update docs to 3.6.0 & pipeline fixes for release

.github/config/config-plus-azure

@@ -6,6 +6,7 @@ export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress-nap
 declare -a PLUS_TAG_POSTFIX_LIST=("")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=()
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("")
 declare -a ADDITIONAL_TAGS=()
 export PUBLISH_OSS=false

.github/config/config-plus-ecr

@@ -3,9 +3,10 @@ export TARGET_PLUS_IMAGE_PREFIX=nginx/nginx-plus-ingress
 export TARGET_NAP_WAF_IMAGE_PREFIX=nginx/nginx-plus-ingress-nap
 export TARGET_NAP_DOS_IMAGE_PREFIX=nginx/nginx-plus-ingress-dos
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX=nginx/nginx-plus-ingress-dos-nap
-declare -a PLUS_TAG_POSTFIX_LIST=("-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("-mktpl")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("-mktpl")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=()
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("-mktpl")
 declare -a ADDITIONAL_TAGS=()
 export PUBLISH_OSS=false

.github/config/config-plus-gcr-public

@@ -6,5 +6,6 @@ export TARGET_NAP_WAF_IMAGE_PREFIX=nginxinc/nginx-plus-ingress-nap
 export TARGET_NAP_DOS_IMAGE_PREFIX=nginxinc/nginx-plus-ingress-dos
 declare -a PLUS_TAG_POSTFIX_LIST=("")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=()
+declare -a NAP_DOS_TAG_POSTFIX_LIST=()
 declare -a ADDITIONAL_TAGS=(${ADDITIONAL_TAG})

.github/scripts/create-release-tarballs.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -ex
 
 directory=$1
 version=$2

.github/workflows/build-oss.yml

@@ -95,12 +95,16 @@ jobs:
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
-      - name: Check if images exist
-        id: images_exist
+      - name: Set base name variable
+        id: base_name
         run: |
           base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }}"
           echo "image=${base_image}" >> $GITHUB_OUTPUT
-          if docker manifest inspect ${base_image}; then
+
+      - name: Check if images exist
+        id: images_exist
+        run: |
+          if docker manifest inspect ${{ steps.base_name.outputs.image }}; then
             echo "base_exists=true" >> $GITHUB_OUTPUT
           fi
           if docker manifest inspect ${{ steps.meta.outputs.tags }}; then
@@ -125,7 +129,7 @@ jobs:
           context: "."
           cache-to: type=gha,scope=${{ inputs.image }},mode=max
           target: common
-          tags: ${{ steps.images_exist.outputs.image }}
+          tags: ${{ steps.base_name.outputs.image }}
           platforms: ${{ inputs.platforms }}
           pull: true
           push: true
@@ -138,7 +142,7 @@ jobs:
       - name: Debug values
         run: |
           echo "authenticated: ${{ inputs.authenticated }}"
-          echo "images_exist: ${{ steps.images_exist.outputs.base_exists }}"
+          echo "base_exists: ${{ steps.images_exist.outputs.base_exists }}"
           echo "target_exists: ${{ steps.images_exist.outputs.target_exists }}"
           echo "full-build: ${{ inputs.full-build }}"
 
@@ -170,7 +174,7 @@ jobs:
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
-            ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image) }}
+            ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_name.outputs.image) }}
             IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 

.github/workflows/build-plus.yml

@@ -100,12 +100,16 @@ jobs:
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
-      - name: Check if images exist
-        id: images_exist
+      - name: Set base name variable
+        id: base_name
         run: |
           base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}"
           echo "image=${base_image}" >> $GITHUB_OUTPUT
-          if docker manifest inspect ${base_image}; then
+
+      - name: Check if images exist
+        id: images_exist
+        run: |
+          if docker pull ${{ steps.base_name.outputs.image }}; then
             echo "base_exists=true" >> $GITHUB_OUTPUT
           fi
           if docker manifest inspect ${{ steps.meta.outputs.tags }}; then
@@ -130,7 +134,7 @@ jobs:
           context: "."
           cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max
           target: common
-          tags: ${{ steps.images_exist.outputs.image }}
+          tags: ${{ steps.base_name.outputs.image }}
           platforms: ${{ inputs.platforms }}
           pull: true
           push: true
@@ -180,7 +184,7 @@ jobs:
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
-            ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image ) }}
+            ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_name.outputs.image ) }}
             IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
             ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
             ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}

.github/workflows/publish-helm.yml

@@ -95,7 +95,7 @@ jobs:
           fetch-depth: 1
           token: ${{ secrets.NGINX_PAT }}
           path: helm-charts
-        if: ${{ inputs.nginx_helm_repo == 'true' }}
+        if: ${{ inputs.nginx_helm_repo }}
 
       - name: Push Helm Chart to Helm Charts Repository
         run: |
@@ -106,4 +106,4 @@ jobs:
           git -c user.name='NGINX Kubernetes Team' -c user.email='kubernetes@nginx.com' \
           commit -m "NGINX Ingress Controller - Release ${{ inputs.chart_version }}"
           git push -u origin master
-        if: ${{ inputs.nginx_helm_repo == 'true' }}
+        if: ${{ inputs.nginx_helm_repo }}

.github/workflows/release.yml

@@ -94,6 +94,8 @@ jobs:
 
       - name: Create new release Tag
         run: |
+          git config --global user.email "kubernetes@nginx.com"
+          git config --global user.name "NGINX Kubernetes Team"
           branch="${{ inputs.release_branch }}"
           tag="v${{ inputs.nic_version }}"
           if ! git rev-parse --verify refs/tags/${tag}; then
@@ -113,7 +115,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
 
   release-oss:
-    if: ${{ ! contains(inputs.skip_step, 'release-oss') }}
+    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-oss') }}
     name: Release Docker OSS
     needs: [variables]
     uses: ./.github/workflows/oss-release.yml
@@ -134,7 +136,7 @@ jobs:
     secrets: inherit
 
   release-plus:
-    if: ${{ ! contains(inputs.skip_step, 'release-plus') }}
+    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-plus') }}
     name: Release Docker Plus
     needs: [variables]
     uses: ./.github/workflows/plus-release.yml
@@ -154,7 +156,7 @@ jobs:
     secrets: inherit
 
   publish-helm-chart:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'publish-helm-chart') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'publish-helm-chart') }}
     name: Publish Helm Chart
     uses: ./.github/workflows/publish-helm.yml
     with:
@@ -168,7 +170,7 @@ jobs:
     secrets: inherit
 
   certify-openshift-images:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }}
     name: Certify OpenShift UBI images
     runs-on: ubuntu-22.04
     needs: [release-oss]
@@ -187,7 +189,7 @@ jobs:
           pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
 
   operator:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'operator') && !contains(inputs.skip_step, 'publish-helm-chart') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'operator') && !contains(inputs.skip_step, 'publish-helm-chart') }}
     name: Trigger PR for Operator
     runs-on: ubuntu-22.04
     needs: [publish-helm-chart]
@@ -208,7 +210,7 @@ jobs:
             })
 
   gcp-marketplace:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'gcp-marketplace') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'gcp-marketplace') }}
     name: Trigger PR for GCP Marketplace
     runs-on: ubuntu-22.04
     needs: [publish-helm-chart]
@@ -229,7 +231,7 @@ jobs:
             })
 
   azure-marketplace:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }}
     name: Trigger CNAB Build for Azure Marketplace
     runs-on: ubuntu-22.04
     needs: [publish-helm-chart]
@@ -245,17 +247,20 @@ jobs:
               workflow_id: 'build-cnab.yml',
               ref: 'main',
               inputs: {
-                chart_version: '${{ inputs.chart_version }}'
-                ic_version: '${{ inputs.nic_version }}'
+                chart_version: '${{ inputs.chart_version }}',
+                ic_version: '${{ inputs.nic_version }}',
                 cnab_version: '${{ inputs.cnab_version }}'
               },
             })
 
   aws-marketplace:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'aws-marketplace') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'aws-marketplace') }}
     name: Publish to AWS Marketplace
     runs-on: ubuntu-22.04
     needs: [release-plus]
+    permissions:
+      contents: read
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -296,9 +301,12 @@ jobs:
     needs: [variables]
     permissions:
       contents: read
+      id-token: write # for cosign to sign artifacts
     steps:
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          ref: ${{ inputs.release_branch }}
 
       - name: Fetch Binary Artifacts from Cache
         uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
@@ -331,7 +339,7 @@ jobs:
         if: ${{ needs.variables.outputs.binary_cache_sign_hit != 'true' }}
 
   azure-upload:
-    if: ${{ ! contains(inputs.skip_step, 'azure-upload') }}
+    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'azure-upload') }}
     name: Upload packages to Azure
     runs-on: ubuntu-22.04
     needs: [variables, binaries]
@@ -374,7 +382,7 @@ jobs:
             done
 
   github-release:
-    if: ${{ ! contains(inputs.skip_step, 'github-release') }}
+    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'github-release') }}
     name: Publish release to GitHub
     runs-on: ubuntu-22.04
     needs: [variables, binaries, release-oss, release-plus, azure-upload]
@@ -400,7 +408,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         # clobber overwrites existing assets of the same name
         run: |
-          if ! ${{ inputs.dry_run }}
+          if ! ${{ inputs.dry_run }}; then
             gh release upload --clobber v${{ inputs.nic_version }} \
               $(find ./tarballs -type f)
           else
@@ -414,13 +422,19 @@ jobs:
           milestone_number=$(gh api \
             -H "Accept: application/vnd.github.v3+json" \
             /repos/${{ github.repository }}/milestones \
-            | jq --arg version ${{ inputs.nic_version }} -r \
+            | jq --arg version "v${{ inputs.nic_version }}" -r \
             '.[] | select(.title == $version) | .number')
-          if ! ${{ inputs.dry_run }}
-            gh api --method PATCH -H "Accept: application/vnd.github.v3+json" \
-              /repos/${{ github.repository }}/milestones/${milestone_number} \
+          if [ -n "${milestone_number}" ]; then
+            if ! ${{ inputs.dry_run }}; then
+              gh api --method PATCH -H "Accept: application/vnd.github.v3+json" \
+                /repos/${{ github.repository }}/milestones/${milestone_number} \
+                -f "title=v${{ inputs.nic_version }}" \
+                -f "state=closed";
+            else
+              echo "Skipping closing Github Release milestone, DRY_RUN"
+            fi
           else
-            echo "Skipping closing Github Release milestone, DRY_RUN"
+            echo "Github Milestone not available, closed already."
           fi
 
       - name: Get Github release id
@@ -432,7 +446,7 @@ jobs:
             -H "Accept: application/vnd.github.v3+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
             /repos/${{ github.repository }}/releases \
-            | jq --arg version ${{ inputs.nic_version }} -r \
+            | jq --arg version "v${{ inputs.nic_version }}" -r \
             '.[] | select(.name == $version) | .id')
           echo "release_id=${release_id}" >> $GITHUB_OUTPUT
 
@@ -473,7 +487,7 @@ jobs:
         if: ${{ ! inputs.dry_run }}
 
   release-image-notification:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'release-image-notification') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'release-image-notification') }}
     name: Notify Slack channels about image release
     runs-on: ubuntu-22.04
     needs: [variables, binaries, release-oss, release-plus]

README.md

@@ -123,7 +123,7 @@ In the case of NGINX, the Ingress Controller is deployed in a pod along with the
 We publish NGINX Ingress Controller releases on GitHub. See our [releases
 page](https://github.com/nginxinc/kubernetes-ingress/releases).
 
-The latest stable release is [3.5.2](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.5.2). For production
+The latest stable release is [3.6.0](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.6.0). For production
 use, we recommend that you choose the latest stable release.
 
 The edge version is useful for experimenting with new features that are not yet published in a stable release. To use
@@ -143,7 +143,7 @@ your links to the correct versions:
 
 | Version | Description |  Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples |
 | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- |
-| Latest stable release | For production use | Use the 3.5.2 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.5.2 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). |
+| Latest stable release | For production use | Use the 3.6.0 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.6.0 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). |
 | Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). |
 
 ## SBOM (Software Bill of Materials)

charts/nginx-ingress/Chart.yaml

@@ -5,10 +5,10 @@ appVersion: 3.7.0
 kubeVersion: ">= 1.23.0-0"
 type: application
 description: NGINX Ingress Controller
-icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/charts/nginx-ingress/chart-icon.png
+icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/charts/nginx-ingress/chart-icon.png
 home: https://github.com/nginxinc/kubernetes-ingress
 sources:
-  - https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress
+  - https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/charts/nginx-ingress
 keywords:
   - ingress
   - nginx