From 421e70984c89699d2512bd8c6f20e35a7e9d8347 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 3 May 2024 11:13:08 +0100 Subject: [PATCH 01/13] Update NAP build stages to install the latest version of AppProtect --- build/Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index bf522c6417..b36237b51c 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -140,7 +140,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ && cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && ldconfig /usr/local/lib/ \ - && apk add --no-cache app-protect=~31.4.815 app-protect-attack-signatures app-protect-threat-campaigns + && apk add --no-cache app-protect app-protect-attack-signatures app-protect-threat-campaigns ############################################# Base image for Debian with NGINX Plus ############################################# @@ -200,7 +200,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode ## end of duplicated code && if [ -z "${NGINX_AGENT##true}" ]; then apt-get install --no-install-recommends --no-install-suggests -y nginx-agent; fi \ && if [ -z "${NAP_MODULES##*waf*}" ]; then \ - apt-get install --no-install-recommends --no-install-suggests -y app-protect=31+4.815* app-protect-engine=10.624* app-protect-common=10.624* app-protect-compiler=10.624* app-protect-plugin=5.24* nginx-plus-module-appprotect=31+4.815* app-protect-attack-signatures app-protect-threat-campaigns; \ + apt-get install --no-install-recommends --no-install-suggests -y app-protect app-protect-attack-signatures app-protect-threat-campaigns; \ fi \ && if [ -z "${NAP_MODULES##*dos*}" ]; then \ apt-get install --no-install-recommends --no-install-suggests -y app-protect-dos; \ 
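Review bot: Dropping the version constraints (`app-protect=~31.4.815` in the apk line, the `31+4.815*`/`10.624*`/`5.24*` globs in the apt line, and `app-protect-31+4.815*` in the two dnf hunks on the following line) makes the App Protect engine and plugin the one unpinned input into images whose base layers visible in this series are digest-pinned, so two builds of the same commit can ship different WAF code with nothing in the Dockerfile recording it. If the intent is to track the newest build published for the `${NGINX_PLUS_VERSION}` channel, say so next to each install so a future reader does not re-pin by accident, e.g. `# app-protect deliberately unpinned: installs the newest build published for ${NGINX_PLUS_VERSION}`. Consider printing the resolved version at the end of each RUN (`apk info`, `dpkg -s app-protect`, `rpm -q app-protect`) so the build log at least captures what went into the image. Each of these RUN instructions begins before its hunk.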
@@ -276,7 +276,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && dnf --nodocs install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ && rpm --import /tmp/app-protect-security-updates.key \ && if [ -z "${NAP_MODULES##*waf*}" ]; then \ - dnf --nodocs install -y app-protect-31+4.815* app-protect-attack-signatures app-protect-threat-campaigns; \ + dnf --nodocs install -y app-protect app-protect-attack-signatures app-protect-threat-campaigns; \ fi \ # fix for CVEs && dnf upgrade -y curl ncurses \ @@ -324,7 +324,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && dnf --nodocs install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ && rpm --import /tmp/app-protect-security-updates.key \ && if [ -z "${NAP_MODULES##*waf*}" ]; then \ - dnf --nodocs install -y app-protect-31+4.815* app-protect-attack-signatures app-protect-threat-campaigns; \ + dnf --nodocs install -y app-protect app-protect-attack-signatures app-protect-threat-campaigns; \ fi \ && if [ -z "${NAP_MODULES##*dos*}" ]; then \ dnf --nodocs install -y app-protect-dos; \ From c33a0dd0222f50290a8106880a632f585b3a791c Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 16 May 2024 13:42:43 +0100 Subject: [PATCH 02/13] Update debian-nap-plus build stage to pull from pkgs-test repo --- build/Dockerfile | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/build/Dockerfile b/build/Dockerfile index 746c702a93..340e5bacaf 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,6 +1,7 @@ # syntax=docker/dockerfile:1.6 ARG BUILD_OS=debian ARG NGINX_PLUS_VERSION=R31 +ARG NGINX_PLUS_PREVIEW_VERSION=R32 ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} 
@@ -76,8 +77,18 @@ ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/m ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/nap-dos-debian-11.repo nap-dos-11.sources ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/agent-debian-11.repo debian-agent-11.sources +# Repos for `pkgs-test`. +# Debian 11 & 12 +ADD --link --chown=101:0 https://raw.githubusercontent.com/shaun-nx/k8s-common/nginx-r32-test-repo/files/pkgs-test/debian/plus-debian-11.repo debian-plus-11-test.sources +ADD --link --chown=101:0 https://raw.githubusercontent.com/shaun-nx/k8s-common/nginx-r32-test-repo/files/pkgs-test/debian/plus-debian-12.repo debian-plus-12-test.sources + +# Alpine + +# UBI + RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \ && printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \ +# && sed -i -e "s;%VERSION%;${NGINX_PLUS_PREVIEW_VERSION};g" *-test.sources \ && sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" *.sources \ && sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" *.repo \ && echo HTTP_USER_AGENT="k8s-ic-$IC_VERSION${BUILD_OS##alpine-plus}-apk" > user_agent 
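Review bot: The two new `ADD` lines fetch the apt source definitions for the test repo from a personal fork (`shaun-nx/k8s-common`) on a mutable branch (`nginx-r32-test-repo`) with no checksum, so the file that decides which host apt trusts for nginx-plus can change under the build without any change to this repository. Pin the URL to a commit or add `--checksum=sha256:<digest-placeholder>` to the `ADD`, which the `docker/dockerfile:1.6` frontend declared at the top of this file should support. Two smaller things in the same hunk: the commented-out `# && sed … *-test.sources` line sits inside the RUN continuation, which the Dockerfile parser tolerates but which reads as if it were live, and because the next `sed` runs over `*.sources` the new `*-test.sources` files will, if they contain `%VERSION%`, receive `${NGINX_PLUS_VERSION}` (R31) rather than the preview version the new `NGINX_PLUS_PREVIEW_VERSION` ARG introduces. `debian-plus-12-test.sources` is added here but nothing visible in this commit mounts it.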
@@ -186,7 +197,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \ --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ - --mount=type=bind,from=nginx-files,src=debian-plus-11.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \ + --mount=type=bind,from=nginx-files,src=debian-plus-11-test.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \ --mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/tmp/app-protect.sources \ --mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/tmp/app-protect-dos.sources \ --mount=type=bind,from=nginx-files,src=debian-agent-11.sources,target=/etc/apt/sources.list.d/nginx-agent.sources \ From a2a9340c66209a6ff1178b101a65df1b73360c59 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 17 May 2024 15:28:16 +0100 Subject: [PATCH 03/13] Udpate makefile and dockerfile to configure nginx package repo --- Makefile | 3 ++- build/Dockerfile | 26 +++++++++----------------- 2 files changed, 11 insertions(+), 18 deletions(-) diff --git a/Makefile b/Makefile index c44a581c90..4ad57c5738 100644 --- a/Makefile +++ b/Makefile 
@@ -5,10 +5,11 @@ VERSION = $(VER)-SNAPSHOT PLUS_ARGS = --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key # Variables that can be overridden +PLUS_REPO ?= "pkgs.nginx.com" ## The package repo to install nginx-plus from PREFIX ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress TAG ?= $(VERSION:v%=%) ## The tag of the image. For example, 2.0.0 TARGET ?= local ## The target of the build. Possible values: local, container and download -override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) ## The options for the docker build command. For example, --pull +override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) --build-arg PACKAGE_REPO=$(PLUS_REPO) ## The options for the docker build command. For example, --pull ARCH ?= amd64 ## The architecture of the image or binary. For example: amd64, arm64, ppc64le, s390x. Not all architectures are supported for all targets GOOS ?= linux ## The OS of the binary. For example linux, darwin NGINX_AGENT ?= true diff --git a/build/Dockerfile b/build/Dockerfile index f76642c9ad..8d23ba7ab7 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.6 ARG BUILD_OS=debian -ARG NGINX_PLUS_VERSION=R31 -ARG NGINX_PLUS_PREVIEW_VERSION=R32 +ARG NGINX_PLUS_VERSION=R32 +ARG PACKAGE_REPO=pkgs.nginx.com ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} @@ -59,6 +59,7 @@ FROM scratch as nginx-files ARG IC_VERSION ARG BUILD_OS ARG NGINX_PLUS_VERSION +ARG PACKAGE_REPO # the following links can be replaced with local files if needed, i.e. ADD --chown=101:0 ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-nginx 
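Review bot: `PLUS_REPO ?= "pkgs.nginx.com"` keeps the double quotes as part of the Make value, so `$(PLUS_REPO)` expands to a quoted string everywhere it is used; the shell strips them when the recipe runs `docker build`, but the other variables in this block are unquoted and any non-shell use of the variable would carry the quotes through. Use `PLUS_REPO ?= pkgs.nginx.com ## The package repo to install nginx-plus from`. It would also help to note in that comment that the value is spliced into `sed` expressions in build/Dockerfile in this same commit, so it must stay a bare hostname without `;` or `&`.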
@@ -77,20 +78,11 @@ ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/m ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/nap-dos-debian-11.repo nap-dos-11.sources ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/agent-debian-11.repo debian-agent-11.sources -# Repos for `pkgs-test`. -# Debian 11 & 12 -ADD --link --chown=101:0 https://raw.githubusercontent.com/shaun-nx/k8s-common/nginx-r32-test-repo/files/pkgs-test/debian/plus-debian-11.repo debian-plus-11-test.sources -ADD --link --chown=101:0 https://raw.githubusercontent.com/shaun-nx/k8s-common/nginx-r32-test-repo/files/pkgs-test/debian/plus-debian-12.repo debian-plus-12-test.sources - -# Alpine - -# UBI - -RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \ - && printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \ -# && sed -i -e "s;%VERSION%;${NGINX_PLUS_PREVIEW_VERSION};g" *-test.sources \ - && sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" *.sources \ - && sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" *.repo \ +RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::${PACKAGE_REPO}::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \ + && printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \ + && sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;pkgs.nginx.com/app-protect-security-updates;${PACKAGE_REPO}/app-protect-security-updates;g" *.sources \ + && sed -i -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" 90pkgs-nginx \ + && sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e 
"s;pkgs.nginx.com/app-protect-security-updates;${PACKAGE_REPO}/app-protect-security-updates;g" *.repo \ && echo HTTP_USER_AGENT="k8s-ic-$IC_VERSION${BUILD_OS##alpine-plus}-apk" > user_agent ADD --link --chown=101:0 https://cs.nginx.com/static/files/nginx-agent.repo nginx-agent.repo @@ -197,7 +189,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=app-protect-security-updates.key,target=/tmp/app-protect-security-updates.key \ --mount=type=bind,from=nginx-files,src=90pkgs-nginx,target=/etc/apt/apt.conf.d/90pkgs-nginx \ - --mount=type=bind,from=nginx-files,src=debian-plus-11-test.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \ + --mount=type=bind,from=nginx-files,src=debian-plus-11.sources,target=/etc/apt/sources.list.d/nginx-plus.sources \ --mount=type=bind,from=nginx-files,src=nap-waf-11.sources,target=/tmp/app-protect.sources \ --mount=type=bind,from=nginx-files,src=nap-dos-11.sources,target=/tmp/app-protect-dos.sources \ --mount=type=bind,from=nginx-files,src=debian-agent-11.sources,target=/etc/apt/sources.list.d/nginx-agent.sources \ From c6accd0de82f8eba7af8eff1228e1bd1470df599 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 23 May 2024 12:08:50 +0100 Subject: [PATCH 04/13] Ensure all packages come from `pkgs-test` --- Makefile | 2 +- build/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index bc15370538..a5087d0b93 100644 --- a/Makefile +++ b/Makefile 
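Review bot: The second `sed` expression on both the `*.sources` and the `*.repo` lines can never match: the preceding `-e "s;pkgs.nginx.com;${PACKAGE_REPO};g"` has already rewritten every occurrence, so `pkgs.nginx.com/app-protect-security-updates` no longer exists in the file when the second expression runs, and the security-updates feed is silently redirected to `${PACKAGE_REPO}` along with everything else. If the intent is to keep that feed on the production host, the restore has to run after the global rewrite and match the rewritten form: `-e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;${PACKAGE_REPO}/app-protect-security-updates;pkgs.nginx.com/app-protect-security-updates;g"`. Note also that `${PACKAGE_REPO}` is spliced unescaped into both pattern and replacement, so the build arg must remain a plain hostname (no `;` or `&`); a one-line comment above the RUN saying so would turn a confusing sed failure into an obvious one. The RUN instruction begins on the previous line of this hunk.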
@@ -5,7 +5,7 @@ VERSION = $(VER)-SNAPSHOT PLUS_ARGS = --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key # Variables that can be overridden -PLUS_REPO ?= "pkgs.nginx.com" ## The package repo to install nginx-plus from +PLUS_REPO ?= "pkgs-test.nginx.com" ## The package repo to install nginx-plus from PREFIX ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress TAG ?= $(VERSION:v%=%) ## The tag of the image. For example, 2.0.0 TARGET ?= local ## The target of the build. Possible values: local, container and download diff --git a/build/Dockerfile b/build/Dockerfile index 4750ed1cbf..aa11c98eee 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1.6 ARG BUILD_OS=debian ARG NGINX_PLUS_VERSION=R32 -ARG PACKAGE_REPO=pkgs.nginx.com +ARG PACKAGE_REPO=pkgs-test.nginx.com ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} From aec8d817e3df99b193b00f4ddb71b9c34c2be241 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 24 May 2024 10:31:11 +0100 Subject: [PATCH 05/13] Pull packages from both pkgs.nginx.com and pkgs-test.nginx.com --- build/Dockerfile | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index aa11c98eee..5bc49db015 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
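Review bot: Changing the defaults in both the Makefile (`PLUS_REPO ?= "pkgs-test.nginx.com"`) and the Dockerfile (`ARG PACKAGE_REPO=pkgs-test.nginx.com`) means anyone building from this branch without overriding the variable — including CI — silently pulls every nginx-plus package from the test repository. If that is only wanted while the R32 preview is validated, keep the production host as the default and pass `PLUS_REPO=pkgs-test.nginx.com` explicitly from the job that needs it, so the branch cannot ship a test-repo image by omission. At minimum the Makefile comment should say the value is temporary.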
@@ -62,7 +62,8 @@ ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO # the following links can be replaced with local files if needed, i.e. ADD --chown=101:0 -ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-nginx +#ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-nginx +ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/cc2dfc721ccfc428799c0c2a4fa0d7edb86b97eb/files/90pkgs-test-nginx 90pkgs-nginx ADD --link --chown=101:0 https://cs.nginx.com/static/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:0 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub ADD --link --chown=101:0 https://cs.nginx.com/static/keys/app-protect-security-updates.key app-protect-security-updates.key 
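Review bot: Pinning the `90pkgs-test-nginx` fetch to a k8s-common commit (`cc2dfc72…`) is the right shape for a file that ends up under `/etc/apt/apt.conf.d`, but the old `ADD` is left behind as a comment rather than removed, and the matching `sed … 90pkgs-nginx` on the next line is likewise commented out inside the RUN continuation. Git keeps the history; commented-out build steps in a Dockerfile only hide which of the two is live. Drop the `#ADD …` line, and if the test variant of `90pkgs-nginx` already carries the test hostname (which would explain why the sed is no longer needed, but is not visible here), say so in the comment above the ADD instead.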
@@ -80,9 +81,9 @@ ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/m RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::${PACKAGE_REPO}::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \ && printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \ - && sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;pkgs.nginx.com/app-protect-security-updates;${PACKAGE_REPO}/app-protect-security-updates;g" *.sources \ - && sed -i -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" 90pkgs-nginx \ - && sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;pkgs.nginx.com/app-protect-security-updates;${PACKAGE_REPO}/app-protect-security-updates;g" *.repo \ + && sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;${PACKAGE_REPO}/app-protect-security-updates;pkgs.nginx.com/app-protect-security-updates;g" *.sources \ +# && sed -i -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" 90pkgs-nginx \ + && sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;${PACKAGE_REPO}/app-protect-security-updates;pkgs.nginx.com/app-protect-security-updates;g" *.repo \ && echo HTTP_USER_AGENT="k8s-ic-$IC_VERSION${BUILD_OS##alpine-plus}-apk" > user_agent ADD --link --chown=101:0 https://cs.nginx.com/static/files/nginx-agent.repo nginx-agent.repo @@ -106,6 +107,7 @@ USER 101 ############################################# Base image for Alpine with NGINX Plus ############################################# FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b as alpine-plus ARG NGINX_PLUS_VERSION +ARG PACKAGE_REPO RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ 
@@ -113,7 +115,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ --mount=type=bind,from=nginx-files,src=user_agent,target=/tmp/user_agent \ export $(cat /tmp/user_agent) \ - && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap libcurl \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && ldconfig /usr/local/lib/ \ @@ -133,6 +135,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# FROM alpine:3.17@sha256:53cf9478b76f4c8fae126acbdfb79bed6e69e628faff572ebe4a029d3d247d98 as alpine-plus-nap-fips ARG NGINX_PLUS_VERSION +ARG PACKAGE_REPO RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ 
@@ -140,8 +143,8 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ --mount=type=bind,from=nginx-files,src=app-protect-security-updates.rsa.pub,target=/etc/apk/keys/app-protect-security-updates.rsa.pub \ --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ - printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && printf "%s\n" "https://pkgs.nginx.com/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && printf "%s\n" "https://${PACKAGE_REPO}/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check \ From 0e9988f8f8575c2ad1894b9422b459c012af85e1 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 24 May 2024 11:04:10 +0100 Subject: [PATCH 06/13] ci test --- .github/workflows/ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 561636f29a..eb50e70d8f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -118,6 +118,11 @@ jobs: ./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT ./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT + echo "---------------------" + echo ${{secrets.NGINX_CRT}} > /tmp/nginx.crt + openssl x509 -in /tmp/nginx.crt -text -noout + echo "---------------------" + - name: Fetch Cached Binary Artifacts id: binary-cache From 9a4b5424bf7bf245c3a05cb4c654e8af61b37299 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Fri, 24 May 2024 10:04:37 +0000 Subject: [PATCH 07/13] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index eb50e70d8f..a7245a95a1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -122,7 +122,7 @@ jobs: echo ${{secrets.NGINX_CRT}} > /tmp/nginx.crt openssl x509 -in /tmp/nginx.crt -text -noout echo "---------------------" - + - name: Fetch Cached Binary Artifacts id: binary-cache From e03c49dafe6dbf20fa6bf9d5bcd123a58d28e79c Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 24 May 2024 11:08:24 +0100 Subject: [PATCH 08/13] debug line --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a7245a95a1..42e7ca3c54 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -120,6 +120,7 @@ jobs: cat $GITHUB_OUTPUT echo "---------------------" echo ${{secrets.NGINX_CRT}} > /tmp/nginx.crt + echo "file made" openssl x509 -in /tmp/nginx.crt -text -noout echo "---------------------" From dddcf8fe5c2d25ba9b815436e2a92c315ae1125a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 24 May 2024 11:10:47 +0100 Subject: [PATCH 09/13] format crt --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
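Review bot: `echo ${{secrets.NGINX_CRT}} > /tmp/nginx.crt` substitutes the secret's text into the shell script before it runs, so a multi-line PEM becomes several separate shell lines — only the first reaches the file and the rest are executed as commands — and any shell metacharacters in the value are parsed as code rather than data. Pass it through the environment and write it with printf: `env:` / `NGINX_CRT: ${{ secrets.NGINX_CRT }}` on the step, then `printf '%s\n' "$NGINX_CRT" > /tmp/nginx.crt`; the `format('"{0}"', …)` variant in the later "format crt" hunk still inlines the value and has the same problem. The `openssl x509 -text` output is a transformed form of the secret, so the runner's log masking will not redact it; if this is only a temporary diagnostic, mark it as such so it is removed before merge. The `curl … --key ~/nginx-repo.key --cert ~/nginx-repo.crt` added in the "curl test" hunk refers to files that no visible step creates, so that check may be exercising a different path than the one written here.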
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 42e7ca3c54..3520985704 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -119,7 +119,7 @@ jobs: ./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT echo "---------------------" - echo ${{secrets.NGINX_CRT}} > /tmp/nginx.crt + echo ${{format('"{0}"', secrets.NGINX_CRT)}} > /tmp/nginx.crt echo "file made" openssl x509 -in /tmp/nginx.crt -text -noout echo "---------------------" From a210ff9d6e328fc8ec274ecfdd1f595e79ebb51f Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 24 May 2024 15:41:33 +0100 Subject: [PATCH 10/13] curl test --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3520985704..f915474c14 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -123,6 +123,9 @@ jobs: echo "file made" openssl x509 -in /tmp/nginx.crt -text -noout echo "---------------------" + echo "doing curl" + curl --key ~/nginx-repo.key --cert ~/nginx-repo.crt https://pkgs-test.nginx.com/app-protect/ + echo "---------------------" - name: Fetch Cached Binary Artifacts From d5fcbdcef78540b0204bfd5a2a892388da5d3c3e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 29 May 2024 16:38:21 +0100 Subject: [PATCH 11/13] Remove pkgs-test --- .github/workflows/ci.yml | 8 -------- Makefile | 3 +-- build/Dockerfile | 19 +++++++------------ 3 files changed, 8 insertions(+), 22 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f915474c14..46c011cc8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -118,14 +118,6 @@ jobs: ./.github/scripts/variables.sh build_tag >> $GITHUB_OUTPUT ./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT - echo "---------------------" - echo ${{format('"{0}"', secrets.NGINX_CRT)}} > /tmp/nginx.crt - echo "file made" - openssl x509 -in /tmp/nginx.crt -text -noout - echo "---------------------" - echo "doing curl" - curl --key ~/nginx-repo.key --cert ~/nginx-repo.crt https://pkgs-test.nginx.com/app-protect/ - echo "---------------------" - name: Fetch Cached Binary Artifacts diff --git a/Makefile b/Makefile index a5087d0b93..94468a59ab 100644 --- a/Makefile +++ b/Makefile @@ -5,11 +5,10 @@ VERSION = $(VER)-SNAPSHOT PLUS_ARGS = --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key # Variables that can be overridden -PLUS_REPO ?= "pkgs-test.nginx.com" ## The package repo to install nginx-plus from PREFIX ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress TAG ?= $(VERSION:v%=%) ## The tag of the image. For example, 2.0.0 TARGET ?= local ## The target of the build. Possible values: local, container and download -override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) --build-arg PACKAGE_REPO=$(PLUS_REPO) ## The options for the docker build command. For example, --pull +override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) ## The options for the docker build command. For example, --pull ARCH ?= amd64 ## The architecture of the image or binary. For example: amd64, arm64, ppc64le, s390x. Not all architectures are supported for all targets GOOS ?= linux ## The OS of the binary. For example linux, darwin NGINX_AGENT ?= true diff --git a/build/Dockerfile b/build/Dockerfile index f8a2dbd11c..b66147cc62 100644 --- a/build/Dockerfile +++ b/build/Dockerfile 
@@ -1,7 +1,6 @@ # syntax=docker/dockerfile:1.6 ARG BUILD_OS=debian ARG NGINX_PLUS_VERSION=R32 -ARG PACKAGE_REPO=pkgs-test.nginx.com ARG DOWNLOAD_TAG=edge ARG DEBIAN_FRONTEND=noninteractive ARG PREBUILT_BASE_IMG=nginx/nginx-ingress:${DOWNLOAD_TAG} @@ -60,7 +59,6 @@ FROM scratch as nginx-files ARG IC_VERSION ARG BUILD_OS ARG NGINX_PLUS_VERSION -ARG PACKAGE_REPO # the following links can be replaced with local files if needed, i.e. ADD --chown=101:0 #ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-nginx 
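Review bot: The revert looks incomplete in this commit: the `ARG PACKAGE_REPO` lines and the sed rewrites are removed and every repo URL goes back to `pkgs.nginx.com`, but the context of the second hunk still shows the production `90pkgs-nginx` ADD commented out (`#ADD --link … 90pkgs-nginx`), and nothing here restores it. If the pinned `90pkgs-test-nginx` fetch introduced earlier in the series is still the live ADD, the apt configuration shipped in the image presumably still names the test host while the sources point at production. Restoring the original `ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-nginx` belongs in the same change as the host revert.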
@@ -80,11 +78,10 @@ ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/m ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/nap-dos-debian-11.repo nap-dos-11.sources ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/main/files/agent-debian-11.repo debian-agent-11.sources -RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::${PACKAGE_REPO}::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \ - && printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \ - && sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;${PACKAGE_REPO}/app-protect-security-updates;pkgs.nginx.com/app-protect-security-updates;g" *.sources \ -# && sed -i -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" 90pkgs-nginx \ - && sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" -e "s;pkgs.nginx.com;${PACKAGE_REPO};g" -e "s;${PACKAGE_REPO}/app-protect-security-updates;pkgs.nginx.com/app-protect-security-updates;g" *.repo \ +RUN --mount=from=busybox:musl,src=/bin/,dst=/bin/ printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt;" >> 90pkgs-nginx \ + && printf "%s\n" "user_agent=k8s-ic-$IC_VERSION${BUILD_OS##ubi*plus}-dnf" | tee -a nginx-plus-*.repo \ + && sed -i -e "s;%VERSION%;${NGINX_PLUS_VERSION};g" *.sources \ + && sed -i -e "y/0/1/" -e "1,8s;/centos;/${NGINX_PLUS_VERSION}/centos;" *.repo \ && echo HTTP_USER_AGENT="k8s-ic-$IC_VERSION${BUILD_OS##alpine-plus}-apk" > user_agent ADD --link --chown=101:0 https://cs.nginx.com/static/files/nginx-agent.repo nginx-agent.repo 
@@ -108,7 +105,6 @@ USER 101 ############################################# Base image for Alpine with NGINX Plus ############################################# FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b as alpine-plus ARG NGINX_PLUS_VERSION -ARG PACKAGE_REPO RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ @@ -116,7 +112,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ --mount=type=bind,from=nginx-files,src=user_agent,target=/tmp/user_agent \ export $(cat /tmp/user_agent) \ - && printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap libcurl \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && ldconfig /usr/local/lib/ \ @@ -136,7 +132,6 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# FROM alpine:3.17@sha256:53cf9478b76f4c8fae126acbdfb79bed6e69e628faff572ebe4a029d3d247d98 as alpine-plus-nap-fips ARG NGINX_PLUS_VERSION -ARG PACKAGE_REPO RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ 
@@ -144,8 +139,8 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ --mount=type=bind,from=nginx-files,src=app-protect-security-updates.rsa.pub,target=/etc/apk/keys/app-protect-security-updates.rsa.pub \ --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ - printf "%s\n" "https://${PACKAGE_REPO}/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && printf "%s\n" "https://${PACKAGE_REPO}/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && printf "%s\n" "https://pkgs.nginx.com/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check \ From 3d9f9f51008dbed5117ba82875a95a3360c341b2 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 29 May 2024 16:39:47 +0100 Subject: [PATCH 12/13] Remove newline --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 46c011cc8e..561636f29a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -119,7 +119,6 @@ jobs: ./.github/scripts/variables.sh stable_tag >> $GITHUB_OUTPUT cat $GITHUB_OUTPUT - - name: Fetch Cached Binary Artifacts id: binary-cache uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 From 22e938b09311bf547eae74786850ebb198d8bea5 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 29 May 2024 16:40:20 +0100 Subject: [PATCH 13/13] Revert 90pkgs-nginx --- build/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index b66147cc62..9de9c00b16 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -61,8 +61,7 @@ ARG BUILD_OS ARG NGINX_PLUS_VERSION # the following links can be replaced with local files if needed, i.e. ADD --chown=101:0 -#ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-nginx -ADD --link --chown=101:0 https://raw.githubusercontent.com/nginxinc/k8s-common/cc2dfc721ccfc428799c0c2a4fa0d7edb86b97eb/files/90pkgs-test-nginx 90pkgs-nginx +ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-nginx ADD --link --chown=101:0 https://cs.nginx.com/static/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:0 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub ADD --link --chown=101:0 https://cs.nginx.com/static/keys/app-protect-security-updates.key app-protect-security-updates.key