Merge branch 'master' into deps/update-kind-version

docs/_vendor/modules.txt

@@ -1,2 +1,2 @@
-# gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.3
+# gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.7
 # github.com/jquery/jquery-dist v0.0.0-20210302171154-e786e3d9707f

docs/content/configuration/policy-resource.md

@@ -357,8 +357,6 @@ For `kubectl get` and similar commands, you can also use the short name `pol` in
 
 ### WAF
 
-> **Feature Status**: WAF is available as a preview feature[^1]: We might introduce some backward-incompatible changes to the resource definition. The feature is disabled by default. To enable it, set the [enable-preview-policies](/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-preview-policies) command-line argument of the Ingress Controller.
-
 > Note: This feature is only available in NGINX Plus with AppProtect.
 
 The WAF policy configures NGINX Plus to secure client requests using App Protect policies.

docs/go.mod

@@ -2,4 +2,4 @@ module github.com/nginxinc/kubernetes-ingress/docs
 
 go 1.15
 
-require gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.3 // indirect
+require gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.7 // indirect

docs/go.sum

@@ -10,3 +10,7 @@ gitlab.com/f5/nginx/controller/poc/f5-hugo v0.14.1-0.20211019184158-5e5bd366bfcd
 gitlab.com/f5/nginx/controller/poc/f5-hugo v0.14.1-0.20211019184158-5e5bd366bfcd/go.mod h1:G+e4mnMJBHCT04TKm3Bbnm5I5OGVoeLlmbaDFF3GPBc=
 gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.3 h1:cDf5OAzX/6Qg2gbSJGAkMHHWOA1RDDigTKVBIGzR2Gw=
 gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.3/go.mod h1:G+e4mnMJBHCT04TKm3Bbnm5I5OGVoeLlmbaDFF3GPBc=
+gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.6 h1:jN+79xD+xUD3nDvZWoubwoUxzgI/G/e7RIf+K3kOPRQ=
+gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.6/go.mod h1:G+e4mnMJBHCT04TKm3Bbnm5I5OGVoeLlmbaDFF3GPBc=
+gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.7 h1:O75I8D2xLjbQ5rYZAflXMcnEPFJ12YhLpyn5auO4EUI=
+gitlab.com/f5/nginx/controller/poc/f5-hugo v0.15.7/go.mod h1:G+e4mnMJBHCT04TKm3Bbnm5I5OGVoeLlmbaDFF3GPBc=

internal/configs/oidc/openid_connect.js

@@ -83,7 +83,8 @@ function auth(r) {
                         r.variables.session_jwt = tokenset.id_token; // Update key-value store
 
                         // Update refresh token (if we got a new one)
-                        if (r.variables.refresh_token != tokenset.refresh_token) {
+                        // 12.2021 - In rare cases the IdP does not include the refresh-token in the response. The rt will be undefined in this case.
+                        if (r.variables.refresh_token != tokenset.refresh_token && tokenset.refresh_token != undefined) {
                             r.log("OIDC replacing previous refresh token (" + r.variables.refresh_token + ") with new value: " + tokenset.refresh_token);
                             r.variables.refresh_token = tokenset.refresh_token; // Update key-value store
                         }

perf-tests/requirements.txt

@@ -8,4 +8,4 @@ certifi==2021.10.8
 urllib3==1.26.7
 pytest-html==3.1.1
 pytest-repeat==0.9.1
-locust==2.5.0
+locust==2.5.1

pkg/apis/configuration/validation/policy.go

@@ -84,10 +84,6 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab
 	}
 
 	if spec.WAF != nil {
-		if !enablePreviewPolicies {
-			allErrs = append(allErrs, field.Forbidden(fieldPath.Child("waf"),
-				"waf is a preview policy. Preview policies must be enabled to use via cli argument -enable-preview-policies"))
-		}
 		if !isPlus {
 			allErrs = append(allErrs, field.Forbidden(fieldPath.Child("waf"), "WAF is only supported in NGINX Plus"))
 		}

pkg/apis/configuration/validation/policy_test.go

@@ -71,6 +71,19 @@ func TestValidatePolicy(t *testing.T) {
 			enableAppProtect:      true,
 			msg:                   "use WAF(plus only) policy",
 		},
+		{
+			policy: &v1.Policy{
+				Spec: v1.PolicySpec{
+					WAF: &v1.WAF{
+						Enable: true,
+					},
+				},
+			},
+			isPlus:                true,
+			enablePreviewPolicies: false,
+			enableAppProtect:      true,
+			msg:                   "WAF policy with preview policies disabled",
+		},
 	}
 	for _, test := range tests {
 		err := ValidatePolicy(test.policy, test.isPlus, test.enablePreviewPolicies, test.enableAppProtect)
@@ -231,19 +244,6 @@ func TestValidatePolicyFails(t *testing.T) {
 			enablePreviewPolicies: true,
 			msg:                   "OIDC policy in OSS",
 		},
-		{
-			policy: &v1.Policy{
-				Spec: v1.PolicySpec{
-					WAF: &v1.WAF{
-						Enable: true,
-					},
-				},
-			},
-			isPlus:                true,
-			enablePreviewPolicies: false,
-			enableAppProtect:      true,
-			msg:                   "WAF policy with preview policies disabled",
-		},
 		{
 			policy: &v1.Policy{
 				Spec: v1.PolicySpec{

tests/data/ap-waf-grpc/virtual-server-route-waf.yaml

@@ -0,0 +1,17 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServerRoute
+metadata:
+  name: helloworld.greeter
+spec:
+  host: virtual-server.example.com
+  upstreams:
+  - name: grpc1
+    service: grpc1-svc
+    port: 50051
+    type: grpc
+  subroutes:
+  - path: "~* /helloworld.greeter/"
+    action:
+      pass: grpc1
+    policies:
+    - name: waf-policy

tests/data/ap-waf-grpc/vsr-virtual-server-spec.yaml

@@ -0,0 +1,11 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: virtual-server-route
+spec:
+  host: virtual-server.example.com
+  tls:
+    secret: virtual-server-tls-grpc-secret
+  routes:
+  - path: "~* /helloworld.greeter/"
+    route: helloworld.greeter

tests/data/appprotect/syslog.yaml

@@ -35,7 +35,7 @@ spec:
   ports:
   - port: 514
     targetPort: 514
-    protocol: UDP
+    protocol: TCP
   selector:
     app: syslog
 ---

tests/data/appprotect/syslog2.yaml

@@ -35,7 +35,7 @@ spec:
   ports:
   - port: 514
     targetPort: 514
-    protocol: UDP
+    protocol: TCP
   selector:
     app: syslog2
 ---

tests/suite/test_app_protect_waf_policies.py

@@ -137,7 +137,6 @@ def assert_valid_responses(response) -> None:
                     f"-enable-custom-resources",
                     f"-enable-leader-election=false",
                     f"-enable-app-protect",
-                    f"-enable-preview-policies",
                 ],
             },
             {"example": "ap-waf", "app_type": "simple",},
@@ -390,7 +389,6 @@ def test_ap_waf_policy_logs(
                     f"-enable-custom-resources",
                     f"-enable-leader-election=false",
                     f"-enable-app-protect",
-                    f"-enable-preview-policies",
                 ],
             },
             {"example": "virtual-server-route"},