Add agent config option to set NGINX API URL

dhurley · dhurley · commit 07466825e37b · 2026-01-13T16:47:43.000Z
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -502,7 +502,7 @@ func registerDataPlaneFlags(fs *flag.FlagSet) {
 	)
 
 	fs.String(
-		NginxApiTlsCa,
+		NginxApiTlsCaKey,
 		DefNginxApiTlsCa,
 		"The NGINX Plus CA certificate file location needed to call the NGINX Plus API if SSL is enabled.",
 	)
@@ -1095,7 +1095,10 @@ func resolveDataPlaneConfig() *DataPlaneConfig {
 			ReloadMonitoringPeriod: viperInstance.GetDuration(NginxReloadMonitoringPeriodKey),
 			TreatWarningsAsErrors:  viperInstance.GetBool(NginxTreatWarningsAsErrorsKey),
 			ExcludeLogs:            viperInstance.GetStringSlice(NginxExcludeLogsKey),
-			APITls:                 TLSConfig{Ca: viperInstance.GetString(NginxApiTlsCa)},
+			API: &NginxAPI{
+				URL: viperInstance.GetString(NginxApiURLKey),
+				TLS: TLSConfig{Ca: viperInstance.GetString(NginxApiTlsCaKey)},
+			},
 			ReloadBackoff: &BackOff{
 				InitialInterval:     viperInstance.GetDuration(NginxReloadBackoffInitialIntervalKey),
 				MaxInterval:         viperInstance.GetDuration(NginxReloadBackoffMaxIntervalKey),
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
@@ -1212,6 +1212,9 @@ func createConfig() *Config {
 					RandomizationFactor: 1.5,
 					Multiplier:          1.5,
 				},
+				API: &NginxAPI{
+					URL: "http://127.0.0.1:80/api",
+				},
 			},
 		},
 		Collector: &Collector{
diff --git a/internal/config/flags.go b/internal/config/flags.go
@@ -137,7 +137,8 @@ var (
 	NginxReloadBackoffRandomizationFactorKey = pre(NginxReloadBackoffKey) + "randomization_factor"
 	NginxReloadBackoffMultiplierKey          = pre(NginxReloadBackoffKey) + "multiplier"
 	NginxExcludeLogsKey                      = pre(DataPlaneConfigRootKey, "nginx") + "exclude_logs"
-	NginxApiTlsCa                            = pre(DataPlaneConfigRootKey, "nginx") + "api_tls_ca"
+	NginxApiTlsCaKey                         = pre(DataPlaneConfigRootKey, "nginx") + "api_tls_ca"
+	NginxApiURLKey                           = pre(DataPlaneConfigRootKey, "nginx") + "api_url"
 
 	SyslogServerPort = pre("syslog_server") + "port"
 
diff --git a/internal/config/testdata/nginx-agent.conf b/internal/config/testdata/nginx-agent.conf
@@ -18,29 +18,31 @@ labels:
   label3: 123
   
 features:
-      - certificates
-      - file-watcher
-      - metrics
-      - api-action
-      - logs-nap
+  - certificates
+  - file-watcher
+  - metrics
+  - api-action
+  - logs-nap
 
 
 syslog_server:
-    port: 1512
+  port: 1512
     
 data_plane_config:
-    nginx:
-        reload_monitoring_period: 30s
-        treat_warnings_as_errors: true
-        exclude_logs: 
-            - /var/log/nginx/error.log
-            - ^/var/log/nginx/.*.log$
-        reload_backoff:
-            initial_interval: 100ms
-            max_interval: 20s
-            max_elapsed_time: 15s
-            randomization_factor: 1.5
-            multiplier: 1.5
+  nginx:
+    api:
+      url: "http://127.0.0.1:80/api"
+    reload_monitoring_period: 30s
+    treat_warnings_as_errors: true
+    exclude_logs: 
+      - /var/log/nginx/error.log
+      - ^/var/log/nginx/.*.log$
+    reload_backoff:
+      initial_interval: 100ms
+      max_interval: 20s
+      max_elapsed_time: 15s
+      randomization_factor: 1.5
+      multiplier: 1.5
 client:
     http: 
         timeout: 15s
diff --git a/internal/config/types.go b/internal/config/types.go
@@ -67,12 +67,17 @@ type (
 	}
 	NginxDataPlaneConfig struct {
 		ReloadBackoff          *BackOff      `yaml:"reload_backoff"           mapstructure:"reload_backoff"`
-		APITls                 TLSConfig     `yaml:"api_tls"                  mapstructure:"api_tls"`
+		API                    *NginxAPI     `yaml:"api"                      mapstructure:"api"`
 		ExcludeLogs            []string      `yaml:"exclude_logs"             mapstructure:"exclude_logs"`
 		ReloadMonitoringPeriod time.Duration `yaml:"reload_monitoring_period" mapstructure:"reload_monitoring_period"`
 		TreatWarningsAsErrors  bool          `yaml:"treat_warnings_as_errors" mapstructure:"treat_warnings_as_errors"`
 	}
 
+	NginxAPI struct {
+		URL string    `yaml:"url" mapstructure:"url"`
+		TLS TLSConfig `yaml:"tls" mapstructure:"tls"`
+	}
+
 	Client struct {
 		HTTP    *HTTP    `yaml:"http"    mapstructure:"http"`
 		Grpc    *GRPC    `yaml:"grpc"    mapstructure:"grpc"`
@@ -496,3 +501,19 @@ func checkDirIsAllowed(path string, allowedDirs []string) bool {
 
 	return checkDirIsAllowed(filepath.Dir(path), allowedDirs)
 }
+
+func (c *Config) IsNginxApiUrlConfigured() bool {
+	if !c.IsNginxApiConfigured() {
+		return false
+	}
+
+	return c.DataPlaneConfig.Nginx.API.URL != ""
+}
+
+func (c *Config) IsNginxApiConfigured() bool {
+	if c.DataPlaneConfig == nil || c.DataPlaneConfig.Nginx == nil || c.DataPlaneConfig.Nginx.API == nil {
+		return false
+	}
+
+	return true
+}
diff --git a/internal/datasource/config/nginx_config_parser.go b/internal/datasource/config/nginx_config_parser.go
@@ -16,6 +16,7 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -269,18 +270,20 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 			return nginxConfigContext, fmt.Errorf("traverse nginx config: %w", err)
 		}
 
-		stubStatuses := ncp.crossplaneConfigTraverseAPIDetails(
-			ctx, &conf, ncp.apiCallback, stubStatusAPIDirective,
-		)
-		if stubStatuses != nil {
-			nginxConfigContext.StubStatuses = append(nginxConfigContext.StubStatuses, stubStatuses...)
-		}
+		if !ncp.agentConfig.IsNginxApiUrlConfigured() {
+			stubStatuses := ncp.crossplaneConfigTraverseAPIDetails(
+				ctx, &conf, ncp.apiCallback, stubStatusAPIDirective,
+			)
+			if stubStatuses != nil {
+				nginxConfigContext.StubStatuses = append(nginxConfigContext.StubStatuses, stubStatuses...)
+			}
 
-		plusAPIs := ncp.crossplaneConfigTraverseAPIDetails(
-			ctx, &conf, ncp.apiCallback, plusAPIDirective,
-		)
-		if plusAPIs != nil {
-			nginxConfigContext.PlusAPIs = append(nginxConfigContext.PlusAPIs, plusAPIs...)
+			plusAPIs := ncp.crossplaneConfigTraverseAPIDetails(
+				ctx, &conf, ncp.apiCallback, plusAPIDirective,
+			)
+			if plusAPIs != nil {
+				nginxConfigContext.PlusAPIs = append(nginxConfigContext.PlusAPIs, plusAPIs...)
+			}
 		}
 
 		fileMeta, err := files.FileMeta(conf.File)
@@ -300,13 +303,48 @@ func (ncp *NginxConfigParser) createNginxConfigContext(
 			"server configured on port %s", ncp.agentConfig.SyslogServer.Port))
 	}
 
-	nginxConfigContext.PlusAPIs = ncp.sortPlusAPIs(ctx, nginxConfigContext.PlusAPIs)
-	nginxConfigContext.StubStatus = ncp.FindStubStatusAPI(ctx, nginxConfigContext)
-	nginxConfigContext.PlusAPI = ncp.FindPlusAPI(ctx, nginxConfigContext)
+	if !ncp.agentConfig.IsNginxApiUrlConfigured() {
+		nginxConfigContext.PlusAPIs = ncp.sortPlusAPIs(ctx, nginxConfigContext.PlusAPIs)
+		nginxConfigContext.StubStatus = ncp.FindStubStatusAPI(ctx, nginxConfigContext)
+		nginxConfigContext.PlusAPI = ncp.FindPlusAPI(ctx, nginxConfigContext)
+	} else {
+		nginxConfigContext = ncp.addApiToNginxConfigContext(ctx, nginxConfigContext)
+	}
 
 	return nginxConfigContext, nil
 }
 
+func (ncp *NginxConfigParser) addApiToNginxConfigContext(
+	ctx context.Context,
+	nginxConfigContext *model.NginxConfigContext,
+) *model.NginxConfigContext {
+	apiDetails, err := parseURL(ncp.agentConfig.DataPlaneConfig.Nginx.API.URL)
+	if err != nil {
+		slog.ErrorContext(
+			ctx,
+			"Configured NGINX API URL is invalid",
+			"url", ncp.agentConfig.DataPlaneConfig.Nginx.API.URL,
+			"error", err,
+		)
+
+		return nginxConfigContext
+	}
+
+	if ncp.pingAPIEndpoint(ctx, apiDetails, stubStatusAPIDirective) {
+		nginxConfigContext.StubStatus = apiDetails
+	} else if ncp.pingAPIEndpoint(ctx, apiDetails, plusAPIDirective) {
+		nginxConfigContext.PlusAPI = apiDetails
+	} else {
+		slog.WarnContext(
+			ctx,
+			"Configured NGINX API URL is not reachable",
+			"url", ncp.agentConfig.DataPlaneConfig.Nginx.API.URL,
+		)
+	}
+
+	return nginxConfigContext
+}
+
 func (ncp *NginxConfigParser) findLocalSysLogServers(sysLogServer string) string {
 	re := regexp.MustCompile(`syslog:server=([\S]+)`)
 	matches := re.FindStringSubmatch(sysLogServer)
@@ -886,24 +924,26 @@ func (ncp *NginxConfigParser) socketClient(socketPath string) *http.Client {
 // prepareHTTPClient handles TLS config
 func (ncp *NginxConfigParser) prepareHTTPClient(ctx context.Context) (*http.Client, error) {
 	httpClient := http.DefaultClient
-	caCertLocation := ncp.agentConfig.DataPlaneConfig.Nginx.APITls.Ca
-
-	if caCertLocation != "" && ncp.agentConfig.IsDirectoryAllowed(caCertLocation) {
-		slog.DebugContext(ctx, "Reading CA certificate", "file_path", caCertLocation)
-		caCert, err := os.ReadFile(caCertLocation)
-		if err != nil {
-			return nil, err
-		}
-		caCertPool := x509.NewCertPool()
-		caCertPool.AppendCertsFromPEM(caCert)
-
-		httpClient = &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: &tls.Config{
-					RootCAs:    caCertPool,
-					MinVersion: tls.VersionTLS13,
+	if ncp.agentConfig.IsNginxApiConfigured() {
+		caCertLocation := ncp.agentConfig.DataPlaneConfig.Nginx.API.TLS.Ca
+
+		if caCertLocation != "" && ncp.agentConfig.IsDirectoryAllowed(caCertLocation) {
+			slog.DebugContext(ctx, "Reading CA certificate", "file_path", caCertLocation)
+			caCert, err := os.ReadFile(caCertLocation)
+			if err != nil {
+				return nil, err
+			}
+			caCertPool := x509.NewCertPool()
+			caCertPool.AppendCertsFromPEM(caCert)
+
+			httpClient = &http.Client{
+				Transport: &http.Transport{
+					TLSClientConfig: &tls.Config{
+						RootCAs:    caCertPool,
+						MinVersion: tls.VersionTLS13,
+					},
 				},
-			},
+			}
 		}
 	}
 
@@ -912,15 +952,19 @@ func (ncp *NginxConfigParser) prepareHTTPClient(ctx context.Context) (*http.Clie
 
 // Populate the CA cert location based ondirectory allowance.
 func (ncp *NginxConfigParser) selfSignedCACertLocation(ctx context.Context) string {
-	caCertLocation := ncp.agentConfig.DataPlaneConfig.Nginx.APITls.Ca
+	if ncp.agentConfig.IsNginxApiConfigured() {
+		caCertLocation := ncp.agentConfig.DataPlaneConfig.Nginx.API.TLS.Ca
+
+		if caCertLocation != "" && !ncp.agentConfig.IsDirectoryAllowed(caCertLocation) {
+			// If SSL is enabled but CA cert is provided and not allowed, treat it as if no CA cert
+			slog.WarnContext(ctx, "CA certificate location is not allowed, treating as if no CA cert provided.")
+			return ""
+		}
 
-	if caCertLocation != "" && !ncp.agentConfig.IsDirectoryAllowed(caCertLocation) {
-		// If SSL is enabled but CA cert is provided and not allowed, treat it as if no CA cert
-		slog.WarnContext(ctx, "CA certificate location is not allowed, treating as if no CA cert provided.")
-		return ""
+		return caCertLocation
 	}
 
-	return caCertLocation
+	return ""
 }
 
 func (ncp *NginxConfigParser) isDuplicateFile(nginxConfigContextFiles []*mpi.File, newFile *mpi.File) bool {
@@ -976,3 +1020,16 @@ func (ncp *NginxConfigParser) sortPlusAPIs(ctx context.Context, apis []*model.AP
 
 	return apis
 }
+
+func parseURL(unparsedUrl string) (*model.APIDetails, error) {
+	parsedURL, err := url.Parse(unparsedUrl)
+	if err != nil {
+		return nil, err
+	}
+
+	return &model.APIDetails{
+		URL:      unparsedUrl,
+		Listen:   parsedURL.Host,
+		Location: parsedURL.Path,
+	}, nil
+}
diff --git a/internal/datasource/config/nginx_config_parser_test.go b/internal/datasource/config/nginx_config_parser_test.go
diff --git a/test/config/nginx/nginx-plus-api.conf b/test/config/nginx/nginx-plus-api.conf
diff --git a/test/config/nginx_config.go b/test/config/nginx_config.go
