Merge branch 'main' of github.com:nginx/nginx-gateway-fabric into feat/hostPort

Author: Gasoid

.github/CHANGELOG_TEMPLATE.md

@@ -32,6 +32,7 @@ COMPATIBILITY:
 - Gateway API version: ``
 - NGINX version: ``
 - NGINX Plus version: ``
+- NGINX Agent version: ``
 - Kubernetes version: ``
 
 CONTAINER IMAGES:

.github/workflows/build.yml

@@ -171,7 +171,7 @@ jobs:
           fail-build: false
 
       - name: Upload scan result to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         continue-on-error: true
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

.github/workflows/ci.yml

@@ -149,7 +149,7 @@ jobs:
             .github/.cache/buster-for-binary
 
       - name: Create/Update Draft
-        uses: lucacome/draft-release@f15262dc3ac8c3efbf09a8ce5406cd0fc47aabb1 # v1.2.2
+        uses: lucacome/draft-release@38def8b74645796e9743b53e0f187d4a8915ea3e # v1.2.3
         with:
           minor-label: "enhancement"
           major-label: "change"

.github/workflows/codeql-analysis.yml

@@ -26,6 +26,6 @@ jobs:
       actions: read # for github/codeql-action/init to get workflow details
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/autobuild to send a status report
-    uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@c903bfe6c668eaba362cde6a7882278bc1564401 # v0.1
+    uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@a27656f8f9a8748085b434ebe007f5b572709aad # v0.2
     with:
-      requested_languages: go,javascript-typescript
+      requested_languages: go,javascript-typescript,actions

.github/workflows/lint.yml

@@ -114,7 +114,7 @@ jobs:
       - name: Set up chart-testing
         uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
-          version: 3.12.0 # renovate: datasource=github-tags depName=helm/chart-testing
+          version: 3.13.0 # renovate: datasource=github-tags depName=helm/chart-testing
 
       - name: Run chart-testing
         run: ct lint --print-config --config .ct.yaml

.github/workflows/mend.yml

@@ -31,8 +31,8 @@ permissions:
 
 jobs:
   mend:
-    if: ${{ github.event.repository.fork == false }}
-    uses: nginxinc/compliance-rules/.github/workflows/mend.yml@c903bfe6c668eaba362cde6a7882278bc1564401 # v0.1
+    if: ${{ (github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false) || (github.event_name == 'push' && github.event.repository.fork == false) }}
+    uses: nginxinc/compliance-rules/.github/workflows/mend.yml@a27656f8f9a8748085b434ebe007f5b572709aad # v0.2
     secrets: inherit
     with:
       product_name: nginx-gateway-fabric_${{ github.ref_name }}

.github/workflows/release-pr.yml

@@ -35,7 +35,7 @@ jobs:
 
       - name: Get Release Notes
         id: notes
-        uses: lucacome/draft-release@f15262dc3ac8c3efbf09a8ce5406cd0fc47aabb1 # v1.2.2
+        uses: lucacome/draft-release@38def8b74645796e9743b53e0f187d4a8915ea3e # v1.2.3
         with:
           config-path: .github/release-notes.yml
           dry-run: true

.github/workflows/scorecards.yml

@@ -34,7 +34,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
         with:
           results_file: results.sarif
           results_format: sarif
@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
         with:
           sarif_file: results.sarif

.pre-commit-config.yaml

@@ -27,7 +27,7 @@ repos:
         exclude: (^examples/|^docs/|.*_test.go$)
 
   - repo: https://github.com/gitleaks/gitleaks
-    rev: v8.26.0
+    rev: v8.27.2
     hooks:
       - id: gitleaks
 

CHANGELOG.md

@@ -4,6 +4,76 @@ This document includes a curated changelog for each release. We also publish a c
 a [GitHub release](https://github.com/nginx/nginx-gateway-fabric/releases), which, by contrast, is auto-generated
 and includes links to all PRs that went into the release.
 
+## Release 2.0.0
+
+_June 5, 2025_
+
+BREAKING CHANGES:
+
+[How to upgrade to 2.0.0](https://docs.nginx.com/nginx-gateway-fabric/install/upgrade-version/#upgrade-from-v1x-to-v2x).
+
+The following changes are breaking and require users to fully uninstall NGINX Gateway Fabric (including NGINX Gateway Fabric CRDs) before re-installing the new version. Gateway API resources (such as Gateway, HTTPRoute, etc) are unaffected and can be left alone. [3318](https://github.com/nginx/nginx-gateway-fabric/pull/3318)
+
+- Control plane and data plane have been separated into different Deployments. The control plane will provision an NGINX data plane Deployment and Service when a Gateway object is created.
+- NginxProxy CRD resource is now namespace-scoped (was cluster-scoped).
+- NginxProxy resource controls infrastructure fields for the NGINX Deployment and Service, such as replicas, loadBalancerIP, serviceType, etc. Users who want to set or update these fields must do so either at installation time through the helm chart (which sets them globally), or per Gateway. Updating these fields directly on a provisioned nginx Deployment or Service will not take effect. This does not apply to the the NGINX Gateway Fabric control plane Deployment.
+- Helm values structure has changed slightly to better support the separate Deployments.
+- `nginxGateway.replicaCount` Helm value has been renamed to `nginxGateway.replicas`.
+
+FEATURES:
+
+- Support for creating and deploying multiple Gateways. [3318](https://github.com/nginx/nginx-gateway-fabric/pull/3318)
+- NginxProxy resource can now additionally be attached to a Gateway, and will overwrite any settings that are attached at the GatewayClass level, for the Gateway that it's attached to. [3318](https://github.com/nginx/nginx-gateway-fabric/pull/3318)
+- Listener isolation supported for all routes. [3067](https://github.com/nginx/nginx-gateway-fabric/pull/3067)
+- Allow configuration of NGINX Plus API access. [3066](https://github.com/nginx/nginx-gateway-fabric/pull/3066)
+- Adds regex matching for headers and query params for HTTPRoutes and headers for GRPCRoutes. [3093](https://github.com/nginx/nginx-gateway-fabric/pull/3093)
+- Add support for request mirroring using the RequestMirror filter. [3066](https://github.com/nginx/nginx-gateway-fabric/pull/3306)
+- Adds support for Secrets to be used in BackendTLSPolicy for TLS certificates and CA certificates. [3084](https://github.com/nginx/nginx-gateway-fabric/pull/3084). Thanks to [porthorian](https://github.com/porthorian).
+
+BUG FIXES:
+
+- Fix an issue where default headers were still being set when overwritten by a user. [3249](https://github.com/nginx/nginx-gateway-fabric/pull/3249)
+- Add 503 status code when there are zero upstream endpoints. [3406](https://github.com/nginx/nginx-gateway-fabric/pull/3406)
+- Fixed bug that occurred when a route's ParentRef does not include a sectionName and the Gateway's listeners have duplicate hostnames. This would cause conflicts when the route tries to attach to all the listeners and falsely trigger validation checks around overlapping routes. [3418](https://github.com/nginx/nginx-gateway-fabric/pull/3418)
+
+DOCUMENTATION:
+
+- Migrated the documentation website into the [NGINX documentation repository](https://github.com/nginx/documentation). [3047](https://github.com/nginx/nginx-gateway-fabric/pull/3047)
+
+HELM CHART:
+
+- The version of the Helm chart is now 2.0.0
+- Helm values structure has changed slightly to better support the separate Deployments.
+- `nginxGateway.replicaCount` Helm value has been renamed to `nginxGateway.replicas`.
+- Add support for control plane Deployment labels. [3194](https://github.com/nginx/nginx-gateway-fabric/pull/3194). Thanks to [Butterneck](https://github.com/Butterneck).
+
+UPGRADE:
+
+- [Upgrade to 2.0.0](https://docs.nginx.com/nginx-gateway-fabric/install/upgrade-version/#upgrade-from-v1x-to-v2x)
+
+KNOWN ISSUES:
+
+- NGINX LoadBalancer Service IPFamily uses Kubernetes default (likely SingleStack IPv4) instead of matching the ipFamily set in the NginxProxy resource, which defaults to DualStack. [3473](https://github.com/nginx/nginx-gateway-fabric/issues/3473)
+
+DEPENDENCIES:
+
+- NGINX Plus was updated to R34. [3281](https://github.com/nginx/nginx-gateway-fabric/pull/3281)
+- Update to v1.3.0 of the Gateway API. [3348](https://github.com/nginx/nginx-gateway-fabric/pull/3348)
+
+COMPATIBILITY:
+
+- Gateway API version: `1.3.0`
+- NGINX version: `1.28.0`
+- NGINX Plus version: `R34`
+- NGINX Agent version: `v3.0.0`
+- Kubernetes version: `1.25+`
+
+CONTAINER IMAGES:
+
+- Control plane: `ghcr.io/nginx/nginx-gateway-fabric:2.0.0`
+- Data plane: `ghcr.io/nginx/nginx-gateway-fabric/nginx:2.0.0`
+- Data plane with NGINX Plus: `private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:2.0.0`
+
 ## Release 1.6.2
 
 _March 11, 2025_

CONTRIBUTING.md

@@ -32,7 +32,7 @@ Reserve GitHub issues for feature requests and bugs rather than general question
 
 ## Getting Started
 
-Follow our [Installation Instructions](https://docs.nginx.com/nginx-gateway-fabric/installation/) to get the NGINX Gateway Fabric up and running.
+Follow our [Installation Instructions](https://docs.nginx.com/nginx-gateway-fabric/install/) to get the NGINX Gateway Fabric up and running.
 
 ### Project Structure
 

Makefile

@@ -35,7 +35,7 @@ CONTROLLER_TOOLS_VERSION = v0.18.0
 # renovate: datasource=docker depName=node
 NODE_VERSION = 22
 # renovate: datasource=docker depName=quay.io/helmpack/chart-testing
-CHART_TESTING_VERSION = v3.12.0
+CHART_TESTING_VERSION = v3.13.0
 # renovate: datasource=github-tags depName=dadav/helm-schema
 HELM_SCHEMA_VERSION = 0.18.1
 

README.md

@@ -20,12 +20,14 @@ the [Gateway API Compatibility](https://docs.nginx.com/nginx-gateway-fabric/over
 
 Learn about our [design principles](/docs/developer/design-principles.md) and [architecture](https://docs.nginx.com/nginx-gateway-fabric/overview/gateway-architecture/).
 
+NGINX Gateway Fabric uses [NGINX Agent](https://github.com/nginx/agent) to configure NGINX.
+
 ## Getting Started
 
 1. [Get started using a kind cluster](https://docs.nginx.com/nginx-gateway-fabric/get-started/).
-2. [Install](https://docs.nginx.com/nginx-gateway-fabric/installation/) NGINX Gateway Fabric.
+2. [Install](https://docs.nginx.com/nginx-gateway-fabric/install/) NGINX Gateway Fabric.
 3. Deploy various [examples](examples).
-4. Read our [How-to guides](https://docs.nginx.com/nginx-gateway-fabric/how-to/).
+4. Follow instructions for common use cases such as [routing](https://docs.nginx.com/nginx-gateway-fabric/traffic-management/) and [securing](https://docs.nginx.com/nginx-gateway-fabric/traffic-security/) traffic, or [monitoring](https://docs.nginx.com/nginx-gateway-fabric//monitoring/) your cluster.
 
 You can find the comprehensive NGINX Gateway Fabric user documentation on the [NGINX Documentation](https://docs.nginx.com/nginx-gateway-fabric/) website.
 
@@ -34,7 +36,7 @@ You can find the comprehensive NGINX Gateway Fabric user documentation on the [N
 We publish NGINX Gateway Fabric releases on GitHub. See
 our [releases page](https://github.com/nginx/nginx-gateway-fabric/releases).
 
-The latest release is [1.6.2](https://github.com/nginx/nginx-gateway-fabric/releases/tag/v1.6.2).
+The latest release is [2.0.0](https://github.com/nginx/nginx-gateway-fabric/releases/tag/v2.0.0).
 
 The edge version is useful for experimenting with new features that are not yet published in a release. To use, choose
 the _edge_ version built from the [latest commit](https://github.com/nginx/nginx-gateway-fabric/commits/main)
@@ -45,7 +47,7 @@ to the correct versions:
 
 | Version        | Description                              | Installation Manifests                                                         | Documentation and Examples                                                                                                                                           |
 |----------------|------------------------------------------|--------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Latest release | For production use                       | [Manifests](https://github.com/nginx/nginx-gateway-fabric/tree/v1.6.2/deploy). | [Documentation](https://docs.nginx.com/nginx-gateway-fabric). [Examples](https://github.com/nginx/nginx-gateway-fabric/tree/v1.6.2/examples).                        |
+| Latest release | For production use                       | [Manifests](https://github.com/nginx/nginx-gateway-fabric/tree/v2.0.0/deploy). | [Documentation](https://docs.nginx.com/nginx-gateway-fabric). [Examples](https://github.com/nginx/nginx-gateway-fabric/tree/v2.0.0/examples).                        |
 | Edge           | For experimental use and latest features | [Manifests](https://github.com/nginx/nginx-gateway-fabric/tree/main/deploy).   | [Examples](https://github.com/nginx/nginx-gateway-fabric/tree/main/examples). |
 
 ### Versioning
@@ -64,19 +66,20 @@ the [Issue Lifecycle](ISSUE_LIFECYCLE.md) document for information on issue crea
 
 The following table lists the software versions NGINX Gateway Fabric supports.
 
-| NGINX Gateway Fabric | Gateway API | Kubernetes | NGINX OSS | NGINX Plus |
-|----------------------|-------------|------------|-----------|------------|
-| Edge                 | 1.3.0       | 1.25+      | 1.28.0    | R34        |
-| 1.6.2                | 1.2.1       | 1.25+      | 1.27.4    | R33        |
-| 1.6.1                | 1.2.1       | 1.25+      | 1.27.4    | R33        |
-| 1.6.0                | 1.2.1       | 1.25+      | 1.27.3    | R33        |
-| 1.5.1                | 1.2.0       | 1.25+      | 1.27.2    | R33        |
-| 1.5.0                | 1.2.0       | 1.25+      | 1.27.2    | R33        |
-| 1.4.0                | 1.1.0       | 1.25+      | 1.27.1    | R32        |
-| 1.3.0                | 1.1.0       | 1.25+      | 1.27.0    | R32        |
-| 1.2.0                | 1.0.0       | 1.23+      | 1.25.4    | R31        |
-| 1.1.0                | 1.0.0       | 1.23+      | 1.25.3    | n/a        |
-| 1.0.0                | 0.8.1       | 1.23+      | 1.25.2    | n/a        |
+| NGINX Gateway Fabric | Gateway API | Kubernetes | NGINX OSS | NGINX Plus | NGINX Agent |
+|----------------------|-------------|------------|-----------|------------|-------------|
+| Edge                 | 1.3.0       | 1.25+      | 1.28.0    | R34        | v3.0.0      |
+| 2.0.0                | 1.3.0       | 1.25+      | 1.28.0    | R34        | v3.0.0      |
+| 1.6.2                | 1.2.1       | 1.25+      | 1.27.4    | R33        | ---         |
+| 1.6.1                | 1.2.1       | 1.25+      | 1.27.4    | R33        | ---         |
+| 1.6.0                | 1.2.1       | 1.25+      | 1.27.3    | R33        | ---         |
+| 1.5.1                | 1.2.0       | 1.25+      | 1.27.2    | R33        | ---         |
+| 1.5.0                | 1.2.0       | 1.25+      | 1.27.2    | R33        | ---         |
+| 1.4.0                | 1.1.0       | 1.25+      | 1.27.1    | R32        | ---         |
+| 1.3.0                | 1.1.0       | 1.25+      | 1.27.0    | R32        | ---         |
+| 1.2.0                | 1.0.0       | 1.23+      | 1.25.4    | R31        | ---         |
+| 1.1.0                | 1.0.0       | 1.23+      | 1.25.3    | n/a        | ---         |
+| 1.0.0                | 0.8.1       | 1.23+      | 1.25.2    | n/a        | ---         |
 
 ## SBOM (Software Bill of Materials)
 
@@ -103,7 +106,7 @@ docker buildx imagetools inspect ghcr.io/nginx/nginx-gateway-fabric:edge --forma
 
 ## Troubleshooting
 
-For troubleshooting help, see the [Troubleshooting](https://docs.nginx.com/nginx-gateway-fabric/how-to/monitoring/troubleshooting/) document.
+For troubleshooting help, see the [Troubleshooting](https://docs.nginx.com/nginx-gateway-fabric/troubleshooting/) document.
 
 ## Contacts
 
@@ -133,4 +136,4 @@ Please read our [Contributing guide](CONTRIBUTING.md) if you'd like to contribut
 
 If your team needs dedicated support for NGINX Gateway Fabric in your environment, or you would like to leverage our [advanced NGINX Plus features](https://docs.nginx.com/nginx-gateway-fabric/overview/nginx-plus/), you can reach out [here](https://www.f5.com/content/f5-com/en_us/products/get-f5).
 
-To try NGINX Gateway Fabric with NGINX Plus, you can start your free [30-day trial](https://www.f5.com/trials), then follow the [installation guide](https://docs.nginx.com/nginx-gateway-fabric/installation/installing-ngf/helm/) for installing with NGINX Plus.
+To try NGINX Gateway Fabric with NGINX Plus, you can start your free [30-day trial](https://www.f5.com/trials), then follow the [installation guide](https://docs.nginx.com/nginx-gateway-fabric/install/helm/) for installing with NGINX Plus.

build/Dockerfile.nginx

@@ -1,39 +1,33 @@
 # syntax=docker/dockerfile:1.16
-# TODO(sberman): the commented out lines are for when we use the published agent release
-# FROM scratch AS nginx-files
+FROM scratch AS nginx-files
 
-# # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 <local_file> <container_file>
-# ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
-
-FROM golang:alpine AS builder
-
-WORKDIR /tmp
-
-RUN apk add --no-cache git make \
-    && git clone https://github.com/nginx/agent.git \
-    && cd agent \
-    && git checkout 3dad26582af6c17e013302d08a4f1ed5d5504296 \
-    && make build
+# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 <local_file> <container_file>
+ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
 
 FROM nginx:1.28.0-alpine-otel
 
+# renovate: datasource=github-tags depName=nginx/agent extractVersion=^v?(?<version>.*)$
+ARG NGINX_AGENT_VERSION=3.0.0
 ARG NJS_DIR
 ARG NGINX_CONF_DIR
 ARG BUILD_AGENT
 
-# RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
-#     printf "%s\n" "http://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
-#     && apk add --no-cache nginx-agent
+RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
+    printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+    && apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION}
 
 RUN apk add --no-cache libcap bash \
     && mkdir -p /usr/lib/nginx/modules \
     && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
     && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
     && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
     && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
-    && apk del libcap
-
-COPY --from=builder /tmp/agent/build/nginx-agent /usr/bin/nginx-agent
+    # Update packages for CVE-2025-32414 and CVE-2025-32415
+    && apk --no-cache upgrade libxml2 \
+    && apk del libcap \
+    # forward request and error logs to docker log collector
+    && ln -sf /dev/stdout /var/log/nginx/access.log \
+    && ln -sf /dev/stderr /var/log/nginx/error.log
 
 COPY build/entrypoint.sh /agent/entrypoint.sh
 COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js