Add EnforceInitialReport variable everywhere

Author: tataruty

charts/nginx-gateway-fabric/README.md

@@ -207,7 +207,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `certGenerator.ttlSecondsAfterFinished` | How long to wait after the cert generator job has finished before it is removed by the job controller. | int | `30` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
-| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"autoscaling":{"enable":false},"config":{},"container":{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","nginxOneConsole":{"dataplaneKeySecretName":"","endpointHost":"agent.connect.nginx.com","endpointPort":443,"skipVerify":false},"patches":[],"plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"patches":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
+| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"autoscaling":{"enable":false},"config":{},"container":{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","nginxOneConsole":{"dataplaneKeySecretName":"","endpointHost":"agent.connect.nginx.com","endpointPort":443,"skipVerify":false},"patches":[],"plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"patches":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","enforceInitialReport":false,"resolver":"","secretName":"nplus-license","skipVerify":false}}` |
 | `nginx.autoscaling` | Autoscaling configuration for the NGINX data plane. | object | `{"enable":false}` |
 | `nginx.autoscaling.enable` | Enable or disable Horizontal Pod Autoscaler for the NGINX data plane. | bool | `false` |
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
@@ -241,6 +241,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginx.usage.caSecretName` | The name of the Secret containing the NGINX Instance Manager CA certificate. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `""` |
 | `nginx.usage.clientSSLSecretName` | The name of the Secret containing the client certificate and key for authenticating with NGINX Instance Manager. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `""` |
 | `nginx.usage.endpoint` | The endpoint of the NGINX Plus usage reporting server. Default: product.connect.nginx.com | string | `""` |
+| `nginx.usage.enforceInitialReport` | Enable enforcement of the initial NGINX Plus licensing report. If set to false, the initial report is not enforced. | bool | `false` |
 | `nginx.usage.resolver` | The nameserver used to resolve the NGINX Plus usage reporting endpoint. Used with NGINX Instance Manager. | string | `""` |
 | `nginx.usage.secretName` | The name of the Secret containing the JWT for NGINX Plus usage reporting. Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `"nplus-license"` |
 | `nginx.usage.skipVerify` | Disable client verification of the NGINX Plus usage reporting server certificate. | bool | `false` |

charts/nginx-gateway-fabric/templates/_helpers.tpl

@@ -110,3 +110,14 @@ Filters out empty fields from a struct.
 {{- $result | toYaml -}}
 {{- end -}}
 {{- end }}
+
+{{/*
+Enforcing the initial NGINX Plus licensing report.
+*/}}
+{{- define "nginx-gateway.enforceInitialReport" -}}
+{{- if .Values.Usage.enforceInitialReport }}
+enforce_initial_report on;
+{{- else }}
+enforce_initial_report off;
+{{- end }}
+{{- end }}

charts/nginx-gateway-fabric/templates/deployment.yaml

@@ -72,6 +72,9 @@ spec:
           {{- if .Values.nginx.usage.clientSSLSecretName }}
         - --usage-report-client-ssl-secret={{ .Values.nginx.usage.clientSSLSecretName }}
           {{- end }}
+          {{- if .Values.nginx.usage.enforceInitialReport }}
+        - --usage-report-enforce-initial-report={{ .Values.nginx.usage.enforceInitialReport }}
+          {{- end }}
         {{- end }}
         {{- if .Values.nginxGateway.metrics.enable }}
         - --metrics-port={{ .Values.nginxGateway.metrics.port }}

charts/nginx-gateway-fabric/values.schema.json

@@ -692,6 +692,13 @@
               "title": "endpoint",
               "type": "string"
             },
+            "enforceInitialReport": {
+              "default": false,
+              "description": "Enable enforcement of the initial NGINX Plus licensing report. If set to false, the initial report is not enforced.",
+              "required": [],
+              "title": "enforceInitialReport",
+              "type": "boolean"
+            },
             "resolver": {
               "default": "",
               "description": "The nameserver used to resolve the NGINX Plus usage reporting endpoint. Used with NGINX Instance Manager.",

charts/nginx-gateway-fabric/values.yaml

@@ -337,6 +337,9 @@ nginx:
     # Must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway).
     clientSSLSecretName: ""
 
+    # -- Enable enforcement of the initial NGINX Plus licensing report. If set to false, the initial report is not enforced.
+    enforceInitialReport: false
+
   # @schema
   # type: object
   # properties:

cmd/gateway/commands.go

@@ -58,31 +58,32 @@ func createRootCommand() *cobra.Command {
 func createControllerCommand() *cobra.Command {
 	// flag names
 	const (
-		configFlag                        = "config"
-		serviceFlag                       = "service"
-		agentTLSSecretFlag                = "agent-tls-secret"
-		nginxOneDataplaneKeySecretFlag    = "nginx-one-dataplane-key-secret" //nolint:gosec // not credentials
-		nginxOneTelemetryEndpointHostFlag = "nginx-one-telemetry-endpoint-host"
-		nginxOneTelemetryEndpointPortFlag = "nginx-one-telemetry-endpoint-port"
-		nginxOneTLSSkipVerifyFlag         = "nginx-one-tls-skip-verify"
-		metricsDisableFlag                = "metrics-disable"
-		metricsSecureFlag                 = "metrics-secure-serving"
-		metricsPortFlag                   = "metrics-port"
-		healthDisableFlag                 = "health-disable"
-		healthPortFlag                    = "health-port"
-		leaderElectionDisableFlag         = "leader-election-disable"
-		leaderElectionLockNameFlag        = "leader-election-lock-name"
-		productTelemetryDisableFlag       = "product-telemetry-disable"
-		gwAPIExperimentalFlag             = "gateway-api-experimental-features"
-		nginxDockerSecretFlag             = "nginx-docker-secret" //nolint:gosec // not credentials
-		usageReportSecretFlag             = "usage-report-secret"
-		usageReportEndpointFlag           = "usage-report-endpoint"
-		usageReportResolverFlag           = "usage-report-resolver"
-		usageReportSkipVerifyFlag         = "usage-report-skip-verify"
-		usageReportClientSSLSecretFlag    = "usage-report-client-ssl-secret" //nolint:gosec // not credentials
-		usageReportCASecretFlag           = "usage-report-ca-secret"         //nolint:gosec // not credentials
-		snippetsFiltersFlag               = "snippets-filters"
-		nginxSCCFlag                      = "nginx-scc"
+		configFlag                          = "config"
+		serviceFlag                         = "service"
+		agentTLSSecretFlag                  = "agent-tls-secret"
+		nginxOneDataplaneKeySecretFlag      = "nginx-one-dataplane-key-secret" //nolint:gosec // not credentials
+		nginxOneTelemetryEndpointHostFlag   = "nginx-one-telemetry-endpoint-host"
+		nginxOneTelemetryEndpointPortFlag   = "nginx-one-telemetry-endpoint-port"
+		nginxOneTLSSkipVerifyFlag           = "nginx-one-tls-skip-verify"
+		metricsDisableFlag                  = "metrics-disable"
+		metricsSecureFlag                   = "metrics-secure-serving"
+		metricsPortFlag                     = "metrics-port"
+		healthDisableFlag                   = "health-disable"
+		healthPortFlag                      = "health-port"
+		leaderElectionDisableFlag           = "leader-election-disable"
+		leaderElectionLockNameFlag          = "leader-election-lock-name"
+		productTelemetryDisableFlag         = "product-telemetry-disable"
+		gwAPIExperimentalFlag               = "gateway-api-experimental-features"
+		nginxDockerSecretFlag               = "nginx-docker-secret" //nolint:gosec // not credentials
+		usageReportSecretFlag               = "usage-report-secret"
+		usageReportEndpointFlag             = "usage-report-endpoint"
+		usageReportResolverFlag             = "usage-report-resolver"
+		usageReportSkipVerifyFlag           = "usage-report-skip-verify"
+		usageReportClientSSLSecretFlag      = "usage-report-client-ssl-secret" //nolint:gosec // not credentials
+		usageReportCASecretFlag             = "usage-report-ca-secret"         //nolint:gosec // not credentials
+		snippetsFiltersFlag                 = "snippets-filters"
+		nginxSCCFlag                        = "nginx-scc"
+		usageReportEnforceInitialReportFlag = "usage-report-enforce-initial-report"
 	)
 
 	// flag values
@@ -165,6 +166,7 @@ func createControllerCommand() *cobra.Command {
 		usageReportCASecretName = stringValidatingValue{
 			validator: validateResourceName,
 		}
+		usageReportEnforceInitialReport bool
 	)
 
 	cmd := &cobra.Command{
@@ -218,12 +220,13 @@ func createControllerCommand() *cobra.Command {
 
 			if plus {
 				usageReportConfig = config.UsageReportConfig{
-					SecretName:          usageReportSecretName.value,
-					ClientSSLSecretName: usageReportClientSSLSecretName.value,
-					CASecretName:        usageReportCASecretName.value,
-					Endpoint:            usageReportEndpoint.value,
-					Resolver:            usageReportResolver.value,
-					SkipVerify:          usageReportSkipVerify,
+					SecretName:           usageReportSecretName.value,
+					ClientSSLSecretName:  usageReportClientSSLSecretName.value,
+					CASecretName:         usageReportCASecretName.value,
+					Endpoint:             usageReportEndpoint.value,
+					Resolver:             usageReportResolver.value,
+					SkipVerify:           usageReportSkipVerify,
+					EnforceInitialReport: usageReportEnforceInitialReport,
 				}
 			}
 
@@ -488,6 +491,13 @@ func createControllerCommand() *cobra.Command {
 			` Only applicable in OpenShift.`,
 	)
 
+	cmd.Flags().BoolVar(
+		&usageReportEnforceInitialReport,
+		usageReportEnforceInitialReportFlag,
+		false,
+		"Enable enforcement of the initial NGINX Plus licensing report. If set to false, the initial report is not enforced.",
+	)
+
 	return cmd
 }
 

cmd/gateway/commands_test.go

@@ -154,6 +154,7 @@ func TestControllerCmdFlagValidation(t *testing.T) {
 				"--usage-report-resolver=resolver.com",
 				"--usage-report-ca-secret=ca-secret",
 				"--usage-report-client-ssl-secret=client-secret",
+				"--usage-report-enforce-initial-report=true",
 				"--snippets-filters",
 				"--nginx-scc=nginx-sscc-name",
 				"--nginx-one-dataplane-key-secret=dataplane-key-secret",

internal/controller/config/config.go

@@ -125,6 +125,8 @@ type UsageReportConfig struct {
 	Resolver string
 	// SkipVerify controls whether the nginx verifies the server certificate.
 	SkipVerify bool
+	// Enabled is the flag for toggling usage reporting on or off.
+	EnforceInitialReport bool
 }
 
 // Flags contains the NGF command-line flag names and values.

internal/controller/nginx/config/main_config.go

@@ -55,13 +55,14 @@ func executeEventsConfig(conf dataplane.Configuration) []executeResult {
 }
 
 type mgmtConf struct {
-	Endpoint          string
-	Resolver          string
-	LicenseTokenFile  string
-	CACertFile        string
-	ClientSSLCertFile string
-	ClientSSLKeyFile  string
-	SkipVerify        bool
+	Endpoint             string
+	Resolver             string
+	LicenseTokenFile     string
+	CACertFile           string
+	ClientSSLCertFile    string
+	ClientSSLKeyFile     string
+	SkipVerify           bool
+	EnforceInitialReport bool
 }
 
 // generateMgmtFiles generates the NGINX Plus configuration file for the mgmt block. As part of this,
@@ -88,10 +89,11 @@ func (g GeneratorImpl) generateMgmtFiles(conf dataplane.Configuration) []agent.F
 	files := []agent.File{tokenFile}
 
 	cfg := mgmtConf{
-		Endpoint:         g.usageReportConfig.Endpoint,
-		Resolver:         g.usageReportConfig.Resolver,
-		LicenseTokenFile: tokenFile.Meta.Name,
-		SkipVerify:       g.usageReportConfig.SkipVerify,
+		Endpoint:             g.usageReportConfig.Endpoint,
+		Resolver:             g.usageReportConfig.Resolver,
+		LicenseTokenFile:     tokenFile.Meta.Name,
+		SkipVerify:           g.usageReportConfig.SkipVerify,
+		EnforceInitialReport: g.usageReportConfig.EnforceInitialReport,
 	}
 
 	if content, ok := conf.AuxiliarySecrets[graph.PlusReportCACertificate]; ok {

internal/controller/provisioner/objects.go

@@ -435,6 +435,7 @@ func (p *NginxProvisioner) buildNginxConfigMaps(
 			"SkipVerify":           p.cfg.PlusUsageConfig.SkipVerify,
 			"UsageCASecret":        caSecret,
 			"UsageClientSSLSecret": clientSSLSecret,
+			"EnforceInitialReport": p.cfg.PlusUsageConfig.EnforceInitialReport,
 		}
 
 		bootstrapCM.Data["mgmt.conf"] = string(helpers.MustExecuteTemplate(mgmtTemplate, mgmtFields))