diff --git a/.github/labeler.yml b/.github/labeler.yml index 336e4b6192..ffbc8e3bc6 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -1,25 +1,29 @@ +change: + - head-branch: ['^change/'] + enhancement: -- branch: ['feature/**', 'feat/**', 'enhancement/**', 'enh/**'] + - head-branch: ['^feature/', '^feat/', '^enhancement/', '^enh/'] bug: -- branch: ['fix/**', 'bug/**'] + - head-branch: ['^fix/', '^bug/'] chore: -- branch: ['chore/**'] + - head-branch: ['^chore/'] tests: -- branch: ['tests/**', 'test/**'] -- tests/**/* -- perf-tests/**/* + - any: + - head-branch: ['^tests/', '^test/'] + - changed-files: ['tests/**/*', 'perf-tests/**/*'] + - all: + - changed-files: ['!tests/requirements.txt', '!perf-tests/requirements.txt'] documentation: -- branch: ['docs/**', 'doc/**'] -- '**/*.md' + - head-branch: ['^docs/', '^doc/'] + - changed-files: '**/*.md' dependencies: -- branch: ['deps/**', 'dep/**', 'dependabot/**'] -- go.mod -- go.sum + - head-branch: ['^deps/', '^dep/', '^dependabot/', 'pre-commit-ci-update-config'] + - changed-files: ['go.mod', 'go.sum'] helm_chart: -- deployments/helm-chart/**/* + - changed-files: ['deployments/helm-chart/**/*'] diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 12cb9c75f8..a1f376ff07 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -110,7 +110,7 @@ jobs: tags: | type=edge type=ref,event=pr - type=schedule + type=schedule,enable=${{ inputs.tag == '' }} type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }} 
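Review bot: The new `head-branch` entries are regular expressions, and `'pre-commit-ci-update-config'` in the `dependencies` list is the only one left unanchored, so it matches that text anywhere in a branch name; for consistency with the other patterns it should read `'^pre-commit-ci-update-config'`. Because the labeler workflow in this same commit runs on `pull_request_target`, the head branch name is chosen by the PR author, including fork authors, so a label such as `dependencies` or `tests` says nothing about where the change came from. Any automation that keys off these labels (auto-merge, skipped checks) should not treat them as a trust signal; a top-of-file comment such as `# head-branch labels are derived from author-controlled branch names; do not gate automation on them` would make that explicit.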
@@ -157,7 +157,7 @@ jobs: ignore-unfixed: "true" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 continue-on-error: true with: sarif_file: "trivy-results-${{ inputs.image }}.sarif" diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 75f2b4d699..a7bb599c92 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -20,17 +20,17 @@ defaults: run: shell: bash -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: build: - permissions: - contents: read # for docker/build-push-action to read repo content - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - id-token: write # for OIDC login to AWS - runs-on: ubuntu-22.04 - steps: + permissions: + contents: read # for docker/build-push-action to read repo content + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + id-token: write # for OIDC login to AWS + runs-on: ubuntu-22.04 + steps: - name: Checkout Repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: 
@@ -90,7 +90,7 @@ jobs: name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/release/nginx-ic${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }}/nginx-plus-ingress,enable=${{ startsWith(github.ref, 'refs/tags/') }} name=709825985650.dkr.ecr.us-east-1.amazonaws.com/nginx/nginx-plus-ingress${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},enable=${{ startsWith(github.ref, 'refs/tags/') && contains(inputs.target, 'aws') }} flavor: | - suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }},onlatest=true + suffix=${{ contains(inputs.image, 'ubi') && '-ubi' || '' }}${{ contains(inputs.image, 'alpine') && '-alpine' || '' }}${{ contains(inputs.target, 'aws') && '-mktpl' || '' }}${{ contains(inputs.image, 'fips') && '-fips' || ''}},onlatest=true latest=${{ contains(inputs.target, 'aws') && 'false' || 'auto' }} tags: | type=edge @@ -119,7 +119,7 @@ jobs: uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: build/Dockerfile - context: '.' + context: "." cache-from: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }} cache-to: type=gha,scope=${{ inputs.image }}${{ contains(inputs.nap_modules, 'dos') && '-dos' || '' }}${{ contains(inputs.nap_modules, 'waf') && '-nap' || '' }},mode=max target: ${{ inputs.target }} @@ -146,7 +146,7 @@ jobs: uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 with: file: build/Dockerfile - context: '.' + context: "." cache-from: type=gha,scope=${{ inputs.image }} target: ${{ inputs.target }} tags: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }} 
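Review bot: Style: the new `${{ contains(inputs.image, 'fips') && '-fips' || ''}}` term drops the space before `}}` that every other term on the `suffix=` line has; write `|| '' }}` so the expression reads uniformly. Because `-fips` is appended after the `-mktpl` term, an `aws` target for the FIPS image would be tagged `…-alpine-mktpl-fips`; if the marketplace naming expects the variant before `-mktpl`, the fips term belongs ahead of the aws term. Whether an AWS FIPS variant is intended at all cannot be confirmed from this hunk.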
@@ -166,20 +166,20 @@ jobs: continue-on-error: true with: image-ref: docker.io/${{ inputs.image }}:${{ steps.meta.outputs.version }} - format: 'sarif' - output: 'trivy-results-${{ inputs.image }}.sarif' - ignore-unfixed: 'true' + format: "sarif" + output: "trivy-results-${{ inputs.image }}.sarif" + ignore-unfixed: "true" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 continue-on-error: true with: - sarif_file: 'trivy-results-${{ inputs.image }}.sarif' + sarif_file: "trivy-results-${{ inputs.image }}.sarif" - name: Upload Scan Results uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 continue-on-error: true with: - name: 'trivy-results-${{ inputs.image }}.sarif' - path: 'trivy-results-${{ inputs.image }}.sarif' + name: "trivy-results-${{ inputs.image }}.sarif" + path: "trivy-results-${{ inputs.image }}.sarif" if: always() diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 11cfd3ce22..aa83a66328 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -327,7 +327,7 @@ jobs: strategy: fail-fast: false matrix: - image: [debian-plus, alpine-plus] + image: [debian-plus, alpine-plus, alpine-plus-fips] platforms: ["linux/arm64, linux/amd64"] target: [goreleaser, aws] include: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4bd1c457d7..a4309ebd87 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
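Review bot: Adding `alpine-plus-fips` to `image` while `target` still lists `[goreleaser, aws]` yields an `alpine-plus-fips × aws` matrix entry, so a tagged run would also build a `-mktpl` FIPS image and, per the `enable=` condition on the ECR name in build-plus.yml, push it to the marketplace registry. If that variant is not meant to ship yet, add an exclusion, e.g. `exclude:` / `- image: alpine-plus-fips` / `target: aws`; the `include:` block that follows is outside the hunk, so an existing exclusion cannot be confirmed from here.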
@@ -2,63 +2,66 @@ name: "CodeQL" on: push: - branches: [ main, release-* ] + branches: + - main + - release-* pull_request: # The branches below must be a subset of the branches above - branches: [ main ] + branches: + - main schedule: - - cron: '36 6 * * 4' # run every Thursday at 06:36 UTC + - cron: "36 6 * * 4" # run every Thursday at 06:36 UTC concurrency: group: ${{ github.ref_name }}-codeql cancel-in-progress: true -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: analyze: permissions: - actions: read # for github/codeql-action/init to get workflow details - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/autobuild to send a status report + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze runs-on: ubuntu-latest strategy: fail-fast: false matrix: - language: [ 'go', 'python' ] + language: ["go", "python"] steps: - - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language - #- run: | - # make bootstrap - # make release + #- run: | + # make bootstrap + # make release - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 
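Review bot: Consistency: the job is reindented but keeps `runs-on: ubuntu-latest`, while this same commit pins the labeler job to `ubuntu-22.04`; pinning here as well (`runs-on: ubuntu-22.04`) keeps the scan environment reproducible across workflows and avoids results shifting when GitHub rolls `latest`. The reindented `# ✏ī¸ If the Autobuild fails…` block and the commented-out `make bootstrap` / `make release` stanza are starter-template boilerplate that does not apply to a Go/Python scan; dropping them would be cleaner than carrying them through another reformat.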
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 608cd83339..495e427ac3 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,7 +2,7 @@ name: "Pull Request Labeler" on: - pull_request_target -permissions: # added using https://github.com/step-security/secure-workflows +permissions: contents: read jobs: @@ -10,8 +10,8 @@ jobs: permissions: contents: read pull-requests: write - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - - uses: joshdales/labeler@7b1327b4c44a8794dfc7573d60637cd60ce4b697 # if https://github.com/actions/labeler/pull/203 is merged, use the official action actions/labeler - with: - repo-token: "${{ secrets.GITHUB_TOKEN }}" + - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 4b19f86e80..3ed9608cf7 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -3,9 +3,10 @@ on: # Only the default branch is supported. branch_protection_rule: schedule: - - cron: '43 20 * * 0' # run every Sunday at 20:43 UTC + - cron: "43 20 * * 0" # run every Sunday at 20:43 UTC push: - branches: [ "main" ] + branches: + - main # Declare default permissions as read only. permissions: read-all @@ -53,6 +54,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 + uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 with: sarif_file: results.sarif diff --git a/.github/workflows/updates-notification.yml b/.github/workflows/updates-notification.yml index 84e4c2e58d..db97bd5236 100644 --- a/.github/workflows/updates-notification.yml +++ b/.github/workflows/updates-notification.yml 
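Review bot: The action is pinned by commit SHA, which is good, but the comment marks it as `v5.0.0-alpha.1`, a pre-release whose config syntax (`head-branch`, `changed-files`) may still change before v5 ships, and `.github/labeler.yml` in this commit is written against that alpha syntax. A comment tying the two together would help, e.g. `# v5.0.0-alpha.1 — pre-release; bump together with .github/labeler.yml syntax`. The job keeps `pull_request_target` with `pull-requests: write`, which is acceptable only because it never checks out or runs PR code; stating that invariant in a comment above `on:` protects it from a future step added to this job.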
@@ -25,7 +25,7 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 with:
- ref: ${{ inputs.tag }}
+ ref: refs/tags/v${{ inputs.tag }}
 - name: Get variables for Slack
 id: slack
 run: |
diff --git a/Makefile b/Makefile
index 393798dcdb..b2690ff275 100644
--- a/Makefile
+++ b/Makefile
@@ -1,16 +1,14 @@ # variables that should not be overridden by the user -GIT_COMMIT = $(shell git rev-parse HEAD || echo unknown) -GIT_COMMIT_SHORT = $(shell echo ${GIT_COMMIT} | cut -c1-7) GIT_TAG = $(shell git describe --tags --abbrev=0 || echo untagged) -VERSION = $(GIT_TAG)-SNAPSHOT-$(GIT_COMMIT_SHORT) +VERSION = $(GIT_TAG)-SNAPSHOT PLUS_ARGS = --secret id=nginx-repo.crt,src=nginx-repo.crt --secret id=nginx-repo.key,src=nginx-repo.key # variables that can be overridden by the user -PREFIX ?= nginx/nginx-ingress## The name of the image. For example, nginx/nginx-ingress -TAG ?= $(VERSION:v%=%)## The tag of the image. For example, 2.0.0 -TARGET ?= local## The target of the build. Possible values: local, container and download -override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) --build-arg GIT_COMMIT=$(GIT_COMMIT)## The options for the docker build command. For example, --pull. -ARCH ?= amd64## The architecture of the image or binary. For example: amd64, arm64, ppc64le, s390x. Not all architectures are supported for all targets. +PREFIX ?= nginx/nginx-ingress ## The name of the image. For example, nginx/nginx-ingress +TAG ?= $(VERSION:v%=%) ## The tag of the image. For example, 2.0.0 +TARGET ?= local ## The target of the build. Possible values: local, container and download +override DOCKER_BUILD_OPTIONS += --build-arg IC_VERSION=$(VERSION) ## The options for the docker build command. For example, --pull +ARCH ?= amd64 ## The architecture of the image or binary. For example: amd64, arm64, ppc64le, s390x. Not all architectures are supported for all targets # final docker build command DOCKER_CMD = docker build --platform linux/$(ARCH) $(strip $(DOCKER_BUILD_OPTIONS)) --target $(strip $(TARGET)) -f build/Dockerfile -t $(strip $(PREFIX)):$(strip $(TAG)) . 
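Review bot: Dropping `GIT_COMMIT_SHORT` from `VERSION` means every untagged build now produces the identical tag `<last-tag>-SNAPSHOT`, so two local builds from different commits overwrite each other and a running image can no longer be traced back to its source revision. If the SHA is unwanted in the tag, keep it available for the image label instead: `GIT_COMMIT = $(shell git rev-parse HEAD || echo unknown)` and `--build-arg GIT_COMMIT=$(GIT_COMMIT)` in `DOCKER_BUILD_OPTIONS`. `hack/docker.sh` in this same commit already runs `git rev-parse HEAD` itself, so the value is still cheap to obtain.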
@@ -22,7 +20,7 @@ export DOCKER_BUILDKIT = 1 .PHONY: help help: Makefile ## Display this help @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "; printf "Usage:\n\n make \033[36m\033[0m [VARIABLE=value...]\n\nTargets:\n\n"}; {printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}' - @grep -E '^(override )?[a-zA-Z_-]+ \??\+?= .*?## .*$$' $< | sort | awk 'BEGIN {FS = " \\??\\+?= .*?## "; printf "\nVariables:\n\n"}; {gsub(/override /, "", $$1); printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}' + @grep -E '^(override )?[a-zA-Z_-]+ \??\+?= .*? ## .*$$' $< | sort | awk 'BEGIN {FS = " \\??\\+?= .*? ## "; printf "\nVariables:\n\n"}; {gsub(/override /, "", $$1); printf " \033[36m%-30s\033[0m %s\n", $$1, $$2}' .PHONY: all all: test lint verify-codegen update-crds debian-image @@ -85,7 +83,7 @@ endif .PHONY: download-binary-docker download-binary-docker: ## Download Docker image from which to extract Ingress Controller binary, TARGET=download is required ifeq (${TARGET},download) -DOWNLOAD_TAG := $(shell ./hack/docker.sh $(GIT_COMMIT) $(GIT_TAG)) +DOWNLOAD_TAG := $(shell ./hack/docker.sh $(GIT_TAG)) ifeq ($(DOWNLOAD_TAG),fail) $(error unable to build with TARGET=download, this function is only available when building from a git tag or from the latest commit matching the edge image) endif 
@@ -109,20 +107,24 @@ alpine-image: build ## Create Docker image for Ingress Controller (Alpine) alpine-image-plus: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus +.PHONY: alpine-image-plus-fips +alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus and FIPS) + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-fips + .PHONY: debian-image-plus debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus .PHONY: debian-image-nap-plus -debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and App Protect WAF) +debian-image-nap-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect WAF) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf .PHONY: debian-image-dos-plus -debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and App Protect DoS) +debian-image-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus and NGINX App Protect DoS) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=dos .PHONY: debian-image-nap-dos-plus -debian-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, App Protect WAF and DoS) +debian-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus, NGINX App Protect WAF and DoS) $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus-nap --build-arg NAP_MODULES=waf,dos .PHONY: ubi-image 
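Review bot: The new `alpine-image-plus-fips` target is not added to `all-images`, whose definition (visible as context in the following hunk) still lists only the non-FIPS Plus images, so `make all-images` will neither build nor exercise the FIPS variant. Append `alpine-image-plus-fips` to that target's prerequisites. A note in the help string that the target needs the `nginx-repo.crt`/`nginx-repo.key` secrets, like the other `*-plus` targets, would also help.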
@@ -134,30 +136,17 @@ ubi-image-plus: build ## Create Docker image for Ingress Controller (UBI with NG $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=ubi-plus .PHONY: ubi-image-nap-plus -ubi-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and App Protect WAF) +ubi-image-nap-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect WAF) $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-plus-nap --build-arg NAP_MODULES=waf .PHONY: ubi-image-dos-plus -ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and App Protect DoS) +ubi-image-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus and NGINX App Protect DoS) $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-plus-nap --build-arg NAP_MODULES=dos .PHONY: ubi-image-nap-dos-plus -ubi-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, App Protect WAF and DoS) +ubi-image-nap-dos-plus: build ## Create Docker image for Ingress Controller (UBI with NGINX Plus, NGINX App Protect WAF and DoS) $(DOCKER_CMD) $(PLUS_ARGS) --secret id=rhel_license,src=rhel_license --build-arg BUILD_OS=ubi-plus-nap --build-arg NAP_MODULES=waf,dos -.PHONY: openshift-image openshift-image-plus openshift-image-nap-plus openshift-image-dos-plus openshift-image-nap-dos-plus -openshift-image openshift-image-plus openshift-image-nap-plus openshift-image-dos-plus openshift-image-nap-dos-plus: - @printf "\033[0;31mWarning\033[0m: The target $(filter openshift-%,$(MAKECMDGOALS)) was renamed to $(subst openshift,ubi,$(filter openshift-%,$(MAKECMDGOALS))) and will be removed in a future release.\n" - @$(MAKE) $(subst openshift,ubi,$(MAKECMDGOALS)) $(MAKEFLAGS) - -.PHONY: alpine-image-opentracing -alpine-image-opentracing: - @echo "OpenTracing is now included in all Alpine based 
images" - -.PHONY: debian-image-opentracing debian-image-opentracing-plus -debian-image-opentracing debian-image-opentracing-plus: - @echo "OpenTracing is now included in all Debian based images" - .PHONY: all-images ## Create all the Docker images for Ingress Controller all-images: alpine-image alpine-image-plus debian-image debian-image-plus debian-image-nap-plus debian-image-dos-plus debian-image-nap-dos-plus ubi-image ubi-image-plus ubi-image-nap-plus ubi-image-dos-plus ubi-image-nap-dos-plus diff --git a/build/Dockerfile b/build/Dockerfile index cb5e5f8fa9..c914d97c2d 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -5,8 +5,8 @@ ARG DOWNLOAD_TAG=edge ############################################# Base images containing libs for Opentracing ############################################# -FROM opentracing/nginx-opentracing:nginx-1.25.0 as opentracing-lib -FROM opentracing/nginx-opentracing:nginx-1.25.0-alpine as alpine-opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.1 as opentracing-lib +FROM opentracing/nginx-opentracing:nginx-1.25.1-alpine as alpine-opentracing-lib ############################################# Base image for Debian ############################################# @@ -15,8 +15,6 @@ FROM nginx:1.25.1 AS debian RUN --mount=type=bind,from=opentracing-lib,target=/tmp/ot/ \ apt-get update \ && apt-get install --no-install-recommends --no-install-suggests -y libcap2-bin \ - # temp fix for CVE-2022-3821, CVE-2022-29458, CVE-2023-28484 and CVE-2022-44617 - && apt-get install ncurses-base ncurses-bin libudev1 libsystemd0 libtinfo6 libxml2 libxpm4 \ && rm -rf /var/lib/apt/lists/* \ && cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \ 
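Review bot: Removing the explicit `apt-get install ncurses-base … libxml2 libxpm4` line relies on the `nginx:1.25.1` base image already carrying the fixes for CVE-2022-3821, CVE-2022-29458, CVE-2023-28484 and CVE-2022-44617; nothing in the hunk would pull newer Debian packages if that upstream tag is stale. A blanket `&& apt-get upgrade -y \` after `apt-get update` keeps the image current without maintaining a per-CVE package list, and the Trivy scan in the build workflow flags any regression. If the per-package approach is deliberate, a comment saying why is worth keeping.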
@@ -28,8 +26,8 @@ FROM nginx:1.25.1-alpine AS alpine RUN --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ apk add --no-cache libcap libstdc++ \ - # temp fix for CVE-2023-1255 and CVE-2023-28484 - && apk upgrade --no-cache libcrypto3 libssl3 libxml2 \ + # temp fix for CVE-2023-3138 + && apk upgrade --no-cache libx11 \ && cp -av /tmp/ot/usr/local/lib/libopentracing.so* /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && cp -av /tmp/ot/usr/lib/nginx/modules/ngx_http_opentracing_module.so /usr/lib/nginx/modules/ \ && ldconfig /usr/local/lib/ 
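Review bot: The replacement `apk upgrade --no-cache libx11` continues the pattern of upgrading one hand-picked package per advisory, with a `temp fix` comment that gives no condition for its removal. A plain `&& apk upgrade --no-cache \` would pick up every pending fix in the base image, this one included, and would not need editing on the next CVE. If the narrow upgrade is kept, state the exit condition in the comment, e.g. `# temp fix for CVE-2023-3138; drop once nginx:1.25.x-alpine ships the fixed libx11`.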
@@ -44,13 +42,21 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \ --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \ wget -nv -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub \ && printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \ - && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing libcap libcurl \ - # temp fix for CVE-2023-1255 - && apk upgrade --no-cache libcrypto3 libssl3 \ + && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap libcurl \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && ldconfig /usr/local/lib/ +############################################# Base image for Alpine with NGINX Plus and FIPS ############################################# +FROM alpine-plus as alpine-plus-fips + +RUN --mount=type=bind,from=ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17,target=/tmp/fips/ \ + mkdir -p /usr/ssl \ + && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \ + && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \ + && cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf + + ############################################# Base image for Debian with NGINX Plus ############################################# FROM debian:11-slim AS debian-plus ARG IC_VERSION 
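Review bot: The FIPS provider (`fips.so`), its `fipsmodule.cnf` (which carries the module's integrity MAC) and the global `openssl.cnf` are copied from `ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17` via a mutable tag, so the cryptographic module the image ships can change without any edit to this file; pin the mount by digest, e.g. `from=ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:<digest>`. The provider is built against a specific libcrypto, and nothing here checks that the `alpine-plus` stage (from `nginx:1.25.1-alpine`) runs the same Alpine/OpenSSL release as the `alpine3.17` source, so a mismatch would only surface at runtime. A build-time check after the copies, such as `&& openssl list -providers | grep -q fips` (if the `openssl` CLI is present in the stage), would fail the build instead.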
@@ -69,9 +75,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && printf "%s\n" "Acquire::https::pkgs.nginx.com::User-Agent \"k8s-ic-$IC_VERSION${BUILD_OS##debian-plus}-apt\";" >> /etc/apt/apt.conf.d/90pkgs-nginx \ && printf "%s\n" "deb https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/debian ${DEBIAN_VERSION} nginx-plus" > /etc/apt/sources.list.d/nginx-plus.list \ && apt-get update \ - && apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing libcap2-bin libcurl4 \ - # temp fix for CVE-2022-3821 and CVE-2022-29458 - && apt-get install ncurses-base ncurses-bin libudev1 libsystemd0 \ + && apt-get install --no-install-recommends --no-install-suggests -y nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check libcap2-bin libcurl4 \ && apt-get purge --auto-remove -y apt-transport-https gnupg curl \ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \ && ldconfig \ @@ -139,7 +143,7 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \ && curl -fsSL "https://cs.nginx.com/static/files/plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \ && sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/nginx-plus.repo \ - && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs \ + && microdnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \ && microdnf remove -y shadow-utils \ && microdnf clean all 
@@ -160,7 +164,9 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/ssl/nginx/nginx-repo.crt,mode && rpm --import https://cs.nginx.com/static/keys/nginx_signing.key \ && curl -fsSL "https://cs.nginx.com/static/files/nginx-plus-$(grep -E -o '[0-9]+\.[0-9]+' /etc/redhat-release | cut -d"." -f1).repo" | tr 0 1 > /etc/yum.repos.d/nginx-plus.repo \ && sed -i "0,/centos/s;;${NGINX_PLUS_VERSION}/centos;" /etc/yum.repos.d/nginx-plus.repo \ - && dnf --nodocs install -y nginx-plus nginx-plus-module-njs \ + && dnf --nodocs install -y nginx-plus nginx-plus-module-njs nginx-plus-module-fips-check \ + # temp fix for CVE-2023-24329 + && dnf upgrade -y platform-python \ ## end of duplicated code && sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py \ && subscription-manager register --org=${RHEL_ORGANIZATION} --activationkey=${RHEL_ACTIVATION_KEY} || true \ @@ -191,7 +197,6 @@ FROM ${BUILD_OS} as common ARG BUILD_OS ARG IC_VERSION -ARG GIT_COMMIT ARG TARGETPLATFORM ARG NAP_MODULES=none @@ -228,7 +233,6 @@ ENTRYPOINT ["/nginx-ingress"] USER 101 LABEL org.opencontainers.image.version="${IC_VERSION}" -LABEL org.opencontainers.image.revision="${GIT_COMMIT}" LABEL org.nginx.kic.image.build.target="${TARGETPLATFORM}" LABEL org.nginx.kic.image.build.os="${BUILD_OS}" LABEL org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERSION}" diff --git a/go.mod b/go.mod index 30edca1f3e..690a542a52 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/prometheus/client_golang v1.16.0 github.com/spiffe/go-spiffe/v2 v2.1.6 github.com/stretchr/testify v1.8.4 - golang.org/x/exp v0.0.0-20230105000112-eab7a2c85304 + golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 k8s.io/api v0.27.3 k8s.io/apimachinery v0.27.3 k8s.io/client-go v0.27.3 diff --git a/go.sum b/go.sum index 54e5435cf5..41b077db1b 100644 --- a/go.sum +++ b/go.sum 
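Review bot: Removing `LABEL org.opencontainers.image.revision="${GIT_COMMIT}"` from the final stage drops the only link from an image to its source commit for images built with `make` (the `GIT_COMMIT` build-arg is removed in this commit too), which weakens provenance for incident response and SBOM matching. Images built in CI presumably still receive that label from `docker/metadata-action`, but that cannot be confirmed from this hunk. Keeping `ARG GIT_COMMIT` and the `LABEL` line and having the Makefile pass `--build-arg GIT_COMMIT=$(git rev-parse HEAD)` costs nothing; an empty label is harmless, a missing one is not.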
@@ -411,8 +411,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230105000112-eab7a2c85304 h1:YUqj+XKtfrn3kXjFIiZ8jwKROD7ioAOOHUuo3ZZ2opc=
-golang.org/x/exp v0.0.0-20230105000112-eab7a2c85304/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
diff --git a/hack/docker.sh b/hack/docker.sh
index ed79b501cf..5b608bbc14 100755
--- a/hack/docker.sh
+++ b/hack/docker.sh
@@ -1,9 +1,9 @@
 #!/usr/bin/env bash
-git_commit=$1
-git_tag=$2
+git_tag=$1
 docker_tag=edge
+git_commit=$(git rev-parse HEAD)
 commit_tag=$(git describe --exact-match ${git_commit} 2>/dev/null)
 if [[ ${commit_tag} == ${git_tag} ]]; then
diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl
index 224e915929..46634b447c 100644
--- a/internal/configs/version1/nginx-plus.tmpl
+++ b/internal/configs/version1/nginx-plus.tmpl
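Review bot: `git_commit=$(git rev-parse HEAD)` has no fallback, unlike the `|| echo unknown` the Makefile used for the same value before this commit; where `rev-parse` fails (exported tarball, missing `.git`), `git_commit` is empty and the next line runs `git describe --exact-match` with no revision, silently describing HEAD instead of failing. Prefer `git_commit=$(git rev-parse HEAD) || { echo fail; exit 1; }` (the Makefile already treats `fail` as the error value) and quote the expansion, `git describe --exact-match "${git_commit}"`. The `if` that follows, and the rest of the script, continue outside the hunk.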
@@ -21,6 +21,7 @@ load_module modules/ngx_http_app_protect_module.so; {{- if .AppProtectDosLoadModule}} load_module modules/ngx_http_app_protect_dos_module.so; {{- end}} +load_module modules/ngx_fips_check_module.so; {{- if .MainSnippets}} {{range $value := .MainSnippets}} {{$value}}{{end}} diff --git a/tests/requirements.txt b/tests/requirements.txt index a3c314cf63..5d7aef8701 100644 --- a/tests/requirements.txt +++ b/tests/requirements.txt @@ -344,9 +344,9 @@ packaging==23.1 \ # via # -r requirements.txt # pytest -pluggy==1.0.0 \ - --hash=sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159 \ - --hash=sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3 +pluggy==1.2.0 \ + --hash=sha256:c2fd55a7d7a3863cba1a013e4e2414658b1d07b6bc57b3919e0c63c9abb99849 \ + --hash=sha256:d12f0c4b579b15f5e054301bb226ee85eeeba08ffec228092f8defbaa3a4c4b3 # via # -r requirements.txt # pytest
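Review bot: `load_module modules/ngx_fips_check_module.so;` is now unconditional in the Plus template, so every NGINX Plus image variant must ship `nginx-plus-module-fips-check` or nginx will refuse to start with a configuration error; the Dockerfile hunks in this commit add the package to the alpine-plus, debian-plus, ubi-plus and ubi-plus-nap stages, but any Plus stage outside this diff, and any custom image a user builds against this template, needs the same. A comment above the directive stating what the module does would avoid a false sense of security, e.g. `# fips_check only reports at startup whether OpenSSL runs in FIPS mode; it does not enable or enforce FIPS`. Gating it on a template flag, as the App Protect modules above are, would let non-FIPS builds omit the module.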