add license secret and mgmt config map for r33

.github/actions/smoke-tests/action.yaml

@@ -34,6 +34,9 @@ inputs:
   registry-token:
     description: JWT token for accessing container registry
     required: false
+  plus-jwt:
+    description: JWT for NGINX Plus
+    required: false
 
 outputs:
   test-results-name:
@@ -101,6 +104,7 @@ runs:
         --durations=10 \
         --show-ic-logs=yes \
         --ad-secret=${{ inputs.azure-ad-secret }} \
+        --plus-jwt=${{ inputs.plus-jwt }} \
         -m ${{ inputs.marker != '' && inputs.marker || '""' }}
       working-directory: ./tests
       shell: bash

.github/data/matrix-images-plus.json

@@ -18,7 +18,7 @@
     },
     {
       "image": "ubi-9-plus",
-      "platforms": "linux/arm64, linux/amd64, linux/s390x",
+      "platforms": "linux/arm64, linux/amd64",
       "target": "goreleaser"
     }
   ]

.github/workflows/regression.yml

@@ -262,7 +262,7 @@ jobs:
 
       - name: Generate WAF v5 tgz from JSON
         run: |
-          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.3.0 -p /data/wafv5.json -o /data/wafv5.tgz
+          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.4.0 -p /data/wafv5.json -o /data/wafv5.tgz
         if: ${{ contains(matrix.images.image, 'nap-v5')}}
 
       - name: Run Regression Tests
@@ -278,6 +278,7 @@ jobs:
           azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }}
           registry-token: ${{ steps.auth.outputs.access_token }}
           test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt', './tests/Dockerfile') || 'latest' }}"
+          plus-jwt: ${{ secrets.PLUS_JWT }}
 
       - name: Upload Test Results
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3

.github/workflows/setup-smoke.yml

@@ -149,7 +149,7 @@ jobs:
 
       - name: Generate WAF v5 tgz from JSON
         run: |
-          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.3.0 -p /data/wafv5.json -o /data/wafv5.tgz
+          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.4.0 -p /data/wafv5.json -o /data/wafv5.tgz
         if: ${{ contains(inputs.image, 'nap-v5')}}
 
       - name: Run Smoke Tests
@@ -165,6 +165,7 @@ jobs:
           azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }}
           registry-token: ${{ steps.auth.outputs.access_token }}
           test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ hashFiles('./tests/requirements.txt', './tests/Dockerfile') || 'latest' }}"
+          plus-jwt: ${{ secrets.PLUS_JWT }}
         if: ${{ steps.stable_exists.outputs.exists != 'true'  }}
 
       - name: Upload Test Results

.github/workflows/single-image-regression.yml

@@ -109,3 +109,4 @@ jobs:
           azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }}
           registry-token: ${{ steps.auth.outputs.access_token }}
           test-image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:${{ inputs.test-image-tag }}"
+          plus-jwt: ${{ secrets.PLUS_JWT }}

build/Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.6
 ARG BUILD_OS=debian
-ARG NGINX_PLUS_VERSION=R32
+ARG NGINX_PLUS_VERSION=R33
 ARG DOWNLOAD_TAG=edge
 ARG DEBIAN_FRONTEND=noninteractive
 ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG}
@@ -198,7 +198,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \
 	&& cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf \
 	&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
 	&& ldconfig /usr/local/lib/ \
-	&& apk add --no-cache app-protect-module-plus~=32.5.144 \
+	&& apk add --no-cache app-protect-module-plus~=33.5.210 \
 	&& sed -i -e '/nginx.com/d' /etc/apk/repositories \
 	&& nap-waf.sh \
 	&& if [ "${NGINX_AGENT}" = "true" ]; then \
@@ -279,7 +279,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	&& if [ "${NGINX_AGENT}" = "true" ]; then agent.sh; fi \
 	&& if [ -z "${NAP_MODULES##*dos*}" ]; then nap-dos.sh; fi
 
-############################################# Base image for Debian with NGINX Plus and App Protect WAFv5/DoS #############################################
+############################################# Base image for Debian with NGINX Plus and App Protect WAFv5 #############################################
 FROM debian-plus AS debian-plus-nap-v5
 ARG NAP_MODULES
 ARG NGINX_AGENT
@@ -300,7 +300,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	&& apt-get update \
 	&& if [ "${NGINX_AGENT}" = "true" ]; then apt-get install --no-install-recommends --no-install-suggests -y nginx-agent; fi \
 	&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
-	apt-get install --no-install-recommends --no-install-suggests -y app-protect-plugin=6.3.0* app-protect-module-plus=32+5.144* nginx-plus-module-appprotect=32+5.144*; \
+	apt-get install --no-install-recommends --no-install-suggests -y app-protect-module-plus=33+5.210*; \
 	rm -f /etc/apt/sources.list.d/app-protect.sources; \
 	nap-waf.sh; \
 	fi \
@@ -430,7 +430,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	&& if [ "${NGINX_AGENT}" = "true" ]; then microdnf --nodocs install -y nginx-agent; fi \
 	&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
 	cp /tmp/app-protect-9.repo /etc/yum.repos.d/app-protect-9.repo \
-	&& microdnf --nodocs install -y app-protect-module-plus-32+5.144* \
+	&& microdnf --nodocs install -y app-protect-module-plus-33+5.210* \
 	&& nap-waf.sh \
 	&& rm -f /etc/yum.repos.d/app-protect-9.repo; \
 	fi \
@@ -517,7 +517,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	&& dnf config-manager --set-enabled codeready-builder-for-rhel-8-x86_64-rpms \
 	&& dnf --nodocs install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
 	&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
-	dnf --nodocs install -y app-protect-module-plus-32+5.144*; \
+	dnf --nodocs install -y app-protect-module-plus-33+5.210*; \
 	fi \
 	&& subscription-manager unregister \
 	&& if [ -z "${NAP_MODULES##*waf*}" ]; then \

charts/nginx-ingress/templates/_helpers.tpl

@@ -112,6 +112,24 @@ Expand the name of the configmap used for NGINX Agent.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Expand the name of the mgmt configmap.
+*/}}
+{{- define "nginx-ingress.mgmtConfigName" -}}
+{{- if .Values.controller.mgmt.customConfigMap -}}
+{{ .Values.controller.mgmt.customConfigMap }}
+{{- else -}}
+{{- default (printf "%s-mgmt" (include "nginx-ingress.fullname" .)) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Expand license token secret name.
+*/}}
+{{- define "nginx-ingress.licenseTokenSecretName" -}}
+{{- .Values.controller.mgmt.licenseTokenSecretName -}}
+{{- end -}}
+
 {{/*
 Expand leader election lock name.
 */}}
@@ -226,6 +244,9 @@ Build the args for the service binary.
 - -app-protect-dos-memory={{ .Values.controller.appprotectdos.memory }}
 {{ end }}
 - -nginx-configmaps=$(POD_NAMESPACE)/{{ include "nginx-ingress.configName" . }}
+{{- if .Values.controller.nginxplus }}
+- -mgmt-configmap=$(POD_NAMESPACE)/{{ include "nginx-ingress.mgmtConfigName" . }}
+{{- end }}
 {{- if .Values.controller.defaultTLS.secret }}
 - -default-server-tls-secret={{ .Values.controller.defaultTLS.secret }}
 {{ else if and (.Values.controller.defaultTLS.cert) (.Values.controller.defaultTLS.key) }}
@@ -423,6 +444,8 @@ volumeMounts:
   env:
     - name: ENFORCER_PORT
       value: "{{ .Values.controller.appprotect.enforcer.port | default 50000 }}"
+    - name: ENFORCER_CONFIG_TIMEOUT
+      value: "0"
   volumeMounts:
     - name: app-protect-bd-config
       mountPath: /opt/app_protect/bd_config

charts/nginx-ingress/templates/controller-configmap.yaml

@@ -30,3 +30,22 @@ data:
   nginx-agent.conf: |-
 {{ include "nginx-ingress.agentConfiguration" . | indent 4 }}
 {{- end }}
+---
+{{- if and .Values.controller.nginxplus (eq (.Values.controller.mgmt.customConfigMap | default "") "") }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "nginx-ingress.mgmtConfigName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "nginx-ingress.labels" . | nindent 4 }}
+{{- if .Values.controller.config.annotations }}
+  annotations:
+{{ toYaml .Values.controller.config.annotations | indent 4 }}
+{{- end }}
+data:
+  license-token-secret-name: {{ include "nginx-ingress.licenseTokenSecretName" . }}
+{{- if hasKey .Values.controller.mgmt "enforceInitialReport" }}
+  enforce-initial-report: {{ quote .Values.controller.mgmt.enforceInitialReport }}
+{{- end }}
+{{- end }}

charts/nginx-ingress/values.schema.json

@@ -94,6 +94,37 @@
             }
           ]
         },
+        "mgmt": {
+          "type": "object",
+          "default": {},
+          "title": "The mgmt block Schema",
+          "properties": {
+            "licenseTokenSecretName": {
+              "type": "string",
+              "default": "",
+              "title": "The licenseTokenSecretName Schema",
+              "examples": [
+                "nginx-plus-secret",
+                "license-token",
+                "license"
+              ]
+            },
+            "enforceInitialReport": {
+              "type": "boolean",
+              "default": false,
+              "title": "The enforceInitialReport Schema",
+              "examples": [
+                true,
+                false
+              ]
+            }
+          },
+          "examples": [
+            {
+              "licenseTokenSecretName": "license-token"
+            }
+          ]
+        },
         "nginxReloadTimeout": {
           "type": "integer",
           "default": 0,
@@ -208,10 +239,10 @@
                     },
                     "tag": {
                       "type": "string",
-                      "default": "5.3.0",
+                      "default": "5.4.0",
                       "title": "The tag of the  App Protect WAF v5 Enforcer image",
                       "examples": [
-                        "5.3.0"
+                        "5.4.0"
                       ]
                     },
                     "digest": {
@@ -248,7 +279,7 @@
                   "examples": [
                     {
                       "repository": "private-registry.nginx.com/nap/waf-enforcer",
-                      "tag": "5.3.0",
+                      "tag": "5.4.0",
                       "pullPolicy": "IfNotPresent"
                     }
                   ]
@@ -282,10 +313,10 @@
                     },
                     "tag": {
                       "type": "string",
-                      "default": "5.3.0",
+                      "default": "5.4.0",
                       "title": "The tag of the  App Protect WAF v5 Config Manager image",
                       "examples": [
-                        "5.3.0"
+                        "5.4.0"
                       ]
                     },
                     "digest": {
@@ -322,7 +353,7 @@
                   "examples": [
                     {
                       "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-                      "tag": "5.3.0",
+                      "tag": "5.4.0",
                       "pullPolicy": "IfNotPresent"
                     }
                   ]
@@ -1698,15 +1729,15 @@
               "port": 50000,
               "image": {
                 "repository": "private-registry.nginx.com/nap/waf-enforcer",
-                "tag": "5.3.0",
+                "tag": "5.4.0",
                 "pullPolicy": "IfNotPresent"
               },
               "securityContext": {}
             },
             "configManager": {
               "image": {
                 "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-                "tag": "5.3.0",
+                "tag": "5.4.0",
                 "pullPolicy": "IfNotPresent"
               },
               "securityContext": {
@@ -2312,15 +2343,15 @@
             "port": 50000,
             "image": {
               "repository": "private-registry.nginx.com/nap/waf-enforcer",
-              "tag": "5.3.0",
+              "tag": "5.4.0",
               "pullPolicy": "IfNotPresent"
             },
             "securityContext": {}
           },
           "configManager": {
             "image": {
               "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-              "tag": "5.3.0",
+              "tag": "5.4.0",
               "pullPolicy": "IfNotPresent"
             },
             "securityContext": {

charts/nginx-ingress/values.yaml

@@ -14,6 +14,14 @@ controller:
   ## Deploys the Ingress Controller for NGINX Plus.
   nginxplus: false
 
+  ## Configures NGINX mgmt block for NGINX Plus
+  mgmt:
+    ## Secret name of license token for NGINX Plus
+    licenseTokenSecretName: "license-token" # required for NGINX Plus
+
+    ## Enables the 180-day grace period for sending the initial usage report
+    # enforceInitialReport: false
+
   ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start.
   nginxReloadTimeout: 60000
 
@@ -49,7 +57,7 @@ controller:
         repository: private-registry.nginx.com/nap/waf-enforcer
 
         ## The tag of the App Protect WAF v5 Enforcer image.
-        tag: "5.3.0"
+        tag: "5.4.0"
         ## The digest of the App Protect WAF v5 Enforcer image.
         ## If digest is specified it has precedence over tag and will be used instead
         # digest: "sha256:CHANGEME"
@@ -65,7 +73,7 @@ controller:
         repository: private-registry.nginx.com/nap/waf-config-mgr
 
         ## The tag of the App Protect WAF v5 Configuration Manager image.
-        tag: "5.3.0"
+        tag: "5.4.0"
         ## The digest of the App Protect WAF v5 Configuration Manager image.
         ## If digest is specified it has precedence over tag and will be used instead
         # digest: "sha256:CHANGEME"

cmd/nginx-ingress/flags.go

@@ -55,6 +55,11 @@
 	but the Ingress Controller is not able to fetch it from Kubernetes API, the Ingress Controller will fail to start.
 	Format: <namespace>/<name>`)
 
+	mgmtConfigMap = flag.String("mgmt-configmap", "",
+		`A ConfigMap resource for customizing NGINX configuration. If a ConfigMap is set,
+	but the Ingress Controller is not able to fetch it from Kubernetes API, the Ingress Controller will fail to start.
+	Format: <namespace>/<name>`)
+
 	nginxPlus = flag.Bool("nginx-plus", false, "Enable support for NGINX Plus")
 
 	appProtect = flag.Bool("enable-app-protect", false, "Enable support for NGINX App Protect. Requires -nginx-plus.")
@@ -258,6 +263,11 @@
 		*enableDynamicWeightChangesReload = false
 	}
 
+	if *mgmtConfigMap != "" && !*nginxPlus {
+		nl.Warn(l, "mgmt-configmap flag requires -nginx-plus, mgmt configmap will not be used")
+		*mgmtConfigMap = ""
+	}
+
 	mustValidateInitialChecks(ctx)
 	mustValidateWatchedNamespaces(ctx)
 	mustValidateFlags(ctx)
@@ -419,6 +429,10 @@
 	if *agent && !*appProtect {
 		nl.Fatal(l, "NGINX Agent is used to enable the Security Monitoring dashboard and requires NGINX App Protect to be enabled")
 	}
+
+	if *nginxPlus && *mgmtConfigMap == "" {
+		nl.Fatal(l, "NGINX Plus requires a mgmt ConfigMap to be set")
+	}
 }
 
 // validateNamespaceNames validates the namespaces are in the correct format