Merge branch 'nginxinc:main' into test/add-runtime-manager-tests

Author: miledxz

.github/workflows/build.yml

@@ -87,7 +87,7 @@ jobs:
           images: |
             name=ghcr.io/nginxinc/nginx-gateway-fabric,enable=${{ inputs.image == 'ngf' && github.event_name != 'pull_request' }}
             name=ghcr.io/nginxinc/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
-            name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'nginx-plus' && github.event_name != 'pull_request' }}
+            name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
             name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}
           flavor: |
             latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
@@ -100,13 +100,21 @@ jobs:
           labels: |
             org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
             org.opencontainers.image.vendor=NGINX Inc <[email protected]>
+          annotations: |
+            org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
+            org.opencontainers.image.vendor=NGINX Inc <[email protected]>
+            io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginxinc/nginx-gateway-fabric/main/README.md
+            io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-gateway-fabric/images/icons/NGINX-product-icon.svg
+            io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"[email protected]"}]
+            io.artifacthub.package.license=Apache-2.0
+            io.artifacthub.package.keywords=kubernetes,gateway,nginx
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
       - name: Build Docker Image
         uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
-          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'nginx-plus' && '.nginxplus' || '' }}
+          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
           context: "."
           target: ${{ inputs.image == 'ngf' && 'goreleaser' || '' }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -119,7 +127,7 @@ jobs:
           pull: true
           no-cache: ${{ github.event_name != 'pull_request' }}
           sbom: true
-          provenance: true
+          provenance: mode=max
           build-args: |
             NJS_DIR=internal/mode/static/nginx/modules/src
             NGINX_CONF_DIR=internal/mode/static/nginx/conf
@@ -128,9 +136,10 @@ jobs:
             ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
             ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
 
-      - name: Inspect SBOM
+      - name: Inspect SBOM and output manifest
         run: |
           docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom-${{ inputs.image }}.json
+          docker buildx imagetools inspect localhost:5000/nginx-gateway-fabric/${{ inputs.image }}:${{ steps.meta.outputs.version }} --raw
 
       - name: Scan SBOM
         id: scan
@@ -145,11 +154,15 @@ jobs:
         continue-on-error: true
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+        if: always()
 
       - name: Upload Scan Results
         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         continue-on-error: true
         with:
-          name: scan-results-${{ inputs.image }}.sarif
-          path: ${{ steps.scan.outputs.sarif }}
+          name: scan-results-${{ inputs.image }}
+          path: |
+            ${{ steps.scan.outputs.sarif }}
+            *.json
+            !sbom-plus.json
         if: always()

.github/workflows/ci.yml

@@ -108,7 +108,7 @@ jobs:
           go-version: stable
 
       - name: Create/Update Draft
-        uses: lucacome/draft-release@52f02d1a69b61568e54ab5cf86ce91503bac4066 # v1.0.2
+        uses: lucacome/draft-release@a98777f0bae0a6815cc1df77ebe48ca70e7cb970 # v1.0.3
         with:
           minor-label: "enhancement"
           major-label: "change"
@@ -246,7 +246,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        image: [ngf, nginx, nginx-plus]
+        image: [ngf, nginx, plus]
         platforms: ["linux/arm64, linux/amd64"]
     uses: ./.github/workflows/build.yml
     with:

.github/workflows/lint.yml

@@ -27,7 +27,7 @@ jobs:
           go-version: stable
 
       - name: Lint Code
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
+        uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0
         with:
           args: --timeout 10m0s
 

.pre-commit-config.yaml

@@ -36,7 +36,7 @@ repos:
           - javascript
 
   - repo: https://github.com/golangci/golangci-lint
-    rev: v1.55.2
+    rev: v1.56.1
     hooks:
       - id: golangci-lint-full
 
@@ -50,7 +50,7 @@ repos:
   # Rules are in .yamllint.yaml file
   # See https://yamllint.readthedocs.io/en/stable/rules.html# for rule descriptions
   - repo: https://github.com/adrienverge/yamllint.git
-    rev: v1.33.0
+    rev: v1.34.0
     hooks:
       - id: yamllint
 

Makefile

@@ -81,14 +81,18 @@ generate-crds: ## Generate CRDs and Go types using kubebuilder
 	go run sigs.k8s.io/controller-tools/cmd/controller-gen object paths=./apis/...
 
 .PHONY: generate-manifests
-generate-manifests: ## Generate manifests using Helm.
+generate-manifests: generate-manifests-plus ## Generate manifests using Helm.
 	cp $(CHART_DIR)/crds/* $(MANIFEST_DIR)/crds/
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-gateway.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set metrics.enable=false -n nginx-gateway -s templates/deployment.yaml > conformance/provisioner/static-deployment.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.annotations.'service\.beta\.kubernetes\.io\/aws-load-balancer-type'="nlb" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/loadbalancer-aws-nlb.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) --set service.type=NodePort --set service.externalTrafficPolicy="" -n nginx-gateway -s templates/service.yaml > $(strip $(MANIFEST_DIR))/service/nodeport.yaml
 
+.PHONY: generate-manifests-plus
+generate-manifests-plus: ## Generate manifests using Helm for NGINX Plus.
+	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-plus-gateway.yaml
+
 .PHONY: crds-release-file
 crds-release-file: ## Generate combined crds file for releases
 	scripts/combine-crds.sh

README.md

@@ -18,7 +18,7 @@ Learn about our [design principles](/docs/developer/design-principles.md) and [a
 
 1. [Quick Start on a kind cluster](https://docs.nginx.com/nginx-gateway-fabric/installation/running-on-kind/).
 2. [Install](https://docs.nginx.com/nginx-gateway-fabric/installation/) NGINX Gateway Fabric.
-3. [Build](https://docs.nginx.com/nginx-gateway-fabric/installation/building-the-images/) an NGINX Gateway Fabric container image from source or use a pre-built image
+3. [Build](https://docs.nginx.com/nginx-gateway-fabric/installation/ngf-images/building-the-images/) an NGINX Gateway Fabric container image from source or use a pre-built image
    available
    on [GitHub Container Registry](https://github.com/nginxinc/nginx-gateway-fabric/pkgs/container/nginx-gateway-fabric).
 4. Deploy various [examples](examples).

build/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.6
-FROM golang:1.21 as builder
+FROM golang:1.22 as builder
 
 WORKDIR /go/src/github.com/nginxinc/nginx-gateway-fabric
 

build/Dockerfile.nginx

@@ -5,10 +5,12 @@ ARG NJS_DIR
 ARG NGINX_CONF_DIR
 ARG BUILD_AGENT
 
-RUN apk update && apk upgrade && apk add --no-cache libcap \
+RUN apk add --no-cache libcap \
     && mkdir -p /var/lib/nginx /usr/lib/nginx/modules \
     && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
     && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    # Update packages for CVE-2023-52425
+    && apk --no-cache upgrade libexpat \
     && apk del libcap
 
 COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js

cmd/gateway/commands.go

@@ -33,7 +33,7 @@ func createRootCommand() *cobra.Command {
 		Use:           "gateway",
 		SilenceUsage:  true,
 		SilenceErrors: true,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			return cmd.Help()
 		},
 	}
@@ -100,7 +100,7 @@ func createStaticModeCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "static-mode",
 		Short: "Configure NGINX in the scope of a single Gateway resource",
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			atom := zap.NewAtomicLevel()
 
 			logger := ctlrZap.New(ctlrZap.Level(atom))
@@ -153,6 +153,7 @@ func createStaticModeCommand() *cobra.Command {
 					PodIP:       podIP,
 					ServiceName: serviceName.value,
 					Namespace:   namespace,
+					Name:        podName,
 				},
 				HealthConfig: config.HealthConfig{
 					Enabled: !disableHealth,
@@ -301,7 +302,7 @@ func createProvisionerModeCommand() *cobra.Command {
 		Use:    "provisioner-mode",
 		Short:  "Provision a static-mode NGINX Gateway Fabric Deployment per Gateway resource",
 		Hidden: true,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(_ *cobra.Command, _ []string) error {
 			logger := ctlrZap.New()
 			logger.Info(
 				"Starting NGINX Gateway Fabric Provisioner",
@@ -348,7 +349,7 @@ func createSleepCommand() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "sleep",
 		Short: "Sleep for specified duration and exit",
-		Run: func(cmd *cobra.Command, args []string) {
+		Run: func(_ *cobra.Command, _ []string) {
 			// It is expected that this command is run from lifecycle hook.
 			// Because logs from hooks are not visible in the container logs, we don't log here at all.
 			time.Sleep(duration)

cmd/gateway/commands_test.go

@@ -22,7 +22,7 @@ func testFlag(t *testing.T, cmd *cobra.Command, test flagTestCase) {
 	cmd.SetErr(io.Discard)
 
 	// override RunE to avoid executing the command
-	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+	cmd.RunE = func(_ *cobra.Command, _ []string) error {
 		return nil
 	}
 

conformance/tests/Dockerfile

@@ -2,7 +2,7 @@
 # this is here so we can grab the latest version of kind and have dependabot keep it up to date
 FROM kindest/node:v1.29.1
 
-FROM golang:1.21
+FROM golang:1.22
 
 WORKDIR /go/src/github.com/nginxinc/nginx-gateway-fabric/conformance/tests/
 

deploy/helm-chart/templates/rbac.yaml

@@ -7,6 +7,17 @@ metadata:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
     {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+  {{- if or .Values.serviceAccount.imagePullSecret .Values.serviceAccount.imagePullSecrets }}
+  imagePullSecrets:
+    {{- if .Values.serviceAccount.imagePullSecret }}
+    - name: {{ .Values.serviceAccount.imagePullSecret}}
+    {{- end }}
+    {{- if .Values.serviceAccount.imagePullSecrets }}
+    {{- range .Values.serviceAccount.imagePullSecrets }}
+    - name: {{ . }}
+    {{- end }}
+    {{- end }}
+  {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -21,19 +32,36 @@ rules:
   - namespaces
   - services
   - secrets
-  # FIXME(bjee19): make nodes permission dependent on telemetry being enabled.
-  # https://github.com/nginxinc/nginx-gateway-fabric/issues/1317.
-  - nodes
   verbs:
   - list
   - watch
+# FIXME(bjee19): make nodes, pods, replicasets permission dependent on telemetry being enabled.
+# https://github.com/nginxinc/nginx-gateway-fabric/issues/1317.
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
 - apiGroups:
   - ""
   resources:
   - events
   verbs:
   - create
   - patch
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
 - apiGroups:
   - discovery.k8s.io
   resources:

deploy/helm-chart/values.yaml

@@ -85,6 +85,14 @@ serviceAccount:
   ## Autogenerated if not set or set to "".
   # name: nginx-gateway
 
+  ## The name of the secret containing docker registry credentials.
+  ## Secret must exist in the same namespace as the helm release.
+  imagePullSecret: ""
+
+  ## A list of secret names containing docker registry credentials.
+  ## Secrets must exist in the same namespace as the helm release.
+  imagePullSecrets: []
+
 service:
   ## Creates a service to expose the NGINX Gateway Fabric pods.
   create: true

deploy/manifests/nginx-gateway.yaml

@@ -32,19 +32,36 @@ rules:
   - namespaces
   - services
   - secrets
-  # FIXME(bjee19): make nodes permission dependent on telemetry being enabled.
-  # https://github.com/nginxinc/nginx-gateway-fabric/issues/1317.
-  - nodes
   verbs:
   - list
   - watch
+# FIXME(bjee19): make nodes, pods, replicasets permission dependent on telemetry being enabled.
+# https://github.com/nginxinc/nginx-gateway-fabric/issues/1317.
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
 - apiGroups:
   - ""
   resources:
   - events
   verbs:
   - create
   - patch
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
 - apiGroups:
   - discovery.k8s.io
   resources: