Merge branch 'main' into feat/hostPort

Author: Gasoid

.github/workflows/build.yml

@@ -171,7 +171,7 @@ jobs:
           fail-build: false
 
       - name: Upload scan result to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         continue-on-error: true
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/ci.yml

@@ -165,7 +165,7 @@ jobs:
         if: github.ref_type == 'tag'
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@fb28c2b6339dcd94da6e4cbcbc5e888961f6f8c3 # v3.9.0
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
         if: github.ref_type == 'tag'
 
       - name: Build binary

.github/workflows/scorecards.yml

@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           sarif_file: results.sarif

.pre-commit-config.yaml

@@ -32,7 +32,7 @@ repos:
       - id: gitleaks
 
   - repo: https://github.com/rbubley/mirrors-prettier
-    rev: v3.5.3
+    rev: v3.6.2
     hooks:
       - id: prettier
         types:

README.md

@@ -68,7 +68,7 @@ The following table lists the software versions NGINX Gateway Fabric supports.
 
 | NGINX Gateway Fabric | Gateway API | Kubernetes | NGINX OSS | NGINX Plus | NGINX Agent |
 |----------------------|-------------|------------|-----------|------------|-------------|
-| Edge                 | 1.3.0       | 1.25+      | 1.28.0    | R34        | v3.0.2      |
+| Edge                 | 1.3.0       | 1.25+      | 1.28.0    | R34        | v3.0.3      |
 | 2.0.1                | 1.3.0       | 1.25+      | 1.28.0    | R34        | v3.0.1      |
 | 2.0.0                | 1.3.0       | 1.25+      | 1.28.0    | R34        | v3.0.0      |
 | 1.6.2                | 1.2.1       | 1.25+      | 1.27.4    | R33        | ---         |

build/Dockerfile.nginx

@@ -7,7 +7,7 @@ ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.p
 FROM nginx:1.28.0-alpine-otel
 
 # renovate: datasource=github-tags depName=nginx/agent
-ARG NGINX_AGENT_VERSION=v3.0.2
+ARG NGINX_AGENT_VERSION=v3.0.3
 ARG NJS_DIR
 ARG NGINX_CONF_DIR
 ARG BUILD_AGENT

build/Dockerfile.nginxplus

@@ -8,7 +8,7 @@ FROM alpine:3.21
 
 ARG NGINX_PLUS_VERSION=R34
 # renovate: datasource=github-tags depName=nginx/agent
-ARG NGINX_AGENT_VERSION=v3.0.2
+ARG NGINX_AGENT_VERSION=v3.0.3
 ARG NJS_DIR
 ARG NGINX_CONF_DIR
 ARG BUILD_AGENT

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/go-logr/logr v1.4.3
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
-	github.com/nginx/agent/v3 v3.0.2
+	github.com/nginx/agent/v3 v3.0.3
 	github.com/nginx/telemetry-exporter v0.1.4
 	github.com/onsi/ginkgo/v2 v2.23.4
 	github.com/onsi/gomega v1.37.0

go.sum

@@ -137,8 +137,8 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/nginx/agent/v3 v3.0.2 h1:beO5qFeAVWOiZDkYRyElctbhnjz+g3JDsH2yKZjoRjY=
-github.com/nginx/agent/v3 v3.0.2/go.mod h1:O/31aKtii/mpiZmFGMcTNDoLtKzwTyTXOBMSRkMaPvs=
+github.com/nginx/agent/v3 v3.0.3 h1:m/CJEVsOZwcMXwtck/AIhWVzhSMLjxi7sLUX6s54zjA=
+github.com/nginx/agent/v3 v3.0.3/go.mod h1:r1ANR0lvPk6rabs5WbZTcnLBwkzpEFEPILyC2kLEeig=
 github.com/nginx/telemetry-exporter v0.1.4 h1:3ikgKlyz/O57oaBLkxCInMjr74AhGTKr9rHdRAkkl/w=
 github.com/nginx/telemetry-exporter v0.1.4/go.mod h1:bl6qmsxgk4a9D0X8R5E3sUNXN2iECPEK1JNbRLhN5C4=
 github.com/nginxinc/nginx-plus-go-client/v2 v2.0.1 h1:5VVK38bnELMDWnwfF6dSv57ResXh9AUzeDa72ENj94o=

internal/controller/manager.go

@@ -440,7 +440,7 @@ func registerControllers(
 			objectType: &apiv1.Service{},
 			name:       "user-service", // unique controller names are needed and we have multiple Service ctlrs
 			options: []controller.Option{
-				controller.WithK8sPredicate(predicate.ServicePortsChangedPredicate{}),
+				controller.WithK8sPredicate(predicate.ServiceChangedPredicate{}),
 			},
 		},
 		{

internal/controller/nginx/modules/package-lock.json

@@ -11,7 +11,7 @@
   },
   "devDependencies": {
     "@vitest/coverage-v8": "^3.2.4",
-    "prettier": "3.6.0",
+    "prettier": "3.6.2",
     "vitest": "^3.2.4"
   },
   "type": "module"

internal/controller/nginx/modules/package.json

@@ -107,6 +107,18 @@ const (
 	// has an overlapping hostname:port/path combination with another Route.
 	PolicyReasonTargetConflict v1alpha2.PolicyConditionReason = "TargetConflict"
 
+	// ClientSettingsPolicyAffected is used with the "PolicyAffected" condition when a
+	// ClientSettingsPolicy is applied to a Gateway, HTTPRoute, or GRPCRoute.
+	ClientSettingsPolicyAffected v1alpha2.PolicyConditionType = "ClientSettingsPolicyAffected"
+
+	// ObservabilityPolicyAffected is used with the "PolicyAffected" condition when an
+	// ObservabilityPolicy is applied to a HTTPRoute, or GRPCRoute.
+	ObservabilityPolicyAffected v1alpha2.PolicyConditionType = "ObservabilityPolicyAffected"
+
+	// PolicyAffectedReason is used with the "PolicyAffected" condition when a
+	// ObservabilityPolicy or ClientSettingsPolicy is applied to Gateways or Routes.
+	PolicyAffectedReason v1alpha2.PolicyConditionReason = "PolicyAffected"
+
 	// GatewayResolvedRefs condition indicates whether the controller was able to resolve the
 	// parametersRef on the Gateway.
 	GatewayResolvedRefs v1.GatewayConditionType = "ResolvedRefs"
@@ -185,6 +197,19 @@ func ConvertConditions(
 	return apiConds
 }
 
+// HasMatchingCondition checks if the given condition matches any of the existing conditions.
+func HasMatchingCondition(existingConditions []Condition, cond Condition) bool {
+	for _, existing := range existingConditions {
+		if existing.Type == cond.Type &&
+			existing.Status == cond.Status &&
+			existing.Reason == cond.Reason &&
+			existing.Message == cond.Message {
+			return true
+		}
+	}
+	return false
+}
+
 // NewDefaultGatewayClassConditions returns Conditions that indicate that the GatewayClass is accepted and that the
 // Gateway API CRD versions are supported.
 func NewDefaultGatewayClassConditions() []Condition {
@@ -398,6 +423,17 @@ func NewRouteBackendRefUnsupportedValue(msg string) Condition {
 	}
 }
 
+// NewRouteBackendRefUnsupportedProtocol returns a Condition that indicates that the Route has a backendRef with
+// an unsupported protocol.
+func NewRouteBackendRefUnsupportedProtocol(msg string) Condition {
+	return Condition{
+		Type:    string(v1.RouteConditionResolvedRefs),
+		Status:  metav1.ConditionFalse,
+		Reason:  string(v1.RouteReasonUnsupportedProtocol),
+		Message: msg,
+	}
+}
+
 // NewRouteInvalidGateway returns a Condition that indicates that the Route is not Accepted because the Gateway it
 // references is invalid.
 func NewRouteInvalidGateway() Condition {
@@ -940,3 +976,25 @@ func NewSnippetsFilterAccepted() Condition {
 		Message: "SnippetsFilter is accepted",
 	}
 }
+
+// NewObservabilityPolicyAffected returns a Condition that indicates that an ObservabilityPolicy
+// is applied to the resource.
+func NewObservabilityPolicyAffected() Condition {
+	return Condition{
+		Type:    string(ObservabilityPolicyAffected),
+		Status:  metav1.ConditionTrue,
+		Reason:  string(PolicyAffectedReason),
+		Message: "ObservabilityPolicy is applied to the resource",
+	}
+}
+
+// NewClientSettingsPolicyAffected returns a Condition that indicates that a ClientSettingsPolicy
+// is applied to the resource.
+func NewClientSettingsPolicyAffected() Condition {
+	return Condition{
+		Type:    string(ClientSettingsPolicyAffected),
+		Status:  metav1.ConditionTrue,
+		Reason:  string(PolicyAffectedReason),
+		Message: "ClientSettingsPolicy is applied to the resource",
+	}
+}

internal/controller/state/conditions/conditions.go

@@ -105,3 +105,43 @@ func TestConvertConditions(t *testing.T) {
 	result := ConvertConditions(conds, generation, time)
 	g.Expect(result).Should(Equal(expected))
 }
+
+func TestHasMatchingCondition(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		condition Condition
+		name      string
+		conds     []Condition
+		expected  bool
+	}{
+		{
+			name:      "no conditions in the list",
+			conds:     nil,
+			condition: NewClientSettingsPolicyAffected(),
+			expected:  false,
+		},
+		{
+			name:      "condition matches existing condition",
+			conds:     []Condition{NewClientSettingsPolicyAffected()},
+			condition: NewClientSettingsPolicyAffected(),
+			expected:  true,
+		},
+		{
+			name:      "condition does not match existing condition",
+			conds:     []Condition{NewClientSettingsPolicyAffected()},
+			condition: NewObservabilityPolicyAffected(),
+			expected:  false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			g := NewWithT(t)
+
+			result := HasMatchingCondition(test.conds, test.condition)
+			g.Expect(result).To(Equal(test.expected))
+		})
+	}
+}

internal/controller/state/conditions/conditions_test.go

@@ -17,6 +17,12 @@ import (
 	"github.com/nginx/nginx-gateway-fabric/internal/framework/helpers"
 )
 
+const (
+	AppProtocolTypeH2C string = "kubernetes.io/h2c"
+	AppProtocolTypeWS  string = "kubernetes.io/ws"
+	AppProtocolTypeWSS string = "kubernetes.io/wss"
+)
+
 // BackendRef is an internal representation of a backendRef in an HTTP/GRPC/TLSRoute.
 type BackendRef struct {
 	// BackendTLSPolicy is the BackendTLSPolicy of the Service which is referenced by the backendRef.
@@ -200,6 +206,23 @@ func createBackendRef(
 		return backendRef, append(conds, conditions.NewRouteBackendRefUnsupportedValue(err.Error()))
 	}
 
+	if svcPort.AppProtocol != nil {
+		err = validateRouteBackendRefAppProtocol(route.RouteType, *svcPort.AppProtocol, backendTLSPolicy)
+		if err != nil {
+			backendRef := BackendRef{
+				SvcNsName:          svcNsName,
+				BackendTLSPolicy:   backendTLSPolicy,
+				ServicePort:        svcPort,
+				Weight:             weight,
+				Valid:              false,
+				IsMirrorBackend:    ref.MirrorBackendIdx != nil,
+				InvalidForGateways: invalidForGateways,
+			}
+
+			return backendRef, append(conds, conditions.NewRouteBackendRefUnsupportedProtocol(err.Error()))
+		}
+	}
+
 	backendRef := BackendRef{
 		SvcNsName:          svcNsName,
 		BackendTLSPolicy:   backendTLSPolicy,
@@ -414,6 +437,56 @@ func validateBackendRef(
 	return true, conditions.Condition{}
 }
 
+// validateRouteBackendRefAppProtocol checks if a given RouteType supports sending traffic to a service AppProtocol.
+// Returns nil if true or AppProtocol is not a Kubernetes Standard Application Protocol.
+func validateRouteBackendRefAppProtocol(
+	routeType RouteType,
+	appProtocol string,
+	backendTLSPolicy *BackendTLSPolicy,
+) error {
+	err := fmt.Errorf(
+		"route type %s does not support service port appProtocol %s",
+		routeType,
+		appProtocol,
+	)
+
+	// Currently we only support recognition of the Kubernetes Standard Application Protocols defined in KEP-3726.
+	switch appProtocol {
+	case AppProtocolTypeH2C:
+		if routeType == RouteTypeGRPC {
+			return nil
+		}
+
+		if routeType == RouteTypeHTTP {
+			return fmt.Errorf("%w; nginx does not support proxying to upstreams with http2 or h2c", err)
+		}
+
+		return err
+	case AppProtocolTypeWS:
+		if routeType == RouteTypeHTTP {
+			return nil
+		}
+
+		return err
+	case AppProtocolTypeWSS:
+		if routeType == RouteTypeHTTP {
+			if backendTLSPolicy != nil {
+				return nil
+			}
+
+			return fmt.Errorf("%w; missing corresponding BackendTLSPolicy", err)
+		}
+
+		if routeType == RouteTypeTLS {
+			return nil
+		}
+
+		return err
+	}
+
+	return nil
+}
+
 func validateWeight(weight int32) error {
 	const (
 		minWeight = 0