Add First Class OpenShift support (#4001)

Problem: As a cluster operator managing traffic for an OpenShift cluster
I want easily deploy NGF as my Gateway API implementation from the Operator Hub
So that it is easier for me to try out and use NGF for my OpenShift environment.

Solution: Add UBI based images and an Operator so we can begin the RedHat Operator Certification process and get NGF into the RedHat Certified OperatorHub

Author: ciarams87

.github/workflows/build.yml

@@ -6,6 +6,10 @@ on:
       platforms:
         required: true
         type: string
+      build-os:
+        required: false
+        type: string
+        default: ''
       image:
         required: true
         type: string
@@ -116,16 +120,17 @@ jobs:
             name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/nginx,enable=${{ inputs.image == 'nginx' && github.event_name != 'pull_request' }}
             name=docker-mgmt.nginx.com/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
             name=us-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/nginx-gateway-fabric/nginx-plus,enable=${{ inputs.image == 'plus' && github.event_name != 'pull_request' }}
+            name=ghcr.io/${{ github.repository_owner }}/nginx-gateway-fabric/operator,enable=${{ inputs.image == 'operator' && github.event_name != 'pull_request' }}
             name=localhost:5000/nginx-gateway-fabric/${{ inputs.image }}
           flavor: |
             latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
           tags: |
-            type=semver,pattern={{version}}
-            type=edge
-            type=schedule
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}
-            type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}
+            type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
           labels: |
             org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
             org.opencontainers.image.vendor=NGINX Inc <[email protected]>
@@ -143,16 +148,16 @@ jobs:
       - name: Build Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
+          file: ${{ inputs.image == 'operator' && 'operators/Dockerfile' || (inputs.build-os != '' && format('build/{0}/Dockerfile{1}', inputs.build-os, inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') || format('build/Dockerfile{0}', inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '')) }}
           context: "."
           target: ${{ inputs.image == 'ngf' && 'goreleaser' || '' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ steps.meta.outputs.annotations }}
           push: ${{ !inputs.dry_run }}
           platforms: ${{ inputs.platforms }}
-          cache-from: type=gha,scope=${{ inputs.image }}
-          cache-to: type=gha,scope=${{ inputs.image }},mode=max
+          cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+          cache-to: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},mode=max
           pull: true
           no-cache: ${{ github.event_name != 'pull_request' }}
           sbom: true

.github/workflows/ci.yml

@@ -20,6 +20,10 @@ on:
         required: false
         type: string
         default: ''
+      operator_version:
+        required: false
+        type: string
+        default: ''
       dry_run:
         required: false
         type: boolean
@@ -350,10 +354,12 @@ jobs:
       matrix:
         image: [ngf, nginx]
         platforms: ["linux/arm64, linux/amd64"]
+        build-os: ["", ubi]
     uses: ./.github/workflows/build.yml
     with:
       image: ${{ matrix.image }}
       platforms: ${{ matrix.platforms }}
+      build-os: ${{ matrix.build-os }}
       tag: ${{ inputs.release_version || '' }}
       dry_run: ${{ inputs.dry_run || false}}
       runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
@@ -368,9 +374,14 @@ jobs:
     name: Build Plus images
     needs: [vars, binary]
     uses: ./.github/workflows/build.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        build-os: ["", ubi]
     with:
       image: plus
       platforms: "linux/arm64, linux/amd64"
+      build-os: ${{ matrix.build-os }}
       tag: ${{ inputs.release_version || '' }}
       dry_run: ${{ inputs.dry_run || false }}
       runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
@@ -381,13 +392,31 @@ jobs:
       id-token: write # for docker/login to login to NGINX registry
     secrets: inherit
 
+  build-operator:
+    name: Build Operator images
+    needs: [vars, binary]
+    uses: ./.github/workflows/build.yml
+    with:
+      image: operator
+      platforms: "linux/arm64, linux/amd64"
+      tag: ${{ inputs.operator_version || '' }}
+      dry_run: ${{ inputs.dry_run || false }}
+      runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
+    permissions:
+      contents: read # for docker/build-push-action to read repo content
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      packages: write # for docker/build-push-action to push to GHCR
+      id-token: write # for docker/login to login to NGINX registry
+    secrets: inherit
+
   functional-tests:
     name: Functional tests
     needs: [vars, build-oss, build-plus]
     strategy:
       fail-fast: false
       matrix:
         image: [nginx, plus]
+        build-os: ["", ubi]
         k8s-version:
           [
             "${{ needs.vars.outputs.min_k8s_version }}",
@@ -397,6 +426,7 @@ jobs:
     with:
       image: ${{ matrix.image }}
       k8s-version: ${{ matrix.k8s-version }}
+      build-os: ${{ matrix.build-os }}
     secrets: inherit
     permissions:
       contents: read
@@ -408,6 +438,7 @@ jobs:
       fail-fast: false
       matrix:
         image: [nginx, plus]
+        build-os: ["", ubi]
         k8s-version:
           [
             "${{ needs.vars.outputs.min_k8s_version }}",
@@ -419,6 +450,7 @@ jobs:
       image: ${{ matrix.image }}
       k8s-version: ${{ matrix.k8s-version }}
       enable-experimental: ${{ matrix.enable-experimental }}
+      build-os: ${{ matrix.build-os }}
       production-release: ${{ inputs.is_production_release == true && (inputs.dry_run == false || inputs.dry_run == null) }}
       release_version: ${{ inputs.release_version }}
     secrets: inherit

.github/workflows/conformance.yml

@@ -6,6 +6,10 @@ on:
       image:
         required: true
         type: string
+      build-os:
+        required: false
+        type: string
+        default: ''
       k8s-version:
         required: true
         type: string
@@ -75,12 +79,12 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric
           tags: |
-            type=semver,pattern={{version}}
-            type=edge
-            type=schedule
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
-            type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
+            type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
 
       - name: NGINX Docker meta
         id: nginx-meta
@@ -89,12 +93,12 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}
           tags: |
-            type=semver,pattern={{version}}
-            type=edge
-            type=schedule
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
-            type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
+            type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
 
       - name: Build binary
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
@@ -119,11 +123,11 @@ jobs:
       - name: Build NGINX Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}}
+          file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
           tags: ${{ steps.nginx-meta.outputs.tags }}
           context: "."
           load: true
-          cache-from: type=gha,scope=${{ inputs.image }}
+          cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
           pull: true
           build-args: |
             NJS_DIR=internal/controller/nginx/modules/src
@@ -178,7 +182,7 @@ jobs:
         if: ${{ inputs.enable-experimental }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}
+          name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }}
           path: ./tests/conformance-profile.yaml
 
       - name: Upload profile to release

.github/workflows/functional.yml

@@ -9,6 +9,10 @@ on:
       k8s-version:
         required: true
         type: string
+      build-os:
+        required: false
+        type: string
+        default: ''
 
 defaults:
   run:
@@ -61,11 +65,11 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric
           tags: |
-            type=semver,pattern={{version}}
-            type=schedule
-            type=edge
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }}
 
       - name: NGINX Docker meta
         id: nginx-meta
@@ -74,11 +78,11 @@ jobs:
           images: |
             name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}
           tags: |
-            type=semver,pattern={{version}}
-            type=edge
-            type=schedule
-            type=ref,event=pr
-            type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
+            type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
+            type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }}
 
       - name: Build binary
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
@@ -103,11 +107,11 @@ jobs:
       - name: Build NGINX Docker Image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}}
+          file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
           tags: ${{ steps.nginx-meta.outputs.tags }}
           context: "."
           load: true
-          cache-from: type=gha,scope=${{ inputs.image }}
+          cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
           pull: true
           build-args: |
             NJS_DIR=internal/controller/nginx/modules/src

.github/workflows/production-release.yml

@@ -7,6 +7,11 @@ on:
         description: 'Release version (e.g., v2.0.3)'
         required: true
         type: string
+      operator-version:
+        description: 'Operator release version (e.g., v1.0.0). Optional'
+        required: false
+        type: string
+        default: ''
       dry_run:
         description: 'If true, does a dry run of the production workflow'
         required: false
@@ -33,6 +38,7 @@ jobs:
           echo "Validating release from: ${GITHUB_REF}"
 
           INPUT_VERSION="${{ github.event.inputs.version }}"
+          INPUT_OPERATOR_VERSION="${{ github.event.inputs.operator-version }}"
 
           # Validate version format
           if [[ ! "${INPUT_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
@@ -41,8 +47,17 @@ jobs:
           exit 1
           fi
 
+          # Validate version format if operator version is provided
+          if [[ -n "${INPUT_OPERATOR_VERSION}" && ! "${INPUT_OPERATOR_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          echo "❌ Invalid operator version format: ${INPUT_OPERATOR_VERSION}"
+          echo "Expected format: v1.2.3"
+          exit 1
+          fi
+
+
           echo "✅ Valid release branch: ${GITHUB_REF}"
           echo "✅ Valid version format: ${INPUT_VERSION}"
+          [[ -n "${INPUT_OPERATOR_VERSION}" ]] && echo "✅ Valid operator version format: ${INPUT_OPERATOR_VERSION}"
 
       - name: Checkout Repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -62,7 +77,7 @@ jobs:
           git tag -a "${VERSION}" -m "Release ${VERSION}"
 
           if [[ "${{ inputs.dry_run }}" == "true" ]]; then
-          echo "DRY RUN: Would push tag ${VERSION}"
+          echo "DRY RUN: Would push tag ${VERSION} and operator tag ${{ github.event.inputs.operator-version || '' }}"
           git push --dry-run origin "${VERSION}"
           else
           git push origin "${VERSION}"
@@ -76,6 +91,7 @@ jobs:
     with:
       is_production_release: true
       release_version: ${{ github.event.inputs.version }}
+      operator_version: ${{ github.event.inputs.operator-version }}
       dry_run: ${{ github.event.inputs.dry_run }}
     secrets: inherit
     permissions:

.pre-commit-config.yaml

@@ -10,7 +10,6 @@ repos:
       - id: check-yaml
         args: [--allow-multiple-documents]
         exclude: (^charts/nginx-gateway-fabric/templates)
-      - id: check-added-large-files
       - id: check-merge-conflict
       - id: check-case-conflict
       - id: check-vcs-permalinks

.yamllint.yaml

@@ -27,6 +27,8 @@ rules:
     spaces: consistent
     indent-sequences: consistent
     check-multi-line-strings: true
+    ignore: |
+      operators/**/*
   key-duplicates: enable
   key-ordering: disable
   line-length:
@@ -38,6 +40,7 @@ rules:
       tests/suite/manifests/longevity/cronjob.yaml
       .goreleaser.yml
       charts/nginx-gateway-fabric/
+      operators/config/crd/bases/gateway.nginx.org_nginxgatewayfabrics.yaml
   new-line-at-end-of-file: enable
   new-lines: enable
   octal-values: disable