From d6510ac2699ff0c098aa37519d63a0aea097c08a Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Tue, 9 Jan 2024 09:08:23 +0000 Subject: [PATCH 1/3] add alpine-fips-waf image --- .github/workflows/ci.yml | 2 +- Makefile | 4 ++++ build/Dockerfile | 30 ++++++++++++++++++++++++++++-- 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fce59fd352..c0f399191e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -440,7 +440,7 @@ jobs: strategy: fail-fast: false matrix: - image: [debian-plus-nap] + image: [debian-plus-nap, ubi-plus-nap, alpine-nap-waf-plus-fips] platforms: ["linux/amd64"] target: [goreleaser, aws] nap_modules: [dos, waf, "waf,dos"] diff --git a/Makefile b/Makefile index 7a0649be14..d3479bb443 100644 --- a/Makefile +++ b/Makefile @@ -121,6 +121,10 @@ alpine-image-plus: build ## Create Docker image for Ingress Controller (Alpine w alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus and FIPS) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-fips +.PHONY: alpine-image-nap-plus-fips +alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-nap-waf-plus-fips + .PHONY: debian-image-plus debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus diff --git a/build/Dockerfile b/build/Dockerfile index 6f178575b6..032abce7f9 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
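Review bot: The new target name `alpine-image-nap-plus-fips` breaks the pairing the sibling rule shows, where `alpine-image-plus-fips` is `alpine-image-` plus the suffix of its `BUILD_OS=alpine-plus-fips`; here the target drops `waf` although the help text says "NGINX App Protect WAF", and orders the words `nap-plus` while the stage it builds is `alpine-nap-waf-plus-fips` (renamed again later in this series to `alpine-plus-nap-waf-fips`, with the target left unchanged). Deriving the target from the stage keeps `make help`, the `BUILD_OS` value and the CI matrix `image:` entry in step, e.g. `.PHONY: alpine-image-plus-nap-waf-fips` / `alpine-image-plus-nap-waf-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS)` with the recipe passing the matching `BUILD_OS`. The other `*-image-*` rules are outside this hunk, so I am assuming they all follow the same suffix convention.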
@@ -8,7 +8,8 @@ ARG DEBIAN_FRONTEND=noninteractive ############################################# Base images containing libs for Opentracing and FIPS ############################################# FROM opentracing/nginx-opentracing:nginx-1.25.3 as opentracing-lib FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine as alpine-opentracing-lib -FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18 as alpine-fips +FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17 as alpine-fips-3.17 +FROM ghcr.io/nginxinc/alpine-fips:0.1.2-alpine3.19 as alpine-fips-3.19 ############################################# Base image for Alpine ############################################# @@ -66,6 +67,7 @@ ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-n ADD --link --chown=101:0 https://cs.nginx.com/static/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:0 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub ADD --link --chown=101:0 https://cs.nginx.com/static/keys/app-protect-security-updates.key app-protect-security-updates.key +ADD --link --chown=101:0 https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub app-protect-security-updates.rsa.pub ADD --link --chown=101:0 https://cs.nginx.com/static/files/nginx-plus-8.repo nginx-plus-8.repo ADD --link --chown=101:0 https://cs.nginx.com/static/files/plus-9.repo nginx-plus-9.repo ADD --link --chown=101:0 https://cs.nginx.com/static/files/app-protect-8.repo app-protect-8.repo 
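Review bot: Both new `alpine-fips` references are pinned by tag only (`0.1.0-alpine3.17`, `0.1.2-alpine3.19`), and the `fips.so`, `fipsmodule.cnf` and `openssl.cnf` copied out of them further down this file are the image's FIPS trust anchor, so a re-pushed tag on ghcr.io would change the crypto module in a build that otherwise looks identical. Pin by digest as well, e.g. `FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:<digest> as alpine-fips-3.17`, and likewise for the 3.19 line; the two `opentracing-lib` lines have the same exposure but are not new here. The 3.17 line also steps back from the `0.1.1` release removed on the previous line to `0.1.0`, presumably the only 3.17 build published; a short comment saying so would stop someone "fixing" it to `0.1.2`.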
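Review bot: The newly added `app-protect-security-updates.rsa.pub` is downloaded at build time with no integrity check, and the stage added later in this file bind-mounts it into `/etc/apk/keys`, making it the signature trust root for everything apk accepts from the `app-protect-security-updates` repository; an HTTPS fetch alone means whoever can change what `cs.nginx.com` serves, or a proxy on the build host, can swap the key and the packages together. Pin the expected digest: `ADD --link --chown=101:0 --checksum=sha256:<digest> https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub app-protect-security-updates.rsa.pub`, and bump it deliberately when NGINX rotates the key. `--checksum` needs the `docker/dockerfile:1.6` frontend or newer; the `# syntax=` directive is outside this hunk, so confirm it is recent enough. The neighbouring signing-key lines share the gap but are not new in this change.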
@@ -104,13 +106,37 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ ############################################# Base image for Alpine with NGINX Plus and FIPS ############################################# FROM alpine-plus as alpine-plus-fips -RUN --mount=type=bind,from=alpine-fips,target=/tmp/fips/ \ +RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ mkdir -p /usr/ssl \ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ && cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf +############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# +FROM alpine:3.17 as alpine-nap-waf-plus-fips +ARG NGINX_PLUS_VERSION + +RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ + --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ + --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ + --mount=type=bind,from=nginx-files,src=app-protect-security-updates.rsa.pub,target=/etc/apk/keys/app-protect-security-updates.rsa.pub \ + --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ + printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && printf "%s\n" "https://pkgs.nginx.com/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk upgrade --no-cache -U \ + && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs 
nginx-plus-module-opentracing nginx-plus-module-fips-check \ + && mkdir -p /usr/ssl \ + && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ + && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ + && cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf \ + && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ + && ldconfig /usr/local/lib/ \ + && apk add --no-cache app-protect app-protect-attack-signatures app-protect-threat-campaigns + + ############################################# Base image for Debian with NGINX Plus ############################################# FROM debian:12-slim AS debian-plus From d256468ca2a33a975889ffa0f59012d09110364b Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 10 Jan 2024 17:00:46 +0000 Subject: [PATCH 2/3] remove duplicated ubi/fips images --- .github/workflows/ci.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c0f399191e..cbcf3d541c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -440,7 +440,7 @@ jobs: strategy: fail-fast: false matrix: - image: [debian-plus-nap, ubi-plus-nap, alpine-nap-waf-plus-fips] + image: [debian-plus-nap] platforms: ["linux/amd64"] target: [goreleaser, aws] nap_modules: [dos, waf, "waf,dos"] @@ -469,6 +469,12 @@ jobs: target: aws platforms: "linux/amd64" nap_modules: "waf,dos" + - image: alpine-nap-waf-plus-fips + target: aws + platforms: "linux/amd64" + - image: alpine-nap-waf-plus-fips + target: goreleaser + platforms: "linux/amd64" uses: ./.github/workflows/build-plus.yml with: From 651aa2099d2e9455bbccea99d84f537a330e41d4 Mon Sep 17 00:00:00 2001 
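Review bot: The repository client private key is mounted world-readable — `--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644` — although this `RUN` executes as root in a fresh `alpine:3.17` stage, so `mode=0600` is enough for the key while the public `.crt` can stay at 0644; the secret never lands in a layer, but every helper apk spawns in this step can read it at 0644. The `alpine-plus` stage appears to use the same pattern (its `.crt` mount is visible in the hunk header, its key mount is not), so check whether it needs the same change rather than leaving the two stages inconsistent. Separately, this is the only stage pinned to Alpine 3.17 while the FIPS base on the same page moves to 3.19, and nothing says why — presumably the App Protect apk packages are only published for 3.17 — so a comment on the `FROM` line such as `# NAP WAF apk packages are published for Alpine 3.17 only; keep alpine-fips-3.17 in step with this FROM` would stop a future version bump from breaking the stage. Nothing here confirms that the copied FIPS provider actually loads against the OpenSSL that `apk upgrade -U` just installed; if the project would rather catch that at build time than via `nginx-plus-module-fips-check` at nginx start-up, a `&& openssl list -providers | grep -q fips` after the three `cp` lines (which needs the `openssl` CLI package, not installed explicitly here) does it.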
From: Paul Abel Date: Thu, 11 Jan 2024 09:29:28 +0000 Subject: [PATCH 3/3] remove aws alpine-nap-waf-plus-fips --- .github/workflows/ci.yml | 6 ++---- Makefile | 2 +- build/Dockerfile | 2 +- 3 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cbcf3d541c..db5515613a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -469,12 +469,10 @@ jobs: target: aws platforms: "linux/amd64" nap_modules: "waf,dos" - - image: alpine-nap-waf-plus-fips - target: aws - platforms: "linux/amd64" - - image: alpine-nap-waf-plus-fips + - image: alpine-plus-nap-waf-fips target: goreleaser platforms: "linux/amd64" + nap_modules: waf uses: ./.github/workflows/build-plus.yml with: diff --git a/Makefile b/Makefile index d3479bb443..9589e65acc 100644 --- a/Makefile +++ b/Makefile @@ -123,7 +123,7 @@ alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alp .PHONY: alpine-image-nap-plus-fips alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-nap-waf-plus-fips + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-waf-fips .PHONY: debian-image-plus debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) diff --git a/build/Dockerfile b/build/Dockerfile index 032abce7f9..bfb911418f 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -114,7 +114,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# -FROM alpine:3.17 as alpine-nap-waf-plus-fips +FROM alpine:3.17 as alpine-plus-nap-waf-fips ARG NGINX_PLUS_VERSION RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \