From 8ec1be27b0b3eaa50a710b50600af5e3222fdd06 Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Fri, 12 Jan 2024 14:13:07 +0000
Subject: [PATCH] add alpine-fips-waf image (#4897)

---
 .github/workflows/ci.yml | 4 ++++
 Makefile | 4 ++++
 build/Dockerfile | 30 ++++++++++++++++++++++++++++--
 3 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2cff33942b..1467f80743 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -469,6 +469,10 @@ jobs:
 target: aws
 platforms: "linux/amd64"
 nap_modules: "waf,dos"
+ - image: alpine-plus-nap-waf-fips
+ target: goreleaser
+ platforms: "linux/amd64"
+ nap_modules: waf
 
 uses: ./.github/workflows/build-plus.yml
 with:
diff --git a/Makefile b/Makefile
index 7a0649be14..9589e65acc 100644
--- a/Makefile
+++ b/Makefile
@@ -121,6 +121,10 @@ alpine-image-plus: build ## Create Docker image for Ingress Controller (Alpine w
 alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus and FIPS)
 	$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-fips
 
+.PHONY: alpine-image-nap-plus-fips
+alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS)
+	$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-waf-fips
+
 .PHONY: debian-image-plus
 debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus)
 	$(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=debian-plus
diff --git a/build/Dockerfile b/build/Dockerfile
index b51469bcc2..1b6482d64e 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
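Review bot: The new matrix entry writes `nap_modules: waf` unquoted while the sibling entry directly above it uses `nap_modules: "waf,dos"`; the two forms are the same string in YAML, but the visible difference invites a reader to look for a meaning that is not there. Writing it as `nap_modules: "waf"` keeps the entries uniform. The list this entry belongs to starts before the hunk, so whether other entries also use the unquoted form cannot be seen here.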
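Review bot: The new target is called `alpine-image-nap-plus-fips`, but the image it produces is selected with `BUILD_OS=alpine-plus-nap-waf-fips`, which is also the name the CI matrix in this commit uses; the target drops `waf` and orders the components differently, so users of `make` have to know two spellings for one image. If the existing App Protect targets earlier in the Makefile follow an `alpine-image-nap-…` pattern (not visible in the hunk), keeping that prefix but adding the module, `alpine-image-nap-waf-plus-fips: build ## …`, would let the target, the build arg and the CI image name agree; otherwise a short comment above the target stating that it builds `alpine-plus-nap-waf-fips` would at least make the mapping explicit.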
@@ -8,7 +8,8 @@ ARG DEBIAN_FRONTEND=noninteractive
 ############################################# Base images containing libs for Opentracing and FIPS #############################################
 FROM opentracing/nginx-opentracing:nginx-1.25.3 as opentracing-lib
 FROM opentracing/nginx-opentracing:nginx-1.25.3-alpine as alpine-opentracing-lib
-FROM ghcr.io/nginxinc/alpine-fips:0.1.1-alpine3.18 as alpine-fips
+FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17 as alpine-fips-3.17
+FROM ghcr.io/nginxinc/alpine-fips:0.1.2-alpine3.19 as alpine-fips-3.19
 
 
 ############################################# Base image for Alpine #############################################
@@ -66,6 +67,7 @@ ADD --link --chown=101:0 https://cs.nginx.com/static/files/90pkgs-nginx 90pkgs-n
 ADD --link --chown=101:0 https://cs.nginx.com/static/keys/nginx_signing.key nginx_signing.key
 ADD --link --chown=101:0 https://cs.nginx.com/static/keys/nginx_signing.rsa.pub nginx_signing.rsa.pub
 ADD --link --chown=101:0 https://cs.nginx.com/static/keys/app-protect-security-updates.key app-protect-security-updates.key
+ADD --link --chown=101:0 https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub app-protect-security-updates.rsa.pub
 ADD --link --chown=101:0 https://cs.nginx.com/static/files/nginx-plus-8.repo nginx-plus-8.repo
 ADD --link --chown=101:0 https://cs.nginx.com/static/files/plus-9.repo nginx-plus-9.repo
 ADD --link --chown=101:0 https://cs.nginx.com/static/files/app-protect-8.repo app-protect-8.repo
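Review bot: The two replacement `FROM` lines pin the FIPS provider image by tag only, and the new `alpine-fips-3.17` stage steps back to `0.1.0-alpine3.17`, an older release than the `0.1.1-alpine3.18` it replaces, with nothing in the hunk recording why the WAF stage needs the older Alpine (presumably the App Protect packages are only published for 3.17, but that should be confirmed). A comment above the line, such as `# 3.17 provider is kept only for the alpine-plus-nap-waf-fips stage; retire it once that stage can move to a current Alpine`, would stop the older base from being carried forward by accident. Because a tag is mutable, the FIPS module copied out of these stages can change between rebuilds; pinning by digest, e.g. `FROM ghcr.io/nginxinc/alpine-fips:0.1.0-alpine3.17@sha256:<digest-placeholder> as alpine-fips-3.17`, makes the module's provenance reproducible for both new lines.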
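Review bot: The added `ADD` fetches `app-protect-security-updates.rsa.pub` over HTTPS with no integrity check, and later in this commit that file is bind-mounted into `/etc/apk/keys/`, where apk treats it as a trusted signing key for the app-protect-security-updates repository. The sibling key lines above it follow the same pattern, so the commit does not make things worse, but a key that anchors package trust is exactly the artifact worth pinning. If the Dockerfile frontend this file declares supports it, `ADD --checksum=sha256:<sha256-of-key-placeholder> --link --chown=101:0 https://cs.nginx.com/static/keys/app-protect-security-updates.rsa.pub app-protect-security-updates.rsa.pub` fixes the content at build time; otherwise a `RUN` that compares the downloaded key against a fingerprint committed to the repository gives the same guarantee. The stage this `ADD` belongs to starts before the hunk.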
@@ -104,13 +106,37 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
 
 ############################################# Base image for Alpine with NGINX Plus and FIPS #############################################
 FROM alpine-plus as alpine-plus-fips
-RUN --mount=type=bind,from=alpine-fips,target=/tmp/fips/ \
+RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \
 mkdir -p /usr/ssl \
 && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \
 && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \
 && cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf
 
 
+############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS #############################################
+FROM alpine:3.17 as alpine-plus-nap-waf-fips
+ARG NGINX_PLUS_VERSION
+
+RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \
+ --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
+ --mount=type=secret,id=nginx-repo.key,dst=/etc/apk/cert.key,mode=0644 \
+ --mount=type=bind,from=alpine-opentracing-lib,target=/tmp/ot/ \
+ --mount=type=bind,from=nginx-files,src=app-protect-security-updates.rsa.pub,target=/etc/apk/keys/app-protect-security-updates.rsa.pub \
+ --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk/keys/nginx_signing.rsa.pub \
+ printf "%s\n" "https://pkgs.nginx.com/plus/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+ && printf "%s\n" "https://pkgs.nginx.com/app-protect/${NGINX_PLUS_VERSION}/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+ && printf "%s\n" "https://pkgs.nginx.com/app-protect-security-updates/alpine/v$(grep -E -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
+ && apk upgrade --no-cache -U \
+ && apk add --no-cache libcap-utils libcurl nginx-plus nginx-plus-module-njs nginx-plus-module-opentracing nginx-plus-module-fips-check \
+ && mkdir -p /usr/ssl \
+ && cp -av /tmp/fips/usr/lib/ossl-modules/fips.so /usr/lib/ossl-modules/fips.so \
+ && cp -av /tmp/fips/usr/ssl/fipsmodule.cnf /usr/ssl/fipsmodule.cnf \
+ && cp -av /tmp/fips/etc/ssl/openssl.cnf /etc/ssl/openssl.cnf \
+ && cp -av /tmp/ot/usr/local/lib/libjaegertracing*so* /tmp/ot/usr/local/lib/libzipkin*so* /tmp/ot/usr/local/lib/libdd*so* /tmp/ot/usr/local/lib/libyaml*so* /usr/local/lib/ \
+ && ldconfig /usr/local/lib/ \
+ && apk add --no-cache app-protect app-protect-attack-signatures app-protect-threat-campaigns
+
+
 ############################################# Base image for Debian with NGINX Plus #############################################
 FROM debian:12-slim AS debian-plus