From c36ae9b8c76a52df3e4d21a6f6f9e6a296080902 Mon Sep 17 00:00:00 2001 From: Luca Comellini Date: Tue, 18 May 2021 11:41:15 -0700 Subject: [PATCH 1/3] Update NGINX Plus to R24 --- build/Dockerfile | 56 +++++++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 93dbe9be3a..4f253f4dd1 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,5 +1,6 @@ # syntax=docker/dockerfile:1.2 ARG BUILD_OS=debian +ARG NGINX_PLUS_VERSION=r24 ############################################# Base image for Debian ############################################# FROM nginx:1.21.0 AS debian @@ -33,8 +34,7 @@ COPY --chown=nginx:0 internal/configs/oidc/* /etc/nginx/oidc/ ############################################# Base image for Debian with NGINX Plus ############################################# FROM debian:buster-slim AS debian-plus ARG IC_VERSION -ENV NGINX_PLUS_VERSION 23-1~buster -ENV NGINX_NJS_VERSION 23+0.5.0-1~buster +ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ 
@@ -46,9 +46,10 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && gpg --no-default-keyring --keyring nginx_keyring.gpg --export > /etc/apt/trusted.gpg.d/nginx_signing.gpg \ && wget -P /etc/apt/apt.conf.d https://cs.nginx.com/static/files/90pkgs-nginx \ && echo "Acquire::https::pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION-apt\";" >> /etc/apt/apt.conf.d/90pkgs-nginx \ - && printf "deb https://pkgs.nginx.com/plus/debian buster nginx-plus\n" > /etc/apt/sources.list.d/nginx-plus.list \ - && apt-get update && apt-get install --no-install-recommends --no-install-suggests -y \ - nginx-plus=${NGINX_PLUS_VERSION} nginx-plus-module-njs=${NGINX_NJS_VERSION} \ + && printf "%s\n" "deb https://pkgs.nginx.com/plus/debian buster nginx-plus" > /etc/apt/sources.list.d/nginx-plus.list \ + && apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + nginx-plus-${NGINX_PLUS_VERSION} nginx-plus-module-njs-${NGINX_PLUS_VERSION} \ && apt-get purge --auto-remove -y apt-transport-https gnupg wget \ && rm -rf /var/lib/apt/lists/* @@ -58,13 +59,7 @@ COPY --chown=nginx:0 internal/configs/oidc/* /etc/nginx/oidc/ ############################################# Base image for Debian with NGINX Plus and App Protect ############################################# FROM debian-plus as debian-plus-nap ARG IC_VERSION - -ENV APPPROTECT_MODULE_VERSION 23+3.462.0-1~buster -ENV APPPROTECT_PLUGIN_VERSION 3.462.0-1~buster -ENV APPPROTECT_ENGINE_VERSION 6.53.1-1~buster -ENV APPPROTECT_COMPILER_VERSION 6.53.1-1~buster -ENV APPPROTECT_SIG_VERSION 2021.02.26-1~buster -ENV APPPROTECT_THREAT_CAMPAIGNS_VERSION 2021.03.02-1~buster +ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ 
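Review bot: The new install line `nginx-plus-${NGINX_PLUS_VERSION} nginx-plus-module-njs-${NGINX_PLUS_VERSION}` drops the `=version` pin, and the earlier hunk turns `ENV NGINX_PLUS_VERSION` into a build-only `ARG`, so the stage no longer records which NGINX Plus build it received. Two builds of the same commit can then differ in patch level, depending on what pkgs.nginx.com serves at build time. Consider adding `&& dpkg-query -W 'nginx-plus*' \` after the install so the build log shows what apt resolved and can be checked against advisories later. The same applies to `nginx-plus-module-opentracing-${NGINX_PLUS_VERSION}` in the opentracing-plus hunk. The RUN instruction begins above this hunk.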
@@ -76,16 +71,21 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && gpg --no-default-keyring --keyring app_protect_keyring.gpg --export > /etc/apt/trusted.gpg.d/nginx_app_signing.gpg \ && sed -i '$ d' /etc/apt/apt.conf.d/90pkgs-nginx \ && echo "Acquire::https::pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION-nap-$APPPROTECT_MODULE_VERSION-apt\";" >> /etc/apt/apt.conf.d/90pkgs-nginx \ - && printf "deb https://pkgs.nginx.com/app-protect/debian buster nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-app-protect.list \ - && printf "deb https://pkgs.nginx.com/app-protect-security-updates/debian buster nginx-plus\n" | tee -a /etc/apt/sources.list.d/nginx-app-protect.list \ - && apt-get update && apt-get install --no-install-recommends --no-install-suggests -y \ - nginx-plus-module-appprotect=$APPPROTECT_MODULE_VERSION \ - app-protect-plugin=$APPPROTECT_PLUGIN_VERSION \ - app-protect-engine=$APPPROTECT_ENGINE_VERSION \ - app-protect-compiler=$APPPROTECT_COMPILER_VERSION \ - app-protect=$APPPROTECT_MODULE_VERSION \ - && apt-get install -y app-protect-attack-signatures${APPPROTECT_SIG_VERSION:+=$APPPROTECT_SIG_VERSION} \ - && apt-get install -y app-protect-threat-campaigns${APPPROTECT_THREAT_CAMPAIGNS_VERSION:+=$APPPROTECT_THREAT_CAMPAIGNS_VERSION} \ + && printf "%s\n" "deb https://pkgs.nginx.com/app-protect/debian buster nginx-plus" \ + "deb https://pkgs.nginx.com/app-protect-security-updates/debian buster nginx-plus" > /etc/apt/sources.list.d/nginx-app-protect.list \ + && apt-get update \ + # searching apt-cache for the latest version of NAP packages compatible with the $NGINX_PLUS_VERSION + && module_version=$(apt-cache showpkg nginx-plus-module-appprotect | awk -v ver="nginx-plus-$NGINX_PLUS_VERSION" '{ if ($6 == ver) {print $1; exit}}') \ + engine_version=$(apt-cache showpkg app-protect | awk -v ver="$module_version" '{ if ($1 == ver && $3 == "nginx-plus-module-appprotect") {print substr($NF, 1, length($NF)-1); exit}}') \ + 
plugin=$(apt-cache showpkg nginx-plus-module-appprotect | awk -v ver="nginx-plus-$NGINX_PLUS_VERSION" '{ if ($6 == ver) {print substr($NF, 1, length($NF)-1); exit}}') \ + && apt-get install --no-install-recommends --no-install-suggests -y \ + nginx-plus-module-appprotect=${module_version} \ + app-protect-plugin=${plugin} \ + app-protect-engine=${engine_version} \ + app-protect-compiler=${engine_version} \ + app-protect=${module_version} \ + && apt-get install -y app-protect-attack-signatures \ + && apt-get install -y app-protect-threat-campaigns \ && apt-get purge --auto-remove -y apt-transport-https gnupg wget \ && rm -rf /var/lib/apt/lists/* \ && rm /etc/apt/sources.list.d/nginx-app-protect.list @@ -144,8 +144,7 @@ RUN rpm --import https://nginx.org/keys/nginx_signing.key \ ############################################# Base image for UBI with NGINX Plus ############################################# FROM ubi-base AS ubi-plus - -ENV NGINX_PLUS_VERSION r23 +ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ 
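Review bot: The unchanged `echo "Acquire::https::pkgs.nginx.com::User-Agent ..."` line in this hunk still expands `$APPPROTECT_MODULE_VERSION`, but the preceding hunk deletes `ENV APPPROTECT_MODULE_VERSION`. Unless the variable is set outside the visible hunks, the User-Agent becomes `k8s-ic-<IC_VERSION>-nap--apt`. Because `module_version` is only resolved after `apt-get update`, the simplest replacement in that string is `$NGINX_PLUS_VERSION`. Separately, each of the three awk lookups yields an empty string when no row matches, and `apt-get install` is then handed `pkg=` with nothing after the equals sign; a guard such as `&& [ -n "$module_version" ] && [ -n "$engine_version" ] && [ -n "$plugin" ] \` before the install would stop the build at the lookup rather than inside apt. The RUN instruction begins above this hunk.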
@@ -223,14 +222,13 @@ RUN ldconfig ############################################# Build image for Opentracing with NGINX Plus ############################################# FROM debian-plus as opentracing-plus - -ENV NGINX_OPENTRACING_MODULE_VERSION 23+0.9.0-1~buster +ARG NGINX_PLUS_VERSION RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode=0644 \ --mount=type=secret,id=nginx-repo.key,dst=/etc/ssl/nginx/nginx-repo.key,mode=0644 \ - apt-get update && \ - apt-get install --no-install-recommends --no-install-suggests -y nginx-plus-module-opentracing=${NGINX_OPENTRACING_MODULE_VERSION} && \ - rm -rf /var/lib/apt/lists/* + apt-get update \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-plus-module-opentracing-${NGINX_PLUS_VERSION} \ + && rm -rf /var/lib/apt/lists/* COPY --from=tracer-downloader /usr/local/lib/libjaegertracing_plugin.so /usr/local/lib/libjaegertracing_plugin.so From 67d94cd3524a25c4b2e71e6300f6e83daf515b4f Mon Sep 17 00:00:00 2001 From: Luca Comellini Date: Tue, 25 May 2021 17:08:08 -0700 Subject: [PATCH 2/3] add docs --- docs-web/installation/building-ingress-controller-image.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs-web/installation/building-ingress-controller-image.md b/docs-web/installation/building-ingress-controller-image.md index af35d7de36..27e678d905 100644 --- a/docs-web/installation/building-ingress-controller-image.md +++ b/docs-web/installation/building-ingress-controller-image.md 
@@ -55,6 +55,8 @@ We build the image using the make utility and the provided `Makefile`. Let’s c As a result, the image **myregistry.example.com/nginx-plus-ingress:1.11.3** is built. Note that the tag `1.11.3` comes from the `VERSION` variable, defined in the Makefile. + **Note**: In the event of a patch version of NGINX Plus being [released](/nginx/releases/), make sure to rebuild your image to get the latest version. If your system is caching the Docker layers, add `DOCKER_BUILD_OPTIONS="--no-cache"` to the `make` command. + 1. Push the image: ``` $ make push PREFIX=myregistry.example.com/nginx-ingress From 9a8a0842771c36aa1481aa6a004498da045d82a9 Mon Sep 17 00:00:00 2001 From: Luca Comellini Date: Wed, 26 May 2021 12:17:37 -0700 Subject: [PATCH 3/3] update docs --- docs-web/app-protect/installation.md | 2 ++ docs-web/installation/building-ingress-controller-image.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/docs-web/app-protect/installation.md b/docs-web/app-protect/installation.md index 4bd1ed3f8a..8985ba7c29 100644 --- a/docs-web/app-protect/installation.md +++ b/docs-web/app-protect/installation.md 
@@ -23,6 +23,8 @@ Take the steps below to create the Docker image that you'll use to deploy NGINX In order to do so, place the `*.crt` file in the build folder and uncomment the lines that follow this comment: `#Uncomment the lines below if you want to install a custom CA certificate` + **Note**: In the event of a patch version of NGINX Plus being [released](/nginx/releases/), make sure to rebuild your image to get the latest version. The Dockerfile will use the latest available version of the [Attack Signatures](/nginx-app-protect/configuration/#attack-signatures) and [Threat Campaigns](/nginx-app-protect/configuration/#threat-campaigns) packages at the time of build. If your system is caching the Docker layers and not updating the packages, add `DOCKER_BUILD_OPTIONS="--no-cache"` to the `make` command. + - [Push the image to your local Docker registry](/nginx-ingress-controller/installation/building-ingress-controller-image/#building-the-image-and-pushing-it-to-the-private-registry). ## Install the Ingress Controller diff --git a/docs-web/installation/building-ingress-controller-image.md b/docs-web/installation/building-ingress-controller-image.md index 27e678d905..94a965522f 100644 --- a/docs-web/installation/building-ingress-controller-image.md +++ b/docs-web/installation/building-ingress-controller-image.md 
@@ -55,7 +55,7 @@ We build the image using the make utility and the provided `Makefile`. Let’s c As a result, the image **myregistry.example.com/nginx-plus-ingress:1.11.3** is built. Note that the tag `1.11.3` comes from the `VERSION` variable, defined in the Makefile. - **Note**: In the event of a patch version of NGINX Plus being [released](/nginx/releases/), make sure to rebuild your image to get the latest version. If your system is caching the Docker layers, add `DOCKER_BUILD_OPTIONS="--no-cache"` to the `make` command. + **Note**: In the event of a patch version of NGINX Plus being [released](/nginx/releases/), make sure to rebuild your image to get the latest version. If your system is caching the Docker layers and not updating the packages, add `DOCKER_BUILD_OPTIONS="--no-cache"` to the `make` command. 1. Push the image: ```