Merge branch 'main' into feat/hostPort

Gasoid · web-flow · commit 7997f8d26397 · 2025-07-04T16:10:01.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -163,7 +163,7 @@ jobs:
 
       - name: Scan SBOM
         id: scan
-        uses: anchore/scan-action@be7a22da4f22dde446c4c4c099887ff5b256526c # v6.3.0
+        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
         with:
           sbom: "sbom-${{ inputs.image }}.json"
           only-fixed: true
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -161,7 +161,7 @@ jobs:
         if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }}
 
       - name: Download Syft
-        uses: anchore/sbom-action/download-syft@9246b90769f852b3a8921f330c59e0b3f439d6e9 # v0.20.1
+        uses: anchore/sbom-action/download-syft@cee1b8e05ae5b2593a75e197229729eabaa9f8ec # v0.20.2
         if: github.ref_type == 'tag'
 
       - name: Install Cosign
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -40,7 +40,7 @@ jobs:
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           working-directory: ${{ matrix.directory }}
-          version: v2.1.6 # renovate: datasource=github-tags depName=golangci/golangci-lint
+          version: v2.2.1 # renovate: datasource=github-tags depName=golangci/golangci-lint
 
   njs-lint:
     name: NJS Lint
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -39,7 +39,7 @@ repos:
           - javascript
 
   - repo: https://github.com/golangci/golangci-lint
-    rev: v2.1.6
+    rev: v2.2.1
     hooks:
       - id: golangci-lint-full
         name: golangci-lint-root
diff --git a/Makefile b/Makefile
@@ -23,7 +23,7 @@ GO_LINKER_FLAGS = $(GO_LINKER_FLAGS_OPTIMIZATIONS) $(GO_LINKER_FlAGS_VARS)
 
 # tools versions
 # renovate: datasource=github-tags depName=golangci/golangci-lint
-GOLANGCI_LINT_VERSION = v2.1.6
+GOLANGCI_LINT_VERSION = v2.2.1
 # renovate: datasource=docker depName=kindest/node
 KIND_K8S_VERSION = v1.33.1
 # renovate: datasource=github-tags depName=norwoodj/helm-docs
@@ -126,7 +126,7 @@ generate-crds: ## Generate CRDs and Go types using kubebuilder
 
 .PHONY: install-crds
 install-crds: ## Install CRDs
-	kubectl kustomize $(SELF_DIR)config/crd | kubectl apply -f -
+	kubectl kustomize $(SELF_DIR)config/crd | kubectl apply --server-side -f -
 
 .PHONY: install-gateway-crds
 install-gateway-crds: ## Install Gateway API CRDs
diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx
@@ -16,15 +16,10 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk
     printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
     && apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION#v}
 
-RUN apk add --no-cache libcap bash \
+RUN apk add --no-cache bash \
     && mkdir -p /usr/lib/nginx/modules \
-    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
-    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
     # Update packages for CVE-2025-32414 and CVE-2025-32415
     && apk --no-cache upgrade libxml2 \
-    && apk del libcap \
     # forward request and error logs to docker log collector
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log
diff --git a/build/Dockerfile.nginxplus b/build/Dockerfile.nginxplus
@@ -22,13 +22,8 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
     && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
     && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-agent=${NGINX_AGENT_VERSION#v}
 
-RUN apk add --no-cache libcap bash \
+RUN apk add --no-cache bash \
     && mkdir -p /usr/lib/nginx/modules \
-	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-	&& setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
-    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
-    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
-    && apk del libcap \
     # forward request and error logs to docker log collector
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log
diff --git a/charts/nginx-gateway-fabric/README.md b/charts/nginx-gateway-fabric/README.md
@@ -139,7 +139,7 @@ Helm does not upgrade the NGINX Gateway Fabric CRDs during a release upgrade. Be
 must [pull the chart](#pulling-the-chart) from GitHub and run the following command to upgrade the CRDs:
 
 ```shell
-kubectl apply -f crds/
+kubectl apply --server-side -f crds/
 ```
 
 The following warning is expected and can be ignored:
diff --git a/charts/nginx-gateway-fabric/README.md.gotmpl b/charts/nginx-gateway-fabric/README.md.gotmpl
@@ -137,7 +137,7 @@ Helm does not upgrade the NGINX Gateway Fabric CRDs during a release upgrade. Be
 must [pull the chart](#pulling-the-chart) from GitHub and run the following command to upgrade the CRDs:
 
 ```shell
-kubectl apply -f crds/
+kubectl apply --server-side -f crds/
 ```
 
 The following warning is expected and can be ignored:
diff --git a/charts/nginx-gateway-fabric/templates/deployment.yaml b/charts/nginx-gateway-fabric/templates/deployment.yaml
@@ -35,6 +35,7 @@ spec:
         {{- end }}
       {{- end }}
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/charts/nginx-gateway-fabric/templates/scc.yaml b/charts/nginx-gateway-fabric/templates/scc.yaml
@@ -44,6 +44,7 @@ metadata:
   name: {{ include "nginx-gateway.scc-name" . }}-nginx
   labels:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
+allowPrivilegeEscalation: false
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
@@ -69,8 +70,6 @@ seLinuxContext:
   type: MustRunAs
 seccompProfiles:
 - runtime/default
-allowedCapabilities:
-- NET_BIND_SERVICE
 requiredDropCapabilities:
 - ALL
 volumes:
diff --git a/charts/nginx-gateway-fabric/templates/serviceaccount.yaml b/charts/nginx-gateway-fabric/templates/serviceaccount.yaml
@@ -7,6 +7,7 @@ metadata:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
     {{- toYaml .Values.nginxGateway.serviceAccount.annotations | nindent 4 }}
+automountServiceAccountToken: false
 {{- if or .Values.nginxGateway.serviceAccount.imagePullSecret .Values.nginxGateway.serviceAccount.imagePullSecrets }}
 imagePullSecrets:
   {{- if .Values.nginxGateway.serviceAccount.imagePullSecret }}
diff --git a/charts/nginx-gateway-fabric/values.yaml b/charts/nginx-gateway-fabric/values.yaml
@@ -5,8 +5,6 @@ clusterDomain: cluster.local
 
 # -- The nginxGateway section contains configuration for the NGINX Gateway Fabric control plane deployment.
 nginxGateway:
-  # FIXME(lucacome): https://github.com/nginx/nginx-gateway-fabric/issues/2490
-
   # @schema
   # const: deployment
   # @schema
@@ -396,9 +394,9 @@ nginx:
     # -- The topology spread constraints for the NGINX data plane pod.
     # topologySpreadConstraints: []
 
-    # -- extraVolumes for the NGINX data plane pod. Use in conjunction with
-    # nginx.container.extraVolumeMounts mount additional volumes to the container.
-    # extraVolumes: []
+    # -- The volumes for the NGINX data plane pod. Use in conjunction with
+    # nginx.container.volumeMounts mount additional volumes to the container.
+    # volumes: []
 
   # -- The container configuration for the NGINX container. This is applied globally to all Gateways managed by this
   # instance of NGINX Gateway Fabric.
@@ -435,8 +433,8 @@ nginx:
     # -- The lifecycle of the NGINX container.
     lifecycle: {}
 
-    # -- extraVolumeMounts are the additional volume mounts for the NGINX container.
-    extraVolumeMounts: []
+    # -- volumeMounts are the additional volume mounts for the NGINX container.
+    # volumeMounts: []
 
   # -- The service configuration for the NGINX data plane. This is applied globally to all Gateways managed by this
   # instance of NGINX Gateway Fabric.
diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -256,6 +257,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -256,6 +257,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -273,6 +274,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
@@ -527,9 +529,8 @@ allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
+allowPrivilegeEscalation: false
 allowPrivilegedContainer: false
-allowedCapabilities:
-- NET_BIND_SERVICE
 apiVersion: security.openshift.io/v1
 fsGroup:
   ranges:
diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -254,6 +255,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -254,6 +255,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller
diff --git a/docs/developer/quickstart.md b/docs/developer/quickstart.md
@@ -201,7 +201,7 @@ This will build the docker images `nginx-gateway-fabric:<your-user>` and `nginx-
      If the only change is the image repository and tag, you can update the `kustomization.yaml` file in `deploy/` with the desired values and deployment mainifest and run the following commands:
 
      ```shell
-      kubectl apply -f deploy/crds.yaml
+      kubectl apply --server-side -f deploy/crds.yaml
       kubectl kustomize deploy | kubectl apply -f -
      ```
 
diff --git a/internal/controller/nginx/modules/package-lock.json b/internal/controller/nginx/modules/package-lock.json
diff --git a/internal/controller/nginx/types/types.go b/internal/controller/nginx/types/types.go
diff --git a/internal/controller/provisioner/objects.go b/internal/controller/provisioner/objects.go
diff --git a/internal/controller/state/dataplane/configuration.go b/internal/controller/state/dataplane/configuration.go
diff --git a/internal/controller/state/dataplane/configuration_test.go b/internal/controller/state/dataplane/configuration_test.go
diff --git a/internal/controller/state/graph/gateway.go b/internal/controller/state/graph/gateway.go
diff --git a/internal/controller/state/graph/gateway_test.go b/internal/controller/state/graph/gateway_test.go
diff --git a/internal/framework/types/types.go b/internal/framework/types/types.go
