From f1bfec24272446eafcdea81df0d5bb57334196a8 Mon Sep 17 00:00:00 2001 From: oseoin Date: Tue, 30 Jan 2024 16:00:19 +0000 Subject: [PATCH] Build base images for OSS (#4999) * build base images for OSS --- .github/data/matrix-smoke.json | 2 +- .github/workflows/build-base-images.yml | 260 ++++++++++++++++++++++++ .github/workflows/build-oss.yml | 2 - .github/workflows/build-plus.yml | 2 - .github/workflows/ci.yml | 2 +- Makefile | 2 +- build/Dockerfile | 12 +- 7 files changed, 270 insertions(+), 12 deletions(-) create mode 100644 .github/workflows/build-base-images.yml diff --git a/.github/data/matrix-smoke.json b/.github/data/matrix-smoke.json index c229f539fd..dec0f1c3f8 100644 --- a/.github/data/matrix-smoke.json +++ b/.github/data/matrix-smoke.json @@ -97,7 +97,7 @@ }, { "label": "AP_WAF 2/4", - "image": "alpine-plus-nap-waf-fips", + "image": "alpine-plus-nap-fips", "marker": "'appprotect_waf_policies and not appprotect_waf_policies_allow'" }, { diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml new file mode 100644 index 0000000000..8ce03775e8 --- /dev/null +++ b/.github/workflows/build-base-images.yml @@ -0,0 +1,260 @@ +name: Build Base Images + +on: + workflow_dispatch: + schedule: + - cron: "30 4 * * 1-5" # run Mon-Fri at 04:30 UTC + +defaults: + run: + shell: bash + +concurrency: + group: ${{ github.ref_name }}-ci + cancel-in-progress: true + +permissions: + contents: read + id-token: write + +jobs: + checks: + name: Checks and variables + runs-on: ubuntu-22.04 + outputs: + docker_md5: ${{ steps.vars.outputs.docker_md5 }} + ic_version: ${{ steps.vars.outputs.ic_version }} + steps: + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Output Variables + id: vars + run: | + docker_md5=$(find . -type f \( -name "build/Dockerfile" -o -name .github/data/version.txt \) -not -path "./docs*" -exec md5sum {} + | LC_ALL=C sort | md5sum | awk '{ print $1 }' ) + echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT + source .github/data/version.txt + echo "ic_version=${IC_VERSION}" >> $GITHUB_OUTPUT + cat $GITHUB_OUTPUT + + build-oss: + name: Build OSS base images + runs-on: ubuntu-22.04 + needs: checks + strategy: + fail-fast: false + matrix: + image: [debian, alpine] + platforms: + ["linux/arm, linux/arm64, linux/amd64, linux/ppc64le, linux/s390x"] + include: + - image: ubi + platforms: "linux/arm64, linux/amd64, linux/ppc64le, linux/s390x" + steps: + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 + with: + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/oss + flavor: | + suffix=-${{ matrix.image }},onlatest=false + tags: | + type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} + + - name: Build Base Container + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + file: build/Dockerfile + context: "." + cache-from: type=gha + cache-to: type=gha,mode=max + target: common + tags: ${{ steps.meta.outputs.tags }} + pull: true + push: true + build-args: | + BUILD_OS=${{ matrix.image }} + IC_VERSION=${{ needs.checks.outputs.ic_version }} + + build-plus: + name: Build Plus base images + runs-on: ubuntu-22.04 + needs: checks + strategy: + fail-fast: false + matrix: + image: [debian-plus, alpine-plus, alpine-plus-fips] + platforms: ["linux/arm64, linux/amd64"] + include: + - image: ubi-plus + platforms: "linux/arm64, linux/amd64, linux/s390x" + steps: + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 + with: + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus + flavor: | + suffix=-${{ matrix.image }},onlatest=false + tags: | + type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} + + - name: Build Base Container + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + file: build/Dockerfile + context: "." + cache-from: type=gha + cache-to: type=gha,mode=max + target: common + tags: ${{ steps.meta.outputs.tags }} + pull: true + push: true + build-args: | + BUILD_OS=${{ matrix.image }} + IC_VERSION=${{ needs.checks.outputs.ic_version }} + secrets: | + "nginx-repo.crt=${{ secrets.NGINX_CRT }}" + "nginx-repo.key=${{ secrets.NGINX_KEY }}" + + build-plus-nap: + name: Build Plus NAP base images + runs-on: ubuntu-22.04 + needs: checks + strategy: + fail-fast: false + matrix: + image: [debian-plus-nap] + platforms: ["linux/amd64"] + nap_modules: [dos, waf, "waf,dos"] + include: + - image: ubi-9-plus-nap + platforms: "linux/amd64" + nap_modules: waf + - image: ubi-8-plus-nap + platforms: "linux/amd64" + nap_modules: dos + - image: ubi-8-plus-nap + platforms: "linux/amd64" + nap_modules: "waf,dos" + - image: alpine-plus-nap-fips + platforms: "linux/amd64" + nap_modules: waf + steps: + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Setup QEMU + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + with: + platforms: arm,arm64,ppc64le,s390x + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0 + with: + token_format: access_token + workload_identity_provider: ${{ secrets.GCR_WORKLOAD_IDENTITY }} + service_account: ${{ secrets.GCR_SERVICE_ACCOUNT }} + + - name: Login to GCR + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: gcr.io + username: oauth2accesstoken + password: ${{ steps.auth.outputs.access_token }} + + - name: NAP modules + id: nap_modules + run: | + [[ "${{ matrix.nap_modules }}" == "waf,dos" ]] && modules="waf-dos" || modules="${{ matrix.nap_modules }}" + echo "modules=${modules}" >> $GITHUB_OUTPUT + if: ${{ matrix.nap_modules != '' }} + + - name: Docker meta + id: meta + uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0 + with: + images: | + name=gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/dev/nginx-ic-base/plus + flavor: | + suffix=-${{ matrix.image }}-${{ steps.nap_modules.outputs.modules }},onlatest=false + tags: | + type=raw,value=${{ needs.checks.outputs.docker_md5 }},enable=${{ needs.checks.outputs.docker_md5 != '' }} + + - name: Build Base Container + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 + with: + file: build/Dockerfile + context: "." + cache-from: type=gha + cache-to: type=gha,mode=max + target: common + tags: ${{ steps.meta.outputs.tags }} + pull: true + push: true + build-args: | + BUILD_OS=${{ matrix.image }} + IC_VERSION=${{ needs.checks.outputs.ic_version }} + NAP_MODULES=${{ matrix.nap_modules }} + secrets: | + "nginx-repo.crt=${{ secrets.NGINX_AP_CRT }}" + "nginx-repo.key=${{ secrets.NGINX_AP_KEY }}" + ${{ contains(matrix.image, 'ubi') && format('"rhel_license={0}"', secrets.RHEL_LICENSE) || '' }} diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml index 529f2b8f54..5a1bdef845 100644 --- a/.github/workflows/build-oss.yml +++ b/.github/workflows/build-oss.yml @@ -124,8 +124,6 @@ jobs: type=raw,value=${{ steps.tag.outputs.short }},enable=${{ inputs.tag != '' }} labels: | org.opencontainers.image.description=NGINX Ingress Controller for Kubernetes - org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller - org.opencontainers.image.vendor=NGINX Inc io.artifacthub.package.readme-url=https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/README.md io.artifacthub.package.logo-url=https://docs.nginx.com/nginx-ingress-controller/images/icons/NGINX-Ingress-Controller-product-icon.svg io.artifacthub.package.maintainers=[{"name":"NGINX Inc","email":"kubernetes@nginx.com"}] diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml index 2793b9ab7d..14aa14d1cb 100644 --- a/.github/workflows/build-plus.yml +++ b/.github/workflows/build-plus.yml @@ -142,8 +142,6 @@ jobs: type=semver,pattern={{major}}.{{minor}} labels: | org.opencontainers.image.description=NGINX Plus Ingress Controller for Kubernetes - org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller - org.opencontainers.image.vendor=NGINX Inc - name: NAP modules id: nap_modules diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a4ef7ef106..73189dc9c7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -497,7 +497,7 @@ jobs: target: aws platforms: "linux/amd64" nap_modules: "waf,dos" - - image: alpine-plus-nap-waf-fips + - image: alpine-plus-nap-fips target: goreleaser platforms: "linux/amd64" nap_modules: waf diff --git a/Makefile b/Makefile index 0da24455f8..1f05f61909 100644 --- a/Makefile +++ b/Makefile @@ -124,7 +124,7 @@ alpine-image-plus-fips: build ## Create Docker image for Ingress Controller (Alp .PHONY: alpine-image-nap-plus-fips alpine-image-nap-plus-fips: build ## Create Docker image for Ingress Controller (Alpine with NGINX Plus, NGINX App Protect WAF and FIPS) - $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-waf-fips + $(DOCKER_CMD) $(PLUS_ARGS) --build-arg BUILD_OS=alpine-plus-nap-fips .PHONY: debian-image-plus debian-image-plus: build ## Create Docker image for Ingress Controller (Debian with NGINX Plus) diff --git a/build/Dockerfile b/build/Dockerfile index 85524ea2fc..aa246765bc 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -114,7 +114,7 @@ RUN --mount=type=bind,from=alpine-fips-3.19,target=/tmp/fips/ \ ############################################# Base image for Alpine with NGINX Plus, App Protect WAF and FIPS ############################################# -FROM alpine:3.17@sha256:6e94b5cda2d6fd57d85abf81e81dabaea97a5885f919da676cc19d3551da4061 as alpine-plus-nap-waf-fips +FROM alpine:3.17@sha256:6e94b5cda2d6fd57d85abf81e81dabaea97a5885f919da676cc19d3551da4061 as alpine-plus-nap-fips ARG NGINX_PLUS_VERSION RUN --mount=type=bind,from=alpine-fips-3.17,target=/tmp/fips/ \ @@ -347,10 +347,12 @@ ENTRYPOINT ["/nginx-ingress"] # 101 is nginx USER 101 -LABEL org.opencontainers.image.version="${IC_VERSION}" -LABEL org.nginx.kic.image.build.target="${TARGETPLATFORM}" -LABEL org.nginx.kic.image.build.os="${BUILD_OS}" -LABEL org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERSION}" +LABEL org.opencontainers.image.version="${IC_VERSION}" \ + org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller \ + org.opencontainers.image.vendor="NGINX Inc " \ + org.nginx.kic.image.build.target="${TARGETPLATFORM}" \ + org.nginx.kic.image.build.os="${BUILD_OS}" \ + org.nginx.kic.image.build.nginx.version="${NGINX_PLUS_VERSION}${NGINX_VERSION}" ############################################# Build nginx-ingress in golang container #############################################