Merge branch 'master' into dependabot/go_modules/github.com/go-logr/logr-1.2.2

Author: ciarams87

.github/workflows/ci.yml

@@ -8,6 +8,8 @@ on:
       - 'docs/**'
       - 'examples/**'
       - '**.md'
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
   pull_request:
     branches:
       - master
@@ -19,13 +21,14 @@ on:
       - 'docs/**'
       - 'examples/**'
       - '**.md'
-  create:
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+*'
 
 env:
   DOCKER_BUILDKIT: 1
 
+concurrency:
+  group: ${{ github.ref_name }}-ci
+  cancel-in-progress: true
+
 jobs:
 
   vars:
@@ -34,21 +37,15 @@ jobs:
     outputs:
       sha_short: ${{ steps.vars.outputs.sha }}
       go_version: ${{ steps.vars.outputs.go_version }}
-      git_tag: ${{ steps.vars.outputs.git_tag }}
       repo_name: ${{ steps.vars.outputs.repo }}
     steps:
-      - name: Cancel Previous Runs
-        uses: styfle/[email protected]
-        with:
-          access_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Checkout Repository
         uses: actions/checkout@v2
       - name: Output Variables
         id: vars
         run: |
           echo "::set-output name=sha::$(echo ${GITHUB_SHA} | cut -c1-7)"
           echo "::set-output name=go_version::$(grep "go 1." go.mod | cut -d " " -f 2)"
-          echo "::set-output name=git_tag::$(echo ${GITHUB_REF/refs\/tags\//} | tr -d v)"
           echo "::set-output name=repo::$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2)"
 
   binary:
@@ -96,23 +93,43 @@ jobs:
         with:
           path: ${{ github.workspace }}/bin/manager
           key: nginx-ingress-operator-${{ github.run_id }}-${{ github.run_number }}
+      - name: DockerHub Login
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+        if: github.event_name != 'pull_request'
       - name: Docker Buildx
         uses: docker/setup-buildx-action@v1
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: |
+            nginx/nginx-ingress-operator
+          tags: |
+            type=edge
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+          labels: |
+            org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
+            org.opencontainers.image.vendor=NGINX Inc <[email protected]>
       - name: Build Image
         uses: docker/build-push-action@v2
         with:
           context: '.'
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          tags: nginx/nginx-ingress-operator:${{ github.sha }}
-          push: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          load: ${{ github.event_name == 'pull_request' }}
+          push: ${{ github.event_name != 'pull_request' }}
           pull: true
-          load: true
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/[email protected].0
+        uses: aquasecurity/[email protected].1
         continue-on-error: true
         with:
-          image-ref: nginx/nginx-ingress-operator:${{ github.sha }}
+          image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'
@@ -121,7 +138,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@v1
         continue-on-error: true
         with:
-          sarif_file: 'trivy-result.sarif'
+          sarif_file: 'trivy-results.sarif'
       - name: Upload Scan Results
         uses: actions/upload-artifact@v2
         continue-on-error: true
@@ -130,46 +147,11 @@ jobs:
           path: 'trivy-results.sarif'
         if: always()
 
-  release-docker:
-    name: Release Image
-    runs-on: ubuntu-20.04
-    needs: [vars, build, unit-tests]
-    if:
-      github.repository == 'nginxinc/nginx-ingress-operator' &&
-      github.event_name == 'create' &&
-      contains(github.ref, 'refs/tags/')
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@v2
-      - name: Fetch Cached Artifacts
-        uses: actions/cache@v2
-        with:
-          path: ${{ github.workspace }}/build/_output/bin/nginx-ingress-operator
-          key: nginx-ingress-operator-${{ github.run_id }}-${{ github.run_number }}
-      - name: Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: DockerHub Login
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Push to Dockerhub
-        uses: docker/build-push-action@v2
-        with:
-          file: Dockerfile
-          context: '.'
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          tags: |
-            nginx/nginx-ingress-operator:latest
-            nginx/nginx-ingress-operator:${{ needs.vars.outputs.git_tag }}
-          push: true
-          pull: true
 
   notify:
     name: Notify
     runs-on: ubuntu-20.04
-    needs: [vars, release-docker]
+    needs: [vars, build]
     if: always() && github.ref == 'refs/heads/master'
     steps:
       - name: Workflow Status

.github/workflows/codeql-analysis.yml

@@ -9,6 +9,10 @@ on:
   schedule:
     - cron: '45 2 * * 4'
 
+concurrency:
+  group: ${{ github.ref_name }}-codeql
+  cancel-in-progress: true
+
 jobs:
   analyze:
     name: Analyze
@@ -23,10 +27,6 @@ jobs:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
-    - name: Cancel Previous Runs
-      uses: styfle/[email protected]
-      with:
-        access_token: ${{ secrets.GITHUB_TOKEN }}
     - name: Checkout repository
       uses: actions/checkout@v2
 

.github/workflows/dockerhub-description.yml

@@ -6,14 +6,15 @@ on:
     paths:
       - README.md
       - .github/workflows/dockerhub-description.yml
+
+concurrency:
+  group: ${{ github.ref_name }}-dockerhub-description
+  cancel-in-progress: true
+
 jobs:
   dockerHubDescription:
     runs-on: ubuntu-20.04
     steps:
-      - name: Cancel Previous Runs
-        uses: styfle/[email protected]
-        with:
-          access_token: ${{ secrets.GITHUB_TOKEN }}
       - uses: actions/checkout@v2
 
       - name: Modify readme for DockerHub

.github/workflows/fossa.yml

@@ -8,16 +8,16 @@ on:
       - '**.md'
       - 'LICENSE'
 
+concurrency:
+  group: ${{ github.ref_name }}-fossa
+  cancel-in-progress: true
+
 jobs:
 
   scan:
     name: Fossa
     runs-on: ubuntu-20.04
     steps:
-      - name: Cancel Previous Runs
-        uses: styfle/[email protected]
-        with:
-          access_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Checkout Repository
         uses: actions/checkout@v2
       - name: Scan

.github/workflows/lint.yml

@@ -17,6 +17,10 @@ defaults:
   run:
     shell: bash
 
+concurrency:
+  group: ${{ github.ref_name }}-lint
+  cancel-in-progress: true
+
 env:
   GOLANGCI_TIMEOUT: 10m0s
 
@@ -26,10 +30,6 @@ jobs:
     name: Lint
     runs-on: ubuntu-20.04
     steps:
-      - name: Cancel Previous Runs
-        uses: styfle/[email protected]
-        with:
-          access_token: ${{ secrets.GITHUB_TOKEN }}
       - name: Checkout Repository
         uses: actions/checkout@v2
       - name: Lint Code

Dockerfile

@@ -18,12 +18,20 @@ COPY controllers/ controllers/
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-s -w -X main.version=${VERSION}" -a -o manager main.go
 
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+ARG VERSION
 WORKDIR /
-COPY --from=builder --chown=65532:65532 /workspace/manager .
+COPY --from=builder /workspace/manager .
 COPY config/crd/kic ./config/crd/kic
-USER 65532:65532
+COPY LICENSE /licenses/
+
+LABEL name="NGINX Ingress Operator" \
+      vendor="NGINX Inc <[email protected]" \
+      version="v${VERSION}" \
+      release="1" \
+      summary="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers" \
+      description="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
 
 ENTRYPOINT ["/manager"]
+
+USER 1001

Makefile

@@ -41,9 +41,7 @@ IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.22
 
-# Change DOCKERFILE tp openshift.Dockerfile to build Openshift image
 DOCKERFILE ?= Dockerfile
-RH_RBAC_IMAGE ?= registry.redhat.io/openshift4/ose-kube-rbac-proxy:v4.7
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -125,11 +123,6 @@ deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default | kubectl apply -f -
 
-openshift-deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
-	VAL="${RH_RBAC_IMAGE}" yq e '.spec.template.spec.containers[0].image = strenv(VAL)' -i config/default/manager_auth_proxy_patch.yaml
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	$(KUSTOMIZE) build config/default | kubectl apply -f -
-
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
 

api/v1alpha1/nginxingresscontroller_types.go

@@ -154,6 +154,12 @@ type NginxIngressControllerSpec struct {
 	// +nullable
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	AppProtect *AppProtect `json:"appProtect"`
+	// App Protect Dos support configuration.
+	// Requires enableCRDs set to true.
+	// +kubebuilder:validation:Optional
+	// +nullable
+	// +operator-sdk:csv:customresourcedefinitions:type=spec
+	AppProtectDos *AppProtectDos `json:"appProtectDos"`
 	// Timeout in milliseconds which the Ingress Controller will wait for a successful NGINX reload after a change or at the initial start.
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
@@ -268,15 +274,32 @@ type Prometheus struct {
 
 // AppProtect support configuration.
 type AppProtect struct {
-	// Enable App Protect.
+	// Enable App Protect WAF.
 	Enable bool `json:"enable"`
 }
 
+// AppProtectDos support configuration.
+type AppProtectDos struct {
+	// Enable App Protect Dos.
+	Enable bool `json:"enable"`
+	// Enable debug mode.
+	Debug bool `json:"debug"`
+	// Max number of ADMD instances.
+	MaxDaemons int `json:"maxDaemons"`
+	// Max number of nginx processes to support.
+	MaxWorkers int `json:"maxWorkers"`
+	// RAM memory size in MB.
+	Memory int `json:"memory"`
+}
+
 // Service defines the Service for the Ingress Controller.
 type Service struct {
 	// Specifies extra labels of the service.
 	// +kubebuilder:validation:Optional
 	ExtraLabels map[string]string `json:"extraLabels,omitempty"`
+	// Specifies extra annotations of the service.
+	// +kubebuilder:validation:Optional
+	ExtraAnnotations map[string]string `json:"extraAnnotations,omitempty"`
 }
 
 func init() {

api/v1alpha1/zz_generated.deepcopy.go

@@ -246,6 +246,11 @@ spec:
                       type: string
                     description: Specifies extra labels of the service.
                     type: object
+                  extraAnnotations:
+                    additionalProperties:
+                      type: string
+                    description: Specifies extra annotations of the service.
+                    type: object
                 type: object
               serviceType:
                 description: 'The type of the Service for the Ingress Controller.