Skip to content

Update pipeline to build and publish UBI images #3958

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 77 commits into from
Oct 2, 2025
Merged

Update pipeline to build and publish UBI images #3958

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
77 commits
Select commit Hold shift + click to select a range
58d9674
Add initial Dockerfile to build NGINX OSS images based on ubi9-minimal
shaun-nx Sep 22, 2025
20d131e
Update repo files and use red hat registered ubi-minimal
shaun-nx Sep 22, 2025
3022205
Merge branch 'main' into feat/ubi-base-image
shaun-nx Sep 22, 2025
f154680
Get required UBI packages for NGINX and install agent
shaun-nx Sep 23, 2025
42c4cec
Merge branch 'main' into feat/ubi-base-image
shaun-nx Sep 23, 2025
b880fc7
Update entrypoint to find NGINX master process. Ensure `/tmp` is writ…
shaun-nx Sep 24, 2025
c46e928
Merge branch 'main' into feat/ubi-base-image
shaun-nx Sep 24, 2025
caaf91a
Build control plane from UBI base image. Move current Alpine dockerfi…
shaun-nx Sep 24, 2025
25cee52
Add Dockerfile to build NGINX Plus image based on ubi9-minimal
shaun-nx Sep 24, 2025
fd1498c
Fix eof errors
shaun-nx Sep 24, 2025
2e9bac0
Merge branch 'feat/openshift-support' into feat/ubi-base-image
shaun-nx Sep 24, 2025
85d8358
Move alpine base Dockerfiles back to build dir
shaun-nx Sep 25, 2025
0f03b47
Merge branch 'feat/openshift-support' into feat/ubi-base-image
shaun-nx Sep 25, 2025
d28416a
Fix merge conflict
shaun-nx Sep 25, 2025
523ebd1
Update labels
shaun-nx Sep 25, 2025
31750dd
Update lables for plus builds
shaun-nx Sep 25, 2025
7146752
Update lables to distinguish between OSS and Plus
shaun-nx Sep 25, 2025
e776ae1
Make NGINX Plus version configurable
shaun-nx Sep 25, 2025
0746604
Update pipeline to build and publish UBI images
shaun-nx Sep 25, 2025
31f0e52
Update UBI Dockerfile for NGINX Plus to use certs and keys from pipeline
shaun-nx Sep 25, 2025
cb75255
Ensure build_os is added as a suffix to our tags
shaun-nx Sep 25, 2025
c5e49a3
Update build/ubi/Dockerfile.nginx
shaun-nx Sep 25, 2025
bc7c10f
Update lables and remove BASE_IMAGE
shaun-nx Sep 25, 2025
1c76006
Merge branch 'feat/ubi-base-image' into feat/pipeline-ubi-builds
shaun-nx Sep 25, 2025
6eefb2e
Add suffix to all types in Docker meta build stage
shaun-nx Sep 25, 2025
cbcd7ca
Remove local reference to crt and key files
shaun-nx Sep 25, 2025
4924f3c
Merge branch 'feat/ubi-base-image' into feat/pipeline-ubi-builds
shaun-nx Sep 25, 2025
048c38c
Merge branch 'feat/openshift-support' into feat/ubi-base-image
shaun-nx Sep 26, 2025
d9155b2
Set permissions on required directories. Update lables
shaun-nx Sep 26, 2025
c2c0f47
Merge branch 'feat/ubi-base-image' into feat/pipeline-ubi-builds
shaun-nx Sep 26, 2025
5cb3854
Add build_os to conformance and functional test matrix. Update tags f…
shaun-nx Sep 26, 2025
a89cc6f
Ensure unique conformance profile name based on build os
shaun-nx Sep 26, 2025
d71f895
Fix pre-commit errors
shaun-nx Sep 26, 2025
0190c83
Update conformance profile output with additional inputs
shaun-nx Sep 26, 2025
c4c696f
Use ngf meta output in fonromance profile name
shaun-nx Sep 26, 2025
a418b6f
Update conformance test name
shaun-nx Sep 26, 2025
214d789
Ensure build os is passed to functional and conformance tests
shaun-nx Sep 26, 2025
42a3505
Use ngf-meta.output.version in place of build os
shaun-nx Sep 26, 2025
2636921
Move base dockerfiles back to root build dir
shaun-nx Sep 26, 2025
be670b0
Update .github/workflows/conformance.yml
shaun-nx Sep 26, 2025
c1cb9bc
Update .github/workflows/functional.yml
shaun-nx Sep 26, 2025
8f3d872
Update .github/workflows/conformance.yml
shaun-nx Sep 26, 2025
66ce6a2
Update .github/workflows/functional.yml
shaun-nx Sep 26, 2025
873d56f
Update .github/workflows/functional.yml
shaun-nx Sep 26, 2025
8f1a6f7
Update .github/workflows/functional.yml
shaun-nx Sep 26, 2025
168e2b0
Update Makefile
shaun-nx Sep 26, 2025
f653702
Merge branch 'feat/ubi-base-image' into feat/pipeline-ubi-builds
shaun-nx Sep 26, 2025
00dbbc6
Ensure subscription manage and shadowutils are removed
shaun-nx Sep 26, 2025
16e71b9
Merge branch 'feat/ubi-base-image' into feat/pipeline-ubi-builds
shaun-nx Sep 26, 2025
c08dfeb
Debug conformance test name
shaun-nx Sep 29, 2025
bf3f138
Add production-release as an input for functional tests
shaun-nx Sep 29, 2025
ff6a102
Update .github/workflows/functional.yml
shaun-nx Sep 29, 2025
a6a21aa
Add tag_suffix to workflow call for conformance and functional workflows
shaun-nx Sep 29, 2025
6aed809
Remove tag_suffix and updated build-os variable
shaun-nx Sep 29, 2025
99a75d6
Fix NFG docker meta
shaun-nx Sep 29, 2025
d424ca1
Fix tags and add BUILD_OS to build args
shaun-nx Sep 29, 2025
eb6991f
Revert makefile
shaun-nx Sep 29, 2025
d911c35
Eneusre right dockerfile is used at build stage
shaun-nx Sep 29, 2025
54c1fa1
Fix forward-slash placement
shaun-nx Sep 29, 2025
399d258
Merge branch 'feat/openshift-support' into feat/pipeline-ubi-builds
shaun-nx Sep 29, 2025
c1ee265
Update `cache-froma for functional and conformance tests
shaun-nx Sep 30, 2025
3207622
Temp - Remove build OS from functional test. Revert back to main for …
shaun-nx Sep 30, 2025
6350f68
Fix pre-commit error
shaun-nx Sep 30, 2025
5590673
Add repo secrets to functional and conformance tests
shaun-nx Sep 30, 2025
9f9cc89
Update `cache-from` and `cache-to` in `build.yml`
shaun-nx Sep 30, 2025
4962d4b
Fix build-os naming
shaun-nx Sep 30, 2025
f4b6cbd
re-add secrets to functional and conformance tests
shaun-nx Sep 30, 2025
07eb4c1
Update dockerfile path for functional tests
shaun-nx Sep 30, 2025
699d285
Remove build os from build args
shaun-nx Sep 30, 2025
4f9b51b
Remove secrets from build step
shaun-nx Oct 1, 2025
8e1bd2f
test: Update both UBI dockerfiles to use `redhat/ubi9` instead of `ub…
shaun-nx Oct 1, 2025
e78dac2
Revert back to ubi9 minimal. test install procps-ng iproute iputils c…
shaun-nx Oct 1, 2025
9f36704
Remove curl and corutils from install
shaun-nx Oct 1, 2025
cb5061b
Remove additioanl libraries
shaun-nx Oct 1, 2025
6a9b11d
Update main temaplte to use full path to otel module
shaun-nx Oct 1, 2025
481b00d
Fix unit test
shaun-nx Oct 1, 2025
867c5a0
Copy modules from `/usr/lib64/nginx/modules/` to `/usr/lib/nginx/modu…
shaun-nx Oct 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 13 additions & 9 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ on:
platforms:
required: true
type: string
build-os:
required: false
type: string
default: ''
image:
required: true
type: string
Expand Down Expand Up @@ -120,12 +124,12 @@ jobs:
flavor: |
latest=${{ (inputs.tag != '' && 'true') || 'auto' }}
tags: |
type=semver,pattern={{version}}
type=edge
type=schedule
type=ref,event=pr
type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}
type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && inputs.tag == '' }}
type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
labels: |
org.opencontainers.image.documentation=https://docs.nginx.com/nginx-gateway-fabric
org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
Expand All @@ -143,16 +147,16 @@ jobs:
- name: Build Docker Image
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
file: ${{ inputs.build-os != '' && format('build/{0}/Dockerfile{1}', inputs.build-os, inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') || format('build/Dockerfile{0}', inputs.image == 'nginx' && '.nginx' || inputs.image == 'plus' && '.nginxplus' || '') }}
context: "."
target: ${{ inputs.image == 'ngf' && 'goreleaser' || '' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
push: ${{ !inputs.dry_run }}
platforms: ${{ inputs.platforms }}
cache-from: type=gha,scope=${{ inputs.image }}
cache-to: type=gha,scope=${{ inputs.image }},mode=max
cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
cache-to: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},mode=max
pull: true
no-cache: ${{ github.event_name != 'pull_request' }}
sbom: true
Expand Down
11 changes: 11 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -234,10 +234,12 @@ jobs:
matrix:
image: [ngf, nginx]
platforms: ["linux/arm64, linux/amd64"]
build-os: ["", ubi]
uses: ./.github/workflows/build.yml
with:
image: ${{ matrix.image }}
platforms: ${{ matrix.platforms }}
build-os: ${{ matrix.build-os }}
tag: ${{ inputs.release_version || '' }}
dry_run: ${{ inputs.dry_run || false}}
runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
Expand All @@ -252,9 +254,14 @@ jobs:
name: Build Plus images
needs: [vars, binary]
uses: ./.github/workflows/build.yml
strategy:
fail-fast: false
matrix:
build-os: ["", ubi]
with:
image: plus
platforms: "linux/arm64, linux/amd64"
build-os: ${{ matrix.build-os }}
tag: ${{ inputs.release_version || '' }}
dry_run: ${{ inputs.dry_run || false }}
runner: ${{ github.repository_owner == 'nginx' && (inputs.is_production_release || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && 'ubuntu-24.04-amd64' || 'ubuntu-24.04' }}
Expand All @@ -272,6 +279,7 @@ jobs:
fail-fast: false
matrix:
image: [nginx, plus]
build-os: ["", ubi]
k8s-version:
[
"${{ needs.vars.outputs.min_k8s_version }}",
Expand All @@ -281,6 +289,7 @@ jobs:
with:
image: ${{ matrix.image }}
k8s-version: ${{ matrix.k8s-version }}
build-os: ${{ matrix.build-os }}
secrets: inherit
permissions:
contents: read
Expand All @@ -292,6 +301,7 @@ jobs:
fail-fast: false
matrix:
image: [nginx, plus]
build-os: ["", ubi]
k8s-version:
[
"${{ needs.vars.outputs.min_k8s_version }}",
Expand All @@ -303,6 +313,7 @@ jobs:
image: ${{ matrix.image }}
k8s-version: ${{ matrix.k8s-version }}
enable-experimental: ${{ matrix.enable-experimental }}
build-os: ${{ matrix.build-os }}
production-release: ${{ inputs.is_production_release == true && (inputs.dry_run == false || inputs.dry_run == null) }}
release_version: ${{ inputs.release_version }}
secrets: inherit
Expand Down
34 changes: 19 additions & 15 deletions .github/workflows/conformance.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@ on:
image:
required: true
type: string
build-os:
required: false
type: string
default: ''
k8s-version:
required: true
type: string
Expand Down Expand Up @@ -75,12 +79,12 @@ jobs:
images: |
name=ghcr.io/nginx/nginx-gateway-fabric
tags: |
type=semver,pattern={{version}}
type=edge
type=schedule
type=ref,event=pr
type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }}
type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}

- name: NGINX Docker meta
id: nginx-meta
Expand All @@ -89,12 +93,12 @@ jobs:
images: |
name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}
tags: |
type=semver,pattern={{version}}
type=edge
type=schedule
type=ref,event=pr
type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
type=raw,value={{inputs.release_version}},enable=${{ inputs.production-release && inputs.release_version != '' }}
type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') && !inputs.production-release }}
type=raw,value={{ inputs.release_version }},enable=${{ inputs.production-release && inputs.release_version != '' }},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}

- name: Build binary
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
Expand All @@ -119,11 +123,11 @@ jobs:
- name: Build NGINX Docker Image
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}}
file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
tags: ${{ steps.nginx-meta.outputs.tags }}
context: "."
load: true
cache-from: type=gha,scope=${{ inputs.image }}
cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
pull: true
build-args: |
NJS_DIR=internal/controller/nginx/modules/src
Expand Down Expand Up @@ -178,7 +182,7 @@ jobs:
if: ${{ inputs.enable-experimental }}
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}
name: conformance-profile-${{ inputs.image }}-${{ inputs.k8s-version }}-${{ steps.ngf-meta.outputs.version }}
path: ./tests/conformance-profile.yaml

- name: Upload profile to release
Expand Down
30 changes: 17 additions & 13 deletions .github/workflows/functional.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,10 @@ on:
k8s-version:
required: true
type: string
build-os:
required: false
type: string
default: ''

defaults:
run:
Expand Down Expand Up @@ -61,11 +65,11 @@ jobs:
images: |
name=ghcr.io/nginx/nginx-gateway-fabric
tags: |
type=semver,pattern={{version}}
type=schedule
type=edge
type=ref,event=pr
type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }}

- name: NGINX Docker meta
id: nginx-meta
Expand All @@ -74,16 +78,16 @@ jobs:
images: |
name=ghcr.io/nginx/nginx-gateway-fabric/${{ inputs.image == 'plus' && 'nginx-plus' || inputs.image }}
tags: |
type=semver,pattern={{version}}
type=edge
type=schedule
type=ref,event=pr
type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
type=semver,pattern={{version}},suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=schedule,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=edge,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=pr,suffix=${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
type=ref,event=branch,suffix=-rc${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }},enable=${{ startsWith(github.ref, 'refs/heads/release') }}

- name: Build binary
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
with:
version: v2.12.2 # renovate: datasource=github-tags depName=goreleaser/goreleaser
version: v2.12.3 # renovate: datasource=github-tags depName=goreleaser/goreleaser
args: build --single-target --snapshot --clean
env:
TELEMETRY_ENDPOINT: otel-collector-opentelemetry-collector.collector.svc.cluster.local:4317
Expand All @@ -103,11 +107,11 @@ jobs:
- name: Build NGINX Docker Image
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
file: build/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || ''}}
file: build${{ inputs.build-os != '' && format('/{0}', inputs.build-os) || '' }}/Dockerfile${{ inputs.image == 'nginx' && '.nginx' || '' }}${{ inputs.image == 'plus' && '.nginxplus' || '' }}
tags: ${{ steps.nginx-meta.outputs.tags }}
context: "."
load: true
cache-from: type=gha,scope=${{ inputs.image }}
cache-from: type=gha,scope=${{ inputs.image }}${{ inputs.build-os != '' && format('-{0}', inputs.build-os) || '' }}
pull: true
build-args: |
NJS_DIR=internal/controller/nginx/modules/src
Expand Down
2 changes: 1 addition & 1 deletion build/ubi/Dockerfile.nginx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \
# Forward request and error logs to docker log collector
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
&& mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/
&& cp /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/

# Set proper permissions for nginx user
RUN chown -R 101:1001 /etc/nginx /var/cache/nginx
Expand Down
2 changes: 1 addition & 1 deletion build/ubi/Dockerfile.nginxplus
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ RUN mkdir -p /usr/lib/nginx/modules /var/run/nginx /usr/lib64/nginx/modules \
# Forward request and error logs to docker log collector
&& ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log \
&& mv /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/
&& cp /usr/lib64/nginx/modules/ngx_* /usr/lib/nginx/modules/

# Copy default html files to a writable location
RUN mkdir -p /etc/nginx/html \
Expand Down