Merge branch 'main' into test/fix-foreign-upstream-test-failing

Author: haywoodsh

.github/workflows/build-base-images.yml

@@ -100,7 +100,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: |
             name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss
@@ -195,7 +195,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: |
             name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus
@@ -305,7 +305,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: |
             name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus

.github/workflows/build-oss.yml

@@ -126,7 +126,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           context: workflow
           images: |

.github/workflows/build-plus.yml

@@ -155,7 +155,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: |
             name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(inputs.nap-modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap-modules, 'waf') && '-nap' || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress

.github/workflows/build-ubi-dependency.yml

@@ -52,7 +52,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: |
             name=${{ env.IMAGE_NAME }},enable=true

.github/workflows/image-promotion.yml

@@ -349,7 +349,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           context: workflow
           images: |
@@ -465,7 +465,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           context: workflow
           images: |
@@ -588,7 +588,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           context: workflow
           images: |

Makefile

@@ -3,13 +3,13 @@ VER = $(shell grep IC_VERSION .github/data/version.txt | cut -d '=' -f 2)
 GIT_TAG = $(shell git describe --exact-match --tags || echo untagged)
 VERSION = $(VER)-SNAPSHOT
 # renovate: datasource=docker depName=nginx/nginx
-NGINX_OSS_VERSION             ?= 1.29.1
+NGINX_OSS_VERSION             ?= 1.29.3
 NGINX_PLUS_VERSION            ?= R35
 NAP_WAF_VERSION               ?= 35+5.527
 NAP_WAF_COMMON_VERSION        ?= 11.559
 NAP_WAF_PLUGIN_VERSION        ?= 6.23.0
 NAP_AGENT_VERSION             ?= 2
-NGINX_AGENT_VERSION           ?= 3.3
+NGINX_AGENT_VERSION           ?= 3.5
 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key
 
 # Variables that can be overridden
@@ -25,7 +25,7 @@ TELEMETRY_ENDPOINT            ?= oss.edge.df.f5.com:443
 # renovate: datasource=docker depName=golangci/golangci-lint
 GOLANGCI_LINT_VERSION         ?= v2.6.2 ## The version of golangci-lint to use
 # renovate: datasource=go depName=golang.org/x/tools
-GOIMPORTS_VERSION             ?= v0.38.0 ## The version of goimports to use
+GOIMPORTS_VERSION             ?= v0.39.0 ## The version of goimports to use
 # renovate: datasource=go depName=mvdan.cc/gofumpt
 GOFUMPT_VERSION               ?= v0.9.2 ## The version of gofumpt to use
 

build/Dockerfile

@@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:1.20
 ARG BUILD_OS=debian
 # renovate: datasource=docker depName=nginx/nginx
-ARG NGINX_OSS_VERSION=1.29.1
+ARG NGINX_OSS_VERSION=1.29.3
 ARG NGINX_PLUS_VERSION=R35
 ARG NAP_WAF_VERSION=35+5.527
 ARG NAP_WAF_COMMON_VERSION=11.559
 ARG NAP_WAF_PLUGIN_VERSION=6.23.0
-ARG NGINX_AGENT_VERSION=3.3
+ARG NGINX_AGENT_VERSION=3.5
 ARG NAP_AGENT_VERSION=2
 ARG DOWNLOAD_TAG=edge
 ARG DEBIAN_FRONTEND=noninteractive
@@ -16,7 +16,7 @@ ARG PACKAGE_REPO=pkgs.nginx.com
 
 
 ############################################# Base images containing libs for FIPS #############################################
-FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi8@sha256:fa931e9868a709aa995197c6d115344d0d2bbf2b0bde01643fbc2fe9cf33ad0c AS ubi8-packages
+FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi8@sha256:c896e532dd9cbb57407aeff5895fb02d64a33a93deaa748512f38b46ebb960f2 AS ubi8-packages
 FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:cd8693e02cd22ad05d1c5c57f7dd7ccfcf3cca23fac158381a760ff6f4d0f292 AS ubi9-packages
 FROM ghcr.io/nginx/alpine-fips:0.4.0-alpine3.19@sha256:0b400b81b5f403d69535a54839296ae35ced374eb1bb04db5b4282f380fef09a AS alpine-fips-3.19
 FROM ghcr.io/nginx/alpine-fips:0.4.0-alpine3.22@sha256:61ed75f252bde7da1e6db33d2709456e87478280dfae3d11084f94c361e9f329 AS alpine-fips-3.22
@@ -88,7 +88,7 @@ USER 101
 
 
 ############################################# Base image for Alpine #############################################
-FROM nginx:1.29.1-alpine3.22@sha256:42a516af16b852e33b7682d5ef8acbd5d13fe08fecadc7ed98605ba5e3b26ab8 AS alpine
+FROM nginx:1.29.3-alpine3.22@sha256:b3c656d55d7ad751196f21b7fd2e8d4da9cb430e32f646adcf92441b72f82b14 AS alpine
 ARG PACKAGE_REPO
 ARG NGINX_OSS_VERSION
 ARG NGINX_AGENT_VERSION
@@ -107,7 +107,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk
 
 
 ############################################# Base image for Debian #############################################
-FROM nginx:1.29.1@sha256:8adbdcb969e2676478ee2c7ad333956f0c8e0e4c5a7463f4611d7a2e7a7ff5dc AS debian
+FROM nginx:1.29.3@sha256:553f64aecdc31b5bf944521731cd70e35da4faed96b2b7548a3d8e2598c52a42 AS debian
 ARG NGINX_OSS_VERSION
 ARG NGINX_AGENT_VERSION
 
@@ -512,7 +512,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 
 
 ############################################# Base image for UBI8 with NGINX Plus and App Protect WAF #############################################
-FROM redhat/ubi8@sha256:7d7ca86d832d1dc7aba4583414475c15686291b1c2cf75fe63ca03526c3b89ae AS ubi-8-plus-nap
+FROM redhat/ubi8@sha256:a444712276a635c9312d83a4ff7c6ee7f2ce08eeb5bd9ca291b5fdba257a5e63 AS ubi-8-plus-nap
 ARG NGINX_PLUS_VERSION
 ARG NAP_WAF_VERSION
 ARG BUILD_OS
@@ -553,7 +553,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 
 
 ############################################# Base image for UBI8 with NGINX Plus and App Protect WAFv5  #############################################
-FROM redhat/ubi8@sha256:7d7ca86d832d1dc7aba4583414475c15686291b1c2cf75fe63ca03526c3b89ae AS ubi-8-plus-nap-v5
+FROM redhat/ubi8@sha256:a444712276a635c9312d83a4ff7c6ee7f2ce08eeb5bd9ca291b5fdba257a5e63 AS ubi-8-plus-nap-v5
 ARG NGINX_PLUS_VERSION
 ARG NAP_WAF_VERSION
 ARG NAP_AGENT_VERSION

build/dependencies/Dockerfile.ubi8

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.20
-FROM redhat/ubi8@sha256:7d7ca86d832d1dc7aba4583414475c15686291b1c2cf75fe63ca03526c3b89ae AS rpm-build
+FROM redhat/ubi8@sha256:a444712276a635c9312d83a4ff7c6ee7f2ce08eeb5bd9ca291b5fdba257a5e63 AS rpm-build
 RUN mkdir -p /rpms/ \
     && dnf install rpm-build gcc make cmake -y \
     && rpmbuild --rebuild --nodebuginfo https://mirror.stream.centos.org/9-stream/BaseOS/source/tree/Packages/c-ares-1.19.1-1.el9.src.rpm \

charts/nginx-ingress/templates/NOTES.txt

@@ -1,13 +1,13 @@
 NGINX Ingress Controller {{ .Chart.AppVersion }} has been installed.
 
-For release notes for this version please see: https://docs.nginx.com/nginx-ingress-controller/releases/
+For release notes, see: https://docs.nginx.com/nginx-ingress-controller/changelog/
 
-Installation and upgrade instructions: https://docs.nginx.com/nginx-ingress-controller/install/helm/
+For Helm installation instructions, see: https://docs.nginx.com/nginx-ingress-controller/install/helm/
 
 {{ if .Release.IsUpgrade -}}
 If you are upgrading from a version of the chart that uses older Custom Resource Definitions (CRD) it is necessary to manually upgrade the CRDs as this is not managed by Helm.
 To update to the latest version of the CRDs:
   $ kubectl apply -f https://raw.githubusercontent.com/nginx/kubernetes-ingress/v{{ .Chart.AppVersion }}/deploy/crds.yaml
 
-More details on upgrading the CRDs: https://docs.nginx.com/nginx-ingress-controller/install/helm#upgrading-the-crds
+For more details on upgrading the CRDs, see: https://docs.nginx.com/nginx-ingress-controller/install/upgrade/#upgrade-nginx-ingress-controller-crds
 {{- end -}}

config/crd/bases/k8s.nginx.org_policies.yaml

@@ -140,6 +140,29 @@ spec:
                     x-kubernetes-validations:
                     - message: 'allowed methods must be one of: GET, HEAD, POST'
                       rule: self.all(method, method in ['GET', 'HEAD', 'POST'])
+                  cacheBackgroundUpdate:
+                    default: false
+                    description: |-
+                      CacheBackgroundUpdate allows starting a background subrequest to update an expired cache item (proxy_cache_background_update).
+                      A stale cached response is returned to the client while the cache is being updated.
+                    type: boolean
+                  cacheKey:
+                    description: |-
+                      CacheKey defines a key for caching (proxy_cache_key).
+                      By default, close to "$scheme$proxy_host$uri$is_args$args".
+                      Must not contain command execution patterns: $(, `, ;, &&, ||
+                    maxLength: 1024
+                    type: string
+                    x-kubernetes-validations:
+                    - message: 'cache key must not contain command execution patterns:
+                        $(, `, ;, &&, ||'
+                      rule: '!self.contains(''$('') && !self.contains(''`'') && !self.contains('';'')
+                        && !self.contains(''&&'') && !self.contains(''||'')'
+                  cacheMinUses:
+                    description: CacheMinUses sets the number of requests after which
+                      the response will be cached (proxy_cache_min_uses).
+                    minimum: 1
+                    type: integer
                   cachePurgeAllow:
                     description: |-
                       CachePurgeAllow defines IP addresses or CIDR blocks allowed to purge cache.
@@ -149,6 +172,20 @@ spec:
                     items:
                       type: string
                     type: array
+                  cacheRevalidate:
+                    default: false
+                    description: |-
+                      CacheRevalidate enables revalidation of expired cache items using conditional requests (proxy_cache_revalidate).
+                      Uses "If-Modified-Since" and "If-None-Match" header fields.
+                    type: boolean
+                  cacheUseStale:
+                    description: |-
+                      CacheUseStale determines in which cases a stale cached response can be used (proxy_cache_use_stale).
+                      Valid parameters: error, timeout, invalid_header, updating, http_500, http_502, http_503, http_504, http_403, http_404, http_429, off.
+                    items:
+                      type: string
+                    maxItems: 11
+                    type: array
                   cacheZoneName:
                     description: |-
                       CacheZoneName defines the name of the cache zone. Must start with a lowercase letter,
@@ -159,9 +196,34 @@ spec:
                   cacheZoneSize:
                     description: |-
                       CacheZoneSize defines the size of the cache zone. Must be a number followed by a size unit:
-                      'k' for kilobytes, 'm' for megabytes, or 'g' for gigabytes.
+                      'k' or 'K' for kilobytes, 'm' or 'M' for megabytes, or 'g' or 'G' for gigabytes.
                       Examples: "10m", "1g", "512k".
-                    pattern: ^[0-9]+[kmg]$
+                    pattern: ^[0-9]+[kmgKMG]$
+                    type: string
+                  conditions:
+                    description: Conditions defines when responses should not be cached
+                      or taken from cache.
+                    properties:
+                      bypass:
+                        description: |-
+                          Bypass defines conditions under which the response will not be taken from a cache (proxy_cache_bypass).
+                          If at least one value of the string parameters is not empty and is not equal to "0" then the response will not be taken from the cache.
+                        items:
+                          type: string
+                        type: array
+                      noCache:
+                        description: |-
+                          NoCache defines conditions under which the response will not be saved to a cache (proxy_no_cache).
+                          If at least one value of the string parameters is not empty and is not equal to "0" then the response will not be saved.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  inactive:
+                    description: |-
+                      Inactive sets the time after which cached data that are not accessed get removed from the cache (inactive parameter).
+                      By default, inactive is set to 10 minutes.
+                    pattern: ^[0-9]+[smhd]$
                     type: string
                   levels:
                     description: |-
@@ -172,6 +234,67 @@ spec:
                       Invalid: "3:1", "1:3", "1:2:3".
                     pattern: ^[12](?::[12]){0,2}$
                     type: string
+                  lock:
+                    description: Lock configures cache locking to prevent multiple
+                      identical requests from populating the same cache element simultaneously.
+                    properties:
+                      age:
+                        description: |-
+                          Age sets the maximum time a cache lock can be held (proxy_cache_lock_age).
+                          If the last request passed to the proxied server for populating a new cache element has not completed for the specified time, one more request may be passed.
+                        pattern: ^[0-9]+[smhd]$
+                        type: string
+                      enable:
+                        default: false
+                        description: |-
+                          Enable sets whether cache locking is enabled (proxy_cache_lock).
+                          When enabled, only one request at a time will be allowed to populate a new cache element according to the proxy_cache_key.
+                        type: boolean
+                      timeout:
+                        description: |-
+                          Timeout sets a timeout for proxy_cache_lock.
+                          When the time expires, the request will be passed to the proxied server, however, the response will not be cached.
+                        pattern: ^[0-9]+[smhd]$
+                        type: string
+                    type: object
+                    x-kubernetes-validations:
+                    - message: timeout or age require enable=true
+                      rule: (!has(self.timeout) && !has(self.age)) || self.enable
+                  manager:
+                    description: Manager configures the cache manager process parameters
+                      (manager_files, manager_sleep, manager_threshold).
+                    properties:
+                      files:
+                        description: |-
+                          Files sets the maximum number of files that will be deleted in one iteration by the cache manager.
+                          During one iteration no more than manager_files items are deleted (by default, 100).
+                        minimum: 1
+                        type: integer
+                      sleep:
+                        description: |-
+                          Sleep sets the pause between cache manager iterations.
+                          Between iterations, a pause configured by manager_sleep (by default, 50 milliseconds) is made.
+                        pattern: ^[0-9]+[mu]?s$
+                        type: string
+                      threshold:
+                        description: |-
+                          Threshold sets the maximum duration of one cache manager iteration.
+                          The duration of one iteration is limited by manager_threshold (by default, 200 milliseconds).
+                        pattern: ^[0-9]+[mu]?s$
+                        type: string
+                    type: object
+                  maxSize:
+                    description: |-
+                      MaxSize sets the maximum cache size (max_size parameter).
+                      When the size is exceeded, the cache manager removes the least recently used data.
+                    pattern: ^[0-9]+[kmgKMG]$
+                    type: string
+                  minFree:
+                    description: |-
+                      MinFree sets the minimum amount of free space required on the file system with cache (min_free parameter).
+                      When there is not enough free space, the cache manager removes the least recently used data.
+                    pattern: ^[0-9]+[kmgKMG]$
+                    type: string
                   overrideUpstreamCache:
                     default: false
                     description: |-
@@ -188,6 +311,13 @@ spec:
                       Examples: "30s", "5m", "1h", "2d".
                     pattern: ^[0-9]+[smhd]$
                     type: string
+                  useTempPath:
+                    default: false
+                    description: |-
+                      UseTempPath controls whether temporary files and the cache are put on different file systems (use_temp_path parameter).
+                      If set to false, temporary files will be put directly in the cache directory (use_temp_path=off).
+                      Default: false (use_temp_path=off, which puts temp files directly in cache directory for better performance).
+                    type: boolean
                 required:
                 - cacheZoneName
                 - cacheZoneSize