Merge branch 'main' into add-nginx-reload-complete-check

Author: aphralG

.github/workflows/ci.yml

@@ -20,9 +20,27 @@ permissions:
 
 env:
   NFPM_VERSION: 'v2.35.3'
-  GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev"
+  GOPROXY: "direct"
 
 jobs:
+  proxy-sanity-check:
+    name: Proxy Sanity Check
+    runs-on: ubuntu-22.04
+    if: ${{ !github.event.pull_request.head.repo.fork }}
+    env:
+      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev"
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+            fetch-tags: 'true'
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+            go-version-file: 'go.mod'
+            cache: false
+      - name: run goproxy-sanity-check
+        run: |
+          make build
+
   lint:
     name: Lint
     runs-on: ubuntu-22.04
@@ -36,9 +54,12 @@ jobs:
         run: make install-tools
       - name: run lint
         run: make lint
+
   unit-test:
       name: Unit Tests
       runs-on: ubuntu-22.04
+      permissions:
+        contents: write
       steps:
           - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
           - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
@@ -52,9 +73,10 @@ jobs:
             with:
               config: ./.testcoverage.yaml
               ## when token is not specified (value '') this feature is turned off
-              git-token: ${{ github.ref_name == 'v3' && secrets.GITHUB_TOKEN || '' }}
+              git-token: ${{ github.ref_name == 'main' && secrets.GITHUB_TOKEN || '' }}
               ## name of orphaned branch where badges are stored
               git-branch: badges
+
   race-condition-test:
       name: Unit tests with race condition detection
       runs-on: ubuntu-22.04
@@ -66,11 +88,14 @@ jobs:
                 cache: false
           - name: Run unit tests with race condition detection
             run: make race-condition-test
+
   build-unsigned-snapshot:
       name: Build Unsigned Snapshot
       runs-on: ubuntu-22.04
       steps:
           - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+            with:
+              fetch-tags: 'true'
           - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
             with:
                 go-version-file: 'go.mod'
@@ -232,15 +257,17 @@ jobs:
           benchmark-data-dir-path: ""
           # Set auto-push to false since GitHub API token is not given
           auto-push: false
-          alert-threshold: '125%'
+          alert-threshold: '150%'
           gh-pages-branch: "benchmark-results"
           fail-on-alert: true
       - name: Push benchmark result
-        if:  ${{ success() && github.ref_name == 'v3'}}
+        if:  ${{ success() && github.ref_name == 'main'}}
         run: git push 'https://github-actions:${{ secrets.GITHUB_TOKEN }}@github.com/nginx/agent.git' benchmark-results:benchmark-results
   load-tests:
     name: Load Tests
     if: ${{ !github.event.pull_request.head.repo.fork && !startsWith(github.ref_name, 'dependabot/') }}
+    permissions:
+      contents: write
     runs-on: ubuntu-22.04
     needs: build-unsigned-snapshot
 
@@ -303,10 +330,10 @@ jobs:
           benchmark-data-dir-path: ""
           # Set auto-push to false since GitHub API token is not given
           auto-push: false
-          alert-threshold: '175%'
+          alert-threshold: '150%'
           gh-pages-branch: "benchmark-results"
           fail-on-alert: true
 
       - name: Push load test result
-        if:  ${{ success() && github.ref_name == 'v3'}}
+        if:  ${{ success() && github.ref_name == 'main' }}
         run: git push 'https://github-actions:${{ secrets.GITHUB_TOKEN }}@github.com/nginx/agent.git' benchmark-results:benchmark-results

.github/workflows/release-branch.yml

@@ -42,7 +42,7 @@ on:
 
 env:
   NFPM_VERSION: 'v2.35.3'
-  GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency"
+  GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-dev"
 
 defaults:
   run:
@@ -304,10 +304,10 @@ jobs:
           script: |
             const { repo, owner } = context.repo;
             const result = await github.rest.pulls.create({
-              title: 'Merge ${{ github.ref_name }} back into main',
+              title: 'Merge ${{ inputs.releaseBranch }} back into main',
               owner,
               repo,
-              head: '${{ github.ref_name }}',
+              head: '${{ inputs.releaseBranch }}',
               base: 'main',
               body: [
                 'This PR is auto-generated by the release workflow.'

Makefile

@@ -48,7 +48,10 @@ MANIFEST_DIR	?= /var/lib/nginx-agent
 DIRS            = $(BUILD_DIR) $(TEST_BUILD_DIR) $(BUILD_DIR)/$(DOCS_DIR) $(BUILD_DIR)/$(DOCS_DIR)/$(PROTO_DIR)
 $(shell mkdir -p $(DIRS))
 
-VERSION 		?= "v3.0.0"
+VERSION ?= $(shell git describe --match "v[0-9]*" --abbrev=0 --tags)
+ifeq ($(strip $(VERSION)),)
+	VERSION := $(shell curl https://api.github.com/repos/nginx/agent/releases/latest -s | jq .name -r)
+endif
 COMMIT  		= $(shell git rev-parse --short HEAD)
 DATE    		= $(shell date +%F_%H-%M-%S)
 LDFLAGS 		= "-s -w -X main.version=$(VERSION) -X main.commit=$(COMMIT) -X main.date=$(DATE)"
@@ -104,7 +107,6 @@ include Makefile.containers
 include Makefile.packaging
 
 .PHONY: help clean no-local-changes build lint format unit-test integration-test run dev run-mock-management-grpc-server generate generate-mocks local-apk-package local-deb-package local-rpm-package
-
 help: ## Show help message
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\033[36m\033[0m\n"} /^[$$()% 0-9a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-24s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 

Makefile.packaging

@@ -9,7 +9,7 @@ AZURE_PACKAGES_DIR  := ./build/azure/packages
 BINARY_PATH         := $(BUILD_DIR)/$(BINARY_NAME)
 GPG_PUBLIC_KEY      := .key
 PACKAGE_BUILD       ?= 1
-PACKAGE_VERSION     := $(shell git describe --match "v[0-9]*" --abbrev=0 --tags)
+PACKAGE_VERSION     ?= $(shell echo ${VERSION} | tr -d 'v')
 TARBALL_NAME        := $(PACKAGE_PREFIX).tar.gz
 
 DEB_DISTROS         ?= ubuntu-plucky-25.04 ubuntu-noble-24.04 ubuntu-jammy-22.04 ubuntu-focal-20.04 debian-bookworm-12 debian-bullseye-11
@@ -35,7 +35,7 @@ $(PACKAGES_DIR):
 	@mkdir -p $(PACKAGES_DIR)/deb && mkdir -p $(PACKAGES_DIR)/rpm && mkdir -p $(PACKAGES_DIR)/apk
 
 .PHONY: package
-package: $(PACKAGES_DIR) #### Create final packages for all supported distros
+package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported distros
 	# Create deb packages
 	@for arch in $(DEB_ARCHS); do \
 		GOWORK=off CGO_ENABLED=0 GOARCH=$${arch} GOOS=linux go build -pgo=auto -ldflags=${LDFLAGS} -o $(BINARY_PATH) $(PROJECT_DIR)/$(PROJECT_FILE); \
@@ -111,7 +111,7 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros
 	find $(PACKAGES_DIR)/apk ;\
 
 	# Create tarball containing all packages
-	cd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" * && cd ../.. && cp "${PACKAGES_DIR}/$(TARBALL_NAME)"; \
+	cd $(PACKAGES_DIR) && tar -czvf "./$(TARBALL_NAME)" * && cd ../..; \
 
 .PHONY: gpg-key
 gpg-key: ## Generate GPG public key

internal/collector/otel_collector_plugin.go

@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"net"
 	"os"
 	"strings"
 	"sync"
@@ -46,11 +47,12 @@ const (
 type (
 	// Collector The OTel collector plugin start an embedded OTel collector for metrics collection in the OTel format.
 	Collector struct {
-		service types.CollectorInterface
-		cancel  context.CancelFunc
-		config  *config.Config
-		mu      *sync.Mutex
-		stopped bool
+		service                 types.CollectorInterface
+		config                  *config.Config
+		mu                      *sync.Mutex
+		cancel                  context.CancelFunc
+		previousNAPSysLogServer string
+		stopped                 bool
 	}
 )
 
@@ -86,10 +88,11 @@ func NewCollector(conf *config.Config) (*Collector, error) {
 	}
 
 	return &Collector{
-		config:  conf,
-		service: oTelCollector,
-		stopped: true,
-		mu:      &sync.Mutex{},
+		config:                  conf,
+		service:                 oTelCollector,
+		stopped:                 true,
+		mu:                      &sync.Mutex{},
+		previousNAPSysLogServer: "",
 	}, nil
 }
 
@@ -550,10 +553,12 @@ func (oc *Collector) updateNginxAppProtectTcplogReceivers(nginxConfigContext *mo
 		oc.config.Collector.Receivers.TcplogReceivers = make(map[string]*config.TcplogReceiver)
 	}
 
-	if nginxConfigContext.NAPSysLogServer != "" {
-		if !oc.doesTcplogReceiverAlreadyExist(nginxConfigContext.NAPSysLogServer) {
+	napSysLogServer := oc.findAvailableSyslogServers(nginxConfigContext.NAPSysLogServers)
+
+	if napSysLogServer != "" {
+		if !oc.doesTcplogReceiverAlreadyExist(napSysLogServer) {
 			oc.config.Collector.Receivers.TcplogReceivers["nginx_app_protect"] = &config.TcplogReceiver{
-				ListenAddress: nginxConfigContext.NAPSysLogServer,
+				ListenAddress: napSysLogServer,
 				Operators: []config.Operator{
 					// regex captures the priority number from the log line
 					{
@@ -606,13 +611,13 @@ func (oc *Collector) updateNginxAppProtectTcplogReceivers(nginxConfigContext *mo
 		}
 	}
 
-	tcplogReceiverDeleted := oc.areNapReceiversDeleted(nginxConfigContext)
+	tcplogReceiverDeleted := oc.areNapReceiversDeleted(napSysLogServer)
 
 	return newTcplogReceiverAdded || tcplogReceiverDeleted
 }
 
-func (oc *Collector) areNapReceiversDeleted(nginxConfigContext *model.NginxConfigContext) bool {
-	listenAddressesToBeDeleted := oc.configDeletedNapReceivers(nginxConfigContext)
+func (oc *Collector) areNapReceiversDeleted(napSysLogServer string) bool {
+	listenAddressesToBeDeleted := oc.configDeletedNapReceivers(napSysLogServer)
 	if len(listenAddressesToBeDeleted) != 0 {
 		delete(oc.config.Collector.Receivers.TcplogReceivers, "nginx_app_protect")
 		return true
@@ -621,17 +626,17 @@ func (oc *Collector) areNapReceiversDeleted(nginxConfigContext *model.NginxConfi
 	return false
 }
 
-func (oc *Collector) configDeletedNapReceivers(nginxConfigContext *model.NginxConfigContext) map[string]bool {
+func (oc *Collector) configDeletedNapReceivers(napSysLogServer string) map[string]bool {
 	elements := make(map[string]bool)
 
 	for _, tcplogReceiver := range oc.config.Collector.Receivers.TcplogReceivers {
 		elements[tcplogReceiver.ListenAddress] = true
 	}
 
-	if nginxConfigContext.NAPSysLogServer != "" {
+	if napSysLogServer != "" {
 		addressesToDelete := make(map[string]bool)
-		if !elements[nginxConfigContext.NAPSysLogServer] {
-			addressesToDelete[nginxConfigContext.NAPSysLogServer] = true
+		if !elements[napSysLogServer] {
+			addressesToDelete[napSysLogServer] = true
 		}
 
 		return addressesToDelete
@@ -675,6 +680,39 @@ func (oc *Collector) updateResourceAttributes(
 	return actionUpdated
 }
 
+func (oc *Collector) findAvailableSyslogServers(napSyslogServers []string) string {
+	napSyslogServersMap := make(map[string]bool)
+	for _, server := range napSyslogServers {
+		napSyslogServersMap[server] = true
+	}
+
+	if oc.previousNAPSysLogServer != "" {
+		if _, ok := napSyslogServersMap[oc.previousNAPSysLogServer]; ok {
+			return oc.previousNAPSysLogServer
+		}
+	}
+
+	for _, napSyslogServer := range napSyslogServers {
+		ln, err := net.Listen("tcp", napSyslogServer)
+		if err != nil {
+			slog.Debug("NAP syslog server is not reachable", "address", napSyslogServer,
+				"error", err)
+
+			continue
+		}
+		closeError := ln.Close()
+		if closeError != nil {
+			slog.Debug("Failed to close syslog server", "address", napSyslogServer, "error", closeError)
+		}
+
+		slog.Debug("Found valid NAP syslog server", "address", napSyslogServer)
+
+		return napSyslogServer
+	}
+
+	return ""
+}
+
 func isOSSReceiverChanged(nginxReceiver config.NginxReceiver, nginxConfigContext *model.NginxConfigContext) bool {
 	return nginxReceiver.StubStatus.URL != nginxConfigContext.StubStatus.URL ||
 		len(nginxReceiver.AccessLogs) != len(nginxConfigContext.AccessLogs)