From 58d9674850294c0237f1a6dca5937c6f1da71bce Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 22 Sep 2025 09:42:08 +0100 Subject: [PATCH 01/65] Add initial Dockerfile to build NGINX OSS images based on ubi9-minimal --- Makefile | 3 +- build/ubi/Dockerfile.nginx | 50 ++++++++++++++++++++++++++++++++ build/ubi/Dockerfile.nginxplus | 5 ++++ build/ubi/repos/nginx-agent.repo | 6 ++++ build/ubi/repos/nginx.repo | 6 ++++ 5 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 build/ubi/Dockerfile.nginx create mode 100644 build/ubi/Dockerfile.nginxplus create mode 100644 build/ubi/repos/nginx-agent.repo create mode 100644 build/ubi/repos/nginx.repo diff --git a/Makefile b/Makefile index c794b3a9e2..7ca035810c 100644 --- a/Makefile +++ b/Makefile @@ -7,6 +7,7 @@ NJS_DIR = internal/controller/nginx/modules/src KIND_CONFIG_FILE = $(SELF_DIR)config/cluster/kind-cluster.yaml NGINX_DOCKER_BUILD_PLUS_ARGS = --secret id=nginx-repo.crt,src=$(SELF_DIR)nginx-repo.crt --secret id=nginx-repo.key,src=$(SELF_DIR)nginx-repo.key BUILD_AGENT = local +BASE_IMAGE ?= nginx:1.29.1-alpine-otel PROD_TELEMETRY_ENDPOINT = oss.edge.df.f5.com:443 # the telemetry related variables below are also configured in goreleaser.yml @@ -52,7 +53,7 @@ PLUS_ENABLED ?= false PLUS_LICENSE_FILE ?= $(SELF_DIR)license.jwt PLUS_USAGE_ENDPOINT ?=## The N+ usage endpoint. For development, please set to the N1 staging endpoint. -override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) +override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) --build-arg BASE_IMAGE=$(BASE_IMAGE) .DEFAULT_GOAL := help diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx new file mode 100644 index 0000000000..a50d8a7afd --- /dev/null +++ b/build/ubi/Dockerfile.nginx 
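Review bot: `BASE_IMAGE ?= nginx:1.29.1-alpine-otel` in the first Makefile hunk defaults to a mutable tag, and the second hunk forwards it to every nginx image build through `NGINX_DOCKER_BUILD_OPTIONS`. Neither Dockerfile added under `build/ubi/` in this patch declares `ARG BASE_IMAGE`, so for those builds the argument is passed but never consumed; how the existing Dockerfiles use it is not visible here. If it selects a `FROM` image, pin the default by digest (`nginx:1.29.1-alpine-otel@sha256:<digest>`) so a re-pushed tag cannot silently change what gets built.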
@@ -0,0 +1,50 @@ +# syntax=docker/dockerfile:1.18 +FROM scratch AS nginx-files + +# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 +ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub +ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo +ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo + +FROM ubi9-minimal + +# renovate: datasource=github-tags depName=nginx/agent +ARG NGINX_AGENT_VERSION=v3.3.1 +ARG NJS_DIR +ARG NGINX_CONF_DIR +ARG BUILD_AGENT + +RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/tmp/nginx_signing.rsa.pub \ + --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ + --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ + && rpm --import /tmp/nginx_signing.rsa.pub + +RUN microdnf --nodocs install -y nginx \ + && microdnf --nodocs install -y nginx-module-njs nginx-module-otel nginx-module-image-filter nginx-module-xslt \ + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION}* + +RUN groupadd --system --gid 1001 nginx \ + && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ + && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ + && microdnf update -y \ + && microdnf --nodocs install -y shadow-utils subscription-manager \ + && microdnf clean all + +RUN mkdir -p /usr/lib/nginx/modules \ + # forward request and error logs to docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +COPY build/entrypoint.sh /agent/entrypoint.sh +COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf +COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf +COPY 
${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf + +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx + +LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}" + +USER 101:1001 + +ENTRYPOINT ["/agent/entrypoint.sh"] \ No newline at end of file diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus new file mode 100644 index 0000000000..6f14661890 --- /dev/null +++ b/build/ubi/Dockerfile.nginxplus @@ -0,0 +1,5 @@ +# syntax=docker/dockerfile:1.18 +FROM scratch AS nginx-files + +# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 +ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub diff --git a/build/ubi/repos/nginx-agent.repo b/build/ubi/repos/nginx-agent.repo new file mode 100644 index 0000000000..a65508b538 --- /dev/null +++ b/build/ubi/repos/nginx-agent.repo @@ -0,0 +1,6 @@ +[agent] +name=agent repo +baseurl=https://packages.nginx.org/nginx-agent/centos/9/\$basearch/ +gpgcheck=1 +enabled=1 +module_hotfixes=true \ No newline at end of file diff --git a/build/ubi/repos/nginx.repo b/build/ubi/repos/nginx.repo new file mode 100644 index 0000000000..07a428cc8c --- /dev/null +++ b/build/ubi/repos/nginx.repo @@ -0,0 +1,6 @@ +[nginx] +name=nginx repo +baseurl=https://packages.nginx.org/nginx/mainline/centos/9/\$basearch/ +gpgcheck=1 +enabled=1 +module_hotfixes=true \ No newline at end of file From 20d131e64f7b2482cf9fd588379d918ec800ffac Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 22 Sep 2025 10:36:43 +0100 Subject: [PATCH 02/65] Update repo files and use red hat registered ubi-minimal --- Makefile | 3 ++- build/ubi/Dockerfile.nginx | 24 +++++++++++------------- build/ubi/repos/agent.repo | 6 ++++++ build/ubi/repos/nginx-agent.repo | 6 ------ build/ubi/repos/nginx.repo | 4 ++-- 5 files changed, 21 insertions(+), 22 deletions(-) create mode 100644 build/ubi/repos/agent.repo delete mode 100644 build/ubi/repos/nginx-agent.repo 
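Review bot: The signing key that backs `gpgcheck=1` is fetched at build time by `ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub` in `build/ubi/Dockerfile.nginx` with no integrity pin, so package verification trusts whatever that URL serves on the day of the build. `ADD` accepts `--checksum=sha256:<digest-of-key>` for remote sources, or the key can be committed next to the repo files, as the comment above the line already suggests. The same unpinned fetch appears in the `Dockerfile.nginxplus` hunk of this patch and in the later revisions of both files (PATCH 02 switches the URL, PATCH 06 also downloads the Plus `.repo` file this way). Separately, `FROM ubi9-minimal` names neither a registry nor a tag.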
diff --git a/Makefile b/Makefile index 7ca035810c..9dedbeb173 100644 --- a/Makefile +++ b/Makefile @@ -44,6 +44,7 @@ HELM_SCHEMA_VERSION = 0.18.1 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus +BUILD_OS ?= alpine## The OS of the nginx image. Possible values: alpine and ubi TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0 TARGET ?= local## The target of the build. Possible values: local and container OUT_DIR ?= build/out## The folder where the binary will be stored @@ -91,7 +92,7 @@ build-prod-nginx-image: build-nginx-image ## Build the custom nginx image for pr .PHONY: build-nginx-image build-nginx-image: check-for-docker ## Build the custom nginx image - docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: build-prod-nginx-plus-image build-prod-nginx-plus-image: build-nginx-plus-image ## Build the custom nginx plus image for production diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index a50d8a7afd..e3788104af 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx 
@@ -2,11 +2,12 @@ FROM scratch AS nginx-files # the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 -ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub +ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -FROM ubi9-minimal +FROM registry.access.redhat.com/ubi9/ubi-minimal:latest +# FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9 # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 
@@ -14,20 +15,17 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/tmp/nginx_signing.rsa.pub \ - --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ +# c-ares is required by for nginx-module-otel. It is not available in ubi9-minimal by default +RUN --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ - && rpm --import /tmp/nginx_signing.rsa.pub - -RUN microdnf --nodocs install -y nginx \ - && microdnf --nodocs install -y nginx-module-njs nginx-module-otel nginx-module-image-filter nginx-module-xslt \ - && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION}* - -RUN groupadd --system --gid 1001 nginx \ - && useradd --system --gid nginx --no-create-home --home-dir /nonexistent --comment "nginx user" --shell /bin/false --uid 101 nginx \ - && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ + --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + rpm --import /tmp/nginx_signing.key \ && microdnf update -y \ && microdnf --nodocs install -y shadow-utils subscription-manager \ + # microdnf --enablerepo=appstream install -y c-ares \ + && microdnf --nodocs install -y nginx \ + && microdnf --nodocs install -y nginx-module-njs nginx-module-image-filter nginx-module-xslt \ + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ && microdnf clean all RUN mkdir -p /usr/lib/nginx/modules \ diff --git a/build/ubi/repos/agent.repo b/build/ubi/repos/agent.repo new file mode 100644 index 0000000000..36665b874b --- /dev/null +++ b/build/ubi/repos/agent.repo @@ -0,0 +1,6 @@ +[agent] +name=agent repo +baseurl=https://packages.nginx.org/nginx-agent/centos/9/$basearch/ +gpgcheck=1 +enabled=1 +module_hotfixes=true 
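Review bot: `nginx-agent-${NGINX_AGENT_VERSION#v}*` ends in a bare wildcard, so the `v3.3.1` pin can also match any later package whose version merely starts with the same characters (3.3.10, for example), assuming microdnf resolves the pattern the way dnf does. If the wildcard is only there to absorb the RPM release field, `nginx-agent-${NGINX_AGENT_VERSION#v}-*` keeps the version exact. The same spec comes back in the PATCH 04 revision of this file and in `Dockerfile.nginxplus` in PATCH 06. The `RUN` continues a chain whose start is in this hunk, but the rest of the file lies outside it.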
diff --git a/build/ubi/repos/nginx-agent.repo b/build/ubi/repos/nginx-agent.repo deleted file mode 100644 index a65508b538..0000000000 --- a/build/ubi/repos/nginx-agent.repo +++ /dev/null @@ -1,6 +0,0 @@ -[agent] -name=agent repo -baseurl=https://packages.nginx.org/nginx-agent/centos/9/\$basearch/ -gpgcheck=1 -enabled=1 -module_hotfixes=true \ No newline at end of file diff --git a/build/ubi/repos/nginx.repo b/build/ubi/repos/nginx.repo index 07a428cc8c..7c8e132faf 100644 --- a/build/ubi/repos/nginx.repo +++ b/build/ubi/repos/nginx.repo @@ -1,6 +1,6 @@ [nginx] name=nginx repo -baseurl=https://packages.nginx.org/nginx/mainline/centos/9/\$basearch/ +baseurl=https://packages.nginx.org/nginx/mainline/centos/9/$basearch/ gpgcheck=1 enabled=1 -module_hotfixes=true \ No newline at end of file +module_hotfixes=true From f154680dfeac6117dfdcd3ed8285438ced01de17 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 23 Sep 2025 11:31:01 +0100 Subject: [PATCH 03/65] Get required UBI packages for NGINX and install agent --- Makefile | 3 ++- build/entrypoint.sh | 7 ++++--- build/ubi/Dockerfile.nginx | 36 +++++++++++++++++++++++++++--------- 3 files changed, 33 insertions(+), 13 deletions(-) diff --git a/Makefile b/Makefile index 9dedbeb173..7a68305526 100644 --- a/Makefile +++ b/Makefile 
@@ -45,6 +45,7 @@ PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-g
 NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx
 NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus
 BUILD_OS ?= alpine## The OS of the nginx image. Possible values: alpine and ubi
+IMAGE_PULL_POLICY ?= Never## The image pull policy for the NGF and nginx images. Possible values: Always, Never, IfNotPresent
 TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0
 TARGET ?= local## The target of the build. Possible values: local and container
 OUT_DIR ?= build/out## The folder where the binary will be stored
@@ -228,7 +229,7 @@ install-ngf-local-build-with-plus: check-for-plus-usage-endpoint build-images-wi .PHONY: helm-install-local helm-install-local: install-gateway-crds ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build. - helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=Never --set nginx.service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=Never --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) + helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginx.service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) || helm uninstall nginx-gateway -n nginx-gateway .PHONY: helm-install-local-with-plus helm-install-local-with-plus: check-for-plus-usage-endpoint install-gateway-crds ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus. diff --git a/build/entrypoint.sh b/build/entrypoint.sh index 9e9552b338..dd07f169c9 100755 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh 
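Review bot: The new `|| helm uninstall nginx-gateway -n nginx-gateway` on the `helm-install-local` recipe turns a failed install into a successful target whenever the uninstall itself succeeds, because the recipe line's exit status is then that of `helm uninstall`. CI jobs and the `install-ngf-local-build` chain would carry on as if NGF were deployed. Keep the cleanup but preserve the failure: `|| { helm uninstall nginx-gateway -n nginx-gateway; exit 1; }`.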
@@ -41,11 +41,12 @@ nginx_pid=$! SECONDS=0 -while ! ps -ef | grep "nginx: master process" | grep -v grep; do - if ((SECONDS > 5)); then - echo "couldn't find nginx master process" +while ! curl localhost:80 -s -o /dev/null; do + if ((SECONDS > 10)); then + echo "nginx didn't start within 10 seconds" exit 1 fi + sleep 200 done # start nginx-agent, pass args diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index e3788104af..471a88cafb 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -6,8 +6,9 @@ ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signi ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo +FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS packages + FROM registry.access.redhat.com/ubi9/ubi-minimal:latest -# FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9 # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 
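Review bot: `sleep 200` in the new wait loop of `build/entrypoint.sh` pauses for 200 seconds, so the `SECONDS > 10` check and its "within 10 seconds" message can only fire after the first sleep returns, more than three minutes into a failed start. A sub-second interval such as `sleep 0.2` looks like what was meant. The probe `curl localhost:80 -s -o /dev/null` also makes startup depend on curl being present in the image and on nginx answering on port 80, neither of which this hunk guarantees. The script continues outside the hunk.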
@@ -15,23 +16,40 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -# c-ares is required by for nginx-module-otel. It is not available in ubi9-minimal by default +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +# Prepare packages RUN --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + --mount=type=bind,from=packages,src=/,target=/ubi-bin/ \ rpm --import /tmp/nginx_signing.key \ && microdnf update -y \ && microdnf --nodocs install -y shadow-utils subscription-manager \ - # microdnf --enablerepo=appstream install -y c-ares \ + && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-installed \ + && microdnf --nodocs --setopt=install_weak_deps=0 install -y diffutils dnf \ + && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-new \ + && dnf install -y /ubi-bin/*.rpm \ + && dnf -q repoquery --resolve --requires --recursive --whatrequires nginx --queryformat "%{NAME}" > pkgs-nginx \ + && dnf --setopt=protected_packages= remove -y $(comm -13 pkgs-installed pkgs-new | comm -13 pkgs-nginx -) \ + && rm pkgs-installed pkgs-new pkgs-nginx \ && microdnf --nodocs install -y nginx \ && microdnf --nodocs install -y nginx-module-njs nginx-module-image-filter nginx-module-xslt \ - && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ - && microdnf clean all + # && microdnf --enablerepo=appstream install -y c-ares \ + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v} + +# RUN rm /etc/yum.repos.d/nginx.repo \ +# && rm /etc/yum.repos.d/agent.repo \ +# && microdnf clean all +# Configure logs and directories RUN mkdir -p /usr/lib/nginx/modules \ - # forward request and error logs to docker log collector + && mkdir -p /usr/lib64/nginx/modules \ + && mkdir -p /var/run/nginx \ && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr 
/var/log/nginx/error.log + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ + # && ln -sf /usr/lib64/nginx/modules/ngx_http_js_module.so /usr/lib/nginx/modules/ngx_http_js_module.so \ + # && ln -sf /usr/lib64/nginx/modules/ngx_stream_js_module.so /usr/lib/nginx/modules/ngx_stream_js_module.so COPY build/entrypoint.sh /agent/entrypoint.sh COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js @@ -39,10 +57,10 @@ COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf -RUN chown -R 101:1001 /etc/nginx /var/cache/nginx +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/run/nginx /etc/nginx-agent/nginx-agent.conf LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}" USER 101:1001 -ENTRYPOINT ["/agent/entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["/agent/entrypoint.sh"] From b880fc743be6eae2d78e9bd390a9c3f033caed07 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 24 Sep 2025 09:18:01 +0100 Subject: [PATCH 04/65] Update entrypoint to find NGINX master process. Ensure `/tmp` is writable by nginx user --- build/entrypoint.sh | 9 ++- build/ubi/Dockerfile.nginx | 79 ++++++++++++---------- internal/controller/provisioner/objects.go | 2 + 3 files changed, 50 insertions(+), 40 deletions(-) diff --git a/build/entrypoint.sh b/build/entrypoint.sh index dd07f169c9..7dda63e9c2 100755 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -40,13 +40,12 @@ fi nginx_pid=$! SECONDS=0 - -while ! curl localhost:80 -s -o /dev/null; do - if ((SECONDS > 10)); then - echo "nginx didn't start within 10 seconds" +while [[ ! -f /var/run/nginx.pid ]] && [[ ! -f /var/run/nginx/nginx.pid ]]; do + if (( SECONDS > 30 )); then + echo "couldn't find nginx master process" exit 1 fi - sleep 200 + sleep 1 done # start nginx-agent, pass args 
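Review bot: The rewritten loop in `build/entrypoint.sh` waits only for a pid file to appear and never looks at the process recorded in `nginx_pid=$!`, so if nginx exits immediately (a bad config, for instance) the container sits for the full 30 seconds before reporting "couldn't find nginx master process". Adding `kill -0 "$nginx_pid" 2>/dev/null || { echo "nginx exited during startup"; exit 1; }` inside the loop fails fast and gives a more accurate message. A pid file also only shows that nginx wrote it at some point, not that the master is still running when nginx-agent is started on the lines after the hunk.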
diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 471a88cafb..a77f54066c 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -1,14 +1,16 @@ # syntax=docker/dockerfile:1.18 FROM scratch AS nginx-files -# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 +# Repository and key files for UBI-based builds ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS packages +FROM redhat/ubi9-minimal:9.6 AS ubi-minimal -FROM registry.access.redhat.com/ubi9/ubi-minimal:latest +FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages + +FROM ubi-minimal AS ubi-nginx # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 
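Review bot: `FROM redhat/ubi9-minimal:9.6 AS ubi-minimal` pins the base by tag only, while the `ubi9-packages` stage two lines below is pinned by `@sha256:`. The final image's OS layer can therefore change under the same tag without any change in this repository. Pin it the same way, `FROM redhat/ubi9-minimal:9.6@sha256:<digest> AS ubi-minimal`, and let the existing renovate setup bump it. The hunk also moves the pull from `registry.access.redhat.com` to the `redhat/` namespace without saying why, and the same tag-only base is used in `build/ubi/Dockerfile` (PATCH 05, along with `golang:1.25`) and `build/ubi/Dockerfile.nginxplus` (PATCH 06).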
@@ -16,51 +18,58 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -# Prepare packages -RUN --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ +LABEL name="NGINX Gateway Fabric NGINX" \ + maintainer="kubernetes@nginx.com" \ + vendor="NGINX Inc" \ + summary="NGINX for NGINX Gateway Fabric" \ + description="NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ + io.k8s.description="NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.openshift.tags="nginx,gateway,kubernetes,openshift" + +COPY --link --chown=101:1001 LICENSE /licenses/ + +# Install NGINX with OTEL support using the same approach as NGINX IC +RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ - --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ - --mount=type=bind,from=packages,src=/,target=/ubi-bin/ \ + --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \ + # Import NGINX signing key rpm --import /tmp/nginx_signing.key \ - && microdnf update -y \ - && microdnf --nodocs install -y shadow-utils subscription-manager \ - && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-installed \ - && microdnf --nodocs --setopt=install_weak_deps=0 install -y diffutils dnf \ - && rpm -qa --queryformat "%{NAME}\n" | sort > pkgs-new \ - && dnf install -y /ubi-bin/*.rpm \ - && dnf -q repoquery --resolve --requires --recursive --whatrequires nginx --queryformat "%{NAME}" > pkgs-nginx \ - && dnf --setopt=protected_packages= remove -y $(comm -13 pkgs-installed pkgs-new | comm -13 pkgs-nginx -) \ - && rm pkgs-installed pkgs-new pkgs-nginx \ - && microdnf --nodocs install -y nginx \ - && 
microdnf --nodocs install -y nginx-module-njs nginx-module-image-filter nginx-module-xslt \ - # && microdnf --enablerepo=appstream install -y c-ares \ - && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v} + # Install c-ares from the dependencies image (contains required libs) + && rpm -Uvh /ubi-bin/c-ares-*.rpm \ + # Create nginx user with consistent UID/GID + && groupadd -g 1001 nginx \ + && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ + # Install NGINX and modules including OTEL + && microdnf --nodocs install -y nginx nginx-module-njs nginx-module-otel \ + # Install nginx-agent + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ + # Clean up (only remove what we can) + && microdnf clean all \ + && rm -rf /var/cache/yum -# RUN rm /etc/yum.repos.d/nginx.repo \ -# && rm /etc/yum.repos.d/agent.repo \ -# && microdnf clean all - -# Configure logs and directories -RUN mkdir -p /usr/lib/nginx/modules \ - && mkdir -p /usr/lib64/nginx/modules \ - && mkdir -p /var/run/nginx \ +# Configure directories and logging +RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ + # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ - # && ln -sf /usr/lib64/nginx/modules/ngx_http_js_module.so /usr/lib/nginx/modules/ngx_http_js_module.so \ - # && ln -sf /usr/lib64/nginx/modules/ngx_stream_js_module.so /usr/lib/nginx/modules/ngx_stream_js_module.so + && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ + # Set proper permissions for nginx user + && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx /tmp \ + && chmod 1777 /tmp +# Copy configuration files and scripts COPY build/entrypoint.sh /agent/entrypoint.sh COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js COPY 
${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf -RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/run/nginx /etc/nginx-agent/nginx-agent.conf - -LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}" +# Set executable permissions +RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh +# Switch to non-root user USER 101:1001 ENTRYPOINT ["/agent/entrypoint.sh"] diff --git a/internal/controller/provisioner/objects.go b/internal/controller/provisioner/objects.go index 475a3e7319..caef41ce74 100644 --- a/internal/controller/provisioner/objects.go +++ b/internal/controller/provisioner/objects.go @@ -863,6 +863,7 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec( {MountPath: "/var/run/nginx", Name: "nginx-run"}, {MountPath: "/var/cache/nginx", Name: "nginx-cache"}, {MountPath: "/etc/nginx/includes", Name: "nginx-includes"}, + {MountPath: "/tmp", Name: "temp-dir"}, }, }, }, @@ -968,6 +969,7 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec( {Name: "nginx-run", VolumeSource: emptyDirVolumeSource}, {Name: "nginx-cache", VolumeSource: emptyDirVolumeSource}, {Name: "nginx-includes", VolumeSource: emptyDirVolumeSource}, + {Name: "temp-dir", VolumeSource: emptyDirVolumeSource}, { Name: "nginx-includes-bootstrap", VolumeSource: corev1.VolumeSource{ From caaf91aaef1eee2ecfa73ef26a7c88b895e66b25 Mon Sep 17 00:00:00 2001 
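Review bot: `groupadd -g 1001 nginx` and `useradd -r -u 101 …` in `build/ubi/Dockerfile.nginx` now run before anything installs `shadow-utils`. The previous revision installed it explicitly, and the Plus Dockerfile in PATCH 06 installs it "for useradd". Unless the 9.6 minimal base is known to ship those tools, add `microdnf --nodocs install -y shadow-utils` ahead of them here as well. The hunk also drops `microdnf update -y`, so OS package fixes reach this image only when the base image reference is bumped, which makes pinning and regularly updating that reference more important. It also sets `chown -R 101:1001 … /tmp` together with `chmod 1777 /tmp`, which makes the runtime user the owner of the sticky directory.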
From: shaun-nx Date: Wed, 24 Sep 2025 11:06:56 +0100 Subject: [PATCH 05/65] Build control plane from UBI base image. Move current Alpine dockerfiles to `build/alpine` --- Makefile | 4 ++-- build/{ => alpine}/Dockerfile | 0 build/{ => alpine}/Dockerfile.nginx | 0 build/{ => alpine}/Dockerfile.nginxplus | 0 build/ubi/Dockerfile | 32 +++++++++++++++++++++++++ 5 files changed, 34 insertions(+), 2 deletions(-) rename build/{ => alpine}/Dockerfile (100%) rename build/{ => alpine}/Dockerfile.nginx (100%) rename build/{ => alpine}/Dockerfile.nginxplus (100%) create mode 100644 build/ubi/Dockerfile diff --git a/Makefile b/Makefile index 9ad33d3f1a..2d345a390a 100644 --- a/Makefile +++ b/Makefile @@ -86,7 +86,7 @@ build-prod-ngf-image: build-ngf-image ## Build the NGF docker image for producti .PHONY: build-ngf-image build-ngf-image: check-for-docker build ## Build the NGF docker image - docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: build-prod-nginx-image build-prod-nginx-image: build-nginx-image ## Build the custom nginx image for production 
@@ -100,7 +100,7 @@ build-prod-nginx-plus-image: build-nginx-plus-image ## Build the custom nginx pl .PHONY: build-nginx-plus-image build-nginx-plus-image: check-for-docker ## Build the custom nginx plus image - docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) -f $(SELF_DIR)build/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: check-for-docker check-for-docker: ## Check if Docker is installed diff --git a/build/Dockerfile b/build/alpine/Dockerfile similarity index 100% rename from build/Dockerfile rename to build/alpine/Dockerfile diff --git a/build/Dockerfile.nginx b/build/alpine/Dockerfile.nginx similarity index 100% rename from build/Dockerfile.nginx rename to build/alpine/Dockerfile.nginx diff --git a/build/Dockerfile.nginxplus b/build/alpine/Dockerfile.nginxplus similarity index 100% rename from build/Dockerfile.nginxplus rename to build/alpine/Dockerfile.nginxplus diff --git a/build/ubi/Dockerfile b/build/ubi/Dockerfile new file mode 100644 index 0000000000..c9a98b4bab --- /dev/null +++ b/build/ubi/Dockerfile 
@@ -0,0 +1,32 @@ +# syntax=docker/dockerfile:1.18 +FROM golang:1.25 AS builder + +WORKDIR /go/src/github.com/nginx/nginx-gateway-fabric + +COPY go.mod go.sum /go/src/github.com/nginx/nginx-gateway-fabric/ +RUN go mod download + +COPY . /go/src/github.com/nginx/nginx-gateway-fabric +RUN make build + +FROM golang:1.25 AS ca-certs-provider + +FROM redhat/ubi9-minimal:9.6 AS ngf-ubi-minimal +# Install CA certificates (if not present) +RUN microdnf update && microdnf install -y ca-certificates && microdnf clean all +# Alternatively, copy from ca-certs-provider if you prefer: +# COPY --from=ca-certs-provider --link /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +USER 101:1001 +ARG BUILD_AGENT +ENV BUILD_AGENT=${BUILD_AGENT} +ENTRYPOINT [ "/usr/bin/gateway" ] + +FROM ngf-ubi-minimal AS container +COPY --from=builder /go/src/github.com/nginxinc/nginx-gateway-fabric/build/out/gateway /usr/bin/gateway + +FROM ngf-ubi-minimal AS local +COPY ./build/out/gateway /usr/bin/gateway + +FROM ngf-ubi-minimal AS goreleaser +ARG TARGETARCH +COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/gateway \ No newline at end of file From 25cee52fb179cef900afb325fc6f5cb4436f2da6 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 24 Sep 2025 15:43:38 +0100 Subject: [PATCH 06/65] Add Dockerfile to build NGINX Plus image based on ubi9-minimal --- build/ubi/Dockerfile | 6 +- build/ubi/Dockerfile.nginx | 3 +- build/ubi/Dockerfile.nginxplus | 78 +++++++++++++++++++++- internal/controller/provisioner/objects.go | 2 - 4 files changed, 79 insertions(+), 10 deletions(-) diff --git a/build/ubi/Dockerfile b/build/ubi/Dockerfile index c9a98b4bab..6a3cf69657 100644 --- a/build/ubi/Dockerfile +++ b/build/ubi/Dockerfile 
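Review bot: The `container` stage of `build/ubi/Dockerfile` copies from `/go/src/github.com/nginxinc/nginx-gateway-fabric/build/out/gateway`, but the `builder` stage sets `WORKDIR /go/src/github.com/nginx/nginx-gateway-fabric` and runs `make build` there. Assuming the binary lands under that directory's `build/out`, the `nginxinc` path does not exist and `--target container` fails at this COPY. It should read `COPY --from=builder /go/src/github.com/nginx/nginx-gateway-fabric/build/out/gateway /usr/bin/gateway`. PATCH 06 touches this file but leaves the line unchanged.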
@@ -12,10 +12,8 @@ RUN make build FROM golang:1.25 AS ca-certs-provider FROM redhat/ubi9-minimal:9.6 AS ngf-ubi-minimal -# Install CA certificates (if not present) -RUN microdnf update && microdnf install -y ca-certificates && microdnf clean all -# Alternatively, copy from ca-certs-provider if you prefer: -# COPY --from=ca-certs-provider --link /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +# CA certs are needed for telemetry report so that NGF can verify the server's certificate. +COPY --from=ca-certs-provider --link /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ USER 101:1001 ARG BUILD_AGENT ENV BUILD_AGENT=${BUILD_AGENT} diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index a77f54066c..4be64a7dda 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -56,8 +56,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ && ln -sf /dev/stderr /var/log/nginx/error.log \ && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ # Set proper permissions for nginx user - && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx /tmp \ - && chmod 1777 /tmp + && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx # Copy configuration files and scripts COPY build/entrypoint.sh /agent/entrypoint.sh diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 6f14661890..c01b70f560 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus 
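Review bot: In `build/ubi/Dockerfile`, the trust store NGF uses to verify the telemetry endpoint now comes from `ca-certs-provider`, which is `FROM golang:1.25` by tag only, rather than from the UBI base's own `ca-certificates` package. That makes the set of trusted roots depend on a mutable third image and lets it drift from what the rest of the OS trusts. Either pin `ca-certs-provider` by digest or keep using the UBI bundle. It is also worth checking the resulting layout: on RHEL-family images `/etc/ssl/certs` is typically a symlink into `/etc/pki/tls/certs`, and `COPY --link` does not follow destination symlinks.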
@@ -1,5 +1,79 @@ # syntax=docker/dockerfile:1.18 FROM scratch AS nginx-files -# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 -ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub +# NGINX Plus repo and key files (must be provided at build time) +ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx-plus.repo +ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key +ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo +ADD --link --chown=101:1001 nginx-repo.crt nginx-repo.crt +ADD --link --chown=101:1001 nginx-repo.key nginx-repo.key + +FROM redhat/ubi9-minimal:9.6 AS ubi-minimal + +FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages + +FROM ubi-minimal AS ubi-nginxplus + +# renovate: datasource=github-tags depName=nginx/agent +ARG NGINX_AGENT_VERSION=v3.3.1 +ARG NJS_DIR +ARG NGINX_CONF_DIR +ARG BUILD_AGENT + +LABEL name="NGINX Gateway Fabric NGINX Plus" \ + maintainer="kubernetes@nginx.com" \ + vendor="NGINX Inc" \ + summary="NGINX Plus for NGINX Gateway Fabric" \ + description="NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ + io.k8s.description="NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.openshift.tags="nginx-plus,gateway,kubernetes,openshift" + +COPY --link --chown=101:1001 LICENSE /licenses/ + +# Install NGINX Plus and modules +RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos.d/nginx-plus.repo \ + --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ + --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ + --mount=type=bind,from=ubi9-packages,src=/,target=/ubi-bin/ \ + 
--mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ + # Install shadow-utils for useradd and subscription-manager for repo access + microdnf --nodocs install -y shadow-utils subscription-manager \ + && rpm --import /tmp/nginx_signing.key \ + # Install c-ares from the dependencies image (contains required libs) + && rpm -Uvh /ubi-bin/c-ares-*.rpm \ + # Create nginx user with consistent UID/GID + && groupadd -g 1001 nginx \ + && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ + # Install NGINX Plus and modules (njs, otel) + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel \ + # Install nginx-agent + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ + # Clean up + && microdnf clean all \ + && rm -rf /var/cache/yum + +# Configure directories and logging +RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ + # Forward request and error logs to docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log \ + && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ + # Set proper permissions for nginx user + && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx + +# Copy configuration files and scripts +COPY build/entrypoint.sh /agent/entrypoint.sh +COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf +COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf +COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf + +# Set executable permissions +RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh + +# Switch to non-root user +USER 101:1001 + +ENTRYPOINT ["/agent/entrypoint.sh"] 
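Review bot: The signing key that `rpm --import` trusts is fetched with `ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key` and no integrity check, so whatever that URL serves at build time becomes the root of trust for every NGINX package installed below; `plus-9.repo` is fetched the same way. `ADD` accepts `--checksum=sha256:<expected-digest>` for remote sources, which fails the build if the key changes unexpectedly. The two secret mounts also set `mode=0644` on `nginx-repo.crt` and `nginx-repo.key`; no `USER` precedes this RUN in the stage, so it appears to run as root and the default `0400` should be enough for the private key.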
diff --git a/internal/controller/provisioner/objects.go b/internal/controller/provisioner/objects.go index caef41ce74..475a3e7319 100644 --- a/internal/controller/provisioner/objects.go +++ b/internal/controller/provisioner/objects.go @@ -863,7 +863,6 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec( {MountPath: "/var/run/nginx", Name: "nginx-run"}, {MountPath: "/var/cache/nginx", Name: "nginx-cache"}, {MountPath: "/etc/nginx/includes", Name: "nginx-includes"}, - {MountPath: "/tmp", Name: "temp-dir"}, }, }, }, @@ -969,7 +968,6 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec( {Name: "nginx-run", VolumeSource: emptyDirVolumeSource}, {Name: "nginx-cache", VolumeSource: emptyDirVolumeSource}, {Name: "nginx-includes", VolumeSource: emptyDirVolumeSource}, - {Name: "temp-dir", VolumeSource: emptyDirVolumeSource}, { Name: "nginx-includes-bootstrap", VolumeSource: corev1.VolumeSource{ From fd1498cc270b8caf56aec049f83f7f7aaceb559b Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 24 Sep 2025 15:59:48 +0100 Subject: [PATCH 07/65] Fix eof errors --- build/entrypoint.sh | 2 +- build/ubi/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/entrypoint.sh b/build/entrypoint.sh index 7dda63e9c2..3c05aebcd9 100755 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh @@ -41,7 +41,7 @@ nginx_pid=$! SECONDS=0 while [[ ! -f /var/run/nginx.pid ]] && [[ ! -f /var/run/nginx/nginx.pid ]]; do - if (( SECONDS > 30 )); then + if ((SECONDS > 30)); then echo "couldn't find nginx master process" exit 1 fi diff --git a/build/ubi/Dockerfile b/build/ubi/Dockerfile index 6a3cf69657..81cc76e417 100644 --- a/build/ubi/Dockerfile +++ b/build/ubi/Dockerfile @@ -27,4 +27,4 @@ COPY ./build/out/gateway /usr/bin/gateway FROM ngf-ubi-minimal AS goreleaser ARG TARGETARCH -COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/gateway \ No newline at end of file +COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/gateway 
From 85d8358aefc4b47e508593de7c99ce89a1b42061 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 10:08:19 +0100 Subject: [PATCH 08/65] Move alpine base Dockerfiles back to build dir --- Makefile | 9 ++++----- build/{alpine => }/Dockerfile | 0 build/{alpine => }/Dockerfile.nginx | 0 build/{alpine => }/Dockerfile.nginxplus | 0 build/ubi/Dockerfile.nginx | 2 +- build/ubi/Dockerfile.nginxplus | 2 +- 6 files changed, 6 insertions(+), 7 deletions(-) rename build/{alpine => }/Dockerfile (100%) rename build/{alpine => }/Dockerfile.nginx (100%) rename build/{alpine => }/Dockerfile.nginxplus (100%) diff --git a/Makefile b/Makefile index 2d345a390a..5ba6dad8c9 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,6 @@ NJS_DIR = internal/controller/nginx/modules/src KIND_CONFIG_FILE = $(SELF_DIR)config/cluster/kind-cluster.yaml NGINX_DOCKER_BUILD_PLUS_ARGS = --secret id=nginx-repo.crt,src=$(SELF_DIR)nginx-repo.crt --secret id=nginx-repo.key,src=$(SELF_DIR)nginx-repo.key BUILD_AGENT = local -BASE_IMAGE ?= nginx:1.29.1-alpine-otel PROD_TELEMETRY_ENDPOINT = oss.edge.df.f5.com:443 # the telemetry related variables below are also configured in goreleaser.yml @@ -44,7 +43,7 @@ HELM_SCHEMA_VERSION = 0.18.1 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus -BUILD_OS ?= alpine## The OS of the nginx image. Possible values: alpine and ubi +BUILD_OS ?= ## The OS of the nginx image. Possible values: alpine and ubi IMAGE_PULL_POLICY ?= Never## The image pull policy for the NGF and nginx images. Possible values: Always, Never, IfNotPresent TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0 TARGET ?= local## The target of the build. Possible values: local and container 
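Review bot: The help text on `BUILD_OS` in the `@@ -44,7 +43,7 @@` hunk still reads `Possible values: alpine and ubi`, but this commit moves `build/alpine/*` up to `build/` and makes the default empty, so `BUILD_OS=alpine` would now point `-f` at `build/alpine/Dockerfile`, which the rename removes. Suggest `BUILD_OS ?= ## The OS of the nginx image. Leave empty for the default alpine build; set to ubi for the UBI build`. It may also be worth rejecting any other value before `docker build` runs, so a typo fails with a clear message rather than a missing-file error. The `-f` paths that consume the variable are in the following `@@ -86,21 +85,21 @@` hunk.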
@@ -86,21 +85,21 @@ build-prod-ngf-image: build-ngf-image ## Build the NGF docker image for producti .PHONY: build-ngf-image build-ngf-image: check-for-docker build ## Build the NGF docker image - docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) --build-arg BUILD_AGENT=$(BUILD_AGENT) --target $(strip $(TARGET)) -f $(SELF_DIR)build/$(if $(BUILD_OS),$(BUILD_OS)/)Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: build-prod-nginx-image build-prod-nginx-image: build-nginx-image ## Build the custom nginx image for production .PHONY: build-nginx-image build-nginx-image: check-for-docker ## Build the custom nginx image - docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) -f $(SELF_DIR)build/$(if $(BUILD_OS),$(BUILD_OS)/)Dockerfile.nginx -t $(strip $(NGINX_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) .PHONY: build-prod-nginx-plus-image build-prod-nginx-plus-image: build-nginx-plus-image ## Build the custom nginx plus image for production .PHONY: build-nginx-plus-image build-nginx-plus-image: check-for-docker ## Build the custom nginx plus image - docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) -f $(SELF_DIR)build/$(BUILD_OS)/Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) $(strip $(SELF_DIR)) + docker build --platform linux/$(GOARCH) $(strip $(NGINX_DOCKER_BUILD_OPTIONS)) $(strip $(NGINX_DOCKER_BUILD_PLUS_ARGS)) -f $(SELF_DIR)build/$(if $(BUILD_OS),$(BUILD_OS)/)Dockerfile.nginxplus -t $(strip $(NGINX_PLUS_PREFIX)):$(strip $(TAG)) 
$(strip $(SELF_DIR)) .PHONY: check-for-docker check-for-docker: ## Check if Docker is installed diff --git a/build/alpine/Dockerfile b/build/Dockerfile similarity index 100% rename from build/alpine/Dockerfile rename to build/Dockerfile diff --git a/build/alpine/Dockerfile.nginx b/build/Dockerfile.nginx similarity index 100% rename from build/alpine/Dockerfile.nginx rename to build/Dockerfile.nginx diff --git a/build/alpine/Dockerfile.nginxplus b/build/Dockerfile.nginxplus similarity index 100% rename from build/alpine/Dockerfile.nginxplus rename to build/Dockerfile.nginxplus diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 4be64a7dda..27a7d7533b 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -54,7 +54,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ + && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ # Set proper permissions for nginx user && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index c01b70f560..ef708da129 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -59,7 +59,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && cp -r /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ + && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ # Set proper permissions for nginx user && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx 
From d28416af8cbdda6f6054a396c9c9feb758c1b34e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 10:28:30 +0100 Subject: [PATCH 09/65] Fix merge conflict --- Makefile | 5 ----- 1 file changed, 5 deletions(-) diff --git a/Makefile b/Makefile index fa06e2a244..a559a7051a 100644 --- a/Makefile +++ b/Makefile @@ -44,7 +44,6 @@ PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-g NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus BUILD_OS ?= ## The OS of the nginx image. Possible values: alpine and ubi -IMAGE_PULL_POLICY ?= Never## The image pull policy for the NGF and nginx images. Possible values: Always, Never, IfNotPresent NGINX_SERVICE_TYPE ?= NodePort## The type of the nginx service. Possible values: NodePort, LoadBalancer, ClusterIP PULL_POLICY ?= Never## The pull policy of the images. Possible values: Always, IfNotPresent, Never TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0 
@@ -230,11 +229,7 @@ install-ngf-local-build-with-plus: check-for-plus-usage-endpoint build-images-wi .PHONY: helm-install-local helm-install-local: install-gateway-crds ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build. -<<<<<<< HEAD - helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginx.service.type=NodePort --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(IMAGE_PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) || helm uninstall nginx-gateway -n nginx-gateway -======= helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=$(PULL_POLICY) --set nginx.service.type=$(NGINX_SERVICE_TYPE) --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) ->>>>>>> feat/openshift-support .PHONY: helm-install-local-with-plus helm-install-local-with-plus: check-for-plus-usage-endpoint install-gateway-crds ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus. From 523ebd1f8776836feeccf5dd93528eeba642f22b Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 10:59:34 +0100 Subject: [PATCH 10/65] Update labels --- build/ubi/Dockerfile.nginx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 27a7d7533b..f88d4cefa0 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -20,11 +20,11 @@ ARG BUILD_AGENT LABEL name="NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ - vendor="NGINX Inc" \ - summary="NGINX for NGINX Gateway Fabric" \ - description="NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + vendor="F5 NGINX Inc" \ + summary="F5 NGINX for NGINX Gateway Fabric" \ + description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.k8s.description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ From 31750dddda0cddf8f884e84c54d9cafa3232db4e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 11:00:08 +0100 Subject: [PATCH 11/65] Update lables for plus builds --- build/ubi/Dockerfile.nginxplus | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index ef708da129..f369764c48 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus 
@@ -20,14 +20,14 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -LABEL name="NGINX Gateway Fabric NGINX Plus" \ +LABEL name="NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ - vendor="NGINX Inc" \ - summary="NGINX Plus for NGINX Gateway Fabric" \ - description="NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + vendor="F5 NGINX Inc" \ + summary="F5 NGINX for NGINX Gateway Fabric" \ + description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ - io.openshift.tags="nginx-plus,gateway,kubernetes,openshift" + io.k8s.description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ From 714675277bf3aa0e7f6608c2acbfb2c449e59e5c Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 11:01:33 +0100 Subject: [PATCH 12/65] Update lables to distinguish between OSS and Plus --- build/ubi/Dockerfile.nginx | 2 +- build/ubi/Dockerfile.nginxplus | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index f88d4cefa0..f924ec472b 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -18,7 +18,7 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -LABEL name="NGINX Gateway Fabric NGINX" \ +LABEL name="F5 NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ vendor="F5 NGINX Inc" \ summary="F5 NGINX for NGINX Gateway Fabric" \ diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index f369764c48..72b1d43802 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus 
@@ -20,13 +20,13 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -LABEL name="NGINX Gateway Fabric NGINX" \ +LABEL name="F5 NGINX Gateway Fabric NGINX Plus" \ maintainer="kubernetes@nginx.com" \ vendor="F5 NGINX Inc" \ - summary="F5 NGINX for NGINX Gateway Fabric" \ - description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + summary="F5 NGINX Plus for NGINX Gateway Fabric" \ + description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.k8s.description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ From e776ae16178f8c71decedf0645dadf3047cc2182 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 11:32:43 +0100 Subject: [PATCH 13/65] Make NGINX Plus version configurable --- build/ubi/Dockerfile.nginxplus | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 72b1d43802..54bd8719d5 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -12,7 +12,9 @@ FROM redhat/ubi9-minimal:9.6 AS ubi-minimal FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM ubi-minimal AS ubi-nginxplus +FROM ubi-minimal AS ubi-nginx-plus + +ARG NGINX_PLUS_VERSION=R35 # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 
@@ -47,7 +49,8 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos && groupadd -g 1001 nginx \ && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ # Install NGINX Plus and modules (njs, otel) - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-otel \ + && microdnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION,,} \ + && microdnf --nodocs install -y nginx-plus-module-njs-${NGINX_PLUS_VERSION,,} nginx-plus-module-otel-${NGINX_PLUS_VERSION,,} \ # Install nginx-agent && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up From 074660409980db2df9a8489221835599c8093290 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 12:08:24 +0100 Subject: [PATCH 14/65] Update pipeline to build and publish UBI images --- .github/workflows/build.yml | 7 ++++++- .github/workflows/ci.yml | 7 +++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a5deb48953..6d22029827 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,6 +6,10 @@ on: platforms: required: true type: string + build_os: + required: false + type: string + default: '' image: required: true type: string @@ -143,7 +147,7 @@ jobs: - name: Build Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }} + file: ${{ inputs.build_os != '' && format('build/{0}/Dockerfile{1}', inputs.build_os, inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') || format('build/Dockerfile{0}', inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') }} context: "." target: ${{ inputs.image == 'ngf' && 'goreleaser' || '' }} tags: ${{ steps.meta.outputs.tags }} 
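Review bot: `${NGINX_PLUS_VERSION,,}` in the `@@ -47,7 +49,8 @@` hunk is a bash-only case-modification expansion, so the three package names on the added lines resolve only if `/bin/sh` in the base image is bash, which is presumably the case on UBI; under a POSIX `sh` the RUN would stop with a bad-substitution error. Either declare the shell for this stage (`SHELL ["/bin/bash", "-c"]`) or take the value already lower-cased (`ARG NGINX_PLUS_VERSION=r35`) and use `${NGINX_PLUS_VERSION}` directly. It is also worth confirming that the repository publishes packages named exactly `nginx-plus-r35` and `nginx-plus-module-njs-r35`, since the agent line below relies on a trailing `*` and these do not. The RUN instruction this hunk edits begins and ends outside the hunk.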
@@ -161,6 +165,7 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha + BUILD_OS=${{ inputs.build_os }} secrets: | ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ba9cb95e26..a3552ec929 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -234,10 +234,12 @@ jobs: matrix: image: [ngf, nginx] platforms: ["linux/arm64, linux/amd64"] + build_os: ["", ubi] uses: ./.github/workflows/build.yml with: image: ${{ matrix.image }} platforms: ${{ matrix.platforms }} + build_os: ${{ matrix.build_os }} tag: ${{ inputs.release_version || '' }} dry_run: ${{ inputs.dry_run || false}} runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} @@ -252,9 +254,14 @@ jobs: name: Build Plus images needs: [vars, binary] uses: ./.github/workflows/build.yml + strategy: + fail-fast: false + matrix: + build_os: ["", ubi] with: image: plus platforms: "linux/arm64, linux/amd64" + build_os: ${{ matrix.build_os }} tag: ${{ inputs.release_version || '' }} dry_run: ${{ inputs.dry_run || false }} runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} From 31f0e522cdebc610d7846c261dc0852ea46fde4f Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 13:54:53 +0100 Subject: [PATCH 15/65] Update UBI Dockerfile for NGINX Plus to use certs and keys from pipeline --- build/ubi/Dockerfile.nginxplus | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 54bd8719d5..ccbdeb9c3f 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -5,8 +5,6 @@ FROM scratch AS nginx-files ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx-plus.repo ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -ADD --link --chown=101:1001 nginx-repo.crt nginx-repo.crt -ADD --link --chown=101:1001 nginx-repo.key nginx-repo.key FROM redhat/ubi9-minimal:9.6 AS ubi-minimal From cb752555e74118a68587668b64b214f0e6e617db Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 13:58:04 +0100 Subject: [PATCH 16/65] Ensure build_os is added as a suffix to our tags --- .github/workflows/build.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6d22029827..f04e838461 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -124,12 +124,13 @@ jobs: flavor: | latest=${{ (inputs.tag != '' && 'true') || 'auto' }} tags: | - type=semver,pattern={{version}} - type=edge - type=schedule - type=ref,event=pr - type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} - type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }} + type=semver,pattern={{version}}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=edge${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=schedule${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=pr${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + labels: | org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric org.opencontainers.image.vendor=NGINX Inc From c5e49a37d0e74fc839c3ad91e66f8a878c8a2276 Mon Sep 17 00:00:00 2001 From: Shaun Date: Thu, 25 Sep 2025 14:03:16 +0100 Subject: [PATCH 17/65] Update build/ubi/Dockerfile.nginx Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- build/ubi/Dockerfile.nginx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index f924ec472b..9040c568ee 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx 
@@ -20,7 +20,7 @@ ARG BUILD_AGENT LABEL name="F5 NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ - vendor="F5 NGINX Inc" \ + vendor="F5 NGINX" \ summary="F5 NGINX for NGINX Gateway Fabric" \ description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ From bc7c10f8419111075c5104324793d24e23f7f57a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 14:07:21 +0100 Subject: [PATCH 18/65] Update lables and remove BASE_IMAGE --- Makefile | 2 +- build/ubi/Dockerfile.nginx | 6 +++--- build/ubi/Dockerfile.nginxplus | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index a559a7051a..7b9b73ca2f 100644 --- a/Makefile +++ b/Makefile @@ -55,7 +55,7 @@ PLUS_ENABLED ?= false PLUS_LICENSE_FILE ?= $(SELF_DIR)license.jwt PLUS_USAGE_ENDPOINT ?=## The N+ usage endpoint. For development, please set to the N1 staging endpoint. -override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) --build-arg BASE_IMAGE=$(BASE_IMAGE) +override NGINX_DOCKER_BUILD_OPTIONS += --build-arg NJS_DIR=$(NJS_DIR) --build-arg NGINX_CONF_DIR=$(NGINX_CONF_DIR) --build-arg BUILD_AGENT=$(BUILD_AGENT) .DEFAULT_GOAL := help diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 9040c568ee..22feabb410 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx 
@@ -21,10 +21,10 @@ ARG BUILD_AGENT LABEL name="F5 NGINX Gateway Fabric NGINX" \ maintainer="kubernetes@nginx.com" \ vendor="F5 NGINX" \ - summary="F5 NGINX for NGINX Gateway Fabric" \ - description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + summary="NGINX Gateway Fabric" \ + description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="F5 NGINX data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.k8s.description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \ io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 54bd8719d5..8cb920d8ad 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -24,11 +24,11 @@ ARG BUILD_AGENT LABEL name="F5 NGINX Gateway Fabric NGINX Plus" \ maintainer="kubernetes@nginx.com" \ - vendor="F5 NGINX Inc" \ - summary="F5 NGINX Plus for NGINX Gateway Fabric" \ - description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + vendor="F5 NGINX" \ + summary="NGINX Gateway Fabric" \ + description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \ org.nginx.ngf.image.build.agent="${BUILD_AGENT}" \ - io.k8s.description="F5 NGINX Plus data plane for NGINX Gateway Fabric Gateway API implementation" \ + io.k8s.description="NGINX Gateway Fabric provides an implementation for the Gateway API using NGINX as the data plane." \ io.openshift.tags="nginx,gateway,kubernetes,openshift" COPY --link --chown=101:1001 LICENSE /licenses/ From 6eefb2ed7a3969f0c3eba4c77efa8f3b254488a8 Mon Sep 17 00:00:00 2001 
From: shaun-nx Date: Thu, 25 Sep 2025 14:11:58 +0100 Subject: [PATCH 19/65] Add suffix to all types in Docker meta build stage --- .github/workflows/build.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f04e838461..b9f4d9b610 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -124,13 +124,12 @@ jobs: flavor: | latest=${{ (inputs.tag != '' && 'true') || 'auto' }} tags: | - type=semver,pattern={{version}}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=edge${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=schedule${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=pr${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - + type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} + type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} labels: | org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric org.opencontainers.image.vendor=NGINX Inc From cbcd7ca1b3b0ed2b171f5ed14d0df0e45437d873 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Thu, 25 Sep 2025 14:28:10 +0100 Subject: [PATCH 20/65] Remove local reference to crt and key files --- build/ubi/Dockerfile.nginxplus | 2 -- 1 file changed, 2 deletions(-) 
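Review bot: With `suffix=` now set on each tag entry, the `latest` tag that the `flavor: latest=...` setting above produces is, as far as I know docker/metadata-action, not covered, because tag-level suffixes apply only to their own entry. A build with `inputs.build_os` set may therefore emit a bare `latest`; if both variants push to the same image name (not visible in this hunk), the later push replaces the other and consumers of `latest` silently get a different base OS. Setting it once in the flavor block, `suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},onlatest=true`, would cover `latest` and remove the six-fold repetition, with only the `-rc` entry keeping its own `suffix=`. The step continues outside the hunk.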
diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 8cb920d8ad..cbb4a78c44 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -5,8 +5,6 @@ FROM scratch AS nginx-files ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx-plus.repo ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -ADD --link --chown=101:1001 nginx-repo.crt nginx-repo.crt -ADD --link --chown=101:1001 nginx-repo.key nginx-repo.key FROM redhat/ubi9-minimal:9.6 AS ubi-minimal From d9155b204e31844394b170f52abf8f5bbddbb01e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 11:05:16 +0100 Subject: [PATCH 21/65] Set permissions on required directories. Update lables --- build/ubi/Dockerfile.nginx | 20 ++++++++------------ build/ubi/Dockerfile.nginxplus | 21 +++++++++++---------- 2 files changed, 19 insertions(+), 22 deletions(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 22feabb410..71adbb37e7 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -6,11 +6,9 @@ ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signi ADD --link --chown=101:1001 build/ubi/repos/nginx.repo nginx.repo ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -FROM redhat/ubi9-minimal:9.6 AS ubi-minimal - FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM ubi-minimal AS ubi-nginx +FROM redhat/ubi9-minimal:9.6 AS ubi-nginx # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 @@ -18,7 +16,7 @@ ARG NJS_DIR ARG NGINX_CONF_DIR ARG BUILD_AGENT -LABEL name="F5 NGINX Gateway Fabric NGINX" \ +LABEL name="F5 NGINX Gateway Fabric NGINX OSS" \ maintainer="kubernetes@nginx.com" \ vendor="F5 NGINX" \ summary="NGINX Gateway Fabric" \ 
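Review bot: `FROM redhat/ubi9-minimal:9.6 AS ubi-nginx` pins the runtime base image by tag only, while the `ubi9-packages` stage directly above it is pinned by digest. A tag can be re-pointed upstream, so the final image is not reproducible and a changed base would never show up in a diff. Pin it the same way, `FROM redhat/ubi9-minimal:9.6@sha256:<digest of the reviewed image> AS ubi-nginx`. The same line is added to build/ubi/Dockerfile.nginxplus in the first hunk of that file.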
@@ -29,7 +27,7 @@ LABEL name="F5 NGINX Gateway Fabric NGINX" \ COPY --link --chown=101:1001 LICENSE /licenses/ -# Install NGINX with OTEL support using the same approach as NGINX IC +# Install NGINX with packages RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_signing.key \ --mount=type=bind,from=nginx-files,src=nginx.repo,target=/etc/yum.repos.d/nginx.repo \ --mount=type=bind,from=nginx-files,src=agent.repo,target=/etc/yum.repos.d/agent.repo \ @@ -54,20 +52,18 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ - # Set proper permissions for nginx user - && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx + && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ + +# Set proper permissions for nginx user +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx # Copy configuration files and scripts COPY build/entrypoint.sh /agent/entrypoint.sh -COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NJS_DIR}/ /usr/lib/nginx/modules/njs/ COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf -# Set executable permissions -RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh - # Switch to non-root user USER 101:1001 diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index cbb4a78c44..30922e4b0d 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus 
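Review bot: The new `RUN chown -R 101:1001 /etc/nginx /var/cache/nginx` runs before the `COPY` lines that follow it, so `nginx.conf`, the gRPC error files and the njs directory land root-owned, and `/var/log/nginx` and `/var/run/nginx` (created by the `mkdir -p` above) are no longer handed to uid 101. The image then switches to `USER 101:1001`, so anything the entrypoint or agent must write there will fail unless something outside this hunk covers it. build/Dockerfile.nginx in this series does the chown after its COPY lines; either move the `RUN chown` below them or use `COPY --chown=101:1001 ...` per file and list only the directories that need to be writable. With `chmod +x /agent/entrypoint.sh` removed, the executable bit now depends on the mode stored in the repository. The same ordering is introduced in the build/ubi/Dockerfile.nginxplus hunk further down.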
@@ -6,11 +6,9 @@ ADD --link --chown=101:1001 https://cs.nginx.com/static/files/plus-9.repo nginx- ADD --link --chown=101:1001 https://nginx.org/keys/nginx_signing.key nginx_signing.key ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo -FROM redhat/ubi9-minimal:9.6 AS ubi-minimal - FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM ubi-minimal AS ubi-nginx-plus +FROM redhat/ubi9-minimal:9.6 AS ubi-nginx-plus ARG NGINX_PLUS_VERSION=R35 @@ -52,6 +50,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos # Install nginx-agent && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up + # && microdnf remove -y shadow-utils subscription-manager \ && microdnf clean all \ && rm -rf /var/cache/yum 
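Review bot: The added `# && microdnf remove -y shadow-utils subscription-manager \` is a commented-out step inside the RUN chain, so it describes a cleanup that does not happen. If those packages are installed earlier in this RUN (the start of the instruction is outside the hunk), they stay in the runtime image as extra tooling the non-root container does not need. Either enable the removal or delete the line and say why the packages must stay, e.g. `# shadow-utils and subscription-manager are kept because <reason>`.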
@@ -60,20 +59,22 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ \ - # Set proper permissions for nginx user - && chown -R 101:1001 /etc/nginx /var/cache/nginx /var/log/nginx /var/run/nginx + && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ + +# Copy default html files to a writable location +RUN mkdir -p /etc/nginx/html \ + && cp /usr/share/nginx/html/* /etc/nginx/html/ + +# Set proper permissions for nginx user +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx # Copy configuration files and scripts COPY build/entrypoint.sh /agent/entrypoint.sh -COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NJS_DIR}/ /usr/lib/nginx/modules/njs/ COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf -# Set executable permissions -RUN chmod +x /agent/entrypoint.sh && chown 101:1001 /agent/entrypoint.sh - # Switch to non-root user USER 101:1001 From 5cb3854d654d6c156a8f7151c295689d1712f8f4 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 11:15:44 +0100 Subject: [PATCH 22/65] Add build_os to conformance and functional test matrix. Update tags for both workflows --- .github/workflows/ci.yml | 2 ++ .github/workflows/conformance.yml | 28 ++++++++++++++++------------ .github/workflows/functional.yml | 26 ++++++++++++++++---------- 3 files changed, 34 insertions(+), 22 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a3552ec929..65c03d2f31 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -279,6 +279,7 @@ jobs: fail-fast: false matrix: image: [nginx, plus] + build_os: ["", ubi] k8s-version: [ "${{ needs.vars.outputs.min_k8s_version }}", @@ -299,6 +300,7 @@ jobs: fail-fast: false matrix: image: [nginx, plus] + build_os: ["", ubi] k8s-version: [ "${{ needs.vars.outputs.min_k8s_version }}", diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index f8ce171f53..0636cef12a 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -6,6 +6,10 @@ on: image: required: true type: string + build_os: + required: false + type: string + default: '' k8s-version: required: true type: string @@ -75,12 +79,12 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric tags: | - type=semver,pattern={{version}} - type=edge - type=schedule - type=ref,event=pr - type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }} + type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} + type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: NGINX Docker meta id: nginx-meta 
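Review bot: The rewritten `type=ref,event=branch` and `type=raw` entries test `inputs.tag`, but no `tag` input is visible in this workflow; the hunks show `image`, `build_os` and `k8s-version`, and the removed lines used `production-release` and `release_version`. An undeclared input evaluates to an empty string, so `inputs.tag == ''` would always hold (the `-rc` tag is no longer suppressed for production releases) and the `type=raw` entry would never be enabled. Keep the original conditions and only append the suffix, e.g. `enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}`. The same substitution appears in the NGINX Docker meta hunk of this file and in both functional.yml hunks of this commit.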
@@ -89,12 +93,12 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }} tags: | - type=semver,pattern={{version}} - type=edge - type=schedule - type=ref,event=pr - type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }} + type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} + type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 2bb06f09a4..c8c77bca9a 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -6,6 +6,10 @@ on: image: required: true type: string + build_os: + required: false + type: string + default: '' k8s-version: required: true type: string 
@@ -61,11 +65,12 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric tags: | - type=semver,pattern={{version}} - type=schedule - type=edge - type=ref,event=pr - type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} + type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} + type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: NGINX Docker meta id: nginx-meta 
@@ -74,11 +79,12 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }} tags: | - type=semver,pattern={{version}} - type=edge - type=schedule - type=ref,event=pr - type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} + type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} + type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 From a89cc6f980e1a5865ef3580c76f694af932f6c94 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 11:48:52 +0100 Subject: [PATCH 23/65] Ensure unique conformance profile name based on build os --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 0636cef12a..74929f45b0 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -182,7 +182,7 @@ jobs: if: ${{ inputs.enable-experimental }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: - name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }} + name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} path: ./tests/conformance-profile.yaml - name: Upload profile to release From d71f8957d110a14f7bc007c3fdb1c398a6116684 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 11:50:03 +0100 Subject: [PATCH 24/65] Fix pre-commit errors --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 74929f45b0..a4dc1f582c 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -182,7 +182,7 @@ jobs: if: ${{ inputs.enable-experimental }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: - name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} path: ./tests/conformance-profile.yaml - name: Upload profile to release From 0190c838ca855e020e6f0f6f13ac897f653b9532 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 13:04:10 +0100 Subject: [PATCH 25/65] Update conformance profile output with additional inputs --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index a4dc1f582c..99ea602e2f 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -182,7 +182,7 @@ jobs: if: ${{ inputs.enable-experimental }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: - name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }-${{ inputs.enable-experimental }} path: ./tests/conformance-profile.yaml - name: Upload profile to release From c4c696f2ae1ff84f5c4fa730f61fe3d754c65732 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 13:14:47 +0100 Subject: [PATCH 26/65] Use ngf meta output in fonromance profile name --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 99ea602e2f..9c95d849cb 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -182,7 +182,7 @@ jobs: if: ${{ inputs.enable-experimental }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: - name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }-${{ inputs.enable-experimental }} + name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }}-${{ inputs.enable-experimental }} path: ./tests/conformance-profile.yaml - name: Upload profile to release From a418b6fc108962b38a1a2ddda47a24f692f5dd5d Mon Sep 17 00:00:00 2001 
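Review bot: The new `name:` value closes the `build_os` expression with a single brace, `... || '' }-${{ inputs.enable-experimental }}`. The first `${{` is then terminated only by the final `}}`, so everything in between is read as one malformed expression and the workflow should fail validation instead of uploading the profile. Close it as `... || '' }}-${{ inputs.enable-experimental }}`. The identical line is added again by the conformance.yml hunk of PATCH 27/65, and the step continues outside the hunk.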
From: shaun-nx Date: Fri, 26 Sep 2025 13:40:08 +0100 Subject: [PATCH 27/65] Update conformance test name --- .github/workflows/conformance.yml | 2 +- build/Dockerfile | 30 --------------------- build/Dockerfile.nginx | 37 -------------------------- build/Dockerfile.nginxplus | 43 ------------------------------- 4 files changed, 1 insertion(+), 111 deletions(-) delete mode 100644 build/Dockerfile delete mode 100644 build/Dockerfile.nginx delete mode 100644 build/Dockerfile.nginxplus diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 9c95d849cb..99ea602e2f 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -182,7 +182,7 @@ jobs: if: ${{ inputs.enable-experimental }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: - name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }}-${{ inputs.enable-experimental }} + name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }-${{ inputs.enable-experimental }} path: ./tests/conformance-profile.yaml - name: Upload profile to release diff --git a/build/Dockerfile b/build/Dockerfile deleted file mode 100644 index 6e47d4d923..0000000000 --- a/build/Dockerfile +++ /dev/null 
@@ -1,30 +0,0 @@ -# syntax=docker/dockerfile:1.18 -FROM golang:1.25 AS builder - -WORKDIR /go/src/github.com/nginx/nginx-gateway-fabric - -COPY go.mod go.sum /go/src/github.com/nginx/nginx-gateway-fabric/ -RUN go mod download - -COPY . /go/src/github.com/nginx/nginx-gateway-fabric -RUN make build - -FROM golang:1.25 AS ca-certs-provider - -FROM scratch AS common -# CA certs are needed for telemetry report so that NGF can verify the server's certificate. -COPY --from=ca-certs-provider --link /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ -USER 101:1001 -ARG BUILD_AGENT -ENV BUILD_AGENT=${BUILD_AGENT} -ENTRYPOINT [ "/usr/bin/gateway" ] - -FROM common AS container -COPY --from=builder /go/src/github.com/nginxinc/nginx-gateway-fabric/build/out/gateway /usr/bin/ - -FROM common AS local -COPY ./build/out/gateway /usr/bin/ - -FROM common AS goreleaser -ARG TARGETARCH -COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/ diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx deleted file mode 100644 index 378e8c909b..0000000000 --- a/build/Dockerfile.nginx +++ /dev/null 
@@ -1,37 +0,0 @@ -# syntax=docker/dockerfile:1.18 -FROM scratch AS nginx-files - -# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 -ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub - -FROM nginx:1.29.1-alpine-otel - -# renovate: datasource=github-tags depName=nginx/agent -ARG NGINX_AGENT_VERSION=v3.3.1 -ARG NJS_DIR -ARG NGINX_CONF_DIR -ARG BUILD_AGENT - -RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ - printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION#v} - -RUN apk add --no-cache bash \ - && mkdir -p /usr/lib/nginx/modules \ - # forward request and error logs to docker log collector - && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log - -COPY build/entrypoint.sh /agent/entrypoint.sh -COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js -COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf -COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf -COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf - -RUN chown -R 101:1001 /etc/nginx /var/cache/nginx - -LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}" - -USER 101:1001 - -ENTRYPOINT ["/agent/entrypoint.sh"] diff --git a/build/Dockerfile.nginxplus b/build/Dockerfile.nginxplus deleted file mode 100644 index b92dc19516..0000000000 --- a/build/Dockerfile.nginxplus +++ /dev/null 
@@ -1,43 +0,0 @@ -# syntax=docker/dockerfile:1.18 -FROM scratch AS nginx-files - -# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 -ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub - -FROM alpine:3.22 - -ARG NGINX_PLUS_VERSION=R35 -# renovate: datasource=github-tags depName=nginx/agent -ARG NGINX_AGENT_VERSION=v3.3.1 -ARG NJS_DIR -ARG NGINX_CONF_DIR -ARG BUILD_AGENT - -RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ - --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ - --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ - addgroup -g 1001 -S nginx \ - && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ - && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-agent=${NGINX_AGENT_VERSION#v} - -RUN apk add --no-cache bash \ - && mkdir -p /usr/lib/nginx/modules \ - # forward request and error logs to docker log collector - && ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log - -COPY build/entrypoint.sh /agent/entrypoint.sh -COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js -COPY ${NGINX_CONF_DIR}/nginx-plus.conf /etc/nginx/nginx.conf -COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf -COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf - -RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/lib/nginx - -USER 101:1001 - -LABEL 
org.nginx.ngf.image.build.agent="${BUILD_AGENT}" - -ENTRYPOINT ["/agent/entrypoint.sh"] From 214d789106bc84b9df738ccd15e498b74f3261e0 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 14:10:24 +0100 Subject: [PATCH 28/65] Ensure build os is passed to functional and conformance tests --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 65c03d2f31..a21a7b6cbf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -289,6 +289,7 @@ jobs: with: image: ${{ matrix.image }} k8s-version: ${{ matrix.k8s-version }} + build_os: ${{ matrix.build_os }} secrets: inherit permissions: contents: read @@ -312,6 +313,7 @@ jobs: image: ${{ matrix.image }} k8s-version: ${{ matrix.k8s-version }} enable-experimental: ${{ matrix.enable-experimental }} + build_os: ${{ matrix.build_os }} production-release: ${{ inputs.is_production_release == true && (inputs.dry_run == false || inputs.dry_run == null) }} release_version: ${{ inputs.release_version }} secrets: inherit From 42a35050827be7bf7997af539d9ee5e7a4fac7db Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 15:19:59 +0100 Subject: [PATCH 29/65] Use ngf-meta.output.version in place of build os --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 99ea602e2f..38213f55b1 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -182,7 +182,7 @@ jobs: if: ${{ inputs.enable-experimental }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: - name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }-${{ inputs.enable-experimental }} + name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }} path: ./tests/conformance-profile.yaml - name: Upload profile to release From 2636921896ce98cf30292d3b8be94ad4dc470a00 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 15:37:05 +0100 Subject: [PATCH 30/65] Move base dockerfiles back to root build dir --- build/Dockerfile | 30 ++++++++++++++++++++++++++ build/Dockerfile.nginx | 37 ++++++++++++++++++++++++++++++++ build/Dockerfile.nginxplus | 43 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 110 insertions(+) create mode 100644 build/Dockerfile create mode 100644 build/Dockerfile.nginx create mode 100644 build/Dockerfile.nginxplus diff --git a/build/Dockerfile b/build/Dockerfile new file mode 100644 index 0000000000..6e47d4d923 --- /dev/null +++ b/build/Dockerfile 
@@ -0,0 +1,30 @@ +# syntax=docker/dockerfile:1.18 +FROM golang:1.25 AS builder + +WORKDIR /go/src/github.com/nginx/nginx-gateway-fabric + +COPY go.mod go.sum /go/src/github.com/nginx/nginx-gateway-fabric/ +RUN go mod download + +COPY . /go/src/github.com/nginx/nginx-gateway-fabric +RUN make build + +FROM golang:1.25 AS ca-certs-provider + +FROM scratch AS common +# CA certs are needed for telemetry report so that NGF can verify the server's certificate. +COPY --from=ca-certs-provider --link /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ +USER 101:1001 +ARG BUILD_AGENT +ENV BUILD_AGENT=${BUILD_AGENT} +ENTRYPOINT [ "/usr/bin/gateway" ] + +FROM common AS container +COPY --from=builder /go/src/github.com/nginxinc/nginx-gateway-fabric/build/out/gateway /usr/bin/ + +FROM common AS local +COPY ./build/out/gateway /usr/bin/ + +FROM common AS goreleaser +ARG TARGETARCH +COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/ diff --git a/build/Dockerfile.nginx b/build/Dockerfile.nginx new file mode 100644 index 0000000000..378e8c909b --- /dev/null +++ b/build/Dockerfile.nginx 
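Review bot: The `container` stage copies the binary from `/go/src/github.com/nginxinc/nginx-gateway-fabric/build/out/gateway`, but the `builder` stage sets `WORKDIR /go/src/github.com/nginx/nginx-gateway-fabric` and runs `make build` there. Unless the build writes its output under the `nginxinc` path (not visible here), that `COPY --from=builder` has no source and the `container` target cannot build; use `COPY --from=builder /go/src/github.com/nginx/nginx-gateway-fabric/build/out/gateway /usr/bin/`. Separately, both `FROM golang:1.25` lines are tag-only, and the second one supplies the CA bundle the final image trusts, so a digest pin would make that trust store reviewable.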
@@ -0,0 +1,37 @@ +# syntax=docker/dockerfile:1.18 +FROM scratch AS nginx-files + +# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 +ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub + +FROM nginx:1.29.1-alpine-otel + +# renovate: datasource=github-tags depName=nginx/agent +ARG NGINX_AGENT_VERSION=v3.3.1 +ARG NJS_DIR +ARG NGINX_CONF_DIR +ARG BUILD_AGENT + +RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ + printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION#v} + +RUN apk add --no-cache bash \ + && mkdir -p /usr/lib/nginx/modules \ + # forward request and error logs to docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +COPY build/entrypoint.sh /agent/entrypoint.sh +COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NGINX_CONF_DIR}/nginx.conf /etc/nginx/nginx.conf +COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf +COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf + +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx + +LABEL org.nginx.ngf.image.build.agent="${BUILD_AGENT}" + +USER 101:1001 + +ENTRYPOINT ["/agent/entrypoint.sh"] diff --git a/build/Dockerfile.nginxplus b/build/Dockerfile.nginxplus new file mode 100644 index 0000000000..b92dc19516 --- /dev/null +++ b/build/Dockerfile.nginxplus 
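Review bot: `ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub` fetches the apk signing key at build time with only TLS to vouch for it, and that key is what the later `apk add --no-cache nginx-agent=...` trusts. Pin the download with `ADD --checksum=sha256:<digest of the reviewed key> ...`, or commit the key and copy it locally as the comment above the line already suggests. The same unverified `ADD` is in build/Dockerfile.nginxplus, the next file in this commit. As a style point, `egrep` is deprecated in favour of `grep -E`, which the nginxplus file already uses on one of its two repository lines.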
@@ -0,0 +1,43 @@ +# syntax=docker/dockerfile:1.18 +FROM scratch AS nginx-files + +# the following links can be replaced with local files if needed, i.e. ADD --chown=101:1001 +ADD --link --chown=101:1001 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub + +FROM alpine:3.22 + +ARG NGINX_PLUS_VERSION=R35 +# renovate: datasource=github-tags depName=nginx/agent +ARG NGINX_AGENT_VERSION=v3.3.1 +ARG NJS_DIR +ARG NGINX_CONF_DIR +ARG BUILD_AGENT + +RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ + --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \ + --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \ + addgroup -g 1001 -S nginx \ + && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ + && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ + && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-agent=${NGINX_AGENT_VERSION#v} + +RUN apk add --no-cache bash \ + && mkdir -p /usr/lib/nginx/modules \ + # forward request and error logs to docker log collector + && ln -sf /dev/stdout /var/log/nginx/access.log \ + && ln -sf /dev/stderr /var/log/nginx/error.log + +COPY build/entrypoint.sh /agent/entrypoint.sh +COPY ${NJS_DIR}/httpmatches.js /usr/lib/nginx/modules/njs/httpmatches.js +COPY ${NGINX_CONF_DIR}/nginx-plus.conf /etc/nginx/nginx.conf +COPY ${NGINX_CONF_DIR}/grpc-error-locations.conf /etc/nginx/grpc-error-locations.conf +COPY ${NGINX_CONF_DIR}/grpc-error-pages.conf /etc/nginx/grpc-error-pages.conf + +RUN chown -R 101:1001 /etc/nginx /var/cache/nginx /var/lib/nginx + +USER 101:1001 + +LABEL 
org.nginx.ngf.image.build.agent="${BUILD_AGENT}" + +ENTRYPOINT ["/agent/entrypoint.sh"] From be670b017f3dd3a73f7cdc74f13d089edf691997 Mon Sep 17 00:00:00 2001 From: Shaun Date: Fri, 26 Sep 2025 16:35:32 +0100 Subject: [PATCH 31/65] Update .github/workflows/conformance.yml Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 38213f55b1..3302c79dc5 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -97,7 +97,7 @@ jobs: type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: Build binary From c1cb9bcb4c2253979266981e7b797f2b7f766a6b Mon Sep 17 00:00:00 2001 From: Shaun Date: Fri, 26 Sep 2025 16:35:39 +0100 Subject: [PATCH 32/65] Update .github/workflows/functional.yml Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- .github/workflows/functional.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index c8c77bca9a..3a9e4877c7 100644 --- a/.github/workflows/functional.yml 
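Review bot: Both build secrets in build/Dockerfile.nginxplus are mounted with `mode=0644`, including the client private key at `dst=/etc/apk/cert.key`, which makes it readable by every user inside the build container for the duration of that RUN step. No `USER` precedes the instruction, so it runs as root and the default secret mode (0400) should be enough; `--mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0400` keeps the key owner-only. If apk really needs a wider mode, a one-line comment saying why would help the next reader.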
+++ b/.github/workflows/functional.yml @@ -69,7 +69,7 @@ jobs: type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: NGINX Docker meta From 8f3d872c70bed33bc3c45c32550ac3480d2de7eb Mon Sep 17 00:00:00 2001 From: Shaun Date: Fri, 26 Sep 2025 16:46:54 +0100 Subject: [PATCH 33/65] Update .github/workflows/conformance.yml Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 3302c79dc5..91024ef1f5 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -98,7 +98,7 @@ jobs: type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 From 66ce6a2c2010fc1bb3a62ded3b2b4fb21728bbd3 Mon Sep 17 00:00:00 2001 From: Shaun Date: Fri, 26 Sep 2025 16:47:08 +0100 Subject: [PATCH 34/65] Update .github/workflows/functional.yml Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- .github/workflows/functional.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 3a9e4877c7..09a52488aa 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml 
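Review bot: On the added `type=raw` line, `value={{inputs.release_version}}` is missing the leading `$`, so GitHub Actions does not evaluate it and the literal braces are handed to docker/metadata-action, which interprets `{{…}}` with its own template syntax. The resulting tag would then likely not be the release version, and this line only fires for production releases, where a wrong tag is most costly. Write `value=${{ inputs.release_version }}`, matching the `enable=${{ … }}` and `suffix=${{ … }}` parts of the same line. The same omission is in the functional.yml hunks of PATCH 34 and PATCH 35, and PATCH 45 repairs `enable=` but still leaves `value={{ inputs.release_version }}` unevaluated.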
@@ -70,7 +70,7 @@ jobs: type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: NGINX Docker meta id: nginx-meta From 873d56f351b69c08dfb1dbd6b121f9fa10ca3c82 Mon Sep 17 00:00:00 2001 From: Shaun Date: Fri, 26 Sep 2025 16:47:15 +0100 Subject: [PATCH 35/65] Update .github/workflows/functional.yml Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- .github/workflows/functional.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 09a52488aa..19fdcc148b 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml 
@@ -84,7 +84,7 @@ jobs: type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} - type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 From 8f1a6f710b4d86b241638a95472ad9a8604a03f0 Mon Sep 17 00:00:00 2001 From: Shaun Date: Fri, 26 Sep 2025 16:47:22 +0100 Subject: [PATCH 36/65] Update .github/workflows/functional.yml Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- .github/workflows/functional.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 19fdcc148b..6ea7e73867 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml 
@@ -83,7 +83,7 @@ jobs: type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: Build binary From 168e2b03b53c79ec4f34ba6461ed8fe52728a7a2 Mon Sep 17 00:00:00 2001 From: Shaun Date: Fri, 26 Sep 2025 16:48:44 +0100 Subject: [PATCH 37/65] Update Makefile Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 7b9b73ca2f..1391c54abd 100644 --- a/Makefile +++ b/Makefile 
@@ -43,7 +43,7 @@ HELM_SCHEMA_VERSION = 0.18.1 PREFIX ?= nginx-gateway-fabric## The name of the NGF image. For example, nginx-gateway-fabric NGINX_PREFIX ?= $(PREFIX)/nginx## The name of the nginx image. For example: nginx-gateway-fabric/nginx NGINX_PLUS_PREFIX ?= $(PREFIX)/nginx-plus## The name of the nginx plus image. For example: nginx-gateway-fabric/nginx-plus -BUILD_OS ?= ## The OS of the nginx image. Possible values: alpine and ubi +BUILD_OS ?= ## The OS of the nginx image. Possible values: ubi and empty string, which defaults to alpine. NGINX_SERVICE_TYPE ?= NodePort## The type of the nginx service. Possible values: NodePort, LoadBalancer, ClusterIP PULL_POLICY ?= Never## The pull policy of the images. Possible values: Always, IfNotPresent, Never TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 1.1.0 From 00dbbc68245f13f05a834c36349669f94363f4df Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 26 Sep 2025 16:52:10 +0100 Subject: [PATCH 38/65] Ensure subscription manage and shadowutils are removed --- build/ubi/Dockerfile.nginxplus | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 30922e4b0d..6224136c09 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -50,7 +50,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos # Install nginx-agent && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up - # && microdnf remove -y shadow-utils subscription-manager \ + && microdnf remove -y shadow-utils subscription-manager \ && microdnf clean all \ && rm -rf /var/cache/yum From c08dfebb3a90f44efee93de0f9a8f1c9f41f7802 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 29 Sep 2025 10:02:09 +0100 Subject: [PATCH 39/65] Debug conformance test name --- .github/workflows/conformance.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 91024ef1f5..a4575a6e69 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -178,6 +178,11 @@ jobs: if [ "${core_result}" == "failure" ] || [ "${extended_result}" == "failure" ]; then echo "Conformance test failed, see above for details." && exit 2; fi working-directory: ./tests + - name: Echo artifact name + if: ${{ inputs.enable-experimental }} + run: | + echo "Artifact name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }}" + - name: Upload profile to GitHub if: ${{ inputs.enable-experimental }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 @@ -185,6 +190,7 @@ jobs: name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }} path: ./tests/conformance-profile.yaml + - name: Upload profile to release if: ${{ inputs.production-release && inputs.enable-experimental }} env: From bf3f1381e755368f6ba0a633d9c738129f446820 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 29 Sep 2025 10:24:15 +0100 Subject: [PATCH 40/65] Add production-release as an input for functional tests --- .github/workflows/functional.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 6ea7e73867..de7b5d467f 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -13,6 +13,10 @@ on: k8s-version: required: true type: string + production-release: + required: false + type: boolean + default: false defaults: run: From ff6a102ede2a1b6a28d15bb06275f5bf06ad2ec9 Mon Sep 17 00:00:00 2001 
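Review bot: The added `Echo artifact name` step expands `${{ inputs.image }}`, `${{ inputs.k8s-version }}` and `${{ steps.ngf-meta.outputs.version }}` directly inside the `run:` script, so their text becomes part of the shell source before the shell parses it. The values come from the calling workflow here, but the hardened pattern is to pass them through `env:` and reference a shell variable, for example `env: ARTIFACT: conformance-profile-${{ inputs.image }}-…` with `run: echo "Artifact name: ${ARTIFACT}"`. The commit subject marks this step as debugging, so it should be dropped before merge, together with the extra blank line the second hunk adds before `Upload profile to release`.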
From: Shaun Date: Mon, 29 Sep 2025 13:40:50 +0100 Subject: [PATCH 41/65] Update .github/workflows/functional.yml Co-authored-by: Ciara Stacke <18287516+ciarams87@users.noreply.github.com> --- .github/workflows/functional.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index de7b5d467f..6ce7aa6e93 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -87,7 +87,7 @@ jobs: type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} + type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - name: Build binary From a6a21aa3885a81bf84a1421fa6690ebe912d1b3e Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 29 Sep 2025 13:54:26 +0100 Subject: [PATCH 42/65] Add tag_suffix to workflow call for conformance and functional workflows --- .github/workflows/ci.yml | 2 ++ .github/workflows/conformance.yml | 28 ++++++++++++++++------------ .github/workflows/functional.yml | 30 ++++++++++++++---------------- 3 files changed, 32 insertions(+), 28 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a21a7b6cbf..573772a6bf 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
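Review bot: The replacement `type=ref,event=branch` line stops at `startsWith(github.ref, 'refs/heads/release')` with no closing `}}`, so the `${{` expression is unterminated and the workflow would be rejected or would pull the following `type=raw` line into the expression. If the intent is to drop the `production-release` clause, close it: `enable=${{ startsWith(github.ref, 'refs/heads/release') }}`. Removing `&& !inputs.production-release` also changes when the `-rc` tag is produced, which the commit message does not mention.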
@@ -290,6 +290,7 @@ jobs: image: ${{ matrix.image }} k8s-version: ${{ matrix.k8s-version }} build_os: ${{ matrix.build_os }} + tag_suffix: ${{ matrix.build_os != '' && format('-{0}', matrix.build_os) || '' }} secrets: inherit permissions: contents: read @@ -314,6 +315,7 @@ jobs: k8s-version: ${{ matrix.k8s-version }} enable-experimental: ${{ matrix.enable-experimental }} build_os: ${{ matrix.build_os }} + tag_suffix: ${{ matrix.build_os != '' && format('-{0}', matrix.build_os) || '' }} production-release: ${{ inputs.is_production_release == true && (inputs.dry_run == false || inputs.dry_run == null) }} release_version: ${{ inputs.release_version }} secrets: inherit diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index a4575a6e69..96061a1932 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -10,6 +10,10 @@ on: required: false type: string default: '' + tag_suffix: + required: false + type: string + default: '' k8s-version: required: true type: string 
@@ -79,12 +83,12 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric tags: | - type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} - type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=semver,pattern={{version}},suffix=${{ inputs.tag_suffix }} + type=edge,suffix=${{ inputs.tag_suffix }} + type=schedule,suffix=${{ inputs.tag_suffix }} + type=ref,event=pr,suffix=${{ inputs.tag_suffix }} + type=ref,event=branch,suffix=-rc${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} + type=raw,value={{ inputs.release_version }},enable={{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.tag_suffix }} - name: NGINX Docker meta id: nginx-meta 
@@ -93,12 +97,12 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }} tags: | - type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=semver,pattern={{version}},suffix=${{ inputs.tag_suffix }} + type=edge,suffix=${{ inputs.tag_suffix }} + type=schedule,suffix=${{ inputs.tag_suffix }} + type=ref,event=pr,suffix=${{ inputs.tag_suffix }} + type=ref,event=branch,suffix=-rc${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} + type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.tag_suffix }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 6ce7aa6e93..5f10d27760 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -10,13 +10,13 @@ on: required: false type: string default: '' + tag_suffix: + required: false + type: string + default: '' k8s-version: required: true type: string - production-release: - required: false - type: boolean - default: false defaults: run: 
@@ -69,12 +69,11 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric tags: | - type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=semver,pattern={{version}},suffix=${{ inputs.tag_suffix }} + type=schedule,suffix=${{ inputs.tag_suffix }} + type=edge,suffix=${{ inputs.tag_suffix }} + type=ref,event=pr,suffix=${{ inputs.tag_suffix }} + type=ref,event=branch,suffix=-rc${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - name: NGINX Docker meta id: nginx-meta 
@@ -83,12 +82,11 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }} tags: | - type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') - type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=semver,pattern={{version}},suffix=${{ inputs.tag_suffix }} + type=edge,suffix=${{ inputs.tag_suffix }} + type=schedule,suffix=${{ inputs.tag_suffix }} + type=ref,event=pr,suffix=${{ inputs.tag_suffix }} + type=ref,event=branch,suffix=-rc${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 From 6aed80992278877f6b0350b68b64d90091fa11c1 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 29 Sep 2025 14:14:51 +0100 Subject: [PATCH 43/65] Remove tag_suffix and updated build-os variable --- .github/workflows/ci.yml | 10 ++++------ .github/workflows/conformance.yml | 30 +++++++++++++----------------- .github/workflows/functional.yml | 26 +++++++++++--------------- 3 files changed, 28 insertions(+), 38 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 573772a6bf..93c89a1771 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -279,7 +279,7 @@ jobs: fail-fast: false matrix: image: [nginx, plus] - build_os: ["", ubi] + build-os: ["", ubi] k8s-version: [ "${{ needs.vars.outputs.min_k8s_version }}", @@ -289,8 +289,7 @@ jobs: with: image: ${{ matrix.image }} k8s-version: ${{ matrix.k8s-version }} - build_os: ${{ matrix.build_os }} - tag_suffix: ${{ matrix.build_os != '' && format('-{0}', matrix.build_os) || '' }} + build-os: ${{ matrix.build-os }} secrets: inherit permissions: contents: read @@ -302,7 +301,7 @@ jobs: fail-fast: false matrix: image: [nginx, plus] - build_os: ["", ubi] + build-os: ["", ubi] k8s-version: [ "${{ needs.vars.outputs.min_k8s_version }}", @@ -314,8 +313,7 @@ jobs: image: ${{ matrix.image }} k8s-version: ${{ matrix.k8s-version }} enable-experimental: ${{ matrix.enable-experimental }} - build_os: ${{ matrix.build_os }} - tag_suffix: ${{ matrix.build_os != '' && format('-{0}', matrix.build_os) || '' }} + build-os: ${{ matrix.build-os }} production-release: ${{ inputs.is_production_release == true && (inputs.dry_run == false || inputs.dry_run == null) }} release_version: ${{ inputs.release_version }} secrets: inherit diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 96061a1932..178cc21243 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -6,11 +6,7 @@ on: image: required: true type: string - build_os: - required: false - type: string - default: '' - tag_suffix: + build-os: required: false type: string default: '' 
@@ -83,12 +79,12 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric tags: | - type=semver,pattern={{version}},suffix=${{ inputs.tag_suffix }} - type=edge,suffix=${{ inputs.tag_suffix }} - type=schedule,suffix=${{ inputs.tag_suffix }} - type=ref,event=pr,suffix=${{ inputs.tag_suffix }} - type=ref,event=branch,suffix=-rc${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value={{ inputs.release_version }},enable={{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.tag_suffix }} + type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} && !inputs.production-release }} + type=raw,value={{ inputs.release_version }},enable={{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - name: NGINX Docker meta id: nginx-meta 
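Review bot: In this NGF Docker meta hunk the new `type=ref,event=branch` line has two closers: the expression ends at `inputs.tag == '' }}` and the trailing ` && !inputs.production-release }}` is left as literal text inside the `enable=` value. It also brings back `inputs.tag`, which earlier commits in this series replaced. The intended line is presumably `enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}`, as the NGINX Docker meta hunk that follows already has. The `type=raw` line below it still uses `enable={{ … }}` without `$`, so that condition is not evaluated by GitHub Actions either.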
@@ -97,12 +93,12 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }} tags: | - type=semver,pattern={{version}},suffix=${{ inputs.tag_suffix }} - type=edge,suffix=${{ inputs.tag_suffix }} - type=schedule,suffix=${{ inputs.tag_suffix }} - type=ref,event=pr,suffix=${{ inputs.tag_suffix }} - type=ref,event=branch,suffix=-rc${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.tag_suffix }} + type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} + type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 5f10d27760..0d33e26e40 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -6,11 +6,7 @@ on: image: required: true type: string - build_os: - required: false - type: string - default: '' - tag_suffix: + build-os: required: false type: string default: '' 
@@ -69,11 +65,11 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric tags: | - type=semver,pattern={{version}},suffix=${{ inputs.tag_suffix }} - type=schedule,suffix=${{ inputs.tag_suffix }} - type=edge,suffix=${{ inputs.tag_suffix }} - type=ref,event=pr,suffix=${{ inputs.tag_suffix }} - type=ref,event=branch,suffix=-rc${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} + type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }} - name: NGINX Docker meta id: nginx-meta 
@@ -82,11 +78,11 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }} tags: | - type=semver,pattern={{version}},suffix=${{ inputs.tag_suffix }} - type=edge,suffix=${{ inputs.tag_suffix }} - type=schedule,suffix=${{ inputs.tag_suffix }} - type=ref,event=pr,suffix=${{ inputs.tag_suffix }} - type=ref,event=branch,suffix=-rc${{ inputs.tag_suffix }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} + type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 From 99a75d6c80d1551d31b23280cf97633dc6091758 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 29 Sep 2025 14:35:29 +0100 Subject: [PATCH 44/65] Fix NFG docker meta --- .github/workflows/conformance.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 178cc21243..70bc55ac42 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -83,7 +83,7 @@ jobs: type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} && !inputs.production-release }} + type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} type=raw,value={{ inputs.release_version }},enable={{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - name: NGINX Docker meta From d424ca136ae15e61713c252377ff9aa4aa847e59 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 29 Sep 2025 15:48:34 +0100 Subject: [PATCH 45/65] Fix tags and add BUILD_OS to build args --- .github/workflows/conformance.yml | 5 +++-- .github/workflows/functional.yml | 1 + Makefile | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 70bc55ac42..37f61c6000 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -84,7 +84,7 @@ jobs: type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value={{ inputs.release_version }},enable={{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - name: NGINX Docker meta id: nginx-meta @@ -98,7 +98,7 @@ jobs: type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }} - type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 @@ -133,6 +133,7 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha + BUILD_OS=${{ inputs.build-os }} - name: Update Go Modules if: ${{ github.event_name == 'schedule' }} 
diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 0d33e26e40..bce02af764 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -117,6 +117,7 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha + BUILD_OS=${{ inputs.build-os }} - name: Setup license file for plus if: ${{ inputs.image == 'plus' }} diff --git a/Makefile b/Makefile index 1391c54abd..96a83314e2 100644 --- a/Makefile +++ b/Makefile 
@@ -228,11 +228,11 @@ install-ngf-local-build: build-images load-images helm-install-local ## Install install-ngf-local-build-with-plus: check-for-plus-usage-endpoint build-images-with-plus load-images-with-plus helm-install-local-with-plus ## Install NGF with NGINX Plus from local build on configured kind cluster. .PHONY: helm-install-local -helm-install-local: install-gateway-crds ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build. +helm-install-local: ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build. helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=$(PULL_POLICY) --set nginx.service.type=$(NGINX_SERVICE_TYPE) --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) .PHONY: helm-install-local-with-plus -helm-install-local-with-plus: check-for-plus-usage-endpoint install-gateway-crds ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus. +helm-install-local-with-plus: check-for-plus-usage-endpoint ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus. 
kubectl create namespace nginx-gateway || true kubectl -n nginx-gateway create secret generic nplus-license --from-file $(PLUS_LICENSE_FILE) || true helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PLUS_PREFIX) --wait --set nginxGateway.image.pullPolicy=$(PULL_POLICY) --set nginx.service.type=$(NGINX_SERVICE_TYPE) --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway --set nginx.plus=true --set nginx.usage.endpoint=$(PLUS_USAGE_ENDPOINT) $(HELM_PARAMETERS) From eb6991f5686e650ee166bfb14a8143aa58785ee2 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 29 Sep 2025 15:54:42 +0100 Subject: [PATCH 46/65] Revert makefile --- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 96a83314e2..1391c54abd 100644 --- a/Makefile +++ b/Makefile 
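Review bot: This hunk drops the `install-gateway-crds` prerequisite from `helm-install-local` and `helm-install-local-with-plus`, which is unrelated to the commit subject about tags and `BUILD_OS`. Without it the targets run `helm install` on a cluster that may not have the Gateway API CRDs, so a fresh kind cluster would presumably fail where it worked before. Keep the prerequisite, `helm-install-local: install-gateway-crds`, or move the change to its own commit with a stated reason.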
@@ -228,11 +228,11 @@ install-ngf-local-build: build-images load-images helm-install-local ## Install install-ngf-local-build-with-plus: check-for-plus-usage-endpoint build-images-with-plus load-images-with-plus helm-install-local-with-plus ## Install NGF with NGINX Plus from local build on configured kind cluster. .PHONY: helm-install-local -helm-install-local: ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build. +helm-install-local: install-gateway-crds ## Helm install NGF on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build. helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PREFIX) --create-namespace --wait --set nginxGateway.image.pullPolicy=$(PULL_POLICY) --set nginx.service.type=$(NGINX_SERVICE_TYPE) --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway $(HELM_PARAMETERS) .PHONY: helm-install-local-with-plus -helm-install-local-with-plus: check-for-plus-usage-endpoint ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus. +helm-install-local-with-plus: check-for-plus-usage-endpoint install-gateway-crds ## Helm install NGF with NGINX Plus on configured kind cluster with local images. To build, load, and install with helm run make install-ngf-local-build-with-plus. 
kubectl create namespace nginx-gateway || true kubectl -n nginx-gateway create secret generic nplus-license --from-file $(PLUS_LICENSE_FILE) || true helm install nginx-gateway $(CHART_DIR) --set nginx.image.repository=$(NGINX_PLUS_PREFIX) --wait --set nginxGateway.image.pullPolicy=$(PULL_POLICY) --set nginx.service.type=$(NGINX_SERVICE_TYPE) --set nginxGateway.image.repository=$(PREFIX) --set nginxGateway.image.tag=$(TAG) --set nginx.image.tag=$(TAG) --set nginx.image.pullPolicy=$(PULL_POLICY) --set nginxGateway.gwAPIExperimentalFeatures.enable=$(ENABLE_EXPERIMENTAL) -n nginx-gateway --set nginx.plus=true --set nginx.usage.endpoint=$(PLUS_USAGE_ENDPOINT) $(HELM_PARAMETERS) From d911c35e232cbc46dbb7e0644793d4362efcaf3b Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 29 Sep 2025 16:10:51 +0100 Subject: [PATCH 47/65] Eneusre right dockerfile is used at build stage --- .github/workflows/conformance.yml | 3 +-- .github/workflows/functional.yml | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 37f61c6000..b910e94484 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -123,7 +123,7 @@ jobs: - name: Build NGINX Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}} + file: build/${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }} tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true @@ -133,7 +133,6 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha - BUILD_OS=${{ inputs.build-os }} - name: Update Go Modules if: ${{ github.event_name == 'schedule' }} 
diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index bce02af764..bd8d16300d 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -107,7 +107,7 @@ jobs: - name: Build NGINX Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}} + file: build/${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }} tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true @@ -117,7 +117,6 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha - BUILD_OS=${{ inputs.build-os }} - name: Setup license file for plus if: ${{ inputs.image == 'plus' }} From 54c1fa147d828dee0d0b14bce7c2068050cdae3a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 29 Sep 2025 16:25:47 +0100 Subject: [PATCH 48/65] Fix forward-slash placement --- .github/workflows/conformance.yml | 2 +- .github/workflows/functional.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index b910e94484..84ffb97faf 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -123,7 +123,7 @@ jobs: - name: Build NGINX Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - file: build/${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }} + file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }} tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index bd8d16300d..e1247c409a 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -107,7 +107,7 @@ jobs: - name: Build NGINX Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - file: build/${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }} + file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }} tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true From c1ee265dbff169f12910fce2c956b815b135d9ab Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 30 Sep 2025 10:26:32 +0100 Subject: [PATCH 49/65] Update `cache-froma for functional and conformance tests --- .github/workflows/conformance.yml | 2 +- .github/workflows/functional.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 84ffb97faf..720f178b30 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -127,7 +127,7 @@ jobs: tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true - cache-from: type=gha,scope=${{ inputs.image }} + cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} pull: true build-args: | NJS_DIR=internal/controller/nginx/modules/src diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index e1247c409a..4415a13e5a 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -111,7 +111,7 @@ jobs: tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true - cache-from: type=gha,scope=${{ inputs.image }} + cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} pull: true build-args: | NJS_DIR=internal/controller/nginx/modules/src From 320762297cf6d485b13b1f41037940d44803515c Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 30 Sep 2025 10:49:30 +0100 Subject: [PATCH 50/65] Temp - Remove build OS from functional test. Revert back to main for debugging --- .github/workflows/ci.yml | 4 ++-- .github/workflows/functional.yml | 32 ++++++++++++++------------------ 2 files changed, 16 insertions(+), 20 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 93c89a1771..d3dbd94ec5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -279,7 +279,7 @@ jobs: fail-fast: false matrix: image: [nginx, plus] - build-os: ["", ubi] + # build-os: ["", ubi] k8s-version: [ "${{ needs.vars.outputs.min_k8s_version }}", @@ -289,7 +289,7 @@ jobs: with: image: ${{ matrix.image }} k8s-version: ${{ matrix.k8s-version }} - build-os: ${{ matrix.build-os }} + # build-os: ${{ matrix.build-os }} secrets: inherit permissions: contents: read diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 4415a13e5a..89193ff7bf 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml 
@@ -6,10 +6,6 @@ on: image: required: true type: string - build-os: - required: false - type: string - default: '' k8s-version: required: true type: string @@ -65,11 +61,11 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric tags: | - type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }} + type=semver,pattern={{version}} + type=schedule + type=edge + type=ref,event=pr + type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} - name: NGINX Docker meta id: nginx-meta 
@@ -78,16 +74,16 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }} tags: | - type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }} + type=semver,pattern={{version}} + type=edge + type=schedule + type=ref,event=pr + type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 with: - version: v2.12.2 # renovate: datasource=github-tags depName=goreleaser/goreleaser + version: v2.12.3 # renovate: datasource=github-tags depName=goreleaser/goreleaser args: build --single-target --snapshot --clean env: TELEMETRY_ENDPOINT: otel-collector-opentelemetry-collector.collector.svc.cluster.local:4317 
@@ -107,11 +103,11 @@ jobs: - name: Build NGINX Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }} + file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}} tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true - cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + cache-from: type=gha,scope=${{ inputs.image }} pull: true build-args: | NJS_DIR=internal/controller/nginx/modules/src @@ -157,4 +153,4 @@ jobs: ngf_prefix=ghcr.io/nginx/nginx-gateway-fabric ngf_tag=${{ steps.ngf-meta.outputs.version }} make test${{ inputs.image == 'plus' && '-with-plus' || ''}} PREFIX=${ngf_prefix} TAG=${ngf_tag} GW_SERVICE_TYPE=LoadBalancer CLUSTER_NAME=${{ github.run_id }} CI=true - working-directory: ./tests + working-directory: ./tests \ No newline at end of file From 6350f6865db2b9ea247f41e3f1a2a96573726fa4 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 30 Sep 2025 11:01:59 +0100 Subject: [PATCH 51/65] Fix pre-commit error --- .github/workflows/functional.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 89193ff7bf..23fc9b32eb 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -153,4 +153,4 @@ jobs: ngf_prefix=ghcr.io/nginx/nginx-gateway-fabric ngf_tag=${{ steps.ngf-meta.outputs.version }} make test${{ inputs.image == 'plus' && '-with-plus' || ''}} PREFIX=${ngf_prefix} TAG=${ngf_tag} GW_SERVICE_TYPE=LoadBalancer CLUSTER_NAME=${{ github.run_id }} CI=true - working-directory: ./tests \ No newline at end of file + working-directory: ./tests 
From 55906734dbab7755dfc5eae3ace22cdd2007599f Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 30 Sep 2025 11:23:37 +0100 Subject: [PATCH 52/65] Add repo secrets to functional and conformance tests --- .github/workflows/ci.yml | 4 ++-- .github/workflows/conformance.yml | 3 +++ .github/workflows/functional.yml | 29 ++++++++++++++++++----------- 3 files changed, 23 insertions(+), 13 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d3dbd94ec5..93c89a1771 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -279,7 +279,7 @@ jobs: fail-fast: false matrix: image: [nginx, plus] - # build-os: ["", ubi] + build-os: ["", ubi] k8s-version: [ "${{ needs.vars.outputs.min_k8s_version }}", @@ -289,7 +289,7 @@ jobs: with: image: ${{ matrix.image }} k8s-version: ${{ matrix.k8s-version }} - # build-os: ${{ matrix.build-os }} + build-os: ${{ matrix.build-os }} secrets: inherit permissions: contents: read diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 720f178b30..6f2c9a2972 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -133,6 +133,9 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha + secrets: | + ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} + ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} - name: Update Go Modules if: ${{ github.event_name == 'schedule' }} diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 23fc9b32eb..42076721cc 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -9,6 +9,10 @@ on: k8s-version: required: true type: string + build-os: + required: false + type: string + default: '' defaults: run: 
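Review bot: The new `secrets:` entries in the `Build NGINX Docker Image` step of conformance.yml are gated with `contains(inputs.image, 'plus')`, a substring match, while the `file:` line of the same step selects the Plus Dockerfile with `inputs.image == 'plus'`. Any future image name that merely contains "plus" would be handed the repository certificate and key even though the Plus Dockerfile is not the one being built. Gating on the exact value keeps the two conditions aligned, e.g. `${{ inputs.image == 'plus' && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}`. The functional.yml hunk at `@@ -107,12 +111,15 @@` adds the same two lines and would take the same change.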
@@ -61,11 +65,11 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric tags: | - type=semver,pattern={{version}} - type=schedule - type=edge - type=ref,event=pr - type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} + type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }} - name: NGINX Docker meta id: nginx-meta @@ -74,11 +78,11 @@ jobs: images: | name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }} tags: | - type=semver,pattern={{version}} - type=edge - type=schedule - type=ref,event=pr - type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} + type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }} - name: Build binary uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0 
@@ -107,12 +111,15 @@ jobs: tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true - cache-from: type=gha,scope=${{ inputs.image }} + cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} pull: true build-args: | NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha + secrets: | + ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} + ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} - name: Setup license file for plus if: ${{ inputs.image == 'plus' }} From 9f9cc89e4ba1434af3ee78d65450f070aa6db874 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 30 Sep 2025 14:05:40 +0100 Subject: [PATCH 53/65] Update `cache-from` and `cache-to` in `build.yml` --- .github/workflows/build.yml | 22 +++++++++++----------- .github/workflows/conformance.yml | 3 --- .github/workflows/functional.yml | 3 --- 3 files changed, 11 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b9f4d9b610..9c625cda9e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,7 +6,7 @@ on: platforms: required: true type: string - build_os: + build-os: required: false type: string default: '' 
@@ -124,12 +124,12 @@ jobs: flavor: | latest=${{ (inputs.tag != '' && 'true') || 'auto' }} tags: | - type=semver,pattern={{version}},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=edge,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=schedule,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=pr,suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} - type=ref,event=branch,suffix=-rc${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} - type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build_os != '' && format('-{0}', inputs.build_os) || '' }} + type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }} + type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} labels: | org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric org.opencontainers.image.vendor=NGINX Inc 
@@ -147,7 +147,7 @@ jobs: - name: Build Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - file: ${{ inputs.build_os != '' && format('build/{0}/Dockerfile{1}', inputs.build_os, inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') || format('build/Dockerfile{0}', inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') }} + file: ${{ inputs.build-os != '' && format('build/{0}/Dockerfile{1}', inputs.build-os, inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') || format('build/Dockerfile{0}', inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') }} context: "." target: ${{ inputs.image == 'ngf' && 'goreleaser' || '' }} tags: ${{ steps.meta.outputs.tags }} @@ -155,8 +155,8 @@ jobs: annotations: ${{ steps.meta.outputs.annotations }} push: ${{ !inputs.dry_run }} platforms: ${{ inputs.platforms }} - cache-from: type=gha,scope=${{ inputs.image }} - cache-to: type=gha,scope=${{ inputs.image }},mode=max + cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }} + cache-to: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},mode=max pull: true no-cache: ${{ github.event_name != 'pull_request' }} sbom: true @@ -165,7 +165,7 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha - BUILD_OS=${{ inputs.build_os }} + build-os=${{ inputs.build-os }} secrets: | ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 6f2c9a2972..720f178b30 100644 --- a/.github/workflows/conformance.yml 
+++ b/.github/workflows/conformance.yml @@ -133,9 +133,6 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha - secrets: | - ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} - ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} - name: Update Go Modules if: ${{ github.event_name == 'schedule' }} diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 42076721cc..ea836b385c 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -117,9 +117,6 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha - secrets: | - ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} - ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} - name: Setup license file for plus if: ${{ inputs.image == 'plus' }} From 4962d4b4fa78f475f87ed9e1b0fc12871e6fe96d Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 30 Sep 2025 14:08:47 +0100 Subject: [PATCH 54/65] Fix build-os naming --- .github/workflows/ci.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 93c89a1771..44b0e7c163 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -234,12 +234,12 @@ jobs: matrix: image: [ngf, nginx] platforms: ["linux/arm64, linux/amd64"] - build_os: ["", ubi] + build-os: ["", ubi] uses: ./.github/workflows/build.yml with: image: ${{ matrix.image }} platforms: ${{ matrix.platforms }} - build_os: ${{ matrix.build_os }} + build-os: ${{ matrix.build-os }} tag: ${{ inputs.release_version || '' }} dry_run: ${{ inputs.dry_run || false}} runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} @@ -257,11 +257,11 @@ jobs: strategy: fail-fast: false matrix: - build_os: ["", ubi] + build-os: ["", ubi] with: image: plus platforms: "linux/arm64, linux/amd64" - build_os: ${{ matrix.build_os }} + build-os: ${{ matrix.build-os }} tag: ${{ inputs.release_version || '' }} dry_run: ${{ inputs.dry_run || false }} runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }} From f4b6cbd00ad3609a5e8cc4ddb18e9c718d456091 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 30 Sep 2025 15:34:07 +0100 Subject: [PATCH 55/65] re-add secrets to functional and conformance tests --- .github/workflows/conformance.yml | 3 +++ .github/workflows/functional.yml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 720f178b30..6f2c9a2972 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -133,6 +133,9 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha + secrets: | + ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} + ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} - name: Update Go Modules if: ${{ github.event_name == 'schedule' }} diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index ea836b385c..42076721cc 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -117,6 +117,9 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha + secrets: | + ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} + ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} - name: Setup license file for plus if: ${{ inputs.image == 'plus' }} From 07eb4c1246bff4a36555f1dc717a7244e66dc8b3 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 30 Sep 2025 15:51:36 +0100 Subject: [PATCH 56/65] Update dockerfile path for functional tests --- .github/workflows/functional.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 42076721cc..5e24dd37b8 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml 
@@ -107,7 +107,7 @@ jobs: - name: Build NGINX Docker Image uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: - file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}} + file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }} tags: ${{ steps.nginx-meta.outputs.tags }} context: "." load: true From 699d285843c3eb3074915fbdce9858bc13982fa3 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 30 Sep 2025 16:26:27 +0100 Subject: [PATCH 57/65] Remove build os from build args --- .github/workflows/build.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9c625cda9e..3b718c61f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -165,7 +165,6 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha - build-os=${{ inputs.build-os }} secrets: | ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} From 4f9b51b50f854478aa76cf53e04ea7843df8e922 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 1 Oct 2025 08:43:06 +0100 Subject: [PATCH 58/65] Remove secrets from build step --- .github/workflows/conformance.yml | 9 --------- .github/workflows/functional.yml | 3 --- 2 files changed, 12 deletions(-) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 6f2c9a2972..92dcad608c 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml 
@@ -133,9 +133,6 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha - secrets: | - ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} - ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} - name: Update Go Modules if: ${{ github.event_name == 'schedule' }} @@ -181,11 +178,6 @@ jobs: if [ "${core_result}" == "failure" ] || [ "${extended_result}" == "failure" ]; then echo "Conformance test failed, see above for details." && exit 2; fi working-directory: ./tests - - name: Echo artifact name - if: ${{ inputs.enable-experimental }} - run: | - echo "Artifact name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }}" - - name: Upload profile to GitHub if: ${{ inputs.enable-experimental }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 @@ -193,7 +185,6 @@ jobs: name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }} path: ./tests/conformance-profile.yaml - - name: Upload profile to release if: ${{ inputs.production-release && inputs.enable-experimental }} env: diff --git a/.github/workflows/functional.yml b/.github/workflows/functional.yml index 5e24dd37b8..bba8fb758f 100644 --- a/.github/workflows/functional.yml +++ b/.github/workflows/functional.yml @@ -117,9 +117,6 @@ jobs: NJS_DIR=internal/controller/nginx/modules/src NGINX_CONF_DIR=internal/controller/nginx/conf BUILD_AGENT=gha - secrets: | - ${{ contains(inputs.image, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }} - ${{ contains(inputs.image, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }} - name: Setup license file for plus if: ${{ inputs.image == 'plus' }} From 8e1bd2f25978104b87419a44f4bab8d2724d0184 Mon Sep 17 00:00:00 2001 
From: shaun-nx Date: Wed, 1 Oct 2025 09:21:29 +0100 Subject: [PATCH 59/65] test: Update both UBI dockerfiles to use `redhat/ubi9` instead of `ubi9-minimal` --- build/ubi/Dockerfile.nginx | 8 ++++---- build/ubi/Dockerfile.nginxplus | 14 +++++++------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 71adbb37e7..9298db169f 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -8,7 +8,7 @@ ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM redhat/ubi9-minimal:9.6 AS ubi-nginx +FROM redhat/ubi9:9.6 AS ubi-nginx # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 @@ -40,11 +40,11 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s && groupadd -g 1001 nginx \ && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ # Install NGINX and modules including OTEL - && microdnf --nodocs install -y nginx nginx-module-njs nginx-module-otel \ + && dnf --nodocs install -y nginx nginx-module-njs nginx-module-otel \ # Install nginx-agent - && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ + && dnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up (only remove what we can) - && microdnf clean all \ + && dnf clean all \ && rm -rf /var/cache/yum # Configure directories and logging diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 6224136c09..2039596282 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus 
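Review bot: The new base `FROM redhat/ubi9:9.6 AS ubi-nginx` in build/ubi/Dockerfile.nginx is referenced by tag only, while the `ubi9-packages` stage directly above it is pinned with an `@sha256:` digest. A tag can be re-pointed upstream, so a rebuild may pick up different base contents with no change in this repository; the workflows in this series also build with `pull: true`. Consider pinning it the same way, `FROM redhat/ubi9:9.6@sha256:<digest-of-the-reviewed-image> AS ubi-nginx`. The same applies to `FROM redhat/ubi9:9.6 AS ubi-nginx-plus` in build/ubi/Dockerfile.nginxplus.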
@@ -8,7 +8,7 @@ ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM redhat/ubi9-minimal:9.6 AS ubi-nginx-plus +FROM redhat/ubi9:9.6 AS ubi-nginx-plus ARG NGINX_PLUS_VERSION=R35 @@ -37,7 +37,7 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ # Install shadow-utils for useradd and subscription-manager for repo access - microdnf --nodocs install -y shadow-utils subscription-manager \ + dnf --nodocs install -y shadow-utils subscription-manager \ && rpm --import /tmp/nginx_signing.key \ # Install c-ares from the dependencies image (contains required libs) && rpm -Uvh /ubi-bin/c-ares-*.rpm \ @@ -45,13 +45,13 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos && groupadd -g 1001 nginx \ && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ # Install NGINX Plus and modules (njs, otel) - && microdnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION,,} \ - && microdnf --nodocs install -y nginx-plus-module-njs-${NGINX_PLUS_VERSION,,} nginx-plus-module-otel-${NGINX_PLUS_VERSION,,} \ + && dnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION,,} \ + && dnf --nodocs install -y nginx-plus-module-njs-${NGINX_PLUS_VERSION,,} nginx-plus-module-otel-${NGINX_PLUS_VERSION,,} \ # Install nginx-agent - && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ + && dnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up - && microdnf remove -y shadow-utils subscription-manager \ - && microdnf clean all \ + && dnf remove -y shadow-utils subscription-manager \ + && dnf clean all \ && rm -rf /var/cache/yum # Configure directories and logging 
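Review bot: The `nginx-repo.key` secret in the `@@ -37,7 +37,7 @@` hunk is mounted with `mode=0644`, so the repository client key is readable by any user or process that runs during this RUN step; the switch to `dnf` leaves that unchanged. BuildKit's default for secret mounts is 0400, and nothing visible in the hunk needs wider access if the step runs as root (no `USER` line is visible here, so confirm). I would tighten it to `--mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0400`. The RUN instruction starts before this hunk and continues into the next one, and the same mount appears in the PATCH 60/65 hunk for this file.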
From e78dac22be1da28a8d7817e6790dc63cf0acec08 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 1 Oct 2025 10:20:46 +0100 Subject: [PATCH 60/65] Revert back to ubi9 minimal. test install procps-ng iproute iputils coreutils which and curl --- build/ubi/Dockerfile.nginx | 9 +++++---- build/ubi/Dockerfile.nginxplus | 15 ++++++++------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 9298db169f..baf27d8a80 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -8,7 +8,7 @@ ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM redhat/ubi9:9.6 AS ubi-nginx +FROM redhat/ubi9-minimal:9.6 AS ubi-nginx # renovate: datasource=github-tags depName=nginx/agent ARG NGINX_AGENT_VERSION=v3.3.1 @@ -36,15 +36,16 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s rpm --import /tmp/nginx_signing.key \ # Install c-ares from the dependencies image (contains required libs) && rpm -Uvh /ubi-bin/c-ares-*.rpm \ + && microdnf --nodocs install -y procps-ng iproute iputils coreutils which curl \ # Create nginx user with consistent UID/GID && groupadd -g 1001 nginx \ && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ # Install NGINX and modules including OTEL - && dnf --nodocs install -y nginx nginx-module-njs nginx-module-otel \ + && microdnf --nodocs install -y nginx nginx-module-njs nginx-module-otel \ # Install nginx-agent - && dnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up (only remove what we can) - && dnf clean all \ + && microdnf clean all \ && rm -rf /var/cache/yum # Configure directories and logging 
diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 2039596282..2c6634d91e 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -8,7 +8,7 @@ ADD --link --chown=101:1001 build/ubi/repos/agent.repo agent.repo FROM ghcr.io/nginx/dependencies/nginx-ubi:ubi9@sha256:01a32246761b9bbe47a6a29bcd8ca6e9b6e331b3bdfa372d8987b622276f7025 AS ubi9-packages -FROM redhat/ubi9:9.6 AS ubi-nginx-plus +FROM redhat/ubi9-minimal:9.6 AS ubi-nginx-plus ARG NGINX_PLUS_VERSION=R35 @@ -37,7 +37,8 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ # Install shadow-utils for useradd and subscription-manager for repo access - dnf --nodocs install -y shadow-utils subscription-manager \ + microdnf --nodocs install -y shadow-utils subscription-manager \ + && microdnf --nodocs install -y procps-ng iproute iputils coreutils which curl \ && rpm --import /tmp/nginx_signing.key \ # Install c-ares from the dependencies image (contains required libs) && rpm -Uvh /ubi-bin/c-ares-*.rpm \ 
@@ -45,13 +46,13 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos && groupadd -g 1001 nginx \ && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ # Install NGINX Plus and modules (njs, otel) - && dnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION,,} \ - && dnf --nodocs install -y nginx-plus-module-njs-${NGINX_PLUS_VERSION,,} nginx-plus-module-otel-${NGINX_PLUS_VERSION,,} \ + && microdnf --nodocs install -y nginx-plus-${NGINX_PLUS_VERSION,,} \ + && microdnf --nodocs install -y nginx-plus-module-njs-${NGINX_PLUS_VERSION,,} nginx-plus-module-otel-${NGINX_PLUS_VERSION,,} \ # Install nginx-agent - && dnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ + && microdnf --nodocs install -y nginx-agent-${NGINX_AGENT_VERSION#v}* \ # Clean up - && dnf remove -y shadow-utils subscription-manager \ - && dnf clean all \ + && microdnf remove -y shadow-utils subscription-manager \ + && microdnf clean all \ && rm -rf /var/cache/yum # Configure directories and logging From 9f3670471eb3952b278d2b4f2759543aae98c21b Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 1 Oct 2025 10:35:19 +0100 Subject: [PATCH 61/65] Remove curl and corutils from install --- build/ubi/Dockerfile.nginx | 3 ++- build/ubi/Dockerfile.nginxplus | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index baf27d8a80..ece51989fa 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx 
@@ -36,7 +36,8 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s rpm --import /tmp/nginx_signing.key \ # Install c-ares from the dependencies image (contains required libs) && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && microdnf --nodocs install -y procps-ng iproute iputils coreutils which curl \ + && microdnf --nodocs install -y pcre pcre2 \ + && microdnf --nodocs install -y procps-ng iproute iputils which \ # Create nginx user with consistent UID/GID && groupadd -g 1001 nginx \ && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 2c6634d91e..91d1b0d13f 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -38,7 +38,8 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ # Install shadow-utils for useradd and subscription-manager for repo access microdnf --nodocs install -y shadow-utils subscription-manager \ - && microdnf --nodocs install -y procps-ng iproute iputils coreutils which curl \ + && microdnf --nodocs install -y pcre pcre2 \ + && microdnf --nodocs install -y procps-ng iproute iputils which \ && rpm --import /tmp/nginx_signing.key \ # Install c-ares from the dependencies image (contains required libs) && rpm -Uvh /ubi-bin/c-ares-*.rpm \ From cb5061b38d569731888961fc2fd2b6a55a36057a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 1 Oct 2025 11:07:36 +0100 Subject: [PATCH 62/65] Remove additioanl libraries --- build/ubi/Dockerfile.nginx | 2 -- build/ubi/Dockerfile.nginxplus | 2 -- 2 files changed, 4 deletions(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index ece51989fa..71adbb37e7 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx 
@@ -36,8 +36,6 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.key,target=/tmp/nginx_s rpm --import /tmp/nginx_signing.key \ # Install c-ares from the dependencies image (contains required libs) && rpm -Uvh /ubi-bin/c-ares-*.rpm \ - && microdnf --nodocs install -y pcre pcre2 \ - && microdnf --nodocs install -y procps-ng iproute iputils which \ # Create nginx user with consistent UID/GID && groupadd -g 1001 nginx \ && useradd -r -u 101 -g nginx -s /sbin/nologin -d /var/cache/nginx nginx \ diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 91d1b0d13f..6224136c09 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -38,8 +38,6 @@ RUN --mount=type=bind,from=nginx-files,src=nginx-plus.repo,target=/etc/yum.repos --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ # Install shadow-utils for useradd and subscription-manager for repo access microdnf --nodocs install -y shadow-utils subscription-manager \ - && microdnf --nodocs install -y pcre pcre2 \ - && microdnf --nodocs install -y procps-ng iproute iputils which \ && rpm --import /tmp/nginx_signing.key \ # Install c-ares from the dependencies image (contains required libs) && rpm -Uvh /ubi-bin/c-ares-*.rpm \ From 6a9b11d85b6b63bf42f4dbd9eeb2c3a2d3ad4a9a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 1 Oct 2025 14:01:35 +0100 Subject: [PATCH 63/65] Update main temaplte to use full path to otel module --- internal/controller/nginx/config/main_config_template.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/controller/nginx/config/main_config_template.go b/internal/controller/nginx/config/main_config_template.go index 21f6a28abd..57a44f1efe 100644 --- a/internal/controller/nginx/config/main_config_template.go +++ b/internal/controller/nginx/config/main_config_template.go 
@@ -2,7 +2,7 @@ package config const mainConfigTemplateText = ` {{ if .Conf.Telemetry.Endpoint -}} -load_module modules/ngx_otel_module.so; +load_module /usr/lib/nginx/modules/ngx_otel_module.so; {{ end -}} error_log stderr {{ .Conf.Logging.ErrorLevel }}; From 481b00d6d5b87dca2512bbf960cf95779b6edd40 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 1 Oct 2025 14:43:43 +0100 Subject: [PATCH 64/65] Fix unit test --- internal/controller/nginx/config/generator_test.go | 2 +- internal/controller/nginx/config/main_config_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/controller/nginx/config/generator_test.go b/internal/controller/nginx/config/generator_test.go index c77b22cb99..634f52436d 100644 --- a/internal/controller/nginx/config/generator_test.go +++ b/internal/controller/nginx/config/generator_test.go @@ -232,7 +232,7 @@ func TestGenerate(t *testing.T) { g.Expect(files[9].Meta.Name).To(Equal("/etc/nginx/main-includes/main.conf")) mainConfStr := string(files[9].Contents) - g.Expect(mainConfStr).To(ContainSubstring("load_module modules/ngx_otel_module.so;")) + g.Expect(mainConfStr).To(ContainSubstring("load_module /usr/lib/nginx/modules/ngx_otel_module.so;")) g.Expect(mainConfStr).To(ContainSubstring("include /etc/nginx/includes/main_snippet1.conf;")) g.Expect(mainConfStr).To(ContainSubstring("include /etc/nginx/includes/main_snippet2.conf;")) diff --git a/internal/controller/nginx/config/main_config_test.go b/internal/controller/nginx/config/main_config_test.go index 132084afa7..f702948dd0 100644 --- a/internal/controller/nginx/config/main_config_test.go +++ b/internal/controller/nginx/config/main_config_test.go @@ -20,7 +20,7 @@ func TestExecuteMainConfig_Telemetry(t *testing.T) { Endpoint: "endpoint", }, } - loadModuleDirective := "load_module modules/ngx_otel_module.so;" + loadModuleDirective := "load_module /usr/lib/nginx/modules/ngx_otel_module.so;" tests := []struct { name string 
From 867c5a0f14b9567c68efe6f5ffe5c4b7ab20c5b4 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Wed, 1 Oct 2025 15:42:50 +0100 Subject: [PATCH 65/65] Copy modules from `/usr/lib64/nginx/modules/` to `/usr/lib/nginx/modules/` --- build/ubi/Dockerfile.nginx | 2 +- build/ubi/Dockerfile.nginxplus | 2 +- internal/controller/nginx/config/generator_test.go | 2 +- internal/controller/nginx/config/main_config_template.go | 2 +- internal/controller/nginx/config/main_config_test.go | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/build/ubi/Dockerfile.nginx b/build/ubi/Dockerfile.nginx index 71adbb37e7..6f2829f6d3 100644 --- a/build/ubi/Dockerfile.nginx +++ b/build/ubi/Dockerfile.nginx @@ -52,7 +52,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ + && cp /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ # Set proper permissions for nginx user RUN chown -R 101:1001 /etc/nginx /var/cache/nginx diff --git a/build/ubi/Dockerfile.nginxplus b/build/ubi/Dockerfile.nginxplus index 6224136c09..c61d3d0ae8 100644 --- a/build/ubi/Dockerfile.nginxplus +++ b/build/ubi/Dockerfile.nginxplus @@ -59,7 +59,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \ # Forward request and error logs to docker log collector && ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log \ - && mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ + && cp /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/ # Copy default html files to a writable location RUN mkdir -p /etc/nginx/html \ diff --git a/internal/controller/nginx/config/generator_test.go b/internal/controller/nginx/config/generator_test.go index 634f52436d..c77b22cb99 100644 
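Review bot: Replacing `mv` with `cp` in `&& cp /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/` leaves every module as two independent files in the image. If a later layer or a derived image updates the module packages, presumably only the `/usr/lib64` copy is replaced, and anything loading from `/usr/lib/nginx/modules` keeps the stale binary. A symlink keeps one copy reachable from both paths: `&& ln -s /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/`. Which directory `load_module modules/ngx_otel_module.so;` resolves to is not visible here, so confirm nothing needs regular files there. The RUN instruction begins before the hunk, and the same line changes in the `@@ -59,7 +59,7 @@` hunk of build/ubi/Dockerfile.nginxplus.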
--- a/internal/controller/nginx/config/generator_test.go +++ b/internal/controller/nginx/config/generator_test.go @@ -232,7 +232,7 @@ func TestGenerate(t *testing.T) { g.Expect(files[9].Meta.Name).To(Equal("/etc/nginx/main-includes/main.conf")) mainConfStr := string(files[9].Contents) - g.Expect(mainConfStr).To(ContainSubstring("load_module /usr/lib/nginx/modules/ngx_otel_module.so;")) + g.Expect(mainConfStr).To(ContainSubstring("load_module modules/ngx_otel_module.so;")) g.Expect(mainConfStr).To(ContainSubstring("include /etc/nginx/includes/main_snippet1.conf;")) g.Expect(mainConfStr).To(ContainSubstring("include /etc/nginx/includes/main_snippet2.conf;")) diff --git a/internal/controller/nginx/config/main_config_template.go b/internal/controller/nginx/config/main_config_template.go index 57a44f1efe..21f6a28abd 100644 --- a/internal/controller/nginx/config/main_config_template.go +++ b/internal/controller/nginx/config/main_config_template.go @@ -2,7 +2,7 @@ package config const mainConfigTemplateText = ` {{ if .Conf.Telemetry.Endpoint -}} -load_module /usr/lib/nginx/modules/ngx_otel_module.so; +load_module modules/ngx_otel_module.so; {{ end -}} error_log stderr {{ .Conf.Logging.ErrorLevel }}; diff --git a/internal/controller/nginx/config/main_config_test.go b/internal/controller/nginx/config/main_config_test.go index f702948dd0..132084afa7 100644 --- a/internal/controller/nginx/config/main_config_test.go +++ b/internal/controller/nginx/config/main_config_test.go @@ -20,7 +20,7 @@ func TestExecuteMainConfig_Telemetry(t *testing.T) { Endpoint: "endpoint", }, } - loadModuleDirective := "load_module /usr/lib/nginx/modules/ngx_otel_module.so;" + loadModuleDirective := "load_module modules/ngx_otel_module.so;" tests := []struct { name string