Add First Class OpenShift support

.github/workflows/build.yml

@@ -6,6 +6,10 @@ on:
       platforms:
         required: true
         type: string
+      build-os:
+        required: false
+        type: string
+        default: ''
       image:
         required: true
         type: string
@@ -116,16 +120,17 @@ jobs:
             name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
             name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
             name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/operator,enable=${{ inputs.image == 'operator' && github.event_name != 'pull_request' }}
             name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}
           flavor: |
             latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
           tags: |
-            type=semver,pattern={{version}}
-            type=edge
-            type=schedule
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}
-            type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}
+            type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
           labels: |
             org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
             org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
@@ -143,16 +148,16 @@ jobs:
       - name: Build Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
+          file: ${{ inputs.image == 'operator' && 'operators/Dockerfile' || (inputs.build-os != '' && format('build/{0}/Dockerfile{1}', inputs.build-os, inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') || format('build/Dockerfile{0}', inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '')) }}
           context: "."
           target: ${{ inputs.image == 'ngf' && 'goreleaser' || '' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ steps.meta.outputs.annotations }}
           push: ${{ !inputs.dry_run }}
           platforms: ${{ inputs.platforms }}
-          cache-from: type=gha,scope=${{ inputs.image }}
-          cache-to: type=gha,scope=${{ inputs.image }},mode=max
+          cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+          cache-to: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},mode=max
           pull: true
           no-cache: ${{ github.event_name != 'pull_request' }}
           sbom: true

.github/workflows/ci.yml

@@ -20,6 +20,10 @@ on:
         required: false
         type: string
         default: ''
+      operator_version:
+        required: false
+        type: string
+        default: ''
       dry_run:
         required: false
         type: boolean
@@ -350,10 +354,12 @@ jobs:
       matrix:
         image: [ngf, nginx]
         platforms: ["linux/arm64, linux/amd64"]
+        build-os: ["", ubi]
     uses: ./.github/workflows/build.yml
     with:
       image: ${{ matrix.image }}
       platforms: ${{ matrix.platforms }}
+      build-os: ${{ matrix.build-os }}
       tag: ${{ inputs.release_version || '' }}
       dry_run: ${{ inputs.dry_run || false}}
       runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
@@ -368,9 +374,14 @@ jobs:
     name: Build Plus images
     needs: [vars, binary]
     uses: ./.github/workflows/build.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        build-os: ["", ubi]
     with:
       image: plus
       platforms: "linux/arm64, linux/amd64"
+      build-os: ${{ matrix.build-os }}
       tag: ${{ inputs.release_version || '' }}
       dry_run: ${{ inputs.dry_run || false }}
       runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
@@ -381,13 +392,31 @@ jobs:
       id-token: write # for docker/login to login to NGINX registry
     secrets: inherit
 
+  build-operator:
+    name: Build Operator images
+    needs: [vars, binary]
+    uses: ./.github/workflows/build.yml
+    with:
+      image: operator
+      platforms: "linux/arm64, linux/amd64"
+      tag: ${{ inputs.operator_version || '' }}
+      dry_run: ${{ inputs.dry_run || false }}
+      runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
+    permissions:
+      contents: read # for docker/build-push-action to read repo content
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      packages: write # for docker/build-push-action to push to GHCR
+      id-token: write # for docker/login to login to NGINX registry
+    secrets: inherit
+
   functional-tests:
     name: Functional tests
     needs: [vars, build-oss, build-plus]
     strategy:
       fail-fast: false
       matrix:
         image: [nginx, plus]
+        build-os: ["", ubi]
         k8s-version:
           [
             "${{ needs.vars.outputs.min_k8s_version }}",
@@ -397,6 +426,7 @@ jobs:
     with:
       image: ${{ matrix.image }}
       k8s-version: ${{ matrix.k8s-version }}
+      build-os: ${{ matrix.build-os }}
     secrets: inherit
     permissions:
       contents: read
@@ -408,6 +438,7 @@ jobs:
       fail-fast: false
       matrix:
         image: [nginx, plus]
+        build-os: ["", ubi]
         k8s-version:
           [
             "${{ needs.vars.outputs.min_k8s_version }}",
@@ -419,6 +450,7 @@ jobs:
       image: ${{ matrix.image }}
       k8s-version: ${{ matrix.k8s-version }}
       enable-experimental: ${{ matrix.enable-experimental }}
+      build-os: ${{ matrix.build-os }}
       production-release: ${{ inputs.is_production_release == true && (inputs.dry_run == false || inputs.dry_run == null) }}
       release_version: ${{ inputs.release_version }}
     secrets: inherit

.github/workflows/conformance.yml

@@ -6,6 +6,10 @@ on:
       image:
         required: true
         type: string
+      build-os:
+        required: false
+        type: string
+        default: ''
       k8s-version:
         required: true
         type: string
@@ -75,12 +79,12 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric
           tags: |
-            type=semver,pattern={{version}}
-            type=edge
-            type=schedule
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
-            type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
+            type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
 
       - name: NGINX Docker meta
         id: nginx-meta
@@ -89,12 +93,12 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}
           tags: |
-            type=semver,pattern={{version}}
-            type=edge
-            type=schedule
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
-            type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
+            type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
 
       - name: Build binary
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
@@ -119,11 +123,11 @@ jobs:
       - name: Build NGINX Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}}
+          file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
           tags: ${{ steps.nginx-meta.outputs.tags }}
           context: "."
           load: true
-          cache-from: type=gha,scope=${{ inputs.image }}
+          cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
           pull: true
           build-args: |
             NJS_DIR=internal/controller/nginx/modules/src
@@ -178,7 +182,7 @@ jobs:
         if: ${{ inputs.enable-experimental }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}
+          name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }}
           path: ./tests/conformance-profile.yaml
 
       - name: Upload profile to release

.github/workflows/functional.yml

@@ -9,6 +9,10 @@ on:
       k8s-version:
         required: true
         type: string
+      build-os:
+        required: false
+        type: string
+        default: ''
 
 defaults:
   run:
@@ -61,11 +65,11 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric
           tags: |
-            type=semver,pattern={{version}}
-            type=schedule
-            type=edge
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }}
 
       - name: NGINX Docker meta
         id: nginx-meta
@@ -74,11 +78,11 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}
           tags: |
-            type=semver,pattern={{version}}
-            type=edge
-            type=schedule
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }}
 
       - name: Build binary
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
@@ -103,11 +107,11 @@ jobs:
       - name: Build NGINX Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}}
+          file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
           tags: ${{ steps.nginx-meta.outputs.tags }}
           context: "."
           load: true
-          cache-from: type=gha,scope=${{ inputs.image }}
+          cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
           pull: true
           build-args: |
             NJS_DIR=internal/controller/nginx/modules/src

.github/workflows/production-release.yml

@@ -7,6 +7,11 @@ on:
         description: 'Release version (e.g., v2.0.3)'
         required: true
         type: string
+      operator-version:
+        description: 'Operator release version (e.g., v1.0.0). Optional'
+        required: false
+        type: string
+        default: ''
       dry_run:
         description: 'If true, does a dry run of the production workflow'
         required: false
@@ -33,6 +38,7 @@ jobs:
           echo "Validating release from: ${GITHUB_REF}"
 
           INPUT_VERSION="${{ github.event.inputs.version }}"
+          INPUT_OPERATOR_VERSION="${{ github.event.inputs.operator-version }}"
 
           # Validate version format
           if [[ ! "${INPUT_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -41,8 +47,17 @@ jobs:
           exit 1
           fi
 
+          # Validate version format if operator version is provided
+          if [[ -n "${INPUT_OPERATOR_VERSION}" && ! "${INPUT_OPERATOR_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          echo "❌ Invalid operator version format: ${INPUT_OPERATOR_VERSION}"
+          echo "Expected format: v1.2.3"
+          exit 1
+          fi
+
+
           echo "✅ Valid release branch: ${GITHUB_REF}"
           echo "✅ Valid version format: ${INPUT_VERSION}"
+          [[ -n "${INPUT_OPERATOR_VERSION}" ]] && echo "✅ Valid operator version format: ${INPUT_OPERATOR_VERSION}"
 
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -62,7 +77,7 @@ jobs:
           git tag -a "${VERSION}" -m "Release ${VERSION}"
 
           if [[ "${{ inputs.dry_run }}" == "true" ]]; then
-          echo "DRY RUN: Would push tag ${VERSION}"
+          echo "DRY RUN: Would push tag ${VERSION} and operator tag ${{ github.event.inputs.operator-version || '' }}"
           git push --dry-run origin "${VERSION}"
           else
           git push origin "${VERSION}"
@@ -76,6 +91,7 @@ jobs:
     with:
       is_production_release: true
       release_version: ${{ github.event.inputs.version }}
+      operator_version: ${{ github.event.inputs.operator-version }}
       dry_run: ${{ github.event.inputs.dry_run }}
     secrets: inherit
     permissions:

.pre-commit-config.yaml

@@ -10,7 +10,6 @@ repos:
       - id: check-yaml
         args: [--allow-multiple-documents]
         exclude: (^charts/nginx-gateway-fabric/templates)
-      - id: check-added-large-files
       - id: check-merge-conflict
       - id: check-case-conflict
       - id: check-vcs-permalinks

.yamllint.yaml

@@ -27,6 +27,8 @@ rules:
     spaces: consistent
     indent-sequences: consistent
     check-multi-line-strings: true
+    ignore: |
+      operators/**/*
   key-duplicates: enable
   key-ordering: disable
   line-length:
@@ -38,6 +40,7 @@ rules:
       tests/suite/manifests/longevity/cronjob.yaml
       .goreleaser.yml
       charts/nginx-gateway-fabric/
+      operators/config/crd/bases/gateway.nginx.org_nginxgatewayfabrics.yaml
   new-line-at-end-of-file: enable
   new-lines: enable
   octal-values: disable