|------|---------|
-| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[],"ttlSecondsAfterFinished":30}` |
+| `certGenerator` | The certGenerator section contains the configuration for the cert-generator Job. | object | `{"affinity":{},"agentTLSSecretName":"agent-tls","annotations":{},"enable":true,"nodeSelector":{},"overwrite":false,"serverTLSSecretName":"server-tls","tolerations":[],"topologySpreadConstraints":[],"ttlSecondsAfterFinished":30}` |
 | `certGenerator.affinity` | The affinity of the cert-generator pod. | object | `{}` |
 | `certGenerator.agentTLSSecretName` | The name of the base Secret containing TLS CA, certificate, and key for the NGINX Agent to securely communicate with the NGINX Gateway Fabric control plane. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"agent-tls"` |
 | `certGenerator.annotations` | The annotations of the cert-generator Job. | object | `{}` |
+| `certGenerator.enable` | Enable the cert-generator Job. If this is disabled, then cert-manager or some other method must be used to create the required Secrets. | bool | `true` |
 | `certGenerator.nodeSelector` | The nodeSelector of the cert-generator pod. | object | `{}` |
 | `certGenerator.overwrite` | Overwrite existing TLS Secrets on startup. | bool | `false` |
 | `certGenerator.serverTLSSecretName` | The name of the Secret containing TLS CA, certificate, and key for the NGINX Gateway Fabric control plane to securely communicate with the NGINX Agent. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"server-tls"` |
 
@@ -1,3 +1,4 @@
+{{- if .Values.certGenerator.enable }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -172,3 +173,4 @@ spec:
       {{- toYaml .Values.certGenerator.nodeSelector | nindent 8 }}
       {{- end }}
   ttlSecondsAfterFinished: {{ .Values.certGenerator.ttlSecondsAfterFinished }}
+{{- end }}
@@ -23,6 +23,13 @@
           "title": "annotations",
           "type": "object"
         },
+        "enable": {
+          "default": true,
+          "description": "Enable the cert-generator Job. If this is disabled, then cert-manager or some other method must be used to create the required Secrets.",
+          "required": [],
+          "title": "enable",
+          "type": "boolean"
+        },
         "nodeSelector": {
           "description": "The nodeSelector of the cert-generator pod.",
           "required": [],
 
@@ -672,6 +672,8 @@ nginx:
 
 # -- The certGenerator section contains the configuration for the cert-generator Job.
 certGenerator:
+  # -- Enable the cert-generator Job. If this is disabled, then cert-manager or some other method must be used to create the required Secrets.
+  enable: true
   # -- The annotations of the cert-generator Job.
   annotations: {}
 
 
@@ -241,8 +241,20 @@ func (h *eventHandlerImpl) sendNginxConfig(ctx context.Context, logger logr.Logg
 
 		h.setLatestConfiguration(gw, &cfg)
 
+		vm := []v1.VolumeMount{}
+		if gw.EffectiveNginxProxy != nil &&
+			gw.EffectiveNginxProxy.Kubernetes != nil {
+			if gw.EffectiveNginxProxy.Kubernetes.Deployment != nil {
+				vm = gw.EffectiveNginxProxy.Kubernetes.Deployment.Container.VolumeMounts
+			}
+
+			if gw.EffectiveNginxProxy.Kubernetes.DaemonSet != nil {
+				vm = gw.EffectiveNginxProxy.Kubernetes.DaemonSet.Container.VolumeMounts
+			}
+		}
+
 		deployment.FileLock.Lock()
-		h.updateNginxConf(deployment, cfg)
+		h.updateNginxConf(deployment, cfg, vm)
 		deployment.FileLock.Unlock()
 
 		configErr := deployment.GetLatestConfigError()
@@ -454,9 +466,10 @@ func (h *eventHandlerImpl) parseAndCaptureEvent(ctx context.Context, logger logr
 func (h *eventHandlerImpl) updateNginxConf(
 	deployment *agent.Deployment,
 	conf dataplane.Configuration,
+	volumeMounts []v1.VolumeMount,
 ) {
 	files := h.cfg.generator.Generate(conf)
-	h.cfg.nginxUpdater.UpdateConfig(deployment, files)
+	h.cfg.nginxUpdater.UpdateConfig(deployment, files, volumeMounts)
 
 	// If using NGINX Plus, update upstream servers using the API.
 	if h.cfg.plus {
 
@@ -22,6 +22,7 @@ import (
 	gatewayv1 "sigs.k8s.io/gateway-api/apis/v1"
 
 	ngfAPI "github.com/nginx/nginx-gateway-fabric/v2/apis/v1alpha1"
+	"github.com/nginx/nginx-gateway-fabric/v2/apis/v1alpha2"
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/config"
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/licensing/licensingfakes"
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/metrics/collectors"
@@ -66,7 +67,7 @@ var _ = Describe("eventHandler", func() {
 		Expect(fakeGenerator.GenerateArgsForCall(0)).Should(Equal(expectedConf))
 
 		Expect(fakeNginxUpdater.UpdateConfigCallCount()).Should(Equal(1))
-		_, files := fakeNginxUpdater.UpdateConfigArgsForCall(0)
+		_, files, _ := fakeNginxUpdater.UpdateConfigArgsForCall(0)
 		Expect(expectedFiles).To(Equal(files))
 
 		Eventually(
@@ -642,6 +643,104 @@ var _ = Describe("eventHandler", func() {
 
 		Expect(handler.GetLatestConfiguration()).To(BeEmpty())
 	})
+
+	It("should process events with volume mounts from Deployment", func() {
+		// Create a gateway with EffectiveNginxProxy containing Deployment VolumeMounts
+		gatewayWithVolumeMounts := &graph.Graph{
+			Gateways: map[types.NamespacedName]*graph.Gateway{
+				{Namespace: "test", Name: "gateway"}: {
+					Valid: true,
+					Source: &gatewayv1.Gateway{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "gateway",
+							Namespace: "test",
+						},
+					},
+					DeploymentName: types.NamespacedName{
+						Namespace: "test",
+						Name:      controller.CreateNginxResourceName("gateway", "nginx"),
+					},
+					EffectiveNginxProxy: &graph.EffectiveNginxProxy{
+						Kubernetes: &v1alpha2.KubernetesSpec{
+							Deployment: &v1alpha2.DeploymentSpec{
+								Container: v1alpha2.ContainerSpec{
+									VolumeMounts: []v1.VolumeMount{
+										{
+											Name:      "test-volume",
+											MountPath: "/etc/test",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		}
+
+		fakeProcessor.ProcessReturns(gatewayWithVolumeMounts)
+
+		e := &events.UpsertEvent{Resource: &gatewayv1.HTTPRoute{}}
+		batch := []interface{}{e}
+
+		handler.HandleEventBatch(context.Background(), logr.Discard(), batch)
+
+		// Verify that UpdateConfig was called with the volume mounts
+		Expect(fakeNginxUpdater.UpdateConfigCallCount()).Should(Equal(1))
+		_, _, volumeMounts := fakeNginxUpdater.UpdateConfigArgsForCall(0)
+		Expect(volumeMounts).To(HaveLen(1))
+		Expect(volumeMounts[0].Name).To(Equal("test-volume"))
+		Expect(volumeMounts[0].MountPath).To(Equal("/etc/test"))
+	})
+
+	It("should process events with volume mounts from DaemonSet", func() {
+		// Create a gateway with EffectiveNginxProxy containing DaemonSet VolumeMounts
+		gatewayWithVolumeMounts := &graph.Graph{
+			Gateways: map[types.NamespacedName]*graph.Gateway{
+				{Namespace: "test", Name: "gateway"}: {
+					Valid: true,
+					Source: &gatewayv1.Gateway{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "gateway",
+							Namespace: "test",
+						},
+					},
+					DeploymentName: types.NamespacedName{
+						Namespace: "test",
+						Name:      controller.CreateNginxResourceName("gateway", "nginx"),
+					},
+					EffectiveNginxProxy: &graph.EffectiveNginxProxy{
+						Kubernetes: &v1alpha2.KubernetesSpec{
+							DaemonSet: &v1alpha2.DaemonSetSpec{
+								Container: v1alpha2.ContainerSpec{
+									VolumeMounts: []v1.VolumeMount{
+										{
+											Name:      "daemon-volume",
+											MountPath: "/var/daemon",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		}
+
+		fakeProcessor.ProcessReturns(gatewayWithVolumeMounts)
+
+		e := &events.UpsertEvent{Resource: &gatewayv1.HTTPRoute{}}
+		batch := []interface{}{e}
+
+		handler.HandleEventBatch(context.Background(), logr.Discard(), batch)
+
+		// Verify that UpdateConfig was called with the volume mounts
+		Expect(fakeNginxUpdater.UpdateConfigCallCount()).Should(Equal(1))
+		_, _, volumeMounts := fakeNginxUpdater.UpdateConfigArgsForCall(0)
+		Expect(volumeMounts).To(HaveLen(1))
+		Expect(volumeMounts[0].Name).To(Equal("daemon-volume"))
+		Expect(volumeMounts[0].MountPath).To(Equal("/var/daemon"))
+	})
 })
 
 var _ = Describe("getGatewayAddresses", func() {
 
@@ -10,6 +10,7 @@ import (
 	"github.com/go-logr/logr"
 	pb "github.com/nginx/agent/v3/api/grpc/mpi/v1"
 	"google.golang.org/protobuf/types/known/structpb"
+	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -29,7 +30,7 @@ const retryUpstreamTimeout = 5 * time.Second
 
 // NginxUpdater is an interface for updating NGINX using the NGINX agent.
 type NginxUpdater interface {
-	UpdateConfig(deployment *Deployment, files []File)
+	UpdateConfig(deployment *Deployment, files []File, volumeMounts []v1.VolumeMount)
 	UpdateUpstreamServers(deployment *Deployment, conf dataplane.Configuration)
 }
 
@@ -87,8 +88,9 @@ func NewNginxUpdater(
 func (n *NginxUpdaterImpl) UpdateConfig(
 	deployment *Deployment,
 	files []File,
+	volumeMounts []v1.VolumeMount,
 ) {
-	msg := deployment.SetFiles(files)
+	msg := deployment.SetFiles(files, volumeMounts)
 	if msg == nil {
 		n.logger.V(1).Info("No changes to nginx configuration files, not sending to agent")
 		return
 
@@ -9,6 +9,7 @@ import (
 	pb "github.com/nginx/agent/v3/api/grpc/mpi/v1"
 	. "github.com/onsi/gomega"
 	"google.golang.org/protobuf/types/known/structpb"
+	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	"github.com/nginx/nginx-gateway-fabric/v2/internal/controller/nginx/agent/broadcast/broadcastfakes"
@@ -63,7 +64,7 @@ func TestUpdateConfig(t *testing.T) {
 				deployment.SetPodErrorStatus("pod1", testErr)
 			}
 
-			updater.UpdateConfig(deployment, []File{file})
+			updater.UpdateConfig(deployment, []File{file}, []v1.VolumeMount{})
 
 			g.Expect(fakeBroadcaster.SendCallCount()).To(Equal(1))
 			fileContents, _ := deployment.GetFile(file.Meta.Name, file.Meta.Hash)
@@ -74,7 +75,7 @@ func TestUpdateConfig(t *testing.T) {
 				// ensure that the error is cleared after the next config is applied
 				deployment.SetPodErrorStatus("pod1", nil)
 				file.Meta.Hash = "5678"
-				updater.UpdateConfig(deployment, []File{file})
+				updater.UpdateConfig(deployment, []File{file}, []v1.VolumeMount{})
 				g.Expect(deployment.GetLatestConfigError()).ToNot(HaveOccurred())
 			} else {
 				g.Expect(deployment.GetLatestConfigError()).ToNot(HaveOccurred())
@@ -105,10 +106,10 @@ func TestUpdateConfig_NoChange(t *testing.T) {
 	}
 
 	// Set the initial files on the deployment
-	deployment.SetFiles([]File{file})
+	deployment.SetFiles([]File{file}, []v1.VolumeMount{})
 
 	// Call UpdateConfig with the same files
-	updater.UpdateConfig(deployment, []File{file})
+	updater.UpdateConfig(deployment, []File{file}, []v1.VolumeMount{})
 
 	// Verify that no new configuration was sent
 	g.Expect(fakeBroadcaster.SendCallCount()).To(Equal(0))
 
@@ -342,7 +342,7 @@ func TestSubscribe(t *testing.T) {
 			Contents: []byte("file contents"),
 		},
 	}
-	deployment.SetFiles(files)
+	deployment.SetFiles(files, []v1.VolumeMount{})
 	deployment.SetImageVersion("nginx:v1.0.0")
 
 	initialAction := &pb.NGINXPlusAction{
@@ -488,7 +488,7 @@ func TestSubscribe_Reset(t *testing.T) {
 			Contents: []byte("file contents"),
 		},
 	}
-	deployment.SetFiles(files)
+	deployment.SetFiles(files, []v1.VolumeMount{})
 	deployment.SetImageVersion("nginx:v1.0.0")
 
 	ctx, cancel := createGrpcContextWithCancel()