Merge branch 'main' into docs/prom-grafana

.github/workflows/build.yml

@@ -40,7 +40,7 @@ jobs:
           ref: ${{ inputs.tag != '' && format('refs/tags/v{0}', inputs.tag) || github.ref }}
 
       - name: Fetch Cached Artifacts
-        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: ${{ github.workspace }}/dist
           key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
@@ -151,7 +151,7 @@ jobs:
           fail-build: false
 
       - name: Upload scan result to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
         continue-on-error: true
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/ci.yml

@@ -90,8 +90,15 @@ jobs:
       - name: Setup Node.js Environment
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: 18
-      - run: npm --prefix ${{ github.workspace }}/internal/mode/static/nginx/modules install-ci-test
+          node-version-file: .nvmrc
+
+      - name: Run tests
+        run: npm --prefix ${{ github.workspace }}/internal/mode/static/nginx/modules install-ci-test
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
 
   binary:
     name: Build Binary
@@ -125,7 +132,7 @@ jobs:
         if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }}
 
       - name: Download Syft
-        uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
+        uses: anchore/sbom-action/download-syft@9fece9e20048ca9590af301449208b2b8861333b # v0.15.9
         if: github.ref_type == 'tag'
 
       - name: Install Cosign
@@ -146,7 +153,7 @@ jobs:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_COMMUNITY }}
 
       - name: Cache Artifacts
-        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: ${{ github.workspace }}/dist
           key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}
@@ -160,7 +167,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Fetch Cached Artifacts
-        uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
+        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
         with:
           path: ${{ github.workspace }}/dist
           key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }}

.github/workflows/codeql-analysis.yml

@@ -44,7 +44,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+        uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -63,7 +63,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+        uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -76,6 +76,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+        uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/lint.yml

@@ -6,6 +6,10 @@ on:
       - main
   pull_request:
 
+defaults:
+  run:
+    shell: bash
+
 concurrency:
   group: ${{ github.ref_name }}-lint
   cancel-in-progress: true
@@ -43,6 +47,11 @@ jobs:
         run: |
           echo "version=$(jq -r .devDependencies.prettier ${{ github.workspace }}/internal/mode/static/nginx/modules/package.json)" >> $GITHUB_OUTPUT
 
+      - name: Setup Node.js Environment
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version-file: .nvmrc
+
       - name: Run Prettier on NJS code
         id: prettier-run
         uses: rutajdash/prettier-cli-action@d42c4325a3b344f3bd4be482bc34de521998d557 # v1.0.2

.github/workflows/nfr.yml

@@ -0,0 +1,179 @@
+name: Non Functional Testing
+
+on:
+  workflow_dispatch:
+    inputs:
+      test_label:
+        description: NFR test to run. Choose between performance, upgrade, or all
+        required: true
+        default: all
+        type: choice
+        options: [performance, upgrade, all]
+      version:
+        description: Version of NGF under test
+        required: true
+        default: edge
+      image_tag:
+        description: Tag of the NGF and NGINX Docker images
+        required: true
+        default: edge
+      nginx_plus:
+        description: Run tests with NGINX Plus
+        required: false
+        default: false
+        type: boolean
+
+defaults:
+  run:
+    shell: bash
+
+concurrency:
+  group: ${{ github.ref_name }}-nfr
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  setup-and-run-tests:
+    name: Setup and Run NFR Tests
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: write # needed for opening PR with the results files
+      pull-requests: write # needed for opening PR with the results files
+      id-token: write # needed for authenticating to GCP
+
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+    - name: Setup Golang Environment
+      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      with:
+        go-version: stable
+
+    - name: Set GOPATH
+      run: echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
+
+    - name: Docker Buildx
+      if: ${{ inputs.nginx_plus == true }}
+      uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
+
+    - name: NGINX Docker meta
+      id: nginx-meta
+      if: ${{ inputs.nginx_plus == true }}
+      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+      with:
+        images: |
+          name=gcr.io/${{ secrets.GCP_PROJECT_ID }}/ngf-nfr/nginx-gateway-fabric/nginx-plus
+        tags: |
+          type=raw,value=${{ inputs.image_tag }}
+
+    - name: Authenticate to Google Cloud
+      id: auth
+      uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
+      with:
+        token_format: access_token
+        workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY }}
+        service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+    - name: Set up Cloud SDK
+      uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
+      with:
+        project_id: ${{ secrets.GCP_PROJECT_ID }}
+        install_components: kubectl
+
+    - name: Login to GCR
+      if: ${{ inputs.nginx_plus == true }}
+      run: gcloud auth configure-docker gcr.io -q
+
+    - name: Build NGINX Plus Docker Image
+      if: ${{ inputs.nginx_plus == true }}
+      uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+      with:
+        file: build/Dockerfile.nginxplus
+        tags: ${{ steps.nginx-meta.outputs.tags }}
+        context: "."
+        platforms: linux/amd64
+        provenance: false
+        pull: true
+        push: true
+        build-args: |
+          NJS_DIR=internal/mode/static/nginx/modules/src
+          NGINX_CONF_DIR=internal/mode/static/nginx/conf
+          BUILD_AGENT=gha
+        secrets: |
+          ${{ format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) }}
+          ${{ format('"nginx-repo.key={0}"', secrets.NGINX_KEY) }}
+
+    - name: Setup dotenv file
+      working-directory: ./tests/scripts
+      run: |
+        echo "RESOURCE_NAME=nfr-tests-${{ github.run_id }}" >> vars.env
+        echo "TAG=${{ inputs.image_tag }}" >> vars.env
+        echo "PREFIX=ghcr.io/nginxinc/nginx-gateway-fabric" >> vars.env
+        echo "NGINX_PREFIX=ghcr.io/nginxinc/nginx-gateway-fabric/nginx" >> vars.env
+        echo "NGINX_PLUS_PREFIX=gcr.io/${{ secrets.GCP_PROJECT_ID }}/ngf-nfr/nginx-gateway-fabric/nginx-plus" >> vars.env
+        echo "GKE_CLUSTER_NAME=nfr-tests-${{ github.run_id }}" >> vars.env
+        echo "GKE_CLUSTER_ZONE=us-east1-b" >> vars.env
+        echo "GKE_CLUSTER_REGION=us-east1" >> vars.env
+        echo "GKE_PROJECT=${{ secrets.GCP_PROJECT_ID }}" >> vars.env
+        echo "GKE_SVC_ACCOUNT=${{ secrets.GCP_SERVICE_ACCOUNT }}" >> vars.env
+        echo "GKE_NODES_SERVICE_ACCOUNT=${{ secrets.GKE_NODES_SERVICE_ACCOUNT }}" >> vars.env
+        echo "IMAGE=projects/debian-cloud/global/images/debian-11-bullseye-v20240213" >> vars.env
+        echo "NETWORK_TAGS=nfr-tests-${{ github.run_id }}" >> vars.env
+        echo "NGF_REPO=nginxinc" >> vars.env
+        echo "NGF_BRANCH=${{ github.ref_name }}" >> vars.env
+        echo "SOURCE_IP_RANGE=$(curl -sS -4 icanhazip.com)/32" >> vars.env
+        echo "ADD_VM_IP_AUTH_NETWORKS=true" >> vars.env
+        echo "PLUS_ENABLED=${{ inputs.nginx_plus }}" >> vars.env
+        echo "GINKGO_LABEL=" >> vars.env
+        echo "NGF_VERSION=${{ inputs.version }}" >> vars.env
+
+    - name: Create GKE cluster
+      working-directory: ./tests
+      run:
+        make create-gke-cluster CI=true
+
+    - name: Create and setup VM
+      working-directory: ./tests
+      run:
+        make create-and-setup-vm
+
+    - name: Run Tests
+      working-directory: ./tests
+      run: |
+        if ${{ inputs.test_label != 'all' }}; then
+          sed -i '/^GINKGO_LABEL=/s/=.*/="${{ inputs.test_label }}"/' "scripts/vars.env" && make run-tests-on-vm;
+        else
+          make run-tests-on-vm;
+        fi
+
+    - name: Cleanup
+      working-directory: ./tests
+      if: always()
+      run: |
+        bash scripts/cleanup-vm.sh true
+        make delete-gke-cluster
+        rm -rf scripts/vars.env
+
+    - name: Open a PR with the results
+      uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc # v6.0.1
+      with:
+        commit-message: NFR Test Results for NGF version ${{ inputs.version }}
+        author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>
+        branch: tests/nfr-tests-${{ inputs.version }}
+        delete-branch: true
+        title: NFR Test Results for NGF version ${{ inputs.version }}
+        add-paths: |
+          tests/results/
+        body: |
+          Update with NFR test results for NGF version ${{ inputs.version }}
+          - Auto-generated by the NFR tests workflow run ${{ github.run_id }}
+          - Tests ran using Docker image tag ${{ inputs.image_tag }}
+          - ${{ inputs.test_label }} test(s) ran
+          - NGINX Plus enabled: ${{ inputs.nginx_plus }}
+        labels: |
+          tests
+        assignees: ${{ github.actor }}
+        draft: true

.github/workflows/scorecards.yml

@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5
+        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
         with:
           sarif_file: results.sarif

.gitignore

@@ -48,3 +48,6 @@ internal/mode/static/nginx/modules/coverage
 
 # Dotenv files
 **/*.env
+
+# Credential files
+**/gha-creds-*.json

.goreleaser.yml

@@ -15,7 +15,7 @@ builds:
     asmflags:
       - all=-trimpath={{.Env.GOPATH}}
     ldflags:
-      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -X main.telemetryReportPeriod=24h
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -X main.telemetryReportPeriod=24h -X main.telemetryEndpointInsecure=false
     main: ./cmd/gateway/
     binary: gateway
 

.nvmrc

@@ -0,0 +1 @@
+20

.pre-commit-config.yaml

@@ -5,7 +5,7 @@ repos:
     rev: v4.5.0
     hooks:
       - id: trailing-whitespace
-        exclude: (^tests/results/)
+        exclude: (^tests/results/|\.avdl$|_generated.go$)
       - id: end-of-file-fixer
       - id: check-yaml
         args: [--allow-multiple-documents]