From e7c2aba1eecf57f76ec14001534c21232c70f6b6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 22 Aug 2024 10:01:12 +0100 Subject: [PATCH 01/83] Bump the actions group with 3 updates (#6272) Bumps the actions group with 3 updates: [google-github-actions/auth](https://github.com/google-github-actions/auth), [nginxinc/docs-actions](https://github.com/nginxinc/docs-actions) and [anchore/sbom-action](https://github.com/anchore/sbom-action). Updates `google-github-actions/auth` from 2.1.4 to 2.1.5 - [Release notes](https://github.com/google-github-actions/auth/releases) - [Changelog](https://github.com/google-github-actions/auth/blob/main/CHANGELOG.md) - [Commits](https://github.com/google-github-actions/auth/compare/f112390a2df9932162083945e46d439060d66ec2...62cf5bd3e4211a0a0b51f2c6d6a37129d828611d) Updates `nginxinc/docs-actions` from 1.0.2 to 1.0.3 - [Release notes](https://github.com/nginxinc/docs-actions/releases) - [Commits](https://github.com/nginxinc/docs-actions/compare/03a9a3808fcb77cd0c19d7fa5d59b25565dd1d6d...a733e84a262f8d5d885bfc8eac80bc85928da322) Updates `anchore/sbom-action` from 0.17.1 to 0.17.2 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](https://github.com/anchore/sbom-action/compare/ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57...61119d458adab75f756bc0b9e4bde25725f86a7a) --- updated-dependencies: - dependency-name: google-github-actions/auth dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: nginxinc/docs-actions dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-base-images.yml | 6 +++--- .github/workflows/build-oss.yml | 2 +- .github/workflows/build-plus.yml | 2 +- .github/workflows/build-single-image.yml | 2 +- .github/workflows/build-test-image.yml | 2 +- .github/workflows/ci.yml | 6 +++--- .github/workflows/docs-build-push.yml | 2 +- .github/workflows/image-promotion.yml | 8 ++++---- .github/workflows/oss-release.yml | 10 +++++----- .github/workflows/patch-image.yml | 2 +- .github/workflows/plus-release.yml | 12 ++++++------ .github/workflows/regression.yml | 4 ++-- .github/workflows/release.yml | 2 +- .github/workflows/retag-images.yml | 2 +- .github/workflows/setup-smoke.yml | 2 +- .github/workflows/single-image-regression.yml | 2 +- 16 files changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 31dfa8c459..cee9289906 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -67,7 +67,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -132,7 +132,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} 
@@ -195,7 +195,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index cc3f56d247..ec7710b23e 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -59,7 +59,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 4f6cdf1f74..c3c09057bb 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -61,7 +61,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml index 6a120fd019..d239c37602 100644 --- a/.github/workflows/build-single-image.yml +++ b/.github/workflows/build-single-image.yml @@ -63,7 +63,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} 
diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml index b2223a322b..7e970c9fa5 100644 --- a/.github/workflows/build-test-image.yml +++ b/.github/workflows/build-test-image.yml @@ -35,7 +35,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0bf36995b9..44cca97d5a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -117,7 +117,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -368,7 +368,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -502,7 +502,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/docs-build-push.yml b/.github/workflows/docs-build-push.yml index 0487ed98a3..df4cf50195 100644 --- a/.github/workflows/docs-build-push.yml +++ b/.github/workflows/docs-build-push.yml 
@@ -43,7 +43,7 @@ jobs: echo forked_workflow: ${{ steps.vars.outputs.forked_workflow }} call-docs-build-push: - uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@03a9a3808fcb77cd0c19d7fa5d59b25565dd1d6d # v1.0.2 + uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@a733e84a262f8d5d885bfc8eac80bc85928da322 # v1.0.3 permissions: pull-requests: write # needed to write preview url comment to PR contents: read diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 85cf3f164f..b9900c6c7b 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -80,7 +80,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -417,7 +417,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -507,7 +507,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} 
@@ -604,7 +604,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index 49ed4a370f..43f66abcfc 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml @@ -75,7 +75,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -111,7 +111,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -158,7 +158,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -200,7 +200,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} 
@@ -244,7 +244,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/patch-image.yml b/.github/workflows/patch-image.yml index 88c4b318cd..6c11c7009e 100644 --- a/.github/workflows/patch-image.yml +++ b/.github/workflows/patch-image.yml @@ -56,7 +56,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/plus-release.yml b/.github/workflows/plus-release.yml index 351d3ce379..936159ab5a 100644 --- a/.github/workflows/plus-release.yml +++ b/.github/workflows/plus-release.yml @@ -75,7 +75,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -111,7 +111,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} 
@@ -162,7 +162,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-priv-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -170,7 +170,7 @@ jobs: - name: Authenticate to Google Cloud Marketplace id: gcr-mktpl-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY_MKTPL }} @@ -201,7 +201,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -248,7 +248,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index ec31bc7131..da61ba37a5 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -128,7 +128,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} 
@@ -233,7 +233,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ddd5925a30..73d421b224 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -426,7 +426,7 @@ jobs: - name: Download Syft id: syft - uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1 + uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 if: ${{ needs.variables.outputs.binary_cache_sign_hit != 'true' }} - name: Install Cosign diff --git a/.github/workflows/retag-images.yml b/.github/workflows/retag-images.yml index 01d32f2e9c..a057321acc 100644 --- a/.github/workflows/retag-images.yml +++ b/.github/workflows/retag-images.yml @@ -44,7 +44,7 @@ jobs: - name: Authenticate to Google Cloud id: gcr-auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 0bf7df7397..ad533db730 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -60,7 +60,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} 
diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index 5b6dcc26d9..369e9fad23 100644 --- a/.github/workflows/single-image-regression.yml +++ b/.github/workflows/single-image-regression.yml @@ -80,7 +80,7 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2 # v2.1.4 + uses: google-github-actions/auth@62cf5bd3e4211a0a0b51f2c6d6a37129d828611d # v2.1.5 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} From e753ec4531f8cec15ba2496d01560283e71a8164 Mon Sep 17 00:00:00 2001 From: Hans Feldt <2808287+hafe@users.noreply.github.com> Date: Thu, 22 Aug 2024 11:54:52 +0200 Subject: [PATCH 02/83] Fix panic when creating VirtualServer (#6232) Closes #6231 Co-authored-by: Jim Ryan --- internal/k8s/controller.go | 8 ++- internal/k8s/controller_test.go | 98 ++++++++++++++++++++++++++++++++- 2 files changed, 104 insertions(+), 2 deletions(-) diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index e8f74eab6b..6211a94aa1 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -3420,7 +3420,13 @@ func (lbc *LoadBalancerController) getPolicies(policies []conf_v1.PolicyReferenc var exists bool var err error - policyObj, exists, err = lbc.getNamespacedInformer(polNamespace).policyLister.GetByKey(policyKey) + nsi := lbc.getNamespacedInformer(polNamespace) + if nsi == nil { + errors = append(errors, fmt.Errorf("failed to get namespace %s", polNamespace)) + continue + } + + policyObj, exists, err = nsi.policyLister.GetByKey(policyKey) if err != nil { errors = append(errors, fmt.Errorf("failed to get policy %s: %w", policyKey, err)) continue diff --git a/internal/k8s/controller_test.go b/internal/k8s/controller_test.go index 988493d337..55daf2d183 100644 --- a/internal/k8s/controller_test.go +++ b/internal/k8s/controller_test.go 
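Review bot: The new nil guard in getPolicies reports `failed to get namespace %s`, which reads like a failed API lookup and omits the policy key that triggered it, while the condition actually handled is that getNamespacedInformer returned no informer for that namespace. Because `polNamespace` is taken from the PolicyReference in the resource spec, quoting it keeps logs and events unambiguous: `errors = append(errors, fmt.Errorf("failed to get policy %s: no informer for namespace %q", policyKey, polNamespace))`. The expectation `failed to get namespace nginx-ingress` in the accompanying test would need the same wording. getPolicies starts and ends outside this hunk, and other callers of getNamespacedInformer are not visible here, so it is worth confirming that none of them dereference the result without an equivalent guard.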
@@ -2005,7 +2005,7 @@ func TestGetStatusFromEventTitle(t *testing.T) { } } -func TestGetPolicies(t *testing.T) { +func TestGetPoliciesGlobalWatch(t *testing.T) { t.Parallel() validPolicy := &conf_v1.Policy{ ObjectMeta: meta_v1.ObjectMeta{ 
@@ -2105,6 +2105,102 @@ func TestGetPolicies(t *testing.T) { } } +func TestGetPoliciesNamespacedWatch(t *testing.T) { + t.Parallel() + validPolicy := &conf_v1.Policy{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "valid-policy", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + AccessControl: &conf_v1.AccessControl{ + Allow: []string{"127.0.0.1"}, + }, + }, + } + + validPolicyIngressClass := &conf_v1.Policy{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "valid-policy-ingress-class", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + IngressClass: "test-class", + AccessControl: &conf_v1.AccessControl{ + Allow: []string{"127.0.0.1"}, + }, + }, + } + + invalidPolicy := &conf_v1.Policy{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "invalid-policy", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{}, + } + + policyLister := &cache.FakeCustomStore{ + GetByKeyFunc: func(key string) (item interface{}, exists bool, err error) { + switch key { + case "default/valid-policy": + return validPolicy, true, nil + case "default/valid-policy-ingress-class": + return validPolicyIngressClass, true, nil + case "default/invalid-policy": + return invalidPolicy, true, nil + case "nginx-ingress/valid-policy": + return nil, false, nil + default: + return nil, false, errors.New("GetByKey error") + } + }, + } + + nsi := make(map[string]*namespacedInformer) + // simulate a watch of the default namespace + nsi["default"] = &namespacedInformer{policyLister: policyLister} + + lbc := LoadBalancerController{ + isNginxPlus: true, + namespacedInformers: nsi, + } + + policyRefs := []conf_v1.PolicyReference{ + { + Name: "valid-policy", + // Namespace is implicit here + }, + { + Name: "invalid-policy", + Namespace: "default", + }, + { + Name: "valid-policy", // doesn't exist + Namespace: "nginx-ingress", // not watched + }, + { + Name: "valid-policy-ingress-class", + Namespace: "default", + }, + } + + expectedPolicies := []*conf_v1.Policy{validPolicy} + expectedErrors := []error{ + 
errors.New("policy default/invalid-policy is invalid: spec: Invalid value: \"\": must specify exactly one of: `accessControl`, `rateLimit`, `ingressMTLS`, `egressMTLS`, `basicAuth`, `apiKey`, `jwt`, `oidc`, `waf`"), + errors.New("failed to get namespace nginx-ingress"), + errors.New("referenced policy default/valid-policy-ingress-class has incorrect ingress class: test-class (controller ingress class: )"), + } + + result, errors := lbc.getPolicies(policyRefs, "default") + if !reflect.DeepEqual(result, expectedPolicies) { + t.Errorf("lbc.getPolicies() returned \n%v but \nexpected %v", result, expectedPolicies) + } + if diff := cmp.Diff(expectedErrors, errors, cmp.Comparer(errorComparer)); diff != "" { + t.Errorf("lbc.getPolicies() mismatch (-want +got):\n%s", diff) + } +} + func TestCreatePolicyMap(t *testing.T) { t.Parallel() policies := []*conf_v1.Policy{ From 7693e8bb4f3425788833d29119e9e9b2902ca586 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 22 Aug 2024 13:44:29 +0100 Subject: [PATCH 03/83] ignore generated go files for codecov report (#6265) --- .codecov.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.codecov.yml b/.codecov.yml index 3cac278dfb..f3e7c00ed0 100644 --- a/.codecov.yml +++ b/.codecov.yml @@ -11,3 +11,6 @@ coverage: target: auto threshold: 0% changes: false +ignore: + - "pkg/client" + - "**/*generated*.go" From d1f03bb2d00823af43f9ee37fa3641a83698270f Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 22 Aug 2024 14:29:37 +0100 Subject: [PATCH 04/83] tag and release ubi8 waf images (#6271) --- .github/config/config-gcr-retag | 3 ++- .github/config/config-plus-gcr-release | 4 ++-- .github/config/config-plus-nginx | 4 ++-- .github/data/matrix-smoke-nap.json | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/config/config-gcr-retag b/.github/config/config-gcr-retag index 218de07652..3273e6ffaf 100644 
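Review bot: In TestGetPoliciesNamespacedWatch, `result, errors := lbc.getPolicies(policyRefs, "default")` shadows the imported `errors` package for the rest of the function, and it compiles only because every `errors.New` call comes before it. Rename the local, for example `result, errs := lbc.getPolicies(policyRefs, "default")`, and pass `errs` to `cmp.Diff`. The `case "nginx-ingress/valid-policy":` arm of the fake store appears never to be reached, since `nsi` holds only the `default` informer and the expected error for that reference is the namespace one. A short comment saying so, or dropping the arm, would make clear that the test exercises the nil-informer path and not the lister.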
--- a/.github/config/config-gcr-retag +++ b/.github/config/config-gcr-retag @@ -1,6 +1,7 @@ export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl") -declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-alpine-fips") +declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl" "-alpine-fips") +declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips") declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") declare -a ADDITIONAL_TAGS=() diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release index 73df01d812..c5be8ee8fd 100644 --- a/.github/config/config-plus-gcr-release +++ b/.github/config/config-plus-gcr-release @@ -1,7 +1,7 @@ export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-mktpl") -declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") -declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi") +declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "ubi8" "-mktpl") +declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "ubi8") declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}") diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx index 2c177716e9..2d3bfb2da1 100644 --- a/.github/config/config-plus-nginx +++ b/.github/config/config-plus-nginx 
@@ -1,8 +1,8 @@ export TARGET_REGISTRY=docker-mgmt.nginx.com export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress" declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine") -declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi") -declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi") +declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "ubi8") +declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "ubi8") declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi") declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi") export PUBLISH_OSS=false diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json index bb3f384153..6855f6b89e 100644 --- a/.github/data/matrix-smoke-nap.json +++ b/.github/data/matrix-smoke-nap.json @@ -2,7 +2,7 @@ "images": [ { "label": "AP_WAF 1/4", - "image": "ubi-9-plus-nap", + "image": "ubi-8-plus-nap", "type": "plus", "nap_modules": "waf", "marker": "appprotect_waf_policies_allow", From 14a71d74a75b68e4cc832f3f455fda70d83e32c2 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 22 Aug 2024 14:42:09 +0100 Subject: [PATCH 05/83] fix typo in ubi8 image promotion (#6276) --- .github/config/config-plus-gcr-release | 4 ++-- .github/config/config-plus-nginx | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release index c5be8ee8fd..175f34cc3d 100644 --- a/.github/config/config-plus-gcr-release +++ b/.github/config/config-plus-gcr-release 
@@ -1,7 +1,7 @@ export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-mktpl") -declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "ubi8" "-mktpl") -declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "ubi8") +declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl") +declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8") declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}") diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx index 2d3bfb2da1..0490242f7d 100644 --- a/.github/config/config-plus-nginx +++ b/.github/config/config-plus-nginx @@ -1,8 +1,8 @@ export TARGET_REGISTRY=docker-mgmt.nginx.com export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress" declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine") -declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "ubi8") -declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "ubi8") +declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8") +declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8") declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi") declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi") export PUBLISH_OSS=false From e4525c913f726ce0e5ad525a4510f0aab4b386ee Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 08:40:02 +0100 Subject: [PATCH 06/83] Bump skopeo/stable from v1.15.2 to v1.16.0 in /tests in the docker-tests group (#6242) Bump skopeo/stable in /tests in the docker-tests group Bumps the docker-tests group in /tests with 1 update: [skopeo/stable](https://github.com/containers/image_build). Updates `skopeo/stable` from v1.15.2 to v1.16.0 - [Commits](https://github.com/containers/image_build/commits) --- updated-dependencies: - dependency-name: skopeo/stable dependency-type: direct:production dependency-group: docker-tests ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Dockerfile b/tests/Dockerfile index a5c1ebedeb..213ca2bad0 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -3,7 +3,7 @@ FROM kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date -FROM quay.io/skopeo/stable:v1.15.2 +FROM quay.io/skopeo/stable:v1.16.0 FROM python:3.12@sha256:e3d5b6f95ce66923b5e48a06ee5755abb097de96a8617c3f2f7d431d48e63d35 From 63cd0a8e30364026988d8152bc8a82242327dfca Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Aug 2024 10:28:56 +0000 Subject: [PATCH 07/83] Bump github/codeql-action from 3.26.3 to 3.26.4 in the actions group (#6277) Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 3.26.3 to 3.26.4 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/883d8588e56d1753a8a58c1c86e88976f0c23449...f0f3afee809481da311ca3a6ff1ff51d81dbeb24) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/image-promotion.yml | 8 ++++---- .github/workflows/scorecards.yml | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 5d1a531a48..b7dc3b23a5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -70,7 +70,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3 + uses: github/codeql-action/init@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -89,7 +89,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3 + uses: github/codeql-action/autobuild@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -102,6 +102,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3 + uses: github/codeql-action/analyze@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index b9900c6c7b..e9db66e63d 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -143,7 +143,7 @@ jobs: fi - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3 + uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 if: steps.check-sarif.outputs.sarif_has_results == 'true' with: sarif_file: govulncheck.sarif @@ -466,7 +466,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3 + uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 with: sarif_file: "${{ steps.directory.outputs.directory }}/" 
@@ -556,7 +556,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3 + uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 with: sarif_file: "${{ steps.directory.outputs.directory }}/" @@ -653,7 +653,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3 + uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 with: sarif_file: "${{ steps.directory.outputs.directory }}/" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index f9cbd584b4..ac39ba6289 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3 + uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 with: sarif_file: results.sarif From 43ae6af6aea745eeb1eabdf80181831308ec6e47 Mon Sep 17 00:00:00 2001 From: Jim Ryan Date: Fri, 23 Aug 2024 12:05:03 +0100 Subject: [PATCH 08/83] Chore/ensure telemetry generation up to date (#6280) * remove data.avdl from pre commit trailing whitespace * add telemetry schema check to ci.yml * add gofumpt * add go/bin to path so gofumpt can be called in makefile * add go bin to path in make telemetry step --- .github/workflows/ci.yml | 8 ++++ .pre-commit-config.yaml | 2 +- internal/telemetry/data.avdl | 74 ++++++++++++++++++------------------ 3 files changed, 46 insertions(+), 38 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 44cca97d5a..22a5f2dd42 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -180,6 +180,14 @@ jobs: make update-codegen && git diff --name-only --exit-code pkg/** cd ../../.. && mv github.com/nginxinc/kubernetes-ingress kubernetes-ingress/kubernetes-ingress + - name: Install gofumpt + run: go install mvdan.cc/gofumpt@latest + + - name: Check if telemetry schema changed + run: | + export PATH=$PATH:$(go env GOPATH)/bin + make telemetry-schema && git diff --name-only --exit-code internal/telemetry + unit-tests: name: Unit Tests runs-on: ubuntu-22.04 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1bfacca6ca..a4703ca764 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -6,7 +6,7 @@ repos: rev: v4.6.0 hooks: - id: trailing-whitespace - exclude: '(\.md|\.snap)$' + exclude: '(\.md|\.snap|\.avdl)$' - id: end-of-file-fixer exclude: docs/layouts/shortcodes/nic-.*.html - id: check-yaml diff --git a/internal/telemetry/data.avdl b/internal/telemetry/data.avdl index aae75fec77..51cea3cc72 100644 --- a/internal/telemetry/data.avdl +++ b/internal/telemetry/data.avdl 
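Review bot: The added `Install gofumpt` step in the ci.yml hunk runs `go install mvdan.cc/gofumpt@latest`, so CI executes whatever version upstream published most recently, whereas the `uses:` lines elsewhere in this series are pinned to commit SHAs. An unpinned formatter makes the following `make telemetry-schema && git diff --name-only --exit-code internal/telemetry` check non-reproducible: a new gofumpt release could change the generated output and fail unrelated pull requests. It also lets unreviewed upstream code run inside the job. Pin the tool to a reviewed release, for example `run: go install mvdan.cc/gofumpt@<PINNED_VERSION>`, and bump it through a reviewed change. The job these steps belong to starts and ends outside the hunk.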
@@ -8,115 +8,115 @@ /** The time our edge ingested the event */ long ingestTime; - + /** ProjectName is the name of the project. */ string? ProjectName = null; - + /** ProjectVersion is the version of the project. */ string? ProjectVersion = null; - + /** ProjectArchitecture is the architecture of the project. For example, "amd64". */ string? ProjectArchitecture = null; - + /** ClusterID is the unique id of the Kubernetes cluster where the project is installed. It is the UID of the `kube-system` Namespace. */ string? ClusterID = null; - + /** ClusterVersion is the Kubernetes version of the cluster. */ string? ClusterVersion = null; - + /** ClusterPlatform is the Kubernetes platform of the cluster. */ string? ClusterPlatform = null; - + /** InstallationID is the unique id of the project installation in the cluster. */ string? InstallationID = null; - + /** ClusterNodeCount is the number of nodes in the cluster. */ long? ClusterNodeCount = null; - + /** VirtualServers is the number of VirtualServer resources managed by the Ingress Controller. */ long? VirtualServers = null; - + /** VirtualServerRoutes is the number of VirtualServerRoute resources managed by the Ingress Controller. */ long? VirtualServerRoutes = null; - + /** TransportServers is the number of TransportServer resources managed by the Ingress Controller. */ long? TransportServers = null; - + /** Replicas is the number of NIC replicas. */ long? Replicas = null; - + /** Secrets is the number of Secret resources managed by the Ingress Controller. */ long? Secrets = null; - + /** ClusterIPServices is the number of ClusterIP services managed by NGINX Ingress Controller. */ long? ClusterIPServices = null; - + /** NodePortServices is the number of NodePort services managed by NGINX Ingress Controller. */ long? NodePortServices = null; - + /** LoadBalancerServices is the number of LoadBalancer services managed by NGINX Ingress Controller. */ long? 
LoadBalancerServices = null; - + /** ExternalNameServices is the number of ExternalName services managed by NGINX Ingress Controller. */ long? ExternalNameServices = null; - + /** RegularIngressCount is the number of Regular Ingress resources managed by NGINX Ingress Controller. */ long? RegularIngressCount = null; - + /** MasterIngressCount is the number of Regular Ingress resources managed by NGINX Ingress Controller. */ long? MasterIngressCount = null; - + /** MinionIngressCount is the number of Regular Ingress resources managed by NGINX Ingress Controller. */ long? MinionIngressCount = null; - + /** IngressClasses is the number of Ingress Classes. */ long? IngressClasses = null; - + /** AccessControlPolicies is the number of AccessControl policies managed by NGINX Ingress Controller */ long? AccessControlPolicies = null; - + /** RateLimitPolicies is the number of RateLimit policies managed by NGINX Ingress Controller */ long? RateLimitPolicies = null; - + /** APIKeyPolicies is the number of APIKey policies managed by NGINX Ingress Controller */ long? APIKeyPolicies = null; - + /** JWTAuthPolicies is the number of JWTAuth policies managed by NGINX Ingress Controller */ long? JWTAuthPolicies = null; - + /** BasicAuthPolicies is the number of BasicAuth policies managed by NGINX Ingress Controller */ long? BasicAuthPolicies = null; - + /** IngressMTLSPolicies is the number of IngressMTLS policies managed by NGINX Ingress Controller */ long? IngressMTLSPolicies = null; - + /** EgressMTLSPolicies is the number of EgressMTLS policies managed by NGINX Ingress Controller */ long? EgressMTLSPolicies = null; - + /** OIDCPolicies is the number of OIDC policies managed by NGINX Ingress Controller */ long? OIDCPolicies = null; - + /** WAFPolicies is the number of WAF policies managed by NGINX Ingress Controller */ long? WAFPolicies = null; - + /** GlobalConfiguration indicates if a GlobalConfiguration resource is used. */ boolean? 
GlobalConfiguration = null; - + /** IngressAnnotations is the list of annotations resources managed by NGINX Ingress Controller */ union {null, array} IngressAnnotations = null; - + /** AppProtectVersion represents the version of AppProtect. */ string? AppProtectVersion = null; - + /** IsPlus represents whether NGINX is Plus or OSS */ boolean? IsPlus = null; - + /** InstallationFlags is the list of command line arguments configured for NGINX Ingress Controller */ union {null, array} InstallationFlags = null; - + /** BuildOS represents the base operating system image */ string? BuildOS = null; - + } } From fa1e037010f168f49556a5a41e2090bf5ac7389c Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Fri, 23 Aug 2024 13:16:16 +0000 Subject: [PATCH 09/83] Remove deprecated use cases from Helm installation documentation (#6279) This commit removes the "Notes" section from the Helm installation document, which mentioned an IBM Cloud use case not developed since 2018, and NGINX Service Mesh, which went EOS last year. It also updates some content to be adherent with contemporary standards, and shifts some context-specific NGINX App DoS information to the relevant page. --- .../installing-nic/installation-with-helm.md | 89 +++++++++---------- .../app-protect-dos/installation.md | 2 + 2 files changed, 45 insertions(+), 46 deletions(-) diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index f13b2bf240..a6a6fedee0 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md @@ -1,7 +1,5 @@ --- docs: DOCS-602 -doctypes: -- '' title: Installation with Helm toc: true weight: 100 
@@ -9,7 +7,7 @@ weight: 100 This document explains how to install F5 NGINX Ingress Controller using [Helm](https://helm.sh/). -## Before you start +## Before you begin {{< note >}} All documentation should only be used with the latest stable release, indicated on [the releases page]({{< relref "releases.md" >}}) of the GitHub repository. {{< /note >}} 
@@ -20,17 +18,20 @@ This document explains how to install F5 NGINX Ingress Controller using [Helm](h - The [Get the NGINX Ingress Controller image with JWT]({{< relref "installation/nic-images/get-image-using-jwt.md" >}}) topic describes how to use your subscription JWT token to get the image. - The [Build NGINX Ingress Controller]({{< relref "installation/build-nginx-ingress-controller.md" >}}) topic explains how to push an image to a private Docker registry. - Update the `controller.image.repository` field of the `values-plus.yaml` accordingly. -- To use App Protect DoS, install the App Protect DoS Arbitrator [Helm Chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart) in the same namespace as NGINX Ingress Controller. If you install multiple NGINX Ingress Controllers in the same namespace, they will need to share the same Arbitrator because there can only be one Arbitrator in a single namespace. -## CRDs +--- + +## Custom Resource Definitions -By default, the Ingress Controller requires a number of custom resource definitions (CRDs) installed in the cluster. The Helm client will install those CRDs. If the CRDs are not installed, the Ingress Controller pods will not become `Ready`. +NGINX Ingress Controller requires custom resource definitions (CRDs) installed in the cluster, which Helm will install. If the CRDs are not installed, NGINX Ingress Controller pods will not become `Ready`. If you do not use the custom resources that require those CRDs (which corresponds to `controller.enableCustomResources` set to `false` and `controller.appprotect.enable` set to `false` and `controller.appprotectdos.enable` set to `false`), the installation of the CRDs can be skipped by specifying `--skip-crds` for the helm install command. 
-### Upgrading the CRDs +--- + +### Upgrade the CRDs -To upgrade the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: +To upgrade the CRDs, pull the chart sources as described in [Pull the Chart](#pull-the-chart) and then run: ```shell kubectl apply -f crds/ 
@@ -38,32 +39,32 @@ kubectl apply -f crds/ Alternatively, CRDs can be upgraded without pulling the chart by running: -```console +```shell kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{< nic-version >}}/deploy/crds.yaml ``` In the above command, `v{{< nic-version >}}` represents the version of NGINX Ingress Controller release rather than the Helm chart version. -{{}}The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply`. +{{< note >}} The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply`. -Make sure to check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release for any special upgrade procedures. -{{}} +Check the [release notes](https://www.github.com/nginxinc/kubernetes-ingress/releases) for a new release for any special upgrade procedures. +{{< /note >}} -### Uninstalling the CRDs +### Uninstall the CRDs -To remove the CRDs, pull the chart sources as described in [Pulling the Chart](#pulling-the-chart) and then run: +To remove the CRDs, pull the chart sources as described in [Pull the Chart](#pull-the-chart) and then run: ```shell kubectl delete -f crds/ ``` -{{}}This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure there are no custom resources that you want to keep and there are no other Ingress Controller releases running in the cluster.{{}} +{{< warning >}} This command will delete all the corresponding custom resources in your cluster across all namespaces. Please ensure there are no custom resources that you want to keep and there are no other NGINX Ingress Controller instances running in the cluster. 
{{< /warning >}} -## Managing the Chart via OCI Registry +## Manage the chart with OCI Registry -### Installing the Chart +### Install the chart -To install the chart with the release name my-release (my-release is the name that you choose): +Run the following commands to install the chart with the release name my-release (my-release is the name that you choose): - For NGINX: @@ -71,17 +72,17 @@ To install the chart with the release name my-release (my-release is the name th helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version {{< nic-helm-version >}} ``` -- For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) +- For NGINX Plus: (This assumes you have pushed NGINX Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`) ```shell helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version {{< nic-helm-version >}} --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true ``` -This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with `registry-1.docker.io/nginxcharts/nginx-ingress`. +These commands install the latest `edge` version of NGINX Ingress Controller from GitHub Container Registry. If you prefer using Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with `registry-1.docker.io/nginxcharts/nginx-ingress`. -### Upgrading the Chart +### Upgrade the chart -Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the CRDs](#upgrading-the-crds). +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrade the CRDs](#upgrade-the-crds). To upgrade the release `my-release`: 
@@ -89,7 +90,7 @@ To upgrade the release `my-release`: helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version {{< nic-helm-version >}} ``` -### Uninstalling the Chart +### Uninstall the chart To uninstall/delete the release `my-release`: @@ -99,9 +100,9 @@ helm uninstall my-release The command removes all the Kubernetes components associated with the release and deletes the release. -Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the CRDs](#uninstalling-the-crds). +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstall the CRDs](#uninstall-the-crds). -### Edge Version +### Edge version To test the latest changes in NGINX Ingress Controller before a new release, you can install the `edge` version. This version is built from the `main` branch of the NGINX Ingress Controller repository. You can install the `edge` version by specifying the `--version` flag with the value `0.0.0-edge`: @@ -112,11 +113,11 @@ helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0. {{< warning >}} The `edge` version is not intended for production use. It is intended for testing and development purposes only. {{< /warning >}} -## Managing the Chart via Sources +## Manage the chart with Sources -### Pulling the Chart +### Pull the chart -This step is required if you're installing the chart using its sources. Additionally, the step is also required for managing the custom resource definitions (CRDs), which the Ingress Controller requires by default, or for upgrading/deleting the CRDs. +This step is required if you're installing the chart using its sources. It also manages the custom resource definitions (CRDs) which NGINX Ingress Controller requires, and for upgrading or deleting the CRDs. 1. Pull the chart sources: 
@@ -130,7 +131,7 @@ This step is required if you're installing the chart using its sources. Addition cd nginx-ingress ``` -### Installing the Chart +### Install the chart To install the chart with the release name my-release (my-release is the name that you choose): @@ -148,9 +149,9 @@ To install the chart with the release name my-release (my-release is the name th The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation. -### Upgrading the Chart +### Upgrade the chart -Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrading the CRDs](#upgrading-the-crds). +Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a release, see [Upgrade the CRDs](#upgrade-the-crds). To upgrade the release `my-release`: @@ -158,7 +159,7 @@ To upgrade the release `my-release`: helm upgrade my-release . ``` -### Uninstalling the Chart +### Uninstall the chart To uninstall/delete the release `my-release`: 
@@ -168,21 +169,20 @@ helm uninstall my-release The command removes all the Kubernetes components associated with the release and deletes the release. -Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstalling the CRDs](#uninstalling-the-crds). +Uninstalling the release does not remove the CRDs. To remove the CRDs, see [Uninstall the CRDs](#uninstall-the-crds). - -## Upgrading without downtime +## Upgrade without downtime ### Background In NGINX Ingress Controller version 3.1.0, [changes were introduced](https://github.com/nginxinc/kubernetes-ingress/pull/3606) to Helm resource names, labels and annotations to fit with Helm best practices. When using Helm to upgrade from a version prior to 3.1.0, certain resources like Deployment, DaemonSet and Service will be recreated due to the aforementioned changes, which will result in downtime. -Although the advisory is to update all resources in accordance with new naming convention, to avoid the downtime please follow the steps listed in this page. +Although the advisory is to update all resources in accordance with new naming convention, to avoid downtime follow the steps listed below. -### Upgrade Steps +### Upgrade steps -{{}} The following steps apply to both 2.x and 3.0.x releases.{{}} +{{< note >}} The following steps apply to both 2.x and 3.0.x releases. {{}} The steps you should follow depend on the Helm release name: 
@@ -285,9 +285,11 @@ The steps you should follow depend on the Helm release name: {{}} -## Run multiple Ingress Controllers +## Run multiple NGINX Ingress Controllers + +If you are running NGINX Ingress Controller releases in your cluster with custom resources enabled, the releases will share a single version of the CRDs. -If you are running multiple Ingress Controller releases in your cluster with enabled custom resources, the releases will share a single version of the CRDs. Ensure the Ingress Controller versions match the version of the CRDs. When uninstalling a release, ensure that you don’t remove the CRDs until there are no other Ingress Controller releases running in the cluster. +Ensure the NGINX Ingress Controller versions match the version of the CRDs. When uninstalling a release, ensure that you don’t remove the CRDs until there are no other NGINX Ingress Controller releases running in the cluster. The [Run multiple NGINX Ingress Controllers]({{< relref "installation/run-multiple-ingress-controllers.md" >}}) topic has more details. @@ -296,7 +298,7 @@ The [Run multiple NGINX Ingress Controllers]({{< relref "installation/run-multip The following tables lists the configurable parameters of the NGINX Ingress Controller chart and their default values. {{< table >}} -{{}} +{{}} |Parameter | Description | Default | | --- | --- | --- | | **controller.name** | The name of the Ingress Controller daemonset or deployment. | Autogenerated | 
@@ -478,8 +480,3 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont |**nginxAgent.customConfigMap** | The name of a custom ConfigMap to use instead of the one provided by default. | "" | {{}} {{< /table >}} - -## Notes - -- The values-icp.yaml file is used for deploying the Ingress Controller on IBM Cloud Private. See the [blog post](https://www.nginx.com/blog/nginx-ingress-controller-ibm-cloud-private/) for more details. -- The values-nsm.yaml file is used for deploying the Ingress Controller with NGINX Service Mesh. See the NGINX Service Mesh [docs](https://docs.nginx.com/nginx-service-mesh/tutorials/kic/deploy-with-kic/) for more details. diff --git a/docs/content/installation/integrations/app-protect-dos/installation.md b/docs/content/installation/integrations/app-protect-dos/installation.md index 79e9eee27f..1a5bd14247 100644 --- a/docs/content/installation/integrations/app-protect-dos/installation.md +++ b/docs/content/installation/integrations/app-protect-dos/installation.md @@ -176,6 +176,8 @@ kubectl apply -f config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yam ## Install the App Protect DoS Arbitrator +{{< note >}} If you install multiple NGINX Ingress Controllers in the same namespace, they will need to share the same Arbitrator because there can only be one Arbitrator in a single namespace. {{< /note >}} + ### Helm Chart The App Protect DoS Arbitrator can be installed using the [NGINX App Protect DoS Helm Chart](https://github.com/nginxinc/nap-dos-arbitrator-helm-chart). From 9adee8c93ee30dd6b14b6bf7e189d600fb0b6b93 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Aug 2024 11:05:06 +0100 Subject: [PATCH 10/83] Bump github.com/aws/aws-sdk-go-v2/config from 1.27.28 to 1.27.29 in the go group (#6283) Bump github.com/aws/aws-sdk-go-v2/config in the go group Bumps the go group with 1 update: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.27.28 to 1.27.29 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.28...config/v1.27.29) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/go.mod b/go.mod index 0b3a54d22d..ea59ac2519 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/nginxinc/kubernetes-ingress go 1.22.5 require ( - github.com/aws/aws-sdk-go-v2/config v1.27.28 + github.com/aws/aws-sdk-go-v2/config v1.27.29 github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.4 github.com/cert-manager/cert-manager v1.15.3 github.com/dlclark/regexp2 v1.11.4 @@ -37,7 +37,7 @@ require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/aws/aws-sdk-go-v2 v1.30.4 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.28 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.29 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 // indirect 
@@ -46,7 +46,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 // indirect github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.30.4 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.30.5 // indirect github.com/aws/smithy-go v1.20.4 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect diff --git a/go.sum b/go.sum index ac82e4f3d6..fae07a66a7 100644 --- a/go.sum +++ b/go.sum 
@@ -6,10 +6,10 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8= github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= -github.com/aws/aws-sdk-go-v2/config v1.27.28 h1:OTxWGW/91C61QlneCtnD62NLb4W616/NM1jA8LhJqbg= -github.com/aws/aws-sdk-go-v2/config v1.27.28/go.mod h1:uzVRVtJSU5EFv6Fu82AoVFKozJi2ZCY6WRCXj06rbvs= -github.com/aws/aws-sdk-go-v2/credentials v1.17.28 h1:m8+AHY/ND8CMHJnPoH7PJIRakWGa4gbfbxuY9TGTUXM= -github.com/aws/aws-sdk-go-v2/credentials v1.17.28/go.mod h1:6TF7dSc78ehD1SL6KpRIPKMA1GyyWflIkjqg+qmf4+c= +github.com/aws/aws-sdk-go-v2/config v1.27.29 h1:+ZPKb3u9Up4KZWLGTtpTmC5T3XmRD1ZQ8XQjRCHUvJw= +github.com/aws/aws-sdk-go-v2/config v1.27.29/go.mod h1:yxqvuubha9Vw8stEgNiStO+yZpP68Wm9hLmcm+R/Qk4= +github.com/aws/aws-sdk-go-v2/credentials v1.17.29 h1:CwGsupsXIlAFYuDVHv1nnK0wnxO0wZ/g1L8DSK/xiIw= +github.com/aws/aws-sdk-go-v2/credentials v1.17.29/go.mod h1:BPJ/yXV92ZVq6G8uYvbU0gSl8q94UB63nMT5ctNO38g= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 h1:yjwoSyDZF8Jth+mUk5lSPJCkMC0lMy6FaCD51jm6ayE= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12/go.mod h1:fuR57fAgMk7ot3WcNQfb6rSEn+SUffl7ri+aa8uKysI= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 h1:TNyt/+X43KJ9IJJMjKfa3bNTiZbUP7DeCxfbTROESwY= 
@@ -28,8 +28,8 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 h1:zCsFCKvbj25i7p1u94imVoO447I/ github.com/aws/aws-sdk-go-v2/service/sso v1.22.5/go.mod h1:ZeDX1SnKsVlejeuz41GiajjZpRSWR7/42q/EyA/QEiM= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 h1:SKvPgvdvmiTWoi0GAJ7AsJfOz3ngVkD/ERbs5pUnHNI= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5/go.mod h1:20sz31hv/WsPa3HhU3hfrIet2kxM4Pe0r20eBZ20Tac= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.4 h1:iAckBT2OeEK/kBDyN/jDtpEExhjeeA/Im2q4X0rJZT8= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.4/go.mod h1:vmSqFK+BVIwVpDAGZB3CoCXHzurt4qBE8lf+I/kRTh0= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.5 h1:OMsEmCyz2i89XwRwPouAJvhj81wINh+4UK+k/0Yo/q8= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.5/go.mod h1:vmSqFK+BVIwVpDAGZB3CoCXHzurt4qBE8lf+I/kRTh0= github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4= github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= From 2d0d19390ffd4fc2381310320cbfc37e991cd950 Mon Sep 17 00:00:00 2001 From: Shaun Date: Mon, 26 Aug 2024 12:59:49 +0100 Subject: [PATCH 11/83] Update bug report template to use issue form fields (#6269) --- .github/ISSUE_TEMPLATE/BUG-REPORT.yml | 121 ++++++++++++++++++++++++++ .github/ISSUE_TEMPLATE/bug_report.md | 32 ------- 2 files changed, 121 insertions(+), 32 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/BUG-REPORT.yml delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md diff --git a/.github/ISSUE_TEMPLATE/BUG-REPORT.yml b/.github/ISSUE_TEMPLATE/BUG-REPORT.yml new file mode 100644 index 0000000000..f04ee11539 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/BUG-REPORT.yml 
@@ -0,0 +1,121 @@ +name: Bug Report +description: File a bug report. +title: "[Bug]: " +labels: ["bug", "ready for refinement"] +body: + - type: markdown + attributes: + value: | + Thanks for taking the time to fill out this bug report! + - type: dropdown + id: version + attributes: + label: Version + description: What version of our F5 NGINX Ingress Controller are you running? + options: + - edge + - 3.6.2 + - 3.6.1 + - 3.6.0 + - 3.5.2 + - 3.5.1 + - 3.5.0 + - 3.4.3 + - 3.4.2 + - 3.4.1 + - 3.4.0 + - 3.3.2 + - 3.3.1 + - 3.3.0 + - 3.2.1 + - 3.2.0 + - 3.1.1 + - 3.1.0 + - 3.0.2 + - 3.0.1 + - 3.0.0 + - 2.4.2 + - 2.4.1 + - 2.4.0 + - 2.3.1 + - 2.3.0 + - 2.2.2 + - 2.2.1 + - 2.2.0 + - 2.1.2 + - 2.1.1 + - 2.1.0 + - 2.0.3 + - 2.0.2 + - 2.0.1 + - 2.0.0 + default: 0 + validations: + required: true + - type: dropdown + id: platform + attributes: + label: What Kubernetes platforms are you running on? + options: + - Kind + - Minikube + - Rancher + - EKS Amazon + - AKS Azure + - GKE Google Cloud + - Openshift + - Other + default: 0 + validations: + required: true + - type: textarea + id: describe-bug + attributes: + label: What happened? + description: Add as much details about the bug as you can. + placeholder: Tell is what you see! + validations: + required: true + - type: textarea + id: steps-to-reproduce + attributes: + label: Steps to reproduce + description: These steps will help us best reproduce the issue and come to a resolution. + placeholder: | + 1. Deploy x to '...' using some.yaml + 2. View logs on '....' + 3. See error + validations: + required: false + - type: textarea + id: expected-behaviour + attributes: + label: Expected behaviour + description: How did you expect the product/feature to behave? + placeholder: What way did you expect this to behave? + validations: + required: false + - type: textarea + id: kubernetes-describe-output + attributes: + label: Kubectl Describe output + description: Please run `kubectl describe` on any relevant Kubernetes resources. 
e.g. `kubectl describe deployment my-nginx-ingress-controller-deployment`. This will be automatically formatted into code, so no need for backticks. + render: shell + validations: + required: false + - type: textarea + id: logs + attributes: + label: Log output + description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks. + render: shell + validations: + required: false + - type: checkboxes + id: terms + attributes: + label: Contributing Guidelines + description: By submitting this issue, you agree that you have read the [Report a Bug](https://github.com/nginxinc/kubernetes-ingress/blob/main/CONTRIBUTING.md#report-a-bug) section of our [Contributing Guidelines](https://github.com/nginxinc/kubernetes-ingress/blob/main/CONTRIBUTING.md) + options: + - label: I confirm that I have read the Report a Bug section of the Contributing Guidelines + required: true diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index f4e9de75ca..0000000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -name: Bug report -about: Create a report to help us improve -title: '' -labels: '' -assignees: '' - ---- - -**Describe the bug** -A clear and concise description of what the bug is. - -**To Reproduce** -Steps to reproduce the behavior: - -1. Deploy x to '...' using some.yaml -2. View logs on '....' -3. See error - -**Expected behavior** -A clear and concise description of what you expected to happen. - -**Your environment** - -- Version of the Ingress Controller - release version or a specific commit -- Version of Kubernetes -- Kubernetes platform (e.g. Mini-kube or GCP) -- Using NGINX or NGINX Plus - - -**Additional context** -Add any other context about the problem here. Any log files you want to share. From 4af2c12bde48e1b9ec2fe7802576d3f6c8a610f1 Mon Sep 17 00:00:00 2001 
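Review bot: The `kubernetes-describe-output` and `logs` textareas in the new BUG-REPORT.yml ask reporters to paste raw `kubectl describe` output and controller logs into a public issue with no reminder to redact. Describe output for pods and deployments includes container arguments, annotations and literal environment values, and logs commonly carry hostnames and client addresses. I would append a sentence to both `description` fields, for example `Remove credentials, tokens, certificates and internal hostnames or IP addresses before pasting.` Separately, `default: 0` on the `version` and `platform` dropdowns appears to preselect `edge` and `Kind` (indentation is lost in this rendering, so placement is assumed), which means `required: true` no longer forces a choice and an untouched form records the wrong environment; removing the default would make the reporter pick. The `describe-bug` placeholder also reads `Tell is what you see!`, where `Tell us what you see!` is presumably meant.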
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 09:21:24 +0100 Subject: [PATCH 12/83] Bump the python group in /tests with 4 updates (#6286) Bumps the python group in /tests with 4 updates: [grpcio](https://github.com/grpc/grpc), [grpcio-tools](https://github.com/grpc/grpc), [idna](https://github.com/kjd/idna) and [pyparsing](https://github.com/pyparsing/pyparsing). Updates `grpcio` from 1.65.5 to 1.66.0 - [Release notes](https://github.com/grpc/grpc/releases) - [Changelog](https://github.com/grpc/grpc/blob/master/doc/grpc_release_schedule.md) - [Commits](https://github.com/grpc/grpc/compare/v1.65.5...v1.66.0) Updates `grpcio-tools` from 1.65.5 to 1.66.0 - [Release notes](https://github.com/grpc/grpc/releases) - [Changelog](https://github.com/grpc/grpc/blob/master/doc/grpc_release_schedule.md) - [Commits](https://github.com/grpc/grpc/compare/v1.65.5...v1.66.0) Updates `idna` from 3.7 to 3.8 - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](https://github.com/kjd/idna/compare/v3.7...v3.8) Updates `pyparsing` from 3.1.2 to 3.1.4 - [Release notes](https://github.com/pyparsing/pyparsing/releases) - [Changelog](https://github.com/pyparsing/pyparsing/blob/master/CHANGES) - [Commits](https://github.com/pyparsing/pyparsing/compare/pyparsing_3.1.2...3.1.4) --- updated-dependencies: - dependency-name: grpcio dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: grpcio-tools dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: pyparsing dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/requirements.txt | 200 ++++++++++++++++++++--------------------- 1 file changed, 100 insertions(+), 100 deletions(-) diff --git a/tests/requirements.txt b/tests/requirements.txt index d33ad785f3..3111283608 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt 
@@ -237,107 +237,107 @@ gprof2dot==2024.6.6 \ # via # -r requirements.txt # pytest-profiling -grpcio==1.65.5 \ - --hash=sha256:05f02d68fc720e085f061b704ee653b181e6d5abfe315daef085719728d3d1fd \ - --hash=sha256:078038e150a897e5e402ed3d57f1d31ebf604cbed80f595bd281b5da40762a92 \ - --hash=sha256:0b2944390a496567de9e70418f3742b477d85d8ca065afa90432edc91b4bb8ad \ - --hash=sha256:11f8b16121768c1cb99d7dcb84e01510e60e6a206bf9123e134118802486f035 \ - --hash=sha256:1c4caafe71aef4dabf53274bbf4affd6df651e9f80beedd6b8e08ff438ed3260 \ - --hash=sha256:1cbc208edb9acf1cc339396a1a36b83796939be52f34e591c90292045b579fbf \ - --hash=sha256:238a625f391a1b9f5f069bdc5930f4fd71b74426bea52196fc7b83f51fa97d34 \ - --hash=sha256:2a6d8169812932feac514b420daffae8ab8e36f90f3122b94ae767e633296b17 \ - --hash=sha256:2b91ce647b6307f25650872454a4d02a2801f26a475f90d0b91ed8110baae589 \ - --hash=sha256:3207ae60d07e5282c134b6e02f9271a2cb523c6d7a346c6315211fe2bf8d61ed \ - --hash=sha256:32d60e18ff7c34fe3f6db3d35ad5c6dc99f5b43ff3982cb26fad4174462d10b1 \ - --hash=sha256:33158e56c6378063923c417e9fbdb28660b6e0e2835af42e67f5a7793f587af7 \ - --hash=sha256:47d0aaaab82823f0aa6adea5184350b46e2252e13a42a942db84da5b733f2e05 \ - --hash=sha256:55714ea852396ec9568f45f487639945ab674de83c12bea19d5ddbc3ae41ada3 \ - --hash=sha256:6c4e62bcf297a1568f627f39576dbfc27f1e5338a691c6dd5dd6b3979da51d1c \ - --hash=sha256:76991b7a6fb98630a3328839755181ce7c1aa2b1842aa085fd4198f0e5198960 \ - --hash=sha256:770bd4bd721961f6dd8049bc27338564ba8739913f77c0f381a9815e465ff965 \ - --hash=sha256:7a412959aa5f08c5ac04aa7b7c3c041f5e4298cadd4fcc2acff195b56d185ebc \ - --hash=sha256:84c901cdec16a092099f251ef3360d15e29ef59772150fa261d94573612539b5 \ - --hash=sha256:85ae8f8517d5bcc21fb07dbf791e94ed84cc28f84c903cdc2bd7eaeb437c8f45 \ - --hash=sha256:89c00a18801b1ed9cc441e29b521c354725d4af38c127981f2c950c796a09b6e \ - --hash=sha256:8da58ff80bc4556cf29bc03f5fff1f03b8387d6aaa7b852af9eb65b2cf833be4 \ - 
--hash=sha256:8e5c4c15ac3fe1eb68e46bc51e66ad29be887479f231f8237cf8416058bf0cc1 \ - --hash=sha256:a101696f9ece90a0829988ff72f1b1ea2358f3df035bdf6d675dd8b60c2c0894 \ - --hash=sha256:a2f80510f99f82d4eb825849c486df703f50652cea21c189eacc2b84f2bde764 \ - --hash=sha256:a70a20eed87bba647a38bedd93b3ce7db64b3f0e8e0952315237f7f5ca97b02d \ - --hash=sha256:a80e9a5e3f93c54f5eb82a3825ea1fc4965b2fa0026db2abfecb139a5c4ecdf1 \ - --hash=sha256:ab5ec837d8cee8dbce9ef6386125f119b231e4333cc6b6d57b6c5c7c82a72331 \ - --hash=sha256:b67d450f1e008fedcd81e097a3a400a711d8be1a8b20f852a7b8a73fead50fe3 \ - --hash=sha256:b7ca419f1462390851eec395b2089aad1e49546b52d4e2c972ceb76da69b10f8 \ - --hash=sha256:b8270b15b99781461b244f5c81d5c2bc9696ab9189fb5ff86c841417fb3b39fe \ - --hash=sha256:bc74f3f745c37e2c5685c9d2a2d5a94de00f286963f5213f763ae137bf4f2358 \ - --hash=sha256:c3655139d7be213c32c79ef6fb2367cae28e56ef68e39b1961c43214b457f257 \ - --hash=sha256:c97962720489ef31b5ad8a916e22bc31bba3664e063fb9f6702dce056d4aa61b \ - --hash=sha256:cabd706183ee08d8026a015af5819a0b3a8959bdc9d1f6fdacd1810f09200f2a \ - --hash=sha256:d3a9e35bcb045e39d7cac30464c285389b9a816ac2067e4884ad2c02e709ef8e \ - --hash=sha256:d750e9330eb14236ca11b78d0c494eed13d6a95eb55472298f0e547c165ee324 \ - --hash=sha256:d7df567b67d16d4177835a68d3f767bbcbad04da9dfb52cbd19171f430c898bd \ - --hash=sha256:ec6f219fb5d677a522b0deaf43cea6697b16f338cb68d009e30930c4aa0d2209 \ - --hash=sha256:ec71fc5b39821ad7d80db7473c8f8c2910f3382f0ddadfbcfc2c6c437107eb67 \ - --hash=sha256:ee6ed64a27588a2c94e8fa84fe8f3b5c89427d4d69c37690903d428ec61ca7e4 \ - --hash=sha256:f17f9fa2d947dbfaca01b3ab2c62eefa8240131fdc67b924eb42ce6032e3e5c1 \ - --hash=sha256:f5b5970341359341d0e4c789da7568264b2a89cd976c05ea476036852b5950cd \ - --hash=sha256:f79c87c114bf37adf408026b9e2e333fe9ff31dfc9648f6f80776c513145c813 \ - --hash=sha256:fa36dd8496d3af0d40165252a669fa4f6fd2db4b4026b9a9411cbf060b9d6a15 \ - --hash=sha256:fe6505376f5b00bb008e4e1418152e3ad3d954b629da286c7913ff3cfc0ff740 
+grpcio==1.66.0 \ + --hash=sha256:0f3010bf46b2a01c9e40644cb9ed91b4b8435e5c500a275da5f9f62580e31e80 \ + --hash=sha256:1c5466222470cb7fbc9cc898af1d48eefd297cb2e2f59af6d4a851c862fa90ac \ + --hash=sha256:1eb03524d0f55b965d6c86aa44e5db9e5eaa15f9ed3b164621e652e5b927f4b8 \ + --hash=sha256:230cdd696751e7eb1395718cd308234749daa217bb8d128f00357dc4df102558 \ + --hash=sha256:245b08f9b3c645a6a623f3ed4fa43dcfcd6ad701eb9c32511c1bb7380e8c3d23 \ + --hash=sha256:296a45ea835e12a1cc35ab0c57e455346c272af7b0d178e29c67742167262b4c \ + --hash=sha256:37514b68a42e9cf24536345d3cf9e580ffd29117c158b4eeea34625200256067 \ + --hash=sha256:375b58892301a5fc6ca7d7ff689c9dc9d00895f5d560604ace9f4f0573013c63 \ + --hash=sha256:423ae18637cd99ddcf2e5a6851c61828c49e9b9d022d0442d979b4f230109787 \ + --hash=sha256:49234580a073ce7ac490112f6c67c874cbcb27804c4525978cdb21ba7f3f193c \ + --hash=sha256:508411df1f2b7cfa05d4d7dbf3d576fe4f949cd61c03f3a6f0378c84e3d7b963 \ + --hash=sha256:50cea8ce2552865b87e3dffbb85eb21e6b98d928621600c0feda2f02449cd837 \ + --hash=sha256:516fdbc8e156db71a004bc431a6303bca24cfde186babe96dde7bd01e8f0cc70 \ + --hash=sha256:526d4f6ca19f31b25606d5c470ecba55c0b22707b524e4de8987919e8920437d \ + --hash=sha256:53d4c6706b49e358a2a33345dbe9b6b3bb047cecd7e8c07ba383bd09349bfef8 \ + --hash=sha256:5b15ef1b296c4e78f15f64fc65bf8081f8774480ffcac45642f69d9d753d9c6b \ + --hash=sha256:5e8140b39f10d7be2263afa2838112de29374c5c740eb0afd99146cb5bdbd990 \ + --hash=sha256:5ea27f4ce8c0daccfdd2c7961e6ba404b6599f47c948415c4cca5728739107a3 \ + --hash=sha256:5f4b3357e59dfba9140a51597287297bc638710d6a163f99ee14efc19967a821 \ + --hash=sha256:5f93fc84b72bbc7b84a42f3ca9dc055fa00d2303d9803be011ebf7a10a4eb833 \ + --hash=sha256:643d8d9632a688ae69661e924b862e23c83a3575b24e52917ec5bcc59543d212 \ + --hash=sha256:684a4c07883cbd4ac864f0d08d927267404f5f0c76f31c85f9bbe05f2daae2f2 \ + --hash=sha256:6d586a95c05c82a5354be48bb4537e1accaf2472d8eb7e9086d844cbff934482 \ + 
--hash=sha256:6ed35bf7da3fb3b1949e32bdf47a8b5ffe0aed11722d948933bd068531cd4682 \ + --hash=sha256:748452dbd5a047475d5413bdef08b0b9ceb2c0c0e249d4ee905a5fb82c6328dc \ + --hash=sha256:7bc9d823e05d63a87511fb456dcc48dc0fced86c282bf60229675e7ee7aac1a1 \ + --hash=sha256:8096a922eb91bc97c839f675c3efa1257c6ef181ae1b25d3fb97f2cae4c57c01 \ + --hash=sha256:832945e64176520520317b50d64ec7d79924429528d5747669b52d0bf2c7bd78 \ + --hash=sha256:8fc5c710ddd51b5a0dc36ef1b6663430aa620e0ce029b87b150dafd313b978c3 \ + --hash=sha256:921b8f7f25d5300d7c6837a1e0639ef145fbdbfb728e0a5db2dbccc9fc0fd891 \ + --hash=sha256:9d5251578767fe44602688c851c2373b5513048ac84c21a0fe946590a8e7933d \ + --hash=sha256:a639d3866bfb5a678b5c0b92cd7ab543033ed8988854290fd86145e71731fd4c \ + --hash=sha256:aaf30c75cbaf30e561ca45f21eb1f729f0fab3f15c592c1074795ed43e3ff96f \ + --hash=sha256:ad7256f224437b2c29c2bef98ddd3130454c5b1ab1f0471fc11794cefd4dbd3d \ + --hash=sha256:ba18cfdc09312eb2eea6fa0ce5d2eec3cf345ea78f6528b2eaed6432105e0bd0 \ + --hash=sha256:ba60ae3b465b3e85080ae3bfbc36fd0305ae495ab16fcf8022fc7d7a23aac846 \ + --hash=sha256:bc008c6afa1e7c8df99bd9154abc4f0470d26b7730ca2521122e99e771baa8c7 \ + --hash=sha256:c072f90a1f0409f827ae86266984cba65e89c5831a0726b9fc7f4b5fb940b853 \ + --hash=sha256:c1ea4c528e7db6660718e4165fd1b5ac24b79a70c870a7bc0b7bdb9babab7c1e \ + --hash=sha256:c3084e590e857ba7585ae91078e4c9b6ef55aaf1dc343ce26400ba59a146eada \ + --hash=sha256:c3f6feb0dc8456d025e566709f7dd02885add99bedaac50229013069242a1bfd \ + --hash=sha256:d0439a970d65327de21c299ea0e0c2ad0987cdaf18ba5066621dea5f427f922b \ + --hash=sha256:dd614370e939f9fceeeb2915111a0795271b4c11dfb5fc0f58449bee40c726a5 \ + --hash=sha256:de9e20a0acb709dcfa15a622c91f584f12c9739a79c47999f73435d2b3cc8a3b \ + --hash=sha256:e36fa838ac1d6c87198ca149cbfcc92e1af06bb8c8cd852622f8e58f33ea3324 \ + --hash=sha256:e8d20308eeae15b3e182f47876f05acbdec1eebd9473a9814a44e46ec4a84c04 # via # -r requirements.txt # grpcio-tools -grpcio-tools==1.65.5 \ - 
--hash=sha256:02ed771ce6aea1a5620d818ae41380a7fcf65c6d499c53d1ddaf6ded882640a9 \ - --hash=sha256:0e092c51089251f41e6e2c03519311509162be3aba2c71a91983d7d86ed300f3 \ - --hash=sha256:0f698f34be22a89426f986310ee866b8faa812355aab5d241fdaf742b546c36c \ - --hash=sha256:13b4f00f66a3f024e9bfaf535e2be8a373ada199eb928507945685208bf29536 \ - --hash=sha256:21122fa43c48e15ff0d656258f942fdf7c3ed2b7ab1530c7d37d3027b71a5872 \ - --hash=sha256:221fd8f4c3f54ced15d9dac2b8800fd1b254bf9cd29414d500ce6f7ddb59be25 \ - --hash=sha256:23bce4fcee7cad2e085923fdfd65ed2bd2173bfc298c8c8964d3dddaef1f49ae \ - --hash=sha256:2819a3a50c61306074cc95938db97e365acfca873b2cce986ad2d1f519d51f2f \ - --hash=sha256:2a520fbb9be5a05b5a0cdb5c5d481f63fea5db2f048f47f19b613685009890f2 \ - --hash=sha256:3d8cee4c1f0bca80115cfa99f25ab6e6c6797b4443b1f0d5fa949bf2e9ac5af9 \ - --hash=sha256:3ddce72654ce415cbe36561b5e124fc0fcb461582e829016b7aa726824bcadc9 \ - --hash=sha256:474d5905ee0700662b42f71ce2fc5901786c88d5a54c08749fa5bccae1db27af \ - --hash=sha256:475ef5e8d91cbcf9bd9edbf51ac135931853d1c2fe6f8ae0c496b9ef422b41e4 \ - --hash=sha256:553b3f406a681719f6c11e70c993fe77383ab6adead9173ad1c6a611e5aaaf48 \ - --hash=sha256:56617905a4e478132b3732fd9dda71e35f1e7adedd34c92248c9a04a3892cb01 \ - --hash=sha256:5b6a50253f950fd02caff90a021d6564731a86ffad38b7c0a76423f6ed58e779 \ - --hash=sha256:5c38a8dc81900b7211fc5b1a14ace7f4ffd8cfbfd17e504f40044f0918b99825 \ - --hash=sha256:6077a87bb3028797175dd437e08ff42b559045f9588a14eb9c943dd8bde32dcc \ - --hash=sha256:675df59961e2ab7808a3c0222ad995d8886bbbb7e77000fba1059214c9ce3e09 \ - --hash=sha256:777243e4f7152da9d226d9cc1e6d7c2b94335e267c618260e6255a063bb7dfcb \ - --hash=sha256:7c3a47ad0070bc907c7818caf55aa1948e9282d24e27afd21015872a25594bc7 \ - --hash=sha256:853ebfa33ed5336b51d0fa5d068bd5b42cb84d09077670ffa6b2dc7980f000cd \ - --hash=sha256:8848d509b88631be77b4c40119c02a37d0e884d10b10f0ddb1e3e551d7023b0d \ - --hash=sha256:8ee220c430f87378c598b7217c8c32ce7aeab3d8a93bc92cee92ce6940d870dd \ - 
--hash=sha256:969c0b5079beb08ae0a22237652289bfc0e34602403e040bab419f46cb775e50 \ - --hash=sha256:9d0d7d34b4b3fba78075a923de2f962b33bcc04926569966c00219d5f41f2589 \ - --hash=sha256:a2e63bf9b6444f28ec684faf3c5fc8394b035fe221842186c3b9ff0121c20534 \ - --hash=sha256:a6d05950c62024ac54dfb7b7987fd45e22e832143aa88768439aa12073e9d035 \ - --hash=sha256:ac013d5d118dfafc887c3da1649dbd5087a7161d969dab236050e54c55fa0725 \ - --hash=sha256:b2072ad56bec624d0190e605c6b56205a6336f31a35617b90d927791c14aa4ad \ - --hash=sha256:b48943492a7c00a3ce6d7159c37761d006085f7dcd4a13931dcc74ecb8a24b56 \ - --hash=sha256:b6b33e23bfc6919c71329dabec632e7693de62efbed24b3e34616c09827909d8 \ - --hash=sha256:b9aefd9dc742c20bc5fb16f497f6d04b4f4f5c7d44cc86654a334ce7ea9c8021 \ - --hash=sha256:ba27d67421dad33cbb42cdcd144dabed0516f0a5ee48d37250dd1b37c97cca72 \ - --hash=sha256:bf78ed1cfc9304dca4d1a5ec578a91b65a5946bf4ee923358a721fb47e35ffdf \ - --hash=sha256:c86a003bfcbf98b6261a89c2aad97197672c99d057fe441440210f052c9b54f1 \ - --hash=sha256:c8f8241b859413b8f0c5c8cfd4d9021862d29cf090e60fb8b30968737b575b52 \ - --hash=sha256:cc6b010bc26566ca35e858a94daa18992a02e7b70f688a78f3308dada54fc063 \ - --hash=sha256:cd1e9134e266fefdd49e1c9989d1bdf74578a9f237d7d9df01d871d898deda9b \ - --hash=sha256:e099bff2328931064aef565e811a7ce6ecbe7359c4d377534eee12dc6c35deb8 \ - --hash=sha256:e5ae4a000c3344c32c1fa63e137ef42e65eae9adb5576dab636e3bc092653ae6 \ - --hash=sha256:e680b32e90c42d08363a02e9971e690bcf2509cb7bf647e232113b3e777eac9a \ - --hash=sha256:eca7be231ba6de3ac38556dcba1f94c05422e7cc62341bc2787ac9881aed3026 \ - --hash=sha256:ef44822eee4834158eb03cd432e4cf7e716d7d03051cc8314be4956ee9e9da3f \ - --hash=sha256:f141f247a93e4c7faf33ac683a9cab93bb6570946a219260d33e2e62079db6e8 \ - --hash=sha256:fe5a21e4970cc2555066ba37c7c743749ccd0bd056d4262e97678927c586def8 +grpcio-tools==1.66.0 \ + --hash=sha256:00aafd7714f2e2f618ec75b0f13df6a6f174f2bc50ad70c79443d8f5aa60df96 \ + 
--hash=sha256:01449e9b20347fc7661f79090a9c0317e6de2759748170ac04cc0a4db74a681f \ + --hash=sha256:24773294210f554cdf282feaa3f95b79e22de56f78ec7a2e66c990266100480b \ + --hash=sha256:2a76db15aea734e583158c7190615f9e82de19fbb1f8d15f7a34fa9e4c3938a5 \ + --hash=sha256:2da55cab0569eb2bae8fc445cb9eaafad488918e4a443f831dbdd2ce60c47684 \ + --hash=sha256:2e31ac9a93feb5a4fbbb72de7a9a39709f28eea8183bab5e88f90a7facccf00b \ + --hash=sha256:2e78e94d9db3d686bc76f0ecedf5634ca3fad2d94e50c564a7d87630326719e8 \ + --hash=sha256:30261ab79e460e93002117627ec42a960c0d3d6292e3fd44a43eae94aedbae9a \ + --hash=sha256:4ecd2caa15c2070182e49aa1771cbf8e6181e5072833222401d965c6338a075c \ + --hash=sha256:51cdcdf9dc9087bfc5d7aa03c4c76614350e0f7ef0689763f69938d1a7ebfac4 \ + --hash=sha256:63897f679ea55bc25accc825329b53acef2ad1266237d90be63c5aeaaa5bf175 \ + --hash=sha256:65dfc1019a6dc3343161360a9436ca34f4aa4ffc40f4cdcd98e1e887dbe87cf8 \ + --hash=sha256:6e111f73f400d64b8dc32f5dab67c5e806c290eb2658fecdbfc44c2bb1020efc \ + --hash=sha256:7055599f250713662022f5096956c220ff0f43a7ab500d080b0f343ba8d98e14 \ + --hash=sha256:72e86d15d5dab2f25385e40608f5dc6b512172c3b10d01952d3d25f2d0648b7c \ + --hash=sha256:7ca7080ac2aed6d303fab162c5945d920c0243a7a393df71c9f98882583dcda5 \ + --hash=sha256:7d38a0b97d16343b3389228edc58c9dfea69bd3833fe458681f9cf66d13bb2e0 \ + --hash=sha256:81123f93a4f93f8e2bd7ba4a106c1eb1529e0336368c3b93c077f7649b48d784 \ + --hash=sha256:879a70a153f05d61fae8e7dd88ad67c63c1a30ee22c344509ec2b898f1e29250 \ + --hash=sha256:87a654381cdc43a64f890e1f68ca14f09c5bcafe9fe2481f50029a220b748d15 \ + --hash=sha256:8e197458cc1747f56a5b6bddd635247f86d3eb2a8a191e3f43ce0e6f2bf374c5 \ + --hash=sha256:923c60602e2025e1082cd3a1d7a5f74314f945ebb4763a939cc3f5a667d48d7f \ + --hash=sha256:95e3d1506bb3c6574c9d359ac78eaaad18276a3aaa328852796ee10d28a10656 \ + --hash=sha256:95edac51be6cd1391726024dea3a2a852c0a4c63e90de1ec52b5857d1ad5fef1 \ + --hash=sha256:95f1d076a310007fff710b4eea648a98ec75e0eb755b9df9af03b38a120ed8ac \ + 
--hash=sha256:9c026adf37d1dacc3270c60ef479945c68756a251c362aef51c250e1f69f6a18 \ + --hash=sha256:a236df9ac2dd1f6009adc94bce1da10ac46dd87a04dea86bfbeadaa261c7adea \ + --hash=sha256:af2f8f944e779cb8dd5b5e8a689514775c745068cd564df662e00cab45430d40 \ + --hash=sha256:b117868e2040489d8d542348a45cce6225fc87e1bc5e6092ad05bea343d4723d \ + --hash=sha256:b7da029e5a1270a0342c01f897436ab690677502e12f18664b7387a5e6938134 \ + --hash=sha256:bcb7f09c1569c2e5f1600e5b1eb6a8321e789a3e1d2f9ec5c236c62d61d22879 \ + --hash=sha256:bde2aca5fd16e5ab37cf83a8a7b805ccb7faceb804c562387852a3146bfd7eaf \ + --hash=sha256:ca654c732029483a0355164f551b4531eae1d1f64e269d389d97d79a0b087966 \ + --hash=sha256:cc188a5fbaf25e3a5f91f815d3928b1e40ba38f5a5f5b5e86f640c575f7db1c9 \ + --hash=sha256:cf5906367329121b90942de6a2f77b316090ce15980254c61ecd5043526dc03d \ + --hash=sha256:d72c6a8e1470832199764a4ac4aa999def0ccfb0fe0266c73aae003812acb957 \ + --hash=sha256:d84db86038507c86bfa148c9b6dde5a17b8b2e529eecbf1ca427c367043a56e8 \ + --hash=sha256:e0841fe0aa865694468243b682792d6649a9eaaeec103984a74fcf4289851a83 \ + --hash=sha256:e5507e1fee9caa19e2525d280016af8f4404affaad1a7c08beb7060797bd7972 \ + --hash=sha256:e5ef97b6e945e77575d07dc2158773313aa1b36ddab41c59a1c51803b4620abd \ + --hash=sha256:e67a36da1ca3501933f26bd65589b7a5abdf5cfed79fd419054a0924f79fa760 \ + --hash=sha256:eaf20f8141646b1db73f36711960d1bdf96435fbce670417e0754b15fbc52e76 \ + --hash=sha256:ecb781e41b08b094742137f56740acebedc29a18480a37c16d5dfed2aef0597a \ + --hash=sha256:fd70b60d6b62df3d232e6c4f6c061c6bb5e071af88fe6323487d0b3b97ac87d2 \ + --hash=sha256:fddc8f3216199f47f2370f8a22ecc10a4e0b5c434eeab0ec47a79fb292e5a6f8 \ + --hash=sha256:ff704d5b2c66e15aee1f34c74d8a44f0b613e9205d69c22172ffa056f9791db4 # via -r requirements.txt -idna==3.7 \ - --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \ - --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0 +idna==3.8 \ + 
--hash=sha256:050b4e5baadcd44d760cedbd2b8e639f2ff89bbc7a5730fcc662954303377aac \ + --hash=sha256:d838c2c0ed6fced7693d5e8ab8e734d5f8fda53a039c0164afb0b82e771e3603 # via # -r requirements.txt # requests @@ -489,9 +489,9 @@ pyopenssl==24.2.1 \ --hash=sha256:4247f0dbe3748d560dcbb2ff3ea01af0f9a1a001ef5f7c4c647956ed8cbf0e95 \ --hash=sha256:967d5719b12b243588573f39b0c677637145c7a1ffedcd495a487e58177fbb8d # via -r requirements.txt -pyparsing==3.1.2 \ - --hash=sha256:a1bac0ce561155ecc3ed78ca94d3c9378656ad4c94c1270de543f621420f94ad \ - --hash=sha256:f9db75911801ed778fe61bb643079ff86601aca99fcae6345aa67292038fb742 +pyparsing==3.1.4 \ + --hash=sha256:a6a7ee4235a3f944aa1fa2249307708f893fe5717dc603503c6c7969c070fb7c \ + --hash=sha256:f86ec8d1a83f11977c9a6ea7598e8c27fc5cddfa5b07ea2241edbbde1d7bc032 # via -r requirements.txt pytest==8.3.2 \ --hash=sha256:4ba08f9ae7dcf84ded419494d229b48d0903ea6407b030eaec46df5e6a73bba5 \ From ac5bd15ecbfd698e11224ca65e72306eff048dfc Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 08:45:06 +0000 Subject: [PATCH 13/83] Bump the go group with 4 updates (#6287) Bumps the go group with 4 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2), [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang), [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) and [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.27.29 to 1.27.30 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.29...config/v1.27.30) Updates `github.com/prometheus/client_golang` from 1.20.1 to 1.20.2 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.20.1...v1.20.2) Updates `go.opentelemetry.io/otel` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.28.0...v1.29.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.28.0 to 1.29.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.28.0...v1.29.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: 
github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> --- go.mod | 26 +++++++++++++------------- go.sum | 52 ++++++++++++++++++++++++++-------------------------- 2 files changed, 39 insertions(+), 39 deletions(-) diff --git a/go.mod b/go.mod index ea59ac2519..8c36b1b985 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/nginxinc/kubernetes-ingress go 1.22.5 require ( - github.com/aws/aws-sdk-go-v2/config v1.27.29 + github.com/aws/aws-sdk-go-v2/config v1.27.30 github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.4 github.com/cert-manager/cert-manager v1.15.3 github.com/dlclark/regexp2 v1.11.4 @@ -19,11 +19,11 @@ require ( github.com/nginxinc/nginx-prometheus-exporter v1.3.0 github.com/nginxinc/nginx-service-mesh v1.7.0 github.com/nginxinc/telemetry-exporter v0.1.1 - github.com/prometheus/client_golang v1.20.1 + github.com/prometheus/client_golang v1.20.2 github.com/spiffe/go-spiffe/v2 v2.3.0 github.com/stretchr/testify v1.9.0 - go.opentelemetry.io/otel v1.28.0 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 + go.opentelemetry.io/otel v1.29.0 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 k8s.io/api v0.31.0 k8s.io/apimachinery v0.31.0 
@@ -79,7 +79,7 @@ require ( github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect - github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect + github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect 
@@ -113,25 +113,25 @@ require ( go.etcd.io/etcd/client/v3 v3.5.14 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect - go.opentelemetry.io/otel/metric v1.28.0 // indirect - go.opentelemetry.io/otel/sdk v1.28.0 // indirect - go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 // indirect + go.opentelemetry.io/otel/metric v1.29.0 // indirect + go.opentelemetry.io/otel/sdk v1.29.0 // indirect + go.opentelemetry.io/otel/trace v1.29.0 // indirect go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect golang.org/x/crypto v0.26.0 // indirect golang.org/x/mod v0.20.0 // indirect golang.org/x/net v0.28.0 // indirect - golang.org/x/oauth2 v0.21.0 // indirect + golang.org/x/oauth2 v0.22.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.23.0 // indirect + golang.org/x/sys v0.24.0 // indirect golang.org/x/term v0.23.0 // indirect golang.org/x/text v0.17.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect google.golang.org/grpc v1.65.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect diff --git a/go.sum b/go.sum index fae07a66a7..188c00b164 100644 --- a/go.sum +++ b/go.sum 
@@ -6,8 +6,8 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8= github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= -github.com/aws/aws-sdk-go-v2/config v1.27.29 h1:+ZPKb3u9Up4KZWLGTtpTmC5T3XmRD1ZQ8XQjRCHUvJw= -github.com/aws/aws-sdk-go-v2/config v1.27.29/go.mod h1:yxqvuubha9Vw8stEgNiStO+yZpP68Wm9hLmcm+R/Qk4= +github.com/aws/aws-sdk-go-v2/config v1.27.30 h1:AQF3/+rOgeJBQP3iI4vojlPib5X6eeOYoa/af7OxAYg= +github.com/aws/aws-sdk-go-v2/config v1.27.30/go.mod h1:yxqvuubha9Vw8stEgNiStO+yZpP68Wm9hLmcm+R/Qk4= github.com/aws/aws-sdk-go-v2/credentials v1.17.29 h1:CwGsupsXIlAFYuDVHv1nnK0wnxO0wZ/g1L8DSK/xiIw= github.com/aws/aws-sdk-go-v2/credentials v1.17.29/go.mod h1:BPJ/yXV92ZVq6G8uYvbU0gSl8q94UB63nMT5ctNO38g= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 h1:yjwoSyDZF8Jth+mUk5lSPJCkMC0lMy6FaCD51jm6ayE= 
@@ -135,8 +135,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I= github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= 
@@ -214,8 +214,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.20.1 h1:IMJXHOD6eARkQpxo8KkhgEVFlBNm+nkrFUyGlIu7Na8= -github.com/prometheus/client_golang v1.20.1/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg= +github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= 
@@ -287,18 +287,18 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.5
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
-go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
-go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
-go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
-go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
+go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 h1:dIIDULZJpgdiHz5tXrTgKIMLkus6jEFa7x5SOKcyR7E=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0/go.mod h1:jlRVBe7+Z1wyxFSUs48L6OBQZ5JwH2Hg/Vbl+t9rAgI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0 h1:nSiV3s7wiCam610XcLbYOmMfJxB9gO4uK3Xgv5gmTgg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0/go.mod h1:hKn/e/Nmd19/x1gvIHwtOwVWM+VhuITSWip3JUDghj0=
+go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
+go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
+go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo=
+go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok=
+go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
+go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
 go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
 go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -338,8 +338,8 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
 golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA=
+golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -360,8 +360,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
-golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
+golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -394,10 +394,10 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda h1:wu/KJm9KJwpfHWhkkZGohVC6KRrc1oJNr4jwtQMOQXw=
 google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda/go.mod h1:g2LLCvCeCSir/JJSWosk19BR4NVxGqHUC6rxIRsd7Aw=
-google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0=
-google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo=
+google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd h1:6TEm2ZxXoQmFWFlt1vNxvVOa1Q0dXFQD1m/rYjXmS0E=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
 google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
 google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
From cb027b60226988f5943da356ec1b1205cc7646cc Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 15:04:59 +0000 Subject: [PATCH 14/83] [pre-commit.ci] pre-commit autoupdate (#6289) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a4703ca764..e8e785c539 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -44,7 +44,7 @@ repos: pass_filenames: false - repo: https://github.com/golangci/golangci-lint - rev: v1.60.1 + rev: v1.60.3 hooks: - id: golangci-lint args: [--new-from-patch=/tmp/diff.patch] @@ -77,7 +77,7 @@ repos: ] - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.29.1 + rev: 0.29.2 hooks: - id: check-jsonschema name: "Check Helm Chart JSON Schema" From 4ed6c5be03b4da08339164e23f00b9059ca83c4e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 27 Aug 2024 15:09:14 +0000 Subject: [PATCH 15/83] Bump github/codeql-action from 3.26.4 to 3.26.5 in the actions group (#6288) Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 3.26.4 to 3.26.5 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f0f3afee809481da311ca3a6ff1ff51d81dbeb24...2c779ab0d087cd7fe7b826087247c2c81f27bfa6) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Fenlon --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/image-promotion.yml | 8 ++++---- .github/workflows/scorecards.yml | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b7dc3b23a5..2f25210c08 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -70,7 +70,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 + uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -89,7 +89,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 + uses: github/codeql-action/autobuild@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -102,6 +102,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 + uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index e9db66e63d..0ec13f6138 100644 
--- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -143,7 +143,7 @@ jobs: fi - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 if: steps.check-sarif.outputs.sarif_has_results == 'true' with: sarif_file: govulncheck.sarif @@ -466,7 +466,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: sarif_file: "${{ steps.directory.outputs.directory }}/" @@ -556,7 +556,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: sarif_file: "${{ steps.directory.outputs.directory }}/" @@ -653,7 +653,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: sarif_file: "${{ steps.directory.outputs.directory }}/" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index ac39ba6289..5f01728fdb 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: sarif_file: results.sarif 
From 135f110ba4b12d7819881cdfdce8d5ec679aaf72 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Tue, 27 Aug 2024 18:53:38 -0700 Subject: [PATCH 16/83] Docker image update 5a227c6f (#6290) Update docker images 5a227c6f --- build/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index a03f6a4e49..f91413fca0 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -11,8 +11,8 @@ ARG PACKAGE_REPO=pkgs.nginx.com ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1@sha256:b4cdec38ce7eb975dd0cdbc8c111e011349f4c8b3a04a7a2166e68875983c108 AS opentracing-lib -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1-alpine@sha256:97a8501241d63fb484c18db7f4039b8441044ecaf4a074f58bdee660d9913362 AS alpine-opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1@sha256:9467a2ef495e938f37b3001e350c42ca0c10401e33dc2a0d0ddde7b221e47e82 AS opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1-alpine@sha256:df2f20a532abb4907219072458489008987a1ea6fea4c92604543e93b771c5ed AS alpine-opentracing-lib FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e2bd639b269ec54343ea66b7acbdb0eb67bed44383e1be937c483c451d AS ubi-ppc64le FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 From 47699632989feea66102ee5f1f8e808f527d71c3 Mon Sep 17 00:00:00 2001 
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 28 Aug 2024 09:52:57 +0100 Subject: [PATCH 17/83] refactor App Protect WAF controller (#6263) --- internal/k8s/appprotect_dos.go | 7 - internal/k8s/appprotect_waf.go | 511 ++++++++++++++++++++++++++++ internal/k8s/appprotect_waf_test.go | 427 +++++++++++++++++++++++ internal/k8s/controller.go | 414 ---------------------- internal/k8s/controller_test.go | 418 ----------------------- internal/k8s/handlers.go | 81 ----- 6 files changed, 938 insertions(+), 920 deletions(-) create mode 100644 internal/k8s/appprotect_waf.go create mode 100644 internal/k8s/appprotect_waf_test.go diff --git a/internal/k8s/appprotect_dos.go b/internal/k8s/appprotect_dos.go index 2827a654d1..fe97548979 100644 --- a/internal/k8s/appprotect_dos.go +++ b/internal/k8s/appprotect_dos.go @@ -1,10 +1,3 @@ -/** - * Copyright (c) F5, Inc. - * - * This source code is licensed under the Apache License, Version 2.0 license found in the - * LICENSE file in the root directory of this source tree. - */ - package k8s import ( diff --git a/internal/k8s/appprotect_waf.go b/internal/k8s/appprotect_waf.go new file mode 100644 index 0000000000..d313f6a669 --- /dev/null +++ b/internal/k8s/appprotect_waf.go 
@@ -0,0 +1,511 @@
+package k8s
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/golang/glog"
+ "github.com/nginxinc/kubernetes-ingress/internal/configs"
+ "github.com/nginxinc/kubernetes-ingress/internal/k8s/appprotect"
+ "github.com/nginxinc/kubernetes-ingress/internal/k8s/appprotectcommon"
+ conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1"
+ api_v1 "k8s.io/api/core/v1"
+ networking "k8s.io/api/networking/v1"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+ "k8s.io/client-go/tools/cache"
+)
+
+func createAppProtectPolicyHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs {
+ handlers := cache.ResourceEventHandlerFuncs{
+ AddFunc: func(obj interface{}) {
+ pol := obj.(*unstructured.Unstructured)
+ glog.V(3).Infof("Adding AppProtectPolicy: %v", pol.GetName())
+ lbc.AddSyncQueue(pol)
+ },
+ UpdateFunc: func(oldObj, obj interface{}) {
+ oldPol := oldObj.(*unstructured.Unstructured)
+ newPol := obj.(*unstructured.Unstructured)
+ different, err := areResourcesDifferent(oldPol, newPol)
+ if err != nil {
+ glog.V(3).Infof("Error when comparing policy %v", err)
+ lbc.AddSyncQueue(newPol)
+ }
+ if different {
+ glog.V(3).Infof("ApPolicy %v changed, syncing", oldPol.GetName())
+ lbc.AddSyncQueue(newPol)
+ }
+ },
+ DeleteFunc: func(obj interface{}) {
+ lbc.AddSyncQueue(obj)
+ },
+ }
+ return handlers
+}
+
+func createAppProtectLogConfHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs {
+ handlers := cache.ResourceEventHandlerFuncs{
+ AddFunc: func(obj interface{}) {
+ conf := obj.(*unstructured.Unstructured)
+ glog.V(3).Infof("Adding AppProtectLogConf: %v", conf.GetName())
+ lbc.AddSyncQueue(conf)
+ },
+ UpdateFunc: func(oldObj, obj interface{}) {
+ oldConf := oldObj.(*unstructured.Unstructured)
+ newConf := obj.(*unstructured.Unstructured)
+ different, err := areResourcesDifferent(oldConf, newConf)
+ if err != nil {
+ glog.V(3).Infof("Error when comparing LogConfs %v", err)
+ lbc.AddSyncQueue(newConf)
+ }
+ if different {
+ glog.V(3).Infof("ApLogConf %v changed, syncing", oldConf.GetName())
+ lbc.AddSyncQueue(newConf)
+ }
+ },
+ DeleteFunc: func(obj interface{}) {
+ lbc.AddSyncQueue(obj)
+ },
+ }
+ return handlers
+}
+
+func createAppProtectUserSigHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs {
+ handlers := cache.ResourceEventHandlerFuncs{
+ AddFunc: func(obj interface{}) {
+ sig := obj.(*unstructured.Unstructured)
+ glog.V(3).Infof("Adding AppProtectUserSig: %v", sig.GetName())
+ lbc.AddSyncQueue(sig)
+ },
+ UpdateFunc: func(oldObj, obj interface{}) {
+ oldSig := oldObj.(*unstructured.Unstructured)
+ newSig := obj.(*unstructured.Unstructured)
+ different, err := areResourcesDifferent(oldSig, newSig)
+ if err != nil {
+ glog.V(3).Infof("Error when comparing UserSigs %v", err)
+ lbc.AddSyncQueue(newSig)
+ }
+ if different {
+ glog.V(3).Infof("ApUserSig %v changed, syncing", oldSig.GetName())
+ lbc.AddSyncQueue(newSig)
+ }
+ },
+ DeleteFunc: func(obj interface{}) {
+ lbc.AddSyncQueue(obj)
+ },
+ }
+ return handlers
+}
+
+// addAppProtectPolicyHandler creates dynamic informers for custom appprotect policy resource
+func (nsi *namespacedInformer) addAppProtectPolicyHandler(handlers cache.ResourceEventHandlerFuncs) {
+ informer := nsi.dynInformerFactory.ForResource(appprotect.PolicyGVR).Informer()
+ informer.AddEventHandler(handlers) //nolint:errcheck,gosec
+ nsi.appProtectPolicyLister = informer.GetStore()
+
+ nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced)
+}
+
+// addAppProtectLogConfHandler creates dynamic informer for custom appprotect logging config resource
+func (nsi *namespacedInformer) addAppProtectLogConfHandler(handlers cache.ResourceEventHandlerFuncs) {
+ informer := nsi.dynInformerFactory.ForResource(appprotect.LogConfGVR).Informer()
+ informer.AddEventHandler(handlers) //nolint:errcheck,gosec
+ nsi.appProtectLogConfLister = informer.GetStore()
+
+ nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced)
+}
+
+// addAppProtectUserSigHandler creates dynamic informer for custom appprotect user defined signature resource
+func (nsi *namespacedInformer) addAppProtectUserSigHandler(handlers cache.ResourceEventHandlerFuncs) {
+ informer := nsi.dynInformerFactory.ForResource(appprotect.UserSigGVR).Informer()
+ informer.AddEventHandler(handlers) //nolint:errcheck,gosec
+ nsi.appProtectUserSigLister = informer.GetStore()
+
+ nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced)
+}
+
+func (lbc *LoadBalancerController) syncAppProtectPolicy(task task) {
+ key := task.Key
+ glog.V(3).Infof("Syncing AppProtectPolicy %v", key)
+
+ var obj interface{}
+ var polExists bool
+ var err error
+
+ ns, _, _ := cache.SplitMetaNamespaceKey(key)
+ obj, polExists, err = lbc.getNamespacedInformer(ns).appProtectPolicyLister.GetByKey(key)
+ if err != nil {
+ lbc.syncQueue.Requeue(task, err)
+ return
+ }
+
+ var changes []appprotect.Change
+ var problems []appprotect.Problem
+
+ if !polExists {
+ glog.V(2).Infof("Deleting AppProtectPolicy: %v\n", key)
+
+ changes, problems = lbc.appProtectConfiguration.DeletePolicy(key)
+ } else {
+ glog.V(2).Infof("Adding or Updating AppProtectPolicy: %v\n", key)
+
+ changes, problems = lbc.appProtectConfiguration.AddOrUpdatePolicy(obj.(*unstructured.Unstructured))
+ }
+
+ lbc.processAppProtectChanges(changes)
+ lbc.processAppProtectProblems(problems)
+}
+
+func (lbc *LoadBalancerController) syncAppProtectLogConf(task task) {
+ key := task.Key
+ glog.V(3).Infof("Syncing AppProtectLogConf %v", key)
+ var obj interface{}
+ var confExists bool
+ var err error
+
+ ns, _, _ := cache.SplitMetaNamespaceKey(key)
+ obj, confExists, err = lbc.getNamespacedInformer(ns).appProtectLogConfLister.GetByKey(key)
+ if err != nil {
+ lbc.syncQueue.Requeue(task, err)
+ return
+ }
+
+ var changes []appprotect.Change
+ var problems []appprotect.Problem
+
+ if !confExists {
+ glog.V(2).Infof("Deleting AppProtectLogConf: %v\n", key)
+
+ changes, problems = lbc.appProtectConfiguration.DeleteLogConf(key)
+ } else {
+ glog.V(2).Infof("Adding or Updating AppProtectLogConf: %v\n", key)
+
+ changes, problems = lbc.appProtectConfiguration.AddOrUpdateLogConf(obj.(*unstructured.Unstructured))
+ }
+
+ lbc.processAppProtectChanges(changes)
+ lbc.processAppProtectProblems(problems)
+}
+
+func (lbc *LoadBalancerController) syncAppProtectUserSig(task task) {
+ key := task.Key
+ glog.V(3).Infof("Syncing AppProtectUserSig %v", key)
+ var obj interface{}
+ var sigExists bool
+ var err error
+
+ ns, _, _ := cache.SplitMetaNamespaceKey(key)
+ obj, sigExists, err = lbc.getNamespacedInformer(ns).appProtectUserSigLister.GetByKey(key)
+ if err != nil {
+ lbc.syncQueue.Requeue(task, err)
+ return
+ }
+
+ var change appprotect.UserSigChange
+ var problems []appprotect.Problem
+
+ if !sigExists {
+ glog.V(2).Infof("Deleting AppProtectUserSig: %v\n", key)
+
+ change, problems = lbc.appProtectConfiguration.DeleteUserSig(key)
+ } else {
+ glog.V(2).Infof("Adding or Updating AppProtectUserSig: %v\n", key)
+
+ change, problems = lbc.appProtectConfiguration.AddOrUpdateUserSig(obj.(*unstructured.Unstructured))
+ }
+
+ lbc.processAppProtectUserSigChange(change)
+ lbc.processAppProtectProblems(problems)
+}
+
+func getWAFPoliciesForAppProtectPolicy(pols []*conf_v1.Policy, key string) []*conf_v1.Policy {
+ var policies []*conf_v1.Policy
+
+ for _, pol := range pols {
+ if pol.Spec.WAF != nil && isMatchingResourceRef(pol.Namespace, pol.Spec.WAF.ApPolicy, key) {
+ policies = append(policies, pol)
+ }
+ }
+
+ return policies
+}
+
+func getWAFPoliciesForAppProtectLogConf(pols []*conf_v1.Policy, key string) []*conf_v1.Policy {
+ var policies []*conf_v1.Policy
+
+ for _, pol := range pols {
+ if pol.Spec.WAF != nil && pol.Spec.WAF.SecurityLog != nil && isMatchingResourceRef(pol.Namespace, pol.Spec.WAF.SecurityLog.ApLogConf, key) {
+ policies = append(policies, pol)
+ }
+ if pol.Spec.WAF != nil && pol.Spec.WAF.SecurityLogs != nil {
+ for _, logConf := range pol.Spec.WAF.SecurityLogs {
+ if isMatchingResourceRef(pol.Namespace, logConf.ApLogConf, key) {
+ policies = append(policies, pol)
+ }
+ }
+ }
+ }
+
+ return policies
+}
+
+func isMatchingResourceRef(ownerNs, resRef, key string) bool {
+ hasNamespace := strings.Contains(resRef, "/")
+ if !hasNamespace {
+ resRef = fmt.Sprintf("%v/%v", ownerNs, resRef)
+ }
+ return resRef == key
+}
+
+// addWAFPolicyRefs ensures the app protect resources that are referenced in policies exist.
+// nolint:gocyclo
+func (lbc *LoadBalancerController) addWAFPolicyRefs(
+ apPolRef, logConfRef map[string]*unstructured.Unstructured,
+ policies []*conf_v1.Policy,
+) error {
+ for _, pol := range policies {
+ if pol.Spec.WAF == nil {
+ continue
+ }
+
+ if pol.Spec.WAF.ApPolicy != "" {
+ apPolKey := pol.Spec.WAF.ApPolicy
+ if !strings.Contains(pol.Spec.WAF.ApPolicy, "/") {
+ apPolKey = fmt.Sprintf("%v/%v", pol.Namespace, apPolKey)
+ }
+
+ apPolicy, err := lbc.appProtectConfiguration.GetAppResource(appprotect.PolicyGVK.Kind, apPolKey)
+ if err != nil {
+ return fmt.Errorf("WAF policy %q is invalid: %w", apPolKey, err)
+ }
+ apPolRef[apPolKey] = apPolicy
+ }
+
+ if pol.Spec.WAF.SecurityLog != nil && pol.Spec.WAF.SecurityLogs == nil {
+ if pol.Spec.WAF.SecurityLog.ApLogConf != "" {
+ logConfKey := pol.Spec.WAF.SecurityLog.ApLogConf
+ if !strings.Contains(pol.Spec.WAF.SecurityLog.ApLogConf, "/") {
+ logConfKey = fmt.Sprintf("%v/%v", pol.Namespace, logConfKey)
+ }
+
+ logConf, err := lbc.appProtectConfiguration.GetAppResource(appprotect.LogConfGVK.Kind, logConfKey)
+ if err != nil {
+ return fmt.Errorf("WAF policy %q is invalid: %w", logConfKey, err)
+ }
+ logConfRef[logConfKey] = logConf
+ }
+ }
+
+ if pol.Spec.WAF.SecurityLogs != nil {
+ for _, SecLog := range pol.Spec.WAF.SecurityLogs {
+ if SecLog.ApLogConf != "" {
+ logConfKey := SecLog.ApLogConf
+ if !strings.Contains(SecLog.ApLogConf, "/") {
+ logConfKey = fmt.Sprintf("%v/%v", pol.Namespace, logConfKey)
+ }
+
+ logConf, err := lbc.appProtectConfiguration.GetAppResource(appprotect.LogConfGVK.Kind, logConfKey)
+ if err != nil {
+ return fmt.Errorf("WAF policy %q is invalid: %w", logConfKey, err)
+ }
+ logConfRef[logConfKey] = logConf
+ }
+ }
+ }
+ }
+ return nil
+}
+
+func (lbc *LoadBalancerController) getAppProtectLogConfAndDst(ing *networking.Ingress) ([]configs.AppProtectLog, error) {
+ var apLogs []configs.AppProtectLog
+ if _, exists := ing.Annotations[configs.AppProtectLogConfDstAnnotation]; !exists {
+ return apLogs, fmt.Errorf("error: %v requires %v in %v", configs.AppProtectLogConfAnnotation, configs.AppProtectLogConfDstAnnotation, ing.Name)
+ }
+
+ logDsts := strings.Split(ing.Annotations[configs.AppProtectLogConfDstAnnotation], ",")
+ logConfNsNs := appprotectcommon.ParseResourceReferenceAnnotationList(ing.Namespace, ing.Annotations[configs.AppProtectLogConfAnnotation])
+ if len(logDsts) != len(logConfNsNs) {
+ return apLogs, fmt.Errorf("error Validating App Protect Destination and Config for Ingress %v: LogConf and LogDestination must have equal number of items", ing.Name)
+ }
+
+ for i, logConfNsN := range logConfNsNs {
+ logConf, err := lbc.appProtectConfiguration.GetAppResource(appprotect.LogConfGVK.Kind, logConfNsN)
+ if err != nil {
+ return apLogs, fmt.Errorf("error retrieving App Protect Log Config for Ingress %v: %w", ing.Name, err)
+ }
+ apLogs = append(apLogs, configs.AppProtectLog{
+ LogConf: logConf,
+ Dest: logDsts[i],
+ })
+ }
+
+ return apLogs, nil
+}
+
+func (lbc *LoadBalancerController) getAppProtectPolicy(ing *networking.Ingress) (apPolicy *unstructured.Unstructured, err error) {
+ polNsN := appprotectcommon.ParseResourceReferenceAnnotation(ing.Namespace, ing.Annotations[configs.AppProtectPolicyAnnotation])
+
+ apPolicy, err = lbc.appProtectConfiguration.GetAppResource(appprotect.PolicyGVK.Kind, polNsN)
+ if err != nil {
+ return nil, fmt.Errorf("error retrieving App Protect Policy for Ingress %v: %w", ing.Name, err)
+ }
+
+ return apPolicy, nil
+}
+
+func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect.Change) {
+ glog.V(3).Infof("Processing %v App Protect changes", len(changes))
+
+ for _, c := range changes {
+ if c.Op == appprotect.AddOrUpdate {
+ switch impl := c.Resource.(type) {
+ case *appprotect.PolicyEx:
+ namespace := impl.Obj.GetNamespace()
+ name := impl.Obj.GetName()
+ resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(namespace, name)
+
+ for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), namespace+"/"+name) {
+ resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
+ }
+
+ resourceExes := lbc.createExtendedResources(resources)
+
+ warnings, updateErr := lbc.configurator.AddOrUpdateAppProtectResource(impl.Obj, resourceExes.IngressExes, resourceExes.MergeableIngresses, resourceExes.VirtualServerExes)
+ lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr)
+ lbc.recorder.Eventf(impl.Obj, api_v1.EventTypeNormal, "AddedOrUpdated", "AppProtectPolicy %v was added or updated", namespace+"/"+name)
+ case *appprotect.LogConfEx:
+ namespace := impl.Obj.GetNamespace()
+ name := impl.Obj.GetName()
+ resources := lbc.configuration.FindResourcesForAppProtectLogConfAnnotation(namespace, name)
+
+ for _, wafPol := range getWAFPoliciesForAppProtectLogConf(lbc.getAllPolicies(), namespace+"/"+name) {
+ resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
+ }
+
+ resourceExes := lbc.createExtendedResources(resources)
+
+ warnings, updateErr := lbc.configurator.AddOrUpdateAppProtectResource(impl.Obj, resourceExes.IngressExes, resourceExes.MergeableIngresses, resourceExes.VirtualServerExes)
+ lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr)
+ lbc.recorder.Eventf(impl.Obj, api_v1.EventTypeNormal, "AddedOrUpdated", "AppProtectLogConfig %v was added or updated", namespace+"/"+name)
+ }
+ } else if c.Op == appprotect.Delete {
+ switch impl := c.Resource.(type) {
+ case *appprotect.PolicyEx:
+ namespace := impl.Obj.GetNamespace()
+ name := impl.Obj.GetName()
+ resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(namespace, name)
+
+ for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), namespace+"/"+name) {
+ resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
+ }
+
+ resourceExes := lbc.createExtendedResources(resources)
+
+ warnings, deleteErr := lbc.configurator.DeleteAppProtectPolicy(impl.Obj, resourceExes.IngressExes, resourceExes.MergeableIngresses, resourceExes.VirtualServerExes)
+
+ lbc.updateResourcesStatusAndEvents(resources, warnings, deleteErr)
+
+ case *appprotect.LogConfEx:
+ namespace := impl.Obj.GetNamespace()
+ name := impl.Obj.GetName()
+ resources := lbc.configuration.FindResourcesForAppProtectLogConfAnnotation(namespace, name)
+
+ for _, wafPol := range getWAFPoliciesForAppProtectLogConf(lbc.getAllPolicies(), namespace+"/"+name) {
+ resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
+ }
+
+ resourceExes := lbc.createExtendedResources(resources)
+
+ warnings, deleteErr := lbc.configurator.DeleteAppProtectLogConf(impl.Obj, resourceExes.IngressExes, resourceExes.MergeableIngresses, resourceExes.VirtualServerExes)
+
+ lbc.updateResourcesStatusAndEvents(resources, warnings, deleteErr)
+ }
+ }
+ }
+}
+
+func (lbc *LoadBalancerController) processAppProtectUserSigChange(change appprotect.UserSigChange) {
+ var delPols []string
+ var allIngExes []*configs.IngressEx
+ var allMergeableIngresses []*configs.MergeableIngresses
+ var allVsExes []*configs.VirtualServerEx
+ var allResources []Resource
+
+ for _, poladd := range change.PolicyAddsOrUpdates {
+ resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(poladd.GetNamespace(), poladd.GetName())
+
+ for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), appprotectcommon.GetNsName(poladd)) {
+ resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
+ }
+
+ resourceExes := lbc.createExtendedResources(resources)
+ allIngExes = append(allIngExes, resourceExes.IngressExes...)
+ allMergeableIngresses = append(allMergeableIngresses, resourceExes.MergeableIngresses...)
+ allVsExes = append(allVsExes, resourceExes.VirtualServerExes...)
+ allResources = append(allResources, resources...)
+ }
+ for _, poldel := range change.PolicyDeletions {
+ resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(poldel.GetNamespace(), poldel.GetName())
+
+ polNsName := appprotectcommon.GetNsName(poldel)
+ for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), polNsName) {
+ resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...)
+ }
+
+ resourceExes := lbc.createExtendedResources(resources)
+ allIngExes = append(allIngExes, resourceExes.IngressExes...)
+ allMergeableIngresses = append(allMergeableIngresses, resourceExes.MergeableIngresses...)
+ allVsExes = append(allVsExes, resourceExes.VirtualServerExes...)
+ allResources = append(allResources, resources...)
+ if len(resourceExes.IngressExes)+len(resourceExes.MergeableIngresses)+len(resourceExes.VirtualServerExes) > 0 {
+ delPols = append(delPols, polNsName)
+ }
+ }
+
+ warnings, err := lbc.configurator.RefreshAppProtectUserSigs(change.UserSigs, delPols, allIngExes, allMergeableIngresses, allVsExes)
+ if err != nil {
+ glog.Errorf("Error when refreshing App Protect Policy User defined signatures: %v", err)
+ }
+ lbc.updateResourcesStatusAndEvents(allResources, warnings, err)
+}
+
+func (lbc *LoadBalancerController) processAppProtectProblems(problems []appprotect.Problem) {
+ glog.V(3).Infof("Processing %v App Protect problems", len(problems))
+
+ for _, p := range problems {
+ eventType := api_v1.EventTypeWarning
+ lbc.recorder.Event(p.Object, eventType, p.Reason, p.Message)
+ }
+}
+
+func (lbc *LoadBalancerController) cleanupUnwatchedAppWafResources(nsi *namespacedInformer) {
+ for _, obj := range nsi.appProtectPolicyLister.List() {
+ glog.V(3).Infof("Cleaning up unwatched appprotect policies in namespace: %v", nsi.namespace)
+ appPol := obj.((*unstructured.Unstructured))
+ namespace := appPol.GetNamespace()
+ name := appPol.GetName()
+
+ changes, problems := lbc.appProtectConfiguration.DeletePolicy(namespace + "/" + name)
+ lbc.processAppProtectChanges(changes)
+ lbc.processAppProtectProblems(problems)
+ }
+ for _, obj := range nsi.appProtectLogConfLister.List() {
+ glog.V(3).Infof("Cleaning up unwatched approtect logconfs in namespace: %v", nsi.namespace)
+ appLogConf := obj.((*unstructured.Unstructured))
+ namespace := appLogConf.GetNamespace()
+ name := appLogConf.GetName()
+
+ changes, problems := lbc.appProtectConfiguration.DeleteLogConf(namespace + "/" + name)
+ lbc.processAppProtectChanges(changes)
+ lbc.processAppProtectProblems(problems)
+ }
+ for _, obj := range nsi.appProtectUserSigLister.List() {
+ glog.V(3).Infof("Cleaning up unwatched usersigs in namespace: %v", nsi.namespace)
+ appUserSig := obj.((*unstructured.Unstructured))
+ namespace := appUserSig.GetNamespace()
+ name := appUserSig.GetName()
+
+ changes, problems := lbc.appProtectConfiguration.DeleteUserSig(namespace + "/" + name)
+ lbc.processAppProtectUserSigChange(changes)
+ lbc.processAppProtectProblems(problems)
+ }
+}
diff --git a/internal/k8s/appprotect_waf_test.go b/internal/k8s/appprotect_waf_test.go
new file mode 100644
index 0000000000..a73ea006e6
--- /dev/null
+++ b/internal/k8s/appprotect_waf_test.go
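Review bot: In `addWAFPolicyRefs` (internal/k8s/appprotect_waf.go) all three lookup failures return `fmt.Errorf("WAF policy %q is invalid: %w", apPolKey, err)` (or the same with `logConfKey`), so the quoted name is the referenced App Protect resource and not the WAF policy that carries the bad reference. Someone investigating why a WAF policy is not being applied is pointed at the wrong object, and the owning policy's namespace and name never appear in the message. Consider naming both, e.g. `return fmt.Errorf("WAF policy %v/%v references invalid App Protect policy %q: %w", pol.Namespace, pol.Name, apPolKey, err)`, with matching wording for the two `logConfKey` branches. Going by the diffstat this code appears to be moved out of controller.go and handlers.go, so existing tests may pin the current text; check them before changing it.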
@@ -0,0 +1,427 @@ +package k8s + +import ( + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/nginxinc/kubernetes-ingress/internal/k8s/appprotect" + conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" +) + +func TestAddWAFPolicyRefs(t *testing.T) { + t.Parallel() + apPol := &unstructured.Unstructured{ + Object: map[string]interface{}{ + "metadata": map[string]interface{}{ + "namespace": "default", + "name": "ap-pol", + }, + }, + } + + logConf := &unstructured.Unstructured{ + Object: map[string]interface{}{ + "metadata": map[string]interface{}{ + "namespace": "default", + "name": "log-conf", + }, + }, + } + + additionalLogConf := &unstructured.Unstructured{ + Object: map[string]interface{}{ + "metadata": map[string]interface{}{ + "namespace": "default", + "name": "additional-log-conf", + }, + }, + } + + tests := []struct { + policies []*conf_v1.Policy + expectedApPolRefs map[string]*unstructured.Unstructured + expectedLogConfRefs map[string]*unstructured.Unstructured + wantErr bool + msg string + }{ + { + policies: []*conf_v1.Policy{ + { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "waf-pol", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "default/ap-pol", + SecurityLog: &conf_v1.SecurityLog{ + Enable: true, + ApLogConf: "log-conf", + }, + }, + }, + }, + }, + expectedApPolRefs: map[string]*unstructured.Unstructured{ + "default/ap-pol": apPol, + }, + expectedLogConfRefs: map[string]*unstructured.Unstructured{ + "default/log-conf": logConf, + }, + wantErr: false, + msg: "base test", + }, + { + policies: []*conf_v1.Policy{ + { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "waf-pol", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "non-existing-ap-pol", + }, + }, + }, + }, + wantErr: true, + expectedApPolRefs: 
make(map[string]*unstructured.Unstructured), + expectedLogConfRefs: make(map[string]*unstructured.Unstructured), + msg: "apPol doesn't exist", + }, + { + policies: []*conf_v1.Policy{ + { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "waf-pol", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "ap-pol", + SecurityLog: &conf_v1.SecurityLog{ + Enable: true, + ApLogConf: "non-existing-log-conf", + }, + }, + }, + }, + }, + wantErr: true, + expectedApPolRefs: map[string]*unstructured.Unstructured{ + "default/ap-pol": apPol, + }, + expectedLogConfRefs: make(map[string]*unstructured.Unstructured), + msg: "logConf doesn't exist", + }, + { + policies: []*conf_v1.Policy{ + { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "waf-pol", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "ap-pol", + SecurityLogs: []*conf_v1.SecurityLog{ + { + Enable: true, + ApLogConf: "log-conf", + }, + }, + }, + }, + }, + }, + wantErr: false, + expectedApPolRefs: map[string]*unstructured.Unstructured{ + "default/ap-pol": apPol, + }, + expectedLogConfRefs: map[string]*unstructured.Unstructured{ + "default/log-conf": logConf, + }, + }, + { + policies: []*conf_v1.Policy{ + { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "waf-pol", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "ap-pol", + SecurityLogs: []*conf_v1.SecurityLog{ + { + Enable: true, + ApLogConf: "log-conf", + }, + { + Enable: true, + ApLogConf: "additional-log-conf", + }, + }, + }, + }, + }, + }, + wantErr: false, + expectedApPolRefs: map[string]*unstructured.Unstructured{ + "default/ap-pol": apPol, + }, + expectedLogConfRefs: map[string]*unstructured.Unstructured{ + "default/log-conf": logConf, + "default/additional-log-conf": additionalLogConf, + }, + }, + { + policies: []*conf_v1.Policy{ + { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "waf-pol", + Namespace: "default", + }, + Spec: 
conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "ap-pol", + SecurityLog: &conf_v1.SecurityLog{ + Enable: true, + ApLogConf: "additional-log-conf", + }, + SecurityLogs: []*conf_v1.SecurityLog{ + { + Enable: true, + ApLogConf: "log-conf", + }, + }, + }, + }, + }, + }, + wantErr: false, + expectedApPolRefs: map[string]*unstructured.Unstructured{ + "default/ap-pol": apPol, + }, + expectedLogConfRefs: map[string]*unstructured.Unstructured{ + "default/log-conf": logConf, + }, + }, + } + + lbc := LoadBalancerController{ + appProtectConfiguration: appprotect.NewFakeConfiguration(), + } + lbc.appProtectConfiguration.AddOrUpdatePolicy(apPol) + lbc.appProtectConfiguration.AddOrUpdateLogConf(logConf) + lbc.appProtectConfiguration.AddOrUpdateLogConf(additionalLogConf) + + for _, test := range tests { + resApPolicy := make(map[string]*unstructured.Unstructured) + resLogConf := make(map[string]*unstructured.Unstructured) + + if err := lbc.addWAFPolicyRefs(resApPolicy, resLogConf, test.policies); (err != nil) != test.wantErr { + t.Errorf("LoadBalancerController.addWAFPolicyRefs() error = %v, wantErr %v", err, test.wantErr) + } + if diff := cmp.Diff(test.expectedApPolRefs, resApPolicy); diff != "" { + t.Errorf("LoadBalancerController.addWAFPolicyRefs() '%v' mismatch (-want +got):\n%s", test.msg, diff) + } + if diff := cmp.Diff(test.expectedLogConfRefs, resLogConf); diff != "" { + t.Errorf("LoadBalancerController.addWAFPolicyRefs() '%v' mismatch (-want +got):\n%s", test.msg, diff) + } + } +} + +func TestGetWAFPoliciesForAppProtectPolicy(t *testing.T) { + t.Parallel() + apPol := &conf_v1.Policy{ + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "ns1/apPol", + }, + }, + } + + apPolNs2 := &conf_v1.Policy{ + ObjectMeta: meta_v1.ObjectMeta{ + Namespace: "ns1", + }, + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "ns2/apPol", + }, + }, + } + + apPolNoNs := &conf_v1.Policy{ + ObjectMeta: meta_v1.ObjectMeta{ + 
Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + ApPolicy: "apPol", + }, + }, + } + + policies := []*conf_v1.Policy{ + apPol, apPolNs2, apPolNoNs, + } + + tests := []struct { + pols []*conf_v1.Policy + key string + want []*conf_v1.Policy + msg string + }{ + { + pols: policies, + key: "ns1/apPol", + want: []*conf_v1.Policy{apPol}, + msg: "WAF pols that ref apPol which has a namespace", + }, + { + pols: policies, + key: "default/apPol", + want: []*conf_v1.Policy{apPolNoNs}, + msg: "WAF pols that ref apPol which has no namespace", + }, + { + pols: policies, + key: "ns2/apPol", + want: []*conf_v1.Policy{apPolNs2}, + msg: "WAF pols that ref apPol which is in another ns", + }, + { + pols: policies, + key: "ns1/apPol-with-no-valid-refs", + want: nil, + msg: "WAF pols where there is no valid ref", + }, + } + for _, test := range tests { + got := getWAFPoliciesForAppProtectPolicy(test.pols, test.key) + if diff := cmp.Diff(test.want, got); diff != "" { + t.Errorf("getWAFPoliciesForAppProtectPolicy() returned unexpected result for the case of: %v (-want +got):\n%s", test.msg, diff) + } + } +} + +func TestGetWAFPoliciesForAppProtectLogConf(t *testing.T) { + t.Parallel() + logConf := &conf_v1.Policy{ + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + SecurityLog: &conf_v1.SecurityLog{ + Enable: true, + ApLogConf: "ns1/logConf", + }, + }, + }, + } + + logConfs := &conf_v1.Policy{ + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + SecurityLogs: []*conf_v1.SecurityLog{ + { + Enable: true, + ApLogConf: "ns1/logConfs", + }, + }, + }, + }, + } + + logConfNs2 := &conf_v1.Policy{ + ObjectMeta: meta_v1.ObjectMeta{ + Namespace: "ns1", + }, + Spec: conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + SecurityLog: &conf_v1.SecurityLog{ + Enable: true, + ApLogConf: "ns2/logConf", + }, + }, + }, + } + + logConfNoNs := &conf_v1.Policy{ + ObjectMeta: meta_v1.ObjectMeta{ + Namespace: "default", + }, + Spec: 
conf_v1.PolicySpec{ + WAF: &conf_v1.WAF{ + Enable: true, + SecurityLog: &conf_v1.SecurityLog{ + Enable: true, + ApLogConf: "logConf", + }, + }, + }, + } + + policies := []*conf_v1.Policy{ + logConf, logConfs, logConfNs2, logConfNoNs, + } + + tests := []struct { + pols []*conf_v1.Policy + key string + want []*conf_v1.Policy + msg string + }{ + { + pols: policies, + key: "ns1/logConf", + want: []*conf_v1.Policy{logConf}, + msg: "WAF pols that ref logConf which has a namespace", + }, + { + pols: policies, + key: "default/logConf", + want: []*conf_v1.Policy{logConfNoNs}, + msg: "WAF pols that ref logConf which has no namespace", + }, + { + pols: policies, + key: "ns1/logConfs", + want: []*conf_v1.Policy{logConfs}, + msg: "WAF pols that ref logConf via logConfs field", + }, + { + pols: policies, + key: "ns2/logConf", + want: []*conf_v1.Policy{logConfNs2}, + msg: "WAF pols that ref logConf which is in another ns", + }, + { + pols: policies, + key: "ns1/logConf-with-no-valid-refs", + want: nil, + msg: "WAF pols where there is no valid logConf ref", + }, + } + for _, test := range tests { + got := getWAFPoliciesForAppProtectLogConf(test.pols, test.key) + if diff := cmp.Diff(test.want, got); diff != "" { + t.Errorf("getWAFPoliciesForAppProtectLogConf() returned unexpected result for the case of: %v (-want +got):\n%s", test.msg, diff) + } + } +} diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 6211a94aa1..44c9394e8a 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -30,7 +30,6 @@ import ( "golang.org/x/exp/maps" "github.com/nginxinc/kubernetes-ingress/internal/k8s/appprotect" - "github.com/nginxinc/kubernetes-ingress/internal/k8s/appprotectcommon" "github.com/nginxinc/kubernetes-ingress/internal/k8s/appprotectdos" "k8s.io/client-go/informers" "k8s.io/client-go/rest" 
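Review bot: Three of the six cases in `TestAddWAFPolicyRefs` in the new `appprotect_waf_test.go` have no `msg`, so a `cmp.Diff` mismatch prints `''` and the failing case cannot be identified; the `wantErr` `t.Errorf` also leaves `test.msg` out. The last case is the one most worth naming: it sets both `SecurityLog` (`additional-log-conf`) and `SecurityLogs` (`log-conf`) and expects only `default/log-conf`, which pins that the single `SecurityLog` entry is not referenced when the list is present. I would add `msg: "SecurityLogs takes precedence over SecurityLog"` with a one-line comment that this precedence is intended, because a log configuration that is silently skipped means security events an operator expects may not be written. Running each case under `t.Run(test.msg, func(t *testing.T) { ... })` would also make failures attributable to a case.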
@@ -508,33 +507,6 @@ func (lbc *LoadBalancerController) AddSyncQueue(item interface{}) { lbc.syncQueue.Enqueue(item) } -// addAppProtectPolicyHandler creates dynamic informers for custom appprotect policy resource -func (nsi *namespacedInformer) addAppProtectPolicyHandler(handlers cache.ResourceEventHandlerFuncs) { - informer := nsi.dynInformerFactory.ForResource(appprotect.PolicyGVR).Informer() - informer.AddEventHandler(handlers) - nsi.appProtectPolicyLister = informer.GetStore() - - nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) -} - -// addAppProtectLogConfHandler creates dynamic informer for custom appprotect logging config resource -func (nsi *namespacedInformer) addAppProtectLogConfHandler(handlers cache.ResourceEventHandlerFuncs) { - informer := nsi.dynInformerFactory.ForResource(appprotect.LogConfGVR).Informer() - informer.AddEventHandler(handlers) - nsi.appProtectLogConfLister = informer.GetStore() - - nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) -} - -// addAppProtectUserSigHandler creates dynamic informer for custom appprotect user defined signature resource -func (nsi *namespacedInformer) addAppProtectUserSigHandler(handlers cache.ResourceEventHandlerFuncs) { - informer := nsi.dynInformerFactory.ForResource(appprotect.UserSigGVR).Informer() - informer.AddEventHandler(handlers) - nsi.appProtectUserSigLister = informer.GetStore() - - nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) -} - // addSecretHandler adds the handler for secrets to the controller func (nsi *namespacedInformer) addSecretHandler(handlers cache.ResourceEventHandlerFuncs) { informer := nsi.secretInformerFactory.Core().V1().Secrets().Informer() 
@@ -1389,39 +1361,6 @@ func (lbc *LoadBalancerController) cleanupUnwatchedNamespacedResources(nsi *name nsi.stop() } -func (lbc *LoadBalancerController) cleanupUnwatchedAppWafResources(nsi *namespacedInformer) { - for _, obj := range nsi.appProtectPolicyLister.List() { - glog.V(3).Infof("Cleaning up unwatched appprotect policies in namespace: %v", nsi.namespace) - appPol := obj.((*unstructured.Unstructured)) - namespace := appPol.GetNamespace() - name := appPol.GetName() - - changes, problems := lbc.appProtectConfiguration.DeletePolicy(namespace + "/" + name) - lbc.processAppProtectChanges(changes) - lbc.processAppProtectProblems(problems) - } - for _, obj := range nsi.appProtectLogConfLister.List() { - glog.V(3).Infof("Cleaning up unwatched approtect logconfs in namespace: %v", nsi.namespace) - appLogConf := obj.((*unstructured.Unstructured)) - namespace := appLogConf.GetNamespace() - name := appLogConf.GetName() - - changes, problems := lbc.appProtectConfiguration.DeleteLogConf(namespace + "/" + name) - lbc.processAppProtectChanges(changes) - lbc.processAppProtectProblems(problems) - } - for _, obj := range nsi.appProtectUserSigLister.List() { - glog.V(3).Infof("Cleaning up unwatched usersigs in namespace: %v", nsi.namespace) - appUserSig := obj.((*unstructured.Unstructured)) - namespace := appUserSig.GetNamespace() - name := appUserSig.GetName() - - changes, problems := lbc.appProtectConfiguration.DeleteUserSig(namespace + "/" + name) - lbc.processAppProtectUserSigChange(changes) - lbc.processAppProtectProblems(problems) - } -} - func (lbc *LoadBalancerController) syncIngressLink(task task) { key := task.Key glog.V(2).Infof("Adding, Updating or Deleting IngressLink: %v", key) 
@@ -1844,131 +1783,6 @@ func (lbc *LoadBalancerController) processChangesFromGlobalConfiguration(changes return updateErr } -func (lbc *LoadBalancerController) processAppProtectChanges(changes []appprotect.Change) { - glog.V(3).Infof("Processing %v App Protect changes", len(changes)) - - for _, c := range changes { - if c.Op == appprotect.AddOrUpdate { - switch impl := c.Resource.(type) { - case *appprotect.PolicyEx: - namespace := impl.Obj.GetNamespace() - name := impl.Obj.GetName() - resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(namespace, name) - - for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), namespace+"/"+name) { - resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...) - } - - resourceExes := lbc.createExtendedResources(resources) - - warnings, updateErr := lbc.configurator.AddOrUpdateAppProtectResource(impl.Obj, resourceExes.IngressExes, resourceExes.MergeableIngresses, resourceExes.VirtualServerExes) - lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr) - lbc.recorder.Eventf(impl.Obj, api_v1.EventTypeNormal, "AddedOrUpdated", "AppProtectPolicy %v was added or updated", namespace+"/"+name) - case *appprotect.LogConfEx: - namespace := impl.Obj.GetNamespace() - name := impl.Obj.GetName() - resources := lbc.configuration.FindResourcesForAppProtectLogConfAnnotation(namespace, name) - - for _, wafPol := range getWAFPoliciesForAppProtectLogConf(lbc.getAllPolicies(), namespace+"/"+name) { - resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...) 
- } - - resourceExes := lbc.createExtendedResources(resources) - - warnings, updateErr := lbc.configurator.AddOrUpdateAppProtectResource(impl.Obj, resourceExes.IngressExes, resourceExes.MergeableIngresses, resourceExes.VirtualServerExes) - lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr) - lbc.recorder.Eventf(impl.Obj, api_v1.EventTypeNormal, "AddedOrUpdated", "AppProtectLogConfig %v was added or updated", namespace+"/"+name) - } - } else if c.Op == appprotect.Delete { - switch impl := c.Resource.(type) { - case *appprotect.PolicyEx: - namespace := impl.Obj.GetNamespace() - name := impl.Obj.GetName() - resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(namespace, name) - - for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), namespace+"/"+name) { - resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...) - } - - resourceExes := lbc.createExtendedResources(resources) - - warnings, deleteErr := lbc.configurator.DeleteAppProtectPolicy(impl.Obj, resourceExes.IngressExes, resourceExes.MergeableIngresses, resourceExes.VirtualServerExes) - - lbc.updateResourcesStatusAndEvents(resources, warnings, deleteErr) - - case *appprotect.LogConfEx: - namespace := impl.Obj.GetNamespace() - name := impl.Obj.GetName() - resources := lbc.configuration.FindResourcesForAppProtectLogConfAnnotation(namespace, name) - - for _, wafPol := range getWAFPoliciesForAppProtectLogConf(lbc.getAllPolicies(), namespace+"/"+name) { - resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...) 
- } - - resourceExes := lbc.createExtendedResources(resources) - - warnings, deleteErr := lbc.configurator.DeleteAppProtectLogConf(impl.Obj, resourceExes.IngressExes, resourceExes.MergeableIngresses, resourceExes.VirtualServerExes) - - lbc.updateResourcesStatusAndEvents(resources, warnings, deleteErr) - } - } - } -} - -func (lbc *LoadBalancerController) processAppProtectUserSigChange(change appprotect.UserSigChange) { - var delPols []string - var allIngExes []*configs.IngressEx - var allMergeableIngresses []*configs.MergeableIngresses - var allVsExes []*configs.VirtualServerEx - var allResources []Resource - - for _, poladd := range change.PolicyAddsOrUpdates { - resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(poladd.GetNamespace(), poladd.GetName()) - - for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), appprotectcommon.GetNsName(poladd)) { - resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...) - } - - resourceExes := lbc.createExtendedResources(resources) - allIngExes = append(allIngExes, resourceExes.IngressExes...) - allMergeableIngresses = append(allMergeableIngresses, resourceExes.MergeableIngresses...) - allVsExes = append(allVsExes, resourceExes.VirtualServerExes...) - allResources = append(allResources, resources...) - } - for _, poldel := range change.PolicyDeletions { - resources := lbc.configuration.FindResourcesForAppProtectPolicyAnnotation(poldel.GetNamespace(), poldel.GetName()) - - polNsName := appprotectcommon.GetNsName(poldel) - for _, wafPol := range getWAFPoliciesForAppProtectPolicy(lbc.getAllPolicies(), polNsName) { - resources = append(resources, lbc.configuration.FindResourcesForPolicy(wafPol.Namespace, wafPol.Name)...) - } - - resourceExes := lbc.createExtendedResources(resources) - allIngExes = append(allIngExes, resourceExes.IngressExes...) - allMergeableIngresses = append(allMergeableIngresses, resourceExes.MergeableIngresses...) 
- allVsExes = append(allVsExes, resourceExes.VirtualServerExes...) - allResources = append(allResources, resources...) - if len(resourceExes.IngressExes)+len(resourceExes.MergeableIngresses)+len(resourceExes.VirtualServerExes) > 0 { - delPols = append(delPols, polNsName) - } - } - - warnings, err := lbc.configurator.RefreshAppProtectUserSigs(change.UserSigs, delPols, allIngExes, allMergeableIngresses, allVsExes) - if err != nil { - glog.Errorf("Error when refreshing App Protect Policy User defined signatures: %v", err) - } - lbc.updateResourcesStatusAndEvents(allResources, warnings, err) -} - -func (lbc *LoadBalancerController) processAppProtectProblems(problems []appprotect.Problem) { - glog.V(3).Infof("Processing %v App Protect problems", len(problems)) - - for _, p := range problems { - eventType := api_v1.EventTypeWarning - lbc.recorder.Event(p.Object, eventType, p.Reason, p.Message) - } -} - func (lbc *LoadBalancerController) updateTransportServerStatusAndEventsOnDelete(tsConfig *TransportServerConfiguration, changeError string, deleteErr error) { eventType := api_v1.EventTypeWarning eventTitle := "Rejected" 
@@ -3048,43 +2862,6 @@ func (lbc *LoadBalancerController) createIngressEx(ing *networking.Ingress, vali return ingEx } -func (lbc *LoadBalancerController) getAppProtectLogConfAndDst(ing *networking.Ingress) ([]configs.AppProtectLog, error) { - var apLogs []configs.AppProtectLog - if _, exists := ing.Annotations[configs.AppProtectLogConfDstAnnotation]; !exists { - return apLogs, fmt.Errorf("error: %v requires %v in %v", configs.AppProtectLogConfAnnotation, configs.AppProtectLogConfDstAnnotation, ing.Name) - } - - logDsts := strings.Split(ing.Annotations[configs.AppProtectLogConfDstAnnotation], ",") - logConfNsNs := appprotectcommon.ParseResourceReferenceAnnotationList(ing.Namespace, ing.Annotations[configs.AppProtectLogConfAnnotation]) - if len(logDsts) != len(logConfNsNs) { - return apLogs, fmt.Errorf("error Validating App Protect Destination and Config for Ingress %v: LogConf and LogDestination must have equal number of items", ing.Name) - } - - for i, logConfNsN := range logConfNsNs { - logConf, err := lbc.appProtectConfiguration.GetAppResource(appprotect.LogConfGVK.Kind, logConfNsN) - if err != nil { - return apLogs, fmt.Errorf("error retrieving App Protect Log Config for Ingress %v: %w", ing.Name, err) - } - apLogs = append(apLogs, configs.AppProtectLog{ - LogConf: logConf, - Dest: logDsts[i], - }) - } - - return apLogs, nil -} - -func (lbc *LoadBalancerController) getAppProtectPolicy(ing *networking.Ingress) (apPolicy *unstructured.Unstructured, err error) { - polNsN := appprotectcommon.ParseResourceReferenceAnnotation(ing.Namespace, ing.Annotations[configs.AppProtectPolicyAnnotation]) - - apPolicy, err = lbc.appProtectConfiguration.GetAppResource(appprotect.PolicyGVK.Kind, polNsN) - if err != nil { - return nil, fmt.Errorf("error retrieving App Protect Policy for Ingress %v: %w", ing.Name, err) - } - - return apPolicy, nil -} - func (lbc *LoadBalancerController) createVirtualServerEx(virtualServer *conf_v1.VirtualServer, virtualServerRoutes 
[]*conf_v1.VirtualServerRoute) *configs.VirtualServerEx { virtualServerEx := configs.VirtualServerEx{ VirtualServer: virtualServer, 
@@ -3582,64 +3359,6 @@ func (lbc *LoadBalancerController) addAPIKeySecretRefs(secretRefs map[string]*se return nil } -// addWAFPolicyRefs ensures the app protect resources that are referenced in policies exist. -func (lbc *LoadBalancerController) addWAFPolicyRefs( - apPolRef, logConfRef map[string]*unstructured.Unstructured, - policies []*conf_v1.Policy, -) error { - for _, pol := range policies { - if pol.Spec.WAF == nil { - continue - } - - if pol.Spec.WAF.ApPolicy != "" { - apPolKey := pol.Spec.WAF.ApPolicy - if !strings.Contains(pol.Spec.WAF.ApPolicy, "/") { - apPolKey = fmt.Sprintf("%v/%v", pol.Namespace, apPolKey) - } - - apPolicy, err := lbc.appProtectConfiguration.GetAppResource(appprotect.PolicyGVK.Kind, apPolKey) - if err != nil { - return fmt.Errorf("WAF policy %q is invalid: %w", apPolKey, err) - } - apPolRef[apPolKey] = apPolicy - } - - if pol.Spec.WAF.SecurityLog != nil && pol.Spec.WAF.SecurityLogs == nil { - if pol.Spec.WAF.SecurityLog.ApLogConf != "" { - logConfKey := pol.Spec.WAF.SecurityLog.ApLogConf - if !strings.Contains(pol.Spec.WAF.SecurityLog.ApLogConf, "/") { - logConfKey = fmt.Sprintf("%v/%v", pol.Namespace, logConfKey) - } - - logConf, err := lbc.appProtectConfiguration.GetAppResource(appprotect.LogConfGVK.Kind, logConfKey) - if err != nil { - return fmt.Errorf("WAF policy %q is invalid: %w", logConfKey, err) - } - logConfRef[logConfKey] = logConf - } - } - - if pol.Spec.WAF.SecurityLogs != nil { - for _, SecLog := range pol.Spec.WAF.SecurityLogs { - if SecLog.ApLogConf != "" { - logConfKey := SecLog.ApLogConf - if !strings.Contains(SecLog.ApLogConf, "/") { - logConfKey = fmt.Sprintf("%v/%v", pol.Namespace, logConfKey) - } - - logConf, err := lbc.appProtectConfiguration.GetAppResource(appprotect.LogConfGVK.Kind, logConfKey) - if err != nil { - return fmt.Errorf("WAF policy %q is invalid: %w", logConfKey, err) - } - logConfRef[logConfKey] = logConf - } - } - } - } - return nil -} - func (lbc *LoadBalancerController) 
getPoliciesForSecret(secretNamespace string, secretName string) []*conf_v1.Policy { return findPoliciesForSecret(lbc.getAllPolicies(), secretNamespace, secretName) } @@ -3668,45 +3387,6 @@ func findPoliciesForSecret(policies []*conf_v1.Policy, secretNamespace string, s return res } -func getWAFPoliciesForAppProtectPolicy(pols []*conf_v1.Policy, key string) []*conf_v1.Policy { - var policies []*conf_v1.Policy - - for _, pol := range pols { - if pol.Spec.WAF != nil && isMatchingResourceRef(pol.Namespace, pol.Spec.WAF.ApPolicy, key) { - policies = append(policies, pol) - } - } - - return policies -} - -func getWAFPoliciesForAppProtectLogConf(pols []*conf_v1.Policy, key string) []*conf_v1.Policy { - var policies []*conf_v1.Policy - - for _, pol := range pols { - if pol.Spec.WAF != nil && pol.Spec.WAF.SecurityLog != nil && isMatchingResourceRef(pol.Namespace, pol.Spec.WAF.SecurityLog.ApLogConf, key) { - policies = append(policies, pol) - } - if pol.Spec.WAF != nil && pol.Spec.WAF.SecurityLogs != nil { - for _, logConf := range pol.Spec.WAF.SecurityLogs { - if isMatchingResourceRef(pol.Namespace, logConf.ApLogConf, key) { - policies = append(policies, pol) - } - } - } - } - - return policies -} - -func isMatchingResourceRef(ownerNs, resRef, key string) bool { - hasNamespace := strings.Contains(resRef, "/") - if !hasNamespace { - resRef = fmt.Sprintf("%v/%v", ownerNs, resRef) - } - return resRef == key -} - func (lbc *LoadBalancerController) createTransportServerEx(transportServer *conf_v1.TransportServer, listenerPort int) *configs.TransportServerEx { endpoints := make(map[string][]string) externalNameSvcs := make(map[string]bool) 
@@ -4205,100 +3885,6 @@ func (lbc *LoadBalancerController) syncSVIDRotation(svidResponse *workloadapi.X5 } } -func (lbc *LoadBalancerController) syncAppProtectPolicy(task task) { - key := task.Key - glog.V(3).Infof("Syncing AppProtectPolicy %v", key) - - var obj interface{} - var polExists bool - var err error - - ns, _, _ := cache.SplitMetaNamespaceKey(key) - obj, polExists, err = lbc.getNamespacedInformer(ns).appProtectPolicyLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - - var changes []appprotect.Change - var problems []appprotect.Problem - - if !polExists { - glog.V(2).Infof("Deleting AppProtectPolicy: %v\n", key) - - changes, problems = lbc.appProtectConfiguration.DeletePolicy(key) - } else { - glog.V(2).Infof("Adding or Updating AppProtectPolicy: %v\n", key) - - changes, problems = lbc.appProtectConfiguration.AddOrUpdatePolicy(obj.(*unstructured.Unstructured)) - } - - lbc.processAppProtectChanges(changes) - lbc.processAppProtectProblems(problems) -} - -func (lbc *LoadBalancerController) syncAppProtectLogConf(task task) { - key := task.Key - glog.V(3).Infof("Syncing AppProtectLogConf %v", key) - var obj interface{} - var confExists bool - var err error - - ns, _, _ := cache.SplitMetaNamespaceKey(key) - obj, confExists, err = lbc.getNamespacedInformer(ns).appProtectLogConfLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - - var changes []appprotect.Change - var problems []appprotect.Problem - - if !confExists { - glog.V(2).Infof("Deleting AppProtectLogConf: %v\n", key) - - changes, problems = lbc.appProtectConfiguration.DeleteLogConf(key) - } else { - glog.V(2).Infof("Adding or Updating AppProtectLogConf: %v\n", key) - - changes, problems = lbc.appProtectConfiguration.AddOrUpdateLogConf(obj.(*unstructured.Unstructured)) - } - - lbc.processAppProtectChanges(changes) - lbc.processAppProtectProblems(problems) -} - -func (lbc *LoadBalancerController) syncAppProtectUserSig(task task) { - 
key := task.Key - glog.V(3).Infof("Syncing AppProtectUserSig %v", key) - var obj interface{} - var sigExists bool - var err error - - ns, _, _ := cache.SplitMetaNamespaceKey(key) - obj, sigExists, err = lbc.getNamespacedInformer(ns).appProtectUserSigLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - - var change appprotect.UserSigChange - var problems []appprotect.Problem - - if !sigExists { - glog.V(2).Infof("Deleting AppProtectUserSig: %v\n", key) - - change, problems = lbc.appProtectConfiguration.DeleteUserSig(key) - } else { - glog.V(2).Infof("Adding or Updating AppProtectUserSig: %v\n", key) - - change, problems = lbc.appProtectConfiguration.AddOrUpdateUserSig(obj.(*unstructured.Unstructured)) - } - - lbc.processAppProtectUserSigChange(change) - lbc.processAppProtectProblems(problems) -} - // IsNginxReady returns ready status of NGINX func (lbc *LoadBalancerController) IsNginxReady() bool { return lbc.isNginxReady diff --git a/internal/k8s/controller_test.go b/internal/k8s/controller_test.go index 55daf2d183..a87f85b749 100644 --- a/internal/k8s/controller_test.go +++ b/internal/k8s/controller_test.go @@ -17,7 +17,6 @@ import ( "github.com/nginxinc/kubernetes-ingress/internal/configs" "github.com/nginxinc/kubernetes-ingress/internal/configs/version1" "github.com/nginxinc/kubernetes-ingress/internal/configs/version2" - "github.com/nginxinc/kubernetes-ingress/internal/k8s/appprotect" "github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets" "github.com/nginxinc/kubernetes-ingress/internal/metrics/collectors" "github.com/nginxinc/kubernetes-ingress/internal/nginx" @@ -25,7 +24,6 @@ import ( api_v1 "k8s.io/api/core/v1" networking "k8s.io/api/networking/v1" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/client-go/kubernetes/fake" "k8s.io/client-go/tools/cache" 
@@ -3392,422 +3390,6 @@ func TestAddOidcSecret(t *testing.T) { } } -func TestAddWAFPolicyRefs(t *testing.T) { - t.Parallel() - apPol := &unstructured.Unstructured{ - Object: map[string]interface{}{ - "metadata": map[string]interface{}{ - "namespace": "default", - "name": "ap-pol", - }, - }, - } - - logConf := &unstructured.Unstructured{ - Object: map[string]interface{}{ - "metadata": map[string]interface{}{ - "namespace": "default", - "name": "log-conf", - }, - }, - } - - additionalLogConf := &unstructured.Unstructured{ - Object: map[string]interface{}{ - "metadata": map[string]interface{}{ - "namespace": "default", - "name": "additional-log-conf", - }, - }, - } - - tests := []struct { - policies []*conf_v1.Policy - expectedApPolRefs map[string]*unstructured.Unstructured - expectedLogConfRefs map[string]*unstructured.Unstructured - wantErr bool - msg string - }{ - { - policies: []*conf_v1.Policy{ - { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "waf-pol", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "default/ap-pol", - SecurityLog: &conf_v1.SecurityLog{ - Enable: true, - ApLogConf: "log-conf", - }, - }, - }, - }, - }, - expectedApPolRefs: map[string]*unstructured.Unstructured{ - "default/ap-pol": apPol, - }, - expectedLogConfRefs: map[string]*unstructured.Unstructured{ - "default/log-conf": logConf, - }, - wantErr: false, - msg: "base test", - }, - { - policies: []*conf_v1.Policy{ - { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "waf-pol", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "non-existing-ap-pol", - }, - }, - }, - }, - wantErr: true, - expectedApPolRefs: make(map[string]*unstructured.Unstructured), - expectedLogConfRefs: make(map[string]*unstructured.Unstructured), - msg: "apPol doesn't exist", - }, - { - policies: []*conf_v1.Policy{ - { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "waf-pol", - Namespace: "default", - }, - Spec: 
conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "ap-pol", - SecurityLog: &conf_v1.SecurityLog{ - Enable: true, - ApLogConf: "non-existing-log-conf", - }, - }, - }, - }, - }, - wantErr: true, - expectedApPolRefs: map[string]*unstructured.Unstructured{ - "default/ap-pol": apPol, - }, - expectedLogConfRefs: make(map[string]*unstructured.Unstructured), - msg: "logConf doesn't exist", - }, - { - policies: []*conf_v1.Policy{ - { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "waf-pol", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "ap-pol", - SecurityLogs: []*conf_v1.SecurityLog{ - { - Enable: true, - ApLogConf: "log-conf", - }, - }, - }, - }, - }, - }, - wantErr: false, - expectedApPolRefs: map[string]*unstructured.Unstructured{ - "default/ap-pol": apPol, - }, - expectedLogConfRefs: map[string]*unstructured.Unstructured{ - "default/log-conf": logConf, - }, - }, - { - policies: []*conf_v1.Policy{ - { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "waf-pol", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "ap-pol", - SecurityLogs: []*conf_v1.SecurityLog{ - { - Enable: true, - ApLogConf: "log-conf", - }, - { - Enable: true, - ApLogConf: "additional-log-conf", - }, - }, - }, - }, - }, - }, - wantErr: false, - expectedApPolRefs: map[string]*unstructured.Unstructured{ - "default/ap-pol": apPol, - }, - expectedLogConfRefs: map[string]*unstructured.Unstructured{ - "default/log-conf": logConf, - "default/additional-log-conf": additionalLogConf, - }, - }, - { - policies: []*conf_v1.Policy{ - { - ObjectMeta: meta_v1.ObjectMeta{ - Name: "waf-pol", - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "ap-pol", - SecurityLog: &conf_v1.SecurityLog{ - Enable: true, - ApLogConf: "additional-log-conf", - }, - SecurityLogs: []*conf_v1.SecurityLog{ - { - Enable: true, - ApLogConf: "log-conf", - }, - }, - }, - 
}, - }, - }, - wantErr: false, - expectedApPolRefs: map[string]*unstructured.Unstructured{ - "default/ap-pol": apPol, - }, - expectedLogConfRefs: map[string]*unstructured.Unstructured{ - "default/log-conf": logConf, - }, - }, - } - - lbc := LoadBalancerController{ - appProtectConfiguration: appprotect.NewFakeConfiguration(), - } - lbc.appProtectConfiguration.AddOrUpdatePolicy(apPol) - lbc.appProtectConfiguration.AddOrUpdateLogConf(logConf) - lbc.appProtectConfiguration.AddOrUpdateLogConf(additionalLogConf) - - for _, test := range tests { - resApPolicy := make(map[string]*unstructured.Unstructured) - resLogConf := make(map[string]*unstructured.Unstructured) - - if err := lbc.addWAFPolicyRefs(resApPolicy, resLogConf, test.policies); (err != nil) != test.wantErr { - t.Errorf("LoadBalancerController.addWAFPolicyRefs() error = %v, wantErr %v", err, test.wantErr) - } - if diff := cmp.Diff(test.expectedApPolRefs, resApPolicy); diff != "" { - t.Errorf("LoadBalancerController.addWAFPolicyRefs() '%v' mismatch (-want +got):\n%s", test.msg, diff) - } - if diff := cmp.Diff(test.expectedLogConfRefs, resLogConf); diff != "" { - t.Errorf("LoadBalancerController.addWAFPolicyRefs() '%v' mismatch (-want +got):\n%s", test.msg, diff) - } - } -} - -func TestGetWAFPoliciesForAppProtectPolicy(t *testing.T) { - t.Parallel() - apPol := &conf_v1.Policy{ - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "ns1/apPol", - }, - }, - } - - apPolNs2 := &conf_v1.Policy{ - ObjectMeta: meta_v1.ObjectMeta{ - Namespace: "ns1", - }, - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "ns2/apPol", - }, - }, - } - - apPolNoNs := &conf_v1.Policy{ - ObjectMeta: meta_v1.ObjectMeta{ - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - ApPolicy: "apPol", - }, - }, - } - - policies := []*conf_v1.Policy{ - apPol, apPolNs2, apPolNoNs, - } - - tests := []struct { - pols []*conf_v1.Policy - key string - want 
[]*conf_v1.Policy - msg string - }{ - { - pols: policies, - key: "ns1/apPol", - want: []*conf_v1.Policy{apPol}, - msg: "WAF pols that ref apPol which has a namespace", - }, - { - pols: policies, - key: "default/apPol", - want: []*conf_v1.Policy{apPolNoNs}, - msg: "WAF pols that ref apPol which has no namespace", - }, - { - pols: policies, - key: "ns2/apPol", - want: []*conf_v1.Policy{apPolNs2}, - msg: "WAF pols that ref apPol which is in another ns", - }, - { - pols: policies, - key: "ns1/apPol-with-no-valid-refs", - want: nil, - msg: "WAF pols where there is no valid ref", - }, - } - for _, test := range tests { - got := getWAFPoliciesForAppProtectPolicy(test.pols, test.key) - if diff := cmp.Diff(test.want, got); diff != "" { - t.Errorf("getWAFPoliciesForAppProtectPolicy() returned unexpected result for the case of: %v (-want +got):\n%s", test.msg, diff) - } - } -} - -func TestGetWAFPoliciesForAppProtectLogConf(t *testing.T) { - t.Parallel() - logConf := &conf_v1.Policy{ - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - SecurityLog: &conf_v1.SecurityLog{ - Enable: true, - ApLogConf: "ns1/logConf", - }, - }, - }, - } - - logConfs := &conf_v1.Policy{ - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - SecurityLogs: []*conf_v1.SecurityLog{ - { - Enable: true, - ApLogConf: "ns1/logConfs", - }, - }, - }, - }, - } - - logConfNs2 := &conf_v1.Policy{ - ObjectMeta: meta_v1.ObjectMeta{ - Namespace: "ns1", - }, - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - SecurityLog: &conf_v1.SecurityLog{ - Enable: true, - ApLogConf: "ns2/logConf", - }, - }, - }, - } - - logConfNoNs := &conf_v1.Policy{ - ObjectMeta: meta_v1.ObjectMeta{ - Namespace: "default", - }, - Spec: conf_v1.PolicySpec{ - WAF: &conf_v1.WAF{ - Enable: true, - SecurityLog: &conf_v1.SecurityLog{ - Enable: true, - ApLogConf: "logConf", - }, - }, - }, - } - - policies := []*conf_v1.Policy{ - logConf, logConfs, logConfNs2, logConfNoNs, - } - - tests := []struct { - pols 
[]*conf_v1.Policy - key string - want []*conf_v1.Policy - msg string - }{ - { - pols: policies, - key: "ns1/logConf", - want: []*conf_v1.Policy{logConf}, - msg: "WAF pols that ref logConf which has a namespace", - }, - { - pols: policies, - key: "default/logConf", - want: []*conf_v1.Policy{logConfNoNs}, - msg: "WAF pols that ref logConf which has no namespace", - }, - { - pols: policies, - key: "ns1/logConfs", - want: []*conf_v1.Policy{logConfs}, - msg: "WAF pols that ref logConf via logConfs field", - }, - { - pols: policies, - key: "ns2/logConf", - want: []*conf_v1.Policy{logConfNs2}, - msg: "WAF pols that ref logConf which is in another ns", - }, - { - pols: policies, - key: "ns1/logConf-with-no-valid-refs", - want: nil, - msg: "WAF pols where there is no valid logConf ref", - }, - } - for _, test := range tests { - got := getWAFPoliciesForAppProtectLogConf(test.pols, test.key) - if diff := cmp.Diff(test.want, got); diff != "" { - t.Errorf("getWAFPoliciesForAppProtectLogConf() returned unexpected result for the case of: %v (-want +got):\n%s", test.msg, diff) - } - } -} - func TestPreSyncSecrets(t *testing.T) { t.Parallel() secretLister := &cache.FakeCustomStore{ diff --git a/internal/k8s/handlers.go b/internal/k8s/handlers.go index 59ead14bc4..eb53880e49 100644 --- a/internal/k8s/handlers.go +++ b/internal/k8s/handlers.go 
@@ -547,33 +547,6 @@ func createIngressLinkHandlers(lbc *LoadBalancerController) cache.ResourceEventH } } -func createAppProtectPolicyHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - handlers := cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - pol := obj.(*unstructured.Unstructured) - glog.V(3).Infof("Adding AppProtectPolicy: %v", pol.GetName()) - lbc.AddSyncQueue(pol) - }, - UpdateFunc: func(oldObj, obj interface{}) { - oldPol := oldObj.(*unstructured.Unstructured) - newPol := obj.(*unstructured.Unstructured) - different, err := areResourcesDifferent(oldPol, newPol) - if err != nil { - glog.V(3).Infof("Error when comparing policy %v", err) - lbc.AddSyncQueue(newPol) - } - if different { - glog.V(3).Infof("ApPolicy %v changed, syncing", oldPol.GetName()) - lbc.AddSyncQueue(newPol) - } - }, - DeleteFunc: func(obj interface{}) { - lbc.AddSyncQueue(obj) - }, - } - return handlers -} - // areResourcesDifferent returns true if the resources are different based on their spec. func areResourcesDifferent(oldresource, resource *unstructured.Unstructured) (bool, error) { oldSpec, found, err := unstructured.NestedMap(oldresource.Object, "spec") 
@@ -597,60 +570,6 @@ func areResourcesDifferent(oldresource, resource *unstructured.Unstructured) (bo return !eq, nil } -func createAppProtectLogConfHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - handlers := cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - conf := obj.(*unstructured.Unstructured) - glog.V(3).Infof("Adding AppProtectLogConf: %v", conf.GetName()) - lbc.AddSyncQueue(conf) - }, - UpdateFunc: func(oldObj, obj interface{}) { - oldConf := oldObj.(*unstructured.Unstructured) - newConf := obj.(*unstructured.Unstructured) - different, err := areResourcesDifferent(oldConf, newConf) - if err != nil { - glog.V(3).Infof("Error when comparing LogConfs %v", err) - lbc.AddSyncQueue(newConf) - } - if different { - glog.V(3).Infof("ApLogConf %v changed, syncing", oldConf.GetName()) - lbc.AddSyncQueue(newConf) - } - }, - DeleteFunc: func(obj interface{}) { - lbc.AddSyncQueue(obj) - }, - } - return handlers -} - -func createAppProtectUserSigHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - handlers := cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - sig := obj.(*unstructured.Unstructured) - glog.V(3).Infof("Adding AppProtectUserSig: %v", sig.GetName()) - lbc.AddSyncQueue(sig) - }, - UpdateFunc: func(oldObj, obj interface{}) { - oldSig := oldObj.(*unstructured.Unstructured) - newSig := obj.(*unstructured.Unstructured) - different, err := areResourcesDifferent(oldSig, newSig) - if err != nil { - glog.V(3).Infof("Error when comparing UserSigs %v", err) - lbc.AddSyncQueue(newSig) - } - if different { - glog.V(3).Infof("ApUserSig %v changed, syncing", oldSig.GetName()) - lbc.AddSyncQueue(newSig) - } - }, - DeleteFunc: func(obj interface{}) { - lbc.AddSyncQueue(obj) - }, - } - return handlers -} - // createNamespaceHandlers builds the handler funcs for namespaces func createNamespaceHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { return 
cache.ResourceEventHandlerFuncs{ From 843497868af5974f7fcfac9bd550c1d93dbf67f3 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 28 Aug 2024 10:07:12 +0100 Subject: [PATCH 18/83] trigger mend workflow from release (#6298) --- .github/workflows/mend.yml | 18 ++++++++++++++---- .github/workflows/release.yml | 9 +++++++++ 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml index 9881f969a5..822f0a7478 100644 --- a/.github/workflows/mend.yml +++ b/.github/workflows/mend.yml @@ -4,11 +4,20 @@ on: push: branches: - main - tags: - - "v[0-9]+.[0-9]+.[0-9]+" paths-ignore: - docs/** - examples/** + workflow_dispatch: + inputs: + branch: + type: string + required: false + default: main + workflow_call: + inputs: + branch: + type: string + required: true concurrency: group: ${{ github.ref_name }}-mend @@ -21,10 +30,11 @@ jobs: scan: name: Mend runs-on: ubuntu-22.04 - if: ${{ github.event.repository.fork == false }} steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch && inputs.branch || github.ref }} - name: Download agent run: curl -fsSLJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar @@ -34,6 +44,6 @@ jobs: - name: Scan and upload env: - PRODUCT_NAME: kubernetes-ingress-controller_${{ github.ref_name }} + PRODUCT_NAME: kubernetes-ingress-controller_${{ inputs.branch && inputs.branch || github.ref_name }} PROJECT_NAME: nic run: java -jar wss-unified-agent.jar -noConfig true -wss.url ${{ secrets.WSS_URL }} -apiKey ${{ secrets.WSS_NGINX_TOKEN }} -product $PRODUCT_NAME -project $PROJECT_NAME -d . diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 73d421b224..8f44995249 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
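Review bot: Dropping `if: ${{ github.event.repository.fork == false }}` from the `scan` job in mend.yml means a push to `main` in a fork now starts the job too. There `secrets.WSS_URL` and `secrets.WSS_NGINX_TOKEN` are presumably unset, so the job would download and run the agent only to fail. Unless the guard was found to break the `workflow_call` path, keeping it looks harmless, since the repository context is still available when the workflow is called from release.yml. Separately, `${{ inputs.branch && inputs.branch || github.ref }}` evaluates the same as the shorter `ref: ${{ inputs.branch || github.ref }}`, and the same simplification applies to `PRODUCT_NAME` in the last hunk.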
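Review bot: In the `Scan and upload` step, `$PRODUCT_NAME` is expanded unquoted on the `run:` line, and after this change its value can come from the free-form `branch` input of `workflow_dispatch`. A value containing whitespace or glob characters would be split by the shell into extra arguments to the agent. Passing the value through `env:` is the right pattern; the expansions just need quoting, `-product "$PRODUCT_NAME" -project "$PROJECT_NAME"`. The `run:` line itself is unchanged context in this hunk, and the two `${{ secrets.* }}` values on it are still interpolated directly into the script; moving them to `env:` entries would be consistent with how `PRODUCT_NAME` is handled.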
@@ -124,6 +124,15 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.NGINX_PAT }} + mend: + if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'mend') }} + name: Run Mend workflow + uses: ./.github/workflows/mend.yml + needs: [tag] + with: + branch: "v${{ inputs.nic_version }}" + secrets: inherit + release-oss: if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-oss') }} name: Release Docker OSS From b2774f2e4d69d961b74d385850d6d266f9796a40 Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Wed, 28 Aug 2024 11:32:42 +0100 Subject: [PATCH 19/83] include version.txt (#6301) --- .github/scripts/release-version-update.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/scripts/release-version-update.sh b/.github/scripts/release-version-update.sh index 79136e1f9b..002c1e3c22 100755 --- a/.github/scripts/release-version-update.sh +++ b/.github/scripts/release-version-update.sh @@ -11,6 +11,7 @@ DEBUG=${DEBUG:-"false"} DOCS_TO_UPDATE_FOLDER=${ROOTDIR}/docs/content FILES_TO_UPDATE_IC_VERSION=( + "${ROOTDIR}/.github/data/version.txt" "${ROOTDIR}/README.md" "${DEPLOYMENT_PATH}/daemon-set/nginx-ingress.yaml" "${DEPLOYMENT_PATH}/daemon-set/nginx-plus-ingress.yaml" @@ -23,6 +24,7 @@ FILES_TO_UPDATE_IC_VERSION=( "${HELM_CHART_PATH}/values.yaml" ) FILE_TO_UPDATE_HELM_CHART_VERSION=( + "${ROOTDIR}/.github/data/version.txt" "${HELM_CHART_PATH}/Chart.yaml" ) From 95c617f038a52dbcba137713477703437f3346ad Mon Sep 17 00:00:00 2001 
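Review bot: `secrets: inherit` on the new `mend` job makes every secret of the release workflow available to the called workflow, including `NGINX_PAT` used by the step just above. The scan step shown in mend.yml reads only `secrets.WSS_URL` and `secrets.WSS_NGINX_TOKEN`. Because that workflow fetches the agent jar from `releases/latest` and runs it, I would scope the hand-off: declare the two secrets under `on.workflow_call.secrets` in mend.yml and pass them by name here, i.e. `secrets:` followed by `WSS_URL: ${{ secrets.WSS_URL }}` and `WSS_NGINX_TOKEN: ${{ secrets.WSS_NGINX_TOKEN }}`. A short comment on the job noting that `branch` is really the release tag `v<nic_version>` created by the `tag` job would also help readers.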
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 28 Aug 2024 13:53:51 +0100 Subject: [PATCH 20/83] Bump github.com/aws/aws-sdk-go-v2/config from 1.27.30 to 1.27.31 in the go group (#6299) Bump github.com/aws/aws-sdk-go-v2/config in the go group Bumps the go group with 1 update: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.27.30 to 1.27.31 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.30...config/v1.27.31) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Fenlon --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 8c36b1b985..a89af5637a 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/nginxinc/kubernetes-ingress go 1.22.5 require ( - github.com/aws/aws-sdk-go-v2/config v1.27.30 + github.com/aws/aws-sdk-go-v2/config v1.27.31 github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.4 github.com/cert-manager/cert-manager v1.15.3 github.com/dlclark/regexp2 v1.11.4 @@ -37,7 +37,7 @@ require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/aws/aws-sdk-go-v2 v1.30.4 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.29 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.30 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 // indirect 
diff --git a/go.sum b/go.sum index 188c00b164..c301eeb174 100644 --- a/go.sum +++ b/go.sum @@ -6,10 +6,10 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8= github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= -github.com/aws/aws-sdk-go-v2/config v1.27.30 h1:AQF3/+rOgeJBQP3iI4vojlPib5X6eeOYoa/af7OxAYg= -github.com/aws/aws-sdk-go-v2/config v1.27.30/go.mod h1:yxqvuubha9Vw8stEgNiStO+yZpP68Wm9hLmcm+R/Qk4= -github.com/aws/aws-sdk-go-v2/credentials v1.17.29 h1:CwGsupsXIlAFYuDVHv1nnK0wnxO0wZ/g1L8DSK/xiIw= -github.com/aws/aws-sdk-go-v2/credentials v1.17.29/go.mod h1:BPJ/yXV92ZVq6G8uYvbU0gSl8q94UB63nMT5ctNO38g= +github.com/aws/aws-sdk-go-v2/config v1.27.31 h1:kxBoRsjhT3pq0cKthgj6RU6bXTm/2SgdoUMyrVw0rAI= +github.com/aws/aws-sdk-go-v2/config v1.27.31/go.mod h1:z04nZdSWFPaDwK3DdJOG2r+scLQzMYuJeW0CujEm9FM= +github.com/aws/aws-sdk-go-v2/credentials v1.17.30 h1:aau/oYFtibVovr2rDt8FHlU17BTicFEMAi29V1U+L5Q= +github.com/aws/aws-sdk-go-v2/credentials v1.17.30/go.mod h1:BPJ/yXV92ZVq6G8uYvbU0gSl8q94UB63nMT5ctNO38g= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 h1:yjwoSyDZF8Jth+mUk5lSPJCkMC0lMy6FaCD51jm6ayE= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12/go.mod h1:fuR57fAgMk7ot3WcNQfb6rSEn+SUffl7ri+aa8uKysI= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 h1:TNyt/+X43KJ9IJJMjKfa3bNTiZbUP7DeCxfbTROESwY= From 81bcf9662553f0bb788235a411d585a510bc7d10 Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Thu, 29 Aug 2024 13:19:59 +0100 Subject: [PATCH 21/83] assert version from log and chart (#6307) --- .github/actions/smoke-tests/action.yaml | 1 + tests/settings.py | 1 + tests/suite/test_build_info.py | 16 ++++++++++++---- 3 files changed, 14 insertions(+), 4 deletions(-) 
diff --git a/.github/actions/smoke-tests/action.yaml b/.github/actions/smoke-tests/action.yaml index 697002aeaa..c99bcf8cf0 100644 --- a/.github/actions/smoke-tests/action.yaml +++ b/.github/actions/smoke-tests/action.yaml @@ -78,6 +78,7 @@ runs: --network=kind \ -v ${{ github.workspace }}/tests:/workspace/tests \ -v ${{ github.workspace }}/deployments:/workspace/deployments \ + -v ${{ github.workspace }}/charts:/workspace/charts \ -v ${{ github.workspace }}/config:/workspace/config \ -v ${{ github.workspace }}/pyproject.toml:/workspace/pyproject.toml \ -v ${{ steps.k8s.outputs.test_output_path }}:${{ steps.k8s.outputs.test_output_path }} \ diff --git a/tests/settings.py b/tests/settings.py index 20420aa794..d3a988c536 100644 --- a/tests/settings.py +++ b/tests/settings.py @@ -4,6 +4,7 @@ BASEDIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) DEPLOYMENTS = f"{BASEDIR}/deployments" +HELM_CHARTS = f"{BASEDIR}/charts/nginx-ingress" CRDS = f"{BASEDIR}/config/crd/bases" PROJECT_ROOT = os.path.abspath(os.path.dirname(__file__)) TEST_DATA = f"{PROJECT_ROOT}/data" diff --git a/tests/suite/test_build_info.py b/tests/suite/test_build_info.py index 436a83d247..c36f00dfc0 100644 --- a/tests/suite/test_build_info.py +++ b/tests/suite/test_build_info.py @@ -1,9 +1,10 @@ import io import logging -import time import pytest -from suite.utils.resources_utils import get_first_pod_name, wait_until_all_pods_are_ready +import yaml +from settings import HELM_CHARTS +from suite.utils.resources_utils import get_first_pod_name, wait_before_test, wait_until_all_pods_are_ready @pytest.mark.ingresses 
@@ -11,12 +12,18 @@ class TestBuildVersion: def test_build_version(self, ingress_controller, kube_apis, ingress_controller_prerequisites): """ - Test Version tag of build i.e. 'Version=' + Test Version tag of build i.e. 'Version=' is same as the version in the chart.yaml file """ + with open(f"{HELM_CHARTS}/Chart.yaml") as f: + chart = yaml.safe_load(f) + ic_ver = chart["appVersion"] + print(f"NIC version from chart: {ic_ver}") + _info = self.send_build_info(kube_apis, ingress_controller_prerequisites) _version = _info[_info.find("Version=") + len("Version=") : _info.rfind("GitCommit=")] logging.info(_version) assert _version != " " + assert ic_ver in _version def send_build_info(self, kube_apis, ingress_controller_prerequisites) -> str: """ @@ -27,7 +34,7 @@ def send_build_info(self, kube_apis, ingress_controller_prerequisites) -> str: pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace) wait_until_all_pods_are_ready(kube_apis.v1, ingress_controller_prerequisites.namespace) while not ready: - time.sleep(1) + wait_before_test() try: api_response = kube_apis.v1.read_namespaced_pod_log( name=pod_name, @@ -49,6 +56,7 @@ def send_build_info(self, kube_apis, ingress_controller_prerequisites) -> str: _log = br.readline().strip() try: _info = _log[_log.find("Version") :].strip() + print(f"Version and GitCommit info: {_info}") logging.info(f"Version and GitCommit info: {_info}") except Exception: logging.exception(f"Tag labels not found") From 6f51ffb405c7f74de3a3674f6aefa3987b6a0146 Mon Sep 17 00:00:00 2001 
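Review bot: `assert ic_ver in _version` in `test_build_version` is a substring test, so a chart `appVersion` of `1.2.3` (constructed example) would also pass against a build that reports `1.2.30`. If the `Version=` field in the log carries only the version, an exact comparison pins this down: `assert _version.strip() == str(ic_ver)`. The `str()` guards against `yaml.safe_load` returning a non-string for an unquoted `appVersion`, which would otherwise raise `TypeError` in the `in` check. The existing `assert _version != " "` still passes for an empty string, so it adds little once the new assertion is in place. The added `print(...)` calls, here and in the last hunk of this file, duplicate the adjacent `logging.info(...)` and could be dropped.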
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 29 Aug 2024 15:59:17 +0100 Subject: [PATCH 22/83] update runners to ubuntu-24.04 (#6308) --- .github/workflows/build-base-images.yml | 8 +++---- .github/workflows/build-oss.yml | 2 +- .github/workflows/build-ot-dependency.yml | 2 +- .github/workflows/build-plus.yml | 2 +- .github/workflows/build-single-image.yml | 2 +- .github/workflows/build-test-image.yml | 2 +- .github/workflows/build-ubi-dependency.yml | 4 ++-- .github/workflows/cache-update.yml | 2 +- .github/workflows/cherry-pick.yml | 2 +- .github/workflows/ci.yml | 14 ++++++------ .github/workflows/codeql-analysis.yml | 4 ++-- .github/workflows/dependabot-auto-merge.yml | 2 +- .github/workflows/dependabot-hugo.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/dockerhub-description.yml | 2 +- .github/workflows/docs-build-push.yml | 2 +- .github/workflows/fossa.yml | 2 +- .github/workflows/image-promotion.yml | 16 +++++++------- .github/workflows/issues.yaml | 2 +- .github/workflows/labeler.yml | 2 +- .github/workflows/lint-format.yml | 10 ++++----- .github/workflows/mend.yml | 2 +- .github/workflows/notifications.yml | 2 +- .github/workflows/oss-release.yml | 10 ++++----- .github/workflows/patch-image.yml | 2 +- .github/workflows/plus-release.yml | 8 +++---- .github/workflows/publish-helm.yml | 2 +- .github/workflows/regression.yml | 10 ++++----- .github/workflows/release-pr.yml | 2 +- .github/workflows/release.yml | 22 +++++++++---------- .github/workflows/retag-images.yml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/setup-smoke.yml | 2 +- .github/workflows/single-image-regression.yml | 2 +- .github/workflows/stale.yml | 2 +- .github/workflows/update-docker-images.yml | 4 ++-- .github/workflows/update-docker-sha.yml | 4 ++-- .../workflows/update-kubernetes-version.yml | 2 +- .github/workflows/update-release-draft.yml | 4 ++-- .github/workflows/updates-notification.yml | 2 +- 
.github/workflows/version-bump.yml | 2 +- 41 files changed, 87 insertions(+), 87 deletions(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index cee9289906..5accc62128 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -20,7 +20,7 @@ permissions: jobs: checks: name: Checks and variables - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 outputs: docker_md5: ${{ steps.vars.outputs.docker_md5 }} ic_version: ${{ steps.vars.outputs.ic_version }} @@ -44,7 +44,7 @@ jobs: build-oss: name: Build OSS base images - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: checks permissions: contents: read @@ -109,7 +109,7 @@ jobs: build-plus: name: Build Plus base images - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: checks permissions: contents: read @@ -177,7 +177,7 @@ jobs: build-plus-nap: name: Build Plus NAP base images - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: checks permissions: contents: read diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index ec7710b23e..0c83326f9c 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -41,7 +41,7 @@ permissions: jobs: build: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read # for docker/build-push-action to read repo content id-token: write # for OIDC login to GCR diff --git a/.github/workflows/build-ot-dependency.yml b/.github/workflows/build-ot-dependency.yml index faa882fccb..711aa73fb0 100644 --- a/.github/workflows/build-ot-dependency.yml +++ b/.github/workflows/build-ot-dependency.yml @@ -23,7 +23,7 @@ permissions: jobs: build-docker: name: Build Docker Image - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: packages: write contents: read diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index c3c09057bb..093f631d0b 100644 --- a/.github/workflows/build-plus.yml 
+++ b/.github/workflows/build-plus.yml @@ -51,7 +51,7 @@ jobs: contents: read # for docker/build-push-action to read repo content id-token: write # for OIDC login to AWS pull-requests: write # for scout report - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/build-single-image.yml b/.github/workflows/build-single-image.yml index d239c37602..0ebbf7f301 100644 --- a/.github/workflows/build-single-image.yml +++ b/.github/workflows/build-single-image.yml @@ -42,7 +42,7 @@ jobs: permissions: contents: read # for docker/build-push-action to read repo content id-token: write # for login to GCP - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml index 7e970c9fa5..5857b93fa9 100644 --- a/.github/workflows/build-test-image.yml +++ b/.github/workflows/build-test-image.yml @@ -25,7 +25,7 @@ permissions: jobs: build: name: Build test image - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/build-ubi-dependency.yml b/.github/workflows/build-ubi-dependency.yml index ba059f1643..851d9a7802 100644 --- a/.github/workflows/build-ubi-dependency.yml +++ b/.github/workflows/build-ubi-dependency.yml @@ -31,7 +31,7 @@ permissions: jobs: checks: name: Check versions - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: packages: read contents: read @@ -81,7 +81,7 @@ jobs: name: Build Binary Container Image if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force }} needs: checks - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: packages: write contents: read 
diff --git a/.github/workflows/cache-update.yml b/.github/workflows/cache-update.yml index 9e12b59f56..b069618bf3 100644 --- a/.github/workflows/cache-update.yml +++ b/.github/workflows/cache-update.yml @@ -17,7 +17,7 @@ permissions: jobs: checks: name: Checks and variables - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 outputs: go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} docker_md5: ${{ steps.vars.outputs.docker_md5 }} diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml index 2a23ce8bf5..31e814d12f 100644 --- a/.github/workflows/cherry-pick.yml +++ b/.github/workflows/cherry-pick.yml @@ -13,7 +13,7 @@ jobs: permissions: contents: write pull-requests: write - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 name: Cherry pick into release branch if: ${{ (contains(github.event.pull_request.labels.*.name, 'dependencies') || contains(github.event.pull_request.labels.*.name, 'needs cherry pick')) && github.event.pull_request.merged == true }} steps: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 22a5f2dd42..e00338c5b6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -29,7 +29,7 @@ permissions: jobs: checks: name: Checks and variables - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -161,7 +161,7 @@ jobs: verify-codegen: name: Verify generated code - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read steps: @@ -190,7 +190,7 @@ jobs: unit-tests: name: Unit Tests - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: checks steps: - name: Checkout Repository @@ -215,7 +215,7 @@ jobs: binaries: name: Build Binaries - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks, unit-tests, verify-codegen] permissions: contents: write # for goreleaser/goreleaser-action to manage releases 
@@ -353,7 +353,7 @@ jobs: helm-tests: if: ${{ needs.checks.outputs.docs_only != 'true' }} name: Helm Tests ${{ matrix.base-os }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks, binaries, build-docker, build-docker-plus] strategy: fail-fast: false @@ -486,7 +486,7 @@ jobs: setup-matrix: if: ${{ inputs.force || needs.checks.outputs.docs_only != 'true' }} name: Setup Matrix for Smoke Tests - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [binaries, checks] permissions: contents: read @@ -642,7 +642,7 @@ jobs: final-results: if: ${{ !cancelled() }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 name: Final CI Results needs: [tag-stable, smoke-tests-oss, smoke-tests-plus, smoke-tests-nap] steps: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 2f25210c08..3a096b5de8 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -23,7 +23,7 @@ permissions: jobs: checks: name: Checks and variables - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 outputs: docs_only: ${{ github.event.pull_request && steps.docs.outputs.docs_only == 'true' }} steps: @@ -53,7 +53,7 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 strategy: fail-fast: false diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 4dbcf1a2b4..86948ba61c 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -6,7 +6,7 @@ permissions: jobs: dependabot: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} permissions: pull-requests: write diff --git a/.github/workflows/dependabot-hugo.yml b/.github/workflows/dependabot-hugo.yml index 1be7cb78d8..9204cedf47 100644 
--- a/.github/workflows/dependabot-hugo.yml +++ b/.github/workflows/dependabot-hugo.yml @@ -16,7 +16,7 @@ defaults: jobs: build: if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: write pull-requests: read diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 9c9d82986b..eafd079b9a 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -15,7 +15,7 @@ permissions: jobs: dependency-review: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read # for actions/checkout pull-requests: write # for actions/dependency-review-action to post comments diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index a4634a72a2..0d2636b8c4 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -16,7 +16,7 @@ permissions: jobs: dockerHubDescription: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 if: ${{ github.event.repository.fork == false }} steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/docs-build-push.yml b/.github/workflows/docs-build-push.yml index df4cf50195..8c7c5a2f61 100644 --- a/.github/workflows/docs-build-push.yml +++ b/.github/workflows/docs-build-push.yml @@ -24,7 +24,7 @@ permissions: jobs: checks: name: Checks and variables - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read outputs: diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 6f6e7dd699..c78a1844aa 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -19,7 +19,7 @@ permissions: jobs: scan: name: Fossa - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 if: ${{ github.event.repository.fork == false }} steps: - name: Checkout Repository 
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 0ec13f6138..7eddc80ea6 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -29,7 +29,7 @@ permissions: jobs: checks: name: Checks and variables - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -114,7 +114,7 @@ jobs: govulncheck: name: Run govulncheck - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read security-events: write @@ -150,7 +150,7 @@ jobs: binaries: name: Build Binaries - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks] permissions: contents: read @@ -366,7 +366,7 @@ jobs: certify-openshift-images: if: ${{ !cancelled() && !failure() && github.ref_name == github.event.repository.default_branch }} name: Certify OpenShift UBI images - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [release-oss] steps: - name: Checkout Repository @@ -382,7 +382,7 @@ jobs: scan-docker-oss: name: Scan ${{ matrix.image }}-${{ matrix.target }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks] permissions: contents: read @@ -472,7 +472,7 @@ jobs: scan-docker-plus: name: Scan ${{ matrix.image }}-${{ matrix.target }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks] permissions: contents: read @@ -562,7 +562,7 @@ jobs: scan-docker-nap: name: Scan ${{ matrix.image }}-${{ matrix.target }}-${{ matrix.nap_modules }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks] permissions: contents: read @@ -659,7 +659,7 @@ jobs: update-release-draft: name: Update Release Draft - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks] permissions: contents: write diff --git a/.github/workflows/issues.yaml b/.github/workflows/issues.yaml index 21156f1785..8c9a37ccb5 100644 --- a/.github/workflows/issues.yaml +++ b/.github/workflows/issues.yaml 
@@ -11,7 +11,7 @@ jobs: comment: name: Issue comment if: ${{ !github.event.issue.pull_request }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read issues: write # for actions/github-script to create comments diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index b9665d47f5..115cbf0d77 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -10,7 +10,7 @@ jobs: permissions: contents: read pull-requests: write # for actions/labeler to add labels - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/lint-format.yml b/.github/workflows/lint-format.yml index ef451dac98..327f76d390 100644 --- a/.github/workflows/lint-format.yml +++ b/.github/workflows/lint-format.yml @@ -21,7 +21,7 @@ jobs: format: name: Format - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -38,7 +38,7 @@ jobs: lint: name: Lint - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read pull-requests: read # for golangci-lint-action @@ -58,7 +58,7 @@ jobs: actionlint: name: Actionlint - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -69,7 +69,7 @@ jobs: chart-lint: name: Chart Lint - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -79,7 +79,7 @@ jobs: markdown-lint: name: Markdown Lint - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml index 822f0a7478..d434d8b351 100644 
--- a/.github/workflows/mend.yml +++ b/.github/workflows/mend.yml @@ -29,7 +29,7 @@ permissions: jobs: scan: name: Mend - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml index ab7304833f..36e7807827 100644 --- a/.github/workflows/notifications.yml +++ b/.github/workflows/notifications.yml @@ -21,7 +21,7 @@ permissions: jobs: on-failure: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.repository.fork == false }} permissions: contents: read diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index 43f66abcfc..7c23c40f3d 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml @@ -64,7 +64,7 @@ permissions: jobs: release-to-gcr-release-registry: name: Push images to the GCR Release Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -100,7 +100,7 @@ jobs: release-oss-to-ecr-public-registry: name: Push OSS images to the AWS Public Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -147,7 +147,7 @@ jobs: release-oss-to-dockerhub-public-registry: name: Push OSS images to the DockerHub Public Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -189,7 +189,7 @@ jobs: release-oss-to-quay-public-registry: name: Push OSS images to the Quay Public Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -232,7 +232,7 @@ jobs: release-oss-to-github-public-registry: name: Push OSS images to the GitHub Public Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write 
diff --git a/.github/workflows/patch-image.yml b/.github/workflows/patch-image.yml index 6c11c7009e..b76a93592a 100644 --- a/.github/workflows/patch-image.yml +++ b/.github/workflows/patch-image.yml @@ -38,7 +38,7 @@ permissions: jobs: patch-image: name: Patch image - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write diff --git a/.github/workflows/plus-release.yml b/.github/workflows/plus-release.yml index 936159ab5a..8bd25977d4 100644 --- a/.github/workflows/plus-release.yml +++ b/.github/workflows/plus-release.yml @@ -64,7 +64,7 @@ permissions: jobs: release-to-gcr-release-registry: name: Push images to the GCR Release Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -151,7 +151,7 @@ jobs: release-plus-to-gcr-marketplace-registry: name: Push Plus images to the GCR Marketplace Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -190,7 +190,7 @@ jobs: release-plus-to-ecr-marketplace-registry: name: Push Plus images to the AWS Marketplace Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -237,7 +237,7 @@ jobs: release-plus-to-azure-marketplace-registry: name: Push Plus images to the Azure Marketplace Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml index 208fdde6b0..3a1dbb60c5 100644 --- a/.github/workflows/publish-helm.yml +++ b/.github/workflows/publish-helm.yml @@ -52,7 +52,7 @@ permissions: jobs: publish-helm: name: Package and Publish Helm Chart - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: write # for pushing to Helm Charts repository packages: write # for helm to push to GHCR diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index da61ba37a5..11c48b52b2 100644 
--- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -25,7 +25,7 @@ permissions: jobs: checks: name: Checks and variables - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write @@ -82,7 +82,7 @@ jobs: unit-tests: name: Unit Tests - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 @@ -103,7 +103,7 @@ jobs: helm-tests: name: Helm Tests ${{ matrix.base-os }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks] strategy: fail-fast: false @@ -192,7 +192,7 @@ jobs: setup-regression-matrix: name: Setup Matrix for Smoke Tests - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks] permissions: contents: read @@ -211,7 +211,7 @@ jobs: regression-tests: name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} regression tests - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [checks, setup-regression-matrix] strategy: fail-fast: false diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 30e780710f..d909f10230 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -47,7 +47,7 @@ jobs: release: permissions: contents: write - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Branch id: branch diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8f44995249..013656d2a1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,7 +48,7 @@ permissions: jobs: variables: name: Set Variables - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read outputs: @@ -92,7 +92,7 @@ jobs: tag: name: Create Tag on release branch in NIC repo - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: write steps: 
@@ -281,7 +281,7 @@ jobs: certify-openshift-images: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }} name: Certify OpenShift UBI images - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [release-oss] steps: - name: Checkout Repository @@ -300,7 +300,7 @@ jobs: operator: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'operator') && !contains(inputs.skip_step, 'publish-helm-chart') }} name: Trigger PR for Operator - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [variables,publish-helm-chart] steps: - name: @@ -324,7 +324,7 @@ jobs: gcp-marketplace: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'gcp-marketplace') }} name: Trigger PR for GCP Marketplace - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [publish-helm-chart,release-plus-gcr-mktpl] steps: - name: @@ -345,7 +345,7 @@ jobs: azure-marketplace: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }} name: Trigger CNAB Build for Azure Marketplace - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [publish-helm-chart,release-plus-azure-mktpl] steps: - name: @@ -368,7 +368,7 @@ jobs: aws-marketplace: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'aws-marketplace') }} name: Publish to AWS Marketplace - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [release-plus-aws-mktpl] permissions: contents: read @@ -415,7 +415,7 @@ jobs: binaries: name: Process Binaries - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [variables] permissions: contents: read @@ -459,7 +459,7 @@ jobs: azure-upload: if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'azure-upload') }} name: Upload packages to Azure - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [variables, binaries] permissions: id-token: write 
@@ -502,7 +502,7 @@ jobs: github-release: if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'github-release') }} name: Publish release to GitHub - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [variables, binaries, release-oss, release-plus-gcr-nginx, azure-upload] permissions: contents: write # to modify the release @@ -607,7 +607,7 @@ jobs: release-image-notification: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'release-image-notification') }} name: Notify Slack channels about image release - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [variables, binaries, release-oss, release-plus-gcr-nginx] permissions: contents: read diff --git a/.github/workflows/retag-images.yml b/.github/workflows/retag-images.yml index a057321acc..47b69d8eb4 100644 --- a/.github/workflows/retag-images.yml +++ b/.github/workflows/retag-images.yml @@ -34,7 +34,7 @@ permissions: jobs: copy-to-gcr-dev-registry: name: Re-tag images in GCR Dev Registry - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 5f01728fdb..f245b515a5 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -17,7 +17,7 @@ permissions: read-all jobs: analysis: name: Scorecard analysis - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: # Needed to upload the results to code-scanning dashboard. security-events: write diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index ad533db730..33c4bb73b8 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml 
@@ -46,7 +46,7 @@ jobs: permissions: contents: read # for docker/build-push-action to read repo content id-token: write # for OIDC login to GCR - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/single-image-regression.yml b/.github/workflows/single-image-regression.yml index 369e9fad23..021a1aeaa2 100644 --- a/.github/workflows/single-image-regression.yml +++ b/.github/workflows/single-image-regression.yml @@ -70,7 +70,7 @@ permissions: jobs: checks: name: Run regression - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read id-token: write diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index e213b736fb..43d555599a 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -11,7 +11,7 @@ jobs: permissions: issues: write # for actions/stale to close stale issues pull-requests: write # for actions/stale to close stale PRs - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 with: diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index c003b81d32..863fddd17e 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -26,7 +26,7 @@ permissions: jobs: variables: name: Set variables for workflow - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 outputs: tag: ${{ steps.kic.outputs.tag }} short_tag: ${{ steps.kic.outputs.short }} @@ -313,7 +313,7 @@ jobs: certify-openshift-images: name: Certify OpenShift UBI images - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [variables, release-oss-public] steps: - name: Checkout Repository diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml index cb4663fbfb..0112d786af 100644 
--- a/.github/workflows/update-docker-sha.yml +++ b/.github/workflows/update-docker-sha.yml @@ -30,7 +30,7 @@ jobs: vars: permissions: contents: read - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 outputs: source_branch: ${{ steps.vars.outputs.source_branch }} steps: @@ -46,7 +46,7 @@ jobs: update-docker-sha: permissions: contents: write - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [vars] steps: - name: Checkout Repository diff --git a/.github/workflows/update-kubernetes-version.yml b/.github/workflows/update-kubernetes-version.yml index 23b38fdb6b..5f68bd8964 100644 --- a/.github/workflows/update-kubernetes-version.yml +++ b/.github/workflows/update-kubernetes-version.yml @@ -16,7 +16,7 @@ permissions: jobs: update-k8s-version: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 diff --git a/.github/workflows/update-release-draft.yml b/.github/workflows/update-release-draft.yml index 4ce853e0a4..12a56c1beb 100644 --- a/.github/workflows/update-release-draft.yml +++ b/.github/workflows/update-release-draft.yml @@ -22,7 +22,7 @@ permissions: jobs: variables: name: Set variables - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read outputs: @@ -50,7 +50,7 @@ jobs: update-release-draft: name: Update Release Draft - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: [variables] permissions: contents: write diff --git a/.github/workflows/updates-notification.yml b/.github/workflows/updates-notification.yml index 1e7185f372..b276708a1d 100644 --- a/.github/workflows/updates-notification.yml +++ b/.github/workflows/updates-notification.yml @@ -26,7 +26,7 @@ permissions: jobs: send-notifications: name: Send Notifications - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 permissions: contents: read actions: read # for 8398a7/action-slack diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index d913c23450..342601cb56 100644 
--- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -27,7 +27,7 @@ jobs: version-bump: permissions: contents: write - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 From a41fc130da9bbc7bb9793bbcd4c7500c60b3cdad Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Thu, 29 Aug 2024 18:51:29 -0700 Subject: [PATCH 23/83] Docker image update 41b01cd0 (#6303) Update docker images 41b01cd0 --- build/dependencies/Dockerfile.ubi-ppc64le | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le index eae099c489..59e28fc956 100644 --- a/build/dependencies/Dockerfile.ubi-ppc64le +++ b/build/dependencies/Dockerfile.ubi-ppc64le @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.8 FROM nginx:1.27.1@sha256:1540e37eebb9abc5afa4256de1bade6542d50bf69b61b1dd855cb7804aaaf444 AS nginx -FROM redhat/ubi9:9.4@sha256:1ee4d8c50d14d9c9e9229d9a039d793fcbc9aa803806d194c957a397cf1d2b17 AS rpm-build +FROM redhat/ubi9:9.4@sha256:9e6a89ab2a9224712391c77fab2ab01009e387aff42854826427aaf18b98b1ff AS rpm-build ARG NGINX ARG NJS ENV NGINX_VERSION ${NGINX} From f6c958aabd6ba07ce3bf138f35d12b5f7181d13b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Aug 2024 09:22:07 +0100 Subject: [PATCH 24/83] Bump github/codeql-action from 3.26.5 to 3.26.6 in the actions group (#6311) Bumps the actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action). Updates `github/codeql-action` from 3.26.5 to 3.26.6 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/2c779ab0d087cd7fe7b826087247c2c81f27bfa6...4dd16135b69a43b6c8efb853346f8437d92d3c93) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Fenlon --- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/image-promotion.yml | 8 ++++---- .github/workflows/scorecards.yml | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3a096b5de8..769df2b922 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -70,7 +70,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/init@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -89,7 +89,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/autobuild@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -102,6 +102,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/analyze@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 7eddc80ea6..ab1f387b15 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -143,7 +143,7 @@ jobs: fi - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 if: steps.check-sarif.outputs.sarif_has_results == 'true' with: sarif_file: govulncheck.sarif @@ -466,7 +466,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: sarif_file: "${{ steps.directory.outputs.directory }}/" 
@@ -556,7 +556,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: sarif_file: "${{ steps.directory.outputs.directory }}/" @@ -653,7 +653,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: sarif_file: "${{ steps.directory.outputs.directory }}/" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index f245b515a5..0127eadde5 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: sarif_file: results.sarif From 6f720bd271e9fdecdd1f076b902d46edb86429ca Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 30 Aug 2024 08:55:49 +0000 Subject: [PATCH 25/83] Bump sigs.k8s.io/controller-tools from 0.16.1 to 0.16.2 in the go group (#6310) * Bump sigs.k8s.io/controller-tools from 0.16.1 to 0.16.2 in the go group Bumps the go group with 1 update: [sigs.k8s.io/controller-tools](https://github.com/kubernetes-sigs/controller-tools). Updates `sigs.k8s.io/controller-tools` from 0.16.1 to 0.16.2 - [Release notes](https://github.com/kubernetes-sigs/controller-tools/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-tools/blob/main/envtest-releases.yaml) - [Commits](https://github.com/kubernetes-sigs/controller-tools/compare/v0.16.1...v0.16.2) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-tools dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] * update crds --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Fenlon --- .../appprotectdos.f5.com_dosprotectedresources.yaml | 2 +- .../bases/externaldns.nginx.org_dnsendpoints.yaml | 2 +- .../bases/k8s.nginx.org_globalconfigurations.yaml | 2 +- config/crd/bases/k8s.nginx.org_policies.yaml | 2 +- config/crd/bases/k8s.nginx.org_transportservers.yaml | 2 +- .../crd/bases/k8s.nginx.org_virtualserverroutes.yaml | 2 +- config/crd/bases/k8s.nginx.org_virtualservers.yaml | 2 +- deploy/crds-nap-dos.yaml | 2 +- deploy/crds.yaml | 12 ++++++------ go.mod | 2 +- go.sum | 4 ++-- 11 files changed, 17 insertions(+), 17 deletions(-) diff --git a/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml b/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml index e84f2ec982..c17851d244 100644 --- a/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml +++ b/config/crd/bases/appprotectdos.f5.com_dosprotectedresources.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: dosprotectedresources.appprotectdos.f5.com spec: group: appprotectdos.f5.com diff --git a/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml b/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml index 7ca7bd37ca..c23b00585a 100644 --- a/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml +++ b/config/crd/bases/externaldns.nginx.org_dnsendpoints.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: dnsendpoints.externaldns.nginx.org spec: group: externaldns.nginx.org diff --git a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml index 93da45a3ac..b70d87debe 100644 --- a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml +++ b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: globalconfigurations.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/config/crd/bases/k8s.nginx.org_policies.yaml b/config/crd/bases/k8s.nginx.org_policies.yaml index 237197bd2b..84046bc1cf 100644 --- a/config/crd/bases/k8s.nginx.org_policies.yaml +++ b/config/crd/bases/k8s.nginx.org_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: policies.k8s.nginx.org spec: group: k8s.nginx.org 
diff --git a/config/crd/bases/k8s.nginx.org_transportservers.yaml b/config/crd/bases/k8s.nginx.org_transportservers.yaml index 47322dce6d..b752ce5359 100644 --- a/config/crd/bases/k8s.nginx.org_transportservers.yaml +++ b/config/crd/bases/k8s.nginx.org_transportservers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: transportservers.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml index 4959f32380..231e99d3c5 100644 --- a/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualserverroutes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: virtualserverroutes.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/config/crd/bases/k8s.nginx.org_virtualservers.yaml b/config/crd/bases/k8s.nginx.org_virtualservers.yaml index ab3e1066c5..23e680028b 100644 --- a/config/crd/bases/k8s.nginx.org_virtualservers.yaml +++ b/config/crd/bases/k8s.nginx.org_virtualservers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: virtualservers.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/deploy/crds-nap-dos.yaml b/deploy/crds-nap-dos.yaml index 01028e399a..9f40f4c5aa 100644 --- a/deploy/crds-nap-dos.yaml +++ b/deploy/crds-nap-dos.yaml 
@@ -148,7 +148,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: dosprotectedresources.appprotectdos.f5.com spec: group: appprotectdos.f5.com diff --git a/deploy/crds.yaml b/deploy/crds.yaml index 68e8830323..411e32c025 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: dnsendpoints.externaldns.nginx.org spec: group: externaldns.nginx.org @@ -99,7 +99,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: globalconfigurations.k8s.nginx.org spec: group: k8s.nginx.org @@ -205,7 +205,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: policies.k8s.nginx.org spec: group: k8s.nginx.org @@ -567,7 +567,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: transportservers.k8s.nginx.org spec: group: k8s.nginx.org @@ -899,7 +899,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: virtualserverroutes.k8s.nginx.org spec: group: k8s.nginx.org 
@@ -1628,7 +1628,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.1 + controller-gen.kubebuilder.io/version: v0.16.2 name: virtualservers.k8s.nginx.org spec: group: k8s.nginx.org diff --git a/go.mod b/go.mod index a89af5637a..bc6c0ef81b 100644 --- a/go.mod +++ b/go.mod @@ -30,7 +30,7 @@ require ( k8s.io/client-go v0.31.0 k8s.io/code-generator v0.31.0 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 - sigs.k8s.io/controller-tools v0.16.1 + sigs.k8s.io/controller-tools v0.16.2 ) require ( diff --git a/go.sum b/go.sum index c301eeb174..ac9248ea7e 100644 --- a/go.sum +++ b/go.sum @@ -444,8 +444,8 @@ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3 h1:2770sDpzrjjsAtVhSeUFseziht227YAWYHLGNM8QPwY= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.30.3/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw= -sigs.k8s.io/controller-tools v0.16.1 h1:gvIsZm+2aimFDIBiDKumR7EBkc+oLxljoUVfRbDI6RI= -sigs.k8s.io/controller-tools v0.16.1/go.mod h1:0I0xqjR65YTfoO12iR+mZR6s6UAVcUARgXRlsu0ljB0= +sigs.k8s.io/controller-tools v0.16.2 h1:uUFF/AW3phBWPiERvkSNOVct//L427bPS7xGfKi6Tz4= +sigs.k8s.io/controller-tools v0.16.2/go.mod h1:0I0xqjR65YTfoO12iR+mZR6s6UAVcUARgXRlsu0ljB0= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= From 51af7485f148ec14c6a08e17d0a88172e783c8ac Mon Sep 17 00:00:00 2001 
From: Jim Ryan Date: Fri, 30 Aug 2024 12:13:50 +0100 Subject: [PATCH 26/83] Chore/refactor transport server listens (#6315) * add makeTransportListener function * add snap update --- .../__snapshots__/templates_test.snap | 1 + .../version2/nginx-plus.transportserver.tmpl | 3 +- .../version2/nginx.transportserver.tmpl | 3 +- internal/configs/version2/template_helper.go | 61 +++++++++++++---- .../configs/version2/template_helper_test.go | 66 +++++++++++++++++++ 5 files changed, 118 insertions(+), 16 deletions(-) diff --git a/internal/configs/version2/__snapshots__/templates_test.snap b/internal/configs/version2/__snapshots__/templates_test.snap index 5a57399f9f..23e822183e 100644 --- a/internal/configs/version2/__snapshots__/templates_test.snap +++ b/internal/configs/version2/__snapshots__/templates_test.snap @@ -5708,6 +5708,7 @@ match match_udp-upstream { server { listen 1234 ssl udp; listen [::]:1234 ssl udp; + ssl_certificate cafe-secret.pem; ssl_certificate_key cafe-secret.pem; diff --git a/internal/configs/version2/nginx-plus.transportserver.tmpl b/internal/configs/version2/nginx-plus.transportserver.tmpl index ac5b3ff8bf..8b959b548f 100644 --- a/internal/configs/version2/nginx-plus.transportserver.tmpl +++ b/internal/configs/version2/nginx-plus.transportserver.tmpl @@ -39,8 +39,7 @@ server { listen {{ $s.UnixSocket }} proxy_protocol; set_real_ip_from unix:; {{- else }} - listen {{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }}; - {{if not $s.DisableIPV6}}listen [::]:{{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }};{{end}} + {{ makeTransportListener $s | printf }} {{- end }} {{- if $ssl.Enabled }} diff --git a/internal/configs/version2/nginx.transportserver.tmpl b/internal/configs/version2/nginx.transportserver.tmpl index 3d6cdb9e75..eff9df8665 100644 --- a/internal/configs/version2/nginx.transportserver.tmpl +++ b/internal/configs/version2/nginx.transportserver.tmpl 
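Review bot: The `| printf` after `makeTransportListener $s` on the new listen line in nginx-plus.transportserver.tmpl is redundant, and it turns the helper's return value into a format string, so any `%` in that value would be interpreted rather than emitted as written. The helper already returns a plain string, so `{{ makeTransportListener $s }}` is enough; the same applies to the identical line added to nginx.transportserver.tmpl. The port is produced by `strconv.Itoa` in this commit, so nothing is mangled today, but dropping the pipe removes the hazard if the helper later emits other text. The enclosing `server` block starts and ends outside the hunk.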
@@ -23,8 +23,7 @@ server { listen {{ $s.UnixSocket }} proxy_protocol; set_real_ip_from unix:; {{- else }} - listen {{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }}; - {{if not $s.DisableIPV6}}listen [::]:{{ $s.Port }}{{ if $ssl.Enabled }} ssl{{ end }}{{ if $s.UDP }} udp{{ end }};{{end}} + {{ makeTransportListener $s | printf }} {{- end }} {{- if $ssl.Enabled }} diff --git a/internal/configs/version2/template_helper.go b/internal/configs/version2/template_helper.go index 1f9356959f..9669fb802e 100644 --- a/internal/configs/version2/template_helper.go +++ b/internal/configs/version2/template_helper.go @@ -114,6 +114,28 @@ func buildListenDirective(port string, proxyProtocol bool, listenType listenerTy return directive } +func buildTransportListenDirective(listenType listenerType, port string, ssl *StreamSSL, udp bool) string { + base := "listen" + var directive string + + if listenType == ipv6 { + directive = base + " [::]:" + port + } else { + directive = base + " " + port + } + + if ssl.Enabled { + directive += " ssl" + } + + if udp { + directive += " udp" + } + + directive += ";\n" + return directive +} + func makeHTTPListener(s Server) string { return makeListener(http, s) } @@ -122,6 +144,20 @@ func makeHTTPSListener(s Server) string { return makeListener(https, s) } +func makeTransportListener(s StreamServer) string { + var directives string + port := strconv.Itoa(s.Port) + + directives += buildTransportListenDirective(ipv4, port, s.SSL, s.UDP) + + if !s.DisableIPV6 { + directives += spacing + directives += buildTransportListenDirective(ipv6, port, s.SSL, s.UDP) + } + + return directives +} + func makeHeaderQueryValue(apiKey APIKey) string { var parts []string 
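Review bot: `buildTransportListenDirective` reads `ssl.Enabled` through a `*StreamSSL` without a nil check, so a `StreamServer` whose `SSL` field is unset would hit a nil dereference inside the template helper instead of rendering a plain listener. `StreamServer` is declared outside this diff, so whether `SSL` is always populated cannot be confirmed from here; every case in the new test sets it. A guard such as `if ssl != nil && ssl.Enabled {` keeps the helper safe for callers that leave it nil. The function also has no doc comment; `// buildTransportListenDirective returns one stream listen directive for the given address family, terminated by a newline.` would cover it.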
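Review bot: `makeTransportListener` has no doc comment, and its output contract is not obvious from the call site in the templates. Each directive ends with `\n` and the IPv6 directive is prefixed with `spacing`, which appears to be why the snapshot in this commit gains a blank line after the listeners. I would add `// makeTransportListener returns the IPv4 listen directive for s and, unless s.DisableIPV6 is set, the IPv6 one, each terminated by a newline.` above the function so template authors know not to add their own line break.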
@@ -140,16 +176,17 @@ func makeHeaderQueryValue(apiKey APIKey) string { } var helperFunctions = template.FuncMap{ - "headerListToCIMap": headerListToCIMap, - "hasCIKey": hasCIKey, - "contains": strings.Contains, - "hasPrefix": strings.HasPrefix, - "hasSuffix": strings.HasSuffix, - "toLower": strings.ToLower, - "toUpper": strings.ToUpper, - "replaceAll": strings.ReplaceAll, - "makeHTTPListener": makeHTTPListener, - "makeHTTPSListener": makeHTTPSListener, - "makeSecretPath": commonhelpers.MakeSecretPath, - "makeHeaderQueryValue": makeHeaderQueryValue, + "headerListToCIMap": headerListToCIMap, + "hasCIKey": hasCIKey, + "contains": strings.Contains, + "hasPrefix": strings.HasPrefix, + "hasSuffix": strings.HasSuffix, + "toLower": strings.ToLower, + "toUpper": strings.ToUpper, + "replaceAll": strings.ReplaceAll, + "makeHTTPListener": makeHTTPListener, + "makeHTTPSListener": makeHTTPSListener, + "makeSecretPath": commonhelpers.MakeSecretPath, + "makeHeaderQueryValue": makeHeaderQueryValue, + "makeTransportListener": makeTransportListener, } diff --git a/internal/configs/version2/template_helper_test.go b/internal/configs/version2/template_helper_test.go index ed0650ae06..a79fd47bc4 100644 --- a/internal/configs/version2/template_helper_test.go +++ b/internal/configs/version2/template_helper_test.go 
@@ -268,6 +268,72 @@ func TestMakeHTTPSListener(t *testing.T) { } } +func TestMakeTransportListener(t *testing.T) { + t.Parallel() + + testCases := []struct { + server StreamServer + expected string + }{ + {server: StreamServer{ + UDP: false, + SSL: &StreamSSL{ + Enabled: false, + }, + DisableIPV6: true, + Port: 5353, + }, expected: "listen 5353;\n"}, + {server: StreamServer{ + UDP: true, + SSL: &StreamSSL{ + Enabled: false, + }, + DisableIPV6: true, + Port: 5353, + }, expected: "listen 5353 udp;\n"}, + {server: StreamServer{ + UDP: true, + SSL: &StreamSSL{ + Enabled: true, + }, + DisableIPV6: true, + Port: 5353, + }, expected: "listen 5353 ssl udp;\n"}, + + {server: StreamServer{ + UDP: false, + SSL: &StreamSSL{ + Enabled: false, + }, + DisableIPV6: false, + Port: 5353, + }, expected: "listen 5353;\n listen [::]:5353;\n"}, + {server: StreamServer{ + UDP: true, + SSL: &StreamSSL{ + Enabled: false, + }, + DisableIPV6: false, + Port: 5353, + }, expected: "listen 5353 udp;\n listen [::]:5353 udp;\n"}, + {server: StreamServer{ + UDP: true, + SSL: &StreamSSL{ + Enabled: true, + }, + DisableIPV6: false, + Port: 5353, + }, expected: "listen 5353 ssl udp;\n listen [::]:5353 ssl udp;\n"}, + } + + for _, tc := range testCases { + got := makeTransportListener(tc.server) + if got != tc.expected { + t.Errorf("Function generated wrong config, got %q but expected %q.", got, tc.expected) + } + } +} + func newContainsTemplate(t *testing.T) *template.Template { t.Helper() tmpl, err := template.New("testTemplate").Funcs(helperFunctions).Parse(`{{contains .InputString .Substring}}`) From 06d875c4d922ae45e03d80be507535c718641ed0 Mon Sep 17 00:00:00 2001 
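Review bot: The table in `TestMakeTransportListener` never combines `SSL.Enabled: true` with `UDP: false`, so the ssl-only output (`"listen 5353 ssl;\n"`) is not pinned for either address family. Adding that case with `DisableIPV6` both true and false would exercise the `ssl` and `udp` branches of `buildTransportListenDirective` independently. Running each row under `t.Run` with a short name would also make a failing case identifiable, since the current `t.Errorf` prints only the two strings.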
From: Venktesh Shivam Patel Date: Fri, 30 Aug 2024 14:00:21 +0100 Subject: [PATCH 27/83] update tech specs and regression k8s matrix (#6316) - remove versions older than 2 years from tech specs - update regression job to run tests on last 5 k8s version --- .github/workflows/regression.yml | 2 +- docs/content/technical-specifications.md | 7 ------- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 11c48b52b2..300ea4c980 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -58,7 +58,7 @@ jobs: | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ | sort -rV \ | awk -F. '!seen[$1"."$2]++' \ - | head -n 7 \ + | head -n 5 \ | sort -V \ | sed 's/v//g' \ | sed 's/$//' \ diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md index c212f7b564..5112d7d6c3 100644 --- a/docs/content/technical-specifications.md +++ b/docs/content/technical-specifications.md @@ -37,13 +37,6 @@ We test NGINX Ingress Controller on a range of Kubernetes platforms for each rel | 3.0.2 | 1.21 - 1.26 | 0.16.2 | 1.3.1 | 1.23.3 / R28 | | 2.4.2 | 1.19 - 1.25 | 0.15.2 | 1.2.1 | 1.23.2 / R28 | | 2.3.1 | 1.19 - 1.24 | 0.14.1 | 1.1.0 | 1.23.1 / R27 | -| 2.2.2 | 1.19 - 1.23 | 0.13.2 | 1.0.0 | 1.21.6 / R26 | -| 2.1.2 | 1.19 - 1.23 | 0.12.1 | 0.5.1 | 1.21.6 / R26 | -| 2.0.3 | 1.19 - 1.22 | 0.11.3 | 0.4.0 | 1.21.3 / R25 | -| 1.12.4 | 1.16 - 1.21 | 0.10.4 | 0.3.0 | 1.21.6 / R26 | -| 1.11.3 | 1.16 - 1.20 | 0.9.0 | 0.2.0 | 1.21.0 / R23 P1 | -| 1.10.1 | 1.16 - 1.19 | 0.8.0 | 0.1.0 | 1.19.8 / R23 | -| 1.9.1 | 1.16 - 1.18 | 0.7.1 | 0.0.7 | 1.19.3 / R22 | {{% /bootstrap-table %}} --- From a07980535b6aabed632a726dc077e89821431a3f Mon Sep 17 00:00:00 2001 
From: Venktesh Shivam Patel Date: Fri, 30 Aug 2024 14:03:58 +0100 Subject: [PATCH 28/83] Add docs for proxy-set-header (#6317) --- .../ingress-resources/advanced-configuration-with-annotations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md index 64a69dccea..46d02dffd2 100644 --- a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md +++ b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md 
@@ -121,6 +121,7 @@ The table below summarizes the available annotations. | *nginx.org/proxy-hide-headers* | *proxy-hide-headers* | Sets the value of one or more [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: ``"nginx.org/proxy-hide-headers": "header-a,header-b"* | N/A | | | *nginx.org/proxy-pass-headers* | *proxy-pass-headers* | Sets the value of one or more [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: ``"nginx.org/proxy-pass-headers": "header-a,header-b"* | N/A | | | *nginx.org/rewrites* | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [rewrites](https://github.com/nginxinc/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/rewrites) | +|*nginx.org/proxy-set-headers* | N/A | Enables customization of proxy headers and values using the [proxy_set_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header) directive. Example: ``"nginx.org/proxy-set-headers": "header-a: valueA,header-b: valueB,header-c: valueC"`` | N/A | [Proxy Set Headers](https://github.com/nginxinc/kubernetes-ingress/tree/v{{< nic-version >}}/examples/ingress-resources/proxy-set-headers). | {{}} ### Auth and SSL/TLS From 65d7b0b924791b1965a4ef0e5ba491c320a98243 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 2 Sep 2024 10:37:17 +0100 Subject: [PATCH 29/83] refactor ConfigMap controller (#6321) move configmap functions to their own file --- internal/k8s/configmap.go | 100 +++++++++++++++++++++++++++++++++++++ internal/k8s/controller.go | 47 ----------------- internal/k8s/handlers.go | 41 --------------- 3 files changed, 100 insertions(+), 88 deletions(-) create mode 100644 internal/k8s/configmap.go 
diff --git a/internal/k8s/configmap.go b/internal/k8s/configmap.go
new file mode 100644
index 0000000000..676e7a7569
--- /dev/null
+++ b/internal/k8s/configmap.go
@@ -0,0 +1,100 @@ +package k8s + +import ( + "reflect" + + "github.com/golang/glog" + api_v1 "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/fields" + "k8s.io/client-go/tools/cache" +) + +// createConfigMapHandlers builds the handler funcs for config maps +func createConfigMapHandlers(lbc *LoadBalancerController, name string) cache.ResourceEventHandlerFuncs { + return cache.ResourceEventHandlerFuncs{ + AddFunc: func(obj interface{}) { + configMap := obj.(*v1.ConfigMap) + if configMap.Name == name { + glog.V(3).Infof("Adding ConfigMap: %v", configMap.Name) + lbc.AddSyncQueue(obj) + } + }, + DeleteFunc: func(obj interface{}) { + configMap, isConfigMap := obj.(*v1.ConfigMap) + if !isConfigMap { + deletedState, ok := obj.(cache.DeletedFinalStateUnknown) + if !ok { + glog.V(3).Infof("Error received unexpected object: %v", obj) + return + } + configMap, ok = deletedState.Obj.(*v1.ConfigMap) + if !ok { + glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-ConfigMap object: %v", deletedState.Obj) + return + } + } + if configMap.Name == name { + glog.V(3).Infof("Removing ConfigMap: %v", configMap.Name) + lbc.AddSyncQueue(obj) + } + }, + UpdateFunc: func(old, cur interface{}) { + if !reflect.DeepEqual(old, cur) { + configMap := cur.(*v1.ConfigMap) + if configMap.Name == name { + glog.V(3).Infof("ConfigMap %v changed, syncing", cur.(*v1.ConfigMap).Name) + lbc.AddSyncQueue(cur) + } + } + }, + } +} + +// addConfigMapHandler adds the handler for config maps to the controller +func (lbc *LoadBalancerController) addConfigMapHandler(handlers cache.ResourceEventHandlerFuncs, namespace string) { + options := cache.InformerOptions{ + ListerWatcher: cache.NewListWatchFromClient( + lbc.client.CoreV1().RESTClient(), + "configmaps", + namespace, + fields.Everything()), + ObjectType: &api_v1.ConfigMap{}, + ResyncPeriod: lbc.resync, + Handler: handlers, + } + lbc.configMapLister.Store, lbc.configMapController = cache.NewInformerWithOptions(options) + 
lbc.cacheSyncs = append(lbc.cacheSyncs, lbc.configMapController.HasSynced) +} + +func (lbc *LoadBalancerController) syncConfigMap(task task) { + key := task.Key + glog.V(3).Infof("Syncing configmap %v", key) + + obj, configExists, err := lbc.configMapLister.GetByKey(key) + if err != nil { + lbc.syncQueue.Requeue(task, err) + return + } + if configExists { + lbc.configMap = obj.(*api_v1.ConfigMap) + externalStatusAddress, exists := lbc.configMap.Data["external-status-address"] + if exists { + lbc.statusUpdater.SaveStatusFromExternalStatus(externalStatusAddress) + } + } else { + lbc.configMap = nil + } + + if !lbc.isNginxReady { + glog.V(3).Infof("Skipping ConfigMap update because the pod is not ready yet") + return + } + + if lbc.batchSyncEnabled { + glog.V(3).Infof("Skipping ConfigMap update because batch sync is on") + return + } + + lbc.updateAllConfigs() +} diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 44c9394e8a..54f69ee0ee 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -545,21 +545,6 @@ func (nsi *namespacedInformer) addEndpointSliceHandler(handlers cache.ResourceEv nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) } -// addConfigMapHandler adds the handler for config maps to the controller -func (lbc *LoadBalancerController) addConfigMapHandler(handlers cache.ResourceEventHandlerFuncs, namespace string) { - lbc.configMapLister.Store, lbc.configMapController = cache.NewInformer( - cache.NewListWatchFromClient( - lbc.client.CoreV1().RESTClient(), - "configmaps", - namespace, - fields.Everything()), - &api_v1.ConfigMap{}, - lbc.resync, - handlers, - ) - lbc.cacheSyncs = append(lbc.cacheSyncs, lbc.configMapController.HasSynced) -} - func (nsi *namespacedInformer) addPodHandler() { informer := nsi.sharedInformerFactory.Core().V1().Pods().Informer() nsi.podLister = indexerToPodLister{Indexer: informer.GetIndexer()} 
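Review bot: The new internal/k8s/configmap.go imports `k8s.io/api/core/v1` twice, as `api_v1` and as `v1`, and then uses `v1.ConfigMap` in `createConfigMapHandlers` but `api_v1.ConfigMap` in `addConfigMapHandler` and `syncConfigMap`. One alias is enough: keep `api_v1 "k8s.io/api/core/v1"` and write `obj.(*api_v1.ConfigMap)` in the handlers. Separately, `AddFunc` and `UpdateFunc` use unchecked type assertions while `DeleteFunc` uses the comma-ok form; a mismatched object there would panic the handler rather than be logged.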
@@ -1018,38 +1003,6 @@ func (lbc *LoadBalancerController) createExtendedResources(resources []Resource) return result } -func (lbc *LoadBalancerController) syncConfigMap(task task) { - key := task.Key - glog.V(3).Infof("Syncing configmap %v", key) - - obj, configExists, err := lbc.configMapLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - if configExists { - lbc.configMap = obj.(*api_v1.ConfigMap) - externalStatusAddress, exists := lbc.configMap.Data["external-status-address"] - if exists { - lbc.statusUpdater.SaveStatusFromExternalStatus(externalStatusAddress) - } - } else { - lbc.configMap = nil - } - - if !lbc.isNginxReady { - glog.V(3).Infof("Skipping ConfigMap update because the pod is not ready yet") - return - } - - if lbc.batchSyncEnabled { - glog.V(3).Infof("Skipping ConfigMap update because batch sync is on") - return - } - - lbc.updateAllConfigs() -} - func (lbc *LoadBalancerController) updateAllConfigs() { cfgParams := configs.NewDefaultConfigParams(lbc.isNginxPlus) diff --git a/internal/k8s/handlers.go b/internal/k8s/handlers.go index eb53880e49..fe55da5954 100644 --- a/internal/k8s/handlers.go +++ b/internal/k8s/handlers.go 
@@ -19,47 +19,6 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) -// createConfigMapHandlers builds the handler funcs for config maps -func createConfigMapHandlers(lbc *LoadBalancerController, name string) cache.ResourceEventHandlerFuncs { - return cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - configMap := obj.(*v1.ConfigMap) - if configMap.Name == name { - glog.V(3).Infof("Adding ConfigMap: %v", configMap.Name) - lbc.AddSyncQueue(obj) - } - }, - DeleteFunc: func(obj interface{}) { - configMap, isConfigMap := obj.(*v1.ConfigMap) - if !isConfigMap { - deletedState, ok := obj.(cache.DeletedFinalStateUnknown) - if !ok { - glog.V(3).Infof("Error received unexpected object: %v", obj) - return - } - configMap, ok = deletedState.Obj.(*v1.ConfigMap) - if !ok { - glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-ConfigMap object: %v", deletedState.Obj) - return - } - } - if configMap.Name == name { - glog.V(3).Infof("Removing ConfigMap: %v", configMap.Name) - lbc.AddSyncQueue(obj) - } - }, - UpdateFunc: func(old, cur interface{}) { - if !reflect.DeepEqual(old, cur) { - configMap := cur.(*v1.ConfigMap) - if configMap.Name == name { - glog.V(3).Infof("ConfigMap %v changed, syncing", cur.(*v1.ConfigMap).Name) - lbc.AddSyncQueue(cur) - } - } - }, - } -} - // createEndpointSliceHandlers builds the handler funcs for EndpointSlices func createEndpointSliceHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { return cache.ResourceEventHandlerFuncs{ From 1a8870e5a3b20f483e4071829a5067c23afe2960 Mon Sep 17 00:00:00 2001 
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 2 Sep 2024 12:07:59 +0100 Subject: [PATCH 30/83] refactor EndpointSlice controller (#6323) move endpoint_slice functions to their own file --- internal/k8s/controller.go | 95 ----------------------- internal/k8s/endpoint_slice.go | 138 +++++++++++++++++++++++++++++++++ internal/k8s/handlers.go | 35 --------- 3 files changed, 138 insertions(+), 130 deletions(-) create mode 100644 internal/k8s/endpoint_slice.go diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 54f69ee0ee..7f62e608d6 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -534,17 +534,6 @@ func (nsi *namespacedInformer) addIngressHandler(handlers cache.ResourceEventHan nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) } -// addEndpointSliceHandler adds the handler for EndpointSlices to the controller -func (nsi *namespacedInformer) addEndpointSliceHandler(handlers cache.ResourceEventHandlerFuncs) { - informer := nsi.sharedInformerFactory.Discovery().V1().EndpointSlices().Informer() - informer.AddEventHandler(handlers) - var el storeToEndpointSliceLister - el.Store = informer.GetStore() - nsi.endpointSliceLister = el - - nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) -} - func (nsi *namespacedInformer) addPodHandler() { informer := nsi.sharedInformerFactory.Core().V1().Pods().Informer() nsi.podLister = indexerToPodLister{Indexer: informer.GetIndexer()} 
@@ -767,90 +756,6 @@ func (lbc *LoadBalancerController) getNamespacedInformer(ns string) *namespacedI return nsi } -func (lbc *LoadBalancerController) syncEndpointSlices(task task) bool { - key := task.Key - var obj interface{} - var endpointSliceExists bool - var err error - var resourcesFound bool - - ns, _, _ := cache.SplitMetaNamespaceKey(key) - obj, endpointSliceExists, err = lbc.getNamespacedInformer(ns).endpointSliceLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return false - } - - if !endpointSliceExists { - return false - } - - endpointSlice := obj.(*discovery_v1.EndpointSlice) - svcName := endpointSlice.Labels["kubernetes.io/service-name"] - svcResource := lbc.configuration.FindResourcesForService(endpointSlice.Namespace, svcName) - - // check if this is the endpointslice for the controller's own service - if lbc.statusUpdater.namespace == endpointSlice.Namespace && lbc.statusUpdater.externalServiceName == svcName { - return lbc.updateNumberOfIngressControllerReplicas(*endpointSlice) - } - - resourceExes := lbc.createExtendedResources(svcResource) - - if len(resourceExes.IngressExes) > 0 { - for _, ingEx := range resourceExes.IngressExes { - if lbc.ingressRequiresEndpointsUpdate(ingEx, svcName) { - resourcesFound = true - glog.V(3).Infof("Updating EndpointSlices for %v", resourceExes.IngressExes) - err = lbc.configurator.UpdateEndpoints(resourceExes.IngressExes) - if err != nil { - glog.Errorf("Error updating EndpointSlices for %v: %v", resourceExes.IngressExes, err) - } - break - } - } - } - - if len(resourceExes.MergeableIngresses) > 0 { - for _, mergeableIngresses := range resourceExes.MergeableIngresses { - if lbc.mergeableIngressRequiresEndpointsUpdate(mergeableIngresses, svcName) { - resourcesFound = true - glog.V(3).Infof("Updating EndpointSlices for %v", resourceExes.MergeableIngresses) - err = lbc.configurator.UpdateEndpointsMergeableIngress(resourceExes.MergeableIngresses) - if err != nil { - glog.Errorf("Error 
updating EndpointSlices for %v: %v", resourceExes.MergeableIngresses, err) - } - break - } - } - } - - if lbc.areCustomResourcesEnabled { - if len(resourceExes.VirtualServerExes) > 0 { - for _, vsEx := range resourceExes.VirtualServerExes { - if lbc.virtualServerRequiresEndpointsUpdate(vsEx, svcName) { - resourcesFound = true - glog.V(3).Infof("Updating EndpointSlices for %v", resourceExes.VirtualServerExes) - err := lbc.configurator.UpdateEndpointsForVirtualServers(resourceExes.VirtualServerExes) - if err != nil { - glog.Errorf("Error updating EndpointSlices for %v: %v", resourceExes.VirtualServerExes, err) - } - break - } - } - } - - if len(resourceExes.TransportServerExes) > 0 { - resourcesFound = true - glog.V(3).Infof("Updating EndpointSlices for %v", resourceExes.TransportServerExes) - err := lbc.configurator.UpdateEndpointsForTransportServers(resourceExes.TransportServerExes) - if err != nil { - glog.Errorf("Error updating EndpointSlices for %v: %v", resourceExes.TransportServerExes, err) - } - } - } - return resourcesFound -} - // finds the number of currently active endpoints for the service pointing at the ingresscontroller and updates all configs that depend on that number func (lbc *LoadBalancerController) updateNumberOfIngressControllerReplicas(controllerEndpointSlice discovery_v1.EndpointSlice) bool { previous := lbc.configurator.GetIngressControllerReplicas() diff --git a/internal/k8s/endpoint_slice.go b/internal/k8s/endpoint_slice.go new file mode 100644 index 0000000000..6c691bf5ec --- /dev/null +++ b/internal/k8s/endpoint_slice.go 
@@ -0,0 +1,138 @@ +package k8s + +import ( + "reflect" + + "github.com/golang/glog" + discovery_v1 "k8s.io/api/discovery/v1" + "k8s.io/client-go/tools/cache" +) + +// createEndpointSliceHandlers builds the handler funcs for EndpointSlices +func createEndpointSliceHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { + return cache.ResourceEventHandlerFuncs{ + AddFunc: func(obj interface{}) { + endpointSlice := obj.(*discovery_v1.EndpointSlice) + glog.V(3).Infof("Adding EndpointSlice: %v", endpointSlice.Name) + lbc.AddSyncQueue(obj) + }, + DeleteFunc: func(obj interface{}) { + endpointSlice, isEndpointSlice := obj.(*discovery_v1.EndpointSlice) + if !isEndpointSlice { + deletedState, ok := obj.(cache.DeletedFinalStateUnknown) + if !ok { + glog.V(3).Infof("Error received unexpected object: %v", obj) + return + } + endpointSlice, ok = deletedState.Obj.(*discovery_v1.EndpointSlice) + if !ok { + glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-EndpointSlice object: %v", deletedState.Obj) + return + } + } + glog.V(3).Infof("Removing EndpointSlice: %v", endpointSlice.Name) + lbc.AddSyncQueue(obj) + }, UpdateFunc: func(old, cur interface{}) { + if !reflect.DeepEqual(old, cur) { + glog.V(3).Infof("EndpointSlice %v changed, syncing", cur.(*discovery_v1.EndpointSlice).Name) + lbc.AddSyncQueue(cur) + } + }, + } +} + +// addEndpointSliceHandler adds the handler for EndpointSlices to the controller +func (nsi *namespacedInformer) addEndpointSliceHandler(handlers cache.ResourceEventHandlerFuncs) { + informer := nsi.sharedInformerFactory.Discovery().V1().EndpointSlices().Informer() + informer.AddEventHandler(handlers) //nolint:errcheck,gosec + var el storeToEndpointSliceLister + el.Store = informer.GetStore() + nsi.endpointSliceLister = el + + nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) +} + +// nolint:gocyclo +func (lbc *LoadBalancerController) syncEndpointSlices(task task) bool { + key := task.Key + var obj interface{} + var 
endpointSliceExists bool + var err error + var resourcesFound bool + + ns, _, _ := cache.SplitMetaNamespaceKey(key) + obj, endpointSliceExists, err = lbc.getNamespacedInformer(ns).endpointSliceLister.GetByKey(key) + if err != nil { + lbc.syncQueue.Requeue(task, err) + return false + } + + if !endpointSliceExists { + return false + } + + endpointSlice := obj.(*discovery_v1.EndpointSlice) + svcName := endpointSlice.Labels["kubernetes.io/service-name"] + svcResource := lbc.configuration.FindResourcesForService(endpointSlice.Namespace, svcName) + + // check if this is the endpointslice for the controller's own service + if lbc.statusUpdater.namespace == endpointSlice.Namespace && lbc.statusUpdater.externalServiceName == svcName { + return lbc.updateNumberOfIngressControllerReplicas(*endpointSlice) + } + + resourceExes := lbc.createExtendedResources(svcResource) + + if len(resourceExes.IngressExes) > 0 { + for _, ingEx := range resourceExes.IngressExes { + if lbc.ingressRequiresEndpointsUpdate(ingEx, svcName) { + resourcesFound = true + glog.V(3).Infof("Updating EndpointSlices for %v", resourceExes.IngressExes) + err = lbc.configurator.UpdateEndpoints(resourceExes.IngressExes) + if err != nil { + glog.Errorf("Error updating EndpointSlices for %v: %v", resourceExes.IngressExes, err) + } + break + } + } + } + + if len(resourceExes.MergeableIngresses) > 0 { + for _, mergeableIngresses := range resourceExes.MergeableIngresses { + if lbc.mergeableIngressRequiresEndpointsUpdate(mergeableIngresses, svcName) { + resourcesFound = true + glog.V(3).Infof("Updating EndpointSlices for %v", resourceExes.MergeableIngresses) + err = lbc.configurator.UpdateEndpointsMergeableIngress(resourceExes.MergeableIngresses) + if err != nil { + glog.Errorf("Error updating EndpointSlices for %v: %v", resourceExes.MergeableIngresses, err) + } + break + } + } + } + + if lbc.areCustomResourcesEnabled { + if len(resourceExes.VirtualServerExes) > 0 { + for _, vsEx := range resourceExes.VirtualServerExes 
{ + if lbc.virtualServerRequiresEndpointsUpdate(vsEx, svcName) { + resourcesFound = true + glog.V(3).Infof("Updating EndpointSlices for %v", resourceExes.VirtualServerExes) + err := lbc.configurator.UpdateEndpointsForVirtualServers(resourceExes.VirtualServerExes) + if err != nil { + glog.Errorf("Error updating EndpointSlices for %v: %v", resourceExes.VirtualServerExes, err) + } + break + } + } + } + + if len(resourceExes.TransportServerExes) > 0 { + resourcesFound = true + glog.V(3).Infof("Updating EndpointSlices for %v", resourceExes.TransportServerExes) + err := lbc.configurator.UpdateEndpointsForTransportServers(resourceExes.TransportServerExes) + if err != nil { + glog.Errorf("Error updating EndpointSlices for %v: %v", resourceExes.TransportServerExes, err) + } + } + } + return resourcesFound +} diff --git a/internal/k8s/handlers.go b/internal/k8s/handlers.go index fe55da5954..8589f1f7bf 100644 --- a/internal/k8s/handlers.go +++ b/internal/k8s/handlers.go @@ -5,8 +5,6 @@ import ( "reflect" "sort" - discovery_v1 "k8s.io/api/discovery/v1" - "github.com/jinzhu/copier" "github.com/golang/glog" 
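Review bot: In `addEndpointSliceHandler` the error returned by `informer.AddEventHandler(handlers)` is discarded and the lint finding is silenced with `//nolint:errcheck,gosec`, so a failed registration would leave the controller running without EndpointSlice events and with nothing in the logs. `glog` is already imported in this file, so the call can report it: `if _, err := informer.AddEventHandler(handlers); err != nil { glog.Errorf("Error adding EndpointSlice event handler: %v", err) }`. `syncEndpointSlices` likewise drops the error from `cache.SplitMetaNamespaceKey(key)`, so a malformed key would pass an empty namespace to `getNamespacedInformer`; checking that error and returning early would be safer.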
@@ -19,39 +17,6 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) -// createEndpointSliceHandlers builds the handler funcs for EndpointSlices -func createEndpointSliceHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - return cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - endpointSlice := obj.(*discovery_v1.EndpointSlice) - glog.V(3).Infof("Adding EndpointSlice: %v", endpointSlice.Name) - lbc.AddSyncQueue(obj) - }, - DeleteFunc: func(obj interface{}) { - endpointSlice, isEndpointSlice := obj.(*discovery_v1.EndpointSlice) - if !isEndpointSlice { - deletedState, ok := obj.(cache.DeletedFinalStateUnknown) - if !ok { - glog.V(3).Infof("Error received unexpected object: %v", obj) - return - } - endpointSlice, ok = deletedState.Obj.(*discovery_v1.EndpointSlice) - if !ok { - glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-EndpointSlice object: %v", deletedState.Obj) - return - } - } - glog.V(3).Infof("Removing EndpointSlice: %v", endpointSlice.Name) - lbc.AddSyncQueue(obj) - }, UpdateFunc: func(old, cur interface{}) { - if !reflect.DeepEqual(old, cur) { - glog.V(3).Infof("EndpointSlice %v changed, syncing", cur.(*discovery_v1.EndpointSlice).Name) - lbc.AddSyncQueue(cur) - } - }, - } -} - // createIngressHandlers builds the handler funcs for ingresses func createIngressHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { return cache.ResourceEventHandlerFuncs{ From fbeed767ea658ebf54ba4e0e4003ea84e80bcf97 Mon Sep 17 00:00:00 2001 From: Alan Dooley Date: Mon, 2 Sep 2024 13:28:43 +0000 Subject: [PATCH 31/83] Bump documentation theme version (#6320) * Bump documentation theme version * Use go mod tidy to clean dependencies * hugo mod tidy --------- Co-authored-by: Jim Ryan --- docs/Makefile | 5 ++++- docs/go.mod | 2 +- docs/go.sum | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/Makefile b/docs/Makefile index 2eda42e6fb..b0d647edc4 100644 
--- a/docs/Makefile +++ b/docs/Makefile @@ -4,7 +4,7 @@ HUGO_IMG?=hugomods/hugo:0.115.3 THEME_MODULE = github.com/nginxinc/nginx-hugo-theme ## Pulls the current theme version from the Netlify settings -THEME_VERSION = $(NGINX_THEME_VERSION) +THEME_VERSION = 0.41.14 NETLIFY_DEPLOY_URL = ${DEPLOY_PRIME_URL} # if there's no local hugo, fallback to docker @@ -75,6 +75,9 @@ lint-markdown: hugo-mod: hugo mod get $(THEME_MODULE)@v$(THEME_VERSION) +hugo-tidy: + hugo mod tidy + build-production: hugo --gc -e production diff --git a/docs/go.mod b/docs/go.mod index 48a8895f7f..d58d27303b 100644 --- a/docs/go.mod +++ b/docs/go.mod @@ -2,4 +2,4 @@ module github.com/nginxinc/kubernetes-ingress/docs go 1.19 -require github.com/nginxinc/nginx-hugo-theme v0.41.8 // indirect +require github.com/nginxinc/nginx-hugo-theme v0.41.14 // indirect diff --git a/docs/go.sum b/docs/go.sum index 93628509d3..1cbbb6618c 100644 --- a/docs/go.sum +++ b/docs/go.sum @@ -1,2 +1,2 @@ -github.com/nginxinc/nginx-hugo-theme v0.41.8 h1:l9Lsl9NMaTmNCSMa/W9sdqwhlKFxfb+6ue6w6+bsMC0= -github.com/nginxinc/nginx-hugo-theme v0.41.8/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M= +github.com/nginxinc/nginx-hugo-theme v0.41.14 h1:OraNB01CdMJXufPddvIVt6qn6Mj38Z/XCVIWBgVtuY0= +github.com/nginxinc/nginx-hugo-theme v0.41.14/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M= From 802888afe8bf0d01d6a69fcba27d71f8411b10d2 Mon Sep 17 00:00:00 2001 
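Review bot: The context comment directly above the changed line, `## Pulls the current theme version from the Netlify settings`, no longer describes `THEME_VERSION = 0.41.14`, which is now a fixed pin. This commit records the same version in docs/go.mod and docs/go.sum, so the comment should say where the pin lives and how to move it, for example `## Theme version pin; keep in step with docs/go.mod and docs/go.sum (run hugo-mod, then hugo-tidy)`. Keeping the three in agreement matters because go.sum holds the hash the theme module is checked against.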
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Tue, 3 Sep 2024 09:06:20 +0100 Subject: [PATCH 32/83] images to patch sourced from json file (#6326) --- .github/data/patch-images.json | 110 ++++++++++++++ .github/workflows/image-promotion.yml | 2 + .github/workflows/oss-release.yml | 18 +++ .github/workflows/plus-release.yml | 18 +++ .github/workflows/regression.yml | 5 + .github/workflows/release.yml | 5 + .github/workflows/update-docker-images.yml | 159 +++------------------ 7 files changed, 176 insertions(+), 141 deletions(-) create mode 100644 .github/data/patch-images.json diff --git a/.github/data/patch-images.json b/.github/data/patch-images.json new file mode 100644 index 0000000000..3587d0d313 --- /dev/null +++ b/.github/data/patch-images.json 
@@ -0,0 +1,110 @@ +[ + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress", + "source_os": "debian", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress", + "source_os": "alpine", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress", + "source_os": "ubi", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress", + "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress", + "source_os": "debian", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress", + "platforms": "linux/arm64, linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress", + "source_os": "mktpl", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress", + "platforms": "linux/arm64, linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress", + "source_os": "alpine", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress", + "platforms": "linux/arm64, linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress", + "source_os": "ubi", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress", + "platforms": "linux/arm64, linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress", + "source_os": 
"debian", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress", + "source_os": "mktpl", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress", + "source_os": "ubi", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress", + "source_os": "debian", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress", + "source_os": "ubi", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress", + "source_os": "debian", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress", + "source_os": "mktpl", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress", + "source_os": "ubi", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress", + 
"source_os": "debian", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress", + "source_os": "mktpl", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress", + "platforms": "linux/amd64" + }, + { + "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress", + "source_os": "ubi", + "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress", + "platforms": "linux/amd64" + } +] diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index ab1f387b15..076555c0db 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -321,6 +321,7 @@ jobs: github_public_registry: true source_tag: ${{ needs.checks.outputs.stable_tag }} target_tag: "edge" + branch: ${{ github.ref_name }} dry_run: false permissions: contents: read @@ -342,6 +343,7 @@ jobs: az_mktpl_registry: false source_tag: ${{ needs.checks.outputs.stable_tag }} target_tag: "edge" + branch: ${{ github.ref_name }} dry_run: false permissions: contents: read diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index 7c23c40f3d..0931d0ce8d 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml @@ -24,6 +24,10 @@ on: target_tag: required: true type: string + branch: + required: false + type: string + default: "main" dry_run: type: boolean default: false @@ -50,6 +54,10 @@ on: target_tag: required: true type: string + branch: + required: false + type: string + default: "main" dry_run: type: boolean default: false 
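Review bot: The `ubi` entry for `release/nginx-ic/nginx-plus-ingress` lists `"platforms": "linux/arm64, linux/amd64"`, but the inline matrix this file replaces (removed from update-docker-images.yml in the same commit) patched the Plus `-ubi` image for `linux/arm64, linux/amd64, linux/s390x`. If the drop is not intended, patched Plus UBI images would stop being produced for s390x, leaving that platform on the unpatched base; the entry would then read `"platforms": "linux/arm64, linux/amd64, linux/s390x"`. The other entries match the removed matrix rows. JSON cannot carry a comment, so an intentional change is best recorded in the commit description.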
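Review bot: `default: "main"` on the new `branch` input changes what a caller gets when it omits `branch`. The checkout steps previously had no `ref` and used the ref of the triggering event; with this default they check out `main` instead, so a publishing job started from a release branch would run against main's tree. Using `default: ""` keeps the old behaviour, since actions/checkout falls back to the event ref when `ref` is empty, while callers that pass `branch` are unaffected. The same applies to the second `branch` block in this file and to both blocks in plus-release.yml; the checkout steps that consume the input are in later hunks.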
@@ -72,6 +80,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-auth @@ -108,6 +118,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-auth @@ -155,6 +167,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-auth @@ -197,6 +211,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-auth @@ -241,6 +257,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-auth diff --git a/.github/workflows/plus-release.yml b/.github/workflows/plus-release.yml index 8bd25977d4..d3420e04a4 100644 --- a/.github/workflows/plus-release.yml +++ b/.github/workflows/plus-release.yml @@ -24,6 +24,10 @@ on: target_tag: required: true type: string + branch: + required: false + type: string + default: "main" dry_run: type: boolean default: false @@ -50,6 +54,10 @@ on: target_tag: required: true type: string + branch: + required: false + type: string + default: "main" dry_run: type: boolean default: false @@ -72,6 +80,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-auth 
@@ -108,6 +118,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-auth @@ -159,6 +171,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-priv-auth @@ -198,6 +212,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-auth @@ -245,6 +261,8 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ inputs.branch }} - name: Authenticate to Google Cloud id: gcr-auth diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 300ea4c980..94c761c54e 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -83,9 +83,12 @@ jobs: unit-tests: name: Unit Tests runs-on: ubuntu-24.04 + needs: [checks] steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: ${{ needs.checks.outputs.branch }} - name: Setup Golang Environment uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 @@ -302,6 +305,7 @@ jobs: quay_public_registry: true github_public_registry: true source_tag: ${{ needs.checks.outputs.stable_tag }} + branch: ${{ needs.checks.outputs.branch }} target_tag: "nightly" dry_run: false permissions: @@ -323,6 +327,7 @@ jobs: az_mktpl_registry: false source_tag: ${{ needs.checks.outputs.stable_tag }} target_tag: "nightly" + branch: ${{ needs.checks.outputs.branch }} dry_run: false permissions: contents: read diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 013656d2a1..f5b8ea0e49 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -154,6 +154,7 @@ jobs: github_public_registry: true source_tag: ${{ needs.variables.outputs.source_tag }} target_tag: ${{ matrix.tag }} + branch: ${{ inputs.release_branch }} dry_run: ${{ inputs.dry_run }} permissions: contents: read @@ -182,6 +183,7 @@ jobs: az_mktpl_registry: false source_tag: ${{ needs.variables.outputs.source_tag }} target_tag: ${{ inputs.nic_version }} + branch: ${{ inputs.release_branch }} dry_run: ${{ inputs.dry_run }} permissions: contents: read @@ -208,6 +210,7 @@ jobs: az_mktpl_registry: false source_tag: ${{ needs.variables.outputs.source_tag }} target_tag: ${{ inputs.nic_version }} + branch: ${{ inputs.release_branch }} dry_run: ${{ inputs.dry_run }} permissions: contents: read @@ -233,6 +236,7 @@ jobs: az_mktpl_registry: false source_tag: ${{ needs.variables.outputs.source_tag }} target_tag: ${{ inputs.nic_version }} + branch: ${{ inputs.release_branch }} dry_run: ${{ inputs.dry_run }} permissions: contents: read @@ -258,6 +262,7 @@ jobs: az_mktpl_registry: true source_tag: ${{ needs.variables.outputs.source_tag }} target_tag: ${{ inputs.nic_version }} + branch: ${{ inputs.release_branch }} dry_run: ${{ inputs.dry_run }} permissions: contents: read diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 863fddd17e..a2c503a27d 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -31,6 +31,7 @@ jobs: tag: ${{ steps.kic.outputs.tag }} short_tag: ${{ steps.kic.outputs.short }} date: ${{ steps.kic.outputs.date }} + matrix: ${{ steps.kic.outputs.matrix }} steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 
@@ -51,153 +52,24 @@ jobs: echo "date=${date}" >> $GITHUB_OUTPUT short="${tag%.*}" echo "short=$short" >> $GITHUB_OUTPUT + echo "matrix=$(cat .github/data/patch-images.json" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT - patch-oss-images: - name: Build OSS Images + patch-images: + name: Patch Images needs: [variables] strategy: fail-fast: false matrix: - include: - - tag: ${{ needs.variables.outputs.tag }} - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress" - platforms: "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - - tag: ${{ needs.variables.outputs.tag }}-alpine - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-alpine" - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress" - platforms: "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - - tag: ${{ needs.variables.outputs.tag }}-ubi - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-ubi" - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress" - platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + include: ${{ fromJSON( needs.variables.outputs.matrix ) }} uses: ./.github/workflows/patch-image.yml with: platforms: ${{ matrix.platforms }} - image: ${{ matrix.image }} - tag: ${{ matrix.tag }} + image: ${{ matrix.source_image }} + tag: ${{ matrix.source_os == 'debian' && needs.variables.outputs.tag || format('{0}-{1}', needs.variables.outputs.tag, matrix.source_os) }} ic_version: ${{ needs.variables.outputs.tag }} target_image: ${{ matrix.target_image }} - target_tag: ${{ matrix.target_tag }} - permissions: - contents: read 
- id-token: write - secrets: inherit - - patch-plus-images: - name: Build Plus Images - needs: [variables] - strategy: - fail-fast: false - matrix: - include: - - tag: ${{ needs.variables.outputs.tag }} - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress - target_image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress - platforms: "linux/arm64, linux/amd64" - - tag: ${{ needs.variables.outputs.tag }}-alpine - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-alpine" - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress - target_image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress - platforms: "linux/arm64, linux/amd64" - - tag: ${{ needs.variables.outputs.tag }}-mktpl - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-mktpl" - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress - target_image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress - platforms: "linux/arm64, linux/amd64" - - tag: ${{ needs.variables.outputs.tag }}-ubi - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-ubi" - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress - target_image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress - platforms: "linux/arm64, linux/amd64, linux/s390x" - uses: ./.github/workflows/patch-image.yml - with: - platforms: ${{ matrix.platforms }} - image: ${{ matrix.image }} - tag: ${{ matrix.tag }} - ic_version: ${{ needs.variables.outputs.tag }} - target_image: ${{ matrix.target_image }} - target_tag: ${{ matrix.target_tag }} - permissions: - contents: read - id-token: write - secrets: inherit - - patch-plus-nap-images: - name: Build Plus NAP Images - needs: [variables] - strategy: - fail-fast: false - 
matrix: - include: - - tag: "${{ needs.variables.outputs.tag }}" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}-ubi" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-ubi" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}-mktpl" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-mktpl" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}-ubi" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-ubi" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress" - target_image: 
"gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}-ubi" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-ubi" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}-mktpl" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-mktpl" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}-ubi" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-ubi" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress" - platforms: "linux/amd64" - - tag: "${{ needs.variables.outputs.tag }}-mktpl" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-mktpl" - image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress" - target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress" - platforms: "linux/amd64" - uses: ./.github/workflows/patch-image.yml - with: - platforms: ${{ matrix.platforms }} - image: ${{ matrix.image }} - tag: ${{ matrix.tag }} - ic_version: ${{ 
needs.variables.outputs.tag }} - target_image: ${{ matrix.target_image }} - target_tag: ${{ matrix.target_tag }} + target_tag: ${{ matrix.source_os == 'debian' && format('{0}-{1}', needs.variables.outputs.tag, needs.variables.outputs.date) || format('{0}-{1}-{2}', needs.variables.outputs.tag, needs.variables.outputs.date, matrix.source_os) }} permissions: contents: read id-token: write @@ -205,7 +77,7 @@ jobs: release-oss-internal: name: "Publish Docker OSS ${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }} to internal release Registries" - needs: [variables, patch-oss-images] + needs: [variables, patch-images] uses: ./.github/workflows/oss-release.yml with: gcr_release_registry: true @@ -215,6 +87,7 @@ jobs: github_public_registry: false source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" + branch: "release-${{ needs.variables.outputs.short_tag }}" dry_run: ${{ inputs.dry_run || false }} permissions: contents: read @@ -224,7 +97,7 @@ jobs: release-oss-public: name: Publish Docker OSS ${{ matrix.tag }} to Public Registries - needs: [variables, patch-oss-images] + needs: [variables, patch-images] strategy: fail-fast: false matrix: @@ -242,6 +115,7 @@ jobs: github_public_registry: true source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" target_tag: ${{ matrix.tag }} + branch: "release-${{ needs.variables.outputs.short_tag }}" dry_run: ${{ inputs.dry_run || false }} permissions: contents: read @@ -251,7 +125,7 @@ jobs: release-plus-nginx-gcr: name: Publish Docker Plus ${{ matrix.tag }} to NGINX & GCR Marketplace registries - needs: [variables, patch-plus-images, patch-plus-nap-images] + needs: [variables, patch-images] strategy: fail-fast: false matrix: 
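Review bot: The added line `echo "matrix=$(cat .github/data/patch-images.json" >> $GITHUB_OUTPUT` never closes its `$(`, so the shell should fail to parse the `run` script and the `variables` job will not set any outputs. Closing the parenthesis is not enough on its own: patch-images.json is pretty-printed over many lines, and a `name=value` line in `$GITHUB_OUTPUT` carries only one line, so `fromJSON(needs.variables.outputs.matrix)` would not receive the full array. Compacting the file fixes both, for example `echo "matrix=$(jq -c . .github/data/patch-images.json)" >> "$GITHUB_OUTPUT"` (jq is present on GitHub-hosted Ubuntu runners; the runner for this job is outside the hunk). The `run` block starts before this hunk, so the rest of the script is not visible here.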
@@ -269,6 +143,7 @@ jobs: az_mktpl_registry: false source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" target_tag: ${{ matrix.tag }} + branch: "release-${{ needs.variables.outputs.short_tag }}" dry_run: ${{ inputs.dry_run || false }} permissions: contents: read @@ -277,7 +152,7 @@ jobs: release-plus-azure-ecr-marketplace: name: Publish Docker Plus ${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }} to Azure & ECR Marketplace registries - needs: [variables, patch-plus-images, patch-plus-nap-images] + needs: [variables, patch-images] uses: ./.github/workflows/plus-release.yml with: nginx_registry: false @@ -287,6 +162,7 @@ jobs: az_mktpl_registry: true source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" + branch: "release-${{ needs.variables.outputs.short_tag }}" dry_run: ${{ inputs.dry_run || false }} permissions: contents: read @@ -295,7 +171,7 @@ jobs: release-plus-internal: name: Publish Docker Plus ${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }} to internal release Registries - needs: [variables, patch-plus-images, patch-plus-nap-images] + needs: [variables, patch-images] uses: ./.github/workflows/plus-release.yml with: nginx_registry: false @@ -305,6 +181,7 @@ jobs: az_mktpl_registry: false source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" + branch: "release-${{ needs.variables.outputs.short_tag }}" dry_run: ${{ inputs.dry_run || false }} permissions: contents: read From ca4482469b9788c3b32bc666207ac9e37ca052f3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 08:36:13 +0000 Subject: [PATCH 33/83] Bump the python group in /tests with 4 updates (#6329) Bumps the python group in /tests with 4 updates: [certifi](https://github.com/certifi/python-certifi), [grpcio](https://github.com/grpc/grpc), [grpcio-tools](https://github.com/grpc/grpc) and [protobuf](https://github.com/protocolbuffers/protobuf). Updates `certifi` from 2024.7.4 to 2024.8.30 - [Commits](https://github.com/certifi/python-certifi/compare/2024.07.04...2024.08.30) Updates `grpcio` from 1.66.0 to 1.66.1 - [Release notes](https://github.com/grpc/grpc/releases) - [Changelog](https://github.com/grpc/grpc/blob/master/doc/grpc_release_schedule.md) - [Commits](https://github.com/grpc/grpc/compare/v1.66.0...v1.66.1) Updates `grpcio-tools` from 1.66.0 to 1.66.1 - [Release notes](https://github.com/grpc/grpc/releases) - [Changelog](https://github.com/grpc/grpc/blob/master/doc/grpc_release_schedule.md) - [Commits](https://github.com/grpc/grpc/compare/v1.66.0...v1.66.1) Updates `protobuf` from 5.27.3 to 5.28.0 - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Changelog](https://github.com/protocolbuffers/protobuf/blob/main/protobuf_release.bzl) - [Commits](https://github.com/protocolbuffers/protobuf/compare/v5.27.3...v5.28.0) --- updated-dependencies: - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python - dependency-name: grpcio dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: grpcio-tools dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: protobuf dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> --- tests/requirements.txt | 218 ++++++++++++++++++++--------------------- 1 file changed, 109 insertions(+), 109 deletions(-) diff --git a/tests/requirements.txt b/tests/requirements.txt index 3111283608..a38452786d 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt @@ -14,9 +14,9 @@ cachetools==5.5.0 \ # via # -r requirements.txt # google-auth -certifi==2024.7.4 \ - --hash=sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b \ - --hash=sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90 +certifi==2024.8.30 \ + --hash=sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8 \ + --hash=sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9 # via # -r requirements.txt # kubernetes 
@@ -237,103 +237,103 @@ gprof2dot==2024.6.6 \ # via # -r requirements.txt # pytest-profiling -grpcio==1.66.0 \ - --hash=sha256:0f3010bf46b2a01c9e40644cb9ed91b4b8435e5c500a275da5f9f62580e31e80 \ - --hash=sha256:1c5466222470cb7fbc9cc898af1d48eefd297cb2e2f59af6d4a851c862fa90ac \ - --hash=sha256:1eb03524d0f55b965d6c86aa44e5db9e5eaa15f9ed3b164621e652e5b927f4b8 \ - --hash=sha256:230cdd696751e7eb1395718cd308234749daa217bb8d128f00357dc4df102558 \ - --hash=sha256:245b08f9b3c645a6a623f3ed4fa43dcfcd6ad701eb9c32511c1bb7380e8c3d23 \ - --hash=sha256:296a45ea835e12a1cc35ab0c57e455346c272af7b0d178e29c67742167262b4c \ - --hash=sha256:37514b68a42e9cf24536345d3cf9e580ffd29117c158b4eeea34625200256067 \ - --hash=sha256:375b58892301a5fc6ca7d7ff689c9dc9d00895f5d560604ace9f4f0573013c63 \ - --hash=sha256:423ae18637cd99ddcf2e5a6851c61828c49e9b9d022d0442d979b4f230109787 \ - --hash=sha256:49234580a073ce7ac490112f6c67c874cbcb27804c4525978cdb21ba7f3f193c \ - --hash=sha256:508411df1f2b7cfa05d4d7dbf3d576fe4f949cd61c03f3a6f0378c84e3d7b963 \ - --hash=sha256:50cea8ce2552865b87e3dffbb85eb21e6b98d928621600c0feda2f02449cd837 \ - --hash=sha256:516fdbc8e156db71a004bc431a6303bca24cfde186babe96dde7bd01e8f0cc70 \ - --hash=sha256:526d4f6ca19f31b25606d5c470ecba55c0b22707b524e4de8987919e8920437d \ - --hash=sha256:53d4c6706b49e358a2a33345dbe9b6b3bb047cecd7e8c07ba383bd09349bfef8 \ - --hash=sha256:5b15ef1b296c4e78f15f64fc65bf8081f8774480ffcac45642f69d9d753d9c6b \ - --hash=sha256:5e8140b39f10d7be2263afa2838112de29374c5c740eb0afd99146cb5bdbd990 \ - --hash=sha256:5ea27f4ce8c0daccfdd2c7961e6ba404b6599f47c948415c4cca5728739107a3 \ - --hash=sha256:5f4b3357e59dfba9140a51597287297bc638710d6a163f99ee14efc19967a821 \ - --hash=sha256:5f93fc84b72bbc7b84a42f3ca9dc055fa00d2303d9803be011ebf7a10a4eb833 \ - --hash=sha256:643d8d9632a688ae69661e924b862e23c83a3575b24e52917ec5bcc59543d212 \ - --hash=sha256:684a4c07883cbd4ac864f0d08d927267404f5f0c76f31c85f9bbe05f2daae2f2 \ - 
--hash=sha256:6d586a95c05c82a5354be48bb4537e1accaf2472d8eb7e9086d844cbff934482 \ - --hash=sha256:6ed35bf7da3fb3b1949e32bdf47a8b5ffe0aed11722d948933bd068531cd4682 \ - --hash=sha256:748452dbd5a047475d5413bdef08b0b9ceb2c0c0e249d4ee905a5fb82c6328dc \ - --hash=sha256:7bc9d823e05d63a87511fb456dcc48dc0fced86c282bf60229675e7ee7aac1a1 \ - --hash=sha256:8096a922eb91bc97c839f675c3efa1257c6ef181ae1b25d3fb97f2cae4c57c01 \ - --hash=sha256:832945e64176520520317b50d64ec7d79924429528d5747669b52d0bf2c7bd78 \ - --hash=sha256:8fc5c710ddd51b5a0dc36ef1b6663430aa620e0ce029b87b150dafd313b978c3 \ - --hash=sha256:921b8f7f25d5300d7c6837a1e0639ef145fbdbfb728e0a5db2dbccc9fc0fd891 \ - --hash=sha256:9d5251578767fe44602688c851c2373b5513048ac84c21a0fe946590a8e7933d \ - --hash=sha256:a639d3866bfb5a678b5c0b92cd7ab543033ed8988854290fd86145e71731fd4c \ - --hash=sha256:aaf30c75cbaf30e561ca45f21eb1f729f0fab3f15c592c1074795ed43e3ff96f \ - --hash=sha256:ad7256f224437b2c29c2bef98ddd3130454c5b1ab1f0471fc11794cefd4dbd3d \ - --hash=sha256:ba18cfdc09312eb2eea6fa0ce5d2eec3cf345ea78f6528b2eaed6432105e0bd0 \ - --hash=sha256:ba60ae3b465b3e85080ae3bfbc36fd0305ae495ab16fcf8022fc7d7a23aac846 \ - --hash=sha256:bc008c6afa1e7c8df99bd9154abc4f0470d26b7730ca2521122e99e771baa8c7 \ - --hash=sha256:c072f90a1f0409f827ae86266984cba65e89c5831a0726b9fc7f4b5fb940b853 \ - --hash=sha256:c1ea4c528e7db6660718e4165fd1b5ac24b79a70c870a7bc0b7bdb9babab7c1e \ - --hash=sha256:c3084e590e857ba7585ae91078e4c9b6ef55aaf1dc343ce26400ba59a146eada \ - --hash=sha256:c3f6feb0dc8456d025e566709f7dd02885add99bedaac50229013069242a1bfd \ - --hash=sha256:d0439a970d65327de21c299ea0e0c2ad0987cdaf18ba5066621dea5f427f922b \ - --hash=sha256:dd614370e939f9fceeeb2915111a0795271b4c11dfb5fc0f58449bee40c726a5 \ - --hash=sha256:de9e20a0acb709dcfa15a622c91f584f12c9739a79c47999f73435d2b3cc8a3b \ - --hash=sha256:e36fa838ac1d6c87198ca149cbfcc92e1af06bb8c8cd852622f8e58f33ea3324 \ - --hash=sha256:e8d20308eeae15b3e182f47876f05acbdec1eebd9473a9814a44e46ec4a84c04 
+grpcio==1.66.1 \ + --hash=sha256:0e6c9b42ded5d02b6b1fea3a25f036a2236eeb75d0579bfd43c0018c88bf0a3e \ + --hash=sha256:161d5c535c2bdf61b95080e7f0f017a1dfcb812bf54093e71e5562b16225b4ce \ + --hash=sha256:17663598aadbedc3cacd7bbde432f541c8e07d2496564e22b214b22c7523dac8 \ + --hash=sha256:1c17ebcec157cfb8dd445890a03e20caf6209a5bd4ac5b040ae9dbc59eef091d \ + --hash=sha256:292a846b92cdcd40ecca46e694997dd6b9be6c4c01a94a0dfb3fcb75d20da858 \ + --hash=sha256:2ca2559692d8e7e245d456877a85ee41525f3ed425aa97eb7a70fc9a79df91a0 \ + --hash=sha256:307b1d538140f19ccbd3aed7a93d8f71103c5d525f3c96f8616111614b14bf2a \ + --hash=sha256:30a1c2cf9390c894c90bbc70147f2372130ad189cffef161f0432d0157973f45 \ + --hash=sha256:31a049daa428f928f21090403e5d18ea02670e3d5d172581670be006100db9ef \ + --hash=sha256:35334f9c9745add3e357e3372756fd32d925bd52c41da97f4dfdafbde0bf0ee2 \ + --hash=sha256:3750c5a00bd644c75f4507f77a804d0189d97a107eb1481945a0cf3af3e7a5ac \ + --hash=sha256:3885f037eb11f1cacc41f207b705f38a44b69478086f40608959bf5ad85826dd \ + --hash=sha256:4573608e23f7e091acfbe3e84ac2045680b69751d8d67685ffa193a4429fedb1 \ + --hash=sha256:4825a3aa5648010842e1c9d35a082187746aa0cdbf1b7a2a930595a94fb10fce \ + --hash=sha256:4877ba180591acdf127afe21ec1c7ff8a5ecf0fe2600f0d3c50e8c4a1cbc6492 \ + --hash=sha256:48b0d92d45ce3be2084b92fb5bae2f64c208fea8ceed7fccf6a7b524d3c4942e \ + --hash=sha256:4d813316d1a752be6f5c4360c49f55b06d4fe212d7df03253dfdae90c8a402bb \ + --hash=sha256:5dd67ed9da78e5121efc5c510f0122a972216808d6de70953a740560c572eb44 \ + --hash=sha256:6f914386e52cbdeb5d2a7ce3bf1fdfacbe9d818dd81b6099a05b741aaf3848bb \ + --hash=sha256:7101db1bd4cd9b880294dec41a93fcdce465bdbb602cd8dc5bd2d6362b618759 \ + --hash=sha256:7e06aa1f764ec8265b19d8f00140b8c4b6ca179a6dc67aa9413867c47e1fb04e \ + --hash=sha256:84ca1be089fb4446490dd1135828bd42a7c7f8421e74fa581611f7afdf7ab761 \ + --hash=sha256:8a1e224ce6f740dbb6b24c58f885422deebd7eb724aff0671a847f8951857c26 \ + 
--hash=sha256:97ae7edd3f3f91480e48ede5d3e7d431ad6005bfdbd65c1b56913799ec79e791 \ + --hash=sha256:9c9bebc6627873ec27a70fc800f6083a13c70b23a5564788754b9ee52c5aef6c \ + --hash=sha256:a013c5fbb12bfb5f927444b477a26f1080755a931d5d362e6a9a720ca7dbae60 \ + --hash=sha256:a66fe4dc35d2330c185cfbb42959f57ad36f257e0cc4557d11d9f0a3f14311df \ + --hash=sha256:a92c4f58c01c77205df6ff999faa008540475c39b835277fb8883b11cada127a \ + --hash=sha256:aa8ba945c96e73de29d25331b26f3e416e0c0f621e984a3ebdb2d0d0b596a3b3 \ + --hash=sha256:b0aa03d240b5539648d996cc60438f128c7f46050989e35b25f5c18286c86734 \ + --hash=sha256:b1b24c23d51a1e8790b25514157d43f0a4dce1ac12b3f0b8e9f66a5e2c4c132f \ + --hash=sha256:b7ffb8ea674d68de4cac6f57d2498fef477cef582f1fa849e9f844863af50083 \ + --hash=sha256:b9feb4e5ec8dc2d15709f4d5fc367794d69277f5d680baf1910fc9915c633524 \ + --hash=sha256:bff2096bdba686019fb32d2dde45b95981f0d1490e054400f70fc9a8af34b49d \ + --hash=sha256:c30aeceeaff11cd5ddbc348f37c58bcb96da8d5aa93fed78ab329de5f37a0d7a \ + --hash=sha256:c9f80f9fad93a8cf71c7f161778ba47fd730d13a343a46258065c4deb4b550c0 \ + --hash=sha256:cfd349de4158d797db2bd82d2020554a121674e98fbe6b15328456b3bf2495bb \ + --hash=sha256:d0cd7050397b3609ea51727b1811e663ffda8bda39c6a5bb69525ef12414b503 \ + --hash=sha256:d639c939ad7c440c7b2819a28d559179a4508783f7e5b991166f8d7a34b52815 \ + --hash=sha256:e3ba04659e4fce609de2658fe4dbf7d6ed21987a94460f5f92df7579fd5d0e22 \ + --hash=sha256:ecfe735e7a59e5a98208447293ff8580e9db1e890e232b8b292dc8bd15afc0d2 \ + --hash=sha256:ef82d361ed5849d34cf09105d00b94b6728d289d6b9235513cb2fcc79f7c432c \ + --hash=sha256:f03a5884c56256e08fd9e262e11b5cfacf1af96e2ce78dc095d2c41ccae2c80d \ + --hash=sha256:f1fe60d0772831d96d263b53d83fb9a3d050a94b0e94b6d004a5ad111faa5b5b \ + --hash=sha256:f517fd7259fe823ef3bd21e508b653d5492e706e9f0ef82c16ce3347a8a5620c \ + --hash=sha256:fdb14bad0835914f325349ed34a51940bc2ad965142eb3090081593c6e347be9 # via # -r requirements.txt # grpcio-tools -grpcio-tools==1.66.0 \ - 
--hash=sha256:00aafd7714f2e2f618ec75b0f13df6a6f174f2bc50ad70c79443d8f5aa60df96 \ - --hash=sha256:01449e9b20347fc7661f79090a9c0317e6de2759748170ac04cc0a4db74a681f \ - --hash=sha256:24773294210f554cdf282feaa3f95b79e22de56f78ec7a2e66c990266100480b \ - --hash=sha256:2a76db15aea734e583158c7190615f9e82de19fbb1f8d15f7a34fa9e4c3938a5 \ - --hash=sha256:2da55cab0569eb2bae8fc445cb9eaafad488918e4a443f831dbdd2ce60c47684 \ - --hash=sha256:2e31ac9a93feb5a4fbbb72de7a9a39709f28eea8183bab5e88f90a7facccf00b \ - --hash=sha256:2e78e94d9db3d686bc76f0ecedf5634ca3fad2d94e50c564a7d87630326719e8 \ - --hash=sha256:30261ab79e460e93002117627ec42a960c0d3d6292e3fd44a43eae94aedbae9a \ - --hash=sha256:4ecd2caa15c2070182e49aa1771cbf8e6181e5072833222401d965c6338a075c \ - --hash=sha256:51cdcdf9dc9087bfc5d7aa03c4c76614350e0f7ef0689763f69938d1a7ebfac4 \ - --hash=sha256:63897f679ea55bc25accc825329b53acef2ad1266237d90be63c5aeaaa5bf175 \ - --hash=sha256:65dfc1019a6dc3343161360a9436ca34f4aa4ffc40f4cdcd98e1e887dbe87cf8 \ - --hash=sha256:6e111f73f400d64b8dc32f5dab67c5e806c290eb2658fecdbfc44c2bb1020efc \ - --hash=sha256:7055599f250713662022f5096956c220ff0f43a7ab500d080b0f343ba8d98e14 \ - --hash=sha256:72e86d15d5dab2f25385e40608f5dc6b512172c3b10d01952d3d25f2d0648b7c \ - --hash=sha256:7ca7080ac2aed6d303fab162c5945d920c0243a7a393df71c9f98882583dcda5 \ - --hash=sha256:7d38a0b97d16343b3389228edc58c9dfea69bd3833fe458681f9cf66d13bb2e0 \ - --hash=sha256:81123f93a4f93f8e2bd7ba4a106c1eb1529e0336368c3b93c077f7649b48d784 \ - --hash=sha256:879a70a153f05d61fae8e7dd88ad67c63c1a30ee22c344509ec2b898f1e29250 \ - --hash=sha256:87a654381cdc43a64f890e1f68ca14f09c5bcafe9fe2481f50029a220b748d15 \ - --hash=sha256:8e197458cc1747f56a5b6bddd635247f86d3eb2a8a191e3f43ce0e6f2bf374c5 \ - --hash=sha256:923c60602e2025e1082cd3a1d7a5f74314f945ebb4763a939cc3f5a667d48d7f \ - --hash=sha256:95e3d1506bb3c6574c9d359ac78eaaad18276a3aaa328852796ee10d28a10656 \ - --hash=sha256:95edac51be6cd1391726024dea3a2a852c0a4c63e90de1ec52b5857d1ad5fef1 \ - 
--hash=sha256:95f1d076a310007fff710b4eea648a98ec75e0eb755b9df9af03b38a120ed8ac \ - --hash=sha256:9c026adf37d1dacc3270c60ef479945c68756a251c362aef51c250e1f69f6a18 \ - --hash=sha256:a236df9ac2dd1f6009adc94bce1da10ac46dd87a04dea86bfbeadaa261c7adea \ - --hash=sha256:af2f8f944e779cb8dd5b5e8a689514775c745068cd564df662e00cab45430d40 \ - --hash=sha256:b117868e2040489d8d542348a45cce6225fc87e1bc5e6092ad05bea343d4723d \ - --hash=sha256:b7da029e5a1270a0342c01f897436ab690677502e12f18664b7387a5e6938134 \ - --hash=sha256:bcb7f09c1569c2e5f1600e5b1eb6a8321e789a3e1d2f9ec5c236c62d61d22879 \ - --hash=sha256:bde2aca5fd16e5ab37cf83a8a7b805ccb7faceb804c562387852a3146bfd7eaf \ - --hash=sha256:ca654c732029483a0355164f551b4531eae1d1f64e269d389d97d79a0b087966 \ - --hash=sha256:cc188a5fbaf25e3a5f91f815d3928b1e40ba38f5a5f5b5e86f640c575f7db1c9 \ - --hash=sha256:cf5906367329121b90942de6a2f77b316090ce15980254c61ecd5043526dc03d \ - --hash=sha256:d72c6a8e1470832199764a4ac4aa999def0ccfb0fe0266c73aae003812acb957 \ - --hash=sha256:d84db86038507c86bfa148c9b6dde5a17b8b2e529eecbf1ca427c367043a56e8 \ - --hash=sha256:e0841fe0aa865694468243b682792d6649a9eaaeec103984a74fcf4289851a83 \ - --hash=sha256:e5507e1fee9caa19e2525d280016af8f4404affaad1a7c08beb7060797bd7972 \ - --hash=sha256:e5ef97b6e945e77575d07dc2158773313aa1b36ddab41c59a1c51803b4620abd \ - --hash=sha256:e67a36da1ca3501933f26bd65589b7a5abdf5cfed79fd419054a0924f79fa760 \ - --hash=sha256:eaf20f8141646b1db73f36711960d1bdf96435fbce670417e0754b15fbc52e76 \ - --hash=sha256:ecb781e41b08b094742137f56740acebedc29a18480a37c16d5dfed2aef0597a \ - --hash=sha256:fd70b60d6b62df3d232e6c4f6c061c6bb5e071af88fe6323487d0b3b97ac87d2 \ - --hash=sha256:fddc8f3216199f47f2370f8a22ecc10a4e0b5c434eeab0ec47a79fb292e5a6f8 \ - --hash=sha256:ff704d5b2c66e15aee1f34c74d8a44f0b613e9205d69c22172ffa056f9791db4 +grpcio-tools==1.66.1 \ + --hash=sha256:0067e79b6001560ac6acc78cca11fd3504fa27f8af46e3cdbac2f4998505e597 \ + 
--hash=sha256:016fa273dc696c9d8045091ac50e000bce766183a6b150801f51c2946e33dbe3 \ + --hash=sha256:066648543f786cb74b1fef5652359952455dbba37e832642026fd9fd8a219b5f \ + --hash=sha256:097a069e7c640043921ecaf3e88d7af78ccd40c25dbddc91db2a4a2adbd0393d \ + --hash=sha256:0a86398a4cd0665bc7f09fa90b89bac592c959d2c895bf3cf5d47a98c0f2d24c \ + --hash=sha256:1b4acb53338072ab3023e418a5c7059cb15686abd1607516fa1453406dd5f69d \ + --hash=sha256:1ec9f4f964f8e8ed5e9cc13deb678c83d5597074c256805373220627833bc5ad \ + --hash=sha256:2226ff8d3ecba83b7622946df19d6e8e15cb52f761b8d9e2f807b228db5f1b1e \ + --hash=sha256:222d8dc218560698e1abf652fb47e4015994ec7a265ef46e012fd9c9e77a4d6b \ + --hash=sha256:23cad65ff22459aa387f543d293f54834c9aac8f76fb7416a7046556df75b567 \ + --hash=sha256:2f4b1498cb8b422fbae32a491c9154e8d47650caf5852fbe6b3b34253e824343 \ + --hash=sha256:3198815814cdd12bdb69b7580d7770a4ad4c8b2093e0bd6b987bc817618e3eec \ + --hash=sha256:3acce426f5e643de63019311171f4d31131da8149de518716a95c29a2c12dd38 \ + --hash=sha256:3d17a27c567a5e4d18f487368215cb51b43e2499059fd6113b92f7ae1fee48be \ + --hash=sha256:4df167e67b083f96bc277032a526f6186e98662aaa49baea1dfb8ecfe26ce117 \ + --hash=sha256:5055ffe840ea8f505c30378be02afb4dbecb33480e554debe10b63d6b2f641c3 \ + --hash=sha256:56e17a11f34df252b4c6fb8aa8cd7b44d162dba9f3333be87ddf7c8bf496622a \ + --hash=sha256:5b4fc56abeafae74140f5da29af1093e88ce64811d77f1a81c3146e9e996fb6a \ + --hash=sha256:5daceb9716e31edc0e1ba0f93303785211438c43502edddad7a919fc4cb3d664 \ + --hash=sha256:5f1f04578b72c281e39274348a61d240c48d5321ba8d7a8838e194099ecbc322 \ + --hash=sha256:66f527a1e3f063065e29cf6f3e55892434d13a5a51e3b22402e09da9521e98a3 \ + --hash=sha256:68d9390bf9ba863ac147fc722d6548caa587235e887cac1bc2438212e89d1de7 \ + --hash=sha256:739c53571130b359b738ac7d6d0a1f772e15779b66df7e6764bee4071cd38689 \ + --hash=sha256:796620fc41d3fbb566d9614ef22bc55df67fac1f1e19c1e0fb6ec48bc9b6a44b \ + --hash=sha256:7d789bfe53fce9e87aa80c3694a366258ce4c41b706258e9228ed4994832b780 \ + 
--hash=sha256:7fc3f62494f238774755ff90f0e66a93ac7972ea1eb7180c45acf4fd53b25cca \ + --hash=sha256:869b6960d5daffda0dac1a474b44144f0dace0d4336394e499c4f400c5e2f8d9 \ + --hash=sha256:88e04b7546101bc79c868c941777efd5088063a9e4f03b4d7263dde796fbabf7 \ + --hash=sha256:93d2d9e14e81affdc63d67c42eb16a8da1b6fecc16442a703ca60eb0e7591691 \ + --hash=sha256:95c44a265ff01fd05166edae9350bc2e7d1d9a95e8f53b8cd04d2ae0a588c583 \ + --hash=sha256:9a07e24feb7472419cf70ebbb38dd4299aea696f91f191b62a99b3ee9ff03f89 \ + --hash=sha256:b8660401beca7e3af28722439e07b0bcdca80b4a68f5a5a1138ae7b7780a6abf \ + --hash=sha256:b962a8767c3c0f9afe92e0dd6bb0b2305d35195a1053f84d4d31f585b87557ed \ + --hash=sha256:d19d47744c30e6bafa76b3113740e71f382d75ebb2918c1efd62ebe6ba7e20f9 \ + --hash=sha256:d4dd2ff982c1aa328ef47ce34f07af82f1f13599912fb1618ebc5fe1e14dddb8 \ + --hash=sha256:d761dfd97a10e4aae73628b5120c64e56f0cded88651d0003d2d80e678c3e7c9 \ + --hash=sha256:d8616773126ec3cdf747b06a12e957b43ac15c34e4728def91fa67249a7c689a \ + --hash=sha256:da9b0c08dbbf07535ee1b75a22d0acc5675a808a3a3df9f9b21e0e73ddfbb3a9 \ + --hash=sha256:df1a174a6f9d3b4c380f005f33352d2e95464f33f021fb08084735a2eb6e23b1 \ + --hash=sha256:e0c71405399ef59782600b1f0bdebc69ba12d7c9527cd268162a86273971d294 \ + --hash=sha256:e1c2ac0955f5fb87b8444316e475242d194c3f3cd0b7b6e54b889a7b6f05156f \ + --hash=sha256:e302b4e1fa856d74ff65c65888b3a37153287ce6ad5bad80b2fdf95130accec2 \ + --hash=sha256:eb67b9aa9cd69468bceb933e8e0f89fd13695746c018c4d2e6b3b84e73f3ad97 \ + --hash=sha256:edd52d667f2aa3c73233be0a821596937f24536647c12d96bfc54aa4cb04747d \ + --hash=sha256:f94d5193b2f2a9595795b83e7978b2bee1c0399da66f2f24d179c388f81fb99c \ + --hash=sha256:fa4f95a79a34afc3b5464895d091cd1911227fc3ab0441b9a37cd1817cf7db86 # via -r requirements.txt idna==3.8 \ --hash=sha256:050b4e5baadcd44d760cedbd2b8e639f2ff89bbc7a5730fcc662954303377aac \ 
@@ -447,18 +447,18 @@ pluggy==1.5.0 \ # via # -r requirements.txt # pytest -protobuf==5.27.3 \ - --hash=sha256:043853dcb55cc262bf2e116215ad43fa0859caab79bb0b2d31b708f128ece035 \ - --hash=sha256:16ddf3f8c6c41e1e803da7abea17b1793a97ef079a912e42351eabb19b2cffe7 \ - --hash=sha256:68248c60d53f6168f565a8c76dc58ba4fa2ade31c2d1ebdae6d80f969cdc2d4f \ - --hash=sha256:82460903e640f2b7e34ee81a947fdaad89de796d324bcbc38ff5430bcdead82c \ - --hash=sha256:8572c6533e544ebf6899c360e91d6bcbbee2549251643d32c52cf8a5de295ba5 \ - --hash=sha256:a55c48f2a2092d8e213bd143474df33a6ae751b781dd1d1f4d953c128a415b25 \ - --hash=sha256:af7c0b7cfbbb649ad26132e53faa348580f844d9ca46fd3ec7ca48a1ea5db8a1 \ - --hash=sha256:b8a994fb3d1c11156e7d1e427186662b64694a62b55936b2b9348f0a7c6625ce \ - --hash=sha256:c2a105c24f08b1e53d6c7ffe69cb09d0031512f0b72f812dd4005b8112dbe91e \ - --hash=sha256:c84eee2c71ed83704f1afbf1a85c3171eab0fd1ade3b399b3fad0884cbcca8bf \ - --hash=sha256:dcb307cd4ef8fec0cf52cb9105a03d06fbb5275ce6d84a6ae33bc6cf84e0a07b +protobuf==5.28.0 \ + --hash=sha256:018db9056b9d75eb93d12a9d35120f97a84d9a919bcab11ed56ad2d399d6e8dd \ + --hash=sha256:510ed78cd0980f6d3218099e874714cdf0d8a95582e7b059b06cabad855ed0a0 \ + --hash=sha256:532627e8fdd825cf8767a2d2b94d77e874d5ddb0adefb04b237f7cc296748681 \ + --hash=sha256:6206afcb2d90181ae8722798dcb56dc76675ab67458ac24c0dd7d75d632ac9bd \ + --hash=sha256:66c3edeedb774a3508ae70d87b3a19786445fe9a068dd3585e0cefa8a77b83d0 \ + --hash=sha256:6d7cc9e60f976cf3e873acb9a40fed04afb5d224608ed5c1a105db4a3f09c5b6 \ + --hash=sha256:853db610214e77ee817ecf0514e0d1d052dff7f63a0c157aa6eabae98db8a8de \ + --hash=sha256:d001a73c8bc2bf5b5c1360d59dd7573744e163b3607fa92788b7f3d5fefbd9a5 \ + --hash=sha256:dde74af0fa774fa98892209992295adbfb91da3fa98c8f67a88afe8f5a349add \ + --hash=sha256:dde9fcaa24e7a9654f4baf2a55250b13a5ea701493d904c54069776b99a8216b \ + --hash=sha256:eef7a8a2f4318e2cb2dee8666d26e58eaf437c14788f3a2911d0c3da40405ae8 # via # -r requirements.txt # grpcio-tools 
From b862c3e226e69b95ef5d0d018e7fe7ff662642a6 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Tue, 3 Sep 2024 02:06:06 -0700 Subject: [PATCH 34/83] Docker image update adae1d57 (#6330) Update docker images adae1d57 Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> --- build/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build/Dockerfile b/build/Dockerfile
index f91413fca0..6ac97c9751 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -11,8 +11,8 @@ ARG PACKAGE_REPO=pkgs.nginx.com
 ############################################# Base images containing libs for Opentracing and FIPS #############################################
-FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1@sha256:9467a2ef495e938f37b3001e350c42ca0c10401e33dc2a0d0ddde7b221e47e82 AS opentracing-lib
-FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1-alpine@sha256:df2f20a532abb4907219072458489008987a1ea6fea4c92604543e93b771c5ed AS alpine-opentracing-lib
+FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1@sha256:df790013503caa036b0a0f620ede777216412441adba6326ab7f6e10896264d7 AS opentracing-lib
+FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1-alpine@sha256:cfc4ec96e5cac0a9890db1e200332534d0086575e69b43e0744c11541976bd5e AS alpine-opentracing-lib
 FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e2bd639b269ec54343ea66b7acbdb0eb67bed44383e1be937c483c451d AS ubi-ppc64le
 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17
 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20
From 37b1444886c5a631019e1b046aff93cb7165479d Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Tue, 3 Sep 2024 13:52:20 +0100 Subject: [PATCH 35/83] Image patching fix (#6335) --- .github/workflows/update-docker-images.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml
index a2c503a27d..30af2d5b61 100644
--- a/.github/workflows/update-docker-images.yml
+++ b/.github/workflows/update-docker-images.yml
@@ -43,16 +43,16 @@ jobs:
 run: |
 tag="$(git tag --sort=-version:refname | head -n1)"
 if [ -n "${{ inputs.tag }}" ]; then
- echo "tag=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+ tag=${{ inputs.tag }}
 else
 tag=${tag//v}
- echo "tag=${tag//v}" >> $GITHUB_OUTPUT
 fi
+ echo "tag=${tag}" >> $GITHUB_OUTPUT
 date=$(date "+%Y%m%d")
 echo "date=${date}" >> $GITHUB_OUTPUT
 short="${tag%.*}"
 echo "short=$short" >> $GITHUB_OUTPUT
- echo "matrix=$(cat .github/data/patch-images.json" >> $GITHUB_OUTPUT
+ echo "matrix=$(cat .github/data/patch-images.json | jq -c)" >> $GITHUB_OUTPUT
 cat $GITHUB_OUTPUT
 patch-images:
From e2342a3fe3777b4a47b3c1e3c9536add97a97f12 Mon Sep 17 00:00:00 2001
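Review bot: The added `tag=${{ inputs.tag }}` is expanded by the Actions runner into the script text before the shell parses it, and unquoted, so a value containing whitespace or shell metacharacters changes what the step runs instead of being treated as data; the `if [ -n "${{ inputs.tag }}" ]` test above it has the same exposure. Passing the input through the step environment avoids that: add `env:` with `INPUT_TAG: ${{ inputs.tag }}` to the step and assign `tag="${INPUT_TAG}"`, using the same variable in the test. Because the value is then written with `echo "tag=${tag}" >> $GITHUB_OUTPUT`, checking it against the expected version pattern first and quoting `"$GITHUB_OUTPUT"` would also keep a malformed or multi-line tag from producing extra step outputs. The step's header starts outside the hunk, so the place for the `env:` block is not visible here.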
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 3 Sep 2024 13:49:17 +0000 Subject: [PATCH 36/83] Bump the actions group across 1 directory with 3 updates (#6332) Bumps the actions group with 3 updates in the / directory: [actions/upload-artifact](https://github.com/actions/upload-artifact), [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) and [azure/CLI](https://github.com/azure/cli). Updates `actions/upload-artifact` from 4.3.6 to 4.4.0 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/834a144ee995460fba8ed112a2fc961b36a5ec5a...50769540e7f4bd5e21e526ee35c689e35e0d6874) Updates `peter-evans/create-pull-request` from 6.1.0 to 7.0.0 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/c5a7806660adbe173f04e3e038b0ccdcd758773c...4320041ed380b20e97d388d56a7fb4f9b8c20e79) Updates `azure/CLI` from 2.0.0 to 2.1.0 - [Release notes](https://github.com/azure/cli/releases) - [Changelog](https://github.com/Azure/cli/blob/master/ReleaseProcess.md) - [Commits](https://github.com/azure/cli/compare/965c8d7571d2231a54e321ddd07f7b10317f34d9...089eac9d8cc39f5d003e94f8b65efc51076c9cbd) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: azure/CLI dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> --- .github/workflows/image-promotion.yml | 6 +++--- .github/workflows/regression.yml | 2 +- .github/workflows/release-pr.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/setup-smoke.yml | 2 +- .github/workflows/update-docker-sha.yml | 2 +- .github/workflows/update-kubernetes-version.yml | 2 +- .github/workflows/version-bump.yml | 2 +- 9 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 076555c0db..8b65e9e132 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -461,7 +461,7 @@ jobs: summary: true - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" path: "${{ steps.directory.outputs.directory }}/" @@ -551,7 +551,7 @@ jobs: summary: true - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" path: "${{ steps.directory.outputs.directory }}/" 
@@ -648,7 +648,7 @@ jobs: summary: true - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" path: "${{ steps.directory.outputs.directory }}/" diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 94c761c54e..e88814404f 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -274,7 +274,7 @@ jobs: test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - name: Upload Test Results - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: ${{ steps.regression-tests.outputs.test-results-name }} path: ${{ steps.regression-tests.outputs.test-results-path }} diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index d909f10230..7e8254bf30 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -70,7 +70,7 @@ jobs: .github/scripts/release-notes-update.sh ${{ github.event.inputs.new_version }} ${{ github.event.inputs.new_helm_version }} "${{ github.event.inputs.k8s_versions }}" "${{ github.event.inputs.release_date }}" - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 with: token: ${{ secrets.NGINX_PAT }} commit-message: Release ${{ github.event.inputs.new_version }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f5b8ea0e49..4a9fed65b8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -490,7 +490,7 @@ jobs: subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Azure Upload Release Packages - uses: azure/CLI@965c8d7571d2231a54e321ddd07f7b10317f34d9 # v2.0.0 + uses: azure/CLI@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 with: inlineScript: | for i in $(find tarballs -type f); do diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 0127eadde5..6db9c3d148 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -49,7 +49,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 33c4bb73b8..d3253622fa 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -162,7 +162,7 @@ jobs: if: ${{ steps.stable_exists.outputs.exists != 'true' }} - name: Upload Test Results - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: name: ${{ steps.smoke-tests.outputs.test-results-name }} path: ${{ steps.smoke-tests.outputs.test-results-path }} diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml index 0112d786af..c03c439f05 100644 --- a/.github/workflows/update-docker-sha.yml +++ b/.github/workflows/update-docker-sha.yml 
@@ -75,7 +75,7 @@ jobs: echo $GITHUB_OUTPUT - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 id: pr with: token: ${{ secrets.NGINX_PAT }} diff --git a/.github/workflows/update-kubernetes-version.yml b/.github/workflows/update-kubernetes-version.yml index 5f68bd8964..0d2793bb73 100644 --- a/.github/workflows/update-kubernetes-version.yml +++ b/.github/workflows/update-kubernetes-version.yml @@ -43,7 +43,7 @@ jobs: if: ${{ steps.search.outputs.found == 'false' }} - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 with: token: ${{ secrets.NGINX_PAT }} commit-message: update kubernetes version to ${{ steps.k8s-version.outputs.version }} in helm schema diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 342601cb56..6b986d14f7 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -48,7 +48,7 @@ jobs: CHART_VERSION: ${{ inputs.helm_chart_version }} - name: Create Pull Request - uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 + uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 with: token: ${{ secrets.NGINX_PAT }} commit-message: Version Bump for ${{ github.event.inputs.ic_version }} From ccd88fd8e82441db942573070be6f00e9f4ac5de Mon Sep 17 00:00:00 2001 
From: Alan Dooley Date: Tue, 3 Sep 2024 15:26:11 +0000 Subject: [PATCH 37/83] Fix NAP WAF v5 example link, minor style issues (#6294) One of the links in the NGINX App Protect V5 configuration document is broken. This commit fixes the link, and also makes some other changes so the document is more closely in line with contemporary standards. --- .../app-protect-waf-v5/configuration.md | 33 +++++++++---------- 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/docs/content/installation/integrations/app-protect-waf-v5/configuration.md b/docs/content/installation/integrations/app-protect-waf-v5/configuration.md index f706a6fe86..d9d3123318 100644 --- a/docs/content/installation/integrations/app-protect-waf-v5/configuration.md +++ b/docs/content/installation/integrations/app-protect-waf-v5/configuration.md 
@@ -5,15 +5,15 @@ toc: true weight: 200 --- - ## Overview This document explains how to use F5 NGINX Ingress Controller to configure [NGINX App Protect WAF v5](https://docs.nginx.com/nginx-app-protect-waf/v5/). -{{< note >}} Check out the complete NGINX Ingress Controller with NGINX App Protect WAF example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/app-protect-waf-v5). F5 recommends to re-compile your NGINX AppProtect WAF Policy Bundles with each release of NGINX Ingress Controller. This will ensure your Policies remain compatible and are compiled with the latest Attack Signatures, Bot Signatures, and Threat Campaigns.{{< /note >}} +{{< note >}} There are complete NGINX Ingress Controller with NGINX App Protect WAF [example resources on GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/app-protect-waf-v5). +F5 recommends recompiling your NGINX AppProtect WAF Policy Bundles with each release of NGINX Ingress Controller. This ensures Policies remain compatible and are compiled with the latest attack signatures, bot signatures, and Ttreat campaigns.{{< /note >}} -## Global Configuration +## Global configuration NGINX Ingress Controller has global configuration parameters that match those in NGINX App Protect WAF. They are found in the [ConfigMap resource]({{< relref "configuration/global-configuration/configmap-resource.md#modules" >}}): the NGINX App Protect WAF parameters are prefixed with `app-protect*`. 
@@ -22,9 +22,9 @@ NGINX Ingress Controller has global configuration parameters that match those in NGINX App Protect WAF v5 can be enabled and configured for custom resources only(VirtualServer, VirtualServerRoute). You need to create a Policy Custom Resource referencing a policy bundle, then add it to the VirtualServer/VirtualServerRoute definition. Additional detail can be found in the [Policy Resource documentation]({{< relref "configuration/policy-resource.md#waf" >}}). -## NGINX App Protect WAF Bundles {#waf-bundles} +## NGINX App Protect WAF Bundles -You define App Protect WAF bundles for VirtualServer custom resources by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller. +App Protect WAF bundles for VirtualServer custom resources are defined by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller. Before applying a policy, a WAF policy bundle must be created, then copied to a volume mounted to `/etc/app_protect/bundles`. @@ -32,7 +32,6 @@ Before applying a policy, a WAF policy bundle must be created, then copied to a This example shows how a policy is configured by referencing a generated WAF Policy Bundle: - ```yaml apiVersion: k8s.nginx.org/v1 kind: Policy @@ -46,7 +45,6 @@ spec: This example shows the same policy as above but with a log bundle used for security log configuration: - ```yaml apiVersion: k8s.nginx.org/v1 kind: Policy 
@@ -62,13 +60,13 @@ spec: logDest: "syslog:server=syslog-svc.default:514" ``` -## Configuration in NGINX Plus Ingress Controller using Virtual Server Resource +## Configure NGINX Plus Ingress Controller using Virtual Server resources This example shows how to deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF v5, deploy a simple web application, and then configure load balancing and WAF protection for that application using the VirtualServer resource. -{{< note >}} You can find the files for this example on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/app-protect-waf/app-protect-waf-v5).{{< /note >}} +{{< note >}} You can find the files for this example on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/app-protect-waf-v5).{{< /note >}} -## Prerequisites +### Prerequisites 1. Follow the installation [instructions]({{< relref "installation/integrations/app-protect-waf-v5/installation.md" >}}) to deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF version 5. @@ -84,7 +82,7 @@ This example shows how to deploy NGINX Ingress Controller with NGINX Plus and NG IC_HTTP_PORT= ``` -### Step 1. Deploy a Web Application +### Deploy a web application Create the application deployment and service: @@ -92,7 +90,7 @@ Create the application deployment and service: kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{< nic-version >}}/examples/custom-resources/app-protect-waf-v5/webapp.yaml ``` -### Step 2. Create the Syslog Service +### Create the Syslog service Create the syslog service and pod for the NGINX App Protect WAF security logs: 
@@ -101,7 +99,7 @@ Create the syslog service and pod for the NGINX App Protect WAF security logs: kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{< nic-version >}}/examples/custom-resources/app-protect-waf-v5/syslog.yaml ``` -### Step 3 - Deploy the WAF Policy +### Deploy the WAF Policy {{< note >}} Configuration settings in the Policy resource enable WAF protection by configuring NGINX App Protect WAF with the log configuration created in the previous step. The policy bundle referenced as `your_policy_bundle_name.tgz` need to be created and placed in the `/etc/app_protect/bundles` volume first.{{}} @@ -113,8 +111,7 @@ Create and deploy the WAF policy. ``` -### Step 4 - Configure Load Balancing - +### Configure load balancing {{< note >}} VirtualServer references the `waf-policy` created in Step 3.{{}} @@ -125,9 +122,9 @@ Create and deploy the WAF policy. ``` -### Step 5 - Test the Application +### Test the application -To access the application, curl the coffee and the tea services. We'll use the `--resolve` option to set the Host header of a request with `webapp.example.com` +To access the application, curl the coffee and the tea services. Use the `--resolve` option to set the Host header of a request with `webapp.example.com` 1. Send a request to the application: @@ -156,7 +153,7 @@ To access the application, curl the coffee and the tea services. We'll use the ` kubectl exec -it -- cat /var/log/messages ``` -### Example VirtualServer configuration +## Example VirtualServer configuration The GitHub repository has a full [VirtualServer example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v{{< nic-version >}}/examples/custom-resources/app-protect-waf-v5/webapp.yaml). From 8b07f97040c728ba28bdccb6cd873736261e5d8e Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Sep 2024 09:20:57 +0100 Subject: [PATCH 38/83] Bump skopeo/stable from v1.16.0 to v1.16.1 in /tests in the docker-tests group (#6340) Bump skopeo/stable in /tests in the docker-tests group Bumps the docker-tests group in /tests with 1 update: [skopeo/stable](https://github.com/containers/image_build). Updates `skopeo/stable` from v1.16.0 to v1.16.1 - [Commits](https://github.com/containers/image_build/commits) --- updated-dependencies: - dependency-name: skopeo/stable dependency-type: direct:production dependency-group: docker-tests ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Dockerfile b/tests/Dockerfile index 213ca2bad0..3c0f307c54 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -3,7 +3,7 @@ FROM kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7325357a1ac94ba865 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date -FROM quay.io/skopeo/stable:v1.16.0 +FROM quay.io/skopeo/stable:v1.16.1 FROM python:3.12@sha256:e3d5b6f95ce66923b5e48a06ee5755abb097de96a8617c3f2f7d431d48e63d35 From 61783246209039eb7ccd51baf99c2270f758c1af Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 4 Sep 2024 09:49:49 +0100 Subject: [PATCH 39/83] refactor GlobalConfiguration controller (#6327) --- internal/k8s/controller.go | 123 ------------------- internal/k8s/global_configuration.go | 171 +++++++++++++++++++++++++++ internal/k8s/handlers.go | 34 ------ 3 files changed, 171 insertions(+), 157 deletions(-) create mode 100644 internal/k8s/global_configuration.go diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 7f62e608d6..75ea80636e 100644 --- a/internal/k8s/controller.go 
+++ b/internal/k8s/controller.go @@ -565,20 +565,6 @@ func (nsi *namespacedInformer) addPolicyHandler(handlers cache.ResourceEventHand nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) } -func (lbc *LoadBalancerController) addGlobalConfigurationHandler(handlers cache.ResourceEventHandlerFuncs, namespace string, name string) { - lbc.globalConfigurationLister, lbc.globalConfigurationController = cache.NewInformer( - cache.NewListWatchFromClient( - lbc.confClient.K8sV1().RESTClient(), - "globalconfigurations", - namespace, - fields.Set{"metadata.name": name}.AsSelector()), - &conf_v1.GlobalConfiguration{}, - lbc.resync, - handlers, - ) - lbc.cacheSyncs = append(lbc.cacheSyncs, lbc.globalConfigurationController.HasSynced) -} - func (nsi *namespacedInformer) addTransportServerHandler(handlers cache.ResourceEventHandlerFuncs) { informer := nsi.confSharedInformerFactory.K8s().V1().TransportServers().Informer() informer.AddEventHandler(handlers) 
@@ -1362,55 +1348,6 @@ func (lbc *LoadBalancerController) syncTransportServer(task task) { lbc.processProblems(problems) } -func (lbc *LoadBalancerController) syncGlobalConfiguration(task task) { - key := task.Key - obj, gcExists, err := lbc.globalConfigurationLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - - var changes []ResourceChange - var problems []ConfigurationProblem - var validationErr error - - if !gcExists { - glog.V(2).Infof("Deleting GlobalConfiguration: %v\n", key) - - changes, problems = lbc.configuration.DeleteGlobalConfiguration() - } else { - glog.V(2).Infof("Adding or Updating GlobalConfiguration: %v\n", key) - - gc := obj.(*conf_v1.GlobalConfiguration) - changes, problems, validationErr = lbc.configuration.AddOrUpdateGlobalConfiguration(gc) - } - - updateErr := lbc.processChangesFromGlobalConfiguration(changes) - - if gcExists { - eventTitle := "Updated" - eventType := api_v1.EventTypeNormal - eventMessage := fmt.Sprintf("GlobalConfiguration %s was added or updated", key) - - if validationErr != nil { - eventTitle = "AddedOrUpdatedWithError" - eventType = api_v1.EventTypeWarning - eventMessage = fmt.Sprintf("GlobalConfiguration %s is updated with errors: %v", key, validationErr) - } - - if updateErr != nil { - eventTitle += "WithError" - eventType = api_v1.EventTypeWarning - eventMessage = fmt.Sprintf("%s; with reload error: %v", eventMessage, updateErr) - } - - gc := obj.(*conf_v1.GlobalConfiguration) - lbc.recorder.Eventf(gc, eventType, eventTitle, eventMessage) - } - - lbc.processProblems(problems) -} - func (lbc *LoadBalancerController) syncVirtualServer(task task) { key := task.Key var obj interface{} 
@@ -1581,66 +1518,6 @@ func (lbc *LoadBalancerController) processChanges(changes []ResourceChange) { } } -// processChangesFromGlobalConfiguration processes changes that come from updates to the GlobalConfiguration resource. -// Such changes need to be processed at once to prevent any inconsistencies in the generated NGINX config. -func (lbc *LoadBalancerController) processChangesFromGlobalConfiguration(changes []ResourceChange) error { - var updatedTSExes []*configs.TransportServerEx - var updatedVSExes []*configs.VirtualServerEx - var deletedTSKeys []string - var deletedVSKeys []string - - var updatedResources []Resource - - for _, c := range changes { - switch impl := c.Resource.(type) { - case *VirtualServerConfiguration: - if c.Op == AddOrUpdate { - vsEx := lbc.createVirtualServerEx(impl.VirtualServer, impl.VirtualServerRoutes) - - updatedVSExes = append(updatedVSExes, vsEx) - updatedResources = append(updatedResources, impl) - } else if c.Op == Delete { - key := getResourceKey(&impl.VirtualServer.ObjectMeta) - - deletedVSKeys = append(deletedVSKeys, key) - } - case *TransportServerConfiguration: - if c.Op == AddOrUpdate { - tsEx := lbc.createTransportServerEx(impl.TransportServer, impl.ListenerPort) - - updatedTSExes = append(updatedTSExes, tsEx) - updatedResources = append(updatedResources, impl) - } else if c.Op == Delete { - key := getResourceKey(&impl.TransportServer.ObjectMeta) - - deletedTSKeys = append(deletedTSKeys, key) - } - } - } - - var updateErr error - - if len(updatedTSExes) > 0 || len(deletedTSKeys) > 0 { - tsUpdateErrs := lbc.configurator.UpdateTransportServers(updatedTSExes, deletedTSKeys) - - if len(tsUpdateErrs) > 0 { - updateErr = fmt.Errorf("errors received from updating TransportServers after GlobalConfiguration change: %v", tsUpdateErrs) - } - } - - if len(updatedVSExes) > 0 || len(deletedVSKeys) > 0 { - vsUpdateErrs := lbc.configurator.UpdateVirtualServers(updatedVSExes, deletedVSKeys) - - if len(vsUpdateErrs) > 0 { - updateErr = 
fmt.Errorf("errors received from updating VirtualSrvers after GlobalConfiguration change: %v", vsUpdateErrs) - } - } - - lbc.updateResourcesStatusAndEvents(updatedResources, configs.Warnings{}, updateErr) - - return updateErr -} - func (lbc *LoadBalancerController) updateTransportServerStatusAndEventsOnDelete(tsConfig *TransportServerConfiguration, changeError string, deleteErr error) { eventType := api_v1.EventTypeWarning eventTitle := "Rejected" diff --git a/internal/k8s/global_configuration.go b/internal/k8s/global_configuration.go new file mode 100644 index 0000000000..0541022c51 --- /dev/null +++ b/internal/k8s/global_configuration.go 
@@ -0,0 +1,171 @@
+package k8s
+
+import (
+ "fmt"
+ "reflect"
+
+ "github.com/golang/glog"
+ "github.com/nginxinc/kubernetes-ingress/internal/configs"
+ conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1"
+ api_v1 "k8s.io/api/core/v1"
+ "k8s.io/apimachinery/pkg/fields"
+ "k8s.io/client-go/tools/cache"
+)
+
+func createGlobalConfigurationHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs {
+ return cache.ResourceEventHandlerFuncs{
+ AddFunc: func(obj interface{}) {
+ gc := obj.(*conf_v1.GlobalConfiguration)
+ glog.V(3).Infof("Adding GlobalConfiguration: %v", gc.Name)
+ lbc.AddSyncQueue(gc)
+ },
+ DeleteFunc: func(obj interface{}) {
+ gc, isGc := obj.(*conf_v1.GlobalConfiguration)
+ if !isGc {
+ deletedState, ok := obj.(cache.DeletedFinalStateUnknown)
+ if !ok {
+ glog.V(3).Infof("Error received unexpected object: %v", obj)
+ return
+ }
+ gc, ok = deletedState.Obj.(*conf_v1.GlobalConfiguration)
+ if !ok {
+ glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-GlobalConfiguration object: %v", deletedState.Obj)
+ return
+ }
+ }
+ glog.V(3).Infof("Removing GlobalConfiguration: %v", gc.Name)
+ lbc.AddSyncQueue(gc)
+ },
+ UpdateFunc: func(old, cur interface{}) {
+ curGc := cur.(*conf_v1.GlobalConfiguration)
+ if !reflect.DeepEqual(old, cur) {
+ glog.V(3).Infof("GlobalConfiguration %v changed, syncing", curGc.Name)
+ lbc.AddSyncQueue(curGc)
+ }
+ },
+ }
+}
+
+func (lbc *LoadBalancerController) addGlobalConfigurationHandler(handlers cache.ResourceEventHandlerFuncs, namespace string, name string) {
+ options := cache.InformerOptions{
+ ListerWatcher: cache.NewListWatchFromClient(
+ lbc.confClient.K8sV1().RESTClient(),
+ "globalconfigurations",
+ namespace,
+ fields.Set{"metadata.name": name}.AsSelector()),
+ ObjectType: &conf_v1.GlobalConfiguration{},
+ ResyncPeriod: lbc.resync,
+ Handler: handlers,
+ }
+ lbc.globalConfigurationLister, lbc.globalConfigurationController = cache.NewInformerWithOptions(options)
+ lbc.cacheSyncs = append(lbc.cacheSyncs, lbc.globalConfigurationController.HasSynced)
+}
+
+func (lbc *LoadBalancerController) syncGlobalConfiguration(task task) {
+ key := task.Key
+ obj, gcExists, err := lbc.globalConfigurationLister.GetByKey(key)
+ if err != nil {
+ lbc.syncQueue.Requeue(task, err)
+ return
+ }
+
+ var changes []ResourceChange
+ var problems []ConfigurationProblem
+ var validationErr error
+
+ if !gcExists {
+ glog.V(2).Infof("Deleting GlobalConfiguration: %v\n", key)
+
+ changes, problems = lbc.configuration.DeleteGlobalConfiguration()
+ } else {
+ glog.V(2).Infof("Adding or Updating GlobalConfiguration: %v\n", key)
+
+ gc := obj.(*conf_v1.GlobalConfiguration)
+ changes, problems, validationErr = lbc.configuration.AddOrUpdateGlobalConfiguration(gc)
+ }
+
+ updateErr := lbc.processChangesFromGlobalConfiguration(changes)
+
+ if gcExists {
+ eventTitle := "Updated"
+ eventType := api_v1.EventTypeNormal
+ eventMessage := fmt.Sprintf("GlobalConfiguration %s was added or updated", key)
+
+ if validationErr != nil {
+ eventTitle = "AddedOrUpdatedWithError"
+ eventType = api_v1.EventTypeWarning
+ eventMessage = fmt.Sprintf("GlobalConfiguration %s is updated with errors: %v", key, validationErr)
+ }
+
+ if updateErr != nil {
+ eventTitle += "WithError"
+ eventType = api_v1.EventTypeWarning
+ eventMessage = fmt.Sprintf("%s; with reload error: %v", eventMessage, updateErr)
+ }
+
+ gc := obj.(*conf_v1.GlobalConfiguration)
+ lbc.recorder.Eventf(gc, eventType, eventTitle, eventMessage)
+ }
+
+ lbc.processProblems(problems)
+}
+
+// processChangesFromGlobalConfiguration processes changes that come from updates to the GlobalConfiguration resource.
+// Such changes need to be processed at once to prevent any inconsistencies in the generated NGINX config.
+func (lbc *LoadBalancerController) processChangesFromGlobalConfiguration(changes []ResourceChange) error {
+ var updatedTSExes []*configs.TransportServerEx
+ var updatedVSExes []*configs.VirtualServerEx
+ var deletedTSKeys []string
+ var deletedVSKeys []string
+
+ var updatedResources []Resource
+
+ for _, c := range changes {
+ switch impl := c.Resource.(type) {
+ case *VirtualServerConfiguration:
+ if c.Op == AddOrUpdate {
+ vsEx := lbc.createVirtualServerEx(impl.VirtualServer, impl.VirtualServerRoutes)
+
+ updatedVSExes = append(updatedVSExes, vsEx)
+ updatedResources = append(updatedResources, impl)
+ } else if c.Op == Delete {
+ key := getResourceKey(&impl.VirtualServer.ObjectMeta)
+
+ deletedVSKeys = append(deletedVSKeys, key)
+ }
+ case *TransportServerConfiguration:
+ if c.Op == AddOrUpdate {
+ tsEx := lbc.createTransportServerEx(impl.TransportServer, impl.ListenerPort)
+
+ updatedTSExes = append(updatedTSExes, tsEx)
+ updatedResources = append(updatedResources, impl)
+ } else if c.Op == Delete {
+ key := getResourceKey(&impl.TransportServer.ObjectMeta)
+
+ deletedTSKeys = append(deletedTSKeys, key)
+ }
+ }
+ }
+
+ var updateErr error
+
+ if len(updatedTSExes) > 0 || len(deletedTSKeys) > 0 {
+ tsUpdateErrs := lbc.configurator.UpdateTransportServers(updatedTSExes, deletedTSKeys)
+
+ if len(tsUpdateErrs) > 0 {
+ updateErr = fmt.Errorf("errors received from updating TransportServers after GlobalConfiguration change: %v", tsUpdateErrs)
+ }
+ }
+
+ if len(updatedVSExes) > 0 || len(deletedVSKeys) > 0 {
+ vsUpdateErrs := lbc.configurator.UpdateVirtualServers(updatedVSExes, deletedVSKeys)
+
+ if len(vsUpdateErrs) > 0 {
+ updateErr = fmt.Errorf("errors received from updating VirtualSrvers after GlobalConfiguration change: %v", vsUpdateErrs)
+ }
+ }
+
+ lbc.updateResourcesStatusAndEvents(updatedResources, configs.Warnings{}, updateErr)
+
+ return updateErr
+}
diff --git a/internal/k8s/handlers.go b/internal/k8s/handlers.go
index 8589f1f7bf..b55c006bf7 100644
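Review bot: In `processChangesFromGlobalConfiguration`, a TransportServer update failure is lost whenever the VirtualServer update also fails, because the second branch assigns `updateErr` instead of adding to it; the status and events written by `updateResourcesStatusAndEvents`, and the error returned to `syncGlobalConfiguration`, then report only the VirtualServer errors. Joining the two keeps both, e.g. `updateErr = errors.Join(updateErr, fmt.Errorf("errors received from updating VirtualServers after GlobalConfiguration change: %v", vsUpdateErrs))`, which needs `"errors"` added to the import block and also corrects the `VirtualSrvers` typo in the message. The code is moved unchanged from controller.go, so this predates the commit, but the new file is a good place to fix it. Separately, `AddFunc` and `UpdateFunc` in `createGlobalConfigurationHandlers` use unchecked type assertions that would panic on an unexpected object, whereas `DeleteFunc` already uses the comma-ok form.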
--- a/internal/k8s/handlers.go +++ b/internal/k8s/handlers.go @@ -326,40 +326,6 @@ func createVirtualServerRouteHandlers(lbc *LoadBalancerController) cache.Resourc } } -func createGlobalConfigurationHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - return cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - gc := obj.(*conf_v1.GlobalConfiguration) - glog.V(3).Infof("Adding GlobalConfiguration: %v", gc.Name) - lbc.AddSyncQueue(gc) - }, - DeleteFunc: func(obj interface{}) { - gc, isGc := obj.(*conf_v1.GlobalConfiguration) - if !isGc { - deletedState, ok := obj.(cache.DeletedFinalStateUnknown) - if !ok { - glog.V(3).Infof("Error received unexpected object: %v", obj) - return - } - gc, ok = deletedState.Obj.(*conf_v1.GlobalConfiguration) - if !ok { - glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-GlobalConfiguration object: %v", deletedState.Obj) - return - } - } - glog.V(3).Infof("Removing GlobalConfiguration: %v", gc.Name) - lbc.AddSyncQueue(gc) - }, - UpdateFunc: func(old, cur interface{}) { - curGc := cur.(*conf_v1.GlobalConfiguration) - if !reflect.DeepEqual(old, cur) { - glog.V(3).Infof("GlobalConfiguration %v changed, syncing", curGc.Name) - lbc.AddSyncQueue(curGc) - } - }, - } -} - func createTransportServerHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { return cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { From f1d8dc061f1826cf92e40f89fbd459009afc1fb1 Mon Sep 17 00:00:00 2001 
From: Alan Dooley Date: Wed, 4 Sep 2024 09:18:42 +0000 Subject: [PATCH 40/83] Update documentation Makefile and README (#6339) This commit updates the documentation Makefile and README, reflecting changes to it across NGINX's open source repositories for consistency. It removes unnecessary targets: Netlify is no longer used, nor was the Makefile used for Netlify for quite some time. The guidance for Makefile targets in the README is updated accordingly, as well formatting instructions for how we use Hugo contemporaneously. --- docs/Makefile | 50 ++++++++++++-------------------------------------- docs/README.md | 33 ++++++++++++++++----------------- 2 files changed, 28 insertions(+), 55 deletions(-) diff --git a/docs/Makefile b/docs/Makefile index b0d647edc4..d46833e92a 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -1,28 +1,22 @@ HUGO?=hugo -# the officially recommended unofficial docker image HUGO_IMG?=hugomods/hugo:0.115.3 THEME_MODULE = github.com/nginxinc/nginx-hugo-theme -## Pulls the current theme version from the Netlify settings THEME_VERSION = 0.41.14 -NETLIFY_DEPLOY_URL = ${DEPLOY_PRIME_URL} -# if there's no local hugo, fallback to docker ifeq (, $(shell ${HUGO} version 2> /dev/null)) ifeq (, $(shell docker version 2> /dev/null)) $(error Docker and Hugo are not installed. Hugo (<0.91) or Docker are required to build the local preview.) else - HUGO=docker run --rm -it -v ${CURDIR}:/src -p 1313:1313 ${HUGO_IMG} hugo + HUGO=docker run --rm -it -v ${CURDIR}:/src -p 1313:1313 ${HUGO_IMG} hugo --bind 0.0.0.0 -p 1313 endif endif MARKDOWNLINT?=markdownlint MARKDOWNLINT_IMG?=ghcr.io/igorshubovych/markdownlint-cli:latest -# if there's no local markdownlint, fallback to docker ifeq (, $(shell ${MARKDOWNLINT} version 2> /dev/null)) ifeq (, $(shell docker version 2> /dev/null)) -ifneq (, $(shell $(NETLIFY) "true")) $(error Docker and markdownlint are not installed. markdownlint or Docker are required to lint.) endif else 
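Review bot: The Docker fallback now bakes `--bind 0.0.0.0 -p 1313` into `HUGO`, so every target that expands `${HUGO}` inherits those flags: `docs` runs a plain build with them, and `watch` and `drafts` (in the later hunk of this file) pass them a second time. If I read Hugo's CLI correctly, `--bind` belongs to `hugo server`, so the `docs` target may fail when the fallback is in use; keeping the assignment as `... ${HUGO_IMG} hugo` and leaving the flags on the server targets avoids that. Because `-p 1313:1313` publishes the preview server on every host interface, `-p 127.0.0.1:1313:1313` would keep draft documentation reachable only from the developer's own machine.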
@@ -32,10 +26,9 @@ endif MARKDOWNLINKCHECK?=markdown-link-check MARKDOWNLINKCHECK_IMG?=ghcr.io/tcort/markdown-link-check:stable -# if there's no local markdown-link-check, fallback to docker + ifeq (, $(shell ${MARKDOWNLINKCHECK} --version 2> /dev/null)) ifeq (, $(shell docker version 2> /dev/null)) -ifneq (, $(shell $(NETLIFY) "true")) $(error Docker and markdown-link-check are not installed. markdown-link-check or Docker are required to check links.) endif else @@ -43,49 +36,30 @@ else endif endif -.PHONY: all all-staging all-dev all-local clean hugo-mod build-production build-staging build-dev docs-drafts docs deploy-preview - -all: hugo-mod build-production - -all-staging: hugo-mod build-staging - -all-dev: hugo-mod build-dev - -all-local: clean hugo-mod build-production +.PHONY: docs docs-draft docs-local clean hugo-get hugo-tidy lint-markdown link-check docs: ${HUGO} -clean: - if [[ -d ${PWD}/public ]] ; then rm -rf ${PWD}/public && echo "Removed public directory" ; else echo "Did not find a public directory to remove" ; fi - watch: ${HUGO} --bind 0.0.0.0 -p 1313 server --disableFastRender -watch-drafts: +drafts: ${HUGO} --bind 0.0.0.0 -p 1313 server -D --disableFastRender -link-check: - ${MARKDOWNLINKCHECK} $(shell find content -name '*.md') - -lint-markdown: - ${MARKDOWNLINT} -c .markdownlint.json -- content +clean: + [ -d "public" ] && rm -rf "public" -# Commands used by Netlify CI -hugo-mod: +hugo-get: hugo mod get $(THEME_MODULE)@v$(THEME_VERSION) hugo-tidy: hugo mod tidy -build-production: - hugo --gc -e production +hugo-update: hugo-get hugo-tidy -build-staging: - hugo --gc -e staging - -build-dev: - hugo --gc -e development +lint-markdown: + ${MARKDOWNLINT} -c .markdownlint.yaml -- content -deploy-preview: hugo-mod - hugo --gc -b ${NETLIFY_DEPLOY_URL}/nginx-ingress-controller/ +link-check: + ${MARKDOWNLINKCHECK} $(shell find content -name '*.md') diff --git a/docs/README.md b/docs/README.md index 41b345b769..033f0033e1 100644 --- a/docs/README.md 
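Review bot: The new `clean` recipe, `[ -d "public" ] && rm -rf "public"`, exits non-zero when `public` does not exist, so `make clean` fails on a fresh checkout; `rm -rf public` alone is enough because `-f` ignores a missing path. The `.PHONY` line names `docs-draft` and `docs-local`, which this Makefile does not define, and omits `watch`, `drafts` and `hugo-update`; I would write `.PHONY: docs watch drafts clean hugo-get hugo-tidy hugo-update lint-markdown link-check`. `hugo-get` and `hugo-tidy` also call `hugo` directly rather than `${HUGO}`, so they bypass the Docker fallback set up at the top of the file.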
+++ b/docs/README.md 
@@ -30,30 +30,29 @@ To work on documentation, create a feature branch in a forked repository then ta The documentation is published from the latest public release branch. If your changes require immediate publication, create a pull request to cherry-pick changes from `main` to the public release branch. -## Developing documentation locally +## Develop documentation locally -To build the documentation locally, run the `make` command inside this `/site/` directory: +To build the documentation locally, use the `make` command in the documentation folder with these targets: ```text -make docs - Builds the documentation set with the output as the '/public' directory -make clean - Removes the local '/public/' directory -make watch - Starts a local Hugo server for live previews -make watch-drafts - Starts a local Hugo server for live previews, including documentation marked with 'draft: true' -make link-check - Check for any broken links in the documentation -make lint-markdown - Runs markdownlint to identify possible markdown formatting issues +make docs - Builds the documentation +make watch - Runs a local Hugo server to automatically preview changes +make drafts - Runs a local Hugo server, and displays documentation marked as drafts +make clean - Removes the output 'public' directory created by Hugo +make hugo-get - Updates the go module file with the latest version of the theme +make hugo-tidy - Removes unnecessary dependencies from the go module file +make hugo-update - Runs the hugo-get and hugo-tidy targets in sequence +make lint-markdown - Runs markdownlint on the content folder +make link-check - Runs markdown-link-check on all Markdown files ``` -The `watch` options automatically reload the Hugo server, allowing you to view updates as you work. - -> **Note**: The documentation uses build environments to control the baseURL used for things like internal references and static resources. The configuration for each environment can be found in the `config` directory. 
When running Hugo you can specify the environment and baseURL, but it's unnecessary. - ## Adding new documentation -### Using Hugo to generate a new documentation file +### Generate a new documentation file using Hugo -To create a new documentation file with the pre-configured Hugo front-matter for the task template, run the following command inside this `/site` directory: +To create a new documentation file containing the pre-configured Hugo front-matter with the task template, **run the following command in the documentation directory**: -`hugo new /.md` +`hugo new /.` For example: @@ -61,7 +60,7 @@ For example: hugo new getting-started/install.md ``` -The default template (task) should be used for most pages. For other content templates, you can use the `--kind` flag: +The default template -- task -- should be used for most documentation. To create documentation using the other content templates, you can use the `--kind` flag: ```shell hugo new tutorials/deploy.md --kind tutorial @@ -119,7 +118,7 @@ Use the `img` [shortcode](#using-hugo-shortcodes) to add images into your docume ### Using Hugo shortcodes -[Hugo shortcodes](/docs/themes/f5-hugo/layouts/shortcodes/) are used to format callouts, add images, and reuse content across different pages. +[Hugo shortcodes](https://github.com/nginxinc/nginx-hugo-theme/tree/main/layouts/shortcodes) are used to format callouts, add images, and reuse content across different pages. For example, to use the `note` callout: From 15475e04bfc75beb1ccbf9a7715419c238453517 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Sep 2024 09:45:55 +0000 Subject: [PATCH 41/83] Bump cryptography from 43.0.0 to 43.0.1 in /tests in the pip group (#6341) Bumps the pip group in /tests with 1 update: [cryptography](https://github.com/pyca/cryptography). Updates `cryptography` from 43.0.0 to 43.0.1 - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](https://github.com/pyca/cryptography/compare/43.0.0...43.0.1) --- updated-dependencies: - dependency-name: cryptography dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- tests/requirements.txt | 56 +++++++++++++++++++++--------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/tests/requirements.txt b/tests/requirements.txt index a38452786d..235c00c58e 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt 
@@ -186,34 +186,34 @@ charset-normalizer==3.3.2 \ # via # -r requirements.txt # requests -cryptography==43.0.0 \ - --hash=sha256:0663585d02f76929792470451a5ba64424acc3cd5227b03921dab0e2f27b1709 \ - --hash=sha256:08a24a7070b2b6804c1940ff0f910ff728932a9d0e80e7814234269f9d46d069 \ - --hash=sha256:232ce02943a579095a339ac4b390fbbe97f5b5d5d107f8a08260ea2768be8cc2 \ - --hash=sha256:2905ccf93a8a2a416f3ec01b1a7911c3fe4073ef35640e7ee5296754e30b762b \ - --hash=sha256:299d3da8e00b7e2b54bb02ef58d73cd5f55fb31f33ebbf33bd00d9aa6807df7e \ - --hash=sha256:2c6d112bf61c5ef44042c253e4859b3cbbb50df2f78fa8fae6747a7814484a70 \ - --hash=sha256:31e44a986ceccec3d0498e16f3d27b2ee5fdf69ce2ab89b52eaad1d2f33d8778 \ - --hash=sha256:3d9a1eca329405219b605fac09ecfc09ac09e595d6def650a437523fcd08dd22 \ - --hash=sha256:3dcdedae5c7710b9f97ac6bba7e1052b95c7083c9d0e9df96e02a1932e777895 \ - --hash=sha256:47ca71115e545954e6c1d207dd13461ab81f4eccfcb1345eac874828b5e3eaaf \ - --hash=sha256:4a997df8c1c2aae1e1e5ac49c2e4f610ad037fc5a3aadc7b64e39dea42249431 \ - --hash=sha256:51956cf8730665e2bdf8ddb8da0056f699c1a5715648c1b0144670c1ba00b48f \ - --hash=sha256:5bcb8a5620008a8034d39bce21dc3e23735dfdb6a33a06974739bfa04f853947 \ - --hash=sha256:64c3f16e2a4fc51c0d06af28441881f98c5d91009b8caaff40cf3548089e9c74 \ - --hash=sha256:6e2b11c55d260d03a8cf29ac9b5e0608d35f08077d8c087be96287f43af3ccdc \ - --hash=sha256:7b3f5fe74a5ca32d4d0f302ffe6680fcc5c28f8ef0dc0ae8f40c0f3a1b4fca66 \ - --hash=sha256:844b6d608374e7d08f4f6e6f9f7b951f9256db41421917dfb2d003dde4cd6b66 \ - --hash=sha256:9a8d6802e0825767476f62aafed40532bd435e8a5f7d23bd8b4f5fd04cc80ecf \ - --hash=sha256:aae4d918f6b180a8ab8bf6511a419473d107df4dbb4225c7b48c5c9602c38c7f \ - --hash=sha256:ac1955ce000cb29ab40def14fd1bbfa7af2017cca696ee696925615cafd0dce5 \ - --hash=sha256:b88075ada2d51aa9f18283532c9f60e72170041bba88d7f37e49cbb10275299e \ - --hash=sha256:cb013933d4c127349b3948aa8aaf2f12c0353ad0eccd715ca789c8a0f671646f \ - 
--hash=sha256:cc70b4b581f28d0a254d006f26949245e3657d40d8857066c2ae22a61222ef55 \ - --hash=sha256:e9c5266c432a1e23738d178e51c2c7a5e2ddf790f248be939448c0ba2021f9d1 \ - --hash=sha256:ea9e57f8ea880eeea38ab5abf9fbe39f923544d7884228ec67d666abd60f5a47 \ - --hash=sha256:ee0c405832ade84d4de74b9029bedb7b31200600fa524d218fc29bfa371e97f5 \ - --hash=sha256:fdcb265de28585de5b859ae13e3846a8e805268a823a12a4da2597f1f5afc9f0 +cryptography==43.0.1 \ + --hash=sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494 \ + --hash=sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806 \ + --hash=sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d \ + --hash=sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062 \ + --hash=sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2 \ + --hash=sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4 \ + --hash=sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1 \ + --hash=sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85 \ + --hash=sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84 \ + --hash=sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042 \ + --hash=sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d \ + --hash=sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962 \ + --hash=sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2 \ + --hash=sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa \ + --hash=sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d \ + --hash=sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365 \ + --hash=sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96 \ + --hash=sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47 \ + 
--hash=sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d \ + --hash=sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d \ + --hash=sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c \ + --hash=sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb \ + --hash=sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277 \ + --hash=sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172 \ + --hash=sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034 \ + --hash=sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a \ + --hash=sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289 # via # -r requirements.txt # pyopenssl From d711d318c31044c93cd69a98b6154d0a76aedb08 Mon Sep 17 00:00:00 2001 From: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Date: Wed, 4 Sep 2024 11:49:00 +0100 Subject: [PATCH 42/83] Bump Go version to v1.23 (#6337) --- .github/workflows/ci.yml | 5 +++++ go.mod | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e00338c5b6..d8ab687882 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -168,6 +168,11 @@ jobs: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup Golang Environment + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version-file: go.mod + - name: Check if go.mod and go.sum are up to date run: go mod tidy && git diff --exit-code -- go.mod go.sum diff --git a/go.mod b/go.mod index bc6c0ef81b..56166932c0 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/nginxinc/kubernetes-ingress -go 1.22.5 +go 1.23 require ( github.com/aws/aws-sdk-go-v2/config v1.27.31 From 27fb090122f1184d8919446b986d330983d48efc Mon Sep 17 00:00:00 2001 
From: Venktesh Shivam Patel Date: Wed, 4 Sep 2024 16:30:29 +0100 Subject: [PATCH 43/83] remove extra endifs (#6352) --- docs/Makefile | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/Makefile b/docs/Makefile index d46833e92a..287f63ea2c 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -22,7 +22,6 @@ endif else MARKDOWNLINT=docker run --rm -i -v ${CURDIR}:/src --workdir /src ${MARKDOWNLINT_IMG} endif -endif MARKDOWNLINKCHECK?=markdown-link-check MARKDOWNLINKCHECK_IMG?=ghcr.io/tcort/markdown-link-check:stable @@ -34,7 +33,6 @@ endif else MARKDOWNLINKCHECK=docker run --rm -it -v ${CURDIR}:/site --workdir /site ${MARKDOWNLINKCHECK_IMG} endif -endif .PHONY: docs docs-draft docs-local clean hugo-get hugo-tidy lint-markdown link-check From d0e56e9e5c9b4919ef49d9f2579fa9813acf38f0 Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Wed, 4 Sep 2024 17:00:49 +0100 Subject: [PATCH 44/83] update go version format (#6350) --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 56166932c0..9c028b8abd 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/nginxinc/kubernetes-ingress -go 1.23 +go 1.23.0 require ( github.com/aws/aws-sdk-go-v2/config v1.27.31 From 90a52a002a2d04c7590b5d17e06b3d38ed6f28b3 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 4 Sep 2024 17:35:32 +0100 Subject: [PATCH 45/83] move mounted code to fix /tmp file permissions (#6354) --- build/Dockerfile | 2 +- build/scripts/common.sh | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 6ac97c9751..4c63fc4748 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -538,7 +538,7 @@ ARG NAP_MODULES=none ENV BUILD_OS=${BUILD_OS} -RUN --mount=type=bind,target=/tmp \ +RUN --mount=type=bind,target=/code \ --mount=type=bind,from=nginx-files,src=common.sh,target=/usr/local/bin/common.sh \ --mount=type=bind,from=nginx-files,src=patch-os.sh,target=/usr/local/bin/patch-os.sh \ patch-os.sh \ diff --git a/build/scripts/common.sh b/build/scripts/common.sh index 0fe5559b72..ccae70f7bb 100755 --- a/build/scripts/common.sh +++ b/build/scripts/common.sh @@ -5,20 +5,20 @@ set -e PLUS="" if [ -z "${BUILD_OS##*plus*}" ]; then mkdir -p /etc/nginx/oidc/ - cp -a /tmp/internal/configs/oidc/* /etc/nginx/oidc/ + cp -a /code/internal/configs/oidc/* /etc/nginx/oidc/ mkdir -p /etc/nginx/state_files/ PLUS=-plus fi -mkdir -p /etc/nginx/njs/ && cp -a /tmp/internal/configs/njs/* /etc/nginx/njs/ +mkdir -p /etc/nginx/njs/ && cp -a /code/internal/configs/njs/* /etc/nginx/njs/ mkdir -p /var/lib/nginx /etc/nginx/secrets /etc/nginx/stream-conf.d setcap 'cap_net_bind_service=+eip' /usr/sbin/nginx 'cap_net_bind_service=+eip' /usr/sbin/nginx-debug setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx 'cap_net_bind_service=+eip' /usr/sbin/nginx-debug -cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl \ - /tmp/internal/configs/version1/nginx$PLUS.tmpl \ - /tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl \ - /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl \ +cp -a /code/internal/configs/version1/nginx$PLUS.ingress.tmpl \ + /code/internal/configs/version1/nginx$PLUS.tmpl \ + /code/internal/configs/version2/nginx$PLUS.virtualserver.tmpl \ + /code/internal/configs/version2/nginx$PLUS.transportserver.tmpl \ / chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl From 44683e85c90f29c370b5b92627e8104f70e351af Mon Sep 17 00:00:00 2001 
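Review bot: `--mount=type=bind,target=/code` binds the whole build context into this RUN step, while the visible part of common.sh only reads from `/code/internal/configs`. Narrowing the mount leaves the script paths unchanged and keeps the rest of the checkout out of the step: `RUN --mount=type=bind,source=internal/configs,target=/code/internal/configs \`. patch-os.sh is not shown here, so confirm it reads nothing else from the mount before narrowing. The RUN instruction continues past the end of the hunk.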
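Review bot: Every `cp -a /code/internal/configs/...` in this hunk preserves the mode bits of the build context, and the `chown -R 101:0` that follows resets ownership only. The permissions of the njs scripts, OIDC config and templates in the image therefore depend on the umask of whoever checked the repository out. Setting modes explicitly after the copies makes the image independent of the builder, for example `chmod -R o-w /etc/nginx /*.tmpl` placed next to the `chown`. A one-line comment above the copies, such as `# /code is the bind-mounted build context (see build/Dockerfile)`, would also record where the path comes from. The script starts above the hunk.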
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 4 Sep 2024 18:15:31 +0100 Subject: [PATCH 46/83] refactor Leader controller (#6349) --- internal/k8s/controller.go | 39 ----------------------------------- internal/k8s/leader.go | 42 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 39 deletions(-) diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 75ea80636e..5b02fd301f 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -493,15 +493,6 @@ func (lbc *LoadBalancerController) newNamespacedInformer(ns string) *namespacedI return nsi } -// addLeaderHandler adds the handler for leader election to the controller -func (lbc *LoadBalancerController) addLeaderHandler(leaderHandler leaderelection.LeaderCallbacks) { - var err error - lbc.leaderElector, err = newLeaderElector(lbc.client, leaderHandler, lbc.controllerNamespace, lbc.leaderElectionLockName) - if err != nil { - glog.V(3).Infof("Error starting LeaderElection: %v", err) - } -} - // AddSyncQueue enqueues the provided item on the sync queue func (lbc *LoadBalancerController) AddSyncQueue(item interface{}) { lbc.syncQueue.Enqueue(item) 
@@ -2295,36 +2286,6 @@ func (lbc *LoadBalancerController) updateVirtualServerRoutesStatusFromEvents() e return nil } -func (lbc *LoadBalancerController) updatePoliciesStatus() error { - var allErrs []error - for _, nsi := range lbc.namespacedInformers { - for _, obj := range nsi.policyLister.List() { - pol := obj.(*conf_v1.Policy) - - err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enableOIDC, lbc.appProtectEnabled) - if err != nil { - msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err) - err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateInvalid, "Rejected", msg) - if err != nil { - allErrs = append(allErrs, err) - } - } else { - msg := fmt.Sprintf("Policy %v/%v was added or updated", pol.Namespace, pol.Name) - err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateValid, "AddedOrUpdated", msg) - if err != nil { - allErrs = append(allErrs, err) - } - } - } - } - - if len(allErrs) != 0 { - return fmt.Errorf("not all Policies statuses were updated: %v", allErrs) - } - - return nil -} - func (lbc *LoadBalancerController) updateTransportServersStatusFromEvents() error { var allErrs []error for _, nsi := range lbc.namespacedInformers { diff --git a/internal/k8s/leader.go b/internal/k8s/leader.go index 7d3cf5ae45..49945311f2 100644 --- a/internal/k8s/leader.go +++ b/internal/k8s/leader.go @@ -2,10 +2,13 @@ package k8s import ( "context" + "fmt" "os" "time" "github.com/golang/glog" + conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1" + "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/validation" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -102,3 +105,42 @@ func createLeaderHandler(lbc *LoadBalancerController) leaderelection.LeaderCallb }, } } + +// addLeaderHandler adds the handler for leader election to the controller +func (lbc *LoadBalancerController) addLeaderHandler(leaderHandler leaderelection.LeaderCallbacks) { + var err error + lbc.leaderElector, err = newLeaderElector(lbc.client, leaderHandler, lbc.controllerNamespace, lbc.leaderElectionLockName) + if err != nil { + glog.V(3).Infof("Error starting LeaderElection: %v", err) + } +} + +func (lbc *LoadBalancerController) updatePoliciesStatus() error { + var allErrs []error + for _, nsi := range lbc.namespacedInformers { + for _, obj := range nsi.policyLister.List() { + pol := obj.(*conf_v1.Policy) + + err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enableOIDC, lbc.appProtectEnabled) + if err != nil { + msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err) + err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateInvalid, "Rejected", msg) + if err != nil { + allErrs = append(allErrs, err) + } + } else { + msg := fmt.Sprintf("Policy %v/%v was added or updated", pol.Namespace, pol.Name) + err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateValid, "AddedOrUpdated", msg) + if err != nil { + allErrs = append(allErrs, err) + } + } + } + } + + if len(allErrs) != 0 { + return fmt.Errorf("not all Policies statuses were updated: %v", allErrs) + } + + return nil +} From ffd4974fb3f6b0bcf9efbdda85c4671305e5ba68 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 4 Sep 2024 19:01:43 +0100 Subject: [PATCH 47/83] refactor IngressLink controller (#6348) --- internal/k8s/controller.go | 72 -------------------- internal/k8s/handlers.go | 42 ------------ internal/k8s/ingress_link.go | 124 +++++++++++++++++++++++++++++++++++ 3 files changed, 124 insertions(+), 114 deletions(-) create mode 100644 internal/k8s/ingress_link.go 
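Review bot: In `addLeaderHandler` a failure of `newLeaderElector` is logged only at `glog.V(3)`, so at default verbosity nothing indicates that `lbc.leaderElector` may be unusable. Log it as an error instead, `glog.Errorf("error creating leader elector: %v", err)`, or return the error so the caller can decide. `updatePoliciesStatus` arrives in this file without a doc comment; `// updatePoliciesStatus re-validates every Policy from the namespaced informers and writes the resulting state to its status.` would cover it. The unchecked `obj.(*conf_v1.Policy)` assertion panics if the lister ever holds another type; a comma-ok assertion that skips the entry would be safer.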
diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 5b02fd301f..a66429a757 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -564,22 +564,6 @@ func (nsi *namespacedInformer) addTransportServerHandler(handlers cache.Resource nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) } -func (lbc *LoadBalancerController) addIngressLinkHandler(handlers cache.ResourceEventHandlerFuncs, name string) { - optionsModifier := func(options *meta_v1.ListOptions) { - options.FieldSelector = fields.Set{"metadata.name": name}.String() - } - - informer := dynamicinformer.NewFilteredDynamicInformer(lbc.dynClient, ingressLinkGVR, lbc.controllerNamespace, lbc.resync, - cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, optionsModifier) - - informer.Informer().AddEventHandlerWithResyncPeriod(handlers, lbc.resync) - - lbc.ingressLinkInformer = informer.Informer() - lbc.ingressLinkLister = informer.Informer().GetStore() - - lbc.cacheSyncs = append(lbc.cacheSyncs, lbc.ingressLinkInformer.HasSynced) -} - func (lbc *LoadBalancerController) addNamespaceHandler(handlers cache.ResourceEventHandlerFuncs, nsLabel string) { optionsModifier := func(options *meta_v1.ListOptions) { options.LabelSelector = nsLabel 
@@ -1196,62 +1180,6 @@ func (lbc *LoadBalancerController) cleanupUnwatchedNamespacedResources(nsi *name nsi.stop() } -func (lbc *LoadBalancerController) syncIngressLink(task task) { - key := task.Key - glog.V(2).Infof("Adding, Updating or Deleting IngressLink: %v", key) - - obj, exists, err := lbc.ingressLinkLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - - if !exists { - // IngressLink got removed - lbc.statusUpdater.ClearStatusFromIngressLink() - } else { - // IngressLink is added or updated - link := obj.(*unstructured.Unstructured) - - // spec.virtualServerAddress contains the IP of the BIG-IP device - ip, found, err := unstructured.NestedString(link.Object, "spec", "virtualServerAddress") - if err != nil { - glog.Errorf("Failed to get virtualServerAddress from IngressLink %s: %v", key, err) - lbc.statusUpdater.ClearStatusFromIngressLink() - } else if !found { - glog.Errorf("virtualServerAddress is not found in IngressLink %s", key) - lbc.statusUpdater.ClearStatusFromIngressLink() - } else if ip == "" { - glog.Warningf("IngressLink %s has the empty virtualServerAddress field", key) - lbc.statusUpdater.ClearStatusFromIngressLink() - } else { - lbc.statusUpdater.SaveStatusFromIngressLink(ip) - } - } - - if lbc.reportStatusEnabled() { - ingresses := lbc.configuration.GetResourcesWithFilter(resourceFilter{Ingresses: true}) - - glog.V(3).Infof("Updating status for %v Ingresses", len(ingresses)) - - err := lbc.statusUpdater.UpdateExternalEndpointsForResources(ingresses) - if err != nil { - glog.Errorf("Error updating ingress status in syncIngressLink: %v", err) - } - } - - if lbc.areCustomResourcesEnabled && lbc.reportCustomResourceStatusEnabled() { - virtualServers := lbc.configuration.GetResourcesWithFilter(resourceFilter{VirtualServers: true}) - - glog.V(3).Infof("Updating status for %v VirtualServers", len(virtualServers)) - - err := lbc.statusUpdater.UpdateExternalEndpointsForResources(virtualServers) - if err != nil { - 
glog.V(3).Infof("Error updating VirtualServer/VirtualServerRoute status in syncIngressLink: %v", err) - } - } -} - func (lbc *LoadBalancerController) syncPolicy(task task) { key := task.Key var obj interface{} diff --git a/internal/k8s/handlers.go b/internal/k8s/handlers.go index b55c006bf7..93ad7de8a6 100644 --- a/internal/k8s/handlers.go +++ b/internal/k8s/handlers.go 
@@ -395,48 +395,6 @@ func createPolicyHandlers(lbc *LoadBalancerController) cache.ResourceEventHandle } } -func createIngressLinkHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - return cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - link := obj.(*unstructured.Unstructured) - glog.V(3).Infof("Adding IngressLink: %v", link.GetName()) - lbc.AddSyncQueue(link) - }, - DeleteFunc: func(obj interface{}) { - link, isUnstructured := obj.(*unstructured.Unstructured) - - if !isUnstructured { - deletedState, ok := obj.(cache.DeletedFinalStateUnknown) - if !ok { - glog.V(3).Infof("Error received unexpected object: %v", obj) - return - } - link, ok = deletedState.Obj.(*unstructured.Unstructured) - if !ok { - glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-Unstructured object: %v", deletedState.Obj) - return - } - } - - glog.V(3).Infof("Removing IngressLink: %v", link.GetName()) - lbc.AddSyncQueue(link) - }, - UpdateFunc: func(old, cur interface{}) { - oldLink := old.(*unstructured.Unstructured) - curLink := cur.(*unstructured.Unstructured) - different, err := areResourcesDifferent(oldLink, curLink) - if err != nil { - glog.V(3).Infof("Error when comparing IngressLinks: %v", err) - lbc.AddSyncQueue(curLink) - } - if different { - glog.V(3).Infof("IngressLink %v changed, syncing", oldLink.GetName()) - lbc.AddSyncQueue(curLink) - } - }, - } -} - // areResourcesDifferent returns true if the resources are different based on their spec. func areResourcesDifferent(oldresource, resource *unstructured.Unstructured) (bool, error) { oldSpec, found, err := unstructured.NestedMap(oldresource.Object, "spec") diff --git a/internal/k8s/ingress_link.go b/internal/k8s/ingress_link.go new file mode 100644 index 0000000000..b380fb17b9 --- /dev/null +++ b/internal/k8s/ingress_link.go 
@@ -0,0 +1,124 @@ +package k8s + +import ( + "github.com/golang/glog" + meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/fields" + "k8s.io/client-go/dynamic/dynamicinformer" + "k8s.io/client-go/tools/cache" +) + +func createIngressLinkHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { + return cache.ResourceEventHandlerFuncs{ + AddFunc: func(obj interface{}) { + link := obj.(*unstructured.Unstructured) + glog.V(3).Infof("Adding IngressLink: %v", link.GetName()) + lbc.AddSyncQueue(link) + }, + DeleteFunc: func(obj interface{}) { + link, isUnstructured := obj.(*unstructured.Unstructured) + + if !isUnstructured { + deletedState, ok := obj.(cache.DeletedFinalStateUnknown) + if !ok { + glog.V(3).Infof("Error received unexpected object: %v", obj) + return + } + link, ok = deletedState.Obj.(*unstructured.Unstructured) + if !ok { + glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-Unstructured object: %v", deletedState.Obj) + return + } + } + + glog.V(3).Infof("Removing IngressLink: %v", link.GetName()) + lbc.AddSyncQueue(link) + }, + UpdateFunc: func(old, cur interface{}) { + oldLink := old.(*unstructured.Unstructured) + curLink := cur.(*unstructured.Unstructured) + different, err := areResourcesDifferent(oldLink, curLink) + if err != nil { + glog.V(3).Infof("Error when comparing IngressLinks: %v", err) + lbc.AddSyncQueue(curLink) + } + if different { + glog.V(3).Infof("IngressLink %v changed, syncing", oldLink.GetName()) + lbc.AddSyncQueue(curLink) + } + }, + } +} + +func (lbc *LoadBalancerController) addIngressLinkHandler(handlers cache.ResourceEventHandlerFuncs, name string) { + optionsModifier := func(options *meta_v1.ListOptions) { + options.FieldSelector = fields.Set{"metadata.name": name}.String() + } + + informer := dynamicinformer.NewFilteredDynamicInformer(lbc.dynClient, ingressLinkGVR, lbc.controllerNamespace, lbc.resync, + 
cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, optionsModifier) + + informer.Informer().AddEventHandlerWithResyncPeriod(handlers, lbc.resync) //nolint:errcheck,gosec + + lbc.ingressLinkInformer = informer.Informer() + lbc.ingressLinkLister = informer.Informer().GetStore() + + lbc.cacheSyncs = append(lbc.cacheSyncs, lbc.ingressLinkInformer.HasSynced) +} + +func (lbc *LoadBalancerController) syncIngressLink(task task) { + key := task.Key + glog.V(2).Infof("Adding, Updating or Deleting IngressLink: %v", key) + + obj, exists, err := lbc.ingressLinkLister.GetByKey(key) + if err != nil { + lbc.syncQueue.Requeue(task, err) + return + } + + if !exists { + // IngressLink got removed + lbc.statusUpdater.ClearStatusFromIngressLink() + } else { + // IngressLink is added or updated + link := obj.(*unstructured.Unstructured) + + // spec.virtualServerAddress contains the IP of the BIG-IP device + ip, found, err := unstructured.NestedString(link.Object, "spec", "virtualServerAddress") + if err != nil { + glog.Errorf("Failed to get virtualServerAddress from IngressLink %s: %v", key, err) + lbc.statusUpdater.ClearStatusFromIngressLink() + } else if !found { + glog.Errorf("virtualServerAddress is not found in IngressLink %s", key) + lbc.statusUpdater.ClearStatusFromIngressLink() + } else if ip == "" { + glog.Warningf("IngressLink %s has the empty virtualServerAddress field", key) + lbc.statusUpdater.ClearStatusFromIngressLink() + } else { + lbc.statusUpdater.SaveStatusFromIngressLink(ip) + } + } + + if lbc.reportStatusEnabled() { + ingresses := lbc.configuration.GetResourcesWithFilter(resourceFilter{Ingresses: true}) + + glog.V(3).Infof("Updating status for %v Ingresses", len(ingresses)) + + err := lbc.statusUpdater.UpdateExternalEndpointsForResources(ingresses) + if err != nil { + glog.Errorf("Error updating ingress status in syncIngressLink: %v", err) + } + } + + if lbc.areCustomResourcesEnabled && lbc.reportCustomResourceStatusEnabled() { + virtualServers := 
lbc.configuration.GetResourcesWithFilter(resourceFilter{VirtualServers: true}) + + glog.V(3).Infof("Updating status for %v VirtualServers", len(virtualServers)) + + err := lbc.statusUpdater.UpdateExternalEndpointsForResources(virtualServers) + if err != nil { + glog.V(3).Infof("Error updating VirtualServer/VirtualServerRoute status in syncIngressLink: %v", err) + } + } +} From 903d3c702526823dc00756760d75a2572668fe17 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Thu, 5 Sep 2024 00:34:29 -0700 Subject: [PATCH 48/83] Docker image update 7f09d79f (#6359) Update docker images 7f09d79f --- build/Dockerfile | 4 ++-- build/dependencies/Dockerfile.ubi-ppc64le | 2 +- tests/Dockerfile | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 4c63fc4748..b3885473da 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -16,7 +16,7 @@ FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1-alpine@sha256:cfc4ec96e FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e2bd639b269ec54343ea66b7acbdb0eb67bed44383e1be937c483c451d AS ubi-ppc64le FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 -FROM redhat/ubi9-minimal@sha256:104cf11d890aeb7dd5728b7d7732e175a0e4018f1bb00d2faebcc8f6bf29bd52 AS ubi-minimal +FROM redhat/ubi9-minimal@sha256:f182b500ff167918ca1010595311cf162464f3aa1cab755383d38be61b4d30aa AS ubi-minimal FROM golang:1.22-alpine@sha256:1a478681b671001b7f029f94b5016aed984a23ad99c707f6a0ab6563860ae2f3 AS golang-builder 
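Review bot: `syncIngressLink` passes `spec.virtualServerAddress` to `SaveStatusFromIngressLink` after checking only that it is non-empty, so any string written into the IngressLink is accepted. Judging by the `UpdateExternalEndpointsForResources` calls that follow, it is then presumably reported as the external endpoint. If only IP literals are expected, as the comment above the lookup says, add a branch `else if net.ParseIP(ip) == nil {` that logs a warning and calls `lbc.statusUpdater.ClearStatusFromIngressLink()`. In `addIngressLinkHandler` the new `//nolint:errcheck,gosec` suppresses the error returned by `AddEventHandlerWithResyncPeriod`; logging it would be better than silencing the linter. `AddFunc` and `UpdateFunc` also use unchecked `obj.(*unstructured.Unstructured)` assertions, unlike `DeleteFunc`.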
@@ -207,7 +207,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ ############################################# Base image for Debian with NGINX Plus ############################################# -FROM debian:12-slim@sha256:2ccc7e39b0a6f504d252f807da1fc4b5bcd838e83e4dec3e2f57b2a4a64e7214 AS debian-plus +FROM debian:12-slim@sha256:a629e796d77a7b2ff82186ed15d01a493801c020eed5ce6adaa2704356f15a1c AS debian-plus ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le index 59e28fc956..d29c3ee9b1 100644 --- a/build/dependencies/Dockerfile.ubi-ppc64le +++ b/build/dependencies/Dockerfile.ubi-ppc64le @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.8 FROM nginx:1.27.1@sha256:1540e37eebb9abc5afa4256de1bade6542d50bf69b61b1dd855cb7804aaaf444 AS nginx -FROM redhat/ubi9:9.4@sha256:9e6a89ab2a9224712391c77fab2ab01009e387aff42854826427aaf18b98b1ff AS rpm-build +FROM redhat/ubi9:9.4@sha256:9460515b85f2a75278f2043438583c1c377c44bf100178bb653a6c8658304ac7 AS rpm-build ARG NGINX ARG NJS ENV NGINX_VERSION ${NGINX} diff --git a/tests/Dockerfile b/tests/Dockerfile index 3c0f307c54..18c7d7e58f 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -5,7 +5,7 @@ FROM kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date FROM quay.io/skopeo/stable:v1.16.1 -FROM python:3.12@sha256:e3d5b6f95ce66923b5e48a06ee5755abb097de96a8617c3f2f7d431d48e63d35 +FROM python:3.12@sha256:29e0ed4d7724b123e55f6e95b5ab03226843848386fbc4ba590a3918beb2981e RUN apt-get update \ && apt-get install -y curl git \ From 75cfc6f3b1e10c5cadcea40dd160ca429478ef1d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Sep 2024 12:39:09 +0000 Subject: [PATCH 49/83] Bump the go group with 2 updates (#6358) Bumps the go group with 2 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/marketplacemetering](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.27.31 to 1.27.32 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.31...config/v1.27.32) Updates `github.com/aws/aws-sdk-go-v2/service/marketplacemetering` from 1.23.4 to 1.23.5 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.23.4...v1.23.5) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/marketplacemetering dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Co-authored-by: Alex Fenlon --- go.mod | 22 +++++++++++----------- go.sum | 44 ++++++++++++++++++++++---------------------- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/go.mod b/go.mod index 9c028b8abd..b4b7b1c388 100644 --- a/go.mod +++ b/go.mod 
@@ -3,8 +3,8 @@ module github.com/nginxinc/kubernetes-ingress go 1.23.0 require ( - github.com/aws/aws-sdk-go-v2/config v1.27.31 - github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.4 + github.com/aws/aws-sdk-go-v2/config v1.27.32 + github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.5 github.com/cert-manager/cert-manager v1.15.3 github.com/dlclark/regexp2 v1.11.4 github.com/gkampitakis/go-snaps v0.5.7 
@@ -36,17 +36,17 @@ require ( require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/aws/aws-sdk-go-v2 v1.30.4 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.30 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 // indirect + github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.31 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.30.5 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.22.6 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.30.6 // indirect github.com/aws/smithy-go v1.20.4 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect diff --git a/go.sum b/go.sum index ac9248ea7e..8a4baebba7 100644 --- a/go.sum +++ b/go.sum 
@@ -4,32 +4,32 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= -github.com/aws/aws-sdk-go-v2 v1.30.4 h1:frhcagrVNrzmT95RJImMHgabt99vkXGslubDaDagTk8= -github.com/aws/aws-sdk-go-v2 v1.30.4/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= -github.com/aws/aws-sdk-go-v2/config v1.27.31 h1:kxBoRsjhT3pq0cKthgj6RU6bXTm/2SgdoUMyrVw0rAI= -github.com/aws/aws-sdk-go-v2/config v1.27.31/go.mod h1:z04nZdSWFPaDwK3DdJOG2r+scLQzMYuJeW0CujEm9FM= -github.com/aws/aws-sdk-go-v2/credentials v1.17.30 h1:aau/oYFtibVovr2rDt8FHlU17BTicFEMAi29V1U+L5Q= -github.com/aws/aws-sdk-go-v2/credentials v1.17.30/go.mod h1:BPJ/yXV92ZVq6G8uYvbU0gSl8q94UB63nMT5ctNO38g= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12 h1:yjwoSyDZF8Jth+mUk5lSPJCkMC0lMy6FaCD51jm6ayE= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.12/go.mod h1:fuR57fAgMk7ot3WcNQfb6rSEn+SUffl7ri+aa8uKysI= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16 h1:TNyt/+X43KJ9IJJMjKfa3bNTiZbUP7DeCxfbTROESwY= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.16/go.mod h1:2DwJF39FlNAUiX5pAc0UNeiz16lK2t7IaFcm0LFHEgc= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16 h1:jYfy8UPmd+6kJW5YhY0L1/KftReOGxI/4NtVSTh9O/I= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.16/go.mod h1:7ZfEPZxkW42Afq4uQB8H2E2e6ebh6mXTueEpYzjCzcs= +github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g= +github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= +github.com/aws/aws-sdk-go-v2/config v1.27.32 h1:jnAMVTJTpAQlePCUUlnXnllHEMGVWmvUJOiGjgtS9S0= +github.com/aws/aws-sdk-go-v2/config v1.27.32/go.mod 
h1:JibtzKJoXT0M/MhoYL6qfCk7nm/MppwukDFZtdgVRoY= +github.com/aws/aws-sdk-go-v2/credentials v1.17.31 h1:jtyfcOfgoqWA2hW/E8sFbwdfgwD3APnF9CLCKE8dTyw= +github.com/aws/aws-sdk-go-v2/credentials v1.17.31/go.mod h1:RSgY5lfCfw+FoyKWtOpLolPlfQVdDBQWTUniAaE+NKY= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17/go.mod h1:Dh5zzJYMtxfIjYW+/evjQ8uj2OyR/ve2KROHGHlSFqE= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 h1:Mqr/V5gvrhA2gvgnF42Zh5iMiQNcOYthFYwCyrnuWlc= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17/go.mod h1:aLJpZlCmjE+V+KtN1q1uyZkfnUWpQGpbsn89XPKyzfU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbLPPHEmf9DgMGw51jMj77VfGPAN2Kv4cfhlfgI= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18 h1:tJ5RnkHCiSH0jyd6gROjlJtNwov0eGYNz8s8nFcR0jQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.18/go.mod h1:++NHzT+nAF7ZPrHPsA+ENvsXkOO8wEu+C6RXltAG4/c= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.4 h1:I9yxA99P3rbkzhv8iDykQcel7n03PmlK8GO6NDpOkj0= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.4/go.mod h1:YAiuhtKyLLPdouuDXeFWh4nrDrMqwQqukNvDSyhltbU= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.5 h1:zCsFCKvbj25i7p1u94imVoO447I/sFv8qq+lGJhRN0c= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.5/go.mod 
h1:ZeDX1SnKsVlejeuz41GiajjZpRSWR7/42q/EyA/QEiM= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5 h1:SKvPgvdvmiTWoi0GAJ7AsJfOz3ngVkD/ERbs5pUnHNI= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.5/go.mod h1:20sz31hv/WsPa3HhU3hfrIet2kxM4Pe0r20eBZ20Tac= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.5 h1:OMsEmCyz2i89XwRwPouAJvhj81wINh+4UK+k/0Yo/q8= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.5/go.mod h1:vmSqFK+BVIwVpDAGZB3CoCXHzurt4qBE8lf+I/kRTh0= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsdzgl7ZL2KlXiUAoJnI/VxfHCvDFr2QDFj6u4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.5 h1:y1dOSUhBRvUWkE99L5Xm+wFMT1LfBoXyrjrcNIASbH4= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.5/go.mod h1:ck+HLSlQVYL8LIth8IrZ5qPQ4KTletB/O+WWqW8gtjQ= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.6 h1:o++HUDXlbrTl4PSal3YHtdErQxB8mDGAtkKNXBWPfIU= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.6/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.6 h1:yCHcQCOwTfIsc8DoEhM3qXPxD+j8CbI6t1K3dNzsWV0= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.6/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.6 h1:TrQadF7GcqvQ63kgwEcjlrVc2Fa0wpgLT0xtc73uAd8= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.6/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o= github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4= github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= From c1e29062e31cfe39f9fa81d322fc96e27617140b Mon Sep 17 00:00:00 2001 
From: Alex Fenlon Date: Thu, 5 Sep 2024 16:33:20 +0100 Subject: [PATCH 50/83] Add `ip` as an option to listeners for `VirtualServer` (#6180) --- .../controller-globalconfiguration.yaml | 2 +- charts/nginx-ingress/values.schema.json | 16 + .../k8s.nginx.org_globalconfigurations.yaml | 4 + deploy/crds.yaml | 4 + .../globalconfiguration-resource.md | 8 + .../virtualserver/README.md | 237 ++ .../virtualserver/cafe-secret.yaml | 8 + .../virtualserver/cafe-virtual-server.yaml | 25 + .../virtualserver/cafe.yaml | 65 + .../virtualserver/global-configuration.yaml | 18 + .../__snapshots__/templates_test.snap | 2124 ++++++++++++++++- internal/configs/version2/http.go | 4 + internal/configs/version2/template_helper.go | 55 +- .../configs/version2/template_helper_test.go | 205 ++ internal/configs/version2/templates_test.go | 486 ++++ internal/configs/virtualserver.go | 8 + internal/configs/virtualserver_test.go | 219 ++ internal/k8s/configuration.go | 34 +- internal/k8s/controller.go | 4 + pkg/apis/configuration/v1/types.go | 2 + .../validation/globalconfiguration.go | 135 +- .../validation/globalconfiguration_test.go | 203 ++ ...n-http-https-ipv4ip-http-https-ipv6ip.yaml | 24 + ...onfiguration-http-ipv4ip-https-ipv6ip.yaml | 22 + ...test_virtual_server_custom_ip_listeners.py | 221 ++ 25 files changed, 4058 insertions(+), 75 deletions(-) create mode 100644 examples/custom-resources/custom-ip-listeners/virtualserver/README.md create mode 100644 examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml create mode 100644 examples/custom-resources/custom-ip-listeners/virtualserver/cafe-virtual-server.yaml create mode 100644 examples/custom-resources/custom-ip-listeners/virtualserver/cafe.yaml create mode 100644 examples/custom-resources/custom-ip-listeners/virtualserver/global-configuration.yaml create mode 100644 tests/data/virtual-server-custom-listeners/global-configuration-http-https-ipv4ip-http-https-ipv6ip.yaml create mode 100644 
tests/data/virtual-server-custom-listeners/global-configuration-http-ipv4ip-https-ipv6ip.yaml create mode 100644 tests/suite/test_virtual_server_custom_ip_listeners.py diff --git a/charts/nginx-ingress/templates/controller-globalconfiguration.yaml b/charts/nginx-ingress/templates/controller-globalconfiguration.yaml index 9039ab0440..939923f2e0 100644 --- a/charts/nginx-ingress/templates/controller-globalconfiguration.yaml +++ b/charts/nginx-ingress/templates/controller-globalconfiguration.yaml @@ -1,5 +1,5 @@ {{ if .Values.controller.globalConfiguration.create }} -apiVersion: k8s.nginx.org/v1alpha1 +apiVersion: k8s.nginx.org/v1 kind: GlobalConfiguration metadata: name: {{ include "nginx-ingress.controller.fullname" . }} diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 30264314e4..4679145193 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -994,6 +994,22 @@ "examples": [ "dns-tcp" ] + }, + "ipv4ip": { + "type": "string", + "default": "", + "title": "The ipv4 ip", + "examples": [ + "127.0.0.1" + ] + }, + "ipv6ip": { + "type": "string", + "default": "", + "title": "The ipv6 ip", + "examples": [ + "::1" + ] } } } diff --git a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml index b70d87debe..f9dcaa94cc 100644 --- a/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml +++ b/config/crd/bases/k8s.nginx.org_globalconfigurations.yaml @@ -46,6 +46,10 @@ spec: items: description: Listener defines a listener. properties: + ipv4: + type: string + ipv6: + type: string name: type: string port: diff --git a/deploy/crds.yaml b/deploy/crds.yaml index 411e32c025..3f81160c15 100644 --- a/deploy/crds.yaml +++ b/deploy/crds.yaml @@ -142,6 +142,10 @@ spec: items: description: Listener defines a listener. properties: + ipv4: + type: string + ipv6: + type: string name: type: string port: 
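Review bot: The two properties added to the listener schema in charts/nginx-ingress/values.schema.json are named `ipv4ip` and `ipv6ip`, but the CRD hunks in this commit (config/crd/bases/k8s.nginx.org_globalconfigurations.yaml and deploy/crds.yaml) and the documentation table name the fields `ipv4` and `ipv6`. A values file that follows the schema would produce listener fields the GlobalConfiguration CRD does not define, and one that follows the CRD is not described by the schema. Rename them to `"ipv4"` and `"ipv6"`. Both are also plain `"type": "string"`; a `"format": "ipv4"` / `"format": "ipv6"` keyword would let validators that enforce formats reject malformed listen addresses before they reach the controller. How the chart template renders listeners is not visible here, so confirm the names against it.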
diff --git a/docs/content/configuration/global-configuration/globalconfiguration-resource.md b/docs/content/configuration/global-configuration/globalconfiguration-resource.md index 130b3f577f..66cf33aa27 100644 --- a/docs/content/configuration/global-configuration/globalconfiguration-resource.md +++ b/docs/content/configuration/global-configuration/globalconfiguration-resource.md @@ -74,6 +74,9 @@ The `listeners:` key defines a listener (a combination of a protocol and a port) | *port* | The port of the listener. The port must fall into the range ``1..65535`` with the following exceptions: ``80``, ``443``, the [status port](/nginx-ingress-controller/logging-and-monitoring/status-page), the [Prometheus metrics port](/nginx-ingress-controller/logging-and-monitoring/prometheus). Among all listeners, only a single combination of a port-protocol is allowed. | *int* | Yes | | *protocol* | The protocol of the listener. Supported values: ``TCP``, ``UDP`` and ``HTTP``. | *string* | Yes | | *ssl* | Configures the listener with SSL. This is currently only supported for ``HTTP`` listeners. Default value is ``false`` | *bool* | No | +| *ipv4* | Specifies the IPv4 address to listen on. This is currently only supported for ``HTTP`` or ``HTTPS`` listeners. | *string* | No | +| *ipv6* | Specifies the IPv6 address to listen on. This is currently only supported for ``HTTP`` or ``HTTPS`` listeners. | *string* | No | + {{}} --- @@ -173,3 +176,8 @@ Events: ``` The events section includes a Warning event with the AddedOrUpdatedWithError reason. + + +## Using IPV4 and IPV6 Addresses with GlobalConfiguration + +You can customize the IPv4 and IPv6 Address listeners in the global configuration and apply them to your VirtualServer resources. See the corresponding example [here](https://github.com/nginxinc/kubernetes-ingress/tree/v{{< nic-version >}}/examples/custom-resources/custom-ip-listeners/virtualserver/) 
diff --git a/examples/custom-resources/custom-ip-listeners/virtualserver/README.md b/examples/custom-resources/custom-ip-listeners/virtualserver/README.md new file mode 100644 index 0000000000..07e0c8d1e8 --- /dev/null +++ b/examples/custom-resources/custom-ip-listeners/virtualserver/README.md 
@@ -0,0 +1,237 @@ +# Custom IPv4 and IPv6 Address Listeners + +In this example, we will configure a VirtualServer resource with custom IPv4 and IPv6 Address using HTTP/HTTPS listeners. +This will allow IPv4 and/or IPv6 address using HTTP and/or HTTPS based requests to be made on non-default ports using separate IPs. + +## Prerequisites + +1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) + instructions to deploy the Ingress Controller with custom resources enabled. +2. Ensure the Ingress Controller is configured with the `-global-configuration` argument: + + ```console + args: + - -global-configuration=$(POD_NAMESPACE)/nginx-configuration + ``` + +3. If you have a NodePort or Loadbalancer service deployed, ensure they are updated to include the custom listener ports. +Example YAML for a LoadBalancer: + + ```yaml + apiVersion: v1 + kind: Service + metadata: + name: nginx-ingress + namespace: nginx-ingress + spec: + type: LoadBalancer + ports: + - port: 8083 + targetPort: 8083 + protocol: TCP + name: ip-listener-1-http + - port: 8443 + targetPort: 8443 + protocol: TCP + name: ip-listener-2-https + selector: + app: nginx-ingress + ``` + +**Note:** + +- **No Updates for GC:** If a GlobalConfiguration resource already exists, delete the previous one before applying the new configuration. +- **Single Replica:** Only one replica is allowed when using this configuration. + +## Step 1 - Deploy the GlobalConfiguration resource + +Similar to how listeners are configured in our [custom-listeners](../../custom-listeners) examples, +here we deploy a GlobalConfiguration resource with the listeners we want to use in our VirtualServer. 
+ + ```yaml +apiVersion: k8s.nginx.org/v1 +kind: GlobalConfiguration +metadata: + name: nginx-configuration + namespace: nginx-ingress +spec: + listeners: + - name: ip-listener-1-http + port: 8083 + protocol: HTTP + ipv4: 127.0.0.1 + - name: ip-listener-2-https + port: 8443 + protocol: HTTP + ipv4: 127.0.0.2 + ipv6: ::1 + ssl: true + ``` + + ```console + kubectl create -f global-configuration.yaml + ``` + +## Step 2 - Deploy the Cafe Application + +Create the coffee and the tea deployments and services: + + ```console + kubectl create -f cafe.yaml + ``` + +## Step 3 - Deploy the VirtualServer with custom listeners + +The VirtualServer in this example is set to use the listeners defined in the GlobalConfiguration resource +that was deployed in Step 1. Below is the yaml of this example VirtualServer: + + ```yaml + apiVersion: k8s.nginx.org/v1 + kind: VirtualServer + metadata: + name: cafe + spec: + listener: + http: ip-listener-1-http + https: ip-listener-2-https + host: cafe.example.com + tls: + secret: cafe-secret + upstreams: + - name: tea + service: tea-svc + port: 80 + - name: coffee + service: coffee-svc + port: 80 + routes: + - path: /tea + action: + pass: tea + - path: /coffee + action: + pass: coffee + ``` + +1. Create the secret with the TLS certificate and key: + + ```console + kubectl create -f cafe-secret.yaml + ``` + +2. Create the VirtualServer resource: + + ```console + kubectl create -f cafe-virtual-server.yaml + ``` + +## Step 4 - Test the Configuration + +1. Check that the configuration has been successfully applied by inspecting the events of the VirtualServer and the GlobalConfiguration: + + ```console + kubectl describe virtualserver cafe + ``` + + Below you will see the events as well as the new `Listeners` field + + ```console + . . . + Spec: + Host: cafe.example.com + Listener: + Http: ip-listener-1-http + Https: ip-listener-2-https + . . . + Routes: + . . . 
+ Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal AddedOrUpdated 2s nginx-ingress-controller Configuration for default/cafe was added or updated + ``` + + ```console + kubectl describe globalconfiguration nginx-configuration -n nginx-ingress + ``` + + ```console + . . . + Spec: + Listeners: + ipv4: 127.0.0.1 + Name: ip-listener-1-http + Port: 8083 + Protocol: HTTP + ipv4: 127.0.0.2 + ipv6: ::1 + Name: ip-listener-2-https + Port: 8443 + Protocol: HTTP + Ssl: true + Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal Updated 14s nginx-ingress-controller GlobalConfiguration nginx-ingress/nginx-configuration was added or updated + ``` + +2. Since the deployed VirtualServer is using ports `8083` and `8443` in this example. you can see that the specific ips and ports +are set and listening by using the below commands: + + Access the NGINX Pod: + + ```console + kubectl get pods -n nginx-ingress + ``` + + ```text + NAME READY STATUS RESTARTS AGE + nginx-ingress-65cd79bb8f-crst4 1/1 Running 0 97s + ``` + + ```console + kubectl debug -it nginx-ingress-65cd79bb8f-crst4 --image=busybox:1.28 --target=nginx-ingress + ``` + + ```console + / # netstat -tulpn + Active Internet connections (only servers) + Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name + tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN - + tcp 0 0 127.0.0.1:8083 0.0.0.0:* LISTEN - + tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN - + tcp 0 0 127.0.0.2:8443 0.0.0.0:* LISTEN - + tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - + tcp 0 0 :::8081 :::* LISTEN - + tcp 0 0 :::8080 :::* LISTEN - + tcp 0 0 :::8083 :::* LISTEN - + tcp 0 0 ::1:8443 :::* LISTEN - + tcp 0 0 :::443 :::* LISTEN - + tcp 0 0 :::80 :::* LISTEN - + tcp 0 0 :::9113 :::* LISTEN - + ``` + + We can see here that the two IPv4s (`127.0.0.1:8083` and `127.0.0.2:8443`) and the one IPv6 (`::1:8443`) that are set and listening. + +3. 
Examine the NGINX config using the following command: + + ```console + kubectl exec -it nginx-ingress-65cd79bb8f-crst4 -n nginx-ingress -- cat /etc/nginx/conf.d/vs_default_cafe.conf + ``` + + ```console + ... + server { + listen 127.0.0.1:8083; + listen [::]:8083; + + + server_name cafe.example.com; + + set $resource_type "virtualserver"; + set $resource_name "cafe"; + set $resource_namespace "default"; + listen 127.0.0.2:8443 ssl; + listen [::1]:8443 ssl; + ... + ``` diff --git a/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml b/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml new file mode 100644 index 0000000000..8f9fd84855 --- /dev/null +++ b/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cafe-secret +type: kubernetes.io/tls +data: + tls.crt: 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 + tls.key: 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 diff --git a/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-virtual-server.yaml b/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-virtual-server.yaml new file mode 100644 index 0000000000..08f940d406 --- /dev/null +++ b/examples/custom-resources/custom-ip-listeners/virtualserver/cafe-virtual-server.yaml @@ -0,0 +1,25 @@ +apiVersion: k8s.nginx.org/v1 +kind: VirtualServer +metadata: + name: cafe +spec: + listener: + http: ip-listener-1-http + https: ip-listener-2-https + host: cafe.example.com + tls: + secret: cafe-secret + upstreams: + - name: tea + service: tea-svc + port: 80 + - name: coffee + service: coffee-svc + port: 80 + routes: + - path: /tea + action: + pass: tea + - path: /coffee + action: + pass: coffee diff --git a/examples/custom-resources/custom-ip-listeners/virtualserver/cafe.yaml b/examples/custom-resources/custom-ip-listeners/virtualserver/cafe.yaml new file mode 100644 index 0000000000..eebdd58535 
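Review bot: `tls.key` in `cafe-secret.yaml` places private-key material directly in a committed manifest (the value is elided in this view), and nothing in the file marks the pair as throwaway. A leading comment such as `# demo certificate and key for cafe.example.com; do not reuse outside this example` would tell readers and anyone triaging secret-scanner hits that the key is intentionally public. The README added in this patch applies the file as-is with `kubectl create -f cafe-secret.yaml`, so the manifest itself is where the caveat belongs.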
--- /dev/null +++ b/examples/custom-resources/custom-ip-listeners/virtualserver/cafe.yaml @@ -0,0 +1,65 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: coffee +spec: + replicas: 2 + selector: + matchLabels: + app: coffee + template: + metadata: + labels: + app: coffee + spec: + containers: + - name: coffee + image: nginxdemos/nginx-hello:plain-text + ports: + - containerPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: coffee-svc +spec: + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: ip + selector: + app: coffee +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tea +spec: + replicas: 1 + selector: + matchLabels: + app: tea + template: + metadata: + labels: + app: tea + spec: + containers: + - name: tea + image: nginxdemos/nginx-hello:plain-text + ports: + - containerPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: tea-svc +spec: + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http + selector: + app: tea diff --git a/examples/custom-resources/custom-ip-listeners/virtualserver/global-configuration.yaml b/examples/custom-resources/custom-ip-listeners/virtualserver/global-configuration.yaml new file mode 100644 index 0000000000..361e6a742a --- /dev/null +++ b/examples/custom-resources/custom-ip-listeners/virtualserver/global-configuration.yaml @@ -0,0 +1,18 @@ +apiVersion: k8s.nginx.org/v1 +kind: GlobalConfiguration +metadata: + name: nginx-configuration + namespace: nginx-ingress +spec: + listeners: + - name: ip-listener-1-http + port: 8083 + protocol: HTTP + ipv4: 127.0.0.1 + ipv6: ::1 + - name: ip-listener-2-https + port: 8443 + protocol: HTTP + ipv4: 127.0.0.2 + ipv6: ::1 + ssl: true diff --git a/internal/configs/version2/__snapshots__/templates_test.snap b/internal/configs/version2/__snapshots__/templates_test.snap index 23e822183e..2f66b55e17 100644 --- a/internal/configs/version2/__snapshots__/templates_test.snap 
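Review bot: The `coffee-svc` port is named `ip`, while the otherwise parallel `tea-svc` port is named `http`. This looks like an accidental rename, and `name: http` would keep the two Services consistent. Separately, both Deployments pull `nginxdemos/nginx-hello:plain-text` by a mutable tag and set no `securityContext` or resource limits; a top-of-file comment such as `# demo workload: pin the image by digest and add securityContext/resources before reuse` would flag that for anyone copying the manifest.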
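Review bot: `ip-listener-1-http` sets `ipv6: ::1` in `global-configuration.yaml`, but the README added in this patch lists the same listener with only `ipv4: 127.0.0.1` and its sample output shows `listen [::]:8083;`, so applying this file will not reproduce the documented result. Either drop the `ipv6: ::1` line from the first listener or update the README listing and outputs to match. The templates snapshot in this patch renders `listen 127.0.0.1:8082` next to `listen [::]:8082` when only an IPv4 address is given, so an omitted family stays on the wildcard address. A comment such as `# an omitted ipv4/ipv6 key leaves that family listening on all addresses` above `listeners:` would warn readers who set a single address to limit exposure. Both addresses here are loopback, so the LoadBalancer ports shown in the README presumably cannot reach these listeners from outside the pod.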
+++ b/internal/configs/version2/__snapshots__/templates_test.snap @@ -3119,7 +3119,7 @@ server { --- -[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPOnly - 1] +[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPIPV4Only - 1] upstream test-upstream { zone test-upstream 256k; @@ -3162,7 +3162,7 @@ map $http_x_version $match_0_0 { limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; server { - listen 8082 proxy_protocol; + listen 127.0.0.1:8082 proxy_protocol; listen [::]:8082 proxy_protocol; @@ -3541,7 +3541,7 @@ server { --- -[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSOnly - 1] +[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPIPV6Only - 1] upstream test-upstream { zone test-upstream 256k; 
@@ -3584,15 +3584,2127 @@ map $http_x_version $match_0_0 { limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; server { - + listen 8082 proxy_protocol; + listen [::1]:8082 proxy_protocol; + server_name example.com; status_zone example.com; set $resource_type "virtualserver"; set $resource_name ""; set $resource_namespace ""; - listen 8443 ssl proxy_protocol; - listen [::]:8443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s fails=1 passes=1 mandatory persistent keepalive_time=60s; + + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s fails=1 passes=1 type=grpc grpc_status=12 grpc_service=tea-servicev2; + + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello 
World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + 
error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + 
error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade 
$http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type 
application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPOnly - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 8082 proxy_protocol; + listen [::]:8082 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + 
app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s fails=1 passes=1 mandatory persistent keepalive_time=60s; + + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s fails=1 passes=1 type=grpc grpc_status=12 grpc_service=tea-servicev2; + + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + 
proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 
$vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + 
proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + 
location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSIPV4Only - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set 
$resource_name ""; + set $resource_namespace ""; + listen 127.0.0.2:8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s fails=1 passes=1 mandatory persistent keepalive_time=60s; + + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s fails=1 passes=1 type=grpc grpc_status=12 grpc_service=tea-servicev2; + + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { 
+ default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + 
proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = 
@grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + 
proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSIPV6Only - 1] + 
+upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 8443 ssl proxy_protocol; + listen [::2]:8443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + 
proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s fails=1 passes=1 mandatory persistent keepalive_time=60s; + + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s fails=1 passes=1 type=grpc grpc_status=12 grpc_service=tea-servicev2; + + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + 
proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + 
proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + + + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type 
application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSOnly - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 8443 ssl proxy_protocol; + listen [::]:8443 ssl proxy_protocol; + + http2 on; + ssl_certificate cafe-secret.pem; + ssl_certificate_key cafe-secret.pem; + ssl_client_certificate ingress-mtls-secret; + 
ssl_verify_client on; + ssl_verify_depth 2; + if ($scheme = 'http') { + return 301 https://$host$request_uri; + } + + server_tokens "off"; + set_real_ip_from 0.0.0.0/0; + real_ip_header X-Real-IP; + real_ip_recursive on; + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req_log_level error; + limit_req_status 503; + limit_req zone=pol_rl_test_test_test burst=5 + delay=10; + auth_jwt "My Api"; + auth_jwt_key_file jwk-secret; + app_protect_enable on; + + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + + + + + + app_protect_security_log_enable on; + + app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf; + + + + # server snippet + location /split { + rewrite ^ @split_0 last; + } + location /coffee { + rewrite ^ @match last; + } + location @hc-coffee { + + proxy_connect_timeout ; + proxy_read_timeout ; + proxy_send_timeout ; + proxy_pass http://coffee-v2; + health_check uri=/ port=50 interval=5s jitter=0s fails=1 passes=1 mandatory persistent keepalive_time=60s; + + } + location @hc-tea { + + grpc_connect_timeout ; + grpc_read_timeout ; + grpc_send_timeout ; + grpc_pass grpc://tea-v3; + health_check port=50 interval=5s jitter=0s fails=1 passes=1 type=grpc grpc_status=12 grpc_service=tea-servicev2; + + } + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 { + + default_type "application/json"; + + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 { + + + add_header Set-Cookie "cookie1=test" always; + + add_header Set-Cookie "cookie2=test; Secure" always; + + # status code is ignored here, using 0 + return 0 "Hello World"; + } + + + + location @return_0 { + default_type "text/html"; + + # status code is ignored here, using 0 + return 0 "Hello!"; + } + + + + location / { + set $service ""; + status_zone ""; + internal; + # location snippet + allow 127.0.0.1; + deny all; + deny 127.0.0.1; + allow all; + limit_req 
zone=loc_pol_rl_test_test_test + ; + + + proxy_ssl_certificate egress-mtls-secret.pem; + proxy_ssl_certificate_key egress-mtls-secret.pem; + + proxy_ssl_trusted_certificate trusted-cert.pem; + proxy_ssl_verify on; + proxy_ssl_verify_depth 1; + proxy_ssl_protocols TLSv1.3; + proxy_ssl_ciphers DEFAULT; + proxy_ssl_session_reuse on; + proxy_ssl_server_name on; + proxy_ssl_name ; + set $default_connection_header close; + rewrite $request_uri $request_uri; + rewrite $request_uri $request_uri; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + proxy_max_temp_file_size 1024m; + + proxy_buffering on; + proxy_buffers 8 4k; + proxy_buffer_size 4k; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_hide_header Header; + proxy_pass_header Host; + proxy_ignore_headers Cache; + add_header Header-Name "Header Value" always; + proxy_pass http://test-upstream$request_uri; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc0 { + set $service ""; + status_zone ""; + + + error_page 400 500 =200 "@error_page_1"; + error_page 500 "@error_page_2"; + proxy_intercept_errors on; + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + 
proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc1 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @loc2 { + set $service ""; + status_zone ""; + + + error_page 400 = @grpc_internal; + error_page 401 = @grpc_unauthenticated; + error_page 403 = @grpc_permission_denied; + error_page 404 = @grpc_unimplemented; + error_page 429 = @grpc_unavailable; + error_page 502 = @grpc_unavailable; + error_page 503 = @grpc_unavailable; + error_page 504 = @grpc_unavailable; + error_page 405 = @grpc_internal; + error_page 408 = @grpc_deadline_exceeded; + error_page 413 = @grpc_resource_exhausted; + error_page 414 = @grpc_resource_exhausted; + error_page 415 = @grpc_internal; + error_page 426 = @grpc_internal; + error_page 495 = @grpc_unauthenticated; + error_page 496 = @grpc_unauthenticated; + error_page 497 = @grpc_internal; + error_page 500 = @grpc_internal; + error_page 501 = @grpc_internal; + set $default_connection_header close; + grpc_connect_timeout 30s; + grpc_read_timeout 31s; + grpc_send_timeout 32s; + client_max_body_size 1m; + + 
proxy_buffering off; + grpc_set_header X-Real-IP $remote_addr; + grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + grpc_set_header X-Forwarded-Host $host; + grpc_set_header X-Forwarded-Port $server_port; + grpc_set_header X-Forwarded-Proto $scheme; + grpc_pass grpc://coffee-v3; + grpc_next_upstream ; + grpc_next_upstream_timeout ; + grpc_next_upstream_tries 0; + } + location @match_loc_0 { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v2; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location @match_loc_default { + set $service ""; + status_zone ""; + + + set $default_connection_header close; + proxy_connect_timeout 30s; + proxy_read_timeout 31s; + proxy_send_timeout 32s; + client_max_body_size 1m; + + proxy_buffering off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $vs_connection_header; + proxy_pass_request_headers off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://coffee-v1; + proxy_next_upstream error timeout; + proxy_next_upstream_timeout 5s; + proxy_next_upstream_tries 0; + } + location /return { + set $service ""; + status_zone ""; + 
+ + error_page 418 =200 "@return_0"; + proxy_intercept_errors on; + proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock; + set $default_connection_header close; + } + + location @grpc_deadline_exceeded { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 4; + add_header grpc-message 'deadline exceeded'; + return 204; + } + + location @grpc_permission_denied { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 7; + add_header grpc-message 'permission denied'; + return 204; + } + + location @grpc_resource_exhausted { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 8; + add_header grpc-message 'resource exhausted'; + return 204; + } + + location @grpc_unimplemented { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 12; + add_header grpc-message unimplemented; + return 204; + } + + location @grpc_internal { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 13; + add_header grpc-message 'internal error'; + return 204; + } + + location @grpc_unavailable { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 14; + add_header grpc-message unavailable; + return 204; + } + + location @grpc_unauthenticated { + default_type application/grpc; + add_header content-type application/grpc; + add_header grpc-status 16; + add_header grpc-message unauthenticated; + return 204; + } + + + +} + +--- + +[TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerIP - 1] + +upstream test-upstream { + zone test-upstream 256k; + random; + server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31; + keepalive 32; + queue 10 timeout=60s; + sticky cookie test expires=25s path=/tea; + + ntlm; +} + +upstream coffee-v1 { + zone coffee-v1 256k; + server 
10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2; + + +} + +upstream coffee-v2 { + zone coffee-v2 256k; + server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4; + + +} + +split_clients $request_id $split_0 { + 50% @loc0; + 50% @loc1; +} +map $match_0_0 $match { + ~^1 @match_loc_0; + default @match_loc_default; +} +map $http_x_version $match_0_0 { + v2 1; + default 0; +} +# HTTP snippet +limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s; + +server { + listen 127.0.0.1:8082 proxy_protocol; + listen [::1]:8082 proxy_protocol; + + + server_name example.com; + status_zone example.com; + set $resource_type "virtualserver"; + set $resource_name ""; + set $resource_namespace ""; + listen 127.0.0.2:8443 ssl proxy_protocol; + listen [::2]:8443 ssl proxy_protocol; http2 on; ssl_certificate cafe-secret.pem; diff --git a/internal/configs/version2/http.go b/internal/configs/version2/http.go index 00ba221451..254554319e 100644 --- a/internal/configs/version2/http.go +++ b/internal/configs/version2/http.go @@ -57,6 +57,10 @@ type Server struct { ServerName string StatusZone string CustomListeners bool + HTTPIPv4 string + HTTPIPv6 string + HTTPSIPv4 string + HTTPSIPv6 string HTTPPort int HTTPSPort int ProxyProtocol bool diff --git a/internal/configs/version2/template_helper.go b/internal/configs/version2/template_helper.go index 9669fb802e..b81ad28978 100644 --- a/internal/configs/version2/template_helper.go +++ b/internal/configs/version2/template_helper.go @@ -16,10 +16,10 @@ const ( https ) -type listenerType int +type ipType int const ( - ipv4 listenerType = iota + ipv4 ipType = iota ipv6 ) 
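Review bot: The four fields added to `Server` in `http.go` (`HTTPIPv4`, `HTTPIPv6`, `HTTPSIPv4`, `HTTPSIPv6`) are plain strings with no comment saying what form the value must take. The template helper changed later in this patch adds the brackets for IPv6 itself (`fmt.Sprintf("%s [%s]:%s", base, ip, port)`), and the rendered snapshots show `[::1]:8082` and `[::2]:8443`. A caller that passes an already bracketed address would therefore produce a malformed `listen` line. I would put a comment above the group, for example `// HTTPIPv4, HTTPIPv6, HTTPSIPv4 and HTTPSIPv6 are optional bind addresses for the HTTP/HTTPS listeners, given as bare IP literals (IPv6 without brackets); empty means no address is rendered.` The struct definition starts and ends outside the hunk.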
@@ -53,29 +53,32 @@ func makeListener(listenerType protocol, s Server) string { } func buildDefaultListenerDirectives(listenerType protocol, s Server) string { - var directives string port := getDefaultPort(listenerType) - - directives += buildListenDirective(port, s.ProxyProtocol, ipv4) - - if !s.DisableIPV6 { - directives += spacing - directives += buildListenDirective(port, s.ProxyProtocol, ipv6) - } - - return directives + return buildListenerDirectives(listenerType, s, port) } func buildCustomListenerDirectives(listenerType protocol, s Server) string { - var directives string - if (listenerType == http && s.HTTPPort > 0) || (listenerType == https && s.HTTPSPort > 0) { port := getCustomPort(listenerType, s) - directives += buildListenDirective(port, s.ProxyProtocol, ipv4) + return buildListenerDirectives(listenerType, s, port) + } + return "" +} +func buildListenerDirectives(listenerType protocol, s Server, port string) string { + var directives string + + if listenerType == http { + directives += buildListenDirective(s.HTTPIPv4, port, s.ProxyProtocol, ipv4) if !s.DisableIPV6 { directives += spacing - directives += buildListenDirective(port, s.ProxyProtocol, ipv6) + directives += buildListenDirective(s.HTTPIPv6, port, s.ProxyProtocol, ipv6) + } + } else { + directives += buildListenDirective(s.HTTPSIPv4, port, s.ProxyProtocol, ipv4) + if !s.DisableIPV6 { + directives += spacing + directives += buildListenDirective(s.HTTPSIPv6, port, s.ProxyProtocol, ipv6) } } 
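Review bot: In `buildListenerDirectives` the `http` branch and the `else` branch repeat the same two `buildListenDirective` calls and differ only in which address pair they read, so a later change to one branch can silently miss the other. Selecting the pair once keeps a single emission path: `v4, v6 := s.HTTPIPv4, s.HTTPIPv6` followed by `if listenerType == https { v4, v6 = s.HTTPSIPv4, s.HTTPSIPv6 }`, then one IPv4 call and one IPv6 call guarded by `!s.DisableIPV6`. The `else` also treats every value other than `http` as HTTPS, which deserves a comment or an explicit `switch`. The function's return statement lies outside the hunk.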
@@ -96,14 +99,22 @@ func getCustomPort(listenerType protocol, s Server) string { return strconv.Itoa(s.HTTPSPort) + " ssl" } -func buildListenDirective(port string, proxyProtocol bool, listenType listenerType) string { +func buildListenDirective(ip string, port string, proxyProtocol bool, ipType ipType) string { base := "listen" var directive string - if listenType == ipv6 { - directive = base + " [::]:" + port + if ipType == ipv6 { + if ip != "" { + directive = fmt.Sprintf("%s [%s]:%s", base, ip, port) + } else { + directive = fmt.Sprintf("%s [::]:%s", base, port) + } } else { - directive = base + " " + port + if ip != "" { + directive = fmt.Sprintf("%s %s:%s", base, ip, port) + } else { + directive = fmt.Sprintf("%s %s", base, port) + } } if proxyProtocol { @@ -114,11 +125,11 @@ func buildListenDirective(port string, proxyProtocol bool, listenType listenerTy return directive } -func buildTransportListenDirective(listenType listenerType, port string, ssl *StreamSSL, udp bool) string { +func buildTransportListenDirective(ipType ipType, port string, ssl *StreamSSL, udp bool) string { base := "listen" var directive string - if listenType == ipv6 { + if ipType == ipv6 { directive = base + " [::]:" + port } else { directive = base + " " + port diff --git a/internal/configs/version2/template_helper_test.go b/internal/configs/version2/template_helper_test.go index a79fd47bc4..de394cd8ce 100644 --- a/internal/configs/version2/template_helper_test.go +++ b/internal/configs/version2/template_helper_test.go 
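Review bot: `buildListenDirective` now writes `ip` into the `listen` directive verbatim through `fmt.Sprintf`, and nothing in this function checks that the value is an address literal. The value comes from the `ipv4`/`ipv6` fields of a GlobalConfiguration listener, so the rendered config is only as safe as the validation that runs before it, and that validation is not visible in this hunk. I would state the precondition on the function: `// ip must be a validated IPv4/IPv6 literal, or empty for the wildcard; it is emitted into the config unescaped.` The second hunk on this line only renames the parameter type, and `buildTransportListenDirective` still hard-codes `[::]` and the bare port, so TransportServer listeners presumably ignore the new address fields; if that is intended, say so in a comment.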
@@ -268,6 +268,211 @@ func TestMakeHTTPSListener(t *testing.T) { } } +func TestMakeHTTPListenerAndHTTPSListenerWithCustomIPs(t *testing.T) { + t.Parallel() + + testCases := []struct { + server Server + expected string + }{ + {server: Server{ + CustomListeners: true, + DisableIPV6: true, + ProxyProtocol: false, + HTTPPort: 80, + HTTPIPv4: "192.168.0.2", + }, expected: "listen 192.168.0.2:80;\n"}, + {server: Server{ + CustomListeners: true, + DisableIPV6: false, + ProxyProtocol: false, + HTTPPort: 80, + HTTPIPv4: "192.168.1.2", + }, expected: "listen 192.168.1.2:80;\n listen [::]:80;\n"}, + {server: Server{ + CustomListeners: true, + HTTPPort: 81, + HTTPIPv4: "192.168.0.5", + DisableIPV6: true, + ProxyProtocol: false, + }, expected: "listen 192.168.0.5:81;\n"}, + {server: Server{ + CustomListeners: true, + HTTPPort: 81, + DisableIPV6: false, + ProxyProtocol: false, + HTTPIPv4: "192.168.1.5", + }, expected: "listen 192.168.1.5:81;\n listen [::]:81;\n"}, + } + + for _, tc := range testCases { + got := makeHTTPListener(tc.server) + if got != tc.expected { + t.Errorf("Function generated wrong config, got %v but expected %v.", got, tc.expected) + } + } +} + +func TestMakeHTTPListenerWithCustomIPV4(t *testing.T) { + t.Parallel() + + testCases := []struct { + server Server + expected string + }{ + {server: Server{ + CustomListeners: true, + DisableIPV6: false, + ProxyProtocol: false, + HTTPSPort: 0, + HTTPPort: 80, + HTTPIPv4: "192.168.0.2", + }, expected: "listen 192.168.0.2:80;\n listen [::]:80;\n"}, + {server: Server{ + CustomListeners: true, + HTTPSPort: 0, + HTTPPort: 81, + HTTPIPv4: "192.168.0.5", + DisableIPV6: false, + ProxyProtocol: false, + }, expected: "listen 192.168.0.5:81;\n listen [::]:81;\n"}, + {server: Server{ + CustomListeners: true, + DisableIPV6: true, + ProxyProtocol: false, + HTTPPort: 81, + HTTPIPv4: "192.168.0.2", + }, expected: "listen 192.168.0.2:81;\n"}, + {server: Server{ + CustomListeners: true, + HTTPPort: 82, + HTTPIPv4: "192.168.0.5", + 
DisableIPV6: true, + ProxyProtocol: false, + }, expected: "listen 192.168.0.5:82;\n"}, + } + + for _, tc := range testCases { + got := makeHTTPListener(tc.server) + if got != tc.expected { + t.Errorf("Function generated wrong config, got %v but expected %v.", got, tc.expected) + } + } +} + +func TestMakeHTTPSListenerWithCustomIPV4(t *testing.T) { + t.Parallel() + + testCases := []struct { + server Server + expected string + }{ + {server: Server{ + CustomListeners: true, + ProxyProtocol: false, + DisableIPV6: true, + HTTPSPort: 80, + HTTPSIPv4: "192.168.0.2", + }, expected: "listen 192.168.0.2:80 ssl;\n"}, + {server: Server{ + CustomListeners: true, + DisableIPV6: true, + HTTPSPort: 81, + HTTPSIPv4: "192.168.0.5", + ProxyProtocol: false, + }, expected: "listen 192.168.0.5:81 ssl;\n"}, + } + + for _, tc := range testCases { + got := makeHTTPSListener(tc.server) + if got != tc.expected { + t.Errorf("Function generated wrong config, got %v but expected %v.", got, tc.expected) + } + } +} + +func TestMakeHTTPListenerWithCustomIPV6(t *testing.T) { + t.Parallel() + + testCases := []struct { + server Server + expected string + }{ + {server: Server{ + CustomListeners: true, + ProxyProtocol: false, + HTTPPort: 80, + HTTPIPv6: "::1", + }, expected: "listen 80;\n listen [::1]:80;\n"}, + {server: Server{ + CustomListeners: true, + ProxyProtocol: false, + HTTPPort: 81, + HTTPIPv6: "::1", + }, expected: "listen 81;\n listen [::1]:81;\n"}, + {server: Server{ + CustomListeners: true, + HTTPPort: 81, + HTTPIPv6: "::2", + ProxyProtocol: false, + }, expected: "listen 81;\n listen [::2]:81;\n"}, + {server: Server{ + CustomListeners: true, + HTTPPort: 81, + ProxyProtocol: false, + HTTPIPv6: "::3", + }, expected: "listen 81;\n listen [::3]:81;\n"}, + } + + for _, tc := range testCases { + got := makeHTTPListener(tc.server) + if got != tc.expected { + t.Errorf("Function generated wrong config, got %v but expected %v.", got, tc.expected) + } + } +} + +func 
TestMakeHTTPSListenerWithCustomIPV6(t *testing.T) { + t.Parallel() + + testCases := []struct { + server Server + expected string + }{ + {server: Server{ + CustomListeners: true, + ProxyProtocol: false, + HTTPSPort: 81, + HTTPSIPv6: "::1", + }, expected: "listen 81 ssl;\n listen [::1]:81 ssl;\n"}, + {server: Server{ + CustomListeners: true, + ProxyProtocol: false, + HTTPSPort: 82, + HTTPSIPv6: "::1", + }, expected: "listen 82 ssl;\n listen [::1]:82 ssl;\n"}, + {server: Server{ + CustomListeners: true, + HTTPSPort: 83, + HTTPSIPv6: "::2", + ProxyProtocol: false, + }, expected: "listen 83 ssl;\n listen [::2]:83 ssl;\n"}, + {server: Server{ + CustomListeners: true, + HTTPSPort: 84, + ProxyProtocol: false, + HTTPSIPv6: "::3", + }, expected: "listen 84 ssl;\n listen [::3]:84 ssl;\n"}, + } + + for _, tc := range testCases { + got := makeHTTPSListener(tc.server) + if got != tc.expected { + t.Errorf("Function generated wrong config, got %v but expected %v.", got, tc.expected) + } + } +} + func TestMakeTransportListener(t *testing.T) { t.Parallel() diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go index 811bb4c6c4..9b31c52133 100644 --- a/internal/configs/version2/templates_test.go +++ b/internal/configs/version2/templates_test.go 
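Review bot: `TestMakeHTTPListenerAndHTTPSListenerWithCustomIPs` calls only `makeHTTPListener`, so despite its name it never exercises the HTTPS path, and its cases largely repeat those in `TestMakeHTTPListenerWithCustomIPV4`. None of the five new tests sets `ProxyProtocol: true` or sets an IPv4 and an IPv6 address together, so those combinations are checked only by the snapshot test in `templates_test.go`. Both cases in `TestMakeHTTPSListenerWithCustomIPV4` also set `DisableIPV6: true`, which leaves the `[::]` fallback next to a custom HTTPS IPv4 address untested here. I would rename the first test to match what it calls, or add `makeHTTPSListener` cases to it, and add one case per function with both addresses and `ProxyProtocol: true`.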
@@ -129,6 +129,136 @@ func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListener(t *testi t.Log(string(got)) } +func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerIP(t *testing.T) { + t.Parallel() + executor := newTmplExecutorNGINXPlus(t) + got, err := executor.ExecuteVirtualServerTemplate(&virtualServerCfgWithCustomListenerIP) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 127.0.0.1:8082", + "listen [::1]:8082", + "listen 127.0.0.2:8443 ssl", + "listen [::2]:8443 ssl", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + snaps.MatchSnapshot(t, string(got)) + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPIPV4Only(t *testing.T) { + t.Parallel() + vsCfg := virtualServerCfgWithCustomListenerIP + + vsCfg.Server.HTTPIPv6 = "" + vsCfg.Server.HTTPSIPv6 = "" + vsCfg.Server.HTTPSIPv4 = "" + vsCfg.Server.HTTPSPort = 0 + + executor := newTmplExecutorNGINXPlus(t) + got, err := executor.ExecuteVirtualServerTemplate(&vsCfg) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 127.0.0.1:8082", + "listen [::]:8082", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + snaps.MatchSnapshot(t, string(got)) + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPIPV6Only(t *testing.T) { + t.Parallel() + vsCfg := virtualServerCfgWithCustomListenerIP + + vsCfg.Server.HTTPIPv4 = "" + vsCfg.Server.HTTPSIPv6 = "" + vsCfg.Server.HTTPSIPv4 = "" + vsCfg.Server.HTTPSPort = 0 + + executor := newTmplExecutorNGINXPlus(t) + got, err := executor.ExecuteVirtualServerTemplate(&vsCfg) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 8082", + "listen [::1]:8082", + } + for _, want := range wantStrings { + if 
!bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + snaps.MatchSnapshot(t, string(got)) + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSIPV4Only(t *testing.T) { + t.Parallel() + vsCfg := virtualServerCfgWithCustomListenerIP + + vsCfg.Server.HTTPIPv6 = "" + vsCfg.Server.HTTPSIPv6 = "" + vsCfg.Server.HTTPIPv4 = "" + vsCfg.Server.HTTPPort = 0 + + executor := newTmplExecutorNGINXPlus(t) + got, err := executor.ExecuteVirtualServerTemplate(&vsCfg) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 127.0.0.2:8443 ssl", + "listen [::]:8443 ssl", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + snaps.MatchSnapshot(t, string(got)) + t.Log(string(got)) +} + +func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPSIPV6Only(t *testing.T) { + t.Parallel() + vsCfg := virtualServerCfgWithCustomListenerIP + + vsCfg.Server.HTTPIPv6 = "" + vsCfg.Server.HTTPIPv4 = "" + vsCfg.Server.HTTPSIPv4 = "" + vsCfg.Server.HTTPPort = 0 + + executor := newTmplExecutorNGINXPlus(t) + got, err := executor.ExecuteVirtualServerTemplate(&vsCfg) + if err != nil { + t.Error(err) + } + wantStrings := []string{ + "listen 8443 ssl", + "listen [::2]:8443 ssl", + } + for _, want := range wantStrings { + if !bytes.Contains(got, []byte(want)) { + t.Errorf("want `%s` in generated template", want) + } + } + snaps.MatchSnapshot(t, string(got)) + t.Log(string(got)) +} + func TestExecuteVirtualServerTemplate_RendersTemplateWithCustomListenerHTTPOnly(t *testing.T) { t.Parallel() executor := newTmplExecutorNGINXPlus(t) 
@@ -3997,6 +4127,362 @@ var ( }, } + virtualServerCfgWithCustomListenerIP = VirtualServerConfig{ + LimitReqZones: []LimitReqZone{ + { + ZoneName: "pol_rl_test_test_test", Rate: "10r/s", ZoneSize: "10m", Key: "$url", + }, + }, + Upstreams: []Upstream{ + { + Name: "test-upstream", + Servers: []UpstreamServer{ + { + Address: "10.0.0.20:8001", + }, + }, + LBMethod: "random", + Keepalive: 32, + MaxFails: 4, + FailTimeout: "10s", + MaxConns: 31, + SlowStart: "10s", + UpstreamZoneSize: "256k", + Queue: &Queue{Size: 10, Timeout: "60s"}, + SessionCookie: &SessionCookie{Enable: true, Name: "test", Path: "/tea", Expires: "25s"}, + NTLM: true, + }, + { + Name: "coffee-v1", + Servers: []UpstreamServer{ + { + Address: "10.0.0.31:8001", + }, + }, + MaxFails: 8, + FailTimeout: "15s", + MaxConns: 2, + UpstreamZoneSize: "256k", + }, + { + Name: "coffee-v2", + Servers: []UpstreamServer{ + { + Address: "10.0.0.32:8001", + }, + }, + MaxFails: 12, + FailTimeout: "20s", + MaxConns: 4, + UpstreamZoneSize: "256k", + }, + }, + SplitClients: []SplitClient{ + { + Source: "$request_id", + Variable: "$split_0", + Distributions: []Distribution{ + { + Weight: "50%", + Value: "@loc0", + }, + { + Weight: "50%", + Value: "@loc1", + }, + }, + }, + }, + Maps: []Map{ + { + Source: "$match_0_0", + Variable: "$match", + Parameters: []Parameter{ + { + Value: "~^1", + Result: "@match_loc_0", + }, + { + Value: "default", + Result: "@match_loc_default", + }, + }, + }, + { + Source: "$http_x_version", + Variable: "$match_0_0", + Parameters: []Parameter{ + { + Value: "v2", + Result: "1", + }, + { + Value: "default", + Result: "0", + }, + }, + }, + }, + HTTPSnippets: []string{"# HTTP snippet"}, + Server: Server{ + ServerName: "example.com", + StatusZone: "example.com", + ProxyProtocol: true, + SSL: &SSL{ + HTTP2: true, + Certificate: "cafe-secret.pem", + CertificateKey: "cafe-secret.pem", + }, + TLSRedirect: &TLSRedirect{ + BasedOn: "$scheme", + Code: 301, + }, + CustomListeners: true, + HTTPPort: 8082, + 
HTTPSPort: 8443, + HTTPIPv4: "127.0.0.1", + HTTPIPv6: "::1", + HTTPSIPv4: "127.0.0.2", + HTTPSIPv6: "::2", + ServerTokens: "off", + SetRealIPFrom: []string{"0.0.0.0/0"}, + RealIPHeader: "X-Real-IP", + RealIPRecursive: true, + Allow: []string{"127.0.0.1"}, + Deny: []string{"127.0.0.1"}, + LimitReqs: []LimitReq{ + { + ZoneName: "pol_rl_test_test_test", + Delay: 10, + Burst: 5, + }, + }, + LimitReqOptions: LimitReqOptions{ + LogLevel: "error", + RejectCode: 503, + }, + JWTAuth: &JWTAuth{ + Realm: "My Api", + Secret: "jwk-secret", + }, + IngressMTLS: &IngressMTLS{ + ClientCert: "ingress-mtls-secret", + VerifyClient: "on", + VerifyDepth: 2, + }, + WAF: &WAF{ + ApPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", + ApSecurityLogEnable: true, + Enable: "on", + ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, + }, + Snippets: []string{"# server snippet"}, + InternalRedirectLocations: []InternalRedirectLocation{ + { + Path: "/split", + Destination: "@split_0", + }, + { + Path: "/coffee", + Destination: "@match", + }, + }, + HealthChecks: []HealthCheck{ + { + Name: "coffee", + URI: "/", + Interval: "5s", + Jitter: "0s", + Fails: 1, + Passes: 1, + Port: 50, + ProxyPass: "http://coffee-v2", + Mandatory: true, + Persistent: true, + KeepaliveTime: "60s", + IsGRPC: false, + }, + { + Name: "tea", + Interval: "5s", + Jitter: "0s", + Fails: 1, + Passes: 1, + Port: 50, + ProxyPass: "http://tea-v2", + GRPCPass: "grpc://tea-v3", + GRPCStatus: createPointerFromInt(12), + GRPCService: "tea-servicev2", + IsGRPC: true, + }, + }, + Locations: []Location{ + { + Path: "/", + Snippets: []string{"# location snippet"}, + Allow: []string{"127.0.0.1"}, + Deny: []string{"127.0.0.1"}, + LimitReqs: []LimitReq{ + { + ZoneName: "loc_pol_rl_test_test_test", + }, + }, + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyBuffering: true, + ProxyBuffers: "8 4k", + ProxyBufferSize: "4k", + ProxyMaxTempFileSize: 
"1024m", + ProxyPass: "http://test-upstream", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + Internal: true, + ProxyPassRequestHeaders: false, + ProxyPassHeaders: []string{"Host"}, + ProxyPassRewrite: "$request_uri", + ProxyHideHeaders: []string{"Header"}, + ProxyIgnoreHeaders: "Cache", + Rewrites: []string{"$request_uri $request_uri", "$request_uri $request_uri"}, + AddHeaders: []AddHeader{ + { + Header: Header{ + Name: "Header-Name", + Value: "Header Value", + }, + Always: true, + }, + }, + EgressMTLS: &EgressMTLS{ + Certificate: "egress-mtls-secret.pem", + CertificateKey: "egress-mtls-secret.pem", + VerifyServer: true, + VerifyDepth: 1, + Ciphers: "DEFAULT", + Protocols: "TLSv1.3", + TrustedCert: "trusted-cert.pem", + SessionReuse: true, + ServerName: true, + }, + }, + { + Path: "@loc0", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v1", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + ProxyInterceptErrors: true, + ErrorPages: []ErrorPage{ + { + Name: "@error_page_1", + Codes: "400 500", + ResponseCode: 200, + }, + { + Name: "@error_page_2", + Codes: "500", + ResponseCode: 0, + }, + }, + }, + { + Path: "@loc1", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v2", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + }, + { + Path: "@loc2", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v2", + GRPCPass: "grpc://coffee-v3", + }, + { + Path: "@match_loc_0", + ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v2", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + }, + { + Path: "@match_loc_default", + 
ProxyConnectTimeout: "30s", + ProxyReadTimeout: "31s", + ProxySendTimeout: "32s", + ClientMaxBodySize: "1m", + ProxyPass: "http://coffee-v1", + ProxyNextUpstream: "error timeout", + ProxyNextUpstreamTimeout: "5s", + }, + { + Path: "/return", + ProxyInterceptErrors: true, + ErrorPages: []ErrorPage{ + { + Name: "@return_0", + Codes: "418", + ResponseCode: 200, + }, + }, + InternalProxyPass: "http://unix:/var/lib/nginx/nginx-418-server.sock", + }, + }, + ErrorPageLocations: []ErrorPageLocation{ + { + Name: "@vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0", + DefaultType: "application/json", + Return: &Return{ + Code: 200, + Text: "Hello World", + }, + Headers: nil, + }, + { + Name: "@vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1", + DefaultType: "", + Return: &Return{ + Code: 200, + Text: "Hello World", + }, + Headers: []Header{ + { + Name: "Set-Cookie", + Value: "cookie1=test", + }, + { + Name: "Set-Cookie", + Value: "cookie2=test; Secure", + }, + }, + }, + }, + ReturnLocations: []ReturnLocation{ + { + Name: "@return_0", + DefaultType: "text/html", + Return: Return{ + Code: 200, + Text: "Hello!", + }, + }, + }, + }, + } + virtualServerCfgWithCustomListenerHTTPOnly = VirtualServerConfig{ LimitReqZones: []LimitReqZone{ { diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index 23facedcbf..86bc6cdd99 100644 --- a/internal/configs/virtualserver.go +++ b/internal/configs/virtualserver.go @@ -87,6 +87,10 @@ type VirtualServerEx struct { VirtualServer *conf_v1.VirtualServer HTTPPort int HTTPSPort int + HTTPIPv4 string + HTTPIPv6 string + HTTPSIPv4 string + HTTPSIPv6 string Endpoints map[string][]string VirtualServerRoutes []*conf_v1.VirtualServerRoute ExternalNameSvcs map[string]bool 
@@ -835,6 +839,10 @@ func (vsc *virtualServerConfigurator) GenerateVirtualServerConfig( StatusZone: vsEx.VirtualServer.Spec.Host, HTTPPort: vsEx.HTTPPort, HTTPSPort: vsEx.HTTPSPort, + HTTPIPv4: vsEx.HTTPIPv4, + HTTPIPv6: vsEx.HTTPIPv6, + HTTPSIPv4: vsEx.HTTPSIPv4, + HTTPSIPv6: vsEx.HTTPSIPv6, CustomListeners: useCustomListeners, ProxyProtocol: vsc.cfgParams.ProxyProtocol, SSL: sslConfig, diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index db53b48bdb..bb1741cbda 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go 
@@ -3025,6 +3025,165 @@ func TestGenerateVirtualServerConfigWithCustomHttpsListener(t *testing.T) { } } +func TestGenerateVirtualServerConfigWithCustomHttpAndHttpsIPListeners(t *testing.T) { + t.Parallel() + + expected := version2.VirtualServerConfig{ + Upstreams: nil, + HTTPSnippets: []string{}, + LimitReqZones: []version2.LimitReqZone{}, + Server: version2.Server{ + ServerName: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Spec.Host, + StatusZone: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.Spec.Host, + VSNamespace: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithCustomHTTPAndHTTPSIPListeners.VirtualServer.ObjectMeta.Name, + DisableIPV6: false, + HTTPPort: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPPort, + HTTPSPort: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPSPort, + HTTPIPv4: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPIPv4, + HTTPIPv6: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPIPv6, + HTTPSIPv4: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPSIPv4, + HTTPSIPv6: virtualServerExWithCustomHTTPAndHTTPSIPListeners.HTTPSIPv6, + CustomListeners: true, + ProxyProtocol: true, + ServerTokens: "off", + SetRealIPFrom: []string{"0.0.0.0/0"}, + RealIPHeader: "X-Real-IP", + RealIPRecursive: true, + Snippets: []string{"# server snippet"}, + Locations: nil, + }, + } + + vsc := newVirtualServerConfigurator( + &baseCfgParams, + false, + false, + &StaticConfigParams{DisableIPV6: false}, + false, + &fakeBV, + ) + + result, warnings := vsc.GenerateVirtualServerConfig( + &virtualServerExWithCustomHTTPAndHTTPSIPListeners, + nil, + nil) + + if diff := cmp.Diff(expected, result); diff != "" { + t.Errorf("GenerateVirtualServerConfig() mismatch (-want +got):\n%s", diff) + } + + if len(warnings) != 0 { + t.Errorf("GenerateVirtualServerConfig returned warnings: %v", vsc.warnings) + } +} + +func 
TestGenerateVirtualServerConfigWithCustomHttpIPListener(t *testing.T) { + t.Parallel() + + expected := version2.VirtualServerConfig{ + Upstreams: nil, + HTTPSnippets: []string{}, + LimitReqZones: []version2.LimitReqZone{}, + Server: version2.Server{ + ServerName: virtualServerExWithCustomHTTPIPListener.VirtualServer.Spec.Host, + StatusZone: virtualServerExWithCustomHTTPIPListener.VirtualServer.Spec.Host, + VSNamespace: virtualServerExWithCustomHTTPIPListener.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithCustomHTTPIPListener.VirtualServer.ObjectMeta.Name, + DisableIPV6: false, + HTTPPort: virtualServerExWithCustomHTTPIPListener.HTTPPort, + HTTPSPort: virtualServerExWithCustomHTTPIPListener.HTTPSPort, + HTTPIPv4: virtualServerExWithCustomHTTPIPListener.HTTPIPv4, + HTTPIPv6: virtualServerExWithCustomHTTPIPListener.HTTPIPv6, + HTTPSIPv4: virtualServerExWithCustomHTTPIPListener.HTTPSIPv4, + HTTPSIPv6: virtualServerExWithCustomHTTPIPListener.HTTPSIPv6, + CustomListeners: true, + ProxyProtocol: true, + ServerTokens: "off", + SetRealIPFrom: []string{"0.0.0.0/0"}, + RealIPHeader: "X-Real-IP", + RealIPRecursive: true, + Snippets: []string{"# server snippet"}, + Locations: nil, + }, + } + + vsc := newVirtualServerConfigurator( + &baseCfgParams, + false, + false, + &StaticConfigParams{DisableIPV6: false}, + false, + &fakeBV, + ) + + result, warnings := vsc.GenerateVirtualServerConfig( + &virtualServerExWithCustomHTTPIPListener, + nil, + nil) + + if diff := cmp.Diff(expected, result); diff != "" { + t.Errorf("GenerateVirtualServerConfig() mismatch (-want +got):\n%s", diff) + } + + if len(warnings) != 0 { + t.Errorf("GenerateVirtualServerConfig returned warnings: %v", vsc.warnings) + } +} + +func TestGenerateVirtualServerConfigWithCustomHttpsIPListener(t *testing.T) { + t.Parallel() + + expected := version2.VirtualServerConfig{ + Upstreams: nil, + HTTPSnippets: []string{}, + LimitReqZones: []version2.LimitReqZone{}, + Server: version2.Server{ + ServerName: 
virtualServerExWithCustomHTTPSIPListener.VirtualServer.Spec.Host, + StatusZone: virtualServerExWithCustomHTTPSIPListener.VirtualServer.Spec.Host, + VSNamespace: virtualServerExWithCustomHTTPSIPListener.VirtualServer.ObjectMeta.Namespace, + VSName: virtualServerExWithCustomHTTPSIPListener.VirtualServer.ObjectMeta.Name, + DisableIPV6: false, + HTTPPort: virtualServerExWithCustomHTTPSIPListener.HTTPPort, + HTTPSPort: virtualServerExWithCustomHTTPSIPListener.HTTPSPort, + HTTPIPv4: virtualServerExWithCustomHTTPSIPListener.HTTPIPv4, + HTTPIPv6: virtualServerExWithCustomHTTPSIPListener.HTTPIPv6, + HTTPSIPv4: virtualServerExWithCustomHTTPSIPListener.HTTPSIPv4, + HTTPSIPv6: virtualServerExWithCustomHTTPSIPListener.HTTPSIPv6, + CustomListeners: true, + ProxyProtocol: true, + ServerTokens: "off", + SetRealIPFrom: []string{"0.0.0.0/0"}, + RealIPHeader: "X-Real-IP", + RealIPRecursive: true, + Snippets: []string{"# server snippet"}, + Locations: nil, + }, + } + + vsc := newVirtualServerConfigurator( + &baseCfgParams, + false, + false, + &StaticConfigParams{DisableIPV6: false}, + false, + &fakeBV, + ) + + result, warnings := vsc.GenerateVirtualServerConfig( + &virtualServerExWithCustomHTTPSIPListener, + nil, + nil) + + if diff := cmp.Diff(expected, result); diff != "" { + t.Errorf("GenerateVirtualServerConfig() mismatch (-want +got):\n%s", diff) + } + + if len(warnings) != 0 { + t.Errorf("GenerateVirtualServerConfig returned warnings: %v", vsc.warnings) + } +} + func TestGenerateVirtualServerConfigWithNilListener(t *testing.T) { t.Parallel() 
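Review bot: The failure message in the three new tests prints `vsc.warnings` although the condition checks the returned `warnings`, so a failing run may report a different value from the one that tripped the check. Print the returned value instead: `t.Errorf("GenerateVirtualServerConfig returned warnings: %v", warnings)`. The same line appears in `TestGenerateVirtualServerConfigWithCustomHttpAndHttpsIPListeners`, `TestGenerateVirtualServerConfigWithCustomHttpIPListener` and `TestGenerateVirtualServerConfigWithCustomHttpsIPListener`.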
@@ -15543,6 +15702,66 @@ var ( }, } + virtualServerExWithCustomHTTPAndHTTPSIPListeners = VirtualServerEx{ + HTTPPort: 8083, + HTTPSPort: 8443, + HTTPIPv4: "192.168.0.2", + HTTPIPv6: "::1", + HTTPSIPv4: "192.168.0.6", + HTTPSIPv6: "::2", + + VirtualServer: &conf_v1.VirtualServer{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "cafe", + Namespace: "default", + }, + Spec: conf_v1.VirtualServerSpec{ + Host: "cafe.example.com", + Listener: &conf_v1.VirtualServerListener{ + HTTP: "http-8083", + HTTPS: "https-8443", + }, + }, + }, + } + + virtualServerExWithCustomHTTPIPListener = VirtualServerEx{ + HTTPPort: 8083, + HTTPIPv4: "192.168.0.2", + HTTPIPv6: "::1", + + VirtualServer: &conf_v1.VirtualServer{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "cafe", + Namespace: "default", + }, + Spec: conf_v1.VirtualServerSpec{ + Host: "cafe.example.com", + Listener: &conf_v1.VirtualServerListener{ + HTTP: "http-8083", + }, + }, + }, + } + + virtualServerExWithCustomHTTPSIPListener = VirtualServerEx{ + HTTPSPort: 8443, + HTTPSIPv4: "192.168.0.6", + HTTPSIPv6: "::2", + VirtualServer: &conf_v1.VirtualServer{ + ObjectMeta: meta_v1.ObjectMeta{ + Name: "cafe", + Namespace: "default", + }, + Spec: conf_v1.VirtualServerSpec{ + Host: "cafe.example.com", + Listener: &conf_v1.VirtualServerListener{ + HTTPS: "https-8443", + }, + }, + }, + } + virtualServerExWithNilListener = VirtualServerEx{ VirtualServer: &conf_v1.VirtualServer{ ObjectMeta: meta_v1.ObjectMeta{ diff --git a/internal/k8s/configuration.go b/internal/k8s/configuration.go index f4d9bb05a3..950460566e 100644 --- a/internal/k8s/configuration.go +++ b/internal/k8s/configuration.go @@ -200,6 +200,10 @@ type VirtualServerConfiguration struct { Warnings []string HTTPPort int HTTPSPort int + HTTPIPv4 string + HTTPIPv6 string + HTTPSIPv4 string + HTTPSIPv6 string } // NewVirtualServerConfiguration creates a VirtualServerConfiguration. 
@@ -813,19 +817,20 @@ func (c *Configuration) buildListenersAndTSConfigurations() (newListeners map[st func (c *Configuration) buildListenersForVSConfiguration(vsc *VirtualServerConfiguration) { vs := vsc.VirtualServer - if vs.Spec.Listener != nil && c.globalConfiguration != nil { - if gcListener, ok := c.listenerMap[vs.Spec.Listener.HTTP]; ok { - if gcListener.Protocol == conf_v1.HTTPProtocol && !gcListener.Ssl { - vsc.HTTPPort = gcListener.Port - } - } + if vs.Spec.Listener == nil || c.globalConfiguration == nil { + return + } - if gcListener, ok := c.listenerMap[vs.Spec.Listener.HTTPS]; ok { - if gcListener.Protocol == conf_v1.HTTPProtocol && gcListener.Ssl { - vsc.HTTPSPort = gcListener.Port - } + assignListener := func(listenerName string, isSSL bool, port *int, ipv4 *string, ipv6 *string) { + if gcListener, ok := c.listenerMap[listenerName]; ok && gcListener.Protocol == conf_v1.HTTPProtocol && gcListener.Ssl == isSSL { + *port = gcListener.Port + *ipv4 = gcListener.IPv4IP + *ipv6 = gcListener.IPv6IP } } + + assignListener(vs.Spec.Listener.HTTP, false, &vsc.HTTPPort, &vsc.HTTPIPv4, &vsc.HTTPIPv6) + assignListener(vs.Spec.Listener.HTTPS, true, &vsc.HTTPSPort, &vsc.HTTPSIPv4, &vsc.HTTPSIPv6) } // GetResources returns all configuration resources. @@ -1783,6 +1788,15 @@ func detectChangesInHosts(oldHosts map[string]Resource, newHosts map[string]Reso if newVsc.HTTPPort != oldVsc.HTTPPort || newVsc.HTTPSPort != oldVsc.HTTPSPort { updatedHosts = append(updatedHosts, h) } + + if newVsc.HTTPIPv4 != oldVsc.HTTPIPv4 { + updatedHosts = append(updatedHosts, h) + } + + if newVsc.HTTPIPv6 != oldVsc.HTTPIPv6 { + updatedHosts = append(updatedHosts, h) + } + } return removedHosts, updatedHosts, addedHosts diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index a66429a757..09bd5eb6f5 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go 
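Review bot: The comparisons added to `detectChangesInHosts` cover `HTTPIPv4` and `HTTPIPv6` but not `HTTPSIPv4` or `HTTPSIPv6`, so a change to only the HTTPS listener address would not mark the host as updated and the running config could presumably keep the previous bind address. Because each check appends on its own, a host whose port and address both change is also appended to `updatedHosts` more than once. Folding all six fields into the existing condition fixes both. The function starts and ends outside the hunk, so whether callers tolerate duplicate entries is not visible here.

```go
		// … unchanged: earlier checks in the loop …
		if newVsc.HTTPPort != oldVsc.HTTPPort || newVsc.HTTPSPort != oldVsc.HTTPSPort ||
			newVsc.HTTPIPv4 != oldVsc.HTTPIPv4 || newVsc.HTTPIPv6 != oldVsc.HTTPIPv6 ||
			newVsc.HTTPSIPv4 != oldVsc.HTTPSIPv4 || newVsc.HTTPSIPv6 != oldVsc.HTTPSIPv6 {
			updatedHosts = append(updatedHosts, h)
		}
```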
@@ -2499,6 +2499,10 @@ func (lbc *LoadBalancerController) createVirtualServerEx(virtualServer *conf_v1. if vsc, ok := resource.(*VirtualServerConfiguration); ok { virtualServerEx.HTTPPort = vsc.HTTPPort virtualServerEx.HTTPSPort = vsc.HTTPSPort + virtualServerEx.HTTPIPv4 = vsc.HTTPIPv4 + virtualServerEx.HTTPIPv6 = vsc.HTTPIPv6 + virtualServerEx.HTTPSIPv4 = vsc.HTTPSIPv4 + virtualServerEx.HTTPSIPv6 = vsc.HTTPSIPv6 } if virtualServer.Spec.TLS != nil && virtualServer.Spec.TLS.Secret != "" { diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index 6048882121..76c5261980 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -411,6 +411,8 @@ type GlobalConfigurationSpec struct { type Listener struct { Name string `json:"name"` Port int `json:"port"` + IPv4IP string `json:"ipv4"` + IPv6IP string `json:"ipv6"` Protocol string `json:"protocol"` Ssl bool `json:"ssl"` } diff --git a/pkg/apis/configuration/validation/globalconfiguration.go b/pkg/apis/configuration/validation/globalconfiguration.go index daf7579320..689fa625ef 100644 --- a/pkg/apis/configuration/validation/globalconfiguration.go +++ b/pkg/apis/configuration/validation/globalconfiguration.go @@ -11,6 +11,13 @@ import ( "k8s.io/apimachinery/pkg/util/validation/field" ) +type ipType int + +const ( + ipv4 ipType = iota + ipv6 +) + var allowedProtocols = map[string]bool{ "TCP": true, "UDP": true, 
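Review bot: The new `IPv4IP` and `IPv6IP` fields on `Listener` have no doc comment, and what an empty value means is only discoverable from the template helper, where for HTTP listeners an empty address renders as `listen <port>` / `listen [::]:<port>`, i.e. all addresses. That default is worth stating on the type, for example `// IPv4IP is the IPv4 address the listener binds to; empty binds all IPv4 addresses.` with a matching line for `IPv6IP`. Since both fields look optional, `json:"ipv4,omitempty"` and `json:"ipv6,omitempty"` would keep empty addresses out of serialized objects; confirm against the CRD schema, which is not part of this hunk. The third hunk on this line declares a second `ipType` with the same constants as the one in `version2/template_helper.go`, which a short comment could explain.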
@@ -45,54 +52,94 @@ func (gcv *GlobalConfigurationValidator) getValidListeners(listeners []conf_v1.L allErrs := field.ErrorList{} listenerNames := sets.Set[string]{} - portProtocolCombinations := sets.Set[string]{} - - portProtocolMap := make(map[int]string) + ipv4PortProtocolCombinations := make(map[string]map[int]string) // map[IP]map[Port]Protocol + ipv6PortProtocolCombinations := make(map[string]map[int]string) var validListeners []conf_v1.Listener for i, l := range listeners { idxPath := fieldPath.Index(i) - portProtocolKey := generatePortProtocolKey(l.Port, l.Protocol) listenerErrs := gcv.validateListener(l, idxPath) if len(listenerErrs) > 0 { allErrs = append(allErrs, listenerErrs...) - } else if listenerNames.Has(l.Name) { - allErrs = append(allErrs, field.Duplicate(idxPath.Child("name"), l.Name)) - } else if portProtocolCombinations.Has(portProtocolKey) { - msg := fmt.Sprintf("Listener %s: Duplicated port/protocol combination %s", l.Name, portProtocolKey) - allErrs = append(allErrs, field.Duplicate(fieldPath, msg)) - } else if protocol, ok := portProtocolMap[l.Port]; ok { - var msg string - switch protocol { - case "HTTP": - if l.Protocol == "TCP" || l.Protocol == "UDP" { - msg = fmt.Sprintf( - "Listener %s with protocol %s can't use port %d. Port is taken by an HTTP listener", - l.Name, l.Protocol, l.Port) - allErrs = append(allErrs, field.Forbidden(fieldPath, msg)) - } else { - validListeners = append(validListeners, l) - } - case "TCP", "UDP": - if l.Protocol == "HTTP" { - msg = fmt.Sprintf( - "Listener %s with protocol %s can't use port %d. 
Port is taken by TCP or UDP listener", - l.Name, l.Protocol, l.Port) - allErrs = append(allErrs, field.Forbidden(fieldPath, msg)) - } else { - validListeners = append(validListeners, l) - } - } - } else { - listenerNames.Insert(l.Name) - portProtocolCombinations.Insert(portProtocolKey) - portProtocolMap[l.Port] = l.Protocol - validListeners = append(validListeners, l) + continue + } + + if err := gcv.checkForDuplicateName(listenerNames, l, idxPath); err != nil { + allErrs = append(allErrs, err) + continue + } + + if err := gcv.checkIPPortProtocolConflicts(ipv4PortProtocolCombinations, ipv4, l, fieldPath); err != nil { + allErrs = append(allErrs, err) + continue + } + + if err := gcv.checkIPPortProtocolConflicts(ipv6PortProtocolCombinations, ipv6, l, fieldPath); err != nil { + allErrs = append(allErrs, err) + continue } + + gcv.updatePortProtocolCombinations(ipv4PortProtocolCombinations, ipv4, l) + gcv.updatePortProtocolCombinations(ipv6PortProtocolCombinations, ipv6, l) + + validListeners = append(validListeners, l) } return validListeners, allErrs } +// checkForDuplicateName checks if the listener name is unique. +func (gcv *GlobalConfigurationValidator) checkForDuplicateName(listenerNames sets.Set[string], listener conf_v1.Listener, idxPath *field.Path) *field.Error { + if listenerNames.Has(listener.Name) { + return field.Duplicate(idxPath.Child("name"), listener.Name) + } + listenerNames.Insert(listener.Name) + return nil +} + +// checkIPPortProtocolConflicts ensures no duplicate or conflicting port/protocol combinations exist. 
+func (gcv *GlobalConfigurationValidator) checkIPPortProtocolConflicts(combinations map[string]map[int]string, ipType ipType, listener conf_v1.Listener, fieldPath *field.Path) *field.Error { + ip := getIP(ipType, listener) + + if combinations[ip] == nil { + combinations[ip] = make(map[int]string) // map[ip]map[port]protocol + } + + existingProtocol, exists := combinations[ip][listener.Port] + if exists { + if existingProtocol == listener.Protocol { + return field.Duplicate(fieldPath, fmt.Sprintf("Listener %s: Duplicated port/protocol combination %d/%s", listener.Name, listener.Port, listener.Protocol)) + } else if listener.Protocol == "HTTP" || existingProtocol == "HTTP" { + return field.Invalid(fieldPath.Child("port"), listener.Port, fmt.Sprintf("Listener %s: Port %d is used with a different protocol (current: %s, new: %s)", listener.Name, listener.Port, existingProtocol, listener.Protocol)) + } + } + + return nil +} + +// updatePortProtocolCombinations updates the port/protocol combinations map with the given listener's details for both IPv4 and IPv6. +func (gcv *GlobalConfigurationValidator) updatePortProtocolCombinations(combinations map[string]map[int]string, ipType ipType, listener conf_v1.Listener) { + ip := getIP(ipType, listener) + + if combinations[ip] == nil { + combinations[ip] = make(map[int]string) + } + combinations[ip][listener.Port] = listener.Protocol +} + +// getIP returns the appropriate IP address for the given ipType and listener. +func getIP(ipType ipType, listener conf_v1.Listener) string { + if ipType == ipv4 { + if listener.IPv4IP == "" { + return "0.0.0.0" + } + return listener.IPv4IP + } + if listener.IPv6IP == "" { + return "::" + } + return listener.IPv6IP +} + func generatePortProtocolKey(port int, protocol string) string { return fmt.Sprintf("%d/%s", port, protocol) } 
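Review bot: `checkIPPortProtocolConflicts` can miss a duplicate, because `combinations[ip][port]` holds a single protocol and `updatePortProtocolCombinations` overwrites it on every accepted listener. With listeners TCP/5353, UDP/5353 and TCP/5353 under different names, the second replaces the stored `TCP` with `UDP`, so the third matches neither the duplicate branch nor the HTTP branch and is accepted; the removed code caught this case through its port/protocol set. Keeping a set of protocols per address and port restores the check, as sketched below (the two `make` calls in `getValidListeners` change type accordingly). Separately, `getIP` returns the address exactly as written, so two spellings of one IPv6 address, such as `::1` and `0:0:0:0:0:0:0:1`, land under different keys and bypass the conflict check; normalising the string before the lookup would close that gap. `checkForDuplicateName` also reserves the name before the conflict checks run, so a listener rejected for a port conflict still blocks a later listener with the same name, which the removed code did not do.

```go
// combinations is map[ip]map[port]set-of-protocols already accepted.
func (gcv *GlobalConfigurationValidator) checkIPPortProtocolConflicts(combinations map[string]map[int]sets.Set[string], ipType ipType, listener conf_v1.Listener, fieldPath *field.Path) *field.Error {
	// Indexing a missing IP or port yields a nil set; Has and len are safe on it.
	seen := combinations[getIP(ipType, listener)][listener.Port]
	if seen.Has(listener.Protocol) {
		// … unchanged: return field.Duplicate(...) …
	}
	if len(seen) > 0 && (listener.Protocol == "HTTP" || seen.Has("HTTP")) {
		// … return field.Invalid(...) as before, reporting sets.List(seen) as the current protocols …
	}
	return nil
}

func (gcv *GlobalConfigurationValidator) updatePortProtocolCombinations(combinations map[string]map[int]sets.Set[string], ipType ipType, listener conf_v1.Listener) {
	ip := getIP(ipType, listener)
	if combinations[ip] == nil {
		combinations[ip] = make(map[int]sets.Set[string])
	}
	if combinations[ip][listener.Port] == nil {
		combinations[ip][listener.Port] = sets.New[string]()
	}
	// Add to the set instead of replacing the previous protocol.
	combinations[ip][listener.Port].Insert(listener.Protocol)
}
```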
@@ -101,6 +148,8 @@ func (gcv *GlobalConfigurationValidator) validateListener(listener conf_v1.Liste allErrs := validateGlobalConfigurationListenerName(listener.Name, fieldPath.Child("name")) allErrs = append(allErrs, gcv.validateListenerPort(listener.Name, listener.Port, fieldPath.Child("port"))...) allErrs = append(allErrs, validateListenerProtocol(listener.Protocol, fieldPath.Child("protocol"))...) + allErrs = append(allErrs, validateListenerIPv4IP(listener.IPv4IP, fieldPath.Child("ipv4ip"))...) + allErrs = append(allErrs, validateListenerIPv6IP(listener.IPv6IP, fieldPath.Child("ipv6ip"))...) return allErrs } @@ -136,6 +185,20 @@ func validateListenerProtocol(protocol string, fieldPath *field.Path) field.Erro } } +func validateListenerIPv4IP(ipv4ip string, fieldPath *field.Path) field.ErrorList { + if ipv4ip != "" { + return validation.IsValidIPv4Address(fieldPath, ipv4ip) + } + return field.ErrorList{} +} + +func validateListenerIPv6IP(ipv6ip string, fieldPath *field.Path) field.ErrorList { + if ipv6ip != "" { + return validation.IsValidIPv6Address(fieldPath, ipv6ip) + } + return field.ErrorList{} +} + func getProtocolsFromMap(p map[string]bool) []string { var keys []string diff --git a/pkg/apis/configuration/validation/globalconfiguration_test.go b/pkg/apis/configuration/validation/globalconfiguration_test.go index de3a3af458..709967db71 100644 --- a/pkg/apis/configuration/validation/globalconfiguration_test.go +++ b/pkg/apis/configuration/validation/globalconfiguration_test.go @@ -74,6 +74,13 @@ func TestValidateListeners(t *testing.T) { Port: 53, Protocol: "UDP", }, + { + Name: "test-listener-ip", + IPv4IP: "127.0.0.1", + IPv6IP: "::1", + Port: 8080, + Protocol: "HTTP", + }, } gcv := createGlobalConfigurationValidator() 
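Review bot: The field paths added in `validateListener` use `ipv4ip` and `ipv6ip`, while the `Listener` struct in this commit serialises the fields as `ipv4` and `ipv6`, so a validation error would point at a key that does not exist in the resource. Using the JSON names keeps the messages actionable: `validateListenerIPv4IP(listener.IPv4IP, fieldPath.Child("ipv4"))` and `validateListenerIPv6IP(listener.IPv6IP, fieldPath.Child("ipv6"))`. The two validators added in the following hunk also have no doc comment; `// validateListenerIPv4IP accepts an empty value or a valid IPv4 address.` (and the IPv6 counterpart) would state the empty-string contract that `getIP` depends on.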
@@ -84,6 +91,202 @@ func TestValidateListeners(t *testing.T) { } } +func TestValidateListeners_FailsOnInvalidIP(t *testing.T) { + t.Parallel() + + testCases := []struct { + name string + listeners []conf_v1.Listener + }{ + { + name: "Invalid IPv4 IP", + listeners: []conf_v1.Listener{ + {Name: "test-listener-1", IPv4IP: "267.0.0.1", Port: 8082, Protocol: "HTTP"}, + }, + }, + { + name: "Invalid IPv4 IP with missing octet", + listeners: []conf_v1.Listener{ + {Name: "test-listener-2", IPv4IP: "127.0.0", Port: 8080, Protocol: "HTTP"}, + }, + }, + { + name: "Invalid IPv6 IP", + listeners: []conf_v1.Listener{ + {Name: "test-listener-3", IPv6IP: "1200::AB00::1234", Port: 8080, Protocol: "HTTP"}, + }, + }, + { + name: "Valid and invalid IPs", + listeners: []conf_v1.Listener{ + {Name: "test-listener-4", IPv4IP: "192.168.1.1", IPv6IP: "2001:0db1234123123", Port: 8080, Protocol: "HTTP"}, + {Name: "test-listener-5", IPv4IP: "256.256.256.256", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 8081, Protocol: "HTTP"}, + }, + }, + { + name: "Valid IPv4 and Invalid IPv6", + listeners: []conf_v1.Listener{ + {Name: "test-listener-6", IPv4IP: "192.168.1.1", IPv6IP: "2001::85a3::8a2e:370:7334", Port: 8080, Protocol: "HTTP"}, + }, + }, + { + name: "Invalid IPv4 and Valid IPv6", + listeners: []conf_v1.Listener{ + {Name: "test-listener-8", IPv4IP: "300.168.1.1", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 8080, Protocol: "HTTP"}, + }, + }, + } + + gcv := createGlobalConfigurationValidator() + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + _, allErrs := gcv.getValidListeners(tc.listeners, field.NewPath("listeners")) + if len(allErrs) == 0 { + t.Errorf("Expected errors for invalid IPs, but got none") + } else { + for _, err := range allErrs { + t.Logf("Caught expected error: %v", err) + } + } + }) + } +} + +func TestValidateListeners_FailsOnPortProtocolConflictsSameIP(t *testing.T) { + t.Parallel() + + testCases := []struct { + name string + 
listeners []conf_v1.Listener + }{ + { + name: "Same port used with the same protocol", + listeners: []conf_v1.Listener{ + {Name: "listener-1", IPv4IP: "192.168.1.1", IPv6IP: "::1", Port: 8080, Protocol: "HTTP"}, + {Name: "listener-2", IPv4IP: "192.168.1.1", IPv6IP: "::1", Port: 8080, Protocol: "HTTP"}, + }, + }, + { + name: "Same port used with different protocols", + listeners: []conf_v1.Listener{ + {Name: "listener-1", IPv4IP: "192.168.1.1", IPv6IP: "::1", Port: 8080, Protocol: "HTTP"}, + {Name: "listener-2", IPv4IP: "192.168.1.1", Port: 8080, Protocol: "TCP"}, + }, + }, + { + name: "Same port used with the same protocol (IPv6)", + listeners: []conf_v1.Listener{ + {Name: "listener-1", IPv4IP: "192.168.1.1", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 8080, Protocol: "HTTP"}, + {Name: "listener-2", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 8080, Protocol: "HTTP"}, + }, + }, + { + name: "Same port used with different protocols (IPv6)", + listeners: []conf_v1.Listener{ + {Name: "listener-1", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 8080, Protocol: "HTTP"}, + {Name: "listener-2", IPv4IP: "192.168.1.1", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 8080, Protocol: "TCP"}, + }, + }, + } + + gcv := createGlobalConfigurationValidator() + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + _, allErrs := gcv.getValidListeners(tc.listeners, field.NewPath("listeners")) + if len(allErrs) == 0 { + t.Errorf("Expected errors for port/protocol conflicts, but got none") + } else { + for _, err := range allErrs { + t.Logf("Caught expected error: %v", err) + } + } + }) + } +} + +func TestValidateListeners_PassesOnValidIPListeners(t *testing.T) { + t.Parallel() + + testCases := []struct { + name string + listeners []conf_v1.Listener + }{ + { + name: "Different Ports and IPs", + listeners: []conf_v1.Listener{ + {Name: "listener-1", IPv4IP: "192.168.1.1", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 
8080, Protocol: "HTTP"}, + {Name: "listener-2", IPv4IP: "192.168.1.2", IPv6IP: "::1", Port: 9090, Protocol: "HTTP"}, + }, + }, + { + name: "Same IPs, Same Protocol and Different Port", + listeners: []conf_v1.Listener{ + {Name: "listener-1", IPv4IP: "192.168.1.1", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 8080, Protocol: "HTTP"}, + {Name: "listener-2", IPv4IP: "192.168.1.1", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 9090, Protocol: "HTTP"}, + }, + }, + { + name: "Different Types of IPs", + listeners: []conf_v1.Listener{ + {Name: "listener-1", IPv4IP: "192.168.1.1", Port: 8080, Protocol: "HTTP"}, + {Name: "listener-2", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 8080, Protocol: "HTTP"}, + }, + }, + } + + gcv := createGlobalConfigurationValidator() + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + _, allErrs := gcv.getValidListeners(tc.listeners, field.NewPath("listeners")) + if len(allErrs) != 0 { + t.Errorf("Unexpected errors for valid listeners: %v", allErrs) + } + }) + } +} + +func TestValidateListeners_FailsOnMixedInvalidIPs(t *testing.T) { + t.Parallel() + + testCases := []struct { + name string + listeners []conf_v1.Listener + }{ + { + name: "Valid IPv4 and Invalid IPv6", + listeners: []conf_v1.Listener{ + {Name: "listener-1", IPv4IP: "192.168.1.1", Port: 8080, Protocol: "HTTP"}, + {Name: "listener-2", IPv6IP: "2001::85a3::8a2e:370:7334", Port: 9090, Protocol: "TCP"}, + }, + }, + { + name: "Invalid IPv4 and Valid IPv6", + listeners: []conf_v1.Listener{ + {Name: "listener-1", IPv4IP: "300.168.1.1", Port: 8080, Protocol: "HTTP"}, + {Name: "listener-2", IPv6IP: "2001:0db8:85a3:0000:0000:8a2e:0370:7334", Port: 9090, Protocol: "TCP"}, + }, + }, + } + + gcv := createGlobalConfigurationValidator() + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + _, allErrs := gcv.getValidListeners(tc.listeners, field.NewPath("listeners")) + if len(allErrs) == 0 { + t.Errorf("Expected errors 
for mixed invalid IPs, but got none") + } else { + for _, err := range allErrs { + t.Logf("Caught expected error: %v", err) + } + } + }) + } +} + func TestValidateListenersFails(t *testing.T) { t.Parallel() tests := []struct { diff --git a/tests/data/virtual-server-custom-listeners/global-configuration-http-https-ipv4ip-http-https-ipv6ip.yaml b/tests/data/virtual-server-custom-listeners/global-configuration-http-https-ipv4ip-http-https-ipv6ip.yaml new file mode 100644 index 0000000000..26ea0bf9b6 --- /dev/null +++ b/tests/data/virtual-server-custom-listeners/global-configuration-http-https-ipv4ip-http-https-ipv6ip.yaml @@ -0,0 +1,24 @@ +apiVersion: k8s.nginx.org/v1 +kind: GlobalConfiguration +metadata: + name: nginx-configuration + namespace: nginx-ingress +spec: + listeners: + - name: dns-udp + port: 5353 + protocol: UDP + - name: dns-tcp + port: 5353 + protocol: TCP + - name: http-8085 + port: 8085 + protocol: HTTP + ipv4: 127.0.0.1 + ipv6: ::1 + - name: https-8445 + port: 8445 + protocol: HTTP + ipv4: 127.0.0.2 + ipv6: ::1 + ssl: true diff --git a/tests/data/virtual-server-custom-listeners/global-configuration-http-ipv4ip-https-ipv6ip.yaml b/tests/data/virtual-server-custom-listeners/global-configuration-http-ipv4ip-https-ipv6ip.yaml new file mode 100644 index 0000000000..1b98231c50 --- /dev/null +++ b/tests/data/virtual-server-custom-listeners/global-configuration-http-ipv4ip-https-ipv6ip.yaml @@ -0,0 +1,22 @@ +apiVersion: k8s.nginx.org/v1 +kind: GlobalConfiguration +metadata: + name: nginx-configuration + namespace: nginx-ingress +spec: + listeners: + - name: dns-udp + port: 5353 + protocol: UDP + - name: dns-tcp + port: 5353 + protocol: TCP + - name: http-8085 + port: 8085 + protocol: HTTP + ipv4: 127.0.0.1 + - name: https-8445 + port: 8445 + protocol: HTTP + ipv6: ::1 + ssl: true diff --git a/tests/suite/test_virtual_server_custom_ip_listeners.py b/tests/suite/test_virtual_server_custom_ip_listeners.py new file mode 100644 index 0000000000..93ba1fde29 
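Review bot: Every failing-case test added in this hunk passes on any error at all, since the only check is `len(allErrs) == 0`; a listener rejected for an unrelated reason would still satisfy them. Adding an expected error type or field per case, for example a `wantType field.ErrorType` column compared with `allErrs[0].Type`, would pin the invalid-IP and port-conflict branches separately. The conflict table also has no case where TCP and UDP share a port and one of them is then repeated, which is the path where the validator keeps only the last protocol seen for a port. `TestValidateListeners_FailsOnMixedInvalidIPs` largely repeats cases already present in `TestValidateListeners_FailsOnInvalidIP` and could be merged into it.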
--- /dev/null +++ b/tests/suite/test_virtual_server_custom_ip_listeners.py 
@@ -0,0 +1,221 @@ +from typing import List, TypedDict + +import pytest +import requests +from settings import TEST_DATA +from suite.utils.custom_resources_utils import create_gc_from_yaml, delete_gc +from suite.utils.resources_utils import ( + create_secret_from_yaml, + delete_secret, + get_events_for_object, + get_first_pod_name, + wait_before_test, +) +from suite.utils.vs_vsr_resources_utils import get_vs_nginx_template_conf, patch_virtual_server_from_yaml, read_vs + + +def make_request(url, host): + return requests.get( + url, + headers={"host": host}, + allow_redirects=False, + verify=False, + ) + + +def restore_default_vs(kube_apis, virtual_server_setup) -> None: + """ + Function to revert VS deployment to valid state. + """ + patch_src = f"{TEST_DATA}/virtual-server-status/standard/virtual-server.yaml" + patch_virtual_server_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + patch_src, + virtual_server_setup.namespace, + ) + wait_before_test() + + +@pytest.mark.vs +@pytest.mark.parametrize( + "crd_ingress_controller, virtual_server_setup", + [ + ( + { + "type": "complete", + "extra_args": [ + f"-global-configuration=nginx-ingress/nginx-configuration", + f"-enable-leader-election=false", + f"-enable-prometheus-metrics=true", + ], + }, + { + "example": "virtual-server-custom-listeners", + "app_type": "simple", + }, + ) + ], + indirect=True, +) +class TestVirtualServerCustomListeners: + TestSetup = TypedDict( + "TestSetup", + { + "gc_yaml": str, + "vs_yaml": str, + "http_listener_in_config": bool, + "https_listener_in_config": bool, + "expected_response_codes": List[int], # responses from requests to port 80, 443, 8085, 8445 + "expected_http_listener_ipv4ip": str, + "expected_https_listener_ipv4ip": str, + "expected_http_listener_ipv6ip": str, + "expected_https_listener_ipv6ip": str, + "expected_vs_error_msg": str, + "expected_gc_error_msg": str, + }, + ) + + @pytest.mark.parametrize( + "test_setup", + [ + { + "gc_yaml": 
"global-configuration-http-https-ipv4ip-http-https-ipv6ip", + "vs_yaml": "virtual-server", + "http_listener_in_config": True, + "https_listener_in_config": True, + "expected_response_codes": [200, 200], + "expected_http_listener_ipv4ip": "127.0.0.1", + "expected_https_listener_ipv4ip": "127.0.0.2", + "expected_http_listener_ipv6ip": "::1", + "expected_https_listener_ipv6ip": "::1", + "expected_vs_error_msg": "", + "expected_gc_error_msg": "", + }, + { + "gc_yaml": "global-configuration-http-ipv4ip-https-ipv6ip", + "vs_yaml": "virtual-server", + "http_listener_in_config": True, + "https_listener_in_config": True, + "expected_response_codes": [200, 200], + "expected_http_listener_ipv4ip": "127.0.0.1", + "expected_https_listener_ipv4ip": "", + "expected_http_listener_ipv6ip": "", + "expected_https_listener_ipv6ip": "::1", + "expected_vs_error_msg": "", + "expected_gc_error_msg": "", + }, + ], + ids=[ + "http-https-ipv4ip-http-https-ipv6ip", + "http-ipv4ip-https-ipv6ip", + ], + ) + def test_custom_listeners_update( + self, + kube_apis, + ingress_controller_prerequisites, + crd_ingress_controller, + virtual_server_setup, + test_setup: TestSetup, + ) -> None: + print("\nStep 1: Create GC resource") + secret_name = create_secret_from_yaml( + kube_apis.v1, virtual_server_setup.namespace, f"{TEST_DATA}/virtual-server-tls/tls-secret.yaml" + ) + if test_setup["gc_yaml"]: + global_config_file = f"{TEST_DATA}/virtual-server-custom-listeners/{test_setup['gc_yaml']}.yaml" + gc_resource = create_gc_from_yaml(kube_apis.custom_objects, global_config_file, "nginx-ingress") + + print("\nStep 2: Create VS with custom listeners") + vs_custom_listeners = f"{TEST_DATA}/virtual-server-custom-listeners/{test_setup['vs_yaml']}.yaml" + patch_virtual_server_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + vs_custom_listeners, + virtual_server_setup.namespace, + ) + print("IP Listeners Detected - Waiting 30 Extra Seconds Required") + wait_before_test(30) + + 
print("\nStep 3: Test generated VS configs") + ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace) + vs_config = get_vs_nginx_template_conf( + kube_apis.v1, + virtual_server_setup.namespace, + virtual_server_setup.vs_name, + ic_pod_name, + ingress_controller_prerequisites.namespace, + ) + + print(vs_config) + + if "http_listener_in_config" in test_setup and test_setup["http_listener_in_config"]: + if "expected_http_listener_ipv4ip" in test_setup and test_setup["expected_http_listener_ipv4ip"]: + assert f"listen {test_setup['expected_http_listener_ipv4ip']}:8085;" in vs_config + else: + assert "listen 8085;" in vs_config + + if "expected_http_listener_ipv6ip" in test_setup and test_setup["expected_http_listener_ipv6ip"]: + assert f"listen [{test_setup['expected_http_listener_ipv6ip']}]:8085;" in vs_config + else: + assert "listen [::]:8085;" in vs_config + else: + assert "listen 8085;" not in vs_config + assert "listen [::]:8085;" not in vs_config + + if "https_listener_in_config" in test_setup and test_setup["https_listener_in_config"]: + if "expected_https_listener_ipv4ip" in test_setup and test_setup["expected_https_listener_ipv4ip"]: + assert f"listen {test_setup['expected_https_listener_ipv4ip']}:8445 ssl;" in vs_config + else: + assert "listen 8445 ssl;" in vs_config + + if "expected_https_listener_ipv6ip" in test_setup and test_setup["expected_https_listener_ipv6ip"]: + assert f"listen [{test_setup['expected_https_listener_ipv6ip']}]:8445 ssl;" in vs_config + else: + assert "listen [::]:8445 ssl;" in vs_config + else: + assert "listen 8445 ssl;" not in vs_config + assert "listen [::]:8445 ssl;" not in vs_config + + assert "listen 80;" not in vs_config + assert "listen [::]:80;" not in vs_config + assert "listen 443 ssl;" not in vs_config + assert "listen [::]:443 ssl;" not in vs_config + + print("\nStep 4: Test Kubernetes VirtualServer warning events") + if test_setup["expected_vs_error_msg"]: + response = 
read_vs(kube_apis.custom_objects, virtual_server_setup.namespace, virtual_server_setup.vs_name) + print(response) + assert ( + response["status"]["reason"] == "AddedOrUpdatedWithWarning" + and response["status"]["state"] == "Warning" + and test_setup["expected_vs_error_msg"] in response["status"]["message"] + ) + + print("\nStep 5: Test Kubernetes GlobalConfiguration warning events") + if test_setup["gc_yaml"]: + gc_events = get_events_for_object(kube_apis.v1, "nginx-ingress", "nginx-configuration") + gc_event_latest = gc_events[-1] + print(gc_event_latest) + if test_setup["expected_gc_error_msg"]: + assert ( + gc_event_latest.reason == "AddedOrUpdatedWithError" + and gc_event_latest.type == "Warning" + and test_setup["expected_gc_error_msg"] in gc_event_latest.message + ) + else: + assert ( + gc_event_latest.reason == "Updated" + and gc_event_latest.type == "Normal" + and "GlobalConfiguration nginx-ingress/nginx-configuration was added or updated" + in gc_event_latest.message + ) + + print("\nStep 6: Restore test environments") + delete_secret(kube_apis.v1, secret_name, virtual_server_setup.namespace) + restore_default_vs(kube_apis, virtual_server_setup) + if test_setup["gc_yaml"]: + delete_gc(kube_apis.custom_objects, gc_resource, "nginx-ingress") + print(f"deleted GC : {gc_resource}") + wait_before_test(10) From 475fc9c78e04f25167504cebbcae97b8991c1601 Mon Sep 17 00:00:00 2001 
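Review bot: The cleanup in Step 6 of `test_custom_listeners_update` runs only when every assertion before it passes, so a failed `assert` leaves the TLS secret, the patched VirtualServer and the GlobalConfiguration in the cluster for the second parametrised case and for later tests. Wrapping Steps 2–5 in `try:` and moving the Step 6 calls under `finally:` (or into a fixture finalizer) makes the teardown unconditional. `make_request` and `expected_response_codes` are defined but never used, so nothing checks that the listeners answer on the configured addresses; either assert the response codes or drop both, and pass a `timeout=` to `requests.get` if the helper stays.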
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Sep 2024 08:51:53 +0100 Subject: [PATCH 51/83] Bump the go group with 3 updates (#6364) Bumps the go group with 3 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/service/marketplacemetering](https://github.com/aws/aws-sdk-go-v2) and [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang). Updates `github.com/aws/aws-sdk-go-v2/config` from 1.27.32 to 1.27.33 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.32...config/v1.27.33) Updates `github.com/aws/aws-sdk-go-v2/service/marketplacemetering` from 1.23.5 to 1.23.6 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.23.5...service/ram/v1.23.6) Updates `github.com/prometheus/client_golang` from 1.20.2 to 1.20.3 - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/v1.20.3/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.20.2...v1.20.3) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/aws/aws-sdk-go-v2/service/marketplacemetering dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 14 +++++++------- go.sum | 28 ++++++++++++++-------------- 2 files changed, 21 insertions(+), 21 deletions(-) 
diff --git a/go.mod b/go.mod index b4b7b1c388..3938e985b6 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,8 @@ module github.com/nginxinc/kubernetes-ingress go 1.23.0 require ( - github.com/aws/aws-sdk-go-v2/config v1.27.32 - github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.5 + github.com/aws/aws-sdk-go-v2/config v1.27.33 + github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.6 github.com/cert-manager/cert-manager v1.15.3 github.com/dlclark/regexp2 v1.11.4 github.com/gkampitakis/go-snaps v0.5.7 @@ -19,7 +19,7 @@ require ( github.com/nginxinc/nginx-prometheus-exporter v1.3.0 github.com/nginxinc/nginx-service-mesh v1.7.0 github.com/nginxinc/telemetry-exporter v0.1.1 - github.com/prometheus/client_golang v1.20.2 + github.com/prometheus/client_golang v1.20.3 github.com/spiffe/go-spiffe/v2 v2.3.0 github.com/stretchr/testify v1.9.0 go.opentelemetry.io/otel v1.29.0 
@@ -37,16 +37,16 @@ require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.31 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.22.6 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.6 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.30.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect github.com/aws/smithy-go v1.20.4 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect diff --git a/go.sum b/go.sum index 8a4baebba7..8111179b89 100644 --- a/go.sum +++ b/go.sum 
@@ -6,10 +6,10 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g= github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0= -github.com/aws/aws-sdk-go-v2/config v1.27.32 h1:jnAMVTJTpAQlePCUUlnXnllHEMGVWmvUJOiGjgtS9S0= -github.com/aws/aws-sdk-go-v2/config v1.27.32/go.mod h1:JibtzKJoXT0M/MhoYL6qfCk7nm/MppwukDFZtdgVRoY= -github.com/aws/aws-sdk-go-v2/credentials v1.17.31 h1:jtyfcOfgoqWA2hW/E8sFbwdfgwD3APnF9CLCKE8dTyw= -github.com/aws/aws-sdk-go-v2/credentials v1.17.31/go.mod h1:RSgY5lfCfw+FoyKWtOpLolPlfQVdDBQWTUniAaE+NKY= +github.com/aws/aws-sdk-go-v2/config v1.27.33 h1:Nof9o/MsmH4oa0s2q9a0k7tMz5x/Yj5k06lDODWz3BU= +github.com/aws/aws-sdk-go-v2/config v1.27.33/go.mod h1:kEqdYzRb8dd8Sy2pOdEbExTTF5v7ozEXX0McgPE7xks= +github.com/aws/aws-sdk-go-v2/credentials v1.17.32 h1:7Cxhp/BnT2RcGy4VisJ9miUPecY+lyE9I8JvcZofn9I= +github.com/aws/aws-sdk-go-v2/credentials v1.17.32/go.mod h1:P5/QMF3/DCHbXGEGkdbilXHsyTBX5D3HSwcrSc9p20I= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ= 
@@ -22,14 +22,14 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 h1:KypMCbL github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4/go.mod h1:Vz1JQXliGcQktFTN/LN6uGppAIRoLBR2bMvIMP0gOjc= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsdzgl7ZL2KlXiUAoJnI/VxfHCvDFr2QDFj6u4= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.5 h1:y1dOSUhBRvUWkE99L5Xm+wFMT1LfBoXyrjrcNIASbH4= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.5/go.mod h1:ck+HLSlQVYL8LIth8IrZ5qPQ4KTletB/O+WWqW8gtjQ= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.6 h1:o++HUDXlbrTl4PSal3YHtdErQxB8mDGAtkKNXBWPfIU= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.6/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.6 h1:yCHcQCOwTfIsc8DoEhM3qXPxD+j8CbI6t1K3dNzsWV0= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.6/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.6 h1:TrQadF7GcqvQ63kgwEcjlrVc2Fa0wpgLT0xtc73uAd8= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.6/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.6 h1:4ZL1yFmgCUTksVdHa71xao4X8ii5k6KtD93Fr08p1NU= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.6/go.mod h1:ck+HLSlQVYL8LIth8IrZ5qPQ4KTletB/O+WWqW8gtjQ= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 h1:pIaGg+08llrP7Q5aiz9ICWbY8cqhTkyy+0SHvfzQpTc= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.7/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 h1:/Cfdu0XV3mONYKaOt1Gr0k1KvQzkzPyiKUdlWJqy+J4= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA= 
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 h1:NKTa1eqZYw8tiHSRGpP0VtTdub/8KNk8sDkNPFaOKDE= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.7/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o= github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4= github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -214,8 +214,8 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.20.2 h1:5ctymQzZlyOON1666svgwn3s6IKWgfbjsejTMiXIyjg= -github.com/prometheus/client_golang v1.20.2/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= +github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4= +github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= From fc9419e34fe2679f3bbe4a1945b8d497182911b1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 6 Sep 2024 08:03:37 +0000 Subject: [PATCH 52/83] Bump the actions group across 1 directory with 2 updates (#6363) Bumps the actions group with 2 updates in the / directory: [nginxinc/docs-actions](https://github.com/nginxinc/docs-actions) and [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request). Updates `nginxinc/docs-actions` from 1.0.3 to 1.0.4 - [Release notes](https://github.com/nginxinc/docs-actions/releases) - [Commits](https://github.com/nginxinc/docs-actions/compare/a733e84a262f8d5d885bfc8eac80bc85928da322...d20def4d420028a71f99863011c6de7325c4013e) Updates `peter-evans/create-pull-request` from 7.0.0 to 7.0.1 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/4320041ed380b20e97d388d56a7fb4f9b8c20e79...8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20) --- updated-dependencies: - dependency-name: nginxinc/docs-actions dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Fenlon --- .github/workflows/docs-build-push.yml | 2 +- .github/workflows/release-pr.yml | 2 +- .github/workflows/update-docker-sha.yml | 2 +- .github/workflows/update-kubernetes-version.yml | 2 +- .github/workflows/version-bump.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docs-build-push.yml b/.github/workflows/docs-build-push.yml index 8c7c5a2f61..6b7f089e31 100644 --- a/.github/workflows/docs-build-push.yml +++ b/.github/workflows/docs-build-push.yml 
@@ -43,7 +43,7 @@ jobs: echo forked_workflow: ${{ steps.vars.outputs.forked_workflow }} call-docs-build-push: - uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@a733e84a262f8d5d885bfc8eac80bc85928da322 # v1.0.3 + uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@d20def4d420028a71f99863011c6de7325c4013e # v1.0.4 permissions: pull-requests: write # needed to write preview url comment to PR contents: read diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 7e8254bf30..abd408d65d 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -70,7 +70,7 @@ jobs: .github/scripts/release-notes-update.sh ${{ github.event.inputs.new_version }} ${{ github.event.inputs.new_helm_version }} "${{ github.event.inputs.k8s_versions }}" "${{ github.event.inputs.release_date }}" - name: Create Pull Request - uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 + uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 with: token: ${{ secrets.NGINX_PAT }} commit-message: Release ${{ github.event.inputs.new_version }} diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml index c03c439f05..f9ea36e92a 100644 --- a/.github/workflows/update-docker-sha.yml +++ b/.github/workflows/update-docker-sha.yml @@ -75,7 +75,7 @@ jobs: echo $GITHUB_OUTPUT - name: Create Pull Request - uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 + uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 id: pr with: token: ${{ secrets.NGINX_PAT }} diff --git a/.github/workflows/update-kubernetes-version.yml b/.github/workflows/update-kubernetes-version.yml index 0d2793bb73..a563b89420 100644 --- a/.github/workflows/update-kubernetes-version.yml +++ b/.github/workflows/update-kubernetes-version.yml 
@@ -43,7 +43,7 @@ jobs: if: ${{ steps.search.outputs.found == 'false' }} - name: Create Pull Request - uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 + uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 with: token: ${{ secrets.NGINX_PAT }} commit-message: update kubernetes version to ${{ steps.k8s-version.outputs.version }} in helm schema diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 6b986d14f7..04c98b7515 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -48,7 +48,7 @@ jobs: CHART_VERSION: ${{ inputs.helm_chart_version }} - name: Create Pull Request - uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79 # v7.0.0 + uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 with: token: ${{ secrets.NGINX_PAT }} commit-message: Version Bump for ${{ github.event.inputs.ic_version }} From 7c58667dbf14b0f5cd9e48bebaa560af124c7c20 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Fri, 6 Sep 2024 02:02:35 -0700 Subject: [PATCH 53/83] Docker image update 5d590d50 (#6365) Update docker images 5d590d50 Co-authored-by: Alex Fenlon --- build/Dockerfile | 4 ++-- build/dependencies/Dockerfile.ubi-ppc64le | 2 +- tests/Dockerfile | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index b3885473da..4e90fd369a 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -17,7 +17,7 @@ FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 FROM redhat/ubi9-minimal@sha256:f182b500ff167918ca1010595311cf162464f3aa1cab755383d38be61b4d30aa AS ubi-minimal -FROM golang:1.22-alpine@sha256:1a478681b671001b7f029f94b5016aed984a23ad99c707f6a0ab6563860ae2f3 AS golang-builder +FROM golang:1.22-alpine@sha256:c02e4518720baaa7657c2b3845452778cf83cf828accf2b5c7afef31ccb8073a AS golang-builder ############################################# Base image for Alpine ############################################# @@ -31,7 +31,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.27.1@sha256:1540e37eebb9abc5afa4256de1bade6542d50bf69b61b1dd855cb7804aaaf444 AS debian +FROM nginx:1.27.1@sha256:135fbc7ed19c8f644ddf678e68292e678696908451dad7ee2fd4e0cf861f4b6f AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le index d29c3ee9b1..e23ebb690d 100644 --- a/build/dependencies/Dockerfile.ubi-ppc64le +++ b/build/dependencies/Dockerfile.ubi-ppc64le @@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1.8 -FROM nginx:1.27.1@sha256:1540e37eebb9abc5afa4256de1bade6542d50bf69b61b1dd855cb7804aaaf444 AS nginx +FROM nginx:1.27.1@sha256:135fbc7ed19c8f644ddf678e68292e678696908451dad7ee2fd4e0cf861f4b6f AS nginx FROM redhat/ubi9:9.4@sha256:9460515b85f2a75278f2043438583c1c377c44bf100178bb653a6c8658304ac7 AS rpm-build ARG NGINX diff --git a/tests/Dockerfile b/tests/Dockerfile index 18c7d7e58f..bd38d0ed49 100644 
--- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -5,7 +5,7 @@ FROM kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date FROM quay.io/skopeo/stable:v1.16.1 -FROM python:3.12@sha256:29e0ed4d7724b123e55f6e95b5ab03226843848386fbc4ba590a3918beb2981e +FROM python:3.12@sha256:b7552a9f6cb77632e9ec6f714ed9846fb43bd32d17a7ad82bccac88f5e2cd333 RUN apt-get update \ && apt-get install -y curl git \ From a83b7bec542f287943fd9a3c959509bff5151647 Mon Sep 17 00:00:00 2001 From: Jim Ryan Date: Fri, 6 Sep 2024 12:32:40 +0100 Subject: [PATCH 54/83] update go version (#6368) --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 3938e985b6..4d8a6e24c3 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/nginxinc/kubernetes-ingress -go 1.23.0 +go 1.23.1 require ( github.com/aws/aws-sdk-go-v2/config v1.27.33 From 66cb364482055c867ab1b7da38275b86044a03f5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 9 Sep 2024 09:16:16 +0100 Subject: [PATCH 55/83] Bump docker/scout-action from 1.13.0 to 1.14.0 in the actions group (#6370) Bumps the actions group with 1 update: [docker/scout-action](https://github.com/docker/scout-action). Updates `docker/scout-action` from 1.13.0 to 1.14.0 - [Release notes](https://github.com/docker/scout-action/releases) - [Commits](https://github.com/docker/scout-action/compare/e71a6e518e912cc9094cb8c89e29bb0dcef01668...cc6bf8dd03587425ef920278b3e2726ba8d791e8) --- updated-dependencies: - dependency-name: docker/scout-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-oss.yml | 2 +- .github/workflows/build-plus.yml | 2 +- .github/workflows/image-promotion.yml | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 0c83326f9c..e42fa316cb 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -201,7 +201,7 @@ jobs: - name: Run Docker Scout vulnerability scanner id: docker-scout - uses: docker/scout-action@e71a6e518e912cc9094cb8c89e29bb0dcef01668 # v1.13.0 + uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0 with: command: cves,recommendations image: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 093f631d0b..1b34a5e336 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -222,7 +222,7 @@ jobs: - name: Run Docker Scout vulnerability scanner id: docker-scout - uses: docker/scout-action@e71a6e518e912cc9094cb8c89e29bb0dcef01668 # v1.13.0 + uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0 with: command: cves,recommendations image: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 8b65e9e132..9fd3ecd2ab 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -449,7 +449,7 @@ jobs: - name: Run Docker Scout vulnerability scanner id: docker-scout - uses: docker/scout-action@e71a6e518e912cc9094cb8c89e29bb0dcef01668 # v1.13.0 + uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0 with: command: cves,recommendations image: ${{ steps.meta.outputs.tags }} 
@@ -539,7 +539,7 @@ jobs: - name: Run Docker Scout vulnerability scanner id: docker-scout - uses: docker/scout-action@e71a6e518e912cc9094cb8c89e29bb0dcef01668 # v1.13.0 + uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0 with: command: cves,recommendations image: ${{ steps.meta.outputs.tags }} @@ -636,7 +636,7 @@ jobs: - name: Run Docker Scout vulnerability scanner id: docker-scout - uses: docker/scout-action@e71a6e518e912cc9094cb8c89e29bb0dcef01668 # v1.13.0 + uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0 with: command: cves,recommendations image: ${{ steps.meta.outputs.tags }} From 2b212ba0308a45447b816ee0b71022c7cc3b4b1b Mon Sep 17 00:00:00 2001 From: Jim Ryan Date: Mon, 9 Sep 2024 09:49:22 +0100 Subject: [PATCH 56/83] Reduce cyclomatic complexity in controller.go (#6373) reduce cyclomatic complexity --- internal/k8s/controller.go | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 09bd5eb6f5..0efc7dff96 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go 
@@ -3015,6 +3015,19 @@ func findPoliciesForSecret(policies []*conf_v1.Policy, secretNamespace string, s return res } +func (lbc *LoadBalancerController) getTransportServerBackupEndpointsAndKey(transportServer *conf_v1.TransportServer, u conf_v1.TransportServerUpstream, externalNameSvcs map[string]bool) ([]string, string) { + backupEndpointsKey := configs.GenerateEndpointsKey(transportServer.Namespace, u.Backup, nil, *u.BackupPort) + backupEndps, external, err := lbc.getEndpointsForUpstream(transportServer.Namespace, u.Backup, *u.BackupPort) + if err != nil { + glog.Warningf("Error getting Endpoints for Upstream %v: %v", u.Name, err) + } + if err == nil && external { + externalNameSvcs[configs.GenerateExternalNameSvcKey(transportServer.Namespace, u.Backup)] = true + } + bendps := getIPAddressesFromEndpoints(backupEndps) + return bendps, backupEndpointsKey +} + func (lbc *LoadBalancerController) createTransportServerEx(transportServer *conf_v1.TransportServer, listenerPort int) *configs.TransportServerEx { endpoints := make(map[string][]string) externalNameSvcs := make(map[string]bool) @@ -3042,17 +3055,8 @@ func (lbc *LoadBalancerController) createTransportServerEx(transportServer *conf } } - // If backup defined on Upstream retrieve its external name and port. if u.Backup != "" && u.BackupPort != nil { - backupEndpointsKey := configs.GenerateEndpointsKey(transportServer.Namespace, u.Backup, nil, *u.BackupPort) - backupEndps, external, err := lbc.getEndpointsForUpstream(transportServer.Namespace, u.Backup, *u.BackupPort) - if err != nil { - glog.Warningf("Error getting Endpoints for Upstream %v: %v", u.Name, err) - } - if err == nil && external { - externalNameSvcs[configs.GenerateExternalNameSvcKey(transportServer.Namespace, u.Backup)] = true - } - bendps := getIPAddressesFromEndpoints(backupEndps) + bendps, backupEndpointsKey := lbc.getTransportServerBackupEndpointsAndKey(transportServer, u, externalNameSvcs) endpoints[backupEndpointsKey] = bendps } } 
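Review bot: The new helper `getTransportServerBackupEndpointsAndKey` dereferences `*u.BackupPort` twice without a nil check of its own, so it is safe only because the call site in `createTransportServerEx` (second hunk) tests `u.BackupPort != nil` first; a later caller without that guard would panic the controller. It also writes into the caller's `externalNameSvcs` map, and when `getEndpointsForUpstream` fails it only logs a warning and still returns a key that the caller stores. The commit drops the old inline comment and adds none, so I would state the contract on the helper: `// getTransportServerBackupEndpointsAndKey returns the backup endpoint addresses and their endpoints key for u. u.BackupPort must be non-nil; externalNameSvcs is updated in place.` The warning prints `u.Name` only, and adding `u.Backup` would point the log line at the service that failed to resolve.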
From 79223d93d2f2cc8d4a32dc519df3cbe6d3560682 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Mon, 9 Sep 2024 03:03:23 -0700 Subject: [PATCH 57/83] Docker image update ac1e3d05 (#6371) Update docker images ac1e3d05 Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> --- build/Dockerfile | 10 +++++----- tests/Dockerfile | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 4e90fd369a..f07a3be4ee 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -17,11 +17,11 @@ FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 FROM redhat/ubi9-minimal@sha256:f182b500ff167918ca1010595311cf162464f3aa1cab755383d38be61b4d30aa AS ubi-minimal -FROM golang:1.22-alpine@sha256:c02e4518720baaa7657c2b3845452778cf83cf828accf2b5c7afef31ccb8073a AS golang-builder +FROM golang:1.22-alpine@sha256:48eab5e3505d8c8b42a06fe5f1cf4c346c167cc6a89e772f31cb9e5c301dcf60 AS golang-builder ############################################# Base image for Alpine ############################################# -FROM nginx:1.27.1-alpine@sha256:c04c18adc2a407740a397c8407c011fc6c90026a9b65cceddef7ae5484360158 AS alpine +FROM nginx:1.27.1-alpine@sha256:a5127daff3d6f4606be3100a252419bfa84fd6ee5cd74d0feaca1a5068f97dcf AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ 
@@ -102,7 +102,7 @@ USER 101 ############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.20@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS alpine-plus +FROM alpine:3.20@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d AS alpine-plus ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO @@ -135,7 +135,7 @@ RUN --mount=type=bind,from=alpine-fips-3.20,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# -FROM alpine:3.17@sha256:ef813b2faa3dd1a37f9ef6ca98347b72cd0f55e4ab29fb90946f1b853bf032d9 AS alpine-plus-nap-fips +FROM alpine:3.17@sha256:3451da08fc6ef554a100da3e2df5ac6d598c82f2a774d5f6ed465c3d80cd163a AS alpine-plus-nap-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -172,7 +172,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAFv5 and FIPS ############################################# -FROM alpine:3.17@sha256:ef813b2faa3dd1a37f9ef6ca98347b72cd0f55e4ab29fb90946f1b853bf032d9 AS alpine-plus-nap-v5-fips +FROM alpine:3.17@sha256:3451da08fc6ef554a100da3e2df5ac6d598c82f2a774d5f6ed465c3d80cd163a AS alpine-plus-nap-v5-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION diff --git a/tests/Dockerfile b/tests/Dockerfile index bd38d0ed49..91772f1c69 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile 
@@ -5,7 +5,7 @@ FROM kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date FROM quay.io/skopeo/stable:v1.16.1 -FROM python:3.12@sha256:b7552a9f6cb77632e9ec6f714ed9846fb43bd32d17a7ad82bccac88f5e2cd333 +FROM python:3.12@sha256:11aa4b620c15f855f66f02a7f3c1cd9cf843cc10f3edbcf158e5ebcd98d1f549 RUN apt-get update \ && apt-get install -y curl git \ From 5a319da010055c5dde8b60123b9247aa28649b3f Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Mon, 9 Sep 2024 16:49:49 +0100 Subject: [PATCH 58/83] Listener directive refactor (#6377) --- internal/configs/version2/template_helper.go | 116 ++++++++++++------- 1 file changed, 77 insertions(+), 39 deletions(-) diff --git a/internal/configs/version2/template_helper.go b/internal/configs/version2/template_helper.go index b81ad28978..65b674f679 100644 --- a/internal/configs/version2/template_helper.go +++ b/internal/configs/version2/template_helper.go @@ -23,6 +23,15 @@ const ( ipv6 ) +type listen struct { + ipAddress string + port string + tls bool + proxyProtocol bool + udp bool + ipType ipType +} + const spacing = " " func headerListToCIMap(headers []Header) map[string]string { 
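Review bot: The new `listen` struct has no comment, yet its zero values carry meaning that is not visible at the declaration. Later in this patch `buildListenDirective` turns an empty `ipAddress` into the wildcard (`[::]` for `ipv6`, port only otherwise) and emits `ssl`, `proxy_protocol` and `udp` from the three booleans. A short doc comment would save callers from reading the builder, for example `// listen describes one nginx listen directive; an empty ipAddress binds the wildcard address, and tls, proxyProtocol and udp each add the matching parameter.`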
@@ -69,16 +78,44 @@ func buildListenerDirectives(listenerType protocol, s Server, port string) strin var directives string if listenerType == http { - directives += buildListenDirective(s.HTTPIPv4, port, s.ProxyProtocol, ipv4) + directives += buildListenDirective(listen{ + ipAddress: s.HTTPIPv4, + port: port, + tls: false, + proxyProtocol: s.ProxyProtocol, + udp: false, + ipType: ipv4, + }) if !s.DisableIPV6 { directives += spacing - directives += buildListenDirective(s.HTTPIPv6, port, s.ProxyProtocol, ipv6) + directives += buildListenDirective(listen{ + ipAddress: s.HTTPIPv6, + port: port, + tls: false, + proxyProtocol: s.ProxyProtocol, + udp: false, + ipType: ipv6, + }) } } else { - directives += buildListenDirective(s.HTTPSIPv4, port, s.ProxyProtocol, ipv4) + directives += buildListenDirective(listen{ + ipAddress: s.HTTPSIPv4, + port: port, + tls: true, + proxyProtocol: s.ProxyProtocol, + udp: false, + ipType: ipv4, + }) if !s.DisableIPV6 { directives += spacing - directives += buildListenDirective(s.HTTPSIPv6, port, s.ProxyProtocol, ipv6) + directives += buildListenDirective(listen{ + ipAddress: s.HTTPSIPv6, + port: port, + tls: true, + proxyProtocol: s.ProxyProtocol, + udp: false, + ipType: ipv6, + }) } } 
@@ -86,60 +123,47 @@ func buildListenerDirectives(listenerType protocol, s Server, port string) strin } func getDefaultPort(listenerType protocol) string { - if listenerType == http { - return "80" + s := Server{ + HTTPPort: 80, + HTTPSPort: 443, } - return "443 ssl" + + return getCustomPort(listenerType, s) } func getCustomPort(listenerType protocol, s Server) string { if listenerType == http { return strconv.Itoa(s.HTTPPort) } - return strconv.Itoa(s.HTTPSPort) + " ssl" + return strconv.Itoa(s.HTTPSPort) } -func buildListenDirective(ip string, port string, proxyProtocol bool, ipType ipType) string { +func buildListenDirective(l listen) string { base := "listen" var directive string - if ipType == ipv6 { - if ip != "" { - directive = fmt.Sprintf("%s [%s]:%s", base, ip, port) - } else { - directive = fmt.Sprintf("%s [::]:%s", base, port) - } - } else { - if ip != "" { - directive = fmt.Sprintf("%s %s:%s", base, ip, port) - } else { - directive = fmt.Sprintf("%s %s", base, port) + if l.ipType == ipv6 { + if l.ipAddress == "" { + l.ipAddress = "::" } + l.ipAddress = fmt.Sprintf("[%s]", l.ipAddress) } - if proxyProtocol { - directive += " proxy_protocol" - } - - directive += ";\n" - return directive -} - -func buildTransportListenDirective(ipType ipType, port string, ssl *StreamSSL, udp bool) string { - base := "listen" - var directive string - - if ipType == ipv6 { - directive = base + " [::]:" + port + if l.ipAddress != "" { + directive = fmt.Sprintf("%s %s:%s", base, l.ipAddress, l.port) } else { - directive = base + " " + port + directive = fmt.Sprintf("%s %s", base, l.port) } - if ssl.Enabled { + if l.tls { directive += " ssl" } - if udp { + if l.proxyProtocol { + directive += " proxy_protocol" + } + + if l.udp { directive += " udp" } 
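Review bot: `getDefaultPort` and `getCustomPort` no longer append ` ssl` to the HTTPS port, so TLS on a listener now depends entirely on the caller setting `tls: true` in the `listen` value. Any user of these two helpers that is not part of this patch would silently render a plaintext `listen 443;`; their callers are outside the hunk, so this is worth confirming and pinning with a test that asserts the HTTPS output of `buildListenerDirectives` contains ` ssl`. `buildListenDirective`, whose body ends outside the hunk, also formats `l.ipAddress` and `l.port` into the directive as given, and whether they are validated earlier is not visible here. A comment would make that requirement explicit: `// l.ipAddress and l.port must already be validated; they are written into the nginx config verbatim.`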
@@ -159,11 +183,25 @@ func makeTransportListener(s StreamServer) string { var directives string port := strconv.Itoa(s.Port) - directives += buildTransportListenDirective(ipv4, port, s.SSL, s.UDP) + directives += buildListenDirective(listen{ + ipAddress: "", + port: port, + tls: s.SSL.Enabled, + proxyProtocol: false, + udp: s.UDP, + ipType: ipv4, + }) if !s.DisableIPV6 { directives += spacing - directives += buildTransportListenDirective(ipv6, port, s.SSL, s.UDP) + directives += buildListenDirective(listen{ + ipAddress: "", + port: port, + tls: s.SSL.Enabled, + proxyProtocol: false, + udp: s.UDP, + ipType: ipv6, + }) } return directives From da69775b2666b0a8c90339dce42f2e8302e245a2 Mon Sep 17 00:00:00 2001 From: Jack Hickey <133868041+nginx-jack@users.noreply.github.com> Date: Mon, 9 Sep 2024 23:29:48 +0100 Subject: [PATCH 59/83] Update docs-actions (#6351) This PR updates the docs-actions version. It removes the check for forked workflows, as the docs-actions now has that check built in. This version of the docs-actions also includes auto-deploy support. Usage can be seen in the caller example. https://github.com/nginxinc/docs-actions/tree/v1.0.4?tab=readme-ov-file#caller-example Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Co-authored-by: Venktesh Shivam Patel Co-authored-by: Haywood Shannon <5781935+haywoodsh@users.noreply.github.com> --- .github/workflows/docs-build-push.yml | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/.github/workflows/docs-build-push.yml b/.github/workflows/docs-build-push.yml index 6b7f089e31..57d90bbbd2 100644 --- a/.github/workflows/docs-build-push.yml +++ b/.github/workflows/docs-build-push.yml 
@@ -22,32 +22,11 @@ permissions: contents: read jobs: - checks: - name: Checks and variables - runs-on: ubuntu-24.04 - permissions: - contents: read - outputs: - forked_workflow: ${{ steps.vars.outputs.forked_workflow }} - steps: - - name: Checkout Repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: Set Variables - id: vars - run: | - echo "forked_workflow=${{ (github.event.pull_request && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) || github.repository != 'nginxinc/kubernetes-ingress' }}" >> $GITHUB_OUTPUT - - - name: Output variables - run: | - echo forked_workflow: ${{ steps.vars.outputs.forked_workflow }} - call-docs-build-push: uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@d20def4d420028a71f99863011c6de7325c4013e # v1.0.4 permissions: pull-requests: write # needed to write preview url comment to PR contents: read - needs: [checks] with: production_url_path: "/nginx-ingress-controller" preview_url_path: "/previews/nginx-ingress-controller" @@ -58,4 +37,3 @@ jobs: secrets: AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS_DOCS }} AZURE_KEY_VAULT: ${{ secrets.AZURE_KEY_VAULT_DOCS }} - if: ${{ needs.checks.outputs.forked_workflow == 'false' }} From bc43dd81d18a6014b7218845a6d716838df7f452 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Tue, 10 Sep 2024 01:14:19 -0700 Subject: [PATCH 60/83] Docker image update 018156f5 (#6382) Update docker images 018156f5 --- build/Dockerfile | 4 ++-- tests/Dockerfile | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index f07a3be4ee..e968d79105 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -11,8 +11,8 @@ ARG PACKAGE_REPO=pkgs.nginx.com ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1@sha256:df790013503caa036b0a0f620ede777216412441adba6326ab7f6e10896264d7 AS opentracing-lib -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1-alpine@sha256:cfc4ec96e5cac0a9890db1e200332534d0086575e69b43e0744c11541976bd5e AS alpine-opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1@sha256:f600b13a2733a86e06ce944c50b3d61f6d9304c1e7a09d2c50ab4772a8951237 AS opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1-alpine@sha256:04ced4219f2c14b80195c4e415b296fbbefaff967476f16f1cb9e3a36398ddca AS alpine-opentracing-lib FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e2bd639b269ec54343ea66b7acbdb0eb67bed44383e1be937c483c451d AS ubi-ppc64le FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 diff --git a/tests/Dockerfile b/tests/Dockerfile index 91772f1c69..45fab31233 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -5,7 +5,7 @@ FROM kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date FROM quay.io/skopeo/stable:v1.16.1 -FROM python:3.12@sha256:11aa4b620c15f855f66f02a7f3c1cd9cf843cc10f3edbcf158e5ebcd98d1f549 +FROM python:3.12@sha256:fcad5ffb670a9f1edc5cc232b2b321e617aaaae1a22c54242964178e408e0057 RUN apt-get update \ && apt-get install -y curl git \ From 5662194386add53088275e2dc946619967a8390c Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 08:17:59 +0000 Subject: [PATCH 61/83] [pre-commit.ci] pre-commit autoupdate (#6381) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/golangci/golangci-lint: v1.60.3 → v1.61.0](https://github.com/golangci/golangci-lint/compare/v1.60.3...v1.61.0) - [github.com/DavidAnson/markdownlint-cli2: v0.13.0 → v0.14.0](https://github.com/DavidAnson/markdownlint-cli2/compare/v0.13.0...v0.14.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e8e785c539..b56a9112a1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -44,7 +44,7 @@ repos: pass_filenames: false - repo: https://github.com/golangci/golangci-lint - rev: v1.60.3 + rev: v1.61.0 hooks: - id: golangci-lint args: [--new-from-patch=/tmp/diff.patch] @@ -86,7 +86,7 @@ repos: args: ["--schemafile", "charts/nginx-ingress/values.schema.json"] - repo: https://github.com/DavidAnson/markdownlint-cli2 - rev: v0.13.0 + rev: v0.14.0 hooks: - id: markdownlint-cli2 From 194cd1f2d0d56c345126c6850acc923e7c3ab0b1 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Sep 2024 08:46:04 +0000 Subject: [PATCH 62/83] Bump the python group in /tests with 2 updates (#6380) Bumps the python group in /tests with 2 updates: [cffi](https://github.com/python-cffi/cffi) and [more-itertools](https://github.com/more-itertools/more-itertools). Updates `cffi` from 1.17.0 to 1.17.1 - [Release notes](https://github.com/python-cffi/cffi/releases) - [Commits](https://github.com/python-cffi/cffi/compare/v1.17.0...v1.17.1) Updates `more-itertools` from 10.4.0 to 10.5.0 - [Release notes](https://github.com/more-itertools/more-itertools/releases) - [Commits](https://github.com/more-itertools/more-itertools/compare/v10.4.0...v10.5.0) --- updated-dependencies: - dependency-name: cffi dependency-type: direct:production update-type: version-update:semver-patch dependency-group: python - dependency-name: more-itertools dependency-type: direct:production update-type: version-update:semver-minor dependency-group: python ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> --- tests/requirements.txt | 142 ++++++++++++++++++++--------------------- 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/tests/requirements.txt b/tests/requirements.txt index 235c00c58e..22ee11f3f7 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt 
@@ -21,74 +21,74 @@ certifi==2024.8.30 \ # -r requirements.txt # kubernetes # requests -cffi==1.17.0 \ - --hash=sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f \ - --hash=sha256:0a048d4f6630113e54bb4b77e315e1ba32a5a31512c31a273807d0027a7e69ab \ - --hash=sha256:0bb15e7acf8ab35ca8b24b90af52c8b391690ef5c4aec3d31f38f0d37d2cc499 \ - --hash=sha256:0d46ee4764b88b91f16661a8befc6bfb24806d885e27436fdc292ed7e6f6d058 \ - --hash=sha256:0e60821d312f99d3e1569202518dddf10ae547e799d75aef3bca3a2d9e8ee693 \ - --hash=sha256:0fdacad9e0d9fc23e519efd5ea24a70348305e8d7d85ecbb1a5fa66dc834e7fb \ - --hash=sha256:14b9cbc8f7ac98a739558eb86fabc283d4d564dafed50216e7f7ee62d0d25377 \ - --hash=sha256:17c6d6d3260c7f2d94f657e6872591fe8733872a86ed1345bda872cfc8c74885 \ - --hash=sha256:1a2ddbac59dc3716bc79f27906c010406155031a1c801410f1bafff17ea304d2 \ - --hash=sha256:2404f3de742f47cb62d023f0ba7c5a916c9c653d5b368cc966382ae4e57da401 \ - --hash=sha256:24658baf6224d8f280e827f0a50c46ad819ec8ba380a42448e24459daf809cf4 \ - --hash=sha256:24aa705a5f5bd3a8bcfa4d123f03413de5d86e497435693b638cbffb7d5d8a1b \ - --hash=sha256:2770bb0d5e3cc0e31e7318db06efcbcdb7b31bcb1a70086d3177692a02256f59 \ - --hash=sha256:331ad15c39c9fe9186ceaf87203a9ecf5ae0ba2538c9e898e3a6967e8ad3db6f \ - --hash=sha256:3aa9d43b02a0c681f0bfbc12d476d47b2b2b6a3f9287f11ee42989a268a1833c \ - --hash=sha256:41f4915e09218744d8bae14759f983e466ab69b178de38066f7579892ff2a555 \ - --hash=sha256:4304d4416ff032ed50ad6bb87416d802e67139e31c0bde4628f36a47a3164bfa \ - --hash=sha256:435a22d00ec7d7ea533db494da8581b05977f9c37338c80bc86314bec2619424 \ - --hash=sha256:45f7cd36186db767d803b1473b3c659d57a23b5fa491ad83c6d40f2af58e4dbb \ - --hash=sha256:48b389b1fd5144603d61d752afd7167dfd205973a43151ae5045b35793232aa2 \ - --hash=sha256:4e67d26532bfd8b7f7c05d5a766d6f437b362c1bf203a3a5ce3593a645e870b8 \ - --hash=sha256:516a405f174fd3b88829eabfe4bb296ac602d6a0f68e0d64d5ac9456194a5b7e \ - 
--hash=sha256:5ba5c243f4004c750836f81606a9fcb7841f8874ad8f3bf204ff5e56332b72b9 \ - --hash=sha256:5bdc0f1f610d067c70aa3737ed06e2726fd9d6f7bfee4a351f4c40b6831f4e82 \ - --hash=sha256:6107e445faf057c118d5050560695e46d272e5301feffda3c41849641222a828 \ - --hash=sha256:6327b572f5770293fc062a7ec04160e89741e8552bf1c358d1a23eba68166759 \ - --hash=sha256:669b29a9eca6146465cc574659058ed949748f0809a2582d1f1a324eb91054dc \ - --hash=sha256:6ce01337d23884b21c03869d2f68c5523d43174d4fc405490eb0091057943118 \ - --hash=sha256:6d872186c1617d143969defeadac5a904e6e374183e07977eedef9c07c8953bf \ - --hash=sha256:6f76a90c345796c01d85e6332e81cab6d70de83b829cf1d9762d0a3da59c7932 \ - --hash=sha256:70d2aa9fb00cf52034feac4b913181a6e10356019b18ef89bc7c12a283bf5f5a \ - --hash=sha256:7cbc78dc018596315d4e7841c8c3a7ae31cc4d638c9b627f87d52e8abaaf2d29 \ - --hash=sha256:856bf0924d24e7f93b8aee12a3a1095c34085600aa805693fb7f5d1962393206 \ - --hash=sha256:8a98748ed1a1df4ee1d6f927e151ed6c1a09d5ec21684de879c7ea6aa96f58f2 \ - --hash=sha256:93a7350f6706b31f457c1457d3a3259ff9071a66f312ae64dc024f049055f72c \ - --hash=sha256:964823b2fc77b55355999ade496c54dde161c621cb1f6eac61dc30ed1b63cd4c \ - --hash=sha256:a003ac9edc22d99ae1286b0875c460351f4e101f8c9d9d2576e78d7e048f64e0 \ - --hash=sha256:a0ce71725cacc9ebf839630772b07eeec220cbb5f03be1399e0457a1464f8e1a \ - --hash=sha256:a47eef975d2b8b721775a0fa286f50eab535b9d56c70a6e62842134cf7841195 \ - --hash=sha256:a8b5b9712783415695663bd463990e2f00c6750562e6ad1d28e072a611c5f2a6 \ - --hash=sha256:a9015f5b8af1bb6837a3fcb0cdf3b874fe3385ff6274e8b7925d81ccaec3c5c9 \ - --hash=sha256:aec510255ce690d240f7cb23d7114f6b351c733a74c279a84def763660a2c3bc \ - --hash=sha256:b00e7bcd71caa0282cbe3c90966f738e2db91e64092a877c3ff7f19a1628fdcb \ - --hash=sha256:b50aaac7d05c2c26dfd50c3321199f019ba76bb650e346a6ef3616306eed67b0 \ - --hash=sha256:b7b6ea9e36d32582cda3465f54c4b454f62f23cb083ebc7a94e2ca6ef011c3a7 \ - --hash=sha256:bb9333f58fc3a2296fb1d54576138d4cf5d496a2cc118422bd77835e6ae0b9cb \ - 
--hash=sha256:c1c13185b90bbd3f8b5963cd8ce7ad4ff441924c31e23c975cb150e27c2bf67a \ - --hash=sha256:c3b8bd3133cd50f6b637bb4322822c94c5ce4bf0d724ed5ae70afce62187c492 \ - --hash=sha256:c5d97162c196ce54af6700949ddf9409e9833ef1003b4741c2b39ef46f1d9720 \ - --hash=sha256:c815270206f983309915a6844fe994b2fa47e5d05c4c4cef267c3b30e34dbe42 \ - --hash=sha256:cab2eba3830bf4f6d91e2d6718e0e1c14a2f5ad1af68a89d24ace0c6b17cced7 \ - --hash=sha256:d1df34588123fcc88c872f5acb6f74ae59e9d182a2707097f9e28275ec26a12d \ - --hash=sha256:d6bdcd415ba87846fd317bee0774e412e8792832e7805938987e4ede1d13046d \ - --hash=sha256:db9a30ec064129d605d0f1aedc93e00894b9334ec74ba9c6bdd08147434b33eb \ - --hash=sha256:dbc183e7bef690c9abe5ea67b7b60fdbca81aa8da43468287dae7b5c046107d4 \ - --hash=sha256:dca802c8db0720ce1c49cce1149ff7b06e91ba15fa84b1d59144fef1a1bc7ac2 \ - --hash=sha256:dec6b307ce928e8e112a6bb9921a1cb00a0e14979bf28b98e084a4b8a742bd9b \ - --hash=sha256:df8bb0010fdd0a743b7542589223a2816bdde4d94bb5ad67884348fa2c1c67e8 \ - --hash=sha256:e4094c7b464cf0a858e75cd14b03509e84789abf7b79f8537e6a72152109c76e \ - --hash=sha256:e4760a68cab57bfaa628938e9c2971137e05ce48e762a9cb53b76c9b569f1204 \ - --hash=sha256:eb09b82377233b902d4c3fbeeb7ad731cdab579c6c6fda1f763cd779139e47c3 \ - --hash=sha256:eb862356ee9391dc5a0b3cbc00f416b48c1b9a52d252d898e5b7696a5f9fe150 \ - --hash=sha256:ef9528915df81b8f4c7612b19b8628214c65c9b7f74db2e34a646a0a2a0da2d4 \ - --hash=sha256:f3157624b7558b914cb039fd1af735e5e8049a87c817cc215109ad1c8779df76 \ - --hash=sha256:f3e0992f23bbb0be00a921eae5363329253c3b86287db27092461c887b791e5e \ - --hash=sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb \ - --hash=sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91 +cffi==1.17.1 \ + --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ + --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ + 
--hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ + --hash=sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15 \ + --hash=sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36 \ + --hash=sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824 \ + --hash=sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8 \ + --hash=sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36 \ + --hash=sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17 \ + --hash=sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf \ + --hash=sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc \ + --hash=sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3 \ + --hash=sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed \ + --hash=sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702 \ + --hash=sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1 \ + --hash=sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8 \ + --hash=sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903 \ + --hash=sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6 \ + --hash=sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d \ + --hash=sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b \ + --hash=sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e \ + --hash=sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be \ + --hash=sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c \ + --hash=sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683 \ + --hash=sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9 \ + --hash=sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c \ + 
--hash=sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8 \ + --hash=sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1 \ + --hash=sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4 \ + --hash=sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655 \ + --hash=sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67 \ + --hash=sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595 \ + --hash=sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0 \ + --hash=sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65 \ + --hash=sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41 \ + --hash=sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6 \ + --hash=sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401 \ + --hash=sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6 \ + --hash=sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3 \ + --hash=sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16 \ + --hash=sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93 \ + --hash=sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e \ + --hash=sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4 \ + --hash=sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964 \ + --hash=sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c \ + --hash=sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576 \ + --hash=sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0 \ + --hash=sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3 \ + --hash=sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662 \ + --hash=sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3 \ + 
--hash=sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff \ + --hash=sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5 \ + --hash=sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd \ + --hash=sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f \ + --hash=sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5 \ + --hash=sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14 \ + --hash=sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d \ + --hash=sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9 \ + --hash=sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7 \ + --hash=sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382 \ + --hash=sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a \ + --hash=sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e \ + --hash=sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a \ + --hash=sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4 \ + --hash=sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99 \ + --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ + --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b # via # -r requirements.txt # cryptography 
@@ -423,9 +423,9 @@ mock==5.1.0 \ --hash=sha256:18c694e5ae8a208cdb3d2c20a993ca1a7b0efa258c247a1e565150f477f83744 \ --hash=sha256:5e96aad5ccda4718e0a229ed94b2024df75cc2d55575ba5762d31f5767b8767d # via -r requirements.txt -more-itertools==10.4.0 \ - --hash=sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27 \ - --hash=sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923 +more-itertools==10.5.0 \ + --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \ + --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6 # via -r requirements.txt oauthlib==3.2.2 \ --hash=sha256:8139f29aac13e25d502680e9e19963e83f16838d48a0d71c287fe40e7067fbca \ From 53b27f7ae00fed9e4b5eb7ebbd414318776daaf2 Mon Sep 17 00:00:00 2001 From: Luca Comellini Date: Tue, 10 Sep 2024 02:57:26 -0700 Subject: [PATCH 63/83] Add CLA bot workflow (#6383) --- .github/scripts/exclude_ci_files.txt | 1 + .github/workflows/f5-cla.yml | 51 ++++++++++++++++++++++++++++ CONTRIBUTING.md | 9 +++++ 3 files changed, 61 insertions(+) create mode 100644 .github/workflows/f5-cla.yml diff --git a/.github/scripts/exclude_ci_files.txt b/.github/scripts/exclude_ci_files.txt index 49573813ef..8d9cf9407a 100644 --- a/.github/scripts/exclude_ci_files.txt +++ b/.github/scripts/exclude_ci_files.txt @@ -26,6 +26,7 @@ .github/workflows/dependency-review.yml .github/workflows/dockerhub-description.yml .github/workflows/docs-build-push.yml +.github/workflows/f5-cla.yml .github/workflows/fossa.yml .github/workflows/image-promotion.yml .github/workflows/issues.yaml diff --git a/.github/workflows/f5-cla.yml b/.github/workflows/f5-cla.yml new file mode 100644 index 0000000000..de0dbc8a55 --- /dev/null +++ b/.github/workflows/f5-cla.yml 
@@ -0,0 +1,51 @@ +name: F5 CLA + +on: + issue_comment: + types: + - created + pull_request_target: + types: + - opened + - synchronize + - reopened + +concurrency: + group: ${{ github.ref_name }}-cla + +permissions: + contents: read + +jobs: + f5-cla: + name: F5 CLA + runs-on: ubuntu-22.04 + permissions: + actions: write + contents: read + pull-requests: write + statuses: write + steps: + - name: Run F5 Contributor License Agreement (CLA) assistant + if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target' + uses: contributor-assistant/github-action@f41946747f85d28e9a738f4f38dbcc74b69c7e0e # v2.5.1 + with: + # Any pull request targeting the following branch will trigger a CLA check. + branch: "main" + # Path to the CLA document. + path-to-document: "https://github.com/f5/.github/blob/main/CLA/cla-markdown.md" + # Custom CLA messages. + custom-notsigned-prcomment: "🎉 Thank you for your contribution! It appears you have not yet signed the F5 Contributor License Agreement (CLA), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md) and reply on a new comment with the following text to agree:" + custom-pr-sign-comment: "I have hereby read the F5 CLA and agree to its terms" + custom-allsigned-prcomment: "✅ All required contributors have signed the F5 CLA for this PR. Thank you!" + # Remote repository storing CLA signatures. + remote-organization-name: "f5" + remote-repository-name: "f5-cla-data" + path-to-signatures: "signatures/beta/signatures.json" + # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA. + allowlist: bot* + # Do not lock PRs after a merge. 
+ lock-pullrequest-aftermerge: false + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }} diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 1835e29992..1421d95385 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -74,6 +74,15 @@ fill in the template as provided. type of issue it is (bug, feature request, etc) and to determine the milestone. Please see the [Issue Lifecycle](ISSUE_LIFECYCLE.md) document for more information. +### F5 Contributor License Agreement (CLA) + +F5 requires all external contributors to agree to the terms of the F5 CLA (available [here](https://github.com/f5/.github/blob/main/CLA/cla-markdown.md)) +before any of their changes can be incorporated into an F5 Open Source repository. + +If you have not yet agreed to the F5 CLA terms and submit a PR to this repository, a bot will prompt you to view and +agree to the F5 CLA. You will have to agree to the F5 CLA terms through a comment in the PR before any of your changes +can be merged. Your agreement signature will be safely stored by F5 and no longer be required in future PRs. + ## Style Guides ### Git Style Guide From 890af8e2848ff4d713d29958ae3fd9446aa348ec Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Tue, 10 Sep 2024 15:06:04 +0100 Subject: [PATCH 64/83] refactor TransportServer controller (#6389) --- internal/k8s/controller.go | 219 ------------------------- internal/k8s/handlers.go | 34 ---- internal/k8s/transport_server.go | 269 +++++++++++++++++++++++++++++++ 3 files changed, 269 insertions(+), 253 deletions(-) create mode 100644 internal/k8s/transport_server.go diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 0efc7dff96..8ab2b3f67b 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go 
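Review bot: The `allowlist: bot*` entry in the CLA step exempts every login that matches the wildcard, and GitHub logins are chosen by the account owner, so the exemption is probably wider than the automation accounts it is meant for. Naming the accounts explicitly would tighten it, for example `allowlist: dependabot[bot],pre-commit-ci[bot]` (the two bots visible in this patch series; confirm the full list and the exact login strings the action compares against before changing it). The job also runs on `pull_request_target` with `actions: write`, `pull-requests: write`, `statuses: write` and the `F5_CLA_TOKEN` secret, which is acceptable only because no step checks out or executes the pull request's code. A comment above `steps:` would keep that invariant visible to later editors: `# Runs with base-repo secrets on pull_request_target: never add a checkout or run step for PR head code here.`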
@@ -556,14 +556,6 @@ func (nsi *namespacedInformer) addPolicyHandler(handlers cache.ResourceEventHand nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) } -func (nsi *namespacedInformer) addTransportServerHandler(handlers cache.ResourceEventHandlerFuncs) { - informer := nsi.confSharedInformerFactory.K8s().V1().TransportServers().Informer() - informer.AddEventHandler(handlers) - nsi.transportServerLister = informer.GetStore() - - nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) -} - func (lbc *LoadBalancerController) addNamespaceHandler(handlers cache.ResourceEventHandlerFuncs, nsLabel string) { optionsModifier := func(options *meta_v1.ListOptions) { options.LabelSelector = nsLabel @@ -1238,35 +1230,6 @@ func (lbc *LoadBalancerController) syncPolicy(task task) { // Note: updating the status of a policy based on a reload is not needed. } -func (lbc *LoadBalancerController) syncTransportServer(task task) { - key := task.Key - var obj interface{} - var tsExists bool - var err error - - ns, _, _ := cache.SplitMetaNamespaceKey(key) - obj, tsExists, err = lbc.getNamespacedInformer(ns).transportServerLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - - var changes []ResourceChange - var problems []ConfigurationProblem - - if !tsExists { - glog.V(2).Infof("Deleting TransportServer: %v\n", key) - changes, problems = lbc.configuration.DeleteTransportServer(key) - } else { - glog.V(2).Infof("Adding or Updating TransportServer: %v\n", key) - ts := obj.(*conf_v1.TransportServer) - changes, problems = lbc.configuration.AddOrUpdateTransportServer(ts) - } - - lbc.processChanges(changes) - lbc.processProblems(problems) -} - func (lbc *LoadBalancerController) syncVirtualServer(task task) { key := task.Key var obj interface{} 
@@ -1437,45 +1400,6 @@ func (lbc *LoadBalancerController) processChanges(changes []ResourceChange) { } } -func (lbc *LoadBalancerController) updateTransportServerStatusAndEventsOnDelete(tsConfig *TransportServerConfiguration, changeError string, deleteErr error) { - eventType := api_v1.EventTypeWarning - eventTitle := "Rejected" - eventWarningMessage := "" - var state string - - // TransportServer either became invalid or lost its host or listener - if changeError != "" { - state = conf_v1.StateInvalid - eventWarningMessage = fmt.Sprintf("with error: %s", changeError) - } else if len(tsConfig.Warnings) > 0 { - state = conf_v1.StateWarning - eventWarningMessage = fmt.Sprintf("with warning(s): %s", formatWarningMessages(tsConfig.Warnings)) - } - - // we don't need to report anything if eventWarningMessage is empty - // in that case, the resource was deleted because its class became incorrect - // (some other Ingress Controller will handle it) - - if eventWarningMessage != "" { - if deleteErr != nil { - eventType = api_v1.EventTypeWarning - eventTitle = "RejectedWithError" - eventWarningMessage = fmt.Sprintf("%s; but was not applied: %v", eventWarningMessage, deleteErr) - state = conf_v1.StateInvalid - } - - msg := fmt.Sprintf("TransportServer %s was rejected %s", getResourceKey(&tsConfig.TransportServer.ObjectMeta), eventWarningMessage) - lbc.recorder.Eventf(tsConfig.TransportServer, eventType, eventTitle, msg) - - if lbc.reportCustomResourceStatusEnabled() { - err := lbc.statusUpdater.UpdateTransportServerStatus(tsConfig.TransportServer, state, eventTitle, msg) - if err != nil { - glog.Errorf("Error when updating the status for TransportServer %v/%v: %v", tsConfig.TransportServer.Namespace, tsConfig.TransportServer.Name, err) - } - } - } -} - // UpdateVirtualServerStatusAndEventsOnDelete updates the virtual server status and events func (lbc *LoadBalancerController) UpdateVirtualServerStatusAndEventsOnDelete(vsConfig *VirtualServerConfiguration, changeError string, 
deleteErr error) { eventType := api_v1.EventTypeWarning 
@@ -1688,44 +1612,6 @@ func (lbc *LoadBalancerController) updateRegularIngressStatusAndEvents(ingConfig } } -func (lbc *LoadBalancerController) updateTransportServerStatusAndEvents(tsConfig *TransportServerConfiguration, warnings configs.Warnings, operationErr error) { - eventTitle := "AddedOrUpdated" - eventType := api_v1.EventTypeNormal - eventWarningMessage := "" - state := conf_v1.StateValid - - if len(tsConfig.Warnings) > 0 { - eventType = api_v1.EventTypeWarning - eventTitle = "AddedOrUpdatedWithWarning" - eventWarningMessage = fmt.Sprintf("with warning(s): %s", formatWarningMessages(tsConfig.Warnings)) - state = conf_v1.StateWarning - } - - if messages, ok := warnings[tsConfig.TransportServer]; ok { - eventType = api_v1.EventTypeWarning - eventTitle = "AddedOrUpdatedWithWarning" - eventWarningMessage = fmt.Sprintf("with warning(s): %s", formatWarningMessages(messages)) - state = conf_v1.StateWarning - } - - if operationErr != nil { - eventType = api_v1.EventTypeWarning - eventTitle = "AddedOrUpdatedWithError" - eventWarningMessage = fmt.Sprintf("%s; but was not applied: %v", eventWarningMessage, operationErr) - state = conf_v1.StateInvalid - } - - msg := fmt.Sprintf("Configuration for %v was added or updated %s", getResourceKey(&tsConfig.TransportServer.ObjectMeta), eventWarningMessage) - lbc.recorder.Eventf(tsConfig.TransportServer, eventType, eventTitle, msg) - - if lbc.reportCustomResourceStatusEnabled() { - err := lbc.statusUpdater.UpdateTransportServerStatus(tsConfig.TransportServer, state, eventTitle, msg) - if err != nil { - glog.Errorf("Error when updating the status for TransportServer %v/%v: %v", tsConfig.TransportServer.Namespace, tsConfig.TransportServer.Name, err) - } - } -} - func (lbc *LoadBalancerController) updateVirtualServerStatusAndEvents(vsConfig *VirtualServerConfiguration, warnings configs.Warnings, operationErr error) { eventType := api_v1.EventTypeNormal eventTitle := "AddedOrUpdated" 
@@ -1870,15 +1756,6 @@ func (lbc *LoadBalancerController) updateVirtualServerMetrics() { lbc.metricsCollector.SetVirtualServerRoutes(vsrCount) } -func (lbc *LoadBalancerController) updateTransportServerMetrics() { - if !lbc.areCustomResourcesEnabled { - return - } - - metrics := lbc.configuration.GetTransportServerMetrics() - lbc.metricsCollector.SetTransportServers(metrics.TotalTLSPassthrough, metrics.TotalTCP, metrics.TotalUDP) -} - func (lbc *LoadBalancerController) syncService(task task) { key := task.Key @@ -2214,45 +2091,6 @@ func (lbc *LoadBalancerController) updateVirtualServerRoutesStatusFromEvents() e return nil } -func (lbc *LoadBalancerController) updateTransportServersStatusFromEvents() error { - var allErrs []error - for _, nsi := range lbc.namespacedInformers { - for _, obj := range nsi.transportServerLister.List() { - ts := obj.(*conf_v1.TransportServer) - - events, err := lbc.client.CoreV1().Events(ts.Namespace).List(context.TODO(), - meta_v1.ListOptions{FieldSelector: fmt.Sprintf("involvedObject.name=%v,involvedObject.uid=%v", ts.Name, ts.UID)}) - if err != nil { - allErrs = append(allErrs, fmt.Errorf("error trying to get events for TransportServer %v/%v: %w", ts.Namespace, ts.Name, err)) - break - } - - if len(events.Items) == 0 { - continue - } - - var timestamp time.Time - var latestEvent api_v1.Event - for _, event := range events.Items { - if event.CreationTimestamp.After(timestamp) { - latestEvent = event - } - } - - err = lbc.statusUpdater.UpdateTransportServerStatus(ts, getStatusFromEventTitle(latestEvent.Reason), latestEvent.Reason, latestEvent.Message) - if err != nil { - allErrs = append(allErrs, err) - } - } - } - - if len(allErrs) > 0 { - return fmt.Errorf("not all TransportServers statuses were updated: %v", allErrs) - } - - return nil -} - func getIPAddressesFromEndpoints(endpoints []podEndpoint) []string { var endps []string for _, ep := range endpoints { 
@@ -3028,63 +2866,6 @@ func (lbc *LoadBalancerController) getTransportServerBackupEndpointsAndKey(trans return bendps, backupEndpointsKey } -func (lbc *LoadBalancerController) createTransportServerEx(transportServer *conf_v1.TransportServer, listenerPort int) *configs.TransportServerEx { - endpoints := make(map[string][]string) - externalNameSvcs := make(map[string]bool) - podsByIP := make(map[string]string) - disableIPV6 := lbc.configuration.isIPV6Disabled - - for _, u := range transportServer.Spec.Upstreams { - podEndps, external, err := lbc.getEndpointsForUpstream(transportServer.Namespace, u.Service, uint16(u.Port)) - if err == nil && external && lbc.isNginxPlus { - externalNameSvcs[configs.GenerateExternalNameSvcKey(transportServer.Namespace, u.Service)] = true - } - if err != nil { - glog.Warningf("Error getting Endpoints for Upstream %v: %v", u.Name, err) - } - - // subselector is not supported yet in TransportServer upstreams. That's why we pass "nil" here - endpointsKey := configs.GenerateEndpointsKey(transportServer.Namespace, u.Service, nil, uint16(u.Port)) - - endps := getIPAddressesFromEndpoints(podEndps) - endpoints[endpointsKey] = endps - - if lbc.isNginxPlus && lbc.isPrometheusEnabled { - for _, endpoint := range podEndps { - podsByIP[endpoint.Address] = endpoint.PodName - } - } - - if u.Backup != "" && u.BackupPort != nil { - bendps, backupEndpointsKey := lbc.getTransportServerBackupEndpointsAndKey(transportServer, u, externalNameSvcs) - endpoints[backupEndpointsKey] = bendps - } - } - - scrtRefs := make(map[string]*secrets.SecretReference) - - if transportServer.Spec.TLS != nil && transportServer.Spec.TLS.Secret != "" { - scrtKey := transportServer.Namespace + "/" + transportServer.Spec.TLS.Secret - - scrtRef := lbc.secretStore.GetSecret(scrtKey) - if scrtRef.Error != nil { - glog.Warningf("Error trying to get the secret %v for TransportServer %v: %v", scrtKey, transportServer.Name, scrtRef.Error) - } - - scrtRefs[scrtKey] = scrtRef - } - - return 
&configs.TransportServerEx{ - ListenerPort: listenerPort, - TransportServer: transportServer, - Endpoints: endpoints, - PodsByIP: podsByIP, - ExternalNameSvcs: externalNameSvcs, - DisableIPV6: disableIPV6, - SecretRefs: scrtRefs, - } -} - func (lbc *LoadBalancerController) getEndpointsForUpstream(namespace string, upstreamService string, upstreamPort uint16) (endps []podEndpoint, isExternal bool, err error) { svc, err := lbc.getServiceForUpstream(namespace, upstreamService, upstreamPort) if err != nil { diff --git a/internal/k8s/handlers.go b/internal/k8s/handlers.go index 93ad7de8a6..6156ccc8c8 100644 --- a/internal/k8s/handlers.go +++ b/internal/k8s/handlers.go @@ -326,40 +326,6 @@ func createVirtualServerRouteHandlers(lbc *LoadBalancerController) cache.Resourc } } -func createTransportServerHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - return cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - ts := obj.(*conf_v1.TransportServer) - glog.V(3).Infof("Adding TransportServer: %v", ts.Name) - lbc.AddSyncQueue(ts) - }, - DeleteFunc: func(obj interface{}) { - ts, isTs := obj.(*conf_v1.TransportServer) - if !isTs { - deletedState, ok := obj.(cache.DeletedFinalStateUnknown) - if !ok { - glog.V(3).Infof("Error received unexpected object: %v", obj) - return - } - ts, ok = deletedState.Obj.(*conf_v1.TransportServer) - if !ok { - glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-TransportServer object: %v", deletedState.Obj) - return - } - } - glog.V(3).Infof("Removing TransportServer: %v", ts.Name) - lbc.AddSyncQueue(ts) - }, - UpdateFunc: func(old, cur interface{}) { - curTs := cur.(*conf_v1.TransportServer) - if !reflect.DeepEqual(old, cur) { - glog.V(3).Infof("TransportServer %v changed, syncing", curTs.Name) - lbc.AddSyncQueue(curTs) - } - }, - } -} - func createPolicyHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { return cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { 
diff --git a/internal/k8s/transport_server.go b/internal/k8s/transport_server.go
new file mode 100644
index 0000000000..946a635acc
--- /dev/null
+++ b/internal/k8s/transport_server.go
@@ -0,0 +1,269 @@
+package k8s
+
+import (
+ "context"
+ "fmt"
+ "reflect"
+ "time"
+
+ "github.com/golang/glog"
+ "github.com/nginxinc/kubernetes-ingress/internal/configs"
+ "github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets"
+ conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1"
+ api_v1 "k8s.io/api/core/v1"
+ meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/tools/cache"
+)
+
+func createTransportServerHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs {
+ return cache.ResourceEventHandlerFuncs{
+ AddFunc: func(obj interface{}) {
+ ts := obj.(*conf_v1.TransportServer)
+ glog.V(3).Infof("Adding TransportServer: %v", ts.Name)
+ lbc.AddSyncQueue(ts)
+ },
+ DeleteFunc: func(obj interface{}) {
+ ts, isTs := obj.(*conf_v1.TransportServer)
+ if !isTs {
+ deletedState, ok := obj.(cache.DeletedFinalStateUnknown)
+ if !ok {
+ glog.V(3).Infof("Error received unexpected object: %v", obj)
+ return
+ }
+ ts, ok = deletedState.Obj.(*conf_v1.TransportServer)
+ if !ok {
+ glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-TransportServer object: %v", deletedState.Obj)
+ return
+ }
+ }
+ glog.V(3).Infof("Removing TransportServer: %v", ts.Name)
+ lbc.AddSyncQueue(ts)
+ },
+ UpdateFunc: func(old, cur interface{}) {
+ curTs := cur.(*conf_v1.TransportServer)
+ if !reflect.DeepEqual(old, cur) {
+ glog.V(3).Infof("TransportServer %v changed, syncing", curTs.Name)
+ lbc.AddSyncQueue(curTs)
+ }
+ },
+ }
+}
+
+func (nsi *namespacedInformer) addTransportServerHandler(handlers cache.ResourceEventHandlerFuncs) {
+ informer := nsi.confSharedInformerFactory.K8s().V1().TransportServers().Informer()
+ informer.AddEventHandler(handlers) //nolint:errcheck,gosec
+ nsi.transportServerLister = informer.GetStore()
+
+ nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced)
+}
+
+func (lbc *LoadBalancerController) syncTransportServer(task task) {
+ key := task.Key
+ var obj interface{}
+ var tsExists bool
+ var err error
+
+ ns, _, _ := cache.SplitMetaNamespaceKey(key)
+ obj, tsExists, err = lbc.getNamespacedInformer(ns).transportServerLister.GetByKey(key)
+ if err != nil {
+ lbc.syncQueue.Requeue(task, err)
+ return
+ }
+
+ var changes []ResourceChange
+ var problems []ConfigurationProblem
+
+ if !tsExists {
+ glog.V(2).Infof("Deleting TransportServer: %v\n", key)
+ changes, problems = lbc.configuration.DeleteTransportServer(key)
+ } else {
+ glog.V(2).Infof("Adding or Updating TransportServer: %v\n", key)
+ ts := obj.(*conf_v1.TransportServer)
+ changes, problems = lbc.configuration.AddOrUpdateTransportServer(ts)
+ }
+
+ lbc.processChanges(changes)
+ lbc.processProblems(problems)
+}
+
+func (lbc *LoadBalancerController) updateTransportServerStatusAndEventsOnDelete(tsConfig *TransportServerConfiguration, changeError string, deleteErr error) {
+ eventType := api_v1.EventTypeWarning
+ eventTitle := "Rejected"
+ eventWarningMessage := ""
+ var state string
+
+ // TransportServer either became invalid or lost its host or listener
+ if changeError != "" {
+ state = conf_v1.StateInvalid
+ eventWarningMessage = fmt.Sprintf("with error: %s", changeError)
+ } else if len(tsConfig.Warnings) > 0 {
+ state = conf_v1.StateWarning
+ eventWarningMessage = fmt.Sprintf("with warning(s): %s", formatWarningMessages(tsConfig.Warnings))
+ }
+
+ // we don't need to report anything if eventWarningMessage is empty
+ // in that case, the resource was deleted because its class became incorrect
+ // (some other Ingress Controller will handle it)
+
+ if eventWarningMessage != "" {
+ if deleteErr != nil {
+ eventType = api_v1.EventTypeWarning
+ eventTitle = "RejectedWithError"
+ eventWarningMessage = fmt.Sprintf("%s; but was not applied: %v", eventWarningMessage, deleteErr)
+ state = conf_v1.StateInvalid
+ }
+
+ msg := fmt.Sprintf("TransportServer %s was rejected %s", getResourceKey(&tsConfig.TransportServer.ObjectMeta), eventWarningMessage)
+ lbc.recorder.Eventf(tsConfig.TransportServer, eventType, eventTitle, msg)
+
+ if lbc.reportCustomResourceStatusEnabled() {
+ err := lbc.statusUpdater.UpdateTransportServerStatus(tsConfig.TransportServer, state, eventTitle, msg)
+ if err != nil {
+ glog.Errorf("Error when updating the status for TransportServer %v/%v: %v", tsConfig.TransportServer.Namespace, tsConfig.TransportServer.Name, err)
+ }
+ }
+ }
+}
+
+func (lbc *LoadBalancerController) updateTransportServerStatusAndEvents(tsConfig *TransportServerConfiguration, warnings configs.Warnings, operationErr error) {
+ eventTitle := "AddedOrUpdated"
+ eventType := api_v1.EventTypeNormal
+ eventWarningMessage := ""
+ state := conf_v1.StateValid
+
+ if len(tsConfig.Warnings) > 0 {
+ eventType = api_v1.EventTypeWarning
+ eventTitle = "AddedOrUpdatedWithWarning"
+ eventWarningMessage = fmt.Sprintf("with warning(s): %s", formatWarningMessages(tsConfig.Warnings))
+ state = conf_v1.StateWarning
+ }
+
+ if messages, ok := warnings[tsConfig.TransportServer]; ok {
+ eventType = api_v1.EventTypeWarning
+ eventTitle = "AddedOrUpdatedWithWarning"
+ eventWarningMessage = fmt.Sprintf("with warning(s): %s", formatWarningMessages(messages))
+ state = conf_v1.StateWarning
+ }
+
+ if operationErr != nil {
+ eventType = api_v1.EventTypeWarning
+ eventTitle = "AddedOrUpdatedWithError"
+ eventWarningMessage = fmt.Sprintf("%s; but was not applied: %v", eventWarningMessage, operationErr)
+ state = conf_v1.StateInvalid
+ }
+
+ msg := fmt.Sprintf("Configuration for %v was added or updated %s", getResourceKey(&tsConfig.TransportServer.ObjectMeta), eventWarningMessage)
+ lbc.recorder.Eventf(tsConfig.TransportServer, eventType, eventTitle, msg)
+
+ if lbc.reportCustomResourceStatusEnabled() {
+ err := lbc.statusUpdater.UpdateTransportServerStatus(tsConfig.TransportServer, state, eventTitle, msg)
+ if err != nil {
+ glog.Errorf("Error when updating the status for TransportServer %v/%v: %v", tsConfig.TransportServer.Namespace, tsConfig.TransportServer.Name, err)
+ }
+ }
+}
+
+func (lbc *LoadBalancerController) updateTransportServersStatusFromEvents() error {
+ var allErrs []error
+ for _, nsi := range lbc.namespacedInformers {
+ for _, obj := range nsi.transportServerLister.List() {
+ ts := obj.(*conf_v1.TransportServer)
+
+ events, err := lbc.client.CoreV1().Events(ts.Namespace).List(context.TODO(),
+ meta_v1.ListOptions{FieldSelector: fmt.Sprintf("involvedObject.name=%v,involvedObject.uid=%v", ts.Name, ts.UID)})
+ if err != nil {
+ allErrs = append(allErrs, fmt.Errorf("error trying to get events for TransportServer %v/%v: %w", ts.Namespace, ts.Name, err))
+ break
+ }
+
+ if len(events.Items) == 0 {
+ continue
+ }
+
+ var timestamp time.Time
+ var latestEvent api_v1.Event
+ for _, event := range events.Items {
+ if event.CreationTimestamp.After(timestamp) {
+ latestEvent = event
+ }
+ }
+
+ err = lbc.statusUpdater.UpdateTransportServerStatus(ts, getStatusFromEventTitle(latestEvent.Reason), latestEvent.Reason, latestEvent.Message)
+ if err != nil {
+ allErrs = append(allErrs, err)
+ }
+ }
+ }
+
+ if len(allErrs) > 0 {
+ return fmt.Errorf("not all TransportServers statuses were updated: %v", allErrs)
+ }
+
+ return nil
+}
+
+func (lbc *LoadBalancerController) createTransportServerEx(transportServer *conf_v1.TransportServer, listenerPort int) *configs.TransportServerEx {
+ endpoints := make(map[string][]string)
+ externalNameSvcs := make(map[string]bool)
+ podsByIP := make(map[string]string)
+ disableIPV6 := lbc.configuration.isIPV6Disabled
+
+ for _, u := range transportServer.Spec.Upstreams {
+ podEndps, external, err := lbc.getEndpointsForUpstream(transportServer.Namespace, u.Service, uint16(u.Port)) //nolint:gosec
+ if err == nil && external && lbc.isNginxPlus {
+ externalNameSvcs[configs.GenerateExternalNameSvcKey(transportServer.Namespace, u.Service)] = true
+ }
+ if err != nil {
+ glog.Warningf("Error getting Endpoints for Upstream %v: %v", u.Name, err)
+ }
+
+ // subselector is not supported yet in TransportServer upstreams. That's why we pass "nil" here
+ endpointsKey := configs.GenerateEndpointsKey(transportServer.Namespace, u.Service, nil, uint16(u.Port)) //nolint:gosec
+
+ endps := getIPAddressesFromEndpoints(podEndps)
+ endpoints[endpointsKey] = endps
+
+ if lbc.isNginxPlus && lbc.isPrometheusEnabled {
+ for _, endpoint := range podEndps {
+ podsByIP[endpoint.Address] = endpoint.PodName
+ }
+ }
+
+ if u.Backup != "" && u.BackupPort != nil {
+ bendps, backupEndpointsKey := lbc.getTransportServerBackupEndpointsAndKey(transportServer, u, externalNameSvcs)
+ endpoints[backupEndpointsKey] = bendps
+ }
+ }
+
+ scrtRefs := make(map[string]*secrets.SecretReference)
+
+ if transportServer.Spec.TLS != nil && transportServer.Spec.TLS.Secret != "" {
+ scrtKey := transportServer.Namespace + "/" + transportServer.Spec.TLS.Secret
+
+ scrtRef := lbc.secretStore.GetSecret(scrtKey)
+ if scrtRef.Error != nil {
+ glog.Warningf("Error trying to get the secret %v for TransportServer %v: %v", scrtKey, transportServer.Name, scrtRef.Error)
+ }
+
+ scrtRefs[scrtKey] = scrtRef
+ }
+
+ return &configs.TransportServerEx{
+ ListenerPort: listenerPort,
+ TransportServer: transportServer,
+ Endpoints: endpoints,
+ PodsByIP: podsByIP,
+ ExternalNameSvcs: externalNameSvcs,
+ DisableIPV6: disableIPV6,
+ SecretRefs: scrtRefs,
+ }
+}
+
+func (lbc *LoadBalancerController) updateTransportServerMetrics() {
+ if !lbc.areCustomResourcesEnabled {
+ return
+ }
+
+ metrics := lbc.configuration.GetTransportServerMetrics()
+ lbc.metricsCollector.SetTransportServers(metrics.TotalTLSPassthrough, metrics.TotalTCP, metrics.TotalUDP)
+}
From 7c62ede4c6dd5a2ff423246c9a33fb45e2c87d8f Mon Sep 17 00:00:00 2001
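Review bot: In `updateTransportServersStatusFromEvents`, `timestamp` is declared but never assigned inside the loop over `events.Items`, so `event.CreationTimestamp.After(timestamp)` is true for every event with a non-zero timestamp and `latestEvent` ends up as the last item in the list, not the most recent one. The status written back through `UpdateTransportServerStatus` can therefore carry a stale reason and message. Record the winner when it changes: after `latestEvent = event` add `timestamp = event.CreationTimestamp.Time`. Separately, the `break` on a failed `Events(...).List` call leaves the inner loop, so the remaining TransportServers in that namespace are skipped; `continue` looks like what was intended. The code was moved from controller.go unchanged, so both points predate this commit.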
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Tue, 10 Sep 2024 15:40:49 +0100 Subject: [PATCH 65/83] refactor Policy controller (#6388) --- internal/k8s/controller.go | 66 ---------------------- internal/k8s/handlers.go | 35 ------------ internal/k8s/policy.go | 113 +++++++++++++++++++++++++++++++++++++ 3 files changed, 113 insertions(+), 101 deletions(-) create mode 100644 internal/k8s/policy.go diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 8ab2b3f67b..6436c397d6 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -548,14 +548,6 @@ func (nsi *namespacedInformer) addVirtualServerRouteHandler(handlers cache.Resou nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) } -func (nsi *namespacedInformer) addPolicyHandler(handlers cache.ResourceEventHandlerFuncs) { - informer := nsi.confSharedInformerFactory.K8s().V1().Policies().Informer() - informer.AddEventHandler(handlers) - nsi.policyLister = informer.GetStore() - - nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) -} - func (lbc *LoadBalancerController) addNamespaceHandler(handlers cache.ResourceEventHandlerFuncs, nsLabel string) { optionsModifier := func(options *meta_v1.ListOptions) { options.LabelSelector = nsLabel 
@@ -1172,64 +1164,6 @@ func (lbc *LoadBalancerController) cleanupUnwatchedNamespacedResources(nsi *name nsi.stop() } -func (lbc *LoadBalancerController) syncPolicy(task task) { - key := task.Key - var obj interface{} - var polExists bool - var err error - - ns, _, _ := cache.SplitMetaNamespaceKey(key) - obj, polExists, err = lbc.getNamespacedInformer(ns).policyLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - - glog.V(2).Infof("Adding, Updating or Deleting Policy: %v\n", key) - - if polExists && lbc.HasCorrectIngressClass(obj) { - pol := obj.(*conf_v1.Policy) - err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enableOIDC, lbc.appProtectEnabled) - if err != nil { - msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err) - lbc.recorder.Eventf(pol, api_v1.EventTypeWarning, "Rejected", msg) - - if lbc.reportCustomResourceStatusEnabled() { - err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateInvalid, "Rejected", msg) - if err != nil { - glog.V(3).Infof("Failed to update policy %s status: %v", key, err) - } - } - } else { - msg := fmt.Sprintf("Policy %v/%v was added or updated", pol.Namespace, pol.Name) - lbc.recorder.Eventf(pol, api_v1.EventTypeNormal, "AddedOrUpdated", msg) - - if lbc.reportCustomResourceStatusEnabled() { - err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateValid, "AddedOrUpdated", msg) - if err != nil { - glog.V(3).Infof("Failed to update policy %s status: %v", key, err) - } - } - } - } - - // it is safe to ignore the error - namespace, name, _ := ParseNamespaceName(key) - - resources := lbc.configuration.FindResourcesForPolicy(namespace, name) - resourceExes := lbc.createExtendedResources(resources) - - // Only VirtualServers support policies - if len(resourceExes.VirtualServerExes) == 0 { - return - } - - warnings, updateErr := lbc.configurator.AddOrUpdateVirtualServers(resourceExes.VirtualServerExes) - 
lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr) - - // Note: updating the status of a policy based on a reload is not needed. -} - func (lbc *LoadBalancerController) syncVirtualServer(task task) { key := task.Key var obj interface{} diff --git a/internal/k8s/handlers.go b/internal/k8s/handlers.go index 6156ccc8c8..bbec1a41b1 100644 --- a/internal/k8s/handlers.go +++ b/internal/k8s/handlers.go @@ -326,41 +326,6 @@ func createVirtualServerRouteHandlers(lbc *LoadBalancerController) cache.Resourc } } -func createPolicyHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - return cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - pol := obj.(*conf_v1.Policy) - glog.V(3).Infof("Adding Policy: %v", pol.Name) - lbc.AddSyncQueue(pol) - }, - DeleteFunc: func(obj interface{}) { - pol, isPol := obj.(*conf_v1.Policy) - if !isPol { - deletedState, ok := obj.(cache.DeletedFinalStateUnknown) - if !ok { - glog.V(3).Infof("Error received unexpected object: %v", obj) - return - } - pol, ok = deletedState.Obj.(*conf_v1.Policy) - if !ok { - glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-Policy object: %v", deletedState.Obj) - return - } - } - glog.V(3).Infof("Removing Policy: %v", pol.Name) - lbc.AddSyncQueue(pol) - }, - UpdateFunc: func(old, cur interface{}) { - curPol := cur.(*conf_v1.Policy) - oldPol := old.(*conf_v1.Policy) - if !reflect.DeepEqual(oldPol.Spec, curPol.Spec) { - glog.V(3).Infof("Policy %v changed, syncing", curPol.Name) - lbc.AddSyncQueue(curPol) - } - }, - } -} - // areResourcesDifferent returns true if the resources are different based on their spec. func areResourcesDifferent(oldresource, resource *unstructured.Unstructured) (bool, error) { oldSpec, found, err := unstructured.NestedMap(oldresource.Object, "spec") diff --git a/internal/k8s/policy.go b/internal/k8s/policy.go new file mode 100644 index 0000000000..8da715b703 --- /dev/null +++ b/internal/k8s/policy.go 
@@ -0,0 +1,113 @@
+package k8s
+
+import (
+ "fmt"
+ "reflect"
+
+ "github.com/golang/glog"
+ conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1"
+ "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/validation"
+ api_v1 "k8s.io/api/core/v1"
+ "k8s.io/client-go/tools/cache"
+)
+
+func createPolicyHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs {
+ return cache.ResourceEventHandlerFuncs{
+ AddFunc: func(obj interface{}) {
+ pol := obj.(*conf_v1.Policy)
+ glog.V(3).Infof("Adding Policy: %v", pol.Name)
+ lbc.AddSyncQueue(pol)
+ },
+ DeleteFunc: func(obj interface{}) {
+ pol, isPol := obj.(*conf_v1.Policy)
+ if !isPol {
+ deletedState, ok := obj.(cache.DeletedFinalStateUnknown)
+ if !ok {
+ glog.V(3).Infof("Error received unexpected object: %v", obj)
+ return
+ }
+ pol, ok = deletedState.Obj.(*conf_v1.Policy)
+ if !ok {
+ glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-Policy object: %v", deletedState.Obj)
+ return
+ }
+ }
+ glog.V(3).Infof("Removing Policy: %v", pol.Name)
+ lbc.AddSyncQueue(pol)
+ },
+ UpdateFunc: func(old, cur interface{}) {
+ curPol := cur.(*conf_v1.Policy)
+ oldPol := old.(*conf_v1.Policy)
+ if !reflect.DeepEqual(oldPol.Spec, curPol.Spec) {
+ glog.V(3).Infof("Policy %v changed, syncing", curPol.Name)
+ lbc.AddSyncQueue(curPol)
+ }
+ },
+ }
+}
+
+func (nsi *namespacedInformer) addPolicyHandler(handlers cache.ResourceEventHandlerFuncs) {
+ informer := nsi.confSharedInformerFactory.K8s().V1().Policies().Informer()
+ informer.AddEventHandler(handlers) //nolint:errcheck,gosec
+ nsi.policyLister = informer.GetStore()
+
+ nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced)
+}
+
+func (lbc *LoadBalancerController) syncPolicy(task task) {
+ key := task.Key
+ var obj interface{}
+ var polExists bool
+ var err error
+
+ ns, _, _ := cache.SplitMetaNamespaceKey(key)
+ obj, polExists, err = lbc.getNamespacedInformer(ns).policyLister.GetByKey(key)
+ if err != nil {
+ lbc.syncQueue.Requeue(task, err)
+ return
+ }
+
+ glog.V(2).Infof("Adding, Updating or Deleting Policy: %v\n", key)
+
+ if polExists && lbc.HasCorrectIngressClass(obj) {
+ pol := obj.(*conf_v1.Policy)
+ err := validation.ValidatePolicy(pol, lbc.isNginxPlus, lbc.enableOIDC, lbc.appProtectEnabled)
+ if err != nil {
+ msg := fmt.Sprintf("Policy %v/%v is invalid and was rejected: %v", pol.Namespace, pol.Name, err)
+ lbc.recorder.Eventf(pol, api_v1.EventTypeWarning, "Rejected", msg)
+
+ if lbc.reportCustomResourceStatusEnabled() {
+ err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateInvalid, "Rejected", msg)
+ if err != nil {
+ glog.V(3).Infof("Failed to update policy %s status: %v", key, err)
+ }
+ }
+ } else {
+ msg := fmt.Sprintf("Policy %v/%v was added or updated", pol.Namespace, pol.Name)
+ lbc.recorder.Eventf(pol, api_v1.EventTypeNormal, "AddedOrUpdated", msg)
+
+ if lbc.reportCustomResourceStatusEnabled() {
+ err = lbc.statusUpdater.UpdatePolicyStatus(pol, conf_v1.StateValid, "AddedOrUpdated", msg)
+ if err != nil {
+ glog.V(3).Infof("Failed to update policy %s status: %v", key, err)
+ }
+ }
+ }
+ }
+
+ // it is safe to ignore the error
+ namespace, name, _ := ParseNamespaceName(key)
+
+ resources := lbc.configuration.FindResourcesForPolicy(namespace, name)
+ resourceExes := lbc.createExtendedResources(resources)
+
+ // Only VirtualServers support policies
+ if len(resourceExes.VirtualServerExes) == 0 {
+ return
+ }
+
+ warnings, updateErr := lbc.configurator.AddOrUpdateVirtualServers(resourceExes.VirtualServerExes)
+ lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr)
+
+ // Note: updating the status of a policy based on a reload is not needed.
+}
From e3e0b33b0b0eb971f75ea6432c70e4a7f8e53bdc Mon Sep 17 00:00:00 2001
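Review bot: Both `UpdatePolicyStatus` failure branches in `syncPolicy` log with `glog.V(3).Infof`, so at default verbosity nothing records that a Policy's status was not written, including the case where the Policy was just rejected by `validation.ValidatePolicy`. An operator reading the resource status would then see the previous state for a policy that is no longer applied. The TransportServer status path in this same series reports the equivalent failure with `glog.Errorf`; doing the same here, `glog.Errorf("Failed to update policy %s status: %v", key, err)`, keeps the two consistent. The code is moved from controller.go unchanged, so this predates the commit.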
From: Jim Ryan Date: Tue, 10 Sep 2024 16:13:18 +0100 Subject: [PATCH 66/83] Add make docs to code gen (#6360) * test fail make docs * remove make docs build failure * remove -it * make docs ci * add some_docs output * remove extra newline --------- Co-authored-by: Venktesh Shivam Patel Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> --- .github/workflows/ci.yml | 15 +++++++++++++++ docs/Makefile | 6 ++++++ 2 files changed, 21 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d8ab687882..fa9a665c50 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,6 +35,7 @@ jobs: id-token: write outputs: docs_only: ${{ github.event.pull_request && steps.docs.outputs.docs_only == 'true' }} + some_docs: ${{ github.event.pull_request && steps.docs.outputs.some_docs == 'true' }} k8s_latest: ${{ steps.vars.outputs.k8s_latest }} go_path: ${{ steps.vars.outputs.go_path }} go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} @@ -60,12 +61,21 @@ jobs: id: docs run: | files=$(git diff --name-only HEAD^ | egrep -v "^docs/" | egrep -v "^examples/" | egrep -v "^README.md") + docs_files=$(git diff --name-only HEAD^ | grep "^docs/") if [ -z "$files" ]; then echo "docs_only=true" >> $GITHUB_OUTPUT else echo "docs_only=false" >> $GITHUB_OUTPUT fi + + if [ -n "$docs_files" ]; then + echo "some_docs=true" >> $GITHUB_OUTPUT + else + echo "some_docs=false" >> $GITHUB_OUTPUT + fi + echo $files + echo $docs_files cat $GITHUB_OUTPUT shell: bash --noprofile --norc -o pipefail {0} @@ -164,6 +174,7 @@ jobs: runs-on: ubuntu-24.04 permissions: contents: read + needs: checks steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 
@@ -193,6 +204,10 @@ jobs: export PATH=$PATH:$(go env GOPATH)/bin make telemetry-schema && git diff --name-only --exit-code internal/telemetry + - name: Check if make docs builds + if: ${{ needs.checks.outputs.some_docs == 'true' }} + run: cd docs && make docs-ci + unit-tests: name: Unit Tests runs-on: ubuntu-24.04 diff --git a/docs/Makefile b/docs/Makefile index 287f63ea2c..b4179ed26d 100644 --- a/docs/Makefile +++ b/docs/Makefile @@ -12,6 +12,8 @@ else endif endif +HUGO_CI=docker run --rm -v ${CURDIR}:/src ${HUGO_IMG} hugo + MARKDOWNLINT?=markdownlint MARKDOWNLINT_IMG?=ghcr.io/igorshubovych/markdownlint-cli:latest @@ -39,6 +41,9 @@ endif docs: ${HUGO} +docs-ci: + ${HUGO_CI} + watch: ${HUGO} --bind 0.0.0.0 -p 1313 server --disableFastRender @@ -46,6 +51,7 @@ drafts: ${HUGO} --bind 0.0.0.0 -p 1313 server -D --disableFastRender clean: + hugo mod clean [ -d "public" ] && rm -rf "public" hugo-get: From e6b9db38623cbb9369fed3cbca72daede50e9a16 Mon Sep 17 00:00:00 2001 From: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Date: Tue, 10 Sep 2024 17:20:18 +0100 Subject: [PATCH 67/83] Create unique lease obj for each NIC installed via Helm (#6372) --- .../nginx-ingress/templates/controller-lease.yaml | 13 +++++++++++++ charts/nginx-ingress/templates/controller-role.yaml | 2 +- charts/nginx-ingress/values.yaml | 3 ++- 3 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 charts/nginx-ingress/templates/controller-lease.yaml diff --git a/charts/nginx-ingress/templates/controller-lease.yaml b/charts/nginx-ingress/templates/controller-lease.yaml new file mode 100644 index 0000000000..960f61cea0 --- /dev/null +++ b/charts/nginx-ingress/templates/controller-lease.yaml 
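Review bot: `HUGO_CI` in docs/Makefile runs whatever `${HUGO_IMG}` resolves to inside the CI job, and that variable is defined outside this hunk, so its tag cannot be checked here. If it is a floating tag (the neighbouring `MARKDOWNLINT_IMG` in the context lines uses `:latest`), the new `docs-ci` step pulls an unpinned image into a workflow that otherwise pins its actions by commit SHA. Pinning the image by digest, the way build/Dockerfile does with `@sha256:`, would keep the docs build reproducible and close that gap.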
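Review bot: In the `clean` target the added `hugo mod clean` calls the bare `hugo` binary, while the `docs`, `watch` and `drafts` targets go through `${HUGO}`. On a machine that only has the containerised hugo the recipe stops on that line and `public` is never removed. Suggest `${HUGO} mod clean`, or a leading `-` on the line if cleanup should continue when the module-cache step fails. How `${HUGO}` is selected is outside the hunk, so this is inferred from the other targets.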
@@ -0,0 +1,13 @@ +{{ if .Values.controller.reportIngressStatus.enableLeaderElection }} +apiVersion: coordination.k8s.io/v1 +kind: Lease +metadata: + name: {{ include "nginx-ingress.leaderElectionName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nginx-ingress.labels" . | nindent 4 }} +{{- if .Values.controller.reportIngressStatus.annotations }} + annotations +{{ toYaml .Values.controller.reportIngressStatus.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/nginx-ingress/templates/controller-role.yaml b/charts/nginx-ingress/templates/controller-role.yaml index e902381775..cb75d99cc3 100644 --- a/charts/nginx-ingress/templates/controller-role.yaml +++ b/charts/nginx-ingress/templates/controller-role.yaml @@ -43,7 +43,7 @@ rules: resources: - leases resourceNames: - - {{ .Values.controller.reportIngressStatus.leaderElectionLockName }} + - {{ include "nginx-ingress.leaderElectionName" . }} verbs: - get - update diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 002102bfb1..ebece1f3a6 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -496,7 +496,8 @@ controller: enableLeaderElection: true ## Specifies the name to be used as the lock for leader election. controller.reportIngressStatus.enableLeaderElection must be set to true. - leaderElectionLockName: "nginx-ingress-leader" + ## The default is autogenerated. + leaderElectionLockName: "" ## The annotations of the leader election configmap. annotations: {} From 200d074f825e6b8da2f3ae0f93a09f23baf93de8 Mon Sep 17 00:00:00 2001 From: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Date: Wed, 11 Sep 2024 14:48:49 +0100 Subject: [PATCH 68/83] Use Go v1.23 alpine as golang_builder (#6392) --- build/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/Dockerfile b/build/Dockerfile index e968d79105..918c27e268 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
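Review bot: In controller-lease.yaml the `annotations` key is missing its colon, so when `controller.reportIngressStatus.annotations` is set the template renders a bare `annotations` line followed by the indented map and the manifest is not valid YAML. Change the line to `  annotations:`. With the default `annotations: {}` from values.yaml the block is skipped, which is probably why a default render did not catch it; a template test that sets annotations would cover the case. The values.yaml comment "The annotations of the leader election configmap." could also say Lease now that the chart creates one.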
@@ -17,7 +17,7 @@ FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 FROM redhat/ubi9-minimal@sha256:f182b500ff167918ca1010595311cf162464f3aa1cab755383d38be61b4d30aa AS ubi-minimal -FROM golang:1.22-alpine@sha256:48eab5e3505d8c8b42a06fe5f1cf4c346c167cc6a89e772f31cb9e5c301dcf60 AS golang-builder +FROM golang:1.23-alpine@sha256:49bbb517cfa9eee677e1e7897f7cf9cfdbcf49e05f61984a2789136de359f9bd AS golang-builder ############################################# Base image for Alpine ############################################# From cc7e4669286e2ad93fcc8f0e517d4b3658d61f97 Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 11 Sep 2024 15:43:28 +0100 Subject: [PATCH 69/83] don't publish images we don't update on the Marketplace (#6393) --- .github/workflows/update-docker-images.yml | 25 +++------------------- 1 file changed, 3 insertions(+), 22 deletions(-) diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index 30af2d5b61..402312a1c1 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -123,8 +123,8 @@ jobs: packages: write secrets: inherit - release-plus-nginx-gcr: - name: Publish Docker Plus ${{ matrix.tag }} to NGINX & GCR Marketplace registries + release-plus-nginx: + name: Publish Docker Plus ${{ matrix.tag }} to NGINX registry needs: [variables, patch-images] strategy: fail-fast: false 
@@ -138,7 +138,7 @@ jobs: with: nginx_registry: true gcr_release_registry: false - gcr_mktpl_registry: true + gcr_mktpl_registry: false ecr_mktpl_registry: false az_mktpl_registry: false source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" @@ -150,25 +150,6 @@ jobs: id-token: write secrets: inherit - release-plus-azure-ecr-marketplace: - name: Publish Docker Plus ${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }} to Azure & ECR Marketplace registries - needs: [variables, patch-images] - uses: ./.github/workflows/plus-release.yml - with: - nginx_registry: false - gcr_release_registry: false - gcr_mktpl_registry: false - ecr_mktpl_registry: true - az_mktpl_registry: true - source_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" - target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}" - branch: "release-${{ needs.variables.outputs.short_tag }}" - dry_run: ${{ inputs.dry_run || false }} - permissions: - contents: read - id-token: write - secrets: inherit - release-plus-internal: name: Publish Docker Plus ${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }} to internal release Registries needs: [variables, patch-images] From 20e0b7b01cdd35751169517352c827ce0463a607 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 09:05:29 +0100 Subject: [PATCH 70/83] Bump the go group with 2 updates (#6397) Bumps the go group with 2 updates: [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) and [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc](https://github.com/open-telemetry/opentelemetry-go). Updates `go.opentelemetry.io/otel` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) Updates `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc` from 1.29.0 to 1.30.0 - [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases) - [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.29.0...v1.30.0) --- updated-dependencies: - dependency-name: go.opentelemetry.io/otel dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go - dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 28 ++++++++++++++-------------- go.sum | 56 ++++++++++++++++++++++++++++---------------------------- 2 files changed, 42 insertions(+), 42 deletions(-) diff --git a/go.mod b/go.mod index 4d8a6e24c3..795b295415 100644 --- a/go.mod +++ b/go.mod 
@@ -22,8 +22,8 @@ require ( github.com/prometheus/client_golang v1.20.3 github.com/spiffe/go-spiffe/v2 v2.3.0 github.com/stretchr/testify v1.9.0 - go.opentelemetry.io/otel v1.29.0 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0 + go.opentelemetry.io/otel v1.30.0 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 k8s.io/api v0.31.0 k8s.io/apimachinery v0.31.0 
@@ -113,26 +113,26 @@ require ( go.etcd.io/etcd/client/v3 v3.5.14 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 // indirect - go.opentelemetry.io/otel/metric v1.29.0 // indirect - go.opentelemetry.io/otel/sdk v1.29.0 // indirect - go.opentelemetry.io/otel/trace v1.29.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/sdk v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.26.0 // indirect + golang.org/x/crypto v0.27.0 // indirect golang.org/x/mod v0.20.0 // indirect - golang.org/x/net v0.28.0 // indirect + golang.org/x/net v0.29.0 // indirect golang.org/x/oauth2 v0.22.0 // indirect golang.org/x/sync v0.8.0 // indirect - golang.org/x/sys v0.24.0 // indirect - golang.org/x/term v0.23.0 // indirect - golang.org/x/text v0.17.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/term v0.24.0 // indirect + golang.org/x/text v0.18.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.24.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd // indirect - google.golang.org/grpc v1.65.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect + google.golang.org/grpc v1.66.1 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect 
gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 8111179b89..eabdd4e5a8 100644 --- a/go.sum +++ b/go.sum 
@@ -287,18 +287,18 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.5 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= -go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 h1:dIIDULZJpgdiHz5tXrTgKIMLkus6jEFa7x5SOKcyR7E= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0/go.mod h1:jlRVBe7+Z1wyxFSUs48L6OBQZ5JwH2Hg/Vbl+t9rAgI= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0 h1:nSiV3s7wiCam610XcLbYOmMfJxB9gO4uK3Xgv5gmTgg= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.29.0/go.mod h1:hKn/e/Nmd19/x1gvIHwtOwVWM+VhuITSWip3JUDghj0= -go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= -go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= -go.opentelemetry.io/otel/sdk v1.29.0 h1:vkqKjk7gwhS8VaWb0POZKmIEDimRCMsopNYnriHyryo= -go.opentelemetry.io/otel/sdk v1.29.0/go.mod h1:pM8Dx5WKnvxLCb+8lG1PRNIDxu9g9b9g59Qr7hfAAok= -go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= -go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0 h1:lsInsfvhVIfOI6qHVyysXMNDnjO9Npvl7tlDPJFBVd4= 
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.30.0/go.mod h1:KQsVNh4OjgjTG0G6EiNi1jVpnaeeKsKMRwbLN+f1+8M= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0 h1:m0yTiGDLUvVYaTFbAvCkVYIYcvwKt3G7OLoN77NUs/8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0/go.mod h1:wBQbT4UekBfegL2nx0Xk1vBcnzyBPsIVm9hRG4fYcr4= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/sdk v1.30.0 h1:cHdik6irO49R5IysVhdn8oaiR9m8XluDaJAs4DfOrYE= +go.opentelemetry.io/otel/sdk v1.30.0/go.mod h1:p14X4Ok8S+sygzblytT1nqG98QG2KYKv++HE0LY/mhg= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= 
@@ -314,8 +314,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw= -golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= @@ -336,8 +336,8 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE= -golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= golang.org/x/oauth2 v0.22.0 h1:BzDx2FehcG7jJwgWLELCdmLuxk2i+x9UDpSiss2u0ZA= golang.org/x/oauth2 v0.22.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -360,24 +360,24 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg= -golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.23.0 h1:F6D4vR+EHoL9/sWAWgAR1H2DcHr4PareCbAaCo1RpuU= -golang.org/x/term v0.23.0/go.mod h1:DgV24QBUrK6jhZXl+20l6UWznPlwAHm1Q1mGHtydmSk= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= 
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc= -golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 
@@ -394,12 +394,12 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda h1:wu/KJm9KJwpfHWhkkZGohVC6KRrc1oJNr4jwtQMOQXw= google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda/go.mod h1:g2LLCvCeCSir/JJSWosk19BR4NVxGqHUC6rxIRsd7Aw= -google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd h1:BBOTEWLuuEGQy9n1y9MhVJ9Qt0BDu21X8qZs71/uPZo= -google.golang.org/genproto/googleapis/api v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:fO8wJzT2zbQbAjbIoos1285VfEIYKDDY+Dt+WpTkh6g= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd h1:6TEm2ZxXoQmFWFlt1vNxvVOa1Q0dXFQD1m/rYjXmS0E= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240822170219-fc7c04adadcd/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc= +google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.66.1 h1:hO5qAXR19+/Z44hmvIM4dQFMSYX9XcWsByfoxutBpAM= +google.golang.org/grpc v1.66.1/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= 
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 4d99680a10fdb2b4bf09f46db693040f055dbcc0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 08:58:03 +0000 Subject: [PATCH 71/83] Bump DavidAnson/markdownlint-cli2-action from 16.0.0 to 17.0.0 in the actions group (#6398) Bump DavidAnson/markdownlint-cli2-action in the actions group Bumps the actions group with 1 update: [DavidAnson/markdownlint-cli2-action](https://github.com/davidanson/markdownlint-cli2-action). Updates `DavidAnson/markdownlint-cli2-action` from 16.0.0 to 17.0.0 - [Release notes](https://github.com/davidanson/markdownlint-cli2-action/releases) - [Commits](https://github.com/davidanson/markdownlint-cli2-action/compare/b4c9feab76d8025d1e83c653fa3990936df0e6c8...db43aef879112c3119a410d69f66701e0d530809) --- updated-dependencies: - dependency-name: DavidAnson/markdownlint-cli2-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> --- .github/workflows/lint-format.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/lint-format.yml b/.github/workflows/lint-format.yml index 327f76d390..d1b5e2303f 100644 --- a/.github/workflows/lint-format.yml +++ b/.github/workflows/lint-format.yml @@ -84,7 +84,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8 # v16.0.0 + - uses: DavidAnson/markdownlint-cli2-action@db43aef879112c3119a410d69f66701e0d530809 # v17.0.0 with: config: .markdownlint-cli2.yaml globs: "**/*.md" 
From 0998e06acdef9eb1e5fd7b4bc690e2b1d1f71b6a Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Thu, 12 Sep 2024 10:32:07 +0100 Subject: [PATCH 72/83] add 1.25 to regression (#6402) --- .github/workflows/regression.yml | 2 +- docs/content/technical-specifications.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
index e88814404f..8c0e1e7af9 100644
--- a/.github/workflows/regression.yml
+++ b/.github/workflows/regression.yml
@@ -58,7 +58,7 @@ jobs:
 | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \
 | sort -rV \
 | awk -F. '!seen[$1"."$2]++' \
- | head -n 5 \
+ | head -n 7 \
 | sort -V \
 | sed 's/v//g' \
 | sed 's/$//' \
diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md
index 5112d7d6c3..592ef0b9f0 100644
--- a/docs/content/technical-specifications.md
+++ b/docs/content/technical-specifications.md
@@ -28,7 +28,7 @@ We test NGINX Ingress Controller on a range of Kubernetes platforms for each rel
 {{< bootstrap-table "table table-bordered table-striped table-responsive" >}}
 | NIC Version | Supported Kubernetes Version | NIC Helm Chart Version | NIC Operator Version | NGINX / NGINX Plus version |
 | --- | --- | --- | --- | --- |
-| {{< nic-version >}} | 1.26 - 1.31 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.27.1 / R32 |
+| {{< nic-version >}} | 1.25 - 1.31 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.27.1 / R32 |
 | 3.5.2 | 1.23 - 1.30 | 1.2.2 | 2.2.2 | 1.27.0 / R32 |
 | 3.4.3 | 1.23 - 1.29 | 1.1.3 | 2.1.2 | 1.25.4 / R31 P1 |
 | 3.3.2 | 1.22 - 1.28 | 1.0.2 | 2.0.2 | 1.25.3 / R30 |
From 0102bf5da256066b5fcf49cb2f6a090cc0d3fb7a Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 12 Sep 2024 10:48:04 +0100 Subject: [PATCH 73/83] move Namespace Controller to it's own file (#6396) --- internal/k8s/controller.go | 72 ---------------------- internal/k8s/handlers.go | 34 ----------- internal/k8s/namespace.go | 118 +++++++++++++++++++++++++++++++++++++ 3 files changed, 118 insertions(+), 106 deletions(-) create mode 100644 internal/k8s/namespace.go diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index 6436c397d6..c4241fcc79 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go @@ -548,18 +548,6 @@ func (nsi *namespacedInformer) addVirtualServerRouteHandler(handlers cache.Resou nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) } -func (lbc *LoadBalancerController) addNamespaceHandler(handlers cache.ResourceEventHandlerFuncs, nsLabel string) { - optionsModifier := func(options *meta_v1.ListOptions) { - options.LabelSelector = nsLabel - } - nsInformer := informers.NewSharedInformerFactoryWithOptions(lbc.client, lbc.resync, informers.WithTweakListOptions(optionsModifier)).Core().V1().Namespaces().Informer() - nsInformer.AddEventHandler(handlers) - lbc.namespaceLabeledLister = nsInformer.GetStore() - lbc.namespaceWatcherController = nsInformer - - lbc.cacheSyncs = append(lbc.cacheSyncs, nsInformer.HasSynced) -} - // Run starts the loadbalancer controller func (lbc *LoadBalancerController) Run() { lbc.ctx, lbc.cancel = context.WithCancel(context.Background()) 
@@ -1015,66 +1003,6 @@ func (lbc *LoadBalancerController) sync(task task) { } } -func (lbc *LoadBalancerController) syncNamespace(task task) { - key := task.Key - // process namespace and add to / remove from watched namespace list - _, exists, err := lbc.namespaceLabeledLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - - if !exists { - // Check if change is because of a new label, or because of a deleted namespace - ns, _ := lbc.client.CoreV1().Namespaces().Get(context.TODO(), key, meta_v1.GetOptions{}) - - if ns != nil && ns.Status.Phase == api_v1.NamespaceActive { - // namespace still exists - glog.Infof("Removing Configuration for Unwatched Namespace: %v", key) - // Watched label for namespace was removed - // delete any now unwatched namespaced informer groups if required - nsi := lbc.getNamespacedInformer(key) - if nsi != nil { - lbc.cleanupUnwatchedNamespacedResources(nsi) - delete(lbc.namespacedInformers, key) - } - } else { - glog.Infof("Deleting Watchers for Deleted Namespace: %v", key) - nsi := lbc.getNamespacedInformer(key) - if nsi != nil { - lbc.removeNamespacedInformer(nsi, key) - } - } - if lbc.certManagerController != nil { - lbc.certManagerController.RemoveNamespacedInformer(key) - } - if lbc.externalDNSController != nil { - lbc.externalDNSController.RemoveNamespacedInformer(key) - } - } else { - // check if informer group already exists - // if not create new namespaced informer group - // update cert-manager informer group if required - // update external-dns informer group if required - glog.V(3).Infof("Adding or Updating Watched Namespace: %v", key) - nsi := lbc.getNamespacedInformer(key) - if nsi == nil { - glog.Infof("Adding New Watched Namespace: %v", key) - nsi = lbc.newNamespacedInformer(key) - nsi.start() - } - if lbc.certManagerController != nil { - lbc.certManagerController.AddNewNamespacedInformer(key) - } - if lbc.externalDNSController != nil { - 
lbc.externalDNSController.AddNewNamespacedInformer(key) - } - if !cache.WaitForCacheSync(nsi.stopCh, nsi.cacheSyncs...) { - return - } - } -} - func (lbc *LoadBalancerController) removeNamespacedInformer(nsi *namespacedInformer, key string) { nsi.lock.Lock() defer nsi.lock.Unlock() diff --git a/internal/k8s/handlers.go b/internal/k8s/handlers.go index bbec1a41b1..19df28450a 100644 --- a/internal/k8s/handlers.go +++ b/internal/k8s/handlers.go @@ -349,40 +349,6 @@ func areResourcesDifferent(oldresource, resource *unstructured.Unstructured) (bo return !eq, nil } -// createNamespaceHandlers builds the handler funcs for namespaces -func createNamespaceHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - return cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - ns := obj.(*v1.Namespace) - glog.V(3).Infof("Adding Namespace to list of watched Namespaces: %v", ns.Name) - lbc.AddSyncQueue(obj) - }, - DeleteFunc: func(obj interface{}) { - ns, isNs := obj.(*v1.Namespace) - if !isNs { - deletedState, ok := obj.(cache.DeletedFinalStateUnknown) - if !ok { - glog.V(3).Infof("Error received unexpected object: %v", obj) - return - } - ns, ok = deletedState.Obj.(*v1.Namespace) - if !ok { - glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-Namespace object: %v", deletedState.Obj) - return - } - } - glog.V(3).Infof("Removing Namespace from list of watched Namespaces: %v", ns.Name) - lbc.AddSyncQueue(obj) - }, - UpdateFunc: func(old, cur interface{}) { - if !reflect.DeepEqual(old, cur) { - glog.V(3).Infof("Namespace %v changed, syncing", cur.(*v1.Namespace).Name) - lbc.AddSyncQueue(cur) - } - }, - } -} - func zeroOutVirtualServerSplitWeights(vs *conf_v1.VirtualServer) { for _, route := range vs.Spec.Routes { for _, match := range route.Matches { diff --git a/internal/k8s/namespace.go b/internal/k8s/namespace.go new file mode 100644 index 0000000000..f1b81e6436 --- /dev/null +++ b/internal/k8s/namespace.go 
@@ -0,0 +1,118 @@
+package k8s
+
+import (
+ "context"
+ "reflect"
+
+ "github.com/golang/glog"
+ api_v1 "k8s.io/api/core/v1"
+ meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/informers"
+ "k8s.io/client-go/tools/cache"
+)
+
+// createNamespaceHandlers builds the handler funcs for namespaces
+func createNamespaceHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs {
+ return cache.ResourceEventHandlerFuncs{
+ AddFunc: func(obj interface{}) {
+ ns := obj.(*api_v1.Namespace)
+ glog.V(3).Infof("Adding Namespace to list of watched Namespaces: %v", ns.Name)
+ lbc.AddSyncQueue(obj)
+ },
+ DeleteFunc: func(obj interface{}) {
+ ns, isNs := obj.(*api_v1.Namespace)
+ if !isNs {
+ deletedState, ok := obj.(cache.DeletedFinalStateUnknown)
+ if !ok {
+ glog.V(3).Infof("Error received unexpected object: %v", obj)
+ return
+ }
+ ns, ok = deletedState.Obj.(*api_v1.Namespace)
+ if !ok {
+ glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-Namespace object: %v", deletedState.Obj)
+ return
+ }
+ }
+ glog.V(3).Infof("Removing Namespace from list of watched Namespaces: %v", ns.Name)
+ lbc.AddSyncQueue(obj)
+ },
+ UpdateFunc: func(old, cur interface{}) {
+ if !reflect.DeepEqual(old, cur) {
+ glog.V(3).Infof("Namespace %v changed, syncing", cur.(*api_v1.Namespace).Name)
+ lbc.AddSyncQueue(cur)
+ }
+ },
+ }
+}
+
+func (lbc *LoadBalancerController) addNamespaceHandler(handlers cache.ResourceEventHandlerFuncs, nsLabel string) {
+ optionsModifier := func(options *meta_v1.ListOptions) {
+ options.LabelSelector = nsLabel
+ }
+ nsInformer := informers.NewSharedInformerFactoryWithOptions(lbc.client, lbc.resync, informers.WithTweakListOptions(optionsModifier)).Core().V1().Namespaces().Informer()
+ nsInformer.AddEventHandler(handlers) //nolint:errcheck,gosec
+ lbc.namespaceLabeledLister = nsInformer.GetStore()
+ lbc.namespaceWatcherController = nsInformer
+
+ lbc.cacheSyncs = append(lbc.cacheSyncs, nsInformer.HasSynced)
+}
+
+func (lbc *LoadBalancerController) syncNamespace(task task) {
+ key := task.Key
+ // process namespace and add to / remove from watched namespace list
+ _, exists, err := lbc.namespaceLabeledLister.GetByKey(key)
+ if err != nil {
+ lbc.syncQueue.Requeue(task, err)
+ return
+ }
+
+ if !exists {
+ // Check if change is because of a new label, or because of a deleted namespace
+ ns, _ := lbc.client.CoreV1().Namespaces().Get(context.TODO(), key, meta_v1.GetOptions{})
+
+ if ns != nil && ns.Status.Phase == api_v1.NamespaceActive {
+ // namespace still exists
+ glog.Infof("Removing Configuration for Unwatched Namespace: %v", key)
+ // Watched label for namespace was removed
+ // delete any now unwatched namespaced informer groups if required
+ nsi := lbc.getNamespacedInformer(key)
+ if nsi != nil {
+ lbc.cleanupUnwatchedNamespacedResources(nsi)
+ delete(lbc.namespacedInformers, key)
+ }
+ } else {
+ glog.Infof("Deleting Watchers for Deleted Namespace: %v", key)
+ nsi := lbc.getNamespacedInformer(key)
+ if nsi != nil {
+ lbc.removeNamespacedInformer(nsi, key)
+ }
+ }
+ if lbc.certManagerController != nil {
+ lbc.certManagerController.RemoveNamespacedInformer(key)
+ }
+ if lbc.externalDNSController != nil {
+ lbc.externalDNSController.RemoveNamespacedInformer(key)
+ }
+ } else {
+ // check if informer group already exists
+ // if not create new namespaced informer group
+ // update cert-manager informer group if required
+ // update external-dns informer group if required
+ glog.V(3).Infof("Adding or Updating Watched Namespace: %v", key)
+ nsi := lbc.getNamespacedInformer(key)
+ if nsi == nil {
+ glog.Infof("Adding New Watched Namespace: %v", key)
+ nsi = lbc.newNamespacedInformer(key)
+ nsi.start()
+ }
+ if lbc.certManagerController != nil {
+ lbc.certManagerController.AddNewNamespacedInformer(key)
+ }
+ if lbc.externalDNSController != nil {
+ lbc.externalDNSController.AddNewNamespacedInformer(key)
+ }
+ if !cache.WaitForCacheSync(nsi.stopCh, nsi.cacheSyncs...) {
+ return
+ }
+ }
+}
From edd145a07c1fc2b2e1e0d83267f52ea9a3fe8fef Mon Sep 17 00:00:00 2001 From: Jim Ryan Date: Thu, 12 Sep 2024 11:09:00 +0100 Subject: [PATCH 74/83] update readme community call dates and badge (#6404) * update readme community call dates and badge * add event=schedule to badge --- README.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 0a62fdd902..9322b4aea9 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@ [![OpenSSFScorecard](https://api.securityscorecards.dev/projects/github.com/nginxinc/kubernetes-ingress/badge)](https://api.securityscorecards.dev/projects/github.com/nginxinc/kubernetes-ingress) -[![Regression](https://github.com/nginxinc/kubernetes-ingress/actions/workflows/regression.yml/badge.svg)](https://github.com/nginxinc/kubernetes-ingress/actions/workflows/regression.yml) +[![Regression](https://github.com/nginxinc/kubernetes-ingress/actions/workflows/regression.yml/badge.svg?event=schedule)](https://github.com/nginxinc/kubernetes-ingress/actions/workflows/regression.yml?query=event%3Aschedule) [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B5618%2Fgithub.com%2Fnginxinc%2Fkubernetes-ingress.svg?type=shield)](https://app.fossa.com/projects/custom%2B5618%2Fgithub.com%2Fnginxinc%2Fkubernetes-ingress?ref=badge_shield) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Go Report Card](https://goreportcard.com/badge/github.com/nginxinc/kubernetes-ingress)](https://goreportcard.com/report/github.com/nginxinc/kubernetes-ingress)
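Review bot: In `syncNamespace` (internal/k8s/namespace.go), the lookup `ns, _ := lbc.client.CoreV1().Namespaces().Get(context.TODO(), key, meta_v1.GetOptions{})` discards its error, so a failed call (timeout, throttling, a forbidden response) cannot be told apart from a deleted namespace. As far as I can tell the object returned on error will not report `NamespaceActive`, so the else branch runs and `cleanupUnwatchedNamespacedResources` is skipped; a namespace whose watch label was removed could then keep its generated configuration (inferred, since `removeNamespacedInformer` is only partly visible in this patch). Only a not-found result should count as deletion: keep the error and add `if err != nil && !apierrors.IsNotFound(err) { lbc.syncQueue.Requeue(task, err); return }` before the phase check, with `apierrors` imported from `k8s.io/apimachinery/pkg/api/errors`. The body is moved unchanged from controller.go, so this is carried-over behaviour that the new file is a good place to fix.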
@@ -29,14 +29,13 @@ We value community input and would love to see you at the next community call. A **Slack**: Join our channel `#nginx-ingress-controller` on the [NGINX Community Slack](https://nginxcommunity.slack.com/channels/nginx-ingress-controller) for updates and discussions. **When**: 15:00 GMT / [Convert to your timezone](https://dateful.com/convert/gmt?t=15), every other Monday. -| **Community Call Dates** | Notes | -| ------------------------ | ---------------------------- | -| **2024-07-15** | | -| **2024-07-29** | | -| **2024-08-12** | | -| **2024-08-26** | | -| **2024-09-09** | | -| **2024-09-23** | | +| **Community Call Dates** | +| ------------------------ | +| **2024-09-23** | +| **2024-10-07** | +| **2024-10-21** | +| **2024-11-04** | +| **2024-11-18** | --- NGINX Ingress Controller works with both NGINX and NGINX Plus and supports the standard Ingress features - content-based From 351703641810c95ab2f1c6813b378f0ccd37e2d2 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Thu, 12 Sep 2024 03:36:30 -0700 Subject: [PATCH 75/83] Docker image update 6aa37ee4 (#6391) Update docker images 6aa37ee4 Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> --- build/Dockerfile | 6 +++--- build/dependencies/Dockerfile.ubi-ppc64le | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 918c27e268..a64c78d244 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -16,7 +16,7 @@ FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1-alpine@sha256:04ced4219 FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e2bd639b269ec54343ea66b7acbdb0eb67bed44383e1be937c483c451d AS ubi-ppc64le FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 -FROM redhat/ubi9-minimal@sha256:f182b500ff167918ca1010595311cf162464f3aa1cab755383d38be61b4d30aa AS ubi-minimal +FROM redhat/ubi9-minimal@sha256:1b6d711648229a1c987f39cfdfccaebe2bd92d0b5d8caa5dbaa5234a9278a0b2 AS ubi-minimal FROM golang:1.23-alpine@sha256:49bbb517cfa9eee677e1e7897f7cf9cfdbcf49e05f61984a2789136de359f9bd AS golang-builder @@ -439,7 +439,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI8 with NGINX Plus and App Protect WAF ############################################# -FROM redhat/ubi8@sha256:d5e2d1ddf34b573673581940f1341c7b3301ff8efde28f17100b31a3df7d94b6 AS ubi-8-plus-nap +FROM redhat/ubi8@sha256:fbfce63673a271ecb857faac4412442fe7aeb3a84f564d16a790ca7b5c8b7105 AS ubi-8-plus-nap ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -484,7 +484,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI8 with NGINX Plus and App Protect WAFv5 ############################################# -FROM redhat/ubi8@sha256:d5e2d1ddf34b573673581940f1341c7b3301ff8efde28f17100b31a3df7d94b6 AS ubi-8-plus-nap-v5 +FROM redhat/ubi8@sha256:fbfce63673a271ecb857faac4412442fe7aeb3a84f564d16a790ca7b5c8b7105 AS ubi-8-plus-nap-v5 ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION 
diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le index e23ebb690d..67076ddc06 100644 --- a/build/dependencies/Dockerfile.ubi-ppc64le +++ b/build/dependencies/Dockerfile.ubi-ppc64le @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.8 FROM nginx:1.27.1@sha256:135fbc7ed19c8f644ddf678e68292e678696908451dad7ee2fd4e0cf861f4b6f AS nginx -FROM redhat/ubi9:9.4@sha256:9460515b85f2a75278f2043438583c1c377c44bf100178bb653a6c8658304ac7 AS rpm-build +FROM redhat/ubi9:9.4@sha256:7575b6e3cc492f856daf8c43f30692d8f5fcd5b7077806dba4bac436ad0a84e8 AS rpm-build ARG NGINX ARG NJS ENV NGINX_VERSION ${NGINX} From f6f0aaa6c362fd80e753ab256418f85b4178afdf Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 12 Sep 2024 12:23:04 +0100 Subject: [PATCH 76/83] refactor Service Controller to it's own file (#6395) --- internal/k8s/controller.go | 82 -------------- internal/k8s/handlers.go | 104 ------------------ internal/k8s/handlers_test.go | 151 -------------------------- internal/k8s/service.go | 196 ++++++++++++++++++++++++++++++++++ internal/k8s/service_test.go | 157 +++++++++++++++++++++++++++ 5 files changed, 353 insertions(+), 337 deletions(-) create mode 100644 internal/k8s/service.go create mode 100644 internal/k8s/service_test.go diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go index c4241fcc79..e6f01ccd36 100644 --- a/internal/k8s/controller.go +++ b/internal/k8s/controller.go 
@@ -507,15 +507,6 @@ func (nsi *namespacedInformer) addSecretHandler(handlers cache.ResourceEventHand nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) } -// addServiceHandler adds the handler for services to the controller -func (nsi *namespacedInformer) addServiceHandler(handlers cache.ResourceEventHandlerFuncs) { - informer := nsi.sharedInformerFactory.Core().V1().Services().Informer() - informer.AddEventHandler(handlers) - nsi.svcLister = informer.GetStore() - - nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) -} - // addIngressHandler adds the handler for ingresses to the controller func (nsi *namespacedInformer) addIngressHandler(handlers cache.ResourceEventHandlerFuncs) { informer := nsi.sharedInformerFactory.Networking().V1().Ingresses().Informer() 
@@ -1618,79 +1609,6 @@ func (lbc *LoadBalancerController) updateVirtualServerMetrics() { lbc.metricsCollector.SetVirtualServerRoutes(vsrCount) } -func (lbc *LoadBalancerController) syncService(task task) { - key := task.Key - - var obj interface{} - var exists bool - var err error - - ns, _, _ := cache.SplitMetaNamespaceKey(key) - obj, exists, err = lbc.getNamespacedInformer(ns).svcLister.GetByKey(key) - if err != nil { - lbc.syncQueue.Requeue(task, err) - return - } - - // First case: the service is the external service for the Ingress Controller - // In that case we need to update the statuses of all resources - - if lbc.IsExternalServiceKeyForStatus(key) { - glog.V(3).Infof("Syncing service %v", key) - - if !exists { - // service got removed - lbc.statusUpdater.ClearStatusFromExternalService() - } else { - // service added or updated - lbc.statusUpdater.SaveStatusFromExternalService(obj.(*api_v1.Service)) - } - - if lbc.reportStatusEnabled() { - ingresses := lbc.configuration.GetResourcesWithFilter(resourceFilter{Ingresses: true}) - - glog.V(3).Infof("Updating status for %v Ingresses", len(ingresses)) - - err := lbc.statusUpdater.UpdateExternalEndpointsForResources(ingresses) - if err != nil { - glog.Errorf("error updating ingress status in syncService: %v", err) - } - } - - if lbc.areCustomResourcesEnabled && lbc.reportCustomResourceStatusEnabled() { - virtualServers := lbc.configuration.GetResourcesWithFilter(resourceFilter{VirtualServers: true}) - - glog.V(3).Infof("Updating status for %v VirtualServers", len(virtualServers)) - - err := lbc.statusUpdater.UpdateExternalEndpointsForResources(virtualServers) - if err != nil { - glog.V(3).Infof("error updating VirtualServer/VirtualServerRoute status in syncService: %v", err) - } - } - - // we don't return here because technically the same service could be used in the second case - } - - // Second case: the service is referenced by some resources in the cluster - - // it is safe to ignore the error - namespace, 
name, _ := ParseNamespaceName(key) - - resources := lbc.configuration.FindResourcesForService(namespace, name) - - if len(resources) == 0 { - return - } - glog.V(3).Infof("Syncing service %v", key) - - glog.V(3).Infof("Updating %v resources", len(resources)) - - resourceExes := lbc.createExtendedResources(resources) - - warnings, updateErr := lbc.configurator.AddOrUpdateResources(resourceExes, true) - lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr) -} - // IsExternalServiceForStatus matches the service specified by the external-service cli arg func (lbc *LoadBalancerController) IsExternalServiceForStatus(svc *api_v1.Service) bool { return lbc.statusUpdater.namespace == svc.Namespace && lbc.statusUpdater.externalServiceName == svc.Name diff --git a/internal/k8s/handlers.go b/internal/k8s/handlers.go index 19df28450a..ff79b38c8c 100644 --- a/internal/k8s/handlers.go +++ b/internal/k8s/handlers.go @@ -3,7 +3,6 @@ package k8s import ( "fmt" "reflect" - "sort" "github.com/jinzhu/copier" 
@@ -103,109 +102,6 @@ func createSecretHandlers(lbc *LoadBalancerController) cache.ResourceEventHandle } } -// createServiceHandlers builds the handler funcs for services. -// -// In the update handlers below we catch two cases: -// (1) the service is the external service -// (2) the service had a change like a change of the port field of a service port (for such a change Kubernetes doesn't -// update the corresponding endpoints resource, that we monitor as well) -// or a change of the externalName field of an ExternalName service. -// -// In both cases we enqueue the service to be processed by syncService -func createServiceHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { - return cache.ResourceEventHandlerFuncs{ - AddFunc: func(obj interface{}) { - svc := obj.(*v1.Service) - - glog.V(3).Infof("Adding service: %v", svc.Name) - lbc.AddSyncQueue(svc) - }, - DeleteFunc: func(obj interface{}) { - svc, isSvc := obj.(*v1.Service) - if !isSvc { - deletedState, ok := obj.(cache.DeletedFinalStateUnknown) - if !ok { - glog.V(3).Infof("Error received unexpected object: %v", obj) - return - } - svc, ok = deletedState.Obj.(*v1.Service) - if !ok { - glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-Service object: %v", deletedState.Obj) - return - } - } - - glog.V(3).Infof("Removing service: %v", svc.Name) - lbc.AddSyncQueue(svc) - }, - UpdateFunc: func(old, cur interface{}) { - if !reflect.DeepEqual(old, cur) { - curSvc := cur.(*v1.Service) - if lbc.IsExternalServiceForStatus(curSvc) { - lbc.AddSyncQueue(curSvc) - return - } - oldSvc := old.(*v1.Service) - if hasServiceChanges(oldSvc, curSvc) { - glog.V(3).Infof("Service %v changed, syncing", curSvc.Name) - lbc.AddSyncQueue(curSvc) - } - } - }, - } -} - -type portSort []v1.ServicePort - -func (a portSort) Len() int { - return len(a) -} - -func (a portSort) Swap(i, j int) { - a[i], a[j] = a[j], a[i] -} - -func (a portSort) Less(i, j int) bool { - if a[i].Name == a[j].Name { - return a[i].Port 
< a[j].Port - } - return a[i].Name < a[j].Name -} - -// hasServicedChanged checks if the service has changed based on custom rules we define (eg. port). -func hasServiceChanges(oldSvc, curSvc *v1.Service) bool { - if hasServicePortChanges(oldSvc.Spec.Ports, curSvc.Spec.Ports) { - return true - } - if hasServiceExternalNameChanges(oldSvc, curSvc) { - return true - } - return false -} - -// hasServiceExternalNameChanges only compares Service.Spec.Externalname for Type ExternalName services. -func hasServiceExternalNameChanges(oldSvc, curSvc *v1.Service) bool { - return curSvc.Spec.Type == v1.ServiceTypeExternalName && oldSvc.Spec.ExternalName != curSvc.Spec.ExternalName -} - -// hasServicePortChanges only compares ServicePort.Name and .Port. -func hasServicePortChanges(oldServicePorts []v1.ServicePort, curServicePorts []v1.ServicePort) bool { - if len(oldServicePorts) != len(curServicePorts) { - return true - } - - sort.Sort(portSort(oldServicePorts)) - sort.Sort(portSort(curServicePorts)) - - for i := range oldServicePorts { - if oldServicePorts[i].Port != curServicePorts[i].Port || - oldServicePorts[i].Name != curServicePorts[i].Name { - return true - } - } - return false -} - func createVirtualServerHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { return cache.ResourceEventHandlerFuncs{ AddFunc: func(obj interface{}) { diff --git a/internal/k8s/handlers_test.go b/internal/k8s/handlers_test.go index ca80341cb8..c06e27aa32 100644 --- a/internal/k8s/handlers_test.go +++ b/internal/k8s/handlers_test.go 
@@ -4,160 +4,9 @@ import ( "errors" "testing" - v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/util/intstr" ) -func TestHasServicePortChanges(t *testing.T) { - t.Parallel() - cases := []struct { - a []v1.ServicePort - b []v1.ServicePort - result bool - reason string - }{ - { - []v1.ServicePort{}, - []v1.ServicePort{}, - false, - "Empty should report no changes", - }, - { - []v1.ServicePort{{ - Port: 80, - }}, - []v1.ServicePort{{ - Port: 8080, - }}, - true, - "Different Ports", - }, - { - []v1.ServicePort{{ - Port: 80, - }}, - []v1.ServicePort{{ - Port: 80, - }}, - false, - "Same Ports", - }, - { - []v1.ServicePort{{ - Name: "asdf", - Port: 80, - }}, - []v1.ServicePort{{ - Name: "asdf", - Port: 80, - }}, - false, - "Same Port and Name", - }, - { - []v1.ServicePort{{ - Name: "foo", - Port: 80, - }}, - []v1.ServicePort{{ - Name: "bar", - Port: 80, - }}, - true, - "Different Name same Port", - }, - { - []v1.ServicePort{{ - Name: "foo", - Port: 8080, - }}, - []v1.ServicePort{{ - Name: "bar", - Port: 80, - }}, - true, - "Different Name different Port", - }, - { - []v1.ServicePort{{ - Name: "foo", - }}, - []v1.ServicePort{{ - Name: "fooo", - }}, - true, - "Very similar Name", - }, - { - []v1.ServicePort{{ - Name: "asdf", - Port: 80, - TargetPort: intstr.IntOrString{ - IntVal: 80, - }, - }}, - []v1.ServicePort{{ - Name: "asdf", - Port: 80, - TargetPort: intstr.IntOrString{ - IntVal: 8080, - }, - }}, - false, - "TargetPort should be ignored", - }, - { - []v1.ServicePort{{ - Name: "foo", - }, { - Name: "bar", - }}, - []v1.ServicePort{{ - Name: "foo", - }, { - Name: "bar", - }}, - false, - "Multiple same names", - }, - { - []v1.ServicePort{{ - Name: "foo", - }, { - Name: "bar", - }}, - []v1.ServicePort{{ - Name: "foo", - }, { - Name: "bars", - }}, - true, - "Multiple different names", - }, - { - []v1.ServicePort{{ - Name: "foo", - }, { - Port: 80, - }}, - []v1.ServicePort{{ - Port: 80, - }, { - Name: "foo", - }}, - 
false, - "Some names some ports", - }, - } - - for _, c := range cases { - if c.result != hasServicePortChanges(c.a, c.b) { - t.Errorf("hasServicePortChanges returned %v, but expected %v for %q case", c.result, !c.result, c.reason) - } - } -} - func TestAreResourcesDifferent(t *testing.T) { t.Parallel() tests := []struct { diff --git a/internal/k8s/service.go b/internal/k8s/service.go new file mode 100644 index 0000000000..e8432f8e42 --- /dev/null +++ b/internal/k8s/service.go 
@@ -0,0 +1,196 @@ +package k8s + +import ( + "reflect" + "sort" + + "github.com/golang/glog" + api_v1 "k8s.io/api/core/v1" + v1 "k8s.io/api/core/v1" + "k8s.io/client-go/tools/cache" +) + +// createServiceHandlers builds the handler funcs for services. +// +// In the update handlers below we catch two cases: +// (1) the service is the external service +// (2) the service had a change like a change of the port field of a service port (for such a change Kubernetes doesn't +// update the corresponding endpoints resource, that we monitor as well) +// or a change of the externalName field of an ExternalName service. +// +// In both cases we enqueue the service to be processed by syncService +func createServiceHandlers(lbc *LoadBalancerController) cache.ResourceEventHandlerFuncs { + return cache.ResourceEventHandlerFuncs{ + AddFunc: func(obj interface{}) { + svc := obj.(*v1.Service) + + glog.V(3).Infof("Adding service: %v", svc.Name) + lbc.AddSyncQueue(svc) + }, + DeleteFunc: func(obj interface{}) { + svc, isSvc := obj.(*v1.Service) + if !isSvc { + deletedState, ok := obj.(cache.DeletedFinalStateUnknown) + if !ok { + glog.V(3).Infof("Error received unexpected object: %v", obj) + return + } + svc, ok = deletedState.Obj.(*v1.Service) + if !ok { + glog.V(3).Infof("Error DeletedFinalStateUnknown contained non-Service object: %v", deletedState.Obj) + return + } + } + + glog.V(3).Infof("Removing service: %v", svc.Name) + lbc.AddSyncQueue(svc) + }, + UpdateFunc: func(old, cur interface{}) { + if !reflect.DeepEqual(old, cur) { + curSvc := cur.(*v1.Service) + if lbc.IsExternalServiceForStatus(curSvc) { + lbc.AddSyncQueue(curSvc) + return + } + oldSvc := old.(*v1.Service) + if hasServiceChanges(oldSvc, curSvc) { + glog.V(3).Infof("Service %v changed, syncing", curSvc.Name) + lbc.AddSyncQueue(curSvc) + } + } + }, + } +} + +// hasServicedChanged checks if the service has changed based on custom rules we define (eg. port). 
+func hasServiceChanges(oldSvc, curSvc *v1.Service) bool { + if hasServicePortChanges(oldSvc.Spec.Ports, curSvc.Spec.Ports) { + return true + } + if hasServiceExternalNameChanges(oldSvc, curSvc) { + return true + } + return false +} + +// hasServiceExternalNameChanges only compares Service.Spec.Externalname for Type ExternalName services. +func hasServiceExternalNameChanges(oldSvc, curSvc *v1.Service) bool { + return curSvc.Spec.Type == v1.ServiceTypeExternalName && oldSvc.Spec.ExternalName != curSvc.Spec.ExternalName +} + +// hasServicePortChanges only compares ServicePort.Name and .Port. +func hasServicePortChanges(oldServicePorts []v1.ServicePort, curServicePorts []v1.ServicePort) bool { + if len(oldServicePorts) != len(curServicePorts) { + return true + } + + sort.Sort(portSort(oldServicePorts)) + sort.Sort(portSort(curServicePorts)) + + for i := range oldServicePorts { + if oldServicePorts[i].Port != curServicePorts[i].Port || + oldServicePorts[i].Name != curServicePorts[i].Name { + return true + } + } + return false +} + +type portSort []v1.ServicePort + +func (a portSort) Len() int { + return len(a) +} + +func (a portSort) Swap(i, j int) { + a[i], a[j] = a[j], a[i] +} + +func (a portSort) Less(i, j int) bool { + if a[i].Name == a[j].Name { + return a[i].Port < a[j].Port + } + return a[i].Name < a[j].Name +} + +// addServiceHandler adds the handler for services to the controller +func (nsi *namespacedInformer) addServiceHandler(handlers cache.ResourceEventHandlerFuncs) { + informer := nsi.sharedInformerFactory.Core().V1().Services().Informer() + informer.AddEventHandler(handlers) //nolint:errcheck,gosec + nsi.svcLister = informer.GetStore() + + nsi.cacheSyncs = append(nsi.cacheSyncs, informer.HasSynced) +} + +func (lbc *LoadBalancerController) syncService(task task) { + key := task.Key + + var obj interface{} + var exists bool + var err error + + ns, _, _ := cache.SplitMetaNamespaceKey(key) + obj, exists, err = 
lbc.getNamespacedInformer(ns).svcLister.GetByKey(key) + if err != nil { + lbc.syncQueue.Requeue(task, err) + return + } + + // First case: the service is the external service for the Ingress Controller + // In that case we need to update the statuses of all resources + + if lbc.IsExternalServiceKeyForStatus(key) { + glog.V(3).Infof("Syncing service %v", key) + + if !exists { + // service got removed + lbc.statusUpdater.ClearStatusFromExternalService() + } else { + // service added or updated + lbc.statusUpdater.SaveStatusFromExternalService(obj.(*api_v1.Service)) + } + + if lbc.reportStatusEnabled() { + ingresses := lbc.configuration.GetResourcesWithFilter(resourceFilter{Ingresses: true}) + + glog.V(3).Infof("Updating status for %v Ingresses", len(ingresses)) + + err := lbc.statusUpdater.UpdateExternalEndpointsForResources(ingresses) + if err != nil { + glog.Errorf("error updating ingress status in syncService: %v", err) + } + } + + if lbc.areCustomResourcesEnabled && lbc.reportCustomResourceStatusEnabled() { + virtualServers := lbc.configuration.GetResourcesWithFilter(resourceFilter{VirtualServers: true}) + + glog.V(3).Infof("Updating status for %v VirtualServers", len(virtualServers)) + + err := lbc.statusUpdater.UpdateExternalEndpointsForResources(virtualServers) + if err != nil { + glog.V(3).Infof("error updating VirtualServer/VirtualServerRoute status in syncService: %v", err) + } + } + + // we don't return here because technically the same service could be used in the second case + } + + // Second case: the service is referenced by some resources in the cluster + + // it is safe to ignore the error + namespace, name, _ := ParseNamespaceName(key) + + resources := lbc.configuration.FindResourcesForService(namespace, name) + + if len(resources) == 0 { + return + } + glog.V(3).Infof("Syncing service %v", key) + + glog.V(3).Infof("Updating %v resources", len(resources)) + + resourceExes := lbc.createExtendedResources(resources) + + warnings, updateErr := 
lbc.configurator.AddOrUpdateResources(resourceExes, true) + lbc.updateResourcesStatusAndEvents(resources, warnings, updateErr) +} diff --git a/internal/k8s/service_test.go b/internal/k8s/service_test.go new file mode 100644 index 0000000000..dcaaecf70c --- /dev/null +++ b/internal/k8s/service_test.go 
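Review bot: hasServicePortChanges sorts both argument slices in place (`sort.Sort(portSort(oldServicePorts))`, `sort.Sort(portSort(curServicePorts))`), and the UpdateFunc in createServiceHandlers passes it `oldSvc.Spec.Ports` and `curSvc.Spec.Ports` directly from the event arguments. Those objects presumably belong to the shared informer cache, which is meant to be read-only, so the sort can race with other readers and silently reorders the cached ports. Sorting copies avoids this: add `oldServicePorts = append([]v1.ServicePort(nil), oldServicePorts...)` and `curServicePorts = append([]v1.ServicePort(nil), curServicePorts...)` before the two sort calls. The code is moved unchanged from handlers.go, so the behaviour predates this commit, but the new file is a good place to fix it. The import block also pulls in `k8s.io/api/core/v1` twice, as `api_v1` and `v1`; one alias is enough.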
@@ -0,0 +1,157 @@ +package k8s + +import ( + "testing" + + v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +func TestHasServicePortChanges(t *testing.T) { + t.Parallel() + cases := []struct { + a []v1.ServicePort + b []v1.ServicePort + result bool + reason string + }{ + { + []v1.ServicePort{}, + []v1.ServicePort{}, + false, + "Empty should report no changes", + }, + { + []v1.ServicePort{{ + Port: 80, + }}, + []v1.ServicePort{{ + Port: 8080, + }}, + true, + "Different Ports", + }, + { + []v1.ServicePort{{ + Port: 80, + }}, + []v1.ServicePort{{ + Port: 80, + }}, + false, + "Same Ports", + }, + { + []v1.ServicePort{{ + Name: "asdf", + Port: 80, + }}, + []v1.ServicePort{{ + Name: "asdf", + Port: 80, + }}, + false, + "Same Port and Name", + }, + { + []v1.ServicePort{{ + Name: "foo", + Port: 80, + }}, + []v1.ServicePort{{ + Name: "bar", + Port: 80, + }}, + true, + "Different Name same Port", + }, + { + []v1.ServicePort{{ + Name: "foo", + Port: 8080, + }}, + []v1.ServicePort{{ + Name: "bar", + Port: 80, + }}, + true, + "Different Name different Port", + }, + { + []v1.ServicePort{{ + Name: "foo", + }}, + []v1.ServicePort{{ + Name: "fooo", + }}, + true, + "Very similar Name", + }, + { + []v1.ServicePort{{ + Name: "asdf", + Port: 80, + TargetPort: intstr.IntOrString{ + IntVal: 80, + }, + }}, + []v1.ServicePort{{ + Name: "asdf", + Port: 80, + TargetPort: intstr.IntOrString{ + IntVal: 8080, + }, + }}, + false, + "TargetPort should be ignored", + }, + { + []v1.ServicePort{{ + Name: "foo", + }, { + Name: "bar", + }}, + []v1.ServicePort{{ + Name: "foo", + }, { + Name: "bar", + }}, + false, + "Multiple same names", + }, + { + []v1.ServicePort{{ + Name: "foo", + }, { + Name: "bar", + }}, + []v1.ServicePort{{ + Name: "foo", + }, { + Name: "bars", + }}, + true, + "Multiple different names", + }, + { + []v1.ServicePort{{ + Name: "foo", + }, { + Port: 80, + }}, + []v1.ServicePort{{ + Port: 80, + }, { + Name: "foo", + }}, + false, + "Some names some ports", + }, + } 
+ + for _, c := range cases { + if c.result != hasServicePortChanges(c.a, c.b) { + t.Errorf("hasServicePortChanges returned %v, but expected %v for %q case", c.result, !c.result, c.reason) + } + } +} From 45d3f46da501c94962e2fb9d977120d3b3d014ec Mon Sep 17 00:00:00 2001 From: Venktesh Shivam Patel Date: Thu, 12 Sep 2024 18:17:32 +0100 Subject: [PATCH 77/83] update waf v5 docs (#6407) --- .../app-protect-waf-v5/installation.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/content/installation/integrations/app-protect-waf-v5/installation.md b/docs/content/installation/integrations/app-protect-waf-v5/installation.md index 5bb896d148..9ff9cc5c06 100644 --- a/docs/content/installation/integrations/app-protect-waf-v5/installation.md +++ b/docs/content/installation/integrations/app-protect-waf-v5/installation.md @@ -310,6 +310,25 @@ Add `waf-enforcer` image to the `containers` section: ... ``` +### Update NIC container in deployment or daemonset + +Add `volumeMounts` as below: + +```yaml +... +- image: : + imagePullPolicy: IfNotPresent + name: nginx-plus-ingress + volumeMounts: + - name: app-protect-bd-config + mountPath: /opt/app_protect/bd_config + - name: app-protect-config + mountPath: /opt/app_protect/config + - name: app-protect-bundles + mountPath: /etc/app_protect/bundles +... +``` + ### Using a Deployment {{< include "installation/manifests/deployment.md" >}} From ceaa21ad319f1d8230095d4030975ce0d4064c66 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Fri, 13 Sep 2024 01:31:40 -0700 Subject: [PATCH 78/83] Docker image update 4e319f5e (#6413) Update docker images 4e319f5e --- build/Dockerfile | 2 +- tests/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index a64c78d244..0a7267dbd4 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
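Review bot: The failure message at the end of TestHasServicePortChanges has its two values swapped: `c.result` is the expected value from the table, yet it is printed after "returned", and `!c.result` is printed after "expected". A failing case would therefore report the opposite of what happened. The call should read `t.Errorf("hasServicePortChanges returned %v, but expected %v for %q case", !c.result, c.result, c.reason)`. The test is moved as-is from handlers_test.go.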
@@ -17,7 +17,7 @@ FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.17@sha256:0dcd9149b66a6b35c1253b7662c8ed7ef0e0172ceae893a82058c30668799bf2 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.2-alpine3.20@sha256:0ddcfb906a5dc931336db5ba6e0d09d5f77cc48c67e3781aba66a0a27dc14605 AS alpine-fips-3.20 FROM redhat/ubi9-minimal@sha256:1b6d711648229a1c987f39cfdfccaebe2bd92d0b5d8caa5dbaa5234a9278a0b2 AS ubi-minimal -FROM golang:1.23-alpine@sha256:49bbb517cfa9eee677e1e7897f7cf9cfdbcf49e05f61984a2789136de359f9bd AS golang-builder +FROM golang:1.23-alpine@sha256:ac67716dd016429be8d4c2c53a248d7bcdf06d34127d3dc451bda6aa5a87bc06 AS golang-builder ############################################# Base image for Alpine ############################################# diff --git a/tests/Dockerfile b/tests/Dockerfile index 45fab31233..befb15eebc 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -5,7 +5,7 @@ FROM kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date FROM quay.io/skopeo/stable:v1.16.1 -FROM python:3.12@sha256:fcad5ffb670a9f1edc5cc232b2b321e617aaaae1a22c54242964178e408e0057 +FROM python:3.12@sha256:4c3ced72a5b1cf46e72dfddc1eb308740a8f94c4acd8c80334799361e520e91b RUN apt-get update \ && apt-get install -y curl git \ From 06d5e448a33239db8c1b6b96f43cb5cd8c0b9bdf Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 09:15:12 +0000 Subject: [PATCH 79/83] Bump peter-evans/create-pull-request from 7.0.1 to 7.0.2 in the actions group (#6411) Bump peter-evans/create-pull-request in the actions group Bumps the actions group with 1 update: [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request). Updates `peter-evans/create-pull-request` from 7.0.1 to 7.0.2 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](https://github.com/peter-evans/create-pull-request/compare/8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20...d121e62763d8cc35b5fb1710e887d6e69a52d3a4) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> --- .github/workflows/release-pr.yml | 2 +- .github/workflows/update-docker-sha.yml | 2 +- .github/workflows/update-kubernetes-version.yml | 2 +- .github/workflows/version-bump.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index abd408d65d..591557ddec 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml 
@@ -70,7 +70,7 @@ jobs: .github/scripts/release-notes-update.sh ${{ github.event.inputs.new_version }} ${{ github.event.inputs.new_helm_version }} "${{ github.event.inputs.k8s_versions }}" "${{ github.event.inputs.release_date }}" - name: Create Pull Request - uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 + uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4 # v7.0.2 with: token: ${{ secrets.NGINX_PAT }} commit-message: Release ${{ github.event.inputs.new_version }} diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml index f9ea36e92a..ecc3581bef 100644 --- a/.github/workflows/update-docker-sha.yml +++ b/.github/workflows/update-docker-sha.yml @@ -75,7 +75,7 @@ jobs: echo $GITHUB_OUTPUT - name: Create Pull Request - uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 + uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4 # v7.0.2 id: pr with: token: ${{ secrets.NGINX_PAT }} diff --git a/.github/workflows/update-kubernetes-version.yml b/.github/workflows/update-kubernetes-version.yml index a563b89420..9f2dacb2c5 100644 --- a/.github/workflows/update-kubernetes-version.yml +++ b/.github/workflows/update-kubernetes-version.yml @@ -43,7 +43,7 @@ jobs: if: ${{ steps.search.outputs.found == 'false' }} - name: Create Pull Request - uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 + uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4 # v7.0.2 with: token: ${{ secrets.NGINX_PAT }} commit-message: update kubernetes version to ${{ steps.k8s-version.outputs.version }} in helm schema diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 04c98b7515..825954385e 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml 
@@ -48,7 +48,7 @@ jobs: CHART_VERSION: ${{ inputs.helm_chart_version }} - name: Create Pull Request - uses: peter-evans/create-pull-request@8867c4aba1b742c39f8d0ba35429c2dfa4b6cb20 # v7.0.1 + uses: peter-evans/create-pull-request@d121e62763d8cc35b5fb1710e887d6e69a52d3a4 # v7.0.2 with: token: ${{ secrets.NGINX_PAT }} commit-message: Version Bump for ${{ github.event.inputs.ic_version }} From 0432a95efca8f22fc71125e56035604eecfc5f9d Mon Sep 17 00:00:00 2001 From: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Date: Fri, 13 Sep 2024 10:49:19 +0100 Subject: [PATCH 80/83] Fix issues reported by staticcheck (#6415) --- internal/certmanager/sync_test.go | 2 +- .../certmanager/test_files/context_builder.go | 4 ++-- internal/configs/virtualserver_test.go | 20 +++++++++---------- internal/externaldns/sync_test.go | 4 ++-- .../appprotect/app_protect_configuration.go | 15 +++++++------- internal/k8s/validation.go | 2 +- pkg/apis/configuration/validation/common.go | 3 ++- 7 files changed, 26 insertions(+), 24 deletions(-) diff --git a/internal/certmanager/sync_test.go b/internal/certmanager/sync_test.go index b3b662fd14..0fb827ad29 100644 --- a/internal/certmanager/sync_test.go +++ b/internal/certmanager/sync_test.go @@ -519,7 +519,7 @@ func TestSync(t *testing.T) { t.Errorf("Not all expected reactors were called: %v", err) } if err := b.AllActionsExecuted(); err != nil { - t.Errorf(err.Error()) + t.Error(err.Error()) } } } diff --git a/internal/certmanager/test_files/context_builder.go b/internal/certmanager/test_files/context_builder.go index b055b288fd..461a3e17a3 100644 --- a/internal/certmanager/test_files/context_builder.go +++ b/internal/certmanager/test_files/context_builder.go 
@@ -174,10 +174,10 @@ func (b *Builder) CheckAndFinish(args ...interface{}) { b.T.Errorf("Not all expected reactors were called: %v", err) } if err := b.AllActionsExecuted(); err != nil { - b.T.Errorf(err.Error()) + b.T.Error(err.Error()) } if err := b.AllEventsCalled(); err != nil { - b.T.Errorf(err.Error()) + b.T.Error(err.Error()) } // resync listers before running checks diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index bb1741cbda..664aeaa06e 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -1479,7 +1479,7 @@ func TestGenerateVirtualServerConfigWithBackupForNGINXPlus(t *testing.T) { got, warnings := vsc.GenerateVirtualServerConfig(&virtualServerEx, nil, nil) if !cmp.Equal(want, got) { - t.Errorf(cmp.Diff(want, got)) + t.Error(cmp.Diff(want, got)) } if len(warnings) != 0 { t.Errorf("GenerateVirtualServerConfig returned warnings: %v", vsc.warnings) @@ -1786,7 +1786,7 @@ func TestGenerateVirtualServerConfig_DoesNotGenerateBackupOnMissingBackupNameFor got, warnings := vsc.GenerateVirtualServerConfig(&virtualServerEx, nil, nil) if !cmp.Equal(want, got) { - t.Errorf(cmp.Diff(want, got)) + t.Error(cmp.Diff(want, got)) } if len(warnings) != 0 { t.Errorf("GenerateVirtualServerConfig returned warnings: %v", vsc.warnings) @@ -2092,7 +2092,7 @@ func TestGenerateVirtualServerConfig_DoesNotGenerateBackupOnMissingBackupPortFor got, warnings := vsc.GenerateVirtualServerConfig(&virtualServerEx, nil, nil) if !cmp.Equal(want, got) { - t.Errorf(cmp.Diff(want, got)) + t.Error(cmp.Diff(want, got)) } if len(warnings) != 0 { t.Errorf("GenerateVirtualServerConfig returned warnings: %v", vsc.warnings) 
@@ -2396,7 +2396,7 @@ func TestGenerateVirtualServerConfig_DoesNotGenerateBackupOnMissingBackupPortAnd got, warnings := vsc.GenerateVirtualServerConfig(&virtualServerEx, nil, nil) if !cmp.Equal(want, got) { - t.Errorf(cmp.Diff(want, got)) + t.Error(cmp.Diff(want, got)) } if len(warnings) != 0 { t.Errorf("GenerateVirtualServerConfig returned warnings: %v", vsc.warnings) @@ -6347,19 +6347,19 @@ func TestGenerateVirtualServerConfigAPIKeyClientMaps(t *testing.T) { }) if !cmp.Equal(tc.expectedSpecAPIKey, vsConf.Server.APIKey) { - t.Errorf(cmp.Diff(tc.expectedSpecAPIKey, vsConf.Server.APIKey)) + t.Error(cmp.Diff(tc.expectedSpecAPIKey, vsConf.Server.APIKey)) } if !cmp.Equal(tc.expectedRoute1APIKey, vsConf.Server.Locations[0].APIKey) { - t.Errorf(cmp.Diff(tc.expectedRoute1APIKey, vsConf.Server.Locations[0].APIKey)) + t.Error(cmp.Diff(tc.expectedRoute1APIKey, vsConf.Server.Locations[0].APIKey)) } if !cmp.Equal(tc.expectedRoute2APIKey, vsConf.Server.Locations[1].APIKey) { - t.Errorf(cmp.Diff(tc.expectedRoute2APIKey, vsConf.Server.Locations[1].APIKey)) + t.Error(cmp.Diff(tc.expectedRoute2APIKey, vsConf.Server.Locations[1].APIKey)) } if !cmp.Equal(tc.expectedMapList, vsConf.Maps) { - t.Errorf(cmp.Diff(tc.expectedMapList, vsConf.Maps)) + t.Error(cmp.Diff(tc.expectedMapList, vsConf.Maps)) } if len(warnings) != 0 { @@ -7161,7 +7161,7 @@ func TestGeneratePolicies(t *testing.T) { result.BundleValidator = nil if !cmp.Equal(tc.expected, result) { - t.Errorf(cmp.Diff(tc.expected, result)) + t.Error(cmp.Diff(tc.expected, result)) } if len(vsc.warnings) > 0 { t.Errorf("generatePolicies() returned unexpected warnings %v for the case of %s", vsc.warnings, tc.msg) @@ -15803,7 +15803,7 @@ func TestRFC1123ToSnake(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { if !cmp.Equal(rfc1123ToSnake(tt.input), tt.expected) { - t.Errorf(cmp.Diff(rfc1123ToSnake(tt.input), tt.expected)) + t.Error(cmp.Diff(rfc1123ToSnake(tt.input), tt.expected)) } }) } 
diff --git a/internal/externaldns/sync_test.go b/internal/externaldns/sync_test.go index 812e4a2e66..666d1c52cb 100644 --- a/internal/externaldns/sync_test.go +++ b/internal/externaldns/sync_test.go @@ -82,10 +82,10 @@ func TestGetValidTargets(t *testing.T) { t.Fatal(err) } if !cmp.Equal(tc.wantTargets, targets) { - t.Errorf(cmp.Diff(tc.wantTargets, targets)) + t.Error(cmp.Diff(tc.wantTargets, targets)) } if recordType != tc.wantRecord { - t.Errorf(cmp.Diff(tc.wantRecord, recordType)) + t.Error(cmp.Diff(tc.wantRecord, recordType)) } }) } diff --git a/internal/k8s/appprotect/app_protect_configuration.go b/internal/k8s/appprotect/app_protect_configuration.go index 304ffeae10..97142f8d10 100644 --- a/internal/k8s/appprotect/app_protect_configuration.go +++ b/internal/k8s/appprotect/app_protect_configuration.go @@ -1,6 +1,7 @@ package appprotect import ( + "errors" "fmt" "sort" "time" @@ -208,14 +209,14 @@ func createAppProtectPolicyEx(policyObj *unstructured.Unstructured) (*PolicyEx, err := validation.ValidateAppProtectPolicy(policyObj) if err != nil { errMsg := fmt.Sprintf("Error validating policy %s: %v", policyObj.GetName(), err) - return &PolicyEx{Obj: policyObj, IsValid: false, ErrorMsg: failedValidationErrorMsg}, fmt.Errorf(errMsg) + return &PolicyEx{Obj: policyObj, IsValid: false, ErrorMsg: failedValidationErrorMsg}, errors.New(errMsg) } sigReqs := []SignatureReq{} // Check if policy has signature requirement (revision timestamp) and map them to tags list, found, err := unstructured.NestedSlice(policyObj.Object, "spec", "policy", "signature-requirements") if err != nil { errMsg := fmt.Sprintf("Error retrieving Signature requirements from %s: %v", policyObj.GetName(), err) - return &PolicyEx{Obj: policyObj, IsValid: false, ErrorMsg: failedValidationErrorMsg}, fmt.Errorf(errMsg) + return &PolicyEx{Obj: policyObj, IsValid: false, ErrorMsg: failedValidationErrorMsg}, errors.New(errMsg) } if found { for _, req := range list { 
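Review bot: In createAppProtectPolicyEx, `errors.New(errMsg)` removes the non-constant format string, but the cause is still flattened to text by the preceding `fmt.Sprintf(..., err)`, so callers cannot match it with `errors.Is` or `errors.As`. Where the message is built from an underlying error, wrapping keeps the chain, for example `fmt.Errorf("Error validating policy %s: %w", policyObj.GetName(), err)`, and if errMsg is not used elsewhere the intermediate variable can go. The same applies to the later hunks in this file that touch buildRevTimes. The function bodies start and end outside these hunks, so any other use of errMsg is not visible here.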
@@ -224,7 +225,7 @@ func createAppProtectPolicyEx(policyObj *unstructured.Unstructured) (*PolicyEx, timeReq, err := buildRevTimes(requirement) if err != nil { errMsg := fmt.Sprintf("Error creating time requirements from %s: %v", policyObj.GetName(), err) - return &PolicyEx{Obj: policyObj, IsValid: false, ErrorMsg: invalidTimestampErrorMsg}, fmt.Errorf(errMsg) + return &PolicyEx{Obj: policyObj, IsValid: false, ErrorMsg: invalidTimestampErrorMsg}, errors.New(errMsg) } sigReqs = append(sigReqs, SignatureReq{Tag: reqTag.(string), RevTimes: &timeReq}) } @@ -243,7 +244,7 @@ func buildRevTimes(requirement map[string]interface{}) (RevTimes, error) { minRevTime, err := time.Parse(timeLayout, minRev.(string)) if err != nil { errMsg := fmt.Sprintf("Error Parsing time from minRevisionDatetime %v", err) - return timeReq, fmt.Errorf(errMsg) + return timeReq, errors.New(errMsg) } timeReq.MinRevTime = &minRevTime } @@ -251,7 +252,7 @@ func buildRevTimes(requirement map[string]interface{}) (RevTimes, error) { maxRevTime, err := time.Parse(timeLayout, maxRev.(string)) if err != nil { errMsg := fmt.Sprintf("Error Parsing time from maxRevisionDatetime %v", err) - return timeReq, fmt.Errorf(errMsg) + return timeReq, errors.New(errMsg) } timeReq.MaxRevTime = &maxRevTime } @@ -278,7 +279,7 @@ func createAppProtectUserSigEx(userSigObj *unstructured.Unstructured) (*UserSigE err := validation.ValidateAppProtectUserSig(userSigObj) if err != nil { errMsg := failedValidationErrorMsg - return &UserSigEx{Obj: userSigObj, IsValid: false, Tag: sTag, ErrorMsg: errMsg}, fmt.Errorf(errMsg) + return &UserSigEx{Obj: userSigObj, IsValid: false, Tag: sTag, ErrorMsg: errMsg}, errors.New(errMsg) } // Previous validation ensures there will be no errors tag, found, _ := unstructured.NestedString(userSigObj.Object, "spec", "tag") 
@@ -290,7 +291,7 @@ func createAppProtectUserSigEx(userSigObj *unstructured.Unstructured) (*UserSigE revTime, err := time.Parse(timeLayout, revTimeString) if err != nil { errMsg := invalidTimestampErrorMsg - return &UserSigEx{Obj: userSigObj, IsValid: false, ErrorMsg: errMsg}, fmt.Errorf(errMsg) + return &UserSigEx{Obj: userSigObj, IsValid: false, ErrorMsg: errMsg}, errors.New(errMsg) } return &UserSigEx{ Obj: userSigObj, diff --git a/internal/k8s/validation.go b/internal/k8s/validation.go index 153677c983..b7324f8bc7 100644 --- a/internal/k8s/validation.go +++ b/internal/k8s/validation.go @@ -968,7 +968,7 @@ var escapedStringsFmtRegexp = regexp.MustCompile("^" + escapedStringsFmt + "$") func ValidateEscapedString(body string, examples ...string) error { if !escapedStringsFmtRegexp.MatchString(body) { msg := validation.RegexError(escapedStringsErrMsg, escapedStringsFmt, examples...) - return fmt.Errorf(msg) + return errors.New(msg) } return nil } diff --git a/pkg/apis/configuration/validation/common.go b/pkg/apis/configuration/validation/common.go index b66fcdaaa4..d93837c58a 100644 --- a/pkg/apis/configuration/validation/common.go +++ b/pkg/apis/configuration/validation/common.go @@ -1,6 +1,7 @@ package validation import ( + "errors" "fmt" "regexp" "strings" @@ -21,7 +22,7 @@ var escapedStringsFmtRegexp = regexp.MustCompile("^" + escapedStringsFmt + "$") func ValidateEscapedString(body string, examples ...string) error { if !escapedStringsFmtRegexp.MatchString(body) { msg := validation.RegexError(escapedStringsErrMsg, escapedStringsFmt, examples...) - return fmt.Errorf(msg) + return errors.New(msg) } return nil } From 105b2fe3802dc40cd976d15451f98df54f919653 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 10:19:51 +0000 Subject: [PATCH 81/83] Bump the go group with 4 updates (#6412) Bumps the go group with 4 updates: [k8s.io/api](https://github.com/kubernetes/api), [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery), [k8s.io/client-go](https://github.com/kubernetes/client-go) and [k8s.io/code-generator](https://github.com/kubernetes/code-generator). Updates `k8s.io/api` from 0.31.0 to 0.31.1 - [Commits](https://github.com/kubernetes/api/compare/v0.31.0...v0.31.1) Updates `k8s.io/apimachinery` from 0.31.0 to 0.31.1 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.31.0...v0.31.1) Updates `k8s.io/client-go` from 0.31.0 to 0.31.1 - [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes/client-go/compare/v0.31.0...v0.31.1) Updates `k8s.io/code-generator` from 0.31.0 to 0.31.1 - [Commits](https://github.com/kubernetes/code-generator/compare/v0.31.0...v0.31.1) --- updated-dependencies: - dependency-name: k8s.io/api dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: k8s.io/apimachinery dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: k8s.io/client-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go - dependency-name: k8s.io/code-generator dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 16 ++++++++-------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/go.mod b/go.mod index 795b295415..5f4e70b5fa 100644 --- a/go.mod 
+++ b/go.mod @@ -25,10 +25,10 @@ require ( go.opentelemetry.io/otel v1.30.0 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.30.0 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 - k8s.io/api v0.31.0 - k8s.io/apimachinery v0.31.0 - k8s.io/client-go v0.31.0 - k8s.io/code-generator v0.31.0 + k8s.io/api v0.31.1 + k8s.io/apimachinery v0.31.1 + k8s.io/client-go v0.31.1 + k8s.io/code-generator v0.31.1 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 sigs.k8s.io/controller-tools v0.16.2 ) diff --git a/go.sum b/go.sum index eabdd4e5a8..2d480599d4 100644 --- a/go.sum +++ b/go.sum 
@@ -420,18 +420,18 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.31.0 h1:b9LiSjR2ym/SzTOlfMHm1tr7/21aD7fSkqgD/CVJBCo=
-k8s.io/api v0.31.0/go.mod h1:0YiFF+JfFxMM6+1hQei8FY8M7s1Mth+z/q7eF1aJkTE=
+k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU=
+k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI=
 k8s.io/apiextensions-apiserver v0.31.0 h1:fZgCVhGwsclj3qCw1buVXCV6khjRzKC5eCFt24kyLSk=
 k8s.io/apiextensions-apiserver v0.31.0/go.mod h1:b9aMDEYaEe5sdK+1T0KU78ApR/5ZVp4i56VacZYEHxk=
-k8s.io/apimachinery v0.31.0 h1:m9jOiSr3FoSSL5WO9bjm1n6B9KROYYgNZOb4tyZ1lBc=
-k8s.io/apimachinery v0.31.0/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U=
+k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/apiserver v0.31.0 h1:p+2dgJjy+bk+B1Csz+mc2wl5gHwvNkC9QJV+w55LVrY=
 k8s.io/apiserver v0.31.0/go.mod h1:KI9ox5Yu902iBnnyMmy7ajonhKnkeZYJhTZ/YI+WEMk=
-k8s.io/client-go v0.31.0 h1:QqEJzNjbN2Yv1H79SsS+SWnXkBgVu4Pj3CJQgbx0gI8=
-k8s.io/client-go v0.31.0/go.mod h1:Y9wvC76g4fLjmU0BA+rV+h2cncoadjvjjkkIGoTLcGU=
-k8s.io/code-generator v0.31.0 h1:w607nrMi1KeDKB3/F/J4lIoOgAwc+gV9ZKew4XRfMp8=
-k8s.io/code-generator v0.31.0/go.mod h1:84y4w3es8rOJOUUP1rLsIiGlO1JuEaPFXQPA9e/K6U0=
+k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0=
+k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg=
+k8s.io/code-generator v0.31.1 h1:GvkRZEP2g2UnB2QKT2Dgc/kYxIkDxCHENv2Q1itioVs=
+k8s.io/code-generator v0.31.1/go.mod h1:oL2ky46L48osNqqZAeOcWWy0S5BXj50vVdwOtTefqIs=
 k8s.io/component-base v0.31.0 h1:/KIzGM5EvPNQcYgwq5NwoQBaOlVFrghoVGr8lG6vNRs=
 k8s.io/component-base v0.31.0/go.mod h1:TYVuzI1QmN4L5ItVdMSXKvH7/DtvIuas5/mm8YT3rTo=
 k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70 h1:NGrVE502P0s0/1hudf8zjgwki1X/TByhmAoILTarmzo=
From d8f09ae9786748f2c2123ea99f35cae5a35d3047 Mon Sep 17 00:00:00 2001 From: nginx-bot <68849795+nginx-bot@users.noreply.github.com> Date: Fri, 13 Sep 2024 03:54:31 -0700 Subject: [PATCH 82/83] Docker image update e762b16f (#6399) update python to latest Co-authored-by: Paul Abel Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> --- tests/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/Dockerfile b/tests/Dockerfile
index befb15eebc..436e868eff 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -5,7 +5,7 @@ FROM kindest/node:v1.31.0@sha256:53df588e04085fd41ae12de0c3fe4c72f7013bba32a20e7
 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date
 FROM quay.io/skopeo/stable:v1.16.1
-FROM python:3.12@sha256:4c3ced72a5b1cf46e72dfddc1eb308740a8f94c4acd8c80334799361e520e91b
+FROM python:3.12@sha256:7859853e7607927aa1d1b1a5a2f9e580ac90c2b66feeb1b77da97fed03b1ccbe
 RUN apt-get update \
 && apt-get install -y curl git \
From 8ffe0987e9a4bdb4237b54ea06ee9da4dd55afdb Mon Sep 17 00:00:00 2001 From: Jakub Jarosz <99677300+jjngx@users.noreply.github.com> Date: Fri, 13 Sep 2024 13:00:10 +0100 Subject: [PATCH 83/83] Remove double imports (#6416) --- internal/k8s/configmap.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/internal/k8s/configmap.go b/internal/k8s/configmap.go
index 676e7a7569..11431a1fbe 100644
--- a/internal/k8s/configmap.go
+++ b/internal/k8s/configmap.go
@@ -4,7 +4,6 @@ import (
 "reflect"
 "github.com/golang/glog"
- api_v1 "k8s.io/api/core/v1"
 v1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/client-go/tools/cache"
@@ -59,7 +58,7 @@ func (lbc *LoadBalancerController) addConfigMapHandler(handlers cache.ResourceEv
 "configmaps",
 namespace,
 fields.Everything()),
- ObjectType: &api_v1.ConfigMap{},
+ ObjectType: &v1.ConfigMap{},
 ResyncPeriod: lbc.resync,
 Handler: handlers,
 }
@@ -77,7 +76,7 @@ func (lbc *LoadBalancerController) syncConfigMap(task task) {
 return
 }
 if configExists {
- lbc.configMap = obj.(*api_v1.ConfigMap)
+ lbc.configMap = obj.(*v1.ConfigMap)
 externalStatusAddress, exists := lbc.configMap.Data["external-status-address"]
 if exists {
 lbc.statusUpdater.SaveStatusFromExternalStatus(externalStatusAddress)