From b6bb43a4b379403e0972f354b6ca40bdc060833e Mon Sep 17 00:00:00 2001 From: oseoin Date: Wed, 24 Jul 2024 12:00:04 +0100 Subject: [PATCH 1/5] Align OSS and Plus UBI images (#6008) --- build/Dockerfile | 66 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 45 insertions(+), 21 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 43140e8843..d9e075747e 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -10,8 +10,9 @@ ARG WAF_VERSION=v4 ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0@sha256:ae23c9404255938311d526fa70122beedfa60b59f44c8353c685fa9b59f13b69 AS opentracing-lib -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0-alpine@sha256:7c04bb8065fdaa69ade0c9d12ede21ddc661cfaf87e32baa922ac1ebf3e8b8e7 AS alpine-opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0@sha256:1a77df60fd641db9e6a9323c8a484f642eb0e276df06104b592ecfd515bc1aef AS opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0-alpine@sha256:8e582e8cac837ad71372fbe1d80ab4d9894fa9dd9d3ad61163ebe87403b6b9db AS alpine-opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.0@sha256:760ed8cff8e0ae835b1873400673d95642e39420e42a02379e0619545008bc07 AS ubi-ppc64le FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc AS alpine-fips-3.19 FROM redhat/ubi9-minimal@sha256:104cf11d890aeb7dd5728b7d7732e175a0e4018f1bb00d2faebcc8f6bf29bd52 AS ubi-minimal 
@@ -39,25 +40,8 @@ RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ && ldconfig -############################################# Base image for UBI ############################################# -FROM nginxcontrib/nginx:1.27.0-ubi@sha256:1a077f6c3027d13404cc51b806b3308fe93dea63c1f42fec6885f5f509444e54 AS ubi -ARG IC_VERSION - -LABEL name="NGINX Ingress Controller" \ - maintainer="kubernetes@nginx.com" \ - vendor="NGINX Inc" \ - version="${IC_VERSION}" \ - release="1" \ - summary="The Ingress Controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \ - description="The Ingress Controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \ - io.k8s.description="NGINX Ingress Controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \ - io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift" - -COPY --link --chown=101:0 LICENSE /licenses/ - - -############################################# NGINX files for NGINX Plus ############################################# -FROM scratch as nginx-files +############################################# NGINX files ############################################# +FROM scratch AS nginx-files ARG IC_VERSION ARG BUILD_OS ARG NGINX_PLUS_VERSION 
@@ -316,6 +300,46 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode fi +############################################# Base image for UBI ############################################# +FROM ubi-minimal AS ubi +ARG IC_VERSION + +LABEL name="NGINX Ingress Controller" \ + maintainer="kubernetes@nginx.com" \ + vendor="NGINX Inc" \ + version="${IC_VERSION}" \ + release="1" \ + summary="The Ingress Controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \ + description="The Ingress Controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \ + io.k8s.description="NGINX Ingress Controller is an application that runs in a cluster and configures an HTTP load balancer according to Ingress resources." \ + io.openshift.tags="nginx,ingress-controller,ingress,controller,kubernetes,openshift" + +COPY --link --chown=101:0 LICENSE /licenses/ + +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + --mount=type=bind,from=nginx-files,src=ubi-setup.sh,target=/usr/local/bin/ubi-setup.sh \ + --mount=type=bind,from=nginx-files,src=ubi-clean.sh,target=/usr/local/bin/ubi-clean.sh \ + --mount=type=bind,from=ubi-ppc64le,src=/,target=/ubi-bin/ \ + ubi-setup.sh; \ + if [ $(uname -p) != ppc64le ]; then \ + printf "%s\n" "[nginx]" "name=nginx repo" \ + "baseurl=https://nginx.org/packages/mainline/centos/9/\$basearch/" \ + "gpgcheck=1" "enabled=1" "module_hotfixes=true" > /etc/yum.repos.d/nginx.repo \ + && microdnf --nodocs install -y nginx nginx-module-njs nginx-module-image-filter nginx-module-xslt \ + && rm /etc/yum.repos.d/nginx.repo; \ + else \ + rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-installed \ + && microdnf --nodocs --setopt=install_weak_deps=0 install -y diffutils dnf \ + && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-new \ + && 
dnf install -y /ubi-bin/*.rpm \ + && dnf -q repoquery --resolve --requires --recursive --whatrequires nginx --queryformat "%{NAME}" > pkgs-nginx \ + && dnf --setopt=protected_packages= remove -y $(comm -13 pkgs-installed pkgs-new | comm -13 pkgs-nginx -) \ + && rm pkgs-installed pkgs-new pkgs-nginx; \ + fi \ + && ubi-clean.sh + + ############################################# Base image for UBI with NGINX Plus ############################################# FROM ubi-minimal AS ubi-plus ARG NGINX_PLUS_VERSION From b240c428f1ee9d4523e77b60719f6cbaf52a1b9d Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Fri, 16 Aug 2024 09:46:52 +0100 Subject: [PATCH 2/5] update nginx to 1.27.1 (#6218) --- build/Dockerfile | 4 +-- build/dependencies/Dockerfile.ubi-ppc64le | 35 +++++++++++++++++++++ docs/content/technical-specifications.md | 10 +++--- examples/custom-resources/api-key/README.md | 2 +- 4 files changed, 43 insertions(+), 8 deletions(-) create mode 100644 build/dependencies/Dockerfile.ubi-ppc64le diff --git a/build/Dockerfile b/build/Dockerfile index d9e075747e..e9fbac81ad 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -20,7 +20,7 @@ FROM golang:1.22-alpine@sha256:1a478681b671001b7f029f94b5016aed984a23ad99c707f6a ############################################# Base image for Alpine ############################################# -FROM nginx:1.27.0-alpine@sha256:208b70eefac13ee9be00e486f79c695b15cef861c680527171a27d253d834be9 AS alpine +FROM nginx:1.27.1-alpine@sha256:c04c18adc2a407740a397c8407c011fc6c90026a9b65cceddef7ae5484360158 AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ 
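Review bot: In the new `ubi` stage of build/Dockerfile (PATCH 1/5), the RUN step starts with `ubi-setup.sh; \`, and the `SHELL` line sets `pipefail` but not `-e`, so a non-zero exit from ubi-setup.sh is discarded and the package install runs anyway. Per PATCH 5/5 that script creates the nginx user (uid/gid 101) and imports the signing key, so a failed user creation or key import would pass silently on the ppc64le branch, where the RPMs come from `/ubi-bin/` rather than from the `gpgcheck=1` repo. I would chain it instead: `ubi-setup.sh \` followed by `&& if [ "$(uname -p)" != ppc64le ]; then \`, which also quotes the substitution so an empty `uname -p` cannot break the test. A comment above `dnf install -y /ubi-bin/*.rpm` should state that the trust anchor for those locally supplied RPMs is the digest-pinned `ubi-ppc64le` image; whether dnf signature-checks local package files depends on configuration that is not visible in this hunk.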
@@ -30,7 +30,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ ############################################# Base image for Debian ############################################# -FROM nginx:1.27.0@sha256:98f8ec75657d21b924fe4f69b6b9bff2f6550ea48838af479d8894a852000e40 AS debian +FROM nginx:1.27.1@sha256:1540e37eebb9abc5afa4256de1bade6542d50bf69b61b1dd855cb7804aaaf444 AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le new file mode 100644 index 0000000000..97f5171410 --- /dev/null +++ b/build/dependencies/Dockerfile.ubi-ppc64le 
@@ -0,0 +1,35 @@
+# syntax=docker/dockerfile:1.8
+FROM nginx:1.27.1@sha256:1540e37eebb9abc5afa4256de1bade6542d50bf69b61b1dd855cb7804aaaf444 AS nginx
+
+FROM redhat/ubi9:9.4@sha256:081c96d1b1c7cd1855722d01f1ca53360510443737b1eb33284c6c4c330e537c AS rpm-build
+ARG NGINX
+ARG NJS
+ENV NGINX_VERSION ${NGINX}
+ENV NJS_VERSION ${NJS}
+
+
+RUN mkdir -p /nginx/; \
+ # only build for ppc64le but make multiarch image for mounting
+ [ $(uname -p) != ppc64le ] && exit 0; \
+ rpm --import https://nginx.org/keys/nginx_signing.key \
+ && MINOR_VERSION=$(echo ${NGINX_VERSION} | cut -d '.' -f 2) \
+ && if [ $(( $MINOR_VERSION % 2)) -eq 0 ]; then echo mainline=""; else mainline="mainline/"; fi \
+ && printf "%s\n" "[nginx]" "name=nginx src repo" \
+ "baseurl=https://nginx.org/packages/${mainline}centos/9/SRPMS" \
+ "gpgcheck=1" "enabled=1" "module_hotfixes=true" >> /etc/yum.repos.d/nginx.repo \
+ && dnf install rpm-build gcc make dnf-plugins-core which -y \
+ && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
+ && nginxPackages=" \
+ nginx-${NGINX_VERSION} \
+ nginx-module-xslt-${NGINX_VERSION} \
+ nginx-module-image-filter-${NGINX_VERSION} \
+ nginx-module-njs-${NGINX_VERSION}+${NJS_VERSION} \
+ " \
+ && dnf config-manager --set-enabled ubi-9-codeready-builder \
+ && dnf download --source ${nginxPackages} \
+ && dnf builddep -y --srpm nginx*.rpm \
+ && rpmbuild --rebuild --nodebuginfo nginx*.rpm \
+ && cp /root/rpmbuild/RPMS/$(arch)/* /nginx/
+
+FROM scratch AS final
+COPY --link --from=rpm-build /nginx /
diff --git a/docs/content/technical-specifications.md b/docs/content/technical-specifications.md
index adf04b06d9..601830f93e 100644
--- a/docs/content/technical-specifications.md
+++ b/docs/content/technical-specifications.md
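Review bot: In build/dependencies/Dockerfile.ubi-ppc64le the rpm-build stage installs `https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm` from a moving `latest` URL and imports the nginx key with `rpm --import https://nginx.org/keys/nginx_signing.key`; both are fetched at build time with nothing pinned, unlike the digest-pinned `FROM` lines, so the resulting RPMs are not reproducible from this file and their trust rests on TLS to those hosts. Pinning a specific epel-release package with a checksum, and importing a key file committed to the repository (build/Dockerfile already bind-mounts `nginx_signing.key` from `nginx-files`), would close that gap. Separately, `then echo mainline="";` prints the text instead of assigning it; it works only because `mainline` is otherwise unset, and `then mainline="";` says what is meant. PATCH 3/5 later deletes this file, so these points presumably apply to wherever the `nginx-ubi-ppc64le` image is actually built.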
@@ -28,7 +28,7 @@ We test NGINX Ingress Controller on a range of Kubernetes platforms for each rel {{< bootstrap-table "table table-bordered table-striped table-responsive" >}} | NIC Version | Supported Kubernetes Version | NIC Helm Chart Version | NIC Operator Version | NGINX / NGINX Plus version | | --- | --- | --- | --- | --- | -| {{< nic-version >}} | 1.25 - 1.30 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.27.0 / R32 | +| {{< nic-version >}} | 1.25 - 1.30 | {{< nic-helm-version >}} | {{< nic-operator-version >}} | 1.27.1 / R32 | | 3.5.2 | 1.23 - 1.30 | 1.2.2 | 2.2.2 | 1.27.0 / R32 | | 3.4.3 | 1.23 - 1.29 | 1.1.3 | 2.1.2 | 1.25.4 / R31 P1 | | 3.3.2 | 1.22 - 1.28 | 1.0.2 | 2.0.2 | 1.25.3 / R30 | @@ -54,14 +54,14 @@ We provide the following Docker images, which include NGINX or NGINX Plus bundle ### Images with NGINX -_All images include NGINX 1.27.0._ +_All images include NGINX 1.27.1._ {{< bootstrap-table "table table-bordered table-responsive" >}} |
Name
|
Base image
|
Third-party modules
| DockerHub image | Architectures | | ---| --- | --- | --- | --- | -|Alpine-based image | ``nginx:1.27.0-alpine``,
based on on ``alpine:3.19`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:{{< nic-version >}}-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | -|Debian-based image | ``nginx:1.27.0``,
based on on ``debian:12-slim`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:{{< nic-version >}}`` | arm/v7
arm64
amd64
ppc64le
s390x | -|Ubi-based image | ``nginxcontrib/nginx:1.27.0-ubi``,
based on on ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:{{< nic-version >}}-ubi`` | arm64
amd64
ppc64le
s390x | +|Alpine-based image | ``nginx:1.27.1-alpine``,
based on on ``alpine:3.20`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:{{< nic-version >}}-alpine`` | arm/v7
arm64
amd64
ppc64le
s390x | +|Debian-based image | ``nginx:1.27.1``,
based on on ``debian:12-slim`` | NGINX OpenTracing module

OpenTracing library

OpenTracing tracers for Jaeger

Zipkin and Datadog | ``nginx/nginx-ingress:{{< nic-version >}}`` | arm/v7
arm64
amd64
ppc64le
s390x | +|Ubi-based image | ``redhat/ubi9-minimal`` | | ``nginx/nginx-ingress:{{< nic-version >}}-ubi`` | arm64
amd64
ppc64le
s390x | {{% /bootstrap-table %}} --- diff --git a/examples/custom-resources/api-key/README.md b/examples/custom-resources/api-key/README.md index c1ca8c0922..ba3093f07e 100644 --- a/examples/custom-resources/api-key/README.md +++ b/examples/custom-resources/api-key/README.md @@ -85,7 +85,7 @@ curl -k --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP -H "X-header-name: wron 403 Forbidden

403 Forbidden

-
nginx/1.27.0
+
nginx/1.27.1
``` From 242a583e73a86b77e765204b5c7a258577ef974e Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 16 Aug 2024 12:18:12 +0100 Subject: [PATCH 3/5] remove unused file --- build/dependencies/Dockerfile.ubi-ppc64le | 35 ----------------------- 1 file changed, 35 deletions(-) delete mode 100644 build/dependencies/Dockerfile.ubi-ppc64le diff --git a/build/dependencies/Dockerfile.ubi-ppc64le b/build/dependencies/Dockerfile.ubi-ppc64le deleted file mode 100644 index 97f5171410..0000000000 --- a/build/dependencies/Dockerfile.ubi-ppc64le +++ /dev/null 
@@ -1,35 +0,0 @@ -# syntax=docker/dockerfile:1.8 -FROM nginx:1.27.1@sha256:1540e37eebb9abc5afa4256de1bade6542d50bf69b61b1dd855cb7804aaaf444 AS nginx - -FROM redhat/ubi9:9.4@sha256:081c96d1b1c7cd1855722d01f1ca53360510443737b1eb33284c6c4c330e537c AS rpm-build -ARG NGINX -ARG NJS -ENV NGINX_VERSION ${NGINX} -ENV NJS_VERSION ${NJS} - - -RUN mkdir -p /nginx/; \ - # only build for ppc64le but make multiarch image for mounting - [ $(uname -p) != ppc64le ] && exit 0; \ - rpm --import https://nginx.org/keys/nginx_signing.key \ - && MINOR_VERSION=$(echo ${NGINX_VERSION} | cut -d '.' -f 2) \ - && if [ $(( $MINOR_VERSION % 2)) -eq 0 ]; then echo mainline=""; else mainline="mainline/"; fi \ - && printf "%s\n" "[nginx]" "name=nginx src repo" \ - "baseurl=https://nginx.org/packages/${mainline}centos/9/SRPMS" \ - "gpgcheck=1" "enabled=1" "module_hotfixes=true" >> /etc/yum.repos.d/nginx.repo \ - && dnf install rpm-build gcc make dnf-plugins-core which -y \ - && dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \ - && nginxPackages=" \ - nginx-${NGINX_VERSION} \ - nginx-module-xslt-${NGINX_VERSION} \ - nginx-module-image-filter-${NGINX_VERSION} \ - nginx-module-njs-${NGINX_VERSION}+${NJS_VERSION} \ - " \ - && dnf config-manager --set-enabled ubi-9-codeready-builder \ - && dnf download --source ${nginxPackages} \ - && dnf builddep -y --srpm nginx*.rpm \ - && rpmbuild --rebuild --nodebuginfo nginx*.rpm \ - && cp /root/rpmbuild/RPMS/$(arch)/* /nginx/ - -FROM scratch AS final -COPY --link --from=rpm-build /nginx / From b63754cf514e5ff5de86c13179e6182cd502a4fd Mon Sep 17 00:00:00 2001 From: Paul Abel <128620221+pdabelf5@users.noreply.github.com> Date: Fri, 16 Aug 2024 13:36:54 +0100 Subject: [PATCH 4/5] update nic build dependencies to nginx 1.27.1 (#6224) --- build/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index e9fbac81ad..1f4d7a1186 100644 --- a/build/Dockerfile 
+++ b/build/Dockerfile @@ -10,9 +10,9 @@ ARG WAF_VERSION=v4 ############################################# Base images containing libs for Opentracing and FIPS ############################################# -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0@sha256:1a77df60fd641db9e6a9323c8a484f642eb0e276df06104b592ecfd515bc1aef AS opentracing-lib -FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.0-alpine@sha256:8e582e8cac837ad71372fbe1d80ab4d9894fa9dd9d3ad61163ebe87403b6b9db AS alpine-opentracing-lib -FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.0@sha256:760ed8cff8e0ae835b1873400673d95642e39420e42a02379e0619545008bc07 AS ubi-ppc64le +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1@sha256:68d5e10f4aeca7fcd4ceea163f57c6d43a7de8c83bfd75436ab07cf6073df886 AS opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.1-alpine@sha256:e78f115f9031f2dd5b1d93ec67174d7e37b4d5a4e225657a04622df443db6d38 AS alpine-opentracing-lib +FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.1@sha256:0bab61e2bd639b269ec54343ea66b7acbdb0eb67bed44383e1be937c483c451d AS ubi-ppc64le FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:f00b3f266422feaaac7b733b46903bd19eb1cd1caa6991131576f5f767db76f8 AS alpine-fips-3.17 FROM ghcr.io/nginxinc/alpine-fips:0.2.0-alpine3.19@sha256:1744ae3a8e795daf771f3f7df33b83160981545abb1f1597338e2769d06aa1cc AS alpine-fips-3.19 FROM redhat/ubi9-minimal@sha256:104cf11d890aeb7dd5728b7d7732e175a0e4018f1bb00d2faebcc8f6bf29bd52 AS ubi-minimal From b446d069dcc2d5f4b4065de866f689c8ac516e5a Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Fri, 16 Aug 2024 14:16:46 +0100 Subject: [PATCH 5/5] add ubi scripts to docker build --- build/Dockerfile | 2 ++ build/scripts/ubi-clean.sh | 6 ++++++ build/scripts/ubi-setup.sh | 8 ++++++++ 3 files changed, 16 insertions(+) create mode 100755 build/scripts/ubi-clean.sh create mode 100755 build/scripts/ubi-setup.sh 
diff --git a/build/Dockerfile b/build/Dockerfile
index 004b534be3..f85878a2ea 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -78,6 +78,8 @@ ADD --link --chown=101:0 --chmod=0755 build/scripts/common.sh common.sh
 ADD --link --chown=101:0 --chmod=0755 build/scripts/nap-waf.sh nap-waf.sh
 ADD --link --chown=101:0 --chmod=0755 build/scripts/nap-dos.sh nap-dos.sh
 ADD --link --chown=101:0 --chmod=0755 build/scripts/agent.sh agent.sh
+ADD --link --chown=101:0 --chmod=0755 build/scripts/ubi-setup.sh ubi-setup.sh
+ADD --link --chown=101:0 --chmod=0755 build/scripts/ubi-clean.sh ubi-clean.sh
 
 
 ############################################# Patch Image #############################################
diff --git a/build/scripts/ubi-clean.sh b/build/scripts/ubi-clean.sh
new file mode 100755
index 0000000000..babdf0a121
--- /dev/null
+++ b/build/scripts/ubi-clean.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -e
+
+microdnf remove -y shadow-utils subscription-manager
+microdnf clean all && rm -rf /var/cache/dnf
diff --git a/build/scripts/ubi-setup.sh b/build/scripts/ubi-setup.sh
new file mode 100755
index 0000000000..72e3716369
--- /dev/null
+++ b/build/scripts/ubi-setup.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+microdnf --nodocs install -y shadow-utils subscription-manager
+groupadd --system --gid 101 nginx
+useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx
+rpm --import /tmp/nginx_signing.key
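Review bot: build/scripts/ubi-setup.sh has no header comment, yet its last line `rpm --import /tmp/nginx_signing.key` only works when the caller has placed the key at that path, and the `groupadd`/`useradd` lines fix uid and gid 101, the same ids used by the `--chown=101:0` instructions in build/Dockerfile. I would add two comment lines under the shebang, for example `# Expects the nginx signing key at /tmp/nginx_signing.key (bind-mounted by the Dockerfile RUN step).` and `# Creates nginx as uid/gid 101 to match the --chown=101:0 used for copied files.` ubi-clean.sh would benefit from a matching note that it removes the `shadow-utils` and `subscription-manager` packages installed by ubi-setup.sh, so the two scripts are meant to run as a pair within one RUN step.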