From 39ce03913c131a14f421c74ae89776c87523198b Mon Sep 17 00:00:00 2001
From: Qiao Han
Date: Mon, 28 Oct 2024 14:34:58 +0800
Subject: [PATCH 1/2] chore: remove contents permisison from mirror job
---
 .github/workflows/mirror-image.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/mirror-image.yml b/.github/workflows/mirror-image.yml
index 99210c98c..1d9bc9fba 100644
--- a/.github/workflows/mirror-image.yml
+++ b/.github/workflows/mirror-image.yml
@@ -17,7 +17,6 @@ jobs:
 mirror:
 runs-on: ubuntu-latest
 permissions:
- contents: read
 packages: write
 id-token: write
 steps:
From 588b4735b69cd661c2cb91fc1189dd585f3d37c5 Mon Sep 17 00:00:00 2001
From: Qiao Han
Date: Mon, 28 Oct 2024 14:34:19 +0800
Subject: [PATCH 2/2] fix(api): update kong image to address vulnerability
---
 internal/start/start.go | 18 +++++++++---------
 internal/start/templates/custom_nginx.template | 9 ++++++++-
 pkg/config/constants.go | 2 +-
 3 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/internal/start/start.go b/internal/start/start.go
index 72f34b8e7..d5dd82aa6 100644
--- a/internal/start/start.go
+++ b/internal/start/start.go
@@ -127,7 +127,7 @@ var (
 //go:embed templates/custom_nginx.template
 nginxConfigEmbed string
 // Hardcoded configs which match nginxConfigEmbed
- nginxEmailTemplateDir = "/home/kong/templates/email"
+ nginxEmailTemplateDir = "/etc/kong/templates/email"
 nginxTemplateServerPort = 8088
 )
@@ -400,7 +400,7 @@ EOF
 Image: utils.Config.Api.KongImage,
 Env: []string{
 "KONG_DATABASE=off",
- "KONG_DECLARATIVE_CONFIG=/home/kong/kong.yml",
+ "KONG_DECLARATIVE_CONFIG=/etc/kong/kong.yml",
 "KONG_DNS_ORDER=LAST,A,CNAME", // https://github.com/supabase/cli/issues/14
 "KONG_PLUGINS=request-transformer,cors",
 fmt.Sprintf("KONG_PORT_MAPS=%d:8000", utils.Config.Api.Port),
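Review bot: With `contents: read` removed, the `mirror` job's token has no repository read access at all, because a job-level `permissions:` block sets every scope it does not list to `none`. That is the least-privilege direction, but the job's `steps:` lie outside this hunk, so it should be confirmed that none of them checks out the repository or reads a file from it. If that holds, a comment above the block such as `# contents scope intentionally omitted: this job never reads the repository` would keep the line from being re-added later.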
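Review bot: The directory `/etc/kong` is spelled out as a literal in `nginxEmailTemplateDir` in the hunk at -127, again in the `KONG_*` entries and the entrypoint script in the hunks at -400 and -411, and once more in `root /etc/kong/templates;` in custom_nginx.template, so this path move had to touch every one of those lines by hand. A single constant beside `nginxEmailTemplateDir`, for example `kongConfigDir = "/etc/kong"`, with the other Go strings built from it, would leave only the template line to keep in sync. The existing comment `// Hardcoded configs which match nginxConfigEmbed` could then name the `root` directive it has to match. The `var (` block and the struct literal both start outside these hunks.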
@@ -411,14 +411,14 @@ EOF
 "KONG_NGINX_PROXY_PROXY_BUFFERS=64 160k",
 "KONG_NGINX_WORKER_PROCESSES=1",
 // Use modern TLS certificate
- "KONG_SSL_CERT=/home/kong/localhost.crt",
- "KONG_SSL_CERT_KEY=/home/kong/localhost.key",
+ "KONG_SSL_CERT=/etc/kong/localhost.crt",
+ "KONG_SSL_CERT_KEY=/etc/kong/localhost.key",
 },
- Entrypoint: []string{"sh", "-c", `cat <<'EOF' > /home/kong/kong.yml && \
-cat <<'EOF' > /home/kong/custom_nginx.template && \
-cat <<'EOF' > /home/kong/localhost.crt && \
-cat <<'EOF' > /home/kong/localhost.key && \
-./docker-entrypoint.sh kong docker-start --nginx-conf /home/kong/custom_nginx.template
+ Entrypoint: []string{"sh", "-c", `cat <<'EOF' > /etc/kong/kong.yml && \
+cat <<'EOF' > /etc/kong/custom_nginx.template && \
+cat <<'EOF' > /etc/kong/localhost.crt && \
+cat <<'EOF' > /etc/kong/localhost.key && \
+./docker-entrypoint.sh kong docker-start --nginx-conf /etc/kong/custom_nginx.template
 ` + kongConfigBuf.String() + `
 EOF
 ` + nginxConfigEmbed + `
diff --git a/internal/start/templates/custom_nginx.template b/internal/start/templates/custom_nginx.template
index e1417cc5b..7890e3dc0 100644
--- a/internal/start/templates/custom_nginx.template
+++ b/internal/start/templates/custom_nginx.template
@@ -4,7 +4,14 @@ error_log logs/error.log ${{LOG_LEVEL}}; # can be set by kong.conf
 daemon ${{NGINX_DAEMON}}; # can be set by kong.conf
 worker_processes ${{NGINX_WORKER_PROCESSES}}; # can be set by kong.conf
+# https://github.com/Kong/kong/discussions/9548#discussioncomment-6174906
+lmdb_environment_path dbless.lmdb;
+lmdb_map_size 128m;
+
 events {
+ # Must be greater or equal to the default value of lua_max_pending_timers
+ # https://github.com/openresty/lua-nginx-module?tab=readme-ov-file#lua_max_pending_timers
+ worker_connections 1024;
 multi_accept on;
 }
@@ -20,7 +27,7 @@ http {
 location /email {
 autoindex on;
- root /home/kong/templates;
+ root /etc/kong/templates;
 }
 }
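Review bot: The entrypoint script splices `kongConfigBuf.String()` and `nginxConfigEmbed` into `cat <<'EOF'` here-documents, so a line consisting only of `EOF` inside any of those bodies would end the here-document early and the remaining text would be read by `sh` as commands. The quoted delimiter already prevents variable and command expansion, but not that early termination. How `kongConfigBuf` is rendered is outside this hunk, so whether a configuration value with an embedded newline can reach it needs checking. A delimiter that cannot plausibly occur in YAML, nginx or PEM text, or copying the files into the container instead of writing them through a shell, would remove the dependency on the content. The enclosing struct literal starts before this hunk and continues past it.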
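Review bot: The two added `lmdb_*` directives are literals, while the neighbouring directives take `${{...}}` values and are marked `# can be set by kong.conf`, so any LMDB setting passed through Kong configuration would have no effect with this template. If the 3.8.0 template compiler exposes them, as Kong's stock template does as far as I recall, `lmdb_environment_path ${{LMDB_ENVIRONMENT_PATH}};` and `lmdb_map_size ${{LMDB_MAP_SIZE}};` would keep the file consistent; otherwise a trailing `# fixed here, not read from kong.conf` would make the difference explicit. The same applies to `worker_connections 1024;`, whose comment explains the lower bound but not why the value is pinned.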
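Review bot: `root /etc/kong/templates;` sits under `autoindex on`, and after this commit its parent `/etc/kong` is the directory where the entrypoint in start.go writes `kong.yml` and `localhost.key`. Only the `templates` subtree is served as long as `root` keeps that last path component, so a comment on the line, for example `# keep root below /etc/kong: the parent holds kong.yml and the TLS key`, would guard against someone shortening it. The enclosing `server` block starts outside this hunk, so the address it listens on is not visible here.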
diff --git a/pkg/config/constants.go b/pkg/config/constants.go
index 0b2edfcf3..c8f506b68 100644
--- a/pkg/config/constants.go
+++ b/pkg/config/constants.go
@@ -6,7 +6,7 @@ const (
 Pg15Image = "supabase/postgres:15.1.1.78"
 // Append to ServiceImages when adding new dependencies below
 // TODO: try https://github.com/axllent/mailpit
- kongImage = "library/kong:2.8.1"
+ kongImage = "library/kong:3.8.0"
 inbucketImage = "inbucket/inbucket:3.0.3"
 postgrestImage = "postgrest/postgrest:v12.2.0"
 pgmetaImage = "supabase/postgres-meta:v0.84.2"