make epp flags configurable using NGF flags

Author: salonichf5

cmd/gateway/commands.go

@@ -37,9 +37,17 @@ const (
 		`The controller name must be of the form: DOMAIN/PATH. The controller's domain is '%s'`
 	plusFlag = "nginx-plus"
 
-	serverTLSSecret               = "server-tls"
-	agentTLSSecret                = "agent-tls"
-	nginxOneTelemetryEndpointHost = "agent.connect.nginx.com"
+	serverTLSSecret                    = "server-tls"
+	agentTLSSecret                     = "agent-tls"
+	nginxOneTelemetryEndpointHost      = "agent.connect.nginx.com"
+	endpointPickerEnableTLSFlag        = "endpoint-picker-enable-tls"
+	endpointPickerSkipSecureVerifyFlag = "endpoint-picker-skip-secure-verify"
+)
+
+// common flags.
+var (
+	endpointPickerEnableTLS        bool
+	endpointPickerSkipSecureVerify bool
 )
 
 // usageReportParams holds the parameters for building the usage report configuration for PLUS.
@@ -288,6 +296,8 @@ func createControllerCommand() *cobra.Command {
 					EndpointPort:           nginxOneConsoleTelemetryEndpointPort.value,
 					EndpointTLSSkipVerify:  nginxOneConsoleTLSSkipVerify,
 				},
+				EndpointPickerEnableTLS:        endpointPickerEnableTLS,
+				EndpointPickerSkipSecureVerify: endpointPickerSkipSecureVerify,
 			}
 
 			if err := controller.StartManager(conf); err != nil {
@@ -320,6 +330,20 @@ func createControllerCommand() *cobra.Command {
 			` Lives in the same Namespace as the controller.`,
 	)
 
+	cmd.Flags().BoolVar(
+		&endpointPickerEnableTLS,
+		endpointPickerEnableTLSFlag,
+		true,
+		"Enables TLS when connecting to the endpoint picker.",
+	)
+
+	cmd.Flags().BoolVar(
+		&endpointPickerSkipSecureVerify,
+		endpointPickerSkipSecureVerifyFlag,
+		true,
+		"Disables server certificate verification when connecting to the endpoint picker, if TLS is enabled",
+	)
+
 	cmd.Flags().Var(
 		&serviceName,
 		serviceFlag,
@@ -763,11 +787,28 @@ func createEndpointPickerCommand() *cobra.Command {
 		Short: "Shim server for communication between NGINX and the Gateway API Inference Extension Endpoint Picker",
 		RunE: func(_ *cobra.Command, _ []string) error {
 			logger := ctlrZap.New().WithName("endpoint-picker-shim")
-			handler := createEndpointPickerHandler(realExtProcClientFactory(), logger)
+			handler := createEndpointPickerHandler(
+				realExtProcClientFactory(endpointPickerEnableTLS, endpointPickerSkipSecureVerify),
+				logger,
+			)
 			return endpointPickerServer(handler)
 		},
 	}
 
+	cmd.Flags().BoolVar(
+		&endpointPickerEnableTLS,
+		endpointPickerEnableTLSFlag,
+		true,
+		"Enables TLS when connecting to the endpoint picker.",
+	)
+
+	cmd.Flags().BoolVar(
+		&endpointPickerSkipSecureVerify,
+		endpointPickerSkipSecureVerifyFlag,
+		true,
+		"Disables server certificate verification when connecting to the endpoint picker, if TLS is enabled",
+	)
+
 	return cmd
 }
 

cmd/gateway/commands_test.go

@@ -161,6 +161,8 @@ func TestControllerCmdFlagValidation(t *testing.T) {
 				"--nginx-one-telemetry-endpoint-host=telemetry-endpoint-host",
 				"--nginx-one-telemetry-endpoint-port=443",
 				"--nginx-one-tls-skip-verify",
+				"--endpoint-picker-enable-tls",
+				"--endpoint-picker-skip-secure-verify",
 			},
 			wantErr: false,
 		},
@@ -924,3 +926,43 @@ func TestUsageReportConfig(t *testing.T) {
 		})
 	}
 }
+
+func TestEndpointPickerFlags(t *testing.T) {
+	t.Parallel()
+	tests := []flagTestCase{
+		{
+			name: "valid flags",
+			args: []string{
+				"--endpoint-picker-enable-tls=true",
+				"--endpoint-picker-skip-secure-verify=false",
+			},
+			wantErr: false,
+		},
+		{
+			name: "endpoint-picker-enable-tls is not a bool",
+			args: []string{
+				"--endpoint-picker-enable-tls=not-a-bool",
+			},
+			wantErr: true,
+			expectedErrPrefix: `invalid argument "not-a-bool" for "--endpoint-picker-enable-tls" flag:` +
+				` strconv.ParseBool: parsing "not-a-bool": invalid syntax`,
+		},
+		{
+			name: "endpoint-picker-skip-secure-verify is not a bool",
+			args: []string{
+				"--endpoint-picker-skip-secure-verify=not-a-bool",
+			},
+			wantErr: true,
+			expectedErrPrefix: `invalid argument "not-a-bool" for "--endpoint-picker-skip-secure-verify" flag:` +
+				` strconv.ParseBool: parsing "not-a-bool": invalid syntax`,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			cmd := createEndpointPickerCommand()
+			testFlag(t, cmd, test)
+		})
+	}
+}

cmd/gateway/endpoint_picker.go

@@ -35,20 +35,19 @@ func endpointPickerServer(handler http.Handler) error {
 }
 
 // realExtProcClientFactory returns a factory that creates a new gRPC connection and client per request.
-func realExtProcClientFactory() extProcClientFactory {
+func realExtProcClientFactory(enableTLS, skipSecureVerify bool) extProcClientFactory {
 	return func(target string) (extprocv3.ExternalProcessorClient, func() error, error) {
 		var opts []grpc.DialOption
-		enableTLS := true
-		insecureSkipVerify := true
 
 		if !enableTLS {
 			opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
 		} else {
 			creds := credentials.NewTLS(&tls.Config{
-				InsecureSkipVerify: insecureSkipVerify, //nolint:gosec
+				InsecureSkipVerify: skipSecureVerify, //nolint:gosec
 			})
 			opts = append(opts, grpc.WithTransportCredentials(creds))
 		}
+
 		conn, err := grpc.NewClient(target, opts...)
 		if err != nil {
 			return nil, nil, err

gateway

@@ -52,6 +52,10 @@ type Config struct {
 	InferenceExtension bool
 	// SnippetsFilters indicates if SnippetsFilters are enabled.
 	SnippetsFilters bool
+	// EndpointPickerEnableTLS indicates if TLS is enabled for EndpointPicker communication.
+	EndpointPickerEnableTLS bool
+	// EndpointPickerSkipSecureVerify indicates if secure verification is skipped for EndpointPicker communication.
+	EndpointPickerSkipSecureVerify bool
 }
 
 // GatewayPodConfig contains information about this Pod.

internal/controller/config/config.go

@@ -221,6 +221,8 @@ func StartManager(cfg config.Config) error {
 			PlusUsageConfig:                &cfg.UsageReportConfig,
 			NginxOneConsoleTelemetryConfig: cfg.NginxOneConsoleTelemetryConfig,
 			InferenceExtension:             cfg.InferenceExtension,
+			EndpointPickerEnableTLS:        cfg.EndpointPickerEnableTLS,
+			EndpointPickerSkipSecureVerify: cfg.EndpointPickerSkipSecureVerify,
 		},
 	)
 	if err != nil {

internal/controller/manager.go

@@ -1121,14 +1121,23 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec(
 	}
 
 	if p.cfg.InferenceExtension {
+		command := []string{
+			"/usr/bin/gateway",
+			"endpoint-picker",
+		}
+
+		if p.cfg.EndpointPickerEnableTLS {
+			command = append(command, "--endpoint-picker-enable-tls")
+		}
+		if p.cfg.EndpointPickerSkipSecureVerify {
+			command = append(command, "--endpoint-picker-skip-secure-verify")
+		}
+
 		spec.Spec.Containers = append(spec.Spec.Containers, corev1.Container{
 			Name:            "endpoint-picker-shim",
 			Image:           p.cfg.GatewayPodConfig.Image,
 			ImagePullPolicy: pullPolicy,
-			Command: []string{
-				"/usr/bin/gateway",
-				"endpoint-picker",
-			},
+			Command:         command,
 			SecurityContext: &corev1.SecurityContext{
 				AllowPrivilegeEscalation: helpers.GetPointer(false),
 				Capabilities: &corev1.Capabilities{

internal/controller/provisioner/objects.go

@@ -59,6 +59,8 @@ type Config struct {
 	NginxOneConsoleTelemetryConfig config.NginxOneConsoleTelemetryConfig
 	Plus                           bool
 	InferenceExtension             bool
+	EndpointPickerEnableTLS        bool
+	EndpointPickerSkipSecureVerify bool
 }
 
 // NginxProvisioner handles provisioning nginx kubernetes resources.