Merge branch 'nginxinc:main' into master

.github/actionlint.yaml

@@ -0,0 +1,8 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  labels:
+    - kic-plus
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: null

.github/actions/certify-openshift-image/action.yml

@@ -0,0 +1,57 @@
+name: Certify Openshift Image
+description: This action will attempt to certify an image for use in Openshift
+
+inputs:
+  image:
+    description: The image manifest to certify in the format <registry>/<repository>:<tag>
+    required: true
+  project_id:
+    description: The certification project id
+    required: true
+  pyxis_token:
+    description: The Pyxis API Token
+    required: true
+  preflight_version:
+    description: The version of the preflight utility to install
+    required: false
+    default: 1.9.1
+  platforms:
+    description: A comma separated list of architectures in the image manifest to certify
+    required: false
+    default: ""
+
+outputs:
+  result:
+    description: Did the certification succeed?
+    value: ${{ steps.result.outputs.result == 0 && true || false }}
+
+runs:
+  using: composite
+  steps:
+    - name: Install openshift-preflight
+      run: |
+        curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/${{ inputs.preflight_version }}/preflight-linux-amd64 --output preflight
+        chmod +x preflight
+      shell: bash
+
+    - name: Certify Images
+      id: result
+      run: |
+        result=0
+        if [ -z "${{ inputs.platforms }}" ]; then
+          # list of platforms passed
+          IFS=',' read -ra arch_list <<< "${{ inputs.platforms }}"
+          for arch in "${arch_list[@]}"; do
+              architecture=("${arch#*/}")
+              ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --platform $architecture --submit
+              if [ $? -ne 0 ]; then
+                result=1
+              fi
+          done
+        else
+          # no platforms passed, this is either a manifest or a single platform image
+          ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --submit
+          result=$?
+        fi
+        echo "result=$result" >> $GITHUB_OUTPUT
+      shell: bash

.github/actions/install-skopeo/action.yml

@@ -0,0 +1,33 @@
+name: Install Skopeo
+description: Install Skopeo from source on ubuntu runner
+
+inputs:
+  version:
+    description: The Skopeo version to install
+    default: v1.14.2
+    required: false
+  repo:
+    description: The Skopeo repository
+    default: github.com/containers/skopeo
+    required: false
+
+outputs:
+  result:
+    description: Did the installation succeed?
+    value: ${{ steps.result.outputs.result == 0 && true || false }}
+
+runs:
+  using: composite
+  steps:
+    - name: Install Skopeo
+      id: result
+      run: |
+          sudo apt-get -y update
+          sudo apt install libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config go-md2man
+          sudo mkdir -p $GOPATH/src/${{ inputs.repo }}
+          sudo git clone --depth 1 -b ${{ inputs.version }} https://${{ inputs.repo }} $GOPATH/src/${{ inputs.repo }}
+          pushd $GOPATH/src/${{ inputs.repo }} && sudo make install
+          popd
+          skopeo --version
+          echo "result=$?" >> $GITHUB_OUTPUT
+      shell: bash

.github/actions/smoke-tests/action.yaml

@@ -2,51 +2,32 @@ name: Run Smoke Tests
 description: Run Smoke Tests for the project
 
 inputs:
-  go-md5:
-    required: true
-    type: string
-  base-image-md5:
-    required: true
-    type: string
   k8s-version:
     description: Kubernetes version to use
     required: false
   k8s-timeout:
     description: Timeout to use
     default: 75s
     required: false
-  image:
-    description: Docker image to use
-    default: debian
-    required: false
+  image-type:
+    description: Image type to test
+    required: true
+  image-name:
+    description: Docker image name to test
+    required: true
+  tag:
+    description: Docker image tag to test
+    required: true
   test-image:
     description: Test Docker image to use
     default: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:latest
     required: false
   marker:
     description: Marker to use
     required: false
-  nginx-key:
-    description: Nginx key to use
-    required: false
-  nginx-crt:
-    description: Nginx cert to use
-    required: false
   azure-ad-secret:
     description: Azure Active Directory secret for JWKs
     required: false
-  rhel-license:
-    description: RHEL license for UBI builds
-    required: false
-  gcr-workload-identity-secret:
-    description: Google Workflow Identity secret
-    required: false
-  gcr-service-account-secret:
-    description: Google Service Account secret
-    required: false
-  forked-workflow:
-    description: Does this workflow full access to repo resources?
-    required: false
 
 outputs:
   test-results-name:
@@ -56,90 +37,24 @@ outputs:
 runs:
   using: composite
   steps:
-    - name: Fetch Cached Artifacts
-      uses: actions/cache@v3
-      with:
-        path: ${{ github.workspace }}/dist
-        key: nginx-ingress-${{ inputs.go-md5 }}
-
-    - name: Ingress type
-      id: ingress-type
-      run: |
-        echo "name=nginx${{ contains(inputs.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT
-        echo "tag=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }}-${{ github.sha }}" >> $GITHUB_OUTPUT
-        echo "modules=${{ contains(inputs.marker, 'appprotect') && 'waf' || '' }}${{ contains(inputs.marker, 'dos') && 'dos' || '' }}" >> $GITHUB_OUTPUT
-      shell: bash
-
-    - name: Docker Buildx
-      uses: docker/setup-buildx-action@v2
-
-    - name: Authenticate to Google Cloud
-      id: auth
-      uses: google-github-actions/auth@v2
-      with:
-        token_format: access_token
-        workload_identity_provider: ${{ inputs.gcr-workload-identity-secret }}
-        service_account: ${{ inputs.gcr-service-account-secret }}
-      if: ${{ ! inputs.forked-workflow }}
-
-    - name: Login to GCR
-      uses: docker/login-action@v3
-      with:
-        registry: gcr.io
-        username: oauth2accesstoken
-        password: ${{ steps.auth.outputs.access_token }}
-      if: ${{ ! inputs.forked-workflow }}
-
-    - name: Build ${{ inputs.image }} Container
-      uses: docker/build-push-action@v3
-      with:
-        file: build/Dockerfile
-        context: "."
-        cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }}
-        target: goreleaser${{ inputs.forked-workflow && '' || '-prebuilt' }}
-        tags: "docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }}"
-        load: true
-        pull: true
-        build-args: |
-          BUILD_OS=${{ inputs.image }}
-          PREBUILT_BASE_IMG=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/${{ contains(inputs.image, 'plus') && 'plus' || 'oss' }}:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ contains(inputs.marker, 'appprotect') && '-waf' || '' }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}
-          IC_VERSION=CI
-          ${{ steps.ingress-type.outputs.modules != '' && format('NAP_MODULES={0}', steps.ingress-type.outputs.modules) || '' }}
-          ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
-        secrets: |
-          ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', inputs.nginx-crt) || '' }}
-          ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', inputs.nginx-key) || '' }}
-          ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', inputs.rhel-license) || '' }}
-
     - name: Deploy Kubernetes
       id: k8s
       run: |
         make -f tests/Makefile create-kind-cluster K8S_CLUSTER_NAME=${{ github.run_id }} K8S_CLUSTER_VERSION=${{ inputs.k8s-version }} K8S_TIMEOUT=${{ inputs.k8s-timeout }}
-        make -f tests/Makefile image-load PREFIX=nginx/${{ steps.ingress-type.outputs.name }} TAG=${{ steps.ingress-type.outputs.tag }} K8S_CLUSTER_NAME=${{ github.run_id }}
+        make -f tests/Makefile image-load REGISTRY="" PREFIX=${{ inputs.image-name }} TAG=${{ inputs.tag }} K8S_CLUSTER_NAME=${{ github.run_id }}
         marker="${{ inputs.marker }}"
         nospaces="${marker// /_}"
         sanitized_marker="${nospaces//\'/}"
         name="${sanitized_marker:-${{ inputs.k8s-version }}}"
         echo "cluster_ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${{ github.run_id }}-control-plane)" >> $GITHUB_OUTPUT
-        echo "cluster=$(echo nginx-${{ inputs.image }}-$name)" >> $GITHUB_OUTPUT
+        echo "cluster=$(echo nginx-${{ inputs.image-type }}-$name)" >> $GITHUB_OUTPUT
       shell: bash
 
     - name: Setup Kubeconfig
       run: |
         sed -i 's|server:.*|server: https://${{ steps.k8s.outputs.cluster_ip }}:6443|' ~/.kube/kind/config
       shell: bash
 
-    - name: Build Test-Runner Container
-      uses: docker/build-push-action@v3
-      with:
-        file: tests/Dockerfile
-        context: "."
-        cache-from: type=gha,scope=test-runner
-        tags: ${{ inputs.test-image }}
-        pull: true
-        load: true
-      if: ${{ inputs.forked-workflow }}
-
     - name: Run Smoke Tests
       run: |
         touch tests-${{ steps.k8s.outputs.cluster }}.html
@@ -149,9 +64,9 @@ runs:
         -v ${{ github.workspace }}/tests:/workspace/tests \
         -v ~/.kube/kind/config:/root/.kube/config ${{ inputs.test-image }} \
         --context=kind-${{ github.run_id }} \
-        --image=docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }} \
+        --image=${{ inputs.image-name }}:${{ inputs.tag }} \
         --image-pull-policy=Never \
-        --ic-type=${{ steps.ingress-type.outputs.name }} \
+        --ic-type=nginx${{ contains(inputs.image-type, 'plus') && '-plus' || '' }}-ingress \
         --service=nodeport --node-ip=${{ steps.k8s.outputs.cluster_ip }} \
         --html=tests-${{ steps.k8s.outputs.cluster }}.html \
         --self-contained-html \

.github/config/config-gcr-retag

@@ -0,0 +1,6 @@
+export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a ADDITIONAL_TAGS=()

.github/config/config-oss-dockerhub

@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=docker.io
+export TARGET_OSS_IMAGE_PREFIX="nginx/nginx-ingress"
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false

.github/config/config-oss-ecr

@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=public.ecr.aws
+export TARGET_OSS_IMAGE_PREFIX="nginx/nginx-ingress"
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false

.github/config/config-oss-gcr-release

@@ -0,0 +1,6 @@
+export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false

.github/config/config-oss-github

@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=ghcr.io
+export TARGET_OSS_IMAGE_PREFIX="nginxinc/kubernetes-ingress"
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false

.github/config/config-oss-quay

@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=quay.io
+export TARGET_OSS_IMAGE_PREFIX="nginx/nginx-ingress"
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_PLUS=false
+export PUBLISH_WAF=false
+export PUBLISH_DOS=false
+export PUBLISH_WAF_DOS=false

.github/config/config-plus-azure

@@ -0,0 +1,11 @@
+export TARGET_REGISTRY=nginxmktpl.azurecr.io
+export TARGET_PLUS_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress"
+export TARGET_NAP_WAF_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress-nap"
+export TARGET_NAP_DOS_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress-dos"
+export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress-nap-dos"
+declare -a PLUS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("")
+declare -a ADDITIONAL_TAGS=()
+export PUBLISH_OSS=false

.github/config/config-plus-ecr

@@ -0,0 +1,11 @@
+export TARGET_REGISTRY=709825985650.dkr.ecr.us-east-1.amazonaws.com
+export TARGET_PLUS_IMAGE_PREFIX=nginx/nginx-plus-ingress
+export TARGET_NAP_WAF_IMAGE_PREFIX=nginx/nginx-plus-ingress-nap
+export TARGET_NAP_DOS_IMAGE_PREFIX=nginx/nginx-plus-ingress-dos
+export TARGET_NAP_WAF_DOS_IMAGE_PREFIX=nginx/nginx-plus-ingress-dos-nap
+declare -a PLUS_TAG_POSTFIX_LIST=("-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
+declare -a ADDITIONAL_TAGS=()
+export PUBLISH_OSS=false

.github/config/config-plus-gcr-public

@@ -0,0 +1,10 @@
+export PUBLISH_OSS=false
+export PUBLISH_WAF_DOS=false
+export TARGET_REGISTRY=gcr.io/f5-7626-networks-public
+export TARGET_PLUS_IMAGE_PREFIX=nginxinc/nginx-plus-ingress
+export TARGET_NAP_WAF_IMAGE_PREFIX=nginxinc/nginx-plus-ingress-nap
+export TARGET_NAP_DOS_IMAGE_PREFIX=nginxinc/nginx-plus-ingress-dos
+declare -a PLUS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a ADDITIONAL_TAGS=(${ADDITIONAL_TAG})

.github/config/config-plus-gcr-release

@@ -0,0 +1,7 @@
+export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_OSS=false

.github/config/config-plus-nginx

@@ -0,0 +1,8 @@
+export TARGET_REGISTRY=docker-mgmt.nginx.com
+export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
+export PUBLISH_OSS=false

.github/data/matrix-regression.json

@@ -5,12 +5,14 @@
       "label": "regression",
       "image": "debian",
       "type": "oss",
+      "marker": "'not upgrade'",
       "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
     },
     {
       "label": "regression",
       "image": "debian-plus",
       "type": "plus",
+      "marker": "'not upgrade'",
       "platforms": "linux/arm64, linux/amd64"
     }
   ]

.github/data/version.txt

@@ -1,2 +1,2 @@
-IC_VERSION=3.5.0
-HELM_CHART_VERSION=1.2.0
+IC_VERSION=3.6.0
+HELM_CHART_VERSION=1.3.0