diff --git a/.github/config/config-gcr-retag b/.github/config/config-gcr-retag
index 3273e6ffa..07e0e71be 100644
--- a/.github/config/config-gcr-retag
+++ b/.github/config/config-gcr-retag
@@ -1,7 +1,7 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-mktpl" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
 declare -a ADDITIONAL_TAGS=()
diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
index e1c6d12e0..9cf8fb972 100644
--- a/.github/config/config-plus-gcr-release
+++ b/.github/config/config-plus-gcr-release
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-mktpl")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips" "-ubi8")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips" "-mktpl")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
 export PUBLISH_OSS=false
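Review bot: The `-ubi` and `-ubi8` suffixes are dropped from every `*_TAG_POSTFIX_LIST` in `config-gcr-retag` without a comment recording why, and the same removal is repeated in `config-plus-gcr-release`, `config-plus-nginx` and the defaults in `copy-images.sh`. The build matrices and `patch-images.json` drop UBI in the same change, so previously published `-ubi` tags would presumably stop receiving retags and OS patch rebuilds. A header comment would make that explicit for anyone consuming or restoring these lists, for example `# UBI variants intentionally omitted: not built, patched or retagged by the current pipelines`. The lists are maintained in four places, so the comment needs repeating in each unless they are sourced from one file.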
diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx
index 546c63672..b7633a143 100644
--- a/.github/config/config-plus-nginx
+++ b/.github/config/config-plus-nginx
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=docker-mgmt.nginx.com
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("")
 export PUBLISH_OSS=false
diff --git a/.github/data/matrix-images-nap.json b/.github/data/matrix-images-nap.json
index b93c8404d..a391e9314 100644
--- a/.github/data/matrix-images-nap.json
+++ b/.github/data/matrix-images-nap.json
@@ -15,36 +15,6 @@
 "waf,dos"
 ],
 "include": [
- {
- "image": "ubi-8-plus-nap",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf"
- },
- {
- "image": "ubi-8-plus-nap-v5",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf"
- },
- {
- "image": "ubi-9-plus-nap",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf"
- },
- {
- "image": "ubi-9-plus-nap",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "dos"
- },
- {
- "image": "ubi-9-plus-nap",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf,dos"
- },
 {
 "image": "alpine-plus-nap-fips",
 "target": "goreleaser",
@@ -62,12 +32,6 @@
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "waf"
- },
- {
- "image": "ubi-9-plus-nap-v5",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf"
 }
 ]
 }
diff --git a/.github/data/matrix-images-oss.json b/.github/data/matrix-images-oss.json
index 237c3014f..7c94faf8e 100644
--- a/.github/data/matrix-images-oss.json
+++ b/.github/data/matrix-images-oss.json
@@ -5,11 +5,5 @@
 ],
 "platforms": [
 "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- ],
- "include": [
- {
- "image": "ubi",
- "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- }
 ]
 }
diff --git a/.github/data/matrix-images-plus.json b/.github/data/matrix-images-plus.json
index ab1717d37..b74a88d67 100644
--- a/.github/data/matrix-images-plus.json
+++ b/.github/data/matrix-images-plus.json
@@ -15,11 +15,6 @@
 "image": "debian-plus",
 "platforms": "linux/arm64, linux/amd64",
 "target": "aws"
- },
- {
- "image": "ubi-9-plus",
- "platforms": "linux/arm64, linux/amd64",
- "target": "goreleaser"
 }
 ]
 }
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
index 1d780e7a7..b2d6f4a40 100644
--- a/.github/data/matrix-smoke-nap.json
+++ b/.github/data/matrix-smoke-nap.json
@@ -2,7 +2,7 @@
 "images": [
 {
 "label": "AP_WAF 1/4",
- "image": "ubi-8-plus-nap",
+ "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
 "marker": "appprotect_waf_policies_allow",
@@ -10,7 +10,7 @@
 },
 {
 "label": "AP_WAF 2/4",
- "image": "ubi-9-plus-nap",
+ "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
 "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow and not appprotect_waf_policies_vsr'",
@@ -58,7 +58,7 @@
 },
 {
 "label": "AP_DOS 3/3",
- "image": "ubi-9-plus-nap",
+ "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "dos",
 "marker": "dos_learning",
diff --git a/.github/data/matrix-smoke-oss.json b/.github/data/matrix-smoke-oss.json
index a15b9b893..52a9a7f45 100644
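Review bot: In `matrix-smoke-nap.json` the `AP_WAF 1/4`, `AP_WAF 2/4` and `AP_DOS 3/3` entries now all run on `debian-plus-nap`, so the splits visible in these hunks no longer exercise a second base image. The remaining entries are outside the hunks; if they are also Debian, the `alpine-plus-nap-fips` image that `matrix-images-nap.json` still builds would ship without NAP smoke coverage. Consider pointing one WAF split at it, `"image": "alpine-plus-nap-fips",`, after confirming that split's marker set runs on that image.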
--- a/.github/data/matrix-smoke-oss.json
+++ b/.github/data/matrix-smoke-oss.json
@@ -72,7 +72,7 @@
 },
 {
 "label": "TS",
- "image": "ubi",
+ "image": "debian",
 "type": "oss",
 "marker": "ts",
 "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json
index 572d6e4d8..a67fa4add 100644
--- a/.github/data/matrix-smoke-plus.json
+++ b/.github/data/matrix-smoke-plus.json
@@ -65,14 +65,14 @@
 },
 {
 "label": "policies 1/2",
- "image": "ubi-9-plus",
+ "image": "alpine-plus",
 "type": "plus",
 "marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls'",
 "platforms": "linux/arm64, linux/amd64, linux/s390x"
 },
 {
 "label": "policies 2/2",
- "image": "ubi-9-plus",
+ "image": "debian-plus",
 "type": "plus",
 "marker": "'policies_ac or policies_jwt or policies_mtls'",
 "platforms": "linux/arm64, linux/amd64, linux/s390x"
diff --git a/.github/data/patch-images.json b/.github/data/patch-images.json
index b258b2c4c..22b2662e3 100644
--- a/.github/data/patch-images.json
+++ b/.github/data/patch-images.json
@@ -11,12 +11,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress",
 "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress",
- "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
 "source_os": "debian",
@@ -41,12 +35,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
 "platforms": "linux/arm64, linux/amd64"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
- "platforms": "linux/arm64, linux/amd64"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
 "source_os": "debian",
@@ -59,18 +47,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
 "platforms": "linux/amd64"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
- "source_os": "ubi8",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
 "source_os": "alpine-fips",
@@ -83,18 +59,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
 "platforms": "linux/amd64"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
- "source_os": "ubi8",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
 "source_os": "alpine-fips",
@@ -113,12 +77,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress",
 "platforms": "linux/amd64"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress",
 "source_os": "debian",
@@ -130,11 +88,5 @@
 "source_os": "mktpl",
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress",
 "platforms": "linux/amd64"
- },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress",
- "platforms": "linux/amd64"
 }
 ]
diff --git a/.github/scripts/copy-images.sh b/.github/scripts/copy-images.sh
index bb3a2240e..ef8d7d037 100755
--- a/.github/scripts/copy-images.sh
+++ b/.github/scripts/copy-images.sh
@@ -46,12 +46,12 @@ TARGET_NAP_WAFV5_IMAGE_PREFIX=${TARGET_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap-v5/ TARGET_NAP_DOS_IMAGE_PREFIX=${TARGET_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"} TARGET_NAP_WAF_DOS_IMAGE_PREFIX=${TARGET_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"} -declare -a OSS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine") -declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips") -declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips") -declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips") -declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi") -declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi") +declare -a OSS_TAG_POSTFIX_LIST=("" "-alpine") +declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips") +declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips") +declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips") +declare -a NAP_DOS_TAG_POSTFIX_LIST=("") +declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("") CONFIG_PATH=${CONFIG_PATH:-~/.nic-release/config} if [ -f "$CONFIG_PATH" ]; then diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 36c1b472d..b15d0c43c 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -61,7 +61,7 @@ jobs: uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Setup QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 with: platforms: arm,arm64,ppc64le,s390x @@ -92,7 +92,7 @@ jobs: type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} - name: Build Base Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: build/Dockerfile context: "." 
@@ -126,7 +126,7 @@ jobs: uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Setup QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 with: platforms: arm64,s390x @@ -157,7 +157,7 @@ jobs: type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} - name: Build Base Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: build/Dockerfile context: "." @@ -229,7 +229,7 @@ jobs: type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} - name: Build Base Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: build/Dockerfile context: "." diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 9ba58cf79..f8391962d 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -113,7 +113,7 @@ jobs: if: ${{ inputs.authenticated && ! inputs.full-build }} - name: Setup QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 with: platforms: arm,arm64,ppc64le,s390x if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} 
@@ -123,7 +123,7 @@ jobs: if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Base Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: build/Dockerfile context: "." @@ -155,7 +155,7 @@ jobs: if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Docker image - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 id: build-push with: file: build/Dockerfile diff --git a/.github/workflows/build-ot-dependency.yml b/.github/workflows/build-ot-dependency.yml index ddefeec91..650a83e5b 100644 --- a/.github/workflows/build-ot-dependency.yml +++ b/.github/workflows/build-ot-dependency.yml @@ -50,7 +50,7 @@ jobs: echo "nginx_version=${nginx_version}" >> $GITHUB_OUTPUT - name: Setup QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 with: platforms: arm,arm64,ppc64le,s390x @@ -80,7 +80,7 @@ jobs: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - name: Build and push - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: ./Dockerfile context: "." diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 17f3825b8..2f40720f3 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
@@ -120,7 +120,7 @@ jobs: if: ${{ inputs.authenticated && ! inputs.full-build }} - name: Setup QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 with: platforms: arm,arm64,ppc64le,s390x if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} @@ -130,7 +130,7 @@ jobs: if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Base Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: build/Dockerfile context: "." @@ -168,7 +168,7 @@ jobs: if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Docker image - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 id: build-push with: file: build/Dockerfile diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml index 629b2dfd0..a11e956b5 100644 --- a/.github/workflows/build-test-image.yml +++ b/.github/workflows/build-test-image.yml @@ -49,7 +49,7 @@ jobs: password: ${{ steps.auth.outputs.access_token }} - name: Build Test-Runner Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: tests/Dockerfile context: "." diff --git a/.github/workflows/build-ubi-dependency.yml b/.github/workflows/build-ubi-dependency.yml index 9d0c2b129..d9b3ce834 100644 --- a/.github/workflows/build-ubi-dependency.yml +++ b/.github/workflows/build-ubi-dependency.yml 
@@ -92,7 +92,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Setup QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 with: platforms: arm64,ppc64le,s390x @@ -118,7 +118,7 @@ jobs: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - name: Build and push - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: ./build/dependencies/Dockerfile.ubi context: "." diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b4996635b..d2a2f7948 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -443,7 +443,7 @@ jobs: if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Build Docker Image ${{ matrix.base-os }} - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: build/Dockerfile context: "." @@ -565,7 +565,7 @@ jobs: if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }} - name: Build Test-Runner Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: tests/Dockerfile context: "." diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 3cbbe1e0d..5706476c9 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
@@ -461,7 +461,7 @@ jobs: summary: true - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" path: "${{ steps.directory.outputs.directory }}/" @@ -550,7 +550,7 @@ jobs: summary: true - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" path: "${{ steps.directory.outputs.directory }}/" @@ -646,7 +646,7 @@ jobs: summary: true - name: Upload Scan Results to Github Artifacts - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}" path: "${{ steps.directory.outputs.directory }}/" diff --git a/.github/workflows/lint-format.yml b/.github/workflows/lint-format.yml index 1195d03bd..b5c85f65e 100644 --- a/.github/workflows/lint-format.yml +++ b/.github/workflows/lint-format.yml @@ -63,7 +63,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: reviewdog/action-actionlint@534eb894142bcf31616e5436cbe4214641c58101 # v1.61.0 + - uses: reviewdog/action-actionlint@af17f9e3640ac863dbcc515d45f5f35d708d0faf # v1.62.0 with: actionlint_flags: -shellcheck "" diff --git a/.github/workflows/patch-image.yml b/.github/workflows/patch-image.yml index 2b08e1824..765272ed5 100644 --- a/.github/workflows/patch-image.yml +++ b/.github/workflows/patch-image.yml 
@@ -50,7 +50,7 @@ jobs: uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 - name: Setup QEMU - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 with: platforms: arm,arm64,ppc64le,s390x @@ -70,7 +70,7 @@ jobs: password: ${{ steps.auth.outputs.access_token }} - name: Apply OS patches to Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: build/Dockerfile context: "." diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index e908e7f1b..11007e931 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -284,7 +284,7 @@ jobs: plus-jwt: ${{ secrets.PLUS_JWT }} - name: Upload Test Results - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: ${{ steps.regression-tests.outputs.test-results-name }} path: ${{ steps.regression-tests.outputs.test-results-path }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0e87afaea..019f8d80f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -294,14 +294,14 @@ jobs: with: ref: ${{ inputs.release_branch }} - - name: Certify UBI OSS images in quay - uses: ./.github/actions/certify-openshift-image - continue-on-error: true - with: - image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} - preflight_version: 1.11.1 + # - name: Certify UBI OSS images in quay + # uses: ./.github/actions/certify-openshift-image + # continue-on-error: true + # with: + # image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi + # project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} + # pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} + # preflight_version: 1.11.1 operator: if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'operator') && !contains(inputs.skip_step, 'publish-helm-chart') }} @@ -404,7 +404,7 @@ jobs: role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }} - name: Publish to AWS Marketplace - uses: nginxinc/aws-marketplace-publish@108e752101152582ed409c5faed859a891e0d7aa # v1.0.7 + uses: nginxinc/aws-marketplace-publish@accf7b4c725796b744f2ee27acc2488d76f63d32 # v1.0.8 continue-on-error: true with: version: ${{ inputs.nic_version }} @@ -621,7 +621,7 @@ jobs: strategy: fail-fast: false matrix: - image: ["nginx/nginx-ingress:${{ inputs.nic_version }}", "nginx/nginx-ingress:${{ inputs.nic_version }}-ubi", "nginx/nginx-ingress:${{ inputs.nic_version }}-alpine"] + image: ["nginx/nginx-ingress:${{ inputs.nic_version }}", "nginx/nginx-ingress:${{ inputs.nic_version }}-alpine"] steps: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 442c2a97c..df42c6ae8 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
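Review bot: The `Certify UBI OSS images in quay` step in `release.yml` is disabled by commenting it out rather than removed, which leaves dead configuration (the `CERTIFICATION_PROJECT_ID` / `PYXIS_API_TOKEN` wiring and the pinned `preflight_version: 1.11.1`) that will go stale without anyone noticing. The same pattern appears in `update-docker-images.yml`, where the commented `submit: ${{ ! inputs.dry_run || true }}` would also always evaluate truthy if restored. From the visible context the enclosing job seems to be left with only its checkout step; the job starts outside the hunk, so confirm it still does useful work. Either delete the step (and the job, if empty) and rely on git history, or keep it with a stated reason such as `# TODO: re-enable once UBI images are published again (see <ISSUE_LINK>)`.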
@@ -49,7 +49,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: SARIF file path: results.sarif diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index e4fbb5b14..a00f0895a 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -114,7 +114,7 @@ jobs: if: ${{ inputs.authenticated }} - name: Build Test-Runner Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: tests/Dockerfile context: "." @@ -126,7 +126,7 @@ jobs: if: ${{ ( !inputs.authenticated || steps.check-image.outcome == 'failure' ) }} - name: Build ${{ inputs.image }} Container - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 + uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0 with: file: build/Dockerfile context: "." @@ -169,7 +169,7 @@ jobs: if: ${{ steps.stable_exists.outputs.exists != 'true' }} - name: Upload Test Results - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: ${{ steps.smoke-tests.outputs.test-results-name }} path: ${{ steps.smoke-tests.outputs.test-results-path }} diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index fe65c8267..4aa4a6e18 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml 
@@ -177,12 +177,12 @@ jobs: - name: Checkout Repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Certify UBI OSS images in quay - uses: ./.github/actions/certify-openshift-image - with: - image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi - project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} - pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} - platforms: "" - preflight_version: 1.11.1 - submit: ${{ ! inputs.dry_run || true }} + # - name: Certify UBI OSS images in quay + # uses: ./.github/actions/certify-openshift-image + # with: + # image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi + # project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }} + # pyxis_token: ${{ secrets.PYXIS_API_TOKEN }} + # platforms: "" + # preflight_version: 1.11.1 + # submit: ${{ ! inputs.dry_run || true }} diff --git a/.markdownlint-cli2.yaml b/.markdownlint-cli2.yaml index 80de28bc8..0634b2171 100644 --- a/.markdownlint-cli2.yaml +++ b/.markdownlint-cli2.yaml @@ -7,6 +7,12 @@ config: siblings_only: true line-length: false +# Hide the Finding: when markdownlint fixes files +noProgress: true + +# Hide the markdownlint-cli and markdownlint versions on each block +noBanner: true + # Define glob expressions to ignore ignores: - ".github/**" diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d32bc6176..106ce7bff 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -45,7 +45,7 @@ repos: pass_filenames: false - repo: https://github.com/golangci/golangci-lint - rev: v1.62.2 + rev: v1.63.4 hooks: - id: golangci-lint args: [--new-from-patch=/tmp/diff.patch] 
@@ -87,12 +87,12 @@ repos: args: ["--schemafile", "charts/nginx-ingress/values.schema.json"] - repo: https://github.com/DavidAnson/markdownlint-cli2 - rev: v0.17.0 + rev: v0.17.1 hooks: - id: markdownlint-cli2 - repo: https://github.com/rhysd/actionlint - rev: v1.7.5 + rev: v1.7.6 hooks: - id: actionlint name: Lint GitHub Actions workflow files diff --git a/README.md b/README.md index bb233cfc9..e0ab2d9c1 100644 --- a/README.md +++ b/README.md 
@@ -24,23 +24,23 @@ This repo provides an implementation of an Ingress Controller for NGINX and NGIN We value community input and would love to see you at the next community call. At these calls, we discuss PRs by community members as well as issues, discussions and feature requests. -**Microsoft Teams Link**: [KIC - GitHub Issues Triage](https://teams.microsoft.com/l/meetup-join/19%3ameeting_OTRhZjFhMDMtZTQwOC00NDA4LWJiOGItZjhhMmE5NzgyMDY0%40thread.v2/0?context=%7b%22Tid%22%3a%22dd3dfd2f-6a3b-40d1-9be0-bf8327d81c50%22%2c%22Oid%22%3a%22ea616cee-2e02-45f5-8e4c-c24967346491%22%7d) +**Microsoft Teams Link**: [NIC - GitHub Issues Triage](https://teams.microsoft.com/l/meetup-join/19%3ameeting_OTRhZjFhMDMtZTQwOC00NDA4LWJiOGItZjhhMmE5NzgyMDY0%40thread.v2/0?context=%7b%22Tid%22%3a%22dd3dfd2f-6a3b-40d1-9be0-bf8327d81c50%22%2c%22Oid%22%3a%22ea616cee-2e02-45f5-8e4c-c24967346491%22%7d) **Meeting ID:** `298 140 979 789` **Passcode:** `jpx5TM` **Slack**: Join our channel `#nginx-ingress-controller` on the [NGINX Community Slack](https://nginxcommunity.slack.com/channels/nginx-ingress-controller) for updates and discussions. -**When**: 15:00 GMT / [Convert to your timezone](https://dateful.com/convert/gmt?t=15), every other Monday. +**When**: 16:00 GMT / [Convert to your timezone](https://dateful.com/convert/gmt?t=16), every other Monday. | **Community Call Dates** | | ------------------------ | -| **2024-10-07** | -| **2024-10-21** | -| **2024-11-05** | -| **2024-11-18** | -| **2024-12-02** | -| **2024-12-16** | +| **2025-01-13** | +| **2025-01-27** | +| **2025-02-10** | +| **2025-02-24** | +| **2025-03-11** | +| **2025-03-24** | --- diff --git a/build/Dockerfile b/build/Dockerfile index 8101a5f55..e74f24d63 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -11,17 +11,17 @@ ARG PACKAGE_REPO=pkgs.nginx.com ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.3@sha256:616b701245ec0605f928bb7dcb976eb4ccf678dbf2c7b375d30476b9f27bb1f8 AS opentracing-lib -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.3-alpine@sha256:8def19bba4dd54cebe1b209b565510514986497e6ed2e7423d852e6ef346dd62 AS alpine-opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.3@sha256:a09090e9f424f206a79a816d37321db2eed349ae3bc20d16bc4cbba32eedfc17 AS opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.3-alpine@sha256:339c91471fa9159987aa45ab81f00f147d49709819e207ccc0bc4d434ece2db9 AS alpine-opentracing-lib FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.3@sha256:4cda07664f09f16d780d1e803b9748c31489ea21c463bbcca50d9dcf26081a6f AS ubi-ppc64le FROM ghcr.io/nginxinc/alpine-fips:0.2.3-alpine3.17@sha256:67b69b49aff96e185be841e2b2ff2d8236551ea5c18002bffa4344798d803fd8 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.3-alpine3.20@sha256:4c29e5c50b122354d9d4ba6b97cdf64647468e788b965fc0240ead541653454a AS alpine-fips-3.20 -FROM redhat/ubi9-minimal:9.5@sha256:daa61d6103e98bccf40d7a69a0d4f8786ec390e2204fd94f7cc49053e9949360 AS ubi-minimal -FROM golang:1.23-alpine@sha256:6c5c9590f169f77c8046e45c611d3b28fe477789acd8d3762d23d4744de69812 AS golang-builder +FROM redhat/ubi9-minimal:9.5@sha256:b87097994ed62fbf1de70bc75debe8dacf3ea6e00dd577d74503ef66452c59d6 AS ubi-minimal +FROM golang:1.23-alpine@sha256:c23339199a08b0e12032856908589a6d41a0dab141b8b3b21f156fc571a3f1d3 AS golang-builder ############################################# Base image for Alpine ############################################# -FROM nginx:1.27.3-alpine@sha256:41523187cf7d7a2f2677a80609d9caa14388bf5c1fbca9c410ba3de602aaaab4 AS alpine +FROM 
nginx:1.27.3-alpine@sha256:814a8e88df978ade80e584cc5b333144b9372a8e3c98872d07137dbf3b44d0e4 AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ @@ -31,7 +31,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.27.3@sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be AS debian +FROM nginx:1.27.3@sha256:42e917aaa1b5bb40dd0f6f7f4f857490ac7747d7ef73b391c774a41a8b994f15 AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ @@ -102,7 +102,7 @@ USER 101 ############################################# Base image for Alpine with NGINX Plus ############################################## -FROM alpine:3.20@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a AS alpine-plus +FROM alpine:3.20@sha256:31687a2fdd021f85955bf2d0c2682e9c0949827560e1db546358ea094f740f12 AS alpine-plus ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO @@ -207,7 +207,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ ############################################# Base image for Debian with NGINX Plus ############################################# -FROM debian:12-slim@sha256:1537a6a1cbc4b4fd401da800ee9480207e7dc1f23560c21259f681db56768f63 AS debian-plus +FROM debian:12-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb AS debian-plus ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} diff --git a/build/dependencies/Dockerfile.ubi b/build/dependencies/Dockerfile.ubi index ea1ec816c..2fb265c3f 100644 --- a/build/dependencies/Dockerfile.ubi +++ b/build/dependencies/Dockerfile.ubi 
@@ -1,5 +1,5 @@ # syntax=docker/dockerfile:1.8 -FROM nginx:1.27.3@sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be AS nginx +FROM nginx:1.27.3@sha256:42e917aaa1b5bb40dd0f6f7f4f857490ac7747d7ef73b391c774a41a8b994f15 AS nginx FROM redhat/ubi9:9.4@sha256:ee0b908e958a1822afc57e5d386d1ea128eebe492cb2e01b6903ee19c133ea75 AS rpm-build ARG NGINX diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go index 26ba224e0..0804ac796 100644 --- a/cmd/nginx-ingress/flags.go +++ b/cmd/nginx-ingress/flags.go @@ -9,6 +9,7 @@ import ( "regexp" "strings" + internalValidation "github.com/nginxinc/kubernetes-ingress/internal/validation" api_v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/util/validation" 
@@ -345,22 +346,22 @@ func mustValidateFlags(ctx context.Context) { nl.Fatalf(l, "Invalid value for leader-election-lock-name: %v", statusLockNameValidationError) } - statusPortValidationError := validatePort(*nginxStatusPort) + statusPortValidationError := internalValidation.ValidateUnprivilegedPort(*nginxStatusPort) if statusPortValidationError != nil { nl.Fatalf(l, "Invalid value for nginx-status-port: %v", statusPortValidationError) } - metricsPortValidationError := validatePort(*prometheusMetricsListenPort) + metricsPortValidationError := internalValidation.ValidateUnprivilegedPort(*prometheusMetricsListenPort) if metricsPortValidationError != nil { nl.Fatalf(l, "Invalid value for prometheus-metrics-listen-port: %v", metricsPortValidationError) } - readyStatusPortValidationError := validatePort(*readyStatusPort) + readyStatusPortValidationError := internalValidation.ValidateUnprivilegedPort(*readyStatusPort) if readyStatusPortValidationError != nil { nl.Fatalf(l, "Invalid value for ready-status-port: %v", readyStatusPortValidationError) } - healthProbePortValidationError := validatePort(*serviceInsightListenPort) + healthProbePortValidationError := internalValidation.ValidateUnprivilegedPort(*serviceInsightListenPort) if healthProbePortValidationError != nil { nl.Fatalf(l, "Invalid value for service-insight-listen-port: %v", metricsPortValidationError) } @@ -464,14 +465,6 @@ func validateResourceName(name string) error { return nil } -// validatePort makes sure a given port is inside the valid port range for its usage -func validatePort(port int) error { - if port < 1024 || port > 65535 { - return fmt.Errorf("port outside of valid port range [1024 - 65535]: %v", port) - } - return nil -} - // validateLogLevel makes sure a given logLevel is one of the allowed values func validateLogLevel(logLevel string) error { switch strings.ToLower(logLevel) { diff --git a/cmd/nginx-ingress/flags_test.go b/cmd/nginx-ingress/flags_test.go index eeb6c2b59..6021cea8b 100644 
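Review bot: The service-insight-listen-port branch formats the wrong variable: when `healthProbePortValidationError` is non-nil, the `nl.Fatalf` call still prints `metricsPortValidationError`, which must already be nil at that point, so the message would most likely show `<nil>` instead of the reason the port was rejected. Since this commit edits the line directly above it, the call should become `nl.Fatalf(l, "Invalid value for service-insight-listen-port: %v", healthProbePortValidationError)`. mustValidateFlags starts and ends outside this hunk, so whether other checks carry the same copy-paste slip cannot be told from here.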
--- a/cmd/nginx-ingress/flags_test.go +++ b/cmd/nginx-ingress/flags_test.go @@ -7,24 +7,6 @@ import ( "testing" ) -func TestValidatePort(t *testing.T) { - badPorts := []int{80, 443, 1, 1023, 65536} - for _, badPort := range badPorts { - err := validatePort(badPort) - if err == nil { - t.Errorf("Expected error for port %v\n", badPort) - } - } - - goodPorts := []int{8080, 8081, 8082, 1024, 65535} - for _, goodPort := range goodPorts { - err := validatePort(goodPort) - if err != nil { - t.Errorf("Error for valid port: %v err: %v\n", goodPort, err) - } - } -} - func TestParseNginxStatusAllowCIDRs(t *testing.T) { badCIDRs := []struct { input string diff --git a/examples/shared-examples/nginx-plus-secret/README.md b/examples/shared-examples/nginx-plus-secret/README.md index 9e47f20f5..1a90ae77e 100644 --- a/examples/shared-examples/nginx-plus-secret/README.md +++ b/examples/shared-examples/nginx-plus-secret/README.md @@ -1,3 +1,3 @@ # NGINX Plus Secret -Refer to the [Create License Secret](https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/create-license-secret/) docs to download and create a License Secret +Refer to the [Create License Secret](https://docs.nginx.com/nginx-ingress-controller/installation/create-license-secret/) docs to download and create a License Secret diff --git a/go.mod b/go.mod index 44961ea43..f97ecb950 100644 --- a/go.mod +++ b/go.mod @@ -3,8 +3,8 @@ module github.com/nginxinc/kubernetes-ingress go 1.23.4 require ( - github.com/aws/aws-sdk-go-v2/config v1.28.7 - github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.8 + github.com/aws/aws-sdk-go-v2/config v1.28.9 + github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.9 github.com/cert-manager/cert-manager v1.16.2 github.com/dlclark/regexp2 v1.11.4 github.com/gkampitakis/go-snaps v0.5.8 
@@ -35,13 +35,13 @@ require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/BurntSushi/toml v1.4.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/aws/aws-sdk-go-v2 v1.32.7 // indirect + github.com/aws/aws-sdk-go-v2 v1.32.8 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.48 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.22 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.50 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23 // indirect github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24 // indirect github.com/aws/aws-sdk-go-v2/service/acm v1.30.6 // indirect @@ -55,7 +55,7 @@ require ( github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5 // indirect github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.5 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.7 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8 // indirect github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 // indirect github.com/aws/aws-sdk-go-v2/service/kms v1.37.6 // indirect github.com/aws/aws-sdk-go-v2/service/lambda v1.69.0 // indirect 
@@ -66,9 +66,9 @@ require ( github.com/aws/aws-sdk-go-v2/service/sns v1.33.6 // indirect github.com/aws/aws-sdk-go-v2/service/sqs v1.37.1 // indirect github.com/aws/aws-sdk-go-v2/service/ssm v1.56.0 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.24.8 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.7 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.33.3 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.33.5 // indirect github.com/aws/smithy-go v1.22.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect diff --git a/go.sum b/go.sum index 3cf2a8207..bf0533806 100644 --- a/go.sum +++ b/go.sum 
@@ -11,22 +11,22 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= -github.com/aws/aws-sdk-go-v2 v1.32.7 h1:ky5o35oENWi0JYWUZkB7WYvVPP+bcRF5/Iq7JWSb5Rw= -github.com/aws/aws-sdk-go-v2 v1.32.7/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= +github.com/aws/aws-sdk-go-v2 v1.32.8 h1:cZV+NUS/eGxKXMtmyhtYPJ7Z4YLoI/V8bkTdRZfYhGo= +github.com/aws/aws-sdk-go-v2 v1.32.8/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 h1:lL7IfaFzngfx0ZwUGOZdsFFnQ5uLvR0hWqqhyE7Q9M8= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7/go.mod h1:QraP0UcVlQJsmHfioCrveWOC1nbiWUl3ej08h4mXWoc= -github.com/aws/aws-sdk-go-v2/config v1.28.7 h1:GduUnoTXlhkgnxTD93g1nv4tVPILbdNQOzav+Wpg7AE= -github.com/aws/aws-sdk-go-v2/config v1.28.7/go.mod h1:vZGX6GVkIE8uECSUHB6MWAUsd4ZcG2Yq/dMa4refR3M= -github.com/aws/aws-sdk-go-v2/credentials v1.17.48 h1:IYdLD1qTJ0zanRavulofmqut4afs45mOWEI+MzZtTfQ= -github.com/aws/aws-sdk-go-v2/credentials v1.17.48/go.mod h1:tOscxHN3CGmuX9idQ3+qbkzrjVIx32lqDSU1/0d/qXs= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.22 h1:kqOrpojG71DxJm/KDPO+Z/y1phm1JlC8/iT+5XRmAn8= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.22/go.mod h1:NtSFajXVVL8TA2QNngagVZmUtXciyrHOt7xgz4faS/M= +github.com/aws/aws-sdk-go-v2/config v1.28.9 h1:7/P2J1MGkava+2c9Xlk7CTPTpGqFAOaM4874wJsGi4Q= +github.com/aws/aws-sdk-go-v2/config v1.28.9/go.mod h1:ce/HX8tHlIh4VTPaLz/aQIvA5+/rUghFy+nGMrXHQ9U= +github.com/aws/aws-sdk-go-v2/credentials v1.17.50 h1:63pBzfU7EG4RbMMVRv4Hgm34cIaPXICCnHojKdPbTR0= +github.com/aws/aws-sdk-go-v2/credentials v1.17.50/go.mod 
h1:m5ThO5y87w0fiAHBt9cYXS5BVsebOeJEFCGUQeZZYLw= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23 h1:IBAoD/1d8A8/1aA8g4MBVtTRHhXRiNAgwdbo/xRM2DI= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.23/go.mod h1:vfENuCM7dofkgKpYzuzf1VT1UKkA/YL3qanfBn7HCaA= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41 h1:hqcxMc2g/MwwnRMod9n6Bd+t+9Nf7d5qRg7RaXKPd6o= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.41/go.mod h1:d1eH0VrttvPmrCraU68LOyNdu26zFxQFjrVSb5vdhog= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26 h1:I/5wmGMffY4happ8NOCuIUEWGUvvFp5NSeQcXl9RHcI= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26/go.mod h1:FR8f4turZtNy6baO0KJ5FJUmXH/cSkI9fOngs0yl6mA= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26 h1:zXFLuEuMMUOvEARXFUVJdfqZ4bvvSgdGRq/ATcrQxzM= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26/go.mod h1:3o2Wpy0bogG1kyOPrgkXA8pgIfEEv0+m19O9D5+W8y8= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27 h1:jSJjSBzw8VDIbWv+mmvBSP8ezsztMYJGH+eKqi9AmNs= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.27/go.mod h1:/DAhLbFRgwhmvJdOfSm+WwikZrCuUJiA4WgJG0fTNSw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27 h1:l+X4K77Dui85pIj5foXDhPlnqcNRG2QUyvca300lXh8= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.27/go.mod h1:KvZXSFEXm6x84yE8qffKvT3x8J5clWnVFXphpohhzJ8= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.24 h1:JX70yGKLj25+lMC5Yyh8wBtvB01GDilyRuJvXJ4piD0= 
@@ -53,16 +53,16 @@ github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5 h1:gvZOjQKPxFXy1ft github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.5/go.mod h1:DLWnfvIcm9IET/mmjdxeXbBKmTCm0ZB8p1za9BVteM8= github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.5 h1:3Y457U2eGukmjYjeHG6kanZpDzJADa2m0ADqnuePYVQ= github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.5/go.mod h1:CfwEHGkTjYZpkQ/5PvcbEtT7AJlG68KkEvmtwU8z3/U= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.7 h1:8eUsivBQzZHqe/3FE+cqwfH+0p5Jo8PFM/QYQSmeZ+M= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.7/go.mod h1:kLPQvGUmxn/fqiCrDeohwG33bq2pQpGeY62yRO6Nrh0= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8 h1:cWno7lefSH6Pp+mSznagKCgfDGeZRin66UvYUqAkyeA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.8/go.mod h1:tPD+VjU3ABTBoEJ3nctu5Nyg4P4yjqSH5bJGGkY4+XE= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5 h1:P1doBzv5VEg1ONxnJss1Kh5ZG/ewoIE4MQtKKc6Crgg= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.5/go.mod h1:NOP+euMW7W3Ukt28tAxPuoWao4rhhqJD3QEBk7oCg7w= github.com/aws/aws-sdk-go-v2/service/kms v1.37.6 h1:CZImQdb1QbU9sGgJ9IswhVkxAcjkkD1eQTMA1KHWk+E= github.com/aws/aws-sdk-go-v2/service/kms v1.37.6/go.mod h1:YJDdlK0zsyxVBxGU48AR/Mi8DMrGdc1E3Yij4fNrONA= github.com/aws/aws-sdk-go-v2/service/lambda v1.69.0 h1:BXt75frE/FYtAmEDBJRBa2HexOw+oAZWZl6QknZEFgg= github.com/aws/aws-sdk-go-v2/service/lambda v1.69.0/go.mod h1:guz2K3x4FKSdDaoeB+TPVgJNU9oj2gftbp5cR8ela1A= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.8 h1:A9pJ60b8AKwlXiSbznKBcDaBTA7jIaI6gHSDqQeAZOg= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.8/go.mod h1:/aDbp2jKTGdpJwFHuwQeypaIPlCjkxMqDVUB+7GizdU= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.9 h1:BFxVuvIbwUfMtV5P070K4K4mueEP50ww/NTsVDRDTbw= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering 
v1.25.9/go.mod h1:7IsFsaR3omzkWprWJex8pGrbgiJulaKMoqHJCuHxdKU= github.com/aws/aws-sdk-go-v2/service/rds v1.91.0 h1:eqHz3Uih+gb0vLE5Cc4Xf733vOxsxDp6GFUUVQU4d7w= github.com/aws/aws-sdk-go-v2/service/rds v1.91.0/go.mod h1:h2jc7IleH3xHY7y+h8FH7WAZcz3IVLOB6/jXotIQ/qU= github.com/aws/aws-sdk-go-v2/service/route53 v1.46.2 h1:wmt05tPp/CaRZpPV5B4SaJ5TwkHKom07/BzHoLdkY1o= 
@@ -77,12 +77,12 @@ github.com/aws/aws-sdk-go-v2/service/sqs v1.37.1 h1:39WvSrVq9DD6UHkD+fx5x19P5KpR github.com/aws/aws-sdk-go-v2/service/sqs v1.37.1/go.mod h1:3gwPzC9LER/BTQdQZ3r6dUktb1rSjABF1D3Sr6nS7VU= github.com/aws/aws-sdk-go-v2/service/ssm v1.56.0 h1:mADKqoZaodipGgiZfuAjtlcr4IVBtXPZKVjkzUZCCYM= github.com/aws/aws-sdk-go-v2/service/ssm v1.56.0/go.mod h1:l9qF25TzH95FhcIak6e4vt79KE4I7M2Nf59eMUVjj6c= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.8 h1:CvuUmnXI7ebaUAhbJcDy9YQx8wHR69eZ9I7q5hszt/g= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.8/go.mod h1:XDeGv1opzwm8ubxddF0cgqkZWsyOtw4lr6dxwmb6YQg= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.7 h1:F2rBfNAL5UyswqoeWv9zs74N/NanhK16ydHW1pahX6E= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.7/go.mod h1:JfyQ0g2JG8+Krq0EuZNnRwX0mU0HrwY/tG6JNfcqh4k= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.3 h1:Xgv/hyNgvLda/M9l9qxXc4UFSgppnRczLxlMs5Ae/QY= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.3/go.mod h1:5Gn+d+VaaRgsjewpMvGazt0WfcFO+Md4wLOuBfGR9Bc= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.9 h1:YqtxripbjWb2QLyzRK9pByfEDvgg95gpC2AyDq4hFE8= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.9/go.mod h1:lV8iQpg6OLOfBnqbGMBKYjilBlf633qwHnBEiMSPoHY= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8 h1:6dBT1Lz8fK11m22R+AqfRsFn8320K0T5DTGxxOQBSMw= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.8/go.mod h1:/kiBvRQXBc6xeJTYzhSdGvJ5vm1tjaDEjH+MSeRJnlY= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.5 h1:URp6kw3vHAnuU9pgP4K1SohwWLDzgtqA/qgeBfgBxn0= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.5/go.mod h1:+8h7PZb3yY5ftmVLD7ocEoE98hdc8PoKS0H3wfx1dlc= github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
diff --git a/internal/validation/validation.go b/internal/validation/validation.go index bfeaaef45..612b8d4ee 100644 --- a/internal/validation/validation.go +++ b/internal/validation/validation.go @@ -14,13 +14,17 @@ var ( ) // ValidatePort ensure port matches rfc6335 https://www.rfc-editor.org/rfc/rfc6335.html -func ValidatePort(value string) error { - port, err := strconv.Atoi(value) - if err != nil { - return fmt.Errorf("error parsing port number: %w", err) +func ValidatePort(value int) error { + if value > 65535 || value < 1 { + return fmt.Errorf("error parsing port: %d not a valid port number", value) } - if port > 65535 || port < 1 { - return fmt.Errorf("error parsing port: %v not a valid port number", port) + return nil +} + +// ValidateUnprivilegedPort ensure port is in the 1024-65535 range +func ValidateUnprivilegedPort(value int) error { + if value > 65535 || value < 1023 { + return fmt.Errorf("port outside of valid port range [1024 - 65535]: %d", value) } return nil } @@ -34,7 +38,11 @@ func ValidateHost(host string) error { if validIPRegex.MatchString(host) || validDNSRegex.MatchString(host) || validHostnameRegex.MatchString(host) { chunks := strings.Split(host, ":") if len(chunks) > 1 { - err := ValidatePort(chunks[1]) + port, err := strconv.Atoi(chunks[1]) + if err != nil { + return err + } + err = ValidatePort(port) if err != nil { return fmt.Errorf("invalid port: %w", err) } diff --git a/internal/validation/validation_test.go b/internal/validation/validation_test.go index 9ed4cf6b2..4322aece6 100644 --- a/internal/validation/validation_test.go +++ b/internal/validation/validation_test.go @@ -8,7 +8,7 @@ import ( func TestValidatePort_IsValidOnValidInput(t *testing.T) { t.Parallel() - ports := []string{"1", "65535"} + ports := []int{1, 65535} for _, p := range ports { if err := ValidatePort(p); err != nil { t.Error(err) 
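Review bot: `ValidateUnprivilegedPort` accepts port 1023, because the lower bound is written as `value < 1023` while its doc comment and error text both promise the range [1024 - 65535]; the `validatePort` helper this commit removes from flags.go rejected it with `port < 1024`. The condition should read `if value > 65535 || value < 1024 {`. The new `TestValidateUnprivilegedPort_ErrorsOnInvalidRange` in validation_test.go does not catch this, since its list `{0, -1, 80, 443, 65536}` lacks the 1023 case that the deleted `TestValidatePort` had, so `1023` should be added back there. The callers in mustValidateFlags rely on this check for the status, metrics, readiness and service-insight listeners, so the gap lets a privileged port through flag validation.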
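Review bot: A non-numeric port now surfaces as a bare `strconv.Atoi` error, because the new `return err` in ValidateHost skips the `invalid port: %w` wrapping that the range failure a few lines below still gets. The same pattern appears in validateAppProtectDosLogDest in pkg/apis/dos/validation/dos.go, where it bypasses `invalid log destination: %w`. Wrapping it here as `return fmt.Errorf("invalid port: %w", err)`, and with the matching prefix in dos.go, keeps both failure modes reported consistently. ValidateHost starts and ends outside this hunk.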
@@ -16,20 +16,34 @@ func TestValidatePort_IsValidOnValidInput(t *testing.T) { } } -func TestValidatePort_ErrorsOnInvalidString(t *testing.T) { +func TestValidatePort_ErrorsOnInvalidRange(t *testing.T) { t.Parallel() - if err := ValidatePort(""); err == nil { - t.Error("want error, got nil") + ports := []int{0, -1, 65536} + for _, p := range ports { + if err := ValidatePort(p); err == nil { + t.Error("want error, got nil") + } } } -func TestValidatePort_ErrorsOnInvalidRange(t *testing.T) { +func TestValidateUnprivilegedPort_IsValidOnValidInput(t *testing.T) { t.Parallel() - ports := []string{"0", "-1", "65536"} + ports := []int{1024, 65535} for _, p := range ports { - if err := ValidatePort(p); err == nil { + if err := ValidateUnprivilegedPort(p); err != nil { + t.Error(err) + } + } +} + +func TestValidateUnprivilegedPort_ErrorsOnInvalidRange(t *testing.T) { + t.Parallel() + + ports := []int{0, -1, 80, 443, 65536} + for _, p := range ports { + if err := ValidateUnprivilegedPort(p); err == nil { t.Error("want error, got nil") } } diff --git a/pkg/apis/dos/validation/dos.go b/pkg/apis/dos/validation/dos.go index 9f3970fc3..523bc5e26 100644 --- a/pkg/apis/dos/validation/dos.go +++ b/pkg/apis/dos/validation/dos.go @@ -5,6 +5,7 @@ import ( "net" "net/url" "regexp" + "strconv" "strings" internalValidation "github.com/nginxinc/kubernetes-ingress/internal/validation" @@ -128,7 +129,11 @@ func validateAppProtectDosLogDest(dstAntn string) error { } if validIPRegex.MatchString(dstAntn) || validDNSRegex.MatchString(dstAntn) || validLocalhostRegex.MatchString(dstAntn) { chunks := strings.Split(dstAntn, ":") - err := internalValidation.ValidatePort(chunks[1]) + port, err := strconv.Atoi(chunks[1]) + if err != nil { + return err + } + err = internalValidation.ValidatePort(port) if err != nil { return fmt.Errorf("invalid log destination: %w", err) } 
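Review bot: In the pkg/apis/dos/validation/dos.go hunk, `chunks[1]` is read without checking how many pieces `strings.Split(dstAntn, ":")` returned, whereas ValidateHost in internal/validation guards the same access with `len(chunks) > 1`. Whether the three regexes guarantee a colon is not visible in this hunk; if any of them can match a destination without one, this would panic on what appears to be user-supplied configuration instead of returning a validation error. A guard before the `strconv.Atoi` call, such as `if len(chunks) < 2 { return fmt.Errorf("invalid log destination: missing port") }`, would make the assumption explicit. validateAppProtectDosLogDest starts and ends outside the hunk.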
diff --git a/site/content/configuration/policy-resource.md b/site/content/configuration/policy-resource.md index f5e400543..72fcece97 100644 --- a/site/content/configuration/policy-resource.md +++ b/site/content/configuration/policy-resource.md @@ -192,11 +192,14 @@ data: {{% table %}} |Field | Description | Type | Required | | ---| ---| ---| --- | +|``suppliedIn`` | `header` or `query`. | | Yes | |``suppliedIn.header`` | An array of headers that the API Key may appear in. | ``string[]`` | No | |``suppliedIn.query`` | An array of query params that the API Key may appear in. | ``string[]`` | No | |``clientSecret`` | The name of the Kubernetes secret that stores the API Key(s). It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/apikey``, and the API Key(s) must be stored in a key: val format where each key is a unique clientID and each value is a unique base64 encoded API Key | ``string`` | Yes | {{% /table %}} +{{}}An APIKey Policy must include a minimum of one of the `suppliedIn.header` or `suppliedIn.query` parameters. Both can also be supplied.{{}} + #### APIKey Merging Behavior A VirtualServer or VirtualServerRoute can be associated with only one API Key policy per route or subroute. However, it is possible to replace an API Key policy from a higher-level with a different policy defined on a more specific route. 
@@ -699,7 +702,7 @@ waf: |``securityLog.enable`` | Enables security log. | ``bool`` | No | |``securityLog.apLogConf`` | The [App Protect WAF log conf]({{< relref "installation/integrations/app-protect-waf/configuration.md#waf-logs" >}}) resource. Accepts an optional namespace. Only works with ``apPolicy``. | ``string`` | No | |``securityLog.apLogBundle`` | The [App Protect WAF log bundle]({{< relref "installation/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) resource. Only works with ``apBundle``. | ``string`` | No | -|``securityLog.logDest`` | The log destination for the security log. Accepted variables are ``syslog:server=:``, ``stderr``, ````. Default is ``"syslog:server=127.0.0.1:514"``. | ``string`` | No | +|``securityLog.logDest`` | The log destination for the security log. Only accepted variables are ``syslog:server=:``, ``stderr``, ````. | ``string`` | No | {{% /table %}} #### WAF Merging Behavior diff --git a/site/content/installation/integrations/app-protect-waf-v5/compile-waf-policies.md b/site/content/installation/integrations/app-protect-waf-v5/compile-waf-policies.md index fe0d6c4d4..3120c5423 100644 --- a/site/content/installation/integrations/app-protect-waf-v5/compile-waf-policies.md +++ b/site/content/installation/integrations/app-protect-waf-v5/compile-waf-policies.md 
@@ -25,7 +25,7 @@ The following steps describe how to use the NGINX Instance Manager API to create {{< tip >}} You can skip this step if you intend to use an existing security policy. {{< /tip >}} -Create a [new security policy](https://docs.nginx.com/nginx-instance-manager/app-protect/manage-waf-security-policies/#create-security-policy) using the API: this will require the use of a tool such as [`curl`](https://curl.se/) or [Postman](https://www.postman.com/) +Create a [new security policy](https://docs.nginx.com/nginx-instance-manager/nginx-app-protect/manage-waf-security-policies/#create-security-policy) using the API: this will require the use of a tool such as [`curl`](https://curl.se/) or [Postman](https://www.postman.com/) Create the file `simple-policy.json` with the contents below: diff --git a/site/content/releases.md b/site/content/releases.md index 7a90f4c48..12d7f5d5d 100644 --- a/site/content/releases.md +++ b/site/content/releases.md 
@@ -396,7 +396,7 @@ versions: 1.23-1.29. 26 Mar 2024 -NGINX Ingress Controller and NGINX App Protect WAF users can can now view violations through NGINX Instance Manager Security Monitor. Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller. Read more information in [NGINX App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/installation/integrations/app-protect-waf/configuration/#waf-bundles) and [Security Monitoring](https://docs.nginx.com/nginx-instance-manager/security-monitoring/). +NGINX Ingress Controller and NGINX App Protect WAF users can can now view violations through NGINX Instance Manager Security Monitor. Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller. Read more information in [NGINX App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/installation/integrations/app-protect-waf/configuration/#waf-bundles) and [Security Monitoring](https://docs.nginx.com/nginx-instance-manager/monitoring/security-monitoring/). When using NGINX Plus for two version [split rollouts](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#split), you can now control progressive rollouts of a new backend version without reloading NGINX using the [**-weight-changes-dynamic-reload**](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#-weight-changes-dynamic-reload) command line argument. diff --git a/tests/Dockerfile b/tests/Dockerfile index d600ac4bc..f8cb9223f 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile 
@@ -5,7 +5,7 @@ FROM kindest/node:v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date FROM quay.io/skopeo/stable:v1.17.0 -FROM python:3.13@sha256:9255d1993f6d28b8a1cd611b108adbdfa38cb7ccc46ddde8ea7d734b6c845e32 +FROM python:3.13@sha256:cea505b81701dd9e46b8dde96eaa8054c4bd2035dbb660edeb7af947ed38a0ad RUN apt-get update \ && apt-get install -y curl git \