Merge branch 'main' into certs

Author: vepatel

.github/workflows/build-oss.yml

@@ -201,7 +201,7 @@ jobs:
 
       - name: Run Docker Scout vulnerability scanner
         id: docker-scout
-        uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0
+        uses: docker/scout-action@e1c0d589b972d5605e035bbf74ed95cfc306d597 # v1.15.0
         with:
           command: cves,recommendations
           image: ${{ steps.meta.outputs.tags }}

.github/workflows/build-plus.yml

@@ -222,7 +222,7 @@ jobs:
 
       - name: Run Docker Scout vulnerability scanner
         id: docker-scout
-        uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0
+        uses: docker/scout-action@e1c0d589b972d5605e035bbf74ed95cfc306d597 # v1.15.0
         with:
           command: cves,recommendations
           image: ${{ steps.meta.outputs.tags }}

.github/workflows/docs-build-push.yml

@@ -31,7 +31,7 @@ permissions:
 
 jobs:
   call-docs-build-push:
-    uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@69843fb5d009e99750e50c23e90c23a899e4637e # v1.0.6
+    uses: nginxinc/docs-actions/.github/workflows/docs-build-push.yml@9c59fab05a8131f4d691ba6ea2b6a119f3ef832a # v1.0.7
     permissions:
       pull-requests: write # needed to write preview url comment to PR
       contents: read

.github/workflows/image-promotion.yml

@@ -449,7 +449,7 @@ jobs:
 
       - name: Run Docker Scout vulnerability scanner
         id: docker-scout
-        uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0
+        uses: docker/scout-action@e1c0d589b972d5605e035bbf74ed95cfc306d597 # v1.15.0
         with:
           command: cves,recommendations
           image: ${{ steps.meta.outputs.tags }}
@@ -539,7 +539,7 @@ jobs:
 
       - name: Run Docker Scout vulnerability scanner
         id: docker-scout
-        uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0
+        uses: docker/scout-action@e1c0d589b972d5605e035bbf74ed95cfc306d597 # v1.15.0
         with:
           command: cves,recommendations
           image: ${{ steps.meta.outputs.tags }}
@@ -636,7 +636,7 @@ jobs:
 
       - name: Run Docker Scout vulnerability scanner
         id: docker-scout
-        uses: docker/scout-action@cc6bf8dd03587425ef920278b3e2726ba8d791e8 # v1.14.0
+        uses: docker/scout-action@e1c0d589b972d5605e035bbf74ed95cfc306d597 # v1.15.0
         with:
           command: cves,recommendations
           image: ${{ steps.meta.outputs.tags }}

build/Dockerfile

@@ -11,8 +11,8 @@ ARG PACKAGE_REPO=pkgs.nginx.com
 
 
 ############################################# Base images containing libs for Opentracing and FIPS #############################################
-FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.2@sha256:8604f87032b5fadfc4701a29cd78463df30f4a7e02bc6956f4d257b935931d32 AS opentracing-lib
-FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.2-alpine@sha256:f5ada6e7e7b550cb6d8b20eb986f2c22e8ff32b846b4a8205e3ed11989bf27d4 AS alpine-opentracing-lib
+FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.2@sha256:4962146a8305c718c8cc66b99063640b04676d13f893498e5eab9a2e63816e2c AS opentracing-lib
+FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.2-alpine@sha256:28077c314babf7ebcbb8bc98d04067bad37eb0a2d03a3c1f74626a6f0caef775 AS alpine-opentracing-lib
 FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e2bd639b269ec54343ea66b7acbdb0eb67bed44383e1be937c483c451d AS ubi-ppc64le
 FROM ghcr.io/nginxinc/alpine-fips:0.2.3-alpine3.17@sha256:67b69b49aff96e185be841e2b2ff2d8236551ea5c18002bffa4344798d803fd8 AS alpine-fips-3.17
 FROM ghcr.io/nginxinc/alpine-fips:0.2.3-alpine3.20@sha256:4c29e5c50b122354d9d4ba6b97cdf64647468e788b965fc0240ead541653454a AS alpine-fips-3.20
@@ -31,7 +31,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 
 
 ############################################# Base image for Debian #############################################
-FROM nginx:1.27.2@sha256:d2eb56950b84efe34f966a2b92efb1a1a2ea53e7e93b94cdf45a27cf3cd47fc0 AS debian
+FROM nginx:1.27.2@sha256:28402db69fec7c17e179ea87882667f1e054391138f77ffaf0c3eb388efc3ffb AS debian
 
 RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
 	apt-get update \
@@ -207,7 +207,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \
 
 
 ############################################# Base image for Debian with NGINX Plus #############################################
-FROM debian:12-slim@sha256:ad86386827b083b3d71139050b47ffb32bbd9559ea9b1345a739b14fec2d9ecf AS debian-plus
+FROM debian:12-slim@sha256:36e591f228bb9b99348f584e83f16e012c33ba5cad44ef5981a1d7c0a93eca22 AS debian-plus
 ARG NGINX_PLUS_VERSION
 
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}

examples/custom-resources/access-control/README.md

@@ -1,96 +1,3 @@
-# Access Control
+# Deploy a Policy for access control
 
-In this example, we deploy a web application; configure load balancing for it via a VirtualServer; and apply access
-control policies to deny and allow traffic from a specific subnet.
-
-## Prerequisites
-
-1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/)
-   instructions to deploy the Ingress Controller.
-1. Save the public IP address of the Ingress Controller into a shell variable:
-
-    ```console
-    IC_IP=XXX.YYY.ZZZ.III
-    ```
-
-1. Save the HTTP port of the Ingress Controller into a shell variable:
-
-    ```console
-    IC_HTTP_PORT=<port number>
-    ```
-
-## Step 1 - Deploy a Web Application
-
-Create the application deployment and service:
-
-```console
-kubectl apply -f webapp.yaml
-```
-
-## Step 2 - Deploy an Access Control Policy
-
-In this step, we create a policy with the name `webapp-policy` that denies requests from clients with an IP that belongs
-to the subnet `10.0.0.0/8`. This is the subnet that our test client in Steps 4 and 6 will belong to. Make sure to change
-the `deny` field of the `access-control-policy-deny.yaml` according to your environment (use the subnet of your
-machine).
-
-Create the policy:
-
-```console
-kubectl apply -f access-control-policy-deny.yaml
-```
-
-## Step 3 - Configure Load Balancing
-
-Create a VirtualServer resource for the web application:
-
-```console
-kubectl apply -f virtual-server.yaml
-```
-
-Note that the VirtualServer references the policy `webapp-policy` created in Step 2.
-
-## Step 4 - Test the Configuration
-
-Let's access the application:
-
-```console
-curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
-```
-
-```text
-<html>
-<head><title>403 Forbidden</title></head>
-<body>
-<center><h1>403 Forbidden</h1></center>
-</body>
-</html>
-```
-
-We got a 403 response from NGINX, which means that our policy successfully blocked our request.
-
-## Step 5 - Update the Policy
-
-In this step, we update the policy to allow requests from clients from the subnet `10.0.0.0/8`. Make sure to change the
-`allow` field of the `access-control-policy-allow.yaml` according to your environment.
-
-Update the policy:
-
-```console
-kubectl apply -f access-control-policy-allow.yaml
-```
-
-## Step 6 - Test the Configuration
-
-Let's access the application again:
-
-```console
-curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
-```
-
-```text
-Server address: 10.64.0.13:8080
-Server name: webapp-5cbbc7bd78-wf85w
-```
-
-In contrast with Step 4, we got a 200 response, which means that our updated policy successfully allowed our request.
+This is the example code used in the [Deploy a Policy for access control](https://docs.nginx.com/nginx-ingress-controller/configuration/access-control/) documentation.

examples/custom-resources/tls-passthrough/README.md

@@ -46,8 +46,9 @@ You can see how the Secure App is implemented in the `secure-app.yaml` file.
 
 1. Save the HTTPS port of the Ingress Controller where TLS Passthrough is enabled into a shell variable:
 
-    ```console
-    $ IC_HTTPS_PORT=<port number>
+```console
+IC_HTTPS_PORT=<port number>
+```
 
 1. Save the HTTPS port of the Ingress Controller into a shell variable:
 

examples/custom-resources/transport-server-sni/README.md

@@ -0,0 +1,110 @@
+# TransportServer SNI
+
+In this example we create two different TransportServers that listen on the same interface, which are distinguished by their Host field.
+The applications (a TCP echo server, and MongoDB) will be accessed via `ncat` and `mongosh`.
+The `ncat` binary is available via `nmap`. On mac/linux this can be installed via homebrew/linuxbrew with `brew install nmap`
+`mongosh` installation instructions are [available here](https://www.mongodb.com/docs/mongodb-shell/install/).
+
+## Create a GlobalConfiguration resource with the following listener
+
+```yaml
+listeners:
+    - name: tcp-listener
+      port: 7000 
+      protocol: TCP
+```
+
+## Add a custom port to the NGINX Ingress Controller pod with the Helm chart
+
+```yaml
+controller.customPorts:
+    - name: port
+      containerPort: 7000
+      protocol: TCP
+```
+
+## Add a custom port to the NGINX Ingress Controller service
+
+```yaml
+controller.service.customPorts:
+    - name: tcp-port 
+      port: 7000 
+      protocol: TCP
+      targetPort: 7000 
+```
+
+## Use `kubectl` to create the cafe-secret, and mongo-secret. These secrets are used for TLS in the TransportServers
+
+`kubectl apply -f cafe-secret.yaml`
+`kubectl apply -f mongo-secret.yaml`
+
+## Create the mongo and tcp echo example applications
+
+`kubectl apply -f mongo.yaml`
+`kubectl apply -f tcp-echo-server.yaml`
+
+## Wait until these are ready
+
+`kubectl get deploy -w`
+
+## Create the TransportServers for each application
+
+`kubectl apply -f cafe-transport-server.yaml`
+`kubectl apply -f mongo-transport-server.yaml`
+
+## Ensure they are in valid state
+
+`kubectl get ts`
+
+```shell
+NAME       STATE   REASON           AGE
+cafe-ts    Valid   AddedOrUpdated   2m
+mongo-ts   Valid   AddedOrUpdated   2m
+```
+
+## Set up /etc/hosts or DNS
+
+This example uses a local NGINX Ingress Controller instance, so the /etc/hosts file
+is being used to set cafe.example.com and mongo.example.com to localhost.
+In a production instance, the server names would be set at the DNS layer.
+`cat /etc/hosts`
+
+```shell
+...
+127.0.0.1 cafe.example.com
+127.0.0.1 mongo.example.com
+```
+
+## Expose port 7000 of the LoadBalancer service
+
+`kubectl port-forward svc/my-release-nginx-ingress-controller 7000:7000`
+
+## Use `ncat` to ping cafe.example.com on port 7000 with SSL
+
+`ncat --ssl cafe.example.com 7000`
+When you write a message you should receive the following response:
+
+```shell
+hi
+hi
+```
+
+Close the connection (CTRL+ c), then view the NGINX Ingress Controller logs.
+
+The request and response should both be 2 bytes.
+
+```shell
+127.0.0.1 [24/Sep/2024:15:48:58 +0000] TCP 200 3 3 2.702 "-
+```
+
+## Use mongosh to connect to the mongodb container through the TransportServer on port 7000
+
+`mongosh --host mongo.example.com --port 7000 --tls --tlsAllowInvalidCertificates`
+
+```shell
+test> show dbs
+admin   40.00 KiB
+config  60.00 KiB
+local   40.00 KiB
+test>
+```

examples/custom-resources/transport-server-sni/cafe-secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUY1ekNDQTgrZ0F3SUJBZ0lVR2dXT0JNTkR2TXNWOGY3OWc0MlpSZy9KaWc0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZSXhDekFKQmdOVkJBWVRBbGhZTVJJd0VBWURWUVFJREFsVGRHRjBaVTVoYldVeEVUQVBCZ05WQkFjTQpDRU5wZEhsT1lXMWxNUlF3RWdZRFZRUUtEQXREYjIxd1lXNTVUbUZ0WlRFYk1Ca0dBMVVFQ3d3U1EyOXRjR0Z1CmVWTmxZM1JwYjI1T1lXMWxNUmt3RndZRFZRUUREQkJqWVdabExtVjRZVzF3YkdVdVkyOXRNQjRYRFRJME1Ea3kKTXpFd01EUXdNVm9YRFRNME1Ea3lNVEV3TURRd01Wb3dnWUl4Q3pBSkJnTlZCQVlUQWxoWU1SSXdFQVlEVlFRSQpEQWxUZEdGMFpVNWhiV1V4RVRBUEJnTlZCQWNNQ0VOcGRIbE9ZVzFsTVJRd0VnWURWUVFLREF0RGIyMXdZVzU1ClRtRnRaVEViTUJrR0ExVUVDd3dTUTI5dGNHRnVlVk5sWTNScGIyNU9ZVzFsTVJrd0Z3WURWUVFEREJCallXWmwKTG1WNFlXMXdiR1V1WTI5dE1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBbjkvZwpkMml5NEZyaGNtS3ZXQTVHZXFiS1c5WU1xeml6Vm4yRExkd215enkvS2FUdTdtUlkvUWRsTkxHaVhIM1NEa0FkCkhtZFJEK0Zob1ZHaWxoTjEzcTI0azdyRSt6dk1iMlRqdnBnMmVLYVd1dDBHaGQ3V3l3TnpIUU9WcWJCM2o2U2QKSE1sNlJKK25ERHo2Yi9adkRiNm9nQjBucUowZjBWN0tBMHFFalYxVld2dXI4YVZpVlVxK0tBOVMveEdJMHZSSwo2NE9BS2xIUUF4a2xGWWhheHVjcWRsS0owQlRXekE0Z0gzUTZlQi9CRjNOMTJDQjgrMVEzZG54bU5TVnpLbXp1CmJYdm1jK1RPUjg0V3ovemlaMTl1K3RuRHg2aklNajZZQXd2M0tzSVlYbmV1ZEgycUZKRG5FMmZwYjNnZzRxbm0KQnduY0ZlU1poY09nZWdnR1RmKzRTc3YwRUNuamNNdXhteTEwMTNwY0h1a2prTUNmVGJsUGZTU0NNS24rVnlGZQpUNzlSeUkxM3hmL0JXOSt0aTFad1IwYVpkWk5jV1R2Um53R1M1bWhnelJXclhRUmdJQlVVVjk2N3cxRVVONDJVCkE3ZjBVSzZlYks5bExBMnNZWmJJSWUrbllRY1d1OVRuNXo5YnVwK2w3aU5hUDYxWXdwWGdrUTFyNHlSamhMeUEKajVha1Z5VnROYzZmSWltaXlWV0Y1QzBaZnNIYzF3cUpLb2lXQzBtT1dyNEVRSVorRkY2WC9FRytSMmhodjZkQQpGcndpd3BHUE9kWkROQzNqNFBqVzVreWlYMlh2Vm1RWTUvbkxNdFpUaFF6VHpadG8zT3M4d1RsRjFyQlZkd05iCi9zNTh2dnlTQitsYk5Sd215TEErQVYvOGQ2L2VNcGZjS0ZyYU85OENBd0VBQWFOVE1GRXdIUVlEVlIwT0JCWUUKRktEejZlREZLaC93ZDVLTHpPMXpCMDR2UGVRSU1COEdBMVVkSXdRWU1CYUFGS0R6NmVERktoL3dkNUtMek8xegpCMDR2UGVRSU1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dJQkFKQnd5WVlyCllXa3RvRGJPYlpHRUFXT0lEcjFTb3NWRDVIRXdkazV6ZTJuT05oQXFHVWszOHpUT3V1VVZRNk5lT1c1UWtML3oKVTFUa3dwUlNFNjFpbVZHOUdjYWY5ampkSjd5VGhsOGpmZXUyWTF4RHo1OUpmbWJ1WUo2SGE4ZmR4STAxQXZ3RgoxaERYY1ZEcTZoalhhb0pKMVZta1NiTEJPc1JXaGVzWGl1K3FiN3NSOUhlZmJmaTUxandQb2NFblE4YzNiWXF5CmpIRkwxS1JJekIyR2VYVGk2WngwN2lqcDZIeGJSQUFEWnBuRGN0blM1UVQvTGFoYklIZVNNTExMK21vdnUrSUgKTVgwQmtaYmJjRk94L3d2ZlN1SXdveEVXR1RjVGJIYnJGanVUUDRkalpPdFhybElSK1RJTmRiaFhaMm1XZVdHbgpRa0tkcyt4a3puNzNZbG9xZCtPZGZ2d1dJYXVFYktuaXdQUk01NHZqK0dnbndiWmZNWXpnY292cE5BYzZjMmlmCkNNdHlHWDBUREptSjRVWC9FaFFSYTArSURMbFZTMWc2Y3IxWmVQM1N1MWpkSnhBSFVwUjZwSVYrWGdsTENDdGYKQXdDUW9BUWtUeXkyb0Y1Z0hWOGVuc28zVE15cmI5R1NBWDF0UEdJL080L3VCRDBqRzQ4anZsZEI3dzZKbjdmSwoyS21DWnIwYlRDdU9vWnVuZHA3OHA2R1ozb3lVOXBxcTFTUmU0MTdjSlVuNzR3S05TTkd0U0xTNm9OZ3FQQ2h6Cm9ZTy9zK0NHL295c0JUcTBma2VBYXdMZ2oxVG9ybGNsaEt6M05uWUtLZmhDVFBLTDVVUFZLNjVXQ3V2djlSVWgKVUZvM2F2TnhhSmpWUEY4V0FVUnRZem82bXBadFRITm53ZkJTCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRQ2YzK0IzYUxMZ1d1RnkKWXE5WURrWjZwc3BiMWd5ck9MTldmWU10M0NiTFBMOHBwTzd1WkZqOUIyVTBzYUpjZmRJT1FCMGVaMUVQNFdHaApVYUtXRTNYZXJiaVR1c1Q3Tzh4dlpPTyttRFo0cHBhNjNRYUYzdGJMQTNNZEE1V3BzSGVQcEowY3lYcEVuNmNNClBQcHY5bThOdnFpQUhTZW9uUi9SWHNvRFNvU05YVlZhKzZ2eHBXSlZTcjRvRDFML0VZalM5RXJyZzRBcVVkQUQKR1NVVmlGckc1eXAyVW9uUUZOYk1EaUFmZERwNEg4RVhjM1hZSUh6N1ZEZDJmR1kxSlhNcWJPNXRlK1p6NU01SAp6aGJQL09KblgyNzYyY1BIcU1neVBwZ0RDL2Nxd2hoZWQ2NTBmYW9Va09jVForbHZlQ0RpcWVZSENkd1Y1Sm1GCnc2QjZDQVpOLzdoS3kvUVFLZU53eTdHYkxYVFhlbHdlNlNPUXdKOU51VTk5SklJd3FmNVhJVjVQdjFISWpYZkYKLzhGYjM2MkxWbkJIUnBsMWsxeFpPOUdmQVpMbWFHRE5GYXRkQkdBZ0ZSUlgzcnZEVVJRM2paUUR0L1JRcnA1cwpyMlVzRGF4aGxzZ2g3NmRoQnhhNzFPZm5QMXU2bjZYdUkxby9yVmpDbGVDUkRXdmpKR09FdklDUGxxUlhKVzAxCnpwOGlLYUxKVllYa0xSbCt3ZHpYQ29rcWlKWUxTWTVhdmdSQWhuNFVYcGY4UWI1SGFHRy9wMEFXdkNMQ2tZODUKMWtNMExlUGcrTmJtVEtKZlplOVdaQmpuK2NzeTFsT0ZETlBObTJqYzZ6ekJPVVhXc0ZWM0Exdit6bnkrL0pJSAo2VnMxSENiSXNENEJYL3gzcjk0eWw5d29XdG83M3dJREFRQUJBb0lDQUNkQmRZQmNlTytWNFIyUkZiVHRiR2paClkzN0JSRU1XblJKenB5NHZqR2NDOTMxbVBqVFM5dmJLUmhOMk9vT3pjVXlHZVovcGhvSDd1VmsvRGtrRFprSFQKTGlzNEJQNGJaTXRGWHBhQ0VYMzJpYlJBYVVXZHZlZ0RaTlNPK01TOXk5MjljY2FMd2pYdmJia1hqL2JGNytiVQpGZE8vVk9tV0N5WUJ2R0NxZjNtbW5UckY2U1pna1pDWDFiRkljZnluZFkwMjV0NkZYNGNFcDZyYkZidi95eXBqCndJMWxIdW0wOURrT2p0eXFVV0VGaXdnVEZiQ0g2YWhjdVhHaWdnWXl0K0NHOXRSelE5YlpLNzE5NFNRWTJBN0IKNUNJOExsSnNJeHdUT29naysvL0h3T3dSUHdqamdrdWllTnJPL1FhZDNKVkxXbXdJQTc1c2J6WGxIeFpYdWhReApFZTlTTVNaRE5JMGMvcGdDVXloL2h5Y3ZYWVJKb1dIMnZYTDYzL1EyRWJVVVZVcXpzcEpjV0xMbkhSSFdBQjZQCmtPb0FMeEs2M3lpQTU5KzREQ0ZZMGM0dXd4WHM5YnZlVWk5UUdxaUtoZkFaNmE3Ymh4ajNvRWIvRDZ0dWZKb1QKMnIxUXFKTlJ4N0RzMmJUc3J6SEgyYmVKR0R4bFJ4djdaNmdSTzdHd2lrU25veDlMcnY3YzMwUHp0WjZENXhwQwpoVHdmM0VpRWlrZ2pOM1FGd2RaUXVqV3RxWXQ1UWVGYUxpL2Q3VXZteFdZNWcrWTYyQnFkNnBpWFFJSlFVbDZUCmZmU0U2OEYvZWF6QnhPQm9INUMvWWcrd1kyVEpTb1BzK3NFUUtnYlNJTmRQNHU4N3FiQ056YWZ4WjFySTN1dmgKR3NZTWpSbm50c3RKamJXVEJkakJBb0lCQVFEZXpsY3dVNFJYbnhKVENSTjFQZUx1UHI2aXFnc09uY1lRRXNuTgpZemdwOXF6eC9SSTJodGZCYnN6TkM2RUZ3eDBDZy8wRnpRbVhqWEQ3VmhQS0UrOHBXMmQzNTg4YTBwU0xSbFBOCkprUnFxR2ovbzhIaEtmTGdCYy9BSGU3dkJEZG1UTXh1d0o1SmFmMWZ3OGtxNEJyRXROTi83SVF3MkNYcFNIK2MKSEhSZnBTM1JidDArbW9xK2RTRW1pU2h3UGgxL2FJbng4ZnBKbTFmaU1QdXhvYStzOXNUVmQ3Ky9GSjdIaWNZSApSQThQRHdQT2RMQ2loQlZFT3liSkduTlpaSFhYQTA4MThhNnpjdjU2aUM2VGZzSkhWZUg4a2Nma1IzblI4eTUvCkx2MnI1QzVaZWJlbW9ZaVhBTC9sVnZ0QUNGMXE3UW1zdlRkQ2R3R1lvaXBMbksvNUFvSUJBUUMzc1YvcFFOVlEKSjNsZExFem9OVUdBZWFwL0NNU2tuY0lUUXNnMUI3SDJHclIyR201VGNuVGE0SE5Rbmt3a2h3YUxyTUlmVDFXZAorMFVvR3M5ZXdyYkZERWtKR0MxQVd2RmFIREk3Q3NOYUFUM2FWYTE5R1ZRWFg2NnkrWEF2QXFTOXpOU25id0J0CnM5UDFFVURwMko1SGtyNlVLUHZjSnY3Q0MyR3J5emZaTy85MFpTTlFQUXdKMXFqZ2NNOUJpMlBYSkE0OENldnMKK3RvaGFqUWFIMStVY0VqNkQ0SHhoQ1RtcTBxM2YvdFNudk9iaTNOYklEWjNEWmR4ejVPelJSVmpLNWlSOGZDNQpzSVVKckxCSXRZeWpUeHAzTzROUmRFaHhzamdBZTZrSTV2dm95RVAvRFZwTFlQU0s3cFpoVjJ4YUpXUkZUUVZzCjhrKzZDbGduWGZDWEFvSUJBUUM5QjY4dFR3NHZFTVNKTW1BUnprbWovQlBkQ2d1TGdRd3pRdDEzcGNCV3lmUDgKOHNycS9BZzlFbllyV0x4cW1Sa1pzMFdPRUdFYzlXRnZ1NTNhaW9NVVFYcE5YcHgxazBkM3lsajY2b2FOUHdpbQpLeGNvbzJCdDlFQklMSjAwcUEwZ2UvUE4yeG53Q3o1dWF6dFhadjhPK0tPZ0d0Z2tZSjM1aUFyTU5jLzkvYlFiCnhjVnJnYzVJdkRNOThJd2dmbktrVDlzSkxGVSs4YzdrRnM3VDYrdVNBV01LQVNqclF1RmJSV1ovYjV5ZkdBd1EKc3l2UkZlSzlHcnBUVUYrZzdmeVVTVGlBK2VWUVZqWFZXNGk0bG9qWjRPRjBXWEtRR0p3Z0pnUEMzK2xVVnFtRQpQQ0kxKzBKWmFzZGtHaUhjTjd5YUpUVmFHc2F4V3lvOWh3Zi9VcFp4QW9JQkFDQ0hDem5ObmpoTVZTUlhsT0xGCmsyekJucHhTSENnZU8yQ1h3Y1lLTDh3cG5HMFJieG5kdWEyTWN6OENXTzlhN2FETUhhL1hwNHlMRXdydi9HcUcKUmtFTVZONkVabmJ2NDY4V01ScmRaQXhMRGYzY2tCVUg2Q2tmYTFzTDZuNllsRDE3eU9oQk1xMDZXNzBZcWdyKwpyY0IwenNTRG9WMnhsZ2tjWk5ZNzdRN05uZ1dwWnlCdFB2VjdDbnA3MzJkMjNGNGJaMTNnVCtPdDQvUm96d01WCkxTS200M1ZNUzdGTnVnOFNvKzlzZlQ5N0lCNGFDbnBIY1AyUjdaQmN0b1hYSk50anUrZVVGUkY4bllKQ0R4RkEKL0w5cVlZQmRqSHBmQWZrSUd2eVM2VExIWERJelREOGN5VEZ4NEx1OVZlbTB4bDRNSXY1V2pqQmxsQktZaEZXcwpQODhDZ2dFQkFKUjR5UUIrREtoRE1ZOGlHOXpYWUJpWmZ5MFI2c21oeEJycTREZWd4cElkajBydHUyMFNuWDdsCnN3YlZsN2NmdWRxUi9tVEhnZ1lYeGJSS3UxUXhmN3NHTW4zWVpRY1AxZDVJelFMOWZFQitidGJsdWY5VTB4NDIKUzM0U0l6Z25pd0hPQnN3M2ZLYm1Gbnc1dmtNd2RoemlBT1R0elRwcmU3ckdhaEpwZlk0eFRWWjZpK3pjQ1pCWgo0ZHhSTjlQWnBiQm4vNmJDTFY3S0I3ZmY0Uk04b3c3K1l4aHFFTFhxcnVQS2paMnRRSWs2M2hzZklMd0tiRWIrCkhEM2VLZEhNc2hhbXFXZzI0NnlORW5nQUZCQzhoVU5kQ0pmeUthUlhkSlV5eDhqcWlKM3ErdnpnNFBieUhqeW0KZEQzM2pVT2UwdHdoSWJxKytUaXZCa1ptSDBsSStnVT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
+kind: Secret
+metadata:
+  creationTimestamp: null
+  name: cafe-secret
+type: kubernetes.io/tls

examples/custom-resources/transport-server-sni/cafe-transport-server.yaml

@@ -0,0 +1,17 @@
+apiVersion: k8s.nginx.org/v1
+kind: TransportServer
+metadata:
+  name: cafe-ts
+spec:
+  host: cafe.example.com
+  listener:
+    name: tcp-listener
+    protocol: TCP
+  tls:
+    secret: cafe-secret
+  upstreams:
+    - name: tcp-echo
+      service: tcp-echo-service
+      port: 7000
+  action:
+    pass: tcp-echo