Build and use custom nginx container #934
👍
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
The conformance CI file needs to be updated with the new container, as the conformance tests aren't running, but otherwise looks great! 🚀
Thanks! Just updated the conformance CI file and the tests are now passing. Not sure if there's a better way to build and reference the two images so LMK what you think!
Left a couple of suggestions for the CI, mostly about making it more compact, but the most important one is the cache: we need to use two different scopes for the containers.
Let me know if I can help making the changes.
🎉 🚀
Problem: PR #934 did not remove the njs-modules ConfigMap and there are some lingering references to it.
Solution: Remove the njs modules ConfigMap and remove references.
Problem: The architecture doc still mentions the init container even though it was removed in #934.
Solution: Remove the init container from the architecture doc.
Replace the publicly available nginx image with a custom nginx image.
Problem: Using the publicly available nginx image requires users to create ConfigMaps for the nginx.conf file and the njs module and mount them to the NKG Pod as volumes. This pattern is not extensible and adds extra steps for developers and users. Additionally, an init container is required in order to set up the nginx config environment.
Solution: Build and use a custom nginx container. The nginx.conf and njs module are now baked into the nginx image. This eliminates the need for ConfigMaps. The config directories /etc/nginx/conf.d and /etc/nginx/secrets are created as volumes and mounted to the Pod with a group ID 1001. This allows the control plane to write to the directories and nginx to read from them. Both the nginx and nginx-gateway processes run under group ID 1001 but have different user IDs (101 and 102). The nginx container runs as user 101 instead of root and runs with the minimum set of capabilities.
Proposed changes
Replace the publicly available nginx image with a custom nginx image.
Problem: Using the publicly available nginx image requires users to create ConfigMaps for the nginx.conf file and the njs module and mount them to the NKG Pod as volumes. This pattern is not extensible and adds extra steps for developers and users. Additionally, an init container is required in order to set up the nginx config environment.
Solution: Build and use a custom nginx container. The nginx.conf and njs module are now baked into the nginx image. This eliminates the need for ConfigMaps. The config directories /etc/nginx/conf.d and /etc/nginx/secrets are created as volumes and mounted to the Pod with a group ID 1001. This allows the control plane to write to the directories and nginx to read from them. Both the nginx and nginx-gateway processes run under group ID 1001 but have different user IDs (101 and 102). The nginx container now runs as user 101 instead of root.
Testing: Verified conformance tests pass and that the directory permissions are correct:
Closes #798
Checklist
Before creating a PR, run through this checklist and mark each as complete.
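A Pod spec sketch of the permission model in the PR description above, added here as an illustration and not taken from the PR's manifests. The UIDs, the GID and the mount paths come from the description; the Pod name, container names, image references and the choice of emptyDir volumes are assumptions.

```yaml
# Added illustration, not the project's manifest.
# Names and images are placeholders; emptyDir is an assumed volume type.
apiVersion: v1
kind: Pod
metadata:
  name: gateway-example                # hypothetical name
spec:
  securityContext:
    fsGroup: 1001                      # mounted volumes are group-owned by GID 1001
  containers:
    - name: nginx-gateway              # control plane: writes config and secrets
      image: example.invalid/nginx-gateway:placeholder
      securityContext:
        runAsUser: 102                 # distinct UID from nginx
        runAsGroup: 1001               # shared GID gives access to the volumes
        runAsNonRoot: true
      volumeMounts:
        - name: nginx-conf
          mountPath: /etc/nginx/conf.d
        - name: nginx-secrets
          mountPath: /etc/nginx/secrets
    - name: nginx                      # data plane: reads what the control plane wrote
      image: example.invalid/custom-nginx:placeholder
      securityContext:
        runAsUser: 101                 # no longer root
        runAsGroup: 1001
        runAsNonRoot: true
        capabilities:
          drop: ["ALL"]
          # add: [...]                 # only what the image needs; the PR does not list them
      volumeMounts:
        - name: nginx-conf
          mountPath: /etc/nginx/conf.d
        - name: nginx-secrets
          mountPath: /etc/nginx/secrets
  volumes:
    - name: nginx-conf
      emptyDir: {}
    - name: nginx-secrets
      emptyDir: {}
```

Because the two containers share only the group, a compromise of the nginx process does not inherit the control plane's user identity, while both can still reach the shared config directories through GID 1001.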