From c718c3ea95fc739d1fd31722f5fba0a645fae0a0 Mon Sep 17 00:00:00 2001
From: nginx-bot <68849795+nginx-bot@users.noreply.github.com>
Date: Mon, 24 Jun 2024 01:18:53 -0700
Subject: [PATCH 01/37] Docker image update d41d8cd9 (#5822)

---
 build/Dockerfile | 6 +++---
 tests/Dockerfile | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/build/Dockerfile b/build/Dockerfile
index c0f45b1ed9..a1cfc7422f 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -15,11 +15,11 @@ FROM ghcr.io/nginxinc/k8s-common:nginx-opentracing-1.27.0-alpine@sha256:5dc5c763
 FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 AS alpine-fips-3.17
 FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc AS alpine-fips-3.19
 FROM redhat/ubi9-minimal@sha256:a7d837b00520a32502ada85ae339e33510cdfdbc8d2ddf460cc838e12ec5fa5a AS ubi-minimal
-FROM golang:1.22-alpine@sha256:32c85006b1edf29c097514e0c81a33334aa1450685a885c10657ec756dbb7703 AS golang-builder
+FROM golang:1.22-alpine@sha256:ace6cc3fe58d0c7b12303c57afe6d6724851152df55e08057b43990b927ad5e8 AS golang-builder
 
 
 ############################################# Base image for Alpine #############################################
-FROM nginx:1.27.0-alpine@sha256:d68d230c2c7f0b28c7e5f17ed66d521deeba23aa467568202af72f7f7f61cd94 AS alpine
+FROM nginx:1.27.0-alpine@sha256:a45ee5d042aaa9e81e013f97ae40c3dda26fbe98f22b6251acdf28e579560d55 AS alpine
 
 RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 	apk add --no-cache libcap libstdc++ \
@@ -29,7 +29,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 
 
 ############################################# Base image for Debian #############################################
-FROM nginx:1.27.0@sha256:56b388b0d79c738f4cf51bbaf184a14fab19337f4819ceb2cae7d94100262de8 AS debian
+FROM nginx:1.27.0@sha256:9c367186df9a6b18c6735357b8eb7f407347e84aea09beb184961cb83543d46e AS debian
 
 RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
 	apt-get update \
diff --git a/tests/Dockerfile b/tests/Dockerfile
index 57bffe74b5..c89a54f505 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -5,7 +5,7 @@ FROM kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a79
 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date
 FROM quay.io/skopeo/stable:v1.15.1
 
-FROM python:3.12@sha256:4584ea46d313a10e849eb7c5ef36be14773418233516ceaa9e52a8ff7d5e35a5
+FROM python:3.12@sha256:f6d04873f0a67146854270e5f6513ed5e0165557c1b10689f1a20e9e65c8fe8e
 
 RUN apt-get update \
 	&& apt-get install -y curl git \

From 5b1978c6a0cba10377a31d3514c737256fe6696e Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Mon, 24 Jun 2024 09:55:05 +0100
Subject: [PATCH 02/37] Run Trivy & DockerScout on main & release branches
 (#5818)

---
 .github/workflows/build-plus.yml      |   1 -
 .github/workflows/image-promotion.yml | 272 ++++++++++++++++++++++++++
 2 files changed, 272 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 342a6e07fd..86c8b912b9 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -49,7 +49,6 @@ jobs:
   build:
     permissions:
       contents: read # for docker/build-push-action to read repo content
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       id-token: write # for OIDC login to AWS
       pull-requests: write # for scout report
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index 34f4771b82..43476412d7 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -5,6 +5,8 @@ name: Image Promotion
 # - tag edge for main workflows
 # - tag release branch name for release branch workflows
 # - release edge images & helm charts for edge
+# - run Trivy & dockerscout scans for main & release branch images
+#   & upload results to Github security & Github Artifacts
 
 on:
   push:
@@ -338,3 +340,273 @@ jobs:
           image: quay.io/nginx/nginx-ingress:edge-ubi
           project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
           pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+
+  scan-docker-oss:
+    name: Scan Docker OSS
+    runs-on: ubuntu-22.04
+    needs: [checks]
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    if: ${{ !cancelled() && !failure() }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Make directory for security scan results
+        id: directory
+        run: |
+          directory=${{ matrix.image }}-${{ matrix.target }}-results
+          echo "directory=${directory}" >> $GITHUB_OUTPUT
+          mkdir -p "${directory}"
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          context: workflow
+          images: |
+            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress
+          flavor: |
+            suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}
+          tags: |
+            type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+        continue-on-error: true
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: "sarif"
+          output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
+          ignore-unfixed: "true"
+
+      - name: DockerHub Login for Docker Scount
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Run Docker Scout vulnerability scanner
+        id: docker-scout
+        uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
+        with:
+          command: cves,recommendations
+          image: ${{ steps.meta.outputs.tags }}
+          ignore-base: true
+          only-fixed: true
+          sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+          write-comment: false
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+          summary: true
+
+      - name: Upload Scan Results to Github Artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+          path: "${{ steps.directory.outputs.directory }}/"
+          overwrite: true
+
+      - name: Upload Scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          sarif_file: "${{ steps.directory.outputs.directory }}/"
+
+  scan-docker-plus:
+    name: Scan Docker Plus
+    runs-on: ubuntu-22.04
+    needs: [checks]
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    if: ${{ !cancelled() && !failure() }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_plus ) }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Make directory for security scan results
+        id: directory
+        run: |
+          directory=${{ matrix.image }}-${{ matrix.target }}-results
+          echo "directory=${directory}" >> $GITHUB_OUTPUT
+          mkdir -p "${directory}"
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          context: workflow
+          images: |
+            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress
+          flavor: |
+            suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
+          tags: |
+            type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+        continue-on-error: true
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: "sarif"
+          output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
+          ignore-unfixed: "true"
+
+      - name: DockerHub Login for Docker Scount
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Run Docker Scout vulnerability scanner
+        id: docker-scout
+        uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
+        with:
+          command: cves,recommendations
+          image: ${{ steps.meta.outputs.tags }}
+          ignore-base: true
+          only-fixed: true
+          sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+          write-comment: false
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+          summary: true
+
+      - name: Upload Scan Results to Github Artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+          path: "${{ steps.directory.outputs.directory }}/"
+          overwrite: true
+
+      - name: Upload Scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          sarif_file: "${{ steps.directory.outputs.directory }}/"
+
+  scan-docker-nap:
+    name: Scan Docker Plus + NAP WAF/DOS
+    runs-on: ubuntu-22.04
+    needs: [checks]
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    if: ${{ !cancelled() && !failure() }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_nap ) }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Make directory for security scan results
+        id: directory
+        run: |
+          directory=${{ matrix.image }}-${{ matrix.target }}-results
+          echo "directory=${directory}" >> $GITHUB_OUTPUT
+          mkdir -p "${directory}"
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
+        with:
+          context: workflow
+          images: |
+            name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic${{ contains(matrix.nap_modules, 'dos') && '-dos' || '' }}${{ contains(matrix.nap_modules, 'waf') && '-nap' || '' }}${{ contains(matrix.image, 'v5') && '-v5' || '' }}/nginx-plus-ingress
+          flavor: |
+            suffix=${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }}${{ contains(matrix.target, 'aws') && '-mktpl' || '' }}${{ contains(matrix.image, 'fips') && '-fips' || ''}}
+          tags: |
+            type=raw,value=${{ github.ref_name == github.event.repository.default_branch && 'edge' || github.ref_name }}
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3
+        with:
+          token_format: access_token
+          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+
+      - name: Login to GCR
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: gcr.io
+          username: oauth2accesstoken
+          password: ${{ steps.auth.outputs.access_token }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
+        continue-on-error: true
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: "sarif"
+          output: "${{ steps.directory.outputs.directory }}/trivy.sarif"
+          ignore-unfixed: "true"
+
+      - name: DockerHub Login for Docker Scount
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Run Docker Scout vulnerability scanner
+        id: docker-scout
+        uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
+        with:
+          command: cves,recommendations
+          image: ${{ steps.meta.outputs.tags }}
+          ignore-base: true
+          only-fixed: true
+          sarif-file: "${{ steps.directory.outputs.directory }}/scout.sarif"
+          write-comment: false
+          github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
+          summary: true
+
+      - name: Upload Scan Results to Github Artifacts
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: "${{ github.ref_name }}-${{ steps.directory.outputs.directory }}"
+          path: "${{ steps.directory.outputs.directory }}/"
+          overwrite: true
+
+      - name: Upload Scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          sarif_file: "${{ steps.directory.outputs.directory }}/"

From 1d33ebfcc8a52e84cc7064ad659274a620c1967b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Jun 2024 09:01:30 +0000
Subject: [PATCH 03/37] Bump nginx from `d68d230` to `5c0c227` in /build
 (#5819)

Bumps nginx from `d68d230` to `5c0c227`.

---
updated-dependencies:
- dependency-name: nginx
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Paul Abel <p.abel@f5.com>

From 379e30b291dbd6a793653b88905ab734448af5b1 Mon Sep 17 00:00:00 2001
From: oseoin <oseoin@users.noreply.github.com>
Date: Mon, 24 Jun 2024 10:41:27 +0100
Subject: [PATCH 04/37] Skip upload test results on skipped tests (#5827)

---
 .github/workflows/setup-smoke.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
index 8298c9c019..0fddf00ef9 100644
--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -164,4 +164,4 @@ jobs:
         with:
           name: ${{ steps.smoke-tests.outputs.test-results-name }}
           path: ${{ steps.smoke-tests.outputs.test-results-path }}
-        if: always()
+        if: ${{ success() || failure() }}

From 7d217f0654b17a878c618295019abbe8d36fae17 Mon Sep 17 00:00:00 2001
From: oseoin <oseoin@users.noreply.github.com>
Date: Mon, 24 Jun 2024 11:21:27 +0100
Subject: [PATCH 05/37] Change test upload logic to match test run logic
 (#5829)

---
 .github/workflows/setup-smoke.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
index 0fddf00ef9..229cb79efa 100644
--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -164,4 +164,4 @@ jobs:
         with:
           name: ${{ steps.smoke-tests.outputs.test-results-name }}
           path: ${{ steps.smoke-tests.outputs.test-results-path }}
-        if: ${{ success() || failure() }}
+        if: ${{ !cancelled() && steps.stable_exists.outputs.exists != 'true' }}

From 5f56fe0f9d1a3ea0a022f60b63325ca44902d767 Mon Sep 17 00:00:00 2001
From: oseoin <oseoin@users.noreply.github.com>
Date: Mon, 24 Jun 2024 11:51:53 +0100
Subject: [PATCH 06/37] Fix branch prefix for docker sha updates (#5830)

---
 .github/workflows/update-docker-sha.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml
index ee75c7f302..7d1a5c4213 100644
--- a/.github/workflows/update-docker-sha.yml
+++ b/.github/workflows/update-docker-sha.yml
@@ -6,12 +6,12 @@ on:
       source_branch:
         required: true
         type: string
-        default: 'main'
+        default: "main"
       excludes:
         description: Comma separated list of strings to exclude images from the update
         required: false
         type: string
-        default: ''
+        default: ""
       dry_run:
         type: boolean
         default: false
@@ -78,7 +78,7 @@ jobs:
           token: ${{ secrets.NGINX_PAT }}
           commit-message: Update docker images ${{ steps.update_images.outputs.docker_md5 }}
           title: Docker image update ${{ steps.update_images.outputs.docker_md5 }}
-          branch: chore/image-update-${{ needs.vars.outputs.source_branch }}-${{ steps.update_images.outputs.docker_md5 }}
+          branch: deps/image-update-${{ needs.vars.outputs.source_branch }}-${{ steps.update_images.outputs.docker_md5 }}
           author: nginx-bot <integrations@nginx.com>
           labels: |
             dependencies

From 30832505bf1a955112b177d7348e76147acd438e Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Mon, 24 Jun 2024 12:20:55 +0100
Subject: [PATCH 07/37] add permissions to update released images (#5831)

---
 .github/workflows/update-docker-images.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml
index 62be001ad9..926973f2e4 100644
--- a/.github/workflows/update-docker-images.yml
+++ b/.github/workflows/update-docker-images.yml
@@ -244,6 +244,7 @@ jobs:
     permissions:
       contents: read
       id-token: write
+      packages: write
     secrets: inherit
 
   release-oss-public:

From bc13ff7ed676296c26fb454140e005d627896463 Mon Sep 17 00:00:00 2001
From: nginx-bot <68849795+nginx-bot@users.noreply.github.com>
Date: Mon, 24 Jun 2024 05:35:57 -0700
Subject: [PATCH 08/37] Version Bump for 3.7.0 (#5828)

Co-authored-by: oseoin <oseoin@users.noreply.github.com>
---
 .github/data/version.txt        | 4 ++--
 charts/nginx-ingress/Chart.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/data/version.txt b/.github/data/version.txt
index ad7d39021e..c7de7c8366 100644
--- a/.github/data/version.txt
+++ b/.github/data/version.txt
@@ -1,2 +1,2 @@
-IC_VERSION=3.6.0
-HELM_CHART_VERSION=1.3.0
+IC_VERSION=3.7.0
+HELM_CHART_VERSION=1.4.0
diff --git a/charts/nginx-ingress/Chart.yaml b/charts/nginx-ingress/Chart.yaml
index d17ff02b8d..66c5315c79 100644
--- a/charts/nginx-ingress/Chart.yaml
+++ b/charts/nginx-ingress/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: nginx-ingress
-version: 1.3.0
-appVersion: 3.6.0
+version: 1.4.0
+appVersion: 3.7.0
 kubeVersion: ">= 1.23.0-0"
 type: application
 description: NGINX Ingress Controller

From 5247156330bb575361282ac292f5cd2ea597c849 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Jun 2024 13:13:44 +0000
Subject: [PATCH 09/37] Bump the go group with 1 update (#5821)

Bumps the go group with 1 update: [github.com/go-chi/chi/v5](https://github.com/go-chi/chi).

Updates `github.com/go-chi/chi/v5` from 5.0.13 to 5.0.14
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-chi/chi/compare/v5.0.13...v5.0.14)

---
updated-dependencies:
- dependency-name: github.com/go-chi/chi/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: oseoin <oseoin@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 10d2d30e3b..0f35d09aec 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/cert-manager/cert-manager v1.15.0
 	github.com/dlclark/regexp2 v1.11.0
 	github.com/gkampitakis/go-snaps v0.5.4
-	github.com/go-chi/chi/v5 v5.0.13
+	github.com/go-chi/chi/v5 v5.0.14
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/golang/glog v1.2.0
 	github.com/google/go-cmp v0.6.0
diff --git a/go.sum b/go.sum
index 7c66bc7b12..8e57d3c6b1 100644
--- a/go.sum
+++ b/go.sum
@@ -75,8 +75,8 @@ github.com/gkampitakis/go-snaps v0.5.4/go.mod h1:ZABkO14uCuVxBHAXAfKG+bqNz+aa1bG
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-asn1-ber/asn1-ber v1.5.6 h1:CYsqysemXfEaQbyrLJmdsCRuufHoLa3P/gGWGl5TDrM=
 github.com/go-asn1-ber/asn1-ber v1.5.6/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-chi/chi/v5 v5.0.13 h1:JlH2F2M8qnwl0N1+JFFzlX9TlKJYas3aPXdiuTmJL+w=
-github.com/go-chi/chi/v5 v5.0.13/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.0.14 h1:PyEwo2Vudraa0x/Wl6eDRRW2NXBvekgfxyydcM0WGE0=
+github.com/go-chi/chi/v5 v5.0.14/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
 github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=

From 7164119d42b5d8ab9d1bbc3813e7200f37acd5c7 Mon Sep 17 00:00:00 2001
From: oseoin <oseoin@users.noreply.github.com>
Date: Mon, 24 Jun 2024 15:07:48 +0100
Subject: [PATCH 10/37] Forked workflow build (#5835)

---
 .github/workflows/build-oss.yml  | 1 +
 .github/workflows/build-plus.yml | 1 +
 .github/workflows/ci.yml         | 6 +++---
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index afde1eb656..2fddf9d092 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -56,6 +56,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ inputs.branch }}
+          fetch-depth: 0
 
       - name: Authenticate to Google Cloud
         id: auth
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 86c8b912b9..e271a77bab 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -57,6 +57,7 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ inputs.branch }}
+          fetch-depth: 0
 
       - name: Authenticate to Google Cloud
         id: auth
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dfda4599cb..6687f0273e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -302,7 +302,7 @@ jobs:
       authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
       full-build: ${{ inputs.force && inputs.force || false }}
       tag: ${{ needs.checks.outputs.build_tag }}
-      branch: ${{ github.head_ref && github.head_ref || github.ref }}
+      branch: ${{ (github.head_ref && needs.checks.outputs.forked_workflow != 'true') && github.head_ref || github.ref }}
     permissions:
       contents: read
       actions: read
@@ -325,7 +325,7 @@ jobs:
       target: ${{ matrix.target }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
-      branch: ${{ github.head_ref && github.head_ref || github.ref }}
+      branch: ${{ (github.head_ref && needs.checks.outputs.forked_workflow != 'true') && github.head_ref || github.ref }}
       tag: ${{ needs.checks.outputs.build_tag }}
       authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}
       full-build: ${{ inputs.force && inputs.force || false }}
@@ -349,7 +349,7 @@ jobs:
       target: ${{ matrix.target }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       base-image-md5: ${{ needs.checks.outputs.docker_md5 }}
-      branch: ${{ github.head_ref && github.head_ref || github.ref }}
+      branch: ${{ (github.head_ref && needs.checks.outputs.forked_workflow != 'true') && github.head_ref || github.ref }}
       tag: ${{ needs.checks.outputs.build_tag }}
       nap-modules: ${{ matrix.nap_modules }}
       authenticated: ${{ needs.checks.outputs.forked_workflow != 'true' }}

From f31bb5cc43544508cfb2fc333711b85406180a20 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 24 Jun 2024 14:54:15 +0000
Subject: [PATCH 11/37] Bump the actions group across 1 directory with 5
 updates (#5825)

Bumps the actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4.1.6` | `4.1.7` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `6.0.2` | `6.1.0` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.24.7` | `3.25.10` |
| [reviewdog/action-actionlint](https://github.com/reviewdog/action-actionlint) | `1.50.0` | `1.51.0` |
| [nginxinc/aws-marketplace-publish](https://github.com/nginxinc/aws-marketplace-publish) | `1.0.3` | `1.0.4` |



Updates `actions/checkout` from 4.1.6 to 4.1.7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.1.6...692973e3d937129bcbf40652eb9f2f61becf3332)

Updates `docker/build-push-action` from 6.0.2 to 6.1.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/f6010ea70151369b06f0194be1051fbbdff851b2...31159d49c0d4756269a0940a750801a1ea5d7003)

Updates `github/codeql-action` from 3.24.7 to 3.25.10
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3.24.7...23acc5c183826b7a8a97bce3cecc52db901f8251)

Updates `reviewdog/action-actionlint` from 1.50.0 to 1.51.0
- [Release notes](https://github.com/reviewdog/action-actionlint/releases)
- [Commits](https://github.com/reviewdog/action-actionlint/compare/2927e858b45218240af952feb1d702cf6365f39a...afad3b6ab835e5611bda8c8193377e2d5c21413d)

Updates `nginxinc/aws-marketplace-publish` from 1.0.3 to 1.0.4
- [Release notes](https://github.com/nginxinc/aws-marketplace-publish/releases)
- [Commits](https://github.com/nginxinc/aws-marketplace-publish/compare/be512a7ae9666098bc4429a1afa27a11be6a3995...9f178512e8e7658fe4aab73d1dac15f3f86fb7b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: reviewdog/action-actionlint
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: nginxinc/aws-marketplace-publish
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jakub Jarosz <99677300+jjngx@users.noreply.github.com>
Co-authored-by: Venktesh Shivam Patel <ve.patel@f5.com>
Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Co-authored-by: oseoin <oseoin@users.noreply.github.com>
---
 .github/workflows/build-base-images.yml | 6 +++---
 .github/workflows/build-oss.yml         | 4 ++--
 .github/workflows/build-plus.yml        | 4 ++--
 .github/workflows/build-test-image.yml  | 2 +-
 .github/workflows/ci.yml                | 4 ++--
 .github/workflows/image-promotion.yml   | 6 +++---
 .github/workflows/lint-format.yml       | 2 +-
 .github/workflows/patch-image.yml       | 2 +-
 .github/workflows/regression.yml        | 8 ++++----
 .github/workflows/release.yml           | 2 +-
 .github/workflows/setup-smoke.yml       | 4 ++--
 11 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index 1490969a10..a19a86772d 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -92,7 +92,7 @@ jobs:
             type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: build/Dockerfile
           context: "."
@@ -156,7 +156,7 @@ jobs:
             type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: build/Dockerfile
           context: "."
@@ -225,7 +225,7 @@ jobs:
             type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: build/Dockerfile
           context: "."
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 2fddf9d092..80c998bb4b 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -120,7 +120,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: build/Dockerfile
           context: "."
@@ -152,7 +152,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Docker image
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         id: build-push
         with:
           file: build/Dockerfile
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index e271a77bab..638ec738e2 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -124,7 +124,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: build/Dockerfile
           context: "."
@@ -161,7 +161,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Docker image
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         id: build-push
         with:
           file: build/Dockerfile
diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml
index e51a9ad662..d3fbab8bcd 100644
--- a/.github/workflows/build-test-image.yml
+++ b/.github/workflows/build-test-image.yml
@@ -49,7 +49,7 @@ jobs:
           password: ${{ steps.auth.outputs.access_token }}
 
       - name: Build Test-Runner Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: tests/Dockerfile
           context: "."
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6687f0273e..cc2fc330f6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -441,7 +441,7 @@ jobs:
         if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
 
       - name: Build Docker Image ${{ matrix.base-os }}
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: build/Dockerfile
           context: "."
@@ -559,7 +559,7 @@ jobs:
         if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
 
       - name: Build Test-Runner Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: tests/Dockerfile
           context: "."
diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index 43476412d7..1ae86669e6 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -427,7 +427,7 @@ jobs:
           overwrite: true
 
       - name: Upload Scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           sarif_file: "${{ steps.directory.outputs.directory }}/"
 
@@ -517,7 +517,7 @@ jobs:
           overwrite: true
 
       - name: Upload Scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           sarif_file: "${{ steps.directory.outputs.directory }}/"
 
@@ -607,6 +607,6 @@ jobs:
           overwrite: true
 
       - name: Upload Scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           sarif_file: "${{ steps.directory.outputs.directory }}/"
diff --git a/.github/workflows/lint-format.yml b/.github/workflows/lint-format.yml
index a3bea5f7c3..8cb01057e0 100644
--- a/.github/workflows/lint-format.yml
+++ b/.github/workflows/lint-format.yml
@@ -63,7 +63,7 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - uses: reviewdog/action-actionlint@2927e858b45218240af952feb1d702cf6365f39a # v1.50.0
+      - uses: reviewdog/action-actionlint@afad3b6ab835e5611bda8c8193377e2d5c21413d # v1.51.0
         with:
           actionlint_flags: -shellcheck ""
 
diff --git a/.github/workflows/patch-image.yml b/.github/workflows/patch-image.yml
index de4d8467ef..d110b229da 100644
--- a/.github/workflows/patch-image.yml
+++ b/.github/workflows/patch-image.yml
@@ -70,7 +70,7 @@ jobs:
           password: ${{ steps.auth.outputs.access_token }}
 
       - name: Apply OS patches to Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: build/Dockerfile
           context: "."
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
index 34782a4232..19038d92aa 100644
--- a/.github/workflows/regression.yml
+++ b/.github/workflows/regression.yml
@@ -36,7 +36,7 @@ jobs:
       branch: ${{ steps.vars.outputs.branch }}
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ inputs.branch && inputs.branch || github.event.repository.default_branch }}
 
@@ -101,7 +101,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ needs.checks.outputs.branch }}
 
@@ -180,7 +180,7 @@ jobs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ needs.checks.outputs.branch }}
 
@@ -200,7 +200,7 @@ jobs:
       id-token: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           ref: ${{ needs.checks.outputs.branch }}
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f2a2e99601..3a55fa1d53 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -275,7 +275,7 @@ jobs:
           ref: ${{ inputs.release_branch }}
 
       - name: Publish to AWS Marketplace
-        uses: nginxinc/aws-marketplace-publish@be512a7ae9666098bc4429a1afa27a11be6a3995 # v1.0.3
+        uses: nginxinc/aws-marketplace-publish@9f178512e8e7658fe4aab73d1dac15f3f86fb7b4 # v1.0.4
         continue-on-error: true
         with:
           version: ${{ inputs.nic_version }}
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
index 229cb79efa..4d4855e97d 100644
--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -112,7 +112,7 @@ jobs:
         if: ${{ inputs.authenticated  }}
 
       - name: Build Test-Runner Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: tests/Dockerfile
           context: "."
@@ -124,7 +124,7 @@ jobs:
         if: ${{ ( !inputs.authenticated || steps.check-image.outcome == 'failure' )  }}
 
       - name: Build ${{ inputs.image }} Container
-        uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
+        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
         with:
           file: build/Dockerfile
           context: "."

From b9f41901ecc833d8d313d14c95e5b1b83e6bb23b Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Tue, 25 Jun 2024 08:54:40 +0100
Subject: [PATCH 12/37] Add actionlint pre commit plugin (#5839)

---
 .github/workflows/build-oss.yml |  1 -
 .github/workflows/ci.yml        |  5 +----
 .pre-commit-config.yaml         | 12 ++++++++++++
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 80c998bb4b..f155469d6a 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -44,7 +44,6 @@ jobs:
     runs-on: ubuntu-22.04
     permissions:
       contents: read # for docker/build-push-action to read repo content
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       id-token: write # for OIDC login to GCR
       packages: write # for docker/build-push-action to push to GHCR
       pull-requests: write # for scout report
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cc2fc330f6..fdd6cdba4f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -306,7 +306,6 @@ jobs:
     permissions:
       contents: read
       actions: read
-      security-events: write
       id-token: write
       packages: write
       pull-requests: write # for scout report
@@ -331,7 +330,6 @@ jobs:
       full-build: ${{ inputs.force && inputs.force || false }}
     permissions:
       contents: read
-      security-events: write
       id-token: write
       pull-requests: write # for scout report
     secrets: inherit
@@ -356,8 +354,7 @@ jobs:
       full-build: ${{ inputs.force && inputs.force || false }}
     permissions:
       contents: read
-      security-events: write
-      id-token: write
+      id-token: write # gcr login
       pull-requests: write # for scout report
     secrets: inherit
 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 829e8a3dfd..612316ee66 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -77,5 +77,17 @@ repos:
     hooks:
       - id: markdownlint-cli2
 
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.1
+    hooks:
+      - id: actionlint
+        name: Lint GitHub Actions workflow files
+        description: Runs actionlint to lint GitHub Actions workflow files
+        language: golang
+        types: ["yaml"]
+        files: ^\.github/workflows/
+        entry: actionlint
+        args: ["-shellcheck",""]
+
 ci:
   skip: [golang-diff, golangci-lint, check-jsonschema, markdownlint-cli2]

From a37af7395b31490383c0759b4e4a2f5fa5e82fe2 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 25 Jun 2024 09:08:41 +0100
Subject: [PATCH 13/37] [pre-commit.ci] pre-commit autoupdate (#5841)

---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 612316ee66..ac364e6dc1 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -64,7 +64,7 @@ repos:
       - id: black
 
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.28.5
+    rev: 0.28.6
     hooks:
       - id: check-jsonschema
         name: "Check Helm Chart JSON Schema"

From 7f2e66c9a7451aa74b4692ba1b5adb900951e022 Mon Sep 17 00:00:00 2001
From: Jakub Jarosz <99677300+jjngx@users.noreply.github.com>
Date: Tue, 25 Jun 2024 10:00:45 +0100
Subject: [PATCH 14/37] WAF v5 docs update (#5719)

---
 .../building-nginx-ingress-controller.md      |   3 +
 .../integrations/app-protect-dos/_index.md    |   2 +-
 .../integrations/app-protect-waf-v5/_index.md |   8 +
 .../app-protect-waf-v5/configuration.md       | 184 +++++++++
 .../app-protect-waf-v5/installation.md        | 349 ++++++++++++++++++
 .../troubleshooting-app-protect-waf.md        |  30 +-
 .../integrations/f5-ingresslink.md            |   2 +-
 .../installation/integrations/opentracing.md  |   2 +-
 .../pulling-ingress-controller-image.md       |  32 ++
 docs/content/overview/about.md                |   2 +-
 docs/go.mod                                   |   2 +-
 docs/go.sum                                   |   6 +-
 .../service-insight/README.md                 |   4 +-
 13 files changed, 601 insertions(+), 25 deletions(-)
 create mode 100644 docs/content/installation/integrations/app-protect-waf-v5/_index.md
 create mode 100644 docs/content/installation/integrations/app-protect-waf-v5/configuration.md
 create mode 100644 docs/content/installation/integrations/app-protect-waf-v5/installation.md

diff --git a/docs/content/installation/building-nginx-ingress-controller.md b/docs/content/installation/building-nginx-ingress-controller.md
index 09160100ba..5adfd012de 100644
--- a/docs/content/installation/building-nginx-ingress-controller.md
+++ b/docs/content/installation/building-nginx-ingress-controller.md
@@ -143,14 +143,17 @@ Key targets include:
 | _alpine-image_                | Builds an Alpine-based image with NGINX.                                                                                                                                                                     |
 | _alpine-image-plus_           | Builds an Alpine-based image with NGINX Plus.                                                                                                                                                                |
 | _alpine-image-plus-fips_      | Builds an Alpine-based image with NGINX Plus and FIPS.                                                                                                                                                       |
+| _alpine-image-nap-v5-plus-fips_      | Builds an Alpine-based image with NGINX Plus, the [NGINX App Protect WAF v5](/nginx-app-protect/) module and FIPS.                                                                                                                                                       |
 | _debian-image_                | Builds a Debian-based image with NGINX.                                                                                                                                                                      |
 | _debian-image-plus_           | Builds a Debian-based image with NGINX Plus.                                                                                                                                                                 |
 | _debian-image-nap-plus_       | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect WAF](/nginx-app-protect/) module.                                                                                                     |
+| _debian-image-nap-v5-plus_       | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect/) module.                                                                                                     |
 | _debian-image-dos-plus_       | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect DoS](/nginx-app-protect-dos/) module.                                                                                                 |
 | _debian-image-nap-dos-plus_   | Builds a Debian-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect/) and [NGINX App Protect DoS](/nginx-app-protect-dos/) modules.                                                      |
 | _ubi-image_                   | Builds a UBI-based image with NGINX for [OpenShift](https://www.openshift.com/) clusters.                                                                                                                    |
 | _ubi-image-plus_              | Builds a UBI-based image with NGINX Plus for [OpenShift](https://www.openshift.com/) clusters.                                                                                                               |
 | _ubi-image-nap-plus_          | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect WAF](/nginx-app-protect/) module for [OpenShift](https://www.openshift.com/) clusters.                                                   |
+| _ubi-image-nap-v5-plus_          | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect/) module for [OpenShift](https://www.openshift.com/) clusters.                                                   |
 | _ubi-image-dos-plus_          | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect DoS](/nginx-app-protect-dos/) module for [OpenShift](https://www.openshift.com/) clusters.                                               |
 | _ubi-image-nap-dos-plus_      | <p>Builds a UBI-based image with NGINX Plus, [NGINX App Protect WAF](/nginx-app-protect/) and the [NGINX App Protect DoS](/nginx-app-protect-dos/) module for [OpenShift](https://www.openshift.com/) clusters.</p> <p> **Important**: Save your RHEL organization and activation keys in a file named _rhel_license_ at the project root.</p> <p> For instance:</p> <pre>RHEL_ORGANIZATION=1111111<br />RHEL_ACTIVATION_KEY=your-key</pre>|
 {{</bootstrap-table>}}
diff --git a/docs/content/installation/integrations/app-protect-dos/_index.md b/docs/content/installation/integrations/app-protect-dos/_index.md
index 2cd1a1fd30..6f26859961 100644
--- a/docs/content/installation/integrations/app-protect-dos/_index.md
+++ b/docs/content/installation/integrations/app-protect-dos/_index.md
@@ -1,7 +1,7 @@
 ---
 title: NGINX App Protect DoS
 description: Learn how to use NGINX Ingress Controller for Kubernetes with NGINX App Protect DoS.
-weight: 200
+weight: 300
 menu:
   docs:
     parent: Integrations
diff --git a/docs/content/installation/integrations/app-protect-waf-v5/_index.md b/docs/content/installation/integrations/app-protect-waf-v5/_index.md
new file mode 100644
index 0000000000..01bf182df7
--- /dev/null
+++ b/docs/content/installation/integrations/app-protect-waf-v5/_index.md
@@ -0,0 +1,8 @@
+---
+title: NGINX App Protect WAF v5
+description: Learn how to use NGINX Ingress Controller for Kubernetes with NGINX App Protect version 5.
+weight: 200
+menu:
+  docs:
+    parent: NGINX Ingress Controller
+---
diff --git a/docs/content/installation/integrations/app-protect-waf-v5/configuration.md b/docs/content/installation/integrations/app-protect-waf-v5/configuration.md
new file mode 100644
index 0000000000..ca6c53ac12
--- /dev/null
+++ b/docs/content/installation/integrations/app-protect-waf-v5/configuration.md
@@ -0,0 +1,184 @@
+---
+docs: DOCS-000
+title: Configuration
+toc: true
+weight: 200
+---
+
+
+## Overview
+
+This document explains how to use F5 NGINX Ingress Controller to configure [NGINX App Protect WAF v5](https://docs.nginx.com/nginx-app-protect-waf/v5/).
+
+{{< note >}} Check out the complete NGINX Ingress Controller with NGINX App Protect WAF example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/app-protect-waf-v5) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-waf-v5).{{< /note >}}
+
+
+## Global Configuration
+
+NGINX Ingress Controller has global configuration parameters that match those in NGINX App Protect WAF. They are found in the [ConfigMap resource]({{< relref "configuration/global-configuration/configmap-resource.md#modules" >}}): the NGINX App Protect WAF parameters are prefixed with `app-protect*`.
+
+## Enable NGINX App Protect WAF v5
+
+NGINX App Protect WAF can be enabled and configured for custom resources (VirtualServer, VirtualServerRoute) or Ingress resources.
+
+- For custom resources, you need to create a Policy Custom Resource referencing a policy bundle, then add it to the VirtualServer definition. Additional detail can be found in the [Policy Resource documentation]({{< relref "configuration/policy-resource.md#waf" >}}).
+- For Ingress resources, apply the [`app-protect` annotations]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations.md#app-protect" >}}) to each desired resource.
+
+
+
+## NGINX App Protect WAF Bundles {#waf-bundles}
+
+You define App Protect WAF bundles for VirtualServer custom resources by creating policy bundles and putting them on a mounted volume accessible from NGINX Ingress Controller.
+
+Before applying a policy, a WAF policy bundle must be created, then copied to a volume mounted to `/etc/app_protect/bundles`.
+
+{{< note >}} NGINX Ingress Controller supports `securityLogs` for policy bundles. Log bundles must also be copied to a volume mounted to `/etc/app_protect/bundles`. {{< /note >}}
+
+This example shows how a policy is configured by referencing a generated WAF Policy Bundle:
+
+
+```yaml
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: <policy_name>
+spec:
+  waf:
+    enable: true
+    apBundle: "<policy_bundle_name>.tgz"
+```
+
+This example shows the same policy as above but with a log bundle used for security log configuration:
+
+
+```yaml
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: <policy_name>
+spec:
+  waf:
+    enable: true
+    apBundle: "<policy_bundle_name>.tgz"
+    securityLogs:
+    - enable: true
+      apLogBundle: "<log_bundle_name>.tgz"
+      logDest: "syslog:server=syslog-svc.default:514"
+```
+
+## Configuration in NGINX Plus Ingress Controller using Virtual Server Resource
+
+This example shows how to deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF v5, deploy a simple web application, and then configure load balancing and WAF protection for that application using the VirtualServer resource.
+
+{{< note >}} You can find the files for this example on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/app-protect-waf/app-protect-waf-v5).{{< /note >}}
+
+## Prerequisites
+
+1. Follow the installation [instructions]({{< relref "installation/integrations/app-protect-waf-v5/installation.md" >}}) to deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF version 5.
+
+2. Save the public IP address of NGINX Ingress Controller into a shell variable:
+
+   ```shell
+    IC_IP=XXX.YYY.ZZZ.III
+   ```
+
+3. Save the HTTP port of NGINX Ingress Controller into a shell variable:
+
+   ```shell
+    IC_HTTP_PORT=<port number>
+   ```
+
+### Step 1. Deploy a Web Application
+
+Create the application deployment and service:
+
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf-v5/webapp.yaml
+  ```
+
+### Step 2. Create the Syslog Service
+
+Create the syslog service and pod for the NGINX App Protect WAF security logs:
+
+
+   ```shell
+   kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf-v5/syslog.yaml
+   ```
+
+### Step 3 - Deploy the WAF Policy
+
+
+{{< note >}} Configuration settings in the Policy resource enable WAF protection by configuring NGINX App Protect WAF with the log configuration created in the previous step. The policy bundle referenced as `your_policy_bundle_name.tgz` need to be created and placed in the `/etc/app_protect/bundles` volume first.{{</ note >}}
+
+Create and deploy the WAF policy.
+
+ ```shell
+  kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf-v5/waf.yaml
+ ```
+
+  
+### Step 4 - Configure Load Balancing
+
+
+{{< note >}} VirtualServer references the `waf-policy` created in Step 3.{{</ note >}}
+
+1. Create the VirtualServer Resource:
+
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf-v5/virtual-server.yaml
+    ```
+
+
+### Step 5 - Test the Application
+
+To access the application, curl the coffee and the tea services. We'll use the `--resolve` option to set the Host header of a request with `webapp.example.com`
+
+1. Send a request to the application:
+
+  ```shell
+  curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/
+  ```
+
+  ```shell
+  Server address: 10.12.0.18:80
+  Server name: webapp-7586895968-r26zn
+  ```
+
+1. Try to send a request with a suspicious URL:
+
+  ```shell
+  curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/<script>"
+  ```
+ 
+  ```shell  
+  <html><head><title>Request Rejected</title></head><body>
+  ```
+
+1.  Check the security logs in the syslog pod:
+
+  ```shell
+  kubectl exec -it <SYSLOG_POD> -- cat /var/log/messages
+  ```
+
+### Example VirtualServer configuration
+
+The GitHub repository has a full [VirtualServer example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf-v5/webapp.yaml).
+
+```yaml
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: webapp
+spec:
+  host: webapp.example.com
+  policies:
+  - name: waf-policy
+  upstreams:
+  - name: webapp
+    service: webapp-svc
+    port: 80
+  routes:
+  - path: /
+    action:
+      pass: webapp
+```
diff --git a/docs/content/installation/integrations/app-protect-waf-v5/installation.md b/docs/content/installation/integrations/app-protect-waf-v5/installation.md
new file mode 100644
index 0000000000..1ef976b855
--- /dev/null
+++ b/docs/content/installation/integrations/app-protect-waf-v5/installation.md
@@ -0,0 +1,349 @@
+---
+docs: DOCS-000
+doctypes:
+   - ''
+title: Build NGINX Ingress Controller with NGINX App Protect WAF v5
+toc: true
+weight: 100
+---
+
+This document explains how to build a F5 NGINX Ingress Controller image with F5 NGINX App Protect WAF v5 from source code.
+
+{{<call-out "tip" "Pre-built image alternatives" >}} If you'd rather not build your own NGINX Ingress Controller image, see the [pre-built image options](#pre-built-images) at the end of this guide.{{</call-out>}}
+
+## Before you start
+
+- To use NGINX App Protect WAF with NGINX Ingress Controller, you must have NGINX Plus.
+
+## Prepare the environment
+
+Get your system ready for building and pushing the NGINX Ingress Controller image with NGINX App Protect WAF v5.
+
+1. Sign in to your private registry. Replace `<my-docker-registry>` with the path to your own private registry.
+
+    ```shell
+    docker login <my-docker-registry>
+    ```
+
+1. Pull the WAF Config Manager image:
+
+    ```shell
+    docker pull private-registry.nginx.com/nap/waf-config-mgr:<image-tag>
+    ```
+
+1. Pull the WAF Enforcer Docker image
+
+    ```shell
+    docker pull private-registry.nginx.com/nap/waf-enforcer:<image-tag>
+    ```
+
+1. Clone the NGINX Ingress Controller repository:
+
+    ```console
+    git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.6.0
+    cd kubernetes-ingress
+    ```
+
+---
+
+## Build the image
+
+Follow these steps to build the NGINX Controller Image with NGINX App Protect WAF v5.
+
+1. Place your NGINX Plus license files (_nginx-repo.crt_ and _nginx-repo.key_) in the project's root folder. To verify they're in place, run:
+
+    ```shell
+    ls nginx-repo.*
+    ```
+
+   You should see:
+
+    ```shell
+    nginx-repo.crt  nginx-repo.key
+    ```
+
+2. Build the image. Replace `<makefile target>` with your chosen build option and `<my-docker-registry>` with your private registry's path. Refer to the [Makefile targets](#makefile-targets) table below for the list of build options.
+
+    ```shell
+    make <makefile target> PREFIX=<my-docker-registry>/nginx-plus-ingress TARGET=download
+    ```
+
+   For example, to build a Debian-based image with NGINX Plus and NGINX App Protect WAF v5, run:
+
+    ```shell
+    make debian-image-nap-v5-plus PREFIX=<my-docker-registry>/nginx-plus-ingress TARGET=download
+    ```
+
+   **What to expect**: The image is built and tagged with a version number, which is derived from the `VERSION` variable in the [_Makefile_]({{< relref "installation/building-nginx-ingress-controller.md#makefile-details" >}}). This version number is used for tracking and deployment purposes.
+
+{{<note>}} In the event a patch of NGINX Plus is released, make sure to rebuild your image to get the latest version. If your system is caching the Docker layers and not updating the packages, add `DOCKER_BUILD_OPTIONS="--pull --no-cache"` to the make command. {{</note>}}
+
+### Makefile targets {#makefile-targets}
+
+Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF v5 and FIPS)
+
+{{<bootstrap-table "table table-striped table-bordered">}}
+| Makefile Target           | Description                                                       | Compatible Systems  |
+|---------------------------|-------------------------------------------------------------------|---------------------|
+| **alpine-image-nap-v5-plus-fips** | Builds a Alpine-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect-waf-v5/) module with FIPS. | Alpine  |
+| **debian-image-nap-v5-plus** | Builds a Debian-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect-waf-v5/) module. | Debian  |
+| **ubi-image-nap-v5-plus**    | Builds a UBI-based image with NGINX Plus and the [NGINX App Protect WAF v5](/nginx-app-protect-waf-v5/) module. | OpenShift |
+| **ubi-image-nap-dos-v5-plus** | Builds a UBI-based image with NGINX Plus, [NGINX App Protect WAF v5](/nginx-app-protect-waf-v5/), and [NGINX App Protect DoS](/nginx-app-protect-dos/). | OpenShift |
+{{</bootstrap-table>}}
+
+<br>
+
+{{<see-also>}} For the complete list of _Makefile_ targets and customizable variables, see the [Building NGINX Ingress Controller]({{< relref "installation/building-nginx-ingress-controller.md#makefile-details" >}}) guide. {{</see-also>}}
+
+If you intend to use [external references](/nginx-app-protect-waf/v5/configuration/#external-references) in NGINX App Protect WAF policies, you may want to provide a custom CA certificate to authenticate with the hosting server.
+
+To do so, place the `*.crt` file in the build folder and uncomment the lines following this comment:
+`#Uncomment the lines below if you want to install a custom CA certificate`
+
+{{<warning>}} External references are deprecated in NGINX Ingress Controller and will not be supported in future releases. {{</warning>}}
+
+---
+
+## Push the images to your private registry
+
+Once you've successfully pulled the WAF v5 manager and enforcer images and built the NGINX Ingress Controller image with NGINX App Protect WAF v5, the next step is to upload them to your private Docker registry. This makes the image available for deployment to your Kubernetes cluster.
+
+To upload the image, run the following command. If you're using a custom tag, add `TAG=your-tag` to the end of the command. Replace `<my-docker-registry>` with your private registry's path.
+
+```shell
+make push PREFIX=<my-docker-registry>/nginx-plus-ingress
+```
+
+To upload the WAF config manager and enforcer images run the following commands:
+
+```shell
+docker push <my-docker-registry>/waf-config-mgr:<your-tag>
+```
+
+```shell
+docker push <my-docker-registry>/waf-enforcer:<your-tag>
+```
+
+---
+
+{{< include "installation/create-custom-resources.md" >}}
+
+
+## Deploy NGINX Ingress Controller {#deploy-ingress-controller}
+
+{{< important >}} NGINX Ingress Controller with the AppProtect WAF v5 module works only with policy bundles. You need to modify the Deployment or DaemonSet file to include volumes, volume mounts and two WAF 5 docker images: `waf-config-mgr` and `waf-enforcer`.
+
+NGINX Ingress Controller **requires** the volume mount path to be `/etc/app_protect/bundles`. {{< /important >}}
+
+{{<tabs name="deploy-nic">}}
+
+{{%tab name="With Helm"%}}
+
+Below are examples of a `PersistentVolume` and `PersistentVolumeClaim` that you can reference in your Helm values:
+
+```yaml
+...
+volumes:
+- name: <volume_name>
+persistentVolumeClaim:
+    claimName: <claim_name>
+...
+```
+
+Add volume mounts to the `containers` section:
+
+```yaml
+...
+volumeMounts:
+- name: <volume_mount_name>
+    mountPath: /etc/app_protect/bundles
+...
+```
+
+### Enabling WAF v5
+
+Start by setting `controller.appprotect.enable` to `true` in your Helm values. This will the standard App Protect WAF fetatures.
+Afterwords, set `controller.approtect.v5` to `true`.
+This ensures that both the `waf-enforcer` and `waf-config-mgr` containers are deployed alongside the NGINX Ingress Controller containers.
+These two additional containers are required when using App Protect WAF v5.
+
+Your Helm values should look something like this:
+
+```yaml
+controller:
+  ...
+  ## Support for App Protect WAF
+  appprotect:
+    ## Enable the App Protect WAF module in the Ingress Controller.
+    enable: true
+    ## Enables App Protect WAF v5.
+    v5: true
+```
+
+
+### Configuring volumes
+
+Whether you have created a new `PersistentVolume` and `PersistentVolumeClaim`, or you are referencing an existing `PersistentVolumeClaim`, update the `app-protect-bundles` volume to reference your `PersistentVolumeClaim`.
+
+Example helm values:
+
+```yaml
+...
+controller:
+  ...
+  appprotect:
+  ...
+   volumes:
+   - name: app-protect-bundles
+     persistentVolumeClaim:
+        claimName: <my_claim_name>
+...
+```
+
+{{< note >}}
+By default, `emptyDir` mounts are used.
+Bundles that are added to these kind of volume mounts will **NOT** persist across pod restarts.
+
+Example default volumes:
+```yaml
+...
+controller:
+  ...
+  appprotect:
+  ...
+   volumes:
+   - name: app-protect-bundles
+     emptyDir: {}
+...
+```
+{{< /note >}}
+
+{{%/tab%}}
+
+{{%tab name="With Manifest"%}}
+
+You have two options for deploying NGINX Ingress Controller:
+
+- **Deployment**. Choose this method for the flexibility to dynamically change the number of NGINX Ingress Controller replicas.
+- **DaemonSet**. Choose this method if you want NGINX Ingress Controller to run on all nodes or a subset of nodes.
+
+---
+
+### Set up role-based access control (RBAC) {#set-up-rbac}
+
+{{<call-out "important" "Admin access required" >}}To complete these steps you need admin access to your cluster. Refer to to your Kubernetes platform's documentation to set up admin access. For Google Kubernetes Engine (GKE), you can refer to their [Role-Based Access Control guide](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).{{</call-out>}}
+
+1. Create a namespace and a service account:
+
+    ```shell
+    kubectl apply -f deployments/common/ns-and-sa.yaml
+    ```
+
+2. Create a cluster role and binding for the service account:
+
+    ```shell
+    kubectl apply -f deployments/rbac/rbac.yaml
+    ```
+
+---
+
+### Volumes and VolumeMounts
+
+Add a `volumes` section to deployment template spec:
+
+```yaml
+...
+volumes:
+- name: <volume_name>
+persistentVolumeClaim:
+    claimName: <claim_name>
+...
+```
+
+Add volume mounts to the `containers` section:
+
+```yaml
+...
+volumeMounts:
+- name: <volume_mount_name>
+    mountPath: /etc/app_protect/bundles
+...
+```
+
+### WAF Config Manager and WAF Enforcer
+
+Add `waf-config-mgr` image to the `containers` section:
+
+```yaml
+...
+- name: waf-config-mgr
+  image: private-registry.nginx.com/nap/waf-config-mgr:<version-tag>
+  imagePullPolicy: IfNotPresent
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - all
+  volumeMounts:
+    - name: app-protect-bd-config
+      mountPath: /opt/app_protect/bd_config
+    - name: app-protect-config
+      mountPath: /opt/app_protect/config
+    - name: app-protect-bundles
+      mountPath: /etc/app_protect/bundles
+...
+```
+
+Add `waf-enforcer` image to the `containers` section:
+
+```yaml
+...
+- name: waf-enforcer
+  image: private-registry.nginx.com/nap/waf-enforcer:<version-tag>
+  imagePullPolicy: IfNotPresent
+  env:
+    - name: ENFORCER_PORT
+      value: "50000"
+  volumeMounts:
+    - name: app-protect-bd-config
+      mountPath: /opt/app_protect/bd_config
+...
+```
+
+### Using a Deployment
+
+{{< include "installation/manifests/deployment.md" >}}
+
+### Using a DaemonSet
+
+{{< include "installation/manifests/daemonset.md" >}}
+
+---
+
+### Enable NGINX App Protect WAF module
+
+To enable the NGINX App Protect DoS Module:
+
+- Add the `enable-app-protect` [command-line argument]({{< relref "configuration/global-configuration/command-line-arguments.md#cmdoption-enable-app-protect" >}}) to your Deployment or DaemonSet file.
+
+{{%/tab%}}
+
+{{</tabs>}}
+
+---
+
+## Confirm NGINX Ingress Controller is running
+
+{{< include "installation/manifests/verify-pods-are-running.md" >}}
+
+For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf-v5/configuration.md" >}}) and the NGINX Ingress Controller with App Protect version 5 example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/app-protect-waf/app-protect-waf-v5) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-waf-v5" >}}).
+
+---
+
+## Alternatives to building your own image {#pre-built-images}
+
+If you prefer not to build your own NGINX Ingress Controller image, you can use pre-built images. Here are your options:
+
+- Download the image using your NGINX Ingress Controller subscription certificate and key. See the [Getting the F5 Registry NGINX Ingress Controller Image]({{< relref "installation/nic-images/pulling-ingress-controller-image.md" >}}) guide.
+- Use your NGINX Ingress Controller subscription JWT token to get the image: Instructions are in [Getting the NGINX Ingress Controller Image with JWT]({{< relref "installation/nic-images/using-the-jwt-token-docker-secret.md" >}}).
+- Download the WAF 
diff --git a/docs/content/installation/integrations/app-protect-waf/troubleshooting-app-protect-waf.md b/docs/content/installation/integrations/app-protect-waf/troubleshooting-app-protect-waf.md
index dc9d238715..f005c9ebf0 100644
--- a/docs/content/installation/integrations/app-protect-waf/troubleshooting-app-protect-waf.md
+++ b/docs/content/installation/integrations/app-protect-waf/troubleshooting-app-protect-waf.md
@@ -1,5 +1,5 @@
 ---
-docs: DOCS-1460
+docs: DOCS-0000
 doctypes:
 - ''
 title: Troubleshooting NGINX App Protect WAF
@@ -7,25 +7,26 @@ toc: true
 weight: 300
 ---
 
-This document describes how to troubleshoot problems when using NGINX Ingress Controller and the NGINX App Protect WAF module.
+This document describes how to troubleshoot problems when using NGINX Ingress Controller and the NGINX App Protect WAF module version 5.
 
 For general troubleshooting of NGINX Ingress Controller, check the general [troubleshooting]({{< relref "troubleshooting/troubleshoot-common" >}}) documentation.
 
-{{< see-also >}} You can find more troubleshooting tips in the NGINX App Protect WAF [troubleshooting guide](/nginx-app-protect/v4/troubleshooting/) {{< /see-also >}}.
+{{< see-also >}} You can find more troubleshooting tips in the NGINX App Protect WAF [troubleshooting guide](/nginx-app-protect/v5/troubleshooting/) {{< /see-also >}}.
 
 ## Potential problems
 
-The table below categorizes some potential problems with the Ingress Controller when App Protect WAF module is enabled. It suggests how to troubleshoot those problems, using one or more methods from the next section.
+The table below categorizes some potential problems with NGINX Ingress Controller when App Protect WAF module is enabled. It suggests how to troubleshoot those problems, using one or more methods from the next section.
 
 {{% table %}}
 |Problem area | Symptom | Troubleshooting method | Common cause |
 | ---| ---| ---| --- |
-|Start. | The Ingress Controller fails to start. | Check the logs. | Misconfigured APLogConf or APPolicy. |
-|APLogConf, APPolicy or Ingress Resource. | The configuration is not applied. | Check the events of the APLogConf, APPolicy and Ingress Resource, check the logs, replace the policy. | APLogConf or APPolicy is invalid. |
-|NGINX. | The Ingress Controller NGINX verification timeouts while starting for the first time or while reloading after a change. | Check the logs for ``Unable to fetch version: X`` message. Check the Availability of APPolicy External References. | Too many Ingress Resources with App Protect enabled. Check the `NGINX fails to start/reload section <#nginx-fails-to-start-or-reload>`_ of the Known Issues. |
+|Start. | The Ingress Controller fails to start. | Check the logs. | Misconfigured policy bundle. |
+|Start | The configuration is not applied. | Check if a policy bundle is compiled using version of the compiler running in NGINX Ingress Controller. | Policy bundle is invalid. |
+|Start | The configuration is not applied. | Check if bundle is present in a volume. | Policy bundle is not present in the mounted volume. |
+|APLogConf, Policy or Ingress Resource. | The configuration is not applied. | Check the events of the APLogConf, Policy and Ingress Resource, check the logs, replace the policy bundle. | Policy bundle is invalid. |
 {{% /table %}}
 
-## Troubleshooting Methods
+## Troubleshooting methods
 
 ### Check NGINX Ingress Controller and App Protect logs
 
@@ -75,9 +76,10 @@ Events:
 
 The events section has a *Normal* event with the *AddedOrUpdated reason*, indicating the policy was successfully accepted.
 
-### Replace the Policy
+### Replace the policy
+
+{{< note >}} This method only applies if using [external references](/nginx-app-protect/v4/configuration/#external-references) {{< /note >}}
 
-NOTE: This method only applies if using [external references](/nginx-app-protect/v4/configuration/#external-references)
 If items on the external reference change but the spec of the APPolicy remains unchanged (even when re-applying the policy), Kubernetes will not detect the update.
 In this case you can force-replace the resource. This will remove the resource and add it again, triggering a reload. For example:
 
@@ -87,9 +89,9 @@ kubectl replace appolicy -f your-policy-manifest.yaml --force
 
 ### Check the availability of APPolicy external references
 
-NOTE: This method only applies if you're using [external references](/nginx-app-protect/v4/configuration/#external-references) in NGINX App Protect policies.
+{{< note >}} This method only applies if you're using [external references](/nginx-app-protect/v4/configuration/#external-references) in NGINX App Protect policies. {{< /note >}}
 
-To check what servers host the external references of a policy:
+To check which servers host the external references of a policy:
 
 ```shell
 kubectl get appolicy mypolicy -o jsonpath='{.items[*].spec.policy.*.link}' | tr ' ' '\n'
@@ -112,13 +114,13 @@ When using NGINX Ingress Controller with the App Protect WAF module, the followi
 
 When you make a change that requires NGINX to apply a new configuration, NGINX Ingress Controller reloads NGINX automatically. Without the App Protect WAF module enabled, usual reload times are around 150ms. If App Protect WAF module is enabled and is being used by any number of Ingress Resources, these reloads might take a few seconds instead.
 
-### NGINX Configuration Skew
+### NGINX configuration drift
 
 If you are running more than one instance of NGINX Ingress Controller, the extended reload time may cause the NGINX configuration of your instances to be out of sync. This can occur because there is no order imposed on how NGINX Ingress Controller processes the Kubernetes Resources. The configurations will be the same after all instances have completed the reload.
 
 In order to reduce these inconsistencies, we advise that you do not apply changes to multiple resources handled by NGINX Ingress Controller at the same time.
 
-### NGINX Fails to Start or Reload
+### NGINX fails to start or reload
 
 The first time NGINX Ingress Controller starts, or whenever there is a change that requires reloading NGINX, NGINX Ingress Controller will verify if the reload was successful. The timeout for this verification is normally 4 seconds. When App Protect is enabled, this timeout increases to 20 seconds.
 
diff --git a/docs/content/installation/integrations/f5-ingresslink.md b/docs/content/installation/integrations/f5-ingresslink.md
index 7a3a710a10..dec6e79ec5 100644
--- a/docs/content/installation/integrations/f5-ingresslink.md
+++ b/docs/content/installation/integrations/f5-ingresslink.md
@@ -4,7 +4,7 @@ doctypes:
 - concept
 title: F5 BIG-IP
 toc: true
-weight: 300
+weight: 400
 ---
 
 Learn how to use NGINX Ingress Controller with F5 IngressLink to configure your F5 BIG-IP device.
diff --git a/docs/content/installation/integrations/opentracing.md b/docs/content/installation/integrations/opentracing.md
index 241e70626c..2d10ff1fdf 100644
--- a/docs/content/installation/integrations/opentracing.md
+++ b/docs/content/installation/integrations/opentracing.md
@@ -4,7 +4,7 @@ doctypes:
 - ''
 title: OpenTracing
 toc: true
-weight: 400
+weight: 500
 ---
 
 Learn how to use OpenTracing with NGINX Ingress Controller.
diff --git a/docs/content/installation/nic-images/pulling-ingress-controller-image.md b/docs/content/installation/nic-images/pulling-ingress-controller-image.md
index f997dc02c3..05ecce9e8f 100644
--- a/docs/content/installation/nic-images/pulling-ingress-controller-image.md
+++ b/docs/content/installation/nic-images/pulling-ingress-controller-image.md
@@ -54,6 +54,21 @@ To pull an image, follow these steps. Replace `<version-tag>` with the specific
    docker pull private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:<version-tag>
    ```
 
+- For NGINX Plus Ingress Controller with NGINX App Protect WAF v5, run:
+
+   ```shell
+   docker pull private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:<version-tag>
+   ```
+
+   ```shell
+   docker pull private-registry.nginx.com/nap/waf-config-mgr:<waf-version-tag>
+   ```
+
+   ```shell
+   docker pull private-registry.nginx.com/nap/waf-enforcer:<waf-version-tag>
+   ```
+
+
 - For NGINX Plus Ingress Controller with NGINX App Protect DoS, run:
 
    ```shell
@@ -128,6 +143,23 @@ After pulling the image, tag it and upload it to your private registry.
       docker push <my-docker-registry>/nginx-ic-nap/nginx-plus-ingress:<version-tag>
       ```
 
+      - For NGINX Controller with NGINX App Protect WAF v5, run:
+
+      ```shell
+      docker tag private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:<version-tag> <my-docker-registry>/nginx-ic-nap/nginx-plus-ingress:<version-tag>
+      docker push <my-docker-registry>/nginx-ic-nap/nginx-plus-ingress:<version-tag>
+      ```
+
+      ```shell
+      docker tag private-registry.nginx.com/nap/waf-config-mgr:<waf-version-tag> <my-docker-registry>/nap/waf-config-mgr:<waf-version-tag>
+      docker push <my-docker-registry>/nap/waf-config-mgr:<waf-version-tag>
+      ```
+
+      ```shell
+      docker tag private-registry.nginx.com/nap/waf-enforcer:<waf-version-tag> <my-docker-registry>/nap/waf-enforcer:<waf-version-tag>
+      docker push <my-docker-registry>/nap/waf-enforcer:<waf-version-tag>
+      ```
+
    - For NGINX Controller with NGINX App Protect DoS, run:
 
       ```shell
diff --git a/docs/content/overview/about.md b/docs/content/overview/about.md
index c282a69bd3..51415a7a82 100644
--- a/docs/content/overview/about.md
+++ b/docs/content/overview/about.md
@@ -14,4 +14,4 @@ NGINX Ingress Controller is an [Ingress Controller]({{< relref "glossary.md#ingr
 
 NGINX Ingress Controller supports the [VirtualServer and VirtualServerRoute resources]({{< relref "configuration/virtualserver-and-virtualserverroute-resources">}}) as alternatives to Ingress, enabling traffic splitting and advanced content-based routing. It also supports TCP, UDP and TLS Passthrough load balancing using [TransportServer resources]({{< relref "configuration/transportserver-resource">}}).
 
-To learn more about NGINX Ingress Controller, please read the [The design of NGINX Ingress Controller]({{< relref "overview/design.nd">}}) and [Extensibility with NGINX Plus]({{< relref "overview/nginx-plus.md">}}) topics.
+To learn more about NGINX Ingress Controller, please read the [The design of NGINX Ingress Controller]({{< relref "overview/design.md">}}) and [Extensibility with NGINX Plus]({{< relref "overview/nginx-plus.md">}}) topics.
diff --git a/docs/go.mod b/docs/go.mod
index c00ee80586..48a8895f7f 100644
--- a/docs/go.mod
+++ b/docs/go.mod
@@ -2,4 +2,4 @@ module github.com/nginxinc/kubernetes-ingress/docs
 
 go 1.19
 
-require github.com/nginxinc/nginx-hugo-theme v0.40.0 // indirect
+require github.com/nginxinc/nginx-hugo-theme v0.41.8 // indirect
diff --git a/docs/go.sum b/docs/go.sum
index b62d2cb4d4..93628509d3 100644
--- a/docs/go.sum
+++ b/docs/go.sum
@@ -1,4 +1,2 @@
-github.com/nginxinc/nginx-hugo-theme v0.38.1 h1:1dCP7tzeJTy0HOekaMn6glSAoCtD9bk3q9Xs4ZmPynU=
-github.com/nginxinc/nginx-hugo-theme v0.38.1/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M=
-github.com/nginxinc/nginx-hugo-theme v0.40.0 h1:YP0I0+bRKcJ5WEb1s/OWcnlcvNvIcKscagJkCzsa+Vs=
-github.com/nginxinc/nginx-hugo-theme v0.40.0/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M=
+github.com/nginxinc/nginx-hugo-theme v0.41.8 h1:l9Lsl9NMaTmNCSMa/W9sdqwhlKFxfb+6ue6w6+bsMC0=
+github.com/nginxinc/nginx-hugo-theme v0.41.8/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M=
diff --git a/examples/custom-resources/service-insight/README.md b/examples/custom-resources/service-insight/README.md
index 12a8a12271..fc79df3e0b 100644
--- a/examples/custom-resources/service-insight/README.md
+++ b/examples/custom-resources/service-insight/README.md
@@ -32,7 +32,7 @@ spec:
       securityContext:
       ...
       containers:
-      - image: nginx-plus-ingress:3.5.1
+      - image: nginx-plus-ingress:3.6.0
         imagePullPolicy: IfNotPresent
         name: nginx-plus-ingress
         ports:
@@ -321,7 +321,7 @@ spec:
       securityContext:
       ...
       containers:
-      - image: nginx-plus-ingress:3.5.1
+      - image: nginx-plus-ingress:3.6.0
         imagePullPolicy: IfNotPresent
         name: nginx-plus-ingress
         ports:

From 0521df425f25b26de3bccc5572fdac235db9b8cf Mon Sep 17 00:00:00 2001
From: Venktesh Shivam Patel <ve.patel@f5.com>
Date: Tue, 25 Jun 2024 10:26:19 +0100
Subject: [PATCH 15/37] fix v5 path (#5847)

---
 .../nic-images/pulling-ingress-controller-image.md            | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/content/installation/nic-images/pulling-ingress-controller-image.md b/docs/content/installation/nic-images/pulling-ingress-controller-image.md
index 05ecce9e8f..a83e109217 100644
--- a/docs/content/installation/nic-images/pulling-ingress-controller-image.md
+++ b/docs/content/installation/nic-images/pulling-ingress-controller-image.md
@@ -57,7 +57,7 @@ To pull an image, follow these steps. Replace `<version-tag>` with the specific
 - For NGINX Plus Ingress Controller with NGINX App Protect WAF v5, run:
 
    ```shell
-   docker pull private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:<version-tag>
+   docker pull private-registry.nginx.com/nginx-ic-nap-v5/nginx-plus-ingress:<version-tag>
    ```
 
    ```shell
@@ -146,7 +146,7 @@ After pulling the image, tag it and upload it to your private registry.
       - For NGINX Controller with NGINX App Protect WAF v5, run:
 
       ```shell
-      docker tag private-registry.nginx.com/nginx-ic-nap/nginx-plus-ingress:<version-tag> <my-docker-registry>/nginx-ic-nap/nginx-plus-ingress:<version-tag>
+      docker tag private-registry.nginx.com/nginx-ic-nap-v5/nginx-plus-ingress:<version-tag> <my-docker-registry>/nginx-ic-nap/nginx-plus-ingress:<version-tag>
       docker push <my-docker-registry>/nginx-ic-nap/nginx-plus-ingress:<version-tag>
       ```
 

From df72b9caeb543542feb57b926804953bb52e54ae Mon Sep 17 00:00:00 2001
From: oseoin <oseoin@users.noreply.github.com>
Date: Tue, 25 Jun 2024 10:59:48 +0100
Subject: [PATCH 16/37] Fix build arg for templates (#5844)

---
 build/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/build/Dockerfile b/build/Dockerfile
index a1cfc7422f..05a8614340 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -664,6 +664,7 @@ ENTRYPOINT ["/dlv"]
 
 ############################################# Create image with nginx-ingress built locally & using prebuilt base image #############################################
 FROM ${PREBUILT_BASE_IMG} AS local-prebuilt
+ARG BUILD_OS
 
 LABEL org.nginx.kic.image.build.version="local"
 
@@ -711,6 +712,7 @@ RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_
 ############################################# Create image with nginx-ingress built by GoReleaser & using prebuilt base image #############################################
 FROM ${PREBUILT_BASE_IMG} AS goreleaser-prebuilt
 ARG TARGETARCH
+ARG BUILD_OS
 
 LABEL org.nginx.kic.image.build.version="goreleaser"
 
@@ -760,6 +762,7 @@ RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_
 FROM ${PREBUILT_BASE_IMG} AS aws-prebuilt
 ARG TARGETARCH
 ARG NAP_MODULES_AWS
+ARG BUILD_OS
 
 LABEL org.nginx.kic.image.build.version="aws"
 

From dec3524b7007b2b4bcba2c1eee1f76e24939ad62 Mon Sep 17 00:00:00 2001
From: Jim Ryan <j.ryan@f5.com>
Date: Tue, 25 Jun 2024 12:32:55 +0100
Subject: [PATCH 17/37] fix api key policy undefined routes (#5838)

* fix api key policy undefined routes

* add template test

* update docs
---
 examples/custom-resources/api-key/README.md   |  12 +-
 .../__snapshots__/templates_test.snap         | 440 ++++++++++++++++++
 .../version2/nginx-plus.virtualserver.tmpl    |   1 +
 .../configs/version2/nginx.virtualserver.tmpl |   1 +
 internal/configs/version2/templates_test.go   |  25 +
 tests/suite/test_apikey_auth_policies.py      |  45 ++
 6 files changed, 518 insertions(+), 6 deletions(-)

diff --git a/examples/custom-resources/api-key/README.md b/examples/custom-resources/api-key/README.md
index c57b9c4d62..4a206afd02 100644
--- a/examples/custom-resources/api-key/README.md
+++ b/examples/custom-resources/api-key/README.md
@@ -17,7 +17,7 @@ a web application, configure load balancing for it via a VirtualServer, and appl
 1. Save the HTTP port of the Ingress Controller into a shell variable:
 
     ```console
-    IC_HTTP_PORT=<port number>
+    IC_HTTPS_PORT=<port number>
     ```
 
 ## Step 1 - Deploy a Web Application
@@ -25,7 +25,7 @@ a web application, configure load balancing for it via a VirtualServer, and appl
 Create the application deployment and service:
 
 ```console
-kubectl apply -f cafe.yaml
+kubectl apply -f cafe.yaml -f cafe-secret.yaml
 ```
 
 ## Step 2 - Deploy the API Key Auth Secret
@@ -62,7 +62,7 @@ Note that the VirtualServer references the policy `api-key-policy` created in St
 If you attempt to access the application without providing a valid API Key in a expected header or query param for that VirtualServer:
 
 ```console
-curl --resolve cafe.example.com:$IC_HTTP_PORT:$IC_IP http://cafe.example.com:$IC_HTTP_PORT/
+curl -k --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/
 ```
 
 ```text
@@ -78,7 +78,7 @@ curl --resolve cafe.example.com:$IC_HTTP_PORT:$IC_IP http://cafe.example.com:$IC
 If you attempt to access the application providing an incorrect API Key in an expected header or query param for that VirtualServer:
 
 ```console
-curl --resolve cafe.example.com:$IC_HTTP_PORT:$IC_IP -H "X-header-name: wrongpassword" http://cafe.example.com:$IC_HTTP_PORT/coffee
+curl -k --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP -H "X-header-name: wrongpassword" https://cafe.example.com:$IC_HTTPS_PORT/coffee
 ```
 
 ```text
@@ -94,7 +94,7 @@ curl --resolve cafe.example.com:$IC_HTTP_PORT:$IC_IP -H "X-header-name: wrongpas
 If you provide a valid API Key in an a header or query defined in the policy, your request will succeed:
 
 ```console
-curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP -H "X-header-name: password" https://cafe.example.com:$IC_HTTPS_PORT/coffee 
+curl -k --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP -H "X-header-name: password" https://cafe.example.com:$IC_HTTPS_PORT/coffee 
 ```
 
 ```text
@@ -108,7 +108,7 @@ Request ID: 4feedb3265a0430a1f58831d016e846d
 If you attempt to access the /tea path, the request will be allowed without an API Key, because the auth_request directive is turned off for that path with a location snippet:
 
 ```console
-curl --resolve cafe.example.com:$IC_HTTP_PORT:$IC_IP http://cafe.example.com:$IC_HTTP_PORT/tea
+curl -k --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea
 ```
 
 ```text
diff --git a/internal/configs/version2/__snapshots__/templates_test.snap b/internal/configs/version2/__snapshots__/templates_test.snap
index ff2b738552..60c9946a63 100644
--- a/internal/configs/version2/__snapshots__/templates_test.snap
+++ b/internal/configs/version2/__snapshots__/templates_test.snap
@@ -80,6 +80,446 @@ server {
 
 ---
 
+[TestExecuteVirtualServerTemplateWithAPIKeyPolicyNGINXPlus - 1]
+
+upstream test-upstream {
+    zone test-upstream 256k;
+    random;
+    server 10.0.0.20:8001 max_fails=4 fail_timeout=10s slow_start=10s max_conns=31;
+    keepalive 32;
+    queue 10 timeout=60s;
+    sticky cookie test expires=25s path=/tea;
+
+    ntlm;
+}
+
+upstream coffee-v1 {
+    zone coffee-v1 256k;
+    server 10.0.0.31:8001 max_fails=8 fail_timeout=15s max_conns=2;
+
+    
+}
+
+upstream coffee-v2 {
+    zone coffee-v2 256k;
+    server 10.0.0.32:8001 max_fails=12 fail_timeout=20s max_conns=4;
+
+    
+}
+
+split_clients $request_id $split_0 {
+    50% @loc0;
+    50% @loc1;
+}
+map $match_0_0 $match {
+    ~^1 @match_loc_0;
+    default @match_loc_default;
+}
+map $http_x_version $match_0_0 {
+    v2 1;
+    default 0;
+}
+# HTTP snippet
+limit_req_zone $url zone=pol_rl_test_test_test:10m rate=10r/s;
+
+server {
+    listen 80 proxy_protocol;
+    listen [::]:80 proxy_protocol;
+
+
+    server_name example.com;
+    status_zone example.com;
+    set $resource_type "virtualserver";
+    set $resource_name "";
+    set $resource_namespace "";
+    listen 443 ssl proxy_protocol;
+    listen [::]:443 ssl proxy_protocol;
+
+    http2 on;
+    ssl_certificate cafe-secret.pem;
+    ssl_certificate_key cafe-secret.pem;
+    ssl_client_certificate ingress-mtls-secret;
+    ssl_verify_client on;
+    ssl_verify_depth 2;
+    if ($scheme = 'http') {
+        return 301 https://$host$request_uri;
+    }
+
+    server_tokens "off";
+    set_real_ip_from 0.0.0.0/0;
+    real_ip_header X-Real-IP;
+    real_ip_recursive on;
+    allow 127.0.0.1;
+    deny all;
+    deny 127.0.0.1;
+    allow all;
+    limit_req_log_level error;
+    limit_req_status 503;
+    limit_req zone=pol_rl_test_test_test burst=5
+         delay=10;
+    auth_jwt "My Api";
+    auth_jwt_key_file jwk-secret;
+    js_var $header_query_value "${http_x_header_name}${http_other_header}${arg_myQuery}${arg_myOtherQuery}";
+    js_var $apikey_auth_local_map "vs-default-cafe-apikey-policy";
+    js_var $apikey_auth_token $apikey_auth_hash;
+    auth_request /_validate_apikey_njs;
+    app_protect_enable on;
+        
+    app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm;
+        
+
+        
+
+        
+    app_protect_security_log_enable on;
+        
+    app_protect_security_log /etc/nginx/waf/nac-logconfs/default-logconf;
+        
+        
+    
+    # server snippet
+    location /split {
+        rewrite ^ @split_0 last;
+    }
+    location /coffee {
+        rewrite ^ @match last;
+    }
+    location @hc-coffee {
+        
+        proxy_connect_timeout ;
+        proxy_read_timeout ;
+        proxy_send_timeout ;
+        proxy_pass http://coffee-v2;
+        health_check uri=/ port=50 interval=5s jitter=0s
+            fails=1 passes=1
+             mandatory persistent
+             keepalive_time=;
+    }
+    location @hc-tea {
+        
+        grpc_connect_timeout ;
+        grpc_read_timeout ;
+        grpc_send_timeout ;
+        grpc_pass grpc://tea-v3;
+        health_check port=50 interval=5s jitter=0s
+            fails=1 passes=1
+            
+             type=grpc grpc_status=12
+             grpc_service=tea-servicev2 keepalive_time=;
+    }
+    location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_0 {
+        
+        default_type "application/json";
+        
+        
+        # status code is ignored here, using 0
+        return 0 "Hello World";
+    }
+    
+    location @vs_cafe_cafe_vsr_tea_tea_tea__tea_error_page_1 {
+        
+        
+        add_header Set-Cookie "cookie1=test" always;
+        
+        add_header Set-Cookie "cookie2=test; Secure" always;
+        
+        # status code is ignored here, using 0
+        return 0 "Hello World";
+    }
+    
+
+    
+    location @return_0 {
+        default_type "text/html";
+        
+        # status code is ignored here, using 0
+        return 0 "Hello!";
+    }
+    
+
+    
+    location / {
+        set $service "";
+        status_zone "";
+        internal;
+        # location snippet
+        allow 127.0.0.1;
+        deny all;
+        deny 127.0.0.1;
+        allow all;
+        limit_req zone=loc_pol_rl_test_test_test
+            ;
+
+        
+        proxy_ssl_certificate egress-mtls-secret.pem;
+        proxy_ssl_certificate_key egress-mtls-secret.pem;
+            
+        proxy_ssl_trusted_certificate trusted-cert.pem;
+        proxy_ssl_verify on;
+        proxy_ssl_verify_depth 1;
+        proxy_ssl_protocols TLSv1.3;
+        proxy_ssl_ciphers DEFAULT;
+        proxy_ssl_session_reuse on;
+        proxy_ssl_server_name on;
+        proxy_ssl_name ;
+        set $header_query_value "${http_x_header_name}${http_other_header}${arg_myQuery}${arg_myOtherQuery}";
+        set $default_connection_header close;
+        rewrite $request_uri $request_uri;
+        rewrite $request_uri $request_uri;
+        proxy_connect_timeout 30s;
+        proxy_read_timeout 31s;
+        proxy_send_timeout 32s;
+        client_max_body_size 1m;
+        proxy_max_temp_file_size 1024m;
+
+        proxy_buffering on;
+        proxy_buffers 8 4k;
+        proxy_buffer_size 4k;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $vs_connection_header;
+        proxy_pass_request_headers off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_hide_header Header;
+        proxy_pass_header Host;
+        proxy_ignore_headers Cache;
+        add_header Header-Name "Header Value" always;
+        proxy_pass http://test-upstream$request_uri;
+        proxy_next_upstream error timeout;
+        proxy_next_upstream_timeout 5s;
+        proxy_next_upstream_tries 0;
+    }
+    location @loc0 {
+        set $service "";
+        status_zone "";
+
+        
+        set $header_query_value "${http_x_header_name}${http_other_header}${arg_myQuery}${arg_myOtherQuery}";
+        error_page 400 500 =200 "@error_page_1";
+        error_page 500  "@error_page_2";
+        proxy_intercept_errors on;
+        set $default_connection_header close;
+        proxy_connect_timeout 30s;
+        proxy_read_timeout 31s;
+        proxy_send_timeout 32s;
+        client_max_body_size 1m;
+
+        proxy_buffering off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $vs_connection_header;
+        proxy_pass_request_headers off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://coffee-v1;
+        proxy_next_upstream error timeout;
+        proxy_next_upstream_timeout 5s;
+        proxy_next_upstream_tries 0;
+    }
+    location @loc1 {
+        set $service "";
+        status_zone "";
+
+        
+        set $header_query_value "${http_x_header_name}${http_other_header}${arg_myQuery}${arg_myOtherQuery}";
+        set $default_connection_header close;
+        proxy_connect_timeout 30s;
+        proxy_read_timeout 31s;
+        proxy_send_timeout 32s;
+        client_max_body_size 1m;
+
+        proxy_buffering off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $vs_connection_header;
+        proxy_pass_request_headers off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://coffee-v2;
+        proxy_next_upstream error timeout;
+        proxy_next_upstream_timeout 5s;
+        proxy_next_upstream_tries 0;
+    }
+    location @loc2 {
+        set $service "";
+        status_zone "";
+
+        
+        set $header_query_value "${http_x_header_name}${http_other_header}${arg_myQuery}${arg_myOtherQuery}";
+        error_page 400 = @grpc_internal;
+        error_page 401 = @grpc_unauthenticated;
+        error_page 403 = @grpc_permission_denied;
+        error_page 404 = @grpc_unimplemented;
+        error_page 429 = @grpc_unavailable;
+        error_page 502 = @grpc_unavailable;
+        error_page 503 = @grpc_unavailable;
+        error_page 504 = @grpc_unavailable;
+        error_page 405 = @grpc_internal;
+        error_page 408 = @grpc_deadline_exceeded;
+        error_page 413 = @grpc_resource_exhausted;
+        error_page 414 = @grpc_resource_exhausted;
+        error_page 415 = @grpc_internal;
+        error_page 426 = @grpc_internal;
+        error_page 495 = @grpc_unauthenticated;
+        error_page 496 = @grpc_unauthenticated;
+        error_page 497 = @grpc_internal;
+        error_page 500 = @grpc_internal;
+        error_page 501 = @grpc_internal;
+        set $default_connection_header close;
+        grpc_connect_timeout 30s;
+        grpc_read_timeout 31s;
+        grpc_send_timeout 32s;
+        client_max_body_size 1m;
+
+        proxy_buffering off;
+        grpc_set_header X-Real-IP $remote_addr;
+        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        grpc_set_header X-Forwarded-Host $host;
+        grpc_set_header X-Forwarded-Port $server_port;
+        grpc_set_header X-Forwarded-Proto $scheme;
+        grpc_pass grpc://coffee-v3;
+        grpc_next_upstream ;
+        grpc_next_upstream_timeout ;
+        grpc_next_upstream_tries 0;
+    }
+    location @match_loc_0 {
+        set $service "";
+        status_zone "";
+
+        
+        set $header_query_value "${http_x_header_name}${http_other_header}${arg_myQuery}${arg_myOtherQuery}";
+        set $default_connection_header close;
+        proxy_connect_timeout 30s;
+        proxy_read_timeout 31s;
+        proxy_send_timeout 32s;
+        client_max_body_size 1m;
+
+        proxy_buffering off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $vs_connection_header;
+        proxy_pass_request_headers off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://coffee-v2;
+        proxy_next_upstream error timeout;
+        proxy_next_upstream_timeout 5s;
+        proxy_next_upstream_tries 0;
+    }
+    location @match_loc_default {
+        set $service "";
+        status_zone "";
+
+        
+        set $header_query_value "${http_x_header_name}${http_other_header}${arg_myQuery}${arg_myOtherQuery}";
+        set $default_connection_header close;
+        proxy_connect_timeout 30s;
+        proxy_read_timeout 31s;
+        proxy_send_timeout 32s;
+        client_max_body_size 1m;
+
+        proxy_buffering off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $vs_connection_header;
+        proxy_pass_request_headers off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://coffee-v1;
+        proxy_next_upstream error timeout;
+        proxy_next_upstream_timeout 5s;
+        proxy_next_upstream_tries 0;
+    }
+    location /return {
+        set $service "";
+        status_zone "";
+
+        
+        set $header_query_value "${http_x_header_name}${http_other_header}${arg_myQuery}${arg_myOtherQuery}";
+        error_page 418 =200 "@return_0";
+        proxy_intercept_errors on;
+        proxy_pass http://unix:/var/lib/nginx/nginx-418-server.sock;
+        set $default_connection_header close;
+    }
+        
+    location @grpc_deadline_exceeded {
+        default_type application/grpc;
+        add_header content-type application/grpc;
+        add_header grpc-status 4;
+        add_header grpc-message 'deadline exceeded';
+        return 204;
+    }
+
+    location @grpc_permission_denied {
+        default_type application/grpc;
+        add_header content-type application/grpc;
+        add_header grpc-status 7;
+        add_header grpc-message 'permission denied';
+        return 204;
+    }
+
+    location @grpc_resource_exhausted {
+        default_type application/grpc;
+        add_header content-type application/grpc;
+        add_header grpc-status 8;
+        add_header grpc-message 'resource exhausted';
+        return 204;
+    }
+
+    location @grpc_unimplemented {
+        default_type application/grpc;
+        add_header content-type application/grpc;
+        add_header grpc-status 12;
+        add_header grpc-message unimplemented;
+        return 204;
+    }
+
+    location @grpc_internal {
+        default_type application/grpc;
+        add_header content-type application/grpc;
+        add_header grpc-status 13;
+        add_header grpc-message 'internal error';
+        return 204;
+    }
+
+    location @grpc_unavailable {
+        default_type application/grpc;
+        add_header content-type application/grpc;
+        add_header grpc-status 14;
+        add_header grpc-message unavailable;
+        return 204;
+    }
+
+    location @grpc_unauthenticated {
+        default_type application/grpc;
+        add_header content-type application/grpc;
+        add_header grpc-status 16;
+        add_header grpc-message unauthenticated;
+        return 204;
+    }
+
+        
+    
+}
+
+---
+
 [TestExecuteVirtualServerTemplateWithBackupServerNGINXPlus - 1]
 
 upstream test-upstream {
diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl
index 0715915457..cdd8eea60e 100644
--- a/internal/configs/version2/nginx-plus.virtualserver.tmpl
+++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl
@@ -253,6 +253,7 @@ server {
     {{- end }}
 
     {{- with $s.APIKey}}
+    js_var $header_query_value {{ makeHeaderQueryValue $s.APIKey | printf }};
     js_var $apikey_auth_local_map "{{ .MapName}}";
     js_var $apikey_auth_token $apikey_auth_hash;
     auth_request /_validate_apikey_njs;
diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl
index 3baf6eaec9..d1153170db 100644
--- a/internal/configs/version2/nginx.virtualserver.tmpl
+++ b/internal/configs/version2/nginx.virtualserver.tmpl
@@ -156,6 +156,7 @@ server {
     {{- end }}
 
     {{- with $s.APIKey}}
+    js_var $header_query_value {{ makeHeaderQueryValue $s.APIKey | printf }};
     js_var $apikey_auth_local_map "{{ .MapName}}";
     js_var $apikey_auth_token $apikey_auth_hash;
     auth_request /_validate_apikey_njs;
diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go
index b9860be9be..adadc78cca 100644
--- a/internal/configs/version2/templates_test.go
+++ b/internal/configs/version2/templates_test.go
@@ -526,6 +526,31 @@ func TestExecuteVirtualServerTemplateWithBackupServerNGINXPlus(t *testing.T) {
 	t.Log(string(got))
 }
 
+func TestExecuteVirtualServerTemplateWithAPIKeyPolicyNGINXPlus(t *testing.T) {
+	t.Parallel()
+
+	vscfg := vsConfig()
+	vscfg.Server.APIKey = &APIKey{
+		Header:  []string{"X-header-name", "other-header"},
+		Query:   []string{"myQuery", "myOtherQuery"},
+		MapName: "vs-default-cafe-apikey-policy",
+	}
+
+	e := newTmplExecutorNGINXPlus(t)
+	got, err := e.ExecuteVirtualServerTemplate(&vscfg)
+	if err != nil {
+		t.Error(err)
+	}
+
+	want := "js_var $header_query_value \"${http_x_header_name}${http_other_header}${arg_myQuery}${arg_myOtherQuery}\";"
+
+	if !bytes.Contains(got, []byte(want)) {
+		t.Errorf("want %q in generated template", want)
+	}
+	snaps.MatchSnapshot(t, string(got))
+	t.Log(string(got))
+}
+
 func vsConfig() VirtualServerConfig {
 	return VirtualServerConfig{
 		LimitReqZones: []LimitReqZone{
diff --git a/tests/suite/test_apikey_auth_policies.py b/tests/suite/test_apikey_auth_policies.py
index cd84e56634..d8def87914 100644
--- a/tests/suite/test_apikey_auth_policies.py
+++ b/tests/suite/test_apikey_auth_policies.py
@@ -112,6 +112,18 @@ def test_apikey_auth_policy_vs(self, kube_apis, crd_ingress_controller, virtual_
         wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
         wait_before_test()
 
+        # /undefined path (is not a route defined in the VirtualServer)
+        undefined_without_auth_headers = {"host": host}
+        undefined_with_wrong_auth_header = {"host": host, apikey_policy_details.headers[0]: "wrongpassword"}
+        undefined_with_auth_headers = {"host": host, apikey_policy_details.headers[0]: apikey_policy_details.apikeys[0]}
+        undefined_path = (
+            f"http://{virtual_server_setup.public_endpoint.public_ip}"
+            f":{virtual_server_setup.public_endpoint.port}/undefined"
+        )
+        undefined_resp_no_auth_header = requests.get(undefined_path, headers=undefined_without_auth_headers)
+        undefined_resp_with_wrong_auth_header = requests.get(undefined_path, headers=undefined_with_wrong_auth_header)
+        undefined_resp_with_auth_header = requests.get(undefined_path, headers=undefined_with_auth_headers)
+
         # /no-auth path
         no_auth_headers = {"host": host}
         no_auth_path = (
@@ -221,6 +233,15 @@ def test_apikey_auth_policy_vs(self, kube_apis, crd_ingress_controller, virtual_
             virtual_server_setup.namespace,
         )
 
+        # /undefined (without an auth header)
+        assert undefined_resp_no_auth_header.status_code == 401
+
+        # /undefined (with wrong password in header)
+        assert undefined_resp_with_wrong_auth_header.status_code == 403
+
+        # /undefined (with an auth header)
+        assert undefined_resp_with_auth_header.status_code == 404
+
         # /no-auth (snippet to turn off auth_request on this route)
         assert no_auth_resp.status_code == 200
 
@@ -302,6 +323,21 @@ def test_apikey_auth_policy_vs_and_vsr(
         wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
         wait_before_test(5)
 
+        # /undefined path (is not a route defined in the VirtualServer)
+        undefined_without_auth_headers = {"host": host}
+        undefined_with_wrong_auth_header = {"host": host, apikey_policy_details_server.headers[0]: "wrongpassword"}
+        undefined_with_auth_headers = {
+            "host": host,
+            apikey_policy_details_server.headers[0]: apikey_policy_details_server.apikeys[0],
+        }
+        undefined_path = (
+            f"http://{virtual_server_setup.public_endpoint.public_ip}"
+            f":{virtual_server_setup.public_endpoint.port}/undefined"
+        )
+        undefined_resp_no_auth_header = requests.get(undefined_path, headers=undefined_without_auth_headers)
+        undefined_resp_with_wrong_auth_header = requests.get(undefined_path, headers=undefined_with_wrong_auth_header)
+        undefined_resp_with_auth_header = requests.get(undefined_path, headers=undefined_with_auth_headers)
+
         # /no-auth path
         no_auth_path_server = (
             f"http://{virtual_server_setup.public_endpoint.public_ip}"
@@ -409,6 +445,15 @@ def test_apikey_auth_policy_vs_and_vsr(
             virtual_server_setup.namespace,
         )
 
+        # /undefined (without an auth header)
+        assert undefined_resp_no_auth_header.status_code == 401
+
+        # /undefined (with wrong password in header)
+        assert undefined_resp_with_wrong_auth_header.status_code == 403
+
+        # /undefined (with an auth header)
+        assert undefined_resp_with_auth_header.status_code == 404
+
         # /no-auth (snippet to turn off auth_request on this route)
         assert no_auth_server_resp.status_code == 200
 

From 18a7c1247dedfd0178fcc022d4e7e69555043bb1 Mon Sep 17 00:00:00 2001
From: Venktesh Shivam Patel <ve.patel@f5.com>
Date: Tue, 25 Jun 2024 13:10:11 +0100
Subject: [PATCH 18/37] check for non 50x 404 response (#5851)

---
 tests/suite/test_ac_policies_vsr.py  | 14 +++++++++++++-
 tests/suite/utils/resources_utils.py |  2 +-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/tests/suite/test_ac_policies_vsr.py b/tests/suite/test_ac_policies_vsr.py
index d725021f59..ede342a830 100644
--- a/tests/suite/test_ac_policies_vsr.py
+++ b/tests/suite/test_ac_policies_vsr.py
@@ -3,7 +3,7 @@
 from settings import DEPLOYMENTS, TEST_DATA
 from suite.utils.custom_resources_utils import read_custom_resource
 from suite.utils.policy_resources_utils import create_policy_from_yaml, delete_policy
-from suite.utils.resources_utils import replace_configmap_from_yaml, wait_before_test
+from suite.utils.resources_utils import ensure_response_from_backend, replace_configmap_from_yaml, wait_before_test
 from suite.utils.vs_vsr_resources_utils import patch_v_s_route_from_yaml, patch_virtual_server_from_yaml
 
 std_cm_src = f"{DEPLOYMENTS}/common/nginx-config.yaml"
@@ -91,6 +91,12 @@ def test_deny_policy_vsr(
         Test if ip (10.0.0.1) block-listing is working (policy specified in vsr subroute): default(no policy) -> deny
         """
         req_url = f"http://{v_s_route_setup.public_endpoint.public_ip}:{v_s_route_setup.public_endpoint.port}"
+        ensure_response_from_backend(
+            f"{req_url}{v_s_route_setup.route_m.paths[0]}",
+            v_s_route_setup.vs_host,
+            additional_headers={"X-Real-IP": "10.0.0.1"},
+            check404=True,
+        )
         resp = requests.get(
             f"{req_url}{v_s_route_setup.route_m.paths[0]}",
             headers={"host": v_s_route_setup.vs_host, "X-Real-IP": "10.0.0.1"},
@@ -107,6 +113,12 @@ def test_deny_policy_vsr(
             v_s_route_setup.route_m.namespace,
         )
         wait_before_test()
+        ensure_response_from_backend(
+            f"{req_url}{v_s_route_setup.route_m.paths[0]}",
+            v_s_route_setup.vs_host,
+            additional_headers={"X-Real-IP": "10.0.0.1"},
+            check404=True,
+        )
         policy_info = read_custom_resource(
             kube_apis.custom_objects, v_s_route_setup.route_m.namespace, "policies", pol_name
         )
diff --git a/tests/suite/utils/resources_utils.py b/tests/suite/utils/resources_utils.py
index 1fb0cb0133..da43707e95 100644
--- a/tests/suite/utils/resources_utils.py
+++ b/tests/suite/utils/resources_utils.py
@@ -1595,7 +1595,7 @@ def ensure_response_from_backend(req_url, host, additional_headers=None, check40
             if resp.status_code != 502 and resp.status_code != 504:
                 print(f"After {_} retries at 1 second interval, got non 502|504 response. Continue with tests...")
                 return
-            time.sleep(1)
+            wait_before_test()
         pytest.fail(f"Keep getting 502|504 from {req_url} after 60 seconds. Exiting...")
 
 

From 1196c8c9368438ba192e3e7c66c554dbd72de9f3 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Tue, 25 Jun 2024 13:47:16 +0100
Subject: [PATCH 19/37] remove sarif artifact upload for images in feature
 branches (#5850)

---
 .github/workflows/build-oss.yml  | 11 +----------
 .github/workflows/build-plus.yml | 11 +----------
 2 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index f155469d6a..f06a819290 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -177,10 +177,10 @@ jobs:
       - name: Make directory for security scan results
         run: |
           mkdir -p "${{ inputs.image }}-results/"
+        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
-        continue-on-error: true
         with:
           image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
           format: "sarif"
@@ -198,7 +198,6 @@ jobs:
       - name: Run Docker Scout vulnerability scanner
         id: docker-scout
         uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
-        continue-on-error: true
         with:
           command: cves,recommendations
           image: ${{ steps.meta.outputs.tags }}
@@ -209,11 +208,3 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
           summary: true
         if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
-
-      - name: Upload Scan Results to Github Artifacts
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
-        continue-on-error: true
-        with:
-          name: "${{ inputs.image }}-results"
-          path: "${{ inputs.image }}-results/"
-        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 638ec738e2..75aa787dbe 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -194,6 +194,7 @@ jobs:
       - name: Make directory for security scan results
         run: |
           mkdir -p "${{ inputs.image }}-results/"
+        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
       - name: Extract image name for Scans
         id: scan-tag
@@ -204,7 +205,6 @@ jobs:
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
-        continue-on-error: true
         with:
           image-ref: ${{ steps.scan-tag.outputs.tag }}
           format: "sarif"
@@ -222,7 +222,6 @@ jobs:
       - name: Run Docker Scout vulnerability scanner
         id: docker-scout
         uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
-        continue-on-error: true
         with:
           command: cves,recommendations
           image: ${{ steps.scan-tag.outputs.tag }}
@@ -233,11 +232,3 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
           summary: true
         if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
-
-      - name: Upload Scan Results
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
-        continue-on-error: true
-        with:
-          name: "${{ inputs.image }}-results"
-          path: "${{ inputs.image }}-results/"
-        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}

From e7f4885a6b63ad7b8b65fd2113797a383e361cc7 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Tue, 25 Jun 2024 14:26:39 +0100
Subject: [PATCH 20/37] ensure example versions are updated (#5853)

---
 .github/scripts/release-version-update.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/.github/scripts/release-version-update.sh b/.github/scripts/release-version-update.sh
index 208e6c4f42..7ca0ef19f1 100755
--- a/.github/scripts/release-version-update.sh
+++ b/.github/scripts/release-version-update.sh
@@ -6,6 +6,7 @@ ROOTDIR=$(git rev-parse --show-toplevel || echo ".")
 TMPDIR=/tmp
 HELM_CHART_PATH="${ROOTDIR}/charts/nginx-ingress"
 DEPLOYMENT_PATH="${ROOTDIR}/deployments"
+EXAMPLES_PATH="${ROOTDIR}/examples"
 DEBUG=${DEBUG:-"false"}
 
 DOCS_TO_UPDATE_FOLDER=${ROOTDIR}/docs/content
@@ -120,3 +121,19 @@ for i in ${docs_files}; do
         exit 2
     fi
 done
+
+# update examples with new versions
+example_files=$(find "${EXAMPLES_PATH}" -type f -name "*.md")
+for i in ${example_files}; do
+    if [ "${DEBUG}" != "false" ]; then
+        echo "Processing ${i}"
+    fi
+    file_name=$(basename "${i}")
+    mv "${i}" "${TMPDIR}/${file_name}"
+    cat "${TMPDIR}/${file_name}" | sed -e "$regex_ic" | sed -e "$regex_helm" > "${i}"
+    if [ $? -ne 0 ]; then
+        echo "ERROR: failed processing ${i}"
+        mv "${TMPDIR}/${file_name}" "${i}"
+        exit 2
+    fi
+done

From e342d53db1e10d9587804600bf91c58822be730e Mon Sep 17 00:00:00 2001
From: Jim Ryan <j.ryan@f5.com>
Date: Tue, 25 Jun 2024 15:14:58 +0100
Subject: [PATCH 21/37] change telemetry to telemetryReporting in docs (#5855)

change telemetry to telemetryReporting
---
 docs/content/overview/product-telemetry.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/content/overview/product-telemetry.md b/docs/content/overview/product-telemetry.md
index 28489cfeec..39c92802c2 100644
--- a/docs/content/overview/product-telemetry.md
+++ b/docs/content/overview/product-telemetry.md
@@ -66,12 +66,12 @@ Product telemetry can be disabled when installing NGINX Ingress Controller.
 
 ### Helm
 
-When installing or upgrading NGINX Ingress Controller with Helm, set the `controller.telemetry.enable` option to `false`.
+When installing or upgrading NGINX Ingress Controller with Helm, set the `controller.telemetryReporting.enable` option to `false`.
 
 This can be set directly in the `values.yaml` file, or using the `--set` option
 
 ```shell
-helm upgrade --install ... --set controller.telemetry.enable=false
+helm upgrade --install ... --set controller.telemetryReporting.enable=false
 ```
 
 ---

From 01dade185b75a9f64222fcf530a28214d79f083a Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Wed, 26 Jun 2024 09:18:42 +0100
Subject: [PATCH 22/37] add permissions for gcr login to base image build
 (#5860)

---
 .github/workflows/build-base-images.yml |  4 +++-
 .github/workflows/build-oss.yml         |  6 +++---
 .github/workflows/build-plus.yml        | 15 ++++-----------
 3 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index a19a86772d..66fd1aa2d0 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -16,7 +16,6 @@ concurrency:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   checks:
@@ -50,6 +49,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write # for scout report
+      id-token: write
     strategy:
       fail-fast: false
       matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
@@ -113,6 +113,7 @@ jobs:
     needs: checks
     permissions:
       contents: read
+      id-token: write
       pull-requests: write # for scout report
     strategy:
       fail-fast: false
@@ -180,6 +181,7 @@ jobs:
     needs: checks
     permissions:
       contents: read
+      id-token: write
       pull-requests: write # for scout report
     strategy:
       fail-fast: false
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index f06a819290..67d350c78e 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -112,11 +112,11 @@ jobs:
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         with:
           platforms: arm,arm64,ppc64le,s390x
-        if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
-        if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Base Container
         uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
@@ -182,7 +182,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
         with:
-          image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
+          image-ref: ${{ steps.meta.outputs.tags }}
           format: "sarif"
           output: "${{ inputs.image }}-results/trivy.sarif"
           ignore-unfixed: "true"
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 75aa787dbe..fb5eb86337 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -117,11 +117,11 @@ jobs:
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         with:
           platforms: arm,arm64,ppc64le,s390x
-        if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Docker Buildx
         uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
-        if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Base Container
         uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
@@ -196,17 +196,10 @@ jobs:
           mkdir -p "${{ inputs.image }}-results/"
         if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
-      - name: Extract image name for Scans
-        id: scan-tag
-        run: |
-          tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
-          echo "tag=$tag" >> $GITHUB_OUTPUT
-        if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
-
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
         with:
-          image-ref: ${{ steps.scan-tag.outputs.tag }}
+          image-ref: ${{ steps.meta.outputs.tags }}
           format: "sarif"
           output: "${{ inputs.image }}-results/trivy.sarif"
           ignore-unfixed: "true"
@@ -224,7 +217,7 @@ jobs:
         uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
         with:
           command: cves,recommendations
-          image: ${{ steps.scan-tag.outputs.tag }}
+          image: ${{ steps.meta.outputs.tags }}
           ignore-base: true
           only-fixed: true
           sarif-file: "${{ inputs.image }}-results/scout.sarif"

From 21e29e5b8e27ffe1043af146b3773a723879bea0 Mon Sep 17 00:00:00 2001
From: Jim Ryan <j.ryan@f5.com>
Date: Wed, 26 Jun 2024 16:35:08 +0100
Subject: [PATCH 23/37] Chore/python clean up, and unused variable check to pre
 commit (#5866)

* delete obscured function

* autopep8

* remove unsed imports

* remove unused variables

* add autoflake

* fix pre commit

* remove used vars via pre commit

* remove unused variables and presumably pure function calls

* remove unused calls
---
 .pre-commit-config.yaml                       |  7 +++
 perf-tests/suite/ap_request_perf.py           |  2 +-
 perf-tests/suite/test_ap_reload_perf.py       |  8 +--
 perf-tests/suite/test_vs_perf.py              |  3 --
 tests/suite/fixtures/ic_fixtures.py           |  5 +-
 tests/suite/grpc/helloworld_pb2.py            | 18 +++----
 tests/suite/grpc/helloworld_pb2_grpc.py       | 49 ++++++++++---------
 tests/suite/test_annotations.py               |  3 --
 tests/suite/test_app_protect_integration.py   |  2 +-
 tests/suite/test_app_protect_waf_policies.py  |  2 +-
 .../test_app_protect_waf_policies_grpc.py     |  2 +-
 tests/suite/test_build_info.py                |  2 +-
 tests/suite/test_default_server.py            |  2 +-
 tests/suite/test_egress_mtls.py               |  9 +---
 tests/suite/test_jwt_policies_jwksuri.py      |  2 -
 tests/suite/test_jwt_policies_jwksuri_vsr.py  |  1 -
 tests/suite/test_multiple_ns_perf.py          |  2 +-
 tests/suite/test_rl_ingress.py                |  5 +-
 tests/suite/test_rl_policies.py               |  8 +--
 .../test_transport_server_backup_service.py   |  6 +--
 .../test_transport_server_service_insight.py  |  8 +--
 tests/suite/test_upgrade_resources.py         | 12 ++---
 tests/suite/test_use_cluster_ip.py            |  5 +-
 tests/suite/test_v_s_route_grpc.py            |  2 +-
 ...v_s_route_weight_changes_dynamic_reload.py |  2 -
 ...ight_changes_dynamic_reload_many_splits.py |  3 --
 .../test_virtual_server_configmap_keys.py     |  1 -
 .../suite/test_virtual_server_error_pages.py  |  2 -
 tests/suite/test_virtual_server_grpc.py       |  2 +-
 tests/suite/test_virtual_server_mixed_grpc.py |  2 +-
 ...t_virtual_server_use_cluster_ip_reloads.py |  7 +--
 tests/suite/test_virtual_server_validation.py |  6 +--
 ...al_server_weight_changes_without_reload.py |  1 -
 tests/suite/test_watch_secret_namespace.py    |  3 +-
 tests/suite/utils/resources_utils.py          | 26 ----------
 tests/suite/utils/ssl_utils.py                |  1 -
 36 files changed, 67 insertions(+), 154 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ac364e6dc1..fe80a00f45 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -63,6 +63,13 @@ repos:
     hooks:
       - id: black
 
+  - repo: https://github.com/PyCQA/autoflake
+    rev: v2.3.1
+    hooks:
+      - id: autoflake
+        files: tests/.*\.py$
+        args: ['--in-place', '--remove-all-unused-imports', '--remove-unused-variable']
+
   - repo: https://github.com/python-jsonschema/check-jsonschema
     rev: 0.28.6
     hooks:
diff --git a/perf-tests/suite/ap_request_perf.py b/perf-tests/suite/ap_request_perf.py
index 1f421bcfb3..76dc8c5d17 100644
--- a/perf-tests/suite/ap_request_perf.py
+++ b/perf-tests/suite/ap_request_perf.py
@@ -1,7 +1,7 @@
 import os
 
 import yaml
-from locust import HttpUser, TaskSet, task
+from locust import HttpUser, task
 
 host = ""
 
diff --git a/perf-tests/suite/test_ap_reload_perf.py b/perf-tests/suite/test_ap_reload_perf.py
index da237299ea..7cf8e55c91 100644
--- a/perf-tests/suite/test_ap_reload_perf.py
+++ b/perf-tests/suite/test_ap_reload_perf.py
@@ -1,5 +1,4 @@
 import json
-import logging
 import os
 import re
 import subprocess
@@ -9,7 +8,7 @@
 import requests
 import yaml
 from kubernetes.client import V1ContainerPort
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.utils.ap_resources_utils import (
     create_ap_logconf_from_yaml,
     create_ap_policy_from_yaml,
@@ -25,14 +24,9 @@
     delete_items_from_yaml,
     ensure_connection_to_public_endpoint,
     ensure_response_from_backend,
-    get_events,
-    get_file_contents,
-    get_first_pod_name,
-    get_ingress_nginx_template_conf,
     get_resource_metrics,
     replace_ingress_with_ap_annotations,
     wait_before_test,
-    wait_for_event_increment,
     wait_until_all_pods_are_ready,
 )
 from suite.utils.yaml_utils import get_first_ingress_host_from_yaml
diff --git a/perf-tests/suite/test_vs_perf.py b/perf-tests/suite/test_vs_perf.py
index b3b30b4fc2..080f082f12 100644
--- a/perf-tests/suite/test_vs_perf.py
+++ b/perf-tests/suite/test_vs_perf.py
@@ -1,7 +1,4 @@
 import json
-import re
-import subprocess
-from datetime import datetime
 
 import pytest
 import requests
diff --git a/tests/suite/fixtures/ic_fixtures.py b/tests/suite/fixtures/ic_fixtures.py
index e3627fa4f2..e75f1ede87 100644
--- a/tests/suite/fixtures/ic_fixtures.py
+++ b/tests/suite/fixtures/ic_fixtures.py
@@ -102,7 +102,7 @@ def crd_ingress_controller(
             ingress_controller_endpoint.port,
             ingress_controller_endpoint.port_ssl,
         )
-    except ApiException as ex:
+    except ApiException:
         # Finalizer method doesn't start if fixture creation was incomplete, ensure clean up here
         print("Restore the ClusterRole:")
         patch_rbac(kube_apis.rbac_v1, f"{DEPLOYMENTS}/rbac/rbac.yaml")
@@ -267,7 +267,6 @@ def crd_ingress_controller_with_dos(
 
         print("------------------------- Create syslog svc -----------------------")
         src_syslog_yaml = f"{TEST_DATA}/dos/dos-syslog.yaml"
-        log_loc = f"/var/log/messages"
         create_items_from_yaml(kube_apis, src_syslog_yaml, namespace)
         before = time.time()
         wait_until_all_pods_are_ready(kube_apis.v1, namespace)
@@ -397,7 +396,7 @@ def crd_ingress_controller_with_ed(
             ingress_controller_prerequisites.namespace,
             cm_source,
         )
-    except ApiException as ex:
+    except ApiException:
         # Finalizer method doesn't start if fixture creation was incomplete, ensure clean up here
         print("Restore the ClusterRole:")
         patch_rbac(kube_apis.rbac_v1, f"{DEPLOYMENTS}/rbac/rbac.yaml")
diff --git a/tests/suite/grpc/helloworld_pb2.py b/tests/suite/grpc/helloworld_pb2.py
index d4f06bf557..3786c43e43 100644
--- a/tests/suite/grpc/helloworld_pb2.py
+++ b/tests/suite/grpc/helloworld_pb2.py
@@ -11,20 +11,18 @@
 _sym_db = _symbol_database.Default()
 
 
-
-
 DESCRIPTOR = _descriptor_pool.Default().AddSerializedFile(b'\n\x10helloworld.proto\x12\nhelloworld\"\x1c\n\x0cHelloRequest\x12\x0c\n\x04name\x18\x01 \x01(\t\"\x1d\n\nHelloReply\x12\x0f\n\x07message\x18\x01 \x01(\t2I\n\x07Greeter\x12>\n\x08SayHello\x12\x18.helloworld.HelloRequest\x1a\x16.helloworld.HelloReply\"\x00\x42g\n\x1bio.grpc.examples.helloworldB\x0fHelloWorldProtoP\x01Z5google.golang.org/grpc/examples/helloworld/helloworldb\x06proto3')
 
 _builder.BuildMessageAndEnumDescriptors(DESCRIPTOR, globals())
 _builder.BuildTopDescriptorsAndMessages(DESCRIPTOR, 'helloworld_pb2', globals())
 if _descriptor._USE_C_DESCRIPTORS == False:
 
-  DESCRIPTOR._options = None
-  DESCRIPTOR._serialized_options = b'\n\033io.grpc.examples.helloworldB\017HelloWorldProtoP\001Z5google.golang.org/grpc/examples/helloworld/helloworld'
-  _HELLOREQUEST._serialized_start=32
-  _HELLOREQUEST._serialized_end=60
-  _HELLOREPLY._serialized_start=62
-  _HELLOREPLY._serialized_end=91
-  _GREETER._serialized_start=93
-  _GREETER._serialized_end=166
+    DESCRIPTOR._options = None
+    DESCRIPTOR._serialized_options = b'\n\033io.grpc.examples.helloworldB\017HelloWorldProtoP\001Z5google.golang.org/grpc/examples/helloworld/helloworld'
+    _HELLOREQUEST._serialized_start = 32
+    _HELLOREQUEST._serialized_end = 60
+    _HELLOREPLY._serialized_start = 62
+    _HELLOREPLY._serialized_end = 91
+    _GREETER._serialized_start = 93
+    _GREETER._serialized_end = 166
 # @@protoc_insertion_point(module_scope)
diff --git a/tests/suite/grpc/helloworld_pb2_grpc.py b/tests/suite/grpc/helloworld_pb2_grpc.py
index 47c186976e..211498fd18 100644
--- a/tests/suite/grpc/helloworld_pb2_grpc.py
+++ b/tests/suite/grpc/helloworld_pb2_grpc.py
@@ -16,10 +16,10 @@ def __init__(self, channel):
             channel: A grpc.Channel.
         """
         self.SayHello = channel.unary_unary(
-                '/helloworld.Greeter/SayHello',
-                request_serializer=helloworld__pb2.HelloRequest.SerializeToString,
-                response_deserializer=helloworld__pb2.HelloReply.FromString,
-                )
+            '/helloworld.Greeter/SayHello',
+            request_serializer=helloworld__pb2.HelloRequest.SerializeToString,
+            response_deserializer=helloworld__pb2.HelloReply.FromString,
+        )
 
 
 class GreeterServicer(object):
@@ -36,35 +36,36 @@ def SayHello(self, request, context):
 
 def add_GreeterServicer_to_server(servicer, server):
     rpc_method_handlers = {
-            'SayHello': grpc.unary_unary_rpc_method_handler(
-                    servicer.SayHello,
-                    request_deserializer=helloworld__pb2.HelloRequest.FromString,
-                    response_serializer=helloworld__pb2.HelloReply.SerializeToString,
-            ),
+        'SayHello': grpc.unary_unary_rpc_method_handler(
+            servicer.SayHello,
+            request_deserializer=helloworld__pb2.HelloRequest.FromString,
+            response_serializer=helloworld__pb2.HelloReply.SerializeToString,
+        ),
     }
     generic_handler = grpc.method_handlers_generic_handler(
-            'helloworld.Greeter', rpc_method_handlers)
+        'helloworld.Greeter', rpc_method_handlers)
     server.add_generic_rpc_handlers((generic_handler,))
 
-
  # This class is part of an EXPERIMENTAL API.
+
+
 class Greeter(object):
     """The greeting service definition.
     """
 
     @staticmethod
     def SayHello(request,
-            target,
-            options=(),
-            channel_credentials=None,
-            call_credentials=None,
-            insecure=False,
-            compression=None,
-            wait_for_ready=None,
-            timeout=None,
-            metadata=None):
+                 target,
+                 options=(),
+                 channel_credentials=None,
+                 call_credentials=None,
+                 insecure=False,
+                 compression=None,
+                 wait_for_ready=None,
+                 timeout=None,
+                 metadata=None):
         return grpc.experimental.unary_unary(request, target, '/helloworld.Greeter/SayHello',
-            helloworld__pb2.HelloRequest.SerializeToString,
-            helloworld__pb2.HelloReply.FromString,
-            options, channel_credentials,
-            insecure, call_credentials, compression, wait_for_ready, timeout, metadata)
+                                             helloworld__pb2.HelloRequest.SerializeToString,
+                                             helloworld__pb2.HelloReply.FromString,
+                                             options, channel_credentials,
+                                             insecure, call_credentials, compression, wait_for_ready, timeout, metadata)
diff --git a/tests/suite/test_annotations.py b/tests/suite/test_annotations.py
index f222998816..8517e9aa2f 100644
--- a/tests/suite/test_annotations.py
+++ b/tests/suite/test_annotations.py
@@ -565,8 +565,6 @@ def test_standard_ingress(
         expected_strings,
         unexpected_strings,
     ):
-        initial_events = get_events(kube_apis.v1, annotations_setup.namespace)
-        initial_count = get_event_count(annotations_setup.ingress_event_text, initial_events)
         print("Case 8: standard ingress")
         replace_ingresses_from_yaml(kube_apis.networking_v1, annotations_setup.namespace, yaml_file)
         wait_before_test(1)
@@ -577,7 +575,6 @@ def test_standard_ingress(
             annotations_setup.ingress_pod_name,
             ingress_controller_prerequisites.namespace,
         )
-        new_events = get_events(kube_apis.v1, annotations_setup.namespace)
         for _ in expected_strings:
             assert _ in result_conf
         for _ in unexpected_strings:
diff --git a/tests/suite/test_app_protect_integration.py b/tests/suite/test_app_protect_integration.py
index 03368cc04d..028e82f65b 100644
--- a/tests/suite/test_app_protect_integration.py
+++ b/tests/suite/test_app_protect_integration.py
@@ -1,7 +1,7 @@
 import pytest
 import requests
 import yaml
-from settings import CRDS, DEPLOYMENTS, TEST_DATA
+from settings import CRDS, TEST_DATA
 from suite.utils.ap_resources_utils import (
     create_ap_logconf_from_yaml,
     create_ap_policy_from_yaml,
diff --git a/tests/suite/test_app_protect_waf_policies.py b/tests/suite/test_app_protect_waf_policies.py
index b826f6e1ab..a1904721ed 100644
--- a/tests/suite/test_app_protect_waf_policies.py
+++ b/tests/suite/test_app_protect_waf_policies.py
@@ -177,7 +177,7 @@ def test_ap_waf_policy_block(
                 "syslog:server=127.0.0.1:514",
             )
         elif waf == waf_pol_default_src:
-            pol_name = create_policy_from_yaml(kube_apis.custom_objects, waf, test_namespace)
+            create_policy_from_yaml(kube_apis.custom_objects, waf, test_namespace)
         else:
             pytest.fail(f"Invalid argument")
 
diff --git a/tests/suite/test_app_protect_waf_policies_grpc.py b/tests/suite/test_app_protect_waf_policies_grpc.py
index f8659be971..1c92237ed0 100644
--- a/tests/suite/test_app_protect_waf_policies_grpc.py
+++ b/tests/suite/test_app_protect_waf_policies_grpc.py
@@ -78,7 +78,7 @@ def appprotect_setup(
         elif vs_or_vsr == "vsr":
             (src_pol_name, vsr_ns, vs_host, vs_name, vsr) = ap_vsr_setup(kube_apis, test_namespace, policy_method)
         wait_before_test(120)
-    except Exception as ex:
+    except Exception:
         cleanup(kube_apis, ingress_controller_prerequisites, src_pol_name, test_namespace, vs_or_vsr, vs_name, vsr)
 
     def fin():
diff --git a/tests/suite/test_build_info.py b/tests/suite/test_build_info.py
index 41359e04b5..436a83d247 100644
--- a/tests/suite/test_build_info.py
+++ b/tests/suite/test_build_info.py
@@ -50,7 +50,7 @@ def send_build_info(self, kube_apis, ingress_controller_prerequisites) -> str:
         try:
             _info = _log[_log.find("Version") :].strip()
             logging.info(f"Version and GitCommit info: {_info}")
-        except Exception as e:
+        except Exception:
             logging.exception(f"Tag labels not found")
 
         return _info
diff --git a/tests/suite/test_default_server.py b/tests/suite/test_default_server.py
index 31e5da5814..34e0761e04 100644
--- a/tests/suite/test_default_server.py
+++ b/tests/suite/test_default_server.py
@@ -3,7 +3,7 @@
 import pytest
 import requests
 from requests.exceptions import ConnectionError
-from settings import BASEDIR, DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.utils.resources_utils import (
     create_secret_from_yaml,
     delete_secret,
diff --git a/tests/suite/test_egress_mtls.py b/tests/suite/test_egress_mtls.py
index 474ae8cb38..f5ea880883 100644
--- a/tests/suite/test_egress_mtls.py
+++ b/tests/suite/test_egress_mtls.py
@@ -1,16 +1,9 @@
 import pytest
-import requests
 from settings import TEST_DATA
 from suite.utils.policy_resources_utils import create_policy_from_yaml, delete_policy
 from suite.utils.resources_utils import create_secret_from_yaml, delete_secret, wait_before_test
 from suite.utils.ssl_utils import create_sni_session
-from suite.utils.vs_vsr_resources_utils import (
-    delete_and_create_vs_from_yaml,
-    patch_v_s_route_from_yaml,
-    patch_virtual_server_from_yaml,
-    read_vs,
-    read_vsr,
-)
+from suite.utils.vs_vsr_resources_utils import delete_and_create_vs_from_yaml, patch_virtual_server_from_yaml, read_vs
 
 std_vs_src = f"{TEST_DATA}/virtual-server/standard/virtual-server.yaml"
 std_vsr_src = f"{TEST_DATA}/virtual-server-route/route-multiple.yaml"
diff --git a/tests/suite/test_jwt_policies_jwksuri.py b/tests/suite/test_jwt_policies_jwksuri.py
index 94df4bec19..ffd1e3bb68 100644
--- a/tests/suite/test_jwt_policies_jwksuri.py
+++ b/tests/suite/test_jwt_policies_jwksuri.py
@@ -1,4 +1,3 @@
-import time
 from unittest import mock
 
 import pytest
@@ -10,7 +9,6 @@
     create_virtual_server_from_yaml,
     delete_and_create_vs_from_yaml,
     delete_virtual_server,
-    patch_v_s_route_from_yaml,
 )
 
 std_vs_src = f"{TEST_DATA}/virtual-server/standard/virtual-server.yaml"
diff --git a/tests/suite/test_jwt_policies_jwksuri_vsr.py b/tests/suite/test_jwt_policies_jwksuri_vsr.py
index 8a4d78deab..df912efdac 100644
--- a/tests/suite/test_jwt_policies_jwksuri_vsr.py
+++ b/tests/suite/test_jwt_policies_jwksuri_vsr.py
@@ -1,4 +1,3 @@
-import time
 from unittest import mock
 
 import pytest
diff --git a/tests/suite/test_multiple_ns_perf.py b/tests/suite/test_multiple_ns_perf.py
index cba889c5ba..4ac14f774e 100644
--- a/tests/suite/test_multiple_ns_perf.py
+++ b/tests/suite/test_multiple_ns_perf.py
@@ -51,7 +51,7 @@ def ingress_ns_setup(
         watched_namespace = create_namespace_with_name_from_yaml(kube_apis.v1, f"ns-{i}", f"{TEST_DATA}/common/ns.yaml")
         multi_ns = multi_ns + f"{watched_namespace},"
         create_example_app(kube_apis, "simple", watched_namespace)
-        secret_name = create_secret_from_yaml(kube_apis.v1, watched_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
+        create_secret_from_yaml(kube_apis.v1, watched_namespace, f"{TEST_DATA}/smoke/smoke-secret.yaml")
         with open(manifest) as f:
             doc = yaml.safe_load(f)
             doc["metadata"]["name"] = f"smoke-ingress-{i}"
diff --git a/tests/suite/test_rl_ingress.py b/tests/suite/test_rl_ingress.py
index 4ca5142991..da578dceee 100644
--- a/tests/suite/test_rl_ingress.py
+++ b/tests/suite/test_rl_ingress.py
@@ -2,11 +2,8 @@
 
 import pytest
 import requests
-import yaml
-from kubernetes.client import NetworkingV1Api
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.fixtures.fixtures import PublicEndpoint
-from suite.utils.custom_assertions import assert_event_count_increased
 from suite.utils.resources_utils import (
     are_all_pods_in_ready_state,
     create_example_app,
diff --git a/tests/suite/test_rl_policies.py b/tests/suite/test_rl_policies.py
index ec3a2fec89..bc167d7ff2 100644
--- a/tests/suite/test_rl_policies.py
+++ b/tests/suite/test_rl_policies.py
@@ -5,13 +5,7 @@
 from settings import TEST_DATA
 from suite.utils.custom_resources_utils import read_custom_resource
 from suite.utils.policy_resources_utils import create_policy_from_yaml, delete_policy
-from suite.utils.resources_utils import (
-    get_first_pod_name,
-    get_pod_list,
-    get_vs_nginx_template_conf,
-    scale_deployment,
-    wait_before_test,
-)
+from suite.utils.resources_utils import get_pod_list, get_vs_nginx_template_conf, scale_deployment, wait_before_test
 from suite.utils.vs_vsr_resources_utils import (
     create_virtual_server_from_yaml,
     delete_virtual_server,
diff --git a/tests/suite/test_transport_server_backup_service.py b/tests/suite/test_transport_server_backup_service.py
index fc598aa46f..e2b9ae925d 100644
--- a/tests/suite/test_transport_server_backup_service.py
+++ b/tests/suite/test_transport_server_backup_service.py
@@ -1,9 +1,7 @@
-from pprint import pprint
-
 import pytest
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.fixtures.fixtures import PublicEndpoint
-from suite.utils.custom_resources_utils import create_ts_from_yaml, delete_ts, patch_ts_from_yaml, read_ts
+from suite.utils.custom_resources_utils import create_ts_from_yaml, delete_ts, patch_ts_from_yaml
 from suite.utils.resources_utils import (
     create_configmap_from_yaml,
     create_items_from_yaml,
diff --git a/tests/suite/test_transport_server_service_insight.py b/tests/suite/test_transport_server_service_insight.py
index 96cde1cdc1..5b41f93a76 100644
--- a/tests/suite/test_transport_server_service_insight.py
+++ b/tests/suite/test_transport_server_service_insight.py
@@ -1,24 +1,20 @@
-from pprint import pprint
 from unittest import mock
 
 import pytest
 import requests
-from settings import DEPLOYMENTS, TEST_DATA
+from settings import TEST_DATA
 from suite.fixtures.fixtures import PublicEndpoint
-from suite.utils.custom_resources_utils import create_ts_from_yaml, delete_ts, read_ts
+from suite.utils.custom_resources_utils import create_ts_from_yaml, delete_ts
 from suite.utils.resources_utils import (
     create_items_from_yaml,
     create_secret_from_yaml,
     delete_items_from_yaml,
     delete_secret,
     get_first_pod_name,
-    get_nginx_template_conf,
-    replace_configmap_from_yaml,
     wait_before_test,
     wait_until_all_pods_are_ready,
 )
 from suite.utils.ssl_utils import create_sni_session
-from suite.utils.vs_vsr_resources_utils import create_virtual_server_from_yaml, delete_virtual_server, read_vs
 from suite.utils.yaml_utils import get_first_host_from_yaml
 
 
diff --git a/tests/suite/test_upgrade_resources.py b/tests/suite/test_upgrade_resources.py
index b17ec2c6fb..ac2c4cecf3 100644
--- a/tests/suite/test_upgrade_resources.py
+++ b/tests/suite/test_upgrade_resources.py
@@ -3,15 +3,9 @@
 
 import pytest
 import yaml
-from settings import DEPLOYMENTS, TEST_DATA
-from suite.utils.custom_resources_utils import create_resource_from_manifest, read_custom_resource
-from suite.utils.resources_utils import (
-    create_ingress,
-    create_items_from_yaml,
-    create_namespace,
-    delete_namespace,
-    wait_before_test,
-)
+from settings import TEST_DATA
+from suite.utils.custom_resources_utils import create_resource_from_manifest
+from suite.utils.resources_utils import create_ingress, create_items_from_yaml, create_namespace, delete_namespace
 from suite.utils.vs_vsr_resources_utils import create_virtual_server
 
 tcp_deployment = f"{TEST_DATA}/upgrade-test-resources/tcp-deployment.yaml"
diff --git a/tests/suite/test_use_cluster_ip.py b/tests/suite/test_use_cluster_ip.py
index fcadc1d4b9..c0bf886623 100644
--- a/tests/suite/test_use_cluster_ip.py
+++ b/tests/suite/test_use_cluster_ip.py
@@ -3,17 +3,14 @@
 from suite.utils.resources_utils import (
     create_example_app,
     create_ingress_from_yaml,
-    create_secret_from_yaml,
     delete_common_app,
     delete_items_from_yaml,
-    delete_secret,
     ensure_connection_to_public_endpoint,
     get_reload_count,
-    replace_secret,
     scale_deployment,
     wait_before_test,
 )
-from suite.utils.yaml_utils import get_first_ingress_host_from_yaml, get_name_from_yaml
+from suite.utils.yaml_utils import get_first_ingress_host_from_yaml
 
 from tests.suite.utils.custom_assertions import assert_pods_scaled_to_count
 
diff --git a/tests/suite/test_v_s_route_grpc.py b/tests/suite/test_v_s_route_grpc.py
index f30f26d3ae..4a864d8305 100644
--- a/tests/suite/test_v_s_route_grpc.py
+++ b/tests/suite/test_v_s_route_grpc.py
@@ -42,7 +42,7 @@ def backend_setup(request, kube_apis, ingress_controller_prerequisites, test_nam
         app_name = request.param.get("app_type")
         create_example_app(kube_apis, app_name, test_namespace)
         wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
-    except Exception as ex:
+    except Exception:
         print("Failed to complete setup, cleaning up..")
         replace_configmap_from_yaml(
             kube_apis.v1,
diff --git a/tests/suite/test_v_s_route_weight_changes_dynamic_reload.py b/tests/suite/test_v_s_route_weight_changes_dynamic_reload.py
index 3b5d3d3cf0..971ac7f2c7 100644
--- a/tests/suite/test_v_s_route_weight_changes_dynamic_reload.py
+++ b/tests/suite/test_v_s_route_weight_changes_dynamic_reload.py
@@ -1,6 +1,5 @@
 import pytest
 import requests
-import yaml
 from settings import TEST_DATA
 from suite.fixtures.custom_resource_fixtures import VirtualServerRoute
 from suite.utils.resources_utils import (
@@ -13,7 +12,6 @@
     wait_until_all_pods_are_ready,
 )
 from suite.utils.yaml_utils import get_first_host_from_yaml, get_paths_from_vsr_yaml, get_route_namespace_from_vs_yaml
-from yaml.loader import Loader
 
 from tests.suite.utils.custom_assertions import wait_and_assert_status_code
 from tests.suite.utils.vs_vsr_resources_utils import (
diff --git a/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py b/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py
index 8275fd9557..620d7d305d 100644
--- a/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py
+++ b/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py
@@ -1,6 +1,5 @@
 import pytest
 import requests
-import yaml
 from settings import TEST_DATA
 from suite.fixtures.custom_resource_fixtures import VirtualServerRoute
 from suite.utils.resources_utils import (
@@ -8,14 +7,12 @@
     create_namespace_with_name_from_yaml,
     delete_namespace,
     ensure_response_from_backend,
-    get_reload_count,
     replace_configmap,
     replace_configmap_from_yaml,
     wait_before_test,
     wait_until_all_pods_are_ready,
 )
 from suite.utils.yaml_utils import get_first_host_from_yaml, get_paths_from_vsr_yaml, get_route_namespace_from_vs_yaml
-from yaml.loader import Loader
 
 from tests.suite.utils.custom_assertions import wait_and_assert_status_code
 from tests.suite.utils.vs_vsr_resources_utils import (
diff --git a/tests/suite/test_virtual_server_configmap_keys.py b/tests/suite/test_virtual_server_configmap_keys.py
index 1fe9ceb276..e41ad43211 100644
--- a/tests/suite/test_virtual_server_configmap_keys.py
+++ b/tests/suite/test_virtual_server_configmap_keys.py
@@ -362,7 +362,6 @@ def test_ssl_keys(
         virtual_server_setup,
         clean_up,
     ):
-        ic_pods_amount = get_pods_amount(kube_apis.v1, ingress_controller_prerequisites.namespace)
         ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
         initial_list = get_events(kube_apis.v1, virtual_server_setup.namespace)
 
diff --git a/tests/suite/test_virtual_server_error_pages.py b/tests/suite/test_virtual_server_error_pages.py
index 046130a53c..b44b30f498 100644
--- a/tests/suite/test_virtual_server_error_pages.py
+++ b/tests/suite/test_virtual_server_error_pages.py
@@ -1,6 +1,4 @@
 import json
-from unittest import mock
-from unittest.mock import Mock
 
 import pytest
 import requests
diff --git a/tests/suite/test_virtual_server_grpc.py b/tests/suite/test_virtual_server_grpc.py
index 4de034df57..4f879db770 100644
--- a/tests/suite/test_virtual_server_grpc.py
+++ b/tests/suite/test_virtual_server_grpc.py
@@ -52,7 +52,7 @@ def backend_setup(request, kube_apis, ingress_controller_prerequisites, test_nam
         app_name = request.param.get("app_type")
         create_example_app(kube_apis, app_name, test_namespace)
         wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
-    except Exception as ex:
+    except Exception:
         print("Failed to complete setup, cleaning up..")
         delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
         replace_configmap_from_yaml(
diff --git a/tests/suite/test_virtual_server_mixed_grpc.py b/tests/suite/test_virtual_server_mixed_grpc.py
index 7abf320f31..c13b6b122e 100644
--- a/tests/suite/test_virtual_server_mixed_grpc.py
+++ b/tests/suite/test_virtual_server_mixed_grpc.py
@@ -47,7 +47,7 @@ def backend_setup(request, kube_apis, ingress_controller_prerequisites, test_nam
         app_name = request.param.get("app_type")
         create_example_app(kube_apis, app_name, test_namespace)
         wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
-    except Exception as ex:
+    except Exception:
         print("Failed to complete setup, cleaning up..")
         delete_items_from_yaml(kube_apis, src_sec_yaml, test_namespace)
         replace_configmap_from_yaml(
diff --git a/tests/suite/test_virtual_server_use_cluster_ip_reloads.py b/tests/suite/test_virtual_server_use_cluster_ip_reloads.py
index 9937f9c2a2..97d9fcf6f1 100644
--- a/tests/suite/test_virtual_server_use_cluster_ip_reloads.py
+++ b/tests/suite/test_virtual_server_use_cluster_ip_reloads.py
@@ -1,10 +1,5 @@
 import pytest
-from suite.utils.resources_utils import (
-    get_reload_count,
-    scale_deployment,
-    wait_before_test,
-    wait_until_all_pods_are_ready,
-)
+from suite.utils.resources_utils import get_reload_count, scale_deployment, wait_until_all_pods_are_ready
 
 from tests.suite.utils.custom_assertions import assert_pods_scaled_to_count
 
diff --git a/tests/suite/test_virtual_server_validation.py b/tests/suite/test_virtual_server_validation.py
index 4e18e1ceb2..8ce3597d9a 100644
--- a/tests/suite/test_virtual_server_validation.py
+++ b/tests/suite/test_virtual_server_validation.py
@@ -1,7 +1,7 @@
 import pytest
 from settings import TEST_DATA
 from suite.utils.custom_assertions import assert_vs_conf_exists, assert_vs_conf_not_exists, wait_and_assert_status_code
-from suite.utils.resources_utils import get_events, get_first_pod_name, get_pods_amount, wait_before_test
+from suite.utils.resources_utils import get_events, get_first_pod_name, wait_before_test
 from suite.utils.vs_vsr_resources_utils import (
     create_virtual_server_from_yaml,
     delete_virtual_server,
@@ -50,11 +50,9 @@ class TestVirtualServerValidation:
     def test_virtual_server_behavior(
         self, kube_apis, cli_arguments, ingress_controller_prerequisites, crd_ingress_controller, virtual_server_setup
     ):
-        ic_pods_amount = get_pods_amount(kube_apis.v1, ingress_controller_prerequisites.namespace)
         ic_pod_name = get_first_pod_name(kube_apis.v1, ingress_controller_prerequisites.namespace)
 
         print("Step 1: initial check")
-        step_1_list = get_events(kube_apis.v1, virtual_server_setup.namespace)
         assert_vs_conf_exists(kube_apis, ic_pod_name, ingress_controller_prerequisites.namespace, virtual_server_setup)
         assert_response_200(virtual_server_setup)
 
@@ -66,7 +64,6 @@ def test_virtual_server_behavior(
             virtual_server_setup.namespace,
         )
         wait_before_test(1)
-        step_2_list = get_events(kube_apis.v1, virtual_server_setup.namespace)
         assert_vs_conf_not_exists(
             kube_apis, ic_pod_name, ingress_controller_prerequisites.namespace, virtual_server_setup
         )
@@ -107,7 +104,6 @@ def test_virtual_server_behavior(
             virtual_server_setup.namespace,
         )
         wait_before_test(1)
-        step_5_list = get_events(kube_apis.v1, virtual_server_setup.namespace)
         assert_vs_conf_not_exists(
             kube_apis, ic_pod_name, ingress_controller_prerequisites.namespace, virtual_server_setup
         )
diff --git a/tests/suite/test_virtual_server_weight_changes_without_reload.py b/tests/suite/test_virtual_server_weight_changes_without_reload.py
index a7a84f7f78..5cab204b42 100644
--- a/tests/suite/test_virtual_server_weight_changes_without_reload.py
+++ b/tests/suite/test_virtual_server_weight_changes_without_reload.py
@@ -1,6 +1,5 @@
 import pytest
 import requests
-import yaml
 from settings import TEST_DATA
 from suite.utils.custom_assertions import wait_and_assert_status_code
 from suite.utils.resources_utils import ensure_response_from_backend, get_reload_count, wait_before_test
diff --git a/tests/suite/test_watch_secret_namespace.py b/tests/suite/test_watch_secret_namespace.py
index fd775b2663..86d21998f6 100644
--- a/tests/suite/test_watch_secret_namespace.py
+++ b/tests/suite/test_watch_secret_namespace.py
@@ -2,9 +2,8 @@
 
 import pytest
 import requests
-from kubernetes.client.rest import ApiException
 from settings import TEST_DATA
-from suite.utils.resources_utils import create_secret_from_yaml, ensure_response_from_backend, wait_before_test
+from suite.utils.resources_utils import create_secret_from_yaml, wait_before_test
 from suite.utils.ssl_utils import create_sni_session
 
 
diff --git a/tests/suite/utils/resources_utils.py b/tests/suite/utils/resources_utils.py
index da43707e95..88c7403229 100644
--- a/tests/suite/utils/resources_utils.py
+++ b/tests/suite/utils/resources_utils.py
@@ -938,32 +938,6 @@ def get_file_contents(v1: CoreV1Api, file_path, pod_name, pod_namespace, print_l
     return result_conf
 
 
-def clear_file_contents(v1: CoreV1Api, file_path, pod_name, pod_namespace) -> str:
-    """
-    Execute 'truncate -s 0 file_path' command in a pod.
-
-    :param v1: CoreV1Api
-    :param pod_name: pod name
-    :param pod_namespace: pod namespace
-    :param file_path: an absolute path to a file in the pod
-    :return: str
-    """
-    command = ["truncate", "-s", "0", file_path]
-    resp = stream(
-        v1.connect_get_namespaced_pod_exec,
-        pod_name,
-        pod_namespace,
-        command=command,
-        stderr=True,
-        stdin=False,
-        stdout=True,
-        tty=False,
-    )
-    result_conf = str(resp)
-
-    return result_conf
-
-
 def nginx_reload(v1: CoreV1Api, pod_name, pod_namespace) -> str:
     """
     Execute 'nginx -s reload' command in a pod.
diff --git a/tests/suite/utils/ssl_utils.py b/tests/suite/utils/ssl_utils.py
index e99fc640c2..feedfa5730 100644
--- a/tests/suite/utils/ssl_utils.py
+++ b/tests/suite/utils/ssl_utils.py
@@ -2,7 +2,6 @@
 
 import socket
 import ssl
-from urllib.parse import urlparse
 
 import OpenSSL
 import requests

From d4fbd00ebc4dca662b7a114745d223c097cc38fc Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 27 Jun 2024 09:33:44 +0100
Subject: [PATCH 24/37] Bump docker/build-push-action from 6.1.0 to 6.2.0 in
 the actions group (#5871)

Bumps the actions group with 1 update: [docker/build-push-action](https://github.com/docker/build-push-action).


Updates `docker/build-push-action` from 6.1.0 to 6.2.0
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/31159d49c0d4756269a0940a750801a1ea5d7003...15560696de535e4014efeff63c48f16952e52dd1)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/build-base-images.yml | 6 +++---
 .github/workflows/build-oss.yml         | 4 ++--
 .github/workflows/build-plus.yml        | 4 ++--
 .github/workflows/build-test-image.yml  | 2 +-
 .github/workflows/ci.yml                | 4 ++--
 .github/workflows/patch-image.yml       | 2 +-
 .github/workflows/setup-smoke.yml       | 4 ++--
 7 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index 66fd1aa2d0..c8c7efd308 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -92,7 +92,7 @@ jobs:
             type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: build/Dockerfile
           context: "."
@@ -157,7 +157,7 @@ jobs:
             type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: build/Dockerfile
           context: "."
@@ -227,7 +227,7 @@ jobs:
             type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: build/Dockerfile
           context: "."
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 67d350c78e..36ca2b37b3 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -119,7 +119,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: build/Dockerfile
           context: "."
@@ -151,7 +151,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Docker image
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         id: build-push
         with:
           file: build/Dockerfile
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index fb5eb86337..45796e9d88 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -124,7 +124,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Base Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: build/Dockerfile
           context: "."
@@ -161,7 +161,7 @@ jobs:
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
       - name: Build Docker image
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         id: build-push
         with:
           file: build/Dockerfile
diff --git a/.github/workflows/build-test-image.yml b/.github/workflows/build-test-image.yml
index d3fbab8bcd..c3804857a0 100644
--- a/.github/workflows/build-test-image.yml
+++ b/.github/workflows/build-test-image.yml
@@ -49,7 +49,7 @@ jobs:
           password: ${{ steps.auth.outputs.access_token }}
 
       - name: Build Test-Runner Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: tests/Dockerfile
           context: "."
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fdd6cdba4f..268a50f54f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -438,7 +438,7 @@ jobs:
         if: ${{ needs.checks.outputs.forked_workflow == 'true' && needs.checks.outputs.docs_only == 'false' }}
 
       - name: Build Docker Image ${{ matrix.base-os }}
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: build/Dockerfile
           context: "."
@@ -556,7 +556,7 @@ jobs:
         if: ${{ needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.docs_only == 'false' }}
 
       - name: Build Test-Runner Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: tests/Dockerfile
           context: "."
diff --git a/.github/workflows/patch-image.yml b/.github/workflows/patch-image.yml
index d110b229da..20be01ebdd 100644
--- a/.github/workflows/patch-image.yml
+++ b/.github/workflows/patch-image.yml
@@ -70,7 +70,7 @@ jobs:
           password: ${{ steps.auth.outputs.access_token }}
 
       - name: Apply OS patches to Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: build/Dockerfile
           context: "."
diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml
index 4d4855e97d..1649577d8c 100644
--- a/.github/workflows/setup-smoke.yml
+++ b/.github/workflows/setup-smoke.yml
@@ -112,7 +112,7 @@ jobs:
         if: ${{ inputs.authenticated  }}
 
       - name: Build Test-Runner Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: tests/Dockerfile
           context: "."
@@ -124,7 +124,7 @@ jobs:
         if: ${{ ( !inputs.authenticated || steps.check-image.outcome == 'failure' )  }}
 
       - name: Build ${{ inputs.image }} Container
-        uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
+        uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6.2.0
         with:
           file: build/Dockerfile
           context: "."

From fd481829d4b949c772e1e56944ed5d16e2459974 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Thu, 27 Jun 2024 11:23:21 +0100
Subject: [PATCH 25/37] update docs to 3.6.0 & pipeline fixes for release
 (#5874)

---
 .github/config/config-plus-azure              |  1 +
 .github/config/config-plus-ecr                |  9 ++--
 .github/config/config-plus-gcr-public         |  3 +-
 .github/scripts/create-release-tarballs.sh    |  2 +-
 .github/workflows/build-oss.yml               | 16 +++---
 .github/workflows/build-plus.yml              | 14 +++--
 .github/workflows/publish-helm.yml            |  4 +-
 .github/workflows/release.yml                 | 54 ++++++++++++-------
 README.md                                     |  4 +-
 charts/nginx-ingress/Chart.yaml               |  4 +-
 charts/nginx-ingress/README.md                | 20 +++----
 charts/nginx-ingress/values-icp.yaml          |  2 +-
 charts/nginx-ingress/values-plus.yaml         |  2 +-
 charts/nginx-ingress/values.schema.json       | 10 ++--
 charts/nginx-ingress/values.yaml              |  2 +-
 deployments/daemon-set/nginx-ingress.yaml     |  4 +-
 .../daemon-set/nginx-plus-ingress.yaml        |  4 +-
 deployments/deployment/nginx-ingress.yaml     |  4 +-
 .../deployment/nginx-plus-ingress.yaml        |  4 +-
 .../configuration/configuration-examples.md   |  4 +-
 .../configmap-resource.md                     | 16 +++---
 .../global-configuration/custom-templates.md  |  2 +-
 .../host-and-listener-collisions.md           |  2 +-
 ...advanced-configuration-with-annotations.md | 40 +++++++-------
 .../ingress-resources/basic-configuration.md  |  2 +-
 .../cross-namespace-configuration.md          |  4 +-
 .../ingress-resources/custom-annotations.md   |  4 +-
 docs/content/configuration/policy-resource.md |  4 +-
 docs/content/configuration/security.md        |  6 +--
 .../configuration/transportserver-resource.md |  2 +-
 ...server-and-virtualserverroute-resources.md |  6 +--
 .../installation/create-custom-resources.md   |  2 +-
 .../building-nginx-ingress-controller.md      |  4 +-
 .../installing-nic/installation-with-helm.md  | 20 +++----
 .../installation-with-manifests.md            | 14 ++---
 .../installation-with-operator.md             |  2 +-
 .../app-protect-dos/configuration.md          |  2 +-
 .../app-protect-dos/installation.md           |  8 +--
 .../app-protect-waf/configuration.md          | 24 ++++-----
 .../app-protect-waf/installation.md           |  6 +--
 .../pulling-ingress-controller-image.md       | 22 ++++----
 .../using-the-jwt-token-docker-secret.md      | 24 ++++-----
 .../content/overview/controller-comparison.md |  4 +-
 docs/content/overview/nginx-plus.md           |  6 +--
 docs/content/releases.md                      | 49 +++++++++++++++++
 docs/content/technical-specifications.md      | 42 ++++++++-------
 .../troubleshooting/troubleshoot-common.md    |  2 +-
 docs/content/tutorials/custom-listen-ports.md |  2 +-
 .../content/tutorials/nginx-dynamic-module.md |  2 +-
 .../tutorials/oidc-custom-configuration.md    |  2 +-
 docs/content/tutorials/security-monitoring.md |  6 +--
 ...rtual-server-with-custom-listener-ports.md |  2 +-
 docs/content/usage-reporting.md               |  2 +-
 53 files changed, 290 insertions(+), 212 deletions(-)

diff --git a/.github/config/config-plus-azure b/.github/config/config-plus-azure
index bcccd67e77..69bf43c703 100644
--- a/.github/config/config-plus-azure
+++ b/.github/config/config-plus-azure
@@ -6,6 +6,7 @@ export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="marketplaceimages/nginx-plus-ingress-nap
 declare -a PLUS_TAG_POSTFIX_LIST=("")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("")
 declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=()
 declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("")
 declare -a ADDITIONAL_TAGS=()
 export PUBLISH_OSS=false
diff --git a/.github/config/config-plus-ecr b/.github/config/config-plus-ecr
index 452fa6f124..a59a460a1a 100644
--- a/.github/config/config-plus-ecr
+++ b/.github/config/config-plus-ecr
@@ -3,9 +3,10 @@ export TARGET_PLUS_IMAGE_PREFIX=nginx/nginx-plus-ingress
 export TARGET_NAP_WAF_IMAGE_PREFIX=nginx/nginx-plus-ingress-nap
 export TARGET_NAP_DOS_IMAGE_PREFIX=nginx/nginx-plus-ingress-dos
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX=nginx/nginx-plus-ingress-dos-nap
-declare -a PLUS_TAG_POSTFIX_LIST=("-mktpl" "-alpine-mktpl" "-alpine-mktpl-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("-mktpl" "-ubi-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("-mktpl")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("-mktpl")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=()
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("-mktpl")
 declare -a ADDITIONAL_TAGS=()
 export PUBLISH_OSS=false
diff --git a/.github/config/config-plus-gcr-public b/.github/config/config-plus-gcr-public
index f508554928..71cee5dc28 100644
--- a/.github/config/config-plus-gcr-public
+++ b/.github/config/config-plus-gcr-public
@@ -6,5 +6,6 @@ export TARGET_NAP_WAF_IMAGE_PREFIX=nginxinc/nginx-plus-ingress-nap
 export TARGET_NAP_DOS_IMAGE_PREFIX=nginxinc/nginx-plus-ingress-dos
 declare -a PLUS_TAG_POSTFIX_LIST=("")
 declare -a NAP_WAF_TAG_POSTFIX_LIST=("")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=()
+declare -a NAP_DOS_TAG_POSTFIX_LIST=()
 declare -a ADDITIONAL_TAGS=(${ADDITIONAL_TAG})
diff --git a/.github/scripts/create-release-tarballs.sh b/.github/scripts/create-release-tarballs.sh
index 4954c4dfe5..11dd8b6581 100755
--- a/.github/scripts/create-release-tarballs.sh
+++ b/.github/scripts/create-release-tarballs.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-set -e
+set -ex
 
 directory=$1
 version=$2
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 36ca2b37b3..7e40a06396 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -95,12 +95,16 @@ jobs:
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
-      - name: Check if images exist
-        id: images_exist
+      - name: Set base name variable
+        id: base_name
         run: |
           base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss:${{ inputs.base-image-md5 }}-${{ inputs.image }}"
           echo "image=${base_image}" >> $GITHUB_OUTPUT
-          if docker manifest inspect ${base_image}; then
+
+      - name: Check if images exist
+        id: images_exist
+        run: |
+          if docker manifest inspect ${{ steps.base_name.outputs.image }}; then
             echo "base_exists=true" >> $GITHUB_OUTPUT
           fi
           if docker manifest inspect ${{ steps.meta.outputs.tags }}; then
@@ -125,7 +129,7 @@ jobs:
           context: "."
           cache-to: type=gha,scope=${{ inputs.image }},mode=max
           target: common
-          tags: ${{ steps.images_exist.outputs.image }}
+          tags: ${{ steps.base_name.outputs.image }}
           platforms: ${{ inputs.platforms }}
           pull: true
           push: true
@@ -138,7 +142,7 @@ jobs:
       - name: Debug values
         run: |
           echo "authenticated: ${{ inputs.authenticated }}"
-          echo "images_exist: ${{ steps.images_exist.outputs.base_exists }}"
+          echo "base_exists: ${{ steps.images_exist.outputs.base_exists }}"
           echo "target_exists: ${{ steps.images_exist.outputs.target_exists }}"
           echo "full-build: ${{ inputs.full-build }}"
 
@@ -170,7 +174,7 @@ jobs:
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
-            ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image) }}
+            ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_name.outputs.image) }}
             IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
         if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 45796e9d88..6f9e8da2af 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -100,12 +100,16 @@ jobs:
         env:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
-      - name: Check if images exist
-        id: images_exist
+      - name: Set base name variable
+        id: base_name
         run: |
           base_image="gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus:${{ inputs.base-image-md5 }}-${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }}${{ contains(inputs.image, 'v5') && '-v5' || '' }}"
           echo "image=${base_image}" >> $GITHUB_OUTPUT
-          if docker manifest inspect ${base_image}; then
+
+      - name: Check if images exist
+        id: images_exist
+        run: |
+          if docker pull ${{ steps.base_name.outputs.image }}; then
             echo "base_exists=true" >> $GITHUB_OUTPUT
           fi
           if docker manifest inspect ${{ steps.meta.outputs.tags }}; then
@@ -130,7 +134,7 @@ jobs:
           context: "."
           cache-to: type=gha,scope=${{ inputs.image }}${{ steps.nap_modules.outputs.name != '' && format('-{0}', steps.nap_modules.outputs.name) || '' }},mode=max
           target: common
-          tags: ${{ steps.images_exist.outputs.image }}
+          tags: ${{ steps.base_name.outputs.image }}
           platforms: ${{ inputs.platforms }}
           pull: true
           push: true
@@ -180,7 +184,7 @@ jobs:
           provenance: false
           build-args: |
             BUILD_OS=${{ inputs.image }}
-            ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.images_exist.outputs.image ) }}
+            ${{ inputs.authenticated && format('PREBUILT_BASE_IMG={0}', steps.base_name.outputs.image ) }}
             IC_VERSION=${{ inputs.ic-version && inputs.ic-version || steps.meta.outputs.version }}
             ${{ inputs.nap-modules != '' && format('NAP_MODULES={0}', steps.nap_modules.outputs.name) || '' }}
             ${{ (contains(inputs.target, 'aws') && inputs.nap-modules != '') && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml
index 22b2e62cdf..1e8835acb5 100644
--- a/.github/workflows/publish-helm.yml
+++ b/.github/workflows/publish-helm.yml
@@ -95,7 +95,7 @@ jobs:
           fetch-depth: 1
           token: ${{ secrets.NGINX_PAT }}
           path: helm-charts
-        if: ${{ inputs.nginx_helm_repo == 'true' }}
+        if: ${{ inputs.nginx_helm_repo }}
 
       - name: Push Helm Chart to Helm Charts Repository
         run: |
@@ -106,4 +106,4 @@ jobs:
           git -c user.name='NGINX Kubernetes Team' -c user.email='kubernetes@nginx.com' \
           commit -m "NGINX Ingress Controller - Release ${{ inputs.chart_version }}"
           git push -u origin master
-        if: ${{ inputs.nginx_helm_repo == 'true' }}
+        if: ${{ inputs.nginx_helm_repo }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3a55fa1d53..c0930366cb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -94,6 +94,8 @@ jobs:
 
       - name: Create new release Tag
         run: |
+          git config --global user.email "kubernetes@nginx.com"
+          git config --global user.name "NGINX Kubernetes Team"
           branch="${{ inputs.release_branch }}"
           tag="v${{ inputs.nic_version }}"
           if ! git rev-parse --verify refs/tags/${tag}; then
@@ -113,7 +115,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
 
   release-oss:
-    if: ${{ ! contains(inputs.skip_step, 'release-oss') }}
+    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-oss') }}
     name: Release Docker OSS
     needs: [variables]
     uses: ./.github/workflows/oss-release.yml
@@ -134,7 +136,7 @@ jobs:
     secrets: inherit
 
   release-plus:
-    if: ${{ ! contains(inputs.skip_step, 'release-plus') }}
+    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'release-plus') }}
     name: Release Docker Plus
     needs: [variables]
     uses: ./.github/workflows/plus-release.yml
@@ -154,7 +156,7 @@ jobs:
     secrets: inherit
 
   publish-helm-chart:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'publish-helm-chart') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'publish-helm-chart') }}
     name: Publish Helm Chart
     uses: ./.github/workflows/publish-helm.yml
     with:
@@ -168,7 +170,7 @@ jobs:
     secrets: inherit
 
   certify-openshift-images:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'certify-openshift-images') }}
     name: Certify OpenShift UBI images
     runs-on: ubuntu-22.04
     needs: [release-oss]
@@ -187,7 +189,7 @@ jobs:
           pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
 
   operator:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'operator') && !contains(inputs.skip_step, 'publish-helm-chart') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'operator') && !contains(inputs.skip_step, 'publish-helm-chart') }}
     name: Trigger PR for Operator
     runs-on: ubuntu-22.04
     needs: [publish-helm-chart]
@@ -208,7 +210,7 @@ jobs:
             })
 
   gcp-marketplace:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'gcp-marketplace') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'gcp-marketplace') }}
     name: Trigger PR for GCP Marketplace
     runs-on: ubuntu-22.04
     needs: [publish-helm-chart]
@@ -229,7 +231,7 @@ jobs:
             })
 
   azure-marketplace:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }}
     name: Trigger CNAB Build for Azure Marketplace
     runs-on: ubuntu-22.04
     needs: [publish-helm-chart]
@@ -245,17 +247,20 @@ jobs:
               workflow_id: 'build-cnab.yml',
               ref: 'main',
               inputs: {
-                chart_version: '${{ inputs.chart_version }}'
-                ic_version: '${{ inputs.nic_version }}'
+                chart_version: '${{ inputs.chart_version }}',
+                ic_version: '${{ inputs.nic_version }}',
                 cnab_version: '${{ inputs.cnab_version }}'
               },
             })
 
   aws-marketplace:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'aws-marketplace') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'aws-marketplace') }}
     name: Publish to AWS Marketplace
     runs-on: ubuntu-22.04
     needs: [release-plus]
+    permissions:
+      contents: read
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -296,9 +301,12 @@ jobs:
     needs: [variables]
     permissions:
       contents: read
+      id-token: write # for cosign to sign artifacts
     steps:
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          ref: ${{ inputs.release_branch }}
 
       - name: Fetch Binary Artifacts from Cache
         uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
@@ -331,7 +339,7 @@ jobs:
         if: ${{ needs.variables.outputs.binary_cache_sign_hit != 'true' }}
 
   azure-upload:
-    if: ${{ ! contains(inputs.skip_step, 'azure-upload') }}
+    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'azure-upload') }}
     name: Upload packages to Azure
     runs-on: ubuntu-22.04
     needs: [variables, binaries]
@@ -374,7 +382,7 @@ jobs:
             done
 
   github-release:
-    if: ${{ ! contains(inputs.skip_step, 'github-release') }}
+    if: ${{ ! cancelled() && ! failure() && ! contains(inputs.skip_step, 'github-release') }}
     name: Publish release to GitHub
     runs-on: ubuntu-22.04
     needs: [variables, binaries, release-oss, release-plus, azure-upload]
@@ -400,7 +408,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         # clobber overwrites existing assets of the same name
         run: |
-          if ! ${{ inputs.dry_run }}
+          if ! ${{ inputs.dry_run }}; then
             gh release upload --clobber v${{ inputs.nic_version }} \
               $(find ./tarballs -type f)
           else
@@ -414,13 +422,19 @@ jobs:
           milestone_number=$(gh api \
             -H "Accept: application/vnd.github.v3+json" \
             /repos/${{ github.repository }}/milestones \
-            | jq --arg version ${{ inputs.nic_version }} -r \
+            | jq --arg version "v${{ inputs.nic_version }}" -r \
             '.[] | select(.title == $version) | .number')
-          if ! ${{ inputs.dry_run }}
-            gh api --method PATCH -H "Accept: application/vnd.github.v3+json" \
-              /repos/${{ github.repository }}/milestones/${milestone_number} \
+          if [ -n "${milestone_number}" ]; then
+            if ! ${{ inputs.dry_run }}; then
+              gh api --method PATCH -H "Accept: application/vnd.github.v3+json" \
+                /repos/${{ github.repository }}/milestones/${milestone_number} \
+                -f "title=v${{ inputs.nic_version }}" \
+                -f "state=closed";
+            else
+              echo "Skipping closing Github Release milestone, DRY_RUN"
+            fi
           else
-            echo "Skipping closing Github Release milestone, DRY_RUN"
+            echo "Github Milestone not available, closed already."
           fi
 
       - name: Get Github release id
@@ -432,7 +446,7 @@ jobs:
             -H "Accept: application/vnd.github.v3+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
             /repos/${{ github.repository }}/releases \
-            | jq --arg version ${{ inputs.nic_version }} -r \
+            | jq --arg version "v${{ inputs.nic_version }}" -r \
             '.[] | select(.name == $version) | .id')
           echo "release_id=${release_id}" >> $GITHUB_OUTPUT
 
@@ -473,7 +487,7 @@ jobs:
         if: ${{ ! inputs.dry_run }}
 
   release-image-notification:
-    if: ${{ ! inputs.dry_run && ! contains(inputs.skip_step, 'release-image-notification') }}
+    if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'release-image-notification') }}
     name: Notify Slack channels about image release
     runs-on: ubuntu-22.04
     needs: [variables, binaries, release-oss, release-plus]
diff --git a/README.md b/README.md
index 448ab25d8a..e58d4a8a9b 100644
--- a/README.md
+++ b/README.md
@@ -123,7 +123,7 @@ In the case of NGINX, the Ingress Controller is deployed in a pod along with the
 We publish NGINX Ingress Controller releases on GitHub. See our [releases
 page](https://github.com/nginxinc/kubernetes-ingress/releases).
 
-The latest stable release is [3.5.2](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.5.2). For production
+The latest stable release is [3.6.0](https://github.com/nginxinc/kubernetes-ingress/releases/tag/v3.6.0). For production
 use, we recommend that you choose the latest stable release.
 
 The edge version is useful for experimenting with new features that are not yet published in a stable release. To use
@@ -143,7 +143,7 @@ your links to the correct versions:
 
 | Version | Description |  Image for NGINX | Image for NGINX Plus | Installation Manifests and Helm Chart | Documentation and Examples |
 | ------- | ----------- | --------------- | -------------------- | ---------------------------------------| -------------------------- |
-| Latest stable release | For production use | Use the 3.5.2 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.5.2 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). |
+| Latest stable release | For production use | Use the 3.6.0 images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-ingress-controller-image/). | Use the 3.6.0 images from the [F5 Container Registry](https://docs.nginx.com/nginx-ingress-controller/installation/pulling-ingress-controller-image/) or the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE) or [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/charts/nginx-ingress). | [Documentation](https://docs.nginx.com/nginx-ingress-controller/). [Examples](https://docs.nginx.com/nginx-ingress-controller/configuration/configuration-examples/). |
 | Edge/Nightly | For testing and experimenting | Use the edge or nightly images from [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress) or [build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Build your own image](https://docs.nginx.com/nginx-ingress-controller/installation/building-nginx-ingress-controller/). | [Manifests](https://github.com/nginxinc/kubernetes-ingress/tree/main/deployments). [Helm chart](https://github.com/nginxinc/kubernetes-ingress/tree/main/charts/nginx-ingress). | [Documentation](https://github.com/nginxinc/kubernetes-ingress/tree/main/docs/content). [Examples](https://github.com/nginxinc/kubernetes-ingress/tree/main/examples). |
 
 ## SBOM (Software Bill of Materials)
diff --git a/charts/nginx-ingress/Chart.yaml b/charts/nginx-ingress/Chart.yaml
index 66c5315c79..7f1d8d8a1a 100644
--- a/charts/nginx-ingress/Chart.yaml
+++ b/charts/nginx-ingress/Chart.yaml
@@ -5,10 +5,10 @@ appVersion: 3.7.0
 kubeVersion: ">= 1.23.0-0"
 type: application
 description: NGINX Ingress Controller
-icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/charts/nginx-ingress/chart-icon.png
+icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/charts/nginx-ingress/chart-icon.png
 home: https://github.com/nginxinc/kubernetes-ingress
 sources:
-  - https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress
+  - https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/charts/nginx-ingress
 keywords:
   - ingress
   - nginx
diff --git a/charts/nginx-ingress/README.md b/charts/nginx-ingress/README.md
index 7e44b0933c..36ecbbdd5f 100644
--- a/charts/nginx-ingress/README.md
+++ b/charts/nginx-ingress/README.md
@@ -51,10 +51,10 @@ kubectl apply -f crds/
 Alternatively, CRDs can be upgraded without pulling the chart by running:
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml
+kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds.yaml
 ```
 
-In the above command, `v3.5.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version.
+In the above command, `v3.6.0` represents the version of NGINX Ingress Controller release rather than the Helm chart version.
 
 > **Note**
 >
@@ -87,14 +87,14 @@ To install the chart with the release name my-release (my-release is the name th
 For NGINX:
 
 ```console
-helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2
+helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0
 ```
 
 For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry
 `myregistry.example.com`)
 
 ```console
-helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
+helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
 ```
 
 This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to
@@ -109,7 +109,7 @@ CRDs](#upgrading-the-crds).
 To upgrade the release `my-release`:
 
 ```console
-helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2
+helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0
 ```
 
 ### Uninstalling the Chart
@@ -150,7 +150,7 @@ upgrading/deleting the CRDs.
 1. Pull the chart sources:
 
     ```console
-    helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.2.2
+    helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.3.0
     ```
 
 2. Change your working directory to nginx-ingress:
@@ -236,7 +236,7 @@ The steps you should follow depend on the Helm release name:
     Selector:               app=nginx-ingress-nginx-ingress
     ```
 
-2. Checkout the latest available tag using `git checkout v3.5.2`
+2. Checkout the latest available tag using `git checkout v3.6.0`
 
 3. Navigate to `/kubernates-ingress/charts/nginx-ingress`
 
@@ -288,7 +288,7 @@ reviewing its events:
     Selector:               app=<helm_release_name>-nginx-ingress
     ```
 
-2. Checkout the latest available tag using `git checkout v3.5.2`
+2. Checkout the latest available tag using `git checkout v3.6.0`
 
 3. Navigate to `/kubernates-ingress/charts/nginx-ingress`
 
@@ -355,7 +355,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.logLevel` | The log level of the Ingress Controller. | 1 |
 |`controller.image.digest` | The image digest of the Ingress Controller. | None |
 |`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress |
-|`controller.image.tag` | The tag of the Ingress Controller image. | 3.5.2 |
+|`controller.image.tag` | The tag of the Ingress Controller image. | 3.6.0 |
 |`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent |
 |`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} |
 |`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" |
@@ -386,7 +386,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi |
 |`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 |
 |`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
-|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.5.2, do not set the value to false. | true |
+|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.6.0, do not set the value to false. | true |
 |`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false |
 |`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" |
 |`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" |
diff --git a/charts/nginx-ingress/values-icp.yaml b/charts/nginx-ingress/values-icp.yaml
index 404bbe6f67..d973006e66 100644
--- a/charts/nginx-ingress/values-icp.yaml
+++ b/charts/nginx-ingress/values-icp.yaml
@@ -4,7 +4,7 @@ controller:
   nginxplus: true
   image:
     repository: mycluster.icp:8500/kube-system/nginx-plus-ingress
-    tag: "3.5.2"
+    tag: "3.6.0"
   nodeSelector:
     beta.kubernetes.io/arch: "amd64"
     proxy: true
diff --git a/charts/nginx-ingress/values-plus.yaml b/charts/nginx-ingress/values-plus.yaml
index c5d24f9aaa..f51a2347cb 100644
--- a/charts/nginx-ingress/values-plus.yaml
+++ b/charts/nginx-ingress/values-plus.yaml
@@ -3,4 +3,4 @@ controller:
   nginxplus: true
   image:
     repository: nginx-plus-ingress
-    tag: "3.5.2"
+    tag: "3.6.0"
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
index 2b344695a2..6c53cfe6b7 100644
--- a/charts/nginx-ingress/values.schema.json
+++ b/charts/nginx-ingress/values.schema.json
@@ -540,10 +540,10 @@
             },
             "tag": {
               "type": "string",
-              "default": "3.5.2",
+              "default": "3.6.0",
               "title": "The tag of the Ingress Controller image",
               "examples": [
-                "3.5.2"
+                "3.6.0"
               ]
             },
             "digest": {
@@ -580,7 +580,7 @@
           "examples": [
             {
               "repository": "nginx/nginx-ingress",
-              "tag": "3.5.2",
+              "tag": "3.6.0",
               "pullPolicy": "IfNotPresent"
             }
           ]
@@ -1670,7 +1670,7 @@
           "customPorts": [],
           "image": {
             "repository": "nginx/nginx-ingress",
-            "tag": "3.5.2",
+            "tag": "3.6.0",
             "digest": "",
             "pullPolicy": "IfNotPresent"
           },
@@ -2211,7 +2211,7 @@
         "customPorts": [],
         "image": {
           "repository": "nginx/nginx-ingress",
-          "tag": "3.5.2",
+          "tag": "3.6.0",
           "digest": "",
           "pullPolicy": "IfNotPresent"
         },
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
index f7201bb285..a3b888ab4c 100644
--- a/charts/nginx-ingress/values.yaml
+++ b/charts/nginx-ingress/values.yaml
@@ -134,7 +134,7 @@ controller:
     repository: nginx/nginx-ingress
 
     ## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag.
-    # tag: "3.5.2"
+    # tag: "3.6.0"
     ## The digest of the Ingress Controller image.
     ## If digest is specified it has precedence over tag and will be used instead
     # digest: "sha256:CHANGEME"
diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml
index 2f462e449f..74bb3f1d0d 100644
--- a/deployments/daemon-set/nginx-ingress.yaml
+++ b/deployments/daemon-set/nginx-ingress.yaml
@@ -32,7 +32,7 @@ spec:
 #      - name: nginx-log
 #        emptyDir: {}
       containers:
-      - image: nginx/nginx-ingress:3.5.2
+      - image: nginx/nginx-ingress:3.6.0
         imagePullPolicy: IfNotPresent
         name: nginx-ingress
         ports:
@@ -96,7 +96,7 @@ spec:
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
 #      initContainers:
-#      - image: nginx/nginx-ingress:3.5.2
+#      - image: nginx/nginx-ingress:3.6.0
 #        imagePullPolicy: IfNotPresent
 #        name: init-nginx-ingress
 #        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml
index a769154900..71c244585b 100644
--- a/deployments/daemon-set/nginx-plus-ingress.yaml
+++ b/deployments/daemon-set/nginx-plus-ingress.yaml
@@ -32,7 +32,7 @@ spec:
 #      - name: nginx-log
 #        emptyDir: {}
       containers:
-      - image: nginx-plus-ingress:3.5.2
+      - image: nginx-plus-ingress:3.6.0
         imagePullPolicy: IfNotPresent
         name: nginx-plus-ingress
         ports:
@@ -99,7 +99,7 @@ spec:
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
 #      initContainers:
-#      - image: nginx/nginx-ingress:3.5.2
+#      - image: nginx/nginx-ingress:3.6.0
 #        imagePullPolicy: IfNotPresent
 #        name: init-nginx-ingress
 #        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml
index 2a1469b812..5169f1db7b 100644
--- a/deployments/deployment/nginx-ingress.yaml
+++ b/deployments/deployment/nginx-ingress.yaml
@@ -33,7 +33,7 @@ spec:
 #      - name: nginx-log
 #        emptyDir: {}
       containers:
-      - image: nginx/nginx-ingress:3.5.2
+      - image: nginx/nginx-ingress:3.6.0
         imagePullPolicy: IfNotPresent
         name: nginx-ingress
         ports:
@@ -97,7 +97,7 @@ spec:
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
 #      initContainers:
-#      - image: nginx/nginx-ingress:3.5.2
+#      - image: nginx/nginx-ingress:3.6.0
 #        imagePullPolicy: IfNotPresent
 #        name: init-nginx-ingress
 #        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml
index 74f7e3b560..6868cb3497 100644
--- a/deployments/deployment/nginx-plus-ingress.yaml
+++ b/deployments/deployment/nginx-plus-ingress.yaml
@@ -33,7 +33,7 @@ spec:
 #      - name: nginx-log
 #        emptyDir: {}
       containers:
-      - image: nginx-plus-ingress:3.5.2
+      - image: nginx-plus-ingress:3.6.0
         imagePullPolicy: IfNotPresent
         name: nginx-plus-ingress
         ports:
@@ -103,7 +103,7 @@ spec:
          #- -enable-service-insight
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
 #      initContainers:
-#      - image: nginx/nginx-ingress:3.5.2
+#      - image: nginx/nginx-ingress:3.6.0
 #        imagePullPolicy: IfNotPresent
 #        name: init-nginx-ingress
 #        command: ['cp', '-vdR', '/etc/nginx/.', '/mnt/etc']
diff --git a/docs/content/configuration/configuration-examples.md b/docs/content/configuration/configuration-examples.md
index aa65bacad6..799ae26014 100644
--- a/docs/content/configuration/configuration-examples.md
+++ b/docs/content/configuration/configuration-examples.md
@@ -9,5 +9,5 @@ weight: 400
 
 Our [GitHub repo](https://github.com/nginxinc/kubernetes-ingress) includes a number of configuration examples:
 
-- [*Examples of Custom Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources.
-- [*Examples of Ingress Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations.
+- [*Examples of Custom Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources) show how to advanced NGINX features by using VirtualServer, VirtualServerRoute, TransportServer and Policy Custom Resources.
+- [*Examples of Ingress Resources*](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources) show how to use advanced NGINX features in Ingress resources with annotations.
diff --git a/docs/content/configuration/global-configuration/configmap-resource.md b/docs/content/configuration/global-configuration/configmap-resource.md
index 8eedab536e..74bbfdb89d 100644
--- a/docs/content/configuration/global-configuration/configmap-resource.md
+++ b/docs/content/configuration/global-configuration/configmap-resource.md
@@ -95,10 +95,10 @@ For more information, view the [VirtualServer and VirtualServerRoute resources](
 |*server-names-hash-max-size* | Sets the value of the [server_names_hash_max_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_names_hash_max_size) directive. | *1024* |  |
 |*map-hash-bucket-size* | Sets the value of the [map_hash_bucket_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_bucket_size) directive.| *256* |  |
 |*map-hash-max-size* | Sets the value of the [map_hash_max_size](http://nginx.org/en/docs/http/ngx_http_map_module.html#map_hash_max_size) directive. | *2048* |  |
-|*resolver-addresses* | Sets the value of the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) addresses. Note: If you use a DNS name (for example, *kube-dns.kube-system.svc.cluster.local* ) as a resolver address, NGINX Plus will resolve it using the system resolver during the start and on every configuration reload. If the name cannot be resolved or the DNS server doesn't respond, NGINX Plus will fail to start or reload. To avoid this, we recommend using IP addresses as resolver addresses instead of DNS names. Supported in NGINX Plus only. | N/A | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/externalname-services). |
-|*resolver-ipv6* | Enables IPv6 resolution in the resolver. Supported in NGINX Plus only. | *True* | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/externalname-services). |
-|*resolver-valid* | Sets the time NGINX caches the resolved DNS records. Supported in NGINX Plus only. | TTL value of a DNS record | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/externalname-services). |
-|*resolver-timeout* | Sets the [resolver_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver_timeout) for name resolution. Supported in NGINX Plus only. | *30s* | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/externalname-services). |
+|*resolver-addresses* | Sets the value of the [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver) addresses. Note: If you use a DNS name (for example, *kube-dns.kube-system.svc.cluster.local* ) as a resolver address, NGINX Plus will resolve it using the system resolver during the start and on every configuration reload. If the name cannot be resolved or the DNS server doesn't respond, NGINX Plus will fail to start or reload. To avoid this, we recommend using IP addresses as resolver addresses instead of DNS names. Supported in NGINX Plus only. | N/A | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/externalname-services). |
+|*resolver-ipv6* | Enables IPv6 resolution in the resolver. Supported in NGINX Plus only. | *True* | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/externalname-services). |
+|*resolver-valid* | Sets the time NGINX caches the resolved DNS records. Supported in NGINX Plus only. | TTL value of a DNS record | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/externalname-services). |
+|*resolver-timeout* | Sets the [resolver_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver_timeout) for name resolution. Supported in NGINX Plus only. | *30s* | [Support for Type ExternalName Services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/externalname-services). |
 |*keepalive-timeout* | Sets the value of the [keepalive_timeout](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) directive. | *75s* |  |
 |*keepalive-requests* | Sets the value of the [keepalive_requests](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_requests) directive. | *1000* |  |
 |*variables-hash-bucket-size* | Sets the value of the [variables_hash_bucket_size](https://nginx.org/en/docs/http/ngx_http_core_module.html#variables_hash_bucket_size) directive. | *256* |  |
@@ -115,9 +115,9 @@ For more information, view the [VirtualServer and VirtualServerRoute resources](
 |*error-log-level* | Sets the global [error log level](https://nginx.org/en/docs/ngx_core_module.html#error_log) for NGINX. | *notice* |  |
 |*access-log-off* | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log). | *False* |  |
 |*default-server-access-log-off* | Disables the [access log](https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log) for the default server. If access log is disabled globally (*access-log-off: "True"*), then the default server access log is always disabled. | *False* |  |
-|*log-format* | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by *\n*). In that case, the Ingress Controller will replace every *\n* character with a space character. All *'* characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/shared-examples/custom-log-format). |
+|*log-format* | Sets the custom [log format](https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format) for HTTP and HTTPS traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by *\n*). In that case, the Ingress Controller will replace every *\n* character with a space character. All *'* characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/internal/configs/version1/nginx.tmpl) for the access log. | [Custom Log Format](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/shared-examples/custom-log-format). |
 |*log-format-escaping* | Sets the characters escaping for the variables of the log format. Supported values: *json* (JSON escaping), *default* (the default escaping) *none* (disables escaping). | *default* |  |
-|*stream-log-format* | Sets the custom [log format](https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format) for TCP, UDP, and TLS Passthrough traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by *\n*). In that case, the Ingress Controller will replace every *\n* character with a space character. All *'* characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/internal/configs/version1/nginx.tmpl). |  |
+|*stream-log-format* | Sets the custom [log format](https://nginx.org/en/docs/stream/ngx_stream_log_module.html#log_format) for TCP, UDP, and TLS Passthrough traffic. For convenience, it is possible to define the log format across multiple lines (each line separated by *\n*). In that case, the Ingress Controller will replace every *\n* character with a space character. All *'* characters must be escaped. | See the [template file](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/internal/configs/version1/nginx.tmpl). |  |
 |*stream-log-format-escaping* | Sets the characters escaping for the variables of the stream log format. Supported values: *json* (JSON escaping), *default* (the default escaping) *none* (disables escaping). | *default* |  |
 {{</bootstrap-table>}}
 
@@ -159,7 +159,7 @@ For more information, view the [VirtualServer and VirtualServerRoute resources](
 |ConfigMap Key | Description | Default | Example |
 | ---| ---| ---| --- |
 |*http2* | Enables HTTP/2 in servers with SSL enabled. | *False* |  |
-|*proxy-protocol* | Enables PROXY Protocol for incoming connections. | *False* | [Proxy Protocol](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/shared-examples/proxy-protocol). |
+|*proxy-protocol* | Enables PROXY Protocol for incoming connections. | *False* | [Proxy Protocol](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/shared-examples/proxy-protocol). |
 {{</bootstrap-table>}}
 
 ---
@@ -187,7 +187,7 @@ For more information, view the [VirtualServer and VirtualServerRoute resources](
 |*http-snippets* | Sets a custom snippet in http context. | N/A |  |
 |*location-snippets* | Sets a custom snippet in location context. | N/A |  |
 |*server-snippets* | Sets a custom snippet in server context. | N/A |  |
-|*stream-snippets* | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/tcp-udp). |
+|*stream-snippets* | Sets a custom snippet in stream context. | N/A | [Support for TCP/UDP Load Balancing](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/tcp-udp). |
 |*main-template* | Sets the main NGINX configuration template. | By default the template is read from the file in the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
 |*ingress-template* | Sets the NGINX configuration template for an Ingress resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
 |*virtualserver-template* | Sets the NGINX configuration template for an VirtualServer resource. | By default the template is read from the file on the container. | [Custom Templates](/nginx-ingress-controller/configuration/global-configuration/custom-templates). |
diff --git a/docs/content/configuration/global-configuration/custom-templates.md b/docs/content/configuration/global-configuration/custom-templates.md
index 60c391c578..db1846283a 100644
--- a/docs/content/configuration/global-configuration/custom-templates.md
+++ b/docs/content/configuration/global-configuration/custom-templates.md
@@ -8,4 +8,4 @@ weight: 500
 ---
 
 
-F5 NGINX Ingress Controller uses templates to generate NGINX configuration for Ingress resources, VirtualServer resources and the main NGINX configuration file. You can customize the templates and apply them via the ConfigMap. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/shared-examples/custom-templates).
+F5 NGINX Ingress Controller uses templates to generate NGINX configuration for Ingress resources, VirtualServer resources and the main NGINX configuration file. You can customize the templates and apply them via the ConfigMap. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/shared-examples/custom-templates).
diff --git a/docs/content/configuration/host-and-listener-collisions.md b/docs/content/configuration/host-and-listener-collisions.md
index 052d60291f..f48899608b 100644
--- a/docs/content/configuration/host-and-listener-collisions.md
+++ b/docs/content/configuration/host-and-listener-collisions.md
@@ -102,7 +102,7 @@ It is possible to merge configuration for multiple Ingress resources for the sam
 
 The [Cross-namespace configuration]({{< relref "configuration/ingress-resources/cross-namespace-configuration.md">}}) topic has more information.
 
-It is *not* possible to merge the configurations for multiple VirtualServer resources for the same host. However, you can split the VirtualServers into multiple VirtualServerRoute resources, which a single VirtualServer can then reference. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/cross-namespace-configuration) on GitHub.
+It is *not* possible to merge the configurations for multiple VirtualServer resources for the same host. However, you can split the VirtualServers into multiple VirtualServerRoute resources, which a single VirtualServer can then reference. See the [corresponding example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/cross-namespace-configuration) on GitHub.
 
 It is *not* possible to merge configuration for multiple TransportServer resources.
 
diff --git a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md
index 778f8105e9..4381fba84f 100644
--- a/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md
+++ b/docs/content/configuration/ingress-resources/advanced-configuration-with-annotations.md
@@ -110,7 +110,7 @@ The table below summarizes the available annotations.
 | *nginx.org/proxy-buffer-size* | *proxy-buffer-size* | Sets the value of the [proxy_buffer_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) and [grpc_buffer_size](https://nginx.org/en/docs/http/ngx_http_grpc_module.html#grpc_buffer_size) directives. | Depends on the platform. |  |
 | *nginx.org/proxy-max-temp-file-size* | *proxy-max-temp-file-size* | Sets the value of the  [proxy_max_temp_file_size](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_max_temp_file_size) directive. | *1024m* |  |
 | *nginx.org/server-tokens* | *server-tokens* | Enables or disables the [server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens) directive. Additionally, with the NGINX Plus, you can specify a custom string value, including the empty string value, which disables the emission of the “Server” field. | *True* |  |
-| *nginx.org/path-regex* | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions.   | N/A |  [path-regex](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/path-regex) |
+| *nginx.org/path-regex* | N/A | Enables regular expression modifiers for Ingress path parameter. This translates to the NGINX [location](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) directive. You can specify one of these values: "case_sensitive", "case_insensitive", or "exact". The annotation is applied to the entire Ingress resource and its paths. While using Master and Minion Ingresses i.e. Mergeable Ingresses, this annotation can be specified on Minion types. The `path-regex` annotation specified on Master is ignored, and has no effect on paths defined on Minions.   | N/A |  [path-regex](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/path-regex) |
 {{</bootstrap-table>}}
 
 ### Request URI/Header Manipulation
@@ -120,7 +120,7 @@ The table below summarizes the available annotations.
 | ---| ---| ---| ---| --- |
 | *nginx.org/proxy-hide-headers* | *proxy-hide-headers* | Sets the value of one or more  [proxy_hide_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_hide_header) directives. Example: ``"nginx.org/proxy-hide-headers": "header-a,header-b"* | N/A |  |
 | *nginx.org/proxy-pass-headers* | *proxy-pass-headers* | Sets the value of one or more   [proxy_pass_header](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_header) directives. Example: ``"nginx.org/proxy-pass-headers": "header-a,header-b"* | N/A |  |
-| *nginx.org/rewrites* | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [rewrites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/rewrites) |
+| *nginx.org/rewrites* | N/A | Configures URI rewriting using [proxy_pass](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass) directive. | N/A | [rewrites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/rewrites) |
 {{</bootstrap-table>}}
 
 ### Auth and SSL/TLS
@@ -136,10 +136,10 @@ The table below summarizes the available annotations.
 | *nginx.org/hsts-behind-proxy* | *hsts-behind-proxy* | Enables HSTS based on the value of the ``http_x_forwarded_proto* request header. Should only be used when TLS termination is configured in a load balancer (proxy) in front of NGINX Ingress Controller. Note: to control redirection from HTTP to HTTPS configure the ``nginx.org/redirect-to-https* annotation. | *False* |  |
 | *nginx.org/basic-auth-secret* | N/A | Specifies a Secret resource with a user list for HTTP Basic authentication. | N/A | |
 | *nginx.org/basic-auth-realm* | N/A | Specifies a realm. | N/A | |
-| *nginx.com/jwt-key* | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/jwt). |
-| *nginx.com/jwt-realm* | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/jwt). |
-| *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization* header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/jwt). |
-| *nginx.com/jwt-login-url* | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/jwt). |
+| *nginx.com/jwt-key* | N/A | Specifies a Secret resource with keys for validating JSON Web Tokens (JWTs). | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/jwt). |
+| *nginx.com/jwt-realm* | N/A | Specifies a realm. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/jwt). |
+| *nginx.com/jwt-token* | N/A | Specifies a variable that contains a JSON Web Token. | By default, a JWT is expected in the ``Authorization* header as a Bearer Token. | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/jwt). |
+| *nginx.com/jwt-login-url* | N/A | Specifies a URL to which a client is redirected in case of an invalid or missing JWT. | N/A | [Support for JSON Web Tokens (JWTs)](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/jwt). |
 {{</bootstrap-table>}}
 
 ### Listeners
@@ -157,19 +157,19 @@ The table below summarizes the available annotations.
 |Annotation | ConfigMap Key | Description | Default | Example |
 | ---| ---| ---| ---| --- |
 | *nginx.org/lb-method* | *lb-method* | Sets the [load balancing method](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#choosing-a-load-balancing-method). To use the round-robin method, specify ``"round_robin"``. | *"random two least_conn"* |  |
-| *nginx.org/ssl-services* | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. | N/A | [ssl-services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/ssl-services) |
-| *nginx.org/grpc-services* | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2* ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [grpc-services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/grpc-services) |
-| *nginx.org/websocket-services* | N/A | Enables WebSocket for services. | N/A | [websocket](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/websocket) |
+| *nginx.org/ssl-services* | N/A | Enables HTTPS or gRPC over SSL when connecting to the endpoints of services. | N/A | [ssl-services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/ssl-services) |
+| *nginx.org/grpc-services* | N/A | Enables gRPC for services. Note: requires HTTP/2 (see ``http2* ConfigMap key); only works for Ingresses with TLS termination enabled. | N/A | [grpc-services](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/grpc-services) |
+| *nginx.org/websocket-services* | N/A | Enables WebSocket for services. | N/A | [websocket](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/websocket) |
 | *nginx.org/max-fails* | *max-fails* | Sets the value of the [max_fails](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_fails) parameter of the ``server* directive. | *1* |  |
 | *nginx.org/max-conns* | N\A | Sets the value of the [max_conns](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#max_conns) parameter of the ``server* directive. | *0* |  |
 | *nginx.org/upstream-zone-size* | *upstream-zone-size* | Sets the size of the shared memory [zone](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#zone) for upstreams. For NGINX, the special value 0 disables the shared memory zones. For NGINX Plus, shared memory zones are required and cannot be disabled. The special value 0 will be ignored. | *256K* |  |
 | *nginx.org/fail-timeout* | *fail-timeout* | Sets the value of the [fail_timeout](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout) parameter of the ``server* directive. | *10s* |  |
-| *nginx.com/sticky-cookie-services* | N/A | Configures session persistence. | N/A | [session-persistence](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/session-persistence) |
+| *nginx.com/sticky-cookie-services* | N/A | Configures session persistence. | N/A | [session-persistence](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/session-persistence) |
 | *nginx.org/keepalive* | *keepalive* | Sets the value of the [keepalive](https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive) directive. Note that ``proxy_set_header Connection "";* is added to the generated configuration when the value > 0. | *0* |  |
-| *nginx.com/health-checks* | N/A | Enables active health checks. | *False* | [health-checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/health-checks) |
-| *nginx.com/health-checks-mandatory* | N/A | Configures active health checks as mandatory. | *False* | [health-checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/health-checks) |
-| *nginx.com/health-checks-mandatory-queue* | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | *0* | [health-checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/health-checks) |
-| *nginx.com/slow-start* | N/A | Sets the upstream server [slow-start period](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#server-slow-start). By default, slow-start is activated after a server becomes [available](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks) or [healthy](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#active-health-checks). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/health-checks). | *"0s"* |  |
+| *nginx.com/health-checks* | N/A | Enables active health checks. | *False* | [health-checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/health-checks) |
+| *nginx.com/health-checks-mandatory* | N/A | Configures active health checks as mandatory. | *False* | [health-checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/health-checks) |
+| *nginx.com/health-checks-mandatory-queue* | N/A | When active health checks are mandatory, creates a queue where incoming requests are temporarily stored while NGINX Plus is checking the health of the endpoints after a configuration reload. | *0* | [health-checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/health-checks) |
+| *nginx.com/slow-start* | N/A | Sets the upstream server [slow-start period](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/#server-slow-start). By default, slow-start is activated after a server becomes [available](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#passive-health-checks) or [healthy](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-health-check/#active-health-checks). To enable slow-start for newly-added servers, configure [mandatory active health checks](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/health-checks). | *"0s"* |  |
 | *nginx.org/use-cluster-ip* | N/A | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method* and ``next-upstream``) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP.   | *False* |  |
 {{</bootstrap-table>}}
 
@@ -206,11 +206,11 @@ The table below summarizes the available annotations.
 {{<bootstrap-table "table table-striped table-bordered table-responsive">}}
 |Annotation | ConfigMap Key | Description | Default | Example |
 | ---| ---| ---| ---| --- |
-| *appprotect.f5.com/app-protect-policy* | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable* is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-waf) |
-| *appprotect.f5.com/app-protect-enable* | N/A | Enable App Protect for the Ingress Resource. | *False* | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-waf) |
-| *appprotect.f5.com/app-protect-security-log-enable* | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | *False* | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-waf) |
-| *appprotect.f5.com/app-protect-security-log* | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the  default is used which is:  filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-waf) |
-| *appprotect.f5.com/app-protect-security-log-destination* | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list.  Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | *syslog:server=localhost:514* | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-waf) |
+| *appprotect.f5.com/app-protect-policy* | N/A | The name of the App Protect Policy for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace of the Ingress Resource is used. If not specified but ``appprotect.f5.com/app-protect-enable* is true, a default policy id applied. If the referenced policy resource does not exist, or policy is invalid, this annotation will be ignored, and the default policy will be applied. | N/A | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-waf) |
+| *appprotect.f5.com/app-protect-enable* | N/A | Enable App Protect for the Ingress Resource. | *False* | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-waf) |
+| *appprotect.f5.com/app-protect-security-log-enable* | N/A | Enable the [security log](/nginx-app-protect/troubleshooting/#app-protect-logging-overview) for App Protect. | *False* | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-waf) |
+| *appprotect.f5.com/app-protect-security-log* | N/A | The App Protect log configuration for the Ingress Resource. Format is ``namespace/name``. If no namespace is specified, the same namespace as the Ingress Resource is used. If not specified the  default is used which is:  filter: ``illegal``, format: ``default``. Multiple configurations can be specified in a comma separated list. Both log configurations and destinations list (see below) must be of equal length. Configs and destinations are paired by the list indices. | N/A | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-waf) |
+| *appprotect.f5.com/app-protect-security-log-destination* | N/A | The destination of the security log. For more information check the [DESTINATION argument](/nginx-app-protect/troubleshooting/#app-protect-logging-overview). Multiple destinations can be specified in a comma-separated list.  Both log configurations and destinations list (see above) must be of equal length. Configs and destinations are paired by the list indices. | *syslog:server=localhost:514* | [app-protect-waf](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-waf) |
 {{</bootstrap-table>}}
 
 ### App Protect DoS
@@ -220,5 +220,5 @@ The table below summarizes the available annotations.
 {{<bootstrap-table "table table-striped table-bordered table-responsive">}}
 |Annotation | ConfigMap Key | Description | Default | Example |
 | ---| ---| ---| ---| --- |
-| *appprotectdos.f5.com/app-protect-dos-resource* | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource]({{< relref "installation/integrations/app-protect-dos/dos-protected.md" >}}). | N/A | [app-protect-dos](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-dos) |
+| *appprotectdos.f5.com/app-protect-dos-resource* | N/A | Enable App Protect DoS for the Ingress Resource by specifying a [DosProtectedResource]({{< relref "installation/integrations/app-protect-dos/dos-protected.md" >}}). | N/A | [app-protect-dos](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-dos) |
 {{</bootstrap-table>}}
diff --git a/docs/content/configuration/ingress-resources/basic-configuration.md b/docs/content/configuration/ingress-resources/basic-configuration.md
index c22fa376c4..28d3d41f64 100644
--- a/docs/content/configuration/ingress-resources/basic-configuration.md
+++ b/docs/content/configuration/ingress-resources/basic-configuration.md
@@ -53,7 +53,7 @@ Here is a breakdown of what this Ingress resource definition means:
 
 To learn more about the Ingress resource, view [the official Kubernetes documentation for Ingress resources](https://kubernetes.io/docs/concepts/services-networking/ingress/).
 
-{{< note >}} For complete instructions on deploying Ingress and Secret resources in the cluster, see the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/complete-example) in the GitHub repository. {{< /note >}}
+{{< note >}} For complete instructions on deploying Ingress and Secret resources in the cluster, see the [complete example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/complete-example) in the GitHub repository. {{< /note >}}
 
 
 ## New features available in Kubernetes 1.18
diff --git a/docs/content/configuration/ingress-resources/cross-namespace-configuration.md b/docs/content/configuration/ingress-resources/cross-namespace-configuration.md
index 49a62416c3..a4710c8c2a 100644
--- a/docs/content/configuration/ingress-resources/cross-namespace-configuration.md
+++ b/docs/content/configuration/ingress-resources/cross-namespace-configuration.md
@@ -9,6 +9,6 @@ weight: 500
 
 This topic explains how to spread Ingress configuration across different namespaces in F5 NGINX Ingress Controller.
 
-You can spread the Ingress configuration for a common host across multiple Ingress resources using Mergeable Ingress resources. Such resources can belong to the *same* or *different* namespaces. This enables easier management when using a large number of paths. See the [Mergeable Ingress Resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/mergeable-ingress-types) example in our GitHub repo.
+You can spread the Ingress configuration for a common host across multiple Ingress resources using Mergeable Ingress resources. Such resources can belong to the *same* or *different* namespaces. This enables easier management when using a large number of paths. See the [Mergeable Ingress Resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/mergeable-ingress-types) example in our GitHub repo.
 
-As an alternative to Mergeable Ingress resources, you can use [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) for cross-namespace configuration. See the [Cross-Namespace Configuration](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/cross-namespace-configuration) example in our GitHub repo.
+As an alternative to Mergeable Ingress resources, you can use [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) for cross-namespace configuration. See the [Cross-Namespace Configuration](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/cross-namespace-configuration) example in our GitHub repo.
diff --git a/docs/content/configuration/ingress-resources/custom-annotations.md b/docs/content/configuration/ingress-resources/custom-annotations.md
index bed0785cf8..28b2f87f66 100644
--- a/docs/content/configuration/ingress-resources/custom-annotations.md
+++ b/docs/content/configuration/ingress-resources/custom-annotations.md
@@ -21,7 +21,7 @@ Custom annotations allow you to add an annotation for an NGINX feature that is n
 
 ## Usage
 
-The Ingress Controller generates NGINX configuration for Ingress resources by executing a configuration template. See [NGINX template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/internal/configs/version1/nginx.ingress.tmpl) or [NGINX Plus template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/internal/configs/version1/nginx-plus.ingress.tmpl).
+The Ingress Controller generates NGINX configuration for Ingress resources by executing a configuration template. See [NGINX template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/internal/configs/version1/nginx.ingress.tmpl) or [NGINX Plus template](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/internal/configs/version1/nginx-plus.ingress.tmpl).
 
 To support custom annotations, the template has access to the information about the Ingress resource - its *name*, *namespace* and *annotations*. It is possible to check if a particular annotation present in the Ingress resource and conditionally insert NGINX configuration directives at multiple NGINX contexts - `http`, `server`, `location` or `upstream`. Additionally, you can get the value that is set to the annotation.
 
@@ -143,4 +143,4 @@ deny all;
 
 ## Example
 
-See the [custom annotations example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/examples/ingress-resources/custom-annotations).
+See the [custom annotations example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/examples/ingress-resources/custom-annotations).
diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md
index 755ea8798f..35e6be87f2 100644
--- a/docs/content/configuration/policy-resource.md
+++ b/docs/content/configuration/policy-resource.md
@@ -11,7 +11,7 @@ The Policy resource allows you to configure features like access control and rat
 
 The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
 
-This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/examples/custom-resources/access-control).
+This document is the reference documentation for the Policy resource. An example of a Policy for access control is available in our [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/examples/custom-resources/access-control).
 
 ## Prerequisites
 
@@ -538,7 +538,7 @@ NGINX Plus will pass the ID of an authenticated user to the backend in the HTTP
 #### Prerequisites
 
 In order to use OIDC, you need to enable [zone synchronization](https://docs.nginx.com/nginx/admin-guide/high-availability/zone_sync/). If you don't set up zone synchronization, NGINX Plus will fail to reload.
-You also need to configure a resolver, which NGINX Plus will use to resolve the IDP authorization endpoint. You can find an example configuration [in our GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/examples/custom-resources/oidc#step-7---configure-nginx-plus-zone-synchronization-and-resolver).
+You also need to configure a resolver, which NGINX Plus will use to resolve the IDP authorization endpoint. You can find an example configuration [in our GitHub repository](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/examples/custom-resources/oidc#step-7---configure-nginx-plus-zone-synchronization-and-resolver).
 
 > **Note**: The configuration in the example doesn't enable TLS and the synchronization between the replica happens in clear text. This could lead to the exposure of tokens.
 
diff --git a/docs/content/configuration/security.md b/docs/content/configuration/security.md
index 5a869a1840..86e189bfc3 100644
--- a/docs/content/configuration/security.md
+++ b/docs/content/configuration/security.md
@@ -7,7 +7,7 @@ toc: true
 weight: 300
 ---
 
-F5 NGINX Ingress Controller follows Kubernetes best practices: this page outlines configuration specific to NGINX Ingress Controller you may require, including links to examples in the [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples).
+F5 NGINX Ingress Controller follows Kubernetes best practices: this page outlines configuration specific to NGINX Ingress Controller you may require, including links to examples in the [GitHub repository](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples).
 
 For general guidance, we recommend the official Kubernetes documentation for [Securing a Cluster](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/). 
 
@@ -19,8 +19,8 @@ Kubernetes uses [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/r
 
 NGINX Ingress Controller requires RBAC to configure a [ServiceUser](https://kubernetes.io/docs/concepts/security/service-accounts/#default-service-accounts), and provides least privilege access in its standard deployment configurations:
 
-- [Helm](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/deployments/rbac/rbac.yaml)
-- [Manifests](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/deployments/rbac/rbac.yaml)
+- [Helm](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/deployments/rbac/rbac.yaml)
+- [Manifests](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/deployments/rbac/rbac.yaml)
 
 By default, the ServiceAccount has access to all Secret resources in the cluster.
 
diff --git a/docs/content/configuration/transportserver-resource.md b/docs/content/configuration/transportserver-resource.md
index 8257f87f93..c16087142c 100644
--- a/docs/content/configuration/transportserver-resource.md
+++ b/docs/content/configuration/transportserver-resource.md
@@ -11,7 +11,7 @@ This document is reference material for the TransportServer resource used by F5
 
 The TransportServer resource allows you to configure TCP, UDP, and TLS Passthrough load balancing. The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
 
-The GitHub repository has [examples of the resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources) for specific use cases.
+The GitHub repository has [examples of the resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources) for specific use cases.
 
 ## Prerequisites
 
diff --git a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md
index 10de579463..bc5631cd8e 100644
--- a/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md
+++ b/docs/content/configuration/virtualserver-and-virtualserverroute-resources.md
@@ -13,7 +13,7 @@ VirtualServer and VirtualServerRoute resources are load balancing configurations
 
 They enable use cases not supported with the Ingress resource, such as traffic splitting and advanced content-based routing. The resources are implemented as [Custom Resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
 
-The GitHub repository has [examples of the resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources) for specific use cases.
+The GitHub repository has [examples of the resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources) for specific use cases.
 
 ---
 
@@ -350,7 +350,7 @@ tls:
 |Field | Description | Type | Required |
 | ---| ---| ---| --- |
 |``name`` | The name of the upstream. Must be a valid DNS label as defined in RFC 1035. For example, ``hello`` and ``upstream-123`` are valid. The name must be unique among all upstreams of the resource. | ``string`` | Yes |
-|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes |
+|``service`` | The name of a [service](https://kubernetes.io/docs/concepts/services-networking/service/). The service must belong to the same namespace as the resource. If the service doesn't exist, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. For NGINX Plus only, services of type [ExternalName](https://kubernetes.io/docs/concepts/services-networking/service/#externalname) are also supported (check the [prerequisites](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/externalname-services#prerequisites) ). | ``string`` | Yes |
 |``subselector`` | Selects the pods within the service using label keys and values. By default, all pods of the service are selected. Note: the specified labels are expected to be present in the pods when they are created. If the pod labels are updated, NGINX Ingress Controller will not see that change until the number of the pods is changed. | ``map[string]string`` | No |
 |``use-cluster-ip`` | Enables using the Cluster IP and port of the service instead of the default behavior of using the IP and port of the pods. When this field is enabled, the fields that configure NGINX behavior related to multiple upstream servers (like ``lb-method`` and ``next-upstream``) will have no effect, as NGINX Ingress Controller will configure NGINX with only one upstream server that will match the service Cluster IP. | ``boolean`` | No |
 |``port`` | The port of the service. If the service doesn't define that port, NGINX will assume the service has zero endpoints and return a ``502`` response for requests for this upstream. The port must fall into the range ``1..65535``. | ``uint16`` | Yes |
@@ -659,7 +659,7 @@ proxy:
 |``upstream`` | The name of the upstream which the requests will be proxied to. The upstream with that name must be defined in the resource. | ``string`` | Yes |
 |``requestHeaders`` | The request headers modifications. | [action.Proxy.RequestHeaders](#actionproxyrequestheaders) | No |
 |``responseHeaders`` | The response headers modifications. | [action.Proxy.ResponseHeaders](#actionproxyresponseheaders) | No |
-|``rewritePath`` | The rewritten URI. If the route path is a regular expression -- starts with `~` -- the `rewritePath` can include capture groups with ``$1-9``. For example `$1` for the first group, and so on. For more information, check the [rewrite](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/rewrites) example. | ``string`` | No |
+|``rewritePath`` | The rewritten URI. If the route path is a regular expression -- starts with `~` -- the `rewritePath` can include capture groups with ``$1-9``. For example `$1` for the first group, and so on. For more information, check the [rewrite](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/rewrites) example. | ``string`` | No |
 {{</bootstrap-table>}}
 
 ### Action.Proxy.RequestHeaders
diff --git a/docs/content/includes/installation/create-custom-resources.md b/docs/content/includes/installation/create-custom-resources.md
index 2cab3793a1..fee3bb1d83 100644
--- a/docs/content/includes/installation/create-custom-resources.md
+++ b/docs/content/includes/installation/create-custom-resources.md
@@ -23,7 +23,7 @@ This single YAML file creates CRDs for the following resources:
 - [GlobalConfiguration]({{< relref "configuration/global-configuration/globalconfiguration-resource.md" >}})
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml
+kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds.yaml
 ```
 
 {{%/tab%}}
diff --git a/docs/content/installation/building-nginx-ingress-controller.md b/docs/content/installation/building-nginx-ingress-controller.md
index 5adfd012de..fc48b5191d 100644
--- a/docs/content/installation/building-nginx-ingress-controller.md
+++ b/docs/content/installation/building-nginx-ingress-controller.md
@@ -43,10 +43,10 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag
     cd kubernetes-ingress
     ```
 
-    For instance if you want to clone version v3.5.2, the commands to run would be:
+    For instance if you want to clone version v3.6.0, the commands to run would be:
 
     ```shell
-    git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.5.2
+    git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.6.0
     cd kubernetes-ingress
     ```
 
diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md
index 8958b1331b..e2db6ae54d 100644
--- a/docs/content/installation/installing-nic/installation-with-helm.md
+++ b/docs/content/installation/installing-nic/installation-with-helm.md
@@ -39,10 +39,10 @@ kubectl apply -f crds/
 Alternatively, CRDs can be upgraded without pulling the chart by running:
 
 ```console
-kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml
+kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds.yaml
 ```
 
-In the above command, `v3.5.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version.
+In the above command, `v3.6.0` represents the version of NGINX Ingress Controller release rather than the Helm chart version.
 
 {{<note>}}The following warning is expected and can be ignored: `Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply`.
 
@@ -68,13 +68,13 @@ To install the chart with the release name my-release (my-release is the name th
 - For NGINX:
 
     ```shell
-    helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2
+    helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0
     ```
 
 - For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry `myregistry.example.com`)
 
     ```shell
-    helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
+    helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
     ```
 
 This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to use Docker Hub, you can replace `ghcr.io/nginxinc/charts/nginx-ingress` with `registry-1.docker.io/nginxcharts/nginx-ingress`.
@@ -86,7 +86,7 @@ Helm does not upgrade the CRDs during a release upgrade. Before you upgrade a re
 To upgrade the release `my-release`:
 
 ```shell
-helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2
+helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0
 ```
 
 ### Uninstalling the Chart
@@ -123,7 +123,7 @@ This step is required if you're installing the chart using its sources. Addition
 1. Pull the chart sources:
 
     ```shell
-    helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.2.2
+    helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.3.0
     ```
 
 2. Change your working directory to nginx-ingress:
@@ -204,7 +204,7 @@ The steps you should follow depend on the Helm release name:
     Selector: app=nginx-ingress-nginx-ingress
     ```
 
-2. Checkout the latest available tag using `git checkout v3.5.2`
+2. Checkout the latest available tag using `git checkout v3.6.0`
 
 3. Navigate to `/kubernates-ingress/charts/nginx-ingress`
 
@@ -249,7 +249,7 @@ The steps you should follow depend on the Helm release name:
     Selector: app=<helm_release_name>-nginx-ingress
     ```
 
-2. Checkout the latest available tag using `git checkout v3.5.2`
+2. Checkout the latest available tag using `git checkout v3.6.0`
 
 3. Navigate to `/kubernates-ingress/charts/nginx-ingress`
 
@@ -312,7 +312,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.logLevel** | The log level of the Ingress Controller. | 1 |
 | **controller.image.digest** | The image digest of the Ingress Controller. | None |
 | **controller.image.repository** | The image repository of the Ingress Controller. | nginx/nginx-ingress |
-| **controller.image.tag** | The tag of the Ingress Controller image. | 3.5.2 |
+| **controller.image.tag** | The tag of the Ingress Controller image. | 3.6.0 |
 | **controller.image.pullPolicy** | The pull policy for the Ingress Controller image. | IfNotPresent |
 | **controller.lifecycle** | The lifecycle of the Ingress Controller pods. | {} |
 | **controller.customConfigMap** | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" |
@@ -343,7 +343,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.initContainerResources** | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi |
 | **controller.replicaCount** | The number of replicas of the Ingress Controller deployment. | 1 |
 | **controller.ingressClass.name** | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
-| **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.5.2, do not set the value to false. | true |
+| **controller.ingressClass.create** | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.6.0, do not set the value to false. | true |
 | **controller.ingressClass.setAsDefaultIngress** | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`.  | false |
 | **controller.watchNamespace** | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" |
 | **controller.watchNamespaceLabel** | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" |
diff --git a/docs/content/installation/installing-nic/installation-with-manifests.md b/docs/content/installation/installing-nic/installation-with-manifests.md
index b782d222b3..58b1c408af 100644
--- a/docs/content/installation/installing-nic/installation-with-manifests.md
+++ b/docs/content/installation/installing-nic/installation-with-manifests.md
@@ -33,7 +33,7 @@ Clone the NGINX Ingress Controller repository using the command shown below, and
 git clone https://github.com/nginxinc/kubernetes-ingress.git --branch <version_number>
 ```
 
-For example, if you want to use version 3.5.2, the command would be `git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.5.2`.
+For example, if you want to use version 3.6.0, the command would be `git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.6.0`.
 
 This guide assumes you are using the latest release.
 
@@ -74,7 +74,7 @@ To use App Protect DoS, install the App Protect DoS Arbitrator using the provide
 1. Create CRDs for [VirtualServer and VirtualServerRoute]({{< relref "configuration/virtualserver-and-virtualserverroute-resources.md" >}}), [TransportServer]({{< relref "configuration/transportserver-resource.md" >}}), [Policy]({{< relref "configuration/policy-resource.md" >}}) and [GlobalConfiguration]({{< relref "configuration/global-configuration/globalconfiguration-resource.md" >}}):
 
     ```shell
-    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds.yaml
     ```
 
 ### Optional custom resource definitions
@@ -82,13 +82,13 @@ To use App Protect DoS, install the App Protect DoS Arbitrator using the provide
 1. For the NGINX App Protect WAF module, create CRDs for `APPolicy`, `APLogConf` and `APUserSig`:
 
     ```shell
-    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds-nap-waf.yaml
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds-nap-waf.yaml
     ```
 
 2. For the NGINX App Protect DoS module, create CRDs for `APDosPolicy`, `APDosLogConf` and `DosProtectedResource`:
 
     ```shell
-    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds-nap-dos.yaml
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds-nap-dos.yaml
     ```
 
 {{%/tab%}}
@@ -267,17 +267,17 @@ Connect to ports 80 and 443 using the IP address of any node in the cluster wher
 
    1. Delete core custom resource definitions:
     ```shell
-    kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml
+    kubectl delete -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds.yaml
     ```
    2. Delete custom resource definitions for the NGINX App Protect WAF module:
 
    ```shell
-    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds-nap-waf.yaml
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds-nap-waf.yaml
     ```
 
    3. Delete custom resource definitions for the NGINX App Protect DoS module:
    ```shell
-    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds-nap-dos.yaml
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds-nap-dos.yaml
     ```
    {{%/tab%}}
 
diff --git a/docs/content/installation/installing-nic/installation-with-operator.md b/docs/content/installation/installing-nic/installation-with-operator.md
index 0adf78f158..9476666738 100644
--- a/docs/content/installation/installing-nic/installation-with-operator.md
+++ b/docs/content/installation/installing-nic/installation-with-operator.md
@@ -40,7 +40,7 @@ spec:
     image:
       pullPolicy: IfNotPresent
       repository: nginx/nginx-ingress
-      tag: 3.5.2-ubi
+      tag: 3.6.0-ubi
     ingressClass:
       name: nginx
     kind: deployment
diff --git a/docs/content/installation/integrations/app-protect-dos/configuration.md b/docs/content/installation/integrations/app-protect-dos/configuration.md
index 6221659af5..25c493fdf3 100644
--- a/docs/content/installation/integrations/app-protect-dos/configuration.md
+++ b/docs/content/installation/integrations/app-protect-dos/configuration.md
@@ -7,7 +7,7 @@ toc: true
 weight: 200
 ---
 
-> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-dos).
+> Check out the complete [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-dos).
 
 ## App Protect DoS Configuration
 
diff --git a/docs/content/installation/integrations/app-protect-dos/installation.md b/docs/content/installation/integrations/app-protect-dos/installation.md
index f653865680..a08c86293a 100644
--- a/docs/content/installation/integrations/app-protect-dos/installation.md
+++ b/docs/content/installation/integrations/app-protect-dos/installation.md
@@ -34,10 +34,10 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag
     cd kubernetes-ingress
     ```
 
-    For instance if you want to clone version v3.5.2, the commands to run would be:
+    For instance if you want to clone version v3.6.0, the commands to run would be:
 
     ```shell
-    git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.5.2
+    git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.6.0
     cd kubernetes-ingress/deployments
     ```
 
@@ -135,7 +135,7 @@ This single YAML file creates CRDs for the following resources:
 - `DosProtectedResource`
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds-nap-dos.yaml
+kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds-nap-dos.yaml
 ```
 
 {{%/tab%}}
@@ -216,7 +216,7 @@ To enable the NGINX App Protect DoS Module:
 
 {{< include "installation/manifests/verify-pods-are-running.md" >}}
 
-For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-dos).
+For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-dos/configuration.md" >}}),the [NGINX Ingress Controller with App Protect DoS example for VirtualServer](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/app-protect-dos) and the [NGINX Ingress Controller with App Protect DoS example for Ingress](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-dos).
 
 ---
 
diff --git a/docs/content/installation/integrations/app-protect-waf/configuration.md b/docs/content/installation/integrations/app-protect-waf/configuration.md
index df2d1c6d6f..f23a25bfda 100644
--- a/docs/content/installation/integrations/app-protect-waf/configuration.md
+++ b/docs/content/installation/integrations/app-protect-waf/configuration.md
@@ -9,7 +9,7 @@ weight: 200
 
 This document explains how to use F5 NGINX Ingress Controller to configure NGINX App Protect WAF.
 
-{{< note >}} Check out the complete NGINX Ingress Controller with NGINX App Protect WAF example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-waf).{{< /note >}}
+{{< note >}} Check out the complete NGINX Ingress Controller with NGINX App Protect WAF example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-waf).{{< /note >}}
 
 
 ## Global Configuration
@@ -286,8 +286,8 @@ These are the typical steps to deploy an OpenAPI protection Policy in NGINX Ingr
 3. Make other custom changes if needed (e.g. enable Data Guard protection).
 4. Use a tool to convert the result to YAML. There are many, for example: [`yq` utility](https://github.com/mikefarah/yq).
 5. Add the YAML properties to create an `APPolicy` Custom Resource putting the policy itself (as in step 4) within the `spec` property of the Custom Resource. Refer to the [NGINX App Protect Policies](#nginx-app-protect-waf-policies) section above.
-6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/examples/custom-resources/app-protect-waf/waf.yaml).
-7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.5.2/examples/custom-resources/app-protect-waf/virtual-server.yaml).
+6. Create a `Policy` object which references the `APPolicy` Custom Resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/examples/custom-resources/app-protect-waf/waf.yaml).
+7. Finally, attach the `Policy` object to a `VirtualServer` resource as in [this example](https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.0/examples/custom-resources/app-protect-waf/virtual-server.yaml).
 
 {{< note >}} You need to make sure that the server where the resource files are located is available while you are compiling your policy. {{< /note >}}
 
@@ -422,7 +422,7 @@ The `link` option is also available in the `openApiFileReference` property and i
 
 In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App Protect WAF, deploy a simple web application, and then configure load balancing and WAF protection for that application using the VirtualServer resource.
 
-{{< note >}} You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/app-protect-waf).{{< /note >}}
+{{< note >}} You can find the example, and the files referenced, on [GitHub](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/app-protect-waf).{{< /note >}}
 
 ## Prerequisites
 
@@ -444,7 +444,7 @@ In this example we deploy NGINX Ingress Controller with NGINX Plus and NGINX App
 Create the application deployment and service:
 
   ```console
-  kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/examples/custom-resources/app-protect-waf/webapp.yaml
+  kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf/webapp.yaml
   ```
 
 ### Step 2. Deploy the AP Policy
@@ -452,15 +452,15 @@ Create the application deployment and service:
 1. Create the syslog service and pod for the NGINX App Protect WAF security logs:
 
    ```console
-   kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/examples/custom-resources/app-protect-waf/syslog.yaml
+   kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf/syslog.yaml
    ```
 
 2. Create the User-Defined Signature, WAF policy, and log configuration:
 
     ```console
-    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml
-    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml
-    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/examples/custom-resources/app-protect-waf/ap-logconf.yaml
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf/ap-apple-uds.yaml
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf/ap-dataguard-alarm-policy.yaml
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf/ap-logconf.yaml
     ```
 
 ### Step 3 - Deploy the WAF Policy
@@ -468,7 +468,7 @@ Create the application deployment and service:
 Create the WAF policy
 
  ```console
-  kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/examples/custom-resources/app-protect-waf/waf.yaml
+  kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf/waf.yaml
  ```
 
   Note the NGINX App Protect WAF configuration settings in the Policy resource. They enable WAF protection by configuring NGINX App Protect WAF with the policy and log configuration created in the previous step.
@@ -478,7 +478,7 @@ Create the WAF policy
 1. Create the VirtualServer Resource:
 
     ```console
-    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/examples/custom-resources/app-protect-waf/virtual-server.yaml
+    kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf/virtual-server.yaml
     ```
 
 Note that the VirtualServer references the policy waf-policy created in Step 3.
@@ -525,7 +525,7 @@ To access the application, curl the coffee and the tea services. We'll use the -
 
 ### Configuration Example of Virtual Server
 
-Refer to GitHub repo for [Virtual Server example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/examples/custom-resources/app-protect-waf/webapp.yaml).
+Refer to GitHub repo for [Virtual Server example](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/custom-resources/app-protect-waf/webapp.yaml).
 
 ```yaml
 apiVersion: k8s.nginx.org/v1
diff --git a/docs/content/installation/integrations/app-protect-waf/installation.md b/docs/content/installation/integrations/app-protect-waf/installation.md
index 5f48967649..8981bc5e2b 100644
--- a/docs/content/installation/integrations/app-protect-waf/installation.md
+++ b/docs/content/installation/integrations/app-protect-waf/installation.md
@@ -28,7 +28,7 @@ Get your system ready for building and pushing the NGINX Ingress Controller imag
 1. Clone the NGINX Ingress Controller repository:
 
     ```console
-    git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.5.2
+    git clone https://github.com/nginxinc/kubernetes-ingress.git --branch v3.6.0
     cd kubernetes-ingress
     ```
 
@@ -131,7 +131,7 @@ This single YAML file creates CRDs for the following resources:
 - `APUserSig`
 
 ```shell
-kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds-nap-waf.yaml
+kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/deploy/crds-nap-waf.yaml
 ```
 
 {{%/tab%}}
@@ -209,7 +209,7 @@ To enable the NGINX App Protect DoS Module:
 
 {{< include "installation/manifests/verify-pods-are-running.md" >}}
 
-For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/app-protect-waf" >}}).
+For more information, see the [Configuration guide]({{< relref "installation/integrations/app-protect-waf/configuration.md" >}}) and the NGINX Ingress Controller with App Protect example resources on GitHub [for VirtualServer resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/app-protect-waf) and [for Ingress resources](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/app-protect-waf" >}}).
 
 ---
 
diff --git a/docs/content/installation/nic-images/pulling-ingress-controller-image.md b/docs/content/installation/nic-images/pulling-ingress-controller-image.md
index a83e109217..c3e71b2879 100644
--- a/docs/content/installation/nic-images/pulling-ingress-controller-image.md
+++ b/docs/content/installation/nic-images/pulling-ingress-controller-image.md
@@ -40,7 +40,7 @@ The steps provided are for Linux. For Mac or Windows, consult the [Docker for Ma
 
 Next, pull the image you need from `private-registry.nginx.com`. To find the correct image, consult the [Tech Specs guide]({{< relref "technical-specifications#images-with-nginx-plus" >}}).
 
-To pull an image, follow these steps. Replace `<version-tag>` with the specific version you need, for example, `3.5.2`.
+To pull an image, follow these steps. Replace `<version-tag>` with the specific version you need, for example, `3.6.0`.
 
 - For NGINX Plus Ingress Controller, run:
 
@@ -88,10 +88,10 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic/nginx-plus-ingress/tags/li
 {
   "name": "nginx-ic/nginx-plus-ingress",
   "tags": [
-    "3.5.2-alpine",
-    "3.5.2-alpine-fips",
-    "3.5.2-ubi",
-    "3.5.2"
+    "3.6.0-alpine",
+    "3.6.0-alpine-fips",
+    "3.6.0-ubi",
+    "3.6.0"
   ]
 }
 
@@ -99,9 +99,9 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic-nap/nginx-plus-ingress/tag
 {
   "name": "nginx-ic-nap/nginx-plus-ingress",
   "tags": [
-    "3.5.2-alpine-fips",
-    "3.5.2-ubi",
-    "3.5.2"
+    "3.6.0-alpine-fips",
+    "3.6.0-ubi",
+    "3.6.0"
   ]
 }
 
@@ -109,8 +109,8 @@ $ curl https://private-registry.nginx.com/v2/nginx-ic-dos/nginx-plus-ingress/tag
 {
   "name": "nginx-ic-dos/nginx-plus-ingress",
   "tags": [
-    "3.5.2-ubi",
-    "3.5.2"
+    "3.6.0-ubi",
+    "3.6.0"
   ]
 }
 ```
@@ -127,7 +127,7 @@ After pulling the image, tag it and upload it to your private registry.
    docker login <my-docker-registry>
    ```
 
-1. Tag and push the image. Replace `<my-docker-registry>` with your registry's path and `<version-tag>` with the version you're using, for example `3.5.2`:
+1. Tag and push the image. Replace `<my-docker-registry>` with your registry's path and `<version-tag>` with the version you're using, for example `3.6.0`:
 
    - For NGINX Plus Ingress Controller, run:
 
diff --git a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md
index 50b0681778..576fe07bdc 100644
--- a/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md
+++ b/docs/content/installation/nic-images/using-the-jwt-token-docker-secret.md
@@ -77,7 +77,7 @@ spec:
     seccompProfile:
       type: RuntimeDefault
   containers:
-  - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.5.2
+  - image: private-registry.nginx.com/nginx-ic/nginx-plus-ingress:3.6.0
     imagePullPolicy: IfNotPresent
     name: nginx-plus-ingress
 ```
@@ -117,7 +117,7 @@ The [Installation with Helm ]({{< relref "installation/installing-nic/installati
     repository: private-registry.nginx.com/nginx-ic/nginx-plus-ingress
 
     ## The version tag
-    tag: 3.5.2
+    tag: 3.6.0
 
     serviceAccount:
         ## The annotations of the service account of the Ingress Controller pods.
@@ -149,7 +149,7 @@ If the namespace does not exist, `--create-namespace` will create it. Using `-f
 If you want to install NGINX Ingress Controller using the charts method, the following is an example of using the command line to pass the required arguments using the `set` parameter.
 
 ```shell
-helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.5.2 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred
+helm install my-release -n nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.3.0 --set controller.image.repository=private-registry.nginx.com/nginx-ic/nginx-plus-ingress --set controller.image.tag=3.6.0 --set controller.nginxplus=true --set controller.serviceAccount.imagePullSecretName=regcred
 ```
 You can also use the certificate and key from the MyF5 portal and the Docker registry API to list the available image tags for the repositories, for example:
 
@@ -159,10 +159,10 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg
    {
     "name": "nginx-ic/nginx-plus-ingress",
     "tags": [
-        "3.5.2-alpine",
-        "3.5.2-alpine-fips",
-        "3.5.2-ubi",
-        "3.5.2"
+        "3.6.0-alpine",
+        "3.6.0-alpine-fips",
+        "3.6.0-ubi",
+        "3.6.0"
     ]
     }
 
@@ -170,9 +170,9 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg
    {
     "name": "nginx-ic-nap/nginx-plus-ingress",
     "tags": [
-        "3.5.2-alpine-fips",
-        "3.5.2-ubi",
-        "3.5.2"
+        "3.6.0-alpine-fips",
+        "3.6.0-ubi",
+        "3.6.0"
     ]
     }
 
@@ -180,8 +180,8 @@ You can also use the certificate and key from the MyF5 portal and the Docker reg
    {
     "name": "nginx-ic-dos/nginx-plus-ingress",
     "tags": [
-        "3.5.2-ubi",
-        "3.5.2"
+        "3.6.0-ubi",
+        "3.6.0"
     ]
     }
 ```
diff --git a/docs/content/overview/controller-comparison.md b/docs/content/overview/controller-comparison.md
index 7fd95d1cf5..536a75fdac 100644
--- a/docs/content/overview/controller-comparison.md
+++ b/docs/content/overview/controller-comparison.md
@@ -28,11 +28,11 @@ The table below summarizes the key difference between nginxinc/kubernetes-ingres
 | NGINX version | [Custom](https://github.com/kubernetes/ingress-nginx/tree/main/images/nginx) NGINX build that includes several third-party modules | NGINX official mainline [build](https://github.com/nginxinc/docker-nginx) | NGINX Plus |
 | Commercial support | N/A | N/A | Included |
 | **Load balancing configuration via the Ingress resource** |
-| Merging Ingress rules with the same host | Supported | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/mergeable-ingress-types) | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/mergeable-ingress-types) |
+| Merging Ingress rules with the same host | Supported | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/mergeable-ingress-types) | Supported via [Mergeable Ingresses](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/mergeable-ingress-types) |
 | HTTP load balancing extensions - Annotations | See the [supported annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/) | See the [supported annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/) | See the [supported annotations](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/)|
 | HTTP load balancing extensions -- ConfigMap | See the [supported ConfigMap keys](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/) | See the [supported ConfigMap keys](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) | See the [supported ConfigMap keys](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) |
 | TCP/UDP | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources |
-| Websocket  | Supported | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/websocket) | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/websocket) |
+| Websocket  | Supported | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/websocket) | Supported via an [annotation](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/websocket) |
 | TCP SSL Passthrough | Supported via a ConfigMap | Supported via custom resources | Supported via custom resources |
 | JWT validation | Not supported | Not supported | Supported |
 | Session persistence | Supported via a third-party module | Not supported | Supported |
diff --git a/docs/content/overview/nginx-plus.md b/docs/content/overview/nginx-plus.md
index 1aa0d61fe6..8901ed2d15 100644
--- a/docs/content/overview/nginx-plus.md
+++ b/docs/content/overview/nginx-plus.md
@@ -16,9 +16,9 @@ NGINX Ingress Controller works with [NGINX](https://nginx.org/) as well as [NGIN
 
 - _Real-time metrics_: Metrics for NGINX Plus and application performance are available through the API or the [NGINX Status Page]({{< relref "logging-and-monitoring/status-page">}}). These metrics can also be exported to [Prometheus]({{< relref "logging-and-monitoring/prometheus">}}).
 - _Additional load balancing methods_: The `least_time` and `random two least_time` methods and their derivatives become available. The NGINX [`ngx_http_upstream_module` documentation](https://nginx.org/en/docs/http/ngx_http_upstream_module.html) has the complete list of load balancing methods.
-- _Session persistence_: The *sticky cookie* method becomes available. See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/session-persistence) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/session-persistence) examples.
-- _Active health checks_:  See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/health-checks) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/health-checks) examples.
-- _JWT validation_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/jwt) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/jwt) examples.
+- _Session persistence_: The *sticky cookie* method becomes available. See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/session-persistence) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/session-persistence) examples.
+- _Active health checks_:  See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/health-checks) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/health-checks) examples.
+- _JWT validation_: See the [Ingress Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/jwt) and [Custom Resource](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/jwt) examples.
 
 For a comprehensive guide of NGINX Plus features available with Ingress resources, see the [ConfigMap]({{< relref "configuration/global-configuration/configmap-resource">}}) and [Annotations]({{< relref "configuration/ingress-resources/advanced-configuration-with-annotations">}}) documentation.
 
diff --git a/docs/content/releases.md b/docs/content/releases.md
index c8948259db..070b01cbb5 100644
--- a/docs/content/releases.md
+++ b/docs/content/releases.md
@@ -6,6 +6,55 @@ doctypes:
 title: Releases
 toc: true
 weight: 2100
+---
+## 3.6.0
+
+25 Jun 2024
+
+Added support for the latest generation of NGINX App Protect Web Application Firewall, v5. NGINX Ingress Controller will continue to support the NGINX App Protect v4 family to allow customers to implement new Policy Bundle workflow at their own pace.
+NGINX App Protect WAF v5 does not accept the JSON based policies, instead requiring users to compile a Policy Bundle outside of the NGINX Ingress Controller pod. Policy bundles contain a combination of custom Policy, signatures, and campaigns. Bundles can be compiled using either App Protect [compiler](https://docs.nginx.com/nginx-app-protect-waf/v5/admin-guide/compiler/), or [NGINX Instance Manager](https://docs.nginx.com/nginx-management-suite/nim/how-to/app-protect/manage-waf-security-policies/#list-security-policy-bundles).  Learn more here, https://docs.nginx.com/nginx-ingress-controller/installation/integrations/app-protect-waf-v5/.
+
+With this release, NGINX Ingress Controller is implementing a new image maintenance policy. Container images for subscribed users will be updated on a regular basis in-between releases to reduce the CVE vulnerabilities.
+Customers can observe the 3.6.x tag when listing images in the registry and select the latest image to update to for the current release.
+
+### <i class="fa-solid fa-rocket"></i> Features
+- [5698](https://github.com/nginxinc/kubernetes-ingress/pull/5698), [5771](https://github.com/nginxinc/kubernetes-ingress/pull/5771) & [5784](https://github.com/nginxinc/kubernetes-ingress/pull/5784) Add support for F5 NGINX AppProtect WAF v5
+- [5580](https://github.com/nginxinc/kubernetes-ingress/pull/5580) & [5752](https://github.com/nginxinc/kubernetes-ingress/pull/5752) Add APIKey Authentication policy
+- [5205](https://github.com/nginxinc/kubernetes-ingress/pull/5205) Preserve valid listeners when invalid listeners are present in GlobalConfiguration
+- [5366](https://github.com/nginxinc/kubernetes-ingress/pull/5366) Add proxy-set-headers annotation for ingress
+- [5406](https://github.com/nginxinc/kubernetes-ingress/pull/5406), [5408](https://github.com/nginxinc/kubernetes-ingress/pull/5408), [5418](https://github.com/nginxinc/kubernetes-ingress/pull/5418), [5404](https://github.com/nginxinc/kubernetes-ingress/pull/5404) & [5415](https://github.com/nginxinc/kubernetes-ingress/pull/5415) Add additional telemetry data
+
+### <i class="fa-solid fa-bug-slash"></i> Fixes
+- [5350](https://github.com/nginxinc/kubernetes-ingress/pull/5350) Fix ap-waf flag in error message
+- [5318](https://github.com/nginxinc/kubernetes-ingress/pull/5318) Don't reload when `use-cluster-ip` endpoints update, and change the ingress `use-cluster-ip` implementation to use the cluster ip instead of the fqdn
+- [5375](https://github.com/nginxinc/kubernetes-ingress/pull/5375) Fix status for invalid vs and vsr, for weight changes dynamic reload
+
+### <i class="fa-solid fa-box"></i> Helm Chart
+- [5313](https://github.com/nginxinc/kubernetes-ingress/pull/5313) Update helm flag in docs for enableWeightChangesDynamicReload
+
+### <i class="fa-solid fa-upload"></i> Dependencies
+- [5693](https://github.com/nginxinc/kubernetes-ingress/pull/5693) Bump Go version to v1.22.4
+- [5368](https://github.com/nginxinc/kubernetes-ingress/pull/5368), [5331](https://github.com/nginxinc/kubernetes-ingress/pull/5331) & [5423](https://github.com/nginxinc/kubernetes-ingress/pull/5423) Bump the go dependencies
+- [5298](https://github.com/nginxinc/kubernetes-ingress/pull/5298), [5344](https://github.com/nginxinc/kubernetes-ingress/pull/5344), [5345](https://github.com/nginxinc/kubernetes-ingress/pull/5345),[5371](https://github.com/nginxinc/kubernetes-ingress/pull/5371), [5378](https://github.com/nginxinc/kubernetes-ingress/pull/5378), [5379](https://github.com/nginxinc/kubernetes-ingress/pull/5379), [5398](https://github.com/nginxinc/kubernetes-ingress/pull/5398), [5397](https://github.com/nginxinc/kubernetes-ingress/pull/5397), [5399](https://github.com/nginxinc/kubernetes-ingress/pull/5399) & [5400](https://github.com/nginxinc/kubernetes-ingress/pull/5400) Bump base Docker images
+
+### <i class="fa-solid fa-download"></i> Upgrade
+
+- For NGINX, use the 3.6.0 images from our
+[DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name=3.6.0),
+[GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress),
+[Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
+- For NGINX Plus, use the 3.6.0 images from the F5 Container registry,
+the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE),
+the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking)
+or build your own image using the 3.6.0 source code
+- For Helm, use version 1.3.0 of the chart.
+
+### <i class="fa-solid fa-life-ring"></i> Supported Platforms
+
+We will provide technical support for NGINX Ingress Controller on any Kubernetes platform that is currently supported by
+its provider and that passes the Kubernetes conformance tests. This release was fully tested on the following Kubernetes
+versions: 1.25-1.30.
+
 ---
 ## 3.5.2
 
diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md
index 525b64936c..1c0c5b1ca4 100644
--- a/docs/content/technical-specifications.md
+++ b/docs/content/technical-specifications.md
@@ -28,6 +28,7 @@ We test NGINX Ingress Controller on a range of Kubernetes platforms for each rel
 {{< bootstrap-table "table table-bordered table-striped table-responsive" >}}
 | NIC Version | Supported Kubernetes Version | NIC Helm Chart Version | NIC Operator Version | NGINX / NGINX Plus version |
 | --- | --- | --- | --- | --- |
+| 3.6.0 | 1.30 - 1.25 | 1.3.0 | 2.3.0 | 1.27.0 / R32 |
 | 3.5.2 | 1.30 - 1.23 | 1.2.2 | 2.2.2 | 1.27.0 / R32 |
 | 3.4.3 | 1.29 - 1.23 | 1.1.3 | 2.1.2 | 1.25.4 / R31 P1 |
 | 3.3.2 | 1.28 - 1.22 | 1.0.2 | 2.0.2 | 1.25.3 / R30 |
@@ -58,16 +59,16 @@ _All images include NGINX 1.27.0._
 {{< bootstrap-table "table table-bordered table-responsive" >}}
 |<div style="width:200px">Name</div> | <div style="width:100px">Base image</div> | <div style="width:200px">Third-party modules</div> | DockerHub image | Architectures |
 | ---| --- | --- | --- | --- |
-|Alpine-based image | ``nginx:1.27.0-alpine``,<br>based on on ``alpine:3.19`` | NGINX OpenTracing module<br><br>OpenTracing library<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | ``nginx/nginx-ingress:3.5.2-alpine`` | arm/v7<br>arm64<br>amd64<br>ppc64le<br>s390x |
-|Debian-based image | ``nginx:1.27.0``,<br>based on on ``debian:12-slim`` | NGINX OpenTracing module<br><br>OpenTracing library<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | ``nginx/nginx-ingress:3.5.2`` | arm/v7<br>arm64<br>amd64<br>ppc64le<br>s390x |
-|Ubi-based image | ``nginxcontrib/nginx:1.27.0-ubi``,<br>based on on ``redhat/ubi9-minimal`` |  | ``nginx/nginx-ingress:3.5.2-ubi`` | arm64<br>amd64<br>ppc64le<br>s390x |
+|Alpine-based image | ``nginx:1.27.0-alpine``,<br>based on on ``alpine:3.19`` | NGINX OpenTracing module<br><br>OpenTracing library<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | ``nginx/nginx-ingress:3.6.0-alpine`` | arm/v7<br>arm64<br>amd64<br>ppc64le<br>s390x |
+|Debian-based image | ``nginx:1.27.0``,<br>based on on ``debian:12-slim`` | NGINX OpenTracing module<br><br>OpenTracing library<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | ``nginx/nginx-ingress:3.6.0`` | arm/v7<br>arm64<br>amd64<br>ppc64le<br>s390x |
+|Ubi-based image | ``nginxcontrib/nginx:1.27.0-ubi``,<br>based on on ``redhat/ubi9-minimal`` |  | ``nginx/nginx-ingress:3.6.0-ubi`` | arm64<br>amd64<br>ppc64le<br>s390x |
 {{% /bootstrap-table %}}
 
 ---
 
 ### Images with NGINX Plus
 
-_NGINX Plus images include NGINX Plus R31._
+_NGINX Plus images include NGINX Plus R32._
 
 ---
 
@@ -78,17 +79,20 @@ NGINX Plus images are available through the F5 Container registry `private-regis
 {{< bootstrap-table "table table-striped table-bordered table-responsive" >}}
 |<div style="width:200px">Name</div> | <div style="width:100px">Base image</div> | <div style="width:200px">Third-party modules</div> | F5 Container Registry Image | Architectures |
 | ---| ---| --- | --- | --- |
-|Alpine-based image | ``alpine:3.19`` | NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.5.2-alpine` | arm64<br>amd64 |
-|Alpine-based image with FIPS inside | ``alpine:3.19`` | NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog<br><br>FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:3.5.2-alpine-fips` | arm64<br>amd64 |
-|Alpine-based image with NGINX App Protect WAF & FIPS inside | ``alpine:3.17`` | NGINX App Protect WAF<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog<br><br>FIPS module and OpenSSL configuration | `nginx-ic-nap/nginx-plus-ingress:3.5.2-alpine-fips` | arm64<br>amd64 |
-|Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.5.2` | arm64<br>amd64 |
-|Debian-based image with NGINX App Protect WAF | ``debian:11-slim`` | NGINX App Protect WAF<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:3.5.2` | amd64 |
-|Debian-based image with NGINX App Protect DoS | ``debian:11-slim`` | NGINX App Protect DoS<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic-dos/nginx-plus-ingress:3.5.2` | amd64 |
-|Debian-based image with NGINX App Protect WAF and DoS | ``debian:11-slim`` | NGINX App Protect WAF and DoS<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic-nap-dos/nginx-plus-ingress:3.5.2` | amd64 |
-|Ubi-based image | ``redhat/ubi9-minimal`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.5.2-ubi` | arm64<br>amd64<br>s390x |
-|Ubi-based image with NGINX App Protect WAF | ``redhat/ubi9`` | NGINX App Protect WAF and NGINX Plus JavaScript module | `nginx-ic-nap/nginx-plus-ingress:3.5.2-ubi` | amd64 |
-|Ubi-based image with NGINX App Protect DoS | ``redhat/ubi8`` | NGINX App Protect DoS and NGINX Plus JavaScript module | `nginx-ic-dos/nginx-plus-ingress:3.5.2-ubi` | amd64 |
-|Ubi-based image with NGINX App Protect WAF and DoS | ``redhat/ubi8`` | NGINX App Protect WAF and DoS<br><br>NGINX Plus JavaScript module | `nginx-ic-nap-dos/nginx-plus-ingress:3.5.2-ubi` | amd64 |
+|Alpine-based image | ``alpine:3.19`` | NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.6.0-alpine` | arm64<br>amd64 |
+|Alpine-based image with FIPS inside | ``alpine:3.19`` | NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog<br><br>FIPS module and OpenSSL configuration | `nginx-ic/nginx-plus-ingress:3.6.0-alpine-fips` | arm64<br>amd64 |
+|Alpine-based image with NGINX App Protect WAF & FIPS inside | ``alpine:3.17`` | NGINX App Protect WAF<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog<br><br>FIPS module and OpenSSL configuration | `nginx-ic-nap/nginx-plus-ingress:3.6.0-alpine-fips` | arm64<br>amd64 |
+|Alpine-based image with NGINX App Protect WAF v5 & FIPS inside | ``alpine:3.17`` | NGINX App Protect WAF v5<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog<br><br>FIPS module and OpenSSL configuration | `nginx-ic-nap-v5/nginx-plus-ingress:3.6.0-alpine-fips` | arm64<br>amd64 |
+|Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic/nginx-plus-ingress:3.6.0` | arm64<br>amd64 |
+|Debian-based image with NGINX App Protect WAF | ``debian:12-slim`` | NGINX App Protect WAF<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic-nap/nginx-plus-ingress:3.6.0` | amd64 |
+|Debian-based image with NGINX App Protect WAF v5 | ``debian:12-slim`` | NGINX App Protect WAF v5<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic-nap-v5/nginx-plus-ingress:3.6.0` | amd64 |
+|Debian-based image with NGINX App Protect DoS | ``debian:12-slim`` | NGINX App Protect DoS<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic-dos/nginx-plus-ingress:3.6.0` | amd64 |
+|Debian-based image with NGINX App Protect WAF and DoS | ``debian:12-slim`` | NGINX App Protect WAF and DoS<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | `nginx-ic-nap-dos/nginx-plus-ingress:3.6.0` | amd64 |
+|Ubi-based image | ``redhat/ubi9-minimal`` | NGINX Plus JavaScript module | `nginx-ic/nginx-plus-ingress:3.6.0-ubi` | arm64<br>amd64<br>s390x |
+|Ubi-based image with NGINX App Protect WAF | ``redhat/ubi9`` | NGINX App Protect WAF and NGINX Plus JavaScript module | `nginx-ic-nap/nginx-plus-ingress:3.6.0-ubi` | amd64 |
+|Ubi-based image with NGINX App Protect WAF v5 | ``redhat/ubi9`` | NGINX App Protect WAF v5 and NGINX Plus JavaScript module | `nginx-ic-nap-v5/nginx-plus-ingress:3.6.0-ubi` | amd64 |
+|Ubi-based image with NGINX App Protect DoS | ``redhat/ubi8`` | NGINX App Protect DoS and NGINX Plus JavaScript module | `nginx-ic-dos/nginx-plus-ingress:3.6.0-ubi` | amd64 |
+|Ubi-based image with NGINX App Protect WAF and DoS | ``redhat/ubi8`` | NGINX App Protect WAF and DoS<br><br>NGINX Plus JavaScript module | `nginx-ic-nap-dos/nginx-plus-ingress:3.6.0-ubi` | amd64 |
 {{% /bootstrap-table %}}
 
 ---
@@ -103,9 +107,9 @@ View the [Use the AWS Marketplace Ingress Controller image]({{< relref "/install
 |<div style="width:200px">Name</div> | <div style="width:100px">Base image</div> | <div style="width:200px">Third-party modules</div> | AWS Marketplace Link | Architectures |
 | ---| ---| --- | --- | --- |
 |Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller](https://aws.amazon.com/marketplace/pp/prodview-fx3faxl7zqeau) | amd64 |
-|Debian-based image with NGINX App Protect WAF | ``debian:11-slim`` | NGINX App Protect WAF<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller with F5 NGINX App Protect WAF](https://aws.amazon.com/marketplace/pp/prodview-vnrnxbf6u3nra) | amd64 |
-|Debian-based image with NGINX App Protect DoS | ``debian:11-slim`` | NGINX App Protect DoS<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller with F5 NGINX App Protect WAF and DoS](https://aws.amazon.com/marketplace/pp/prodview-yltaqwzwrnhco) | amd64 |
-|Debian-based image with NGINX App Protect WAF and DoS | ``debian:11-slim`` | NGINX App Protect WAF and DoS<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller with F5 NGINX App Protect DoS](https://aws.amazon.com/marketplace/pp/prodview-sghjw2csktega) | amd64 |
+|Debian-based image with NGINX App Protect WAF | ``debian:12-slim`` | NGINX App Protect WAF<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller with F5 NGINX App Protect WAF](https://aws.amazon.com/marketplace/pp/prodview-vnrnxbf6u3nra) | amd64 |
+|Debian-based image with NGINX App Protect DoS | ``debian:12-slim`` | NGINX App Protect DoS<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller with F5 NGINX App Protect WAF and DoS](https://aws.amazon.com/marketplace/pp/prodview-yltaqwzwrnhco) | amd64 |
+|Debian-based image with NGINX App Protect WAF and DoS | ``debian:12-slim`` | NGINX App Protect WAF and DoS<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller with F5 NGINX App Protect DoS](https://aws.amazon.com/marketplace/pp/prodview-sghjw2csktega) | amd64 |
 {{% /bootstrap-table %}}
 
 ---
@@ -119,7 +123,7 @@ View the [Use the GCP Marketplace NGINX Ingress Controller image]({{< relref "/i
 |<div style="width:200px">Name</div> | <div style="width:100px">Base image</div> | <div style="width:200px">Third-party modules</div> | GCP Marketplace Link | Architectures |
 | ---| ---| --- | --- | --- |
 |Debian-based image | ``debian:12-slim`` | NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller](https://console.cloud.google.com/marketplace/product/f5-7626-networks-public/nginx-ingress-plus) | amd64 |
-|Debian-based image with NGINX App Protect WAF | ``debian:11-slim`` | NGINX App Protect WAF<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller w/ F5 NGINX App Protect WAF](https://console.cloud.google.com/marketplace/product/f5-7626-networks-public/nginx-ingress-plus-nap) | amd64 |
+|Debian-based image with NGINX App Protect WAF | ``debian:12-slim`` | NGINX App Protect WAF<br><br>NGINX Plus JavaScript and OpenTracing modules<br><br>OpenTracing tracers for Jaeger<br><br>Zipkin and Datadog | [F5 NGINX Ingress Controller w/ F5 NGINX App Protect WAF](https://console.cloud.google.com/marketplace/product/f5-7626-networks-public/nginx-ingress-plus-nap) | amd64 |
 {{% /bootstrap-table %}}
 
 #### **Microsoft Azure Marketplace**
diff --git a/docs/content/troubleshooting/troubleshoot-common.md b/docs/content/troubleshooting/troubleshoot-common.md
index bb37bd247f..e601af990c 100644
--- a/docs/content/troubleshooting/troubleshoot-common.md
+++ b/docs/content/troubleshooting/troubleshoot-common.md
@@ -148,7 +148,7 @@ controller:
   nginxplus: plus
   image:
     repository: nginx/nginx-ingress
-    tag: 3.5.2
+    tag: 3.6.0
   # NGINX Configmap
   config:
     entries:
diff --git a/docs/content/tutorials/custom-listen-ports.md b/docs/content/tutorials/custom-listen-ports.md
index bf9db72e21..940e225bb2 100644
--- a/docs/content/tutorials/custom-listen-ports.md
+++ b/docs/content/tutorials/custom-listen-ports.md
@@ -87,7 +87,7 @@ spec:
     spec:
       serviceAccountName: nginx-ingress
       containers:
-      - image: nginx/nginx-ingress:3.5.2
+      - image: nginx/nginx-ingress:3.6.0
         imagePullPolicy: IfNotPresent
         name: nginx-ingress
         ports:
diff --git a/docs/content/tutorials/nginx-dynamic-module.md b/docs/content/tutorials/nginx-dynamic-module.md
index bf422f9354..6269b714c6 100644
--- a/docs/content/tutorials/nginx-dynamic-module.md
+++ b/docs/content/tutorials/nginx-dynamic-module.md
@@ -35,7 +35,7 @@ Once you have cloned the repository, edit the `Dockerfile` located in the `build
 In this example, we add the `Headers-more` dynamic module to the NGINX Ingress Controller image. We choose the `debian-plus` operating system: modify the entry for the system you are using.
 
 ```docker
-FROM debian:11-slim AS debian-plus
+FROM debian:12-slim AS debian-plus
 ARG IC_VERSION
 ARG NGINX_PLUS_VERSION
 ARG BUILD_OS
diff --git a/docs/content/tutorials/oidc-custom-configuration.md b/docs/content/tutorials/oidc-custom-configuration.md
index f0ff9a993e..6780d1a3e0 100644
--- a/docs/content/tutorials/oidc-custom-configuration.md
+++ b/docs/content/tutorials/oidc-custom-configuration.md
@@ -27,7 +27,7 @@ Run the below command to generate a ConfigMap with the contents of the `oidc.con
 **NOTE** The ConfigMap must be deployed in the same `namespace` as the F5 NGINX Ingress Controller.
 
 ```console
-kubectl create configmap oidc-config-map --from-literal=oidc.conf="$(curl -k https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/internal/configs/oidc/oidc.conf)"
+kubectl create configmap oidc-config-map --from-literal=oidc.conf="$(curl -k https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/internal/configs/oidc/oidc.conf)"
 ```
 
 Use the `kubectl describe` command to confirm the contents of the ConfigMap are correct.
diff --git a/docs/content/tutorials/security-monitoring.md b/docs/content/tutorials/security-monitoring.md
index a321c7ec36..c666166a5b 100644
--- a/docs/content/tutorials/security-monitoring.md
+++ b/docs/content/tutorials/security-monitoring.md
@@ -12,7 +12,7 @@ This document explains how to use NGINX Ingress Controller to configure NGINX Ag
 
 This guide assumes that you have an installation of NGINX Instance Manager with [NGINX Security Monitoring](https://docs.nginx.com/nginx-management-suite/installation/vm-bare-metal/install-security-monitoring/) which is reachable from the Kubernetes cluster on which NGINX Ingress Controller is deployed.
 
-If you use custom container images, NGINX Agent must be installed along with NGINX App Protect WAF. See the [Dockerfile](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/build/Dockerfile) for examples of how to install NGINX Agent or the [NGINX Agent installation documentation](https://docs.nginx.com/nginx-agent/installation-upgrade/) for more information.
+If you use custom container images, NGINX Agent must be installed along with NGINX App Protect WAF. See the [Dockerfile](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/build/Dockerfile) for examples of how to install NGINX Agent or the [NGINX Agent installation documentation](https://docs.nginx.com/nginx-agent/installation-upgrade/) for more information.
 
 ## Deploying NGINX Ingress Controller with NGINX Agent configuration
 
@@ -89,7 +89,7 @@ Once NGINX Ingress Controller is installed the pods will be visible in the NGINX
 
 NGINX Agent runs a syslog listener which NGINX App Protect WAF can be configured to send logs to, which will then allow NGINX Agent to send metrics to NGINX Security Monitoring. The following examples show how to configure NGINX App Protect WAF to log to NGINX Agent.
 
-- [Custom Resources example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/security-monitoring)
-- [Ingress Resources example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/ingress-resources/security-monitoring)
+- [Custom Resources example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/security-monitoring)
+- [Ingress Resources example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/ingress-resources/security-monitoring)
 
 {{< note >}} Modifying the APLogConf in the examples may result in the Security Monitoring integration not working, as NGINX Agent expects a specific log format.{{< /note >}}
diff --git a/docs/content/tutorials/virtual-server-with-custom-listener-ports.md b/docs/content/tutorials/virtual-server-with-custom-listener-ports.md
index 4b3a64fe54..fa482daacc 100644
--- a/docs/content/tutorials/virtual-server-with-custom-listener-ports.md
+++ b/docs/content/tutorials/virtual-server-with-custom-listener-ports.md
@@ -115,7 +115,7 @@ kubectl apply -f nginx-configuration.yaml
 {{</tabs>}}
 
 ## Deploying VirtualServer with custom listeners
-Deploy the [custom listeners](https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/examples/custom-resources/custom-listeners) resources from the repository examples. It includes all required resources, including VirtualServer.
+Deploy the [custom listeners](https://github.com/nginxinc/kubernetes-ingress/tree/v3.6.0/examples/custom-resources/custom-listeners) resources from the repository examples. It includes all required resources, including VirtualServer.
 
 Below is a snippet of the VirtualServer resource that will be deployed:
 
diff --git a/docs/content/usage-reporting.md b/docs/content/usage-reporting.md
index ce23bc7c3b..85a61d4c12 100644
--- a/docs/content/usage-reporting.md
+++ b/docs/content/usage-reporting.md
@@ -106,7 +106,7 @@ kubectl apply -f nms-basic-auth.yaml
 
 If you need to update the basic-auth credentials for NGINX Management Suite in the future, update the `username` and `password` fields, and apply the changes by running the command again. Usage Reporting will automatically detect the changes, using the new username and password without redeployment.
 
-Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file:
+Download and save the deployment file [cluster-connector.yaml](https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.6.0/examples/shared-examples/usage-reporting/cluster-connector.yaml). Edit the following under the `args` section and then save the file:
 
 ```yaml
     args:

From 8290370071b72e897da2044e39e4a6e3fbd32fc4 Mon Sep 17 00:00:00 2001
From: oseoin <oseoin@users.noreply.github.com>
Date: Thu, 27 Jun 2024 11:52:23 +0100
Subject: [PATCH 26/37] Exclude files from stable tag which don't impact build
 or test (#5875)

---
 .github/scripts/exclude_ci_files.txt | 45 ++++++++++++++++++++++++++++
 .github/scripts/variables.sh         | 10 ++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 .github/scripts/exclude_ci_files.txt

diff --git a/.github/scripts/exclude_ci_files.txt b/.github/scripts/exclude_ci_files.txt
new file mode 100644
index 0000000000..f012ba28c3
--- /dev/null
+++ b/.github/scripts/exclude_ci_files.txt
@@ -0,0 +1,45 @@
+.github/actionlint.yaml
+.github/dependabot.yml
+.github/labeler.yml
+.github/PULL_REQUEST_TEMPLATE.md
+.github/release.yml
+.github/actions/certify-openshift-image/action.yml
+.github/config/config-oss-*
+.github/config/config-plus-*
+.github/data/matrix-regression.json
+.github/ISSUE_TEMPLATE/*
+.github/scripts/create-release-tarballs.sh
+.github/scripts/docker-updater.sh
+.github/scripts/release-notes-update.sh
+.github/scripts/release-version-update.sh
+.github/workflows/build-base-images.yml
+.github/workflows/build-test-image.yml
+.github/workflows/cache-update.yml
+.github/workflows/cherry-pick.yml
+.github/workflows/codeql-analysis.yml
+.github/workflows/create-release-branch.yml
+.github/workflows/dependabot-auto-merge.yml
+.github/workflows/dependabot-hugo.yml
+.github/workflows/dependency-review.yml
+.github/workflows/dockerhub-description.yml
+.github/workflows/fossa.yml
+.github/workflows/image-promotion.yml
+.github/workflows/issues.yaml
+.github/workflows/labeler.yml
+.github/workflows/lint-format.yml
+.github/workflows/mend.yml
+.github/workflows/notifications.yml
+.github/workflows/oss-release.yml
+.github/workflows/patch-image.yml
+.github/workflows/plus-release.yml
+.github/workflows/publish-helm.yml
+.github/workflows/regression.yml
+.github/workflows/release-pr.yml
+.github/workflows/release.yml
+.github/workflows/retag-images.yml
+.github/workflows/scorecards.yml
+.github/workflows/stale.yml
+.github/workflows/update-docker-images.yml
+.github/workflows/update-docker-sha.yml
+.github/workflows/updates-notification.yml
+.github/workflows/version-bump.yml
diff --git a/.github/scripts/variables.sh b/.github/scripts/variables.sh
index 5742c99cf9..f4a1d60850 100755
--- a/.github/scripts/variables.sh
+++ b/.github/scripts/variables.sh
@@ -30,7 +30,15 @@ get_chart_md5() {
 }
 
 get_actions_md5() {
-  find .github -type f -exec md5sum {} + | LC_ALL=C sort  | md5sum | awk '{ print $1 }'
+  exclude_list="$(dirname $0)/exclude_ci_files.txt"
+  find_command="find .github -type f -not -path '${exclude_list}'"
+  while IFS= read -r file
+  do
+    find_command+=" -not -path '$file'"
+  done < "$exclude_list"
+
+  find_command+=" -exec md5sum {} +"
+  eval "$find_command" | LC_ALL=C sort  | md5sum | awk '{ print $1 }'
 }
 
 get_build_tag() {

From cca44b2f2eace201c51bf19c3b26ba2c0b5a80a3 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Thu, 27 Jun 2024 12:22:09 +0100
Subject: [PATCH 27/37] add run-name to ci & update docker sha workflows
 (#5876)

---
 .github/workflows/ci.yml                | 1 +
 .github/workflows/update-docker-sha.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 268a50f54f..20ed2ec438 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,5 @@
 name: CI
+run-name: CI on "${{ github.head_ref && github.head_ref || github.ref }}" by @${{ github.actor }}
 
 on:
   pull_request:
diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml
index 7d1a5c4213..98c8ad8061 100644
--- a/.github/workflows/update-docker-sha.yml
+++ b/.github/workflows/update-docker-sha.yml
@@ -1,4 +1,5 @@
 name: "Update pinned container SHAs"
+run-name: Update pinned container SHAs, triggered from ${{ github.event_name }} by @${{ github.actor }}
 
 on:
   workflow_dispatch:

From 0ee025faa523f017f0b68c11d494090b9064265d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 27 Jun 2024 13:17:58 +0000
Subject: [PATCH 28/37] Bump the go group with 1 update (#5870)

Bumps the go group with 1 update: [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager).

Updates `github.com/cert-manager/cert-manager` from 1.15.0 to 1.15.1
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](https://github.com/cert-manager/cert-manager/compare/v1.15.0...v1.15.1)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 0f35d09aec..c721b4d25f 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.22.4
 require (
 	github.com/aws/aws-sdk-go-v2/config v1.27.21
 	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.22.1
-	github.com/cert-manager/cert-manager v1.15.0
+	github.com/cert-manager/cert-manager v1.15.1
 	github.com/dlclark/regexp2 v1.11.0
 	github.com/gkampitakis/go-snaps v0.5.4
 	github.com/go-chi/chi/v5 v5.0.14
diff --git a/go.sum b/go.sum
index 8e57d3c6b1..00d8bfc6ab 100644
--- a/go.sum
+++ b/go.sum
@@ -38,8 +38,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cert-manager/cert-manager v1.15.0 h1:xVL8tzdQECMypoYQa9rv4DLjkn2pJXJLTqH4JUsxfko=
-github.com/cert-manager/cert-manager v1.15.0/go.mod h1:Vxq6yNKAbgQeMtzu5gqU8n0vXDiZcGTa5LDyCJRbmXE=
+github.com/cert-manager/cert-manager v1.15.1 h1:HSG4k2GlJ2YgTLkZfQzrArNaQpM9+ehDDg550IxAD94=
+github.com/cert-manager/cert-manager v1.15.1/go.mod h1:p98JoGv3J9JhdKU9ngsj2EhWGI6/GlU7kpjWu5lf2js=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=

From a991a936e1ac6b005877ae313dd1017978b08059 Mon Sep 17 00:00:00 2001
From: harsha-mangena <44197358+harsha-mangena@users.noreply.github.com>
Date: Thu, 27 Jun 2024 12:58:30 -0400
Subject: [PATCH 29/37] [removes] `include-year` and `includeYear` flag (#5817)

* - refer https://github.com/nginxinc/kubernetes-ingress/issues/5776
- commented deprecated include-year and IncludeYear

* removed commented code

* - made `includeYear` flag as `true` by default.
- removed commented code.

* - addressed comments

* recommit - yaml

* removed include-year arg

Signed-off-by: harsha-mangena <44197358+harsha-mangena@users.noreply.github.com>

* removed include-year arg

Signed-off-by: harsha-mangena <44197358+harsha-mangena@users.noreply.github.com>

* removed include-year arg

Signed-off-by: harsha-mangena <44197358+harsha-mangena@users.noreply.github.com>

* removed include-year arg

Signed-off-by: harsha-mangena <44197358+harsha-mangena@users.noreply.github.com>

---------

Signed-off-by: harsha-mangena <44197358+harsha-mangena@users.noreply.github.com>
Co-authored-by: Jim Ryan <j.ryan@f5.com>
---
 charts/nginx-ingress/templates/_helpers.tpl            |  1 -
 charts/nginx-ingress/values.schema.json                | 10 ----------
 charts/nginx-ingress/values.yaml                       |  3 ---
 cmd/nginx-ingress/flags.go                             |  6 +-----
 deployments/daemon-set/nginx-ingress.yaml              |  1 -
 deployments/daemon-set/nginx-plus-ingress.yaml         |  1 -
 deployments/deployment/nginx-ingress.yaml              |  1 -
 deployments/deployment/nginx-plus-ingress.yaml         |  1 -
 .../global-configuration/command-line-arguments.md     | 10 ----------
 9 files changed, 1 insertion(+), 33 deletions(-)

diff --git a/charts/nginx-ingress/templates/_helpers.tpl b/charts/nginx-ingress/templates/_helpers.tpl
index 051cd17b0d..301c64d51e 100644
--- a/charts/nginx-ingress/templates/_helpers.tpl
+++ b/charts/nginx-ingress/templates/_helpers.tpl
@@ -277,7 +277,6 @@ Build the args for the service binary.
 - -service-insight-tls-secret={{ .Values.serviceInsight.secret }}
 - -enable-custom-resources={{ .Values.controller.enableCustomResources }}
 - -enable-snippets={{ .Values.controller.enableSnippets }}
-- -include-year={{ .Values.controller.includeYear }}
 - -disable-ipv6={{ .Values.controller.disableIPV6 }}
 {{- if .Values.controller.enableCustomResources }}
 - -enable-tls-passthrough={{ .Values.controller.enableTLSPassthrough }}
diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json
index 6c53cfe6b7..07dac0529e 100644
--- a/charts/nginx-ingress/values.schema.json
+++ b/charts/nginx-ingress/values.schema.json
@@ -908,14 +908,6 @@
             false
           ]
         },
-        "includeYear": {
-          "type": "boolean",
-          "default": false,
-          "title": "The includeYear",
-          "examples": [
-            false
-          ]
-        },
         "enableTLSPassthrough": {
           "type": "boolean",
           "default": false,
@@ -1728,7 +1720,6 @@
           "watchNamespace": "",
           "enableCustomResources": true,
           "enableOIDC": false,
-          "includeYear": false,
           "enableTLSPassthrough": false,
           "tlsPassthroughPort": 443,
           "enableCertManager": false,
@@ -2262,7 +2253,6 @@
         "watchNamespace": "",
         "enableCustomResources": true,
         "enableOIDC": false,
-        "includeYear": false,
         "enableTLSPassthrough": false,
         "enableCertManager": false,
         "enableExternalDNS": false,
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
index a3b888ab4c..dd639aa00d 100644
--- a/charts/nginx-ingress/values.yaml
+++ b/charts/nginx-ingress/values.yaml
@@ -343,9 +343,6 @@ controller:
   ## Enable OIDC policies.
   enableOIDC: false
 
-  ## Include year in log header. This parameter will be removed in release 3.7 and the year will be included by default.
-  includeYear: false
-
   ## Enable TLS Passthrough on port 443. Requires controller.enableCustomResources.
   enableTLSPassthrough: false
 
diff --git a/cmd/nginx-ingress/flags.go b/cmd/nginx-ingress/flags.go
index d36381974e..548523f493 100644
--- a/cmd/nginx-ingress/flags.go
+++ b/cmd/nginx-ingress/flags.go
@@ -6,7 +6,6 @@ import (
 	"net"
 	"os"
 	"regexp"
-	"strconv"
 	"strings"
 
 	"github.com/golang/glog"
@@ -198,9 +197,6 @@ var (
 	enableExternalDNS = flag.Bool("enable-external-dns", false,
 		"Enable external-dns controller for VirtualServer resources. Requires -enable-custom-resources")
 
-	includeYearInLogs = flag.Bool("include-year", false,
-		"Option to include the year in the log header")
-
 	disableIPV6 = flag.Bool("disable-ipv6", false,
 		`Disable IPV6 listeners explicitly for nodes that do not support the IPV6 stack`)
 
@@ -305,7 +301,7 @@ func initialChecks() {
 		glog.Fatalf("Error setting logtostderr to true: %v", err)
 	}
 
-	err = flag.Lookup("include_year").Value.Set(strconv.FormatBool(*includeYearInLogs))
+	err = flag.Lookup("include_year").Value.Set("true")
 	if err != nil {
 		glog.Fatalf("Error setting include_year flag: %v", err)
 	}
diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml
index 74bb3f1d0d..6a4e85907b 100644
--- a/deployments/daemon-set/nginx-ingress.yaml
+++ b/deployments/daemon-set/nginx-ingress.yaml
@@ -91,7 +91,6 @@ spec:
           - -report-ingress-status
           - -external-service=nginx-ingress
          #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
-         #- -include-year
          #- -v=3 # Enables extensive logging. Useful for troubleshooting.
          #- -enable-prometheus-metrics
          #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml
index 71c244585b..4f885b24e6 100644
--- a/deployments/daemon-set/nginx-plus-ingress.yaml
+++ b/deployments/daemon-set/nginx-plus-ingress.yaml
@@ -92,7 +92,6 @@ spec:
           - -report-ingress-status
           - -external-service=nginx-ingress
          #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
-         #- -include-year
          #- -enable-app-protect
          #- -enable-app-protect-dos
          #- -v=3 # Enables extensive logging. Useful for troubleshooting.
diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml
index 5169f1db7b..04f5c4fa49 100644
--- a/deployments/deployment/nginx-ingress.yaml
+++ b/deployments/deployment/nginx-ingress.yaml
@@ -90,7 +90,6 @@ spec:
           - -report-ingress-status
           - -external-service=nginx-ingress
          #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
-         #- -include-year
          #- -enable-cert-manager
          #- -enable-external-dns
          #- -v=3 # Enables extensive logging. Useful for troubleshooting.
diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml
index 6868cb3497..4b2e2151c6 100644
--- a/deployments/deployment/nginx-plus-ingress.yaml
+++ b/deployments/deployment/nginx-plus-ingress.yaml
@@ -93,7 +93,6 @@ spec:
           - -report-ingress-status
           - -external-service=nginx-ingress
          #- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
-         #- -include-year
          #- -enable-cert-manager
          #- -enable-external-dns
          #- -enable-app-protect
diff --git a/docs/content/configuration/global-configuration/command-line-arguments.md b/docs/content/configuration/global-configuration/command-line-arguments.md
index 377ea9ea6b..eb3f96c3bc 100644
--- a/docs/content/configuration/global-configuration/command-line-arguments.md
+++ b/docs/content/configuration/global-configuration/command-line-arguments.md
@@ -81,16 +81,6 @@ Default `false`.
 
 ---
 
-### -include-year
-
-Adds year to log headers.
-
-Default `false`.
-
-{{< note >}} This flag will be removed in release 3.7 and the year will be included by default. {{< /note >}}
-
----
-
 ### -enable-leader-election
 
 Enables Leader election to avoid multiple replicas of the controller reporting the status of Ingress, VirtualServer and VirtualServerRoute resources -- only one replica will report status.

From 7f2cc9018c5ede60db93e73ec8113e735698a0f4 Mon Sep 17 00:00:00 2001
From: nginx-bot <68849795+nginx-bot@users.noreply.github.com>
Date: Fri, 28 Jun 2024 01:36:00 -0700
Subject: [PATCH 30/37] Docker image update d41d8cd9 (#5881)

---
 tests/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/Dockerfile b/tests/Dockerfile
index c89a54f505..1a99ab52d2 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -5,7 +5,7 @@ FROM kindest/node:v1.30.0@sha256:047357ac0cfea04663786a612ba1eaba9702bef25227a79
 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date
 FROM quay.io/skopeo/stable:v1.15.1
 
-FROM python:3.12@sha256:f6d04873f0a67146854270e5f6513ed5e0165557c1b10689f1a20e9e65c8fe8e
+FROM python:3.12@sha256:fce9bc7648ef917a5ab67176cf1c7eb41b110452e259736144bc22f32f3aa622
 
 RUN apt-get update \
 	&& apt-get install -y curl git \

From 0ed7ce098b405e6ff554ea88173335c3b0e31225 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 28 Jun 2024 09:18:19 +0000
Subject: [PATCH 31/37] Bump the go group with 2 updates (#5880)

Bumps the go group with 2 updates: [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/marketplacemetering](https://github.com/aws/aws-sdk-go-v2).

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.27.21 to 1.27.22
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.21...config/v1.27.22)

Updates `github.com/aws/aws-sdk-go-v2/service/marketplacemetering` from 1.22.1 to 1.23.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.22.1...v1.23.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/aws/aws-sdk-go-v2/service/marketplacemetering
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
---
 go.mod | 12 ++++++------
 go.sum | 24 ++++++++++++------------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/go.mod b/go.mod
index c721b4d25f..7c7003264e 100644
--- a/go.mod
+++ b/go.mod
@@ -3,8 +3,8 @@ module github.com/nginxinc/kubernetes-ingress
 go 1.22.4
 
 require (
-	github.com/aws/aws-sdk-go-v2/config v1.27.21
-	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.22.1
+	github.com/aws/aws-sdk-go-v2/config v1.27.22
+	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.0
 	github.com/cert-manager/cert-manager v1.15.1
 	github.com/dlclark/regexp2 v1.11.0
 	github.com/gkampitakis/go-snaps v0.5.4
@@ -37,16 +37,16 @@ require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.21 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.22 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.0 // indirect
 	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
diff --git a/go.sum b/go.sum
index 00d8bfc6ab..ecae34b190 100644
--- a/go.sum
+++ b/go.sum
@@ -6,10 +6,10 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA=
 github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
-github.com/aws/aws-sdk-go-v2/config v1.27.21 h1:yPX3pjGCe2hJsetlmGNB4Mngu7UPmvWPzzWCv1+boeM=
-github.com/aws/aws-sdk-go-v2/config v1.27.21/go.mod h1:4XtlEU6DzNai8RMbjSF5MgGZtYvrhBP/aKZcRtZAVdM=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.21 h1:pjAqgzfgFhTv5grc7xPHtXCAaMapzmwA7aU+c/SZQGw=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.21/go.mod h1:nhK6PtBlfHTUDVmBLr1dg+WHCOCK+1Fu/WQyVHPsgNQ=
+github.com/aws/aws-sdk-go-v2/config v1.27.22 h1:TRkQVtpDINt+Na/ToU7iptyW6U0awAwJ24q4XN+59k8=
+github.com/aws/aws-sdk-go-v2/config v1.27.22/go.mod h1:EYY3mVgFRUWkh6QNKH64MdyKs1YSUgatc0Zp3MDxi7c=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.22 h1:wu9kXQbbt64ul09v3ye4HYleAr4WiGV/uv69EXKDEr0=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.22/go.mod h1:pcvMtPcxJn3r2k6mZD9I0EcumLqPLA7V/0iCgOIlY+o=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8 h1:FR+oWPFb/8qMVYMWN98bUZAGqPvLHiyqg1wqQGfUAXY=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.8/go.mod h1:EgSKcHiuuakEIxJcKGzVNWh5srVAQ3jKaSrBGRYvM48=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw=
@@ -22,14 +22,14 @@ github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1x
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI=
-github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.22.1 h1:cUDTQYv1AapRcYi7bmSO990q9t3+C6KXcjZxdNexgMs=
-github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.22.1/go.mod h1:FARw6qpTrHDbxBAJNEdwBzfMQYZj/kHYeEw2ww0V/HM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.21.1 h1:sd0BsnAvLH8gsp2e3cbaIr+9D7T1xugueQ7V/zUAsS4=
-github.com/aws/aws-sdk-go-v2/service/sso v1.21.1/go.mod h1:lcQG/MmxydijbeTOp04hIuJwXGWPZGI3bwdFDGRTv14=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1 h1:1uEFNNskK/I1KoZ9Q8wJxMz5V9jyBlsiaNrM7vA3YUQ=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.25.1/go.mod h1:z0P8K+cBIsFXUr5rzo/psUeJ20XjPN0+Nn8067Nd+E4=
-github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 h1:myX5CxqXE0QMZNja6FA1/FSE3Vu1rVmeUmpJMMzeZg0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.29.1/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE=
+github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.0 h1:PNt0DbBM+46jcsRpzkEbtf+zGA/WN2znV095NGpzIdk=
+github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.23.0/go.mod h1:FARw6qpTrHDbxBAJNEdwBzfMQYZj/kHYeEw2ww0V/HM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.0 h1:lPIAPCRoJkmotLTU/9B6icUFlYDpEuWjKeL79XROv1M=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.0/go.mod h1:lcQG/MmxydijbeTOp04hIuJwXGWPZGI3bwdFDGRTv14=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.0 h1:/4r71ghx+hX9spr884cqXHPEmPzqH/J3K7fkE1yfcmw=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.0/go.mod h1:z0P8K+cBIsFXUr5rzo/psUeJ20XjPN0+Nn8067Nd+E4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.0 h1:9ja34PaKybhCJjVKvxtDsUjbATUJGN+eF6QnO58u5cI=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.0/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE=
 github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
 github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=

From 7eb500c8629649ae52a5aa9e22476c528deea6f8 Mon Sep 17 00:00:00 2001
From: Jim Ryan <j.ryan@f5.com>
Date: Fri, 28 Jun 2024 13:56:14 +0100
Subject: [PATCH 32/37] Split VSR matrix in 3 (#5883)

* Split VSR matrix in 3

* fix quotes

* simplify marker
---
 .github/data/matrix-smoke-oss.json             | 18 ++++++++++++++++--
 .github/data/matrix-smoke-plus.json            | 18 ++++++++++++++++--
 tests/suite/test_rewrites.py                   |  1 +
 tests/suite/test_v_s_route.py                  |  3 +++
 tests/suite/test_v_s_route_advanced_routing.py |  1 +
 tests/suite/test_v_s_route_api.py              |  1 +
 tests/suite/test_v_s_route_canned_responses.py |  1 +
 tests/suite/test_v_s_route_error_pages.py      |  1 +
 tests/suite/test_v_s_route_externalname.py     |  1 +
 tests/suite/test_v_s_route_focused_canary.py   |  1 +
 tests/suite/test_v_s_route_grpc.py             |  1 +
 tests/suite/test_v_s_route_redirects.py        |  1 +
 tests/suite/test_v_s_route_regexp_location.py  |  2 ++
 tests/suite/test_v_s_route_split_traffic.py    |  1 +
 tests/suite/test_v_s_route_status.py           |  1 +
 tests/suite/test_v_s_route_upstream_options.py |  3 +++
 tests/suite/test_v_s_route_upstream_tls.py     |  1 +
 ..._v_s_route_weight_changes_dynamic_reload.py |  1 +
 ...eight_changes_dynamic_reload_many_splits.py |  1 +
 tests/suite/test_watch_secret_namespace.py     |  2 ++
 20 files changed, 56 insertions(+), 4 deletions(-)

diff --git a/.github/data/matrix-smoke-oss.json b/.github/data/matrix-smoke-oss.json
index a6965bfedd..1c042f20fd 100644
--- a/.github/data/matrix-smoke-oss.json
+++ b/.github/data/matrix-smoke-oss.json
@@ -15,10 +15,24 @@
       "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
     },
     {
-      "label": "VSR",
+      "label": "VSR 1/3",
       "image": "alpine",
       "type": "oss",
-      "marker": "vsr",
+      "marker": "'vsr and not vsr_upstream and not vsr_grpc and not vsr_status and not vsr_canary and not vsr_routing and not vsr_api and not vsr_redirects and not vsr_rewrite and not vsr_canned and not vsr_basic'",
+      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+    },
+    {
+      "label": "VSR 2/3",
+      "image": "alpine",
+      "type": "oss",
+      "marker": "'vsr_basic or vsr_canned or vsr_rewrite or vsr_redirects or vsr_upstream'",
+      "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
+    },
+    {
+      "label": "VSR 3/3",
+      "image": "alpine",
+      "type": "oss",
+      "marker": "'vsr_api or vsr_routing or vsr_canary or vsr_status or vsr_grpc'",
       "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
     },
     {
diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json
index 228a92b1cc..ac29f33c7d 100644
--- a/.github/data/matrix-smoke-plus.json
+++ b/.github/data/matrix-smoke-plus.json
@@ -43,10 +43,24 @@
       "platforms": "linux/arm64, linux/amd64"
     },
     {
-      "label": "VSR",
+      "label": "VSR 1/3",
       "image": "alpine-plus",
       "type": "plus",
-      "marker": "vsr",
+      "marker": "'vsr and not vsr_upstream and not vsr_grpc and not vsr_status and not vsr_canary and not vsr_routing and not vsr_api and not vsr_redirects and not vsr_rewrite and not vsr_canned and not vsr_basic'",
+      "platforms": "linux/arm64, linux/amd64"
+    },
+    {
+      "label": "VSR 2/3",
+      "image": "alpine-plus",
+      "type": "plus",
+      "marker": "'vsr_basic or vsr_canned or vsr_rewrite or vsr_redirects or vsr_upstream'",
+      "platforms": "linux/arm64, linux/amd64"
+    },
+    {
+      "label": "VSR 3/3",
+      "image": "alpine-plus",
+      "type": "plus",
+      "marker": "'vsr_api or vsr_routing or vsr_canary or vsr_status or vsr_grpc'",
       "platforms": "linux/arm64, linux/amd64"
     },
     {
diff --git a/tests/suite/test_rewrites.py b/tests/suite/test_rewrites.py
index a91d14ce03..eee14bdcf2 100644
--- a/tests/suite/test_rewrites.py
+++ b/tests/suite/test_rewrites.py
@@ -112,6 +112,7 @@ def test_vs_rewrite(self, vs_rewrites_setup, path, args, cookies, expected):
         assert f"URI: {expected}\nRequest" in resp.text
 
     @pytest.mark.vsr
+    @pytest.mark.vsr_rewrite
     @pytest.mark.parametrize("path,args,cookies,expected", test_data)
     def test_vsr_rewrite(self, vsr_rewrites_setup, path, args, cookies, expected):
         """
diff --git a/tests/suite/test_v_s_route.py b/tests/suite/test_v_s_route.py
index 4b28ea0e26..d5684df622 100644
--- a/tests/suite/test_v_s_route.py
+++ b/tests/suite/test_v_s_route.py
@@ -49,6 +49,7 @@ def assert_locations_not_in_config(config, paths):
 
 @pytest.mark.smoke
 @pytest.mark.vsr
+@pytest.mark.vsr_basic
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [({"type": "complete", "extra_args": [f"-enable-custom-resources"]}, {"example": "virtual-server-route"})],
@@ -267,6 +268,7 @@ def test_responses_and_events_in_flow(
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_basic
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [({"type": "complete", "extra_args": [f"-enable-custom-resources"]}, {"example": "virtual-server-route"})],
@@ -369,6 +371,7 @@ def test_openapi_validation_flow(
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_basic
 @pytest.mark.flaky(max_runs=3)
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
diff --git a/tests/suite/test_v_s_route_advanced_routing.py b/tests/suite/test_v_s_route_advanced_routing.py
index 5405b3823e..b656ede340 100644
--- a/tests/suite/test_v_s_route_advanced_routing.py
+++ b/tests/suite/test_v_s_route_advanced_routing.py
@@ -107,6 +107,7 @@ def fin():
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_routing
 @pytest.mark.parametrize(
     "crd_ingress_controller, vsr_adv_routing_setup",
     [
diff --git a/tests/suite/test_v_s_route_api.py b/tests/suite/test_v_s_route_api.py
index 97703b6cc3..82e9a1a5ff 100644
--- a/tests/suite/test_v_s_route_api.py
+++ b/tests/suite/test_v_s_route_api.py
@@ -8,6 +8,7 @@
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_api
 @pytest.mark.skip_for_nginx_oss
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
diff --git a/tests/suite/test_v_s_route_canned_responses.py b/tests/suite/test_v_s_route_canned_responses.py
index ab3b87d01a..221314cf06 100644
--- a/tests/suite/test_v_s_route_canned_responses.py
+++ b/tests/suite/test_v_s_route_canned_responses.py
@@ -15,6 +15,7 @@
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_canned
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [
diff --git a/tests/suite/test_v_s_route_error_pages.py b/tests/suite/test_v_s_route_error_pages.py
index cf5d28d132..14b4d1947b 100644
--- a/tests/suite/test_v_s_route_error_pages.py
+++ b/tests/suite/test_v_s_route_error_pages.py
@@ -14,6 +14,7 @@
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_error_pages
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [
diff --git a/tests/suite/test_v_s_route_externalname.py b/tests/suite/test_v_s_route_externalname.py
index 305d853501..a363e17d5b 100644
--- a/tests/suite/test_v_s_route_externalname.py
+++ b/tests/suite/test_v_s_route_externalname.py
@@ -129,6 +129,7 @@ def fin():
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_external_name
 @pytest.mark.skip_for_nginx_oss
 @pytest.mark.parametrize(
     "crd_ingress_controller, vsr_externalname_setup",
diff --git a/tests/suite/test_v_s_route_focused_canary.py b/tests/suite/test_v_s_route_focused_canary.py
index 5da845b4cd..f4ff31eec6 100644
--- a/tests/suite/test_v_s_route_focused_canary.py
+++ b/tests/suite/test_v_s_route_focused_canary.py
@@ -116,6 +116,7 @@ def fin():
 
 @pytest.mark.flaky(max_runs=3)
 @pytest.mark.vsr
+@pytest.mark.vsr_canary
 @pytest.mark.parametrize(
     "crd_ingress_controller, vsr_canary_setup",
     [
diff --git a/tests/suite/test_v_s_route_grpc.py b/tests/suite/test_v_s_route_grpc.py
index 4a864d8305..247de0e17b 100644
--- a/tests/suite/test_v_s_route_grpc.py
+++ b/tests/suite/test_v_s_route_grpc.py
@@ -68,6 +68,7 @@ def fin():
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_grpc
 @pytest.mark.smoke
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
diff --git a/tests/suite/test_v_s_route_redirects.py b/tests/suite/test_v_s_route_redirects.py
index 5ca73c6b80..f05f496065 100644
--- a/tests/suite/test_v_s_route_redirects.py
+++ b/tests/suite/test_v_s_route_redirects.py
@@ -13,6 +13,7 @@
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_redirects
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [
diff --git a/tests/suite/test_v_s_route_regexp_location.py b/tests/suite/test_v_s_route_regexp_location.py
index f867fb12c1..aad6535b37 100644
--- a/tests/suite/test_v_s_route_regexp_location.py
+++ b/tests/suite/test_v_s_route_regexp_location.py
@@ -21,6 +21,7 @@
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_regexes
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [
@@ -214,6 +215,7 @@ def vsr_regexp_setup(
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_regexes
 @pytest.mark.parametrize(
     "crd_ingress_controller, vsr_regexp_setup",
     [
diff --git a/tests/suite/test_v_s_route_split_traffic.py b/tests/suite/test_v_s_route_split_traffic.py
index 0d6b6a14f0..9c39afcdfd 100644
--- a/tests/suite/test_v_s_route_split_traffic.py
+++ b/tests/suite/test_v_s_route_split_traffic.py
@@ -40,6 +40,7 @@ def get_upstreams_of_splitting(file) -> []:
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_splits
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [
diff --git a/tests/suite/test_v_s_route_status.py b/tests/suite/test_v_s_route_status.py
index e762899368..e917e547b4 100644
--- a/tests/suite/test_v_s_route_status.py
+++ b/tests/suite/test_v_s_route_status.py
@@ -11,6 +11,7 @@
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_status
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [
diff --git a/tests/suite/test_v_s_route_upstream_options.py b/tests/suite/test_v_s_route_upstream_options.py
index 88bf20b200..c922a16122 100644
--- a/tests/suite/test_v_s_route_upstream_options.py
+++ b/tests/suite/test_v_s_route_upstream_options.py
@@ -26,6 +26,7 @@
     indirect=True,
 )
 @pytest.mark.vsr
+@pytest.mark.vsr_upstream
 class TestVSRouteUpstreamOptions:
     def test_nginx_config_upstreams_defaults(
         self, kube_apis, ingress_controller_prerequisites, crd_ingress_controller, v_s_route_setup, v_s_route_app_setup
@@ -393,6 +394,7 @@ def test_v_s_r_overrides_config_map(
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_upstream
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [
@@ -544,6 +546,7 @@ def test_openapi_validation_flow(
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_upstream
 @pytest.mark.skip_for_nginx_oss
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
diff --git a/tests/suite/test_v_s_route_upstream_tls.py b/tests/suite/test_v_s_route_upstream_tls.py
index a368c419f7..8b39efc0de 100644
--- a/tests/suite/test_v_s_route_upstream_tls.py
+++ b/tests/suite/test_v_s_route_upstream_tls.py
@@ -60,6 +60,7 @@ def fin():
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_upstream
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [
diff --git a/tests/suite/test_v_s_route_weight_changes_dynamic_reload.py b/tests/suite/test_v_s_route_weight_changes_dynamic_reload.py
index 971ac7f2c7..c31efb0fc3 100644
--- a/tests/suite/test_v_s_route_weight_changes_dynamic_reload.py
+++ b/tests/suite/test_v_s_route_weight_changes_dynamic_reload.py
@@ -92,6 +92,7 @@ def fin():
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_splits
 @pytest.mark.smok
 @pytest.mark.skip_for_nginx_oss
 @pytest.mark.parametrize(
diff --git a/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py b/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py
index 620d7d305d..a0fd285570 100644
--- a/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py
+++ b/tests/suite/test_v_s_route_weight_changes_dynamic_reload_many_splits.py
@@ -114,6 +114,7 @@ def fin():
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_splits
 @pytest.mark.smok
 @pytest.mark.skip_for_nginx_oss
 @pytest.mark.parametrize(
diff --git a/tests/suite/test_watch_secret_namespace.py b/tests/suite/test_watch_secret_namespace.py
index 86d21998f6..479f0cfa70 100644
--- a/tests/suite/test_watch_secret_namespace.py
+++ b/tests/suite/test_watch_secret_namespace.py
@@ -8,6 +8,7 @@
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_secrets
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [
@@ -62,6 +63,7 @@ def test_responses(
 
 
 @pytest.mark.vsr
+@pytest.mark.vsr_secrets
 @pytest.mark.parametrize(
     "crd_ingress_controller, v_s_route_setup",
     [

From 77cc604ce0b55d44171be264f635b12bf91c7cbc Mon Sep 17 00:00:00 2001
From: Shaun <s.odonovan@f5.com>
Date: Fri, 28 Jun 2024 15:06:41 +0100
Subject: [PATCH 33/37] Add default telemetry endpoint (#5885)

---
 internal/k8s/controller.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/k8s/controller.go b/internal/k8s/controller.go
index 6d8f49bfb3..6968dfb9e5 100644
--- a/internal/k8s/controller.go
+++ b/internal/k8s/controller.go
@@ -354,8 +354,12 @@ func NewLoadBalancerController(input NewLoadBalancerControllerInput) *LoadBalanc
 
 	// NIC Telemetry Reporting
 	if input.EnableTelemetryReporting {
+		// Default endpoint
 		exporterCfg := telemetry.ExporterCfg{
-			Endpoint: input.TelemetryReportingEndpoint,
+			Endpoint: "oss.edge.df.f5.com:443",
+		}
+		if input.TelemetryReportingEndpoint != "" {
+			exporterCfg.Endpoint = input.TelemetryReportingEndpoint
 		}
 
 		exporter, err := telemetry.NewExporter(exporterCfg)

From 715141ee648045afd34d990b2aefbce1bc3d7b17 Mon Sep 17 00:00:00 2001
From: Jim Ryan <j.ryan@f5.com>
Date: Fri, 28 Jun 2024 15:46:26 +0100
Subject: [PATCH 34/37] Move some python tests from vs1 to vs2 (#5888)

more tests from vs1 to vs2
---
 .github/data/matrix-smoke-oss.json                        | 4 ++--
 .github/data/matrix-smoke-plus.json                       | 4 ++--
 tests/suite/test_virtual_server_api.py                    | 1 +
 tests/suite/test_virtual_server_backup_service.py         | 1 +
 tests/suite/test_virtual_server_configmap_keys.py         | 2 ++
 tests/suite/test_virtual_server_focused_canary.py         | 1 +
 tests/suite/test_virtual_server_upstream_options.py       | 3 +++
 tests/suite/test_virtual_server_use_cluster_ip_reloads.py | 1 +
 8 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/.github/data/matrix-smoke-oss.json b/.github/data/matrix-smoke-oss.json
index 1c042f20fd..a15b9b8937 100644
--- a/.github/data/matrix-smoke-oss.json
+++ b/.github/data/matrix-smoke-oss.json
@@ -53,14 +53,14 @@
       "label": "VS 1/3",
       "image": "debian",
       "type": "oss",
-      "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'",
+      "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager and not vs_api and not vs_backup and not vs_use_cluster_ip and not vs_canary and not vs_upstream and not vs_config_map'",
       "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
     },
     {
       "label": "VS 2/3",
       "image": "debian",
       "type": "oss",
-      "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'",
+      "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns or vs_api or vs_backup or vs_use_cluster_ip or vs_canary or vs_upstream or vs_config_map'",
       "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
     },
     {
diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json
index ac29f33c7d..476e796a7f 100644
--- a/.github/data/matrix-smoke-plus.json
+++ b/.github/data/matrix-smoke-plus.json
@@ -4,14 +4,14 @@
       "label": "VS 1/3",
       "image": "debian-plus",
       "type": "plus",
-      "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager'",
+      "marker": "'vs and not vs_ipv6 and not vs_rewrite and not vs_responses and not vs_grpc and not vs_redirects and not vs_externalname and not vs_externaldns and not vs_certmanager and not vs_api and not vs_backup and not vs_use_cluster_ip and not vs_canary and not vs_upstream and not vs_config_map'",
       "platforms": "linux/arm64, linux/amd64"
     },
     {
       "label": "VS 2/3",
       "image": "debian-plus",
       "type": "plus",
-      "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns'",
+      "marker": "'vs_grpc or vs_redirects or vs_externalname or vs_externaldns or vs_api or vs_backup or vs_use_cluster_ip or vs_canary or vs_upstream or vs_config_map'",
       "platforms": "linux/arm64, linux/amd64"
     },
     {
diff --git a/tests/suite/test_virtual_server_api.py b/tests/suite/test_virtual_server_api.py
index de097e258f..ca615e19d2 100644
--- a/tests/suite/test_virtual_server_api.py
+++ b/tests/suite/test_virtual_server_api.py
@@ -8,6 +8,7 @@
 
 
 @pytest.mark.vs
+@pytest.mark.vs_api
 @pytest.mark.skip_for_nginx_oss
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup",
diff --git a/tests/suite/test_virtual_server_backup_service.py b/tests/suite/test_virtual_server_backup_service.py
index 7469ddcb85..e081491e0d 100644
--- a/tests/suite/test_virtual_server_backup_service.py
+++ b/tests/suite/test_virtual_server_backup_service.py
@@ -105,6 +105,7 @@ def fin():
 
 
 @pytest.mark.vs
+@pytest.mark.vs_backup
 @pytest.mark.skip_for_nginx_oss
 @pytest.mark.skip(reason="issue with VS config")
 @pytest.mark.parametrize(
diff --git a/tests/suite/test_virtual_server_configmap_keys.py b/tests/suite/test_virtual_server_configmap_keys.py
index e41ad43211..36e0860553 100644
--- a/tests/suite/test_virtual_server_configmap_keys.py
+++ b/tests/suite/test_virtual_server_configmap_keys.py
@@ -149,6 +149,7 @@ def fin():
 
 
 @pytest.mark.vs
+@pytest.mark.vs_config_map
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup",
     [
@@ -342,6 +343,7 @@ def test_keys_in_main_config(
 
 
 @pytest.mark.vs
+@pytest.mark.vs_config_map
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup",
     [
diff --git a/tests/suite/test_virtual_server_focused_canary.py b/tests/suite/test_virtual_server_focused_canary.py
index 261e8424c5..5a7afdae92 100644
--- a/tests/suite/test_virtual_server_focused_canary.py
+++ b/tests/suite/test_virtual_server_focused_canary.py
@@ -38,6 +38,7 @@ def get_upstreams_of_splitting(file) -> []:
 
 
 @pytest.mark.vs
+@pytest.mark.vs_canary
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup",
     [
diff --git a/tests/suite/test_virtual_server_upstream_options.py b/tests/suite/test_virtual_server_upstream_options.py
index 29049153a2..2d932c942d 100644
--- a/tests/suite/test_virtual_server_upstream_options.py
+++ b/tests/suite/test_virtual_server_upstream_options.py
@@ -20,6 +20,7 @@
 
 
 @pytest.mark.vs
+@pytest.mark.vs_upstream
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup",
     [
@@ -354,6 +355,7 @@ def test_v_s_overrides_config_map(
 
 
 @pytest.mark.vs
+@pytest.mark.vs_upstream
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup",
     [
@@ -471,6 +473,7 @@ def test_openapi_validation_flow(
 
 
 @pytest.mark.vs
+@pytest.mark.vs_upstream
 @pytest.mark.skip_for_nginx_oss
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup",
diff --git a/tests/suite/test_virtual_server_use_cluster_ip_reloads.py b/tests/suite/test_virtual_server_use_cluster_ip_reloads.py
index 97d9fcf6f1..1512b57edf 100644
--- a/tests/suite/test_virtual_server_use_cluster_ip_reloads.py
+++ b/tests/suite/test_virtual_server_use_cluster_ip_reloads.py
@@ -5,6 +5,7 @@
 
 
 @pytest.mark.vs
+@pytest.mark.vs_use_cluster_ip
 @pytest.mark.parametrize(
     "crd_ingress_controller, virtual_server_setup",
     [

From f593b0c206156cb7275d486971ffbfccf4eacb14 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Mon, 1 Jul 2024 10:16:31 +0100
Subject: [PATCH 35/37] add nap-v5 images to image patch workflow (#5894)

---
 .github/workflows/update-docker-images.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml
index 926973f2e4..dd0a1641af 100644
--- a/.github/workflows/update-docker-images.yml
+++ b/.github/workflows/update-docker-images.yml
@@ -175,6 +175,21 @@ jobs:
             image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress"
             target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress"
             platforms: "linux/amd64"
+          - tag: "${{ needs.variables.outputs.tag }}"
+            target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
+            image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress"
+            target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress"
+            platforms: "linux/amd64"
+          - tag: "${{ needs.variables.outputs.tag }}-ubi"
+            target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-ubi"
+            image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress"
+            target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress"
+            platforms: "linux/amd64"
+          - tag: "${{ needs.variables.outputs.tag }}-alpine-fips"
+            target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}-alpine-fips"
+            image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress"
+            target_image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress"
+            platforms: "linux/amd64"
           - tag: "${{ needs.variables.outputs.tag }}"
             target_tag: "${{ needs.variables.outputs.tag }}-${{ needs.variables.outputs.date }}"
             image: "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress"

From ee25a83d52edbc86cde5e3816ca51d5c02c90564 Mon Sep 17 00:00:00 2001
From: oseoin <oseoin@users.noreply.github.com>
Date: Mon, 1 Jul 2024 11:20:00 +0100
Subject: [PATCH 36/37] Change always references to not cancelled (#5898)

---
 .github/workflows/ci.yml         | 2 +-
 .github/workflows/regression.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 20ed2ec438..3dc8af5958 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -664,7 +664,7 @@ jobs:
     if: ${{ inputs.force || (needs.checks.outputs.forked_workflow == 'false' && needs.checks.outputs.stable_image_exists != 'true' && needs.checks.outputs.docs_only == 'false') }}
 
   tag-results:
-    if: ${{ always() }}
+    if: ${{ !cancelled() }}
     runs-on: ubuntu-22.04
     name: Final CI Results
     needs: [tag-stable, smoke-tests-oss, smoke-tests-plus, smoke-tests-nap]
diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml
index 19038d92aa..da115aa654 100644
--- a/.github/workflows/regression.yml
+++ b/.github/workflows/regression.yml
@@ -254,7 +254,7 @@ jobs:
         with:
           name: ${{ steps.regression-tests.outputs.test-results-name }}
           path: ${{ steps.regression-tests.outputs.test-results-path }}
-        if: always()
+        if: ${{ !cancelled() }}
 
   tag-stable:
     name: Tag tested image as nightly

From 3630ec01938e138c4c579246d31048a64756d9f5 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Mon, 1 Jul 2024 11:29:21 +0100
Subject: [PATCH 37/37] ensure release draft occurs (#5900)

Co-authored-by: oseoin <oseoin@users.noreply.github.com>
---
 .github/workflows/image-promotion.yml | 33 +++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/.github/workflows/image-promotion.yml b/.github/workflows/image-promotion.yml
index 1ae86669e6..2967283027 100644
--- a/.github/workflows/image-promotion.yml
+++ b/.github/workflows/image-promotion.yml
@@ -610,3 +610,36 @@ jobs:
         uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           sarif_file: "${{ steps.directory.outputs.directory }}/"
+
+  update-release-draft:
+    name: Update Release Draft
+    runs-on: ubuntu-22.04
+    needs: [checks]
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Create/Update Draft
+        uses: lucacome/draft-release@3ed3808cb75e4398e021a19a171ce62f4943f2f7 # v1.0.0
+        id: release-notes
+        with:
+          minor-label: "enhancement"
+          major-label: "change"
+          publish: false
+          collapse-after: 50
+          variables: |
+            helm-chart=${{ needs.checks.outputs.chart_version }}
+          notes-footer: |
+            ## Upgrade
+            - For NGINX, use the {{version}} images from our [DockerHub](https://hub.docker.com/r/nginx/nginx-ingress/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/kubernetes-ingress/pkgs/container/kubernetes-ingress), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-ingress) or [Quay.io](https://quay.io/repository/nginx/nginx-ingress).
+            - For NGINX Plus, use the {{version}} images from the F5 Container registry, the [AWS Marketplace](https://aws.amazon.com/marketplace/search/?CREATOR=741df81b-dfdc-4d36-b8da-945ea66b522c&FULFILLMENT_OPTION_TYPE=CONTAINER&filters=CREATOR%2CFULFILLMENT_OPTION_TYPE), the [GCP Marketplace](https://console.cloud.google.com/marketplace/browse?filter=partner:F5,%20Inc.&filter=solution-type:k8s&filter=category:networking), [Azure Marketplace](https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/category/containers?page=1&search=f5&subcategories=container-apps) or build your own image using the {{version}} source code.
+            - For Helm, use version {{helm-chart}} of the chart.
+
+            ## Resources
+            - Documentation -- https://docs.nginx.com/nginx-ingress-controller/
+            - Configuration examples -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/examples
+            - Helm Chart -- https://github.com/nginxinc/kubernetes-ingress/tree/{{version}}/deployments/helm-chart
+            - Operator -- https://github.com/nginxinc/nginx-ingress-helm-operator
+        if: ${{ github.event_name == 'push' && contains(github.ref_name, 'release-') }}