From 157849e1d62ec6900539bf885a3c1994400c9031 Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 25 Sep 2024 15:49:28 +0100 Subject: [PATCH 1/3] alpine update --- build/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 1333390838..e425b0f938 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -101,8 +101,8 @@ RUN --mount=type=bind,from=nginx-files,src=patch-os.sh,target=/usr/local/bin/pat USER 101 -############################################# Base image for Alpine with NGINX Plus ############################################# -FROM alpine:3.20@sha256:e72ad0747b9dc266fca31fb004580d316b6ae5b0fdbbb65f17bbe371a5b24cff AS alpine-plus +############################################# Base image for Alpine with NGINX Plus ############################################## +FROM alpine:3.20@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d AS alpine-plus ARG NGINX_PLUS_VERSION ARG PACKAGE_REPO From 7e5d7626f6728a22ccf40f813e61735b54f8eb3c Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 25 Sep 2024 16:08:15 +0100 Subject: [PATCH 2/3] update waf v5 version --- build/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/Dockerfile b/build/Dockerfile index e425b0f938..71a06df532 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -300,7 +300,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && apt-get update \ && if [ "${NGINX_AGENT}" = "true" ]; then apt-get install --no-install-recommends --no-install-suggests -y nginx-agent; fi \ && if [ -z "${NAP_MODULES##*waf*}" ]; then \ - apt-get install --no-install-recommends --no-install-suggests -y app-protect-module-plus=32+5.48*; \ + apt-get install --no-install-recommends --no-install-suggests -y app-protect-module-plus=32+5.144*; \ rm -f /etc/apt/sources.list.d/app-protect.sources; \ nap-waf.sh; \ fi \ 
From f57d35eb73680960459d1b1e6afb48fbad2b5a7b Mon Sep 17 00:00:00 2001 From: Paul Abel Date: Wed, 25 Sep 2024 17:08:59 +0100 Subject: [PATCH 3/3] update to waf 5.3.0 --- .github/workflows/regression.yml | 2 +- .github/workflows/setup-smoke.yml | 2 +- build/Dockerfile | 6 +++--- charts/nginx-ingress/values.schema.json | 12 ++++++------ charts/nginx-ingress/values.yaml | 4 ++-- .../installing-nic/installation-with-helm.md | 4 ++-- tests/settings.py | 2 +- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/regression.yml b/.github/workflows/regression.yml index 986315586d..3aae12c64a 100644 --- a/.github/workflows/regression.yml +++ b/.github/workflows/regression.yml @@ -262,7 +262,7 @@ jobs: - name: Generate WAF v5 tgz from JSON run: | - docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.2.0 -p /data/wafv5.json -o /data/wafv5.tgz + docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.3.0 -p /data/wafv5.json -o /data/wafv5.tgz if: ${{ contains(matrix.images.image, 'nap-v5')}} - name: Run Regression Tests diff --git a/.github/workflows/setup-smoke.yml b/.github/workflows/setup-smoke.yml index 0489533f46..9e4e0c2a1c 100644 --- a/.github/workflows/setup-smoke.yml +++ b/.github/workflows/setup-smoke.yml 
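Review bot: The `Generate WAF v5 tgz from JSON` step in regression.yml still references the compiler image by a mutable tag (`waf-compiler:5.3.0`) on the same `docker run` line that passes `--user root` and bind-mounts `/var/run/docker.sock`, so whatever that tag resolves to at run time has full access to the runner's Docker daemon. build/Dockerfile in this series pins its Alpine base by digest, and the compiler image should get the same treatment, for example `waf-compiler:5.3.0@sha256:<digest-of-5.3.0>` (placeholder; take the real digest from the registry). The identical line in .github/workflows/setup-smoke.yml carries the same exposure. The hunk does not show whether the compiler needs root and the socket; if it does not, dropping `--user root` and the socket mount would reduce the exposure further.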
@@ -149,7 +149,7 @@ jobs: - name: Generate WAF v5 tgz from JSON run: | - docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.2.0 -p /data/wafv5.json -o /data/wafv5.tgz + docker run --rm --user root -v /var/run/docker.sock:/var/run/docker.sock -v ${{ github.workspace }}/tests/data/ap-waf-v5:/data gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nap/waf-compiler:5.3.0 -p /data/wafv5.json -o /data/wafv5.tgz if: ${{ contains(inputs.image, 'nap-v5')}} - name: Run Smoke Tests diff --git a/build/Dockerfile b/build/Dockerfile index 71a06df532..4a866b60c9 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -198,7 +198,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ && cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && ldconfig /usr/local/lib/ \ - && apk add --no-cache app-protect-module-plus~=32.5.48 \ + && apk add --no-cache app-protect-module-plus~=32.5.144 \ && sed -i -e '/nginx.com/d' /etc/apk/repositories \ && nap-waf.sh \ && if [ "${NGINX_AGENT}" = "true" ]; then \ @@ -430,7 +430,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && if [ "${NGINX_AGENT}" = "true" ]; then microdnf --nodocs install -y nginx-agent; fi \ && if [ -z "${NAP_MODULES##*waf*}" ]; then \ cp /tmp/app-protect-9.repo /etc/yum.repos.d/app-protect-9.repo \ - && microdnf --nodocs install -y app-protect-module-plus-32+5.48* \ + && microdnf --nodocs install -y app-protect-module-plus-32+5.144* \ && nap-waf.sh \ && rm -f /etc/yum.repos.d/app-protect-9.repo; \ fi \ 
@@ -517,7 +517,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && dnf config-manager --set-enabled codeready-builder-for-rhel-8-x86_64-rpms \ && dnf --nodocs install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm \ && if [ -z "${NAP_MODULES##*waf*}" ]; then \ - dnf --nodocs install -y app-protect-module-plus-32+5.48*; \ + dnf --nodocs install -y app-protect-module-plus-32+5.144*; \ fi \ && subscription-manager unregister \ && if [ -z "${NAP_MODULES##*waf*}" ]; then \ diff --git a/charts/nginx-ingress/values.schema.json b/charts/nginx-ingress/values.schema.json index 423dd014c5..37297c6bbc 100644 --- a/charts/nginx-ingress/values.schema.json +++ b/charts/nginx-ingress/values.schema.json @@ -208,10 +208,10 @@ }, "tag": { "type": "string", - "default": "5.2.0", + "default": "5.3.0", "title": "The tag of the App Protect WAF v5 Enforcer image", "examples": [ - "5.2.0" + "5.3.0" ] }, "digest": { @@ -248,7 +248,7 @@ "examples": [ { "repository": "private-registry.nginx.com/nap/waf-enforcer", - "tag": "5.2.0", + "tag": "5.3.0", "pullPolicy": "IfNotPresent" } ] @@ -282,10 +282,10 @@ }, "tag": { "type": "string", - "default": "5.2.0", + "default": "5.3.0", "title": "The tag of the App Protect WAF v5 Config Manager image", "examples": [ - "5.2.0" + "5.3.0" ] }, "digest": { @@ -322,7 +322,7 @@ "examples": [ { "repository": "private-registry.nginx.com/nap/waf-config-mgr", - "tag": "5.2.0", + "tag": "5.3.0", "pullPolicy": "IfNotPresent" } ] diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml index ebece1f3a6..c8892f0223 100644 --- a/charts/nginx-ingress/values.yaml +++ b/charts/nginx-ingress/values.yaml 
@@ -49,7 +49,7 @@ controller: repository: private-registry.nginx.com/nap/waf-enforcer ## The tag of the App Protect WAF v5 Enforcer image. - tag: "5.2.0" + tag: "5.3.0" ## The digest of the App Protect WAF v5 Enforcer image. ## If digest is specified it has precedence over tag and will be used instead # digest: "sha256:CHANGEME" @@ -65,7 +65,7 @@ controller: repository: private-registry.nginx.com/nap/waf-config-mgr ## The tag of the App Protect WAF v5 Configuration Manager image. - tag: "5.2.0" + tag: "5.3.0" ## The digest of the App Protect WAF v5 Configuration Manager image. ## If digest is specified it has precedence over tag and will be used instead # digest: "sha256:CHANGEME" diff --git a/docs/content/installation/installing-nic/installation-with-helm.md b/docs/content/installation/installing-nic/installation-with-helm.md index a6a6fedee0..5c4511083b 100644 --- a/docs/content/installation/installing-nic/installation-with-helm.md +++ b/docs/content/installation/installing-nic/installation-with-helm.md 
@@ -405,12 +405,12 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont | **controller.appprotect.enforcer.host** | Host that the App Protect WAF v5 Enforcer runs on. | "127.0.0.1" | | **controller.appprotect.enforcer.port** | Port that the App Protect WAF v5 Enforcer runs on. | 50000 | | **controller.appprotect.enforcer.image** | The image repository of the App Protect WAF v5 Enforcer. | private-registry.nginx.com/nap/waf-enforcer | -| **controller.appprotect.enforcer.tag** | The tag of the App Protect WAF v5 Enforcer. | "5.2.0" | +| **controller.appprotect.enforcer.tag** | The tag of the App Protect WAF v5 Enforcer. | "5.3.0" | | **controller.appprotect.enforcer.digest** | The digest of the App Protect WAF v5 Enforcer. Takes precedence over tag if set. | "" | | **controller.appprotect.enforcer.pullPolicy** | The pull policy for the App Protect WAF v5 Enforcer image. | IfNotPresent | | **controller.appprotect.enforcer.securityContext** | The security context for App Protect WAF v5 Enforcer container. | {} | | **controller.appprotect.configManager.image** | The image repository of the App Protect WAF v5 Configuration Manager. | private-registry.nginx.com/nap/waf-config-mgr | -| **controller.appprotect.configManager.tag** | The tag of the App Protect WAF v5 Configuration Manager. | "5.2.0" | +| **controller.appprotect.configManager.tag** | The tag of the App Protect WAF v5 Configuration Manager. | "5.3.0" | | **controller.appprotect.configManager.digest** | The digest of the App Protect WAF v5 Configuration Manager. Takes precedence over tag if set. | "" | | **controller.appprotect.configManager.pullPolicy** | The pull policy for the App Protect WAF v5 Configuration Manager image. | IfNotPresent | | **controller.appprotect.configManager.securityContext** | The security context for App Protect WAF v5 Configuration Manager container. 
| {"allowPrivilegeEscalation":false,"runAsUser":101,"runAsNonRoot":true,"capabilities":{"drop":["all"]}} | diff --git a/tests/settings.py b/tests/settings.py index 8c23605fc7..ce03b76491 100644 --- a/tests/settings.py +++ b/tests/settings.py @@ -33,4 +33,4 @@ # Nginx registry address to pull waf components from NGX_REG = "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr" # WAF component version to pull from above registry -WAF_V5_VERSION = "5.2.0" +WAF_V5_VERSION = "5.3.0"