update NGINX Plus to R34 and App Protect to 4.14 & 5.6 (#7597)

pdabelf5 · web-flow · commit 45d963195910 · 2025-04-03T12:59:12.000+01:00
* update NGINX Plus to R34 and App Protect to 4.14 & 5.6 * Revert "temporarily disable builds failing for NAP WAF v4 on UBI (#7606)"
diff --git a/.github/config/config-gcr-retag b/.github/config/config-gcr-retag
@@ -1,7 +1,7 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-mktpl" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl" "-alpine-fips")
 declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 declare -a ADDITIONAL_TAGS=()
diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-mktpl")
 declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips" "-ubi8")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
 export PUBLISH_OSS=false
diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=docker-mgmt.nginx.com
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
 declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
 declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
 export PUBLISH_OSS=false
diff --git a/.github/data/matrix-images-nap.json b/.github/data/matrix-images-nap.json
@@ -15,18 +15,36 @@
     "waf,dos"
   ],
   "include": [
+    {
+      "image": "ubi-8-plus-nap",
+      "target": "goreleaser",
+      "platforms": "linux/amd64",
+      "nap_modules": "waf"
+    },
     {
       "image": "ubi-8-plus-nap-v5",
       "target": "goreleaser",
       "platforms": "linux/amd64",
       "nap_modules": "waf"
     },
+    {
+      "image": "ubi-9-plus-nap",
+      "target": "goreleaser",
+      "platforms": "linux/amd64",
+      "nap_modules": "waf"
+    },
     {
       "image": "ubi-9-plus-nap",
       "target": "goreleaser",
       "platforms": "linux/amd64",
       "nap_modules": "dos"
     },
+    {
+      "image": "ubi-9-plus-nap",
+      "target": "goreleaser",
+      "platforms": "linux/amd64",
+      "nap_modules": "waf,dos"
+    },
     {
       "image": "alpine-plus-nap-fips",
       "target": "goreleaser",
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
@@ -2,15 +2,15 @@
   "images": [
     {
       "label": "AP_WAF 1/4",
-      "image": "debian-plus-nap",
+      "image": "ubi-8-plus-nap",
       "type": "plus",
       "nap_modules": "waf",
       "marker": "appprotect_waf_policies_allow",
       "platforms": "linux/amd64"
     },
     {
       "label": "AP_WAF 2/4",
-      "image": "debian-plus-nap",
+      "image": "ubi-9-plus-nap",
       "type": "plus",
       "nap_modules": "waf",
       "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow and not appprotect_waf_policies_vsr'",
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
@@ -265,7 +265,7 @@ jobs:
 
       - name: Generate WAF v5 tgz from JSON
         run: |
-          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.5.0 -p /data/wafv5.json -o /data/wafv5.tgz
+          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.6.0 -p /data/wafv5.json -o /data/wafv5.tgz
         if: ${{ contains(matrix.images.image, 'nap-v5')}}
 
       - name: Run Regression Tests
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
@@ -149,7 +149,7 @@ jobs:
 
       - name: Generate WAF v5 tgz from JSON
         run: |
-          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.5.0 -p /data/wafv5.json -o /data/wafv5.tgz
+          docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.6.0 -p /data/wafv5.json -o /data/wafv5.tgz
         if: ${{ contains(inputs.image, 'nap-v5')}}
 
       - name: Run Smoke Tests
diff --git a/Makefile b/Makefile
@@ -2,7 +2,7 @@
 VER = $(shell grep IC_VERSION .github/data/version.txt | cut -d '=' -f 2)
 GIT_TAG = $(shell git describe --exact-match --tags || echo untagged)
 VERSION = $(VER)-SNAPSHOT
-NGINX_PLUS_VERSION ?= R33
+NGINX_PLUS_VERSION ?= R34
 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key
 
 # Variables that can be overridden
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1.6
 ARG BUILD_OS=debian
-ARG NGINX_PLUS_VERSION=R33
+ARG NGINX_PLUS_VERSION=R34
 ARG DOWNLOAD_TAG=edge
 ARG DEBIAN_FRONTEND=noninteractive
 ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG}
@@ -206,7 +206,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \
 	&& mkdir -p /etc/nginx/reporting/ \
 	&& cp -av /tmp/nginx/reporting/tracking.info /etc/nginx/reporting/tracking.info \
 	&& ldconfig /usr/local/lib/ \
-	&& apk add --no-cache app-protect-module-plus~=33.5.264 \
+	&& apk add --no-cache app-protect-module-plus~=34.5.342 \
 	&& sed -i -e '/nginx.com/d' /etc/apk/repositories \
 	&& nap-waf.sh \
 	&& if [ "${NGINX_AGENT}" = "true" ]; then \
@@ -312,7 +312,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	&& apt-get update \
 	&& if [ "${NGINX_AGENT}" = "true" ]; then apt-get install --no-install-recommends --no-install-suggests -y nginx-agent; fi \
 	&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
-	apt-get install --no-install-recommends --no-install-suggests -y app-protect-module-plus=33+5.264* nginx-plus-module-appprotect=33+5.264* app-protect-plugin=6.9.0*; \
+	apt-get install --no-install-recommends --no-install-suggests -y app-protect-module-plus=34+5.342* nginx-plus-module-appprotect=34+5.342* app-protect-plugin=6.12.0*; \
 	rm -f /etc/apt/sources.list.d/app-protect.sources; \
 	nap-waf.sh; \
 	fi \
@@ -448,7 +448,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	&& if [ "${NGINX_AGENT}" = "true" ]; then microdnf --nodocs install -y nginx-agent; fi \
 	&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
 	cp /tmp/app-protect-9.repo /etc/yum.repos.d/app-protect-9.repo \
-	&& microdnf --nodocs install -y app-protect-module-plus-33+5.264* \
+	&& microdnf --nodocs install -y app-protect-module-plus-34+5.342* \
 	&& nap-waf.sh \
 	&& rm -f /etc/yum.repos.d/app-protect-9.repo; \
 	fi \
@@ -539,7 +539,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode
 	&& dnf config-manager --set-enabled codeready-builder-for-rhel-8-x86_64-rpms \
 	&& dnf --nodocs install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \
 	&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
-	dnf --nodocs install -y app-protect-module-plus-33+5.264*; \
+	dnf --nodocs install -y app-protect-module-plus-34+5.342*; \
 	fi \
 	&& subscription-manager unregister \
 	&& if [ -z "${NAP_MODULES##*waf*}" ]; then \
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
@@ -327,10 +327,10 @@
                     },
                     "tag": {
                       "type": "string",
-                      "default": "5.5.0",
+                      "default": "5.6.0",
                       "title": "The tag of the  App Protect WAF v5 Enforcer image",
                       "examples": [
-                        "5.5.0"
+                        "5.6.0"
                       ]
                     },
                     "digest": {
@@ -367,7 +367,7 @@
                   "examples": [
                     {
                       "repository": "private-registry.nginx.com/nap/waf-enforcer",
-                      "tag": "5.5.0",
+                      "tag": "5.6.0",
                       "pullPolicy": "IfNotPresent"
                     }
                   ]
@@ -401,10 +401,10 @@
                     },
                     "tag": {
                       "type": "string",
-                      "default": "5.5.0",
+                      "default": "5.6.0",
                       "title": "The tag of the  App Protect WAF v5 Config Manager image",
                       "examples": [
-                        "5.5.0"
+                        "5.6.0"
                       ]
                     },
                     "digest": {
@@ -441,7 +441,7 @@
                   "examples": [
                     {
                       "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-                      "tag": "5.5.0",
+                      "tag": "5.6.0",
                       "pullPolicy": "IfNotPresent"
                     }
                   ]
@@ -1837,15 +1837,15 @@
               "port": 50000,
               "image": {
                 "repository": "private-registry.nginx.com/nap/waf-enforcer",
-                "tag": "5.5.0",
+                "tag": "5.6.0",
                 "pullPolicy": "IfNotPresent"
               },
               "securityContext": {}
             },
             "configManager": {
               "image": {
                 "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-                "tag": "5.5.0",
+                "tag": "5.6.0",
                 "pullPolicy": "IfNotPresent"
               },
               "securityContext": {
@@ -2451,15 +2451,15 @@
             "port": 50000,
             "image": {
               "repository": "private-registry.nginx.com/nap/waf-enforcer",
-              "tag": "5.5.0",
+              "tag": "5.6.0",
               "pullPolicy": "IfNotPresent"
             },
             "securityContext": {}
           },
           "configManager": {
             "image": {
               "repository": "private-registry.nginx.com/nap/waf-config-mgr",
-              "tag": "5.5.0",
+              "tag": "5.6.0",
               "pullPolicy": "IfNotPresent"
             },
             "securityContext": {
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
@@ -82,7 +82,7 @@ controller:
         repository: private-registry.nginx.com/nap/waf-enforcer
 
         ## The tag of the App Protect WAF v5 Enforcer image.
-        tag: "5.5.0"
+        tag: "5.6.0"
         ## The digest of the App Protect WAF v5 Enforcer image.
         ## If digest is specified it has precedence over tag and will be used instead
         # digest: "sha256:CHANGEME"
@@ -98,7 +98,7 @@ controller:
         repository: private-registry.nginx.com/nap/waf-config-mgr
 
         ## The tag of the App Protect WAF v5 Configuration Manager image.
-        tag: "5.5.0"
+        tag: "5.6.0"
         ## The digest of the App Protect WAF v5 Configuration Manager image.
         ## If digest is specified it has precedence over tag and will be used instead
         # digest: "sha256:CHANGEME"
diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap
@@ -1472,7 +1472,7 @@ spec:
           - -weight-changes-dynamic-reload=false
       
       - name: waf-enforcer
-        image: my.private.reg/nap/waf-enforcer:5.5.0
+        image: my.private.reg/nap/waf-enforcer:5.6.0
         imagePullPolicy: "IfNotPresent"
         env:
           - name: ENFORCER_PORT
@@ -1483,7 +1483,7 @@ spec:
           - name: app-protect-bd-config
             mountPath: /opt/app_protect/bd_config
       - name: waf-config-mgr
-        image: my.private.reg/nap/waf-config-mgr:5.5.0
+        image: my.private.reg/nap/waf-config-mgr:5.6.0
         imagePullPolicy: "IfNotPresent"
         securityContext:
       
diff --git a/site/content/installation/installing-nic/installation-with-helm.md b/site/content/installation/installing-nic/installation-with-helm.md
@@ -423,12 +423,12 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.appprotect.enforcer.host** | Host that the App Protect WAF v5 Enforcer runs on. | "127.0.0.1" |
 | **controller.appprotect.enforcer.port** | Port that the App Protect WAF v5 Enforcer runs on. | 50000 |
 | **controller.appprotect.enforcer.image.repository** | The image repository of the App Protect WAF v5 Enforcer. | private-registry.nginx.com/nap/waf-enforcer |
-| **controller.appprotect.enforcer.image.tag** | The tag of the App Protect WAF v5 Enforcer. | "5.5.0" |
+| **controller.appprotect.enforcer.image.tag** | The tag of the App Protect WAF v5 Enforcer. | "5.6.0" |
 | **controller.appprotect.enforcer.image.digest** | The digest of the App Protect WAF v5 Enforcer. Takes precedence over tag if set. | "" |
 | **controller.appprotect.enforcer.image.pullPolicy** | The pull policy for the App Protect WAF v5 Enforcer image. | IfNotPresent |
 | **controller.appprotect.enforcer.securityContext** | The security context for App Protect WAF v5 Enforcer container. | {} |
 | **controller.appprotect.configManager.image.repository** | The image repository of the App Protect WAF v5 Configuration Manager. | private-registry.nginx.com/nap/waf-config-mgr |
-| **controller.appprotect.configManager.image.tag** | The tag of the App Protect WAF v5 Configuration Manager. | "5.5.0" |
+| **controller.appprotect.configManager.image.tag** | The tag of the App Protect WAF v5 Configuration Manager. | "5.6.0" |
 | **controller.appprotect.configManager.image.digest** | The digest of the App Protect WAF v5 Configuration Manager. Takes precedence over tag if set. | "" |
 | **controller.appprotect.configManager.image.pullPolicy** | The pull policy for the App Protect WAF v5 Configuration Manager image. | IfNotPresent |
 | **controller.appprotect.configManager.securityContext** | The security context for App Protect WAF v5 Configuration Manager container. | {"allowPrivilegeEscalation":false,"runAsUser":101,"runAsNonRoot":true,"capabilities":{"drop":["all"]}} |
diff --git a/site/content/installation/integrations/app-protect-waf-v5/installation.md b/site/content/installation/integrations/app-protect-waf-v5/installation.md
@@ -507,7 +507,8 @@ If you prefer not to build your own NGINX Ingress Controller image, you can use
 {{< bootstrap-table "table table-bordered table-striped table-responsive" >}}
 | NIC Version | App Protect WAFv5 Version | Config Manager | Enforcer |
 | --- | --- | --- | --- |
-| {{< nic-version >}} | 33_5.264 | 5.5.0 | 5.5.0 |
+| {{< nic-version >}} | 33_5.342 | 5.6.0 | 5.6.0 |
+| 4.0.1 | 33_5.264 | 5.5.0 | 5.5.0 |
 | 3.7.2 | 32_5.144 | 5.3.0 | 5.3.0 |
 | 3.6.2 | 32_5.48 | 5.2.0 | 5.2.0 |
 {{% /bootstrap-table %}}
diff --git a/site/content/technical-specifications.md b/site/content/technical-specifications.md
@@ -28,7 +28,8 @@ We test NGINX Ingress Controller on a range of Kubernetes platforms for each rel
 {{< bootstrap-table "table table-bordered table-striped table-responsive" >}}
 | NIC Version | Supported Kubernetes Version | NIC Helm Chart Version | NIC Operator Version | NGINX / NGINX Plus version |
 | --- | --- | --- | --- | --- |
-| {{< nic-version >}} | 1.25 - 1.32 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.27.4 / R33 P2 |
+| {{< nic-version >}} | 1.25 - 1.32 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.27.4 / R34 |
+| 4.0.1 | 1.25 - 1.32 | 2.0.1 | 3.0.1 | 1.27.4 / R33 P2 |
 | 3.7.2 | 1.25 - 1.31 | 1.4.2 | 2.4.2 | 1.27.2 / R32 P1 |
 | 3.6.2 | 1.25 - 1.31 | 1.3.2 | 2.3.2 | 1.27.1 / R32 P1 |
 | 3.5.2 | 1.23 - 1.30 | 1.2.2 | 2.2.2 | 1.27.0 / R32 |
@@ -61,7 +62,7 @@ _All images include NGINX 1.27.4._
 
 ### Images with NGINX Plus
 
-_NGINX Plus images include NGINX Plus R33._
+_NGINX Plus images include NGINX Plus R34._
 
 ---
 
diff --git a/tests/settings.py b/tests/settings.py
@@ -33,4 +33,4 @@
 # Nginx registry address to pull waf components from
 NGX_REG = "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr"
 # WAF component version to pull from above registry
-WAF_V5_VERSION = "5.5.0"
+WAF_V5_VERSION = "5.6.0"
