Skip to content

add nginx image version validation during agent connections #3928

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 24, 2025
Merged

add nginx image version validation during agent connections #3928

merged 3 commits into from
Sep 24, 2025

Conversation

ciarams87
Copy link
Contributor

Proposed changes

Problem: During an NGF upgrade, the new version of the control plane will send a configuration to the old version of the nginx data plane, before the nginx data plane is updated to the new version. This can cause incompatibility issues for a brief amount of time, which could cause disruptions.

Solution: Implement version validation by ensuring the pod image matches the image in the current deployment/ daemonset spec to prevent configuration from being sent to nginx data plane pods still running the previous image version during upgrades.

Testing: Manually tested upgrading in a cluster and verified that we don't send config to pods still running the previous image version

Closes #3867

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Added nginx image version validation during agent connections to prevent newer config being sent to pods running previous image versions during upgrades

@ciarams87 ciarams87 marked this pull request as ready for review September 17, 2025 09:01
@ciarams87 ciarams87 requested a review from a team as a code owner September 17, 2025 09:01
@github-actions github-actions bot added the bug Something isn't working label Sep 17, 2025
@codecov Codecov
Copy link

codecov bot commented Sep 17, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 87.65432% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.79%. Comparing base (3e21104) to head (86734c1).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/controller/nginx/agent/command.go 75.60% 8 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3928      +/-   ##
==========================================
- Coverage   86.84%   86.79%   -0.06%     
==========================================
  Files         128      128              
  Lines       16559    16602      +43     
  Branches       62       62              
==========================================
+ Hits        14381    14410      +29     
- Misses       1998     2009      +11     
- Partials      180      183       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

sjberman
sjberman reviewed Sep 17, 2025
View reviewed changes
@ciarams87 ciarams87 force-pushed the bug/mismatch-config branch 2 times, most recently from b591565 to 7b62325 Compare September 22, 2025 11:17
sjberman
sjberman reviewed Sep 22, 2025
View reviewed changes
sjberman
sjberman reviewed Sep 23, 2025
View reviewed changes
sjberman
sjberman reviewed Sep 23, 2025
View reviewed changes
bjee19
bjee19 reviewed Sep 23, 2025
View reviewed changes
@sjberman
Copy link
Collaborator

nit: since this is a bugfix, we don't need feat in the commit/PR title

salonichf5
salonichf5 approved these changes Sep 24, 2025
View reviewed changes
Copy link
Contributor

@salonichf5 salonichf5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@ciarams87 ciarams87 changed the title feat: add nginx image version validation during agent connections add nginx image version validation during agent connections Sep 24, 2025
@ciarams87 ciarams87 enabled auto-merge (squash) September 24, 2025 17:22
@ciarams87 ciarams87 merged commit 76184a9 into main Sep 24, 2025
44 checks passed
@ciarams87 ciarams87 deleted the bug/mismatch-config branch September 24, 2025 17:49
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Sep 24, 2025
salonichf5 pushed a commit that referenced this pull request Sep 24, 2025
@ciarams87 @salonichf5
Add nginx image version validation during agent connections (#3928)
40687f5 
Problem: During an NGF upgrade, the new version of the control plane will send a configuration to the old version of the nginx data plane, before the nginx data plane is updated to the new version. This can cause incompatibility issues for a brief amount of time, which could cause disruptions.

Solution: Implement version validation by ensuring the pod image matches the image in the current deployment/ daemonset spec to prevent configuration from being sent to nginx data plane pods still running the previous image version during upgrades.
@salonichf5 salonichf5 mentioned this pull request Sep 24, 2025
Merged
6 tasks
salonichf5 pushed a commit that referenced this pull request Sep 24, 2025
@ciarams87 @salonichf5
Add nginx image version validation during agent connections (#3928)
77b478d 
Problem: During an NGF upgrade, the new version of the control plane will send a configuration to the old version of the nginx data plane, before the nginx data plane is updated to the new version. This can cause incompatibility issues for a brief amount of time, which could cause disruptions.

Solution: Implement version validation by ensuring the pod image matches the image in the current deployment/ daemonset spec to prevent configuration from being sent to nginx data plane pods still running the previous image version during upgrades.
salonichf5 added a commit that referenced this pull request Sep 24, 2025
@salonichf5 @ciarams87
Add nginx image version validation during agent connections (#3928) (#…
936fc8e 
…3953)

Problem: During an NGF upgrade, the new version of the control plane will send a configuration to the old version of the nginx data plane, before the nginx data plane is updated to the new version. This can cause incompatibility issues for a brief amount of time, which could cause disruptions.

Solution: Implement version validation by ensuring the pod image matches the image in the current deployment/ daemonset spec to prevent configuration from being sent to nginx data plane pods still running the previous image version during upgrades.

Co-authored-by: Ciara Stacke <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sjberman sjberman sjberman approved these changes

@bjee19 bjee19 bjee19 approved these changes

@salonichf5 salonichf5 salonichf5 approved these changes

Assignees

No one assigned

Labels

bug Something isn't working release-notes

Projects

NGINX Gateway Fabric
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Don't send nginx config when image versions mismatch

4 participants

@ciarams87 @sjberman @bjee19 @salonichf5