Update dependency nginxinc.nginx_config to v0.7.1

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
nginxinc.nginx_config	role	minor	0.3.3 → 0.7.1

---

Release Notes

nginxinc/ansible-role-nginx-config (nginxinc.nginx_config)

v0.7.1

Compare Source

ENHANCEMENTS:

• Implement directives for the http_v3 module.

BUG FIXES:

• Add handler to reload NGINX when SSL cert or key is changed.

CI/CD:

• Uncomment the ansible-compat version from the CI/CD pipeline.
• Implement F5 CLA.

v0.7.0

Compare Source

BREAKING CHANGES:

• Two parameters have been removed from the listen dictionary:

  • spdy -> This parameter is no longer supported.

  • http2 -> This parameter has been replaced by the http2 directive. To enable HTTP2, use the enable parameter in the newly implemented http2 module/dictionary:

    http2:
      enable: true

ENHANCEMENTS:

• Initial pass at implementing directives for the http2 (officially named http_v2) module.
• Bump the Ansible community.general collection to 7.1.0, ansible.posix collection to 1.5.4, community.crypto collection to 2.14.0, and community.docker collection to 3.4.7.

BUG FIXES:

• The default template now has a proper example value and comment for the map.mappings directive.

CI/CD:

• Split Ansible Lint into its own GitHub Actions job since Molecule no longer runs linters natively.
• Remove the "stable" part of the stable_push Molecule scenario since installing the NGINX stable branch is already tested by the core NGINX Ansible role.
• Replace molecule[docker] with molecule and molecule-plugins[docker].
• Explicitly set the ansible-compat version (commented out for the time being whilst waiting for a new release of Molecule).
• Add pre-releases to Release Drafter.

v0.6.0

Compare Source

ENHANCEMENTS:

• Standardize code from dot to array notation to keep in with the standards set by the other roles in the Ansible NGINX core collection.
• Bump the minimum version of Ansible core required to run the role to 2.12 (2.11 is no longer supported by Ansible).
• Support the include directive in the main NGINX context.
• Bump the Ansible community.general collection to 6.2.0 and community.docker collection to 3.4.0.

BUG FIXES:

• GitHub Actions should now correctly skip *plus* scenarios only when the NGINX Plus license secrets are not present.
• The ignore-tags GitHub Actions key does not exist. Replace it with the correct key, tags-ignore.

TESTS:

• Update GitHub Actions to run on Ubuntu 22.04 (and thus support cgroups v2).
• Explicitly specify amd64 as the platform used in NGINX Plus Molecule tests. This will ensure that tests involving NGINX App Protect will work as expected when run on different host architectures (e.g. newer Macbooks with arm processors).
• Update the versions of the Ansible NGINX and NGINX App Protect roles used by Molecule.

v0.5.2

Compare Source

ENHANCEMENTS:

• Bump the Ansible community.general collection to 5.5.0, ansible.posix collection to 1.4.0 and community.docker collection to 3.1.0.
• Add support for the latest NGINX Plus R26 directives:
  • auth_jwt_require now allows you to optionally set the error code you wish to return.
  • health_check now lets you set a keepalive_time.
• Add support for the latest NGINX App Protect DoS directives (app_protect_dos_arb_fqdn, app_protect_dos_api, and app_protect_dos_accelerated_mitigation).

BUG FIXES:

Improve the NGINX main config defaults to bring them closer to the standard NGINX defaults on a fresh NGINX install.

TESTS:

• Update GitHub Actions to only skip *plus* scenarios when the NGINX Plus license secrets are not present (it used to only run the NGINX Plus test scenarios during internal PRs).
• Remove Yamllint (Ansible Lint now incorporates Yamllint).
• Skip Ansible Lint line length rules. Slightly refactor code to incorporate changes added to Ansible Lint 6.7.0.

v0.5.1

Compare Source

FEATURES:

Rename all modules to use the fully qualified collection name (FQCN) per Ansible guidelines.

ENHANCEMENTS:

• Bump the Ansible community.general collection to 4.7.0 and community.docker collection to 2.3.0.
• Add labels to loops in tasks/config/template-config.yml to reduce amount of output data.
• Implement gunzip, map, mirror, realip and split_clients modules into http templates.
• Streamline configuring SELinux.
• Update Dependabot to trigger updates at the same time across all NGINX core roles at the same time and to avoid triggering release drafter on GitHub Actions dependency updates.

BUG FIXES:

Ansible check mode runs will no longer fail if NGINX has not yet been installed.

v0.5.0

Compare Source

BREAKING CHANGES:

• Remove parameters deprecated in release 0.4.0. To recap, these are nginx_config_main_upload_*, nginx_config_upload_html_*, and nginx_config_stream_upload_*. Use nginx_config_upload instead.
• Refactor all the stream Jinja2 templates!:

  • Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.

  • This avoids confusing and unnecessary code duplication, as well as hard to maintain code.

  • You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with servers:

    core:
      root: /usr/share/nginx/html
    proxy:
      set_header: []
    servers:
      - core: {}
        proxy: {}

  • Check defaults/main/template.yml and molecule/default/converge.yml for examples!

  • These changes follow in the footsteps of the http Jinja2 refactor introduced in the 0.4.0 release. If you want more information on how to port your stream configurations, the release notes/changelog for 0.4.0 are a good place to start.

• Replace conf_file_name and conf_file_location with deployment_location inside nginx_config_stream_template.
• Replace html_file_name and html_file_location with deployment_location inside nginx_config_html_demo_template.

FEATURES:

• Add backup variable to template and upload parameters. Set to false if you don't want to keep backups of your previous NGINX config files.
• Automatically create a NGINX client_body_temp_path directory if your NGINX config uses the directive.

ENHANCEMENTS:

Bump the Ansible community.general collection to 4.4.0 and community.docker collection to 2.1.1.

BUG FIXES:

• Fix a bug when using a single custom_directives entry and the http template.
• Fix check mode issue when running with SELinux enabled. Role no longer reports a change in check mode when setting the host to permissive mode.
• Fix typo in the REST API template.
• Fix incorrect REST API and status log variable names in defaults/main/template.yml.
• Fix bugged conditional check in the http/ssl.j2 Jinja2 template.

v0.4.2

Compare Source

BUG FIXES:

• Dictionaries are a sequence per Jinja2 contrary to Python's defaults (dictionaries are not a sequence in Python). The template conditionals assumed the latter.
• NAP DoS monitor directive would fail if some variables were commented out.
• NGINX listen so_keepalive parameter was not working as intended when setting specific values.
• Make sure all template objects are properly transformed into strings before doing Jinja2 operations.
• Remove unnecessary parentheses.

v0.4.1

Compare Source

BUG FIXES:

• Fix issue where your deployment_location directory would not be properly created due to an outdated variable.
• Remove duplicated brace in http/auth.j2.

v0.4.0

Compare Source

This is a very big release which fundamentally refactors the whole NGINX configuration templating engine. Almost all of the templates have undergone some breaking changes. Please take extra caution when upgrading your environment to this release and make sure you test any required changes before using the role in any potential production environments.

Efforts have been made to thoroughly test all these changes and make sure they work as intended, but due to the magnitude of the refactoring work, there will be some bugs that have escaped our tests. If you find any, please open an issue or PR through the usual channels.

DEPRECATION WARNINGS:

The nginx_config_main_upload_*, nginx_config_upload_html_*, and nginx_config_stream_upload_* parameters have been deprecated in favor of a newly introduced parameter, nginx_config_upload (previously nginx_config_snippet_upload_*). The new parameter provides greater flexibility in configuring your upload settings in addition to simplifying the upload Ansible tasks. The deprecated parameters will be removed in the next major release (0.5.0), due December 2021.

BREAKING CHANGES:

General updates:

• Rename upload related variables:
  • Rename the nginx_config_snippet_upload_* parameters to nginx_config_upload_* (check defaults/main/upload.yml for an example).
  • Rename the nginx_config_html_upload_* parameters to nginx_config_upload_html_*.
  • Rename the nginx_config_ssl_upload_* parameters to nginx_config_upload_ssl_*.
• Tweak the nginx_config_html_upload and nginx_config_ssl_upload parameters to use a list instead of a single src and dest value (check defaults/main/upload.yml for an example).

Template engine updates:

• Refactor all the http Jinja2 templates!:

  • Each NGINX module is now contained within its own templating file. Macros are then used, in turn, to import each respective module template into a top level template file.

  • This avoids confusing and unnecessary code duplication, as well as hard to maintain code.

  • You will notice that the overall structure of your NGINX config now follows a very simple dictionary structure where each top level key corresponds to an NGINX module. Top level lists are used when dealing with servers and locations:

    core:
      root: /usr/share/nginx/html
    proxy:
      set_header: []
    servers:
      - core: {}
        proxy: {}
        locations:
          - core: {}
            proxy: {}

  • Check defaults/main/template.yml and molecule/default/converge.yml for examples!

• Refactor the base config templates to simplify the creation of templates as well as development and maintenance moving forward:

  • Modify servers, servers.listen, server.locations, upstream and upstream.servers from nested dictionaries in the http and stream configuration templates to lists.
  • Remove/merge the web_server and reverse_proxy nested dictionary keys from the HTTP templates. These often lead to confusing and unnecessary code duplication and hard to maintain code. To update your templates, remove both keys and adjust your spacing accordingly.
  • Replaced conf_file_name and conf_file_location with a single variable, deployment_location.
  • All config related parameters now live under the config key in both the core/main and HTTP templates.
  • Modify the nginx_config_html_demo_template variable from a nested dictionary to a list.

• Refactor the nginx_config_main_template to now include all the respective core and events directives. The following variables have changed:

  • http_enable no longer exists, neither does http_settings. You can still use http.include to include files within the http context.
  • stream_enable no longer exists, neither does stream_settings. You can still use stream.include to include files within the stream context.

• Refactor the upstream HTTP config template into its own separate file. All the upstream module directives are now included. The following variables have changed:

  • port is no longer supported. Instead, include the port as part of your address.
  • lb_method is no longer supported. Instead, you will have to specifically set the method you want to use.
  • zone_name and zone_size have been modified into a dictionary.
  • sticky_cookie is no longer supported as is. You will now have to configure the respective sticky_cookie values.
  • The health_check parameter within the server dictionary is no longer supported. Instead, manually set max_fails and fail_timeout.

• Refactor various individual variables into the core HTTP config template. All the core module directives are now included. The following variables are now included in the core dictionary:

  • alias, client_max_body_size, error_log, error_page, include, index, keepalive_timeout, listen, root, send_file, server_name, server_names_hash_bucket_size, server_names_hash_max_size, server_tokens, tcp_nodelay, tcp_nopush, try_files
  • listen.port is now listen.address, and listen.opts no longer exists (there are now individual keys for each listen parameter).

• Refactor the ssl HTTP config template into its own separate file. All the ssl module directives are now included. Almost all variables have changed:

  • All ssl variables still live within an ssl dictionary, but the names have changed to reflect the official NGINX directive names.
  • ssl configs are now supported within both the http and server contexts.

• Refactor both the app_protect_waf and app_protect_dos modules into a single file:

  • The app_protect dictionary now has the app_protect_waf key.
  • app_protect_global directives are now found inside the app_protect_waf dictionary too.

• Refactor the proxy HTTP config template into its own separate file. All the proxy module directives are now included. All variables have changed:

  • All proxy_* related variables now live under the proxy dictionary key. You can specify the proxy dictionary key inside the http, server, and location contexts.

  • Removed the nginx_config_main_template.http_settings.cache dictionary variable. Use nginx_config_http_template.*.proxy.cache_path instead.

  • Removed the location.websocket variable. Use location.proxy.set_header instead:

    proxy:
      set_header:
        - field: Upgrade
          value: $http_upgrade
        - field: Connection
          value: Upgrade

• Combine the grpc_global directives with the grpc directives.

• Refactor the auth HTTP config template into its own separate auth modules file. All the various auth related module directives including all auth_jwt directives are now available. All variables have changed:

  • All the various auth variables now live within their respective auth dictionaries.
  • auth configs are now supported within the http, server, and location contexts.

• Refactor the autoindex HTTP config template into its own separate file modules file and added missing autoindex module directives. All variables have changed:

  • The autoindex directives now live within the autoindex dictionary.
  • The autoindex dictionary now lives in the HTTP template config instead of the Main template config.

• Refactor the add_headers dictionary into a headers dictionary that now includes all the headers HTTP config directives:

  • The add_headers directive now lives within the headers dictionary.

• Refactor the keyval directives into its own template config that now includes all the keyval HTTP module directives:

  • Both keyval directives now live within the keyval dictionary.
  • The keyval dictionary now lives in the HTTP template config instead of the Main template config.

• Refactor server.health_check_plus into its own dictionary that now includes all the health_check module directives (check defaults/main/template.yml for examples).

• Refactor the limit_req directive into its own dictionary:

  • The limit_req directives now live within the limit_req dictionary.
  • The limit_req dictionary now lives in the HTTP template config instead of the Main template config.

• Refactor the access_log and log_format directives into a log dictionary that now includes all the log module directives:

  • An access and format directive now lives within the log dictionary.
  • The log dictionary HTTP context now lives in the HTTP template config instead of the Main template config.

• Refactor the return and rewrite directives into their own dictionary that now includes all the rewrite HTTP module directives:

  • The rewrites directive has transitioned from a list of one liners

    rewrites:
      - (.*).html(.*) $1$2

    to

    rewrites:
      - regex: (.*).html(.*)
        replacement: $1$2

  • The return directive has transitioned from a slightly complex dictionary structure (wherein the location variable didn't necessarily have any effect)

    returns:
      return301:
        location: ^~ /old-path
        code: 301
        value: http://$host/new-path

    to a slightly less complicated structure

    return:  # 200 -- Alternatively you could also include a code here instead of fleshing out the dictionary.
      code: 200
      text: nginx

• Refactor the sub_filter directives into their own sub_filter dictionary that includes all the sub_filter HTTP module directives:

  • The only major difference is that one liners under the sub_filters dictionary key have changed from

    sub_filters:
      - sub_filter 'server_hostname' '$hostname';

    to

    sub_filters:
      - string: server_hostname
        replacement: $hostname

  • Removed the server.http_demo_conf dictionary. Use server.sub_filters instead:

    sub_filter:
      sub_filters:
        - string: server_hostname
          replacement: $hostname
        - string: server_address
          replacement: $server_addr:$server_port
        - string: server_url
          replacement: $request_uri
        - string: remote_addr
          replacement: '$remote_addr:$remote_port'
        - string: server_date
          replacement: $time_local
        - string: client_browser
          replacement: $http_user_agent
        - string: request_id
          replacement: $request_id
        - string: nginx_version
          replacement: $nginx_version
        - string: document_root
          replacement: $document_root
        - string: proxied_for_ip
          replacement: $http_x_forwarded_for

  • The sub_filter dictionary HTTP context now lives in the HTTP template config instead of the Main template config.

• Rename some NGINX template config parameters to align with NGINX directive names:

  • Rename html_file_location to root.
  • Rename html_file_name to index.

• NGINX App Protect 3.2 supports multiple log destinations per scope. Changing the security_log variable from a dictionary to a list of objects in order to support this.

• NGINX App Protect 3.5 supports a new timeout directive which allows the user to configure the period of time between reconnect retries of the module to the web application firewall (WAF) engine. Added this as a supported directive.

FEATURES:

• Replace Ansible community distribution with Ansible base and add the necessary extra collections as a dependency requirement. For reference, these are:

  ---
  collections:
    - name: community.general
      version: 3.8.0
    - name: ansible.posix
      version: 1.3.0
    - name: community.docker  # This collection is only used as part of the Molecule testing suite
      version: 1.10.0

• Explicitly list Jinja2 2.11.3 as a requirement, as well as detail the minimum supported version (2.11.x).

• Implement Release Drafter.

• Add support for configuring NGINX App Protect DoS (Denial of Service) module and directives.

• Add support for configuring the NGINX Rest API module and the NGINX stub status module.

ENHANCEMENTS:

• Move the gzip HTTP config template into the modules file. It's a small module and did not warrant being in its own individual file.
• Update Ansible Lint to 5.1.3, Molecule to 3.4.0, Yamllint to 1.26.3 and Docker Python SDK to 5.0.2.
• Consolidate Molecule testing scenarios to address changes introduced in Ansible Lint 5.*.
• Specify GitHub Actions Ubuntu release.
• Minor GitHub template tweaks, including the creation of a SECURITY doc.
• Replace Molecule tests using Debian stretch with Debian buster (stretch has reached its EoL), and update list of supported platforms.
• Replace Ansible base with Ansible core. Ansible core will be the "core" Ansible release moving forward from Ansible 2.11.
• Update GitHub Actions to add a workflow dispatch option.
• Update GitHub Actions if conditionals to use the contains function instead of checking for exact names.
• Remove Debian Buster from the plus Molecule scenario since it often fails in the GitHub Actions CI/CD pipeline.
• Replace "yes"/"no" boolean values with "true"/"false" to comply with YAML spec 1.2.
• Ensure the default values for the nginx.conf template match the default values found on a fresh NGINX installation.
• Change Dependabot frequency from daily to weekly.
• Minor touch-up of GitHub Actions workflows.

BUG FIXES:

• Add state parameter to package module in Molecule verification tests.
• In NGINX App Protect environments on SELinux enforced systems, the nginx -t handler fails when run from a directory that the NGINX process' user does not have access to.
• Fix missing GRPC boolean check in GRPC template.
• Fix nginx_config_cleanup_paths not working as intended.
• Fix issue with the app_protect.j2 template that was causing the default values for nginx.conf to fail.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.