From 02e19401141422d373486f486f30881b9698db25 Mon Sep 17 00:00:00 2001
From: Venktesh Shivam Patel
Date: Tue, 7 Jan 2025 15:42:19 +0000
Subject: [PATCH 1/7] update policy waf docs (#7076)
---
 site/content/configuration/policy-resource.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/content/configuration/policy-resource.md b/site/content/configuration/policy-resource.md
index f5e4005432..21e2e3393d 100644
--- a/site/content/configuration/policy-resource.md
+++ b/site/content/configuration/policy-resource.md
@@ -699,7 +699,7 @@ waf:
 |``securityLog.enable`` | Enables security log. | ``bool`` | No |
 |``securityLog.apLogConf`` | The [App Protect WAF log conf]({{< relref "installation/integrations/app-protect-waf/configuration.md#waf-logs" >}}) resource. Accepts an optional namespace. Only works with ``apPolicy``. | ``string`` | No |
 |``securityLog.apLogBundle`` | The [App Protect WAF log bundle]({{< relref "installation/integrations/app-protect-waf/configuration.md#waf-bundles" >}}) resource. Only works with ``apBundle``. | ``string`` | No |
-|``securityLog.logDest`` | The log destination for the security log. Accepted variables are ``syslog:server=:``, ``stderr``, ````. Default is ``"syslog:server=127.0.0.1:514"``. | ``string`` | No |
+|``securityLog.logDest`` | The log destination for the security log. Only accepted variables are ``syslog:server=:``, ``stderr``, ````. | ``string`` | No |
 {{% /table %}}
 #### WAF Merging Behavior
From 29f4f7b3b550f8e2da0529ae0e62401caac4bc8f Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Tue, 7 Jan 2025 15:50:34 +0000
Subject: [PATCH 2/7] [pre-commit.ci] pre-commit autoupdate (#7072)
---
 .pre-commit-config.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d32bc61766..106ce7bff0 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -45,7 +45,7 @@ repos:
 pass_filenames: false
 - repo: https://github.com/golangci/golangci-lint
- rev: v1.62.2
+ rev: v1.63.4
 hooks:
 - id: golangci-lint
 args: [--new-from-patch=/tmp/diff.patch]
@@ -87,12 +87,12 @@ repos:
 args: ["--schemafile", "charts/nginx-ingress/values.schema.json"]
 - repo: https://github.com/DavidAnson/markdownlint-cli2
- rev: v0.17.0
+ rev: v0.17.1
 hooks:
 - id: markdownlint-cli2
 - repo: https://github.com/rhysd/actionlint
- rev: v1.7.5
+ rev: v1.7.6
 hooks:
 - id: actionlint
 name: Lint GitHub Actions workflow files
From 22a6f8c14959e17dbafb6b9ad76899d297a78dee Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Wed, 8 Jan 2025 16:33:04 +0000
Subject: [PATCH 3/7] update APIKey suppliedIn docs (#7084)
---
 site/content/configuration/policy-resource.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/site/content/configuration/policy-resource.md b/site/content/configuration/policy-resource.md
index 21e2e3393d..72fcece970 100644
--- a/site/content/configuration/policy-resource.md
+++ b/site/content/configuration/policy-resource.md
@@ -192,11 +192,14 @@ data:
 {{% table %}}
 |Field | Description | Type | Required |
 | ---| ---| ---| --- |
+|``suppliedIn`` | `header` or `query`. | | Yes |
 |``suppliedIn.header`` | An array of headers that the API Key may appear in. | ``string[]`` | No |
 |``suppliedIn.query`` | An array of query params that the API Key may appear in. | ``string[]`` | No |
 |``clientSecret`` | The name of the Kubernetes secret that stores the API Key(s). It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/apikey``, and the API Key(s) must be stored in a key: val format where each key is a unique clientID and each value is a unique base64 encoded API Key | ``string`` | Yes |
 {{% /table %}}
+{{}}An APIKey Policy must include a minimum of one of the `suppliedIn.header` or `suppliedIn.query` parameters. Both can also be supplied.{{}}
+
 #### APIKey Merging Behavior
 A VirtualServer or VirtualServerRoute can be associated with only one API Key policy per route or subroute. However, it is possible to replace an API Key policy from a higher-level with a different policy defined on a more specific route.
From 0333d6252182c86e855711969666ebd0611b64b6 Mon Sep 17 00:00:00 2001
From: nginx-aoife <50101789+nginx-aoife@users.noreply.github.com>
Date: Thu, 9 Jan 2025 15:44:28 +0000
Subject: [PATCH 4/7] Fix broken link to NIM Security Monitoring (#7094)
Update releases.md Fix broken link to NIM Security Monitoring
Signed-off-by: nginx-aoife <50101789+nginx-aoife@users.noreply.github.com>
---
 site/content/releases.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site/content/releases.md b/site/content/releases.md
index 7a90f4c48b..12d7f5d5d8 100644
--- a/site/content/releases.md
+++ b/site/content/releases.md
@@ -396,7 +396,7 @@ versions: 1.23-1.29.
 26 Mar 2024
-NGINX Ingress Controller and NGINX App Protect WAF users can can now view violations through NGINX Instance Manager Security Monitor. Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller. Read more information in [NGINX App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/installation/integrations/app-protect-waf/configuration/#waf-bundles) and [Security Monitoring](https://docs.nginx.com/nginx-instance-manager/security-monitoring/).
+NGINX Ingress Controller and NGINX App Protect WAF users can can now view violations through NGINX Instance Manager Security Monitor. Security Monitor can be used to build Policy bundles, reducing reload time impacts on NGINX Ingress Controller. Read more information in [NGINX App Protect WAF Bundles](https://docs.nginx.com/nginx-ingress-controller/installation/integrations/app-protect-waf/configuration/#waf-bundles) and [Security Monitoring](https://docs.nginx.com/nginx-instance-manager/monitoring/security-monitoring/).
 When using NGINX Plus for two version [split rollouts](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#split), you can now control progressive rollouts of a new backend version without reloading NGINX using the [**-weight-changes-dynamic-reload**](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#-weight-changes-dynamic-reload) command line argument.
From ed10de4f895035dce10b060927fda22e15f7325b Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Thu, 9 Jan 2025 16:37:28 +0000
Subject: [PATCH 5/7] remove ubi images from CI (#7093)
---
 .github/config/config-gcr-retag | 10 +++---
 .github/config/config-plus-gcr-release | 10 +++---
 .github/config/config-plus-nginx | 10 +++---
 .github/data/matrix-images-nap.json | 36 -------------------
 .github/data/matrix-images-oss.json | 6 ----
 .github/data/matrix-images-plus.json | 5 ---
 .github/data/matrix-smoke-nap.json | 6 ++--
 .github/data/matrix-smoke-oss.json | 2 +-
 .github/data/matrix-smoke-plus.json | 4 +--
 .github/data/patch-images.json | 48 --------------------------
 10 files changed, 21 insertions(+), 116 deletions(-)
diff --git a/.github/config/config-gcr-retag b/.github/config/config-gcr-retag
index 3273e6ffaf..07e0e71beb 100644
--- a/.github/config/config-gcr-retag
+++ b/.github/config/config-gcr-retag
@@ -1,7 +1,7 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-mktpl" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-mktpl" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
 declare -a ADDITIONAL_TAGS=()
diff --git a/.github/config/config-plus-gcr-release b/.github/config/config-plus-gcr-release
index e1c6d12e01..9cf8fb9723 100644
--- a/.github/config/config-plus-gcr-release
+++ b/.github/config/config-plus-gcr-release
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips" "-mktpl")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips" "-mktpl")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips" "-ubi8")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi" "-mktpl")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips" "-mktpl")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips" "-mktpl")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-mktpl")
 declare -a ADDITIONAL_TAGS=("latest" "${ADDITIONAL_TAG}")
 export PUBLISH_OSS=false
diff --git a/.github/config/config-plus-nginx b/.github/config/config-plus-nginx
index 546c636721..b7633a1434 100644
--- a/.github/config/config-plus-nginx
+++ b/.github/config/config-plus-nginx
@@ -1,8 +1,8 @@
 export TARGET_REGISTRY=docker-mgmt.nginx.com
 export TARGET_NAP_WAF_DOS_IMAGE_PREFIX="nginx-ic-nap-dos/nginx-plus-ingress"
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-ubi8" "-alpine-fips")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("")
 export PUBLISH_OSS=false
diff --git a/.github/data/matrix-images-nap.json b/.github/data/matrix-images-nap.json
index b93c8404d3..a391e9314b 100644
--- a/.github/data/matrix-images-nap.json
+++ b/.github/data/matrix-images-nap.json
@@ -15,36 +15,6 @@
 "waf,dos"
 ],
 "include": [
- {
- "image": "ubi-8-plus-nap",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf"
- },
- {
- "image": "ubi-8-plus-nap-v5",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf"
- },
- {
- "image": "ubi-9-plus-nap",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf"
- },
- {
- "image": "ubi-9-plus-nap",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "dos"
- },
- {
- "image": "ubi-9-plus-nap",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf,dos"
- },
 {
 "image": "alpine-plus-nap-fips",
 "target": "goreleaser",
@@ -62,12 +32,6 @@
 "target": "goreleaser",
 "platforms": "linux/amd64",
 "nap_modules": "waf"
- },
- {
- "image": "ubi-9-plus-nap-v5",
- "target": "goreleaser",
- "platforms": "linux/amd64",
- "nap_modules": "waf"
 }
 ]
 }
diff --git a/.github/data/matrix-images-oss.json b/.github/data/matrix-images-oss.json
index 237c3014fb..7c94faf8e3 100644
--- a/.github/data/matrix-images-oss.json
+++ b/.github/data/matrix-images-oss.json
@@ -5,11 +5,5 @@
 ],
 "platforms": [
 "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- ],
- "include": [
- {
- "image": "ubi",
- "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- }
 ]
 }
diff --git a/.github/data/matrix-images-plus.json b/.github/data/matrix-images-plus.json
index ab1717d37d..b74a88d670 100644
--- a/.github/data/matrix-images-plus.json
+++ b/.github/data/matrix-images-plus.json
@@ -15,11 +15,6 @@
 "image": "debian-plus",
 "platforms": "linux/arm64, linux/amd64",
 "target": "aws"
- },
- {
- "image": "ubi-9-plus",
- "platforms": "linux/arm64, linux/amd64",
- "target": "goreleaser"
 }
 ]
 }
diff --git a/.github/data/matrix-smoke-nap.json b/.github/data/matrix-smoke-nap.json
index 1d780e7a7d..b2d6f4a400 100644
--- a/.github/data/matrix-smoke-nap.json
+++ b/.github/data/matrix-smoke-nap.json
@@ -2,7 +2,7 @@
 "images": [
 {
 "label": "AP_WAF 1/4",
- "image": "ubi-8-plus-nap",
+ "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
 "marker": "appprotect_waf_policies_allow",
@@ -10,7 +10,7 @@
 },
 {
 "label": "AP_WAF 2/4",
- "image": "ubi-9-plus-nap",
+ "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "waf",
 "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow and not appprotect_waf_policies_vsr'",
@@ -58,7 +58,7 @@
 },
 {
 "label": "AP_DOS 3/3",
- "image": "ubi-9-plus-nap",
+ "image": "debian-plus-nap",
 "type": "plus",
 "nap_modules": "dos",
 "marker": "dos_learning",
diff --git a/.github/data/matrix-smoke-oss.json b/.github/data/matrix-smoke-oss.json
index a15b9b8937..52a9a7f456 100644
--- a/.github/data/matrix-smoke-oss.json
+++ b/.github/data/matrix-smoke-oss.json
@@ -72,7 +72,7 @@
 },
 {
 "label": "TS",
- "image": "ubi",
+ "image": "debian",
 "type": "oss",
 "marker": "ts",
 "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
diff --git a/.github/data/matrix-smoke-plus.json b/.github/data/matrix-smoke-plus.json
index 572d6e4d8a..a67fa4addb 100644
--- a/.github/data/matrix-smoke-plus.json
+++ b/.github/data/matrix-smoke-plus.json
@@ -65,14 +65,14 @@
 },
 {
 "label": "policies 1/2",
- "image": "ubi-9-plus",
+ "image": "alpine-plus",
 "type": "plus",
 "marker": "'policies and not policies_ac and not policies_jwt and not policies_mtls'",
 "platforms": "linux/arm64, linux/amd64, linux/s390x"
 },
 {
 "label": "policies 2/2",
- "image": "ubi-9-plus",
+ "image": "debian-plus",
 "type": "plus",
 "marker": "'policies_ac or policies_jwt or policies_mtls'",
 "platforms": "linux/arm64, linux/amd64, linux/s390x"
diff --git a/.github/data/patch-images.json b/.github/data/patch-images.json
index b258b2c4ce..22b2662e35 100644
--- a/.github/data/patch-images.json
+++ b/.github/data/patch-images.json
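Review bot: In .github/data/matrix-smoke-nap.json the `AP_WAF 1/4` and `AP_WAF 2/4` entries now both use `debian-plus-nap` (as does `AP_DOS 3/3`), so the two WAF policy marker groups that used to run on two different base images are now exercised on a single one. The build matrix in this same commit still keeps `alpine-plus-nap-fips`, but none of the smoke entries visible in these hunks runs the WAF markers against it; the entries between the hunks are not shown, so this may already be covered there. If it is not, consider keeping the spread by pointing one of the two entries at another image that is still built, for example `"image": "alpine-plus-nap-fips"` on `AP_WAF 2/4`, provided that image carries the `waf` module.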
@@ -11,12 +11,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress",
 "platforms": "linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-ingress",
- "platforms": "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
 "source_os": "debian",
@@ -41,12 +35,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
 "platforms": "linux/arm64, linux/amd64"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic/nginx-plus-ingress",
- "platforms": "linux/arm64, linux/amd64"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
 "source_os": "debian",
@@ -59,18 +47,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
 "platforms": "linux/amd64"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
- "source_os": "ubi8",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap/nginx-plus-ingress",
 "source_os": "alpine-fips",
@@ -83,18 +59,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
 "platforms": "linux/amd64"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
- "source_os": "ubi8",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-nap-v5/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-nap-v5/nginx-plus-ingress",
 "source_os": "alpine-fips",
@@ -113,12 +77,6 @@
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress",
 "platforms": "linux/amd64"
 },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos/nginx-plus-ingress",
- "platforms": "linux/amd64"
- },
 {
 "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress",
 "source_os": "debian",
@@ -130,11 +88,5 @@
 "source_os": "mktpl",
 "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress",
 "platforms": "linux/amd64"
- },
- {
- "source_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic-dos-nap/nginx-plus-ingress",
- "source_os": "ubi",
- "target_image": "gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-dos-nap/nginx-plus-ingress",
- "platforms": "linux/amd64"
 }
 ]
From c5583200e0f4bfd91269fa969f5e02d302341afa Mon Sep 17 00:00:00 2001
From: nginx-bot <68849795+nginx-bot@users.noreply.github.com>
Date: Thu, 9 Jan 2025 09:08:39 -0800
Subject: [PATCH 6/7] Docker image update 1372e619 (#7080)
Update docker images 1372e619
Co-authored-by: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
---
 build/Dockerfile | 14 +++++++-------
 build/dependencies/Dockerfile.ubi | 2 +-
 tests/Dockerfile | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/build/Dockerfile b/build/Dockerfile
index 4c65d7750a..744a4e1d2a 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -11,17 +11,17 @@ ARG PACKAGE_REPO=pkgs.nginx.com
 ############################################# Base images containing libs for Opentracing and FIPS #############################################
-FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.3@sha256:3ee7fff68aadd6fc12fe8b61c82d245779e72b4f62ed91fe0776a45f1222be9f AS opentracing-lib
-FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.3-alpine@sha256:6cf6bdc28e19adc7dce2cee109348a4883ddef215b8b855ea4e00614a7094e65 AS alpine-opentracing-lib
+FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.3@sha256:a09090e9f424f206a79a816d37321db2eed349ae3bc20d16bc4cbba32eedfc17 AS opentracing-lib
+FROM ghcr.io/nginxinc/dependencies/nginx-ot:nginx-1.27.3-alpine@sha256:339c91471fa9159987aa45ab81f00f147d49709819e207ccc0bc4d434ece2db9 AS alpine-opentracing-lib
 FROM ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le:nginx-1.27.3@sha256:4cda07664f09f16d780d1e803b9748c31489ea21c463bbcca50d9dcf26081a6f AS ubi-ppc64le
 FROM ghcr.io/nginxinc/alpine-fips:0.2.3-alpine3.17@sha256:67b69b49aff96e185be841e2b2ff2d8236551ea5c18002bffa4344798d803fd8 AS alpine-fips-3.17
 FROM ghcr.io/nginxinc/alpine-fips:0.2.3-alpine3.20@sha256:4c29e5c50b122354d9d4ba6b97cdf64647468e788b965fc0240ead541653454a AS alpine-fips-3.20
 FROM redhat/ubi9-minimal:9.5@sha256:daa61d6103e98bccf40d7a69a0d4f8786ec390e2204fd94f7cc49053e9949360 AS ubi-minimal
-FROM golang:1.23-alpine@sha256:6c5c9590f169f77c8046e45c611d3b28fe477789acd8d3762d23d4744de69812 AS golang-builder
+FROM golang:1.23-alpine@sha256:13aaa4b92fd4dc81683816b4b62041442e9f685deeb848897ce78c5e2fb03af7 AS golang-builder
 ############################################# Base image for Alpine #############################################
-FROM nginx:1.27.3-alpine@sha256:41523187cf7d7a2f2677a80609d9caa14388bf5c1fbca9c410ba3de602aaaab4 AS alpine
+FROM nginx:1.27.3-alpine@sha256:4efa432b751239898e576a2178702fb156fc483f6d456e0ad5899b3bf5c0445a AS alpine
 RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 apk add --no-cache libcap libstdc++ \
@@ -31,7 +31,7 @@ RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
 ############################################# Base image for Debian #############################################
-FROM nginx:1.27.3@sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be AS debian
+FROM nginx:1.27.3@sha256:42e917aaa1b5bb40dd0f6f7f4f857490ac7747d7ef73b391c774a41a8b994f15 AS debian
 RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \
 apt-get update \
@@ -102,7 +102,7 @@ USER 101
 ############################################# Base image for Alpine with NGINX Plus ##############################################
-FROM alpine:3.20@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a AS alpine-plus
+FROM alpine:3.20@sha256:780405de0f7cf99f985dd5a4f04dfc5aae71509d89505c1ba48a88d95a0ceb7f AS alpine-plus
 ARG NGINX_PLUS_VERSION
 ARG PACKAGE_REPO
@@ -207,7 +207,7 @@ RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \
 ############################################# Base image for Debian with NGINX Plus #############################################
-FROM debian:12-slim@sha256:1537a6a1cbc4b4fd401da800ee9480207e7dc1f23560c21259f681db56768f63 AS debian-plus
+FROM debian:12-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb AS debian-plus
 ARG NGINX_PLUS_VERSION
 ENV NGINX_VERSION=${NGINX_PLUS_VERSION}
diff --git a/build/dependencies/Dockerfile.ubi b/build/dependencies/Dockerfile.ubi
index ea1ec816c5..2fb265c3fa 100644
--- a/build/dependencies/Dockerfile.ubi
+++ b/build/dependencies/Dockerfile.ubi
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.8
-FROM nginx:1.27.3@sha256:fb197595ebe76b9c0c14ab68159fd3c08bd067ec62300583543f0ebda353b5be AS nginx
+FROM nginx:1.27.3@sha256:42e917aaa1b5bb40dd0f6f7f4f857490ac7747d7ef73b391c774a41a8b994f15 AS nginx
 FROM redhat/ubi9:9.4@sha256:ee0b908e958a1822afc57e5d386d1ea128eebe492cb2e01b6903ee19c133ea75 AS rpm-build
 ARG NGINX
diff --git a/tests/Dockerfile b/tests/Dockerfile
index d600ac4bcb..f8cb9223fa 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -5,7 +5,7 @@ FROM kindest/node:v1.32.0@sha256:c48c62eac5da28cdadcf560d1d8616cfa6783b58f0d94cf
 # this is here so we can grab the latest version of skopeo and have dependabot keep it up to date
 FROM quay.io/skopeo/stable:v1.17.0
-FROM python:3.13@sha256:9255d1993f6d28b8a1cd611b108adbdfa38cb7ccc46ddde8ea7d734b6c845e32
+FROM python:3.13@sha256:cea505b81701dd9e46b8dde96eaa8054c4bd2035dbb660edeb7af947ed38a0ad
 RUN apt-get update \
 && apt-get install -y curl git \
From f523300f93a3c6a68084a509cece03911fa9afd9 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Fri, 10 Jan 2025 12:21:07 +0000
Subject: [PATCH 7/7] remove additional ubi config (#7104)
---
 .github/scripts/copy-images.sh | 12 ++++++------
 .github/workflows/release.yml | 18 +++++++++---------
 .github/workflows/update-docker-images.yml | 18 +++++++++---------
 3 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/.github/scripts/copy-images.sh b/.github/scripts/copy-images.sh
index bb3a2240ea..ef8d7d0375 100755
--- a/.github/scripts/copy-images.sh
+++ b/.github/scripts/copy-images.sh
@@ -46,12 +46,12 @@ TARGET_NAP_WAFV5_IMAGE_PREFIX=${TARGET_NAP_WAFV5_IMAGE_PREFIX:-"nginx-ic-nap-v5/
 TARGET_NAP_DOS_IMAGE_PREFIX=${TARGET_NAP_DOS_IMAGE_PREFIX:-"nginx-ic-dos/nginx-plus-ingress"}
 TARGET_NAP_WAF_DOS_IMAGE_PREFIX=${TARGET_NAP_WAF_DOS_IMAGE_PREFIX:-"nginx-ic-dos-nap/nginx-plus-ingress"}
-declare -a OSS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine")
-declare -a PLUS_TAG_POSTFIX_LIST=("" "-ubi" "-alpine" "-alpine-fips")
-declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
-declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-ubi" "-alpine-fips")
-declare -a NAP_DOS_TAG_POSTFIX_LIST=("" "-ubi")
-declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("" "-ubi")
+declare -a OSS_TAG_POSTFIX_LIST=("" "-alpine")
+declare -a PLUS_TAG_POSTFIX_LIST=("" "-alpine" "-alpine-fips")
+declare -a NAP_WAF_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_WAFV5_TAG_POSTFIX_LIST=("" "-alpine-fips")
+declare -a NAP_DOS_TAG_POSTFIX_LIST=("")
+declare -a NAP_WAF_DOS_TAG_POSTFIX_LIST=("")
 CONFIG_PATH=${CONFIG_PATH:-~/.nic-release/config}
 if [ -f "$CONFIG_PATH" ]; then
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0e87afaea1..d17617d5ac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -294,14 +294,14 @@ jobs:
 with:
 ref: ${{ inputs.release_branch }}
- - name: Certify UBI OSS images in quay
- uses: ./.github/actions/certify-openshift-image
- continue-on-error: true
- with:
- image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi
- project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
- pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
- preflight_version: 1.11.1
+ # - name: Certify UBI OSS images in quay
+ # uses: ./.github/actions/certify-openshift-image
+ # continue-on-error: true
+ # with:
+ # image: quay.io/nginx/nginx-ingress:${{ inputs.nic_version }}-ubi
+ # project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
+ # pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+ # preflight_version: 1.11.1
 operator:
 if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'operator') && !contains(inputs.skip_step, 'publish-helm-chart') }}
@@ -621,7 +621,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
- image: ["nginx/nginx-ingress:${{ inputs.nic_version }}", "nginx/nginx-ingress:${{ inputs.nic_version }}-ubi", "nginx/nginx-ingress:${{ inputs.nic_version }}-alpine"]
+ image: ["nginx/nginx-ingress:${{ inputs.nic_version }}", "nginx/nginx-ingress:${{ inputs.nic_version }}-alpine"]
 steps:
 - name: Checkout Repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/update-docker-images.yml b/.github/workflows/update-docker-images.yml
index fe65c8267e..4aa4a6e183 100644
--- a/.github/workflows/update-docker-images.yml
+++ b/.github/workflows/update-docker-images.yml
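Review bot: The `Certify UBI OSS images in quay` step in .github/workflows/release.yml is disabled by commenting it out rather than removing it, and the same is done in the `@@ -177,12 +177,12 @@` hunk of .github/workflows/update-docker-images.yml. Nothing in either block records why it is off or when it should come back, and the commented lines keep references to `secrets.CERTIFICATION_PROJECT_ID` and `secrets.PYXIS_API_TOKEN` that a later reader may take to be still in use. Either delete the block (git history keeps it) or put one line above it such as `# Disabled: UBI images are no longer built in CI (#7093); restore together with the UBI build.` The enclosing jobs start outside both hunks; from the visible lines each appears to be left with only its checkout step, so removing or gating the whole job may be the cleaner change.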
@@ -177,12 +177,12 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - name: Certify UBI OSS images in quay
- uses: ./.github/actions/certify-openshift-image
- with:
- image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi
- project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
- pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
- platforms: ""
- preflight_version: 1.11.1
- submit: ${{ ! inputs.dry_run || true }}
+ # - name: Certify UBI OSS images in quay
+ # uses: ./.github/actions/certify-openshift-image
+ # with:
+ # image: quay.io/nginx/nginx-ingress:${{ needs.variables.outputs.tag }}-ubi
+ # project_id: ${{ secrets.CERTIFICATION_PROJECT_ID }}
+ # pyxis_token: ${{ secrets.PYXIS_API_TOKEN }}
+ # platforms: ""
+ # preflight_version: 1.11.1
+ # submit: ${{ ! inputs.dry_run || true }}