diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index 3b5c1ffa1..dc739c6e2 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -461,7 +461,7 @@ jobs:
 summary: true
 
 - name: Upload Scan Results to Github Artifacts
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
 with:
 name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
 path: "${{ steps.directory.outputs.directory }}/"
@@ -550,7 +550,7 @@ jobs:
 summary: true
 
 - name: Upload Scan Results to Github Artifacts
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
 with:
 name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
 path: "${{ steps.directory.outputs.directory }}/"
@@ -646,7 +646,7 @@ jobs:
 summary: true
 
 - name: Upload Scan Results to Github Artifacts
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
 with:
 name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
 path: "${{ steps.directory.outputs.directory }}/"
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
index 30f0ef565..d518f8251 100644
--- a/.github/workflows/regression.yml
+++ b/.github/workflows/regression.yml
@@ -284,7 +284,7 @@ jobs:
 plus-jwt: ${{ secrets.PLUS_JWT }}
 
 - name: Upload Test Results
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
 with:
 name: ${{ steps.regression-tests.outputs.test-results-name }}
 path: ${{ steps.regression-tests.outputs.test-results-path }}
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 290e20f51..05c0920b6 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -49,7 +49,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: "Upload artifact"
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
 with:
 name: SARIF file
 path: results.sarif
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
index 4790ed41b..e4fbb5b14 100644
--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -169,7 +169,7 @@ jobs:
 if: ${{ steps.stable_exists.outputs.exists != 'true' }}
 
 - name: Upload Test Results
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
 with:
 name: ${{ steps.smoke-tests.outputs.test-results-name }}
 path: ${{ steps.smoke-tests.outputs.test-results-path }}
diff --git a/build/Dockerfile b/build/Dockerfile
index ea129ec58..8101a5f55 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -16,7 +16,7 @@ FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.3-alpine@sha256:8def19bba FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.3@sha256:4cda07664f09f16d780d1e803b9748c31489ea21c463bbcca50d9dcf26081a6f AS ubi-ppc64le FROM ghcr.io/nginxinc/alpine-fips:0.2.3-alpine3.17@sha256:67b69b49aff96e185be841e2b2ff2d8236551ea5c18002bffa4344798d803fd8 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.3-alpine3.20@sha256:4c29e5c50b122354d9d4ba6b97cdf64647468e788b965fc0240ead541653454a AS alpine-fips-3.20 -FROM redhat/ubi9-minimal:9.5@sha256:dee813b83663d420eb108983a1c94c614ff5d3fcb5159a7bd0324f0edbe7fca1 AS ubi-minimal +FROM redhat/ubi9-minimal:9.5@sha256:daa61d6103e98bccf40d7a69a0d4f8786ec390e2204fd94f7cc49053e9949360 AS ubi-minimal FROM golang:1.23-alpine@sha256:6c5c9590f169f77c8046e45c611d3b28fe477789acd8d3762d23d4744de69812 AS golang-builder @@ -439,7 +439,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI8 with NGINX Plus and App Protect WAF ############################################# -FROM redhat/ubi8@sha256:7287624c777a5812893fb02e180acf7d85569858c217d9b1dfb5179bf4ae6ee1 AS ubi-8-plus-nap +FROM redhat/ubi8@sha256:37cdac4ec130a64050d6df4e1f2ef3f53868bea55d11f623d141f139ee342bd8 AS ubi-8-plus-nap ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -484,7 +484,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI8 with NGINX Plus and App Protect WAFv5 ############################################# -FROM redhat/ubi8@sha256:7287624c777a5812893fb02e180acf7d85569858c217d9b1dfb5179bf4ae6ee1 AS ubi-8-plus-nap-v5 +FROM redhat/ubi8@sha256:37cdac4ec130a64050d6df4e1f2ef3f53868bea55d11f623d141f139ee342bd8 AS ubi-8-plus-nap-v5 ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION diff --git a/go.mod b/go.mod index 8a9478933..7b4ef92d6 100644 
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 github.com/gkampitakis/go-snaps v0.5.7
 github.com/golang-jwt/jwt/v4 v4.5.1
 github.com/google/go-cmp v0.6.0
- github.com/gruntwork-io/terratest v0.48.0
+ github.com/gruntwork-io/terratest v0.48.1
 github.com/jinzhu/copier v0.4.0
 github.com/nginxinc/nginx-plus-go-client/v2 v2.1.0
 github.com/nginxinc/nginx-prometheus-exporter v1.4.0
diff --git a/go.sum b/go.sum
index f10c61b8b..33b7a58d5 100644
--- a/go.sum
+++ b/go.sum
@@ -213,8 +213,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI=
 github.com/gruntwork-io/go-commons v0.8.0 h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro=
 github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78=
-github.com/gruntwork-io/terratest v0.48.0 h1:OoqJYAnBxejInn7TPizFGJNMCFvPHbiWNS3hGFKdHhA=
-github.com/gruntwork-io/terratest v0.48.0/go.mod h1:U2EQW4Odlz75XJUH16Kqkr9c93p+ZZtkpVez7GkZFa4=
+github.com/gruntwork-io/terratest v0.48.1 h1:pnydDjkWbZCUYXvQkr24y21fBo8PfJC5hRGdwbl1eXM=
+github.com/gruntwork-io/terratest v0.48.1/go.mod h1:U2EQW4Odlz75XJUH16Kqkr9c93p+ZZtkpVez7GkZFa4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
diff --git a/site/content/installation/installing-nic/installation-with-helm.md b/site/content/installation/installing-nic/installation-with-helm.md
index 4134bc6d8..c0fe568b7 100644
--- a/site/content/installation/installing-nic/installation-with-helm.md
+++ b/site/content/installation/installing-nic/installation-with-helm.md
@@ -419,15 +419,15 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.appprotect.volumes** | Volumes for App Protect WAF v5. | [{"name": "app-protect-bd-config", "emptyDir": {}},{"name": "app-protect-config", "emptyDir": {}},{"name": "app-protect-bundles", "emptyDir": {}}] |
 | **controller.appprotect.enforcer.host** | Host that the App Protect WAF v5 Enforcer runs on. | "127.0.0.1" |
 | **controller.appprotect.enforcer.port** | Port that the App Protect WAF v5 Enforcer runs on. | 50000 |
-| **controller.appprotect.enforcer.image** | The image repository of the App Protect WAF v5 Enforcer. | private-registry.nginx.com/nap/waf-enforcer |
-| **controller.appprotect.enforcer.tag** | The tag of the App Protect WAF v5 Enforcer. | "5.4.0" |
-| **controller.appprotect.enforcer.digest** | The digest of the App Protect WAF v5 Enforcer. Takes precedence over tag if set. | "" |
-| **controller.appprotect.enforcer.pullPolicy** | The pull policy for the App Protect WAF v5 Enforcer image. | IfNotPresent |
+| **controller.appprotect.enforcer.image.repository** | The image repository of the App Protect WAF v5 Enforcer. | private-registry.nginx.com/nap/waf-enforcer |
+| **controller.appprotect.enforcer.image.tag** | The tag of the App Protect WAF v5 Enforcer. | "5.4.0" |
+| **controller.appprotect.enforcer.image.digest** | The digest of the App Protect WAF v5 Enforcer. Takes precedence over tag if set. | "" |
+| **controller.appprotect.enforcer.image.pullPolicy** | The pull policy for the App Protect WAF v5 Enforcer image. | IfNotPresent |
 | **controller.appprotect.enforcer.securityContext** | The security context for App Protect WAF v5 Enforcer container. | {} |
-| **controller.appprotect.configManager.image** | The image repository of the App Protect WAF v5 Configuration Manager. | private-registry.nginx.com/nap/waf-config-mgr |
-| **controller.appprotect.configManager.tag** | The tag of the App Protect WAF v5 Configuration Manager. | "5.4.0" |
-| **controller.appprotect.configManager.digest** | The digest of the App Protect WAF v5 Configuration Manager. Takes precedence over tag if set. | "" |
-| **controller.appprotect.configManager.pullPolicy** | The pull policy for the App Protect WAF v5 Configuration Manager image. | IfNotPresent |
+| **controller.appprotect.configManager.image.repository** | The image repository of the App Protect WAF v5 Configuration Manager. | private-registry.nginx.com/nap/waf-config-mgr |
+| **controller.appprotect.configManager.image.tag** | The tag of the App Protect WAF v5 Configuration Manager. | "5.4.0" |
+| **controller.appprotect.configManager.image.digest** | The digest of the App Protect WAF v5 Configuration Manager. Takes precedence over tag if set. | "" |
+| **controller.appprotect.configManager.image.pullPolicy** | The pull policy for the App Protect WAF v5 Configuration Manager image. | IfNotPresent |
 | **controller.appprotect.configManager.securityContext** | The security context for App Protect WAF v5 Configuration Manager container. | {"allowPrivilegeEscalation":false,"runAsUser":101,"runAsNonRoot":true,"capabilities":{"drop":["all"]}} |
 | **controller.appprotectdos.enable** | Enables the App Protect DoS module in the Ingress Controller. | false |
 | **controller.appprotectdos.enable** | Enables the App Protect DoS module in the Ingress Controller. | false |
diff --git a/tests/Makefile b/tests/Makefile
index 73d03877f..0ae510209 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,30 +1,31 @@
-SHELL = /bin/bash
-ROOT_DIR = $(shell git rev-parse --show-toplevel)
-CONTEXT =
-PULL_POLICY = IfNotPresent
-DEPLOYMENT_TYPE = deployment
-SERVICE = nodeport
-NODE_IP =
-TEST_PREFIX = test-runner
-KUBE_CONFIG_FOLDER = ${HOME}/.kube
-KIND_KUBE_CONFIG_FOLDER = $(KUBE_CONFIG_FOLDER)/kind
-DOCKERFILEPATH := ${ROOT_DIR}/tests/Dockerfile
-IP_FAMILY = dual
-IC_TYPE ?= nginx-ingress ## The Ingress Controller type to use, "nginx-ingress" or "nginx-plus-ingress". Defaults to "nginx-ingress"
-SHOW_IC_LOGS ?= no ## Should the tests show the Ingress Controller logs on failure, "yes" or "no". Defaults to "no"
-TEST_TAG ?= latest ## The Tag to use for the test image. e.g. commitsha
-REGISTRY ?= docker.io ## The registry where the image is located. For example, docker.io
-PREFIX ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress
-TAG ?= edge ## The tag of the image. For example, edge
-K8S_CLUSTER_NAME ?= local ## The name used when creating/using a Kind Kubernetes cluster
-K8S_CLUSTER_VERSION ?= $(shell grep -m1 'FROM kindest/node' < ${DOCKERFILEPATH} | cut -d ':' -f 2 | sed -e 's/^v//' | cut -d '@' -f 1) ## The version used when creating a Kind Kubernetes cluster
-K8S_TIMEOUT ?= 75s ## The timeout used when creating a Kind Kubernetes cluster
-AD_SECRET ?=
-PYTEST_ARGS ?=
+SHELL = /bin/bash
+ROOT_DIR = $(shell git rev-parse --show-toplevel)
+CONTEXT =
+PULL_POLICY = IfNotPresent
+DEPLOYMENT_TYPE = deployment
+SERVICE = nodeport
+NODE_IP =
+TEST_PREFIX = test-runner
+KUBE_CONFIG_FOLDER = ${HOME}/.kube
+KIND_KUBE_CONFIG_FOLDER = $(KUBE_CONFIG_FOLDER)/kind
+MINIKUBE_KUBE_CONFIG_FOLDER = $(KUBE_CONFIG_FOLDER)/minikube
+DOCKERFILEPATH := ${ROOT_DIR}/tests/Dockerfile
+IP_FAMILY = dual
+IC_TYPE ?= nginx-ingress ## The Ingress Controller type to use, "nginx-ingress" or "nginx-plus-ingress". Defaults to "nginx-ingress"
+SHOW_IC_LOGS ?= no ## Should the tests show the Ingress Controller logs on failure, "yes" or "no". Defaults to "no"
+TEST_TAG ?= latest ## The Tag to use for the test image. e.g. commitsha
+REGISTRY ?= docker.io ## The registry where the image is located. For example, docker.io
+PREFIX ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress
+TAG ?= edge ## The tag of the image. For example, edge
+K8S_CLUSTER_NAME ?= local ## The name used when creating/using a Kind Kubernetes cluster
+K8S_CLUSTER_VERSION ?= $(shell grep -m1 'FROM kindest/node' < ${DOCKERFILEPATH} | cut -d ':' -f 2 | sed -e 's/^v//' | cut -d '@' -f 1) ## The version used when creating a Kind Kubernetes cluster
+K8S_TIMEOUT ?= 75s ## The timeout used when creating a Kind Kubernetes cluster
+AD_SECRET ?=
+PYTEST_ARGS ?=
 ifeq (${REGISTRY},)
-BUILD_IMAGE := $(strip $(PREFIX)):$(strip $(TAG))
+BUILD_IMAGE := $(strip $(PREFIX)):$(strip $(TAG))
 else
-BUILD_IMAGE := $(strip $(REGISTRY))/$(strip $(PREFIX)):$(strip $(TAG))
+BUILD_IMAGE := $(strip $(REGISTRY))/$(strip $(PREFIX)):$(strip $(TAG))
 endif
 
 .PHONY: help ## Show this help
@@ -45,6 +46,10 @@ $(KIND_KUBE_CONFIG_FOLDER): $(KUBE_CONFIG_FOLDER)
 @mkdir -p $@
 
+$(MINIKUBE_KUBE_CONFIG_FOLDER): $(KUBE_CONFIG_FOLDER)
+ @mkdir -p $@
+
+
 
 .PHONY: run-tests
 run-tests: ## Run tests
 docker run --rm -v $(KUBE_CONFIG_FOLDER):/root/.kube $(TEST_PREFIX):$(TEST_TAG) --context=$(CONTEXT) --image=$(BUILD_IMAGE) --image-pull-policy=$(PULL_POLICY) --deployment-type=$(DEPLOYMENT_TYPE) --ic-type=$(IC_TYPE) --service=$(SERVICE) --node-ip=$(NODE_IP) --show-ic-logs=$(SHOW_IC_LOGS) $(PYTEST_ARGS)
@@ -91,6 +96,45 @@ image-load: ## Load the image into the Kind K8S cluster
 @kind load docker-image $(BUILD_IMAGE) --name $(K8S_CLUSTER_NAME)
 
+.PHONY: run-tests-in-minikube
+run-tests-in-minikube: ## Run tests in Minikube
+ docker run --network=minikube --rm \
+ -v $(MINIKUBE_KUBE_CONFIG_FOLDER):/root/.kube \
+ -v $(ROOT_DIR)/tests:/workspace/tests \
+ -v $$HOME/.minikube:$$HOME/.minikube \
+ -v $(ROOT_DIR)/examples/common-secrets:/workspace/examples/common-secrets \
+ -v $(ROOT_DIR)/deployments:/workspace/deployments \
+ -v $(ROOT_DIR)/config:/workspace/config \
+ -v $(ROOT_DIR)/pyproject.toml:/workspace/pyproject.toml \
+ $(TEST_PREFIX):$(TEST_TAG) \
+ --context=minikube \
+ --image=$(BUILD_IMAGE) --image-pull-policy=Never \
+ --deployment-type=$(DEPLOYMENT_TYPE) \
+ --ic-type=$(IC_TYPE) \
+ --service=nodeport \
+ --node-ip=minikube \
+ --show-ic-logs=$(SHOW_IC_LOGS) \
+ $(PYTEST_ARGS)
+
+
+.PHONY: create-mini-cluster
+create-mini-cluster: $(MINIKUBE_KUBE_CONFIG_FOLDER) ## Create a Minikube K8S cluster
+ @minikube start --kubernetes-version=v$(K8S_CLUSTER_VERSION) \
+ && KUBECONFIG=$(MINIKUBE_KUBE_CONFIG_FOLDER)/config minikube update-context \
+ && KUBECONFIG=$(MINIKUBE_KUBE_CONFIG_FOLDER)/config kubectl config set-cluster minikube --server=https://minikube:8443
+
+
+.PHONY: delete-mini-cluster
+delete-mini-cluster: ## Delete a Minikube K8S cluster
+ @minikube delete
+ @rm -f $(MINIKUBE_KUBE_CONFIG_FOLDER)/config
+
+
+.PHONY: mini-image-load
+mini-image-load: ## Load the image into the Minikube K8S cluster
+ @minikube image load $(BUILD_IMAGE)
+
+
 
 .PHONY: test-lint
 test-lint: ## Run Python linting tools
 isort .
diff --git a/tests/requirements.txt b/tests/requirements.txt
index e3e4f493d..7abfc0618 100644
--- a/tests/requirements.txt
+++ b/tests/requirements.txt
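Review bot: `run-tests-in-minikube` hard-codes `--image-pull-policy=Never`, `--service=nodeport` and `--node-ip=minikube` while the existing `run-tests` target (outside this hunk) takes the same options from `$(PULL_POLICY)`, `$(SERVICE)` and `$(NODE_IP)`, so the variables declared at the top of the Makefile are silently ignored for this target; if the fixed values are required for Minikube, state that in the target's `##` help text, otherwise use the variables. The bind mount `-v $$HOME/.minikube:$$HOME/.minikube` also hands the test container the entire minikube directory read-write, which presumably holds the cluster's client and CA key material, although the mounted kubeconfig only needs to read the certificate files it references; `-v $$HOME/.minikube:$$HOME/.minikube:ro` limits that exposure without changing what the tests can do. `docker run --network=minikube` and `--server=https://minikube:8443` in `create-mini-cluster` assume the docker driver created a network and container both named `minikube`, and a one-line comment above the target recording that assumption would spare the next reader a failed run.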
@@ -4,9 +4,9 @@ # # pip-compile --generate-hashes --resolver=backtracking requirements.txt # -attrs==24.2.0 \ - --hash=sha256:5cfb1b9148b5b086569baec03f20d7b6bf3bcacc9a42bebf87ffaaca362f6346 \ - --hash=sha256:81921eb96de3191c8258c199618104dd27ac608d9366f5e35d011eae1867ede2 +attrs==24.3.0 \ + --hash=sha256:8f5c07333d543103541ba7be0e2ce16eeee8130cb0b3f9238ab904ce1e85baff \ + --hash=sha256:ac96cd038792094f438ad1f6ff80837353805ac950cd2aa0e0625ef19850c308 # via -r requirements.txt cachetools==5.5.0 \ --hash=sha256:02134e8439cdc2ffb62023ce1debca2944c3f289d66bb17ead3ab3dede74b292 \ @@ -14,9 +14,9 @@ cachetools==5.5.0 \ # via # -r requirements.txt # google-auth -certifi==2024.8.30 \ - --hash=sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8 \ - --hash=sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9 +certifi==2024.12.14 \ + --hash=sha256:1275f7a45be9464efc1173084eaa30f866fe2e47d389406136d332ed4967ec56 \ + --hash=sha256:b650d30f370c2b724812bee08008be0c4163b163ddaec3f2546c1caf65f191db # via # -r requirements.txt # kubernetes @@ -248,9 +248,9 @@ forcediphttpsadapter==1.1.0 \ --hash=sha256:0d224cf6e8e50eb788c9f5994a7afa6d389bac6dbe540b7dfd77a32590ad0153 \ --hash=sha256:5e7662ece61735585332d09b87d94fffe4752469d5c0d3feff48746e5d70744b # via -r requirements.txt -google-auth==2.36.0 \ - --hash=sha256:51a15d47028b66fd36e5c64a82d2d57480075bccc7da37cde257fc94177a61fb \ - --hash=sha256:545e9618f2df0bcbb7dcbc45a546485b1212624716975a1ea5ae8149ce769ab1 +google-auth==2.37.0 \ + --hash=sha256:0054623abf1f9c83492c63d3f47e77f0a544caa3d40b2d98e099a611c2dd5d00 \ + --hash=sha256:42664f18290a6be591be5329a96fe30184be1a1badb7292a7f686a9659de9ca0 # via # -r requirements.txt # kubernetes