Images: Remove NGINX v1.21.

kubernetes · Oct 1, 2024 · 5ad97d6 · 5ad97d6
1 parent fe6e276
commit 5ad97d6
Show file tree

Hide file tree

Showing 64 changed files with 242 additions and 1,914 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -9,7 +9,7 @@ on:
       - 'deploy/**'
       - '**.md'
       - 'images/**' # Images changes should be tested on their own workflow
-      - '!images/nginx-1.25/**'
+      - '!images/nginx/**'
 
   push:
     branches:
@@ -68,7 +68,7 @@ jobs:
               - 'NGINX_BASE'
             baseimage:
               - 'NGINX_BASE'
-              - 'images/nginx-1.25/**'
+              - 'images/nginx/**'
             docs:
               - '**/*.md'
 
@@ -164,8 +164,8 @@ jobs:
         if: |
           needs.changes.outputs.baseimage == 'true'
         run: |
-            export TAG=$(cat images/nginx-1.25/TAG)
-            cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx-1.25:${TAG} .
+            export TAG=$(cat images/nginx/TAG)
+            cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --load -t registry.k8s.io/ingress-nginx/nginx:${TAG} .
 
       - name: Build images
         env:
@@ -174,8 +174,8 @@ jobs:
           REGISTRY: ingress-controller
         run: |
           echo "building images..."
-          export TAGNGINX=$(cat images/nginx-1.25/TAG)
-          make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx-1.25:${TAGNGINX} clean-image build image image-chroot
+          export TAGNGINX=$(cat images/nginx/TAG)
+          make BASE_IMAGE=registry.k8s.io/ingress-nginx/nginx:${TAGNGINX} clean-image build image image-chroot
           make -C test/e2e-image image
 
           echo "creating images cache..."

diff --git a/.github/workflows/images.yaml b/.github/workflows/images.yaml
@@ -36,7 +36,6 @@ jobs:
       kube-webhook-certgen: ${{ steps.filter.outputs.kube-webhook-certgen }}
       ext-auth-example-authsvc: ${{ steps.filter.outputs.ext-auth-example-authsvc }}
       nginx: ${{ steps.filter.outputs.nginx }}
-      nginx125: ${{ steps.filter.outputs.nginx125 }}
       opentelemetry: ${{ steps.filter.outputs.opentelemetry }}
 
     steps:
@@ -67,8 +66,6 @@ jobs:
               - 'images/nginx/**'
             opentelemetry:
               - 'images/opentelemetry/**'
-            nginx125:
-              - 'images/nginx-1.25/TAG'
 
   #### TODO: Make the below jobs 'less dumb' and use the job name as parameter (the github.job context does not work here)
   cfssl:
@@ -183,14 +180,14 @@ jobs:
       run: |
         cd images/opentelemetry && make NGINX_VERSION=${{ matrix.nginx }} build
 
-  nginx125:
+  nginx:
     permissions:
       contents: write
       packages: write
     runs-on: ubuntu-latest
     needs: changes
     if: |
-      (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx125 == 'true')
+      (github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.nginx == 'true')
     env:
       PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/s390x
     steps:
@@ -211,5 +208,5 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: build-image
         run: |
-          export TAG=$(cat images/nginx-1.25/TAG)
-          cd images/nginx-1.25/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx-1.25:${TAG} .
+          export TAG=$(cat images/nginx/TAG)
+          cd images/nginx/rootfs && docker buildx build --platform=${{ env.PLATFORMS }} --push -t ingressnginx/nginx:${TAG} .
diff --git a/images/nginx-1.25/Makefile b/images/nginx-1.25/Makefile
diff --git a/images/nginx-1.25/README.md b/images/nginx-1.25/README.md
diff --git a/images/nginx-1.25/TAG b/images/nginx-1.25/TAG
diff --git a/images/nginx-1.25/cloudbuild.yaml b/images/nginx-1.25/cloudbuild.yaml
diff --git a/images/nginx-1.25/rootfs/Dockerfile b/images/nginx-1.25/rootfs/Dockerfile
diff --git a/images/nginx/Makefile b/images/nginx/Makefile
@@ -1,4 +1,4 @@
-# Copyright 2017 The Kubernetes Authors. All rights reserved.
+# Copyright 2024 The Kubernetes Authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@ INIT_BUILDX=$(DIR)/../../hack/init-buildx.sh
 
 # 0.0.0 shouldn't clobber any released builds
 SHORT_SHA ?=$(shell git rev-parse --short HEAD)
-TAG ?=v$(shell date +%Y%m%d)-$(SHORT_SHA)
+TAG ?=$(shell cat TAG)
 
 REGISTRY ?= gcr.io/k8s-staging-ingress-nginx
 

diff --git a/images/nginx/README.md b/images/nginx/README.md
@@ -1,27 +1,47 @@
-NGINX base image using [alpine](https://www.alpinelinux.org/)
+NGINX base image
 
-This custom image contains:
+### HTTP/3 Support
 
-- [nginx-http-auth-digest](https://github.com/atomx/nginx-http-auth-digest)
-- [ngx_http_substitutions_filter_module](https://github.com/yaoweibin/ngx_http_substitutions_filter_module)
-- [OpenTelemetry-CPP](https://github.com/open-telemetry/opentelemetry-cpp)
-- [OpenTelemetry-CPP-Nginx](https://github.com/open-telemetry/opentelemetry-cpp-contrib/tree/main/instrumentation/nginx)
-- [nginx-opentracing](https://github.com/opentracing-contrib/nginx-opentracing)
-- [opentracing-cpp](https://github.com/opentracing/opentracing-cpp)
-- [zipkin-cpp-opentracing](https://github.com/rnburn/zipkin-cpp-opentracing)
-- [dd-opentracing-cpp](https://github.com/DataDog/dd-opentracing-cpp)
-- [ModSecurity-nginx](https://github.com/SpiderLabs/ModSecurity-nginx) (only supported in x86_64)
-- [brotli](https://github.com/google/brotli)
-- [geoip2](https://github.com/leev/ngx_http_geoip2_module)
+**HTTP/3 support is experimental and under development**
 
-**How to use this image:**
-This image provides a default configuration file with no backend servers.
+[HTTP/3](https://datatracker.ietf.org/doc/html/rfc9114)\
+[QUIC](https://datatracker.ietf.org/doc/html/rfc9000)
 
-_Using docker_
+[According to the documentation, NGINX 1.25.0 or higher supports HTTP/3:](https://nginx.org/en/docs/quic.html)
 
-NGINX base image we use is defined in NGINX_BASE file at the root of the project 
+> Support for QUIC and HTTP/3 protocols is available since 1.25.0.
 
-```console
-docker run -v /some/nginx.conf:/etc/nginx/nginx.conf:ro $(cat ../../NGINX_BASE)
-```
+But this requires adding a new flag during the build:
 
+> When configuring nginx, it is possible to enable QUIC and HTTP/3 using the --with-http_v3_module configuration parameter.
+
+[We have added this flag](https://github.com/kubernetes/ingress-nginx/pull/11470), but it is not enough to use HTTP/3 in ingress-nginx, this is the first step.
+
+The next steps will be:
+
+1. **Waiting for OpenSSL 3.4.**\
+    The main problem is, that we still use OpenSSL (3.x) and it does not support the important mechanism of TLS 1.3 - [early_data](https://datatracker.ietf.org/doc/html/rfc8446#section-2.3):
+
+    > Otherwise, the OpenSSL compatibility layer will be used that does not support early data.
+    
+    [And although another part of the documentation says that the directive is supported with OpenSSL:](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data)
+
+    > The directive is supported when using OpenSSL 1.1.1 or higher.
+    
+    But this is incomplete support, because OpenSSL does not support this feature, and [it has only client side support:](https://github.com/openssl/openssl)
+
+    > ... the QUIC (currently client side only) version 1 protocol
+   
+    [And also there are some issues even with client side](https://github.com/openssl/openssl/discussions/23339)
+
+    Due to this, we currently have incomplete HTTP/3 support, without important security and performance features.\
+    But the good news is that [OpenSSL plans to add server-side support in 3.4](https://github.com/openssl/web/blob/master/roadmap.md):
+
+    > Server-side QUIC support
+    
+    [Overview of SSL libraries(HAProxy Documentation)](https://github.com/haproxy/wiki/wiki/SSL-Libraries-Support-Status#tldr)  
+
+2. **Adding [parameters](https://nginx.org/en/docs/http/ngx_http_v3_module.html) to the configmap to configure HTTP/3 and quic(enableHTTP3, enableHTTP/0.9, maxCurrentStream, and so on).**
+3. **Adding options to the nginx config template(`listen 443 quic` to server blocks and `add_header Alt-Svc 'h3=":8443"; ma=86400';` to location blocks).**
+4. **Opening the https port for UDP in the container(because QUIC uses UDP).**
+5. **Adding tests.**
diff --git a/images/nginx/TAG b/images/nginx/TAG
@@ -1 +1 @@
-v1.0.0
+v0.0.12
diff --git a/images/nginx/rootfs/Dockerfile b/images/nginx/rootfs/Dockerfile
@@ -1,4 +1,4 @@
-# Copyright 2015 The Kubernetes Authors. All rights reserved.
+# Copyright 2024 The Kubernetes Authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,11 +29,10 @@ ENV LUA_PATH="/usr/local/share/luajit-2.1.0-beta3/?.lua;/usr/local/share/lua/5.1
 ENV LUA_CPATH="/usr/local/lib/lua/?/?.so;/usr/local/lib/lua/?.so;;"
 
 COPY --from=builder /usr/local /usr/local
+COPY --from=builder /usr/lib/libopentelemetry* /usr/local/lib
 COPY --from=builder /opt /opt
 COPY --from=builder /etc/nginx /etc/nginx
 
-LABEL org.opencontainers.image.source=https://github.com/kubernetes/ingress-nginx
-
 RUN apk update \
   && apk upgrade \
   && apk add -U --no-cache \
@@ -50,6 +49,8 @@ RUN apk update \
   yaml-cpp \
   dumb-init \
   tzdata \
+  grpc-cpp \
+  libprotobuf \
   && ln -s /usr/local/nginx/sbin/nginx /sbin/nginx \
   && adduser -S -D -H -u 101 -h /usr/local/nginx \
   -s /sbin/nologin -G www-data -g www-data www-data \