configurable plus repo

.github/actions/smoke-tests/action.yaml

@@ -23,6 +23,9 @@ inputs:
   marker:
     description: Marker to use
     required: false
+  nginx-repo:
+    description: Nginx repo to use
+    default: pkgs.nginx.com
   nginx-key:
     description: Nginx key to use
     required: false
@@ -80,6 +83,7 @@ runs:
         build-args: |
           BUILD_OS=${{ inputs.image }}
           IC_VERSION=CI
+          PACKAGE_REPO=${{ inputs.nginx-repo }}
           ${{ steps.ingress-type.outputs.modules != '' && format('NAP_MODULES={0}', steps.ingress-type.outputs.modules) || '' }}
           ${{ contains(inputs.marker, 'appprotect') && 'DEBIAN_VERSION=buster-slim' || '' }}
         secrets: |

.github/workflows/build-plus.yml

@@ -24,6 +24,35 @@ on:
       build-cache:
         required: false
         type: boolean
+      nginx-repo:
+        description: Nginx repo to use for plus builds
+        required: true
+        type: string
+    secrets:
+      nginx-crt:
+        description: Nginx cert to use for plus builds
+        required: true
+      nginx-key:
+        description: Nginx key to use for plus builds
+        required: true
+      rhel-license:
+        description: The RHEL license to use for UBI builds
+        required: false
+      gcr-workload-identity:
+        description: The GCR Workload Identity to use when authenticating to Google Cloud
+        required: true
+      gcr-service-account:
+        description: The GCR Service Account to use when authenticating to Google Cloud
+        required: true
+      gcr-mkpl-workload-identity:
+        description: The GCR Marketplace Workload Identity to use when authenticating to Google Cloud
+        required: true
+      gcr-mkpl-service-account:
+        description: The GCR Marketplace Service Account to use when authenticating to Google Cloud
+        required: true
+      aws-role-mkpl:
+        description: The AWS Marketplace Role to assume when authenticating to AWS MarketPlace
+        required: true
 
 defaults:
   run:
@@ -65,8 +94,8 @@ jobs:
         uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
         with:
           token_format: access_token
-          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
-          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+          workload_identity_provider: ${{ secrets.gcr-workload-identity }}
+          service_account: ${{ secrets.gcr-service-account }}
         if: github.event_name != 'pull_request' && ! inputs.build-cache
 
       - name: Login to GCR
@@ -82,8 +111,8 @@ jobs:
         uses: google-github-actions/auth@a6e2e39c0a0331da29f7fd2c2a20a427e8d3ad1f # v2.1.1
         with:
           token_format: access_token
-          workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY_MKTPL }}
-          service_account: ${{ secrets.GCR_SERVICE_ACCOUNT_MKTPL }}
+          workload_identity_provider: ${{ secrets.gcr-mkpl-workload-identity }}
+          service_account: ${{ secrets.gcr-mkpl-service-account }}
         if: github.ref_type == 'tag' && ! contains(inputs.target, 'aws')
 
       - name: Login to GCR for Marketplace
@@ -98,7 +127,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: us-east-1
-          role-to-assume: ${{ secrets.AWS_ROLE_MARKETPLACE }}
+          role-to-assume: ${{ secrets.aws-role-mkpl }}
         if: github.ref_type == 'tag' && contains(inputs.target, 'aws')
 
       - name: Login to ECR
@@ -176,12 +205,13 @@ jobs:
           build-args: |
             BUILD_OS=${{ inputs.image }}
             IC_VERSION=${{ github.ref_type == 'tag' && steps.meta.outputs.version || 'CI' }}
+            PACKAGE_REPO=${{ inputs.nginx-repo }}
             ${{ inputs.nap_modules != '' && format('NAP_MODULES={0}', inputs.nap_modules) || '' }}
             ${{ steps.nap_modules.outputs.modules != '' && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
           secrets: |
-            "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
-            "nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
-            ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
+            ${{ format('"nginx-repo.crt={0}"', secrets.nginx-crt) }}
+            ${{ format('"nginx-repo.key={0}"', secrets.nginx-key) }}
+            ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.rhel-license) || '' }}
 
       - name: AWS variables
         id: aws
@@ -233,10 +263,10 @@ jobs:
             ${{ inputs.nap_modules != '' && format('NAP_MODULES={0}', inputs.nap_modules) || '' }}
             ${{ steps.nap_modules.outputs.modules != '' && format('NAP_MODULES_AWS={0}', steps.nap_modules.outputs.modules) || '' }}
           secrets: |
-            "nginx-repo.crt=${{ inputs.nap_modules != '' && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}"
-            "nginx-repo.key=${{ inputs.nap_modules != '' && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}"
-            ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }}
-        if: ${{ ! inputs.build-cache }}
+            ${{ format('"nginx-repo.crt={0}"', secrets.nginx-crt) }}
+            ${{ format('"nginx-repo.key={0}"', secrets.nginx-key) }}
+            ${{ inputs.nap_modules != '' && contains(inputs.image, 'ubi') && format('"rhel_license={0}"', secrets.rhel-license) || '' }}
+          if: ${{ ! inputs.build-cache }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0

.github/workflows/ci.yml

@@ -252,8 +252,8 @@ jobs:
             BUILD_OS=${{ matrix.image }}
             IC_VERSION=CI
           secrets: |
-            ${{ contains(matrix.type, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
-            ${{ contains(matrix.type, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
+            ${{ contains(matrix.type, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_TEST_CRT) || '' }}
+            ${{ contains(matrix.type, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_TEST_KEY) || '' }}
 
       - name: Deploy Kubernetes
         id: k8s
@@ -381,8 +381,9 @@ jobs:
           image: ${{ matrix.images.image != '' && matrix.images.image || 'debian' }}
           marker: ${{ matrix.images.marker != '' && matrix.images.marker || '' }}
           k8s-version: ${{ matrix.k8s }}
-          nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}
-          nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}
+          nginx-repo: pkgs-test.nginx.com
+          nginx-crt: ${{ secrets.NGINX_TEST_CRT }}
+          nginx-key: ${{ secrets.NGINX_TEST_KEY }}
           azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }}
           gcr-workload-identity-secret: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
           gcr-service-account-secret: ${{ secrets.GCR_SERVICE_ACCOUNT }}
@@ -456,11 +457,20 @@ jobs:
       target: ${{ matrix.target }}
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
+      nginx-repo: pkgs-test.nginx.com
+    secrets:
+      nginx-crt: ${{ secrets.NGINX_TEST_CRT }}
+      nginx-key: ${{ secrets.NGINX_TEST_KEY }}
+      rhel-license: ${{ secrets.RHEL_LICENSE }}
+      gcr-workload-identity: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+      gcr-service-account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+      gcr-mkpl-workload-identity: ${{ secrets.GCR_WORKLOAD_IDENTITY_MKTPL }}
+      gcr-mkpl-service-account: ${{ secrets.GCR_SERVICE_ACCOUNT_MKTPL }}
+      aws-role-mkpl: ${{ secrets.AWS_ROLE_MARKETPLACE }}
     permissions:
       contents: read
       security-events: write
       id-token: write
-    secrets: inherit
 
   build-docker-nap:
     name: Build Docker NAP
@@ -501,7 +511,6 @@ jobs:
             target: goreleaser
             platforms: "linux/amd64"
             nap_modules: waf
-
     uses: ./.github/workflows/build-plus.yml
     with:
       platforms: ${{ matrix.platforms }}
@@ -510,11 +519,20 @@ jobs:
       go-md5: ${{ needs.checks.outputs.go_code_md5 }}
       nap_modules: ${{ matrix.nap_modules }}
       release-url: ${{ needs.release-notes.outputs.release-url }}
+      nginx-repo: pkgs-test.nginx.com
+    secrets:
+      nginx-crt: ${{ secrets.NGINX_TEST_CRT }}
+      nginx-key: ${{ secrets.NGINX_TEST_KEY }}
+      rhel-license: ${{ secrets.RHEL_LICENSE }}
+      gcr-workload-identity: ${{ secrets.GCR_WORKLOAD_IDENTITY }}
+      gcr-service-account: ${{ secrets.GCR_SERVICE_ACCOUNT }}
+      gcr-mkpl-workload-identity: ${{ secrets.GCR_WORKLOAD_IDENTITY_MKTPL }}
+      gcr-mkpl-service-account: ${{ secrets.GCR_SERVICE_ACCOUNT_MKTPL }}
+      aws-role-mkpl: ${{ secrets.AWS_ROLE_MARKETPLACE }}
     permissions:
       contents: read
       security-events: write
       id-token: write
-    secrets: inherit
 
   publish-helm:
     name: Package and Publish Helm Chart

Makefile

@@ -11,10 +11,11 @@ GO_LINKER_FLAGS_OPTIONS = -s -w
 GO_LINKER_FLAGS = $(GO_LINKER_FLAGS_OPTIONS) $(GO_LINKER_FLAGS_VARS)
 
 # variables that can be overridden by the user
+PLUS_REPO                     ?= "pkgs.nginx.com" ## The package repo to install nginx-plus from
 PREFIX                        ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress
 TAG                           ?= $(VERSION:v%=%) ## The tag of the image. For example, 2.0.0
 TARGET                        ?= local ## The target of the build. Possible values: local, container and download
-override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) ## The options for the docker build command. For example, --pull
+override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) --build-arg PACKAGE_REPO=$(PLUS_REPO) ## The options for the docker build command. For example, --pull
 ARCH                          ?= amd64 ## The architecture of the image or binary. For example: amd64, arm64, ppc64le, s390x. Not all architectures are supported for all targets
 GOOS                          ?= linux ## The OS of the binary. For example linux, darwin
 

build/Dockerfile

@@ -3,6 +3,7 @@ ARG BUILD_OS=debian
 ARG NGINX_PLUS_VERSION=R31
 ARG DOWNLOAD_TAG=edge
 ARG DEBIAN_FRONTEND=noninteractive
+ARG PACKAGE_REPO=pkgs.nginx.com
 
 
 ############################################# Base images containing libs for Opentracing and FIPS #############################################
@@ -61,6 +62,7 @@ FROM scratch as nginx-files
 ARG IC_VERSION
 ARG BUILD_OS
 ARG NGINX_PLUS_VERSION
+ARG PACKAGE_REPO
 
 # the following links can be replaced with local files if needed, i.e. ADD --chown=101:0 <local_file> <container_file>
 ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-nginx
@@ -79,25 +81,27 @@ ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/m
 ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/nap-dos-debian-11.repo nap-dos-11.sources
 ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/agent-debian-11.repo debian-agent-11.sources
 
-RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \
-	&& printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \
-	&& sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" *.sources \
-	&& sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" *.repo \
+RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::${PACKAGE_REPO}::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \
+    && printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \
+	&& sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;${PACKAGE_REPO}/app-protect-security-updates;pkgs.nginx.com/app-protect-security-updates;g" *.sources \
+	&& sed -i -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" 90pkgs-nginx \
+	&& sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;${PACKAGE_REPO}/app-protect-security-updates;pkgs.nginx.com/app-protect-security-updates;g" *.repo \
 	&& echo HTTP_USER_AGENT="k8s-ic-$IC_VERSION${BUILD_OS##alpine-plus}-apk" > user_agent
 
 ADD --link --chown=101:0 https://cs.nginx.com/static/files/nginx-agent.repo nginx-agent.repo
 
 ############################################# Base image for Alpine with NGINX Plus #############################################
 FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b as alpine-plus
 ARG NGINX_PLUS_VERSION
+ARG PACKAGE_REPO
 
 RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
 	--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
 	--mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 	--mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
 	--mount=type=bind,from=nginx-files,src=user_agent,target=/tmp/user_agent \
 	export $(cat /tmp/user_agent) \
-	&& printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+	&& printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
 	&& apk upgrade --no-cache -U \
 	&& apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap libcurl \
 	&& cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
@@ -118,17 +122,18 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \
 ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS #############################################
 FROM alpine:3.17@sha256:6e94b5cda2d6fd57d85abf81e81dabaea97a5885f919da676cc19d3551da4061 as alpine-plus-nap-fips
 ARG NGINX_PLUS_VERSION
+ARG PACKAGE_REPO
 
 RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \
 	--mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
 	--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
 	--mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 	--mount=type=bind,from=nginx-files,src=app-protect-security-updates.rsa.pub,target=/etc/apk/keys/app-protect-security-updates.rsa.pub \
 	--mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
-	printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
-	&& printf "%s\n" "https://pkgs.nginx.com/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
-	&& printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
-	&& printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+	printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+	&& printf "%s\n" "https://${PACKAGE_REPO}/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+	&& printf "%s\n" "https://${PACKAGE_REPO}/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+	&& printf "%s\n" "https://${PACKAGE_REPO}/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
 	&& apk upgrade --no-cache -U \
 	&& apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check nginx-agent \
 	&& mkdir -p /usr/ssl \