Merge branch 'main' into main

Signed-off-by: Vincent Devillers <vdevillers76@gmail.com>

.codecov.yml

@@ -2,10 +2,15 @@ coverage:
   status:
     project:
       default:
+        informational: true
         target: auto
         threshold: 0%
     patch:
       default:
+        informational: true
         target: auto
         threshold: 0%
     changes: false
+ignore:
+  - "pkg/client"
+  - "**/*generated*.go"

.fossa.yml

@@ -4,4 +4,4 @@ targets:
     - type: setuptools
 paths:
   exclude:
-    - docs
+    - site

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -0,0 +1,82 @@
+name: Bug Report
+description: File a bug report.
+title: "[Bug]: "
+labels: ["bug", "needs triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: dropdown
+    id: version
+    attributes:
+      label: Version
+      description: What version of our F5 NGINX Ingress Controller are you running?
+      options:
+        - edge
+        - 3.7.0
+        - 3.6.2
+        - 3.6.1
+        - 3.6.0
+        - 3.5.2
+        - 3.5.1
+        - 3.5.0
+        - 3.4.3
+        - 3.4.2
+        - 3.4.1
+        - 3.4.0
+        - 3.3.2
+        - 3.3.1
+        - 3.3.0
+        - 3.2.1
+        - 3.2.0
+        - 3.1.1
+        - 3.1.0
+        - 3.0.2
+        - 3.0.1
+        - 3.0.0
+        - 2.4.2
+        - 2.4.1
+        - 2.4.0
+        - 2.3.1
+        - 2.3.0
+        - 2.2.2
+        - 2.2.1
+        - 2.2.0
+        - 2.1.2
+        - 2.1.1
+        - 2.1.0
+        - 2.0.3
+        - 2.0.2
+        - 2.0.1
+        - 2.0.0
+      default: 0
+    validations:
+      required: true
+  - type: dropdown
+    id: platform
+    attributes:
+      label: What Kubernetes platforms are you running on?
+      options:
+        - Kind
+        - Minikube
+        - Rancher
+        - EKS Amazon
+        - AKS Azure
+        - GKE Google Cloud
+        - Openshift
+        - Other
+      default: 0
+    validations:
+      required: true
+  - type: textarea
+    id: steps-to-reproduce
+    attributes:
+      label: Steps to reproduce
+      description: These steps will help us best reproduce the issue and come to a resolution.
+      placeholder: |
+        1. Deploy x to '...' using some.yaml
+        2. View logs on '....'
+        3. See error
+    validations:
+      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,7 +1,10 @@
 ### Proposed changes
-Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue here in this description (not in the title of the PR).
+
+Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to
+that issue here in this description (not in the title of the PR).
 
 ### Checklist
+
 Before creating a PR, run through this checklist and mark each as complete.
 
 - [ ] I have read the [CONTRIBUTING](https://github.com/nginxinc/kubernetes-ingress/blob/main/CONTRIBUTING.md) doc

.github/actionlint.yaml

@@ -0,0 +1,8 @@
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  labels:
+    - kic-plus
+# Configuration variables in array of strings defined in your repository or
+# organization. `null` means disabling configuration variables check.
+# Empty array means no configuration variable is allowed.
+config-variables: null

.github/actions/certify-openshift-image/action.yml

@@ -0,0 +1,61 @@
+name: Certify Openshift Image
+description: This action will attempt to certify an image for use in Openshift
+
+inputs:
+  image:
+    description: The image manifest to certify in the format <registry>/<repository>:<tag>
+    required: true
+  project_id:
+    description: The certification project id
+    required: true
+  pyxis_token:
+    description: The Pyxis API Token
+    required: true
+  preflight_version:
+    description: The version of the preflight utility to install
+    required: false
+    default: 1.9.1
+  platforms:
+    description: A comma separated list of architectures in the image manifest to certify
+    required: false
+    default: "amd64,arm64,ppc64le,s390x"
+  submit:
+    description: Submit results to Redhat PYAXIS
+    required: false
+    default: true
+
+outputs:
+  result:
+    description: Did the certification succeed?
+    value: ${{ steps.result.outputs.result == 0 && true || false }}
+
+runs:
+  using: composite
+  steps:
+    - name: Install openshift-preflight
+      run: |
+        curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/${{ inputs.preflight_version }}/preflight-linux-amd64 --output preflight
+        chmod +x preflight
+      shell: bash
+
+    - name: Certify Images
+      id: result
+      run: |
+        result=0
+        if [ -z "${{ inputs.platforms }}" ]; then
+          # list of platforms passed
+          IFS=',' read -ra arch_list <<< "${{ inputs.platforms }}"
+          for arch in "${arch_list[@]}"; do
+              architecture=("${arch#*/}")
+              ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} --platform $architecture ${{ inputs.submit && '--submit' || '' }}
+              if [ $? -ne 0 ]; then
+                result=1
+              fi
+          done
+        else
+          # no platforms passed, this is either a manifest or a single platform image
+          ./preflight check container ${{ inputs.image }} --pyxis-api-token ${{ inputs.pyxis_token }} --certification-project-id ${{ inputs.project_id }} ${{ inputs.submit && '--submit' || '' }}
+          result=$?
+        fi
+        echo "result=$result" >> $GITHUB_OUTPUT
+      shell: bash

.github/actions/smoke-tests/action.yaml

@@ -1,4 +1,3 @@
-
 name: Run Smoke Tests
 description: Run Smoke Tests for the project
 
@@ -10,110 +9,102 @@ inputs:
     description: Timeout to use
     default: 75s
     required: false
-  image:
-    description: Docker image to use
-    default: debian
+  image-type:
+    description: Image type to test
+    required: true
+  image-name:
+    description: Docker image name to test
+    required: true
+  tag:
+    description: Docker image tag to test
+    required: true
+  test-image:
+    description: Test Docker image to use
+    default: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/test-runner:latest
     required: false
   marker:
     description: Marker to use
     required: false
-  nginx-key:
-    description: Nginx key to use
+  label:
+    description: Label for test
+    required: false
+  azure-ad-secret:
+    description: Azure Active Directory secret for JWKs
+    required: false
+  registry-token:
+    description: JWT token for accessing container registry
     required: false
-  nginx-crt:
-    description: Nginx cert to use
+  plus-jwt:
+    description: JWT for NGINX Plus
     required: false
 
 outputs:
   test-results-name:
     description: Test results name
-    value: tests-${{ steps.k8s.outputs.cluster }}
+    value: ${{ steps.k8s.outputs.test_name }}
+  test-results-path:
+    description: Test results full path
+    value: ${{ steps.k8s.outputs.test_output_path }}
 
 runs:
   using: composite
   steps:
-    - name: Fetch Cached Artifacts
-      uses: actions/cache@v3
-      with:
-        path: ${{ github.workspace }}/dist
-        key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}-single
-
-    - name: Ingress type
-      id: ingress-type
-      run: |
-        echo "name=nginx${{ contains(inputs.image, 'plus') && '-plus' || '' }}-ingress" >> $GITHUB_OUTPUT
-        echo "tag=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }}-${{ github.sha }}" >> $GITHUB_OUTPUT
-        echo "modules=${{ contains(inputs.marker, 'appprotect') && 'waf' || '' }}${{ contains(inputs.marker, 'dos') && 'dos' || '' }}" >> $GITHUB_OUTPUT
-      shell: bash
-
-    - name: Docker Buildx
-      uses: docker/setup-buildx-action@v2
-
-    - name: Build ${{ inputs.image }} Container
-      uses: docker/build-push-action@v3
-      with:
-        file: build/Dockerfile
-        context: '.'
-        cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }}
-        cache-to: type=gha,scope=${{ inputs.image }}${{ contains(inputs.marker, 'dos') && '-dos' || '' }}${{ contains(inputs.marker, 'appprotect') && '-nap' || '' }},mode=max
-        target: goreleaser
-        tags: 'docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }}'
-        load: true
-        pull: true
-        build-args: |
-          BUILD_OS=${{ inputs.image }}
-          IC_VERSION=CI
-          ${{ steps.ingress-type.outputs.modules != '' && format('NAP_MODULES={0}', steps.ingress-type.outputs.modules) || '' }}
-          ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
-        secrets: |
-          ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', inputs.nginx-crt) || '' }}
-          ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', inputs.nginx-key) || '' }}
-
-    - name: Build Test-Runner Container
-      uses: docker/build-push-action@v3
-      with:
-        file: tests/docker/Dockerfile
-        context: '.'
-        cache-from: type=gha,scope=test-runner
-        cache-to: type=gha,scope=test-runner,mode=max
-        tags: test-runner:${{ github.sha }}
-        pull: true
-        load: true
-
     - name: Deploy Kubernetes
       id: k8s
       run: |
-        kind create cluster --name ${{ github.run_id }} --image=kindest/node:v${{ inputs.k8s-version }} --config ${{ github.workspace }}/tests/ci-files/ci-kind-config.yaml --kubeconfig kube-${{ github.run_id }} --wait ${{ inputs.k8s-timeout }}
-        kind load docker-image docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }} --name ${{ github.run_id }}
-        marker="${{ inputs.marker }}"
-        sanitized_marker="${marker// /_}"
-        name="${sanitized_marker:-${{ inputs.k8s-version }}}"
-        echo "cluster_ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${{ github.run_id }}-control-plane)" >> $GITHUB_OUTPUT
-        echo "cluster=$(echo nginx-${{ inputs.image }}-$name)" >> $GITHUB_OUTPUT
+        make -f tests/Makefile create-kind-cluster K8S_CLUSTER_NAME=${{ github.run_id }} K8S_CLUSTER_VERSION=${{ inputs.k8s-version }} K8S_TIMEOUT=${{ inputs.k8s-timeout }}
+        make -f tests/Makefile image-load REGISTRY="" PREFIX=${{ inputs.image-name }} TAG=${{ inputs.tag }} K8S_CLUSTER_NAME=${{ github.run_id }}
+        label="${{ inputs.label }}"
+        nospaces="${label// /_}"
+        noslash="${nospaces//\//_}"
+        sanitized_marker="${noslash//\'/}"
+        name="${sanitized_marker}-${{ inputs.k8s-version }}"
+        cluster_ip=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${{ github.run_id }}-control-plane)
+        test_name=tests-nginx-${{ inputs.image-type }}-${name}.html
+        test_output_path=${{ github.workspace }}/tests/${test_name}
+        echo "cluster_ip=${cluster_ip}" >> $GITHUB_OUTPUT
+        echo "test_name=${test_name}" >> $GITHUB_OUTPUT
+        echo "test_output_path=${test_output_path}" >> $GITHUB_OUTPUT
+        echo "Output:"
+        echo "  cluster_ip=${cluster_ip}"
+        echo "  test_output_path=${test_output_path}"
       shell: bash
 
     - name: Setup Kubeconfig
       run: |
-        sed -i 's|server:.*|server: https://${{ steps.k8s.outputs.cluster_ip }}:6443|' kube-${{ github.run_id }}
+        sed -i 's|server:.*|server: https://${{ steps.k8s.outputs.cluster_ip }}:6443|' ~/.kube/kind/config
       shell: bash
 
     - name: Run Smoke Tests
+      id: smoke-tests
       run: |
-        touch tests-${{ steps.k8s.outputs.cluster }}.html
+        touch ${{ steps.k8s.outputs.test_output_path }}
         docker run --rm \
         --name test-runner-${{ github.run_id }} \
         --network=kind \
-        -v ${{ github.workspace }}/tests/tests-${{ steps.k8s.outputs.cluster }}.html:/workspace/tests/tests-${{ steps.k8s.outputs.cluster }}.html \
-        -v ${{ github.workspace }}/kube-${{ github.run_id }}:/root/.kube/config test-runner:${{ github.sha }} \
+        -v "/var/run/docker.sock:/var/run/docker.sock" \
+        -v ~/.docker:/root/.docker \
+        -v ${{ github.workspace }}/tests:/workspace/tests \
+        -v ${{ github.workspace }}/examples/common-secrets:/workspace/examples/common-secrets \
+        -v ${{ github.workspace }}/deployments:/workspace/deployments \
+        -v ${{ github.workspace }}/charts:/workspace/charts \
+        -v ${{ github.workspace }}/config:/workspace/config \
+        -v ${{ github.workspace }}/pyproject.toml:/workspace/pyproject.toml \
+        -v ${{ steps.k8s.outputs.test_output_path }}:${{ steps.k8s.outputs.test_output_path }} \
+        -v ~/.kube/kind/config:/root/.kube/config ${{ inputs.test-image }} \
+        --docker-registry-user=oauth2accesstoken \
+        --docker-registry-token=${{ inputs.registry-token }} \
         --context=kind-${{ github.run_id }} \
-        --image=docker.io/nginx/${{ steps.ingress-type.outputs.name }}:${{ steps.ingress-type.outputs.tag }} \
+        --image=${{ inputs.image-name }}:${{ inputs.tag }} \
         --image-pull-policy=Never \
-        --ic-type=${{ steps.ingress-type.outputs.name }} \
+        --ic-type=nginx${{ contains(inputs.image-type, 'plus') && '-plus' || '' }}-ingress \
         --service=nodeport --node-ip=${{ steps.k8s.outputs.cluster_ip }} \
-        --html=tests-${{ steps.k8s.outputs.cluster }}.html \
+        --html=${{ steps.k8s.outputs.test_output_path }} \
         --self-contained-html \
         --durations=10 \
         --show-ic-logs=yes \
+        --ad-secret=${{ inputs.azure-ad-secret }} \
+        --plus-jwt=${{ inputs.plus-jwt }} \
         -m ${{ inputs.marker != '' && inputs.marker || '""' }}
       working-directory: ./tests
       shell: bash