Replace hardcoded keys

.github/actions/smoke-tests/action.yaml

@@ -82,7 +82,7 @@ runs:
         -v "/var/run/docker.sock:/var/run/docker.sock" \
         -v ~/.docker:/root/.docker \
         -v ${{ github.workspace }}/tests:/workspace/tests \
-        -v ${{ github.workspace }}/examples/common-secrets:/workspace/examples/common-secrets \
+        -v ${{ github.workspace }}/common-secrets:/workspace/common-secrets \
         -v ${{ github.workspace }}/deployments:/workspace/deployments \
         -v ${{ github.workspace }}/charts:/workspace/charts \
         -v ${{ github.workspace }}/config:/workspace/config \

.github/workflows/ci.yml

@@ -316,6 +316,10 @@ jobs:
           chmod 600 $HOME/.netrc
         if: ${{ inputs.force || (needs.checks.outputs.binary_cache_hit != 'true' && needs.checks.outputs.forked_workflow != 'true') }}
 
+      - name: Generate secrets for tests
+        run: |
+          make secrets
+
       - name: Run Tests
         run: make cover
         if: ${{ needs.checks.outputs.binary_cache_hit != 'true' && (inputs.run_tests && inputs.run_tests || true) }}

.github/workflows/lint-format.yml

@@ -51,6 +51,10 @@ jobs:
         with:
           go-version-file: go.mod
 
+      - name: Generate secrets for linting
+        run: |
+          make secrets
+
       - name: Lint Code
         uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:

.github/workflows/setup-smoke.yml

@@ -54,6 +54,10 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
+      - name: Generate Secrets for tests
+        run: |
+          make secrets
+
       - name: Set image variables
         id: image_details
         run: |

.gitignore

@@ -64,3 +64,245 @@ package.json
 # kind kube-config
 kube-local
 venv/
+
+# AUTO GENERATED SECTION BY CERTGEN (hack/secrets-gen/gitignore-gen.go), DO NOT EDIT BELOW
+
+# TLS Certificate secrets
+common-secrets/tls-secret.yaml
+examples/custom-resources/api-key/cafe-secret.yaml
+examples/custom-resources/backup-directive/transport-server/app-tls-secret.yaml
+examples/custom-resources/backup-directive/virtual-server/cafe-secret.yaml
+examples/custom-resources/basic-auth/cafe-secret.yaml
+examples/custom-resources/basic-configuration/cafe-secret.yaml
+examples/custom-resources/cache-policy/cafe-secret.yaml
+examples/custom-resources/cross-namespace-configuration/cafe-secret.yaml
+examples/custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml
+examples/custom-resources/custom-listeners/cafe-secret.yaml
+examples/custom-resources/external-dns/cafe-secret.yaml
+examples/custom-resources/externalname-services/transport-server/app-tls-secret.yaml
+examples/custom-resources/foreign-namespace-upstreams/cafe-secret.yaml
+examples/custom-resources/grpc-upstreams/greeter-secret.yaml
+examples/custom-resources/ingress-mtls/tls-secret.yaml
+examples/custom-resources/jwks/tls-secret.yaml
+examples/custom-resources/oidc-fclo/tls-secret.yaml
+examples/custom-resources/oidc/tls-secret.yaml
+examples/custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml
+examples/custom-resources/service-insight/service-insight-secret.yaml
+examples/custom-resources/tls-passthrough/app-tls-secret.yaml
+examples/custom-resources/transport-server-sni/cafe-secret.yaml
+examples/custom-resources/transport-server-sni/mongo-secret.yaml
+examples/ingress-resources/app-protect-dos/webapp-secret.yaml
+examples/ingress-resources/app-protect-waf/cafe-secret.yaml
+examples/ingress-resources/basic-auth/cafe-secret.yaml
+examples/ingress-resources/complete-example/cafe-secret.yaml
+examples/ingress-resources/mergeable-ingress-types/cafe-secret.yaml
+examples/ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml
+examples/ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml
+examples/ingress-resources/rate-limit/cafe-secret.yaml
+examples/ingress-resources/security-monitoring/cafe-secret.yaml
+tests/data/dos/tls-secret.yaml
+tests/data/hsts/mergeable-tls/tls-secret.yaml
+tests/data/hsts/standard-tls/tls-secret.yaml
+tests/data/ingress-mtls/secret/tls-secret.yaml
+tests/data/smoke/smoke-secret.yaml
+tests/data/upgrade-test-resources/secret.yaml
+tests/data/virtual-server-certmanager/tls-secret.yaml
+tests/data/virtual-server-grpc/tls-secret.yaml
+tests/data/virtual-server-route-grpc/tls-secret.yaml
+tests/data/watch-secret-namespace/tls-secret.yaml
+common-secrets/appprotect-secret.yaml
+tests/data/appprotect/appprotect-secret.yaml
+common-secrets/tls-secret-gb.yaml
+tests/data/tls/new-tls-secret.yaml
+tests/data/virtual-server-tls/new-tls-secret.yaml
+common-secrets/tls-secret-default.yaml
+examples/shared-examples/default-server-secret/default-server-secret.yaml
+tests/data/common/default-server-secret.yaml
+common-secrets/tls-secret-grpc.yaml
+tests/data/common/app/secure/secret/grpc-secret.yaml
+common-secrets/tls-secret-default-gb.yaml
+tests/data/default-server/new-tls-secret.yaml
+common-secrets/tls-secret-invalid.yaml
+tests/data/default-server/invalid-tls-secret.yaml
+common-secrets/tls-secret-us.yaml
+tests/data/tls/tls-secret.yaml
+tests/data/virtual-server-tls/tls-secret.yaml
+tests/data/prometheus/secret.yaml
+common-secrets/tls-secret-invalid-type-some.yaml
+tests/data/tls/invalid-tls-secret.yaml
+common-secrets/tls-secret-invalid-type-broken.yaml
+tests/data/wildcard-tls-secret/invalid-wildcard-tls-secret.yaml
+common-secrets/wildcard-tls-secret.yaml
+tests/data/wildcard-tls-secret/wildcard-tls-secret.yaml
+common-secrets/wildcard-tls-secret-gb.yaml
+tests/data/wildcard-tls-secret/gb-wildcard-tls-secret.yaml
+common-secrets/vs-tls-secret.yaml
+tests/data/ap-waf-grpc/tls-secret.yaml
+common-secrets/app-tls-secret.yaml
+tests/data/common/app/secure/app-tls-secret.yaml
+tests/data/transport-server-tls-passthrough/standard/secure-app-secret.yaml
+tests/data/transport-server-backup-service/standard/secure-app-secret.yaml
+common-secrets/tls-secret-tcp-lb-cafe.yaml
+tests/data/transport-server-tcp-load-balance/new-tls-secret.yaml
+common-secrets/kic-tls-secret.yaml
+tests/data/transport-server-tcp-load-balance/tcp-tls-secret.yaml
+common-secrets/tls-secret-test.yaml
+tests/data/service-insight/secret.yaml
+common-secrets/invalid-tls-secret-sometype.yaml
+tests/data/virtual-server-tls/invalid-tls-secret.yaml
+common-secrets/cafe-secret.yaml
+tests/data/transport-server-with-host/cafe-secret.yaml
+common-secrets/ca-key-pair.yaml
+tests/data/virtual-server-certmanager/issuer-secret.yaml
+
+# mTLS Bundle Certificate secrets
+common-secrets/test-egress-mtls-secret.yaml
+common-secrets/test-secure-app-tls-secret.yaml
+common-secrets/test-egress-mtls-secret-crl.yaml
+common-secrets/test-egress-tls-client-secret.yaml
+tests/data/egress-mtls/secret/egress-mtls-secret.yaml
+tests/data/egress-mtls/secret/egress-mtls-secret-crl.yaml
+tests/data/egress-mtls/secret/tls-secret.yaml
+tests/data/common/app/secure-ca/app-tls-secret.yaml
+common-secrets/example-egress-trusted-ca-secret.yaml
+common-secrets/example-secure-app-tls-secret.yaml
+common-secrets/example-egress-trusted-ca-secret-crl.yaml
+common-secrets/example-egress-mtls-client-secret.yaml
+examples/custom-resources/egress-mtls/egress-trusted-ca-secret.yaml
+examples/custom-resources/egress-mtls/egress-trusted-ca-secret-crl.yaml
+examples/custom-resources/egress-mtls/egress-mtls-secret.yaml
+examples/custom-resources/egress-mtls/secure-app-tls-secret.yaml
+common-secrets/keycloak-ca-secret.yaml
+common-secrets/keycloak-tls-secret.yaml
+common-secrets/keycloak-ca-secret-crl.yaml
+examples/custom-resources/oidc/keycloak-ca-secret.yaml
+examples/custom-resources/oidc/keycloak-ca-secret-crl.yaml
+tests/data/oidc/keycloak-ca-secret.yaml
+tests/data/oidc/keycloak-ca-secret-crl.yaml
+examples/custom-resources/oidc/keycloak-tls-secret.yaml
+tests/data/oidc/keycloak-tls-secret.yaml
+
+# TLS Certificate secrets
+common-secrets/cafe-passwd-basic-auth-secret.yaml
+examples/ingress-resources/basic-auth/cafe-passwd.yaml
+examples/custom-resources/basic-auth/cafe-passwd.yaml
+common-secrets/auth-basic-master-htpasswd-basic-auth-secret.yaml
+tests/data/auth-basic-auth-mergeable/auth-basic-master-secret.yaml
+common-secrets/auth-basic-master-htpasswd-basic-auth-secret-updated.yaml
+tests/data/auth-basic-auth-mergeable/auth-basic-master-secret-updated.yaml
+common-secrets/auth-basic-minion-htpasswd-basic-auth-secret.yaml
+tests/data/auth-basic-auth-mergeable/auth-basic-minion-secret.yaml
+common-secrets/auth-basic-minion-htpasswd-basic-auth-secret-updated.yaml
+tests/data/auth-basic-auth-mergeable/auth-basic-minion-secret-updated.yaml
+common-secrets/auth-basic-policy-htpasswd-secret-invalid.yaml
+tests/data/auth-basic-policy/secret/htpasswd-secret-invalid.yaml
+common-secrets/auth-basic-policy-htpasswd-secret-empty.yaml
+tests/data/auth-basic-policy/secret/htpasswd-secret-valid-empty.yaml
+common-secrets/auth-basic-policy-htpasswd-secret-valid.yaml
+tests/data/auth-basic-policy/secret/htpasswd-secret-valid.yaml
+common-secrets/auth-basic-secrets-htpasswd-secret.yaml
+tests/data/auth-basic-secrets/auth-basic-secret.yaml
+common-secrets/auth-basic-secrets-htpasswd-secret-updated.yaml
+tests/data/auth-basic-secrets/auth-basic-secret-updated.yaml
+common-secrets/auth-basic-secrets-htpasswd-secret-invalid.yaml
+tests/data/auth-basic-secrets/auth-basic-secret-invalid.yaml
+
+# Jwks secrets
+common-secrets/example-jwt-jwks-secret.yaml
+examples/custom-resources/jwt/jwk-secret.yaml
+common-secrets/tests-jwt-master-jwk.yaml
+tests/data/jwt-auth-mergeable/jwt-master-secret.yaml
+common-secrets/tests-jwt-master-jwk-updated.yaml
+tests/data/jwt-auth-mergeable/jwt-master-secret-updated.yaml
+common-secrets/tests-jwt-minion-jwk.yaml
+tests/data/jwt-auth-mergeable/jwt-minion-secret.yaml
+common-secrets/tests-jwt-minion-jwk-updated.yaml
+tests/data/jwt-auth-mergeable/jwt-minion-secret-updated.yaml
+common-secrets/tests-jwt-policy-invalid-jwk.yaml
+tests/data/jwt-policy/secret/jwk-secret-invalid.yaml
+common-secrets/tests-jwt-policy-valid-jwk.yaml
+tests/data/jwt-policy/secret/jwk-secret-valid.yaml
+common-secrets/tests-jwt-secret-invalid-jwk.yaml
+tests/data/jwt-secrets/jwt-secret-invalid.yaml
+common-secrets/tests-jwt-secret-valid-jwk.yaml
+tests/data/jwt-secrets/jwt-secret.yaml
+common-secrets/tests-jwt-secret-updated-jwk.yaml
+tests/data/jwt-secrets/jwt-secret-updated.yaml
+
+# Jwt secrets
+common-secrets/fantastic-jwt-token.yaml
+examples/custom-resources/jwt/token.jwt
+examples/custom-resources/rate-limit-jwt-claim/token.jwt
+examples/ingress-resources/jwt-secret-policy/token.jwt
+tests/data/jwt-auth-mergeable/tokens/jwt-auth-master-token.jwt
+tests/data/jwt-policy/token.jwt
+tests/data/jwt-secrets/tokens/jwt-secrets-token.jwt
+common-secrets/awesome-jwt-token.yaml
+tests/data/jwt-auth-mergeable/tokens/jwt-auth-minion-token.jwt
+common-secrets/invalid-jwt-token.yaml
+tests/data/jwt-policy/invalid-token.jwt
+common-secrets/basic-jwt-token.yaml
+examples/custom-resources/rate-limit-tiered-jwt-claim/basic-token.jwt
+common-secrets/premium-jwt-token.yaml
+examples/custom-resources/rate-limit-tiered-jwt-claim/premium-token.jwt
+common-secrets/default-jwt-token.yaml
+examples/custom-resources/rate-limit-tiered-jwt-claim/default-token.jwt
+
+# API Key secrets
+common-secrets/apikey-secret-1.yaml
+tests/data/apikey-auth-policy/secret/apikey-secret-1.yaml
+common-secrets/apikey-secret-server.yaml
+tests/data/apikey-auth-policy/secret/apikey-secret-server.yaml
+common-secrets/apikey-secret-route.yaml
+tests/data/apikey-auth-policy/secret/apikey-secret-route.yaml
+common-secrets/api-key-secret-test.yaml
+tests/data/rate-limit/policies/api-key-secret.yaml
+common-secrets/api-key-secret-example.yaml
+examples/custom-resources/api-key/api-key-secret.yaml
+common-secrets/api-key-secret.yaml
+examples/custom-resources/rate-limit-tiered-apikey/api-key-secret.yaml
+common-secrets/api-key-client-secret-2.yaml
+tests/data/apikey-auth-policy/secret/apikey-secret-2.yaml
+
+# Ingress mTLS Certificate secrets
+common-secrets/ingress-mtls-secret.yaml
+tests/data/ingress-mtls/secret/ingress-mtls-secret.yaml
+common-secrets/ingress-mtls-secret-crl.yaml
+common-secrets/ingress-mtls-webapp-crl.pem
+tests/data/ingress-mtls/secret/ingress-mtls-secret-crl.yaml
+tests/data/ingress-mtls/client-auth/crl/webapp.crl
+common-secrets/ingress-mtls-secret-client.yaml
+tests/data/ingress-mtls/secret/tls-secret.yaml
+common-secrets/ingress-mtls-valid-client-cert.pem
+tests/data/ingress-mtls/client-auth/valid/client-cert.pem
+common-secrets/ingress-mtls-valid-client-key.pem
+tests/data/ingress-mtls/client-auth/valid/client-key.pem
+common-secrets/ingress-mtls-invalid-client-cert.pem
+tests/data/ingress-mtls/client-auth/invalid/client-cert.pem
+common-secrets/ingress-mtls-invalid-client-key.pem
+tests/data/ingress-mtls/client-auth/invalid/client-key.pem
+common-secrets/ingress-mtls-not-revoked-client.pem
+tests/data/ingress-mtls/client-auth/not-revoked/client-cert.pem
+common-secrets/ingress-mtls-not-revoked-client-key.pem
+tests/data/ingress-mtls/client-auth/not-revoked/client-key.pem
+common-secrets/ingress-mtls-revoked-client-cert.pem
+tests/data/ingress-mtls/client-auth/revoked/client-cert.pem
+common-secrets/ingress-mtls-revoked-client-key.pem
+tests/data/ingress-mtls/client-auth/revoked/client-key.pem
+
+# Management ConfigMap Keys Bundle secrets
+common-secrets/mgmt-cm-ssl-cert.yaml
+common-secrets/mgmt-cm-ssl-trusted-cert.yaml
+tests/data/mgmt-configmap-keys/ssl-cert.yaml
+tests/data/mgmt-configmap-keys/ssl-trusted-cert.yaml
+
+# Certificates and keys generated for embedding into the
+# `internal/k8s/secrets` package.
+
+internal/k8s/secrets/embeds-ca.crt
+internal/k8s/secrets/embeds-ca.key
+internal/k8s/secrets/embeds-empty-ca.crt
+internal/k8s/secrets/embeds-empty-ca.key
+
+
+# END CERTGEN SECTION. YOU MAY EDIT BELOW

Makefile

@@ -12,13 +12,19 @@ NAP_AGENT_VERSION             ?= 2
 NGINX_AGENT_VERSION           ?= 3.6
 PLUS_ARGS = --build-arg NGINX_PLUS_VERSION=$(NGINX_PLUS_VERSION) --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key
 
+# Variables that can be overridden
+
 # renovate: datasource=github-releases depName=dominikh/go-tools
 STATICCHECK_VERSION ?= 2025.1.1
 
 # renovate: datasource=github-releases depName=golang/vuln
 GOVULNCHECK_VERSION ?= v1.1.4
 
-# Variables that can be overridden
+GO_DOCKER_IMAGE_NAME    ?= golang
+# renovate: datasource=docker depName=golang versioning=docker
+GO_DOCKER_IMAGE_VERSION ?= 1.25.4-trixie
+GO_DOCKER_IMAGE         ?= $(GO_DOCKER_IMAGE_NAME):$(GO_DOCKER_IMAGE_VERSION)
+
 REGISTRY                      ?= ## The registry where the image is located.
 PREFIX                        ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress
 TAG                           ?= $(VERSION:v%=%) ## The tag of the image. For example, 2.0.0
@@ -284,3 +290,19 @@ update-crd-docs: ## Update CRD markdown documentation from YAML definitions
 	@echo "Generating CRD documentation..."
 	@go run hack/generate-crd-docs.go -crd-dir config/crd/bases -output-dir docs/crd
 	@echo "CRD documentation updated successfully!"
+
+.PHONY: secrets
+secrets: ## Create just in time TLS certificates etc needed for tests and examples
+ifeq (, $(shell command -v go))
+	@docker run --rm -v .:/workspace/kubernetes-ingress -w /workspace/kubernetes-ingress ${GO_DOCKER_IMAGE} make secrets
+else
+	@make -C hack/secrets-gen ignore
+endif
+
+.PHONY: secrets-clean
+secrets-clean: ## Clean just in time TLS certificates etc. needed for tests and examples
+ifeq (, $(shell command -v go))
+	@docker run --rm -v .:/workspace/kubernetes-ingress -w /workspace/kubernetes-ingress ${GO_DOCKER_IMAGE} make secrets-clean
+else
+	@make -C hack/secrets-gen clean
+endif

examples/.gitignore

@@ -0,0 +1,39 @@
+common-secrets/*.yaml
+custom-resources/api-key/cafe-secret.yaml
+custom-resources/backup-directive/transport-server/app-tls-secret.yaml
+custom-resources/backup-directive/virtual-server/cafe-secret.yaml
+custom-resources/basic-auth/cafe-passwd.yaml
+custom-resources/basic-auth/cafe-secret.yaml
+custom-resources/basic-configuration/cafe-secret.yaml
+custom-resources/cache-policy/cafe-secret.yaml
+custom-resources/cross-namespace-configuration/cafe-secret.yaml
+custom-resources/custom-ip-listeners/virtualserver/cafe-secret.yaml
+custom-resources/custom-listeners/cafe-secret.yaml
+custom-resources/egress-mtls/egress-mtls-secret.yaml
+custom-resources/egress-mtls/egress-trusted-ca-secret.yaml
+custom-resources/egress-mtls/secure-app-tls-secret.yaml
+custom-resources/external-dns/cafe-secret.yaml
+custom-resources/externalname-services/transport-server/app-tls-secret.yaml
+custom-resources/foreign-namespace-upstreams/cafe-secret.yaml
+custom-resources/grpc-upstreams/greeter-secret.yaml
+custom-resources/ingress-mtls/tls-secret.yaml
+custom-resources/jwks/tls-secret.yaml
+custom-resources/jwt/jwk-secret.yaml
+custom-resources/oidc-fclo/tls-secret.yaml
+custom-resources/oidc/tls-secret.yaml
+custom-resources/rate-limit-tiered-jwt-claim/cafe-secret.yaml
+custom-resources/service-insight/service-insight-secret.yaml
+custom-resources/tls-passthrough/app-tls-secret.yaml
+custom-resources/transport-server-sni/cafe-secret.yaml
+custom-resources/transport-server-sni/mongo-secret.yaml
+ingress-resources/app-protect-dos/webapp-secret.yaml
+ingress-resources/app-protect-waf/cafe-secret.yaml
+ingress-resources/basic-auth/cafe-passwd.yaml
+ingress-resources/basic-auth/cafe-secret.yaml
+ingress-resources/complete-example/cafe-secret.yaml
+ingress-resources/mergeable-ingress-types/cafe-secret.yaml
+ingress-resources/proxy-set-headers/mergeable-ingress/cafe-secret.yaml
+ingress-resources/proxy-set-headers/standard-ingress/cafe-secret.yaml
+ingress-resources/rate-limit/cafe-secret.yaml
+ingress-resources/security-monitoring/cafe-secret.yaml
+shared-examples/default-server-secret/default-server-secret.yaml