From 58d9674850294c0237f1a6dca5937c6f1da71bce Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 22 Sep 2025 09:42:08 +0100 Subject: [PATCH 01/19] Add initial Dockerfile to build NGINX OSS images based on ubi9-minimal --- Makefile | 3 +- build/ubi/Dockerfile.nginx | 50 ++++++++++++++++++++++++++++++++ build/ubi/Dockerfile.nginxplus | 5 ++++ build/ubi/repos/nginx-agent.repo | 6 ++++ build/ubi/repos/nginx.repo | 6 ++++ 5 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 build/ubi/Dockerfile.nginx create mode 100644 build/ubi/Dockerfile.nginxplus create mode 100644 build/ubi/repos/nginx-agent.repo create mode 100644 build/ubi/repos/nginx.repo diff --git a/Makefile b/Makefile index c794b3a9e2..7ca035810c 100644 --- a/Makefile +++ b/Makefile @@ -7,6 +7,7 @@ NJS_DIR = internal/controller/nginx/modules/src KIND_CONFIG_FILE = $(SELF_DIR)config/cluster/kind-cluster.yaml NGINX_DOCKER_BUILD_PLUS_ARGS = --secret id=nginx-repo.crt,src=$(SELF_DIR)nginx-repo.crt --secret id=nginx-repo.key,src=$(SELF_DIR)nginx-repo.key BUILD_AGENT = local +BASE_IMAGE ?= nginx:1.29.1-alpine-otel PROD_TELEMETRY_ENDPOINT = oss.edge.df.f5.com:443 # the telemetry related variables below are also configured in goreleaser.yml @@ -52,7 +53,7 @@ PLUS_ENABLED ?= false PLUS_LICENSE_FILE ?= $(SELF_DIR)license.jwt PLUS_USAGE_ENDPOINT ?=## The N+ usage endpoint. For development, please set to the N1 staging endpoint. -override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) +override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) --build-arg BASE_IMAGE=$(BASE_IMAGE) .DEFAULT_GOAL := help diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx new file mode 100644 index 0000000000..a50d8a7afd --- /dev/null +++ b/build/ubi/Dockerfile.nginx 
@@ -0,0 +1,50 @@
+# syntax=docker/dockerfile:1.18
+FROM scratch AS nginx-files
+
+# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001
+ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
+ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo
+ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo
+
+FROM ubi9-minimal
+
+# renovate: datasource=github-tags depName=nginx/agent
+ARG NGINX_AGENT_VERSION=v3.3.1
+ARG NJS_DIR
+ARG NGINX_CONF_DIR
+ARG BUILD_AGENT
+
+RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/tmp/nginx_signing.rsa.pub \
+ --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \
+ --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \
+ && rpm --import /tmp/nginx_signing.rsa.pub
+
+RUN microdnf --nodocs install -y nginx \
+ && microdnf --nodocs install -y nginx-module-njs nginx-module-otel nginx-module-image-filter nginx-module-xslt \
+ && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION}*
+
+RUN groupadd --system --gid 1001 nginx \
+ && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \
+ && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
+ && microdnf update -y \
+ && microdnf --nodocs install -y shadow-utils subscription-manager \
+ && microdnf clean all
+
+RUN mkdir -p /usr/lib/nginx/modules \
+ # forward request and error logs to docker log collector
+ && ln -sf /dev/stdout /var/log/nginx/access.log \
+ && ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY build/entrypoint.sh /agent/entrypoint.sh
+COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js
+COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf
+COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf
+COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf
+
+RUN chown -R 101:1001 /etc/nginx /var/cache/nginx
+
+LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}"
+
+USER 101:1001
+
+ENTRYPOINT ["/agent/entrypoint.sh"]
\ No newline at end of file
diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus
new file mode 100644
index 0000000000..6f14661890
--- /dev/null
+++ b/build/ubi/Dockerfile.nginxplus
@@ -0,0 +1,5 @@
+# syntax=docker/dockerfile:1.18
+FROM scratch AS nginx-files
+
+# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001
+ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
diff --git a/build/ubi/repos/nginx-agent.repo b/build/ubi/repos/nginx-agent.repo
new file mode 100644
index 0000000000..a65508b538
--- /dev/null
+++ b/build/ubi/repos/nginx-agent.repo
@@ -0,0 +1,6 @@
+[agent]
+name=agent repo
+baseurl=https://packages.nginx.org/nginx-agent/centos/9/\$basearch/
+gpgcheck=1
+enabled=1
+module_hotfixes=true
\ No newline at end of file
diff --git a/build/ubi/repos/nginx.repo b/build/ubi/repos/nginx.repo
new file mode 100644
index 0000000000..07a428cc8c
--- /dev/null
+++ b/build/ubi/repos/nginx.repo
@@ -0,0 +1,6 @@
+[nginx]
+name=nginx repo
+baseurl=https://packages.nginx.org/nginx/mainline/centos/9/\$basearch/
+gpgcheck=1
+enabled=1
+module_hotfixes=true
\ No newline at end of file
From 20d131e64f7b2482cf9fd588379d918ec800ffac Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 22 Sep 2025 10:36:43 +0100 Subject: [PATCH 02/19] Update repo files and use red hat registered ubi-minimal --- Makefile | 3 ++- build/ubi/Dockerfile.nginx | 24 +++++++++++------------- build/ubi/repos/agent.repo | 6 ++++++ build/ubi/repos/nginx-agent.repo | 6 ------ build/ubi/repos/nginx.repo | 4 ++-- 5 files changed, 21 insertions(+), 22 deletions(-) create mode 100644 build/ubi/repos/agent.repo delete mode 100644 build/ubi/repos/nginx-agent.repo
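Review bot: The signing key on the `ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub …` line of build/ubi/Dockerfile.nginx is downloaded at build time with no integrity check, yet it is the trust root that `rpm --import` and `gpgcheck=1` in the two repo files depend on. Pin it with a checksum, e.g. `ADD --link --checksum=sha256:<digest-of-reviewed-key> --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub`, or vendor the reviewed key next to the repo files as the comment above the line already hints. The same unchecked download is in the build/ubi/Dockerfile.nginxplus hunk of this patch and carries over to the `https://nginx.org/keys/nginx_signing.key` lines in the later patches.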
diff --git a/Makefile b/Makefile index 7ca035810c..9dedbeb173 100644 --- a/Makefile +++ b/Makefile @@ -44,6 +44,7 @@ HELM_SCHEMA_VERSION = 0.18.1 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus +BUILD_OS ?= alpine## The OS of the nginx image. Possible values: alpine and ubi TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0 TARGET ?= local## The target of the build. Possible values: local and container OUT_DIR ?= build/out## The folder where the binary will be stored @@ -91,7 +92,7 @@ build-prod-nginx-image: build-nginx-image ## Build the custom nginx image for pr .PHONY: build-nginx-image build-nginx-image: check-for-docker ## Build the custom nginx image - docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: build-prod-nginx-plus-image build-prod-nginx-plus-image: build-nginx-plus-image ## Build the custom nginx plus image for production diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index a50d8a7afd..e3788104af 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx 
@@ -2,11 +2,12 @@ FROM scratch AS nginx-files # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 -ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub +ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -FROM ubi9-minimal +FROM registry.access.redhat.com/ubi9/ubi-minimal:latest +# FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9 # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 
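Review bot: `FROM registry.access.redhat.com/ubi9/ubi-minimal:latest` makes the final image depend on whatever `latest` resolves to on build day, so two builds of the same commit can ship different OS packages and nothing records which base was used. Pin a release tag together with a digest, e.g. `FROM registry.access.redhat.com/ubi9/ubi-minimal:<tag>@sha256:<digest>`, and let Renovate bump it the same way it bumps the agent version below. The `FROM redhat/ubi9-minimal:9.6` lines added in patches 04 to 06 carry a tag but still no digest, unlike the `nginx-ubi` dependencies stage beside them.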
@@ -14,20 +15,17 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/tmp/nginx_signing.rsa.pub \ - --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ +# c-ares is required by for nginx-module-otel. It is not available in ubi9-minimal by default +RUN --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ - && rpm --import /tmp/nginx_signing.rsa.pub - -RUN microdnf --nodocs install -y nginx \ - && microdnf --nodocs install -y nginx-module-njs nginx-module-otel nginx-module-image-filter nginx-module-xslt \ - && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION}* - -RUN groupadd --system --gid 1001 nginx \ - && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ - && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ + --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + rpm --import /tmp/nginx_signing.key \ && microdnf update -y \ && microdnf --nodocs install -y shadow-utils subscription-manager \ + # microdnf --enablerepo=appstream install -y c-ares \ + && microdnf --nodocs install -y nginx \ + && microdnf --nodocs install -y nginx-module-njs nginx-module-image-filter nginx-module-xslt \ + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ && microdnf clean all RUN mkdir -p /usr/lib/nginx/modules \ diff --git a/build/ubi/repos/agent.repo b/build/ubi/repos/agent.repo new file mode 100644 index 0000000000..36665b874b --- /dev/null +++ b/build/ubi/repos/agent.repo @@ -0,0 +1,6 @@ +[agent] +name=agent repo +baseurl=https://packages.nginx.org/nginx-agent/centos/9/$basearch/ +gpgcheck=1 +enabled=1 +module_hotfixes=true 
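Review bot: The trailing `*` in `microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}*` (build/ubi/Dockerfile.nginx hunk) loosens the Renovate-managed pin: with `v3.3.1` the glob is `nginx-agent-3.3.1*`, which would also match a later `3.3.10`-style version. If the glob is only meant to absorb the RPM release suffix, anchor it at the separator, `nginx-agent-${NGINX_AGENT_VERSION#v}-*`. The `nginx` and module packages on the lines above are not version-pinned at all, and `microdnf update -y` in the same chain pulls whatever is current, so the image content is decided at build time rather than by the Dockerfile. The same glob returns in the patch 04 and patch 06 hunks.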
diff --git a/build/ubi/repos/nginx-agent.repo b/build/ubi/repos/nginx-agent.repo deleted file mode 100644 index a65508b538..0000000000 --- a/build/ubi/repos/nginx-agent.repo +++ /dev/null @@ -1,6 +0,0 @@ -[agent] -name=agent repo -baseurl=https://packages.nginx.org/nginx-agent/centos/9/\$basearch/ -gpgcheck=1 -enabled=1 -module_hotfixes=true \ No newline at end of file diff --git a/build/ubi/repos/nginx.repo b/build/ubi/repos/nginx.repo index 07a428cc8c..7c8e132faf 100644 --- a/build/ubi/repos/nginx.repo +++ b/build/ubi/repos/nginx.repo @@ -1,6 +1,6 @@ [nginx] name=nginx repo -baseurl=https://packages.nginx.org/nginx/mainline/centos/9/\$basearch/ +baseurl=https://packages.nginx.org/nginx/mainline/centos/9/$basearch/ gpgcheck=1 enabled=1 -module_hotfixes=true \ No newline at end of file +module_hotfixes=true From f154680dfeac6117dfdcd3ed8285438ced01de17 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 23 Sep 2025 11:31:01 +0100 Subject: [PATCH 03/19] Get required UBI packages for NGINX and install agent --- Makefile | 3 ++- build/entrypoint.sh | 7 ++++--- build/ubi/Dockerfile.nginx | 36 +++++++++++++++++++++++++++--------- 3 files changed, 33 insertions(+), 13 deletions(-) diff --git a/Makefile b/Makefile index 9dedbeb173..7a68305526 100644 --- a/Makefile +++ b/Makefile 
@@ -45,6 +45,7 @@ PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-g NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus BUILD_OS ?= alpine## The OS of the nginx image. Possible values: alpine and ubi +IMAGE_PULL_POLICY ?= Never## The image pull policy for the NGF and nginx images. Possible values: Always, Never, IfNotPresent TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0 TARGET ?= local## The target of the build. Possible values: local and container OUT_DIR ?= build/out## The folder where the binary will be stored 
@@ -228,7 +229,7 @@ install-ngf-local-build-with-plus: check-for-plus-usage-endpoint build-images-wi .PHONY: helm-install-local helm-install-local: install-gateway-crds ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build. - helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=Never --set nginx.service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=Never --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) + helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginx.service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) || helm uninstall nginx-gateway -n nginx-gateway .PHONY: helm-install-local-with-plus helm-install-local-with-plus: check-for-plus-usage-endpoint install-gateway-crds ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus. diff --git a/build/entrypoint.sh b/build/entrypoint.sh index 9e9552b338..dd07f169c9 100755 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh 
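Review bot: Appending `|| helm uninstall nginx-gateway -n nginx-gateway` to the `helm install` recipe line hides a failed install: when the install fails and the uninstall succeeds, the recipe exits 0, so `make helm-install-local` and anything chained after it reports success. Keep the cleanup but propagate the failure, e.g. end the line with `|| { helm uninstall nginx-gateway -n nginx-gateway; exit 1; }`.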
@@ -41,11 +41,12 @@ nginx_pid=$! SECONDS=0 -while ! ps -ef | grep "nginx: master process" | grep -v grep; do - if ((SECONDS > 5)); then - echo "couldn't find nginx master process" +while ! curl localhost:80 -s -o /dev/null; do + if ((SECONDS > 10)); then + echo "nginx didn't start within 10 seconds" exit 1 fi + sleep 200 done # start nginx-agent, pass args diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index e3788104af..471a88cafb 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -6,8 +6,9 @@ ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signi ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo +FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS packages + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest -# FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9 # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 
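Review bot: `sleep 200` in the new readiness loop of build/entrypoint.sh pauses for 200 seconds between probes, so the `SECONDS > 10` limit and its "within 10 seconds" message cannot be honoured; a failed first probe delays the exit by more than three minutes. A short pause such as `sleep 1` matches the stated timeout. The probe also assumes that nginx answers on `localhost:80` and that `curl` is present in every image using this entrypoint; neither is visible in this hunk, so confirm both.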
@@ -15,23 +16,40 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -# c-ares is required by for nginx-module-otel. It is not available in ubi9-minimal by default +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +# Prepare packages RUN --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + --mount=type=bind,from=packages,src=/,target=/ubi-bin/ \ rpm --import /tmp/nginx_signing.key \ && microdnf update -y \ && microdnf --nodocs install -y shadow-utils subscription-manager \ - # microdnf --enablerepo=appstream install -y c-ares \ + && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-installed \ + && microdnf --nodocs --setopt=install_weak_deps=0 install -y diffutils dnf \ + && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-new \ + && dnf install -y /ubi-bin/*.rpm \ + && dnf -q repoquery --resolve --requires --recursive --whatrequires nginx --queryformat "%{NAME}" > pkgs-nginx \ + && dnf --setopt=protected_packages= remove -y $(comm -13 pkgs-installed pkgs-new | comm -13 pkgs-nginx -) \ + && rm pkgs-installed pkgs-new pkgs-nginx \ && microdnf --nodocs install -y nginx \ && microdnf --nodocs install -y nginx-module-njs nginx-module-image-filter nginx-module-xslt \ - && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ - && microdnf clean all + # && microdnf --enablerepo=appstream install -y c-ares \ + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v} + +# RUN rm /etc/yum.repos.d/nginx.repo \ +# && rm /etc/yum.repos.d/agent.repo \ +# && microdnf clean all +# Configure logs and directories RUN mkdir -p /usr/lib/nginx/modules \ - # forward request and error logs to docker log collector + && mkdir -p /usr/lib64/nginx/modules \ + && mkdir -p /var/run/nginx \ && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr 
/var/log/nginx/error.log + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ + # && ln -sf /usr/lib64/nginx/modules/ngx_http_js_module.so /usr/lib/nginx/modules/ngx_http_js_module.so \ + # && ln -sf /usr/lib64/nginx/modules/ngx_stream_js_module.so /usr/lib/nginx/modules/ngx_stream_js_module.so COPY build/entrypoint.sh /agent/entrypoint.sh COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js @@ -39,10 +57,10 @@ COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf -RUN chown -R 101:1001 /etc/nginx /var/cache/nginx +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/run/nginx /etc/nginx-agent/nginx-agent.conf LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}" USER 101:1001 -ENTRYPOINT ["/agent/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["/agent/entrypoint.sh"] From b880fc743be6eae2d78e9bd390a9c3f033caed07 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 24 Sep 2025 09:18:01 +0100 Subject: [PATCH 04/19] Update entrypoint to find NGINX master process. Ensure `/tmp` is writable by nginx user --- build/entrypoint.sh | 9 ++- build/ubi/Dockerfile.nginx | 79 ++++++++++++---------- internal/controller/provisioner/objects.go | 2 + 3 files changed, 50 insertions(+), 40 deletions(-) diff --git a/build/entrypoint.sh b/build/entrypoint.sh index dd07f169c9..7dda63e9c2 100755 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -40,13 +40,12 @@ fi nginx_pid=$! SECONDS=0 - -while ! curl localhost:80 -s -o /dev/null; do - if ((SECONDS > 10)); then - echo "nginx didn't start within 10 seconds" +while [[ ! -f /var/run/nginx.pid ]] && [[ ! -f /var/run/nginx/nginx.pid ]]; do + if (( SECONDS > 30 )); then + echo "couldn't find nginx master process" exit 1 fi - sleep 200 + sleep 1 done # start nginx-agent, pass args 
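Review bot: The rewritten wait loop in the patch 04 build/entrypoint.sh hunk only tests for a pid file, so it keeps polling for the full 30 seconds when nginx has already exited, and a pid file left over from an earlier start would satisfy it while no master process exists. `nginx_pid` is set just above the loop; if `$!` there is the nginx launch (that line is outside the hunk) and nginx stays in the foreground, checking it on each pass with `kill -0 "$nginx_pid" 2>/dev/null || { echo "nginx exited during startup"; exit 1; }` fails fast and ties the check to the process that was actually started.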
diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 471a88cafb..a77f54066c 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -1,14 +1,16 @@ # syntax=docker/dockerfile:1.18 FROM scratch AS nginx-files -# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 +# Repository and key files for UBI-based builds ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS packages +FROM redhat/ubi9-minimal:9.6 AS ubi-minimal -FROM registry.access.redhat.com/ubi9/ubi-minimal:latest +FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages + +FROM ubi-minimal AS ubi-nginx # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 
@@ -16,51 +18,58 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -# Prepare packages -RUN --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ +LABEL name="NGINX Gateway Fabric NGINX" \ + maintainer="kubernetes@nginx.com" \ + vendor="NGINX Inc" \ + summary="NGINX for NGINX Gateway Fabric" \ + description="NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ + io.k8s.description="NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.openshift.tags="nginx,gateway,kubernetes,openshift" + +COPY --link --chown=101:1001 LICENSE /licenses/ + +# Install NGINX with OTEL support using the same approach as NGINX IC +RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ - --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ - --mount=type=bind,from=packages,src=/,target=/ubi-bin/ \ + --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \ + # Import NGINX signing key rpm --import /tmp/nginx_signing.key \ - && microdnf update -y \ - && microdnf --nodocs install -y shadow-utils subscription-manager \ - && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-installed \ - && microdnf --nodocs --setopt=install_weak_deps=0 install -y diffutils dnf \ - && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-new \ - && dnf install -y /ubi-bin/*.rpm \ - && dnf -q repoquery --resolve --requires --recursive --whatrequires nginx --queryformat "%{NAME}" > pkgs-nginx \ - && dnf --setopt=protected_packages= remove -y $(comm -13 pkgs-installed pkgs-new | comm -13 pkgs-nginx -) \ - && rm pkgs-installed pkgs-new pkgs-nginx \ - && microdnf --nodocs install -y nginx \ - && 
microdnf --nodocs install -y nginx-module-njs nginx-module-image-filter nginx-module-xslt \ - # && microdnf --enablerepo=appstream install -y c-ares \ - && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v} + # Install c-ares from the dependencies image (contains required libs) + && rpm -Uvh /ubi-bin/c-ares-*.rpm \ + # Create nginx user with consistent UID/GID + && groupadd -g 1001 nginx \ + && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ + # Install NGINX and modules including OTEL + && microdnf --nodocs install -y nginx nginx-module-njs nginx-module-otel \ + # Install nginx-agent + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ + # Clean up (only remove what we can) + && microdnf clean all \ + && rm -rf /var/cache/yum -# RUN rm /etc/yum.repos.d/nginx.repo \ -# && rm /etc/yum.repos.d/agent.repo \ -# && microdnf clean all - -# Configure logs and directories -RUN mkdir -p /usr/lib/nginx/modules \ - && mkdir -p /usr/lib64/nginx/modules \ - && mkdir -p /var/run/nginx \ +# Configure directories and logging +RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ + # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ - # && ln -sf /usr/lib64/nginx/modules/ngx_http_js_module.so /usr/lib/nginx/modules/ngx_http_js_module.so \ - # && ln -sf /usr/lib64/nginx/modules/ngx_stream_js_module.so /usr/lib/nginx/modules/ngx_stream_js_module.so + && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ + # Set proper permissions for nginx user + && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx /tmp \ + && chmod 1777 /tmp +# Copy configuration files and scripts COPY build/entrypoint.sh /agent/entrypoint.sh COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js COPY 
${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf -RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/run/nginx /etc/nginx-agent/nginx-agent.conf - -LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}" +# Set executable permissions +RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh +# Switch to non-root user USER 101:1001 ENTRYPOINT ["/agent/entrypoint.sh"] diff --git a/internal/controller/provisioner/objects.go b/internal/controller/provisioner/objects.go index 475a3e7319..caef41ce74 100644 --- a/internal/controller/provisioner/objects.go +++ b/internal/controller/provisioner/objects.go @@ -863,6 +863,7 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec( {MountPath: "/var/run/nginx", Name: "nginx-run"}, {MountPath: "/var/cache/nginx", Name: "nginx-cache"}, {MountPath: "/etc/nginx/includes", Name: "nginx-includes"}, + {MountPath: "/tmp", Name: "temp-dir"}, }, }, }, @@ -968,6 +969,7 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec( {Name: "nginx-run", VolumeSource: emptyDirVolumeSource}, {Name: "nginx-cache", VolumeSource: emptyDirVolumeSource}, {Name: "nginx-includes", VolumeSource: emptyDirVolumeSource}, + {Name: "temp-dir", VolumeSource: emptyDirVolumeSource}, { Name: "nginx-includes-bootstrap", VolumeSource: corev1.VolumeSource{ From caaf91aaef1eee2ecfa73ef26a7c88b895e66b25 Mon Sep 17 00:00:00 2001 
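Review bot: `RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh` in the build/ubi/Dockerfile.nginx hunk hands the script that `ENTRYPOINT` executes to the runtime user, so any process running as 101 in the container can rewrite it; together with `chown -R 101:1001 … /tmp` in the RUN above, the unprivileged user gets more write access than the image appears to need. Leave the script root-owned and set the mode at copy time, `COPY --chmod=0755 build/entrypoint.sh /agent/entrypoint.sh`, and drop `/tmp` from the chown. Separately, this hunk removes the `microdnf --nodocs install -y shadow-utils subscription-manager` step but still calls `groupadd` and `useradd`; unless the base image ships them the build fails, and the Plus Dockerfile in patch 06 installs `shadow-utils` for exactly that purpose.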
From: shaun-nx Date: Wed, 24 Sep 2025 11:06:56 +0100 Subject: [PATCH 05/19] Build control plane from UBI base image. Move current Alpine dockerfiles to `build/alpine` --- Makefile | 4 ++-- build/{ => alpine}/Dockerfile | 0 build/{ => alpine}/Dockerfile.nginx | 0 build/{ => alpine}/Dockerfile.nginxplus | 0 build/ubi/Dockerfile | 32 +++++++++++++++++++++++++ 5 files changed, 34 insertions(+), 2 deletions(-) rename build/{ => alpine}/Dockerfile (100%) rename build/{ => alpine}/Dockerfile.nginx (100%) rename build/{ => alpine}/Dockerfile.nginxplus (100%) create mode 100644 build/ubi/Dockerfile diff --git a/Makefile b/Makefile index 9ad33d3f1a..2d345a390a 100644 --- a/Makefile +++ b/Makefile @@ -86,7 +86,7 @@ build-prod-ngf-image: build-ngf-image ## Build the NGF docker image for producti .PHONY: build-ngf-image build-ngf-image: check-for-docker build ## Build the NGF docker image - docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: build-prod-nginx-image build-prod-nginx-image: build-nginx-image ## Build the custom nginx image for production 
@@ -100,7 +100,7 @@ build-prod-nginx-plus-image: build-nginx-plus-image ## Build the custom nginx pl .PHONY: build-nginx-plus-image build-nginx-plus-image: check-for-docker ## Build the custom nginx plus image - docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) -f $(SELF_DIR)build/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: check-for-docker check-for-docker: ## Check if Docker is installed diff --git a/build/Dockerfile b/build/alpine/Dockerfile similarity index 100% rename from build/Dockerfile rename to build/alpine/Dockerfile diff --git a/build/Dockerfile.nginx b/build/alpine/Dockerfile.nginx similarity index 100% rename from build/Dockerfile.nginx rename to build/alpine/Dockerfile.nginx diff --git a/build/Dockerfile.nginxplus b/build/alpine/Dockerfile.nginxplus similarity index 100% rename from build/Dockerfile.nginxplus rename to build/alpine/Dockerfile.nginxplus diff --git a/build/ubi/Dockerfile b/build/ubi/Dockerfile new file mode 100644 index 0000000000..c9a98b4bab --- /dev/null +++ b/build/ubi/Dockerfile 
@@ -0,0 +1,32 @@
+# syntax=docker/dockerfile:1.18
+FROM golang:1.25 AS builder
+
+WORKDIR /go/src/github.com/nginx/nginx-gateway-fabric
+
+COPY go.mod go.sum /go/src/github.com/nginx/nginx-gateway-fabric/
+RUN go mod download
+
+COPY . /go/src/github.com/nginx/nginx-gateway-fabric
+RUN make build
+
+FROM golang:1.25 AS ca-certs-provider
+
+FROM redhat/ubi9-minimal:9.6 AS ngf-ubi-minimal
+# Install CA certificates (if not present)
+RUN microdnf update && microdnf install -y ca-certificates && microdnf clean all
+# Alternatively, copy from ca-certs-provider if you prefer:
+# COPY --from=ca-certs-provider --link /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+USER 101:1001
+ARG BUILD_AGENT
+ENV BUILD_AGENT=${BUILD_AGENT}
+ENTRYPOINT [ "/usr/bin/gateway" ]
+
+FROM ngf-ubi-minimal AS container
+COPY --from=builder /go/src/github.com/nginxinc/nginx-gateway-fabric/build/out/gateway /usr/bin/gateway
+
+FROM ngf-ubi-minimal AS local
+COPY ./build/out/gateway /usr/bin/gateway
+
+FROM ngf-ubi-minimal AS goreleaser
+ARG TARGETARCH
+COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/gateway
\ No newline at end of file
From 25cee52fb179cef900afb325fc6f5cb4436f2da6 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 24 Sep 2025 15:43:38 +0100 Subject: [PATCH 06/19] Add Dockerfile to build NGINX Plus image based on ubi9-minimal --- build/ubi/Dockerfile | 6 +- build/ubi/Dockerfile.nginx | 3 +- build/ubi/Dockerfile.nginxplus | 78 +++++++++++++++++++++- internal/controller/provisioner/objects.go | 2 - 4 files changed, 79 insertions(+), 10 deletions(-)
diff --git a/build/ubi/Dockerfile b/build/ubi/Dockerfile
index c9a98b4bab..6a3cf69657 100644
--- a/build/ubi/Dockerfile
+++ b/build/ubi/Dockerfile
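Review bot: The `container` stage of the new build/ubi/Dockerfile copies from `/go/src/github.com/nginxinc/nginx-gateway-fabric/build/out/gateway`, but the `builder` stage sets `WORKDIR /go/src/github.com/nginx/nginx-gateway-fabric` and runs `make build` there, so that source path does not exist and `--target container` fails at the COPY (assuming `make build` writes to `build/out` under the work directory, as the `local` stage suggests). Use the builder's path: `COPY --from=builder /go/src/github.com/nginx/nginx-gateway-fabric/build/out/gateway /usr/bin/gateway`. `golang:1.25` and `redhat/ubi9-minimal:9.6` are tag-only here; adding a digest to each would make the control-plane image reproducible.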
@@ -12,10 +12,8 @@ RUN make build FROM golang:1.25 AS ca-certs-provider FROM redhat/ubi9-minimal:9.6 AS ngf-ubi-minimal -# Install CA certificates (if not present) -RUN microdnf update && microdnf install -y ca-certificates && microdnf clean all -# Alternatively, copy from ca-certs-provider if you prefer: -# COPY --from=ca-certs-provider --link /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +# CA certs are needed for telemetry report so that NGF can verify the server's certificate. +COPY --from=ca-certs-provider --link /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ USER 101:1001 ARG BUILD_AGENT ENV BUILD_AGENT=${BUILD_AGENT} diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index a77f54066c..4be64a7dda 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -56,8 +56,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ # Set proper permissions for nginx user - && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx /tmp \ - && chmod 1777 /tmp + && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx # Copy configuration files and scripts COPY build/entrypoint.sh /agent/entrypoint.sh diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 6f14661890..c01b70f560 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus 
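Review bot: Copying `ca-certificates.crt` from the `golang:1.25` stage in the build/ubi/Dockerfile hunk means the control plane's trust anchors now come from a floating tag of an unrelated image rather than from the UBI base, so the bundle's contents and age are no longer tied to the OS that ships. Either pin `ca-certs-provider` by digest or keep using the base image's own `ca-certificates` package as the replaced lines did. Also check the destination: if `/etc/ssl/certs` is a symlink in ubi9-minimal, `COPY --link` does not follow it, so confirm the file lands where the Go runtime looks for it.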
@@ -1,5 +1,79 @@ # syntax=docker/dockerfile:1.18 FROM scratch AS nginx-files -# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 -ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub +# NGINX Plus repo and key files (must be provided at build time) +ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx-plus.repo +ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key +ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo +ADD --link --chown=101:1001 nginx-repo.crt nginx-repo.crt +ADD --link --chown=101:1001 nginx-repo.key nginx-repo.key + +FROM redhat/ubi9-minimal:9.6 AS ubi-minimal + +FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages + +FROM ubi-minimal AS ubi-nginxplus + +# renovate: datasource=github-tags depName=nginx/agent +ARG NGINX_AGENT_VERSION=v3.3.1 +ARG NJS_DIR +ARG NGINX_CONF_DIR +ARG BUILD_AGENT + +LABEL name="NGINX Gateway Fabric NGINX Plus" \ + maintainer="kubernetes@nginx.com" \ + vendor="NGINX Inc" \ + summary="NGINX Plus for NGINX Gateway Fabric" \ + description="NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ + io.k8s.description="NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.openshift.tags="nginx-plus,gateway,kubernetes,openshift" + +COPY --link --chown=101:1001 LICENSE /licenses/ + +# Install NGINX Plus and modules +RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos.d/nginx-plus.repo \ + --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ + --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \ + 
--mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + # Install shadow-utils for useradd and subscription-manager for repo access + microdnf --nodocs install -y shadow-utils subscription-manager \ + && rpm --import /tmp/nginx_signing.key \ + # Install c-ares from the dependencies image (contains required libs) + && rpm -Uvh /ubi-bin/c-ares-*.rpm \ + # Create nginx user with consistent UID/GID + && groupadd -g 1001 nginx \ + && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ + # Install NGINX Plus and modules (njs, otel) + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel \ + # Install nginx-agent + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ + # Clean up + && microdnf clean all \ + && rm -rf /var/cache/yum + +# Configure directories and logging +RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ + # Forward request and error logs to docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ + # Set proper permissions for nginx user + && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx + +# Copy configuration files and scripts +COPY build/entrypoint.sh /agent/entrypoint.sh +COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf +COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf +COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf + +# Set executable permissions +RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh + +# Switch to non-root user +USER 101:1001 + +ENTRYPOINT ["/agent/entrypoint.sh"] 
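Review bot: The two remote `ADD` lines at the top of the `nginx-files` stage fetch `plus-9.repo` and `nginx_signing.key` without `--checksum`, and that key is then passed to `rpm --import`, which makes it the trust anchor for every package installed in the `RUN` below. The `dockerfile:1.18` frontend named in the syntax line supports `ADD --link --checksum=sha256:<digest-of-reviewed-key> https://nginx.org/keys/nginx_signing.key nginx_signing.key` (placeholder digest), which fails the build if the downloaded key ever differs from the reviewed one. Separately, both `--mount=type=secret` entries set `mode=0644`; the step runs as root, so dropping `mode` and keeping the default 0400 is enough for the repo client key.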
diff --git a/internal/controller/provisioner/objects.go b/internal/controller/provisioner/objects.go index caef41ce74..475a3e7319 100644 --- a/internal/controller/provisioner/objects.go +++ b/internal/controller/provisioner/objects.go @@ -863,7 +863,6 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec( {MountPath: "/var/run/nginx", Name: "nginx-run"}, {MountPath: "/var/cache/nginx", Name: "nginx-cache"}, {MountPath: "/etc/nginx/includes", Name: "nginx-includes"}, - {MountPath: "/tmp", Name: "temp-dir"}, }, }, }, @@ -969,7 +968,6 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec( {Name: "nginx-run", VolumeSource: emptyDirVolumeSource}, {Name: "nginx-cache", VolumeSource: emptyDirVolumeSource}, {Name: "nginx-includes", VolumeSource: emptyDirVolumeSource}, - {Name: "temp-dir", VolumeSource: emptyDirVolumeSource}, { Name: "nginx-includes-bootstrap", VolumeSource: corev1.VolumeSource{ From fd1498cc270b8caf56aec049f83f7f7aaceb559b Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 24 Sep 2025 15:59:48 +0100 Subject: [PATCH 07/19] Fix eof errors --- build/entrypoint.sh | 2 +- build/ubi/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/entrypoint.sh b/build/entrypoint.sh index 7dda63e9c2..3c05aebcd9 100755 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -41,7 +41,7 @@ nginx_pid=$! SECONDS=0 while [[ ! -f /var/run/nginx.pid ]] && [[ ! -f /var/run/nginx/nginx.pid ]]; do - if (( SECONDS > 30 )); then + if ((SECONDS > 30)); then echo "couldn't find nginx master process" exit 1 fi diff --git a/build/ubi/Dockerfile b/build/ubi/Dockerfile index 6a3cf69657..81cc76e417 100644 --- a/build/ubi/Dockerfile +++ b/build/ubi/Dockerfile @@ -27,4 +27,4 @@ COPY ./build/out/gateway /usr/bin/gateway FROM ngf-ubi-minimal AS goreleaser ARG TARGETARCH -COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/gateway \ No newline at end of file +COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/gateway 
From 85d8358aefc4b47e508593de7c99ce89a1b42061 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 10:08:19 +0100 Subject: [PATCH 08/19] Move alpine base Dockerfiles back to build dir --- Makefile | 9 ++++----- build/{alpine => }/Dockerfile | 0 build/{alpine => }/Dockerfile.nginx | 0 build/{alpine => }/Dockerfile.nginxplus | 0 build/ubi/Dockerfile.nginx | 2 +- build/ubi/Dockerfile.nginxplus | 2 +- 6 files changed, 6 insertions(+), 7 deletions(-) rename build/{alpine => }/Dockerfile (100%) rename build/{alpine => }/Dockerfile.nginx (100%) rename build/{alpine => }/Dockerfile.nginxplus (100%) diff --git a/Makefile b/Makefile index 2d345a390a..5ba6dad8c9 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,6 @@ NJS_DIR = internal/controller/nginx/modules/src KIND_CONFIG_FILE = $(SELF_DIR)config/cluster/kind-cluster.yaml NGINX_DOCKER_BUILD_PLUS_ARGS = --secret id=nginx-repo.crt,src=$(SELF_DIR)nginx-repo.crt --secret id=nginx-repo.key,src=$(SELF_DIR)nginx-repo.key BUILD_AGENT = local -BASE_IMAGE ?= nginx:1.29.1-alpine-otel PROD_TELEMETRY_ENDPOINT = oss.edge.df.f5.com:443 # the telemetry related variables below are also configured in goreleaser.yml @@ -44,7 +43,7 @@ HELM_SCHEMA_VERSION = 0.18.1 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus -BUILD_OS ?= alpine## The OS of the nginx image. Possible values: alpine and ubi +BUILD_OS ?= ## The OS of the nginx image. Possible values: alpine and ubi IMAGE_PULL_POLICY ?= Never## The image pull policy for the NGF and nginx images. Possible values: Always, Never, IfNotPresent TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0 TARGET ?= local## The target of the build. Possible values: local and container 
@@ -86,21 +85,21 @@ build-prod-ngf-image: build-ngf-image ## Build the NGF docker image for producti .PHONY: build-ngf-image build-ngf-image: check-for-docker build ## Build the NGF docker image - docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/$(if $(BUILD_OS),$(BUILD_OS)/)Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: build-prod-nginx-image build-prod-nginx-image: build-nginx-image ## Build the custom nginx image for production .PHONY: build-nginx-image build-nginx-image: check-for-docker ## Build the custom nginx image - docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/$(if $(BUILD_OS),$(BUILD_OS)/)Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: build-prod-nginx-plus-image build-prod-nginx-plus-image: build-nginx-plus-image ## Build the custom nginx plus image for production .PHONY: build-nginx-plus-image build-nginx-plus-image: check-for-docker ## Build the custom nginx plus image - docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) -f $(SELF_DIR)build/$(if $(BUILD_OS),$(BUILD_OS)/)Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) 
$(strip $(SELF_DIR)) .PHONY: check-for-docker check-for-docker: ## Check if Docker is installed diff --git a/build/alpine/Dockerfile b/build/Dockerfile similarity index 100% rename from build/alpine/Dockerfile rename to build/Dockerfile diff --git a/build/alpine/Dockerfile.nginx b/build/Dockerfile.nginx similarity index 100% rename from build/alpine/Dockerfile.nginx rename to build/Dockerfile.nginx diff --git a/build/alpine/Dockerfile.nginxplus b/build/Dockerfile.nginxplus similarity index 100% rename from build/alpine/Dockerfile.nginxplus rename to build/Dockerfile.nginxplus diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 4be64a7dda..27a7d7533b 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -54,7 +54,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ + && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ # Set proper permissions for nginx user && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index c01b70f560..ef708da129 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -59,7 +59,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ + && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ # Set proper permissions for nginx user && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx 
From d28416af8cbdda6f6054a396c9c9feb758c1b34e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 10:28:30 +0100 Subject: [PATCH 09/19] Fix merge conflict --- Makefile | 5 ----- 1 file changed, 5 deletions(-) diff --git a/Makefile b/Makefile index fa06e2a244..a559a7051a 100644 --- a/Makefile +++ b/Makefile @@ -44,7 +44,6 @@ PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-g NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus BUILD_OS ?= ## The OS of the nginx image. Possible values: alpine and ubi -IMAGE_PULL_POLICY ?= Never## The image pull policy for the NGF and nginx images. Possible values: Always, Never, IfNotPresent NGINX_SERVICE_TYPE ?= NodePort## The type of the nginx service. Possible values: NodePort, LoadBalancer, ClusterIP PULL_POLICY ?= Never## The pull policy of the images. Possible values: Always, IfNotPresent, Never TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0 
@@ -230,11 +229,7 @@ install-ngf-local-build-with-plus: check-for-plus-usage-endpoint build-images-wi .PHONY: helm-install-local helm-install-local: install-gateway-crds ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build. -<<<<<<< HEAD - helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginx.service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) || helm uninstall nginx-gateway -n nginx-gateway -======= helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=$(PULL_POLICY) --set nginx.service.type=$(NGINX_SERVICE_TYPE) --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) ->>>>>>> feat/openshift-support .PHONY: helm-install-local-with-plus helm-install-local-with-plus: check-for-plus-usage-endpoint install-gateway-crds ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus. From 523ebd1f8776836feeccf5dd93528eeba642f22b Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 10:59:34 +0100 Subject: [PATCH 10/19] Update labels --- build/ubi/Dockerfile.nginx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 27a7d7533b..f88d4cefa0 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -20,11 +20,11 @@ ARG BUILD_AGENT LABEL name="NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ - vendor="NGINX Inc" \ - summary="NGINX for NGINX Gateway Fabric" \ - description="NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + vendor="F5 NGINX Inc" \ + summary="F5 NGINX for NGINX Gateway Fabric" \ + description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.k8s.description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ From 31750dddda0cddf8f884e84c54d9cafa3232db4e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 11:00:08 +0100 Subject: [PATCH 11/19] Update lables for plus builds --- build/ubi/Dockerfile.nginxplus | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index ef708da129..f369764c48 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus 
@@ -20,14 +20,14 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -LABEL name="NGINX Gateway Fabric NGINX Plus" \ +LABEL name="NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ - vendor="NGINX Inc" \ - summary="NGINX Plus for NGINX Gateway Fabric" \ - description="NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + vendor="F5 NGINX Inc" \ + summary="F5 NGINX for NGINX Gateway Fabric" \ + description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ - io.openshift.tags="nginx-plus,gateway,kubernetes,openshift" + io.k8s.description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ From 714675277bf3aa0e7f6608c2acbfb2c449e59e5c Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 11:01:33 +0100 Subject: [PATCH 12/19] Update lables to distinguish between OSS and Plus --- build/ubi/Dockerfile.nginx | 2 +- build/ubi/Dockerfile.nginxplus | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index f88d4cefa0..f924ec472b 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -18,7 +18,7 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -LABEL name="NGINX Gateway Fabric NGINX" \ +LABEL name="F5 NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ vendor="F5 NGINX Inc" \ summary="F5 NGINX for NGINX Gateway Fabric" \ diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index f369764c48..72b1d43802 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus 
@@ -20,13 +20,13 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -LABEL name="NGINX Gateway Fabric NGINX" \ +LABEL name="F5 NGINX Gateway Fabric NGINX Plus" \ maintainer="kubernetes@nginx.com" \ vendor="F5 NGINX Inc" \ - summary="F5 NGINX for NGINX Gateway Fabric" \ - description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + summary="F5 NGINX Plus for NGINX Gateway Fabric" \ + description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.k8s.description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ From e776ae16178f8c71decedf0645dadf3047cc2182 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 11:32:43 +0100 Subject: [PATCH 13/19] Make NGINX Plus version configurable --- build/ubi/Dockerfile.nginxplus | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 72b1d43802..54bd8719d5 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -12,7 +12,9 @@ FROM redhat/ubi9-minimal:9.6 AS ubi-minimal FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM ubi-minimal AS ubi-nginxplus +FROM ubi-minimal AS ubi-nginx-plus + +ARG NGINX_PLUS_VERSION=R35 # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 
@@ -47,7 +49,8 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos && groupadd -g 1001 nginx \ && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ # Install NGINX Plus and modules (njs, otel) - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel \ + && microdnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION,,} \ + && microdnf --nodocs install -y nginx-plus-module-njs-${NGINX_PLUS_VERSION,,} nginx-plus-module-otel-${NGINX_PLUS_VERSION,,} \ # Install nginx-agent && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up From c5e49a37d0e74fc839c3ad91e66f8a878c8a2276 Mon Sep 17 00:00:00 2001 From: Shaun Date: Thu, 25 Sep 2025 14:03:16 +0100 Subject: [PATCH 14/19] Update build/ubi/Dockerfile.nginx Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- build/ubi/Dockerfile.nginx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index f924ec472b..9040c568ee 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -20,7 +20,7 @@ ARG BUILD_AGENT LABEL name="F5 NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ - vendor="F5 NGINX Inc" \ + vendor="F5 NGINX" \ summary="F5 NGINX for NGINX Gateway Fabric" \ description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ From bc7c10f8419111075c5104324793d24e23f7f57a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 14:07:21 +0100 Subject: [PATCH 15/19] Update lables and remove BASE_IMAGE --- Makefile | 2 +- build/ubi/Dockerfile.nginx | 6 +++--- build/ubi/Dockerfile.nginxplus | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index a559a7051a..7b9b73ca2f 100644 --- a/Makefile +++ b/Makefile 
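Review bot: `${NGINX_PLUS_VERSION,,}` in the two added `microdnf install` lines is a bash case-conversion expansion, while a shell-form `RUN` is executed through `/bin/sh -c`, so the step depends on `/bin/sh` in the base image being bash, and nothing in the file says so. A comment above the install, for example `# ${VAR,,} lowercases R35 to r35; requires bash as /bin/sh`, would keep a later base-image change from silently breaking the package names. The enclosing `RUN` starts above this hunk.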
@@ -55,7 +55,7 @@ PLUS_ENABLED ?= false PLUS_LICENSE_FILE ?= $(SELF_DIR)license.jwt PLUS_USAGE_ENDPOINT ?=## The N+ usage endpoint. For development, please set to the N1 staging endpoint. -override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) --build-arg BASE_IMAGE=$(BASE_IMAGE) +override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) .DEFAULT_GOAL := help diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 9040c568ee..22feabb410 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -21,10 +21,10 @@ ARG BUILD_AGENT LABEL name="F5 NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ vendor="F5 NGINX" \ - summary="F5 NGINX for NGINX Gateway Fabric" \ - description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + summary="NGINX Gateway Fabric" \ + description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.k8s.description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \ io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 54bd8719d5..8cb920d8ad 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus 
@@ -24,11 +24,11 @@ ARG BUILD_AGENT LABEL name="F5 NGINX Gateway Fabric NGINX Plus" \ maintainer="kubernetes@nginx.com" \ - vendor="F5 NGINX Inc" \ - summary="F5 NGINX Plus for NGINX Gateway Fabric" \ - description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + vendor="F5 NGINX" \ + summary="NGINX Gateway Fabric" \ + description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.k8s.description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \ io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ From cbcd7ca1b3b0ed2b171f5ed14d0df0e45437d873 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 14:28:10 +0100 Subject: [PATCH 16/19] Remove local reference to crt and key files --- build/ubi/Dockerfile.nginxplus | 2 -- 1 file changed, 2 deletions(-) diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 8cb920d8ad..cbb4a78c44 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -5,8 +5,6 @@ FROM scratch AS nginx-files ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx-plus.repo ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -ADD --link --chown=101:1001 nginx-repo.crt nginx-repo.crt -ADD --link --chown=101:1001 nginx-repo.key nginx-repo.key FROM redhat/ubi9-minimal:9.6 AS ubi-minimal From d9155b204e31844394b170f52abf8f5bbddbb01e Mon Sep 17 00:00:00 2001 
From: shaun-nx Date: Fri, 26 Sep 2025 11:05:16 +0100 Subject: [PATCH 17/19] Set permissions on required directories. Update lables --- build/ubi/Dockerfile.nginx | 20 ++++++++------------ build/ubi/Dockerfile.nginxplus | 21 +++++++++++---------- 2 files changed, 19 insertions(+), 22 deletions(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 22feabb410..71adbb37e7 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -6,11 +6,9 @@ ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signi ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -FROM redhat/ubi9-minimal:9.6 AS ubi-minimal - FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM ubi-minimal AS ubi-nginx +FROM redhat/ubi9-minimal:9.6 AS ubi-nginx # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 @@ -18,7 +16,7 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -LABEL name="F5 NGINX Gateway Fabric NGINX" \ +LABEL name="F5 NGINX Gateway Fabric NGINX OSS" \ maintainer="kubernetes@nginx.com" \ vendor="F5 NGINX" \ summary="NGINX Gateway Fabric" \ @@ -29,7 +27,7 @@ LABEL name="F5 NGINX Gateway Fabric NGINX" \ COPY --link --chown=101:1001 LICENSE /licenses/ -# Install NGINX with OTEL support using the same approach as NGINX IC +# Install NGINX with packages RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ 
@@ -54,20 +52,18 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ - # Set proper permissions for nginx user - && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx + && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ + +# Set proper permissions for nginx user +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx # Copy configuration files and scripts COPY build/entrypoint.sh /agent/entrypoint.sh -COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NJS_DIR}/ /usr/lib/nginx/modules/njs/ COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf -# Set executable permissions -RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh - # Switch to non-root user USER 101:1001 diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index cbb4a78c44..30922e4b0d 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -6,11 +6,9 @@ ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx- ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -FROM redhat/ubi9-minimal:9.6 AS ubi-minimal - FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM ubi-minimal AS ubi-nginx-plus +FROM redhat/ubi9-minimal:9.6 AS ubi-nginx-plus ARG NGINX_PLUS_VERSION=R35 
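Review bot: The new standalone `RUN chown -R 101:1001 /etc/nginx /var/cache/nginx` no longer covers `/var/run/nginx` and `/var/log/nginx`, which the `mkdir -p` / `ln -sf` step just above creates as root, so UID 101 can presumably write its pid file under `/var/run/nginx` only when a writable volume is mounted over it. The provisioner does mount an emptyDir at that path, but the image then depends on that mount to start; if that is intended, state it in the comment above the `chown`, otherwise keep the directory in the list: `RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/run/nginx`. The same reduction is made in the `Dockerfile.nginxplus` hunk `@@ -60,20 +59,22 @@`.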
@@ -52,6 +50,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos # Install nginx-agent && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up + # && microdnf remove -y shadow-utils subscription-manager \ && microdnf clean all \ && rm -rf /var/cache/yum @@ -60,20 +59,22 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ - # Set proper permissions for nginx user - && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx + && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ + +# Copy default html files to a writable location +RUN mkdir -p /etc/nginx/html \ + && cp /usr/share/nginx/html/* /etc/nginx/html/ + +# Set proper permissions for nginx user +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx # Copy configuration files and scripts COPY build/entrypoint.sh /agent/entrypoint.sh -COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NJS_DIR}/ /usr/lib/nginx/modules/njs/ COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf -# Set executable permissions -RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh - # Switch to non-root user USER 101:1001 From 168e2b03b53c79ec4f34ba6461ed8fe52728a7a2 Mon Sep 17 00:00:00 2001 From: Shaun Date: Fri, 26 Sep 2025 16:48:44 +0100 Subject: [PATCH 18/19] Update Makefile Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 7b9b73ca2f..1391c54abd 100644 
--- a/Makefile +++ b/Makefile @@ -43,7 +43,7 @@ HELM_SCHEMA_VERSION = 0.18.1 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus -BUILD_OS ?= ## The OS of the nginx image. Possible values: alpine and ubi +BUILD_OS ?= ## The OS of the nginx image. Possible values: ubi and empty string, which defaults to alpine. NGINX_SERVICE_TYPE ?= NodePort## The type of the nginx service. Possible values: NodePort, LoadBalancer, ClusterIP PULL_POLICY ?= Never## The pull policy of the images. Possible values: Always, IfNotPresent, Never TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0 From 00dbbc68245f13f05a834c36349669f94363f4df Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 16:52:10 +0100 Subject: [PATCH 19/19] Ensure subscription manage and shadowutils are removed --- build/ubi/Dockerfile.nginxplus | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 30922e4b0d..6224136c09 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -50,7 +50,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos # Install nginx-agent && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up - # && microdnf remove -y shadow-utils subscription-manager \ + && microdnf remove -y shadow-utils subscription-manager \ && microdnf clean all \ && rm -rf /var/cache/yum