Mostly fix lint issues

Author: bjee19

charts/nginx-gateway-fabric/README.md

@@ -264,7 +264,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `certGenerator.ttlSecondsAfterFinished` | How long to wait after the cert generator job has finished before it is removed by the job controller. | int | `30` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
-| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","nginxOneConsole":{"dataplaneKeySecretName":"","endpointHost":"product.connect.nginx.com","endpointPort":443,"tlsSkipVerify":false},"plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
+| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","nginxOneConsole":{"dataplaneKeySecretName":"","endpointHost":"agent.connect.nginx.com","endpointPort":443,"tlsSkipVerify":false},"plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.container` | The container configuration for the NGINX container. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]}` |
 | `nginx.container.hostPorts` | A list of HostPorts to expose on the host. This configuration allows containers to bind to a specific port on the host node, enabling external network traffic to reach the container directly through the host's IP address and port. Use this option when you need to expose container ports on the host for direct access, such as for debugging, legacy integrations, or when NodePort/LoadBalancer services are not suitable. Note: Using hostPort may have security and scheduling implications, as it ties pods to specific nodes and ports. | list | `[]` |
@@ -276,6 +276,10 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginx.imagePullSecret` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. The control plane will copy this secret into any namespace where NGINX is deployed. | string | `""` |
 | `nginx.imagePullSecrets` | A list of secret names containing docker registry credentials. Secrets must exist in the same namespace as the helm release. The control plane will copy these secrets into any namespace where NGINX is deployed. | list | `[]` |
 | `nginx.kind` | The kind of NGINX deployment. | string | `"deployment"` |
+| `nginx.nginxOneConsole` | Configuration for NGINX One Console. | object | `{"dataplaneKeySecretName":"","endpointHost":"agent.connect.nginx.com","endpointPort":443,"tlsSkipVerify":false}` |
+| `nginx.nginxOneConsole.endpointHost` | The Endpoint host that the NGINX One Console telemetry metrics will be sent to. | string | `"agent.connect.nginx.com"` |
+| `nginx.nginxOneConsole.endpointPort` | The endpoint port that the NGINX One Console telemetry metrics will be sent to. | int | `443` |
+| `nginx.nginxOneConsole.tlsSkipVerify` | Skip TLS verification for NGINX One Console connections. | bool | `false` |
 | `nginx.plus` | Is NGINX Plus image being used. | bool | `false` |
 | `nginx.pod` | The pod configuration for the NGINX data plane pod. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.replicas` | The number of replicas of the NGINX Deployment. | int | `1` |

charts/nginx-gateway-fabric/values.schema.json

@@ -450,28 +450,28 @@
           "properties": {
             "dataplaneKeySecretName": {
               "default": "",
-              "description": "Name of the secret which holds the dataplane key that is required to authenticate with the NGINX One Console.",
+              "description": "Name of the secret which holds the dataplane key that is required to authenticate with the NGINX One Console.\nSecret must exist in the same namespace that the NGINX Gateway Fabric control plane is running in\n(default namespace: nginx-gateway).",
               "required": [],
               "title": "dataplaneKeySecretName",
               "type": "string"
             },
             "endpointHost": {
-              "default": "product.connect.nginx.com",
-              "description": "The Endpoint host that the NGINX One Console telemetry metrics will be sent to. ",
+              "default": "agent.connect.nginx.com",
+              "description": "The Endpoint host that the NGINX One Console telemetry metrics will be sent to.",
               "required": [],
               "title": "endpointHost",
               "type": "string"
             },
             "endpointPort": {
               "default": 443,
-              "description": "The endpoint port that the  NGINX One Console telemetry metrics will be sent to.",
+              "description": "The endpoint port that the NGINX One Console telemetry metrics will be sent to.",
               "required": [],
               "title": "endpointPort",
               "type": "integer"
             },
             "tlsSkipVerify": {
               "default": false,
-              "description": "NGINX One Console configuration specifying tls skip verify.",
+              "description": "Skip TLS verification for NGINX One Console connections.",
               "required": [],
               "title": "tlsSkipVerify",
               "type": "boolean"

charts/nginx-gateway-fabric/values.yaml

@@ -212,18 +212,20 @@ nginx:
   # -- Is NGINX Plus image being used.
   plus: false
 
-  # Configuration for NGINX One Console.
+  # -- Configuration for NGINX One Console.
   nginxOneConsole:
     # Name of the secret which holds the dataplane key that is required to authenticate with the NGINX One Console.
+    # Secret must exist in the same namespace that the NGINX Gateway Fabric control plane is running in
+    # (default namespace: nginx-gateway).
     dataplaneKeySecretName: ""
 
-    # The Endpoint host that the NGINX One Console telemetry metrics will be sent to. 
-    endpointHost: "product.connect.nginx.com"
+    # -- The Endpoint host that the NGINX One Console telemetry metrics will be sent to.
+    endpointHost: "agent.connect.nginx.com"
 
-    # The endpoint port that the  NGINX One Console telemetry metrics will be sent to.
+    # -- The endpoint port that the NGINX One Console telemetry metrics will be sent to.
     endpointPort: 443
 
-    # NGINX One Console configuration specifying tls skip verify.
+    # -- Skip TLS verification for NGINX One Console connections.
     tlsSkipVerify: false
 
   # -- The name of the secret containing docker registry credentials.

cmd/gateway/commands.go

@@ -60,7 +60,7 @@ func createControllerCommand() *cobra.Command {
 		configFlag                               = "config"
 		serviceFlag                              = "service"
 		agentTLSSecretFlag                       = "agent-tls-secret"
-		nginxOneConsoleDataplaneKeySecretFlag    = "nginx-one-console-dataplane-key-secret"
+		nginxOneConsoleDataplaneKeySecretFlag    = "nginx-one-console-dataplane-key-secret" //nolint:gosec // not credentials
 		nginxOneConsoleTelemetryEndpointHostFlag = "nginx-one-console-telemetry-endpoint-host"
 		nginxOneConsoleTelemetryEndpointPortFlag = "nginx-one-console-telemetry-endpoint-port"
 		nginxOneConsoleTLSSkipVerifyFlag         = "nginx-one-console-tls-skip-verify"
@@ -109,10 +109,10 @@ func createControllerCommand() *cobra.Command {
 		}
 		nginxOneConsoleTelemetryEndpointHost = stringValidatingValue{
 			validator: validateResourceName,
-			value:     "product.connect.nginx.com",
+			value:     "agent.connect.nginx.com",
 		}
 		nginxOneConsoleTelemetryEndpointPort = intValidatingValue{
-			validator: validateProtocolPort,
+			validator: validateAnyPort,
 			value:     443,
 		}
 		nginxOneConsoleTLSSkipVerify bool

cmd/gateway/commands_test.go

@@ -459,17 +459,18 @@ func TestControllerCmdFlagValidation(t *testing.T) {
 			args: []string{
 				"--nginx-one-console-telemetry-endpoint-host=!@#$",
 			},
-			wantErr:           true,
-			expectedErrPrefix: `invalid argument "!@#$" for "--nginx-one-console-telemetry-endpoint-host" flag: invalid format: `,
+			wantErr: true,
+			expectedErrPrefix: `invalid argument "!@#$" for "--nginx-one-console-telemetry-endpoint-host" ` +
+				`flag: invalid format: `,
 		},
 		{
 			name: "nginx-one-console-telemetry-endpoint-port is invalid type",
 			args: []string{
 				"--nginx-one-console-telemetry-endpoint-port=invalid", // not an int
 			},
 			wantErr: true,
-			expectedErrPrefix: `invalid argument "invalid" for "--nginx-one-console-telemetry-endpoint-port" flag: failed to parse int value:` +
-				` strconv.ParseInt: parsing "invalid": invalid syntax`,
+			expectedErrPrefix: `invalid argument "invalid" for "--nginx-one-console-telemetry-endpoint-port" ` +
+				`flag: failed to parse int value: strconv.ParseInt: parsing "invalid": invalid syntax`,
 		},
 		{
 			name: "nginx-one-console-telemetry-endpoint-port is outside of range",
@@ -482,8 +483,8 @@ func TestControllerCmdFlagValidation(t *testing.T) {
 		},
 		{
 			name: "nginx-one-console-tls-skip-verify is not a bool",
-			expectedErrPrefix: `invalid argument "not-a-bool" for "--nginx-one-console-tls-skip-verify" flag: strconv.ParseBool:` +
-				` parsing "not-a-bool": invalid syntax`,
+			expectedErrPrefix: `invalid argument "not-a-bool" for "--nginx-one-console-tls-skip-verify" flag:` +
+				`strconv.ParseBool: parsing "not-a-bool": invalid syntax`,
 			args: []string{
 				"--nginx-one-console-tls-skip-verify=not-a-bool",
 			},

cmd/gateway/validation.go

@@ -157,8 +157,9 @@ func validatePort(port int) error {
 	return nil
 }
 
-// validateProtocolPort makes sure a given port is inside the valid port range for its usage. This also includes well known ports.
-func validateProtocolPort(port int) error {
+// validateAnyPort makes sure a given port is inside the valid range for all ports.
+// This includes protected ports (1-1023) and unprivileged ports (1024-65535).
+func validateAnyPort(port int) error {
 	if port < 1 || port > 65535 {
 		return fmt.Errorf("port outside of valid port range [1 - 65535]: %v", port)
 	}

cmd/gateway/validation_test.go

@@ -443,7 +443,7 @@ func TestProtocolPort(t *testing.T) {
 			t.Parallel()
 			g := NewWithT(t)
 
-			err := validateProtocolPort(tc.port)
+			err := validateAnyPort(tc.port)
 			if !tc.expErr {
 				g.Expect(err).ToNot(HaveOccurred())
 			} else {

internal/controller/config/config.go

@@ -12,38 +12,38 @@ const DefaultNginxMetricsPort = int32(9113)
 type Config struct {
 	// AtomicLevel is an atomically changeable, dynamic logging level.
 	AtomicLevel zap.AtomicLevel
-	// UsageReportConfig specifies the NGINX Plus usage reporting configuration.
-	UsageReportConfig UsageReportConfig
-	// ImageSource is the source of the NGINX Gateway image.
-	ImageSource string
-	// Flags contains the NGF command-line flag names and values.
-	Flags Flags
 	// GatewayPodConfig contains information about this Pod.
 	GatewayPodConfig GatewayPodConfig
 	// Logger is the Zap Logger used by all components.
 	Logger logr.Logger
-	// GatewayCtlrName is the name of this controller.
-	GatewayCtlrName string
+	// NGINXSCCName is the name of the SecurityContextConstraints for the NGINX Pods. Only applicable in OpenShift.
+	NGINXSCCName string
 	// ConfigName is the name of the NginxGateway resource for this controller.
 	ConfigName string
-	// GatewayClassName is the name of the GatewayClass resource that the Gateway will use.
-	GatewayClassName string
 	// AgentTLSSecretName is the name of the TLS Secret used by NGINX Agent to communicate with the control plane.
 	AgentTLSSecretName string
-	// NGINXSCCName is the name of the SecurityContextConstraints for the NGINX Pods. Only applicable in OpenShift.
-	NGINXSCCName string
-	// NginxDockerSecretNames are the names of any Docker registry Secrets for the NGINX container.
-	NginxDockerSecretNames []string
+	// GatewayClassName is the name of the GatewayClass resource that the Gateway will use.
+	GatewayClassName string
+	// ImageSource is the source of the NGINX Gateway image.
+	ImageSource string
+	// GatewayCtlrName is the name of this controller.
+	GatewayCtlrName string
+	// UsageReportConfig specifies the NGINX Plus usage reporting configuration.
+	UsageReportConfig UsageReportConfig
+	// Flags contains the NGF command-line flag names and values.
+	Flags Flags
 	// LeaderElection contains the configuration for leader election.
 	LeaderElection LeaderElectionConfig
+	// NginxDockerSecretNames are the names of any Docker registry Secrets for the NGINX container.
+	NginxDockerSecretNames []string
+	// NginxOneConsoleTelemetryConfig contains the configuration for NGINX One Console telemetry.
+	NginxOneConsoleTelemetryConfig NginxOneConsoleTelemetryConfig
 	// ProductTelemetryConfig contains the configuration for collecting product telemetry.
 	ProductTelemetryConfig ProductTelemetryConfig
-	// MetricsConfig specifies the metrics config.
-	MetricsConfig MetricsConfig
 	// HealthConfig specifies the health probe config.
 	HealthConfig HealthConfig
-	// NginxOneConsoleTelemetryConfig contains the configuration for NGINX One Console telemetry.
-	NginxOneConsoleTelemetryConfig NginxOneConsoleTelemetryConfig
+	// MetricsConfig specifies the metrics config.
+	MetricsConfig MetricsConfig
 	// Plus indicates whether NGINX Plus is being used.
 	Plus bool
 	// ExperimentalFeatures indicates if experimental features are enabled.

internal/controller/manager.go

@@ -218,19 +218,19 @@ func StartManager(cfg config.Config) error {
 		ctx,
 		mgr,
 		provisioner.Config{
-			DeploymentStore:        nginxUpdater.NginxDeployments,
-			StatusQueue:            statusQueue,
-			Logger:                 cfg.Logger.WithName("provisioner"),
-			EventRecorder:          recorder,
-			GatewayPodConfig:       &cfg.GatewayPodConfig,
-			GCName:                 cfg.GatewayClassName,
-			AgentTLSSecretName:     cfg.AgentTLSSecretName,
-			NGINXSCCName:           cfg.NGINXSCCName,
-			Plus:                   cfg.Plus,
-			NginxDockerSecretNames: cfg.NginxDockerSecretNames,
-			PlusUsageConfig:        &cfg.UsageReportConfig,
-			AgentLabels:            agentLabels,
-			NginxOneConsoleTelemetryConfig:   cfg.NginxOneConsoleTelemetryConfig,
+			DeploymentStore:                nginxUpdater.NginxDeployments,
+			StatusQueue:                    statusQueue,
+			Logger:                         cfg.Logger.WithName("provisioner"),
+			EventRecorder:                  recorder,
+			GatewayPodConfig:               &cfg.GatewayPodConfig,
+			GCName:                         cfg.GatewayClassName,
+			AgentTLSSecretName:             cfg.AgentTLSSecretName,
+			NGINXSCCName:                   cfg.NGINXSCCName,
+			Plus:                           cfg.Plus,
+			NginxDockerSecretNames:         cfg.NginxDockerSecretNames,
+			PlusUsageConfig:                &cfg.UsageReportConfig,
+			AgentLabels:                    agentLabels,
+			NginxOneConsoleTelemetryConfig: cfg.NginxOneConsoleTelemetryConfig,
 		},
 	)
 	if err != nil {

internal/controller/provisioner/objects.go

@@ -74,7 +74,10 @@ func (p *NginxProvisioner) buildNginxResourceObjects(
 
 	var dataplaneKeySecretName string
 	if p.cfg.NginxOneConsoleTelemetryConfig.DataplaneKeySecretName != "" {
-		dataplaneKeySecretName = controller.CreateNginxResourceName(resourceName, p.cfg.NginxOneConsoleTelemetryConfig.DataplaneKeySecretName)
+		dataplaneKeySecretName = controller.CreateNginxResourceName(
+			resourceName,
+			p.cfg.NginxOneConsoleTelemetryConfig.DataplaneKeySecretName,
+		)
 	}
 
 	// map key is the new name, value is the original name