From 4fd880763ed4d212fe0eddbae67dc9128dd4e575 Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Mon, 29 Jan 2024 14:09:22 +0000 Subject: [PATCH 01/13] build base images for OSS --- .github/workflows/build-base-images.yml | 105 ++++++++++++++++++++++++ .github/workflows/build-oss.yml | 2 - .github/workflows/build-plus.yml | 2 - build/Dockerfile | 66 ++++++++++++++- 4 files changed, 167 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/build-base-images.yml diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml new file mode 100644 index 0000000000..c12cd1acb9 --- /dev/null +++ b/.github/workflows/build-base-images.yml 
@@ -0,0 +1,105 @@ +name: Build Base Images + +on: + push: + branches: + - prebuild-base-images + workflow_dispatch: + inputs: + force: + description: "Force rebuild of base images" + required: false + default: "false" + +defaults: + run: + shell: bash + +concurrency: + group: ${{ github.ref_name }}-ci + cancel-in-progress: true + +permissions: + contents: read + id-token: write + +jobs: + checks: + name: Checks and variables + runs-on: ubuntu-22.04 + outputs: + docker_md5: ${{ steps.vars.outputs.docker_md5 }} + ic_version: ${{ steps.vars.outputs.ic_version }} + steps: + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Output Variables + id: vars + run: | + echo docker_md5=$(find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }') >> $GITHUB_OUTPUT + source .github/data/version.txt + echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT + cat $GITHUB_OUTPUT + + build-oss: + name: Build OSS base images + runs-on: ubuntu-22.04 + needs: checks + strategy: + fail-fast: false + matrix: + image: [debian, alpine] + platforms: + ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] + include: + - image: ubi + platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + steps: + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: 
+ registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 + with: + context: "." + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss + flavor: | + suffix=${{ contains(matrix.image, 'debian') && '-debian' || '' }}${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }},onlatest=false + tags: | + type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} + + - name: Build Base Container + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + file: build/Dockerfile + context: "." + cache-from: type=gha + cache-to: type=gha,mode=max + target: common + tags: ${{ steps.meta.outputs.tags }} + pull: true + push: true + build-args: | + BUILD_OS=${{ matrix.image }} + IC_VERSION=${{ needs.checks.outputs.ic_version }} diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index f96b29d60e..4ed4626e83 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -124,8 +124,6 @@ jobs: type=raw,value=${{ steps.tag.outputs.short }},enable=${{ inputs.tag != '' }} labels: | org.opencontainers.image.description=NGINX Ingress Controller for Kubernetes - org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller - org.opencontainers.image.vendor=NGINX Inc io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/README.md io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"kubernetes@nginx.com"}] 
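Review bot: The `platforms` value produced by the matrix is never consumed — the `Build Base Container` step passes no `platforms:` input to docker/build-push-action, so each job builds only the runner's native architecture and the five-platform matrix (and the QEMU setup added in patch 02) has no effect; add `platforms: ${{ matrix.platforms }}` under that step's `with:`. The same omission is repeated in the `build-plus` job (patch 03) and the `build-plus-nap` job (patch 06). Separately, in the `Output Variables` step `find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \)` can never match anything, because `-name` is tested against the final path component only and a pattern containing `/` therefore matches no file; `docker_md5` becomes the md5 of empty input, a constant that will not change when the Dockerfile or version file changes, so the base images are never rebuilt on a change. Use `-path "./build/Dockerfile" -o -path "./.github/data/version.txt"` (or simply `md5sum build/Dockerfile .github/data/version.txt`) instead; patch 08 rewrites this line but keeps the same `-name` arguments.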
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 16ef0456b6..ef82af7788 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -142,8 +142,6 @@ jobs: type=semver,pattern={{major}}.{{minor}} labels: | org.opencontainers.image.description=NGINX Plus Ingress Controller for Kubernetes - org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller - org.opencontainers.image.vendor=NGINX Inc - name: NAP modules id: nap_modules diff --git a/build/Dockerfile b/build/Dockerfile index f2293b5fa9..d25f55f841 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -3,6 +3,7 @@ ARG BUILD_OS=debian ARG NGINX_PLUS_VERSION=R31 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive +ARG BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} ############################################# Base images containing libs for Opentracing and FIPS ############################################# @@ -347,10 +348,12 @@ ENTRYPOINT ["/nginx-ingress"] # 101 is nginx USER 101 -LABEL org.opencontainers.image.version="${IC_VERSION}" -LABEL org.nginx.kic.image.build.target="${TARGETPLATFORM}" -LABEL org.nginx.kic.image.build.os="${BUILD_OS}" -LABEL org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERSION}" +LABEL org.opencontainers.image.version="${IC_VERSION}" \ + org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller \ + org.opencontainers.image.vendor="NGINX Inc " \ + org.nginx.kic.image.build.target="${TARGETPLATFORM}" \ + org.nginx.kic.image.build.os="${BUILD_OS}" \ + org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERSION}" ############################################# Build nginx-ingress in golang container ############################################# 
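Review bot: The new multi-key `LABEL` gives `org.opencontainers.image.vendor` the value `"NGINX Inc "` with a trailing space, which silently changes the label value that the two workflow hunks of this patch stop setting as `NGINX Inc` and will break any exact-match consumer of that label; write `org.opencontainers.image.vendor="NGINX Inc" \`. The stage this `LABEL` belongs to starts outside the hunk.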
@@ -392,6 +395,22 @@ RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_ USER 101 +############################################# Create image from pre-built base images with nginx-ingress built locally ############################################# +FROM ${BASE_IMG} as prebuilt + +LABEL org.nginx.kic.image.build.version="local" + +COPY --link --chown=101:0 nginx-ingress / +USER 0 +RUN --mount=type=bind,target=/tmp \ + [ -n nginx-plus.tmpl ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \ + /tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \ + && chown -R 101:0 /*.tmpl \ + && chmod -R g=u /*.tmpl \ + setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress +USER 101 + + ############################################# Create image with nginx-ingress built by GoReleaser ############################################# FROM common AS goreleaser ARG TARGETARCH 
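Review bot: The `RUN` in the new `prebuilt` stage does not do what it reads as: `[ -n nginx-plus.tmpl ]` tests a non-empty literal and is always true, so `PLUS=-plus` is set regardless of whether the base is an OSS or Plus image, and there is no `&&` between `chmod -R g=u /*.tmpl \` and `setcap 'cap_net_bind_service=+ep' /nginx-ingress`, so `setcap`, the capability string and `/nginx-ingress` become extra operands of `chmod`, which fails on the nonexistent path `setcap` and aborts the build. The template selection presumably belongs to `BUILD_OS` (the stage must re-declare it with `ARG BUILD_OS`, since the global one is declared before the first `FROM`); a rewrite along the lines below is suggested, but confirm the intended condition. The `goreleaser-prebuilt` and `aws-prebuilt` stages in the next two hunks repeat the same `RUN` verbatim and need the same fix. `BASE_IMG` also defaults to the floating `nginx/nginx-ingress:${DOWNLOAD_TAG}` tag, so what these stages build on is not reproducible, unlike the digest-pinned `alpine:3.17@sha256:…` bases elsewhere in this file. All three stages are removed again in patch 12 of this series, so this applies only if they are reintroduced.
```dockerfile
FROM ${BASE_IMG} as prebuilt
ARG BUILD_OS
# … unchanged: LABEL, COPY, USER 0 …
RUN --mount=type=bind,target=/tmp \
    case "${BUILD_OS}" in *plus*) PLUS=-plus ;; esac; \
    cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \
        /tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \
    && chown -R 101:0 /*.tmpl \
    && chmod -R g=u /*.tmpl \
    && setcap 'cap_net_bind_service=+ep' /nginx-ingress \
    && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress
```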
@@ -406,6 +425,25 @@ RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_ USER 101 +############################################# Create image with nginx-ingress built by GoReleaser ############################################# +FROM ${BASE_IMG} AS goreleaser-prebuilt +ARG TARGETARCH + +LABEL org.nginx.kic.image.build.version="goreleaser" + +COPY --link --chown=101:0 dist/kubernetes-ingress_linux_${TARGETARCH}*/nginx-ingress / +# root is required for `setcap` invocation +USER 0 +RUN --mount=type=bind,target=/tmp \ + [ -n nginx-plus.tmpl ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \ + /tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \ + && chown -R 101:0 /*.tmpl \ + && chmod -R g=u /*.tmpl \ + setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress +# 101 is nginx, defined above +USER 101 + + ############################################# Create image with nginx-ingress built by GoReleaser for AWS Marketplace ############################################# FROM common AS aws ARG TARGETARCH 
@@ -421,6 +459,26 @@ RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_ USER 101 +############################################# Create image with nginx-ingress built by GoReleaser for AWS Marketplace ############################################# +FROM ${BASE_IMG} AS aws-prebuilt +ARG TARGETARCH +ARG NAP_MODULES_AWS + +LABEL org.nginx.kic.image.build.version="aws" + +COPY --link --chown=101:0 dist/aws*${NAP_MODULES_AWS}_linux_${TARGETARCH}*/nginx-ingress / +# root is required for `setcap` invocation +USER 0 +RUN --mount=type=bind,target=/tmp \ + [ -n nginx-plus.tmpl ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \ + /tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \ + && chown -R 101:0 /*.tmpl \ + && chmod -R g=u /*.tmpl \ + setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress +# 101 is nginx, defined above +USER 101 + + ############################################# Create image with nginx-ingress extracted from image on Docker Hub ############################################# FROM nginx/nginx-ingress:${DOWNLOAD_TAG} as kic From b119aa8061f6a5151291411bd974146429f25663 Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Mon, 29 Jan 2024 14:13:32 +0000 Subject: [PATCH 02/13] add QEMU setup and remove unvalid context --- .github/workflows/build-base-images.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index c12cd1acb9..9d5f8cd214 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml 
@@ -62,6 +62,11 @@ jobs: - name: Docker Buildx uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + - name: Authenticate to Google Cloud id: auth uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0 @@ -81,7 +86,6 @@ jobs: id: meta uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 with: - context: "." images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss flavor: | From 9fce8404c4365ad1cbee29d957a9718fb2ff1f15 Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Mon, 29 Jan 2024 14:33:38 +0000 Subject: [PATCH 03/13] add plus images --- .github/workflows/build-base-images.yml | 70 ++++++++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 9d5f8cd214..edecd1eb8a 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -89,7 +89,7 @@ jobs: images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss flavor: | - suffix=${{ contains(matrix.image, 'debian') && '-debian' || '' }}${{ contains(matrix.image, 'ubi') && '-ubi' || '' }}${{ contains(matrix.image, 'alpine') && '-alpine' || '' }},onlatest=false + suffix=${{ matrix.image }},onlatest=false tags: | type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} 
@@ -107,3 +107,71 @@ jobs: build-args: | BUILD_OS=${{ matrix.image }} IC_VERSION=${{ needs.checks.outputs.ic_version }} + + build-plus: + name: Build OSS base images + runs-on: ubuntu-22.04 + needs: checks + strategy: + fail-fast: false + matrix: + image: [debian-plus, alpine-plus, alpine-plus-fips] + platforms: ["linux/arm64, linux/amd64"] + include: + - image: ubi-plus + platforms: "linux/arm64, linux/amd64, linux/s390x" + steps: + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 + with: + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus + flavor: | + suffix=${{ matrix.image }},onlatest=false + tags: | + type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} + + - name: Build Base Container + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + file: build/Dockerfile + context: "." 
+ cache-from: type=gha + cache-to: type=gha,mode=max + target: common + tags: ${{ steps.meta.outputs.tags }} + pull: true + push: true + build-args: | + BUILD_OS=${{ matrix.image }} + IC_VERSION=${{ needs.checks.outputs.ic_version }} + secrets: | + "nginx-repo.crt=${{ secrets.NGINX_CRT }}" + "nginx-repo.key=${{ secrets.NGINX_KEY }}" From a7f7cbec6674c94f4bfeb2a3473c1eb1a8cccedc Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Mon, 29 Jan 2024 14:35:23 +0000 Subject: [PATCH 04/13] fix plus job name --- .github/workflows/build-base-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index edecd1eb8a..232eb6b24d 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -109,7 +109,7 @@ jobs: IC_VERSION=${{ needs.checks.outputs.ic_version }} build-plus: - name: Build OSS base images + name: Build Plus base images runs-on: ubuntu-22.04 needs: checks strategy: From e84c6d6a864d94d275de12434098f29f4f763546 Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Mon, 29 Jan 2024 14:37:22 +0000 Subject: [PATCH 05/13] fix image tag suffix --- .github/workflows/build-base-images.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 232eb6b24d..819ff3637f 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -89,7 +89,7 @@ jobs: images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss flavor: | - suffix=${{ matrix.image }},onlatest=false + suffix=-${{ matrix.image }},onlatest=false tags: | type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} 
@@ -154,7 +154,7 @@ jobs: images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus flavor: | - suffix=${{ matrix.image }},onlatest=false + suffix=-${{ matrix.image }},onlatest=false tags: | type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} From 992af4ae19b677d36cc105469fdc13f3d3f98f0e Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Mon, 29 Jan 2024 14:58:36 +0000 Subject: [PATCH 06/13] add NAP base images --- .github/workflows/build-base-images.yml | 88 +++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 819ff3637f..08272bbc4f 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml 
@@ -175,3 +175,91 @@ jobs: secrets: | "nginx-repo.crt=${{ secrets.NGINX_CRT }}" "nginx-repo.key=${{ secrets.NGINX_KEY }}" + + build-plus-nap: + name: Build Plus NAP base images + runs-on: ubuntu-22.04 + needs: checks + strategy: + fail-fast: false + matrix: + image: [debian-plus-nap] + platforms: ["linux/amd64"] + nap_modules: [dos, waf, "waf,dos"] + include: + - image: ubi-9-plus-nap + platforms: "linux/amd64" + nap_modules: waf + - image: ubi-8-plus-nap + platforms: "linux/amd64" + nap_modules: dos + - image: ubi-8-plus-nap + platforms: "linux/amd64" + nap_modules: "waf,dos" + - image: alpine-plus-nap-waf-fips + platforms: "linux/amd64" + nap_modules: waf + steps: + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: NAP modules + id: nap_modules + run: | + [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.nap_modules }}" + echo "modules=${modules}" >> $GITHUB_OUTPUT + if: ${{ matrix.nap_modules != '' }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 + with: + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus + 
flavor: | + suffix=-${{ matrix.image }}-${{ matrix.nap_modules }},onlatest=false + tags: | + type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} + + - name: Build Base Container + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + file: build/Dockerfile + context: "." + cache-from: type=gha + cache-to: type=gha,mode=max + target: common + tags: ${{ steps.meta.outputs.tags }} + pull: true + push: true + build-args: | + BUILD_OS=${{ matrix.image }} + IC_VERSION=${{ needs.checks.outputs.ic_version }} + NAP_MODULES=${{ matrix.nap_modules }} + secrets: | + "nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}" + "nginx-repo.key=${{ secrets.NGINX_AP_KEY }}" + ${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} From bb6f86ff93dca44e2199d28fc688f08dbff3820a Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Mon, 29 Jan 2024 15:00:05 +0000 Subject: [PATCH 07/13] add NAP base images --- .github/workflows/build-base-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 08272bbc4f..cf696b96d2 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -240,7 +240,7 @@ jobs: images: | name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus flavor: | - suffix=-${{ matrix.image }}-${{ matrix.nap_modules }},onlatest=false + suffix=-${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }},onlatest=false tags: | type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} From 3f95939d794608d740f0faafc2a95917fafac67d Mon Sep 17 00:00:00 2001 
From: Eoin O'Shaughnessy Date: Mon, 29 Jan 2024 15:55:50 +0000 Subject: [PATCH 08/13] change base image tag length --- .github/data/matrix-smoke.json | 2 +- .github/workflows/build-base-images.yml | 5 +++-- .github/workflows/ci.yml | 2 +- Makefile | 7 ++++++- build/Dockerfile | 2 +- 5 files changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/data/matrix-smoke.json b/.github/data/matrix-smoke.json index c229f539fd..dec0f1c3f8 100644 --- a/.github/data/matrix-smoke.json +++ b/.github/data/matrix-smoke.json @@ -97,7 +97,7 @@ }, { "label": "AP_WAF 2/4", - "image": "alpine-plus-nap-waf-fips", + "image": "alpine-plus-nap-fips", "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow'" }, { diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index cf696b96d2..8c90a26b9c 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -37,7 +37,8 @@ jobs: - name: Output Variables id: vars run: | - echo docker_md5=$(find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }') >> $GITHUB_OUTPUT + docker_md5=$(find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }' | ) + echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT @@ -196,7 +197,7 @@ jobs: - image: ubi-8-plus-nap platforms: "linux/amd64" nap_modules: "waf,dos" - - image: alpine-plus-nap-waf-fips + - image: alpine-plus-nap-fips platforms: "linux/amd64" nap_modules: waf steps: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 929531cffe..dd69e8d54f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -497,7 +497,7 @@ jobs: target: aws platforms: "linux/amd64" nap_modules: "waf,dos" - - image: alpine-plus-nap-waf-fips + - image: alpine-plus-nap-fips target: goreleaser platforms: "linux/amd64" nap_modules: waf diff --git a/Makefile b/Makefile index 0da24455f8..d73c82c1d4 100644 --- a/Makefile +++ b/Makefile @@ -17,6 +17,7 @@ TARGET ?= local ## The target of the build. Possible valu override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) ## The options for the docker build command. For example, --pull ARCH ?= amd64 ## The architecture of the image or binary. For example: amd64, arm64, ppc64le, s390x. Not all architectures are supported for all targets GOOS ?= linux ## The OS of the binary. For example linux, darwin +BASE_IMG ?= nginx/nginx-ingress:edge ## The tag of the image. For example, 2.0.0 # final docker build command DOCKER_CMD = docker build --platform linux/$(strip $(ARCH)) $(strip $(DOCKER_BUILD_OPTIONS)) --target $(strip $(TARGET)) -f build/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) . 
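Review bot: The new `BASE_IMG` variable carries the help text `## The tag of the image. For example, 2.0.0`, copied from `TAG`; it holds an image reference, not a tag, so `make help` documents the wrong contract — `## The base image the prebuilt target is built from. For example, nginx/nginx-ingress:edge`. The `prebuilt-image` target added in the next hunk of this patch has the same copy-paste problem in its description (`Debian with NGINX Plus`) and, unlike its siblings, selects no Dockerfile stage: `DOCKER_CMD` uses `--target $(strip $(TARGET))` with `TARGET ?= local`, so unless the caller also sets `TARGET=prebuilt` the `BASE_IMG` build arg goes to a build that presumably never reaches the `prebuilt` stage — either the recipe should select that stage or the help text should say `TARGET=prebuilt` is required (confirm against the Dockerfile). Both additions are reverted in patch 12 of this series.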
@@ -124,12 +125,16 @@ alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alp .PHONY: alpine-image-nap-plus-fips alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-waf-fips + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips .PHONY: debian-image-plus debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus +.PHONY: prebuilt-image +prebuilt-image: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BASE_IMG=${BASE_IMG} + .PHONY: debian-image-nap-plus debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAF) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf diff --git a/build/Dockerfile b/build/Dockerfile index 06f233848b..8e6ce57de1 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -115,7 +115,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# -FROM alpine:3.17@sha256:6e94b5cda2d6fd57d85abf81e81dabaea97a5885f919da676cc19d3551da4061 as alpine-plus-nap-waf-fips +FROM alpine:3.17@sha256:6e94b5cda2d6fd57d85abf81e81dabaea97a5885f919da676cc19d3551da4061 as alpine-plus-nap-fips ARG NGINX_PLUS_VERSION RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ From dcc5f35935e5c4d81f649bc1769c6cf8713b74e8 Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Mon, 29 Jan 2024 15:56:51 +0000 Subject: [PATCH 09/13] fix typo --- .github/workflows/build-base-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 8c90a26b9c..628d05db84 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -37,7 +37,7 @@ jobs: - name: Output Variables id: vars run: | - docker_md5=$(find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }' | ) + docker_md5=$(find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }' ) echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT source .github/data/version.txt echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT From 2accb0b53b5585bb06f544a955ab47bc5b7f7ca1 Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Tue, 30 Jan 2024 11:25:21 +0000 Subject: [PATCH 10/13] add schedule --- .github/workflows/build-base-images.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 628d05db84..a4bb4df554 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -1,15 +1,14 @@ name: Build Base Images on: - push: - branches: - - prebuild-base-images workflow_dispatch: inputs: force: description: "Force rebuild of base images" required: false default: "false" + schedule: + - cron: "30 4 * * *" # run every day at 04:30 UTC defaults: run: From 9653ce0ad79d283ddc1002ae742729b3f45b2593 Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Tue, 30 Jan 2024 11:27:46 +0000 Subject: [PATCH 11/13] change schedule to weekdays --- .github/workflows/build-base-images.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index a4bb4df554..7f421af33a 100644 
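Review bot: With the `schedule` trigger added here the workflow now runs unattended on the default branch, where `concurrency.group` is `${{ github.ref_name }}-ci` with `cancel-in-progress: true` (set near the top of this file, outside the hunk). Concurrency groups are shared across workflows in a repository, so if any other workflow in this repository uses the same `<ref>-ci` group — which the `-ci` suffix suggests — the nightly base-image build will cancel, or be cancelled by, an in-flight CI run on that branch. Give this workflow its own group, e.g. `group: ${{ github.ref_name }}-base-images`.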
--- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -8,7 +8,7 @@ on: required: false default: "false" schedule: - - cron: "30 4 * * *" # run every day at 04:30 UTC + - cron: "30 4 * * 1-5" # run Mon-Fri at 04:30 UTC defaults: run: From a097f25ede62713a11cbd93509ece2b7ecd36978 Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Tue, 30 Jan 2024 11:29:46 +0000 Subject: [PATCH 12/13] remove changes for next PR --- Makefile | 5 ----- build/Dockerfile | 56 ------------------------------------------------ 2 files changed, 61 deletions(-) diff --git a/Makefile b/Makefile index d73c82c1d4..1f05f61909 100644 --- a/Makefile +++ b/Makefile @@ -17,7 +17,6 @@ TARGET ?= local ## The target of the build. Possible valu override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) ## The options for the docker build command. For example, --pull ARCH ?= amd64 ## The architecture of the image or binary. For example: amd64, arm64, ppc64le, s390x. Not all architectures are supported for all targets GOOS ?= linux ## The OS of the binary. For example linux, darwin -BASE_IMG ?= nginx/nginx-ingress:edge ## The tag of the image. For example, 2.0.0 # final docker build command DOCKER_CMD = docker build --platform linux/$(strip $(ARCH)) $(strip $(DOCKER_BUILD_OPTIONS)) --target $(strip $(TARGET)) -f build/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) . 
@@ -131,10 +130,6 @@ alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus -.PHONY: prebuilt-image -prebuilt-image: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BASE_IMG=${BASE_IMG} - .PHONY: debian-image-nap-plus debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAF) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf diff --git a/build/Dockerfile b/build/Dockerfile index bc129ec4fa..88e25d3ee9 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -3,7 +3,6 @@ ARG BUILD_OS=debian ARG NGINX_PLUS_VERSION=R31 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive -ARG BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} ############################################# Base images containing libs for Opentracing and FIPS ############################################# 
@@ -395,22 +394,6 @@ RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_ USER 101 -############################################# Create image from pre-built base images with nginx-ingress built locally ############################################# -FROM ${BASE_IMG} as prebuilt - -LABEL org.nginx.kic.image.build.version="local" - -COPY --link --chown=101:0 nginx-ingress / -USER 0 -RUN --mount=type=bind,target=/tmp \ - [ -n nginx-plus.tmpl ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \ - /tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \ - && chown -R 101:0 /*.tmpl \ - && chmod -R g=u /*.tmpl \ - setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress -USER 101 - - ############################################# Create image with nginx-ingress built by GoReleaser ############################################# FROM common AS goreleaser ARG TARGETARCH 
@@ -425,25 +408,6 @@ RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_ USER 101 -############################################# Create image with nginx-ingress built by GoReleaser ############################################# -FROM ${BASE_IMG} AS goreleaser-prebuilt -ARG TARGETARCH - -LABEL org.nginx.kic.image.build.version="goreleaser" - -COPY --link --chown=101:0 dist/kubernetes-ingress_linux_${TARGETARCH}*/nginx-ingress / -# root is required for `setcap` invocation -USER 0 -RUN --mount=type=bind,target=/tmp \ - [ -n nginx-plus.tmpl ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \ - /tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \ - && chown -R 101:0 /*.tmpl \ - && chmod -R g=u /*.tmpl \ - setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress -# 101 is nginx, defined above -USER 101 - - ############################################# Create image with nginx-ingress built by GoReleaser for AWS Marketplace ############################################# FROM common AS aws ARG TARGETARCH 
@@ -459,26 +423,6 @@ RUN setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_ USER 101 -############################################# Create image with nginx-ingress built by GoReleaser for AWS Marketplace ############################################# -FROM ${BASE_IMG} AS aws-prebuilt -ARG TARGETARCH -ARG NAP_MODULES_AWS - -LABEL org.nginx.kic.image.build.version="aws" - -COPY --link --chown=101:0 dist/aws*${NAP_MODULES_AWS}_linux_${TARGETARCH}*/nginx-ingress / -# root is required for `setcap` invocation -USER 0 -RUN --mount=type=bind,target=/tmp \ - [ -n nginx-plus.tmpl ] && PLUS=-plus; cp -a /tmp/internal/configs/version1/nginx$PLUS.ingress.tmpl /tmp/internal/configs/version1/nginx$PLUS.tmpl \ - /tmp/internal/configs/version2/nginx$PLUS.virtualserver.tmpl /tmp/internal/configs/version2/nginx$PLUS.transportserver.tmpl / \ - && chown -R 101:0 /*.tmpl \ - && chmod -R g=u /*.tmpl \ - setcap 'cap_net_bind_service=+ep' /nginx-ingress && setcap -v 'cap_net_bind_service=+ep' /nginx-ingress -# 101 is nginx, defined above -USER 101 - - ############################################# Create image with nginx-ingress extracted from image on Docker Hub ############################################# FROM nginx/nginx-ingress:${DOWNLOAD_TAG} as kic From ac8897c034ff727b474a5c487cfbe73ea7202e5a Mon Sep 17 00:00:00 2001 From: Eoin O'Shaughnessy Date: Tue, 30 Jan 2024 11:31:17 +0000 Subject: [PATCH 13/13] remove redundant workflow input --- .github/workflows/build-base-images.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml index 7f421af33a..8ce03775e8 100644 --- a/.github/workflows/build-base-images.yml +++ b/.github/workflows/build-base-images.yml @@ -2,11 +2,6 @@ name: Build Base Images on: workflow_dispatch: - inputs: - force: - description: "Force rebuild of base images" - required: false - default: "false" schedule: - cron: "30 4 * * 1-5" # run Mon-Fri at 04:30 UTC