Skip to content

feat: Add ability to patch dataplane Service, Deployment, and DaemonSet in NginxProxy #3630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: Add ability to patch dataplane Service, Deployment, and DaemonSet in NginxProxy #3630

wants to merge 3 commits into from
+625 −25

Conversation

ciarams87
Copy link
Contributor

Proposed changes

Problem: There are many Deployment and Service fields that can be customized, and having to expose all of them in the NginxProxy resource is tedious and unnecessary for uncommonly used fields.

Solution: Add a way to submit custom patches to unblock users who need to set fields that are not yet exposed in the NginxProxy CRD. This commit adds support for patching the Service, Deployment, and DaemonSet resources using StrategicMerge (default kubernetes patch strategy), Merge (used when the intelligent strategic merge behaviour is not desired, e.g. to replace an array instead of merging them), and JSONPatch (used when precise modifications are needed, such as adding elements to specific array indices or performing conditional operations based on existing values).

Testing: Unit testing, and manual testing all the variations. Example NginxProxy:

apiVersion: gateway.nginx.org/v1alpha2
kind: NginxProxy
metadata:
  name: custom-proxy
spec:
  kubernetes:
    # Service patches - demonstrates all three patch types
    service:
      patches:
        # Strategic merge patch - adds custom labels and annotations
        - type: StrategicMerge
          value:
            metadata:
              labels:
                custom-label: "service-patched"
                environment: "test"
              annotations:
                custom-annotation: "applied-via-patch"
        # Merge patch - modifies spec fields
        - type: Merge
          value:
            spec:
              sessionAffinity: "ClientIP"
        # JSON patch - adds a specific annotation
        - type: JSONPatch
          value:
            - op: add
              path: "/metadata/annotations/patched-by"
              value: "json-patch"
            - op: add
              path: "/spec/loadBalancerSourceRanges"
              value: ["10.0.0.0/8", "192.168.0.0/16"]

    # Deployment patches - for when nginx.kind is "deployment"
    deployment:
      patches:
        # Strategic merge patch - adds deployment-specific labels
        - type: StrategicMerge
          value:
            metadata:
              labels:
                deployment-type: "nginx-proxy"
                patched: "true"
            spec:
              template:
                metadata:
                  labels:
                    pod-patched: "true"
        # JSON patch - modifies strategy and adds env var
        - type: JSONPatch
          value:
            - op: add
              path: "/spec/strategy"
              value:
                type: "RollingUpdate"
                rollingUpdate:
                  maxUnavailable: 1
                  maxSurge: 1
            - op: add
              path: "/spec/template/spec/containers/0/env"
              value:
                - name: "PATCHED_BY"
                  value: "json-patch"
                - name: "DEPLOYMENT_MODE"
                  value: "patched"

Note 1: We don't have the ability to perform validation on patches. Errors in Patches will be logged in the control plane, but will not be reported in the status of the NginxProxy. Additionally, the resources will be created regardless - I don't believe we should fail the resource creation because of patch errors. It will be on the user to ensure patches have been applied correctly (this will be documented in the data plane configuration doc)

Note 2: Uses gopkg.in/evanphx/json-patch.v4 instead of the latest v5 to match Kubernetes ecosystem libraries and ensure consistent RFC 6902 compliance with kubectl. See this issue for a similar example

Closes #3568

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Added the ability to patch the dataplane Service, Deployment, and DaemonSet resources through NginxProxy

@ciarams87 ciarams87 requested a review from a team as a code owner July 16, 2025 16:02
@github-actions github-actions bot added enhancement New feature or request dependencies Pull requests that update a dependency file labels Jul 16, 2025
@codecov Codecov
Copy link

codecov bot commented Jul 16, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 83.51648% with 15 lines in your changes missing coverage. Please review.

Project coverage is 87.02%. Comparing base (0ca388f) to head (20b981d).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/controller/provisioner/objects.go 83.51% 10 Missing and 5 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3630      +/-   ##
==========================================
- Coverage   87.11%   87.02%   -0.09%     
==========================================
  Files         127      127              
  Lines       15517    15579      +62     
  Branches       62       62              
==========================================
+ Hits        13517    13557      +40     
- Misses       1847     1862      +15     
- Partials      153      160       +7

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

sjberman
sjberman reviewed Jul 16, 2025
View reviewed changes
apis/v1alpha2/nginxproxy_types.go Outdated
// For JSONPatch patches, this should be a JSON array of patch operations.
//
// +kubebuilder:validation:XPreserveUnknownFields
Value *apiextv1.JSON `json:"value"`
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this field be marked as optional?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we omitempty or does the linter say it's unnecessary?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, it's not required but it is actually best practice so I'll add it

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just know that sometimes my IDE or linter says that it's not necessary for certain nested structs. Can't remember the reasoning, but functionally it ends up the same.

internal/controller/provisioner/objects.go Outdated
Comment on lines 182 to 186
if len(errs) > 0 {
return objects, errors.Join(errs...)
}

return objects, nil
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you could just do return objects, errors.Join(errs...). If errs is empty, it should return nil.

apis/v1alpha2/nginxproxy_types.go

const (
// PatchTypeStrategicMerge uses strategic merge patch.
PatchTypeStrategicMerge PatchType = "StrategicMerge"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does k8s define these types at all? If so, it'd be nice to alias our types to theirs, instead of using the string literal.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see there are some definitions here: https://github.com/kubernetes/apimachinery/blob/1ebcba2516a6683ca3be753b0b7e2cb203daf5dd/pkg/types/patch.go#L22

Which are used in the apiextentions-apiserver test code here: https://github.com/kubernetes/apiextensions-apiserver/blob/9fbc252b2071ab031a4011dd3d07fde4e281fe3c/test/integration/scope_test.go#L132-L138

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really. The definitions @bjee19 links above are MIME types. I couldn't find any appropriate user friendly, CRD style definitions we could reference.

bjee19
bjee19 reviewed Jul 16, 2025
View reviewed changes
bjee19
bjee19 reviewed Jul 16, 2025
View reviewed changes
bjee19
bjee19 reviewed Jul 16, 2025
View reviewed changes
@sjberman sjberman mentioned this pull request Jul 17, 2025
Open
6 tasks
@ciarams87 ciarams87 force-pushed the feat/patch-nginx-proxy branch from da6ed02 to 086855b Compare July 21, 2025 14:30
@ciarams87 ciarams87 force-pushed the feat/patch-nginx-proxy branch from 086855b to d03daba Compare July 21, 2025 14:33
@ciarams87 ciarams87 requested review from sjberman and bjee19 July 21, 2025 14:34
bjee19
bjee19 approved these changes Jul 21, 2025
View reviewed changes
Copy link
Contributor

@bjee19 bjee19 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice job! 🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sjberman sjberman sjberman approved these changes

@bjee19 bjee19 bjee19 approved these changes

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file enhancement New feature or request release-notes
Projects
NGINX Gateway Fabric
Status: 🆕 New
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow users to submit custom patches to nginx deployment/service specs
3 participants
@ciarams87 @sjberman @bjee19