Dynamic reload of SSL certificates for NGINX Plus

[oseoin]

Proposed changes

Enable lazy loading of SSL Certificates for NGINX Plus. This works by replacing the /etc/nginx/secrets with a map which returns that path by default for the variable $secret_dir_path.

E.g.

ssl_certificate /etc/nginx/secrets/default-my-secret.crt

Becomes:

map $nginx_version $secret_dir_path {
    default "/etc/nginx/secrets";
}

...

ssl_certificate $secret_dir_path/default-my-secret.crt

When this is enabled NIC checks secret updates and skips a reload of NGINX if there are no changes to the configuration files which reference that secret.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

[codecov]

Codecov Report

Attention: 146 lines in your changes are missing coverage. Please review.

Comparison is base (a122d11) 52.11% compared to head (cfd97c3) 51.96%.

Files	Patch %	Lines
internal/configs/configurator.go	28.44%	78 Missing ⚠️
internal/nginx/manager.go	0.00%	21 Missing ⚠️
cmd/nginx-ingress/main.go	0.00%	14 Missing ⚠️
internal/nginx/fake_manager.go	0.00%	11 Missing ⚠️
internal/configs/transportserver.go	85.00%	4 Missing and 2 partials ⚠️
cmd/nginx-ingress/flags.go	0.00%	4 Missing ⚠️
internal/k8s/controller.go	0.00%	4 Missing ⚠️
internal/configs/ingress.go	76.92%	2 Missing and 1 partial ⚠️
internal/configs/virtualserver.go	86.95%	2 Missing and 1 partial ⚠️
internal/configs/version1/template_executor.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4764      +/-   ##
==========================================
- Coverage   52.11%   51.96%   -0.16%     
==========================================
  Files          59       60       +1     
  Lines       17100    17191      +91     
==========================================
+ Hits         8912     8933      +21     
- Misses       7890     7954      +64     
- Partials      298      304       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[vepatel]

  File "/workspace/tests/suite/test_virtual_server_tls.py", line 201, in test_tls_termination
    assert reloads == expected_reloads, f"expected {expected_reloads} reloads, got {reloads}"
AssertionError: expected 0 reloads, got 1
assert 1 == 0

[oseoin]

  File "/workspace/tests/suite/test_virtual_server_tls.py", line 201, in test_tls_termination
    assert reloads == expected_reloads, f"expected {expected_reloads} reloads, got {reloads}"
AssertionError: expected 0 reloads, got 1
assert 1 == 0

Should hopefully be resolved in the latest commit, always passed locally but upstream ordering for the virtualserver resource was not stable before now.

[shaun-nx]

👏