Merge branch 'main' into dependabot/pip/tests/protobuf-4.25.0
shaun-nx committed Nov 13, 2023
2 parents ed4a372 + 2816996 commit 6996e36
Showing 189 changed files with 3,257 additions and 6,395 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/build-plus.yml
Expand Up @@ -48,7 +48,7 @@ jobs:
- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: arm64
platforms: arm64,s390x
if: github.event_name != 'pull_request'

- name: Docker Buildx
Expand Down Expand Up @@ -171,7 +171,7 @@ jobs:
This is the official implementation of NGINX Ingress Controller (based on NGINX Plus) from NGINX.
usage-instructions: |
This container requires Kubernetes and can be deployed to EKS.
Review the installation instructions https://docs.nginx.com/nginx-ingress-controller/installation/ and utilize the deployment resources available https://github.com/nginxinc/kubernetes-ingress/tree/main/deploy
Review the installation instructions https://docs.nginx.com/nginx-ingress-controller/installation/ and utilize the deployment resources available https://github.com/nginxinc/kubernetes-ingress/tree/master/deployments
Use this image instead of building your own.
if: ${{ github.ref_type == 'tag' && contains(inputs.target, 'aws') }}
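Review bot: The updated usage-instructions URL points at `tree/master/deployments`, while the README table in this same commit links the manifests at `tree/main/deployments`. Use the `main` ref here as well so both links resolve against the same branch.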

23 changes: 15 additions & 8 deletions .github/workflows/release-pr.yml
Expand Up @@ -39,22 +39,29 @@ jobs:
DOCS_TO_UPDATE_FOLDER=docs/content
FILES_TO_UPDATE_IC_VERSION=(
README.md
charts/nginx-ingress/Chart.yaml
charts/nginx-ingress/README.md
charts/nginx-ingress/values.yaml
README.md
deployments/daemon-set/nginx-ingress.yaml
deployments/daemon-set/nginx-plus-ingress.yaml
deployments/deployment/nginx-ingress.yaml
deployments/deployment/nginx-plus-ingress.yaml
deployments/helm-chart/Chart.yaml
deployments/helm-chart/README.md
deployments/helm-chart/values-icp.yaml
deployments/helm-chart/values-nsm.yaml
deployments/helm-chart/values-plus.yaml
deployments/helm-chart/values.yaml
)
FILE_TO_UPDATE_HELM_CHART_VERSION=(
charts/nginx-ingress/Chart.yaml
charts/nginx-ingress/README.md
deployments/helm-chart/Chart.yaml
deployments/helm-chart/README.md
)
ic_version=${{ github.event.inputs.version }}
helm_chart_version=${{ github.event.inputs.helm_version }}
current_ic_version=$(yq '.appVersion' <charts/nginx-ingress/Chart.yaml)
current_helm_chart_version=$(yq '.version' <charts/nginx-ingress/Chart.yaml)
current_ic_version=$(yq '.appVersion' <deployments/helm-chart/Chart.yaml)
current_helm_chart_version=$(yq '.version' <deployments/helm-chart/Chart.yaml)
sed -i "s/$current_ic_version/$ic_version/g" ${FILES_TO_UPDATE_IC_VERSION[*]}
sed -i "s/$current_helm_chart_version/$helm_chart_version/g" ${FILE_TO_UPDATE_HELM_CHART_VERSION[*]}
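Review bot: In the two `sed -i "s/$current_.../$.../g"` lines the current version is used as an unescaped regular expression, so every `.` in it matches any character, and this hunk widens FILES_TO_UPDATE_IC_VERSION from four files to eleven, including the deployment manifests and several values files. Escape the dots before substituting so unrelated strings in those files are not rewritten. Separately, `ic_version=${{ github.event.inputs.version }}` and the `helm_version` line expand the workflow inputs straight into the script text; passing them through `env:` and reading quoted shell variables keeps the inputs out of the shell source.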
3 changes: 1 addition & 2 deletions CONTRIBUTING.md
Expand Up @@ -42,8 +42,7 @@ Read the [documentation](https://github.com/nginxinc/kubernetes-ingress/tree/mai
- The internal code is found at `internal/`
- Build files for Docker are found at `build/`
- CI files are found at `.github/workflows/`
- Deployment yaml files are found at `deploy/`
- Helm files are found at `charts/`
- Deployment yaml files, and Helm files are found at `deployments/`
- We use [Go modules](https://github.com/golang/go/wiki/Modules) for managing dependencies.

## Contributing
4 changes: 0 additions & 4 deletions Makefile
Expand Up @@ -69,10 +69,6 @@ update-crds: ## Update CRDs
kustomize build config/crd/app-protect-dos --load-restrictor='LoadRestrictionsNone' >deploy/crds-nap-dos.yaml
kustomize build config/crd/app-protect-waf --load-restrictor='LoadRestrictionsNone' >deploy/crds-nap-waf.yaml

.PHONY: generate-manifests
generate-manifests: ## Generate manifests
./hack/generate-manifests.sh

.PHONY: certificate-and-key
certificate-and-key: ## Create default cert and key
./build/generate_default_cert_and_key.sh
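Review bot: With `generate-manifests` removed, the `update-crds` recipe lines just above it still write to `deploy/crds-nap-dos.yaml` and `deploy/crds-nap-waf.yaml`, while CONTRIBUTING.md in this commit says deployment YAML lives under `deployments/`. Either point these outputs at the documented directory or say in CONTRIBUTING.md that `deploy/` is still used for generated CRDs. Also confirm nothing else still calls `./hack/generate-manifests.sh`.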
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -119,7 +119,7 @@ your links to the correct versions:
| Version | Description | Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples |
| ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- |
| Latest stable release | For production use | Use the 3.3.2 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.3.2 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.3.2/deployments/helm-chart). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). |
| Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deploy). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). |
| Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Build your own image](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content/installation/building-ingress-controller-image.md). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). |

## SBOM (Software Bill of Materials)
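Review bot: In the Edge/Nightly row only the Manifests link moves to `tree/main/deployments`; the Helm chart link in the same cell still points at `tree/main/charts/nginx-ingress`, whereas the stable row and release-pr.yml in this commit use `deployments/helm-chart`. Update both links in the cell together so the row matches wherever the chart lives after this merge.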

8 changes: 4 additions & 4 deletions build/Dockerfile
Expand Up @@ -237,8 +237,8 @@ RUN --mount=type=bind,target=/tmp [ -n "${BUILD_OS##*plus*}" ] && exit 0; mkdir

# run only on nap waf build
RUN --mount=type=bind,target=/tmp [ -n "${NAP_MODULES##*waf*}" ] && exit 0; mkdir -p /etc/nginx/waf/nac-policies /etc/nginx/waf/nac-logconfs /etc/nginx/waf/nac-usersigs /var/log/app_protect /opt/app_protect \
&& chown -R 101:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
&& chmod -R g=u /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
&& chown -R 101:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ \
&& chmod -R g=u /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ \
&& touch /etc/nginx/waf/nac-usersigs/index.conf \
&& cp -a /tmp/build/log-default.json /etc/nginx

Expand All @@ -251,8 +251,8 @@ RUN --mount=type=bind,target=/tmp mkdir -p /var/lib/nginx /etc/nginx/secrets /et
&& setcap -v 'cap_net_bind_service=+eip' /usr/sbin/nginx 'cap_net_bind_service=+eip' /usr/sbin/nginx-debug \
&& [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \
/tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
&& chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /*.tmpl \
&& chmod -R g=u /etc/nginx /var/cache/nginx /var/lib/nginx /*.tmpl \
&& chown -R 101:0 /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl \
&& chmod -R g=u /etc/nginx /var/cache/nginx /var/lib/nginx /var/log/nginx /*.tmpl \
&& rm -f /etc/nginx/conf.d/*

# Uncomment the line below if you would like to add the default.pem to the image
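Review bot: `/var/log/nginx` is now chowned to `101:0` and set `g=u` in the common RUN step, but the truncated `mkdir -p` list shown in the hunk header does not show that directory being created. If any base image lacks `/var/log/nginx`, `chown -R` fails and the build stops, so add it to the `mkdir -p` list or confirm every base image provides it. The matching removal from the NAP WAF step is fine only as long as this common step runs for every build variant.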
22 changes: 11 additions & 11 deletions charts/nginx-ingress/README.md
Expand Up @@ -78,14 +78,14 @@ To install the chart with the release name my-release (my-release is the name th
For NGINX:

```console
helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2
```

For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry
`myregistry.example.com`)

```console
helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
```

This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to
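Review bot: Dropping `-n nginx-ingress --create-namespace` from `helm install` here, and from the upgrade and uninstall commands in the later hunks of this file, means the release lands in whatever namespace the current kubeconfig context selects, typically `default`. For a controller that watches Secrets, a dedicated namespace is the safer documented default. Keep the flags, or state explicitly that the namespace is the reader's choice and must be repeated on upgrade and uninstall.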
Expand All @@ -100,15 +100,15 @@ CRDs](#upgrading-the-crds).
To upgrade the release `my-release`:

```console
helm upgrade my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2
helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.2
```

### Uninstalling the Chart

To uninstall/delete the release `my-release`:

```console
helm uninstall my-release -n nginx-ingress
helm uninstall my-release
```

The command removes all the Kubernetes components associated with the release and deletes the release.
Expand All @@ -123,7 +123,7 @@ version is built from the `main` branch of the NGINX Ingress Controller reposito
by specifying the `--version` flag with the value `0.0.0-edge`:

```console
helm install my-release -n nginx-ingress --create-namespace oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 0.0.0-edge
```

> **Warning**
Expand Down Expand Up @@ -157,13 +157,13 @@ To install the chart with the release name my-release (my-release is the name th
For NGINX:

```console
helm install my-release -n nginx-ingress --create-namespace .
helm install my-release .
```

For NGINX Plus:

```console
helm install my-release -f values-plus.yaml -n nginx-ingress --create-namespace .
helm install my-release -f values-plus.yaml .
```

The command deploys the Ingress Controller in your Kubernetes cluster in the default configuration. The configuration
Expand All @@ -177,15 +177,15 @@ CRDs](#upgrading-the-crds).
To upgrade the release `my-release`:

```console
helm upgrade my-release -n nginx-ingress .
helm upgrade my-release .
```

### Uninstalling the Chart

To uninstall/delete the release `my-release`:

```console
helm uninstall my-release -n nginx-ingress
helm uninstall my-release
```

The command removes all the Kubernetes components associated with the release and deletes the release.
Expand Down Expand Up @@ -379,8 +379,8 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.watchSecretNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources of type Secret. If this arg is not configured, the Ingress Controller watches the same namespaces for all resources. See `controller.watchNamespace` and `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchSecretNamespace="default\,nginx-ingress"`. | "" |
|`controller.enableCustomResources` | Enable the custom resources. | true |
|`controller.enableOIDC` | Enable OIDC policies. | false |
|`controller.enableTLSPassthrough` | Enable TLS Passthrough on port 443. Requires `controller.enableCustomResources`. | false |
|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 |
|`controller.enableTLSPassthrough` | Enable TLS Passthrough on default port 443. Requires `controller.enableCustomResources`. | false |
|`controller.tlsPassThroughPort` | Set the port for the TLS Passthrough. Requires `controller.enableCustomResources` and `controller.enableTLSPassthrough`. | 443 |
|`controller.enableCertManager` | Enable x509 automated certificate management for VirtualServer resources using cert-manager (cert-manager.io). Requires `controller.enableCustomResources`. | false |
|`controller.enableExternalDNS` | Enable integration with ExternalDNS for configuring public DNS entries for VirtualServer resources using [ExternalDNS](https://github.com/kubernetes-sigs/external-dns). Requires `controller.enableCustomResources`. | false |
|`controller.globalConfiguration.create` | Creates the GlobalConfiguration custom resource. Requires `controller.enableCustomResources`. | false |
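Review bot: The table documents the key as `controller.tlsPassThroughPort`, but the daemonset and deployment templates in this commit read `.Values.controller.tlsPassthroughPort` (lower-case `t` in `through`). Helm value keys are case-sensitive, so a user following the README would set a key the templates never read. Align the README spelling with the templates.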
4 changes: 2 additions & 2 deletions charts/nginx-ingress/templates/controller-daemonset.yaml
Expand Up @@ -230,9 +230,9 @@ spec:
- -disable-ipv6={{ .Values.controller.disableIPV6 }}
{{- if .Values.controller.enableCustomResources }}
- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
{{- if .Values.controller.enableTLSPassthrough }}
{{ if .Values.controller.enableTLSPassthrough }}
- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }}
{{- end }}
{{ end }}
- -enable-cert-manager={{ .Values.controller.enableCertManager }}
- -enable-oidc={{ .Values.controller.enableOIDC }}
- -enable-external-dns={{ .Values.controller.enableExternalDNS }}
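Review bot: Changing `{{- if .Values.controller.enableTLSPassthrough }}` and its `{{- end }}` to the untrimmed `{{ if ... }}` and `{{ end }}` leaves whitespace-only lines in the rendered args list. Unless the trim was causing a rendering problem, keep `{{-` as on the surrounding `{{- if .Values.controller.enableCustomResources }}` so the output stays stable for anyone diffing rendered manifests.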
8 changes: 4 additions & 4 deletions charts/nginx-ingress/templates/controller-deployment.yaml
Expand Up @@ -173,14 +173,14 @@ spec:
- -enable-app-protect={{ .Values.controller.appprotect.enable }}
{{- if and .Values.controller.appprotect.enable .Values.controller.appprotect.logLevel }}
- -app-protect-log-level={{ .Values.controller.appprotect.logLevel }}
{{- end }}
{{ end }}
- -enable-app-protect-dos={{ .Values.controller.appprotectdos.enable }}
{{- if .Values.controller.appprotectdos.enable }}
- -app-protect-dos-debug={{ .Values.controller.appprotectdos.debug }}
- -app-protect-dos-max-daemons={{ .Values.controller.appprotectdos.maxDaemons }}
- -app-protect-dos-max-workers={{ .Values.controller.appprotectdos.maxWorkers }}
- -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }}
{{- end }}
{{ end }}
- -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }}
{{- if .Values.controller.defaultTLS.secret }}
- -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }}
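Review bot: The two `{{ end }}` closers in this hunk lose their left trim while the matching `{{- if ... }}` openers keep it, so each block trims before but not after. Use the same marker on both ends of a block. The second hunk in this file makes the TLS passthrough block untrimmed on both ends, which leaves three different trimming styles in one args list.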
Expand Down Expand Up @@ -237,9 +237,9 @@ spec:
- -disable-ipv6={{ .Values.controller.disableIPV6 }}
{{- if .Values.controller.enableCustomResources }}
- -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
{{- if .Values.controller.enableTLSPassthrough }}
{{ if .Values.controller.enableTLSPassthrough }}
- -tls-passthrough-port={{ .Values.controller.tlsPassthroughPort }}
{{- end }}
{{ end }}
- -enable-cert-manager={{ .Values.controller.enableCertManager }}
- -enable-oidc={{ .Values.controller.enableOIDC }}
- -enable-external-dns={{ .Values.controller.enableExternalDNS }}
6 changes: 6 additions & 0 deletions charts/nginx-ingress/values-nsm.yaml
@@ -0,0 +1,6 @@
controller:
name: controller
enableLatencyMetrics: true
nginxServiceMesh:
enable: true
enableEgress: true
6 changes: 3 additions & 3 deletions charts/nginx-ingress/values.yaml
Expand Up @@ -211,7 +211,7 @@ controller:
## The number of Ingress Controller pods that can be unavailable. This is a mutually exclusive setting with "minAvailable".
# maxUnavailable: 1

## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value.
## Strategy used to replace old Pods by new ones. .spec.strategy.type can be "Recreate" or "RollingUpdate" for Deployments, and "OnDelete" or "RollingUpdate" for Daemonsets. "RollingUpdate" is the default value.
strategy: {}

## Extra containers for the Ingress Controller pods.
Expand Down Expand Up @@ -275,7 +275,7 @@ controller:
create: false

## The spec of the GlobalConfiguration for defining the global configuration parameters of the Ingress Controller.
spec: {}
spec: {} ## Ensure both curly brackets are removed when adding listeners in YAML format.
# listeners:
# - name: dns-udp
# port: 5353
Expand Down Expand Up @@ -380,7 +380,7 @@ controller:

## The name of the service account of the Ingress Controller pods. Used for RBAC.
## Autogenerated if not set or set to "".
name: nginx-ingress
# name: nginx-ingress

## The name of the secret containing docker registry credentials.
## Secret must exist in the same namespace as the helm release.
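Review bot: Commenting out `name: nginx-ingress` switches the service account to the autogenerated name described in the comment above it. On `helm upgrade` of an existing release that renames the service account, so anything bound to the old name outside the chart (for example a RoleBinding that references `nginx-ingress`) stops applying. Call this out in the upgrade notes or keep the explicit name.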
5 changes: 0 additions & 5 deletions config/base/kustomization.yaml

This file was deleted.

4 changes: 0 additions & 4 deletions config/base/namespace.yaml

This file was deleted.
