Merge branch 'release-3.6' into cherry-pick-release-3.6-6a7bcd08c69b8…

…ba95f741df1e49601148e5a89c3

docs/content/configuration/policy-resource.md

@@ -155,8 +155,6 @@ If the hashed keys match, the NGINX JavaScript (NJS) subrequest issues a 204 No
 
 It is possible to use the [errorPages](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#errorpage) property on a route, to change the default behaviour of 401 or 403 errors.
 
-An API Key policy can be disabled on a route by adding the [location snippet](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#using-snippets) `auth_request off;`
-
 At least one header or query param is required.
 
 The policy below configures NGINX Ingress Controller to require the API Key `password` in the header "my-header".

docs/content/usage-reporting.md

@@ -117,6 +117,10 @@ Download and save the deployment file [cluster-connector.yaml](https://raw.githu
 - `-nms-server-address` should be the address of the Usage Reporting API, which will be the combination of NGINX Management Suite server hostname and the URI `api/platform/v1`
 - `nms-basic-auth-secret` should be the namespace/name of the secret created in step 3: `nginx-cluster-connector/nms-basic-auth`.
 
+{{< note >}}  OpenShift requires a SecurityContextConstraints object for NGINX Cluster Connector. 
+
+It can be created with the command `oc create -f scc.yaml`, using the file found in `shared-examples/` {{< /note >}}
+
 For more information, read the [Command-line arguments](#command-line-arguments) section of this page.
 
 ---

examples/custom-resources/api-key/README.md

@@ -6,8 +6,7 @@ a web application, configure load balancing for it via a VirtualServer, and appl
 
 ## Prerequisites
 
-1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/)
-   instructions to deploy the Ingress Controller. In this example we will be using a snippet to turn the policy off on a specific path so ensure that the `enable-snippets` flag is set.
+1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller.
 1. Save the public IP address of the Ingress Controller into a shell variable:
 
     ```console
@@ -105,18 +104,4 @@ URI: /coffee
 Request ID: 4feedb3265a0430a1f58831d016e846d
 ```
 
-If you attempt to access the /tea path, the request will be allowed without an API Key, because the auth_request directive is turned off for that path with a location snippet:
-
-```console
-curl -k --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea
-```
-
-```text
-Server address: 10.244.0.5:8080
-Server name: tea-596697966f-dmq7t
-Date: 13/Jun/2024:13:16:46 +0000
-URI: /tea
-Request ID: 26e6d7dd0272eca82f31f33bf90698c9
-```
-
 Additionally you can set [error pages](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#errorpage) to handle the 401 and 403 responses.

examples/custom-resources/api-key/cafe-virtual-server.yaml

@@ -12,15 +12,7 @@ spec:
   - name: coffee
     service: coffee-svc
     port: 80
-  - name: tea
-    service: tea-svc
-    port: 80
   routes:
   - path: /coffee
     action:
       pass: coffee
-  - path: /tea
-    location-snippets: |
-      auth_request off;
-    action:
-      pass: tea

examples/custom-resources/api-key/cafe.yaml

@@ -30,36 +30,3 @@ spec:
     name: http
   selector:
     app: coffee
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tea
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: tea
-  template:
-    metadata:
-      labels:
-        app: tea
-    spec:
-      containers:
-      - name: tea
-        image: nginxdemos/nginx-hello:plain-text
-        ports:
-        - containerPort: 8080
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: tea-svc
-spec:
-  ports:
-  - port: 80
-    targetPort: 8080
-    protocol: TCP
-    name: http
-  selector:
-    app: tea

examples/shared-examples/usage-reporting/cluster-connector.yaml

@@ -14,65 +14,76 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: nginx-cluster-connector
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
-      - list
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
-      - get
-      - list
-      - watch
-      - update
-      - create
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - list
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - create
+- apiGroups:
+  - security.openshift.io
+  verbs:
+  - create
+  - delete
+  - get
+  - use
+  resources:
+  - securitycontextconstraints
+  resourceNames:
+  - nginx-cluster-connector
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: nginx-cluster-connector
 subjects:
-  - kind: ServiceAccount
-    name: nginx-cluster-connector
-    namespace: nginx-cluster-connector
+- kind: ServiceAccount
+  name: nginx-cluster-connector
+  namespace: nginx-cluster-connector
 roleRef:
   kind: ClusterRole
   name: nginx-cluster-connector
@@ -95,8 +106,11 @@ spec:
     spec:
       serviceAccountName: nginx-cluster-connector
       automountServiceAccountToken: true
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
-        - image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.1.0
+        - image: docker-registry.nginx.com/cluster-connector/cluster-connector:0.2.0
           imagePullPolicy: IfNotPresent
           name: nginx-cluster-connector
           resources:
@@ -107,6 +121,7 @@ spec:
             #  cpu: "1"
             #  memory: "1Gi"
           securityContext:
+            allowPrivilegeEscalation: false
             runAsUser: 101 #nginx
             runAsNonRoot: true
             capabilities:

examples/shared-examples/usage-reporting/scc.yaml

@@ -0,0 +1,30 @@
+kind: SecurityContextConstraints
+apiVersion: security.openshift.io/v1
+metadata:
+  name: nginx-cluster-connector
+allowPrivilegedContainer: false
+runAsUser:
+  type: MustRunAs
+  uid: 101
+seLinuxContext:
+  type: MustRunAs
+fsGroup:
+  type: MustRunAs
+supplementalGroups:
+  type: MustRunAs
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+readOnlyRootFilesystem: false
+seccompProfiles:
+- runtime/default
+volumes:
+ - secret
+requiredDropCapabilities:
+ - ALL
+users:
+ - 'system:serviceaccount:*:nginx-cluster-connector'
+allowedCapabilities:
+  - NET_BIND_SERVICE