bump kong to 1.2

kong/Dockerfile

@@ -1,32 +1,32 @@
 FROM alpine:3.6
 
-ENV KONG_VERSION 0.14.1
-ENV KONG_SHA256 e29937c5117ac2debcffe0d0016996dd5f0c516ef628f1edc029138715981387
+ENV KONG_VERSION 1.2.0
+ENV KONG_SHA256 049c63c930b14d8049ebd028794b690b52600c580be8fe129dac11062b8e2568
 
-RUN apk update \
-    && apk add git \
-    && apk add musl-dev \
-    && apk add gcc \
-    && apk add pcre-dev \
-    && apk add --virtual .build-deps wget tar ca-certificates \
-    && apk add libgcc openssl pcre perl \
-    && wget -O kong.tar.gz "https://bintray.com/kong/kong-community-edition-alpine-tar/download_file?file_path=kong-community-edition-$KONG_VERSION.apk.tar.gz" \
-    && echo "$KONG_SHA256 *kong.tar.gz" | sha256sum -c - \
-    && tar -xzf kong.tar.gz -C /tmp \
-    && rm -f kong.tar.gz \
-    && cp -R /tmp/usr / \
-    && rm -rf /tmp/usr \
-    && apk del .build-deps \
-    && rm -rf /var/cache/apk/* \
-    && luarocks install kong-plugin-mithril \
-    && apk del git gcc musl-dev pcre-dev
+RUN adduser -Su 1337 kong \
+	&& mkdir -p "/usr/local/kong" \
+	&& apk add --no-cache --virtual .build-deps wget tar ca-certificates \
+	&& apk add --no-cache libgcc openssl pcre perl tzdata curl libcap su-exec \
+	&& wget -O kong.tar.gz "https://bintray.com/kong/kong-alpine-tar/download_file?file_path=kong-$KONG_VERSION.apk.tar.gz" \
+	&& echo "$KONG_SHA256 *kong.tar.gz" | sha256sum -c - \
+	&& tar -xzf kong.tar.gz -C /tmp \
+	&& rm -f kong.tar.gz \
+	&& cp -R /tmp/usr / \
+	&& rm -rf /tmp/usr \
+	&& cp -R /tmp/etc / \
+	&& rm -rf /tmp/etc \
+	&& apk del .build-deps \
+	&& chown -R kong:0 /usr/local/kong \
+	&& chmod -R g=u /usr/local/kong \
+    && /usr/local/bin/luarocks install kong-plugin-mithril 0.3.5-1
 
 COPY custom_nginx.template /nginx.conf
 COPY docker-entrypoint.sh /docker-entrypoint.sh
+
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 EXPOSE 8000 8443 8001 8444
 
-STOPSIGNAL SIGTERM
+STOPSIGNAL SIGQUIT
 
 CMD ["kong", "docker-start"]

kong/custom_nginx.template

@@ -14,7 +14,7 @@ events {
 http {
     charset UTF-8;
 
-    error_log syslog:server=kong-hf.mashape.com:61828 error;
+    error_log syslog:server=kong-hf.konghq.com:61828 error;
 
     error_log /dev/stderr notice;
 
@@ -36,7 +36,9 @@ http {
     lua_max_pending_timers 16384;
     lua_shared_dict kong                5m;
     lua_shared_dict kong_db_cache       128m;
-    lua_shared_dict kong_db_cache_miss 12m;
+    lua_shared_dict kong_db_cache_2     128m;
+    lua_shared_dict kong_db_cache_miss   12m;
+    lua_shared_dict kong_db_cache_miss_2 12m;
     lua_shared_dict kong_locks          8m;
     lua_shared_dict kong_process_events 5m;
     lua_shared_dict kong_cluster_events 5m;
@@ -97,7 +99,7 @@ http {
         client_body_timeout 30;
         ssl_certificate /usr/local/kong/ssl/kong-default.crt;
         ssl_certificate_key /usr/local/kong/ssl/kong-default.key;
-        ssl_protocols TLSv1.1 TLSv1.2;
+        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
         ssl_certificate_by_lua_block {
             Kong.ssl_certificate()
         }
@@ -119,6 +121,7 @@ http {
             default_type                     '';
 
             set $ctx_ref                     '';
+            set $upstream_te                 '';
             set $upstream_x_consumer_id      '';
             set $upstream_x_client_id        '';
             set $upstream_x_mis_client_id    '';
@@ -141,6 +144,7 @@ http {
             }
 
             proxy_http_version 1.1;
+            proxy_set_header   TE                $upstream_te;
             proxy_set_header   Host              $upstream_host;
             proxy_set_header   Upgrade           $upstream_upgrade;
             proxy_set_header   Connection        $upstream_connection;
@@ -192,13 +196,22 @@ http {
     server {
         server_name kong_admin;
         listen 0.0.0.0:8001;
+        listen 0.0.0.0:8444 ssl;
 
         access_log /dev/stdout;
         error_log /dev/stderr notice;
 
         client_max_body_size 10m;
         client_body_buffer_size 10m;
 
+        ssl_certificate /usr/local/kong/ssl/admin-kong-default.crt;
+        ssl_certificate_key /usr/local/kong/ssl/admin-kong-default.key;
+        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
 
         # injected nginx_admin_* directives
 

kong/docker-entrypoint.sh

@@ -3,16 +3,38 @@ set -e
 
 export KONG_NGINX_DAEMON=off
 
+has_transparent() {
+  echo "$1" | grep -E "[^\s,]+\s+transparent\b" >/dev/null
+}
+
 if [[ "$1" == "kong" ]]; then
   PREFIX=${KONG_PREFIX:=/usr/local/kong}
-  mkdir -p $PREFIX
 
   if [[ "$2" == "docker-start" ]]; then
-    kong prepare -p $PREFIX
+    shift 2
+    kong prepare -p "$PREFIX" "$@"
+
+    # workaround for https://github.com/moby/moby/issues/31243
+    chmod o+w /proc/self/fd/1 || true
+    chmod o+w /proc/self/fd/2 || true
 
-    exec /usr/local/openresty/nginx/sbin/nginx \
-      -p $PREFIX \
-      -c "/nginx.conf"
+    if [ "$(id -u)" != "0" ]; then
+      exec /usr/local/openresty/nginx/sbin/nginx \
+        -p "$PREFIX" \
+        -c /nginx.conf
+    else
+      if [ ! -z ${SET_CAP_NET_RAW} ] \
+          || has_transparent "$KONG_STREAM_LISTEN" \
+          || has_transparent "$KONG_PROXY_LISTEN" \
+          || has_transparent "$KONG_ADMIN_LISTEN";
+      then
+        setcap cap_net_raw=+ep /usr/local/openresty/nginx/sbin/nginx
+      fi
+      chown -R kong:0 /usr/local/kong
+      exec su-exec kong /usr/local/openresty/nginx/sbin/nginx \
+        -p "$PREFIX" \
+        -c /nginx.conf
+    fi
   fi
 fi