Merge branch 'main' into tests/cel-clientsettingspolicies-timeout

Author: shaun-nx

.github/workflows/build.yml

@@ -56,7 +56,7 @@ jobs:
           platforms: arm64
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         if: ${{ github.event_name != 'pull_request' && ! contains(inputs.image, 'plus') }}
         with:
           registry: ghcr.io
@@ -73,7 +73,7 @@ jobs:
         if: ${{ github.event_name != 'pull_request' && contains(inputs.image, 'plus')}}
 
       - name: Login to NGINX Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: docker-mgmt.nginx.com
           username: ${{ steps.idtoken.outputs.id_token }}
@@ -90,7 +90,7 @@ jobs:
         if: ${{ github.event_name != 'pull_request' && contains(inputs.image, 'plus') }}
 
       - name: Login to GAR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: us-docker.pkg.dev
           username: oauth2accesstoken
@@ -163,7 +163,7 @@ jobs:
 
       - name: Scan SBOM
         id: scan
-        uses: anchore/scan-action@df395807f4554463d4455b8047cf58e37b6acaae # v6.5.0
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
         with:
           sbom: "sbom-${{ inputs.image }}.json"
           only-fixed: true

.github/workflows/ci.yml

@@ -296,7 +296,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/lint.yml

@@ -78,7 +78,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Lint Actions
-        uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281 # v1.65.2
+        uses: reviewdog/action-actionlint@50b75b9513baa71e6a1899a1ebaa9ac9851cf16c # v1.66.0
         with:
           actionlint_flags: -shellcheck ""
 

.github/workflows/nfr.yml

@@ -93,7 +93,7 @@ jobs:
           service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 
       - name: Login to GAR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: us-docker.pkg.dev
           username: oauth2accesstoken
@@ -184,7 +184,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Download Artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           path: tests/results/
           merge-multiple: true

.github/workflows/update-docker-images.yml

@@ -59,7 +59,7 @@ jobs:
       needs-updating: ${{ steps.update.outputs.needs-updating }}
     steps:
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

charts/nginx-gateway-fabric/README.md

@@ -264,7 +264,7 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `certGenerator.ttlSecondsAfterFinished` | How long to wait after the cert generator job has finished before it is removed by the job controller. | int | `30` |
 | `clusterDomain` | The DNS cluster domain of your Kubernetes cluster. | string | `"cluster.local"` |
 | `gateways` | A list of Gateway objects. View https://gateway-api.sigs.k8s.io/reference/spec/#gateway for full Gateway reference. | list | `[]` |
-| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
+| `nginx` | The nginx section contains the configuration for all NGINX data plane deployments installed by the NGINX Gateway Fabric control plane. | object | `{"config":{},"container":{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]},"debug":false,"image":{"pullPolicy":"Always","repository":"ghcr.io/nginx/nginx-gateway-fabric/nginx","tag":"edge"},"imagePullSecret":"","imagePullSecrets":[],"kind":"deployment","nginxOneConsole":{"dataplaneKeySecretName":"","endpointHost":"agent.connect.nginx.com","endpointPort":443,"skipVerify":false},"plus":false,"pod":{},"replicas":1,"service":{"externalTrafficPolicy":"Local","loadBalancerClass":"","loadBalancerIP":"","loadBalancerSourceRanges":[],"nodePorts":[],"type":"LoadBalancer"},"usage":{"caSecretName":"","clientSSLSecretName":"","endpoint":"","resolver":"","secretName":"nplus-license","skipVerify":false}}` |
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.container` | The container configuration for the NGINX container. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{"hostPorts":[],"lifecycle":{},"readinessProbe":{},"resources":{},"volumeMounts":[]}` |
 | `nginx.container.hostPorts` | A list of HostPorts to expose on the host. This configuration allows containers to bind to a specific port on the host node, enabling external network traffic to reach the container directly through the host's IP address and port. Use this option when you need to expose container ports on the host for direct access, such as for debugging, legacy integrations, or when NodePort/LoadBalancer services are not suitable. Note: Using hostPort may have security and scheduling implications, as it ties pods to specific nodes and ports. | list | `[]` |
@@ -276,6 +276,11 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginx.imagePullSecret` | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. The control plane will copy this secret into any namespace where NGINX is deployed. | string | `""` |
 | `nginx.imagePullSecrets` | A list of secret names containing docker registry credentials. Secrets must exist in the same namespace as the helm release. The control plane will copy these secrets into any namespace where NGINX is deployed. | list | `[]` |
 | `nginx.kind` | The kind of NGINX deployment. | string | `"deployment"` |
+| `nginx.nginxOneConsole` | Configuration for NGINX One Console. | object | `{"dataplaneKeySecretName":"","endpointHost":"agent.connect.nginx.com","endpointPort":443,"skipVerify":false}` |
+| `nginx.nginxOneConsole.dataplaneKeySecretName` | Name of the secret which holds the dataplane key that is required to authenticate with the NGINX One Console. Secret must exist in the same namespace that the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway). | string | `""` |
+| `nginx.nginxOneConsole.endpointHost` | The Endpoint host that the NGINX One Console telemetry metrics will be sent to. | string | `"agent.connect.nginx.com"` |
+| `nginx.nginxOneConsole.endpointPort` | The endpoint port that the NGINX One Console telemetry metrics will be sent to. | int | `443` |
+| `nginx.nginxOneConsole.skipVerify` | Skip TLS verification for NGINX One Console connections. | bool | `false` |
 | `nginx.plus` | Is NGINX Plus image being used. | bool | `false` |
 | `nginx.pod` | The pod configuration for the NGINX data plane pod. This is applied globally to all Gateways managed by this instance of NGINX Gateway Fabric. | object | `{}` |
 | `nginx.replicas` | The number of replicas of the NGINX Deployment. | int | `1` |

charts/nginx-gateway-fabric/templates/deployment.yaml

@@ -103,6 +103,18 @@ spec:
         {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints" }}
         - --nginx-scc={{ include "nginx-gateway.scc-name" . }}-nginx
         {{- end}}
+        {{- if .Values.nginx.nginxOneConsole.dataplaneKeySecretName }}
+        - --nginx-one-dataplane-key-secret={{ .Values.nginx.nginxOneConsole.dataplaneKeySecretName }}
+          {{- if .Values.nginx.nginxOneConsole.endpointHost }}
+        - --nginx-one-telemetry-endpoint-host={{ .Values.nginx.nginxOneConsole.endpointHost }}
+          {{- end }}
+          {{- if .Values.nginx.nginxOneConsole.endpointPort }}
+        - --nginx-one-telemetry-endpoint-port={{ .Values.nginx.nginxOneConsole.endpointPort }}
+          {{- end }}
+          {{- if .Values.nginx.nginxOneConsole.skipVerify }}
+        - --nginx-one-tls-skip-verify
+          {{- end }}
+        {{- end }}
         env:
         - name: POD_NAMESPACE
           valueFrom:

charts/nginx-gateway-fabric/values.schema.json

@@ -445,6 +445,44 @@
           "required": [],
           "title": "kind"
         },
+        "nginxOneConsole": {
+          "description": "Configuration for NGINX One Console.",
+          "properties": {
+            "dataplaneKeySecretName": {
+              "default": "",
+              "description": "Name of the secret which holds the dataplane key that is required to authenticate with the NGINX One Console.\nSecret must exist in the same namespace that the NGINX Gateway Fabric control plane is running in\n(default namespace: nginx-gateway).",
+              "required": [],
+              "title": "dataplaneKeySecretName",
+              "type": "string"
+            },
+            "endpointHost": {
+              "default": "agent.connect.nginx.com",
+              "description": "The Endpoint host that the NGINX One Console telemetry metrics will be sent to.",
+              "required": [],
+              "title": "endpointHost",
+              "type": "string"
+            },
+            "endpointPort": {
+              "default": 443,
+              "description": "The endpoint port that the NGINX One Console telemetry metrics will be sent to.",
+              "maximum": 65535,
+              "minimum": 1,
+              "required": [],
+              "title": "endpointPort",
+              "type": "integer"
+            },
+            "skipVerify": {
+              "default": false,
+              "description": "Skip TLS verification for NGINX One Console connections.",
+              "required": [],
+              "title": "skipVerify",
+              "type": "boolean"
+            }
+          },
+          "required": [],
+          "title": "nginxOneConsole",
+          "type": "object"
+        },
         "plus": {
           "default": false,
           "description": "Is NGINX Plus image being used.",

charts/nginx-gateway-fabric/values.yaml

@@ -212,6 +212,27 @@ nginx:
   # -- Is NGINX Plus image being used.
   plus: false
 
+  # -- Configuration for NGINX One Console.
+  nginxOneConsole:
+    # -- Name of the secret which holds the dataplane key that is required to authenticate with the NGINX One Console.
+    # Secret must exist in the same namespace that the NGINX Gateway Fabric control plane is running in
+    # (default namespace: nginx-gateway).
+    dataplaneKeySecretName: ""
+
+    # -- The Endpoint host that the NGINX One Console telemetry metrics will be sent to.
+    endpointHost: "agent.connect.nginx.com"
+
+    # @schema
+    # type: integer
+    # minimum: 1
+    # maximum: 65535
+    # @schema
+    # -- The endpoint port that the NGINX One Console telemetry metrics will be sent to.
+    endpointPort: 443
+
+    # -- Skip TLS verification for NGINX One Console connections.
+    skipVerify: false
+
   # -- The name of the secret containing docker registry credentials.
   # Secret must exist in the same namespace as the helm release. The control
   # plane will copy this secret into any namespace where NGINX is deployed.

cmd/gateway/commands.go

@@ -6,7 +6,6 @@ import (
 	"os"
 	"runtime/debug"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/spf13/cobra"
@@ -38,8 +37,9 @@ const (
 		`The controller name must be of the form: DOMAIN/PATH. The controller's domain is '%s'`
 	plusFlag = "nginx-plus"
 
-	serverTLSSecret = "server-tls"
-	agentTLSSecret  = "agent-tls"
+	serverTLSSecret               = "server-tls"
+	agentTLSSecret                = "agent-tls"
+	nginxOneTelemetryEndpointHost = "agent.connect.nginx.com"
 )
 
 func createRootCommand() *cobra.Command {
@@ -58,27 +58,31 @@ func createRootCommand() *cobra.Command {
 func createControllerCommand() *cobra.Command {
 	// flag names
 	const (
-		configFlag                     = "config"
-		serviceFlag                    = "service"
-		agentTLSSecretFlag             = "agent-tls-secret"
-		metricsDisableFlag             = "metrics-disable"
-		metricsSecureFlag              = "metrics-secure-serving"
-		metricsPortFlag                = "metrics-port"
-		healthDisableFlag              = "health-disable"
-		healthPortFlag                 = "health-port"
-		leaderElectionDisableFlag      = "leader-election-disable"
-		leaderElectionLockNameFlag     = "leader-election-lock-name"
-		productTelemetryDisableFlag    = "product-telemetry-disable"
-		gwAPIExperimentalFlag          = "gateway-api-experimental-features"
-		nginxDockerSecretFlag          = "nginx-docker-secret" //nolint:gosec // not credentials
-		usageReportSecretFlag          = "usage-report-secret"
-		usageReportEndpointFlag        = "usage-report-endpoint"
-		usageReportResolverFlag        = "usage-report-resolver"
-		usageReportSkipVerifyFlag      = "usage-report-skip-verify"
-		usageReportClientSSLSecretFlag = "usage-report-client-ssl-secret" //nolint:gosec // not credentials
-		usageReportCASecretFlag        = "usage-report-ca-secret"         //nolint:gosec // not credentials
-		snippetsFiltersFlag            = "snippets-filters"
-		nginxSCCFlag                   = "nginx-scc"
+		configFlag                        = "config"
+		serviceFlag                       = "service"
+		agentTLSSecretFlag                = "agent-tls-secret"
+		nginxOneDataplaneKeySecretFlag    = "nginx-one-dataplane-key-secret" //nolint:gosec // not credentials
+		nginxOneTelemetryEndpointHostFlag = "nginx-one-telemetry-endpoint-host"
+		nginxOneTelemetryEndpointPortFlag = "nginx-one-telemetry-endpoint-port"
+		nginxOneTLSSkipVerifyFlag         = "nginx-one-tls-skip-verify"
+		metricsDisableFlag                = "metrics-disable"
+		metricsSecureFlag                 = "metrics-secure-serving"
+		metricsPortFlag                   = "metrics-port"
+		healthDisableFlag                 = "health-disable"
+		healthPortFlag                    = "health-port"
+		leaderElectionDisableFlag         = "leader-election-disable"
+		leaderElectionLockNameFlag        = "leader-election-lock-name"
+		productTelemetryDisableFlag       = "product-telemetry-disable"
+		gwAPIExperimentalFlag             = "gateway-api-experimental-features"
+		nginxDockerSecretFlag             = "nginx-docker-secret" //nolint:gosec // not credentials
+		usageReportSecretFlag             = "usage-report-secret"
+		usageReportEndpointFlag           = "usage-report-endpoint"
+		usageReportResolverFlag           = "usage-report-resolver"
+		usageReportSkipVerifyFlag         = "usage-report-skip-verify"
+		usageReportClientSSLSecretFlag    = "usage-report-client-ssl-secret" //nolint:gosec // not credentials
+		usageReportCASecretFlag           = "usage-report-ca-secret"         //nolint:gosec // not credentials
+		snippetsFiltersFlag               = "snippets-filters"
+		nginxSCCFlag                      = "nginx-scc"
 	)
 
 	// flag values
@@ -101,7 +105,19 @@ func createControllerCommand() *cobra.Command {
 			validator: validateResourceName,
 			value:     agentTLSSecret,
 		}
-		nginxSCCName = stringValidatingValue{
+		nginxOneConsoleDataplaneKeySecretName = stringValidatingValue{
+			validator: validateResourceName,
+		}
+		nginxOneConsoleTelemetryEndpointHost = stringValidatingValue{
+			validator: validateResourceName,
+			value:     nginxOneTelemetryEndpointHost,
+		}
+		nginxOneConsoleTelemetryEndpointPort = intValidatingValue{
+			validator: validateAnyPort,
+			value:     443,
+		}
+		nginxOneConsoleTLSSkipVerify bool
+		nginxSCCName                 = stringValidatingValue{
 			validator: validateResourceName,
 		}
 		disableMetrics    bool
@@ -257,6 +273,12 @@ func createControllerCommand() *cobra.Command {
 				NginxDockerSecretNames: nginxDockerSecrets.values,
 				AgentTLSSecretName:     agentTLSSecretName.value,
 				NGINXSCCName:           nginxSCCName.value,
+				NginxOneConsoleTelemetryConfig: config.NginxOneConsoleTelemetryConfig{
+					DataplaneKeySecretName: nginxOneConsoleDataplaneKeySecretName.value,
+					EndpointHost:           nginxOneConsoleTelemetryEndpointHost.value,
+					EndpointPort:           nginxOneConsoleTelemetryEndpointPort.value,
+					EndpointTLSSkipVerify:  nginxOneConsoleTLSSkipVerify,
+				},
 			}
 
 			if err := controller.StartManager(conf); err != nil {
@@ -304,6 +326,32 @@ func createControllerCommand() *cobra.Command {
 			`NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway).`,
 	)
 
+	cmd.Flags().Var(
+		&nginxOneConsoleDataplaneKeySecretName,
+		nginxOneDataplaneKeySecretFlag,
+		`The name of the Secret containing the NGINX One Console's dataplane key. Must exist in the same namespace that `+
+			`the NGINX Gateway Fabric control plane is running in (default namespace: nginx-gateway).`,
+	)
+
+	cmd.Flags().Var(
+		&nginxOneConsoleTelemetryEndpointHost,
+		nginxOneTelemetryEndpointHostFlag,
+		`The host of the NGINX One Console's telemetry endpoint.`,
+	)
+
+	cmd.Flags().Var(
+		&nginxOneConsoleTelemetryEndpointPort,
+		nginxOneTelemetryEndpointPortFlag,
+		`The port of the NGINX One Console's telemetry endpoint.`,
+	)
+
+	cmd.Flags().BoolVar(
+		&nginxOneConsoleTLSSkipVerify,
+		nginxOneTLSSkipVerifyFlag,
+		false,
+		"Disable client verification of the NGINX One Console's telemetry endpoint server certificate.",
+	)
+
 	cmd.Flags().BoolVar(
 		&disableMetrics,
 		metricsDisableFlag,
@@ -741,19 +789,13 @@ func createGatewayPodConfig(version, svcName string) (config.GatewayPodConfig, e
 		return config.GatewayPodConfig{}, err
 	}
 
-	// use image tag version if set, otherwise fall back to binary version
-	ngfVersion := version
-	if imageParts := strings.Split(image, ":"); len(imageParts) == 2 {
-		ngfVersion = imageParts[1]
-	}
-
 	c := config.GatewayPodConfig{
 		ServiceName:  svcName,
 		Namespace:    ns,
 		Name:         name,
 		UID:          podUID,
 		InstanceName: instance,
-		Version:      ngfVersion,
+		Version:      version,
 		Image:        image,
 	}