diff --git a/.github/actions/smoke-tests/action.yaml b/.github/actions/smoke-tests/action.yaml index e0a02ca534..9c0a8ddc27 100644 --- a/.github/actions/smoke-tests/action.yaml +++ b/.github/actions/smoke-tests/action.yaml @@ -25,6 +25,9 @@ inputs: marker: description: Marker to use required: false + label: + description: Label for test + required: false azure-ad-secret: description: Azure Active Directory secret for JWKs required: false @@ -32,7 +35,10 @@ inputs: outputs: test-results-name: description: Test results name - value: tests-${{ steps.k8s.outputs.cluster }} + value: ${{ steps.k8s.outputs.test_name }} + test-results-path: + description: Test results full path + value: ${{ steps.k8s.outputs.test_output_path }} runs: using: composite 
@@ -42,12 +48,20 @@ runs: run: | make -f tests/Makefile create-kind-cluster K8S_CLUSTER_NAME=${{ github.run_id }} K8S_CLUSTER_VERSION=${{ inputs.k8s-version }} K8S_TIMEOUT=${{ inputs.k8s-timeout }} make -f tests/Makefile image-load REGISTRY="" PREFIX=${{ inputs.image-name }} TAG=${{ inputs.tag }} K8S_CLUSTER_NAME=${{ github.run_id }} - marker="${{ inputs.marker }}" - nospaces="${marker// /_}" - sanitized_marker="${nospaces//\'/}" - name="${sanitized_marker:-${{ inputs.k8s-version }}}" - echo "cluster_ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${{ github.run_id }}-control-plane)" >> $GITHUB_OUTPUT - echo "cluster=$(echo nginx-${{ inputs.image-type }}-$name)" >> $GITHUB_OUTPUT + label="${{ inputs.label }}" + nospaces="${label// /_}" + noslash="${nospaces//\//_}" + sanitized_marker="${noslash//\'/}" + name="${sanitized_marker}-${{ inputs.k8s-version }}" + cluster_ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${{ github.run_id }}-control-plane) + test_name=tests-nginx-${{ inputs.image-type }}-${name}.html + test_output_path=${{ github.workspace }}/tests/${test_name} + echo "cluster_ip=${cluster_ip}" >> $GITHUB_OUTPUT + echo "test_name=${test_name}" >> $GITHUB_OUTPUT + echo "test_output_path=${test_output_path}" >> $GITHUB_OUTPUT + echo "Output:" + echo " cluster_ip=${cluster_ip}" + echo " test_output_path=${test_output_path}" shell: bash - name: Setup Kubeconfig 
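Review bot: `label="${{ inputs.label }}"` pastes the input into the script text before bash runs, so the `${label// /_}`, `${nospaces//\//_}` and quote-stripping steps only clean the value after any `"`, backtick or `$(…)` in it has already been interpreted. Pass it through the step environment instead (`env:` with `LABEL: ${{ inputs.label }}`, then `label="${LABEL}"`) so the value is treated as data rather than script. The derived `test_output_path` is also expanded unquoted in the next hunk (`touch ${{ steps.k8s.outputs.test_output_path }}` and the `-v …:…` mount) and should be quoted for the same reason. Because `label` is `required: false`, an empty value gives a name that starts with `-`; a fallback such as `${sanitized_marker:-<default-label>}` would keep the file name well formed.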
@@ -56,21 +70,23 @@ runs: shell: bash - name: Run Smoke Tests + id: smoke-tests run: | - touch tests-${{ steps.k8s.outputs.cluster }}.html + touch ${{ steps.k8s.outputs.test_output_path }} docker run --rm \ --name test-runner-${{ github.run_id }} \ --network=kind \ -v ${{ github.workspace }}/tests:/workspace/tests \ -v ${{ github.workspace }}/deployments:/workspace/deployments \ -v ${{ github.workspace }}/config:/workspace/config \ + -v ${{ steps.k8s.outputs.test_output_path }}:${{ steps.k8s.outputs.test_output_path }} \ -v ~/.kube/kind/config:/root/.kube/config ${{ inputs.test-image }} \ --context=kind-${{ github.run_id }} \ --image=${{ inputs.image-name }}:${{ inputs.tag }} \ --image-pull-policy=Never \ --ic-type=nginx${{ contains(inputs.image-type, 'plus') && '-plus' || '' }}-ingress \ --service=nodeport --node-ip=${{ steps.k8s.outputs.cluster_ip }} \ - --html=tests-${{ steps.k8s.outputs.cluster }}.html \ + --html=${{ steps.k8s.outputs.test_output_path }} \ --self-contained-html \ --durations=10 \ --show-ic-logs=yes \ diff --git a/.github/data/matrix-images-nap.json b/.github/data/matrix-images-nap.json new file mode 100644 index 0000000000..47da890cd9 --- /dev/null +++ b/.github/data/matrix-images-nap.json 
@@ -0,0 +1,85 @@
+{
+ "image": [
+ "debian-plus-nap"
+ ],
+ "platforms": [
+ "linux/amd64"
+ ],
+ "target": [
+ "goreleaser",
+ "aws"
+ ],
+ "nap_modules": [
+ "dos",
+ "waf",
+ "waf,dos"
+ ],
+ "include": [
+ {
+ "image": "ubi-9-plus-nap",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
+ {
+ "image": "ubi-8-plus-nap",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "dos"
+ },
+ {
+ "image": "ubi-8-plus-nap",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf,dos"
+ },
+ {
+ "image": "ubi-9-plus-nap",
+ "target": "aws",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
+ {
+ "image": "ubi-8-plus-nap",
+ "target": "aws",
+ "platforms": "linux/amd64",
+ "nap_modules": "dos"
+ },
+ {
+ "image": "ubi-8-plus-nap",
+ "target": "aws",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf,dos"
+ },
+ {
+ "image": "alpine-plus-nap-fips",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
+ {
+ "image": "alpine-plus-nap-v5-fips",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
+ {
+ "image": "debian-plus-nap-v5",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
+ {
+ "image": "ubi-9-plus-nap-v5",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ },
+ {
+ "image": "ubi-8-plus-nap-v5",
+ "target": "goreleaser",
+ "platforms": "linux/amd64",
+ "nap_modules": "waf"
+ }
+ ]
+}
diff --git a/.github/data/matrix-images-oss.json b/.github/data/matrix-images-oss.json
new file mode 100644
index 0000000000..237c3014fb
--- /dev/null
+++ b/.github/data/matrix-images-oss.json
@@ -0,0 +1,15 @@
+{
+ "image": [
+ "debian",
+ "alpine"
+ ],
+ "platforms": [
+ "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ ],
+ "include": [
+ {
+ "image": "ubi",
+ "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+ }
+ ]
+}
diff --git a/.github/data/matrix-images-plus.json b/.github/data/matrix-images-plus.json
new file mode 100644
index 0000000000..f9f02f865d
--- /dev/null
+++ b/.github/data/matrix-images-plus.json
@@ -0,0 +1,21 @@
+{
+ "image": [
+ "debian-plus",
+ "alpine-plus",
+ "alpine-plus-fips"
+ ],
+ "platforms": [
+ "linux/arm64, linux/amd64"
+ ],
+ "target": [
+ "goreleaser",
+ "aws"
+ ],
+ "include": [
+ {
+ "image": "ubi-plus",
+ "platforms": "linux/arm64, linux/amd64, linux/s390x",
+ "target": "goreleaser"
+ }
+ ]
+}
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
new file mode 100644
index 0000000000..26b70227a1
--- /dev/null
+++ b/.github/data/matrix-smoke-nap.json
@@ -0,0 +1,53 @@
+{
+ "images": [
+ {
+ "label": "AP_WAF 1/4",
+ "image": "ubi-9-plus-nap",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "appprotect_waf_policies_allow",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_WAF 2/4",
+ "image": "alpine-plus-nap-fips",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow'",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_WAF 3/4",
+ "image": "debian-plus-nap",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "appprotect_waf_policies_grpc",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_WAF 4/4",
+ "image": "debian-plus-nap",
+ "type": "plus",
+ "nap_modules": "waf",
+ "marker": "'appprotect_watch or appprotect_batch or appprotect_integration'",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_DOS",
+ "image": "debian-plus-nap",
+ "type": "plus",
+ "nap_modules": "dos",
+ "marker": "'dos and not dos_learning'",
+ "platforms": "linux/amd64"
+ },
+ {
+ "label": "AP_DOS_Learning",
+ "image": "ubi-8-plus-nap",
+ "type": "plus",
+ "nap_modules": "dos",
+ "marker": "dos_learning",
+ "platforms": "linux/amd64"
+ }
+ ],
+ "k8s": []
+}
diff --git a/.github/data/matrix-smoke-oss.json b/.github/data/matrix-smoke-oss.json
new file mode 100644
index 0000000000..a6965bfedd
--- /dev/null
+++ b/.github/data/matrix-smoke-oss.json
@@ -0,0 +1,68 @@ +{ + "images": [ + { + "label": "ingresses 1/2", + "image": "debian", + "type": "oss", + "marker": "'ingresses and not annotations and not basic_auth and not hsts and not watch_namespace and not wildcard_tls'", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "label": "ingresses 2/2", + "image": "debian", + "type": "oss", + "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "label": "VSR", + "image": "alpine", + "type": "oss", + "marker": "vsr", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "label": "policies 1/2", + "image": "alpine", + "type": "oss", + "marker": "'policies and not policies_rl and not policies_ac and not policies_jwt and not policies_mtls'", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "label": "policies 2/2", + "image": "alpine", + "type": "oss", + "marker": "'policies_rl or policies_ac or policies_jwt or policies_mtls'", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "label": "VS 1/3", + "image": "debian", + "type": "oss", + "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "label": "VS 2/3", + "image": "debian", + "type": "oss", + "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + { + "label": "VS 3/3", + "image": "debian", + "type": "oss", + "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'", + "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + }, + 
{ + "label": "TS", + "image": "ubi", + "type": "oss", + "marker": "ts", + "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + } + ], + "k8s": [] +} diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json new file mode 100644 index 0000000000..228a92b1cc --- /dev/null +++ b/.github/data/matrix-smoke-plus.json 
@@ -0,0 +1,68 @@ +{ + "images": [ + { + "label": "VS 1/3", + "image": "debian-plus", + "type": "plus", + "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'", + "platforms": "linux/arm64, linux/amd64" + }, + { + "label": "VS 2/3", + "image": "debian-plus", + "type": "plus", + "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'", + "platforms": "linux/arm64, linux/amd64" + }, + { + "label": "VS 3/3", + "image": "debian-plus", + "type": "plus", + "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'", + "platforms": "linux/arm64, linux/amd64" + }, + { + "label": "TS", + "image": "debian-plus", + "type": "plus", + "marker": "ts", + "platforms": "linux/arm64, linux/amd64" + }, + { + "label": "ingresses 1/2", + "image": "alpine-plus", + "type": "plus", + "marker": "'ingresses and not annotations and not basic_auth and not hsts and not watch_namespace and not wildcard_tls'", + "platforms": "linux/arm64, linux/amd64" + }, + { + "label": "ingresses 2/2", + "image": "alpine-plus", + "type": "plus", + "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'", + "platforms": "linux/arm64, linux/amd64" + }, + { + "label": "VSR", + "image": "alpine-plus", + "type": "plus", + "marker": "vsr", + "platforms": "linux/arm64, linux/amd64" + }, + { + "label": "policies 1/2", + "image": "ubi-plus", + "type": "plus", + "marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls'", + "platforms": "linux/arm64, linux/amd64, linux/s390x" + }, + { + "label": "policies 2/2", + "image": "ubi-plus", + "type": "plus", + "marker": "'policies_ac or policies_jwt or policies_mtls'", + "platforms": "linux/arm64, linux/amd64, linux/s390x" + } + ], + "k8s": [] +} diff --git a/.github/data/matrix-smoke.json b/.github/data/matrix-smoke.json deleted file mode 100644 index 332475089b..0000000000 
--- a/.github/data/matrix-smoke.json +++ /dev/null 
@@ -1,179 +0,0 @@ -{ - "images": [ - { - "label": "ingresses 1/2", - "image": "debian", - "type": "oss", - "marker": "'ingresses and not annotations and not basic_auth and not hsts and not watch_namespace and not wildcard_tls'", - "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, - { - "label": "ingresses 2/2", - "image": "debian", - "type": "oss", - "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'", - "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, - { - "label": "VSR", - "image": "alpine", - "type": "oss", - "marker": "vsr", - "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, - { - "label": "policies 1/2", - "image": "alpine", - "type": "oss", - "marker": "'policies and not policies_rl and not policies_ac and not policies_jwt and not policies_mtls'", - "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, - { - "label": "policies 2/2", - "image": "alpine", - "type": "oss", - "marker": "'policies_rl or policies_ac or policies_jwt or policies_mtls'", - "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, - { - "label": "VS 1/3", - "image": "debian", - "type": "oss", - "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'", - "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, - { - "label": "VS 2/3", - "image": "debian", - "type": "oss", - "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'", - "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, - { - "label": "VS 3/3", - "image": "debian", - "type": "oss", - "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'", - "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, 
- { - "label": "TS", - "image": "ubi", - "type": "oss", - "marker": "ts", - "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, - { - "label": "VS 1/3", - "image": "debian-plus", - "type": "plus", - "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'", - "platforms": "linux/arm64, linux/amd64" - }, - { - "label": "VS 2/3", - "image": "debian-plus", - "type": "plus", - "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'", - "platforms": "linux/arm64, linux/amd64" - }, - { - "label": "VS 3/3", - "image": "debian-plus", - "type": "plus", - "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'", - "platforms": "linux/arm64, linux/amd64" - }, - { - "label": "TS", - "image": "debian-plus", - "type": "plus", - "marker": "ts", - "platforms": "linux/arm64, linux/amd64" - }, - { - "label": "ingresses 1/2", - "image": "alpine-plus", - "type": "plus", - "marker": "'ingresses and not annotations and not basic_auth and not hsts and not watch_namespace and not wildcard_tls'", - "platforms": "linux/arm64, linux/amd64" - }, - { - "label": "ingresses 2/2", - "image": "alpine-plus", - "type": "plus", - "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'", - "platforms": "linux/arm64, linux/amd64" - }, - { - "label": "VSR", - "image": "alpine-plus", - "type": "plus", - "marker": "vsr", - "platforms": "linux/arm64, linux/amd64" - }, - { - "label": "policies 1/2", - "image": "ubi-plus", - "type": "plus", - "marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls'", - "platforms": "linux/arm64, linux/amd64, linux/s390x" - }, - { - "label": "policies 2/2", - "image": "ubi-plus", - "type": "plus", - "marker": "'policies_ac or policies_jwt or policies_mtls'", - "platforms": "linux/arm64, linux/amd64, linux/s390x" - }, - { - "label": "AP_WAF 1/4", - 
"image": "ubi-9-plus-nap", - "type": "plus", - "nap_modules": "waf", - "marker": "appprotect_waf_policies_allow", - "platforms": "linux/amd64" - }, - { - "label": "AP_WAF 2/4", - "image": "alpine-plus-nap-fips", - "type": "plus", - "nap_modules": "waf", - "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow'", - "platforms": "linux/amd64" - }, - { - "label": "AP_WAF 3/4", - "image": "debian-plus-nap", - "type": "plus", - "nap_modules": "waf", - "marker": "appprotect_waf_policies_grpc", - "platforms": "linux/amd64" - }, - { - "label": "AP_WAF 4/4", - "image": "debian-plus-nap", - "type": "plus", - "nap_modules": "waf", - "marker": "'appprotect_watch or appprotect_batch or appprotect_integration'", - "platforms": "linux/amd64" - }, - { - "label": "AP_DOS", - "image": "debian-plus-nap", - "type": "plus", - "nap_modules": "dos", - "marker": "'dos and not dos_learning'", - "platforms": "linux/amd64" - }, - { - "label": "AP_DOS_Learning", - "image": "ubi-8-plus-nap", - "type": "plus", - "nap_modules": "dos", - "marker": "dos_learning", - "platforms": "linux/amd64" - } - ], - "k8s": [] -} diff --git a/.github/scripts/variables.sh b/.github/scripts/variables.sh index 726ed04d8b..5742c99cf9 100755 --- a/.github/scripts/variables.sh +++ b/.github/scripts/variables.sh @@ -51,11 +51,11 @@ case $INPUT in ;; build_tag) - echo "build_tag=$(get_build_tag)" + echo "build_tag=t-$(get_build_tag)" ;; stable_tag) - echo "stable_tag=$(get_stable_tag)" + echo "stable_tag=s-$(get_stable_tag)" ;; *) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 095fce75c6..1490969a10 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml 
@@ -25,9 +25,12 @@ jobs: outputs: docker_md5: ${{ steps.vars.outputs.docker_md5 }} ic_version: ${{ steps.vars.outputs.ic_version }} + image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }} + image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }} + image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Output Variables id: vars @@ -35,6 +38,9 @@ jobs: ./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT + echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json | jq -c)" >> $GITHUB_OUTPUT + echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json | jq -c)" >> $GITHUB_OUTPUT + echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT build-oss: @@ -46,16 +52,10 @@ jobs: pull-requests: write # for scout report strategy: fail-fast: false - matrix: - image: [debian, alpine] - platforms: - ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] - include: - - image: ubi - platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 
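Review bot: In the `Output Variables` step, `echo "image_matrix_oss=$(cat … | jq -c)"` hides a failure: if the file is missing or is not valid JSON, the substitution is empty, `echo` still succeeds, and the problem only surfaces later as a `fromJSON` error in the build jobs. Assigning first lets the step stop on a bad file under the runner's default `-e` shell, e.g. `oss=$(jq -c . .github/data/matrix-images-oss.json)` followed by `echo "image_matrix_oss=${oss}" >> "$GITHUB_OUTPUT"`, and likewise for the plus and nap lines. Passing the file to `jq` with an explicit `.` filter also drops the extra `cat`.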
@@ -92,7 +92,7 @@ jobs: type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} - name: Build Base Container - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: file: build/Dockerfile context: "." @@ -116,15 +116,10 @@ jobs: pull-requests: write # for scout report strategy: fail-fast: false - matrix: - image: [debian-plus, alpine-plus, alpine-plus-fips] - platforms: ["linux/arm64, linux/amd64"] - include: - - image: ubi-plus - platforms: "linux/arm64, linux/amd64, linux/s390x" + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 @@ -161,7 +156,7 @@ jobs: type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} - name: Build Base Container - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: file: build/Dockerfile context: "." 
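Review bot: The JSON that replaces the inline `matrix:` in the `@@ -116,15 +116,10 @@` hunk is not equivalent to it: `.github/data/matrix-images-plus.json` adds `"target": ["goreleaser", "aws"]`, so `debian-plus`, `alpine-plus` and `alpine-plus-fips` each expand twice. The NAP matrix in the `@@ -188,42 +183,10 @@` hunk changes the same way, with a `target` axis and three `aws` include entries the old list did not have. If the base-image tag does not include the target (the tag step is outside these hunks), the duplicated jobs would build and push the same tag concurrently. Either feed the base-image jobs a matrix file without the `target` axis, or add a workflow comment such as `# target axis is intentional: base images are built per target` so the extra jobs are not mistaken for a regression.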
@@ -188,42 +183,10 @@ jobs: pull-requests: write # for scout report strategy: fail-fast: false - matrix: - image: [debian-plus-nap] - platforms: ["linux/amd64"] - nap_modules: [dos, waf, "waf,dos"] - include: - - image: ubi-9-plus-nap - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap - platforms: "linux/amd64" - nap_modules: dos - - image: ubi-8-plus-nap - platforms: "linux/amd64" - nap_modules: "waf,dos" - - image: alpine-plus-nap-fips - platforms: "linux/amd64" - nap_modules: waf - - image: alpine-plus-nap-v5-fips - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: debian-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-9-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 @@ -262,7 +225,7 @@ jobs: type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} - name: Build Base Container - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: file: build/Dockerfile context: "." diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index ef4e34a801..afde1eb656 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml 
@@ -53,18 +53,9 @@ jobs: image_digest: ${{ steps.build-push.outputs.digest }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.branch }} - fetch-depth: 0 - - - name: Setup QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - with: - platforms: arm,arm64,ppc64le,s390x - - - name: Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Authenticate to Google Cloud id: auth 
@@ -104,24 +95,37 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Check if base images exist - id: base_exists + - name: Check if images exist + id: images_exist run: | base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }}" echo "image=${base_image}" >> $GITHUB_OUTPUT if docker manifest inspect ${base_image}; then - echo "exists=true" >> $GITHUB_OUTPUT + echo "base_exists=true" >> $GITHUB_OUTPUT + fi + if docker manifest inspect ${{ steps.meta.outputs.tags }}; then + echo "target_exists=true" >> $GITHUB_OUTPUT fi if: ${{ inputs.authenticated && ! inputs.full-build }} + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + if: ${{ steps.images_exist.outputs.target_exists != 'true' }} + + - name: Docker Buildx + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + if: ${{ steps.images_exist.outputs.target_exists != 'true' }} + - name: Build Base Container - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: file: build/Dockerfile context: "." cache-to: type=gha,scope=${{ inputs.image }},mode=max target: common - tags: ${{ steps.base_exists.outputs.image }} + tags: ${{ steps.images_exist.outputs.image }} platforms: ${{ inputs.platforms }} pull: true push: true 
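Review bot: `Setup QEMU` and `Docker Buildx` are now gated on `target_exists != 'true'` only, while `Build Base Container` runs on `base_exists != 'true'` and `Build Docker image` on `base_exists != 'true' || target_exists != 'true'`. When the target tag exists but the base image does not, the builds still run, and the base build is multi-platform with `cache-to: type=gha`, but no emulators or builder have been set up. Give both setup steps the same condition as the build: `if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}`. The `@@ -109,24 +100,37 @@` hunk in build-plus.yml has the same gating. Separately, `docker manifest inspect ${{ steps.meta.outputs.tags }}` is unquoted and would presumably break if the metadata step ever emits more than one tag.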
@@ -129,23 +133,14 @@ jobs: build-args: | BUILD_OS=${{ inputs.image }} IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} - if: ${{ inputs.authenticated && steps.base_exists.outputs.exists != 'true' }} - - - name: Check if target image exists - id: target_exists - run: | - if docker pull ${{ steps.meta.outputs.tags }}; then - echo "exists=true" >> $GITHUB_OUTPUT - fi - if: ${{ inputs.authenticated && ! inputs.full-build }} + if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }} - name: Debug values run: | echo "authenticated: ${{ inputs.authenticated }}" - echo "base_exists: ${{ steps.base_exists.outputs.exists }}" - echo "target_exists: ${{ steps.target_exists.outputs.exists }}" + echo "images_exist: ${{ steps.images_exist.outputs.base_exists }}" + echo "target_exists: ${{ steps.images_exist.outputs.target_exists }}" echo "full-build: ${{ inputs.full-build }}" - echo "all: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}" - name: Fetch Cached Artifacts uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 @@ -153,10 +148,10 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ inputs.go-md5 }} fail-on-cache-miss: true - if: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }} + if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Docker image - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 id: build-push with: file: build/Dockerfile 
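Review bot: In `Debug values`, `echo "images_exist: ${{ steps.images_exist.outputs.base_exists }}"` labels the value with the step id rather than the output it prints. `echo "base_exists: ${{ steps.images_exist.outputs.base_exists }}"` keeps the log consistent with the `target_exists` line below it. The same line appears in the `@@ -139,23 +143,14 @@` hunk of build-plus.yml.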
@@ -175,16 +170,16 @@ jobs: provenance: false build-args: | BUILD_OS=${{ inputs.image }} - ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_exists.outputs.image) }} + ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image) }} IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} - if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }} + if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Make directory for security scan results run: | mkdir -p "${{ inputs.image }}-results/" - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 continue-on-error: true with: image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }} @@ -202,7 +197,7 @@ jobs: - name: Run Docker Scout vulnerability scanner id: docker-scout - uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3 + uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0 continue-on-error: true with: command: cves,recommendations @@ -215,7 +210,7 @@ jobs: summary: true if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }} - - name: Upload Scan Results to the cache + - name: Upload Scan Results to Github Artifacts uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 continue-on-error: true with: diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 2724f1226e..342a6e07fd 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml 
@@ -55,18 +55,9 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.branch }} - fetch-depth: 0 - - - name: Setup QEMU - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 - with: - platforms: arm64,s390x - - - name: Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 - name: Authenticate to Google Cloud id: auth 
@@ -109,24 +100,37 @@ jobs: env: DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Check if base images exist - id: base_exists + - name: Check if images exist + id: images_exist run: | base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}" echo "image=${base_image}" >> $GITHUB_OUTPUT - if docker pull ${base_image}; then - echo "exists=true" >> $GITHUB_OUTPUT + if docker manifest inspect ${base_image}; then + echo "base_exists=true" >> $GITHUB_OUTPUT + fi + if docker manifest inspect ${{ steps.meta.outputs.tags }}; then + echo "target_exists=true" >> $GITHUB_OUTPUT fi if: ${{ inputs.authenticated && ! inputs.full-build }} + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + if: ${{ steps.images_exist.outputs.target_exists != 'true' }} + + - name: Docker Buildx + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 + if: ${{ steps.images_exist.outputs.target_exists != 'true' }} + - name: Build Base Container - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: file: build/Dockerfile context: "." cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max target: common - tags: ${{ steps.base_exists.outputs.image }} + tags: ${{ steps.images_exist.outputs.image }} platforms: ${{ inputs.platforms }} pull: true push: true 
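Review bot: The re-added `Setup QEMU` step registers `arm,arm64,ppc64le,s390x`, where the step removed earlier in this file used `arm64,s390x`, and the plus matrices in this commit only list `linux/arm64`, `linux/amd64` and `linux/s390x`. This looks copied from build-oss.yml. `platforms: arm64,s390x` limits the runner to the emulators this job needs.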
@@ -139,23 +143,14 @@ jobs: "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" ${{ inputs.nap-modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} - if: ${{ inputs.authenticated && steps.base_exists.outputs.exists != 'true' }} - - - name: Check if target image exists - id: target_exists - run: | - if docker pull ${{ steps.meta.outputs.tags }}; then - echo "exists=true" >> $GITHUB_OUTPUT - fi - if: ${{ inputs.authenticated && ! inputs.full-build }} + if: ${{ inputs.authenticated && steps.images_exist.outputs.base_exists != 'true' }} - name: Debug values run: | echo "authenticated: ${{ inputs.authenticated }}" - echo "base_exists: ${{ steps.base_exists.outputs.exists }}" - echo "target_exists: ${{ steps.target_exists.outputs.exists }}" + echo "images_exist: ${{ steps.images_exist.outputs.base_exists }}" + echo "target_exists: ${{ steps.images_exist.outputs.target_exists }}" echo "full-build: ${{ inputs.full-build }}" - echo "all: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }}" - name: Fetch Cached Artifacts uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 @@ -163,10 +158,10 @@ jobs: path: ${{ github.workspace }}/dist key: nginx-ingress-${{ inputs.go-md5 }} fail-on-cache-miss: true - if: ${{ inputs.authenticated || steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }} + if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Build Docker image - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 id: build-push with: file: build/Dockerfile 
@@ -185,7 +180,7 @@ jobs: provenance: false build-args: | BUILD_OS=${{ inputs.image }} - ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_exists.outputs.image ) }} + ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image ) }} IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }} ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }} ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }} @@ -194,7 +189,7 @@ jobs: "nginx-repo.crt=${{ inputs.nap-modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}" "nginx-repo.key=${{ inputs.nap-modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}" ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} - if: ${{ steps.base_exists.outputs.exists != 'true' || steps.target_exists.outputs.exists != 'true' }} + if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }} - name: Make directory for security scan results run: | @@ -208,7 +203,7 @@ jobs: if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 continue-on-error: true with: image-ref: ${{ steps.scan-tag.outputs.tag }} @@ -226,7 +221,7 @@ jobs: - name: Run Docker Scout vulnerability scanner id: docker-scout - uses: docker/scout-action@5dae9c7571dd0f3de81f5b501240c593c13c3eb6 # v1.9.3 + uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0 continue-on-error: true with: command: cves,recommendations 
diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml index 106b1c0fa7..e51a9ad662 100644 --- a/.github/workflows/build-test-image.yml +++ b/.github/workflows/build-test-image.yml @@ -28,7 +28,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 @@ -49,7 +49,7 @@ jobs: password: ${{ steps.auth.outputs.access_token }} - name: Build Test-Runner Container - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: file: tests/Dockerfile context: "." diff --git a/.github/workflows/cache-update.yml b/.github/workflows/cache-update.yml index 55f3fbde22..9e12b59f56 100644 --- a/.github/workflows/cache-update.yml +++ b/.github/workflows/cache-update.yml 
@@ -21,16 +21,21 @@ jobs: outputs: go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} docker_md5: ${{ steps.vars.outputs.docker_md5 }} + image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }} + image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }} + image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Output Variables id: vars run: | ./.github/scripts/variables.sh go_code_md5 >> $GITHUB_OUTPUT ./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT - source .github/data/version.txt + echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json | jq -c)" >> $GITHUB_OUTPUT + echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json | jq -c)" >> $GITHUB_OUTPUT + echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT build-docker: @@ -38,13 +43,7 @@ jobs: needs: [checks] strategy: fail-fast: false - matrix: - image: [debian, alpine] - platforms: - ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] - include: - - image: ubi - platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} uses: ./.github/workflows/build-oss.yml with: platforms: ${{ matrix.platforms }} @@ -68,14 +67,7 @@ jobs: needs: [checks] strategy: fail-fast: false - matrix: - image: [debian-plus, alpine-plus, alpine-plus-fips] - platforms: ["linux/arm64, linux/amd64"] - target: [goreleaser, aws] - include: - - image: ubi-plus - platforms: "linux/arm64, linux/amd64, linux/s390x" - target: goreleaser + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} uses: ./.github/workflows/build-plus.yml with: platforms: ${{ matrix.platforms }} 
@@ -98,56 +90,7 @@ jobs: needs: [checks] strategy: fail-fast: false - matrix: - image: [debian-plus-nap] - platforms: ["linux/amd64"] - target: [goreleaser, aws] - nap_modules: [dos, waf, "waf,dos"] - include: - - image: ubi-9-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: dos - - image: ubi-8-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: "waf,dos" - - image: ubi-9-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: dos - - image: ubi-8-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: "waf,dos" - - image: alpine-plus-nap-fips - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: alpine-plus-nap-v5-fips - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: debian-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-9-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} uses: ./.github/workflows/build-plus.yml with: platforms: ${{ matrix.platforms }} diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml index bd95907be2..154021590c 100644 --- a/.github/workflows/cherry-pick.yml +++ b/.github/workflows/cherry-pick.yml 
@@ -15,10 +15,10 @@ jobs: pull-requests: write runs-on: ubuntu-22.04 name: Cherry pick into release branch - if: ${{ contains(github.event.pull_request.labels.*.name, 'dependencies') && github.event.pull_request.merged == true }} + if: ${{ (contains(github.event.pull_request.labels.*.name, 'dependencies') || contains(github.event.pull_request.labels.*.name, 'needs cherry pick')) && github.event.pull_request.merged == true }} steps: - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 token: ${{ secrets.NGINX_PAT }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc3f1dd8fa..dfda4599cb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,7 +35,6 @@ jobs: outputs: docs_only: ${{ github.event.pull_request && steps.docs.outputs.docs_only == 'true' }} k8s_latest: ${{ steps.vars.outputs.k8s_latest }} - latest_kindest_node_versions: ${{ steps.vars.outputs.latest_kindest_node_versions }} go_path: ${{ steps.vars.outputs.go_path }} go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} @@ -46,9 +45,13 @@ jobs: stable_tag: ${{ steps.vars.outputs.stable_tag }} forked_workflow: ${{ steps.vars.outputs.forked_workflow }} stable_image_exists: ${{ steps.stable_exists.outputs.exists }} + additional_tag: ${{ steps.vars.outputs.additional_tag }} + image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }} + image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }} + image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 
@@ -82,19 +85,6 @@ jobs: | sed 's/^.\{1\}//' \ | tr -d '\n') echo "k8s_latest=$kindest_latest" >> $GITHUB_OUTPUT - kindest_versions=$(curl -s "https://hub.docker.com/v2/repositories/kindest/node/tags" \ - | grep -o '"name": *"[^"]*' \ - | grep -o '[^"]*$' \ - | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ - | sort -rV \ - | awk -F. '!seen[$1"."$2]++' \ - | head -n 7 \ - | sort -V \ - | sed 's/v//g' \ - | sed 's/$//' \ - | sed 's/, $//' \ - | jq -R -s -c 'split("\n")[:-1]') - echo "latest_kindest_node_versions=$kindest_versions" >> $GITHUB_OUTPUT echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT @@ -104,6 +94,16 @@ jobs: ./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT ./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT ./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT + ref=${{ github.ref_name }} + if [[ $ref =~ merge ]]; then + additional_tag="pr-${ref%*/merge}" + else + additional_tag="${ref//\//-}" + fi + echo "additional_tag=${additional_tag}" >> $GITHUB_OUTPUT + echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json | jq -c)" >> $GITHUB_OUTPUT + echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json | jq -c)" >> $GITHUB_OUTPUT + echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT - name: Fetch Cached Binary Artifacts 
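Review bot: `ref=${{ github.ref_name }}` expands the ref name into the script text before bash runs, and a branch or tag name can carry shell metacharacters. On any trigger where the ref is chosen by whoever pushes it, this line is a script-injection point in a job whose outputs feed image tags. Pass the value through the environment instead: add `env:` with `REF_NAME: ${{ github.ref_name }}` to the step (its header is outside this hunk) and use `ref="${REF_NAME}"`. The test `[[ $ref =~ merge ]]` also matches any branch whose name merely contains "merge" and would then leave a `/` in `additional_tag`; `[[ $ref =~ ^[0-9]+/merge$ ]]` limits it to pull-request merge refs.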
@@ -114,21 +114,9 @@ jobs: key: nginx-ingress-${{ steps.vars.outputs.go_code_md5 }} lookup-only: true - - name: Check if go.mod and go.sum are up to date - run: go mod tidy && git diff --exit-code -- go.mod go.sum - - - name: Check if CRDs changed - run: make update-crds && git diff --name-only --exit-code config/crd/bases - - - name: Check if Codegen changed - run: | - cd ../.. && mkdir -p github.com/nginxinc && mv kubernetes-ingress/kubernetes-ingress github.com/nginxinc/ && cd github.com/nginxinc/kubernetes-ingress - make update-codegen && git diff --name-only --exit-code pkg/** - cd ../../.. && mv github.com/nginxinc/kubernetes-ingress kubernetes-ingress/kubernetes-ingress - - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2 + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} @@ -136,7 +124,7 @@ jobs: if: ${{ steps.vars.outputs.forked_workflow == 'false' }} - name: Login to GCR - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: gcr.io username: oauth2accesstoken @@ -155,7 +143,6 @@ jobs: run: | echo docs_only: ${{ github.event.pull_request && steps.docs.outputs.docs_only == 'true' }} echo k8s_latest: ${{ steps.vars.outputs.k8s_latest }} - echo latest_kindest_node_versions: ${{ steps.vars.outputs.latest_kindest_node_versions }} echo go_path: ${{ steps.vars.outputs.go_path }} echo go_code_md5: ${{ steps.vars.outputs.go_code_md5 }} echo binary_cache_hit: ${{ steps.binary-cache.outputs.cache-hit }} 
@@ -166,6 +153,31 @@ jobs: echo stable_tag: ${{ steps.vars.outputs.stable_tag }} echo forked_workflow: ${{ steps.vars.outputs.forked_workflow }} echo stable_image_exists: ${{ steps.stable_exists.outputs.exists }} + echo additional_tag: ${{ steps.vars.outputs.additional_tag }} + echo 'image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }}' + echo 'image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }}' + echo 'image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }}' + + verify-codegen: + name: Verify generated code + runs-on: ubuntu-22.04 + permissions: + contents: read + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Check if go.mod and go.sum are up to date + run: go mod tidy && git diff --exit-code -- go.mod go.sum + + - name: Check if CRDs changed + run: make update-crds && git diff --name-only --exit-code config/crd/bases + + - name: Check if Codegen changed + run: | + cd ../.. && mkdir -p github.com/nginxinc && mv kubernetes-ingress/kubernetes-ingress github.com/nginxinc/ && cd github.com/nginxinc/kubernetes-ingress + make update-codegen && git diff --name-only --exit-code pkg/** + cd ../../.. && mv github.com/nginxinc/kubernetes-ingress kubernetes-ingress/kubernetes-ingress unit-tests: name: Unit Tests @@ -173,7 +185,7 @@ jobs: needs: checks steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup Golang Environment uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 
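Review bot: The new `verify-codegen` job runs `go mod tidy`, `make update-crds` and `make update-codegen` with no Go setup step, so it uses whatever toolchain the `ubuntu-22.04` image ships rather than a version the project pins. `go mod tidy` and the generators can produce different output across Go versions, which makes the `git diff --exit-code` checks unreliable. Adding the pinned action the `unit-tests` job already uses, `uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1` with `go-version-file: go.mod`, right after the checkout would keep the check reproducible. Whether the `checks` job these steps were moved from had such a step is not visible in this hunk.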
@@ -186,7 +198,7 @@ jobs: if: ${{ needs.checks.outputs.binary_cache_hit != 'true' }} - name: Upload coverage to Codecov - uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1 + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 with: files: ./coverage.txt token: ${{ secrets.CODECOV_TOKEN }} # required @@ -195,14 +207,14 @@ jobs: release-notes: name: Release Notes runs-on: ubuntu-22.04 - needs: [checks, unit-tests] + needs: [checks, unit-tests, verify-codegen] outputs: release-url: ${{ steps.release-notes.outputs.release-url }} permissions: contents: write # for lucacome/draft-release steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 @@ -232,14 +244,14 @@ jobs: binaries: name: Build Binaries runs-on: ubuntu-22.04 - needs: [checks, unit-tests] + needs: [checks, unit-tests, verify-codegen] permissions: contents: write # for goreleaser/goreleaser-action to manage releases id-token: write # for goreleaser/goreleaser-action to sign artifacts issues: write # for goreleaser/goreleaser-action to close milestone steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 @@ -280,13 +292,7 @@ jobs: needs: [binaries, checks] strategy: fail-fast: false - matrix: - image: [debian, alpine] - platforms: - ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] - include: - - image: ubi - platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} uses: ./.github/workflows/build-oss.yml with: platforms: ${{ matrix.platforms }} 
@@ -311,14 +317,7 @@ jobs: needs: [binaries, checks] strategy: fail-fast: false - matrix: - image: [debian-plus, alpine-plus, alpine-plus-fips] - platforms: ["linux/arm64, linux/amd64"] - target: [goreleaser, aws] - include: - - image: ubi-plus - platforms: "linux/arm64, linux/amd64, linux/s390x" - target: goreleaser + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} uses: ./.github/workflows/build-plus.yml with: platforms: ${{ matrix.platforms }} @@ -342,56 +341,7 @@ jobs: needs: [binaries, checks] strategy: fail-fast: false - matrix: - image: [debian-plus-nap] - platforms: ["linux/amd64"] - target: [goreleaser, aws] - nap_modules: [dos, waf, "waf,dos"] - include: - - image: ubi-9-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: dos - - image: ubi-8-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: "waf,dos" - - image: ubi-9-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: dos - - image: ubi-8-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: "waf,dos" - - image: alpine-plus-nap-fips - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: alpine-plus-nap-v5-fips - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: debian-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-9-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} uses: ./.github/workflows/build-plus.yml with: platforms: ${{ matrix.platforms }} 
@@ -411,6 +361,20 @@ jobs: pull-requests: write # for scout report secrets: inherit + tag-target: + name: Tag untested image with PR number + needs: [checks, build-docker, build-docker-plus, build-docker-nap] + permissions: + contents: read # To checkout repository + id-token: write # To sign into Google Container Registry + uses: ./.github/workflows/retag-images.yml + with: + source_tag: ${{ needs.checks.outputs.build_tag }} + target_tag: ${{ needs.checks.outputs.additional_tag }} + dry_run: false + secrets: inherit + if: ${{ inputs.force || (needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.stable_image_exists != 'true' && needs.checks.outputs.docs_only == 'false') }} + helm-tests: if: ${{ needs.checks.outputs.docs_only != 'true' }} name: Helm Tests ${{ matrix.base-os }} @@ -433,7 +397,7 @@ jobs: id-token: write steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: auth @@ -473,11 +437,11 @@ jobs: if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Docker Buildx - uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 + uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} - name: Build Docker Image ${{ matrix.base-os }} - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: file: build/Dockerfile context: "." 
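Review bot: `tag-target` is called with `secrets: inherit`, which hands every secret available to this workflow to `retag-images.yml`, although the job's own comments say it only needs to sign in to Google Container Registry. Declaring the needed secrets in the called workflow and passing them explicitly under `secrets:`, for example `GCR_WORKLOAD_IDENTITY: ${{ secrets.GCR_WORKLOAD_IDENTITY }}` and `GCR_SERVICE_ACCOUNT: ${{ secrets.GCR_SERVICE_ACCOUNT }}`, keeps tokens such as `NGINX_PAT` and `CODECOV_TOKEN` out of jobs that do not use them. The same applies to the `smoke-tests-oss`, `smoke-tests-plus` and `smoke-tests-nap` jobs added later in this file, which replace an inline job that referenced its secrets one by one. What `retag-images.yml` and `setup-smoke.yml` declare is not visible in this diff, so the exact list needs checking there.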
@@ -553,14 +517,18 @@ jobs: contents: read id-token: write outputs: - matrix: ${{ steps.set-matrix.outputs.matrix }} + matrix_oss: ${{ steps.set-matrix.outputs.matrix_oss }} + matrix_plus: ${{ steps.set-matrix.outputs.matrix_plus }} + matrix_nap: ${{ steps.set-matrix.outputs.matrix_nap }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: set-matrix run: | - echo "matrix=$(cat .github/data/matrix-smoke.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT + echo "matrix_oss=$(cat .github/data/matrix-smoke-oss.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT + echo "matrix_plus=$(cat .github/data/matrix-smoke-plus.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT + echo "matrix_nap=$(cat .github/data/matrix-smoke-nap.json | jq -c --arg latest "${{ needs.checks.outputs.k8s_latest }}" '.k8s += [$latest]')" >> $GITHUB_OUTPUT - name: Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 @@ -591,7 +559,7 @@ jobs: if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }} - name: Build Test-Runner Container - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: file: tests/Dockerfile context: "." 
@@ -602,143 +570,90 @@ jobs: load: false if: ${{ steps.check-image.outcome == 'failure' && needs.checks.outputs.docs_only == 'false' }} - smoke-tests: + smoke-tests-oss: if: ${{ inputs.force || needs.checks.outputs.docs_only != 'true' }} name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} smoke tests - runs-on: ubuntu-22.04 needs: - checks - setup-matrix - build-docker - - build-docker-plus - - build-docker-nap strategy: fail-fast: false - matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix) }} + matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix_oss) }} permissions: contents: read id-token: write - steps: - - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - - - name: Set image variables - id: image_details - run: | - echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.images.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.images.nap_modules, 'waf') && '-nap' || '' }}/nginx${{ contains(matrix.images.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT - echo "build_tag=${{ needs.checks.outputs.build_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT - echo "stable_tag=${{ needs.checks.outputs.stable_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 - with: - token_format: access_token - workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} - 
service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }} - - - name: Login to GCR - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 - with: - registry: gcr.io - username: oauth2accesstoken - password: ${{ steps.auth.outputs.access_token }} - if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }} - - - name: Check if stable image exists - id: stable_exists - run: | - if docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.stable_tag }}; then - echo "exists=true" >> $GITHUB_OUTPUT - fi - if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }} - - - name: NAP modules - id: nap_modules - run: | - [[ "${{ matrix.images.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.images.nap_modules }}" - echo "modules=${modules}" >> $GITHUB_OUTPUT - if: ${{ matrix.images.nap_modules }} - - - name: Pull build image - run: | - docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }} - if: ${{ needs.checks.outputs.forked_workflow == 'false' && steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} - - - name: Fetch Cached Artifacts - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 - with: - path: ${{ github.workspace }}/dist - key: nginx-ingress-${{ needs.checks.outputs.go_code_md5 }} - fail-on-cache-miss: true - if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} - - - name: Check if test image exists - id: check-image - run: | - docker manifest inspect "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - shell: bash - continue-on-error: true - if: ${{ needs.checks.outputs.forked_workflow == 'false' 
&& needs.checks.outputs.docs_only == 'false' }} - - - name: Build Test-Runner Container - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 - with: - file: tests/Dockerfile - context: "." - cache-from: type=gha,scope=test-runner - tags: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - pull: true - push: ${{ needs.checks.outputs.forked_workflow == 'false' }} - load: ${{ needs.checks.outputs.forked_workflow == 'true' }} - if: ${{ ( needs.checks.outputs.forked_workflow == 'true' || steps.check-image.outcome == 'failure' ) && needs.checks.outputs.docs_only == 'false' }} - - - name: Build ${{ matrix.images.image }} Container - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 - with: - file: build/Dockerfile - context: "." - cache-from: type=gha,scope=${{ matrix.images.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }} - cache-to: type=gha,scope=${{ matrix.images.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max - target: goreleaser - tags: "${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }}" - load: true - pull: true - build-args: | - BUILD_OS=${{ matrix.images.image }} - IC_VERSION=CI - ${{ contains(matrix.images.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }} - ${{ contains(matrix.images.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }} - secrets: | - ${{ contains(matrix.images.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }} - ${{ contains(matrix.images.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }} - ${{ contains(matrix.images.image, 'ubi') && format('"rhel_license={0}"', 
secrets.RHEL_LICENSE) || '' }} - if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }} + uses: ./.github/workflows/setup-smoke.yml + secrets: inherit + with: + image: ${{ matrix.images.image }} + target: ${{ matrix.images.target }} + nap-modules: ${{ matrix.images.nap_modules }} + marker: ${{ matrix.images.marker }} + label: ${{ matrix.images.label }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + build-tag: ${{ needs.checks.outputs.build_tag }} + stable-tag: ${{ needs.checks.outputs.stable_tag }} + authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }} + k8s-version: ${{ matrix.k8s }} - - name: Run Smoke Tests - id: smoke-tests - uses: ./.github/actions/smoke-tests - with: - image-type: ${{ matrix.images.image }} - image-name: ${{ steps.image_details.outputs.name }} - tag: ${{ steps.image_details.outputs.build_tag }} - marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} - k8s-version: ${{ matrix.k8s }} - azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} - test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" - if: ${{ steps.stable_exists.outputs.exists != 'true' && needs.checks.outputs.docs_only == 'false' }} + smoke-tests-plus: + if: ${{ inputs.force || needs.checks.outputs.docs_only != 'true' }} + name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} smoke tests + needs: + - checks + - setup-matrix + - build-docker-plus + strategy: + fail-fast: false + matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix_plus) }} + permissions: + contents: read + id-token: write + uses: ./.github/workflows/setup-smoke.yml + secrets: inherit + with: + image: ${{ matrix.images.image }} + target: ${{ matrix.images.target }} + nap-modules: ${{ matrix.images.nap_modules }} + marker: ${{ matrix.images.marker }} + label: ${{ matrix.images.label }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + 
build-tag: ${{ needs.checks.outputs.build_tag }} + stable-tag: ${{ needs.checks.outputs.stable_tag }} + authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }} + k8s-version: ${{ matrix.k8s }} - - name: Upload Test Results - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 - with: - name: ${{ steps.smoke-tests.outputs.test-results-name }}-${{ matrix.k8s }} - path: ${{ github.workspace }}/tests/${{ steps.smoke-tests.outputs.test-results-name }}-${{ matrix.k8s }}.html - if: always() + smoke-tests-nap: + if: ${{ inputs.force || needs.checks.outputs.docs_only != 'true' }} + name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} smoke tests + needs: + - checks + - setup-matrix + - build-docker-nap + strategy: + fail-fast: false + matrix: ${{ fromJSON(needs.setup-matrix.outputs.matrix_nap) }} + permissions: + contents: read + id-token: write + uses: ./.github/workflows/setup-smoke.yml + secrets: inherit + with: + image: ${{ matrix.images.image }} + target: ${{ matrix.images.target }} + nap-modules: ${{ matrix.images.nap_modules }} + marker: ${{ matrix.images.marker }} + label: ${{ matrix.images.label }} + go-md5: ${{ needs.checks.outputs.go_code_md5 }} + build-tag: ${{ needs.checks.outputs.build_tag }} + stable-tag: ${{ needs.checks.outputs.stable_tag }} + authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }} + k8s-version: ${{ matrix.k8s }} tag-stable: name: Tag tested image as stable - needs: [checks, smoke-tests] + needs: [checks, smoke-tests-oss, smoke-tests-plus, smoke-tests-nap] permissions: contents: read # To checkout repository id-token: write # To sign into Google Container Registry 
@@ -754,15 +669,23 @@ jobs: if: ${{ always() }} runs-on: ubuntu-22.04 name: Final CI Results - needs: [tag-stable, smoke-tests] + needs: [tag-stable, smoke-tests-oss, smoke-tests-plus, smoke-tests-nap] steps: - run: | tagResult="${{ needs.tag-stable.result }}" - smokeResult="${{ needs.smoke-tests.result }}" + smokeOSSResult="${{ needs.smoke-tests-oss.result }}" + smokePlusResult="${{ needs.smoke-tests-plus.result }}" + smokeNAPResult="${{ needs.smoke-tests-nap.result }}" if [[ $tagResult != "success" && $tagResult != "skipped" ]]; then exit 1 fi - if [[ $smokeResult != "success" && $smokeResult != "skipped" ]]; then + if [[ $smokeOSSResult != "success" && $smokeOSSResult != "skipped" ]]; then + exit 1 + fi + if [[ $smokePlusResult != "success" && $smokePlusResult != "skipped" ]]; then + exit 1 + fi + if [[ $smokeNAPResult != "success" && $smokeNAPResult != "skipped" ]]; then exit 1 fi diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 29163d9c43..0d3b8874c1 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -28,7 +28,7 @@ jobs: docs_only: ${{ github.event.pull_request && steps.docs.outputs.docs_only == 'true' }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 
@@ -66,11 +66,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -89,7 +89,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -102,6 +102,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml index 8888381256..36724c9b22 100644 --- a/.github/workflows/create-release-branch.yml +++ b/.github/workflows/create-release-branch.yml @@ -38,7 +38,7 @@ jobs: contents: write steps: - name: Checkout NIC repo - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.source_branch }} 
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml new file mode 100644 index 0000000000..00cf5b0db1 --- /dev/null +++ b/.github/workflows/dependabot-auto-merge.yml @@ -0,0 +1,23 @@ +name: Dependabot auto-merge +on: pull_request_target + +permissions: + contents: read + +jobs: + dependabot: + runs-on: ubuntu-22.04 + if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} + permissions: + pull-requests: write + contents: write + steps: + - name: Dependabot metadata + id: dependabot-metadata + uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0 + + - name: Enable auto-merge for Dependabot PRs + run: gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{ secrets.NGINX_PAT }} diff --git a/.github/workflows/dependabot-hugo.yml b/.github/workflows/dependabot-hugo.yml index 78b71bf67c..ea4ae2d385 100644 --- a/.github/workflows/dependabot-hugo.yml +++ b/.github/workflows/dependabot-hugo.yml @@ -26,7 +26,7 @@ jobs: uses: dependabot/fetch-metadata@5e5f99653a5b510e8555840e80cbf1514ad4af38 # v2.1.0 - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 if: ${{ steps.dependabot-metadata.outputs.package-ecosystem == 'go_modules' && contains(steps.dependabot-metadata.outputs.dependency-names, 'hugo') }} with: ref: ${{ github.head_ref }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index eb19218f8c..be3e775f06 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
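Review bot: The `Enable auto-merge for Dependabot PRs` step runs for every Dependabot pull request, because the outputs of the `dependabot-metadata` step are never consulted; a major-version bump is queued for squash-merge the same way as a patch bump. Gating the step on the update type keeps human review for the riskier updates, e.g. `if: ${{ steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major' }}`. The merge is made with `secrets.NGINX_PAT` under `pull_request_target`, so the only gate before the default branch is the required checks and reviews configured on the repository (not visible here); a comment in the file stating that dependency would help. The job-level `contents: write` and `pull-requests: write` apply to the default `GITHUB_TOKEN`, which the merge step overrides with the PAT, so they can probably be reduced to read.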
@@ -21,7 +21,7 @@ jobs: pull-requests: write # for actions/dependency-review-action to post comments steps: - name: "Checkout Repository" - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: "Dependency Review" uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml index e93f6eb638..a4634a72a2 100644 --- a/.github/workflows/dockerhub-description.yml +++ b/.github/workflows/dockerhub-description.yml @@ -19,7 +19,7 @@ jobs: runs-on: ubuntu-22.04 if: ${{ github.event.repository.fork == false }} steps: - - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Modify readme for DockerHub run: | diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index e1478fc64f..f97e05b2b3 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -23,7 +23,7 @@ jobs: if: ${{ github.event.repository.fork == false }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Scan uses: fossas/fossa-action@47ef11b1e1e3812e88dae436ccbd2d0cbd1adab0 # v1.3.3 diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml index d94862b9c0..34f4771b82 100644 --- a/.github/workflows/image-promotion.yml +++ b/.github/workflows/image-promotion.yml 
@@ -41,12 +41,15 @@ jobs: build_tag: ${{ steps.vars.outputs.build_tag }} stable_tag: ${{ steps.vars.outputs.stable_tag }} stable_image_exists: ${{ steps.stable_exists.outputs.exists }} + image_matrix_oss: ${{ steps.vars.outputs.image_matrix_oss }} + image_matrix_plus: ${{ steps.vars.outputs.image_matrix_plus }} + image_matrix_nap: ${{ steps.vars.outputs.image_matrix_nap }} steps: - name: Checkout Repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup Golang Environment - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version-file: go.mod @@ -61,6 +64,9 @@ jobs: ./.github/scripts/variables.sh docker_md5 >> $GITHUB_OUTPUT ./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT ./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT + echo "image_matrix_oss=$(cat .github/data/matrix-images-oss.json | jq -c)" >> $GITHUB_OUTPUT + echo "image_matrix_plus=$(cat .github/data/matrix-images-plus.json | jq -c)" >> $GITHUB_OUTPUT + echo "image_matrix_nap=$(cat .github/data/matrix-images-nap.json | jq -c)" >> $GITHUB_OUTPUT - name: Fetch Cached Binary Artifacts id: binary-cache @@ -72,14 +78,14 @@ jobs: - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2 + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 with: token_format: access_token workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} - name: Login to GCR - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 with: registry: gcr.io username: oauth2accesstoken 
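Review bot: In the second hunk, the three added `echo "image_matrix_…=$(cat … | jq -c)"` lines hide a `cat` or `jq` failure, because the status of each line is that of `echo`. A missing or malformed `.github/data/matrix-images-*.json` would write an empty output and only surface later as a `fromJSON` error in the build jobs. Assigning first makes the failure stop the step when the shell runs with `-e`, and an explicit filter avoids relying on jq's implicit `.`: `image_matrix_oss=$(jq -c . .github/data/matrix-images-oss.json)` followed by `echo "image_matrix_oss=${image_matrix_oss}" >> "$GITHUB_OUTPUT"`, and likewise for `plus` and `nap`. The step these lines belong to starts outside the hunk.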
@@ -112,7 +118,7 @@ jobs: contents: read steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup Golang Environment uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 @@ -152,13 +158,7 @@ jobs: needs: [checks, binaries] strategy: fail-fast: false - matrix: - image: [debian, alpine] - platforms: - ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] - include: - - image: ubi - platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }} uses: ./.github/workflows/build-oss.yml with: platforms: ${{ matrix.platforms }} @@ -183,14 +183,7 @@ jobs: needs: [checks, binaries] strategy: fail-fast: false - matrix: - image: [debian-plus, alpine-plus, alpine-plus-fips] - platforms: ["linux/arm64, linux/amd64"] - target: [goreleaser, aws] - include: - - image: ubi-plus - platforms: "linux/arm64, linux/amd64, linux/s390x" - target: goreleaser + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }} uses: ./.github/workflows/build-plus.yml with: platforms: ${{ matrix.platforms }} 
@@ -216,56 +209,7 @@ jobs: needs: [checks, binaries] strategy: fail-fast: false - matrix: - image: [debian-plus-nap] - platforms: ["linux/amd64"] - target: [goreleaser, aws] - nap_modules: [dos, waf, "waf,dos"] - include: - - image: ubi-9-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: dos - - image: ubi-8-plus-nap - target: goreleaser - platforms: "linux/amd64" - nap_modules: "waf,dos" - - image: ubi-9-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: dos - - image: ubi-8-plus-nap - target: aws - platforms: "linux/amd64" - nap_modules: "waf,dos" - - image: alpine-plus-nap-fips - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: alpine-plus-nap-v5-fips - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: debian-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-9-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf - - image: ubi-8-plus-nap-v5 - target: goreleaser - platforms: "linux/amd64" - nap_modules: waf + matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }} uses: ./.github/workflows/build-plus.yml with: platforms: ${{ matrix.platforms }} @@ -385,7 +329,7 @@ jobs: needs: [release-oss] steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index a086abc154..b9665d47f5 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml 
@@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: diff --git a/.github/workflows/lint-format.yml b/.github/workflows/lint-format.yml index 98f81ded95..a3bea5f7c3 100644 --- a/.github/workflows/lint-format.yml +++ b/.github/workflows/lint-format.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup Golang Environment uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 @@ -44,7 +44,7 @@ jobs: pull-requests: read # for golangci-lint-action steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup Golang Environment uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 @@ -61,9 +61,9 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: reviewdog/action-actionlint@fd627997c9688c2f39e13917aed23873c031b834 # v1.48.0 + - uses: reviewdog/action-actionlint@2927e858b45218240af952feb1d702cf6365f39a # v1.50.0 with: actionlint_flags: -shellcheck "" @@ -72,7 +72,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Lint chart run: helm lint charts/nginx-ingress 
@@ -82,7 +82,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8 # v16.0.0 with: diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml index f51cff0bb6..9881f969a5 100644 --- a/.github/workflows/mend.yml +++ b/.github/workflows/mend.yml @@ -24,7 +24,7 @@ jobs: if: ${{ github.event.repository.fork == false }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Download agent run: curl -fsSLJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar diff --git a/.github/workflows/oss-release.yml b/.github/workflows/oss-release.yml index 6822e3a586..70ea3d00c8 100644 --- a/.github/workflows/oss-release.yml +++ b/.github/workflows/oss-release.yml @@ -77,7 +77,7 @@ jobs: if: ${{ inputs.gcr_release_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth @@ -116,7 +116,7 @@ jobs: if: ${{ inputs.ecr_public_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth 
@@ -166,7 +166,7 @@ jobs: if: ${{ inputs.dockerhub_public_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth @@ -211,7 +211,7 @@ jobs: if: ${{ inputs.quay_public_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth @@ -258,7 +258,7 @@ jobs: if: ${{ inputs.github_public_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth diff --git a/.github/workflows/patch-image.yml b/.github/workflows/patch-image.yml index 48d1438ada..de4d8467ef 100644 --- a/.github/workflows/patch-image.yml +++ b/.github/workflows/patch-image.yml @@ -44,7 +44,7 @@ jobs: id-token: write steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Docker Buildx uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0 @@ -70,7 +70,7 @@ jobs: password: ${{ steps.auth.outputs.access_token }} - name: Apply OS patches to Container - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0 + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 with: file: build/Dockerfile context: "." diff --git a/.github/workflows/plus-release.yml b/.github/workflows/plus-release.yml index f1399c75f8..86bf63d7bc 100644 --- a/.github/workflows/plus-release.yml +++ b/.github/workflows/plus-release.yml 
@@ -77,7 +77,7 @@ jobs: if: ${{ inputs.gcr_release_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth @@ -116,7 +116,7 @@ jobs: if: ${{ inputs.nginx_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth @@ -170,7 +170,7 @@ jobs: if: ${{ inputs.gcr_mktpl_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-priv-auth @@ -212,7 +212,7 @@ jobs: if: ${{ inputs.ecr_mktpl_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth @@ -259,7 +259,7 @@ jobs: if: ${{ inputs.az_mktpl_registry }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml index 1f745e0d93..22b2e62cdf 100644 --- a/.github/workflows/publish-helm.yml +++ b/.github/workflows/publish-helm.yml @@ -58,7 +58,7 @@ jobs: packages: write # for helm to push to GHCR steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: refs/heads/${{ inputs.branch }} path: kic 
@@ -89,7 +89,7 @@ jobs: helm push ${{ steps.package.outputs.path }} oci://registry-1.docker.io/nginxcharts - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: repository: nginxinc/helm-charts fetch-depth: 1 diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml new file mode 100644 index 0000000000..34782a4232 --- /dev/null +++ b/.github/workflows/regression.yml 
@@ -0,0 +1,309 @@ +name: Run Regression tests +run-name: Run NIC Regression workflow, triggered from ${{ github.event_name }} by @${{ github.actor }} + +on: + schedule: + - cron: 00 03 * * * + workflow_dispatch: + inputs: + branch: + type: string + description: "Branch to run regression workflow on" + default: main + +defaults: + run: + shell: bash + +concurrency: + group: ${{ github.ref_name }}-regression + cancel-in-progress: true + +permissions: + contents: read + +jobs: + checks: + name: Checks and variables + runs-on: ubuntu-22.04 + permissions: + contents: read + id-token: write + outputs: + k8s_latest: ${{ steps.vars.outputs.k8s_latest }} + latest_kindest_node_versions: ${{ steps.vars.outputs.latest_kindest_node_versions }} + stable_tag: ${{ steps.vars.outputs.stable_tag }} + branch: ${{ steps.vars.outputs.branch }} + steps: + - name: Checkout Repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + ref: ${{ inputs.branch && inputs.branch || github.event.repository.default_branch }} + + - name: Output Variables + id: vars + run: | + kindest_latest=$(curl -s "https://hub.docker.com/v2/repositories/kindest/node/tags" \ + | grep -o '"name": *"[^"]*' \ + | grep -o '[^"]*$' \ + | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ + | sort -rV \ + | head -n 1 \ + | sed 's/^.\{1\}//' \ + | tr -d '\n') + echo "k8s_latest=$kindest_latest" >> $GITHUB_OUTPUT + kindest_versions=$(curl -s "https://hub.docker.com/v2/repositories/kindest/node/tags" \ + | grep -o '"name": *"[^"]*' \ + | grep -o '[^"]*$' \ + | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' \ + | sort -rV \ + | awk -F. 
'!seen[$1"."$2]++' \ + | head -n 7 \ + | sort -V \ + | sed 's/v//g' \ + | sed 's/$//' \ + | sed 's/, $//' \ + | jq -R -s -c 'split("\n")[:-1]') + echo "latest_kindest_node_versions=$kindest_versions" >> $GITHUB_OUTPUT + source .github/data/version.txt + ./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT + branch=${{ github.event.repository.default_branch }} + if [ -n "${{ inputs.branch }}" ]; then + branch=${{ inputs.branch }} + fi + echo "branch=${branch}" >> $GITHUB_OUTPUT + + - name: Output variables + run: | + echo k8s_latest: ${{ steps.vars.outputs.k8s_latest }} + echo latest_kindest_node_versions: ${{ steps.vars.outputs.latest_kindest_node_versions }} + echo stable_tag: ${{ steps.vars.outputs.stable_tag }} + echo branch: ${{ steps.vars.outputs.branch }} + + helm-tests: + name: Helm Tests ${{ matrix.base-os }} + runs-on: ubuntu-22.04 + needs: [checks] + strategy: + fail-fast: false + matrix: + include: + - base-os: debian + image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress + tag: ${{ needs.checks.outputs.stable_tag }} + type: oss + - base-os: debian-plus + image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress + tag: ${{ needs.checks.outputs.stable_tag }} + type: plus + permissions: + contents: read + id-token: write + steps: + - name: Checkout Repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + ref: ${{ needs.checks.outputs.branch }} + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Pull build image + run: | + 
docker pull ${{ matrix.image }}:${{ matrix.tag }} + + - name: Deploy Kubernetes + id: k8s + run: | + kind create cluster --name ${{ github.run_id }} --image=kindest/node:v${{ needs.checks.outputs.k8s_latest }} --wait 75s + kind load docker-image "${{ matrix.image }}:${{ matrix.tag }}" --name ${{ github.run_id }} + + - name: Install Chart + run: > + helm install + ${{ matrix.type }} + . + --set controller.image.repository=${{ matrix.image }} + --set controller.image.tag=${{ matrix.tag }} + --set controller.service.type=NodePort + --set controller.nginxplus=${{ contains(matrix.type, 'plus') && 'true' || 'false' }} + --set controller.telemetryReporting.enable=false + --wait + working-directory: ${{ github.workspace }}/charts/nginx-ingress + + - name: Expose Test Ingresses + run: | + kubectl port-forward service/${{ matrix.type }}-nginx-ingress-controller 8080:80 8443:443 & + + - name: Test HTTP + run: | + counter=0 + max_attempts=5 + until [ $(curl --write-out %{http_code} -s --output /dev/null http://localhost:8080) -eq 404 ]; do + if [ ${counter} -eq ${max_attempts} ]; then + exit 1 + fi + printf '.'; counter=$(($counter+1)); sleep 5; + done + + - name: Test HTTPS + run: | + counter=0 + max_attempts=5 + until [ $(curl --write-out %{http_code} -ks --output /dev/null https://localhost:8443) -eq 000 ]; do + if [ ${counter} -eq ${max_attempts} ]; then + exit 1 + fi + printf '.'; counter=$(($counter+1)); sleep 5; + done + + setup-regression-matrix: + name: Setup Matrix for Smoke Tests + runs-on: ubuntu-22.04 + needs: [checks] + permissions: + contents: read + id-token: write + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - name: Checkout Repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + ref: ${{ needs.checks.outputs.branch }} + + - id: set-matrix + run: | + echo "matrix=$(cat .github/data/matrix-regression.json | jq -c --argjson latest '${{ needs.checks.outputs.latest_kindest_node_versions }}' '.k8s += 
$latest'))" >> $GITHUB_OUTPUT + + regression-tests: + name: ${{ matrix.images.label }} ${{ matrix.images.image }} ${{ matrix.k8s }} regression tests + runs-on: ubuntu-22.04 + needs: [checks, setup-regression-matrix] + strategy: + fail-fast: false + matrix: ${{ fromJSON(needs.setup-regression-matrix.outputs.matrix) }} + permissions: + contents: read + id-token: write + steps: + - name: Checkout Repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + ref: ${{ needs.checks.outputs.branch }} + + - name: Set image variables + id: image_details + run: | + echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.images.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.images.nap_modules, 'waf') && '-nap' || '' }}/nginx${{ contains(matrix.images.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT + echo "tag=${{ needs.checks.outputs.stable_tag }}${{ contains(matrix.images.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.images.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.images.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.images.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: NAP modules + id: nap_modules + run: | + [[ "${{ matrix.images.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.images.nap_modules }}" + echo "modules=${modules}" >> $GITHUB_OUTPUT + if: ${{ matrix.images.nap_modules }} + + - name: Pull build image + run: | + 
docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.tag }} + + - name: Run Regression Tests + id: regression-tests + uses: ./.github/actions/smoke-tests + with: + image-type: ${{ matrix.images.image }} + image-name: ${{ steps.image_details.outputs.name }} + tag: ${{ steps.image_details.outputs.tag }} + marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }} + k8s-version: ${{ matrix.k8s }} + label: ${{ matrix.images.label }} + azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} + test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + + - name: Upload Test Results + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: ${{ steps.regression-tests.outputs.test-results-name }} + path: ${{ steps.regression-tests.outputs.test-results-path }} + if: always() + + tag-stable: + name: Tag tested image as nightly + needs: [checks, regression-tests] + permissions: + contents: read # To checkout repository + id-token: write # To sign into Google Container Registry + uses: ./.github/workflows/retag-images.yml + with: + source_tag: ${{ needs.checks.outputs.stable_tag }} + target_tag: nightly + dry_run: false + secrets: inherit + + release-oss: + # pushes nightly images to docker hub + name: Release Docker OSS + needs: [checks, regression-tests] + uses: ./.github/workflows/oss-release.yml + with: + gcr_release_registry: false + ecr_public_registry: true + dockerhub_public_registry: true + quay_public_registry: true + github_public_registry: true + source_tag: ${{ needs.checks.outputs.stable_tag }} + target_tag: "nightly" + dry_run: false + permissions: + contents: read + id-token: write + packages: write + secrets: inherit + + release-plus: + # pushes plus nightly images to nginx registry + name: Release Docker Plus + needs: [checks, regression-tests] + uses: ./.github/workflows/plus-release.yml + with: + nginx_registry: true 
+ gcr_release_registry: false + gcr_mktpl_registry: false + ecr_mktpl_registry: false + az_mktpl_registry: false + source_tag: ${{ needs.checks.outputs.stable_tag }} + target_tag: "nightly" + dry_run: false + permissions: + contents: read + id-token: write + secrets: inherit diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml index 0c6ce07165..7f9b0bdf50 100644 --- a/.github/workflows/release-pr.yml +++ b/.github/workflows/release-pr.yml @@ -49,7 +49,7 @@ jobs: echo "branch=release-$version" >> $GITHUB_OUTPUT - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ steps.branch.outputs.branch }} token: ${{ secrets.NGINX_PAT }} @@ -60,7 +60,7 @@ jobs: .github/scripts/release-notes-update.sh ${{ github.event.inputs.new_version }} ${{ github.event.inputs.new_helm_version }} "${{ github.event.inputs.k8s_versions }}" "${{ github.event.inputs.release_date }}" - name: Create Pull Request - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: token: ${{ secrets.NGINX_PAT }} commit-message: Release ${{ github.event.inputs.new_version }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3f683b334c..f2a2e99601 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -54,7 +54,7 @@ jobs: binary_cache_sign_hit: ${{ steps.binary-cache-sign.outputs.cache-hit }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 ref: ${{ inputs.release_branch }} 
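Review bot: In the `Output Variables` step of the `checks` job in the new `regression.yml`, `${{ inputs.branch }}` is expanded into the script text twice (`if [ -n "${{ inputs.branch }}" ]` and `branch=${{ inputs.branch }}`), so a dispatch value containing shell metacharacters is interpreted by the shell rather than treated as a branch name. Pass it through the environment instead: add `env: BRANCH_INPUT: ${{ inputs.branch }}` to the step and use `branch="${BRANCH_INPUT:-${{ github.event.repository.default_branch }}}"`. Separately, `tag-stable`, `release-oss` and `release-plus` run with `dry_run: false` and `secrets: inherit` for whatever branch was dispatched, so a manual run against a non-default branch appears to publish that branch's `stable_tag` images as `nightly`; an `if:` restricting those jobs to the default branch would make the intent explicit. The new file also pins `actions/checkout` at v4.1.6 while the rest of this commit moves to v4.1.7.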
@@ -87,7 +87,7 @@ jobs: contents: write steps: - name: Checkout NIC repo - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.release_branch }} fetch-depth: 0 @@ -174,7 +174,7 @@ jobs: needs: [release-oss] steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.release_branch }} @@ -270,7 +270,7 @@ jobs: product_id: AWS_NAP_WAF_DOS_PRODUCT_ID steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.release_branch }} @@ -298,7 +298,7 @@ jobs: contents: read steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Fetch Binary Artifacts from Cache uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 @@ -340,7 +340,7 @@ jobs: contents: read steps: - name: Checkout Repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.release_branch }} @@ -384,7 +384,7 @@ jobs: actions: read # for slack notification steps: - name: Checkout Repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.release_branch }} 
@@ -486,7 +486,7 @@ jobs: image: ["nginx/nginx-ingress:${{ inputs.nic_version }}", "nginx/nginx-ingress:${{ inputs.nic_version }}-ubi", "nginx/nginx-ingress:${{ inputs.nic_version }}-alpine"] steps: - name: Checkout Repository - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.release_branch }} diff --git a/.github/workflows/retag-images.yml b/.github/workflows/retag-images.yml index fefb9fc358..9e27bd1369 100644 --- a/.github/workflows/retag-images.yml +++ b/.github/workflows/retag-images.yml @@ -40,7 +40,7 @@ jobs: id-token: write steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Authenticate to Google Cloud id: gcr-auth diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 9ef12bab55..b437936556 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -29,7 +29,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: persist-credentials: false @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: sarif_file: results.sarif diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml new file mode 100644 index 0000000000..8298c9c019 --- /dev/null +++ b/.github/workflows/setup-smoke.yml 
@@ -0,0 +1,167 @@ +name: Setup Smoke tests + +on: + workflow_call: + inputs: + image: + required: true + type: string + target: + required: true + type: string + nap-modules: + required: true + type: string + marker: + required: true + type: string + label: + required: true + type: string + go-md5: + required: true + type: string + build-tag: + required: true + type: string + stable-tag: + required: true + type: string + authenticated: + required: true + type: boolean + k8s-version: + required: true + type: string + +defaults: + run: + shell: bash + +permissions: + contents: read + +jobs: + setup-smoke: + permissions: + contents: read # for docker/build-push-action to read repo content + id-token: write # for OIDC login to GCR + runs-on: ubuntu-22.04 + steps: + - name: Checkout Repository + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Set image variables + id: image_details + run: | + echo "name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap-modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap-modules, 'waf') && '-nap' || '' }}/nginx${{ contains(inputs.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT + echo "build_tag=${{ inputs.build-tag }}${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + echo "stable_tag=${{ inputs.stable-tag }}${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}}" >> $GITHUB_OUTPUT + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY 
}} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + if: ${{ inputs.authenticated }} + + - name: Login to GCR + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + if: ${{ inputs.authenticated }} + + - name: Check if stable image exists + id: stable_exists + run: | + if docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.stable_tag }}; then + echo "exists=true" >> $GITHUB_OUTPUT + fi + if: ${{ inputs.authenticated }} + + - name: NAP modules + id: nap_modules + run: | + [[ "${{ inputs.nap-modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ inputs.nap-modules }}" + echo "modules=${modules}" >> $GITHUB_OUTPUT + if: ${{ inputs.nap-modules }} + + - name: Pull build image + run: | + docker pull ${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }} + if: ${{ inputs.authenticated && steps.stable_exists.outputs.exists != 'true' }} + + - name: Fetch Cached Artifacts + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 + with: + path: ${{ github.workspace }}/dist + key: nginx-ingress-${{ inputs.go-md5 }} + fail-on-cache-miss: true + if: ${{ !inputs.authenticated }} + + - name: Check if test image exists + id: check-image + run: | + docker manifest inspect "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + shell: bash + continue-on-error: true + if: ${{ inputs.authenticated }} + + - name: Build Test-Runner Container + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 + with: + file: tests/Dockerfile + context: "." 
+ cache-from: type=gha,scope=test-runner + tags: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + pull: true + push: ${{ inputs.authenticated }} + load: ${{ !inputs.authenticated }} + if: ${{ ( !inputs.authenticated || steps.check-image.outcome == 'failure' ) }} + + - name: Build ${{ inputs.image }} Container + uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2 + with: + file: build/Dockerfile + context: "." + cache-from: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }} + cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max + target: goreleaser + tags: "${{ steps.image_details.outputs.name }}:${{ steps.image_details.outputs.build_tag }}" + load: true + pull: true + build-args: | + BUILD_OS=${{ inputs.image }} + IC_VERSION=CI + ${{ contains(inputs.image, 'nap') && format('NAP_MODULES={0}', steps.nap_modules.outputs.modules) || '' }} + ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }} + secrets: | + ${{ contains(inputs.image, 'nap') && format('"nginx-repo.crt={0}"', secrets.NGINX_AP_CRT) || format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }} + ${{ contains(inputs.image, 'nap') && format('"nginx-repo.key={0}"', secrets.NGINX_AP_KEY) || format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }} + ${{ contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} + if: ${{ !inputs.authenticated }} + + - name: Run Smoke Tests + id: smoke-tests + uses: ./.github/actions/smoke-tests + with: + image-type: ${{ inputs.image }} + image-name: ${{ steps.image_details.outputs.name }} + tag: ${{ steps.image_details.outputs.build_tag }} + marker: ${{ inputs.marker != '' && inputs.marker || '' }} + label: ${{ inputs.label }} + k8s-version: ${{ 
inputs.k8s-version }} + azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }} + test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt') || 'latest' }}" + if: ${{ steps.stable_exists.outputs.exists != 'true' }} + + - name: Upload Test Results + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: ${{ steps.smoke-tests.outputs.test-results-name }} + path: ${{ steps.smoke-tests.outputs.test-results-path }} + if: always() diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml index a33c95bc18..62be001ad9 100644 --- a/.github/workflows/update-docker-images.yml +++ b/.github/workflows/update-docker-images.yml @@ -33,7 +33,7 @@ jobs: date: ${{ steps.kic.outputs.date }} steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 @@ -341,7 +341,7 @@ jobs: needs: [variables, release-oss-public] steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Certify UBI OSS images in quay uses: ./.github/actions/certify-openshift-image diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml index 603c2afd15..ee75c7f302 100644 --- a/.github/workflows/update-docker-sha.yml +++ b/.github/workflows/update-docker-sha.yml @@ -49,7 +49,7 @@ jobs: needs: [vars] steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ needs.vars.outputs.source_branch }} 
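Review bot: In the `Build ${{ inputs.image }} Container` step, `cache-from` and `cache-to` read `steps.nap_modules.outputs.name`, but the `NAP modules` step only writes `modules=` to `$GITHUB_OUTPUT`, so the suffix is always empty and every NAP module combination of one image shares a single `type=gha` scope; the `build-args` in the same step already use the right key, so the scope should be `steps.nap_modules.outputs.modules != '' && format('-{0}', steps.nap_modules.outputs.modules) || ''`. Separately, the `run:` scripts in `Set image variables` and `NAP modules` expand `${{ inputs.nap-modules }}`, `${{ inputs.build-tag }}` and `${{ inputs.stable-tag }}` straight into the shell text, so the values are parsed as script rather than data. Which callers supply these inputs is not visible in this file; mapping them through `env:` (for example `NAP_MODULES: ${{ inputs.nap-modules }}`) and testing `"$NAP_MODULES"` keeps the step safe whatever the caller passes. A short comment above `Check if test image exists` explaining that `continue-on-error: true` is what routes a missing image to the build step would also help, since any other failure of `docker manifest inspect` takes the same path.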
@@ -73,7 +73,7 @@ jobs: echo $GITHUB_OUTPUT - name: Create Pull Request - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: token: ${{ secrets.NGINX_PAT }} commit-message: Update docker images ${{ steps.update_images.outputs.docker_md5 }} diff --git a/.github/workflows/updates-notification.yml b/.github/workflows/updates-notification.yml index 102045956f..1e7185f372 100644 --- a/.github/workflows/updates-notification.yml +++ b/.github/workflows/updates-notification.yml @@ -32,7 +32,7 @@ jobs: actions: read # for 8398a7/action-slack steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: refs/tags/v${{ inputs.tag }} diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 3a8a49fdc3..d913c23450 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout Repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: ref: ${{ inputs.source_branch }} @@ -48,7 +48,7 @@ jobs: CHART_VERSION: ${{ inputs.helm_chart_version }} - name: Create Pull Request - uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5 + uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0 with: token: ${{ secrets.NGINX_PAT }} commit-message: Version Bump for ${{ github.event.inputs.ic_version }} diff --git a/build/Dockerfile b/build/Dockerfile index 55017d3635..c0f45b1ed9 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -10,16 +10,16 @@ ARG WAF_VERSION=v4 ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0@sha256:d9f6f930b7bfcc026785aca49fdb96fbecdc517ebbdb893f6393ac78b247c8fb as opentracing-lib -FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c76384a775316c541995b145d4cef86d529934951319fd127f4d4fdb9ef7 as alpine-opentracing-lib -FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 as alpine-fips-3.17 -FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc as alpine-fips-3.19 +FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0@sha256:d9f6f930b7bfcc026785aca49fdb96fbecdc517ebbdb893f6393ac78b247c8fb AS opentracing-lib +FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c76384a775316c541995b145d4cef86d529934951319fd127f4d4fdb9ef7 AS alpine-opentracing-lib +FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 AS alpine-fips-3.17 +FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc AS alpine-fips-3.19 FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal -FROM golang:1.22-alpine@sha256:6522f0ca555a7b14c46a2c9f50b86604a234cdc72452bf6a268cae6461d9000b as golang-builder +FROM golang:1.22-alpine@sha256:32c85006b1edf29c097514e0c81a33334aa1450685a885c10657ec756dbb7703 AS golang-builder ############################################# Base image for Alpine ############################################# -FROM nginx:1.27.0-alpine@sha256:69f8c2c72671490607f52122be2af27d4fc09657ff57e42045801aa93d2090f7 AS alpine +FROM 
nginx:1.27.0-alpine@sha256:d68d230c2c7f0b28c7e5f17ed66d521deeba23aa467568202af72f7f7f61cd94 AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ @@ -40,7 +40,7 @@ RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for UBI ############################################# -FROM nginxcontrib/nginx:1.27.0-ubi@sha256:69de271d650f3cb14c74fd8c3982db76b3efb940811c69a92f9f387bc3d6131a AS ubi +FROM nginxcontrib/nginx:1.27.0-ubi@sha256:5547fe1036d63cc9dfdc3aba1cfc822dbb42dbf63ec68e32bcf363e0b1653fc4 AS ubi ARG IC_VERSION LABEL name="NGINX Ingress Controller" \ @@ -57,7 +57,7 @@ COPY --link --chown=101:0 LICENSE /licenses/ ############################################# NGINX files for NGINX Plus ############################################# -FROM scratch as nginx-files +FROM scratch AS nginx-files ARG IC_VERSION ARG BUILD_OS ARG NGINX_PLUS_VERSION @@ -97,7 +97,7 @@ ADD --link --chown=101:0 --chmod=0755 build/scripts/agent.sh agent.sh ############################################# Patch Image ############################################# -FROM ${IMAGE_NAME} as patched +FROM ${IMAGE_NAME} AS patched ARG IMAGE_NAME ARG IC_VERSION @@ -112,7 +112,7 @@ USER 101 ############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b as alpine-plus +FROM alpine:3.19@sha256:af4785ccdbcd5cde71bfd5b93eabd34250b98651f19fe218c91de6c8d10e21c5 AS alpine-plus ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} 
@@ -131,7 +131,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ ############################################# Base image for Alpine with NGINX Plus and FIPS ############################################# -FROM alpine-plus as alpine-plus-fips +FROM alpine-plus AS alpine-plus-fips ARG NGINX_PLUS_VERSION ENV NGINX_VERSION=${NGINX_PLUS_VERSION} @@ -144,7 +144,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# -FROM alpine:3.17@sha256:53cf9478b76f4c8fae126acbdfb79bed6e69e628faff572ebe4a029d3d247d98 as alpine-plus-nap-fips +FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc AS alpine-plus-nap-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -180,7 +180,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAFv5 and FIPS ############################################# -FROM alpine:3.17@sha256:53cf9478b76f4c8fae126acbdfb79bed6e69e628faff572ebe4a029d3d247d98 as alpine-plus-nap-v5-fips +FROM alpine:3.17@sha256:a6063e988bcd597b4f1f7cfd4ec38402b02edd0c79250f00c9e14dc1e94bebbc AS alpine-plus-nap-v5-fips ARG NGINX_PLUS_VERSION ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -242,7 +242,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for Debian with NGINX Plus and App Protect WAF/DoS ############################################# -FROM debian-plus as debian-plus-nap +FROM debian-plus AS debian-plus-nap ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION 
@@ -286,7 +286,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && if [ -z "${NAP_MODULES##*dos*}" ]; then nap-dos.sh; fi ############################################# Base image for Debian with NGINX Plus and App Protect WAFv5/DoS ############################################# -FROM debian-plus as debian-plus-nap-v5 +FROM debian-plus AS debian-plus-nap-v5 ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -338,7 +338,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF ############################################# -FROM ubi-minimal as ubi-9-plus-nap +FROM ubi-minimal AS ubi-9-plus-nap ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -382,7 +382,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 ############################################# -FROM ubi-minimal as ubi-9-plus-nap-v5 +FROM ubi-minimal AS ubi-9-plus-nap-v5 ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -427,7 +427,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAF & DoS ############################################# -FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d as ubi-8-plus-nap +FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION 
@@ -491,7 +491,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Base image for UBI with NGINX Plus and App Protect WAFv5 ############################################# -FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d as ubi-8-plus-nap-v5 +FROM redhat/ubi8@sha256:143123d85045df426c5bbafc6863659880ebe276eb02c77ee868b88d08dbd05d AS ubi-8-plus-nap-v5 ARG NAP_MODULES ARG NGINX_AGENT ARG NGINX_PLUS_VERSION @@ -539,7 +539,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ############################################# Create common files, permissions and setcap ############################################# -FROM ${BUILD_OS} as common +FROM ${BUILD_OS} AS common ARG BUILD_OS ARG IC_VERSION @@ -773,9 +773,9 @@ USER 101 ############################################# Create image with nginx-ingress extracted from image on Docker Hub ############################################# -FROM nginx/nginx-ingress:${DOWNLOAD_TAG} as kic +FROM nginx/nginx-ingress:${DOWNLOAD_TAG} AS kic -FROM common as download +FROM common AS download LABEL org.nginx.kic.image.build.version="binaries" diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index d911d2f818..f646199045 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go 
@@ -736,7 +736,14 @@ func createPlusAndLatencyCollectors( streamServerZoneVariableLabels := []string{"resource_type", "resource_name", "resource_namespace"} variableLabelNames := nginxCollector.NewVariableLabelNames(upstreamServerVariableLabels, serverZoneVariableLabels, upstreamServerPeerVariableLabelNames, streamUpstreamServerVariableLabels, streamServerZoneVariableLabels, streamUpstreamServerPeerVariableLabelNames, nil, nil) - promlogConfig := &promlog.Config{} + infoLevel := new(promlog.AllowedLevel) + err := infoLevel.Set("info") + if err != nil { + glog.Error("Error setting prometheus exporter log level") + } + promlogConfig := &promlog.Config{ + Level: infoLevel, + } logger := promlog.New(promlogConfig) plusCollector = nginxCollector.NewNginxPlusCollector(plusClient, "nginx_ingress_nginxplus", variableLabelNames, constLabels, logger) go metrics.RunPrometheusListenerForNginxPlus(*prometheusMetricsListenPort, plusCollector, registry, prometheusSecret) diff --git a/go.mod b/go.mod index d86596d3c3..10d2d30e3b 100644 --- a/go.mod +++ b/go.mod 
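Review bot: The added `glog.Error("Error setting prometheus exporter log level")` drops the `err` it just checked, so a failure here would be logged with no cause; `glog.Errorf("Error setting prometheus exporter log level: %v", err)` keeps it. The same eight added lines appear again in the `RunPrometheusListenerForNginx` hunk of `internal/metrics/listener.go`, and the same remark applies there; a small shared helper returning the `*promlog.Config` would stop the two copies drifting. Execution continues with `Level: infoLevel` after a failed `Set`, which looks intentional as best-effort, but a one-line comment saying so would save the next reader the question. `createPlusAndLatencyCollectors` starts and ends outside this hunk.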
@@ -3,24 +3,24 @@ module github.com/nginxinc/kubernetes-ingress go 1.22.4 require ( - github.com/aws/aws-sdk-go-v2/config v1.27.18 - github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.21.10 + github.com/aws/aws-sdk-go-v2/config v1.27.21 + github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.22.1 github.com/cert-manager/cert-manager v1.15.0 github.com/dlclark/regexp2 v1.11.0 github.com/gkampitakis/go-snaps v0.5.4 - github.com/go-chi/chi/v5 v5.0.12 + github.com/go-chi/chi/v5 v5.0.13 github.com/golang-jwt/jwt/v4 v4.5.0 github.com/golang/glog v1.2.0 github.com/google/go-cmp v0.6.0 github.com/jinzhu/copier v0.4.0 github.com/kr/pretty v0.3.1 - github.com/nginxinc/nginx-plus-go-client v1.2.0 + github.com/nginxinc/nginx-plus-go-client v1.2.1 github.com/nginxinc/nginx-prometheus-exporter v1.1.2 github.com/nginxinc/nginx-service-mesh v1.7.0 github.com/nginxinc/telemetry-exporter v0.1.0 github.com/prometheus/client_golang v1.18.0 github.com/prometheus/common v0.47.0 - github.com/spiffe/go-spiffe/v2 v2.2.0 + github.com/spiffe/go-spiffe/v2 v2.3.0 github.com/stretchr/testify v1.9.0 go.opentelemetry.io/otel v1.27.0 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 
@@ -35,18 +35,18 @@ require ( require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect - github.com/Microsoft/go-winio v0.6.1 // indirect - github.com/aws/aws-sdk-go-v2 v1.27.2 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.18 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 // indirect + github.com/Microsoft/go-winio v0.6.2 // indirect + github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect + github.com/aws/aws-sdk-go-v2/credentials v1.17.21 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 // indirect github.com/aws/smithy-go v1.20.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect 
@@ -130,7 +130,7 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect google.golang.org/grpc v1.64.0 // indirect - google.golang.org/protobuf v1.34.1 // indirect + google.golang.org/protobuf v1.34.2 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/go.sum b/go.sum index 5f3a1b0a0d..7c66bc7b12 100644 --- a/go.sum +++ b/go.sum 
@@ -1,35 +1,35 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= -github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= -github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= +github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI= github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= -github.com/aws/aws-sdk-go-v2 v1.27.2 h1:pLsTXqX93rimAOZG2FIYraDQstZaaGVVN4tNw65v0h8= -github.com/aws/aws-sdk-go-v2 v1.27.2/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= -github.com/aws/aws-sdk-go-v2/config v1.27.18 h1:wFvAnwOKKe7QAyIxziwSKjmer9JBMH1vzIL6W+fYuKk= -github.com/aws/aws-sdk-go-v2/config v1.27.18/go.mod h1:0xz6cgdX55+kmppvPm2IaKzIXOheGJhAufacPJaXZ7c= -github.com/aws/aws-sdk-go-v2/credentials v1.17.18 h1:D/ALDWqK4JdY3OFgA2thcPO1c9aYTT5STS/CvnkqY1c= -github.com/aws/aws-sdk-go-v2/credentials v1.17.18/go.mod h1:JuitCWq+F5QGUrmMPsk945rop6bB57jdscu+Glozdnc= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5 h1:dDgptDO9dxeFkXy+tEgVkzSClHZje/6JkPW5aZyEvrQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.5/go.mod h1:gjvE2KBUgUQhcv89jqxrIxH9GaKs1JbZzWejj/DaHGA= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9 h1:cy8ahBJuhtM8GTTSyOkfy6WVPV1IE+SS5/wfXUYuulw= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.9/go.mod h1:CZBXGLaJnEZI6EVNcPd7a6B5IC5cA/GkRWtu9fp3S6Y= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9 h1:A4SYk07ef04+vxZToz9LWvAXl9LW0NClpPpMsi31cz0= 
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.9/go.mod h1:5jJcHuwDagxN+ErjQ3PU3ocf6Ylc/p9x+BLO/+X4iXw= +github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA= +github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM= +github.com/aws/aws-sdk-go-v2/config v1.27.21 h1:yPX3pjGCe2hJsetlmGNB4Mngu7UPmvWPzzWCv1+boeM= +github.com/aws/aws-sdk-go-v2/config v1.27.21/go.mod h1:4XtlEU6DzNai8RMbjSF5MgGZtYvrhBP/aKZcRtZAVdM= +github.com/aws/aws-sdk-go-v2/credentials v1.17.21 h1:pjAqgzfgFhTv5grc7xPHtXCAaMapzmwA7aU+c/SZQGw= +github.com/aws/aws-sdk-go-v2/credentials v1.17.21/go.mod h1:nhK6PtBlfHTUDVmBLr1dg+WHCOCK+1Fu/WQyVHPsgNQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 h1:FR+oWPFb/8qMVYMWN98bUZAGqPvLHiyqg1wqQGfUAXY= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8/go.mod h1:EgSKcHiuuakEIxJcKGzVNWh5srVAQ3jKaSrBGRYvM48= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11 h1:o4T+fKxA3gTMcluBNZZXE9DNaMkJuUL1O3mffCUjoJo= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.11/go.mod 
h1:84oZdJ+VjuJKs9v1UTC9NaodRZRseOXCTgku+vQJWR8= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.21.10 h1:ScjyYTUx0mHcW6ThHCdHIIsih1jpSLdQ2Q8rf7jthCY= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.21.10/go.mod h1:7Ob1csQEzlr5jqJ+Mzp4NeuNRtqFUlWxkjX91Isty0g= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.11 h1:gEYM2GSpr4YNWc6hCd5nod4+d4kd9vWIAWrmGuLdlMw= -github.com/aws/aws-sdk-go-v2/service/sso v1.20.11/go.mod h1:gVvwPdPNYehHSP9Rs7q27U1EU+3Or2ZpXvzAYJNh63w= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5 h1:iXjh3uaH3vsVcnyZX7MqCoCfcyxIrVE9iOQruRaWPrQ= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.5/go.mod h1:5ZXesEuy/QcO0WUnt+4sDkxhdXRHTu2yG0uCSH8B6os= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.12 h1:M/1u4HBpwLuMtjlxuI2y6HoVLzF5e2mfxHCg7ZVMYmk= -github.com/aws/aws-sdk-go-v2/service/sts v1.28.12/go.mod h1:kcfd+eTdEi/40FIbLq4Hif3XMXnl5b/+t/KTfLt9xIk= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.22.1 h1:cUDTQYv1AapRcYi7bmSO990q9t3+C6KXcjZxdNexgMs= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.22.1/go.mod h1:FARw6qpTrHDbxBAJNEdwBzfMQYZj/kHYeEw2ww0V/HM= +github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 h1:sd0BsnAvLH8gsp2e3cbaIr+9D7T1xugueQ7V/zUAsS4= +github.com/aws/aws-sdk-go-v2/service/sso v1.21.1/go.mod h1:lcQG/MmxydijbeTOp04hIuJwXGWPZGI3bwdFDGRTv14= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 h1:1uEFNNskK/I1KoZ9Q8wJxMz5V9jyBlsiaNrM7vA3YUQ= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1/go.mod h1:z0P8K+cBIsFXUr5rzo/psUeJ20XjPN0+Nn8067Nd+E4= +github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 h1:myX5CxqXE0QMZNja6FA1/FSE3Vu1rVmeUmpJMMzeZg0= +github.com/aws/aws-sdk-go-v2/service/sts v1.29.1/go.mod 
h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE= github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q= github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -75,8 +75,8 @@ github.com/gkampitakis/go-snaps v0.5.4/go.mod h1:ZABkO14uCuVxBHAXAfKG+bqNz+aa1bG github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-asn1-ber/asn1-ber v1.5.6 h1:CYsqysemXfEaQbyrLJmdsCRuufHoLa3P/gGWGl5TDrM= github.com/go-asn1-ber/asn1-ber v1.5.6/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= -github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s= -github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/chi/v5 v5.0.13 h1:JlH2F2M8qnwl0N1+JFFzlX9TlKJYas3aPXdiuTmJL+w= +github.com/go-chi/chi/v5 v5.0.13/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk= github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU= 
@@ -189,8 +189,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/nginxinc/glog v1.1.2 h1:zyoZXhCoYvNMJq4qMsKislUCGyJ4eU2gNl3Nt7cjESg= github.com/nginxinc/glog v1.1.2/go.mod h1:Q2FpGp/qFhJEVnuC88BVfbLDPmio9aHYUj4al6w0138= -github.com/nginxinc/nginx-plus-go-client v1.2.0 h1:NVfRsHbMJ7lOhkqMG52uvODiDBhQZNp20c0tV2lU3wg= -github.com/nginxinc/nginx-plus-go-client v1.2.0/go.mod h1:n8OFLzrJulJ2fur28Cwa1Qp5DZNS2VicLV+Adt30LQ4= +github.com/nginxinc/nginx-plus-go-client v1.2.1 h1:65L9xgPDNbEbd23FTTCcaZ2qF9TX5/Z6vkkEl7RKiVo= +github.com/nginxinc/nginx-plus-go-client v1.2.1/go.mod h1:n8OFLzrJulJ2fur28Cwa1Qp5DZNS2VicLV+Adt30LQ4= github.com/nginxinc/nginx-prometheus-exporter v1.1.2 h1:X2Oe/TOvOF4Ef/2mw72xj2BEWG+7Fud0PRngJlIy9GI= github.com/nginxinc/nginx-prometheus-exporter v1.1.2/go.mod h1:A1Fy5uLQonVGmwLC5xNxBX+vPFgYzBOvPjNRs8msT0k= github.com/nginxinc/nginx-service-mesh v1.7.0 h1:oxKr+Jdbxkos10VTy5xF2UHCcmfIhqWNlsOK/zPnZDM= 
@@ -231,8 +231,8 @@ github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spiffe/go-spiffe/v2 v2.2.0 h1:9Vf06UsvsDbLYK/zJ4sYsIsHmMFknUD+feA7IYoWMQY= -github.com/spiffe/go-spiffe/v2 v2.2.0/go.mod h1:Urzb779b3+IwDJD2ZbN8fVl3Aa8G4N/PiUe6iXC0XxU= +github.com/spiffe/go-spiffe/v2 v2.3.0 h1:g2jYNb/PDMB8I7mBGL2Zuq/Ur6hUhoroxGQFyD6tTj8= +github.com/spiffe/go-spiffe/v2 v2.3.0/go.mod h1:Oxsaio7DBgSNqhAO9i/9tLClaVlfRok7zvJnTV8ZyIY= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 
@@ -395,8 +395,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 h1: google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY= google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg= -google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= -google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= diff --git a/internal/metrics/listener.go b/internal/metrics/listener.go index 4f247eca1e..65e3e2b4e4 100644 --- a/internal/metrics/listener.go +++ b/internal/metrics/listener.go 
@@ -26,7 +26,15 @@ func NewNginxMetricsClient(httpClient *http.Client) *prometheusClient.NginxClien // RunPrometheusListenerForNginx runs an http server to expose Prometheus metrics for NGINX func RunPrometheusListenerForNginx(port int, client *prometheusClient.NginxClient, registry *prometheus.Registry, constLabels map[string]string, prometheusSecret *v1.Secret) { - promlogConfig := &promlog.Config{} + infoLevel := new(promlog.AllowedLevel) + err := infoLevel.Set("info") + if err != nil { + glog.Error("Error setting prometheus exporter log level") + } + promlogConfig := &promlog.Config{ + Level: infoLevel, + } + logger := promlog.New(promlogConfig) registry.MustRegister(nginxCollector.NewNginxCollector(client, "nginx_ingress_nginx", constLabels, logger)) runServer(strconv.Itoa(port), registry, prometheusSecret) diff --git a/tests/requirements.txt b/tests/requirements.txt index a51cf4484d..15308bcec4 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt @@ -594,9 +594,9 @@ six==1.16.0 \ # kubernetes # pytest-profiling # python-dateutil -urllib3==2.2.1 \ - --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \ - --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19 +urllib3==2.2.2 \ + --hash=sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472 \ + --hash=sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168 # via # -r requirements.txt # kubernetes