Merge branch 'main' into deps/image-update-main-1372e619

nginx · Jan 9, 2025 · 66f6d7e · 66f6d7e
2 parents ed99171 + ed10de4
commit 66f6d7e
Show file tree

Hide file tree

Showing 12 changed files with 25 additions and 117 deletions.
diff --git a/.github/config/config-gcr-retag b/.github/config/config-gcr-retag
@@ -1,7 +1,7 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-mktpl" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
 declare -a ADDITIONAL_TAGS=()
diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-mktpl")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips" "-ubi8")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips" "-mktpl")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
 export PUBLISH_OSS=false
diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=docker-mgmt.nginx.com
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("")
 export PUBLISH_OSS=false
diff --git a/.github/data/matrix-images-nap.json b/.github/data/matrix-images-nap.json
@@ -15,36 +15,6 @@
     "waf,dos"
   ],
   "include": [
-    {
-      "image": "ubi-8-plus-nap",
-      "target": "goreleaser",
-      "platforms": "linux/amd64",
-      "nap_modules": "waf"
-    },
-    {
-      "image": "ubi-8-plus-nap-v5",
-      "target": "goreleaser",
-      "platforms": "linux/amd64",
-      "nap_modules": "waf"
-    },
-    {
-      "image": "ubi-9-plus-nap",
-      "target": "goreleaser",
-      "platforms": "linux/amd64",
-      "nap_modules": "waf"
-    },
-    {
-      "image": "ubi-9-plus-nap",
-      "target": "goreleaser",
-      "platforms": "linux/amd64",
-      "nap_modules": "dos"
-    },
-    {
-      "image": "ubi-9-plus-nap",
-      "target": "goreleaser",
-      "platforms": "linux/amd64",
-      "nap_modules": "waf,dos"
-    },
     {
       "image": "alpine-plus-nap-fips",
       "target": "goreleaser",
@@ -62,12 +32,6 @@
       "target": "goreleaser",
       "platforms": "linux/amd64",
       "nap_modules": "waf"
-    },
-    {
-      "image": "ubi-9-plus-nap-v5",
-      "target": "goreleaser",
-      "platforms": "linux/amd64",
-      "nap_modules": "waf"
     }
   ]
 }
diff --git a/.github/data/matrix-images-oss.json b/.github/data/matrix-images-oss.json
@@ -5,11 +5,5 @@
   ],
   "platforms": [
     "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
-  ],
-  "include": [
-    {
-      "image": "ubi",
-      "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
-    }
   ]
 }
diff --git a/.github/data/matrix-images-plus.json b/.github/data/matrix-images-plus.json
@@ -15,11 +15,6 @@
       "image": "debian-plus",
       "platforms": "linux/arm64, linux/amd64",
       "target": "aws"
-    },
-    {
-      "image": "ubi-9-plus",
-      "platforms": "linux/arm64, linux/amd64",
-      "target": "goreleaser"
     }
   ]
 }
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
@@ -2,15 +2,15 @@
   "images": [
     {
       "label": "AP_WAF 1/4",
-      "image": "ubi-8-plus-nap",
+      "image": "debian-plus-nap",
       "type": "plus",
       "nap_modules": "waf",
       "marker": "appprotect_waf_policies_allow",
       "platforms": "linux/amd64"
     },
     {
       "label": "AP_WAF 2/4",
-      "image": "ubi-9-plus-nap",
+      "image": "debian-plus-nap",
       "type": "plus",
       "nap_modules": "waf",
       "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow and not appprotect_waf_policies_vsr'",
@@ -58,7 +58,7 @@
     },
     {
       "label": "AP_DOS 3/3",
-      "image": "ubi-9-plus-nap",
+      "image": "debian-plus-nap",
       "type": "plus",
       "nap_modules": "dos",
       "marker": "dos_learning",

diff --git a/.github/data/matrix-smoke-oss.json b/.github/data/matrix-smoke-oss.json
@@ -72,7 +72,7 @@
     },
     {
       "label": "TS",
-      "image": "ubi",
+      "image": "debian",
       "type": "oss",
       "marker": "ts",
       "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"

diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json
@@ -65,14 +65,14 @@
     },
     {
       "label": "policies 1/2",
-      "image": "ubi-9-plus",
+      "image": "alpine-plus",
       "type": "plus",
       "marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls'",
       "platforms": "linux/arm64, linux/amd64, linux/s390x"
     },
     {
       "label": "policies 2/2",
-      "image": "ubi-9-plus",
+      "image": "debian-plus",
       "type": "plus",
       "marker": "'policies_ac or policies_jwt or policies_mtls'",
       "platforms": "linux/arm64, linux/amd64, linux/s390x"

diff --git a/.github/data/patch-images.json b/.github/data/patch-images.json
@@ -11,12 +11,6 @@
     "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress",
     "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
   },
-  {
-    "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress",
-    "source_os": "ubi",
-    "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress",
-    "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
-  },
   {
     "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
     "source_os": "debian",
@@ -41,12 +35,6 @@
     "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
     "platforms": "linux/arm64, linux/amd64"
   },
-  {
-    "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
-    "source_os": "ubi",
-    "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
-    "platforms": "linux/arm64, linux/amd64"
-  },
   {
     "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
     "source_os": "debian",
@@ -59,18 +47,6 @@
     "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
     "platforms": "linux/amd64"
   },
-  {
-    "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
-    "source_os": "ubi",
-    "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
-    "platforms": "linux/amd64"
-  },
-  {
-    "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
-    "source_os": "ubi8",
-    "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
-    "platforms": "linux/amd64"
-  },
   {
     "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
     "source_os": "alpine-fips",
@@ -83,18 +59,6 @@
     "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
     "platforms": "linux/amd64"
   },
-  {
-    "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
-    "source_os": "ubi",
-    "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
-    "platforms": "linux/amd64"
-  },
-  {
-    "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
-    "source_os": "ubi8",
-    "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
-    "platforms": "linux/amd64"
-  },
   {
     "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
     "source_os": "alpine-fips",
@@ -113,12 +77,6 @@
     "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress",
     "platforms": "linux/amd64"
   },
-  {
-    "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress",
-    "source_os": "ubi",
-    "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress",
-    "platforms": "linux/amd64"
-  },
   {
     "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress",
     "source_os": "debian",
@@ -130,11 +88,5 @@
     "source_os": "mktpl",
     "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress",
     "platforms": "linux/amd64"
-  },
-  {
-    "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress",
-    "source_os": "ubi",
-    "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress",
-    "platforms": "linux/amd64"
   }
 ]
diff --git a/site/content/configuration/policy-resource.md b/site/content/configuration/policy-resource.md
@@ -192,11 +192,14 @@ data:
 {{% table %}}
 |Field | Description | Type | Required |
 | ---| ---| ---| --- |
+|``suppliedIn`` | `header` or `query`. | | Yes |
 |``suppliedIn.header`` | An array of headers that the API Key may appear in. | ``string[]`` | No |
 |``suppliedIn.query`` | An array of query params that the API Key may appear in. | ``string[]`` | No |
 |``clientSecret`` | The name of the Kubernetes secret that stores the API Key(s). It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/apikey``, and the API Key(s) must be stored in a key: val format where each key is a unique clientID and each value is a unique base64 encoded API Key  | ``string`` | Yes |
 {{% /table %}}
 
+{{<important>}}An APIKey Policy must include a minimum of one of the `suppliedIn.header` or `suppliedIn.query` parameters.  Both can also be supplied.{{</important>}}
+
 #### APIKey Merging Behavior
 
 A VirtualServer or VirtualServerRoute can be associated with only one API Key policy per route or subroute. However, it is possible to replace an API Key policy from a higher-level with a different policy defined on a more specific route.

diff --git a/site/content/releases.md b/site/content/releases.md
@@ -396,7 +396,7 @@ versions: 1.23-1.29.
 
 26 Mar 2024
 
-NGINX Ingress Controller and NGINX App Protect WAF users can can now view violations through NGINX Instance Manager Security Monitor.  Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller.  Read more information in [NGINX App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/installation/integrations/app-protect-waf/configuration/#waf-bundles) and [Security Monitoring](https://docs.nginx.com/nginx-instance-manager/security-monitoring/).
+NGINX Ingress Controller and NGINX App Protect WAF users can can now view violations through NGINX Instance Manager Security Monitor.  Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller.  Read more information in [NGINX App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/installation/integrations/app-protect-waf/configuration/#waf-bundles) and [Security Monitoring](https://docs.nginx.com/nginx-instance-manager/monitoring/security-monitoring/).
 
 When using NGINX Plus for two version [split rollouts](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#split), you can now control progressive rollouts of a new backend version without reloading NGINX using the [**-weight-changes-dynamic-reload**](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#-weight-changes-dynamic-reload) command line argument.