5.2.0 (#72)

* 20240930-01 initial branch commit

* 20240930-02 dev

* 20241001-01 renamed NGINX One Cloud Console into NGINX One Console

* 20241001-01 renamed NGINX One Cloud Console into NGINX One Console

* 20241001-01 renamed NGINX One Cloud Console into NGINX One Console

* 20241024

* 20241121-01 - NGINX Plus R33 support added

* 20241121-02 - NGINX Plus R33 support added

* 20241121-03 - NGINX Plus R33 support added

* 20241122-01 - NGINX Plus R33 support added

.gitignore

@@ -20,9 +20,9 @@ Thumbs.db
 =======
 /.idea/
 /src/__pycache__/
-/src/v4_2/__pycache__/
 /src/v5_0/__pycache__/
 /src/v5_1/__pycache__/
+/src/v5_2/__pycache__/
 /contrib/devportal/redocly/src/__pycache__/
 /contrib/app-protect/src/__pycache__/
 /venv/

README.md

@@ -2,15 +2,15 @@
 
 [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
 
-This project provides a set of declarative REST API for [NGINX Instance Manager](https://docs.nginx.com/nginx-management-suite/nim/) and [NGINX One Cloud Console](https://docs.nginx.com/nginx-one/)
+This project provides a set of declarative REST API for [NGINX Instance Manager](https://docs.nginx.com/nginx-management-suite/nim/) and [NGINX One Console](https://docs.nginx.com/nginx-one/)
 
 It can be used to manage NGINX Plus configuration lifecycle and to create NGINX Plus configurations using JSON service definitions.
 
 GitOps integration is supported: source of truth is checked for updates (NGINX App Protect policies, TLS certificates, keys and chains/bundles, Swagger/OpenAPI definitions, snippets) and NGINX configurations are automatically kept in sync.
 
 Use cases include:
 
-- Integration with NGINX Instance Manager (instance group) and NGINX One Cloud Console (config sync group)
+- Integration with NGINX Instance Manager (instance group) and NGINX One Console (config sync group)
 - NGINX App Protect DevSecOps integration (NGINX Instance Manager only)
 - API Gateway deployments with automated Swagger / OpenAPI schema import
 - API Developer portals zero-touch deployment (redocly and backstage supported)
@@ -28,10 +28,12 @@ A **blog article** to automate NGINX API Gateway management from OpenAPI schemas
 
 ## Supported releases
 
-- NGINX Instance Manager 2.14+
-- NGINX One Cloud Console
-- NGINX Plus R30+
-- NGINX App Protect WAF 4 and 5
+- [NGINX Instance Manager 2.14+](https://docs.nginx.com/nginx-management-suite/nim/)
+- [NGINX One Console](https://docs.nginx.com/nginx-one/)
+- [NGINX Plus R30+](https://docs.nginx.com/nginx/)
+- NGINX App Protect WAF [4](https://docs.nginx.com/nginx-app-protect-waf/v4/) and [5](https://docs.nginx.com/nginx-app-protect-waf/v5/)
+
+**Note**: NGINX Plus R33 and above [require a valid license](https://docs.nginx.com/solutions/about-subscription-licenses/) and the `.output.license` section in the declarative JSON is required. See the [usage notes](/USAGE-v5.2.md) for further details. [Postman collection](/contrib/postman) examples are provided for R33.
 
 ## Architecture
 
@@ -44,7 +46,7 @@ stateDiagram-v2
     Client: REST Client
     Pipeline: CI/CD Pipeline
     NIM: NGINX Instance Manager
-    N1: NGINX One Cloud Console
+    N1: NGINX One Console
     AGENT1: NGINX Agent
     NGINX1: NGINX
     AGENT2: NGINX Agent
@@ -90,7 +92,7 @@ participant Source of Truth
 participant NGINX Declarative API Core
 participant Redis
 participant Developer Portal Service
-participant NGINX Instance Manager / NGINX One
+participant NGINX Instance Manager / NGINX One Console
 participant NGINX
 
 box NGINX Declarative API
@@ -135,7 +137,7 @@ end
 ## Output formats
 
 - [X] Output to NGINX Instance Manager 2.14+ imperative REST API (instance group)
-- [X] Output to NGINX One Cloud Console REST API (config sync group)
+- [X] Output to NGINX One Console REST API (config sync group)
 
 ## Supported features
 
@@ -145,9 +147,9 @@ See the [features list](/FEATURES.md)
 
 Usage details and JSON schema are available here:
 
-- [API v5.1](/USAGE-v5.1.md) - latest
-- [API v5.0](/USAGE-v5.0.md)
-- [API v4.2](/USAGE-v4.2.md) - deprecated
+- [API v5.2](/USAGE-v5.2.md) - latest - required for NGINX Plus R33+
+- [API v5.1](/USAGE-v5.1.md)
+- [API v5.0](/USAGE-v5.0.md) - deprecated
 
 A sample Postman collection and usage instructions can be found [here](/contrib/postman)
 

USAGE-v5.1.md

@@ -4,7 +4,7 @@ Version 5.1 supports:
 
 - [NGINX Instance Manager](https://docs.nginx.com/nginx-management-suite/nim/) 2.14+
 - [NGINX One Cloud Console](https://docs.nginx.com/nginx-one/)
-- [NGINX Plus](https://docs.nginx.com/nginx/) R30+
+- [NGINX Plus](https://docs.nginx.com/nginx/) R30, R31, R32
 - [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) 4 with precompiled [policy bundles](https://docs.nginx.com/nginx-app-protect-waf/v5/admin-guide/compiler/)
 
 The JSON schema is self explanatory. See also the [sample Postman collection](/contrib/postman) for usage examples

USAGE-v5.2.md

@@ -0,0 +1,64 @@
+# Usage for NGINX Declarative API v5.2
+
+Version 5.2 supports:
+
+- [NGINX Instance Manager](https://docs.nginx.com/nginx-management-suite/nim/) 2.14+. Version 2.18+ is required for NGINX R33 and above
+- [NGINX One Console](https://docs.nginx.com/nginx-one/)
+- [NGINX Plus](https://docs.nginx.com/nginx/) R31, R32, R33+
+- [NGINX App Protect WAF](https://docs.nginx.com/nginx-app-protect-waf/) 4 with precompiled [policy bundles](https://docs.nginx.com/nginx-app-protect-waf/v5/admin-guide/compiler/)
+
+The JSON schema is self explanatory. See also the [sample Postman collection](/contrib/postman) for usage examples
+
+- `.output.license` defines the JWT license to use for NGINX Plus R33+
+  - `.output.license.endpoint` the usage reporting endpoint (defaults to `product.connect.nginx.com`). NGINX Instance Manager address can be used here
+  - `.output.license.token` the JWT license token
+  - `.output.license.ssl_verify` set to `false` to trust all SSL certificates (not recommended). Useful for reporting to NGINX Instance Manager without a local PKI.
+  - `.output.license.grace_period` Set to 'true' to begin the 180-day reporting enforcement grace period. Reporting must begin or resume before the end of the grace period to ensure continued operation
+- `.output.type` defines how NGINX configuration will be returned:
+  - *nms* - NGINX configuration is published as a Staged Config to NGINX Instance Manager
+    - `.output.nms.url` the NGINX Instance Manager URL
+    - `.output.nms.username` the NGINX Instance Manager authentication username
+    - `.output.nms.password` the NGINX Instance Manager authentication password
+    - `.output.nms.instancegroup` the NGINX Instance Manager instance group to publish the configuration to
+    - `.output.nms.synctime` **optional**, used for GitOps autosync. When specified and the declaration includes HTTP(S) references to NGINX App Protect policies, TLS certificates/keys/chains, the HTTP(S) endpoints will be checked every `synctime` seconds and if external contents have changed, the updated configuration will automatically be published to NGINX Instance Manager
+    - `.output.nms.modules` an optional array of NGINX module names (ie. 'ngx_http_app_protect_module', 'ngx_http_js_module','ngx_stream_js_module')
+    - `.output.nms.certificates` an optional array of TLS certificates/keys/chains to be published
+      - `.output.nms.certificates[].type` the item type ('certificate', 'key', 'chain')
+      - `.output.nms.certificates[].name` the certificate/key/chain name with no path/extension (ie. 'test-application')
+      - `.output.nms.certificates[].contents` the content: this can be either base64-encoded or be a HTTP(S) URL that will be fetched dynamically from a source of truth
+    - `.output.nms.policies[]` an optional array of NGINX App Protect security policies
+      - `.output.nms.policies[].type` the policy type ('app_protect')
+      - `.output.nms.policies[].name` the policy name (ie. 'prod-policy')
+      - `.output.nms.policies[].active_tag` the policy tag to enable among all available versions (ie. 'v1')
+      - `.output.nms.policies[].versions[]` array with all available policy versions
+      - `.output.nms.policies[].versions[].tag` the policy version's tag name
+      - `.output.nms.policies[].versions[].displayName` the policy version's display name
+      - `.output.nms.policies[].versions[].description` the policy version's description
+      - `.output.nms.policies[].versions[].contents` this can be either base64-encoded or be a HTTP(S) URL that will be fetched dynamically from a source of truth
+  - *nginxone* - NGINX configuration is published to a NGINX One Console config sync group
+    - `.output.nginxone.url` the NGINX One Console URL
+    - `.output.nginxone.namespace` the NGINX One Console namespace
+    - `.output.nginxone.token` the authentication token
+    - `.output.nginxone.configsyncgroup` the NGINX One Console config sync group name
+    - `.output.nginxone.synctime` **optional**, used for GitOps autosync. When specified and the declaration includes HTTP(S) references to NGINX App Protect policies, TLS certificates/keys/chains, the HTTP(S) endpoints will be checked every `synctime` seconds and if external contents have changed, the updated configuration will automatically be published to NGINX One Cloud Console
+    - `.output.nginxone.modules` an optional array of NGINX module names (ie. 'ngx_http_app_protect_module', 'ngx_http_js_module','ngx_stream_js_module')
+    - `.output.nginxone.certificates` an optional array of TLS certificates/keys/chains to be published
+      - `.output.nginxone.certificates[].type` the item type ('certificate', 'key', 'chain')
+      - `.output.nginxone.certificates[].name` the certificate/key/chain name with no path/extension (ie. 'test-application')
+      - `.output.nginxone.certificates[].contents` the content: this can be either base64-encoded or be a HTTP(S) URL that will be fetched dynamically from a source of truth
+- `.declaration` describes the NGINX configuration to be created
+  - `.declaration.http[]` NGINX HTTP definitions
+  - `.declaration.layer4[]` NGINX TCP/UDP definitions
+  - `.declaration.resolvers[]` DNS resolvers definitions
+
+### API endpoints
+
+- `POST /v5.2/config/` - Publish a new declaration
+- `PATCH /v5.2/config/{config_uid}` - Update an existing declaration
+  - Per-HTTP server CRUD
+  - Per-HTTP upstream CRUD
+  - Per-Stream server CRUD
+  - Per-Stream upstream CRUD
+  - Per-NGINX App Protect WAF policy CRUD
+- `GET /v5.2/config/{config_uid}` - Retrieve an existing declaration
+- `DELETE /v5.2/config/{config_uid}` - Delete an existing declaration