diff --git a/.github/actions/smoke-tests/action.yaml b/.github/actions/smoke-tests/action.yaml index 9c0a8ddc27..697002aeaa 100644 --- a/.github/actions/smoke-tests/action.yaml +++ b/.github/actions/smoke-tests/action.yaml @@ -79,6 +79,7 @@ runs: -v ${{ github.workspace }}/tests:/workspace/tests \ -v ${{ github.workspace }}/deployments:/workspace/deployments \ -v ${{ github.workspace }}/config:/workspace/config \ + -v ${{ github.workspace }}/pyproject.toml:/workspace/pyproject.toml \ -v ${{ steps.k8s.outputs.test_output_path }}:${{ steps.k8s.outputs.test_output_path }} \ -v ~/.kube/kind/config:/root/.kube/config ${{ inputs.test-image }} \ --context=kind-${{ github.run_id }} \ diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index c8c7efd308..e2c095f580 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -61,7 +61,7 @@ jobs: uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Setup QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 with: platforms: arm,arm64,ppc64le,s390x @@ -92,7 +92,7 @@ jobs: type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} - name: Build Base Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: build/Dockerfile context: "." @@ -126,7 +126,7 @@ jobs: uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Setup QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 with: platforms: arm64,s390x @@ -157,7 +157,7 @@ jobs: type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} - name: Build Base Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: build/Dockerfile context: "." @@ -227,7 +227,7 @@ jobs: type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} - name: Build Base Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: build/Dockerfile context: "." diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 7e40a06396..dacd1f1c74 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -113,7 +113,7 @@ jobs: if: ${{ inputs.authenticated && ! inputs.full-build }} - name: Setup QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 with: platforms: arm,arm64,ppc64le,s390x if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} @@ -123,7 +123,7 @@ jobs: if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Base Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: build/Dockerfile context: "." @@ -155,7 +155,7 @@ jobs: if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Docker image - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 id: build-push with: file: build/Dockerfile diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 6f9e8da2af..a4f55cdb5b 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -118,7 +118,7 @@ jobs: if: ${{ inputs.authenticated && ! inputs.full-build }} - name: Setup QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 with: platforms: arm,arm64,ppc64le,s390x if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} @@ -128,7 +128,7 @@ jobs: if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Base Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: build/Dockerfile context: "." @@ -165,7 +165,7 @@ jobs: if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Docker image - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 id: build-push with: file: build/Dockerfile diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml index c3804857a0..b5e3a4515b 100644 --- a/.github/workflows/build-test-image.yml +++ b/.github/workflows/build-test-image.yml @@ -49,7 +49,7 @@ jobs: password: ${{ steps.auth.outputs.access_token }} - name: Build Test-Runner Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: tests/Dockerfile context: "." diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3dc8af5958..efa0fa93ee 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -439,7 +439,7 @@ jobs: if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Build Docker Image ${{ matrix.base-os }} - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: build/Dockerfile context: "." @@ -557,7 +557,7 @@ jobs: if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }} - name: Build Test-Runner Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: tests/Dockerfile context: "." diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 0d3b8874c1..cf324f5a29 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -70,7 +70,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -89,7 +89,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -102,6 +102,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index 2967283027..354ee451f1 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml @@ -427,7 +427,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: sarif_file: "${{ steps.directory.outputs.directory }}/" @@ -517,7 +517,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: sarif_file: "${{ steps.directory.outputs.directory }}/" @@ -607,7 +607,7 @@ jobs: overwrite: true - name: Upload Scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: sarif_file: "${{ steps.directory.outputs.directory }}/" @@ -616,13 +616,13 @@ jobs: runs-on: ubuntu-22.04 needs: [checks] permissions: - contents: read + contents: write steps: - name: Checkout Repository uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Create/Update Draft - uses: lucacome/draft-release@3ed3808cb75e4398e021a19a171ce62f4943f2f7 # v1.0.0 + uses: lucacome/draft-release@8a63d32c79a171ae6048e614a8988f0ac3ed56d4 # v1.1.0 id: release-notes with: minor-label: "enhancement" diff --git a/.github/workflows/patch-image.yml b/.github/workflows/patch-image.yml index 20be01ebdd..2589877d09 100644 --- a/.github/workflows/patch-image.yml +++ b/.github/workflows/patch-image.yml @@ -50,7 +50,7 @@ jobs: uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Setup QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 with: platforms: arm,arm64,ppc64le,s390x @@ -70,7 +70,7 @@ jobs: password: ${{ steps.auth.outputs.access_token }} - name: Apply OS patches to Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: build/Dockerfile context: "." diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index b437936556..6bcbf21608 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 + uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: sarif_file: results.sarif diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 1649577d8c..7215524947 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml @@ -112,7 +112,7 @@ jobs: if: ${{ inputs.authenticated }} - name: Build Test-Runner Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: tests/Dockerfile context: "." @@ -124,7 +124,7 @@ jobs: if: ${{ ( !inputs.authenticated || steps.check-image.outcome == 'failure' ) }} - name: Build ${{ inputs.image }} Container - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 with: file: build/Dockerfile context: "." diff --git a/build/Dockerfile b/build/Dockerfile index 05a8614340..ec4fdf9190 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -15,7 +15,7 @@ FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c763 FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc AS alpine-fips-3.19 FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal -FROM golang:1.22-alpine@sha256:ace6cc3fe58d0c7b12303c57afe6d6724851152df55e08057b43990b927ad5e8 AS golang-builder +FROM golang:1.22-alpine@sha256:8c9183f715b0b4eca05b8b3dbf59766aaedb41ec07477b132ee2891ac0110a07 AS golang-builder ############################################# Base image for Alpine ############################################# @@ -29,7 +29,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.27.0@sha256:9c367186df9a6b18c6735357b8eb7f407347e84aea09beb184961cb83543d46e AS debian +FROM nginx:1.27.0@sha256:67682bda769fae1ccf5183192b8daf37b64cae99c6c3302650f6f8bf5f0f95df AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ @@ -214,7 +214,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ ############################################# Base image for Debian with NGINX Plus ############################################# -FROM debian:12-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 AS debian-plus +FROM debian:12-slim@sha256:f528891ab1aa484bf7233dbcc84f3c806c3e427571d75510a9d74bb5ec535b33 AS debian-plus ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -427,7 +427,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF & DoS ############################################# -FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap +FROM redhat/ubi8@sha256:44d75007b39e0e1bbf1bcfd0721245add54c54c3f83903f8926fb4bef6827aa2 AS ubi-8-plus-nap ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -491,7 +491,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 ############################################# -FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap-v5 +FROM redhat/ubi8@sha256:44d75007b39e0e1bbf1bcfd0721245add54c54c3f83903f8926fb4bef6827aa2 AS ubi-8-plus-nap-v5 ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 07dac0529e..888e49fec3 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -46,13 +46,13 @@ "type": "object", "default": {}, "title": "The selectorLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "annotations": { "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "nginxplus": { "type": "boolean", @@ -168,7 +168,7 @@ "title": "Volumes for App Protect WAF v5", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" } }, "enforcer": { @@ -228,7 +228,7 @@ "title": "The pullPolicy for the App Protect WAF v5 Enforcer image", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" }, { "enum": [ @@ -257,7 +257,7 @@ "type": "object", "default": {}, "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" } } }, @@ -302,7 +302,7 @@ "title": "The pullPolicy for the App Protect WAF v5 Config Manager image", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" }, { "enum": [ @@ -340,7 +340,7 @@ } }, "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" } } } @@ -430,7 +430,7 @@ "^.*$": { "anyOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/hostPort" }, { "type": "boolean" @@ -446,7 +446,7 @@ "title": "The containerPort Schema", "patternProperties": { "^.*$": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort/properties/containerPort" } }, "additionalProperties": false @@ -455,7 +455,7 @@ "type": "string", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/dnsPolicy" }, { "enum": [ @@ -505,7 +505,7 @@ "title": "The customPorts to expose on the NGINX Ingress Controller pod", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerPort" }, "examples": [ [ @@ -560,7 +560,7 @@ "title": "The pullPolicy for the Ingress Controller image", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Container/properties/imagePullPolicy" }, { "enum": [ @@ -589,7 +589,7 @@ "type": "object", "default": {}, "title": "The lifecycle Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Lifecycle" }, "customConfigMap": { "type": "string", @@ -617,7 +617,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "entries": { "type": "object", @@ -704,43 +704,43 @@ "type": "object", "default": {}, "title": "The nodeSelector Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/nodeSelector" }, "terminationGracePeriodSeconds": { "type": "integer", "default": 30, "title": "The terminationGracePeriodSeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/terminationGracePeriodSeconds" }, "podSecurityContext": { "type": "object", "default": {}, "title": "The podSecurityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.PodSecurityContext" }, "securityContext": { "type": "object", "default": {}, "title": "The securityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" }, "initContainerSecurityContext": { "type": "object", "default": {}, "title": "The initContainerSecurityContext Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.SecurityContext" }, "resources": { "type": "object", "default": {}, "title": "The resources Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" }, "initContainerResources": { "type": "object", "default": {}, "title": "The resources Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ResourceRequirements" }, "tolerations": { "type": "array", @@ -748,20 +748,20 @@ "title": "The tolerations Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration" } }, "affinity": { "type": "object", "default": {}, "title": "The affinity Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Affinity" }, "topologySpreadConstraints": { "type": "object", "default": {}, "title": "The topologySpreadConstraints Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/topologySpreadConstraints" }, "env": { "type": "array", @@ -769,7 +769,7 @@ "title": "The env Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.EnvVar" } }, "volumes": { @@ -778,7 +778,7 @@ "title": "The volumes Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Volume" } }, "volumeMounts": { @@ -787,7 +787,7 @@ "title": "The volumeMounts Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.VolumeMount" } }, "initContainers": { @@ -796,14 +796,14 @@ "title": "The initContainers Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "minReadySeconds": { "type": "integer", "default": 0, "title": "The minReadySeconds Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentSpec/properties/minReadySeconds" }, "strategy": { "type": "object", @@ -811,7 +811,7 @@ "title": "The strategy Schema", "allOf": [ { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.apps.v1.DeploymentStrategy" }, { "properties": { @@ -833,7 +833,7 @@ "title": "The extraContainers Schema", "items": { "type": "object", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Container" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Container" } }, "replicaCount": { @@ -1093,19 +1093,19 @@ "type": "string", "default": "", "title": "The type", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/type" }, "externalTrafficPolicy": { "type": "string", "default": "", "title": "The externalTrafficPolicy", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalTrafficPolicy" }, "annotations": { "type": "object", "default": {}, "title": "The annotations", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", @@ -1121,13 +1121,13 @@ "type": "string", "default": "", "title": "The loadBalancerIP", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/loadBalancerIP" }, "externalIPs": { "type": "array", "default": [], "title": "The externalIPs", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/externalIPs" }, "loadBalancerSourceRanges": { "type": "array", @@ -1142,13 +1142,13 @@ "type": "boolean", "default": false, "title": "The allocateLoadBalancerNodePorts Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/allocateLoadBalancerNodePorts" }, "ipFamilyPolicy": { "type": "string", "default": "", "title": "The ipFamilyPolicy Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilyPolicy", "examples": [ "" ] @@ -1157,7 +1157,7 @@ "type": "array", "default": [], "title": "The ipFamilies Schema", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ServiceSpec/properties/ipFamilies" }, "httpPort": { "type": "object", @@ -1261,7 +1261,7 @@ "title": "The customPorts", "items": { "type": "object", - "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" + "ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.ServicePort" } } }, @@ -1303,7 +1303,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "name": { "type": "string", @@ -1448,7 +1448,7 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" } }, "examples": [ @@ -1472,13 +1472,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "extraLabels": { "type": "object", "default": {}, "title": "The extraLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } }, "examples": [ @@ -1492,7 +1492,7 @@ "type": "string", "default": "", "title": "The priorityClassName", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.PodSpec/properties/priorityClassName" }, "podDisruptionBudget": { "type": "object", @@ -1509,13 +1509,13 @@ "type": "object", "default": {}, "title": "The annotations Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/annotations" }, "minAvailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/minAvailable" }, "maxUnavailable": { - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec/properties/maxUnavailable" } }, "examples": [ @@ -1554,7 +1554,7 @@ "initialDelaySeconds": { "type": "integer", "default": 0, - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.api.core.v1.Probe/properties/initialDelaySeconds" } }, "examples": [ @@ -1876,7 +1876,7 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" } } }, @@ -1898,13 +1898,13 @@ "type": "object", "default": {}, "title": "The labels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta/properties/labels" }, "selectorMatchLabels": { "type": "object", "default": {}, "title": "The selectorMatchLabels Schema", - "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.0/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" + "$ref": "https://raw.githubusercontent.com/nginxinc/kubernetes-json-schema/master/v1.30.2/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector/properties/matchLabels" }, "endpoints": { "type": "array", diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index 35e6be87f2..b640d33e4d 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md @@ -155,8 +155,6 @@ If the hashed keys match, the NGINX JavaScript (NJS) subrequest issues a 204 No It is possible to use the [errorPages](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#errorpage) property on a route, to change the default behaviour of 401 or 403 errors. -An API Key policy can be disabled on a route by adding the [location snippet](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#using-snippets) `auth_request off;` - At least one header or query param is required. The policy below configures NGINX Ingress Controller to require the API Key `password` in the header "my-header". diff --git a/docs/content/usage-reporting.md b/docs/content/usage-reporting.md index 85a61d4c12..a5fda9c72d 100644 --- a/docs/content/usage-reporting.md +++ b/docs/content/usage-reporting.md @@ -117,6 +117,10 @@ Download and save the deployment file [cluster-connector.yaml](https://raw.githu - `-nms-server-address` should be the address of the Usage Reporting API, which will be the combination of NGINX Management Suite server hostname and the URI `api/platform/v1` - `nms-basic-auth-secret` should be the namespace/name of the secret created in step 3: `nginx-cluster-connector/nms-basic-auth`. +{{< note >}} OpenShift requires a SecurityContextConstraints object for NGINX Cluster Connector. + +It can be created with the command `oc create -f scc.yaml`, using the file found in `shared-examples/` {{< /note >}} + For more information, read the [Command-line arguments](#command-line-arguments) section of this page. --- diff --git a/examples/custom-resources/api-key/README.md b/examples/custom-resources/api-key/README.md index 4a206afd02..c1ca8c0922 100644 --- a/examples/custom-resources/api-key/README.md +++ b/examples/custom-resources/api-key/README.md @@ -6,8 +6,7 @@ a web application, configure load balancing for it via a VirtualServer, and appl ## Prerequisites -1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) - instructions to deploy the Ingress Controller. In this example we will be using a snippet to turn the policy off on a specific path so ensure that the `enable-snippets` flag is set. +1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller. 1. Save the public IP address of the Ingress Controller into a shell variable: ```console @@ -105,18 +104,4 @@ URI: /coffee Request ID: 4feedb3265a0430a1f58831d016e846d ``` -If you attempt to access the /tea path, the request will be allowed without an API Key, because the auth_request directive is turned off for that path with a location snippet: - -```console -curl -k --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea -``` - -```text -Server address: 10.244.0.5:8080 -Server name: tea-596697966f-dmq7t -Date: 13/Jun/2024:13:16:46 +0000 -URI: /tea -Request ID: 26e6d7dd0272eca82f31f33bf90698c9 -``` - Additionally you can set [error pages](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#errorpage) to handle the 401 and 403 responses. diff --git a/examples/custom-resources/api-key/cafe-virtual-server.yaml b/examples/custom-resources/api-key/cafe-virtual-server.yaml index b523112eb6..032cb9bc46 100644 --- a/examples/custom-resources/api-key/cafe-virtual-server.yaml +++ b/examples/custom-resources/api-key/cafe-virtual-server.yaml @@ -12,15 +12,7 @@ spec: - name: coffee service: coffee-svc port: 80 - - name: tea - service: tea-svc - port: 80 routes: - path: /coffee action: pass: coffee - - path: /tea - location-snippets: | - auth_request off; - action: - pass: tea diff --git a/examples/custom-resources/api-key/cafe.yaml b/examples/custom-resources/api-key/cafe.yaml index f049e8bf29..6e0ea4614e 100644 --- a/examples/custom-resources/api-key/cafe.yaml +++ b/examples/custom-resources/api-key/cafe.yaml @@ -30,36 +30,3 @@ spec: name: http selector: app: coffee ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: tea -spec: - replicas: 1 - selector: - matchLabels: - app: tea - template: - metadata: - labels: - app: tea - spec: - containers: - - name: tea - image: nginxdemos/nginx-hello:plain-text - ports: - - containerPort: 8080 ---- -apiVersion: v1 -kind: Service -metadata: - name: tea-svc -spec: - ports: - - port: 80 - targetPort: 8080 - protocol: TCP - name: http - selector: - app: tea diff --git a/examples/shared-examples/usage-reporting/cluster-connector.yaml b/examples/shared-examples/usage-reporting/cluster-connector.yaml index f51aba51cf..005d977ae3 100644 --- a/examples/shared-examples/usage-reporting/cluster-connector.yaml +++ b/examples/shared-examples/usage-reporting/cluster-connector.yaml @@ -14,65 +14,76 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: nginx-cluster-connector rules: - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - list - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - update - - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - list +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - security.openshift.io + verbs: + - create + - delete + - get + - use + resources: + - securitycontextconstraints + resourceNames: + - nginx-cluster-connector --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: nginx-cluster-connector subjects: - - kind: ServiceAccount - name: nginx-cluster-connector - namespace: nginx-cluster-connector +- kind: ServiceAccount + name: nginx-cluster-connector + namespace: nginx-cluster-connector roleRef: kind: ClusterRole name: nginx-cluster-connector @@ -95,8 +106,11 @@ spec: spec: serviceAccountName: nginx-cluster-connector automountServiceAccountToken: true + securityContext: + seccompProfile: + type: RuntimeDefault containers: - - image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.1.0 + - image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.2.0 imagePullPolicy: IfNotPresent name: nginx-cluster-connector resources: @@ -107,6 +121,7 @@ spec: # cpu: "1" # memory: "1Gi" securityContext: + allowPrivilegeEscalation: false runAsUser: 101 #nginx runAsNonRoot: true capabilities: diff --git a/examples/shared-examples/usage-reporting/scc.yaml b/examples/shared-examples/usage-reporting/scc.yaml new file mode 100644 index 0000000000..6f908c31eb --- /dev/null +++ b/examples/shared-examples/usage-reporting/scc.yaml @@ -0,0 +1,30 @@ +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: nginx-cluster-connector +allowPrivilegedContainer: false +runAsUser: + type: MustRunAs + uid: 101 +seLinuxContext: + type: MustRunAs +fsGroup: + type: MustRunAs +supplementalGroups: + type: MustRunAs +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowHostDirVolumePlugin: false +allowHostIPC: false +readOnlyRootFilesystem: false +seccompProfiles: +- runtime/default +volumes: + - secret +requiredDropCapabilities: + - ALL +users: + - 'system:serviceaccount:*:nginx-cluster-connector' +allowedCapabilities: + - NET_BIND_SERVICE diff --git a/go.mod b/go.mod index 7c7003264e..83e837e983 100644 --- a/go.mod +++ b/go.mod @@ -1,14 +1,14 @@ module github.com/nginxinc/kubernetes-ingress -go 1.22.4 +go 1.22.5 require ( - github.com/aws/aws-sdk-go-v2/config v1.27.22 - github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.0 + github.com/aws/aws-sdk-go-v2/config v1.27.23 + github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.1 github.com/cert-manager/cert-manager v1.15.1 github.com/dlclark/regexp2 v1.11.0 github.com/gkampitakis/go-snaps v0.5.4 - github.com/go-chi/chi/v5 v5.0.14 + github.com/go-chi/chi/v5 v5.1.0 github.com/golang-jwt/jwt/v4 v4.5.0 github.com/golang/glog v1.2.0 github.com/google/go-cmp v0.6.0 @@ -22,8 +22,8 @@ require ( github.com/prometheus/common v0.47.0 github.com/spiffe/go-spiffe/v2 v2.3.0 github.com/stretchr/testify v1.9.0 - go.opentelemetry.io/otel v1.27.0 - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 + go.opentelemetry.io/otel v1.28.0 + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 k8s.io/api v0.30.2 k8s.io/apimachinery v0.30.2 @@ -36,18 +36,18 @@ require ( require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect - github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.22 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect + github.com/aws/aws-sdk-go-v2 v1.30.1 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.23 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.22.0 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.0 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.30.0 // indirect - github.com/aws/smithy-go v1.20.2 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.30.1 // indirect + github.com/aws/smithy-go v1.20.3 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect @@ -110,11 +110,11 @@ require ( go.etcd.io/etcd/client/v3 v3.5.13 // indirect go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect - go.opentelemetry.io/otel/metric v1.27.0 // indirect - go.opentelemetry.io/otel/sdk v1.27.0 // indirect - go.opentelemetry.io/otel/trace v1.27.0 // indirect - go.opentelemetry.io/proto/otlp v1.2.0 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect + go.opentelemetry.io/otel/metric v1.28.0 // indirect + go.opentelemetry.io/otel/sdk v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/proto/otlp v1.3.1 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect golang.org/x/crypto v0.24.0 // indirect @@ -127,8 +127,8 @@ require ( golang.org/x/text v0.16.0 // indirect golang.org/x/time v0.5.0 // indirect golang.org/x/tools v0.22.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect google.golang.org/grpc v1.64.0 // indirect google.golang.org/protobuf v1.34.2 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index ecae34b190..e9c72d2bc3 100644 --- a/go.sum +++ b/go.sum @@ -4,34 +4,34 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= -github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA= -github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= -github.com/aws/aws-sdk-go-v2/config v1.27.22 h1:TRkQVtpDINt+Na/ToU7iptyW6U0awAwJ24q4XN+59k8= -github.com/aws/aws-sdk-go-v2/config v1.27.22/go.mod h1:EYY3mVgFRUWkh6QNKH64MdyKs1YSUgatc0Zp3MDxi7c= -github.com/aws/aws-sdk-go-v2/credentials v1.17.22 h1:wu9kXQbbt64ul09v3ye4HYleAr4WiGV/uv69EXKDEr0= -github.com/aws/aws-sdk-go-v2/credentials v1.17.22/go.mod h1:pcvMtPcxJn3r2k6mZD9I0EcumLqPLA7V/0iCgOIlY+o= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 h1:FR+oWPFb/8qMVYMWN98bUZAGqPvLHiyqg1wqQGfUAXY= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8/go.mod h1:EgSKcHiuuakEIxJcKGzVNWh5srVAQ3jKaSrBGRYvM48= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM= +github.com/aws/aws-sdk-go-v2 v1.30.1 h1:4y/5Dvfrhd1MxRDD77SrfsDaj8kUkkljU7XE83NPV+o= +github.com/aws/aws-sdk-go-v2 v1.30.1/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc= +github.com/aws/aws-sdk-go-v2/config v1.27.23 h1:Cr/gJEa9NAS7CDAjbnB7tHYb3aLZI2gVggfmSAasDac= +github.com/aws/aws-sdk-go-v2/config v1.27.23/go.mod h1:WMMYHqLCFu5LH05mFOF5tsq1PGEMfKbu083VKqLCd0o= +github.com/aws/aws-sdk-go-v2/credentials v1.17.23 h1:G1CfmLVoO2TdQ8z9dW+JBc/r8+MqyPQhXCafNZcXVZo= +github.com/aws/aws-sdk-go-v2/credentials v1.17.23/go.mod h1:V/DvSURn6kKgcuKEk4qwSwb/fZ2d++FFARtWSbXnLqY= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9 h1:Aznqksmd6Rfv2HQN9cpqIV/lQRMaIpJkLLaJ1ZI76no= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.9/go.mod h1:WQr3MY7AxGNxaqAtsDWn+fBxmd4XvLkzeqQ8P1VM0/w= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13 h1:5SAoZ4jYpGH4721ZNoS1znQrhOfZinOhc4XuTXx/nVc= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.13/go.mod h1:+rdA6ZLpaSeM7tSg/B0IEDinCIBJGmW8rKDFkYpP04g= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13 h1:WIijqeaAO7TYFLbhsZmi2rgLEAtWOC1LhxCAVTJlSKw= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.13/go.mod h1:i+kbfa76PQbWw/ULoWnp51EYVWH4ENln76fLQE3lXT8= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.0 h1:PNt0DbBM+46jcsRpzkEbtf+zGA/WN2znV095NGpzIdk= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.0/go.mod h1:FARw6qpTrHDbxBAJNEdwBzfMQYZj/kHYeEw2ww0V/HM= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.0 h1:lPIAPCRoJkmotLTU/9B6icUFlYDpEuWjKeL79XROv1M= -github.com/aws/aws-sdk-go-v2/service/sso v1.22.0/go.mod h1:lcQG/MmxydijbeTOp04hIuJwXGWPZGI3bwdFDGRTv14= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.0 h1:/4r71ghx+hX9spr884cqXHPEmPzqH/J3K7fkE1yfcmw= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.0/go.mod h1:z0P8K+cBIsFXUr5rzo/psUeJ20XjPN0+Nn8067Nd+E4= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.0 h1:9ja34PaKybhCJjVKvxtDsUjbATUJGN+eF6QnO58u5cI= -github.com/aws/aws-sdk-go-v2/service/sts v1.30.0/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE= -github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= -github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15 h1:I9zMeF107l0rJrpnHpjEiiTSCKYAIw8mALiXcPsGBiA= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.15/go.mod h1:9xWJ3Q/S6Ojusz1UIkfycgD1mGirJfLLKqq3LPT7WN8= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.1 h1:ILN/qZ5Pldk4G/9DSTcw1vG53suPPcv6zcVwy+G7RQY= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.1/go.mod h1:C89+u6tfAUJ16hNeGYbfSj3KeWkhyFOti+IjHtSTlZE= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.1 h1:p1GahKIjyMDZtiKoIn0/jAj/TkMzfzndDv5+zi2Mhgc= +github.com/aws/aws-sdk-go-v2/service/sso v1.22.1/go.mod h1:/vWdhoIoYA5hYoPZ6fm7Sv4d8701PiG5VKe8/pPJL60= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.1 h1:lCEv9f8f+zJ8kcFeAjRZsekLd/x5SAm96Cva+VbUdo8= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.1/go.mod h1:xyFHA4zGxgYkdD73VeezHt3vSKEG9EmFnGwoKlP00u4= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.1 h1:+woJ607dllHJQtsnJLi52ycuqHMwlW+Wqm2Ppsfp4nQ= +github.com/aws/aws-sdk-go-v2/service/sts v1.30.1/go.mod h1:jiNR3JqT15Dm+QWq2SRgh0x0bCNSRP2L25+CqPNpJlQ= +github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE= +github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= @@ -75,8 +75,8 @@ github.com/gkampitakis/go-snaps v0.5.4/go.mod h1:ZABkO14uCuVxBHAXAfKG+bqNz+aa1bG github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-asn1-ber/asn1-ber v1.5.6 h1:CYsqysemXfEaQbyrLJmdsCRuufHoLa3P/gGWGl5TDrM= github.com/go-asn1-ber/asn1-ber v1.5.6/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-chi/chi/v5 v5.0.14 h1:PyEwo2Vudraa0x/Wl6eDRRW2NXBvekgfxyydcM0WGE0= -github.com/go-chi/chi/v5 v5.0.14/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw= +github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk= github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU= @@ -282,20 +282,20 @@ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.5 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0/go.mod h1:27iA5uvhuRNmalO+iEUdVn5ZMj2qy10Mm+XRIpRmyuU= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc= -go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg= -go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 h1:R9DE4kQ4k+YtfLI2ULwX82VtNQ2J8yZmA7ZIF/D+7Mc= -go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0/go.mod h1:OQFyQVrDlbe+R7xrEyDr/2Wr67Ol0hRUgsfA+V5A95s= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= -go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik= -go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak= -go.opentelemetry.io/otel/sdk v1.27.0 h1:mlk+/Y1gLPLn84U4tI8d3GNJmGT/eXe3ZuOXN9kTWmI= -go.opentelemetry.io/otel/sdk v1.27.0/go.mod h1:Ha9vbLwJE6W86YstIywK2xFfPjbWlCuwPtMkKdz/Y4A= -go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw= -go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4= -go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94= -go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A= +go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= +go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw= +go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= +go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= +go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= +go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= +go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= +go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= +go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= @@ -389,10 +389,10 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda h1:wu/KJm9KJwpfHWhkkZGohVC6KRrc1oJNr4jwtQMOQXw= google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda/go.mod h1:g2LLCvCeCSir/JJSWosk19BR4NVxGqHUC6rxIRsd7Aw= -google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 h1:P8OJ/WCl/Xo4E4zoe4/bifHpSmmKwARqyqE4nW6J2GQ= -google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5/go.mod h1:RGnPtTG7r4i8sPlNyDeikXF99hMM+hN6QMm4ooG9g2g= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 h1:AgADTJarZTBqgjiUzRgfaBchgYB3/WFTC80GPwsMcRI= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= +google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0= +google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY= google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= diff --git a/internal/configs/version1/__snapshots__/template_test.snap b/internal/configs/version1/__snapshots__/template_test.snap index 6eb1b9216a..913e95100b 100644 --- a/internal/configs/version1/__snapshots__/template_test.snap +++ b/internal/configs/version1/__snapshots__/template_test.snap @@ -130,6 +130,8 @@ daemon off; error_log stderr ; pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_http_app_protect_module.so; +load_module modules/ngx_http_app_protect_dos_module.so; load_module modules/ngx_fips_check_module.so; load_module modules/ngx_http_js_module.so; @@ -156,7 +158,20 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + log_format log_dos escape=json + '$remote_addr - $remote_user [$time_local]' + ' "$request" $status $body_bytes_sent ' + ' "$http_referer" "$http_user_agent"' + ; + app_protect_dos_arb_fqdn arb.test.server.com; access_log /dev/stdout main; + app_protect_failure_mode_action pass; + app_protect_compressed_requests_action pass; + app_protect_cookie_seed ABCDEFGHIJKLMNOP; + app_protect_cpu_thresholds high=low=100; + app_protect_physical_memory_util_thresholds high=low=100; + app_protect_reconnect_period_seconds 10; + include /etc/nginx/waf/nac-usersigs/index.conf; sendfile on; #tcp_nopush on; @@ -251,9 +266,6 @@ stream { include /etc/nginx/stream-conf.d/*.conf; } -mgmt { - usage_report interval=0s; -} --- @@ -293,6 +305,7 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + app_protect_enforcer_address enforcer.svc.local; access_log /dev/stdout main; sendfile on; @@ -530,6 +543,21 @@ server { set $resource_type "ingress"; set $resource_name "cafe-ingress"; set $resource_namespace "default"; + app_protect_enable on; + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + app_protect_security_log_enable on; + app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514; + app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf2; + + app_protect_dos_enable on; + app_protect_dos_policy_file /test/policy.json; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log /test/logConf.json; + set $loggable '0'; + # app-protect-dos module will set it to '1' if a request doesn't pass the rate limit + access_log /var/log/dos log_dos if=$loggable; + app_protect_dos_monitor uri=/path/to/monitor protocol=http1 timeout=30; + app_protect_dos_name "testdos"; if ($scheme = http) { @@ -610,6 +638,21 @@ server { set $resource_type "ingress"; set $resource_name "cafe-ingress"; set $resource_namespace "default"; + app_protect_enable on; + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + app_protect_security_log_enable on; + app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514; + app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf2; + + app_protect_dos_enable on; + app_protect_dos_policy_file /test/policy.json; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log /test/logConf.json; + set $loggable '0'; + # app-protect-dos module will set it to '1' if a request doesn't pass the rate limit + access_log /var/log/dos log_dos if=$loggable; + app_protect_dos_monitor uri=/path/to/monitor protocol=http1 timeout=30; + app_protect_dos_name "testdos"; if ($scheme = http) { @@ -2343,6 +2386,8 @@ daemon off; error_log stderr ; pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_http_app_protect_module.so; +load_module modules/ngx_http_app_protect_dos_module.so; load_module modules/ngx_fips_check_module.so; load_module modules/ngx_http_js_module.so; @@ -2369,7 +2414,20 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + log_format log_dos escape=json + '$remote_addr - $remote_user [$time_local]' + ' "$request" $status $body_bytes_sent ' + ' "$http_referer" "$http_user_agent"' + ; + app_protect_dos_arb_fqdn arb.test.server.com; access_log /dev/stdout main; + app_protect_failure_mode_action pass; + app_protect_compressed_requests_action pass; + app_protect_cookie_seed ABCDEFGHIJKLMNOP; + app_protect_cpu_thresholds high=low=100; + app_protect_physical_memory_util_thresholds high=low=100; + app_protect_reconnect_period_seconds 10; + include /etc/nginx/waf/nac-usersigs/index.conf; sendfile on; #tcp_nopush on; @@ -2464,9 +2522,6 @@ stream { include /etc/nginx/stream-conf.d/*.conf; } -mgmt { - usage_report interval=0s; -} --- @@ -2480,6 +2535,8 @@ daemon off; error_log stderr ; pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_http_app_protect_module.so; +load_module modules/ngx_http_app_protect_dos_module.so; load_module modules/ngx_fips_check_module.so; load_module modules/ngx_http_js_module.so; @@ -2506,7 +2563,18 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + log_format log_dos ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, ' + 'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, ' + 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; + app_protect_dos_arb_fqdn arb.test.server.com; access_log /dev/stdout main; + app_protect_failure_mode_action pass; + app_protect_compressed_requests_action pass; + app_protect_cookie_seed ABCDEFGHIJKLMNOP; + app_protect_cpu_thresholds high=low=100; + app_protect_physical_memory_util_thresholds high=low=100; + app_protect_reconnect_period_seconds 10; + include /etc/nginx/waf/nac-usersigs/index.conf; sendfile on; #tcp_nopush on; @@ -2618,6 +2686,8 @@ daemon off; error_log stderr ; pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_http_app_protect_module.so; +load_module modules/ngx_http_app_protect_dos_module.so; load_module modules/ngx_fips_check_module.so; load_module modules/ngx_http_js_module.so; @@ -2644,7 +2714,20 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + log_format log_dos escape=json + '$remote_addr - $remote_user [$time_local]' + ' "$request" $status $body_bytes_sent ' + ' "$http_referer" "$http_user_agent"' + ; + app_protect_dos_arb_fqdn arb.test.server.com; access_log /dev/stdout main; + app_protect_failure_mode_action pass; + app_protect_compressed_requests_action pass; + app_protect_cookie_seed ABCDEFGHIJKLMNOP; + app_protect_cpu_thresholds high=low=100; + app_protect_physical_memory_util_thresholds high=low=100; + app_protect_reconnect_period_seconds 10; + include /etc/nginx/waf/nac-usersigs/index.conf; sendfile on; #tcp_nopush on; @@ -2739,9 +2822,6 @@ stream { include /etc/nginx/stream-conf.d/*.conf; } -mgmt { - usage_report interval=0s; -} --- diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index c62c8b71f1..da4f18a65b 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -75,7 +75,7 @@ http { {{range $i, $value := .AppProtectDosLogFormat -}} {{with $value}}'{{if $i}} {{end}}{{$value}}' {{end}}{{end}}; - {{- else -}} + {{- else }} log_format log_dos ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, ' 'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, ' 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go index ef5c9f020e..19088a40e2 100644 --- a/internal/configs/version1/template_test.go +++ b/internal/configs/version1/template_test.go @@ -1751,6 +1751,22 @@ var ( LoginURL: "https://test.example.com/login", }, }, + AppProtectEnable: "on", + AppProtectPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", + AppProtectLogConfs: []string{ + "/etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514", + "/etc/nginx/waf/nac-logconfs/test_logconf2", + }, + AppProtectLogEnable: "on", + AppProtectDosEnable: "on", + AppProtectDosPolicyFile: "/test/policy.json", + AppProtectDosLogConfFile: "/test/logConf.json", + AppProtectDosLogEnable: true, + AppProtectDosMonitorURI: "/path/to/monitor", + AppProtectDosMonitorProtocol: "http1", + AppProtectDosMonitorTimeout: 30, + AppProtectDosName: "testdos", + AppProtectDosAccessLogDst: "/var/log/dos", }, }, Upstreams: []Upstream{testUpstream}, @@ -1982,29 +1998,46 @@ var ( } mainCfg = MainConfig{ - DefaultHTTPListenerPort: 80, - DefaultHTTPSListenerPort: 443, - ServerNamesHashMaxSize: "512", - ServerTokens: "off", - WorkerProcesses: "auto", - WorkerCPUAffinity: "auto", - WorkerShutdownTimeout: "1m", - WorkerConnections: "1024", - WorkerRlimitNofile: "65536", - LogFormat: []string{"$remote_addr", "$remote_user"}, - LogFormatEscaping: "default", - StreamSnippets: []string{"# comment"}, - StreamLogFormat: []string{"$remote_addr", "$remote_user"}, - StreamLogFormatEscaping: "none", - ResolverAddresses: []string{"example.com", "127.0.0.1"}, - ResolverIPV6: false, - ResolverValid: "10s", - ResolverTimeout: "15s", - KeepaliveTimeout: "65s", - KeepaliveRequests: 100, - VariablesHashBucketSize: 256, - VariablesHashMaxSize: 1024, - NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), + DefaultHTTPListenerPort: 80, + DefaultHTTPSListenerPort: 443, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r30)"), + AppProtectLoadModule: true, + AppProtectV5LoadModule: false, + AppProtectV5EnforcerAddr: "", + AppProtectFailureModeAction: "pass", + AppProtectCompressedRequestsAction: "pass", + AppProtectCookieSeed: "ABCDEFGHIJKLMNOP", + AppProtectCPUThresholds: "high=low=100", + AppProtectPhysicalMemoryThresholds: "high=low=100", + AppProtectReconnectPeriod: "10", + AppProtectDosLoadModule: true, + AppProtectDosLogFormat: []string{ + "$remote_addr - $remote_user [$time_local]", + "\"$request\" $status $body_bytes_sent ", + "\"$http_referer\" \"$http_user_agent\"", + }, + AppProtectDosLogFormatEscaping: "json", + AppProtectDosArbFqdn: "arb.test.server.com", } mainCfgR31 = MainConfig{ @@ -2031,33 +2064,47 @@ var ( VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), + AppProtectV5LoadModule: true, + AppProtectV5EnforcerAddr: "enforcer.svc.local", } mainCfgHTTP2On = MainConfig{ - DefaultHTTPListenerPort: 80, - DefaultHTTPSListenerPort: 443, - HTTP2: true, - ServerNamesHashMaxSize: "512", - ServerTokens: "off", - WorkerProcesses: "auto", - WorkerCPUAffinity: "auto", - WorkerShutdownTimeout: "1m", - WorkerConnections: "1024", - WorkerRlimitNofile: "65536", - LogFormat: []string{"$remote_addr", "$remote_user"}, - LogFormatEscaping: "default", - StreamSnippets: []string{"# comment"}, - StreamLogFormat: []string{"$remote_addr", "$remote_user"}, - StreamLogFormatEscaping: "none", - ResolverAddresses: []string{"example.com", "127.0.0.1"}, - ResolverIPV6: false, - ResolverValid: "10s", - ResolverTimeout: "15s", - KeepaliveTimeout: "65s", - KeepaliveRequests: 100, - VariablesHashBucketSize: 256, - VariablesHashMaxSize: 1024, - NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), + DefaultHTTPListenerPort: 80, + DefaultHTTPSListenerPort: 443, + HTTP2: true, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), + AppProtectLoadModule: true, + AppProtectV5LoadModule: false, + AppProtectV5EnforcerAddr: "", + AppProtectFailureModeAction: "pass", + AppProtectCompressedRequestsAction: "pass", + AppProtectCookieSeed: "ABCDEFGHIJKLMNOP", + AppProtectCPUThresholds: "high=low=100", + AppProtectPhysicalMemoryThresholds: "high=low=100", + AppProtectReconnectPeriod: "10", + AppProtectDosLoadModule: true, + AppProtectDosLogFormat: []string{}, + AppProtectDosArbFqdn: "arb.test.server.com", } mainCfgCustomTLSPassthroughPort = MainConfig{ diff --git a/internal/configs/version2/__snapshots__/templates_test.snap b/internal/configs/version2/__snapshots__/templates_test.snap index c39644ec92..4fa5c98686 100644 --- a/internal/configs/version2/__snapshots__/templates_test.snap +++ b/internal/configs/version2/__snapshots__/templates_test.snap @@ -177,6 +177,15 @@ server { + app_protect_dos_enable on; + app_protect_dos_name "my-dos-coffee"; + app_protect_dos_policy_file /test/policy.json; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log /test/log.json; + set $loggable '0'; + # app-protect-dos module will set it to '1' if a request doesn't pass the rate limit + access_log svc.dns.com:123 log_dos if=$loggable; + app_protect_dos_monitor uri=test.example.com protocol=http timeout=30; # server snippet location /split { rewrite ^ @split_0 last; @@ -609,6 +618,15 @@ server { + app_protect_dos_enable on; + app_protect_dos_name "my-dos-coffee"; + app_protect_dos_policy_file /test/policy.json; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log /test/log.json; + set $loggable '0'; + # app-protect-dos module will set it to '1' if a request doesn't pass the rate limit + access_log svc.dns.com:123 log_dos if=$loggable; + app_protect_dos_monitor uri=test.example.com protocol=http timeout=30; # server snippet location /split { rewrite ^ @split_0 last; @@ -1976,6 +1994,7 @@ server { + app_protect_dos_enable on; # server snippet location /split { rewrite ^ @split_0 last; diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go index b01bb5c38b..0e4f8ead22 100644 --- a/internal/configs/version2/templates_test.go +++ b/internal/configs/version2/templates_test.go @@ -694,6 +694,17 @@ func vsConfig() VirtualServerConfig { Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, + Dos: &Dos{ + Enable: "on", + Name: "my-dos-coffee", + ApDosMonitorURI: "test.example.com", + ApDosMonitorProtocol: "http", + ApDosAccessLogDest: "svc.dns.com:123", + ApDosPolicy: "/test/policy.json", + ApDosSecurityLogEnable: true, + ApDosLogConf: "/test/log.json", + ApDosMonitorTimeout: 30, + }, Snippets: []string{"# server snippet"}, InternalRedirectLocations: []InternalRedirectLocation{ { @@ -1394,6 +1405,9 @@ var ( Enable: "on", ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"}, }, + Dos: &Dos{ + Enable: "on", + }, Snippets: []string{"# server snippet"}, InternalRedirectLocations: []InternalRedirectLocation{ { diff --git a/netlify.toml b/netlify.toml deleted file mode 100644 index a3ba287ccf..0000000000 --- a/netlify.toml +++ /dev/null @@ -1,42 +0,0 @@ -[build] - base = "docs/" - publish = "public" - command = "hugo --gc -b $DEPLOY_PRIME_URL/nginx-ingress-controller" - -[context.development] - command = "make all-dev" - -[context.staging] - command = "make all-staging" - -[context.production] - command = "make all" - -[context.deploy-preview] - command = "make deploy-preview" - -[context.branch-deploy] - command = "make deploy-preview" - -[[headers]] - for = "/*" - [headers.values] - Access-Control-Allow-Origin = "https://docs.nginx.com" - -[[redirects]] - from = "/" - to = "/nginx-ingress-controller/" - status = 301 - force = true - - -[[redirects]] - from = "/nginx-ingress-controller/robots.txt" - to = "https://docs.nginx.com/robots.txt" - status = 301 - force = true - -[[redirects]] - from = "/nginx-ingress-controller/*" - to = "/nginx-ingress-controller/404.html" - status = 404 diff --git a/tests/Dockerfile b/tests/Dockerfile index 1a99ab52d2..2304f35b69 100644 --- a/tests/Dockerfile +++ b/tests/Dockerfile @@ -1,11 +1,11 @@ # syntax=docker/dockerfile:1.5 # this is here so we can grab the latest version of kind and have dependabot keep it up to date -FROM kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a794b52890dd8bcd692e +FROM kindest/node:v1.30.2@sha256:ecfe5841b9bee4fe9690f49c118c33629fa345e3350a0c67a5a34482a99d6bba # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date FROM quay.io/skopeo/stable:v1.15.1 -FROM python:3.12@sha256:fce9bc7648ef917a5ab67176cf1c7eb41b110452e259736144bc22f32f3aa622 +FROM python:3.12@sha256:d12b529fba98bcc93e2e2e837c0a60efaa6328775965a43c1b8161cfbd8f10f3 RUN apt-get update \ && apt-get install -y curl git \ diff --git a/tests/requirements.txt b/tests/requirements.txt index 15308bcec4..e5d77898e9 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt @@ -215,9 +215,9 @@ forcediphttpsadapter==1.1.0 \ --hash=sha256:0d224cf6e8e50eb788c9f5994a7afa6d389bac6dbe540b7dfd77a32590ad0153 \ --hash=sha256:5e7662ece61735585332d09b87d94fffe4752469d5c0d3feff48746e5d70744b # via -r requirements.txt -google-auth==2.30.0 \ - --hash=sha256:8df7da660f62757388b8a7f249df13549b3373f24388cb5d2f1dd91cc18180b5 \ - --hash=sha256:ab630a1320f6720909ad76a7dbdb6841cdf5c66b328d690027e4867bdfb16688 +google-auth==2.31.0 \ + --hash=sha256:042c4702efa9f7d3c48d3a69341c209381b125faa6dbf3ebe56bc7e40ae05c23 \ + --hash=sha256:87805c36970047247c8afe614d4e3af8eceafc1ebba0c679fe75ddd1d575e871 # via # -r requirements.txt # kubernetes @@ -437,18 +437,18 @@ pluggy==1.5.0 \ # via # -r requirements.txt # pytest -protobuf==5.27.1 \ - --hash=sha256:25236b69ab4ce1bec413fd4b68a15ef8141794427e0b4dc173e9d5d9dffc3bcd \ - --hash=sha256:39309898b912ca6febb0084ea912e976482834f401be35840a008da12d189340 \ - --hash=sha256:3adc15ec0ff35c5b2d0992f9345b04a540c1e73bfee3ff1643db43cc1d734333 \ - --hash=sha256:4ac7249a1530a2ed50e24201d6630125ced04b30619262f06224616e0030b6cf \ - --hash=sha256:4e38fc29d7df32e01a41cf118b5a968b1efd46b9c41ff515234e794011c78b17 \ - --hash=sha256:7a97b9c5aed86b9ca289eb5148df6c208ab5bb6906930590961e08f097258107 \ - --hash=sha256:917ed03c3eb8a2d51c3496359f5b53b4e4b7e40edfbdd3d3f34336e0eef6825a \ - --hash=sha256:df5e5b8e39b7d1c25b186ffdf9f44f40f810bbcc9d2b71d9d3156fee5a9adf15 \ - --hash=sha256:dfddb7537f789002cc4eb00752c92e67885badcc7005566f2c5de9d969d3282d \ - --hash=sha256:ee52874a9e69a30271649be88ecbe69d374232e8fd0b4e4b0aaaa87f429f1631 \ - --hash=sha256:f6abd0f69968792da7460d3c2cfa7d94fd74e1c21df321eb6345b963f9ec3d8d +protobuf==5.27.2 \ + --hash=sha256:0e341109c609749d501986b835f667c6e1e24531096cff9d34ae411595e26505 \ + --hash=sha256:176c12b1f1c880bf7a76d9f7c75822b6a2bc3db2d28baa4d300e8ce4cde7409b \ + --hash=sha256:354d84fac2b0d76062e9b3221f4abbbacdfd2a4d8af36bab0474f3a0bb30ab38 \ + --hash=sha256:4fadd8d83e1992eed0248bc50a4a6361dc31bcccc84388c54c86e530b7f58863 \ + --hash=sha256:54330f07e4949d09614707c48b06d1a22f8ffb5763c159efd5c0928326a91470 \ + --hash=sha256:610e700f02469c4a997e58e328cac6f305f649826853813177e6290416e846c6 \ + --hash=sha256:7fc3add9e6003e026da5fc9e59b131b8f22b428b991ccd53e2af8071687b4fce \ + --hash=sha256:9e8f199bf7f97bd7ecebffcae45ebf9527603549b2b562df0fbc6d4d688f14ca \ + --hash=sha256:a109916aaac42bff84702fb5187f3edadbc7c97fc2c99c5ff81dd15dcce0d1e5 \ + --hash=sha256:b848dbe1d57ed7c191dfc4ea64b8b004a3f9ece4bf4d0d80a367b76df20bf36e \ + --hash=sha256:f3ecdef226b9af856075f28227ff2c90ce3a594d092c39bee5513573f25e2714 # via # -r requirements.txt # grpcio-tools diff --git a/tests/suite/test_ac_policies_vsr.py b/tests/suite/test_ac_policies_vsr.py index ede342a830..3657a9c0d7 100644 --- a/tests/suite/test_ac_policies_vsr.py +++ b/tests/suite/test_ac_policies_vsr.py @@ -78,6 +78,7 @@ def restore_default_vsr(self, kube_apis, v_s_route_setup) -> None: ) wait_before_test() + @pytest.mark.flaky(max_runs=3) def test_deny_policy_vsr( self, kube_apis, diff --git a/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py b/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py index ec768d7ffd..3aaf094838 100644 --- a/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py +++ b/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py @@ -136,7 +136,7 @@ def fin(): indirect=["crd_ingress_controller", "vsr_weight_changes_dynamic_reload_many_splits_setup"], ) class TestVSRWeightChangesDynamicReloadManySplits: - + @pytest.mark.flaky(max_runs=3) def test_vsr_weight_changes_dynamic_reload_many_splits( self, kube_apis, crd_ingress_controller, vsr_weight_changes_dynamic_reload_many_splits_setup ) -> None: diff --git a/tests/suite/test_virtual_server_use_cluster_ip_reloads.py b/tests/suite/test_virtual_server_use_cluster_ip_reloads.py index 1512b57edf..248b6cb2db 100644 --- a/tests/suite/test_virtual_server_use_cluster_ip_reloads.py +++ b/tests/suite/test_virtual_server_use_cluster_ip_reloads.py @@ -23,6 +23,7 @@ indirect=True, ) class TestVSUseClusterIP: + @pytest.mark.flaky(max_runs=3) def test_use_cluster_ip_reloads( self, kube_apis, ingress_controller_endpoint, crd_ingress_controller, virtual_server_setup ):