From 2cfb5adeaaf455df309c193617012ebce8c0aaf4 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Thu, 2 Oct 2025 14:15:38 +0100 Subject: [PATCH 1/7] Pin NAP v4 --- Makefile | 6 +++--- build/Dockerfile | 6 +++--- cmd/nginx-ingress/main.go | 11 ++++++----- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/Makefile b/Makefile index 551a3ee220..8a1c1fb42e 100644 --- a/Makefile +++ b/Makefile @@ -4,9 +4,9 @@ GIT_TAG = $(shell git describe --exact-match --tags || echo untagged) VERSION = $(VER)-SNAPSHOT NGINX_OSS_VERSION ?= 1.29 NGINX_PLUS_VERSION ?= R35 -NAP_WAF_VERSION ?= 35+5.498 -NAP_WAF_COMMON_VERSION ?= 11.533 -NAP_WAF_PLUGIN_VERSION ?= 6.20.0 +NAP_WAF_VERSION ?= 35+5.527 +NAP_WAF_COMMON_VERSION ?= 11.559 +NAP_WAF_PLUGIN_VERSION ?= 6.23.0 NGINX_AGENT_VERSION ?= 3.3 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key diff --git a/build/Dockerfile b/build/Dockerfile index 1a5f883ba6..6962c783f9 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -2,9 +2,9 @@ ARG BUILD_OS=debian ARG NGINX_OSS_VERSION=1.29 ARG NGINX_PLUS_VERSION=R35 -ARG NAP_WAF_VERSION=35+5.498 -ARG NAP_WAF_COMMON_VERSION=11.533 -ARG NAP_WAF_PLUGIN_VERSION=6.20.0 +ARG NAP_WAF_VERSION=35+5.527 +ARG NAP_WAF_COMMON_VERSION=11.559 +ARG NAP_WAF_PLUGIN_VERSION=6.23.0 ARG NGINX_AGENT_VERSION=3.3 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 9b039002d2..4a57670da5 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -12,7 +12,6 @@ import ( "os/signal" "path/filepath" "reflect" - "regexp" "runtime" "strings" "syscall" 
@@ -146,10 +145,12 @@ func main() { if *appProtect { appProtectVersion = getAppProtectVersionInfo(ctx) - r := regexp.MustCompile("^5.*") - if r.MatchString(appProtectVersion) { - appProtectV5 = true - appProtectBundlePath = appProtectv5BundleFolder + for _, flag := range parsedFlags { + if strings.Contains(flag, "app-protect-enforcer-address") { + appProtectV5 = true + appProtectBundlePath = appProtectv5BundleFolder + break + } } } From 85c3a549c702bc529765f8d6480bff94dd666a72 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Thu, 2 Oct 2025 16:25:26 +0100 Subject: [PATCH 2/7] update NAP to 5.9.0 --- .github/workflows/regression.yml | 2 +- .github/workflows/setup-smoke.yml | 2 +- charts/nginx-ingress/values.schema.json | 20 ++++++++++---------- charts/nginx-ingress/values.yaml | 4 ++-- tests/settings.py | 2 +- webapp-with-waf.yaml | 0 6 files changed, 15 insertions(+), 15 deletions(-) create mode 100644 webapp-with-waf.yaml diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index dca2641d90..7252059449 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -275,7 +275,7 @@ jobs: - name: Generate WAF v5 tgz from JSON run: | - docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.8.0 -p /data/wafv5.json -o /data/wafv5.tgz + docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.9.0 -p /data/wafv5.json -o /data/wafv5.tgz if: ${{ contains(matrix.images.image, 'nap-v5')}} - name: Run Regression Tests diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 4ed8fb9205..184715ceeb 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml 
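Review bot: In the PATCH 1/7 hunk of cmd/nginx-ingress/main.go, `strings.Contains(flag, "app-protect-enforcer-address")` matches that text anywhere in an argument, so (assuming `parsedFlags` holds the raw command-line arguments) another flag's value containing it would also set `appProtectV5` and switch to `appProtectv5BundleFolder`. Comparing the flag name exactly is tighter, e.g. `name, _, _ := strings.Cut(strings.TrimLeft(f, "-"), "=")` followed by `if name == "app-protect-enforcer-address" {`. The loop variable `flag` would also shadow the standard `flag` package inside the loop if this file imports it (the import list is only partly visible), so a name such as `f` is safer. The body of main continues outside the hunk.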
@@ -152,7 +152,7 @@ jobs: - name: Generate WAF v5 tgz from JSON run: | - docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.8.0 -p /data/wafv5.json -o /data/wafv5.tgz + docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.9.0 -p /data/wafv5.json -o /data/wafv5.tgz if: ${{ contains(inputs.image, 'nap-v5')}} - name: Run Smoke Tests diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 1fe9b4deb3..6159a95bea 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -350,10 +350,10 @@ }, "tag": { "type": "string", - "default": "5.8.0", + "default": "5.9.0", "title": "The tag of the App Protect WAF v5 Enforcer image", "examples": [ - "5.8.0" + "5.9.0" ] }, "digest": { @@ -389,7 +389,7 @@ "examples": [ { "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.8.0", + "tag": "5.9.0", "pullPolicy": "IfNotPresent" } ] @@ -422,10 +422,10 @@ }, "tag": { "type": "string", - "default": "5.8.0", + "default": "5.9.0", "title": "The tag of the App Protect WAF v5 Config Manager image", "examples": [ - "5.8.0" + "5.9.0" ] }, "digest": { @@ -461,7 +461,7 @@ "examples": [ { "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.8.0", + "tag": "5.9.0", "pullPolicy": "IfNotPresent" } ] @@ -2020,7 +2020,7 @@ "port": 50000, "image": { "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.8.0", + "tag": "5.9.0", "pullPolicy": "IfNotPresent" }, "securityContext": {} @@ -2028,7 +2028,7 @@ "configManager": { "image": { "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.8.0", + "tag": "5.9.0", "pullPolicy": "IfNotPresent" }, "securityContext": { 
@@ -2660,7 +2660,7 @@ "port": 50000, "image": { "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.8.0", + "tag": "5.9.0", "pullPolicy": "IfNotPresent" }, "securityContext": {} @@ -2668,7 +2668,7 @@ "configManager": { "image": { "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.8.0", + "tag": "5.9.0", "pullPolicy": "IfNotPresent" }, "securityContext": { diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index 8693a0517c..bd8c29892c 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml @@ -84,7 +84,7 @@ controller: repository: private-registry.nginx.com/nap/waf-enforcer ## The tag of the App Protect WAF v5 Enforcer image. - tag: "5.8.0" + tag: "5.9.0" ## The digest of the App Protect WAF v5 Enforcer image. ## If digest is specified it has precedence over tag and will be used instead # digest: "sha256:CHANGEME" @@ -100,7 +100,7 @@ controller: repository: private-registry.nginx.com/nap/waf-config-mgr ## The tag of the App Protect WAF v5 Configuration Manager image. - tag: "5.8.0" + tag: "5.9.0" ## The digest of the App Protect WAF v5 Configuration Manager image. ## If digest is specified it has precedence over tag and will be used instead # digest: "sha256:CHANGEME" diff --git a/tests/settings.py b/tests/settings.py index 585a7b86aa..335cbb80fa 100644 --- a/tests/settings.py +++ b/tests/settings.py @@ -33,4 +33,4 @@ # Nginx registry address to pull waf components from NGX_REG = "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr" # WAF component version to pull from above registry -WAF_V5_VERSION = "5.8.0" +WAF_V5_VERSION = "5.9.0" diff --git a/webapp-with-waf.yaml b/webapp-with-waf.yaml new file mode 100644 index 0000000000..e69de29bb2 From 91492c450a0ba663607cd8d5c996b3f445eaa4e9 Mon Sep 17 00:00:00 2001 
From: Alex Fenlon Date: Thu, 2 Oct 2025 17:06:32 +0100 Subject: [PATCH 3/7] update data.json --- tests/data/modules/data.json | 40 ++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tests/data/modules/data.json b/tests/data/modules/data.json index ead2e1dfd2..e51122a66c 100644 --- a/tests/data/modules/data.json +++ b/tests/data/modules/data.json @@ -80,11 +80,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-attack-signatures", @@ -126,11 +126,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-module-plus", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-plugin", @@ -202,11 +202,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-attack-signatures", @@ -349,11 +349,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35.5.498" + "version": "35.5.527" }, { "name": "app-protect", - "version": "35.5.498" + "version": "35.5.527" }, { "name": "app-protect-attack-signatures", @@ -395,11 +395,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35.5.498" + "version": "35.5.527" }, { "name": "app-protect-module-plus", - "version": "35.5.498" + "version": "35.5.527" }, { "name": "app-protect-plugin", @@ -495,11 +495,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-attack-signatures", 
@@ -541,11 +541,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-module-plus", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-plugin", @@ -583,11 +583,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-attack-signatures", @@ -629,11 +629,11 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-module-plus", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-plugin", @@ -701,7 +701,7 @@ }, { "name": "nginx-plus-module-appprotect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "nginx-plus-module-appprotectdos", @@ -713,7 +713,7 @@ }, { "name": "app-protect", - "version": "35+5.498" + "version": "35+5.527" }, { "name": "app-protect-attack-signatures", From 9563a6cd880c45a180dda2b35d770456ef4f735b Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Fri, 3 Oct 2025 11:07:45 +0100 Subject: [PATCH 4/7] Fix data.json and add flag to pytest --- tests/data/modules/data.json | 8 ++++---- tests/suite/utils/resources_utils.py | 1 + webapp-with-waf.yaml | 0 3 files changed, 5 insertions(+), 4 deletions(-) delete mode 100644 webapp-with-waf.yaml diff --git a/tests/data/modules/data.json b/tests/data/modules/data.json index e51122a66c..9ed3defab0 100644 --- a/tests/data/modules/data.json +++ b/tests/data/modules/data.json @@ -134,7 +134,7 @@ }, { "name": "app-protect-plugin", - "version": "6.20.0" + "version": "6.23.0" }, { "name": "nginx-agent", @@ -403,7 +403,7 @@ }, { "name": "app-protect-plugin", - "version": "6.20.0" + "version": "6.23.0" } ], "system": "alpine", @@ -549,7 +549,7 @@ }, { "name": "app-protect-plugin", - "version": "6.20.0" + "version": "6.23.0" } ], "system": "ubi", 
@@ -637,7 +637,7 @@ }, { "name": "app-protect-plugin", - "version": "6.20.0" + "version": "6.23.0" } ], "system": "ubi", diff --git a/tests/suite/utils/resources_utils.py b/tests/suite/utils/resources_utils.py index e0cd22bb26..e07cf63bce 100644 --- a/tests/suite/utils/resources_utils.py +++ b/tests/suite/utils/resources_utils.py @@ -1414,6 +1414,7 @@ def create_ingress_controller_wafv5( [ f"-default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret", f"-enable-telemetry-reporting=false", + f"-app-protect-enforcer-address", ] ) diff --git a/webapp-with-waf.yaml b/webapp-with-waf.yaml deleted file mode 100644 index e69de29bb2..0000000000 From 544c920bb952172cfa9fe268400c174e84f03440 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Fri, 3 Oct 2025 12:35:15 +0100 Subject: [PATCH 5/7] change v5 check to check if file exists --- cmd/nginx-ingress/main.go | 13 ++++++++----- tests/suite/utils/resources_utils.py | 1 - 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index 4a57670da5..bc7885dd8d 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -145,12 +145,15 @@ func main() { if *appProtect { appProtectVersion = getAppProtectVersionInfo(ctx) - for _, flag := range parsedFlags { - if strings.Contains(flag, "app-protect-enforcer-address") { - appProtectV5 = true - appProtectBundlePath = appProtectv5BundleFolder - break + if _, err := os.Stat("/opt/app_protect/VERSION.common"); os.IsNotExist(err) { + appProtectV5 = true + appProtectBundlePath = appProtectv5BundleFolder + nl.Infof(l, "Detected WAF v5") + } else { + if err != nil { + nl.Warnf(l, "Cannot detect WAF version: %v, defaulting to WAF v4", err) } + nl.Infof(l, "Detected WAF v4") } } diff --git a/tests/suite/utils/resources_utils.py b/tests/suite/utils/resources_utils.py index e07cf63bce..e0cd22bb26 100644 --- a/tests/suite/utils/resources_utils.py +++ b/tests/suite/utils/resources_utils.py 
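Review bot: In the PATCH 5/7 hunk of cmd/nginx-ingress/main.go, the `else` branch logs `Detected WAF v4` even when `os.Stat` failed for a reason other than not-exist, right after warning that the version could not be detected. The two outcomes should be exclusive, e.g. `} else if err != nil { nl.Warnf(l, "Cannot detect WAF version: %v, defaulting to WAF v4", err) } else { nl.Infof(l, "Detected WAF v4") }`. v5 mode is inferred solely from the absence of `/opt/app_protect/VERSION.common`, so an image where that file is missing or moved selects `appProtectv5BundleFolder`; the path deserves a named constant with a comment saying why absence means v5. PATCH 7/7 on this page later deletes both log calls, after which a Stat error other than not-exist falls through to v4 with nothing in the log, so keeping at least the warning is worth considering. The body of main continues outside the hunk.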
@@ -1414,7 +1414,6 @@ def create_ingress_controller_wafv5( [ f"-default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret", f"-enable-telemetry-reporting=false", - f"-app-protect-enforcer-address", ] ) From dfaea89c2bf3bfcf07a9f2864dd99e9ac5f8d2a5 Mon Sep 17 00:00:00 2001 From: Alex Fenlon Date: Fri, 3 Oct 2025 12:48:43 +0100 Subject: [PATCH 6/7] update snaps --- charts/tests/__snapshots__/helmunit_test.snap | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/tests/__snapshots__/helmunit_test.snap b/charts/tests/__snapshots__/helmunit_test.snap index 3d91c099a9..3a12a7696e 100755 --- a/charts/tests/__snapshots__/helmunit_test.snap +++ b/charts/tests/__snapshots__/helmunit_test.snap @@ -1936,7 +1936,7 @@ spec: - -weight-changes-dynamic-reload=false - name: waf-enforcer - image: my.private.reg/nap/waf-enforcer:5.8.0 + image: my.private.reg/nap/waf-enforcer:5.9.0 imagePullPolicy: "IfNotPresent" env: - name: ENFORCER_PORT @@ -1947,7 +1947,7 @@ spec: - name: app-protect-bd-config mountPath: /opt/app_protect/bd_config - name: waf-config-mgr - image: my.private.reg/nap/waf-config-mgr:5.8.0 + image: my.private.reg/nap/waf-config-mgr:5.9.0 imagePullPolicy: "IfNotPresent" securityContext: @@ -2519,7 +2519,7 @@ spec: - -agent-instance-group=app-protect-wafv5-agentv2-nginx-ingress-controller - name: waf-enforcer - image: my.private.reg/nap/waf-enforcer:5.8.0 + image: my.private.reg/nap/waf-enforcer:5.9.0 imagePullPolicy: "IfNotPresent" env: - name: ENFORCER_PORT @@ -2530,7 +2530,7 @@ spec: - name: app-protect-bd-config mountPath: /opt/app_protect/bd_config - name: waf-config-mgr - image: my.private.reg/nap/waf-config-mgr:5.8.0 + image: my.private.reg/nap/waf-config-mgr:5.9.0 imagePullPolicy: "IfNotPresent" securityContext: From 2105e27181462c3f37d547071082a154f4b03ee4 Mon Sep 17 00:00:00 2001 
From: Alex Fenlon Date: Fri, 3 Oct 2025 15:46:14 +0100 Subject: [PATCH 7/7] address comments --- cmd/nginx-ingress/main.go | 6 ------ 1 file changed, 6 deletions(-) diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go index bc7885dd8d..9016e16c43 100644 --- a/cmd/nginx-ingress/main.go +++ b/cmd/nginx-ingress/main.go @@ -148,12 +148,6 @@ func main() { if _, err := os.Stat("/opt/app_protect/VERSION.common"); os.IsNotExist(err) { appProtectV5 = true appProtectBundlePath = appProtectv5BundleFolder - nl.Infof(l, "Detected WAF v5") - } else { - if err != nil { - nl.Warnf(l, "Cannot detect WAF version: %v, defaulting to WAF v4", err) - } - nl.Infof(l, "Detected WAF v4") } }