Merge branch 'main' into chore/add-aws-build

.github/workflows/ci.yml

@@ -142,7 +142,7 @@ jobs:
       - name: Run Tests
         run: make cover
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v2
+        uses: codecov/codecov-action@v3
         with:
           files: ./coverage.txt
 

build/Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1.4
 ARG BUILD_OS=debian
 ARG NGINX_PLUS_VERSION=r26
 ARG DOWNLOAD_TAG=edge
@@ -9,8 +9,8 @@ FROM nginx:1.21.6 AS debian
 
 RUN apt-get update \
 	&& apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \
-	# temp fix for CVE-2022-0891, CVE-2021-33574, CVE-2021-3997 and CVE-2022-23308
-	&& apt-get install -y libtiff5 libc6 libc-bin libxml2 libsystemd0 libudev1 \
+	# temp fix for CVE-2018-25032
+	&& apt-get install -y zlib1g \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& echo $NGINX_VERSION > nginx_version
 
@@ -46,8 +46,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \
 	apt-get update \
 	&& apt-get install --no-install-recommends --no-install-suggests -y ca-certificates gnupg curl apt-transport-https libcap2-bin \
-	# temp fix for CVE-2021-33574 and CVE-2021-3997
-	&& apt-get install -y libc6 libc-bin libsystemd0 libudev1 \
+	# temp fix for CVE-2018-25032
+	&& apt-get install -y zlib1g \
 	&& curl -fsSL https://cs.nginx.com/static/keys/nginx_signing.key | gpg --dearmor > /etc/apt/trusted.gpg.d/nginx_signing.gpg \
 	&& curl -fsSL -o /etc/apt/apt.conf.d/90pkgs-nginx https://cs.nginx.com/static/files/90pkgs-nginx \
 	&& DEBIAN_VERSION=$(awk -F '=' '/^VERSION_CODENAME=/ {print $2}' /etc/os-release) \
@@ -114,7 +114,7 @@ RUN dnf --nodocs install -y shadow-utils ca-certificates \
 	&& groupadd --system --gid 101 nginx \
 	&& useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx
 
-COPY --chown=nginx:0 LICENSE /licenses/
+COPY --link --chown=101:0 LICENSE /licenses/
 
 
 ############################################# Base image for UBI OSS #############################################
@@ -221,7 +221,7 @@ RUN --mount=target=/tmp [ -n "${BUILD_OS##*plus*}" ] && exit 0; mkdir -p etc/ngi
 
 # run only on nap waf build
 RUN --mount=target=/tmp [ -n "${NAP_MODULES##*waf*}" ] && exit 0; mkdir -p /etc/nginx/waf/nac-policies /etc/nginx/waf/nac-logconfs /etc/nginx/waf/nac-usersigs /var/log/app_protect /opt/app_protect \
-	&& chown -R nginx:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
+	&& chown -R 101:0 /etc/app_protect /usr/share/ts /var/log/app_protect/ /opt/app_protect/ /var/log/nginx/ \
 	&& touch /etc/nginx/waf/nac-usersigs/index.conf \
 	&& cp -a /tmp/build/log-default.json /etc/nginx
 
@@ -234,7 +234,7 @@ RUN --mount=target=/tmp mkdir -p /var/lib/nginx /etc/nginx/secrets /etc/nginx/st
 	&& setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
 	&& [ -z "${BUILD_OS##*plus*}" ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \
 	/tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
-	&& chown -R nginx:0 /etc/nginx /etc/nginx/secrets /var/cache/nginx /var/lib/nginx /*.tmpl \
+	&& chown -R 101:0 /etc/nginx /etc/nginx/secrets /var/cache/nginx /var/lib/nginx /*.tmpl \
 	&& rm -f /etc/nginx/conf.d/* /etc/apt/apt.conf.d/90pkgs-nginx /etc/apt/sources.list.d/nginx-plus.list
 
 # Uncomment the line below if you would like to add the default.pem to the image
@@ -245,7 +245,8 @@ EXPOSE 80 443
 
 STOPSIGNAL SIGTERM
 ENTRYPOINT ["/nginx-ingress"]
-USER nginx
+# 101 is nginx
+USER 101
 
 LABEL org.opencontainers.image.version="${IC_VERSION}"
 LABEL org.opencontainers.image.revision="${GIT_COMMIT}"
@@ -263,26 +264,26 @@ ARG DATE
 ARG TARGETARCH
 
 WORKDIR /go/src/github.com/nginxinc/kubernetes-ingress/nginx-ingress/cmd/nginx-ingress
-COPY go.mod go.sum /go/src/github.com/nginxinc/kubernetes-ingress/nginx-ingress/
-RUN go mod download
-COPY . /go/src/github.com/nginxinc/kubernetes-ingress/nginx-ingress/
-RUN CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=$TARGETARCH go build -trimpath -ldflags "-s -w -X main.version=${IC_VERSION} -X main.commit=${GIT_COMMIT} -X main.date=${DATE}" -o /nginx-ingress
+RUN --mount=target=/go/src/github.com/nginxinc/kubernetes-ingress/nginx-ingress/ --mount=type=cache,target=/root/.cache/go-build \
+	go mod download
+RUN --mount=target=/go/src/github.com/nginxinc/kubernetes-ingress/nginx-ingress/ --mount=type=cache,target=/root/.cache/go-build \
+	CGO_ENABLED=0 GO111MODULE=on GOOS=linux GOARCH=$TARGETARCH go build -trimpath -ldflags "-s -w -X main.version=${IC_VERSION} -X main.commit=${GIT_COMMIT} -X main.date=${DATE}" -o /nginx-ingress
 
 
 ############################################# Create image with nginx-ingress built in container #############################################
 FROM common AS container
 
 LABEL org.nginx.kic.image.build.version="container"
 
-COPY --chown=nginx:0 --from=builder /nginx-ingress /
+COPY --link --from=builder --chown=101:0 /nginx-ingress /
 
 
 ############################################# Create image with nginx-ingress built locally #############################################
 FROM common AS local
 
 LABEL org.nginx.kic.image.build.version="local"
 
-COPY --chown=nginx:0 ./nginx-ingress /
+COPY --link --chown=101:0 nginx-ingress /
 
 
 ############################################# Create image with nginx-ingress built by GoReleaser #############################################
@@ -292,7 +293,7 @@ ARG TARGETVARIANT
 
 LABEL org.nginx.kic.image.build.version="goreleaser"
 
-COPY --chown=nginx:0 ./dist/kubernetes-ingress_linux_$TARGETARCH${TARGETVARIANT:+_7}/nginx-ingress /
+COPY --link --chown=101:0 dist/kubernetes-ingress_linux_$TARGETARCH${TARGETVARIANT:+_7}/nginx-ingress /
 
 
 ############################################# Create image with nginx-ingress built by GoReleaser for AWS Marketplace #############################################
@@ -301,7 +302,7 @@ ARG TARGETARCH
 
 LABEL org.nginx.kic.image.build.version="aws"
 
-COPY --chown=nginx:0 ./dist/aws_linux_$TARGETARCH/nginx-ingress /
+COPY --link --chown=101:0 dist/aws_linux_$TARGETARCH/nginx-ingress /
 
 
 ############################################# Create image with nginx-ingress extracted from image on Docker Hub #############################################
@@ -311,4 +312,4 @@ FROM common as download
 
 LABEL org.nginx.kic.image.build.version="binaries"
 
-COPY --from=kic /nginx-ingress /
+COPY --link --from=kic --chown=101:0 /nginx-ingress /

deployments/common/crds/k8s.nginx.org_policies.yaml

@@ -43,7 +43,7 @@ spec:
               type: object
               properties:
                 accessControl:
-                  description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
+                  description: AccessControl defines an access policy based on the source IP of a request.
                   type: object
                   properties:
                     allow:
@@ -55,7 +55,7 @@ spec:
                       items:
                         type: string
                 egressMTLS:
-                  description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
+                  description: EgressMTLS defines an Egress MTLS policy.
                   type: object
                   properties:
                     ciphers:
@@ -79,7 +79,7 @@ spec:
                 ingressClassName:
                   type: string
                 ingressMTLS:
-                  description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
+                  description: IngressMTLS defines an Ingress MTLS policy.
                   type: object
                   properties:
                     clientCertSecret:
@@ -89,7 +89,7 @@ spec:
                     verifyDepth:
                       type: integer
                 jwt:
-                  description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
+                  description: JWTAuth holds JWT authentication configuration.
                   type: object
                   properties:
                     realm:
@@ -99,7 +99,7 @@ spec:
                     token:
                       type: string
                 oidc:
-                  description: OIDC defines an Open ID Connect policy.
+                  description: 'OIDC defines an Open ID Connect policy. policy status: preview'
                   type: object
                   properties:
                     authEndpoint:
@@ -117,7 +117,7 @@ spec:
                     tokenEndpoint:
                       type: string
                 rateLimit:
-                  description: 'RateLimit defines a rate limit policy. policy status: preview'
+                  description: RateLimit defines a rate limit policy.
                   type: object
                   properties:
                     burst:
@@ -139,7 +139,7 @@ spec:
                     zoneSize:
                       type: string
                 waf:
-                  description: 'WAF defines an WAF policy. policy status: preview'
+                  description: WAF defines an WAF policy.
                   type: object
                   properties:
                     apPolicy:

deployments/helm-chart/crds/k8s.nginx.org_policies.yaml

@@ -43,7 +43,7 @@ spec:
               type: object
               properties:
                 accessControl:
-                  description: 'AccessControl defines an access policy based on the source IP of a request. policy status: production-ready'
+                  description: AccessControl defines an access policy based on the source IP of a request.
                   type: object
                   properties:
                     allow:
@@ -55,7 +55,7 @@ spec:
                       items:
                         type: string
                 egressMTLS:
-                  description: 'EgressMTLS defines an Egress MTLS policy. policy status: preview'
+                  description: EgressMTLS defines an Egress MTLS policy.
                   type: object
                   properties:
                     ciphers:
@@ -79,7 +79,7 @@ spec:
                 ingressClassName:
                   type: string
                 ingressMTLS:
-                  description: 'IngressMTLS defines an Ingress MTLS policy. policy status: preview'
+                  description: IngressMTLS defines an Ingress MTLS policy.
                   type: object
                   properties:
                     clientCertSecret:
@@ -89,7 +89,7 @@ spec:
                     verifyDepth:
                       type: integer
                 jwt:
-                  description: 'JWTAuth holds JWT authentication configuration. policy status: preview'
+                  description: JWTAuth holds JWT authentication configuration.
                   type: object
                   properties:
                     realm:
@@ -99,7 +99,7 @@ spec:
                     token:
                       type: string
                 oidc:
-                  description: OIDC defines an Open ID Connect policy.
+                  description: 'OIDC defines an Open ID Connect policy. policy status: preview'
                   type: object
                   properties:
                     authEndpoint:
@@ -117,7 +117,7 @@ spec:
                     tokenEndpoint:
                       type: string
                 rateLimit:
-                  description: 'RateLimit defines a rate limit policy. policy status: preview'
+                  description: RateLimit defines a rate limit policy.
                   type: object
                   properties:
                     burst:
@@ -139,7 +139,7 @@ spec:
                     zoneSize:
                       type: string
                 waf:
-                  description: 'WAF defines an WAF policy. policy status: preview'
+                  description: WAF defines an WAF policy.
                   type: object
                   properties:
                     apPolicy:

docs/content/configuration/policy-resource.md

@@ -94,8 +94,6 @@ policies:
 
 ### RateLimit
 
-> **Feature Status**: Rate-Limiting is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
-
 The rate limit policy configures NGINX to limit the processing rate of requests.
 
 For example, the following policy will limit all subsequent requests coming from a single IP address once a rate of 10 requests per second is exceeded:
@@ -136,8 +134,6 @@ When you reference more than one rate limit policy, the Ingress Controller will
 
 ### JWT
 
-> **Feature Status**: JWT is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
-
 > Note: This feature is only available in NGINX Plus.
 
 The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens.
@@ -189,8 +185,6 @@ In this example the Ingress Controller will use the configuration from the first
 
 ### IngressMTLS
 
-> **Feature Status**: IngressMTLS is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
-
 The IngressMTLS policy configures client certificate verification.
 
 For example, the following policy will verify a client certificate using the CA certificate specified in the `ingress-mtls-secret`:
@@ -243,8 +237,6 @@ In this example the Ingress Controller will use the configuration from the first
 
 ### EgressMTLS
 
-> **Feature Status**: EgressMTLS is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
-
 The EgressMTLS policy configures upstreams authentication and certificate verification.
 
 For example, the following policy will use `egress-mtls-secret` to authenticate with the upstream application and `egress-trusted-ca-secret` to verify the certificate of the application:

docs/content/installation/installation-with-manifests.md

@@ -90,7 +90,7 @@ If you would like to use the TCP and UDP load balancing features of the Ingress
     $ kubectl apply -f common/crds/k8s.nginx.org_globalconfigurations.yaml
     ```
 
-> **Feature Status**: The TransportServer, GlobalConfiguration and Policy resources are available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default.
+> **Feature Status**: The Policy resources are available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default.
 
 ### Resources for NGINX App Protect
 

go.mod

@@ -3,8 +3,8 @@ module github.com/nginxinc/kubernetes-ingress
 go 1.18
 
 require (
-	github.com/aws/aws-sdk-go-v2/config v1.15.2
-	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.2
+	github.com/aws/aws-sdk-go-v2/config v1.15.3
+	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.3
 	github.com/golang-jwt/jwt/v4 v4.4.1
 	github.com/golang/glog v1.0.0
 	github.com/google/go-cmp v0.5.7
@@ -22,15 +22,15 @@ require (
 require (
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.16.1 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.11.1 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.8 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.16.2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.16.2 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.3 // indirect
 	github.com/aws/smithy-go v1.11.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect