Add OpenTelemetry support

.github/data/matrix-smoke-nap.json

@@ -5,7 +5,7 @@
       "image": "ubi-8-plus-nap",
       "type": "plus",
       "nap_modules": "waf",
-      "marker": "appprotect_waf_policies_allow",
+      "marker": "'appprotect_waf_policies_allow or otel'",
       "platforms": "linux/amd64"
     },
     {
@@ -21,23 +21,23 @@
       "image": "alpine-plus-nap-fips",
       "type": "plus",
       "nap_modules": "waf",
-      "marker": "appprotect_waf_policies_grpc",
+      "marker": "'appprotect_waf_policies_grpc or otel'",
       "platforms": "linux/amd64"
     },
     {
       "label": "AP_WAF 4/4",
       "image": "debian-plus-nap",
       "type": "plus",
       "nap_modules": "waf",
-      "marker": "'appprotect_watch or appprotect_batch or appprotect_integration or appprotect_waf_policies_vsr'",
+      "marker": "'appprotect_watch or appprotect_batch or appprotect_integration or appprotect_waf_policies_vsr or otel'",
       "platforms": "linux/amd64"
     },
     {
       "label": "AP_WAF_V5 1/1",
       "image": "debian-plus-nap-v5",
       "type": "plus",
       "nap_modules": "waf",
-      "marker": "appprotect_waf_v5",
+      "marker": "'appprotect_waf_v5 or otel'",
       "platforms": "linux/amd64"
     },
     {
@@ -61,7 +61,7 @@
       "image": "ubi-9-plus-nap",
       "type": "plus",
       "nap_modules": "dos",
-      "marker": "dos_learning",
+      "marker": "'dos_learning or otel'",
       "platforms": "linux/amd64"
     },
     {

.github/data/matrix-smoke-oss.json

@@ -5,77 +5,77 @@
       "image": "debian",
       "type": "oss",
       "marker": "'ingresses and not annotations and not basic_auth and not hsts and not watch_namespace and not wildcard_tls'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "ingresses 2/2",
       "image": "debian",
       "type": "oss",
       "marker": "'annotations or basic_auth or hsts or watch_namespace or wildcard_tls'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "VSR 1/3",
       "image": "alpine",
       "type": "oss",
       "marker": "'vsr and not vsr_upstream and not vsr_grpc and not vsr_status and not vsr_canary and not vsr_routing and not vsr_api and not vsr_redirects and not vsr_rewrite and not vsr_canned and not vsr_basic'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "VSR 2/3",
       "image": "alpine",
       "type": "oss",
       "marker": "'vsr_basic or vsr_canned or vsr_rewrite or vsr_redirects or vsr_upstream'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "VSR 3/3",
       "image": "alpine",
       "type": "oss",
       "marker": "'vsr_api or vsr_routing or vsr_canary or vsr_status or vsr_grpc'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "policies 1/2",
       "image": "alpine",
       "type": "oss",
       "marker": "'policies and not policies_rl and not policies_ac and not policies_jwt and not policies_mtls'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "policies 2/2",
       "image": "alpine",
       "type": "oss",
-      "marker": "'policies_rl or policies_ac or policies_jwt or policies_mtls'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "marker": "'policies_rl or policies_ac or policies_jwt or policies_mtls or otel'",
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "VS 1/3",
       "image": "debian",
       "type": "oss",
       "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager and not vs_api and not vs_backup and not vs_use_cluster_ip and not vs_canary and not vs_upstream and not vs_config_map'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "VS 2/3",
       "image": "debian",
       "type": "oss",
       "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns or vs_api or vs_backup or vs_use_cluster_ip or vs_canary or vs_upstream or vs_config_map'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "VS 3/3",
       "image": "debian",
       "type": "oss",
-      "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager'",
-      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "marker": "'vs_responses or vs_ipv6 or vs_rewrite or vs_certmanager or otel'",
+      "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "TS",
       "image": "ubi",
       "type": "oss",
-      "marker": "ts",
-      "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+      "marker": "'ts or otel'",
+      "platforms": "linux/arm64, linux/amd64"
     }
   ],
   "k8s": []

.github/data/matrix-smoke-plus.json

@@ -25,7 +25,7 @@
       "label": "TS",
       "image": "debian-plus",
       "type": "plus",
-      "marker": "ts",
+      "marker": "'ts or otel'",
       "platforms": "linux/arm64, linux/amd64"
     },
     {
@@ -60,7 +60,7 @@
       "label": "VSR 3/3",
       "image": "alpine-plus",
       "type": "plus",
-      "marker": "'vsr_api or vsr_routing or vsr_canary or vsr_status or vsr_grpc'",
+      "marker": "'vsr_api or vsr_routing or vsr_canary or vsr_status or vsr_grpc or otel'",
       "platforms": "linux/arm64, linux/amd64"
     },
     {
@@ -74,7 +74,7 @@
       "label": "policies 2/3",
       "image": "ubi-9-plus",
       "type": "plus",
-      "marker": "'policies_ac or policies_jwt or policies_mtls'",
+      "marker": "'policies_ac or policies_jwt or policies_mtls or otel'",
       "platforms": "linux/arm64, linux/amd64, linux/s390x"
     },
     {

.github/workflows/build-ubi-dependency.yml

@@ -1,92 +1,36 @@
-name: Build UBI ppc64le Dependency
+name: Build UBI c-ares Dependency
 
 on:
   push:
     branches:
       - main
     paths:
-      - build/dependencies/Dockerfile.ubi
+      - build/dependencies/Dockerfile.ubi8
+      - build/dependencies/Dockerfile.ubi9
+      - .github/workflows/build-ubi-dependency.yml
   workflow_dispatch:
-    inputs:
-      nginx_version:
-        type: string
-        description: "NGINX Version to build for"
-        required: false
-      force:
-        type: boolean
-        description: "Force rebuild"
-        required: false
-        default: false
 
 env:
-  IMAGE_NAME: ghcr.io/nginx/dependencies/nginx-ubi-ppc64le
+  IMAGE_NAME: ghcr.io/nginx/dependencies/nginx-ubi
 
 concurrency:
-  group: ${{ github.ref_name }}-ubi-ppc64le-build
+  group: ${{ github.ref_name }}-ubi-build
   cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
-  checks:
-    name: Check versions
-    runs-on: ubuntu-22.04
-    permissions:
-      packages: read
-      contents: read
-    strategy:
-      fail-fast: false
-    outputs:
-      nginx_version: ${{ steps.var.outputs.nginx_version }}
-      njs_version: ${{ steps.var.outputs.njs_version }}
-      target_exists: ${{ steps.var.outputs.target_image_exists }}
-    steps:
-      - name: Checkout Repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Output Variables
-        id: var
-        run: |
-          if [ -n "${{ inputs.nginx_version }}" ]; then
-            nginx_v=${{ inputs.nginx_version }}
-          else
-            nginx_v=$(grep -m1 'FROM nginx:' <build/dependencies/Dockerfile.ubi | cut -d '@' -f1 | awk -F'[: ]' '{print $3}')
-          fi
-          target_image=${{ env.IMAGE_NAME }}:nginx-${nginx_v}
-          if docker manifest inspect ${target_image}; then
-            target_image_exists=true
-          else
-            target_image_exists=false
-          fi
-          docker pull nginx:$nginx_v || exit 1
-          njs=$(docker run nginx:$nginx_v env | grep NJS_VERSION | cut -d= -f2)
-          echo "> Outputs -------------------------------"
-          echo "NJS_VERSION=$njs"
-          echo "nginx_version=${nginx_v}"
-          echo "njs_version=${njs}"
-          echo "target_image_exists=${target_image_exists}"
-          echo "nginx_version=${nginx_v}" >> $GITHUB_OUTPUT
-          echo "njs_version=${njs}" >> $GITHUB_OUTPUT
-          echo "target_image_exists=${target_image_exists}" >> $GITHUB_OUTPUT
-
   build-binaries:
     name: Build Binary Container Image
-    if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force }}
-    needs: checks
     runs-on: ubuntu-22.04
     permissions:
       packages: write
       contents: read
     strategy:
       fail-fast: false
+      matrix:
+        tag: ["ubi8", "ubi9"]
     steps:
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -113,28 +57,23 @@ jobs:
           images: |
             name=${{ env.IMAGE_NAME }},enable=true
           tags: |
-            type=raw,value=nginx-${{ needs.checks.outputs.nginx_version }},enable=true
+            type=raw,value=${{ matrix.tag }},enable=true
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
       - name: Build and push
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          file: ./build/dependencies/Dockerfile.ubi
+          file: ./build/dependencies/Dockerfile.${{ matrix.tag }}
           context: "."
           pull: true
           push: true
-          # build multi-arch so that it can be mounted from any image
-          # even though only ppc64le will contain binaries
           platforms: "linux/amd64,linux/arm64"
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ steps.meta.outputs.annotations }}
-          cache-from: type=gha,scope=nginx-ubi-ppc64le
-          cache-to: type=gha,scope=nginx-ubi-ppc64le,mode=max
+          cache-from: type=gha,scope=nginx-${{ matrix.tag }}
+          cache-to: type=gha,scope=nginx-${{ matrix.tag }},mode=max
           target: final
           sbom: false
           provenance: mode=max
-          build-args: |
-            NGINX=${{ needs.checks.outputs.nginx_version }}
-            NJS=${{ needs.checks.outputs.njs_version }}

.github/workflows/update-docker-sha.yml

@@ -62,7 +62,8 @@ jobs:
             ARGS="--exclude ${{ github.event.inputs.excludes }}"
           fi
           .github/scripts/docker-updater.sh ./build/Dockerfile $ARGS
-          .github/scripts/docker-updater.sh ./build/dependencies/Dockerfile.ubi $ARGS
+          .github/scripts/docker-updater.sh ./build/dependencies/Dockerfile.ubi8 $ARGS
+          .github/scripts/docker-updater.sh ./build/dependencies/Dockerfile.ubi9 $ARGS
           .github/scripts/docker-updater.sh ./tests/Dockerfile $ARGS
           files=$(git diff --name-only)
           if [[ $files == *"Dockerfile"* ]]; then