Merge branch 'main' into dependabot/github_actions/actions/checkout-4…

….0.0

.github/workflows/update-docker-images.yml

@@ -85,7 +85,7 @@ jobs:
         uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
 
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         with:
           platforms: arm64
 
@@ -123,7 +123,7 @@ jobs:
             NGINX_CONF_DIR=internal/mode/static/nginx/conf
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0
         continue-on-error: true
         with:
           image-ref: ghcr.io/nginxinc/nginx-kubernetes-gateway/nginx:${{ needs.variables.outputs.nkg_tag }}
@@ -132,13 +132,13 @@ jobs:
           ignore-unfixed: "true"
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/upload-sarif@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7
         continue-on-error: true
         with:
           sarif_file: trivy-results-nginx-kubernetes-gateway-nginx
 
       - name: Upload Scan Results
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         continue-on-error: true
         with:
           name: trivy-results-nginx-kubernetes-gateway-nginx

README.md

@@ -107,6 +107,10 @@ can run the following command:
 docker buildx imagetools inspect ghcr.io/nginxinc/nginx-kubernetes-gateway:edge --format '{{ json (index .SBOM "linux/amd64").SPDX }}' | grype
 ```
 
+## Troubleshooting
+
+For troubleshooting help, see the [Troubleshooting](/docs/troubleshooting.md) document.
+
 ## Contacts
 
 We’d like to hear your feedback! If you experience issues with our Gateway Controller, please [open a bug][bug] in

deploy/helm-chart/templates/deployment.yaml

@@ -72,7 +72,7 @@ spec:
           periodSeconds: 1
         {{- end }}
         securityContext:
-          allowPrivilegeEscalation: false
+          allowPrivilegeEscalation: {{ .Values.nginxGateway.securityContext.allowPrivilegeEscalation }}
           capabilities:
             add:
             - KILL

deploy/helm-chart/values.yaml

@@ -30,6 +30,10 @@ nginxGateway:
     tag: edge
     pullPolicy: Always
 
+  securityContext:
+    ## Some environments may need this set to true in order for the control plane to successfully reload NGINX.
+    allowPrivilegeEscalation: false
+
 nginx:
   ## The NGINX image to use
   image:

docs/README.md

@@ -18,6 +18,7 @@ yourself.
 - [CLI Help](cli-help.md): Describes the commands available in the `gateway` binary of `nginx-kubernetes-gateway`
 container.
 - [Monitoring](monitoring.md): Information on monitoring NGINX Kubernetes Gateway using Prometheus metrics.
+- [Troubleshooting](troubleshooting.md): Troubleshooting guide for common or known issues.
 
 ### Directories
 

docs/troubleshooting.md

@@ -0,0 +1,11 @@
+# Troubleshooting
+
+This document contains common or known issues and how to troubleshoot them.
+
+## failed to reload NGINX: failed to send the HUP signal to NGINX main: operation not permitted
+
+Depending on your environment's configuration, the control plane may not have the proper permissions to reload
+NGINX. If NGINX configuration is not applied and you see the above error in the `nginx-gateway` logs, you will need
+to set `allowPrivilegeEscalation` to `true`. If using Helm, you can set the
+`nginxGateway.securityContext.allowPrivilegeEscalation` value.
+If using the manifests directly, you can update this field under the `nginx-gateway` container's `securityContext`.