Merge branch 'main' into workflow-release-updater

Author: sean-breen

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ permissions:
 
 env:
   NFPM_VERSION: 'v2.35.3'
-  GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev"
+  GOPROXY: "direct"
 
 jobs:
   proxy-sanity-check:

.github/workflows/release-branch.yml

@@ -96,7 +96,7 @@ jobs:
           ref: ${{ inputs.releaseBranch }}
 
       - name: Setup Node Environment
-        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
 
       - name: Create Draft Release
         if: ${{ needs.vars.outputs.github_release == 'true' }}

.github/workflows/scorecards.yml

@@ -55,6 +55,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
         with:
           sarif_file: results.sarif

go.mod

@@ -613,7 +613,7 @@ func (oc *Collector) updateNginxAppProtectTcplogReceivers(
 		oc.config.Collector.Receivers.TcplogReceivers = make(map[string]*config.TcplogReceiver)
 	}
 
-	napSysLogServer := oc.findAvailableSyslogServers(ctx, nginxConfigContext.NAPSysLogServers)
+	napSysLogServer := oc.findAvailableSyslogServer(ctx, nginxConfigContext.NAPSysLogServer)
 
 	if napSysLogServer != "" {
 		if !oc.doesTcplogReceiverAlreadyExist(napSysLogServer) {
@@ -746,40 +746,29 @@ func (oc *Collector) updateResourceAttributes(
 	return actionUpdated
 }
 
-func (oc *Collector) findAvailableSyslogServers(ctx context.Context, napSyslogServers []string) string {
-	napSyslogServersMap := make(map[string]bool)
-	for _, server := range napSyslogServers {
-		napSyslogServersMap[server] = true
-	}
-
-	if oc.previousNAPSysLogServer != "" {
-		if _, ok := napSyslogServersMap[oc.previousNAPSysLogServer]; ok {
-			return oc.previousNAPSysLogServer
-		}
+func (oc *Collector) findAvailableSyslogServer(ctx context.Context, napSyslogServer string) string {
+	if oc.previousNAPSysLogServer != "" &&
+		normaliseAddress(oc.previousNAPSysLogServer) == normaliseAddress(napSyslogServer) {
+		return napSyslogServer
 	}
 
-	for _, napSyslogServer := range napSyslogServers {
-		listenConfig := &net.ListenConfig{}
-		ln, err := listenConfig.Listen(ctx, "tcp", napSyslogServer)
-		if err != nil {
-			slog.DebugContext(ctx, "NAP syslog server is not reachable", "address", napSyslogServer,
-				"error", err)
-
-			continue
-		}
-		closeError := ln.Close()
-		if closeError != nil {
-			slog.DebugContext(ctx, "Failed to close syslog server", "address", napSyslogServer, "error", closeError)
-		}
-
-		slog.DebugContext(ctx, "Found valid NAP syslog server", "address", napSyslogServer)
+	listenConfig := &net.ListenConfig{}
+	ln, err := listenConfig.Listen(ctx, "tcp", napSyslogServer)
+	if err != nil {
+		slog.DebugContext(ctx, "NAP syslog server is not reachable", "address", napSyslogServer,
+			"error", err)
 
-		oc.previousNAPSysLogServer = napSyslogServer
+		return ""
+	}
 
-		return napSyslogServer
+	closeError := ln.Close()
+	if closeError != nil {
+		slog.DebugContext(ctx, "Failed to close syslog server", "address", napSyslogServer, "error", closeError)
 	}
 
-	return ""
+	oc.previousNAPSysLogServer = napSyslogServer
+
+	return napSyslogServer
 }
 
 func isOSSReceiverChanged(nginxReceiver config.NginxReceiver, nginxConfigContext *model.NginxConfigContext) bool {
@@ -865,3 +854,16 @@ func setProxyWithBasicAuth(ctx context.Context, proxy *config.Proxy, parsedProxy
 	proxyURL := parsedProxyURL.String()
 	setProxyEnvs(ctx, proxyURL, "Setting Proxy with basic auth")
 }
+
+func normaliseAddress(address string) string {
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		return address
+	}
+
+	if host == "localhost" {
+		host = "127.0.0.1"
+	}
+
+	return net.JoinHostPort(host, port)
+}

go.sum

@@ -753,7 +753,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 	require.NoError(t, err)
 
 	nginxConfigContext := &model.NginxConfigContext{
-		NAPSysLogServers: []string{"localhost:15632"},
+		NAPSysLogServer: "localhost:15632",
 	}
 
 	assert.Empty(t, conf.Collector.Receivers.TcplogReceivers)
@@ -786,7 +786,7 @@ func TestCollector_updateNginxAppProtectTcplogReceivers(t *testing.T) {
 	t.Run("Test 4: NewCollector tcplogReceiver added and deleted another", func(tt *testing.T) {
 		tcplogReceiverDeleted := collector.updateNginxAppProtectTcplogReceivers(ctx,
 			&model.NginxConfigContext{
-				NAPSysLogServers: []string{"localhost:1555"},
+				NAPSysLogServer: "localhost:1555",
 			},
 		)
 
@@ -939,49 +939,49 @@ func TestCollector_findAvailableSyslogServers(t *testing.T) {
 		name                    string
 		expectedSyslogServer    string
 		previousNAPSysLogServer string
-		syslogServers           []string
+		syslogServers           string
 		portInUse               bool
 	}{
 		{
 			name:                    "Test 1: port available",
 			expectedSyslogServer:    "localhost:15632",
 			previousNAPSysLogServer: "",
-			syslogServers:           []string{"localhost:15632"},
+			syslogServers:           "localhost:15632",
 			portInUse:               false,
 		},
 		{
 			name:                    "Test 2: port in use",
 			expectedSyslogServer:    "",
 			previousNAPSysLogServer: "",
-			syslogServers:           []string{"localhost:15632"},
+			syslogServers:           "localhost:15632",
 			portInUse:               true,
 		},
 		{
 			name:                    "Test 3: syslog server already configured",
 			expectedSyslogServer:    "localhost:15632",
 			previousNAPSysLogServer: "localhost:15632",
-			syslogServers:           []string{"localhost:15632"},
+			syslogServers:           "localhost:15632",
 			portInUse:               false,
 		},
 		{
 			name:                    "Test 4: new syslog server",
 			expectedSyslogServer:    "localhost:15632",
 			previousNAPSysLogServer: "localhost:1122",
-			syslogServers:           []string{"localhost:15632"},
+			syslogServers:           "localhost:15632",
 			portInUse:               false,
 		},
 		{
-			name:                    "Test 5: port in use find next server",
+			name:                    "Test 6: port hasn't changed",
 			expectedSyslogServer:    "localhost:1122",
-			previousNAPSysLogServer: "",
-			syslogServers:           []string{"localhost:15632", "localhost:1122"},
+			previousNAPSysLogServer: "localhost:1122",
+			syslogServers:           "localhost:1122",
 			portInUse:               true,
 		},
 		{
-			name:                    "Test 6: port hasn't changed",
+			name:                    "Test 7: port hasn't changed, but is now localhost",
 			expectedSyslogServer:    "localhost:1122",
-			previousNAPSysLogServer: "localhost:1122",
-			syslogServers:           []string{"localhost:1122"},
+			previousNAPSysLogServer: "127.0.0.1:1122",
+			syslogServers:           "localhost:1122",
 			portInUse:               true,
 		},
 	}
@@ -994,12 +994,12 @@ func TestCollector_findAvailableSyslogServers(t *testing.T) {
 
 			if test.portInUse {
 				listenConfig := &net.ListenConfig{}
-				ln, listenError := listenConfig.Listen(ctx, "tcp", "localhost:15632")
+				ln, listenError := listenConfig.Listen(ctx, "tcp", test.syslogServers)
 				require.NoError(t, listenError)
 				defer ln.Close()
 			}
 
-			actual := collector.findAvailableSyslogServers(ctx, test.syslogServers)
+			actual := collector.findAvailableSyslogServer(ctx, test.syslogServers)
 			assert.Equal(tt, test.expectedSyslogServer, actual)
 		})
 	}

internal/collector/otel_collector_plugin.go

@@ -46,7 +46,8 @@ const (
 
 	// Regular expression to match invalid characters in paths.
 	// It matches whitespace, control characters, non-printable characters, and specific Unicode characters.
-	regexInvalidPath = "\\s|[[:cntrl:]]|[[:space:]]|[[^:print:]]|ㅤ|\\.\\.|\\*"
+	regexInvalidPath  = "\\s|[[:cntrl:]]|[[:space:]]|[[^:print:]]|ㅤ|\\.\\.|\\*"
+	regexLabelPattern = "^[a-zA-Z0-9]([a-zA-Z0-9-_]{0,254}[a-zA-Z0-9])?$"
 )
 
 var viperInstance = viper.NewWithOptions(viper.KeyDelimiter(KeyDelimiter))
@@ -63,6 +64,40 @@ func Execute(ctx context.Context) error {
 func Init(version, commit string) {
 	setVersion(version, commit)
 	registerFlags()
+	checkDeprecatedEnvVars()
+}
+
+func checkDeprecatedEnvVars() {
+	allViperKeys := make(map[string]struct{})
+	for _, key := range viperInstance.AllKeys() {
+		allViperKeys[key] = struct{}{}
+	}
+
+	const v3Prefix = EnvPrefix + KeyDelimiter
+
+	for _, env := range os.Environ() {
+		parts := strings.SplitN(env, "=", KeyValueNumber)
+		if len(parts) != KeyValueNumber {
+			continue
+		}
+		envKey := parts[0]
+
+		if !strings.HasPrefix(envKey, v3Prefix) {
+			continue
+		}
+
+		viperKey := strings.TrimPrefix(envKey, v3Prefix)
+
+		viperKey = strings.ToLower(viperKey)
+
+		if _, exists := allViperKeys[viperKey]; !exists {
+			slog.Warn("Detected deprecated or unknown environment variables. "+
+				"Please update to use the latest environment variables. For more information, visit "+
+				"https://docs.nginx.com/nginx-one/agent/configure-instances/configuration-overview/.",
+				"deprecated_env_var", envKey,
+			)
+		}
+	}
 }
 
 func RegisterConfigFile() error {
@@ -122,6 +157,7 @@ func ResolveConfig() (*Config, error) {
 		Features:           viperInstance.GetStringSlice(FeaturesKey),
 		Labels:             resolveLabels(),
 		LibDir:             viperInstance.GetString(LibDirPathKey),
+		SyslogServer:       resolveSyslogServer(),
 	}
 
 	defaultCollector(collector, config)
@@ -427,6 +463,12 @@ func registerFlags() {
 		"A comma-separated list of features enabled for the agent.",
 	)
 
+	fs.String(
+		SyslogServerPort,
+		DefSyslogServerPort,
+		"The port Agent will start the syslog server on for logs collection",
+	)
+
 	registerCommonFlags(fs)
 	registerCommandFlags(fs)
 	registerAuxiliaryCommandFlags(fs)
@@ -586,6 +628,12 @@ func registerClientFlags(fs *flag.FlagSet) {
 		DefMaxFileSize,
 		"Max file size in bytes.",
 	)
+
+	fs.Int(
+		ClientGRPCMaxParallelFileOperationsKey,
+		DefMaxParallelFileOperations,
+		"Maximum number of file downloads or uploads performed in parallel",
+	)
 }
 
 func registerCommandFlags(fs *flag.FlagSet) {
@@ -912,6 +960,12 @@ func resolveLog() *Log {
 	}
 }
 
+func resolveSyslogServer() *SyslogServer {
+	return &SyslogServer{
+		Port: viperInstance.GetString(SyslogServerPort),
+	}
+}
+
 func resolveLabels() map[string]interface{} {
 	input := viperInstance.GetStringMapString(LabelsRootKey)
 
@@ -946,7 +1000,9 @@ func resolveLabels() map[string]interface{} {
 			result[trimmedKey] = parseJSON(trimmedValue)
 
 		default: // String
-			result[trimmedKey] = trimmedValue
+			if validateLabel(trimmedValue) {
+				result[trimmedKey] = trimmedValue
+			}
 		}
 	}
 
@@ -955,6 +1011,19 @@ func resolveLabels() map[string]interface{} {
 	return result
 }
 
+func validateLabel(labelValue string) bool {
+	const maxLength = 256
+	labelPattern := regexp.MustCompile(regexLabelPattern)
+	if len(labelValue) > maxLength || !labelPattern.MatchString(labelValue) {
+		slog.Warn("Label value contains unsupported character or exceed maximum length of 256 characters ",
+			"label_value", labelValue)
+
+		return false
+	}
+
+	return true
+}
+
 func resolveEnvironmentVariableLabels() map[string]string {
 	envLabels := make(map[string]string)
 	envInput := viperInstance.GetString(LabelsRootKey)
@@ -1037,11 +1106,12 @@ func resolveClient() *Client {
 				Time:                viperInstance.GetDuration(ClientKeepAliveTimeKey),
 				PermitWithoutStream: viperInstance.GetBool(ClientKeepAlivePermitWithoutStreamKey),
 			},
-			MaxMessageSize:        viperInstance.GetInt(ClientGRPCMaxMessageSizeKey),
-			MaxMessageReceiveSize: viperInstance.GetInt(ClientGRPCMaxMessageReceiveSizeKey),
-			MaxMessageSendSize:    viperInstance.GetInt(ClientGRPCMaxMessageSendSizeKey),
-			MaxFileSize:           viperInstance.GetUint32(ClientGRPCMaxFileSizeKey),
-			FileChunkSize:         viperInstance.GetUint32(ClientGRPCFileChunkSizeKey),
+			MaxMessageSize:            viperInstance.GetInt(ClientGRPCMaxMessageSizeKey),
+			MaxMessageReceiveSize:     viperInstance.GetInt(ClientGRPCMaxMessageReceiveSizeKey),
+			MaxMessageSendSize:        viperInstance.GetInt(ClientGRPCMaxMessageSendSizeKey),
+			MaxFileSize:               viperInstance.GetUint32(ClientGRPCMaxFileSizeKey),
+			FileChunkSize:             viperInstance.GetUint32(ClientGRPCFileChunkSizeKey),
+			MaxParallelFileOperations: viperInstance.GetInt(ClientGRPCMaxParallelFileOperationsKey),
 		},
 		Backoff: &BackOff{
 			InitialInterval:     viperInstance.GetDuration(ClientBackoffInitialIntervalKey),