Merge branch 'main' into dependabot/github_actions/actions-033e808f89

Author: jjngx

README.md

@@ -145,7 +145,7 @@ your links to the correct versions:
 
 | Version | Description |  Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples |
 | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- |
-| Latest stable release | For production use | Use the 3.7.2 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/build-ingress-controller-image/). | Use the 3.7.2 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/build-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.7.2/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.7.2/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). |
+| Latest stable release | For production use | Use the 3.7.2 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/build-ingress-controller-image/). | Use the 3.7.2 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/build-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.7.2/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.7.2/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). |
 | Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/build-nginx-ingress-controller/). | [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/build-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/site/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). |
 
 ## SBOM (Software Bill of Materials)

build/scripts/common.sh

@@ -8,6 +8,7 @@ if [ -z "${BUILD_OS##*plus*}" ]; then
     cp -a /code/internal/configs/oidc/* /etc/nginx/oidc/
     mkdir -p /etc/nginx/state_files/
     mkdir -p /etc/nginx/reporting/
+    mkdir -p /etc/nginx/secrets/mgmt/
     PLUS=-plus
 fi
 

charts/nginx-ingress/templates/_helpers.tpl

@@ -116,8 +116,8 @@ Expand the name of the configmap used for NGINX Agent.
 Expand the name of the mgmt configmap.
 */}}
 {{- define "nginx-ingress.mgmtConfigName" -}}
-{{- if .Values.controller.mgmt.customConfigMap -}}
-{{ .Values.controller.mgmt.customConfigMap }}
+{{- if .Values.controller.mgmt.configMapName -}}
+{{ .Values.controller.mgmt.configMapName }}
 {{- else -}}
 {{- default (printf "%s-mgmt" (include "nginx-ingress.fullname" .)) -}}
 {{- end -}}
@@ -127,7 +127,11 @@ Expand the name of the mgmt configmap.
 Expand license token secret name.
 */}}
 {{- define "nginx-ingress.licenseTokenSecretName" -}}
+{{- if hasKey .Values.controller.mgmt "licenseTokenSecretName" -}}
 {{- .Values.controller.mgmt.licenseTokenSecretName -}}
+{{- else }}
+{{- fail "Error: When using Nginx Plus, 'controller.mgmt.licenseTokenSecretName' must be set." }}
+{{- end -}}
 {{- end -}}
 
 {{/*
@@ -393,7 +397,6 @@ volumeMounts:
 {{ include "nginx-ingress.volumeMountEntries" . }}
 {{- end -}}
 {{- end -}}
-
 {{- define "nginx-ingress.volumeMountEntries" -}}
 {{- if eq (include "nginx-ingress.readOnlyRootFilesystem" .) "true" }}
 - mountPath: /etc/nginx

charts/nginx-ingress/templates/controller-configmap.yaml

@@ -31,7 +31,7 @@ data:
 {{ include "nginx-ingress.agentConfiguration" . | indent 4 }}
 {{- end }}
 ---
-{{- if and .Values.controller.nginxplus (eq (.Values.controller.mgmt.customConfigMap | default "") "") }}
+{{- if .Values.controller.nginxplus }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -44,8 +44,36 @@ metadata:
 {{ toYaml .Values.controller.config.annotations | indent 4 }}
 {{- end }}
 data:
-  license-token-secret-name: {{ include "nginx-ingress.licenseTokenSecretName" . }}
+  license-token-secret-name: {{ required "When using Nginx Plus, 'controller.mgmt.licenseTokenSecretName' cannot be empty " (include "nginx-ingress.licenseTokenSecretName" . ) }}
+{{- if hasKey .Values.controller.mgmt "sslVerify" }}
+  ssl-verify: {{ quote .Values.controller.mgmt.sslVerify }}
+{{- end }}
 {{- if hasKey .Values.controller.mgmt "enforceInitialReport" }}
   enforce-initial-report: {{ quote .Values.controller.mgmt.enforceInitialReport }}
 {{- end }}
+{{- if hasKey .Values.controller.mgmt "usageReport" }}
+{{- if hasKey .Values.controller.mgmt.usageReport "endpoint" }}
+  usage-report-endpoint: {{ quote .Values.controller.mgmt.usageReport.endpoint }}
+{{- end }}
+{{- if hasKey .Values.controller.mgmt.usageReport "interval" }}
+  usage-report-interval: {{ quote .Values.controller.mgmt.usageReport.interval }}
+{{- end }}
+{{- end }}
+{{- if hasKey .Values.controller.mgmt "sslTrustedCertificateSecretName" }}
+  ssl-trusted-certificate-secret-name: {{ quote .Values.controller.mgmt.sslTrustedCertificateSecretName }}
+{{- end }}
+{{- if hasKey .Values.controller.mgmt "sslCertificateSecretName" }}
+  ssl-certificate-secret-name: {{ quote .Values.controller.mgmt.sslCertificateSecretName}}
+{{- end }}
+{{- if hasKey .Values.controller.mgmt "resolver" }}
+{{- if hasKey .Values.controller.mgmt.resolver "addresses" }}
+  resolver-addresses: {{ join "," .Values.controller.mgmt.resolver.addresses | quote }}
+{{- end }}
+{{- if hasKey .Values.controller.mgmt.resolver "ipv6" }}
+  resolver-ipv6: {{ quote .Values.controller.mgmt.resolver.ipv6 }}
+{{- end }}
+{{- if hasKey .Values.controller.mgmt.resolver "valid" }}
+  resolver-valid: {{ quote .Values.controller.mgmt.resolver.valid }}
+{{- end }}
+{{- end }}
 {{- end }}

charts/nginx-ingress/values.schema.json

@@ -109,6 +109,42 @@
                 "license"
               ]
             },
+            "sslCertificateSecretName": {
+              "type": "string",
+              "default": "",
+              "title": "The sslCertificateSecretName Schema",
+              "examples": [
+                "ssl-certificate"
+              ]
+            },
+            "usageReport": {
+              "type": "object",
+              "default": {},
+              "title": "The usageReport Schema",
+              "properties": {
+                "endpoint": {
+                  "type": "string",
+                  "title": "The endpoint of the usageReport",
+                  "default": "",
+                  "examples": [
+                    "",
+                    "product.connect.nginx.com",
+                    "nginx-mgmt.local"
+                  ]
+                },
+                "interval": {
+                  "type": "string",
+                  "pattern": "^[0-9]+[mhd]$",
+                  "default": "1h",
+                  "title": "The usage report interval Schema",
+                  "examples": [
+                    "1m",
+                    "1h",
+                    "24h"
+                  ]
+                }
+              }
+            },
             "enforceInitialReport": {
               "type": "boolean",
               "default": false,
@@ -117,6 +153,58 @@
                 true,
                 false
               ]
+            },
+            "sslVerify": {
+              "type": "boolean",
+              "default": true,
+              "title": "The sslVerify Schema",
+              "examples": [
+                true,
+                false
+              ]
+            },
+            "resolver": {
+              "type": "object",
+              "default": {},
+              "title": "The resolver Schema",
+              "properties": {
+                "addresses": {
+                  "type": "array",
+                  "default": [],
+                  "title": "List of resolver addresses/fqdns"
+                },
+                "valid": {
+                  "type": "string",
+                  "pattern": "^[0-9]+[smhdwMy]$",
+                  "title": "A valid nginx time",
+                  "examples": [
+                    "1m",
+                    "5d"
+                  ]
+                },
+                "ipv6": {
+                  "type": "boolean",
+                  "title": "turn on or off ipv6 support",
+                  "default": false
+                }
+              }
+            },
+            "sslTrustedCertificateSecretName": {
+              "type": "string",
+              "default": "ssl-trusted-cert",
+              "title": "The sslTrustedCertificateSecretName Schema",
+              "examples": [
+                "ssl-trusted-cert",
+                "certificate-secret"
+              ]
+            },
+            "configMapName": {
+              "type": "string",
+              "default": "",
+              "title": "The configMap Schema",
+              "examples": [
+                ""
+              ]
             }
           },
           "examples": [

charts/nginx-ingress/values.yaml

@@ -22,6 +22,31 @@ controller:
     ## Enables the 180-day grace period for sending the initial usage report
     # enforceInitialReport: false
 
+    # usageReport:
+    #   endpoint: "product.connect.nginx.com" # Endpoint for usage report
+    #   interval: 1h
+
+    ## Configures the ssl_verify directive in the mgmt block
+    # sslVerify: true
+
+    ## Configures the resolver directive in the mgmt block
+    # resolver:
+    #   ipv6: true
+    #   valid: 1s
+    #   addresses:
+    #     - kube-dns.kube-system.svc.cluster.local
+
+    ## Secret containing TLS client certificate
+    # sslCertificateSecretName: ssl-certificate # kubernetes.io/tls secret type
+
+    ## Secret containing trusted CA certificate
+    # sslTrustedCertificateSecretName: ssl-trusted-cert
+
+    # configMapName allows changing the name of the MGMT config map
+    # the name should not include a namespace
+    # configMapName: ""
+
+
   ## Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start.
   nginxReloadTimeout: 60000
 

cmd/nginx-ingress/main.go

@@ -153,6 +153,15 @@ func main() {
 		if err := processLicenseSecret(kubeClient, nginxManager, mgmtCfgParams, controllerNamespace); err != nil {
 			logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
 		}
+
+		if err := processTrustedCertSecret(kubeClient, nginxManager, mgmtCfgParams, controllerNamespace); err != nil {
+			logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
+		}
+
+		if err := processClientAuthSecret(kubeClient, nginxManager, mgmtCfgParams, controllerNamespace); err != nil {
+			logEventAndExit(ctx, eventRecorder, pod, secretErrorReason, err)
+		}
+
 	}
 
 	templateExecutor, templateExecutorV2 := createTemplateExecutors(ctx)
@@ -204,7 +213,7 @@ func main() {
 		AppProtectBundlePath:           appProtectBundlePath,
 	}
 
-	mustProcessNginxConfig(staticCfgParams, cfgParams, mgmtCfgParams, templateExecutor, nginxManager)
+	mustWriteNginxMainConfig(staticCfgParams, cfgParams, mgmtCfgParams, templateExecutor, nginxManager)
 
 	if *enableTLSPassthrough {
 		var emptyFile []byte
@@ -323,6 +332,44 @@ func main() {
 	}
 }
 
+func processClientAuthSecret(kubeClient *kubernetes.Clientset, nginxManager nginx.Manager, mgmtCfgParams *configs.MGMTConfigParams, controllerNamespace string) error {
+	if mgmtCfgParams.Secrets.ClientAuth == "" {
+		return nil
+	}
+
+	clientAuthSecretNsName := controllerNamespace + "/" + mgmtCfgParams.Secrets.ClientAuth
+
+	secret, err := getAndValidateSecret(kubeClient, clientAuthSecretNsName, api_v1.SecretTypeTLS)
+	if err != nil {
+		return fmt.Errorf("error trying to get the client auth secret %v: %w", clientAuthSecretNsName, err)
+	}
+
+	bytes := configs.GenerateCertAndKeyFileContent(secret)
+	nginxManager.CreateSecret(fmt.Sprintf("mgmt/%s", configs.ClientAuthCertSecretFileName), bytes, nginx.ReadWriteOnlyFileMode)
+	return nil
+}
+
+func processTrustedCertSecret(kubeClient *kubernetes.Clientset, nginxManager nginx.Manager, mgmtCfgParams *configs.MGMTConfigParams, controllerNamespace string) error {
+	if mgmtCfgParams.Secrets.TrustedCert == "" {
+		return nil
+	}
+
+	trustedCertSecretNsName := controllerNamespace + "/" + mgmtCfgParams.Secrets.TrustedCert
+
+	secret, err := getAndValidateSecret(kubeClient, trustedCertSecretNsName, secrets.SecretTypeCA)
+	if err != nil {
+		return fmt.Errorf("error trying to get the trusted cert secret %v: %w", trustedCertSecretNsName, err)
+	}
+
+	caBytes, crlBytes := configs.GenerateCAFileContent(secret)
+	nginxManager.CreateSecret(fmt.Sprintf("mgmt/%s", configs.CACrtKey), caBytes, nginx.ReadWriteOnlyFileMode)
+	if _, hasCRL := secret.Data[configs.CACrlKey]; hasCRL {
+		mgmtCfgParams.Secrets.TrustedCRL = secret.Name
+		nginxManager.CreateSecret(fmt.Sprintf("mgmt/%s", configs.CACrlKey), crlBytes, nginx.ReadWriteOnlyFileMode)
+	}
+	return nil
+}
+
 func mustCreateConfigAndKubeClient(ctx context.Context) (*rest.Config, *kubernetes.Clientset) {
 	l := nl.LoggerFromContext(ctx)
 	var config *rest.Config
@@ -666,9 +713,9 @@ func createGlobalConfigurationValidator() *cr_validation.GlobalConfigurationVali
 	return cr_validation.NewGlobalConfigurationValidator(forbiddenListenerPorts)
 }
 
-// mustProcessNginxConfig calls internally os.Exit
+// mustWriteNginxMainConfig calls internally os.Exit
 // if can't generate a valid NGINX config.
-func mustProcessNginxConfig(staticCfgParams *configs.StaticConfigParams, cfgParams *configs.ConfigParams, mgmtCfgParams *configs.MGMTConfigParams, templateExecutor *version1.TemplateExecutor, nginxManager nginx.Manager) {
+func mustWriteNginxMainConfig(staticCfgParams *configs.StaticConfigParams, cfgParams *configs.ConfigParams, mgmtCfgParams *configs.MGMTConfigParams, templateExecutor *version1.TemplateExecutor, nginxManager nginx.Manager) {
 	l := nl.LoggerFromContext(cfgParams.Context)
 	ngxConfig := configs.GenerateNginxMainConfig(staticCfgParams, cfgParams, mgmtCfgParams)
 	content, err := templateExecutor.ExecuteMainConfigTemplate(ngxConfig)
@@ -701,7 +748,6 @@ func getSocketClient(sockPath string) *http.Client {
 }
 
 // getAndValidateSecret gets and validates a secret.
-// nolint:unparam
 func getAndValidateSecret(kubeClient *kubernetes.Clientset, secretNsName string, secretType api_v1.SecretType) (secret *api_v1.Secret, err error) {
 	ns, name, err := k8s.ParseNamespaceName(secretNsName)
 	if err != nil {
@@ -722,7 +768,13 @@ func getAndValidateSecret(kubeClient *kubernetes.Clientset, secretNsName string,
 		if err != nil {
 			return nil, err
 		}
+	case secrets.SecretTypeCA:
+		err = secrets.ValidateCASecret(secret)
+		if err != nil {
+			return nil, err
+		}
 	}
+
 	return secret, nil
 }
 

examples/shared-examples/nginx-plus-secret/README.md

@@ -0,0 +1,3 @@
+# NGINX Plus Secret
+
+Refer to the [Create License Secret](https://docs.nginx.com/nginx-ingress-controller/installation/installing-nic/create-license-secret/) docs to download and create a License Secret

examples/shared-examples/nginx-plus-secret/configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-config-mgmt
+  namespace: nginx-ingress
+data:
+  license-token-secret-name: "license-token"

go.mod

@@ -1,10 +1,10 @@
 module github.com/nginxinc/kubernetes-ingress
 
-go 1.23.3
+go 1.23.4
 
 require (
-	github.com/aws/aws-sdk-go-v2/config v1.28.5
-	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.6
+	github.com/aws/aws-sdk-go-v2/config v1.28.6
+	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.7
 	github.com/cert-manager/cert-manager v1.16.2
 	github.com/dlclark/regexp2 v1.11.4
 	github.com/gkampitakis/go-snaps v0.5.7
@@ -35,17 +35,17 @@ require (
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/aws/aws-sdk-go v1.44.122 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.32.5 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.46 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.20 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.24 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.24 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.32.6 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.47 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.24.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 // indirect
 	github.com/aws/smithy-go v1.22.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect