From 22a6f8c14959e17dbafb6b9ad76899d297a78dee Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Wed, 8 Jan 2025 16:33:04 +0000 Subject: [PATCH 1/3] update APIKey suppliedIn docs (#7084) --- site/content/configuration/policy-resource.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/site/content/configuration/policy-resource.md b/site/content/configuration/policy-resource.md index 21e2e3393..72fcece97 100644 --- a/site/content/configuration/policy-resource.md +++ b/site/content/configuration/policy-resource.md @@ -192,11 +192,14 @@ data: {{% table %}} |Field | Description | Type | Required | | ---| ---| ---| --- | +|``suppliedIn`` | `header` or `query`. | | Yes | |``suppliedIn.header`` | An array of headers that the API Key may appear in. | ``string[]`` | No | |``suppliedIn.query`` | An array of query params that the API Key may appear in. | ``string[]`` | No | |``clientSecret`` | The name of the Kubernetes secret that stores the API Key(s). It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/apikey``, and the API Key(s) must be stored in a key: val format where each key is a unique clientID and each value is a unique base64 encoded API Key | ``string`` | Yes | {{% /table %}} +{{}}An APIKey Policy must include a minimum of one of the `suppliedIn.header` or `suppliedIn.query` parameters. Both can also be supplied.{{}} + #### APIKey Merging Behavior A VirtualServer or VirtualServerRoute can be associated with only one API Key policy per route or subroute. However, it is possible to replace an API Key policy from a higher-level with a different policy defined on a more specific route. From 0333d6252182c86e855711969666ebd0611b64b6 Mon Sep 17 00:00:00 2001 From: nginx-aoife <50101789+nginx-aoife@users.noreply.github.com> Date: Thu, 9 Jan 2025 15:44:28 +0000 Subject: [PATCH 2/3] Fix broken link to NIM Security Monitoring (#7094) Update releases.md Fix broken link to NIM Security Monitoring Signed-off-by: nginx-aoife <50101789+nginx-aoife@users.noreply.github.com> --- site/content/releases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/releases.md b/site/content/releases.md index 7a90f4c48..12d7f5d5d 100644 --- a/site/content/releases.md +++ b/site/content/releases.md @@ -396,7 +396,7 @@ versions: 1.23-1.29. 26 Mar 2024 -NGINX Ingress Controller and NGINX App Protect WAF users can can now view violations through NGINX Instance Manager Security Monitor. Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller. Read more information in [NGINX App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/installation/integrations/app-protect-waf/configuration/#waf-bundles) and [Security Monitoring](https://docs.nginx.com/nginx-instance-manager/security-monitoring/). +NGINX Ingress Controller and NGINX App Protect WAF users can can now view violations through NGINX Instance Manager Security Monitor. Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller. Read more information in [NGINX App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/installation/integrations/app-protect-waf/configuration/#waf-bundles) and [Security Monitoring](https://docs.nginx.com/nginx-instance-manager/monitoring/security-monitoring/). When using NGINX Plus for two version [split rollouts](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#split), you can now control progressive rollouts of a new backend version without reloading NGINX using the [**-weight-changes-dynamic-reload**](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#-weight-changes-dynamic-reload) command line argument. From ed10de4f895035dce10b060927fda22e15f7325b Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Thu, 9 Jan 2025 16:37:28 +0000 Subject: [PATCH 3/3] remove ubi images from CI (#7093) --- .github/config/config-gcr-retag | 10 +++--- .github/config/config-plus-gcr-release | 10 +++--- .github/config/config-plus-nginx | 10 +++--- .github/data/matrix-images-nap.json | 36 ------------------- .github/data/matrix-images-oss.json | 6 ---- .github/data/matrix-images-plus.json | 5 --- .github/data/matrix-smoke-nap.json | 6 ++-- .github/data/matrix-smoke-oss.json | 2 +- .github/data/matrix-smoke-plus.json | 4 +-- .github/data/patch-images.json | 48 -------------------------- 10 files changed, 21 insertions(+), 116 deletions(-) diff --git a/.github/config/config-gcr-retag b/.github/config/config-gcr-retag index 3273e6ffa..07e0e71be 100644 --- a/.github/config/config-gcr-retag +++ b/.github/config/config-gcr-retag @@ -1,7 +1,7 @@ export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev -declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl") -declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl" "-alpine-fips") -declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips") -declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") -declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") +declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips" "-mktpl") +declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-mktpl" "-alpine-fips") +declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips") +declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-mktpl") +declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl") declare -a ADDITIONAL_TAGS=() diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release index e1c6d12e0..9cf8fb972 100644 --- a/.github/config/config-plus-gcr-release +++ b/.github/config/config-plus-gcr-release @@ -1,8 +1,8 @@ export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release -declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl") -declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-mktpl") -declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips" "-ubi8") -declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") -declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl") +declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips" "-mktpl") +declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips" "-mktpl") +declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips") +declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-mktpl") +declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl") declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}") export PUBLISH_OSS=false diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx index 546c63672..b7633a143 100644 --- a/.github/config/config-plus-nginx +++ b/.github/config/config-plus-nginx @@ -1,8 +1,8 @@ export TARGET_REGISTRY=docker-mgmt.nginx.com export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress" -declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips") -declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips") -declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips") -declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi") -declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi") +declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips") +declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips") +declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips") +declare -a NAP_DOS_TAG_POSTFIX_LIST=("") +declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("") export PUBLISH_OSS=false diff --git a/.github/data/matrix-images-nap.json b/.github/data/matrix-images-nap.json index b93c8404d..a391e9314 100644 --- a/.github/data/matrix-images-nap.json +++ b/.github/data/matrix-images-nap.json @@ -15,36 +15,6 @@ "waf,dos" ], "include": [ - { - "image": "ubi-8-plus-nap", - "target": "goreleaser", - "platforms": "linux/amd64", - "nap_modules": "waf" - }, - { - "image": "ubi-8-plus-nap-v5", - "target": "goreleaser", - "platforms": "linux/amd64", - "nap_modules": "waf" - }, - { - "image": "ubi-9-plus-nap", - "target": "goreleaser", - "platforms": "linux/amd64", - "nap_modules": "waf" - }, - { - "image": "ubi-9-plus-nap", - "target": "goreleaser", - "platforms": "linux/amd64", - "nap_modules": "dos" - }, - { - "image": "ubi-9-plus-nap", - "target": "goreleaser", - "platforms": "linux/amd64", - "nap_modules": "waf,dos" - }, { "image": "alpine-plus-nap-fips", "target": "goreleaser", @@ -62,12 +32,6 @@ "target": "goreleaser", "platforms": "linux/amd64", "nap_modules": "waf" - }, - { - "image": "ubi-9-plus-nap-v5", - "target": "goreleaser", - "platforms": "linux/amd64", - "nap_modules": "waf" } ] } diff --git a/.github/data/matrix-images-oss.json b/.github/data/matrix-images-oss.json index 237c3014f..7c94faf8e 100644 --- a/.github/data/matrix-images-oss.json +++ b/.github/data/matrix-images-oss.json @@ -5,11 +5,5 @@ ], "platforms": [ "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - ], - "include": [ - { - "image": "ubi", - "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - } ] } diff --git a/.github/data/matrix-images-plus.json b/.github/data/matrix-images-plus.json index ab1717d37..b74a88d67 100644 --- a/.github/data/matrix-images-plus.json +++ b/.github/data/matrix-images-plus.json @@ -15,11 +15,6 @@ "image": "debian-plus", "platforms": "linux/arm64, linux/amd64", "target": "aws" - }, - { - "image": "ubi-9-plus", - "platforms": "linux/arm64, linux/amd64", - "target": "goreleaser" } ] } diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json index 1d780e7a7..b2d6f4a40 100644 --- a/.github/data/matrix-smoke-nap.json +++ b/.github/data/matrix-smoke-nap.json @@ -2,7 +2,7 @@ "images": [ { "label": "AP_WAF 1/4", - "image": "ubi-8-plus-nap", + "image": "debian-plus-nap", "type": "plus", "nap_modules": "waf", "marker": "appprotect_waf_policies_allow", @@ -10,7 +10,7 @@ }, { "label": "AP_WAF 2/4", - "image": "ubi-9-plus-nap", + "image": "debian-plus-nap", "type": "plus", "nap_modules": "waf", "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow and not appprotect_waf_policies_vsr'", @@ -58,7 +58,7 @@ }, { "label": "AP_DOS 3/3", - "image": "ubi-9-plus-nap", + "image": "debian-plus-nap", "type": "plus", "nap_modules": "dos", "marker": "dos_learning", diff --git a/.github/data/matrix-smoke-oss.json b/.github/data/matrix-smoke-oss.json index a15b9b893..52a9a7f45 100644 --- a/.github/data/matrix-smoke-oss.json +++ b/.github/data/matrix-smoke-oss.json @@ -72,7 +72,7 @@ }, { "label": "TS", - "image": "ubi", + "image": "debian", "type": "oss", "marker": "ts", "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json index 572d6e4d8..a67fa4add 100644 --- a/.github/data/matrix-smoke-plus.json +++ b/.github/data/matrix-smoke-plus.json @@ -65,14 +65,14 @@ }, { "label": "policies 1/2", - "image": "ubi-9-plus", + "image": "alpine-plus", "type": "plus", "marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls'", "platforms": "linux/arm64, linux/amd64, linux/s390x" }, { "label": "policies 2/2", - "image": "ubi-9-plus", + "image": "debian-plus", "type": "plus", "marker": "'policies_ac or policies_jwt or policies_mtls'", "platforms": "linux/arm64, linux/amd64, linux/s390x" diff --git a/.github/data/patch-images.json b/.github/data/patch-images.json index b258b2c4c..22b2662e3 100644 --- a/.github/data/patch-images.json +++ b/.github/data/patch-images.json @@ -11,12 +11,6 @@ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress", "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" }, - { - "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress", - "source_os": "ubi", - "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress", - "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" - }, { "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress", "source_os": "debian", @@ -41,12 +35,6 @@ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress", "platforms": "linux/arm64, linux/amd64" }, - { - "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress", - "source_os": "ubi", - "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress", - "platforms": "linux/arm64, linux/amd64" - }, { "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress", "source_os": "debian", @@ -59,18 +47,6 @@ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress", "platforms": "linux/amd64" }, - { - "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress", - "source_os": "ubi", - "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress", - "platforms": "linux/amd64" - }, - { - "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress", - "source_os": "ubi8", - "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress", - "platforms": "linux/amd64" - }, { "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress", "source_os": "alpine-fips", @@ -83,18 +59,6 @@ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress", "platforms": "linux/amd64" }, - { - "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress", - "source_os": "ubi", - "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress", - "platforms": "linux/amd64" - }, - { - "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress", - "source_os": "ubi8", - "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress", - "platforms": "linux/amd64" - }, { "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress", "source_os": "alpine-fips", @@ -113,12 +77,6 @@ "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress", "platforms": "linux/amd64" }, - { - "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress", - "source_os": "ubi", - "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress", - "platforms": "linux/amd64" - }, { "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress", "source_os": "debian", @@ -130,11 +88,5 @@ "source_os": "mktpl", "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress", "platforms": "linux/amd64" - }, - { - "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress", - "source_os": "ubi", - "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress", - "platforms": "linux/amd64" } ]