Merge branch 'main' into alpine-fips-bump

.github/config/config-plus-nginx

@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=docker-mgmt.nginx.com
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")

.github/data/matrix-smoke-nap.json

@@ -10,7 +10,7 @@
     },
     {
       "label": "AP_WAF 2/4",
-      "image": "alpine-plus-nap-fips",
+      "image": "ubi-9-plus-nap",
       "type": "plus",
       "nap_modules": "waf",
       "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow'",

.github/workflows/update-docker-images.yml

@@ -105,11 +105,6 @@ jobs:
             image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress
             target_image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
             platforms: "linux/arm64, linux/amd64"
-          - tag: ${{ needs.variables.outputs.tag }}-alpine-fips
-            target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-alpine-fips"
-            image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress
-            target_image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
-            platforms: "linux/arm64, linux/amd64"
           - tag: ${{ needs.variables.outputs.tag }}-mktpl
             target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-mktpl"
             image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress
@@ -120,11 +115,6 @@ jobs:
             image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress
             target_image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
             platforms: "linux/arm64, linux/amd64"
-          - tag: ${{ needs.variables.outputs.tag }}-alpine-mktpl-fips
-            target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-alpine-mktpl-fips"
-            image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress
-            target_image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
-            platforms: "linux/arm64, linux/amd64"
           - tag: ${{ needs.variables.outputs.tag }}-ubi
             target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-ubi"
             image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress
@@ -170,11 +160,6 @@ jobs:
             image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress"
             target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress"
             platforms: "linux/amd64"
-          - tag: "${{ needs.variables.outputs.tag }}-alpine-fips"
-            target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-alpine-fips"
-            image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress"
-            target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress"
-            platforms: "linux/amd64"
           - tag: "${{ needs.variables.outputs.tag }}"
             target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
             image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress"
@@ -185,11 +170,6 @@ jobs:
             image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress"
             target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress"
             platforms: "linux/amd64"
-          - tag: "${{ needs.variables.outputs.tag }}-alpine-fips"
-            target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-alpine-fips"
-            image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress"
-            target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress"
-            platforms: "linux/amd64"
           - tag: "${{ needs.variables.outputs.tag }}"
             target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
             image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress"

build/Dockerfile

@@ -214,7 +214,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \
 
 
 ############################################# Base image for Debian with NGINX Plus #############################################
-FROM debian:12-slim@sha256:67f3931ad8cb1967beec602d8c0506af1e37e8d73c2a0b38b181ec5d8560d395 AS debian-plus
+FROM debian:12-slim@sha256:d0ee556a990d3a6973c1ac08dcde8a972bd2cd1cadf5e91566aaed6684db35dd AS debian-plus
 ARG NGINX_PLUS_VERSION
 
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}

config/crd/bases/k8s.nginx.org_policies.yaml

@@ -87,9 +87,7 @@ spec:
                     type: object
                 type: object
               basicAuth:
-                description: |-
-                  BasicAuth holds HTTP Basic authentication configuration
-                  policy status: preview
+                description: BasicAuth holds HTTP Basic authentication configuration
                 properties:
                   realm:
                     type: string

deploy/crds.yaml

@@ -289,9 +289,7 @@ spec:
                     type: object
                 type: object
               basicAuth:
-                description: |-
-                  BasicAuth holds HTTP Basic authentication configuration
-                  policy status: preview
+                description: BasicAuth holds HTTP Basic authentication configuration
                 properties:
                   realm:
                     type: string

docs/content/configuration/global-configuration/command-line-arguments.md

@@ -57,15 +57,6 @@ Enables custom resources.
 
 Default `true`.
 
-<a name="cmdoption-enable-preview-policies"></a>
-
----
-
-### -enable-preview-policies
-
-Enables preview policies. This flag is deprecated. To enable OIDC Policies please use [-enable-oidc](#cmdoption-enable-oidc) instead.
-
-Default `false`.
 
 <a name="cmdoption-enable-oidc"></a>
 

docs/content/configuration/global-configuration/configmap-resource.md

@@ -191,6 +191,7 @@ For more information, view the [VirtualServer and VirtualServerRoute resources](
 |*main-template* | Sets the main NGINX configuration template. | By default the template is read from the file in the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
 |*ingress-template* | Sets the NGINX configuration template for an Ingress resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
 |*virtualserver-template* | Sets the NGINX configuration template for an VirtualServer resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
+|*transportserver-template* | Sets the NGINX configuration template for a TransportServer resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
 {{</bootstrap-table>}}
 
 ---

examples/shared-examples/custom-templates/README.md

@@ -7,6 +7,7 @@ via the following keys:
 - `main-template` - Sets the main NGINX configuration template.
 - `ingress-template` - Sets the Ingress NGINX configuration template for an Ingress resource.
 - `virtualserver-template` - Sets the NGINX configuration template for an VirtualServer resource.
+- `transportserver-template` - Sets the NGINX configuration template for a TransportServer resource.
 
 ## Example
 
@@ -35,6 +36,12 @@ data:
     ...
     }
     {{ end }}
+  transportserver-template: |
+    {{- range $u := .Upstreams }}
+    upstream {{ $u.Name }} {
+        zone {{ $u.Name }} 256k;
+    ...
+    }
 ```
 
 **Notes:**

internal/configs/config_params.go

@@ -99,9 +99,10 @@ type ConfigParams struct {
 	MainServerSSLPreferServerCiphers bool
 	MainServerSSLProtocols           string
 
-	IngressTemplate       *string
-	VirtualServerTemplate *string
-	MainTemplate          *string
+	IngressTemplate         *string
+	VirtualServerTemplate   *string
+	MainTemplate            *string
+	TransportServerTemplate *string
 
 	JWTKey      string
 	JWTLoginURL string

internal/configs/configmaps.go

@@ -345,6 +345,10 @@ func ParseConfigMap(cfgm *v1.ConfigMap, nginxPlus bool, hasAppProtect bool, hasA
 		cfgParams.VirtualServerTemplate = &virtualServerTemplate
 	}
 
+	if transportServerTemplate, exists := cfgm.Data["transportserver-template"]; exists {
+		cfgParams.TransportServerTemplate = &transportServerTemplate
+	}
+
 	if mainStreamSnippets, exists := GetMapKeyAsStringSlice(cfgm.Data, "stream-snippets", cfgm, "\n"); exists {
 		cfgParams.MainStreamSnippets = mainStreamSnippets
 	}

internal/configs/configurator.go

@@ -1319,6 +1319,13 @@ func (cnf *Configurator) UpdateConfig(cfgParams *ConfigParams, resources Extende
 		}
 	}
 
+	if cfgParams.TransportServerTemplate != nil {
+		err := cnf.templateExecutorV2.UpdateTransportServerTemplate(cfgParams.TransportServerTemplate)
+		if err != nil {
+			return allWarnings, fmt.Errorf("error when parsing the TransportServer template: %w", err)
+		}
+	}
+
 	mainCfg := GenerateNginxMainConfig(cnf.staticCfgParams, cfgParams)
 	mainCfgContent, err := cnf.templateExecutor.ExecuteMainConfigTemplate(mainCfg)
 	if err != nil {

internal/configs/version1/__snapshots__/template_test.snap

@@ -130,6 +130,8 @@ daemon off;
 
 error_log  stderr ;
 pid        /var/lib/nginx/nginx.pid;
+load_module modules/ngx_http_app_protect_module.so;
+load_module modules/ngx_http_app_protect_dos_module.so;
 load_module modules/ngx_fips_check_module.so;
 
 load_module modules/ngx_http_js_module.so;
@@ -156,7 +158,20 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
+    log_format  log_dos escape=json 
+                    '$remote_addr - $remote_user [$time_local]'
+                    ' "$request" $status $body_bytes_sent '
+                    ' "$http_referer" "$http_user_agent"'
+                    ;
+    app_protect_dos_arb_fqdn arb.test.server.com;
     access_log  /dev/stdout  main;
+    app_protect_failure_mode_action pass;
+    app_protect_compressed_requests_action pass;
+    app_protect_cookie_seed ABCDEFGHIJKLMNOP;
+    app_protect_cpu_thresholds high=low=100;
+    app_protect_physical_memory_util_thresholds high=low=100;
+    app_protect_reconnect_period_seconds 10;
+    include /etc/nginx/waf/nac-usersigs/index.conf;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -251,9 +266,6 @@ stream {
 
     include /etc/nginx/stream-conf.d/*.conf;
 }
-mgmt {
-    usage_report interval=0s;
-}
 
 ---
 
@@ -293,6 +305,7 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
+    app_protect_enforcer_address enforcer.svc.local;
     access_log  /dev/stdout  main;
 
     sendfile        on;
@@ -530,6 +543,21 @@ server {
     set $resource_type "ingress";
     set $resource_name "cafe-ingress";
     set $resource_namespace "default";
+    app_protect_enable on;
+    app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm;
+    app_protect_security_log_enable on;
+    app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514;
+    app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf2;
+    
+    app_protect_dos_enable on;
+    app_protect_dos_policy_file /test/policy.json;
+    app_protect_dos_security_log_enable on;
+    app_protect_dos_security_log /test/logConf.json;
+    set $loggable '0';
+    # app-protect-dos module will set it to '1'  if a request doesn't pass the rate limit
+    access_log /var/log/dos log_dos if=$loggable;
+    app_protect_dos_monitor uri=/path/to/monitor protocol=http1 timeout=30;
+    app_protect_dos_name "testdos";
 
     
     if ($scheme = http) {
@@ -610,6 +638,21 @@ server {
     set $resource_type "ingress";
     set $resource_name "cafe-ingress";
     set $resource_namespace "default";
+    app_protect_enable on;
+    app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm;
+    app_protect_security_log_enable on;
+    app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514;
+    app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf2;
+    
+    app_protect_dos_enable on;
+    app_protect_dos_policy_file /test/policy.json;
+    app_protect_dos_security_log_enable on;
+    app_protect_dos_security_log /test/logConf.json;
+    set $loggable '0';
+    # app-protect-dos module will set it to '1'  if a request doesn't pass the rate limit
+    access_log /var/log/dos log_dos if=$loggable;
+    app_protect_dos_monitor uri=/path/to/monitor protocol=http1 timeout=30;
+    app_protect_dos_name "testdos";
 
     
     if ($scheme = http) {
@@ -2343,6 +2386,8 @@ daemon off;
 
 error_log  stderr ;
 pid        /var/lib/nginx/nginx.pid;
+load_module modules/ngx_http_app_protect_module.so;
+load_module modules/ngx_http_app_protect_dos_module.so;
 load_module modules/ngx_fips_check_module.so;
 
 load_module modules/ngx_http_js_module.so;
@@ -2369,7 +2414,20 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
+    log_format  log_dos escape=json 
+                    '$remote_addr - $remote_user [$time_local]'
+                    ' "$request" $status $body_bytes_sent '
+                    ' "$http_referer" "$http_user_agent"'
+                    ;
+    app_protect_dos_arb_fqdn arb.test.server.com;
     access_log  /dev/stdout  main;
+    app_protect_failure_mode_action pass;
+    app_protect_compressed_requests_action pass;
+    app_protect_cookie_seed ABCDEFGHIJKLMNOP;
+    app_protect_cpu_thresholds high=low=100;
+    app_protect_physical_memory_util_thresholds high=low=100;
+    app_protect_reconnect_period_seconds 10;
+    include /etc/nginx/waf/nac-usersigs/index.conf;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -2464,9 +2522,6 @@ stream {
 
     include /etc/nginx/stream-conf.d/*.conf;
 }
-mgmt {
-    usage_report interval=0s;
-}
 
 ---
 
@@ -2480,6 +2535,8 @@ daemon off;
 
 error_log  stderr ;
 pid        /var/lib/nginx/nginx.pid;
+load_module modules/ngx_http_app_protect_module.so;
+load_module modules/ngx_http_app_protect_dos_module.so;
 load_module modules/ngx_fips_check_module.so;
 
 load_module modules/ngx_http_js_module.so;
@@ -2506,7 +2563,18 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
+    log_format  log_dos ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, '
+                        'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, '
+                        'ip_tls=$remote_addr:$app_protect_dos_tls_fp, ';
+    app_protect_dos_arb_fqdn arb.test.server.com;
     access_log  /dev/stdout  main;
+    app_protect_failure_mode_action pass;
+    app_protect_compressed_requests_action pass;
+    app_protect_cookie_seed ABCDEFGHIJKLMNOP;
+    app_protect_cpu_thresholds high=low=100;
+    app_protect_physical_memory_util_thresholds high=low=100;
+    app_protect_reconnect_period_seconds 10;
+    include /etc/nginx/waf/nac-usersigs/index.conf;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -2618,6 +2686,8 @@ daemon off;
 
 error_log  stderr ;
 pid        /var/lib/nginx/nginx.pid;
+load_module modules/ngx_http_app_protect_module.so;
+load_module modules/ngx_http_app_protect_dos_module.so;
 load_module modules/ngx_fips_check_module.so;
 
 load_module modules/ngx_http_js_module.so;
@@ -2644,7 +2714,20 @@ http {
         default $upstream_trailer_grpc_status;
         '' $sent_http_grpc_status;
     }
+    log_format  log_dos escape=json 
+                    '$remote_addr - $remote_user [$time_local]'
+                    ' "$request" $status $body_bytes_sent '
+                    ' "$http_referer" "$http_user_agent"'
+                    ;
+    app_protect_dos_arb_fqdn arb.test.server.com;
     access_log  /dev/stdout  main;
+    app_protect_failure_mode_action pass;
+    app_protect_compressed_requests_action pass;
+    app_protect_cookie_seed ABCDEFGHIJKLMNOP;
+    app_protect_cpu_thresholds high=low=100;
+    app_protect_physical_memory_util_thresholds high=low=100;
+    app_protect_reconnect_period_seconds 10;
+    include /etc/nginx/waf/nac-usersigs/index.conf;
 
     sendfile        on;
     #tcp_nopush     on;
@@ -2739,9 +2822,6 @@ stream {
 
     include /etc/nginx/stream-conf.d/*.conf;
 }
-mgmt {
-    usage_report interval=0s;
-}
 
 ---
 

internal/configs/version1/nginx-plus.tmpl

@@ -75,7 +75,7 @@ http {
                     {{range $i, $value := .AppProtectDosLogFormat -}}
                     {{with $value}}'{{if $i}} {{end}}{{$value}}'
                     {{end}}{{end}};
-    {{- else -}}
+    {{- else }}
     log_format  log_dos ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, '
                         'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, '
                         'ip_tls=$remote_addr:$app_protect_dos_tls_fp, ';