diff --git a/docs/images/client-settings/attach-1.png b/docs/images/client-settings/attach-1.png new file mode 100644 index 0000000000..ea62836468 Binary files /dev/null and b/docs/images/client-settings/attach-1.png differ diff --git a/docs/images/client-settings/attach-2.png b/docs/images/client-settings/attach-2.png new file mode 100644 index 0000000000..77b2c646ca Binary files /dev/null and b/docs/images/client-settings/attach-2.png differ diff --git a/docs/images/client-settings/attach-3.png b/docs/images/client-settings/attach-3.png new file mode 100644 index 0000000000..9824cb5aa4 Binary files /dev/null and b/docs/images/client-settings/attach-3.png differ diff --git a/docs/images/client-settings/example-a1.png b/docs/images/client-settings/example-a1.png new file mode 100644 index 0000000000..40fa3d07ce Binary files /dev/null and b/docs/images/client-settings/example-a1.png differ diff --git a/docs/images/client-settings/example-a2.png b/docs/images/client-settings/example-a2.png new file mode 100644 index 0000000000..286ecf00fc Binary files /dev/null and b/docs/images/client-settings/example-a2.png differ diff --git a/docs/images/client-settings/example-a3.png b/docs/images/client-settings/example-a3.png new file mode 100644 index 0000000000..ef5fc892c3 Binary files /dev/null and b/docs/images/client-settings/example-a3.png differ diff --git a/docs/images/client-settings/example-b1.png b/docs/images/client-settings/example-b1.png new file mode 100644 index 0000000000..d919d300c8 Binary files /dev/null and b/docs/images/client-settings/example-b1.png differ diff --git a/docs/images/client-settings/example-b2.png b/docs/images/client-settings/example-b2.png new file mode 100644 index 0000000000..d87d3a6026 Binary files /dev/null and b/docs/images/client-settings/example-b2.png differ diff --git a/docs/images/client-settings/example-b3.png b/docs/images/client-settings/example-b3.png new file mode 100644 index 0000000000..7ff32e7827 Binary files /dev/null and b/docs/images/client-settings/example-b3.png differ diff --git a/docs/images/client-settings/example-c1.png b/docs/images/client-settings/example-c1.png new file mode 100644 index 0000000000..09b24aed8f Binary files /dev/null and b/docs/images/client-settings/example-c1.png differ diff --git a/docs/images/client-settings/example-c2.png b/docs/images/client-settings/example-c2.png new file mode 100644 index 0000000000..b956a70cdd Binary files /dev/null and b/docs/images/client-settings/example-c2.png differ diff --git a/docs/images/client-settings/example-c3.png b/docs/images/client-settings/example-c3.png new file mode 100644 index 0000000000..67723cb7ab Binary files /dev/null and b/docs/images/client-settings/example-c3.png differ diff --git a/docs/images/client-settings/mapping-a.png b/docs/images/client-settings/mapping-a.png new file mode 100644 index 0000000000..359e1a5a15 Binary files /dev/null and b/docs/images/client-settings/mapping-a.png differ diff --git a/docs/images/client-settings/mapping-b.png b/docs/images/client-settings/mapping-b.png new file mode 100644 index 0000000000..34f3b3591b Binary files /dev/null and b/docs/images/client-settings/mapping-b.png differ diff --git a/docs/images/client-settings/mapping-c.png b/docs/images/client-settings/mapping-c.png new file mode 100644 index 0000000000..89ecd68448 Binary files /dev/null and b/docs/images/client-settings/mapping-c.png differ diff --git a/docs/proposals/client-settings.md b/docs/proposals/client-settings.md new file mode 100644 index 0000000000..31c79ab427 --- /dev/null +++ b/docs/proposals/client-settings.md @@ -0,0 +1,394 @@ +# Enhancement Proposal-1632: Client Settings Policy + +- Issue: https://github.com/nginxinc/nginx-gateway-fabric/issues/1632 +- Status: Implementable + +## Summary + +This Enhancement Proposal introduces the `ClientSettingsPolicy` API that allows Cluster Operators and Application developers to configure the behavior of the connection between the client and NGINX. + +## TODO + +The Policy and Metaresources GEP is currently under construction. There is an open [PR](https://github.com/kubernetes-sigs/gateway-api/pull/2813/) that contains significant changes to the Policy API. +While this proposal is based on the latest (as of 3/13/2024) state of the PR, there are still open discussions that may introduce changes to the API. Once the PR is merged, this proposal will need to be revisited to ensure it aligns with the final Policy API. + +## Goals + +- Define client settings. +- Define an API for client settings. +- Outline the attachment points and scenarios for the client settings policy. +- Describe the inheritance behavior of client settings when multiple policies exist. + +## Non-Goals + +- Provide implementation details for implementing the client settings policy. +- Define attachment and inheritance behavior for multiple Gateways. + +## Introduction + +### Client Settings + +Client settings are NGINX directives that affect requests sent from the downstream client to NGINX Gateway Fabric. + +To begin, the Client Settings Policy will include the following NGINX directives: + +- [`client_max_body_size`](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) +- [`client_body_timeout`](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout) +- [`keepalive_requests`](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests) +- [`keepalive_time`](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_time) +- [`keepalive_timeout`](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) +- [`keepalive_disable`](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_disable) + +In the future, we can extend the Client Settings Policy to include more client-related directives, such as `client_body_buffer_size`, `client_header_buffer_size`. + +## Use Cases + +- As a Cluster Operator, I want to set defaults for client settings that will work for most applications so that most Application Developers will not have to tweak these settings. +- As an Application Developer, I want to be able to configure client settings for my application based on its behavior or requirements. +- As an Application Developer, I was to override the defaults for client settings set by the Cluster Operator because the defaults do not satisfy my application's requirements or behavior. + +## API + +The `ClientSettingsPolicy` API is a CRD that is a part of the `gateway.nginx.org` Group. It adheres to the guidelines and requirements of an Inherited Policy as outlined in the [Policy and Metaresources GEP](https://gateway-api.sigs.k8s.io/geps/gep-713/). + +Below is the Golang API for the `ClientSettingsPolicy` API: + +### Go + +```go +package v1alpha1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" +) + +type ClientSettingsPolicy struct { + metav1.TypeMeta `json:",inline"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec defines the desired state of the ClientSettingsPolicy. + Spec ClientSettingsPolicySpec `json:"spec"` + + // Status defines the state of the ClientSettingsPolicy. + Status ClientSettingsPolicyStatus `json:"status,omitempty"` +} + +type ClientSettingsPolicySpec struct { + // TargetRef identifies an API object to apply the policy to. + // Object must be in the same namespace as the policy. + // Support: Gateway and HTTPRoute + TargetRef gatewayv1alpha2.PolicyTargetReference `json:"targetRef"` + + // Default defines default policy configuration for the targeted resource. + // +optional + Default *ClientSettingsPolicyConfig `json:"default,omitempty"` +} + +type ClientSettingsPolicyStatus struct { + // Conditions describe the current conditions of the ClientSettingsPolicy + // +optional + Conditions []metav1.Condition +} + +type ClientSettingsPolicyConfig struct { + // MaxBodySize sets the maximum allowed size of the client request body. + // Setting size to 0 disables checking of client request body size. + // +optional + MaxBodySize *Size `json:"maxBodySize,omitempty"` + + // BodyTimeout defines a timeout for reading client request body. The timeout is set only for a period between + // two successive read operations, not for the transmission of the whole request body. + // +optional + BodyTimeout *Duration `json:"bodyTimeout,omitempty"` + + // KeepAlive defines the keep-alive settings. + // +optional + KeepAlive *KeepAlive `json:"keepAlive,omitempty"` +} + +// KeepAlive defines the keepalive settings. +type KeepAlive struct { + // Requests sets the maximum number of requests that can be served through one keep-alive connection. + // After the maximum number of requests are made, the connection is closed. + // +optional + Requests *int32 `json:"requests,omitempty"` + + // Time defines the maximum time during which requests can be processed through one keep-alive connection. + // After this time is reached, the connection is closed following the subsequent request processing. + // +optional + Time *Duration `json:"time,omitempty"` + + // Timeout defines the keep-alive timeouts. + // +optional + Timeout *KeepAliveTimeout `json:"timeout,omitempty"` + + // Disable disables keep-alive connections for misbehaving browsers. + // +optional + Disable *DisableType `json:"disable"` +} + +type KeepAliveTimeout struct { + // ServerTimeout sets the timeout during which a keep-alive client connection will stay open on the server side. + // The zero value disables keep-alive client connections. + // +optional + ServerTimeout *Duration + + // HeaderTimeout sets the timeout in the "Keep-Alive: timeout=time" response header field. + // +optional + HeaderTimeout *Duration +} + +// DisableType is the type of browsers to disable keep-alive connections on. +type DisableType string + +var ( + // NoneDisableType enables keep-alive connections for all browsers. + NoneDisableType DisableType = "None" + + // SafariDisableType disables keep-alive connections for Safari and Safari-like browsers on macOS and macOS-like + // operating systems. + SafariDisableType DisableType = "Safari" + + // MSIEDisableType disables keep-alive connections for old versions of MSIE, once a POST request is received. + MSIEDisableType DisableType = "MSIE" + + // AllDisableType disables keep-alive connections for MSIE and Safari browsers. + AllDisableType DisableType = "All" +) + +// Duration is a string value representing a duration in time. +// The format is a subset of the syntax parsed by Golang time.ParseDuration. +// Examples: 1h, 12m, 30s, 150ms. +type Duration string + +// Size is a string value representing a size. Size can be specified in bytes, kilobytes (suffix k), +// or megabytes (suffix m). +// Examples: 1024, 8k, 1m. +type Size string +``` + +### Versioning and Installation + +The version of the `ClientSettingsPolicy` API will be `v1alpha1`. + +The `ClientSettingsPolicy` CRD _may_ be installed by the Cluster Operator via Helm or with manifests. It will _not_ be required, and if the `ClientSettingsPolicy` CRD does not exist in the cluster, NGINX Gateway Fabric will not fail or log an error. + +### Status + +#### CRD Label + +According to the [Policy and Metaresources GEP](https://gateway-api.sigs.k8s.io/geps/gep-713/), the `ClientSettingsPolicy` CRD must have the `gateway.networking.k8s.io/policy: inherited` label to specify that it is an inherited policy. +This label will help with discoverability and will be used by the planned Gateway API Policy [kubectl plugin](https://gateway-api.sigs.k8s.io/geps/gep-713/#kubectl-plugin-or-command-line-tool). + +#### Conditions + +According to the [Policy and Metaresources GEP](https://gateway-api.sigs.k8s.io/geps/gep-713/), the `ClientSettingsPolicy` CRD must include a `status` stanza with a slice of Conditions. + +The `Accepted` Condition must be populated on the `ClientSettingsPolicy` CRD using the reasons defined in the [PolicyCondition API](https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1alpha2/policy_types.go). If these reasons are not sufficient, we can add implementation-specific reasons. + +#### Setting Status on Objects Affected by a Policy + +In the Policy and Metaresources GEP, there's a provisional status described [here](https://gateway-api.sigs.k8s.io/geps/gep-713/#standard-status-condition-on-policy-affected-objects) that involves adding a Condition or annotation to all objects affected by a Policy. + +This solution gives the object owners some knowledge that their object is affected by a policy but minimizes status updates by limiting them to when the affected object starts or stops being affected by a policy. +Even though this status is provisional, implementing it now will help with discoverability and allow us to give feedback on the solution. + +Implementing this involves defining a new Condition type and reason: + +```go +package conditions + +import ( + gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" +) + + +const ( + ClientSettingsPolicyAffected gatewayv1alpha2.PolicyConditionType = "gateway.nginx.org/ClientSettingsPolicyAffected" + PolicyAffectedReason gatewayv1alpha2.PolicyConditionReason = "PolicyAffected" +) + +``` + +NGINX Gateway Fabric must set this Condition on all HTTPRoutes and Gateways affected by a `ClientSettingsPolicy`. +Below is an example of what this Condition may look like: + +```yaml +Conditions: + Type: gateway.nginx.org/ClientSettingsPolicyAffected + Message: Object affected by a ClientSettingsPolicy. + Observed Generation: 1 + Reason: PolicyAffected + Status: True +``` + +Some additional rules: + +- This Condition should be added when the affected object starts or stops being affected by a `ClientSettingsPolicy`. +- If an object is affected by multiple `ClientSettingsPolicy`, only one Condition should exist. +- When the last `ClientSettingsPolicy` affecting that object is removed, the Condition should be removed. +- The Observed Generation is the generation of the affected object, not the generation of the `ClientSettingsPolicy`. + +#### Policy Ancestor Status + +In the updated version of the [Policy and Metaresources GEP](https://github.com/kubernetes-sigs/gateway-api/pull/2813/files), which is still under review, the `PolicyAncestorStatus` only applies to Direct Policies. +[`PolicyAncestorStatus`](https://github.com/kubernetes-sigs/gateway-api/blob/f1758d1bc233d78a3e1e6cfba34336526655d03d/apis/v1alpha2/policy_types.go#L156) contains a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy for each ancestor. +This status provides a view of the resources the policy is affecting. It is beneficial for policies implemented by multiple controllers (e.g., BackendTLSPolicy) or that attach to resources with different capabilities. + +Since the `ClientSettingsPolicy` is an Inherited Policy and there is no expectation that other implementations will implement this policy, `PolicyAncestorStatus` is not required and may have limited user benefits. +However, it's possible that future Gateway API tooling will expect policy status to include this status, so we may end up adding it later. + +#### Future Status + +Beyond the Condition requirements discussed above, there are no other status requirements for Inherited Policies. This topic is currently up for discussion, and solutions may be added to the Spec. + +## Attachment and Inheritance + +The `ClientSettingsPolicy` may be attached to Gateways and HTTPRoutes. + +There are three possible attachment scenarios: + +**1. Gateway Attachment** + +![attach-1](/docs/images/client-settings/attach-1.png) + +When a `ClientSettingsPolicy` is attached to a Gateway only, all the HTTPRoutes attached to the Gateway inherit the client settings. + +**2: HTTPRoute Attachment** + +![attach-2](/docs/images/client-settings/attach-2.png) + +When a `ClientSettingsPolicy` is attached to an HTTPRoute only, the settings in that policy apply to that HTTPRoute only. In this case, the `foo` HTTPRoute is the only route affected by a `ClientSettingsPolicy`. The Gateway, `bar`, and `baz` HTTPRoutes will use the default NGINX values for client settings. + +**3: Gateway and HTTPRoute Attachment** + +![attach-3](/docs/images/client-settings/attach-3.png) + +When a `ClientSettingsPolicy` is attached to a Gateway and one or more of the HTTPRoutes that are attached to that Gateway, the effective policy is calculated by accepting the "lowest" default configured. +Let's examine each HTTPRoute's effective policy: + +- `baz`: This HTTPRoute has a `ClientSettingsPolicy` attached to it that sets both the max body size and the body timeout. It's also affected by the `ClientSettingsPolicy` attached to the Gateway, which also sets these two values. Since HTTPRoutes are a "lower" object than Gateways in the inheritance hierarchy, the defaults set by the policy attached to the `baz` route win. +- `bar`: This HTTPRoute does not have a policy attached to it but is affected by the policy attached to the Gateway. As a result, it inherits the settings from the Gateway's policy. +- `foo`: This HTTPRoute is similar to the `baz` route because it is affected by two policies: the policy attached to the Gateway and the policy attached to itself. However, since the policy attached to itself only sets the value for max body size, the `foo` route inherits the value for body timeout from the Gateway policy. + +For more information on how to calculate effective policies, see the [hierarchy](https://gateway-api.sigs.k8s.io/geps/gep-713/#hierarchy) and [merging](https://gateway-api.sigs.k8s.io/geps/gep-713/#merging-into-existing-spec-fields) sections in the Policy and Metaresources GEP. + +### NGINX Inheritance Behavior + +The client settings NGINX directives are available in three NGINX contexts: http, server, and location. Similar to Gateway API resources, there is a hierarchy among these contexts: + +```mermaid +graph TD + http --> server --> location +``` + +In general, NGINX directives inherit downwards only. The location context inherits values set above it in the server and http contexts, and the server context inherits values set in the http context. Additionally, directives specified in a lower context will replace those specified in a higher context. So, a directive set in the location context will replace those set in the server and http contexts. +When a request is rewritten internally from one location to another, only directives in the second location apply. In other words, a location cannot inherit directives from another location. + +There are some nuances to the inheritance behavior when dealing with array directives and action directives (see [NGINX Inheritance Behavior](https://blog.martinfjordvald.com/understanding-the-nginx-configuration-inheritance-model/) for more information), but the directives included in this policy follow this top-down inheritance pattern. + +### Mapping Gateway API Resources to NGINX Contexts + +We need to examine how NGINX Gateway Fabric maps Gateway API resources to NGINX contexts to understand how policy attachment and inheritance will work with NGINX. Below are the three types of possible mappings (simplified for brevity): + +**A. Distinct Hostnames** + +![map-a](/docs/images/client-settings/mapping-a.png) + +When each HTTPRoute attached to a Gateway has a distinct set of hostnames, NGINX Gateway Fabric will generate a server block for each hostname. All the locations contained in the server block belong to a single HTTPRoute. +In this scenario, each server block is "owned" by a single HTTPRoute. + +> Note: This mapping only applies to "Exact" path matches. "PathPrefix" path matches will generate internal locations and look and act like the mapping shown below in scenario C. + +**B. Same Hostname** + +![map-b](/docs/images/client-settings/mapping-b.png) + +When HTTPRoutes attached to a Gateway specify the same hostname, NGINX Gateway Fabric generates a single server block containing the locations from all HTTPRoutes that specify the server's hostname. +In this scenario, the HTTPRoutes share "ownership" of the server block. + +**C. Internal Redirect** + +![map-c](/docs/images/client-settings/mapping-c.png) + +When HTTPRoutes attached to a Gateway specify the same hostname _and_ path, NGINX Gateway Fabric will generate a single server block and a single (external) location for that path. In addition, it will generate one internal location block -- only used for internal requests -- per HTTPRoute match rule. +The external location will offload the routing decision to an NGINX JavaScript (NJS) function that will route the request to the appropriate internal location. +In this scenario, the HTTPRoutes share "ownership" of the server block and the external location block. + +### Creating the Effective Policy in NGINX Config + +To determine how to reliably and consistently create the effective policy in NGINX config, we need to apply the policies for each attachment scenario to the three NGINX mappings. + +**1. Gateway Attachment** + +A. Distinct Hostname: +![example-a1](/docs/images/client-settings/example-a1.png) + +B. Same Hostname: +![example-b1](/docs/images/client-settings/example-b1.png) + +C. Internal Redirect: +![example-c1](/docs/images/client-settings/example-c1.png) + +For this attachment scenario, specifying the directives in every server context creates the effective policies for the attached HTTPRoutes. Specifying the directives in the http context would have the same effect, but this would not work once we add support for [multiple Gateway resources](https://github.com/nginxinc/nginx-gateway-fabric/issues/1443). + +**2. HTTPRoute Attachment** + +A. Distinct Hostname: +![example-a2](/docs/images/client-settings/example-a2.png) + +B. Same Hostname: +![example-b2](/docs/images/client-settings/example-b2.png) + +C. Internal Redirect +![example-c2](/docs/images/client-settings/example-c2.png) + +For this attachment scenario, specifying the directives in the _final_ location blocks generated from the HTTPRoute with the policy attached achieves the effective policy. _Final_ means the location that ultimately handles the request. + +**3. Gateway and HTTPRoute Attachment** + +A. Distinct Hostname: +![example-a3](/docs/images/client-settings/example-a3.png) + +B. Same Hostname: +![example-b3](/docs/images/client-settings/example-b3.png) + +C. Internal Redirect +![example-c3](/docs/images/client-settings/example-c3.png) + +For this attachment scenario, specifying the directives in the server and the _final_ location blocks creates the effective policies. All settings specified in the Gateway's policy are set as directives in the server block. For the HTTPRoute policies, only the settings whose values differ from the Gateway policy's settings are set in the location contexts. + +#### Overall Strategy + +The findings in the prior section can be condensed and generalized into the following two rules: + +- When a `ClientSettingsPolicy` is attached to a Gateway, add the corresponding NGINX directives to each server block generated from that Gateway. +- When a `ClientSettingsPolicy` is attached to an HTTPRoute, compute the set of values that differ from the accepted `ClientSettingsPolicy` attached to its Gateway. For each value in this set, add the corresponding NGINX directive to each of the _final_ location blocks generated for the HTTPRoute. If no accepted `ClientSettingsPolicy` is attached to its Gateway, then the set of values contains all the values in the HTTPRoute's policy. + +## Testing + +- Unit tests +- Functional tests that test the attachment and inheritance behavior outlined in this document. The details of these tests are out of scope for this document. + +## Security Considerations + +### Validation + +Validating all fields in the `ClientSettingsPolicy` is critical to ensuring that the NGINX config generated by NGINX Gateway Fabric is correct and secure. + +All fields in the `ClientSettingsPolicy` will be validated with Open API Schema. If the Open API Schema validation rules are not sufficient, we will use [CEL](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules). + +## Future Work + +- Add support for more client-related directives, such as `client_body_buffer_size`, `client_header_buffer_size`. +- Extend implementation to support multiple Gateways. +- Add more attachment points. For example, allowing attachment to GatewayClasses or Gateway Listeners. +- Improve on status and discoverability. + +## References + +- [NGINX Extensions Enhancement Proposal](nginx-extensions.md) +- [Policy and Metaresources Gateway Enhancement Proposal](https://gateway-api.sigs.k8s.io/geps/gep-713/) +- [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md) +- [NGINX Inheritance Behavior](https://blog.martinfjordvald.com/understanding-the-nginx-configuration-inheritance-model/)