Merge branch 'main' into chore/allow-easier-nap-agent-updates

Signed-off-by: AlexFenlon <[email protected]>

Author: AlexFenlon

.github/actions/smoke-tests/action.yaml

@@ -52,7 +52,7 @@ runs:
     - name: Deploy Kubernetes
       id: k8s
       run: |
-        make -f tests/Makefile create-kind-cluster K8S_CLUSTER_NAME=${{ github.run_id }} K8S_CLUSTER_VERSION=${{ inputs.k8s-version }} K8S_TIMEOUT=${{ inputs.k8s-timeout }}
+        make -f tests/Makefile create-kind-cluster K8S_CLUSTER_NAME=${{ github.run_id }} K8S_CLUSTER_VERSION=v${{ inputs.k8s-version }} K8S_TIMEOUT=${{ inputs.k8s-timeout }}
         make -f tests/Makefile image-load REGISTRY="" PREFIX=${{ inputs.image-name }} TAG=${{ inputs.tag }} K8S_CLUSTER_NAME=${{ github.run_id }}
         label="${{ inputs.label }}"
         nospaces="${label// /_}"

.github/scripts/binary-json.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+path=${1:-dist/}
+project=${2:-kubernetes-ingress}
+binary_name=${3:-nginx-ingress}
+
+if [ -z "$path" ] || [ -z "$project" ]; then
+  echo "Usage: $0 <path> <project>"
+  exit 1
+fi
+
+
+json='[]'
+for bin in $(find "$path" -type f -name "$binary_name"); do
+  dir=$(basename "$(dirname $bin)")
+  if [[ "$dir" =~ ${project}_([a-zA-Z0-9]+)_([a-zA-Z0-9]+) ]]; then
+    os="${BASH_REMATCH[1]}"
+    arch="${BASH_REMATCH[2]}"
+    digest=$(sha256sum "$bin" | cut -d' ' -f1)
+    json=$(echo "$json" | jq -c --arg path "$bin" --arg os "$os" --arg arch "$arch" --arg digest "$digest" '. += [{"path": $path, "os": $os, "arch": $arch, "digest": $digest}]')
+  fi
+done
+echo "$json"

.github/scripts/requirements.txt

@@ -4,9 +4,9 @@
 #
 #    pip-compile --generate-hashes --output-file=requirements.txt requirements.in
 #
-certifi==2025.6.15 \
-    --hash=sha256:2e0c7ce7cb5d8f8634ca55d2ba7e6ec2689a2fd6537d8dec1296a477a4910057 \
-    --hash=sha256:d747aa5a8b9bbbb1bb8c22bb13e22bd1f18e9796defa16bab421f7f7a317323b
+certifi==2025.8.3 \
+    --hash=sha256:e564105f78ded564e3ae7c923924435e1daa7463faeab5bb932bc53ffae63407 \
+    --hash=sha256:f6c12493cfb1b06ba2ff328595af9350c65d6644968e5d3a2ffd78699af217a5
     # via requests
 cffi==1.17.1 \
     --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \
@@ -304,9 +304,9 @@ markupsafe==3.0.2 \
     --hash=sha256:f8b3d067f2e40fe93e1ccdd6b2e1d16c43140e76f02fb1319a05cf2b79d99430 \
     --hash=sha256:fcabf5ff6eea076f859677f5f0b6b5c1a51e70a376b0579e0eadef8db48c6b50
     # via jinja2
-pycparser==2.22 \
-    --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \
-    --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc
+pycparser==2.23 \
+    --hash=sha256:78816d4f24add8f10a06d6f05b4d424ad9e96cfebf68a4ddc99c65c0720d00c2 \
+    --hash=sha256:e5c6e8d3fbad53479cab09ac03729e0a9faf2bee3db8208a550daf5af81a5934
     # via cffi
 pygithub==2.6.1 \
     --hash=sha256:6f2fa6d076ccae475f9fc392cc6cdbd54db985d4f69b8833a28397de75ed6ca3 \

.github/workflows/build-artifacts.yml

@@ -58,6 +58,8 @@ jobs:
     permissions:
       contents: read
       id-token: write
+    outputs:
+      json: ${{ steps.nic_binaries.outputs.json }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -100,13 +102,94 @@ jobs:
           GORELEASER_CURRENT_TAG: "v${{ inputs.ic-version }}"
         if: ${{ inputs.force }}
 
+      - name: Extract NGINX Ingress Controller binary info
+        id: nic_binaries
+        run: |
+          echo "json=$(.github/scripts/binary-json.sh ${{ github.workspace }}/dist ${{ github.event.repository.name }} "nginx-ingress")" >> $GITHUB_OUTPUT
+        if: ${{ inputs.force }}
+
       - name: Store Artifacts in Cache
         uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ${{ github.workspace }}/dist
           key: nginx-ingress-${{ inputs.go-md5 }}
         if: ${{ inputs.force }}
 
+  generate-assertion-doc:
+    if: ${{ github.event_name != 'pull_request' }}
+    name: Assertion Doc ${{ matrix.nic.arch }}
+    needs: [binaries]
+    runs-on: ${{ inputs.runner }}
+    permissions:
+      contents: read
+      id-token: write # for compliance-rules action to sign assertion doc
+    strategy:
+      fail-fast: false
+      matrix:
+        nic: ${{ fromJSON( needs.binaries.outputs.json ) }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: ${{ inputs.branch }}
+
+      - name: Setup Golang Environment
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: go.mod
+
+      - name: Setup netrc
+        run: |
+          cat <<EOF > $HOME/.netrc
+          machine azr.artifactory.f5net.com
+              login ${{ secrets.ARTIFACTORY_USER }}
+              password ${{ secrets.ARTIFACTORY_TOKEN }}
+          EOF
+          chmod 600 $HOME/.netrc
+
+      - name: Fetch Cached Artifacts
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ${{ github.workspace }}/dist
+          key: nginx-ingress-${{ inputs.go-md5 }}
+          fail-on-cache-miss: true
+
+      - name: List packages in Go binary
+        id: godeps
+        env:
+          GOPATH: ${{ inputs.go-path }}
+          GOPROXY: ${{ inputs.go-proxy }}
+        run: |
+          go version -m ${{ matrix.nic.path }} > go_version_out_${{ github.run_id }}_${{ github.run_number }}.txt
+          echo "go_version_out=$(find -type f -name "go_version_out*.txt" | head -n 1)" >> $GITHUB_OUTPUT
+          echo "artifact_digest=$(openssl dgst -sha256 -r ${{ matrix.nic.path }} | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
+          cat $GITHUB_OUTPUT
+
+      - name: Generate Assertion Document
+        id: assertiondoc
+        uses: nginxinc/compliance-rules/.github/actions/assertion@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        with:
+          artifact-name: "${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_number }}_${{ matrix.nic.os }}_${{ matrix.nic.arch }}"
+          artifact-digest: ${{ steps.godeps.outputs.artifact_digest }}
+          build-type: "github.com"
+          builder-id: "github"
+          builder-version: v0.1.0
+          started-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
+          finished-on: ${{ github.event.head_commit.timestamp || github.event.created_at }}
+          invocation-id: ${{ github.run_id }}.${{ github.run_number }}.${{ github.run_attempt }}
+          artifactory-user: ${{ secrets.ARTIFACTORY_USER }}
+          artifactory-api-token: ${{ secrets.ARTIFACTORY_TOKEN }}
+          artifactory-url: ${{ secrets.ARTIFACTORY_URL }}
+          artifactory-repo: 'f5-nginx-go-local-approved-dependency'
+          assertion-doc-file: assertion_${{ github.event.repository.name }}_${{ github.sha }}_${{ github.run_id }}_${{ github.run_number }}_${{ matrix.nic.os }}_${{ matrix.nic.arch }}.json
+          build-content-path: ${{ steps.godeps.outputs.go_version_out }}
+
+      - name: Sign and Store Assertion Document
+        id: sign
+        uses: nginxinc/compliance-rules/.github/actions/sign@83e452166aaf0ad8f07caf91a4f1f903b3dea1e6 # v0.3.0
+        with:
+          assertion-doc: ${{ steps.assertiondoc.outputs.assertion-document-path }}
+
   build-docker:
     name: Build Docker OSS
     needs: [binaries]

.github/workflows/regression.yml

@@ -275,7 +275,7 @@ jobs:
 
       - name: Generate WAF v5 tgz from JSON
         run: |
-          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.8.0 -p /data/wafv5.json -o /data/wafv5.tgz
+          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.9.0 -p /data/wafv5.json -o /data/wafv5.tgz
         if: ${{ contains(matrix.images.image, 'nap-v5')}}
 
       - name: Run Regression Tests

.github/workflows/scorecards.yml

@@ -34,7 +34,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif

.github/workflows/setup-smoke.yml

@@ -152,7 +152,7 @@ jobs:
 
       - name: Generate WAF v5 tgz from JSON
         run: |
-          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.8.0 -p /data/wafv5.json -o /data/wafv5.tgz
+          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.9.0 -p /data/wafv5.json -o /data/wafv5.tgz
         if: ${{ contains(inputs.image, 'nap-v5')}}
 
       - name: Run Smoke Tests

Makefile

@@ -4,9 +4,9 @@ GIT_TAG = $(shell git describe --exact-match --tags || echo untagged)
 VERSION = $(VER)-SNAPSHOT
 NGINX_OSS_VERSION             ?= 1.29
 NGINX_PLUS_VERSION            ?= R35
-NAP_WAF_VERSION               ?= 35+5.498
-NAP_WAF_COMMON_VERSION        ?= 11.533
-NAP_WAF_PLUGIN_VERSION        ?= 6.20.0
+NAP_WAF_VERSION               ?= 35+5.527
+NAP_WAF_COMMON_VERSION        ?= 11.559
+NAP_WAF_PLUGIN_VERSION        ?= 6.23.0
 NAP_AGENT_VERSION             ?= 2
 NGINX_AGENT_VERSION           ?= 3.3
 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key

build/Dockerfile

@@ -2,9 +2,9 @@
 ARG BUILD_OS=debian
 ARG NGINX_OSS_VERSION=1.29
 ARG NGINX_PLUS_VERSION=R35
-ARG NAP_WAF_VERSION=35+5.498
-ARG NAP_WAF_COMMON_VERSION=11.533
-ARG NAP_WAF_PLUGIN_VERSION=6.20.0
+ARG NAP_WAF_VERSION=35+5.527
+ARG NAP_WAF_COMMON_VERSION=11.559
+ARG NAP_WAF_PLUGIN_VERSION=6.23.0
 ARG NGINX_AGENT_VERSION=3.3
 ARG NAP_AGENT_VERSION=2
 ARG DOWNLOAD_TAG=edge

charts/nginx-ingress/values.schema.json

@@ -350,10 +350,10 @@
                     },
                     "tag": {
                       "type": "string",
-                      "default": "5.8.0",
+                      "default": "5.9.0",
                       "title": "The tag of the  App Protect WAF v5 Enforcer image",
                       "examples": [
-                        "5.8.0"
+                        "5.9.0"
                       ]
                     },
                     "digest": {
@@ -389,7 +389,7 @@
                   "examples": [
                     {
                       "repository": "private-registry.nginx.com/nap/waf-enforcer",
-                      "tag": "5.8.0",
+                      "tag": "5.9.0",
                       "pullPolicy": "IfNotPresent"
                     }
                   ]
@@ -422,10 +422,10 @@
                     },
                     "tag": {
                       "type": "string",
-                      "default": "5.8.0",
+                      "default": "5.9.0",
                       "title": "The tag of the  App Protect WAF v5 Config Manager image",
                       "examples": [
-                        "5.8.0"
+                        "5.9.0"
                       ]
                     },
                     "digest": {
@@ -461,7 +461,7 @@
                   "examples": [
                     {
                       "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-                      "tag": "5.8.0",
+                      "tag": "5.9.0",
                       "pullPolicy": "IfNotPresent"
                     }
                   ]
@@ -2020,15 +2020,15 @@
               "port": 50000,
               "image": {
                 "repository": "private-registry.nginx.com/nap/waf-enforcer",
-                "tag": "5.8.0",
+                "tag": "5.9.0",
                 "pullPolicy": "IfNotPresent"
               },
               "securityContext": {}
             },
             "configManager": {
               "image": {
                 "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-                "tag": "5.8.0",
+                "tag": "5.9.0",
                 "pullPolicy": "IfNotPresent"
               },
               "securityContext": {
@@ -2660,15 +2660,15 @@
             "port": 50000,
             "image": {
               "repository": "private-registry.nginx.com/nap/waf-enforcer",
-              "tag": "5.8.0",
+              "tag": "5.9.0",
               "pullPolicy": "IfNotPresent"
             },
             "securityContext": {}
           },
           "configManager": {
             "image": {
               "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-              "tag": "5.8.0",
+              "tag": "5.9.0",
               "pullPolicy": "IfNotPresent"
             },
             "securityContext": {