Merge branch 'main' into docs/proposals/observability-policy

.github/workflows/build.yml

@@ -152,7 +152,7 @@ jobs:
           fail-build: false
 
       - name: Upload scan result to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         continue-on-error: true
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/ci.yml

@@ -73,7 +73,7 @@ jobs:
         run: make unit-test
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@c16abc29c95fcf9174b58eb7e1abf4c866893bc8 # v4.1.1
+        uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
@@ -101,7 +101,7 @@ jobs:
         run: npm --prefix ${{ github.workspace }}/internal/mode/static/nginx/modules install-ci-test
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@c16abc29c95fcf9174b58eb7e1abf4c866893bc8 # v4.1.1
+        uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 

.github/workflows/codeql-analysis.yml

@@ -44,7 +44,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -63,7 +63,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/autobuild@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -76,6 +76,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/scorecards.yml

@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
         with:
           sarif_file: results.sarif

.yamllint.yaml

@@ -5,7 +5,7 @@ yaml-files:
 
 ignore:
   - deploy/helm-chart/templates/
-  - deploy/helm-chart/crds/
+  - config/crd/bases/
   - .github/workflows/
 
 rules:
@@ -30,7 +30,6 @@ rules:
     check-multi-line-strings: true
     ignore: |
       deploy/manifests/nginx-gateway.yaml
-      deploy/manifests/crds
   key-duplicates: enable
   key-ordering: disable
   line-length:
@@ -40,7 +39,6 @@ rules:
     ignore: |
       .github/
       deploy/manifests/nginx-gateway.yaml
-      deploy/manifests/crds
       tests/suite/manifests/longevity/cronjob.yaml
       .goreleaser.yml
   new-line-at-end-of-file: enable

Makefile

@@ -100,12 +100,10 @@ generate: ## Run go generate
 
 .PHONY: generate-crds
 generate-crds: ## Generate CRDs and Go types using kubebuilder
-	go run sigs.k8s.io/controller-tools/cmd/controller-gen crd paths=./apis/... output:crd:dir=deploy/helm-chart/crds
-	go run sigs.k8s.io/controller-tools/cmd/controller-gen object paths=./apis/...
+	go run sigs.k8s.io/controller-tools/cmd/controller-gen crd object paths=./apis/... output:crd:artifacts:config=config/crd/bases
 
 .PHONY: generate-manifests
 generate-manifests: ## Generate manifests using Helm.
-	cp $(CHART_DIR)/crds/* $(MANIFEST_DIR)/crds/
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-gateway.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginx.plus=true --set nginx.image.repository=$(NGINX_PLUS_PREFIX) -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-plus-gateway.yaml
 	helm template nginx-gateway $(CHART_DIR) $(HELM_TEMPLATE_COMMON_ARGS) $(HELM_TEMPLATE_EXTRA_ARGS_FOR_ALL_MANIFESTS_FILE) --set nginxGateway.gwAPIExperimentalFeatures.enable=true -n nginx-gateway | cat $(strip $(MANIFEST_DIR))/namespace.yaml - > $(strip $(MANIFEST_DIR))/nginx-gateway-experimental.yaml

apis/v1alpha1/clientsettingspolicy_types.go

@@ -0,0 +1,129 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2"
+)
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:categories=nginx-gateway-fabric,shortName=cspolicy
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
+// +kubebuilder:metadata:labels="gateway.networking.k8s.io/policy=inherited"
+
+// ClientSettingsPolicy is an Inherited Attached Policy. It provides a way to configure the behavior of the connection
+// between the client and NGINX Gateway Fabric.
+type ClientSettingsPolicy struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// Spec defines the desired state of the ClientSettingsPolicy.
+	Spec ClientSettingsPolicySpec `json:"spec"`
+
+	// Status defines the state of the ClientSettingsPolicy.
+	Status gatewayv1alpha2.PolicyStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClientSettingsPolicyList contains a list of ClientSettingsPolicies.
+type ClientSettingsPolicyList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClientSettingsPolicy `json:"items"`
+}
+
+// ClientSettingsPolicySpec defines the desired state of ClientSettingsPolicy.
+type ClientSettingsPolicySpec struct {
+	// TargetRef identifies an API object to apply the policy to.
+	// Object must be in the same namespace as the policy.
+	//
+	// Support: Gateway, HTTPRoute
+	TargetRef gatewayv1alpha2.PolicyTargetReference `json:"targetRef"`
+
+	// Body defines the client request body settings.
+	//
+	// +optional
+	Body *ClientBody `json:"body,omitempty"`
+
+	// KeepAlive defines the keep-alive settings.
+	//
+	// +optional
+	KeepAlive *ClientKeepAlive `json:"keepAlive,omitempty"`
+}
+
+// ClientBody contains the settings for the client request body.
+type ClientBody struct {
+	// MaxSize sets the maximum allowed size of the client request body.
+	// If the size in a request exceeds the configured value,
+	// the 413 (Request Entity Too Large) error is returned to the client.
+	// Setting size to 0 disables checking of client request body size.
+	// Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size.
+	//
+	// +optional
+	MaxSize *Size `json:"maxSize,omitempty"`
+
+	// Timeout defines a timeout for reading client request body. The timeout is set only for a period between
+	// two successive read operations, not for the transmission of the whole request body.
+	// If a client does not transmit anything within this time, the request is terminated with the
+	// 408 (Request Time-out) error.
+	// Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_timeout.
+	//
+	// +optional
+	Timeout *Duration `json:"timeout,omitempty"`
+}
+
+// ClientKeepAlive defines the keep-alive settings for clients.
+type ClientKeepAlive struct {
+	// Requests sets the maximum number of requests that can be served through one keep-alive connection.
+	// After the maximum number of requests are made, the connection is closed. Closing connections periodically
+	// is necessary to free per-connection memory allocations. Therefore, using too high maximum number of requests
+	// is not recommended as it can lead to excessive memory usage.
+	// Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests.
+	//
+	// +optional
+	// +kubebuilder:validation:Minimum=0
+	Requests *int32 `json:"requests,omitempty"`
+
+	// Time defines the maximum time during which requests can be processed through one keep-alive connection.
+	// After this time is reached, the connection is closed following the subsequent request processing.
+	// Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_time.
+	//
+	// +optional
+	Time *Duration `json:"time,omitempty"`
+
+	// Timeout defines the keep-alive timeouts for clients.
+	//
+	// +optional
+	Timeout *ClientKeepAliveTimeout `json:"timeout,omitempty"`
+}
+
+// ClientKeepAliveTimeout defines the timeouts related to keep-alive client connections.
+// Default: Default: https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout.
+type ClientKeepAliveTimeout struct {
+	// Server sets the timeout during which a keep-alive client connection will stay open on the server side.
+	// Setting this value to 0 disables keep-alive client connections.
+	//
+	// +optional
+	Server *Duration `json:"server,omitempty"`
+
+	// Header sets the timeout in the "Keep-Alive: timeout=time" response header field.
+	//
+	// +optional
+	Header *Duration `json:"header,omitempty"`
+}
+
+// Duration is a string value representing a duration in time.
+// Duration can be specified in milliseconds (ms) or seconds (s) A value without a suffix is seconds.
+// Examples: 120s, 50ms.
+//
+// +kubebuilder:validation:Pattern=`^\d{1,4}(ms|s)?$`
+type Duration string
+
+// Size is a string value representing a size. Size can be specified in bytes, kilobytes (k), megabytes (m),
+// or gigabytes (g).
+// Examples: 1024, 8k, 1m.
+//
+// +kubebuilder:validation:Pattern=`^\d{1,4}(k|m|g)?$`
+type Size string

apis/v1alpha1/nginxgateway_types.go

@@ -5,6 +5,8 @@ import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
+// +kubebuilder:resource:categories=nginx-gateway-fabric
+// +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp`
 
 // NginxGateway represents the dynamic configuration for an NGINX Gateway Fabric control plane.
 type NginxGateway struct {

apis/v1alpha1/register.go

@@ -34,6 +34,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&NginxGateway{},
 		&NginxGatewayList{},
+		&ClientSettingsPolicy{},
+		&ClientSettingsPolicyList{},
 	)
 	// AddToGroupVersion allows the serialization of client types like ListOptions.
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)