Merge branch 'main' into mrajagopal-issue-4837

Signed-off-by: Madhu Rajagopal <[email protected]>
nginxinc · Jun 17, 2024 · 2a273f8 · 2a273f8
2 parents 61f3a2c + 8752533
commit 2a273f8
Show file tree

Hide file tree

Showing 169 changed files with 6,065 additions and 2,877 deletions.
diff --git a/.github/actions/install-skopeo/action.yml b/.github/actions/install-skopeo/action.yml
diff --git a/.github/actions/smoke-tests/action.yaml b/.github/actions/smoke-tests/action.yaml
@@ -62,6 +62,8 @@ runs:
         --name test-runner-${{ github.run_id }} \
         --network=kind \
         -v ${{ github.workspace }}/tests:/workspace/tests \
+        -v ${{ github.workspace }}/deployments:/workspace/deployments \
+        -v ${{ github.workspace }}/config:/workspace/config \
         -v ~/.kube/kind/config:/root/.kube/config ${{ inputs.test-image }} \
         --context=kind-${{ github.run_id }} \
         --image=${{ inputs.image-name }}:${{ inputs.tag }} \

diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
@@ -1,6 +1,7 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl" "-ubi-mktpl")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")

diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx
@@ -2,6 +2,7 @@ export TARGET_REGISTRY=docker-mgmt.nginx.com
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")

diff --git a/.github/data/matrix-regression.json b/.github/data/matrix-regression.json
@@ -5,12 +5,14 @@
       "label": "regression",
       "image": "debian",
       "type": "oss",
+      "marker": "'not upgrade'",
       "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
     },
     {
       "label": "regression",
       "image": "debian-plus",
       "type": "plus",
+      "marker": "'not upgrade'",
       "platforms": "linux/arm64, linux/amd64"
     }
   ]

diff --git a/.github/scripts/copy-images.sh b/.github/scripts/copy-images.sh
@@ -2,6 +2,14 @@
 
 set -eo pipefail
 
+# shellcheck disable=SC2155
+export ROOTDIR=$(git rev-parse --show-toplevel || echo ".")
+
+SKOPEO_BIN=skopeo
+if [ -n "$CI" ]; then
+    SKOPEO_BIN="docker run --rm -v $HOME/.docker/config.json:/tmp/auth.json $(grep skopeo "${ROOTDIR}/tests/Dockerfile" | grep FROM | cut -d ' ' -f 2)"
+fi
+
 ## Setup inputs
 
 SOURCE_TAG=${SOURCE_TAG:-stable}
@@ -28,17 +36,20 @@ TARGET_OSS_IMAGE_PREFIX=${TARGET_OSS_IMAGE_PREFIX:-"nginx-ic/nginx-ingress"}
 
 SOURCE_PLUS_IMAGE_PREFIX=${SOURCE_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
 SOURCE_NAP_WAF_IMAGE_PREFIX=${SOURCE_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
+SOURCE_NAP_WAFV5_IMAGE_PREFIX=${SOURCE_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap-v5/nginx-plus-ingress"}
 SOURCE_NAP_DOS_IMAGE_PREFIX=${SOURCE_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
 SOURCE_NAP_WAF_DOS_IMAGE_PREFIX=${SOURCE_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
 
 TARGET_PLUS_IMAGE_PREFIX=${TARGET_PLUS_IMAGE_PREFIX:-"nginx-ic/nginx-plus-ingress"}
 TARGET_NAP_WAF_IMAGE_PREFIX=${TARGET_NAP_WAF_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
+TARGET_NAP_WAFV5_IMAGE_PREFIX=${TARGET_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap/nginx-plus-ingress"}
 TARGET_NAP_DOS_IMAGE_PREFIX=${TARGET_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
 TARGET_NAP_WAF_DOS_IMAGE_PREFIX=${TARGET_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
 
 declare -a OSS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine")
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
@@ -83,7 +94,7 @@ if $PUBLISH_OSS; then
         new_tag=${TARGET_REGISTRY}/${TARGET_OSS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
         echo "  Pushing image OSS ${new_tag}..."
         if ! $DRY_RUN; then
-            skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+            ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
         fi
         for tag in "${ADDITIONAL_TAGS[@]}"; do
             if [ -z "${tag}" ]; then
@@ -92,7 +103,7 @@ if $PUBLISH_OSS; then
             additional_tag=${TARGET_REGISTRY}/${TARGET_OSS_IMAGE_PREFIX}:${tag}${postfix}
             echo "  Pushing image OSS ${additional_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
             fi
         done
     done
@@ -105,12 +116,12 @@ if $PUBLISH_PLUS; then
         image=${SOURCE_REGISTRY}/${SOURCE_PLUS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
         echo "Processing image ${image}"
         new_tag=${TARGET_REGISTRY}/${TARGET_PLUS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
-        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
             echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
         else
             echo "  Pushing image Plus ${new_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
             fi
             for tag in "${ADDITIONAL_TAGS[@]}"; do
                 if [ -z "${tag}" ]; then
@@ -119,7 +130,7 @@ if $PUBLISH_PLUS; then
                 additional_tag=${TARGET_REGISTRY}/${TARGET_PLUS_IMAGE_PREFIX}:${tag}${postfix}
                 echo "  Pushing image Plus ${additional_tag}..."
                 if ! $DRY_RUN; then
-                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
                 fi
             done
         fi
@@ -133,12 +144,12 @@ if $PUBLISH_WAF; then
         image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAF_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
         echo "Processing image ${image}"
         new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
-        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
             echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
         else
             echo "  Pushing image NAP WAF ${new_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
             fi
             for tag in "${ADDITIONAL_TAGS[@]}"; do
                 if [ -z "${tag}" ]; then
@@ -147,7 +158,30 @@ if $PUBLISH_WAF; then
                 additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_IMAGE_PREFIX}:${tag}${postfix}
                 echo "  Pushing image NAP WAF ${additional_tag}..."
                 if ! $DRY_RUN; then
-                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                fi
+            done
+        fi
+    done
+    for postfix in "${NAP_WAFV5_TAG_POSTFIX_LIST[@]}"; do
+        image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAFV5_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
+        echo "Processing image ${image}"
+        new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAFV5_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+            echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
+        else
+            echo "  Pushing image NAP WAFV5 ${new_tag}..."
+            if ! $DRY_RUN; then
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+            fi
+            for tag in "${ADDITIONAL_TAGS[@]}"; do
+                if [ -z "${tag}" ]; then
+                    continue
+                fi
+                additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAFV5_IMAGE_PREFIX}:${tag}${postfix}
+                echo "  Pushing image NAP WAFV5 ${additional_tag}..."
+                if ! $DRY_RUN; then
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
                 fi
             done
         fi
@@ -161,12 +195,12 @@ if $PUBLISH_DOS; then
         image=${SOURCE_REGISTRY}/${SOURCE_NAP_DOS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
         echo "Processing image ${image}"
         new_tag=${TARGET_REGISTRY}/${TARGET_NAP_DOS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
-        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
             echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
         else
             echo "  Pushing image NAP DOS ${new_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
             fi
             for tag in "${ADDITIONAL_TAGS[@]}"; do
                 if [ -z "${tag}" ]; then
@@ -175,7 +209,7 @@ if $PUBLISH_DOS; then
                 additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_DOS_IMAGE_PREFIX}:${tag}${postfix}
                 echo "  Pushing image NAP DOS ${additional_tag}..."
                 if ! $DRY_RUN; then
-                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
                 fi
             done
         fi
@@ -189,12 +223,12 @@ if $PUBLISH_WAF_DOS; then
         image=${SOURCE_REGISTRY}/${SOURCE_NAP_WAF_DOS_IMAGE_PREFIX}:${SOURCE_TAG}${postfix}
         echo "Processing image ${image}"
         new_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_DOS_IMAGE_PREFIX}:${TARGET_TAG}${postfix}
-        if $IS_IMMUTABLE && skopeo --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
+        if $IS_IMMUTABLE && ${SKOPEO_BIN} --override-os linux --override-arch amd64 inspect docker://${new_tag} > /dev/null 2>&1; then
             echo "  ECR is immutable & tag ${new_tag} already exists, skipping."
         else
             echo "  Pushing image NAP WAF/DOS ${new_tag}..."
             if ! $DRY_RUN; then
-                skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
+                ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${new_tag}
             fi
             for tag in "${ADDITIONAL_TAGS[@]}"; do
                 if [ -z "${tag}" ]; then
@@ -203,7 +237,7 @@ if $PUBLISH_WAF_DOS; then
                 additional_tag=${TARGET_REGISTRY}/${TARGET_NAP_WAF_DOS_IMAGE_PREFIX}:${tag}${postfix}
                 echo "  Pushing image NAP WAF/DOS ${additional_tag}..."
                 if ! $DRY_RUN; then
-                    skopeo copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
+                    ${SKOPEO_BIN} copy --retry-times 5 ${ARCH_OPTS} ${SOURCE_OPTS} ${TARGET_OPTS} docker://${image} docker://${additional_tag}
                 fi
             done
         fi

diff --git a/.github/scripts/create-release-tarballs.sh b/.github/scripts/create-release-tarballs.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+set -e
+
+directory=$1
+version=$2
+tarball_dir=${TARBALL_DIR:-tarballs}
+releases=$(find "${directory}" -mindepth 1 -type d)
+syft_binary=${SYFT_BIN:-"syft"}
+cosign_binary=${COSIGN_BIN:-"cosign"}
+
+if [ ! -d "${tarball_dir}" ]; then
+    mkdir "${tarball_dir}"
+fi
+
+for i in ${releases}; do
+    # fix for v1 in kubernetes-ingress_linux_amd64_v1
+    if [[ ${i} =~ v1 ]]; then
+        mv "${i}" "${i%*_v1}"
+        i=${i%*_v1}
+    fi
+
+    if [[ ${i} =~ aws ]]; then
+        continue
+    fi
+    product_name=$(basename "${i}" | cut -d '_' -f 1)
+    product_arch=$(echo "${i}" | cut -d '_' -f 2-)
+    product_release="${product_name}_${version}_${product_arch}"
+    # shellcheck disable=SC2086
+    tarball_name="${tarball_dir}/${product_release}.tar.gz"
+    cp -r "${i}" "${directory}/${product_release}"
+    cp README.md LICENSE CHANGELOG.md "${directory}/${product_release}"
+
+    tar -czf "${tarball_name}" "${directory}/${product_release}"
+    ${syft_binary} scan file:"${directory}/${product_release}/nginx-ingress" -o spdx-json > "${tarball_name}.spdx.json"
+    pushd "${tarball_dir}"
+    sha256sum "${product_release}.tar.gz" >> "${product_name}_${version}_checksums.txt"
+    sha256sum "${product_release}.tar.gz.spdx.json" >> "${product_name}_${version}_checksums.txt"
+    popd
+done
+
+checksum_file=$(ls "${tarball_dir}"/*_checksums.txt )
+${cosign_binary} sign-blob "${checksum_file}" --output-signature="${checksum_file}.sig" --output-certificate="${checksum_file}.pem" -y
diff --git a/.github/scripts/docker-updater.sh b/.github/scripts/docker-updater.sh
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+
+SCRIPT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd -P)"
+DOCKER_FILE=${SCRIPT_ROOT}/build/Dockerfile
+exclude_strings=""
+
+# Parse command line arguments
+while [[ $# -gt 0 ]]; do
+    key="$1"
+    case $key in
+        --exclude)
+            exclude_strings="$2"
+            shift
+            shift
+            ;;
+        *)
+            DOCKER_FILE="$1"
+            shift
+            ;;
+    esac
+done
+
+# Check if the file exists
+if [ ! -f "$DOCKER_FILE" ]; then
+    echo "File $DOCKER_FILE does not exist."
+    exit 1
+fi
+
+function contains_excluded() {
+    local line="$1"
+    local exclude="$2"
+    local IFS=','
+    local excluded=($exclude)
+    for word in "${excluded[@]}"; do
+        if [[ "$line" == *"$word"* ]]; then
+            return 0
+        fi
+    done
+    return 1
+}
+
+function check_sha() {
+    image_sha="$1"
+    image=$(echo "$image_sha" | cut -d '@' -f1)
+    tag_sha=$(echo "$image_sha" | cut -d '@' -f2)
+
+    docker pull -q "$image" > /dev/null
+    latest_digest=$(docker inspect --format='{{index .RepoDigests 0}}' "$image")
+    latest_sha=$(echo "$latest_digest" | cut -d '@' -f2)
+
+    if [ "$tag_sha" = "$latest_sha" ]; then
+        echo "The provided SHA256 hash is the latest for $image"
+    else
+        echo "> A newer version of $image is available:"
+        echo "> - $image@$tag_sha"
+        echo "> + $image@$latest_sha"
+        echo "> updating $DOCKER_FILE"
+        sed -i -e "s/$tag_sha/$latest_sha/g" "$DOCKER_FILE"
+    fi
+}
+if [ -n "$exclude_strings" ]; then
+    echo "excluding images containing one of: '$exclude_strings'"
+fi
+while IFS= read -r line; do
+    if [[ $line =~ ^FROM\ (.+@.+) ]]; then
+        image=$(echo "${BASH_REMATCH[1]}" | awk '{print $1}')
+        if [ -n "$exclude_strings" ] && contains_excluded "$line" "$exclude_strings"; then
+            echo "Skipping $image"
+            continue
+        fi
+        check_sha "$image"
+    fi
+done < "$DOCKER_FILE"