search

nginxinc / kubernetes-ingress

NGINX and NGINX Plus Ingress Controllers for Kubernetes
https://docs.nginx.com/nginx-ingress-controller
Apache License 2.0
4.62k stars 1.96k forks source link

Pin NAP WAF module #6000

Open oseoin opened 1 month ago

oseoin commented 1 month ago

New versions of the NAP module will potentially not be compatible with the pinned versions of enforcer/manager/compiler so we should pin to avoid incompatibilities when we are released images.

### UACs
- [x] Pin module version to match `waf-enforcer` and `waf-config-mgr` versions
- [x] Update documentation to make clear the need to re-complie bundles after each release
- [x] Add option to Dockerfile to set AppProtect version to stay consistent with `waf-enforcer` and `waf-config-mgr` versions
- [ ] https://github.com/nginxinc/kubernetes-ingress/issues/6221
github-actions[bot] commented 1 month ago

Hi @oseoin thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this :slightly_smiling_face:

Cheers!

danielnginx commented 1 month ago

Could we add the versions from WAF and DOS to the technical specifications?

vepatel commented 3 weeks ago 
 ~/nginx/kubernetes-ingress/charts/nginx-ingress on release-3.6 λ kubectl exec it test-release-nginx-ingress-controller-84899d55cd-wwcn4 -- bash

Defaulted container "nginx-ingress" out of: nginx-ingress, waf-enforcer, waf-config-mgr
nginx@test-release-nginx-ingress-controller-84899d55cd-wwcn4:/$ cat /opt/app_protect/RELEASE 
5.2.0
nginx@test-release-nginx-ingress-controller-84899d55cd-wwcn4:/$ cat /opt/app_protect/VERSION 
5.48.0
~/nginx/kubernetes-ingress/charts/nginx-ingress on release-3.6 λ kubectl logs test-release-nginx-ingress-controller-84899d55cd-wwcn4 
Defaulted container "nginx-ingress" out of: nginx-ingress, waf-enforcer, waf-config-mgr
NGINX Ingress Controller Version=debian-v5-3.6 Commit=b4467a97392290c686d72e419e9cb5032427e81f Date=2024-08-13T13:35:13Z DirtyState=true Arch=linux/amd64 Go=go1.22.5
I0813 14:10:34.435099       1 flags.go:321] Starting with flags: ["-nginx-plus=true" "-nginx-reload-timeout=60000" "-enable-app-protect=true" "-app-protect-enforcer-address=\"127.0.0.1:50000\"" "-enable-app-protect-dos=false" "-nginx-configmaps=default/test-release-nginx-ingress" "-ingress-class=nginx" "-health-status=false" "-health-status-uri=/nginx-health" "-nginx-debug=false" "-v=1" "-nginx-status=true" "-nginx-status-port=8080" "-nginx-status-allow-cidrs=127.0.0.1" "-report-ingress-status" "-external-service=test-release-nginx-ingress-controller" "-enable-leader-election=true" "-leader-election-lock-name=nginx-ingress-leader" "-enable-prometheus-metrics=true" "-prometheus-metrics-listen-port=9113" "-prometheus-tls-secret=" "-enable-service-insight=false" "-service-insight-listen-port=9114" "-service-insight-tls-secret=" "-enable-custom-resources=true" "-enable-snippets=false" "-include-year=false" "-disable-ipv6=false" "-enable-tls-passthrough=false" "-enable-cert-manager=false" "-enable-oidc=false" "-enable-external-dns=false" "-default-http-listener-port=80" "-default-https-listener-port=443" "-ready-status=true" "-ready-status-port=8081" "-enable-latency-metrics=false" "-ssl-dynamic-reload=true" "-enable-telemetry-reporting=true" "-weight-changes-dynamic-reload=false"]
I0813 14:10:34.446853       1 main.go:294] Kubernetes version: 1.29.6
I0813 14:10:34.457733       1 main.go:439] Using nginx version: nginx/1.25.5 (nginx-plus-r32)
I0813 14:10:34.457943       1 main.go:455] Using AppProtect Version 5.2.0
I0813 14:10:34.506612       1 main.go:863] Pod label updated: test-release-nginx-ingress-controller-84899d55cd-wwcn4
2024/08/13 14:10:34 [notice] 11#11: using the "epoll" event method
2024/08/13 14:10:34 [notice] 11#11: OpenSSL FIPS Mode is not enabled
2024/08/13 14:10:34 [notice] 11#11: nginx/1.25.5 (nginx-plus-r32)